What is Penetration Testing?
Penetration testing is using the tools and techniques of malicious attackers to find and exploit weaknesses in a system in order to improve the defensive capabilities of the system. Penetration testing requires curiosity, cleverness, and a willingness to push the limits of what is possible.
Legal Issues in Penetration Testing
There is still a lot of legal grey area with regard to hacking, as evidenced by the Weev and Aaron Swartz cases. Generally, only the owner of a system can legally perform penetration testing against that system. Conducting a penetration test against any other system requires explicit written permission from the system's owner.
A system administrator who wants to conduct a penetration test against his or her own company should get written permission from a C-level executive before beginning any testing. Testing against hosted systems, such as web applications that run on Amazon EC2, Linode, RackSpace, or any other web-hosting provider, requires permission from the owner of the hosting system before testing begins.
Potential Risks for Penetration Testers
First and foremost, penetration testers risk getting fired or serving jail time unless the proper permission is obtained ahead of time. Apart from the personal risk, penetration testing poses an operational risk to the information systems being tested. Penetration testing can disrupt network communications and cause servers and services to become unstable. It is important for the organization to be aware of the potential risks and for the tester to know how to minimize the risks and potential impact of testing.
Core Components Of Penetration Testing
Penetration tests typically cover five major areas: social engineering, physical testing, wireless testing, web application testing, and network testing. A penetration test that addresses all five areas is considered a full scope test; all other tests are considered limited scope.
- Social engineering exploits weaknesses in human behavior to gain access to sensitive information. Typical attacks include phishing and spear phishing via email or text message and pretexting via phone calls.
- Physical testing exploits weaknesses in physical security controls to gain physical access to buildings, data centers, or network closets.
- Wireless testing exploits weaknesses in wireless networking protocols to access the wireless network and the clients using it.
- Web application testing exploits weaknesses in web applications to gain unauthorized access to the underlying database or operating system or to attack other users of the web application.
- Network testing exploits weaknesses in network devices such as routers, switches, servers, and workstations to gain unauthorized access to the devices and data stored on them. This is what people traditionally think of as penetration testing.
The Penetration Testing Mindset
Many penetration testers want to send an exploit to pop a box and call it a day, but a single exploit is rarely enough to achieve the goals of a penetration test. Most penetration testing goals require exploiting multiple weaknesses throughout a system. As an example, a tester may need to compromise an internal user's machine and then pivot through it to get to an internal database. Testers with the one-and-done mindset will often find themselves frustrated and failing to accomplish the goals of the penetration test. Instead, a good tester continually assesses the goals of the test, the information or access level obtained, the information or access level still needed, and how best to obtain what is needed from the current vantage point. An example of the continual assessment mindset is given below.
"Gail needs to access the sensitive data stored in a Microsoft SQL Server. To access the server she wants to get the username and password for a domain administrator account, a SQL admin account, or the sa account. Gail currently has network access to the server and other devices on the network. She attempts to brute force the sa account, which fails. Next, she scans the SQL server and other network devices for exploitable vulnerabilities. The SQL server does not have any exploitable vulnerabilities but another server on the network does. After compromising the other server, she now has access to the hashed password of the local administrator account. She then accesses the SQL server using the local administrator password but still cannot access the data in the SQL server. Fortunately, a SQL admin account was used to run a Windows service. Gail is able to use her administrative access to impersonate the SQL admin's security token and is then able to access the data in the SQL server."
By continually assessing her situation, Gail was able to accomplish her goal even though she did not achieve the goal in the intended manner.
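The first step in Gail's scenario, the failed brute-force attempt against the sa login, is also the noisiest one from the defender's side: by default SQL Server writes every failed login to its ERRORLOG. The following Python snippet is an added example, not part of the course material; it parses constructed log lines in the default ERRORLOG layout and flags any (login, client) pair that produces a burst of failures inside a sliding time window, so a blue team can see what Gail's opening move looks like in telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the default SQL Server ERRORLOG layout
# (assumes the default audit setting, which logs failed logins only).
SAMPLE_LOG = """\
2024-03-01 09:12:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-03-01 09:12:01.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-03-01 09:12:01.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-03-01 09:12:02.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-03-01 09:12:02.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-03-01 09:15:40.00 Logon       Login failed for user 'CORP\\jdoe'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.22]
2024-03-01 09:30:00.00 Logon       Login succeeded for user 'CORP\\svc_sql'. Connection made using Windows authentication. [CLIENT: 10.0.0.9]
"""

# Timestamp, login name and client address of a failed-login line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_failed_logins(text):
    """Yield (timestamp, user, client) for each failed-login line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("user"), m.group("client")

def find_bursts(text, threshold=5, window=timedelta(seconds=60)):
    """Return {(user, client): peak_count} for every source whose failures
    reach `threshold` inside any `window`-long sliding interval. The sa login
    is the page's example target, but the check covers every login name."""
    events = defaultdict(list)
    for ts, user, client in parse_failed_logins(text):
        events[(user, client)].append(ts)
    alerts = {}
    for key, stamps in events.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts

if __name__ == "__main__":
    for (user, client), n in find_bursts(SAMPLE_LOG).items():
        print(f"burst: {n} failed logins for '{user}' from {client}")
```

The threshold and window are assumptions chosen for the sample; in production they would be tuned against the normal failure rate of the instance being monitored.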
This course is not designed to teach a particular penetration testing methodology, but it is important to develop a methodology and use it consistently to ensure each penetration test is thorough and produces consistent results. The Penetration Testing Execution Standard (PTES) is still a work in progress but is a very comprehensive methodology. It was developed by industry-leading practitioners for other practitioners and is aimed at helping companies and individuals conduct high-quality penetration tests. The PTES site includes a lot of documentation and an extensive technical guide. The PTES defines the following methodology.
“Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.”
Threat Modeling is the process of determining which assets are most likely to be attacked, by what method, and the potential impact of the attack. Proper threat modeling requires the tester to define business assets, business processes, threat agents, and threat capabilities.
Vulnerability Analysis is “…the process of discovering flaws in systems and applications which can be leveraged by an attacker.”
Exploitation “…focuses solely on establishing access to a system or resource by bypassing security restrictions.” In some cases the exploit may lead to administrative access to the system and in other cases privilege escalation will be required.
Post Exploitation focuses on "…determin[ing] the value of the machine compromised and … maintain[ing] control of the machine for later use."
Reporting is used to “…communicate to the [organization] the specific goals of the penetration test and the … findings of the testing exercise.” It is important for the report to contain enough information to reproduce the results of the test and to include potential fixes for the identified vulnerabilities.