PenTest: Get to Know Yourself Before Others Do

Wednesday, December 14, 2011

Malgorzata Skora

1a490136c27502563c62267354024cd5

Article by Milind Bhargava

In the past several years, it has become apparent that there is real money to be made from criminal hacking, and identity theft is one of the world’s fastest growing problems.

Although there are many ways to secure systems and applications, the only way to truly know how secure you are is to test yourself.

By performing penetration tests against your environment, you can actually replicate the types of actions that a malicious attacker would take, giving you a more accurate representation of your security posture at any given time.

Although most penetration testing methods have traditionally been somewhat ad-hoc, that has changed in the last several years. Robust, repeatable testing methodologies now exist, and high quality commercial tools can be implemented to ensure that both testing parameters and results are high-quality and trustworthy.

What is Pen-Testing?

Penetration testing is the process of attempting to gain access to resources without knowledge of usernames, passwords and other normal means of access. If the focus is on computer resources, then examples of a successful penetration would be obtaining or subverting confidential documents, pricelists, databases and other protected information.

The main thing that separates a penetration tester from an attacker is permission.The penetration tester will have permission from the owner of the computing resources that are being tested and will be responsible to provide a report. The goal of a penetration test is to increase the security of the computing resources being tested.

In many cases, a penetration tester will be given user- level access and in those cases, the goal would be to elevate the status of the account or user other means to gain access to additional information that a user of that level should not have access to.

Some penetration testers are contracted to find one hole, but in many cases, they are expected to keep looking past the first hole so that additional vulnerabilities can be identified and fixed. It is important for the pen- tester to keep detailed notes about how the tests were done so that the results can be verified and so that any issues that were uncovered can be resolved.

It’s important to understand that it is very unlikely that a pen-tester will find all the security issues. As an example, if a penetration test was done yesterday, the organization may pass the test.

However, if today is Microsoft’s patch Tuesday and now there’s a brand new vulnerability in some Exchange mail servers that were previously considered secure, and next month it will be something else. Maintaining a secure network requires constant vigilance.

Pen-Testing vs. Vulnerability Assessment

The main focus of this article is penetration testing but there is often some confusion between penetration testing and vulnerability assessment. The two terms are related but penetration testing has more of an emphasis on gaining as much access as possible while vulnerability assessment places the emphasis on identifying areas that are vulnerable to a computer attack.

An automated vulnerability scanner will often identify possible vulnerabilities based on service banners or other network responses that are not in fact what they seem. A vulnerability assessor will stop just before compromising a system, whereas a penetration tester will go as far as they can within the scope of the contract.

It is important to keep in mind that you are dealing with a Test. A penetration test is like any other test in the sense that it is a sampling of all possible systems and configurations. Unless the contractor is hired to test only a single system, they will be unable to identify and penetrate all possible systems using all possible vulnerabilities. As such, any penetration test is a sampling of the environment. Furthermore, most testers will go after the easiest targets first.

How Vulnerabilities Are Identified

Vulnerabilities need to be identified by both the penetration tester and the vulnerability scanner. The steps are similar for the security tester and an unauthorized attacker. The attacker may choose to proceed more slowly to avoid detection, but some penetration testers will also start slowly so that the target company can learn where their detection threshold is and make improvements.

The first step in either a penetration test or a vulnerability scan is reconnaissance. This is where the tester attempts to learn as much as possible about the target network as possible. This normally starts with identifying publicly accessible services such as mail and web servers from their service banners.

Many servers will report the Operating System they are running on, the version of software they are running, patches and modules that have been enabled, the current time, and perhaps even some internal information like an internal server name or IP address.

Once the tester has an idea what software might be running on the target computers that information needs to be verified. The tester really doesn’t KNOW what is running but he may have a pretty good idea. The information that the tester has can be combined and then compared with known vulnerabilities, and then those vulnerabilities can be tested to see if the results support or contradict the prior information.

In a stealthy penetration test, these first steps may be repeated for some time before the tester decides to launch a specific attack. In the case of a strict vulnerability assessment, the attack may never be launched so the owners of the target computer would never really know if this was an exploitable vulnerability or not.

Most hackers follow a common approach when it comes to penetration testing. In the context of penetration testing, the tester is limited by resources namely time, skilled resources, and access to equipment; as outlined in the penetration testing agreement. A pentest simulates methods that intruders see to gain unauthorized access to an organization’s networked systems and then compromise them.

Why Pentest?

