Devices - Penetration Testing Like a Hacker. - SecNiche Security Labs

More documents

Recommendations

Info

FOCUSAttacking the MobileInfrastructureWe will explore a few philosophies for attacking a mobilemanagement infrastructure. The article will cover the differencesin testing mobile stuff vs “everything else” as well as reusing someof the things you know to demystify the mobile world.Iwould like to point out that I am by no means anexpert in mobile devices or their managementinfrastructures. This article was as much a learningexperience for me as a writing project. I chose,deliberately to not make this a terribly technical articleand more of a how to approach this article because Ithink sometimes in our industry we get hopelessly lostin the this will be so cool that we forget the this is theright, practical approach. Hope you enjoy.As penetration testers we often times get mired intrying to craft attacks and finding 0-days when we shouldbe fixating on our jobs, that is to provide an assessmentof the security posture of a given system with practicalscenarios. Though I see thevalue in crafting new attacks,I’m not sure it’s the job of atraditional penetration testerbut that’s another article. It’shard enough to resist thattemptation when dealing withweb applications and Windows systems that have beenaround forever and are pretty well understood but throwin something new and our geek buzzers start buzzingovertime. Whenever we’re asked to test some newthing, in this case a mobile infrastructure, out come thecompilers and debuggers. We should start by askingourselves the most boring question possible, is this stuffreally THAT different than what we’re used to?As penetration testers we often times get miredin trying to craft attacks and finding 0-dayswhen we should be fixating on our jobs, that is toprovide an assessment of the security posture of agiven system with practical scenarios.Mobile smart phones and tablets do have a few keydifferences that I wanted to outline:• They are by and large single user systems with rootor admin restricted by default• They run specialized operating systems but relyheavily on web interactions• Often they aren’t controlled or managed by IT,users bring in their personal phones for businessuse (we’re not focusing on these)• Tablets (well the iPad anyway) are quicklybecoming a great way to work from conferencerooms, meetings, etc. They are really a hybridbetween smart phone and alaptop.Now before we dig too muchdeeper I want to say that I’mnot going to focus too muchon attacking the phones/tablets themselves, there is quite a bit of researchand work being done in those areas already and Idoubt I could add much to it. I have always takena more practical approach to penetration testing(right or wrong), I start with the simplest, widestreaching techniques first then move out to the moredifficult methods of attack. I’m not discounting directphone attacks I just find them to be more of a pain05/2011 (5) SeptemberPage 26http://pentestmag.com
than they’re worth. First you have to find a phone totarget which is usually on a person, hope they haveit on and then hope it’s vulnerable to somethingyou’re prepared before. It’s pretty difficult to craft anattack in just a few seconds as the target is walkingby. I digress, the real gold is in the managementinfrastructure of these devices (where it exists)because most likely it contains all the information inthe phone anyway. It’s also probably a much easierand more practical target.I’m also not going to focus on any one managementinfrastructure as I would like to keep it generic enoughto apply to as many as possible. As I looked at thesevarious management tools most of them seemed tohave a few things in common. First, they’re almostall web based with a database backend, does thatsound new, exciting or cutting edge? I hope not. That’sright though, most of these cutting edge, high endmanagement infrastructures are simple web apps.Do we need to break out our compilers and startcomposing custom attacks yet? Probably not. Let’slook at a few ways to approach the problem, withoutdoing anything crazy.Attacking the FrontNow that we have determined most of these arebasically web apps let’s look at where we can hit thisinfrastructure the hardest, the management interface.If you have either been a penetration tester or a webapplication developer, I’ve been fortunate (I think) tohave been both, then you know a dirty not-so-secretsecret. Developers, administrators and IT managementdo not take management interfaces terribly seriously. Ifit’s an inside the firewall test you are nearly guaranteedto find a few open admin interfaces typically with defaultcredentials. Of course I’m certain this won’t happenwith anything as important as a mobile managementinfrastructure but just in case let’s continue our attackon the front.Theoretically every web application that interfaceswith a database has a SQL Injection (SQLi)vulnerability of some sort. Bold statement? Not really,just based on years of experience, I’ve met very fewwith no exploitable vulnerability. Fast forwardingthough let’s say our management infrastructure hasa SQLi vulnerability and we can insert records, let’slook at all we can do with that. First and foremostwe can probably enroll our own phone and figure outwhat the management infrastructure does to a phone.Second we will be able to push our own maliciouscode to the entire enterprise. From a penetrationtesting perspective it’s not going to get much betterthan that. Fortunately I’m sure all of these variousinfrastructures have undergone many rounds ofsecurity testing and hence it just won’t be this easy.Moving on.Attacking the MiddleA few things I noticed while taking my tour of thevarious management suites (aside from how cute alltheir names are) is that almost without exception theyall included some sort of enterprise app store thoughthey gave them various names. Thispiqued my interest for several reasonsoutside of just attack vectors thoughhaving an app store front-end presentsus with the same vulnerabilities asthe management system’s admininterface. This one is interestingfrom a purely logistical perspectivebecause I’m curious who is doingquality control on the apps gettingpushed out. Can anyone submit anapp? Most of the vendor website’sweren’t very clear on this matter andI was on a tight deadline. At any rate,the workflow in these systems wouldbe very interesting to analyze. <strong>Like</strong> itor not (I don’t particularly) but Apple’spolicy of app review before app storesubmission probably catches mostmalware. More companies should takenote for their enterprise mobile appsand adopt a similar policy I think.05/2011 (5) SeptemberPage 27http://pentestmag.com
Page 2 and 3: EDITOR’S NOTE05/2011 (05)Editor:
Page 4 and 5: POINT OF VIEWIsn’t Social Enginee
Page 6 and 7: POINT OF VIEWTrust Pentesting Team.
Page 8 and 9: FOCUSBreaking Downthe i* {Devices}P
Page 10: FOCUSListing 1. IPhone applications
Page 19 and 20: AndroidManifest.xml. An important p
Page 21 and 22: Smartphone running the version of A
Page 23 and 24: Simplied User ExperienceThe user in
Page 28 and 29: FOCUSAt any rate, I think these ent
Page 30 and 31: FOCUSToneLoc and LoadUseful For a P
Page 32 and 33: FOCUSoperate in a degraded state; f
Page 34 and 35: FOCUSInside AndroidApplicationsBy t
Page 36 and 37: (NEW) STANDARDSNew PenetrationTesti
Page 38 and 39: (NEW) STANDARDSof Hatforce. Before
Page 40: (NEW) STANDARDSReferences• [1] So
Page 43 and 44: name, IP address and server locatio
Page 45 and 46: Figure 8. User Agent Switcher Menur
Page 47: Say Hello toRed TeamTesng!Security

Devices - Penetration Testing Like a Hacker. - SecNiche Security Labs

Create successful ePaper yourself

Delete template?

Save as template?