Conducting Penetration Tests


Not all network administrators think like attackers or have the skill set required to break into networks. Conducting penetration tests requires you to think like an attacker. Additionally, you will need to have experience identifying weaknesses in network security, experience with tools that are used to compromise networks, and at least a basic level of expertise with one or more programming languages. If you are not confident in your abilities to think like an attacker, you should consider enlisting the help of another administrator or a consultant who is.

For a penetration test to be useful to your organization for more than just proving that weaknesses in security exist, you must carefully document your actions. The first step in conducting a penetration test is to create a methodology that you will follow when attempting to break into the network. This methodology will help ensure that you complete all the attacks that you have outlined, budget your time appropriately, and establish a foundation for creating documentation on the results of the penetration test.

Conducting penetration testing on networks without explicit written permission from the target organization is a computer crime in many parts of the world. Do not conduct penetration tests on any network, even that of your own organization, unless you have this permission.

The objective of the penetration test is to compromise the intended target or application. To accomplish this goal, a patient attacker will stick to a well-defined methodology. For example, if you are conducting a penetration test, you might want to follow these steps:

  1. Gather information.

  2. Research vulnerabilities.

  3. Compromise the target application or network.

Step 1. Gathering Information

Like an attacker, at first you might have little to no knowledge about your target network. But by the end of this step, you will have constructed a detailed roadmap of the network that you can use to break into the network in an organized manner. The goal of performing this step is to gather as much information as possible about the target network through publicly available sources. This will give you an indication of how large the target might be, how many potential entry points exist, and which security mechanisms exist to thwart the attack.

Gathering information, often called footprinting, requires you to be patient, detail oriented, and resourceful. During this step, you should gather the following types of information:

  • Basic information about the target

  • Domain Name System (DNS) domain name and IP address information

  • Information about hosts on publicly available networks

Obtaining Basic Information About the Target

All information about the target and subsidiaries of the target is useful, including Web sites and other IT services offered by the target, contact information for the target, organizational structure, and names of employees. You can get most of this information on the Internet simply by searching the target organization's Web site and querying search engines by using the name of the target.

Basic information about the company will reveal details that might be used to generate passwords; points of entry into the target's network, including physical buildings and logical entry points such as phone numbers; names of key employees that can be used in social engineering attacks; and a general understanding of the technical sophistication of the target. (For more on social engineering, see the sidebar below.) For example, you can query Internet search engines on the name of the target and the strings "password for" and "ftp". Surprisingly, with a little fine-tuning, this tactic will unearth the logins to FTP servers used by many large organizations.

Social Engineering

Sometimes the easiest way to get information about a network or break into that network is to ask. As strange as it sounds, employees have been known to wittingly or unwittingly reveal important information about their company. For the attacker, it is about asking the right questions to the right person with the right tone. This exploitation of trust is called social engineering.

For example, an attacker might find the telephone number for the company switchboard operator and ask to be transferred to the help desk. Because the call is transferred rather than directly dialed, the call identification will appear to the help desk as though it originated internally. The attacker might then explain that he is a new employee and is very afraid of computers. The attacker might continue by saying he is not sure what his account name is and how long his password needs to be. After the help desk administrator patiently explains how account names are generated and the organization's password policy, the attacker might explain (while complimenting the help desk administrator on how smart she is and how well she explained the account and password problem) that his boss told him his account was enabled for remote access but that he lost the information about which server to connect to.

By the end of the conversation, the attacker will have a good idea of how hard breaking into the network by logging on with a valid user's credentials might be. The attacker can use the names of employees he has gathered from the Web site and information learned from the help desk about the password policy to attempt to log on to the remote access server by using passwords that users are likely to pick. Meanwhile, the help desk administrator will end the conversation feeling as though she did a great job in assisting a user who really needed help.

An attacker might even gain access directly to the network simply by asking. In July 2002, a student at the University of Delaware was caught changing her grades in the school's database system by calling the university's help desk and pretending to be her professors. In all cases, she reportedly stated that she had forgotten her password and asked to have it reset, and in all cases, the help desk obliged.

Social engineering is difficult for networks to defend against, especially if network administrators and other employees in key positions (such as administrative assistants) do not know that they might be the target of such attacks. Consequently, security awareness training is essential for everyone in the company.

Using DNS Domain Name and IP Address Information

By using information about the target network stored in DNS servers, you can begin to create a diagram of the target organization's network. You can analyze DNS zones for the target organization to obtain information, including the server host names, services offered by certain servers, IP addresses of servers, and contact information for members of the IT staff.

By analyzing DNS records, you also can get a pretty good idea about the location of the servers and the OS or applications that are being run on the server. For example, you might be able to deduce that a computer with the host name SFO04E2K that is registered with a Mail Exchange (MX) record is a server running Windows 2000 and Microsoft Exchange 2000 Server and is located in San Francisco, or that a network device named cis2500dt2 is a Cisco Systems 2500 series router directly connected to the target's ISP. One of the first things that attackers do is create a network diagram with information gained from analyzing DNS zones.

The IP address information about the target gained from the DNS zone, American Registry of Internet Numbers (ARIN), and other sources can be scanned with port-scanning software to further develop your network diagram. Attackers have been known to use publicly available sources to create better network diagrams of the target network than the target network's administrators have.
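The same analysis can be turned around and run against your own zone before an attacker does it. The following script is an added example, not code from the Resource Kit: it reads a small constructed zone export in the plain NAME IN TYPE RDATA layout (no TTL or class variations are handled), flags HINFO records and the SOA contact mailbox, and applies naming-convention heuristics to host names so that labels like SFO04E2K and cis2500dt2 are reported as leaking a site code, a product, or a device role. The token list and the site-code pattern are assumptions for the example, not a catalogue of real conventions.

```python
import re
from collections import namedtuple

# Constructed sample zone export (not from any real organization). The host names
# mirror the chapter's examples of names that leak location, OS and device role.
SAMPLE_ZONE = """\
$ORIGIN example.test.
@          IN SOA   ns1.example.test. hostmaster.example.test. 2003010101 3600 900 604800 86400
@          IN MX    10 sfo04e2k.example.test.
sfo04e2k   IN A     192.0.2.10
sfo04e2k   IN HINFO "INTEL-PC" "WINDOWS 2000"
cis2500dt2 IN A     192.0.2.1
www        IN A     192.0.2.20
sql01      IN A     192.0.2.30
mail       IN A     192.0.2.40
"""

Finding = namedtuple("Finding", "name kind detail")

# Substrings that commonly encode a product or role in a host name.
# This list is an assumption for the example, not an exhaustive catalogue.
ROLE_TOKENS = {
    "e2k": "Exchange 2000", "exch": "Exchange", "w2k": "Windows 2000",
    "sql": "SQL Server", "cis": "Cisco", "pix": "Cisco PIX",
}
# Assumed site-code convention: three letters plus two digits, followed by a letter or
# the end of the label (sfo04e2k); the lookahead keeps a model number like 2500 from matching.
LOCATION_RE = re.compile(r"^([a-z]{3})(\d{2})(?=[a-z]|$)")


def short_label(name):
    """Strip the trailing dot and the zone origin, returning the leftmost label."""
    return name.rstrip(".").split(".")[0].lower()


def classify_name(label):
    """Return findings for one host label based on the naming-convention heuristics."""
    found = []
    for token, product in ROLE_TOKENS.items():
        if token in label:
            found.append(Finding(label, "role-in-name", product))
    m = LOCATION_RE.match(label)
    if m and m.group(1) not in ROLE_TOKENS:
        found.append(Finding(label, "location-in-name", m.group(1).upper()))
    return found


def audit_zone(zone_text):
    """Parse NAME IN TYPE RDATA lines and report what the zone reveals to an outsider."""
    findings, labels = [], set()
    for raw in zone_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("$"):
            continue
        name, _cls, rtype, *rdata = line.split()
        if name != "@":
            labels.add(short_label(name))
        if rtype == "SOA":
            # RNAME is a mailbox in which the first dot stands for '@'.
            mailbox = rdata[1].rstrip(".").replace(".", "@", 1)
            findings.append(Finding("@", "soa-contact", mailbox))
        elif rtype == "HINFO":
            # HINFO publishes CPU and OS outright; it is almost never needed publicly.
            findings.append(Finding(short_label(name), "hinfo-record", " ".join(rdata)))
        elif rtype == "MX":
            # The MX target is a host name too, even if it has no record of its own here.
            labels.add(short_label(rdata[1]))
    for label in sorted(labels):
        findings.extend(classify_name(label))
    return findings


if __name__ == "__main__":
    for f in audit_zone(SAMPLE_ZONE):
        print(f"{f.name:12} {f.kind:18} {f.detail}")
```

Run against a real zone transfer of your own domain, the output is a list of records to rename, remove, or move into an internal-only zone; the SOA mailbox and HINFO findings are the cheapest to fix.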

Enumerating Information About Hosts on Publicly Available Networks

After gathering the IP addresses used by the target network, an attacker can begin the process of profiling the network to find possible points of entry. The attacker does this by enumerating information about hosts that are exposed to the Internet by the target organization. To accomplish this, you can use port-scanning software to scan hosts for listening TCP/UDP ports and IP protocols. Port scans will reveal information about hosts such as the OS running on the host and the services running on the host.

You can use port scanning to determine how router and firewall IP filters are configured. An effective attacker will be able to produce a network diagram for all publicly accessible screened subnets and a reasonably complete listing of the types of traffic allowed in and out of the network.
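From the defender's side, the useful output of a port scan of your own screened subnet is the difference between what is actually reachable and what the firewall policy says should be. The script below is an added example, not part of the Resource Kit: it parses a few constructed lines laid out like nmap's grepable (-oG) output, compares every open port against an assumed exposure policy, and reports ports that are open but not allowed as well as hosts the policy does not know about at all. The addresses, host names and policy are constructed for the example.

```python
import re

# Constructed scan output in nmap's grepable (-oG) layout; no real hosts.
SAMPLE_SCAN = """\
# Nmap scan (constructed sample)
Host: 192.0.2.20 (www.example.test)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///
Host: 192.0.2.40 (mail.example.test)\tPorts: 25/open/tcp//smtp///, 110/filtered/tcp//pop3///, 445/open/tcp//microsoft-ds///
Host: 192.0.2.1 ()\tPorts: 23/open/tcp//telnet///
"""

# What the screened subnet is supposed to expose (assumed policy for the example).
ALLOWED = {
    "192.0.2.20": {("tcp", 80), ("tcp", 443)},
    "192.0.2.40": {("tcp", 25)},
}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")


def parse_grepable(text):
    """Yield (ip, hostname, proto, port, state, service) for every port entry."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, host, ports = m.groups()
        for entry in ports.split(", "):
            # Entry layout: port/state/proto/owner/service/rpc/version/
            port, state, proto, _owner, service, *_ = entry.strip().split("/")
            yield ip, host, proto, int(port), state, service


def unexpected_exposure(text, policy):
    """Open ports not covered by the policy, plus hosts the policy does not list."""
    report = []
    for ip, host, proto, port, state, service in parse_grepable(text):
        if state != "open":
            continue  # filtered/closed ports are what the firewall should produce
        if (proto, port) not in policy.get(ip, set()):
            reason = "host not in policy" if ip not in policy else "port not allowed"
            report.append((ip, host, proto, port, service, reason))
    return report


if __name__ == "__main__":
    for ip, host, proto, port, service, reason in unexpected_exposure(SAMPLE_SCAN, ALLOWED):
        print(f"{ip:12} {host or '-':20} {proto}/{port:<5} {service:16} {reason}")
```

The "host not in policy" case is the one worth watching: a device that answers on the screened subnet but appears in nobody's exposure list is exactly the kind of entry point the chapter says attackers find before administrators do.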

An attacker also can use software to crawl the target organization's public Web sites and FTP sites. Often, organizations have information that is not intended for public use posted on their public Web sites or FTP sites but not listed in these sites' directory structures. Similarly, information that would be useful for breaking into the network might be embedded in the code that the Web pages are written in. For example, a developer might have placed a note to himself about a test login ID and password in the comments of an HTML page or might have used static login information for connections to a server running SQL Server. After downloading the Web pages or FTP files to a local computer, an attacker can run a program such as Grep to search for text strings in the files.
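The cheapest defense against the two leaks described above is to run the same kind of text search over your own content before it is published. The script below is an added example, not code from the Resource Kit: it takes a constructed HTML page containing a developer's test-login note in an HTML comment and a static SQL Server connection string in inline script, reports the line of each hit, and masks the secret so the report itself does not become another copy of the password. The keyword list and the connection-string pattern are heuristics assumed for the example.

```python
import re

# Constructed sample page (not from any real site): a developer note left in an
# HTML comment and a static connection string in inline script.
SAMPLE_HTML = """<html><head><title>Orders</title>
<script>
  // constructed: static SQL Server login baked into the page
  var cs = "Server=db01;Database=orders;User ID=webapp;Password=s3cret!;";
</script>
</head><body>
<!-- main navigation -->
<ul><li><a href="/orders">Orders</a></li></ul>
<!-- TODO remove before launch: test login qa_user / Passw0rd! -->
</body></html>
"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Words that make a comment worth a human look (assumed list).
KEYWORDS = ("password", "passwd", "pwd", "login", "uid", "user id", "connectionstring")
# ADO-style connection string carrying a user/password pair (assumed pattern).
CONNSTR_RE = re.compile(r"""(?i)(user id|uid)\s*=\s*[^;]+;\s*(password|pwd)\s*=\s*([^;"']*)""")


def line_of(text, index):
    """1-based line number of a character offset."""
    return text.count("\n", 0, index) + 1


def mask(secret):
    """Keep the report useful without reproducing the secret itself."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""


def scan_html(text):
    """Return findings sorted by line: suspicious comments and embedded credentials."""
    findings = []
    for m in COMMENT_RE.finditer(text):
        body = m.group(1).lower()
        hit = next((k for k in KEYWORDS if k in body), None)
        if hit:
            # Report the trigger word only; the comment may contain the credential itself.
            findings.append({"line": line_of(text, m.start()), "kind": "comment", "hit": hit})
    for m in CONNSTR_RE.finditer(text):
        findings.append({
            "line": line_of(text, m.start()),
            "kind": "connection-string",
            "excerpt": f"{m.group(1)}=...; {m.group(2)}={mask(m.group(3))}",
        })
    return sorted(findings, key=lambda f: f["line"])


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"line {f['line']:3} {f['kind']:18} {f.get('hit') or f.get('excerpt')}")
```

Pointed at a checkout of the site's content directory, the same two regular expressions cover HTML, ASP and script files alike; the connection-string finding should be treated as a credential rotation, not just a file edit, because the page has already been served.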

Step 2. Researching Vulnerabilities

After the attacker has completed gathering information about the target network and has created a list of operating systems, network devices, and applications running on the network (including information about how they are configured), her next step is to research their vulnerabilities. Aside from weak passwords and servers with no access control, the easiest way to break into a network is to exploit known vulnerabilities to the hardware and software used by the target organization.

Simple methods of compromising the security of computers, network devices, and applications might already exist. So before you spend any time attempting to break into your networks using elaborate techniques that might reveal your existence, do your homework. Researching vulnerabilities when acting as an attacker is not any different from the research that you must do as a network administrator. Use the following resources for your sleuthing:

  • Hardware and software vendor Web sites

    The most obvious place to look for vulnerabilities in hardware or software is the vendor's Web site. In general, you can find product documentation that describes the default security of the hardware or software, knowledge base articles that describe how security works on the hardware or software, and security bulletins that describe known vulnerabilities in the vendor's products.

  • Security-related Web sites and newsgroups

    Numerous Web sites for security professionals discuss security and security weaknesses. You can often use this information to break into networks too. For example, the Web site http://www.netstumbler.com has extensive information about wireless network security. Another good Web site is http://www.securityfocus.com, from which a mailing list called Bugtraq is operated. Bugtraq contains discussions about the latest security vulnerabilities in hardware and software.

  • Web sites run by attackers

    Web sites run by attackers often contain detailed information and tools that can be used to break into networks. If you are not familiar with breaking into networks, you can learn a lot about how attackers compromise networks by browsing these Web sites. As with all information, the content of these sites can be used for good purposes and malicious ones. Because in some countries possessing tools that are used to break into computer networks is against the law, you should be careful about downloading tools from these Web sites. Check your local computer crime laws first. Furthermore, many of the applications that can be downloaded from these Web sites have been modified and are Trojan horse applications themselves.

Step 3. Compromising the Target Application or Network

After you have gathered information about the target network and fully researched potential avenues of attack, you can begin the process of attempting to compromise the network. In general, the compromise of a network starts with the compromise of a single host. Many ways to compromise a network exist, and without knowing the details of a specific scenario, it is difficult to prescribe a precise set of actions. However, when compromising a network, attackers will attempt to accomplish several tasks, including these:

  1. Get passwords.

    The first thing that an attacker will do is copy the passwords or password databases from the compromised host to a computer controlled by the attacker. If the compromised host is a member server running Windows 2000, the attacker will retrieve the password hashes from the Security Account Manager (SAM) database, the Local Security Authority (LSA) secrets, and the passwords stored by Microsoft Internet Explorer autocomplete. Immediately after obtaining the password hashes, the attacker will begin an offline attack on them.

  2. Gather information.

    After the attacker gains access to a host inside the target's network, whether in a screened subnet or in the internal network, the attacker gains a new source of information about the network. Consequently, the attacker returns to step 1 in this methodology and begins gathering basic information about the network from the inside.

  3. Elevate their privileges.

    After an attacker has initially penetrated the network, one of her first goals is to gain access to or create elevated security credentials. Once an attacker has Administrator or System privileges on a computer or network device, little can be done to prevent her from doing whatever she wants to that computer or device. Similarly, if an attacker can obtain control over a domain administrator account, the attacker functionally controls the entire network.

  4. Leverage the compromised host.

    Once under the control of the attacker, a compromised host becomes a platform for attacking other computers on the network from the inside. The attacker might also use the host as a zombie system to attack another network.

  5. Replace files.

    An attacker might want to either ensure that she can continue to access the compromised computer or gather information from users of the computer. To accomplish this, the attacker can install a backdoor application or keystroke logging software to record the keystrokes of locally logged on users, including their passwords.

    During a penetration test, you should compromise the network only in ways agreed to by the target organization ahead of time. You should not disrupt business continuity when performing a penetration test.



Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189
