This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
Abstract-- Business needs drive corporations today to connect their enterprise to the Internet. The core intellectual property of any company with a computer network connected to the Internet is at risk from attacks via the Internet. Regulations in the United States of America, such as Sarbanes-Oxley, California Senate Bill 1386 (SB 1386), and the Health Insurance Portability and Accountability Act (HIPAA) require companies to safeguard personally identifiable information. IT organizations should consider many options to enhance the security of their corporate networks.
Developing an effective Attack and Penetration Testing team presents unique management challenges. It can be difficult to find talented personnel, testers gain access to the most sensitive corporate data, and the assessed system owners may not be cooperative.
Business needs drive corporations today to connect their enterprise to the Internet. The core intellectual property of any company with a computer network connected to the Internet is at risk from attacks via the Internet. Regulations in the United States of America, such as Sarbanes-Oxley, California Senate Bill 1386 (SB 1386), and the Health Insurance Portability and Accountability Act (HIPAA) require companies to safeguard personally identifiable information. IT organizations should consider many options to enhance the security of their corporate networks.
IT organizations should assess risks, create policies to mitigate those risks, and develop systems to enforce compliance to the policies. Once a policy is in place, the organization should have mechanisms to test compliance to the policy. Attack and Penetration testing is a set of techniques and methodologies to test compliance to security policies, and to detect previously unknown vulnerabilities. The overall goal is to limit the points of exposure and to restrict the ability of unknown attackers to gain entry.
Without an attack and penetration testing effort, it is difficult to assess how effective the security measures have been. Attack and Penetration Testing is the practice of attempting to break into a target to determine how secure it is. It is a crucial part of assessing the security of the enterprise; the final check to determine the effectiveness of all other security measures. Attack and Penetration Testing can be outsourced to external vendors or developed inside a company. The purpose of this seminar is to describe the IT group's experience creating and developing an in-house Attack and Penetration Testing team.
This report is intended for enterprise IT professionals, and
provides an overview of the organization of the Attack and
Penetration team at IT companies, and then outlines planning, building, deploying, and operating an Attack and Penetration Testing team. Each enterprise environment has unique circumstances; therefore, each organization must adapt the plans and lessons learned that are documented in this presentation to meet its specific needs.
What is Penetration Testing?
Penetration testing involves performing various reconnaissance scans against your perimeter defences, boundary routers, firewalls, switches, network devices, servers, and workstations to allow you to see which devices are within your environment and to determine the overall plan of the network and topology. Once this has been gathered, you can then collate this information and then look at an attack vector to try and penetrate identified systems to see if they can be compromised by using known vulnerability scans, attacks and denial of service attacks. when performing penetrations testing you are essentially taking on the role of the hacker. You will be looking at using tools like PING to detect if hosts are live, port scanners for any hosts that may deny ICMP Echo/Reply requests (PING's) and to also identify which ports are open on devices enabling you to create a footprint of what these devices are used for.
The overall plan is to map out the entire network and to make sure any vulnerable devices are known and patched frequently.
Why do we perform Penetration Testing?
Hackers like to spend most of their time finding holes in computer systems where mostly bad coding is to blame in creating vulnerabilities. Hackers then like to take this knowledge and apply it to real world scenarios by attacking your network. They may be doing this as a grudge because they weren't hired by your company, or perhaps was fired at some stage or even they don't like your company, or just want to get a Kudos kick out of saying, been there, done that! To try and protect our computer systems from these hackers, we need to check for known vulnerabilities and exploits ourselves within our systems. Vulnerabilities can comprise of bugs, application back doors, spy ware that have entered into the coding of the application, operating system or firmware at development time of the product or files that have been replaced at a later date in the form of viruses or Trojans.
Over the past two years we've seen many hackers performing denial of service attacks against ISP's (1), Banks (2), and even world governments (3). Carnegie Mellon Software Engineering Institute a Computer Emergency Response Team (CERT) and many other CERT's collate known and new vulnerabilities across all systems, platforms and applications and publish these to the security community and to the companies who have created the systems in a hope that people will become more aware of vulnerable systems and also to allow the creator's of these products to create and distribute patches for their products. In the event of a patch taking a while, in most cases a technical work around is published to harden the systems that may be affected by this vulnerability.
Who should perform Penetration Testing?
