Penetration Testing

Penetration Testing

Penetration testing is the process of attempting to gain access to resources without knowledge of usernames, passwords and other normal means of access.

If the focus is on computer resources, then examples of a successful penetration would be obtaining or subverting confidential documents, pricelists, databases and other protected information. The main thing that separates a penetration tester from an attacker is permission. The penetration tester will have permission from the owner of the computing resources that are being tested and will be responsible to provide a report. The goal of a penetration test is to increase the security of the computing resources being tested. In many cases, a penetration tester will be given user-level access and in those cases, the goal would be to elevate the status of the account or user other means to gain access to additional information that a user of that level should not have access to.

Some penetration testers are contracted to find one hole, but in many cases, they are expected to keep looking past the first hole so that additional vulnerabilities can be identified and fixed. It is important for the pen-tester to keep detailed notes about how the tests were done so that the results can be verified and so that any issues that were uncovered can be resolved. It’s important to understand that it is very unlikely that a pen-tester will find all the security issues. As an example, if a penetration test was done yesterday, the organization may pass the test. However, today is Microsoft’s “patch Tuesday” and now there’s a brand new vulnerability in some Exchange mail servers that were previously considered secure, and next month it will be something else. Maintaining a secure network requires constant vigilance.

Pen-Testing vs. Vulnerability Assessment

The main focus of this paper is penetration testing but there is often some confusion between penetration testing and vulnerability assessment. The two terms are related but penetration testing has more of an emphasis on gaining as much access as possible while vulnerability testing places the emphasis on identifying areas that are vulnerable to a computer attack. An automated vulnerability scanner will often identify possible vulnerabilities based on service banners or other network responses that are not in fact what they seem. A vulnerability assessor will stop just before compromising a system, whereas a penetration tester will go as far as they can within the scope of the contract.

It is important to keep in mind that you are dealing with a ‘Test.’ A penetration test is like any other test in the sense that it is a sampling of all possible systems and configurations. Unless the contractor is hired to test only a single system, they will be unable to identify and penetrate all possible systems using all possible vulnerabilities. As such, any Penetration Test is a sampling of the environment. Furthermore, most testers will go after the easiest targets first.

How Vulnerabilities Are Identified

Vulnerabilities need to be identified by both the penetration tester and the vulnerability scanner. The steps are similar for the security tester and an unauthorized attacker. The attacker may choose to proceed more slowly to avoid detection, but some penetration testers will also start slowly so that the target company can learn where their detection threshold is and make improvements. The first step in either a penetration test or a vulnerability scan is reconnaissance. This is where the tester attempts to learn as much as possible about the target network as possible. This normally starts with identifying publicly accessible services such as mail and web servers from their service banners. Many servers will report the Operating System they are running on, the version of software they are running, patches and modules that have been enabled, the current time, and perhaps even some internal information like an internal server name or IP address. Once the tester has an idea what software might be running on the target computers, that information needs to be verified. The tester really doesn’t KNOW what is running but he may have a pretty good idea.

The information that the tester has can be combined and then compared with known vulnerabilities, and then those vulnerabilities can be tested to see if the results support or contradict the prior information. In a stealthy penetration test, these first steps may be repeated for some time before the tester decides to launch a specific attack. In the case of a strict vulnerability assessment, the attack may never be launched so the owners of the target computer would never really know if this was an exploitable vulnerability or not.

Why Perform Penetration Testing?

Security breaches and service interruptions are costly Security breaches and any related interruptions in the performance of services or applications, can result in direct financial losses, threaten organizations’ reputations, erode customer loyalties, attract negative press, and trigger significant fines and penalties. A recent study conducted by the Ponemon Institute (2014 Cost of Data Breach Study: Global Analysis) reported the average cost of a data breach for the affected company is now $3.5 million. Costs associated with the Target data breach that occurred in 2013 reached $148 million by the second quarter of 2014.

It is impossible to safeguard all information, all the time Organizations have traditionally sought to prevent breaches by installing and maintaining layers of defensive security mechanisms, including user access controls, cryptography, IPS, IDS and firewalls. However, the continued adoption of new technologies, including some of these security systems, and the resulting complexity introduced, has made it even harder to find and eliminate all of an organizations’ vulnerabilities and protect against many types of potential security incidents.

New vulnerabilities are discovered each day, and attacks constantly evolve in terms of their technical and social sophistication, as well as in their overall automation. Penetration testing identifies and prioritizes security risks Penetration testing evaluates an organization’s ability to protect its networks, applications, endpoints and users from external or internal attempts to circumvent its security controls to gain unauthorized or privileged access to protected assets. Test results validate the risk posed by specific security vulnerabilities or flawed processes, enabling IT management and security professionals to prioritize remediation efforts. By embracing more frequent and comprehensive penetration testing, organizations can more effectively anticipate emerging security risks and prevent unauthorized access

to critical systems and valuable information.

