Penetration Testing

Date post: 01-Jan-2016
Page 1: Penetration Testing

Penetration Testing

University of Sunderland

CSEM02

Harry R Erwin, PhD

Page 2: Penetration Testing

Resources

• Qinetiq Information Security Foundation Course (2002)

• Tittle, Stewart, and Chapple, 2004, CISSP: Certified Information Systems Security Professional Study Guide, 2nd edition, Sybex

• Whittaker and Thompson, 2004, How to Break Software Security, Pearson

Page 3: Penetration Testing

Definition

• An activity used to test the strength and effectiveness of deployed security measures with an authorized attempted intrusion attack. Penetration testing should be performed only with the consent and knowledge of the management staff. (Tittle et al., 2004)

Page 4: Penetration Testing

General Comments

• Usually done to give management a ‘warm and fuzzy’ feeling about the security of their system.

• Expensive

• Does not substitute for good security testing or for good security design.

• This discussion will be of how it is done.

Page 5: Penetration Testing

General Approach

• The members of the team first scope the penetration test. This includes:

– Consultation with the customer about the specific type of testing to be performed:

  • On-site
  • Remote
  • Application
  • Telecommunications
  • Hybrid

– Number of hosts to be tested

– Timescale

Page 6: Penetration Testing

Penetration Testing Services

• Begins with a tailored security health check (SHC), comprised of part or all of:

– Network security health check

  • Onsite
  • Remote

– Application security health check

– Telecommunications security health check

• Should be flexible and appropriate

Page 7: Penetration Testing

Network SHC

• Location can be remote or onsite

• Starts with public records

– RIPE/DNS/Google (you’ve seen this demonstrated)

• Network assessment

– Architecture

  • Gateways (RIP/OSPF)
  • Firewalls (ACL/rules)

– Protocols

– IP range

– Anomalies

Page 8: Penetration Testing

Network Testing

• If onsite, you will need to conduct on-host audits

– Windows

– Unix

• Infrastructure management should also be assessed

– Remote/terminal/back-end management

• Should include a comprehensive configuration review and recommendations

Page 9: Penetration Testing

Network Testing

• Host assessment

– Identify the live hosts.

– Apply operating system fingerprinting to identify potential vulnerabilities.

– Determine the trust relationships.

• Service assessment

– Services offered.

– Anomalies and vulnerabilities.

Page 10: Penetration Testing

Network Testing

• Vulnerability assessment

– Automated tools?

– Manual determination

– Risk assessment of data flow

Page 11: Penetration Testing

Application Testing

• What applications are running?

– By server type

– Stovepipe or specialized systems

– Protocols

– Session and authentication handling

– Default scripts and generic vulnerabilities

Page 12: Penetration Testing

Authentication Analysis

• Session handling

– Session identifier: how predictable and identifiable, can it be brute forced, can it be replicated?

– Session timeout

• Comparison to best practices

– Correctly implemented?

– Predictable secret values?

– Is brute force blocked?

– Password complexity adequate?
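The session-identifier questions on this slide (how predictable, can it be brute forced, can it be replicated) can be turned into a small review check. The following is an added example, not part of the original slides: it issues identifiers from a constructed counter-based scheme and from the OS CSPRNG, then scores a sample of each against heuristics for sequential values, duplicates, short length and low per-character entropy. The threshold values are assumptions chosen for the example.

```python
import math
import secrets
from collections import Counter


# Constructed weak issuer: a counter rendered as 16 hex digits. It is the kind
# of scheme the slide's "how predictable" question is meant to catch.
class CounterSessionIds:
    def __init__(self, start=1000):
        self._n = start

    def issue(self):
        self._n += 1
        return format(self._n, "016x")


def strong_session_id():
    """Issue an identifier from the OS CSPRNG: 32 random bytes, URL-safe encoded."""
    return secrets.token_urlsafe(32)


def entropy_bits_per_char(ids):
    """Shannon entropy of the character distribution across a sample of IDs."""
    counts = Counter("".join(ids))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def looks_sequential(ids, base=16):
    """True when the sample decodes as integers separated by a constant stride."""
    if len(ids) < 3:
        return False
    try:
        values = [int(s, base) for s in ids]
    except ValueError:
        return False
    strides = {b - a for a, b in zip(values, values[1:])}
    return len(strides) == 1


def assess(ids, min_length=16, min_entropy=3.0):
    """Return review findings for a sample of session identifiers.

    The thresholds are heuristics assumed for this example, not a standard.
    """
    findings = []
    if looks_sequential(ids):
        findings.append("sequential")      # the next identifier is guessable
    if len(set(ids)) != len(ids):
        findings.append("duplicates")      # an identifier can be replicated
    if min(len(s) for s in ids) < min_length:
        findings.append("short")           # small space, easier to brute force
    if entropy_bits_per_char(ids) < min_entropy:
        findings.append("low-entropy")     # little variation per character
    return findings


def weak_sample(n=20):
    issuer = CounterSessionIds()
    return [issuer.issue() for _ in range(n)]


def strong_sample(n=20):
    return [strong_session_id() for _ in range(n)]


if __name__ == "__main__":
    print("counter-based:", assess(weak_sample()))    # ['sequential', 'low-entropy']
    print("CSPRNG-based: ", assess(strong_sample()))  # []
```

The entropy figure is a property of the sample, not a proof of randomness, so a clean result here only rules out the crude failures; the comparison-to-best-practices item still requires reading how the identifier is generated and bound to the session.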

Page 13: Penetration Testing

Transactional Security

• Can transactions be identified in the data stream?

• How much information can be derived from them?

• What happens when

– Transactions are replicated

– Transactions are injected

– Transactions are deleted
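A receiver that cannot answer the three "what happens when" questions is the finding this slide is after. As an added example (not from the original slides), the code below seals each transaction with a sequence number and an HMAC-SHA256 tag, then runs a constructed stream through a receiver that rejects replays and forged messages and records the gap left by a deleted message. The shared key and the transfer records are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed shared key for the example; a real deployment would draw it
# from key management rather than source code.
KEY = b"example-shared-key-not-for-production"


def seal(key, seq, payload):
    """Wrap a transaction in a sequence number and an HMAC-SHA256 tag."""
    body = json.dumps({"seq": seq, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


class Receiver:
    """Accepts sealed transactions in order and records what it rejects."""

    def __init__(self, key):
        self.key = key
        self.expected = 0      # next sequence number we will accept
        self.accepted = []
        self.events = []

    def receive(self, message):
        body, _, tag = message.rpartition(".")
        good = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good, tag):
            self.events.append("rejected: bad tag (injected or tampered)")
            return False
        record = json.loads(body)
        seq = record["seq"]
        if seq < self.expected:
            self.events.append(f"rejected: replay of seq {seq}")
            return False
        if seq > self.expected:
            # A gap means an earlier message never arrived (deleted or lost).
            self.events.append(f"gap: seq {self.expected}..{seq - 1} missing")
        self.expected = seq + 1
        self.accepted.append(record["payload"])
        return True


def run_scenario():
    """Replicate, inject and delete against four constructed transfers."""
    transfers = [{"from": "A", "to": "B", "amount": 10 * (i + 1)} for i in range(4)]
    sealed = [seal(KEY, i, t) for i, t in enumerate(transfers)]
    rx = Receiver(KEY)
    rx.receive(sealed[0])
    rx.receive(sealed[1])
    rx.receive(sealed[1])                       # replicated: same message twice
    forged = seal(b"wrong-key", 2, {"from": "B", "to": "M", "amount": 999})
    rx.receive(forged)                          # injected without the real key
    rx.receive(sealed[3])                       # seq 2 deleted in transit
    return rx


if __name__ == "__main__":
    result = run_scenario()
    print([t["amount"] for t in result.accepted])   # [10, 20, 40]
    for event in result.events:
        print(event)
```

The sequence number is what makes deletion visible; the tag alone would only catch injection and tampering. Whether a gap is an error or merely reordering depends on the transport, which is why the receiver logs it rather than rejecting the later message.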

Page 14: Penetration Testing

Source Code Review

• Logical analysis

– Control flow

– Functionality

• Information leakage

– Error messages

• Input validation

– Bad input

– Bypass

– Drilling through

• Expensive in time and money. Pay me now, or pay me later. It costs more later.
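Two of the review items above, information leakage through error messages and input validation against bypass, show up together in file-serving code. The pair below is an added example and is not from the original slides: the first function trusts the caller's file name and returns the raw exception text, the second allowlists the name, confines the resolved path to the served directory, and returns only a generic error. The temporary directory layout is constructed for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Allowlist assumed for the example: a simple file name, no separators.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def serve_file_unchecked(root, name):
    """The 'before' a reviewer flags: unvalidated name, exception echoed back."""
    try:
        with open(os.path.join(root, name)) as fh:
            return 200, fh.read()
    except OSError as exc:
        return 500, str(exc)          # leaks paths and OS detail to the caller


def serve_file_checked(root, name):
    """Hardened: allowlist the name, confine the resolved path, generic errors."""
    if not SAFE_NAME.match(name):
        return 400, "bad request"
    base = Path(root).resolve()
    target = (base / name).resolve()
    if base not in target.parents:    # the resolved file must live under root
        return 400, "bad request"
    try:
        return 200, target.read_text()
    except OSError:
        return 404, "not found"       # detail belongs in the server log only


def demo():
    """Build a throwaway tree: public/hello.txt plus a secret.txt outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        public = Path(tmp) / "public"
        public.mkdir()
        (public / "hello.txt").write_text("hello")
        (Path(tmp) / "secret.txt").write_text("do-not-serve")
        return {
            "unchecked_ok": serve_file_unchecked(public, "hello.txt"),
            "unchecked_traversal": serve_file_unchecked(public, "../secret.txt"),
            "unchecked_missing": serve_file_unchecked(public, "nope.txt"),
            "checked_ok": serve_file_checked(public, "hello.txt"),
            "checked_traversal": serve_file_checked(public, "../secret.txt"),
            "checked_missing": serve_file_checked(public, "nope.txt"),
        }


if __name__ == "__main__":
    for label, (status, body) in demo().items():
        print(f"{label:20} {status} {body!r}")
```

The allowlist and the path confinement are deliberately both present: the regular expression rejects bad input early, and the `parents` check still holds if the allowlist is later loosened, which is the sort of belt-and-braces layering a code review should expect to find.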

Page 15: Penetration Testing

Telecomms Testing

• War-dialing and modem detection

– Identified modems need to be inventoried

• PABX audit looks for:

– Toll fraud

– Call redirection

– Remote reconfiguration

– Trunk line configuration

Page 16: Penetration Testing

Penetration Test Process

• Scope/preparation

• Briefing

• Physical test

• Knowledge transfer and education

• Diagnosis

• Debriefing

• Report

Page 17: Penetration Testing

Scope/Preparation

• Scope and scale the test

• Establish deadlines and schedules

• Sign contract

• Conduct test planning

– Risk and perceived threat

– Technology

– Identify and deploy necessary skills

Page 18: Penetration Testing

Initial Briefing

• Meet technical staff

• Collect contact information

• Describe the test

• Identify areas of concern

– Maintain contact

– Track major user issues

– Be open

Page 19: Penetration Testing

Physical Test

• Evaluate the network

– IP range

– Subnets

• Automated tests (nessus/nmap)

• Hands-on tests

– Prior experience of testers

– Trust analysis

– Exploits

Page 20: Penetration Testing

Debriefing

• Evaluate automated results

• Assess anomalies

• Ensure full scope of testing has been completed

• Make sure the nature of any successful penetration is clear to the customer

Page 21: Penetration Testing

Closure

• Make sure all experts/managers are involved.

• Discuss all results

• Identify who receives reports

• Provide contact details

• Prepare report

– When due, what, and follow-up.

Page 22: Penetration Testing

Conducting the Test

• Identify target and goal

• Gather information

• Identify potential routes into network

• Test potential routes

• Capture target

Page 23: Penetration Testing

Identify Target and Goal

• Targets

– What is to be attacked?

• Goals

– Compromise

– Privacy-sensitive data

– Defacement

– Denial of service

– Fraud

Page 24: Penetration Testing

Information Gathering

• Resources include:

– RIPE (Europe)

– ARIN (US)

– DNS

– IRC (technical chat rooms)

– Phone books

– Public business records

– Trash cans

– Google (which you’ve seen)

Page 25: Penetration Testing

Potential Routes

• Social engineering

– Open sources

– Newsgroups and papers published

• Use this to plan the penetration

• Play the role

• Create trust

Page 26: Penetration Testing

Telecomms

• War-dialing to identify modems

• Voice mail

Page 27: Penetration Testing

Mapping

• Identify servers and subnets

• Evaluate firewalls and routers

• Each route in needs to be assessed

– Firewalls

– Protection

– Access

– Speed

– Special circumstances

Page 28: Penetration Testing

Capture Target

• Develop detailed capture scenario

• Take into account vulnerabilities and special circumstances

• Implement

Usually, you will demonstrate the initial access point vulnerability, give the administrators time to fix it, and continue from the access point to the target.

Page 29: Penetration Testing

What Allows This to Succeed?

• Public data

• Uneducated staff

• Misconfigured servers

• Misconfigured boundary protection

• Lack of IDS

• Patches not implemented

Page 30: Penetration Testing

Countermeasures

• Have your security reviewed

• Educate users and staff

• Implement authentication, access control, and audit

• Use an IDS

• Code reviews

• Keep private data private
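"Lack of IDS" on the previous slide and "Use an IDS" here are about noticing the mapping and automated-test phase (nessus/nmap) when it is run against you. The following is an added example, not from the original slides, of the simplest form of that detection: it parses constructed firewall log lines, loosely modelled on an iptables LOG prefix with an epoch timestamp in front, and flags a source that touches many ports on one host or many hosts in one window. The log format, addresses and thresholds are all assumptions for the example.

```python
import re
from collections import defaultdict

# Assumed log shape: "<epoch> fw: <verdict> ... SRC=a.b.c.d DST=e.f.g.h ... DPT=n"
LINE = re.compile(
    r"^(?P<ts>\d+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines in another format."""
    m = LINE.match(line)
    if not m:
        return None
    return int(m["ts"]), m["src"], m["dst"], int(m["dpt"])


def detect_sweeps(lines, window_s=60, port_threshold=10, host_threshold=5):
    """Flag sources that fan out across ports or hosts within a time bucket."""
    ports = defaultdict(set)   # (bucket, src, dst) -> distinct destination ports
    hosts = defaultdict(set)   # (bucket, src)      -> distinct destination hosts
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dpt = rec
        bucket = ts // window_s   # fixed buckets: a sweep straddling a boundary
        ports[(bucket, src, dst)].add(dpt)   # can split; a sliding window fixes that
        hosts[(bucket, src)].add(dst)
    findings = []
    for (_, src, dst), seen in ports.items():
        if len(seen) >= port_threshold:
            findings.append(("port-sweep", src, dst, len(seen)))
    for (_, src), seen in hosts.items():
        if len(seen) >= host_threshold:
            findings.append(("host-sweep", src, len(seen)))
    return sorted(findings)


def build_sample_log():
    """Constructed log: one benign client, one source sweeping ports then hosts."""
    lines = []
    for i in range(5):   # a normal client returning to the web server
        lines.append(f"{1000 + i * 10} fw: ACCEPT IN=eth0 PROTO=TCP "
                     f"SRC=198.51.100.7 DST=192.0.2.10 DPT=443")
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]):
        lines.append(f"{2000 + i} fw: DROP IN=eth0 PROTO=TCP "
                     f"SRC=203.0.113.5 DST=192.0.2.10 DPT={port}")
    for i in range(6):   # the same source trying one port on six hosts
        lines.append(f"{2100 + i} fw: DROP IN=eth0 PROTO=TCP "
                     f"SRC=203.0.113.5 DST=192.0.2.{20 + i} DPT=22")
    lines.append("2200 fw: unrelated message that the parser must skip")
    return lines


if __name__ == "__main__":
    for finding in detect_sweeps(build_sample_log()):
        print(finding)
```

Thresholds this low will be noisy on a busy perimeter, and fixed buckets are a known blind spot; the point of the countermeasure is that the pattern is cheap to see once someone is looking, which is exactly what "Lack of IDS" means on the previous slide.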
