
Penetration Testing Presentation


Page 1: Penetration Testing Presentation

Penetration Testing from an Analyst's Perspective

Computer Forensics and Security

BC Institute of Technology

Prepared by Arif Zina

Page 2: Penetration Testing Presentation

Presentation Outline

What is Penetration Testing

The Process and Methodology
Planning and preparation
Information gathering and analysis
Vulnerability detection
Penetration attempt
Analysis and reporting
Cleaning up

Limitations of Penetration Testing

Conclusion

Page 3: Penetration Testing Presentation

What is penetration testing

Identify vulnerabilities that exist in a system that has security measures in place.

Involves attack methods conducted by trusted individuals.

Scanning of IP addresses to identify machines that are offering services with known vulnerabilities.

Exploiting known vulnerabilities that exist in an unpatched system.

Increase upper management's awareness of security issues and decision making.

Serious consequences on the network if tests are not conducted properly.

Page 4: Penetration Testing Presentation

The Process and Methodology

Planning and Preparation

Meeting between the organization and the testers.

Clear objectives for the tests to be conducted, focusing on demonstrating the exploitable vulnerabilities that exist within the organization's network.

Ensure that tests are done during off-peak hours to prevent disruptions and crashes due to unusual network traffic.

Inform security staff of the penetration tests to be conducted…?

Treat data obtained as confidential, to be returned/destroyed after the tests are completed.

Page 5: Penetration Testing Presentation

Information Gathering and Analysis

Gather as much information as possible about the targeted systems:

Nslookup (available on Unix and Windows platforms)
Whois (available via any Internet browser client)
ARIN (available via any Internet browser client)
Dig (available on most Unix platforms and on some web sites via a form)
Web-based tools (hundreds if not thousands of sites offer various recon tools)
Target web site (the client's web site often reveals too much information)

Social engineering

Conduct a network survey to identify reachable systems:

NMAP - Nmap provides options for fragmentation, spoofing, use of decoy IP addresses and stealth scans. Determines the O/S and the packet filters/firewalls of the machine.

Page 6: Penetration Testing Presentation

Vulnerability Detection

Nmap or other scanning tools are first used to identify hosts and determine the ports and services available.

Determine the vulnerabilities that exist in each system, identified by open ports, O/S and application patch level, and service pack applied.

On-line vulnerability databases are available to search for specific exploits.

Manual vulnerability scanning – detection is done manually by a tester who has a collection of exploits and vulnerabilities at their disposal.

Automated vulnerability scanning – Nessus automates vulnerability scanning and determines any vulnerabilities. It also lists steps to correct these vulnerabilities.

Other automated scanning tools are also available – SARA, SAINT, SATAN, etc.

Page 7: Penetration Testing Presentation

Penetration Attempt

After determining the vulnerabilities that exist in the system:

Identify suitable targets for the penetration attempt.
Estimate the time and effort needed for the vulnerable systems.
Determine how important it is how long the penetration tests take on a system.

Some vulnerabilities exploited by penetration testing and by malicious attackers fall into the following categories:

Kernel flaws – kernel code is the core of the operating system.
Buffer overflows – the result of poor programming practice.
Symbolic links – a file pointing to another file.
File descriptor attacks – privileged programs can assign an inappropriate file descriptor, exposing it.
Trojans – custom-built programs, or could include programs such as Back Orifice, NetBus and SubSeven.
Social engineering – obtain information through staff members.

Page 8: Penetration Testing Presentation

Penetration Attempt

Password cracking has become normal practice in penetration testing:

Dictionary attacks – use a word list or dictionary file.

Hybrid crack – tests for passwords that are variations of the words in a dictionary file.

Brute force – tests for passwords made up of characters, going through all the combinations.

Brutus is a tool that can be used to automate telnet and ftp account cracking.

http://www.hoobie.net/brutus
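The three cracking methods on this slide map directly onto a password policy check: a password that a dictionary or hybrid run would recover cheaply should be rejected before an attacker gets to try it. The example below is added here and is not part of the original presentation; the word list, the leetspeak table and the 2^60 keyspace threshold are constructed assumptions for illustration.

```python
import re

# Constructed mini word list standing in for the dictionary file a cracker would load
WORDLIST = {"password", "welcome", "summer", "dragon", "letmein"}

# Character substitutions a hybrid crack enumerates; the checker reverses them.
# (Assumption: "1" maps to "l"; a real policy would try several candidates.)
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def normalize(pw):
    """Strip the cheap variations (case, appended digits/symbols, leetspeak)
    that a hybrid crack would try, leaving the dictionary word underneath."""
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw.lower())
    return stripped.translate(LEET)

def classify(pw):
    """Say which method would recover the password cheaply, or that only
    exhaustive brute force remains."""
    if pw.lower() in WORDLIST:
        return "dictionary"
    base = normalize(pw)
    if base in WORDLIST or base[::-1] in WORDLIST:   # also catch reversed words
        return "hybrid"
    return "brute-force-only"

def brute_force_keyspace(pw):
    """Size of the search space a brute-force run must cover, assuming the
    attacker knows which character classes the password uses."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]
    charset = sum(n for pat, n in classes if re.search(pat, pw))
    return charset ** len(pw)

def policy_check(pw, min_keyspace=2 ** 60):
    """Accept only passwords that resist all three methods on the slide.
    The 2**60 threshold is an assumption chosen for this example."""
    if classify(pw) != "brute-force-only":
        return False
    return brute_force_keyspace(pw) >= min_keyspace
```

An eight-character password built from all four character classes still fails the check: its 95^8 keyspace is far below the threshold, so brute force alone would recover it.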

Page 9: Penetration Testing Presentation

Analysis and Reporting

After conducting all the tasks, the next thing to do is to generate a report for the company, which should include:

Overview of the penetration testing process carried out.

Analysis and commentary on critical vulnerabilities that exist in the network/system.

Addressing vital vulnerabilities first, followed by less vital ones.

Detailed listing of all information gathered during penetration testing.

Suggestions and techniques to resolve the vulnerabilities found.
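The vulnerability detection slide says Nmap output identifies hosts, ports and services, and this slide says the report must rank vital vulnerabilities first. The example below, added here and not part of the original presentation, joins those two steps: it parses Nmap's grepable (-oG) output, compares each host's open ports with a baseline of approved services, and orders the findings by severity. The scan lines, host names and the approved-ports baseline are constructed for the example.

```python
from collections import namedtuple

# Constructed Nmap grepable (-oG) output; hosts, names and services are made up
SAMPLE_OG = """\
# Nmap scan initiated (constructed sample, not a real scan)
Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH/, 80/open/tcp//http//Apache httpd/, 23/open/tcp//telnet///, 8080/open/tcp//http-proxy///\tIgnored State: closed (996)
Host: 10.0.0.9 (db01)\tPorts: 3306/open/tcp//mysql//MySQL/, 21/open/tcp//ftp//vsftpd/\tIgnored State: closed (998)
Host: 10.0.0.12 ()\tStatus: Up
"""

# Assumption: the client supplied this baseline of approved listening ports during planning
APPROVED = {"10.0.0.5": {22, 80}, "10.0.0.9": {3306}}
# Services that carry credentials in cleartext; reported first, as the slide advises
CLEARTEXT = {"telnet", "ftp", "pop3", "imap"}
SEVERITY_RANK = {"high": 0, "medium": 1}

Finding = namedtuple("Finding", "host port service severity reason")

def parse_grepable(text):
    """Return {host: [(port, service, version), ...]} for open TCP ports.
    Each -oG port entry is port/state/proto/owner/service/rpc/version/."""
    inventory = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        inventory.setdefault(host, [])
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            port, state, proto, _own, service, _rpc, version, _ = entry.split("/")
            if state == "open" and proto == "tcp":
                inventory[host].append((int(port), service, version))
    return inventory

def assess(inventory, approved=APPROVED):
    """Compare the inventory with the baseline; return findings, most severe first."""
    findings = []
    for host, ports in inventory.items():
        for port, service, _version in ports:
            if service in CLEARTEXT:
                findings.append(Finding(host, port, service, "high", "cleartext protocol exposed"))
            elif port not in approved.get(host, set()):
                findings.append(Finding(host, port, service, "medium", "port not in approved baseline"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.host, f.port))

if __name__ == "__main__":
    for f in assess(parse_grepable(SAMPLE_OG)):
        print(f"[{f.severity.upper()}] {f.host}:{f.port} {f.service} - {f.reason}")
```

A host that is up but exposes no open ports (10.0.0.12 in the sample) still appears in the inventory, so the report's detailed listing covers every reachable system, not only those with findings.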

Page 10: Penetration Testing Presentation

Cleaning Up

The cleaning up process is done to clear any mess that has been made as a result of the penetration tests.

A detailed and exact list of all actions performed during the tests must be kept.

Cleaning up of compromised hosts must be done securely, without affecting operations.

Clean up is to be verified by the organization's staff.

Removal of temporary user accounts previously created during testing.
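The slide ties the exact action list to the verification step: the organization's staff can only confirm cleanup against a record of what was created. The example below is added here and is not part of the original presentation; it reads a constructed action log in an assumed "timestamp ACTION key=value" format, checks that every artifact-creating action has a matching undo entry, and compares what should be gone against a constructed snapshot of the hosts.

```python
# Constructed action log kept by the testers (the line format is an assumption for this example)
ACTION_LOG = """\
2024-03-02T22:05 CREATE_ACCOUNT host=web01 user=pt_tmp1
2024-03-02T22:10 UPLOAD_FILE host=web01 path=/tmp/pt_check.sh
2024-03-02T22:30 MODIFY_CONFIG host=db01 path=/etc/mysql/my.cnf backup=/root/my.cnf.pt
2024-03-02T22:40 CREATE_ACCOUNT host=db01 user=pt_tmp2
2024-03-02T23:00 DELETE_FILE host=web01 path=/tmp/pt_check.sh
2024-03-02T23:05 DELETE_ACCOUNT host=web01 user=pt_tmp1
"""

# Constructed snapshot of the hosts, taken by the organization's staff after cleanup was declared done
CURRENT_STATE = {
    "web01": {"accounts": {"root", "www-data"}, "files": set()},
    "db01": {"accounts": {"root", "mysql", "pt_tmp2"}, "files": {"/root/my.cnf.pt"}},
}

# Each artifact-creating action and the action that must undo it
UNDO = {"CREATE_ACCOUNT": "DELETE_ACCOUNT", "UPLOAD_FILE": "DELETE_FILE",
        "MODIFY_CONFIG": "RESTORE_CONFIG"}

def parse_log(text):
    """Parse 'timestamp ACTION key=value ...' lines into (ts, action, attrs)."""
    entries = []
    for line in text.splitlines():
        ts, action, *pairs = line.split()
        entries.append((ts, action, dict(p.split("=", 1) for p in pairs)))
    return entries

def artifact_key(action, attrs):
    """Identify the artifact an action touches as (host, kind, name)."""
    if action.endswith("_ACCOUNT"):
        return (attrs["host"], "accounts", attrs["user"])
    if action.endswith("_CONFIG"):
        return (attrs["host"], "config", attrs["path"])
    return (attrs["host"], "files", attrs["path"])

def outstanding(entries, state):
    """List artifacts with no undo action logged, or still present on the host."""
    undone = {artifact_key(a, attrs) for _, a, attrs in entries if a in UNDO.values()}
    problems = []
    for _, action, attrs in entries:
        if action not in UNDO:
            continue
        host, kind, name = key = artifact_key(action, attrs)
        if key not in undone:
            problems.append((host, name, f"no {UNDO[action]} logged"))
        # For a config change, the leftover to look for is the backup copy the tester made
        leftover = attrs.get("backup", name)
        kind = "files" if kind == "config" else kind
        if leftover in state.get(host, {}).get(kind, set()):
            problems.append((host, leftover, "still present on host"))
    return problems
```

Both checks are needed: an account can be logged as deleted yet still exist, and one can be gone from the host yet never logged as removed, which leaves the record the slide calls for incomplete.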

Page 11: Penetration Testing Presentation

Limitations of Penetration Testing

A penetration test can only identify those problems that it is designed to look for.

A penetration tester does not have complete information about the system being tested.

A penetration test is unlikely to provide information about new vulnerabilities, especially those discovered after the test is carried out.

Page 12: Penetration Testing Presentation

Conclusion

A network security or vulnerability assessment may be useful to a degree, but does not always reflect the extent to which a hacker will go to exploit a vulnerability.

A penetration test alone provides no improvement in the security of a computer or network. Action must be taken to address the vulnerabilities found during the penetration testing.

Page 13: Penetration Testing Presentation

References

Some of the tools that are popularly used for penetration testing are shown in this appendix. The tools below are grouped according to the testing methodologies outlined earlier.

Information Gathering:

Nmap – Network scanning, port scanning and OS detection. URL: http://www.insecure.org/nmap/index.html
hping – Tool for port scanning. URL: http://www.kyuzz.org/antirez/hping.html
netcat – Grabs service banners/versions. URL: http://packetstorm.securify.com/UNIX/netcat/
firewalk – Determining firewall ACLs. URL: http://www.packetfactory.net/Projects/Firewalk/
ethereal – Monitoring and logging return traffic from maps and scans.
icmpquery – Determining target system time and netmask. URL: http://packetstorm.securify.com/UNIX/scanners/icmpquery.c
strobe – Port scanning utility. URL: http://packetstorm.securify.com/UNIX/scanners/strobe-1.04.tgz

Page 14: Penetration Testing Presentation

Vulnerability Detection:

Nessus – Scans for vulnerabilities. URL: http://www.nessus.org/
SARA – Another scanner to scan for vulnerabilities. URL: http://www.www-arc.com/sara/

Penetration Tools:

Brutus – Telnet, FTP and HTTP password cracker. URL: http://www.hoobie.net/brutus
LC3 – Password cracking utility. URL: http://www.atstake.com/lc3

Page 15: Penetration Testing Presentation

Thank you