
Upload: madison-mccoy

Post on 23-Dec-2015


Page 1: Penetration Testing Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802 chu@ist.psu.edu

Penetration Testing

Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
chu@ist.psu.edu

Page 2:

Objectives

This module will familiarize you with the following:

• What does a malicious hacker do?
• Types of security tests.
• What is penetration testing?
• Why penetration testing?
• Legal aspects of penetration testing.
• Vulnerability assessment vs. penetration testing.
• How to conduct penetration testing?
• Tools for penetration testing.

Page 3:

Readings

• NIST, “Guideline on Network Security Testing,” Special Publication 800-42, 2003. (Sec. 3-10). (Required)

• Wikipedia, “Penetration Test,” http://en.wikipedia.org/wiki/Penetration_test

• Herzog, P., “OSSTMM Open-Source Security Testing Methodology Manual,” V. 2.2., ISECOM, 2006.

• Layton, Sr., T. P., “Penetration Studies – A Technical Overview,” SANS Institute, 2001.

• NIST, “Technical Guide to Information Security Testing and Assessment,” Special Publication 800-115, September 2008.

• Northcutt, S., Shenk, J., Shackleford, D., Rosenberg, T., Siles, R. and Mancini, S., “Penetration Testing: Assessing Your Overall Security Before Attackers Do,” SANS Analyst Program, June 2006.

Page 4:

What Does a Malicious Hacker Do

• Reconnaissance: active / passive
• Scanning
• Gaining access: operating system level / application level; network level; denial of service
• Maintaining access: uploading / altering / downloading programs or data
• Clearing tracks

Page 5:

Perspective of Adversary

Attack phases and the example activities the diagram places under each:

• Reconnaissance: web-based information collection; social engineering
• Scanning: broad network mapping; targeted scan
• System access: service vulnerability exploitation; password cracking
• Damage: DDoS code installation; system file deletion; use of stolen accounts for attack
• Clear tracks: log file changes

Defensive layers shown against these phases: Preventive Phase (Defense), Proactive Security (Real Time), Reactive Security (Incident Response). The Penetration Testing Report (Recommendation for Security) feeds back into the preventive phase.

Page 6:

Types of Attacks

The ways a hacker uses to gain access to a system can be classified as:

• Operating system attacks. Attackers look for OS vulnerabilities (via services, ports and modes of access) and exploit them to gain access.

• Application-level attacks (programming errors; buffer overflow).

• Shrink wrap code attacks. OS or applications often contain sample scripts for administration. If these scripts are not properly fine-tuned, they may lead to default code or shrink wrap code attacks.

• Misconfiguration attacks. Systems that should be fairly secure are hacked into because they were not configured correctly.

Pages 7-10: (no extractable text)

Page 11:

Security Testing Techniques

• Network Scanning

• Vulnerability Scanning

• Password Cracking

• Log Review

• Integrity Checkers

• Virus Detection

• War Dialing

• War Driving (802.11 or wireless LAN testing)

• Penetration Testing

Often, several of these testing techniques are used together to gain a more comprehensive assessment of the overall network security posture.

(NIST SP 800-42, 2003)

Page 12:

Security Testing Methods

Every organization uses different types of security testing methods to validate the level of security on its network resources.

[Diagram (OSSTMM, 2006): the methods Vulnerability Scanning, Penetration Testing, Ethical Hacking, OSSTMM Security Test and Audit, arranged by how hands-on, thorough and accurate each one is.]

Page 13:

What is Penetration Testing?

• A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source.

• The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures.

• The intent of a penetration test is to determine the feasibility of an attack and the amount of business impact of a successful exploit, if discovered.

(Source: http://en.wikipedia.org/wiki/Penetration_test)

Page 14:

Why Penetration Testing?

• Computer related crime is on the rise.

• Find holes now before somebody else does.

• Report problems to management.

• Verify secure configurations.

• Security training for network staff.

• Discover gaps in compliance.

• Testing new technology.

(Source: Northcutt et al., 2006)

Page 15:

Legal Aspects of PT

• U.S. Cyber Security Enhancement Act 2002: Life sentences for hackers who “recklessly” endanger the lives of others.

• U.S. Statute 1030, Fraud and Related Activity in Connection with Computers. Whoever intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage or impairs medical treatment, can receive a fine or imprisonment of five to 20 years.

• Attacking a network from the outside carries ethical and legal risk to you, the tester, and remedies and protections must be spelled out in detail before the test is carried out. Thus, it's vital that you receive specific written permission to conduct the test from the most senior executive.
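The written permission the slide calls for only protects the tester if the engagement actually stays inside it. One practical safeguard is to encode the authorized scope and test window in the tooling and refuse anything outside them, keeping a record of every decision. The following is an added example for these slides, not code from the slides, from NIST or from any named tool; the rules of engagement, addresses (RFC 5737 / RFC 3849 documentation ranges) and window are constructed, and `RULES_OF_ENGAGEMENT`, `check_target` and `is_authorized` are names chosen here.

```python
"""Rules-of-engagement guard: refuse any test action whose target or timing falls
outside the written authorization. Added example; the rules below are constructed."""
from datetime import datetime, timezone
import ipaddress

# Constructed rules of engagement: the facts a signed authorization should pin down.
RULES_OF_ENGAGEMENT = {
    "authorized_by": "<name and title of the signing executive>",  # placeholder
    "in_scope": ["192.0.2.0/24", "2001:db8:10::/48"],
    "excluded": ["192.0.2.250/32"],  # e.g. a production host the client carved out
    "window_start": datetime(2024, 1, 8, 22, 0, tzinfo=timezone.utc),
    "window_end": datetime(2024, 1, 9, 6, 0, tzinfo=timezone.utc),
}

# Every decision is appended here so the engagement can be reconstructed afterwards.
AUDIT_LOG = []


class OutOfScope(Exception):
    """Raised when an action would leave the authorized scope or time window."""


def check_target(target, roe=RULES_OF_ENGAGEMENT, now=None):
    """Raise OutOfScope unless `target` is in scope, not excluded, and `now` is in the window.
    `now` may be a timezone-aware datetime, an ISO-8601 string, or None (current UTC time)."""
    addr = ipaddress.ip_address(target)
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    try:
        # ipaddress returns False for a cross-version check (IPv6 address in IPv4 net),
        # so mixed scope lists are safe.
        if not any(addr in ipaddress.ip_network(n) for n in roe["in_scope"]):
            raise OutOfScope(f"{target} is not in the authorized scope")
        if any(addr in ipaddress.ip_network(n) for n in roe["excluded"]):
            raise OutOfScope(f"{target} is explicitly excluded from testing")
        if not roe["window_start"] <= now <= roe["window_end"]:
            raise OutOfScope(f"{now.isoformat()} is outside the authorized test window")
    except OutOfScope as exc:
        AUDIT_LOG.append((now.isoformat(), target, "REFUSED", str(exc)))
        raise
    AUDIT_LOG.append((now.isoformat(), target, "ALLOWED", ""))
    return True


def is_authorized(target, roe=RULES_OF_ENGAGEMENT, now=None):
    """Boolean wrapper around check_target for callers that prefer a flag to an exception."""
    try:
        return check_target(target, roe, now)
    except OutOfScope:
        return False


if __name__ == "__main__":
    during_window = "2024-01-09T01:00:00+00:00"
    for t in ("192.0.2.15", "192.0.2.250", "198.51.100.7", "2001:db8:10::5"):
        print(t, "allowed" if is_authorized(t, now=during_window) else "refused")
    print(*AUDIT_LOG, sep="\n")
```

Call `check_target` before every action that touches a host; an out-of-scope or out-of-window request fails closed and leaves an audit entry, which is the evidence both the tester and the customer want if a question about the engagement's boundaries arises later.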

Page 16:

Legal Aspects of PT

• Your customer also requires protection measures. You must be able to guarantee discretion and non-disclosure of sensitive company information by demonstrating a commitment to the preservation of the company's confidentiality. The designation of red and green data classifications must be discussed before the engagement, to help prevent sensitive data from being re-distributed, deleted, copied, modified or destroyed.

• The credibility of your firm as to its ability to conduct the testing without interruption of the customer's business or production is also of paramount concern. You must employ knowledgeable engineers who know how to use minimal bandwidth tools to minimize the test's impact on network traffic.

Page 17:

Vulnerability Assessment

• Vulnerability assessment scans a network for known security weaknesses.

• Vulnerability scanning tools search network segments for IP-enabled devices and enumerate systems, operating systems, and applications.

• Vulnerability scanners can test systems and network devices for exposure to common attacks.

• Vulnerability scanners can identify common security configuration mistakes.

Page 18:

Limitations of Vulnerability Assessment

• A vulnerability scanning tool is limited in its ability to detect vulnerabilities at a given point in time.

• A vulnerability scanning tool must be updated when new vulnerabilities are discovered or improvements are made to the software being used.

• The methodology used and the diverse vulnerability scanning tools assess security differently, which can influence the result of the assessment.

Page 19:

Vulnerability Assessment vs. Penetration Test

• Vulnerability assessment is a process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. It reveals potential security vulnerabilities or changes in the network which can be exploited by an attacker for malicious intent.

• A penetration test is a method of evaluating the security state of a system or network by simulating an attack from a malicious source. This process involves identification and exploitation of vulnerabilities in a real-world scenario which may exist in the systems due to improper configuration, known or unknown weaknesses in hardware or software systems, operational weaknesses or loopholes in deployed safeguards.
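The "quantifying and prioritizing" part of a vulnerability assessment is where a raw scanner report is turned into a work order. The block below is an added example for these slides, not the slides' own method or any scanner's output. It assumes each finding carries a CVSS-style base score (0-10) and scales it by two contextual factors, network exposure and asset criticality, whose weights (`EXPOSURE_WEIGHT`, `ASSET_WEIGHT`) are chosen here for illustration; the findings themselves are constructed and describe no real vulnerability.

```python
"""Quantify and rank findings from a vulnerability assessment (added example).
Base score alone orders F-1 and F-4 first; once reachability and asset value are
applied, the internet-facing critical host's finding (F-2) comes out on top."""

EXPOSURE_WEIGHT = {"internet": 1.0, "partner": 0.8, "internal": 0.6, "isolated": 0.3}
ASSET_WEIGHT = {"critical": 1.0, "high": 0.8, "medium": 0.6, "low": 0.4}

# Constructed findings: ids, hosts and titles are illustrative only.
FINDINGS = [
    {"id": "F-1", "host": "192.0.2.20", "title": "unpatched file-transfer service (constructed)",
     "base_score": 9.8, "exposure": "internal", "asset": "medium"},
    {"id": "F-2", "host": "192.0.2.10", "title": "outdated web server version (constructed)",
     "base_score": 7.5, "exposure": "internet", "asset": "critical"},
    {"id": "F-3", "host": "192.0.2.10", "title": "TLS configuration allows weak ciphers (constructed)",
     "base_score": 5.3, "exposure": "internet", "asset": "high"},
    {"id": "F-4", "host": "192.0.2.40", "title": "default credentials on isolated lab device (constructed)",
     "base_score": 9.8, "exposure": "isolated", "asset": "low"},
    {"id": "F-5", "host": "192.0.2.30", "title": "missing patches on partner-facing gateway (constructed)",
     "base_score": 6.5, "exposure": "partner", "asset": "critical"},
]


def risk_score(finding):
    """Quantify: base severity scaled by how reachable the host is and how much it matters."""
    weight = EXPOSURE_WEIGHT[finding["exposure"]] * ASSET_WEIGHT[finding["asset"]]
    return round(finding["base_score"] * weight, 2)


def band(score):
    """Qualitative band using the CVSS v3 rating thresholds, applied here to the contextual score."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def prioritize(findings):
    """Rank: highest contextual risk first; ties broken by base score, then id, for stable output."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f), -f["base_score"], f["id"]))
    return [(f["id"], risk_score(f), band(risk_score(f))) for f in ranked]


def by_base_score(findings):
    """What an unweighted scanner report would show: base score only, no context."""
    return [f["id"] for f in sorted(findings, key=lambda f: (-f["base_score"], f["id"]))]


if __name__ == "__main__":
    print("scanner order :", by_base_score(FINDINGS))
    for fid, score, label in prioritize(FINDINGS):
        print(f"{fid}  {score:5.2f}  {label}")
```

The weights are the part to negotiate with the asset owners before the assessment, not after; the ranking is only as defensible as the exposure and criticality labels behind it.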

Page 20:

Types of Security Tests

[Diagram (OSSTMM): the six test types plotted by the attacker's knowledge of the target (horizontal axis) against the target's knowledge of the attack (vertical axis): Blind, Double Blind, Gray Box, Double Gray Box, Tandem, Reversal. The diagram also marks the Black Box, White Box, Red team and Blue team positions.]

Page 21: (no extractable text)

Page 22:

Penetration Testing Process

Planning, then Discovery, then Attack, then Reporting, with an Additional Discovery loop from the Attack phase back to Discovery. (NIST SP 800-42, 2003)

• Discovery: reconnaissance; scanning; enumerating
• Attack: gaining access; escalating privilege; system browsing
• Actions: lack of security policy; poorly enforced policy; misconfiguration; software reliability; failure to apply patches

Page 23:

Discovery Phase of PT

Steps:

• Gather initial information
• Determine the network range
• Identify active machines
• Discover open ports and access points
• Fingerprint the operating system
• Uncover services on ports
• Map the network

Tools by activity:

• Footprinting: Whois, SmartWhois, NsLookup, Sam Spade
• Port scanning: NMap, Ping, Traceroute, Superscan
• Enumerating: Netcat, NeoTrace, Visual Route

Page 24:

Attack Phase Steps with Loopback

Discovery Phase, then Gaining Access, Escalating Privilege, System Browsing and Install Additional Test Software, looping back to the Discovery Phase.

• Gaining access: enough data has been gathered in the discovery phase to make an informed attempt to access the target.

• Escalating privilege: if only user-level access was obtained in the last step, the tester will now seek to gain complete control of the system.

• System browsing: the information-gathering process begins again to identify mechanisms to gain access to trusted systems.

Page 25:

Types of Penetration Test

• External test: black box; white box; gray box

• Internal test: curious employee; disgruntled end user; disgruntled administrator

Page 26:

When is Testing Necessary?

• Penetration testing was traditionally done once or twice a year due to the high cost of service.

• Automated penetration testing software is enabling organizations today to test more often.

[Diagram: a test is triggered by an upgrade, a new attack, quality assurance and a rollout, in addition to periodic testing.]

Page 27:

Become Certified