Penetration Testing
Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University, University Park, PA 16802
Objectives
This module will familiarize you with the following:
• What does a malicious hacker do?
• Types of security tests.
• What is penetration testing?
• Why penetration testing?
• Legal aspects of penetration testing.
• Vulnerability assessment vs. penetration testing.
• How to conduct penetration testing?
• Tools for penetration testing.
Readings
• NIST, “Guideline on Network Security Testing,” Special Publication 800-42, 2003. (Sec. 3-10). (Required)
• Wikipedia, “Penetration Test,” http://en.wikipedia.org/wiki/Penetration_test
• Herzog, P., “OSSTMM Open-Source Security Testing Methodology Manual,” V. 2.2, ISECOM, 2006.
• Layton, Sr., T. P., “Penetration Studies – A Technical Overview,” SANS Institute, 2001.
• NIST, “Technical Guide to Information Security Testing and Assessment,” Special Publication 800-115, September 2008.
• Northcutt, S., Shenk, J., Shackleford, D., Rosenberg, T., Siles, R. and Mancini, S., “Penetration Testing: Assessing Your Overall Security Before Attackers Do,” SANS Analyst Program, June 2006.
What Does a Malicious Hacker Do
Reconnaissance:
• Active/Passive
Scanning
Gaining Access:
• Operating system level / application level
• Network level
• Denial of service
Maintaining Access:
• Uploading/altering/downloading programs or data
Clearing Tracks
Penetration Testing Report (Recommendation for Security)
Perspective of Adversary
The figure lays out the attack phases and the activities placed under each:
• Reconnaissance: web-based information collection, social engineering
• Scanning: broad network mapping, targeted scan
• System Access: service vulnerability exploitation, password cracking
• Damage: DDoS code installation, system file deletion, use of stolen accounts for attack
• Clear Tracks: log file changes
Alongside these it shows the defensive phases: Reactive Security (Incident Response), Proactive Security (Real Time) and Preventive Phase (Defense).
Types of Attacks
The ways a hacker gains access to a system can be classified as:
• Operating system attacks. Attackers look for OS vulnerabilities (via services, ports and modes of access) and exploit them to gain access.
• Application-level attacks (programming errors; buffer overflow).
• Shrink wrap code attacks. Operating systems and applications often ship with sample scripts for administration. If these scripts are not properly fine-tuned, they can lead to default code or shrink wrap code attacks.
• Misconfiguration attacks. Systems that should be fairly secure are hacked into because they were not configured correctly.
Security Testing Techniques
• Network Scanning
• Vulnerability Scanning
• Password Cracking
• Log Review
• Integrity Checkers
• Virus Detection
• War Dialing
• War Driving (802.11 or wireless LAN testing)
• Penetration Testing
Often, several of these testing techniques are used together to gain a more comprehensive assessment of the overall network security posture.
(NIST SP 800-42, 2003)
Security Testing Methods
Every organization uses different types of security testing methods to validate the level of security of its network resources.
[Figure: security testing methods plotted against the axes "Thorough" and "Accurate": Penetration Testing, Ethical Hacking, OSSTMM Security Test, Vulnerability Scanning, Hands-on Audit.]
(OSSTMM, 2006)
What is Penetration Testing?
• A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source.
• The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures.
• The intent of a penetration test is to determine feasibility of an attack and the amount of business impact of a successful exploit, if discovered.
(Source: http://en.wikipedia.org/wiki/Penetration_test)
Why Penetration Testing?
• Computer related crime is on the rise.
• Find holes now before somebody else does.
• Report problems to management.
• Verify secure configurations.
• Security training for network staff.
• Discover gaps in compliance.
• Testing new technology.
(Source: Northcutt et al., 2006)
Legal Aspects of PT
• U.S. Cyber Security Enhancement Act 2002: Life sentences for hackers who “recklessly” endanger the lives of others.
• U.S. Statute 1030, Fraud and Related Activity in Connection with Computers. Whoever intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage or impairs medical treatment, can receive a fine or imprisonment of five to 20 years.
• Attacking a network from the outside carries ethical and legal risk to you, the tester, and remedies and protections must be spelled out in detail before the test is carried out. Thus, it is vital that you receive specific written permission to conduct the test from the most senior executive.
• Your customer also requires protection measures. You must be able to guarantee discretion and non-disclosure of sensitive company information by demonstrating a commitment to the preservation of the company's confidentiality. The designation of red and green data classifications must be discussed before the engagement, to help prevent sensitive data from being re-distributed, deleted, copied, modified or destroyed.
• The credibility of your firm as to its ability to conduct the testing without interruption of the customer's business or production is also of paramount concern. You must employ knowledgeable engineers who know how to use minimal bandwidth tools to minimize the test's impact on network traffic.
Vulnerability Assessment
• Vulnerability assessment scans a network for known security weaknesses.
• Vulnerability scanning tools search network segments for IP-enabled devices and enumerate systems, operating systems, and applications.
• Vulnerability scanners can test systems and network devices for exposure to common attacks.
• Vulnerability scanners can identify common security configuration mistakes.
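The last bullet is the kind of check a configuration audit performs. The Python below is an added example, not from the slides or the cited sources: it evaluates an sshd_config against a small rule set and reports each deviation with a severity, which also shows the identify, quantify and prioritize sequence of a vulnerability assessment. Both configurations, the rule set and the function names are constructed for the example; the rules are illustrative, not a complete hardening standard.

```python
import re

# Added example, not from the slides: a configuration audit of the kind a vulnerability
# scanner runs to spot common security configuration mistakes, applied to sshd_config.

WEAK_SSHD_CONFIG = """\
# constructed sample: weak settings
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
"""

HARDENED_SSHD_CONFIG = """\
# constructed sample: hardened settings
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
"""

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# (directive, default assumed when the directive is unset, pass predicate,
#  expected value, severity, rationale) -- illustrative rule set
RULES = [
    ("Protocol", "2", lambda v: "1" not in v.split(","), "2", "high",
     "SSH protocol 1 has known cryptographic weaknesses"),
    ("PermitRootLogin", "prohibit-password",
     lambda v: v.lower() in ("no", "prohibit-password", "without-password"), "no", "high",
     "interactive root login removes accountability"),
    ("PermitEmptyPasswords", "no", lambda v: v.lower() == "no", "no", "high",
     "accounts with empty passwords become remotely usable"),
    ("PasswordAuthentication", "yes", lambda v: v.lower() == "no", "no", "medium",
     "key-based authentication resists password guessing"),
    ("X11Forwarding", "no", lambda v: v.lower() == "no", "no", "low",
     "unneeded forwarding widens the attack surface"),
    ("MaxAuthTries", "6", lambda v: v.isdigit() and int(v) <= 4, "<= 4", "low",
     "limits authentication attempts per connection"),
]

def parse_sshd_config(text):
    """Map lowercased directive to value. sshd honours the first occurrence of a
    directive, so later duplicates are ignored; comments and blanks are skipped."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        config.setdefault(parts[0].lower(), parts[1].strip())
    return config

def audit_sshd_config(text):
    """Return findings ordered by severity; each records observed vs expected."""
    config = parse_sshd_config(text)
    findings = []
    for directive, default, ok, expected, severity, why in RULES:
        observed = config.get(directive.lower())
        value = observed if observed is not None else default
        if not ok(value):
            findings.append({
                "directive": directive,
                "observed": observed if observed is not None else f"(unset, default {default})",
                "expected": expected,
                "severity": severity,
                "rationale": why,
            })
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"== {name}: {len(audit_sshd_config(cfg))} finding(s)")
        for f in audit_sshd_config(cfg):
            print(f"  [{f['severity']}] {f['directive']}: {f['observed']} -> {f['expected']} ({f['rationale']})")
```

Note that an unset directive is evaluated against its assumed default, which is how MaxAuthTries in the weak sample is flagged even though the file never mentions it; scanners that only grep for present lines miss exactly this class of mistake.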
Limitations of Vulnerability Assessment
• A vulnerability scanning tool can only detect the vulnerabilities known to it at a given point in time.
• A vulnerability scanning tool must be updated when new vulnerabilities are discovered or improvements are made to the software being used.
• The methodology used and the diverse vulnerability scanning tools assess security differently, which can influence the result of the assessment.
Vulnerability Assessment vs. Penetration Test
• Vulnerability assessment is a process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. It reveals potential security vulnerabilities or changes in the network which can be exploited by an attacker with malicious intent.
• A penetration test is a method of evaluating the security state of a system or network by simulating an attack from a malicious source. This process involves identification and exploitation of vulnerabilities in a real-world scenario; such vulnerabilities may exist in the systems due to improper configuration, known or unknown weaknesses in hardware or software systems, operational weaknesses, or loopholes in deployed safeguards.
Types of Security Tests
[Figure: test types plotted by "Attacker's Knowledge of Target" (horizontal axis) against "Target's Knowledge of Attack" (vertical axis): Blind, Double Blind, Gray Box, Double Gray Box, Tandem, Reversal. The figure also marks Black Box, White Box, Red team and Blue team.]
Penetration Testing Process
The phases run Planning, Discovery, Attack and Reporting; the Attack phase feeds back into Additional Discovery.
(NIST SP 800-42, 2003)
Actions in each phase:
• Discovery: Reconnaissance, Scanning, Enumerating
• Attack: Gaining Access, Escalating Privilege, System Browsing
Root causes listed on the slide:
• Lack of Security Policy
• Poorly Enforced Policy
• Misconfiguration
• Software reliability
• Failure to apply patches
Discovery Phase of PT
Activities: Footprinting, Port Scanning, Enumerating
• Gather Initial Information
• Determine the Network Range
• Identify Active Machines
• Discover Open Ports and Access Points
• Fingerprint the Operating System
• Uncover Services on Ports
• Map the Network
Tools named on the slide (grouped as extracted): Whois, SmartWhois, NsLookup, Sam Spade; NMap, Ping, Traceroute, Superscan; Netcat, NeoTrace, Visual Route.
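The discovery steps end with mapping the network, which in practice means turning raw scanner output into an inventory the report can be built from. The Python below is an added example, not from the slides or from the Nmap project: it parses a constructed sample written in the style of Nmap's grepable (-oG) output, groups the hosts by subnet and flags open services that carry credentials in the clear. The sample, the address range (192.0.2.0/24, reserved for documentation), the service list and the function names are all constructed for the example; nothing here touches a network.

```python
import ipaddress
import re
from collections import defaultdict

# Added example, not from the slides: build the "map the network" inventory from
# port-scan output. SAMPLE_SCAN is a constructed sample in the style of nmap -oG.
SAMPLE_SCAN = """\
# constructed sample, documentation addresses only
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 80/open/tcp//http//nginx 1.18/\tIgnored State: closed (998)
Host: 192.0.2.21 (db.example.test)\tStatus: Up
Host: 192.0.2.21 (db.example.test)\tPorts: 23/open/tcp//telnet///, 3306/open/tcp//mysql//MySQL 5.7/\tIgnored State: closed (998)
Host: 192.0.2.22 ()\tStatus: Up
Host: 192.0.2.22 ()\tPorts: 445/open/tcp//microsoft-ds//Windows 10 microsoft-ds/, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (998)
"""

# Services that move credentials or data unencrypted; a tester calls these out in the report.
CLEARTEXT_SERVICES = {"telnet", "ftp", "http", "pop3", "imap", "smtp"}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")

def parse_grepable(text):
    """Return {ip: {"hostname": str, "ports": [(port, proto, state, service, version)]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for item in field[len("Ports: "):].split(","):
                # each item is port/state/proto/owner/service/rpc/version/
                port, state, proto, _owner, service, _rpc, version = item.strip().split("/")[:7]
                entry["ports"].append((int(port), proto, state, service, version))
    return hosts

def map_network(hosts, prefix=28):
    """Group discovered hosts by subnet; the prefix is an assumption for the example."""
    subnets = defaultdict(list)
    for ip in hosts:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        subnets[str(net)].append(ip)
    return {net: sorted(ips, key=ipaddress.ip_address) for net, ips in subnets.items()}

def cleartext_exposures(hosts):
    """List (ip, port, service) for open services that transmit in the clear."""
    found = []
    for ip, entry in hosts.items():
        for port, _proto, state, service, _version in entry["ports"]:
            if state == "open" and service in CLEARTEXT_SERVICES:
                found.append((ip, port, service))
    return sorted(found, key=lambda t: (ipaddress.ip_address(t[0]), t[1]))

if __name__ == "__main__":
    inventory = parse_grepable(SAMPLE_SCAN)
    for net, ips in map_network(inventory).items():
        print(f"{net}:")
        for ip in ips:
            name = inventory[ip]["hostname"] or "-"
            ports = ", ".join(f"{p}/{pr} {s} {svc} {v}".rstrip() for p, pr, s, svc, v in inventory[ip]["ports"])
            print(f"  {ip} ({name}): {ports}")
    print("cleartext services:", cleartext_exposures(inventory))
```

Filtered ports are kept in the inventory but excluded from the exposure list, since only an open cleartext service is a confirmed finding; the filtered state is still worth recording because it hints at where a firewall sits.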
Attack Phase Steps with Loopback
The steps run from the Discovery Phase to Gaining Access, Escalating Privilege, System Browsing and Install Additional Test Software, which loops back to the Discovery Phase.
• Gaining Access: enough data has been gathered in the discovery phase to make an informed attempt to access the target.
• Escalating Privilege: if only user-level access was obtained in the last step, the tester will now seek to gain complete control of the system.
• System Browsing: the information-gathering process begins again to identify mechanisms to gain access to trusted systems.
Types of Penetration Test
• External Test: Black Box, White Box, Gray Box
• Internal Test: Curious Employee, Disgruntled End User, Disgruntled Administrator
When is Testing Necessary?
• Penetration testing was traditionally done once or twice a year due to the high cost of the service.
• Automated penetration testing software is enabling organizations today to test more often.
[Figure: events that each trigger a test (Upgrade, New Attack, Quality Assurance, Rollout), plus Periodic Testing.]
Become Certified