Penetration Testing
A penetration test is an authorized simulated cyber attack on a computer system, performed to evaluate the security of the system.
Penetration tests are a component of a full security audit. For example, the Payment Card Industry Data Security Standard requires penetration testing on a regular schedule, and after system changes.
White box - which provides background and system information
Black box - which provides only basic or no information except the company name
Tools
Steps to Penetration Testing
- Reconnaissance - Targets, IP, Domains, Services, Applications, systems, users
- Active=probing the system, Passive=not touching the system
- Scanning - Use of tools to discover more information
- Usally active=scanning ports to determin what services are running
- Gaining Access - Exploitation
- Script kitty uses a tool but does not understand what the tool does.
- Maintaining Access & Covering Tracks -
- Analsis -
The process typically identifies the target systems and a particular goal, then reviews available information and undertakes various means to attain that goal. A penetration test target may be a white box (which provides background and system information) or black box (which provides only basic or no information except the company name). A gray box penetration test is a combination of the two (where limited knowledge of the target is shared with the auditor). A penetration test can help determine whether a system is vulnerable to attack if the defenses were sufficient, and which defenses (if any) the test defeated.
The National Cyber Security Center, describes penetration testing as the following: "A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system's security, using the same tools and techniques as an adversary might."
The goals of a penetration test vary depending on the type of approved activity for any given engagement with the primary goal focused on finding vulnerabilities that could be exploited by a nefarious actor and informing the client of those vulnerabilities along with recommended mitigation strategies.
| Software | URL | Description | Windows Only |
|---|---|---|---|
| Nexpose | http://www.rapid7.com | Nexpose is a vulnerability scanner from the same company that brings you Metasploit. Available in both free and paid versions that differ in levels of support and features. | |
| Backtrack Linux | [1] | One of the most complete penetration testing Linux distributions available. Includes many of the more popular free pentesting tools but is based on Ubuntu so it's also easily expandable. Can be run on Live CD, USB key, VM or installed on a hard drive. | |
| SamuraiWTF (Web Testing Framework) | http://samurai.inguardians.com | A live Linux distribution built for the specific purpose of web application scanning. Includes tools such as Fierce, Maltego, WebScarab, BeEF any many more tools specific to web application testing. | |
| Cain | http://www.oxid.it/cain.html | Cain & Abel is a password recovery tool that runs on Windows. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. | * |
| Kismet Newcore | http://www.kismetwireless.net | Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet passively collects packets from both named and hidden networks with any wireless adapter that supports raw monitor mode. | |
| Rainbow Crack | http://project-rainbowcrack.com | Rainbow Crack is a password cracker that will run a pre-computed rainbow table against a given series of hashes. | |
| dnsenum | http://code.google.com/p/dnsenum | Think of dnsenum as a supercharged version of a whois query. It not only discovers all of the dns records but it goes a step further and attempts to use google to discover subdomains, discovers BIND versions and more. | |
| dnsmap | http://code.google.com/p/dnsmap | Dnsmap is a passive dns mapper that is used for subdomain bruteforce discovery. | |
| Fierce2 | http://trac.assembla.com/fierce/ | Fierce 2 is an updated version domain scan discovers non-contiguous IP ranges of a network. | |
| FindDomains | http://code.google.com/p/finddomains | FindDomains is a multithreaded search engine discovery tool that will be very useful for penetration testers dealing with discovering domain names/web sites/virtual hosts which are located on too many IP addresses. Provides a console interface so you can easily integrate this tool to your pentesting automation system. | * |
| HostMap | http://hostmap.lonerunners.net | hostmap is a free and automatic tool that enables the discovery of all hostnames and virtual hosts on a given IP address. | |
| URLcrazy | http://www.morningstarsecurity.com/research/urlcrazy | URLCrazy is a domainname typo generator. This will allow you to find squatted domains related to your target company and possibly generate some of your own. | |
| theHarvester | http://www.edge-security.com/theHarvester.php | theHarvester is a tool for gathering e-mail accounts, user names and hostnames/subdomains from different public sources like search engines and PGP key servers. | |
| The Metasploit Framework | http://metasploit.com | Metasploit is an ever-growing collection of remote exploits and post exploitation tools for all platforms. You will want to constantly run svn updates on this tool since new features and exploits are added nearly daily. Metasploit is both incredibly powerful and complex. For further guidance, check out this book http://nostarch.com/metasploit.htm . |
Intelligence Gathering
Intelligence Gathering is the phase where data or "intelligence" is gathered to assist in guiding the assessment actions. At the broadest level this intelligence gathering includes information about employees, facilities, products and plans. Within a larger picture this intelligence will include potentially secret or private "intelligence" of a competitor, or information that is otherwise relevant to the target.