Most auditing companies now provide some level of Penetration testing either from within their company, or sub contracted out to third party security companies. If your company would like a penetration test performed on your current infrastructure, you can outsource to one of these companies to perform tests. Many companies are now looking at creating their own internal security teams that provide a constant day-to-day monitoring of networks and devices, and also spend valuable time researching the latest vulnerabilities from CERT's and collate the relevant security patches in-house under advisement from the Security Community to apply to company systems that are deemed vulnerable or compromised. Unfortunately even if you are patching systems you will always be one or two steps behind the hackers and this is unavoidable, but it's much better than being 20 or 30 steps behind them by failing to identify and patch your systems and becoming vulnerable to attack or even worse, allowing your networks to attack other companies networks which is now in the process of being made illegal in several countries. The UK government are already looking at making it part of UK law that you will be fined if you are found attacking other companies or systems on the internet unless you can provide proof that you are taking security seriously within your organization and applying all available patches regularly to try and stop future attacks from happening. The UK government is also trying to push more responsibility onto ISP's, so that ISP's should be looking out for attack vectors, and if they find attacks coming from their customers or within their networks, they are at liberty to cease infected services until the system is made safe.
Penetration testing can be performed by anyone who is either knowledgeable in this area and keeps up to date with the latest security news, penetration applications and researching ways of attack, or has had extensive experience on penetration system testing or is certified.
The penetration testing scope determines whether the individual tasks should occur in phases or in single sequence. The IS auditor's review should begin with a formal threat assessment to ascertain the likelihood of any threats to the organisation resulting from, among other reasons, hardware and/or software failures, internal employee compromise or data theft, or outside attacks. The risks associated with unauthorised access vary from financial loss; inappropriate release of personal, commercial or politically sensitive information; and reputation lost; to total loss of system control. The specific information system risk of unauthorised access to information resources includes loss of system availability, data and processing integrity, and information confidentiality.
Penetration test planning
A penetration test (pen-test) is a controlled process in which a trusted third party performs security verification by using methods, tools and styles that would be performed by persons with malicious intent.
B. Elements of the pen-test
Target - a resource which will be targeted for attack during the pen-test. The target can be a single item (server, router, safe) or a set of resources with some common denominator (server farm, network segment, offices)
Trophy - a resource that the testers are tasked with extracting or destroying. Malicious attackers usually stand to gain benefit from the attack, and if the valuable resource is identified, it can be tagged as a 'trophy' to be won by the pen-testers. Bear in mind that sometimes the trophy may not be a physical item, but a loss of functionality or service that can tarnish the reputation of the company.
Test vector - the attack channel or set of channels that the pen-testers will use during the test.
Test type - which type of test will the pen-tester perform?
Black box - the pen-tester performs the attack with no prior knowledge of the infrastructure, defense mechanisms and communication channels of the target organization. Black box test is a simulation of an unsystematic attack by weekend or wannabe hackers (script kiddies).
Gray box - the pen-tester performs the attack with limited knowledge of the infrastructure, defense mechanisms and communication channels of the target organization. Gray box test is a simulation of a systematic attack by well prepared outside attackers or insiders with limited access and privileges.
White box - the pen-tester performs the attack with full knowledge of the infrastructure, defense mechanisms and communication channels of the target organization. White box test is a simulation of a systematic attack by well prepared outside attackers with insider contacts or insiders with largely unlimited access and privileges.
This element differentiates from what kind of malicious attackers is the company trying to protect itself. Each next test type is not a super set of the previous one. For proper penetration testing, one has to perform all three types of test.
The penetration test must be approved by top management, with proper signed decision. The decision to perform a pen-test and it's details must be maintained as highly guarded secret which is known only to the top management, the security officer of the company and internal audit. The supplier of the test (pen-tester) must be a credible and trusted company with relevant experience. Priorto top management approval, the supplier must provide a detailed pen-test plan to be approved by the security officer.
This test plan when approved will be amended to the pen-test contract, which should also include the following:
A clause for penalties for any damages caused by the pen-test, which should not be higher then the contract value, except when malicious intent is proven
A clause for risky test approval in which the buyer will approve or disprove possibly risky tests. Should such tests be approved, a list of targets and tests must be included.
A clause to confirm that there is no conflict of interest by any involved parties in the penetration test. This clause should include or be amended by full industry affiliation of all involved parties.
A clause of full confidentiality - restriction on using the results of the test for commercial purposes; restriction on publication of references regarding the pen-test; full and utmost protection of all information, results and conclusions collected during the negotiation, preparation and pen-test regardless of existing Non-disclosure agreements.
A clause of immediate full disclosure - all collected results and conclusions must be reported in detail, regardless of estimated severity. Each conclusion must include tools and process description used to reach the conclusion. All conclusions estimated as critical and severe must be reported as they are identified in the pen-test, and the full detailed report must be handed over in maximum 48 hours days after completion of the pen-test.
