�������������������������������������������������� �������������������������� �������������������������
/ ������������������������� / ����������������� / �������������������� / ������������������������� / �������������������������������� / ��������������������� / ������������������ / ��������������� / ����������������
��������������
/ ��������������������������������������������
�������������
/ �������������������������������������������� ����������
��������������
/ ��������������������������������������������� ���������������������������������������������� ��������������������������
Visit digitalforensicsmagazine.com
��������������������������������������� ��������������������������������������� ������������������������������
NEXT ISSUE OUT SOON SUBSCRIBE NOW ������������������������������������������������������������������������� �������������������������������
EDITOR’S NOTE
CONTENTS
Dear Readers
TEAM Managing Editor: Tymoteusz Kubik tymoteusz.kubik@software.com.pl Associate Editor: Aby Rao abyrao@gmail.com Betatesters / Proofreaders: Jeff Weaver, Robert Keeler, Daniel Wood, Scott Christie, Rishi Narang, Dennis Distler, Massimo Buso, Hussein Rajabali,Johan Snyman, Michael Munty, Aidan Carty, Jonathan Ringler Senior Consultant/Publisher: Paweł Marciniak CEO: Ewa Dudzic ewa.dudzic@software.com.pl Art Director: Ireneusz Pogroszewski ireneusz.pogroszewski@software.com.pl DTP: Ireneusz Pogroszewski Production Director: Andrzej Kuca andrzej.kuca@software.com.pl Marketing Director: Ewa Dudzic ewa.dudzic@software.com.pl Publisher: Software Media Sp. z o.o. ul. Bokserska 1, 02-682 Warszawa Phone: +48 22 427 36 56 www.pentestmag.com Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them. To create graphs and diagrams we used program by
Mathematical formulas created by Design Science MathType™
DISCLAIMER!
I shall start the editors note with the words of our cover story author for the may issue. He states in the article that the near field communications are plausible to bring revolution in different sectors offering the possibility of having „all in one” very practical device at hand. The man behind the story is Pierlugi Paganini – an expert with more than 20 years of experience in the field, at a time running his own Security Affairs. Not only he perceives the NFC as a one of the crucial topics so that is why we decided to focus also your attention on this one. Another author contributing to the NFC section is Robert Keller covering the NFC authentication. While initial access authentication strength has increased dramatically in the last decade, with the use of single scan smart cards, biometric scanners, software and hardware tokens, and captscha images. None of these solutions provided an exit strategy for the user that provides an endpoint is locked after each and every usage. That is not all we have. Another must-read is the text by our solid columnist – Stefano Maccaglia and his co-worker Andrea Minghiglioni. After reading their article you should learn that, in every aspect of Pen Testing and especially in the social side, the best tool available is the Pen Tester’s brain. If your pen-testing tool kit is not enough you should definitely read Israel Arroyo’s text concerning Nessus 5. He proofs that this one is very useful! Last but not least we are giving you an interview with profesor Patrick Engebretson. You may find it very useful as it is not very common to get to know academical point of view on the topic of information security. In addition at the end of the magazine you will find Jeff Weaver reviewing the NT objectives white paper on top 10 business logic attack vectors. Please enjoy the may issue, keep on reading, keep on reaching us as we will be trying not only meet to your expectations but to read your minds in terms of pen-testing. Our aim for the june issue is to cover the topics which are not in your mind yet but will be important for from july on. Enjoy!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
04/2012 (4)
Tymoteusz Kubik & the PenTest Team
Page 4
http://pentestmag.com
CONTENTS
NFC
NFC, business opportunities, security and privacy issues by Pierluigi Paganini
TOOLS
Nessus 5 as a pen-testers must-use
06
by Israel Arroyo Jr.
From the user-end, NFC represents a true revolution, the possibility to provide unique devices a mobile wallet, a credit and debit cards, a tag for dynamic identification, an instrument to share information. For this reason NFC technology is really desirable for different business and marketing models. The NFC solutions have the ambitious task to be the link across diverse fields from health care to telecommunications.
