Advanced Penetration Testing

Amarendra Godbole
The next 60 minutes or so...
• Introduction
• Why “Advanced”?
• Let’s rock! (aka Steps)
• The standards – CWE, CVSSv2, etc.
• Conclusion
• References, Contacts, etc.
Security and Quality
• Security must be built “ground-up”
    • Cannot be “bolted-on” to the application
• Determines overall quality of the application

Security == Quality
Penetration Testing
• Closely approximate an attacker’s behavior
• Find security issues in an application
• Time-bound
• Leverages knowledge of the pen-tester
• Scoped
Challenges
• Largely difficult to model an attacker’s mentality
• Security skills “acquired” over time
    • Affect efficiency and coverage
Advanced?
• Systematic steps
• Focus on innovation as well as tools
• Deliver a standardized closure
    • Use standard ratings
    • Use standard vulnerability buckets
(I) Planning
• Set expectations (helps accurate scoping)
• Estimate approximate effort (helps create a timeline)
• Obtain required approvals
    • Active or passive scanning?
• Decide points of contact
(II) Reconnaissance
• Understand the application
    • Read, read, and read – guides, docs
    • “Look around” the application
        • May require scanners and similar tools
        • Deliver a DFD (data flow diagram)
    • Build a “mental model”
        • Makes component interaction easy to visualize
(III) Decide attack surface
• Scope
    • Network-facing components
    • User interfaces
    • Other “entry points”
    • ...
• Optimize time and effort, maximize effectiveness
(IV) Create attack scenarios
• Threat modeling – find weak spots
    • Assets, threats, mitigations
    • Use the DFD
• Abuse cases
    • Things break at the extremes!
• Creativity counts!
(V) Tools
• Right tool for the job
    • Web console? Burp, ratproxy, WebScarab, …
    • Network protocol? Wireshark, nmap, netcat, …
• Take out all “low-hanging” fruit
• May have false positives
(VI) Craft and conduct attacks
• Divide time according to attack surface
    • Network attacks, then local attacks, ...
• Record results – successes and failures
    • Keep detailed notes
    • Keep the application team informed if required
(VII) Delivery and Closure
• Formal document
    • Capture scope
    • Capture security issues found
    • Capture mitigated issues
    • Recommend fixes
    • Score issues – standardized
        • CVSS v2
        • CWE category
    • Indicate approximate timeframe for next pen-test
References and further reading
• The Art of Software Security Assessment – Dowd, McDonald, et al.
• 24 Deadly Sins of Software Security – Howard, LeBlanc, et al.
• Common Vulnerability Scoring System (CVSS)
• Common Weakness Enumeration (CWE)
• CWE Top 25 Most Dangerous Programming Errors
• Data Flow Diagram
Questions?

Thank You!
Amarendra Godbole
amunix@gmail.com