Conducting a Penetration Test/Vulnerability Analysis to Improve an Organization s Information Security Posture

Transcription

1 9891 Broken Land Parkway, Suite 100 Columbia, Maryland Conducting a Penetration Test/Vulnerability Analysis to Improve an Organization s Information Security Posture Margaret ( Rhette) Marsh, CCIE, CISSP, GWAPT, GPEN Senior Network Engineer Thomas Shirron, C EH Security Engineer Edwin Covert, CISSP, CISM, PMP Director, Information Assurance Programs

2 Introduction Applied Network Solutions (ANS) is a leading provider of network and security architecture and engineering services. A key element of these services is vulnerability analysis and penetration testing for client networks. In an age of potential catastrophic results from attacked networks and systems, these services can assist in safeguarding our clients against failure by showing an organization performed due diligence and compliance to industry regulators, customers and shareholders. Additionally, at a personal level it can also mean the loss of a job, prosecution and sometimes even imprisonment. Organizationally, vulnerability analysis and penetration testing will assist our clients' network and information security strategy by pro-actively identifying vulnerabilities and quantifying any potential impact and likelihood in advance. This allows for resources to be allocated and corrective measures implemented. Conducting a Penetration Test/Vulnerability Analysis A good definition for such work comes from Vincent Lui in a recent DarkReading.com article. He states, A penetration test is a type of security assessment that simulates a real-world attack by a determined adversary against one or more of your target assets. These assets can be networks, applications, devices, infrastructure, or anything else you deem important enough to protect. Unlike other forms of security assessments, penetration testing's approach really does mean that the penetration tester will attempt to actively exploit identified vulnerabilities and attempt to leverage any weaknesses within the targets to gain further access /professional_pe.html?cid=rssfeed_dr_all ANS follows a defined process for conducting penetration testing and vulnerability analyses. By using a repeatable methodology, we are able to save our clients critical resources. These phases are enumeration, scanning, and reconnaissance; vulnerability assessment; penetration testing and exploitation; and reporting.. Reporting Enumeration, Scanning, and Recon Penetration Testing/Exploitation Vulnerability Assessment Figure 1 - ANS Testing Methodology Understanding the Desired Goal When deciding on whether it is necessary for a penetration test/vulnerability analysis to be conducted, a client really should be asking if their sensitive assets and resources can be attacked in a manner that degrades their business or mission. That is the goal of this type of testing. As Mr. Lui points out, a penetration test is a real-world security assessment targeted at a particular asset. Conversely, these tests are not designed to catch all possible vulnerabilities and shut them down. Additionally, it is NOT the focus of a penetration test/vulnerability analysis to calculate the risk that an asset poses. Crystal Box versus Black Box Testing Because in the wild threats are practically boundless in terms of time and distributed effort (an organization has to protect

3 thousands of potential attack vectors while an attacker only has to be successful with one), ANS recommends that crystal box testing be performed to maximize discovered vulnerabilities and remediation recommendations. Crystal box testing involves some prior knowledge of the infrastructure, application, and traffic flow. The reason for this is to minimize the time penalty that penetration testers have relative to crackers in the wild. In all cases, ANS would coordinate our testing efforts with a client beforehand in order to reduce any risks to their business or operation. The principal advantage crystal box testing presents over black box vulnerability testing and analysis is that prior knowledge of the infrastructure eliminates some time involved in reconnaissance, enumeration, and verification of vulnerabilities that the traditional attacker or hacker has at his leisurely disposal. The secondary advantage is that the vast majority of attacks are insider in that they are launched logically from inside the perimeter infrastructure. Using crystal box testing provides a significant savings in terms of time and money for both the testing group (ANS) and the target organization (the client). In crystal box testing and analysis, far less time is spent scoping out the infrastructure and more time is spent verifying and analyzing what the client cares about the integrity and availability of business-critical applications and service. IP range defining bounds of test Network topology diagram Description of traffic flow where appropriate Additionally, more specialized network testing is available for both wireless penetration and web application penetration testing. We will work with our clients to specify what the times of day are that the testing can occur. In order to avoid scope creep, we always work to specify if indirect attacks are fair game i.e. whether ANS personnel can use other devices (outside the range specified above) as an intermediate step to discover or verify vulnerabilities. Devices outside the range of the above specified networks could include, but are not limited to, entry via wireless networks, Bluetooth, or even VPN. ANS will work with our clients to specify whether ANS is authorized to create DoS conditions, as well as whether vulnerability verification is permitted to what extent to degrade service. We are intimately aware of the conditions such tests can create in production environments and actively seek to reduce any risks to our clients will still providing them the most accurate threat and vulnerability information possible. Client Inputs In order to succeed in any penetration testing or vulnerability analysis exercise, ANS requires that our clients delineate the following as the contained scope for crystal box vulnerability testing: Description and IPs of servers/business-critical applications