NFC Authentication – A Chance at Closing a Security Hole in Endpoint Access Control Left Open For Decades by Robert Keeler
While initial access authentication strength has increased dramatically in the last decade, with the use of single scan smart cards, biometric scanners, software and hardware tokens, and captcha images. None of these solutions provided an exit strategy for the user that provides an endpoint is locked after each and every usage.
SPECIAL
Brain@work: fulfill your duty by using human weakness
by Stefano Maccaglia & Andrea Minghiglioni
16
Interview with Patrick Engebretson
34
Learn what the academical attitude to information security is all about. „Time management is a critical skill no matter what industry you’re in. In my professional life I am a teacher, penetration tester, and author. Each of these roles requires me to stay focused and meet specific deliverables. I use a variety of techniques to manage my time. I try to start my day early in the morning before any of my family is awake. This gives me some quiet time to focus and prioritize what I need to accomplish for the day, I’m also big on “to do” lists. Every day I make a list of the tasks that I want to accomplish. The task list helps me to stay on track and focused.”
REVIEW
Everybody has heard the adagio “Security is a matter of Culture”. The motto is true, especially for complex environments such as an Enterprise or a big Public Company. Moreover, the idea of Culture leads us to the human nature… Today, more than in the past, espionage and data theft rely on the human nature.
04/2012 (4)
INTERVIEW by Aby Rao
10
26
How come the Nessus vulnerability scanner has gained such high praise of multiple penetration testing frameworks? Why this specific one should be considered when building your arsenal of tools in your Penetration Tester toolkit? Learn how to gain a wealth of information with a few simple checks and scans which may not necessarily be caught with other security tools.
Attacking and exploiting the top 10 business logic attack vectors by Jeff Weaver
38
Review on the NT Objectives article which builds a base level knowledge and awareness of the top 10 business logic attacks and how to start to identify and test for them in future penetration testing engagements.
Page 5
http://pentestmag.com
NFC
NFC, Business Opportunities, Security And Privacy Issues Near field communication (NFC) is a set of standards for smartphones and similar devices to establish radio communication with each other by touching them together or bringing them into close proximity.
T
he standard describe a radio technology that allows two devices to communicate at a short distance, no more than a few centimeters, allowing the exchange of information quickly and safely. From the user-end, NFC represents a true revolution, the possibility to provide unique devices a mobile wallet, a credit and debit cards, a tag for dynamic identification, an instrument to share information. For this reason NFC technology is really desirable for different business and marketing models. The NFC solutions have the ambitious task to be the link across diverse fields from health care to telecommunications. The NFC technology is widely used in many areas and the main applications that can benefit from its introduction are: • • • • • • •
Payment via mobile devices such as smartphone and tablets. Electronic Identity. Electronic ticketing for use in transportation. Integration of credit cards in mobile devices Data transfer between any kind of devices such as digital cameras, mobile phones, media players. P2P (peer to peer) connection between wireless devices for data transfer. Loyalty and Couponing/Targeted Marketing/ Location-Based Services 04/2012(4)
• • • •
Device Pairing Healthcare/Patient Monitoring Gaming Access Control/Security Patrols/Inventory Control (tags and readers)
NFC standards cover communications protocols and data exchange formats, and are based on existing radio-frequency identification (RFID) standards including ISO/IEC 14443 related to Identification cards, contactless integrated circuit cards and proximity cards. This international standard defines proximity cards used for identification, and the transmission protocols for communicating with it opening the NFC to a wide range of applications. NFC also covers the usage of contactless RFID smart card system primarily used in electronic money cards and in payments processes. From a technological perspective NFC is an extension also of the standards ECMA and ETSI, and describes the integration of a smart card with a terminal device. All NFC devices allow writing and reading of information at a high speed (424Kbis/s) once two devices approaching less than few centimeters away, creating a wireless connection, which is also compatible with the already known Wi-Fi and Bluetooth. The short distances between terminals of communications make it more secure, making really difficult data “sniffing”.
