Security Testing Fundamentals
Susan Congiu
[email protected]
5 Principles Needing to Test
  Authentication: Identity - Validity
  Integrity: protection from tampering/spo

Authentication
  Login, timeout, failures, pw changes, mins/ma stored encrypted, bypass captured URL, handling deletion of outdated, expirations, 2-factor: ATM
  Unix: Access.conf, .htaccess, .nsconfig
  Windows: challenge/response; SSO; Passport

Certificates

Encryption
  Symmetric: Kerberos, Blowfish, DES
  Asymmetric: RSA, MD5, SHA-1
SERVERS: web, app, database server
  OS's: NT, UNIX, LINUX
  enumeration, Access/Object Privileges/Views/Stored Procs, Preventing DoS
CLIENT: browser, other apps, components
  Browser settings: Zones
Cookies
  Accepting cookies: cannot be used as a virus or plug-in; text only (http://www.cookiecentral.com/)
  $ENV{'HTTP_COOKIE'}
  When deleting, close the browser first!
  Example entry: .softwarereliable.com TRUE / FALSE 446684799 SR_ID
  Fields:
    domain - The domain that created AND that can read the variable.
    flag - A TRUE/FALSE value indicating if all machines within a given domain can access the variable. This value is set automatically by the browser, depending on the value you set for domain.
    path - The path within the domain that the variable is valid for.
    secure - A TRUE/FALSE value indicating if a secure connection with the domain is needed to access the variable.
    expiration - The UNIX time that the variable will expire on. UNIX time is defined as the number of seconds since Jan 1, 1970 00:00:00 GMT.
    name - The name of the variable.
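As an added example (not from the slides), a small parser for the cookies.txt layout described above, plus a check of the conditions the domain, flag, path, secure and expiration fields impose on whether a browser sends a cookie to a given URL; the sample file, hostnames and cookie values are constructed.

```python
from dataclasses import dataclass
@dataclass
class Cookie:
    domain: str
    all_hosts: bool   # flag column: TRUE when every host in the domain may read it
    path: str
    secure: bool      # secure column: TRUE means sent only over a secure connection
    expiration: int   # UNIX seconds since Jan 1, 1970 00:00:00 GMT
    name: str
    value: str

def parse_cookies_txt(text):
    cookies = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Real files are tab-separated; the slide's example uses spaces, so accept both.
        fields = line.split("\t") if "\t" in line else line.split()
        if len(fields) == 6:           # value column absent, as in the slide's example
            fields.append("")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        domain, flag, path, secure, expires, name, value = fields
        cookies.append(Cookie(domain, flag == "TRUE", path, secure == "TRUE", int(expires), name, value))
    return cookies

def would_be_sent(c, host, path, https, now):
    """Apply the four conditions the field definitions impose, in order."""
    if c.expiration <= now:                      # expiration: already past
        return False
    if c.secure and not https:                   # secure: needs an encrypted connection
        return False
    dom = c.domain.lstrip(".")
    if c.all_hosts:                              # flag TRUE: any host under the domain
        if not (host == dom or host.endswith("." + dom)):
            return False
    elif host != c.domain:                       # flag FALSE: that exact host only
        return False
    return c.path == "/" or path == c.path or path.startswith(c.path.rstrip("/") + "/")

def insecure_cookies(cookies):
    """Names a tester should flag: readable by anyone watching plain HTTP traffic."""
    return [c.name for c in cookies if not c.secure]

# Constructed sample file; the first entry is the slide's own example line.
SAMPLE = ("# Netscape HTTP Cookie File (constructed sample)\n"
          ".softwarereliable.com\tTRUE\t/\tFALSE\t446684799\tSR_ID\tabc123\n"
          "www.example.test\tFALSE\t/account\tTRUE\t4102444800\tSESSION\tdeadbeef\n")
```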
Open Systems Interconnect
  Protocols
    SSL, TLS, PCT - session layer; 2-sided (both client and server must be configured)
    S-HTTP - application layer
    IPSec - network or IP layer (implemented in routers/switches)
NETWORK
  Firewalls - catch-all rule: everything not previously allowed is explicitly denied
    Router based (packet filtering) at IP level: headers inspected based on port, protocol, and destination/source IP addresses
    Proxy based (gateways): more secure; software on the perimeter; the proxy server interacts with the internet and extensively logs traffic
  Router Tools: Lancope Inc.'s StealthWatch - watch abnormal traffic patterns; another for traffic exchange
  Test the routers' built-in filters that set limits on which IPs can be used on other ISP networks
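An added example, not from the slides: a packet-filter evaluator in the style just described, inspecting protocol, source/destination address and destination port, first match wins, with a catch-all deny for anything not explicitly allowed. The ruleset, addresses and the "overly broad rule" check are constructed for illustration.

```python
from dataclasses import dataclass
import ipaddress

@dataclass
class Rule:
    action: str        # "allow" or "deny"
    proto: str         # "tcp", "udp" or "any"
    src: str           # source network in CIDR form
    dst: str           # destination network in CIDR form
    dports: tuple      # inclusive (low, high) destination port range

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

ANY_NET, ANY_PORT = "0.0.0.0/0", (0, 65535)

def matches(rule, pkt):
    """Header inspection: protocol, source/destination address, destination port."""
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.dports[0] <= pkt.dport <= rule.dports[1])

def filter_packet(rules, pkt):
    """First matching rule decides; with no match the catch-all rule denies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"

def overly_broad(rules):
    """Indexes of allow rules that admit any protocol, source and port: a tester's first check."""
    return [i for i, r in enumerate(rules)
            if r.action == "allow" and r.proto == "any" and r.src == ANY_NET and r.dports == ANY_PORT]

# Constructed ruleset for a DMZ web host: public HTTP/HTTPS, SSH only from the admin subnet.
WEB_HOST = "192.0.2.10/32"
RULES = [
    Rule("allow", "tcp", ANY_NET, WEB_HOST, (80, 80)),
    Rule("allow", "tcp", ANY_NET, WEB_HOST, (443, 443)),
    Rule("allow", "tcp", "198.51.100.0/24", WEB_HOST, (22, 22)),
]
```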
Network Scanning Tools
  NAI's CyberCop 5.5:
    Network Discovery: ping scans, OS identification, TCP and UDP port scan, password guessing, SNMP data capture, limited app banner grabbing, limited packet sniffing, limited remote control software, no modem testing
    For UNIX: tests Trusted Host, TFTP, FTP/Anonymous FTP, Finger, NFS, NIS, X Windows, Sendmail
    For Windows: Anonymous Null access (IPC$), unprotected Registry elements, Windows SMB file shares, limited NT Service Pack level detection, no Netware or VAX vulnerabilities
    Web Security: HTTP server vulnerabilities, web browser vulnerabilities, firewall/router, router product, limited firewall product, DoS warnings and vulnerabilities
    Product Administration: analysis and fix guidance, scripting to add new scans, selectable tests, no scheduled scanning (unlike CISCO Secure Scanner), customizable reports, product update, unlimited IP address ranges (ISS
DMZ
  Small network/host between the private and the outside public network
  Separated by another packet filter
  Does not initiate any inward connections - no access to hosts within the private network
  Open subnet -> router -> proxy -> router -> internal network (good for web commerce with SSL)
VPN
  Remote users dial into a local Point of Presence to connect
  Provides a private encrypted tunnel through public internet space: IPSec, PPTP, L2TP
Cerberus Internet Scanner 5.0.02 (NT/2000 - free tool)
  Tests points of failure, screen architecture, backdoors, holes
  Modem scan in commercial version
  http://www.cerberus-
www.whois.net
  Social Engineering: phone numbers/contacts
WEB Vulnerabilities - disable if possible, or content filter from the firewall
  HTML - run as nobody - fork from root (binds to 80)
  JAVA - signed applets
  JScript/VBScript - not in a sandbox
  ActiveX - signed script policy
  CGI, ASP, PHP, SSI
Host/Network Identification: ipconfig /all
oracle.com: Unbreakable?
Viruses and Worms
  Worms: self-propagating; transport mechanism for other apps
  Viruses: infect another program by replicating itself onto the host
  www.wildlist.org: Testing Anti-Virus
Password Cracking
  Dictionary & Brute Force attacks
  Don't leave passwords in memory - empty arrays may be visible in core dumps
  Disable emulators (telnet) that could show passwords in clear text: sqlplus
Valid Remote Apps vs Rogue
  Valid: Carbon Copy, iCloseup, CoSession, ControlIT, Laplink, PCAnywhere, Reachout, Timbuktu, VNC
  Rogue: Back Orifice, Girlfriend, NetBus, PhaseZero, Sockets de Troie, Stacheldraht, SubSeven, Trin00 DDoS Agent
Port        Service
7           Echo
19          chargen
22          SSHD secure shell
23          Telnet
25          SMTP service listens on
37          TIME (tcp/udp)
45,46,47    Page II
53          DNS Zone Transfers (tcp/udp)
66          SQL*NET
67,68       DHCP/bootstrap protocol server
69          Trivial file transfer
70          Gopher
109-110     POP2/POP3
111/2049    RPC tcp/udp portmap & rpcbind
119         NNTP for newsgroups
123         NTP
135-138     NBT/NetBIOS in NT tcp/udp
139         NetBIOS Session Service tcp
143/220     IMAP
161-162     SNMP 161/UDP
179         BGP (tcp)
194/529     IRC
389         LDAP
443         SSL
445         Microsoft CIFS (TCP/UDP); Windows 2000 uses for NetBIOS
            Syslog
515         Unix: LDP (local print daemon) - can have a buffer
            (ports above 1024 do not have to run as root for DNS:)
1080/tcp    SOCKS
1352        Notes Remote Protocol NRPC
1521        /etc/services: {oracle listener-name}
            NFS
2301        Compaq Insight Manager
4045        lockd
5190        AIM
6000-6255   X Windows
7777        Apache web server
8000-8080   HTTP
8888        Netscape default Admin Server
Demo/More Tools....
  AW Security Port Scanner
  qasecure.com
  www.netcraft.com
Other Technologies: Biometrics
The Twenty Most Critical
  Version 2.501, November 15, 2001
  http://www.sans.org/top20.htm
Policy
  Tying it together with cross-team buy-in: your company's security team (NOT the software testing team alone)
  The role of the test group is to test the existing system to look for errors in
  IT is generally responsible for network security, firewall testing, packet