Tech Segment: Pen Testing: The Unanswered Questions
I'd like to take some time and cover a bit about the philosophy surrounding penetration testing and vulnerability assessments, and answer a few questions we've received in the past about pen testing.
Why Have a Penetration Test?
- Understand threats for better defense
- Determine risk to make informed IT decisions
- Test incident handling procedures, intrusion detection systems, and other security
- TSA is a good example
Phases Of a Pen Test
- Finding your targets, and the "right" targets is very important. If I am external, I like to go slow and low. This means if there is only one IP address, take a week. Attackers have all the time in the world, you should at least have a week to slip past any IDS/IPS.
- Nmap is your friend! Adjust the timings accordingly; refer to last week's episode for timing tips when scanning internal networks
- I have found some interesting ways to find targets:
  - Probe for the SNMP sysDescr MIB object using the community string public
  - Compromise a Linux host and look in ~/.ssh/known_hosts
  - Compromise a Windows host and look in the RDP connection history
  - nbtscan is a great tool for Windows enumeration
  - Cain & Abel has a great ARP scanner
  - host -l <domain> (a DNS zone transfer) sometimes works! Try it on the internal DNS servers too
Port Scanning & Service Identification
- Nmap works great for this: nmap -T4 -n -sV -oA myscans -iL <file with ARP scanning results>
- Nessus does a great job too; always export the results to NBE format and grep away
- The mDNS.py program from GNUCITIZEN works well for Bonjour service identification; this is good because you can enumerate all devices in one shot via multicast
- Most of us know how to execute an exploit, so I will leave that topic alone
- Once you compromise a Windows system, grab the SAM database and crack the LM hashes. Sounds lame and very 1990s, but I am surprised at how effective this method still is today
- Dump stored passwords from all other applications
- Poke around on the file system, and be smart. Here's a tip: look for files or folders named "backup"
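The -oA option in the Nmap command above also writes a "grepable" .gnmap file, which is the one you would grep in the same spirit as the NBE export. As an added example (not from the show notes or any tool mentioned in them), here is a small parser that turns that file into a per-host service inventory and flags the services the notes single out for enumeration (SNMP, NetBIOS/SMB, RDP), so a defender reviewing a scan of their own network can confirm each one is intended. The scan lines embedded below are constructed, not from a real scan; host addresses and version strings are made up.

```python
"""Parse Nmap grepable output (.gnmap, as written by -oA) into a service inventory.

Added example, not part of the original show notes. The sample scan output
below is constructed; the hosts, ports and versions are invented.
"""
from collections import defaultdict

# Constructed sample of what "nmap -T4 -n -sV -oA myscans ..." leaves in myscans.gnmap.
# Each port entry has the form port/state/proto/owner/service/rpc/version/
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -T4 -n -sV -oA myscans -iL targets.txt
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.7/, 80/open/tcp//http//Apache httpd 2.2.3/, 161/open|filtered/udp//snmp///\tIgnored State: closed (997)
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 139/open/tcp//netbios-ssn//, 445/open/tcp//microsoft-ds//Microsoft Windows XP microsoft-ds/, 3389/open/tcp//ms-term-serv//\tIgnored State: closed (997)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# Services the show notes name as enumeration or foothold points; a defender
# should verify each exposure is intended (constructed list for this example).
REVIEW_SERVICES = {
    "snmp": "SNMP exposed: verify community strings are not 'public'",
    "netbios-ssn": "NetBIOS exposed: nbtscan-style enumeration possible",
    "microsoft-ds": "SMB exposed: check for weak accounts and LM hashes",
    "ms-term-serv": "RDP exposed: confirm it is meant to be reachable",
}


def parse_gnmap(text):
    """Return {host: [entry, ...]} for every port whose state contains 'open'."""
    inventory = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # skip comments and blank lines
        fields = line.split("\t")
        host = fields[0].split()[1]  # "Host: 10.0.0.5 ()" -> "10.0.0.5"
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue  # "Status: Up" lines carry no port data
            for item in field[len("Ports: "):].split(", "):
                parts = item.split("/")
                if len(parts) < 7:
                    continue  # malformed entry; ignore rather than crash
                state = parts[1]
                if "open" not in state:
                    continue
                inventory[host].append({
                    "port": int(parts[0]),
                    "state": state,
                    "proto": parts[2],
                    "service": parts[4],
                    # the version is the tail; strip the trailing slash terminator
                    "version": "/".join(parts[6:]).rstrip("/"),
                })
    return dict(inventory)


def review_findings(inventory):
    """Return [(host, port, note)] for services a defender should double-check."""
    findings = []
    for host, entries in sorted(inventory.items()):
        for entry in entries:
            note = REVIEW_SERVICES.get(entry["service"])
            if note:
                findings.append((host, entry["port"], note))
    return findings


if __name__ == "__main__":
    inv = parse_gnmap(SAMPLE_GNMAP)
    for host, entries in sorted(inv.items()):
        for e in entries:
            print(f"{host}:{e['port']}/{e['proto']} {e['service']} {e['version']}".rstrip())
    for host, port, note in review_findings(inv):
        print(f"REVIEW {host}:{port} - {note}")
```

Run it against a real myscans.gnmap by replacing SAMPLE_GNMAP with the file's contents; the review list is a starting point for the conversation with the system owners, not a finding in itself.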
Stories of Interest
Compromising Disk Encryption through Cold Boot Key Recovery [securethoughts] - Researchers at Princeton University have found that many disk-encryption mechanisms, such as BitLocker, TrueCrypt and FileVault, can be compromised by recovering the encryption key which remains latent in memory, even after the computer is cold-booted.
Critical VMware Security Alert for Windows-Hosted VMware Workstation, VMware Player, and VMware ACE [byte_bucket] - "On Windows hosts, if you have configured a VMware host-to-guest shared folder, it is possible for a program running in the guest to gain access to the host's complete file system and create or modify executable files in sensitive locations."