Can you hack it? Penetration testing gives companies a way to find their vulnerabilities before hackers use them to break in and cause harm. (Computer Security).
Rather than trying to find all the weaknesses in the target network, a cybercriminal looks for the path of least resistance, leveraging a few specific weaknesses that will provide unimpeded access to the target network. Emulating such a criminal, the penetration test team looks for the weakest links that will help it achieve its objectives. The penetration test is time based and evaluates whether a network can be cracked in a given amount of time, By contrast, a network vulnerability assessment looks at every component of the network to determine a wide variety of weaknesses. A penetration test is normally performed after a general network vulnerability assessment, providing both reinforcement and validation to the results of the broader test. However, sometimes a penetration test may precede a network vulnerability assessment to serve as convincing evidence to the need of performing a broader and more comprehensive test.
Types of tests. There are several types of penetration tests available in different combinations, depending on the objective of the company being tested. These are covert, overt, black-box, and crystal-box tests.
Covert vs. overt. In a covert test, most employees are unaware that the organization is being tested. In an overt test, system administrators know of the test and can watch the red team in action.
A covert test is more realistic than an overt one and can be used to measure the effectiveness and responsiveness of the defenses. However, such tests are generally longer in duration, as the test team must use slow and stealthy techniques to maintain a low profile and to avoid detection. Overt testing, although less realistic, provides valuable lessons for the organization's security members, as they are able to watch the attack in progress.
Black box vs. crystal box. In a "black box" test, the testing team has no insider knowledge of the target environment. As such, the team must spend a considerable amount of time discovering such information, if any can be found.
In a "crystal box" test, the team is given inside information about the company's network and may even work with insiders who have privileged information, such as the configuration of the network or the types of hardware and software in use.
The combination chosen depends on the objective of the test. For example, an international bank may decide to perform a covert, black-box penetration test to assess the security strength and responsiveness of its U.S. operations, while a domestic online book wholesaler may join a security firm in an overt, crystal-box penetration test against its own internal order procurement systems to determine potential threats from a disgruntled employee.
Most organizations favor the overt, black-box approach. The time and cost savings of an overt operation outweigh the effort of maintaining secrecy for a covert one, and a penetration test performed with no prior knowledge provides the realism that matters most; it helps the company assess the amount of sensitive information available to outsiders and how potential cyber-criminals would go about gathering and using such information.
Project BCS. To better illustrate the process, this article will walk the reader through a penetration test of the networks of a fictitious company called Bob's Computer Systems (BCS). BCS is a newly established, domestic online wholesaler that sells computer components to both consumers and businesses. Because it owns and manages its own Web site and equipment, the engagement requires little coordination with outside vendors.
The BCS security management team, which includes internal audit members and representatives from the company's information security office, wants to know whether an outsider could gain access to the production database and collect confidential information, including passwords, client lists, and credit card information. They solicit a security firm to perform a one-week penetration test with those target objectives.
To save time and money, BCS decides to use an overt, black-box approach and, per the penetration test team's suggestion, assigns one of its own employees to observe the testing process. The red team consists of three members with different technical backgrounds. One is a developer with knowledge of programming and debugging; another is a system tester, experienced in finding vulnerabilities; and the third is a network specialist who knows how networks are normally configured, as well as the common errors that network administrators make in configuring company systems. The red team works from their office away from the ECS facility to ensure that they have only the same level of access that a malicious intruder would.
Test cycle. The BCS penetration test is a cycle that consists of four steps. Step one is profiling, where the testing team gathers intelligence about the target and the objectives. Step two is penetration: infiltrating and gaining access to the target or a "stepping stone" to the target.
Step three is escalation, where the testing team takes any action necessary to achieve the objective or to prepare the stepping stone for leverage. The final step is dispersion. In the event that the objective cannot yet be achieved, team members look for an alternative pathway by repeating the process, starting at step one.
Profiling. Just as a thief cases a bank before a robbery attempt or a soldier gets briefed on the target before an exercise, the team needs to first gather and analyze as much data as possible about the target before the attack. Information such as BCS's domain names, IP addresses, and network population (how many of their IP addresses are being used) and composition (for example, how many mail or Web servers the company uses) will help the team better define the ECS target network and plan the attack. Much of this information is available through open sources.
IP addresses. To determine the boundary of BCS's Internet presence, the team first needs to identify the domain names and IP address ranges that are registered to BCS. All domain names and IP addresses used on the Internet are registered with various registries whose databases can be queried using the Internet utility known as "Whois." Using Whois, the team finds that BCS has two registered domains--buybcs.com and bobscomputersystems.com--and an associated block of 16 registered IF addresses.
The result from the Whois query also provides an IP address of the registered domain name server responsible for resolving names to IP addresses for both domains. Domain name servers, such as the one belonging to BCS, contain zone records (name registration records) for the systems in the domain. Such records contain potentially valuable information such as system name-to-IF-address mappings and mail and domain name server identifications.
