Do we need to test our defences?
OVERVIEW
• Why testing of defences
• Penetration Testing phases
WHY TESTING OF DEFENCES?
[Figure (Infosecurity): "Are our defences working?", showing the average cost of the worst security breach for 2011]
PENETRATION TESTING
• Penetration tests are legitimate and authorised attempts that aim to test and improve security defences by identifying and exploiting vulnerable systems
• Emphasis on determining business risk and potential impact of intrusions in a controlled, professional and ethical manner
• Aids organisations to improve their security practices
• Should be performed regularly, but especially when:
  • new services/equipment/policies are introduced
  • existing services/equipment/policies are significantly modified
ALTERNATIVES TO SECURITY ASSESSMENT
• Vulnerability assessment
  • stops at identifying vulnerabilities; it does not exploit them and hence does not determine business impact
  • tends to focus on software vulnerabilities only
• Intrusion detection and network/email/web monitoring
• Security audits
  • follow a rigorous set of criteria and checklists to ensure compliance with security policy, regulations and standards
  • Penetration testing is a subset of security audits
• Configuration/Architecture
SO WHY PENETRATION TESTING?
• Shows the real-life impact of breaches
• Useful for management
• Tests systems in real-life conditions, from the perspective of an attacker (and what they know)
• Is more transparent to target environment personnel
• Requires less time for in-depth interviews, audits,
PLANNING
• “Get out of Jail Free Card”. No testing can commence without it.
• Rules of Engagement. Agree how the test will be run:
  • Contact information
  • Encryption for data exchange between testers / target organisation
  • How teams will communicate/debrief
  • Start date and finish date for tests. Acceptable times for testing. Announced vs unannounced tests.
  • Black Box vs. Crystal Box testing
SCOPING
• Identify what needs to be tested
• Identify what needs to be avoided
• Third-party equipment (e.g. ISP routers, web hosting servers, cloud providers)
• Use VM clone or actual production system?
• Internal or external testing?
RECONNAISSANCE
• The purpose of this phase is to learn as much as possible about the target organisation
  • inventory of possible targets, infrastructure
  • people and culture
  • terminology
• Provides vital clues for the remaining phases
• whois, DNS lookups, network sweeps, Google searching, metadata,
WEB RECONNAISSANCE
• Organisation website. Background on organisation
  • Main business, products, employees, email addresses, office locations, competitors, job postings, online devices
  • web archives (e.g. The Wayback Machine)
• Document metadata: pdf, doc(x), dot, xls(x), xlt, ppt(x), jpg, jpeg, etc.
  • User names, email addresses, file system structure, client software (and versions) in use
• Social networking sites (LinkedIn, Facebook, Twitter, Myspace, etc.)
METADATA ANALYSIS
• Dozens of automated tools
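The slide says only that dozens of automated tools exist; the following added example (not from the slides or from any of those tools) shows what such a tool reads and what a defender can strip before a document is published. An Office document (.docx/.xlsx/.pptx) is a zip archive, and the user name, "last modified by" account, company and application version that recon tools harvest sit in docProps/core.xml and docProps/app.xml. The sample archive is constructed in memory; the field list and the scrubbing policy are this example's own assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the OOXML property parts
DC = "http://purl.org/dc/elements/1.1/"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
APP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

# Property parts and the elements in them that leak user names, client software and versions.
# Assumption: this is the field set this example scrubs; real files may carry more (e.g. dc:description).
LEAKY_FIELDS = {
    "docProps/core.xml": {"creator": f"{{{DC}}}creator",
                          "lastModifiedBy": f"{{{CP}}}lastModifiedBy"},
    "docProps/app.xml": {"Company": f"{{{APP}}}Company",
                         "Application": f"{{{APP}}}Application",
                         "AppVersion": f"{{{APP}}}AppVersion"},
}


def build_sample_docx() -> bytes:
    """Constructed minimal .docx-like archive; only the property parts matter here."""
    core = (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">'
            f'<dc:creator>jsmith</dc:creator>'
            f'<cp:lastModifiedBy>ACME\\j.smith</cp:lastModifiedBy>'
            f'</cp:coreProperties>')
    app = (f'<?xml version="1.0" encoding="UTF-8"?>'
           f'<Properties xmlns="{APP}"><Application>Microsoft Office Word</Application>'
           f'<AppVersion>16.0000</AppVersion><Company>ACME Ltd</Company></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", "<w:document/>")  # body placeholder
    return buf.getvalue()


def extract_metadata(data: bytes) -> dict:
    """Return the leaky fields present in the archive, e.g. {'creator': 'jsmith', ...}."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part, fields in LEAKY_FIELDS.items():
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for label, tag in fields.items():
                el = root.find(tag)
                if el is not None and el.text:
                    found[label] = el.text
    return found


def scrub_metadata(data: bytes) -> bytes:
    """Return a copy of the archive with the leaky fields blanked; every other part is copied as-is."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            payload = src.read(item.filename)
            if item.filename in LEAKY_FIELDS:
                root = ET.fromstring(payload)
                for tag in LEAKY_FIELDS[item.filename].values():
                    el = root.find(tag)
                    if el is not None:
                        el.text = ""  # blank rather than delete, so the part stays schema-shaped
                payload = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(item.filename, payload)
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", extract_metadata(doc))
    print("after: ", extract_metadata(scrub_metadata(doc)))
```

Running extract_metadata over everything on the public web server, and scrub_metadata in the publishing pipeline, turns the "value of information we emit" point on the later defending slide into a repeatable check.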
BRINGING IT ALL TOGETHER
• Automated recon tools can integrate results from various sources
  • Domain names, IP addresses, social networking, network
SCANNING
• Aims to discover openings by interacting more with the target environment. Nmap is a popular tool that can automate the process
  • Network sweeps
  • Network traces
  • Port scans
  • OS fingerprinting
  • Version scans
  • Vulnerability scans
• Really important to keep records of scanning attempts and monitor
NETWORK TRACES
• Nmap traceroute is different from Windows and Unix traceroute. Optimised for large-scale scans
• Also Layer 4 traceroute, and web-based
PORT SCANS
• TCP has an inbuilt response. If a port is open, TCP will respond to a SYN request
  • A SYN/ACK response means the port is open
  • A RST/ACK means the port is closed or blocked
  • Any other response, or lack of response, means the port is filtered
• UDP has no inbuilt response. Even if a port is open, UDP will not respond to a request. The application on that port will.
  • Response from the application means the port is open
  • Lack of response means ....?????
  • UDP scans are more effective if they include application-layer requests
• TCP scans are different from UDP scans
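The rules on this slide, written out as code so the TCP and UDP cases can be compared side by side. This is an added example, not from the slides, and it goes one step further than the slide in the UDP branch: the answer to "lack of response means ...?" is the ambiguous state open|filtered, and an ICMP port-unreachable reply (type 3, code 3) from the host is what allows a UDP port to be called closed. The response labels and the observation list are this example's own constructed convention, not Nmap's.

```python
# Response labels used by this example (constructed convention):
#   TCP: "SYN/ACK", "RST/ACK", "RST", "ICMP_<reason>", or None for silence
#   UDP: "APP_REPLY", "ICMP_PORT_UNREACHABLE", "ICMP_<reason>", or None for silence


def classify_tcp(response):
    """TCP SYN probe: the IP stack itself answers, so a reply is conclusive."""
    if response == "SYN/ACK":
        return "open"
    if response in ("RST/ACK", "RST"):
        return "closed"       # the slide's "closed or blocked": a host reset
    return "filtered"         # silence or an ICMP error: something in the path dropped the probe


def classify_udp(response):
    """UDP probe: only the application on the port, or ICMP from the host, can answer."""
    if response == "APP_REPLY":
        return "open"
    if response == "ICMP_PORT_UNREACHABLE":
        return "closed"       # the host says nothing listens there
    if response and response.startswith("ICMP_"):
        return "filtered"     # other unreachable codes come from filtering devices
    # Silence: an open service that ignores our payload is indistinguishable from a
    # dropped packet. Sending a real application-layer request (a DNS query to 53/udp,
    # an SNMP get to 161/udp) shrinks this bucket, which is the slide's last point.
    return "open|filtered"


def port_states(observations):
    """Map a list of (proto, port, response) observations to {(proto, port): state}."""
    states = {}
    for proto, port, response in observations:
        states[(proto, port)] = classify_tcp(response) if proto == "tcp" else classify_udp(response)
    return states


# Constructed observations, one for each branch of the rules above
OBSERVED = [
    ("tcp", 22, "SYN/ACK"),
    ("tcp", 23, "RST/ACK"),
    ("tcp", 135, None),
    ("tcp", 445, "ICMP_ADMIN_PROHIBITED"),
    ("udp", 53, "APP_REPLY"),
    ("udp", 69, "ICMP_PORT_UNREACHABLE"),
    ("udp", 123, None),
    ("udp", 161, "ICMP_ADMIN_PROHIBITED"),
]

if __name__ == "__main__":
    for (proto, port), state in sorted(port_states(OBSERVED).items()):
        print(f"{port}/{proto}: {state}")
```

The asymmetry matters for the defender too: a UDP service that never answers unsolicited datagrams appears as open|filtered in every scan, so the scan report alone does not prove exposure, whereas a TCP SYN/ACK does.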
SCANNING TECHNIQUES
• OS fingerprinting: sends pre-defined unusual stimuli that are designed to show differences in OS behaviour
  • First generation was more error-prone
  • Second generation is more accurate. Uses more than 30 tests
• Version scans: help identify services on unexpected ports
  • e.g. http on 23/tcp rather than 80/tcp
  • Also help to identify their version
SCANNING TECHNIQUES
• Knowing the live systems, running services and their versions, the next step is to discover vulnerabilities
  • Nmap, Nessus and numerous other tools can help in this step
• User accounts are often used in exploits. Apart from public-facing resources, they can be harvested from the local network.
  • Email addresses
  • /etc/passwd in Linux/Unix
  • sid2user in Windows
EXPLOITATION
• The next step is gaining access to the system and running commands
  • e.g. installing software on the target system, taking files from the target system, sniffing traffic, changing the configuration, pivoting to other systems, etc.
• Useful to verify if a vulnerability exists
• Initial access is often used as a pivot point to get further access in the internal network and show the real impact of a vulnerability
• Carries risks and hence it is vital to pre-determine at the planning stage what is allowed on what systems
  • data exposure; system integrity; system instability
EXPLOIT TYPES
• Exploits against a service: once a vulnerability is discovered, an exploit is delivered to the service
  • Inbound traffic on the port should be allowed on the firewall
• Exploits against a client: the client needs to connect to the attacker in order to retrieve the exploit
  • Popular exploits: Flash Player, Adobe Acrobat, Internet Explorer, Java, QuickTime Player, etc.
POST EXPLOITATION
• Once access is gained, the next step is to prove access and show its impact
• Files to pilfer:
  • passwords, crypto keys, Windows credentials, wifi pre-shared keys
  • source code, system files, application config
  • trust relationships, other systems from DNS cache, ARP
DEFENDING AGAINST RECONNAISSANCE
• Understanding the value of the information our systems, devices and employees emit is key
  • Metadata, job websites, online forums
• Hardening of systems and devices
  • E.g. silence routers and systems
  • Free templates available at cisecurity.org. Automated tools include MBSA, Bastille
• Configure systems and applications to behave differently (e.g. a different TCP/IP stack; change server banners and responses, e.g. IPPersonality, Servermask)
• Use pen testing tools against your own systems
• Social engineering
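Two slides meet here: the version-scan slide's point that a service can be identified on an unexpected port (http on 23/tcp), and this slide's advice to change server banners. The following added example (not from the slides, and not Nmap's probe database) is a small fingerprinter that names the protocol from the first bytes a service sends or from its reply to a harmless request, regardless of port, and then compares what it found against a baseline of expected services so that stray listeners stand out. The sample responses, the baseline and the regex recognisers are this example's own constructed assumptions; the masked-banner sample shows what banner changing does and does not hide.

```python
import re

# Constructed sample responses, keyed by (proto, port); one is http on 23/tcp as on the slide,
# and 8080/tcp carries a masked Server header.
SAMPLES = {
    ("tcp", 23): b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Length: 0\r\n\r\n",
    ("tcp", 2222): b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n",
    ("tcp", 25): b"220 mail.example.test ESMTP Postfix\r\n",
    ("tcp", 21): b"220 (vsFTPd 3.0.3)\r\n",
    ("tcp", 8080): b"HTTP/1.1 200 OK\r\nServer: Webserver\r\nContent-Length: 0\r\n\r\n",
}

# Baseline of what each port is supposed to run (assumption for this example)
EXPECTED = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 443: "http"}


def _ssh(data):
    # SSH identification string: "SSH-<protoversion>-<softwareversion>"
    m = re.match(rb"SSH-(\d\.\d)-(\S+)", data)
    return ("ssh", m.group(2).decode()) if m else None


def _http(data):
    # A status line identifies HTTP even when the Server header is missing or masked
    if not re.match(rb"HTTP/\d\.\d \d{3}", data):
        return None
    server = re.search(rb"(?im)^Server:\s*(.+?)\r?$", data)
    return ("http", server.group(1).decode().strip() if server else None)


def _ftp_smtp(data):
    # Both FTP and SMTP greet with "220"; the greeting text usually says which
    if not re.match(rb"220[ -]", data):
        return None
    line = data.split(b"\r\n", 1)[0].decode(errors="replace")
    upper = line.upper()
    if "SMTP" in upper:          # also matches ESMTP
        return ("smtp", line[4:])
    if "FTP" in upper:           # also matches vsFTPd, ProFTPD
        return ("ftp", line[4:])
    return ("ftp-or-smtp", None)  # needs an application-layer request to settle


def fingerprint(data):
    """Return (protocol, version-or-None) for a raw service response, independent of port."""
    for recogniser in (_ssh, _http, _ftp_smtp):
        result = recogniser(data)
        if result:
            return result
    return ("unknown", None)


def unexpected_services(samples, expected=EXPECTED):
    """Ports whose identified protocol differs from the baseline (including ports not in it)."""
    findings = {}
    for (proto, port), data in samples.items():
        name, version = fingerprint(data)
        if expected.get(port) != name:
            findings[port] = (name, version)
    return findings


if __name__ == "__main__":
    for port, (name, version) in sorted(unexpected_services(SAMPLES).items()):
        print(f"{port}/tcp: {name} {version or '(no version exposed)'} not in baseline")
```

The 8080/tcp sample is the point for the defender: a masked banner removes the product and version string, but the HTTP status line still identifies the protocol, so banner changes reduce what reconnaissance yields without being a substitute for removing or hardening the listener.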