SECFORCE          
SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing
   
HOME SECFORCE - penetration testing COMPANY SECFORCE - penetration testing SERVICES SECFORCE - penetration testing RESEARCH SECFORCE - penetration testing BLOG SECFORCE - penetration testing INITIATIVES SECFORCE - penetration testing CONTACT
 
SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing
    SECFORCE - penetration testing

Blog ■

 
SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing
    Home : Blog  
SECFORCE - penetration testing SECFORCE - penetration testing
   
Archive for November, 2008
 

Penetration testing, antivirus, firewalls and false sense of security

Sunday, November 9th, 2008

False sense of security is an ongoing issue. Fueled by inaccurate marketing strategies promising the ultimate security product and convincing clients that their product will make your system immune to every single attack.

Security professionals are used to hear all kind of comments from clients caught up by false sense of security; the three most common mistakes are:

Client – My application must be secure, it is running over SSL.
Penetration tester – That’s good, your IDS will not pick up my attacks.

Client – My web application must be secure, it is protected by my firewall.
Penetration tester – Sure enough your firewall is not going to filter web traffic on your web server.

Client – My server must be secure, it has an antivirus up to date.
Penetration tester – Your antivirus will only pick up known signatures, it will not pick up my custom made scripts.

We recently performed a back box web application peneration test for a client who expresed (before the penetration test) how secure his application was as he deployed SSL on the application layer, antivirus on the server and everything was protected using a firewall.

During the penetration test we managed to find a page which allowed uploading arbitrary files to the web server. When we tried to upload some of the standard web shells we saw how the antivirus was detecting them and removing them from the server. It is fair to say that an antivirus in this case provides a very thin layer of security. After doing some modifications to the scripts we easily bypassed the antivirus protection.

In this example achieving command execution required another step as the user the web server was running as had not enough privileges. However, it was easy enough finding a high privilege username/password for the MS SQL database also running on the server. The next steps were:

- Creating a custom script which connected to the MS SQL database using a high privileged account.
- Enabling xp_cmdshell stored procedures, as we found it disabled.
- Enjoying command execution.

Once we got to this point it was easy to execute Metasploit Meterpreter to bypass firewall protection, tunneling services over HTTP.

In conclusion, SSL, antivirus and firewalls are essential parts on the security of an infrastructure, however they need to be properly implemented and they don’t protect from all kinds of attacks.

Black box penetration testing vs white box penetration testing

Monday, November 3rd, 2008

One of the common questions that we get from our clients is about the differences between a black box penetration test and a white box penetration test.

White box testing, also known as clear box testing or glass box testing, is a penetration testing approach that uses the knowledge of the internals of the target system to elaborate the test cases. In application penetration tests the source code of the application is usually provided along with design information, interviews with developers/analysts, etc. In infrastructure penetration tests network maps, infrastructure details, etc. are provided. The goal of a white box penetration test is to provide as much information as possible to the penetration tester so that he/she can gain insight understanding of the system and elaborate the test based on it.

White box penetration testing has some clear benefits:

  • Deep and thorough testing
  • Maximizes testing time
  • Extends the testing area where black box testing can not reach (such as quality of code, application design, etc.)

However, there are also some disadvantages:

  • Non realistic attack, as the penetration tester is not in the same position as an non-informed potential attacker

A black box penetration test requires no previous information and usually takes the approach of an uninformed attacker. In a black box penetration test the penetration tester has no previous information about the target system.

The benefits of this type of attack are:

  • It simulates a very realistic scenario

The disadvantages of a black box penetration test are:

  • Testing time can not be maximised in certain scenarios
  • Some areas of the infrastructure might remain untested

When commissioning a penetration test, there is no right/wrong decision about white box or black box, it really depends on the scenario that needs to be tested.

 
   
 
BLOG

Archives

July 2014
April 2014
March 2014
February 2014
August 2013
June 2013
February 2013
January 2013
December 2012
November 2012
October 2012
January 2012
October 2011
September 2011
July 2011
June 2011
April 2011
February 2011
January 2011
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008

Categories

Aircraft security (1)
Business Continuity (2)
CREST (1)
cyber security (2)
Embedded devices security (2)
exploit (8)
Fuzzing (1)
Penetration Testing (41)
Phishing (3)
Risk Management (5)
SECFORCE (17)
Security architecture (2)
Security Books (1)
Security Compliance (1)
Security research (9)
social engineering (1)
social media (1)
sql injection (3)
SQL Server (3)
Tools (13)
Uncategorized (2)
Vulnerabilities (10)
 
SECFORCE - penetration testing
  SECFORCE - penetration testing Aegon House, 13 Lanark Square
Canary Wharf - E14 9QD, London
SECFORCE - penetration testing Direct Line +44 (0) 845 056 8694
E-mail SECFORCE - penetration testing
  Follow us in Twitter Check us out in LinkedIn SECFORCE is CREST certified. Click on the logo for more information ISO9001 ISO27001
SECFORCE - penetration testing
    Copyright (c) 2014 SECFORCE Ltd · All Rights Reserved