Chapter 12: Network Penetration Testing


Overview

There are few subjects that can perk up a tired audience quicker than a discussion of network penetration testing. This is the chance for the good guys to act like the bad guys for a short period of time. Secretly, this is what most network administrators wish they could do, but for whatever reason, they have not joined the "elite" of the "information Wild West." Having a chance to "hack" a network as part of their job is something that most people will jump at. It is interesting, it is dramatic, and it is the reason (at least initially) that most people become interested in the information security field. While management and government rally the public about the danger of computer crime, it is a fact that many in the information security field, on either side of the fence, regard the process of breaking into and securing computer networks as a challenging test of skill and experience.

Network penetration testing, like network security and hacking, is part art and part science. Using the same tools that the average attacker will use in trying to circumvent the security on the network, the goal of a network administrator is to discover the errors and omissions of their own security policy implementation before the bad people do.

Despite the intangible qualities of the art of network penetration testing, for our purposes, we want a process that has definable goals and achievable outcomes. Our ultimate goal is to provide information that will allow us to create a more secure network. Therefore, before beginning any work on network penetration testing, it is important to take care of some paperwork.

The network penetration test should begin with clear goals. These goals are then bounded by a number of constraints on the test itself. This is crucial because, sometimes, it can be difficult to tell the difference between a penetration test and a real attack. When your testing crashes an important server, many would argue that there is no real difference.

At a minimum, your plan of action should define the following from the outset:

  • Goals. An idea of what the network penetration will attempt to accomplish. For example, "To test for vulnerabilities on the corporate network by testing the administrative, physical, and technical controls that affect information security. This information will then be used to prioritize any corrective action that may be required to align the state of the network with the published information security policy of this company."

  • Scope. What is to be tested should always be defined. This serves as a statement of work for the project and can include a specific checklist of tests to be performed, or can provide a broad description of the testing procedures. Statisticians would say that we are what we measure and, in this case, we will only be able to evaluate the security of what we have tested. This portion should leave no confusion as to what will be examined and what will not be examined.

  • Off-limits. Closely related to scope is an explicit list of what is off-limits. Exempt hosts, services, or classes of vulnerability should be clearly listed; for example, "In no event shall the physical security of the building be circumvented or disabled." or "The server at 192.168.1.11 is exempt from all testing." In many cases, someone from outside your organization will be performing the actual testing. Some information may be sensitive enough that even its testing by an outside entity is suspect. Other times, a service is important enough that automated scanning, with the possible result of a host crash, is unacceptable. If either of these cases applies, the exception must be clearly stated.

  • Time of execution. In most instances, a network penetration test is going to look a lot like a network attack. To protect the person doing the testing and to allow the organization to detect a real attack, the time of the test should be clearly defined.

Ultimately, for the network penetration testing to provide any value to the company that orders it, a thorough report should be made at the conclusion of the testing. Whether you are performing the test yourself or employing the services of a third party, you should expect, at a minimum, the following from the final report:

  • Executive summary. A manager is going to expect to see the results of the testing. An overview should be written that is sufficient to convey the findings of the testing without going into too much detail.

  • Technical presentation. For those who actually need to implement the findings of the testing, a technical report should be included; this report contains details of the testing process along with descriptions of the vulnerabilities.

Both the technical presentation and the executive summary should also include the following sections:

  • Results sorted by priority. It would be the rare penetration test that returned the result of "A+" and nothing more. When action needs to be taken in response to discovered vulnerabilities, it is crucial that these be prioritized for the benefit of management and network administrators.

  • Risk exposure. What is the potential effect on the company if the identified vulnerabilities are not addressed?

  • Resource requirements. What would it require to reduce the threat from any risks discovered during this process?

  • Recommended actions. Finally, a recommendation as to the course of action that should be taken to address the issues revealed through the testing process.

When the report has been generated, reviewed, and acted upon, the final step is to evaluate the company's information security policy. Does anything in the report suggest that it was an oversight in the security policy that must be addressed? A security policy is not a static document. It is to be expected that as the result of a test, it would change to reflect the changing nature of the network and the threats that put it at risk.

Ideally, the time for network penetration testing is after the security policy has been implemented. In some cases, a simple penetration test has also been used to convince management of the importance of a proper information security policy. Once the initial testing has occurred, it should then be scheduled for regular testing in the future and after all significant changes to the security policy or implementation in the enforcement of the security policy.

To properly perform network penetration testing, it is important for network administrators to change their perspective on their network for a time. They must look at their own network from the point of view of a determined attacker.

Whether or not a particular attacker knows it, there is a certain series of steps that occur in more or less detail before an attack is actually launched. The first and most important step is to understand the motivation for someone to attack your network. Understanding this step will help define the goals of the various groups of attackers and to better understand their targets.

Many attackers are simply out to gain recognition or admiration from their peers. Hackers motivated in this manner may increase their virtual tally through the number of systems that they compromise or rank their prestige vis-a-vis their peer group based on the perceived difficulty of attacking the target. Many attackers in this category are the stereotypical "hackers." That is, they are (usually) young males with a great deal of time and an incomplete understanding of the technology they are using. Attackers in this category are the most likely to use vulnerabilities discovered by others that have been made simple to use through the use of exploit scripts — programs that execute a series of precompiled attacks. The lower skilled of this group are commonly referred to in a derisive manner as "script kiddies" due to their reliance upon other, more experienced attackers for the actual knowledge required to successfully launch an attack.

Unless your network presents a particularly attractive target for attackers in this group — that is, your network represents some sort of "crown jewel" of possible targets — most attackers looking for prestige in their peer group are most likely to attack the most clearly vulnerable sites. Normal expenditures on network security will be sufficient to deter these attackers because, sadly, there are plenty of easier targets out there for them to set their sights on.

"Hacking" has not always carried the negative connotations that it does in today's language. At one point, it was a symbol of respect to be referred to as a "hacker" in any technology. This is because the original hackers were simply people who sought to fully understand the workings of any technology. Thus, a hacker was simply someone with a great deal of knowledge and curiosity regarding technology. The second primary motivation for attacking networks still reflects this basic premise of hacking — curiosity.

Many people in the security industry are there because they are motivated by curiosity. Just as some people are attracted to being expert chefs, musicians, mechanics, or fighter pilots, the curious hacker simply seeks to understand how networks work and what information can be learned about any given network. Simply put, they hack because it is something they have a talent for and because they like it. Like those seeking prestige, many curious hackers will move on if a given target seems to be unyielding in its secrets. On the other hand, the curious hacker will also be more tempted than those looking for prestige to stick with a particular target if it proves to be an especially tough nut to crack. It does follow, after all, that a well-protected network must have a great deal of interesting information.

The curious hacker is especially valuable to the rest of the security community because it is their drive to understand how programs and protocols work that often leads them to discover what breaks a particular application of network technology. The product of the curious hacker's skill and dedication is what allows the majority of the hacking community access to lesser-known exploits.

Hackers motivated by either prestige or curiosity have the ability to wreak havoc with your network. Commonly, however, these attackers are looking for the easiest target they can find; because in most cases they have no particular motivation to attack your network specifically, they will move on to an easier target if it appears that yours follows good security practices. Burglars behave the same way, passing over homes whose owners fit secure locks on their windows and doors and place burglar alarm decals in the windows. These homes are not impossible to break into; it is just that easier targets exist that make the burglar's own efforts that much more productive.

From the point of view of your network's security, the more dangerous motivations are yet to come. In some cases, your network specifically will come under attack because of what an attacker thinks or knows about the information they are likely to find there. In this case, the attackers are primarily motivated by gain. When an attacker steals the account information of your customers, they are hoping to use that information to increase the money in their own pocket. This motivation is particularly dangerous to your information security because attackers specifically know what they want. It is only by bypassing your information security systems that they can specifically access what they want.

In this case, the same network security systems that keep out the egotistic and curious may not be adequate to keep out those specifically looking for your information. Attackers in this category may be more than the rogue individual hacker or even a group of hackers; they may be part of a large crime syndicate or even a government organization. This means that we can assume that the attackers in this category have the time to thoroughly test your network defenses, the expertise to know what to attack and how to carry out the attack effectively, and the money to finance their efforts. It is in defending your network against this group of attackers that the value of the security policy becomes clear. You cannot assume that you have the same budget to allocate to network defense that attackers have to circumvent it. Thus, you need to weigh the value of what you are defending against how much to spend defending it from an adversary who potentially has much greater resources than you.

The final type of motivation is revenge. Hackers may have many reasons to strike back at a company. They may feel that the company has slighted or otherwise belittled their skills or a cause that they are particularly close to. The motive of revenge can also be based on political ideology. Ideology is behind a number of political attacks known as "hacktivism," in which the political ends of an individual or group are furthered through network attacks.

Revenge is often found as a motive of employees of a company, be they current or former. Perhaps an employee feels that he was passed over for a promotion, unfairly terminated, or "downsized." With an inside view of the network and knowledge of targets that would be particularly damaging to the health of the company, this type of revenge can be particularly dangerous to a network.

Understanding the different motivations that an attacker might have is important when planning your network penetration test. Based on what we now know, attacks based on prestige or curiosity will most likely be deterred through straightforward security testing. Because the threat is simply looking for the easiest target, the solution is to configure enough security so that the attacker will simply get tired or bored with trying and move on to an easier victim. Threats that seek some sort of gain are more difficult to thwart because they usually have a specific goal in mind. What on your network would most likely serve as a target for someone with motivation? If you identify a resource, then it would be a good use of your time to try to penetrate your network resources to "break into" that resource yourself. Finally, assume that someone outside your company is simply interested in causing you damage. These types of attacks are generally denial-of-service attacks, either based on application flaws or simply bandwidth-based denial-of-service. How can your company protect against this? If the attacker is a knowledgeable employee of your company, what would be the likely target?

Understanding the motivation of the different classes of attackers should give you a better idea of the likely targets and scope of any likely attack against your network. Once the motivations of attackers are understood, the next phase is the information-gathering phase of an attack. During this phase, attackers seek to learn all they can about your network for the purpose of selecting appropriate targets. Granted, not all attackers are sophisticated enough to fully examine all the information on your network; but when performing penetration testing, it is a good idea to assume that they are. What can someone who has no idea of your information systems learn about your company? Can they learn about the type of business you have? Most likely, because letting people know your business is part of being in business. Can they learn the operating systems that your servers run? The release versions? The types of network applications that support your network and their release versions? The IP addresses of your servers and the configuration of your firewall?

People who are good at network penetration and hacking in general know that information is valuable. Thus, any serious threat is going to begin with "casing the joint" before an actual attack is launched. In network security terms, this is known as footprinting and is an attempt to obtain a detailed description of the security procedures of an organization. This is an attempt to understand where the likely targets in a network are, and what kinds of defenses are protecting them.

The process of footprinting has its own methodology, which you can emulate while conducting your own penetration testing. While you may know your network, it may be useful to begin the network penetration test with only the knowledge that an outside person may obtain. To do this, start thinking like a hacker.

First perform a thorough search on all the information that you can find out about your company. Go through your company's Web site, taking notes on all the information you can pick up about your company. Some things to look for include:

  • Corporate organization. Does the corporation have any remote branches, subsidiaries, or strategic business partners? It can be assumed that each of these corporate entities has some type of network, perhaps even its own Internet access outside that of corporate headquarters. Are the links between headquarters and branch offices or partners IP-based VPNs or circuit-based connections such as Frame Relay? The hope is that one of these remote sites or business partners may be easier to break into and thus provide a backdoor to the main site.

  • Personnel information. This can reveal quite a bit about a company. E-mail addresses, phone numbers, and personnel structure all work together to give attackers information they can use for the most powerful attack method known: social engineering.

  • Technology information. Note any information on your company Web site that may provide a clue as to the actual technology you are using on your network. This may be information about security policies, vendor alliances, Web site hosting, user help pages for accessing corporate resources, etc. This information also includes any domains that are associated with your company. While there may be the primary domain that people associate with your organization, be sure to look for other domains that might suggest to an attacker information about corporate or technical structure of your network.

Make sure to also include a Web search on several different search engines, looking for information about your company. You never know when an industry writer, an ex- or current employee, or your own advertising copy may post something to the Internet that is of significance to your information security. A common method of digging up particularly juicy information is to search for the e-mail addresses or domains of your company in Internet newsgroups and Web-based bulletin boards. A support engineer may be in need of some quick help and post details of a problem on a board; information that may seem innocent but, when combined with other information that can be found about your company, may be enough to suggest likely avenues of attack.

Many Internet search engines also allow you to search for Web pages that link back to your site. For example, on the Google search engine, typing "link:www.proteris.com" returned a list of all Web pages that link to that site. (Google has since dropped support for the link: operator, but the idea of enumerating who references your site still holds.) This is a quick way to turn up information about where else on the Internet your company has visibility.

Once your notes are complete, examine them with an eye toward information security. What in your research can be used to give attackers some direction? This is the same information that attackers would use to begin their own work. The goal of this information is to try to find actual hosts that will serve as targets.

The next step in the footprinting process is to determine the IP ranges that your target network uses. This is a fairly straightforward process, in that the American Registry for Internet Numbers (ARIN) [1] maintains a database of network numbers correlated with the organizations that hold them. A whois query against the ARIN database for a company or business unit name returns the ranges of network numbers assigned to that company. This information can then be correlated with the IP addresses found for publicly accessible resources such as Web, DNS, and mail servers. This tells attackers which network ranges hold the company's own servers, and whether those servers sit on the company's network or on someone else's (a hosting provider's, for example).

During this time period, a serious attacker will also begin the process of social engineering. This may mean calling any available telephone numbers and posing as an important member of the company. It would not be unheard of for an attacker to physically go through a company dumpster in an attempt to find important memos that relate to information security policies or likely targets. Companies that are in the process of mergers or transitions are especially vulnerable to this type of probing, as it is more than likely that the confusion and uncertainty that make social engineering successful will come into play. An attacker might also attempt to learn the local exchange telephone block that has been assigned to the company and use a tool known as a wardialer to dial each of the numbers in an attempt to find modems attached to phone lines that may serve as a weakly protected backdoor into the corporation.

DNS is also a very useful tool for attackers, because it translates the domain names found in the previous steps into IP addresses. The amount of information given out by DNS can vary. In poorly configured DNS implementations, a zone transfer (AXFR) will hand the entries for an entire zone to any host that requests them. Fortunately, this practice is disappearing, as many network administrators realized they were essentially handing a network map to the curious on request. Today, DNS is typically configured to be much more guarded in what it reveals to the outside world; but even so, the records you must publish for others to reach your network resources (Web, mail, and name servers at a minimum) are clues that attackers can use to identify potential targets.
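The registry lookup and the DNS records from the last two steps produce two lists that an attacker, or the tester, cross-references: which published hosts sit in address space registered to the company, which are hosted elsewhere, and which registered ranges hold few or no named hosts. The Python below is an added example, not code from the book. Its whois excerpt and DNS records are constructed and use RFC 5737 documentation addresses; they stand in for what `whois -h whois.arin.net` and `dig` (or an over-permissive AXFR) would return, so nothing here touches the network.

```python
"""Correlate registry-assigned net ranges with hosts learned from DNS.

Added example (not from the book). The whois excerpt and DNS records are
constructed stand-ins for what an ARIN whois query and public DNS lookups
(or an over-permissive zone transfer) would return; the addresses are
RFC 5737 documentation ranges, not a real organization's.
"""
import ipaddress
import re

# Constructed whois output in ARIN's record style (two assigned blocks).
WHOIS_TEXT = """\
NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
NetName:        EXAMPLE-CORP-HQ
OrgName:        Example Corporation

NetRange:       203.0.113.64 - 203.0.113.127
CIDR:           203.0.113.64/26
NetName:        EXAMPLE-CORP-BRANCH
OrgName:        Example Corporation
"""

# Constructed A records for example.com.
DNS_RECORDS = [
    ("www.example.com", "A", "198.51.100.10"),
    ("mail.example.com", "A", "198.51.100.25"),
    ("ns1.example.com", "A", "198.51.100.2"),
    ("vpn.example.com", "A", "203.0.113.70"),
    ("blog.example.com", "A", "192.0.2.50"),        # hosted by a third party
    ("intranet.example.com", "A", "10.20.30.40"),   # RFC 1918 address leaked into public DNS
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_FIELD_RE = re.compile(r"^(\w+):\s+(.*?)\s*$", re.M)


def parse_whois_ranges(text):
    """Return [(NetName, ip_network), ...] from whois records separated by blank lines."""
    ranges = []
    for block in text.strip().split("\n\n"):
        fields = dict(_FIELD_RE.findall(block))
        if "CIDR" in fields:
            ranges.append((fields.get("NetName", "?"), ipaddress.ip_network(fields["CIDR"])))
    return ranges


def classify_hosts(records, ranges):
    """Map each DNS name to (category, NetName-or-None).

    OWN      : address lies in a range registered to the target; a scan target
    EXTERNAL : address is elsewhere (hosting provider, partner); in scope only
               if the engagement says so
    INTERNAL : RFC 1918 address published in public DNS; a topology leak
    """
    out = {}
    for name, rtype, value in records:
        if rtype != "A":
            continue
        addr = ipaddress.ip_address(value)
        if any(addr in n for n in RFC1918):
            out[name] = ("INTERNAL", None)
            continue
        owner = next((netname for netname, net in ranges if addr in net), None)
        out[name] = ("OWN", owner) if owner else ("EXTERNAL", None)
    return out


def scan_targets(records, ranges):
    """For each registered range: its size and the names already known in it.

    Ranges with few or no known names are still worth sweeping in full; hosts
    without public DNS names (test boxes, management interfaces) are often the
    softest targets.
    """
    known = classify_hosts(records, ranges)
    summary = {}
    for netname, net in ranges:
        names = sorted(n for n, (cat, owner) in known.items() if cat == "OWN" and owner == netname)
        summary[netname] = {"cidr": str(net), "addresses": net.num_addresses, "named_hosts": names}
    return summary


if __name__ == "__main__":
    ranges = parse_whois_ranges(WHOIS_TEXT)
    for host, (cat, owner) in classify_hosts(DNS_RECORDS, ranges).items():
        print(f"{host:25} {cat:9} {owner or ''}")
    for netname, info in scan_targets(DNS_RECORDS, ranges).items():
        print(f"{netname}: {info['cidr']} ({info['addresses']} addresses), named: {info['named_hosts']}")
```

The INTERNAL finding is worth a line in the report on its own: a private address in public DNS gives away internal numbering before a single packet reaches the firewall. The registered ranges, not the named hosts, are what goes into the scanner in the next step.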

Attackers will use the information they learn from the IP addresses to then perform some network reconnaissance. This is most likely done through the use of a network scan. This can be a direct scan of the network through the use of any number of freely available network scanning tools. An attacker or security professional places a network range of IP addresses into a software program and the program then "tests" each IP address in that network range to see if it is an address that is "live," that is, assigned to a host. Reconnaissance may also take place using tools such as Traceroute, which trace the path of a packet from the attacker's site to your site. Multiple iterations of this program will allow an attacker to create a fairly detailed view of the network topology, including any type of load balancing that may be occurring due to multiple Internet links by your company. This is also an excellent method to use when trying to determine the likely position of a firewall or other security device in the network between the attacker and yourself.

Most of these scanning attacks are not very subtle and are akin to walking past a building with a placard saying, "I'm going to attack your network now!" But network scanning is so common that it is easy to miss these signs. An attacker can also be very discreet when performing these types of scans, breaking them up into small chunks over a period of weeks and sourcing them from multiple hosts, all in an attempt to cover or at least obscure their tracks from those less vigilant.

Scanners themselves have varying levels of sophistication. The simplest scan uses the PING application to send an ICMP echo request to each address and see which ones answer. When network administrators noticed PING being used to sweep their networks, ICMP echo was blocked at most firewalls. Scanning software responded to this change by using other types of packets in an attempt to bypass the ICMP filters. For example, a scanner may try to open a TCP connection on a number of ports. If a connection succeeds, the scanner knows a service is listening there and has a good idea of what application the host is serving. If it fails and the host answers with a TCP reset (the "connection refused" error), that is useful information as well: it tells the scanner that, at the very least, there is indeed a live host at that address.

Network administrators responded by filtering which ports may accept incoming connections through the firewall. Thus, a host PC on the internal network may be able to create connections to resources on the Internet, while hosts on the Internet trying to connect through the firewall to the internal host are blocked. Scanning software responded in turn by sending TCP segments that are not connection requests at all, for example an ACK with no preceding SYN. A host reached by such a segment answers with a reset, which is an error from the protocol's point of view; but again, the presence of that error (or its absence, which suggests a filter silently dropped the probe) is information that an attacker can use to map your firewall rules and launch further attacks against your network.
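The connect-scan logic described above, as an added example that is not code from the book: a small Python scanner that classifies each port as open (handshake completed), closed (the host answered with a reset, seen by the application as "connection refused") or filtered (no answer before the timeout, the signature of a firewall dropping the probe). It starts its own listener on the loopback address so that it runs offline; the address, ports and timeout are assumptions for the example, and scanning anything other than your own hosts needs the written authorization discussed at the start of the chapter.

```python
"""TCP connect() port scan, distinguishing open, closed and filtered ports.

Added example (not from the book). It scans 127.0.0.1 against a listener
it starts itself, so it runs without touching any other host.
"""
import socket


def start_listener():
    """Bind a throwaway TCP listener on 127.0.0.1 and return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))      # port 0: let the kernel pick a free one
    srv.listen(5)                   # backlog completes handshakes without accept()
    return srv, srv.getsockname()[1]


def closed_port():
    """Find a port nothing listens on: bind it, read the number, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(host, port, timeout=0.5):
    """Classify one port the way a connect scan does.

    open     : three-way handshake completed, so a service is listening
    closed   : host answered with RST (ECONNREFUSED); no service, but the host
               is live and the path to it is unfiltered
    filtered : no answer within the timeout; a firewall is most likely dropping
               the SYN, so the probe reveals nothing about the host
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "filtered"           # e.g. network unreachable: no usable answer either
    finally:
        s.close()


def scan(host, ports, timeout=0.5):
    """Probe each port in turn and return {port: state}."""
    return {p: probe(host, p, timeout) for p in ports}


def host_is_live(results):
    """Any open or closed answer proves a live host; all-filtered proves nothing."""
    return any(state in ("open", "closed") for state in results.values())


if __name__ == "__main__":
    srv, open_p = start_listener()
    closed_p = closed_port()
    results = scan("127.0.0.1", [open_p, closed_p])
    for port, state in sorted(results.items()):
        print(f"127.0.0.1:{port:<6} {state}")
    print("host live:", host_is_live(results))
    srv.close()
```

Run against a real host, the interesting distinction is between closed and filtered: a closed port proves the host is live and the path to it unfiltered, while a wall of filtered ports is what a default-deny firewall looks like from the outside. nmap's -sT, -sS and -sA options perform the connect, SYN and ACK variants of the same probes.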

This process of attack, defend, new attack is one of the elements that makes information security an interesting profession. This escalation of attack technologies and security technologies continues endlessly. I am never at a loss for respect for the ways that people figure out how to attack or circumvent a security policy. I do not agree with their goals or methods, but a certain "geeky" technical side of me appreciates the thought and creativity that goes into such attempts. Nevertheless, for every defense, you can assume that someone is thinking of a counter-attack. Discovering what your network is defending and what it is allowing through is one of the primary purposes of performing network penetration testing.

Through this escalation, scanners have developed to the point where they can send IP fragments, send a range of spoofed source addresses to obscure the real source of the scan, guess the remote host operating system, and identify any running applications that happen to be listening on the ports.

Originally, scanning a network was the final step in determining the likely targets to attack. Once the hosts were found, the real research would begin. An attacker would attempt to determine what applications were available over the network, along with the version or release level of the application. Once this information had been obtained, the attacker would then try to correlate known attacks against the version of the operating system. If, for example, a network scan had detected a Cisco router with an operating system version 12.2(1) and the scan also revealed that the router was acting as an SSH server to allow remote administration, with some research, an attacker could learn that this version of SSH was vulnerable to certain types of specially crafted packets generated by the SSHredder application. This would lead the attacker to perhaps execute this attack or determine that the router itself was not the primary target of their hack. This cross-referencing could be a great deal of work.

Many scanners today include additional resources to "helpfully" interpret and organize all the research and vulnerabilities that attackers previously had to do on their own. A scanning program today will not only include the scanning software, but also a database of applications, vulnerabilities for the various release levels of the applications, and a guide on how to take advantage of them and perhaps fix them.

The cynical among us may be disgusted that such resources are available for anyone to download from the Internet and use against our networks. For just a few minutes' worth of work once the target network has been identified, an attacker may have a complete printout of the network's vulnerabilities suitable for presentation at a board meeting. On the other hand, having these tools is incredibly valuable for those trying to protect our networks. Because we know that some of the primary motivations for attackers amount to simply choosing the path of least resistance, these tools give network administrators a way to perform their own tests and see exactly what a possible hacker would see. No network penetration test would be complete without scanning your own network from the inside and the outside with these tools.

The ultimate goal of network footprinting is to identify targets for a likely attack. Once accomplished, an attacker will move on to the next step — attacking. The database of vulnerable systems is used to allow the attacker to work his way into the network. Most of the time, the initial goal of an attacker would be to gain administrative privileges on a system, preferably a domain controller or other device central to the network. With administrative privileges, an attacker would then install software (sometimes known as a "Root kit") that would allow the attacker unrestricted access to the server should his original attack vector be removed and at the same time allow the attacker to cover his tracks by removing or obscuring data that would reveal what he had done to the system.

Once administrative access has been gained, attackers would then be free to perform whatever action suited their motivation for the attack. They might change the Web site, remove important files, shut down the servers, or use the host as a stepping stone for another attack. During the process of your penetration testing then, any evidence that points to a way for attackers to gain administrative access to a host should constitute the top priority for fixing.

Network administrators rarely take the process of network penetration testing to this extreme. Simply knowing that an attacker could access your network through a previously unknown vulnerability is typically enough for the administrator to take action. Only in extremely rare circumstances should the actual execution of the attack be carried out on a live system. It is, however, acceptable for learning or demonstration purposes to create a test network that closely mirrors the production network in terms of operating systems and applications. This will allow proof of concept testing on any suspect vulnerabilities.

The vast majority of the time, penetration testing is going to reveal vulnerabilities that can be fixed in one of three ways:

  1. Patch the affected system. A surprising number of network security vulnerabilities can be completely eliminated by applying the proper patch to the application. The reason that network administrators do not always do this in a timely manner is that the vendor may be releasing patches at such a rate that it is difficult to keep up, or the patch itself may adversely affect a business-critical application.

  2. Reconfigure the firewall or other security devices. All packet filtering devices should follow the rule that any traffic not explicitly permitted is denied. However, it is easy to make mistakes when many applications are involved, and rules may have been applied in an order that has unforeseen consequences for IP traffic. Reconfiguring these devices is usually straightforward.

  3. Change access control permissions for applications and operating systems. Most out-of-the-box operating systems are designed for ease of use by inexperienced network administrators, not security. Network penetration testing often reveals that permissions are more liberal than they need to be. Changing the access controls of shares and other network resources will assist in reducing these vulnerabilities.
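An added example of the default-deny rule item 2 calls for, written in nftables syntax; it is not a configuration from the book, and the interface, management network, ports and log prefix are assumptions. The commented-out policy line is the weak setting (anything not matched is accepted, so a service accidentally left listening is reachable), and the active line is the corrected one. The ICMP lines show the caveat to the blanket ICMP blocking mentioned earlier: the error types needed for path-MTU discovery are allowed, while echo requests are simply not listed and so fall to the drop policy.

```nft
# Added example (not from the book): default-deny input filter for an
# Internet-facing host. Interface, addresses and ports are assumptions.
table inet filter {
    chain input {
        # Weak form (what a scan often reveals): anything unmatched is let in.
        # type filter hook input priority 0; policy accept;
        # Corrected form: anything not explicitly allowed below is dropped.
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Keep the ICMP error types that path-MTU discovery and routing rely on.
        # Echo requests are not listed, so ping sweeps get no answer.
        ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-neighbor-solicit, nd-neighbor-advert } accept

        # The services this host is meant to offer, and nothing else.
        tcp dport { 80, 443 } accept

        # Remote administration only from the (assumed) management network.
        ip saddr 192.168.100.0/24 tcp dport 22 accept

        # Rate-limited log of what the policy drops: this is what the
        # detection side of the penetration test should see during the scan.
        limit rate 10/minute log prefix "nft-input-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

`nft -c -f ruleset.nft` checks the file for syntax errors without loading it; `nft -f ruleset.nft` loads it. Rerunning the connect scan from outside after the change should show every port except 80 and 443 as filtered rather than closed.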

Simply running a network scan, however, cannot be construed as complete network penetration testing. The scan is the starting point. Clearly, if there is an obvious way for someone to gain administrative access through the network, then this must be dealt with immediately.

Many vulnerabilities that allow your information to be compromised are not purely technical in nature. It is difficult for a network penetration test that is based solely on IP packets to understand that users expect help-desk personnel to ask for passwords over the phone or that the key to the server room has been lost and replaced several times. Thorough network penetration testing includes examining administrative and physical security procedures in addition to the technical information that network scanning provides. The primary goal of this additional testing is twofold: to ensure that users are following your documented security policy and that these policies are sufficient to protect your network from unforeseen circumstances.

For example, is it possible to log in with an account from a former employee? If it is, is it possible because the employee's account has not been disabled in accordance with the security policy of the company or because the implementation rules of the security policy do not specify that this is a step that must be taken? Is it possible to recover company information from magnetic media tossed into the dumpster because someone has not taken the time to properly sanitize the media in accordance with the security policy or because the security policy does not address the actions that must be performed on hard drives before they are disposed of? Are all devices on your network accounted for, and can the source of all traffic be identified? Or has someone walked in the front door of your company and installed another PC on an available port that is acting as a network sniffer?
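The first of those questions, whether former employees' accounts still work, can be checked from data rather than by trying the logins. The Python below is an added example, not from the book; both inputs are constructed, a directory export with each account's enabled flag and last logon date and HR's list of termination dates, and the field names are assumptions to adapt to your own directory's export format. It separates the two failure modes the paragraph asks about: an account that was never disabled, and one that was disabled eventually but used in the meantime.

```python
"""Check that former employees' accounts were actually disabled, and when.

Added example (not from the book). Both inputs are constructed CSV text;
the column names are assumptions.
"""
import csv
import io
from datetime import date

DIRECTORY_EXPORT = """\
account,enabled,last_logon
asmith,true,2024-03-01
bjones,true,2024-02-20
cwong,false,2023-11-02
dlee,true,2024-03-10
"""

HR_TERMINATIONS = """\
account,termination_date
bjones,2024-01-31
cwong,2023-10-15
"""


def load_csv(text):
    """Parse CSV text into a list of row dicts keyed by the header line."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_former_employees(directory_text, hr_text):
    """Return [(account, finding, detail)] for accounts on the termination list.

    STILL-ENABLED           the account can still log in: the offboarding step
                            was skipped (or the policy never required it)
    LOGON-AFTER-TERMINATION the account was used after the leaving date, even
                            if it has since been disabled: the step was done late
    """
    terminated = {r["account"]: date.fromisoformat(r["termination_date"])
                  for r in load_csv(hr_text)}
    findings = []
    for row in load_csv(directory_text):
        acct = row["account"]
        if acct not in terminated:
            continue
        left = terminated[acct]
        last_logon = date.fromisoformat(row["last_logon"])
        if row["enabled"].strip().lower() == "true":
            findings.append((acct, "STILL-ENABLED", f"terminated {left}"))
        if last_logon > left:
            findings.append((acct, "LOGON-AFTER-TERMINATION",
                             f"last logon {last_logon}, terminated {left}"))
    return findings


if __name__ == "__main__":
    for acct, finding, detail in audit_former_employees(DIRECTORY_EXPORT, HR_TERMINATIONS):
        print(f"{acct:10} {finding:24} {detail}")
```

With the constructed data, bjones is reported twice (still enabled, and used three weeks after leaving) and cwong once (disabled now, but used after the leaving date). Which of the two root causes applies, a missed step or a policy that never required the step, is the follow-up question for the administrative review.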

As you can see, thorough network penetration testing means that you need to be creative. Many times, the easiest way into a company network is not through the firewall, but through the front door.

[1] ARIN is the Internet number registry for North America and is accessed at www.arin.net. There are registries for other regions: RIPE NCC (Europe, the Middle East, and parts of Central Asia), APNIC (Asia Pacific), LACNIC (Latin America and the Caribbean), and AFRINIC (Africa). All of these registries are listed on the IANA home page at www.iana.org.




Network Perimeter Security: Building Defense In-Depth
ISBN: 0849316286
Year: 2004
Pages: 119
Authors: Cliff Riggs