Goal of this Article
q
- An overview of how Vulnerability Assessment (VA) & Penetration Testing (PT) is done
- qDefining scope of the assessment
- qTypes of Penetration Testing
- qA brief understanding on how Buffer Overflow works
- qHow vulnerabilities are scanned and exploited
- qWhat are the end results
- qWhat a Penetration Testing Report should contain
Vulnerability Assessment (VA)
In this case the security auditor has to only scan for the vulnerabilities in the server or application and filter out the false positives from the scan output by mapping them with the actual vulnerabilities associated with the target host.
Penetration Testing (PT)
In this case the security auditor or the penetration tester not only has to scan for the vulnerabilities in the server or application but also has to exploit them to gain access to the remote server.
Types Of Penetration Testing
Black Box Penetration Testing
- Pen tester has no previous knowledge of the remote network
- • Simulating a real world hacking by a hacker who has no knowledge
(E.g. Operating System running, application running, device type and
network topology etc..) of the remote network environment
White Box Penetration Testing
- • Have the knowledge of the remote network
- •Type of Pen tester network devices (i.e. Cisco gear, TCP/IP),
- •WebServer details (i.e., Apache/*nix or Apache/Win2k),
- •Operating System type (i.e., Windows/*nix),
- •Database platform (i.e., Oracle or MS SQL),
- •Load balancers (i.e. Alteon),
- Firewalls (i.e. Cisco PIX).. etc
- •Simulating a attack by a hacker who is having a detailed knowledge of the remote network environment
Scope Of Penetration Testing
Non-Destructive Test
- •Scans the remote hosts for possible vulnerabilities
- •Analyze and confirm the findings
- •Map the vulnerabilities with proper exploits
- •Exploit the remote system with proper care to avoid disruption of service
- •No highly critical Denial of Service (DoS) attack is tried
Destructive Test
- •Scans the remote hosts for possible vulnerabilities
- • Analyze and confirm the findings
- • Map the vulnerabilities with proper exploits
- •All highly critical Denial of Service (DoS) attacks (e,g like buffer overflows are tried
~~~ Moving On To Penetration Testing ~~~
Penetration testing includes some steps ...
- qFingerprinting or Footprinting
- qNetwork Information Gathering
- qSurveying / Network Mapping
- qPorts Scanning and Services Identification
- qEvading Firewall Rules
- qAutomated Vulnerability Scanning
- qExploiting Services for Known Vulnerabilities
- qExploiting Web-Based Authorization
- qPassword Cracking / Brute Forcing
- qDenial of Services (DoS) Testing
- qEscalation of Privileges
1. Information Gathering
This is the first step for any remote host Penetration Testing. Here the pen-tester try to gather maximum information on the remote host to precise the attack.
3. Network Surveying / Network Mapping
4. Port Scanning & Services Identification 
8. Password Cracking or Brute Forcing
Expected Results:
- qZone Transfer Information
- q Domain Registration Information
- q Email IDs
- q IP Addresses Range
Sample Screenshot (Server queried for Zone-Transfer Info):
(Information Gathered from Zone-Transfer Info)
2. Footprinting / Fingerprinting
In this step, information like WebServer and OS type running on remote host are gathered to further precise the attack.
Expected Results:
- qRemote server OS type
- q Remote server web-server type
- q Applications running on remote server
Sample Screenshot (Banner displaying OS, application & WebServer details):
3. Network Surveying / Network Mapping
A network survey serves often as an introduction to the systems to be tested. It is best defined as a combination of data collection, information gathering, and policy control.
Expected Results:
- qFirewall / Routers / IDS Discovery
- qPossible Local Network / Subnet Discovery
- qIP Addresses Range
- qNetwork Topology Mapping
- qISP information
Sample Screenshot (Local address of the remote network discovered):
Port scanning is the invasive probing of system ports on the transport and network level. This module is to enumerate live or accessible Internet services as well as penetrating the firewall to find additional live systems.
Expected Results:
- qOpen, closed or filtered ports
- qServices Identification
Sample Screenshot (NMAP port scan output):
5. Evading Firewall Rules
In this phase, firewall evasion techniques are used to bypass firewall rules. This can further help in port scanning, remote host detection and remote network discovery.
Expected Results:
- q Mapping of firewall configuration rules
- q Partial Access to devices behind the firewall
Sample Screenshot : (Trace Route using UDP packets)
It is clear from the two screenshots that the packet filtering device (i.e. Firewall / Router) is not configured to block UDP packets.
6. Automated Vulnerability Scanning
The focus of this module is identifying, understanding, and verifying the weaknesses, misconfigurations and vulnerabilities associated with remote host. The scanning is done using automated tools or scripts to make the process faster.
Expected Results:
- qList of vulnerabilities associated with each remote services
- qList of possible denial of service vulnerabilities
- qPossible misconfiguration on the remote server
Sample Screenshot
What is MVS ?
MVS is an automated Internet Vulnerability Scanner which can scans for web based vulnerabilities (Ex: CGI/IIS Unicode) associated with a remote host running a web server. The scanner displayed, shows that the target host isvulnerable to IIS Unicode. The vulnerable string has been highlighted in the below screen shot
7. Exploiting Services For Known Vulnerabilities
MVS is an automated Internet Vulnerability Scanner which can scans for web based vulnerabilities (Ex: CGI/IIS Unicode) associated with a remote host running a web server. The scanner displayed, shows that the target host isvulnerable to IIS Unicode. The vulnerable string has been highlighted in the below screen shot
7. Exploiting Services For Known Vulnerabilities
This is the most important phase of penetration testing. Here the weaknesses found in the remote services are exploited using openly available exploits or self developed or customized exploits.
Expected Results:
- q Gaining Access to the system
- q Retrieving hidden information
- q Domain Hijacking
- q Spamming Mail Servers
Sample Screenshot (FrontPage fp30reg.dll Overflow Exploit):
Here the web application flaws are exploited to gain access to restricted information. The Web-Based authentication is exploited by using XSS (Cross-Site Scripting) or SQL injection or MITM (Man-in-the-middle) attacks etc...
Expected Results:
Sample Screenshot (SQL injection used for gaining access to admin page):  |
Password cracking is the process of validating password strength through the use of automated password recovery tools that expose either the application of weak passwords due to human factors.
Password Lists and Words List are use for validating the password in this process
Expected Results:
Sample Screenshot (Brute Forcing using Brutus):  |
Denial of Service (DoS) is a situation where the applications or services running over the remote system stops functioning and prevents authenticated network users or devices to access it.
Expected Results:
Sample Screenshot (DOS attack for CISCO):  10. Escalation of Privileges Escalation of Privileges is the type of rights the attacker gains over the remote system. It is the final stage of the remote host hacking where the attacker gains complete control over the remote system. |
Expected Results:
    ============================================================= It took me around two days to reproduce the entire paper from the ppt into a webpage. This paper was written by Debasis Mohanty but was not published in webpage form till now so i tried my best to convert it into a webpage. Download the original PPT by him and learn the basics of Buffer Overflow written for beginners only - |
0 comments:
Post a Comment