A Study on the Security aspects of Network System Using Penetration Testing

Transcription

1 A Study on the Security aspects of Network System Using Penetration Testing 1 Shwetabh Suman, 2 Vedant Rastogi 1,2 Institute of Engineering and Technology, Alwar, India 1 [email protected] 2 [email protected] Abstract Penetration testing is used to search for vulnerabilities that might present in a network system. The testing process usually involves simulating different types of attacks on the target a machine or network. This type of testing provides an organized and controlled way to identify security problems. Generally the resources and time required for comprehensive testing can make penetration testing cost intensive. Consequently, such tests are usually only performed during important milestones. A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders and/or insiders. Several procedures carried out during penetration tests can be easily automated. The paper addresses the problem of automated penetration testing limitations by studying the differences with manual testing. Keywords Penetration Test, Semi Automated Testing, Manual Testing I. INTRODUCTION The rapid growth in the internet and web technologies has been beneficial to businesses and peoples. With the rise of new technologies comes the challenge of providing a secure environment for the efficient processing. A study conducted by the CISCO in 2013 suggests that over 90 percent of IT based companies have fallen victim to malicious attacks [1]. Security testing is used to build a secure system but it has been ignored for a long time. It is of immaculate importance these days for all the IT security peoples. In today s world, privacy and security have been assigned foremost importance, therefore it is highly recommended to look forward for data and operations security in software applications, which demands urgent attention but it is rather ignored. Therefore, our objective is to introduce developers with an esteemed importance of system s security, which can be induced by implementing security testing methodology in SDLC process to produce a secure software system. So, Security Testing has been defined from developer s point of view. It resembles methods that need to be incurred in SDLC process to incorporate security feature in software. Software Security Unified Knowledge Architecture not only describes Security testing s values and objectives but also provides some developer s guidelines to produce a secure software system. Before a penetration test, certain key issues need to be placed in order to ensure useful and timely results. It includes the technical requirements such as time constraints; cover the full range of the threats, the range of IP addresses over which the test is to be conducted and the systems that are to be attacked and also those that are not to be attacked as part of the test with minimal disruption to normal operation. Other requirements may also include legal and contractual issues specifying liability information to individuals regarding the test taking place. Such requirements can vary depending on legal structures in the organization or even the host country of the organization. Network penetration testing is a well-known

2 Shwetabh Suman et al.: A Study on the Security aspects of Network System Using Penetration Testing 19 approach used for security testing. Penetration testing can be a laborious task which relies much on human knowledge and expertise, with various techniques employed, and an extensive amount of tools used in the process. A methodical approach to penetration testing is therefore recommended. The flaw hypothesis methodology, used in this thesis, represent one of the most used models for penetration testing and have great similarities in other penetration testing methodologies and standards used today. There are few reasons for an organization to hire a security professional to perform a penetration test. The main reason is that security breaches can be extremely costly. A successful attack may lead to direct financial losses, harm the organization s reputation, trigger fines, etc. With a proper penetration test it is possible to identify security vulnerabilities and then take counter measures before a real attack takes place. A penetration test is generally performed by people external to the organization responsible for the system under test. Consequently, the testers operate with a different point of view of the system s resources and may be able to identify issues that were not readily visible to internal operators. II. LITERATURE REVIEW We have reviewed some earlier efforts to automate the penetration testing process. There are various tools which provide the basis for understanding the automated procedures for penetration testing in the context of their production environments. A commercial application developed for automated penetration testing developed by Core Security Technologies. Core Security s Impact is GUI-based application designed for easing the work of corporate security mechanism which needs an efficient application to perform penetration testing on their systems [2]. This application automates all phases of a penetration test, from requirement specification to final report generation. Basic concept behind this application is procedure used by the majority of automated penetration testing tools such as the start scans a range of hosts in a network, looking for vulnerabilities for which it has suitable exploits. In an additional manner after the vulnerability exploitation, this application is able to install agents on the affected machines that provide different levels of remote access. These active agents can launch additional tests from the new location, allowing the penetration tester to move from host to host within the system under test. The exploits used by this software are constantly updated and for the end users. The exploit database contains a large number of up-to-date exploits which gives it the ability to test a wide range of systems. Major drawback of Core Security Technologies software is its high price and the lack of a command line interface. Another commercial application developed for automated penetration testing developed by Immunity Inc [3]. Immunity s Canvas is a vulnerability exploitation tool uses the same approach as Core Impact s, the only difference, it provides a lower level of automation and it has less features such as pivoting and automated reporting. Major advantages of this tool over Core Impact are a considerably lower price and a feature of command line interface. As for additional point this application does not provide fully automated procedures for penetration testing. It is a basic support tool for penetration testers those can use it to gather information about the system under test and choose appropriate exploits for actions among all provided. This tool is able to automate parts of the penetration testing process; the end user of this tool must have a substantial knowledge about penetration testing and system security. Fast-Track [4] is a python-based open-source project based on the Metasploit framework providing penetration testers with automated tools to identify and exploit vulnerabilities in a network. Fast-Track extends Metasploit with additional features and is composed of several tools concerned with different aspects of the penetration test: MSSQL server attacks, SQL injection, Metasploit Autopwn Automation, Mass Client Side attacks, additional exploits not included in the Metasploit framework, and Payload generation. Existing Tools for Penetration Testing Few of the most common tools used by security professionals for penetration testing are discussed in this

