
British Columbia Institute of Technology

Term project: Network Security 2

Course: Network Security 2, FSCT 8560


Date: Dec 03, 2007

Penetration Testing Techniques from an Analyst's Perspective

Name: Arif Zina


Table of Contents

Defining Penetration Testing

1.0 Introduction

1.1 Controlled testing from an organizational perspective

1.2 Intruder Profile

1.3 Definitions

The Process and Methodology

2.0 Planning and preparation

2.1 Information gathering and analysis

2.2 Vulnerability detection

2.3 Penetration attempt

2.4 Final Analysis and Clean-up

Limitations of Penetration Testing

Conclusion

References

Defining Penetration Testing

1.0 Introduction

The primary reason for testing the security of an operational system is to identify potential
vulnerabilities and subsequently repair them. The number of reported vulnerabilities is growing
daily; for example, the number of new information system vulnerabilities reported to the Bugtraq
database has more than quintupled since the start of 1998, from an average of 20 to over 100
per month.

The number of computers per person in many organizations continues to rise, increasing the
demands on competent and experienced system administrators. Consequently, it is imperative
that organizations routinely test systems for vulnerabilities and misconfigurations to reduce the
likelihood of system compromise.

Typically, vulnerabilities are exploited repeatedly by attackers to attack weaknesses that
organizations have not patched or corrected. Generally a small number of flaws in software
programs are responsible for the vast majority of successful Internet attacks.

SANS Security Alert lists these vulnerabilities and outlines recommendations and suggestions
for overcoming these weaknesses. In this environment, security testing becomes critical to all
organizations interested in protecting their networks.

Technically speaking, a penetration test is the controlled attempt at penetrating a computer
system or network from “outside” in order to detect vulnerabilities. It employs the same or similar
techniques to those used in a genuine attack. Appropriate measures can then be taken to
eliminate the vulnerabilities before they can be exploited by unauthorized third parties.

1.1 Controlled testing from an organizational perspective

Penetration tests are a way to identify vulnerabilities that exist in a system or
network that already has security measures in place. A penetration test usually
involves the use of attack methods, conducted by trusted individuals, that are
similar to those used by hostile intruders or hackers. Depending on the type of test
conducted, this may involve a simple scan of IP addresses to identify machines that
are offering services with known vulnerabilities, or even exploiting known
vulnerabilities that exist in an unpatched operating system. The results of these tests
or attacks are then documented and presented as a report to the owner of the system, and
the vulnerabilities identified can then be resolved.

A penetration test does not last forever. Depending on the organization conducting the tests, the
time frame for each test varies. A penetration test is basically an attempt to breach the
security of a network or system and is not a full security audit. This means that it is no more
than a view of a system’s security at a single moment in time: it assumes that the known
vulnerabilities, weaknesses and misconfigured systems do not change within the time frame in
which the penetration test is conducted.

Penetration testing is often done for two reasons:

•To increase upper management awareness of security issues, or to test intrusion
detection and response capabilities.

•To assist higher management in decision-making processes.

The management of an organization might not want to address all the vulnerabilities that are
found in a vulnerability assessment but might want to address its system weaknesses that are
found through a penetration test.

1.2 Intruder Profile

In the media, the term “hacker” is used to refer to any person who intrudes into other IT systems
without authorization. However, a finer distinction is often made between hackers, crackers and
script kiddies.

Hackers are regarded as being experimentally minded programmers who target security
loopholes in IT systems for technical reasons.

Crackers are people with criminal minds who exploit weak points of IT systems to gain illegal
advantages, social attention or respect. Crackers possessing privileged knowledge about the
organization they are attacking are termed “insiders”. Insiders are often frustrated (former)
employees of an organization who use their knowledge of internal affairs to harm that
organization.

Script kiddies are usually intruders lacking in-depth background knowledge and driven by
curiosity who mainly direct attack tools downloaded from the internet against arbitrary or
prominent targets.

In addition to the categories described above, industrial espionage also poses a serious threat.
The aim of industrial espionage is to gain knowledge of business secrets such as innovative
technical designs, strategies and ideas that help in gaining a competitive edge and to use such
information for personal benefit.

1.3 Definitions

This document uses the terms system, network security testing, operational testing, and
vulnerability extensively. For the purposes of this document, their definitions will be as follows:

•System:

A system is made up of the following (see figure 1.1):

•Computer system (e.g., mainframe, minicomputer)
•Network system (e.g., local area network)
•Network domain
•Hosts
•Network nodes, routers, switches and firewalls
•Network and/or computer application on each computer system

Fig 1.1: components of a system (figure not reproduced)

•Network Security Testing:

Activities that provide information about the integrity of an organization's networks and
associated systems through testing and verification of network-related security controls on a
regular basis. The testing activities can include any of the following types of tests: network
mapping, vulnerability scanning, password cracking, penetration testing, file integrity checking,
and virus scanning.

•Operational Security Testing:

Network security testing conducted during the operational stage of a system’s life, that is,
while the system is operating in its operational environment.

•Vulnerability:

A bug, misconfiguration or special set of circumstances that could result in the affected system
being exploited. For the purposes of this document, a vulnerability could be
exploited directly by an attacker, or indirectly through automated attacks such as Distributed
Denial of Service (DDoS) attacks or by computer viruses.

The Process and Methodology

2.0 Planning and Preparation

In order to make the penetration test done on an organization a success, a great deal of
planning and preparation needs to take place. Only designated individuals, including network
administrators or individuals contracted to perform the network scanning as part of a larger
series of tests, should conduct the tests described in this section. The approval for the tests may
need to come from as high as the CIO, depending on the extent of the testing. It would be
customary for the testing organization to alert other security officers, management, and users
that network mapping is taking place. Since a number of these tests mimic some of the signs of an
attack, the appropriate managers must be notified to avoid confusion and unnecessary expense.

A meeting between the organization and the testers should also include discussing the scope
and the objective of the penetration test. There must be a clear objective for the penetration test
to be conducted. An organization that performs a test for no clear reason should not be surprised
if the outcome contains no clear result. In most cases the objective of a penetration test is to
demonstrate that exploitable vulnerabilities exist within an organization’s network infrastructure.
The scoping of the penetration test is done by identifying the machines, systems and networks,
the operational requirements and the staff involved.

Another area that needs to be discussed and planned is the actual time at which the tests will be
conducted and their duration. This is vital, as it will ensure that while penetration tests are being
conducted, normal business and everyday operations of the organization will not be disrupted.
Penetration tests may need to be run at particular times of day. There may be conflicts between
the need to ensure that everything is tested and the need to avoid loading the network during
periods of heavy and critical use. Penetration tests that involve the use of unusual network
traffic may cause some systems on the network to crash. Also, performing tests such as DoS on
organizational systems during business hours could severely affect the availability of services to
customers and business associates, which can be costly and is unnecessary.

One major decision to be made with the organization is whether the staff of that organization
should be informed before a penetration test is carried out. Advising staff is often appropriate,
but it can change their behavior in ways that will affect the outcome of the penetration test. On
the other hand, choosing not to warn staff may result in them taking action that unnecessarily
affects the organization’s operation. For example, a security team might be expected to react to
an attack by disconnecting from the external network, cutting all access to it. If the aim is to
assess the response of the security team or other operational units, then clearly management
must accept such a risk. Otherwise it may be appropriate to give specific instructions that no
action is to be taken in response to the penetration test during the arranged time and duration.

It is also important, and should be made clear to the organization, that any data collected or
obtained during the penetration test will be treated as confidential and will be returned or
destroyed accordingly after the test. Also, prior to any penetration test engagement, legal
documents protecting the penetration testers and their company must be signed. This is a very
important step that must not be missed. Even if the penetration testers are staff conducting
tests on their own systems and network, they should also obtain the relevant legal documents
protecting them against any legal action. This serves as protection for penetration testers
should anything go wrong during the tests. Accidents can happen, and no penetration tester
would like to be sued as a result of doing their job.

2.1 Information Gathering and Analysis

After doing the necessary planning and preparation with the organization (or target),
the next step is to gather as much information as possible about the targeted systems
or networks. There’s a wealth of tools and online resources available for us to do the
necessary information gathering.

If the intended target has an online website, this is a good place to start your information
gathering. A very good online resource is available at http://www.netcraft.com. Their service
examines a network connected to the Internet and reports back which hosts are visible. It
also gives you information such as the operating system a host is running, as well as the server’s
uptime.

A search is conducted for the Canadian air traffic control services provider, www.navcanada.ca, and
the following information is obtained: name server, FQDN, web server name, operating
systems and IP addresses. See figure 2.1.1.

Also, when the domain name is queried, the service lists the various web hosts in the organization
and their O/S, and presents a site report. See figure 2.1.2.

Figure 2.1.1: Netcraft search results for www.navcanada.ca (figure not reproduced)

Figure 2.1.2: Netcraft site report (figure not reproduced)

A network survey should also be conducted to determine the number of systems
that are reachable, and to provide information such as domain names, server names, ISP
information and the IP addresses of the hosts, as well as a network map. This survey also assists in
finding the domain registry information for the servers, and allows checking of information such
as which IP addresses are owned by the targeted organization.

A very useful tool for conducting a network survey is Nmap. Nmap is a tool made for scanning large
networks. We can also use Nmap to determine what operating systems are running on a
network, what types of packet filters/firewalls are in use, and numerous other
characteristics.

An example SYN scan of a class C network using the Nmap CLI (screenshot not reproduced).

The output for one of the hosts in the subnet is shown as follows (screenshot not reproduced).

The Nmap port scanner first identifies active hosts in the address range specified by the user, using
the Transmission Control Protocol/Internet Protocol (TCP/IP) suite's Internet Control Message
Protocol (ICMP) ECHO and ICMP ECHO_REPLY packets.

Once active hosts have been identified, they are scanned for open TCP and User Datagram
Protocol (UDP) ports. These ports will identify the network services operating on that host. A
number of scanners support different scanning methods that have different strengths and
weaknesses that are usually explained in the scanner documentation. For example, certain
scans are better suited for scans through firewalls and others are better suited for scans that are
internal to the firewall.

All basic scanners will identify active hosts and open ports, but some scanners provide
additional information on the scanned hosts. The information gathered during this open port
scan will often identify the target operating system. This process is called operating system
fingerprinting. For example, if a host has TCP ports 135 and 139 open, it is most likely a
Windows NT or 2000 host. Other items, such as TCP packet sequence number generation and
responses to ICMP packets (e.g., the TTL (Time To Live) field), also provide clues for identifying
the operating system.

Operating system fingerprinting is not foolproof. Firewalls filter (block) certain ports and types of
traffic, and system administrators can configure their systems to respond in nonstandard ways
to camouflage the true operating system.

In addition, some scanners will assist in identifying the application running on a particular port.
For example, if a scanner identifies that TCP port 80 is open on a host, it often means that the
host is running a web server. However, identifying which web server product is installed can be
critical for identifying vulnerabilities. For example, the vulnerabilities for Microsoft’s IIS server
are very different from those associated with Apache web server.

The application can be identified by “listening” on the remote port to capture the “banner”
information transmitted by the remote host when a client (e.g., a web browser) connects. This
information is generally not visible to the end user (for web servers/browsers); however, when it
is transmitted it can provide a wealth of information, including the application type, application
version and even the operating system type and version.
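Putting the fingerprinting clues from this section into code, as an added example that is not part of the original paper: the banners and scan results below are constructed, the regular expressions for the HTTP `Server` header, the SSH identification string and the FTP greeting are this example's own, and the TTL rule of thumb (an initial TTL of 128 on Windows and 64 on Unix-like systems, reduced by one per hop) is a general default rather than anything the paper states. `guess_os` answers `unknown` whenever the clues disagree, which is the practical consequence of the caveat above that filtering and deliberately non-standard responses make fingerprinting unreliable.

```python
import re

# Constructed sample banners, as a client sees them on connecting to each open
# port. No real host was contacted; every value is invented for this example.
SAMPLE_BANNERS = {
    80: "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (Red Hat)\r\nContent-Type: text/html\r\n\r\n",
    8080: "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nX-Powered-By: ASP.NET\r\n\r\n",
    22: "SSH-2.0-OpenSSH_4.3\r\n",
    21: "220 ProFTPD 1.3.0 Server (Debian) [192.0.2.10]\r\n",
}

# Patterns for the three banner styles (written for this example, not a library's).
HTTP_SERVER_RE = re.compile(r"^Server:\s*([^/\s]+)(?:/(\S+))?[ \t]*(?:\((.*?)\))?", re.I | re.M)
SSH_RE = re.compile(r"^SSH-([\d.]+)-([A-Za-z]+)[_-]?(\S*)")
FTP_RE = re.compile(r"^220[ -](\S+)\s+(\S+)\s+Server\s*(?:\((.*?)\))?")


def parse_banner(raw):
    """Return (application, version, platform_hint); a field is None when the
    banner does not disclose it, and the whole result is None if unrecognised."""
    if raw.startswith("HTTP/"):
        m = HTTP_SERVER_RE.search(raw)
        if m:
            return (m.group(1), m.group(2), m.group(3))
        return ("http", None, None)  # web server that hides its Server header
    m = SSH_RE.match(raw)
    if m:
        return (m.group(2), m.group(3) or None, None)
    m = FTP_RE.match(raw)
    if m:
        return (m.group(1), m.group(2), m.group(3))
    return None


def identify_services(banners):
    """Map each port to what its banner reveals (the banner-grabbing step)."""
    return {port: parse_banner(raw) for port, raw in banners.items()}


def guess_os(open_ports, ttl):
    """Heuristic OS guess from open ports and the observed reply TTL.
    Returns (guess, reasoning); conflicting clues yield 'unknown' rather than
    a confident wrong answer."""
    ports = set(open_ports)
    votes = {"windows": [], "unix": []}
    if {135, 139} <= ports:
        votes["windows"].append("TCP 135 and 139 open (RPC/NetBIOS)")
    if 22 in ports:
        votes["unix"].append("TCP 22 (SSH) open")
    if ttl is not None:
        # Default initial TTLs: 128 (Windows), 64 (Linux/Unix); each hop lowers it.
        if 64 < ttl <= 128:
            votes["windows"].append(f"TTL {ttl} fits an initial TTL of 128")
        elif 0 < ttl <= 64:
            votes["unix"].append(f"TTL {ttl} fits an initial TTL of 64")
    if votes["windows"] and votes["unix"]:
        return ("unknown", "conflicting clues: " + "; ".join(votes["windows"] + votes["unix"]))
    if votes["windows"]:
        return ("Windows NT/2000", "; ".join(votes["windows"]))
    if votes["unix"]:
        return ("Unix-like", "; ".join(votes["unix"]))
    return ("unknown", "no usable clues (ports may be filtered)")


if __name__ == "__main__":
    for port, result in identify_services(SAMPLE_BANNERS).items():
        print(port, result)
    print(guess_os([135, 139, 445], ttl=121))
    print(guess_os([22, 135, 139], ttl=60))
```

The point of the conflict rule is the section's own caveat: a host that shows NetBIOS ports but answers with a Unix-style TTL is either filtered, multi-homed behind a proxy, or deliberately camouflaged, and a scanner that picks one answer anyway will mislead the later vulnerability-matching step.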

Organizations should conduct network scanning to:

•Check for unauthorized hosts connected to the organization’s network,
•Identify vulnerable services,
•Identify deviations from the allowed services defined in the organization’s security policy,
•Prepare for penetration testing,
•Assist in the configuration of the intrusion detection system (IDS), and
•Collect forensic evidence.

The scanning can also disrupt network operations by consuming bandwidth and slowing
network response times. However, network scanning does enable an organization to maintain
control of its IP address space and ensure that its hosts are configured to run only approved
network services.

To minimize disruptions to operations, scanning software should be carefully selected. Network
scanning can also be conducted after hours to ensure minimal impact to operations.

Network scanning results should be documented and identified deficiencies corrected. The
following corrective actions may be necessary as a result of network scanning:

•Investigate and disconnect unauthorized hosts,
•Disable or remove unnecessary and vulnerable services,
•Modify vulnerable hosts to restrict access to vulnerable services to a limited number of
required hosts (e.g., host-level firewall or TCP wrappers), and
•Modify enterprise firewalls to restrict outside access to known vulnerable services.
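The checks behind these corrective actions can be automated. The following is an added example, not code from the paper or from the Nmap project: it parses a constructed sample of Nmap's grepable (`-oG`) output, whose `Host:` lines list each port as `port/state/protocol/owner/service/rpcinfo/version/`, and compares the result with a constructed policy of authorized hosts and the ports each may expose. It reports unauthorized hosts, ports a host should not be offering, and services the policy treats as vulnerable (telnet and ftp in this policy), each mapped to one of the corrective actions above. The addresses, hostnames, versions and policy are all invented.

```python
import re

# Constructed nmap grepable (-oG) output for a small subnet. Addresses,
# hostnames and product versions are invented for this example.
SAMPLE_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 4.3/, "
    "80/open/tcp//http//Apache httpd 2.2.3/\tIgnored State: closed (998)\n"
    "Host: 192.0.2.11 (files.example.test)\tPorts: 21/open/tcp//ftp//wu-ftpd 2.6.2/, "
    "23/open/tcp//telnet///, 139/open/tcp//netbios-ssn///\tIgnored State: closed (997)\n"
    "Host: 192.0.2.50 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///\tIgnored State: closed (997)\n"
    "# Nmap done (constructed sample)\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\tIgnored State:.*)?$")


def parse_grepable(text):
    """Parse -oG host lines into {ip: {"name": ..., "ports": [...]}}, keeping only
    open ports. Each entry is port/state/proto/owner/service/rpcinfo/version/."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status: Up" lines carry no port data
        ip, name, ports_field = m.groups()
        ports = []
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            version = fields[6] if len(fields) > 6 else ""
            if state == "open":
                ports.append({"port": int(port), "proto": proto,
                              "service": service, "version": version})
        hosts[ip] = {"name": name, "ports": ports}
    return hosts


# Constructed policy: hosts allowed on this subnet and the ports each may expose.
POLICY = {
    "192.0.2.10": {"role": "web server", "allowed": {22, 80, 443}},
    "192.0.2.11": {"role": "file server", "allowed": {22, 139, 445}},
}
# Services this (constructed) policy treats as unnecessary or vulnerable: cleartext logins.
VULNERABLE_SERVICES = {"telnet", "ftp"}


def check_policy(hosts, policy, vulnerable=VULNERABLE_SERVICES):
    """Compare scan results with the policy. Returns (severity, ip, finding) tuples,
    each phrased as one of the corrective actions from the list above."""
    findings = []
    for ip, info in sorted(hosts.items()):
        if ip not in policy:
            findings.append(("high", ip, "unauthorized host: investigate and disconnect"))
            continue
        role, allowed = policy[ip]["role"], policy[ip]["allowed"]
        for p in info["ports"]:
            label = f"{p['port']}/{p['proto']} ({p['service'] or 'unknown'})"
            if p["port"] not in allowed:
                findings.append(("medium", ip,
                                 f"{label} not permitted for {role}: disable or restrict access"))
            if p["service"] in vulnerable:
                findings.append(("high", ip,
                                 f"{label} is a known-vulnerable service: remove or block at the firewall"))
    return findings


if __name__ == "__main__":
    for severity, ip, text in check_policy(parse_grepable(SAMPLE_SCAN), POLICY):
        print(f"[{severity:6}] {ip:12} {text}")
```

Run against the sample, the web server produces no findings, the file server is flagged twice for each of its cleartext login services (once as a port outside its role, once as a vulnerable service), and the third address is reported as an unauthorized host because it is absent from the policy; the same comparison run after each scheduled scan is what turns "scanning results should be documented" into a repeatable control.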

Below is a list of other common tools that can be used to perform scanning:

•Telnet (can report information about an application or service, i.e., version, platform)
•Nmap (powerful tool available for Unix that finds ports and services available via IP)
•Hping2 (powerful Unix-based tool used to gain important information about a network)
•Netcat (others have called this application the “Swiss Army knife” of network utilities)
•Ping (available on nearly every platform and operating system to test for IP connectivity)
•Traceroute (maps out the hops of the network to the target device or system)
•Queso (can be used for operating system fingerprinting)

2.2 Vulnerability Detection

After having gathered the relevant information about the targeted systems, the next step is to
determine the vulnerabilities that exist in each system. Vulnerability testing is the act of
determining which security holes and vulnerabilities may be applicable to the target network or
host. The penetration tester or attacker will attempt to identify, for each machine within the target
network, all open ports and running applications, including the operating system, patch level and
service pack applied. Penetration testers should have a collection of exploits and vulnerabilities
at their disposal for this purpose. The knowledge of the penetration tester is put to the test at this
point. An analysis is done on the information obtained to determine any possible vulnerability
that might exist. This is called manual vulnerability scanning, as the detection of vulnerabilities is
done manually.

Several vulnerability databases are available to anyone on the Internet. Refer to the list
below for a sample listing.

ISS X-Force: http://www.iss.net/security_center/
Security Focus Database: http://online.securityfocus.com/archive/1
InfoSysSec Database: http://www.infosyssec.com/
Exploit World: http://www.insecure.com/sploits.html

There are tools available that can automate vulnerability detection. One such tool is Nessus
(http://www.nessus.org). Nessus is a security scanner that audits a given network remotely and
determines whether vulnerabilities exist in it. It produces a list of vulnerabilities that exist in a
network as well as steps that should be taken to address them.

Below is a screenshot of the Nessus interface showing the scanning of the host’s ports and the
results of the vulnerability test (screenshot not reproduced).

Vulnerability scanners attempt to identify vulnerabilities in the hosts scanned. Vulnerability
scanners can also help identify out-of-date software versions, applicable patches or system
upgrades, and validate compliance with, or deviations from, the organization's security policy. To
accomplish this, vulnerability scanners identify operating systems and major software
applications running on hosts and match them with known exposures. Scanners employ large
databases of vulnerabilities to identify flaws associated with commonly used operating systems
and applications.

In addition vulnerability scanners can automatically make corrections and fix certain discovered
vulnerabilities. This assumes that the operator of the vulnerability scanners has “root” or
administrator access to the vulnerable host.

Before running any scanner, penetration testers should install the latest updates to the scanner's
vulnerability database. Some vulnerability scanner databases are updated more regularly than
others. Vulnerability scanners are of two types:

Network-based scanners

Network-based scanners are used for mapping an organization's network and identifying open
ports and related vulnerabilities. The scanners can be installed on a single system on the
network and can quickly locate and test numerous hosts.

Host-based scanners

Host-based scanners have to be installed on each host to be tested and are used primarily to
identify specific host operating system and application misconfigurations and vulnerabilities.
Although host-based scanners are able to detect vulnerabilities at a higher degree of detail than
network-based scanners, they usually require not only host (local) access but also a “root” or
administrative account. Some host-based scanners offer the capability of repairing
misconfigurations.

Vulnerability scanners provide the following capabilities:

•Identify active hosts on the network
•Identify active and vulnerable services (ports) on hosts
•Identify applications and grab banners
•Identify operating systems
•Identify vulnerabilities associated with discovered operating systems and applications
•Identify misconfigured settings
•Test compliance with host application usage/security policies
•Establish a foundation for penetration testing

Vulnerability scanning results should be documented and discovered deficiencies corrected.
The following corrective actions may be necessary as a result of vulnerability scanning:

•Upgrade or patch vulnerable systems to mitigate identified vulnerabilities as appropriate.

•Deploy mitigating measures (technical or procedural) if the system cannot be
immediately patched (e.g., an operating system upgrade would make the application running
on top of the operating system inoperable), in order to minimize the probability of the
system being compromised.

•Improve the configuration management program and procedures to ensure that systems are
upgraded routinely.

•Assign a staff member to monitor vulnerability alerts and mailing lists, examine their
applicability to the organization's environment and initiate appropriate system changes.

•Modify the organization's security policies, architecture, or other documentation to
ensure that security practices include timely system updates and upgrades.

The completion of the vulnerability detection stage will produce a definite list of targets to investigate
in depth. This list of targets will be used in the next stage, in which a penetration will be attempted
at the targets whose vulnerabilities have been identified.

2.3 Penetration Attempt

After determining the vulnerabilities that exist in the systems, the next stage is to
identify suitable targets for a penetration attempt. The time and effort that need to be put
into the systems that have vulnerabilities must be estimated accordingly.
Estimates of how long a penetration attempt takes on a particular system are important
at this point. The choice of target for the penetration attempt is also important.

Consider, for instance, a penetration test conducted on a corporate network that is
determined to consist of more than 200 machines. After gathering sufficient information
about the network and its vulnerabilities, it is found that there are only 5 servers on the
network and the rest are just normal PCs used by the organization’s staff. In this case, the 5
servers would be more likely targets than the PCs, and therefore more effort should be
directed towards the servers.

After choosing the suitable targets, the penetration attempt will be performed on these
chosen targets. The client’s targets for penetration testing are usually particularly business-
critical systems, so special care is called for in carrying out intrusion attempts. The contingency
measures mentioned in the preparation phase are absolutely essential in this stage. They
demand, for example, that intrusion attempts (on business-critical systems) be made outside
working hours (i.e. at night or on weekends) and that the responsible system administrators be
present.

Scenario:

In the reconnaissance phase a specific server operating system with a web server application
was identified on a system that is used for online transactions and which accesses the
company’s internal ERP system. The vulnerability search revealed a buffer overflow vulnerability
for the underlying database in the ERP system. However, the firewall prevents direct access to
the database. The tester now faces the challenge of finding out whether an online transaction
that penetrates the firewall to exploit the vulnerability in the database system can be triggered
by manipulating an HTTP link.

Knowing that a vulnerability exists on a target does not always imply that it can be exploited
easily. Therefore it is not always possible to successfully penetrate even though it is theoretically
possible. In any case, exploits that exist should be tested on the target first before conducting
any other penetration attempt.

Password cracking has also become a normal practice in penetration tests. In most cases, you’ll
find services such as telnet and ftp running on systems. This is a good place to start and
use our password cracking methods to penetrate these systems. Below are some of the methods
that can be employed in cracking passwords:

•Dictionary Attack – Uses a word list or dictionary file.

•Hybrid Crack – Tests for passwords that are variations of the words in a
dictionary file, e.g., p@55word.

•Brute Force – Tests for passwords made up of characters by going
through all the possible combinations.

L0phtCrack is one of the popular password crackers for Windows NT and 2000. For obtaining
hashes, L0phtCrack contains features that can be enabled to capture passwords as they
traverse the network, copy them out of the Windows registry and retrieve them from Windows
emergency repair disks.

When hashes are obtained, L0phtCrack first performs a dictionary attack. The dictionary used
by L0phtCrack is selected by the user, or the included dictionary may be used (although more
comprehensive dictionaries are available on the Internet).

L0phtCrack hashes each word in the list and compares that hash to the hashes to be cracked. If
the compared hashes match, L0phtCrack has found the password.

After L0phtCrack completes the dictionary attack, it iterates through the word list again using a
hybrid attack. Finally, L0phtCrack resorts to a brute force attack to crack any remaining hashes,
trying every possible combination of characters in a set. The set of characters used by
L0phtCrack in a brute force attack can be controlled by the user.
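To make the three stages concrete, here is an added example (not L0phtCrack's code, nor anything from the paper) that audits a constructed set of account hashes in the same order: dictionary, then hybrid variants, then a bounded brute force. SHA-256 stands in for the Windows hash formats L0phtCrack works on; the word list, the substitution table and the suffix list are this example's own; and the brute force stage is capped at three lowercase characters so it finishes in a moment. The account that survives all three stages is the reason a password policy should demand length and unpredictability rather than character substitutions.

```python
import hashlib
import itertools
import string


# Constructed: SHA-256 stands in for whatever unsalted hash the account store
# uses; the staged approach is the same for any such hash.
def hash_pw(password):
    return hashlib.sha256(password.encode()).hexdigest()


WORDLIST = ["letmein", "password", "summer", "admin", "welcome"]  # tiny constructed dictionary

# Constructed account hashes to audit (the plaintexts are shown only to build the sample).
TARGET_HASHES = {
    "alice": hash_pw("summer"),                       # plain dictionary word
    "bob": hash_pw("p@55word"),                       # hybrid variant of "password"
    "carol": hash_pw("zqx"),                          # short, falls to brute force
    "dave": hash_pw("correct-horse-battery-staple"),  # reached by none of the stages here
}

LEET = {"a": "@", "s": "5", "o": "0", "e": "3", "i": "1"}  # constructed substitution table
SUFFIXES = ("", "1", "123", "!", "2007")


def hybrid_variants(word):
    """Yield variations of a dictionary word: case changes, every combination of
    the LEET substitutions (so 'password' yields 'p@55word'), and common suffixes."""
    seen = set()
    for base in (word, word.capitalize(), word.upper()):
        options = [(c, LEET[c]) if c in LEET else (c,) for c in base]
        for combo in itertools.product(*options):
            for suffix in SUFFIXES:
                candidate = "".join(combo) + suffix
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def match_candidates(hashes, candidates):
    """Hash each candidate and compare it with every target; return {user: password}."""
    found = {}
    for candidate in candidates:
        digest = hash_pw(candidate)
        for user, target in hashes.items():
            if digest == target:
                found[user] = candidate
    return found


def stage_dictionary(hashes, wordlist):
    return match_candidates(hashes, wordlist)


def stage_hybrid(hashes, wordlist):
    return match_candidates(hashes, (v for w in wordlist for v in hybrid_variants(w)))


def stage_brute(hashes, charset=string.ascii_lowercase, max_len=3):
    """Exhaustive search; cost is the sum of len(charset)**n, so max_len is kept small."""
    candidates = ("".join(c) for n in range(1, max_len + 1)
                  for c in itertools.product(charset, repeat=n))
    return match_candidates(hashes, candidates)


def audit(hashes, wordlist):
    """Run the three stages in L0phtCrack's order, dropping cracked accounts after
    each stage. Returns ({user: (stage, password)}, [users that resisted all stages])."""
    remaining = dict(hashes)
    report = {}
    stages = (
        ("dictionary", lambda r: stage_dictionary(r, wordlist)),
        ("hybrid", lambda r: stage_hybrid(r, wordlist)),
        ("brute force", stage_brute),
    )
    for name, run in stages:
        for user, password in run(remaining).items():
            report[user] = (name, password)
            del remaining[user]
    return report, sorted(remaining)


if __name__ == "__main__":
    cracked, uncracked = audit(TARGET_HASHES, WORDLIST)
    for user, (stage, password) in cracked.items():
        print(f"{user}: weak password recovered by the {stage} stage")
    print("resisted all stages:", uncracked)
```

Each stage only works on the hashes the previous one left, which is what keeps the expensive brute force stage small; and because the search space of the brute force stage grows as the character set size raised to the length, the cap of three characters here would have to rise with every extra character a policy requires, which is the quantitative argument for minimum password length.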

Penetration testing also involves testing through social engineering and organization’s physical
security. Social engineering is an art used by hackers that capitalizes on the weakness of the
human element of the organization’s defense.

2.4 Final Analysis and Cleanup

The final report should comprise a management summary describing the test engagement, key
test results, and recommended action on an abstract level and is designed for top management.

The main section of the final report should contain the detailed positive and negative test
findings, as agreed. For the vulnerabilities, the results are evaluated and prioritized, and the
tester describes the ensuing risks so that the client knows which risks are relevant to his
business operations.

The report should also contain:

•Recommendations on how the client can eliminate the vulnerabilities existing at the time
of the penetration test.

•Action plan for eliminating vulnerabilities, based on the priorities assigned to the results
and drawn up together with the client.

•Information for the client to trace the test results clearly, and all information gathered in
the various phases must be included.

•Detailed information on the tools used, work steps (which tool was used with which
options), log files, work times (when were attacks carried out), etc.

The action plan should contain a schedule for each critical vulnerability and name a person
and/or area that is responsible for its elimination.

The sensitive personal data obtained during penetration testing, such as passwords or private e-
mails, should not be included in the final report for data protection reasons, and should be
handed over to a designated person, e.g. the data protection officer.

The tester has to remove any software, such as key loggers, that may have been installed in the
client’s IT system in the course of the penetration test or any other modifications made to the
client’s IT systems, and restore the system to the state in which the tester found it prior to
testing. Also, the tester has to ensure that all temporary user accounts created on the systems
are removed.

Limitations of Penetration Testing

As the techniques used by potential attackers rapidly become more sophisticated and new weak
points in current applications and IT systems are reported almost daily, one single penetration
test cannot yield an assertion about the level of security of the tested systems that will be valid
for the future.

It is possible that a new security hole, not discovered during the test, could result in a
successful attack, even immediately after a penetration test has been completed. Because of the
rapid pace of developments in IT, the effect of a penetration test is, however, relatively short-lived.
The more protection the systems require, the more often penetration testing should be done in order
to reduce the probability of a successful attack to a level that is acceptable for the company.

This, however, in no way means that penetration tests are useless. Thorough penetration
testing is no guarantee that a successful attack will not occur, but it does substantially reduce
the probability of a successful attack.

Conclusion

It is important to make a distinction between penetration testing and network security
assessments. A network security or vulnerability assessment may be useful to a degree, but
does not always reflect the extent to which hackers will go to exploit a vulnerability.

Penetration tests attempt to emulate a 'real world' attack to a certain degree. The
penetration testers will generally compromise a system through vulnerabilities that they
have successfully exploited. If the penetration tester finds 5 holes in a system to get in, this does
not mean that hackers or external intruders will not be able to find 6 holes.

Hackers and intruders need to find only one hole to exploit, whereas penetration testers
need to find all, or at least as many as possible, of the holes that exist. This is a daunting task,
as penetration tests are normally done within a certain time frame. Finally, a penetration test
alone provides no improvement in the security of a computer or network. Action must be taken to
address the vulnerabilities found as a result of conducting the penetration test.

References

Online Resources:

Insecure. Fyodor's Exploit World: Exploits for many Operating Systems including
Linux, Solaris, Microsoft, Macintosh. For Hackers, Hacking, Computer Security
Auditing & Testing. URL: http://www.insecure.org/sploits.html

SecurityFocus. URL: http://www.securityfocus.com

Wallyware, Inc. Hacker Whacker: See your computer the way hackers do.
URL: http://hackerwhacker.com/

The Penetration Testing Group. An Introduction to Penetration Testing.
URL: http://www.penetration-testing-group.co.uk/index.htm

Hideaway.net. Strategic Scanning and Assessment of Remote Hosts.
URL: http://www.hideaway.net/Server_Security/Library/General/gentxts/ssarh.htm

URL: http://www.l0t3k.org/security/docs/forensic/

Documents and reports

System Administration, Networking, and Security (SANS) Institute, SANS Security Alert, May
2000.

SANS Institute, SANS Snap: Computer and Hacker Exploits – Step by Step.

SANS Institute, SANS Snap: Intrusion Detection – The Big Picture.

MIS Training Institute, Staying Ahead of the Hackers: Network Vulnerability Testing.

Stevens, W. Richard, TCP/IP Illustrated, Volume 1: The Protocols, 1994.