1. Hacking for money
Penetration testing, simply put, is finding system vulnerabilities through simulations of real-world attacks.
- Goals
- Try to find how far a real attacker would make it.
- Tools
- The same tools the attackers use.
- Method
- contract with the "victim"
- hack yourself in, but don't break anything
- keep confidential information confidential
- write a detailed report
1.1. Motivations
Finding vulnerabilities is an essential step in information security, but there can be many reasons to perform a pentest:
- evaluate own security concepts As the biggest enemies of a good security policy are time and money, it is often difficult to have a complete and robust information security concept that holds against all the different kinds of attackers.
- convince management The system administrators often have to balance the features with the security of the internal applications and systems. A pentest done by external experts can therefore help in convincing the management to free up budget for vulnerabilities to be fixed.
- "corporate blindness" Systems may seem secure from the inside view, but an outsider might have a whole different view of them. Never underestimate the creativity of a potential intruder.
- fear of industry espionage, real attacks (DoS, ...) It is always a good thing to test worst-case scenarios before they take place. A denial-of-service, for instance, is relatively hard to foresee and test internally, so pentests are almost the only solution for these issues.
- compliance with legal framework More and more organisations have to comply with legal obligations, regulations, conventions, standards, etc., to mention only some: the cybercrime convention/framework, data protection laws, SOX, ISO standards, etc.
- independent advice Pentests are normally done by independent experts, who may have more or less information about the "victim" organisation. This independence is important to get a really objective view of its information security.
- image gain Pentests help improve security, and security can be used as a marketing tool, depending on the sector of course, but at least it can give clients better confidence in the organisation's products and services.
2. Pentesting in detail
Penetration testing can be performed whether the tester has zero, some or total knowledge of the "victim" system. Generally one talks about two types of tests:
- Blackbox A blackbox or zero-knowledge test is a pentest where the testers have little or no prior knowledge about the target. They have to research the necessary information in publicly available databases or make inquiries, as an outsider or anonymous attacker would also have to. The idea behind it is of course to determine how much information a potential attacker could get about the "victim's" system and network architecture.
- Whitebox Here the testers get some knowledge about internal systems and networks or even detailed knowledge about certain areas. It can even go as far as starting with accounts on some systems, like for instance an employee would have. Further types of information, like the internal organisational structure, useful services like DNS, mail, etc. and maybe some internal procedures are made available to the testers in this type of whitebox or full-knowledge pentesting.
In general one starts with a blackbox test. If the perimeter security stands tight and no intrusion was possible, it is still necessary to perform a further test: a whitebox. This is because most systems and networks (an estimated ~90%) follow the saying: "a crunchy shell around a soft, chewy center". A whitebox pentest, in which for instance an attack by an employee from the inside can be simulated, brings up internal holes and security breaches.
Besides these two basic types, there are some more specific ways of penetration testing:
- WLAN More and more organisations use WLAN (WiFi, etc.) networks to enhance the mobility of their employees and the ease of use for clients and visitors, but few of the same companies consider the fact that this opens a big hole in their network and breaks the perimeter security. As such there can be specific demands for pentesting the wireless vicinity of the "victim".
- Physical Information security is a global picture in which the physical world should not be neglected; most information is still paper based. So the physical protection mechanisms (doors, locks, alarm systems, etc.) should also be tested for their resistance to attacks (intrusions).
- Social Similar to the physical aspect above, there is also a social way of attacking, namely the well-known social engineering techniques, which are becoming more and more popular as well (among the blackhats).
Finally there is the:
- Joker The joker is a special contractual agreement, where the testers get a kind of "own this service or system" card at certain moments during the overall pentest. In this way services or systems which were not penetrated or exploited can nevertheless be considered to be so, and as such 0-days or the like can be tested more easily. Special fall-back or worst-case scenarios can be tested this way, as well as "defense in depth" mechanisms, without wasting valuable time.
2.1. Contract
- Objective(s) of the penetration test
The contract should clearly state the objective being pursued by the organization commissioning the performance of a penetration test. The most common objectives relevant here are:
- Increasing the security of the technical systems,
- Identifying vulnerability as a criterion for making decisions (e.g. for investments or the suitability of products),
- Obtaining certification/confirmation from an external third party,
- Increasing the security of the organizational/personnel infrastructure.
- Nature of the penetration test
- Techniques to be used and excluded The individual techniques used in a penetration test are to be described in more detail where this is both possible and appropriate. In particular, any social engineering techniques and active tests of access controls to be employed should be described. Because social engineering techniques are by nature problematic and possibly unethical, it is appropriate to specify a clear framework for them (e.g. avoiding incitement of employees to behave unethically). An active test of access controls attempts to circumvent physical security measures, which can be regarded as burglary. An explanation of the circumstances under which the test is to take place is also necessary in this respect. It is also important to exclude attacking techniques which are expressly not to be used. Such techniques should also be defined in the contract, stating the reasons for their exclusion.
2.2. Obligations
- The Client
- Provision of information depending on the nature of the penetration test Depending on the nature of the penetration test, the penetration tester may be reliant on extensive information from the client. For example, a white-box test requires information on DNS names, IP addresses, security policies, system configurations, firewall rules, escalation procedures, etc. The penetration tester should therefore provide the client with a list of the required information before concluding the contract and agree in the contract that all required information be made available in time.
- Information from potentially affected third persons During normal data traffic on public networks, a penetration test also uses third party systems (e.g. the communication server of a provider, the web server of a mainframe computer). Since it is impossible to exclude impairing the performance of these systems, we advise giving advance notification of the penetration tests to any third persons who may be affected. These information duties could be delegated to the client as it is in a better position to estimate which third parties could be affected by the tests.
- Protective measures for unforeseeable system failure Since it cannot be completely ruled out that systems are impaired during testing such that data is lost, it is in the client’s own interests to create data backups of the high-risk and relevant systems. Data backups ensure that the data can be recovered if necessary and mitigate the potentially adverse effects of data loss.
- The Testers
- Secrecy In the course of a penetration test, a penetration tester may gain access to highly sensitive information on vulnerabilities in the client’s network. This information must not be made available to third persons so as to reduce the risk to the client to a minimum. The tester should therefore be bound to observe secrecy in respect of the information made available to him as well as the information which came to his knowledge in the course of testing. Generally an NDA (Non Disclosure Agreement) is signed with the client.
- Compliance with licensing regulations The tester is responsible for complying with licensing regulations when using commercial security tools. Since the royalties for the use of security tools are normally charged on to the client, the client should be provided with a clear breakdown of these charges.
- Documenting the testing procedures and results The nature and scope of the documentation of the testing procedures and the results should be specified in the contract. The tester should be obliged to provide precise documentation of his testing procedures. This ensures that the techniques he has used can be traced in the event of damage. In addition, the parties should agree to the form in which the results should be presented (report, presentation, reports and analyses of the security tools used).
- General duty of due care The penetration tester must exercise due care while performing testing procedures. For example, it would be grossly negligent if the penetration tester were to “accidentally” attack the system of an uninvolved third party because he had confused a DNS name. The contract should therefore stipulate that the penetration tester must apply due care in the performance of his activity with respect to potential damage he may cause.
2.3. Skills
The following skills are necessary for an expert performance of penetration tests:
- Knowledge of system administration/operating systems This knowledge is necessary for evaluating weaknesses in the operating systems of the target systems and also facilitates the handling of the systems used in the penetration test.
- Knowledge of TCP/IP and, if applicable, other network protocols Since data traffic on the internet is handled by TCP/IP, which has also become the standard in LANs, in-depth knowledge of this protocol is essential. Knowledge of TCP/IP is closely connected with knowledge of other networks and of the OSI reference model.
- Knowledge of programming languages To be in a position to exploit vulnerabilities in applications and systems, knowledge of a programming language is advantageous. While there are a range of ready tools as scripts or with graphical user interfaces, security gaps such as buffer overflows etc. can only be effectively exploited when the tester has the necessary programming knowledge.
- Knowledge of IT security products such as firewalls, intrusion detection systems Since security arrangements such as firewalls or intrusion detection systems are extremely common nowadays, the penetration tester should know how these security arrangements work and follow the latest reports on security gaps in IT security products. It is essential to have an overview of the common products on the market in the field of IT security.
- Knowledge of how to handle hacker tools and vulnerability scanners In addition to some basic knowledge, experience in handling hacker tools and vulnerability scanners is necessary for performing penetration tests. Skills in the handling of these tools should be obtained through practical experience. Over the course of time, among the multitude of tools available, certain products have achieved a wide distribution (e.g. nmap for port scans, L0phtCrack for Windows passwords). Commercial tools can be used for performing an efficient test and freeware tools can be employed to demonstrate the relatively simple performance of such tests. The efficiency of the penetration test depends heavily on how experienced the penetration tester is in handling these tools.
- Knowledge of applications/application systems Many vulnerabilities are located in the applications rather than the operating system software. They span the entire range of application systems, ranging from insufficiently secured macro functions in word processing programs to vulnerabilities of internet browsers through scripting, to buffer overflow errors in large database systems, as examples. The tester should therefore be familiar with as many types of applications as possible. Detailed knowledge of commonly used applications is particularly important, since the risk of hackers and crackers here is generally particularly high.
- Creativity In addition to the high professional requirements, creativity is an important quality in a penetration tester. Since a qualified penetration test can only follow a rigid pattern to a limited extent, the question of how to proceed at a particular point will undoubtedly arise during the course of a penetration test when it at first sight seems impossible to further compromise a system. This problem can be approached by cleverly combining the information a tester has obtained, the vulnerabilities he has identified and the tools and methods available to him. By exercising his intelligence, a creative penetration tester should therefore be better positioned to perform a “successful” test than a penetration tester who merely relies on the results of his tools when performing the test. Creativity should, however, never lead to an unsystematic or even chaotic test which is not subsequently traceable.
2.4. Techniques
Penetration testing must be done in a structured manner using well-defined steps:
- Reconnaissance Research information about the target systems and network. Computers that can be accessed over the internet must have a public (routable) IP address. Freely accessible databases (the whois databases of the regional registries, such as RIPE) provide information about the IP address blocks assigned to an organization.
- Enumeration
- Scan target systems for services on offer. An attempt is made to conduct a port scan of the computer(s) being tested, open ports being indicative of the applications assigned to them.
- Identify systems and applications. The names and version of operating systems and applications in the target systems can be identified by “fingerprinting”.
- Researching Vulnerabilities. Information about vulnerabilities of specific operating systems and applications can be researched efficiently using the information gathered.
- Exploitation Exploiting vulnerabilities. Detected vulnerabilities can be used to obtain unauthorized access to the system or to prepare further attacks.
- Reporting Writing the final test report. This is the less fun part, but by far the most important one for the target. This report should contain all the vulnerabilities, breaches and the potential damage they might have caused, as well as proposed solutions.
2.5. Usual suspects
As in an attack by a real cracker, the pentesters use well-known methods and ways for performing their test. Start with the usual suspects, then follow your gut; there is no cookbook.
- Reconnaissance:
- website and other homepages
- DNS
- whois / RIPE
- Enumeration:
- port scanning
- known vulnerabilities first
- default or error configs
- Exploitation:
- old versions
- weak passwords and/or configs
- unused or forgotten services
- open shares
- WLAN
- backups
- physical negligence
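The enumeration step of 2.4 and the "port scanning" / "known vulnerabilities first" items of 2.5, combined with the due-care clause of 2.2 (never touch a host outside the contract because a name was confused), as an added Python example that is not part of the original notes: a TCP connect scan of a target, banner grabbing and a crude fingerprint of the service that answered, which refuses any host outside the agreed scope. The scope networks, the banner patterns and the fake loopback service are constructed for this example; on a real engagement the scope comes from the contract and the scanning is normally done with nmap (mentioned in 2.3).

```python
import ipaddress
import re
import socket
import threading

# Scope as it would be written into the contract (constructed example values).
SCOPE = [ipaddress.ip_network("127.0.0.0/8"),
         ipaddress.ip_network("192.0.2.0/24")]

# Banner patterns used for fingerprinting (constructed, deliberately not exhaustive).
BANNER_PATTERNS = [
    ("ssh",  re.compile(r"^SSH-[\d.]+-(?P<product>[A-Za-z]+)[_/ ](?P<version>[\w.]+)")),
    ("smtp", re.compile(r"^220 \S+ ESMTP (?P<product>\w+)(?: (?P<version>[\w.]+))?")),
]


def in_scope(host: str) -> bool:
    """The contract's due-care clause in code: only hosts inside agreed networks."""
    return any(ipaddress.ip_address(host) in net for net in SCOPE)


def fingerprint(banner: str):
    """Map a service banner to (protocol, product, version); unknown if nothing matches."""
    for proto, pat in BANNER_PATTERNS:
        m = pat.match(banner)
        if m:
            return proto, m.group("product"), m.group("version") or ""
    return "unknown", "", ""


def scan_port(host: str, port: int, timeout: float = 0.5):
    """TCP connect scan of one port; returns (is_open, banner)."""
    if not in_scope(host):
        raise ValueError(f"{host} is outside the agreed scope; refusing to scan")
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:          # refused, filtered (timeout) or unreachable
            return False, ""
        try:
            banner = s.recv(256).decode("ascii", "replace").strip()
        except OSError:          # open but silent within the timeout
            banner = ""
    return True, banner


def scan(host: str, ports):
    """Enumeration: open ports mapped to the fingerprint of what answered."""
    found = {}
    for port in ports:
        is_open, banner = scan_port(host, port)
        if is_open:
            found[port] = fingerprint(banner)
    return found


def start_fake_service(banner: bytes) -> int:
    """Constructed stand-in for a target: listens on loopback, greets with a banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port() -> int:
    """A loopback port nothing listens on (bind to 0, read the number, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Scan one open (fake SSH) and one closed port on the loopback 'target'."""
    ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")
    closed = free_port()
    return ssh_port, closed, scan("127.0.0.1", [ssh_port, closed])


if __name__ == "__main__":
    ssh_port, closed, result = demo()
    print(result)                 # only ssh_port appears, as ('ssh', 'OpenSSH', '7.4')
    try:
        scan("198.51.100.7", [22])  # not in SCOPE: the scanner refuses
    except ValueError as e:
        print(e)
```

The version string is the input for the "known vulnerabilities first" and "old versions" items of the checklist: it is looked up against advisories for that product, which this example deliberately leaves to the tester rather than hard-coding a vulnerability list. The scope check sits in scan_port, not in the caller, so that no code path can reach a host that was never contracted.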
2.6. Report
The final report should contain the following elements:
- Management summary A short and precise summary showing the main issues detected and giving a global picture of the current security situation of the organisation.
- Detailed technical analysis The intended audience of this part are the system administrators and/or security officers. It should contain a detailed listing of all the vulnerabilities, intrusions, exploited systems, etc. Every point should include a description of the problem encountered, a risk analysis for this issue and proposals for solutions.
The report itself is of course essential for the client, but there is something more important that is most often not recognized:
- Meeting Indeed, the report should not simply be handed over, but discussed in detail during a meeting with all the parties, system admins and management. In fact the report is often used as an awareness-raising tool for the management or the inexperienced system admins.