Penetration testing is basically when you hire security consultants (or yourself) to exploit your network the way
an attacker would do it, and report the results to you enumerating what holes were found, and how to fix them. It's basically breaking into your own network to see how others would do it.
While many administrators like to run quick probes and port scans on their systems, this is not a penetration test. A penetration tester will use a variety of specialized methods and tools from the underground to attempt to gain access to the network. Depending on what level of testing you have asked for, the tester may even go so far as to call up employees and try to social engineer their passwords out of them (social engineering involves fooling a mark into revealing information they should not reveal).
An example of social engineering could be an attacker pretending to be someone from the IT department and asking a user to reset his password. Penetration testing is probably the only honest way to figure out what security problems your network faces. It can be done by an administrator who is security aware, but it is usually better to pay an outside consultant who will do a more thorough job.
I find there's a lack of worthwhile information online about penetration testing -- nobody really goes about describing a good pen test, and what you should and shouldn't do. So I've hand picked a couple of good papers on the subject and then given you a list of my favorite tools and the way I like to perform a pen-test.
This is by no means the only way to do things -- it's like subnetting, everyone has their own method -- this is just a systematic approach that works very well as a set of guidelines. Depending on how much information you are given about the targets as well as what level of testing you're allowed to do, this method can be adapted.
Penetration testing resources
The advantage of using a Microsoft platform comes from the fact that 90% of your targets may be Microsoft systems. However, the flexibility under Linux is incomparable; it is truly the operating system (OS) of choice for any serious hacker, and as a result, for any serious security professional. There is no best OS for penetration testing -- it depends on what you need to test at a point in time. That's one of the main reasons for having so many different operating systems set up. You're very likely to be switching between them for different tasks.
If I don't have the option of using my own machine, I like to choose any Linux variant. I keep my pen-tests strictly to the network level. There is no social engineering involved or any real physical access testing other than basic server room security and workstation lockdown. (I don't go diving in dumpsters for passwords or scamming employees.)
I try as far as possible to determine the rules of engagement with an administrator or some other technically adept person with the right authorization, not someone at the corporate management level. This is very important because if you do something that ends up causing trouble on the network, it's going to make you look very unprofessional. It's always better to have it what you are allowed to do put clearly in writing.
I would recommend this even if you're an administrator conducting an in-house test. You can get fired just for scanning your own network if it's against your corporate policy. If you're an outside tester, offer to allow one of the company's IT people to be present for your testing. This is recommended because they will ultimately be fixing most of the problems you find. As in-house staff, they will be able to put the results of the test in perspective to the managers.
- Nmap - Workhorse port scanner with version scanning, multiple scan types, OS fingerprinting and firewall evasion tricks. When used smartly, Nmap can find any Internet facing host on a network.
- Nessus - Free vulnerability scanner, usually finds something on every host. It's not too stealthy, though, and will show up in logs.
- Retina - A very good commercial vulnerability scanner, I stopped using this after I started working with Nessus but it's very quick and good. Plus its vulnerability database is very up-to-date.
- Nikto - This is a Web server vulnerability scanner. I use my own hacked up version of this Perl program that uses the libwhisker module. It has quite a few IDS evasion modes and is pretty fast. It is not that subtle, though, which is why I modified it to be a bit more stealthy.
- Cisco Scanner - This is a small little Windows utility I found that scans IP ranges for routers with the default password of "cisco." It has turned up some surprising results in the past and just goes to show how even small little tools can be very useful. I am planning to write a little script that will scan IP ranges looking for different types of equipment with default passwords.
- Sophie Script - A little Perl script coupled with user2sid and sid2user (two windows programs) that can find all the usernames on a Windows box.
- Legion - This is a Windows file share scanner by the erstwhile Rhino9 security group. It is fast and allows you to map the drive right from the software.
- Pwdump2 - Dumps the content of the Windows password SAM file for loading into a password cracker.
- L0phtcrack 3.0 - Cracks the passwords I get from the above or from its own internal SAM dump. It can also sniff the network for password hashes or obtain them via remote registry. I have not tried the latest version of the software, but it is very highly rated.
- Netcat - This is a TCP/UDP connection backend tool, and I am lost without it! Half of my scripts rely on it. There is also an encrypted version called cryptcat that might be useful if you are walking around an IDS. Netcat can do anything with a TCP or UDP connection, and it serves as my replacement to telnet as well.
- Hping2 - A custom packet creation utility, great for testing firewall rules among other things.
- SuperScan - This is a Windows-based port scanner with a lot of nice options. It's fast and has a lot of other neat little tools like NetBIOS enumeration and common tools such as whois, zone transfers, etc.
- Ettercap - When sniffing a switched network, a conventional network sniffer will not work. Ettercap poisons the ARP cache of the hosts you want to sniff so that they send packets to you and you can sniff them. It also allows you to inject data into connections and kill connections among other things.
- Brutus - This is a fairly generic protocol brute forcing tool. It can bruteforce HTTP, FTP, Telnet and many other login authentication systems. This is a Windows tool, however I prefer Hydra for Linux.
This is my collection of exploits in source and binary form. I sort them in subdirectories by operating system, then depending on how they attack - Remote / Local and then according to what they attack - BIND / SMTP / HTTP / FTP / SSH, etc. The binary filenames are arbitrary, but the source filenames instantly tell me the name of the exploit and the version of the software vulnerable. This is essential when you're short on time and you need to pick one. I don't include DoS or DDoS exploits. There isn't anyone I know who would authorize you to take down a production system. Don't do it -- and tell them so.
A lot of people end the pen-test after the scanning stage. Unless someone specifically tells me to do this, I believe it is important you exploit the system to at least level 1. This is important, because there is a very big difference between saying something is vulnerable and actually seeing that the vulnerability is executable. Also, when dealing with executives, saying, "I gained access to the server'" usually gets more attention than, "The server is vulnerable to blank."
After you're done, make a very detailed chronological report of everything you did, including which tools you used, what version they are, and anything else you did without using tools (i.e. SQL injection). Give gory technical details in annexes. Make sure the main document has an executive summary and lots of pie charts that they can understand. Try and include figures and statistics for whatever you can.
To cater to the administrators, provide a report for each host you tested and make sure you provide a link to a site with a patch or fix for every security hole that you point out. Try to provide a link to a site with detailed information about the hole, preferably bugtraq or some well-known source. Many administrators are very interested in these things and appreciate it.
Click over to Firewall.cx for more articles like this one. You don't have to register or jump through any hoops. All you do is get the networking information you want. Copyright 2004 Firewall.cx.