Stages of a Penetration Test

Friday 30 December 2011

Here's the Secret

For most penetration tests these are the main stages, and they take place in order; each stage gives a higher level of access to and control over the system.

- Information Gathering: This uses non-intrusive techniques to gather as much information as you can about the target network, such as crawling the company's web pages, performing whois lookups, and reading company adverts and news.

- Network Mapping: This is a more technical approach to gaining more information about the system. Here you map all live hosts on the network and on the server, scan the ports and services, identify the operating systems, identify firewalls, switches and routers, fingerprint services, and map out what is available publicly over the internet and which services are internal only.

- Vulnerability Identification: This is where we identify vulnerable services and systems, using the service banners we obtained in the previous phase. We also perform vulnerability scans for known vulnerabilities and check the results for false positives. Once we discover vulnerabilities we enumerate them further and estimate the impact and the privileges gained from each one. From here we can plan our attack path and scenario.

- Penetration: This is where we find tools, scripts and exploits that will help us gain access by exploiting the vulnerabilities identified in the previous stage. We can also develop our own tools and scripts to exploit these vulnerabilities. In this stage we also optimise and customise any scripts we have so that they work in this scenario; it is very common to have to modify exploits to work in the current environment. Once we have all our tools we test the proof of concept against the vulnerabilities to see whether they work, so we can eliminate false positives. At the end of this stage we document our findings and the possible impact of these exploits.

- Gaining Access: Here we attempt to gain some sort of access to the target system, starting with low-privilege access such as finding blank or default passwords on system accounts, brute forcing user accounts, and finding public services with poor configurations that, for example, allow us to read and write files. Here we also use the tools from the previous phase to gain what access we can.

- Privilege Escalation: It is likely that we have only low-level access on the system and cannot complete our goal yet because we lack the necessary privileges. In this stage we identify local vulnerabilities that can give us administrator or root privileges over the system, such as 'root' on Unix systems and 'SYSTEM' on Windows systems. Here we will have to bypass the system's internal antivirus and firewall. We can search for known exploits based on the internal services we have found, or we can attempt to write our own.

- Enumerating Further: Now we are inside the network and can see many systems that weren't accessible from the outside. Here we can obtain the password hashes stored on the current system and crack them to see if they work on any other network systems. We can also identify all other hosts, services, firewalls, routers and switches on the network and test whether they are vulnerable, as in the previous stages. We can also sniff local traffic and attempt to capture more passwords to compromise other systems. Other techniques used in this phase include gathering important data on the local system, such as cookies and browsing history, to attempt password attacks on external web pages. We can also gather email accounts that could enable us to perform phishing attacks on other users in the network, and we could execute client-side attacks on other network users to compromise their systems with a little social engineering.

- Compromising Other Users/Systems: Here we put all the information found in the previous stage to use and gain as much access as we can over the network. It is common to find many vulnerabilities here, as companies often don't think they need to secure the local network because they do not think anyone can access it.

- Maintaining Access: This is where you set up a permanent method of accessing the system so you don't have to exploit it every time you want to get in; this could also keep your access even after the vulnerability is patched. There are a number of methods of doing this. You could set up a backdoor on the system that you can connect to and feed commands to, similar to a system shell. This is usually done by opening a port on the system and allowing access with a username and password; it is important that the backdoor has authentication, otherwise anyone could have access to the system. Rootkits can be installed; these have the highest privileges on a system, even higher than the system administrator. You can also set up covert channels such as HTTP tunnels, ICMP tunnels and VPN tunnels, which allow you to send and receive data to and from the target system undetected.
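
From the defender's side, the simplest signal for the "open a port" style of backdoor described above is a listener that was not present when the host was built. As an added example (not code from this post), here is a Python diff of two `ss -Hlntp` snapshots; both snapshots, the process names and the port numbers are constructed.

```python
"""Flag newly opened TCP listeners by diffing a build-time `ss -Hlntp` snapshot
against a current one. Added example for this post; all data below is constructed."""
import re

# Constructed baseline snapshot of listeners recorded when the host was built.
BASELINE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1023,fd=6))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=944,fd=21))
"""

# Constructed snapshot taken later; an unexpected process now listens on 0.0.0.0:4444.
CURRENT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1023,fd=6))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=944,fd=21))
LISTEN 0 5 0.0.0.0:4444 0.0.0.0:* users:(("unknownd",pid=2310,fd=4))
"""

# State Recv-Q Send-Q Local:Port Peer:Port users:(("proc",pid=N,...
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')

def parse_listeners(text):
    """Return {(bind_addr, port): (process, pid)} from `ss -Hlntp`-style lines."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            addr, port, proc, pid = m.groups()
            found[(addr, int(port))] = (proc, int(pid))
    return found

def new_listeners(baseline_text, current_text):
    """Listeners present now but absent from the baseline, lowest port first.
    A wildcard bind address is marked as reachable from the network."""
    base = parse_listeners(baseline_text)
    cur = parse_listeners(current_text)
    result = []
    for (addr, port), (proc, pid) in sorted(cur.items(), key=lambda kv: kv[0][1]):
        if (addr, port) not in base:
            result.append({"addr": addr, "port": port, "process": proc, "pid": pid,
                           "network_exposed": addr in ("0.0.0.0", "*", "[::]")})
    return result

if __name__ == "__main__":
    for hit in new_listeners(BASELINE, CURRENT):
        print(hit)
```

On a real host the baseline would be taken from `ss -Hlntp` at build time and stored off the box, so that a process which later tampers with the host cannot also rewrite the reference snapshot.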

- Covering Tracks: This is where you do all you can to remain undetected on the system so you can keep access for as long as possible. Here you hide the files used to exploit the system and anything that may raise suspicion. You should also clear the log files, or alter them so the logs of the attack are not there. You can also disable antivirus and IDS to prevent them from finding your backdoor/rootkit.
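
The log clearing and alteration described above is exactly what a tamper-evident log chain is designed to expose: each entry's tag is an HMAC over the entry and the previous tag, so deleting or editing any line breaks every tag from that point on. This is an added example written for this post, not the author's code; the key, the log lines and the host name are constructed, and it assumes the key and tags are kept by a log collector rather than on the monitored host.

```python
"""Tamper-evident log chain: tag[i] = HMAC(key, tag[i-1] || entry[i]).
Deleting or altering a line (the "covering tracks" stage) breaks the chain.
Added example for this post; key and log lines are constructed."""
import hmac, hashlib

# Constructed secret held by the log collector, never by the monitored host.
KEY = b"constructed-demo-key"

def chain_tags(entries, key=KEY):
    """Return one hex tag per entry, each bound to all entries before it."""
    tags, prev = [], b"\x00" * 32
    for entry in entries:
        prev = hmac.new(key, prev + entry.encode(), hashlib.sha256).digest()
        tags.append(prev.hex())
    return tags

def verify_chain(entries, tags, key=KEY):
    """Return (ok, index): index of the first entry whose tag does not match,
    or -1 if intact. A length mismatch means lines were deleted or appended."""
    if len(entries) != len(tags):
        return False, min(len(entries), len(tags))
    recomputed = chain_tags(entries, key)
    for i, (a, b) in enumerate(zip(recomputed, tags)):
        if not hmac.compare_digest(a, b):
            return False, i
    return True, -1

# Constructed auth log lines shipped to the collector while the host was healthy.
ORIGINAL = [
    "Dec 30 10:01:02 host sshd[812]: Accepted password for alice from 10.0.0.5",
    "Dec 30 10:07:44 host sshd[812]: Failed password for root from 10.0.0.99",
    "Dec 30 10:07:51 host sshd[812]: Accepted password for root from 10.0.0.99",
    "Dec 30 10:09:13 host sudo: root : TTY=pts/1 ; COMMAND=/bin/sh",
]
TAGS = chain_tags(ORIGINAL)

# The same file later read back from the host with the two root lines removed.
SCRUBBED = [ORIGINAL[0], ORIGINAL[3]]
# A copy where one line was edited in place rather than deleted.
ALTERED = ORIGINAL[:2] + [
    "Dec 30 10:07:51 host sshd[812]: Failed password for root from 10.0.0.99",
    ORIGINAL[3]]
```

Because every tag depends on the one before it, the collector can also tell a truncated file from an edited one: a shorter file fails the length check, while an in-place edit fails at the edited index.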

- Reporting: This is where you write your report on your findings. You must make sure you tailor the report to the skills of whoever will receive it: a developer must have detailed information on how to patch, whereas a manager may not have vast IT knowledge, so it must give basic details with colourful graphs and images. You must include a summary of the attack, the impact, the tools used, the services that are vulnerable, the systems compromised, the information that was gathered, screenshots, dates and times of the tests, outputs of all the scans, and the next steps to fix the system.
