A Model for Penetration Testing


Chuck Easttom
Collin College Professional Development
chuck@chuckeasttom.com
Research Gate Publication
2014, IJIRIS All Rights Reserved

Abstract
Penetration testing is an increasingly integral part of cyber security. A wide range of techniques exist to conduct penetration testing, and the industry is also replete with tools to assist in the process. What is missing is a cohesive model of penetration testing that brings together a wide range of standards into a single, comprehensive model that can be applied to a wide range of penetration testing scenarios.

Keywords: Penetration testing, pen testing, hacking.

I. INTRODUCTION AND LITERATURE REVIEW
The field of penetration testing is a growing subset of cyber security (Yeo, 2013). Penetration testing needs to be a methodical process that includes a detailed analysis of the threats and potential attackers (Bishop, 2007). The industry is replete with penetration testing certifications such as GPEN from the SANS Institute, Certified Ethical Hacker from EC-Council, and Offensive Security's OSCP (Easttom, 2016). Each of these certifications, and its associated training course, emphasizes a different aspect of penetration testing. In addition to the training and certifications in the field, there are industry tools that have become widely accepted in the penetration testing community. Kali Linux is a Linux distribution that includes several security tools, including widely used penetration testing tools (Beggs, 2014). Perhaps the most widely used penetration testing tool is Metasploit (Jaswal, 2016).

Each of the current, widely accepted penetration testing standards recommends a particular sequence of tasks. There is overlap between the different methodologies, but each has its own elements, particular to that specific standard.

The Penetration Testing Execution Standard (PTES, 2016) recommends seven stages:
- Pre-engagement Interactions
- Intelligence Gathering
- Threat Modeling
- Vulnerability Analysis
- Exploitation
- Post Exploitation
- Reporting
It is noteworthy that in this process, the first four stages involve information gathering before the penetration test proper.

NIST 800-115 (U.S. Department of Commerce, 2015) uses four phases:
- Planning
- Discovery
- Attack
- Reporting

The National Security Agency InfoSec Assessment Methodology (NSA-IAM) describes three general phases, each sub-divided into specific tasks to be conducted during that phase (Cross, 2000; Johnson, 2004).
- Pre-Assessment
  o Determine and manage the customer's expectations
  o Gain an understanding of the organization's information criticality
  o Determine the customer's goals and objectives
  o Determine the system boundaries
  o Coordinate with the customer
  o Request documentation
- On-Site Assessment
  o Conduct the opening meeting
  o Gather and validate system information (via interview, system demonstration, and document review)
  o Analyze assessment information
  o Develop initial recommendations
  o Present the out-brief
- Post-Assessment
  o Additional review of documentation
  o Additional expertise (get help understanding what you learned)
  o Report coordination (and writing)

The Payment Card Industry Data Security Standards (PCI-DSS) also define a process for penetration testing (PCI-DSS, 2015). The overview of that process is provided here:
- Scope
- Qualifications of a Penetration Tester
- Penetration Testing Components
- Methodology
- Pre-engagement
- The actual penetration test
- Post-Engagement

Each of these standards provides a starting point for penetration testing, and each has a specific perspective in mind. For example, the PCI-DSS standard specifically addresses credit card processing needs, while the NSA-IAM is concerned with United States Government cyber security. While each of these standards has a different focus, even a casual review reveals some commonalities.

II. THE METHOD
The method described in this paper is a four-phase process that combines elements from each of the previously described standards and is consistent with those standards. Thus, this four-phase methodology could be used in conjunction with any of the aforementioned standards.

The methodology describes your approach to penetration testing for a particular test. This will include:
1. The amount of information given (i.e. black box, white box, or gray box testing).
2. Whether this testing is being done for some standard (NSA-IAM, PCI, etc.).
3. Whether this test will involve both internal and external testing, or just one of those options.
4. Whether this test will include physical penetration testing and/or social engineering.
5. The mix of manual and automated testing.
Most importantly, the methodology statement should explain why that specific approach was chosen.

An example methodology statement might look something like the following:

This test is being conducted for PCI-DSS requirements. The test will involve internal and external testing, and will be conducted with the tester being given extensive information (i.e. a white box test). This specific test will not include physical testing or social engineering. The test will involve both automated and manual tasks, with the primary tools used being:
- Metasploit
- OWASP-ZAP
- Vega
- Nmap
- Nessus
These tools will be used in conjunction with manual testing techniques.

The test will begin with internal and external vulnerability scans. This will be followed by assessing specific PCI-DSS required security controls. Then manual attempts will be made to penetrate the network.

Of course, more detail is usually preferred. The preceding example is merely meant as a starting point, showing what a basic methodology statement might look like.

Pre-Engagement
The most important element of the pre-engagement is a thorough contract. It must include the following:
1. Scope of the test
2. Any items not to be tested
3. Goals of the test
4. Time frame of the test
5. Any standards to be met (PCI, NIST, etc.)
Any ambiguities in the contract are likely to lead to dissatisfaction for the penetration testing customer. Clearly, legal advice is preferred for any contract, but the preceding list provides an overview of the technical issues that must be addressed in the contract.

In addition to the contract, information gathering is also critical in the pre-engagement phase. Failure to gather the appropriate information in this phase can lead to incorrect test focus or execution. Gather information regarding the following:
1. Any past breaches. Details on such breaches are important. Obviously, you wish to begin by testing these, to ensure the network is no longer susceptible to them.
2. Any recent risk analysis or audits. This information can also assist you in determining which areas are most critical to test.
3. Any specific concerns the customer has. This can also guide you to testing the appropriate areas.
4. Ensure that you and the client agree on the scope as well as on what a penetration test can do. It is important that the client have realistic expectations.
The preceding list is exemplary, not exhaustive. More information is always desirable.

The Actual Test
Once the pre-engagement phase is complete, the next step is to conduct the actual penetration test. Pen testing is a multi-step process. Each step is equally important.
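Before the active sub-phases begin, three of the contract elements listed above (scope of the test, items not to be tested, and time frame) can be enforced mechanically against the candidate target list. The following Python script is an added example, not part of the paper; the contract values, the exclusion-wins rule, and the fixed time window are constructed assumptions.

```python
"""Pre-engagement scope gate (added example): refuse any target that the
signed contract does not cover. Contract values below are constructed."""
import ipaddress
from datetime import datetime

# Constructed contract, mirroring the elements the paper requires:
# scope of the test, items not to be tested, and the time frame.
CONTRACT = {
    "in_scope": ["203.0.113.0/24", "198.51.100.10"],   # scope of the test
    "excluded": ["203.0.113.250", "203.0.113.251"],    # items not to be tested
    "window": ("2016-10-01T00:00:00+00:00",            # time frame of the test
               "2016-10-07T23:59:59+00:00"),
}


def _networks(entries):
    # strict=False lets an entry like "10.0.0.1/24" stand for its whole network
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def classify_target(target, contract=CONTRACT):
    """Return (allowed, reason) for a single IP address or CIDR block."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return False, "not a valid IP address or network"
    # Exclusions win: any overlap with an item not to be tested rejects the
    # target, so a broad CIDR that contains an excluded host is refused too.
    for ex in _networks(contract["excluded"]):
        if ex.version == net.version and net.overlaps(ex):
            return False, f"overlaps excluded item {ex}"
    # Every address of the target must lie inside one contracted network.
    for inc in _networks(contract["in_scope"]):
        if inc.version == net.version and net.subnet_of(inc):
            return True, f"within in-scope network {inc}"
    return False, "not covered by the contract scope"


def in_window(now_iso, contract=CONTRACT):
    """True if the ISO-8601 timestamp falls inside the contracted time frame."""
    start, end = (datetime.fromisoformat(s) for s in contract["window"])
    return start <= datetime.fromisoformat(now_iso) <= end


def build_target_list(candidates, now_iso, contract=CONTRACT):
    """Split candidates into approved and rejected lists, each with a reason."""
    if not in_window(now_iso, contract):
        # Outside the agreed window nothing is approved, whatever the address.
        return [], [(t, "outside the contracted time frame") for t in candidates]
    approved, rejected = [], []
    for t in candidates:
        ok, why = classify_target(t, contract)
        (approved if ok else rejected).append((t, why))
    return approved, rejected


if __name__ == "__main__":
    # Constructed candidate list: one in scope, one excluded, one out of scope
    ok, bad = build_target_list(["203.0.113.20", "203.0.113.250", "192.0.2.5"],
                                "2016-10-03T12:00:00+00:00")
    for t, why in ok:
        print("APPROVED", t, "-", why)
    for t, why in bad:
        print("REJECTED", t, "-", why)
```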
The actual test is further divided into four sub-phases.

1) Phase 1 - Passive Scanning
You begin the penetration test by gathering as much data on the target as you can. This is the passive data gathering phase. It includes social media, netcraft.com, archive.org, etc.: all the passive data you can obtain. Advanced Google searching combined with resources such as shodanhq can provide a wealth of information regarding the target network.

2) Phase 2 - Active Scanning
This phase involves actively scanning the target network. At a minimum, you will use nmap to port scan all available IP addresses. Then use at least two different vulnerability scanners (Vega, OWASP ZAP, Burp Suite, etc.) to scan all available websites. You will also conduct a vulnerability scan of any accessible IP address (Nessus, MBSA, OpenVAS, etc.). Gather as much data as possible about services, ports, etc. If appropriate, use Metasploit to scan for SQL Servers, SSH, FTP, SMB, etc.
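The port scan in this phase produces raw scanner output that later feeds the report's Detailed Analyses section. As an added example (not from the paper), this Python script parses nmap's XML output (nmap -oX) into a per-host inventory of open ports and flags the services the paper singles out for Metasploit follow-up (FTP, SSH, SMB, SQL Server) plus telnet, which the internal checklist also names. The scan data and host addresses are constructed; the element and attribute names follow nmap's XML layout.

```python
"""Turn nmap XML output (nmap -oX) into the per-host service inventory that
the report's Detailed Analyses section needs. Added example, not from the
paper; the scan data below is constructed."""
import xml.etree.ElementTree as ET

# Services the paper names for Metasploit follow-up scans or manual review
# (FTP, SSH, SMB, SQL Server) plus telnet from the internal checklist.
REVIEW_SERVICES = {"ftp", "ssh", "microsoft-ds", "netbios-ssn", "ms-sql-s", "telnet"}

# Constructed sample in nmap's XML layout: two internal hosts, one filtered port.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {address: [(port, protocol, service, product), ...]} for open ports only."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address").get("addr")
        open_ports = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed and filtered ports are not exposed services
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = svc.get("product", "") if svc is not None else ""
            open_ports.append((int(port.get("portid")), port.get("protocol"), name, product))
        inventory[addr] = open_ports
    return inventory


def flag_for_review(inventory):
    """(host, port, service) triples that need a 'does this need to run?' decision."""
    return [(host, port, name) for host, ports in inventory.items()
            for port, _proto, name, _product in ports if name in REVIEW_SERVICES]


def format_findings(inventory):
    """Plain-text inventory suitable for pasting into the report."""
    lines = []
    for host, ports in sorted(inventory.items()):
        lines.append(f"{host}:")
        for port, proto, name, product in ports:
            mark = "  [review]" if name in REVIEW_SERVICES else ""
            lines.append(f"  {port}/{proto} {name} {product}".rstrip() + mark)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_findings(parse_nmap_xml(SAMPLE_XML)))
```

On a real engagement, replace SAMPLE_XML with the contents of the nmap -oX file for the scanned range.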

Network scanning along with wireless and Bluetooth scanning are also recommended. This can determine whether the wireless is secured, whether unencrypted data is being sent over the network, and give a general overview of the network traffic.

3) Phase 3 - Breaching
Now you must attempt to breach. This will include manually conducting SQL injection and cross-site scripting, trying to deliver malware from Metasploit, attempting phishing, delivering a harmless virus, etc. It is recommended that the penetration tester combine both automated and manual methods. Specific tools may vary depending on current trends, the vulnerabilities identified, and the target network. For example, a Windows network may require attempts to exploit using PowerShell. In almost all cases, Metasploit will be useful in attempting to exploit identified vulnerabilities.

4) Phase 4 - Completing the Test
In some cases, it is beneficial to do at least a basic vulnerability scan after the issues found in the penetration test are remediated. This checks whether the remediation was successful.

Reporting
The report must be thorough, with the following sections:

I. Executive Summary
One to three paragraphs explaining the scope of the test and the results.

II. Introduction
This is where you describe the testing goals and objectives. This section must also include what the testing goals were, what was tested and what was excluded. This is often referred to as the scope of work. This section should include the rules of engagement and any past breaches or risk assessments. Such past activity should guide the prioritization of your penetration testing.

III. Detailed Analyses
This must include every test you conducted, preferably with step-by-step discussion and screenshots. If you used tools that produced reports, those reports are attached as appendices. When you identify vulnerabilities, whenever possible identify them by a well-known standard. For example

IV. Conclusions & Risk Rating
Provide a general description of what you found and what the risk level is. A risk rating of the network can be helpful to the customer. This need not be an absolute mathematical scale. It can be simply a description such as low, moderate, high, or it can be expanded, such as low, moderate, elevated, high, extreme.

V. Remediation Steps
This section provides details on how the flaws found in penetration testing can be addressed and mitigated. These should be detailed enough to allow any competent technical person to correct the problems you discovered. This is a critical part of the report. It is not enough to simply state that there are problems; you must provide clear guidance on how to address those problems.

5) Example Pen Test
What tests and tools you use will depend on the target network, the scope of work, and the items being tested. For illustration purposes, consider a small network that has 1 gateway router, 30 workstations, 3 servers, and 1 web server. The following would be a very basic penetration test for such a small network. Note that this is just an example. Your test assessment plan should be based on the criticality of systems within the target network.

External
After completing the pre-engagement activities and Phase 1 (passive scanning), active scanning is the next step. In a small network, such as the one described in this scenario, active scanning will flow naturally into Phase 3 (breaching). It is often easiest to start with external testing.
1. Begin with port scanning all public-facing IP addresses (the web server and gateway router).
2. Then use vulnerability scanners to scan the website (Vega, OWASP ZAP, Burp Suite, etc.).
3. Manually attempt several common attacks on the web server (cross-site scripting, SQL injection, website path traversal, etc.).
4. Try appropriate Metasploit attacks on the web server (depending on the server) and on the router. You may wish to use some Metasploit scans on the web server, particularly the anonymous FTP scan.
5. Attempt to access the wireless. This should include both trying to break into the Wi-Fi and attempts to access the administrative screen for the wireless access point.

6. Attempt standard attacks such as banner grabbing, zone transfer, etc.
7. Try default passwords on any public-facing device.

Internal
Now move internally. This part is done from inside the network.
1. Begin with network enumeration, which is internal active scanning.
2. Now run a network-wide vulnerability scan using one or more tools.
3. Nmap scan the entire network. Identify what ports and services are running to determine whether they all need to be running.
4. Use a packet sniffer to scan network traffic, including wireless traffic. Note any sensitive data that is being sent unencrypted and whether the wireless traffic is secure.
5. Perform the standard Metasploit scans (anonymous FTP, SMB, SSH, SQL Server, etc.).
6. Attempt to exploit any vulnerabilities found.
7. Attempt standard attacks, including:
   a. Try to connect to computer shares
   b. Try to crack passwords on key machines
   c. Try to telnet or ssh to printers
   d. Attempt default passwords on any servers, printers, switches, routers and wireless access points.
Of course, you must test all items indicated by any standard you are using. For example, PCI requires all external communication of credit card data to be encrypted. I suggest you test all internal and external data communication.

Optional Items
1. Send employees an anonymous phishing email that will do something harmless, such as redirect them to a page admonishing them not to click on links, or a harmless malware attachment that just has a voice or popup telling them not to download attachments.
2. Attempt social engineering via phone or in person.
3. A penetration test is not a vulnerability scan, but can include vulnerability scanning (as already shown in this document). In the same way, a penetration test is not an audit, but can sometimes include elements of an audit. With that in mind, you may wish to check the following items:
   a. Password policies
      i. Lockout policy
      ii. Minimum requirements
      iii. How often passwords are changed
   b. Are there any unauthorized devices or software anywhere on the network?
   c. Are there still accounts active for employees no longer with the organization?
This outline is a basic outline for a rather small network. Feel free to expand it and add to it as you see fit. This should be considered the bare minimum of a pen test.

III. CONCLUSIONS

Penetration testing is more than simply hacking, and therefore it requires a methodology that can be consistently applied. An appropriate methodology is based on well-established standards. In this paper a methodology for penetration testing was described. It is meant as a general template for penetration testing. Clearly, specific penetration tests will have individual requirements that need to be addressed. It is also likely that further research would expand upon the methodology espoused in this paper.

REFERENCES
Alharbi, M. (2010). Writing a Penetration Testing Report. The SANS Institute. Retrieved from https://www.sans.org/reading-room/whitepapers/testing/writing-penetrationtesting-report-33343
Beggs, R. (2014). Mastering Kali Linux for Advanced Penetration Testing. Birmingham, UK: Packt Publishing.
Bishop, M. (2007). About Penetration Testing. IEEE Security & Privacy, 5(6). DOI: 10.1109/MSP.2007.159
Cross, K. (2000). Application of the NSA InfoSec Assessment Methodology. SANS Institute.
Easttom, C. (2016). Computer Security Fundamentals, Third Edition. New York City, NY: Pearson Press.
Jaswal, N. (2016). Mastering Metasploit, Second Edition. Birmingham, UK: Packt Publishing.
Johnson, B. (2004). National Security Agency (NSA) INFOSEC Assessment Methodology (IAM). http://systemexperts.com/pdf/nsaiam.pdf
NIST (2008). A Technical Guide to Information Security Testing and Assessment. Retrieved from http://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-115.pdf
Offensive Security (2013). Penetration Test Reporting. Retrieved from https://www.offensivesecurity.com/reports/sample-penetration-testing-report.pdf
Penetration Testing Standard (2016). Accessed October 2016. http://www.penteststandard.org/index.php/main_page
Penetration Test Guidance Special Interest Group (2015). Penetration Testing Guidance. Payment Card Industry Data Security Standards. https://www.pcisecuritystandards.org/documents/penetration_testing_guidance_march_2015.pdf
U.S. Department of Commerce (2015). Technical Guide to Information Security Testing and Assessment. http://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-115.pdf
Yeo, J. (2013). Using penetration testing to enhance your company's security. Computer Fraud & Security, 2013(4). doi.org/10.1016/s1361-3723(13)70039-3