There are a variety of reasons for performing a penetration test. One of the main reasons is to find vulnerabilities and fix them before an attacker does. Sometimes, the IT department is aware of reported vulnerabilities but they need an outside expert to officially report them so that management will approve the resources necessary to fix them. Having a second set of eyes check out a critical computer system is a good security practice. Testing a new system before it goes on-line is also a good idea.

Another reason for a penetration test is to give the IT department at the target company a chance to respond to an attack. The Payment Card Industry (PCI) Data Security Standard (DSS), and other recent security recommendations and regulations, require external security testing.

Find Holes Now Before Somebody Else Does

At any given time, attackers are employing any number of automated tools and network attacks looking for ways to penetrate systems. Only a handful of those people will have access to 0-day exploits, most will be using well known (and hence preventable) attacks and exploits.

Penetration testing provides IT management with a view of their network from a malicious point of view. The goal is that the penetration tester will find ways into the network so that they can be fixed before someone with less than honorable intentions discovers the same holes.

In a sense, think of a Penetration Test as an annual medical physical. Even if you believe you are healthy, your physician will run a series of tests (some old and some new) to detect dangers that have not yet developed symptoms.

Report Problems to Management

If a CSO (or security team) has already pointed out to upper management the lack of security in the environment, penetration testing results help to justify the resources to address those needs.

Often an internal network team will be aware of weaknesses in the security of their systems but will have trouble getting management to support the changes that would be necessary to secure the systems. By having an outside group with a reputation for security expertise analyzes a system; management will often respect that opinion more.

Furthermore, an outside tester has no vested interest in their results. Inside a corporation of ny size, there will be political struggles and resource constraints. Administrators and techies are always asking for budget increases for new technology. By using an independent third party to verify the need, management will have an additional justification for approving or denying the expenditure of money on security technologies.

Similarly, system administrators who know the intricacies of their environment are often aware of how to compromise their network. As such, it is not uncommon for management to assume that without such knowledge, an attacker would be unable to gain unauthorized entry. By using a third party who operates with no inside knowledge, the penetration testing team may be able to identify the same vulnerability and help convince management that it needs to be resolved.

A penetration testing team may also be able to prove that an exploit exists while the internal network staff “knew” it was there but wasn’t quite able to pull all the pieces together to demonstrate the exploit effectively. Remember that ultimate responsibility for the security of IT assets rests with management. This responsibility rests with management because it is they, not the administrators, who decide what the acceptable level of risk is for the organization.

Verify Secure Configurations

If the CSO (or security team) are confident in their actions and final results, the penetration test report verifies that they are doing a good job. Having an outside entity verify the security of the system provides a view that is devoid of internal preferences.

An outside entity can also measure the team’s efficiency as security operators. The penetration test doesn’t make the network more secure, but it does identify gaps between knowledge and implementation.

Security Training For Network Staff

Penetration testing gives security people a chance to recognize and respond to a network attack. For example, if the penetration tester successfully compromises a system without anyone knowing, this could be indicative of a failure to adequately train staff on proper security monitoring.

Testing the monitoring and incident handling teams can show if they are able to figure out what is going on and how effective their response is. When the security staff doesn’t identify hostile activity, the post-testing reporting can be used to help them hone their incident response skills.

Discover Gaps in Compliance

Using penetration testing as a means to identify gaps in compliance is a bit closer to auditing than true security engineering, but experienced penetration testers often breach a perimeter because someone did not get all the machines patched, or possibly because a non-compliant machine was put up temporarily and components specifically related to system auditing and security.

Testing New Technology

The ideal time to test new technology is before it goes into production. Performing a penetration test on new technologies, applications and environments before they go into production can often save time and money because it is easier to test and modify new technology while nobody is relying on it. Some examples might include a new externally facing web server with OAP enabled, a new wireless infrastructure, or the introduction of mobile messaging gateways.

Tools

Open source tools can help you determine what your problems will be before someone else does. There are a wide variety of tools that are used in penetration testing. These tools are of two main types; reconnaissance or vulnerability testing tools and exploitation tools.

While penetration testing is more directly tied to the exploitation tools, the initial scanning and reconnaissance is often done using less intrusive tools. Then once the targets have been identified the exploitation attempts can begin.

The line between these tools is very muddy. For example Metasploit 2.5 is clearly a penetration testing tool with almost no reconnaissance functionality but version 3.0 will be adding some reconnaissance features. Nmap is clearly a reconnaissance tool and Nessus is mainly a reconnaissance tool but it has some penetration testing functionality. Many of the single-purpose tools fall more cleanly into either the recon- naissance or exploitation category.

