Penetration Testing
Vulnerability Scanning & Penetration Testing
Most responsible organizations conduct network vulnerability scans on a quarterly or annual basis. Vulnerability scans help an organization understand key network vulnerabilities at a point in time.
While a vulnerability scan cannot substitute for an overall IT security review, it is important to scan at a regular frequency to assess whether any changes made to the organization's computers and network since the last scan have introduced vulnerabilities or security holes into the organization's infrastructure.
We perform internal as well as external network scans to help you understand the security position of your organization's network.
Methodology
BizTech’s test methodology not only results in a thorough test of the entire target environment but also in a detailed deliverable with both tactical and strategic recommendations. These recommendations are both actionable and advisory in nature, and remain correlated to our client’s business goals throughout.
The core ideal around our methodology is to organize and to iteratively test the target environment from the most general components to the most specific. In a large complex corporate environment, this is from the external network blocks presented to us at the beginning of the engagement down to the specific security controls utilized by external facing applications.
The entire testing process is primarily manual, to limit the generic results produced by scanners and the checklist methods used in general vulnerability assessment. In this way BizTech can focus the engagement on directed, attack-logic-based testing against systems and networks. Some tools used by our expert teams during penetration tests include (but are in no way limited to):
Open Source
− netcat / socat
− wget
− hping
− nmap
− paros
− nikto
− BackTrack
− Metasploit
− many others
Zero-Day
− Exploit source code and scripts modified by BizTech and derived from ones found on security underground websites, chat rooms and FTP sites
Custom Developed
− Modified exploits or custom developed scripts to automate a specific process during the engagement
− Manual application exploit tests that cannot be achieved via automated tools
The BizTech security team evaluates numerous tools each year. Many that prove useful and reliable are added to our main penetration testing tool chest. However, the tools that the team selects for our tool belt when engaged on a vulnerability and penetration test are chosen to accomplish the specific job at hand. Every tool used on a penetration test has been tested at BizTech prior to its use on a client engagement. To visually depict our methodology for penetration testing, we have provided a process flow diagram. This diagram is shown on the next page, followed by a narrative of each step.
Penetration Test Process Flow
Although we take precautions to minimize the negative impact on client systems, we do not guarantee against service interruptions, due to the inherent risk of such testing that could result from unpatched systems, unique system configurations and other such issues. We also recommend the establishment of incident response procedures in the event of any adverse impact or disruption of network services. CLIENT assumes full responsibility to back up and/or otherwise protect its data against loss, damage or destruction prior to and during all phases of the proposed services, and to take appropriate measures to respond to any adverse impact on the systems or disruption of service.
Network Mapping
In the process of moving from general to specific, building an accurate network map of the externally facing devices is a critical task at the beginning of the penetration test. To support this, in many cases BizTech will obtain the network blocks from the client. This is typically in the form of a block of Internet addresses provided by one or many Internet Service Providers (ISPs). These addresses are then probed to see if they are in use (not for vulnerabilities at this time). The probes are executed 3 times at different intervals during the first part of the engagement to ensure that no system is missed. The data gathered is used to create a network map of the external environment.
System Identification & Classification
The network map would not be very useful if the systems located on the network were not identified and classified. Another probe is performed against the systems identified, this time using TCP fingerprinting, service fingerprinting, and various other methods to identify and classify systems and services. The data gathered is used to classify the systems by function. For example, a system running a particular version of the Apache Web Server as well as BEA WebLogic is most likely a web application server. After each system is classified, the network map is updated to reflect each system’s function and operating system. Before the next testing steps begin, BizTech will debrief the client’s key security contacts on specific system findings and the intended target list to be used in the attack phase.
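The two mapping steps above (repeated liveness sweeps merged into one map, then classification of each live host by its service fingerprints) can be made concrete in a few dozen lines. The script below is an added illustration, not BizTech's tooling; the addresses, sweep results, banners and role labels are constructed, and the data layout is this example's own assumption. It shows why the sweep is repeated: a host that only answers intermittently still lands on the map, and is marked as such.

```python
"""Merge repeated discovery sweeps and classify hosts by service fingerprint.

Added illustration, not BizTech's tooling. Sweep results, addresses and
banners are constructed; the data layout and role labels are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Service:
    port: int
    banner: str  # service fingerprint as a scanner would report it


@dataclass
class Host:
    address: str
    os_guess: str  # result of TCP fingerprinting (assumed already collected)
    services: list = field(default_factory=list)


# Constructed: the same address block probed three times at different
# intervals. 10.0.0.40 answered only during the second sweep.
SWEEPS = [
    {"10.0.0.10", "10.0.0.20", "10.0.0.30"},
    {"10.0.0.10", "10.0.0.20", "10.0.0.40"},
    {"10.0.0.10", "10.0.0.30"},
]

# Constructed: fingerprints gathered for the live hosts.
FINGERPRINTS = {
    "10.0.0.10": Host("10.0.0.10", "Linux 2.6.x", [
        Service(80, "Apache httpd 2.2.15"),
        Service(7001, "Oracle WebLogic Server 10.3"),
    ]),
    "10.0.0.20": Host("10.0.0.20", "Windows Server 2008", [
        Service(1433, "Microsoft SQL Server 2008"),
    ]),
    "10.0.0.30": Host("10.0.0.30", "Linux 2.6.x", [Service(25, "Postfix smtpd")]),
    "10.0.0.40": Host("10.0.0.40", "unknown", [Service(22, "OpenSSH 5.3")]),
}


def merge_sweeps(sweeps):
    """A host that answered in any sweep stays on the map (union of sweeps)."""
    live = set()
    for sweep in sweeps:
        live |= sweep
    return live


def intermittent_hosts(sweeps):
    """Hosts missing from at least one sweep; these deserve a note on the map."""
    return {h for h in merge_sweeps(sweeps) if any(h not in s for s in sweeps)}


def _banners(host):
    return " ".join(s.banner.lower() for s in host.services)


# Classification rules, most specific first; the first match wins.
RULES = [
    (lambda h: "apache" in _banners(h) and "weblogic" in _banners(h),
     "web application server"),
    (lambda h: any(s.port in (80, 443) for s in h.services), "web server"),
    (lambda h: any(s.port in (1433, 1521, 3306, 5432) for s in h.services),
     "database server"),
    (lambda h: any(s.port == 25 for s in h.services), "mail server"),
    (lambda h: any(s.port == 53 for s in h.services), "DNS server"),
]


def classify_host(host):
    """Return the functional role implied by the host's services."""
    for matches, role in RULES:
        if matches(host):
            return role
    return "unclassified"


def build_network_map(sweeps, fingerprints):
    """Map address -> (OS guess, role, seen in every sweep) for the live hosts."""
    flaky = intermittent_hosts(sweeps)
    network_map = {}
    for address in sorted(merge_sweeps(sweeps)):
        host = fingerprints.get(address, Host(address, "unknown"))
        network_map[address] = (host.os_guess, classify_host(host), address not in flaky)
    return network_map


if __name__ == "__main__":
    for address, (os_guess, role, stable) in build_network_map(SWEEPS, FINGERPRINTS).items():
        print(f"{address:12} {os_guess:22} {role:24} {'stable' if stable else 'intermittent'}")
```

The rule table is deliberately ordered from most to least specific, so a host whose banners show both Apache and WebLogic is reported as an application server rather than a plain web server; the "intermittent" flag is the reason the debrief target list should be built from the merged map rather than from any single sweep.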
System Tests
System Vulnerability Identification
Each host and all associated listening services to be targeted for the test are probed, singularly and in tandem with the other hosts, to locate potential vulnerabilities. Using a large working knowledge of exploit techniques, public information, and the results of private vulnerability research, the BizTech consultants catalog all the potential attack vectors that might be exploitable. BizTech consultants then devise several attack strategies and commence exploitation.
System Vulnerability Exploitation
If the plan of attack devised in the previous step includes any techniques that may impact production systems and infrastructure, the client is first advised of the possible system downtime that may arise. At this point it is up to the client to decide whether or not to proceed with the exploitation. As a rule, any potential vulnerability found is manually investigated and researched, and an attempt is made to exploit it. Exceptions to this rule are techniques that will cause a denial of service (DoS) or harm the data on the target system. BizTech will only attempt to exploit a denial of service, or alter data on a target, if specifically instructed by the client in writing. In exploiting a vulnerability, BizTech will attempt either to gain unauthorized access to the target system or to extract sensitive data from it. An exploit is considered successful if we were able to achieve either of these objectives. As successful exploitation leads to system compromise, BizTech consultants will report the breach to the client’s key security personnel immediately.
Web Application Tests
Introduction
Web application tests include SQL Injection (SQLi), Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Session Hijacking, Forced Browsing, Privilege Escalation, URL Mangling, weak cryptographic storage and transport, etc., as defined in the OWASP and CWE/SANS documentation and elsewhere.
The high level steps in testing web application security include:
1. Manually exercising the application’s functionality through a local security proxy (this also identifies passive security issues);
2. Crawling the application’s pages to identify additional pages that may have been missed in step 1;
3. Scanning the pages identified in steps 1 and 2 for the web application security issues mentioned above (active security scanning);
4. Testing the vulnerabilities identified in step 3 to weed out false positives;
5. Manual testing to identify additional issues that may have been missed, or that cannot be tested for by the automated tools.
Application Architecture Identification
Using the classifications previously established, BizTech will use tools and manual intervention to identify the specific applications running on each of the systems. When an application server is identified, other systems will be identified within an application server group. This grouping will help identify potential flaws in application trust relationships. This information is vital to the successful identification of application vulnerabilities. In addition to identifying purposeful applications, BizTech will attempt to discover Trojans and backdoors that may be present in the environment.
Application Exploitation
Before any application exploitation occurs, BizTech will debrief the client’s key security contacts on the application architectures identified. BizTech will explain the plan of attack for each system and which techniques will be used. At this point, the client will sign off on application exploitation. If the system is a production system, the client will be advised of the possible system downtime that may arise. At this point it is up to the client to decide whether or not to proceed with the exploitation. Each system will be attacked with many different types of application vulnerability testing techniques. These tests include but are not limited to:
Identity management process testing (user registration, de-registration, etc.)
Authentication Testing
Authorization Testing
Session Management Testing (e.g. CSRF, Cookie attributes, Session timeout, etc.)
Input Validation
Buffer Overflow
Cross Site Scripting
URL Manipulation
SQL Injection
Hidden Variable Manipulation
Cookie Modification
Error, Exception Handling and Logging
Client Side Testing – Execution of Code on the client (DOM based cross site scripting, JavaScript execution, HTML injection, URL redirect, Clickjacking, etc.)
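The "passive security issues" picked up in step 1 of the web application test, and the cookie-attribute part of Session Management Testing above, are largely a matter of reading the response headers the local proxy has already captured. The script below is an added illustration, not BizTech's tooling: it audits captured Set-Cookie headers for the Secure, HttpOnly and SameSite attributes and notes the absence of Strict-Transport-Security on HTTPS responses. The captured responses are constructed, and the severity and finding labels are this example's own convention.

```python
"""Passive session-management check over captured HTTP responses.

Added illustration, not BizTech's tooling. The captured responses are
constructed; the finding labels and severities are this example's convention.
"""

# Constructed: responses as a local proxy might record them while the
# application's functionality is exercised by hand.
CAPTURED = [
    {"url": "https://app.example.test/login",
     "headers": [("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),
                 ("Strict-Transport-Security", "max-age=31536000")]},
    {"url": "https://app.example.test/account",
     "headers": [("Set-Cookie", "prefs=dark; Path=/; Secure; SameSite=Lax"),
                 ("Set-Cookie", "session=xyz789; Path=/; Secure; HttpOnly; SameSite=Strict")]},
    {"url": "https://app.example.test/sso",
     "headers": [("Set-Cookie", "auth_token=t0k3n; Path=/; SameSite=None"),
                 ("Strict-Transport-Security", "max-age=31536000")]},
]

# Name fragments that usually mark a cookie as carrying session state.
SESSION_NAME_HINTS = ("session", "sess", "sid", "auth", "token")


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True  # flag attributes such as Secure, HttpOnly
    return name, attrs


def is_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_cookie(value):
    """Return (name, is_session, [issues]) for one Set-Cookie value."""
    name, attrs = parse_set_cookie(value)
    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly")
    if "samesite" not in attrs:
        issues.append("missing SameSite")
    elif attrs["samesite"].lower() == "none" and "secure" not in attrs:
        # Browsers reject SameSite=None cookies that are not also Secure.
        issues.append("SameSite=None without Secure")
    return name, is_session_cookie(name), issues


def audit_response(response):
    """Findings for one response as (cookie name or '(response)', severity, issue)."""
    findings = []
    for header, value in response["headers"]:
        if header.lower() == "set-cookie":
            name, session, issues = audit_cookie(value)
            severity = "high" if session else "low"
            findings.extend((name, severity, issue) for issue in issues)
    has_hsts = any(h.lower() == "strict-transport-security" for h, _ in response["headers"])
    if response["url"].lower().startswith("https://") and not has_hsts:
        findings.append(("(response)", "medium", "missing Strict-Transport-Security"))
    return findings


def audit_capture(responses):
    """Aggregate findings across the whole capture, keyed by URL."""
    report = {}
    for response in responses:
        findings = audit_response(response)
        if findings:
            report[response["url"]] = findings
    return report


if __name__ == "__main__":
    for url, findings in audit_capture(CAPTURED).items():
        print(url)
        for name, severity, issue in findings:
            print(f"  [{severity}] {name}: {issue}")
```

Findings on cookies whose names suggest session state are rated higher than the same omission on a preference cookie, which is the kind of distinction step 4 (weeding out false positives) relies on before an automated finding is carried into the report.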
System Compromise
As systems are compromised, the client’s key security contacts will be notified. At this time, the client contacts are given the opportunity to decide if the particular system should undergo additional tests. If they decide to have BizTech continue, additional techniques will be used to further penetrate the target system and the environment as a whole. This can include password cracking tools, a network sniffer, remote management tools, etc. Successful execution establishes a launch point for additional attacks against the environment.
Data Extraction
Each system that is compromised will be examined for the existence of critical data and files. If BizTech finds such data to be accessible, a sample of this data will be downloaded from the system and securely stored by BizTech until the presentation of deliverables.
Further Compromise
Once a system has been compromised, there are many trust relationships that can potentially be exploited, or data exposed through the compromise might lead to the compromise of additional systems and applications. Using both the data gathered and techniques similar to those used to develop the network map and system classification, BizTech will launch a new stage of discovery against the environment. For example, suppose a web server is compromised and this system is allowed to access a system on the internal network for data storage and retrieval. The internal server can potentially be compromised if vulnerabilities exist that can be exploited from the web server.
Report Development & Delivery
By the completion of each stage of the test, the following deliverables will be developed and delivered to the client in draft form to solicit comments:
System and Application Exploitation Results
Tactical and Strategic Recommendations
Once a final deliverable has been developed, it will be presented to the client in the form of an engagement close-out presentation. Separate presentations for both management and technical groups can be given at the client’s request.
Internal Penetration Testing Overview
The objective of an internal penetration test is to determine whether the current security controls are vulnerable to an actionable attack from an attacker who has gained access to the internal network either physically or virtually, and to determine the risk of an insider attempting to gain unauthorized access. This level of testing validates corporate security policy and development standards by attempting to identify how resilient the internal-facing application is to determined attackers. The product of an internal test is a report that documents the web application’s existing security posture, identifies specific weaknesses and vulnerabilities, and makes recommendations for their remediation.
Benefits of an internal penetration test include:
Identification of the internal facing web application’s exposure to security risks.
Identification of specific vulnerabilities affecting the network, as it pertains to the in-scope web application.
Validation and verification of existing web application security controls, policies and procedures by impartial, third-party experts.
The following illustrates some of the different vulnerability classes BizTech covers during an internal penetration test. This list is not intended to be exhaustive and the actual testing performed depends on the specifics of the organization being tested.
Layer 2 Attacks
VLAN Hopping
ARP Cache Poisoning
Insufficient Segmentation and Access Control
Exploitation of weaknesses within the switched architecture related to trunking, STP, or failover protocols
Layer 3 Attacks
IP redirection
Session Hijacking
Session Replay
Password capture
Network / Operating System Layer Attacks
Network Hash Passing
Exploitation of DHCP weaknesses
Microsoft, Novell, Unix weaknesses
Logical Attacks
Abuse of Functionality
Cryptography
Algorithm
Key Management
Data Protection
Transport
Storage
Buffer Overflow
Stack-based
Heap-based
Format String
Protocol Fuzzing
Internal Penetration Testing Approach
All testing phases will be coordinated with Client to minimize any adverse impact that may occur as a result of the services. We strongly recommend full disclosure of the testing to all individuals responsible for the network and related services and devices. Although we take precautions to minimize the negative impact on client systems, we do not guarantee against service interruptions, due to the inherent risk of such testing that could result from unpatched systems, unique system configurations, and other such issues. We also recommend the establishment of incident response procedures in the event of any adverse impact or disruption of network services. Client assumes full responsibility to back up and/or otherwise protect its data against loss, damage or destruction prior to and during all phases of the proposed services, and to take appropriate measures to respond to any adverse impact on the systems or disruption of service.
Reconnaissance
Network Mapping
In the process of moving from general to specific, building an accurate network map of the devices is a critical task at the beginning of the penetration test. To support this, in many cases BizTech will obtain the internal IP address space passively through manual investigation and traffic captures performed on the internal network. Findings such as network broadcasting, dynamic routing updates, CDP messages, SNMP polling and the like can provide much information about the network topology. Later, more active techniques are utilized such as layer 2 (ARP) pings of the local net, up to and including port scanning of more remote internal segments. At the end of this phase, BizTech will have built a fairly comprehensive logical map of the internal network environment.
System Identification & Classification
The network map would not be very useful if the systems located on the network were not identified and classified. Another probe is performed against the systems identified, this time using TCP fingerprinting, service fingerprinting, and various other methods to identify and classify systems and services. The data gathered is used to classify the systems by function. For example, a system running a particular version of the Apache Web Server as well as BEA WebLogic is most likely a web application server. After each in-scope system is classified, the network map is updated to reflect each system’s function and operating system. Before the next testing steps begin, BizTech will debrief the client’s key security contacts on specific system findings and the intended target list to be used in the attack phase.
Network Tests
Low Level Network Testing
BizTech will take a holistic look at the discovered network architecture and attempt to bypass controls such as switched networks, VLANs, segmentation, ACLs, internal firewalls, and 802.1X (NAC) authentication mechanisms, using layer 2 attacks such as ARP cache poisoning and VLAN hopping, or low-layer attacks involving dynamic failover protocols, multicast groups, VLAN and dynamic trunking, and other techniques.
This stage of testing is aimed at gathering vital information that may help a BizTech consultant (and ultimately an attacker) in compromising internal systems and applications.
System Tests
System Vulnerability Identification
Each host (for the system(s) and application(s) in scope) and all associated listening services to be targeted for the test are probed, singularly and in tandem with the other hosts, to locate potential vulnerabilities. Using a large working knowledge of exploit techniques, public information, and the results of private vulnerability research, the BizTech consultants catalog all the potential attack vectors that might be exploitable. BizTech consultants then devise several attack strategies and commence exploitation.
System Vulnerability Exploitation
If the plan of attack devised in the previous step includes any techniques that may impact production systems and infrastructure, the client is first advised of the possible system downtime that may arise. At this point it is up to the client to decide whether or not to proceed with the exploitation. As a rule, any potential vulnerability found is manually investigated and researched, and an attempt is made to exploit it. Exceptions to this rule are techniques that will cause a denial of service (DoS) or harm the data on the target system. BizTech will only attempt to exploit a denial of service, or alter data on a target, if specifically instructed by the client in writing. In exploiting a vulnerability, BizTech will attempt either to gain unauthorized access to the target system or to extract sensitive data from it. An exploit is considered successful if we were able to achieve either of these objectives. As successful exploitation leads to system compromise, BizTech consultants will report the breach to the client’s key security personnel immediately.
Application Tests
Application Architecture Identification
Using the classifications previously established, BizTech will use tools and manual intervention to identify the specific in-scope applications. When an application server is identified, other systems will be identified within an application server group. This grouping will help identify potential flaws in application trust relationships. This information is vital to the successful identification of application vulnerabilities. In addition to identifying purposeful applications, BizTech will attempt to discover Trojans and backdoors that may be present in the environment.
Application Exploitation
Before any application exploitation occurs, BizTech will debrief the client’s key security contacts on the application architectures identified. BizTech will explain the plan of attack for each system and which techniques will be used. At this point, the client will sign off on application exploitation. If the system is a production system, the client will be advised of the possible system downtime that may arise. At this point it is up to the client to decide whether or not to proceed with the exploitation. Each in-scope system will be attacked with many different types of application vulnerability testing techniques. These tests include but are not limited to:
Input Validation
Buffer Overflow
Cross Site Scripting
URL Manipulation
SQL Injection
Hidden Variable Manipulation
Cookie Modification
Once Compromised
Data Extraction
Each in-scope system component that is compromised will be examined for the existence of critical data and files. If BizTech finds such data to be accessible, a sample of this data will be downloaded from the system and securely stored by BizTech until the presentation of deliverables.
Further Compromise
Once a system has been compromised, there are many trust relationships that can potentially be exploited, or data exposed through the compromise might lead to the compromise of additional systems and applications. Using both the data gathered and techniques similar to those used to develop the network map and system classification, BizTech will launch a new stage of discovery against the environment. For example, suppose a web server is compromised and this system is allowed to access a system on the internal network for data storage and retrieval. The internal server can potentially be compromised if vulnerabilities exist that can be exploited from the web server.
Internal Penetration Test Reporting
The BizTech team will prepare a formal report with an executive/business discussion and detailed technical findings of the test. The report will detail any identified threat, vulnerability or potential vulnerability, as well as recommendations for countermeasures to eliminate or mitigate these risks. Wherever possible, the report will recommend the specific security patches, architectural or configuration changes, or procedural changes that may be required. Any vulnerability that the BizTech team uncovers will be ranked according to severity as defined by Client. Any files, passwords, or system information obtained during the assessment will be included as part of the report deliverable. The report will include:
Assessment of the effectiveness of the existing controls both in terms of design and operating effectiveness;
Risks identified;
Security risk mitigation recommendations based on reviews;
Overall risk level rating of the test environment;
Discussion of the test activities performed to arrive at the overall rating.
Getting Started
To get started today with a complimentary requirements discovery session with our security experts, call us at 1-778-381-6074 or send us a message.