SECFORCE          
   
HOME COMPANY SERVICES RESEARCH BLOG NEWS & EVENTS PRESS OFFICE CONTACT
 
    Blog  
    Home : Blog  
   
Posts Tagged ‘Penetration Testing’
 
Newer Entries »

Penetration testing, antivirus, firewalls and false sense of security

Sunday, November 9th, 2008

False sense of security is an ongoing issue. Fueled by inaccurate marketing strategies promising the ultimate security product and convincing clients that their product will make your system immune to every single attack.

Security professionals are used to hear all kind of comments from clients caught up by false sense of security; the three most common mistakes are:

Client - My application must be secure, it is running over SSL.
Penetration tester - That’s good, your IDS will not pick up my attacks.

Client - My web application must be secure, it is protected by my firewall.
Penetration tester - Sure enough your firewall is not going to filter web traffic on your web server.

Client - My server must be secure, it has an antivirus up to date.
Penetration tester - Your antivirus will only pick up known signatures, it will not pick up my custom made scripts.

We recently performed a back box web application peneration test for a client who expresed (before the penetration test) how secure his application was as he deployed SSL on the application layer, antivirus on the server and everything was protected using a firewall.

During the penetration test we managed to find a page which allowed uploading arbitrary files to the web server. When we tried to upload some of the standard web shells we saw how the antivirus was detecting them and removing them from the server. It is fair to say that an antivirus in this case provides a very thin layer of security. After doing some modifications to the scripts we easily bypassed the antivirus protection.

In this example achieving command execution required another step as the user the web server was running as had not enough privileges. However, it was easy enough finding a high privilege username/password for the MS SQL database also running on the server. The next steps were:

- Creating a custom script which connected to the MS SQL database using a high privileged account.
- Enabling xp_cmdshell stored procedures, as we found it disabled.
- Enjoying command execution.

Once we got to this point it was easy to execute Metasploit Meterpreter to bypass firewall protection, tunneling services over HTTP.

In conclusion, SSL, antivirus and firewalls are essential parts on the security of an infrastructure, however they need to be properly implemented and they don’t protect from all kinds of attacks.

Tags: , , , , , , , , ,
Posted in Penetration Testing | No Comments »

Black box penetration testing vs white box penetration testing

Monday, November 3rd, 2008

One of the common questions that we get from our clients is about the differences between a black box penetration test and a white box penetration test.

White box testing, also known as clear box testing or glass box testing, is a penetration testing approach that uses the knowledge of the internals of the target system to elaborate the test cases. In application penetration tests the source code of the application is usually provided along with design information, interviews with developers/analysts, etc. In infrastructure penetration tests network maps, infrastructure details, etc. are provided. The goal of a white box penetration test is to provide as much information as possible to the penetration tester so that he/she can gain insight understanding of the system and elaborate the test based on it.

White box penetration testing has some clear benefits:

  • Deep and thorough testing
  • Maximizes testing time
  • Extends the testing area where black box testing can not reach (such as quality of code, application design, etc.)

However, there are also some disadvantages:

  • Non realistic attack, as the penetration tester is not in the same position as an non-informed potential attacker

A black box penetration test requires no previous information and usually takes the approach of an uninformed attacker. In a black box penetration test the penetration tester has no previous information about the target system.

The benefits of this type of attack are:

  • It simulates a very realistic scenario

The disadvantages of a black box penetration test are:

  • Testing time can not be maximised in certain scenarios
  • Some areas of the infrastructure might remain untested

When commissioning a penetration test, there is no right/wrong decision about white box or black box, it really depends on the scenario that needs to be tested.

Tags: , , ,
Posted in Penetration Testing | 1 Comment »

Penetration testing and risk management - Consultants vs Monkeys

Thursday, October 30th, 2008

There are no doubts that penetration testing is becoming mainstream now. It looks like business are eventually concerned about security. Compared to some years ago the number of companies requesting penetration tests has increased exponentially and therefore the number of companies conducting them has incresed too.

One of the important problems affecting some penetration testing companies is that they conduct penetration tests with a very narrow perspective, they don’t put things into context. I call it monkey work. It is quite easy running an automated vulnerability scanner and produce a nice report. However, vulnerability scanners are not clever enough to know how a specific vulnerability affects a bussiness.

A typical example is XSS vulnerabilities. Depending on the context they can be devastating or just a minor issue. It is up to the penetration tester to decide how important this security issue is for the business. I call it consultant work and it is where risk management comes into the game.

At the end of the day a business man just cares about the business. If he/she is conducting a penetration test it is not due to the pleasure of learning about buffer overflows and injection vulnerabilities - it is because he/she thinks the penetration test is good for the business (due to a number of reasons such as clients trust, compliance, etc.).

