What is Penetration Testing?


Penetration Testing
Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
Objectives
This module will familiarize you with the following:
• What does a malicious hacker do?
• Types of security tests.
• What is penetration testing?
• Why penetration testing?
• Legal aspects of penetration testing.
• Vulnerability assessment vs. penetration testing.
• How to conduct penetration testing?
• Tools for penetration testing.
Readings
• NIST, “Guideline on Network Security Testing,” Special Publication 800-42, 2003. (Sec. 3-10). (Required)
• Wikipedia, “Penetration Test,” http://en.wikipedia.org/wiki/Penetration_test
• Herzog, P., “OSSTMM Open-Source Security Testing Methodology Manual,” V. 2.2., ISECOM, 2006.
• Layton, Sr., T. P., “Penetration Studies – A Technical Overview,” SANS Institute, 2001.
• NIST, “Technical Guide to Information Security Testing and Assessment,” Special Publication 800-115, September 2008.
• Northcutt, S., Shenk, J., Shackleford, D., Rosenberg, T., Siles, R. and Mancini, S., “Penetration Testing: Assessing Your Overall Security Before Attackers Do,” SANS Analyst Program, June 2006.
What Does a Malicious Hacker Do
Reconnaissance:
• Active/Passive
Scanning
Gaining Access:
• Operating system level / application level
• Network level
• Denial of service
Maintaining Access:
• Uploading/altering/downloading programs or data
Clearing Tracks
Perspective of Adversary
[Diagram: the adversary's phases, each paired with the defender's corresponding activity]
Adversary's side:
• Reconnaissance: web-based information collection; social engineering
• Scanning: broad network mapping; targeted scan
• System Access: service vulnerability exploitation; password cracking
• Damage: DDoS; code installation; system file deletion
• Clear Tracks: use of stolen accounts for attack; log file changes
Defender's side:
• Preventive Phase (Defense): penetration testing report (recommendation for security)
• Proactive Security (Real Time)
• Reactive Security (Incident Response)
Types of Attacks
The ways a hacker uses to gain access to a system can be classified as:
• Operating system attacks. Attackers look for OS vulnerabilities (via services, ports and modes of access) and exploit them to gain access.
• Application-level attacks (programming errors; buffer overflow).
• Shrink wrap code attacks. OSs or applications often contain sample scripts for administration. If these scripts are not properly fine-tuned, they may lead to default code or shrink wrap code attacks.
• Misconfiguration attacks. Systems that should be fairly secure are hacked into because they were not configured correctly.
Security Testing Techniques
• Network Scanning
• Vulnerability Scanning
• Password Cracking
• Log Review
• Integrity Checkers
• Virus Detection
• War Dialing
• War Driving (802.11 or wireless LAN testing)
• Penetration Testing
(NIST SP 800-42, 2003)
Often, several of these testing techniques are used together to gain a more comprehensive assessment of the overall network security posture.
Security Testing Methods
Every organization uses different types of security testing methods to validate the level of security on its network resources.
[Diagram (OSSTMM, 2006): security testing methods positioned along two axes, Accurate and Thorough: Vulnerability Scanning, Penetration Testing, Ethical Hacking, OSSTMM Security Test, Hands-on Audit]
What is Penetration Testing?
• A penetration test is a method of evaluating the security of
a computer system or network by simulating an attack from
a malicious source.
• The process involves an active analysis of the system for
any potential vulnerabilities that may result from poor or
improper system configuration, known and/or unknown
hardware or software flaws, or operational weaknesses in
process or technical countermeasures.
• The intent of a penetration test is to determine feasibility of
an attack and the amount of business impact of a successful
exploit, if discovered.
(Source: http://en.wikipedia.org/wiki/Penetration_test)
Why Penetration Testing?
• Computer related crime is on the rise.
• Find holes now before somebody else does.
• Report problems to management.
• Verify secure configurations.
• Security training for network staff.
• Discover gaps in compliance.
• Testing new technology.
(Source: Northcutt et al., 2006)
Legal Aspects of PT
• U.S. Cyber Security Enhancement Act 2002: Life sentences
for hackers who “recklessly” endanger the lives of others.
• U.S. Statute 1030, Fraud and Related Activity in Connection
with Computers. Whoever intentionally accesses a protected
computer without authorization, and as a result of such
conduct, recklessly causes damage or impairs medical
treatment, can receive a fine or imprisonment of five to 20
years.