Page 6
http://pentestmag.com
NFC
NFC Authentication – A Chance at Closing a Security Hole in Endpoint Access Control Left Open For Decades Near Field Communication (NFC) devices add a needed layer to authentication that has been missing for decades. NFC authentication can not only better control the opening of an access endpoint but also ensure the immediate closing of endpoint data access portals, notebook computers, tablets and smartphones when the user is not in front of them.
E
ndpoint access authentication has not included closing down access by logging out users when they get up and walk away without logging off. A resolution has finally arrived. While initial access authentication strength has increased dramatically in the last decade, with the use of single scan smart cards, biometric scanners, software and hardware tokens, and captscha images. None of these solutions provided an exit strategy for the user that provides an endpoint is locked after each and every usage. That scenario finally is about to change. Implementation of Near Field Communication (NFC) devices look to be the selected solution to be the successor of usernames and passwords and succeed where most other authentication technologies have failed on closing down access points after usage. And in the process end the annoying need to keep entering passwords when our personal devices have “timed out” and they have not left our field of vision. Usernames and password authentication typically leave computers exposed when users walk away from them. While most authentication requires a forced login to access data through endpoints, there is no forced logout required when a user’s task is completed. And while IT has be quick to place the blame on users not logging out as the problem, in actuality the problem is not so easy to place blame on others. The fault is a 04/2012(4)
logical one that dates back more than three decades. At that time, computers and access endpoints were never left on. Back then, these devices were powered on for use, turned off when not in use. This is time when passwords were developed as a requirement for usage. The user was forced to login to access anything on startup. Because these access points were then turned off, there was no corresponding reason that forced users to logout. Some people seem to have issues understand that principle. A need to access the data forces one to login. Nothing forces users to log out. Hence, there is no logic that requires that step – so often it is forgotten. And basically, this not the users fault. Endpoints are now not turned off, so the logic circle is broken. Yes, IT can make logout a rule and if the user breaks the rule, then the user should be responsible. Nice in theory. I’ve not seen that approach work in the last two decades. The problem is a result of something completely unrelated. Because access points were always kept powered off back in the1980s when passwords were first implemented, the logic was easy to follow. Turn on the access point, enter your user name and password, do what you needed to, and then turn off the access point. There was a full circle of logic to follow and although not foolproof if a workstation was left on and no one was around, it was an oddity and quickly noticed and normally the user’s behavior was corrected – to turn off the access point when not in use – at some point over
Page 10
http://pentestmag.com
secureninja.com
Forging IT Security Experts
• Security+ • CISSP® • CEH (Professional Hacking) v7.1 • CAP (Certified Authorization Professional) • CISA • CISM • CCNA Security • CWNA • CWSP • DIACAP • ECSA / LPT Dual Certification • ECSP (Certified Secure Programmer) • EDRP (Disaster Recovery Professional) • CCE (Computer Forensics) • CCNA Security
Expert IT Security Training & Services
• CHFI • ISSEP • Cloud Security • Digital Mobile Forensics • SSCP • Security+ • Security Awareness Training … And more
Free Hotel Offer on Select Boot Camps Offers ends on Jan 31, 2012 – Call 703-535-8600 and mention code: PentestNinja to secure your special rate.
Welcome Military – Veterans Benefits & GI Bill Post 9/11 Approved WIA (Workforce Investment Act) Approved
www.secureninja.com
703 535 8600
Sign Up & Get Free Quiz Engine From cccure.org
SPECIAL
Brain@work: fulfill your duty by using human weakness Everybody has heard the adagio “Security is a matter of Culture”. The motto is true, especially for complex environments such as an Enterprise or a big Public Company. Moreover, the idea of Culture leads us to the human nature… Today, more than in the past, espionage and data theft rely on the human nature.
