methedology and tools for penetration testing

Ok, I'm not real sure where this post should go, so for now I'm just going to drop it in to the MS Security forum until someone points me to a better forum :) (I didn't think this really belonged in the newbie security forum and I don't see a real home for this type of question)

So here is the deal. My company has recently tasked me to do formal penetration testing of our network (both internal and external). I have never done this on a formal basis and was wondering if any of you had before. I'm looking for methedology, white papers and tool suggestions for this. I have done some googling on it but what I mostly find is companies that provide this service for a fee and unfortunately my company is being rather tight fisted at the moment and they don't want to pay someone from outside to do this.

I do have some of my own tools, but most of my time has been spent in the firewall world and some bit in IDS technologies. I have used, to a certian degree, stuff like Netcat, Retina, etc to scan and footprint, but I don't know if this is enough for them or not. They seem to want true penetration testing, and I have tried to explain to them I'm not really the guy they want for this and that they should hire someone from outside that does this for a living, but like I said they are fairly tight fisted about this whole thing and want to do it "in house" for some reason.

So, does anyone here have suggestions, comments, ideas, etc? TIA

I would recommend you go out and get yourself a copy of "Hacking Exposed" - if you haven't read it already, it's a good enough place to start.

Here are some things that you might want to discuss with your employers re: Penetration Testing.

Are they going to impose limits as to what you are and are not able to do in the scope of your testing?

I'm talking about limiting you with regards to time or targets or methodology? Do they have some pre-conceived notion of what is "fair" and "unfair" for the test? I can guarantee you that the people you are trying to protect yourselves from can not be expected to abide by arbitrary limits. For instance going after key systems during business hours...

Also, are they looking for a certain kind of penetration? In other words are they asking you to try to get to certain data or resources? What about creating a DoS condition? What about a website defacement? What about sending unauthorized email? What about reading email? Deleting files? Changing files?

Are you expected to come in from the "outside" only? That is, the extent of your pen test is limited to an internet connection?


Frequently a company will have these preconceptions in place. In my opinion these are all wrong wrong wrong. The problem may be that everyone has seen too many movies. The real threat is not necessarily from the internet connection. It may come through the internet sure, but it may also come from an unsecured wireless deployment. It may come from a disgruntled employee. It may come from a vendor. It may come from an intruder.

I am not going to give you a list of ways to gain access to things you shouldn't have access to. But I will say this: if I want to come after important data or resources for a given company, I am going to try very hard to not go over an internet connection. There's way too much chance of the connection being logged, and firewalled, and so forth. I'm going to go in through the front door in some fashion.

A little social engineering can be a much bigger threat than most people realize.

With regards to the web defacement stuff and DoS attacks - I hate to say it, but that's really kid stuff. You need to have your systems configured properly and it's annoying if you get nailed, and it's nothing to ignore - but still it's a relatively easy fix. Someone who is manipulating databases or dumping data is a much much bigger problem.

There is nothing different between a penetration test and an unauthorized penetration other than permission. Even though I state that there really should be no boundaries, you need to state what the boundaries are. You need to get your management to sign off on this. You need to make them aware that these activities may have a serious impact on system availability.

One final note about pen-tests. It's important that everyone goes into this with the proper mindset. Invariably you are going to find holes. You need to make sure everyone is on the same page that this is a good thing, and not a reason to start looking for someone to scapegoat over why these holes exist. It's simply a fact that holes will exist and will need to be fixed. The process should be a constant determination of weaknesses and remediation.

It's often good to have an outsider do the assessment once in a while. Maybe annually. This just gives an independant review of the security process and infrastructure.

Sorry for the rambling nature of this post. Hope it helped.

Lv4: Show this to your company if you like.......

Penetration tests carried out by persons familiar with the network topology etc. are generally of little use other than to give them a warm fuzzy feeling. It's exactly the same situation as the adage that a lawyer should never defend himself...... If you made a mistake in the setup of the security there's a good chance you'll make the same mistake in the footprinting or penetration that will leave the company vulnerable without you knowing it. Bear in mind also that if you wish the testing to go far enough you are utterly the wrong person to be trying some social engineering since many in your company may recognize your voice over a phone or your face in a corridor..... So a whole aspect of the test would be invalid should you wish to go that deeply into testing.

