One way to determine the security of your network is to actively attack your computing resources. In this video, you’ll learn techniques for testing security controls on your network.
<< Previous Video: Assessment TechniquesNext: Vulnerability Scanning >>
If we’re performing a penetration test on our network, then we are going to be actively attacking the systems that are out there. You’ll sometimes hear this referred to as pen testing. And this is a little bit different than vulnerability scanning. When we were doing vulnerability scanning, we were being relatively passive. We weren’t really attacking systems directly.
If we’re trying to get into a system, though, and really see if we can take advantage of the vulnerabilities of that system, then we call that penetration testing. If we’re able to get in and see what the bad guys can do, then certainly we can test and be sure that we’re putting the right security in place. There’s usually a mandate also in some environments that someone come in every so often and actively attack your systems, actively try to get in to your data, to your operating systems, and in through your applications.
There are some guides out there that can help you, one from the National Institute of Standards and Technology.gov. Here’s the publications URL. This is a technical guide to information security testing and assessment. So that is a nice read that can help you understand some of the techniques and some of the things that you can use when you plan to do some of your penetration testing.
If you’re going to be doing penetration testing, then you need to understand what the latest vulnerabilities might be for those operating systems. So you have to stay up to date with what the latest threats are. The challenge, of course, is the applications may have been around for a long time. But sometimes we’re just finding new threats in some very old applications.
And if you don’t keep up with that, then you may never know that there was a new way to get into the way that that application works. You can look at a big list of these. The National Institute of Standards and Technology has a National Vulnerability Database that you can find at nvd.nist.gov. Another thing you can do is to constantly do vulnerability scans.
Use those new methods that you’ve now learned about to see if any of the systems on your network are susceptible to those new threats. And you want to make sure that whatever scanner that you’re using is using the latest signatures because of that. That way, you can say up to date with all of those and watch the news.
There is all kinds of interesting information occurring for the latest set of news. If there’s something big in the news, the bad guys are going to try to find ways to get in using some of those new techniques. And if you’re able to see new vulnerabilities come out, then you may be able to set up your firewalls. You may be able to set up your systems so that even if somebody tried to get in with some of those new techniques, they would not be able to.
There are many aspects to penetration testing. One of the things that we can do is to bypass some of the security controls that might be in our environment. Go outside your environment. Try to force your way in through your firewall. Can you get into the network from somewhere out on the internet?
You might also want to think doing this in person. Think about going and trying to get into the building to get around some of the security you might have. Are there certain gates that are left open? Are certain doors easier to get into? Perhaps there’s an area of the building that’s not monitored.
You want to be able to find those things. You have to think like the bad guy to be able to do that. There are also people inside the organization that may bypass security controls. So don’t focus solely on getting in from the outside. Think about how the people internally in your building and in your network have access to these different systems.
Do they get around your database controls to grab information? Are they taking information from those databases and sharing them with third parties using different tools, like sending it in a Google Mail or sending it through a Yahoo Mail? Your penetration testing should consider this lack of control and see just how much you’re able to do if you had a simple login like everyone uses on your network.
You also want to think about using the same tools that other people use to get around your security systems. There are things like Ultra Surf and Tor and many of the other proxies and encrypted methods to get around your existing security controls. If you have set up a policy that says you may not send our sensitive data out through Google Mail and you’re blocked Google Mail, people try to find a way around that.
So use some of those proxies, use some of those encryption techniques. See what you’re able to boot from inside of your networking and you’ll have a pretty good idea of what anybody else is able to do as well. When you’re testing your security controls, try to use the same methods that the bad guys use. Try to get in your firewall, get around your IPS system, maybe try to do some scanning.
How slow do you have to scan to get through your IPS? That’s one of the best ways you can get an idea of what the bad guys would have to do to get into your systems. And try many different techniques. Maybe it’s not just one scanner. Maybe it’s other scanners. Maybe it’s other security frameworks that would allow you to try different methods to get in.
