Penetration testing involves actively evaluating an organization's security measures by probing computer systems and networks to identify vulnerabilities. It is conducted to safeguard organizations from financial loss, non-compliance, and damage to reputation. The process generally involves reconnaissance, network mapping, port scanning, vulnerability identification, exploitation, privilege escalation, hiding tracks, and using gained privileges for benefit.
Penetration Testing
What is penetration Testing?
• It is the process of actively evaluating your information security measures.
• It involves probing a computer system or network to identify and exploit vulnerabilities.

Why conduct a penetration test?
• Business perspective: safeguard your organization against failure, through
  – Preventing financial loss through fraud or through lost revenue due to unreliable business systems and processes.
  – Proving due diligence and compliance to your industry regulators, customers and shareholders.
  – Protecting your brand by avoiding loss of consumer confidence and business reputation.
• Operational perspective: shape information security strategy through
  – Identifying vulnerabilities and quantifying their impact and likelihood so that they can be managed proactively; budget can be allocated and corrective measures implemented.

Generic attack steps
10-stage generic attack process in a nutshell (in chronological order):
1. Reconnaissance
2. Network mapping
3. Port scanning and banner grabbing a host
4. Vulnerability identification
5. Exploitation
6. Privilege escalation
7. Rootkit installation
8. Hiding tracks
9. Monitoring
10. Using unauthorized privilege gained for benefit

1. Reconnaissance: finding out about the target before the attack.
• WhoIs and Internet searches for administrative contact phone numbers and emails.
• DNS lookup for ISP details: http://www.networksolutions.com/whois/index.jsp
• Google and the Google cache to find deleted information about the victim: http://www.googleguide.com/ and http://johnny.ihackstuff.com/
• SamSpade (http://www.samspade.org/).
• Netcraft (http://www.netcraft.com).

2. Network mapping of a subnet.
• nmap (http://insecure.org/nmap/) is the de facto network mapping tool.
• Paketto Keiretsu (its scanrand tool) enables faster scanning of large networks by separating the send and receive functionality of the scanner.
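Step 3 below turns on the difference between naming a port from a port table (what a default nmap scan does) and naming it from what the service actually says (what -sV does). The following is an added example, not code from the slides: it starts a constructed local listener that announces itself with an SSH-style banner on a port the table assigns to something else, then identifies it both ways, and repeats the exercise for a service that only answers after being sent a request. The port table, the banner signatures, the listener and the preferred port 1522 are all constructed for the demonstration; an SSH banner is used rather than Oracle's because the TNS listener does not announce itself on connect, while SSH does.

```python
"""Service identification by port number versus by banner (added example,
not from the slides). The port table, banner signatures and the local
listener below are all constructed for the demonstration."""
import re
import socket
import threading

# Constructed excerpt of a port-name table, in the style of nmap-services /
# the IANA registry: this is all a scan without -sV has to go on.
PORT_TABLE = {22: "ssh", 80: "http", 1521: "oracle", 1522: "rna-lm"}

# Constructed banner signatures, in the spirit of what -sV matches against.
BANNER_SIGNATURES = [
    (re.compile(rb"^SSH-\d\.\d-"), "ssh"),
    (re.compile(rb"^HTTP/\d\.\d \d{3}"), "http"),
    (re.compile(rb"^220 .*(SMTP|ESMTP)"), "smtp"),
]


def identify_by_port(port):
    """What a scan without -sV reports: a name looked up from the port number."""
    return PORT_TABLE.get(port, "unknown")


def grab_banner(host, port, timeout=1.0):
    """Connect and wait for an unsolicited banner (a NULL probe); if the
    service stays silent, send an HTTP-style request and read the answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
        if not data:
            s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""
    return data


def identify_by_banner(banner):
    """What -sV style matching reports: a name derived from the banner text."""
    for pattern, name in BANNER_SIGNATURES:
        if pattern.search(banner):
            return name
    return "unknown"


def parse_ssh_version(banner):
    """Pull (software, protocol version) out of an SSH identification string."""
    m = re.match(rb"SSH-(\d\.\d)-(\S+)", banner)
    return (m.group(2).decode(), m.group(1).decode()) if m else None


def start_fake_listener(reply, talk_first=True, preferred_port=0):
    """Constructed stand-in for a real service on 127.0.0.1, serving one client:
    it either sends `reply` on connect (SSH-like) or only after receiving a
    request (HTTP-like). Tries `preferred_port`, else takes an ephemeral one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        srv.bind(("127.0.0.1", preferred_port))
    except OSError:
        srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if not talk_first:
                conn.recv(1024)  # wait for the client's probe before answering
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def scan(port):
    """Identify one local port both ways and return the comparison."""
    banner = grab_banner("127.0.0.1", port)
    return {"port": port, "by_port": identify_by_port(port),
            "by_banner": identify_by_banner(banner), "banner": banner}


if __name__ == "__main__":
    # OpenSSH moved to 1522: the port table says rna-lm, the banner says ssh.
    result = scan(start_fake_listener(b"SSH-2.0-OpenSSH_8.9p1\r\n", preferred_port=1522))
    print(result, parse_ssh_version(result["banner"]))
```

The two probes mirror the order -sV uses: listen first, because many daemons (SSH, SMTP, FTP) identify themselves unprompted, and only then send a protocol-specific request for the ones that do not. A real scanner cycles through many such probes; the point here is that the name reported by port number alone is never more than a guess.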
3. Port scanning of an individual host.
• Nmap again, as well as amap (http://www.thc.org/thc-amap/).
• Nmap, by default, names a port from its number rather than from what is listening: if the Oracle listener is on port 1522, a plain scan reports that port as rna-lm, the IANA default assignment for 1522 (http://www.iana.org/assignments/port-numbers). With the additional -sV switch nmap probes the service and correctly identifies many applications by their banner.

4. Banner grabbing a host to identify the service actually running, and vulnerability identification from the version gained from the banner. This allows identification of likely vulnerabilities.
• Nessus will identify applications running and then match vulnerabilities: http://www.nessus.org/
• Typhon is a commercial banner grabbing network/host scanner: http://www.ngssoftware.com/products/internet-security/ngs-typhon.php
• CANVAS is a commercially available tool that comes with exploits written by Dave Aitel's ImmunitySec: http://www.immunitysec.com/products-canvas.shtml
• CORE Impact is a similar commercially available tool: http://www.coresecurity.com/?module=ContentMod&action=item&id=32

5. Exploitation of a software flaw to gain unauthorized access.
• Metasploit has pre-coded exploits for many OSes and applications: http://www.metasploit.com/

6. Privilege escalation by cracking passwords and user names. A password store holds one-way hashes, not reversible encryption, so cracking means guessing candidates, hashing each one and comparing it with the captured hash until one matches.
• JTR (John the Ripper) is a good password cracker: http://www.openwall.com/john/ . There is now a patch for John to be able to crack Oracle hashes.
• Also "Cain" is an easy to use Windows-based password cracker: http://www.oxid.it/cain.html
• Rainbow crack is a tool used to pre-compute hash-to-cleartext correlations, i.e. "you give me the hash, I will give you the password, because I have already computed all the possible permutations". Rainbow crack has been converted to allow generation of hashes for Oracle usernames, as discussed at http://lists.grok.org.uk/pipermail/full-disclosure/2006-September/049569.html . These correlations can be accessed online at http://www.rainbowcrack-online.com/ . A precomputed table only pays off when the hash is unsalted; the pre-11g Oracle hash is computed over the username together with the password, which is why a table has to be generated per username.

7. Rootkit installation enables covert access at a later date and generally involves the installation of software by the attacker to hide their presence after they have gained privileged access to the target server.
• http://www.rootkit.com/ has links to the AFX and Hacker Defender rootkits, for example.
• The concept of rootkits has been transferred to databases, as will be discussed.

8. Hiding tracks to clear up evidence involves deletion of logs and tools as well as resetting timestamps.
• Change timestamps so that files appear not to have been changed, for instance by putting the modification time back to its earlier value. On Unix filesystems the inode change time (ctime) cannot be set from user space with utime, so an examiner who compares ctime with mtime can still spot the reset.
• Secure deletion of files so that the recycle bin or forensic data recovery cannot bring the attacker's tools back after they have deleted them. Oracle now has a recycle bin which uses the PURGE keyword to empty or avoid it. We will look in detail at this command.

9. Monitoring the system over time, which typically requires a covert channel.
• Loki sends shell commands over ICMP.
• Time-based covert channels also exist.
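Step 6 above describes cracking as guessing and comparing rather than decrypting. The following added example (not code from the slides) shows the three approaches that section lists side by side: a word-list attack as John or Cain would run it, a precomputed hash-to-plaintext table in the spirit of Rainbow Crack, and what happens to that table once the hash is salted. Unsalted SHA-1 stands in for the slide's Oracle and Windows hash formats; the hash dump, the word list, the alphabet, the salt and the password "x9q" are all constructed.

```python
"""Password cracking as guess-hash-compare, with and without precomputation
(added example, not from the slides). Unsalted SHA-1 stands in for the
unsalted formats the slides discuss; hashes and word list are constructed."""
import hashlib
import itertools
import string

ALPHABET = string.ascii_lowercase + string.digits

# Constructed word list; the last three are well-known Oracle default passwords.
WORDLIST = ["password", "123456", "letmein", "tiger", "manager", "change_on_install"]


def sha1_hex(text):
    return hashlib.sha1(text.encode()).hexdigest()


def crack_with_wordlist(target_hash, wordlist=WORDLIST):
    """Dictionary attack (John / Cain style): the hash is one-way, so each
    candidate is hashed and compared; nothing is ever 'decrypted'."""
    for word in wordlist:
        if sha1_hex(word) == target_hash:
            return word
    return None


def build_lookup_table(alphabet=ALPHABET, max_len=3):
    """Precompute hash -> plaintext for every string up to max_len. This is
    the idea behind Rainbow Crack, minus the chain compression real rainbow
    tables use to keep the table on disk."""
    table = {}
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            word = "".join(chars)
            table[sha1_hex(word)] = word
    return table


def crack_with_table(target_hash, table):
    """'You give me the hash, I give you the password': a single lookup."""
    return table.get(target_hash)


def salted_sha1_hex(password, salt):
    """A per-user salt mixed into the input, as a salted scheme does."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def crack_salted(target_hash, salt, alphabet=ALPHABET, max_len=3):
    """With a salt the precomputed table is useless: the whole search has to
    be redone for this one salt, which is exactly what salting buys."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            word = "".join(chars)
            if salted_sha1_hex(word, salt) == target_hash:
                return word
    return None


if __name__ == "__main__":
    dump = {"scott": sha1_hex("tiger"), "svc": sha1_hex("x9q")}  # constructed hash dump
    table = build_lookup_table()
    for user, h in dump.items():
        print(user, crack_with_wordlist(h), crack_with_table(h, table))
    salt = b"\x9a\x07"  # constructed per-user salt
    salted = salted_sha1_hex("x9q", salt)
    print(crack_with_table(salted, table), crack_salted(salted, salt))
```

The word list recovers "tiger" but not the random-looking "x9q"; the table recovers "x9q" instantly but knows nothing about five-character words it never enumerated; and the salted hash defeats the table entirely, leaving only a fresh per-salt search. That is the whole argument for salted storage in one run.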
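Step 8 above lists resetting timestamps among the ways of hiding tracks. This added example (not from the slides; the log file and its lines are constructed in a temporary directory, and the check assumes POSIX timestamp semantics, where st_ctime is the inode change time) appends a line to a log, restores the modification time so a directory listing shows nothing changed, and then shows the trace that restoration leaves behind: utime() can set atime and mtime, but the kernel sets ctime itself.

```python
"""Timestomping and the trace it leaves (added example, not from the slides).
The log file is constructed in a temporary directory; timestamp semantics
are POSIX (Linux/macOS), where st_ctime is the inode change time."""
import os
import tempfile
import time


def snapshot(path):
    st = os.stat(path)
    return {"atime_ns": st.st_atime_ns, "mtime_ns": st.st_mtime_ns,
            "ctime_ns": st.st_ctime_ns}


def modify_and_timestomp(path, new_bytes):
    """Append to the file, then put atime and mtime back to their old values
    (what 'touch -r' style timestomping does). Returns the before/after stats."""
    before = snapshot(path)
    with open(path, "ab") as f:
        f.write(new_bytes)
    # utime() accepts atime and mtime only; ctime is set by the kernel to now.
    os.utime(path, ns=(before["atime_ns"], before["mtime_ns"]))
    return before, snapshot(path)


def ctime_after_mtime(snap):
    """Forensic check: a normal write sets mtime and ctime together, so ctime
    ahead of mtime means metadata was touched after the content supposedly
    last changed. chmod, chown and rename also move ctime alone, so treat a
    hit as something to investigate, not as proof."""
    return snap["ctime_ns"] > snap["mtime_ns"]


def demo(delay_s=1.1):
    """Constructed scenario: a log gets a line appended and its mtime put back."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")
        with open(path, "wb") as f:
            f.write(b"Jan  1 00:00:00 host sshd[1]: Accepted password for alice\n")
        pristine = snapshot(path)
        time.sleep(delay_s)  # let the clock move so the edit is visible even on 1 s filesystems
        before, after = modify_and_timestomp(
            path, b"Jan  1 00:00:05 host useradd[2]: new user: name=svc\n")
        return {
            "mtime_restored": after["mtime_ns"] == before["mtime_ns"],
            "flagged_before_edit": ctime_after_mtime(pristine),
            "flagged_after_edit": ctime_after_mtime(after),
        }


if __name__ == "__main__":
    print(demo())
```

A listing with ls -l shows the restored mtime and nothing else, which is what the attacker wants; stat or find -newerct shows the ctime that moved, which is what the examiner looks for. Only a change made below the filesystem (editing the inode directly, or adjusting the clock before the write) avoids this, which is why ctime versus mtime is one of the first consistency checks run on a suspect host.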
10. Using unauthorized privilege for benefit.
• Credit card numbers and Social Security numbers form a saleable resource to a commercially minded hacker.
• An attacker might blackmail a bank if they were able to gain customer data.
• A competitor may seek advantage in hiring a hacker to subvert another company or spy upon them to gain their intellectual property or list of customers.
• Internally an employee may seek advantage over an internal competitor by taking an unauthorized action that disadvantages their adversary, e.g. causing a mistake to occur and making it look like their adversary did it.

Penetration Testing steps
• Involves three phases:
  – Preparation phase: a formal contract is executed containing non-disclosure of the client's data and legal protection for the tester. At a minimum, it also lists the IP addresses to be tested and the time to test.
  – Execution phase: the penetration test is executed, with the tester looking for potential vulnerabilities.
  – Delivery phase: the results of the evaluation are communicated to the pre-defined organizational contact, and corrective action is advised.
• The 5 steps of PT are as below:
1. Reconnaissance (pre-test phase)
2. Scanning & enumeration (pre-test phase)
3. Gaining access
4. Maintaining access
5. Clearing tracks

Pen testing services
• Vulnerability scanning
• Infrastructure pen testing
  – Metasploit or Core Impact: test all externally visible IP addresses
• Application pen testing
  – Use a web application scanner (HP's WebInspect, IBM's AppScan)
  – Test application logic
  – Test database
• User testing