Penetration Testing Services Technical Description Cyber51

Security Services

Description

Copyright © 2010 - 2012 Cyber 51 Ltd. All Rights Reserved. http://www.cyber51.co.uk | Email: [email protected]

Table of Contents

NETWORK PENETRATION TEST ...................................................................................................... 3 WHY? ................................................................................................................................................................. 3 METHODOLOGY ................................................................................................................................................ 3

Footprinting / Network Mapping ............................................................................................................3 Scanning and enumeration .........................................................................................................................4 Vulnerability Analysis ....................................................................................................................................7 Exploitation ........................................................................................................................................................8 Reporting .............................................................................................................................................................9

WEB APPLICATION PENETRATION TEST ..................................................................................... 9 WHY? ................................................................................................................................................................ 9 METHODOLOGY ...........................................................................................................................................10

Configuration Management Analysis .................................................................................................. 10 Analysis of Authentication ....................................................................................................................... 11 Session Management Analysis ................................................................................................................ 11 Analysis of Authorization ......................................................................................................................... 12 Data Validation Analysis ........................................................................................................................... 12 Analysis of Web Services ........................................................................................................................... 13 Reporting .......................................................................................................................................................... 13

APPENDIX A: TYPES OF PENETRATION TESTS……………………………………………………...……….15


Network Penetration Test

Why?

Individuals and businesses enjoy and rely on modern communication

methods, collaboration services and benefit from new opportunities

the Internet age has created. However, Cyber Crime is on the rise too

and has led governments to form complete new authorities to tackle

Cyber Warfare and malicious activity. We at Cyber 51 play our part in

making the Internet and modern communications a more secure

space.

Hackers attack both private and corporate systems on a daily basis.

The attacker can be stationed anywhere in the world and needs just

internet access and the appropriate tools. The threat is real and it

happens thousands of times a day. Many attacks take place

undetected and result in the theft and destruction of valuable data.

The solution: Penetration Tests and Network Security Audits. Cyber 51

will, with the legal permission of the network owner, attack customer

systems in the same way as a Hacker. In doing so, Cyber 51 is able to

expose security holes in the system.

The benefit: The customer is made aware of the Security holes that exist

and could be exploited by a hacker with malicious intent to gain

unauthorized access to the customer network. In addition, Cyber 51 will

prepare a plan of action and, if the customer wishes, implement the

closure of these holes.

Methodology

Footprinting / Network Mapping

The process of footprinting is a completely non‐intrusive activity

performed in order to get the maximum possible information available

about the target organization and its systems using various means, both

technical as well as non‐technical. This involves searching the internet,

querying various public repositories (whois databases, domain

registrars, Usenet groups, mailing lists, etc.).

Also, our Security Testing Consultants will look to obtain as much detail

as possible of the current topology and network profile. This can consist

of information around IP addressing, gathering public domain

information about the business, Ping sweeps, port scanning etc.


This information is then compiled and subsequently analyzed for further

areas of investigation.

Information Gathering

o Expected results

• Domain names

• Servers names

• IP addresses

• Network Topology

• Information about ISP

• Internet presence

• Company Profile

o Tasks:

• Examine and gather information about domain

registries.

• Find IP addresses Blocks

• Names and locations of DNS servers

• Use of multiple traces in order to identify systems and

devices between.

• Identify email addresses related to the company.

• Identify newsgroups, Forums and boards where

information related to the company is located.

• Examine web pages and scripts source codes

• Examine email headers

Scanning and enumeration The scanning and enumeration phase will comprise of identifying live

systems, open / filtered ports found, services running on these ports,


mapping router / firewall rules, identifying the operating system details,

network path discovery, etc.

This phase involves a lot of active probing of the target systems.

After successfully identifying the open ports, services behind them will

be fingerprinted, either manually or by using readily available tools.

Then, the penetration tester will confirm the exact name and version of

the services running on the target system and the underlying Operating

System before including the same in the final report.

Services identification on systems

o Expected Results

• Ports open, closed and filtered

• IP addresses of live systems

• IP addresses of internal networks

• Asset Services

• Map the Network

• List tunneled and encapsulated protocols

discovered

• List supported routing protocols

• Application type and patch level

• Type of operating systems

o Tasks

• Collection of responses from network

• Test TTL / firewalking firewall

• Use ICMP and reverse lookup to determine the

existence of machines on network

• Use TCP fragments with FIN, NULL and XMAS on

ports 21, 22,25,80 and 443 of the hosts found on the

network

• Use TCP SYN on ports 21, 22, 25.80 and 443 of the

hosts found on the network.


