Security Testing Guide for Blue Teams

Security Testing for
Blue Teamers…
Ben Finke
June 2015
BigDatainInfoSec-BenFinke-@benfinke

Thanks for coming!
• Ben Finke
• Security Guy at Enterprise Integration

Network Defender

Red Team

Disclaimer
Make absolutely CERTAIN you have written permission
from the system owner/service provider before undertaking
ANY testing activities.
Laws vary from state to state and country to country.
When in doubt I consult my attorney, I suggest you do the
same.
In short: Don’t call me to bail you out! J

Security Testing for Blue Teamers

What this presentation is…
• A guide on effective testing that makes your defenses better
• A security program that gives you information to make decisions
• A how-to on ensuring your defenses are doing what you think they are

What this is not…
• How to hack your boss’s facebook account
• Step-by-step on building a botnet
• A one-size fits all process
• A shortcut

Why bother?
Do you know what is on your network?
Any idea what you have facing the Internet?
Does that fancy firewall thing actually block bad stuff?
Can you tell if someone is attacking you?

Why bother? This. We can do better.
VerizonDataBreachInvestigationreport–2015-
http://www.verizonenterprise.com/DBIR/2015/

Yeah But…
Testing is so expensive!
We don’t have the budget
We don’t have the training
We don’t have the tools

Nonsense.
It does take some time and some
learning, but you can do most of the
testing you’ll need, and be amazed what
you discover along the way.
You don’t need to spend a fortune either.
You got this.

First Problem – Learn the Terrain
• Let’s map out EVERYTHING on your network
• Let’s find out what is connected and what services it’s running
• We need something that scales well, gives you some flexibility, and doesn’t
cost a fortune….

Nmap

nmap – Network Mapper
• Get it directly* from the nmap site: https://nmap.org/
• Open source
• Cross Platform
• Does way more than you think…..
• And we know its fantastic because…..
*What happened to you SourceForge?? L

…Hackers use it in movies
https://nmap.org/movies/

Digging into nmap
• Command line
• GUI – Zenmap
• Multiple output formats
• Can be easily incorporated into scripts and called from other applications
• GREAT documentation and community support
• Examples:
• nmap –A 172.20.10.0/24 –oA
• Demo Time!!

Scanning Protips…
• If you scan something on the other side of the firewall, its going to be, well, wrong.

Scanning Protips…
Know how the common scan options work…
• -sT – Make a TCP connection (SYN – SYN/ACK – ACK)
• -sU – Try to make a UDP service respond (I’d tell you a UDP joke, but you might
not get it).
• -sS – TCP SYN scan –(SYN – SYN/ACK) – sometimes called a “stealth” scan
• -sV – TCP scan and try to get the version
• -Pn – treat all hosts as online, skip discovery
• -O – enable OS detection
• Host discovery – ICMP Ping, Reverse DNS, TCP 80 and TCP 443

Scanning Protips…
Choose a good scanning location
• Home and SMB routers often have a small state table, you may overrun that with
connections and produce false results in the scan
• Wireless connections can also cause timing and other congestion errors that effect
your scan
• If scanning over a VPN…. Try not to scan over a VPN
• If you have a sensitive host in a range, use –exclude

Zenmap!

Plenty of good
open source
projects to help
your custom
implementation.

Use your existing tools to visualize!

But wait, there’s more!
• ndiff – compare two nmap scans and show the
differences.
• Easily store output in code repository for easily historical
reference and change tracking
• NSE – Nmap Scripting Engine

Let’s Get to Work
Do some scans of your network and view the results. Tune the scan options to
meet the need.
Found a lot of stuff you had no idea about, right? Good!
Automate that process through whatever means are comfortable – you want
the information, not more to do.
Run daily and review changes. Discuss with responsible parties when things
change unexpectedly.
Some people might complain that you are hassling them, but I say…

Deal with it….

Your Arsenal
1. Nmap - free
Total Cost - $0

Security Testing Checklist
üNetwork Inventory
üNew Host/Change Detection

Vulnerability Management
Vulnerability – a well known software flaw or misconfiguration that enables
an unauthorized person to change the state of an information system.
Put like a regular person – a missing patch or (likely default) setting that
means an attacker can ruin your day.
Vulnerability Management is NOT just a vulnerability scanner. While that
can help, vulnerability management is about knowing where you have what
so that when a vulnerability is announced you can gauge the risk and plan
accordingly.

Vulnerability Scanners
A number of good ones exist. You might even own some of these today.
The Biggest mistake I see is that people don’t:
1. Tune the scanning policies
2. Cover the ENTIRE network
3. Do anything useful with the output

Getting your VM on….
• Consult your vuln scanner vendor for how to on this.
• You likely have the ability to run “credentialed” scanning. Do this!
• Build a process to manage these vulns you’re going to be digging up
• Protip: Assign an “Application Owner” to every piece of inventory on the
network, and send out reports broken down by the responsible “owner” in
the infamous and oft-imitated stoplight chart
• Also known as “Weaponized Excel”

How does a Vuln Scanner work?
1. Non-Credentialed Scanning
Following the selected scanning policy, performs discovery of available
services across the range of configured targets, begins service detection.
Vuln Scanner Web Server
Hey, is TCP Port 80 Open? (SYN)
It sure is! (SYN/ACK)
Great! (ACK)
So, is this HTTP? (GET / HTTP/1.1)
For sure! (HTTP 200 OK – Server: IIS/7.5)
Check vuln DB for “IIS/7.5” vulnsVuln
DB

Service Detection
That HTTP header will drive a huge amount of the related findings that most vulnerability
scanners will report.
Either no test exists for over-the-network testing, or the test is potentially dangerous.
Other tests like TLS* cipher testing are actively tested for and observed directly.
When False Positives occur, service detection is often why. Credentialed scanning can
remove lots of these false positives.
* All your SSL stuff is turned off, right? Right. Good.