This is going to give you a pretty good idea of what the bad guys are seeing so that you can have an understanding of how you can set up your security systems to prevent them from even getting in in the first place. When you’re at the point where you’re really trying to exploit some of these vulnerabilities, you have to be pretty careful. Some of these buffer overflows or injections can cause the application to break.
You may cause the database server to be unavailable. You may cause the application itself to not be accessible through a web browser. So that denial of service, that loss of data can be pretty bad. So usually this is something you’re planning internally and you’ve got backups, you make sure that everybody has systems in place that are aware that this is going to occur.
You want to make sure that you don’t cause a problem for anybody else, especially with your production systems. And you may need to try different methods to break into a system. Try your brute force attacks. Try your buffer overflows. Try the known injection types for that application.
There’s many, many different ways. And your goal, of course, is to see if you can get in and pwn that system. And if you’re able to get in, then the bad guys can get in as well. And that’s what you’re trying to avoid. So if you can get in, then you know exactly what you should be patching and filling in all the holes that the bad guys could possibly use.
When performing a penetration test, there’s this concept of a black box, a white box, and a gray box. And it refers to how much you know about this network that you’re attacking, how much you know about the databases and the systems and the firewalls and all of those things that might be in place. If this is a black box test, then you approach it from the perspective of knowing nothing about what’s behind your IP address or what’s on your network, as if you showed up with no prior knowledge of anything that’s happening inside.
Sometimes if you have a third party that you’re contracting to do a test, this might be a way that you start to say, try just getting in and seeing what you can gather. Try some recon. Try to figure out what systems are there. And then try to attack them knowing nothing about what might be there already.
The exact opposite of this, of course, would be a white box, where you’re giving someone a network map. Maybe you already know the IP addresses of your database servers. You know what version numbers they happen to be. And you might be doing some very, very specific vulnerability checks, some very specific penetration tests against all of those different systems that you might have.
A gray box obviously then would be something in between. You know a little bit about the network, you know a little bit about the systems, but you don’t know everything. And if somebody’s going to start performing some tests, they may be much broader tests to be able to determine exactly what might affect those systems that you have in your environment.
A common example of a penetration test is somebody using some specific well known vulnerabilities to attack the operating systems that you might have in your environment. I have here two virtual machines that I’m running. One is my canary machine and one is my destiny machine. This is my machine that’s going to be doing the attack.
The Windows machine here is a relatively unpatched version of Windows. Let’s see the IP address on this machine. It’s 192.168.1.16. And it’s just sitting out there on the network somewhere, waiting for somebody to try performing some type of attack. And see if we can penetrate the security that’s on this Windows machine.
Now, I don’t have the login into this machine as the bad guy. But what I’m going to do is run this Metasploit framework that I’m running here. And I’m going to choose a very specific Windows exploit that deals with the RPC, the Remote Procedure Calls, in this Windows. And I happen to know there was a very, very bad, very, very common vulnerability in some older Windows systems that took advantage of this.
This particular Microsoft RPC DCOM interface buffer overflow is one that I can use to try to attack this machine. And you can see there’s a lot of different things we can do here. It’s definitely going to this system. And I have the option now of setting up and running this particular exploit. So let’s choose some of the things associated with this exploit and run this injection.
I’m going to run– let’s do a reverse shell here. I’m going to do a shell reverse TCP. And 192.168.1.16 is the one– the 25 is my list and the remote host is 26. Let’s scroll down and put that in. So we’re going to add the IP address of that Windows machine– 26.
And I’ll just choose to run that exploit in my console. So it’s going to try going out to that Windows machine, attacking it with that specific vulnerability. And now in my console, I have a shell. And it’s one that allows me to interact with that Windows machine. I can do a directory. I can change directories off to the root.
And now I’m in the root. Let’s do a directory of that. I’m on that Windows machine. I have access to everything on that Windows machine because of that vulnerability. And I would have only been able to see if that machine was really, really exploitable if I tested it with my penetration testing. Now, the idea is I would get the patch for that Windows machine. I would apply that patch.
And then I’d run the same penetration test again. And we want to be sure that none of the bad guys can do exactly what I did to gain access to any of our systems.