Working for a non-profit I fully understand the "tight-fisted" approach but when it finally came down to it I told my CEO that for me to carry out the testing was preposterous and that we have to spend the $X,000 we did to have it done by a reputable and professional company. It took them a week, (2 guys), they were very thorough, I learned a lot, (which is a big benefit to the company and helps to offset the overall cost of the exercise), it allows you to give IDS' etc. a good workout since you should be able to report back to them what it was they did and when they did it, (another cost benefit to your company 'cos if you can't see their attempts then you probably can't see anyone elses which is a bad thing....<s>), and you get a nice report at the end that details not only what is at risk but how to end or mitigate the risk. All in all it is well worth the cost.

BTW, we passed..... Only a potential for DoS which is a balancing act at best between actual security and the potential for DoS.... Since our internet resources are not mission critical the system remained as it was.

Sorry about that, I took off on a tangent there.

With regards to tools and methodolgies:

I recommend following the general outline of the Hacking Exposed books. Start out with a general reconaissance of the target. Try to find out as much information about the company as you can. You're an employee, so you'll need to act as though you're an outsider without any real knowledge at this point. Get familiar with nslookup, dig, whois, etc. Look at the corporate website to try to get some names of people and contact info. Call in to the operator and see about getting some social engineering going to find out information. Addresses, vendors, systems, etc. Call from an outside line - no cheating!

Keep a notebook with you and keep a running log of what you do, when you do it, and what you find out.

Next you can start doing some scanning. Try some wardialing and wardriving too.

See how far you can go coming in from the outside.

It is important to document everything you do, every tool you use. Save your results and logfiles.

After you're done from the outside, time to move to the inside. I recommend two passes here. First as a "visitor" with no network user account. See what you can find out, enumerate, scan, etc. See if you can get user and/or admin level access to a system. See how far you can go.

Next try the inside as a "basic employee" that is an employee with a typical user account with no special admin privileges. Again, no cheating. Follow the same procedure. Remember you're not supposed to know anything more than the person's role you're assuming.

After you're done rampaging through the network, I like to go after physical security. See about coming in off hours. See if you can get into the data center. See if you can physically get to a desktop or a laptop in a management area. Stickers can be a fun way to leave a calling card on machines you've been able to get to.

Hope this helps.

Great points amazingzarkon. I agree that company executives have warped perceptions of what is or is not involved in information security and may not fully understand what they are asking for when they ask you to do penetration testing.

To avoid any problems it would be best to draw up some sort of scope document that defines what the goal of the testing is, what systems will be tested and whether any systems are out of bounds. You may inadvertantly crash something while trying to penetrate so everyone should be aware.

Quote:

---

I'm looking for methedology, white papers and tool suggestions for this.

---

I found a link that has explanations and links to a bunch of different tools here: Top 50 Security Tools

Those are "security" tools and not necessarily "penetration" tools though. If you search the AntiOnline archives and files you will probably find a plethora of options.

If your network is Microsoft you may also want to start with something simple like the free Microsoft Baseline Security Analyzer tool. By running MBSA on your network you can find which computers are not patched against known vulnerabilities and which computers have weak or no passwords and you can use that information to penetrate those systems.

Lastly, I second the nomination of the Hacking Exposed series of books. They are a great resource and can give you plenty of ideas for different ways to "break into" your network.

wow, thanks for the well thought out and timely responses folks.

A lot of this I already knew (I just didn't realize it), like it's not really a fair test because I already know the topology, what I think our weak spots are, I can't social engineer because of being known, etc.

Some other things though I didn't even think about. The real impact to our business, setting boundries (or not), DoS or DDoS attacking and such. I also didn't consider that they may have a preset boundries or ideas of what this testing is going to be or provide.

I do have a couple of copies of the Hacking Exposed books, Second and Third editions, but I think there is a new edition out. Also, our network isn't all MS based, there is a LOT of *nix, and BSD stuff mixed in.

I had thought about asking some of my friends to help on the social engineering side, but I'm worried about too much information being readily available from some sources in the company.

I guess I'm going to call a meeting with the CIO and CFO (both of which want me to do this test and not an outsider) and discuss the points you all have given me.

Anyway, if you guys come up with more points or ideas for me please let me know, and I do certianly appreicate the help you have provided already.

You may want to sell the fact that you want a vulnerability assessment and not really a pen test. Do you really need to penetrate to obtain your goal? A good VA tool, something close to Nessus would do the job. I say Nessus beacause you can start with that (its free) and then provide a report and sell your idea as to why the company may need to purchase assessment tools. You can run the DoS exploit test without having to run an actual DoS attack. Same goes for bufferoverflows, ect. The tool looks for software fingerprints to see if the exploit would work, rather than running the exploits thenselves. Just a thought...Pen testing can be a scary thing, where as VA testing takes away the risk of causing harm.

