Penetration Testing Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802


Objectives
This module will familiarize you with the following:
- What does a malicious hacker do?
- Types of security tests.
- What is penetration testing?
- Why penetration testing?
- Legal aspects of penetration testing.
- Vulnerability assessment vs. penetration testing.
- How to conduct penetration testing.
- Tools for penetration testing.

Readings
- NIST, “Guideline on Network Security Testing,” Special Publication, Sec. 3-10. (Required)
- Wikipedia, “Penetration Test.”
- Herzog, P., “OSSTMM Open-Source Security Testing Methodology Manual,” V. 2.2, ISECOM.
- Layton, T. P., Sr., “Penetration Studies – A Technical Overview,” SANS Institute.
- NIST, “Technical Guide to Information Security Testing and Assessment,” Special Publication, September.
- Northcutt, S., Shenk, J., Shackleford, D., Rosenberg, T., Siles, R. and Mancini, S., “Penetration Testing: Assessing Your Overall Security Before Attackers Do,” SANS Analyst Program, June.

What Does a Malicious Hacker Do?
- Reconnaissance: active or passive.
- Scanning.
- Gaining access: at the operating-system level, the application level or the network level; or denial of service.
- Maintaining access: uploading, altering or downloading programs or data.
- Clearing tracks.

Penetration Testing Report (Recommendation for Security)
The same life cycle from the adversary's perspective, with representative activities per phase:
- Reconnaissance: web-based information collection, social engineering.
- Scanning: broad network mapping, targeted scans.
- System Access: service vulnerability exploitation, password cracking.
- Damage: DDoS, code installation, system file deletion, use of stolen accounts for further attack.
- Clear Tracks: log file changes.
Each phase maps onto a defensive layer: the Preventive Phase (defense) before access is gained, Proactive Security (real time) while the attack is in progress, and Reactive Security (incident response) once damage has been done.

Types of Attacks
The ways a hacker gains access to a system can be classified as:
- Operating system attacks: attackers look for OS vulnerabilities (via services, ports and modes of access) and exploit them to gain access.
- Application-level attacks: programming errors such as buffer overflows.
- Shrink-wrap code attacks: operating systems and applications often ship with sample scripts for administration. If these scripts are not properly tuned, removed or disabled, they lead to default-code (shrink-wrap code) attacks.
- Misconfiguration attacks: systems that should be fairly secure are hacked because they were not configured correctly.

Security Testing Techniques (NIST, 2003)
- Network scanning
- Vulnerability scanning
- Password cracking
- Log review
- Integrity checkers
- Virus detection
- War dialing
- War driving (wireless LAN testing)
- Penetration testing
Often several of these techniques are used together to gain a more comprehensive assessment of the overall network security posture.
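The "integrity checkers" technique above is the defensive counterpart of the clearing-tracks and damage phases described earlier (log truncation, system file deletion, code installation). The following is an added example, written for this page and not taken from the slides or from NIST: a minimal Tripwire-style checker that baselines file hashes and permission bits, then reports what changed. The directory layout and the "intrusion" in demo() are constructed for the demonstration.

```python
"""Minimal file-integrity checker: baseline a tree, re-scan, diff.
Added illustration; not code from the slides or from any named product."""
import hashlib
import tempfile
from pathlib import Path

HASH_ALGO = "sha256"


def hash_file(path: Path) -> str:
    """Stream the file through the hash so large files do not load into memory."""
    h = hashlib.new(HASH_ALGO)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record digest, size and permission bits for every regular file under root.
    Symlinks are skipped so an attacker cannot point a 'clean' name elsewhere."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "hash": hash_file(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,  # includes setuid/setgid/sticky bits
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference between two snapshots."""
    report = {"modified": [], "added": [], "removed": [], "mode_changed": []}
    for name, meta in baseline.items():
        cur = current.get(name)
        if cur is None:
            report["removed"].append(name)
            continue
        if cur["hash"] != meta["hash"]:
            report["modified"].append(name)
        if cur["mode"] != meta["mode"]:
            report["mode_changed"].append(name)
    for name in current:
        if name not in baseline:
            report["added"].append(name)
    return report


def demo() -> dict:
    """Constructed scenario: baseline a fake system tree, then simulate an
    intruder who truncates a log, drops a backdoor, makes a binary setuid
    and deletes a system file. Returns the integrity report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "log").mkdir()
        (root / "log" / "auth.log").write_text("sshd: Accepted password for root\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF fake binary")
        (root / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        baseline = build_baseline(root)

        # "clearing tracks" and "damage" phases, as an attacker would do them
        (root / "log" / "auth.log").write_text("")            # log file change
        (root / "bin" / "backdoor").write_bytes(b"\x7fELF backdoor")  # code installation
        (root / "bin" / "ls").chmod(0o4755)                   # setuid trojanable binary
        (root / "passwd").unlink()                            # system file deletion
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        for n in names:
            print(f"{kind:13} {n}")
```

In production the baseline must live off the monitored host (read-only media or a remote store), otherwise the same intruder who edits the log can edit the baseline to match.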

Security Testing Methods
Every organization uses different types of security testing methods to validate the level of security of its network resources. OSSTMM (2006) arranges the common methods along two axes, from hands-on to audit and from thorough to accurate: Vulnerability Scanning, Penetration Testing, Ethical Hacking and the OSSTMM Security Test.

What is Penetration Testing?
A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. The intent of a penetration test is to determine the feasibility of an attack and the amount of business impact of a successful exploit, if one is discovered. (Source: Wikipedia, “Penetration Test”)

Why Penetration Testing? (Source: Northcutt et al., 2006)
- Computer-related crime is on the rise.
- Find holes now, before somebody else does.
- Report problems to management.
- Verify secure configurations.
- Security training for network staff.
- Discover gaps in compliance.
- Test new technology.

Legal Aspects of PT
- U.S. Cyber Security Enhancement Act of 2002: life sentences for hackers who “recklessly” endanger the lives of others.
- 18 U.S.C. § 1030, Fraud and Related Activity in Connection with Computers: whoever intentionally accesses a protected computer without authorization and, as a result of such conduct, recklessly causes damage or impairs medical treatment can receive a fine or imprisonment of five to 20 years.
Attacking a network from the outside carries ethical and legal risk to you, the tester, and remedies and protections must be spelled out in detail before the test is carried out. It is therefore vital that you receive specific written permission to conduct the test from the most senior executive.

Legal Aspects of PT (continued)
Your customer also requires protection. You must be able to guarantee discretion and non-disclosure of sensitive company information by demonstrating a commitment to preserving the company's confidentiality. The designation of red and green data classifications must be agreed before the engagement, to prevent sensitive data from being redistributed, deleted, copied, modified or destroyed. The credibility of your firm, in particular its ability to conduct the testing without interrupting the customer's business or production, is also of paramount concern. You must employ knowledgeable engineers who know how to use low-bandwidth tools to minimize the test's impact on network traffic.

Vulnerability Assessment
- A vulnerability assessment scans a network for known security weaknesses.
- Vulnerability scanning tools search network segments for IP-enabled devices and enumerate systems, operating systems and applications.
- Vulnerability scanners can test systems and network devices for exposure to common attacks.
- Vulnerability scanners can identify common security configuration mistakes.

Limitations of Vulnerability Assessment
- A vulnerability scanning tool can only detect the vulnerabilities known to it at a given point in time.
- The tool must be updated whenever new vulnerabilities are discovered or the scanning software itself is improved; an outdated signature set silently misses new issues.
- Different methodologies and different scanning tools assess security differently, which influences the result of the assessment.

Vulnerability Assessment vs. Penetration Test
A vulnerability assessment is a process of identifying, quantifying and prioritizing (ranking) the vulnerabilities in a system. It reveals potential security vulnerabilities, or changes in the network, that an attacker could exploit for malicious intent.
A penetration test is a method of evaluating the security state of a system or network by simulating an attack from a malicious source. This process involves the identification and exploitation of vulnerabilities in a real-world scenario; such vulnerabilities may exist in the systems because of improper configuration, known or unknown weaknesses in hardware or software, operational weaknesses, or loopholes in the deployed safeguards.
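The three verbs in the definition above (identify, quantify, prioritize) and the "point in time" limitation from the previous slide can be made concrete. The block below is an added example written for this page, not scanner code from the slides or from any product: it matches an enumerated service inventory against an advisory list, scores each hit with a CVSS band, ranks the findings, and refuses to trust an advisory list that is too old. Every host, product name, version, advisory ID and date in it is constructed and corresponds to no real software or CVE.

```python
"""Illustrative vulnerability-assessment step: match, score, rank.
Added example; all data below is constructed for the demonstration."""
import itertools
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    adv_id: str
    product: str
    affected_below: str   # every version strictly below this one is affected
    cvss: float
    summary: str


def version_key(v: str) -> tuple:
    """Turn '7.4p1' into a comparable tuple (7, 4, 0, 0).
    Only the leading digits of each dot-separated piece count; suffixes such as
    'p1' or 'beta' are ignored, a deliberate simplification that a real scanner
    must refine per product (vendor version schemes differ)."""
    key = []
    for piece in v.split("."):
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        key.append(int(digits) if digits else 0)
    while len(key) < 4:
        key.append(0)
    return tuple(key[:4])


def severity(cvss: float) -> str:
    """CVSS v3 qualitative rating bands."""
    if cvss == 0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def assess(services, advisories) -> list:
    """Identify (product + version match), quantify (CVSS), prioritize (sort)."""
    findings = []
    for svc in services:
        for adv in advisories:
            if adv.product != svc.product:
                continue
            if version_key(svc.version) < version_key(adv.affected_below):
                findings.append({
                    "host": svc.host, "port": svc.port,
                    "product": svc.product, "version": svc.version,
                    "advisory": adv.adv_id, "cvss": adv.cvss,
                    "severity": severity(adv.cvss), "summary": adv.summary,
                })
    findings.sort(key=lambda f: (-f["cvss"], f["host"], f["port"]))
    return findings


def database_is_stale(last_update: date, today: date, max_age_days: int = 7) -> bool:
    """A scan is only as current as its signature set; flag an old advisory list."""
    return (today - last_update).days > max_age_days


# Constructed inventory, in the shape an enumeration step would produce.
SERVICES = [
    Service("10.0.0.5", 22, "sshd", "7.4p1"),
    Service("10.0.0.5", 80, "httpd", "2.4.49"),
    Service("10.0.0.7", 80, "httpd", "2.4.57"),
    Service("10.0.0.7", 5432, "dbd", "9.6.3"),
]

# Constructed advisory list; IDs, versions and summaries are placeholders.
ADVISORIES = [
    Advisory("EX-0001", "httpd", "2.4.51", 9.8, "unauthenticated remote code execution"),
    Advisory("EX-0002", "sshd", "8.0", 7.5, "user enumeration via timing"),
    Advisory("EX-0003", "dbd", "9.6.1", 5.3, "information disclosure"),
]
ADVISORIES_UPDATED = date(2024, 1, 3)  # constructed


def demo_findings() -> list:
    return assess(SERVICES, ADVISORIES)


if __name__ == "__main__":
    if database_is_stale(ADVISORIES_UPDATED, date.today()):
        print("WARNING: advisory list older than 7 days; new issues will be missed")
    for f in demo_findings():
        print(f"{f['severity']:8} {f['cvss']:4} {f['host']}:{f['port']} "
              f"{f['product']} {f['version']} -> {f['advisory']} ({f['summary']})")
```

Note what this does not do: it never touches the target, so every finding is a potential vulnerability. Confirming that EX-0001 is actually exploitable on 10.0.0.5 (and not, say, mitigated by a backported fix that left the version string unchanged) is exactly the work that separates a penetration test from an assessment.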

Types of Security Tests
OSSTMM classifies tests by two variables: the attacker's knowledge of the target and the target's knowledge of the attack.
- Blind: the attacker has no prior knowledge of the target; the target knows all details of the test in advance.
- Double Blind (Black Box): the attacker has no prior knowledge and the target is not notified in advance.
- Gray Box: the attacker has limited knowledge of the target's defenses and assets; the target knows all details of the test in advance.
- Double Gray Box (White Box): the attacker has limited knowledge; the target knows the scope and time frame but not the channels or vectors to be tested.
- Tandem: attacker and target both have full knowledge; the test is run jointly with the defending (blue) team.
- Reversal (Red Team): the attacker has full knowledge of the target's processes and operational security; the target knows nothing of what, how or when it will be tested.

Penetration Testing Process (NIST, 2003)
Four phases: Planning, Discovery, Attack and Reporting. The attack phase loops back into additional discovery whenever a foothold exposes new targets.
- Discovery: reconnaissance, scanning, enumerating.
- Attack: gaining access, escalating privilege, system browsing.
- Root causes typically uncovered: lack of a security policy, poorly enforced policy, misconfiguration, software reliability (bugs), failure to apply patches.

Discovery Phase of PT
Three activities, the steps each covers, and representative tools:
- Footprinting (gather initial information, determine the network range): Whois, SmartWhois, NsLookup, Sam Spade, NeoTrace, Visual Route.
- Port Scanning (identify active machines, discover open ports and access points, fingerprint the operating system): Nmap, Ping, Traceroute, SuperScan.
- Enumerating (uncover services on ports, map the network): Nmap, Netcat.

Attack Phase Steps, with Loopback to the Discovery Phase
- Gaining Access: enough data has been gathered in the discovery phase to make an informed attempt to access the target.
- Escalating Privilege: if only user-level access was obtained in the previous step, the tester now seeks to gain complete control of the system.
- System Browsing: the information-gathering process begins again, from inside the compromised host, to identify mechanisms for gaining access to trusted systems.
- Install Additional Test Software: tools are placed on the compromised host to support that further discovery, which feeds back into the discovery phase.

Types of Penetration Test
- External test: simulates an attacker outside the perimeter.
- Internal test: simulates insider threat models such as a curious employee, a disgruntled end user or a disgruntled administrator.
Either type can be run black box, white box or gray box, depending on how much knowledge of the target the tester is given.

When is Testing Necessary?
Penetration testing was traditionally done once or twice a year because of the high cost of the service. Automated penetration-testing software now lets organizations test more often, moving from isolated point-in-time tests toward periodic testing.

Become Certified