Saturday, September 6, 2014

Penetration Testing

A penetration test (pen-test) is a controlled process in which a trusted third party performs security verification using the methods, tools and techniques that persons with malicious intent would use. Since more and more companies have heavily integrated Information Technology into their businesses, there is an increased threat of attack from people intent on stealing that information.


This type of approved attempt at testing your company’s security measures is sometimes known as Ethical Hacking. It is ethical because you have given the Penetration Testing company permission to attempt to ‘hack’ your security systems.

Penetration Testing is an ethical way of assessing the potential vulnerabilities in your information security structure. The purpose of a Penetration Test is to determine these vulnerabilities so that you can better defend against all forms of attack. A pen test can be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and respond to security incidents.


Elements of the Pen-Test
Target - a resource which will be targeted for attack during the pen-test. The target can be a single item (server, router, safe) or a set of resources with some common denominator (server farm, network segment, offices).
Trophy - a resource that the testers are tasked with extracting or destroying. Malicious attackers usually stand to gain benefit from the attack, and if the valuable resource is identified, it can be tagged as a 'trophy' to be won by the pen-testers. Bear in mind that sometimes the trophy may not be a physical item, but a loss of functionality or service that can tarnish the reputation of the company.

Test vector - the attack channel or set of channels that the pen-testers will use during the test.

Test type - the type of test the pen-tester will perform:

Black box - the pen-tester performs the attack with no prior knowledge of the infrastructure, defense mechanisms and communication channels of the target organization. A black box test simulates an unsystematic attack by weekend or wannabe hackers (script kiddies).

Gray box - the pen-tester performs the attack with limited knowledge of the infrastructure, defense mechanisms and communication channels of the target organization. A gray box test simulates a systematic attack by well prepared outside attackers or insiders with limited access and privileges.

White box - the pen-tester performs the attack with full knowledge of the infrastructure, defense mechanisms and communication channels of the target organization. A white box test simulates a systematic attack by well prepared outside attackers with insider contacts or insiders with largely unlimited access and privileges.

Phases of Penetration Testing:

Planning Phase:

The planning phase is where the scope for the assignment is defined. Management approvals, documents and agreements like the NDA (Non-Disclosure Agreement), etc., are signed. The penetration testing team prepares a definite strategy for the assignment. Existing security policies, industry standards, best practices, etc. will be some of the inputs towards defining the scope for the test. This phase usually consists of all the activities that need to be performed prior to commencement of the actual penetration test.

Discovery Phase:

The discovery phase is where the actual testing starts; it can be regarded as an information gathering phase. This phase can be further categorized as follows:

• Footprinting phase
• Scanning and Enumeration phase
• Vulnerability Analysis phase

Footprinting:

The process of footprinting is a completely non-intrusive activity performed in order to get the maximum possible information available about the target organization and its systems using various means, both technical and non-technical. This involves searching the internet and querying various public repositories (whois databases, domain registrars, Usenet groups, mailing lists, etc.).

A penetration tester must utilize this phase as much as possible, be creative in identifying various loopholes, and explore every possible aspect that could lead to relevant information leakage about the target organization in the shortest time possible.

Scanning and Enumeration:

The scanning and enumeration phase usually comprises identifying live systems, open/filtered ports, the services running on those ports, mapping router/firewall rules, identifying operating system details, network path discovery, etc.

This phase involves a lot of active probing of the target systems. A penetration tester must be careful and use the tools for these activities sensibly and not overwhelm the target systems with excessive traffic.

Vulnerability Analysis:

After successfully identifying the target systems and gathering the required details from the above phases, a penetration tester should try to find any possible vulnerabilities existing in each target system. During this phase a penetration tester may use automated tools to scan the target systems for known vulnerabilities. These tools will usually have their own databases consisting of the latest vulnerabilities and their details.

It is important for any penetration tester to be up to date with the latest security-related developments. More often than not this phase depends solely on the experience of the penetration tester.


Strategies involved in Pen-Test

Based on specific objectives to be achieved, the different penetration testing strategies include:
External testing strategy:

External testing refers to attacks on the organization's network perimeter using procedures performed from outside the organization's systems, that is, from the Internet or Extranet. This test may be performed with no disclosure or with full disclosure of the environment in question. The test typically begins with publicly accessible information about the client, followed by network enumeration, targeting the company's externally visible servers or devices, such as the domain name server (DNS), e-mail server, Web server or firewall.

Internal testing strategy:

Internal testing is performed from within the organization's technology environment. This test mimics an attack on the internal network by a disgruntled employee or an authorized visitor having standard access privileges. The focus is to understand what could happen if the network perimeter were successfully penetrated or what an authorized user could do to penetrate specific information resources within the organization's network. The techniques employed are similar in both types of testing although the results can vary greatly.

Blind testing strategy:

A blind testing strategy aims at simulating the actions and procedures of a real hacker. Just like a real hacking attempt, the testing team is provided with only limited or no information concerning the organization prior to conducting the test. The penetration testing team uses publicly available information (such as the corporate Web site, domain name registry, Internet discussion boards, USENET and other sources of information) to gather information about the target and conduct its penetration tests. Blind testing can provide a lot of information about the organization (so-called inside information) that may otherwise have been unknown; for example, a blind penetration may uncover such issues as additional Internet access points, directly connected networks, publicly available confidential/proprietary information, etc. However, it is more time consuming and expensive because of the effort required by the testing team to research the target.

Double blind testing strategy:

A double-blind test is an extension of the blind testing strategy. In this exercise, the organization's IT and security staff are not notified or informed beforehand and are "blind" to the planned testing activities. Double-blind testing is an important component of testing, as it can test the organization's security monitoring and incident identification, escalation and response procedures. As is clear from the objective of this test, only a few people within the organization are made aware of the testing. Normally it is only the project manager who carefully watches the whole exercise to ensure that the testing procedures and the organization's incident response procedures can be terminated when the objectives of the test have been achieved.

Targeted testing strategy:

Targeted testing, or the lights-turned-on approach as it is often called, involves both the organization's IT team and the penetration testing team in carrying out the test. There is a clear understanding of the testing activities and of the information concerning the target and the network design. A targeted testing approach may be more efficient and cost-effective when the objective of the test is focused more on the technical setting, or on the design of the network, than on the organization's incident response and other operational procedures. Unlike blind testing, a targeted test can be executed in less time and with less effort; the trade-off is that it may not provide as complete a picture of an organization's security vulnerabilities and response capabilities.


Pen-Test Types

Denial of Service (DoS) Testing:

Denial of service testing involves attempting to exploit specific weaknesses on a system by exhausting the target's resources so that it stops responding to legitimate requests. This testing can be performed using automated tools or manually. The different types of DoS can be broadly classified into software exploits and flooding attacks. Decisions regarding the extent of Denial of Service testing to be incorporated into a penetration testing exercise depend on the relative importance of ongoing, continued availability of the information systems and related processing activities.

Denial of service can take a number of formats; those that are important to test for are listed below:

  1. Resource overload – these attacks intend to overload the resources (e.g. memory) of a target so that it no longer responds.
  2. Flood attacks – this involves sending a large number of network requests with the intention of overloading the target. This can be performed via ICMP (Internet Control Message Protocol), known as "smurf" attacks, or via UDP (User Datagram Protocol), known as "fraggle" attacks.
  3. Half open SYN attack – this involves partially opening numerous TCP connections on the target, so that legitimate connections cannot be started.


Out of Bound Attacks:

These attempt to crash targets by breaking IP header standards:

  1. Oversized packets (ping of death) – the packet header indicates that there is more data in the packet than there actually is.
  2. Fragmentation (teardrop attack) – sends overlapping fragmented packets (pieces of packets) which are under length.
  3. IP source address spoofing (land attack) – causes a computer to create a TCP connection to itself.
  4. Malformed UDP packet header (UDP bomb) – UDP headers indicate an incorrect length.
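As an added example that is not part of the original post, the following Python checks look for the signatures just described (half-open SYNs, oversized packets, overlapping fragments, land packets and UDP length mismatches) in constructed packet summaries, the kind of checks a monitoring team would run to notice such a test; the dictionary field names and the threshold are this example's own assumptions.

```python
# Added example (not from the original post): defender-side detection of the
# malformed-packet and half-open SYN signatures described above, applied to
# constructed packet summaries. The dict field names are this example's own.
from collections import Counter

MAX_IP_LEN = 65535  # largest IPv4 datagram the 16-bit length field can describe


def malformed_signatures(pkt):
    """Return the names of the single-packet header anomalies present in pkt."""
    hits = []
    flags = pkt.get("flags", set())
    # Land: a TCP SYN whose source address:port equals its destination address:port.
    if pkt["proto"] == "tcp" and "SYN" in flags and \
            (pkt["src"], pkt.get("sport")) == (pkt["dst"], pkt.get("dport")):
        hits.append("land")
    # Ping of death: the IP header claims more data than was actually captured.
    if pkt["ip_len"] > pkt["wire_len"] or pkt["ip_len"] > MAX_IP_LEN:
        hits.append("oversized")
    # UDP bomb: the UDP length field is shorter than its own 8-byte header or
    # disagrees with the payload length the IP layer delivered.
    if pkt["proto"] == "udp":
        udp_len = pkt.get("udp_len", 8)
        if udp_len < 8 or udp_len != pkt.get("udp_payload_len", 0) + 8:
            hits.append("udp_bomb")
    return hits


def fragments_overlap(fragments):
    """True if any two (offset, length) fragments of one datagram overlap (teardrop)."""
    ordered = sorted(fragments)
    return any(ordered[i + 1][0] < ordered[i][0] + ordered[i][1]
               for i in range(len(ordered) - 1))


def half_open_sources(packets, threshold):
    """Sources with more than `threshold` SYNs never followed by an ACK (half-open SYN)."""
    pending = set()
    for p in packets:
        if p["proto"] != "tcp":
            continue
        key = (p["src"], p.get("sport"), p["dst"], p.get("dport"))
        if "SYN" in p["flags"] and "ACK" not in p["flags"]:
            pending.add(key)
        elif "ACK" in p["flags"]:
            pending.discard(key)  # handshake completed, no longer half-open
    counts = Counter(key[0] for key in pending)
    return {src: n for src, n in counts.items() if n > threshold}
```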