• Attempt connections on DNS servers

• Use TCP SYN (half open) to list ports that are closed

or open filtered all hosts on the network found

• Use TCP fragments to ports and services available

in the host

• Use UDP packets to list all open ports found on the

network host

• Try to identify the Standard protocols

• Try to identify non-standard protocols

• Try to identify encrypted protocols

• Identify date, time and System Up-Time

• Identify the predictability of TCP sequence

numbers

• Identify the predictability of TCP sequence number

ISN

Service identification:

o Expected Results

• Type of services

• Application version and type that offers the service

o Tasks

• Match each open port with its corresponding

service

• Identify the Server Up-Time and patches applied

• Identify the application that provides the service

through the use of fingerprinting and banners

• Identify the version of the application

• Use UDP based services and Trojans attempt to

make connections to the services found

System Identification:


o Expected Results

• Type of operating system

• Patch Level

• Type of system

• Enumeration System

o Tasks

• Examine system responses to determine your

operating system

• Check the prediction of TCP sequence numbers

Vulnerability Analysis After successfully identifying the target systems and gathering the

required details from the above phases, a penetration tester will try to

find any possible vulnerabilities existing in each target system.

During this phase a penetration tester will use automated tools to scan

the target systems for known vulnerabilities. These tools have their own

databases consisting of latest vulnerabilities and their details.

During this phase a penetration tester will also test the systems by

supplying invalid inputs, random strings, etc., and check for any errors

or unintended behaviours in the system output.

By doing so there are many possibilities that the penetration tester may

come across unidentified vulnerabilities.

Penetration tester will not to rely only on automated tools for this

activity

Vulnerability testing

o Expected Results

• Type of applications and services listed by

vulnerability

• Patch Level of systems and applications

• List of vulnerabilities that can cause denial of

service

• List of areas secured by obscurity


o Tasks

• Integrate the most popular scanners, hacking tools

and exploits in this test

• Measure the goal with these tools

• Try to identify vulnerabilities in a system and

application type d

• Perform redundant testing with at least two of the

most popular scanners

• Identify the vulnerabilities of the operating system

• Identify application vulnerabilities

• Check the vulnerabilities found by using exploits

Exploitation During this phase a penetration tester will try to find exploits for the

various vulnerabilities found in the previous phase.

Quite often, successful exploitation of vulnerability might not lead to

root (administrative) access. In such a scenario additional steps need

to be taken, further analysis is required to access the risk, that particular

vulnerability may cause to the target system.

Example attack scenarios in this phase include, but aren’t limited to;

buffer overflows

application or system configuration problems

modems

routing issues

DNS attacks

address spoofing

share access and exploitation of inherent system trust

relationships.


Potential vulnerabilities will be systematically tested for weakness and

overall risk. The strength of captured password files will be tested using

password-cracking tools. Individual user account passwords may also

be tested using dictionary-based, automated login scripts. In the event

that an account is compromised, we will attempt to elevate privileges

to that of super user, root, or administrator level.

Our Security Consultants will maintain detailed records of all attempts

to exploit vulnerabilities and activities conducted during the attack

phase.

Reporting The last phase in the entire activity is the reporting phase. This phase

can occur in parallel to the other three stages or at the end of the

Attack stage.

The final report will be prepared keeping in mind both Management as

well as Technical aspects, detailing all the findings with proper graphs,

figures, etc. so as to convey a proper presentation of the vulnerabilities

and it’s impact to the business of the target organization.

An executive summary, describing in brief, the activities performed,

findings, and high-level recommendations will be provided.

Also detailed technical descriptions of the vulnerabilities and the

recommendations to mitigate them will be documented in this report.

All the security holes found and exploited will be accompanied with

proper Proof‐of‐Concept by means of screenshots of the successful

exploits, or any other such methods.

This report will consist in an Executive report containing, without to be

limited to: conclusions, recommendations, statistics, and hacking

methodology brief, and a Technical Report containing without to be

limited to: Information Gathering, Network Information, Analysis and

Attack results of accomplished tasks.

Web Application Penetration Test

Why?

Web applications have become increasingly vulnerable to different

forms of hacker attacks. According to a Gartner Report, 75% of attacks

today occur at the application level. A Forrester survey states that

“people are now attacking through applications, because it’s easier


than through the network layer.”

Despite common use of defenses such as firewalls and intrusion

detection or prevention systems, hackers can access valuable

proprietary and customer data, shutdown websites and servers and

defraud businesses, as well as introduce serious legal liability without

being stopped or, in many cases, even detected.

To counter this problem, Cyber 51 Ltd. offers a comprehensive security

risk assessment solution - Web Application Penetration Testing - to

identify, analyze and report vulnerabilities in a given application. As

part of this service, Cyber 51 Ltd. attempts to identify both inherent and

potential security risks that might work as entry points for the hacker.