I
n technical terms, vulnerabilities: from eavesdropping on phreaking, from drive-by to direct exploit, are the main arguments of every assessment. Instead, only in limited cases we are committed to test the “culture” of the Company’s personnel. In fact, as we could demonstrate, the human behaviour can really make the difference. That is why it is every employee’s duty – from the executive to the guard at the door – to put security as a top priority. The social engineering problem has been widely analysed by security researcher and it has exploited since the early days of computer security: the Mitnick case has become legendary. Nevertheless, we must update our schemes today because Social Engineering has updated itself. We live in an interconnected world composed of data, of virtual relationship. In fact, the “more the world become interconnected, more are the options for fraudster and spies”. In terms of results, small changes in daily behaviours can have a huge upside for information security. Today Social Engineering can manifest itself in very different forms such as: • • • •
Phishing Tabnabbing Social Networks hacking External Storage devices 04/2012(4)
• •
Botnet Lots more…
It is probably ended the time when we could test data leakage with dumpster diving or a simple talk in front of the coffee machine… and the persuasion techniques are now more related to force the user to open this, or save that or read the other one remotely than stealing the wall safe numerical code… This imposes a modern and “inclusive” approach in our assessment… so do not panic dumpster diving is not in our agenda… Our techniques must follow this trend and is our duty to inform our customer about such vulnerabilities. However, it is entirely legitimate to have doubts such as: • •
How can a Pen Tester measure it? How a Company can be tested?
The measure is strongly dependant by our abilities and ideas; it is not only a question of tools and previous experience. What we are trying to say is that, in every aspect of a Pen Testing and especially in the social side, the best tool available is the Pen Tester’s brain… we must be creative, we must be able to explore the dark corners of the Company, we must boldly go where
Page 16
http://pentestmag.com
TOOLS
Using Nessus 5 In The Penetration Testing Execution Standard (Ptes) Vulnerability Analysis Phase During Internal Penetration Tests Nessus is one of the de-facto Commercial vulnerability assessment tools that should be part of any Penetration tester’s security tool arsenal. The Nessus 5 vulnerability scanner is available as a subscription based Professional and free Home Feed by Tenable Network Security. This powerful tool can gather a plethora of useful information other than just vulnerability scan reports.
T
his tutorial will give you a basic understanding of just how powerful this tool can be used not only to gain valuable information on your infrastructures current state of security, but it can be a powerful tool for E-Discovery and to check for regulatory compliance on your servers in your environment during your next internal penetration test. This makes it easier to scope out your penetration testing efforts and make for a great overall security assessment.
Introduction
The purpose of this document is show how the Nessus 5 vulnerability scanner can have value during an internal penetration test, and the kind of information that can be gained as a result of using it, and the appropriate audit templates during the assessment. As a penetration tester it is not a mystery to us in the industry at the number of tools there are to conduct a penetration test. There are so many tools out there that it would be impossible to use everyone on a single engagement. Unless of course the engagement was very long in duration, and all layers (Network, Application and Operating System) were going to be tested. After reading this document a penetration tester should be able to use the techniques described to obtain sensitive information from Windows servers that reside in your infrastructure. The same methods can also be used to conduct authenticated regulatory compliance 04/2012(4)
checks on Windows and UNIX server implementations. Furthermore, once this information is gathered, you can then target these systems for further exploitation during the exploitation phase of the Penetration Testing Execution Standard (PTES) located at http:// www.pentest-standard.org/index.php/Main_Page. For the purposes of this document a Windows Server has been tested for these processes. The attack machine was configured with the Professional Feed Tenable Nessus 5 Vulnerability Scanner running on a Virtual Machine using CentOS Linux 6.2 64 bit. The
Figure 1. Nessus client connecting to Nessus Server
Page 26
http://pentestmag.com
Global I.T. Security Training & Consulting
������������������������������������������������������������ ���������������������������������������������������������������� ����������������������������������������������������������� ������������������������������������������������������
IS YOUR NETWORK SECURE?
