Vulnerability Assessment
and Penetration Testing
Presenters: Bruce Upton, CISSP, CISA, C|EH
[email protected]
Jerry McClurg, CISSP, CISA, C|EH
Agenda and Overview:
Vulnerability Scanning and Identification:
• What is a vulnerability assessment?
• Internal versus external scanning and testing
• How are vulnerability tests different from penetration tests?
• Vulnerability scanning tools and reporting
• Additional considerations:
• Understanding that vulnerability assessments and penetration tests are
only valid for a short period of time
• Continuous monitoring
• Management oversight
What’s the Difference?:
Vulnerability Identification versus Penetration Testing:
• Vulnerability Assessment: Generally, a vulnerability assessment is an
automated scan of network resources resulting in a detailed report of security vulnerabilities.
• Penetration Test: Penetration testing incorporates vulnerability scanning
and identification, but additional effort is applied in an attempt to exploit identified vulnerabilities.
• Vulnerability assessments and penetration tests are both good security
What’s the Difference?:
Vulnerability Identification versus Penetration Testing:
• A vulnerability assessment may identify the following security weaknesses:
• Users have local administrator rights on their Windows 7 computers.
• Users can access most websites on the Internet.
• Users have the authority to run programs from within Internet Explorer.
• A penetration test would identify the security weaknesses, but go quite a bit
further:
• Users have local administrator rights on their Windows 7 computers.
• Users can access most websites on the Internet.
• Users have the authority to run programs from within Internet Explorer.
• A user was convinced to visit a phishing website
• The user ran a “connection test” application
• Symantec Antivirus did not detect the “connection test” application
• Unauthorized remote access was obtained into the network.
Internal versus External:
Generally speaking, there are two types of assessments:
• Internal Assessment: The vulnerability scan or penetration test is
performed from inside the organization. The engineer(s) either
physically visit the organization or gain secure remote access. The test simulates an attack from the inside-out. This overall approach will:
• Identify internal devices (enumeration)
• Identify services and footprint internal devices
• Identify internal security weaknesses in the following, at a minimum, categories:
• Patch management, network segregation, network access controls, data security, intrusion detection systems (IDS) testing, SCADA (if in scope), key management and crypto security (if in scope);
Internal versus External:
Generally speaking, there are two types of assessments:
• External Assessment: The vulnerability scan or penetration test is
performed from outside the organization. The engineer(s) test the
organization's infrastructure using an outside-in approach. This overall approach will:
• Identify external devices (enumeration)
• Identify services and footprint external devices
• Identify external security weaknesses in the following, at a minimum, categories:
• Firewall security, remote access portals, database management system (DBMS) security,
web application security, intrusion detection systems (IDS) and intrusion prevention services (IPS) testing.
Testing Quality:
Testing quality and effectiveness:
• The overall effectiveness of your assessment is generally based on three
main factors:
• The effectiveness and thoroughness of the scanning toolset(s)
• The overall quality and talent of the internal and/or external security firm or
personnel
• Certifications, experience, etc.
• How effectively the security firm and internal departments work together
• Free flow of information between the firm and key departments is central to the success of an assessment
Toolsets:
Vulnerability scanning toolsets:
• The effectiveness and thoroughness of a vulnerability assessment is heavily based on
toolsets. Some effective toolsets include:
• Qualys
• Internal and external vulnerability scanning
• Low false-positive rates
• Pay per IP model
• Rapid7
• Internal and external vulnerability scanning
• Low false-positive rates
• Pay per IP model
• Nessus
• Internal and external vulnerability scanning
• Effective pricing model
• In our experience, Nessus tends to have a higher false-positive rate
• Nexpose
• Internal and external vulnerability scanning
• Community edition available
Toolsets:
Vulnerability scanning toolsets:
• Qualys
• Advantages:
• Low false-positive rates
• Detailed reporting
• Remediation tracking
• Most vulnerabilities identified will have resolution strategies
• Disadvantages
• All scan data is stored in the cloud at Qualys
Toolsets:
Vulnerability scanning toolsets:
• Nexpose
• Enterprise-class with a low false-positive rate, strong reporting and numerous
• Advantages:
• Low false-positive rates
• Detailed reporting
• Many compliance and simulation scan templates
• Most vulnerabilities identified will have resolution strategies
• It’s not a pay-per-IP scanning solution, potentially making it a good fit for internal scanning and testing
• Disadvantages
• Like most vulnerability scanners it generates a lot of network traffic. It could cause network latency or denial-of-service if it’s not configured properly.
• Resource intensive
Tool Availability:
Overall, we're seeing two concerning trends today:
• The availability of hacking tools is unprecedented. Free tools to:
• Exploit websites
• Identify vulnerabilities
• Perform data mining
• Hack wireless networks, etc.
• Tools available to hide your tracks and/or become virtually invisible are at an
all time high. Examples include:
• VPN solutions that don’t keep long-term logs
• ProXPN - pro
• TOR
• Tor is free software and an open network that helps you defend against traffic analysis, a form of
network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security – torproject.org
• The world has learned just how effective TOR is: the Snowden leaks demonstrated the NSA has
Why are we concerned?
The following attack was performed using publicly-available
software and our origin was successfully masked:
• First step, go dark (anonymous) to obscure where your Internet
traffic is originating from. In our case, it looks like we’re coming from Germany:
• An outside-in approach was used, starting with Google
hacking:
• The hacker identifies a target (neither of these websites were
• An escape string is used to look for an SQL-injection vulnerability:
Why are we concerned?
The error message tells us it’s likely vulnerable to an
SQL-injection attack…
• Further testing reveals it is, and the following information is
Why are we concerned?
SQL-injection commands are further used to extract
information:
• Database table names are obtained using an SQL-injection string:
• Count(table_name) of information_schema.tables where
table_schema=0x67656D656469615F7073 is 27
Why are we concerned?
SQL-injection commands are further used to extract
information:
• Table field names are extracted from the “users” table:
• Count(column_name) of information_schema.columns where
table_schema=0x67656D656469615F7073 and table_name=0x7573657273 is 13
Why are we concerned?
SQL-injection commands are further used to extract
information:
• Username and password field data are extracted from the
“users” table:
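The injection path the preceding slides walk through comes down to one coding defect: request input concatenated into SQL text. The following is an added example (not from the presentation) showing that defect beside its parameterized fix against a constructed in-memory SQLite "users" table; the table rows, the probe strings and the audit_parameter helper are all hypothetical.

```python
import sqlite3

# Constructed sample schema standing in for the "users" table the slides
# extract from; the rows are made-up test data, not data from the presentation.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "h1"), ("bob", "h2"), ("o'brien", "h3")])
    return conn

def vulnerable_lookup(conn, username):
    # Deliberately vulnerable: the request parameter is pasted into the SQL
    # text, so a single quote in the input becomes SQL syntax. Returns
    # (rows, error_text).
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    try:
        return [row[0] for row in conn.execute(sql)], None
    except sqlite3.Error as exc:
        # In a real web tier this error text is what leaks into the page and
        # tells the tester the parameter is likely injectable.
        return [], str(exc)

def safe_lookup(conn, username):
    # Hardened form: a bound parameter is always data, never SQL syntax, so the
    # same quote is matched literally (which also makes names like o'brien
    # work correctly instead of erroring).
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))], None

def audit_parameter(lookup, conn, probes=("'", "o'brien")):
    # Defender-side self-check (hypothetical helper): any probe that surfaces a
    # database error means the endpoint concatenates input into SQL and needs
    # the parameterized fix above.
    return [p for p in probes if lookup(conn, p)[1] is not None]
```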
Why are we concerned?
Data extraction:
• Testing revealed the passwords are encrypted
• How are they encrypted?
• How do we find out?
Why are we concerned?
Password decryption:
• There are a number of off-line tools such as Hashcat and
L0phtCrack that can be used to launch brute-force or dictionary attacks.
• A number of websites specialize in dictionary lookups
• Cloudcracker.com
• Crackstation.net
Why are we concerned?
Password decryption:
• We were able to successfully identify how the passwords were
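The dictionary-lookup sites named above work because an unsalted, fast hash maps the same password to the same digest everywhere. This added example (not from the presentation) contrasts that storage with a salted, slow PBKDF2-HMAC-SHA256 scheme that defeats precomputed lookups; the wordlist and the salt$iterations$digest storage format are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed toy wordlist standing in for the lookup sites the slides name;
# real services hold billions of precomputed entries.
WORDLIST = ["password", "letmein", "summer2014", "qwerty"]

def weak_hash(password):
    # Unsalted fast hash: the same password always yields the same digest, so
    # one precomputed table answers lookups for every user on every site.
    return hashlib.md5(password.encode()).hexdigest()

def lookup_weak(digest, wordlist=WORDLIST):
    # The dictionary lookup the slides describe: no brute force, just a table hit.
    table = {weak_hash(word): word for word in wordlist}
    return table.get(digest)

def strong_hash(password, salt=None, iterations=600_000):
    # Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256):
    # the salt makes precomputed tables useless and the iteration count makes
    # every guess expensive. Stored as salt$iterations$digest (hypothetical
    # format chosen for this example).
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"

def verify_strong(password, stored):
    # Recompute with the stored salt and compare in constant time.
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)
```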
Why are we concerned?
Malicious intent:
• We stopped testing at this point, but unfortunately, most
blackhat hackers would not.
• Web anonymity is a great way to encourage Internet privacy.
However, the tools to protect our Internet privacy are being used maliciously by hackers to cover their tracks.
Additional Considerations
Vulnerability and penetration testing frequency:
• Vulnerability assessments and penetration tests are only valid for a
short period of time
• For example, the second Tuesday of every month is known as
“Patch Tuesday”. The following Wednesday is known as “Exploit Wednesday”.
• To address these security gaps-in-time, continuous monitoring
systems can be implemented:
• Bit9 Parity
• Tripwire
• FireMon
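The gap between scheduled assessments is what a Tripwire-style integrity monitor covers. The following is an added example (not from the presentation and not the code of any product named above) of the core baseline-and-compare loop such a monitor performs; the file names and contents in demo() are constructed.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    # Record a SHA-256 digest and size for every file under root, keyed by the
    # path relative to root so a baseline is comparable between runs.
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root)
            baseline[rel] = {"sha256": digest, "size": os.path.getsize(path)}
    return baseline

def compare(baseline, current):
    # Report what appeared, disappeared or changed since the baseline; any
    # non-empty result between scans is a review item for the monitoring team.
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p]["sha256"] != current[p]["sha256"])
    return {"added": added, "removed": removed, "changed": changed}

def demo(root=None):
    # Constructed scenario: take a baseline, then replace a binary and drop a
    # new file, the kind of drift that happens between one scan and the next.
    root = root or tempfile.mkdtemp()
    with open(os.path.join(root, "app.bin"), "wb") as fh:
        fh.write(b"v1")
    with open(os.path.join(root, "conf.ini"), "wb") as fh:
        fh.write(b"k=v")
    base = snapshot(root)
    with open(os.path.join(root, "app.bin"), "wb") as fh:
        fh.write(b"v2")
    with open(os.path.join(root, "dropper.exe"), "wb") as fh:
        fh.write(b"x")
    return compare(base, snapshot(root))
```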
Additional Considerations
Assess and Identify All Ports, Programs, and Services:
• The programs we have discussed should identify all active
ports/services
• What About Software Programs or Inactive Processes?
• Tools that Identify All Installed Software
• Microsoft Assessment and Planning (MAP) Toolkit
• Emco Network Software Scanner
Additional Considerations
Assessment Plan:
• Start from the External View
• View Information from a Hacker Viewpoint
• Domain and DNS Registration
• Gateway Routers, IDS, Firewalls
• Email and DMZ Devices
• Internal Network
• Internal/Rogue User Access
• Vendor/Visitor Access
Additional Considerations
Document and Track Open Issues:
• Easy to Lose Track Without Tracking and Follow-up
Summary and Take-Aways:
• Document and Follow an Assessment Plan
• Maintain Multiple Software Toolsets