3 Table1: Comparison of Penetration Testing Tools/Techniques Tools /Techniques Functions Availability Platform Advantages Mapper or Nmap [5] Security Auditing Network Scanning Port Scanning as an opensource Linux, Windows, Mac Excellent scalable Work against remote Metasploit [6] system Use for vulnerability of computer systems All versions of Unix and Windows It is a Framework has various functions for security scanning on single platform. Hping [8] Remote OS fingerprinting Security auditing and testing firewalls and networks Windows, Open BSD, Solaris, Mac OS X Low level scriptable and idle scanning SuperScan [9] Detect TCP/UDP ports determine which services are running on those ports Run queries Windows Possible to access unauthorized open ports paper. Network Mapper or Nmap is a security scanner tool for a computer network [5]. This is open-source software application basically used to create a map of a network and to provide a list of hosts with related services that exist in the network. This tool is often used by professionals for performing security auditing, since the scanning of a network might reveal vulnerable services or configurations. Nmap tool can also be used for network monitoring and inventory. This tool is excellent scalable and this property makes it for scanning large networks. Another tool Metasploit [6] is a framework for security testing. This is an exploitation framework provides several tools, utilities, and scripts to execute and develop exploits against targeted remote system. A variety of different techniques and tools are for penetration testing. Table 1 lists some of these tools. III. TESTING WORKFLOW In this work we studied various automated tools for penetration testing. By analyzing the behavior of different tools a common approach to automated penetration testing emerged. The procedure followed by these tools consists of three main phases: First scan host machines in the network under test to collect all possible information Secondly we need to identify vulnerabilities of these host by matching the results of the first phase i.e. scan with entries in a vulnerability database In the third phase it exploits vulnerability to gain access to for a certain resource It s difficult to find all vulnerabilities using automated tools. There is some vulnerability which can be identified by manual scan only. Penetration testers can perform better attacks on

