Friendly hacking Penetration testing vs. hacking Kamil Golombek [email protected] Tel. +420 241 046 279 Agenda Definitions and dividing Similarities and differences Skills and mentality Methodology and tools Personal experiences.


Slide 1

Friendly hacking
Penetration testing
vs. hacking
Kamil Golombek

[email protected]
Tel. +420 241 046 279


Slide 8

Agenda
Definitions and dividing

Similarities and differences
Skills and mentality
Methodology and tools
Personal experiences


Slide 9

Definitions
Penetration testing
– tries to replicate a real attack
– goes as deep as possible
– it’s not comprehensive (doesn’t enumerate all vulnerabilities)
– it’s usually, but not always, done from outside
– it’s not “just” a combination of several vulnerability scanner reports
– maybe not so strong, but very intelligent

Vulnerability scanning
– doesn’t go as far as pentesting
– but enumerates all possible known bugs and holes
– not very intelligent but strong


Slide 10

Types of security tests
NIST Computer Security Division:
network mapping (survey and scanning)
vulnerability scanning (network and host scanners)
penetration testing (blue / red team, “manual work”)
security tests & evaluation (finding mistakes in design ...)
password cracking (e.g. can be used during pentests)
log review (system works as intended)
integrity checkers (implementation at start)
virus detection (old is none)
war dialing (rogue modems etc.)


Slide 11

Pros and cons of security tests

Type                   | Pros                                                   | Cons
-----------------------|--------------------------------------------------------|--------------------------------------------------------------------------
Network mapping        | Very quick and easy                                    | Doesn’t find vulnerabilities; more often it’s the first phase of other tests.
Vulnerability scanning | Quite quick, many good automated tools, wide range     | Only known bugs, many “false positives”, doesn’t go under cover
Penetration testing    | Hacker tools and methods, shows real danger, goes deep | Very exhausting in time, skills and knowledge. Quite expensive.
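The “only known bugs, many false positives” row is easy to see in code. The following Python is an added example, not from the presentation and not any real scanner’s code: it does what a banner-based vulnerability scanner does (match an advertised product and version against a table of known issues) over a constructed host inventory, then separates the hits a pentester could confirm from the ones a vendor backport makes false. The issue identifiers, product names, banners, addresses and the backport ground truth are all placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class KnownIssue:
    # Constructed placeholders, not real advisories or products.
    ident: str
    product: str
    fixed_in: Tuple[int, ...]  # first upstream version that contains the fix


KNOWN_ISSUES: List[KnownIssue] = [
    KnownIssue("EXAMPLE-ISSUE-001", "ExampleSSH", (7, 4)),
    KnownIssue("EXAMPLE-ISSUE-002", "ExampleHTTPd", (2, 4, 30)),
]

# Assumed banner shape: product name, a separator, dotted numeric version.
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z]+)[/_ -](?P<version>\d+(?:\.\d+)*)")


def parse_banner(banner: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return None
    return m["product"], tuple(int(x) for x in m["version"].split("."))


def older_than(version: Tuple[int, ...], fixed_in: Tuple[int, ...]) -> bool:
    """Compare dotted versions of unequal length by padding with zeros."""
    width = max(len(version), len(fixed_in))
    return version + (0,) * (width - len(version)) < fixed_in + (0,) * (width - len(fixed_in))


def scan_banner(banner: str, known: List[KnownIssue] = KNOWN_ISSUES) -> List[str]:
    """Scanner logic: flag every known issue whose fix post-dates the advertised version."""
    parsed = parse_banner(banner)
    if parsed is None:
        return []  # unknown service: a banner matcher has nothing to say about it
    product, version = parsed
    return [k.ident for k in known if k.product == product and older_than(version, k.fixed_in)]


# Constructed inventory: what the scanner sees, plus ground truth only manual
# verification would establish (the distro backported the fix on 10.0.0.2).
HOSTS: Dict[str, str] = {
    "10.0.0.1": "ExampleSSH_7.2",       # genuinely unpatched
    "10.0.0.2": "ExampleSSH_7.2",       # same banner, fix backported
    "10.0.0.3": "ExampleHTTPd/2.4.31",  # already fixed
    "10.0.0.4": "mystery-service",      # no version: scanner reports nothing
}
BACKPORTED = {("10.0.0.2", "EXAMPLE-ISSUE-001")}


def scan_inventory(hosts: Dict[str, str] = HOSTS) -> Dict[str, List[str]]:
    return {host: scan_banner(banner) for host, banner in hosts.items()}


def triage(scan: Dict[str, List[str]], backported=BACKPORTED) -> Dict[str, list]:
    """Split scanner output into confirmed findings and false positives."""
    confirmed, false_pos = [], []
    for host, idents in scan.items():
        for ident in idents:
            (false_pos if (host, ident) in backported else confirmed).append((host, ident))
    return {"confirmed": confirmed, "false_positives": false_pos}


if __name__ == "__main__":
    for kind, hits in triage(scan_inventory()).items():
        print(f"{kind}: {hits}")
```

Two of the table’s points fall out of the run: the scanner cannot tell the two identical banners apart (the false positive needs a human to check the actual patch level), and the unversioned service produces no finding at all, which is exactly the “only known bugs” limitation.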


Slide 12

Comparison
Hacker vs. pen-tester

Is pentesting a kind of “black art”?
Who is the real hacker / pentester?
“Wanna be” hackers / pentesters?
Who is more dangerous?
How can you find the real one?


Slide 13

Who is the real one?
First-tier hackers
Best programmers and experts. They have a deep understanding of IP
protocols and of the OS and programming languages they use. They are able to find
new holes or vulnerabilities and to create their own code. They usually don’t
seek publicity, but they are known because many others use their hacking
utilities.

Second-tier hackers
Have a technical skill level equivalent to system or network administrators.
They usually know several OS, know how to use some exploits and have
some knowledge of a programming language. They are much more common
than first-tier hackers and they often rely on them.

Third-tier hackers (also script kiddies or “lamers”)
The most populous but also the least respected group. The main principle they
use is “download and try”. They usually don’t understand the consequences and,
because they often use untested scripts against real networks, they can
cause big problems. Their knowledge of IT is usually quite low, but what
they lack (or lose) in skills they gain in motivation, free time etc. If they are
successful, they think they are “elite”.


Slide 14

Usual (or minimal?) level of pentester?
• Skills, knowledge and experience should be at
least similar to the second-tier hackers.
• If he (she?) is better, that’s good, but it’s more an
exception than a rule.
• Plus
– good reputation and no criminal record
– patience and methodology (to find all holes, to
document ongoing tests, etc.)
– presentation skills (?) and the ability to close discovered
holes (if required)


Slide 15

Skills and mentality
Good skills and knowledge are
necessary but not sufficient conditions!
You have to think like a hacker but behave
like a professional!
Going beyond limits and using your
knowledge in a different way is an attitude!


Slide 16

Methodology and tools
• Before you begin ...
• Classical phases of tests (hacks?)
• Obligations in execution of tests
• Basic categories of tools


Slide 17

Classical phases of tests
• General methodology (from outside)
– Reconnaissance (get to know as much as possible)
– Vulnerability analysis (“low hanging fruit”, other ways)
– Gaining access (trying concrete attacks and methods,
escalation of privileges)

• Basic phases of “attack”
– Reconnaissance (IP, DNS, mail servers, organization info, etc.)
– Scanning (ports, services, SW, known vulnerabilities)
– Gaining access (exploits, scripts, hacker tools ...)
– Maintaining access (Trojan horses – application, traditional,
kernel)
– Covering tracks (hiding in OS, covert channels, wiping audit
logs)
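The last phase, covering tracks by wiping audit logs, is what the “log review” test type on slide 10 is meant to catch. The following Python is an added example, not from the presentation: a small log-review check that reads syslog-like lines carrying a per-host sequence counter and flags sequence gaps, clocks running backwards and unusually long silent periods, the traces that removed or edited entries tend to leave behind. The line format, the counter field and the sample lines are assumptions constructed for the demo.

```python
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Assumed line format for the demo: ISO timestamp, a sequence counter, the message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) seq=(?P<seq>\d+) (?P<msg>.*)$"
)

# Constructed sample: entries 103..109 are gone and the last line's clock runs backwards.
SAMPLE_LOG = [
    "2024-03-01T10:00:00 seq=100 sshd: Accepted publickey for admin from 10.0.0.5",
    "2024-03-01T10:00:05 seq=101 sudo: admin : TTY=pts/0 ; COMMAND=/bin/ls",
    "2024-03-01T10:00:09 seq=102 cron: (root) CMD (run-parts /etc/cron.hourly)",
    "2024-03-01T13:45:00 seq=110 sshd: Accepted publickey for admin from 10.0.0.5",
    "2024-03-01T13:44:59 seq=111 sshd: session closed for user admin",
]


def parse_line(line: str) -> Optional[Tuple[datetime, int, str]]:
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), int(m["seq"]), m["msg"]


def review_log(lines: List[str], max_gap_seconds: int = 3600) -> List[dict]:
    """Return anomalies that suggest removed or rewritten entries."""
    anomalies = []
    prev = None  # (timestamp, seq) of the previous parseable entry
    for lineno, line in enumerate(lines, start=1):
        rec = parse_line(line)
        if rec is None:
            anomalies.append({"line": lineno, "type": "unparseable", "detail": line})
            continue
        ts, seq, _msg = rec
        if prev is not None:
            prev_ts, prev_seq = prev
            if seq != prev_seq + 1:
                anomalies.append({"line": lineno, "type": "sequence_gap",
                                  "detail": f"expected seq={prev_seq + 1}, got seq={seq}"})
            if ts < prev_ts:
                anomalies.append({"line": lineno, "type": "time_regression",
                                  "detail": f"{ts.isoformat()} is before {prev_ts.isoformat()}"})
            elif (ts - prev_ts).total_seconds() > max_gap_seconds:
                anomalies.append({"line": lineno, "type": "time_gap",
                                  "detail": f"{int((ts - prev_ts).total_seconds())}s without entries"})
        prev = (ts, seq)
    return anomalies


if __name__ == "__main__":
    for a in review_log(SAMPLE_LOG):
        print(f"line {a['line']}: {a['type']} ({a['detail']})")
```

A silent period is only suspicious relative to the host’s normal rhythm, so `max_gap_seconds` should be tuned per log source; the sequence and clock checks, on the other hand, do not depend on the baseline and are the ones worth alerting on directly. Both only help if the log also lives on a separate collector, since a copy that exists only on the compromised host can be wiped along with the counter.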


Slide 18

Obligations in execution of tests

• Hacker
– doesn’t have to follow our “test order”
– needs to find and use only one hole
– can have some trouble with covering tracks

• Pen-tester
– must have a methodology to test as much as
possible
– besides having it, he has to follow it too
– tries to find theoretically all holes but can have
problems proving it


Slide 19

Basic categories of tools
• Reconnaissance
• War dialing
• OS and Application identification
• Network services testing
• Port scanning
• Vulnerability scanning
• NULL session tools
• Session manipulation
• FW, Router, ACL testing
• Forensic analysis
• Password cracking
• DoS
• Log review
• Packet forgery
• Sniffing
• IDS testing
• WWW testing
• ..... some more.


Slide 20

Personal experiences
• Relatively low level of security awareness
– 95% of blue tests

• Impossible requirements on pentesters
– “within one afternoon”
– if you don’t finish as “root”, your test was bad

• “Smart” handling of test results
– the final report is just a “dust collector”
– “it’s just a potential hole, you can’t prove it”
– “it’s not a complete manual for turning my messy IS into a COSMIC
TOP SECRET system”

• Bad internal communication in the organization
– the security officer or manager orders pentests, but sometimes
forgets to announce it to the organization’s IT staff (diversion actions
and an aggressive attitude follow very quickly)


Slide 21

Conclusion
Do you need penetration tests?
– Penetration testing is for organizations with a strong security
program.
– Don’t waste your money on pentests if you don’t even do
regular vulnerability testing yourself.

Do we need pentesters?
– Vulnerability scanning IS NOT penetration testing
– Keeping up to date with the underground is a full-time job
– No vulnerability scanner hacks your system!

• Is it important to know the basics of security testing?


Slide 22

Hack’em all!