EXTRA 04/2011 (04)
The area of physical security is not the most popular among pentesters. It is difficult to find an expert in this field, but many people have an interest in learning about it. For those people we have prepared the November issue of PenTest Extra, which is devoted to physical and network security. So „Let’s Get Physical”, as Kent Blackwell writes, is a topic that is closer to home than you might think. The basic tenets of physical security are very similar to those of network security. In both categories there are assets that need protection, foreign intruders attempting to get those assets, and protection mechanisms to keep the assets safe. And according to Jon Derrenbacker, physical security is no longer a boring subject for pentesters. From „Guaranteed Access” you can learn that there is one guaranteed way to gain access to any network, and it is a physical layer exploit. More can be found on pages 6 and 12.
We are happy to provide you with the next article from Core Security. This time specialist Alex Horan shows you how to conduct a web application penetration test. He explains the process from start to finish and introduces the theory with some useful figures. It is well written, well structured and full of information that is both relevant and insightful. Go to page 18 and read „The Process Explained from Start to Finish”.
As I mentioned, physical security is related to network security, and we have something on that subject too. Jump to page 24 to find „Anatomy of Attack Detection, Without Data!” by Rishi Narang. You can learn that most organizations do not understand or implement security properly, especially those with IDS/IPS deployments. The article just might make some organizations change their way of thinking.
The next one will certainly interest you. Theofanis Kontos points out that only after bombings and terrorist attacks did people really draw attention to securing sensitive locations and assets. We have started to become more secure using one of the most popular devices, the ever popular surveillance camera. If you want to know how this intelligent video works, please find „Intelligent Video Surveillance” on page 30.
Interviews have become a tradition in PenTest Extra. In this issue we have the pleasure of finding out more about Patrick Bedwell. He has more than 14 years of experience in the network security and network management industries and is the Vice President of Product Marketing at Fortinet, which he describes during this interview. We invite you to read about him on page 46.
In the end we would like to recommend three books for your library collection. In recent months there have been many new books in the field of IT Security, but we have noted three titles: „Web Application Security: A Beginner’s Guide”, „Security Metrics: A Beginner’s Guide” and „Securing the Clicks”. In each of these books you will find something useful and practical. You can read the reviews on page 42 to find out more.
We hope you will find this issue of PenTest Extra interesting and useful. Thank you all for your great support and invaluable help. Enjoy reading!
Krzysztof Marczyk
PenTest Team
TEAM
Editor: Krzysztof Marczyk firstname.lastname@example.org
Associate Editor: Aby Rao
Betatesters / Proofreaders: Dennis Distler, Michael Munt, Rishi Narang, Jonathan Ringler, Johan Snyman, Jeff Weaver, Edward Werzyn
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic email@example.com
Art Director: Ireneusz Pogroszewski firstname.lastname@example.org
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca email@example.com
Marketing Director: Ewa Dudzic firstname.lastname@example.org
Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.pentestmag.com
Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.
To create graphs and diagrams we used program by
Mathematical formulas created by Design Science MathType™
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
Guaranteed Access
by Jon Derrenbacker
Everyone has different ideas of what physical security is, what it encompasses, and how to exploit it. It can include a wide range of exploits, many being surprisingly simple. Regardless of method, going after physical security in a PenTest often proves one of the easiest ways to gain access to a network. Sometimes physical exploits are almost looked on as cheating, simply because some of them are so simple, so obvious, and yet completely unprotected.
Let’s Get Physical
by Kent Blackwell
Your boss calls you into his office to inform you a penetration test has been requested by one of your clients. Unlike the bi-annual vulnerability sweeps Company Inc. has previously requested, they have also asked for a physical security assessment as well. You’ve never performed this kind of test before, and by the time you’ve made it back to your desk your imagination is already running wild with scenarios that wouldn’t look out of place in a Mission Impossible movie.
WEB APPLICATION PENTESTING
The Process Explained from Start to Finish by Alex Horan
If a security tester, for example, has only a couple of days to test and report on the security posture of a web application, the tester needs to ensure that manual efforts are only devoted to areas of the web application that deserve manual attention. It would be highly inefficient for the tester to spend a third of his or her time simply crawling the application and recording all of the unique URLs associated with the application.
Anatomy of Attack Detection, Without Data! by Rishi Narang
There has been a constant evolution in the threat landscape and attack vectors. New attacks, malware and malicious packets traverse our networks every now and then. The industry has deployed measures on the perimeter, on the host and virtually anywhere in between. We have IPS, AV, firewalls and other protection and detection tools, but most of them look for patterns or, as the standards say, do DPI (Deep Packet Inspection). But the bottleneck hits when this malware starts morphing: a slight change in the code forces the signature writers to add an exorbitant amount of code to the product. The overhead on signature writers and pattern matchers is increasing exponentially.
SECURING SENSITIVE LOCATIONS
Intelligent Video Surveillance by Theofanis Kontos
Intelligent video comprises any solution where the video surveillance system automatically performs an analysis of the captured image. Hence, the central idea behind it is that observation and alarm detection do not burden the human personnel any more, but are assigned to computers.
Interview with Patrick Bedwell by Arao
Patrick Bedwell has more than 14 years experience in the network security and network management industries. He is the vice president of product marketing at Fortinet and is responsible for executing the marketing strategy for Fortinet’s network security products. Prior to joining Fortinet, Patrick held product marketing and product management leadership positions at Arcot Systems, McAfee, SecurityFocus, Network ICE and Network General. Patrick earned an MBA with honors from Santa Clara University and a BA degree in English from the University of California, Berkeley.
Now What am I forgetting by Justin Rogosky
The article below details the exploits of a diamond thief who didn’t use a weapon or threat of violence, he came in everyday as a client and became a trusted individual. Normally, engagements don’t allow you to build up the kind of relationship required for this level of access, but being friendly can get you a lot farther than most people realize.
IT Security Books
In recent months a lot of new books in the field of IT Security have appeared on the market. We want to introduce three of them to you. „Web Application Security” and „Security Metrics” are part of the „Hacking Exposed” series, which has a good reputation and recognition. The last one, „Securing the Clicks”, provides knowledge of network security.
Guaranteed Access
Everyone has different ideas of what physical security is, what it encompasses, and how to exploit it. It can include a wide range of exploits, many being surprisingly simple. Regardless of method, going after physical security in a PenTest often proves one of the easiest ways to gain access to a network. Sometimes physical exploits are almost looked on as cheating, simply because some of them are so simple, so obvious, and yet completely unprotected.
With the advent of Svartkasts and PwnPlugs, physical security is no longer a boring subject for pentesters. To pentesters these devices are some of the most exciting exploits at any level. To businesses they’re a nightmare. The criticality of physical security can’t be overstated, with high value targets such as the nuclear power plants in Iran and the U.S. Government’s secret SIPR networks being victims of physical layer compromise. If there’s one guaranteed way to gain access to any network, it’s with a physical layer exploit.
Figure 1. Traffic Lights guarantee security on roads
Let’s Get Physical
Your boss calls you into his office to inform you a penetration test has been requested by one of your clients. Unlike the bi-annual vulnerability sweeps Company Inc. has previously requested, they have also asked for a physical security assessment as well. You’ve never performed this kind of test before, and by the time you’ve made it back to your desk your imagination is already running wild with scenarios that wouldn’t look out of place in a Mission Impossible movie.
The reality, unfortunately, couldn’t be farther from the truth. While there may be some scenarios that require dangling from a harness over a pressure sensitive floor, chances are it won’t ever be you. So what can we expect when conducting such an assessment? The basic tenets of physical security are very similar to those of network security. In both categories there are assets that need protection, foreign actors trying to get those assets (or manipulate them in some way), and protection mechanisms to keep said assets safe. The testing methodologies are nearly identical as well. This should not be surprising if you think about it. The basics of planning, recon, execution and reporting are all applicable to a physical security test. In practice, however, they diverge significantly. A firewall will never get suspicious if it sees a packet wearing a slightly off-color visitor’s badge; a security guard will. While there are some technical skills involved (lock picking, forged IDs, etc.), your ability to succeed in a physical assessment will ultimately hinge on your ability to socially engineer your way around (read: lying your ass off). Don’t misunderstand though, a lie isn’t simply telling someone else a mistruth. You can lie with your body language by confidently walking past the guard with a fake badge. You can lie with your actions by carrying a huge, empty box to get someone to hold a door open. You can even lie with your appearance after observing how employees dress, wear their badges, and their general demeanor.
This is not intended to be a comprehensive guide to physical security. I intend only to give a brief overview of what you can expect when conducting a physical security assessment. This covers planning, reconnaissance, gaining access and what to do once you’re in. We will be skipping over the legalese of working out contracts with a target company. Keep in mind, however, that tests can and will go wrong. It is extremely important to make sure you keep multiple copies of the tester agreement on your person at all times and to have a 24/7 contact number for the head of the organization’s security team. Nothing is worse than facing down an armed guard with no idea who to contact inside the organization. The article is written from the point of view of a black-box tester, i.e. the tester has no prior knowledge. This writer accepts no responsibility for any actions you may take as a result of reading this article.
Reconnaissance for a physical test is as important as it gets, and for obvious reasons. To get inside a building you are going to need to know a great deal of information. What kind of front-desk security do they employ? What kind of badging system do they use? What kind of locks are in use? All of these questions (and many more) need to be thoroughly answered before attempting your test. The first steps you can take are very reminiscent of a network test: passive recon. The Internet has a wealth of information on companies, especially publicly traded ones. Everything from
employees from the parking lot. The next five minutes are going to be the most critical of the entire test. You must remain calm and alert; remind yourself you are just another employee heading in for a day of work. If you can convince yourself of this, it will be much easier to convince others of this fact. As you approach the door you will be tailgating through, consider faking a phone call. Alternatively, you can arrange to have a team member call you at a previously selected time. To add another layer, appear angry or annoyed at the person on the other end of the line. This further increases the chances that no one will bother you. Human beings (or at least most of them) naturally want to believe the best about someone they don’t know. Most people hate confrontation and will actively avoid situations where they might have to deal with it. In all of the physical security assessments I have performed, this has never failed to work. The worst that happens is someone gives you a suspicious look. Merely hold up your badge for a moment, then breeze through. This may all sound far too easy, but ask yourself seriously: how likely would you be to stop someone you didn’t know, closely inspect their badge, and ask them what their business at this location was? Especially if they appear agitated and on a seemingly important phone call? Here’s a hint: you won’t, and almost no one else will either.
So you’ve made it past security. The hard shell has been broken and you have unfettered access to the gooey inside. Now what? Technically, you’ve succeeded. Security has been bypassed and you are inside. What you do next depends on the contract you’ve worked out with the target. You might simply walk into the security manager’s office to say hello (this gets good reactions, most of the time). If your mandate is to prove risk, this won’t be good enough. You will need to show in some way that you were able to exfiltrate sensitive company information. Once you are inside, the clock is ticking.
Every encounter with another employee is
Figure 3. PoGo plugs make great backdoors
Sense of Security
Compliance, Protection and
At Sense of Security, Information Security and Risk Management is our only business. Our consultants are experts in their fields; our specialists are always ahead of the curve. By engaging Sense of Security, our clients ensure they are protected, their information is safe from threats from both within and outside the organisation, they meet their regulatory requirements and their employees, partners and suppliers can conduct business in complete confidence.
EXTRA WEB APPLICATION PENTESTING
The Process Explained from Start to Finish
Organizations are increasingly looking to “webify” services and applications they provide to both employees and customers. Given the threat landscape, the need to test web applications to ensure that these services and applications are truly secure has never been greater. It is common for the ratio of web application developers to professional security testers to be more than 100:1 in medium to large organizations.
While teams of web application developers create applications faster than ever before, it’s unrealistic to think that far fewer security testers can just as quickly test the security of these applications as they are created.
Automation and Scope: Key Elements for a Successful Test
To keep pace, it’s critical that security testers maximize available time to test web applications. They can do this with automation and scope. Automation in this case refers to the use of automated tools and solutions to help decrease the amount of time spent looking for security issues – especially those that can be found using automated processes. If a security tester, for example, has only a couple of days to test and report on the security posture of a web application, the tester needs to ensure that manual efforts are only devoted to areas of the web application that deserve manual attention. It would be highly inefficient for the tester to spend a third of his or her time simply crawling the application and recording all of the unique URLs associated with the application. Scope, on the other hand, determines the boundaries of web application security posture testing. This can be as simple as defining what URLs are in scope for testing or as detailed as the type of testing that can take place – e.g. no DoS tests, no credentials supplied but bruteforcing of credentials is acceptable, etc. When measuring the security posture of web applications, testers should determine if DNS poisoning is an acceptable part of the test. If an attacker can
Figure 1. The Ciso Diaries
Anatomy of attack detection, without data!
There has been a constant evolution in the threat landscape and attack vectors. New attacks, malware and malicious packets traverse our networks every now and then. The industry has deployed measures on the perimeter, on the host and virtually anywhere in between.
We have IPS, AV, firewalls and other protection and detection tools, but most of them look for patterns or, as the standards say, do DPI (Deep Packet Inspection). But the bottleneck hits when this malware starts morphing: a slight change in the code forces the signature writers to add an exorbitant amount of code to the product. The overhead on signature writers and pattern matchers is increasing exponentially. To break this overload, a trend of heuristic signatures made the headlines. These signatures were based on approximation and the intuitive thinking of security professionals, in an attempt to sync with the minds of the malware authors. In technical terms, these patterns included probability factors as well as the expected variance in the malicious code. The result, as we all know, was better protection, but it often led to a benign file being flagged as malicious. Professionals as well as enterprises have always been skeptical about relying on heuristic signatures, as manual verification in peak business hours can delay deadlines or even lead to a customer walking away. Good gains require high risks; some accepted it, but many rejected it. Still, this model remains on company radars and has been an optional part of every security suite ever since. But not many thought about the network part of every attack, whether that is a malware, a malicious
program, or a vulnerability being exploited. Everything traverses a network of interconnected machines and hardware channels. There are NIDS/NIPS and firewalls, but unfortunately they are still on the track of their original idea. And if we tickle them, the only argument that boils down is the cryptographic communication channel, where most of the preventive security vendors kneel down. They can’t feasibly detect patterns in an encrypted stream, nor can they play with heuristic signatures on a platform they can’t understand. But what if the focus shifts to the way this malware communicates, the way it spreads, the way it talks or is controlled remotely? A NIPS/NIDS or any gateway level device can analyse the packets’ headers to correlate an attack or a malware outbreak. Some of the header fields of different types of protocols are shown in Figure 1 (IPv4 header), Figure 2 (ICMP header) and Figure 3 (TCP header). This concept is equally valid for individual agents running on each client. In reference to these headers, here are some guidelines that can be leveraged by the perimeter, gateway level network devices or NIPS/NIDS:
• Maintain a database of hosts, devices and systems in the network. Possibly maintain a list of allotted IPs mapped with the owner.
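The header-only correlation described above, as an added example that is not part of the article: it parses IPv4 and TCP headers from raw packet bytes with struct (never touching the payload, so it works the same on encrypted traffic), checks every source against an inventory of allotted IPs mapped to owners, and counts distinct destination ports and distinct destination hosts per source to flag sweep- and spread-like behaviour. The inventory, the sample packets, the alert names and the thresholds are all constructed for this example.

```python
"""Header-only traffic correlation against a host inventory (added example)."""
import struct
import ipaddress
from collections import defaultdict

# Constructed inventory: allotted IP -> owner. Assumption for this example only.
INVENTORY = {
    "10.0.0.10": "alice-workstation",
    "10.0.0.11": "bob-workstation",
    "10.0.0.20": "file-server",
}

SYN, ACK = 0x02, 0x10  # TCP flag bits used below


def build_packet(src, dst, sport, dport, flags=SYN, ttl=64):
    """Build a minimal IPv4 + TCP header pair with no payload and zero checksums.
    Only used to construct sample traffic; a real sensor would read from the wire."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp


def parse_headers(pkt):
    """Return the IPv4 header fields and, for protocol 6, the TCP header fields.
    The payload (if any) is never inspected."""
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes; options may follow
    rec = {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
           "ttl": ttl, "proto": proto}
    if proto == 6:
        sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
        rec.update({"sport": sport, "dport": dport, "flags": flags})
    return rec


def correlate(packets, inventory, port_threshold=5, fanout_threshold=5):
    """Apply three header-level rules and return a de-duplicated list of
    (rule, source_ip) alerts:
      unknown-host   source IP is not in the allotted-IP inventory
      port-sweep     one source opened SYNs to >= port_threshold distinct ports
      spread-fanout  one source opened SYNs to >= fanout_threshold distinct hosts"""
    alerts, seen = [], set()
    ports_by_src, dsts_by_src = defaultdict(set), defaultdict(set)

    def raise_alert(rule, src):
        if (rule, src) not in seen:
            seen.add((rule, src))
            alerts.append((rule, src))

    for pkt in packets:
        h = parse_headers(pkt)
        if h["src"] not in inventory:
            raise_alert("unknown-host", h["src"])
        flags = h.get("flags", 0)
        if flags & SYN and not flags & ACK:  # new connection attempt
            ports_by_src[h["src"]].add(h["dport"])
            dsts_by_src[h["src"]].add(h["dst"])
    for src, ports in ports_by_src.items():
        if len(ports) >= port_threshold:
            raise_alert("port-sweep", src)
    for src, dsts in dsts_by_src.items():
        if len(dsts) >= fanout_threshold:
            raise_alert("spread-fanout", src)
    return alerts


# Constructed sample traffic: one benign SMB connection, an unknown host sweeping
# five ports on the file server, and an inventoried host fanning out to five peers.
SAMPLE_PACKETS = (
    [build_packet("10.0.0.10", "10.0.0.20", 50000, 445)]
    + [build_packet("10.0.0.99", "10.0.0.20", 40000 + p, p) for p in (21, 22, 23, 80, 443)]
    + [build_packet("10.0.0.11", "10.0.0.%d" % i, 51000 + i, 445) for i in range(30, 35)]
)

if __name__ == "__main__":
    for rule, src in correlate(SAMPLE_PACKETS, INVENTORY):
        print("%-14s %s (owner: %s)" % (rule, src, INVENTORY.get(src, "unknown")))
```

The inventory lookup is what turns a bare IP into an actionable alert: an owner name lets the operator phone the desk, while an address with no owner is itself the finding. Thresholds and time windows would be tuned per network; a sensor reading live traffic would reset the per-source sets periodically rather than keeping them for the whole capture.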
SECURING SENSITIVE LOCATIONS
Intelligent Video Surveillance
In the wake of the 9/11 events and the London and Madrid bombings, the world has become increasingly sensitive to security threats. This continuing trend has brought about ever more challenging physical security requirements and demands for timely response and decisions in case of emergency incidents.
Industry responds to the resulting new market trend through new offerings of security products and solutions. To this end intelligent video greatly assists security personnel by assigning the menial tasks to computers and leaving the human operator the capacity to act fast and decisively. Intelligent video surveillance simplifies incident detection and makes it more efficient and easy to process. We are all familiar with some form of video surveillance. The picture of a usually uniformed person watching a screen for long hours looking for suspicious behaviour or people has been ubiquitous in large corporate or government buildings for a long time. In this traditional setting, analogue cameras bring the video image via coaxial cabling to screens installed for this purpose. Security personnel sit there and are expected to constantly observe and visually detect potential intruders or other threats and raise an alarm when needed. In case of emergency, the guard would commonly use an out-of-band channel such as the telephone to communicate the situation according to the security policy. Occasionally, video recording is performed using VCR devices and taped video is kept for a certain period of time so that it may be utilised during investigations after an incident. The drawbacks of this setting are obvious even to the casual reader:
Figure 1. Traditional video surveillance
• The attention of the security personnel fades sharply with time, and potential intruders have more chances to succeed as time progresses.
• Time is lost making phone calls to superiors in case of emergency.
• Reaction to incidents can be slow, especially in case of personnel shortage.
• The taped video can be physically archived but is difficult and tedious to search; storage is also space-consuming.
• Video image cannot be processed on-the-fly; the taped video cannot be easily processed.
• The analogue surveillance system does not scale well; expansion can mean a major system reorganisation.
Now What am I forgetting
An article that recaps some of the points I have been hearing on podcasts and talks at cons like DerbyCon and Hack3rCon. Being asked about physical controls, I tried to keep the examples to that domain, but I feel they are applicable across the aisle in IT.
Initially, I had started writing an article about implementing physical access controls in a business. I believe that would have gone fine, except it didn’t seem to fit into a magazine exclusively dedicated to penetration testing. I also wanted to mention some of the driving topics and ideas that were main points at conferences (yea, DerbyCon and Hack3rCon) and observations I have made at work and even at the drive thru line at. I chose to split this into two sections. The first is the unsexy, “I dream about patching systems and reviewing logs” defensive guy, and the second is the super ‘leet hacker red team. I am by no means an expert, and I primarily do more information security stuff than anything. But all in all, I don’t think the worlds are that far apart.
Point 1 : You need to know what is critical to your business before you can protect what is critical to your business
One of the big mistakes businesses make is under-protecting the critical, or trying to evenly protect all of their assets. From a physical standpoint, this leaves you with cheap door locks and hollow core doors protecting financial data, while high quality locks and solid core doors are installed on janitors’ closets. Each industry needs to protect different assets, and protect them to different degrees. A software engineering firm will not require the same level of protection against
Figure 1. Who would want to shut off our electricity?
IT Security Books
In recent months a lot of new books in the field of IT Security have appeared on the market. We want to introduce three of them to you. „Web Application Security” and „Security Metrics” are part of the „Hacking Exposed” series, which has a good reputation and recognition. The last one, „Securing the Clicks”, provides knowledge of network security. All three books are easily available through PenTest Magazine.
Web Application Security: A Beginner’s Guide by Bryan Sullivan and Vincent Liu November 2011
Web Application Security: A Beginner’s Guide imparts the hard-learned lessons and experiences of top security professionals, as well as knowledge that could take years to learn. It provides IT professionals with an actionable, rock-solid foundation in Web application security – from a complete overview of the tools and resources essential to Web application security to the trade’s best practices for detecting vulnerabilities and protecting applications. Important tips and key techniques plus the most common terminology are all clearly explained. Designed specifically for the needs of IT professionals looking to boost their skills in the ever-changing world of computer security, the book is divided into three sections. The first two chapters present a primer on web application and software security concepts in general. The second section, comprising six chapters, deals with the principles of securing common areas of functionality of web applications. The authors show the best ways to defend the integrity of databases, file systems, user accounts, and many other important resources. Finally, the third section shows the most effective ways to put all the concepts learned into action by laying out some secure development and deployment methodologies.
Bryan Sullivan, Senior Security Researcher at Adobe Systems, was previously Security Program Manager
Patrick Bedwell
Patrick Bedwell has more than 14 years experience in the network security and network management industries. He is the vice president of product marketing at Fortinet and is responsible for executing the marketing strategy for Fortinet’s network security products. Prior to joining Fortinet, Patrick held product marketing and product management leadership positions at Arcot Systems, McAfee, SecurityFocus, Network ICE and Network General. Patrick earned an MBA with honors from Santa Clara University and a BA degree in English from the University of California, Berkeley.
Tell us about Fortinet, your services and products.
Patrick Bedwell: Fortinet is a network security provider based in Sunnyvale, CA. We deliver benefits in three areas:
• protection against the increased sophistication of security threats targeting enterprise networks by integrating a wide range of technologies into a single physical or virtual appliance
• high performance protection with the fastest firewalls on the market that can keep up with ever-increasing network speeds
• visibility and control of applications, users, and data by providing granular control over what content is allowed on a network
Fortinet’s flagship product, FortiGate, consolidates a wide range of network security technologies into a single physical or virtual appliance. These technologies include firewall, intrusion prevention (IPS), application control, Web content filtering, VPN, and antivirus/antispam. Customers can deploy as much or as little of the technologies that we include in the FortiGate – it’s all provided for one price. Our physical appliances take advantage of custom-built processors to deliver many of the fastest firewalls on the planet. This integrated multi-threat approach allows organizations to reduce costs and improve protection while improving protection of their network. Lastly, in addition to the FortiGate line, Fortinet offers many specialized security technologies that deliver more granular control over essential aspects of today’s
In the next issue of
Cross-Site Request Forgery
Available to download on January 15th
Soon in PenTest!
• Anatomy Of CSRF Attack
• XSRF Is Not The Same As XSS
• Preparing For The CSRF Defense
• Detect If A Website Is Vulnerable
and more...
If you would like to contact the PenTest team, just send an email to email@example.com or firstname.lastname@example.org. We will reply a.s.a.p.