British Columbia Institute of Technology
Network Security 2 (FSCT 8560)
Term project: Penetration Testing Techniques from an Analyst's Perspective
Date: Dec 03, 2007
Name: Arif Zina
Table of Contents
Defining Penetration Testing
1.0 Introduction
1.1 Controlled testing from an organizational perspective
1.2 Intruder Profile
1.3 Definitions
The Process and Methodology
2.0 Planning and preparation
2.1 Information gathering and analysis
2.2 Vulnerability detection
2.3 Penetration attempt
2.4 Final Analysis and Clean-up
Limitations of Penetration Testing
Conclusion
References
Defining Penetration Testing
1.0 Introduction
The primary reason for testing the security of an operational system is to identify potential vulnerabilities and subsequently repair them. The number of reported vulnerabilities is growing daily; for example, the number of new information system vulnerabilities reported to the Bugtraq database has more than quintupled since the start of 1998, from an average of 20 to over 100 per month. The number of computers per person in many organizations continues to rise, increasing the demands on competent and experienced system administrators. Consequently, it is imperative that organizations routinely test systems for vulnerabilities and misconfigurations to reduce the likelihood of system compromise. Typically, attackers exploit the same vulnerabilities repeatedly, targeting weaknesses that organizations have not patched or corrected. Generally, a small number of flaws in software programs are responsible for the vast majority of successful Internet attacks. The SANS Security Alert lists these vulnerabilities and outlines recommendations and suggestions for overcoming these weaknesses. In this environment, security testing becomes critical to all organizations interested in protecting their networks.
Technically speaking, a penetration test is the controlled attempt at penetrating a computer system or network from “outside” in order to detect vulnerabilities. It employs the same or similar techniques to those used in a genuine attack. Appropriate measures can then be taken to eliminate the vulnerabilities before they can be exploited by unauthorized third parties.
1.1 Controlled testing from an organizational perspective
Penetration tests are a way to identify vulnerabilities that exist in a system or network that already has security measures in place. A penetration test usually involves the use of attacking methods, conducted by trusted individuals, that are similar to those used by hostile intruders or hackers. Depending on the type of test that is conducted, this may involve a simple scan of IP addresses to identify machines that are offering services with known vulnerabilities, or even exploiting known vulnerabilities that exist in an unpatched operating system. The results of these tests or attacks are then documented and presented as a report to the owner of the system, and the vulnerabilities identified can then be resolved. A penetration test does not last forever. Depending on the organization conducting the tests, the time frame to conduct each test varies. A penetration test is basically an attempt to breach the security of a network or system and is not a full security audit. This means that it is no more than a view of a system's security at a single moment in time; it is valid only so long as the known vulnerabilities, weaknesses or misconfigured systems do not change within the time frame in which the penetration test is conducted.
Penetration testing is often done for two reasons:
•To increase upper management awareness of security issues or to test intrusion detection and response capabilities.
•To assist higher management in decision-making processes.
The management of an organization might not want to address all the vulnerabilities that are found in a vulnerability assessment, but might want to address the system weaknesses that are found through a penetration test.
1.2 Intruder Profile
In the media, the term “hacker” is used to refer to any person who intrudes into other IT systems without authorization. However, a finer distinction is often made between hackers, crackers and script kiddies. Hackers are regarded as being experimentally-minded programmers who target security loopholes in IT systems for technical reasons. Crackers are people with criminal minds who exploit weak points of IT systems to gain illegal advantages, social attention or respect. Crackers possessing privileged knowledge about the organization they are attacking are termed “insiders”. Insiders are often frustrated (former) employees of an organization who use their knowledge of internal affairs to harm that organization. Script kiddies are usually intruders lacking in-depth background knowledge and driven by curiosity who mainly direct attack tools downloaded from the internet against arbitrary or prominent targets. In addition to the categories described above, industrial espionage also poses a serious threat. The aim of industrial espionage is to gain knowledge of business secrets such as innovative technical designs, strategies and ideas that help in gaining a competitive edge and to use such information for personal benefit.
1.3 Definitions
This document uses the terms system, network security testing, operational testing, and vulnerability extensively. For the purposes of this document, their definitions will be as follows:
•System: A system is made up of the following (see figure 1.1):
•Computer system (e.g., mainframe, minicomputer)
•Network system (e.g., local area network)
•Network domain
•Hosts
•Network nodes, routers, switches and firewalls
•Network and/or computer application on each computer system
Fig 1.1
•Network Security Testing: Activities that provide information about the integrity of an organization's networks and associated systems through testing and verification of network-related security controls on a regular basis. The testing activities can include any of the following types of tests: network mapping, vulnerability scanning, password cracking, penetration testing, file integrity checking, and virus scanning.
•Operational Security Testing: Network security testing conducted during the operational stage of a system's life, that is, while the system is operating in its operational environment.
•Vulnerability: A bug, misconfiguration or special set of circumstances that could be exploited. For the purposes of this document, a vulnerability could be exploited directly by an attacker, or indirectly through automated attacks such as Distributed Denial of Service (DDoS) attacks or by computer viruses.
The Process and Methodology
2.0 Planning and Preparation
In order to make the penetration test done on an organization a success, a great deal of planning and preparation needs to take place. Only designated individuals, including network administrators or individuals contracted to perform the network scanning as part of a larger series of tests, should conduct the tests described in this section. The approval for the tests may need to come from as high as the CIO, depending on the extent of the testing. It would be customary for the testing organization to alert other security officers, management, and users that network mapping is taking place. Since a number of these tests mimic some of the signs of an attack, the appropriate managers must be notified to avoid confusion and unnecessary expense.
A meeting between the organization and the testers should also include discussing the scope and the objective of the penetration test. There must be a clear objective for the penetration test to be conducted; an organization that performs a test for no clear reason should not be surprised if the outcome contains no clear result. In most cases the objective of a penetration test is to demonstrate that exploitable vulnerabilities exist within an organization's network infrastructure. The scoping of the penetration test is done by identifying the machines, systems and networks, the operational requirements and the staff involved.
Another area that needs to be discussed and planned is the actual time at which the tests will be conducted and their duration. This is vital, as it will ensure that the normal business and everyday operations of the organization are not disrupted while penetration tests are being conducted. Penetration tests may need to be run at particular times of day. There may be conflicts between the need to ensure that everything is tested and the need to avoid loading the network during periods of heavy and critical use. Penetration tests that involve the use of unusual network traffic may cause some systems on the network to crash.
Also, performing tests such as DoS against organizational systems during business hours could severely affect the availability of services to customers and business associates, which can be costly and is not necessary. One major decision to be made with the organization is whether the staff of that organization should be informed before a penetration test is carried out. Advising staff is often appropriate, but it can change their behavior in ways that will affect the outcome of the penetration test. On the other hand, choosing not to warn staff may result in them taking action that unnecessarily affects the organization's operation. For example, a security team might be expected to react to an attack by disconnecting from the external network, cutting all access to it. If the aim is to assess the response of the security team or other operational units, then clearly management must accept such a risk. Otherwise it may be appropriate to give specific instructions that no action is to be taken in response to the penetration test at the arranged time and for the arranged duration.
It is also important, and should be made clear to the organization, that any data collected or obtained during the penetration testing will be treated as confidential and will be returned or destroyed accordingly after the test. Also, prior to any penetration test engagement, legal documents protecting the penetration testers and their company must be signed. This is a very important step that must not be missed. Even if the penetration testers are staff conducting tests on their own systems and network, they should also obtain the relevant legal documents protecting them against any legal action. This serves as protection for penetration testers should anything go wrong during the tests. Accidents can happen, and no penetration tester would like to be sued as a result of doing their job.
2.1 Information Gathering and Analysis
After doing the necessary planning and preparation with the organization (or target), the next step is to gather as much information as possible about the targeted systems or networks. There is a wealth of tools and online resources available for the necessary information gathering. If the intended target has an online website, this is a good place to start. A very good online resource is available at http://www.netcraft.com. Their service examines a network connected to the Internet and reports back which hosts are visible. It also gives information such as the operating system a host is running, as well as the server's uptime. A search is conducted for the Canadian air traffic control services provider, www.navcanada.ca, and the following information is obtained: nameserver, FQDN, web server name, operating systems and IP addresses. See figure 2.1.1. Also, when the domain name is queried, it lists various web hosts in the organization and their O/S, and presents a site report. See figure 2.1.2.
Figure 2.1.1
Figure 2.1.2
A network survey should also be conducted on the network to determine the number of systems that are reachable, and to provide information such as domain names, server names, ISP information and IP addresses of the hosts, as well as a network map. This survey also assists in finding the domain registry information for the servers, and allows checking information such as which IP addresses are owned by the targeted organization. A very useful tool for conducting a network survey is Nmap. Nmap is a tool made for scanning large networks. Nmap can also be used to determine what operating systems are running on a network, what type of packet filters/firewalls are in use, and numerous other characteristics.
An example SYN scan of a class C network using the Nmap CLI:
The output for one of the hosts in the subnet is shown as follows:
The Nmap port scanner first identifies active hosts in the address range specified by the user, using Transmission Control Protocol/Internet Protocol (TCP/IP) Internet Control Message Protocol (ICMP) ECHO and ICMP ECHO_REPLY packets. Once active hosts have been identified, they are scanned for open TCP and User Datagram Protocol (UDP) ports. These ports identify the network services operating on that host. A number of scanners support different scanning methods with different strengths and weaknesses, which are usually explained in the scanner documentation. For example, certain scans are better suited for scanning through firewalls and others are better suited for scans that are internal to the firewall. All basic scanners will identify active hosts and open ports, but some scanners provide additional information on the scanned hosts. The information gathered during this open port scan will often identify the target operating system. This process is called operating system fingerprinting. For example, if a host has TCP ports 135 and 139 open, it is most likely a Windows NT or 2000 host. Other items, such as TCP packet sequence number generation and responses to ICMP packets (e.g., the TTL (Time To Live) field), also provide a clue to identifying the operating system. Operating system fingerprinting is not foolproof. Firewalls filter (block) certain ports and types of traffic, and system administrators can configure their systems to respond in nonstandard ways to camouflage the true operating system. In addition, some scanners will assist in identifying the application running on a particular port. For example, if a scanner identifies that TCP port 80 is open on a host, it often means that the host is running a web server. However, identifying which web server product is installed can be critical for identifying vulnerabilities. For example, the vulnerabilities for Microsoft's IIS server are very different from those associated with the Apache web server.
The application can be identified by “listening” on the remote port to capture the “banner” information transmitted by the remote host when a client (web browser) connects. This information is generally not visible to the end-user (for web servers/browsers); however, when it is transmitted, it can provide a wealth of information, including the application type, application version and even operating system type and version.
Organizations should conduct network scanning to:
•Check for unauthorized hosts connected to the organization's network,
•Identify vulnerable services,
•Identify deviations from the allowed services defined in the organization's security policy,
•Prepare for penetration testing,
•Assist in the configuration of the intrusion detection system (IDS), and
•Collect forensics evidence.
Scanning can also disrupt network operations by consuming bandwidth and slowing network response times. However, network scanning does enable an organization to maintain control of its IP address space and ensure that its hosts are configured to run only approved network services. To minimize disruptions to operations, scanning software should be carefully selected. Network scanning can also be conducted after hours to ensure minimal impact to operations. Network scanning results should be documented and identified deficiencies corrected. The following corrective actions may be necessary as a result of network scanning:
•Investigate and disconnect unauthorized hosts,
•Disable or remove unnecessary and vulnerable services,
•Modify vulnerable hosts to restrict access to vulnerable services to a limited number of required hosts (e.g., host level firewall or TCP wrappers), and
•Modify enterprise firewalls to restrict outside access to known vulnerable services.
Below is a list of other common tools that can be used to perform scanning:
•Telnet (can report information about an application or service, i.e., version, platform)
•Nmap (powerful tool available for Unix that finds ports and services available via IP)
•Hping2 (powerful Unix-based tool used to gain important information about a network)
•Netcat (others have quoted this application as the “Swiss Army knife” of network utilities)
•Ping (available on most every platform and operating system to test for IP connectivity)
•Traceroute (maps out the hops of the network to the target device or system)
•Queso (can be used for operating system fingerprinting)
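As an added illustration (not part of the original paper), the script below performs the documentation step described above from the defender's side: it reads a scan result and reports unauthorized hosts and services that deviate from the allowed-services policy. The sample follows the layout of Nmap's -oX XML output, but the 192.0.2.0/24 hosts, the inventory and the allowed ports are constructed for the example.

```python
"""Check Nmap scan results against an asset inventory and a service policy.

Constructed example (not from the paper). SAMPLE_NMAP_XML mimics the layout of
`nmap -oX` output; the 192.0.2.0/24 hosts, the inventory and the allowed ports
are hypothetical.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of nmap -oX output: three hosts, one of
# them down, one web server with an unexpected telnet service, and one host
# that is not in the inventory at all.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX - 192.0.2.0/24">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.77" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.0.2.99" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Hypothetical inventory: the hosts the organization knows about and the TCP
# ports its security policy allows each of them to expose.
INVENTORY = {
    "192.0.2.10": {"role": "web server", "allowed_tcp": {22, 80, 443}},
    "192.0.2.99": {"role": "backup server", "allowed_tcp": {22}},
}


def parse_nmap_xml(xml_text):
    """Return {ip: {"up": bool, "open_tcp": {port: service}}} from nmap XML."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        status = host.find("status")
        if addr is None or status is None:
            continue
        open_tcp = {}
        for port in host.findall("ports/port[@protocol='tcp']"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports identify a reachable service
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            open_tcp[int(port.get("portid"))] = name
        hosts[addr.get("addr")] = {"up": status.get("state") == "up", "open_tcp": open_tcp}
    return hosts


def find_deviations(scan, inventory):
    """List (ip, finding, detail) for hosts or services the policy does not allow."""
    findings = []
    for ip, info in sorted(scan.items()):
        if not info["up"]:
            continue  # nothing to check for a host that did not answer
        if ip not in inventory:
            findings.append((ip, "unauthorized host", sorted(info["open_tcp"])))
            continue
        for port in sorted(set(info["open_tcp"]) - inventory[ip]["allowed_tcp"]):
            findings.append((ip, "service not in policy", f"{port}/tcp {info['open_tcp'][port]}"))
    return findings


if __name__ == "__main__":
    for ip, finding, detail in find_deviations(parse_nmap_xml(SAMPLE_NMAP_XML), INVENTORY):
        print(f"{ip:<12} {finding:<22} {detail}")
```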
2.2 Vulnerability Detection
After having gathered the relevant information about the targeted system, the next step is to determine the vulnerabilities that exist in each system. Vulnerability testing is the act of determining which security holes and vulnerabilities may be applicable to the target network or host. The penetration tester or attacker will attempt to identify, for each machine within the target network, all open ports, the operating system together with its patch level and applied service pack, and the running applications. Penetration testers should have a collection of exploits and vulnerabilities at their disposal for this purpose. The knowledge of the penetration tester is put to the test at this point. An analysis is done on the information obtained to determine any possible vulnerability that might exist. This is called manual vulnerability scanning, as the detection of vulnerabilities is done manually. Several vulnerability databases are available to anyone on the Internet. Refer to the list below for a sample listing.
ISS X-Force: http://www.iss.net/security_center/
Security Focus Database: http://online.securityfocus.com/archive/1
InfoSysSec Database: http://www.infosyssec.com/
Exploit World: http://www.insecure.com/sploits.html
There are tools available that can automate vulnerability detection. One such tool is Nessus (http://www.nessus.org). Nessus is a security scanner that remotely audits a given network and determines whether vulnerabilities exist in it. It produces a list of vulnerabilities that exist in a network as well as steps that should be taken to address these vulnerabilities. Below is a screenshot of the Nessus interface showing the scanning of the host ports and the results of the vulnerability test.
Vulnerability scanners attempt to identify vulnerabilities in the hosts scanned. Vulnerability scanners can also help identify out-of-date software versions, applicable patches or system upgrades, and validate compliance with, or deviations from, the organization's security policy. To accomplish this, vulnerability scanners identify operating systems and major software applications running on hosts and match them with known exposures. Scanners employ large databases of vulnerabilities to identify flaws associated with commonly used operating systems and applications. In addition, vulnerability scanners can automatically make corrections and fix certain discovered vulnerabilities. This assumes that the operator of the vulnerability scanner has “root” or administrator access to the vulnerable host.
Before running any scanner, penetration testers should install the latest updates to its vulnerability database. Some vulnerability scanner databases are updated more regularly than others. Vulnerability scanners can be of two types:
Network-based scanners: Network-based scanners are used for mapping an organization's network and identifying open ports and related vulnerabilities. The scanners can be installed on a single system on the network and can quickly locate and test numerous hosts.
Host-based scanners: Host-based scanners have to be installed on each host to be tested and are used primarily to identify specific host operating system and application misconfigurations and vulnerabilities. Host-based scanners are able to detect vulnerabilities at a higher degree of detail than network-based scanners, but they usually require not only host (local) access but also a “root” or administrative account. Some host-based scanners offer the capability of repairing misconfigurations.
Vulnerability scanners provide the following capabilities:
•Identifying active hosts on the network
•Identifying active and vulnerable services (ports) on hosts
•Identifying applications and banner grabbing
•Identifying operating systems
•Identifying vulnerabilities associated with discovered operating systems and applications
•Identifying misconfigured settings
•Testing compliance with host application usage/security policies
•Establishing a foundation for penetration testing
Vulnerability scanning results should be documented and discovered deficiencies corrected. The following corrective actions may be necessary as a result of vulnerability scanning:
•Upgrade or patch vulnerable systems to mitigate identified vulnerabilities as appropriate.
•Deploy mitigating measures (technical or procedural) if the system cannot be immediately patched (e.g., an operating system upgrade would make the application running on top of the operating system inoperable), in order to minimize the probability of the system being compromised.
•Improve the configuration management program and procedures to ensure that systems are upgraded routinely.
•Assign a staff member to monitor vulnerability alerts and mailing lists, examine their applicability to the organization's environment and initiate appropriate system changes.
•Modify the organization's security policies, architecture, or other documentation to ensure that security practices include timely system updates and upgrades.
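An added example, not from the paper and not Nessus code: the core matching step of a vulnerability scanner as described above, taking the product and version from a captured service banner and comparing it against a database of known exposures. The banners and the ADV-EXAMPLE-* advisory records are constructed placeholders; the version comparison shows why "2.2.3" must be compared numerically rather than as a string.

```python
"""Match service banners against a vulnerability database by product and version.

Constructed example (not from the paper, and not Nessus): the banners below are
made up, the ADV-EXAMPLE-* records are placeholders and not real advisories, and
the patterns cover only the three products needed for the demonstration.
"""
import re

# Constructed advisory records: a product is affected from `affected_from`
# (inclusive) up to `fixed_in` (exclusive). Placeholder identifiers only.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "product": "Apache httpd", "affected_from": "2.2.0", "fixed_in": "2.2.12"},
    {"id": "ADV-EXAMPLE-002", "product": "Apache httpd", "affected_from": "2.0.0", "fixed_in": "2.0.64"},
    {"id": "ADV-EXAMPLE-003", "product": "OpenSSH", "affected_from": "3.0", "fixed_in": "4.4"},
    {"id": "ADV-EXAMPLE-004", "product": "Microsoft IIS", "affected_from": "5.0", "fixed_in": "5.1"},
]

# Banner patterns for the HTTP Server header and the SSH identification string.
BANNER_PATTERNS = [
    (re.compile(r"^Server:\s*Apache/(\d+(?:\.\d+)*)"), "Apache httpd"),
    (re.compile(r"^Server:\s*Microsoft-IIS/(\d+(?:\.\d+)*)"), "Microsoft IIS"),
    (re.compile(r"^SSH-[\d.]+-OpenSSH_(\d+(?:\.\d+)*)"), "OpenSSH"),
]

# Constructed banners as a scanner would capture them on connect.
SAMPLE_BANNERS = [
    ("192.0.2.10", 80, "Server: Apache/2.2.3 (Unix)"),
    ("192.0.2.10", 22, "SSH-2.0-OpenSSH_4.3p2 Debian-9"),
    ("192.0.2.20", 80, "Server: Microsoft-IIS/6.0"),
    ("192.0.2.20", 22, "SSH-2.0-OpenSSH_5.1"),
    ("192.0.2.30", 80, "Server: nginx"),
]


def parse_version(text):
    """'2.2.3' -> (2, 2, 3). Components compare numerically, so 2.2.3 < 2.2.12."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def version_in_range(version, low, high):
    """True if low <= version < high, padding shorter tuples with zeros (6 == 6.0)."""
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    width = max(len(v), len(lo), len(hi))

    def pad(t):
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) < pad(hi)


def fingerprint(banner):
    """Return (product, version) for a recognized banner, else None."""
    for pattern, product in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return product, match.group(1)
    return None


def match_advisories(product, version):
    """IDs of advisories whose affected range covers this product version."""
    return [a["id"] for a in ADVISORIES
            if a["product"] == product
            and version_in_range(version, a["affected_from"], a["fixed_in"])]


def assess(banners):
    """(ip, port, fingerprint-or-None, [advisory ids]) for each captured banner.

    A banner is whatever the host chose to send; administrators can alter it,
    so each match is a lead to verify in the penetration attempt, not proof.
    """
    results = []
    for ip, port, banner in banners:
        fp = fingerprint(banner)
        if fp is None:
            results.append((ip, port, None, []))
            continue
        product, version = fp
        results.append((ip, port, f"{product} {version}", match_advisories(product, version)))
    return results


if __name__ == "__main__":
    for ip, port, fp, ids in assess(SAMPLE_BANNERS):
        print(f"{ip}:{port:<5} {fp or 'unrecognized banner':<22} {', '.join(ids) or '-'}")
```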
The completion of the vulnerability detection stage will produce a definite list of targets to investigate in depth. This list of targets will be used in the next stage, where penetration will be attempted against the targets whose vulnerabilities have been identified.
2.3 Penetration Attempt
After determining the vulnerabilities that exist in the systems, the next stage is to identify suitable targets for a penetration attempt. The time and effort that needs to be put in for the systems that have vulnerabilities must be estimated accordingly. Estimates of how long a penetration test takes on a particular system are important at this point. The target chosen for the penetration attempt is also important. Consider, for instance, a penetration test conducted on a corporate network where it is determined that the network consists of more than 200 machines. After gathering sufficient information and vulnerabilities about the network, it is found that there are only 5 servers on the network and the rest are just normal PCs used by the organization's staff. In this case, the 5 servers would be likelier targets than the PCs, and therefore more effort should be directed towards the servers. After choosing the suitable targets, the penetration attempt will be performed on these chosen targets. The client's targets for penetration testing are usually particularly business-critical systems, so special care is called for in carrying out intrusion attempts. The contingency measures mentioned in the preparation phase are absolutely essential in this stage. They demand, for example, that intrusion attempts (on business-critical systems) be made outside working hours (i.e. at night or on weekends) and that the responsible system administrators be present.
Scenario:
In the reconnaissance phase, a specific server operating system with a web server application was identified on a system that is used for online transactions and which accesses the company's internal ERP system. The vulnerability search revealed a buffer overflow vulnerability for the underlying database in the ERP system. However, the firewall prevents direct access to the database. The tester now faces the challenge of finding out whether an online transaction that penetrates the firewall to exploit the vulnerability in the database system can be triggered by manipulating an HTTP link.
Knowing that a vulnerability exists on a target does not always imply that it can be exploited easily. Therefore it is not always possible to successfully penetrate, even though it is theoretically possible. In any case, exploits that exist should be tested on the target first, before conducting any other penetration attempt. Password cracking has also become a normal practice in penetration tests. In most cases, you will find services such as telnet and ftp running on systems. This is a good place to start and apply password cracking methods to penetrate these systems. Below are some of the methods that can be employed in cracking passwords:
•Dictionary Attack: uses a word list or dictionary file.
•Hybrid Crack: tests for passwords that are variations of the words in a dictionary file, e.g., p@55word.
•Brute Force: tests for passwords made up of characters by going through all the possible combinations.
L0phtCrack is one of the popular password crackers for Windows NT and 2000. For obtaining hashes, L0phtCrack contains features that can be enabled to capture passwords as they traverse the network, copy them out of the Windows registry and retrieve them from Windows emergency repair disks. When hashes are obtained, L0phtCrack first performs a dictionary attack. The dictionary used by L0phtCrack is selected by the user, or the included dictionary may be used (although more comprehensive dictionaries are available on the Internet). L0phtCrack hashes each word in the list and compares that hash to the hashes to be cracked. If the compared hashes match, L0phtCrack has found the password. After L0phtCrack completes the dictionary attack, it iterates through the word list again using a hybrid attack. Finally, L0phtCrack resorts to a brute force attack to crack any remaining hashes, trying every possible combination of characters in a set. The set of characters used by L0phtCrack in a brute force attack can be controlled by the user.
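An added example, not from the paper and not L0phtCrack code: a password policy filter that applies the three stages just described from the defender's side, rejecting a candidate that a dictionary pass, a hybrid pass (such as p@55word) or a short brute-force run would recover. The word list, the substitution table and the thresholds are constructed samples; a real filter would load a large word list.

```python
"""Password policy filter modelled on the three cracking stages described above.

Constructed example (not from the paper, and not L0phtCrack): WORDLIST is a
tiny constructed sample, LEET is a common substitution table, and the
thresholds are illustrative. A real filter would load a large word list.
"""
import math
import re

WORDLIST = {"password", "welcome", "letmein", "summer", "dragon", "monkey"}

# Substitutions a hybrid rule applies to dictionary words (p@55word -> password).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})

# Character-class sizes for the brute-force keyspace estimate.
CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33)]


def hybrid_base_forms(candidate):
    """Dictionary words from which hybrid rules could have produced `candidate`.

    Undoes the common mutations: case change, leet substitution, digits or
    symbols appended or prepended, and reversal.
    """
    lowered = candidate.lower()
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lowered)
    forms = {lowered, stripped, lowered[::-1], stripped[::-1]}
    forms |= {f.translate(LEET) for f in list(forms)}
    return forms


def brute_force_bits(candidate):
    """log2 of the keyspace a brute-force run over the used character classes must cover."""
    size = sum(n for pattern, n in CLASSES if re.search(pattern, candidate))
    return len(candidate) * math.log2(size) if size else 0.0


def check_password(candidate, wordlist=WORDLIST, min_length=10, min_bits=60):
    """Return (accepted, reason), applying the dictionary/hybrid and brute-force views in turn."""
    for form in hybrid_base_forms(candidate):
        if form in wordlist:
            return False, f"dictionary/hybrid variant of '{form}'"
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    bits = brute_force_bits(candidate)
    if bits < min_bits:
        return False, f"brute-force keyspace only {bits:.0f} bits"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["password", "p@55word", "Welcome123!", "drowssap", "1234567890", "Rr7#kq2!vZp9"]:
        print(f"{pw:<14} {check_password(pw)}")
```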
Penetration testing also involves testing through social engineering and an organization's physical security. Social engineering is an art used by hackers that capitalizes on the weakness of the human element of the organization's defense.
2.4 Final Analysis and Cleanup
The final report should comprise a management summary describing the test engagement, key test results, and recommended action on an abstract level and is designed for top management.
The main section of the final report should contain the detailed positive and negative test findings, as agreed. For the vulnerabilities, the results are evaluated and prioritized, and the tester describes the ensuing risks so that the client knows which risks are relevant to its business operations. The report should also contain:
•Recommendations on how the client can eliminate the vulnerabilities existing at the time of the penetration test.
•An action plan for eliminating vulnerabilities, based on the priorities assigned to the results and drawn up together with the client.
•Information that allows the client to trace the test results clearly; all information gathered in the various phases must be included.
•Detailed information on the tools used, work steps (which tool was used with which options), log files, work times (when attacks were carried out), etc.
The action plan should contain a schedule for each critical vulnerability and name a person and/or area that is responsible for its elimination. Sensitive personal data obtained during penetration testing, such as passwords or private emails, should not be included in the final report for data protection reasons, and should be handed over to a designated person, e.g. the data protection officer. The tester has to remove any software, such as key loggers, that may have been installed in the client's IT system in the course of the penetration test, undo any other modifications made to the client's IT systems, and restore the system to the state in which the tester found it prior to testing. Also, the tester has to ensure that all temporary user accounts created on the systems are removed.
Limitations of Penetration Testing
As the techniques used by potential attackers rapidly become more sophisticated and new weak points in current applications and IT systems are reported almost daily, one single penetration test cannot yield an assertion about the level of security of the tested systems that will remain valid in the future. It is possible that a new security hole, not discovered during the test, could result in a successful attack, even shortly after a penetration test has been completed. Because of the rapid pace of developments in IT, the effect of a penetration test is therefore relatively short-lived. The more protection the systems require, the more often penetration testing should be done in order to reduce the probability of a successful attack to a level that is acceptable for the company.
This, however, in no way means that penetration tests are useless. Thorough penetration testing is no guarantee that a successful attack will not occur, but it does substantially reduce the probability of a successful attack.
Conclusion
It is important to make a distinction between penetration testing and network security assessments. A network security or vulnerability assessment may be useful to a degree, but it does not always reflect the extent to which hackers will go to exploit a vulnerability. Penetration tests attempt to emulate a 'real world' attack to a certain degree. The penetration testers will generally compromise a system with vulnerabilities that they successfully exploited. If the penetration tester finds 5 holes in a system to get in, this does not mean that hackers or external intruders will not be able to find 6 holes. Hackers and intruders need to find only one hole to exploit, whereas penetration testers need to find all, or as many as possible, of the holes that exist. This is a daunting task, as penetration tests are normally done within a certain time frame. Finally, a penetration test alone provides no improvement in the security of a computer or network. Action must be taken to address the vulnerabilities found as a result of conducting the penetration test.
References
Online Resources:
Insecure. Fyodor's Exploit World: Exploits for many Operating Systems including Linux, Solaris, Microsoft, Macintosh. For Hackers, Hacking, Computer Security Auditing & Testing. URL: http://www.insecure.org/sploits.html
SecurityFocus. URL: http://www.securityfocus.com
Wallyware, Inc. Hacker Whacker: See your computer the way hackers do. URL: http://hackerwhacker.com/
The Penetration Testing Group. An Introduction to Penetration Testing. URL: http://www.penetration-testing-group.co.uk/index.htm
Hideaway.net. Strategic Scanning and Assessment of Remote Hosts. URL: http://www.hideaway.net/Server_Security/Library/General/gentxts/ssarh.htm
URL: http://www.l0t3k.org/security/docs/forensic/
Documents and reports:
System Administration, Networking, and Security (SANS) Institute, SANS Security Alert, May 2000.
SANS Institute, SANS Snap: Computer and Hacker Exploits – Step by Step.
SANS Institute, SANS Snap: Intrusion Detection – The Big Picture.
MIS Training Institute, Staying Ahead of the Hackers: Network Vulnerability Testing.
Stevens, W. Richard, TCP/IP Illustrated, Volume 1: The Protocols, 1994.