Cyber Security Auditing Software

Improve your Firewall Auditing

As a penetration tester you have to be an expert in multiple technologies. Typically you are auditing systems installed and maintained by experienced people, often protective of their own methods and technologies. On any particular assessment testers may have to perform an analysis of Windows systems, UNIX systems, web applications, databases, wireless networking and a variety of network protocols and firewall devices. Any security issues identified within those technologies will then have to be explained in a way that both management and system maintainers can understand.

The network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail, e.g. web service query tools. However, this is only part of the picture, and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices. Although various tools exist that can examine some elements of a configuration, the assessment would typically end up being a largely manual process.

Nipper Studio is a tool that enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of network infrastructure devices. Nipper Studio does this by examining the actual configuration of the device, enabling a much more comprehensive and precise audit than a scanner could ever achieve.

www.titania.com
PenTest Magazine | Penetration Testing in Practice
Contents

Writing an Effective Penetration Testing Report ... 8
  High-Level Security Assessment ... 8
  Tools of the Trade ... 9
    Network reconnaissance & scanning ... 9
    Vulnerability identification & investigation ... 9
    Exploitation of vulnerabilities ... 9
  Business Case ... 9
  Planning and Preparation ... 10
  Risk Management ... 11
  Gathering and Translating Raw Data ... 12
    Analyze and Filter Your Data ... 12
    Converting Data ... 12
    Secure Data Exchange/Transmission ... 12
    Translating Raw Data ... 13
  Project Proposal ... 14
  Project Activities ... 14
  Deliverables ... 15

Sample Penetration Testing Report ... 16
  Document Information ... 16
  1 Introduction ... 17
  2 Document Scope ... 17
    2.1 Scope of Test ... 17
    2.2 Limitation ... 17
    2.3 Purpose of Test ... 17
  3 Project Details ... 18
    3.1 Project Description ... 18
  4 Executive Summary ... 18
    4.1 Summary ... 18
    4.2 Approach ... 18
    4.3 Scope of Work ... 18
    4.4 Project Objectives ... 18
    4.5 Timeline ... 19
    4.6 Summary of Findings ... 19
    4.7 Summary of Recommendations ... 20
  5 Methodology ... 21
    5.1 Planning ... 22
    5.2 Exploitation ... 22
    5.3 Reporting ... 22
  6 Detailed Findings ... 23
    6.1 Detailed Systems Information ... 23
    6.2 Configuration Security Audit (CSA) ... 23
    6.3 Overall Risks ... 24
    6.3 Passwords/Keys Found ... 24
    6.2 Vulnerable Hosts ... 25
  7 Conclusion ... 25
  8 References ... 26

Hardening VoIP protocols ... 28
  Security Socket Layer (SSL) and SIP ... 28
  Secure RTP ... 29
  Advanced Encryption Standard (AES) ... 29
  HMAC-SHA1 ... 30
  Auth Tag ... 30
  Method of Key Distribution ... 31
  ZRTP ... 31
  Zfone ... 31
  Firewalls ... 32
  Network Address Translation (NAT) ... 32
  Session Border Controllers (SBCs) ... 32

Signature-based IDS Algorithms ... 33
  Naive string search ... 34
  Aho-Corasick string matching algorithm ... 36
  KMP (Knuth-Morris-Pratt) Pattern Searching ... 39
  The Karp-Rabin Algorithm ... 43
  Boyer-Moore Pattern Searching ... 44
  Signature-based IDS benefits ... 46
  Signature-based IDS restrictions and disadvantages ... 46
  Practice task ... 47
    Includes ... 48
    Format ... 48
    Variables ... 48
    Format ... 48

How to detect the Vulnerabilities Used in XSS Attacks ... 49
  How to trick the users ... 59
  Write your first XSS exploit ... 61
  Conclusions ... 64

Tutorial 1 – Creating a Safe Testing Environment ... 66
  Session 1 – Setting up a virtual lab ... 66
  The Firewall ... 76

Broken Authentication and Session Management ... 79
  Command Injection ... 79
  SQL Injection ... 83
  Code Injection ... 85
  Xpath Injection ... 86
  RegEx Injection ... 86
  XXE (XML External Entities) Injection ... 87
  A2 Broken Authentication And Session Management ... 88
    1. Storing user credentials without hashing or encrypting them ... 88
    2. Easily guessed passwords ... 88
    3. Poorly secured password change features ... 88
    4. Poorly secured password recovery features ... 88
    5. Session IDs exposed in a URL ... 89
    6. Session IDs are vulnerable to session fixation attacks ... 89
    7. Session IDs don't reasonably timeout or sessions aren't properly invalidated during logout ... 89
    8. Session IDs aren't rotated after a successful login ... 89
    9. Passwords, session IDs, and other credentials are sent over unencrypted connections ... 89
    10. Browser caching is enabled ... 90
  Finally ... 90
  Summary ... 90
  1. Initialize ... 91
  2. Notify ... 91
  6. Request Validation ... 91
  7. User Verification ... 92
  8. Reset Password ... 92
  9. De-Tokenize ... 92
  10. Notify, Again ... 92
  11. Login ... 92

Penetration Testing with Perl ... 93
  That was Then, This is Now ... 93
  Who This Book is For ... 94
  What's Inside ... 94
Editor in Chief: Milena Bobrowska [email protected]
Managing Editor: Milena Bobrowska [email protected]
Editorial Advisory Board: Jeff Weaver, Rebecca Wynn
Betatesters & Proofreaders: Abishek Kar, Phil Patrick, Steven Wierckx, Krishore PV, Tim Thorniley, Tom Updegrove, Elia Pinto, Brandon Dixon, Ivan Gutierrez Agramont, Sandesh Kumar, Pradeep Mishra, Amit Chugh, Johnette Moody, Steven Hodge, Michał Stawieraj, Kashif Aftab, Jeff Smith, Jordi Rubio, Mardian Gunawan, Arnoud Tijssen, David Kosorok, Mbella Ekoume, Viswa Prakash, Michal Jahim.
Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a PenTest magazine.
Senior Consultant/Publisher: Pawel Marciniak
CEO: Ewa Dudzic [email protected]
DTP: Ireneusz Pogroszewski
Art Director: Ireneusz Pogroszewski ireneusz.pogroszewski@pentestmag.com
Publisher: Hakin9 Media Sp. z o.o. SK, 02-676 Warsaw, Poland, ul. Postepu 17D
Phone: 1 917 338 3631
www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.
DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
Writing an Effective Penetration Testing Report
A penetration test, or pentest, is a typical security assessment: the process of gaining access to specific information assets (e.g. computer systems, network infrastructure, or applications). A penetration test simulates an attack performed internally or externally by attackers, with the intention of finding security weaknesses or vulnerabilities and validating the potential impacts and risks should those vulnerabilities be exploited.
Security issues found through a penetration test are presented to the system's owner, data owner or risk owner. An effective penetration test supports this information with an accurate assessment of the potential impacts to the organization and a range of technical and procedural safeguards that should be planned and executed to mitigate the risks. Many penetration testers are in fact very good technically, since they have the skills needed to perform all of the tests, but they lack a report writing methodology and approach, which creates a very big gap in the penetration testing cycle. A penetration test is useless without something tangible to give to a client or senior management. Report writing is a crucial part of any service (e.g. IT service/advisory). A report should detail the outcome of the test and, if you are making recommendations, document the recommendations to secure any high-risk systems.
The target audience of a penetration testing report will vary: the technical report will be read by IT or any responsible information security people, while the executive summary will definitely be read by senior management. Writing an effective penetration testing report is an art that needs to be learned, so that the report delivers the right information to the targeted audience. Detailed steps are covered in the subsequent sections.
High-Level Security Assessment
Security assessment is offered by service providers in a variety of ways, and each type of service provides a different level or degree of security assurance. Vulnerability assessment (VA), or vulnerability scanning, is normally offered with the objective of identifying weaknesses or vulnerabilities. It uses automated systems (such as Nessus, eEye Retina or QualysGuard). It is an inexpensive way to make sure no known vulnerability exists, but it does not provide a clear strategy to improve the organization's security. Network security assessment is a combination of automated and hands-on manual vulnerability identification and testing. A report is created giving practical advice which can improve the organization's security.

Penetration testing involves multiple attack vectors (e.g. wireless testing, social engineering, client-side testing, or war dialing) to compromise the target environment. Penetration testing can be done with several accepted methodologies, from the internal and external environment, with different approaches such as black-box (with no prior knowledge), white-box (with full knowledge) or grey-box (with some knowledge), depending on the scope of work agreed with the client. Onsite auditing is probably the most common type of security assessment done in many organizations. It provides the clearest picture of network security. Local access is given to the testers or consultants, which allows them to explore and identify anything untoward, including rootkits, backdoors, Trojans, weak passwords, weak permissions or policies, mis-configurations, and other issues.
The best practice assessment methodology used by security consultants should involve the following high-level components:
• Network reconnaissance to identify networks or hosts
• Bulk network scanning and probing to identify potentially vulnerable hosts
• Vulnerability identification and investigation, with further (manual) probing
• Exploitation of vulnerabilities and circumvention of security mechanisms
Tools of the Trade
Selecting the right penetration testing tools will help us to focus on the information (data) to be collected from the target environment. Do not be confused by the variety of tools available in the market: knowing the capabilities and features of the tools is the key to a successful security assessment. Start by evaluating the Open Source and commercial tools available on the Internet, and compare the Open Source tools with the commercial ones in terms of functions, features and deliverables. Make sure that the tools you choose can be used through the entire security assessment process. Do not waste your budget purchasing commercial tools that you will not really use because they lack capabilities and features; test the tools before buying them. Categorizing security assessment tools will help you to find what you are looking for. The following are examples of tools commonly used for security assessment, categorized by usage objective:

Network reconnaissance & scanning
• Nmap or ZenMap (open source)
• Hping (open source)
• NetDiscover (open source)
• NBTStat (open source)

Vulnerability identification & investigation
• Nmap with NSE (open source)
• Nessus (commercial)
• eEye Retina (commercial)
• QualysGuard (commercial)
• OpenVAS (open source)

Exploitation of vulnerabilities
• Metasploit Framework (open source)
• ExploitPack (open source)
• Core Impact (commercial)
• Metasploit Express and Pro (commercial)
• Immunity CANVAS (commercial)

Most of the tools shown above are available on the BackTrack/Kali Linux and BackBox Linux penetration testing distributions. As for penetration testing methodologies, we can create our own or adopt one of several well-known standards, such as:
• NIST SP 800-115, Technical Guide to Information Security Testing and Assessment
• OISSG ISSAF, Information Systems Security Assessment Framework
• ISECOM OSSTMM, Open Source Security Testing Methodology Manual
• OWASP Testing Guide, Open Web Application Security Project
• SANS Institute, Conducting a Penetration Test on an Organization
• PTES, Penetration Testing Execution Standard
Business Case
Why conduct a penetration test? What are the objectives of a penetration test? What are the benefits of a penetration test compared to other types of security assessment? Those are probably the most common questions raised when we talk about the importance of penetration testing to prospective clients or organizations. The answers to the above questions are as follows.

From a business perspective, penetration testing helps safeguard your organization against failure, through:
• Preventing financial loss through fraud (hackers, extortionists and disgruntled employees) or through lost revenue due to unreliable business systems and processes.
• Proving due diligence and compliance to your industry regulators, customers and shareholders. Non-compliance can result in your organization losing business, receiving heavy fines, gathering bad PR or ultimately failing. At a personal level it can also mean the loss of your job, prosecution and sometimes even imprisonment.
• Protecting your brand by avoiding loss of consumer confidence and business reputation.

From an operational perspective, penetration testing helps shape information security strategy through:
• Identifying vulnerabilities and quantifying their impact and likelihood so that they can be managed proactively; budget can be allocated and corrective measures implemented.
Planning and Preparation
Prior to starting a penetration testing project, careful planning and preparation should be done. Assembling a team is part of the planning itself. A solid team should have members from multiple knowledge areas, chosen for their skills and expertise. The scope of work determines whether a small or a large team must be assembled. Do not focus on the penetration testers only; ensure that you can cover several related areas such as project management, quality assurance, network and infrastructure, applications and risk analysis.

Figure 1. Sample Pentest Project Team (Small)

Table 1. Sample Project Team Resources (Small)

No.   Position/Function                          Resource Name
1.    Project Manager (PM)                       A
2.    Quality Assurance (QA)                     B
3.    Senior Security Analyst/Lead Pentester     C
4.    Security Analyst/Pentester #1              D
5.    Security Analyst/Pentester #2              E
6.    Technical Documentation                    F
7.    Network Infrastructure Specialist          G
8.    Application Specialist                     H

In the above example, we use 8 (eight) resources to perform several tasks in a small pentest project. Always remember the success factors or components of a project: scope, schedule, budget and resources.
Risk Management
Risk calculation and analysis are part of overall risk management. An effective penetration testing report should include, at minimum, a risk calculation and analysis. Guides to risk management can easily be found from several resources on the Internet (e.g. NIST SP 800-30, Risk Management Guide for Information Technology Systems). The components of risk analysis are explained as follows:
Threat – a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.
Vulnerability – a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.
Impact – the result of a successful exercise of a vulnerability by a threat (internal or external).

The risk rating is based on this calculation: Risk = Threat x Vulnerability x Impact
After calculating the risk rating, we start writing the report on each risk and how to mitigate it (risk mitigation or reduction).

Table 2. Risk Analysis and Rating Calculation

Risk Analysis
                    Threat:        Low                Medium             High               Critical
Impact              Vulnerability: L    M    H    C   L    M    H    C   L    M    H    C   L    M    H    C
Low                                1    2    3    4   1    4    6    8   3    6    9    12  4    8    12   16
Medium                             2    4    6    8   4    8    12   16  6    12   18   24  8    18   24   32
High                               3    6    9    12  6    12   18   24  9    18   27*  36  12   24   36   48
Critical                           4    8    12   16  8    16   24   32  12   24   36   48  16   32   48   64

Rating Calculation
L   Low        1 – 16
M   Medium    17 – 32
H   High      33 – 48
C   Critical  49 – 64
Table 3. Sample Risk Analysis (Overall)

Host Type            Threat   Vulnerability   Impact   Risk
Networking Devices   3.0      2.0             2.0      12.0
Operating Systems    3.0      3.0             3.0      27.9
Average              3.0      2.5             2.5      19.5
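As an added worked example (not part of the article), the Python below recomputes the Table 2 matrix from the formula Risk = Threat x Vulnerability x Impact, maps scores onto the Rating Calculation bands, applies the footnote rule that the 27 cell (High/High/High) is treated as High, and builds the per-host-type rows and the Average row of Table 3. Level names and band boundaries come from the tables above; the function and variable names are my own. Recomputing every cell this way gives a reader a quick check of any printed cell.

```python
"""Risk = Threat x Vulnerability x Impact, each factor scored 1..4.

Added example, not from the article: recomputes the Table 2 matrix and
rating bands, applies the footnote that treats the 27 (High/High/High)
cell as High, and averages per-host-type scores as in Table 3.
"""
from itertools import product

LEVELS = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Rating bands from the article's "Rating Calculation" table.
BANDS = [(1, 16, "Low"), (17, 32, "Medium"), (33, 48, "High"), (49, 64, "Critical")]


def _factor(value):
    """Accept a level name ("High") or a numeric score; Table 3 uses averages such as 2.5."""
    score = LEVELS[value] if isinstance(value, str) else float(value)
    if not 1 <= score <= 4:
        raise ValueError(f"factor must be within 1..4, got {value!r}")
    return score


def risk_score(threat, vulnerability, impact):
    """Threat x Vulnerability x Impact (1..64 for whole-number factors)."""
    return _factor(threat) * _factor(vulnerability) * _factor(impact)


def risk_rating(score, high_high_high_as_high=True):
    """Map a score to the band it falls in.

    27 can only arise from High x High x High; the article's footnote says
    that cell is treated as High even though 27 sits inside the Medium band.
    """
    if high_high_high_as_high and score == 27:
        return "High"
    for low, high, name in BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} outside 1..64")


def risk_matrix():
    """All 64 cells of Table 2, keyed by (impact, threat, vulnerability)."""
    return {
        (impact, threat, vuln): int(risk_score(threat, vuln, impact))
        for impact, threat, vuln in product(LEVELS, LEVELS, LEVELS)
    }


def summarise(rows):
    """Table 3: per-row risk plus the 'Average' row.

    rows: iterable of (host_type, threat, vulnerability, impact). The average
    risk is the mean of the per-row risks, not the product of the averaged factors.
    """
    per_row = []
    for host_type, t, v, i in rows:
        per_row.append({
            "host_type": host_type,
            "threat": _factor(t), "vulnerability": _factor(v), "impact": _factor(i),
            "risk": risk_score(t, v, i),
        })
    count = len(per_row)
    average = {k: sum(r[k] for r in per_row) / count
               for k in ("threat", "vulnerability", "impact", "risk")}
    average["host_type"] = "Average"
    for row in per_row + [average]:
        row["rating"] = risk_rating(row["risk"])
    return per_row + [average]


if __name__ == "__main__":
    # Constructed figures matching the host types of Table 3.
    for row in summarise([("Networking Devices", 3, 2, 2), ("Operating Systems", 3, 3, 3)]):
        print(f"{row['host_type']:<20} T={row['threat']:.1f} V={row['vulnerability']:.1f} "
              f"I={row['impact']:.1f} Risk={row['risk']:.1f} ({row['rating']})")
```

Passing level names ("High") or numbers (3, 2.5) to the same functions means the matrix, the per-host rows and the averaged row all go through one calculation, so a hand-edited table cannot drift away from the formula.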
Gathering and Translating Raw Data
Analyze and Filter Your Data
Penetration testing team members should collect useful information (data) from the field, assuming that they are working in the client's environment. Analyze and filter the information gathered. Categorize information based on the adopted pentest methodology so that you can focus on collecting "good and useful" data and not a bunch of trash. Always document your steps and provide screenshots or other good evidence (this will be useful in case the clients want to repeat the same testing processes). Step-by-step documentation is not really mandatory, but it is really helpful in certain situations. I did this a lot.
Converting Data
Data translation might be needed in certain scenarios. You might want all of your team members to follow a standard when translating collected data. Raw data can easily be translated into multiple file formats such as text, xml, html, png, jpg and so on.
The following shows an example of converting data from XML to HTML. First run the scan with its output written in all three formats (the -oA option writes the .nmap, .gnmap and .xml files using the given base name):

nmap -A -iL targets.txt -oA output

The above command produces three different files:

Filename       File Type
output.nmap    Text file
output.gnmap   Grepable text file
output.xml     XML file

Now we can convert output.xml to output.html with xsltproc, which applies the stylesheet referenced from the XML file (nmap.xsl) and writes the result to the file named by -o:

xsltproc -o output.html output.xml
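The HTML produced by xsltproc is a fixed presentation; when the report needs the data in its own tables (such as the host summaries later in this article), the XML is easier to translate programmatically. The Python below is an added example, not code from the article: it parses the nmap XML schema (nmaprun/host/address, hostnames, ports and os/osmatch elements) into one record per live host and renders a text table. The embedded XML is a constructed, trimmed sample whose addresses and hostnames mirror the article's Table 5; SAMPLE_NMAP_XML and the function names are my own.

```python
"""Translate nmap XML (the output.xml written by -oA) into a per-host summary.

Added example, not from the article. The XML below is a constructed, trimmed
sample in the real nmap schema; addresses and hostnames mirror Table 5.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -A -iL targets.txt -oA output">
  <host>
    <status state="up"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <hostnames><hostname name="LON-RTR1" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
    </ports>
    <os>
      <osmatch name="Cisco IOS 12.x" accuracy="85"/>
      <osmatch name="Cisco IOS 15.x" accuracy="80"/>
    </os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.1.5" addrtype="ipv4"/>
    <hostnames><hostname name="LON-DC1" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Windows Server 2003 SP2" accuracy="90"/></os>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.1.9" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per live host: ip, hostname, os, open_ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no findings worth tabulating
        addr = host.find("address[@addrtype='ipv4']")
        name = host.find("hostnames/hostname")
        # nmap lists several OS guesses; keep the one with the highest accuracy.
        best = max(host.findall("os/osmatch"),
                   key=lambda m: int(m.get("accuracy", "0")), default=None)
        open_ports = [
            f"{p.get('portid')}/{p.get('protocol')}"
            for p in host.findall("ports/port")
            if p.find("state") is not None and p.find("state").get("state") == "open"
        ]
        hosts.append({
            "ip": addr.get("addr") if addr is not None else "",
            "hostname": name.get("name") if name is not None else "",
            "os": best.get("name") if best is not None else "unknown",
            "open_ports": open_ports,
        })
    return hosts


def render_table(hosts):
    """Plain-text table in the style of the article's host summary tables."""
    header = ("No.", "Host IP", "Hostname", "Operating System", "Open Ports")
    rows = [(str(n), h["ip"], h["hostname"], h["os"], ", ".join(h["open_ports"]) or "-")
            for n, h in enumerate(hosts, start=1)]
    widths = [max(len(r[c]) for r in [header, *rows]) for c in range(len(header))]

    def fmt(row):
        return " | ".join(cell.ljust(w) for cell, w in zip(row, widths))

    return "\n".join([fmt(header), "-+-".join("-" * w for w in widths), *map(fmt, rows)])


if __name__ == "__main__":
    print(render_table(parse_nmap_xml(SAMPLE_NMAP_XML)))
```

To use it on a real scan, read output.xml from disk and pass its text to parse_nmap_xml; the records can then be written to CSV for Excel or fed straight into the vulnerability and host tables of the report.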
Secure Data Exchange/Transmission
Raw data collected should be sent regularly or at a specific (scheduled) time, as agreed by the team leader and members. Any information (data) collected is treated as "confidential", as stated in the non-disclosure agreements (NDAs). Avoid sending any information through an insecure network or medium. If you can't avoid using the Internet for exchanging or transmitting the information, apply confidentiality, integrity and availability to the collected data by implementing an out-of-band method of transmitting it, as well as using encryption and hashing, such as MD5, to preserve the integrity of your collected data.
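As an added example of the integrity step described above (my code, not the article's), the Python below builds a manifest of every evidence file under a directory with a SHA-256 digest per file and an HMAC-SHA256 tag over the listing, then verifies it and reports modified, missing or added files. A keyed tag is used rather than a bare MD5: MD5 collisions are practical today, and an unkeyed hash can simply be recomputed by whoever altered the file, whereas the HMAC key travels to the recipient out of band. The demo key, the sample files and the function names are constructed for this example.

```python
"""Integrity manifest for collected evidence, verified by the receiving team.

Added example, not from the article. SHA-256 per file plus an HMAC-SHA256
tag over the listing; the key and sample files are constructed for the demo.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file so large pcaps or scan outputs do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _listing(root):
    """Map relative POSIX paths to Path objects for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in sorted(root.rglob("*")) if p.is_file()}


def _tag(key, files):
    """HMAC over a canonical JSON encoding so key order cannot change the tag."""
    canonical = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_manifest(root, key):
    """Hash every file under root and tag the listing with the shared key."""
    files = {rel: sha256_file(p) for rel, p in _listing(root).items()}
    return {"files": files, "tag": _tag(key, files)}


def verify_manifest(root, key, manifest):
    """Check the tag, then report modified, missing and added files."""
    files = manifest["files"]
    report = {
        "tag_ok": hmac.compare_digest(_tag(key, files), manifest["tag"]),
        "modified": [], "missing": [], "added": [],
    }
    present = _listing(root)
    for rel, expected in files.items():
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(present[rel]) != expected:
            report["modified"].append(rel)
    report["added"] = sorted(set(present) - set(files))
    report["ok"] = report["tag_ok"] and not (report["modified"] or report["missing"] or report["added"])
    return report


def run_demo():
    """Build, verify, then tamper with a file and forge the tag (constructed data)."""
    key = b"constructed-demo-key"  # in practice: a random key exchanged out of band
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "nmap").mkdir()
        (root / "nmap" / "output.xml").write_text("<nmaprun/>")  # placeholder evidence
        (root / "notes.txt").write_text("192.168.1.1 telnet open\n")
        manifest = build_manifest(root, key)
        clean = verify_manifest(root, key, manifest)
        (root / "notes.txt").write_text("192.168.1.1 telnet closed\n")
        tampered = verify_manifest(root, key, manifest)
        forged = {"files": manifest["files"], "tag": "00" * 32}
        forged_check = verify_manifest(root, key, forged)
    return {"clean": clean, "tampered": tampered, "forged": forged_check}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest is small enough to send through a second channel; the evidence archive itself should still be encrypted in transit, since the manifest only detects changes and does not keep the contents confidential.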
Translating Raw Data
An effective pentest report should include a representation of your collected raw data, translated into meaningful information in different formats. The final deliverables should be easily interpreted by the targeted audience. You can use tools such as Microsoft Excel and Visio to create a meaningful presentation of your information, such as tables (detailed and summary), charts, diagrams, flows and so on.

Table 4. Sample Vulnerability by Type

No.   Vulnerability Type            Total
1.    Default or weak password      10
2.    Mis-configuration             4
3.    Missing patches/updates       6
4.    Weak encryption               2
5.    Miscellaneous                 5
      Total                         27
Figure 2. Sample Chart – Summary of Vulnerable Hosts
Table 5. Sample Summary of Vulnerable Hosts

No.   Host IP       Hostname   Operating System              Vulnerable   Exploited?   Risk Factor
1.    192.168.1.1   LON-RTR1   Cisco IOS 12.x                Yes          Yes          High
2.    192.168.1.2   LON-RTR2   Cisco IOS 12.x                Yes          No           Medium
3.    192.168.1.3   LON-SW1    Cisco IOS 12.x                Yes          Yes          High
4.    192.168.1.4   LON-SW2    Cisco IOS 12.x                Yes          Yes          High
5.    192.168.1.5   LON-DC1    Windows Server 2003 SP2       Yes          Yes          High
6.    192.168.1.6   LON-SVR1   Windows Server 2003 SP2       Yes          Yes          High
7.    192.168.1.7   LON-WEB1   Windows Server 2008 R2 SP0    Yes          No           Medium
8.    192.168.1.8   LON-APP1   Windows Server 2008 R2 SP0    Yes          No           Medium
Project Proposal
The proposal should be kept simple and precise. A project proposal is also called a "Statement of Work", a persuasive document with the objectives to:
1. Identify what work is to be done
2. Explain why this work needs to be done
3. Persuade the reader that the proposers (you) are qualified for the work, have a plausible management plan and technical approach, and have the resources needed to complete the task within the stated time and cost constraints.

A strong proposal has an attractive, professional, inviting appearance. The information (content) should be easy to access. A strong proposal has a well-organized plan of attack with clear technical details, because technical depth is needed to sell your project. It should have the "why, what, how and when" components or aspects. A project proposal should consist of at least the sections shown in the following example:
1 Introduction
2 Detailed Project Plan
  2.1 Scope of Work (SoW)
  2.2 Target of Evaluation
  2.3 Project Phases
  2.4 Project Duration
  2.5 Project Schedule/Timeline
3 Project Management
  3.1 Project Organization
  3.2 Resources
4 Deliverables
5 Tools and Methodology
6 Miscellaneous
7 Project Experience (based on your team's experience)
8 Contact
9 Appendices
Project Activities
Activities related to a penetration testing project should be clearly defined. We can use this document to track our project progress by recording the percentage of tasks done. Project management portfolio tools can be used to help us visualize the project activities/tasks in the form of a Gantt chart.

Table 6. Sample Project Activities

No.   Activity/Task                    Estimated Duration (days)   Start Date   End Date   Complete (%)
1.    Planning and preparation         2
2.    Kick-off meeting                 1
3.    Initial assessment               2
4.    Information gathering            5
5.    Vulnerability identification     5
6.    Risk assessment                  3
7.    Exploitation/penetration         5
8.    Post-exploitation (optional)     3
9.    Housekeeping (cleaning-up)       1
10.   Risk calculation (analysis)      2
11.   Reporting                        3
12.   Project Closing                  1
Figure 3. Sample Gantt chart (not related to Figure 7)
Deliverables
A deliverable is a tangible or intangible object produced as a result of the project that is intended to be delivered to a client or customer. The result of a security assessment is a form of deliverable. Deliverables take the form of reports, in several types or formats, that are delivered to and reviewed by the client or senior management. The types of deliverable in a pentest project are:
• Executive Summary
• Technical Report

The executive summary report consists of the assessment findings, including recommendations on how to remediate risks (risk mitigation strategy) with appropriate security controls (safeguards). Recommendations should cover the people, process and technology aspects. The technical report consists of detailed information related to the assessment findings, including recommendations on how to remediate risks (risk mitigation strategy) with appropriate security controls (safeguards).
by Semi Yulianto
Sample Penetration Testing Report

Document Information

Document Details
Company:          ACME
Document Title:   Network Infrastructure – Vulnerability Assessment and Penetration Testing Report
Version:          1.0
Due Date:         01 December 2013
Author:           Semi Yulianto
Pen-testers:      1. Semi Yulianto   2. Arvin Yulianto   3. Andryanto Eka Wijaya
Reviewed by:      Team
Approved by:      Team
Classification:   Confidential
Document Type:    Deliverable

Recipients
Name   Title   Department

Quality Assurance
Stage               Date         Name             Title                     Completed
Issue               02/12/2013   Semi Yulianto    Senior Security Analyst   02/12/2013
Review              03/12/2013   Semi Yulianto    Senior Security Analyst   05/12/2013
QA/Final Approval   06/12/2013   Arvin Yulianto   QA Manager                11/12/2013

Document History
Version   Date         Name                                                                            Description
1.0       11/12/2013   Network Infrastructure – Vulnerability Assessment and Penetration Testing Report   Final Report
1 Introduction
A critical problem for public and private institutions is the increasing threat of attack. This is due to a combination of increasingly sophisticated and automated attack tools, the rapid increase in the number of vulnerabilities being discovered, and the increasing connectivity of users. As systems are opened to employees, customers and trading partners, networks become more complex and more susceptible to a security breach. That is why information security is one of the most challenging issues facing companies today. These recent trends in cybercrime make it more critical than ever that organizations acquire a true assessment of their security vulnerabilities so they can identify and address those vulnerabilities associated with their most valuable information assets. Your organization's true vulnerability to threats can be determined only by answering the following questions in regard to each of your identified vulnerabilities:
• Is the vulnerability real, or is it a false positive?
• Can the vulnerability be exploited?
• Are there any sensitive systems or data exposed by the vulnerability?

Clearly, the answers to these questions will allow you to prioritize your vulnerabilities and structure your security strategy as effectively and efficiently as possible, instead of simply identifying your vulnerabilities and then attempting to address them based only on assumptions about risk. One of the easiest and fastest ways to obtain these answers, both initially and on an ongoing basis, is to perform a penetration test on your network. A penetration test is an authorized, local attempt to "hack" into a system, to identify exploitable weaknesses, and to reveal what systems and data are at risk. The tester may use several methods to gain entry to the target network, often initially breaking into one relatively low priority section and then leveraging it to attack more sensitive areas. Your organization is probably already running vulnerability scans, or wonders what penetration testing offers you that vulnerability scanning does not. It's simple: an Information Security Assessment tells you only what an attacker can potentially do to your environment. A penetration test tells you what an attacker can definitely do to your environment.
That's because penetration tests exploit identified vulnerabilities, just as an attacker would. Unlike vulnerability scans, penetration tests leave little doubt as to what an attacker can or cannot do. Penetration tests eliminate the guesswork involved in protecting your network by providing you with the information you need to effectively prioritize your vulnerabilities.
2 Document Scope
This document describes the proceedings and results of the Information Systems (IS) Vulnerability Assessment and Penetration Testing (VA-PT) conducted at ACME. The test was performed by our team and took place on 1 Nov – 6 Dec 2013 as part of a special assignment.

2.1 Scope of Test
The scope of the assessment included conducting black-box and white-box testing on the network infrastructure environment based on industry standards and guidelines.

2.2 Limitation
The test was limited to certain hosts (IP addresses) provided by ACME based on the criticality and business risks of the assets being assessed. Due to some technical and non-technical constraints, several targets were not exploited during the assignment; a non-intrusive Security Assessment was conducted instead to avoid risks.

2.3 Purpose of Test
The purpose of the test is to provide security assurance, compliance and best practices based on industry standards and associations such as:
• SANS Institute
• Institute for Security and Open Methodologies – OSSTMM
• Open Information Systems Security Group – ISSAF
• National Institute of Standards and Technology (NIST)
• Payment Card Industry Data Security Standard (PCI DSS)
3 Project Details
3.1 Project Description
The following describes project details based on the assignment:

Name of Organization:   ACME
Target of Evaluation:   Network Infrastructure
Project Duration:       60 (sixty) working days
Sources:                Given IP addresses
Tests Performed:        Phase 1: Information gathering
                        Phase 2: Vulnerability Assessment
                        Phase 3: Vulnerability Identification and Analysis
                        Phase 4: Exploitation
                        Phase 5: Remediation (fixing)
                        Phase 6: Reporting
Tools Used:             • Nmap
                        • Nessus
                        • MetasploitPro
                        • Metasploit Framework
                        • Hydra
                        • Telnet
                        • Armitage
Type of Tests:          Hybrid (Black-box & White-box) Security Tests
Deliverables:           Executive Summary & Technical Report
4 Executive Summary
4.1 Summary
ACME assigned us the task of carrying out VAPT of the Network Infrastructure (servers, firewalls, intrusion detection systems, and networking devices) located on ACME's internal network (data center). This is the final Penetration Testing report. The assessment was performed from 1 June to 30 July 2013. The detailed report about each task and our findings is given below.

The purpose of the test is to determine the security posture of ACME's environment (Network Infrastructure). The tests are carried out assuming the identity of an attacker or a user with malicious intent. At the same time, due care is taken not to harm the servers or databases.

4.2 Approach
The following explains the steps taken during the tests:
• Perform live systems detection on targets
• Gather information about the targets
• Perform unauthorized discovery and mapping of systems, services, or vulnerabilities
• Identify and assess vulnerabilities detected
• Perform enumeration on targets
• Exploit any known vulnerabilities found for proof-of-concept (PoC)
• Perform detailed analysis on findings
• Calculate and rank risks based on severity and risk factor
• Prepare technical and non-technical reports

4.3 Scope of Work
The scope of this security assessment and penetration test was limited to:
• Networking devices (routers and switches)
• Security appliances (firewalls, IDSes and IPSes)
• Server hosts (operating systems)

4.4 Project Objectives
This security assessment is carried out to gauge the security posture of ACME's network infrastructure. The result of the assessment is then analyzed for vulnerabilities. Given the limited time available to perform the assessment, only immediately exploitable services have been tested. The vulnerabilities are assigned a risk rating based on threat, vulnerability and impact.
4.5 Timeline
The timeline of the test is as follows:

Penetration Test                Start Date/Time   End Date/Time
Initial Testing (Phase 1)       01/11/2013        29/11/2013
Final Testing (Phase 2)         02/12/2013        05/12/2013
Risk Mitigation & Remediation   06/12/2013        10/12/2013
Reporting                       11/12/2013        13/12/2013
4.6 Summary of Findings
The following gives the number of risks ranked by risk factor:

4.6.1 Vulnerability Assessment
Host Type            High   Medium   Low
Networking Devices   0      9        18
Operating System     0      41       11
Total                0      50       29

4.6.2 Configuration Security Audit
Host Type   High   Medium   Low
Firewall    0      7        23
IPS         0      3        6
Router      0      37       77
Switch      0      29       49
Total       0      76       155
4.7 Summary of Recommendations
Several vulnerabilities have been found and it is advisable to perform the corrective actions stated below:
• If possible, Telnet should be disabled. It is recommended that Secure Shell (SSH) should be used as a cryptographically secure alternative to Telnet.
• If not required, SNMP should be disabled. However, if SNMP is required, Nipper recommends that only SNMP version 3 should be configured. If access using community strings is required, strong community strings should be configured.
• Configure an ACL to restrict access. Apply the ACL to the relevant lines.
• Enforce message signing in the host's configuration. On Windows, this is found in the Local Security Policy. On Samba, the setting is called 'server signing'.
• Upgrade the installation of PHP to a version of PHP that is currently supported.
• Install missing patches and adopt a patch management process to keep single or multiple servers up to date (applicable to Microsoft Windows, Unix/Linux and other operating systems).
• A strong password should be configured for all users. We recommend that passwords:
  • are at least eight characters in length;
  • must include uppercase characters;
  • must include lowercase characters;
  • must include numbers;
  • must include non-alphanumeric characters;
  • must not contain the username/service name;
  • must not contain the device's host name;
  • must not contain device details (i.e. make, model);
  • must not be dictionary based with character substitution (i.e. an "i" swapped for a "1");
  • must not contain character sequences (i.e. "qwerty");
  • must not be dictionary based with common characters appended (i.e. "1").
Figure 1. Sample password tested with Password Meter (http://www.passwordmeter.com)
5 Methodology
Vulnerability Assessment and Penetration Testing Methodology Simplified:
5.1 Planning
During planning we gather information from the given technical infrastructure design to learn about the targets. Then we detect the live systems and their OS, and determine the running services and their versions.

5.2 Exploitation
Utilizing the information gathered during Planning, we start to find the vulnerabilities for each OS and service that we discovered, and after that we try to exploit them.
5.3 Reporting
Based on the results from the first two steps, we start analyzing the results. Our risk rating is based on this calculation: Risk = Threat x Vulnerability x Impact

Table: Risk Analysis
                    Threat:        Low                Medium             High               Critical
Impact              Vulnerability: L    M    H    C   L    M    H    C   L    M    H    C   L    M    H    C
Low                                1    2    3    4   1    4    6    8   3    6    9    12  4    8    12   16
Medium                             2    4    6    8   4    8    12   16  6    12   18   24  8    18   24   32
High                               3    6    9    12  6    12   18   24  9    18   27*  36  12   24   36   48
Critical                           4    8    12   16  8    16   24   32  12   24   36   48  16   32   48   64

Table: Rating Calculation
L   Low        1 – 16
M   Medium    17 – 32
H   High      33 – 48
C   Critical  49 – 64

After calculating the risk rating, we start writing the report on each risk and how to mitigate it.

* Based on our analysis, risks that fall under this category will be considered as High.
5.3.1 Risk Analysis

Host Type            Threat   Vulnerability   Impact   Risk
Networking Devices   3.0      2.0             2.0      12.0
Operating System     3.0      3.0             3.0      27.9
Average              3.0      2.5             2.5      19.5

Overall Risk = MEDIUM
6 Detailed Findings
6.1 Detailed Systems Information
6.1 Vulnerability Assessment (VA)

No.   IP Address     Description   Operating System                Vulnerable   Exploited*   Risk Factor
1     192.168.1.1    Host A        Microsoft Windows Server 2008   Yes          No           Medium
2     192.168.1.2    Host B        Microsoft Windows Server 2008   Yes          No           Low
3     192.168.1.3    Host C        Microsoft Windows Server 2008   Yes          No           Low
4     192.168.1.4    Host D        Microsoft Windows Server 2008   Yes          No           Medium
5     192.168.1.5    Host E        Microsoft Windows Server 2008   Yes          No           Medium
6     192.168.1.6    Host F        Microsoft Windows Server 2008   Yes          No           Medium
7     192.168.1.7    Host G        Microsoft Windows Server 2008   Yes          No           Low
8     192.168.1.8    Host H        Microsoft Windows Server 2003   Yes          No           Low
9     192.168.1.9    Host I        Microsoft Windows Server 2003   Yes          No           Low
10    192.168.1.10   Host J        Microsoft Windows Server 2003   Yes          No           Medium
11    192.168.1.11   Host K        Microsoft Windows Server 2003   Yes          No           Low
12    192.168.1.12   Host L        Microsoft Windows Server 2003   Yes          No           Medium
13    192.168.1.13   Host M        Microsoft Windows Server 2003   Yes          No           Medium
14    192.168.1.14   Host N        Redhat Linux 2.4                Yes          No           Medium
15    192.168.1.15   Host O        Redhat Linux 2.4                Yes          No           Medium
16    192.168.1.16   Host P        Redhat Linux 2.4                Yes          No           Medium
17    192.168.1.17   Host Q        Redhat Linux 2.4                Yes          No           Medium

* Non-intrusive security assessment. Exploitation was not allowed.
6.2 Configuration Security Audit (CSA)

No.   IP Address     Host Type   Description                     Location     Risk Factor   Inspection
1     192.168.1.1    Host A      Microsoft Windows Server 2008   Location A   Medium        Automated
2     192.168.1.2    Host B      Microsoft Windows Server 2008   Location A   Medium        Automated
3     192.168.1.3    Host C      Microsoft Windows Server 2008   Location A   Medium        Manual
4     192.168.1.4    Host D      Microsoft Windows Server 2008   Location A   Medium        Manual
5     192.168.1.5    Host E      Microsoft Windows Server 2008   Location A   Medium        Automated
6     192.168.1.6    Host F      Microsoft Windows Server 2008   Location A   Medium        Automated
7     192.168.1.7    Host G      Microsoft Windows Server 2008   Location A   Medium        Automated
8     192.168.1.8    Host H      Microsoft Windows Server 2003   Location B   Medium        Automated
9     192.168.1.9    Host I      Microsoft Windows Server 2003   Location B   Medium        Automated
10    192.168.1.10   Host J      Microsoft Windows Server 2003   Location B   Medium        Automated
11    192.168.1.11   Host K      Microsoft Windows Server 2003   Location B   Medium        Automated
12    192.168.1.12   Host L      Microsoft Windows Server 2003   Location B   Medium        Automated
13    192.168.1.13   Host M      Microsoft Windows Server 2003   Location B   Medium        Automated
14    192.168.1.14   Host N      Redhat Linux 2.4                Location C   Medium        Automated
15    192.168.1.15   Host O      Redhat Linux 2.4                Location C   Medium        Automated
16    192.168.1.16   Host P      Redhat Linux 2.4                Location C   Medium        Automated
17    192.168.1.17   Host Q      Redhat Linux 2.4                Location C   Medium        Automated
PenTest Magazine | Penetration Testing in Practice 6.3 Overall Risks No.
IP Address
Description
Operating System
VA
CSA
Overall
1
192.168.1.1
Host A
Microsoft Windows Server 2008
Medium
Medium
Medium
2
192.168.1.2
Host B
Microsoft Windows Server 2008
Low
Medium
Medium
3
192.168.1.3
Host C
Microsoft Windows Server 2008
Low
Medium
Medium
4
192.168.1.4
Host D
Microsoft Windows Server 2008
Medium
Medium
Medium
5
192.168.1.5
Host E
Microsoft Windows Server 2008
-
Medium
Medium
6
192.168.1.6
Host F
Microsoft Windows Server 2008
Medium
Medium
Medium
7
192.168.1.7
Host G
Microsoft Windows Server 2008
Low
Medium
Medium
8
192.168.1.8
Host H
Microsoft Windows Server 2003
Low
Medium
Medium
9
192.168.1.9
Host I
Microsoft Windows Server 2003
Low
Medium
Medium
10
192.168.1.10 Host J
Microsoft Windows Server 2003
Medium
Medium
Medium
11
192.168.1.11 Host K
Microsoft Windows Server 2003
Low
Medium
Medium
12
192.168.1.12 Host L
Microsoft Windows Server 2003
Medium
-
Medium
13
192.168.1.13 Host M
Microsoft Windows Server 2003
Medium
-
Medium
14
192.168.1.14 Host N
Redhat Linux 2.4
Medium
-
Medium
15
192.168.1.15 Host O
Redhat Linux 2.4
Medium
-
Medium
16
192.168.1.16 Host P
Redhat Linux 2.4
Medium
-
Medium
17
192.168.1.17 Host Q
Redhat Linux 2.4
Medium
-
Medium
* High vulnerabilities found in the Initial Phase of the assessment have been successfully remediated. Follow-up and continuous monitoring should be done for Medium and Low level vulnerabilities (Risk Treatment Plan/RTP).
6.3 Passwords/Keys Found

Multiple weak passwords/keys found.

No.  Type       Service
1.   Password   Enable
2.   Password   Users
3.   Community  SNMP
4.   Password   Line

Common weaknesses found.
No.  Description
1.   The password is too short
2.   The password is too short and did not meet the minimum complexity requirements
3.   The password did not meet the minimum complexity requirements
6.2 Vulnerable Hosts

6.2.1 Host 192.168.1.1

Host IP: 192.168.1.1
Description: Host A
Operating System: Microsoft Windows Server 2008
Vulnerable: Yes
Exploited: No

Vulnerability Assessment
Risk Factor:  High 0 / Medium 0 / Low 1
Overall Risk: Low

Configuration Security Audit
Risk Factor:  High 0 / Medium 4 / Low 8
Overall Risk: Medium

MEDIUM
6.2.2 Host 192.168.1.2

Host IP: 192.168.1.2
Description: Host B
Operating System: Microsoft Windows Server 2008
Vulnerable: Yes
Exploited: No

Vulnerability Assessment
Risk Factor:  High 0 / Medium 0 / Low 1
Overall Risk: Low

Configuration Security Audit
Risk Factor:  High 0 / Medium 5 / Low 10
Overall Risk: Medium

MEDIUM
7 Conclusion

Most of the vulnerabilities found in the Initial Phase of the assessment have been successfully remediated. Vulnerabilities that could not be remediated immediately due to technical and operational reasons (e.g. those needed for remote administration and troubleshooting) still introduce risks; therefore compensating controls must be applied and implemented to reduce or mitigate the risks associated with the exposed vulnerabilities. Compensating security controls are controls that provide an alternative to normal controls that cannot be used for some reason. For instance, a certain server cannot have antivirus software installed because it interferes with a critical application. A compensating control would be to increase monitoring of that server or to isolate that server on its own network segment.

For systems to remain secure, the security posture must be evaluated and improved continuously. Establishing the organizational structure that will support these ongoing improvements is essential in order to maintain control of corporate information systems. We conclude that the overall security has been improved. We hope that ACME’s network infrastructure will be reviewed at least every 6 (six) months or annually, depending on the amount of changes to the source code.
8 References

Appendix A – Vulnerability Assessment Summary
Attached Vulnerability Assessment summary.

Appendix B – Configuration Security Audit Summary
Attached Vulnerability Assessment summary.

Appendix C – Nmap Scanning Report
Attached Nmap scan reports.

Appendix D – Nessus Vulnerability Scanning Report
Attached Nessus scan reports.

Appendix E – Nipper Security Audit Report
Attached Nessus scan reports.
Hardening VoIP protocols

Securing VoIP networks is not an easy task, but it is very important. In this chapter the author describes a process that should always be considered, both for a VoIP system and any time you want to protect your information. This process is called hardening.
Usually, in the world of Information Technology, people think about security as if it concerned only files stored in mass memory. But the speech that passes through a VoIP network has the same value: in the previous chapters we have already seen how confidential information can be listened to during a running telephone call and used by malicious people in order to cheat the users. We have also seen that VoIP protocols have several security problems, and for each of them the author has suggested some countermeasures. In this chapter the author will treat all these security aspects in depth.

At the beginning, VoIP was used by companies just to make internal telephone calls. In this way the security aspects of VoIP networks were neglected for several years. Hence, VoIP systems have been hardened only in recent years, and not always in the correct way. This is due to the fact that VoIP hardening is not an easy task and it involves embedded devices which are not cheap. Furthermore, vendors initially did not implement their security features in an easy and interoperable way, and VoIP consumers have suffered for it.
In this chapter the reader will learn the guidelines used by the best experts in VoIP security. These best practices should be applied in order to avoid the attacks reported in the previous chapters.
Secure Sockets Layer (SSL) and SIP

As already reported several times in this workshop, SIP is a cleartext protocol which can be both recorded and tampered with by attackers sitting on the VoIP network as passive listeners. SIP uses only one authentication method, called message digest; since it is based on a hashing algorithm, it suffers from dictionary attacks. These attacks are performed by means of rainbow tables, which are usually employed offline. The rainbow tables contain a large number of already hashed words, and the attacker tries these hashed words until one of them matches the authentication hash. Since most SIP User Agent Clients (UACs) use four-digit codes as passwords (usually the last four digits of the phone’s extension), this method can be used against the SIP authentication process.

In order to avoid this lack of security, in the authentication process SIP uses another protocol called SSL, which is also used by several other network protocols. For instance, HTTP is usually used with SSL in order to get a secure connection from an internet browser; this kind of connection is called HTTPS. Using SSL with SIP is quite similar to using SSL with HTTP. When SIP and SSL are used together, they are called SIP over SSL (SIPS). With SIPS you can encrypt the session protocol from a UAC either to a SIP proxy or to a PBX. Then, the PBX will be able to use SSL again with the next hop; in this way each hop will be encrypted and the end-to-end conversation will be completely encrypted.

In order to secure SIP with SSL, both a certificate exchange and a session key exchange are required between two network devices. These devices have to provide SSL support with a certificate chain process. In the following the author reports the steps required by two network devices which are interested in establishing a secure network connection. In particular, these are the steps needed by two network devices in order to set up a SIPS connection:
• at the beginning, when a user needs to set up a phone call, his UAC sends a request to the SIP server (which could be either a proxy server or a PBX) asking for an SSL session;
• the SIP server replies with its public certificate;
• the SIP UAC validates the public certificate belonging to the SIP server. In order to accomplish this process it uses its root chain;
• the SIP UAC and the SIP server exchange their session keys. They will be used in order to encrypt and decrypt data in the whole session;
• the SIP server contacts the next hop device (it could be either another SIP server or a UAC) in order to negotiate another SSL session.
Figure 1 shows these steps by means of a graphical scheme.
Figure 1. SIPS handshake.
There is an important difference between HTTP and SIP: while the first uses a web browser, the latter uses either a phone or a softphone. This implies a standardization problem, since there is a higher variety of telephone devices compared to web browsers. A high variety means that there are a lot of VoIP vendors which, unfortunately, could implement the handshake process previously reported in different ways. For instance, CISCO and Avaya, two of the major brands in VoIP systems, implement this handshake in rather different ways.
Secure RTP

How to harden SIP by means of SSL protection was reported by the author in the previous section. But in this way the multimedia part of the call, which is carried by RTP packets, is still unprotected. Hence, a SIP infrastructure which uses SSL with RTP in clear permits attackers both to eavesdrop on calls (gathering confidential information) and to inject audio into the calls. In practice, several of the attacks reported in the previous chapters are still possible.

Request For Comments (RFC) number 3711 defines Secure RTP (SRTP) as a protocol which is able to add encryption, confidentiality, and integrity to RTP and RTCP. SRTP can encrypt the payload field of an RTP packet. The information in the RTP header remains in clear; in this way, once an encrypted RTP packet is received by a router, it can read this information in order to forward the packet correctly. The reader may think that in this way the RTP header could be tampered with by any attacker. Actually the RTP header is protected by SRTP, since it provides authentication and integrity checking for the RTP header information by means of a keyed-Hash Message Authentication Code algorithm with the Secure Hash version 1 function. This combination is known by the acronym HMAC-SHA1. Since SRTP does not provide encryption of the headers but just an anti-tampering checksum, an SRTP packet is very similar to an RTP packet.
Advanced Encryption Standard (AES)

AES is the encryption method used by SRTP in order to provide confidentiality, since it supplies the payload encryption. AES can be used with two cipher modes:
• Segmented Integer Counter Mode (SICM) – the default method
• F8 Mode

Another cipher method, called NULL cipher, is also available. Since it does not provide any encryption of the multimedia signal, it should never be implemented.
HMAC-SHA1

As just reported, SRTP was also designed in order to provide message integrity for the header of the RTP packets. Hence, in addition to AES, SRTP uses the HMAC method for this feature. When HMAC is used with the SHA-1 hash function, it is called HMAC-SHA1. HMAC-SHA1 is a hashing method used to verify both the integrity and the authenticity of a message. With this method, an HMAC-SHA1 hash value is added at the end of each packet in order to provide integrity between two VoIP devices. The addition of the integrity feature ensures that the RTP packets are not susceptible to replay attacks. Please note that a replay attack could be performed even when encryption is applied.
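An added example, not part of the original chapter, of the SRTP protection described in the Secure RTP and HMAC-SHA1 sections, in Python with the standard library: the RTP header stays in clear, the auth tag is HMAC-SHA1 over header, payload and rollover counter truncated to 80 bits, and the receiver rejects a packet whose header was modified and a replayed packet. The AES-CTR payload encryption is left out, so the payload bytes, the auth key and the packets are constructed values.

```python
import hmac
import hashlib
import struct

AUTH_TAG_BITS = 80   # RFC 3711 default: HMAC-SHA1 output truncated to 80 bits

def rtp_header(seq, timestamp, ssrc, payload_type=0):
    """Fixed 12-byte RTP header, V=2 P=0 X=0 CC=0 M=0; it stays in clear under SRTP."""
    return struct.pack("!BBHII", 0x80, payload_type & 0x7F, seq, timestamp, ssrc)

def auth_tag(k_auth, header, encrypted_payload, roc):
    """HMAC-SHA1 over header || encrypted payload || ROC, truncated (RFC 3711 s4.2)."""
    msg = header + encrypted_payload + struct.pack("!I", roc)
    return hmac.new(k_auth, msg, hashlib.sha1).digest()[: AUTH_TAG_BITS // 8]

def protect(k_auth, header, encrypted_payload, roc):
    """An SRTP packet is the RTP packet plus the auth tag. The payload is taken
    as already AES-CTR encrypted: the cipher is omitted from this example."""
    return header + encrypted_payload + auth_tag(k_auth, header, encrypted_payload, roc)

class SrtpReceiver:
    """Checks the tag and rejects replays using the index i = 2^16 * ROC + SEQ."""
    def __init__(self, k_auth, window=64):
        self.k_auth, self.window = k_auth, window
        self.roc, self.highest, self.seen = 0, -1, set()

    def unprotect(self, packet):
        n = AUTH_TAG_BITS // 8
        header, payload, tag = packet[:12], packet[12:-n], packet[-n:]
        seq = struct.unpack("!H", header[2:4])[0]
        roc = self.roc                              # estimate ROC (RFC 3711 s3.3.1)
        if self.highest >= 0:
            last_seq = self.highest & 0xFFFF
            if seq < last_seq - 0x8000:
                roc += 1                            # sequence number wrapped
            elif seq > last_seq + 0x8000 and roc > 0:
                roc -= 1                            # late packet from before the wrap
        index = (roc << 16) | seq
        if index in self.seen or index <= self.highest - self.window:
            return None, "replay"                   # replay list is checked first
        if not hmac.compare_digest(tag, auth_tag(self.k_auth, header, payload, roc)):
            return None, "bad auth tag"             # header or payload was modified
        self.seen.add(index)
        self.highest, self.roc = max(self.highest, index), max(self.roc, roc)
        return payload, "ok"

def demo():
    """Constructed session: two packets, one with a modified header, one replayed."""
    k_auth = bytes(range(20))                       # constructed 160-bit auth key
    rx = SrtpReceiver(k_auth)
    p1 = protect(k_auth, rtp_header(1, 160, 0xDEADBEEF), b"\x5a" * 160, roc=0)
    p2 = protect(k_auth, rtp_header(2, 320, 0xDEADBEEF), b"\xa5" * 160, roc=0)
    forged = bytearray(p2)
    forged[8] ^= 0x01                               # flip one bit of the clear SSRC
    return [rx.unprotect(p1)[1], rx.unprotect(bytes(forged))[1],
            rx.unprotect(p2)[1], rx.unprotect(p1)[1]]   # ok, bad auth tag, ok, replay
```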
Figure 2. SRTP packet characteristics.

In the following the author reports the steps involved when two devices use SRTP. The example describes the communication between two UACs having extensions 1000 and 2000. We suppose that they are using SRTP with payload encryption and RTP header authentication:
• 1000 requests the session keys from the Asterisk PBX;
• since Asterisk has the Master Key (MK), it opens two sessions, the first one with 1000 and the second with 2000;
• now the key negotiation phase starts: the MK is passed in the SIP header and the actual Session Keys (SK) are generated later on the UACs by means of AES;
• once the MK is received, both UACs create the SK for their communication;
• once the SK are created, the SRTP communication can start.
As already reported, the standard implementation of SRTP depends on the network platform. Once again, the most famous platforms are:
• Asterisk
• Cisco
• Avaya
Method of Key Distribution

SIP must be used with an SSL tunnel in order to prevent SRTP from performing the key exchange in clear. Without an SSL tunnel, the SRTP master key can be captured from the SIP packets which travel in clear through the network, and the attacker can then decrypt the captured SRTP packets. Hence, if SIP is used without SSL, the security benefit of SRTP is surely reduced.
ZRTP

An extension of RTP which applies Diffie-Hellman (DH) key agreement for SRTP packets is called ZRTP. ZRTP provides the key management services during the setup process of a telephone call. It does not work at the session layer like common signalling protocols, but it works on SRTP. ZRTP creates a shared secret, which is used in order to generate keys and a salt for the sessions encrypted with SRTP. It requires neither pre-shared keys (PSK) nor a Public Key Infrastructure (PKI). In order to avoid MITM attacks between the UACs, ZRTP uses a Short Authentication String (SAS), which is a hash value of the DH keys. The SAS is communicated to both UACs using ZRTP. Each UAC verifies the SAS value to ensure that the hashes match, which means that the keys have not been tampered with.
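An added example, not from the original chapter, of the DH key agreement and SAS comparison described in the Method of Key Distribution and ZRTP sections, in Python with the standard library. The DH group (RFC 2409 group 2), the key derivation and its labels are this example's own simplifications rather than the RFC 6189 procedure, and the endpoint names are constructed.

```python
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group" (1024-bit MODP, g = 2), used here for brevity;
# ZRTP itself negotiates larger MODP groups or elliptic curves (RFC 6189).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
SAS_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"   # z-base-32, as used by ZRTP

class ZrtpEndpoint:
    """One UAC: ephemeral DH key pair, then SRTP keys and the SAS from the result."""
    def __init__(self, name):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.sas = self.master_key = self.master_salt = None

    def complete(self, peer_pub):
        if not 1 < peer_pub < P - 1:
            raise ValueError("invalid DH public value from peer")
        shared = pow(peer_pub, self.priv, P).to_bytes(128, "big")
        # Simplified KDF with constructed labels (the real one is RFC 6189 s4.5):
        # s0 from the DH result, then one HMAC per purpose.
        s0 = hashlib.sha256(b"demo-s0" + shared).digest()
        self.master_key = hmac.new(s0, b"SRTP master key", hashlib.sha256).digest()[:16]
        self.master_salt = hmac.new(s0, b"SRTP master salt", hashlib.sha256).digest()[:14]
        # SAS: 20 bits of an s0-derived hash shown as 4 base32 characters
        sas_bits = int.from_bytes(hmac.new(s0, b"SAS", hashlib.sha256).digest()[:3], "big") >> 4
        self.sas = "".join(SAS_ALPHABET[(sas_bits >> s) & 31] for s in (15, 10, 5, 0))
        return self.sas

def run_call(intercepted=False):
    """Two UACs (constructed extensions 1000 and 2000) agree on keys. With
    intercepted=True a relay substitutes its own DH values on each side.
    Returns (alice, bob, sas_match)."""
    alice, bob = ZrtpEndpoint("1000"), ZrtpEndpoint("2000")
    if not intercepted:
        alice.complete(bob.pub)
        bob.complete(alice.pub)
    else:
        # A relay has to run a separate DH agreement with each UAC, so the
        # two UACs end up with different secrets and different SAS values.
        to_alice, to_bob = ZrtpEndpoint("relay-a"), ZrtpEndpoint("relay-b")
        alice.complete(to_alice.pub)
        to_alice.complete(alice.pub)
        bob.complete(to_bob.pub)
        to_bob.complete(bob.pub)
    # The users read the SAS aloud to each other; a mismatch reveals the substitution.
    return alice, bob, alice.sas == bob.sas
```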
Zfone

A VoIP client called Zfone (www.zfoneproject.com/) could be adopted in order to provide an implementation of ZRTP, which secures the RTP communication. Zfone can be used with any VoIP signaling protocol (for instance, both SIP and H.323). Zfone could be used with any softphone that does not use RTP encryption. Zfone must be installed on both UACs. Zfone monitors the IP stack of the OS on which the softphone is installed, waiting for an incoming VoIP call. Once an incoming VoIP call has been intercepted by Zfone, it encrypts the media communication. When a non-SRTP or non-ZRTP device establishes the phone call, Zfone detects that the call is beginning and then starts a key agreement between the local UAC and the remote UAC. Once the key agreement has ended, Zfone encrypts all RTP packets between the two UACs.
In order to use Zfone between two UACs which do not natively support media encryption (such as both the ZoIPer and X-Lite softphones belonging to our Workshop testplant), the following instructions could be executed (please notice that we are configuring two new UACs, respectively called 4000 and 5000, on the PBX belonging to the Workshop testplant, instead of modifying those already existing):

• You have to edit sip.conf on the Asterisk PBX, adding the following lines at the end of the file:

    [4000]
    type=friend
    username=4000
    host=dynamic
    secret=4000pwd
    context=test

    [5000]
    type=friend
    username=5000
    host=dynamic
    secret=5000pwd
    context=test

• In the extensions.conf file, you have to add the following lines in the [test] context:

    [test]
    ; priority 1: ring the SIP peer registered as 4000 / 5000
    exten => 4000,1,Dial(SIP/4000)
    exten => 5000,1,Dial(SIP/5000)