Monday, May 30, 2011

Introduction to Penetration Testing

This article is just to give you the Basic knowledge and making you understand the Fundamentals of Penetration Testing


Goal of this Article 

q 
  • An overview of how Vulnerability Assessment (VA) & Penetration Testing (PT) is done
  • qDefining scope of the assessment
  • qTypes of Penetration Testing
  • qA brief understanding on how Buffer Overflow works
  • qHow vulnerabilities are scanned and exploited
  • qWhat are the end results
  • qWhat a Penetration Testing Report should contain  
                                           Differentiating VA and PT

Vulnerability Assessment (VA)
In this case the security auditor has to only scan for the vulnerabilities in the server or application and filter out the false positives from the scan output by mapping them with the actual vulnerabilities associated with the target host.
VA Scope Includes:
The VA test can be done both internally and externally
No vulnerabilities are exploited
No dangerous attacks like DOS and Buffer Overflow attacks are used
Automated vulnerability scanning tools line Nessus, Retina or ISS are used 


Penetration Testing (PT)
In this case the security auditor or the penetration tester not only has to scan for the vulnerabilities in the server or application but also has to exploit them to gain access to the remote server.

PT Scope Includes:
The PT test is done both internally and externally
Vulnerabilities are exploited
Dangerous attacks like DOS and Buffer Overflow attacks are used depending upon 
  the customer’s willingness to do so
Automated vulnerability scanning tools and as well as exploits are used 
                                 
             Types Of Penetration Testing
Black Box Penetration Testing
  • Pen tester has no previous knowledge of the remote network
  • Simulating  a real world hacking by a hacker who has no knowledge 
         (E.g. Operating System running,  application running, device type and
          network topology etc..) of the remote network environment 
White Box Penetration Testing
  • Have the   knowledge of the remote network
  • Type of Pen tester network devices (i.e. Cisco gear, TCP/IP),
  • WebServer details (i.e., Apache/*nix or Apache/Win2k),
  • Operating System type (i.e., Windows/*nix),
  • Database platform (i.e., Oracle or MS SQL),
  • Load balancers (i.e. Alteon),
  • Firewalls (i.e. Cisco PIX).. etc
  • Simulating  a attack by a hacker who is having a detailed knowledge of the remote network environment  
 
                  Scope Of Penetration Testing
Non-Destructive Test
  • Scans the remote hosts for possible vulnerabilities
  • Analyze and confirm the findings
  • Map the vulnerabilities with proper exploits
  • Exploit the remote system with proper care to avoid disruption of service
  • No highly critical Denial of Service (DoS) attack is tried
Destructive Test
  • Scans the remote hosts for possible vulnerabilities
  •  Analyze and confirm the findings
  •  Map the vulnerabilities with proper exploits
  • All highly critical Denial of Service (DoS) attacks (e,g like buffer overflows are tried
                                           ~~~ Moving On To Penetration Testing ~~~

Penetration testing includes some steps ... 
  • qFingerprinting or Footprinting
  • qNetwork Information Gathering
  • qSurveying / Network Mapping
  • qPorts Scanning and Services Identification
  • qEvading Firewall Rules
  • qAutomated Vulnerability Scanning
  • qExploiting Services for Known Vulnerabilities
  • qExploiting Web-Based Authorization
  • qPassword Cracking / Brute Forcing
  • qDenial of Services (DoS) Testing
  • qEscalation of Privileges
                                   FLOW CHART
 
 
1. Information Gathering
This is the first step for any remote host Penetration Testing. Here the pen-tester try to gather maximum information on the remote host to precise the attack.
 
Expected Results:
  • qZone Transfer Information
  • q Domain Registration Information
  • q Email IDs
  • q IP Addresses Range
 
Sample Screenshot (Server queried for Zone-Transfer Info):


 
(Information Gathered from Zone-Transfer Info)
 
2. Footprinting / Fingerprinting
In this step, information like WebServer and OS type running on remote host are gathered to further precise the attack.
 
