Penetration Testing

from Analysts
perspective

Computer Forensics and Security

BC Institute of Technology

Prepared by Arif Zina

 Presentation Outline

 What is penetration Testing

 The process and Methodology
 Planning and preparation
 Information gathering and analysis
 Vulnerability detection
 Penetration Attempt
 Analysis and reporting
 Cleaning up

 Limitation of Penetration Testing

 Conclusion
 What is penetration testing
 Identify vulnerabilities that exist in a system that has
security measures in place.
 Involves the attacking methods conducted by trusted
individuals.
 Scanning of IP addresses to identify machines that are
offering services with known vulneribilities.
 Exploiting known vulnerabilities that exist in an unpatched
system.
 Increase upper managements awareness of security issues
and decision making.
 Serious consequences on the network if tests not
conducted properly.
 The Process and

Methodology
Planning and Preparation

 Meeting between the organization and the testers.

 Clear objectives of the tests to be conducted and to focus on

demonstrating the exploitable vulnerabilities that exist within the
organizations network.

 Ensure that tests are done during off-peak hours to prevent

disruptions and crashes due to unusual network traffic.

 Inform security staff on the penetration tests to be conducted…?

 Treat data obtained as confidential and to be returned/destroyed

after the tests are completed.
 Information Gathering and Analysis

 Gather much information about the targeted systems

 Nslookup (Available on Unix and Windows Platforms)

 Whois (Available via any Internet browser client)
 ARIN (Available via any Internet browser client)
 Dig (Available on most Unix platforms and some
web sites via a form)
 Web Based Tools (Hundreds if not thousands of sites
offer various recon tools)
 Target Web Site (The client’s web site often reveals too
much information)
 Social Engineering
 Conduct network survey to identify reachable systems
 NMAP - Nmap provides options for fragmentation, spoofing, use
of decoy IP addresses, stealth scans. Determines: O/S, packet
filters/firewalls of the machine.
 Vulnerability detection
 Nmap or other scanning tools are first used to identify hosts and determine ports and
services available.

 Determine the vulnerability that exists in a each system identified by: open ports,
O/S and application patch level and service pack applied.

 Vulnerability on-line databases available to search for specific exploits.

 Manual Vulnerability scanning – Detection is done manually by a tester having a

collection of exploits and vulnerability at their disposal.

 Automated vulnerability scanning – Nessus automates vulnerability scanning and

determines any vulnerabilities. Also lists steps to correct these vulnerabilities.

 Other Automated scanning tools are also available – SARA, SAINT, SATAN…etc..
 Penetration Attempt

After determining the vulnerabilities that exist in the system:

 Identify suitable targets for penetration attempt.

 Estimate time and effort needed to put in for the vulnerable systems.
 Determine the importance on how long the penetration tests take on a system.

Some vulnerabilities exploited by penetration testing and malicious

attackers fall into the following categories:

 Kernel Flaws – Kernel code is the core of the operating system.

 Buffer overflows – Result of poor programming practice.
 Symbolic links – a file pointing to another file.
 File descriptor attacks – Privileged programs can assign inappropriate file descriptor, and exposing it.
 Trojans – Custom built programs or could include programs such as Back-orifice, Net Bus, and SubSeven
 Social Engineering – Obtain information through staff members.
 Penetration Attempt

 Password Cracking has became normal practice in penetration testing:

 Dictionary Attacks – Uses a word list of dictionary file.

 Hybrid Crack- Tests for passwords that are variations of the words in a
dictionary file.

 Brute Force – Tests for passwords that are made up of characters going
through all the combinations.

 Brutus is a tool that can be used to automate telnet and ftp account cracking.

http://www.hoobie.net/brutus
 Analysis and Reporting

After conducting all the tasks, the next thing to do is to generate a report for the company,
and should include:

 Overview of the penetration testing process done.

 Analysis and commentary on critical Vulnerabilities that exists in the network/system.

 Addressing vital vulnerabilities first, then followed by less vital ones.

 Detailed listing of all information gathered during penetration testing.

 Suggestion and techniques to resolve vulnerabilities found.

 Cleaning Up
The cleaning up process is done to clear any mess that had been
made as a result of the penetration tests.

 A detailed and exact list of all actions performed during the

tests must be kept.

 Cleaning up of compromised hosts must be done securely

without affecting operations.

 Clean up to be verified by the organization’s staff.

 Removal of temporary user accounts previously created during

testing.
 Limitations of Penetration
Testing
 A penetration test can only identify those
problems that it is designed to look for.

 A penetration tester does not have complete

information about the system being tested.

 A penetration test is unlikely to provide

information about new vulnerabilities, especially
those discovered after the test is carried out.
 Conclusion
 A network Security or vulnerability assessment may be
useful to a degree, but do not always reflect the extent to
which the hacker will go to exploit a vulnerability.

 A penetration test alone provides no improvement in the

security of a computer or network. Action to be taken to
address these vulnerabilities found during the Penetration
Testing.
 References
 Some of the tools that are popularly used for penetration testing are shown
in this appendix. The tools below are grouped according to the testing
methodologies outlined earlier.

 Information Gathering:
 Nmap – Network scanning, port scanning and OS detection
 URL: http://www.insecure.org/nmap/index.html
 hping – Tool for port scanning.
 URL: http://www.kyuzz.org/antirez/hping.html
 netcat - Grabs service banners / versions.
 URL: http://packetstorm.securify.com/UNIX/netcat/
 firewalk - Determining firewall ACLs.
 URL: http://www.packetfactory.net/Projects/Firewalk/
 ethereal - Monitoring and logging return traffic from maps and scans.
 icmpquery - Determining target system time and netmask.
 URL: http://packetstorm.securify.com/UNIX/scanners/icmpquery.c
 strobe - Port scanning utility
 URL: http://packetstorm.securify.com/UNIX/scanners/strobe-1.04.tgz
 Vulnerability Detection:

 Nessus - Scans for vulnerabilities.

 URL: http://www.nessus.org/
 SARA – Another scanner to scan for vulnerabilities.
 URL: http://www.www-arc.com/sara/

 Penetration Tools:

 Brutus – Telnet, FTP and HTTP Password cracker

 URL: http://www.hoobie.net/brutus
 LC3 – Password cracking utility
 URL: http://www.atstake.com/lc3
THANK - YOU