
Penetration Testing

Penetration testing is often referred to as ethical hacking. In this procedure, a trusted third party or one of the organization's own security engineers attempts to compromise or break into the network and its devices by scanning, simulating live attacks, and exploiting vulnerable machines, in order to measure the overall security posture. Penetration tests are commonly classified into three types:

Black-box

White-box

Gray or Crystal-box

In a black-box test, the tester has no prior knowledge of the organization's network. Typically, the organization gives the tester only the information needed to target a specific system or domain for the "externally attempted" hack, which is the position an outside attacker starts from. In a white-box test, the tester is given more information (for example, network diagrams, a list of devices, and so on) before the tests start. In a gray-box (crystal-box) test, the tester is provided with an account on the internal network and standard user access to it, the position of an insider or of an attacker who has already compromised a user.

NOTE This section describes and lists several tools that you can use to assess the security posture of an organization. However, it is strongly recommended that you do not use any of these if you are unsure of the complications and side effects they may have in your organization. On many occasions, it is better to hire a third-party company to perform such tests.

Numerous security tools are designed to automate and ease the penetration testing process. These can be a combination of commercial vulnerability assessment tools and free open-source tools. Professional ethical hackers also develop their own tools to automate a test or to check specifically for new vulnerabilities. Commercial tools work from sets of thousands of preset checks, or vulnerability tags (vuln-tags), and some of them focus on particular areas (for example, web security or wireless security). Examples of commercial tools are QualysGuard (http://www.qualys.com) and eEye Retina (http://www.eeye.com/html/index.html).

Hundreds of open-source tools exist, ranging from meticulously developed and supported tools to small scripts developed to perform a specific task. Table 2-1 lists some of the most commonly used open-source tools.

You can combine penetration testing with configuration audits of your infrastructure devices to produce a comprehensive picture of the organization's security posture. On completion of the penetration test, you know which systems in your organization are currently vulnerable and, just as important, how visible those systems are to a potential attacker. You can then combine this information with an analysis of the configuration of your infrastructure components, such as routers and firewalls: every service the test found exposed should be traceable to a rule that deliberately permits it, and any that is not points at a gap in the policy or in its enforcement.

Table 2-1 Common Open-Source Security Tools

Tool              Description                                   Website
Metasploit        Comprehensive set of penetration testing      http://metasploit.org
                  and vulnerability assessment tools
Nmap              Scanner                                       http://insecure.org/nmap
Cain and Abel     Password cracking                             http://www.oxid.it/cain.html
John the Ripper   Password cracking                             http://www.openwall.com/john/
AirCrack          WEP/WPA cracking tool                         http://www.aircrack-ng.org/doku.php
AirSnort          802.11 WEP encryption cracking tool           http://airsnort.shmoo.com/
Nessus            (Now commercial) network scanner              http://www.nessus.org
Rainbow Crack     Password cracker                              http://www.antsight.com/zsl/rainbowcrack/
Sara              Vulnerability assessment tool                 http://www-arc.com/sara
HPing2            Packet crafter                                http://www.hping.org
Kismet            Wireless sniffer                              http://www.kismetwireless.net
NetStumbler       Windows-based wireless sniffer                http://www.stumbler.net
KisMAC            MAC-based wireless sniffer                    http://kismac.de
Nikto             Web scanner                                   http://www.cirt.net/code/nikto.shtml
Paros Proxy       Web vulnerability assessment proxy

NOTE Some commercial tools are designed to perform device configuration and firewall rule analysis. Examples of these tools are the Cisco Configuration Assurance Solution (CCAS) (http://www.cisco.com/en/US/products/ps6364/prod_bulletin0900aecd802c8487.html), the AlgoSec Firewall Analyzer (http://www.algosec.com), and Security Risk Auditor from Redseal Systems (http://www.redseal.net).

CCAS automatically completes systematic audits of the production network configuration to detect device misconfigurations, policy violations, inefficiencies, and security gaps. The Cisco Advanced Services for Network Security group also provides comprehensive security posture assessment services, including detailed network security architectural reviews. For more information, go to http://www.cisco.com/en/US/products/svcs/ps2961/ps2952/serv_group_home.html.

Manual analysis of a complex firewall policy is impractical: it is extremely time-consuming, and rules that shadow, duplicate, or contradict one another are easy to miss, so many risks go undetected. Automated tools or professional services are a must.
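The cross-check described earlier (scan results against the firewall configuration) and the automated policy analysis this paragraph calls for, as one added example; it is not part of the original text and is not code from any of the tools named in it. It assumes a Cisco IOS-style extended ACL (only the permit/deny ip|tcp|udp SRC DST [eq PORT] subset), an Nmap XML report in the -oX format, and a scanner source address of 203.0.113.5; the ACL and the report are constructed inline using documentation address ranges. It flags rules that an earlier rule shadows (first match wins, so they never fire), permits for all IP traffic to or from "any", and open ports the scan reached although the ACL, evaluated for the scanner's address, should have denied them.

```python
"""Added example (not from the page): check an Nmap scan against the firewall ACL meant to govern it."""
import ipaddress
import re
import xml.etree.ElementTree as ET
from collections import namedtuple
# Constructed Cisco IOS-style extended ACL (documentation address ranges, not real hosts).
ACL_TEXT = """
access-list 110 permit tcp any host 192.0.2.10 eq 80
access-list 110 permit tcp any host 192.0.2.10 eq 443
access-list 110 permit tcp 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 22
access-list 110 permit ip 198.51.100.0 0.0.0.255 any
access-list 110 deny   tcp any any eq 23
access-list 110 deny   ip any any
access-list 110 permit tcp any host 192.0.2.20 eq 3389
"""
# Constructed Nmap XML report (nmap -oX format), reduced to the elements used below.
NMAP_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port></ports></host>
<host><address addr="192.0.2.20" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port></ports></host>
</nmaprun>"""
SCANNER_IP = "203.0.113.5"  # assumed source address of the external scan

Rule = namedtuple("Rule", "line action proto src dst port")
ACL_RE = re.compile(r"access-list\s+\d+\s+(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp)\s+"
                    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+(?P<dst>any|host\s+\S+|\S+\s+\S+)"
                    r"(?:\s+eq\s+(?P<port>\d+))?\s*$")

def parse_address(token):
    """'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' -> IPv4Network. ipaddress reads a dotted
    mask with a leading 0 octet as a hostmask (a wildcard); a non-contiguous one raises."""
    parts = token.split()
    if parts == ["any"] or (len(parts) == 2 and parts[1] == "255.255.255.255"):
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)

def parse_acl(text):
    """Parse the subset 'permit|deny ip|tcp|udp SRC DST [eq PORT]'; reject anything else."""
    rules = []
    for n, raw in enumerate(text.strip().splitlines(), 1):
        m = ACL_RE.match(raw.strip())
        if not m:
            raise ValueError(f"line {n}: unsupported ACL syntax: {raw!r}")
        rules.append(Rule(n, m["action"], m["proto"], parse_address(m["src"]),
                          parse_address(m["dst"]), int(m["port"]) if m["port"] else None))
    return rules

def covers(outer, inner):
    """True when every packet that matches `inner` also matches `outer`."""
    return ((outer.proto == "ip" or outer.proto == inner.proto)
            and (outer.port is None or outer.port == inner.port)
            and inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst))

def shadowed_rules(rules):
    """(line, covering earlier line): first match wins, so the later rule never fires."""
    hits = ((later.line, next((e.line for e in rules[:i] if covers(e, later)), None))
            for i, later in enumerate(rules))
    return [(line, by) for line, by in hits if by is not None]

def broad_permits(rules):
    """Lines permitting all IP traffic with 'any' as source or destination."""
    return [r.line for r in rules if r.action == "permit" and r.proto == "ip"
            and r.port is None and 0 in (r.src.prefixlen, r.dst.prefixlen)]

def acl_decision(rules, src_ip, dst_ip, proto, port):
    """First-match evaluation; a Cisco ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r.proto in ("ip", proto) and (r.port is None or r.port == port)
                and src in r.src and dst in r.dst):
            return r.action
    return "deny"

def open_ports(nmap_xml):
    """(host, proto, port, service) for every open port in an Nmap -oX report."""
    found = []
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for p in host.iter("port"):
            if p.find("state").get("state") == "open":
                found.append((addr, p.get("protocol"), int(p.get("portid")),
                              p.find("service").get("name")))
    return found

def audit(acl_text=ACL_TEXT, nmap_xml=NMAP_XML, scanner_ip=SCANNER_IP):
    rules = parse_acl(acl_text)
    # Open ports the ACL denies for the scanner: the ACL is not on that path, or the firewall is bypassed.
    unexplained = [(h, port, svc) for h, proto, port, svc in open_ports(nmap_xml)
                   if acl_decision(rules, scanner_ip, h, proto, port) == "deny"]
    return {"shadowed": shadowed_rules(rules), "broad_permits": broad_permits(rules),
            "unexplained_exposure": unexplained}

if __name__ == "__main__":
    print(audit())
```

Run as a script, it prints the three findings for the sample: the permit for RDP on 192.0.2.20 sits after "deny ip any any" and is shadowed, "permit ip 198.51.100.0 0.0.0.255 any" is a broad permit, and SSH and RDP on 192.0.2.20 are open to the scanner although the ACL denies them, which points at a path around the firewall or an ACL that is not applied on that interface. The parser deliberately rejects syntax it does not model (ICMP, port ranges, established, object groups) instead of skipping it, because a rule the analyzer cannot see could invalidate every conclusion it draws.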

TIP Conduct penetration tests and network security architectural reviews periodically, because new threats and vulnerabilities are introduced on a daily basis. Doing so allows you to measure the effectiveness of the methods used to improve the overall security after the initial tests and architectural review.

You need to understand the confidentiality requirements and risks of these types of tests. To ensure unbiased results, executives often hire third-party security professionals to perform high-level audits within the network and infrastructure readiness tests without telling their own security engineers and managers. The results of such tests are often kept a secret until a contingency plan has been built. You also need to understand the ethics and laws governing these types of activities. If you are a security professional hired by an organization to perform these types of tests and reviews, going outside your contractual boundaries is not only unethical, but also illegal.

NOTE The Cisco Press book titled Penetration Testing and Network Defense by Andrew Whitaker and Daniel P. Newman covers the best practices of penetration testing in detail.