2
"Improving the Security of Your Site by
Breaking Into it"
(Dan Farmer/Wietse Venema, 1993)
http://www.fish.com/security/admin-guide-to-cracking.html
3
Penetration Testing vs. Auditing
• Penetration Testing
- Simulating a motivated attacker for a specific amount of time
- Black Box / White Box Approach
- Is more like a snapshot of the current security of a system or a business process
• Auditing
- Analyzing
• Configuration Files
• Architecture
• Source Code
- Policy conformance
• Operational Plans and Procedures
4
Why Penetration Testing
5
Possible Goals of a Penetration Test
6
What can be tested
7
Attackers to simulate
• Outside Attackers
- Script Kiddies
- Competitors
- Terrorists
- Journalists
• Insiders
- Employees
- Disgruntled Employees
- Contractors
- Consultants
8
Standards
9
Ethics
• Full Disclosure
10
The STRIDE Threat Model
• STRIDE
- Spoofing Identity
- Tampering with data
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege
11
The Pen-Tester's Mantra
• Segregation of Duties
• Minimal Machine
• Least Privilege
• Patch-Level
• Defense in Depth
• Secure the Weakest Link
• Strong Authentication
12
Course of Actions
• Opening Meeting
- Goals of the Pen-Test
- Scope
- Responsible Admins
• The Report
- Found issues
- Countermeasures
- Prioritization
• Closing Meeting
13
Stages of a Pen-Test
• Gathering Information
• Analyzing the Infra-Structure
• Analyzing the Machines
- Fingerprinting
- Port / Vulnerability-Scanning
- Attacking the System / Proof of Concept
• Analyzing Applications
- Functional / Structural Analysis
- Attacking Authentication and Authorization
- Attacking Data and Back-End Communication
- Attacking Clients
14
Information Gathering
- Internic
- IANA / RIPE
- Whois
- Google / Usenet
- Private homepages of employees
- Email Addresses
- Telephone numbers
Information Gathering
• Google Search-Syntax
- allintitle:"Index of /etc"
- site:gov site:mil site:ztarget.com
- filetype:doc filetype:pdf filetype:xls
- intitle:, inurl:, allinurl:
- allinurl:mssql, allinurl:gw …
- inurl:".aspx?ReturnUrl="
- "+www.ernw.+de"
- related:www.ernw.de
- login site:www.microsoft.com
- [cached]
Information Gathering
25
Information Gathering
Invitation?
26
Analyzing the Infra-Structure and Machines
• A layered model
(Diagram: two hosts, each with Data / Application / Service / OS layers, connected through a shared Network layer)
27
Analyzing the Infra-Structure and Machines
• The Reality
(Diagram: components shown include Auth, Data, Database, LDAP, CORBA, Web Content and Audit Logs)
28
Analyzing the Infra-Structure and Machines
29
Querying System and DNS Information
• TraceRoute
- Tracing the network route gives you information about
• The provider
• Type of connection
- Simple / Redundant / Load Balanced
- At which hop does ICMP get blocked?
30
Querying System and DNS Information
31
Portscanning & Fingerprinting
32
Banner Grabbing
33
Vulnerability Scanner
34
Vulnerability Scanner
• Database Scanner
- MetaCoreTex (www.metacoretex.com)
- AppSecInc AppDetective (www.appsecinc.com)
- ISS Database Scanner (www.iss.net)
35
Vulnerability Investigation
• www.securityfocus.com/bid
36
Vulnerability Investigation
• www.packetstormsecurity.org
37
Pen-Testing Web Applications
38
Structural Analysis
• ...or graphical
39
Pen-Testing Web Applications
40
Pen-Testing Web Applications
• Look for
- Cascading Style Sheets (.css)
- XML files / XML stylesheets (.xml / .xsl)
- JavaScript files (.js)
- Include files (.inc)
- Text files (.txt)
- Comments
- Client-Side Validation
- Forms
• Hidden Fields
• Password Fields
• MaxLength Attributes
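As an added example (not part of the original slides) of working through this checklist from the defending side, the Python below parses a page with the standard library's html.parser and inventories the hidden fields, password fields, maxlength attributes, onsubmit handlers, comments and external scripts, then turns each one into a review item: every control that lives only in the browser needs a matching check on the server. The sample HTML, the field names and the function names are constructed for this example.

```python
from html.parser import HTMLParser

# Constructed sample page for this example; it is not taken from the slides.
SAMPLE_HTML = """
<html><body>
<form action="/dbsubmit.php" method="post" onsubmit="return validate(this)">
  <input type="hidden" name="UserID" value="5">
  <input type="hidden" name="price" value="19.99">
  <input type="text" name="Title" maxlength="4">
  <input type="password" name="pw" maxlength="8">
  <!-- TODO: remove debug=1 before go-live -->
  <input type="submit" value="Send">
</form>
<script src="/js/validate.js"></script>
</body></html>
"""


class FormAuditor(HTMLParser):
    """Collect the client-side controls that a server must not rely on."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per <form>
        self.comments = []     # HTML comments often carry internal notes
        self.scripts = []      # external JavaScript, where client validation lives
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {
                "action": a.get("action", ""),
                "method": a.get("method", "get").lower(),
                "onsubmit": a.get("onsubmit", ""),
                "hidden": {},
                "password": [],
                "maxlength": {},
            }
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            kind = a.get("type", "text").lower()
            name = a.get("name", "")
            if kind == "hidden":
                self._form["hidden"][name] = a.get("value", "")
            elif kind == "password":
                self._form["password"].append(name)
            if a.get("maxlength", "").isdigit():
                self._form["maxlength"][name] = int(a["maxlength"])
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

    def handle_comment(self, data):
        self.comments.append(data.strip())


def audit_forms(html):
    """Parse a page and return the raw inventory of client-side controls."""
    parser = FormAuditor()
    parser.feed(html)
    parser.close()
    return {"forms": parser.forms, "comments": parser.comments, "scripts": parser.scripts}


def review_items(html):
    """Turn the inventory into review items: each client-side control needs a server-side twin."""
    inv = audit_forms(html)
    items = []
    for form in inv["forms"]:
        where = form["action"] or "(no action)"
        for name, value in form["hidden"].items():
            items.append(f"{where}: hidden field {name}={value!r} is user-controllable; re-derive it server-side")
        for name, limit in form["maxlength"].items():
            items.append(f"{where}: maxlength={limit} on {name} must be enforced server-side")
        if form["onsubmit"]:
            items.append(f"{where}: onsubmit validation can be skipped; validate again on the server")
        if form["password"] and form["method"] != "post":
            items.append(f"{where}: password field sent via {form['method'].upper()} lands in URLs and logs")
    for note in inv["comments"]:
        items.append(f"comment visible to every client: {note!r}")
    for src in inv["scripts"]:
        items.append(f"external script {src}: its rules describe the input format the server must also enforce")
    return items


if __name__ == "__main__":
    for item in review_items(SAMPLE_HTML):
        print("-", item)
```

Running the script over a real page of your own application gives a checklist to compare against the server-side handlers; a hidden field or maxlength with no corresponding server check is the finding.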
41
Pen-Testing Web Applications
www.site.com/show.aspx?content=marketing.xml
www.site.com/UserArea/default.php?UserID=5
www.site.com/dbsubmit.php?Title=Mr&Phone=123
www.site.com/menu.asp?sid=73299
• Cookie values
42
Canonicalization Errors
• Popular Examples
- Apache WebServer
• /scripts and /SCRIPTS
- Microsoft IIS 5
• ../ and .%2e%2f
- ISS Firewall
• action=delete and action=%64elete
- Microsoft IE4
• Dotless IP Bug
43
Resource Names
• Example
http://server/cms/show.aspx?file=content.xml
http://server/cms/show.aspx?file=../web.config
http://server/cms/show.aspx?file=../web.config.
http://server/cms/show.aspx?file=../web.config::$DATA
http://server/cms/show.aspx?file=..%5cweb.config
http://server/cms/show.aspx?file=..%255cweb.config
http://server/cms/show.aspx?file=..%%35%63web.config
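The two slides above (Canonicalization Errors and Resource Names) make one point: the same resource can be named in many encodings, so a filter that compares the raw request string against a blocklist is defeated by %5c, %255c, a trailing dot or an NTFS ::$DATA suffix. The Python below is an added example, not code from the original slides: it decodes the file name to a fixed point, normalizes separators and the Windows-specific suffixes, and only then checks that the resolved path still lies inside the document root. The root /var/www/cms and the function names are assumptions for the example; the request values are the ones from the slide, and param_equals covers the action=%64elete and /scripts vs /SCRIPTS cases from the previous slide.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root of the CMS in the slide's URLs (constructed for this example).
CMS_ROOT = "/var/www/cms"

# The file parameter values from the slide, benign one first.
SLIDE_REQUESTS = [
    "content.xml",
    "../web.config",
    "../web.config.",
    "../web.config::$DATA",
    "..%5cweb.config",
    "..%255cweb.config",
    "..%%35%63web.config",
]


def decode_fully(value, max_rounds=5):
    """Percent-decode until the value stops changing.

    One decode turns %255c into %5c; only a second round yields the backslash
    the file system will see. unquote() leaves malformed escapes such as the
    lone '%' in %%35%63 untouched, so they too resolve on the next round.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    # No browser nests encodings this deep; treat it as hostile input.
    raise ValueError("too many encoding layers")


def canonical_name(requested):
    """Reduce a user-supplied file name to a single comparable form."""
    name = decode_fully(requested)
    name = name.replace("\\", "/")          # Windows accepts both separators
    name = name.split("::", 1)[0]           # drop an NTFS stream suffix (::$DATA)
    # Windows ignores trailing dots and spaces; strip them, but keep '.' and '..'
    segments = [
        seg if seg in (".", "..") else seg.rstrip(". ")
        for seg in name.split("/")
    ]
    return "/".join(segments)


def resolve_under(root, requested):
    """Return the absolute path if it stays inside root, otherwise None."""
    try:
        cleaned = canonical_name(requested)
    except ValueError:
        return None
    if cleaned.startswith("/"):
        return None                         # absolute names are never valid here
    resolved = posixpath.normpath(posixpath.join(root, cleaned))
    # Prefix test includes the separator: /var/www/cms-old must not pass for /var/www/cms
    if resolved == root or resolved.startswith(root + "/"):
        return resolved
    return None


def param_equals(raw, keyword):
    """Compare a query value to a keyword after decoding and case-folding."""
    return decode_fully(raw).casefold() == keyword.casefold()


if __name__ == "__main__":
    for req in SLIDE_REQUESTS:
        print(f"{req:28} -> {resolve_under(CMS_ROOT, req)}")
    print("action=%64elete means delete:", param_equals("%64elete", "delete"))
```

The order matters: decode first, normalize second, compare last. Any check applied to the raw string (or after only one decode round) is exactly the filter the slide's variants walk past.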
44
Testing for SQL Injection
45
Testing for Cross Site Scripting
46
Tools
• Web Scanner
- WebInspect (www.spidynamics.com)
- NStealth (www.nstalker.com)
47
Conclusion
• If you follow the 7 golden rules, you can eliminate most of the vulnerabilities
48
• Questions?
49
Links
• OSSTMM
- www.isecom.org
• NIST Draft Guidelines to Network Security Testing
- http://csrc.nist.gov/publications/drafts/security-testing.pdf
• ISC 2 Code of Ethics:
- https://www.isc2.org/cgi/content.cgi?category=12
• ISACA Code of Professional Ethics
- http://www.isaca.org/Template.cfm?Section=Code_of_Ethics1
50
Links
• Wfetch
- http://download.microsoft.com/download/d/e/5/de5351d6-4463-4cc3-a27c-3e2274263c43/wfetch.exe
• NetCat
- http://www.atstake.com/research/tools/network_utilities/nc11nt.zip
51