Effective Penetration Testing
Kevin Pescatello
A Capstone Presented to the Information Technology College Faculty
of Western Governors University
in Partial Fulfillment of the Requirements for the Degree
Master of Science in Information Security Assurance
22-Jan-2013
Effective Penetration Testing
Effective Penetration Testing Page 2
Copyright © 2013 Netwerk Guardian LLC
Abstract
This paper covers the importance of providing penetration-testing services that
comply with the law and with corporate governance. Many penetration-testing services lack
a proper structure for execution: some provide good scenarios for what to test and how, but
fail to provide the supporting documentation, communication, and legal counsel throughout the
process. This project follows a real penetration test from start to finish, including the best
practices used and required for complying with laws and corporate governance as it should be
done. The paper presents a case study of a real penetration test, describes the business
dynamics as well as the technical objectives of the test, and provides countermeasures for the
organization. Documentation and artifacts that support the legal and technical requirements
are provided in the appendices. The body of the paper covers test preparation, methodology,
and execution. All client-identifying information in the report has been changed to protect
the identity of the client.
Table of Contents
Introduction (p. 1)
  Project scope (p. 1)
  Defense of the Solution (p. 2)
  Methodology Justification (p. 3)
  Organization of the Capstone Report (p. 3)
Systems and Process Audit (p. 4)
  Audit Details (p. 5)
  Problem Statement (p. 6)
  Problem Causes (p. 6)
  Business Impacts (p. 7)
  Cost Analysis (p. 7)
  Risk Analysis (p. 8)
Detailed and Functional Requirements (p. 10)
  Functional (end-user) Requirements (p. 10)
  Detailed Requirements (p. 11)
  Existing Gaps (p. 12)
Project Design (p. 12)
  Scope (p. 12)
  Assumptions (p. 13)
  Project Phases (p. 13)
  Timelines (p. 16)
  Dependencies (p. 16)
  Resource Requirements (p. 16)
  Risk Factors (p. 17)
  Important Milestones (p. 17)
  Deliverables (p. 18)
Methodology (p. 19)
  Approach Explanation (p. 20)
  Approach Defense (p. 21)
Project Development (p. 22)
  Hardware (p. 22)
  Software (p. 23)
  Tech Stack (p. 23)
  Architecture Details (p. 23)
  Resources Used (p. 23)
  Final Output (p. 23)
Quality Assurance (p. 25)
  Quality Assurance Approach (p. 25)
  Solution Testing (p. 25)
Implementation Plan (p. 26)
  Strategy for the Implementation (p. 26)
  Phases of the Rollout (p. 26)
  Details of the Go-Live (p. 28)
  Dependencies (p. 28)
  Deliverables (p. 28)
  Training Plan for Users (p. 29)
Risk Assessment (p. 29)
  Quantitative and Qualitative Risks (p. 29)
  Cost/Benefit Analysis (p. 30)
  Risk Mitigation (p. 31)
Post Implementation Support and Issues (p. 32)
  Post Implementation Support (p. 32)
  Post Implementation Support Resources (p. 33)
  Maintenance Plan (p. 34)
Conclusion, Outcomes, and Reflection (p. 35)
  Project Summary (p. 35)
  Deliverables (p. 36)
  Outcomes (p. 36)
  Reflection (p. 37)
References (p. 38)
Appendix A: Network Devices (p. 39)
Appendix B: Critical Services (p. 40)
Appendix C: Penetration Test Plan (p. 41)
Appendix C: Penetration Test Action Plan (Con’t) (p. 42)
Appendix D: Audited IT Processes (p. 43)
Appendix D: Audited IT Processes (Con’t) (p. 44)
Appendix E: Qualitative Risk Matrix (p. 44)
Appendix F: List of Legal Concerns (p. 44)
Appendix G: Sample Contract (p. 45)
Appendix G: Sample Contract (Con’t) (p. 46)
Appendix H: Sample Contract (Con’t) (p. 47)
Appendix I: Data Breach Calculator Report (p. 47)
Appendix J: Penetration Results and Countermeasures (p. 48)
  Executive Summary (p. 48)
  Test Objectives (p. 48)
  Port Scanning Results and Issues (p. 48)
    Scanning Windows machines (p. 48)
    Countermeasures (p. 49)
  DoS/DDoS Testing (p. 49)
    Countermeasures (p. 49)
  Application Server Testing (p. 50)
    Countermeasures (p. 50)
  Sniffing and MITM Attacks (p. 52)
    Countermeasures (p. 53)
Appendix AA: MBSA (Microsoft Baseline Security Analyzer) Scan Results (p. 54)
Appendix AB: Nmap Scan Results (p. 56)
Appendix AC: Nessus Scan Results Application Server MAXWELLSM (p. 56)
Appendix AD: Nessus Scan Results Network (p. 60)
Appendix AE: Communication Plan (p. 60)
Introduction
This paper outlines how a penetration test can fail and details how an effective
test should work. What happens when a business requests a pen-test but the company providing the
service does not capture the requirements correctly? In addition, the company performing the
test does not always follow best practices. The stretch from soliciting a request for proposal,
through identifying the security posture, to planning is where the pen-test company may go wrong
and produce inaccurate results. Often the two companies meet for only a short time, and both sides
must not just hear but listen to the requirements and provide a well-documented response. While
the decision to get a pen-test is not difficult, the dynamics of preparing and executing one are
quite involved. Many penetration tests do not perform as well as they should because of poor
planning, poor communication, or both. This paper outlines the costs, failures, motives, and
methods needed to review a company's security posture.
Project scope
This project includes the entire process: presenting the need for the penetration test,
acceptance of the scope of work, signed written consent, communication plan, action plan, list
of assets and scan-type activities, penetration methods, documentation, and a written report with
attachments concluding the penetration test. This paper does not include any client-specific
information relating to the solicitation, presentation, and procurement of the contract. The
information provided demonstrates a scenario in which Certified Ethical Hackers apply a
best-practices approach to security assessment and penetration testing.
Most companies do not understand the need for a penetration test until they experience
either a breach or a denial of service that affects them. Rather than waiting for the inevitable,
the project presents research on how pervasively criminals scan the internet seeking new targets.
Once that message has been received and accepted, the project details the scope of work to be
conducted based on needs and cost. Time has dictated the direction of this project, so a sample
agreement and action plan are provided to demonstrate the fundamentals of penetration testing.
The communication plan is key to this project's success; it is one of the pivotal factors that,
if not done correctly or at all, will completely remove the effectiveness of testing. The
scan-type activities enumerate the network and identify systems and, where possible, known
vulnerabilities before any penetration testing is attempted. Automated tools help assess the
situation, while the hands-on manual work, including any custom code, is reserved for the
penetration test itself; the methodology is therefore automated for discovery and manual once
targets are identified.
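The enumeration phase described above produces raw scanner output that the manual phase then works from. The following Python script, added here as an illustration and not part of the capstone or its appendices, turns Nmap's XML output (`nmap -sV -oX scan.xml ...`) into a target list: it keeps only hosts that are up and ports that are open (or open|filtered for UDP), and pulls out the services worth a tester's manual attention. The XML fragment, the addresses, the product strings and the list of services of interest are all constructed for the example.

```python
"""Build a target list from Nmap XML output for the manual phase of a test.

Added example; not code from the capstone or its appendices.  SAMPLE_XML is
a constructed fragment in the layout `nmap -sV -oX` writes; hosts, ports and
product strings are made up.  Real use: parse_nmap(open("scan.xml").read()).
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/24">
  <host><status state="up"/>
    <address addr="10.0.0.10" addrtype="ipv4"/>
    <hostnames><hostname name="app-server.example.local"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds" product="Windows Server 2008 R2 microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/>
        <service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.20" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="5060"><state state="open|filtered"/><service name="sip"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="10.0.0.30" addrtype="ipv4"/></host>
</nmaprun>
"""

# Services that deserve manual attention on a flat SMB network; assumed for the example.
HIGH_INTEREST = {"microsoft-ds", "ms-wbt-server", "telnet", "sip", "ftp", "ms-sql-s", "snmp"}


def parse_nmap(xml_text):
    """Return {ip: {"hostname": ..., "ports": [(proto, port, service, product), ...]}}
    for hosts reported up, keeping ports whose state is open or open|filtered."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") not in ("open", "open|filtered"):
                continue
            svc = port.find("service")
            ports.append((port.get("protocol"), int(port.get("portid")),
                          None if svc is None else svc.get("name"),
                          None if svc is None else svc.get("product")))
        name = host.find("hostnames/hostname")
        hosts[addr.get("addr")] = {"hostname": None if name is None else name.get("name"),
                                   "ports": sorted(ports)}
    return hosts


def targets(hosts, interest=HIGH_INTEREST):
    """Flatten to sorted (ip, proto, port, service) rows for services in `interest`,
    so the tester can work through them top to bottom."""
    return sorted((ip, proto, port, svc)
                  for ip, info in hosts.items()
                  for proto, port, svc, _ in info["ports"] if svc in interest)


if __name__ == "__main__":
    scan = parse_nmap(SAMPLE_XML)
    for ip, proto, port, svc in targets(scan):
        print(f"{ip:12s} {proto}/{port:<5d} {svc}")
```

Closed ports and hosts that are down are dropped at parse time, so the list handed to the manual phase contains only what is actually reachable; a real scan file is read the same way, and the interest set is edited per engagement.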
All the activities described here create documentation that serves two purposes. The first
is to gain a better grasp of the inventory the company holds on site and its associated risks. The
second is to prepare the company for a security standard certification and accreditation. The
final report gives the assessed security posture of the company and the countermeasures it should
put in place to secure its infrastructure.
Defense of the Solution
This topic was chosen because the candidate has found that not all security providers
follow best practices for penetration testing; they often leave out some fundamental part, which
causes poor execution, poor results, and, worse, disappointed clients. The security industry
requires that professionals formulate a best-in-class strategy when performing tests, yet that
strategy is often not shared with the client. The information security market has not realized
its full potential in securing corporate and public sector networks. Poor security practices
through which information has been leaked are, in the author's view, behind the spike in hacking
events in 2012. The paper goes through the details and necessary activities of an effective
penetration test. It is public knowledge that not all penetration-testing companies follow best
practices, and not all penetration-testing companies have the same expertise.
There is also a survey of penetration-testing companies, asking them to review what is
going on in the industry, both for the company taking the survey and for its view of the
competitive landscape. Seeking participation in this survey is challenging because it asks for
truthful but anonymous responses. This information supports the solution and the reason for this
research.
Methodology Justification
The following explains the root cause of the problem associated with penetration
testing. The paper goes into detail on the process of soliciting the right company to perform a
penetration test, one that reveals the weaknesses in security posture that could interrupt
business processes or expose confidential information. An actual penetration test incorporates
the best practices explained herein that solve the problem of ineffective testing. Additional
documentation in the appendix provides the scope for the test and the reasons behind it. The
causes and impact address what normally happens during these engagements and what should happen.
The paper outlines the framework required to test a specific company, detailing the action items
that company has to take for information security assurance. An analysis begins with research on
recent reports of data and intellectual property theft, the costs of testing, and the costs of
not testing. Finally, the paper addresses a solution that produces relevant results.
Organization of the Capstone Report
The report explains what a typical company looking for a penetration test needs. It
lists and discusses the requirements and provides documentation examples of the dynamics of
preparing the company for this type of activity, as well as of the company preparing its assets
for review. The project proceeds one step at a time, each activity followed by a discussion of
best practices and, where useful, the most common mistakes or caveats. The paper details the
actual testing appointment with a communication plan and planned tests. Notably, the testing can
take a different direction based on the results found and can require more or less effort
depending on what is being tested. This illustrates how dynamic the process is and what can be
learned from it. The artifacts created provide insight into the business processes the company
requires in order to function and be profitable; they also show where vulnerabilities can be
exploited or where devices fail. These artifacts are in the appendices for review.
Systems and Process Audit
In the following sections, the typical business audits the assets that are on site and
that pose a risk either by design or by implementation. The company that is the subject of the
penetration test lists all its devices in preparation for the test. Each asset owner responsible
for the integrity and operation of a device provides a list of devices and their function, and
the company provides the business justification for each device and why it is in use today. The
pen-testing team reviews this business use against industry experience to see whether the
services used justify the device's existence on the network. This is a form of checks and
balances on what management states as business use in its processes: if the two match, there is
good cause for the device's existence; if there is a disparity, it is probably time to review
its effectiveness. The list of processes associated with the assets is in Appendix B. What is
sought here is a return on investment associated with each process or asset; if none exists, why
test it?
Audit Details
The penetration-test team was able to simulate penetration testing of an actual client and
meet with a high-ranking officer to coordinate the evaluation of assets. Typical services
provided in a company were also evaluated: network devices, services that run on the network,
applications, and the supporting processes. These supporting processes were not the type normally
audited in a security standard accreditation and certification, but ones conducted in order to
benefit directly from each device's purpose. We found that the company had purchased numerous
network devices, including switches that support enterprise-class configuration and management,
and servers; these are listed in Appendix A. The network had a single server platform, which we
would be testing along with the unique services running on it. The IT department personnel
interviewed explained their tasks associated with each device or service, recorded in Appendix
B. That document shows the critical services associated with devices as a map and as a table for
ease of reading.
When the interview began, the approach was to determine what technology supported
what business process and how many times technology is used. Starting from a project bid being
awarded, human input is required to enter the data into the core business application, called
Streetsmarts. This is done by the operations manager and requires a workstation, a LAN (Local
Area Network) connection to the server, and VoIP (Voice over Internet Protocol) services. Once
the project is in the system and resources are assigned to it, tickets are made for each truck
leaving the yard with asphalt. The tickets carry the project and customer information required
for accounting and have to be entered into the system. This is the second point at which
technology has to be used in order to operate and make a profit. Summing the remaining
processes, the total number of technology-dependent business operations, including network
devices, was twelve (12). If the server were down for a long period there would be no way for
the company to keep efficient records and remain profitable. Person-hours would increase and
contingent support processes could maintain some workflow, but the company's ability to compete
successfully would end.
Problem Statement
The company called upon the pen-testing team to ascertain where its security posture
stood in relation to its network device footprint. This was the first problem to address,
because the question was very vague. What they should have asked was: what must be done to
ensure that our internal services are not denied availability and that the integrity of our data
does not suffer, causing business impact? The pen-testing team introduced the company to a tool
it could use to establish which devices and services are important to keep running, and their
severity (Appendix D). This is illustrated in the form of a device and process map, which can be
seen as a list in Appendix B.
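The device and process map referred to in the Systems and Process Audit and in the Problem Statement can be kept as a small data set and queried directly. The Python below is an added example, not the tool the team gave the client nor content from Appendices B or D; the processes, assets and severity weights are constructed to resemble the asphalt company's workflow (Streetsmarts entry, truck tickets, VoIP). It scores each asset by the severity of the business processes that depend on it, lists the single points of failure for high-severity processes, and flags inventory entries that no process justifies, which is the paper's test for whether an asset is worth testing at all.

```python
"""Asset-to-process dependency map for scoping a penetration test.

Added example; not code from the capstone or from the client engagement.
The inventory is constructed to resemble the lists the paper keeps in
Appendices A, B and D (core business application, server, workstation,
VoIP); asset names, processes and severities are assumptions.
"""
from collections import defaultdict

# Severity weights assumed for the example; Appendix D in the paper uses its own scale.
SEVERITY = {"high": 3, "medium": 2, "low": 1}

# Each business process names the assets it cannot run without and how badly
# the business is hurt when it stops.  Constructed sample data.
PROCESSES = [
    {"name": "enter awarded project into Streetsmarts", "severity": "high",
     "assets": ["app-server", "ops-workstation", "core-switch"]},
    {"name": "issue truck tickets", "severity": "high",
     "assets": ["app-server", "ops-workstation", "core-switch"]},
    {"name": "customer calls to dispatch", "severity": "medium",
     "assets": ["voip-pbx", "core-switch"]},
    {"name": "print invoices", "severity": "low",
     "assets": ["app-server", "print-server", "core-switch"]},
]

# Asset inventory with the owner's stated business justification.  Constructed.
ASSETS = {
    "app-server": "hosts Streetsmarts and its database",
    "ops-workstation": "operations manager data entry",
    "core-switch": "connects everything",
    "voip-pbx": "phone system",
    "print-server": "shared printing",
    "old-wifi-ap": "no longer used",  # no process depends on it
}


def score_assets(processes, severity=SEVERITY):
    """Criticality per asset: the sum of severity weights of every process that
    depends on the asset.  Assets no process names are absent from the result."""
    scores = defaultdict(int)
    for proc in processes:
        for asset in proc["assets"]:
            scores[asset] += severity[proc["severity"]]
    return dict(scores)


def unjustified_assets(assets, processes):
    """Inventory entries that no business process depends on.  The paper's rule:
    if no process needs a device, ask why it is on the network before testing it."""
    used = {a for p in processes for a in p["assets"]}
    return sorted(a for a in assets if a not in used)


def target_order(processes):
    """Target order for the test: highest criticality first, ties broken by name."""
    scores = score_assets(processes)
    return sorted(scores, key=lambda a: (-scores[a], a))


def single_points_of_failure(processes):
    """Assets whose loss would stop at least one high-severity process."""
    return sorted({a for p in processes if p["severity"] == "high" for a in p["assets"]})


if __name__ == "__main__":
    scores = score_assets(PROCESSES)
    for asset in target_order(PROCESSES):
        print(f"{asset:16s} criticality={scores[asset]:2d}  ({ASSETS[asset]})")
    print("not justified by any process:", unjustified_assets(ASSETS, PROCESSES))
    print("single points of failure:", single_points_of_failure(PROCESSES))
```

With this data the core switch outranks the application server because every process crosses it, which matches the paper's later finding that the flat network, not the server alone, is the real exposure; the unused access point is surfaced as an asset to question rather than to test.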
Problem Causes
The company knew about the recent rise in hacking events around the world and wondered
whether it could happen to them. However, their approach was wrong: they wanted the pen-testing
team to test what they had in place and give them a report based on patch level and weaknesses.
They never thought about configurations, the operational behavior of devices, or the influence
of users. What was discovered was that the network was built entirely on a single untagged VLAN,
with no other precautions in place to suppress layer-two (2) attacks (the sniffing and MITM class
covered in Appendix J). The VoIP traffic ran on the same data network without an encrypted media
protocol such as SRTP, so calls could be captured in the clear. There was anti-virus software,
but no intrusion detection or prevention device to alert on or mitigate threats.
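One way to substantiate the finding that voice ran without SRTP is to look at the SIP signaling that sets the calls up, since the SDP body of each INVITE names the media transport profile. The script below is an added example, not part of the capstone's test or its appendices; the two INVITE messages are constructed, with made-up addresses and key material. It flags media offered as plain RTP, SRTP offers that carry no keying, and the case where SDES keys travel inside signaling that is itself unencrypted, which exposes the key to the same sniffer.

```python
"""Flag SIP/SDP offers that set up unencrypted voice media.

Added example; not code from the capstone.  The INVITE messages below are
constructed for the example (addresses, ports and key material are made up).
The check relies on the SDP transport profile on each m= line: RTP/AVP and
RTP/AVPF carry plain RTP; RTP/SAVP and RTP/SAVPF carry SRTP and must come with
keying, either an a=crypto line (SDES, RFC 4568) or an a=fingerprint line
(DTLS-SRTP).
"""

PLAINTEXT_PROFILES = {"RTP/AVP", "RTP/AVPF"}
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
ENCRYPTED_SIGNALING = {"TLS", "WSS"}


def split_sip(message):
    """Split a SIP message into (start line, headers, body); header names lower-cased."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # first colon only; values contain colons
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_sdp_media(sdp):
    """Yield one dict per m= section: media type, port, profile and its a= attributes."""
    current = None
    for line in sdp.strip().split("\n"):
        if line.startswith("m="):
            if current:
                yield current
            media, port, profile = line[2:].split()[:3]
            current = {"media": media, "port": int(port), "profile": profile, "attrs": []}
        elif line.startswith("a=") and current is not None:
            current["attrs"].append(line[2:])
    if current:
        yield current


def signaling_transport(headers):
    """Transport token from the top Via header: 'SIP/2.0/UDP host' -> 'UDP'."""
    via = headers.get("via", "")
    return via.split()[0].split("/")[-1].upper() if via else ""


def audit_offer(message):
    """Return a list of findings for one SIP message carrying an SDP body."""
    _, headers, body = split_sip(message)
    if "application/sdp" not in headers.get("content-type", ""):
        return []
    transport = signaling_transport(headers)
    findings = []
    for m in parse_sdp_media(body):
        if m["port"] == 0:            # port 0 means the stream is rejected or disabled
            continue
        where = f"{m['media']}:{m['port']}"
        sdes = any(a.startswith("crypto:") for a in m["attrs"])
        dtls = any(a.startswith("fingerprint:") for a in m["attrs"])
        if m["profile"] in PLAINTEXT_PROFILES:
            findings.append(f"{where} offered as {m['profile']} (plain RTP, sniffable)")
        elif m["profile"] not in SRTP_PROFILES:
            findings.append(f"{where} unknown profile {m['profile']}")
        elif not (sdes or dtls):
            findings.append(f"{where} offered as {m['profile']} without a=crypto or a=fingerprint")
        elif sdes and transport not in ENCRYPTED_SIGNALING:
            # SDES carries the SRTP master key inside the SDP; over UDP or TCP
            # signaling whoever sniffs the INVITE can decrypt the call.
            findings.append(f"{where} SDES key sent over {transport} signaling (key exposed)")
    return findings


# Constructed samples: a plaintext offer and an SRTP (SDES) offer over TLS signaling.
PLAIN_INVITE = """INVITE sip:2001@10.0.0.20 SIP/2.0
Via: SIP/2.0/UDP 10.0.0.11:5060
Content-Type: application/sdp

v=0
o=- 1 1 IN IP4 10.0.0.11
s=-
c=IN IP4 10.0.0.11
t=0 0
m=audio 49170 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
"""

SRTP_INVITE = """INVITE sip:2001@10.0.0.20 SIP/2.0
Via: SIP/2.0/TLS 10.0.0.11:5061
Content-Type: application/sdp

v=0
o=- 1 1 IN IP4 10.0.0.11
s=-
c=IN IP4 10.0.0.11
t=0 0
m=audio 49170 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz
m=video 0 RTP/AVP 96
"""

if __name__ == "__main__":
    for label, msg in (("plain", PLAIN_INVITE), ("srtp", SRTP_INVITE)):
        print(label, audit_offer(msg) or ["no findings"])
```

Feed it the INVITEs from a capture of the phone VLAN (or, as here, the single flat VLAN) and every call set up with RTP/AVP is a call that a sniffer on the same segment can reassemble; the last branch matters because moving to SRTP with SDES while leaving SIP on UDP only relocates the problem from the media to the key.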
Business Impacts
When a company looks to a professional service like penetration testing, it is looking
for results that reveal its security posture and give it the direction it needs to move forward.
The Sophos Naked Security blog reports, “By giving your pentesters a comprehensive overview of the
application and access to architecture diagrams, configuration and even source code, you can give
them a head-start and counter this asymmetry” (McKerchar, 2012). This helps align security around
business processes, as most of a company's processes run on its network infrastructure. The key
is to take the resulting report and use it as a road map to a more secure infrastructure. When a
company does not invest in this type of assessment, the integrity of its business processes is at
risk. The technology that helps a business compete is the same technology that can stop it. The
business case is what must be done to determine the effectiveness of the company's network
defenses so as to ensure the continuity of the business.
Cost Analysis
The cost of performing the penetration test and reporting is based on the size of the
company's assets and the depth to which the testing should go. Typically, costs start around
$2,500.00 and range upward to an average of $37,500.00 for most SMBs (Small and Medium
Businesses). This covers the testing and reporting; the remediation the company must then carry
out is an extra cost. A skilled pen tester averages $150.00 to $200.00 per hour. Enterprise-sized
companies can expect a higher range depending on size and on the difficulty of masking the
attack.
The client that agreed to the penetration test for this project is looking to have the
following tested: web application, network load resiliency, a workstation, and a domain
controller. The cost of such a test is reflected in the test plan and schedule in Appendix
entries C and F respectively. The cost will be $1,600.00, since the test covers one of each device
type and two services.
Risk Analysis
The risk in this process is that the normal outcome is failure. Improper targets, no risk
assessment, misinformed clients, no legal counsel sought before the engagement, and the selection
of the wrong pen-testing group all lead to failure. We know the risk of attack is high because we
live in a highly interconnected world. Some startling facts put in perspective why a penetration
test should be done the right way. An October 2012 report from Imperva stated that the following
attack types are on the rise as topics on hacker forums: 19% of discussion for DDoS and 19% for
SQL injection. Notably, the report observes that security professionals do not spend time on
hacker forums to learn the tools and techniques (Imperva, 2012). Verizon's 2012 Data Breach
Investigations Report, covering 2011 incidents, highlights the most significant threats and
their modes of entry: 98% of breaches stemmed from external agents, 58% of all data theft was
tied to activist groups, 94% of all compromised data involved servers, and 96% of attacks were
not highly difficult (Verizon, 2012). Therefore, when considering a penetration test, it is
paramount that you know your systems and what to test.
Statistics supporting the success and failure of penetration tests are hard to acquire
within the time available for this paper. A few inquiries went out to penetration-testing
companies; the feedback was minimal, but this is what it reported. A company called Netragard
produced a publication that reflects the objective of this paper. In it, Netragard highlights the
terminology and the differing perspectives that make objective penetration testing subjective to
the buyer. It is unfortunate that not all companies provide the best service, judging by the
terms of service they advertise alone. Before reaching that point, here is what Netragard had to
say about terminology. Penetration testing is just that: breaking through something to test an
exploit. “Since Penetration Tests are tests, they must determine the genuineness of the
vulnerabilities that they identify, hence the word “test”. In most, if not all cases this
determination is done through exploitation” (Netragard, 2012). If you are going to test
something, then do that. Clients buying a service often think that vulnerability scanning and
reporting is all that is necessary. This is incorrect.
Penetration tests have a statistical average of success and failure. While these rates may
not be easily discovered, a recent survey of professionals has been included in this project. In
their self-review, companies estimated an average of around 17% unsuccessful, meaning 83% of
what they do is delivered and accepted. The industry peer review put the unsuccessful rate 8%
higher, at a 25% average, with 75% success on assignments. This project has made it explicitly
clear that communicating with and educating the client about what the penetration test is
intended for helps move these ratios toward a more successful rate. During the survey, many of
these companies were given a chance to comment on the factors that help or inhibit a
penetration test.
The respondents stated the factors that, from field experience, help promote a successful
penetration test, presented here as key points. An effective test would be a white box test
where network diagrams and user accounts are made available. Respondents also noted that
automation can only take you so far and that creative manual testing will often provide points
of entry. Social engineering, while not utilized in this test, has been a big provider of
information among the general user population. Survey participants noted that even seasoned
security professionals on site would tip their hand to sensitive information, providing a way to
plant a rootkit or back door. The following freestanding statements provide interesting points
that support the project’s goal both technically and in communication. A respondent stated that
having a good communication plan, with agreed-upon limits for testing, is a good practice. Know
the effects of the tools before you use them, so that the observed result is the expected one.
It was also reported that a cooperative staff on the client side often yields better results,
testing exactly what the client needed. Clients that take security seriously and have policies
surrounding security receive reports with close to zero exploits.
The other side of effective penetration testing is when a test does not deliver what is
outlined in the test plan, or even fails to test at all. Survey respondents stated that pen
tests are treated like a witch-hunt: the client balks, and if anything is found they treat it as
their own failure. Terminology is a problem; the objective of the penetration test is often
miscommunicated, and terms like vulnerability assessment and pen testing are confused. Those
two terms are not the same. Running tools that you are not familiar with yields results adverse
to the test plan and, worse, adverse to the client’s devices. A hardened network infrastructure
is not a reason to call a penetration test a failure: while nothing may be exploited, the test
ran according to plan.
Detailed and Functional Requirements
Functional (end-user) Requirements
The company in this case is the end user that must provide documents and configurations
to the pen testing team in order to make the best use of time and resources. This gathering of
information must start in the operations manager’s office with the understanding that we need to
speak with all the asset owners in order to capture the assets and the way they are used.
Since the client has a small operation, the current office was just fine. Legal counsel must be
sought to represent the client’s best interest and the consequences. Good and bad can come
from penetration tests, and the liability has to be addressed and agreed upon by both sides.
Seeking a lawyer with a technical background dealing in penetration tests will be the best
choice. The laws passed that mandate compliance for publicly traded companies are stricter and
further reaching. The requirements that are to be tested need to match legal requirements.
During the test, there must be communication between the pen test team and the client to ensure
that no permanent damage occurs from testing. The client will have to draw a line as to what is
permissible and what is not. This paper strongly holds that communication during a penetration
test at a site is paramount in order to stay on plan and provide results without impacting the
client or damaging assets. While the penetration test in this project was simulated in a lab
rather than at the client’s site, the infrastructure was an exact copy. Good communication helps
the pen testers as well as the client requesting the test. A sample communication plan is
included for completeness of the project.
Detailed Requirements
The company will use the sheet provided in the appendix to track assets and the processes
associated with each device. Next, they will have to evaluate the severity of each process and
what the outcome would be should that service, and eventually the device, not be available. The
pen test team will take this information under review but also provide their own assessment
after the test. The evaluation will be included in the final report. All legal arrangements must
be made concurrently while both sides strive towards a plan and an agreement. This agreement
will need to be reviewed by both sides’ attorneys.
Existing Gaps
The current state of penetration testing relies on the penetration testers doing a perfect job
of informing the client of requirements and testing against those requirements. The gap lies in
information presentation versus information comprehension. As noted earlier, this can be test
types not fully understood. If the industry as a whole could close this gap, it would help the
client in many ways. There needs to be a link to common terms that both sides understand. The
client will also know that the test will only work if the information they provide for
objectives is clear and not vague. The next thing that will change is the way the industry is
viewed. There is a perception that security is an unneeded expense and that high-tech analysis
is really a luxury. Companies will eventually get the security services they need to get a
snapshot of their security posture and action items to remedy any variance from the goal. In
addition, the project will identify security standard certification steps that a company can
follow so that the expense and effort count twice.
Project Design
Scope
This project is going to include the presentation of terminology correctly used in this
field, a guideline of how a penetration test should be planned and executed, and the dynamics of
the process of doing a penetration test. The project should send a clear message of how to
proceed with a penetration test, for the client and for the professional organization providing
the service. The documentation provided will give the reader a better understanding of what it
takes to have an effective penetration test. The statistical analysis, testing, and survey
should clarify the inhibitors and enablers of effective penetration testing. What will the
project include and exclude?
Assumptions
The following are assumptions that have been seen or demonstrated in the industry:
contradicting views on terminology, insufficient definition of assets and targets, poor
execution of penetration tests, little or no legal counsel and agreements prior to commencing,
and the best talent used incorrectly.
Project Phases
There are various phases over the course of a penetration test that need to be executed
the right way from the start. The phases of this project encompass these but also include
others. The phases are as follows: problem statement, preliminary research for a solution,
in-depth research, meeting and planning with the client with signed written approval, performing
the assessment, and providing the report. This can be bulleted as follows:
• Phase 1 – Problem Statement (reason for the research)
• Phase 2 – Preliminary Research (supporting the problem)
• Phase 3 – In-depth Research (survey of pen-testers)
• Phase 4 – Meeting and Planning
• Phase 5 – Assessment (actual penetration test)
• Phase 6 – Reporting
In phase one we have the project and its problem statement and what we are going to
prove. Industry knowledge, recent articles, and education will present the problem and how it
can be fixed by following the right process. When phase two starts, the problem will be
confirmed by preliminary research from recent reports as to the effectiveness of penetration
tests to date. Most will be industry knowledge and a few supporting reports and publications
from penetration testing companies. The third phase is where the project gets real-time
information from professionals in the field and incorporates it into the project with survey
results. These results will confirm phases one and two and provide conditions to be advised of
that can help or inhibit the penetration test in phases four through six.
Just like going through a security audit, we must identify the assets that need to be
tested and their owners. This is important because we have to know how they are used every day
and which services are really going to need testing. This is where most companies make
mistakes, handing the keys to the place to the pen testing group and saying please test these
devices, but for what? The pen test team will want to review with the CIO what daily operations
are like and what services are being used over the internal and external facing network. This
interview will help the pen test team ask the right questions and steer the company down the
right road for their testing requirements. In addition, it helps gauge what level of testing and
time will be required and charge the right fee. Shortly after the meeting, the company will be
engaged in inventorying their production assets and the services on them as they are being
used.
The next step, phase four, is where the pen test team takes the information from the
client and builds a test plan. This test plan will cover what the client wants to test for and
how the team is going to do the test. A good penetration test team will have a communication
plan stating when they are executing certain attacks and what the outcome should be. The IT
Manager or Director should be the only person besides the executive officers who knows a test is
in progress. This liaison between the company and the pen test team will alert the lead pen
tester if anything adverse is happening that inhibits daily operations, if that is what is
agreed. It may not be agreed to stop an attack; the agreement may be to let things break and
test how well the company IT personnel respond. The test plan will be submitted in person with
the legal written contract for the client to review. In the contract are the details about the
impact of the test and the fact that the pen test team will not be prosecuted for conducting
what would otherwise be illegal activity inside or from outside the company. The contract needs
to be signed by the CEO or CIO of the company as written approval to do a penetration test,
because of the potentially damaging impact it can have on assets. Both sides’ legal resources
must review the legal obligations prior to signing the contract. There may be some tests that
the client is not so accommodating on and will not want to take place. The agreement is going to
be as comprehensive as the test plan. In fact, the test plan is what will be signed as the two
sides go over every test.
The fifth phase of this project is the actual penetration test itself. When the
company chooses the time, the pen test team will insert themselves in the ether and begin their
assessment. If the pen test team gets the cooperation of the company to do a white box test,
then it will go faster and less cost will be incurred. If the company has chosen to have the pen
test team do a black box test, then the cost will be substantially higher. This phase of the
project is where the dynamics are in play. The ethical hackers are in the ether, scanning and
footprinting the entire architecture to make sure it matches any documentation provided. The
hackers are working according to the test plan and will be executing vulnerability assessments
and then exploiting what they have found. Appendix C details the test plan as to what networks
and machines are being targeted with what attack and what the result should be if exploited.
The client may very well provide a list of items already scanned and identified as weak and
would like to know what to expect if a service or device is taken down.
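The footprinting checkpoint described above, written as a scope check (an added example, not code from the paper or the engagement it describes): the client's white-box inventory, in the spirit of Appendix A, is compared with what the scan actually found, and anything outside the signed test plan is held for the liaison instead of being tested. The addresses, hostnames, owners and the Nmap greppable output are constructed sample data.

```python
"""Reconcile a documented white-box inventory against footprinting results.

Added example, not code from the original paper. The inventory dictionary
and the Nmap greppable (-oG) output are constructed sample data; the
addresses, hostnames and owners are hypothetical.
"""
import re
from dataclasses import dataclass, field

# Constructed inventory in the spirit of Appendix A: each agreed target has
# an owner and the services the signed test plan allows the team to test.
INVENTORY = {
    "192.168.10.5":  {"name": "srv01", "owner": "ops-manager", "services": {80, 445, 3389}},
    "192.168.10.21": {"name": "ws01",  "owner": "accounting",  "services": {445}},
    "192.168.10.22": {"name": "ws02",  "owner": "accounting",  "services": {445}},
}

# Constructed Nmap -oG output. Nmap emits one "Host:" line per host with
# tab-separated columns; the "Ports:" column lists port/state/proto//service///.
SCAN_OUTPUT = """\
# Nmap 6.25 scan initiated as: nmap -sS -p 1-1024,3389 -oG - 192.168.10.0/24
Host: 192.168.10.5 (srv01)\tStatus: Up
Host: 192.168.10.5 (srv01)\tPorts: 80/open/tcp//http///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 5060/open/tcp//sip///\tIgnored State: closed (1021)
Host: 192.168.10.21 (ws01)\tStatus: Up
Host: 192.168.10.21 (ws01)\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (1024)
Host: 192.168.10.40 ()\tStatus: Up
Host: 192.168.10.40 ()\tPorts: 5060/open/tcp//sip///\tIgnored State: closed (1024)
# Nmap done -- 256 IP addresses (3 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_greppable(text):
    """Map each live host in Nmap -oG output to its set of open ports."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                      # comment lines and blanks
        ports = hosts.setdefault(m.group(1), set())
        for column in line.split("\t"):
            if not column.startswith("Ports:"):
                continue
            for entry in column[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) >= 3 and parts[1] == "open":
                    ports.add(int(parts[0]))
    return hosts


@dataclass
class Reconciliation:
    undocumented_hosts: set = field(default_factory=set)     # live, not in the signed inventory
    missing_hosts: set = field(default_factory=set)          # documented, not seen by the scan
    unexpected_services: dict = field(default_factory=dict)  # ip -> ports outside the agreed set

    def matches_plan(self):
        """True only when the footprint agrees with the documentation exactly."""
        return not (self.undocumented_hosts or self.missing_hosts
                    or self.unexpected_services)


def reconcile(inventory, scanned):
    """Compare the documented targets with the footprinted network."""
    documented, live = set(inventory), set(scanned)
    rec = Reconciliation(undocumented_hosts=live - documented,
                         missing_hosts=documented - live)
    for ip in documented & live:
        extra = scanned[ip] - inventory[ip]["services"]
        if extra:
            rec.unexpected_services[ip] = extra
    return rec


def authorized_targets(inventory, scanned):
    """Hosts and services the team may proceed against: documented, live, owned.

    Anything else goes back to the liaison; an undocumented host is not in
    the signed plan, and a service nobody agreed to is not a target.
    """
    return {ip: scanned[ip] & inventory[ip]["services"]
            for ip in set(inventory) & set(scanned)
            if inventory[ip].get("owner")}


def liaison_report(rec):
    """Lines for the communication-plan check with the client liaison."""
    lines = []
    for ip in sorted(rec.undocumented_hosts):
        lines.append(f"HOLD {ip}: live host not in the signed inventory; confirm scope")
    for ip in sorted(rec.missing_hosts):
        lines.append(f"HOLD {ip}: documented host not reachable; confirm it is up")
    for ip, ports in sorted(rec.unexpected_services.items()):
        lines.append(f"HOLD {ip}: open ports {sorted(ports)} not in the test plan")
    if not lines:
        lines.append("OK: footprint matches the documented architecture; proceed")
    return lines


if __name__ == "__main__":
    scan = parse_greppable(SCAN_OUTPUT)
    for line in liaison_report(reconcile(INVENTORY, scan)):
        print(line)
```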
The last phase, number six, is the reporting portion of the project. What will be proven
here is whether the penetration testing team listened to the client and executed. The report
should contain the test plan objectives with a detailed explanation of how each test resulted.
Next, there should be suggestions in the report that will help the client remediate any
vulnerability exploited during the test.
Timelines
Each step in the process must be completed in a relatively short and agreed-upon time. The
nature of the testing and the urgency of reporting are vital to both the client and the pen test
team. Phase one has already begun and will take about 14 days to complete. Phase two was
kicked off about a week after phase one in order to provide facts for the argument to be proven
by the candidate. After about a week of statistical research, phase three was started. Phase
three will be the longest, as it is very difficult to get people to participate. However, these
are real-life statistics that come from the field. The candidate will have to perform a
theoretical test based on a local client to apply this theory about an effective penetration
test. The interview and review of documentation will provide a sampling of data that will be
measured against the effectiveness of testing best practices.
Dependencies
Phases four through six cannot be completed until phase three is done. Notably, phases
four through six cannot be completed until a client is secured; even if the test is theoretical,
it will be based on a real client network. The interview with the client must occur before the
scheduled phase five in order to complete the project. Once the requirements are outlined and
understood, the rest of the project will proceed as scheduled.
Resource Requirements
The hardware requirements are for the test to take place on a network with routers,
switches, and servers. The labor required for this will be at least one tester with no maximum,
but two or three will expedite the testing far more than one. This agreement will require an
additional resource, an attorney who reviews the legal document that authorizes and binds the
two parties to operate professionally with the client’s interest as a focal point. The company
providing the service will provide the names of the team members that will be coming onsite or
working offsite to perform the test. They will have to comply with company policy that all
participants be US citizens and have a clean criminal record, or one that has been made right,
supported by documented testimony of character and the signature of the individual recommending
them for this service. The pen-test team will keep communicating so that the testing remains
on schedule and adheres to the test plan.
Risk Factors
There is a possibility that outside forces can affect the testing. If the day of the
penetration test becomes known to more than just the Operations Manager or President, it can
have adverse effects, as administrators and asset owners will harden their devices, or maybe
even shut them off or act out of the normal sequence to throw the test. This type of testing is
very imposing and intrusive, not just because of the type of test but also because of what it
means. The test is a measure of a company’s applied security practice. People can influence
the test just as people can influence an experiment, by tampering with the subject matter or
communicating what is happening so that responses are not authentic. This will taint the test.
Some conditions can exist that intrude upon the test, making it difficult to execute. The
penetration tester can have an off day or fail to push a test as far as they can. Time
constraints and other operational issues may inhibit a test from moving according to plan.
Important Milestones
One of the most significant milestones this project can have is the meeting with the client.
This is by far one of the most rewarding experiences, where the penetration testing team can
help a client determine the level of security of their infrastructure. Educating the client as to
the terminology and risks facing their company will prepare them for the test and the real
world. Moreover, removing any barriers and resistance to investing in security will be done at
this point by demonstrating a return on investment. The second milestone, and the most
anticipated, is the actual test. The test will have a schedule to adhere to, but that does not
mean the testers will not have the option to perform certain exploits outside of the script. You
can only speculate what you will be doing at the planning stage of the test; the rest will be
figured out when on site. Unplanned environmental changes occur, and the team may have to come
up with another entry into the system, or possibly even stop an attack if it exceeds the
threshold mutually agreed upon by the client and the testers. The last milestone will be the
report. When all the testing activity has subsided and the network is in a normal state, then a
report will be made. Here is where a learning opportunity presents itself to the client. The
results will show where they are weak, and a remediation plan will show how they can counter
their vulnerabilities.
Deliverables
The deliverables will be a well-designed approach to the project, a meeting and signing of
the contract agreement and test plan, a list of considerations for the legal implications, an
action plan (pen tester’s schedule), a communication plan, and a test results and
countermeasures report. Most of what will be provided is working documents and results. The
tools required to achieve this will be Backtrack5 RC3, Nessus, Armitage, Nmap, and Microsoft
Baseline Security Analyzer (MBSA). The way in which they are used will be in the report.
Methodology
The methodology implemented in this project is a theme based on the fundamentals of
reading, understanding, and executing. When the penetration testers engage the client, they want
to educate the client and establish a shared understanding of the terminology. Once this is
accomplished, the dialogue that takes place will be natural, as the exchange of questions and
answers helps move the client along to getting their test objectives correctly set. As the
client moves through each phase in this project, the penetration testers will manage the client
to ensure that, once they understand what needs to be done, they begin providing the
documentation of assets for a speedy and thorough test. This is another checkpoint of the
fundamentals, to review who we are, why we are here, and what exactly is going to be tested. The
methodology of planning, doing, checking, and acting is a common theme among security standards.
This is fundamental to validating the details to make sure assets and supporting processes are
really going to have an impact. Pivot Point Security brings up the fact that a well scoped
penetration test requires a lot of effort, and more so for a full security audit (Pivot Point
Security, 2012). So the first phase will be addressed by planning and the communication required
to achieve the next phase.
The second phase is the research, and here we relied on industry knowledge and
awareness along with some sources. This is where we look at the problem at a high level. The
issue of being effective exists here, and we now have to look at what we are going to do about
it. Additional sources have been provided to show just how stark reality is when nothing is done
about security. Phases one and two are closely related, but phase three is where the
methodology changes from traditional research to real-time investigative queries. The response
to the survey that will shed some real-time light on the issue is slow going.
Phase four takes on a new dimension in the project as research and planning become
applied directly in the project. A real-life penetration test will begin and the client is going
to benefit from it. The dynamics of business, technology, and economics come into play as the
client reaches for security and the penetration tester extends to deliver a business solution.
The resulting economic exchange benefits both parties, as the payment is an investment in the
longevity of the company. As we progress through the phases, the real-time interaction goes up
and the amount of research decreases. In the last phase, the reporting does go back into a
research mode as the penetration team provides reasons for the holes and the best
countermeasures to close them.
The strategy being used here is the fundamental approach to an effective penetration
testing initiative. The other methods cannot produce results because those methods miss the
mark. They miss the targets of educating the client and providing the objectives and test plan
rationale. The artifacts from going through this process, like the legal framework and the
documentation created, can be applied to ISO 27001/2 certification and accreditation, FISMA,
and HIPAA compliance.
Approach Explanation
The approach to solving the problem is to carefully identify the problem and understand
why it is not working. The past has shown that a combined 20% failure rate is not exemplary. In
order to identify what is going on, you have to slow down and identify the pieces that interact
to bring the results you are looking for. The way this project is scheduled is to do just that.
Theoretically, one could just run through the activities and try to do a better job than the
first time through the penetration test. That approach is doomed to fail, since there is no
change in activity except a more careful second approach to the same environment. The issues
are still present and no one has learned the difference or the importance of taking the time to
identify underlying issues. Questions are raised as to whether it was process, documentation,
communication, or even the testing skill set. Repeating something over and over and expecting
different results is akin to insanity.
Changing the approaches in other phases can significantly change the outcome of the
project. At any phase, giving no time to providing the details of devices and services to test,
the test plan and agreement, or the actual assessment can lead to missed targets. The
assessment phase could rely on automation and not get the right results. The assessment phase
could concentrate too much on manual testing and miss the delivery date. The focus can change
during the assessment based on real-time results, tunnel vision of testers, and client
intervention. Therefore, it is vitally important that the test plan is followed and communicated
to the penetration test team in real time. This depends on the size of the client and the scope
of the test. Any changes that do occur have to be evaluated by the lead on the project based on
knowledge and experience. Changes in approach for phase six, where the report is delivered, can
have negative effects. If the report is delivered by email, there is a chance that it is
intercepted. If the report provides little to no remediation tips and countermeasures, then the
reason for the test is lost. How the report is generated can also be a factor in its
effectiveness. If only automation is used and reported, that is failure. If some automation is
used and some manual testing is used but not included in the report, that is failure. There
needs to be a time of learning in order to promote security. Defining how the attack was done
is the reason for the hired service.
Approach Defense
It is evident from the preceding paragraphs that the approach must be well thought out
and followed to be effective. This project has outlined the timeline and steps required to be
effective. The approach represented by this project is very scalable depending on the
availability of resources. In each phase, there is documentation of the meetings and objectives
to get the security posture defined at the end of the project. Each phase requires that both
sides understand their objectives and the mutually agreed-upon goal. As each phase comes and
goes, there is a check and balance, as the next phase is not possible until the previous phase
is done. This check will be a call or email between the provider and the client as to when to
proceed to the next step. This is especially true for phases four through six. Phases one
through three can be done out of order, but the results of each naturally empower the next phase
to begin. The justification for approaching the project in this manner is to educate the client
and the penetration tester in best practices for penetration testing.
A post-process benefit of this project is that the company, private or public, stands to
gain a significant advantage in reaching a security certification and accreditation by
continuing their security audit in an elected framework. Each phase from four to six will allow
the client to benefit from the project. Assets and the processes associated with them are going
to be defined for risk and impact. It would be wise for the company to quantify the assets and
the associated risk if something were to happen. This work should be done after the first
meeting, with an agreement to pursue. This technical and business assessment aligns the
technical process with business objectives, which falls under corporate governance.
Project Development
Hardware
The hardware used for the test will be the penetration tester’s laptop and a server for the
virtualized environment. The hardware used at the test site will be the items listed in
Appendix A for servers and network devices, as executed in the test plan as time permits.
Software
There will not be any software developed for this testing. There may be some
customized scripts, but no software will be developed for testing at the client location. The
penetration testing software that will be used is Backtrack, with several software pieces
contained therein. These particular pieces will be mentioned in the test plan; here are a few:
Ettercap, Metasploit, Nessus, and Nmap.
Tech Stack
The layers of service that will be tested against are those of the OSI model, as well as some
applications, again per the test plan in Appendix C. Most of the testing will target layers
two through four and occasionally layer five.
Architecture Details
When the architecture is known, for a white box test, the client will provide the following
information; it is referenced here but the details are in Appendix A. The network is a flat
network with one (1) server and ten (10) workstations. The penetration test only used one (1)
workstation and one (1) server. There are VoIP phones, but they were not tested due to time
constraints.
Resources Used
The test will require just one penetration tester and their laptop, due to the size of the
client and the project timeline. The client’s hardware will be the test subject and is listed in
Appendix A. No other resources are required.
Final Output
The output of this testing is a security posture assessment for the client so that future
action can be taken to remediate the vulnerabilities. The tangible result will be the report that
follows the test plan. This test plan covers the objectives that need to be tested per client
request. The results will include the objective, the exploit used, the report, and the steps to
remediate the vulnerability. The intangible will be the knowledge the client gains from having
the test performed, as well as a roadmap to better security. In addition, the client will have
the ability to start the task of becoming compliant with an industry security certification.
This can be either ISO 27001/2 for private companies or FISMA compliance by following the NIST
SP 800-53 Rev. 3 publication for the public sector.
The initial meeting with the client showed the client just how susceptible the equipment
and applications on site are. Once the client realized the potential for loss, they were
convinced the penetration service was needed. The subsequent meeting was an interview that
detailed the business process flow from the beginning of profit-making activities. These
activities are seen in Appendix B, Critical Services, and Appendix D, Audited Processes. The
inventory was also taken and recorded, noting that an outsourced IT company was taking care of
the run and maintain aspects. After the meeting, the penetration testing team went back to the
office to outline a test plan and a contract agreement, shown in Appendix G. The client did not
have a technical lawyer to understand the effects the test would have, but was knowledgeable
enough to know the impact if business processes were damaged beyond resumption. Most important
to know is that the data and services required by the business must stay functional even after
the test. Notably, any client information or financial data of the client’s customers must also
remain confidential and retain its integrity. The laws requiring that client information remain
private are extensive. None of the more popular federal laws applies to this private client;
however, the law is the same. The penetration team then submitted the test plan and the
contract agreement to the client for written permission to test their network.
Quality Assurance
Quality Assurance Approach
The quality management approach to this test is to communicate and plan, and then check
often at each phase whether the project is staying on course with its design. If at any step the
communication and understanding of what needs to be done or explained starts moving off
target, then the lead penetration tester will assert themselves to regain control and proceed as
planned. The accountability between the two parties will remain in effect as part of the
deliverables from the test plan. Both parties will sign the test plan after it has been reviewed
by legal counsel. The terms and conditions will be set to protect each other while driving the
process forward.
Solution Testing
The solution chosen for this project is the one explicitly described in ISO 27001/2, in which assets, processes, and their associated impacts must be defined. That practice has been emulated in the penetration test process here and gives the client a methodology to move forward with. The methodology is the plan, do, check, act cycle described in the ISO 27001/2 standard and, with different steps, in the Risk Management Framework.
Most ineffective penetration testing is the result of poor planning and poor communication of the client's needs and of the solutions offered by the penetration testing team. There is research showing that security testing does not always deliver what was purchased, meaning that what you bought is not what you get; some of that research is cited herein. The solution is tested by carrying out a real penetration test and documenting it here.
Implementation Plan
Strategy for the Implementation
The strategy for this project is plan, do, check, act in its simplest form. What we have seen in other approaches is to throw resources at the problem and produce a manufactured report that does not explain why exploits succeed or how they affect the client's business processes. The phased rollout described below sets out in detail how the project is to run.
Is the test only for insecure configurations, port usage, or patch level? Will testing be conducted in isolation, or with the devices used together with the other technology that delivers a service? Will application source code be available for vulnerability review? Can scripts be written to validate the findings? Questions like these must be asked in order to define the scope of the test. The asset owners are therefore to list the devices providing services that, if not protected, could stop the company from making a profit. This list is the input to the execution phase.
Phases of the Rollout
The test will be rolled out in the following sequence. First, there must be a meeting between the penetration test group and the potential client, at which the client hears the explanation of terms and services and decides which of them they will accept in an agreement. Between the presentation of services and the signing of the agreement, the company needs to seek legal counsel: specifically, advice from an attorney who understands technology testing, where intellectual property, assets, and risks operate in the same arena. The lawyer must be familiar with 18 U.S.C. §§ 1029 and 1030 (access device fraud and the Computer Fraud and Abuse Act), PCI DSS (a contractual industry standard rather than a law, but one with the same practical force for cardholder data), Sarbanes-Oxley, and other laws on privacy and disclosure.
The company will coordinate with the lawyer to make sure that the vendor it chooses operates under a signed agreement.
The next step is to give the client instructions for preparing documentation of what is to be tested. To conduct a penetration test correctly the client must define and organize its assets: know what is owned and know what needs to be tested. This may mean assigning an owner to each asset analyzed. A few tools can help with the risk assessment; the client should pick one that measures risk in software such as operating systems and one that covers networks. One such tool is referenced in Appendix B. This must be completed before the penetration team begins testing. It is entirely the client's responsibility, before any testing of the infrastructure, to put in place a communication tree between the CIO and the outsourced vendor, so that if something does affect the production network someone can stop it or inform the staff that the disruption is expected that day.
The next thing the client needs to do is calculate the risk. Most often the quantitative assessment comes first and the qualitative assessment second. Here the two assessments are presented through two formulas, the first being Risk = Vulnerability × Attacks × Threat × Exposure (Snedaker, 2007). This does produce a dollar amount, but the attack and exposure terms involve some subjective evaluation, so a qualitative weighting inside a quantitative formula makes it something of a hybrid. Unless the client benchmarks against proven studies to extrapolate its numbers, there will be some subjective input. The latter formula may be qualitative, because the frequency term will be subjective in the first year; in subsequent years risk can more easily be defined quantitatively, since a historical record will support the estimates.
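The following is an added example, not part of the capstone or the author's tooling, that carries both views of risk described above through one list of services: the qualitative likelihood × impact grid of the kind shown in Appendix E, and a quantitative annualized dollar loss computed from an incident history, which is the "historic record" the paragraph says makes frequency objective after the first year. The single-loss-expectancy × annual-rate form used for the dollar figure is the standard quantitative expression, not the Snedaker formula quoted above. The service names come from Appendix B; the dollar values, exposure factors, incident dates, grid orientation and likelihood thresholds are constructed assumptions for illustration.

```python
"""Rank the client's critical services by risk (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date

# Qualitative grid. Assumption: rows are likelihood (Low, Medium, High) and
# columns are impact (Low, Medium, High); the cells reproduce Appendix E.
QUAL_MATRIX = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "Critical"},
}
LEVEL_ORDER = ("Low", "Medium", "High", "Critical")


@dataclass(frozen=True)
class Service:
    name: str               # as listed in the critical-services table
    impact: str             # severity column: Low / Medium / High
    asset_value: float      # dollars at stake in one event (constructed)
    exposure_factor: float  # fraction of that value lost per event, 0..1 (constructed)


def annual_rate(incident_dates, years_observed):
    """Annualized rate of occurrence from a historical record."""
    if years_observed <= 0:
        raise ValueError("years_observed must be positive")
    return len(incident_dates) / years_observed


def likelihood_level(aro):
    """Bucket an annual rate into the grid's likelihood rows. Thresholds are an
    assumption: at least once a year is High, at least once in five years Medium."""
    if aro >= 1.0:
        return "High"
    if aro >= 0.2:
        return "Medium"
    return "Low"


def qualitative_risk(likelihood, impact):
    return QUAL_MATRIX[likelihood][impact]


def annualized_loss(service, aro):
    """Single loss expectancy (value x exposure factor) times annual rate."""
    return service.asset_value * service.exposure_factor * aro


def rank_services(services, history, years_observed):
    """One row per service, highest annualized loss first; ties fall back to the
    qualitative level so a zero-history service never outranks a known problem."""
    rows = []
    for svc in services:
        aro = annual_rate(history.get(svc.name, []), years_observed)
        likelihood = likelihood_level(aro)
        rows.append({
            "service": svc.name,
            "aro": round(aro, 2),
            "likelihood": likelihood,
            "qualitative": qualitative_risk(likelihood, svc.impact),
            "ale": round(annualized_loss(svc, aro), 2),
        })
    rows.sort(key=lambda r: (-r["ale"], -LEVEL_ORDER.index(r["qualitative"]), r["service"]))
    return rows


# Constructed sample input: three services from Appendix B with made-up values.
SERVICES = [
    Service("Ticket Batch Upload", "High", 250_000.0, 0.40),
    Service("Project Bidding", "Medium", 120_000.0, 0.25),
    Service("Invoices Printed and Sent", "Low", 30_000.0, 0.50),
]
HISTORY = {  # constructed incident log covering a two-year observation window
    "Ticket Batch Upload": [date(2011, 3, 2), date(2012, 8, 14), date(2012, 11, 30)],
    "Project Bidding": [date(2012, 5, 1)],
}


def sample_ranking():
    return rank_services(SERVICES, HISTORY, years_observed=2.0)


if __name__ == "__main__":
    for row in sample_ranking():
        print(f"{row['service']:<28} ARO={row['aro']:<5} {row['likelihood']:<7} "
              f"{row['qualitative']:<9} ALE=${row['ale']:,.2f}")
```

In a first-year engagement the history dictionary is empty or guessed, which is exactly the subjective frequency the paragraph warns about; the thresholds and exposure factors should be replaced with figures the client can defend before the ranking is used to decide where to spend.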
Finally, when the penetration team arrives on site, or at the location agreed for the coordinated effort, the first task is for the leader to go over the test plan. Each penetration tester has their own skill level and strengths and will be assigned the activity that is their strong suit. This completes phase one of the assessment. In phase five the penetration testers actively engage their targets while keeping the lead informed of successes, failures, and peculiar findings along the way. These real-time results are recorded, and resources may be reallocated to different focuses as time and the test warrant.
Phase six ends the agreement: the test results and countermeasures are supplied in a hand-delivered report, which helps ensure that no information about the client's test results leaks.
Details of the Go-Live
The project is fully implemented when the penetration test is complete and the results are delivered. If no company can be engaged for a real test, a theoretical test modeled on a real company will be conducted instead.
Dependencies
Dependencies are the items that must be completed before proceeding to the next phase. This project outlines at least three phases that should be completed before the penetration test begins in phase four. The documentation is critical and must be completed, or the entire result of the project is in jeopardy; the documentation created and the processes driving this project are what make the penetration test more effective.
Deliverables
The deliverables will be both tangible and intangible because of the technology used. The first realization of achievement is the report that follows the penetration test; it is the product derived from the process exclusively for the client's gain, and there is no higher achievement. Notably, the process itself yields both tangible and intangible deliverables: the process for listing and quantifying assets and their associated risks, an intangible foundation for other security standards, and the tangible asset sheet with the numerical values assessed in determining the risks. These three deliverables are the essential part of this project. As for the effective penetration test itself, that is the deliverable both the client and the penetration team benefit from: both parties can walk away knowing that they set out to do something and did exactly that.
Training Plan for Users
This project does not provide formal training; however, the terminology that will be taught to the client in order to achieve success can be considered training.
Risk Assessment
Quantitative and Qualitative Risks
Cost is the number one driving factor around security if you look at it from the results. Costs are incurred if no security measures are taken; costs are required to assure a given level of security; and cost is the number debated between departments when deciding where to spend money. With this in mind, the quantitative and qualitative risks are defined below.
Qualitative risks associated with security were touched on in the preceding paragraph, and they set the scene for the discussion here and for the quantitative risks in the next paragraph. How well do you know your network infrastructure? This question is the subject of the project, evaluated in terms relative to the risk of missing business opportunities. The risk of not defending the network perimeter can be devastating. First, the client may no longer have confidential and available resources. Downstream network devices may not be able to provide services as they used to if software is being attacked or malware has inserted itself into the network. A numerical value can be attached to this, but for this case we are looking at the client's inability to remain productive and generate profit for the shareholders or stakeholders in the well-being of the organization. What is at stake? Jobs, income, reputation, and liability, to name a few. This impact on operations from not having a penetration test is evidenced by the likelihood, or frequency, with which an event will take place, and it can be matched to costs and made quantitative later. Most often it is represented as a chart with frequency on the X axis and impact on the Y axis, with the events listed across the top. The project is to safeguard against the possibility that the event will take place.
Quantitatively speaking, the cost is found by applying a cost to particular events or assets and to their frequency. This part of the project may or may not be completed by the client, but it should be in order to progress toward a security standard certification. The first cost to review is reputation. This cost is priceless and should be protected at whatever cost is required; once reputation is lost to a breach there may be no recovery, depending on the type of breach and the trade. There are other costs of not doing the penetration test for a hosted web application tied to an internal database: if an attacker can find a way in through SQL injection or a stack-based buffer overflow, information or access may be handed over that helps the attacker get further in. Quantitatively, the cost of a downed website is proportional to the sales generated on any given day, if nothing further results from the event.
Cost/Benefit Analysis
Below are a few cost/benefit observations for conditions that exist if no action is taken.
• If no penetration test occurs, then the cost of an intrusion and leaked data can be exceedingly high. A single lost laptop has been reported to cost $89,000.00; imagine what a break-in totaling millions of dollars would mean. Symantec reports that the average corporate breach cost $5.5 million (Symantec, 2012). Most of these breaches are Trojans, worms, and viruses, not the intrusion by hackers through the network front door that the public imagines. Most networks now have reasonably good firewalls, so a direct intrusion through the firewall is the less common path.
• If the penetration test proceeds without proper tracking and yields results that were not requested or are incorrect, the cost can be high, including the cost of the test itself. Some exploits will get past the penetration testers, even for a company seeking a thorough assessment. No penetration test can find everything in the time available, but it does give a snapshot in time of the security posture in a few key areas. There will be no cost overrun, as this activity is budgeted and, if effective, should provide a return on investment.
Notably, the client chosen for this project is in the petroleum refining industry, and when the Symantec-sponsored risk calculator was used to estimate the client's risk, the results were fitting. According to the calculator, this client stood to lose approximately $98,000.00 for each data breach event. Considering that the client is not very large and does not have a large attack surface, this result is plausible, as shown in Appendix I.
Risk Mitigation
Identifying risk is important in order to protect the business from adverse effects on a device, business process, or objective. Risk is the opportunity that exists for something to go wrong based on design, configuration, or use; in scope it covers devices, processes, threats, and the frequency or likelihood that a negative event will occur. The risks the client identifies are the ones tested. Effective mitigation begins with identification and ends with resolution, and the most direct way to mitigate a risk is to find the vulnerability, patch it, and build a plan around it. The cost to avoid, defer, or prevent the risk is the secondary driver in selecting a mitigation; the primary driver is the benefit to the business process. If avoidance is chosen, some aspect of the business is given up, which can mean a loss of income in exchange for not facing the risk; the client must ask itself whether removing a line of business is worth avoiding the risk. If a business process with such a high impact cannot be removed, then the high cost of mitigating the threat will be incurred.
The risk that a zero-day or other vulnerability will occur in the client's core business application is high, so the response is preventive. Preventive action could be to have a custodian of that application present to patch and monitor it and the data it produces. There could also be a secondary server kept offline, patched, and ready to go, holding the relevant data in case the primary is compromised or destroyed. This is a warm-standby arrangement rather than a true hot site, which stays online and in sync, but it serves the same disaster-recovery purpose.
The alternative to having a standby server ready to launch should the primary go down is to outsource it to the cloud. The risk is still there, but the operational burden has been transferred to a cloud provider who manages it for you; accountability for the data stays with the client. The cloud provider faces the same risks the client would, so the question is what the cloud solution costs to use and maintain versus keeping the server in house.
Post Implementation Support and Issues
Post Implementation Support
When the penetration test is over and the results and remediation steps have been presented, the only thing left to do is to periodically retest the same systems. This is part of a continuous improvement plan and validates the countermeasures. All security standards repeat the same steps to review essential and non-essential systems and security practices, and this is the post-implementation support. The client can elect to have the same penetration test team review its assets so as not to have to build new relationships with other groups. This consistency helps the client's security posture remain poised and ready to adapt to new systems and environments.
The client will have an annual review of assets and processes, and the following penetration test will record the effectiveness of the implemented countermeasures. When the second penetration test is complete, the results and countermeasures from the first test will be reviewed against the second. The time between tests helps the penetration test team gauge how well the client's IT department is able to carry out the necessary changes. Any high-risk results will be brought before the executive office for review, and again a report with countermeasures will be provided to the client.
The forms required are the same as those listed in the appendix, as is the report. This annual review by penetration test will start to reveal a security trend, good or bad. No other external forms are required, but internally there may be guidelines and procedures created as a product of the first test.
Post Implementation Support Resources
Providing for the client's future security is a matter of both security and revenue generation for the pen testing company. Most important is that the client receives some support going forward. This effort is first evidenced in the report that follows the test: the countermeasures and best practices to safeguard and mitigate risks will outline some maintenance-type activities. The following guideline describes what should be done, when, and by whom.
Maintenance Plan
The short period after the penetration test will be the most active, as the client receives instructions from the pen testers to harden network devices, servers, and endpoint devices. This lockdown will be executed first according to the penetration test results and then according to industry best practices. Patching of the core business application will lead the changes, followed by the hardening of network and endpoint devices. That concludes the short-term plan.
The long-term plan builds the following into a series of rollouts as budget and time permit. The department will have security-hardened workstations running only the services necessary to do the job. The workstations will have integrity checks performed every hour on the MD5 hash values of files used by processes (MD5 is what the plan specifies; because MD5 collisions are practical, a SHA-2 digest is the stronger choice for the same check). If a process is started by anything other than the system account, or from a non-sanctioned program, an alert will go out and the process will be stopped and blocked from making changes to the system. This approximates the integrity controls of trusted-system criteria such as TCSEC (Trusted Computer System Evaluation Criteria), although it does not amount to TCSEC Division A verified protection, which requires formal verification of the design. All networks will be designed securely, with IDS and IPS in an enterprise-style monitoring and control system. Packets will be captured and analyzed by deep packet and application-layer inspection; this intensive inspection also records network traffic for forensic analysis. Users' email will be filtered by rules that accept content only from known senders and subject it to inspection and analysis. Each email is opened and executed on VMware-hosted systems that act as end users: these test virtual machines open the email as a normal user would and record which files and processes are created or modified. When the results show no detrimental impact on the system, the email is forwarded to the end user and the IT department. If there are adverse effects on the virtual machine, the system records the email, the processes, the files, and the changed state of the computer. This lowers the cost of maintaining the systems over time, since these threats are contained in VMware, and the security department learns what tools and methods are used to exploit users and systems for information.
Users requiring access to files on the network will have a second machine, not attached to the Internet, on which they access that information. Keeping the two systems separate adds a physical layer of protection: the more sensitive information has no path to the outside. This addresses any further vulnerability found in the core business application. Not only will these machines lack Internet access, they will also have no USB ports, CD/DVD-RW drives, or any other means to install or remove data. Thin clients will be used with Citrix XenApp and XenDesktop to deploy virtual desktops, which are maintained locally on a server whose security-hardened processes verify their integrity before use each day.
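The hourly file integrity check in the long-term plan above, as an added example that is not part of the capstone or the client's tooling. It records a baseline digest for every file under a directory and, on each later run, reports files that were modified, added, or removed since the baseline. The plan names MD5; the default here is SHA-256 because MD5 collisions are practical, but the algorithm is a parameter so the page's choice still works. The directory layout, file contents, and the tampering in demo() are constructed in a temporary directory so the block runs offline.

```python
"""Baseline-and-compare file integrity check (added example, constructed data)."""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algorithm="sha256", chunk_size=65536):
    """Digest a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Map each regular file (path relative to root, POSIX separators) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_digest(p, algorithm)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_integrity(root, baseline, algorithm="sha256"):
    """Compare the tree against a stored baseline. Any non-empty list is an alert."""
    current = build_baseline(root, algorithm)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo(algorithm="sha256"):
    """Constructed scenario: take a baseline, tamper with the tree, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ original binary")
        (root / "app.cfg").write_text("db=prod\n")
        baseline = build_baseline(root, algorithm)

        (root / "bin" / "app.exe").write_bytes(b"MZ trojaned binary")  # modified
        (root / "dropper.dll").write_bytes(b"unexpected")              # added
        (root / "app.cfg").unlink()                                    # removed
        return check_integrity(root, baseline, algorithm)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>8}: {paths}")
```

Two points matter when scheduling this hourly: the baseline must be stored somewhere the monitored host cannot rewrite (or be signed), since an attacker who can replace a binary can otherwise update its recorded hash too; and a digest comparison detects changed content but not a process launched from an unsanctioned location, so the process-origin alerting in the plan remains a separate control.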
Conclusion, Outcomes, and Reflection
Project Summary
This project started from the realization that not all penetration tests are done correctly. Many tools and easy-to-use frameworks exist to aid testing, but they should not be relied on to lead the test. Criteria that the client asks to have validated often go unmet, and incorrect results are then circulated. The project set out to determine how to achieve an effective penetration test. Statistics were presented showing that many tests are run incorrectly, with poor communication and poorly designed test plans, and the field survey showed the efficiency grades that companies performing these tests actually achieve. All of it indicates that more is needed to improve the service while educating the client. The project then covered the phases of what was to be done and their details. The product of the design and testing was an effective penetration test, showing that the core application and server are resilient to the most common attacks.
Deliverables
The deliverable the project is primarily responsible for is the set of results from the penetration test together with the countermeasures. All other documentation created facilitates the process and will benefit the client. Diagrams may be included in the report to expand on a result, but most of the report will be text output.
Outcomes
The results of this project have been well received by industry professionals and by the client receiving the service. Penetration testing is an intense and time-consuming process when there is a real commitment to it. The energy, intellect, and business relationships developed over the course of the project have heightened the sense of the need for security. Everything anticipated in the process was delivered except the actual test: a theoretical test based on a real company was conducted in its place. The results of the DoS and DDoS attacks were not what was expected, which taught the candidate that not everything goes as planned on either side of the test.
The client was very happy to receive the penetration test results showing how resilient their application stood against several attacks. The manufacturer of the core business application was also glad to hear that the results were good and that their product is resilient. The candidate is satisfied that the effort expended builds toward their profession and that the experience will sharpen their skills for the next opportunity.
Reflection
The candidate has learned a great deal about how to break into and stop a service legally in order to provide a security assessment for a client. The steps taken in the project were required in order to be effective, with checking after each phase and planning for the next. The time taken to meet with the client and convey a real understanding of how attackers work to take down businesses was rewarding, and the client genuinely appreciates the time taken to empower and defend their business against today's malicious technological minds.
References
Imperva. (2012). Hacker Intelligence Initiative, Monthly Trend Report #13. Retrieved from http://www.imperva.com/docs/HII_Monitoring_Hacker_Forums_2012.pdf
McKerchar, R. (2012). Practical IT: How to manage cost-effective penetration testing. Retrieved from http://nakedsecurity.sophos.com/2012/05/09/practical-it-how-to-manage-cost-effective-penetration-testing/
Netragard. (2012). How to choose the right vendor. Retrieved from http://www.netragard.com/how-to-avoid-failure-with-your-next-penetration-testvulnerability-assessment?utm_expid=26785886-2&utm_referrer=http%3A%2F%2Fwww.netragard.com%2F
Pivot Point Security. (2012). Stop wasting your money on penetration testing. Retrieved from http://pivotpointsecurity.com/downloads/18
Snedaker, S. (2007). The best damn IT security management book period. Retrieved from http://mmlviewer.books24x7.com/book/id_25442/viewer.asp?bookid=25442&chunkid=761233067
Symantec. (2012). 2011 annual study: U.S. cost of a data breach. Retrieved from http://www.slideshare.net/symantec/2011-annual-study-us-cost-of-a-data-breach-march-2012
Verizon. (2012). 2012 data breach investigations report. Retrieved from http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
Appendix A: Network Devices
Electronic Equipment          | Owner(s)      | Quantity | Tested
3com 5500 24-port switch      | Outsourced IT | 1        | No
Dell R710, Windows 2008 R2    | Outsourced IT | 1        | Yes
Dell workstations             | Outsourced IT | 10       | Yes
Cisco phones                  | Outsourced IT | 10       | No
Printers                      | Outsourced IT | 1        | No
Appendix B: Critical Services
Company services associated with devices that are critical for daily operation are mapped and listed below.
Name of Service | Severity | Associated Device(s) | Up/Down Stream Process | Process Owner
Project Bidding | Medium | Windows Server 2008 R2 / Workstations / LAN / Phones | Projects entered into Streetsmarts | Operations Manager
Project Entry | High | Windows Server 2008 R2 / Workstations / LAN | Projects entered into Streetsmarts / Streetsmarts auto calculation | Operations Manager
Ticket Info Entered | High | Windows Server 2008 R2 / Workstations / LAN | Streetsmarts auto calculation / Ticket Batch Upload | Scale Clerk
Ticket Batch Upload | High | Windows Server 2008 R2 / Workstations / LAN | Streetsmarts auto calculation / Costs accounted in Streetsmarts, invoice goes out | Scale Clerk
Invoices Printed and Sent | Low | Windows Server 2008 R2 / Workstations / LAN / Printer | Receives all payments / Enter payments | Accounts Receivable
A/R Enter Payments | Medium | Windows Server 2008 R2 / Workstations / LAN / Phone | Payments post to all accounts / Issue payments to vendors | Accounts Receivable
A/P Enter Payments | High | Windows Server 2008 R2 / Workstations / LAN / Phone | Prints checks and sends them / Payments post to all accounts and balances | Accounts Payable
Payments Post to All Accounts and Balances | Medium | Windows Server 2008 R2 / Workstations / LAN | Issues payments to vendors and employees / Enters payments | Accounts Payable
Prints Checks and Sends Them | Low | Windows Server 2008 R2 / Workstations / LAN / Printer | Enters payments / Prints checks and sends them | Accounts Payable
Payments Post to All Accounts and Balances | Medium | Windows Server 2008 R2 / Workstations / LAN | Prints checks and sends them | Accounts Payable
Windows IIS Service | Low | Windows Server 2008 R2 / Workstations / LAN | Streetsmarts / Time Tracker | Outsourced IT
Appendix C: Penetration Test Plan
This is the penetration test plan that was designed after receiving the list of critical devices and associated services. This test plan will be followed and not deviated from in the initial test. The client can request in writing, at any time after the initial test, that further testing be performed on a given result for deeper analysis. The test plan consists of the following items.
1. Target Devices and Services
   a. Have all identified targets of evaluation documented
   b. Obtain and review the prioritized list of services
2. Scan Operating Systems
   a. Use Microsoft Baseline Security Analyzer
   b. Use Nmap to discover devices and grab banners
   c. Use Nessus to discover vulnerabilities
3. Test Network Devices
   a. Use Nmap to discover devices and ports
   b. Discover services
   c. DoS/DDoS attack
4. Test Core Business Application
   a. Test the core business application against:
      i. Clear-text traffic capture
      ii. Man-in-the-middle
      iii. Spoofing
      iv. Armitage with Meterpreter
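Items 1 and 3 of the plan, documenting every target and then discovering devices and ports with Nmap, only pay off if the two are reconciled. The following is an added example, not the capstone's or the client's tooling, that parses Nmap's grepable output (-oG) and checks it against an inventory in the spirit of Appendix A, flagging hosts nobody inventoried, open ports nobody expected, expected services that did not answer, and inventoried hosts that were silent. The scan text, the IP addresses (from the 192.0.2.0/24 documentation range), and the expected-port lists are constructed assumptions, not the client's data.

```python
"""Reconcile Nmap grepable output with an asset inventory (added example, constructed data)."""
import re

# Constructed output of: nmap -sV -oG scan.gnmap 192.0.2.0/28
SAMPLE_GNMAP = """\
# Nmap 6.25 scan initiated as: nmap -sV -oG scan.gnmap 192.0.2.0/28
Host: 192.0.2.10 (srv01)\tStatus: Up
Host: 192.0.2.10 (srv01)\tPorts: 80/open/tcp//http//Microsoft IIS httpd 7.5/, 445/open/tcp//microsoft-ds//Microsoft Windows Server 2008 R2 microsoft-ds/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Service/\tIgnored State: closed (997)
Host: 192.0.2.11 (ws01)\tStatus: Up
Host: 192.0.2.11 (ws01)\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
Host: 192.0.2.12 (sw01)\tStatus: Up
Host: 192.0.2.12 (sw01)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.0.2.99 ()\tStatus: Up
Host: 192.0.2.99 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.9p1/\tIgnored State: closed (999)
"""

# Inventory in the spirit of Appendix A: ip -> device and the (port, proto)
# pairs its owner expects to be open. Addresses and ports are assumptions.
INVENTORY = {
    "192.0.2.10": {"device": "Dell R710, Windows 2008 R2", "expected": {(80, "tcp"), (445, "tcp")}},
    "192.0.2.11": {"device": "Dell workstation", "expected": {(445, "tcp")}},
    "192.0.2.12": {"device": "3com 5500 switch", "expected": {(22, "tcp")}},
}

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": {(port, proto): (state, service, version)}}}.

    Each -oG port entry has seven slash-separated fields:
    port/state/proto/owner/service/rpcinfo/version."""
    hosts = {}
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue  # comment lines and the "# Nmap done" trailer
        ip, hostname = match.group(1), match.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": {}})
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports:"):
                continue
            for item in field[len("Ports:"):].split(","):
                parts = item.strip().split("/")
                if len(parts) < 7:
                    continue
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                entry["ports"][(int(port), proto)] = (state, service, version)
    return hosts


def reconcile(hosts, inventory):
    """Cross-check scan results with the documented targets."""
    findings = {"unknown_hosts": [], "unexpected_ports": [], "missing_services": [], "silent_hosts": []}
    for ip, info in sorted(hosts.items()):
        open_ports = {key for key, (state, _svc, _ver) in info["ports"].items() if state == "open"}
        if ip not in inventory:
            findings["unknown_hosts"].append((ip, sorted(open_ports)))
            continue
        expected = inventory[ip]["expected"]
        for port, proto in sorted(open_ports - expected):
            findings["unexpected_ports"].append((ip, port, proto, info["ports"][(port, proto)][1]))
        for port, proto in sorted(expected - open_ports):
            findings["missing_services"].append((ip, port, proto))
    findings["silent_hosts"] = sorted(set(inventory) - set(hosts))
    return findings


def sample_findings():
    return reconcile(parse_gnmap(SAMPLE_GNMAP), INVENTORY)


if __name__ == "__main__":
    for kind, items in sample_findings().items():
        print(kind)
        for item in items:
            print("   ", item)
```

Each category maps to a test-plan action: an unknown host is a scoping question for the asset owner before it is touched, an unexpected port (the Terminal Services and Telnet listeners in the sample) goes straight onto the Nessus and banner-grab list, and a missing or silent service is either a scan artifact or an outage the operations manager must hear about through the communication tree before the test continues.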
Appendix C: Penetration Test Action Plan (Con’t)
Appendix D: Audited IT Processes
This section contains information about the processes that run along with IT assets in the penetration test.
Appendix E: Qualitative Risk Matrix
          Event 1   Event 2   Event 3
          Medium    High      Critical
          Low       Medium    High
          Low       Low       Medium
Appendix F: List of Legal Concerns
1. Customer data privacy
2. Transaction integrity (non-PCI transactions)
3. Theft of client data
4. Corporate espionage
5. Employee data privacy
6. Tax and accounting record keeping
Since this company is not publicly traded, the following information should be considered when reviewing risk and requirements for testing as time permits.
Appendix G: Sample Contract
PENETRATION TESTING CONTRACT
This contract is between Pen-test team (hereinafter referred to as the "provider") and target client (hereinafter referred to as the "client") for the supply of Penetration Testing services by the provider for the client.
Whereas the provider provides certain computer and systems security consulting and testing services including Penetration Testing services, and whereas the client wishes to retain the provider to provide computer and systems security services, specifically Penetration Testing services, therefore the client does hereby retain the provider for the purpose of providing Penetration Testing services on the client's computers and network infrastructure.
The objective of the Penetration Testing service is to identify and report on security posture including any vulnerability, to allow the client to close the issues in a planned manner outlined by the provider, thus significantly raising the level of their security protection. The client understands that computer security is a continually growing and evolving environment and that testing by Pen-test team does not mean that the client's site is secure from every form of attack. There is no such thing as 100% effective testing, and for example it is never possible to test for vulnerabilities in software or systems that are not known at the time of testing. Further, security breaches can and frequently do occur from internal sources whose access is not a function of system configuration and/or external access security issues.
The client has provided the provider with certain required information regarding the scope and range of the tests from the inventory audit and business process assessment, and the client hereby warrants that all information provided is true and accurate and that the client owns or is authorized to represent the owners of the computers and systems described. The client further warrants and represents that they are authorized to enter into binding legal agreements.
The provider has provided a written quote for the services contracted in the amount of $1,600.00. The client, prior to any services being performed by the provider, shall make half payment for contracted services one week prior to the start date. A copy of the written quote is attached to this contract as Schedule A. The provider will complete the penetration test on the agreed upon start date of 15-Jan-2013 and finish date of 18-Jan-2013. Upon furnishing the written report and the remediation effort required to harden the client's systems, all remaining payments or balance shall be paid in full. Any payment that exceeds 30 days past the report delivery date shall accrue interest of five percent (5%) compounded each business day.
The provider shall be under no liability whatever to the buyer for any indirect loss and/or expense (including loss of profit) suffered by the buyer arising out of a breach by the provider of this contract. In the event of any breach of this contract by the provider, the remedies of the buyer shall be limited to a maximum of the fees paid by the client.
There will be a communication plan between the pen test team and the operations manager of the client. At each point in the test there will be notification of that test beginning to the operations manager only. If there are any adverse effects of the test, the operations manager will notify the lead pen tester; the test will stop and the results will be noted.
Both parties shall maintain this contract as confidential. No information about this contract, contract terms, or contract fees shall be released by either party. Information about the client’s business or computer systems or security situation that the provider obtains during the course of its work will not be released to any third party without prior written approval. The provider and the client have imparted, and may from time to time impart, to each other certain confidential information relating to each other’s business, including specific documentation. Each party agrees that it shall use such confidential information solely for the purposes of the service and that it shall not disclose such information, directly or indirectly, to any third party, either expressed or otherwise. Where disclosure to a third party by either party is essential, such party will, with the agreement of the other party and prior to any such disclosure, obtain from any such third party duly binding agreements to maintain the disclosed information in confidence to at least the same extent as the parties are bound.

This contract is subject to the laws of the State of Connecticut, USA. All disputes arising out of this contract shall be subject to the exclusive jurisdiction of the State of Connecticut, USA. Neither party shall be liable for any default due to any act of God, war, strike, lockout, industrial action, fire, flood, drought, storm or other event beyond the reasonable control of either party.

Schedule A

The following is an estimate for the test plan. It will take one work day or eight (8) hours to complete the following work.

Time        Task
08:00-08:30 Target Devices and Services
            - Have all identified targets of evaluation documented
            - Obtain and review prioritized list of services
08:30-09:30 Test Operating Systems
            - Use Microsoft Baseline Security Analyzer
            - Use Nmap to discover devices (banner grabbing)
            - Use Nessus to discover vulnerabilities
09:30-10:30 Test Network Devices
            - Use Nmap to discover devices and ports
            - Discover services
            - DoS/DDoS attack
10:30-12:00 Test Core Business Application
            - Armitage and Meterpreter used for testing but not successful
13:00-14:30 Man in the Middle
            - Spoofing and clear text traffic capturing
14:30-17:00 Contingency Testing, Report with Countermeasures
            - Contingency testing in case one or more tests open or deny success
            - Provide results in a brief outlining the test and results
            - Provide countermeasures
Appendix I: Data Breach Calculator Report
Appendix J: Penetration Results and Countermeasures
Report and Countermeasures
Executive Summary
The following is a report of the tests undertaken to gain a foothold, capture data, and/or deny access to the client’s business processes. It reviews the tests run and what their outcomes were. Where there are countermeasures to take to thwart such activities, they are presented. The report is for Client X, who requested that their network be tested for exploits and deficiencies that could expose them to liability for data leakage or to loss of service. The tests conducted were very focused and concentrated on a workstation and the server.
Test Objectives
1. Target Devices and Services
   a. Have all identified targets of evaluation documented
   b. Obtain and review prioritized list of services
2. Scan Operating Systems
   a. Use Microsoft Baseline Security Analyzer
   b. Use Nmap to discover devices (banner grabbing)
   c. Use Nessus to discover vulnerabilities
3. Test Network Devices
   a. Use Nmap to discover devices and ports
   b. Discover services
   c. DoS/DDoS Attack
4. Test Core Business Application
   a. Test core business application against
      i. Clear text traffic capturing
      ii. Man in the middle
      iii. Spoofing
      iv. Armitage w/Meterpreter
Port Scanning Results and Issues
Scanning Windows machines
The first test was scanning of services and ports on Microsoft devices. The test discovered the default Windows system ports open for unsigned SMB, telnet, and high ports. This included the port scanning by Nessus as well as the Microsoft Baseline Security Analyzer. The results from Nessus showed that there existed an unsigned SMB/Samba port (445) as well as the open clear text telnet channel (23). Nessus found only one (1) medium and one (1) low alert for the server 10.10.10.5. Port 135 on the workstation was found open; it is used for remote procedure call (RPC). Port 139 was found open; it is used with SMB for file sharing with devices other than Microsoft ones as well. Port 808 is the Streetsmarts web-based application, running encrypted. Port 992 was found to be an SSL port with a certificate error. Additional open ports were found in the range 49152-49157; this is due to a Microsoft release in January 2008 that moved the start of the dynamic port range to 49152. Some P2P (peer-to-peer) file sharing has been known to run over these ports.

An attack that could have occurred, but was not conducted in this test, is escalation of privileges via an SMB vulnerability and brute forcing of usernames and passwords. The attacker also could have social engineered the information from an unsuspecting user. There is a probability this could have happened, but the users answer to only one IT person, which greatly reduces the probability of that occurring.
Countermeasures
Using a host-based firewall, either Microsoft’s built-in one or a vendor product, the client can block traffic in either direction from the host. In the penetration test it was recorded that ZoneAlarm Free Antivirus and Firewall was able to deny our only exploit to gain control of, or information from, the systems. By trusting only the gateway and the server, the workstation would not have been easily compromised. It is possible to assume the identity of the gateway, but locking down ports would have greatly reduced that threat. The scan results are in Appendices AA through AC.
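To make the port review above repeatable, the following Python script is an added example (not part of the original report or its tooling). It parses Nmap's verbose "Discovered open port" lines in the format shown in Appendix AB, groups them per host, and rates each port against a small policy that mirrors the findings above: telnet (23) as high, SMB and the RPC endpoint mapper (139, 445, 135) as medium, the Windows dynamic RPC range from 49152 as low, and everything else as needing a manual banner check. The server lines are copied from Appendix AB; the two workstation lines, the policy table and the severity names are constructed assumptions for the example.

```python
"""Triage of Nmap 'Discovered open port' output against a simple port policy."""
import re
from collections import defaultdict

# Server lines copied from Appendix AB of the report; the two 10.10.10.7
# lines are constructed so the per-host grouping is visible.
SAMPLE_NMAP = """\
Scanning 10.10.10.5 [1000 ports]
Discovered open port 80/tcp on 10.10.10.5
Discovered open port 23/tcp on 10.10.10.5
Discovered open port 445/tcp on 10.10.10.5
Discovered open port 139/tcp on 10.10.10.5
Discovered open port 49154/tcp on 10.10.10.5
Discovered open port 135/tcp on 10.10.10.5
Discovered open port 808/tcp on 10.10.10.5
Discovered open port 992/tcp on 10.10.10.5
Discovered open port 445/tcp on 10.10.10.7
Discovered open port 135/tcp on 10.10.10.7
"""

# Assumed policy, mirroring the report's findings: cleartext admin protocols
# are the worst, SMB/RPC exposed to the whole subnet is next, dynamic RPC
# ports are expected on Windows and mostly informational.
POLICY = {
    23: ("high", "telnet: cleartext credentials on the wire"),
    135: ("medium", "MS-RPC endpoint mapper"),
    139: ("medium", "NetBIOS session / SMB"),
    445: ("medium", "SMB (unsigned SMB reported by Nessus)"),
}
DYNAMIC_RPC = range(49152, 65536)  # Windows dynamic port range since Vista/Server 2008
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}

LINE_RE = re.compile(
    r"Discovered open port (?P<port>\d+)/(?P<proto>tcp|udp) on "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_open_ports(text):
    """Map each host to the sorted list of open TCP ports found in the output."""
    hosts = defaultdict(set)
    for m in LINE_RE.finditer(text):
        if m.group("proto") == "tcp":
            hosts[m.group("ip")].add(int(m.group("port")))
    return {ip: sorted(ports) for ip, ports in hosts.items()}


def classify(port):
    """Return (severity, reason) for one port under POLICY."""
    if port in POLICY:
        return POLICY[port]
    if port in DYNAMIC_RPC:
        return ("low", "Windows dynamic RPC port")
    return ("info", "unclassified service, confirm with banner grab")


def exposure_report(text):
    """Per host: list of (port, severity, reason), highest severity first."""
    report = {}
    for ip, ports in parse_open_ports(text).items():
        rows = [(p, *classify(p)) for p in ports]
        report[ip] = sorted(rows, key=lambda r: (SEVERITY_ORDER[r[1]], r[0]))
    return report


def hosts_at_or_above(text, severity):
    """Hosts that carry at least one port rated `severity` or worse; these are
    the first candidates for host-firewall restriction to the gateway and server."""
    threshold = SEVERITY_ORDER[severity]
    return sorted(
        ip for ip, rows in exposure_report(text).items()
        if any(SEVERITY_ORDER[r[1]] <= threshold for r in rows)
    )


if __name__ == "__main__":
    for ip, rows in exposure_report(SAMPLE_NMAP).items():
        print(ip)
        for port, sev, reason in rows:
            print(f"  {port:>5}/tcp  {sev:<6} {reason}")
    print("restrict first:", hosts_at_or_above(SAMPLE_NMAP, "medium"))
```

Ports 80, 808 and 992 are deliberately left as "info" because, as the report notes, 808 is the encrypted application and 992 is SSL with a certificate error; those need a banner grab or certificate check rather than a blanket rule, so the script asks for manual confirmation instead of guessing.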
DoS/DDoS Testing

The application server MAXWELLSM was the DoS/DDoS target. The test used Low Orbit Ion Cannon (LOIC), infamously known for its use by the hacktivist group Anonymous, to perform a denial of service against the server in order to deny application use to the client machine. Later, another machine was used to point LOIC at the Windows 7 client machine.

Test 1 - Target port 808 on the application server with 10 threads and numerous TCP requests, waiting for responses. Attack started 13:20 12-Jan-2013. Results: after 5 minutes with 10 threads and speed set to fastest, the Server 2008 and Windows 7 client were still able to communicate.

Test 2 - Target port 808 on the application server with 100 threads and numerous TCP requests, waiting for responses. Attack ran 13:32-13:46 12-Jan-2013. Results: 109,106,402 TCP requests and the application is up. The Windows Error Reporting service stopped and started at least twice.

Test 3 - Target port 808 on the application server with 1000 threads and numerous HTTP requests, not waiting for responses, to see if IIS crashes. Attack started 13:55 12-Jan-2013. Results: despite LOIC requesting many pages many times and showing no failures, the application still launched.

Test 4 - DDoS against target port 80 with 1000 threads, HTTP. Two machines hitting the server; started 14:05, ended 14:15. This included three (3) LOICs and one Python script, slowloris.py, with 1000 new threads every ten (10) seconds. Results: the application still launched.
Countermeasures

No countermeasure is directly required, but the use of a network access control (NAC) device could help protect other protocols. This device would enforce the number of connections per host on the network. This would greatly improve the chances for other protocols on the network, like VoIP, to keep communicating and lower the chances of other denial of service attacks.
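The per-host connection limit that the countermeasure above describes can be modelled in a few lines. The following Python is an added example, not the report's own tooling or any NAC vendor's logic: a sliding-window limiter that admits at most `limit` new connections per source address within any `window` seconds, run over constructed connection events that contrast a flooding host (50 connections in under two seconds, the shape of LOIC's TCP mode) with a workstation opening one connection every 12 seconds. The addresses 10.10.10.99 (flooder) and the event timings are assumptions made up for the example.

```python
"""Per-host new-connection limiter, the control a NAC device would enforce."""
from collections import defaultdict, deque


class PerHostConnectionLimiter:
    """Allow at most `limit` new connections per source within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        # src -> timestamps of connections accepted inside the current window
        self._recent = defaultdict(deque)

    def allow(self, src, ts):
        """Return True if a connection from `src` at time `ts` is within budget."""
        q = self._recent[src]
        while q and ts - q[0] >= self.window:  # forget connections that aged out
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def apply_limit(events, limit, window):
    """Run (src, ts) events through the limiter in time order.

    Returns (allowed, dropped): per-source counts of admitted and refused connections.
    """
    limiter = PerHostConnectionLimiter(limit, window)
    allowed, dropped = defaultdict(int), defaultdict(int)
    for src, ts in sorted(events, key=lambda e: e[1]):
        if limiter.allow(src, ts):
            allowed[src] += 1
        else:
            dropped[src] += 1
    return dict(allowed), dict(dropped)


# Constructed traffic (assumed addresses and timings, not captured data):
# a flooding host opens 50 connections in 1.96 s; the workstation opens
# one connection every 12 s over a minute.
FLOOD_SRC = "10.10.10.99"
WORKSTATION = "10.10.10.7"
CONSTRUCTED_EVENTS = (
    [(FLOOD_SRC, 100.0 + i * 0.04) for i in range(50)]
    + [(WORKSTATION, 100.0 + i * 12.0) for i in range(5)]
)


def run_demo(limit=20, window=10.0):
    """Budget of 20 new connections per source per 10 s window."""
    return apply_limit(CONSTRUCTED_EVENTS, limit, window)


if __name__ == "__main__":
    allowed, dropped = run_demo()
    print("allowed:", allowed)  # flooder capped at 20, workstation keeps all 5
    print("dropped:", dropped)  # flooder loses the remaining 30
```

A count-per-window limit handles the connection floods from Tests 1 through 3; the slowloris component of Test 4 holds a few connections open for a long time rather than opening many, so it is caught by an idle-connection timeout on the web server, not by this counter.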
Application Server Testing

Test 1: Used websploit. Results: nothing to report, as the communication between the application and the server is encrypted by the client-side software.

Test 2: Meterpreter used with Armitage. The encrypted connection made it impossible to glean any data or provide a way to leak data out. Meterpreter was used in this test knowing the administrator password, which made the connection possible. Even a regular user with a known password would be able to both pass the hash and dump and crack passwords later in order to attempt to escalate privileges; time is the factor that determines how successful the cracker would be. Results: we were able to log keystrokes and take screenshots of the user’s computer. This is one way that data could be captured. In this test we show that key logging and screen captures are possible; however, they are not very effective, as shown below in Image 4.
Countermeasures
In the test, it was discovered that knowing a username, or a username together with privileges escalated by brute forcing passwords, helped make the reverse TCP shell possible. One of the ways we stopped this from happening again was to use ZoneAlarm Free Antivirus and Firewall software. With it, a trusted gateway and server were set up and the rest of the same subnet was untrusted. This solution is an inexpensive way to harden the network.
Image 1 – Armitage Text Output of Key logging
Image 2 – Email Credentials Entered
Image 3 - Screenshot before Launching Encrypted Application

Image 4 - After Launching Encrypted Application. Notice in the image below that the application icon (the big ‘S’) is present in the taskbar, and on the workstation the application is in the foreground. However, the captured image shows that the application is not visible, and its content is therefore encrypted from the reverse TCP shell.
Sniffing and MITM Attacks

Using Ettercap we copied traffic between the user and the gateway to our penetration testing laptop. We used Ettercap, urlsnarf, dsniff, and Driftnet, with the commands entered below, to see traffic. In Ettercap we scanned the subnet and added target 1 = gateway and target 2 = the victim machine. Here we were able to get a copy of everything being sent by the user to the laptop first, before it went to the real gateway. This is done with sslstrip, iptables, and Ettercap’s MITM ARP spoofing:

ettercap --mitm ARP:REMOTE --text --quiet --write /root/sslstrip/ettercap.log --iface eth0

The GUI was also used to pick the target client Windows 7 machine 10.10.10.7 and, as the second target, the application server 10.10.10.5. The following commands were executed in the CLI:

root@bt:/# echo 1 > /proc/sys/net/ipv4/ip_forward
root@bt:/# cat /proc/sys/net/ipv4/ip_forward
root@bt:# sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

Now verify it took the filter:

root@bt:~# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:www redir ports 10000

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

root@bt:# sudo python sslstrip.py -l 1000 -f lock.ico
Results with sslstrip: no data or text of any sort was visible, as all data was being passed through an encrypted channel.

Results with dsniff: web addresses were visible, but no usernames or passwords. These results show the application is very secure.

Results with driftnet: there were no pictures or images of the site going across. Web addresses were being listed.

Results with urlsnarf:

root@bt:~# urlsnarf -n -i eth0
urlsnarf: listening on eth0 [tcp port 80 or port 8080 or port 3128]
10.10.10.7 - - [15/Jan/2013:23:10:12 -0500] "GET http://www.google.com/ HTTP/1.1" - - "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.10.10.7 - - [15/Jan/2013:23:10:13 -0500] "GET
10.10.10.7 - - [15/Jan/2013:23:11:17 -0500] "GET http://www.mwsystems.com/servlet/servlet.FileDownload?file=01540000000nqRS HTTP/1.1" - - "http://10.10.10.5/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.10.10.7 - - [15/Jan/2013:23:11:17 -0500] "GET http://www.mwsystems.com/servlet/servlet.FileDownload?file=01540000000nr9Z HTTP/1.1" - - "http://10.10.10.5/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.10.10.7 - - [15/Jan/2013:23:11:17 -0500] "GET http://www.mwsystems.com/servlet/servlet.FileDownload?file=01540000000nr9K HTTP/1.1" - - "http://10.10.10.5/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.10.10.7 - - [15/Jan/2013:23:11:17 -0500] "GET http://www.mwsystems.com/servlet/servlet.FileDownload?file=01540000000nr9A HTTP/1.1" - - "http://10.10.10.5/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.10.10.7 - - [15/Jan/2013:23:11:17 -0500] "GET http://www.mwsystems.com/servlet/servlet.FileDownload?file=01540000000nroD HTTP/1.1" - - "http://10.10.10.5/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
Executed commands:

root@bt:/# echo 1 > /proc/sys/net/ipv4/ip_forward
root@bt:/# cat /proc/sys/net/ipv4/ip_forward
1

In another terminal, we used Driftnet:

root@bt:/# driftnet -i eth0
root@bt:/# driftnet -i eth0 -v -s     (in an attempt to capture audio being streamed)

We could then see what images the user was looking at. Results: images from the core business application were not being sent to our laptop despite driftnet running:

root@bt:~# driftnet -i eth0 -v
driftnet: using temporary file directory /tmp/driftnet-AmaowM
driftnet: listening on eth0 in promiscuous mode
driftnet: using filter expression `tcp'
driftnet: started display child, pid 2562
driftnet: link-level header length is 14 bytes
.driftnet: new connection: 10.10.10.7:49363 -> 23.45.9.75:80
...driftnet: new connection: 10.10.10.7:49365 -> 23.45.9.75:80
...driftnet: new connection: 10.10.10.7:49364 -> 23.45.9.75:80
...driftnet: new connection: 10.10.10.7:49368 -> 23.45.9.75:80
Countermeasures
No countermeasures needed to be taken to secure the core business application. However, countermeasures do need to be taken to eliminate the ability to see what web or secure web traffic users are conducting. Again, a NAC device would help, qualifying not only the user but the device on the network. In addition, such a device can turn the MITM technique against the attacker and send all of their traffic into a black hole; the Trustwave NAC appliance is one device that can perform this mitigation. A less costly approach for smaller companies would be to use a VPN or SSH tunnel to a known good server. Some of these solutions are offered free on the web and some can be built in-house.
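The ARP poisoning used in this section (Ettercap's ARP:REMOTE mode, which tells the victim that the gateway lives at the attacker's MAC and tells the gateway the same about the victim) leaves a recognisable trace that a NAC or a monitoring host on a span port can alert on. The following Python is an added example, not the report's tooling or any vendor's detection logic: it reads tcpdump-style ARP reply lines, compares each IP-to-MAC claim against a static baseline for the key hosts, and raises alerts when a protected IP is claimed by an unexpected MAC, when one IP flaps between MACs, or when a single MAC claims more than one IP, which is the two-target poisoning pattern. The four capture lines, the MAC addresses and the baseline table are constructed for the example; the IP addresses follow the report's lab (gateway, server 10.10.10.5, workstation 10.10.10.7).

```python
"""ARP reply monitor: flags the two-target poisoning pattern in a span-port capture."""
import re
from collections import defaultdict

# Constructed tcpdump-style ARP reply lines (not captured data). The first two
# are legitimate; the last two show one MAC claiming both the gateway and the
# workstation, which is what a two-target ARP poisoning looks like on the wire.
CONSTRUCTED_ARP = [
    "12:01:01.000 ARP, Reply 10.10.10.1 is-at 00:11:22:aa:bb:01, length 46",
    "12:01:01.100 ARP, Reply 10.10.10.5 is-at 00:11:22:aa:bb:05, length 46",
    "12:01:05.000 ARP, Reply 10.10.10.1 is-at 00:0c:29:de:ad:01, length 46",
    "12:01:05.010 ARP, Reply 10.10.10.7 is-at 00:0c:29:de:ad:01, length 46",
]

# Assumed static bindings an operator would maintain for hosts worth protecting.
BASELINE = {
    "10.10.10.1": "00:11:22:aa:bb:01",  # gateway
    "10.10.10.5": "00:11:22:aa:bb:05",  # application server
    "10.10.10.7": "00:11:22:aa:bb:07",  # workstation
}

ARP_REPLY_RE = re.compile(
    r"Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at (?P<mac>[0-9a-fA-F:]{17})"
)


class ArpMonitor:
    """Tracks which MACs have claimed which IPs and raises alerts on anomalies."""

    def __init__(self, baseline):
        self.baseline = {ip: mac.lower() for ip, mac in baseline.items()}
        self.seen = defaultdict(set)  # ip -> every MAC that has claimed it
        self.alerts = set()           # (kind, subject, detail) tuples

    def observe(self, ip, mac):
        mac = mac.lower()
        self.seen[ip].add(mac)

        # 1. A protected IP answered from a MAC other than its known one.
        expected = self.baseline.get(ip)
        if expected and mac != expected:
            self.alerts.add(("baseline-mismatch", ip, mac))

        # 2. The same IP has been claimed by more than one MAC (no baseline needed).
        if len(self.seen[ip]) > 1:
            self.alerts.add(("ip-flapping", ip, ",".join(sorted(self.seen[ip]))))

        # 3. One MAC claims several IPs: the signature of poisoning both ends.
        claimed = sorted(i for i, macs in self.seen.items() if mac in macs)
        if len(claimed) > 1:
            self.alerts.add(("mac-claims-multiple", mac, ",".join(claimed)))


def analyze(lines, baseline):
    """Feed capture lines through the monitor and return the set of alerts."""
    monitor = ArpMonitor(baseline)
    for line in lines:
        m = ARP_REPLY_RE.search(line)
        if m:
            monitor.observe(m.group("ip"), m.group("mac"))
    return monitor.alerts


if __name__ == "__main__":
    for alert in sorted(analyze(CONSTRUCTED_ARP, BASELINE)):
        print(alert)
```

Checks 2 and 3 work without any baseline, so they are the ones to keep on a network where static bindings are not maintained; check 1 is the precise one and is what a NAC enforces when it pins the gateway and server MACs. A legitimate NIC replacement on a protected host will trigger check 1 once, which is the expected cost of pinning.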
Appendix AA: MBSA (Microsoft Baseline Security Analyzer) Scan Results

The automated scanning results are attached but abbreviated for length. The Microsoft Baseline Security Analyzer (MBSA) results have been included below. The workstation used in the test had an even lower score for vulnerabilities discovered.
Appendix AB: Nmap Scan Results
Scanning known hosts

Nmap MAXWELLSM (Application server Open Ports)
Scanning 10.10.10.5 [1000 ports]
Discovered open port 80/tcp on 10.10.10.5
Discovered open port 23/tcp on 10.10.10.5
Discovered open port 445/tcp on 10.10.10.5
Discovered open port 139/tcp on 10.10.10.5
Discovered open port 49154/tcp on 10.10.10.5
Discovered open port 49156/tcp on 10.10.10.5
Discovered open port 49157/tcp on 10.10.10.5
Discovered open port 49155/tcp on 10.10.10.5
Discovered open port 135/tcp on 10.10.10.5
Discovered open port 808/tcp on 10.10.10.5
Discovered open port 49153/tcp on 10.10.10.5
Discovered open port 49152/tcp on 10.10.10.5
Discovered open port 992/tcp on 10.10.10.5
_ssl-cert: ERROR
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC

ClientW7 (Open Ports)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open netbios-ssn
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-methods: No Allow or Public header in OPTIONS response (status code 503)
|_http-title: Service Unavailable
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
Appendix AC: Nessus Scan Results Application Server MAXWELLSM
Appendix AD: Nessus Scan Results Network
Appendix AE: Communication Plan

The communication plan used during the penetration test. This was a single pen tester performing the test, so no other communication had to be coordinated with teammates.

Time        Task
08:00-08:30 Target Devices and Services
            - Have all identified targets of evaluation documented
            - Obtain and review prioritized list of services
08:30-09:30 Test Operating Systems
            - Call to operations manager: test to begin, 1 hour in length
            - Use Microsoft Baseline Security Analyzer
            - Use Nmap to discover devices (banner grabbing)
            - Use Nessus to discover vulnerabilities
09:30-10:30 Test Network Devices
            - Call to operations manager: test to begin, 1 hour in length
            - Use Nmap to discover devices and ports
            - Discover services
            - DoS/DDoS attack
10:30-12:00 Test Core Business Application
            - Armitage & Meterpreter used
13:00-14:30 Man in the Middle
            - Call to operations manager: test to begin, 1.5 hours in length
            - Spoofing & clear text traffic capturing
14:30-17:00 Contingency Testing, Report with Countermeasures
            - Contingency testing in case one or more tests open or deny success
            - Provide results in a brief outlining the test and results
            - Provide countermeasures