Therefore what they really want to know about a security issues is:

  • What is the impact for the business
  • What is the likelihood of happening
  • How can be solved

What they are not interested in is:

  • Why stack protection mechanisms can not protect you from a heap overflow
  • How you control EIP on this exploit
  • Why a fuzzer would have never discovered that vulnerability
  • etc…

Tags: ,
Posted in Penetration Testing, Risk Management | No Comments »

Penetration testing with IPv6

Tuesday, October 14th, 2008

Today has been released the Uninformed (number 10) magazine. As usual it is a very interesting read, with very nice and technical articles there. One of them caught my eye, written by H D Moore - Exploiting Tomorrow’s Internet Today, Penetration testing with IPv6.

IPv6 is an Internet layer protocol designed to substitute the current IPv4. The article covers the basics of IPv6 such as configuration and addressing standards.

Later in the article the author some of the common tasks of penetration testing focusing on IPv6 protocol:

Network Discovery

Van Hauser’s IPv6 Attack Toolkit contains a tool for this. The alive6 tool sends an ICMP6 packet using Neighbor Discovery protocol:

# alive6 eth0
Alive: fe80:0000:0000:0000:xxxx:xxff:fexx:xxxx
Alive: fe80:0000:0000:0000:yyyy:yyff:feyy:yyyy

Found 2 systems alive

Tools ip and ping6 can also be used for that:

# ping6 -c 3 -I eth0 ff02::1 >/dev/null 2>&1
# ip neigh | grep ^fe80
fe80::211:43ff:fexx:xxxx dev eth0 lladdr 00:11:43:xx:xx:xx
fe80::21e:c9ff:fexx:xxxx dev eth0 lladdr 00:1e:c9:xx:xx:xx
fe80::218:8bff:fexx:xxxx dev eth0 lladdr 00:18:8b:xx:xx:xx
[...]

H D More also covers the use of Nmap and Metasploit against IPv6 hosts.

It is interesting the use of socat to ‘translate’ from IPv4 to IPv6 and then being able to use the common penetration testing tools:

$ socat TCP-LISTEN:8080,reuseaddr,fork TCP6:[IPv6%eth0]:80

In the example above socat creates and binds a local IPv4 port (8080) to a remote IPv6 service which was listening on port 80. After running the command above, the penetration tester can confortably use the common web assessment tools such as nikto o web proxies even if they don’t natively support IPv6.

Tags: , , ,
Posted in Penetration Testing | No Comments »

SCADA Security

Friday, October 10th, 2008

It is interesting to see how security research is a kind of a living being. Almost by nature security rearchers focus their efforts in whatever is more familiar to them, resulting in a vast amount of time dedicated to fairly accessible products such as Microsoft Windows operating systems, MS Office, Linux in its different flavours, etc.

This leaves a gap in the security industry where highly deployed systems (sometimes critical for government infrastructure) remain untested and its security is several years behind the avarage IT system.

Two clear examples of this are MPLS and SCADA systems. Given the fact that these systems are rarely found in penetration testing engagements and independent researchers struggle to find a suitable environment for testing, it doesn’t come to a surprise their security doesn’t match nowadays avarage.

Last week there was two vulnerabilities affecting SCADA systems:

In a world where stack buffer overflows are among species threatened with extinction it is rather suprising reading this kind of vulnerabilities. There is no doubt that due to a number of circunstances security research has been appart from these technologies.

Tags: , , , , , ,
Posted in Vulnerabilities | No Comments »

Cisco config retrieval tool and password reuse

Wednesday, October 8th, 2008

The other day we were at a client site doing a penetration test. This was a very big deployment with almost 100 routers. At some point during the test we managed to get the read/write community string of one of the routers, as there was a script with the hard-coded credentials.

We managed to connect to the router with the SNMP credentials and pulled the Cisco config file. After that, we decoded the telnet and enable passwords and we were ready to go. We tried (with no much hope initially) a couple of other routers reusing the telnet password and they all worked. Every single router was protected with exactly the same password.

We had limited time and the prospect of telneting 100 routers pulling config files was not very appealing so we wrote a nice python script to pull them for us. We released the tool in our research section, so check it out if you are interested.

The lesson to learn here is that no matter how confident you are about the strength of your password because it can be potentially compromise and if you are reusing it, the impact for the business becomes critical.

Tags: , , ,
Posted in Penetration Testing, Tools | No Comments »

 
Newer Entries »
   
 
BLOG

Archives

January 2012
October 2011
September 2011
July 2011
June 2011
April 2011
February 2011
January 2011
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
Categories
Business Continuity (1)
CREST (1)
exploit (3)
Fuzzing (1)
Penetration Testing (21)
Phishing (2)
Risk Management (4)
SECFORCE (8)
Security Books (1)
Security Compliance (1)
Security research (2)
sql injection (1)
SQL Server (1)
Tools (7)
Vulnerabilities (6)
  
  Copyright (c) 2012 SECFORCE Ltd
All Rights Reserved		 Suite 11, Beaufort Court, Admirals Way
E14 9XL London		 SECFORCE is CREST certified. Click on the logo for more informationISO9001+44 (0) 845 056 8694