Page 1: Ethical Hacking

Ed Chorbajian, Affinity Inc.

April 11, 2012

Page 2: Introductions

• Ed Chorbajian
  • [email protected]
  • New York, NY
  • linkedin.com/in/edchorbajian

• Affinity, Inc.
  • http://affinityit.com
  • IT services and solutions provider, helping Fortune 500 and growth companies
  • Corporate headquarters in Milwaukee, WI

Page 3: About Affinity, Inc.

Page 4: About Affinity, Inc.

• Clients

Page 5: About Ed Chorbajian

• Certifications
  • CSSLP, GWAPT, CISSP, GPEN, GCIH, GSLC, SCJP

• Experience
  • 5+ years security
  • 10 years software development

• Education
  • MBA (80% complete) at New York University Stern
  • MS in Computer Science
  • BA in Mathematics and Physics

Page 6: Agenda

• Context
• Static Analysis
• Dynamic Analysis
• Q&A

Page 7: A Hacker is

• Someone who
  • Finds information security vulnerabilities
  • Exploits them
  • (Black Hat)

Page 8: An Ethical Hacker is

• Someone who
  • Finds information security vulnerabilities
  • Exploits them
  • Has permission
  • (White Hat)

Page 9: Ethics

• Yes, "has permission" is a simplification
• Ethics describes right and wrong behaviors
• Our discussion today is not about ethics

Page 10: Ethics

• Sometimes it depends on your point of view
  • The hackers that made Stuxnet targeted Iranian nuclear plants and probably delayed Iran's uranium enrichment program by two years

Pages 11-14: Find and Exploit Vulnerabilities

• SQL Injection humor

Page 15: Find and Exploit Vulnerabilities

• SQL Injection – not so funny
  • An attack targeting the victim's data, database and database server
  • Data: possible to read, add, modify, delete
  • Database: possible to drop tables, drop indexes, create users, grant and revoke privileges
  • Database server: possible to mount further attacks against the victim's internal network
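As an added illustration (not code from the presentation), here is the kind of query the slide above describes: a login check that splices user input into SQL text, hit with a tautology payload and with a UNION payload that reads another column, beside the parameterized form that defeats both. The users table, its rows, the payloads and the function names are constructed for this example; a real system would store salted hashes rather than the plaintext passwords used here to keep the demonstration short.

```python
import sqlite3

# Constructed sample data: a tiny users table in an in-memory SQLite database.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    # The defect: untrusted input becomes part of the SQL text, so a quote
    # character in the input changes the structure of the statement.
    sql = (
        f"SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    # The fix: the SQL text is constant; the values travel separately as bound
    # parameters, so a quote in the input is just a quote inside the data.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Two classic payloads (constructed for the example).
TAUTOLOGY = "' OR '1'='1"                                     # AND binds tighter than OR: every row matches
UNION_READ = "' UNION SELECT username, password FROM users --"  # reads a column the page never shows

if __name__ == "__main__":
    conn = build_db()
    print(login_vulnerable(conn, "anyone", TAUTOLOGY))       # both rows: authentication bypassed
    print(login_vulnerable(conn, UNION_READ, "x"))            # every user's password
    print(login_parameterized(conn, "anyone", TAUTOLOGY))    # [] : no match
    print(login_parameterized(conn, "bob", "hunter2"))       # [('bob', 'user')]
```

The `--` in the UNION payload comments out the rest of the statement, which is why the trailing `AND password = 'x'` never runs; the parameterized version returns nothing for either payload because the whole string is compared as a username.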

Page 16: Partial List of Vulnerabilities

• Injection
• Cross-Site Scripting
• Encryption implementation
• Parameter Tampering

Page 17: Partial List of Vulnerabilities

• Injection
  • SQL Injection
  • LDAP Injection
  • XML Injection
  • Code Injection
  • OS Commanding

Page 18: Partial List of Vulnerabilities

• Cross-Site Scripting
  • Reflected Cross-Site Scripting
  • Stored/Persistent Cross-Site Scripting
  • DOM-based Cross-Site Scripting

Page 19: Partial List of Vulnerabilities

• Encryption implementation
  • Symmetric
  • Asymmetric (public/private key cryptography)
  • Password hashes
  • Key management

Page 20: Partial List of Vulnerabilities

• Parameter Tampering
• Business Logic Abuse
• Buffer Overflow
• Cross-Site Request Forgery
• Information Leakage
• Directory Traversal
• Authentication/Authorization
• Session Fixation

Page 21: In the past …

• To defend your organization
  • "You don't need to outrun the bear in the woods, just your neighbor"
  • Be less insecure than your neighbor
  • Hackers attack the easier targets

Page 22: Today …

• Organizations are specifically targeted
  • Hacktivists – political agenda
  • Anonymous

Page 23: Threat Agents

• Unintentional/careless users
• Non-professional hackers/script kiddies
• Researchers
• Professional hackers
• Corporate/industrial espionage
• Insiders/partners
• Organized criminals
• Hacktivists
• Nation-state intelligence agencies

Page 24: Today …

• Nation-state intelligence agencies

Source: http://www.mcafee.com/us/resources/reports/rp-virtual-criminology-report-2009.pdf

Page 25: Today …

• Advanced Persistent Threat – APT
  • Have large resources
  • Have much patience
  • Target specific organizations
  • Purpose
    • Intellectual property
    • Disruption
    • Etc.

Page 26: Today …

• Verizon 2012 Data Breach Investigations Report
  • March 22, 2012
  • (Larger orgs are samples with at least 1,000 employees)

http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012-press_en_xg.pdf

Page 27: Today …

• Verizon 2012 Data Breach Investigations Report
  • Hacktivists tend to target larger organizations
    • High profile
    • Motive is attention and publicity
    • Denial of Service attacks
    • Download and distribute secret information
    • Website defacements

Page 28: Today …

• Verizon 2012 Data Breach Investigations Report
  • Organized criminals tend to target smaller organizations
    • Low profile
    • Motive is money
    • Smaller revenue for each attack
    • High volume through many attacks
    • Easier-to-exploit victims

Page 29: Today …

• Verizon 2012 Data Breach Investigations Report

http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012-press_en_xg.pdf

Page 30: Agenda

• Context
• Static Analysis
• Dynamic Analysis
• Q&A

Page 31: Static and Dynamic Analyses

• Static – the source code
  • Can see "everything"
• Dynamic – a running application
  • See everything that is actually there, including
    • Infrastructure
    • Middleware
    • Third-party libraries
    • Actual source code used

Page 32: Automated and Manual Techniques

• Automated technique
  • Use a tool that does much of the work
  • Catches the more easily detected vulnerabilities
• Manual technique
  • Use expertise to find vulnerabilities that the tools cannot find on their own
  • Do much of the work using many tools

Page 33: Static Analysis

• Automated
  • I personally worked with
    • IBM Rational AppScan Source Edition for Security (Ounce Labs)
    • HP Fortify Static Code Analyzer
  • Can scan 100,000s of lines of code
  • Expensive tools

Page 34: Process for Automated

• The client stages the source code:
  • Complete source code that compiles/builds without error
  • Workspace and project files
  • All dependencies
  • SDLC documents
• The tools are ineffective when any required component is missing

Page 35: Process for Automated

• Inventory the source code
• Configure the tool
• Run the scan
  • Could produce thousands of findings
• Analyze the results

Page 36: Results of the Analysis

• Determine if each finding is a False Positive or a True Positive
• Raise, lower or keep the suggested severities
  • Critical
  • High
  • Medium
  • Low
  • Informational

Page 37: Results of the Analysis

• Communicate the vulnerabilities to the client
• Provide recommendations on how to remediate the security defects
• The client remediates the defects
  • Available for assistance – includes explaining in-depth technical questions on vulnerability risks and remediation strategies
• Retest

Page 38: True/False Positive/Negative

• False Positive – the tool reported a security defect, but it really is not a security defect
  • The reason to vet the findings
• True Positive – the tool reported a security defect, and it really is a security defect
  • The tool did its job

Page 39: True/False Positive/Negative

• True Negative – the tool did not report a security defect, and there is no security defect
  • The tool did its job
  • Not reported, but implied
• False Negative – the tool did not report a security defect, but there really is a security defect
  • The tool missed this

Page 40: Manual Static Analysis

• Generally do a targeted search
  • May not be practical to look at thousands or millions of lines of code
• Examples
  • Authentication/Authorization
  • Encryption implementation
  • Logging
  • Output to web browser

Page 41: Authentication/Authorization Example

• There was a backdoor in a client's software system, which was written by their vendor
  • Hard-coded username and password
    • Bypasses normal authentication controls
  • Unlimited access to the system
    • Bypasses normal authorization controls
  • Logging turned off for this username
    • Bypasses normal auditing controls

Page 42: Authentication/Authorization Example

• Vendor included the backdoor for convenience
  • Support and maintenance
• In addition to this client, other organizations using this vendor's system had the same security issue
  • With the same credentials!

Page 43: Encryption Implementation Example 1

• Password hashes were not salted
• A cryptographic hash is a one-way function
  • There are no encryption/decryption keys
  • SHA-2
• The password is hashed, not encrypted: it is not feasible to recover the password from the hash

Page 44: Encryption Implementation Example 1

• How are password hashes utilized?
  • When a user authenticates, the submitted password is hashed; then the result is compared to the password hash stored in the database
• If a hacker gets access to the password hashes in the database, they can use Rainbow Tables to determine the passwords
  • Pre-computed password hash values
  • This works because, without a salt, the hash of a given password is identical in every system and for every user

Page 45: Encryption Implementation Example 1

• Why is a salt necessary?
  • A salt is a value that is combined with the password before it is hashed
  • The hashed result is very different than without the salt
  • A table pre-computed without the salt is useless against salted hashes
  • Preferably have a different, randomly generated salt for each user
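Added example, not code from the presentation: the unsalted SHA-256 store described above falls to a pre-computed lookup table, while a per-user random salt makes the same table worthless and forces the attacker to recompute per user. The candidate password list, the user records and the function names are constructed for this example.

```python
import hashlib
import os

# Constructed list of likely passwords; an attacker's real list is far longer.
COMMON_PASSWORDS = ["password", "123456", "letmein", "ihearthacking7", "qwerty"]


def unsalted_hash(password: str) -> str:
    """What the client stored: SHA-256 of the password alone."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Salt is mixed in before hashing; same password, different salt -> different digest."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> dict:
    """The attacker's one-time investment: digest -> password for every candidate.
    A rainbow table is a space-saving variant of exactly this idea."""
    return {unsalted_hash(p): p for p in candidates}


def crack(stored_digest: str, table: dict):
    """Instant recovery if the digest was computed without a salt."""
    return table.get(stored_digest)


def register_salted(password: str) -> tuple:
    """Store (salt, digest); the salt is not secret, only unique per user."""
    salt = os.urandom(16)
    return salt.hex(), salted_hash(password, salt)


def verify_salted(password: str, salt_hex: str, stored_digest: str) -> bool:
    """Login check: recompute with the stored salt and compare."""
    return salted_hash(password, bytes.fromhex(salt_hex)) == stored_digest


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    # Unsalted: two users with the same password share a digest, and the table finds it.
    digest = unsalted_hash("ihearthacking7")
    print("unsalted cracked:", crack(digest, table))        # ihearthacking7
    # Salted: the same password stored twice gives two different digests,
    # neither of which appears in the pre-computed table.
    salt_a, digest_a = register_salted("ihearthacking7")
    salt_b, digest_b = register_salted("ihearthacking7")
    print("digests differ:", digest_a != digest_b)          # True
    print("salted cracked:", crack(digest_a, table))         # None
    print("login ok:", verify_salted("ihearthacking7", salt_a, digest_a))  # True
```

A plain salted SHA-2 still lets an attacker test millions of guesses per second against one user; a deliberately slow, salted construction such as PBKDF2 (`hashlib.pbkdf2_hmac` in the standard library) raises the cost of each guess, which is the additional step a practitioner would take today.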

Page 46: Encryption Implementation Example 2

• Organization has encrypted credit card information
• The encryption used AES-128 with the key composed of two 8-character passwords concatenated together

Page 47: Encryption Implementation Example 2

• Normal use of AES-128
  • Encryption key is 128 bits long
  • 2^128 possible keys
    • about 300,000,000,000,000,000,000,000,000,000,000,000,000 (3.4 × 10^38)
  • To guess the key, divide by 500,000 tries/sec
    • (These days, over 2,000,000 tries/sec)
  • Then again divide by 86,400 sec/day
  • Divide by 100 (for a 1% chance of success)
  • Trillions of years is still not remotely close

Page 48: Encryption Implementation Example 2

• Normal use of AES-128
  • 128 bits = 16 bytes × 8 bits/byte
  • Each byte has 2^8 = 256 possibilities
    • Range from '00' to 'FF' in hexadecimal notation
  • 256^16 = (2^8)^16 = 2^(8×16) = 2^128

Page 49: Encryption Implementation Example 2

• Normal use of AES-128
  • Example key in binary notation:
    • 00011110001011010110101000011000011000010100001110001101110101100110110010101110111101110001000101111100111110010001001101111010
  • Same key in hexadecimal notation (32 hex digits = 16 bytes):
    • 1E2D6A1861438DD66CAEF7117CF9137A

Page 50: Encryption Implementation Example 2

Page 51: Encryption Implementation Example 2

Page 52: Encryption Implementation Example 2

• Passwords consist of the 94 printable keyboard characters
  • 'A' through 'Z'
  • 'a' through 'z'
  • '0' through '9'
  • 32 symbols (not including SPACE)
  • Hexadecimal '21' through '7E'

Page 53: Encryption Implementation Example 2

• A password-type key reduces the key space from 256 possibilities to 94 for every character
  • The effective key length drops from 128 bits to about 105 bits (94^16 ≈ 2^105)
• Moreover, user-chosen 16-character passwords have a randomness (entropy) of at best 38 bits

Page 54: Encryption Implementation Example 2

http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf

Page 55: Encryption Implementation Example 2

• 2^38 = 274,877,906,944 possibilities
• To guess the key, divide by 500,000 tries/sec
• Then again divide by 86,400 sec/day
• Divide by 2 (for a 50% chance of success)
• Result: on average the encryption key can be cracked in about 3 days

Page 56: Encryption Implementation Example 2

• Better recommendation for client:
  • Use AES-256
  • Use a randomly generated key in hexadecimal instead of typed keyboard characters
  • Use two 32-character values XOR'ed together to form the key
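The arithmetic on the preceding slides, carried through in Python as an added example (not part of the presentation). The 500,000 tries/sec rate, the 1% and 50% success targets, the 94-character alphabet and the 38-bit entropy figure are the slides' own; the function names and the 365.25 days/year are my assumptions, and the slide's binary/hex example key is reused only to check that the two notations agree.

```python
import math

TRIES_PER_SEC = 500_000      # guessing rate assumed on the slides
SEC_PER_DAY = 86_400
DAYS_PER_YEAR = 365.25       # assumption for the conversion to years


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Effective key length in bits for `length` symbols drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of possible keys (exact integer)."""
    return alphabet_size ** length


def days_to_crack(keyspace: int, success_fraction: float,
                  tries_per_sec: int = TRIES_PER_SEC) -> float:
    """Days of guessing needed to reach the given probability of success."""
    guesses = keyspace * success_fraction
    return guesses / tries_per_sec / SEC_PER_DAY


def years_to_crack(keyspace: int, success_fraction: float,
                   tries_per_sec: int = TRIES_PER_SEC) -> float:
    return days_to_crack(keyspace, success_fraction, tries_per_sec) / DAYS_PER_YEAR


# The example key from the slides, in both notations (consistency check only).
BINARY_KEY = ("0001111000101101011010100001100001100001010000111000110111010110"
              "0110110010101110111101110001000101111100111110010001001101111010")
HEX_KEY = "1E2D6A1861438DD66CAEF7117CF9137A"


def key_notations_agree() -> bool:
    return len(BINARY_KEY) == 128 and int(BINARY_KEY, 2) == int(HEX_KEY, 16)


if __name__ == "__main__":
    # 1. Proper AES-128: 16 random bytes.
    print("random 128-bit key, 1% chance:",
          f"{years_to_crack(2 ** 128, 0.01):.3e} years")
    # 2. Same 16 bytes restricted to 94 printable characters.
    print("94-char alphabet, 16 chars:",
          f"{keyspace_bits(94, 16):.1f} effective bits")
    # 3. What a human actually chooses: ~38 bits of entropy (NIST SP 800-63 estimate).
    print("38 bits of entropy, 50% chance:",
          f"{days_to_crack(2 ** 38, 0.5):.1f} days")
    print("binary and hex key agree:", key_notations_agree())
```

The gap between line 2 and line 3 is the lesson: restricting the alphabet costs about 23 bits, but letting a person choose the characters costs roughly 90. If a human-memorized secret must be the root of the key at all, derive the key through a slow key-derivation function such as PBKDF2 so each guess costs far more than one AES trial; the slide's recommendation (a random hexadecimal key, optionally held as two XOR'ed shares) removes the human choice altogether.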

Page 57: Logging Example

• Failed credentials were logged
  • If a user's password was "ihearthacking7"
  • And the user changed it to "ihearthacking8" (not recommended to increment numbers)
  • And at the next login the user mistakenly entered the old password
  • Easy for a hacker viewing the log to guess the user's current password

Page 58: Output to Web Browser Example 1

• A first scan found no output encoding, thus very vulnerable to Cross-Site Scripting
• Developers remediated the defects
  • Wrapped output with HTMLEncode everywhere
• The rescan found no issues

Page 59: Output to Web Browser Example 1

• What is Cross-Site Scripting?
  • An attack conducted through a vulnerable website against the victim's browser
  • It allows an attacker to insert client-side script in the browser
  • The script can
    • Deface the website
    • Steal the session
    • Redirect the victim to another website

Page 60: Output to Web Browser Example 1

• What does HTMLEncode do?
  • Less-than character (<) is converted to &lt;
  • Greater-than character (>) is converted to &gt;
  • Ampersand character (&) is converted to &amp;
  • Double-quote character (") is converted to &quot;
• Thus, <script> is converted to &lt;script&gt;

Page 61: Output to Web Browser Example 1

• But looking through the code, there was a sortable HTML table written in JavaScript
  • The ascending/descending sort order was written into the <script> portion of the page
  • HTMLEncode does not prevent Cross-Site Scripting in this context: inside a script block the browser does not decode HTML entities, and characters such as the single quote, semicolon and parentheses pass through unencoded
• Straightforward solution:
  • If "ASC" then sort ascending
  • Otherwise sort descending

Page 62: Output to Web Browser Example 2

• Weak Cross-Site Scripting filtering
  • Custom security library
  • If the code saw "<script>" or "</script>", it just removed it
  • Example:
    • Data1<script>MaliciousCode</script>Data2
  • This code's result:
    • Data1MaliciousCodeData2

Page 63: Output to Web Browser Example 2

• Unfortunately, a hacker can use:
  • <scr<script>ipt>
• Thus, this code's result:
  • <script>
• ha.ckers Cross-Site Scripting Cheat Sheet
  • Especially for filter evasion
  • http://ha.ckers.org/xss.html
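An added example covering both Example 1 and Example 2 above; this is not code from the presentation or from the client's library. `html_encode` reproduces HTMLEncode exactly as page 60 defines it, `strip_script_tags` reproduces the single-pass filter from page 62, and the `render_sort_script_*` functions are my reconstruction of the sortable-table page: a sort order written into a JavaScript string literal, first protected only by HTMLEncode and then with the allow-list fix from page 61. The single-quote payload and the `sortTable` function name are assumptions about how that page was built, not details from the talk.

```python
def html_encode(value: str) -> str:
    """HTMLEncode as page 60 defines it: &, <, > and double quote only (& first)."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def render_cell(data: str) -> str:
    """HTML-body context: here HTMLEncode is the right tool and neutralises tags."""
    return "<td>" + html_encode(data) + "</td>"


def render_sort_script_vulnerable(order: str) -> str:
    """JavaScript-string context with only HTMLEncode applied.
    The browser does not decode entities inside <script>, and ' ; ( ) are not
    encoded at all, so the attacker closes the string and runs code."""
    return "<script>var order = '" + html_encode(order) + "'; sortTable(order);</script>"


def render_sort_script_fixed(order: str) -> str:
    """Page 61's straightforward solution: only a yes/no decision reaches the page,
    so no attacker-controlled characters are ever written into the script."""
    direction = "asc" if order == "ASC" else "desc"
    return "<script>sortTable('" + direction + "');</script>"


def strip_script_tags(value: str) -> str:
    """The custom filter from page 62: delete literal <script> and </script> once."""
    return value.replace("<script>", "").replace("</script>", "")


if __name__ == "__main__":
    # Example 1: the same encoder, right context vs. wrong context.
    print(render_cell("<script>alert(1)</script>"))           # harmless text in a cell
    breakout = "'; alert(document.cookie); //"
    print(render_sort_script_vulnerable(breakout))            # runs alert()
    print(render_sort_script_fixed(breakout))                 # sortTable('desc')
    # Example 2: the slide's own evasion of the strip filter.
    print(strip_script_tags("Data1<script>MaliciousCode</script>Data2"))  # Data1MaliciousCodeData2
    print(strip_script_tags("<scr<script>ipt>"))              # <script>
```

The two examples fail for the same underlying reason: each defence was chosen without regard to where the output lands. Encoding has to match the output context (HTML body, attribute, JavaScript string, URL), and a blacklist that deletes one token can be reassembled by the very deletion it performs.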

Page 64: Agenda

• Context
• Static Analysis
• Dynamic Analysis
• Q&A

Page 65: Dynamic Analysis

• Specifically, Web Application Penetration Testing
• Types:
  • Black Box
  • White Box
  • Grey Box

Page 66: Black Box

• Zero knowledge of the system beforehand
  • Other than what the target is
• More realistic test (what an attacker would experience)
  • Unless the attacker is an insider

Page 67: White Box

• Given knowledge of the system from the client
  • Documents
  • Source code

Page 68: White Box

• More realistic test (in terms of resource allocation)
  • Can find more vulnerabilities in a shorter time frame
  • Hiring dozens of expert ethical hackers at 8 hours/day trying for 5 years is prohibitive for most budgets

Page 69: Grey Box

• Given some knowledge of the system from the client
  • Documents?
  • Source code?

Page 70: Rules of Engagement

• Scope
  • Anything to specifically focus on
  • Anything to specifically avoid
• Time frames
  • 2 weeks or 4 weeks or …
  • Days/nights
  • Weekdays/weekends
• Provide the client with the testers' source IPs
  • To differentiate the test from a real attack

Page 71: Permission Memo

• Explicit, written and signed
• Names of testers
• Start and end dates
• Contact information

Page 72: Environment

• QA/test environment
  • Safer
    • Data corruption
    • Denial of Service
• Production environment
  • Real – what hackers see
  • Testing may impact the experience of the client's customers

Page 73: Tools

• SecTools.Org
  • List of the top 125 network security tools
  • http://sectools.org
• BackTrack
  • Pen testing distribution
  • http://www.backtrack-linux.org

Page 74: Tools

• Samurai Web Testing Framework
  • Pen testing distribution focused on web applications
  • http://www.samurai-wtf.org

Page 75: Process Overview

• Research
  • Gather information from external sources
  • Gather information from the web application
• Find and exploit vulnerabilities
• Report findings
• Remediation by client
• Retest

Page 76: Research

• Gather information from external sources
  • Whois records
    • Names
    • Emails
    • Phone numbers
    • http://networking.ringofsaturn.com/Tools/whois.php

Page 77: Research

• Gather information from external sources
  • Google hacking
    • site:theTargetWebsiteOfTest.tdl
    • inurl:phpinfo
    • intitle:"admin login"
    • ext:xls
  • groups.google.com
    • insubject:"problem with my code"
    • author:@theTargetWebsiteOfTest.tdl

Page 78: Research

• Gather information from external sources
  • Press releases
    • Including vendors/partners
  • Job postings
    • Technologies and versions
  • LinkedIn profiles
  • Facebook
  • Twitter
  • Blogs

Page 79: Research

• Gather information from the web application
  • Spider to follow links and download the entire site
    • Wget
    • http://www.gnu.org/software/wget/

Page 80: Research

• Wget

Page 81: Research

• Wget
  • After downloading the client's website
    • Look at all the images
    • Menu graphics may reveal parts of the site that some users do not have access to
      • Information leakage

Page 82: Research

• Gather information from the web application
  • Forced browsing – find pages and resources that are not found by following links
    • DirBuster
    • https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
  • Comes with word lists sorted by popularity
    • small.txt: 88,000 words, dirs/files found on more than 2 hosts
    • medium.txt: 221,000 words, dirs/files found on more than 1 host
    • big.txt: 1,274,000 words, all dirs/files found

Page 83: Research

• DirBuster

Page 84: Research

• DirBuster examples:
  • Find backup files
    • index.php.bak
  • It found a PHP include file, thus exposing the PHP source code and the credentials coded within
    • The file's permissions were set to world readable

Page 85: Research

• Gather information from the web application
  • Word list generator
    • CeWL
    • http://www.digininja.org/projects/cewl.php
  • Can be helpful for username/password guessing

Page 86: Research

• CeWL

Page 87: Research

• Gather information from the web application
  • View the web page's HTML source code
    • Internet Explorer: Page -> View Source
    • Firefox: View -> Page Source
  • Read the comments for any interesting information
    • Usernames
    • Passwords
    • "TO DO: add security"

Page 88: Find and Exploit Vulnerabilities

• Automated tool
  • w3af – Web Application Attack and Audit Framework
  • http://w3af.sourceforge.net

Page 89: Find and Exploit Vulnerabilities

• Examples
  • Authentication
  • Authorization

Page 90: Find and Exploit Vulnerabilities

• Authentication example
  • My home router – wanted to configure WiFi
    • Own WPA2 hexadecimal password
    • MAC filtering
  • Configured Hydra for the router's login web page
    • Online password cracker
  • In about 2 hours, it found the password for the admin account
  • http://thc.org/thc-hydra/

Page 91: Find and Exploit Vulnerabilities

• Hydra

Page 92: Find and Exploit Vulnerabilities

• Authorization example
  • Automated tool did not find any vulnerabilities
  • Use an interception proxy – Burp
    • Intercepts requests after they leave the browser and before they reach the server
    • Intercepts responses after they leave the server and before they reach the browser
    • http://portswigger.net/burp/proxy.html

Page 93: Find and Exploit Vulnerabilities

• Authorization example

Page 94: Find and Exploit Vulnerabilities

• Authorization example
  • The application allowed users to view their own salary information after authenticating
  • Changed the assigned user ID in the intercepted request before the proxy forwarded it to the server
  • Can now view anyone's salary
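Added example, not code from the presentation: the salary page above as a vulnerable request handler beside a fixed one. The session tokens, user IDs, salaries and the request shape are all constructed for the example, and `tamper()` stands in for editing the user ID in the interception proxy.

```python
import copy

# Constructed data: session token -> authenticated user id, user id -> salary.
SESSIONS = {"sess-alice": 101, "sess-bob": 102}
SALARIES = {101: 85_000, 102: 92_000}


def _authenticated_user(request: dict):
    """Identity comes from the session cookie, which the server issued at login."""
    return SESSIONS.get(request.get("cookies", {}).get("session"))


def _requested_user_id(request: dict):
    """The user_id parameter is client-controlled; treat it as untrusted input."""
    raw = request.get("params", {}).get("user_id")
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def view_salary_vulnerable(request: dict) -> tuple:
    """Authenticates correctly, then authorizes on a value the client chose."""
    if _authenticated_user(request) is None:
        return (401, None)
    uid = _requested_user_id(request)
    if uid is None or uid not in SALARIES:
        return (400, None)
    return (200, SALARIES[uid])           # any logged-in user can read any salary


def view_salary_fixed(request: dict) -> tuple:
    """Authorization is decided from the session, never from the request parameters."""
    me = _authenticated_user(request)
    if me is None:
        return (401, None)
    uid = _requested_user_id(request)
    if uid is None:
        return (400, None)
    if uid != me:
        return (403, None)                # worth logging: a mismatch here is a tampering signal
    return (200, SALARIES[me])


def tamper(request: dict, user_id: str) -> dict:
    """What the tester did in Burp: change user_id after login, before forwarding."""
    edited = copy.deepcopy(request)
    edited.setdefault("params", {})["user_id"] = user_id
    return edited


if __name__ == "__main__":
    own = {"cookies": {"session": "sess-alice"}, "params": {"user_id": "101"}}
    stolen = tamper(own, "102")
    print(view_salary_vulnerable(stolen))   # (200, 92000): Bob's salary
    print(view_salary_fixed(stolen))        # (403, None)
    print(view_salary_fixed(own))           # (200, 85000)
```

The simplest fix of all is to drop the parameter entirely and look the salary up by the session's user ID; the version above keeps the parameter only to show the check that an automated scanner, which has no notion of which user should own which record, cannot perform on its own.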

Page 95: Questions?

Thank you