Penetration testing tips, tricks and unusual situations

Raul Siles is a senior security analyst with more than 10 years of expertise performing advanced security services. He is a SANS Institute author and instructor of penetration testing courses, a regular speaker at security conferences and contributor to research and open source projects.

In this interview, Raul talks about unusual and interesting situations he encountered while working as a penetration tester, outlines practical tips for those interested in a penetration testing career, lists his favorite tools, profiles his upcoming training workshop at SANS Secure Europe 2012, and more!

A great deal of newcomers to the information security field are fascinated by penetration testing. What advice would you give to those interested in making this their career path?
Penetration testing is one of today’s cutting-edge information security topics, to some extent influenced by Hollywood, where the main movie character’s goal is to break into some IT infrastructure or critical systems to save the world, and also somehow influenced by human nature, considering most people prefer breaking things (if they are given the opportunity to do so) versus fixing them.

After so many years as a professional penetration tester, I am glad I can feel still the excitement of breaking into a new network, system, application, or device, and still have the enthusiasm of discovering new vulnerabilities, and keep my interest on understanding and building new tools. However, newcomers must know this is the grateful part, and penetration testing also involves lots of, sometimes boring, repetitive tasks. You will face multiple disheartening situations where you spend many hours or even days trying to find a vulnerability to get in, and you do not succeed. Almost as you have lost hope of finding anything interesting, you end up finding that key element or flaw that compensates all the tough work.

In order to be a good professional penetration tester (and leaving social engineering apart) it is crucial to possess an in-depth technical background. You must love the technology and always be willing to learn about new things, that is the reason why I like to self-dubbed myself “the apprentice”. The more you know and have played and tested how technologies work, the better. It is only through a thorough understanding of how things work, and an insatiable desire of learning all the details, that you will be able to find ways to manipulate them to make them work or behave in an unexpected way they were never designed for. This is the real out-of-the-box thinking and philosophy behind the original and positive hacking term.

A final key point for newcomers is that during their career as professional penetration testers they are going to get involved in two very common scenarios: working alone or as a team member. Most experienced penetration testers are used to and feel comfortable working alone, but they also need to practice and improve their skills to work as a team member. We at Taddong are always trying to improve and become more effective and efficient, optimizing our interactions as a team, especially during large penetration tests.

In all your years as a penetration tester, what are some of the most interesting situations you’ve encountered?
It is difficult to select the top situations from all the different penetration tests I’ve been part of, and my memory is not good enough to do a fair comparison between them. I feel that through the years you get used to breaking into the most commonly spread technologies (such as Windows or Unix systems, networks and network devices, or web applications), so I definitely like when I encounter something new that catches my interest, and in particular, if it is tied to the physical world.

Back in the old days, I remember the first time I got access to a “video wall”, the huge multi-display environment you can see on big IT operation centers from where they monitor and manage large IT and networking infrastructures. By getting full control of it, and the underlying systems, you can feel the power of owning the target organization.

More recently, during a multi-scope penetration test, we were able to get control of the IT infrastructure used to manage the physical security environment, including the cameras (CCTV) and video recording capabilities, the access turnstiles, or any other access control to critical facilities, such as the Board of Directors meeting room, or the data centers within the target company headquarters. The interaction with the physical world from the cyber (or technology) world is always an eye opener for those taking security decisions about priorities and budgets.

On the funny side, I remember a penetration test where we got access to one of the target Unix servers, we found it was previously compromised. The attacker had established it as his basement repository for warez (illegal software) and movies. As soon as we notified the customer about the findings, the first thing he did was to request us a copy of all the movies before proceeding to delete them. There were lots of movies and we had to use several DAT/DSS tapes, commonly used for backups, to get them.

How would you compare the security of web applications five years ago with today? Are we much more secure? Have secure development practices caught on enough? What areas still need work?
It is contradictory.

On the one hand, with all the secure development initiatives and awareness campaigns taking place over the last five years, you believe (or at least want to believe) that web applications are more secure today. Indeed, from a five-thousand foot view, they are more secure today than five years ago. Specific industry leaders, such as SANS and OWASP, have widely contributed to create security awareness programs targeted at the development community and the industry as a whole, with initiatives such as the OWASP Top 10 and the CWE/SANS Top 25. However, these two are just the tip of the iceberg, as there are lots of components and effort involved to architect, design, develop, deploy, and maintain a secure web application.

The availability of high-quality technical training and open-source projects today allow professionals to acquire the skill set, and get the tools, required to design a secure software development life cycle (SSDLC) within their organizations and build secure web applications. However, there should be a clear interest in driving business goals from top management to integrate security as a key element on their products, and take and facilitate the appropriate decisions and investment towards it.

On the other hand, due to the complexity and large scale web applications available today, lots of them including the most critical ones are still vulnerable. One of the most common flaws in web applications are injection vulnerabilities, and in particular, SQL injection. Some industry statistics published during the last five years reflect an evolution towards a significant reduction on the number of SQL injection vulnerabilities in web applications due to the aforementioned awareness campaigns and the availability of development and database security tools to mitigate them. However, most of the public incidents that have taken place during last year, 2011, affecting Fortune 500 companies, involved SQL injection as part of the attack or as the main entry point. Therefore, one wonders if these statistics are indeed reflecting the reality, or if SQL injection continues to be a top issue, as it seems.

