How Not to Fail at Penetration Testing - Counter Hack (transcript)
8/26/14
How Not to Fail at Penetration Testing
http://www.sans.org/event/sans-pen-test-hackfest-2014
Or
http://is.gd/hackfest
http://securityweekly.com Copyright 2014
We Have a Problem
• Penetration Testing is on a crash course
• We have some issues we need to resolve quickly
• Luckily, these corrections are easy
• If we move quickly
Knowing you have a problem is a good first step
Scanning Issues
• We are quickly becoming a commodity industry
- But what does that mean?
• Many customers will see little value difference between Pentesting offerings
• Penetration testing will become like toilet paper
- When you need it, you will not care what you get
• Some small corrections are required
Doing it by the book
Looking for Red
• Many testers follow a Nessus > Metasploit path
- This is at least 4 years out-of-date
• Most exploitable issues are actually found in medium, low and informational
• Back to the true definition of hacking
• These tools are our eyes and ears, nothing more
What being addicted
Solution
• Let’s start looking at the other findings
• Let’s start sifting through the low, medium and informational findings
• This is what our customers are paying us to do
• They can run a scanner and focus on the Reds and Purples
• They hire us to do the “harder” stuff
Informational: Directory Listing
PII… Lots of it
Informational: SMTP Server Found
Informational: Web Server Found on Port 8888
Low + Easy Password = Shell
Doing it Right
• Requires time
• Requires knowledge
• Requires patience
• Requires just a bit of OCD
• Requires a cool shirt and a mechanical bull
- Happy Birthday Kevin!
What doing it right might look like
Going Beyond Scanning
• Is there anything beyond scanning?
- “No!!! Everything comes from Nessus, Nmap and Nexpose!!!!”
• Getting to the crux of why good penetration testing takes time
Ever wish this guy was still running a major AV company?
Let's Get On With It
• We created extra slides and videos for each of the AVs we bypassed
• It was not all that hard (More on this later)
• The videos and slides can be found here:
- http://tinyurl.com/SecurityWeekly-AVBypass
• Video Here: http://blip.tv/securityweekly/sacred-cash-cow-tipping-bypassing-av-7016677
Merging Physical and Virtual
Mixing Personal and Business
How Bad Can it Be?
Pretty Bad…
What can you get?
Getting Caught
• Is an absolute must
• At some point we should all strive to be caught in our testing endeavors
- Just not right away
• This is the core of providing value to customers
• Penetration Testing is about proving risk
- It is not about proving you are 1337
• Getting caught is a big step in discovering clipping levels
• You can also circle back and do this after the 31337 stuff is done
Feel Free to Steal this
This too
Giving up
One step forward…
• Turns out some Internet white listing products support regular expressions for white-listed sites
• Which makes sense because regex can be the solution to many problems
• However… positional matches can be very hard to get right when dealing with a URL
- Especially for a domain
• What if malware used the domain as a parameter in a reverse HTTP C2 channel?
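The slide's point is that an allow-list regex which merely contains the customer's domain, unanchored, also matches any URL that carries that domain in a path or query string. The following is an added example, not code from the deck or from any proxy vendor, that puts the weak rule beside two corrected checks and runs all three over constructed sample URLs; `customer.com` stands in for the allowed domain and the URL list is made up for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list entry: the one domain the proxy should let through.
ALLOWED_DOMAIN = "customer.com"

# Weak rule: an unanchored substring regex, the kind of entry that is easy to
# type into a regex-capable allow list. It matches the domain wherever it
# appears in the URL, including inside the path or the query string.
WEAK_RULE = re.compile(r"customer\.com")

# Corrected regex: anchored at the start, tied to the scheme and authority,
# accepting only the domain (or a subdomain) as the host, with an optional
# port, and requiring the authority to end right there.
STRICT_RULE = re.compile(
    r"^https?://([a-z0-9-]+\.)*customer\.com(:\d+)?(/|\?|#|$)", re.IGNORECASE
)


def weak_allow(url: str) -> bool:
    """The unanchored rule as the slide describes it."""
    return WEAK_RULE.search(url) is not None


def strict_regex_allow(url: str) -> bool:
    """Anchored regex: the host position is the only place the domain may appear."""
    return STRICT_RULE.match(url) is not None


def parsed_allow(url: str, allowed: str = ALLOWED_DOMAIN) -> bool:
    """Preferred check: parse the URL, then compare the host on label boundaries.

    Parsing rather than pattern-matching means userinfo ("user@"), ports and
    query strings are handled by the URL grammar, not by the regex author.
    """
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return False
    if not host:
        return False
    host = host.lower().rstrip(".")
    return host == allowed or host.endswith("." + allowed)


# Constructed sample traffic: legitimate requests and requests that only
# mention the allowed domain somewhere other than the host.
SAMPLE_URLS = [
    "https://customer.com/",
    "https://mail.customer.com:443/inbox",
    "http://evil.example/?d=customer.com",          # domain in the query string
    "http://evil.example/customer.com/beacon",      # domain in the path
    "http://customer.com.evil.example/",            # domain as a prefix label
    "http://customer.com@evil.example/",            # domain as userinfo
]


def evaluate(urls=SAMPLE_URLS):
    """Return {url: (weak, strict_regex, parsed)} for each sample URL."""
    return {u: (weak_allow(u), strict_regex_allow(u), parsed_allow(u)) for u in urls}


def weak_only_allows(urls=SAMPLE_URLS):
    """URLs the weak rule lets through that the parsed check rejects.

    In a review of an existing allow list, this is the set worth reporting.
    """
    return [u for u in urls if weak_allow(u) and not parsed_allow(u)]


if __name__ == "__main__":
    print(f"{'url':45} weak  strict parsed")
    for url, (w, s, p) in evaluate().items():
        print(f"{url:45} {str(w):5} {str(s):6} {p}")
    print("\nallowed only by the weak rule:")
    for url in weak_only_allows():
        print("  ", url)
```

The anchored regex and the parsed check agree on every sample; the difference between them is maintainability. A regex that encodes URL structure has to be re-derived for every allow-list entry, whereas `parsed_allow` takes the domain as data and lets `urlsplit` decide where the host ends.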
White List Proxies
Websense?
Yes, Websense… Customer.com
ISR Evilgrade Attacks
http://securitynik.blogspot.com/2014_04_01_archive.html
Other Proxy Firewalls
Moving Forward
• We are the pointy end of the stick, if we get complacent, the rest of the industry follows
- Ops teams, Dev teams and Forensicators? Forensiactors? People who do forensics
- Hi Rob!!
• If penetration testing can be reduced to a checklist or an automated tool… it will be
- This will be bad for all of us in the security community
Penetration Testers Code of Ethics
• I will never copy and paste automated results
• I will never completely trust scan results
• I will strive to get caught (after being awesome)
• I will go beyond the scan results
• I will be a hacker in the original sense of the word
• I will always stay in scope
• My reports will rock