1
Ethical Hacking Ed Chorbajian Affinity Inc. April 11, 2012
2
Introductions Ed Chorbajian echorbajian@affinityit.com New York, NY linkedin.com/in/edchorbajian Affinity, Inc. http://affinityit.com IT services and solutions provider, helping Fortune 500 and growth companies Corporate Headquarters in Milwaukee, WI
3
About Affinity, Inc.
4
Clients
5
About Ed Chorbajian Certifications CSSLP, GWAPT, CISSP, GPEN, GCIH, GSLC, SCJP Experience 5+ years Security 10 years Software Development Education MBA (80% complete) at New York University Stern MS in Computer Science BA in Mathematics and Physics
6
Agenda Context Static Analysis Dynamic Analysis Q&A
7
A Hacker is Someone who Finds information security vulnerabilities Exploits them (Black Hat)
8
An Ethical Hacker is Someone who Finds information security vulnerabilities Exploits them Has permission (White Hat)
9
Ethics Yes - “has permission” is a simplification Ethics describes right and wrong behaviors Our discussion today is not about ethics
10
Ethics Sometimes it depends on your point of view Hackers that made Stuxnet targeted Iranian nuclear plants and probably delayed Iran’s uranium enrichment program by two years
11
Find and Exploit Vulnerabilities SQL Injection humor
15
Find and Exploit Vulnerabilities SQL Injection – not so funny An attack targeting the victim’s data, database and database server Data: possible to read, add, modify, delete Database: possible to drop tables, drop indexes, create users, grant and revoke privileges Database server: possible to mount further attacks against the victim’s internal network
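The "not so funny" part of the slide above, as an added example that is not part of the presentation: a login query built by string concatenation next to the parameterized version, run against an in-memory SQLite database with constructed rows. Passwords are stored in the clear here only to keep the injection visible; the later slides on salted hashes cover storage.

```python
# Added example, not from the presentation: a login query built by string
# concatenation next to the parameterized version, against an in-memory SQLite
# database with constructed rows.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],  # constructed sample data
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Deliberately vulnerable: the user-controlled strings become part of the
    # SQL text, so quotes and comment markers in them change the query.
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    # Parameterized: the driver sends the values separately from the SQL text,
    # so a quote in the input is just a quote in the compared value.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Payloads a tester would try. Note the placement: AND binds tighter than OR,
# so "' OR '1'='1" in the username field alone does not bypass the check,
# but in the password field it makes the whole WHERE clause true.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice'--"  # closes the quote and comments out the password check

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "x", TAUTOLOGY))     # every user
    print(login_vulnerable(db, COMMENT_OUT, "x"))   # alice, no password needed
    print(login_safe(db, "x", TAUTOLOGY))           # []
```

The same two payloads against `login_safe` return nothing, because the driver compares the literal text `' OR '1'='1` with the stored password instead of parsing it.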
16
Partial List of Vulnerabilities Injection Cross-Site Scripting Encryption implementation Parameter Tampering
17
Partial List of Vulnerabilities Injection SQL Injection LDAP Injection XML Injection Code Injection OS Commanding
18
Partial List of Vulnerabilities Cross-Site Scripting Reflected Cross-Site Scripting Stored/Persistent Cross-Site Scripting DOM-based Cross-Site Scripting
19
Partial List of Vulnerabilities Encryption implementation Symmetric Asymmetric (Public/Private Key Cryptography) Password Hashes Key Management
20
Partial List of Vulnerabilities Parameter Tampering Business Logic Abuse Buffer Overflow Cross-Site Request Forgery Information Leakage Directory Traversal Authentication/Authorization Session Fixation
21
In the past … To defend your organization “You don’t need to outrun the bear in the woods, just your neighbor” Be less insecure than your neighbor Hackers attack the easier targets
22
Today … Organizations are specifically targeted Hacktivists - political agenda Anonymous
23
Threat Agents Unintentional/careless users Non-professional hackers/script kiddies Researchers Professional hackers Corporate/industrial espionage Insiders/partners Organized criminals Hacktivists Nation-state intelligence agencies
24
Today … Nation-state intelligence agencies Source: http://www.mcafee.com/us/resources/reports/rp-virtual-criminology-report-2009.pdf
25
Today … Advanced Persistent Threat – APT Have large resources Have much patience Target specific organizations Purpose Intellectual Property Disruption Etc.
26
Today … Verizon 2012 Data Breach Investigations Report March 22, 2012 (Larger Orgs are samples with at least 1,000 employees) http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012-press_en_xg.pdf
27
Today … Verizon 2012 Data Breach Investigations Report Hacktivists tend to target larger organizations High profile Motive is attention and publicity Denial of Service attacks Download and distribute secret information Website defacements
28
Today … Verizon 2012 Data Breach Investigations Report Organized criminals tend to target smaller organizations Low profile Motive is money Smaller revenue - for each attack High volume - through many attacks Easier to exploit victims
29
Today … Verizon 2012 Data Breach Investigations Report http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012-press_en_xg.pdf
30
Agenda Context Static Analysis Dynamic Analysis Q&A
31
Static and Dynamic Analyses Static - the source code Can see “everything” Dynamic - a running application See everything that is actually there, including Infrastructure Middleware Third-party libraries Actual source code used
32
Automated and Manual Techniques Automated Technique Use a tool that does much of the work Catches the more easily detected vulnerabilities Manual Technique Use expertise to find vulnerabilities that the tools cannot find on their own Do much of the work using many tools
33
Static Analysis Automated I personally worked with IBM Rational AppScan Source Edition for Security (Ounce Labs) HP Fortify Static Code Analyzer Can scan 100,000s of lines of code Expensive tools
34
Process for Automated The client stages the source code: Complete source code that compiles/builds without error Workspace and project files All dependencies SDLC documents The tools are ineffective when any required component is missing
35
Process for Automated Inventory the source code Configure the tool Run the scan Could produce thousands of findings Analyze the results
36
Results of the Analysis Determine if each finding is a False Positive or a True Positive Raise, lower or keep the suggested severities Critical High Medium Low Informational
37
Results of the Analysis Communicate the vulnerabilities to the client Provide recommendations on how to remediate the security defects The client remediates the defects Available for assistance - includes explaining in-depth technical questions on vulnerability risks and remediation strategies Retest
38
True/False Positive/Negative False Positive – the tool found a security defect, but it really is not a security defect The reason to vet the findings True Positive – the tool found a security defect, and it really is a security defect The tool did its job
39
True/False Positive/Negative True Negative – the tool did not find the security defect, and there is no security defect The tool did its job Not reported, but implied False Negative – the tool did not find the security defect, but there really is a security defect The tool missed this
40
Manual Static Analysis Generally do a targeted search May not be practical to look at thousands or millions of lines of code Examples Authentication/Authorization Encryption implementation Logging Output to web browser
41
Authentication/Authorization Example There was a backdoor in a client’s software system, which was written by their vendor Hard-coded username and password Bypass normal authentication controls Unlimited access to the system Bypass normal authorization controls Logging turned off for this username Bypass normal auditing controls
42
Authentication/Authorization Example Vendor included the backdoor for convenience Support and maintenance In addition to this client, other organizations using this vendor’s system had the same security issue With the same credentials!
43
Encryption Implementation Example 1 Password hashes were not salted A cryptographic hash (e.g. SHA-2) is a one-way function There are no encryption/decryption keys The password is hashed, not encrypted: the stored value cannot feasibly be inverted back to the password
44
Encryption Implementation Example 1 How are password hashes utilized? When a user authenticates, the password is hashed; then the result is compared to the password hash stored in the database If a hacker gets access to the password hashes in the database, then they can use Rainbow Tables to determine the passwords Pre-computed password hash values: one table, built once, works against every unsalted database
45
Encryption Implementation Example 1 Why is a salt necessary? A salt is a random value that is combined with the password before hashing The hashed result is very different than without the salt, so pre-computed tables no longer apply Preferably have a different salt for each user, stored alongside the hash (the salt is not a secret); two users with the same password then get different hashes
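Example 1 in code, added here and not taken from the presentation: why the unsalted SHA-2 hashes fall to a precomputed table, and a salted, iterated replacement (PBKDF2-HMAC-SHA256, a choice of this example, not the client's). The word list and users are constructed sample data.

```python
# Added example, not from the presentation: unsalted SHA-256 versus a
# per-user salt with an iterated KDF. Word list and users are constructed.
import hashlib
import hmac
import os


def unsalted_hash(password):
    # What the assessed application did: one SHA-256 over the password alone.
    return hashlib.sha256(password.encode()).hexdigest()


def precompute_table(wordlist):
    # A (tiny) rainbow-table stand-in: hash -> password, built once, reused
    # against every unsalted database ever stolen.
    return {unsalted_hash(w): w for w in wordlist}


def crack_unsalted(stolen_hashes, table):
    # stolen_hashes: {username: hash}; one dictionary lookup per user.
    return {user: table[h] for user, h in stolen_hashes.items() if h in table}


def hash_password(password, salt=None, iterations=100_000):
    # Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256).
    # The salt is stored with the hash; it is not a secret.
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "%s$%d$%s" % (salt.hex(), iterations, digest.hex())


def verify_password(password, stored):
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    table = precompute_table(["password", "letmein", "ihearthacking7"])
    stolen = {"alice": unsalted_hash("letmein"), "bob": unsalted_hash("letmein")}
    print(crack_unsalted(stolen, table))                          # both users at once
    print(hash_password("letmein") != hash_password("letmein"))   # salts differ
```

With the unsalted scheme, alice and bob share one hash and one lookup recovers both; with a per-user salt, the same password yields different stored values, and the iteration count makes each guess cost the attacker as much as it costs the server.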
46
Encryption Implementation Example 2 Organization has encrypted credit card information The encryption used AES-128 with the key composed of two 8 character passwords concatenated together
47
Encryption Implementation Example 2 Normal use of AES-128 Encryption key is 128 bits long 2^128 possible keys 300,000,000,000,000,000,000,000,000,000,000,000,000 To guess the key, divide by 500,000 tries/sec (These days, over 2,000,000 tries/sec) Then again divide by 86,400 sec/day Divide by 100 (for a 1% chance of success) Trillions of years is still not remotely close
48
Encryption Implementation Example 2 Normal use of AES-128 128 bits = 16 chars x 8 bits/char Each char has 2^8 = 256 possibilities Range from ’00’ to ‘FF’ Hexadecimal notation 256^16 = (2^8)^16 = 2^(8*16) = 2^128
49
Encryption Implementation Example 2 Normal use of AES-128 Example key in Binary notation (grouped by byte): 00011110 00101101 01101010 00011000 01100001 01000011 10001101 11010110 01101100 10101110 11110111 00010001 01111100 11111001 00010011 01111010 Same key as 16 chars Hexadecimal notation: 1E2D6A1861438DD66CAEF7117CF9137A
50
Encryption Implementation Example 2
52
Passwords consist of the 94 keyboard printable characters ‘A’ through ‘Z’ ‘a’ through ‘z’ ‘0’ through ‘9’ 32 symbols (not including SPACE) Hexadecimal ‘21’ through ‘7E’
53
Encryption Implementation Example 2 A password-type key reduces the key space from 256 possibilities to 94, for every char The effective key length changes from 128 to 105 bits (log2(94^16) ≈ 105) Moreover, user-chosen 16-character passwords have a randomness (entropy) of at best 38 bits
54
Encryption Implementation Example 2 http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
55
Encryption Implementation Example 2 2^38 = 274,877,906,944 possibilities To guess the key, divide by 500,000 tries/sec Then again divide by 86,400 sec/day Divide by 2 (for 50% chance of success) Result: on average the encryption key can be cracked in about 3 days
56
Encryption Implementation Example 2 Better recommendation for client: Use AES-256 Use a randomly generated key written in hexadecimal instead of characters typed by a person (AES-256 needs 32 random bytes, i.e. 64 hexadecimal characters; a 32-character hexadecimal string is only 128 bits) If the key must be held by two people, use two random values of full key length XOR’ed together: each half alone reveals nothing about the key
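The key-space arithmetic of Example 2 as runnable functions, added here and not from the presentation: the effective-bits and time-to-crack formulas the slides apply by hand, the two-passwords-concatenated key that was found, and a randomly generated key that can still be split between two custodians with XOR. Function names and the sample passwords are this example's own.

```python
# Added example, not from the presentation: key-space arithmetic, the
# password-built key that was found, and random key generation with XOR
# splitting for dual control.
import math
import os


def effective_bits(alphabet_size, length):
    # log2(alphabet^length): 256^16 -> 128 bits, 94^16 -> ~105 bits
    return length * math.log2(alphabet_size)


def crack_time_days(bits, tries_per_sec, success_probability=0.5):
    # Expected time to reach the given probability of hitting the key.
    seconds = (2 ** bits) * success_probability / tries_per_sec
    return seconds / 86400


def password_key_128(password1, password2):
    # The scheme that was found: two 8-character passwords concatenated into
    # the 16 bytes AES-128 expects. Valid as a key, weak as a secret.
    key = (password1 + password2).encode("ascii")
    if len(key) != 16:
        raise ValueError("two 8-character passwords are needed")
    return key


def random_key(bits=256):
    # Proper key generation: bytes from the OS CSPRNG. 32 bytes for AES-256,
    # i.e. 64 hex characters when written out.
    return os.urandom(bits // 8)


def split_key_xor(key):
    # Dual control without losing strength: custodian 1 holds A (random),
    # custodian 2 holds B = key XOR A. Either share alone is uniformly random.
    share_a = os.urandom(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def combine_key_xor(share_a, share_b):
    return bytes(a ^ b for a, b in zip(share_a, share_b))


if __name__ == "__main__":
    print(round(effective_bits(256, 16)), round(effective_bits(94, 16)))  # 128 105
    print(round(crack_time_days(38, 500_000), 1))   # ~3.2 days at 50%
    key = random_key(256)
    a, b = split_key_xor(key)
    assert combine_key_xor(a, b) == key
    print(key.hex())                                # 64 hex characters
```

Running it reproduces the slide's numbers (105 effective bits, roughly 3 days for 38 bits of entropy at 500,000 tries per second) and shows that the concatenated-password key is a perfectly valid 16-byte AES key, which is exactly why the tool chain never complained about it.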
57
Logging Example Failed credentials were logged If a user’s password was “ihearthacking7” And the user changed it to “ihearthacking8” (not recommended to increment numbers) And at the next login the user mistakenly entered the old password Easy for a hacker viewing the log to guess the user’s current password
58
Output to Web Browser Example 1 There was a first scan that found no output encoding, thus very vulnerable to Cross-Site Scripting Developers remediated defects Wrapped output with HTMLEncode everywhere The rescan found no issues
59
Output to Web Browser Example 1 What is Cross-Site Scripting? An attack conducted through a vulnerable website to the victim’s browser It allows an attacker to insert client-side script in the browser The script can Deface the website Steal the session Redirect the victim to another website
60
Output to Web Browser Example 1 What does HTMLEncode do? Less-than character (<) is converted to &lt; Greater-than character (>) is converted to &gt; Ampersand character (&) is converted to &amp; Double-quote character (") is converted to &quot; Thus, <script> is converted to &lt;script&gt; Note that the single-quote character (') is not on this list
61
Output to Web Browser Example 1 But looking through the code, there was a sortable HTML table written in JavaScript The output for ascending or descending was written into the <script> portion of the page HTMLEncode would not prevent Cross-Site Scripting in this context (a JavaScript string, not the HTML body) Straightforward solution: If “ASC” then sort ascending Otherwise sort descending (never echo the parameter itself)
62
Output to Web Browser Example 2 Weak Cross-Site Scripting filtering Custom security library If the code saw “<script>” or “</script>”, it just removed it (once, not repeatedly) Example: Data1<script>MaliciousCode</script>Data2 This code’s result: Data1MaliciousCodeData2
63
Output to Web Browser Example 2 Unfortunately, a hacker can use: <scr<script>ipt> Thus, this code’s result: <script> ha.ckers Cross-Site Scripting Cheat Sheet Especially for filter evasion http://ha.ckers.org/xss.html
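Both output examples in code, added here and not taken from the presentation: the HTMLEncode of Example 1 (exactly the four substitutions the slide lists), why it does not help once the value sits inside a `<script>` block, the allow-list fix, and the non-recursive strip filter of Example 2 with its bypass. The `sortTable` function name and all inputs are constructed for the example.

```python
# Added example, not from the presentation: HTML-body encoding versus a
# JavaScript-string context, and a strip filter with the nested-tag bypass.
import html


def html_encode(s):
    # Exactly the four substitutions listed on the slide. Note: no single quote.
    return (
        s.replace("&", "&amp;")
        .replace("<", "&lt;")
        .replace(">", "&gt;")
        .replace('"', "&quot;")
    )


def render_comment(user_input):
    # HTML body context: encoding is the right tool here.
    return "<p>" + html_encode(user_input) + "</p>"


def render_sort_encoded(direction):
    # JavaScript string context: the encoder never touches ' so a payload like
    # ');alert(1);//  ends the string literal and the rest runs as code.
    return "<script>sortTable('" + html_encode(direction) + "');</script>"


def render_sort_allowlist(direction):
    # The fix from the slide: only two values exist, so choose between them
    # and never write the parameter itself into the page.
    direction = "ASC" if direction == "ASC" else "DESC"
    return "<script>sortTable('" + direction + "');</script>"


def naive_strip_filter(s):
    # The custom library's behaviour: remove each literal tag once, not
    # repeatedly, and without decoding or normalizing first.
    return s.replace("<script>", "").replace("</script>", "")


def escape_instead(s):
    # Removal is a blacklist; encoding for the output context is the general fix.
    return html.escape(s, quote=True)


if __name__ == "__main__":
    print(render_comment("<script>alert(1)</script>"))
    print(render_sort_encoded("');alert(1);//"))
    print(render_sort_allowlist("');alert(1);//"))
    print(naive_strip_filter("Data1<script>MaliciousCode</script>Data2"))
    print(naive_strip_filter("<scr<script>ipt>alert(1)</scr</script>ipt>"))
```

The last line shows the filter evasion: removing the inner `<script>` and `</script>` once leaves the outer fragments to reassemble into `<script>alert(1)</script>`, which is why a removal filter has to be applied until nothing changes, and why encoding is the safer default.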
64
Agenda Context Static Analysis Dynamic Analysis Q&A
65
Dynamic Analysis Specifically, Web Application Penetration Testing Types: Black Box White Box Grey Box
66
Black Box Zero knowledge of the system beforehand Other than what is the target More realistic test (what an attacker would experience) Unless the attacker is an insider
67
White Box Given knowledge of the system from the client Documents Source code
68
White Box More realistic test (in terms of resource allocation) Can find more vulnerabilities in a shorter time frame Hiring dozens of expert ethical hackers at 8 hours/day trying for 5 years is prohibitive for most budgets
69
Grey Box Given some knowledge of the system from the client Documents? Source code?
70
Rules of Engagement Scope Anything to specifically focus on Anything to specifically avoid Time frames 2 weeks or 4 weeks or … Days/nights Weekdays/weekends Provide the client with source IPs To differentiate from a real attack
71
Permission Memo Explicit, written and signed Names of testers Start and end dates Contact information
72
Environment QA/test Environment Safer Data corruption Denial of Service Production Environment Real – what hackers see Testing may impact experience of the client’s customers
73
Tools SecTools.Org List of the top 125 network security tools http://sectools.org BackTrack Pen Testing Distribution http://www.backtrack-linux.org
74
Tools Samurai Web Testing Framework Pen Testing Distribution Focused on Web Applications http://www.samurai-wtf.org
75
Process Overview Research Gather information from external sources Gather Information from Web Application Find and exploit vulnerabilities Report findings Remediation by client Retest
76
Research Gather information from external sources Whois records Names Emails Phone numbers http://networking.ringofsaturn.com/Tools/whois.php
77
Research Gather information from external sources Google hacking site:theTargetWebsiteOfTest.tdl inurl:phpinfo intitle:“admin login” ext:xls groups.google.com insubject:“problem with my code” author:@theTargetWebsiteOfTest.tdl
78
Research Gather information from external sources Press releases Including vendors/partners Job postings Technologies and versions Linkedin profiles Facebook Twitter Blogs
79
Research Gather Information from Web Application Spider to follow links and download entire site Wget http://www.gnu.org/software/wget/
80
Research Wget
81
Research Wget After downloading the client’s website Look at all the images Menu graphics may reveal parts of the site that some users do not have access Information leakage
82
Research Gather Information from Web Application Forced browsing – find pages and resources that are not found through following links DirBuster https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project Comes with a sorted (by popularity) word list small.txt: 88,000 words, dirs/files found >2 hosts medium.txt: 221,000 words, dirs/files found >1 host big.txt - 1,274,000 words, all dirs/files found
83
Research DirBuster
84
Research DirBuster examples: Find backup files index.php.bak It found a PHP include file, thus having the PHP source code, and the credentials coded within File’s permissions were set to world readable
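The backup-file hunt from the DirBuster slides as an added example, not from the presentation and not DirBuster's own word list: generate the usual backup and editor-leftover names for a known page and probe each one. The `demo()` function starts a throwaway local web server with a constructed `index.php` and a world-readable `index.php.bak`, so the block runs offline; the suffix list is an assumption.

```python
# Added example, not from the presentation: forced browsing for backup copies
# of a known page, against a local throwaway server started by demo().
import os
import tempfile
import threading
import urllib.error
import urllib.parse
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

BACKUP_SUFFIXES = [".bak", ".old", ".orig", ".save", ".txt", "~"]  # assumed list


def backup_candidates(path):
    # /dir/index.php -> /dir/index.php.bak, /dir/.index.php.swp, ...
    directory, _, name = path.rpartition("/")
    candidates = [path + suffix for suffix in BACKUP_SUFFIXES]
    candidates.append(directory + "/." + name + ".swp")  # editor swap file
    candidates.append(directory + "/#" + name + "#")     # editor autosave
    return candidates


def probe(base_url, paths, timeout=3):
    # Ask for each path with HEAD; anything that is not 404 is worth a look.
    found = {}
    for path in paths:
        url = base_url + urllib.parse.quote(path)  # '#' must not become a fragment
        request = urllib.request.Request(url, method="HEAD")
        try:
            with urllib.request.urlopen(request, timeout=timeout) as response:
                found[path] = response.status
        except urllib.error.HTTPError as err:
            if err.code != 404:
                found[path] = err.code
        except urllib.error.URLError:
            pass
    return found


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):
        pass


def demo():
    # Stand up a local web root with a page and a world-readable backup of it
    # (constructed contents), probe it, and tear it down again.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php include 'config.php'; ?>\n")
        with open(os.path.join(root, "index.php.bak"), "w") as f:
            f.write("<?php $db_password = 'constructed-sample'; ?>\n")
        server = ThreadingHTTPServer(
            ("127.0.0.1", 0), partial(_QuietHandler, directory=root)
        )
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            base = "http://127.0.0.1:%d" % server.server_address[1]
            return probe(base, backup_candidates("/index.php"))
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    print(demo())  # {'/index.php.bak': 200}
```

Against a real target, `probe` takes the base URL and the paths discovered by spidering; the point the slide makes is that a `.bak` copy is served as plain text, not executed as PHP, so the include file's source and any credentials inside it come back in the response body.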
85
Research Gather Information from Web Application Word list generator CeWL http://www.digininja.org/projects/cewl.php Can be helpful for username/password guessing
86
Research CeWL
87
Research Gather Information from Web Application View the web page’s HTML source code Internet Explorer: Page -> View source Firefox: View -> Page Source Read the comments for any interesting information Usernames Passwords “TO DO: add security”
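The view-source review from the slides above, and the look at menu images from the wget slides, as an added example that is not part of the presentation: a small HTML parser that collects comments, image references and links from a saved page and flags comment text that looks like credentials or leftover notes. The sample page and the keyword pattern are constructed for the example.

```python
# Added example, not from the presentation: pull comments, image paths and
# links out of saved HTML and flag comments that look like credentials/notes.
import re
from html.parser import HTMLParser

# Assumed keyword list; tune it to the target.
SUSPECT = re.compile(r"(user(name)?|pass(word|wd)?|pwd|TODO|FIXME|admin|debug)", re.I)


class SourceReviewer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.comments = []
        self.images = []
        self.links = []

    def handle_comment(self, data):
        self.comments.append(" ".join(data.split()))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])
        elif tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])


def review_source(html_text):
    parser = SourceReviewer()
    parser.feed(html_text)
    parser.close()
    return {
        "comments": parser.comments,
        "suspect_comments": [c for c in parser.comments if SUSPECT.search(c)],
        "images": parser.images,
        "links": parser.links,
    }


SAMPLE_PAGE = """<html><body>
<!-- TODO: add security before go-live -->
<!-- test account: username=qa_admin password=Summer2012 -->
<!-- (c) 2012 Example Corp -->
<img src="/img/menu_reports.gif"><img src="/img/menu_admin_users.gif">
<a href="/reports.php">Reports</a>
</body></html>"""  # constructed sample page


if __name__ == "__main__":
    result = review_source(SAMPLE_PAGE)
    for comment in result["suspect_comments"]:
        print("SUSPECT:", comment)
    print(result["images"])  # menu_admin_users.gif hints at an admin area not linked
```

Run over every file of a wget mirror, the image list is what the earlier slide is after: a `menu_admin_users.gif` that is shipped to ordinary users, while no link to the admin page is, tells the tester where to look next.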
88
Find and Exploit Vulnerabilities Automated tool w3af Web Application Attack and Audit Framework http://w3af.sourceforge.net
89
Find and Exploit Vulnerabilities Examples Authentication Authorization
90
Find and Exploit Vulnerabilities Authentication example My home router - wanted to configure WiFi Own WPA-2 hexadecimal password MAC filtering Configured Hydra for router’s login webpage Online password cracker In about 2 hours, it found the password for the admin account http://thc.org/thc-hydra/
91
Find and Exploit Vulnerabilities Hydra
92
Find and Exploit Vulnerabilities Authorization example Automated tool did not find any vulnerabilities Use an interception proxy – Burp Intercepts requests after they leave the browser, before they reach the server Intercepts responses from the server before they reach the browser http://portswigger.net/burp/proxy.html
93
Find and Exploit Vulnerabilities Authorization example
94
Find and Exploit Vulnerabilities Authorization example The application allowed users to view their own salary information After authenticating Changed the assigned user ID in the intercepted request, after it left the browser and before it reached the server Can now view anyone's salary
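The salary lookup above as two request handlers, added here and not taken from the presentation: one that authenticates and then trusts the user ID from the request (the defect found with Burp), and one that takes identity from the session and enforces the authorization rule server-side. Sessions, roles, salaries and the request shape (a dict holding the cookie header and the query parameters) are this example's assumptions.

```python
# Added example, not from the presentation: the salary lookup with a
# client-supplied user ID, beside a version that authorizes server-side.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-hr": "hr_mgr"}  # constructed
ROLES = {"alice": "employee", "bob": "employee", "hr_mgr": "hr"}
SALARIES = {"alice": 85000, "bob": 92000, "hr_mgr": 110000}


class AuthError(Exception):
    pass


def session_user(request):
    # Cookie header like "session=tok-alice; theme=dark"
    for part in request.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value in SESSIONS:
            return SESSIONS[value]
    raise AuthError("not authenticated")


def salary_vulnerable(request):
    # Authenticated, but the object reference comes straight from the client.
    # Changing user_id in the intercepted request reads anyone's salary.
    session_user(request)
    return SALARIES[request["query"]["user_id"]]


def salary_fixed(request):
    user = session_user(request)
    target = request["query"].get("user_id", user)
    # Authorization rule, enforced on the server for every request:
    # employees see only themselves, HR may look up any employee.
    if target != user and ROLES[user] != "hr":
        raise AuthError("forbidden")
    return SALARIES[target]


if __name__ == "__main__":
    tampered = {"cookie": "session=tok-alice", "query": {"user_id": "bob"}}
    print(salary_vulnerable(tampered))  # 92000: bob's salary, from alice's session
    try:
        salary_fixed(tampered)
    except AuthError as err:
        print("fixed handler:", err)  # forbidden
```

The automated scanner missed this because both handlers return a valid page for a valid session; only a tester who changes the ID and knows which salary should have come back can tell the two apart, which is the manual step the slide describes.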
95
Questions? Thank you