Presentation by Marco Slaviero at the University of Pretoria to their master's class of 2008.
This presentation is an introduction to information security. It starts with a look at the past and current state of network security, then discusses penetration testing, and closes with SQL injection and XSS demonstrations.
2. Company
◦ Infosec specialists
◦ SensePost turned 8!
◦ .pta.za company of +-20
◦ Services
Assessments
Automated services
Training
Technology
◦ Published papers + books. Presented at many international conferences.
◦ Tool agnostic
Me
◦ senior analyst
◦ UP graduate
5. Some facts
Some info
Quick hacks
Trends
What is penetration testing? How do we do it?
Why is software insecure?
Demos
Observations
Conclusion
10. Networks last century
◦ Sometimes protected by means of a firewall at the ingress/egress points
◦ Hard crunchy shell
◦ Completely 0wnable internal networks (the soft, chewy centre)
◦ Many weak external facing standard services
◦ Servers sat on internal network
◦ Business services used variety of protocols
◦ Security was secondary to function
11. Current networks
◦ Virtually every network has some kind of firewall in front
◦ Internal networks auto-updated
◦ Few external facing (hardened) services
◦ Servers isolated
◦ Business services migrated to HTTP
◦ Custom applications abound
◦ Security seen as important
◦ Major focus on user-content
12. Increasing criminal element
Client-side attacks
Other platforms receiving more attention
l33t 0wns no longer acceptable to corporates without mature recommendations
Mobile focus
Value moving
Vulns are marketable
13. Site scanned
◦ port 80 open
◦ website appears clean
◦ run directory/file brute-forcer on website
/webstats/stats/default.asp
Login Page
SQL injectable
14. ◦ Internal search field also SQL injectable (returns errors)
• used sql-injector.pl
• SQL user a domain administrator
• changed password of domain admin user with terminal services access
• found external terminal services box
• login to internal network as domain administrator
16. Metasploit - Open Source Platform for:
◦ Developing, Testing and Using Exploit Code
◦ Written in Perl/Ruby with components in C, Python
and Assembly
Supports *nix as well as Windows (Cygwin)
Makes running exploits trivial, requires no underlying knowledge
18. Hacking is not a black art – it can be structured
One hole is all we need
It’s OK to be hacked (by us :)
19. The practical verification of security mechanisms
◦ Offensive
◦ Blackbox
Requirements
◦ Knowledge
tools
platforms
protocols
◦ Puzzle solving abilities
◦ Tenacity
Targets
◦ networks
◦ machines
◦ applications
web
thick
◦ information
20. Typical pen-testing Goals
◦ enumerate users
◦ bypass authentication mechanisms
◦ access user data
◦ perform administrative actions
◦ deny service
◦ compromise underlying platform
◦ use target to hop further into the network
Ethics
◦ only done with mandate
◦ customer informed of
targets
testing times
◦ NDAs
◦ user data kept confidential (or redacted)
21. 1. There’s no madness in our method
2. Learn the trade, not the trick
3. It’s not about the what, it’s about the where
4. Everything’s easy in bite-sized chunks
5. Don’t worry about knowing the answers, it’s figuring out the questions that’s hard
6. The more you know, the luckier you’ll get
22. Discover the possible set of targets
Test whether targets are reachable
Determine the services being offered
Vulnerability detection & analysis
Vulnerability exploitation
Methodology varies according to objective
Threat modelling useful for discovering possible weak points in complex applications
23. Network layer
◦ Attacks are mostly canned
◦ Testing is automated
◦ Software is mature – hence slightly more secure
Application layer
◦ Most business apps run over HTTP
◦ Custom apps mean custom vulns
◦ Custom software is less mature, fewer security protections
◦ Labour intensive testing
◦ Basic tasks are automated
◦ Web threats not fully understood
Web 2.0 world changes that further
24. On the Internet today, we hack web servers
◦ 13 Million unique web servers
◦ 70% of all open ports are HTTP
Frameworks, code-sharing and thin clients make developing for the web quick and easy
◦ Yet it's much harder to develop securely than many think
Web applications are attractive targets
◦ Internet facing
◦ Wide spread
◦ Encapsulate complex business logic
◦ Offer windows into the private network
Responsibility lies largely with the developer
◦ Naivety increases our chances of success
26. Statement:
If we can build skyscrapers and bridges that last 80 years and more without falling down, why is software broken before it is deployed?
27. Buildings do fall down
◦ Environmental factors not accounted for (Tacoma Narrows)
◦ Security threats (9/11?)
Security in general is always defeatable
◦ How much is the attacker willing to spend?
◦ Security is a human vs. human game – boundaries are limited only by the attacker’s imagination
◦ Security is not limited to software (how secure is your house?)
◦ How well do defenders understand the attackers?
◦ As tech evolves, so the threat landscape changes (pace of change)
28. Developers are front-line software defenders. What about them?
◦ Devs are not taught security fundamentals
Input validation (whitelist/blacklist)
Assertion checking
Return status
Unsafe functions/mechanisms
◦ Security is often seen as secondary on software projects (features are king!)
◦ Often they only learn about threats when their applications are compromised
◦ As new attacks emerge, the gap between the protected and the exposed grows
◦ Spot fixing
29. How to fix?
◦ Cheques made out to ML Slaviero. CC also accepted.
◦ Developer education (coding against threats)
◦ Tighter integration between application components
◦ Abstraction of security code
◦ New architectures?!?
31. What is it?
◦ Most web applications interact with a database
◦ Users enter data which is passed into database queries
◦ Certain chars have special meaning in DBs, e.g. ' for SQL
◦ Data is not escaped sufficiently, allowing the alteration of the query
Effects?
◦ Data extraction
◦ Data modification
◦ Command execution?
33. Card number entered: x' OR 1=1--
PIN entered: 5555
Query template:
  @result = "select * from Users where Card = '$cardnumber' And Pin = '$customerpin';"
Resulting query (the -- starts a SQL comment, so the PIN check is discarded):
  @result = "select * from Users where Card = 'x' OR 1=1-- ' And Pin = '5555';"
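Added example (not from the presentation): the slide's query, built by string concatenation as a Python function over an in-memory SQLite table, beside a parameterised version, plus the whitelist input validation slide 28 mentions. The Users table, card numbers and PINs are constructed for the demo.

```python
import re
import sqlite3

# Constructed stand-in for the slide's Users table (card numbers and PINs are made up)
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Card TEXT, Pin TEXT, Name TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", [
        ("1111222233334444", "1234", "alice"),
        ("1111222233335555", "9876", "bob"),
    ])
    return conn

def login_vulnerable(conn, cardnumber, customerpin):
    # Same construction as the slide: the user's text becomes part of the SQL statement
    query = (f"select * from Users where Card = '{cardnumber}' "
             f"And Pin = '{customerpin}';")
    return conn.execute(query).fetchall()

def login_parameterised(conn, cardnumber, customerpin):
    # Placeholders: the driver passes values separately, so a quote in the input stays data
    query = "select * from Users where Card = ? And Pin = ?;"
    return conn.execute(query, (cardnumber, customerpin)).fetchall()

def pin_is_valid(customerpin):
    # Whitelist validation (slide 28): a PIN is exactly four digits; anything else is rejected
    return re.fullmatch(r"[0-9]{4}", customerpin) is not None

SLIDE_PAYLOAD = "x' OR 1=1--"   # the card-number input shown on the slide
SLIDE_PIN = "5555"

def rows_returned(login_fn, cardnumber, customerpin):
    # Number of Users rows the login query matches; -1 when the database rejects the SQL
    # (the "returns errors" symptom from slide 14 is itself a sign of injectability)
    conn = make_db()
    try:
        return len(login_fn(conn, cardnumber, customerpin))
    except sqlite3.Error:
        return -1
    finally:
        conn.close()

if __name__ == "__main__":
    print("vulnerable:", rows_returned(login_vulnerable, SLIDE_PAYLOAD, SLIDE_PIN))
    print("parameterised:", rows_returned(login_parameterised, SLIDE_PAYLOAD, SLIDE_PIN))
```

With the slide's input the concatenated query matches every user (the comment swallows the PIN check), while the parameterised query matches none.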
35. What is it?
◦ Web apps output their stored data as HTML to browsers
◦ If data contains HTML, then the interface is altered
◦ Caused by insufficient escaping of user supplied data (input validation… sound familiar?)
◦ New exploits emerging all the time
Effects?
◦ Malicious HTML can be used to perform a variety of attacks
cookie theft
internal port scanners
perform actions on your behalf
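Added example (not from the presentation): the escaping mistake slide 35 describes, as a Python rendering function that drops stored data straight into HTML, beside one that escapes at output time for both the text and attribute contexts. The comment strings and the page template are constructed for the demo.

```python
import html

# Constructed samples of user-supplied data, as a web app would read them back from storage
BENIGN = "Great talk, O'Reilly"
HOSTILE = "<script>alert('xss')</script>"
TEMPLATE_TAGS = 2   # the <li> and </li> the template itself contributes

def render_comment_unescaped(text):
    # Slide 35's mistake: stored data dropped straight into the page becomes live markup
    return '<li class="comment">' + text + '</li>'

def render_comment(text):
    # Escape at output time for the HTML text context; quote=True also covers ' and "
    return '<li class="comment">' + html.escape(text, quote=True) + '</li>'

def render_search_box(previous_query):
    # Attribute context: an unescaped " would end the attribute, so quote=True matters here
    return '<input name="q" value="' + html.escape(previous_query, quote=True) + '">'

def user_markup_survives(rendered):
    # Any '<' beyond those the template supplies came from the user and is live markup
    return rendered.count("<") > TEMPLATE_TAGS

def render_page(comments, previous_query, escape=True):
    # Assemble a page the way the app would; escape=False reproduces the vulnerable behaviour
    render = render_comment if escape else render_comment_unescaped
    items = "".join(render(c) for c in comments)
    return "<ul>" + items + "</ul>" + render_search_box(previous_query)

if __name__ == "__main__":
    print(render_page([BENIGN, HOSTILE], 'say "hi"', escape=False))
    print(render_page([BENIGN, HOSTILE], 'say "hi"'))
```

Note that escaping belongs at the point of output, in the syntax of the context being written into; a single escape applied when data is stored does not cover every place it is later rendered.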
38. Old attacks don’t disappear
Dev mistakes are repeated
Development frameworks evolve to mitigate some threats, leading to over-reliance on the framework
◦ Authentication/input validation understood fairly well
◦ .Net input validation vuln
Passwords are an attacker’s friend
Authorisation issues widespread
Users are gullible
Value is moving
Increasing complexity of attacks
39. Hacking is learnable
Education is key
Know where you stand