This information is important because it tells the testing team (as well as a malicious hacker) which of a company's range of IF addresses are being used for specific services (for example, Web servers). Although the information may not always be completely accurate, it provides a quick way to collect a preliminary list of targets and frees the testing team from wasting time and effort looking through each address for those services that will be targeted. Fortunately for the team (but not for most businesses), in most cases domain name servers are not configured properly by the company or by its Internet service provider, so these records can be divulged using a technique called zone transfer. The test team attempts such a zone transfer and is able to obtain the following system information:
* IP address xxx.yyy.32.41, corresponding to a system named FW a name that may imply its function as the company firewall.
* IP address xxx.yyy.32.43, corresponding to a system named Pine, which is registered as the mail server for both domains.
* IP address xxx.yyy.32.45, corresponding to a system named Mahogany, which is mapped to two names: www.bobscomputersystems.com and www.buy-bcs.com.
To verify the information from the zone record and identify any unregistered hosts on the network (that is, machines not registered with the domain name server), the team next performs ping (messages sent to verify the existence of an IP address) as well as "traceroute" scans on the target network. (Traceroute reveals information about routers and servers along the path between the subject computer and a remote host.) These scans use ICMP data packets (Internet Control Message Protocol is used to send error and control messages) to determine whether a remote system is active and to map the route the packets used to reach the remote system.
Although these data messages were originally devised to help troubleshoot networks, they are frequently used by attackers to determine the status and layout of hosts on the remote network. Therefore, most security-conscious organizations filter or block them at their firewalls or gateway routers.
The team finds that its ping and traceroute scans of the BCS network are blocked, most likely by an Internet router. The team then attempts other types of ICMP-based scans, but those too are blocked.
Since the ICMP-based scans were stymied, the team needs to try another tool. They decide to use Nmap (network mapper), a popular open-source utility to perform its port scans. Nmap can identify what hosts are available on the network, what services those hosts are offering, what operating system they are running, what type of packet filters/firewalls are in use, and many other characteristics.
Nmap uses both TCP and TJDP port scans to determine the status of the targets. TOP, or transmission control protocol, and UDP, or user datagram protocol, both provide connections for the computer to communicate with other computers or net- works. TOP is thorough and more commonly used; however, it can be resource intensive, so UDP, which does not check to see that all data has arrived, is often used for applications that require fast and uninterrupted file transfers, such as streaming music or video. Because only active systems have active TOP and UDP ports, these scans can be used to determine the status of the remote systems.
The scan finds four active ports on all four systems, with varying state values (these are the different modes that a port can be in, such as open or closed). The team surmises that the scan found four active ports because a filtering device may be allowing traffic only to those four ports. The scans also help the team identify a fourth host that was missing from the zone transfer, with the IP address of xxx.yyy.32.44.
By scanning with Nmap, the team is able to identify that target systems FW and Pine are using the Solaris operating system version 2.7; additionally, Pine is running Sendmail and has port 25 (SMTP, or simple mail transfer protocol, the standard e-mail protocol on the Internet) open. The scans also show that the target systems Mahogany and the newly discovered host are both running Windows NT 4.0 with IIS (Internet Information Server), with several open ports.
Penetration. Now that the components of the target network have been identified, the team needs to determine ways to gain access to them. Because it is an overt test, the team can sacrifice secrecy for efficiency and use automated vulnerability scanners, such as the open-sourced Nessus (used by system administrators to search for weaknesses in their systems), to perform a quick sweep of the target network rather than having to manually probe for common vulnerabilities.
Nessus exposes various weaknesses on the target systems. For example, it reveals a buffer overflow in one system (a common attack in which a large number of characters, such as a very long log-in name, can crash a program and allow an intruder entry). It also finds a flaw in Pine's Sendmail application to the IIS Unicode Folder. This flaw, called the Web Server Folder Traversal vulnerability, is one of the most common Windows systems vulnerabilities.
Based on past successes with the IIS Unicode vulnerability, the team decides to attack that weakness first. Using specially crafted URLs, the team first confirms the vulnerability on then discovers the system name is TestBCS, and is able to launch commands remotely via a company Web browser.
To further explore this server and establish it as a relay station, the team now uploads various tools to the server. Although TestBCS does not have the FTP (file transfer protocol) service installed, and the filtering device appears to have rules restricting both inbound and outbound traffic, the team is nevertheless able to transfer files to the server via special messages over HTTP. Using an uploaded Trojan program, the team creates a remote command shell (console screen) on port 25, a port that they had learned from the port scans is not being blocked by the filtering device.
Escalation. While the test members are using the remote shell on TestBCS to explore additional weaknesses in an effort to gain privileged access, they discover that the server is susceptible to an ISAPI buffer overflow (another vulnerability in Microsoft's ITS server). Exploiting this weakness gives the team administrative access to the system and access to the prized and encrypted SAM (security accounts manager) file, which contains user information such as passwords. The team uses the password-cracking program "lophtcrack" to open the SAM file and finds the passwords to the two active users on the server: BCS2001 for user Administrator and BOStest for user Labeca (Larry Abeca).
