Topic 5 Penetration Testing 滲透測試


Introduction to Penetration Testing
- Defined as a legal and authorized attempt to locate and exploit the vulnerabilities of systems for the purpose of reducing risks in those systems.
- Penetration testing is also known as pen testing, PT, ethical hacking, or white hat hacking.
- The process includes detecting vulnerabilities as well as providing proof of concept (POC) attacks to demonstrate that the vulnerabilities exist.
- Provides specific recommendations for addressing and fixing the issues that were discovered during the test.

Penetration Testing Strategies
- Based on the amount of information available to the pen testers, there are three penetration testing strategies: black box, white box and gray box.
Black Box Testing
- Pen testers have no knowledge about the target. They have to figure out the vulnerabilities of the system on their own from scratch.
- Simulates the actions and procedures of a real attacker.
- All they really know are the rules of engagement. For example, social engineering and physical security testing might be permitted, but no Denial of Service is allowed.

Penetration Testing Strategies
White Box Testing
- Pen testers have full knowledge of the network, system, and infrastructure they're targeting.
- Simulates a knowledgeable internal threat, such as a disgruntled network administrator or other trusted user.
Gray Box Testing
- Also known as partial knowledge testing.
- Only assumes that the pen testers are insiders. They need to gather further information before conducting the test.
- Because most attacks do originate from inside a network, this type of testing is very valuable and can demonstrate privilege escalation from a trusted employee.

Pre-engagement/Preparation
- Define the goal of the test: Identifying risks that will adversely impact the organization.
- Scope for the penetration test: Agree with the client what you are going to test. Educate client on what to expect.
- Rules of engagement (ROE): Detailed guidelines and constraints regarding the execution of testing. Gives the test team authority to conduct defined activities without the need for additional permissions.
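
The scope and rules of engagement above can be enforced mechanically before any test action runs. The following is an added example, not part of the original slides: the class, the activity names and the address ranges (reserved documentation networks) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class RulesOfEngagement:
    in_scope: list     # networks agreed with the client (CIDR)
    excluded: list     # hosts or networks carved out of scope
    allowed: set       # activities the ROE authorizes
    forbidden: set     # activities the ROE prohibits outright

    def check(self, target, activity):
        """Return (ok, reason) for one planned test action."""
        if activity in self.forbidden:
            return False, f"activity '{activity}' is forbidden by the ROE"
        if activity not in self.allowed:
            return False, f"activity '{activity}' is not listed in the ROE"
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            return False, f"'{target}' is not an IP address; confirm it with the client"
        if any(addr in ipaddress.ip_network(n) for n in self.excluded):
            return False, f"{target} is explicitly excluded"
        if not any(addr in ipaddress.ip_network(n) for n in self.in_scope):
            return False, f"{target} is outside the agreed scope"
        return True, "in scope and permitted"

# Constructed ROE and test plan (hypothetical names, documentation ranges).
ROE = RulesOfEngagement(
    in_scope=["192.0.2.0/24", "198.51.100.0/25"],
    excluded=["192.0.2.10"],
    allowed={"port_scan", "vuln_scan", "social_engineering", "physical"},
    forbidden={"denial_of_service"},
)
PLAN = [
    ("192.0.2.25", "port_scan"), ("192.0.2.10", "vuln_scan"),
    ("198.51.100.200", "port_scan"), ("192.0.2.25", "denial_of_service"),
    ("203.0.113.7", "vuln_scan"), ("192.0.2.30", "exploit"),
]

def review_plan(roe, plan):
    """Split a test plan into approved actions and rejected ones with reasons."""
    approved, rejected = [], []
    for target, activity in plan:
        ok, reason = roe.check(target, activity)
        (approved if ok else rejected).append((target, activity, reason))
    return approved, rejected

if __name__ == "__main__":
    for target, activity, reason in review_plan(ROE, PLAN)[1]:
        print(f"BLOCKED {activity} -> {target}: {reason}")
```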

Five Phases of Penetration Testing
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks

Five Phases of Penetration Testing
Phase 1 - Reconnaissance
- Gathering as much information as possible about the target of evaluation.
- A passive reconnaissance approach is taken and will not raise any alarms (whois, nslookup, company website, Google).
Phase 2 - Scanning
- With the information gathered, the goal of scanning is to apply tools and techniques to learn as much technical data about the systems as possible.
- Live hosts are found and the network is footprinted.
- Available services are confirmed, the operating system of each platform is verified, and vulnerabilities are assessed.

Five Phases of Penetration Testing
Phase 3 - Gaining Access
- True attacks are carried out against the targets.
- Examples of attacks: accessing an open and non-secured wireless access point, delivering a buffer overflow or SQL injection against a web application.
Phase 4 - Maintaining Access
- Attempting to ensure penetration testers have a way back into the compromised machine or system.
- Back doors are left open for future use; a sniffer is placed on a compromised machine to watch traffic on a specific subnet.
- Access can be maintained through the use of Trojans, rootkits, or any number of other methods.

Five Phases of Penetration Testing
Phase 5 - Covering Tracks
- Attempting to hide attack activities from detection by security professionals.
- Steps range from removing or altering log files, to hiding files with hidden attributes or directories, and even using tunneling protocols to communicate with the system.
- Sometimes this is as simple as corrupting the log files: files get corrupted all the time, and chances are that the administrator will not be aware of the problem.
- Good pen testers should make sensible judgments in this phase.
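
From the defender's side, the log removal and alteration described in Phase 5 can be made detectable by chaining each log record to the one before it and keeping the final digest off the host. The following is an added example, not part of the original slides: the function names and the sample log lines are constructed for illustration.

```python
import hashlib

GENESIS = "0" * 64  # starting value of the chain

def seal(entries):
    """Chain each log line to its predecessor: digest = SHA-256(prev_digest + line)."""
    prev, sealed = GENESIS, []
    for line in entries:
        prev = hashlib.sha256((prev + line).encode()).hexdigest()
        sealed.append((line, prev))
    return sealed

def verify(sealed, expected_head=None):
    """Return a list of findings; an empty list means the log is intact."""
    findings, prev = [], GENESIS
    for i, (line, digest) in enumerate(sealed):
        if hashlib.sha256((prev + line).encode()).hexdigest() != digest:
            findings.append(f"record {i}: chain broken (entry altered or predecessor removed)")
        prev = digest  # continue from the stored digest so one edit gives one finding
    # The head digest is kept off-host; it exposes truncation and full rewrites.
    if expected_head is not None and prev != expected_head:
        findings.append("head digest mismatch (log truncated or rewritten)")
    return findings

# Constructed sample log lines.
SAMPLE_LOG = [
    "2024-01-10T09:00:01 sshd accepted password for alice from 192.0.2.25",
    "2024-01-10T09:02:17 sudo alice : COMMAND=/usr/bin/id",
    "2024-01-10T09:03:40 useradd new user: name=svc_backup",
    "2024-01-10T09:05:02 sshd session closed for alice",
]

if __name__ == "__main__":
    sealed = seal(SAMPLE_LOG)
    head = sealed[-1][1]
    tampered = sealed[:2] + sealed[3:]  # the useradd record has been removed
    print(verify(sealed, head))     # intact log: no findings
    print(verify(tampered, head))   # removal shows up at the gap
```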

Demonstration - Reconnaissance DNS Zone Transfer (nslookup)

Demonstration - Reconnaissance Using DNSstuff (http://www.dnsstuff.com)

Demonstration - Scanning Using Netsparker web application security scanner

Demonstration - Gaining Access Using Metasploit

Demonstration - Maintaining Access Using Metasploit Persistent Backdoor
Source: http://pentestlab.wordpress.com/2012/03/17/metasploit-persistent-backdoor/
Video: http://www.youtube.com/watch?v=cqSkJ5wOoms

Penetration Testing Tools

| Tool | Purpose |
| --- | --- |
| Nmap | Network and port scanning, OS detection |
| Netcat | Port scanning, transferring files, a backdoor |
| Nessus | Detect vulnerabilities and misconfiguration, dictionary attack, denial of service |
| Metasploit Framework | Develop and execute exploit code against a remote target, test vulnerabilities |
| SuperScan | Port scanning, run queries like whois, ping, and hostname lookups |
| Netsparker | Web application security scanner |

Benefits of Penetration Testing
- Helps safeguard the organization against failure through preventing financial loss.
- Proving due diligence and compliance to industry regulators (HKMA), customers and shareholders.
- Preserving corporate image and justifying information security investment.
- Helps shape information security strategy through quick and accurate identification of vulnerabilities.
- Proactive elimination of identified risks.
- Implementation of corrective measures and enhancement of IT knowledge.

Reporting
Executive Summary
- Communicate to the reader the specific goals of the pen test and the high level findings of the testing exercise.
Technical Report
- Present the technical details of the test and all of the aspects/components agreed upon as key success indicators within the pre-engagement exercise.
- Describe in detail the scope, information, attack path, impact and remediation suggestions of the test.
Sample Report
- http://www.fireworkswebsites.com.au/images/example-penetration-security-testing.pdf

Standards and Regulations Source: http://palizine.plynt.com/issues/2009Apr/meeting-compliance-requirements/

Standards and Regulations HKMA - Management of Security Risks in Electronic Banking Services Source: http://www.hkma.gov.hk/eng/key-information/guidelines-and-circulars/guidelines/200007061.shtml

References
(1) Pre-engagement: http://www.pentest-standard.org/index.php/Pre-engagement
(2) Reporting: http://www.pentest-standard.org/index.php/Reporting
(3) Sample Penetration Test Report: http://www.fireworkswebsites.com.au/images/example-penetration-security-testing.pdf
(4) An Overview of Penetration Testing: http://airccse.org/journal/nsa/1111nsa02.pdf
(5) Conducting a Penetration Test on an Organization: http://www.sans.org/reading_room/whitepapers/auditing/conducting-penetration-test-organization_67
(6) Introduction to Penetration Testing (滲透測試簡介): http://tp2rc.tanet.edu.tw/ppt/91sem/AttackPenetrationTest.ppt