Improving Application Security through Penetration Testing

Dominick Baier (dbaier@ernw.de), Security Consultant / BS 7799 Lead Auditor, ERNW GmbH

Outline
• What is Penetration Testing and Auditing
• Standards and Ethics
• The Process of Testing
• Pen-Testing Web Applications
• The Tools

"Improving the Security of Your Site by Breaking Into it"
(Dan Farmer/Wietse Venema, 1993)
http://www.fish.com/security/admin-guide-to-cracking.html


Penetration Testing vs. Auditing
• Penetration Testing
  - Simulating a motivated attacker for a specific amount of time
  - Black Box / White Box approach
  - Is more like a snapshot of the current security of a system or a business process
• Auditing - Analyzing
  - Configuration files
  - Architecture
  - Source code
  - Operational plans and procedures
  - Policy conformance

Why Penetration Testing
• To measure the security of a system, network or a business process
  - By a third party
• To assess possible risks
• To make upper management "security aware"

Possible Goals of a Penetration Test
• How much information about our network is publicly available?
• Is it possible to compromise this and that system?
• Is it possible to disturb business process X?
• How effective are our security controls?
  - Firewall
  - AntiVirus / Spam / Content Filter
  - Intrusion Detection Systems
• Is our Information Security Policy correctly enforced?
• Can employees compromise workstation security?
• "Are we safe?"

What can be tested
• Servers and Workstations
  - Web Server
  - Database Server
  - Domain Controller
  - Workstations
• Infrastructure
  - Network Devices
  - Wireless Networks
  - Dial-In Access
  - VPNs
• Applications
• Employees (Social Engineering)

Attackers to simulate
• Outside Attackers
  - Script Kiddies
  - Competitors
  - Terrorists
  - Journalists
• Insiders
  - Employees
  - Disgruntled Employees
  - Contractors
  - Consultants

Standards
• Pete Herzog's OSSTMM "Open Source Security Testing Methodology Manual"
  - Very practical approach
  - Checklists of what to test and in which order
  - List of tools
• ISO 17799 / BS 7799 Standard for Information Security
  - Focuses more on the policy and paperwork side of security
  - Extensive catalog of security controls
  - Defines a standard for audits
• NIST Guidelines for Network Security Testing

Ethics
• Findings are under strict NDAs
• No information gathered during the test
  - is sent in clear text over the internet
  - is used for personal profit
• ISACA Code of Professional Ethics
• (ISC)² Code of Ethics
• Full Disclosure

The STRIDE Threat Model
• STRIDE
  - Spoofing Identity
  - Tampering with data
  - Repudiation
  - Information Disclosure
  - Denial of Service
  - Elevation of Privilege

The Pen-Tester's Mantra
• Segregation of Duties
• Minimal Machine
• Least Privilege
• Patch-Level
• Defense in Depth
• Secure the Weakest Link
• Strong Authentication

Course of Actions
• Opening Meeting
  - Goals of the Pen-Test
  - Scope
  - Responsible Admins
• The Audit / Test itself
• The Report
  - Found issues
  - Countermeasures
  - Prioritization
• Closing Meeting

Stages of a Pen-Test
• Gathering Information
• Analyzing the Infrastructure
• Analyzing the Machines
  - Fingerprinting
  - Port / Vulnerability Scanning
  - Attacking the System / Proof of Concept
• Analyzing Applications
  - Functional / Structural Analysis
  - Attacking Authentication and Authorization
  - Attacking Data and Back-End Communication
  - Attacking Clients

Information Gathering
• In this phase you try to compile as much publicly available information as possible
  - Internic
  - IANA / RIPE
  - Whois
  - Google / Usenet
  - Private homepages of employees
  - Email Addresses
  - Telephone numbers

Information Gathering
• Google Search Syntax
  - allintitle:"Index of /etc"
  - site:gov site:mil site:ztarget.com
  - filetype:doc filetype:pdf
  - intitle:, inurl:, allinurl:
  - allinurl:mssql, allinurl:gw …
  - inurl:".aspx?ReturnUrl="
  - "+www.ernw.+de"
  - related:www.ernw.de
  - login site:www.microsoft.com
  - [cached] filetype:xls

Information Gathering
• Mailing-Lists / Forums / Usenet
  - Some vendors even post internal support questions to public newsgroups

Analyzing the Infrastructure and Machines
• A layered model
  (figure: each machine as a stack of layers, top to bottom: Data, Application, Service, OS, Network)

Analyzing the Infrastructure and Machines
• The Reality
  (figure: Browser, Web Server, Application Server, Database Server and Auth Database, connected via HTTP, DCOM / CORBA, Sockets and LDAP; data held in Web Content, Audit Logs and the Database)

Analyzing the Infrastructure and Machines
• Querying System and DNS Information
• Portscanning
• Fingerprinting
• Vulnerability Scanning
• Exploiting a Vulnerability

Querying System and DNS Information
• TraceRoute
  - Tracing the network route gives you information about
    • The provider
    • Type of connection - Simple / Redundant / Load Balanced
  - At which hop does ICMP get blocked?

Querying System and DNS Information
• DNS Zone Transfer
  - DNS servers should be configured to allow zone transfers only to specific peers
  - DNS zones are very interesting
    • Which machines are listed in the zone
    • Get information about the IP network structure

Portscanning & Fingerprinting
• Port scanning gives you information about which ports a machine listens on
• Every open port is potentially vulnerable
• More advanced scanners try to figure out what kind of software (+ vendor and version) is installed
• Most popular port scanners
  - SuperScan (www.foundstone.com)
  - NMAP (www.insecure.org/nmap)

Banner Grabbing
• Connect with Netcat or Telnet to a service
• You will often get detailed information

Vulnerability Scanner
• Automated scanners that check for known vulnerabilities
  - They often give you more information for vulnerability investigation
• There are vulnerability and exploit databases on the internet
  - SecurityFocus (www.securityfocus.com)
  - Packet Storm (www.packetstormsecurity.com)

Vulnerability Scanner
• System / Host Scanner
  - Nessus (www.nessus.org)
  - Retina (www.eeye.com)
  - ISS Security Scanner (www.iss.net)
  - Microsoft MBSA (www.microsoft.com)
• Database Scanner
  - MetaCoreTex (www.metacoretex.com)
  - AppSecInc AppDetective (www.appsecinc.com)
  - ISS Database Scanner (www.iss.net)
• Web Server Scanner
  - Nikto (www.cirt.net)

Vulnerability Investigation
• www.securityfocus.com/bid
• www.packetstormsecurity.org

Pen-Testing Web Applications
• Visualize the HTTP traffic
  - Sniffer (e.g. Ethereal)
  - Web proxies
    • Achilles (http://packetstormsecurity.nl/web/achilles-0-27.zip)
    • Fiddler (www.fiddlertool.com)
    • WebProxy (www.atstake.com)
    • Wfetch & Tinyget (IIS6 Resource Kit)
  - Hand-craft HTTP requests

Structural analysis table (example):

Page        Path      Auth?  SSL?  GET/POST  Comment
Index.aspx  /         N      N
login.aspx  /login/   N      Y     POST      Login Page
about.aspx  /about/   N      N               Email Addresses

Structural Analysis
• ...or graphical

Pen-Testing Web Applications
• Try some URLs
  - Common directories
    • /html, /images, /jsp, /cgi
  - "Hidden" directories
    • /admin, /secure, /adm, /management
  - Backup and log files
    • /.bak, /backup, /back, /log, /logs, /archive, /old
  - Include files
    • /include, /inc, /js, /global, /local
  - Localized versions
    • /de, /en, /1033
  - trace.axd
• Look at the HTTP status codes
  - Everything besides 404 is interesting

Pen-Testing Web Applications
• Look for
  - Cascading Style Sheets (.css)
  - XML files / XML stylesheets (.xml / .xsl)
  - JavaScript files (.js)
  - Include files (.inc)
  - Text files (.txt)
  - Comments
  - Client-side validation
  - Forms
    • Hidden fields
    • Password fields
    • MaxLength attributes

Pen-Testing Web Applications
• "Odd" query strings
  - www.site.com/show.aspx?content=marketing.xml
  - www.site.com/UserArea/default.php?UserID=5
  - www.site.com/dbsubmit.php?Title=Mr&Phone=123
  - www.site.com/menu.asp?sid=73299
• Cookie values

Canonicalization Errors
• Popular examples - Apache Web Server, Microsoft IIS 5, ISS Firewall, Microsoft IE4
  - /scripts and /SCRIPTS
  - ../ and .%2e%2f
  - action=delete and action=%64elete
  - Dotless IP bug
• ASP.NET Authorization Canonicalization Bug
  - http://localhost/formsec/secure%5csecret.aspx

Resource Names
• Example
  http://server/cms/show.aspx?file=content.xml
• Can I use this page to show other files?
  http://server/cms/show.aspx?file=../web.config
• Try some variations
  http://server/cms/show.aspx?file=../web.config.
  http://server/cms/show.aspx?file=../web.config::$DATA
  http://server/cms/show.aspx?file=..%5cweb.config
  http://server/cms/show.aspx?file=..%255cweb.config
  http://server/cms/show.aspx?file=..%%35%63web.config
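An added example (not from the slides) of why the variations above matter on the defending side: a naive substring filter on the raw `file` value is placed beside a handler that decodes and canonicalizes the name first and only then confines it to the content directory. `BASE_DIR`, `naive_check` and `is_safe_resource` are constructed for this illustration, not code from the original deck.

```python
import posixpath
from urllib.parse import unquote

BASE_DIR = "/inetpub/wwwroot/cms/content"   # constructed content root


def naive_check(requested: str) -> bool:
    """The broken approach: a substring filter on the raw query-string value."""
    return "../" not in requested and "..\\" not in requested


def canonicalize(name: str, max_rounds: int = 3) -> str:
    """Reduce a requested file name to one canonical form before any check."""
    # Decode until stable: %255c -> %5c -> "\"  and  %%35%63 -> %5c -> "\"
    for _ in range(max_rounds):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    name = name.replace("\\", "/")      # IIS / Windows treat "\" as a separator
    name = name.split("::", 1)[0]       # drop an NTFS stream suffix such as ::$DATA
    name = name.rstrip(". ")            # NTFS ignores trailing dots and spaces
    return name


def is_safe_resource(requested: str, base_dir: str = BASE_DIR) -> bool:
    """Hardened approach: canonicalize, resolve, then confine to base_dir."""
    canon = canonicalize(requested)
    if canon == "" or "\x00" in canon or canon.startswith("/"):
        return False
    target = posixpath.normpath(posixpath.join(base_dir, canon))
    return target.startswith(base_dir.rstrip("/") + "/")


if __name__ == "__main__":
    # The slide's example plus its five variations, run through both checks.
    for name in ["content.xml", "../web.config", "../web.config.",
                 "../web.config::$DATA", "..%5cweb.config",
                 "..%255cweb.config", "..%%35%63web.config"]:
        print(f"{name:24} naive={naive_check(name)!s:5} "
              f"hardened={is_safe_resource(name)}")
```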

Testing for SQL Injection
• Test whether you can inject SQL code via forms
• If the programmer simply concatenates user input with SQL statements, a database compromise is most likely possible
• Try to generate errors
  - Insert a ' character
  - Does the application behave differently?
  - Is maybe even a database error returned?
• You can execute nasty statements through SQL Injection
  - Union
  - Drop...
  - XP_CMDSHELL
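An added example, not from the slides, showing the ' probe described above against a concatenated query and against a parameterized one; the in-memory SQLite user table, `lookup_vulnerable`, `lookup_safe` and `probe` are constructed for the illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """What the slide warns about: form input concatenated straight into the SQL text."""
    sql = "SELECT id, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the value travels separately and is never parsed as SQL."""
    return conn.execute("SELECT id, role FROM users WHERE name = ?", (name,)).fetchall()


def probe(lookup, name: str) -> str:
    """Run one form value through a lookup and classify the outcome the way a
    tester would: a database error surfaced, or a row count with no error."""
    try:
        rows = lookup(make_db(), name)
    except sqlite3.DatabaseError as exc:
        return "database error: " + str(exc)
    return "rows=%d" % len(rows)


if __name__ == "__main__":
    # A normal name, the slide's single quote, and a legitimate name containing one.
    for value in ["alice", "'", "O'Reilly"]:
        print(repr(value), "vulnerable ->", probe(lookup_vulnerable, value))
        print(repr(value), "safe       ->", probe(lookup_safe, value))
```

The concatenated version leaks a parser error for any value containing a quote, which is exactly the behavioural difference the tester looks for; the parameterized version returns zero rows and gives nothing away.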

Testing for Cross Site Scripting
• Cross Site Scripting lets an attacker inject script code into web pages
• This happens when the application directly outputs client input without proper HTML encoding
• Can be hard to find - look in
  - Query strings
  - Form fields
  - HTTP headers
• Enables cookie stealing / harvesting attacks
• Many developers rely on ASPX's ValidateRequest
  - Try <%00...> encoding
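An added example (not from the slides) contrasting a block-list input filter with output encoding at the point of use. The regex is a constructed stand-in for a ValidateRequest-style filter, the page template and `injected_tag` are constructed too, and the null-byte value is the variant the last bullet refers to.

```python
import html
import re

# Constructed stand-in for a block-list input filter in the spirit of ValidateRequest:
# reject "<" that is directly followed by a letter, "/", "!" or "?".
_BLOCKLIST = re.compile(r"<[A-Za-z/!?]")


def blocklist_accepts(value: str) -> bool:
    """True when the block-list filter would let the input through unchanged."""
    return _BLOCKLIST.search(value) is None


def render_vulnerable(name: str) -> str:
    """Directly outputs client input into the page, as the slide warns against."""
    return "<p>Hello, " + name + "</p>"


def render_safe(name: str) -> str:
    """Output-encodes at the point of use, so markup characters become entities."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def injected_tag(page: str) -> bool:
    """Crude check: did any tag other than the template's own <p> survive into the output?"""
    body = page[len("<p>Hello, "):-len("</p>")]
    return re.search(r"<[^<>]*>", body) is not None


if __name__ == "__main__":
    # A harmless name, a plain tag, and the tag with an embedded null byte.
    for value in ["Dominick", "<script>", "<\x00script>"]:
        print(repr(value),
              "| filter accepts:", blocklist_accepts(value),
              "| tag in raw output:", injected_tag(render_vulnerable(value)),
              "| tag in encoded output:", injected_tag(render_safe(value)))
```

The block list stops the obvious tag but passes the null-byte variant straight through to the raw template, whereas encoding neutralizes both without needing to recognize either.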

Tools
• Automatic mirroring of web sites
  - wget (www.gnu.org/directory/wget.html)
  - Black Widow (www.softbytelabs.com)
  - Teleport Pro (www.tenmax.com)
• Web Scanner
  - WebInspect (www.spidynamics.com)
  - NStealth (www.nstalker.com)
• ASP.NET specific scanners
  - ASP.NET Security Analyzer (www.owasp.org)
  - ASP.NET Shared Hosting Analyzer (www.owasp.org)

Conclusion
• Pen-Testing is not black magic
• Very systematic procedure
• If you follow the 7 golden rules, you can eliminate most of the vulnerabilities
• Do regular Pen-Tests or Audits - you can only benefit
  - Internal and third party

Questions?

You can download the slides from www.leastprivilege.com

Links
• OSSTMM - www.isecom.org
• NIST Draft Guidelines to Network Security Testing - http://csrc.nist.gov/publications/drafts/security-testing.pdf
• (ISC)² Code of Ethics - https://www.isc2.org/cgi/content.cgi?category=12
• ISACA Code of Professional Ethics - http://www.isaca.org/Template.cfm?Section=Code_of_Ethics1

Links
• Wfetch - http://download.microsoft.com/download/d/e/5/de5351d64463-4cc3-a27c-3e2274263c43/wfetch.exe
• NetCat - http://www.atstake.com/research/tools/network_utilities/nc11nt.zip