Prathan Phongthiproek
Management Consulting, KPMG Thailand
Beyond the Penetration Testing
Penetration Testing !?
❖ Penetration Testing is more a process than mere scripts and tools
❖ Time Management
❖ Methodology
❖ Risk Assessment
❖ Recommendation and Remediation Plan
❖ Reporting
❖ Superheroes !!
Penetration Tester Average Annual Salary
http://www.payscale.com/research/US/Job=Penetration_Tester/Salary
Penetration Testing
What management thinks I do.
What my client thinks I do.
What my parents think I do.
What I think I do
“Penetration Testing” versus “Hacking”
❖ Classic Penetration Testing
❖ Thinking inside the box
❖ Assigned a limited block of IP addresses
❖ Unable to go beyond the approved scope list: only touch xyz hosts, don't touch abc host
❖ Follow a pentest methodology: OSSTMM, NIST, etc.
❖ Use public exploits: Exploit-DB, Metasploit
❖ Real World Hacking
❖ Thinking outside the box
❖ Know one piece of information and have to expand from there
❖ Compromise all systems, targeted attacks
❖ All methodologies are integrated
❖ Intelligent information gathering, 0-day exploits
Battle Plan = PenTest Methodologies
❖ National Institute of Standards and Technology (NIST SP800-115)
❖ Open Source Security Testing Methodology Manual (OSSTMM)
❖ The Penetration Testing Execution Standard (PTES)
❖ Open Web Application Security Project (OWASP)
OWASP Top 10 - 2013
https://www.owasp.org/index.php/Top_10_2013-Top_10
Risk Rating Methodology
❖ Risk = Likelihood factors + Impact factors
❖ Likelihood factors: Threat Agent + Vulnerability
❖ Impact factors: Technical Impact + Business Impact
Risk Assessment Calculator
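The slide groups likelihood factors (threat agent, vulnerability) and impact factors (technical, business) as the OWASP Risk Rating Methodology does. The following calculator is an added example, not from the deck or from OWASP's own tooling; it applies OWASP's 0-9 factor scores, its LOW/MEDIUM/HIGH bands and its overall severity matrix, with constructed scores for the login-bypass SQL injection shown later on the deck.

```python
# Factor groups of the OWASP Risk Rating Methodology; every factor is scored 0-9.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",                              # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",  # vulnerability
)
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage",
                   "non_compliance", "privacy_violation")

# OWASP overall severity matrix: (impact level, likelihood level) -> severity.
SEVERITY = {
    ("HIGH", "LOW"): "Medium", ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
    ("MEDIUM", "LOW"): "Low",  ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("LOW", "LOW"): "Note",    ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
}


def level(score):
    """OWASP bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"factor score out of range: {score}")
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"


def average(scores, names):
    """Mean of the named factors; refuses to rate with a factor missing."""
    missing = sorted(set(names) - set(scores))
    if missing:
        raise ValueError(f"missing factors: {missing}")
    return sum(scores[n] for n in names) / len(names)


def rate(scores):
    """Return likelihood, impact and overall severity for a finding.
    OWASP prefers business impact when all four factors are known,
    otherwise the technical impact factors are used."""
    likelihood = average(scores, LIKELIHOOD_FACTORS)
    impact_names = BUSINESS_IMPACT if all(n in scores for n in BUSINESS_IMPACT) else TECHNICAL_IMPACT
    impact = average(scores, impact_names)
    return {"likelihood": likelihood, "impact": impact,
            "severity": SEVERITY[(level(impact), level(likelihood))]}


# Constructed scores (not from the deck) for an authentication-bypass SQLi
# on an internet-facing login form; business impact factors deliberately unknown.
SQLI_LOGIN_BYPASS = {
    "skill_level": 3, "motive": 9, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 9, "awareness": 9, "intrusion_detection": 8,
    "loss_of_confidentiality": 7, "loss_of_integrity": 5,
    "loss_of_availability": 1, "loss_of_accountability": 7,
}
```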
OWASP Testing Guide v4
❖ Released 17th September 2014
❖ 11 Domains
❖ 87 Modules
❖ Information Gathering
❖ Configuration and Deploy Management
❖ Identity Management
❖ Authentication
❖ Authorization
❖ Session Management
❖ Input Validation
❖ Error Handling
❖ Weak Cryptography
❖ Business Logic
❖ Client Side
Don’t trust scan results
❖ Many testers just follow a Nessus -> Metasploit flow, or rely on Acunetix, IBM AppScan and HP WebInspect scans
❖ Manual testing is needed for: Identity Management, Authentication, Authorization, Business Logic, Client Side Testing
❖ These tools are our eyes and ears, nothing more
❖ Human - 80%, Tools - 20%
Go Beyond…
❖ Some applications are protected by blacklist checking or a Web Application Firewall (WAF)
❖ Understand the application and look into the developer's mind
❖ Combine & Conquer
❖ This is what our clients are paying us to do
Manual and Semi-automated Tool
Case Study #1: SQLi 101
❖ Select * from users where username='input1' and password='input2'
username = ' or a=a#
password = whatever
❖ Select * from users where username='' or a=a#' and password='whatever'
❖ Select * from users where FALSE or TRUE
FALSE or TRUE = TRUE
Case Study #1: SQLi 101
❖ Blacklisting comment characters (# or --)
❖ Select * from users where username='input1' and password='input2'
username = ' or 'a'='a
password = whatever
❖ Select * from users where username='' or 'a'='a' and password='whatever'
❖ Select * from users where FALSE or [ TRUE and FALSE ] (AND binds tighter than OR)
FALSE or FALSE = FALSE
Case Study #1: SQLi 102
❖ Blacklisting comment characters (# or --)
❖ Select * from users where username='input1' and password='input2'
username = ' or a=a or 'a'='a
password = whatever
❖ Select * from users where username='' or a=a or 'a'='a' and password='whatever'
❖ Select * from users where FALSE or TRUE or [ TRUE and FALSE ] (the extra OR term is outside the AND)
FALSE or TRUE or FALSE = TRUE
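The three inputs walked through in SQLi 101 and 102, run against both a string-concatenated login query and a parameterised one. This is an added example, not code from the deck: the users table is constructed in memory with sqlite3, `--` stands in for `#` because SQLite has no `#` comment, and `'a'='a'` stands in for the bare `a=a` because SQLite rejects an unknown bare identifier; the boolean shapes are the same as on the slides.

```python
import sqlite3

# Constructed schema and account; any real login table would do.
VULNERABLE_SQL = "SELECT * FROM users WHERE username='{u}' AND password='{p}'"
SAFE_SQL = "SELECT * FROM users WHERE username=? AND password=?"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_concat(conn, username, password):
    """The slide's pattern: input pasted straight into the statement.
    Returns (logged_in, effective_sql) so the query can be inspected."""
    query = VULNERABLE_SQL.format(u=username, p=password)
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:       # a syntax error is a failed login, not a bypass
        row = None
    return row is not None, query


def login_param(conn, username, password):
    """Hardened form: bound parameters, so quotes in input are data, not SQL."""
    row = conn.execute(SAFE_SQL, (username, password)).fetchone()
    return row is not None


# Constructed usernames mirroring the deck; password is always 'whatever'.
CASES = {
    "101 comment":    "' or 'a'='a'--",          # FALSE or TRUE               -> TRUE
    "101 no comment": "' or 'a'='a",             # FALSE or (TRUE and FALSE)   -> FALSE
    "102 extra or":   "' or 'a'='a' or 'a'='a",  # FALSE or TRUE or (T and F)  -> TRUE
}


def run_cases():
    """Map each case to (concatenated-query result, parameterised result)."""
    conn = make_db()
    return {name: (login_concat(conn, u, "whatever")[0], login_param(conn, u, "whatever"))
            for name, u in CASES.items()}
```

Only the middle case is stopped by the comment-character blacklist; the parameterised query rejects all three while still accepting the real credentials.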
Case Study #2: Account Enumeration
❖ Located in an Amazon Virtual Private Cloud
❖ Running IIS 8.0
❖ PHP, latest version
❖ No issues from scan results
Case Study #3: Mobile App Hard Coded
Case Study #4: Whitebox Pentest
[Network diagram: internal Windows hosts exposing RDP (3389), an MSSQL server (1433), AD and Exchange servers; annotated with MS03-026 RPC DCOM and MS05-039 MS PnP Overflow]
Team Rules
#1: Act like a warrior, don't be a zombie.
#2: CRITICAL/HIGH issues or compromise the system, you get a free BUFFET !!!
#3: If you miss it, I get a free BUFFET+...
#4: Keep statistics (PWNED'em ALL)
Reporting
❖ 1-page executive summary
❖ Remediation plan for the short term and the long term
❖ Clear descriptions
❖ Sharp risk ratings
❖ Recommendations that make sense
❖ and a great presentation
PenTesters Code of Ethics
I will never copy and paste automated results into a report
I will never completely trust scan results
I will go beyond scanning results
I will think outside of the box
My report will rock !!
Facebook: https://www.facebook.com/tan.prathan
Linkedin: https://www.linkedin.com/in/pprathan
Slideshare: https://www.slideshare.net/pprathan
Vimeo: https://vimeo.com/prathan
Thank you