Penetration Testing Print Version

Uploaded by arnold sopiimeh

Network penetration testing

Marek Kumpošt
Penetration testing

> Authorized attempt to violate specific constraints defined in the form of a policy

> Technique to discover, understand, and document all security holes found in a system

> Not restricted to networks only

> Penetration testing can prove the presence of a security flaw

> But not the total absence of flaws

Penetration study

> Complex process to evaluate (through penetration testing) the strength of all security controls within the system/network

> + suggestions on how to fix them

> The goal of a penetration study is also to find the interpretations (causes) of discovered vulnerabilities and to suggest how to remove/close them

> Not intrusive - detects/enumerates potential vulnerabilities but does not exploit them

Lifecycle of penetration testing

> Phase 1: Information gathering about tested environment

> Phase 2: Scanning, enumeration, fingerprinting, ...

> Phase 3: Exploitation, vulnerability testing, ...

> Phase 4: Report and evaluation


Recommended tools and pentesting arsenal

https://www.kali.org/

Types of penetration testing

> Black-box pentesting

> Tester knows no details about the tested environment
> Simulation of an external attacker with no internal knowledge

> Grey-box pentesting

> Tester might have some architecture details, credentials, etc.

> White-box pentesting

> Nothing is hidden from the tester in this scenario
> Architecture details, credentials, source code of the tested application

Determining scope of a pentest (1/2)

> Who has the authority to authorize testing?

> What is the purpose and what is the timeframe for the testing?

> Who is authorized to know about the pentesting (IT, management, IT security)?

> What documentation will you have (IP ranges, applications, DB, ...)?

Determining scope of a pentest (2/2)

> What are the conditions for the test to be immediately stopped?

> Will additional permissions be required for exploiting vulnerabilities?

> Are there any legal implications you should be aware of?

> Is social engineering (or physical security) also part of the pentest?

Most important part of any pentest?

> Take good notes!!! ;-)

> Of your setup, testing procedures, used tools, results, follow-ups

> Tips for tools: Dradis, MagicTree, ThreadFix or just Notepad ...

Information gathering

> Name servers, IP ranges, banners, running services
> Operating systems, IDS/IPS presence
> Technology used, network device types
> Google for anything that might help you build knowledge

> Find everything that you can -> prioritize, remove misleading data -> use the gathered data to develop a pentest plan

Information gathering – example with DNS

How do you get the info you want?

> Network scanning – typical approach in the beginning

> List of live IP addresses – PING scan
> Information from the WHOIS database – DNS name, A, MX records, geolocation, reputation of an IP, SPAM db lookups, etc.

www.tcpiputils.com

How do you get the info you want?

> Service scanning

> Basic portscan – slower scan with nmap

> Gives us information about running services

> Services fingerprinting
- possible versions of services
- used to identify vulnerabilities and help us find relevant exploits

PING scan of a network

> What is this technique good for?

> Get a list of live IP addresses

> Get a list of your targets, understand the IP addressing structure
> A basic PING scan can be easily detected

Getting more info about targets?

> Services scanning – fingerprinting and service banners

> Get info about running services

> Versions of services
> Operating system of a server and its possible version

> Patches of a service or operating system

> Enabled modules, internal service name, ...

Service scanning with NMAP

> nmap -A is very noisy and an easy-to-discover scan

> -sS – half-open scan, more stealthy

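The PING scan slide notes that a basic sweep is easily detected, and the -sS bullet describes the half-open scan. From the defender's side both leave a recognisable pattern in flow or firewall logs: one source touching many hosts with ICMP in a short window, and one source sending bare SYNs to many ports of a host without ever completing a handshake. The script below is an added example, not part of the original slides; the simplified flow-record format, the thresholds and all addresses are assumptions constructed for the example.

```python
"""Detect ICMP ping sweeps and TCP SYN (half-open) scans in flow records.

Added example for the slides above; it is not part of the original deck.
The input format is a constructed, simplified flow record, one per line:

    <epoch_seconds> <src_ip> <dst_ip> <proto> <dst_port> <tcp_flags>

proto is "icmp" or "tcp"; dst_port and tcp_flags are "-" for ICMP. For TCP,
flags are the client-side flags seen: "S" for a bare SYN, "A" for the ACK that
completes the handshake. Thresholds and addresses are assumptions.
"""
from collections import defaultdict

WINDOW_SECONDS = 60   # assumed sliding window for sweep detection
SWEEP_MIN_HOSTS = 8   # assumed: distinct hosts pinged by one source in a window
SYN_MIN_PORTS = 15    # assumed: distinct ports SYN-probed on one host, never ACKed


def parse_records(text):
    """Turn the whitespace-separated record lines into dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, port, flags = line.split()
        records.append({"ts": int(ts), "src": src, "dst": dst, "proto": proto,
                        "port": None if port == "-" else int(port), "flags": flags})
    return records


def detect_ping_sweeps(records, window=WINDOW_SECONDS, min_hosts=SWEEP_MIN_HOSTS):
    """Return {src: max_distinct_hosts} for sources that sent ICMP to at least
    min_hosts distinct destinations inside any window of `window` seconds."""
    by_src = defaultdict(list)
    for r in records:
        if r["proto"] == "icmp":
            by_src[r["src"]].append((r["ts"], r["dst"]))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # advance the window start until it spans at most `window` seconds
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            distinct = {dst for _, dst in events[lo:hi + 1]}
            if len(distinct) >= min_hosts:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


def detect_syn_scans(records, min_ports=SYN_MIN_PORTS):
    """Return {(src, dst): half_open_ports} where src sent bare SYNs to at least
    min_ports distinct ports on dst without ever completing the handshake.

    A half-open (-sS) scan never sends the final ACK, so the SYN has no
    matching "A" record from the same client; a real client connection does."""
    syn_ports = defaultdict(set)
    acked_ports = defaultdict(set)
    for r in records:
        if r["proto"] != "tcp":
            continue
        key = (r["src"], r["dst"])
        if r["flags"] == "S":
            syn_ports[key].add(r["port"])
        elif r["flags"] == "A":
            acked_ports[key].add(r["port"])
    alerts = {}
    for key, ports in syn_ports.items():
        half_open = ports - acked_ports.get(key, set())
        if len(half_open) >= min_ports:
            alerts[key] = len(half_open)
    return alerts


def constructed_sample():
    """Constructed flow records: one sweeping/scanning host, two benign ones."""
    lines = []
    for i in range(12):  # 10.0.0.5 pings twelve hosts within twelve seconds
        lines.append(f"{1000 + i} 10.0.0.5 10.0.1.{i + 1} icmp - -")
    lines.append("1000 10.0.0.7 10.0.1.1 icmp - -")  # monitoring box, two pings
    lines.append("1001 10.0.0.7 10.0.1.2 icmp - -")
    for i, port in enumerate(range(20, 41)):  # 21 bare SYNs to one host
        lines.append(f"{1100 + i} 10.0.0.5 10.0.1.20 tcp {port} S")
    for port in (80, 443):  # a normal client completes its handshakes
        lines.append(f"1200 10.0.0.8 10.0.1.20 tcp {port} S")
        lines.append(f"1201 10.0.0.8 10.0.1.20 tcp {port} A")
    return "\n".join(lines)


def run():
    records = parse_records(constructed_sample())
    return detect_ping_sweeps(records), detect_syn_scans(records)


if __name__ == "__main__":
    sweeps, scans = run()
    for src, n in sweeps.items():
        print(f"ping sweep: {src} reached {n} distinct hosts")
    for (src, dst), n in scans.items():
        print(f"SYN scan: {src} -> {dst}, {n} half-open ports")
```

The monitoring host that pings two gateways and the client that finishes its handshakes stay below the thresholds; in a real deployment the thresholds are the tuning knobs, and a slower scan (the -T0/-T1 timing templates on the next slide) is exactly what spreads events past the window to evade a detector like this.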
Basic nmap options for scanning

> --open – report only open ports of a target

> -Pn – skip host discovery (e.g. if a firewall drops ping)

> -T0 to -T5 – aggressiveness of a scan: 0 slowest, 5 "insane"

> -sA/P/X/S/T/U/M/I/C – different scan types

> -oA/G/X/N – output formats of an nmap scan – good for import into msf
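The -oX output is also the easiest format to process yourself before importing anywhere. The following parser is an added example, not part of the original slides: it reads nmap's XML element layout (nmaprun/host/status/address/ports/port/state/service/os) into a flat host-and-service inventory, applies the same filter as --open, and flags services whose name nmap only guessed from its port table rather than fingerprinted, which is where the "services fingerprinting" follow-up from the earlier slide belongs. The XML document itself is constructed for the example; every address, hostname and version in it is made up.

```python
"""Parse nmap XML output (-oX) into a host/service inventory.

Added example for the nmap slides; not part of the original deck. The XML
below is constructed to follow the real nmap -oX element layout, but every
address, hostname and version in it is made up. Services nmap only guessed
from its port table (method="table") are flagged for manual fingerprinting.
"""
import xml.etree.ElementTree as ET

CONSTRUCTED_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 192.0.2.0/28">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.6" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered" reason="no-response"/>
        <service name="http-proxy" method="table" conf="3"/>
      </port>
    </ports>
    <os><osmatch name="Linux 3.10 - 4.11" accuracy="95"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="161">
        <state state="open" reason="udp-response"/>
        <service name="snmp" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text, open_only=True):
    """Return one dict per (host, port). open_only mirrors nmap's --open."""
    root = ET.fromstring(xml_text)
    inventory = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts nmap reported as down
        addr = host.find("address[@addrtype='ipv4']")
        hostname = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            if open_only and state != "open":
                continue
            svc = port.find("service")
            get = (lambda k: svc.get(k)) if svc is not None else (lambda k: None)
            inventory.append({
                "host": addr.get("addr") if addr is not None else None,
                "hostname": hostname.get("name") if hostname is not None else None,
                "os": osmatch.get("name") if osmatch is not None else None,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state,
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
                # "probed" means -sV actually talked to the service; "table" is a
                # guess from the port number and needs manual confirmation
                "fingerprinted": get("method") == "probed",
            })
    return inventory


def live_hosts(inventory):
    """Sorted list of addresses that have at least one inventoried port."""
    return sorted({e["host"] for e in inventory})


def needs_manual_fingerprinting(inventory):
    """Entries whose service name is a port-table guess, not a probed version."""
    return [e for e in inventory if not e["fingerprinted"]]


if __name__ == "__main__":
    inv = parse_nmap_xml(CONSTRUCTED_NMAP_XML)
    for e in inv:
        print(f'{e["host"]:12} {e["proto"]}/{e["port"]:<5} {e["service"]:<10} '
              f'{e["product"] or "?"} {e["version"] or ""}'.rstrip())
    for e in needs_manual_fingerprinting(inv):
        print(f'follow up: {e["host"]} {e["proto"]}/{e["port"]} ({e["service"]}) not probed')
```

The inventory this produces is what the "affected hosts" column of the final report is built from; keeping the raw -oX file alongside it is part of the note-taking the earlier slide insists on.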
Usage of nmap scripts

> Make sure you fully understand any script that you run! ;-)

> nmap -sC <target> - runs the default set of about 50 basic nmap scripts, but is very loud on the network...
Getting information from SNMP

> Commonly misconfigured service (by admins)

> Great source of various information about your targets

> Default "public" community string; unencrypted protocol versions (v1/v2c); open ports on the firewall

> Tools in Kali: SNMPenum, SNMPcheck, onesixtyone

> You get a lot of info by sending just one packet!
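The three misconfigurations the slide lists (default community string, cleartext v1/v2c, exposure to any source) are all visible in a Net-SNMP snmpd.conf before anyone sends a packet. The audit script below is an added example, not part of the original slides; the two configurations are constructed, the directive names (rocommunity, rwcommunity, com2sec, rouser, rwuser, createUser, agentAddress) are real Net-SNMP directives, and the severity labels are this example's own convention.

```python
"""Audit a Net-SNMP snmpd.conf for the weaknesses the SNMP slide lists.

Added example; not part of the original deck. The two configurations are
constructed. The directive names (rocommunity, rwcommunity, com2sec, rouser,
rwuser, createUser, agentAddress) are real Net-SNMP directives; the severity
labels and the "priv"-required rule are this example's own convention.
"""

DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed: the kind of snmpd.conf the slide warns about
WEAK_SNMPD_CONF = """\
agentAddress udp:161
rocommunity public
rwcommunity private 10.0.0.0/8
com2sec notConfigUser default public
"""

# Constructed: SNMPv3 only, authPriv, agent bound to loopback (passphrases are placeholders)
HARDENED_SNMPD_CONF = """\
agentAddress udp:127.0.0.1:161
createUser monitor SHA "PLACEHOLDER-auth-passphrase" AES "PLACEHOLDER-priv-passphrase"
rouser monitor priv
"""


def audit_snmpd_conf(text):
    """Return a list of (line_number, severity, message); empty means clean."""
    findings = []
    uses_community = False
    has_v3_user = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]

        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            # rocommunity COMMUNITY [SOURCE [OID]]; missing SOURCE means any address
            uses_community = True
            community = args[0] if args else ""
            source = args[1] if len(args) > 1 else "default"
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, "HIGH", f"default community string '{community}'"))
            if directive.startswith("rw"):
                findings.append((lineno, "HIGH", "write access granted via a v1/v2c community"))
            if source == "default":
                findings.append((lineno, "MEDIUM", f"community '{community}' accepted from any source"))

        elif directive == "com2sec":
            # com2sec NAME SOURCE COMMUNITY
            uses_community = True
            if len(args) >= 3:
                if args[2].lower() in DEFAULT_COMMUNITIES:
                    findings.append((lineno, "HIGH", f"default community string '{args[2]}'"))
                if args[1] == "default":
                    findings.append((lineno, "MEDIUM", f"community '{args[2]}' accepted from any source"))

        elif directive in ("rouser", "rwuser"):
            # rouser USER [noauth|auth|priv]; Net-SNMP's default level is auth
            if not args:
                continue
            has_v3_user = True
            level = args[1].lower() if len(args) > 1 else "auth"
            if level == "noauth":
                findings.append((lineno, "MEDIUM", f"SNMPv3 user '{args[0]}' allowed without authentication"))
            elif level != "priv":
                findings.append((lineno, "LOW", f"SNMPv3 user '{args[0]}' not required to use encryption (priv)"))

    if uses_community and not has_v3_user:
        findings.append((0, "INFO", "only v1/v2c community access configured; these versions send "
                                    "the community string in cleartext, migrate to SNMPv3 authPriv"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SNMPD_CONF), ("hardened", HARDENED_SNMPD_CONF)):
        print(f"--- {name} ---")
        for lineno, sev, msg in audit_snmpd_conf(conf) or [(0, "OK", "no findings")]:
            print(f"line {lineno}: [{sev}] {msg}")
```

Run against the weak file this reports two HIGH findings for each default community line, one more for the writable community, two MEDIUM findings for the unrestricted sources and an INFO that no SNMPv3 user exists; the hardened file produces nothing. The "open ports on the firewall" item from the slide is outside what a host config can show and stays a network-side check.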


Metasploit – Swiss army knife for pentesting

> Previous manual work done effectively from one framework

> Great source of various information about your targets

> Results of your activities are stored in a database

> All configured (db, msf, web server) in Kali Linux


Metasploit – Swiss army knife for pentesting

> Workspaces for storing different projects in msf

> Metasploit can import results from nmap

> Or you can run nmap directly from Metasploit!

> db_nmap with options you would use with standard nmap

> Metasploit prompt accepts standard Linux commands


CVE - database

> Common Vulnerabilities and Exposures (cve.mitre.org)

> Structured reference for publicly known vulnerabilities

> Heartbleed – CVE-2014-0160

> You can search for exploits related to a CVE directly in msf

Pentest reporting – general guidelines

> Scope of the pentest (what/when/why/how/who)

> What is scanned, what is the goal, what is excluded, ...

> For each discovered vulnerability

> Discuss risk, impact, attacker’s skill, affected hosts

> Provide description/evidence, recommendation and references
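The guidelines above are effectively a schema: a scope block (what/when/why/how/who, exclusions) and, per vulnerability, risk, impact, attacker skill, affected hosts, description, evidence, recommendation and references. The following script is an added example, not part of the original slides, that encodes that schema, checks each finding for missing fields and renders a report with the highest-risk items first. The scope values and findings are constructed, and the 3x3 risk matrix (likelihood derived from attacker skill, combined with impact) is an assumed convention for the example rather than one the slides prescribe.

```python
"""Structure pentest findings the way the reporting slide asks for.

Added example; not part of the original deck. The scope values, the findings
and the 3x3 risk matrix (likelihood x impact) are constructed conventions for
this example; likelihood is derived from the attacker skill required.
"""
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")
RISK_ORDER = ("Low", "Medium", "High", "Critical")
# Assumed: the less skill an exploit needs, the more likely it is to be used
SKILL_TO_LIKELIHOOD = {"low": "high", "medium": "medium", "high": "low"}
REQUIRED_FIELDS = ("title", "description", "evidence", "impact", "attacker_skill",
                   "affected_hosts", "recommendation", "references")


def risk_rating(likelihood, impact):
    """Assumed matrix: sum of the two level indices (0..4) mapped to a rating."""
    score = LEVELS.index(likelihood) + LEVELS.index(impact)
    return ("Low", "Low", "Medium", "High", "Critical")[score]


@dataclass
class Finding:
    title: str
    description: str
    evidence: str
    impact: str          # low / medium / high
    attacker_skill: str  # low / medium / high
    affected_hosts: list
    recommendation: str
    references: list

    def likelihood(self):
        return SKILL_TO_LIKELIHOOD[self.attacker_skill]

    def risk(self):
        return risk_rating(self.likelihood(), self.impact)


def validate(finding):
    """Names of required fields that are empty; a complete finding returns []."""
    return [name for name in REQUIRED_FIELDS if not getattr(finding, name)]


def render_report(scope, findings):
    """Render scope plus findings (highest risk first) as Markdown text."""
    lines = ["# Penetration test report", "", "## Scope"]
    for key in ("what", "when", "why", "how", "who", "excluded"):
        lines.append(f"- {key}: {scope[key]}")
    lines += ["", "## Findings (highest risk first)"]
    for f in sorted(findings, key=lambda f: -RISK_ORDER.index(f.risk())):
        lines += [
            "", f"### {f.title}",
            f"- Risk: {f.risk()} (likelihood {f.likelihood()}, impact {f.impact})",
            f"- Attacker skill required: {f.attacker_skill}",
            f"- Affected hosts: {', '.join(f.affected_hosts)}",
            f"- Description: {f.description}",
            f"- Evidence: {f.evidence}",
            f"- Recommendation: {f.recommendation}",
            f"- References: {'; '.join(f.references)}",
        ]
        missing = validate(f)
        if missing:  # make incomplete entries impossible to overlook
            lines.append(f"- INCOMPLETE, missing: {', '.join(missing)}")
    return "\n".join(lines)


# Constructed scope, following the what/when/why/how/who list on the slide
SCOPE = {
    "what": "192.0.2.0/28 (internal servers), no web application testing",
    "when": "2 working days, business hours only",
    "why": "annual review of server hardening",
    "how": "grey-box: network diagram and read-only monitoring account provided",
    "who": "authorized by the CISO; IT operations informed",
    "excluded": "192.0.2.1 (gateway), social engineering, denial of service",
}


def constructed_findings():
    """Constructed findings: one severe and complete, one minor, one incomplete."""
    return [
        Finding("SNMP agent accepts default community string",
                "The SNMP service answers v2c requests using the default community.",
                "snmpd.conf contains 'rocommunity public' (verified with the administrators).",
                impact="high", attacker_skill="low", affected_hosts=["192.0.2.12"],
                recommendation="Disable v1/v2c, configure SNMPv3 authPriv users, restrict source addresses.",
                references=["Vendor SNMP hardening guide (placeholder reference)"]),
        Finding("Web server version disclosed in banner",
                "HTTP responses include the exact server product and version.",
                "Server header observed in responses on tcp/80.",
                impact="low", attacker_skill="low", affected_hosts=["192.0.2.10"],
                recommendation="Suppress version details in the server header.",
                references=["Vendor documentation on server tokens (placeholder reference)"]),
        Finding("SSH allows password authentication",
                "Password logins are permitted alongside key-based authentication.",
                "Authentication methods advertised on tcp/22.",
                impact="medium", attacker_skill="medium", affected_hosts=["192.0.2.10"],
                recommendation="",  # left empty to show the completeness check
                references=["Internal SSH baseline (placeholder reference)"]),
    ]


if __name__ == "__main__":
    print(render_report(SCOPE, constructed_findings()))
```

Rendering to Markdown keeps the report in the same form as the notes taken during the engagement, so evidence can be pasted in verbatim; the INCOMPLETE marker is what stops a finding with no recommendation from reaching the customer.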


Useful pointers

> OWASP testing guide

- https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf

> OWASP reporting guide

- https://www.owasp.org/index.php/Reporting

> Certified Ethical Hacker (CEH) certification


Questions?

Thx…
