Penetration Testing. Module 20


1 Penetration Testing Module 20

2 Ethical Hacking and Countermeasures: Penetration Testing
Penetration Testing Module 20
Engineered by Hackers. Presented by Professionals.
CEH Ethical Hacking and Countermeasures v8, Module 20: Penetration Testing, Exam
Module 20 Page 2873 Ethical Hacking and Countermeasures Copyright by EC-Council

3 Security News: City of Tulsa Cyber Attack Was Penetration Test, Not Hack
Source: http://www.esecurityplanet.com, October 02

The City of Tulsa, Oklahoma last week began notifying residents that their personal data may have been accessed -- but it now turns out that the attack was a penetration test by a company the city had hired.

"City officials didn't realize that the apparent breach was caused by the security firm, Utah-based SecurityMetrics, until after 90,000 letters had been sent to people who had applied for city jobs or made crime reports online over the past decade, warning them that their personal identification information might have been accessed," writes Tulsa World's Brian Barber. "The mailing cost the city $20,000, officials said."

"An additional $25,000 was spent on security consulting services to add protection measures to the website," FOX23 News reports.

"The third-party consultant had been hired to perform an assessment of the city's network for vulnerabilities," write NewsOn6.com's Dee Duren and Lacie Lowry. "The firm used an unfamiliar testing procedure that caused the City to believe its website had been compromised. 'We had to treat this like a cyber-attack because every indication initially pointed to an attack,' said City Manager Jim Twombly."

"The chief information officer who failed to determine that the hack was actually part of a penetration test has been placed on administrative leave with pay," writes Softpedia's Eduard Kovacs. "In the meantime, his position will be filled by Tulsa Police Department Captain Jonathan Brook."

Copyright 2012 QuinStreet Inc. By Jeff Goldman

5 Module Objectives

All the modules discussed so far concentrated on various penetration testing techniques specific to the respective element (web application, etc.), mechanism (IDS, firewall, etc.), or phase (reconnaissance, scanning, etc.). This module summarizes all the penetration tests. It helps you evaluate the security of an organization and also guides you in making your network or system more secure with its countermeasures. The module will familiarize you with:

- Security Assessments
- Vulnerability Assessments
- Penetration Testing
- Pre-Attack Phase
- Attack Phase
- Post-Attack Phase
- What Should be Tested
- ROI on Penetration Testing
- Types of Penetration Testing
- Common Penetration Testing Techniques
- Penetration Testing Deliverable Templates
- Pen Testing Roadmap
- Web Application Testing
- Outsourcing Penetration Testing Services

6 Module Flow

For a better understanding of penetration testing, this module is divided into the following sections:

- Pen Testing Concepts
- Types of Pen Testing
- Pen Testing Techniques
- Pen Testing Phases
- Pen Testing Roadmap
- Outsourcing Pen Testing Services

Let's begin with penetration testing concepts. This section starts with the basic concept of penetration testing. In this section, you will learn the role of penetration testing in the security assessment and why vulnerability assessment alone is not enough to detect and remove vulnerabilities in the network. Later in this section, you will examine why penetration testing is necessary, how to perform a good penetration test, how to determine testing points, testing locations, and so on.

7 Security Assessments

Every organization uses different types of security assessments to validate the level of security on its network resources. Organizations need to choose the assessment method that suits the requirements of their situation most appropriately. People conducting different types of security assessments must possess different skills. Therefore, pen testers, whether they are employees or outsourced security experts, must have thorough experience of penetration testing. Security assessment categories include security audits, vulnerability assessments, and penetration testing or ethical hacking.

Security Assessment Categories

The security assessment is broadly divided into three categories:

1. Security Audits: IT security audits typically focus on the people and processes used to design, implement, and manage security on a network. There is a baseline involved for processes and policies within an organization. In an IT security audit, the auditor uses that specific baseline together with the organization's security policies and procedures to audit the organization. IT management usually initiates IT security audits. The National Institute of Standards and Technology (NIST) has an IT security audit manual and associated toolset to conduct the audit; the NIST Automated Security Self-Evaluation Tool (ASSET) can be downloaded at sset/. In a computer security audit, the technical assessment of a system or application is done manually or automatically.

8 Security Assessment Categories (continued)

You can perform a manual assessment by using the following techniques:

- Interviewing the staff
- Reviewing application and operating system access controls
- Analyzing physical access to the systems

You can perform an automatic assessment by using the following techniques:

- Generating audit reports
- Monitoring and reporting the changes in the files

2. Vulnerability Assessments: A vulnerability assessment helps you identify security vulnerabilities. To perform a vulnerability assessment you should be a very skilled professional. Through proper assessment, threats from hackers (outsiders), former employees, internal employees, etc. can be determined.

3. Penetration Testing: Penetration testing is the act of testing an organization's security by simulating the actions of an attacker. It helps you determine various levels of vulnerabilities and to what extent an external attacker could damage the network, before it actually occurs.

9 Security Audit

A security audit is a systematic, measurable technical assessment of how the security policy is employed by the organization. A security audit is conducted to maintain the security level of the particular organization. It helps you identify attacks that pose a threat to the network or attacks against resources that are considered valuable in risk assessment. The security auditor is responsible for conducting security audits on the particular organization. The security auditor works with the full knowledge of the organization, at times with considerable inside information, in order to understand the resources to be audited.

- A security audit is a systematic evaluation of an organization's compliance with a set of established information security criteria.
- The security audit includes assessment of a system's software and hardware configuration, physical security measures, data handling processes, and user practices against a checklist of standard policies and procedures.
- A security audit ensures that an organization has and deploys a set of standard information security policies.
- It is generally used to achieve and demonstrate compliance with legal and regulatory requirements such as HIPAA, SOX, PCI-DSS, etc.

10 Vulnerability Assessment

A vulnerability assessment is a basic type of security assessment. This assessment helps you find known security weaknesses by scanning a network. With the help of vulnerability-scanning tools, you can search network segments for IP-enabled devices and enumerate systems, operating systems, and applications. Vulnerability scanners are capable of identifying device configurations including the OS version running on computers or devices, IP protocols and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports that are listening, and applications that are installed on computers. By using vulnerability scanners, you can also identify common security mistakes such as accounts that have weak passwords, files and folders with weak permissions, default services and applications that might need to be uninstalled, and mistakes in the security configuration of common applications. They can search for computers exposed to known or publicly reported vulnerabilities. The software packages that perform vulnerability scanning check the computer against the Common Vulnerabilities and Exposures (CVE) index and the security bulletins provided by the software vendor. The CVE is a vendor-neutral listing of reported security vulnerabilities in major operating systems and applications and is maintained at http://cve.mitre.org/.

Vulnerability scanners can test systems and network devices for exposure to common attacks. This includes common attacks such as the enumeration of security-related information and denial-of-service attacks. However, it must be noted that vulnerability scanning reports can expose weaknesses in hidden areas of applications and frequently include many false positives. Network administrators who analyze vulnerability scan results must have sufficient knowledge and experience with the operating systems, network devices, and applications being scanned and their roles in the network.

You can use two types of automated vulnerability scanners depending upon the situation: network-based and host-based. Network-based scanners attempt to detect vulnerabilities from the outside. They are normally launched from a remote system, outside the organization, and without authorized user access. For example, network-based scanners examine a system for such weaknesses as open ports, application security exploits, and buffer overflows. Host-based scanners usually require a software agent or client to be installed on the host. The client then reports the vulnerabilities it finds back to the server. Host-based scanners look for features such as weak file access permissions, poor passwords, and logging faults.
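As an added example (not code from the module), the following Python script shows the version-range matching against a CVE-style index that the text describes, and why such reports contain false positives when a distribution has backported a fix without changing the reported version. The inventory, the index entries and the CVE-style ids are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class CveEntry:
    cve_id: str          # constructed placeholder, not a real CVE identifier
    product: str
    fixed_in: str        # first version that carries the fix
    introduced_in: str = "0"


@dataclass(frozen=True)
class Installed:
    host: str
    product: str
    version: str
    # Fixes the distribution backported without changing the reported version.
    # A version-only scanner cannot see these, which is one source of false positives.
    backported_fixes: Tuple[str, ...] = ()


# Constructed stand-in for the vendor-neutral CVE index
CVE_INDEX: List[CveEntry] = [
    CveEntry("CVE-0000-0001", "httpd", fixed_in="2.4.50", introduced_in="2.4.49"),
    CveEntry("CVE-0000-0002", "openssh", fixed_in="8.5"),
    CveEntry("CVE-0000-0003", "openssh", fixed_in="9.3", introduced_in="9.0"),
]

# Constructed inventory, as a scanner would enumerate it from banners or a host agent
INVENTORY: List[Installed] = [
    Installed("web01", "httpd", "2.4.49"),
    Installed("web01", "openssh", "8.2", backported_fixes=("CVE-0000-0002",)),
    Installed("bastion", "openssh", "9.1"),
    Installed("db01", "openssh", "9.4"),
]


def is_affected(item: Installed, entry: CveEntry) -> bool:
    """Pure version-range match: introduced_in <= installed < fixed_in."""
    if item.product != entry.product:
        return False
    installed = parse_version(item.version)
    return parse_version(entry.introduced_in) <= installed < parse_version(entry.fixed_in)


def scan(inventory, index, trust_backports=False):
    """Return (host, product, version, cve_id) for every version match.

    With trust_backports=True the host's own record of backported fixes (data only
    a host-based agent has) is consulted, which clears the version-only false positives.
    """
    findings = []
    for item in inventory:
        for entry in index:
            if not is_affected(item, entry):
                continue
            if trust_backports and entry.cve_id in item.backported_fixes:
                continue
            findings.append((item.host, item.product, item.version, entry.cve_id))
    return findings


def false_positives(inventory, index):
    """Findings a version-only scan reports that host knowledge would clear."""
    naive = set(scan(inventory, index))
    informed = set(scan(inventory, index, trust_backports=True))
    return sorted(naive - informed)


if __name__ == "__main__":
    for finding in scan(INVENTORY, CVE_INDEX):
        print("version match:", finding)
    print("needs analyst review (backported fix):", false_positives(INVENTORY, CVE_INDEX))
```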

12 Limitations of Vulnerability Assessment

- The methodology used, as well as the diverse vulnerability scanning software packages, assess security differently.
- Vulnerability scanning software is limited in its ability to detect vulnerabilities at a given point in time.
- It does not measure the strength of security controls.
- It must be updated when new vulnerabilities are discovered or modifications are made to the software being used.

Vulnerability scanning software allows you to detect a limited set of vulnerabilities at a given point in time. As with any assessment software that requires its signature file to be updated, vulnerability scanning software must be updated when new vulnerabilities are discovered or modifications are made to the software being used. The vulnerability software is only as effective as the maintenance performed on it by the software vendor and by the administrator who uses it. Vulnerability scanning software itself is not immune to software engineering flaws that might lead to non-detection of serious vulnerabilities.

Another aspect to be noted is that the methodology used might have an impact on the result of the test. For example, vulnerability scanning software that runs under the security context of the domain administrator will yield different results than if it were run under the security context of an authenticated user or a non-authenticated user. Similarly, diverse vulnerability scanning software packages assess security differently and have unique features. This can influence the result of the assessment. Examples of vulnerability scanners include Nessus and Retina.

13 Introduction to Penetration Testing

This module marks a departure from the approach followed in earlier modules; here you will be encouraged to think "outside the box." Hacking as it was defined originally portrayed a streak of genius or brilliance in the ability to conjure previously unknown ways of doing things. In this context, to advocate a methodology that can be followed to simulate a real-world hack through ethical hacking or penetration testing might come across as a contradiction. Penetration testing is a process of evaluating the security of the network by trying all possible attack vectors as an attacker does. The reason behind advocating a methodology in penetration testing arises from the fact that most attackers follow a common underlying approach when it comes to penetrating a system. In the context of penetration testing, as a tester you will be limited by resources such as time, skilled resources, and access to equipment, as outlined in the penetration testing agreement. The paradox of penetration testing is the fact that the inability to breach a target does not necessarily indicate the absence of vulnerability. In other words, to maximize the returns from a penetration test, you must be able to apply your skills to the resources available in such a manner that the attack area of the target is reduced as much as possible.

A pen test simulates methods that intruders use to gain unauthorized access to an organization's networked systems and then compromise them. It involves using proprietary and open source tools to test for known and unknown technical vulnerabilities in networked systems. Apart from automated techniques, penetration testing involves manual techniques for conducting targeted testing on specific systems to ensure that there are no security flaws that may have gone undetected earlier.

The main purpose behind footprinting in a pen test is to gather data related to a target system or network and find out its vulnerabilities. You can perform this through various techniques such as DNS queries, network enumeration, network queries, operating system identification, organizational queries, ping sweeps, point of contact queries, port scanning, registrar queries, and so on.

15 Penetration Testing

Penetration testing goes a step beyond vulnerability scanning in the category of security assessments. With vulnerability scanning, you can only examine the security of individual computers, network devices, or applications, but penetration testing allows you to assess the security model of the network as a whole. Penetration testing can help you reveal the potential consequences of a real attacker breaking into the network to network administrators, IT managers, and executives. Penetration testing also reveals the security weaknesses that typical vulnerability scanning misses. A penetration test will not only point out vulnerabilities, it will also document how the weaknesses can be exploited and how several minor vulnerabilities can be escalated by an attacker to compromise a computer or network. Penetration testing must be considered an activity that shows the holes in the security model of an organization. Penetration testing helps organizations reach a balance between technical prowess and business functionality from the perspective of potential security breaches. This test can help you in disaster recovery and business continuity planning.

Most vulnerability assessments are carried out solely based on software and cannot assess security that is not related to technology. Both people and processes can be the source of security vulnerabilities as much as the technology can be. Using social engineering techniques, penetration tests can reveal whether employees routinely allow people without identification to enter company facilities where they would have physical access to computers. Practices such as patch management cycles can be evaluated. A penetration test can reveal process problems, such as not applying security updates until three days after they are released, which would give attackers a three-day window to exploit known vulnerabilities on servers.

You can differentiate a penetration tester from an attacker only by his or her intent and lack of malice. Therefore, employees or external experts must be cautioned against conducting penetration tests without proper authorization. Penetration testing that is not completed professionally can result in the loss of services and disruption of business continuity. Management needs to give written approval for penetration testing. This approval should include a clear scope, a description of what will be tested, and when the testing will take place. Because of the nature of penetration testing, failure to obtain this approval might result in committing a computer crime, despite the best intentions.
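The patch-window finding above can be measured rather than estimated. As an added example (not from the module), this Python script turns constructed patch-management log lines and vendor release dates into per-host exposure windows, flags those longer than a policy limit (the text's three days is assumed as the limit), and lists patches never installed; the patch ids, hosts and dates are all constructed.

```python
from datetime import date, datetime
from typing import Dict, List, Tuple

# Policy limit in days; the text's three-day gap is used as the assumed threshold.
POLICY_MAX_DAYS = 3

# Constructed vendor advisory release dates (patch id -> release date)
RELEASES: Dict[str, date] = {
    "PATCH-EXAMPLE-1": date(2012, 10, 2),
    "PATCH-EXAMPLE-2": date(2012, 10, 9),
}

# Constructed patch-management log: "<ISO date> <host> installed <patch id>"
PATCH_LOG = """\
2012-10-03 web01 installed PATCH-EXAMPLE-1
2012-10-09 db01 installed PATCH-EXAMPLE-1
2012-10-10 web01 installed PATCH-EXAMPLE-2
"""


def parse_log(text: str) -> List[Tuple[str, str, date]]:
    """Parse log lines into (host, patch_id, install_date); malformed lines raise."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, host, verb, patch_id = line.split()
        if verb != "installed":
            raise ValueError(f"unexpected log line: {line!r}")
        events.append((host, patch_id, datetime.strptime(when, "%Y-%m-%d").date()))
    return events


def exposure_windows(events, releases) -> Dict[Tuple[str, str], int]:
    """Days each host ran with a publicly known vulnerability before the patch landed."""
    windows = {}
    for host, patch_id, installed in events:
        if patch_id not in releases:
            raise KeyError(f"no release date known for {patch_id}")
        windows[(host, patch_id)] = (installed - releases[patch_id]).days
    return windows


def policy_violations(windows, limit=POLICY_MAX_DAYS):
    """(host, patch_id, days) for every window longer than the policy allows."""
    return sorted((h, p, d) for (h, p), d in windows.items() if d > limit)


def missing_patches(events, releases):
    """Hosts that never logged a given patch: an exposure window that is still open."""
    hosts = sorted({host for host, _, _ in events})
    seen = {(host, patch_id) for host, patch_id, _ in events}
    return sorted((h, p) for h in hosts for p in releases if (h, p) not in seen)


if __name__ == "__main__":
    events = parse_log(PATCH_LOG)
    windows = exposure_windows(events, RELEASES)
    print("exposure windows:", windows)
    print("over policy:", policy_violations(windows))
    print("never installed:", missing_patches(events, RELEASES))
```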

17 Why Penetration Testing?

Penetration testing plays a vital role in evaluating and maintaining the security of a system or network. It helps you find loopholes by deploying attacks. It includes both script-based testing and human-based testing on networks. A penetration test not only reveals network security holes, but also provides a risk assessment. Let's see what you can do with the help of penetration testing:

- You can identify the threats facing an organization's information assets.
- You can reduce an organization's IT security costs and provide a better Return On Security Investment (ROSI) by identifying and resolving vulnerabilities and weaknesses.
- You can provide an organization with assurance: a thorough and comprehensive assessment of organizational security covering policy, procedure, design, and implementation.
- You can gain and maintain certification to an industry regulation (BS7799, HIPAA, etc.).
- You can adopt best practices by conforming to legal and industry regulations.
- You can test and validate the efficiency of security protections and controls.
- It focuses on high-severity vulnerabilities and emphasizes application-level security issues to development teams and management.
- It provides a comprehensive approach of preparation steps that can be taken to prevent upcoming exploitation.
- You can evaluate the efficiency of network security devices such as firewalls, routers, and web servers.
- You can use it for changing or upgrading the existing infrastructure of software, hardware, or network design.

19 Comparing Security Audit, Vulnerability Assessment, and Penetration Testing

Although a lot of people use the terms security audit, vulnerability assessment, and penetration test interchangeably to mean security assessment, there are considerable differences between them.

Security Audit: A security audit just checks whether the organization is following a set of standard security policies and procedures.

Vulnerability Assessment: A vulnerability assessment focuses on discovering the vulnerabilities in the information system but provides no indication of whether the vulnerabilities can be exploited or the amount of damage that may result from the successful exploitation of the vulnerability.

Penetration Testing: Penetration testing is a methodological approach to security assessment that encompasses the security audit and vulnerability assessment and demonstrates whether the vulnerabilities in the system can be successfully exploited by attackers.

TABLE 20.1: Comparison between Security Audit, Vulnerability Assessment, and Penetration Testing

20 What Should be Tested?

An organization should conduct a risk assessment before the penetration testing that will help to identify the main threats, such as:

- Communications failure and e-commerce failure
- Public-facing systems: websites, email gateways, and remote access platforms
- FTP, IIS, and web servers
- Loss of confidential information
- Mail, DNS, firewalls, and passwords

Note: Testing should be performed on all hardware and software components of a network security system.

It is always ideal to conduct a vulnerability assessment in an organization so that various potential threats can be known well before they occur. You can test various network or system components for security vulnerabilities, such as:

- Communication failure
- E-commerce failure
- Loss of confidential information
- Public-facing systems: websites
- Email gateways
- Remote access platforms
- Mail
- DNS
- Firewalls
- Passwords
- FTP
- IIS
- Web servers

21 What Makes a Good Penetration Test?

Consider the following factors to perform a good penetration test:

- Establish the parameters for the penetration test, such as objectives, limitations, and the justification of procedures. Establishing these parameters helps you know the purpose of conducting the penetration test.
- Hire skilled and experienced professionals to perform the test. If the penetration test is not done by skilled and experienced professionals, there is a chance of damaging live data, and more harm than benefit can result.
- Choose a suitable set of tests that balances cost and benefits.
- Follow a methodology with proper planning and documentation. It is very important to document the test at each phase for further reference.
- Document the results carefully and make them comprehensible for the client.
- State the potential risks and findings clearly in the final report.

ROI on Penetration Testing

Demonstrate the ROI of a pen test with a business case scenario that includes the expenditure and the profits involved. Companies will spend on a pen test only if they understand its benefits.

ROI (return on investment) is a traditional financial measure. It estimates the business result of a future investment from historical data. Three measures are commonly used:

- Payback period: the time taken to recover the amount invested in a particular project.
- Net present value: future benefits expressed in today's money by discounting them.
- Internal rate of return: the discount rate at which the net present value of the project's cash flows is zero; the higher it is, the better the investment.

So whenever a penetration test is planned, a company weighs the benefits associated with it against the costs to be incurred: the cost of the test itself and the cost of hiring skilled professionals. Penetration testing should be conducted with all of this in view and through proper planning.

Penetration testing helps companies identify, understand, and address vulnerabilities before an attacker exploits them. That saves them a lot of money, and that saving is the ROI.


Testing Points

Organizations have to reach a consensus on the extent of information that can be divulged to the testing team in order to determine the starting point of the test.

Every penetration test has a start point and an end point, whether it is a zero-knowledge or a partial-knowledge test. How does a pen test team or an organization determine them? While providing the team with information such as the exact configuration of the firewall used by the target network may speed up the testing, it can also work negatively by giving the testers an unrealistic advantage. If the objective of the penetration effort is to find as many vulnerabilities as possible, it might be a good idea to opt for white-box testing and share as much information as possible with the testers; this helps detect hidden vulnerabilities that otherwise go unnoticed because of obscurity. On the other hand, if the purpose of the test is to evaluate the effectiveness of the organization's security posture irrespective of any "security by obscurity" measures, withholding information gives more realistic results. Likewise, handing over highly sensitive information, such as the names and user IDs of system administrators, may defeat the purpose of a comprehensive pen test. A balance must therefore be struck between helping the testing team conduct its test faster and providing a more realistic testing environment by restricting information.
Some organizations may choose to have the initial pen test audited by a second pen test team so that there is third-party assurance on the results obtained.

Testing Locations

The pen test team may have a choice of doing the test either remotely or on-site. A remote assessment may simulate an external hacker attack; however, it may miss assessing internal defenses. An on-site assessment may be expensive and may not simulate an external threat exactly.

The penetration test team may have a preference on the location from which it probes the network. Alternatively, the organization may want the network assessed from a remote location. If the pen test team is based overseas, an on-site assessment may be more expensive than a remote one.

The location of the assessment influences the test results. Testing over the Internet may provide a more realistic test environment; however, the team may learn little if there is a well-configured perimeter firewall and robust web application defenses. A purely external assessment cannot test the additional inner network defenses put in place to guard against an internal intruder.

Sometimes the organization's network is dispersed geographically across locations and contains many systems. In this case, the organization may choose to prioritize locations, or the team may choose locations depending on critical applications. If a complete-knowledge test is being undertaken, the pen test team can undertake an asset audit to determine which systems are critical to the business and plan the test accordingly.

Module Flow

So far, we have discussed various pen testing concepts. Depending on the scope of the engagement and the time available for the test, the tester chooses the appropriate type of penetration testing; the choice also depends on the type of resources to be protected against attacks. Next, we discuss the various types of pen testing.

- Pen Testing Concepts
- Types of Pen Testing
- Pen Testing Techniques
- Pen Testing Phases
- Pen Testing Roadmap
- Outsourcing Pen Testing Services

In this section, you will learn about the different types of penetration testing: external and internal testing; black-box, gray-box, and white-box testing; announced and unannounced testing; and automated and manual testing.

Types of Penetration Testing

Penetration testing is broadly divided into two types:

External Testing

External penetration testing is the conventional approach. It focuses on the servers, infrastructure, and underlying software of the target as seen from outside, and involves analysis of publicly available information, a network enumeration phase, and analysis of the behavior of the security devices. It may be performed with no prior knowledge of the site (black box) or with full disclosure of the topology and environment (white box).

Internal Testing

Internal testing tests the computers and devices within the company. It uses methods similar to external testing and gives a more complete view of security. Testing is performed from several network access points, representing each logical and physical segment.

It is critical to note that, whatever the approach, information security is an ongoing process and a penetration test only gives a snapshot of the organization's security posture at a given point in time.

Either type of test is further characterized by how much knowledge is shared with the testers and whether the staff are told in advance:

- Black-hat (black-box) testing / zero-knowledge testing
- Gray-hat (gray-box) testing / partial-knowledge testing
- White-hat (white-box) testing / complete-knowledge testing
- Announced testing
- Unannounced testing

External Penetration Testing

External penetration testing involves a comprehensive analysis of the company's externally visible servers and devices. It is the traditional approach to penetration testing. Its goal is to demonstrate the existence of known vulnerabilities that could be exploited by an external attacker. It can be performed without prior knowledge of the target or with full disclosure of the target's topology and environment, and it helps the testers check whether the systems are properly managed and kept up to date, protecting the business from information loss and disclosure.

A pen tester conducts an external penetration test to determine the external threats to the network or system. The attacker modelled here holds no credentials and no rights on any target system. The main aim is to identify potential weaknesses in the security of the target network. External testing focuses on the servers, infrastructure, and underlying software pertaining to the target. It may be performed with no prior knowledge of the site (black box) or with full disclosure of the topology and environment (white box).

This type of testing includes a comprehensive analysis of publicly available information about the target, a network enumeration phase in which target hosts are identified and analyzed, and analysis of the behavior of security devices such as screening and network-filtering devices. Vulnerabilities are then identified and verified, and their implications assessed.

Internal Security Assessment

Internal penetration testing focuses on the company's internal resources such as DMZs, network connections, and application services, and on a comprehensive analysis of the threats and risks that arise within the company. Its goal is to demonstrate the exposure of information or other organizational assets to an unauthorized user. An internal security assessment follows a methodology similar to external testing but provides a more complete view of the site's security.

A pen tester conducts internal penetration testing to determine whether someone already inside the network can reach systems by misusing user privileges, and to identify the weaknesses of the computer systems inside that network. The main purpose is to find the vulnerabilities inside the network, and the risks associated with them are carefully checked. The exploitation is modelled on a hacker who has gained a foothold, a malicious employee, and so on.

- Testing is performed from a number of network access points, representing each logical and physical segment.
- For example, this may include tiers and DMZs within the environment, the corporate network, or partner company connections.

Black-box Penetration Testing

In black-box testing, the pen tester carries out the test without any prior knowledge of the target. To simulate real-world attacks and minimize false positives, testers can choose to undertake black-hat testing (a zero-knowledge attack, with no information or assistance from the client) and map the network while discreetly enumerating services, shared file systems, and operating systems. Additionally, the tester can undertake war dialing to detect listening modems and war driving to discover vulnerable access points, if this is legal and within the scope of the project.

Black-box pen testing in summary:

- It requires no prior knowledge of the infrastructure to be tested.
- The penetration test must be carried out after extensive information gathering and research.
- It takes a considerable amount of time to discover the nature of the infrastructure and how it connects and interrelates.
- You are given only a company name.
- The test simulates the process a real attacker goes through.
- It is a time-consuming and expensive type of test.

Gray-box Penetration Testing

In a gray-box test, the tester usually has limited knowledge of the target. It is performed mostly when a penetration tester starts a black-box test on well-protected systems and finds that a little prior knowledge is required to conduct a thorough review. Applied to application security, it tests for all the vulnerabilities that a hacker may find and exploit.

In gray-box penetration testing, the test is conducted with limited knowledge of the infrastructure, defense mechanisms, and communication channels of the target. It simulates attacks performed by an insider or an outsider with limited access privileges. Organizations prefer to give the pen testers partial information that attackers could find anyway, such as the domain name servers; this saves the organization time and expense. In gray-box testing, pen testers may also interact with system and network administrators.

White-box Penetration Testing

Complete knowledge of the infrastructure to be tested is provided. This test simulates the actions of the company's employees. The information provided includes:

- Company infrastructure
- IP address, firewall, and IDS details
- Company policies, do's and don'ts

In white-box penetration testing, the test is conducted with full knowledge of the infrastructure, defense mechanisms, and communication channels of the target. It simulates an insider attacker who has full privileges and unlimited access to the target system. This type of test is conducted when the organization needs to assess its security against a specific kind of attack or on a specific target. The complete information about the target is given to the pen testers; it can include network topology documents, asset inventory, and valuation information. Typically, an organization opts for this when it wants a complete audit of its security.

Announced/Unannounced Testing

Announced testing:
- Is an attempt to compromise systems on the client network with the full cooperation and knowledge of the IT staff
- Examines the existing security infrastructure for possible vulnerabilities
- Involves the security staff on the penetration testing team to conduct audits

Unannounced testing:
- Is an attempt to compromise systems on the client network without the knowledge of the IT security personnel
- Allows only upper management to be aware of the test
- Examines the security infrastructure and the responsiveness of the IT staff

Announced testing is an attempt to access and retrieve pre-identified flag file(s) or to compromise systems on the client network with the full cooperation and knowledge of the IT staff. Such testing examines the existing security infrastructure and individual systems for possible vulnerabilities. Creating a team-oriented environment in which members of the organization's security staff are part of the penetration team allows for a targeted attack against the most worthwhile hosts.

Unannounced testing is an attempt to access and retrieve pre-identified flag file(s) or to compromise systems on the client network with the awareness of only the upper levels of management. Such testing examines both the existing security infrastructure and the responsiveness of the staff. If intrusion detection and incident response plans have been created, this type of test will identify any weaknesses in their execution. Unannounced testing therefore tests the organization's security procedures in addition to the security of the infrastructure.

In both cases, the IT representative who would normally report security breaches to legal authorities should be aware of the test, to prevent escalation to law enforcement.

Automated Testing

Automated testing can save time and cost over the long term; however, it cannot replace an experienced security professional. Tools can have a steep learning curve and may need frequent updating to be effective. Automated testing gives no scope for testing architectural elements. As with vulnerability scanners, there can be both false positives and false negatives.

Instead of relying on security experts, some organizations and security-testing firms prefer to automate their security assessments. A security tool is run against the target and the security posture is assessed. The tool attempts to replicate the attacks that intruders are known to use, much as a vulnerability scanner does, and based on the success or failure of these attacks it reports security vulnerabilities. However, a thorough security assessment also includes elements of architectural review, security policy, firewall rule-base analysis, application testing, and general benchmarking. Automated testing is generally limited to external penetration testing using the black-box approach and does not let an organization profit completely from the exercise. As an automated process, it leaves no room for policy or architectural elements in the testing, and it may need to be supplemented by a security professional's expertise.

One advantage attributed to automated testing is that it reduces the volume of traffic required for each test. This gives the impression that the organization can keep serving its customers at the same overhead. Organizations need to evaluate whether this really serves the purpose of the test. A non-automated security assessment will always be more flexible to an organization's requirements and, because it takes into account other areas such as security architecture and policy, more cost effective, and it will most likely be more thorough. In addition, testing at frequent intervals lets the consultants explain to the management of the organization and to technical audiences what they have discovered, the processes they used, and the ramifications of their recommendations. Presenting the findings in person also helps the IT security department make the case for the budget it needs.

Manual Testing

Manual testing is the best option for an organization that wants to benefit from the experience of a security professional. The objective of the professional is to assess the organization's security posture from an attacker's perspective. A manual approach requires planning, test design, scheduling, and diligent documentation to capture the results of the testing process.

Several organizations choose a manual assessment of their security to benefit from the experience of a seasoned security professional, whose objective is to assess the security posture from an attacker's perspective. Under the manual approach, the professional attempts to unearth holes in the organization's security model by approaching it methodically. The phases of testing can involve basic information gathering, social engineering, scanning, vulnerability assessment, exploiting vulnerabilities, and so on. A manual approach requires planning, test design and scheduling, and diligent documentation to capture the results of the testing process in their entirety. Documentation plays a significant role in judging how well the team has assessed the organization's security posture. Some organizations choose to have their own internal team do the manual assessment while an external agency audits it at the same time; others have a second external team audit the findings of the first. The rules of engagement and the expected deliverables should be clearly defined.

In the long term, management benefits more from a manual approach, as the team can explain the gravity of the situation from an unbiased viewpoint and make recommendations on improving the security posture.

Module Flow

Now that you are familiar with pen testing concepts and the types of penetration testing, we move on to penetration testing techniques. This section covers the common techniques.

- Pen Testing Concepts
- Types of Pen Testing
- Pen Testing Techniques
- Pen Testing Phases
- Pen Testing Roadmap
- Outsourcing Pen Testing Services

Common Penetration Testing Techniques

The following are a few common techniques used in penetration testing:

Passive research
Passive research gathers information about an organization's system configuration from public-domain sources such as DNS records, name registries, ISP looking-glass servers, Usenet newsgroups, and so on, without sending any traffic to the target itself.

Open source monitoring
Open source monitoring watches the same public sources on an ongoing basis for information about the organization that an attacker could use, so that the organization can take the steps needed to protect its confidentiality and integrity.

Network mapping and OS fingerprinting
Network mapping and OS fingerprinting give an idea of the configuration of the whole network being tested: which hosts are present, which services they offer, and, from the way each host's protocol stack responds to probes, which operating system it runs.

Spoofing
Spoofing is an attempt by someone or something to masquerade as someone else; for example, one machine pretends to be another by forging the source address of its packets. It is used in both internal and external penetration tests.

Network sniffing
Network sniffing captures data as it travels across a network, for example to recover credentials sent in clear text.

Trojan attacks
A Trojan attack installs a Trojan (malicious software) on the victim's system. Trojans are usually sent into a network as email attachments or transferred via instant message into chat rooms, and they also arrive on removable media such as a CD-ROM or through a web browser download.

Brute-force attacks
Brute force is the most commonly known password-cracking method, and it can overload a system until it stops responding to legitimate requests. Session IDs can be guessed the same way: the attacker tries candidate IDs until one matches a live session. An attacker on a DSL line can try up to 1,000 session IDs per second. The technique works only when the algorithm that produces the session IDs is not random.

Vulnerability scanning
Vulnerability scanning discovers weaknesses in a security system so that they can be improved or repaired before a breach occurs. It is a comprehensive examination of the targeted areas of an organization's network infrastructure.

Scenario analysis
Scenario analysis helps in dealing with uncertainties. It is the final phase of testing and makes the risk assessment of vulnerabilities much more accurate.
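The session-ID brute force described above, as an added example that is not part of the CEH courseware: a constructed session store issues IDs either from a weak counter-based generator or from the OS CSPRNG, and a constructed attacker who holds three of its own sessions infers the stride and walks neighbouring IDs until one belongs to another user. The generator, the stride value, the user names and the attempt budget are all assumptions made for the demonstration.

```python
"""Session-ID guessing: weak sequential generator versus a random one.

Added example, not from the CEH courseware. Everything here (the session
store, the weak generator, the attacker) is constructed to show that the
brute-force technique only pays off when the ID algorithm is predictable.
"""
import secrets
from typing import Dict, List, Optional, Tuple


class SessionStore:
    """Minimal server-side session table: session ID -> user name."""

    def __init__(self) -> None:
        self.live: Dict[str, str] = {}

    def issue(self, session_id: str, user: str) -> str:
        self.live[session_id] = user
        return session_id

    def lookup(self, session_id: str) -> Optional[str]:
        return self.live.get(session_id)


class WeakGenerator:
    """Constructed weak scheme: a counter advanced by a fixed stride, hex-encoded.
    Anyone holding three consecutive IDs can recover the stride and walk the rest."""

    def __init__(self, start: int = 0x1000, stride: int = 7) -> None:
        self.counter = start
        self.stride = stride

    def next_id(self) -> str:
        self.counter += self.stride
        return f"{self.counter:08x}"


def strong_id() -> str:
    """Sound scheme: 128 random bits from the OS CSPRNG."""
    return secrets.token_hex(16)


def infer_stride(observed: List[str]) -> int:
    """Recover the increment from three or more IDs issued to the attacker.
    Returns 0 when the differences disagree, i.e. the IDs are not sequential."""
    values = [int(s, 16) for s in observed]
    diffs = {b - a for a, b in zip(values, values[1:])}
    return diffs.pop() if len(diffs) == 1 and len(values) >= 3 else 0


def brute_force(store: SessionStore, observed: List[str], attacker: str,
                budget: int) -> Tuple[Optional[str], int]:
    """Submit candidate IDs until one maps to a user other than the attacker.
    Returns (hijacked_id, attempts_used); hijacked_id is None on failure."""
    stride = infer_stride(observed)
    width = len(observed[-1])
    if stride == 0:
        # No pattern: blind random guessing, hopeless against 128-bit IDs
        candidates = (secrets.token_hex(width // 2) for _ in range(budget))
    else:
        # Walk outward from the attacker's newest ID: +1, -1, +2, -2, ... strides
        base = int(observed[-1], 16)
        candidates = (f"{base + stride * k:0{width}x}"
                      for n in range(1, budget // 2 + 1) for k in (n, -n))
    attempts = 0
    for cand in candidates:
        attempts += 1
        owner = store.lookup(cand)
        if owner is not None and owner != attacker:
            return cand, attempts
        if attempts >= budget:
            break
    return None, attempts


def simulate(weak: bool, budget: int = 2000) -> Tuple[Optional[str], int]:
    """A victim logs in, then the attacker logs in three times, then attacks."""
    store = SessionStore()
    gen = WeakGenerator()
    make = gen.next_id if weak else strong_id
    store.issue(make(), "victim")
    mine = [store.issue(make(), "attacker") for _ in range(3)]
    return brute_force(store, mine, "attacker", budget)


if __name__ == "__main__":
    print("weak generator  :", simulate(True))   # victim's session found within a few tries
    print("strong generator:", simulate(False))  # budget exhausted, nothing found
```

Against the weak generator the victim's session is found on the sixth attempt; against the random generator the whole budget is spent for nothing, and at the 1,000 guesses per second quoted above a 128-bit space would take longer than the age of the universe. The defence is therefore not rate limiting alone but an unpredictable ID from a cryptographic random source.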

Using DNS Domain Name and IP Address Information

Data from the DNS servers related to the target network can be used to map the target organization's network. The organization's IP block can be discerned by looking up the domain name, and contact information for personnel can be obtained the same way. The DNS records also provide some valuable information about the OS or applications running on the servers.

DNS zones can be analyzed for information about the target organization's network: server host names, services offered by particular servers, IP addresses, and contact data for members of the IT staff. Attackers have been known to use software that is freely available to the general public to build well-organized network diagrams of the target from this data. IP address data for a particular system can be obtained from the DNS zone or from the American Registry for Internet Numbers (ARIN); alternatively, port-scanning software can be used to deduce the target organization's network layout. By examining the DNS records, you get a good understanding of where the target network's servers are located and of the OS or applications they run.
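The DNS analysis described above, as an added example that is not part of the CEH courseware: a small parser reads zone records and turns them into the per-host inventory and IP-block map a tester draws from them. The example.test zone below is constructed for the demonstration (the host names, addresses, HINFO and SPF records are all invented), and nothing here queries a real DNS server; on a real engagement the same records come from a permitted zone transfer or from individual lookups.

```python
"""Mapping a target network from DNS records.

Added example, not from the CEH courseware. SAMPLE_ZONE is a constructed
example.test zone chosen to show what DNS gives away: host names, the IP
blocks in use, mail/name/service hosts, and OS or application hints.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed zone data in BIND zone-file form (owner, class, type, rdata); no TTL fields
SAMPLE_ZONE = """\
example.test.           IN SOA   ns1.example.test. hostmaster.example.test. 2024010101 3600 900 604800 300
example.test.           IN NS    ns1.example.test.
example.test.           IN NS    ns2.example.test.
example.test.           IN MX    10 mail.example.test.
ns1.example.test.       IN A     203.0.113.10
ns2.example.test.       IN A     203.0.113.11
mail.example.test.      IN A     203.0.113.25
www.example.test.       IN A     203.0.113.80
www.example.test.       IN HINFO "INTEL-X86" "WINDOWS-2008"
ftp.example.test.       IN A     203.0.113.21
vpn.example.test.       IN A     198.51.100.5
_sip._tcp.example.test. IN SRV   10 5 5060 voip.example.test.
voip.example.test.      IN A     198.51.100.20
mail.example.test.      IN TXT   "v=spf1 ip4:203.0.113.25 include:relay.provider.test -all"
"""

# Service guesses from conventional host labels (an assumption, not a protocol fact)
LABEL_HINTS = {"www": "web", "mail": "smtp", "ftp": "ftp", "ns": "dns",
               "vpn": "remote-access", "voip": "sip"}


def parse_zone(text: str) -> List[Tuple[str, str, List[str]]]:
    """Split each 'owner IN type rdata...' line into (owner, type, rdata tokens)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "IN":
            continue
        records.append((parts[0].rstrip("."), parts[2], parts[3:]))
    return records


def build_map(records):
    """Per-host view (IPs, services, OS/app hints) plus the /24 blocks the target occupies."""
    hosts = defaultdict(lambda: {"ips": [], "services": set(), "hints": []})
    for owner, rtype, rdata in records:
        if rtype == "A":
            hosts[owner]["ips"].append(rdata[0])
            label = owner.split(".")[0].rstrip("0123456789")  # ns1 -> ns
            if label in LABEL_HINTS:
                hosts[owner]["services"].add(LABEL_HINTS[label])
        elif rtype == "MX":                       # rdata: preference target
            hosts[rdata[1].rstrip(".")]["services"].add("smtp")
        elif rtype == "NS":
            hosts[rdata[0].rstrip(".")]["services"].add("dns")
        elif rtype == "SRV":                      # owner _service._proto; rdata: prio weight port target
            svc = owner.split(".")[0].lstrip("_")
            hosts[rdata[3].rstrip(".")]["services"].add(f"{svc}/{rdata[2]}")
        elif rtype == "HINFO":                    # CPU and OS strings, straight from the zone
            hosts[owner]["hints"].append("HINFO " + " ".join(t.strip('"') for t in rdata))
        elif rtype == "TXT":                      # SPF and similar often name third-party relays
            hosts[owner]["hints"].append("TXT " + " ".join(rdata).strip('"'))
    blocks: Dict[str, set] = defaultdict(set)
    for name, info in hosts.items():
        for ip in info["ips"]:
            blocks[str(ipaddress.ip_network(f"{ip}/24", strict=False))].add(name)
    return dict(hosts), {k: sorted(v) for k, v in blocks.items()}


def report(text: str = SAMPLE_ZONE):
    return build_map(parse_zone(text))


if __name__ == "__main__":
    hosts, blocks = report()
    for block, names in sorted(blocks.items()):
        print(block, "->", ", ".join(names))
    for name, info in sorted(hosts.items()):
        print(f"{name}: {info['ips']} services={sorted(info['services'])} hints={info['hints']}")
```

Even this toy zone yields two address blocks to probe, the mail and VoIP entry points, a Windows web server named outright by its HINFO record, and an external mail relay disclosed by SPF. The /24 grouping is a convenience for the diagram; the true allocation is confirmed with the registry (ARIN) lookup mentioned above.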

Enumerating Information about Hosts on Publicly Available Networks

With the IP addresses obtained in the preceding step, the pen-test team can outline the network to explore possible points of entry from the perspective of an attacker. Testers achieve this by analyzing all data about the hosts that the target organization exposes to the Internet. They can use port-scanning tools and IP protocols, and they can listen on TCP/UDP ports. Port scans will also reveal information about hosts, such as the operating system currently running on the system and other applications. An effective port-scanning tool can also help to deduce how the router and firewall IP filters are configured.

The testing team can then visualize a detailed network diagram of what can be publicly accessed. Additionally, the effort can reveal screened subnets and a comprehensive list of the types of traffic that are allowed in and out of the network. Website crawlers can mirror entire sites and allow the testing group to check for faulty source code or inadvertent inclusions of sensitive information.

Many times, organizations have posted information on their websites that is not intended for use by the public. If the rules of engagement permit, the pen-test team may purchase research reports on the organization that are available for sale and use the information therein for compromising the security of the target organization. These can include covert means, such as social engineering, as well. It is necessary to point out that prior approval from management is a critical aspect to be considered before indulging in such activities.

Module Flow

Pen testing is conducted in three phases for discovering the vulnerabilities or weaknesses in an organization's systems. The three phases are the pre-attack phase, the attack phase, and the post-attack phase.

- Pen Testing Concepts
- Types of Pen Testing
- Pen Testing Techniques
- Pen Testing Phases
- Pen Testing Roadmap
- Outsourcing Pen Testing Services

This section highlights the three phases of pen testing.

Phases of Penetration Testing

There are three phases of penetration testing.

Pre-attack Phase

This phase is focused on gathering as much information as possible about the target organization or network to be attacked. This can be non-invasive or invasive.

Attack Phase

The information gathered in the pre-attack phase forms the basis of the attack strategy. Before deciding on the attack strategy, the tester may choose to carry out an invasive information gathering process such as scanning.

Post-attack Phase

This is a crucial part of the testing process, as the tester needs to restore the network to its original state. This involves cleanup of testing processes and removal of vulnerabilities created (not those that existed originally), exploits crafted, etc.

Pre-attack Phase: Define Rules of Engagement (ROE)

Rules of engagement (ROE) are the formal permission to conduct penetration testing: the guidelines and constraints on how the test is executed. They should be developed and presented before the penetration test is conducted. ROE provide "top-level" guidance for conducting the penetration test and give the pen tester authority to conduct the defined activities without the need for additional permissions. ROE also help pen testers to overcome legal, federal, and policy-related restrictions on using different penetration testing tools and techniques.

Pre-attack Phase: Understand Customer Requirements

Once the ROE are defined, the second step in the pre-attack phase is to clearly understand the customer requirements, i.e., what the customer expects from the penetration test. Before proceeding with the penetration testing, a pen tester should identify what needs to be tested in the target organization. To clearly identify the customer requirements, do the following:

- Create a checklist of testing requirements
- Identify the time frame and testing hours
- Identify who will be involved in the reporting and document delivery

Prepare the checklist of the items that need to be tested in the target organization as shown in the following figure:

Items to be Tested

- Servers: Yes / No
- Workstations: Yes / No
- Routers: Yes / No
- Firewalls: Yes / No
- Networking devices: Yes / No
- Cabling: Yes / No
- Databases: Yes / No
- Applications: Yes / No
- Physical security: Yes / No
- Telecommunications: Yes / No

FIGURE: Checklist of the items that need to be tested

Pre-attack Phase: Create a Checklist of the Testing Requirements

To collect the penetration test requirements from the customer, ask the customer the following questions. The answers to these questions will help you to define the scope of the test.

- Do you have any security-related policies and standards? If so, do you want us to review them?
- What is the network layout (segments, DMZs, IDS, IPS, etc.)?
- Does the client organization require analysis of its Internet presence?
- Does the organization need a physical security assessment?
- What is the IP address configuration for internal and external network connections?
- Does the organization require pen testing of networking devices such as routers and switches?
- Does the organization require pen testing of individual hosts?
- How many networking devices exist on the client's network?

Pre-attack Phase: Create a Checklist of the Testing Requirements (Cont'd)

The following are a few more questions that you should ask the customer to complete the checklist of penetration testing requirements:

- What security controls are deployed across the organization?
- Does the organization require assessment of wireless networks?
- Does the organization require assessment of analog devices in the network?
- Does the organization deploy a mobile workforce? If so, is a mobile security assessment required?
- What are the web applications and services offered by the client?
- Does the organization require the assessment of its web infrastructure?
- What workstation and server operating systems are deployed across the organization?

Pre-attack Phase: Define the Pen-testing Scope

You should define the scope of your penetration test explicitly and in writing. This will help you to identify what needs to be tested in the target organization and to develop the procedure for testing a particular component once it is identified. It also helps you to identify limitations, i.e., what should not be tested. The components covered by a pen test depend on the client's operating environment, threat perception, security and compliance requirements, ROE, and budget.

The following are the possible areas in the scope of a penetration test:

- Network Security
- System Software Security
- Client-side Application Security
- Server-side Application Security
- Social Engineering
- Application Communication Security
- Physical Security
- Dumpster Diving
- Inside Accomplices
- Sabotage
- Intruder Confusion
- Intrusion Detection
- Intrusion Response

Pre-attack Phase: Sign Penetration Testing Contract

Once the requirements and scope of the penetration test are confirmed with the client, you need to sign a contract with the company to conduct the penetration test. This contract must be drafted by a lawyer and duly signed by the penetration tester and the company. The contract should clearly state the following terms and conditions:

- Non-disclosure clause
- Objective of the penetration test
- Fees and project schedule
- Sensitive information
- Confidential information
- Indemnification clause
- Reporting and responsibilities

Pre-attack Phase: Sign Confidentiality and Non-Disclosure (NDA) Agreements

As a pen tester, you will also need to sign Confidentiality and Non-Disclosure (NDA) Agreements to maintain the confidentiality of the company's sensitive information. Many documents and other information regarding the pen test contain critical information that could damage one or both parties if disclosed to other parties. Both parties (pen tester and company) should agree on and duly sign the terms and conditions included in the Confidentiality and Non-Disclosure (NDA) Agreements before conducting the penetration test. The agreements are designed to be used by both parties to protect sensitive information from disclosure.

The following are the advantages of signing Confidentiality and Non-Disclosure (NDA) Agreements:

- They ensure that the company's information will be treated confidentially.
- They also help to provide cover for a number of other key areas, such as negligence and liability, in the event of something untoward happening during the pen test.

Pre-attack Phase: Sign Confidentiality and Non-Disclosure (NDA) Agreements (Cont'd)

The Confidentiality and Non-Disclosure Agreements document is a powerful tool. Once you sign the NDA agreement, the company has the right to file a lawsuit against you if you disclose the information to a third party, whether intentionally or unintentionally. The following points should be considered while crafting Confidentiality and Non-Disclosure (NDA) Agreements:

- Both parties bear responsibility to protect tools, techniques, vulnerabilities, and information from disclosure beyond the terms specified by a written agreement.
- Non-disclosure agreements should be narrowly drawn to protect sensitive information.
- Specific areas to consider include:
  - Ownership
  - Use of the evaluation reports
  - Results; use of the testing methodology in customer documentation

Pre-attack Phase: Information Gathering

The pre-attack phase addresses the mode of the attack and the goals to be achieved. Reconnaissance is considered the first step in the pre-attack phase and is an attempt to locate, gather, identify, and record information about the target. An attacker seeks to find out as much information as possible about the victim. Attackers gather information in different ways that allow them to formulate a plan of attack. There are two types of reconnaissance:

Passive reconnaissance

Passive reconnaissance involves collecting information about a target from publicly accessible sources. It comprises the attacker's attempts to scout for or survey potential targets and investigations or explorations of the target. It also includes information gathering and may involve competitive intelligence gathering, social engineering, breaching physical security, etc.

Attackers typically spend more time on the pre-attack or reconnaissance activity than on the actual attack. Beginning with passive reconnaissance, the tester gathers as much information as possible about the target company. Much of the leaked information relates to the network topology and the types of services running within it. The tester can use this sensitive information to provisionally map out the network for planning a more coordinated attack strategy later.

With regard to publicly available information, access to this information is independent of the organization's resources and can therefore be effectively accessed by anyone. The information is often contained on systems unrelated to the organization.

Active reconnaissance

Active reconnaissance involves information gathering through social engineering, on-site visits, interviews, and questionnaires. Here the information gathering process encroaches on the target territory: the perpetrator may send probes to the target in the form of port scans, network sweeps, enumeration of shares and user accounts, etc. The attacker may adopt techniques such as social engineering, employing tools such as scanners and sniffers that automate these tasks. The footprints that the attacker leaves are larger, and novices can be easily identified.

Pre-attack Phase: Information Gathering (Cont'd)

The following information is retrieved during the pre-attack phase:

- Competitive intelligence
- Network registration information
- DNS and mail server information
- Operating system information
- User information
- Authentication credentials information
- Analog connections
- Contact information
- Website information
- Physical and logical location of the organization
- Product range and service offerings of the target company that are available online
- Any other information that has the potential to result in a possible exploitation

Attack Phase

This stage involves the actual compromise of the target. The attacker may exploit a vulnerability discovered during the pre-attack phase or use security loopholes such as a weak security policy to gain rights to the system. The important point here is that the attacker needs only one point of entry, whereas the organization is left to defend several. Once inside, the attacker may escalate his or her privileges and install a backdoor so that he or she sustains access to the system and exploits it to achieve his or her malicious intent. During the attack phase, the attacker or pen tester needs to:

- Penetrate the perimeter
- Acquire the target
- Escalate privileges
- Execute, implant, retract

Activity: Perimeter Testing

Social engineering is an ongoing activity throughout the testing phase, as sensitive information can be acquired at any stage of testing. The tests that can be carried out in this context include (but are not limited to) impersonating or mocking phone calls to capture sensitive information and verifying information gathered through activities such as dumpster diving. Other means include trusted person acquisition and attempts to retrieve legitimate authentication details such as passwords and access privileges. Information gathered here can also be used later in web application testing.

Firewall Testing: The information gained during the pre-attack phase using techniques such as firewalking is further exploited here. Attempts are made to evade the IDS and bypass the firewall. The processes include but are not limited to:

Crafting and sending packets to check firewall rules. For example, sending SYN packets to test stealth detection. This determines the nature of the various packet responses through the firewall. A SYN packet can be used to enumerate the target network. Similarly, other port scans with different flags set can be used to attempt enumeration of the network. This also gives an indication of the source port control on the target.

Usually, perimeter testing measures the firewall's ability to handle fragmentation: big packet fragments, overlapping fragments, floods of packets, etc. Testing methods for perimeter security include but are not limited to:

- Evaluating error reporting and error management with ICMP probes
- Checking access control lists with crafted packets
- Measuring the threshold for denial of service by attempting persistent TCP connections, evaluating transitory TCP connections, and attempting to stream UDP connections
- Evaluating protocol-filtering rules by attempting connections using various protocols such as SSH, FTP, and Telnet
- Examining the perimeter security system's response to web server scans using multiple methods such as POST, DELETE, and COPY
- Evaluating IDS capability by passing malicious content (such as malformed URLs) and scanning the target for its response to abnormal traffic

Enumerating Devices

A device inventory is a collection of network devices, together with some relevant information about each device, which is recorded in a document. After the network has been mapped and the business assets identified, the next logical step is to make an inventory of the devices. During the initial stages of the pen test, the devices may be referred to by their identification on the network, such as IP address, MAC address, etc. This can be done by pinging all devices on the network or by using device enumeration tools. Later, when there is a physical security check, devices may be cross-checked regarding their location and identity. This step can help to identify unauthorized devices on the network. The other method is to do ping sweeps to detect responses from devices and later correlate the results with the actual inventory. A physical check may additionally be conducted to ensure that the enumerated devices have been located.

The likely parameters to be captured in an inventory sheet would be:

- Device ID
- Description
- Hostname
- Physical location
- IP address
- MAC address
- Network accessibility
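The correlation step described above (ping sweep results against the inventory sheet) is what surfaces unauthorized devices. The following is an added example, not code from the courseware, that performs that reconciliation: it reads a constructed "IP MAC" listing such as an ARP table gives after a sweep, compares it with an inventory built from the fields listed above, and reports unknown devices, hardware-address changes and inventory entries that did not answer. The inventory rows, the sweep output and the accessibility field values are assumptions made for the example.

```python
"""Added example (not code from the CEH courseware): reconciling what a ping
sweep / ARP dump shows on the wire with the device inventory sheet, so that
unknown (possibly unauthorized) devices, MAC changes and stale entries stand
out. The inventory and the discovery output are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    """One row of the inventory sheet, using the fields listed on the page."""
    device_id: str
    description: str
    hostname: str
    location: str
    ip: str
    mac: str
    accessibility: str  # how the device is reachable, e.g. "internal" or "dmz"


# Constructed inventory (private addresses, locally administered MACs).
INVENTORY = [
    Device("DEV-001", "Core router", "rtr-core", "Rack A1",
           "10.0.5.1", "00:11:22:33:44:01", "internal"),
    Device("DEV-002", "Intranet web server", "intranet", "Rack A2",
           "10.0.5.12", "00:11:22:33:44:12", "internal"),
    Device("DEV-003", "Production database", "db-prod", "Rack B1",
           "10.0.5.40", "00:11:22:33:44:40", "internal"),
    Device("DEV-004", "Office printer", "prn-2f", "2nd floor",
           "10.0.5.99", "00:11:22:33:44:99", "internal"),
]

# Constructed sweep result: one "ip mac" pair per line, as an ARP dump lists them.
DISCOVERED = """\
10.0.5.1    00:11:22:33:44:01
10.0.5.12   00-11-22-33-44-12
10.0.5.40   f0:9f:c2:aa:bb:40
10.0.5.77   f0:9f:c2:aa:bb:cc
"""


def normalize_mac(mac: str) -> str:
    """Accept 00:11:..., 00-11-... or 0011.2233.4455 and return aa:bb:cc:dd:ee:ff
    so that the inventory and the tool output compare reliably."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_discovery(text: str) -> dict[str, str]:
    """Map each discovered IP to its normalized MAC; blank lines are skipped."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            seen[parts[0]] = normalize_mac(parts[1])
    return seen


def reconcile(inventory: list[Device], discovered: dict[str, str]) -> dict:
    """Compare the sweep against the sheet. Returns:
      matched      - device IDs seen with the recorded MAC
      mac_mismatch - (device ID, recorded MAC, observed MAC) for IPs whose
                     hardware address changed (replaced NIC, or another
                     host answering on an address that is not its own)
      unknown      - IPs on the wire that are not in the inventory at all
      not_seen     - device IDs that did not answer (offline or stale entry)"""
    by_ip = {d.ip: d for d in inventory}
    result = {"matched": [], "mac_mismatch": [], "unknown": [], "not_seen": []}
    for ip, mac in discovered.items():
        dev = by_ip.get(ip)
        if dev is None:
            result["unknown"].append(ip)
        elif normalize_mac(dev.mac) == mac:
            result["matched"].append(dev.device_id)
        else:
            result["mac_mismatch"].append((dev.device_id, normalize_mac(dev.mac), mac))
    result["not_seen"] = [d.device_id for d in inventory if d.ip not in discovered]
    return result


if __name__ == "__main__":
    for key, items in reconcile(INVENTORY, parse_discovery(DISCOVERED)).items():
        print(f"{key:13}: {items}")
```

Each "unknown" and "mac_mismatch" entry is a candidate for the physical location check the text describes; "not_seen" entries are the ones to verify on site or retire from the sheet.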

Activity: Acquiring Target

Usually, target acquisition refers to all the activities that are undertaken to unearth as much information as possible about a particular machine or system so that it can be used later in the actual process of exploitation. Here, acquiring a target refers to the set of activities undertaken where the tester subjects the targeted machine to more intrusive challenges such as vulnerability scans and security assessment. This is done to obtain more information about the target, which can be used in the exploit phase. Examples of such activities include subjecting the machine to:

- Active probing assaults: Using the results of network scans to gather further information that can lead to a compromise.
- Running vulnerability scans: Vulnerability scans are completed in this phase.
- Trusted systems and trusted process assessment: Attempting to access the machine's resources using legitimate information obtained through social engineering or other means.

Activity: Escalating Privileges

When an attacker succeeds in gaining unauthorized access to a system or network, the degree of escalation depends on the various authorizations possessed by the attacker. The ultimate aim of an attacker would be to gain the highest possible administration privilege, which gives access to the entire network, sensitive information, online banking, etc. Once the target has been acquired, the tester attempts to exploit the system and gain greater access to the protected resources. Activities include (but are not limited to):

- The tester may take advantage of poor security policies and of email or unsafe web code to gather information that can lead to the escalation of privileges
- Use of techniques such as brute force to achieve privileged status; examples of tools include GetAdmin and password crackers
- Use of Trojans and protocol analyzers
- Use of information gleaned through techniques such as social engineering to gain unauthorized access to the privileged resources

Activity: Execute, Implant, and Retract

In this phase, the tester effectively compromises the acquired system by executing arbitrary code. The objective here is to explore the extent to which security fails. The tester attempts to execute the arbitrary code, hides files in the compromised system, and leaves the system without raising alarms. He or she then attempts to re-enter the system stealthily. Activities include:

- Executing exploits, already available or specially crafted, to take advantage of the vulnerabilities identified in the target system.
- Exploiting buffer overflows in order to trick the system into running arbitrary code.
- Executing activities that are usually subject to containment measures, such as the use of Trojans and rootkits.

Activities in the retract phase include manipulation of audit log files to remove traces of the activities; examples include the use of tools such as auditpol. The tester may also change settings within the system, including log settings, to remain inconspicuous during a re-entry. The tester may re-enter the system using the backdoor implanted earlier.

Post-Attack Phase and Activities

This phase is critical to any penetration test, as it is the responsibility of the tester to restore the systems to their pre-test states. The objective of the test is to show where security fails, and unless there is a scaling of the penetration test agreement whereby the tester is assigned the responsibility to correct the security posture of the systems, this phase must be completed.

Activities in this phase include (but are not restricted to):

- Removing all files uploaded on the system
- Cleaning all registry entries and removing vulnerabilities created
- Reversing all file and setting manipulations done during the test
- Reversing all changes in privileges and user settings
- Removing all tools and exploits from the tested systems
- Restoring the network to the pre-test state by removing shares and connections
- Mapping of the network state
- Documenting and capturing all logs registered during the test
- Analyzing all results and presenting them to the organization

The penetration tester should document all his or her activities and record all observations and results so that the test is repeatable and verifiable for the given security posture of the organization. For the organization to quantify the security risk in business terms, it is essential that the tester identify critical systems and critical resources and map the threats to these.

Penetration Testing Deliverable Templates

A pen test report carries details of the incidents that have occurred during the testing process and the range of activities that the testing team carried out. It captures the objectives as agreed upon in the rules of engagement and provides a brief description of the observations from the testing engagement. The team may also recommend corrective actions based on the rules of engagement.

Under the activities carried out will be all the tests, the devices against which the tests were conducted, and the preliminary observations. These are usually cross-referenced to the appropriate test log entry. Other information that can be captured under the incident description can include:

- A detailed description of the incident
- The date and time when the incident occurred
- Contact information for the person who observed the incident
- The stage of testing during which the incident occurred
- A description of the steps taken to create the incident. This can be supplemented by screen captures
- Observations on whether the incident can be repeated or not

- Details on the tool (if detected), the name and version of the tool, and, if relevant, any custom configuration settings

Under risk analysis, the impact of the test is captured from a business perspective. The information included is:

- The initial estimate of the relative severity of the incident to the business
- The initial estimate of the relative likelihood (or frequency) of the incident reoccurring in production
- The initial estimate of the cause of the incident

Module Flow

Pen Testing Concepts, Types of Pen Testing, Pen Testing Techniques, Pen Testing Phases, Pen Testing Roadmap, Outsourcing Pen Testing Services

Pen Testing Roadmap

A penetration test is a technique that evaluates or audits the security of a computer system or other facility by launching an attack from a malicious source. It also shows how vulnerable a computer system would be in the event of a real attack. The rules, practices, methods, and procedures implemented and followed during the course of any information security audit program are defined by the pen testing methodology. This methodology gives you a roadmap with proven practices as well as practical ideas that are to be handled with care for assessing the system security correctly. A detailed explanation of the pen testing roadmap is given in the next slides.

Penetration Testing Methodology

The methodology covers: Information Gathering, Vulnerability Analysis, External Penetration Testing, Internal Network Penetration Testing, Router and Switches Penetration Testing, Firewall Penetration Testing, IDS Penetration Testing, Wireless Network Penetration Testing, Denial of Service Penetration Testing, Password Cracking Penetration Testing, Social Engineering Penetration Testing, Stolen PDAs and Laptop Penetration Testing, Source Code Penetration Testing, Web Application Penetration Testing, SQL Injection Penetration Testing, and Physical Security Penetration Testing.

The following are the various phases in the penetration testing methodology:

Information Gathering

Information gathering is one of the major steps of penetration testing. It is the first phase in the penetration testing process. It is done using various tools, scanners, online sources, sending simple HTTP requests, specially crafted requests, etc.

Vulnerability Analysis

Vulnerability analysis is a method of identifying vulnerabilities on a network. It provides an overview of the flaws that exist in a system or network.

External Penetration Testing

An external penetration test is conducted to know whether the external network is secure or not. In external penetration testing, hacking is done in the same way the actual attacker does it, but without causing any harm to the network. This helps in making the network more secure. Various methods used in external penetration testing are:

- Footprinting
- Public Information & Information Leakage

- DNS Analysis & DNS Brute Forcing
- Port Scanning
- System Fingerprinting
- Services Probing
- Exploit Research
- Manual Vulnerability Testing and Verification of Identified Vulnerabilities
- Intrusion Detection/Prevention System Testing
- Password Service Strength Testing
- Remediation Retest (optional)

Internal Network Penetration Testing

In internal network penetration testing, all the possible internal network flaws are identified and simulated as if a real attack had taken place. Various methods used for internal network penetration testing are:

- Internal Network Scanning
- Port Scanning
- System Fingerprinting
- Services Probing
- Exploit Research
- Manual Vulnerability Testing and Verification
- Manual Configuration Weakness Testing and Verification
- Limited Application Layer Testing
- Firewall and ACL Testing
- Administrator Privileges Escalation Testing
- Password Strength Testing
- Network Equipment Security Controls Testing
- Database Security Controls Testing
- Internal Network Scan for Known Trojans
- Third-Party/Vendor Security Configuration Testing

Router and Switches Penetration Testing

Router and switch penetration testing is carried out to determine:

- End-to-end router security
- Bandwidth and speed of the internet connection

- Data transfer speed
- Router performance
- Router security assessment

Firewall Penetration Testing

Firewall penetration testing is one of the most useful methods in analyzing security effectiveness. Through this method, you can identify how secure your firewall and network are against the attacks performed by network intruders.

IDS Penetration Testing

An intrusion detection system (IDS) can be software or hardware. IDS penetration testing helps you to test the strength of the IDS. It can be performed with the help of tools such as IDS Informer, an evasion gateway, etc.

Wireless Network Penetration Testing

Wireless networks are more economical than wired networks. Though wireless networks are cheaper, there are various risks associated with them. A wireless network is less protected than a wired one. Therefore, wireless networks must be tested strictly and the respective security enhancements must be applied.

Denial of Service Penetration Testing

The main purpose of a denial-of-service (DoS) attack is to slow down the website or even crash it by sending too many requests, more than a particular server can handle. If the attacker knows the details of the server and its technical specifications, it becomes more vulnerable. Sometimes DoS is done on a trial-and-error basis. So the penetration tester must check how much the website or server can withstand. It is also necessary to provide an alternative way to react to the situation when the limit is exceeded.

Password Cracking Penetration Testing

Passwords are used to protect computer resources from unauthorized access. Password cracking penetration testing identifies the vulnerabilities associated with password management. This helps in avoiding various kinds of malicious attacks such as brute force attacks, hybrid attacks, dictionary attacks, etc.

Social Engineering Penetration Testing

Social engineering is a method used by attackers to get crucial information about a company. Attackers especially target individuals within the organization to gather as much information as possible about the company. This is completely documented, and then the employees are educated about possible social engineering attacks and cautioned about various threats.

Stolen Laptops, PDAs, and Cell Phones Penetration Testing

The penetration tester should find out the possible loopholes in the physical locality and identify the various ways that an intruder can enter the company. Once important electronic devices that contain sensitive information of the company are stolen, information can be extracted from these stolen devices. Therefore, such penetration testing proves very beneficial. Penetration tests are done especially on senior members of the company, as their PDAs, laptops, and mobile phones often contain sensitive information.

Source Code Penetration Testing

The penetration tester should perform source code analysis by using source code analysis tools. These tools help the pen tester detect the vulnerabilities in the source code.

Application Penetration Testing

Programmers may make some mistakes at the time of software creation. Those mistakes can become potential vulnerabilities. Application penetration testing helps in determining the design errors of the software.

SQL Injection Penetration Testing

The penetration tester should perform SQL injection penetration testing on the application in order to find out vulnerabilities in the application. The pen tester should try to simulate different types of SQL injection attacks to find the possible vulnerabilities.

Physical Security Penetration Testing

Here the penetration tester tries to gain physical access to the organizational resources before, during, and after business hours. All the physical security controls must be properly tested.

Penetration Testing Methodology (Cont'd)

The methodology also covers: Surveillance Camera Penetration Testing, Database Penetration Testing, VoIP Penetration Testing, VPN Penetration Testing, Cloud Penetration Testing, Virtual Machine Penetration Testing, War Dialing, Virus and Trojan Detection, Log Management Penetration Testing, File Integrity Checking, Mobile Devices Penetration Testing, Telecom and Broadband Penetration Testing, Email Security Penetration Testing, Security Patches Penetration Testing, Data Leakage Penetration Testing, and SAP Penetration Testing.

Surveillance Camera Penetration Testing

A surveillance camera can be used to monitor the live target. The surveillance camera can be prone to security flaws due to the non-robust design of the web interface created for surveillance camera activities. As a pen tester, you should try to find out vulnerabilities in the web interface of the surveillance camera. You should do the following things to test the surveillance camera:

- The web interface should be completely debugged
- Try to look for the injection points from where the motion images are included remotely
- Validate the image path
- Create a different motion picture recorder and editor in order to validate whether the motion or pictures recorded by the surveillance camera are the same or not

Database Penetration Testing

In this process, a penetration tester tries to directly access data contained in the database or indirectly access the data through triggers or stored procedures executed by the database engine. This method helps in avoiding unauthorized access to data.

VoIP Penetration Testing

In VoIP penetration testing, access to the VoIP network is attempted to record the conversations, and even a DoS attack may be used to find out the company's security policies.

VPN Penetration Testing

Sometimes, employees are allowed to work from home or remotely, and in such situations there are a lot of security issues associated with VPNs. So the penetration team attempts to gain access to the VPN through a remote endpoint or a VPN tunnel and checks for vulnerabilities.

Cloud Penetration Testing

Cloud computing systems are widespread today. There are risks associated with cloud computing. Organizations must figure out these risks and apply proper security mechanisms to protect against potential risks. To find out the vulnerabilities in a cloud-based application, conduct a penetration test on the cloud.

Virtual Machine Penetration Testing

An attacker can exploit a virtual machine security flaw by running malicious code on the virtual machine. The pen tester needs to find out the vulnerabilities in the VM by simulating the actions of an attacker before a real attack occurs.

War Dialing

Dial-up modems used by companies have various vulnerabilities. These allow attackers to hack a system or network easily. War dialing penetration testing is useful:

- To identify the vulnerabilities of the modems
- To know the password-related vulnerabilities
- To know whether there is any open access to the organization's systems or not

Virus and Trojan Detection

Viruses and Trojans are the most widespread malicious software today. Once on systems and networks, they are very dangerous. Early detection of viruses and Trojans is very important.

Log Management Penetration Testing

A management log contains a record of all the events that use a data grid network. It contains the complete track of events such as node status, agent transmission, job requests, etc. Therefore, proper log management helps in tracking any malicious activity, such as unauthorized access by outside attackers, at an early stage.

File Integrity Checking

Checking the integrity of a file is the best way to tell whether it is corrupted or not. It involves checking the following things:

- File size
- Version
- When it was created
- When it was modified
- The login name of any user who modifies the file
- Its attributes (e.g., Read-Only, Hidden, System, etc.)

Mobile Devices Penetration Testing

In mobile penetration testing, the pen tester tries to access and manipulate the data on the particular mobile device, simulating all possible attacks such as using social engineering, uploading malicious code, etc. Mobile device penetration testing pinpoints and addresses gaps in end-user awareness and security exposures in these devices before attackers actually misuse and compromise them.

Telecom and Broadband Penetration Testing

The pen tester tries to determine the vulnerabilities in the broadband connection of the particular corporate network. The pen tester simulates different types of attacks, such as unauthorized access, installation of malicious software, and DoS attacks on broadband connections, to check whether the network withstands these types of attacks.

Email Security Penetration Testing

Email security penetration testing helps to check all the vulnerabilities associated with an email mechanism.

Security Patches Penetration Testing

Unless the system or software is updated with the latest security patches, it is vulnerable to attacks. Poorly designed security patches have more vulnerabilities, so testing them helps in resolving such issues.

Data Leakage Penetration Testing

Penetration testing of data leakage helps in the following ways:

- Preventing confidential information from going out to the market or to competitors
- Allows increasing the internal compliance level for data protection
- Improves awareness amongst employees on safe practices
- Will be useful to easily demonstrate compliance with regulations
- Controls exposure with workflows for mitigation
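The File Integrity Checking list above (size, creation and modification times, owner login name, attributes) can be turned into a baseline-and-verify routine. The following is an added example, not code from the courseware; it adds a SHA-256 digest to the listed attributes so a content change that keeps the file size is still caught, and the directory layout and file contents it checks are constructed for the demonstration.

```python
"""Added example, not from the courseware: a minimal file integrity baseline
and verifier covering the attributes listed under File Integrity Checking
(size, creation and modification times, owner login name, permission
attributes) plus a SHA-256 digest, so a content change that preserves size
is still caught. The directory layout and file contents are constructed."""
import hashlib
import stat
import tempfile
from pathlib import Path


def owner_name(uid: int) -> str:
    """Login name of the owner where the platform provides it, else the numeric id."""
    try:
        import pwd  # POSIX only
        return pwd.getpwuid(uid).pw_name
    except (ImportError, KeyError):
        return str(uid)


def file_record(path: Path) -> dict:
    """Collect the integrity attributes of one file."""
    st = path.stat()
    return {
        "size": st.st_size,
        "created": int(st.st_ctime),   # inode change time on POSIX, creation time on Windows
        "modified": int(st.st_mtime),
        "owner": owner_name(st.st_uid),
        "mode": stat.filemode(st.st_mode),  # e.g. "-rw-r--r--", the read-only style attributes
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
    }


def build_baseline(root: Path) -> dict:
    """Record every regular file under root, keyed by its relative POSIX path."""
    return {
        p.relative_to(root).as_posix(): file_record(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a baseline.

    Returns the changed fields per modified file, plus files that vanished
    or appeared since the baseline was taken.
    """
    current = build_baseline(root)
    report = {"modified": {}, "missing": [], "new": []}
    for rel, old in baseline.items():
        now = current.get(rel)
        if now is None:
            report["missing"].append(rel)
            continue
        changed = [field for field in old if old[field] != now[field]]
        if changed:
            report["modified"][rel] = changed
    report["new"] = sorted(set(current) - set(baseline))
    return report


def demo() -> dict:
    """Constructed scenario: baseline two files, then alter one, delete one, add one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        # Same byte length as before, so size alone would not reveal the edit.
        (root / "etc" / "app.conf").write_text("debug=true \n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "added.conf").write_text("listen=0.0.0.0\n")
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```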

SAP Penetration Testing

Attackers may be able to break into the SAP platform and perform espionage, sabotage, and fraud attacks on business-critical information. The SAP penetration testing service simulates the process performed by an attacker. In SAP penetration testing, the pen tester tries to find the vulnerabilities in the SAP platform by conducting different types of attacks, and then checks whether he or she is able to break into the SAP platform.

Application Security Assessment

Application security assessment is an in-depth analysis of applications to identify and assess security vulnerabilities that can expose the organization's sensitive information.

Application security assessment is done by a security professional to identify security vulnerabilities and significant issues. Application security assessment involves:

- Inspection of application validation and bounds checking for both accidental and mischievous input.
- Manipulation of client-side code and locally stored information such as session information and configuration files.
- Examination of application-to-application interaction between system components such as the web service and back-end data sources.
- Discovery of opportunities that could be utilized by an attacker to escalate their permissions.
- Examination of event logging functionality.
- Examination of authentication methods in use for their robustness and resilience to various subversion techniques.

Even in a well-deployed and secured infrastructure, a weak application can expose the organization's crown jewels to unacceptable risk. Application security assessment is designed to identify and assess threats to the organization through bespoke or proprietary applications or systems. This test checks the application so that a malicious user cannot access, modify, or destroy data or services within the system.

Web Application Testing - I

This test phase can be carried out as the tester proceeds to acquire the target.

Input validation

Tests include OS command injection, script injection, SQL injection, LDAP injection, and cross-site scripting. Other tests include checking for dependency on external data and source verification.

Output sanitization

Tests include parsing special characters and verifying error checking in the application.

Access control

The tester checks access to administrative interfaces, transfers data for manipulating form fields, checks URL query strings, changes the values of client-side script, and attacks cookies. Other tests include checking for authorization breaches, enumerating assets accessible through the application, lapses in event handling sequences, proxy handling, and compliance with the least privilege access rule.

Web Application Testing - II

1. Checking for buffer overflows

Tests include attacks against stack overflows, heap overflows, and format string overflows.

2. Component checking

Check for security controls on web server/application components that might expose the web application to vulnerabilities, such as basic authentication.

3. Denial-of-service checking

Test for DoS induced by malformed user input, user lockout, and application lockout due to traffic overload, transaction requests, or excessive requests on the application.

4. Data and error checking

Check for data-related security lapses such as storage of sensitive data in the cache or input of sensitive data using HTML. Check for verbose error messages that give away more details of the application than necessary, and the error type.

SQL injection techniques

SQL injection may be attempted against web applications to gain access to the target system.

Web Application Testing - III

Confidentiality check

For applications using secure protocols and encryption, check for lapses in the key exchange mechanism, inadequate key length, and weak algorithms. Validate authentication schemes by attempting user enumeration through login or a recovery process. Check digital certificates and use a signature verification process.

Session management

Check the time validity of session tokens, the length of tokens, the expiration of session tokens while transiting from SSL to non-SSL resources, the presence of any session tokens in the browser history or cache, and the randomness of session IDs (check for use of user data in generating an ID).

Configuration verification

Attempt manipulation of resources using HTTP methods such as DELETE and PUT, check for version content availability and any visible restricted source code in public domains, attempt directory and file listing, and test for known vulnerabilities and accessibility of administrative interfaces in the server and server components.
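The session management checks above (token length, randomness, and use of user data in generating an ID) can be applied to a sample of tokens an application has issued. The following is an added example, not code from the courseware: it flags short tokens, user data embedded in plain, hex or base64 form, predictable numeric sequences, and too little observed variation; the token samples, user names and thresholds are constructed assumptions.

```python
"""Added example, not from the courseware: a session token assessment in the
spirit of the session management checks above. Given a sample of tokens an
application issued, it flags short tokens, embedded user data (plain, hex or
base64), predictable numeric sequences, and too little observed variation.
The token samples and user names are constructed; thresholds are assumptions."""
import base64
import math


def _as_int(token: str):
    """Parse a token as decimal or hex, or return None."""
    for base in (10, 16):
        try:
            return int(token, base)
        except ValueError:
            continue
    return None


def assess_session_tokens(tokens, known_user_data=(), min_length=16, min_bits=64) -> list:
    """Return a list of finding strings; an empty list means nothing was flagged."""
    if not tokens:
        return ["no tokens supplied"]
    findings = []
    if len(set(tokens)) != len(tokens):
        findings.append("duplicate tokens issued")
    short = [t for t in tokens if len(t) < min_length]
    if short:
        findings.append(f"{len(short)} token(s) shorter than {min_length} characters")
    # User data inside a token means the ID is derived from the user, not random.
    for value in known_user_data:
        raw = value.encode()
        forms = {value, raw.hex(), base64.b64encode(raw).decode().rstrip("=")}
        if any(form in t for t in tokens for form in forms):
            findings.append(f"user data {value!r} appears inside a token")
    # Numeric tokens that sit close together behave like an incrementing counter.
    ints = [_as_int(t) for t in tokens]
    if len(ints) > 1 and all(i is not None for i in ints):
        ordered = sorted(ints)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        if max(gaps) <= 1 << 16:
            findings.append("tokens form a predictable numeric sequence")
    # Crude variation estimate: positions that differ across the sample, times
    # the bits per symbol of the alphabet actually observed.
    width = min(len(t) for t in tokens)
    alphabet = set("".join(tokens))
    varying = sum(1 for i in range(width) if len({t[i] for t in tokens}) > 1)
    est_bits = varying * math.log2(len(alphabet)) if len(alphabet) > 1 else 0.0
    if est_bits < min_bits:
        findings.append(f"estimated variation about {est_bits:.0f} bits, below {min_bits}")
    return findings


# Constructed samples: tokens built from the user name plus a counter,
# a bare hex counter, and 128-bit random-looking values.
USER_NAMES = ["alice", "bob", "carol"]
NAME_COUNTER_TOKENS = ["alice-1001", "bob-1002", "carol-1003"]
HEX_COUNTER_TOKENS = ["000003e8", "000003e9", "000003ea"]
RANDOM_TOKENS = [
    "9f3a7c1e5b8d2046a1c4e7f90b3d6a58",
    "2b7e4d90c1f3a6e8d5b0947c3e1a8f62",
    "c84e1a5f7d2b9036e6a3f1c75b8d4e09",
]


if __name__ == "__main__":
    for label, sample in [("name+counter", NAME_COUNTER_TOKENS),
                          ("hex counter", HEX_COUNTER_TOKENS),
                          ("random", RANDOM_TOKENS)]:
        print(label, assess_session_tokens(sample, USER_NAMES) or ["no findings"])
```

The variation estimate is only a screen: a handful of samples cannot prove a generator is cryptographically random, but it reliably exposes tokens that are constant apart from a counter or a user name.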

Network Security Assessment

Network security assessment is an effective method to protect systems from external attacks. Vulnerabilities present in routers, firewalls, DNS, web and database servers, and other systems become a doorway for attackers to perform attacks. Network assessment helps in reducing the risks related to networks. It gives a clearer idea about the risks posed by external and internal attackers.

- It scans the network environment to identify vulnerabilities and helps to improve an enterprise's security policy
- It uncovers network security faults that can lead to data or equipment being exploited or destroyed by Trojans, denial-of-service attacks, and other intrusions
- It ensures that the security implementation actually provides the protection that the enterprise requires when any attack takes place on a network, generally by "exploiting" a vulnerability of the system
- It is performed by a team attempting to break into the network or servers

Wireless/Remote Access Assessment

Wireless/remote access assessment involves assessing risks associated with wireless/cellular networks, VPN systems, and mobile devices. It addresses the security risks associated with an increasingly mobile workforce. Wireless networking has various benefits as well as security risks. Assessment includes testing the following things:

- Bluetooth
- 802.11a, b, and g
- Wireless networks
- Radio communication channels
- Wireless radio transmissions
- GHz signals

Wireless Testing

A wireless network can be attacked in multiple ways, and conducting a penetration test is a difficult process here compared to a wired network. To launch attacks against wireless networks, attackers use various methods such as:

- Denial-of-service attacks
- Man-in-the-middle attacks
- ARP poisoning attacks

Methods for wireless testing include but are not limited to:

- Check if the access point's default Service Set Identifier (SSID) is easily available. Test for "broadcast SSID" and accessibility to the LAN through this. Tests can include brute forcing the SSID character string using tools like Kismet
- Check for vulnerabilities in accessing the WLAN through the wireless router, access point, or gateway. This can include verifying if the default Wired Equivalent Privacy (WEP) encryption key can be captured and decrypted

89 e Audit for a b ro ad cast b e aco n of any access point and check all protocols available on th e access points. Check if Layer 2 sw itched netw orks are being used instead of hubs for access point connectivity 9 Subject authentication to playback of previous authentications in order to check for privilege escalation and unauthorized access 6 Verify th at access is granted only to client m achines with registered MAC addresses M odule 20 Page 2960 Ethical Hacking and C ounterm easures Copyright by EC-COUIICil

Telephony Security Assessment

A telephony security assessment is performed to identify vulnerabilities in corporate voice technologies that might result in toll fraud, eavesdropping on calls, unauthorized access to voicemail systems, DoS attacks, etc. Telephony security assessment includes security assessment of PBXs, Voice over IP (VoIP) systems, modems, mailboxes, etc.

The main objective of a telephony assessment is to test for:
- Toll fraud
- Eavesdropping on telephone calls
- Unauthorized access to the voicemail system

A telephony security assessment addresses security concerns relating to corporate voice technologies. This includes the abuse of PBXs by outsiders to route calls at the target's expense, mailbox deployment and security, voice over IP (VoIP) integration, unauthorized modem use, and associated risks. Telephony security assessment consists of:
- PBX testing
- Voicemail testing
- FAX review
- Modem testing

Social Engineering

Social engineering refers to non-technical information system attacks that rely on tricking people into divulging sensitive information. It exploits the trust, fear, and helping nature of humans to extract sensitive data such as security policies, sensitive documents, office network infrastructure, passwords, etc.

Social engineering refers to the method of influencing and persuading people to reveal sensitive information in order to perform some malicious action. This can be used to gather confidential information, authorization details, and access details by deceiving and manipulating people. All security measures adopted by the organization are in vain when employees get "socially engineered" by strangers. Some examples of social engineering include unwittingly answering the questions of strangers, replying to spam, and bragging in front of co-workers. Most often, people are not even aware of a security lapse on their part, and they may divulge information to a potential attacker inadvertently.

Attackers take special interest in developing social engineering skills, and are so proficient that their victims don't even realize that they have been scammed. Even organizations with security policies in place can be compromised, because social engineering attacks target people's willingness to be helpful. Attackers always look for new ways to gather information; they make sure that they know the people on the perimeter (security guards, receptionists, and help desk workers) in order to exploit human oversight. People have been conditioned not to be overly suspicious; they associate certain behavior and appearances with known entities.

Testing Network-Filtering Devices

Penetration testing is a method of evaluating the security of an information system or network by simulating an attack to find out vulnerabilities that an attacker could exploit. Testing involves active analysis of system configurations, design weaknesses, network architecture, technical flaws, and vulnerabilities. Black box testing simulates an attack from someone who has no prior knowledge of the system, and white box testing simulates an attack from someone who has complete knowledge about the system. A comprehensive report with details of the vulnerabilities discovered and a suite of recommended countermeasures is delivered to the executive, management, and technical audiences.

There are various ways to configure network-filtering devices. In some instances they may be too lax, failing to block malicious traffic; in others they may be so strict that legitimate traffic is blocked. The objective of the pen test team is to ascertain that only legitimate traffic flows through the filtering device. If multiple filters are used, as in a DMZ configuration that uses two firewalls, each filter has to be tested to make sure that it has been configured correctly. It is a fact, however, that even the most preventive firewall cannot restrict network intrusion when the intrusion is initiated from within the organization.

Most firewalls have the ability to log all activities. But if the logs go unmonitored over a period of time, they may hinder the functionality of the firewall. Pen testers may test the firewall for endurance by checking the logs and ensuring that the logging activity does not interfere with the firewall's primary activity. Proxy servers may be subjected to tests to determine their ability to filter out unwanted packets. The pen testers may recommend the use of a load balancer if the traffic load seems to be affecting the filtering capabilities of the devices. Testing for default installations of the firewall can be done to ensure that default user IDs and passwords have been disabled or changed. Testers can also check for any remote login capability that is enabled and would allow an intruder to disable the firewall.
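The two-firewall DMZ case above is one where a single filter can be misconfigured without any end-to-end test revealing it. The following Python harness is an added example, not part of the CEH module; its zones, addresses, rule sets and the over-broad inner rule are all constructed. It evaluates each filter with first-match semantics and reports where the observed behaviour of the chain diverges from the intended policy.

```python
# Added example (not from the CEH module): check that a chain of packet filters
# passes only the traffic the policy intends. Zones, addresses and rules are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when every field of the flow falls inside it."""
    return (ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and rule.proto in ("any", flow.proto)
            and rule.dport in (None, flow.dport))


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; an unmatched flow is denied (default deny)."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return "deny"


# Constructed topology: Internet -> outer fw -> DMZ -> inner fw -> internal LAN.
ZONES: Dict[str, str] = {"dmz": "192.0.2.0/24", "internal": "10.0.0.0/8"}

# Filters a flow crosses between two zones, following the topology above.
PATHS: Dict[Tuple[str, str], List[str]] = {
    ("internet", "dmz"): ["outer"],
    ("internet", "internal"): ["outer", "inner"],
    ("dmz", "internet"): ["outer"],
    ("dmz", "internal"): ["inner"],
    ("internal", "dmz"): ["inner"],
    ("internal", "internet"): ["inner", "outer"],
}

FILTERS: Dict[str, List[Rule]] = {
    "outer": [
        Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),  # public web server
        Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 80),
        Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),
    ],
    "inner": [
        Rule("allow", "192.0.2.10/32", "10.0.5.20/32", "tcp", 5432),  # web -> database
        # Constructed misconfiguration: an over-broad leftover rule below the specific one.
        Rule("allow", "192.0.2.0/24", "10.0.0.0/8", "tcp", None),
        Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),
    ],
}


def zone_of(addr: str) -> str:
    for name, net in ZONES.items():
        if ip_address(addr) in ip_network(net):
            return name
    return "internet"


def verdict(flow: Flow) -> Tuple[str, str]:
    """Walk the filters on the flow's path; the first one that denies decides.
    Returns (verdict, name of the filter that decided)."""
    path = PATHS.get((zone_of(flow.src), zone_of(flow.dst)), [])
    for name in path:
        if evaluate(FILTERS[name], flow) == "deny":
            return "deny", name
    return "allow", (path[-1] if path else "none")


def verify_policy(expectations: List[Tuple[Flow, str]]) -> List[Tuple[Flow, str, str, str]]:
    """Return (flow, expected, observed, deciding filter) for every divergence."""
    mismatches = []
    for flow, expected in expectations:
        observed, where = verdict(flow)
        if observed != expected:
            mismatches.append((flow, expected, observed, where))
    return mismatches


# Expectations come from the intended policy, not from reading the rules. The
# Internet-sourced probe of the file server is stopped by the outer filter, which
# masks the inner filter's bad rule; only the DMZ-sourced probe exposes it.
EXPECTATIONS: List[Tuple[Flow, str]] = [
    (Flow("198.51.100.7", "192.0.2.10", "tcp", 443), "allow"),  # public HTTPS
    (Flow("198.51.100.7", "192.0.2.10", "tcp", 22), "deny"),    # no SSH from outside
    (Flow("192.0.2.10", "10.0.5.20", "tcp", 5432), "allow"),    # web -> database
    (Flow("198.51.100.7", "10.0.7.7", "tcp", 445), "deny"),     # Internet -> file server
    (Flow("192.0.2.10", "10.0.7.7", "tcp", 445), "deny"),       # DMZ host -> file server
]
```

Running `verify_policy(EXPECTATIONS)` reports exactly one mismatch, the DMZ-to-file-server flow allowed by the inner filter, which an Internet-only test plan would never have seen.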

Denial-of-Service Simulation

These tests are meant to check the effectiveness of anti-DoS devices. Some online services can be used to simulate DoS attacks for a nominal charge.

There are two classes of DoS: magic packet attacks and resource-exhaustion attacks. Magic packet attacks usually take advantage of an existing vulnerability in the OS or application: by sending one or a few particular packets they provoke a grossly abnormal response, excessive CPU utilization, or a full system crash, as with WinNuke and Ping of Death. Resource-exhaustion attacks do not rely on vulnerabilities; instead they make use of the available computer resources. A resource-exhaustion DoS attack is implemented by intentionally consuming the maximum resources and then retaining them.

While small DoS attacks can be duplicated by running DoS from one machine connected to the target network, large tests that seek to duplicate DoS attacks may need to utilize many machines and large amounts of network bandwidth. These may prove to be time consuming and resource intensive as well. Instead of deploying several generic servers, hardware devices may be used to create large volumes of network traffic. They can also come with attack/testing modules that are designed to emulate the most common DoS attacks. Simulating hacker attacks can include spoofing the DoS source address to that of a router or device on the network itself, so that if the IDS is triggered, the network cuts itself off and the objective is achieved. Another option is to emulate the DoS from an online site over the Internet. Some firms offer this service for a charge and route traffic over the Internet to emulate the attack.

There are several tools available to simulate a denial-of-service attack and assess the effectiveness of anti-DoS devices. For example, WebAvalanche can be configured to increase the connections-per-second rate and bandwidth usage. This creates connections with lower latency, usually faster than the average user's HTTP connection. However, this may not necessarily affect the capabilities of the devices under test that inspect traffic.

Module Flow

Pen testing results can be effective when the test is performed by a skilled pen tester. Hiring a highly skilled professional on a permanent basis may be a huge investment; therefore, most companies prefer to outsource their pen testing. Outsourcing pen testing can increase the frequency, scope, and consistency of security evaluations.

- Pen Testing Concepts
- Types of Pen Testing
- Pen Testing Techniques
- Pen Testing Phases
- Pen Testing Roadmap
- Outsourcing Pen Testing Services

A detailed explanation of outsourcing penetration testing services is given on the following slides.

Outsourcing Penetration Testing Services

An organization may outsource penetration testing to get its network audited by an external agency and acquire an intruder's point of view, or because it requires a specific security assessment and suggested corrective measures. Professional liability insurance pays for settlements or judgments for which pen testers become liable as a result of their actions, or failure to perform professional services. It is also known as E&O insurance or professional indemnity insurance.

An organization may choose to outsource penetration-testing services if there is a lack of specific technical knowledge and expertise within the organization. The organization may require a specific security assessment and suggested corrective measures. Alternatively, the organization may choose to get its network audited by an external agency to acquire an intruder's point of view. The need to outsource may also be due to insufficient staff time and resources. The baseline audit may require an ongoing external assessment, or the organization may want to build customer and partner confidence.

From an organization's perspective, it would be prudent to appoint a cutout. A cutout is the company's in-house monitor over the course of the test. This person will be fully aware of how the test will be conducted, the time frame involved, and the comprehensive nature of the test. The cutout will also be able to intervene during the test to save both the pen testers and crucial production systems from unacceptable damage.

Underwriting Penetration Testing

There is an inherent risk involved in undertaking a penetration test. Most organizations would like to know if the penetration testing organization has professional liability insurance. Professional liability insurance pays for settlements or judgments for which pen testers become liable as a result of their actions or failure to perform professional services. It covers the costs involved in defending against the claim, which includes the attorney's fees, court costs, and other related expenditures involved in investigation, and this also includes the expenditure of the settlement process. From a pen tester's perspective, professional liability insurance is malpractice insurance for professional service providers. It is also known as E&O insurance or professional indemnity insurance.

Terms of Engagement

An organization sanctions a penetration test against any of its production systems only after it agrees upon explicitly stated rules of engagement. These must state the terms of reference under which the agency can interact with the organization. They can specify the desired code of conduct, the procedures to be followed, and the nature of the interaction between the testers and the organization.

Terms of engagement are essential to protect both the organization's interests and the pen tester's liabilities. The terms lay down clearly defined guidelines within which the testers can test the systems. They can specify the desired code of conduct, the procedures to be followed, and the nature of interaction between the testers and the organization. It is prudent for an organization to sanction a penetration test against any of its production systems only after it agrees upon explicitly stated rules of engagement. This contract agreed upon with the pen test agency must state the terms of reference under which the agency can interact with the organization. For instance, if the pen test agency is undertaking network mapping, the rules of engagement may read as follows:

"Pen test agency can obtain much of the required information regarding the site's network profile, such as IP address ranges, telephone number ranges, and other general network topology through public information sources, such as Internet registration services, web pages, and telephone directories. More detailed information about the site's network architecture can be obtained through the use of domain name server (DNS) queries, ping sweeps, port scans, and connection route tracing. Informal inquiries, not related to the organization, may also be attempted to gather information from users and administrators that could assist in gaining access to network resources."

Project Scope

Determining the scope of the pen test is essential to decide if the test is a targeted test or a comprehensive test. Comprehensive assessments are coordinated efforts by the pen test agency to uncover as much vulnerability as possible throughout the organization. A targeted test will seek to identify vulnerabilities in specific systems and practices.

One of the factors that has a significant effect on the effort estimation and cost component of the penetration test is whether the pen test agency will undertake a zero-knowledge test or a partial-knowledge test. Providing even partial knowledge to the pen testers results in time and cost savings. The burden is on the client to make sure that the information provided is complete to the extent intended. This is important because if sensitive data about critical systems is given beforehand, it might defeat the purpose of the penetration test.

If the agency is going to undertake a targeted test, it can seek to identify vulnerabilities in specific systems and practices such as:
- Remote access technologies such as dial-in modems, wireless, and VPN
- Perimeter defenses of Internet-connected systems
- Security of web applications and database applications
- Vulnerability to denial-of-service attacks

On the other hand, comprehensive assessments are coordinated efforts by the pen test agency to uncover as much vulnerability as possible throughout an organization's IT practices and networked infrastructure.

Pen Test Service Level Agreements

A service level agreement is a contract that details the terms of service that an outsourcer will provide. The bottom line is that SLAs define the minimum levels of availability from the testers and determine what actions will be taken in the event of serious disruption.

The contract agreement that describes the terms of service that an outsourcer provides is known as a Service Level Agreement (SLA). SLAs should match the testing requirements as closely as possible. Well-drafted SLAs can include remedies and penalties for missing particular service levels. These penalties encourage the pen test team to achieve the objectives and make sure that they get back on track quickly. Many organizations also ask for referrals and examples of SLAs the testers have used with other customers who had similar testing needs. The organization may want to verify the metrics used and the quality of the results achieved to assess the ability of the pen-test team to meet its requirements. From a pen tester's perspective, it may be difficult to provide examples of real-world SLAs because they are considered confidential business information, similar to other contract terms.

The bottom line is that SLAs define the minimum levels of availability from the testers and determine what actions can be taken in the event of serious disruption. Normally, the contract covers such issues as compensation, warranties and remedies, resolution of disputes, and legal compliance. It basically frames the relationship and determines the major responsibilities, both during normal testing and in an emergency situation.

Penetration Testing Consultants

Hiring a qualified penetration tester determines the quality of the penetration test. The main role of penetration testing consultants includes validating the security controls implemented across an organization's external or internal resources, such as firewalls, servers, routers, etc., and developing security policies and procedures. Each area of the network must be examined in depth. A proficient pen tester should possess experience in different IT fields such as software development, systems administration, and consultancy.

When companies outsource penetration testing, hiring qualified and exclusively trained professionals is somewhat costly, but it usually yields good results: more qualitative work can be done and the desired goals can be achieved.
- Hiring a qualified penetration tester determines the quality of the penetration test.
- A penetration test of a corporate network can examine numerous different hosts (with a number of different operating systems), network architecture, policies, and procedures.
- Each area of the network must be examined in depth.
- Penetration testing skills cannot be obtained without years of experience in IT fields such as development, systems administration, or consultancy.

Module Summary

- A pen test simulates methods that intruders use to gain unauthorized access to an organization's networked systems and then compromise them.
- Penetration testing assesses the security model of the organization as a whole and reveals potential consequences of a real attacker breaking into the network.
- Internal testing involves testing computers and devices within the company; it will be performed from a number of network access points, representing each logical and physical segment.
- Pen testing test components depend on the client's operating environment, threat perception, security and compliance requirements, ROE, and budget.
- The penetration testing contract must be drafted by a lawyer and signed by the penetration tester and the company.
- Security assessment categories are security audits, vulnerability assessments, and penetration testing.


L a h ip e r t e n s ió n a r t e r ia l s e d e f in e c o m o u n n iv e l d e p r e s ió n a r t e r ia l s is t ó lic a ( P A S ) m a y o r o V e r s i ó n P á g i n a 1 G U I A D E M A N E J O D E H I P E R T E N S I O N E S C E N C I A L 1. D E F I N I C I O N. L a h ip e r t e n s ió n a r t e r ia l s e d e f in e c o m o u n n iv e l d

More information

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process Complete Web Application Security Phase1-Building Web Application Security into Your Development Process Table of Contents Introduction 3 Thinking of security as a process 4 The Development Life Cycle

More information

H ig h L e v e l O v e r v iew. S te p h a n M a rt in. S e n io r S y s te m A rc h i te ct

H ig h L e v e l O v e r v iew. S te p h a n M a rt in. S e n io r S y s te m A rc h i te ct H ig h L e v e l O v e r v iew S te p h a n M a rt in S e n io r S y s te m A rc h i te ct OPEN XCHANGE Architecture Overview A ge nda D es ig n G o als A rc h i te ct u re O ve rv i ew S c a l a b ili

More information

S y ste m s. T h e D atabase. D atabase m anagem e n t sy ste m

S y ste m s. T h e D atabase. D atabase m anagem e n t sy ste m 1 C h apte r 1 1 A D atabase M anagem e n t S y ste m s 1 D atabase M anagem e n t S y ste m s D atabase m anagem e n t sy ste m (D B M S ) S to re larg e co lle ctio n s o f d ata O rg anize th e d ata

More information

P R E F E I T U R A M U N I C I P A L D E J A R D I M

P R E F E I T U R A M U N I C I P A L D E J A R D I M D E P A R T A M E N T O D E C O M P R A S E L I C I T A O A U T O R I Z A O P A R A R E A L I Z A O D E C E R T A M E L I C I T A T с R I O M O D A L I D A D E P R E G O P R E S E N C I A L N 034/ 2 0

More information

Application Security in the Software Development Lifecycle

Application Security in the Software Development Lifecycle Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO

More information

Information Technology Security Review April 16, 2012

Information Technology Security Review April 16, 2012 Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing

More information

Information Security Organizations trends are becoming increasingly reliant upon information technology in

Information Security Organizations trends are becoming increasingly reliant upon information technology in DATASHEET PENETRATION TESTING SERVICE Sales Inquiries: [email protected] Visit us: http://www.spentera.com Protect Your Business. Get Your Service Quotations Today! Copyright 2011. PT. Spentera. All Rights

More information

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001 001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110

More information

Fear Not What Security Can Do to Your Firm; Instead, Imagine What Your Firm Can Do When Secured!

Fear Not What Security Can Do to Your Firm; Instead, Imagine What Your Firm Can Do When Secured! Fear Not What Security Can Do to Your Firm; Instead, Imagine What Your Firm Can Do When Secured! Presented by: Kristen Zarcadoolas, Jim Soenksen, and Ed Sale PART 2: plan, act, repeat (from the look, plan,

More information

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808 cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

More information

Security and Vulnerability Testing How critical it is?

Security and Vulnerability Testing How critical it is? Security and Vulnerability Testing How critical it is? It begins and ends with your willingness and drive to change the way you perform testing today Security and Vulnerability Testing - Challenges and

More information

i-pro M anagem ent Software ASC970 system Explanation of new functions for Ver. 8.0

i-pro M anagem ent Software ASC970 system Explanation of new functions for Ver. 8.0 i-pro M anagem ent Software ASC970 system Explanation of new functions for Ver. 8.0 Security System s B usiness D ivision Panasonic System N etw orks Co., Ltd. 2 ASE901 function (Option software for ASM

More information

Penetration Testing Service. By Comsec Information Security Consulting

Penetration Testing Service. By Comsec Information Security Consulting Penetration Testing Service By Consulting February, 2007 Background The number of hacking and intrusion incidents is increasing year by year as technology rolls out. Equally, there is no hiding place your

More information

Law, Ka Yee (2009) CRM adoption and its impact on organisational performance. PhD thesis, University of Nottingham.

Law, Ka Yee (2009) CRM adoption and its impact on organisational performance. PhD thesis, University of Nottingham. Law, Ka Yee (2009) CRM adoption and its impact on organisational performance. PhD thesis, University of Nottingham. Access from the University of Nottingham repository: http://eprints.nottingham.ac.uk/10787/6/5-chapter_1.pdf

More information

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER WHITE PAPER CHALLENGES Protecting company systems and data from costly hacker intrusions Finding tools and training to affordably and effectively enhance IT security Building More Secure Companies (and

More information

UNDERSTANDING FLOW PROCESSING WITHIN THE CISCO ACE M ODULE Application de liv e r y pr odu cts can distr ib u te tr af f ic to applications and w e b se r v ice s u sing v ar y ing le v e ls of application

More information

How To Test For Security On A Network Without Being Hacked

How To Test For Security On A Network Without Being Hacked A Simple Guide to Successful Penetration Testing Table of Contents Penetration Testing, Simplified. Scanning is Not Testing. Test Well. Test Often. Pen Test to Avoid a Mess. Six-phase Methodology. A Few

More information

Erfa rin g fra b y g g in g a v

Erfa rin g fra b y g g in g a v Erfa rin g fra b y g g in g a v m u ltim e d ia s y s te m e r Eirik M a u s e irik.m a u s @ n r.n o N R o g Im e d ia N o rs k R e g n e s e n tra l fo rs k n in g s in s titu tt in n e n a n v e n d

More information

Cisco Advanced Services for Network Security

Cisco Advanced Services for Network Security Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs

More information

WHITE PAPER. An Introduction to Network- Vulnerability Testing

WHITE PAPER. An Introduction to Network- Vulnerability Testing An Introduction to Network- Vulnerability Testing C ONTENTS + Introduction 3 + Penetration-Testing Overview 3 Step 1: Defining the Scope 4 Step 2: Performing the Penetration Test 5 Step 3: Reporting and

More information

Managing IT Security with Penetration Testing

Managing IT Security with Penetration Testing Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to

More information

L iechtenstein L aw G azette

L iechtenstein L aw G azette 961.1 L iechtenstein L aw G azette Y ear 2006 N o. 125 published on 30 June 2006 L aw of 17 M ay 2006 on Insurance M ediation (Insurance M ediation A ct;im A ) I hereby grant m y consent to the follow

More information

UFPA Brazil. d e R e d e s Ó p tic a s e s e u s Im p a c to s n o F u tu r o d a In te r n e t

UFPA Brazil. d e R e d e s Ó p tic a s e s e u s Im p a c to s n o F u tu r o d a In te r n e t A v a n ç o s n o P la n o d e C o n tr o le d e R e d e s Ó p tic a s e s e u s Im p a c to s n o F u tu r o d a In te r n e t A n to n io A b e lé m a b e le m @ u fp a.b r Agenda In tr o d u ç ã o C

More information

Digital Pathways. Penetration Testing

Digital Pathways. Penetration Testing Penetration Testing [email protected] Penetration testing, vulnerability tests, assurance projects, ethical hacking it all means broadly the same thing; testing a corporate network to determine

More information

Architecture Overview

Architecture Overview Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

Best Practices in ICS Security for System Operators. A Wurldtech White Paper Best Practices in ICS Security for System Operators A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

More information

2012 North Dakota Information Technology Security Audit Vulnerability Assessment and Penetration Testing Summary Report

2012 North Dakota Information Technology Security Audit Vulnerability Assessment and Penetration Testing Summary Report 2012 North Dakota Information Technology Security Audit Vulnerability Assessment and Penetration Testing Summary Report 28 September 2012 Submitted to: Donald Lafleur IS Audit Manager ND State Auditor

More information

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014 Security Testing Vulnerability Assessment vs Penetration Testing Gabriel Mihai Tanase, Director KPMG Romania 29 October 2014 Agenda What is? Vulnerability Assessment Penetration Testing Acting as Conclusion

More information

SCO TT G LEA SO N D EM O Z G EB R E-

SCO TT G LEA SO N D EM O Z G EB R E- SCO TT G LEA SO N D EM O Z G EB R E- EG Z IA B H ER e d it o r s N ) LICA TIO N S A N D M ETH O D S t DVD N CLUDED C o n t e n Ls Pr e fa c e x v G l o b a l N a v i g a t i o n Sa t e llit e S y s t e

More information

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting Network Security: 30 Questions Every Manager Should Ask Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting Network Security: 30 Questions Every Manager/Executive Must Answer in Order

More information

On the Deficiencies of Active Network Discovery Systems

On the Deficiencies of Active Network Discovery Systems On the Deficiencies of Active Network Discovery Systems Ofir Arkin Chief Technology Officer Insightix Copyright 2012 - All Rights Reserved. This material is proprietary of Insightix. Any unauthorized

More information

Principles of Information Security, Fourth Edition. Chapter 12 Information Security Maintenance

Principles of Information Security, Fourth Edition. Chapter 12 Information Security Maintenance Principles of Information Security, Fourth Edition Chapter 12 Information Security Maintenance Learning Objectives Upon completion of this material, you should be able to: Discuss the need for ongoing

More information

Network Security Audit. Vulnerability Assessment (VA)

Network Security Audit. Vulnerability Assessment (VA) Network Security Audit Vulnerability Assessment (VA) Introduction Vulnerability Assessment is the systematic examination of an information system (IS) or product to determine the adequacy of security measures.

More information

CUSTOMER INFORMATION SECURITY AWARENESS TRAINING

CUSTOMER INFORMATION SECURITY AWARENESS TRAINING CUSTOMER INFORMATION SECURITY AWARENESS TRAINING IN T RO DUCT ION T h i s c o u r s e i s d e s i g n e d to p r o v i d e yo u w i t h t h e k n o w l e d g e to p r o t e c t y o u r p e r s o n a l

More information

The Business Case for Security Information Management

The Business Case for Security Information Management The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un

More information

E S T A D O D O C E A R Á P R E F E I T U R A M U N I C I P A L D E C R U Z C Â M A R A M U N I C I P A L D E C R U Z

E S T A D O D O C E A R Á P R E F E I T U R A M U N I C I P A L D E C R U Z C Â M A R A M U N I C I P A L D E C R U Z C O N C U R S O P Ú B L I C O E D I T A L N º 0 0 1 / 2 0 1 2 D i s p õ e s o b r e C o n c u r s o P ú b l i c o p a r a p r o v i m e n t o c a r g o s e v a g a s d a P r e f e i t u r a M u n i c i

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

How to Successfully Integrate with ERP and Expense Management Systems

How to Successfully Integrate with ERP and Expense Management Systems Treasury and Trade Solutions Citi Commercial Cards Innovation, Efficiency, Simplicity. 2015 Commercial Cards Conference May 18-20, 2015 How to Successfully Integrate with ERP and Expense Management Systems

More information

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination

More information

Penetration Testing Report Client: Business Solutions June 15 th 2015

Penetration Testing Report Client: Business Solutions June 15 th 2015 Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: [email protected]

More information

IBM Global Technology Services Statement of Work. for. IBM Infrastructure Security Services - Penetration Testing - Express Penetration Testing

IBM Global Technology Services Statement of Work. for. IBM Infrastructure Security Services - Penetration Testing - Express Penetration Testing IBM Global Technology Services Statement of Work for IBM Infrastructure Security Services - Penetration Testing - Express Penetration Testing The information in this Statement of Work may not be disclosed

More information

How To Read A Book

How To Read A Book DECOMPOSING MODERNITY Im ages o f Human E x is te n c e in th e w r itin g s o f E rn e s t B e c k e r B y S te p h e n W illiam M a rtin A TH ESIS in partial fulfillment of the requirements of the Masters

More information

Redhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 [email protected] 866-605- 6328 www.redhawksecurity.

Redhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity. Planning Guide for Penetration Testing John Pelley, CISSP, ISSAP, MBCI Long seen as a Payment Card Industry (PCI) best practice, penetration testing has become a requirement for PCI 3.1 effective July

More information

External Penetration Assessment and Database Access Review

External Penetration Assessment and Database Access Review External Penetration Assessment and Database Access Review Performed by Protiviti, Inc. At the request of Internal Audit April 25, 2012 Note: This presentation is intended solely for the use of the management

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK DATE OF RELEASE: 27 th July 2012 Table of Contents 1. Introduction... 2 2. Need for securing Telecom Networks... 3 3. Security Assessment Techniques...

More information

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013 CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control

More information

Exam 1 - CSIS 3755 Information Assurance

Exam 1 - CSIS 3755 Information Assurance Name: Exam 1 - CSIS 3755 Information Assurance True/False Indicate whether the statement is true or false. 1. Antiquated or outdated infrastructure can lead to reliable and trustworthy systems. 2. Information

More information

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

CDM Vulnerability Management (VUL) Capability

CDM Vulnerability Management (VUL) Capability CDM Vulnerability Management (VUL) Capability Department of Homeland Security Office of Cybersecurity and Communications Federal Network Resilience Vulnerability Management Continuous Diagnostics and Mitigation

More information

What is Penetration Testing?

What is Penetration Testing? White Paper What is Penetration Testing? An Introduction for IT Managers What Is Penetration Testing? Penetration testing is the process of identifying security gaps in your IT infrastructure by mimicking

More information

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor [email protected] January 23, 2014

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor [email protected] January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions

More information

Critical Security Controls

Critical Security Controls Critical Security Controls Session 2: The Critical Controls v1.0 Chris Beal Chief Security Architect MCNC [email protected] @mcncsecurity on Twitter The Critical Security Controls The Critical Security

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

PCI-DSS Penetration Testing

PCI-DSS Penetration Testing PCI-DSS Penetration Testing Adam Goslin, Co-Founder High Bit Security May 10, 2011 About High Bit Security High Bit helps companies obtain or maintain their PCI compliance (Level 1 through Level 4 compliance)

More information

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained home Network Vulnerabilities Detail Report Grouped by Vulnerability Report Generated by: Symantec NetRecon 3.5 Licensed to: X Serial Number: 0182037567 Machine Scanned from: ZEUS (192.168.1.100) Scan Date:

More information

IBM Managed Security Services Vulnerability Scanning:

IBM Managed Security Services Vulnerability Scanning: IBM Managed Security Services August 2005 IBM Managed Security Services Vulnerability Scanning: Understanding the methodology and risks Jerry Neely Network Security Analyst, IBM Global Services Page 2

More information