Expected Results:
  • qRemote server OS type
  • q Remote server web-server type
  • q Applications running on remote server
Sample Screenshot (Banner displaying OS, application & WebServer details):
 
3. Network Surveying / Network Mapping 
A network survey serves often as an introduction to the systems to be tested. It is best defined as a combination of data collection, information gathering, and policy control. 
Expected Results:
  • qFirewall / Routers / IDS Discovery
  • qPossible Local Network / Subnet Discovery
  • qIP Addresses Range
  • qNetwork Topology Mapping
  • qISP information
Sample Screenshot (Local address of the remote network discovered):
 
  4. Port Scanning & Services Identification
Port scanning is the invasive probing of system ports on the transport and network level. This module is to enumerate live or accessible Internet services as well as penetrating the firewall to find additional live systems.
 
Expected Results:
  • qOpen, closed or filtered ports
  • qServices Identification
Sample Screenshot (NMAP port scan output):
 
 
5. Evading Firewall Rules
In this phase, firewall evasion techniques are used to bypass firewall rules. This can further help in port scanning, remote host detection and remote network discovery.
Expected Results:
  • q Mapping of firewall configuration rules
  • q Partial Access to devices behind the firewall
Sample Screenshot : (Trace Route using UDP packets)
 
 
It is clear from the two screenshots  that the packet filtering device (i.e. Firewall / Router) is not configured to block UDP packets. 


6. Automated Vulnerability Scanning


The focus of this module is identifying, understanding, and verifying the weaknesses, misconfigurations and vulnerabilities associated with remote host. The scanning is done using automated tools or scripts to make the process faster. 
Expected Results:
  • qList of vulnerabilities associated with each remote services
  • qList of possible denial of service vulnerabilities
  • qPossible misconfiguration on the remote server
Sample Screenshot 


What is MVS ?

MVS is an automated Internet Vulnerability Scanner which can scans for web based vulnerabilities (Ex: CGI/IIS Unicode) associated with a remote host running a web server. The scanner displayed, shows that the target host is vulnerable to IIS Unicode. The vulnerable string has been highlighted in the below screen shot


7. Exploiting Services For Known Vulnerabilities 
This is the most important phase of penetration testing. Here the weaknesses found in the remote services are exploited using openly available exploits or self developed or customized exploits. 
Expected Results:
  • q Gaining Access to the system
  • q Retrieving hidden information
  • q Domain Hijacking
  • q Spamming Mail Servers
Sample Screenshot (FrontPage fp30reg.dll Overflow Exploit):
 
 
Here the web application flaws are exploited to gain access to restricted information. The Web-Based authentication is exploited by using XSS (Cross-Site Scripting) or SQL injection or MITM (Man-in-the-middle) attacks etc... 
Expected Results:
  • qAccess to restricted / confidential information
  • q Control over web configuration
  • q Can also leads to gaining access over other servers
Sample Screenshot (SQL injection used for gaining access to admin page):
  8. Password Cracking or Brute Forcing 


Password cracking is the process of validating password strength through the use of automated password recovery tools that expose either the application of weak  passwords due to human factors. 
Password Lists and Words List are use for validating the password in this process
Expected Results:
  • qList of user login IDs or passwords
  • q List of authentication PINs or Password
Sample Screenshot (Brute Forcing using Brutus):
 
 
Denial of Service (DoS) is a situation where the applications or services running over the remote system stops functioning and prevents authenticated network users or devices to access it. 
Expected Results:
  • Disruption of Services
  • q List of other possible DoS vulnerable associated with the systems
  • qSabotage of remote network
Sample Screenshot (DOS attack for CISCO):
 
10. Escalation of Privileges 

 
Escalation of Privileges is the type of rights the attacker gains over the remote system. It is the final stage of the remote host hacking where the attacker gains complete control over the remote system.
 
Expected Results:
  • q Gain administrator / super user rights
  • q Gain privilege to retrieve or modify confidential data
  • q Gain control over server configuration
  • q Gain Control over other servers attached to it  
Sample Screenshot




 
 =============================================================
It took me around two days to reproduce the entire paper from the ppt into a webpage. 
This paper was written by Debasis Mohanty but was not published in webpage form till now so i tried my best to convert it into a webpage.

Download the original PPT by him and learn the basics of Buffer Overflow written for beginners only -




No comments:

Post a Comment