Network penetration testing
Marek Kumpošt

Penetration testing
> Authorized attempt to violate specific constraints defined in the form of a policy
> Technique to discover, understand, and document all security holes found in a system
> Not restricted to networks only
> Penetration testing can prove the presence of a security flaw
  > But not the total absence of flaws

Penetration study
> Complex process to evaluate (through penetration testing) the strength of all security controls within the system/network
  > + suggestions how to fix them
> The goal of a penetration study is also to find interpretations (causes) of discovered vulnerabilities and to suggest how to remove/close them
> Not intrusive: detects/enumerates potential vulnerabilities but does not exploit them

Lifecycle of penetration testing
> Phase 1: Information gathering about the tested environment
> Phase 2: Scanning, enumeration, fingerprinting, ...
> Phase 3: Exploitation, vulnerability testing, ...
> Phase 4: Report and evaluation

Recommended tools and pentesting arsenal
https://www.kali.org/

Types of penetration testing
> Black-box pentesting
  > Tester knows no details about the tested environment
  > Simulation of an external attacker with no internal knowledge
> Grey-box pentesting
  > Tester might have some architecture details, credentials, etc.
> White-box pentesting
  > Nothing is hidden from the tester in this scenario
  > Architecture details, credentials, source code of the tested application

Determining scope of a pentest (1/2)
> Who has the authority to authorize testing?
> What is the purpose and what is the timeframe for the testing?
> Who is authorized to know about the pentesting (IT, management, IT security)?
> What documentation will you have (IP ranges, applications, DB, ...)?

Determining scope of a pentest (2/2)
> What are the conditions for the test to be immediately stopped?
> Will additional permissions be required for exploiting vulnerabilities?
> Are there any legal implications you should be aware of?
> Is social engineering (or physical security) also part of the pentest?

Most important part of any pentest?
> Take good notes!!! ;-)
  > Of your setup, testing procedures, used tools, results, follow-ups
> Tips for tools: Dradis, MagicTree, ThreadFix or just Notepad ...

Information gathering
> Name servers, IP ranges, banners, running services
> Operating systems, IDS/IPS presence
> Technology used, network device types
> Google for anything that might help you to build knowledge
> Find everything that you can -> prioritize, remove misleading data -> use the gathered data to develop a pentest plan

Information gathering – example with DNS

How do you get the info you want?
> Network scanning – typical approach in the beginning
  > List of live IP addresses – PING scan
  > Information from the WHOIS database – DNS name, A and MX records, geolocation, reputation of an IP, SPAM db lookups, etc.
  > www.tcpiputils.com

How do you get the info you want?
> Service scanning
  > Basic portscan – slower scan with nmap
  > Gives us information about running services
  > Service fingerprinting – possible versions of services – used to identify vulnerabilities and help us find relevant exploits

PING scan of a network
> What is this technique good for?
  > Get a list of live IP addresses
  > Get a list of your targets, understand the IP addressing structure
> A basic PING scan can be easily detected

Getting more info about targets?
> Service scanning – fingerprinting and service banners
  > Get info about running services
  > Versions of services
  > Operating system of a server and its possible version
  > Patches of a service or operating system
  > Enabled modules, internal service name, ...

Service scanning with NMAP
> nmap -A is a very noisy and easy-to-discover scan
> -sS – half-open scan, more stealthy

Basic nmap options for scanning
> --open – report only open ports of a target
> -Pn – skip host discovery (e.g. if a firewall drops ping)
> -T0 to -T5 – aggressiveness of a scan: 0 = slowest, 5 = insane
> -sA/P/X/S/T/U/M/I/C – different scan types
> -oA/G/X/N – output formats of an nmap scan – good for import into msf

Usage of nmap scripts
> Make sure you fully understand any script that you run! ;-)
> nmap -sC runs the default set of about 50 nmap scripts, but is very loud on the network...

Getting information from SNMP
> Commonly misconfigured service by admins
> Great source of various information about your targets
> Default "public" community string; non-encrypted versions, open ports on the firewall
> Tools in Kali: SNMPenum, SNMPcheck, onesixtyone
> You get a lot of info by sending just one packet!

Metasploit – Swiss army knife for pentesting
> Previous manual work done effectively from one framework
> Great source of various information about your targets
> Results of your activities are stored in a database
> All configured (db, msf, web server) in Kali Linux

Metasploit – Swiss army knife for pentesting
> Workspaces for storing different projects in msf
> Metasploit can import results from nmap
> Or you can run nmap directly from Metasploit!
  > db_nmap with the options you would use with standard nmap
> The Metasploit prompt accepts standard Linux commands

CVE – database
> Common Vulnerabilities and Exposures (cve.mitre.org)
> Structured reference for publicly known vulnerabilities
> HeartBleed – CVE-2014-0160
> You can search for CVE-related exploits directly in msf

Pentest reporting – general guidelines
> Scope of the pentest (what/when/why/how/who)
  > What is scanned, what is the goal, what is excluded, ...
> For each discovered vulnerability
  > Discuss risk, impact, attacker's skill, affected hosts
  > Provide description/evidence, recommendation and references

Useful pointers
> OWASP testing guide – https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
> OWASP reporting guide – https://www.owasp.org/index.php/Reporting
> Certified Ethical Hacker (CEH) certification

Questions?
Thx…
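The PING scan slide notes that a basic sweep is easily detected. Here is an added example (not from the slides) of the blue-team side of that statement: a small detector that reads constructed firewall log lines in an assumed format and flags a source that sent ICMP echo requests to many distinct hosts inside a short window, while ignoring echo replies and repeated pings to a single host.

```python
# Added example (not from the slides): flag a PING sweep from firewall logs.
# The log lines and their format "<ts> <action> ICMP <src> -> <dst> type=<n>"
# are constructed for this example; adapt parse_icmp_echo() to a real log format.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-01T10:00:01 ACCEPT ICMP 198.51.100.7 -> 192.0.2.10 type=8
2024-03-01T10:00:01 ACCEPT ICMP 198.51.100.7 -> 192.0.2.10 type=8
2024-03-01T10:00:02 DROP ICMP 203.0.113.5 -> 192.0.2.1 type=8
2024-03-01T10:00:02 DROP ICMP 203.0.113.5 -> 192.0.2.2 type=8
2024-03-01T10:00:02 DROP ICMP 203.0.113.5 -> 192.0.2.3 type=8
2024-03-01T10:00:03 ACCEPT ICMP 203.0.113.5 -> 192.0.2.4 type=8
2024-03-01T10:00:03 ACCEPT ICMP 192.0.2.10 -> 198.51.100.7 type=0
2024-03-01T10:00:03 DROP ICMP 203.0.113.5 -> 192.0.2.5 type=8
2024-03-01T10:05:00 DROP ICMP 203.0.113.5 -> 192.0.2.6 type=8
"""

def parse_icmp_echo(log_text):
    """Yield (timestamp, src, dst) for ICMP echo requests (type 8) only."""
    for line in log_text.splitlines():
        ts, _action, proto, src, _arrow, dst, icmp_type = line.split()
        if proto == "ICMP" and icmp_type == "type=8":
            yield datetime.fromisoformat(ts), src, dst

def detect_ping_sweeps(log_text, min_targets=5, window=timedelta(seconds=60)):
    """Return {src: n_targets} for sources that probed at least min_targets
    distinct hosts inside any window; repeated pings to one host are not a sweep."""
    events = defaultdict(list)           # src -> [(ts, dst), ...]
    for ts, src, dst in parse_icmp_echo(log_text):
        events[src].append((ts, dst))
    alerts = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1               # slide the window forward in time
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= min_targets:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts
```

With the sample above, 203.0.113.5 is reported with 5 targets; the host answering replies (type 0) and the source that pings one address twice are not.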
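The nmap options slide points at -oX output as the thing to import into msf, and the reporting slide asks for affected hosts and evidence per finding. As an added example (not from the slides or from nmap itself), this turns a constructed, minimal nmap -oX document into the list of live hosts and open services a report needs, dropping hosts that were down and ports that were closed; element and attribute names follow the nmap XML format, but the sample content is invented.

```python
# Added example (not from the slides): turn nmap -oX output into the per-host
# list of open services for a findings section. The XML is a constructed sample.
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 192.0.2.0/29">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/>
        <service name="https"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="161"><state state="open"/>
        <service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""

def parse_open_services(xml_text):
    """Return {ip: [(proto, port, name, product, version), ...]} for live hosts, open ports only."""
    findings = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not answer carry no findings
        services = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are noise in a findings table
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            services.append((port.get("protocol"), int(port.get("portid")),
                             attrs.get("name", ""), attrs.get("product", ""), attrs.get("version", "")))
        findings[host.find("address").get("addr")] = services
    return findings

def report_lines(findings):
    """One human-readable line per open service, sorted by host and then port."""
    out = []
    for ip in sorted(findings):
        for proto, port, name, product, version in sorted(findings[ip], key=lambda s: s[1]):
            banner = " ".join(p for p in (product, version) if p) or "version unknown"
            out.append(f"{ip} {port}/{proto} {name}: {banner}")
    return out
```

The "version unknown" marker is deliberate: a service without a fingerprinted version is a gap to note in the report, not a reason to drop the port.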