Penetration Testing - ISACA

Download Report

Transcript Penetration Testing - ISACA 

Penetration Testing
Anand Sudula, CISA,CISSP
SSA Global Technologies, India
Before We Start
 My Introduction.
 Audience Type.
 Expectations from this presentation.
 Disclaimer.
 Not a professional Tester
 Based on my learning, Understanding.
Agenda
 Background.
 What is Penetration Testing.
 Need for Penetration Testing.
 Methods and Techniques of Pen Test.
 Demo.
 Tiger tools.
 MetaSploit.
 ExploitTree
 Whopix.
 ERD Commander(local Password Craking).
 Questions.
 Resources.
Background
What is Penetration Testing
 A form of stress testing, which exposes weaknesses or flaws
in a computer system.
 Art of finding an open door.
 A valued assurance assessment tool.
 PT can be used to find Flaws in
 Policies
 Specifications
 Architecture,
 Implementation,
 Software,
 Hardware,
 And many more………………
Background
Need for Penetration Testing
 To find poorly configured machines.
 Verify that security mechanisms are working.
 Help organizations to tighten the Security system.
FACT!!!!
99.9% secure = 100%vulnerable!
Methods and Techniques of Pen Test.
 Black Box
 zero-knowledge testing
 Tester need to acquire the knowledge and penetrate.
 Acquire knowledge using tools or Social Engineering
techniques
 Publicly available information may be given to the penetration
tester,
Benefits:
Black box testing is intended to closely replicate the attack made
by an outsider without any information of the system. This kind of
testing will give an insight of the robustness of the security when
under attack by script kiddies
Methods and Techniques of Pen Test.
White Box
 complete-knowledge testing
 Testers are given full information about the target system they are
supposed to attack .
 Information includes ,
 Technology overviews,
 Data flow diagrams
 Code snippets
 More…..
Benefits:
 reveals more vulnerabilities and may be faster.
 compared to replicate an attack from a criminal hacker that
knows the company infrastructure very well. This hacker may be
an employee of the company itself, doing an internal attack
Methods and Techniques of Pen Test.
Gray-box or crystal-box test
The tester simulates an inside employee. The tester is given an
account on the internal network and standard access to the network.
This test assesses internal threats from employees within the
company.
Methodology of Penetration Testing.
There are NO formal methods of Penetration testing!!!!!!!!

Typically has Seven Stages







Scope/Goal Definition
Information Gathering
Vulnerability Detection
Information Analysis and Planning.
Attack& Penetration/Privilege Escalation.
Result Analysis & Reporting.
Cleanup.
REPEAT
Methodology of Penetration Testing.
STAGE 1: Scope/Goal Definition
 Which attacker profile the tester will use
 Hacker with no knowledge about the target.
 Hacker with knowledge about the target.
 Internal user with access.
 Which systems or networks the test will be conducted.
 How long will the test last.
Methodology of Penetration Testing.
STAGE 2: Information Gathering.
 Information about the Targets.
 Publicly available information( WWW.Arin.net, nslookup)
 Technical Information provided by organisation.
Methodology of Penetration Testing.
STAGE 3: Vulnerability Detection.
 Manual Detection
 manually probe the target host for common misconfigurations or
flaws because a vulnerability scanner can fail to identify certain
vulnerabilities.
 Ex: database configurations etc….
 Using Software.
 Use of commercial or Freeware Scanners to enumerate known
flaws or vulnerabilities , Ex: Retina ,Hfnectcheck, GFI
Languard, Nikito, nmap so on.
PLENTY TOOLS available in Market/Internet.
Methodology of Penetration Testing.
STAGE 4: Information Analysis and Planning.
 Collating the information gathered in previous stages.
 Preparation of High level attack planning
 Overall Approach
 Target identification.
Methodology of Penetration Testing.
STAGE 5: Attack & Penetration/Privilege Escalation.
Has Two Sub Stages
 I. Attack & Penetration
 Known/available exploit selection
 Tester acquires publicly available s/w for exploiting.
 Exploit customization
 Customize exploit s/w program to work as desired.
 Exploit development
 Develop own exploit if no exploit program available.
 Exploit testing
 Exploit must be tested before formal Test to avoid damage.
 Attack.
 Use of exploit to again unauthorized access to target
Methodology of Penetration Testing.
STAGE 5: Attack & Penetration/Privilege Escalation.
 II. Privilege Escalation
 What can be done with acquired access/privileges.
 Alter.
 Damage.
 What not ……
Repeat the Stages (2 to 5)
Methodology of Penetration Testing.
STAGE 6:Result Analysis & Reporting
Organize Data/related results for Management Reporting.
 Consolidation of Information gathered.
 Analysis and Extraction of General conclusions.
 Recommendations.
Methodology of Penetration Testing.
STAGE 7:Cleanup
Cleaning of all that has been done during the testing
 Any System alterations
 Exploits
Resources.
 Guidelines
 OSSTMM :The Open Source Security Testing Methodology Manual.
 OWASP :Open Web Application Security Project.
 Tools






NMAP,Nikito,John,CAIN&able and many more………….
Whopix
Tigertools (Commercial Tool)
Metasploit.
ExploitTree.
Core Impact (Commercial Tool)
Metasploit Framework
ExploitTree Framework
MilWorm
Demos
 DCOM vulnerability using ExploitTree.
 Password Cracker –Tiger Tools.
 WHOPIX.
 Security Auditor.
 Pasword Craking (Raptor Chown-Recorded Demo).
 ExploitTree.
 MetaSploit.
Questions
Questions?.