Penetration Testing can be defined as a legal and authorized attempt to locate and successfully exploit computer systems for the purpose of making those systems more secure. The process includes probing for vulnerabilities as well as providing proof of concept attacks to demonstrate the vulnerabilities are real.
Proper penetration testing always ends with specific recommendations for
addressing and fixing the issues that were discovered during the test. On the
whole, this process is used to help secure computers and networks against future
attacks. The general idea is to find security issues by using the same tools and
techniques as an attacker. These findings can then be mitigated before a real hacker exploits them.
Penetration testing is also known as:
• Pen testing
• PT
• Hacking
• Ethical Hacking
• White Hat Hacking
• Offensive Security
• Red Teaming
It is important to spend a few moments discussing the difference between
Penetration Testing and Vulnerability Assessment. Many people (and vendors) in the security community incorrectly use these terms interchangeably. A vulnerability assessment is the process of reviewing services and systems for potential security issues, whereas a penetration test actually performs exploitation and Proof of Concept (PoC) attacks to prove that a security issue exists. Penetration Tests go a step beyond vulnerability assessments by
simulating hacker activity and delivering live payloads.
What is Penetration Testing?
A penetration test is when Ethical Hackers do their magic. They can test many of the vulnerabilities identified during the vulnerability assessment to quantify the actual threat and risk posed by the vulnerability.
When Ethical Hackers are carrying out a penetration test, their ultimate goal is usually to break into a system and hop from system to system until they “own” the domain or environment. They own the domain or environment when they either have root
privileges on the most critical Unix or Linux system or own the domain administrator
account that can access and control all of the resources on the network. They do this to
show the customer (company) what an actual attacker can do under the circumstances
and current security posture of the network.
Many times, while the ethical hacker is carrying out their procedures to gain total
control of the network, they will pick up significant trophies along the way. These trophies can include the CEO’s passwords, company trade-secret documentation, administrative passwords to all border routers, documents marked “confidential” held on the CFO’s and CIO’s laptops, or the combination to the company vault. The reason these trophies are collected along the way is so the decision makers understand the ramifications of these vulnerabilities. A security professional can go on for hours to the CEO,
CIO, or COO about services, open ports, misconfigurations, and hacker potential without making a point that this audience would understand or care about. But as soon as you show the CFO his next year’s projections, or show the CIO all of the blueprints to the next year’s product line, or tell the CEO that his password is “IAmWearingPanties,” they will all want to learn more about the importance of a firewall and other countermeasures that should be put into place.
The goal of a vulnerability assessment is to provide a listing of all of the vulnerabilities within a network. The goal of a penetration test is to show the company how these vulnerabilities can be used against it by attackers. From here, the security professional (Ethical Hacker) provides advice on the necessary countermeasures that should be implemented to reduce the threats of these vulnerabilities individually and collectively.
Let’s take a look at the Ethical Penetration Testing process and see how it differs from
that of unethical hacker activities.
Penetration Testing Process and Methodology
1. Form two or three teams:
• Red team—The attack team
• White team—Network administration, the victim
• Blue team—Management coordinating and overseeing the test (optional)
Note that these color assignments follow this text's convention. In most current usage the blue team is the defending and detection team, and the white team is the referee or coordinating body that knows what both sides are doing.
2. Establish the ground rules:
• Testing objectives
• What to attack, what is hands-off
• Who knows what about the other team (Are both teams aware of the other?
Is the testing single blind or double blind?)
• Start and stop dates
• Legal issues
• Just because a client asks for it, doesn’t mean that it’s legal.
• The ethical hacker must know the relevant local, state, and federal laws and how they pertain to testing procedures.
• Confidentiality/Nondisclosure
• Reporting requirements
• Formalized approval and written agreement with signatures and contact information
• Keep this document handy during the testing. It may be needed as a “get out of jail free” card
3. Passive scanning. Gather as much information about the target as possible
without sending the target any traffic it could recognize as probing (browsing its public website as an ordinary visitor is the accepted exception).
Passive scanning can include interrogating:
• The company’s website and source code
• Social networking sites
• Whois database
• EDGAR database (SEC filings)
• Newsgroups
• Regional Internet Registry databases (ARIN, RIPE, APNIC, LACNIC, AFRINIC)
• Google, Monster.com, etc.
• Dumpster diving
4. Active scanning. Probe the target’s public exposure directly; the tools and techniques might include:
• Commercial scanning tools
• Banner grabbing
• Social engineering
• War dialing
• DNS zone transfers
• Sniffing traffic
• Wireless war driving
5. Attack surface enumeration (footprinting). Probe the target network to identify, enumerate, and document each exposed device:
• Network mapping
• Router and switch locations
• Perimeter firewalls
• LAN, MAN, and WAN connections
6. Fingerprinting. Perform a thorough probe of the target systems to identify:
• Operating system type and patch level
• Applications and patch level
• Open ports
• Running services
• User accounts
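Steps 4 and 6 above are the point where the tester first touches the target directly. The following is an added example, not code from the original text: a TCP connect scan with banner grabbing and a small fingerprinting step, run against constructed loopback listeners so it works offline. The banners (an OpenSSH string and a Postfix greeting that volunteers a version number) are invented for the example; the hosts, ports and regular expressions are assumptions, not anything the page describes.

```python
import re
import socket
import threading

# Constructed, hypothetical banners (not captured from any real host) that stand
# in for services a tester would meet during active scanning.
FAKE_SSH_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"
FAKE_SMTP_BANNER = b"220 mail.example.com ESMTP Postfix 3.6.4\r\n"

# Minimal banner grammars for two protocols where the server speaks first.
# HTTP and TLS services say nothing until probed, so a plain banner grab shows
# them only as "open but silent" and a protocol-specific probe is needed.
BANNER_PATTERNS = (
    ("ssh", re.compile(
        r"^SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)_(?P<version>[\w.]+)(?:\s+(?P<os>.+))?$")),
    ("smtp", re.compile(
        r"^220[ -](?P<host>\S+)\s+ESMTP\s+(?P<product>\S+)(?:\s+(?P<version>[\d.]+))?", re.I)),
)


def probe(host, port, timeout=0.5):
    """TCP connect to host:port and read whatever the service volunteers.

    Returns None if the port is closed or filtered, '' if it is open but
    silent within the timeout, otherwise the first line the service sent.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(1024)
            except socket.timeout:
                return ""
    except OSError:
        return None
    return data.decode("ascii", errors="replace").splitlines()[0].strip() if data else ""


def fingerprint(banner):
    """Map a banner to service/product/version/OS hints (the fingerprinting step)."""
    for service, pattern in BANNER_PATTERNS:
        m = pattern.match(banner)
        if m:
            return {"service": service, **{k: v for k, v in m.groupdict().items() if v}}
    return {"service": "unknown", "raw": banner}


def connect_scan(host, ports, timeout=0.5):
    """Full TCP connect scan; each open port maps to its fingerprint."""
    results = {}
    for port in ports:
        banner = probe(host, port, timeout)
        if banner is None:
            continue  # closed or filtered: not part of the exposed attack surface
        results[port] = fingerprint(banner) if banner else {"service": "open-silent"}
    return results


def start_fake_service(banner):
    """Loopback listener greeting each client with `banner` (b'' means silent).

    A stand-in for a real target so the scan can run offline.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener shut down by stop_fake_service
                return
            with conn:
                if banner:
                    conn.sendall(banner)
                else:
                    try:
                        conn.recv(1)  # silent service: say nothing until the client gives up
                    except OSError:
                        pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def stop_fake_service(srv):
    try:
        srv.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept()
    except OSError:
        pass
    srv.close()


def run_demo():
    """Scan three constructed 'hosts' plus one closed port and return the findings."""
    servers = [start_fake_service(b) for b in (FAKE_SSH_BANNER, FAKE_SMTP_BANNER, b"")]
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # nothing listens here any more, so connects are refused
    ports = [p for _, p in servers] + [closed_port]
    try:
        found = connect_scan("127.0.0.1", ports)
    finally:
        for srv, _ in servers:
            stop_fake_service(srv)
    return {"ssh": found.get(ports[0]), "smtp": found.get(ports[1]),
            "quiet": found.get(ports[2]), "closed": found.get(closed_port)}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Against a real target the same loop is what a full-port sweep looks like from the wire: one connection per port, which is exactly the noise that a firewall or IDS counts. The "open-silent" result is the reminder that banner grabbing alone does not identify every service.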
7. Target system selection. Identify the most useful target(s).
8. Exploiting the uncovered vulnerabilities. Execute the appropriate attack tools against the suspected exposures:
• Some may not work.
• Some may kill services or even kill the server.
• Some may be successful.
9. Escalation of privilege. Escalate the security context so the ethical hacker has more control:
• Gaining root or administrative rights
• Reusing cracked passwords to reach additional accounts and systems
• Exploiting a local buffer overflow to turn limited remote access into full local control
10. Documentation and reporting. Document everything found: how it was found, the tools that were used, the vulnerabilities that were exploited, the timeline of activities, and the successes and failures.
Unethical vs Ethical Hackers: What's the Difference?
1. Target selection
• The motivation is a grudge, fun, or profit.
• There are no ground rules, no hands-off targets, and the white team is definitely blind to the upcoming attack.
2. Intermediaries
• The attacker launches his attack from a different system (intermediary) than his own to make tracking back to him more difficult in case the attack is detected.
• There may be several layers of intermediaries between the attacker and the victim.
• Intermediaries are often victims of the attacker as well.
3. Next, the attacker proceeds through the same technical steps described
previously:
• Passive scanning
• Active scanning
• Attack surface enumeration (footprinting)
• Fingerprinting
• Target system selection
• Exploiting the uncovered vulnerabilities
• Escalation of privilege
4. Preserving access
• This involves uploading and installing a rootkit, backdoor, Trojan’ed applications, and/or bots to assure that the attacker can regain access at a later time.
5. Covering his tracks
• Scrubbing event and audit logs
• Hiding uploaded files
• Hiding the active processes that allow the attacker to regain access
• Disabling messages to security software and system logs to hide malicious processes and actions
6. Hardening the system
• After taking ownership of a system, an attacker may fix the open vulnerabilities so no other attacker can use the system for other purposes.
How the attacker uses the compromised systems depends upon what his overall
goals are, which could include stealing sensitive information, redirecting financial transactions, adding the systems to his bot network, extorting a company, etc.
The crux is that ethical and unethical hackers carry out basically the same activities
only with different intentions. If the ethical hacker does not identify the hole in the
defenses first, the unethical hacker will surely slip in and make himself at home.
Setting the Stage
Understanding all the various players and positions in the world of hacking and penetration testing is central to comprehending the big picture. Let us start by painting the picture with broad brush strokes. Please understand that the following is a gross oversimplification; however, it should help you see the differences between the various groups of people involved.
It may help to consider the Star Wars universe where there are two sides of the “force”: Jedis and Siths. Good vs Evil. Both sides have access to an incredible power. One side uses its power to protect and serve, whereas the other side uses it for personal gain and exploitation.
Learning to hack is much like learning to use the force (or so I imagine!). The more you learn, the more power you have. Eventually, you will have to decide whether you will use your power for good or bad. There is a classic poster from the Star Wars Episode I movie that depicts Anakin as a young boy. If you look closely at Anakin’s shadow in the poster, you will see it is the outline of Darth Vader. Try searching the Internet for “Anakin Darth Vader shadow” to see it.
Understanding why this poster has appeal is critical. As a boy, Anakin had no aspirations of becoming Darth Vader, but it happened nonetheless.
It is probably safe to assume that very few people get into hacking to become a super villain. The problem is that the journey to the dark side is a slippery slope. However, if you want to be great, have the respect of your peers, and be gainfully employed in the security workforce, you need to commit yourself to using your powers to protect and serve. Having a felony on your record is a one-way ticket to another profession. It is true that there is currently a shortage of qualified security experts, but even so, not many employers today are willing to take a chance, especially if those crimes involve computers. The rules and restrictions become even more stringent if you want a computer job which requires a security clearance.
In the pen testing world, it is not uncommon to hear the terms “white hat” and “black hat” to describe the Jedis and Siths. The terms “white hat”, “ethical hacker”, or “penetration tester” will be used interchangeably to describe the Jedis or good guys. The Siths will be referred to as “black hats”, “crackers”, or “malicious attackers”.
It is important to note that ethical hackers complete many of the same activities with many of the same tools as malicious attackers. In nearly every situation, an ethical hacker should strive to act and think like a real black hat hacker. The closer the penetration test simulates a real-world attack, the more
value it provides to the customer paying for the penetration testing (PT).
Please note how the previous paragraph says “in nearly every situation”. Even though white hats complete many of the same tasks with many of the same tools, there is a world of difference between the two sides. At their core, these differences can be boiled down to three key points: authorization, motivation, and intent. It should be stressed that these points are not all inclusive, but they can be useful in
determining if an activity is ethical or not.
The first and simplest way to differentiate between white hats and black hats is authorization. Authorization is the process of obtaining approval before conducting any tests or attacks. Once authorization is obtained, both the penetration tester and the company being audited need to agree upon the scope of the test. The scope includes specific information about the resources and systems to be included in the test. The scope explicitly defines the authorized targets for the penetration tester. It is important that both sides fully understand
the authorization and scope of the PT. White hats must always respect the authorization and remain within the scope of the test. Black hats will have no such constraints on the target list.
ADDITIONAL INFORMATION
Clearly defining and understanding the scope of the test is crucial. The scope formally defines the rules of engagement for both the penetration tester and the client. It should include a target list as well as specifically listing any systems or attacks which the client
does not want to be included in the test. The scope should be written down and signed by authorized personnel from both the testing team and the client. Occasionally, the scope will need to be amended during a penetration test. When this occurs, be sure to update the scope and have both parties sign it again before proceeding to test the new
targets.
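The ground rules in the methodology above (testing window, hands-off systems, signed agreement) and the scope box here are the things a tester checks before every probe, and they are easy to encode. The following is an added example, not code from the original text: a scope check that refuses a target outside the window, inside an excluded range, or outside the agreed networks, plus an amendment step that insists on both signatures. The ranges, dates and signatory names are invented for the example; a real engagement takes them from the signed document.

```python
import ipaddress
from datetime import datetime

# Constructed, hypothetical rules of engagement. The signed agreement is the real
# source of truth; every value here is invented for the example.
RULES_OF_ENGAGEMENT = {
    "in_scope":  ["203.0.113.0/24", "198.51.100.10"],  # TEST-NET ranges, hypothetical
    "hands_off": ["203.0.113.250"],                     # e.g. a production database the client excluded
    "window_start": "2024-03-04T08:00:00+00:00",        # ISO 8601 with explicit UTC offset
    "window_end":   "2024-03-08T18:00:00+00:00",
    "signatures": {"client": "J. Doe (CIO)", "tester": "A. Tester (Lead)"},
}


def _networks(entries):
    # strict=False accepts a bare address as well as a CIDR block with host bits set
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_authorized(target, when_iso, roe=RULES_OF_ENGAGEMENT):
    """Return (allowed, reason) for touching `target` at time `when_iso`.

    `target` must be an IP address: resolve hostnames first, and remember that a
    name may resolve to an address the client never put in scope. Checks run in
    the order a tester should think about them: is the agreement signed, is it
    the right time, is the host explicitly excluded, is it explicitly included.
    Exclusions always win over inclusions.
    """
    ip = ipaddress.ip_address(target)
    when = datetime.fromisoformat(when_iso)
    start = datetime.fromisoformat(roe["window_start"])
    end = datetime.fromisoformat(roe["window_end"])
    if not roe["signatures"].get("client") or not roe["signatures"].get("tester"):
        return False, "agreement not signed by both parties"
    if not start <= when <= end:
        return False, "outside testing window"
    if any(ip in net for net in _networks(roe["hands_off"])):
        return False, "explicitly hands-off"
    if not any(ip in net for net in _networks(roe["in_scope"])):
        return False, "not in scope"
    return True, "authorized"


def amend_scope(roe, new_target, client_sig, tester_sig):
    """Add a target mid-engagement; refuses unless both parties sign again.

    Returns a new rules-of-engagement dict and leaves the original untouched,
    so the earlier signed version remains available as a record.
    """
    if not client_sig or not tester_sig:
        raise ValueError("scope amendment requires signatures from both client and tester")
    ipaddress.ip_network(new_target, strict=False)  # validate before recording it
    return {**roe,
            "in_scope": roe["in_scope"] + [new_target],
            "signatures": {"client": client_sig, "tester": tester_sig}}


if __name__ == "__main__":
    for host in ("203.0.113.5", "203.0.113.250", "192.0.2.1"):
        print(host, is_authorized(host, "2024-03-05T10:00:00+00:00"))
```

Wiring a check like this in front of a scanner or exploit runner is cheap insurance: the tester who types a typo'd address gets a refusal instead of a call from an unamused third party.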
The second way to differentiate between an ethical hacker and a malicious hacker is through examination of the attacker’s motivation. If the attacker is motivated or driven by personal gain, including profit through extortion or other devious methods of collecting money from the victim, revenge, fame, or the like, he or she should be considered a black hat. However, if the attacker is preauthorized and his or her motivation is to help the organization and improve their security, he or she can be considered a white hat. A black hat may also devote far more time to a single organization than a tester can. In most cases a PT lasts from one week to several weeks, so within the time allotted a white hat may not uncover the more advanced, time-intensive exposures that a patient attacker would eventually find.
Finally, if the intent is to provide the organization a realistic attack simulation
so that the company can improve its security through early discovery and mitigation of vulnerabilities, the attacker should be considered a white hat. It is also important to comprehend the critical nature of keeping PT findings confidential. Ethical hackers will never share sensitive information discovered
during the process of a penetration testing with anyone other than the client. However, if the intent is to leverage information for personal profit or gain, the attacker should be considered a black hat.
It is also important to understand that not all penetration tests are carried out in the same manner or have the same purpose. White box penetration testing, also known as “overt” testing, is very thorough and comprehensive. The goal of the test is to examine every nook and cranny of the target’s system or network.
This type of test is valuable in assessing the overall security of an organization because stealth is not a concern. By disregarding stealth in favor of thoroughness, the penetration tester is often able to discover more vulnerabilities.
The downside to this type of test is that it does not provide a very accurate simulation of how most modern day, skilled attackers exploit networks. It also does not provide a chance for the organization to test its incident response or
early-alert systems. Remember, the tester is not trying to be stealthy. The tester is attempting to be thorough.
Black box penetration testing, also known as “covert” testing, employs a significantly different strategy. A black box test is a much more realistic simulation of the way a skilled attacker would attempt to gain access to the target systems and network. This type of test trades thoroughness and the ability to detect multiple vulnerabilities for stealth and pin-point precision. Black box testing typically only requires the tester to locate and exploit a single vulnerability. The benefit of this type of test is that it more closely models how a real-world attack takes place. Not many attackers today will scan all 65,535 ports on a target. Doing so is loud and will almost certainly be detected by firewalls and intrusion detection systems. Skilled malicious hackers are much more discreet. They may only scan a single port or interrogate a single service to find a way of compromising and owning the target. Black box testing also has the advantage of allowing a company to test its incident response procedures and to determine if their defenses are capable of detecting and stopping a targeted attack.
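The detection side of this trade-off is easy to make concrete. The following is an added example, not code from the original text: a simple port-scan detector of the kind an IDS or firewall applies, run over constructed connection-log lines for three sources: a loud full sweep, a slow scan that spreads its probes out, and a black-box style single probe of one service. The log format, the addresses and the thresholds are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Parse one constructed log line: '<ISO timestamp> <src> -> <dst ip>:<port> SYN'."""
    ts, src, _arrow, dst, _flags = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)


def detect_port_scans(lines, window_s=60, threshold=20):
    """Flag any source that touches at least `threshold` distinct destination
    ports within a sliding window of `window_s` seconds.

    Returns {src: (timestamp of first alert, distinct ports seen in the window)}.
    """
    events = sorted(parse_line(line) for line in lines)
    recent = defaultdict(deque)  # src -> (timestamp, port) pairs still inside the window
    alerts = {}
    for ts, src, _dst_ip, port in events:
        q = recent[src]
        q.append((ts, port))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (ts.isoformat(), len(distinct))
    return alerts


def build_sample_log():
    """Constructed traffic (not a real capture) toward a hypothetical target 198.51.100.10."""
    t0 = datetime(2024, 3, 5, 10, 0, 0)
    target = "198.51.100.10"

    def line(ts, src, port):
        return f"{ts.isoformat()} {src} -> {target}:{port} SYN"

    log = []
    # Background: ordinary clients on the public web ports, two ports at most per source
    for i in range(40):
        log.append(line(t0 + timedelta(seconds=3 * i), f"192.0.2.{i % 7 + 1}", 443 if i % 3 else 80))
    # 1. Loud, white-box style sweep: 200 ports in ten seconds from one source
    for i in range(200):
        log.append(line(t0 + timedelta(milliseconds=50 * i), "203.0.113.9", 1 + i))
    # 2. Slow scan: 30 ports, one probe every two minutes, spread over an hour
    for i in range(30):
        log.append(line(t0 + timedelta(minutes=2 * i), "203.0.113.40", 8000 + i))
    # 3. Black-box style: a single connection to the one service the attacker cares about
    log.append(line(t0 + timedelta(minutes=17), "203.0.113.77", 443))
    return log


def run_demo():
    """Same log under a 60-second window and under a one-hour window."""
    log = build_sample_log()
    return {"short_window": detect_port_scans(log, window_s=60),
            "long_window": detect_port_scans(log, window_s=3600)}


if __name__ == "__main__":
    for name, alerts in run_demo().items():
        print(name, alerts)
```

With the default one-minute window only the loud sweep is flagged; the slow scanner stays under the threshold because its probes never share a window, and the single probe generates nothing to count. Widening the window to an hour catches the slow scan too, at the cost of more state per source and more false positives from busy legitimate clients. The single-port probe is invisible to a counter like this under any window, which is precisely why the text says that detecting a targeted attack needs the incident-response exercise a covert test provides rather than scan thresholds alone.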