Fig. 2.1: Diagram of a penetration test process
Since the penetration process is a controlled process, it must be subject to immediate and later audit. This can and should include
on-hand surveillance of the penetration test as it is performed
filming the entire process on video camera
full packet capture on all interfaces through which the penetration test is perform
Flow hypothesis methodology (FDM)
COMPUSEC's (computer security's) is to automate many of the security functions traditionally enforced by fallible human oversight. In theory, a trusted system should perform as its security specifications define and do nothing more. In practice, most systems fail to perform as specified and/or do more than is specified. Penetration analysis is one method of discovering these discrepancies.
Stages of the Flaw Hypothesis Methodology (FHM).
FHM consists of four stages:
1. Flaw generation develops an inventory of suspected flaws.
2. Flaw confirmation assesses each flaw hypothesis as true, false, or untested.
3. Flaw generalization analyzes the generality of the underlying security weakness represented by each confirmed flaw.
4. Flaw elimination recommends flaw repair or the use of external controls to manage risks associated with residual flaws.
Penetration Testing Types
The penetration testing offering consists of several major components, with each component having smaller sub-components. This hierarchy allows the client to pick and choose only those services needed at the time, thereby reducing the complexity and cost of the solution. The major components of the offering include the following:
¬ External Penetration Testing
¬ Internal Penetration Testing
¬ Social Engineering Testing
General Penetration Testing Methodology
When performing external or internal penetration tests, Technologies employs a standard 3-step methodology. This methodology allows for a systematic testing process that ensures all appropriate tests have been applied to the proper devices. The testing process is cyclical by nature and often involves discovering and re-testing new networks and devices as they are uncovered during the testing process.
The typical external and internal penetration test consists of the following phases:
This step attempts to discover as much information about the client as possible using publicly available resources. Various web search engines are used along with information from the client's web site(s). DNS queries also provide useful information along with queries to the various domain registries. Other sources of information include local, state and Federal regulatory agencies.
During this phase various scanning tools are used to determine the operating systems, protocols, ports and applications in use. Depending on the operating systems and applications discovered, various other port, vulnerability and application scanners are then used to further define the exact environment. The goal at the end of this phase is to understand in detail the exact applications, versions and configurations for all network devices.
The final phase in the analysis attempts to document and verify any possible vulnerability discovered in the network devices. This phase involves a wide variety of exploits depending on the nature of the issue and what type of device on which it is found. The client always has the option of how far the verification stage pursues any discovered flaws.
Technologies will never delete files or data during testing. No web pages will be defaced or changed in any way. No user accounts will be deleted, although during testing it is generally acceptable to add accounts where needed and when possible. These accounts will be documented fully to allow the client to remove them once testing is complete. For any high-risk exploits, screen captures will usually be taken to reduce the overall chance of causing downtime for any system.
Technologies will not use Denial of Service (DoS) or Distributed DoS (DDoS) attacks on any client network. The client should be aware that during testing it is possible for any given network device to be affected by the testing. Log files are especially susceptible during the Scanning phase. The client should be aware of this and notify Technologies in the event that an application is affected or logs are filling up and causing a problem. Technologies will not use untested software tools or techniques in their assessments.
External Penetration Testing Options
All publicly available network applications
o Email, DNS, FTP, database
o Web sites/applications
o Network infrastructure devices
o VPN concentrators
o Specific modems attached to network devices
o Blocks of phone numbers (1 to 1000's)
Internal Penetration Testing Options
Testing of all internal networks, infrastructure devices
o Application servers
o Network management devices
o Routers, switches
Social engineering testing is designed to test the human components of a network. Often the best security technologies in the world can be circumvented by a single employee not following the proper procedures. This testing is designed to test anything from a single employee to a whole department. The testing is carefully designed in cooperation with the client to ensure specific components of existing policies are tested.
The testing can be performed either with some information provided by the client or with no information provided by the client. Whether or not information is shared before testing begins depends largely on the nature of the testing and the time allotted to the testing. Social engineering testing works best when there are specific policies and procedures that are being tested. This testing also has the most effect when it is combined with regular security awareness training for all employees.
Social Engineering Testing Options
External phishing emails
o Attempt to elicit sensitive information, including network login using external email addresses.
Internal phishing emails
o Attempt to elicit sensitive information, including network login using spoofed internal email addresses.