www.mile2.com ��
mile2 Boot Camps
A Network breach... Could cost your Job! Available Training Formats � � � � �
������������������������� ����������������� ������������������������������������������� ���������������������������������� ����������������������������������������������
������������������������ �������������� �������������������� ������������������ ����������������������������
�������������������
� ������� �������� ������ ������
�� ���� ��� ���� ��� ���� ��������� ��� ����
� � ����������������������������������������� Other New Courses!! ���� ��������������������� �������� � ������������������������������������� �������� ������������������� ��������� � ��������������������������������������� ����������� ���� � � ���������������������� ���������� ��������������������������� �������� � ������������������������������� ��������� ��������������������������� ���������� �������������������������� � � �������������������������� ������� ����������������������������������� ��������� �������������������������������������������������� ��������������� ������� � ������������������������������������������������ ���������
�
������������������������������ ����������������������������������������
� � ����������������� �������� � �����������������������������������
(ISC)2 & CISSP are service marks of the IISSCC. Inc. Security+ is a trade mark of CompTIA. ITIL is a trade mark of OGC.GSLC & GCIH are trademarks of GIAC.
INFORMATION ASSURANCE SERVICES
����������������� �������������
���������������������������������������� ��� ������������������� ��� ������������������������� ��� ������������������������������������� ��� �������������� ��������������������������������������������
�������������� ���������������
11928 Sheldon Rd Tampa, FL 33626
INTERVIEW
Interview with
Patrick Engebretson Dr. Patrick Engebretson obtained his Doctor of Science degree with a specialization in Information Security from Dakota State University. He currently serves as an Assistant Professor of Information Assurance and also works as a Senior Penetration Tester for security firm in the Midwest. His research interests include penetration testing, hacking, intrusion detection, exploitation, honey pots, and malware. In the past several years he has published many peer reviewed journal and conference papers in these areas. Dr. Engebretson has been invited by the Department of Homeland Security to share his research at the Software Assurance Forum in Washington, DC and has also spoken at Black Hat in Las Vegas. He regularly attends advanced exploitation and penetration testing trainings from industry recognized professionals and holds several certifications. He teaches graduate and undergraduate courses in penetration testing, wireless security, and intrusion detection, and advanced exploitation. Aby Rao: Prof. Engebretson, not very often we get a chance to interview someone from academia. Please tell us a little about yourself.
Patrick Engebertson: My name is Patrick Engebretson, I currently serve as an Assistant Professor of Information Assurance at Dakota State University. I received my doctorate from Dakota State in 2009 and was given the opportunity to stay on as a full time faculty member. In the past I have spoken at both the Black Hat and DefCON conferences. My research focuses exclusively on hacking, penetration testing, and malware analysis. Aside from teaching, I also work as a Senior Penetration Tester for a company in South Dakota. It’s a nice blend of academic and practical experience. 04/2012(4)
AR: Where and what do you teach?People who are mostly into ethical hacking are mostly employed by the industry. Why academia?
PR: Great question! Higher education is a fantastic place to study and conduct research. It gives you an opportunity to absolutely focus on a single topic. The classes I teach fall directly in-line with my research on hacking and penetration testing. I get to set my own schedule, teach the topics I enjoy, and spend my time doing nothing but researching, digging, exploring, and finding new ways of exploiting things. This freedom is vastly different than my experience in the private sector. When I had a corporate job, a vast majority of my time was spent doing nonsecurity related tasks like budgets and meetings. I
Page 34
http://pentestmag.com
was also required to spend a significant amount of time providing “defensive” services like firewall and IDS management. Outside of academia I was always working on projects that were a priority to other people. In academics I get to set the topics and the priorities.
AR: Please tell us about your book ‘Basics of Hacking and Penetration Testing’ and what kind of readers would it attract.
PR: One of the classes I teach is called Penetration Testing. This book was really an outgrowth of that class. The book is definitely aimed at beginners or people who are interested in penetration testing but are unsure of where to start. Often times I find that people know a single tool or two but they don’t really understand how each of the tools and phases blend together. Regardless of which methodology a penetration tester uses, the process is very cyclical. Understanding the importance of each phase as well as the tools and techniques that are employed in that phase is crucial to the overall success of the test. With this in mind, the goal of the book was to write something in less than 200 pages that would provide an overview of the phases and seminal tools employed in a simple penetration test. There are lots of good books out there that simply cover tool use but these books are either too thick (and thereby discouraging or intimidating to someone new in our industry) or they do a very poor job of explaining how the tool output can be used (or is required) in later phases. Consider the process of exploitation. Many people who are new to our industry have used a framework like Metasploit and some have used a vulnerability scanner like Nessus or OpenVAS but in my classes I found that most new comers don’t understand how to connect the output of the vulnerability scanner to the exploits inside Metasploit. The book is small enough that anyone with a little computer experience should be able to get through it in just a few days. Once the reader finishes the book they should have enough knowledge to dive into more indepth penetration testing topics and tools.