Pen test strategies

Targeted testing

Targeted testing is performed by the organization's IT team and the penetration testing team working

together. It's sometimes referred to as a "lights-turned-on" approach because everyone can see the test

being carried out.External testing This type of pen test targets a company's externally visible servers or devices including domain name servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an outside attacker can get in and how far they can get in once they've gained access.

Internal testing This test mimics an inside attack behind the firewall by an authorized user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could

cause.

Blind testing

A blind test strategy simulates the actions and procedures of a real attacker by severely limiting the information given to the person or team that's performing the test beforehand. Typically, they may only

be given the name of the company. Because this type of test can require a considerable amount of time

for reconnaissance, it can be expensive.

Double blind testing

Double blind testing takes the blind test and carries it a step further. In this type of pen test, only one

or two people within the organization might be aware a test is being conducted. Double-blind tests

can be useful for testing an organization's security monitoring and incident identification as well as its

response procedures.Four distinct pen testing service offerings you can provide customers to ensure they have full coverage.

Vulnerability scanning

This is a straightforward opportunity and a mature offering. The biggest question you'll face is whether to resell a service offering (like that from Qualys) or to buy a tool and use it internally to scan your customer's networks and systems. Scanning is one of the requirements for nearly every regulation, so this is an easy step along the path to security assurance, since all of your regulated  customers need to scan.

Infrastructure pen testing

This offering involves a tool that uses live exploits, like Metasploit or Core Impact. You'll use live mmunition, so orchestrate these tests with the client to ensure the minimum amount of disruption. You should test all externally visible IP addresses -- that's what the bad guys out there can see and are likely trying to penetrate. You may also want to see what you can find if you attach to a conference room network, one of the softest parts of a customer's defenses.

Application pen testing

Trying to break into applications is probably the most important step nowadays, given that so many attacks directly target applications. You can use a Web application scanner (HP's WebInspect, IBM's AppScan), but you should also invest in some people that know how to exploit application logic errors. There's no substitute for a skilled application tester to determine what's broken in an application. Once the initial application is compromised, go directly after the database, where the valuable stuff is. If you can get into the database, the customer is owned. It's much better for you to figure this out than a malicious hacker.

User testing 

This is actually the most fun task for penetration testers. You get to see how gullible most users are. This type of testing can involve emailing fake messages to customer service reps, trying to talk your way into the facility (past security or the receptionist) or even dropping thumb drives in the parking lot to see who will plug them into their machines. Many folks are against social-engineering end users, but not me. Remember, malicious hackers don't have a set of rules. They use social engineering because it works. Don't let social engineering surprise your customer and catch them off-guard. 

PENETRATION TESTING TOOL

Reconnaissance Tools

Reconnaissance often begins with searches of internet databases including DNS registries, WHOIS databases, Google, on-line news sources, business postings, and many other on-line resources. The reconnaissance phase often includes print media as well, specifically electronically searchable archives that would be found at a college library or large public library.

Nmap

Nmap is a popular port scanning tool. Port scanning is typically a part of the reconnaissance phase of a penetration test or an attack. Sometimes attackers will limit their testing to a few ports while other times they will scan all available ports. To do a thorough job, a vulnerability scanner should scan all port and, in most cases, a penetration tester will scan all ports. An actual attacker may choose to not scan all ports if he finds a vulnerability that can be exploited because of the “noise” (excess traffic) a port scanner creates.

Another capability of nmap is its ability to determine the operating system of the target computer. Different networking implementations will respond differently to different network packets. Nmap maintains a type of database and will match the responses to make a guess at what type of operating system the target computer is running. This OS detection isn’t perfectly accurate but it can help the attacker tailor his attack strategy, especially when coupled with other pieces of information.

Nessus

Nessus is a popular vulnerability scanner that many security professionals use regularly. Nessus has a huge library of vulnerabilities and tests to identify them. In many cases, Nessus relies on the responses from the target computer without actually trying to exploit the system. Depending on the scope of a vulnerability assessment, the security tester may choose an exploitation tool to verify that reported vulnerabilities are exploitable. 

Nessus includes port scanning and OS detection, so sometimes a vulnerability assessment will just use Nessus and let Nessus call nmap or other scanners for these components of the test. For a stealthy scan, a security professional or an attacker may choose to run these tools separately to avoid detection.

Packet Manipulation and Password Cracking Tools

There are many other reconnaissance tools within the penetration tester arsenal, but two categories bear special mention here: packet manipulation tools and password cracking tools. The former category includes tools like hping that allows a penetration tester or attacker to create and send all types of specially crafted TCP/IP packets in order to test and exploit network-based security protections, such as firewalls and IDS/IPS. The password cracking category includes tools like John the Ripper or Cain and Able, which is used to detect and obtain weak password for multiple authentication mechanisms, such as the ones supported by most Unix and Windows operating systems.

