Network Penetration Testing
APPENDIX: 1 LIST OF SECURITY ASSESSMENT TOOLS
Appendix 1. VA & NETWORK PENETRATION TESTING TOOLS

| SL. NO. | TOOL NAME | DESCRIPTION |
|---|---|---|
| 1. | Nessus | Nessus is an active vulnerability scanner featuring high-speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of the security posture. |
| 2. | Nmap | Nmap ("Network Mapper") is a free and open source utility for network exploration and security auditing. |
| 3. | Netcat | Netcat is a computer networking utility for reading from and writing to network connections over either TCP or UDP. |
| 4. | Netcraft | Netcraft is a web tool that retrieves hosting and web server software information for any domain name. |
| 5. | WHOIS | WHOIS is a query/response protocol widely used for querying an official database to determine the owner of a domain name, an IP address or an autonomous system number on the Internet. |
| 6. | Metasploit | The Metasploit Framework is a tool for developing and executing exploit code against a remote target machine. |
| 7. | BlackWidow | BlackWidow is a multi-function Internet utility used as a web site downloader, Internet download manager, site mapping tool, site ripper and site mirroring tool. |
| 8. | OpenSSL-Scanner | The OpenSSL vulnerability scanner checks hosts for the remotely exploitable KEY_ARG buffer overflow in OpenSSL 0.9.6d and older. |
| 9. | SSLDigger | SSLDigger is a tool to assess the strength of SSL servers by testing the ciphers they support. |
| 10. | DirBuster | DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers. |
| 11. | Wireshark | Wireshark is a network protocol analyzer for Unix and Windows. |
| 12. | List URLs | List URLs parses URLs out of a web page online or a stored page offline. It can optionally resolve hostnames and writes the results to a file or to STDOUT in a grep-able format. |
| 13. | Nipper | Nipper (Network Infrastructure Parser) takes one or more network device configuration files as input, processes them and generates a readable report. |
| 14. | Brutus | Brutus is a remote online password cracker for Windows. |
APPENDIX: 2 Penetration Testing - Methodology
2.1 Penetration Testing (Offsite) – Methodology – Black Box
In an era of increasing Internet connectivity, testing the security of systems is critical to protecting sensitive information. At its simplest, this type of testing consists of using contemporary hacking tools and techniques to confirm the effectiveness of a security configuration.
"Penetration testing is a live test of the effectiveness of security defenses through mimicking the actions of real-life attackers."
Penetration testing is used in a variety of contexts and for a wide range of reasons, including:
- Assessing the type and extent of security-related vulnerabilities in systems and networks.
- Testing network perimeter security.
- Empirically verifying the resistance of applications to misuse and exploits.
- Supplementing security audits.
- Providing a "litmus test" before allowing a new application or system to go live.
- Providing metrics to evaluate the progress of specific areas within a security practice.
- Testing the security baseline for internal systems.
Through penetration testing, RAS Infotech will determine how well the customer network withstands attack, identify the technical risks associated with it, and follow the globally established Open Source Security Testing Methodology Manual (OSSTMM).
RAS Infotech will help the customer minimize the risk of an attacker damaging the customer network by performing a range of intrusion tests using the same techniques known to be used by real attackers. Through ethical hacking we simulate a real intruder's attacks, but in a controlled way that is safe for the customer.
RAS Infotech consultants will conduct the penetration test in the following four phases:
- Information Gathering
RAS Infotech consultants will compile an inventory of all the Internet-facing IP addresses within the scope of the assessment.
- Preparing the Test
To enable the penetration testing process, RAS Infotech consultants will:
Understand the network topology in place, based on existing documentation and initial interactions with the network administration team.
Prepare logical groups of the public-facing assets.
Run a tool-based test designed to exercise all network components within the scope of the project in an attempt to gain unauthorized access. Vulnerabilities will be checked for:
Firewalls
Routers
Switches
Servers: Web Servers, Database Servers, Application Servers, Mail Servers, FTP Servers, etc.
Operating Systems: Windows, UNIX etc.
- Vulnerability Scans
Set up the vulnerability scanners for the targets at the agreed scan time.
- i) Scanning
  - IP Probing / IP Sweeps / Ping Sweeps
  - Port Scanning
  - System Identification
  - Services Identification
  - Denial of Service (DoS) Testing
- ii) Operating System Identification: Identify the network operating system(s) and
- iii) Services Enumeration: Enumerate the accessible services, as well as the applications associated with those services, on the target system.
- iv) Automated Vulnerability Scanning: The focus is to identify, understand and verify the weaknesses, misconfigurations and known vulnerabilities associated with the remote systems.
The scans performed by RAS Infotech are non-invasive and are not intended to damage target systems. Tests excluded from the approach are:
- Brute force
- Buffer overflow
- DoS
The list of reported vulnerabilities will be delivered together with a remediation plan.
- v) Exploitation / Escalation of Privileges: This is the most complex and important part of the exercise. Identified vulnerabilities will be exploited using openly available exploits, or exploits developed by RAS Infotech consultants, with prior approval. Exploits will be run against the known list of vulnerabilities, subject to exploit availability.
Web Application Penetration Testing
Web application penetration testing detects web application vulnerabilities, malware and logic flaws through comprehensive testing, scheduled daily or on demand. Managed by certified security experts, RAS Security Labs web application pen testing helps organizations understand the business impact of logic flaws through detailed proof-of-concept demonstrations.
Our security researchers have developed efficient, well-documented methodologies and tools to assess and identify security issues in web applications quickly. Our tests follow industry standards such as OWASP, WASC and OSSTMM, include business logic tests, and rate findings using CVSS.
RAS Security Labs Methodology in Detail
Application Discovery and Spidering
Application discovery is the process of analyzing the target application software to gather information about it and to identify every host and application in scope. More hosts are often detected during the test itself; hosts discovered later are added to the assessment as a subset of the defined scope. Spidering builds a map of the application with all of its entry points. A spider crawls a web site one page at a time, gathering and storing relevant information such as email addresses, meta tags, hidden form fields, URL information and links; it then follows every link on that page and repeats the process on each page it reaches, so that within a short time it has crawled thousands of links and pages and stored what it found in a database.
Reconnaissance: Information Gathering
Information gathering acquires system-specific information about a web site: software distributions, version details and patch levels. Various tools and techniques are used to obtain it. Most web sites reveal a certain amount of such data, and it is best to limit it wherever possible: the more an attacker learns about the web site, the easier the system is to compromise.
The following tests are carried out to gather information:
- Spiders, Robots and Crawlers
- Search Engine Discovery/Reconnaissance
- Identify application entry points
- Testing Web Application Fingerprint
- Application Discovery
- Analysis of Error Code
Configuration Testing
Configuration testing exercises the server and the application; these tests may reveal sensitive information about the infrastructure and topology in place, ranging from the HTTP methods that are enabled to critical flaws in encryption and cryptographic configuration.
The tests included in configuration management testing are:
- SSL/TLS Testing
- DB Listener Testing
- Infrastructure Configuration Management Testing
- Application Configuration Management Testing
- Testing for File Extensions Handling
- Old, Backup and Unreferenced Files
- Infrastructure and Application Admin Interfaces
- Testing for HTTP Methods and XST
Authentication Testing
Authentication is the process of verifying the claimed identity of a user, typically by username and password, and relies on one or more of three factors: something you know, something you have and something you are. Authentication testing covers the attacks aimed at a web site's method of validating the identity of a user, service or application.
This section lists the tests used to circumvent or exploit the authentication process of a web site:
- Credentials transport over an encrypted channel
- User enumeration testing
- Guessable (Dictionary) user account testing
- Brute force testing: A brute force attack is an automated process of trial and error used to guess a person's username, password, credit-card number or cryptographic
- Authentication schema bypassing test
- “Remember Password”, “PasswordReset” & weak password recovery validation Testing
- Logout and browser cache management testing
- CAPTCHA (or similar human verification) testing
- Multiple factors authentication testing
- Race conditions testing
- Insufficient authentication testing: Insufficient Authentication occurs when a web site permits an attacker to access sensitive content or functionality without having to properly authenticate.
- Weak password recovery validation: Weak Password Recovery Validation is when a web site permits an attacker to illegally obtain, change or recover another user's
Authorization Testing
Authorization is the process of granting a permitted user access to resources. Testing for authorization means understanding how the authorization process works, and covers attacks that target a web site's method of determining whether a user, service or application has the necessary permissions to perform a requested action. For example, many web sites allow only certain users to access specific content or functionality, and a user's access to other resources may be restricted. Using various techniques, an attacker can trick a web site into escalating their privileges to protected areas.
- Path traversal testing
- Authorization schema bypass testing
- Privilege escalation testing
- Credential / Session prediction
- Insufficient authorization
- Insufficient session expiration
- Session fixation
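The path traversal test in the list above, as an added example that is not part of the RAS Security Labs methodology: a static file handler that joins the request path straight onto its document root, beside the hardened version that decodes, resolves and then checks that the result stays under the base directory. The document root, its files and the request paths are constructed so the block runs stand-alone.

```python
"""Path traversal in a static file handler, beside the hardened version.

Added example, not code from the RAS Security Labs methodology. The document
root and the files under it are created in a temporary directory so the block
runs stand-alone; the request paths are constructed.
"""
import os
import tempfile
from urllib.parse import unquote


class PathTraversal(Exception):
    pass


def make_doc_root():
    """Create <root>/public/index.html (served) and <root>/secret.txt (must not be)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "public"))
    with open(os.path.join(root, "public", "index.html"), "w") as f:
        f.write("<h1>hello</h1>")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("db_password=hunter2")
    return root


def serve_vulnerable(root, requested):
    """Joins the decoded request path straight onto the public directory."""
    path = os.path.join(root, "public", unquote(requested))
    with open(path) as f:
        return f.read()


def serve_fixed(root, requested):
    """Decode first, resolve, then require the result to stay under the base."""
    base = os.path.realpath(os.path.join(root, "public"))
    target = os.path.realpath(os.path.join(base, unquote(requested)))
    # realpath has already collapsed ".." segments and symlinks. commonpath
    # avoids the "/srv/public" vs "/srv/public2" trap that a plain startswith
    # check falls into. An absolute request path makes os.path.join discard
    # base entirely, and the same comparison catches that too.
    if os.path.commonpath([base, target]) != base:
        raise PathTraversal(requested)
    with open(target) as f:
        return f.read()


def traversal_blocked(root, requested):
    """True if serve_fixed refuses the request."""
    try:
        serve_fixed(root, requested)
    except PathTraversal:
        return True
    return False


if __name__ == "__main__":
    root = make_doc_root()
    print(serve_vulnerable(root, "../secret.txt"))      # leaks the secret
    print(serve_fixed(root, "index.html"))
    for req in ("../secret.txt", "..%2fsecret.txt", "/etc/hostname"):
        print(req, "blocked:", traversal_blocked(root, req))
```

When testing, send the traversal in several encodings (plain `../`, `..%2f`, `%2e%2e/`, and doubled encodings such as `%252e%252e%252f`) and an absolute path; a handler that validates before decoding, or that only strips `../` literally, passes the obvious case and fails the others.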
Session Management Testing
HTTP is stateless: the server answers each request on its own, without tracking which user sent it or what privileges that user holds. Because of this limitation, user interaction is tracked by application logic called a "session". Session management is the set of all controls governing the stateful interaction between a user and the web application; the session lets the application track the user and the operations they are permitted to perform, from authentication until the user leaves the application. If sessions are mismanaged, users may suffer data or information loss.
The following tests are conducted to ensure proper session management is in place:
- Session management schema testing
- Cookie attributes testing
- Session fixation testing: An attack technique that forces a user's session ID to an explicit value
- Exposed session variables testing
- CSRF (Cross Site Request Forgery) testing
- HTTP Exploit testing
- Insufficient Session Expiration: Test to see if a web site permits an attacker to reuse old session credentials or session IDs for authorization
- Insufficient Authorization: Test to see if a web site permits access to sensitive content or functionality that should require increased access control
- Credential/Session Prediction: A method of hijacking or impersonating a web site
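The cookie attribute and session fixation tests in the list above, as an added example that is not code from the RAS Security Labs methodology: a small audit of Set-Cookie headers for the attributes that protect a session cookie, and a check that the application issues a fresh session ID at login. The headers are constructed, and the session cookie name is an assumption that must be replaced with the application's real one.

```python
"""Cookie attribute audit and a session fixation check.

Added example, not code from the RAS Security Labs methodology. The Set-Cookie
headers are constructed, and SESSION_COOKIE_NAME is an assumption: use the
application's real session cookie name.
"""

SESSION_COOKIE_NAME = "JSESSIONID"  # assumed; application-specific

# Constructed headers: one as a weak application sets it, one hardened.
WEAK_COOKIE = "JSESSIONID=abc123; Path=/"
STRONG_COOKIE = ("JSESSIONID=9f8e7d6c5b4a3f2e1d0c4b6a8c0e2f4a; Path=/; "
                 "Secure; HttpOnly; SameSite=Lax")


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header, served_over_https=True):
    """Return the list of weaknesses found in one Set-Cookie header."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if served_over_https and "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script, so XSS can steal it")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: sent on cross-site requests (CSRF)")
    if "max-age" in attrs or "expires" in attrs:
        findings.append("persistent session cookie: survives closing the browser")
    return findings


def session_id(headers):
    """Session cookie value from a list of Set-Cookie headers, or None."""
    for header in headers:
        name, value, _ = parse_set_cookie(header)
        if name == SESSION_COOKIE_NAME:
            return value
    return None


def session_fixation(pre_login_headers, post_login_headers):
    """True when the pre-authentication session ID stays valid after login.

    An application that keeps (or re-issues) the same ID lets an attacker
    plant a known ID in the victim's browser and reuse it once the victim
    authenticates; the fix is to issue a fresh ID at the moment of login.
    """
    before = session_id(pre_login_headers)
    after = session_id(post_login_headers)
    return before is not None and (after is None or after == before)


if __name__ == "__main__":
    for header in (WEAK_COOKIE, STRONG_COOKIE):
        print(header, "->", audit_cookie(header) or ["ok"])
    print("fixation (no new id):", session_fixation([WEAK_COOKIE], []))
    print("fixation (fresh id): ", session_fixation([WEAK_COOKIE], [STRONG_COOKIE]))
```

To run the fixation check against a live target, capture the Set-Cookie headers from the first unauthenticated response and from the response to a successful login, and pass the two lists in; a missing Set-Cookie after login is the same finding as an unchanged value, since the browser keeps using the ID it already had.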
Data Validation Testing
Data validation testing exercises every form of input to determine whether the application sufficiently validates input data before using it. Data from an external entity or client should never be trusted, since an attacker can tamper with it arbitrarily. Most applications have a large number of entry points, which makes it difficult for developers to enforce this rule everywhere.
The most common web application security weakness is the failure to properly validate input coming from the client or environment before using it. This leads to almost all of the major vulnerabilities in web applications, such as cross-site scripting, SQL injection, interpreter injection, locale/Unicode attacks, file system attacks and buffer overflows.
- SQL Injection
  - Oracle Testing
  - MySQL Testing
  - SQL Server Testing
  - MS Access Testing
  - PostgreSQL Testing
- LDAP Injection
- ORM Injection
- XML Injection
- SSI Injection
- XPath Injection
- IMAP/SMTP Injection
- Code Injection
- OS Commanding
- Buffer Overflow Testing
  - Heap overflow
  - Stack overflow
  - Format string
- Incubated vulnerability testing
- Cross-site scripting
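The SQL injection item above, as an added example that is not code from the RAS Security Labs methodology or any real application: a login check that builds its query by string formatting, the authentication bypass that results, and the same check written with bound parameters. The users table, credentials and payloads are constructed in an in-memory sqlite3 database; the comment syntax and precedence behaviour shown are those of SQLite, and other databases differ in detail.

```python
"""SQL injection in a login check, and the parameterized fix.

Added example: not code from the RAS Security Labs methodology or any real
application. The users table, the credentials and the payloads are constructed
in an in-memory sqlite3 database so the block runs stand-alone.
"""
import hashlib
import sqlite3

# Constructed payloads: the comment sequence "-- " cuts the rest of the query off.
BYPASS_AS_ALICE = "alice' -- "
BYPASS_ANY_USER = "' OR 1=1 -- "


def pw_hash(password):
    # Plain SHA-256 only keeps the example short; store real passwords with a
    # slow salted hash (bcrypt, scrypt or Argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", pw_hash("correct horse")))
    conn.execute("INSERT INTO users VALUES (?, ?)", ("bob", pw_hash("battery staple")))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting: user input becomes SQL."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND pw_hash = '{pw_hash(password)}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Same check with bound parameters: the driver never lets input alter the statement."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash(password)),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both implementations against a valid login and the two payloads."""
    conn = build_db()
    return {
        "valid_login": login_fixed(conn, "alice", "correct horse"),
        "vulnerable_bypass_alice": login_vulnerable(conn, BYPASS_AS_ALICE, "anything"),
        "vulnerable_bypass_any": login_vulnerable(conn, BYPASS_ANY_USER, "anything"),
        "fixed_bypass_alice": login_fixed(conn, BYPASS_AS_ALICE, "anything"),
        "fixed_bypass_any": login_fixed(conn, BYPASS_ANY_USER, "anything"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In the vulnerable version the first payload yields `WHERE username = 'alice' -- ' AND pw_hash = '...'`, so the password check is commented out and the attacker logs in as alice; the second returns whichever row the database scans first. The parameterized version treats both payloads as literal usernames that match no row.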
Client-side Attacks
Client-side attacks target vulnerabilities in client applications that interact with a malicious server or process malicious data. Here the client initiates the connection that results in the attack. When a user visits a web site, trust is established between the two parties, both technologically and psychologically: the user expects the site to deliver valid content and not to attack them during the visit. By abusing these trust expectations, an attacker can employ several techniques to exploit the user.
- Content Spoofing
- Cross-site scripting testing
- Testing for reflected cross-site scripting
- Testing for stored cross-site scripting
- Testing for DOM based cross-site scripting
- Testing for cross site flashing
Denial of Service Testing
A denial of service attack is an attempt to prevent legitimate users from accessing the services offered by an application or server. An attacker can sometimes cause a partial or complete denial of service, making several functions or the whole service unavailable.
The tests performed to check for denial of service vulnerabilities include:
- Testing for SQL Wildcard Attacks
- DoS Testing: Locking Customer Accounts
- DoS Testing: Buffer Overflows
- DoS Testing: User Specified Object Allocation
- DoS Testing: User Input as a Loop Counter
- DoS Testing: Writing User Provided Data to Disk
- DoS Testing: Failure to Release Resources
- DoS Testing: Storing too Much Data in Session
Web Services Testing
Web services are applications that can be published and called over the Internet by client applications. The web services framework uses HTTP (as a standard web application does) together with XML, SOAP, WSDL and UDDI. Web services share the vulnerabilities of other web applications, such as SQL injection and information disclosure and leakage, and also have unique XML/parser-related vulnerabilities that must be tested as well.
The following tests are performed to verify web service vulnerabilities:
- WS Information Gathering
- Testing WSDL
- XML Structural Testing
- XML Content-level Testing
- HTTP GET parameters/REST Testing
- Naughty SOAP attachments
- Replay Testing
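The XML structural tests above target the parser-related vulnerabilities the section mentions: entity expansion ("billion laughs") and external entity (XXE) declarations carried in a DTD. As an added example that is not code from the RAS Security Labs methodology, the block below streams a SOAP request through the standard library's expat parser and refuses it at the first DOCTYPE or entity declaration, before any expansion can happen; only then is the body parsed. The SOAP messages are constructed. In production the defusedxml package applies the same restriction to every stdlib parser.

```python
"""Refuse DTD-bearing XML before a SOAP request reaches the parser.

Added example, not code from the RAS Security Labs methodology. Only the
standard library is used; the SOAP messages are constructed. The defusedxml
package applies the same restriction to every stdlib parser and is the
production choice.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat

SOAP_NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/"}

GOOD_SOAP = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body><GetBalance xmlns="urn:example:bank"><account>42</account></GetBalance></s:Body>
</s:Envelope>"""

# Entity expansion ("billion laughs"): three levels here, ten in the real thing.
BILLION_LAUGHS_SOAP = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body><GetBalance><account>&lol3;</account></GetBalance></s:Body>
</s:Envelope>"""

# External entity (XXE): an expanding parser would read a local file into the response.
XXE_SOAP = """<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body><GetBalance><account>&xxe;</account></GetBalance></s:Body>
</s:Envelope>"""


class UnsafeXML(Exception):
    pass


def check_no_dtd(xml_text):
    """Stream the document through expat and abort on any DOCTYPE or entity declaration."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE '{name}' not allowed in requests")

    def on_entity(*_):
        raise UnsafeXML("entity declaration not allowed in requests")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_text, True)


def soap_operation(xml_text):
    """Return the local name of the first element in the SOAP Body."""
    check_no_dtd(xml_text)  # reject before ET expands anything
    root = ET.fromstring(xml_text)
    body = root.find("s:Body", SOAP_NS)
    if body is None or len(body) == 0:
        raise ValueError("no SOAP Body element")
    return body[0].tag.rsplit("}", 1)[-1]


def rejected(xml_text):
    """True if the request is refused as unsafe XML."""
    try:
        soap_operation(xml_text)
    except UnsafeXML:
        return True
    return False


if __name__ == "__main__":
    print("good:", soap_operation(GOOD_SOAP))
    print("billion laughs rejected:", rejected(BILLION_LAUGHS_SOAP))
    print("xxe rejected:", rejected(XXE_SOAP))
```

When testing a service, send the DOCTYPE-bearing messages and compare response size and time against the benign request; a service that answers the XXE message with file contents, or that stalls on the expansion message, has an unhardened parser.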
AJAX (& Web 2.0) Security Testing
AJAX (Asynchronous JavaScript and XML) is a web development technique for building more responsive rich Internet applications. It combines several technologies to provide an experience closer to that of a desktop application. While AJAX adds many interactive features, an incorrectly designed or developed application opens the possibility for new vulnerabilities. AJAX applications remain exposed to the full range of traditional web application vulnerabilities, including SQL injection caused by insecure coding, and can also be vulnerable to newer classes of attack such as cross-site request forgery (XSRF). Developers are given a great deal of freedom in how the client and server communicate, which makes testing AJAX applications challenging.
Business Logic Testing
Business logic is the part of an application that implements real-world business rules determining how data can be created, stored and changed. Attackers exploit business logic vulnerabilities in many ways to gain unauthorized access to web sites; session handling, credit card transactions and password recovery are just a few examples of web-enabled business processes that have been abused to compromise major sites. Automated scanners cannot detect business logic flaws, because they cannot be programmed to understand the application's context. To understand an application's functionality and find unconventional ways in which a flaw could be exploited, we approach it through the eyes of an attacker.
Business logic testing covers:
- Mapping the entire application
- Examining sensitive areas of production applications
- Finding issues unlikely to be found via automated scanning
- Testing applications not accessible by automated scanners
- Assessing applications that cannot be tested in production-safe ways via automation
- Checking for authentication and authorization issues
- Identifying hard-to-find technical vulnerabilities such as blind XSS and blind SQLi
- Reviewing a detailed vulnerability checklist to ensure complete testing
- Maintaining a proprietary log to ensure all testing is documented
Risk Assessment
Risk assessment is a systematic process of evaluating potential risks. A risk assessment can be quantitative or qualitative.
In a quantitative risk assessment, numerical values are assigned to the probability that an event will occur and to the impact it will have. These values are combined into the event's risk factor, which can in turn be mapped to dollar amounts.
In a qualitative risk assessment, which is used more often, risks are ranked by how much danger they pose.
Reporting
RAS Security Labs delivers a final comprehensive assessment report with an executive summary and details of each technical security vulnerability, including root cause analysis, impact, risk rating and remediation advice. A conference call may be arranged to discuss the findings in the report or to handle follow-up questions.