Alexander Polyakov, QSA,PA-QSA
CTO, Digital Security (dsec.ru); Head of DSecRG (dsecrg.com); ERPSCAN Architect (erpscan.com); Head of OWASP-EAS
Pentests? Again? Why?
Many companies are doing this
Many companies need this (PCI DSS)
Still many questions
Pentest 101
A penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker. The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, both known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures.
Is It Enough?
Is it ok to show only one way?
Is it ok if your doctor talks only about neck pain?
There is an obvious need to show ALL POSSIBLE WAYS
We have gained unauthorized access to your corporate environment by sending an e-mail with social
Why is It Enough?
Even Doctor House is mistaken
That is why you need to make pentests regularly
That is why you need to think twice before choosing a contractor
Can you guarantee that after you’ve patched ALL vulnerabilities nobody will hack us?
Purpose ???
First Era – before 2000
Objects
– Network, OS
Purpose
– Penetration from the Internet
Methods
– Not formal, state of the art
Teaching
– Blackhat methodologies, “Improving the Security of Your Site by Breaking Into It”, Dan Farmer & Wietse Venema, 1993
First Era
Why?
– To prove that networks are vulnerable (many people do not believe it)
Why now?
– To show the business that there is a need in security (pre-sales)
After 2000 – Era 2 VIVA LA WEB
Objects
– Network, OS, WEB
Purpose
– Penetration from the Internet
– Hacking a WEB-site
Methods
– The first version of OSSTMM, programs like CORE IMPACT
Teaching
– Different books (Hacking Exposed), conference materials
Result of Pentest
– Report with vulnerabilities and their countermeasures
Second Era
Why?
– More complex pentest
Why now?
– To show the business that there is a need in security (pre-sales)
– Part of SDLC for WEB development after secure development and code analysis
…..
Internal pentesting,
Firewall pentesting,
Cloud pentesting,
WEB pentesting,
Database pentesting
SAP pentesting,
WIFI pentesting,
SS7 pentesting,
SCADA pentesting,
GSM pentesting,
Mobile pentesting
……
Objects
– Networks, OS, DBMS, Applications, ERP, Mobile, Wireless, SCADA, Users (social engineering)
Purpose
– Deep assessment of an application or technology
Methods
– OSSTMM, NIST, ISSAF…
– OWASP, WASC, OWASP-EAS…
Teaching
– Certifications: CEH, CREST, CPT, GPEN…
– Training: Blackhat/HITB/Offensive Security…
Result of pentest
– Standardized reports with the list of vulnerabilities, their risks and countermeasures
ALL THAT YOU WANT
Third Era
Why now?
– Network is good and there is a need to assess security more deeply
– Deep segregation inside a company (a clerk with DBA access )
– Part of PDCA for Application/Technology implementation
2010 – HOUSTON, WE'VE GOT A PROBLEM
Do we know more about current threats?
Have we become more secure??
Does the business understand all security risks?
They don’t care about us ))
Business making business
If it doesn’t bring money – we don’t need this
If they don’t understand us it means that we explain it incorrectly
Technical Fail
Business Fail
We’ve found 5 critical vulnerabilities. You can read about them and the countermeasures in the report.
What is this? Just 10 pages? For the money I pay you it must be 10 times more!
Business Fail
We’ve found a vulnerability in DC that can give unauthorized access to the server.
Technical Fail
We’ve found a buffer overflow vulnerability on the 10.0.0.201 server which can be used for code execution, bypassing the ASLR and DEP countermeasures. See the screenshot for the results.
Technical Fail
We’ve found an XSS vulnerability in the payment system and we can gain access to user accounts.
All money transfers are confirmed by SMS. This vulnerability is not so critical.
What’s Next?
Era 4 – Business-oriented pentest
Purpose – show how technical vulnerabilities can be used for business threats
Instead of Integrity, Availability, Confidentiality – Espionage, Sabotage and Fraud
Example 1
We have: Internal user inside a company, with no knowledge
Classic Payment Scheme (diagram: SAP, File server, Bank Net)
All is analyzed using Blackbox
Example 2
We have: Business-critical system for gasoline sales
Purpose: Find technical vulnerabilities and show how
Scheme of Gasoline Station (diagram: Database, Gasoline station, Managing server)
Some help needed – GreyBox
Example 3
We Have: Payment system
Purpose: Find technical vulnerabilities that can be used
Payment System Analysis
Found XSS vulnerability
Binding of the session to IP (cannot just steal the cookies)
Money sending needs SMS confirmation
Function found for issuing an invoice
Find XSS in receipt request information field
User can approve the receipt or not
Using XSS + XSRF we can automatically approve the receipt
Example 4
We have: SAP system inside a company
Purpose: Need to gain access to critical data through
Attacking SAP Users
Sending an e-mail with social engineering link
Link consists of exploits for SAPGUI
Exploit gains access to user workstation
Collects the saplogon.ini info
Connects to the SAP servers using default passwords, passwords in shortcuts and bruteforce
Gains critical data (user password hashes and banking accounts)
Sends it to the server
More on http://erpscan.com
Sapsploit Tool by DSecRG automates all these things
Presentation from HITB Conference –
Fourth Era – Business-oriented Pentest
Objects
– Business-critical systems
Purpose
– Show how technical vulnerabilities can be used for business threats
Methodology
– OSSTMM, NIST, ISSAF + business process analysis
Teaching
– All that we have plus business-process analysis, specific knowledge of the business area
Result of Pentest
– Report that shows real business risks which can cause Fraud, Sabotage and Espionage