Pen Testing Process and Law

Week 1 Day 1 - Lecture 3

Last Update Unknown

Security Testing Process

Test Planning & Ground Rules

  • Testing objectives
  • Scope of test - systems excluded?
  • Who is aware of test - Blind/Double Blind?
  • Timeframe of test
  • Legal agreement - client doesn’t always know the law
  • Confidentiality/Non Disclosure Agreement (NDA)
  • Written agreement - signed off by customer which is a 'Get out of Jail Card' email/document
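The ground rules above (agreed scope, explicitly excluded systems, and the testing timeframe) are only useful if the tooling actually enforces them before anything active runs. The following scope guard is an added illustration written for these notes, not code from the lecture or from any named project; the ranges, the excluded host and the testing window are constructed sample values (RFC 5737 documentation addresses), and the class and function names are the author's own choice.

```python
"""Engagement scope guard (added illustration, not from the lecture notes).

Every target is checked against the written agreement before any active
step: in-scope ranges, explicitly excluded systems, and the agreed testing
window. Exclusions override inclusions, so a carved-out host inside an
in-scope /24 is still rejected. All values below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress


@dataclass
class EngagementScope:
    in_scope: list           # networks/hosts the client signed off on
    excluded: list           # systems carved out of the test
    window_start: datetime   # agreed timeframe, UTC
    window_end: datetime

    def __post_init__(self):
        # Normalise strings to network objects; a bare host becomes a /32.
        self.in_scope = [ipaddress.ip_network(n, strict=False) for n in self.in_scope]
        self.excluded = [ipaddress.ip_network(n, strict=False) for n in self.excluded]


def check_target(scope, target, now):
    """Return (allowed, reason) for one target at time `now` (tz-aware)."""
    addr = ipaddress.ip_address(target)
    if not (scope.window_start <= now <= scope.window_end):
        return False, "outside agreed testing window"
    if any(addr in net for net in scope.excluded):
        return False, "explicitly excluded system"
    if not any(addr in net for net in scope.in_scope):
        return False, "not in signed-off scope"
    return True, "in scope"


def filter_targets(scope, targets, now):
    """Split a target list into allowed hosts and {rejected_host: reason}."""
    allowed, rejected = [], {}
    for t in targets:
        ok, reason = check_target(scope, t, now)
        if ok:
            allowed.append(t)
        else:
            rejected[t] = reason
    return allowed, rejected


# Constructed example agreement: one /24 plus a single host in scope,
# one host inside the /24 excluded, and a one-week testing window.
EXAMPLE_SCOPE = EngagementScope(
    in_scope=["192.0.2.0/24", "198.51.100.10"],
    excluded=["192.0.2.50"],
    window_start=datetime(2024, 1, 8, 0, 0, tzinfo=timezone.utc),
    window_end=datetime(2024, 1, 12, 23, 59, tzinfo=timezone.utc),
)
IN_WINDOW = datetime(2024, 1, 10, 14, 0, tzinfo=timezone.utc)
OUT_OF_WINDOW = datetime(2024, 1, 20, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    candidates = ["192.0.2.7", "192.0.2.50", "198.51.100.10", "203.0.113.9"]
    ok, bad = filter_targets(EXAMPLE_SCOPE, candidates, IN_WINDOW)
    print("allowed:", ok)
    for host, why in bad.items():
        print(f"rejected {host}: {why}")
```

The time check comes first on purpose: outside the agreed window nothing is in scope, whatever the address list says, and the reason string gives the tester something to put in the engagement log when a run is refused.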

Passive Info Gathering

  • Company website
  • Social networking reconnaissance
  • Whois database
  • Google hacking
  • Physical information gathering
  • Limited DNS recon

Active Scanning & Enumeration

  • DNS zone transfers
  • Network mapping with scanning tools
  • Banner grabbing, OS and Application Fingerprinting, Port scanning
  • Vulnerability Scanning
  • War driving
  • Social engineering

Exploiting Uncovered Vulnerabilities

  • Exploit using attack tools/frameworks
  • Write custom exploits
  • Some may succeed
  • Some may fail
  • Some may crash target systems

Escalating Privileges

  • Gaining Root or Admin on target
  • Cracked passwords used
  • Pivot onto other systems

Reporting

  • Document Test
  • Main Findings - How Found, Impact

Security Testing Methodology

OSSTMM: Open Source Security Testing Methodology Manual

  • Widely used methodology covering all aspects of performing security tests; it aims to provide a baseline for any test. Separate documents exist for the different test types.

PTES: Pen Testing Executive Standard

  • Framework, instruction - general/technical

ISSAF: Information System Security Assessment Framework

  • Peer reviewed framework

NIST: The National Institute of Science and Technology

  • Guideline on Network Security Testing

OWASP: The Open Web Application Security Project

  • Comprehensive standards and methods for web testing

Law and Ethics

Law Relevant to Testing

  • Security testers should be familiar with laws relating to unauthorised access to computer networks and data.
  • Misuse of security tools is against the law.

Original Computer Misuse Act (CMA)

Sections 1-3 of the Act introduced three criminal offences:

  1. Unauthorised access to computer material
  2. Unauthorised access with intent to commit or facilitate commission of further offences
  3. Unauthorised modification of computer material

Max Jail Sentence - 5 Years

New Computer Misuse Act (CMA)

  1. Unauthorised access to computer material.
  2. Unauthorised access with intent to commit or facilitate further offences.
  3. Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc. (Now handles DoS)

  3A. Making, supplying or obtaining articles for use in an offence under section 1 or 3 (developing/owning/distributing "Hacking Tools")

Max Jail Sentence - 10 Years

Security Testing Process - Attacker

Ethics is doing what is morally right (as opposed to what is wrong).

Security Testers have to act ethically.

  • Trusted with an Organisation's Sensitive Data and Systems
  • Social Engineering - may have to lie, but should not cause distress
  • Dual Nature of Tools - same toolset as malicious attackers

Unethical hackers will not have the 'Test Planning & Ground Rules' or 'Reporting' stages. Instead, an additional stage, 'Covering Their Tracks', would exist, where they disable security, delete audit and event logs, and install backdoor processes.

Reporting the Results of a Test

Open Test Reporting

  • The report is the product of the security test.
  • Report must be clear, and appropriate for the intended audience.
  • Make sure the target reader understands the essence of the report.
  • Management summary should not include detailed technical screenshots!

Penetration Test Report

  • A good report will usually include an executive overview and a technical summary.
  • The executive overview summarizes the attacks and indicates their potential business impact, and suggested mitigation.
  • The technical summary will include a methodologically aligned presentation of the technical aspects of the test; it is usually read by IT staff and management.

Possible Sections

  • Contents
  • Executive Summary
  • Methodology
  • Main Findings by department, severity - Finding, Impact and Recommendation
  • Appendices with details of all findings, with screenshots, output logs, etc.
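The report structure described above separates an executive overview (business impact and mitigation, no technical screenshots) from a technical appendix that carries the evidence. The helper below is an added illustration written for these notes, not code from the lecture, from Dradis or from any other tool; it records each finding with the fields the notes list (department, severity, finding, impact, recommendation) plus raw evidence, orders findings by severity, and builds the management section only from the non-technical fields so that tool output never leaks into it. The three sample findings are constructed.

```python
"""Findings-to-report helper (added illustration, not from the lecture notes).

The executive summary is generated from business-facing fields only; the
technical appendix is the only place `evidence` (tool output, screenshot
paths, log excerpts) is rendered. Sample findings are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Lower number sorts first in the report.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


@dataclass
class Finding:
    department: str
    severity: str
    title: str
    impact: str
    recommendation: str
    evidence: str   # technical appendix only, never in the executive summary


def sort_findings(findings):
    """Critical first, then by department and title for a stable layout."""
    return sorted(findings,
                  key=lambda f: (SEVERITY_ORDER[f.severity.lower()], f.department, f.title))


def executive_summary(findings):
    """Management section: counts, then one impact/recommendation pair per finding."""
    counts = Counter(f.severity.lower() for f in findings)
    lines = ["Executive Summary", ""]
    lines.append("Findings by severity: " +
                 ", ".join(f"{s}: {counts[s]}" for s in SEVERITY_ORDER if counts[s]))
    lines.append("")
    for f in sort_findings(findings):
        lines.append(f"- [{f.severity.upper()}] {f.department}: {f.title}")
        lines.append(f"  Impact: {f.impact}")
        lines.append(f"  Recommendation: {f.recommendation}")
    return "\n".join(lines)


def technical_appendix(findings):
    """Detailed section for IT staff: everything, including raw evidence."""
    lines = ["Appendix: Detailed Findings", ""]
    for i, f in enumerate(sort_findings(findings), 1):
        lines.append(f"{i}. {f.title} ({f.severity}, {f.department})")
        lines.append(f"   Impact: {f.impact}")
        lines.append(f"   Recommendation: {f.recommendation}")
        lines.append("   Evidence:")
        lines.extend("     " + ln for ln in f.evidence.splitlines())
        lines.append("")
    return "\n".join(lines)


# Constructed sample findings for the example.
SAMPLE_FINDINGS = [
    Finding("Finance", "Medium", "Outdated TLS configuration on payment portal",
            "Customer card sessions could be downgraded to weak encryption.",
            "Disable TLS 1.0/1.1 and re-test the listener.",
            "constructed evidence: TLSv1.0 handshake accepted on port 443"),
    Finding("HR", "High", "Default credentials on HR web application",
            "Staff personal data readable by anyone on the internal network.",
            "Change the default account password and enforce MFA for admins.",
            "constructed evidence: login succeeded with vendor default account"),
    Finding("Finance", "Low", "Verbose server banner on intranet host",
            "Reveals exact software version to anyone who connects.",
            "Suppress version strings in the server configuration.",
            "constructed evidence: banner 'ExampleHTTPd/1.2.3' returned on connect"),
]

if __name__ == "__main__":
    print(executive_summary(SAMPLE_FINDINGS))
    print()
    print(technical_appendix(SAMPLE_FINDINGS))
```

Keeping evidence in its own field, rather than pasting it into the impact text, is what makes the "no screenshots in the management summary" rule mechanical instead of a matter of discipline at write-up time.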

It is important to keep an accurate record during the security test execution.

Some of the tools which can be used are:

  • Kali - KeepNote
  • Dradis Framework (collaborative)