AR: How did you manage to take time out of your busy schedule and write a book? Your time management skills may inspire some of our readers.
PR: Time management is a critical skill no matter what industry you’re in. In my professional life I am a teacher, penetration tester, and author. Each of these roles requires me to stay focused and meet specific deliverables. I use a variety of techniques to manage 04/2012(4)
my time. I try to start my day early in the morning before any of my family is awake. This gives me some quiet time to focus and prioritize what I need to accomplish for the day, I’m also big on “to do” lists. Every day I make a list of the tasks that I want to accomplish. The task list helps me to stay on track and focused. If an item is too long for my daily list (like writing the book) I break it into a single task that I can accomplish that day like “Write 5000 Words” or “Complete Chapter 4”. Time management is also important as a penetration tester. I am usually given a timeframe to complete the test. It’s easy to get lost chasing a single vulnerability or custom exploit but it’s important to remember the overall goal and pace.
AR: Lot of fresh graduates have trouble finding their first security job. What would be your advice to them?
PR: Get involved! Do something! Join a security club (or start one), go to a security conference, learn a new tool or technique to improve your penetration testing skills. Learn to program in a new language, get involved in an open source security project. There are lots of ways for you to get involved in the security community. Involvement and networking are a critical component to finding a job. You have to be more than smart. You need to make connections and when you do make connections you need to be able to “stand out” from the crowd. Take a look a conference like DefCON. I remember the first time I attended, I was almost afraid to approach the speakers because I thought they were intimidating. But nothing could be further from the truth! Take the initiative and walk up to the speakers even if they are your heroes. Introduce yourself, ask questions. I have never met a security person a conference who wasn’t willing to talk.
AR: You have published several papers and presented at various conferences. What are you currently working on?
PR: I am working on a couple of projects right now. Specifically, I’ve been busy with malware and malware analysis over the past year. More recently, I’ve started working on penetration testing game consoles and automation of the basic PT process.
AR: Some of our readers may be interested to know how to pursue higher education in Information Security, particularly a masters or a doctorate degree? What universities/ programs would you recommend?
Page 35
http://pentestmag.com
INTERVIEW PR: Dakota State for sure! We have undergraduate, graduate, and doctorate degrees in security that can be completed entirely online. If DSU isn’t right for you, there are lots of good schools for Info Sec. I encourage your readers to focus on programs that are accredited as Centers of Academic Excellence (CAE) by the National Security Agency. CAE programs have been externally reviewed and typically have more scholarship and grant activity. Above all, I encourage the readers to look closely at the curriculum and courses being taught in the degree. Just because a school offers a degree in security doesn’t mean you’ll get the skills you’re looking for. Really dig into the program and find out what kind of Information Security is taught at the school. Some programs focus on policy, some on software, some on hardware, some on defensive or some like DSU even offensive security.
AR: How do you prepare your students for a career in Information Security?
PR: HD Moore, Val Smith, Moxy Marlinspike, Jared DeMott, Joe Grand, Deviant Ollam and many many more. I don’t know if they’re “Hacking Heroes” but I definitely admire their work.
AR: What pentesting tools would we find in your hacking kit?
PR: It’s a great time to be a penetration tester. There are hundreds of great tools and even dozens of good penetration-testing specific distributions. Backtrack is still my favorite distribution but I like to use others as well. Lately I’ve been playing with Blackbuntu and BackBox a lot. As for specific tools I love the old standards (which are covered in my book) like NMap, Nessus, OpenVAS, and Metasploit. Some of my other favorites include Netcat, RainbowCrack, MetagooFil, IDA Pro, and FOCA. Lately I’ve gotten into Python and have found myself writing some new custom tools to be more productive as a penetration tester.
