Penetration Testing University of Sunderland CSEM02 Harry R Erwin, PhD
Resources Qinetiq Information Security Foundation Course (2002) Tittle, Stewart, and Chapple, 2004, CISSP: Certified Information Systems Security Professional Study Guide, 2 nd edition, Sybex Whittaker and Thompson, 2004, How to Break Software Security, Pearson
Definition An activity used to test the strength and effectiveness of deployed security measures with an authorized attempted intrusion attack. Penetration testing should be performed only with the consent and knowledge of the management staff. (Tittle et al., 2004)
General Comments Usually done to give management a warm and fuzzy feeling about the security of their system. Expensive Does not substitute for good security testing or for good security design. This discussion will be of how it is done.
General Approach The members of the team first scope the penetration test. This includes: Consultation with the customer about the specific type of testing to be performed. On-site Remote Application Telecommunications Hybrid Number of hosts to be tested Timescale
Penetration Testing Services Begins with a tailored security health check (SHC), comprised of part or all of: Network security health check Onsite Remote Application security health check Telecommunications security health check Should be flexible and appropriate
Network SHC Location can be remote or onsite Starts with public records RIPE/DNS/Google (you ve seen this demonstrated) Network assessment Architecture Gateways (RIP/OSPF) Firewalls (ACL/rules) Protocols IP range Anomalies
Network Testing If onsite, you will need to conduct on-host audits Windows Unix Infrastructure management should also be assessed Remote/terminal/back-end management Should include a comprehensive configuration review and recommendations
Network Testing Host assessment Identify the live hosts. Apply operating system fingerprinting to identify potential vulnerabilities. Determine the trust relationships. Service assessment Services offered. Anomalies and vulnerabilities.
Network Testing Vulnerability assessment Automated tools? Manual determination Risk assessment of data flow
Application Testing What applications are running? By server type Stovepipe or specialized systems Protocols Session and authentication handling Default scripts and generic vulnerabilities
Authentication Analysis Session handling Session identifier how predictable and identifiable, can it be brute forced, can it be replicated? Session timeout Comparison to best practices Correctly implemented? Predictable secret values? Is brute force blocked? Password complexity adequate?
Transactional Security Can transactions be identified in the data stream? How much information can be derived from them? What happens when Transactions are replicated Transactions are injected Transactions are deleted
Source Code Review Logical analysis Control flow Functionality Information leakage Error messages Input validation Bad input Bypass Drilling through Expensive in time and money. Pay me now, or pay me later. It costs more later.
Telecomms Testing War-dialing and modem detection Identified modems need to be inventoried PABX audit looks for: Toll fraud Call redirection Remote reconfiguration Trunk line configuration
Penetration Test Process Scope/preparation Briefing Physical test Knowledge transfer and education Diagnosis Debriefing Report
Scope/Preparation Scope and scale the test Establish deadlines and schedules Sign contract Conduct test planning Risk and perceived threat Technology Identify and deploy necessary skills
Initial Briefing Meet technical staff Collect contact information Describe the test Identify areas of concern Maintain contact Track major user issues Be open
Physical Test Evaluate the network IP range Subnets Automated tests (nessus/nmap) Hands-on tests Prior experience of testers Trust analysis Exploits
Debriefing Evaluated automated results Assess anomalies Ensure full scope of testing has been completed Make sure the nature of any successful penetration is clear to the customer
Closure Make sure all experts/managers are involved. Discuss all results Identify who receives reports Provide contact details Prepare report When due, what, and follow-up.
Conducting the Test Identify target and goal Gather information Identify potential routes into network Test potential routes Capture target
Identify Target and Goal Targets What is to be attacked? Goals Compromise Privacy-sensitive data Defacement Denial of service Fraud
Information Gathering Resources include: RIPE (Europe) ARIN (US) DNS IRC (technical chat rooms) Phone books Public business records Trash cans Google (which you ve seen)
Potential Routes Social engineering Open sources Newsgroups and papers published Use this to plan the penetration Play the role Create trust
Telecomms War-dialing to identify modems Voice mail
Mapping Identify servers and subnets Evaluate firewalls and routers Each route in needs to be assessed Firewalls Protection Access Speed Special circumstances
Capture Target Develop detailed capture scenario Take into account vulnerabilities and special circumstances Implement Usually, you will demonstrate the initial access point vulnerability, give the administrators time to fix it, and continue from the access point to the target.
What Allows This to Succeed? Public data Uneducated staff Misconfigured servers Misconfigured boundary protection Lack of IDS Patches not implemented
Countermeasures Have your security reviewed Educate users and staff Implement authentication, access control, and audit Use an IDS Code reviews Keep private data private