Automate this too!
• Schedule a scan in your vuln scanner and put the scan file someplace.
• This Powershell code let’s you slice and dice the results. Thanks to Carlos
Perez (@darkoperator):
[xml]$report = Get-Content –Raw .scan.nessus
$report_hosts = $report.NessusClientData_v2.Report.ReportHost
$report_hosts | foreach {$_.ReportItem} | where {$_.severity -ne 0} |
ConvertTo-HTML > nessus-report.html
You can even set conditions on which item goes in the report, so you can run a
couple of these and email them to whoever needs them….

Your Arsenal
1. Nmap – free
2. Vuln Scanner - $2K/year
Total Cost - $2000

üVulnerability Management

What would an attacker know?
One of the most common goals of a 3rd party security assessment is “Find out
what an attacker out on the Internet would find.”
I have some great news for you….. You can do this yourself, probably a lot
easier than you think!
A small sampling of free and inexpensive tools at your disposal!

Advanced Google Hacking Searching
http://www.businessinsider.my/how-to-be-a-google-power-searcher-2014-7/

Shodan HQ
• Google search for what’s on the Internet…

Maltego – Building a Case…

Your Arsenal
1. Nmap – free
3. Open Source Intel - Free
Total Cost - $2000

üKnow Your Attack Surface

Test your Defenses
You recently invested in the industry leading Ultra Premium Anti-APT Cyber
Sentinel v1000 system. Hooray!
Does it actually work? I mean, the way its supposed to? Are you sure?

If it detects intrusions, you should intrude!
You should send actual attack traffic through the device to see if
1. It blocks, slows, or at least marginally disrupts it.
2. It tells you about it.
3. You can reconstruct what happened from the Blue team side.
Fortunately, you don’t need to write your own exploit code, we’ll just use Metasploit!
Mac
Attack!

Metasploit – An Intro
Metasploit is a framework that makes security testing easier.
It covers:
• Mapping and Recon
• Exploitation
• Post Exploitation
• Exfiltration
But even if you just want to see if an IPS actually P’s something, it works
great for that too!
Lots and lots of great community support and tutorials available online.

Your Arsenal
1. Nmap – free
3. Open Source Intel – Free
4. Metasploit- Free
Total Cost - $2000

üHack Thyself

“Sure” you’re saying…
“Now I get to spend hours and hours installing this stuff on my system and
trying to keep it all running. How much time am I going to waste just getting
this stuff in place?”.
Almost none at all. In fact, it’s a really good practice to keep your testing kit
separate from the system you surf the web and check your email on.
We need a way to get to all of this tools quickly. It would be a nice benefit if
our testing system was easily portable, ran on whatever we had lying around
to use, and was easy to keep up to date.
Which leads us right to….

Kali Linux

Kali Linux
• Purpose built Linux distribution for security testing
• Hundreds of tools built in and working
• Available as (https://www.kali.org/)
– ISO Image
– Virtual Machine image
– Docker Image(!)
– Raspberry Pi Image(!!)

Raspberry Pi – Just like Mom used to make

VirtualBox
• Cross Platform (Windows, Mac, *NIX)
• FREE (as in beer)
• Run guest VMs on your laptop!
• Boot2Docker
I know what you are thinking….

Isn’t Oracle the Evil Empire?
Maybe, but absolutely not for
this. Thanks Oracle (and
Sun) for VirtualBox!

Your Arsenal – Kali Edition
1. Nmap
2. Vuln Scanner
3. Open Source Intel
4. Metasploit
Ready to Go!

Your Arsenal
1. Nmap – free
3. Open Source Intel – Free
4. Metasploit- Free
5. Flexible Testing Platform - Free
Total Cost - $2000

üHack Thyself
üFlexible Testing Platform

Blue Team Nirvana
• A complete and accurate network inventory
• Know your exposure to vulnerabilities
• Know what the Internet knows about your network
• Verify your defenses and alarms work as designed.

Bonus Round! Fresh Phish!
• Phishing Frenzy – open source project
• http://www.phishingfrenzy.com/

Complete Phishing Platform
1. Develop the scams templates

2. Send out the phishes!

3. Track the results

Happy Hunting!
Any questions?

Ben Finke
@benfinke
ben@benfinke.com
bfinke@entint.com
https://www.linkedin.com/pub/ben-finke/3/95a/8a1
blog.eiblackops.com
blog.benfinke.com
BenFinke-SecuringtheCause-@benfinke

Great Resources
• The nmap book - http://nmap.org/book/
• Metasploit Unleashed - https://www.offensive-security.com/metasploit-unleashed/
• How To Videos on SecurityTube - http://www.securitytube.net/
• Community Discussion - http://www.reddit.com/r/AskNetsec
• Netsec Students - http://www.reddit.com/r/netsecstudents

Security Testing Guide for Blue Teams

Recomendados

Recomendados

Mais conteúdo relacionado

Semelhante a Security Testing Guide for Blue Teams

Semelhante a Security Testing Guide for Blue Teams (20)

Último

Último (20)

Security Testing Guide for Blue Teams