Penetration testing – a play in 6 acts
Peter Aufner, David Bidner
Intro
• who are we?
• what do we do?
• what are you going to see today?
• questions? at the end.
Penetration Test – getting started
• why?
• think like an attacker
  • outside the box
  • consider any possibility
  • go the easy way
• knowledge is key
  • know and understand your tools
  • adapt exploits
  • find new vulnerabilities
Penetration Test – types of testing
• black box
  • no prior knowledge
  • external attacker view
• white box
  • full knowledge available
  • more like a security assessment
• grey box
  • path in between
  • differs for most assessments
Penetration Test – scoping
• type of test
  • application / device assessment
  • broad infrastructure
  • red team assessment
• customer deliverables
  • allocated accounts
  • system / IP lists
  • testing hours
• any forbidden actions?
  • social engineering
  • (D-)DoS
Penetration Test - phases
• reconnaissance
• attack
• wrap-up
Penetration Test - reconnaissance
• information gathering
  • open knowledge
  • active & passive gathering
  • customer deliverables
• enumeration
  • IP range scanning
  • port scanning
  • service detection
  • interface enumeration
  • protocol enumeration
Penetration Test - attack
• exploitation
  • known exploit usage
  • OWASP top 10
  • broken by design
• persistence
  • code execution
  • shell access
• movement
  • vertical: escalation of privileges
  • lateral: jumping between hosts
Penetration Test – wrap-up
• reporting
  • summary
  • recommendations
• housekeeping
  • debriefing
  • retesting
• collection of CVEs
  • Common Vulnerabilities and Exposures
• searchable by:
  • vendor
  • product
  • version
  • CVSS score
  • type of vulnerability
Exploit Database
• collection of public exploits
  • verified by Offensive Security staff
• searchable by:
  • CVE
  • software (version)
seclists.org
• keep up to date
  • new vulnerabilities
• collection of mailing lists
  • partner with prominent vendors
  • open source issues
Open Web Application Security Project
• online de-facto standard to look up common security problems
  • grouped by programming language and likelihood
• famous for the “OWASP Top 10”
  • plus best practices to avoid them
• provides teaching and learning examples
  • Juice Shop project
• can be found at: https://www.owasp.org/
  • OWASP cheat sheets
OWASP – Top 10
1. Injection
2. Broken authentication
3. Data exposure
4. XML external entities
5. Broken access control
6. Security misconfiguration
7. Cross-site scripting
8. Insecure deserialization
9. Using components with known vulnerabilities
10. Insufficient logging and monitoring
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project | 2017
Outlook notification (screenshot): received email “Urgent: Re: Receipt for produ…” from office@r..
the story begins …
What is Social Engineering?
• Exploit the human factor
  • Usually based on emotions or stress
  • Something must be done quickly
  • Colleague in need of help
• Often uses tricks to build trust
  • Showing a false sender address in mails
• Programs often show warnings
  • Too technical
  • Overridden by urgency
Social Engineering – the technical perspective
1. Weaponize a document
2. This now includes a macro to prepare a reverse shell
3. Send the document to the victim (E-Mail, watering hole, …)
4. Wait for the reverse shell to open
5. Start exploring
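The defensive counterpart to step 1 and 2 above is to notice the macro before the document reaches a user. The following is an added example, not code from the talk: a mail-gateway style check that opens an Office Open XML attachment as the ZIP package it is and looks for an embedded VBA project. The sample documents are constructed in memory, and the allow/quarantine/block policy is an assumption chosen for the example.

```python
"""Check whether an Office Open XML attachment carries a VBA project.

Added example, not part of the original talk. The two sample documents are
constructed in memory below; a real gateway would read them from the mail stream.
"""
import io
import zipfile

# Part names under which Word, Excel and PowerPoint packages store VBA code.
VBA_PART_NAMES = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def has_vba_project(data: bytes) -> bool:
    """Return True if the OOXML package contains an embedded VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = set(pkg.namelist())
    except zipfile.BadZipFile:
        return False  # not a ZIP-based Office document; other checks handle it
    return any(part in names for part in VBA_PART_NAMES)


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'allow', 'quarantine' or 'block' for an attachment.

    Policy (an assumption made for this example):
      - no VBA project at all                         -> allow
      - macro-enabled extension (.docm/.xlsm/.pptm)
        that really contains VBA                      -> quarantine for review
      - non-macro extension (.docx/.xlsx/.pptx) that
        still contains VBA: extension does not match  -> block
    """
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if not has_vba_project(data):
        return "allow"
    if ext in ("docm", "xlsm", "pptm"):
        return "quarantine"
    return "block"


def _build_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like package (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00placeholder-vba")  # stand-in content
    return buf.getvalue()


CLEAN_DOC = _build_docx(with_macro=False)
MACRO_DOC = _build_docx(with_macro=True)

if __name__ == "__main__":
    for name, data in (("receipt.docx", CLEAN_DOC), ("receipt.docx", MACRO_DOC),
                       ("receipt.docm", MACRO_DOC)):
        print(name, has_vba_project(data), classify_attachment(name, data))
```

The presence check only says that VBA is there, not what it does; the point of the example is that the decision can be made on structure alone, before anyone opens the file, and that an extension claiming “no macros” while the package contains a VBA project is itself a reason to stop the mail.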
the story continues …
What is pivoting?
• Exploration after an initial foothold is established
  • 2nd stage enumeration
• The outside defenses are breached already!
  • Inside, the trust may be higher
  • … thus the defenses lighter
• Abuse of trust in the victim machine
  • Can go unnoticed for a long time
  • If done carefully
• Gain persistence
Pivoting – the technical perspective
• Access to a machine inside the network has been established
• Do port scans
• Enumerate configurations
• ‘Draw a map of the network’
• Gain access to interesting targets
  • Servers
  • Devices of high-ranking personnel
• Watch what is happening inside
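The port scans and network mapping described above are noisy from the inside if anyone is looking at internal firewall or flow logs. As an added example (not from the talk), the following detection logic parses constructed firewall log lines and flags a workstation that touches many distinct ports on one host (vertical scan) or one port on many hosts (horizontal sweep) within a short window. The log format, the thresholds and the addresses are all assumptions made for the example.

```python
"""Flag internal scanning/sweeping behaviour in firewall logs.

Added example, not part of the original talk. Log format, thresholds and the
sample addresses below are assumptions; the log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed log line shape: "<iso-timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.fromisoformat(d["ts"]), "src": d["src"], "dst": d["dst"],
            "dport": int(d["dport"]), "action": d["action"]}


def find_scanners(lines, window=timedelta(minutes=5), min_ports=15, min_hosts=10):
    """Return {src_ip: reason} for sources that hit >= min_ports distinct ports or
    >= min_hosts distinct hosts inside any sliding window of length `window`.
    Both allowed and denied connections count: a scan is a pattern, not a verdict."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1                      # slide the window forward
            current = evs[start:end + 1]
            ports = {e["dport"] for e in current}
            hosts = {e["dst"] for e in current}
            if len(ports) >= min_ports:
                alerts[src] = f"{len(ports)} distinct ports on {len(hosts)} host(s) within {window}"
                break                           # alert once at the threshold
            if len(hosts) >= min_hosts:
                alerts[src] = f"{len(hosts)} distinct hosts on port(s) {sorted(ports)} within {window}"
                break
    return alerts


def _constructed_log():
    """Build sample log lines: one vertical scan, one SMB sweep, some benign traffic."""
    base = datetime(2019, 5, 20, 10, 0, 0)
    lines, t = [], 0

    def stamp():
        return (base + timedelta(seconds=t)).isoformat()

    for port in range(20, 41):                  # 21 ports on a single server
        lines.append(f"{stamp()} src=10.0.5.23 dst=10.0.1.10 dport={port} action=deny")
        t += 1
    for host in range(1, 13):                   # port 445 on 12 different hosts
        lines.append(f"{stamp()} src=10.0.5.99 dst=10.0.1.{host} dport=445 action=deny")
        t += 1
    for port in (80, 443, 53):                  # ordinary workstation traffic
        lines.append(f"{stamp()} src=10.0.5.7 dst=10.0.1.20 dport={port} action=allow")
        t += 1
    lines.append("this line is not in the expected format")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for src, reason in find_scanners(SAMPLE_LOG).items():
        print(f"ALERT {src}: {reason}")
```

Legitimate vulnerability scanners, monitoring hosts and backup servers produce the same pattern, so in practice the source list is baselined and those hosts are excluded; everything else that starts mapping the network after an initial foothold stands out precisely because the inside is normally quiet.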
the story continues …
What is an Injection attack?
• Putting instructions into an unexpected location
  • SQL Injection – modifying queries being sent to the database in the background
  • Command Injection – appending additional commands to legitimate ones
• May allow quick access to
  • large amounts of data
  • a command line interface
Injection attacks – the technical perspective
• Sillaj had a known vulnerability
  • Particularly easy to find
• SQL is a language that supports boolean expressions
  • We made an ‘always true’ statement
  • -> got access to the application
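To make the ‘always true’ statement concrete from the developer's side, here is an added example (not the Sillaj code and not from the talk): a login check written the vulnerable way, with the user's input concatenated into the SQL text, next to the same check written with bound parameters. It uses Python's built-in sqlite3 module with a constructed in-memory table; the plaintext password column is only there to keep the demonstration short, real applications store hashes.

```python
"""SQL injection: string concatenation versus parameterised query.

Added example, not part of the original talk. The users table is constructed
in memory; passwords are stored in plaintext here only to keep the demo short.
"""
import sqlite3


def make_db():
    """Create a constructed sample database with a single user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_vulnerable(conn, username, password):
    """Anti-pattern: user input becomes part of the SQL grammar."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Placeholders: the driver binds the values as data, so quotes and OR
    inside the input stay literal characters of the password being compared."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Constructed input: closes the string literal and appends a tautology, so the
# WHERE clause in the vulnerable version reads
#   username = 'alice' AND password = 'x' OR '1'='1'
# and AND binds tighter than OR, which makes the whole condition true.
ALWAYS_TRUE = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", login_vulnerable(conn, "alice", ALWAYS_TRUE))  # True: bypass
    print("safe:      ", login_safe(conn, "alice", ALWAYS_TRUE))        # False: wrong password
```

The same input reaching the parameterised version is simply a wrong password. A useful side effect for detection: concatenated queries tend to throw syntax errors on malformed input long before a working tautology is found, so database error spikes in the application log are worth an alert.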
the story continues …
What are insecure file uploads?
• Upload of any file to a location on the webserver
  • No check whether the filetype is plausible
• File can be accessed directly
  • Script execution in upload directories
Insecure file uploads – the technical perspective
• Upload function available
  • Attacker uploaded a ‘shell’
  • Comfortable interface to navigate the server
• Attacker found that the files are stored in a subdirectory
  • Name remains unchanged
  • Scripts are executed in the upload directory
• Attacker can access all of the server with the permissions of the webapp
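Each of the three findings above (no plausibility check, unchanged name, execution in the upload directory) maps to one control. The following added example (not the Sillaj upload code and not from the talk) shows an upload handler that applies them: an allow-list of extensions, a check that the file's leading bytes match what the extension claims, a random server-side name, and storage in a directory that is meant to sit outside the web root. The allowed types, size limit and sample file contents are assumptions made for the example.

```python
"""Hardened file upload: allow-list, content check, random name, storage outside the web root.

Added example, not part of the original talk. Allowed types, size limit and the
sample PNG bytes are assumptions; the sample data is constructed.
"""
import os
import secrets
import tempfile

# Allowed extensions and the leading bytes ("magic") a file of that type must start with.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024


def validate_upload(filename, data):
    """Return (True, extension) for an acceptable file, else (False, reason)."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    # Ignore any client-supplied directory part (both separators), keep only the name.
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()      # double extensions: only the last one counts
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    return True, ext


def store_upload(storage_dir, filename, data):
    """Validate and write the file under a random name; return the stored name."""
    ok, info = validate_upload(filename, data)
    if not ok:
        raise ValueError(info)
    new_name = f"{secrets.token_hex(16)}.{info}"   # original name is never reused
    with open(os.path.join(storage_dir, new_name), "wb") as f:
        f.write(data)
    return new_name


# Constructed sample: a PNG signature followed by filler bytes (not a real image).
PNG_SAMPLE = ALLOWED["png"] + b"\x00" * 16
# Constructed sample: what a script upload would look like to the validator.
SCRIPT_SAMPLE = b"<?php echo 'hello'; ?>"


def demo_store():
    """Store the sample PNG in a fresh temporary directory (stands in for a
    location outside the web root) and report the generated name."""
    storage = tempfile.mkdtemp(prefix="uploads-")
    name = store_upload(storage, "photo.png", PNG_SAMPLE)
    return name, os.path.isfile(os.path.join(storage, name))


if __name__ == "__main__":
    for fname, blob in (("photo.png", PNG_SAMPLE), ("shell.php", SCRIPT_SAMPLE),
                        ("shell.php.png", SCRIPT_SAMPLE)):
        print(fname, validate_upload(fname, blob))
    print(demo_store())
```

The magic-byte check is not a complete content check (a file can be a valid image and still contain script text), which is why the other two controls matter as much: files are served back through a handler with a fixed content type rather than fetched by path, and the web server is configured not to execute anything in the storage directory.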
the story continues …
MyBB – overview
• free and open-source forum software (LGPL)
• written in PHP
• regularly updated
• one of the best-known forum software solutions
What is cross-site scripting (XSS)?
• Inject script code to be run on other clients
  • attacks the client, not the server
• could be used in various attacks
  • fetch cookies
  • automated site requests
  • phishing
• most of the time a step in an exploit chain
Cross-site scripting – the technical perspective
• weakness in the application's embedded video rendering
• web server security configuration
  • cross-site requests not forbidden
• Attacker tricked the admin into confirming the credentials
• Attacker escalates privileges via XSS
… the story ends.
Is it really that easy? – sometimes, but ...
• Windows AV disabled
  • improve exploits
• Sillaj upload self-written
  • look further, maybe find another vuln
• Attacker in the same subnet
  • tunnelling
• lots of fast forwarding
  • coding, testing, etc.
Summary
• Social Engineering
  • education
• Pivoting
  • monitoring
• legacy software
  • replace
• XSS
  • keep on track with updates!
• File uploads
  • secure coding
…forget something?
IoT Cam
• What about the cam we found before?
IoT Cam – Security problems
• IoT devices should never be in the same network as other systems
• Open RTSP server allows anyone to sneak a peek into the physical environment
• Lack of patches could allow for
  • Easy persistence
  • Abuse as part of a DDoS attack
Outro
• Peter Aufner
  • SGS Digital Trust Services
  • Technical Lead Penetration Testing
  • MSc. in Computer Science and Business Informatics
  • member of LosFuzzys, local CTF team
• David Bidner
  • BearingPoint Technology GmbH
  • Advanced Threat Inspection
  • finished Master in Secure & Automotive Systems in 2018
  • member of LosFuzzys, local CTF team
References
• https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
• https://cheatsheetseries.owasp.org
• https://blog.ripstech.com/2019/mybb-stored-xss-to-rce/
Image and art sources:
• Social engineering: https://www.kratikal.com/blog/reason-behind-rise-impersonation-attacks/
• pivoting: https://www.forescout.com/platform/see/
• injection: https://www.needpix.com/photo/88580/syringe-injection-health-medical-hospital-blood-transfusion-free-vector-graphics
• file upload: https://www.needpix.com/photo/18841/upload-uploading-documents-files-remove-share-folder-green-data
• code execution: https://www.needpix.com/photo/721905/settings-gear-options-free-vector-graphics
• win: https://pxhere.com/en/photo/1588203
• cam: https://securelist.com/iot-lottery/83300/
• expectations: https://buffaloculturenow.com/expectations-failure-agreements/