
Improving Application Security through Penetration Testing

Dominick Baier (dbaier@ernw.de)
Security Consultant / BS 7799 Lead Auditor
ERNW GmbH
Outline

• What is Penetration Testing and Auditing
• Standards and Ethics
• The Process of Testing
• Pen-Testing Web Applications
• The Tools

2
"Improving the Security of Your Site by
Breaking Into it"
(Dan Farmer/Wietse Venema, 1993)
http://www.fish.com/security/admin-guide-to-cracking.html

3
Penetration Testing vs. Auditing

• Penetration Testing
- Simulating a motivated attacker for a specific amount of time
- Black Box / White Box Approach
- Is more like a snapshot of the current security of a system or a
business process

• Auditing
- Analyzing
• Configuration Files
• Architecture
• Source Code
- Policy conformance
• Operational Plans and Procedures

4
Why Penetration Testing

• To measure the security of a system, network or a business process
- By a third party

• To assess possible Risks

• To make the upper management "security aware"

5
Possible Goals of a Penetration Test

• How much information about our network is publicly available?
• Is it possible to compromise this and that system?
• Is it possible to disturb business process X?
• How effective are our security controls?
- Firewall
- AntiVirus / Spam / Content Filter
- Intrusion Detection Systems
• Is our Information Security Policy correctly enforced?
• Can employees compromise workstation security?

• "Are we safe?"

6
What can be tested

• Servers and Workstations
- Web Server
- Database Server
- Domain Controller
- Workstations
• Infrastructure
- Network Devices
- Wireless Networks
- Dial-In Access
- VPNs
• Applications
• Employees (Social Engineering)

7
Attackers to simulate

• Outside Attackers
- Script Kiddies
- Competitors
- Terrorists
- Journalists

• Insiders
- Employees
- Disgruntled Employees
- Contractors
- Consultants

8
Standards

• Pete Herzog's OSSTMM
"Open Source Security Testing Methodology Manual"
- Very practical approach
- Checklists of what and in which order to test
- List of tools

• ISO 17799 / BS 7799 Standard for Information Security
- Focuses more on the policy and paper work side of security
- Extensive catalog of security controls
- Defines a standard for audits

• NIST Guidelines for Network Security Testing

9
Ethics

• Findings are under strict NDAs

• No information gathered during the test
- is sent in clear text over the internet
- is used for personal profit

• ISACA Code of Professional Ethics
• (ISC)² Code of Ethics

• Full Disclosure

10
The STRIDE Threat Model

• STRIDE
- Spoofing Identity
- Tampering with data
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege

11
The Pen-Tester's Mantra

• Segregation of Duties
• Minimal Machine
• Least Privilege
• Patch-Level
• Defense in Depth
• Secure the Weakest Link
• Strong Authentication

12
Course of Actions

• Opening Meeting
- Goals of the Pen-Test
- Scope
- Responsible Admins

• The Audit / Test itself

• The Report
- Found issues
- Countermeasures
- Prioritization

• Closing Meeting

13
Stages of a Pen-Test

• Gathering Information
• Analyzing the Infra-Structure
• Analyzing the Machines
- Fingerprinting
- Port / Vulnerability-Scanning
- Attacking the System / Proof of Concept
• Analyzing Applications
- Functional / Structural Analysis
- Attacking Authentication and Authorization
- Attacking Data and Back-End Communication
- Attacking Clients

14
Information Gathering

• In this phase you try to compile as much publicly available information as possible

- Internic
- IANA / RIPE
- Whois
- Google / Usenet
- Private homepages of employees
- Email Addresses
- Telephone numbers

15
Information Gathering

• Google Search-Syntax

- allintitle:"Index of /etc"
- site:gov site:mil site:ztarget.com
- filetype:doc filetype:pdf filetype:xls
- intitle:, inurl:, allinurl:
- allinurl:mssql, allinurl:gw …
- inurl:".aspx?ReturnUrl="
- "+www.ernw.+de"
- related:www.ernw.de
- login site:www.microsoft.com
- [cached]

18
Information Gathering

• Mailing-Lists / Forums / Usenet
- Some vendors even post internal support questions to public newsgroups

25
Information Gathering

• Mailing-Lists / Forum / Usenet

Invitation?

26
Analyzing the Infra-Structure and Machines

• A layered model

[Diagram: two hosts, each stacked as Data / Application / Service / OS, connected at the bottom by a shared Network layer]

27
Analyzing the Infra-Structure and Machines

• The Reality

[Diagram: Browser -> Web Server -> Application Server -> Database Server, linked over HTTP, DCOM, SOCKETS and CORBA; the servers draw on Auth Data, LDAP, a Database, Web Content and Audit Logs]

28
Analyzing the Infra-Structure and Machines

• Querying System and DNS Information
• Portscanning
• Fingerprinting
• Vulnerability Scanning
• Exploiting a Vulnerability

29
Querying System and DNS Information

• TraceRoute
- Tracing the network route gives you information about
• The provider
• Type of connection
- Simple / Redundant / Load Balanced
- At which hop does ICMP get blocked?

30
Querying System and DNS Information

• DNS Zone transfer
- DNS Servers should be configured to allow Zone Transfers only to specific peers
- DNS Zones are very interesting
• Which machines are listed in the Zone
• Get information about IP network-structure

31
Portscanning & Fingerprinting

• Port Scanning gives you information about which ports a machine listens on
• Every open port is potentially vulnerable
• More advanced scanners try to figure out what kind of software (+ vendor and version) is installed

• Most popular Port Scanners
- SuperScan (www.foundstone.com)
- NMAP (www.insecure.org/nmap)

32
Banner Grabbing

• Connect with Netcat or Telnet to a service
• You will often get detailed information

33
Vulnerability Scanner

• Automated scanners that check for known vulnerabilities
- They often give you more information for vulnerability investigation

• There are vulnerability and exploit databases on the internet
- SecurityFocus (www.securityfocus.com)
- Packet Storm (www.packetstormsecurity.com)

34
Vulnerability Scanner

• System / Host Scanner
- Nessus (www.nessus.org)
- Retina (www.eeye.com)
- ISS Security Scanner (www.iss.net)
- Microsoft MBSA (www.microsoft.com)

• Database Scanner
- MetaCoreTex (www.metacoretex.com)
- AppSecInc AppDetective (www.appsecinc.com)
- ISS Database Scanner (www.iss.net)

• Web Server Scanner
- Nikto (www.cirt.net)

35
Vulnerability Investigation

• www.securityfocus.com/bid

36
Vulnerability Investigation

• www.packetstormsecurity.org

37
Pen-Testing Web Applications

• Visualize the HTTP Traffic
- Sniffer (e.g. Ethereal)
- Web Proxies
• Achilles (http://packetstormsecurity.nl/web/achilles-0-27.zip)
• Fiddler (www.fiddlertool.com)
• WebProxy (www.atstake.com)
- Hand craft HTTP Requests
• Wfetch & Tinyget (IIS6 Resource Kit)

Page        Path     Auth?  SSL?  GET/POST  Comment
Index.aspx  /        N      N
login.aspx  /login/  N      Y     POST      Login Page
about.aspx  /about/  N      N               Email Addresses

38
Structural Analysis

• ...or graphical

39
Pen-Testing Web Applications

• Try some URLs
- Common Directories
• /html, /images, /jsp, /cgi
- "Hidden" Directories
• /admin, /secure, /adm, /management
- Backup and Log Files
• /.bak, /backup, /back, /log, /logs, /archive, /old
- Include Files
• /include, /inc, /js, /global, /local
- Localized Versions
• /de, /en, /1033
- trace.axd

• Look at the HTTP Status Codes
- Everything besides 404 is interesting

40
Pen-Testing Web Applications

• Look for
- Cascading Style Sheets (.css)
- XML files / XML Stylesheets (.xml / .xsl)
- JavaScript files (.js)
- Include Files (.inc)
- Text files (.txt)
- Comments
- Client-Side Validation
- Forms
• Hidden Fields
• Password Fields
• MaxLength Attributes

41
Pen-Testing Web Applications

• "Odd" Query Strings

www.site.com/show.aspx?content=marketing.xml
www.site.com/UserArea/default.php?UserID=5
www.site.com/dbsubmit.php?Title=Mr&Phone=123
www.site.com/menu.asp?sid=73299

• Cookie values

42
Canonicalization Errors

• Popular Examples
- Apache WebServer
• /scripts and /SCRIPTS
- Microsoft IIS 5
• ../ and .%2e%2f
- ISS Firewall
• action=delete and action=%64elete
- Microsoft IE4
• Dotless IP Bug
- ASP.NET Authorization Canonicalization Bug
• http://localhost/formsec/secure%5csecret.aspx

43
Resource Names

• Example

http://server/cms/show.aspx?file=content.xml

• Can I use this page to show other files?

http://server/cms/show.aspx?file=../web.config

• Try some variations

http://server/cms/show.aspx?file=../web.config.
http://server/cms/show.aspx?file=../web.config::$DATA
http://server/cms/show.aspx?file=..%5cweb.config
http://server/cms/show.aspx?file=..%255cweb.config
http://server/cms/show.aspx?file=..%%35%63web.config
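A defender-side check for the show.aspx?file= pattern above, covering both the Canonicalization Errors slide and the variations listed here (an added example, not from the slides): the value is percent-decoded until it stops changing, backslashes are unified with slashes, alternate names (trailing dot, ::$DATA) are refused, and the normalised path must still lie inside an assumed content directory.

```python
import posixpath
from urllib.parse import unquote

# Assumed layout (constructed for this example): the CMS may only serve
# files from this directory; show.aspx?file=... names a file inside it.
BASE_DIR = "/var/www/cms/content"


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing, so single (%5c),
    double (%255c) and mixed (%%35%63) encodings collapse to the same
    characters, then unify '\\' and '/' so '..\\' cannot slip past a '../' check."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    else:
        raise ValueError("too many encoding layers")
    return value.replace("\\", "/")


def resolve_content_file(file_param: str, base_dir: str = BASE_DIR) -> str:
    """Return the absolute path the request may read, or raise ValueError."""
    name = canonicalize(file_param)
    # Alternate names for the same file are rejected outright rather than
    # normalised: NTFS streams (web.config::$DATA), trailing dots or spaces
    # (web.config.), embedded NULs, empty names and absolute paths.
    if not name or "\x00" in name or "::" in name or name != name.rstrip(". "):
        raise ValueError(f"rejected resource name: {file_param!r}")
    if name.startswith("/"):
        raise ValueError(f"absolute path not allowed: {file_param!r}")
    full = posixpath.normpath(posixpath.join(base_dir, name))
    # The decisive check is on the normalised result: it must still lie
    # inside base_dir, whatever mix of '..' segments produced it.
    if posixpath.commonpath([base_dir, full]) != base_dir:
        raise ValueError(f"path escapes content directory: {file_param!r}")
    return full


if __name__ == "__main__":
    # The slide's variations plus one legitimate request, all constructed.
    for value in ("content.xml", "../web.config", "../web.config.",
                  "../web.config::$DATA", "..%5cweb.config",
                  "..%255cweb.config", "..%%35%63web.config"):
        try:
            print(f"{value:24} -> {resolve_content_file(value)}")
        except ValueError as exc:
            print(f"{value:24} -> REJECTED ({exc})")
```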

44
Testing for SQL Injection

• Try if you can inject SQL code in forms
• If the programmer simply concatenates user input with SQL statements a database compromise is most likely possible

• Try to generate errors
- Insert a ' character
- Does the application behave differently?
- Is maybe even a database error returned?

• You can execute nasty statements through SQL Injection
- Union
- Drop...
- XP_CMDSHELL
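The concatenation pattern the slide warns about next to its parameterised replacement, with the single-quote probe from the slide run against both (an added example, not from the slides; sqlite3 and the users table are constructed stand-ins for the application's database).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database standing in for the application's back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """The pattern the slide describes: user input pasted into the statement,
    so a quote in the input changes the SQL the database sees."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the driver binds the value; input is data, never SQL."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def probe(lookup, name: str) -> tuple:
    """Run one lookup on a fresh database and report what a tester observes:
    ("rows", rows) when the query ran, ("error", message) when the database
    rejected it, which is the tell-tale sign the slide asks you to look for."""
    try:
        return ("rows", lookup(make_db(), name))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    for label, fn in (("concatenated", lookup_concat), ("parameterised", lookup_param)):
        for value in ("alice", "O'Brien"):
            print(f"{label:14} {value!r:12} -> {probe(fn, value)}")
```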

45
Testing for Cross Site Scripting

• Cross Site Scripting lets an attacker inject script code in Web Pages
• This happens when the Application directly outputs client input without proper HTML encoding
• Can be hard to find - look in
- Query Strings
- Form Fields
- HTTP Headers

• Enables Cookie Stealing / Harvesting Attacks

• Many Developers rely on ASP.NET's ValidateRequest
- Try <%00...> encoding

46
Tools

• Automatic Mirroring of Web Sites
- wget (www.gnu.org/directory/wget.html)
- Black Widow (www.softbytelabs.com)
- Teleport Pro (www.tenmax.com)

• Web Scanner
- WebInspect (www.spidynamics.com)
- NStealth (www.nstalker.com)

• ASP.NET Specific Scanners
- ASP.NET Security Analyzer (www.owasp.org)
- ASP.NET Shared Hosting Analyzer (www.owasp.org)

47
Conclusion

• Pen-Testing is no Black Magic
• Very systematic procedure

• If you follow the 7 golden rules, you can eliminate most of the vulnerabilities

• Do regular Pen-Tests or Audits - you can only benefit
- Internal and third party

48
• Questions?

You can download the slides from www.leastprivilege.com

49
Links

• OSSTMM
- www.isecom.org
• NIST Draft Guidelines to Network Security Testing
- http://csrc.nist.gov/publications/drafts/security-testing.pdf
• (ISC)² Code of Ethics:
- https://www.isc2.org/cgi/content.cgi?category=12
• ISACA Code of Professional Ethics
- http://www.isaca.org/Template.cfm?Section=Code_of_Ethics1

50
Links

• Wfetch
- http://download.microsoft.com/download/d/e/5/de5351d6-4463-4cc3-a27c-3e2274263c43/wfetch.exe
• NetCat
- http://www.atstake.com/research/tools/network_utilities/nc11nt.zip

51