4 Testing Goals Penetration Test Type of Testing Figure 2 - Inputs to Penetration Testing ANS will assist our clients with specifying whether this should an announced test, and if their internal information technology and infrastructure staff is both permitted to know about its execution, or if the test is unannounced and the staff is unaware. Both types of testing plans have risks and rewards. For example, an unannounced or limitedly-announced test will allow the client to determine how their staff and procedures perform in a near-real-world attack scenario, but can lead to an overreaction if it is detected and gets out of hand. ANS would also require points of contact information to be provided as vital points of escalation on both sides. If the client prefers black box testing, the assessment will address any vulnerabilities that can be seen from the public facing side of the network and may include servers, workstations, firewalls, routers, and both application and infrastructure software. Regardless of the approach (crystal box or black box), ANS will always follow our prescribed four-phase approach to all of our penetration testing/vulnerability analysis projects. These phases are enumeration, scanning, and reconnaissance; vulnerability assessment; penetration testing and exploitation; and reporting. Enumeration, Scanning, and Reconnaissance Phase In the enumeration phase, ANS will use automated tools and scanners to find ports, services, addresses, and fingerprint operating systems. For example, ANS will use Zenmap (an nmap front end), nikto (a web scanner), nessus, netcat, and various tools within and MetaSploit and/or Backtrack 4 to scan and enumerate the network ranges and find website vulnerabilities. Specifically targeted web application vulnerability discovery is an additional service. ANS will also gather data from the website via such tools as nslookup, Google, ARIN, Robtex, and others to learn about a client's domain mapping, and internal administrative contacts. DNS services, zone-transfers and other methods are used to determine vulnerability to critical infrastructure. Various OS fingerprinting tools may be used e.g., p0f and others. Traditionally, enumeration includes password and username discovery valid within the target domain. To this end, Cain and Able, SAINT, or other password tools may be used. A partial list of tool is attached to this paper. A complete list of tools is available upon request. Not all tools listed are appropriate for every client. Vulnerability Assessment The results from the enumeration and reconnaissance phase will feed into the vulnerability assessment phase. Nmap scan results will get rescanned with Nessus and SuperScan to discover vulnerabilities. The client's website will be dissected in an offline fashion with curl and httprint. Any common forms that are used will be researched for known vulnerabilities. ANS is able to use SQLBrute, SQLANLZ, and Backtrack 4

