
Penetration Testing Steps



Presentation Transcript


  1. Penetration Testing Steps BAI514 – Security I

  2. Penetration Testing Overview • Penetration testing is a security testing methodology that gives an insight into the target’s security posture and the strength of the target’s network security

  3. Penetration Testing Overview • Security snapshot includes • Level I – High-level assessment • Top-down look at the organization • Policies • Procedures • Standards • Guidelines • Not hands on • System security not actually tested

  4. Penetration Testing Overview • Security snapshot includes (cont.) • Level II – Network evaluation • Some Level I activities • More hands on • More information gathering

  5. Penetration Testing Overview • Security snapshot includes (cont.) • Level III – Penetration test • Not usually concerned with policies • Takes the adversarial view of a hacker • See what can be accomplished and with what difficulty

  6. Penetration Testing Overview • Reason to conduct a penetration test of an organization is the same as the reason to have a security policy • To leverage due diligence and due care data protection for the preservation of the organization’s capital investment

  7. Penetration Testing Overview • Factors that make penetration testing a necessity • Technology has focused on the ease of use at the operational end • Skill level required to execute a hacker exploit has steadily decreased • Size and complexity of network and web-based applications has increased • Detrimental impact of a security breach on corporate assets and goodwill is greater than ever

  8. Penetration Testing Overview • Penetration testing is usually carried out in a black-box mode • Penetration testing involves three phases • Preparation phase • Formal contract is executed containing nondisclosure of the client’s data and legal protection for the tester • Scope, timing, depth, etc. • Execution phase • Testing is executed • All vulnerabilities are recorded • Delivery phase • Results are communicated to the organization • Corrective action is advised

  9. Legal and Ethical Implications • Attacking a network from the outside carries ethical and legal risk to the tester, and remedies and protections must be spelled out in detail before the test is begun • US Cyber Security Enhancement Act 2002 provides for life sentences for hackers who “recklessly” endanger the lives of others • US Statute 1030, Fraud and Related Activity in Connection with Computers, states that whoever intentionally accesses a protected computer without authorization and, as a result of such conduct, recklessly causes damage or impairs medical treatment can receive a fine or imprisonment of five to 20 years

  10. Legal and Ethical Implications • Penetration testers MUST receive specific written permission to conduct the test from the most senior executive possible • Testers should be specifically indemnified against prosecution for the work of testing

  11. The Three Pretest Phases • The three pretest phases • Footprinting • Scanning • Enumerating

  12. The Three Pretest Phases • Reconnaissance follows seven steps • Gather initial information • Determine the network range • Identify active machines • Discover open ports and access points • Fingerprint the operating system(s) • Uncover services on ports • Map the network

  13. Penetration Testing Tools and Techniques • Gather as much information as possible from public sources • Whois • Nslookup • ARIN • Traceroute (tracert) • Google

  14. Penetration Testing Tools and Techniques • Port Scanners • Port scanning is one of the most common reconnaissance techniques used by penetration testers to discover vulnerabilities in services listening to well-known ports • Nmap • SuperScan • SATAN • SARA • Etc…

  15. Penetration Testing Tools and Techniques • Vulnerability Scanners • Nessus is a popular open-source network scanner that can run numerous scans • Windows GUI available • Linux based • Microsoft Baseline Security Analyzer • Free Windows vulnerability scanner • Retina Network Security Scanner • Popular commercial vulnerability scanner • Runs on Windows

  16. Penetration Testing Tools and Techniques • Password Crackers • Three basic types of password-cracking tests • Dictionary • Hybrid • Brute force • Common tools • Brutus • WebCracker • ObiWan • Ophcrack • John the Ripper

  17. Penetration Testing Tools and Techniques • Trojan Horses • Program that performs unknown and unwanted functions • An unauthorized program contained within a legitimate program • A legitimate program that has been altered by the placement of unauthorized code within it • Any program that appears to perform a desirable and necessary function but does something unintended

  18. Penetration Testing Tools and Techniques • Trojan Horses (cont.) • Transmitted in several ways • Email attachments • Freeware • Physical installation • IRC chat • Infected websites • Cracked/Pirated software • Unlike worms, trojans don’t self-replicate

  19. Penetration Testing Tools and Techniques • Trojan Horses (cont.) • Types of Trojans • Remote Access Trojan • Keylogger or password-sending Trojans • Software detection killers • Purely evil (destructive)

  20. Penetration Testing Tools and Techniques • Buffer Overflows • Occurs when a program allocates a specific block length of memory for something but then attempts to store more data than the block was intended to hold • Can overwrite memory areas and interfere with execution of programs • Can allow an intruder to load a remote shell or execute a command • The attacker must create a specific data feed to induce the error

  21. Penetration Testing Tools and Techniques • Buffer Overflows (cont.) • For a buffer overflow to work, the target system must fail to test the data or stack segment • Once the stack is smashed, the attacker can deploy their payload and take control of the target system

  22. Penetration Testing Tools and Techniques • Buffer Overflows (cont.) • Three ways to test for a buffer overflow vulnerability • Look for strings declared as local variables in functions or methods • Verify boundary checks are in the source code • Check for improper use of input/output or string functions • Feed the application large amounts of data and check for abnormal behavior
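As an added example (not from the slides), a small Python scanner that applies the source-level checks listed above to a constructed C fragment: it flags fixed-size character arrays declared as local variables with no nearby boundary check, calls to string functions that take no length argument, and a format string taken from a variable. The C fragment, the look-ahead window and the regular expressions are assumptions for illustration, not a complete static analyser.

```python
import re

# Constructed C fragment (not from the slides) containing the patterns slide 22 says to look for.
SAMPLE_C = """\
#include <string.h>
void greet(const char *name) {
    char buf[64];               /* fixed-size string as a local variable */
    strcpy(buf, name);          /* no boundary check on the copy */
    printf(buf);                /* format string taken from input */
}
void safe(const char *name) {
    char buf[64];
    if (strlen(name) >= sizeof buf) return;   /* boundary check present */
    strncpy(buf, name, sizeof buf - 1);
    buf[sizeof buf - 1] = '\\0';
}
"""

# String/IO functions with no length argument, flagged wherever they are called.
UNBOUNDED = re.compile(r"\b(gets|strcpy|strcat|sprintf|vsprintf|scanf)\s*\(")
# A fixed-size char array declared as a local variable.
LOCAL_CHAR_ARRAY = re.compile(r"^\s*char\s+\w+\s*\[\s*\d+\s*\]\s*;")
# Evidence of a boundary check near the declaration (assumed heuristic).
BOUNDS_CHECK = re.compile(r"\b(sizeof|strlen|strnlen)\b")
# printf called with a bare variable as its format string.
FMT_FROM_VAR = re.compile(r"\bprintf\s*\(\s*(\w+)\s*\)")

def scan(source):
    """Return (line_no, reason) findings for the checks on the slide."""
    findings = []
    lines = source.splitlines()
    for n, line in enumerate(lines, 1):
        if LOCAL_CHAR_ARRAY.match(line):
            # Look at the next three lines for any boundary check before the buffer is used.
            window = lines[n:n + 3]
            if not any(BOUNDS_CHECK.search(w) for w in window):
                findings.append((n, "fixed-size local char array with no nearby bounds check"))
        m = UNBOUNDED.search(line)
        if m:
            findings.append((n, f"unbounded string function {m.group(1)}()"))
        if FMT_FROM_VAR.search(line):
            findings.append((n, "printf format string is a variable"))
    return findings
```

Running scan(SAMPLE_C) reports lines 3, 4 and 5 of the fragment and nothing in safe(), whose declaration is followed by a strlen/sizeof check and a bounded copy.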

  23. Penetration Testing Tools and Techniques • SQL Injection Attack • Class of injection exploits that occur when one scripting language is embedded inside another scripting language • SQL commands are added to input fields in a program or web page • ‘ or 1=1 • Preventing SQL injection requires enforcing better coding practices
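To make "better coding practices" concrete, an added Python example (not part of the slides) runs the slide's ' or 1=1 input against a constructed in-memory SQLite table, once through a query built by string concatenation and once through a parameterised query. The table contents, the trailing comment on the payload and the function names are assumptions.

```python
import sqlite3

def make_db():
    """Constructed in-memory login table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, name, password):
    """Builds the SQL by concatenation: user input becomes part of the SQL syntax."""
    query = ("SELECT name FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]

def login_safe(conn, name, password):
    """Parameterised query: the driver binds the values, so quotes and OR stay data."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]

def demo():
    """Run both versions with a valid login and with the slide's injected input."""
    conn = make_db()
    # The slide's ' or 1=1, with a SQL comment so the rest of the WHERE clause is ignored.
    payload = "' or 1=1 --"
    return {
        "vulnerable_valid": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_injected": login_vulnerable(conn, payload, "wrong"),
        "safe_valid": login_safe(conn, "alice", "s3cret"),
        "safe_injected": login_safe(conn, payload, "wrong"),
    }
```

With the concatenated query the injected name matches every row, so the check passes without a password; the parameterised version compares the literal string and matches nothing.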

  24. Penetration Testing Tools and Techniques • Cross Site Scripting • Web attacks are successful because they are not noticed immediately • An XSS vulnerability is created by the failure of a web-based application to validate user-supplied input before returning it to the client system • Attacker can craft malicious URLs and trick users into clicking on them • The links enable the attacker’s client-side scripting language, such as JavaScript or VBScript, to execute in the victim’s browser

  25. Wireless Network Penetration Testing • Two main drivers for the popularity of wireless networking • Ease of implementation • Cost effectiveness • Most common wireless LAN standards defined by IEEE’s 802.11 working group • 802.11b • 802.11g • 802.11n

  26. Wireless Network Penetration Testing • War Driving • The term used to describe the process of a hacker who, armed with a laptop and a wireless adapter card and traveling by car, bus, subway, train, or other form of mechanized transport, goes around sniffing for WLANs • Common war-driving exploits find many wireless networks using only SSID for access control • These networks are susceptible to parking lot attack

  27. Wireless Network Penetration Testing • WLAN Vulnerabilities • Same protocol-based attacks as wired LANs • Have their own set of unique vulnerabilities • SSID Issues • Service Set Identifier is an identification value set in the access point to identify the local wireless network • The SSID acts like a simple password • Wireless access points are configured to broadcast the SSID • Many APs use default SSIDs

  28. Wireless Network Penetration Testing • WEP Weaknesses • Wired Equivalent Privacy is a component of the IEEE 802.11 WLAN standard • Data encrypted at the data link layer using RC4 encryption • Vulnerable due to relatively short keys that remain static • 64-bit shared key • Must be configured on each client

  29. Wireless Network Penetration Testing • WEP Weaknesses (cont.) • Not designed to withstand a directed cryptographic attack • Utilities capable of exploiting RC4 vulnerability • AirSnort • WEPCrack • Vulnerable to DoS attacks • Interference • Flooding

  30. Wireless Network Penetration Testing • WEP Weaknesses (cont.) • Other techniques to DoS wireless devices • Request authentication at such a frequency as to disrupt legitimate traffic • Request deauthentication of legitimate users • Mimic the behavior of an AP to convince users to connect to it • Repeatedly transmit RTS/CTS frames to silence the network

  31. Wireless Network Penetration Testing • MAC Address Vulnerabilities • Easily sniffed • Attacker can masquerade as a valid MAC • MAC spoofing is VERY easy

  32. Wireless Network Penetration Testing • Wireless Scanning Tools • NetStumbler – displays APs • MiniStumbler – designed for Windows Mobile • AirSnort – cracks WEP keys • Kismet – wireless IDS and sniffer • SSID Sniff – displays APs • AirMagnet – wireless sniffer • AiroPeek – wireless sniffer • Wireshark – all-purpose sniffer

  33. Wireless Network Penetration Testing • Wireless Vulnerabilities Countermeasures • Change the AP’s default admin password • Change the default SSID • Disable the Broadcast SSID function • Enable WPA • Implement MAC filtering • Limit radio emanations • Locate AP in DMZ • Implement VPNs • Disable DHCP server

  34. Social Engineering • The acquisition of sensitive information or inappropriate access privileges by an outsider by manipulating people • Exploits the human side of computing • Hardest form of attack to defend against • Divided into two types • Human-based – person to person • Computer-based – uses software to automate information gathering

  35. Social Engineering • Common techniques • Asserting authority or pulling rank • Professing to have authority • Browbeating subject • Praising, flattering, or sympathizing • Using positive reinforcement to coerce • Only defense is a security policy and awareness

  36. Intrusion Detection System (IDS) • Monitors packets on the network and looks for signs of an attack • Two types • Signature based • Anomaly based

  37. Intrusion Detection System (IDS) • Methods IDSs use to identify attacks • Protocol Stack Verification • Verifies valid values in protocol fields • Application Protocol Verification • Verifies valid packet intent
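As an added Python example (not part of the slides), the two IDS types from slide 36 run over a handful of constructed web-server log lines: the signature detector looks for known patterns such as the deck's ' or 1=1 string, while the anomaly detector knows nothing about attacks and only flags a client whose 404 count exceeds a baseline. The log format, the signatures, the threshold and the function names are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed web-server log lines (not from the slides): "client method path status".
LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /about.html 200
10.0.0.9 GET /index.html 200
10.0.0.9 GET /login.php?user=%27%20or%201=1 500
10.0.0.9 GET /../../etc/passwd 404
10.0.0.9 GET /admin 404
10.0.0.9 GET /backup.zip 404
10.0.0.9 GET /old 404
10.0.0.9 GET /config 404
10.0.0.9 GET /test 404
""".splitlines()

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

# Signature-based: known attack patterns (the deck's ' or 1=1 and a path traversal).
SIGNATURES = {
    "sql_injection": re.compile(r"'\s*or\s*1\s*=\s*1", re.I),
    "path_traversal": re.compile(r"\.\./"),
}

def signature_alerts(lines):
    """One alert per (client, signature) hit; the path is URL-decoded before matching."""
    alerts = []
    for line in lines:
        src, _, path, _ = LINE.match(line).groups()
        decoded = unquote(path)
        for name, pat in SIGNATURES.items():
            if pat.search(decoded):
                alerts.append((src, name))
    return alerts

def anomaly_alerts(lines, max_404=3):
    """No attack knowledge: flag any client whose 404 count exceeds the baseline."""
    notfound = Counter()
    for line in lines:
        src, _, _, status = LINE.match(line).groups()
        if status == "404":
            notfound[src] += 1
    return [(src, "excessive_404") for src, n in notfound.items() if n > max_404]
```

The signature detector catches only the two requests it has patterns for, while the anomaly detector catches the same client through its six 404s without knowing what it was looking for; a real deployment would use both, as the slide's two-type split suggests.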

  38. FIN
