
Penetration Testing

Chao-Hsien Chu, Ph.D.


College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
chu@ist.psu.edu
Objectives
This module will familiarize you with the following:
What does a malicious hacker do?
Types of security tests.
What is penetration testing?
Why penetration testing?
Legal aspects of penetration testing.
Vulnerability assessment vs. penetration testing.
How to conduct penetration testing?
Tools for penetration testing.
Readings
NIST, Guideline on Network Security Testing, Special Publication 800-42, 2003 (Sec. 3-10). (Required)
Wikipedia, Penetration Test, http://en.wikipedia.org/wiki/Penetration_test
Herzog, P., OSSTMM: Open-Source Security Testing Methodology Manual, v. 2.2, ISECOM, 2006.
Layton, Sr., T. P., Penetration Studies: A Technical Overview, SANS Institute, 2001.
NIST, Technical Guide to Information Security Testing and Assessment, Special Publication 800-115, September 2008.
Northcutt, S., Shenk, J., Shackleford, D., Rosenberg, T., Siles, R. and Mancini, S., Penetration Testing: Assessing Your Overall Security Before Attackers Do, SANS Analyst Program, June 2006.
What Does a Malicious Hacker Do
Reconnaissance: active/passive.
Scanning.
Gaining Access: operating system level / application level; network level; denial of service.
Maintaining Access: uploading/altering/downloading programs or data.
Clearing Tracks.
Penetration Testing Report (Recommendation for Security)
Perspective of Adversary
Figure: attack phases as seen by the adversary, left to right: Reconnaissance, Scanning, System Access, Damage, Clear Tracks.
Example activities shown across the phases, in reading order: web-based information collection, social engineering, broad network mapping, targeted scan, service vulnerability exploitation, password cracking, DDoS, code installation, system file deletion, use of stolen accounts for attack, log file changes.
Defensive bands shown under the phases: Preventive Phase (Defense), Proactive Security (Real Time), Reactive Security (Incident Response).
Types of Attacks
The ways a hacker gains access to a system can be classified as:
Operating system attacks. Attackers look for OS vulnerabilities (via services, ports and modes of access) and exploit them to gain access.
Application-level attacks (programming errors; buffer overflow).
Shrink-wrap code attacks. Operating systems and applications often ship with sample scripts for administration. If these scripts are not properly fine-tuned, they can lead to default code or shrink-wrap code attacks.
Misconfiguration attacks. Systems that should be fairly secure are hacked into because they were not configured correctly.
Security Testing Techniques
Network Scanning
Vulnerability Scanning
Password Cracking
Log Review
Integrity Checkers
Virus Detection
War Dialing
War Driving (802.11 or wireless LAN testing)
Penetration Testing
Often, several of these testing techniques are used together to gain more
comprehensive assessment of the overall network security posture.
(NIST SP 800-42, 2003)
Security Testing Methods
Every organization uses different types of security testing methods to validate the level of security on its network resources.
Figure: security testing methods plotted by how thorough they are (horizontal axis) against how accurate they are (vertical axis): Penetration Testing, Ethical Hacking, OSSTMM Security Test, Vulnerability Scanning, Hands-on Audit.
(OSSTMM, 2006)
What is Penetration Testing?
A penetration test is a method of evaluating the security of
a computer system or network by simulating an attack from
a malicious source.
The process involves an active analysis of the system for
any potential vulnerabilities that may result from poor or
improper system configuration, known and/or unknown
hardware or software flaws, or operational weaknesses in
process or technical countermeasures.
The intent of a penetration test is to determine the feasibility of
an attack and the business impact of a successful exploit, if one
is discovered.
(Source: http://en.wikipedia.org/wiki/Penetration_test)
Why Penetration Testing?
Computer related crime is on the rise.
Find holes now before somebody else does.
Report problems to management.
Verify secure configurations.
Security training for network staff.
Discover gaps in compliance.
Testing new technology.
(Source: Northcutt et al., 2006)
Legal Aspects of PT
U.S. Cyber Security Enhancement Act 2002: Life sentences
for hackers who recklessly endanger the lives of others.
U.S. Statute 1030, Fraud and Related Activity in Connection
with Computers. Whoever intentionally accesses a protected
computer without authorization, and as a result of such
conduct, recklessly causes damage or impairs medical
treatment, can receive a fine or imprisonment of five to 20
years.
Attacking a network from the outside carries ethical and legal
risk to you, the tester, and remedies and protections must be
spelled out in detail before the test is carried out. Thus, it is
vital that you receive specific written permission to conduct
the test from the most senior executive.
Legal Aspects of PT
Your customer also requires protection measures. You must be
able to guarantee discretion and non-disclosure of sensitive
company information by demonstrating a commitment to the
preservation of the company's confidentiality. The designation
of red and green data classifications must be discussed before
the engagement, to help prevent sensitive data from being re-
distributed, deleted, copied, modified or destroyed.
The credibility of your firm as to its ability to conduct the
testing without interruption of the customer's business or
production is also of paramount concern. You must employ
knowledgeable engineers who know how to use minimal
bandwidth tools to minimize the test's impact on network
traffic.
Vulnerability Assessment
Vulnerability assessment scans a network
for known security weaknesses.
Vulnerability scanning tools search network
segments for IP-enabled devices and
enumerate systems, operating systems, and
applications.
Vulnerability scanners can test systems and
network devices for exposure to common
attacks.
Vulnerability scanners can identify common
security configuration mistakes.
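As an added illustration of the last point (this is example code written for this module, not from the slides or any scanner product), the following checks an SSH daemon configuration for a handful of common mistakes. It shows a weak configuration beside its corrected form, and it reports a finding when the effective value of a directive, whether set explicitly or left at its default, is not acceptable. The sample configs are constructed; the defaults in RULES are the ones documented in sshd_config(5) for OpenSSH and should be verified against the version actually deployed.

```python
# Added example, not from the slides: a checker for common SSH daemon
# configuration mistakes, the kind of check a vulnerability scanner applies
# when it identifies security configuration mistakes. Sample configs are
# constructed; the defaults are those documented in sshd_config(5) for
# OpenSSH and should be verified against your version.

WEAK_SSHD_CONFIG = """\
# constructed sample: weak settings
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
"""

HARDENED_SSHD_CONFIG = """\
# constructed sample: corrected settings
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
"""

# directive -> (value applied when the directive is absent, acceptable values, finding text)
RULES = {
    "PermitRootLogin": ("prohibit-password", {"no"},
                        "root can log in directly over SSH"),
    "PasswordAuthentication": ("yes", {"no"},
                               "password logins allowed; prefer key-based authentication"),
    "PermitEmptyPasswords": ("no", {"no"},
                             "accounts with empty passwords can log in"),
    "X11Forwarding": ("no", {"no"},
                      "X11 forwarding enabled; exposes client displays to the server"),
}


def parse_sshd_config(text: str) -> dict:
    """Parse 'Keyword value' lines into a dict keyed by lower-cased keyword.

    Comment and blank lines are ignored. As in sshd itself, the first
    occurrence of a keyword wins, so a later duplicate cannot override it.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_sshd(text: str) -> list:
    """Return one finding per rule whose effective value is not acceptable."""
    settings = parse_sshd_config(text)
    findings = []
    for directive, (default, acceptable, message) in RULES.items():
        explicit = settings.get(directive.lower())
        effective = explicit if explicit is not None else default
        if effective.lower() not in acceptable:
            findings.append({
                "directive": directive,
                "value": effective,
                "source": "explicit" if explicit is not None else "default",
                "finding": message,
            })
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, [f["directive"] for f in check_sshd(cfg)])
```

Two caveats a practitioner should keep in mind: this flat parser ignores Match blocks, which can re-enable a setting for particular users or source addresses, and a finding whose source is "default" depends on the daemon version, which is exactly the kind of version drift that makes scanners produce different results on the same host.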
Limitations of Vulnerability Assessment
A vulnerability scanning tool is limited in its ability to detect vulnerabilities at a given point in time.
A vulnerability scanning tool must be updated when new vulnerabilities are discovered or improvements are made to the software being used.
The methodology used and the diverse vulnerability scanning tools assess security differently, which can influence the result of the assessment.
Vulnerability Assessment vs. Penetration Test
Vulnerability assessment is a process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. It reveals potential security vulnerabilities or changes in the network which can be exploited by an attacker with malicious intent.
A penetration test is a method of evaluating the security state of a system or network by simulating an attack from a malicious source. This process involves identification and exploitation of vulnerabilities in real-world scenarios; these vulnerabilities may exist in the systems due to improper configuration, known or unknown weaknesses in hardware or software systems, operational weaknesses, or loopholes in deployed safeguards.
Types of Security Tests
Figure: OSSTMM security test types plotted by the attacker's knowledge of the target (horizontal axis) against the target's knowledge of the attack (vertical axis): Blind, Double Blind, Gray Box, Double Gray Box, Tandem, Reversal. The attacker-knowledge axis is labelled Black Box (red team) at one end and White Box (blue team) at the other.
Penetration Testing Process
Planning -> Discovery -> Attack -> Reporting, with the attack phase looping back to additional discovery.
(NIST SP 800-42, 2003)
Figure: attack steps in sequence: Reconnaissance, Scanning, Enumerating, Gaining Access, Escalating Privilege, System Browsing, Actions. Root causes listed alongside: lack of security policy, poorly enforced policy, misconfiguration, software reliability, failure to apply patches.
Discovery Phase of PT
Figure: the discovery phase proceeds through Footprinting, Port Scanning and Enumerating.
Steps: gather initial information, determine the network range, identify active machines, discover open ports and access points, fingerprint the operating system, uncover services on ports, map the network.
Tools named: Whois, SmartWhois, NsLookup, Sam Spade, NMap, Ping, Traceroute, Superscan, Netcat, NeoTrace, Visual Route.
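The "identify active machines" and "discover open ports" steps above leave a characteristic footprint in firewall logs, which is what a defender (or the blue team in a double-blind test) watches for. The following is an added example written for this module, not code from the slides or from any of the tools named: it parses constructed firewall log lines and flags a source that touches many ports on one host (a vertical scan) or one port on many hosts (a sweep) within a sliding time window. The log format, thresholds and addresses (RFC 5737 documentation ranges) are all constructed; the regex must be adapted to a real firewall's format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Added example, not from the slides: detecting the port-scanning step of
# the discovery phase from firewall logs. The log format, thresholds and
# addresses (RFC 5737 documentation ranges) are constructed; adapt LOG_RE
# to your own firewall's format.

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<action>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line: str):
    """Parse one constructed firewall line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
    return {"ts": ts.timestamp(), "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def detect_scans(lines, window=60, port_threshold=10, host_threshold=5):
    """Flag sources that touch many ports on one host (vertical scan) or one
    port on many hosts (sweep) within a sliding window of `window` seconds.

    Returns a sorted list of ((src, kind, target), peak_count) pairs.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # src -> events still inside the window
    alerts = {}
    for event in events:
        q = recent[event["src"]]
        q.append(event)
        while event["ts"] - q[0]["ts"] > window:
            q.popleft()
        ports_by_host, hosts_by_port = defaultdict(set), defaultdict(set)
        for e in q:
            ports_by_host[e["dst"]].add(e["dport"])
            hosts_by_port[e["dport"]].add(e["dst"])
        for dst, ports in ports_by_host.items():
            if len(ports) >= port_threshold:
                key = (event["src"], "port-scan", dst)
                alerts[key] = max(alerts.get(key, 0), len(ports))
        for port, hosts in hosts_by_port.items():
            if len(hosts) >= host_threshold:
                key = (event["src"], "sweep", str(port))
                alerts[key] = max(alerts.get(key, 0), len(hosts))
    return sorted(alerts.items())


def make_sample_log():
    """Constructed log: one vertical scan, one sweep, one benign client, one junk line."""
    base = datetime(2024, 3, 1, 10, 0, 0, tzinfo=timezone.utc)

    def line(sec, action, src, dst, dport):
        stamp = (base + timedelta(seconds=sec)).strftime(TS_FMT)
        return f"{stamp} {action} src={src} dst={dst} proto=TCP dport={dport}"

    lines = []
    # 203.0.113.5 probes ports 21..35 on a single host, one every two seconds
    lines += [line(2 * i, "DROP", "203.0.113.5", "192.0.2.10", 21 + i) for i in range(15)]
    # 203.0.113.9 tries port 445 on eight different hosts, one per second
    lines += [line(i, "DROP", "203.0.113.9", f"192.0.2.{i + 1}", 445) for i in range(8)]
    # 198.51.100.7 is an ordinary HTTPS client and should not be flagged
    lines += [line(10 * i, "ACCEPT", "198.51.100.7", "192.0.2.10", 443) for i in range(5)]
    lines.append("this line is not a firewall record")
    return lines


if __name__ == "__main__":
    for (src, kind, target), count in detect_scans(make_sample_log()):
        print(f"{src}: {kind} against {target} ({count} distinct)")
```

The window is the tuning knob: probes spread out over longer than the window never accumulate in the deque, so a slow scan is missed at the default settings. Lengthening the window or additionally aggregating per source per day catches those at the cost of more memory per source.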
Attack Phase Steps with Loopback
Discovery Phase -> Gaining Access -> Escalating Privilege -> System Browsing -> Install Additional Test Software, with a loop back to discovery.
Gaining Access: enough data has been gathered in the discovery phase to make an informed attempt to access the target.
Escalating Privilege: if only user-level access was obtained in the last step, the tester will now seek to gain complete control of the system.
System Browsing: the information-gathering process begins again to identify mechanisms to gain access to trusted systems.
Types of Penetration Test
Figure: a penetration test is either an External Test or an Internal Test, and either may be run as Black Box, White Box or Gray Box. Insider profiles shown for the internal test: curious employee, disgruntled end user, disgruntled administrator.
When is Testing Necessary?
Penetration testing was traditionally done once or twice a year due to the high cost of the service.
Automated penetration testing software is enabling organizations today to test more often.
Figure: events that trigger a test: Upgrade -> Test, New Attack -> Test, Quality Assurance -> Test, Rollout -> Test, alongside Periodic Testing; goal: Become Certified.