BackTrack 4: Security with Penetration Testing Methodology


BackTrack 4: Assuring Security by Penetration Testing


A penetration testing methodology defines a roadmap of practical ideas and proven practices that must be followed with great care in order to assess the security of a system correctly. This chapter summarizes each step of the penetration testing methodology with a reasonable description that should help you understand and focus the testing criteria within the BackTrack operating system environment.

Penetration testing can be carried out independently or as part of an IT security risk management process that may be incorporated into a regular development lifecycle (for example, the Microsoft SDLC). It is vital to note that the security of a product not only depends on factors relating to the IT environment, but also relies on product-specific security best practices. This involves implementing appropriate security requirements, performing risk analysis, threat modeling, code reviews, and operational security measurement. PenTesting is considered to be the last and most aggressive form of security assessment, handled by qualified professionals with or without prior knowledge of the system under examination. It can be used to assess all IT infrastructure components, including applications, network devices, operating systems, communication media, physical security, and human psychology. The output of penetration testing is usually a report divided into several sections addressing the weaknesses found in the current state of the system, each followed by countermeasures and recommendations. Thus, the use of a methodological process provides extensive benefits to the pentester in understanding and critically analyzing the integrity of the current defenses during each stage of the testing process.

Types of penetration testing

Although there are different types of penetration testing, the two most general approaches that are widely accepted by the industry are Black-Box and White-Box. These approaches will be discussed in the following sections.

Black-box testing

The black-box approach is also known as external testing. When applying this approach, the security auditor assesses the network infrastructure from a remote location and is not aware of any internal technologies deployed by the organization concerned. By employing a number of real-world hacker techniques and following organized test phases, it may reveal known and unknown vulnerabilities that exist on the network. An auditor dealing with black-box testing is also known as a black-hat. It is important for an auditor to understand and classify these vulnerabilities according to their level of risk (low, medium, or high). Risk in general can be measured according to the threat posed by the vulnerability and the financial loss that would occur following a successful penetration. An ideal penetration tester would make use of any possible information that could lead him to compromise his target. Once the test process is complete, a report is generated with all the necessary information regarding the target security assessment, categorizing the identified risks and translating them into a business context.

White-box testing

The white-box approach is also referred to as internal testing. An auditor involved in this kind of penetration testing should be aware of all the internal and underlying technologies used by the target environment. Hence, it opens a wide gate for an auditor to view and critically evaluate the security vulnerabilities with the minimum possible effort. An auditor engaged in white-box testing is also known as a white-hat. It brings more value to the organization than the black-box approach in the sense that it will eliminate any internal security issues in the target infrastructure environment, thus making it harder for a malicious adversary to infiltrate from the outside. The steps involved in white-box testing are similar to those of black-box testing, except that the target scoping, information gathering, and identification phases can be excluded. Moreover, the white-box approach can easily be integrated into a regular development lifecycle to eradicate possible security issues at an early stage, before they are disclosed and exploited by intruders. The time and cost required to find and resolve the security vulnerabilities are comparatively less than with the black-box approach.

The combination of both types of penetration testing provides powerful insight from internal and external security viewpoints. This combination is known as gray-box testing, and the auditor engaged in gray-box testing is also known as a gray-hat. The key benefit of devising and practicing a gray-box approach is that it offers the advantages of both approaches mentioned earlier. However, it does require an auditor with limited knowledge of the internal system to choose the best way to assess its overall security. On the other hand, the external testing scenarios driven by the gray-box approach are similar to those of the black-box approach itself, but can help in making better decisions and test choices because the auditor is informed and aware of the underlying technology.

Vulnerability assessment versus penetration testing

Since the exponential growth of the IT security industry, there has been wide divergence in how the terminology for security assessment is understood and practiced. This involves commercial companies as well as non-commercial organizations, who frequently misinterpret the terms when contracting for a specific type of security assessment. For this obvious reason, we decided to include a brief description of vulnerability assessment and to differentiate its core features from penetration testing.

Vulnerability assessment is a process for assessing the internal and external security controls by identifying the threats that pose serious exposure to the organization's assets. This technical infrastructure evaluation not only points out the risks in the existing defenses but also recommends and prioritizes the remediation strategies. The internal vulnerability assessment provides assurance for securing the internal systems, while the external vulnerability assessment demonstrates the security of the perimeter defenses. In both testing criteria, each asset on the network is rigorously tested against multiple attack vectors to identify unattended threats and quantify the reactive measures. Depending on the type of assessment being carried out, a unique set of testing processes, tools, and techniques is followed to detect and identify vulnerabilities in the information assets in an automated fashion. This can be achieved by using an integrated vulnerability management platform that manages an up-to-date vulnerability database and is capable of testing different types of network devices while maintaining the integrity of configuration and change management.

A key difference between vulnerability assessment and penetration testing is that penetration testing goes beyond the level of identifying vulnerabilities and hooks into the process of exploitation, privilege escalation, and maintaining access to the target system. On the other hand, vulnerability assessment provides a broad view of any existing flaws in the system without measuring the impact of these flaws on the system under consideration. Another major difference between the two is that penetration testing is considerably more intrusive than vulnerability assessment and aggressively applies all the technical methods to exploit the live production environment, whereas the vulnerability assessment process carefully identifies and quantifies all the vulnerabilities in a non-invasive manner.

Industry perception of these two assessment types often confuses them and uses the terms interchangeably, which is absolutely wrong. A qualified consultant always takes care to work out the best type of assessment based on the client's business requirements rather than misleading them from one to the other. It is also the duty of the contracting party to look into the core details of the selected security assessment program before taking any final decision.

Penetration testing is an expensive service when compared to vulnerability assessment.

Security testing methodologies

Various open source methodologies have been introduced to address security assessment needs. Using these assessment methodologies, one can manage the time-critical and challenging task of assessing the security of a system depending on its size and complexity. Some of these methodologies focus on the technical aspect of security testing, while others focus on managerial criteria, and very few address both sides. The basic idea behind formalizing your assessment with these methodologies is to execute different types of tests step by step in order to judge the security of a system accurately. Therefore, we have introduced four well-known security assessment methodologies to provide an extended view of assessing network and application security by highlighting their key features and benefits. These include:

  • Open Source Security Testing Methodology Manual (OSSTMM)
  • Information Systems Security Assessment Framework (ISSAF)
  • Open Web Application Security Project (OWASP) Top Ten
  • Web Application Security Consortium Threat Classification (WASC-TC)

All of these testing frameworks and methodologies will assist security professionals in choosing the best strategy that fits their client's requirements and in qualifying a suitable testing prototype. The first two provide general guidelines and methods for security testing of almost any information asset. The last two mainly deal with the assessment of the application security domain. It is, however, important to note that security in itself is an on-going process. Any minor change in the target environment can affect the whole process of security testing and may introduce errors in the final results. Thus, before applying any of the above testing methods, the integrity of the target environment should be assured. Additionally, adopting any single methodology does not necessarily provide a complete picture of the risk assessment process. Hence, it is left to the security auditor to select the best strategy that addresses the target testing criteria and remains consistent with its network or application environment.

There are many security testing methodologies which claim to be perfect at finding all security issues, but choosing the best one still requires a careful selection process under which one can determine the accountability, cost, and effectiveness of the assessment at an optimum level. Thus, determining the right assessment strategy depends on several factors, including the technical details provided about the target environment, resource availability, the PenTester's knowledge, business objectives, and regulatory concerns. From a business standpoint, investing blind capital and committing unneeded resources to a security testing process can put the whole business economy in danger.

Open Source Security Testing Methodology Manual (OSSTMM)

The OSSTMM is a recognized international standard for security testing and analysis and is used by many organizations in their day-to-day assessment cycle. It is purely based on the scientific method, which assists in quantifying operational security and its cost requirements in relation to the business objectives. From a technical perspective, its methodology is divided into four key groups, that is, Scope, Channel, Index, and Vector. The scope defines a process of collecting information on all assets operating in the target environment. A channel determines the type of communication and interaction with these assets, which can be physical, spectrum, or communication. Each of these channels depicts a unique set of security components that has to be tested and verified during the assessment period. These components comprise physical security, human psychology, data networks, wireless communication media, and telecommunications. The index is a method which is considerably useful for classifying these target assets according to their particular identifiers, such as MAC address and IP address. Finally, a vector concludes the direction from which an auditor can assess and analyze each functional asset. This whole process initiates a technical roadmap for evaluating the target environment thoroughly and is known as the Audit Scope.

The OSSTMM methodology classifies the different forms of security testing into six standard security test types:

  • Blind: Blind testing does not require any prior knowledge about the target system, but the target is informed before the execution of the audit scope. Ethical hacking and war gaming are examples of blind testing. This kind of testing is also widely accepted because of its ethical vision of informing the target in advance.
  • Double blind: In double blind testing, an auditor does not require any knowledge about the target system, nor is the target informed before the test execution. Black-box auditing and penetration testing are examples of double blind testing. Most security assessments today are carried out using this strategy, thus posing a real challenge for auditors to select the best-of-breed tools and techniques in order to achieve their required goal.
  • Gray box: In gray box testing, an auditor holds limited knowledge about the target system and the target is also informed before the test is executed. Vulnerability assessment is one of the basic examples of gray box testing.
  • Double gray box: Double gray box testing works in a similar way to gray box testing, except that the time frame for the audit is defined and no channels and vectors are being tested. A white-box audit is an example of double gray box testing.
  • Tandem: In tandem testing, the auditor holds minimum knowledge to assess the target system and the target is also notified in advance before the test is executed. It is worth noting that tandem testing is conducted thoroughly. Crystal box and in-house audits are examples of tandem testing.
  • Reversal: In reversal testing, an auditor holds full knowledge about the target system and the target is never informed of how and when the test will be conducted. Red teaming is an example of reversal testing.

Which OSSTMM test type follows the rules of Penetration Testing?
Double blind testing

The technical assessment framework provided by OSSTMM is flexible and capable of deriving test cases which are logically divided into the five security components of the three consecutive channels mentioned previously. These test cases generally examine the target by assessing its access control security, process security, data controls, physical location, perimeter protection, security awareness level, trust level, fraud control protection, and many other procedures. The overall testing procedures focus on what has to be tested, how it should be tested, what tactics should be applied before, during, and after the test, and how to interpret and correlate the final results. Capturing the current state of protection of a target system using security metrics is invaluable. Thus, the OSSTMM methodology has introduced this terminology in the form of RAV (Risk Assessment Values). The basic function of the RAV is to analyze the test results and compute the actual security value based on three factors: operational security, loss controls, and limitations. This final security value is known as the RAV score. Using the RAV score, an auditor can easily extract and define milestones based on the current security posture in order to accomplish better protection. From a business perspective, the RAV can optimize the amount of investment required in security and may help in justifying the better available solutions.

Key features and benefits

  • Practicing the OSSTMM methodology substantially reduces the occurrence of false negatives and false positives and provides an accurate measurement of security.
  • Its framework is adaptable to many types of security tests, such as penetration testing, white-box audit, vulnerability assessment, and so forth.
  • It ensures that the assessment is carried out thoroughly and that the results can be aggregated in a consistent, quantifiable, and reliable manner.
  • The methodology itself follows a process of four individually connected phases, namely the definition phase, information phase, regulatory phase, and controls test phase, each of which obtains, assesses, and verifies information regarding the target environment.
  • Security metrics can be evaluated using the RAV method. The RAV calculates the actual security value based on operational security, loss controls, and limitations. The resulting output, known as the RAV score, represents the current state of the target's security.
  • Formalizing the assessment report using the Security Test Audit Report (STAR) template can be advantageous to management as well as the technical team when reviewing the testing objectives, risk assessment values, and the output from each test phase.
  • The methodology is regularly updated with new trends in security testing, regulations, and ethical concerns.
  • The OSSTMM process can easily be coordinated with industry regulations, business policy, and government legislation. Additionally, a certified audit can also be eligible for accreditation directly from ISECOM (Institute for Security and Open Methodologies).


Information Systems Security Assessment Framework (ISSAF)

The ISSAF is another open source security testing and analysis framework. It is categorized into several domains in order to address the security assessment in a logical order. Each of these domains assesses a different part of the target system and provides field inputs for a successful security engagement. By integrating the framework into a regular business lifecycle, it may provide the accuracy, completeness, and efficiency needed to fulfill the organization's security testing requirements. The ISSAF was developed to focus on two areas of security testing: technical and managerial. The technical side establishes the core set of rules and procedures to follow in creating an adequate security assessment process, while the managerial side covers engagement management and the best practices that should be followed throughout the testing process. It should be remembered that the ISSAF defines the assessment as a process instead of an audit, since auditing requires a more established body to proclaim the necessary standards. Its assessment framework includes the Planning, Assessment, Treatment, Accreditation, and Maintenance phases. Each of these phases holds generic guidelines that are effective and flexible for any organizational structure. The output is a combination of operational activities, security initiatives, and a complete list of vulnerabilities that may exist in the target environment. The assessment process chooses the shortest path to the test deadline by analyzing its target against critical vulnerabilities that can be exploited with minimum effort.

The ISSAF contains a rich set of technical assessment baselines for testing a number of different technologies and processes. But this introduces the problem of maintenance: the framework has to be kept up to date in order to reflect new or updated technology assessment criteria. In comparison, the OSSTMM methodology is less affected by these obsolescence issues because the auditor can use the same methodology over a number of security engagements with different sets of tools and techniques. On the other hand, the ISSAF also claims to be a broad framework with up-to-date information on security tools, best practices, and administrative concerns to complement the security assessment program. It can also be aligned with the OSSTMM or any other similar testing methodology, thus combining the strengths of each. However, it is important to note that the ISSAF is still in its infancy and a bit outdated when compared to other methodologies and frameworks.

Key features and benefits

  • Provides a high value proposition for securing the infrastructure by assessing the existing security controls against critical vulnerabilities.
  • The framework addresses different key areas of information security. This covers risk assessment, business structure and management, controls assessment, engagement management, security policy development, and good practices.
  • The overall technical assessment process provided by the ISSAF consists of operations management, physical security assessment, penetration testing methodology, incident management, change management, business continuity management, security awareness, and legal and regulatory compliance.
  • The ISSAF penetration testing methodology purely examines the security of a network, system, or application, because the framework can focus transparently on target-specific technology, which may involve routers, switches, firewalls, intrusion detection and prevention systems, storage area networks, virtual private networks, various operating systems, web application servers, databases, and so forth.
  • It bridges the gap between the technical and managerial views of security testing by implementing the necessary controls to handle both areas.
  • It enables management to understand the existing risks floating over the organization's perimeter defenses and to reduce them proactively by identifying the vulnerabilities that may affect business integrity.

Combining the power of both methodologies, the OSSTMM and the ISSAF, provides a sufficient knowledge base to assess the security of an enterprise environment efficiently.

Open Web Application Security Project (OWASP) Top Ten

Hardening the network devices not only prevents a malicious adversary from entering the secure network using well-known exploits and vulnerabilities, but also proactively thwarts unauthorized and inappropriate modification of the infrastructure. However, this does not prevent network-based web applications from being exposed to such attacks. Thus, it opens another gate for an attacker to gain a foothold at the application layer before moving on into the system. Because of this obvious security gap, several testing methodologies have been introduced to critically assess the underlying security risks of the application. One such attempt was made by the OWASP open community, which brought its Top Ten project forward to increase awareness of application security among various organizations. The project does not cover complete application security programs, but provides a necessary foundation for integrating security through secure coding principles and practices.

What is meant by "Application Layer"?
Layer 7 of the Open Systems Interconnection (OSI) model is known as the "Application Layer". The key function of this model is to provide a standardized way of communicating across heterogeneous networks. The model is divided into seven logical layers, namely Physical, Data link, Network, Transport, Session, Presentation, and Application. The basic functionality of the application layer is to provide network services to user applications. More information on this can be obtained from:

Addressing application security involves people, processes, management, and technology criteria. Thus, relying on an application risk assessment strategy is not the only choice. Combining all the counterparts of an organization may contribute a significant improvement to the security of an application itself. The OWASP Top Ten project categorizes the application security risks by evaluating the top attack vectors and security weaknesses in relation to their technical and business impact. When assessing the application, each of these risks demonstrates a generic attack method independent of the technology or platform being used. It also provides specific instructions on how to test, verify, and remediate each vulnerable part of an application. The OWASP Top Ten mainly focuses on the high-risk problem areas rather than addressing all the issues surrounding web application security. However, there are some essential guidelines available from the OWASP community for developers and security auditors to effectively manage the security of web applications.

To summarize the top ten application security risks presented by OWASP, we have explained them below with short definitions, example types, and preventive measures:

  • A1 - Injection: Malicious data input supplied by an attacker to execute arbitrary commands in the context of a web server is known as an injection attack. SQL, XML, and LDAP injection are some of its well-known types. Escaping the special characters in user input can protect the application from malicious data injection.
  • A2 - Cross-Site Scripting (XSS): An application that does not properly validate user input and forwards malicious strings to the web browser, where their execution may result in session hijacking, cookie theft, or website defacement, is vulnerable to cross-site scripting (XSS). Escaping all untrusted meta characters in HTML, JavaScript, or CSS output can protect the application from cross-site scripting attacks.
  • A3 - Broken Authentication and Session Management: The use of insecure authentication and session management routines may result in the hijacking of other users' accounts and in predictable session tokens. Developing a strong authentication and session management scheme can prevent such attacks. The use of encryption, hashing, and secure data connections over SSL or TLS is highly recommended.
  • A4 - Insecure Direct Object References: Providing a direct reference to an internal application object can allow an attacker to manipulate such references and access unauthorized data unless access is properly authenticated. This internal object can refer to a user account parameter value, filename, or directory. Performing an access control check on each user-accessible object before serving it should ensure authorized access to the requested object.
  • A5 - Cross-Site Request Forgery (CSRF): Forcing an authorized user to execute forged HTTP requests against a vulnerable web application is called a cross-site request forgery attack. These malicious requests are executed within a legitimate user session so that they cannot be detected. Binding a unique, unpredictable token to every HTTP request per user session can provide mitigation against CSRF.
  • A6 - Security Misconfiguration: Sometimes using a default security configuration can leave the application open to multiple attacks. Maintaining the best known configuration for the deployed application, web server, database server, operating system, code libraries, and all other application-related components is vital. This transparent application security configuration can be achieved by introducing a repeatable process for software updates, patches, and hardened environment rules.
  • A7 - Insecure Cryptographic Storage: Applications that do not employ a cryptographic protection scheme for sensitive data, such as healthcare information, credit card transactions, personal information, and authentication details, fall under this category. By implementing a strong, standard encryption or hashing algorithm, one can assure the security of data at rest.
  • A8 - Failure to Restrict URL Access: Web applications that do not check access permissions based on the URL being accessed can allow an attacker to reach unauthorized pages. To resolve this issue, restrict access to private URLs by implementing proper authentication and authorization controls, and develop a policy defining which specific users and roles are allowed to access the highly sensitive areas.
  • A9 - Insufficient Transport Layer Protection: The use of weak encryption algorithms, invalid security certificates, and improper authentication controls can compromise the confidentiality and integrity of data. Such application data is always vulnerable to traffic interception and modification attacks. The security of such applications can be enhanced by implementing SSL for all sensitive pages and configuring a valid digital certificate issued by an authorized certification authority.
  • A10 - Unvalidated Redirects and Forwards: Many web applications use a dynamic parameter to redirect or forward a user to a specific URL. An attacker can use the same mechanism to craft a malicious URL that redirects users to phishing or malware websites. The same attack can also be extended by forwarding a request to local unauthorized web pages. Simply validating the supplied parameter value and checking the access control rights of the user making the request can avoid illegitimate redirects and forwards.
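As an added illustration of the A5 mitigation described above (example code, not from the book), the following Python shows the synchronizer-token pattern: one unpredictable token is bound to each user session, and a state-changing request is accepted only if it presents its own session's token. The in-memory session store, the `handle_transfer` endpoint, and the session ids are constructed for this example.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory session store: session id -> per-session CSRF token.
# A real application keeps this in its server-side session storage.
_SESSIONS: Dict[str, str] = {}


def issue_csrf_token(session_id: str) -> str:
    """Return the CSRF token bound to this session, creating it on first use.

    The token comes from a CSPRNG (256 bits) and is embedded as a hidden
    field in every state-changing form rendered for this session.
    """
    token = _SESSIONS.get(session_id)
    if token is None:
        token = secrets.token_urlsafe(32)
        _SESSIONS[session_id] = token
    return token


def verify_csrf_token(session_id: str, presented: Optional[str]) -> bool:
    """True only if `presented` equals the token bound to `session_id`.

    The comparison is constant-time so that response timing does not leak
    how many leading characters of the token matched.
    """
    expected = _SESSIONS.get(session_id)
    if expected is None or presented is None:
        return False
    return hmac.compare_digest(expected.encode(), presented.encode())


def handle_transfer(session_id: str, form: Dict[str, str]) -> str:
    """Hypothetical state-changing endpoint (constructed for the example).

    The session id stands in for the session cookie the browser attaches
    automatically; the token must come from the form body, which a
    cross-site page cannot read.
    """
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return "rejected: missing or invalid CSRF token"
    return "accepted: transfer of {} to {}".format(form["amount"], form["to"])


def demo() -> Dict[str, str]:
    """Exercise the three request shapes a defender wants to distinguish."""
    alice = "sess-alice"      # constructed session id of the logged-in user
    other = "sess-other"      # constructed session id of a different user
    alice_token = issue_csrf_token(alice)

    # 1. Legitimate submission from a form the server rendered for Alice.
    legit = {"to": "savings", "amount": "100", "csrf_token": alice_token}
    # 2. Forged cross-site request: rides Alice's cookie but has no token.
    forged_no_token = {"to": "elsewhere", "amount": "9999"}
    # 3. Forged request carrying a token that belongs to a different
    #    session; per-session binding means it must not be accepted.
    forged_other_token = {"to": "elsewhere", "amount": "9999",
                          "csrf_token": issue_csrf_token(other)}
    return {
        "legit": handle_transfer(alice, legit),
        "no_token": handle_transfer(alice, forged_no_token),
        "other_token": handle_transfer(alice, forged_other_token),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("{:12s} {}".format(name, result))
```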

Key features and benefits

  • Testing the web application against the OWASP Top Ten security risks ensures that the most common attacks and weaknesses are avoided and that the confidentiality, integrity, and availability of the application are maintained.
  • The OWASP community has also developed a number of security tools focusing on automated and manual web application tests. A few of these tools are WebScarab, Wapiti, JBroFuzz, and SQLiX, which are also available under the BackTrack operating system.
  • When considering the security assessment of web infrastructure, the OWASP Testing Guide provides technology-specific assessment details; for instance, testing Oracle is approached differently than MySQL. Such a guide provides a wider and collaborative look at multiple technologies, which helps an auditor choose the best-suited procedure for testing.
  • It encourages secure coding practices for developers by integrating security tests at each stage of development. This will ensure that the production application is robust, error-free, and secure.
  • It provides industry-wide acceptance and visibility. The Top Ten security risks can also be aligned with other web application security assessment standards, thus helping to achieve more than one standard at a time with little additional effort.

Web Application Security Consortium Threat Classification (WASC-TC)

Identifying application security risks requires a thorough and rigorous testing procedure which can be followed throughout the development lifecycle. The WASC Threat Classification is another such open standard for assessing the security of web applications. Similar to the OWASP standard, it is also classified into a number of attacks and weaknesses, but addresses them in a much deeper fashion. Practicing this black art of identifying and verifying the threats hanging over a web application requires a standard terminology that can quickly adapt to the technology environment. This is where the WASC-TC comes in very handy. The overall standard is presented in three different views to help developers and security auditors understand the landscape of web application security threats.

  • Enumeration View: This view is dedicated to providing the basis for web application attacks and weaknesses. Each of these attacks and weaknesses is discussed individually with a concise definition, its types, and examples on multiple programming platforms. Additionally, each carries a unique identifier which can be used for referencing. There are a total of 49 attacks and weaknesses, collated under static WASC-ID numbers (1 to 49). It is important to note that this numeric representation does not indicate risk severity but instead serves the purpose of referencing.
  • Development View: The development view takes the developer's perspective forward by combining the set of attacks and weaknesses into vulnerabilities which are likely to occur at any of three consecutive development phases. This could be the design, implementation, or deployment phase. Design vulnerabilities are introduced when the application requirements do not address security at the initial stage of requirements gathering. Implementation vulnerabilities occur due to insecure coding principles and practices. And deployment vulnerabilities are the result of misconfiguration of the application, web server, and other external systems. Thus, this view broadens the scope for its integration into a regular development lifecycle as a part of best practices.
  • Taxonomy Cross Reference View: This view cross-references multiple web application security standards, which helps auditors and developers map the terminology presented in one standard to another. With a little more effort, the same facility can also assist in achieving compliance with multiple standards at the same time. However, in general, each application security standard defines its own criteria to assess applications from different angles and measure their associated risks. Thus, each standard requires different efforts to scale up the calculation of risks and their severity levels. The WASC-TC attacks and weaknesses presented in this category are mapped to the OWASP Top Ten, MITRE's Common Weakness Enumeration (CWE), MITRE's Common Attack Pattern Enumeration and Classification (CAPEC), and the SANS-CWE Top 25 list.

More details regarding WASC-TC and its views can be found at:

Key features and benefits

  • Provides in-depth knowledge for assessing the web application environment against the most common attacks and weaknesses.
  • The attacks and weaknesses presented by WASC-TC can be used to test and verify any web application platform using a combination of tools from the BackTrack operating system.
  • The standard provides three different views, namely enumeration, development, and cross reference. The enumeration view serves as a base for all the attacks and weaknesses found in web applications. The development view merges these attacks and weaknesses into vulnerabilities and categorizes them according to the development phase in which they occur: design, implementation, or deployment. The cross reference view serves the purpose of referencing other application security standards against WASC-TC.
  • WASC-TC has already acquired industry-level acceptance, and its integration can be found in many open source and commercial solutions, mostly vulnerability assessment and management products.
  • It can also be aligned with other well-known application security standards, such as OWASP and SANS-CWE, which helps in satisfying other compliance requirements.


BackTrack testing methodology

BackTrack is a versatile operating system that comes with a number of security assessment and penetration testing tools. Using these tools without a proper methodology can lead to unsuccessful testing and may produce unsatisfactory results. Thus, formalizing security testing with a structured methodology is extremely important from both a technical and a managerial perspective.

The BackTrack testing methodology presented in this section covers both the black-box and white-box approaches. Either approach can be adjusted according to the given target of assessment. The methodology is composed of a number of steps that should be followed in sequence at the initial, medial, and final stages of testing in order to accomplish a successful assessment. These include Target Scoping, Information Gathering, Target Discovery, Enumerating Target, Vulnerability Mapping, Social Engineering, Target Exploitation, Privilege Escalation, Maintaining Access, and Documentation and Reporting. Which combination of these steps to apply, and whether to use a black-box or white-box approach, is left to the penetration tester, who should choose the most strategic path according to the given target environment and the prior knowledge available before the test begins. We will explain each stage of testing with a brief description, definition, and its possible applications.

The illustration for the BackTrack testing process is also given below.


Target scoping

Before starting the technical security assessment, it is important to observe and understand the given scope of the target network environment. The scope can be defined for a single entity or for a set of entities given to the auditor. What has to be tested, how it should be tested, what conditions should be applied during the test process, what will limit the execution of the test process, how long it will take to complete the test, and what business objectives will be achieved are all points that should be decided under target scoping. To lead a successful penetration test, an auditor must be aware of the technology under assessment, its basic functionality, and its interaction with the network environment. Thus, the knowledge of an auditor makes a significant contribution towards any kind of security assessment.

Information gathering

Once the scope has been finalized, it is time to move into the reconnaissance phase. During this phase, a pentester uses a number of publicly available resources to learn more about his target. This information can be retrieved from Internet sources such as forums, bulletin boards, newsgroups, articles, blogs, social networks, and other commercial or non-commercial websites. Additionally, data can be gathered through various search engines such as Google, Yahoo!, MSN Bing, Baidu, and others. Moreover, an auditor can use the tools provided in BackTrack to extract network information about a target. These tools perform valuable data mining techniques for collecting information through DNS servers, trace routes, the Whois database, e-mail addresses, phone numbers, personal information, and user accounts. The more information that is gathered, the greater the chances of a successful penetration test.

Target discovery

This phase mainly deals with identifying the target's network status, operating system, and its relative network architecture. This provides a complete image of the current technologies or devices interconnected and may help further in enumerating various services running over the network. By using the advanced network tools from BackTrack, one can easily determine the live network hosts, the operating systems running on these host machines, and characterize each device according to its role on the network system. These tools generally implement active and passive detection techniques on top of network protocols, which can be manipulated in different forms to acquire useful information such as operating system fingerprinting.

Enumerating target

This phase takes all the previous efforts forward and finds the open ports on the target systems. Once the open ports have been identified, they can be enumerated for the running services. Port scanning techniques such as full-open, half-open, and stealth scans help determine port visibility, even if the host is behind a firewall or Intrusion Detection System (IDS). The services mapped to the open ports help in further investigating the vulnerabilities that may exist on the target network infrastructure. Hence, this phase serves as a base for finding vulnerabilities in various network devices which can lead to a serious penetration. An auditor can use some of the automated tools provided in BackTrack to achieve the goal of this phase.
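Seen from the defended side, a half-open scan leaves a distinctive trace: one source sends bare SYNs to many distinct ports in a short window and never completes the handshake, which is exactly what a firewall or IDS looks for. The following is an added example written for this article, not code from the book or from BackTrack; it parses constructed iptables-style log lines (the field layout, the addresses, and the window and port thresholds are assumptions made for the example) and flags sources that probe at least ten distinct ports within sixty seconds, while a slow scanner spaced two minutes apart and a normal client completing a connection are not flagged.

```python
"""Flag half-open (SYN) scan behaviour in firewall log lines.

Added example, not code from the book or from BackTrack. The log lines are
constructed in a simplified iptables-like layout; field names, addresses and
thresholds are assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IN=\S+ SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP "
    r"SPT=\d+ DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dpt": int(m.group("dpt")),
        "flags": m.group("flags"),
    }


def detect_syn_scans(log_text, window_seconds=60, port_threshold=10):
    """Return {src: sorted distinct ports probed} for every source whose bare-SYN
    attempts reach port_threshold distinct destination ports inside some window
    of window_seconds. Packets carrying ACK (completed handshakes) are ignored."""
    probes = defaultdict(list)  # src -> [(timestamp, destination port)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["flags"] != "S":
            continue
        probes[rec["src"]].append((rec["ts"], rec["dpt"]))

    flagged = {}
    for src, events in probes.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= port_threshold:
                flagged[src] = sorted({p for _, p in events})
                break
    return flagged


# Constructed sample: a fast scanner (12 ports in 12 seconds), a slow scanner
# (one port every two minutes) and a normal client completing one connection.
_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]
_FAST = [f"2011-03-01T10:00:{i:02d} IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 "
         f"PROTO=TCP SPT={40000 + i} DPT={p} FLAGS=S" for i, p in enumerate(_PORTS)]
_SLOW = [f"2011-03-01T10:{2 * i:02d}:00 IN=eth0 SRC=203.0.113.9 DST=198.51.100.5 "
         f"PROTO=TCP SPT={41000 + i} DPT={p} FLAGS=S" for i, p in enumerate(_PORTS)]
_CLIENT = [
    "2011-03-01T10:00:05 IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=80 FLAGS=S",
    "2011-03-01T10:00:05 IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=80 FLAGS=A",
    "2011-03-01T10:00:06 IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=80 FLAGS=AP",
]
SAMPLE_LOG = "\n".join(_FAST + _SLOW + _CLIENT)

if __name__ == "__main__":
    for src, ports in detect_syn_scans(SAMPLE_LOG).items():
        print(f"possible SYN scan from {src}: {len(ports)} ports {ports}")
```

The sliding window is what separates a stealth scan from a slow one: the slow source in the sample touches the same twelve ports but never ten of them within a minute, so it is only reported when the window is widened (for example to an hour), which is the trade-off between false positives and catching scans that deliberately pace their probes.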

Vulnerability mapping

Up to the previous phase, we have gathered sufficient information about the target network. It is now time to identify and analyze the vulnerabilities based on the disclosed ports and services. This process can be achieved via a number of automated network and application vulnerability assessment tools present in the BackTrack OS. It can also be done manually, but that takes an enormous amount of time and requires expert knowledge. However, combining both approaches should give an auditor a clear view for carefully examining any known or unknown vulnerability that may exist on the network systems.

Social engineering

Practicing the art of deception is considerably important when there is no open gate available for an auditor to enter the target network. Using a human attack vector, it is still possible to penetrate the target system by tricking a user into executing malicious code that gives backdoor access to the auditor. Social engineering comes in different forms. This can be anybody pretending to be a network administrator over the phone pressuring you to reveal account information, or an e-mail phishing scam leading to the hijacking of your bank account details. There is an immense set of possibilities that could be applied to achieve the required goal. It is essential to note that a successful penetration sometimes requires additional time studying the target's human psychology before applying any suitable deception.

Target exploitation

After carefully examining the discovered vulnerabilities, it is possible to penetrate the target system based on the types of exploits available. Sometimes it may require additional research or modifications to an existing exploit in order to make it work properly. This sounds a bit difficult, but becomes easier when working with the advanced exploitation tools that are already provided with BackTrack. Moreover, an auditor can also apply client-side exploitation methods mixed with a little social engineering to take control of a target system. Thus, this phase mainly focuses on the target acquisition process, which coordinates three core areas: pre-exploitation, exploitation, and post-exploitation activities.

Privilege escalation

Once the target is acquired, the penetration is successful. An auditor can now move freely within the system depending on his access privileges. These privileges can also be escalated using any local exploits matching the system environment, which, once executed, should attain super-user or system-level privileges. From this point of entry, an auditor might also be able to launch further attacks against the local network systems. This process can be restricted or unrestricted depending on the given target scope. There is also the possibility to learn more about the compromised target by sniffing the network traffic, cracking the passwords of various services, and applying local network spoofing tactics. Hence, the purpose of privilege escalation is to gain the highest level of access to the system.

Maintaining access

Sometimes an auditor may be asked to retain access to the system for a specified time period. Such activity can be used to demonstrate illegitimate access to the system without having to repeat the penetration process. This saves the time, cost, and resources that would otherwise be spent regaining access to the system. By employing covert tunneling methods, which make use of a protocol, proxy, or end-to-end connection strategy to establish backdoor access, an auditor can maintain his foothold in the target system for as long as required. This kind of system access provides a clear view of how an attacker can maintain his presence in the system without noisy behavior.

Documentation and reporting

Documenting, reporting, and presenting the vulnerabilities found, verified, and exploited concludes our penetration testing methodology. From an ethical perspective this is extremely important, because the relevant managerial and technical teams can inspect the method of penetration and try to close any security loopholes that may exist. The types of reports created for each relevant authority at the contracting organization may take different forms to help them understand and analyze the weak points that exist in their IT infrastructure. Additionally, these reports can serve the purpose of capturing and comparing the target system's integrity before and after the penetration process.

The ethics

The ethical vision of security testing constitutes rules of engagement that have to be followed by an auditor to present professional, ethical, and authorized practices. These rules define how the testing services should be offered, how the testing should be performed, how legal contracts and negotiations are determined, how the scope of testing is defined, how the test plan is prepared, how the test process is followed, and how a consistent reporting structure is managed. Addressing each of these areas requires careful examination and design of formal practices and procedures that must be followed throughout the test engagement. Some examples of these rules are discussed below.

  • Offering testing services after breaking into the target system, before any formal agreement has been made between the client and the auditor, should be completely forbidden. This act of unethical marketing can result in the failure of a business and may have legal implications depending on the jurisdiction of the country.
  • Performing a test beyond the scope of testing and crossing the identified boundaries without explicit permissions from a client is prohibited.
  • A binding legal contract should limit the liability of the job unless any illegal activity is detected. The contract should clearly state the terms and conditions of testing, emergency contact information, the statement of work, and any obvious conflicts of interest.
  • The scope definition should clearly define all the contractual entities and the limits imposed on them during the security assessment.
  • The test plan concerns the amount of time required to assess the security of a target system. It is highly advisable to draw up a schedule that does not interrupt production during business hours.
  • The test process defines the set of steps necessary to follow during the test engagement. These rules combine technical and managerial views to constrain the testing process with respect to its environment and people.
  • Test results and reporting must be presented in a clear and consistent order. The report must mark all the known and unknown vulnerabilities, and should be delivered confidentially to the authorized individual only.
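Both the target scoping stage and the rules of engagement above come down to the same mechanical check that should run before any tool is pointed at a host: is this address inside the authorized ranges, is it not on the exclusion list, and is the agreed testing window open right now? The following is an added example written for this article, not code from the book; the `Scope` class, the address ranges, the excluded host, and the 22:00 to 06:00 window are all constructed sample values. It handles two details that are easy to get wrong: a range that merely overlaps an excluded host is rejected as a whole, and a testing window that wraps past midnight is honored correctly.

```python
"""Pre-engagement scope check for candidate targets.

Added example, not code from the book. Every address range, excluded host and
time below is a constructed sample value, not a real engagement.
"""
import ipaddress
from datetime import datetime, time


class Scope:
    def __init__(self, allowed, excluded, window_start, window_end):
        self.allowed = [ipaddress.ip_network(n) for n in allowed]
        self.excluded = [ipaddress.ip_network(n) for n in excluded]
        self.window_start = window_start  # datetime.time in the client's local time
        self.window_end = window_end

    def check_target(self, target):
        """Return (ok, reason) for one IP address or CIDR range."""
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            return False, f"{target}: not a valid address or range"
        # Any overlap with an exclusion vetoes the whole range, even if the
        # rest of it is authorised; split the range instead of widening it.
        for ex in self.excluded:
            if net.overlaps(ex):
                return False, f"{target}: overlaps excluded range {ex}"
        # subnet_of() raises TypeError on mixed IPv4/IPv6, so compare versions first.
        if not any(a.version == net.version and net.subnet_of(a) for a in self.allowed):
            return False, f"{target}: outside authorised scope"
        return True, f"{target}: in scope"

    def check_time(self, when):
        """True if the wall-clock time of `when` lies inside the testing window,
        including windows that wrap past midnight (for example 22:00 to 06:00)."""
        t = when.time()
        if self.window_start <= self.window_end:
            return self.window_start <= t < self.window_end
        return t >= self.window_start or t < self.window_end


def filter_targets(scope, targets, when):
    """Split targets into (approved, rejected) lists of (target, reason).
    Nothing is approved outside the testing window, whatever the address."""
    approved, rejected = [], []
    for target in targets:
        ok, reason = scope.check_target(target)
        if ok and not scope.check_time(when):
            ok, reason = False, f"{target}: outside testing window"
        (approved if ok else rejected).append((target, reason))
    return approved, rejected


# Constructed engagement: one IPv4 /24 and one IPv6 /48 in scope, a single
# production host excluded, testing allowed only between 22:00 and 06:00.
SCOPE = Scope(
    allowed=["198.51.100.0/24", "2001:db8:10::/48"],
    excluded=["198.51.100.250/32"],
    window_start=time(22, 0),
    window_end=time(6, 0),
)
CANDIDATES = ["198.51.100.10", "198.51.100.250", "198.51.100.0/24",
              "203.0.113.5", "2001:db8:10::7", "2001:db8:99::1", "not-an-ip"]


def approved_at(hour, minute, scope=SCOPE, targets=CANDIDATES):
    """Names of the candidate targets approved at the given local time
    (the calendar date is a constructed placeholder)."""
    approved, _ = filter_targets(scope, targets, datetime(2011, 3, 1, hour, minute))
    return [t for t, _ in approved]


if __name__ == "__main__":
    ok, bad = filter_targets(SCOPE, CANDIDATES, datetime(2011, 3, 1, 23, 30))
    for _, reason in ok + bad:
        print(reason)
```

Run as a script it prints one line per candidate with the reason it was approved or rejected, which is the kind of record worth attaching to the engagement file: it shows that the scope was enforced mechanically rather than left to memory during a late-night test.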


In this article, we have discussed a detailed penetration testing methodology with its various views from the development lifecycle and risk management process. We have also described the basic terminology of penetration testing, its associated types, and the way the industry confuses it with other similar terms. The key points are summarized below:

  • There are two types of penetration testing, namely black-box and white-box. The black-box approach is also known as "external testing", where the auditor has no prior knowledge of the target system. The white-box approach refers to "internal testing", where the auditor is fully aware of the target environment. The combination of both types is known as gray-box.
  • The basic difference between vulnerability assessment and penetration testing is that a vulnerability assessment identifies the flaws that exist on the system without measuring their impact, while penetration testing takes a step further and exploits these vulnerabilities in order to evaluate their consequences.
  • There are a number of security testing methodologies, but very few provide stepwise and consistent instructions on measuring the security of a system or application. We have discussed four such well-known open source security assessment methodologies, highlighting their technical capabilities, key features, and benefits. These include the Open Source Security Testing Methodology Manual (OSSTMM), Information Systems Security Assessment Framework (ISSAF), Open Web Application Security Project (OWASP), and Web Application Security Consortium Threat Classification (WASC-TC).
  • We have also presented a structured BackTrack testing methodology with a defined process for penetration testing. This process involves a number of steps which have been organized according to the industry approach towards security testing. These include Target Scoping, Information Gathering, Target Discovery, Enumerating Target, Vulnerability Mapping, Social Engineering, Target Exploitation, Privilege Escalation, Maintaining Access, and Documentation and Reporting.
  • Finally, we have discussed the ethical view of penetration testing, which should be justified and followed throughout the assessment process. Applying ethics at every single step of the assessment engagement leads to a successful settlement between the auditor and the business entity.