4 Shwetabh Suman et al.: A Study on the Security aspects of Network System Using Penetration Testing 21 application based on their skills and knowledge of system being penetrated. The methods like social engineering can be done by manual testing only. Manual testing process includes design, business logic with code verification. In the next section tools procedures will be compared with the actions manually performed by a penetration tester in a production environment, with the goal of understanding the differences that make manual testing the preferred solution in such environments. IV. WORK ANALYSIS In this section we analyze the differences between an aggressive penetration test carried out by most of the standard automated tools and the process followed by a penetration tester manually testing a system in a production environment. The main difference between the automatic and manual approaches is that vulnerabilities derived from software application flaws are not exploited in production environments. However, various vulnerabilities can still be identified and reported as a problem. The first scanning phase is common for both automatic and manual approaches and, although few different, it leads to very similar results that may reveal vulnerable exposed services in the system under test. A professional penetration tester does not necessarily need to exploit these vulnerabilities, but simply point them out to the client. Some of the exploits instead are considered safe to exploit. A penetration tester may decide to leverage a safe exploit to gain access to the vulnerable resource. In any production environment, an experienced penetration tester always applies the safest techniques first. Using a combination of automatic tool and manual process can result in the various benefits. 1. In semi automated system all the technical and logical security issues can be identified easily. Technical vulnerabilities can be efficiently identified by automated tool while the logical vulnerabilities which could not identified by the automated tool, can be identified by testing professional s analysis. 2. The total volume of false positives can be minimized using semi automated system. Software can apply various tests on a network application and customized error messages and response can better be analyzed by testing professionals. This will reduce the number of false positive results which could occur if the software is used alone [7]. 3. The unique and evolving nature of software applications require a human to select suitable tests for a particular module, to be applied by the software. In this way large applications can be tested quickly and efficiently. A logged in state can be maintained using a combination of software and security personnel. If the software is logged out at some point, security personnel can detect it and log in again before the software proceed to next test. 4. Software tools can remotely scan without source code accessibility. They can quickly crawl through a web system and find out all the links associated with that domain. Human interaction will enhance this process to carefully map the online system and remove the bad links. Since vulnerabilities due to software bugs are usually not exploited, the tester needs to leverage other security issues in order to gain access and start the expanding process. V. CONCLUSIONS Penetration testing is a very effective method to analyze the weakness and strength of network systems. By using penetration test in any organization offers benefits such as protect company data, companies often take measures to guarantee the availability, confidentiality and integrity of data or to ensure access for authorized persons. This paper presented a study on the comparison of several security tools implementing penetration-testing and manual testing over network. We tried to show a robust method for the best result to secure a network using penetration testing. The goal of this study is to investigate the results of combining manual and automated approach as semi automated proxy security evaluation tool that automates the security testing of network and at the same time give control of the testing process to the test performer. This semi automated approach is also expected to maintain security evaluation tool with the help of a security

5 analyst is expected to eliminate the problems that can result by using automated or manual approach alone. REFERENCES [1] J Aileen G. Bacudio, Xiaohong Yuan, Bei-Tseng Bill Chu, Monique Jones AN OVERVIEW OF PENETRATION TESTING International Journal of Network Security & Its Applications (IJNSA), Vol.3, No.6, November [2] Farkhod Alisherov A., and Feruza Sattarova Y, Methodology for Penetration Testing, International Journal of of Grid and Distributed Computing, Vol.2, No.2, June [3] Penetration Testing: A Review,Kumar Shravan,, Bansal Neha,Bhadana Pawan, COMPUSOFT, An international journal of advanced computer technology, 3 (4), April-2014, [4] Roning, J., Laakso, M., Takanen, A. & Kaksonen, R. (2002) Protossystematic approach to eliminate software vulnerabilities, December [5] Potter, Bruce, and Gary McGraw. "Software security testing." Security & Privacy, IEEE 2.5 : 81-85, [6] Bhattacharyya, Debnath, and Farkhod Alisherov. "Penetration testing for hire."international Journal of Advanced Science and Technology 8, [7] Que Nguyet Tran Thi and Tran Khanh Dang, Towards Side-Effectsfree Database Penetration Testing, Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, volume: 1, number: 1, pp [8] Smith, Bryan, William Yurcik, and David Doss. "Ethical hacking: the security justification redux." Technology and Society, 2002.(ISTAS'02) International Symposium on. IEEE, [9] Klevinsky, Thomas J., Scott Laliberte, and Ajay Gupta. Hack IT: security through penetration testing. Addison-Wesley Professional, 2002.