OWASP Thailand-Beyond the Penetration Testing

Post on 13-Dec-2014


Transcript of OWASP Thailand-Beyond the Penetration Testing

Prathan Phongthiproek
Management Consulting, KPMG Thailand

Beyond the Penetration Testing

Penetration Testing !?

❖ Penetration Testing is more a process than mere scripts and tools
❖ Time Management
❖ Methodology
❖ Risk Assessment
❖ Recommendation and Remediation Plan
❖ Reporting
❖ Superheroes !!

Penetration Tester Average Annual Salary

http://www.payscale.com/research/US/Job=Penetration_Tester/Salary

Penetration Testing

What management thinks I do.

What my client thinks I do.

What my parents think I do.

What I think I do

“Penetration Testing” versus “Hacking”

❖ Classic Penetration Testing: thinking inside the box
  ❖ Assigned a limited block of IP addresses
  ❖ Unable to go beyond the approved scope: only touch xyz hosts, don't touch abc host
  ❖ Follow a pentest methodology: OSSTMM, NIST, etc.
  ❖ Use public exploits: Exploit-DB, Metasploit

❖ Real World Hacking: thinking outside the box
  ❖ Know one piece of information and have to expand from there
  ❖ Compromise all systems; targeted attack
  ❖ All methodologies are integrated
  ❖ Intelligent information gathering, 0-day exploits

Battle Plan = PenTest Methodologies

❖ National Institute of Standards and Technology (NIST SP800-115)
❖ Open Source Security Testing Methodology Manual (OSSTMM)
❖ The Penetration Testing Execution Standard (PTES)
❖ Open Web Application Security Project (OWASP)

OWASP Top 10 - 2013

https://www.owasp.org/index.php/Top_10_2013-Top_10

Risk Rating Methodology

Risk = Likelihood factors + Impact factors
  Likelihood factors: Threat Agent + Vulnerability
  Impact factors: Technical Impact + Business Impact

Risk Assessment Calculator
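The "Risk Assessment Calculator" on this slide is the OWASP Risk Rating Methodology: each likelihood factor (threat agent and vulnerability) and each impact factor (technical and business) is scored 0 to 9, the two groups are averaged, each average is banded LOW/MEDIUM/HIGH, and the pair is looked up in a severity matrix. The block below is an added example, not code from the talk: the factor names, bands and matrix follow the published OWASP methodology, while the finding scored in demo() is a constructed illustration.

```python
# Added example, not from the slides: the OWASP Risk Rating Methodology
# behind the "Risk Assessment Calculator" slide, written out as code.
# Factor names, the 0-9 scale, the LOW/MEDIUM/HIGH bands and the severity
# matrix follow the published OWASP methodology; the finding in demo() is
# constructed for illustration and is not from the talk.

LIKELIHOOD_FACTORS = (
    # threat agent factors
    "skill_level", "motive", "opportunity", "size",
    # vulnerability factors
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
IMPACT_FACTORS = (
    # technical impact factors
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
    # business impact factors
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# Overall severity, keyed by (likelihood level, impact level).
SEVERITY = {
    ("LOW", "LOW"): "Note",     ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",   ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium",  ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}


def level(score):
    """Band a 0-9 score: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(factors, names):
    """Average the named factors, refusing missing or out-of-range scores."""
    missing = [n for n in names if n not in factors]
    if missing:
        raise ValueError(f"missing factors: {missing}")
    for n in names:
        if not 0 <= factors[n] <= 9:
            raise ValueError(f"{n} must be scored 0-9, got {factors[n]}")
    return sum(factors[n] for n in names) / len(names)


def rate(factors):
    """Compute likelihood, impact and overall severity for one finding."""
    likelihood = average(factors, LIKELIHOOD_FACTORS)
    impact = average(factors, IMPACT_FACTORS)
    return {
        "likelihood": likelihood, "likelihood_level": level(likelihood),
        "impact": impact, "impact_level": level(impact),
        "severity": SEVERITY[(level(likelihood), level(impact))],
    }


def demo():
    """Constructed scoring for a SQL injection in an internet-facing login form."""
    finding = {
        "skill_level": 3, "motive": 4, "opportunity": 9, "size": 9,
        "ease_of_discovery": 7, "ease_of_exploit": 9, "awareness": 9, "intrusion_detection": 8,
        "loss_of_confidentiality": 7, "loss_of_integrity": 7,
        "loss_of_availability": 5, "loss_of_accountability": 7,
        "financial_damage": 5, "reputation_damage": 5, "non_compliance": 5, "privacy_violation": 7,
    }
    return rate(finding)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A finding's band is decided by the averages, not by any single factor, which is why a hard-to-exploit issue with severe impact can still land at High; the matrix is what turns the "Sharp Risk Rating" asked for under Reporting into a repeatable number rather than a tester's gut feeling.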

OWASP Testing Guide v4

❖ Released 17th September 2014
❖ 11 Domains
❖ 87 Modules

❖ Information Gathering
❖ Configuration and Deployment Management
❖ Identity Management
❖ Authentication
❖ Authorization
❖ Session Management
❖ Input Validation
❖ Error Handling
❖ Weak Cryptography
❖ Business Logic
❖ Client Side

Don’t trust scan results

❖ Many testers just follow Nessus -> Metasploit, or Acunetix, IBM AppScan, HP WebInspect
❖ Manual testing is needed for: Identity Management, Authentication, Authorization, Business Logic, Client Side Testing
❖ These tools are our eyes and ears, nothing more
❖ Human - 80%, Tools - 20%

Go Beyond…

❖ Some applications are protected by blacklist checking or a Web Application Firewall (WAF)
❖ Understand the application and look into the developer's mind
❖ Combine & Conquer
❖ This is what our clients are paying us to do

Manual and Semi-automated Tool

Case Study #1: SQLi 101

❖ Select * from users where username='input1' and password='input2'

  username = ' or a=a#
  password = whatever

❖ Select * from users where username='' or a=a#' and password='whatever'

❖ Select * from users where FALSE or TRUE

  FALSE or TRUE = TRUE

Case Study #1: SQLi 101

❖ Blacklisting comment characters (# or --)
❖ Select * from users where username='input1' and password='input2'

  username = ' or 'a'='a
  password = whatever

❖ Select * from users where username='' or 'a'='a' and password='whatever'

❖ Select * from users where FALSE or [ TRUE and FALSE ]

  FALSE or FALSE = FALSE

Case Study #1: SQLi 102

❖ Blacklisting comment characters (# or --)
❖ Select * from users where username='input1' and password='input2'

  username = ' or a=a or 'a'='a
  password = whatever

❖ Select * from users where username='' or a=a or 'a'='a' and password='whatever'

❖ Select * from users where FALSE or TRUE or [ TRUE and FALSE ]

  FALSE or TRUE or FALSE = TRUE
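The three queries from the SQLi 101/102 slides, run against an in-memory SQLite table, as an added example that is not part of the talk. It shows why the comment-character blacklist only blocks the first payload (AND binds tighter than OR, so `' or 'a'='a` yields FALSE or [TRUE and FALSE]) while the 102 payload still evaluates to TRUE, and why a parameterized query returns no rows for any of them. Two assumptions differ from the slides: the slides' `a=a` is written `1=1`, because SQLite (and MySQL) treat a bare `a` as an unknown column and error out, and the comment is `--` because SQLite does not recognise `#`. The user table is constructed sample data.

```python
# Added example, not from the slides: the login queries from the SQLi
# 101/102 case study executed against SQLite, comparing the vulnerable
# string-built query, the same query behind a comment-character blacklist,
# and a parameterized query. Assumptions: the slides' "a=a" becomes "1=1"
# (a bare "a" is an unknown column in SQLite/MySQL) and "--" replaces "#"
# (SQLite has no "#" comment). The users table is constructed sample data.
import sqlite3

COMMENT_BLACKLIST = ("#", "--")   # the filter from the "SQLi 101" slide


def make_db():
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_concat(conn, username, password):
    """Vulnerable: user input is pasted straight into the SQL string."""
    query = (f"select * from users where username='{username}' "
             f"and password='{password}'")
    return conn.execute(query).fetchall()


def login_blacklist(conn, username, password):
    """Still vulnerable: same query, but rejects comment characters first.
    Returns None when the blacklist fires."""
    for token in COMMENT_BLACKLIST:
        if token in username or token in password:
            return None
    return login_concat(conn, username, password)


def login_param(conn, username, password):
    """Fixed: placeholders keep the input as data, never as SQL."""
    query = "select * from users where username=? and password=?"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    """Run each slide payload through the three handlers.

    Returns the number of rows each handler hands back (None where the
    blacklist rejected the input). A real login would treat any non-empty
    result as success, so 2 rows means authentication bypassed.
    """
    conn = make_db()
    payloads = {
        "SQLi 101 (no filter)": "' or 1=1--",            # comment hides the password check
        "SQLi 101 (blacklist)": "' or 'a'='a",           # FALSE or [TRUE and FALSE]
        "SQLi 102 (blacklist)": "' or 1=1 or 'a'='a",    # FALSE or TRUE or [TRUE and FALSE]
    }

    def count(rows):
        return None if rows is None else len(rows)

    results = {}
    for name, username in payloads.items():
        results[name] = {
            "concat": count(login_concat(conn, username, "whatever")),
            "blacklist": count(login_blacklist(conn, username, "whatever")),
            "param": count(login_param(conn, username, "whatever")),
        }
    return results


if __name__ == "__main__":
    for name, counts in demo().items():
        print(name, counts)
    print("legitimate login:", len(login_param(make_db(), "alice", "s3cret")), "row")
```

The blacklist is exactly the kind of protection the "Go Beyond" slide warns about: it removes one trick and leaves the query structure intact, so the fix is to change how the query is built, not to filter more characters.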


Case Study #2: Account Enumeration

❖ Hosted in Amazon Virtual Private Cloud
❖ Running IIS 8.0
❖ PHP latest version
❖ No issues from scan results


Case Study #3: Mobile App Hard Coded


Case Study #4: Whitebox Pentest

[Network diagram of the client's internal environment: hosts annotated with findings such as MS03-026 (RPC DCOM), MS05-039 (MS PnP Overflow), MSSQL (1433) and RDP (3389) open on most hosts, plus the AD and Exchange servers]

Team Rules

#1: Act like a warrior, don't be a zombie.
#2: CRITICAL/HIGH issues or compromise the system, you get a free BUFFET !!!
#3: If you miss it, I get a free BUFFET+...
#4: Keep statistics (PWNED'em ALL)

Reporting

❖ 1 page executive summary
❖ Remediation plan for the short term and the long term
❖ Clear description
❖ Sharp risk rating
❖ Recommendations that make sense
❖ and a great presentation

PenTesters Code of Ethics

I will never copy and paste automated results to the report
I will never completely trust scan results
I will go beyond scanning results
I will think outside of the box
My report will rock !!

Facebook: https://www.facebook.com/tan.prathan
Linkedin: https://www.linkedin.com/in/pprathan
Slideshare: https://www.slideshare.net/pprathan
Vimeo: https://vimeo.com/prathan

Thank you