Penetration Test Report (1)


Penetration Testing Report
Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
[email protected]
Perspective of Adversary (course overview diagram)
Attack phases, with the lab that exercises each:
• Reconnaissance (Lab 1): web-based information collection (Lab 8), broad network mapping, social engineering
• Scanning (Lab 3): targeted scan
• System Access (Lab 4): service vulnerability exploitation, password cracking
• Code Installation (Lab 5)
• Damage (Lab 6): DDoS, system file deletion, use of stolen accounts for attack
• Clear Tracks (Lab 7): log file changes
Defensive phases shown alongside the attack chain:
• Security Policy (Lab 2): Preventive Phase (Defense)
• Proactive Security (Real Time)
• Reactive Security (Incident Response)
• Penetration Testing Report (Recommendation for Security)
Objectives
This module will familiarize you with the following:
• Legal aspects of penetration testing.
• How to conduct penetration testing.
• Penetration testing reports.
• Penetration testing training.
Legal Aspects of PT
• U.S. Cyber Security Enhancement Act of 2002: life sentences for hackers who "recklessly" endanger the lives of others.
• 18 U.S.C. § 1030, Fraud and Related Activity in Connection with Computers: whoever intentionally accesses a protected computer without authorization and, as a result of such conduct, recklessly causes damage or impairs medical treatment faces a fine and/or imprisonment (the statute's maximum terms run from five to 20 years, depending on the harm caused).
• Attacking a network from the outside carries ethical and legal risk to you, the tester; remedies and protections must be spelled out in detail before the test is carried out. It is therefore vital to obtain specific written permission to conduct the test from the most senior executive responsible for the systems in scope, and to keep that authorisation together with the agreed rules of engagement.
Legal Aspects of PT
• Your customer also requires protection measures. You must be
able to guarantee discretion and non-disclosure of sensitive
company information by demonstrating a commitment to the
preservation of the company's confidentiality. The designation
of red and green data classifications must be discussed before
the engagement, to help prevent sensitive data from being redistributed, deleted, copied, modified or destroyed.
• The credibility of your firm as to its ability to conduct the
testing without interruption of the customer's business or
production is also of paramount concern. You must employ
knowledgeable engineers who know how to use minimal
bandwidth tools to minimize the test's impact on network
traffic.
Discovery Phase of PT (diagram)
Footprinting:
• Gather initial information
• Determine the network range
• Identify active machines
Port Scanning / Enumerating:
• Discover open ports and access points
• Fingerprint the operating system
• Uncover services on ports
• Map the network
Tools named on the diagram: Whois, SmartWhois, NsLookup and Sam Spade (initial information); Ping, Traceroute, NeoTrace and Visual Route (network range and active hosts); Nmap, Superscan and Netcat (ports and services).
Penetration Test Report (1)
• Introduction
• Summary of Findings
• Network Assessment:
  – Information Gathering
  – Port Scanning
  – ICMP Packet Filtering
• SSL Security Analysis:
  – HTTPS Not Enforced
  – SSL Protocol/Cipher Suite Evaluation
• Web Application Security:
  – Content Analysis
  – Malicious Input/SQL Injection
  – Information Leakage
  – Cross-Site Scripting
• Web Server Assessment:
  – Apache Tomcat Directory Traversal
  – Apache Tomcat Directory Listing (CVE-2006-3835)
  – Apache Tomcat Buffer Overflow (CVE-2007-0774)
  – Web Server Configuration
Source: Net Dense
Penetration Test Report (2)
Executive Summary:
• Summary
  – Approach
• Scope
• Key Findings
• Recommendations:
  – Tactical recommendations
  – Strategic recommendations
• Tabular Summary
• Graphic Summary
Technical Report:
• Network Security
  – Port Scan status
  – Service Banner Disclosure
• Web Application Vulnerabilities
  – SQL Injection
Conclusions
Appendix
Source: NII
Penetration Testing Report (3)
• Introduction
• Date Carried Out
• Testing Team Details
• Network Details
• Scope of Test
• Executive Summary
• Technical Summary
• Annexes
Source: Template 1
Network Details
• Architecture: peer-to-peer, client-server, domain model, Active Directory integrated.
• Number of servers and workstations.
• Operating system details.
• Major software applications.
• Hardware configuration and setup.
• Interconnectivity and by what means, e.g. T1, satellite, wide area network, leased line, dial-up.
• Encryption/VPNs utilised.
• Role of the network or system.
Scope of Test
• Constraints and limitations imposed on the team, e.g. out-of-scope items, hardware, IP addresses.
• Constraints, limitations or problems encountered by the team during the actual test.
• Purpose of test: deployment of a new software release; security assurance for the Code of Connection; interconnectivity issues; etc.
• Type of test: compliance test, vulnerability assessment or penetration test.
• Test approach: white box, black box or grey box.
Executive Summary
• OS Security issues discovered with appropriate
criticality level specified.
• Application Security issues discovered with
appropriate criticality level specified
• Physical Security issues discovered with appropriate
criticality level specified
• Personnel Security issues discovered with
appropriate criticality level specified
• General Security issues discovered with appropriate
criticality level specified
Executive Summary
• Exploited. Causes:
  – Hardware failing
  – Software failing
  – Human error
• Unable to exploit problem area. Causes:
  – Hardware failing
  – Software failing
  – Human error
Technical Summary
• Operating Systems Security
• Web Server Security
• Database Server Security
• General Applications Security
• Business Continuity Policy:
– Backup Policy
– Replacement premises, personnel,
software, hardware, document
provisioning
Technical Summary
• File System Security:
– Details of finding
– Recommendation and fix
• Password Policy
• Auditing Policy
• Patching Policy
• Lockdown Policy
• Anti-virus Policy
• Trust Policy
Annexes
• Glossary of Terms
• Network Map/Diagram
• Accompanying Scan Results - CD-ROM
• Vulnerability Definitions: critical, important, information leak, concern, unknown.
• Details of Tools Utilised.
• Methodology Utilised: reconnaissance, enumeration, scanning, obtaining access, maintaining access, erasing evidence.
Penetration Test Report (4)
• Front page with company logo, disclaimer and other legal material as required by your enabling contract, your company practices and the regulations under which you and the client operate.
• Headlines (at most 2 pages, for executive consumption): write this last to ensure it matches the contents of the report.
• Introduction (1 paragraph): who you are and what you do (2 lines; they won't read any more), when you did it, for whom, and who led the team.
• Scope (the executive version): an executive version of what your task was and why you were invited to undertake the test. This is a useful reminder before the next test, when you review this report.
• Executive Summary (1½ pages max, so it fits on two facing pages): headline material, the big impacts, with some lead for future business subtly interlaced. State here whether the main objective of the test was passed or failed; it is very annoying for execs to read a report and not know whether the part you were contracted to do was done, and whether they passed.
Source: Template 2
Penetration Test Report (4)
• Executive Recommendations (5 max): identify the immediate high risks/vulnerabilities that can and should be fixed in the immediate timeframe.
  – High priority: it is suggested that the following be tackled before the next stage of testing takes place.
  – Medium priority: it is suggested that the following be tackled in the short (days) to medium term (weeks).
• Further Information: this should cover the format of the report and provide easy links should the execs want to drill down. Consider the use of page breaks to improve the layout of the document. Use internal hyperlinks and physical tabs on printed versions; it all adds to readability and the professional appearance of the report.
• Main Body of Report.
Main Body of Report
• Introduction.
• Summary of Methodology Used.
• System Description.
• Documented Configuration and Architecture.
• Technical Analysis:
  – Critical Vulnerabilities or Mis-Configurations
  – Assessed Impact of current risks
  – Significant Threat Attack vectors
• Stages of Testing.
• Security Policy Documentation (SPD).
• Annexes.
Introduction
• Outline the type of tests that were undertaken:
  – Application testing
  – Firewall penetration
  – Firewall hole detection/testing.
• Identify the time frame of testing and the number of systems, sites and days of testing conducted (on site).
Summary of Methodology Used
• Outline the type of testing methodology, as this will have a bearing on the rest of the report body.
• Black Box Testing: a penetration test with no prior knowledge of the target system, bar a valid IP address. No user or application credentials were supplied to the testing team, nor any information on services running on the target.
• White Box Testing: a vulnerability analysis inspection of the target system to determine what vulnerabilities exist on the system that, although not directly exploitable via a penetration test, may be utilised in the future or by a disgruntled/disaffected insider. Full user and application credentials were supplied to the team.
• Gray Box Testing: where some knowledge of the infrastructure is known and a user account may be held.
Types of Penetration Test (diagram)
• External test: black box, white box, gray box.
• Internal test: curious employee, disgruntled end user, disgruntled administrator.
Types of Security Tests (diagram; axes: attacker's knowledge of the target against the target's knowledge of the attack)
Test types plotted on the diagram: Blind, Double Blind, Gray Box, Double Gray Box, Tandem, Reversal.
Additional labels on the diagram: White Box, Black Box, Blue team, Red team.
System Description
• Infrastructure. The target network/system was believed (or given) to be as detailed below: insert a network diagram or details of the given/derived/discovered infrastructure. Pictures are better than words. Be sure to mark what information was provided and what was learned/discovered.
• Key or Critical Points. The following were therefore seen to be critical infrastructure elements in terms of confidentiality or availability, or were deemed to be potentially vulnerable or high-value assets (to either the test or the normal day-to-day running).
• Network Ranges Tested and Those Excluded (including reasons). Spell out what was in the test and what was not (and why). Include IP address ranges and/or host names. If there is too much data, reference an annex but summarise here for flow.
Configuration and Architecture
• If the discovered LAN is at odds with the documented live system, a comment should be made.
• This is the main part of the report, and the following parts will be determined by the type of task or testing employed. Ensure each part/system/site is concluded before moving on to the next, except where further information was discovered at a different stage. This allows the reader to follow the tester's methodology and therefore understand why the information discovered was so important.
• Depending on the processes used, either describe how each system was identified, mapped, scanned and ultimately compromised, or outline each stage of testing and how this resulted in the targeting of vulnerable systems and, again, the eventual compromise.
Technical Analysis
• Critical Vulnerabilities or Mis-Configurations: here we give the bad news straight. Explain what the big issues are (this time about the top 4-8) in semi-technical language so the reader can comprehend which box has exactly what problem. Don't use too much detail, as this will be in the annex, sorted per box (usually by IP address or role, i.e. DC, app server, F&P server, down to client).
• Assessed Impact of Current Risks: the problems above need to be placed in context, so ensure the risk is presented in a credible format. For example, if local access is required to exploit a server in a lights-out data centre, then it is probably not the critical risk Nessus would have you believe.
• Significant Threat Attack Vectors: having identified the valid risks, identify the main attack vectors and, if possible, all 'online' attack avenues based upon your findings.
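The contextualising and per-box sorting described above, as an added Python example that is not part of the lecture slides: it caps the scanner's rating for local-only issues on a lights-out box, picks the 4-8 headline issues and groups the rest per host/role for the annex. The Finding fields, the downgrade rule and the sample findings are constructed for illustration; the policy should be adapted to the engagement's own risk model.

```python
# Added example, not from the lecture slides: contextualise scanner severities
# and lay out findings per box for the Technical Analysis and annex.
# The adjustment rule and the sample findings are constructed for illustration.
from dataclasses import dataclass
from collections import defaultdict

SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
RANK_SEVERITY = {v: k for k, v in SEVERITY_RANK.items()}


@dataclass(frozen=True)
class Finding:
    host: str               # IP address or host name
    role: str               # DC, App server, F&P server, client, ...
    title: str
    scanner_severity: str   # what Nessus (or a similar scanner) reported
    access_vector: str      # "network" or "local"
    lights_out: bool        # box sits in an unattended ("lights out") facility


def assessed_severity(f: Finding) -> str:
    """Place the scanner's rating in context (hypothetical policy).

    Rule from the slide: a vulnerability that needs local access on a
    server in a lights-out data centre is not the critical risk the
    scanner claims. Here such findings are capped at Medium.
    """
    rank = SEVERITY_RANK[f.scanner_severity]
    if f.access_vector == "local" and f.lights_out:
        rank = min(rank, SEVERITY_RANK["Medium"])
    return RANK_SEVERITY[rank]


def top_issues(findings, limit=8):
    """The 4-8 headline issues for the Technical Analysis, worst first."""
    ranked = sorted(
        findings,
        key=lambda f: (-SEVERITY_RANK[assessed_severity(f)], f.host, f.title),
    )
    return ranked[:limit]


def per_box(findings):
    """Annex layout: findings grouped by (host, role), each group worst first."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f.host, f.role)].append(f)
    return {
        key: sorted(group, key=lambda f: -SEVERITY_RANK[assessed_severity(f)])
        for key, group in sorted(groups.items())
    }


def render_table(findings):
    """Plain-text tabular summary for the report body."""
    rows = ["Host | Role | Finding | Scanner | Assessed"]
    for f in top_issues(findings):
        rows.append(f"{f.host} | {f.role} | {f.title} | "
                    f"{f.scanner_severity} | {assessed_severity(f)}")
    return "\n".join(rows)


# Constructed sample findings (not real hosts or scan results).
SAMPLE_FINDINGS = [
    Finding("10.0.0.5", "App server", "Outdated Tomcat version", "Critical", "network", True),
    Finding("10.0.0.5", "App server", "Local privilege escalation via setuid binary", "Critical", "local", True),
    Finding("10.0.0.10", "DC", "SMB signing not required", "Medium", "network", False),
    Finding("10.0.1.22", "client", "Kernel local privilege escalation", "High", "local", False),
]

if __name__ == "__main__":
    print(render_table(SAMPLE_FINDINGS))
```

The setuid finding keeps its scanner rating in the raw data (Annex E) but is reported as Medium in the analysis, with the reason stated; the kernel issue on a client with interactive users is left at High because the local-access argument does not apply there.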
Stages of Testing
(Classic Penetration Methodology)
• Initial scan of network
• Information gleaned
• Target selected (repeat as required documenting each box
separately)
• Enumeration. Services running and states on target
• Information gathered regarding vulnerable aspects of the
system configuration.
• Confirmation of vulnerability
• Exploitation explained
• Access gained
• Leverage and potential growth avenues
• Summary and rectification work required.
Stages of Testing (Box by Box Targeting)
1. Initial reconnaissance: read the information given by admin staff.
2. Footprinting: confirm the network is as per the diagrams. Very important: it is dangerous if you attack the wrong one, and embarrassing if you send exploits for the IIS web server to the Apache system!
3. Target selection based upon probability of vulnerability, time allowed, ease of exploitation and value of the target.
4. Attack the boxes/services as required, having researched the information gathered at step 1.
5. Increase privileges as necessary (within the permissions of the contract).
6. Secure longer-term access (within the permissions of the contract).
7. Progress by leveraging access on the box, then go to step 3 and select the next target down the list.
8. Repeat as necessary, documenting your activities as you go.
Attack Phase Steps with Loopback (diagram)
Discovery Phase → Gaining Access → Escalating Privilege → System Browsing → Install Additional Test Software, looping back to the Discovery Phase.
• Gaining Access: enough data has been gathered in the discovery phase to make an informed attempt to access the target.
• Escalating Privilege: if only user-level access was obtained in the last step, the tester will now seek to gain complete control of the system.
• System Browsing: the information-gathering process begins again to identify mechanisms to gain access to trusted systems.
• Install Additional Test Software: feeds back into the Discovery Phase.
Security Policy Documentation
• Policy Compliance. Where UK law, industry regulations or company policy have mandated security controls that were observed to be missing, and no such written policy was found, a comment should be made.
• Live System must meet Policy Requirements. When a system fails to implement the security measures identified in the policy, the system or user may be operating outside their lawful boundaries. This represents additional risk to the system, all systems with which it exchanges data, the users and the company. The following were observed, and rectification action should be taken to correct them before the next regulatory review/audit.
• Security mechanisms encountered (Auditing and Accounting). If within scope, comment upon the ability of the security barriers and mechanisms to audit and monitor your actions, noting the use of syslog servers and the auditing or accounting settings on compromised boxes. Additionally, if black-hat (unannounced) testing is being undertaken, note whether any response was made to the initial intrusions or compromise of boxes, especially if the network security staff were supposed to react as normal (some of this information may only be available after the event).
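An added example (not from the slides) of the auditing check described under "Security mechanisms encountered": it correlates the tester's own activity log (Annex D style) against syslog retrieved from the target, to see which of the tester's actions the target actually recorded and which should be called out as gaps in auditing. Both logs, the host name and the IP addresses are constructed; the two-minute matching window is an assumption.

```python
# Added example, not from the lecture slides: did the target's logging capture
# the tester's actions? Both logs below are constructed for illustration; the
# host names, IP addresses and the two-minute matching window are assumptions.
import re
from datetime import datetime, timedelta

# Tester activity log, Annex D style: (timestamp, source IP, action). Constructed.
TESTER_LOG = [
    ("2024-03-12 09:15:02", "198.51.100.7", "nmap -sS 10.0.0.5"),
    ("2024-03-12 09:42:10", "198.51.100.7", "hydra ssh password guessing against 10.0.0.5"),
    ("2024-03-12 10:05:33", "198.51.100.7", "web shell upload to 10.0.0.8 via file upload"),
]

# Syslog retrieved from the compromised box (constructed sample lines).
TARGET_SYSLOG = """\
Mar 12 09:15:03 app01 kernel: [UFW BLOCK] IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=23
Mar 12 09:42:11 app01 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar 12 09:42:12 app01 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Mar 12 10:30:01 app01 CRON[3001]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Classic BSD syslog prefix: "Mon DD HH:MM:SS host message" (no year).
SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")


def parse_syslog(text, year):
    """Return (datetime, host, message) tuples; the caller supplies the year
    because the classic syslog timestamp omits it."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        mon, day, clock, host, msg = m.groups()
        ts = datetime.strptime(f"{year} {mon} {int(day):02d} {clock}",
                               "%Y %b %d %H:%M:%S")
        events.append((ts, host, msg))
    return events


def evidence_for(action, events, window=timedelta(minutes=2)):
    """Target-side log messages that mention the tester's source IP within
    the window around the time the action was performed."""
    when, src_ip, _ = action
    t0 = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
    return [msg for ts, _, msg in events
            if abs(ts - t0) <= window and src_ip in msg]


def audit_coverage(tester_log, syslog_text, year):
    """Map each tester action to the evidence of it found on the target."""
    events = parse_syslog(syslog_text, year)
    return {action[2]: evidence_for(action, events) for action in tester_log}


def unlogged_actions(tester_log, syslog_text, year):
    """Actions the target did not record: the auditing gaps to report."""
    coverage = audit_coverage(tester_log, syslog_text, year)
    return [action for action, evidence in coverage.items() if not evidence]


if __name__ == "__main__":
    for action, evidence in audit_coverage(TESTER_LOG, TARGET_SYSLOG, 2024).items():
        print(f"{action}: {len(evidence)} matching log line(s)")
    print("Not recorded by target:", unlogged_actions(TESTER_LOG, TARGET_SYSLOG, 2024))
```

Matching on the tester's source address keeps the check honest: a line that merely happens to fall inside the window (the cron entry above) is not counted as evidence. The unlogged upload to the second host is the kind of gap the report should state plainly, together with whether anyone on the client's side reacted to the events that were logged.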
Annexes
• Annex A - Summary of Technical Details and analysis of
problems
• Annex B - Detailed Technical Findings – Site 1
• Annex C - Detailed Technical Findings – Site 2 (if 2 or more
sites)
• Annex D - Logs of activities
• Annex E - Output of any automated tool used (raw data)
• Annex F - Details of background work conducted (research)
• Annex G - Equipment used and post work cleaning actions
• Annex H - Details of suggested follow up action
• Annex I - Reference Sites
• Annex J - Glossary