We believe vulnerabilities could be present in a web application due

to inadvertent flaws left behind during development, security issues in

the underlying environment and misconfigurations in one or more

components like database, web server etc.

When conducting a Web Application Penetration Testing assignment,

Cyber 51 Ltd. adopts a strong technology and process-based

approach supported by a well-documented methodology to identify

potential security flaws in the application and underlying environment.

Adherence to industry standards such as OWASP, customized tests

based on technology and business logic, skilled and certified security

engineers, risk assessment on the vulnerabilities found, scoring system

based on CVSS (Common Vulnerability Scoring System) make us

different from the other vendors in this space.

Customers would benefit from web application penetration testing on

the application as it gives an in-depth analysis of your current security

posture, recommendations for reducing exposure to currently identified

vulnerabilities are highlighted and it allows the customer to make more

informed decisions, enabling management of the company’s exposure

to threats. The security assessment report submitted on completion of

the engagement provides a detailed and prioritized mitigation plan to

help customers in addressing security issues in a phased manner.

Methodology

Configuration Management Analysis The infrastructure used by the Web application will be evaluated from

a security perspective.

The tests to be performed are as follows:

• TLS and SSL tests.


• Security Testing over the listener of management system databases.

• Testing the configuration of the infrastructure and its relationship with

the Web application, vulnerability analysis, analysis of authentication

mechanisms and identification of all the ports used by the Web

application.

• Testing the application settings, search through directories and

regular files, comments from developers and the eventual acquisition

and operational analysis of logs generated by the application.

• Searching for old files, backups, logs of operations and other files

used by the Web application.

• Search and test management interfaces or web application related

infrastructure.

• Test various HTTP methods supported and the possibilities of XST

(Cross-Site Tracing).

Analysis of Authentication We will evaluate the various mechanisms and aspects of the web

application authentication.


• Credentials management

• Enumeration of users and user accounts easily identifiable.

• Proof of identification credentials brute force, based on information

found or inferred.

• Testing the authentication mechanisms looking for evasion

• Logouts mechanisms and weaknesses associated with the Internet

browser cache.

• Strength tests over captchas and test multi-factor authentication.

Session Management Analysis We will evaluate the different mechanisms and management aspects

of web application sessions.



• Session management scheme will be tested.

• CSRF (Cross-Site Request Forgery).

• Test attributes Cookies.

• Setting sessions.

• Evidence of attributes exposed session and repetition.

Analysis of Authorization We will evaluate the various mechanisms and aspects of web

application authorization.


• Privilege escalation.

• "Path Traversal".

• Evidence of evasion of clearance mechanisms.

• Testing the "business logic" of the Web application, avoiding, altering,

or cheating their relationships within the application.

Data Validation Analysis We will evaluate the various repositories, access and protection

mechanisms related to the validation of data used by the Web

application.


• Test various XSS (Cross Site Scripting) and "Cross Site Flashing."

• SQL Injection tests.

• LDAP injection tests.

• Evidence of ORM injection.

• XML Injection tests.

• SSI injection testing.

• Testing XPath Injection.

• Injection Test IMAP / SMTP.


• Evidence Code Injection.

• Injection Test Operating System Commands.

• Evidence of buffer overflow.

• Evidence of Splitting / Smuggling of HTTP.

• Evidence of evasion of clearance mechanisms.

• Evidence of privilege escalation.

Analysis of Web Services We will evaluate the web application services related to SOA (Service

Oriented Architecture):


• Security testing of WSDL.

• Evidence of structural Security of XML.

• Testing of security at XML content.

• Test HTTP GET parameters / REST.

• Tests with contaminated SOAP attachments.

• Repeat testing of web services.

• Testing AJAX Web application vulnerabilities regarding this

technology.

Reporting The last phase in the entire activity is the reporting phase. This phase

can occur in parallel to the other three stages or at the end of the

Attack stage.

The final report will be prepared keeping in mind both Management as

well as Technical aspects, detailing all the findings with proper graphs,

figures, etc. so as to convey a proper presentation of the vulnerabilities

and it’s impact to the business of the target organization.

An executive summary, describing in brief, the activities performed,

findings, and high level recommendations will be provided.

Also detailed technical descriptions of the vulnerabilities and the

recommendations to mitigate them will be documented in this report.


All the security holes found and exploited will be accompanied with

proper Proof‐of‐Concept by means of screenshots of the successful

exploits, or any other such methods.

This report will consist in an Executive report containing, without to be

limited to: conclusions, recommendations, statistics, and hacking

methodology brief, and a Technical Report containing without to be

limited to: Information Gathering, Network Information, Analysis and

Attack results of accomplished tasks.


Penetration Testing

Any of our Penetration Tests can contain one or more modules as listed

below. We will tailor any Penetration Test to your individual business

needs.

