This is yet another post focused on penetration tests and the misleading ideas people hold about them.
I hear a lot about zero-days, unpatched bugs, in-the-wild exploits for just-reported vulnerabilities and many similar terms that will eventually lead to a painful compromise if the target is not someone with a "defense in depth" strategy in mind. On the other hand, I am faced with people who think of professional penetration testers and skilled auditors as magicians!
Talking about pen-tests, many people think that professional auditors succeed at their tasks because they always have some 0-day bug/exploit/technique/trick at hand. It is really common to hear "He has probably used a 0-day to own them...", "You're lying to me, I checked every single possibility and could not find anything useful. Do you have any 0-day exploit for service X?!", and so on...
Yes, zero-day material will sometimes guarantee the success of a mission, but is it really used every time? Will a pen-test fail if every single host and piece of software is updated to the latest version? Will you be hacker-proof if you monitor everything and keep your software and systems immune to zero-hour threats?
I'll instantly answer NO to the above questions. Having done pen-tests for at least 4 years and successfully compromised many banks, government and military services, mission-critical infrastructures and tens of individual companies, I have to say that the success of a mission very rarely depended on using private or zero-day material! I'm not saying 'never depended', because sometimes customers specifically ask to be tested against unknown and zero-day vulnerabilities and techniques, but that is not the general case.
I divide customers into two groups: those who understand the risk of zero-day attacks and are willing to pay enough that their pen-test (and the R&D behind it) covers it, and those who blindly tell you "Try every possible way to break into the network" and don't care about unknown vulnerabilities, assuming that being safe against attacks on the latest versions is enough.
So how do tests lead to a successful compromise if we are faced with a patched infrastructure and have not used ANY zero-day exploit (although we may have some)?
Reviewing the results of past projects, and watching the way most teams manage their networks, tells us that there are always some design flaws and management problems that guarantee the success of attackers.
When I mention design flaws, I usually mean the way networks are planned and designed, or the way the small pieces of a big infrastructure are put together. This is really common in big networks. Telecommunication or banking networks, for example, have many entry/access points into many back-end systems. Assume a bank has X services available to customers, customers can access these services in Y different ways, and there are Z known attacks/vulnerabilities available for every combination.
Therefore we have X*Y*Z ways to gain access to interesting data, and we are always allowed to test at least a few of them. Insecurely allowing branches to connect to the central office is an example of this group of vectors, causing serious risks that affect the whole infrastructure.
I mentioned management problems too, and I mean the way networks are managed. This covers everything from the way a password policy is deployed to the way administrators keep their systems up to date, configure services and devices, and monitor and take care of human-factor mistakes. Even a single insecurely configured service can put all of the linked systems at risk, and a single missed security patch can be used as an entry point for digging into other systems and services.
If you search enough and investigate everything carefully you will always find an outdated thing! Yes, outdated means something that has KNOWN vulnerabilities. This thing can be a firmware, a third-party service or software, an ActiveX control, or even an old version of a protocol.
And finally, what about weak, default or missing passwords?
There is yet another interesting vector to investigate, which is not taken seriously by many people trying to break into a network: footprinting.
I wrote multiple paragraphs right above this sentence about finding X and Y, checking this and that, looking for design flaws and so on. Have you ever wondered where all of that information comes from? It all depends on a good footprinting process, which is the very first step of every penetration test. The more you focus on it and do it carefully, the more findings you will have to work on in the next steps.
I personally have had experiences where effective and deep footprinting of a target resulted in finishing the pen-test at the first step! Yes, believe it or not, if you search enough and carefully there is a chance to gain access to some critical knowledge about the target without touching a single host in the target's network, which may result in an instant compromise of data, systems or users. Even if this case does not apply, you will always learn a great deal about your target.
So what is the point behind writing all this?
The point is: why should you use zero-day material at all, when there are MANY ways to get close to the target without it? If a hacker/auditor correctly tries every vector mentioned, I can guarantee that he will be inside and deep enough BEFORE reaching the end of the first loop of trial and discovery!
Some people may ask, "Why should we waste that much time and energy when there is a chance of almost instantly 0wning the final targets by using a few zero-days?"
Nice question. The answer is that zero-days are not provided freely or even easily, and even more important, not only are they not free but they are usually very expensive! So the point is that zero-days have their own value and cost and can't/shouldn't be used like normal tools unless it is really necessary or asked for by the customer. The value of every single zero-day should make you ask whether it is really worth using it against the target. Let me be clearer with an example. Will you use a zero-day vulnerability that costs 20.000$ against a 10.000$ target? It highly depends on you, but most people will answer no. Of course, you may answer that you will use this 20k$ vuln 5 times and come out the winner. In that case I'll wait for you to come back later, willing to pay 50k$ for the same flaw, because you have wasted and burnt it previously on multiple cheap targets, and now you are faced with a hard-locked-down target worth 200k$! Got the point?
There is usually so much time, energy, knowledge and experience behind every single zero-day you gain access to (either by finding it yourself or by paying for it). So they should be used like golden, final bullets, only when there is no way not to use them.
So, next time you fail in your intrusion attempt, it is better to look back and see how you finished the previous steps and how careful you have been in reviewing and working on your findings, rather than asking God for a zero-day. Did you really try every possible way? I bet not!
There is still much to write about zero-days, like why/when we should look for them, or the idea behind current zero-day markets and clubs. I prefer to leave these topics for another post. I'd appreciate your comments telling me how to continue this topic, or even to stop it completely :)
The things you have mentioned are true facts; normally none or very few 0days/private vulnerabilities are used in penetration tests. With the new hardware protections, the age of these kinds of vulnerabilities seems to be finally over. Human errors?! Forever.
I didn't see this post; I saw this today.
If maybe you could continue this interesting post. Please :)
Thanks again.
Spynetc