INFORMATIONAL MEMORANDUM

To: John Q. Smith, Information Technology Director


City Police Department

From:., Information Security Associate
City Police Department



Subject: Network Security Vulnerability Testing Permission Needed




As a result of the media exposure surrounding the City Police Department's
new police chief hire, the data network that supports the department was targeted
and compromised.
Our examinations, so far, have found that the data integrity of one of our servers
has been compromised and a plain text file was placed on the server without our
knowledge. Though the extent of the compromise has not yet been fully
determined, it is my recommendation that we commission an investigation by a
third party security organization to do a root cause analysis.
In the meantime, our initial response has been decided by management. We will
begin a network penetration test on our network infrastructure to identify and
exploit any gaping security holes (white hat). Knowing what happened that led to
this compromise is of great importance, but of even greater importance is to look
for any security flaws we find so that we aren't compromised again in the
immediate future.

To undertake this task of conducting a penetration test to find the holes in our
network infrastructure, we will need penetration testing tools. I have decided on the
following three penetration testing tools: Aircrack-ng, Nessus and Metasploit.


Descriptions and Limitations of Selected Tools

Aircrack-ng
Aircrack-ng is a group of wireless exploitation tools that allows an attacker to
penetrate an organization's or person's wireless network. According to Henry
Dalziel from concise-courses.com, Aircrack-ng is made up of several different
programs that include: aircrack-ng (which cracks WEP keys and performs WPA
dictionary attacks), airdecap-ng (which decrypts WEP or WPA encrypted capture
files), aireplay-ng (which is a packet injector), airodump-ng (which is a packet
sniffer), and several others.
(http://www.concise-courses.com/security/top-ten-pentesting-tools/)
Aircrack-ng is limited to use as an infiltration and wireless network access tool.
This limitation makes it good for gaining network access to an organization or
individual, but other tools would be required to completely penetrate a network.

Nessus
Nessus is a vulnerability scanning tool. It scans a target's IP and ports against a
database of known signatures. When a scan is complete and a match is found,
Nessus gives a list of the discovered vulnerabilities. These vulnerabilities can take
the form of security holes, default/common passwords, legacy exploits, zero-day
exploits or even misconfigurations.
Though Nessus has the ability to look for vulnerabilities, its capabilities outside of
scanning are limited. Though it does an amazing job of identifying potential attacks
against a target, it cannot exploit targets natively. Nessus's biggest limitation, in my
opinion, is its reliance on known signatures to trigger alerts. In other words, it can
only find vulnerabilities it specifically has updated information on.

Metasploit
Metasploit is a database of security vulnerability code and tools that helps security
professionals and hobbyists alike explore and exploit computer weaknesses.
Metasploit is one of the most, if not the most, popular security tools used by
information security professionals and penetration testers around the world.
Its limitation is that Metasploit has a steep learning curve. For the more
complicated exploits you need an understanding of computer logic and knowledge
of how to program in a few different languages (Python, C, etc.) in order to get the
most out of it.

Performing a Network Penetration Test

By themselves, Aircrack-ng, Nessus and Metasploit do not have enough
functionality to complete a penetration test. That is why we will use each of the three
tools for a specific phase of the entire penetration test.
To begin, I would start by using the Aircrack-ng suite to get network access
while outside of the Police Station (war driving). This would allow me a bit of
anonymity (reducing my risk of being discovered) while giving me a good chance
to crack the WPA2 protection and gain entry into the Police Station's wireless
network.
Assuming everything goes as planned, once I attain network access I would then
use the Nessus Vulnerability Scanner to map and search for vulnerable targets. The
Nessus scanner is automated and will search out any connected network in order to
find banners, server versions, protocols open/running, etc. With this information,
Nessus is able to match the discovered servers to profiles it keeps in its database.
When a match is found, Nessus will display a report of vulnerabilities based on
that discovered server's information and then rank those vulnerabilities by severity
level. The higher the severity, the greater the risk. Those servers with high risks
and available exploits are the servers I will attack.
Once the vulnerabilities are exposed, a server with a high likelihood of being
compromised will be selected. The selected server should be the highest value
target that's the easiest to exploit; that's where Metasploit would become useful. I
would use the Metasploit Open Source project to find specific relevant exploit
tools or code that matches the weakness (discovered by Nessus) in my server.
Once I have network access, a target and code to exploit my target, I can change the
Metasploit provided attack scripts to fit the network I want to attack and begin my
exploit.


Conclusion

It is my professional recommendation that we move forward with acquiring these three
testing tools as soon as possible. Our network has been compromised and we have
to take decisive yet swift action in order to adopt a more secure network
environment.


.
Information Security Associate
City Police Department