Agenda
– Personal experiences
– Definitions and dividing
– Similarities and differences
– Skills and mentality
– Methodology and tools
Definitions
Penetration testing
– tries to replicate a real attack
– goes as deep as possible
– it's not comprehensive (doesn't enumerate all vulnerabilities)
– it's usually, but not always, done from outside
– it's not just a combination of several vulnerability scan tools' reports
– maybe not so strong, but very intelligent
Vulnerability scanning
– doesn't go as far as pentesting
– but enumerates all possible known bugs and holes
– not very intelligent but strong
Types of security tests (NIST Computer Security Division):
– network mapping (survey and scanning)
– vulnerability scanning (network and host scanners)
– penetration testing (blue / red team, manual work)
– security tests & evaluation (finding mistakes in design...)
– password cracking (e.g. can be used during pentests)
– log review (system works as intended)
– integrity checkers (implementation at start)
– virus detection (old is none)
– war dialing (rogue modems etc.)
Pros and cons of security tests
Network mapping
– Pros: very quick and easy
– Cons: doesn't find vulnerabilities; more often it's the first phase of other tests
Vulnerability scanning
– Pros: quite quick, many good automated tools, wide range
– Cons: only known bugs, many false positives, doesn't go under cover
Penetration testing
– Pros: hacker tools and methods, shows the real danger, goes deep
– Cons: very demanding in time, skills and knowledge; quite expensive
Comparison: hacker vs. pen-tester
– Is pentesting a kind of black art?
– Who is the real hacker / pentester?
– Wanna-be hackers / pentesters?
– Who is more dangerous?
– How can you find the real one?
Who is the real one?
First-tier hackers
The best programmers and experts. They have a deep understanding of IP protocols and of the OS and programming languages they use. They are able to find new holes or vulnerabilities and to write their own code. They usually don't seek publicity, but they are known because many others use their hacking utilities.
Second-tier hackers
Have a technical skill level equivalent to system or network administrators. They usually know several OSes, know how to use some exploits and have some knowledge of a programming language. They are much more common than first-tier hackers, on whom they often rely.
Third-tier hackers (also script kiddies or lamers)
The most populous but also the least respected group. Their main principle is "download and try". They usually don't understand the consequences, and because they often run untested scripts against real networks, they can cause big problems. Their knowledge of IT is usually quite low, but what they lack (or lose) in skills they make up for in motivation, free time, etc. If they succeed, they think they are elite.
Usual (or minimal?) level of a pentester
Skills, knowledge and experience should be at least similar to those of second-tier hackers. If he (she?) is better, that's good, but it's more an exception than a rule.
Plus:
– good reputation and no criminal record
– patience and methodology (to find all holes, to document ongoing tests, etc.)
– presentation skills (?) and the ability to close discovered holes (if required)
Skills and mentality
Good skills and knowledge are necessary but not sufficient conditions!
You have to think like a hacker but behave like a professional!
Going beyond the limits and using your knowledge in a different way is an attitude!
Methodology and tools
– Before you begin...
– Classical phases of tests (hacks?)
– Obligations in execution of tests
– Basic categories of tools
Classical phases of tests
General methodology (from outside)
– Reconnaissance (get to know as much as possible)
– Vulnerability analysis (low-hanging fruit, other ways in)
– Gaining access (trying concrete attacks and methods, escalation of privileges)
Basic phases of an attack
– Reconnaissance (IP, DNS, mail servers, organization info, etc.)
– Scanning (ports, services, SW, known vulnerabilities)
– Gaining access (exploits, scripts, hacker tools...)
– Maintaining access (Trojan horses: application, traditional, kernel)
– Covering tracks (hiding in the OS, covert channels, wiping audit logs)
Obligations in execution of tests
Hacker
– doesn't have to follow our test order
– needs to find and use only one hole
– can have some trouble covering tracks
Pen-tester
– must have a methodology to test as much as possible
– besides having it, he has to follow it too
– tries to find theoretically all holes, but can have problems proving it
Basic categories of tools
– Reconnaissance
– War dialing
– OS and application identification
– Network services testing
– Port scanning
– Vulnerability scanning
– NULL session tools
– Session manipulation
– FW, router, ACL testing
– Forensic analysis
– Password cracking
– DoS
– Log review
– Packet forgery
– Sniffing
– IDS testing
– WWW testing
– ... and some more.
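Two items in the lists above, "Log review" and "IDS testing", are the defender's counterpart to the "Scanning (ports, services...)" phase of an attack. As an added example (written for this page, not a tool from the slides), here is the core of a log-review check that reads firewall decision lines and flags any source address that touches many distinct destination ports or hosts inside a short window. The log line format, the sample addresses, the threshold and the window size are all assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# One line per firewall decision. This field layout is an assumption for the
# example, not the log format of any particular product.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything the regex rejects."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dpt": int(m["dpt"]),
    }


def detect_port_scans(lines, threshold=10, window_seconds=60):
    """Flag a source that touches >= threshold distinct (dst, port) pairs inside the window.

    Returns {src: {"at": ISO time of the triggering line,
                   "targets_in_window": distinct targets at that moment}}.
    Only the first trigger per source is kept, so a long scan gives one alert,
    not one per probed port.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])          # logs are not always in order
    recent = defaultdict(deque)                 # src -> events still inside the window
    alerts = {}
    for e in events:
        q = recent[e["src"]]
        q.append(e)
        while (e["ts"] - q[0]["ts"]).total_seconds() > window_seconds:
            q.popleft()                         # slide the window forward
        targets = {(x["dst"], x["dpt"]) for x in q}
        if len(targets) >= threshold and e["src"] not in alerts:
            alerts[e["src"]] = {"at": e["ts"].isoformat(), "targets_in_window": len(targets)}
    return alerts


def build_sample_log():
    """Constructed sample: one host probing 12 ports in 12 seconds, one normal client, one junk line."""
    lines = [
        f"2024-05-01T10:00:{i:02d} DROP src=203.0.113.5 dst=192.0.2.10 dpt={20 + i}"
        for i in range(1, 13)
    ]
    lines += [
        "2024-05-01T10:00:05 ACCEPT src=198.51.100.7 dst=192.0.2.10 dpt=443",
        "2024-05-01T10:00:35 ACCEPT src=198.51.100.7 dst=192.0.2.10 dpt=443",
        "2024-05-01T10:01:02 ACCEPT src=198.51.100.7 dst=192.0.2.11 dpt=443",
        "May  1 10:01:05 fw kernel: unrelated message",   # rejected by the parser
    ]
    return lines


if __name__ == "__main__":
    for src, info in detect_port_scans(build_sample_log()).items():
        print(f"possible port scan from {src}: {info}")
```

The threshold and window are the tuning knobs: too low and every monitoring system or load balancer becomes a "scanner", too high and a slow scan spread over hours never trips it, which is exactly the gap an IDS test should probe. The same logic also illustrates why "wiping audit logs" in the covering-tracks phase matters to the attacker: a review like this only works on logs that were shipped off the host before they could be edited.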
Personal experiences
Relatively low level of security awareness
– 95% of blue tests
Impossible requirements on pentesters
– within one afternoon
– if you don't finish as root, your test was bad
"Smart" handling of test results
– the final report is just a dust collector
– it's just a potential hole, you can't prove it
– it's not a complete manual on how to turn my messy IS into a COSMIC TOP SECRET system
Bad internal communication in the organization
– the security officer or manager orders the pentest, but sometimes forgets to announce it to the organization's IT staff (diversion actions and an aggressive attitude follow very quickly)
Conclusion
Do you need penetration tests?
– Penetration testing is for organizations with a strong security program.
– Don't waste your money on pentests if you don't even do regular vulnerability testing on your own.
Do we need pentesters?
– Vulnerability scanning IS NOT penetration testing.
– Keeping up to date with the underground is a full-time job.
– No vulnerability scanner hacks your system!
Is it important to know the basics of security testing?