• Attacking a network from the outside carries ethical and legal risk to you, the tester, and remedies and protections must be spelled out in detail before the test is carried out. Thus, it is vital that you receive specific written permission to conduct the test from the most senior executive.
Legal Aspects of PT
• Your customer also requires protection measures. You must be
able to guarantee discretion and non-disclosure of sensitive
company information by demonstrating a commitment to the
preservation of the company's confidentiality. The designation
of red and green data classifications must be discussed before
the engagement, to help prevent sensitive data from being redistributed, deleted, copied, modified or destroyed.
• The credibility of your firm as to its ability to conduct the
testing without interruption of the customer's business or
production is also of paramount concern. You must employ
knowledgeable engineers who know how to use minimal
bandwidth tools to minimize the test's impact on network
traffic.
Vulnerability Assessment
• Vulnerability assessment scans a network for
known security weaknesses.
• Vulnerability scanning tools search network
segments for IP-enabled devices and
enumerate systems, operating systems, and
applications.
• Vulnerability scanners can test systems and
network devices for exposure to common
attacks.
• Vulnerability scanners can identify common
security configuration mistakes.
Limitations of Vulnerability Assessment
• A vulnerability scanning tool is limited in its ability to detect vulnerabilities at a given point in time.
• A vulnerability scanning tool must be updated when new vulnerabilities are discovered or improvements are made to the software being used.
• The methodology used and the diverse vulnerability scanning tools assess security differently, which can influence the result of the assessment.
Vulnerability Assessment vs. Penetration Test
• Vulnerability assessment is a process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. It reveals potential security vulnerabilities or changes in the network which can be exploited by an attacker for malicious intent.
• A penetration test is a method of evaluating the security state of a system or network by simulating an attack from a malicious source. This process involves the identification and exploitation of vulnerabilities in a real-world scenario; these may exist in the systems due to improper configuration, known or unknown weaknesses in hardware or software systems, operational weaknesses or loopholes in deployed safeguards.
Types of Security Tests
[Diagram: the OSSTMM test types arranged by the attacker's knowledge of the target (axis labelled Black Box / White Box) against the target's knowledge of the attack (axis labelled Blue team / Red team)]
• Blind
• Double Blind
• Gray Box
• Double Gray Box
• Tandem
• Reversal
Penetration Testing Process
[Diagram (NIST SP 800-42, 2003): Planning → Discovery → Attack → Reporting, with an Additional Discovery loop from Attack back to Discovery; a further label reads Actions]
Discovery:
• Reconnaissance
• Scanning
• Enumerating
Attack:
• Gaining Access
• Escalating Privilege
• System Browsing
Weaknesses listed in the diagram:
• Lack of Security Policy
• Poorly Enforced Policy
• Misconfiguration
• Software reliability
• Failure to apply patches
Discovery Phase of PT
[Diagram: footprinting steps, with the tools shown alongside]
Footprinting steps:
• Gather initial information
• Determine the network range
• Identify active machines
• Discover open ports and access points
• Fingerprint the operating system
• Uncover services on ports
• Map the network
Footprinting tools: Whois, SmartWhois, NsLookup, Sam Spade
Port scanning and enumerating tools: NMap, Ping, Traceroute, Superscan, Netcat, NeoTrace, Visual Route
Attack Phase Steps with Loopback
[Diagram: Discovery Phase → Gaining Access → Escalating Privilege → System Browsing → Install Add. Test Software, looping back to the Discovery Phase]
• Gaining Access: enough data has been gathered in the discovery phase to make an informed attempt to access the target.
• Escalating Privilege: if only user-level access was obtained in the last step, the tester will now seek to gain complete control of the system.
• System Browsing: the information-gathering process begins again to identify mechanisms to gain access to trusted systems.
• Install Add. Test Software
Types of Penetration Test
[Diagram: Penetration Test splits into External Test and Internal Test]
External Test:
• Black Box
• White Box
• Gray Box
Internal Test:
• Curious Employee
• Disgruntled End User
• Disgruntled Administrator
When is Testing Necessary?
[Diagram: events that call for a test]
• Upgrade Rollout
• Periodic Testing
• New Attack
• Quality Assurance Test
• Become Certified
• Penetration Testing was traditionally done once or twice a year due to the high cost of service.
• Automated Penetration Testing software is enabling organizations today to test more often.