PR: I stress hands on experiences in the classroom. I work hard to blend the lecture to lab ratio. My exams are also two part. Students have to understand the theoretical processes behind the topic but they also have to be able to perform and implement the process as well. For example, in one of my classes we talk about passwords. Students have to be able to explain (in writing) the difference between LM, NTLM, and Kerberos passwords. Then they have to be able to physically crack the passwords and access the system.
AR: Can you recommend any places in South Dakota for vacation?
AR: Do you attend conferences such as DefCon, HackerHalted etc? Do you have a favorite and why?
PR: I spend most of my days learning new (hacking) tools, writing exploits and programming. When I need to unplug and step away from the computer, I like to read, ride bicycle, shoot archery, and spend time with my wife and two little girls. It’s a very busy life but I really enjoy it!
PR: Cons are a huge part of my security life. They are a wonderful place to learn and network. You will meet the most interesting, smart, and fascinating people at security cons. Attending a security conference like DefCON is a great way to see what the best-of-the-best in our industry is working on. There are dozens of tool releases and cutting edge talks presented each year. As I mentioned before, the biggest advice I have for your readers is to get involved! Don’t just sit in your hotel room. Talk to people, go to parties, participate in the events like Capture the Flag, or lock picking. DefCON is my favorite Con. Partly because it’s the first one I attended, partly because of the admission price (very cheap), partly because it’s in Las Vegas but mostly because the worlds most renowned speakers attend and present every year.
PR: Mount Rushmore, Deadwood, and the Badlands are great. If you come in the spring to the east side of the state we have an awesome little security conference that is completely free to the public. We try to pull in big names each year. This year we had Moxy Marlinspike, Joe Grand, Jon McCoy, and Jared DeMott speaking. You can find information here: http://dakotacon.org/.
AR: How do you spend your leisure time?
By Aby Rao
AR: Who are some of your Hacking Heroes and why? 04/2012(4)
Page 36
http://pentestmag.com
WHAT IS A GOOD FUZZING TOOL? Fuzz testing is the most efficient method for discovering both known and unknown vulnerabilities in software. It is based on sending anomalous (invalid or unexpected) data to the test target - the same method that is used by hackers and security researchers when they look for weaknesses to exploit. There are no false positives, if the anomalous data causes abnormal reaction such as a crash in the target software, then you have found a critical security flaw.
In this article, we will highlight the most important requirements in a fuzzing tool and also look at the most common mistakes people make with fuzzing.
PROPERTIES OF A GOOD FUZZING TOOL
There are abundance of fuzzing tools available. How to distinguish a good fuzzer, what are the qualities that a fuzzing tool should have? Model-based test suites: Random fuzzing will certainly give you some results, but to really target the areas that are most at risk, the test cases need to be based on actual protocol models. This results in huge improvement in test coverage and reduction in test execution time. Easy to use: Most fuzzers are built for security experts, but in QA you cannot expect that all testers understand what buffer overflows are. Fuzzing tool must come with all the security knowhow built-in, so that testers only need the domain expertise from the target system to execute tests. Automated: Creating fuzz test cases manually is a time-consuming and difficult task. A good fuzzer will create test cases automatically. Automation is also critical when integrating fuzzing into regression testing and bug reporting frameworks. Test coverage: Better test coverage means more discovered vulnerabilities. Fuzzer coverage must be measurable in two aspects: specification coverage and anomaly coverage. Scalable: Time is almost always an issue when it comes to testing. User must also have control on the fuzzing parameters such as test coverage. In QA you rarely have much time for testing, and therefore need to run tests fast. Sometimes you can use more time in testing, and can select other test completion criteria.
