Penetration Testing mailing list archives

Re: Penetration Testing Services


From: Andre Gironda <andreg () gmail com>
Date: Tue, 3 Aug 2010 11:40:01 -0500

On Mon, Aug 2, 2010 at 6:18 AM, cribbar <crib.bar () hotmail co uk> wrote:
Penetration Testing Community - I am interested in getting an expert response
to a discussion that keeps coming up in our company.
management, if we have an IT Security section who are using the most common
vulnerability scanning / penetration testing tools – what is the point in
investing significant $$$ in buying in a 3rd party to do exactly the same?

Scans don't find the vulns that adversaries really use. Only
penetration-testers do this. Scans find the vulns that a script kiddie
from 10 years ago could find.

For example, scanners such as Nessus, Qualys, Rapid7, et al -- they
only find CVEs against metastructure. They do not focus on the
infostructure (apps and data). They usually do nothing with
client-side exploits, or drive-by exploits. They don't figure out how
to break your authentication in your web applications or the session
management, or bypass your firewalls and antivirus completely by using
an XSS proxy (or a man-in-the-browser technique like formjacking,
clickjacking, strokejacking, etc). They do not perform risk management
or threat-modeling for you. Penetration-testing, if done well (e.g. by
a CHECK certified company), does all of this.

I fully appreciate that penetration testing is an area of high skill, as a
3rd party you provide an independent neutral security review, it takes years
to master the topic, and once mastered you need to stay up to date with all
the current vulnerabilities and exploits, and it is your guys' area of
expertise, whereas a security admin is not specific to penetration testing.

Nah. It's not that hard. You have to know enough to run a tool such as
Burp Suite Pro or ProxyFuzz. You can learn these by picking up a few
books such as "The Web Application Hacker's Handbook" or "Fuzzing:
Software Security Testing & Quality Assurance". I might also suggest
"The Art of Software Security Assessments". You can get by doing most
app assessments and penetration-tests (or just general ethical hacking
activities) using these 3 books.

There aren't a lot of good books on client-side exploits or drive-by
exploits yet. You'll have to dig through the Metasploit project
yourself. However, some books cover these subjects, such as recent
ones from the Hacking Exposed or Seven Deadliest Attacks series
(however, the quality of McGraw-Hill and Syngress security books is
extremely low compared to the publishers of the first three books I
mentioned). Things like Karma, Karmetasploit, Metasploit,
Drivesploit, et al.

• I trawled through the archives of this forum and others, and it seems some
pen testing companies use the exact same tools such as nmap and nessus, and

Not these ones --
http://www.cesg.gov.uk/products_services/iacs/check/index.shtml

Penetration-testing requires a threat-model and this threat-model
should be attacked in production using social engineering, app
assessments (especially including web applications), database
privilege escalation, and generalized posture assessments.
Penetration-tests also require an agreed-upon target asset, such as a
copy of the 2009 financial report locked in the CEO's safe and using
an agreed-upon methodology.

Nmap and Nessus can certainly be used during penetration-testing, but
they are not the start or end of the activities and tools used. I do
more ethical hacking than penetration-testing, which is usually
open-ended (no target assets) but using a timeboxed period similar to
how Agile developers use sprints. My toolbox is more Nikto, Burp Suite
Pro, and Netsparker. All of these tools can be tied together using The
Dradis Framework.

in some cases simply pass across a Nessus report for a specific IP range and
that’s the report they use. This to me sounds like a complete rip-off, and I

Gartner or Forrester can give you a large list of companies that do
not do this and do not rip you off. You must be using the wrong
penetration-testing companies. Or you can use companies certified by
http://www.cesg.gov.uk/products_services/iacs/check/index.shtml

can’t see the benefit. So where is the added benefit in having an internal
security guy run nessus, and paying a 3rd party pen tester x amount of $$$
money to do exactly the same? Why not just stick with the internal guy? Or

Why not replace the internal guy with Qualys? Any manager can set up
the IP information on the front panel of the box they give you.

am I missing something? I really would appreciate real examples where
just running Nessus is simply not enough as it won't catch a, b and c!
I look forward to your comments.

You're kidding, right? Like I said before, most of the adversaries are
focused on attacks made popular in the past 6 years; not 10 years ago.
Nessus or any of these scanners are focused on CVE type
vulnerabilities in metastructure. They do not focus on CWEs in
infostructure. They mostly or only work on the server-side, not the
client-side. Adversaries switched major focus to the client-side and
now use a very basic model that includes using affiliate web-framework
tools like Fragus (whitehats would use Drivesploit/Metasploit)
combined with spamming-tools like Cutwail (whitehats would use
SET/Maltego) to focus attention on to certain key individuals, and
then infect their browsers using ZeuS (or their memory both inside and
outside of the browser using Meterpreter from Metasploit -- usually
performed by whitehats).

Antivirus, firewalls, and most IPS systems have been shown to not be
able to prevent these attacks (I am guessing 100 percent of the time,
but it's probably more like 95-99%). Once in, adversaries using an
initial IE 0-day exploit will perform a full "Aurora" style
infiltration, which usually involves breaking admin (using
auth/sess-mgmt/XSS) panels on web applications (through various means
usually involving SQLi, RFI/LFI, and file upload vulnerabilities --
usually in this order), accessing web servers & databases (to insert
Fragus -- or whitehats might use Metasploit's "Lucky Punch"), and
grabbing as many source-code repository credentials as possible,
probably in order to insert their own hidden source-code based
backdoors into your custom applications and/or steal intellectual
property, financial records, payment card data, etc (although this is
easier to do long-term if the adversary inserts his or herself into
the custom apps that your business depends on by becoming a silent,
illegal developer).

If the adversary is not capable of performing the attacks in the last
paragraph (and only able to use tools like Fragus, Cutwail, and ZeuS
-- which are very easy GUI tools that have many equivalents in China
and other places around the world), then he or she will usually find a
way to sell their botnet in order to create a SQLi or RFI botnet
themselves or angel investors, or to sell to another adversary with
advanced enough expertise to pull off the final Aurora style attacks.

It's an underground economy that excels at finding every vulnerable
nook and cranny. If you're not getting hit by it, then you've probably
performed a lot of penetration-testing. ;>

Cheers,
Andre
