Network Infrastructures

It’s no wonder that managers and company executives are realizing the importance of a well-designed network structure that has enterprise architecture as part of its conception, together with the security aspects involved in the process. With the ever-growing potential for threats on global communication lines, we as a society now engage daily in truly global communication whether we are aware of it or not: calling your local credit card company can bounce you right off a satellite in the UK to India and back in a blink. I would strongly advise hardening your systems to begin with, and if you are not aware of the term, please contact us; our engagements are in both the public and private sectors. We provide a free one-hour consultation and can be available for further consultation or services. Don’t risk what you’ve built; we can provide the solution. For further information, email info@avatarpoint.com and leave the best time to contact you, and we will do the rest.

Digitally Enhanced Human Integration Providers

I find the human integration of man and machine increasingly interesting; were the Borg really our future? I think the move has been a slow one, though: first we had to use big rooms to use them, then they became a personal thing we could use in our home, then they transformed into a connected-everywhere-I-breathe sort of thing, then into an I-need-to-take-it-everywhere-I-go tablet city, and currently wearable and implantable beyond civilian eyes.

Internal Penetration Testing Plan

  • The steps in an effective Internal penetration testing approach.

 

“1. Map the network

2. Scan the network for live hosts.

3. Port-scan individual machines

4. Try to gain access using known vulnerabilities.

5. Attempt to establish null sessions

6. Enumerate users/identify domains on the network.

7. Sniff the network using Wireshark

8. Sniff POP3/FTP/Telnet passwords.

9. Sniff email messages.

10. Attempt replay attacks

11. Attempt ARP poisoning.

12. Attempt MAC flooding.

13. Conduct man in the middle attacks.

14. Attempt DNS poisoning.

15. Try logging into a console machine.

16. Boot the PC using an alternative OS and steal the SAM file.

17. Bypass the OS to obtain information.

18. Reset the administrator password.

19. Attempt to plant a software key logger to steal passwords.

20. Attempt to plant a hardware key logger to steal passwords.

21. Attempt to plant spyware on the target machine.

22. Attempt to plant a Trojan on the target machine.

23. Attempt to bypass antivirus software installed on target machine.

24. Attempt to send a virus using the target machine.

25. Attempt to plant root kits on the target machine.

26. Hide sensitive data on the target machine.

27. Hide hacking tools and other data on the target machine.

28. Use various steganography techniques to hide files on the target machine.

29. Escalate user privileges.

30. Capture POP3 traffic

31. Capture SMTP traffic.

32. Capture IMAP email traffic.

33. Capture the communications between FTP client and FTP server.

34. Capture HTTP traffic.

35. Capture RDP traffic.

36. Capture VOIP traffic.

37. Run Wireshark with the filter ip.src == ip_address.

38. Run Wireshark with the filter ip.dst == ip_address.

39. Run Wireshark with the filter tcp.dstport == port_no.

40. Run Wireshark with the filter ip.addr == ip_address.

41. Spoof the MAC address

42. Poison the victim’s IE proxy server.

43. Attempt session hijacking on telnet traffic.

44. Attempt session hijacking on FTP traffic.

45. Attempt session hijacking on HTTP traffic.

46. Document everything”

 

  • The potential resources available to support Internal penetration testing.

Wireshark, Core Impact, Metasploit, Canvas, Internet Scanner, NetRecon, CyberCop, Nessus, Cisco Secure Scanner and Retina are the most useful tools, as recommended by EC-Council Press (2007).

 

 

  • The phases involved with Internal penetration testing.

According to the National Institute of Standards and Technology (NIST) publication SP 800-115, Planning, Discovery, Attack and Reporting are the phases of the penetration testing methodology; I have not found a variance in sequence whether the testing is external or internal.

 

  • The factors that influence the sequencing and selection of particular Internal penetration testing activities.

The level of access granted by the client is a factor in the penetration testing, as is the budget allocated for it. Depending on some of the initial testing results and on the client’s requests, many different factors can determine the sequencing and selection of activities.

 

 


 

 

Reference:

EC-Council Press (2007). Penetration Testing Procedures and Methodologies. Course Technology, Cengage Learning, Clifton Park, NY.

 

Retrieved from the internet on 2/24/13

csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf

Footprinting & Social Engineering

  • The steps to be included in an effective foot-printing approach.

 

- “Find the company’s external and internal URLs.

-  Perform whois lookup for personal details.

-  Extract DNS information.

-  Mirror the entire website and lookup names.

-  Extract archives of the website.

-  Google search for company’s news and press releases.

-  Use people search for personal information of employees.

-  Find the physical location of the web server using the tool NeoTrace.

- Analyze company’s infrastructure details from job posting.

- Track the email using ‘readnotify.com’.”

I would also include the 34 steps in information gathering described by EC-Council Press (2007); they are most useful in foot-printing. The use of social engineering in foot-printing can also be very useful and productive.

 

  • The potential resources available to support foot-printing and social engineering.

There are a great number of tools that can support foot-printing, such as IP to Country, Anacubis and nslookup. Additionally, many websites can help, such as dnsstuff.com, ARIN and NeoTrace, to name a few.

Social engineering methodologies can be human-based, such as impersonation or a third-person approach, or computer-based, such as getting the target to click a link in an email or respond to a website questionnaire pop-up, to implement a social engineering campaign.

 

  • The role Google can play in identifying potential information useful in subsequent phases of penetration testing.

Google can provide target information on the company or organization’s infrastructure and on press releases that have been made; other useful information includes interviews with employees of the company that reveal names and titles for social engineering projects. Google can also be used in depth with operators such as intitle:"index of" to map the target company or organization’s exposed directory listings, and Google’s advanced search options can focus the results for the tester.

 

  • The areas within the organization that present useful targets for social engineering efforts.

Some of the target areas are “receptionists and help-desk personnel, technical support executives, and vendors of the target organization.”

 

 


 

 

 

 

 

 

Reference:

EC-Council Press (2007). Penetration Testing Procedures and Methodologies. Course Technology, Cengage Learning, Clifton Park, NY.

External Penetration Testing Plan

  • The steps in an effective external penetration testing approach.

1. Inventory company’s external infrastructure

2. Create topographical map of network

3. Identify the IP addresses of the targets.

4. Locate the traffic routes that go to the Web servers.

5. Trace the TCP traffic path to the destination.

6. Trace the UDP traffic path to the destinations.

7. Identify the physical location of the target servers.

8. Examine the use of IPv6 at the remote location.

9. Look up the domain registry for the IP information.

10. Find the block information about the target.

11. Locate the ISP servicing the client.

12. List open ports.

13. List closed ports.

14. List suspicious ports that may be stealth ports.

15. Port scan every port on the target network.

16. Use SYN scan on the target and analyze the response.

17. Use connect scan on the target and analyze the response.

18. Use Xmas scan on the target and analyze the response.

19. Use FIN scan on the target and analyze the response.

20. Use Null scan on the target and analyze the response.

21. Firewalk the routers gateway.

22. Examine TCP sequence number prediction.

23. Examine the use of standard and nonstandard protocols.

24. Examine IP ID sequence number prediction

25. Examine the system uptime of the target.

26. Examine the operating systems used by different targets.

27. Examine the patches applied to the system.

28. Locate the DNS record of the domain and attempt DNS hijacking

29. Download applications from the company’s Web site and reverse engineer the binary code.

30. List programming languages and application software used to create various programs on the target server.

31. Look for errors and custom Web pages.

32. Guess different sub domain names and analyze different responses.

33. Hijack sessions

34. Examine cookies generated by the server.

35. Examine the access controls used by the Web application server.

36. Brute force URL injections and session tokens.

37. Check the directory consistency and page-naming syntax of the Web pages.

38. Look for sensitive information in the webpage source code.

39. Attempt URL encoding on the Web pages.

40. Try buffer overflow attempts in the input fields.

41. Look for invalid ranges in the input fields.

42. Attempt escape character injections

43. Try cross-site scripting (XSS) techniques.

44. Record and replay the traffic to the target Web server and note the response.

45. Try various SQL injection techniques.

46. Examine hidden fields.

47. Examine server-side includes (SSI).

48. Examine e-commerce and payment gateways handled by the Web server.

49. Examine welcome, error and debug messages.

50. Probe the server through SMTP mail bouncing.

51. Grab the banners of the HTTP servers.

52. Grab the banners of the SMTP servers.

53. Grab the banners of the POP3 servers.

54. Grab the banners of the FTP servers.

55. Identify the Web extensions used on the server.

56. Try using an HTTPS tunnel to encapsulate traffic.

57. OS fingerprint target computers.

58. Check for ICMP responses (Type 3 port unreachable).

59. Check for ICMP responses (Type 8 echo request).

60. Check for ICMP responses (Type 13 time-stamp request).

61. Check for ICMP responses (Type 15 information request).

62. Check for ICMP responses (Type 17 subnet address mask request).

63. Check for ICMP responses from broadcast address.

64. Port scan DNS servers (TCP/UDP 53).

65. Port scan TFTP servers (port 69).

66. Test for NTP ports (port 123).

67. Test for SNMP ports (ports 161 and 162)

68. Test for Telnet ports (port 23).

69. Test for LDAP ports (port 389)

70. Test for NetBIOS ports (port 135-139 and 445)

71. Test SQL server ports (ports 1433 and 1434)

72. Test for Citrix ICA ports (port 1494).

73. Test for Oracle ports (port 1521)

74. Test for NFS ports (port 2049).

75. Test for Compaq/HP Insight Manager ports (ports 2301 and 2381).

76. Test for remote desktop ports (port 3389).

77. Test for Sybase ports (port 5000).

78. Test for SIP ports (port 5060).

79. Test for VNC ports (ports 5800 and 5900).

80. Test for X11 ports (port 6000).

81. Test for JetDirect ports (port 9100).

82. Port Scan FTP data (port 20)

83. Port scan Web servers (port 80)

84. Port scan SSL servers (port 443)

85. Port scan Kerberos and Active Directory (TCP/UDP 88).

86. Port scan SSH servers (port 22).
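Steps 16 to 20 of the plan above (SYN, connect, Xmas, FIN and Null scans) differ only in which TCP flag bits the probe sets and in how the reply is read. The Python below is an added example, not part of the original page or of EC-Council’s material: it builds the 20-byte TCP header for each probe type with a correct pseudo-header checksum, which is what hping2 or Nmap do before handing a packet to a raw socket, and classifies a target port from the reply according to RFC 793. The addresses, ports and replies are assumed values; actually sending the segments needs a raw socket and root and is deliberately left out so the block runs offline.

```python
import socket
import struct

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Flag bits each probe sets. connect() sends the same SYN as a SYN scan but
# completes the three-way handshake instead of answering SYN/ACK with RST.
SCAN_PROBES = {
    "syn": TCP_FLAGS["SYN"],
    "connect": TCP_FLAGS["SYN"],
    "fin": TCP_FLAGS["FIN"],
    "null": 0,
    "xmas": TCP_FLAGS["FIN"] | TCP_FLAGS["PSH"] | TCP_FLAGS["URG"],
}


def ones_complement_sum(data):
    """RFC 1071 Internet checksum over `data` (padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header that the TCP checksum covers in addition to the segment."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_probe(src_ip, dst_ip, sport, dport, scan, seq=0x1000, window=1024):
    """Return a 20-byte TCP header for the given scan type with the checksum filled in.
    Data offset 5 (no options), ack number 0, urgent pointer 0."""
    flags = SCAN_PROBES[scan]
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, window, 0, 0)
    csum = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def checksum_ok(src_ip, dst_ip, segment):
    """A segment with a correct checksum sums to zero together with its pseudo-header."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def flags_of(segment):
    """Flags byte of a TCP header (byte 13)."""
    return segment[13]


def classify(scan, reply):
    """Port state from the reply to a probe.

    `reply` is None (nothing came back), the string "icmp-unreachable"
    (ICMP type 3), or the flags byte of the TCP segment that came back."""
    if reply == "icmp-unreachable":
        return "filtered"
    if scan in ("syn", "connect"):
        if reply is None:
            return "filtered"            # probe or answer dropped by a firewall
        if reply & TCP_FLAGS["RST"]:
            return "closed"
        if reply & TCP_FLAGS["SYN"] and reply & TCP_FLAGS["ACK"]:
            return "open"
        return "unexpected"
    # FIN, Null and Xmas: RFC 793 says a closed port answers RST and an open
    # port stays silent, so silence cannot separate open from filtered.
    if reply is None:
        return "open|filtered"
    if reply & TCP_FLAGS["RST"]:
        return "closed"
    return "unexpected"


if __name__ == "__main__":
    src, dst = "192.0.2.10", "192.0.2.20"      # assumed tester and target addresses
    probe = build_probe(src, dst, 40000, 80, "xmas")
    print("xmas probe:", probe.hex(), "checksum ok:", checksum_ok(src, dst, probe))
    print("syn scan, got SYN/ACK ->", classify("syn", TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"]))
    print("fin scan, no reply    ->", classify("fin", None))
```

The caveat behind step 26 (examine the operating systems in use): the FIN/Null/Xmas interpretation assumes the target follows RFC 793. Windows, Cisco IOS and many embedded devices answer every such probe with RST, so all ports look closed to those scans while a SYN scan against the same host still tells open from closed. Read the three stealth-scan results alongside the SYN scan, never on their own.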

  • The potential resources available to support external penetration testing.

There are a number of tools to choose from; below are some listed for your consideration.

“NMAP (http://nmap.org/tools.html)

Nessus (http://www.nessus.org)
A network vulnerability scanner.

SARA (http://www-arc.com/sara/)
The second successor to the SATAN vulnerability scanner tool (the first successor was SAINT).

Whisker (http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=2)
A CGI vulnerability scanner.

Hping2 (http://www.kyuzz.org/antirez/hping/)
A tool to craft custom ICMP, UDP or TCP packets. Allows testing of firewall rules and supports testing with fragmented packets.

Firewalk (http://www.packetfactory.net/Projects/Firewalk/)
A tracer tool that allows the Access Control Lists of a firewall to be determined, so that a network map can be created.

John The Ripper (http://www.openwall.com/john/)
A cracking tool to identify weak passwords.

Crack / Libcrack (http://www.users.dircon.co.uk/~crypto/)
A password cracking tool for Unix systems.

NAT (NetBIOS Auditing Tool) (http://www.tux.org/pub/security/secnet/tools/nat10/)
A tool to identify vulnerabilities in the NetBIOS configuration of an NT system.

Toneloc
A war dialer to check for modems on desktop systems that auto-answer and/or run remote access software.”

  • The phases involved with external penetration testing.
“Penetration testing consists of four phases according to NIST’s pen test methodology.”
“Planning
In the planning phase, rules are identified, management approval is finalized, and the testing goals are set. The planning phase sets the groundwork for a successful penetration test. No actual testing occurs in the planning phase.
Discovery
The discovery phase starts the actual testing. Network scanning (port scanning) is used to identify potential targets. In addition to port scanning, other techniques are commonly used to gather information on the targeted network.
The second part of the discovery phase is vulnerability analysis. During this phase, services, applications, and operating systems of scanned hosts are compared against vulnerability databases (for vulnerability scanners this process is automatic). Generally human testers use their own database or public databases to identify vulnerabilities manually. This manual process is better for identifying new or obscure vulnerabilities, but is much slower than an automated scanner.
Attack
While vulnerability scanners only check that a vulnerability may exist, the attack phase of a penetration test exploits the vulnerability, confirming its existence. Most vulnerabilities exploited by penetration testing and malicious attackers fall into the following categories:
  • Kernel Flaws—Kernel code is the core of an operating system. The kernel code enforces the overall security model for the system. Any security flaw that occurs in the kernel puts the entire system in danger.
  • Buffer Overflows—a buffer overflow occurs when programs do not adequately check input for appropriate length, which is usually a result of poor programming practice. When this occurs, arbitrary code can be introduced into the system and executed with the privileges of the running program. This code often can be run as root on UNIX systems and SYSTEM (administrator equivalent) on Windows systems.
  • Symbolic Links—a symbolic link or symlink is a file that points to another file. Often there are programs that will change the permissions granted to a file. If these programs run with privileged permissions, a user could strategically create symlinks to trick these programs into modifying or listing critical system files.
  • File Descriptor Attacks—File descriptors are nonnegative integers that the system uses to keep track of files rather than using specific filenames. Certain file descriptors have implied uses. When a privileged program assigns an inappropriate file descriptor, it exposes that file to compromise.
  • Race Conditions—Race conditions can occur when a program or process has entered into a privileged mode but before the program or process has given up its privileged mode. A user can time an attack to take advantage of this program or process while it is still in the privileged mode. If an attacker successfully manages to compromise the program or process during its privileged state, then the attacker has won the “race.” Common race conditions include signal handling and core-file manipulation.
  • File and Directory Permissions—File and directory permissions control the access users and processes have to files and directories. Appropriate permissions are critical to the security of any system. Poor permissions could allow any number of attacks, including the reading or writing of password files or the addition of hosts to the list of trusted remote hosts.
  • Trojans—Trojan programs can be custom built or could include programs such as Back Orifice, NetBus, and SubSeven. Kernel root kits could also be employed once access is obtained to allow a backdoor into the system at any time.
  • Social Engineering—Social engineering is the technique of using persuasion and/or deception to gain access to, or information about, information systems. It is typically implemented through human conversation or other interaction. The usual medium of choice is telephone but can also be e-mail or even face-to-face interaction. Social engineering generally follows two standard approaches. In the first approach the penetration tester poses as a user experiencing difficulty and calls the organization’s help desk in order to gain information on the target network or host, obtain a login ID and credentials, or get a password reset. The second approach is to pose as the help desk and call a user in order to get the user to provide his/her user id(s) and password(s). This technique can be extremely effective.
Reporting
The reporting phase occurs simultaneously with the other three phases of the penetration test. In the planning phase, rules of engagement, test plans and written permission are developed. In the discovery and attack phase, written logs are usually kept and periodic reports are made to system administrators and/or management, as appropriate. Generally, at the end of the test an overall testing report is developed to describe the identified vulnerabilities, provide a risk rating, and to give guidance on the mitigation of the discovered weaknesses.
Penetration testing is important for determining how vulnerable an organization’s network is and the level of damage that can occur if the network is compromised. Because of the high cost and potential impact, annual penetration testing may be sufficient. The results of penetration testing should be taken very seriously and discovered vulnerabilities should be mitigated. As soon as they are available, the results should be presented to the organization’s managers.
Corrective measures can include closing discovered and exploited vulnerabilities, modifying an organization’s security policies, creating procedures to improve security practices, and conducting security awareness training for personnel to ensure that they understand the implications of poor system configurations and poor security practices. Organizations should consider conducting less labor-intensive testing activities on a regular basis to ensure that they are in compliance with their security policies and are maintaining the required security posture. If an organization performs other tests (e.g., network scanning and vulnerability scanning) regularly between the penetration testing exercises and corrects discovered deficiencies, it will be well prepared for the next penetration testing exercise and for a real attack.”
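The “Symbolic Links” and “Race Conditions” categories in the quoted text describe one attack: a privileged program checks a path, an attacker swaps in a symlink before the program opens it, and the write lands on a file the attacker chose. The Python below is an added example, not part of the quoted NIST material or of the original page. It shows the vulnerable check-then-open pattern beside its hardened form (O_CREAT|O_EXCL plus O_NOFOLLOW, so a pre-planted link is refused rather than followed) and runs both in a temporary directory standing in for a shared one such as /tmp. File names are assumed, and the attacker’s move is made in-line before the check instead of being raced in a loop.

```python
import os
import tempfile


def write_report_unsafe(path, data):
    """'Before': check-then-open.

    os.path.exists() follows symlinks, so a dangling link planted by an attacker
    looks like "nothing there"; the open() that follows also follows the link and
    creates the attacker's chosen target with this process's credentials."""
    if os.path.exists(path):
        raise FileExistsError(path)
    with open(path, "w") as f:
        f.write(data)


def write_report_safe(path, data):
    """'After': create atomically and never follow a link in the last component.

    O_CREAT|O_EXCL fails with EEXIST if anything (file or link) already sits at
    `path`; O_NOFOLLOW additionally rejects a symlink with ELOOP where supported.
    Mode 0o600 keeps other users of the shared directory from reading the report."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    flags |= getattr(os, "O_NOFOLLOW", 0)   # absent on Windows; O_EXCL still refuses the link
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def demo():
    """Run both versions against a pre-planted dangling symlink and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as shared_dir:
        victim = os.path.join(shared_dir, "victim.conf")   # assumed: a file the attacker wants to control
        link = os.path.join(shared_dir, "report.txt")      # assumed: the name the privileged program writes
        os.symlink(victim, link)   # attacker's move, made before the program's check

        # vulnerable version: the existence check passes and the write is redirected
        write_report_unsafe(link, "attacker-controlled content")
        results["unsafe_created_victim"] = os.path.exists(victim)
        if os.path.exists(victim):
            os.remove(victim)

        # hardened version: the pre-existing link is refused, the victim stays untouched
        try:
            write_report_safe(link, "attacker-controlled content")
            results["safe_refused"] = False
        except OSError:   # EEXIST or ELOOP depending on platform
            results["safe_refused"] = True
        results["safe_created_victim"] = os.path.exists(victim)

        # and on a name nobody has claimed, the hardened version still works
        clean = os.path.join(shared_dir, "report2.txt")
        write_report_safe(clean, "ok")
        results["safe_wrote_clean_file"] = os.path.exists(clean)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix is not the extra check but the absence of one: the hardened version asks the kernel to create-or-fail in a single call, so there is no window between "look" and "open" for the attacker to use. When a file must be written to a directory others can write to, the same idea applies to every step: open with O_EXCL, then work on the file descriptor, never on the path again.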
  • The factors that influence the sequencing and selection of particular external penetration testing activities.

Some of the factors that can determine the sequencing and selection of external penetration testing activities are human resources, either on the organization’s side or on the testing organization’s side.

Some tests may produce results that need further evaluation, which can lead the testing in other directions and change its sequence. Additionally, the organization can provide information that excludes certain tests if that request is part of the contract; if such a request is overlooked, it can halt the testing until properly addressed.


Reference:

EC-Council Press (2007). Penetration Testing Procedures and Methodologies. Course Technology, Cengage Learning, Clifton Park, NY.

Retrieved from the Internet on 2/17/13

 www.sans.org/reading_room/…/testing/penetration-testing-you_265

 

 

 

Understanding the color boxes: Black, White & Gray

Black-box testing is performed without any knowledge of the organization or infrastructure that will be tested; it starts at a zero information level about the organization, entity or infrastructure and builds up from that point. Of the three known types of penetration testing, I believe black-box is the closest to a real-world attack and is often used to simulate real-world attacks, because the methodology used in the testing is identical to that of a real-world attack.

White-box testing is performed with prior knowledge about the organization or infrastructure that will be tested; it is also called “complete knowledge testing” (EC-Council Press, 2007). White-box testing is typically used to complete audits of security or of a specific type of attack. Depending on what needs to be assessed, some or all information about the network can be given. IT may or may not be privy to the testing as well.

Gray-box testing combines the methodologies of both black-box and white-box testing. Gray-box testing looks to find out what vulnerabilities an attacker can exploit through team processes: an attack team is matched with users of the same level of privileges, and the simulation is used to monitor malicious insider attacks. “A Gray Box test provides a full system inspection, from both the developer’s perspective and a real malicious hacker’s perspective. It provides full coverage of a wide variety of vulnerabilities and enumerating all potential risks to a given system.”

I believe the military, government and intelligence communities should use black-box testing; additionally, I recommend it be used in conjunction with gray-box testing, but not simultaneously. Because of the methodology of black-box testing, it would best serve the communities I’ve mentioned. I would not exclude corporations or large entities from using black-box testing; I only wish to state which organizations it would serve best. The real-world threats to our national security are an example of what the black-box testing methodology emulates.

White-box testing should be targeted at corporations, non-profits and small businesses, which this testing methodology would serve well. Today’s corporations are increasingly facing insider threats from their employees, and white-box testing is the correct methodology to use in such cases.

Gray-box testing can be used by many types of organizations and entities; because of the nature and methodologies used in gray-box testing, it is very useful in assessing the overall picture of insider access. If a company feels that its security systems are not up to par, gray-box testing will reveal that flaw and document it.

The general approach for most organizations under normal conditions would, I believe, be white-box testing. I would like to suggest black-box testing because of the current state of the cyber security problems we are facing today in both government and corporations. I am aware the cyber community as a whole has seen ever-increasing attacks on systems over the past 24 months, and this would be my justification for black-box penetration testing methodologies.

 

 

Reference:

EC-Council Press (2007). Penetration Testing Procedures and Methodologies. Course Technology, Cengage Learning, Clifton Park, NY.

 

Retrieved from the Internet on 1/13/2013

https://appsec-labs.com/Gray_Box_Penetration_Testing

America Falling behind the bandwidth wagon

I didn’t find it surprising that the report from the New America Foundation by Hibah Hussain, Danielle Kehl, Benjamin Lennett, Chiehyu Li and Patrick Lucey found some interesting facts about the data speeds here in America and the associated cost of using them, such as: “The results indicate that U.S. consumers in major cities tend to pay higher prices for slower speeds compared to consumers abroad. For example, when comparing triple play packages in the 22 cities surveyed, consumers in Paris can purchase a 100 Mbps bundle of television, telephone, and high-speed Internet service for the equivalent of approximately $35 (adjusted for PPP). By contrast, in Lafayette, LA, the top American city, the cheapest available package costs around $65 and includes just a 6 Mbps Internet connection. A comparison of Internet plans available for around $35 shows similar results. Residents of Hong Kong have access to Internet service with symmetrical download and upload speeds of 500 Mbps while residents of New York City and Washington, D.C. will pay the equivalent price for Internet service with maximum download speeds that are 20 times slower (up to 25 Mbps and upload speeds of up to 2 Mbps).

The results add weight to a growing body of evidence that suggests that the U.S. is lagging behind many of its international counterparts, most of whom have much higher levels of competition and, in turn, offer lower prices and faster Internet service. It suggests that policymakers need to re-evaluate our current policy approaches to increase competition and encourage more affordable high-speed Internet service in the U.S.” The biggest surprise to me was the 500 Mbps speed that Hong Kong has, which we can’t even get close to. With that kind of speed I can see why things get done much quicker in Asia than in America; maybe the Senate, or more people in Washington, should understand the relation between speed and productivity in the computing time of its workers.

C.J.T