Fixing-The-Industry Pentest 01 2011
01/2011 (01)
Dear Readers,
TEAM
Editor: Sebastian Bula
sebastian.bula@software.com.pl
Proofreaders: Jonathan Edwards, Michael Munt, Edward Werzyn Jr., David Small
Betatesters: Stefan Castille, Michael Munt, Juan Bidini, John J Trinckes, Jr., Kyle Kennedy, David Small, Massimo Buso, Davide Quarta, Santosh Kumar Rana
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic
ewa.dudzic@software.com.pl
Art Director: Ireneusz Pogroszewski
ireneusz.pogroszewski@software.com.pl
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca
andrzej.kuca@software.com.pl
Marketing Director: Sebastian Bula
sebastian.bula@software.com.pl
Publisher: Software Press Sp. z o.o. SK
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.hakin9.org/en
DISCLAIMER!
Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage.
All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.
Page 2
http://pentestmag.com
CONTENTS
POINT OF VIEW
04 Why We Do It
by David Small
by Hans-Michael Varbaek
STANDARDS
BLACK BOX
NETWORK SECURITY
HOW-TO
Penetration Testing these days is often done on a one-off basis, meaning companies do it once a month, once a quarter or once a year and then never think about it again. I find that to be a shame and think that penetration testing can be an invaluable tool in vulnerability management when performed properly.
TOOLS
INTERVIEW
POINT OF VIEW
Pen Testing:
Why We Do It
We're penetration testers. What do we do? Why do we do it? What does it say about us?
There are some misconceptions about pentesters. From a shallow look, they appear to be people who break into computer systems, with tools designed to do just that. But this isn't the case; allow me to explain.
The Internet is full of people who try to break into computers connected to it. This happens all the time. A computer's defenses are generally up to one or two people; that's us.
We do tedious things. We keep track of the OS and current software, and patch everything as soon as patches are issued. We read system logs. We check permissions. We leave honey-traps. We look for things that smell wrong. It takes discipline on our end to do all of these things. Because we do this, it's not easy, and it's not quick, to crack into the machines we're trying to protect.
And one of the things we do is to test our security. It's no different than you giving your doorknob a shake after you've locked it, to make sure it won't turn, and that the bolt is engaged and won't open with a simple push. For most people that's a habit they don't even think about. That's penetration testing.
Now an attacker has some sort of motive to try to get into our systems. However, it's usually something simple like rooting another machine. There are so incredibly many computer systems which are simple to get into that we hope that attackers will become bored
01/2011 (1) May
DAVID SMALL
STANDARDS
Threat Modeling
Pre-Engagement interaction
and analyzed at the intelligence gathering phase, and can be used to create attack trees and map out avenues for vulnerability analysis of key processes and technologies. This is another key component to providing value in Penetration Testing: if the customer does not know what the threat to the business or the actual risk is, why should they resolve the issue? Threat Modeling provides a weighting system so that testers can rely less on a screenshot of a shell and more on the overall value to the business.
Vulnerability Analysis
Exploitation
Post-Exploitation
Reporting
the technical gaps that need to be addressed, but also needs to provide a more executive-level report that reflects the organization's exposure to loss in business terms (financial). This would include the actual meaning of which assets are at the highest risk, how many resources are used to protect different assets, and a recommendation on how to more efficiently close any gaps in exposure by spending resources on controls and protections more intelligently.
Such a recommendation would not have been possible without the surrounding activities that provide the business relevance of the exercise and the tested business elements. This is also where the organization would end up finding the most value out of the engagement, as opposed to most common pentests which leave it with a laundry list of exploits and vulnerabilities, without their actual relevance or business impact. In the report, the tester will be required to identify the symptomatic vulnerabilities (like a missing patch) as well as tie out the systemic vulnerabilities (a patch is missing BECAUSE there are gaps in policy and procedure in x/y/z area which allowed for the patch to not be installed in a timely manner or within the specified time).
Measuring detection and incident response is an integrated part of a penetration test
It's important to note that although there isn't a dedicated section for detection and incident response, the organization's capabilities to identify and react to anything from the intelligence gathering, through the vulnerability analysis, exploitation and post-exploitation, are also put to the test. The penetration test includes direct references to such capabilities in each section (as well as in the reporting section), and can be extremely useful to clearly identify the organization's maturity in terms of risk management and handling. This provides an additional value to the customer, as they are allowed to test the effectiveness of their defensive monitoring systems and/or outsourced solutions.
At the end of the day, the forces of the industry will dictate what a penetration test will look like and what it will contain. Nevertheless, the PTES is aimed at providing the industry with a baseline it clearly lacks now. The term has been mutated over many iterations and it has been given a very narrow freedom to operate between the minimum that has been dictated by regulatory requirements (which did good and actually forced more businesses to test themselves), and the glass ceiling that has been created de facto by the hordes of pentesters that know nothing better than using some product to push out a report to the customer and move on to the next. By clearly defining the term (which is used in a multitude of standards without an adequate definition of what it means or consists of) and what the purpose, value and components of a Penetration Test are, PTES will increase the confidence of customers and testers alike. For quite some time now, organizations expect the value of conducting a Penetration Test to be not much more than a rubber stamp on the audit report or a ticked checkbox on their compliance worksheet. PTES is attempting to increase that value and blow some wind into the dwindling sails of what once was a critical part of running a secure operation. In the modern days, where everyone is being so easily hacked by an APT, isn't it time our testers start acting like one? Or would you rather have an Automated Penetration Test (APT) that you pay for and that does not even attempt to learn WHY they are doing the test in the first place?
CHRIS NICKERSON
Comment
Penetration Testing Execution Standard (PTES)
provides a great start for information security
professionals who are new to penetration testing and
vulnerability analysis. As a novice one always wonders
what is a good starting point and PTES definitely
provides an excellent view of the landscape.
Another salient feature of PTES is that it is developed by a group of professionals rather than one single organization or institution. It must have been a challenge to blend in various mindmaps and come up with a monolithic structure. It would be interesting to see if PTES goes down The Open Web Application Security Project (OWASP) route, where the documentation is augmented with videos, tutorials and tools and receives tremendous professional support and participation.
ABY RAO
JEFF WEAVER
Upcoming events
TakeDownCon is a brand new information security conference series, created by EC-Council. This highly technical information security conference series is very focused; the theme of this first of the series is Taking Down Security, focusing on attack and defense vectors. World class experts including Barnaby Jack, Kanen Flowers, Joe McCray, Rodrigo Branco, Sean Arries, among others, will demonstrate and showcase how security systems can be taken down with ease. This 2-day conference, in a very casual and relaxed setting, is targeted towards information security researchers, engineers and technical professionals. http://www.takedowncon.com
III Security Forum will take place in the Technical School in Carlos Casares, Buenos Aires, Argentina. Security experts will talk on the following: 2600 & BuenosAiresLibre.org; checking your company's security; Privacy in Social Networks, impossible mission?; Wireless Hacking; Secure Solution with *BSD. http://www.eetcasares.org/
Comment
Say Hello to Red Team Testing!
Security Art's Red Team service operates on all fronts on behalf of the organization, evaluating all information security layers for possible vulnerabilities. Only Red Team testing provides you with live feedback on the true level of your organizational security.
Thinking creatively! That's our approach to your test.
Security Art's Red-Team methodology consists of:
1. Information and intelligence gathering
2. Threat modeling
3. Vulnerability assessment
4. Exploitation
5. Risk analysis and quantification of threats to monetary values
6. Reporting
www.security-art.com
STANDARDS
Building a Better
Penetration Test Report
Do you build reports for your penetration tests? Want to make
them more useful and more readable? This article is for you.
Various tips are spelled out that have proven effective for the
author over the years.
and off you go. This is not, or should not be, further from the case. Remember, whether you're a third-party tester or an internal tester, the executives pay your bills, so be nice to them! The reports I reviewed basically had an executive summary that said either "Your stuff is broken beyond repair" or "You need to pay us to come fix it for you". Neither is really a good message to send to non-technical executives. Below are some tips for driving the point home without being insulting and without over- or understating the problems.
Executive Summaries
Vulnerability Reporting
rely 100% on the scan data, but you use it. The question is, should you just, by default, provide the scan data with your report? This one causes a pretty heated argument in my head. On one hand I think you should just include the full tool data with your report: you used a scanner, some web application discovery tool, etc., so you should provide the raw data. On the other hand I balance this with the fact that the number one complaint I hear about penetration testing reports is "they dropped 60 pounds of paper on my desk and just left it there, what am I supposed to do with that?" Here is what I think should be done with tool data:
course, you only used Web Killer 2020 as the only tool. That just shows a lack of attention to detail. Yet another example from my report review: EVERY vulnerability was found with AppScan. Now I'm not denigrating AppScan at all (that's another article) but it should never, ever be the only tool you use in your work. No tool should be. You should develop a varied ecosystem of tools that you use in particular circumstances, and don't be afraid to add new ones, after an appropriate test period of course.
Remediation
Re-test
Report Tips
BILL MATHEWS
Bill Mathews is co-founder and lead geek of Hurricane Labs, an information security firm founded in 2004. Bill wrote this article while recovering from pneumonia, so any errors are purely the result of medication. :-) You can reach Bill @billford on Twitter and read other musings on http://blog.hurricanelabs.com
BLACK BOX
Test and Run definitions (the test binds the state model, the WinDbg agent and a listening TCP publisher; the run names the test and a filesystem logger):

    <Test name="test1">
      <StateModel ref="sm"/>
      <Agent ref="windbg"/>
      <Publisher name="socket" class="tcp.TcpListener">
        <!-- host/port Params of the listener were cut off in the source -->
      </Publisher>
    </Test>

    <Run name="DefaultRun">
      <Test ref="test1"/>
      <Logger class="logger.Filesystem">
        <!-- the start of this path was cut off in the source -->
        <Param name="path" value="peach2.3.8\peach\logs" />
      </Logger>
    </Run>
    </Peach>

    <!-- stray fragment from the same page, element unknown: Launcher"/> -->
In the vulnerability research area, there has been
a considerably greater effort in fuzzing servers than
fuzzing clients. The reason for this is that clients
Listing 3. Actions within a State (fragment: only the attributes survived extraction, the element bodies did not)

    <Action ... publisher="socket"/>
    <Action ... method="dostart" publisher="socket"/>

The agent referenced from the test, which attaches the Windows Debug Engine to the client launched by CommandLine:

    <Agent name="windbg">
      <Monitor class="debugger.WindowsDebugEngine">
        <!-- value joined from two fragments on this page: "c:\" and "Peach2.3.8\mytest\launcher.html" -->
        <Param name="CommandLine" value="c:\Peach2.3.8\mytest\launcher.html" />
      </Monitor>
    </Agent>

Listing 4. StateModel

    <StateModel name="sm" initialState="initial">
      <State name="initial">
        <!-- the type attributes are not legible in the source; accept / input / output / close
             is the usual sequence for a tcp.TcpListener that fuzzes a connecting client -->
        <Action type="accept" publisher="socket"/>
        <Action type="input" publisher="socket">
          <DataModel ref="Request_Model"/>
        </Action>
        <Action type="output" publisher="socket">
          <DataModel ref="Response_Model"/>
        </Action>
        <Action type="close" publisher="socket"/>
      </State>
    </StateModel>

    <DataModel name="Request_Model">
      <String name="client_request"/>
    </DataModel>
    <DataModel name="Response_Model">
      <!-- body continues in the Block fragment listed further down -->
    </DataModel>

About Peach
    <html>
    <body>
    <script>
    var id = "myiframeid";
    // Reload interval in milliseconds; the value used in the article is not on the page.
    var timeout = 1000;
    // Create the first frame so that removeChild() has something to remove on the first pass.
    var iframe = document.createElement("iframe");
    iframe.setAttribute("id", id);
    document.body.appendChild(iframe);
    function setIframe() {
      // Drop the old frame and point a fresh one at the fuzzer's listener, so the
      // browser opens a new connection (and receives a new test case) each time.
      document.body.removeChild(iframe);
      iframe = document.createElement("iframe");
      iframe.setAttribute("src", "http://127.0.0.1");
      iframe.setAttribute("id", id);
      document.body.appendChild(iframe);
      setTimeout(setIframe, timeout);
    }
    setTimeout(setIframe, timeout);
    </script>
    </body>
    </html>
Tail of the WinDbg monitor definition (the CommandLine launches the iframe page above):

        <Param name="CommandLine" value="c:\Peach2.3.8\mytest\launcher.html" />
      </Monitor>

Block of the response DataModel (the child elements of the String entries were lost in extraction):

      <Block>
        <String value="Thu"/>
        <String value="Jan"/>
        <String value="2020"/>
      </Block>
    </DataModel>
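What the pit above configures, as an added example in plain Python rather than Peach (this is not the article's code and not Peach's): a listener in the role of tcp.TcpListener waits for the client, the browser reloading the iframe from launcher.html, to connect, and answers every connection with an HTTP response in which one token of the Date header has been replaced by a Peach-style string mutation. The Thu / Jan / 2020 Strings of the DataModel are assumed to be the fields of such a Date header; the port, the mutator list and the response body are assumptions too. Crash detection, the job of the WinDbg agent in Peach, is out of scope here.

```python
"""Minimal client-side fuzzer: listen, accept the client, serve one mutated response."""
import socket
import threading

# One token per field, like the Strings of the Block in the DataModel; MUTABLE marks
# the fields worth mutating, the others are separators that keep the header parseable.
DATE_TOKENS = ["Thu", ", ", "01", " ", "Jan", " ", "2020", " ", "00:00:00", " GMT"]
MUTABLE = (0, 2, 4, 6, 8)


def string_mutations(value):
    """A small Peach-like set of string mutators applied to one token."""
    yield "long-A", "A" * 5000
    yield "repeat", value * 500
    yield "format", "%s%n%x" * 8
    yield "nul", value + "\x00" + value
    yield "empty", ""
    yield "bignum", "99999999999999999999"
    yield "negnum", "-1"


def build_response(date_value, body=b"<html><body>fuzz</body></html>"):
    """Assemble a complete HTTP/1.1 response around the (mutated) Date value."""
    head = ("HTTP/1.1 200 OK\r\n"
            "Date: %s\r\n"
            "Content-Type: text/html\r\n"
            "Content-Length: %d\r\n"
            "Connection: close\r\n\r\n" % (date_value, len(body)))
    return head.encode("latin-1") + body


def generate_cases():
    """Return [(case_id, response_bytes)]: every mutable token times every mutator."""
    cases = []
    for idx in MUTABLE:
        for name, mutated in string_mutations(DATE_TOKENS[idx]):
            tokens = list(DATE_TOKENS)
            tokens[idx] = mutated
            cases.append(("token%d-%s" % (idx, name), build_response("".join(tokens))))
    return cases


def serve_one(listener, payload):
    """Accept one connection, read the client's request headers, send the payload.
    Returns the raw request so the caller can log what the client asked for."""
    conn, _ = listener.accept()
    conn.settimeout(5)
    request = b""
    try:
        while b"\r\n\r\n" not in request:
            chunk = conn.recv(4096)
            if not chunk:
                break
            request += chunk
        conn.sendall(payload)
    finally:
        conn.close()
    return request


def fuzz_client(host="127.0.0.1", port=8080):
    """Serve one case per connection; launcher.html keeps reloading the iframe, so each
    reload pulls the next case while a debugger watches the client. Returns ids served."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))
    listener.listen(1)
    served = []
    try:
        for case_id, payload in generate_cases():
            serve_one(listener, payload)
            served.append(case_id)
            print("served", case_id)
    finally:
        listener.close()
    return served


def loopback_roundtrip(payload):
    """Self-check without a browser: serve payload on an ephemeral loopback port to a
    local client; returns (request seen by the server, bytes received by the client)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    seen = {}
    worker = threading.Thread(target=lambda: seen.setdefault("req", serve_one(listener, payload)))
    worker.start()
    client = socket.create_connection(("127.0.0.1", port), timeout=5)
    client.sendall(b"GET / HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n")
    received = b""
    while True:
        chunk = client.recv(65536)
        if not chunk:
            break
        received += chunk
    client.close()
    worker.join()
    listener.close()
    return seen["req"], received


if __name__ == "__main__":
    fuzz_client()
```

With the default port the iframe src in launcher.html has to carry :8080; point the src at the port the listener binds. Mutating one field at a time keeps every case attributable: when the client dies, the case id names the field and the mutator that killed it.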
Conclusion
ADRIAN FURTUNA
Adrian Furtuna works as a Senior Advisor at KPMG Romania where he is involved in penetration testing, vulnerability assessment and security audit projects. Adrian has a particular interest in offensive security techniques which he studies as part of his PhD program at the Military Technical Academy of Bucharest. He has also published a number of scientific articles at various conferences discussing Red Teaming activities, cyber defense exercises and denial of service attacks. Adrian can be contacted by email at adif2k8@gmail.com.
Comment
Clients Less Important Than Servers
NETWORK SECURITY
Dueling Apache
Tomcat
Setting up a JSP-enabled web server is cumbersome and complex.
Apache Tomcat aims to solve this dilemma by providing a quick,
easy, and cost-effective solution for developers to deploy their
applications and services. While this is great for functionality,
its default configuration can greatly decrease the security of a
network.
JOVON ITWARU
Jovon Itwaru is lead security analyst at Core Defend Technologies. He provides a holistic approach to security that allows clients to better understand security and the role they must take in proactively defending their network. He can be reached at jovon@coredefend.com. More information about the company can be found at http://www.coredefend.com
Contribute
Penetration Testing Magazine is a community-oriented magazine. We want IT security specialists and enthusiasts to work together and create a magazine of the best quality, attractive to every individual and enterprise interested in the penetration testing field.
If you are interested in being a part of our community, submit an article or bring up a subject you consider important and up-to-date. Are there any trends on the market you'd like to take a closer look at? Are there any tools or solutions worth reviewing or presenting to the community? Are there any touchy and controversial issues you feel have to be discussed in public? Then share your opinions with us.
If you run an IT security company, your contribution is most welcome. Tell us about your solutions and advertise in the magazine for free, or have a special issue devoted exclusively to you. As long as you provide top-notch quality in your writings, we are always ready to cooperate and help your company develop with us.
Are you a student? We're looking forward to your articles! Fresh attitude, opinions and beliefs of the young and budding IT security gurus are invaluable for us. You will give your career a great start when you write to a respectable IT magazine.
Sections:
White Box
Black Box
Web Security
Network Security
Wireless Security
Application Security
Standards and Methodologies
How To
Open Source Intelligence
Vulnerabilities
Imagine you see that the file accepts two GET parameters: the first one is loggedin=1 and the second is downfile=info.pdf. Obviously, if the pseudo-file info.pdf can be downloaded with this call, the penetration tester should try to download other files, perhaps the well-known /etc/passwd. An automated scanner will try
Humans vs. Machines

    Criterion                        Humans            Machines
    Finding Advanced 0days           Yes               No (Requires AI)
    Simultaneous Requests            No                Yes
    Smart Interpreting of Results    Yes               No (Requires AI)
    Massive Variations in Requests   Time consuming!   Yes
    (row label lost)                 Time consuming!   Yes
    (row label lost)                 Yes               No (Requires AI)
    (row label lost)                 Time consuming!   Yes
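The downfile=info.pdf case described above, as an added example that is not part of the article: a download handler written the way the text warns about, the hardened form a tester would recommend, and the handful of probes a human sends once info.pdf is known to work. The web root, the file names and the function names are assumptions for illustration; the site layout is constructed on the fly so the code runs anywhere.

```python
"""Arbitrary file download via a 'downfile' parameter: vulnerable and hardened handlers."""
import os
import tempfile
from urllib.parse import unquote


def make_site():
    """Constructed layout: <tmp>/htdocs/info.pdf is the legitimate download and
    <tmp>/secret.txt sits one level above the web root. Returns the web root."""
    base = tempfile.mkdtemp(prefix="pentest_")
    root = os.path.join(base, "htdocs")
    os.mkdir(root)
    with open(os.path.join(root, "info.pdf"), "wb") as f:
        f.write(b"%PDF-1.4 constructed sample\n")
    with open(os.path.join(base, "secret.txt"), "wb") as f:
        f.write(b"outside the web root\n")
    return root


def download_vulnerable(root, downfile):
    """The pattern the article describes: the parameter is joined to the root with no
    check, so ../ sequences escape the root and an absolute path replaces it entirely."""
    path = os.path.join(root, unquote(downfile))  # unquote stands in for the framework's URL decoding
    with open(path, "rb") as f:
        return f.read()


def download_hardened(root, downfile):
    """Resolve the request to a real path and refuse anything outside the root."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, unquote(downfile)))
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:  # different drives on Windows: certainly not inside
        inside = False
    if not inside:
        raise PermissionError("refused: %r" % downfile)
    if not os.path.isfile(candidate):
        raise FileNotFoundError(candidate)
    with open(candidate, "rb") as f:
        return f.read()


# What a tester tries by hand after info.pdf works. A scanner fires the same strings in
# bulk; the human chooses them from what the application did with the first request.
PROBES = [
    "info.pdf",            # the legitimate request, must keep working
    "../secret.txt",       # plain traversal
    "..%2fsecret.txt",     # encoded slash
    "%2e%2e/secret.txt",   # encoded dots
    "....//secret.txt",    # naive '../' stripping bypass
    "/etc/passwd",         # absolute path, the classic from the text
]


def run_probes(handler, root, probes=PROBES):
    """Return {probe: 'ok' | 'refused' | 'missing'} for one handler."""
    results = {}
    for probe in probes:
        try:
            handler(root, probe)
            results[probe] = "ok"
        except PermissionError:
            results[probe] = "refused"
        except OSError:  # FileNotFoundError, IsADirectoryError, NotADirectoryError
            results[probe] = "missing"
    return results


if __name__ == "__main__":
    site = make_site()
    for name, handler in (("vulnerable", download_vulnerable), ("hardened", download_hardened)):
        print(name, run_probes(handler, site))
```

The hardened version decodes, resolves symlinks and compares the canonical prefix; rejecting the literal string ".." is not enough, as the encoded and doubled variants in PROBES show.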
HANS-MICHAEL VARBAEK
Hans-Michael Varbaek has been in the hacking community for a little over 10 years now, though with shorter and longer breaks from time to time. Around 5 years ago he decided to get back after a long period of inactivity, where he began creating custom cheats for WoW (Mountain Climbing, No Clip, etc.). A year later he began his education as a SysAdmin, and during this time he created InterN0T after brainstorming like crazy. Then he moved to Sweden to work within IT support, with some of the big manufacturers of products like printers, cameras, and so forth. Meanwhile, he discovered his first 0days in Web Applications, and a year later he went for CTP+OSCE, which he completed successfully. Shortly thereafter he began blogging about Web Application Security at Exploit-DB.
HOW-TO
Operationalizing
Tools Needed:
    <testcases>
      <case
        id="1"
        url="http://192.168.38.156/login.php"
      />
      <case
        id="2"
        url="http://192.168.38.156/login.php"
        postbody="username=admin&password=password"
      />
    </testcases>
BILL MATHEWS
TOOLS
Pulling Shellcode From Network Stream
In computer security terms, shellcode is used as the payload when exploiting a software vulnerability. It consists of a small piece of code whose execution may result in the attacker starting a command shell from which the attacker can control the compromised computer; hence the term shellcode. But its function is not limited to spawning a shell only; it can go the other way around as well.
Shellcode can either be local or remote, depending on whether it gives an attacker control over the machine it runs on (local) or over another machine through a network (remote) [1]. Shellcode can usually be seen and grabbed from the network stream with the help of the proper tools in hand. The Metasploit framework provides ready-to-run shellcode modules that can be compiled easily. In the early days of exploitation, working with shellcode required lots of coding and programming effort; Metasploit has simplified this in its framework. In this article, we will use several security tools to pull the shellcode from a network stream and analyze the output.
Figure 1. Snort Rule and Signature
Tools Used
Sguil
and event-driven analysis of IDS alerts. Sguil's main component is an intuitive GUI that provides access to a wide variety of security-related information, including real-time IDS alerts, a network session database and full packet
Figure 5. Wireshark
Wireshark
Libemu
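The manual step between Wireshark and libemu, pulling the shellcode bytes out of a captured TCP payload, as an added example in C that is not the article's own code: it locates the NOP sled [5] that precedes the payload, carves the sled and everything after it, and emits the result both as a raw file for sctest (libemu) or shellcode_2_exe [7] and as a C-escaped string for a test harness. The payload in the block is constructed for the example, not a real capture; the eight instruction bytes after the sled stand in for a real payload, and the sled threshold of 16 bytes is an assumption.

```c
/* Carve a suspected shellcode blob out of a captured TCP payload by finding its NOP sled. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define NOP 0x90u
#define MIN_SLED 16   /* assumed: fewer consecutive NOPs than this is not treated as a sled */

/* Constructed sample payload (not a real capture): 8 bytes of protocol text, a 32-byte
 * NOP sled, 8 stand-in instruction bytes and a trailing line end. */
static const unsigned char sample_payload[] = {
    'U','S','E','R',' ','A','A','A',
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    0x31,0xc0,0x50,0x68,0x2f,0x2f,0x73,0x68,
    '\r','\n'
};
#define SAMPLE_LEN (sizeof sample_payload)

/* Locate the first run of at least min_len consecutive 0x90 bytes.
 * Returns the offset of the run, or -1 if none; *run_len (if given) receives its length. */
long find_nop_sled(const unsigned char *buf, size_t len, size_t min_len, size_t *run_len)
{
    size_t i = 0;
    while (i < len) {
        if (buf[i] == NOP) {
            size_t j = i;
            while (j < len && buf[j] == NOP) j++;
            if (j - i >= min_len) {
                if (run_len) *run_len = j - i;
                return (long)i;
            }
            i = j;
        } else {
            i++;
        }
    }
    return -1;
}

/* Copy the sled and everything after it into out. The sled is kept on purpose: an
 * emulator can then start at offset 0 and slide into the payload, as the CPU would.
 * Returns the number of bytes copied, or 0 if no sled was found or out is too small. */
size_t carve_shellcode(const unsigned char *buf, size_t len, size_t min_len,
                       unsigned char *out, size_t out_cap)
{
    size_t run = 0;
    long off = find_nop_sled(buf, len, min_len, &run);
    if (off < 0) return 0;
    size_t n = len - (size_t)off;
    if (n > out_cap) return 0;
    memcpy(out, buf + off, n);
    return n;
}

/* Render bytes as a "\x90\x31..." C string for pasting into a harness. Returns the
 * string length written (without the terminator), or 0 if out cannot hold it. */
size_t to_c_escaped(const unsigned char *buf, size_t len, char *out, size_t out_cap)
{
    if (out_cap < len * 4 + 1) return 0;
    size_t pos = 0;
    for (size_t i = 0; i < len; i++)
        pos += (size_t)sprintf(out + pos, "\\x%02x", buf[i]);
    out[pos] = '\0';
    return pos;
}

/* Write the carved bytes to a raw file. Returns 0 on success. */
int write_raw(const char *path, const unsigned char *buf, size_t len)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t written = fwrite(buf, 1, len, f);
    fclose(f);
    return written == len ? 0 : -1;
}

int main(void)
{
    unsigned char carved[256];
    char escaped[1024];
    size_t n = carve_shellcode(sample_payload, SAMPLE_LEN, MIN_SLED, carved, sizeof carved);
    if (n == 0) {
        puts("no NOP sled found");
        return 1;
    }
    to_c_escaped(carved, n, escaped, sizeof escaped);
    printf("carved %zu bytes starting at the sled:\n%s\n", n, escaped);
    return write_raw("carved.bin", carved, n);
}
```

The raw file is what the emulator consumes, e.g. sctest -S -s 100000 < carved.bin; a sled of single 0x90 bytes is only the simplest case, and real payloads use other one-byte instructions as filler, so the threshold and the byte value are the two knobs to adjust when a stream looks suspicious but no run is found.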
Shellcode Analysis
Conclusion
References
[1] http://en.wikipedia.org/wiki/Shellcode
[2] http://sguil.sourceforge.net/
[3] http://libemu.carnivore.it/
[4] http://www.phreedom.org/solar/honeynet/scan20/scan20.html
[5] http://en.wikipedia.org/wiki/NOP
[6] http://msdn.microsoft.com/en-us/library/ms742212%28v=vs.85%29.aspx
[7] http://sandsprite.com/shellcode_2_exe.php
[8] http://malzilla.sourceforge.net/
INTERVIEW
Interview with
Gary McGraw,
Ph.D. CTO Cigital
findings and talk about them. There will be BSIMM3 soon, in which even more companies will participate; we're shooting for forty. There will also be BSIMM Longitudinal, which amounts to studies done over time for some firms (ten so far). We will once again release all of these data publicly, so that everyone in the field and everyone in security can use it and think about metrics and measurements in a much more serious fashion than has been done in the past.