Tech Segment: Pen Testing: The Unanswered Questions
I'd like to take some time and cover a bit about the philosophy surrounding penetration testing and vulnerability assessments, and answer a few questions we've received in the past about pen testing.
Why Have a Penetration Test?
- Understand threats for better defense
- Determine risk to make informed IT decisions
- Test incident handling procedures, intrusion detection systems, and other security
- TSA is a good example
Phases Of a Pen Test
- Finding your targets, and the "right" targets is very important. If I am external, I like to go slow and low. This means if there is only one IP address, take a week. Attackers have all the time in the world, you should at least have a week to slip past any IDS/IPS.
- Nmap is your friend! Adjust the timings accordingly, refer to last week for some times on scanning internal networks
- I have found some interesting ways to find targets:
- Probe for SNMP Sys.Descr mib using community string public
- Compromise a Linux host and look in ~/.ssh/known_hosts
- Compromise a Windows host and look in the RDP history
- ntbscan is a great tool for Windows enumeration
- Cain & Abel has a great ARP scanner
- host -l <domain> sometimes works! Try it on the internal DNS servers too
Port Scanning & Service Identification
- Nmap works great for this (nmap -T4 -n -sV -oA myscans -iL <file with arp scanning results>)
- Nessus does a great job too, always export the results to NBE format and grep away
- The mDNS.py program from GNUCITIZEN works excellent for Bonjour service identification, this is good because you can enumerate all devices in one shot with multicast
- Most of us know how to execute an exploit, so I will leave that topic alone
- Once you compromise a Windows system, grab the SAM database and crack the LM hashes. Sounds lame and real 1990's, but I am surprised as to how effective this method is even today
- Dump stored passwords from all other applications
- Poke around on the file system, be smart, here's a tip, look for files or folders named "backup"
Stories of Interest
Compromising Disk Encryption through Cold Boot Key Recovery [securethoughts] - Researchers at Princeton University have found that many disk-encryption mechanisms, such as BitLocker, TrueCrypt and FileVault, can be compromised by recovering the encryption key which remains latent in memory, even after the computer is cold-booted.
Critical VMware Security Alert for Windows-Hosted VMware Workstation, VMware Player, and VMware ACE [byte_bucket] - ""On Windows hosts, if you have configured a VMware host-to-guest shared folder, it is possible for a program running in the guest to gain access to the host's complete file system and create or modify executable files in sensitive locations.""
YouTube Hijacked by Pakistan - [securethoughts] YouTube was unintentially(?) hijacked by the primary Pakistani ISP, after the government decided that the site contained blasphemous content. Apparently the ISP managed to keep YouTube offline for several hours after hijacking their IP ranges using BGP. By default internet routers use the most specific rulesets when directing traffic, and the Pakistani ISP's routes were more specific. This undoubtedly caused a major DoS of Pakistan, and their upstream provider decided to remove them from the internet until the issue is resolved. As the writer of the ZDNet article says to the Pakistani government: "Do not anger the Internet gods or you will suffer their wrath!"