PenTesting the Internal Network

Penetration Penetrati on Testing Testing - a tool for improving our cyber security

Adrian Furtuna Ph.D. CEH KPMG Management Consulting IT Advisory

Cyber Security – Security – A Mutual Challenge Embassy of Sweden 12th March 2013

Agenda



Who am I



Why this topic



Case study 1



Case study 2



Lessons learned



Conclusions



Q&A

©2013 KPMG Romania SRL, a Romanian limited liability company and a member firm of the KPMG network of independent member firms affiliated

2

Who am I 

Member of the Pentest Team Team in KPMG Romania 

Our motto: “ Hacking through complexity ”



Doing pentests against various applications and systems: 

Internet Banking applications



General web applications



Mobile applications



Internal networks, public networks



Wireless networks



Social engineering, etc



Speaker at Hacktivity, Hacktivity, DefCamp, Hacknet and other local security confs



Teaching assistant at Information Security Master programs (UPB, MTA and ASE) 

Teaching penetration testing classes cl asses



Organizing Capture the Flag contests


3

Why this topic? 

The need for more efficient cyber security

Penetration testing is part of the defense-indepth approach 





Verify the effectiveness of defense mechanisms and people



Find weak spots in defense layers



Show the real risk of a vulnerability



Suggest corrective measures



Re-verify

Is my data safe?

Penetration testing can be used for improving our cyber security


4

Case Study 1


5

Pentesting the internal network (2011)

Objective: See what an internal malicious user could do, given simple network physical access.

■ Malicious user:

visitor, contractor, contractor, malicious employee

■ Targets:

confidential data, client information, strategic business plans, etc

■ Initial access:

physical network port in users subnet


6

Pentesting the internal network (2011) – cont.


7

Pentesting the internal network (2011) – cont. 1. Netwo worrk ma mapping ■

IP ranges

■

Host names


8


IP ranges

■

Host names

2. Se Serv rvic ice e an and d OS di disc scov over ery y ■

Windows 7

■

Windows 2008 Server R2

■

Common client ports open

■

IIS, MsSQL, Exchange, etc


9


IP ranges

■

Host names


Windows 7

■

Windows 2008 Server R2

■

Common client ports open

■

IIS, MsSQL, Exchange, etc

3. Vul ulne nera rabi bili lity ty sc scan anni ning ng ■

Nessus: 1 high, high, 30 medium, 39 low

■

MsSQL server default password for sa user


10

Pentesting the internal network (2011) – cont. 4. Expl plo oitation


11

Pentesting the internal network (2011) – cont. 4. Expl plo oitation ■ Add local admin


12

Pentesting the internal network (2011) – cont. 4. Expl plo oitation ■ Add local admin 5. Po Post st-e -exp xplo loit ita ati tion on ■

Info gathering

■

Credentials to other systems


13


Info gathering

■


6. Pivoting ■

Connect to 2 nd db server

■

Upload Meterpreter


14


Info gathering

■


6. Pivoting ■

Connect to 2 nd db server

■

Upload Meterpreter

7. Po Post st-e -exp xplo loit ita ati tion on ■

List tokens

■

Impersonate Domain Admin token

■

Create Domain Admin user

■

Game Over


15

Pentesting the internal network (2011) – cont. Game over

on Domain Controller:


16

Case Study 2


17

Pentesting the (same) internal network (2012)

Objective: See what an internal malicious user could do, given simple network access. Test the findings from previous year

■ Malicious user:

visitor, contractor, contractor, malicious employee

■ Targets:

confidential data, client information, strategic business plans, etc

■ Initial access:

network port in users subnet


18

Pentesting the (same) internal network (2012) – cont. 1. Netwo worrk ma mapping ■

~ the same as last year




19






Nessus: 0 high, 21 medium, 30 low


20






Nessus: 0 high, 21 medium, 30 low

Now what?

■

No default/weak passwords

■

No missing patches

■

No exploitable config problems

■

No sql injection….


21

Pentesting the (same) internal network (2012) – cont. 4. Att tta ack th the e cl clie ient nts s – method 1


22

Pentesting the (same) internal network (2012) – cont. 4. Att tta ack th the e cl clie ient nts s – method 1 ■

Setup a fake local NetBIOS server

■

Respond to every request with my IP address

■

Setup multiple local services (HTTP, (HTTP, SMB)

■

Request Windows authentication on connection => capture password hashes


23

Pentesting the (same) internal network (2012) – cont. 4. Att tta ack th the e cl clie ient nts s – method 1 – cont. ■

Captured around NTLM 50 hashes

■

Cracked about 25% using dictionary attack with mangling rules in a few hours

■

Gained network access as domain user (low privileges)

■

Could access some shared files on file server

■

Not enough


24

Pentesting the (same) internal network (2012) – cont. 4. Att tta ack th the e cl clie ient nts s – method 2 ■

Man in the middle attack between victim and proxy server

■

Setup a fake local proxy server

■

Request Basic authentication

■

Receive user’s credentials in clear text (base64 encoded)


25

Pentesting the (same) internal network (2012) – cont. 4. Att tta ack th the e cl clie ient nts s – method 2 – cont The victim sees this:

What would you do?


26

Pentesting the (same) internal network (2012) – cont. 5. Expl plo oitation ■

Got local admin password (global) from a special user

■

Could connect as admin on any workstation


27


Got local admin password (global)

■


6. Pivoting ■

Search the machines from IT subnet for interesting credentials / tokens

■

Found a process running as a domain admin user


28


Got local admin password (global)

■


6. Pivoting ■

Search the machines from IT subnet for interesting credentials / tokens

■

Found a process running as a domain admin user

7. Expl plo oitation ■

Impersonate domain admin

■

Create new domain admin user

■

Game over


29

Lessons learned


30

Pentest comparison

2011

2012

Low hanging fruits removed

no

yes

IT personnel vigilance

low

high

Network prepared for pentest

no

yes

Existing vulnerabilities

yes

yes (lower nr)

medium

high

Overall exploitation difficulty


31

Consultant’s advice

■ Make yourself periodic vulnerability assessments (e.g. Nessus scans) ■ Prepare your network before a pentest (you should always be prepared, btw) ■ An homogeneous network network is easier to defend then an heterogeneous heterogeneous one ■ Do not allow local admin rights for regular users ■ Patch, patch, patch ■ Educate users for security risks


32

Conclusions



Penetration testing can be used for improving our cyber security



Do it periodically with specialized people



Mandatory for new applications / systems before putting in production



Vulnerability Vulnerabil ity assessment is not penetration testing


33

Q&A


34

Thank Than k You You Adrian Furtunǎ, PhD, CEH Security Consultant, KPMG Romania IT Advisory, Management Consulting +40 747 333 008 [email protected]

© 2013 KPMG Romania, a Romanian limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity All rights reserved The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future No one should act on such information without appropriate professional advice after a thorough examination of the particular situation

PenTesting the Internal Network

Recommend Documents