Another very good example are session management vulnerabilities, commonly masked by associated authentication vulnerabilities. Although weaknesses in the way web applications manage user’s sessions to track them have been well known during the last decade, the results on our web application penetration tests over the recent years, unfortunately, ratify that session management vulnerabilities are very common and widely prevalent in critical web applications still today. In particular, session fixation, a vulnerability that was initially published in 2002, have recently affected industry leading critical business web applications and frameworks as well as multiple environments we have analyzed.

When you think about what you can do today through web applications in the real world, or just the opposite, what (few things) you cannot do through them, it is scary to realize all the security vulnerabilities that could allow a malicious user, or attacker, to get access to very sensitive information or modify the way the application works. As a result, critical tasks we are involved in on a daily basics from our computer or mobile device can be manipulated, such as e-Banking, e-payments or e-shopping, paying taxes and other e-Government related interactions, health care access, and even leisure activities, such as buying transportation, vacation, or theatre tickets.

What are your favourite security tools?
If I simply enumerate a few of the tools we use everyday, I’m sure I will forget about others and, considering the large number of high quality and advanced security testing tools available today, it won’t be fair. Instead, and apart from the commercial offerings such as CORE Impact, I like to recommend testing frameworks that include multiple ready to use tools.

I’m involved in two open-source projects: one called Samurai WTF (Web Testing Framework) focused on web application testing, and another one called MobiSec, focused on mobile security testing. These environments are LiveDVDs where we have collected the top testing tools, pre-installed and configured them, building the perfect environment for testing the security of applications or mobile devices.

From a web application perspective, If I’m forced to select a single tool, it would be a web interception and manipulation proxy, as this kind of tool provides the professional penetration tester all the freedom and flexibility required to understand and assess how the web application works, and opens the door for vulnerability discovery and exploitation. By far, my favorite open-source web interception proxy today is OWASP ZAP (Zed Attack Proxy), a feature-rich tool that is being actively and extensively developed, with even more new amazing features to come in future versions. From a commercial side, my preferred option is Burp Suite, as it offers a very good balance between cost and functionality (something I always like to emphasize to colleagues to evaluate before acquiring any priced alternative), and it combines the best of both web application testing worlds: automated and manual.

Apart from the tools and scripts, professional penetration testers have to improve and extend their programming skills, as they are going to face multiple scenarios where none of the available tools can be used for a specific task, so they will need to modify an existing tool (very common with open-source tools) or create a custom new one. The set of programming languages that most security tools are developed in, and that will set you apart as a professional, mainly includes scripting languages, C, Ruby, Python, Java, and Perl (without pretending to enter into the common “what is the best language (or OS)” wars).

I always like to emphasize in class that penetration testers have to master their toolset, and understand every minor detail of the different tools they use. A professional must use both Windows and Linux/Unix/Mac OS X tools, as there are very good alternatives in all these computing platforms or OS. As a general rule of thumb, for any specific tool I suggest to use the same OS the author has used to develop the tool, because it is more probable that the tool performance and stability is going to be better on that platform, and because when new features are released, they tend to be available first on the author’s OS of choice.

Finally, apart from testing the tools on real-world target production environments during professional engagements, penetration testers need to play and test new features or new tool updates. For this purpose I highly recommend to build your own testing labs, and luckily there are multiple vulnerable web applications you can use to practice your skills and tools against with authorization, therefore, without going to jail.

At SANS Secure Europe 2012 you’ll be teaching web app pen testing and ethical hacking. What can attendees expect from your course? What are the knowledge prerequisites?
SANS Web App Penetration Testing and Ethical Hacking, known as Security 542, is an intermediate course that teaches attendees the art of web application penetration testing. Not only the class focuses on the technical details of web vulnerabilities, such as SQL injection, Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF), but also on the various professional aspects of a penetration test, covering an extensively probed 4-step thorough methodology: Reconnaissance, Mapping, Discovery of (client-side and server-side) vulnerabilities, and Exploitation.

It also adds key considerations, such as getting proper authorization and defining the penetration test scope, and detailed tidbits on team work and the (anxiously awaited lovely) report. The training goal is to provide attendees with a usable methodology and toolkit to perform tests of their own.

This training is highly technical and very lab intensive, with more than 30 hands-on exercises, plus a final Capture the Flag (CtF) challenge where attendees can put in practice their skills and all the techniques and tools learned throughout the week. The material provides a deep understanding of how web applications work and what attack vectors are available, and makes use of real-world target applications and exercises for an in-depth exploration of web application penetration testing.

The class target audience are network or wireless penetration testers and ethical hackers, interested on expanding their knowledge into web environments, auditors who need to build deeper technical skills, security practitioners and professionals, plus web application architects, administrators, and developers. Attendees are recommended to have a working knowledge of TCP/IP and web technologies before they step into class.