Meloncholy: VA is a method where a direct approach is made to a specific resource, a web site for example, whereas PT is much more indirect. It may never really touch any of your public assets but rather pass through the perimeter at some unexpected point. For example rather than have a crack at your SMTP server which is probably firewalled, logged etc. a quck drive by the building may produce an unknown and unprotected WAP that can be used. It won't be logged and promises much greater "treasure" than a direct frontal assault. VA tools cannot simulate this kind of activity.

Another tool you should maybe consider, if you can, is Nessus . It's a Unix based tool that scans machines for known vulnerabilities and then reports back what it finds. It is composed of two parts: the Nessus server it self and a Windows client to launch it. Best of all, it's free and incredibly thourough.

I used Nessus in a security class I took last year for an assignment. The best Nessus feature in the version I used was the way in which it produced the reports. When it was done scanning, Nessus automatically created its report in HTML with a main page plus seperate pages for each machine scanned. Each machine that was scanned had it's vulnerabilities listed, their significance, and then summed it all into pie charts and percentages, which would be perfect to show to management types.

Nessus does have the ability to scan multiple machines, another great feature, however this can get to be incredibly time consuming. But if you wanted to have it scan all the machines in your company, you could, just start it as your leaving to go home some night and check the results in the morning.

You will need to install it onto a *nix box somewhere, but I'm not sure if it needs a dedicated machine or not.

Check into it if you want. I apologize for the lack of in depth info, but I thought the reporting abilities might spark your interest.

www.nessus.org - for more information

Enjoy,
Alphabetarian

I definitely agree with Tony Bradley's points about the additional difficulties inherent with trying to pentest yourself. It just doesn't work out that well.

With regards to the Vulnerability Scanning, I agree that this is a good technology to explore for you. It is not a magic bullet, and you need to understand the limitations of the solution (false positives, potential for disrupting production systems with scan activities, etc.) but a good vulnerability scanner is good to have. It can help keep an eye out for systems that need a patch or configuration tweak.

I generally incorporate an automated vulnerability scan or two in penetration test. If you end up contracting with someone for a penetration test or vulnerability assessment they will most likely include this as part of their service.

I like Nessus. Another quick tool is SARA, the Security Auditor's Research Assistant available at ARC. In my opinion SARA is less intensive than Nessus, but still does a fair job at SANS/FBI Top 20 vulnerability scanning. Report output is pretty decent too.

You can do a heckuva lot if you sit down and use some "individual" tools like nmap and netcat and various netbios utils. After you poke around with these from the command-line for a bit you will probably find yourself putting together some scripts that automate the information gathering process you're using these tools for. Takes time, but it may well be worth doing for you. These scripts can be considered vulnerability scanners too.

Please let us know how you fare with your discussions with management!

Regards,

AZ!

Tiger Shark: Going back to the topic of VA vs. PT. I'm not sure I understand where you're coming from. I'm on a VA team for the government and we do full blown assessments of ALL assets, not just specific resources. We are not allowed to "pen test". There are other teams that can do this for a specific target, our goal is more broad. We look for vulnerabilities. If you were looking at the wireless side you could use ISS wireless scanner. Now, no one scanner or tool will catch everything, you will need to use a variety of tools, and yes you must watch for false pos/negs, VA is very close to penetration. Normally, a vulnerability assessment would simply be part of a penetration test, where the tool or service would identify vulnerabilities across a network and provide information on how to plug them. Frequently, the actual penetration test focuses on exploiting vulnerabilities, both technical and non-technical, to leverage access to critical data through a certain subset of the network under some kind of time deadline, he notes. Vulnerability assessments are a bit more comprehensive and penetration tests engage more manual processes to find the path of least resistance in getting to that all-important intellectual property.

Meloncholy: I aplogize if I did not entirely understand your post. What you wrote implied to me that you were regarding VA as a one dimensional effort based around tools such as Nessus which tend to be quite one dimensional. Clearly your impression of VA is multi-dimensional. At the time I didn't want others to think that a uni-dimensional VA would be anything like as effective as a complete PT which will try to find holes in the walls of your building to gain access if it can....... ;)

hack IT is good and gives you a some tools like a spilt nix and win eviroment :)