External calls to help desks, support personnel, etc.
o Attempt to elicit sensitive information
Attempts to physically access computer rooms, wiring closets, etc.
o Pretending to be various support personnel Building walk-through's .
o Sensitive information laying on desks
o PC's with no screen saver/passwords
o Accounts/passwords written on white boards, monitor, etc.
o Unlocked cabinets
o Other tests as determined by corporate policy
o Check of trash can for sensitive information
Penetration Testing Tools.
There are a wide variety of tools that are used in penetration testing. These tools are of two main types; reconnaissance or vulnerability testing tools and exploitation tools. While penetration testing is more directly tied to the exploitation tools, the initial scanning and reconnaissance is often done using less intrusive tools. Then once the targets have been identified the exploitation attempts can begin. The line between these tools is very muddy. For example CORE IMPACT is a penetration testing tool but it also has a strong reconnaissance piece. Metasploit 2.5 is clearly a penetration testing tool with almost not reconnaissance functionality but version 3.0 will be adding some reconnaissance features.
Nmap is clearly a reconnaissance tool and Nessus is mainly a reconnaissance tool but it has some penetration testing functionality. Many of the single-purpose tools fall more cleanly into either the reconnaissance or exploitation category.
Reconnaissance often begins with searches of internet databases including DNS registries, WHOIS databases, Google, on-line news sources, business postings, and many other on-line resources. The reconnaissance phase often includes print media as well, specifically electronically searchable archives that would be found at a college library or large public library.
Nmap is a popular port scanning tool. Port scanning is typically a part of the reconnaissance phase of a penetration test or an attack. Sometimes attackers will limit their testing to a few ports while other times they will scan all available ports. To do a thorough job, a vulnerability scanner should scan all port and, in most cases, a penetration tester will scan all ports. An actual attacker may chose to not scan all ports if he finds a vulnerability that can be exploited because of the "noise" (excess traffic) a port scanner creates.
Another capability of nmap is its ability to determine the operating system of the target computer. Different networking implementations will respond differently to different network packets. Nmap maintains a type of database and will match the responses to make a guess at what type of operating system the target computer is running. This OS detection isn't perfectly accurate but it can help the attacker tailor his attack strategy, especially when coupled with other pieces of information.
Nessus is a popular vulnerability scanner that many security professionals use regularly. Nessus has a huge library of vulnerabilities and tests to identify them. In many cases, Nessus relies on the responses from the target computer without actually trying to exploit the system. Depending on the scope of a vulnerability assessment, the security tester may choose an exploitation tool to verify that reported vulnerabilities are exploitable.
Nessus includes port scanning and OS detection, so sometimes a vulnerability assessment will just use Nessus and let Nessus call nmap or other scanners for these components of the test. For a stealthy scan, a security professional or an attacker may choose to run these tools separately to avoid detection.
Packet Manipulation and Password Cracking Tools
There are many other reconnaissance tools within the penetration tester arsenal, but two categories bear special mention here: packet manipulation tools and password cracking tools. The former category includes tools like hping, that allows a penetration tester or attacker to create and send all types of specially crafted TCP/IP packets in order to test and exploit network-based security protections, such as firewalls and IDS/IPS. The password cracking category includes tools like John the Ripper or Cain and Able, which is used to detect and obtain weak password for multiple authentication mechanisms, such as the ones supported by most Unix and Windows operating systems.
Exploitation tools are used to verify that an actual vulnerability exists by exploiting it. It's one thing to have vulnerability testing software or banners indicate the possibility of an exploitable service, but quite another to exploit that vulnerability. Some of the tools in this category are used by both attackers and penetration testers. There are many more exploitation tools than the ones listed here. Many tools in this category are single-purpose tools that are designed to exploit one vulnerability on a particular hardware platform running a particular version of an exploitable system. The tools that we've highlighted here are unique in the fact that they have the ability to exploit multiple vulnerabilities on a variety of hardware and software platforms.
Metasploit Version 2.5
Metasploit is a relatively new addition to the penetration tester's tool belt. It provides attack libraries attack payloads that can be put together in a modular manner. The main purpose of Metasploit is to get to a command prompt on the target computer. Once a security tester has gotten to a command-line, it is quite possible that the target computer will be under his total control in a short time.
The currently released version of Metasploit Framework as of June, 2006 is version 2.5. Version 3.0 is out. This is a tool that attackers would use to take over, or own, a computer. Once an attacker can gain this level of access to a computer, they would often install code that would allow them to get back onto the computer more easily in the future. In some cases, a penetration tester would also install tools on the computer, but often they would simply document the access and what data was available and move on to other testing. This would depend on the defined scope of the testing. The security professional also would want to be careful about causing data loss or server instability that may result in lost productivity. A malicious attacker may be more cavalier about using the computer without regard to lost productivity, though a highly skilled attacker targeting a specific company may be very careful not to damage the system so that they can avoid detection.