Dispersion. So far in their search, the team members have been unable to find any customer-related information. However, they do learn that TestBCS is actually part of an internal class C network (a network that could have as many as 254 unique hosts). These addresses are for use only on the internal network; when they connect to the Internet, they are all translated as the external IP address xxx.yyy.32.44. In addition, the team determines that user Labeca is a developer for the Web application, based on the various application source code files found in his home directory. Now the team has an idea of the size of the internal network and a range of internal IP addresses to target.
A new profile. Since the team has already loaded TestBCS with its set of tools, they now use the server to launch various port scans against the entire internal network, to profile the network. They find almost two dozen other network systems, mostly Windows stations with a few Sun servers. The team notices that one of these Sun servers has more than 20 network services running, including FTP, Telnet, SMTP, finger (a program that connects a name with an e-mail address), and an Oracle-related service.
The team's port scans also reveal an internal domain name server within the network. By performing a zone transfer against the internal domain name server, they discover that the Sun server mentioned above is called "dbserv."
Deeper penetration. After determining that dbserv is a database server, both by the naming convention and the Oracle service running on it, the team attempts to gain access to it. Querying the server using the finger command, they are unable to find a user with the user ID of Labeca. However, one team member notices an idle user with the user ID Larrya. Using the user password discovered previously for Labeca on TestBCS, the team is able to successfully log on as Larrya.
Mission complete. While logged on to server dbserv, the team explores the server's files and settings. Browsing through Larrya's history file (which contains a list of recently issued commands), they notice that Larrya had been logging onto two databases named "prod" and "devl" while working on script programs in what appeared to be an application development directory named /app/dev/2.4. Files inside that directory are found to have embedded database user ID Beta and password Beta. Using these credentials, the team is able to connect to the development database devl and view various tables.
One member of the test team, while searching for other exploitable processes, discovers a batch job (a noninteractive program such as a nightly backup) already connected to the production database. This process, launched by another user, was executed as "sqlplus promo/promo@email@example.com," which indicates that the process was connecting to the prod database using user ID Promo and password Promo and executing the extract.sql script. Using this same set of user ID and password, the team is finally able to connect to prod.
Once it gains access to the production database, the team finds several database tables that contain user IDs, passwords, credit card information, and order information, but it is unable to view the tables' specific content, because the user IDs were allowed only to see the definition of tables and not the content itself.
However, the team locates a table called "cust_profile" and is able to view its content, which includes the customers' names, billing addresses, e-mail addresses, and other contact information. With that, the team declares victory and begins the cleanup process.
Cleaning up. In the cleanup phase, the testing team attempts to undo any damage it may have caused to the network through its targeting of weaknesses in the system. This step, which is sometimes neglected, is just as critical as the penetration test itself.
In the case of BCS, the testing team had captured all of the hypothetical company's activities in logs, both through keystroke grabbing and network sniffing. These logs not only serve as proof of the team's work and findings but also provide details that are crucial in undoing any changes inadvertently made during the test.
The test team now backtracks down its path and removes the tools from the TestBCS server and terminates the remote command shell program. Once the cleanup process is complete, the team prepares for its presentation to BCS, while the BCS team member returns to BCS to brief the management about the findings.
Post-test meeting. As mentioned previously, the goal of a penetration test is to determine whether a network is susceptible to a timed attack, not to comprehensively identify network weaknesses. BCS wanted a penetration test as a follow up to a comprehensive vulnerability test that had been conducted months earlier. That test had identified a broad range of vulnerabilities that were corrected by the IT department; the penetration test would help them determine whether the security policies and procedures put in place after that vulnerability test were sufficient.
The red team focuses the post-test meeting with BCS management on explaining why the test was successful in breaking into the system, detailing the pathways taken and weaknesses exploited, rather than discussing other weaknesses found during the test. Some short-term remedies and fixes are discussed during the meeting, but because the test was meant to find any crack in the network armor, rather than detail every weakness, solutions are not the focus of the presentation.
With the findings provided by the test team, BCS management will reevaluate both its network assessment guidelines and its operational policies. The company may repeat the penetration test in a year or so, after it has once again reevaluated and secured its network and allowed time for the revised policies to take effect and be enforced. It's not an inexpensive process, though; a test against a company such as BCS could easily cost in the tens of thousands of dollars.
The ethical hackers of the penetration team help the company assess the vulnerability of its network before it is too late. Crime may not pay, but thinking like a criminal may be the only way to avoid becoming a victim.
Frank Lam, CISSP, (Certified Information Systems Security Professional) is a manager of Deloitte & Touche's Enterprise Risk Services in New York. He specializes in application, system, and network design and implementation, and attack and penetration studies. Mike Beekey, CISSP, is a senior manager of Deloitte & Touche's Enterprise Risk Services in Washington, D.C., and the national leader for attack and penetration studies. Kevin Cayo is a senior consultant of Deloitte & Touche's Enterprise Risk Services in New York, specializing in network design and attack and penetration studies.
|Printer friendly Cite/link Email Feedback|
|Author:||Lam, Frank; Beekey, Mike; Cayo, Kevin|
|Date:||Feb 1, 2003|
|Previous Article:||Get the most from your guard force: eliciting peak performance from a contract guard force requires that security managers take a progressive stance...|
|Next Article:||U.S. judicial decisions. (Legal Reporter).|