Documented test cases: When a bug is found, it needs to be documented for your internal developers or for vulnerability management towards third party developers. When there are billions of test cases, automated documentation is the only possible solution. Remediation: All found issues must be reproduced in order to fix them. Network recording (PCAP) and automated reproduction packages help you in delivering the exact test setup to the developers so that they can start developing a fix to the found issues.
MOST COMMON MISTAKES IN FUZZING
Not maintaining proprietary test scripts: Proprietary tests scripts are not rewritten even though the communication interfaces change or the fuzzing platform becomes outdated and unsupported. Ticking off the fuzzing check-box: If the requirement for testers is to do fuzzing, they almost always choose the quick and dirty solution. This is almost always random fuzzing. Test requirements should focus on coverage metrics to ensure that testing aims to find most flaws in software. Using hardware test beds: Appliance based fuzzing tools become outdated really fast, and the speed requirements for the hardware increases each year. Software-based fuzzers are scalable in performance, and can easily travel with you where testing is needed, and are not locked to a physical test lab. Unprepared for cloud: A fixed location for fuzz-testing makes it hard for people to collaborate and scale the tests. Be prepared for virtual setups, where you can easily copy the setup to your colleagues, or upload it to cloud setups.
��������������������� ��������������� ������������������������� ��������������������� ������������������������� ������������������������������� ��������������������
������������������������������������ ������ ���������������������������
REVIEW
Attacking and Exploiting The Top 10 Business Logic Attack Vectors In NT Objectives White paper titled “Top 10 Business Logic Attack Vectors Attacking and Exploiting Business Application Assets and Flaws – Vulnerability Detection to Fix”, they describe the top business logic attack vectors and how automated testing alone will not identify these vulnerable business logic flaws.
T
hey state how important it is that the penetration tester needs to understand business process and flows of an application to discover to potential inherent vulnerabilities of custom applications. Many times the developers of the custom application to not follow a SDLC process and or test for security as the application is being developed. In most application development, security is a mere after thought, if at all. What makes that even scarier, a majority of the time little to no security testing is conducted prior to launching the application If anything is done it is a quick automated vulnerability scan using commercial or open source security scanners that will miss these attack vectors entirely. In this paper they point out the importance of conducting black box security testing via augmenting automated scans to find the well-defined syntax-based attacks such as SQL injections and Cross-Site-Scripting (XSS), but also how critical it is to manually test the business logic of the custom application (this typically is a very in-depth manual process). Then they highlight the top 10 attack vectors for business logic and provide examples that demonstrate the attack vector as well as how to test for these flaws As a penetration tester it is easy to get into an engagement and overlook a few of these attack vectors or dismiss them entirely due to a scanner not reporting these potential and sometimes critical vulnerabilities. 04/2012(4)
This white paper also reminds us of how important it is that any business that develops applications in-house needs to invest in educating their developers in secure application development processes. Businesses also need to have a well-defined process and best practices documented and then conduct audits against these processes to hold developers accountable. It is also important that these businesses have an SDLC process as well as encouraging developers to utilize available secure development frameworks and leverage static code analysis prior to the launch of any new application. If a business leverages a third party company to create custom applications for them, they need to ask that company if they can provide their documented SDLC processes or any other document security practices that they follow prior to making a decision to outsource the development of the application to the company in question. The white paper discusses the following 10 business logic attack vectors and gives examples with testing pointers: 1. Authentication flags and privilege escalations at application layer • This attack vector talks about the application ACLs, privileges, user authentication and the potential vulnerabilities that may exist in the implementation of the authorization.
Page 38
http://pentestmag.com
In the next issue of
All on information security in terms of Euro 2012 & London 2012 Olympics
Available to download on June 6th
If you would like to contact PenTest team, just send an email to maciej.kozuszek@software.com.pl or ewa.dudzic@software.com.pl . We will reply a.s.a.p. PenTest Magazine has a rights to change the content of the next Magazine Edition.
���������������� “We help protect critical infrastructure one byte at a time”
• ���� Checklists, tools & guidance •���� Local chapters • ������ builders, breakers and defenders • ���������� ������������������������������������������������� and more.. ��������������������������������