Exploitation Tools

Exploitation tools are used to verify that an actual vulnerability exists by exploiting it. It’s one thing to have vulnerability testing software or banners indicate the possibility of an exploitable service, but quite another to exploit that vulnerability. Some of the tools in this category are used by both attackers and penetration testers. There are many more exploitation tools than the ones listed here. Many tools in this category are single-purpose tools that are designed to exploit one vulnerability on a particular hardware platform running a particular version of an exploitable system. The tools that we’ve highlighted here are unique in the fact that they have the ability to exploit multiple vulnerabilities on a variety of hardware and software platforms.

Metasploit Version 2.5

Metasploit is a relatively new addition to the penetration tester’s tool belt. It provides attack libraries attack payloads that can be put together in a modular manner. The main purpose of Metasploit is to get to a command prompt on the target computer. Once a security tester has gotten to a command-line, it is quite possible that the target computer will be under his total control in a short time. The currently released version of Metasploit Framework as of June, 2006 is version 2.5. Version 3.0 is expected out shortly.This is a tool that attackers would use to take over, or own, a computer. Once an attacker can gain this level of access to a computer, they would often install code that would allow them to get back onto the computer more easily in the future. In some cases, a penetration tester would also install tools on the computer, but often they would simply document the access and what data was available and move on to other testing. This would depend on the defined scope of the testing. The security professional also would want to be careful about causing data loss or server instability that may result in lost productivity. A malicious attacker may be more cavalier about using the computer without regard to lost productivity, though a highly skilled attacker targeting a specific company may be very careful not to damage the system so that they can avoid detection.

SecurityForest Exploitation Framework 

Although still technically in Beta version, the SecurityForest Exploitation Framework is another open-source tool that can be leveraged by penetration testers. This framework leverages a collection of exploit code known as the ExploitTree, and the Exploitation Framework is a front-end GUI that allows testers to launch exploit code through a Web browser (similar to Metasploit’s Web interface). The Framework is very similar to Metasploit, in fact, with a few key differences. ExploitTree has a remarkable number of exploits included, but the vast majority of these are in pre-compiled format (most likely in a C file) or exist as Perl executables.

They are also not natively integrated into the Framework. This framework is not nearly as extensible as some other tools; it primarily functions as a GUI to launch attacks from.

CORE IMPACT (version 5.1)

CORE IMPACT is a commercial penetration testing tool that combines a healthy dose of reconnaissance with exploitation and reporting into one point and click penetration testing tool. The main purpose of CORE

IMPACT is to identify possible vulnerabilities in a program, exploit those vulnerabilities without causing system outages, and clearly document every step along the way so that the entire procedure can be verified by another party. The CORE IMPACT penetration testing tool makes is easy for a network administrator or penetration tester to run tests against a network or host without having a whole suite of security testing utilities. Overall, we found the program to do a good job of scanning the network for vulnerabilities, successfully exploiting them, and reporting on the results. One really slick feature of CORE IMPACT is the ability to install an agent on a compromised computer and then launch additional attacks from that computer. This proved useful in an actual penetration testing assignment by allowing the tester to compromise one machine and from there run automated scans inside the network looking for additional machines. Those scans weren’t quite as good as actually being on-site, but it did allow us to discover internal hosts from outside the network. For most systems, CORE IMPACT will work well, but as Core Security Technologies states in their documentation, it isn’t meant to be a replacement for an experienced penetration tester. One of the areas we ran into some trouble on was when a single IP address had different ports mapped to different servers with different operating systems. Sometimes CORE IMPACT would identify a host as having a given operating system and then refuse to launch a vulnerability against a service that did not match that operating system. In one tested network, a single public IP address was in use by three different computers: an Exchange server, an IIS web server, and a Linux computer running SSH. The OS had been identified as being in the Linux family so an attack against IIS vulnerability wasn’t an option. We were able to work around this by re-scanning the machine using only the ports that mapped to the Windows system. As a commercial vendor, Core Security Technologies does a lot of testing of their exploit code to ensure that it will not adversely affect the target hosts. In testing CORE IMPACT, we found that it was rare for it to crash systems. There was one case where an unpatched Windows 2003 server rebooted a few times in different testing scenarios. Later, the same test was used to exploit the system and gain access to a command prompt. Other than this one test against an unpatched Windows 2003 server, we did not crash any systems. The reporting feature of CORE IMPACT is quite good. It includes an executive report, a report that lists vulnerabilities and all the machines affected by those vulnerabilities, a detailed report of all hosts and an exhaustive report of every test that was run, when it ran, how long it ran and detailed results of the running.

This last report is one that you don’t need very often but if you do need it, it has all the details do duplicate a test. Keeping accurate notes is one of the most difficult and time consuming tasks for a pen-tester because often many tests are attempted with small variations to the test. CORE IMPACT makes it easy to go back and find any steps that weren’t properly recorded.