OSINT
Open Source Intelligence (OSINT) in the simplest of terms is locating, and analyzing publically (open) available sources of information. The key component here is that this intelligence gathering process has a goal of producing current and relevant information that is valuable to either an attacker or competitor. For the most part, OSINT is more than simply performing web searches using various sources.
Corporate
Information on a particular target should include information regarding the legal entity. Most states within the US require Corporations, limited liability companies and limited partnerships to file with the State division. This division serves as custodian of the filings and maintains copies and/or certifications of the documents and filings. This information may contain information regarding shareholders, members, officers or other persons involved in the target entity.
Utah: https://commerce.utah.gov/
Tax records:
http://www.naco.org/Counties/Pages/CitySearch.aspx
Job openings
Searching current job openings or postings via either the corporate website or via a job search engine can provide valuable insight into the internal workings of a target. It is often common practice to include information regarding currently, or future, technology implementations.
| Site | URL |
| Monster | http://www.monster.com |
| CareerBuilder | http://www.careerbuilder.com |
| Computerjobs.com | http://www.computerjobs.com |
| Craigslist | http://www.craigslist.org/about/sites |
Social Networks
- Check Usernames - Useful for checking the existence of a given username across 160 Social Networks.
Individuals
Social Networking Profile
The numbers of active Social Networking websites as well as the number of users make this a prime location to identify employee's friendships, kinships, common interest, financial exchanges, likes/dislikes, sexual relationships, or beliefs.
External Footprinting
The External Footprinting phase of Intelligence Gathering involves collecting response results from a target based upon direct interaction from an external perspective. The goal is to gather as much information about the target as possible.
Identifying IP Ranges
For external footprinting, we first need to determine which one of the WHOIS servers contains the information we're after. Given that we should know the TLD for the target domain, we simply have to locate the Registrar that the target domain is registered with.
WHOIS information is based upon a tree hierarchy. ICANN (IANA) is the authoritative registry for all of the TLDs and is a great starting point for all manual WHOIS queries.
WHOIS lookup
- ICANN - http://www.icann.org
- IANA - http://www.iana.com
- NRO - http://www.nro.net
- AFRINIC - http://www.afrinic.net
- APNIC - http://www.apnic.net
- ARIN - http://ws.arin.net
- LACNIC - http://www.lacnic.net
- RIPE - http://www.ripe.net
Port Scanning
Nmap (Windows/Linux)
Nmap ("Network Mapper") is the de facto standard for network auditing/scanning. Nmap runs on both Linux and Windows. Nmap is available in both command line and GUI versions. For the sake of this document, we will only cover the command line.
Internal Footprinting
The Internal Footprinting phase of Intelligence Gathering involves gathering response results from a target based upon direct interaction from an internal perspective. The goal is to gather as much information about the target as possible.
Vulnerability Analysis
Vulnerability Analysis is used to identify and evaluate the security risks posed by identified vulnerabilities. Vulnerability analysis work is divided into two areas: Identification and validation. Vulnerability discovery effort is the key component of the Identification phase. Validation is reducing the number of identified vulnerabilities to only those that are actually valid.
Vulnerability Testing
Vulnerability Testing is divided to include both an Active and Passive method.
Active
Automated Tools
An automated scanner is designed to assess networks, hosts, and associated applications. There are a number of types of automated scanners available today, some focus on particular targets or types of targets. The core purpose of an automated scanner is the enumeration of vulnerabilities present on networks, hosts, and associated applications.
Network/General Vulnerability Scanners
Open Vulnerability Assessment System (OpenVAS) (Linux)
The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. OpenVAS is a fork of Nessus that allows free development of a non-proprietary tool.
Like the earlier versions of Nessus, OpenVAS consists of a Client and Scanner. To start the Scanner, simply run openvassd from the command line.
Metasploit Scanners
Metasploit Unleashed
The Metasploit Unleashed course has several tutorials on performing vulnerability scanning leveraging the Metasploit Framework.
Vulnerability Validation
Public Research
A product of the vast amount of security research is the discovery of vulnerabilities and associated Proof of Concept (PoC) and/or exploit code. The results from the vulnerability identification phase must be individually validated and where exploits are available, these must be validated. The only exception would be an exploit that results in a Denial of Service (DoS). This would need to be included in the scope to be considered for validation. There are numerous sites that offer such code for download that should be used as part of the Vulnerability Analysis phase.
- Exploit-db - http://www.exploit-db.com
- Security Focus - http://www.securityfocus.com
- Packetstorm - http://www.packetstorm.com
- Security Reason - http://www.securityreason.com
- Black Asylum - http://www.blackasylum.com/?p=160
Common/default passwords
Attempt to identify if a device, application, or operating system is vulnerable to a default credential attack is really as simple as trying to enter in known default passwords. Default passwords can be obtained from the following websites: