Advanced Penetration Testing for
Highly-Secured Environments:
The Ultimate Security Guide
Chapter 1
Planning and Scoping for a Successful Penetration Test
This chapter provides an introduction to the planning and preparation required
to test complex and hardened environments. You will be introduced to the
following topics:
• Introduction to advanced penetration testing
• How to successfully scope your testing
• What needs to occur prior to testing
• Setting your limits – nothing lasts forever
• Planning for action
• Detail management with MagicTree
• Exporting your results into various formats using MagicTree
• Team-based data collection and information sharing with Dradis
• Creating reusable templates in Dradis
Introduction to advanced penetration testing
Penetration testing is necessary to determine the true attack footprint of your
environment. It is often confused with vulnerability assessment, so the difference
between the two should be explained clearly to your clients before any work begins.
Vulnerability assessments
Vulnerability assessments are necessary for discovering potential vulnerabilities
throughout the environment. There are many tools available that automate this
process so that even an inexperienced security professional or administrator can
effectively determine the security posture of their environment. Depending on scope,
additional manual testing may also be required. Full exploitation of systems and
services is not generally in scope for a normal vulnerability assessment engagement.
Systems are typically enumerated and evaluated for vulnerabilities, and testing can
often be done with or without authentication. Most vulnerability management and
scanning solutions provide actionable reports that detail mitigation strategies such as
applying missing patches, or correcting insecure system configurations.
Penetration testing
Penetration testing expands upon vulnerability assessment efforts by introducing
exploitation into the mix.
The risk of accidentally causing an unintentional denial of service or
other outage is moderately higher when conducting a penetration test
than it is when conducting vulnerability assessments. To an extent,
this can be mitigated by proper planning, and a solid understanding
of the technologies involved during the testing process. Thus, it is
important that the penetration tester continually updates and refines
the necessary skills.
Penetration testing allows the business to understand if the mitigation strategies
employed are actually working as expected; it essentially takes the guesswork out
of the equation. The penetration tester is expected to emulate the actions an
attacker would attempt, and is challenged to prove that the critical systems
targeted could be compromised. The most successful penetration tests result in the
tester demonstrating, beyond doubt, that the vulnerabilities found could lead to a
significant loss of revenue unless properly addressed. Think of the impact you
would have if you could prove to the client that practically anyone in the world
has easy access to their most confidential information!
Penetration testing requires a higher skill level than vulnerability analysis. This
generally means that the price of a penetration test will be much higher than that of
a vulnerability analysis. If you are unable to penetrate the network, you will be
assuring your clients that their systems are secure to the best of your knowledge,
and nothing more: a test that finds no way in proves only that you found none. If
you want to be able to sleep soundly at night, I recommend that you go above and
beyond in verifying the security of your clients.
Advanced penetration testing
Some environments will be more secured than others. You will be faced with
environments that use:
• Effective patch management procedures
• Managed system configuration hardening policies
• Multi-layered DMZs
• Centralized security log management
• Host-based security controls
• Network intrusion detection or prevention systems
• Wireless intrusion detection or prevention systems
• Web application intrusion detection or prevention systems
Effective use of these controls increases the difficulty level of a penetration
test significantly. Clients need to have complete confidence that these security
mechanisms and procedures are able to protect the integrity, confidentiality,
and availability of their systems. They also need to understand that at times the
reason an attacker is able to compromise a system is due to configuration errors,
or poorly designed IT architecture.
Note that there is no such thing as a panacea in security. As penetration testers,
it is our duty to look at all angles of the problem and make the client aware of
anything that allows an attacker to adversely affect their business.
Advanced penetration testing goes above and beyond standard penetration testing
by taking advantage of the latest security research and exploitation methods
available. The goal should be to prove that sensitive data and systems are protected
even from a targeted attack, and if that is not the case, to ensure that the client is
provided with the proper instruction on what needs to be changed to make it so.
A penetration test is a snapshot of the current security posture.
Penetration testing should be performed on a continual basis.
Many exploitation methods are poorly documented, frequently hard to use, and
require hands-on experience to effectively and efficiently execute. At DefCon
19 Bruce "Grymoire" Barnett provided an excellent presentation on "Deceptive
Hacking". In this presentation, he discussed how hackers use many of the very same
techniques used by magicians. It is my belief that this is exactly the tenacity that
penetration testers must assume as well. Only through dedication, effort, practice,
and the willingness to explore unknown areas will penetration testers be able to
mimic the targeted attack types that a malicious hacker would attempt in the wild.
Often you will be required to work on these penetration tests as part of a team
and will need to know how to use the tools that are available to make this process
more manageable and efficient. This is yet another challenge presented to today's
pentesters. Working in a silo is simply not an option when your scope restricts you
to a very limited testing period.
In some situations, companies may use non-standard methods of securing their
data, which makes your job even more difficult. The complexity of their security
systems working in tandem with each other may actually be the weakest link in
their security strategy.
The likelihood of finding exploitable vulnerabilities grows with the
complexity of the environment being tested.
Before testing begins
Before we commence with testing, there are requirements that must be taken into
consideration. You will need to determine the proper scoping of the test, timeframes
and restrictions, the type of testing (Whitebox, Blackbox), and how to deal with
third-party equipment and IP space. The Penetration Testing Execution Standard
(PTES) lists these scoping items as part of the "Pre-Engagement Interaction" stage.
I highly recommend that you review this phase at:
http://www.pentest-standard.org/index.php/Pre-engagement
Although this book does not follow the PTES directly, I will attempt
to point out the sections of the PTES where the material relates.
Determining scope
Before you can accurately determine the scope of the test, you will need to gather
as much information as possible. It is critical that the following is fully understood
prior to starting testing procedures:
• Who has the authority to authorize testing?
• What is the purpose of the test?
• What is the proposed timeframe for the testing? Are there any restrictions
as to when the testing can be performed?
• Does your customer understand the difference between a vulnerability
assessment and a penetration test?
• Will you be conducting this test with, or without cooperation of the IT
Security Operations Team? Are you testing their effectiveness?
• Is social engineering permitted? How about Denial of Service attacks?
• Are you able to test physical security measures used to secure servers, critical
data storage, or anything else that requires physical access? For example,
lock picking, impersonating an employee to gain entry into a building, or just
generally walking into areas that the average unaffiliated person should not
have access to.
• Are you allowed to see the network documentation or to be informed of the
network architecture prior to testing to speed things along? (Not necessarily
recommended, as it may cast doubt on the value of your findings; most clients
do not expect this information to be easy to obtain on your own.)
• What are the IP ranges that you are allowed to test against? There are
laws against scanning and testing systems without proper permissions. Be
extremely diligent when ensuring that these devices and ranges actually
belong to your client or you may be in danger of facing legal ramifications.
• What are the physical locations of the company? This is more valuable to
you as a tester if social engineering is permitted because it ensures that you
are at the sanctioned buildings when testing. If time permits, you should let
your clients know if you were able to access any of this information publicly
in case they were under the impression that their locations were secret or
difficult to find.
• What happens if there is a problem, or once the initial goal of the test has
been reached? Will you continue to test to find more entry points, or is the
testing over? This part is critical and ties into the question of why the
customer wants a penetration test in the first place.
• Are there legal implications that you need to be aware of such as systems
that are in different countries, and so on? Not all countries have the same
laws when it comes to penetration testing.
• Will additional permission be required once a vulnerability has been
exploited? This is important when performing tests on segmented networks.
The client may not be aware that you can use internal systems as pivot points
to delve deeper into their network.
• How are databases to be handled? Are you allowed to add records, users,
and so on?
This listing is not all-inclusive and you may need to add items to the list depending
on the requirements of your clients. Much of this data can be gathered directly from
the client, but some will have to be handled by your team.
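Two of the items above, the IP ranges you are permitted to test and the hours during which testing may occur, are the ones most likely to put you on the wrong side of the law if they are mishandled. The following is an added example, not tooling from this book, of a small scope guard that a team can run over its target list before any scanner is started. The rules of engagement (authorised CIDRs, carve-outs for third-party equipment, and an overnight testing window) are constructed for illustration; hostnames are rejected on purpose, because a name can resolve to an address outside the agreed ranges.

```python
"""Scope guard: check candidate targets against the authorised ranges,
the exclusions and the agreed testing window before anything is scanned.
Constructed example for a hypothetical client; not the book's own tooling."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import Iterable, Tuple

# Constructed rules of engagement (documentation ranges only, RFC 5737/3849).
ROE = {
    "in_scope": ["198.51.100.0/24", "203.0.113.0/26", "2001:db8:10::/48"],
    # Carve-outs, e.g. an ISP-managed gateway and a third-party hosted host.
    "excluded": ["198.51.100.1/32", "203.0.113.5/32"],
    "window_start": "22:00",   # testing permitted 22:00 .. 06:00 local time
    "window_end": "06:00",
}


@dataclass(frozen=True)
class Scope:
    in_scope: Tuple[ipaddress._BaseNetwork, ...]
    excluded: Tuple[ipaddress._BaseNetwork, ...]
    window_start: time
    window_end: time


def load_scope(roe: dict) -> Scope:
    """Parse the agreed ranges once; a typo here is caught before testing starts."""
    return Scope(
        in_scope=tuple(ipaddress.ip_network(n, strict=False) for n in roe["in_scope"]),
        excluded=tuple(ipaddress.ip_network(n, strict=False) for n in roe["excluded"]),
        window_start=time.fromisoformat(roe["window_start"]),
        window_end=time.fromisoformat(roe["window_end"]),
    )


def classify(target: str, scope: Scope) -> str:
    """Return 'in_scope', 'excluded', 'out_of_scope' or 'invalid' for a single
    address or a CIDR block. Hostnames come back as 'invalid': resolve them
    first and classify the resulting addresses, never the name itself."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return "invalid"
    # Exclusions win: any overlap with a carve-out blocks the whole target,
    # so a /28 that contains one excluded host is refused as a unit.
    if any(net.overlaps(ex) for ex in scope.excluded if ex.version == net.version):
        return "excluded"
    # subnet_of() only compares like versions, hence the version filter.
    if any(net.subnet_of(ok) for ok in scope.in_scope if ok.version == net.version):
        return "in_scope"
    return "out_of_scope"


def partition_targets(targets: Iterable[str], scope: Scope) -> dict:
    """Bucket a raw target list so only the in_scope bucket is ever fed to a scanner."""
    buckets = {"in_scope": [], "excluded": [], "out_of_scope": [], "invalid": []}
    for raw in targets:
        target = raw.strip()
        if target:
            buckets[classify(target, scope)].append(target)
    return buckets


def in_window(now_hhmm: str, scope: Scope) -> bool:
    """True if a local wall-clock time (HH:MM) falls inside the agreed window.
    Handles windows that cross midnight, such as 22:00 .. 06:00."""
    now = time.fromisoformat(now_hhmm)
    start, end = scope.window_start, scope.window_end
    if start <= end:
        return start <= now < end
    return now >= start or now < end


if __name__ == "__main__":
    scope = load_scope(ROE)
    # Constructed target list as a team might receive it from the client.
    sample = ["198.51.100.20", "198.51.100.1", "203.0.113.70", "203.0.113.0/28",
              "2001:db8:10::5", "192.0.2.7", "mail.example.com"]
    for bucket, members in partition_targets(sample, scope).items():
        print(f"{bucket:13} {members}")
    print("23:30 inside window:", in_window("23:30", scope))
    print("12:00 inside window:", in_window("12:00", scope))
```

Keep the rules-of-engagement dictionary under version control alongside the signed authorisation so that the ranges your tools see are exactly the ranges the client approved, and re-run the guard whenever the target list changes during the engagement.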