5 tools 2 on any databases that are found. The resulting data from these tools will be crossreferenced in the Common Vulnerabilities and Exposures (CVE) database hosted at nvd.nist.gov. ANS will take the results from the CVE database and categorize them into Low, Medium and High priority vulnerabilities. Penetration Testing and Exploitation During this penetration testing phase of the project ANS will determine the severity of each vulnerability. ANS will test SQL injection, XSS, and possibly CSRF using non-performance degrading techniques to determine if any databases are susceptible to SQL injection attacks. Any actual exploit testing will be coordinated with the client before being performed, and where possible, options for discussion of verification but not exploitation are offered. ANS certified ethical hackers (CEH) or GIAC penetration testers will use their expertise to review factors such as CVE database results, likelihood of attack, origin of exploit, difficulty to perform the exploit, and availability of exploit code or automated tools. The exploitation portion of the test incorporates the reconnaissance, scanning, and enumeration data previously detailed and accomplishes verification that potential attacks are active vulnerabilities on the client's infrastructure. Some common tools used are BeEF, SprAJAX, ratproxy, Metasploit/Metaterpreter, Durzosploit, Backtrack 4 final, and others. Where feasible, vulnerabilities will be verified by minimum-to-zero-impact scripts. Reporting The results of our penetration testing/vulnerability analysis are typically 2 See Tools List for a more complete list of tools ANS uses divided into two parts: ANS will create and submit a draft report to our client for review. Typically, again, ANS requires feedback on this draft document within five business days. ANS then incorporates the client's feedback into the final report. Other reporting elements that go into an overall project include: Daily reports a report of activities performed and any high severity vulnerabilities discovered. These reports can be encrypted and ed to the client or provided verbally if that is more convenient. Scan and reconnaissance results a compilation of raw data output from scans and automated tools used during the project, including failed test results, and passive OS fingerprinting, service enumeration, etc. Methodology for exploitation Mitigation recommendations ANS's suggestions to mitigate High severity and Medium severity vulnerabilities on the axes of likelihood and impact. Appendices containing the raw data from the various tools, and command shells, custom scripts, etc. Summary Penetration testing and vulnerability analyses are critical elements of an information security program. They provide real-world attacks in a controlled setting against mission-essential resources. However, in order for the testing to be effective, organizations should understand the goals of their testing scenario or project and understand the type of testing they desire. Finally, it is crucial for any organization desiring these tests to ensure their supporting organization (those doing the testing i.e. internal staff or outside contractors) have a

6 formalized process to work from. Ad hoc is not the way to go for this demanding process. About the Authors Margaret ( Rhette) Marsh is a Senior Network Engineer for Applied Network Solutions (). She holds the Cisco Certified Internetworking Expert certification (CCIE), the Certified Information Systems Security Professional (CISSP) certification, and the SANS Institute s GIAC Web Application Penetration Tester (GWAPT) and the GIAC Certified Penetration Tester (GPEN) certifications. She has work in the federal and commercial information security fields for many years and can be reached at rmarsh@ansfederal.com. Thomas Shirron is a Security Engineer for Applied Network Solutions. He holds the Certified Ethical Hacker (C EH) designation from EC-Council. He can be reached at tshirron@ansfederal.com Edwin Covert is the Director, Information Assurance Programs for Applied Network Solutions. He holds the Certified Information Systems Security Professional (CISSP) and the Certified Information Security Manager (CISM) designations and has fifteen years in the information security and information assurance arenas. He also holds the Project Management Professional (PMP) certification. He has worked in the federal, military, and commercial sectors and is the author of numerous papers and presentations. He can be reached at ecovert@ansfederal.com About Applied Network Solutions Applied Network Solutions (ANS) is a Small Veteran Owned Professional Services company providing mission critical, network centric solutions to U.S. Government clients. Founded in 1999, and incorporated in Maryland, ANS provides Enterprise Architecture, Network Engineering, and Systems Engineering services as part of those solutions. Our network and security architecture and engineering solutions can help an organization or agency select the right elements from an array of new technologies and deploy them to your greatest advantage. Our technical expertise extends from small local networks to the largest networks in the world. With our record of success and indepth knowledge of complex, multi-vendor IP data networks, we can ensure maximum performance, scalability, and security that your business depends on.

7 Metasploit Absinthe Mezcal Napkin WebScarab BiDiBlah Nessus Nmap UNIX Hping2 THC-Amap (linux) THC-Orakel Crackert 11g UNIX THC- Orakel UNIX THC-Hydra THC- IPv6 Attack Toolkit THC- Scan THC -Snooze THC- Keyfinder THC --pptp-bruter Partial List of Potential Tools THC- Yaop Snort THC-- FuzzyFingerprint Ozyman--DNS Set p0f netcat kismet ettercap nikto dsniff netstumbler aircrack superscan sysinternals netfilter samspade ngrep Xprobe-NG EtherApe PWDump Rainbow Crack Firewalk Arpwatch Stunnel Wireshark MDcrack Whisker ObiWan VIPPR Phoss Hijetter 3 3 A complete list of tools used by ANS is available on demand.