Evaluation of Penetration Testing Software. Research

Research

Penetration testing is an evaluation of system security by simulating a malicious attack, which, at the most fundamental level, consists of an individual attempting to bypass the rules and firewalls that establish software security. As it is impossible to achieve 100% security, the goal of penetration testing an unyielding and unadaptive ruleset is to decrease the chance that a system can be compromised.

Testing is generally conducted from one of three viewpoints: white box, black box, and gray box. Fundamentally, white box testing means complete knowledge of the software and access to the underlying code. This includes comprehensive testing by debugging and by creating specialized test programs that evaluate all routes through the code. Although thorough and comprehensive, white box testing is also expensive and time-consuming. In contrast, black box testing views the remote system as an unknown box which simply performs an operation on the input to produce the output. As a result, without knowledge of system internals, black box testing is generally less comprehensive and thus costs less money and time. Finally, gray box testing is a mixture of white and black, where the researcher conducts testing at the black box level but has code access at the white box level for generating test cases.

Practices

In addition to the three viewpoints from which penetration testing can be performed, there are also three large penetration testing methodologies: the Open Source Security Testing Methodology Manual (OSSTMM) [1], the Information Systems Security Assessment Framework (ISSAF) [2], and the NIST Guideline on Network Security Testing (Special Publication 800-42) [3]. Of these three, the most accepted and comprehensive is the OSSTMM, an open and peer-reviewed methodology that, when properly applied, accurately measures security without assumptions and anecdotal evidence. The OSSTMM consists of Information Security, Process Security, Internet Technology Security, Communications Security, Wireless Security, and Physical Security modules, each of which has specific tasks and goals that need to be completed and verified.

Practices which are especially relevant to the Drupal project include those of the Internet Technology module that concern automated software, exploitation vectors, privilege control, and heavy load situations. Tasks for automated vulnerability scanners include testing with at least two redundant tools, utilizing popular exploits and cracking tools, and checking for both false positives and false negatives among the discovered vulnerabilities. Exploitation vectors to examine include buffer overflows in long strings, SQL injection, brute-force password discovery, cross-site scripting (XSS), bypass of input validation in encoded strings (Unicode, etc.), server-side includes, cookie manipulation, hidden field modifications, HTTP header manipulation, and input sanitization. Privilege control emphasizes the concept of granting resource and system control at the lowest possible level, thus preventing a compromised daemon running as root from infecting and controlling the entire machine. Ensuring that a system does not reveal valuable information under stress or become unstable during a denial-of-service (DoS) attack is also an important goal. These tasks and goals are summarized by figure A.

Figure A. (OSSTMM v2.2 p.49, Section C Internet Technology Security, ISECOM)

[1] http://www.isecom.org/osstmm/
[2] http://www.oissg.org/issaf
[3] http://csrc.nist.gov/publications/nistpubs/800-42/nist-sp800-42.pdf

Tools

Tools for penetration testing include vulnerability scanners, packet sniffers, exploitation software, packet crafters, password crackers, and port scanners. For the purposes of this evaluation, however, only active open-source vulnerability scanners will be considered. This includes tools such as Nikto [4], Paros [5], WebScarab [6], Wikto [7], and SARA [8]; tools such as Nessus [9], Whisker [10], Spike [11], and WebInspect [12] will be excluded.

Evaluations were performed by setting up a scanner and a target: a virtual machine running 32-bit Ubuntu Gutsy (7.10) desktop edition with drupal, mysql-server-5.0, and apache2.2-common (outdated; 5.2-2ubuntu2.1, 5.0.45-1ubuntu3, and 2.2.4-3build1, respectively) from the Ubuntu repositories. All configuration was left at the default, except for timezone, Drupal module configuration, and user setup. Timezone and locale were set to GMT -7 with no DST. All Drupal modules were enabled without additional configuration. All users that needed to be created were named ubuntu. In addition, the default Apache test directory was removed and a blog post was made to Drupal so that the default welcome screen would not be shown. It is important to note, however, that the purpose of this evaluation is to highlight the features and capabilities of each vulnerability scanner, not to actually determine the security vulnerabilities present in Drupal, the MySQL database, and the Apache webserver. The Drupal installation is shown in figure B. In addition, false positives and false negatives were not checked for.

[4] http://www.cirt.net/code/nikto.shtml
[5] http://www.parosproxy.org/index.shtml
[6] http://www.owasp.org/index.php/category:owasp_webscarab_project
[7] http://www.sensepost.com/research/wikto/
[8] http://www-arc.com/sara/
[9] http://www.nessus.org/nessus/
[10] http://www.wiretrip.net/rfp/w.asp
[11] http://www.immunitysec.com/resources-freesoftware.shtml
[12] http://www.spidynamics.com/products/webinspect/

Figure B. Drupal installation on a remote virtual

Nikto
Interface: Console
Language: Perl
Last Update: November 2007

Nikto is a web server assessment tool designed to find software misconfigurations, insecure file permissions, and outdated software. It supports SSL, proxies, basic client authentication, and CGI scanning. Furthermore, Nikto also features IDS evasion techniques (using libwhisker), report generation, and file/folder name mutations, among others.

Verdict: Nikto was easy to download, install, and set up. Configuration was a breeze, and scanning was quick and painless, finishing in less than a minute. In addition to the speed, Nikto was also comprehensive, reporting a number of vulnerabilities not detected by other scanners (fig. C).

Figure C. Nikto scan on a Drupal webserver.

Paros
Interface: GUI
Language: Java
Last Update: August 2006

Paros is a vulnerability assessment proxy that supports editing both HTTP and HTTPS packets on the fly. It also supports recording web traffic, scanning for common vulnerabilities, and spidering a website. In addition, Paros has plugin support and report generation functionality. The web scanner searches for a number of different vulnerabilities such as HTTP PUT, directory browsing, obsolete/default files, SQL injection, Carriage Return/Line Feed (CRLF) injection, server side includes, parameter tampering, and cross-site scripting.

Verdict: Paros has great potential; however, the data it presents is a little overwhelming (fig. D). Furthermore, although feature-packed, the vulnerability scanner seems to be weaker than Nikto's and could be improved (figure E).

Figure D. Paros main view (web traffic recorder).

Figure E. Paros webspider (top) and alert/scanner (bottom) interfaces. Separate images were combined.

WebScarab
Interface: GUI
Language: Java
Last Update: May 2007

WebScarab is an HTTP and HTTPS application analysis framework. Although it has many of the same features as Paros, WebScarab does bring a number of previously unseen abilities to the table, such as SessionID analysis, fuzzing, bandwidth simulation, and the execution of user-inputted Java expressions.

Verdict: WebScarab's neat interface (fig. F) and superior features make it a must-have for web vulnerability scanning. The only downside is that it may take some time to master WebScarab.

Figure F. WebScarab's main interface.

Wikto
Interface: Console
Language: C#.NET
Last Update: October 2007

Wikto is a web server assessment tool based on Nikto, but with additional features. New features include a file/folder scanner, and Google SOAP API integration when combined with WinHTTrack [13] (a web server mirroring tool) and HTTprint [14] (a web server fingerprinting tool). Wikto can utilize the Google SOAP API to mirror a website from Google's cache and analyze it, instead of directly accessing the website and triggering an Intrusion Detection System (IDS). Wikto can also utilize a Google hacking database to search for inadvertently indexed files. Wikto also utilizes fuzzy logic and other scanning optimizations when performing a Nikto scan.

Verdict: Although seemingly a great tool, Wikto is essentially Nikto with a GUI, as many of the additional features do not work out of the box or at all. This includes the Google SOAP API integration, as Google no longer supports the API and has stopped giving out API keys as of December 5th, 2006. Additional software by SensePost (Aura [15]) does bypass this restriction. The Nikto database scanner (fig. G) is also much slower than Nikto itself, despite the optimizations and improvements. Wikto's numerous dependencies detract from its abilities, as additional software does need to be installed for full functionality. Furthermore, Wikto only supports Windows, as it makes use of the .NET runtime and does not work with Mono on Wine. Note that WinHTTrack, HTTprint, and Aura were not installed during testing.

[13] http://www.httrack.com/
[14] http://www.net-square.com/httprint/
[15] http://www.sensepost.com/research/aura/

Figure G. The Nikto webscanner view of Wikto.

SARA
Interface: Console/HTML
Language: Perl
Last Update: November 2007

SARA is a security analysis tool that can check for SQL injection vulnerabilities, initiate a remote self-scan, interface with nmap and SAMBA, process HTTPS, check for SSH server vulnerabilities, and differentiate results depending on whether it is running on a trusted or untrusted host. It also supports firewalled environments, integration with the National Vulnerability Database (NVD), 3rd party plugins, and running in daemon mode as a webserver (fig. H). It can also be run as a console tool.

Verdict: SARA's poor on-line and included documentation made it hard to compile and utilize; it often complained about modules and libraries that were not present and could not be identified. SARA's reports and results were hard to access, as they only showed up when running in daemon mode, although they were detailed and comprehensive. Furthermore, SARA hung when scanning in both daemon and console mode, with Wireshark logging no network usage. Although a great tool with a number of new and interesting features, SARA simply did not compile or run properly.

Figure H. SARA daemon/webserver

Summary of Findings/Recommendations

Many penetration testing tools provided the same basic functionality; however, the quality and thoroughness of each differed. Among the top tools were Nikto and WebScarab; not only were they quick and efficient, but they were also thorough and comprehensive. One tool, SARA, did not compile and run correctly, as poor documentation did not enable easy dependency installation. Most tools supported both Linux and Windows, although some only supported one or the other.

The Drupal project should utilize at least two penetration testing tools, specifically Nikto and WebScarab, to ensure quality and thoroughness. In addition, other software beyond the scope of this document, such as nmap [16], Nessus, Hping [17], and John the Ripper [18], should also be utilized to test overall system security. Furthermore, the Drupal project should also consider physical security issues such as whether an intruder can simply enter the server room and reconfigure Drupal, or whether plaintext database passwords are stored on the hard drive. These security evaluations should be performed according to the OSSTMM manual at least once every major release, and preferably whenever any core or at-risk component is severely modified. The Drupal project should also work together with the many Linux distributions to ensure that software repositories are up-to-date.

[16] http://www.insecure.org/
[17] http://www.hping.org/
[18] http://www.openwall.com/john/
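The OSSTMM task described under Practices (scan with at least two redundant tools and check the results for false positives and false negatives) and the recommendation above to run both Nikto and WebScarab raise a practical question this report does not address: how to reconcile two scanners' reports. The following is an added example, not part of the original report and not code from either tool; it assumes findings have already been exported into a simple (scanner, URL, category, detail) form, and the sample findings are constructed.

```python
"""Cross-check findings from two web vulnerability scanners.

Findings reported by both tools are treated as high-confidence; findings
reported by only one tool become a manual-verification worklist (either a
false positive in that tool or a false negative in the other).  The input
format is assumed, not the native output of Nikto or WebScarab.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample findings: (scanner, url, category, detail).
FINDINGS = [
    ("nikto", "http://target.example/drupal/CHANGELOG.txt", "info-disclosure", "version file readable"),
    ("nikto", "http://target.example/drupal/install.php", "default-file", "installer reachable"),
    ("nikto", "http://target.example/", "header", "X-Powered-By reveals PHP version"),
    ("webscarab", "http://target.example/drupal/install.php/", "default-file", "installer reachable"),
    ("webscarab", "http://target.example/drupal/node", "xss", "reflected parameter"),
    ("webscarab", "http://target.example/", "header", "X-Powered-By header present"),
]

def normalize(url):
    """Canonicalise host and path so the same resource reported with a
    trailing slash or different case by two tools still matches.  The query
    string is ignored, so parameter-level findings collapse onto their path."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    return (parts.netloc.lower(), path.lower())

def correlate(findings):
    """Map (host, path, category) -> set of scanners that reported it."""
    seen = defaultdict(set)
    for scanner, url, category, _detail in findings:
        seen[normalize(url) + (category,)].add(scanner)
    return seen

def worklist(findings, scanners=("nikto", "webscarab")):
    """Return (confirmed, single): keys reported by every scanner in
    `scanners`, and (key, scanner) pairs reported by exactly one tool."""
    seen = correlate(findings)
    confirmed = sorted(k for k, s in seen.items() if set(scanners) <= s)
    single = sorted((k, next(iter(s))) for k, s in seen.items() if len(s) == 1)
    return confirmed, single

if __name__ == "__main__":
    confirmed, single = worklist(FINDINGS)
    print("Reported by both scanners (high confidence):")
    for host, path, cat in confirmed:
        print(f"  {cat:16} {host}{path}")
    print("Reported by one scanner only (verify manually):")
    for (host, path, cat), scanner in single:
        print(f"  {cat:16} {host}{path}  [{scanner} only]")
```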