Internet Security Assessment

Any device with access to the Internet is a potential open door to

would-be hackers. We provide vulnerability assessments during which

we closely map the network architecture, examine all open ports, hosts

and services with access to the Web, and ensures that these network

devices are secure. Defensive thinking gathers information such as

domain names, IP network ranges, operating system and applications,

to identify systems on the network, how they are related, the services

that are exposed through open ports (such as http, SMTP, terminal

services, etc.). Once open ports and attached services are identified,

we determine whether each service has been updated with the most

recent patches and identifies other vulnerabilities located within the

exposed services. In addition to conducting vulnerability assessments,

we perform more rigorous penetration tests in which the information

gathered from the assessment is used to attempt to penetrate the

network. This more thorough procedure can confirm whether potential

vulnerabilities are, in fact, capable of being exploited to expose the

network. Following all vulnerability assessments and penetration tests,

we use the information we gather to prepare a thorough vulnerability

analysis and offers recommendations for strengthening network

security.

Intranet Security Assessment

While outside threats must be guarded against, business must also

protect against potential threats from within their own networks. Using

many of the same techniques and procedures for Internet Security

Testing, we provide Intranet risk assessment and analysis to protect

against the potential threat posed by insiders. Depending on the

client’s needs, intranet testing can be performed by us under varying

degrees of disclosure of network information from the client, for

example with or without network accounts.


Dial-in RAS Security Assessment

Dial-in links pose a potential threat to the integrity of the network

security system. We examine dial-up connections that allow employees

to access the network through public telephone lines or other dial-up

connections. Given a range of telephone exchanges that may include

modems, we can identify target numbers that allow for remote access.

Using these numbers, we attempt to exploit vulnerabilities in the system

and gain access to the network. We can also assess risks posed by the

exposure of dial-up connections to the public telephone network

which might undermine the client’s own internal security architecture.

Web Application Assessment

This assessment examines what services are being offered on Web-

based portals and e-commerce applications to examine potential

vulnerabilities with respect to authentication, authorization, data

integrity, data confidentiality, and consumer privacy concerns. We can

test these applications using either zero-knowledge testing or full-

access testing to examine the full range of potential vulnerabilities. We

also conduct source code audits to identify any potential vulnerability

among the applications and scripts that are accessible through the

Web.

Wireless Assessment

Wireless networks, while highly convenient, present additional security

threats since the wireless signals are not limited by the physical

boundaries of a traditional network. We evaluate how to prevent

wireless communications from being exposed to eavesdropping and

access by unauthorized intruders. Additionally, we examine the

enterprise infrastructure for unencrypted or standard WEP enabled

access points that may be vulnerable in order to ensure the security of

the network.


Social Engineering Assessment

Social engineering involves manipulating and/or deceiving company

employees and other human resources to gain unauthorized access to

a network or to confidential information. We are a premier consulting

firm in our ability to identify weak links in the security chain through

exploitation of human vulnerabilities. We leverage our unparalleled

expertise in this field to expose what is often the weakest link in the

information security apparatus: the human element. Once individual or

systemic weaknesses are identified, we recommend procedures

designed to ensure that employees do not divulge information that

could compromise company assets. The social engineering assessment

not only uses tactics intended to gain confidential information, but also

to induce unsuspecting employees to create vulnerabilities that can

subsequently be exploited to gain access to confidential information.

Telecommunications Assessment

We have unique experience testing vulnerabilities in private bank

exchanges that operate company voicemail and messaging systems.

Unauthorized access to these systems can allow an intruder to

eavesdrop on and manipulate employee voicemail messages, initiate

outgoing calls from internal company lines, and access corporate

telephone networks and directories.

Database Assessment

Client lists, credit card records, and other confidential information held

in databases must be given particular protection from unauthorized

disclosure. We test database integrity to determine whether any

vulnerability may compromise this sensitive information.

Physical Security Assessment

Access to confidential information can often be obtained by simply

gaining physical access to company premises. We conducts on-site

surveillance to assess physical security and uses social engineering,

pass key duplication, and other techniques designed to gain physical

entry into secure areas and the network system.


Forensic Analysis

In addition to preventing future attacks, we can conduct forensic

analysis to evaluate past security breaches. This analysis examines log

reports, compares backups to identify modifications to the network,

and investigates the introduction of foreign software tools to help

identify intruders, determine the extent to which the network has been

compromised, and mitigate potential damages from the intrusion.

Intrusion Investigation

We can investigate documented intrusion attempts in to your network

and situations where data was actually compromised. Through

investigation, you can find the source of the attack, the techniques

used, and how to correct these flaws. While it is always best to stop

attacks before they happen, it is important to investigate any possible

compromise of your intellectual property.

Documents

Penetration Testing Services Technical Description Cyber51