SecurityForest Exploitation Framework
Although still technically in Beta version, the SecurityForest Exploitation Framework is another open-source tool that can be leveraged by penetration testers. This framework leverages a collection of exploit code known as the ExploitTree, and the Exploitation Framework is a front-end GUI that allows testers to launch exploit code through a Web browser (similar to Metasploit's Web interface). The Framework is very similar to Metasploit, in fact, with a few key differences. ExploitTree has a remarkable number of exploits included, but the vast majority of these are in pre-compiled format (most likely in a C file) or exist as Perl executables. They are also not natively integrated into the Framework. This framework is not nearly as extensible as some other tools; it primarily functions as a GUI to launch attacks from.
CORE IMPACT (version 5.1)
CORE IMPACT is a commercial penetration testing tool that combines a healthy dose of reconnaissance with exploitation and reporting into one point and click penetration testing tool. The main purpose of CORE IMPACT is to identify possible vulnerabilities in a program, exploit those vulnerabilities without causing system outages, and clearly document every step along the way so that the entire procedure can be verified by another party.
The CORE IMPACT penetration testing tool makes is easy for a network administrator or penetration tester to run tests against a network or host without having a whole suite of security testing utilities. Overall, we found the program to do a good job of scanning the network for vulnerabilities, successfully exploiting them, and reporting on the results. One really slick feature of CORE IMPACT is the ability to install an agent on a compromised computer and then launch additional attacks from that computer. This proved useful in an actual penetration testing assignment by allowing the tester to compromise one machine and from there run automated scans inside the network looking for additional machines. Those scans weren't quite as good as actually being on-site, but it did allow us to discover internal hosts from outside the network.
Analysis of Core Impact
All the systems were placed behind a Cisco PIX 515E firewall, with varying rules for each of the servers. The three servers that were default installs had no restrictions on the traffic allowed in or out of the firewall. The rules were "ICMP any any"and "IP any any". The three servers that were locked down had rules allowing traffic through the firewall that corresponded with their functions. For example, the Windows 2003 server was an eCommerce web-site. While the site is database driven, only port 80 and 443 were allowed through the firewall to the host. All outbound traffic from all systems was allowed.
CORE IMPACT successfully installed a level(0) agent on each of the Windows 2000 and Windows 2003 default installs, though all attempts to upgrade to level(1) agents failed. The SUSE 10 system was unharmed and not compromised. None of the servers that had appropriate firewall filtering were successfully compromised through the firewall.
Fig.5.1: Test Lab Network diagram.
Penetration Testing Reports
After performing a penetration test, compiling the results from the test into a legible format is key. As many key decision makers are not overly technical, it is critically important to have multiple sections to a report. One common structure for penetration testing reports is to include an Executive Summary, a Management Summary that includes some high-level operational details such as server IP addresses and what needs to be fixed immediately, and a Technical Summary with very specific results and remediation suggestions. Inclusion of "attack vectors" is important in a thorough penetration test, as well. Given the complexity of most IT environments today, it really does not suffice to indicate that a particular system has a vulnerability. Instead, it is more informative to first demonstrate exactly how this system was accessed, and then explain the vulnerability and exploit. For example, if a DMZ mail server was compromised, and then used as a "jump point" to access other systems, then this entire attack path should be laid out in detail for everyone to understand. The exploitation of trust relationships is a key factor that is difficult to represent by simple "canned" exploits or attack methods.
Penetration testing is like the annual physical at your doctor's office. CORE IMPACT and Metasploit Framework are diagnostic tools, much like a blood test or an X-ray. A blood test will check for many things, but it still takes a doctor to review the data, make inferences, perform additional tests and then reach a diagnostic conclusion. Penetration testing is no different. CORE IMPACT will test for many things, but it will always take a human to review the results and make inferences based on knowledge and experience that you will never be able to put in a tool. That being said, CORE IMPACT is an excellent diagnostic tool. It lowers the barrier of entry for the vast majority of a penetration test through intelligent automation. CORE IMPACT, a penetration tester can spend more time doing what humans do best: using their experience to make inferences and taking the penetration testing to places that only a human can go. As a result, the tester can do better work in less time meaning they can secure more systems without sacrificing the overall quality of their testing.