Nmap – Open Source port scanner at heart (Nmap). Port scanning is typically a part of the reconnaissance phase of a penetration test or an attack. Sometimes attackers will limit their testing to a few ports while other times they will scan all available ports. To do a thorough job, a vulnerability scanner should scan all port and, in most cases, a penetration tester will scan all ports. An actual attacker may choose to not scan all ports if he finds a vulnerability that can be exploited because of the noise (excess traffic) a port scanner creates.

Another capability of Nmap is its ability to determine the operating system of the target computer. Different networking implementations will respond differently to different network packets. Nmap maintains a type of database and will match the responses to make a guess at what type of operating system the target computer is running.

This OS detection isn’t perfectly accurate but it can help the attacker tailor his attack strategy, especially when coupled with other pieces of information. Around for years, more popular, a lot more than just port scan – fingerprint, evasion techniques, custom scripting.

What it will help us test

Zero Day Exploits, Network Connected Devices, Client Side Attacks, Windows 7, everything, more information and application can be download from http:// www.nmap.org.

For the purpose of demonstration, I have chosen a website that needs to be scanned for vulnerabilities and then I will show how they can be exploited. First we scan it using Nmap.As you can see in Figure 1, Nmap starts scanning immediately for open ports, running OS detection etc.

After the scan has completed, you get a report such as the one shown below in Figure 2: Open ports and services running. This will tell you the open ports and services running on them. Many web administrators leave the anonymous login via ftp enabled and thus allow malicious hackers to get in and steal data.

This only gives us a brief idea of what we are dealing with. If not much else, it gives you a very good idea of what you shall be dealing with, which takes us to the next application.

For a more detailed view, we will use Acunetix’s Web Vulnerability Scanner that can be downloaded from: http:// www.acunetix.com/cross-site-scripting/scanner.htm. We now scan another website, Figure 3 shows us the vulnerabilities present on the websites and also the ports open.

The above report makes us very curious, seeing how many SQL and Blind SQL Injection vulnerabilities are present. Such vulnerabilities in large companies can lead to serious loss of data to the end users as well as huge financial loss to the company itself.

Now we select the SQL Vulnerabilities section and we get the following: Figure 4 above shows us different pages where different SQL Injection vulnerabilities exist. These can range from simple access to database for viewing or can even modify it. The malicious hacker can then for example change the billing amount or steal confidential financial information for his own gain. The following is the report generated by Acunetix as shown is Figure 4.

Conclusion

Penetration testing is like the annual physical at your doctor’s office. Accunetix WVS and Nmap are diagnostic tools, much like a blood test or an X-ray. A blood test will check for many things, but it still takes a doctor to review the data, make inferences, perform additional tests and then reach a diagnostic conclusion.

Penetration testing is no different. Accunetix WVS will test for many things, but it will always take a human to review the results and make inferences based on knowledge and experience that you will never be able to put in a tool. That being said, Accunetix WVS is an excellent diagnostic tool. It lowers the barrier of entry for the vast majority of a penetration test through intelligent automation.

Bibliography

• Retrieved from Acunetix Web Vulnerability Scanner: http://www.acunetix.com/cross-site-scripting/scanner.htm
• Retrieved from Nmap: http://www.nmap.org/
• Retrieved from https://www.eccouncil.org/certification/ certified_ethical_hacker.aspx
• Retrieved from https://www.eccouncil.org/certification/ ec-council_certified_security_analyst.aspx


Milind Bhargava, (CEH), (ECSA) is in love with the field of Information Security, in pursuit of his love he has completed his CEH & ECSA certifications in 2010 from EC-Council and completed IT Security & Ethical Hacking course from Appin Noida, India. He has worked as Head of IT for an Oil & Gas MNC in Doha, Qatar, where his responsibilities included but were not limited to Network Security. He believes that ethical hacking is an addiction, which you can never master. It’s a skill which you can control, but never stop learning more about. And so he continues on his quest as an eternal student. This is also his frst attempt at writing an article, and he hopes you like it.

Contributed by PenTest Magazine

Possibly Related Articles:
15202
Network->General
Information Security
Compliance Open Source Scanners Tools Vulnerability Assessments Penetration Testing Metasploit Nmap Network Security Pentesting
Post Rating I Like this!
1ecccc0718eb6582398a6147ae61de59
Thanyaw Zinmin As a CMS developer I read some of the security white papers and I have sense that we are the best to hack back ourselves.CMS already have been tested in all directions but some file upload access and user level permissions are the worst for us[web dev-per].Thanks for your knowledge.
1323962902
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked