Network Penetration Testing-Methodology & Approach

Introduction: 

Network Penetration Testing is the process of finding security issues in an organization's network, the devices attached to it and the applications running on it. Typical issues include insecure protocols, misconfigured operating systems, improper firewall protection and outdated software.

The main aim of this testing is to identify security issues in the network and remediate them before an attacker locates and exploits them. The test gives the organization an attacker's view of its network, shows how effective its current defenses are, and indicates how prepared it is against evolving threats.

Methodology: 

The testing process is based on the Open Source Security Testing Methodology Manual (OSSTMM) and is executed in four steps:

  1. Reconnaissance
    • Port Scanning
    • OS Fingerprinting
    • Service Fingerprinting
  2. Vulnerability Assessment
  3. Manual Penetration Testing
  4. Report Generation

1. Reconnaissance:

In this stage, testers gather as much information about the target network as possible without running any intrusive tests. They review network specifications, typical usage of the network and other relevant documentation. The information gathered here is reused in every later stage.

Information collected includes domain names, server names, IP addresses, a network map, ISP / ASP details, system and service owners, and any limitations on the test.

Techniques include DNS interrogation, website searches, whois queries against Internet registry databases, analysis of e-mail headers and bounced mail, traceroute and ping to servers, website spidering, inspection of robots.txt files and extraction of metadata from public documents.

Tools include the DNS utilities nslookup, DNSRecon and DNSMap, and Metagoofil for document metadata.
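The e-mail header technique above is easy to show offline. The script below is an added example written for this page, not a tool from the original article: it walks the Received chain of a constructed message (hostnames and addresses are placeholders in documentation ranges) and pulls out internal hostnames, RFC 1918 addresses leaked by intermediate hops, and the mail software each hop reveals. It relies only on the Python standard library.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample message for this example (not a real capture). Hosts and
# addresses are placeholders in documentation ranges.
SAMPLE_MESSAGE = (
    "Received: from mx-edge.example.com (mx-edge.example.com [203.0.113.10])\n"
    "\tby inbound.mailprovider.example (Postfix) with ESMTPS id 4F2A1\n"
    "\tfor <tester@mailprovider.example>; Mon, 4 Mar 2024 10:15:02 +0000\n"
    "Received: from EXCH01.corp.example.local (10.20.30.40) by\n"
    "\tmx-edge.example.com (10.20.30.5) with Microsoft SMTP Server id 15.1.2507.27\n"
    "Received: from [192.168.5.77] (helpdesk-pc.corp.example.local) by\n"
    "\tEXCH01.corp.example.local with ESMTP; Mon, 4 Mar 2024 10:14:58 +0000\n"
    "From: helpdesk@example.com\n"
    "To: tester@mailprovider.example\n"
    "Subject: Re: account question\n"
    "Message-ID: <20240304101458.1234@EXCH01.corp.example.local>\n"
    "X-Mailer: Microsoft Outlook 16.0\n"
    "\n"
    "Thanks for reaching out.\n"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\b")
SOFTWARE_RE = re.compile(r"\((Postfix|Exim[^)]*|Sendmail[^)]*)\)|(Microsoft SMTP Server id [\d.]+)")


def is_internal(ip):
    """RFC 1918 check; an internal address in a public header is a finding by itself."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def mine_headers(raw_message):
    """Pull hostnames, IPs and mail software out of the Received chain and related headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    # Each MTA prepends its own Received header, so reversing puts the origin first.
    hops = [str(h) for h in reversed(msg.get_all("Received", []))]
    text = "\n".join(hops + [str(msg.get("Message-ID", "")), str(msg.get("X-Mailer", ""))])
    ips = set(IP_RE.findall(text))
    # Drop pure-numeric matches (IPs, version numbers) so only real hostnames remain.
    hosts = {h for h in HOST_RE.findall(text) if re.search(r"[A-Za-z]", h)}
    software = {m for groups in SOFTWARE_RE.findall(text) for m in groups if m}
    if msg.get("X-Mailer"):
        software.add(str(msg["X-Mailer"]))
    return {
        "hops": hops,
        "hosts": sorted(hosts),
        "internal_ips": sorted(ip for ip in ips if is_internal(ip)),
        "public_ips": sorted(ip for ip in ips if not is_internal(ip)),
        "software": sorted(software),
    }


if __name__ == "__main__":
    for key, value in mine_headers(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

On a real engagement the input is a bounce or an auto-reply provoked by mailing a non-existent address at the target; the internal Exchange hostname, the 10.x and 192.168.x addresses and the server build number that surface here are exactly the kind of detail that feeds the later scanning and fingerprinting stages.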

The following three activities are the core of this stage:

Port Scanning: 

Port Scanning is the invasive examination of a system's ports at the transport layer. A network scan identifies the active hosts and maps them to their IP addresses. This activity enumerates live or accessible Internet services and, where possible, finds additional live systems behind the firewall. Tools and techniques are chosen so that scans run stealthily, to avoid raising alerts and to bypass IDS, IPS and firewall controls.

The expected results include open, closed, or filtered ports, IP addresses of live systems, list of discovered tunneled and encapsulated protocols, list of discovered routing protocols supported, network map.

Techniques include TCP half-open (SYN) and full-connect scans, as well as FIN, ACK and other stealth scans, and scanning the network to detect filtered ports. Packet fragmentation and session splicing are used to pass through firewalls and IDS systems unnoticed; SNMP querying is carried out for additional network information.

Tools used include Fragroute, Whisker, Nmap, Firewalk, SNMPc and Hping.  

OS Fingerprinting:

OS Fingerprinting determines the operating system, version and patch level of a target host by analyzing the packets it sends in response to carefully crafted probes. It is performed to map the remote network and to select exploits for the vulnerabilities present on it.

Active fingerprinting works best when the host has at least one open TCP port, so that a full SYN, SYN/ACK, ACK handshake can be completed, and at least one closed port that answers with RST; results against a fully filtered host are unreliable.

The expected result includes OS type, version level and patch level. 

Techniques used include Identification of operating system version and patch level based on responses to customized TCP/UDP packets, ICMP responses, OS banners and TCP sequence numbers.  

Tools used include Nmap, Ring and Xprobe. 

Service Fingerprinting:

This is the active inspection of the application listening behind the service. In certain cases, more than one application exists behind a service, where one application is the listener and the others are components of the listening application. A good example of this is Perl installed for use in a web application: the listening service is the HTTP daemon and the component is Perl.

The expected result includes service type and patch level. 

Application identification is carried out by capturing application banners, responses to custom queries,  analysis of websites for internal links, platform information and protocol behavior.  

Tools used include Nmap, Amap, and Nessus. 
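The port-scanning and service-fingerprinting activities described above can be shown end to end against constructed local targets. The following is an added example written for this page, not code from the original article or from Nmap or Amap: it performs a TCP full-connect scan that classifies each port as open, closed or filtered, then fingerprints the open ones the way Nmap's service probes do, first listening for a banner (services such as SSH speak first) and then sending an HTTP request to services that stay silent. The two listeners it scans are throwaway threads on 127.0.0.1 that imitate an SSH and an HTTP server; the banner strings and the signature table are constructed for the example.

```python
import re
import socket
import threading

# Probe/match pairs in the spirit of Nmap's service probes. The NULL probe
# (send nothing, just listen) goes first because SSH and SMTP servers speak
# first; HTTP only answers once it receives a request.
PROBES = [
    (b"", [
        ("ssh", re.compile(rb"^SSH-(?P<proto>[\d.]+)-(?P<product>\S+)")),
        ("smtp", re.compile(rb"^220 (?P<host>\S+) ESMTP (?P<product>[^\r\n]+)")),
    ]),
    (b"GET / HTTP/1.0\r\n\r\n", [
        ("http", re.compile(rb"^HTTP/1\.[01] \d{3}.*?\r\nServer: (?P<product>[^\r\n]+)", re.S)),
    ]),
]


def scan_port(host, port, timeout=0.5):
    """TCP full-connect scan of one port, classified the way Nmap reports it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))   # three-way handshake completed
        return "open"
    except ConnectionRefusedError:
        return "closed"           # RST came back: host is up, nothing listens
    except OSError:
        return "filtered"         # timeout or ICMP unreachable: a filter is in the way
    finally:
        s.close()


def exchange(host, port, probe, timeout):
    """Connect, send an optional probe, return whatever the service answers."""
    s = socket.create_connection((host, port), timeout=timeout)
    try:
        if probe:
            s.sendall(probe)
        return s.recv(1024)
    except OSError:               # silent service: recv timed out
        return b""
    finally:
        s.close()


def fingerprint(host, port, timeout=0.5):
    """Return (service, details) for an open port, or ('unknown', {})."""
    for probe, matches in PROBES:
        data = exchange(host, port, probe, timeout)
        for name, pattern in matches:
            m = pattern.search(data)
            if m:
                details = {k: v.decode(errors="replace") for k, v in m.groupdict().items() if v}
                return name, details
    return "unknown", {}


def fake_service(banner=b"", reply=b""):
    """Constructed target for the demo: a throwaway listener on 127.0.0.1.

    With a banner it behaves like SSH (talks first); with a reply it waits
    for the client's request like an HTTP server. Returns the bound port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                with conn:
                    if banner:
                        conn.sendall(banner)
                    elif reply and conn.recv(1024):
                        conn.sendall(reply)
            except OSError:
                continue  # client gave up (NULL probe against a silent service)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def run_demo():
    """Scan three constructed local ports and fingerprint the open ones."""
    targets = {
        "ssh": fake_service(banner=b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"),
        "http": fake_service(reply=b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Length: 0\r\n\r\n"),
    }
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    targets["closed"] = tmp.getsockname()[1]
    tmp.close()                   # nothing listens here any more: expect RST

    results = {}
    for label, port in targets.items():
        state = scan_port("127.0.0.1", port)
        service = fingerprint("127.0.0.1", port) if state == "open" else ("", {})
        results[label] = (state, service)
    return results


if __name__ == "__main__":
    for label, (state, service) in run_demo().items():
        print(f"{label:7} {state:9} {service}")
```

A full-connect scan is the noisiest option, since every open port sees a completed handshake that the application logs; the half-open and FIN/ACK scans the text lists need raw sockets and privileges, which is why Nmap or Hping is used for them in practice. The "filtered" branch is where firewall behavior shows up: a port that never answers, or answers with ICMP unreachable, cannot be told apart from a dead host without the complementary techniques such as ACK scanning or Firewalk.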

2. Vulnerability Assessment: 

In this stage, different automated tools are used to test for vulnerabilities for determining existing security loopholes and system patch levels.

Expected results include a list of system vulnerabilities, type of application or service by vulnerability,  patch levels of systems and applications, list of possible denial of service vulnerabilities. 

Techniques used include a comparison of system information collected with public security databases to determine system security risks, searching online databases and mailing lists specific to the systems being tested. 

Automated tools such as Qualys, Nessus, Nikto and Whisker are used to identify known vulnerabilities. Custom scripts written in NASL (the Nessus Attack Scripting Language) are also run to test for specific application vulnerabilities. Every discovered vulnerability is validated by an expert to eliminate false positives.
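The core of the automated comparison the text describes is matching fingerprinted versions against advisory version ranges. The script below is an added example for this page, not part of the article or of any scanner: the inventory is constructed, and the two advisories are real, widely known ones (CVE-2016-10009, OpenSSH before 7.4; CVE-2014-0160, OpenSSL 1.0.1 through 1.0.1f) expressed in a simplified feed format that is an assumption of the example, since real feeds use CPE match strings.

```python
import re

# Constructed inventory in the shape the service-fingerprinting stage produces.
INVENTORY = [
    {"host": "10.20.30.5", "port": 22, "product": "openssh", "version": "7.2p2"},
    {"host": "10.20.30.5", "port": 443, "product": "openssl", "version": "1.0.1f"},
    {"host": "10.20.30.40", "port": 22, "product": "openssh", "version": "8.9p1"},
    {"host": "10.20.30.40", "port": 443, "product": "openssl", "version": "1.0.1g"},
]

# Two real, widely known advisories in a constructed feed format. Real feeds
# (NVD, vendor advisories) use CPE match strings; the bounds below are the
# ones stated in those advisories.
ADVISORIES = [
    {"id": "CVE-2016-10009", "product": "openssh", "lt": "7.4",
     "summary": "ssh-agent loads PKCS#11 modules from an untrusted search path"},
    {"id": "CVE-2014-0160", "product": "openssl", "gte": "1.0.1", "lte": "1.0.1f",
     "summary": "Heartbleed: out-of-bounds read in the TLS heartbeat extension"},
]


def version_key(version):
    """Make version strings comparable: '7.2p2' -> ((0,7,''),(0,2,''),(1,0,'p'),(0,2,'')).

    Numbers compare numerically and letter suffixes after them; a pre-release
    scheme such as '1.2-rc1' would need product-specific rules not handled here.
    """
    key = []
    for token in re.findall(r"\d+|[A-Za-z]+", version):
        if token.isdigit():
            key.append((0, int(token), ""))
        else:
            key.append((1, 0, token.lower()))
    return tuple(key)


def affected(service, advisory):
    """True when the product matches and the version falls inside the advisory's bounds."""
    if service["product"] != advisory["product"]:
        return False
    v = version_key(service["version"])
    if "lt" in advisory and not v < version_key(advisory["lt"]):
        return False
    if "lte" in advisory and not v <= version_key(advisory["lte"]):
        return False
    if "gte" in advisory and not v >= version_key(advisory["gte"]):
        return False
    return True


def assess(inventory, advisories):
    """Cross-reference every fingerprinted service against the advisory list."""
    findings = []
    for service in inventory:
        for advisory in advisories:
            if affected(service, advisory):
                findings.append({
                    "host": service["host"], "port": service["port"],
                    "version": service["version"], "id": advisory["id"],
                    "summary": advisory["summary"],
                })
    return findings


if __name__ == "__main__":
    for f in assess(INVENTORY, ADVISORIES):
        print(f"{f['host']}:{f['port']} {f['version']} -> {f['id']}: {f['summary']}")
```

Output of this stage is a list of candidates, not confirmed findings: distribution packages routinely backport fixes without changing the banner version, so a version-range match like the OpenSSH one here is precisely the kind of result that the expert validation step must confirm or discard.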

3. Manual Penetration Testing: 

In this step, the vulnerabilities identified in the previous steps are verified manually. After verification, candidate exploits are classified as harmless or harmful. Harmless exploits, those that do not disrupt the target, can be executed under controlled conditions; harmful exploits are performed only after explicit confirmation from the customer.

Expected results include the demonstration of exploited vulnerabilities. Few examples are given below: 

Password Cracking: Password cracking attempts to gain unauthorized access to the network or a system by guessing passwords, either from lists of common passwords or by systematically generating candidates.

Expected results include password file cracked, list of login IDs with user or system passwords, list of systems vulnerable to crack attacks, list of documents or files vulnerable to crack attacks, list of systems with user or system login IDs using the same passwords. 

Password cracking techniques include brute force, dictionary and hybrid attempts on systems to audit the strength of passwords.  

Tools for password cracking include L0phtCrack, John the Ripper, Brutus and SQLdict.
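The dictionary and hybrid techniques, and the "same password on several systems" finding listed under expected results, are small enough to show in full. The script below is an added example for this page, not code from the article or from John the Ripper: the credential dump is constructed (salts and passwords are made up, and the hashes are computed in the script so it is self-contained), and it uses salted SHA-256 as a stand-in for the far slower crypt(3) formats a real shadow file would contain. Brute force is the same loop with an exhaustive candidate generator and is left out.

```python
import hashlib


def digest(salt, password):
    """Stand-in for crypt(3): one unsalted-looking SHA-256 over salt + password."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed credential dump: (system, login, salt, digest). Digests are
# computed here from known passwords so the example runs stand-alone.
DUMP = [
    ("web01", "alice", "x1", digest("x1", "Summer2024!")),
    ("web01", "bob", "y2", digest("y2", "password1")),
    ("db01", "alice", "z3", digest("z3", "Summer2024!")),
    ("db01", "svc_backup", "w4", digest("w4", "P@ssw0rd")),
    ("db01", "carol", "v5", digest("v5", "7Gx#k9!Qz2Lm")),
]

WORDLIST = ["password", "summer", "welcome", "admin"]   # tiny stand-in for a real wordlist
SUFFIXES = ["", "1", "123", "!", "2024", "2024!"]
LEET = str.maketrans("aoei", "@031")


def candidates(wordlist):
    """Hybrid attack: each dictionary word, then case, leet and suffix mutations."""
    seen = set()
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            for variant in (base, base.translate(LEET)):
                for suffix in SUFFIXES:
                    candidate = variant + suffix
                    if candidate not in seen:
                        seen.add(candidate)
                        yield candidate


def crack(dump, wordlist):
    """Return {(system, login): password} for every hash the attack recovers."""
    by_salt = {}
    for system, login, salt, want in dump:
        by_salt.setdefault(salt, []).append((system, login, want))
    cracked = {}
    for candidate in candidates(wordlist):
        # Hash each candidate once per distinct salt, not once per account.
        for salt, accounts in by_salt.items():
            got = digest(salt, candidate)
            for system, login, want in accounts:
                if got == want:
                    cracked[(system, login)] = candidate
    return cracked


def password_reuse(cracked):
    """Logins that share one password across systems: the reuse finding in the report."""
    by_password = {}
    for account, password in cracked.items():
        by_password.setdefault(password, set()).add(account)
    return {pw: sorted(accounts) for pw, accounts in by_password.items() if len(accounts) > 1}


if __name__ == "__main__":
    hits = crack(DUMP, WORDLIST)
    for (system, login), password in sorted(hits.items()):
        print(f"{system}:{login} -> {password}")
    for password, accounts in password_reuse(hits).items():
        print("reused:", password, accounts)
```

Two points carry over to real engagements: per-account salts mean reuse is invisible in the hashes themselves and only appears after cracking, which is why the cracked list is cross-referenced across systems; and the mutation rules are what turn a short wordlist into hits on passwords such as a capitalized word with a year and punctuation appended, the pattern that password policies tend to encourage rather than prevent.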

Buffer Overflow: Buffer overflow attacks exploit specific vulnerabilities in operating systems and applications by supplying input longer than the memory buffer allocated to hold it.

Expected results include administrative access to the compromised system. Tools are dependent on discovered vulnerabilities.

4. Report Generation: 

A report is generated detailing all identified vulnerabilities in the network and systems, with specific recommendations to mitigate each risk. Based on the risks discovered in the IT infrastructure, the testers suggest practical solutions and develop an implementation roadmap for strengthening security.

This involves patch recommendations, suggestions for improving practices and policies, and options for security products that control the discovered risks. The assessment covers risks from the Internet, from the internal network and through remote access points such as RAS servers.

Below is the list of contents of the detailed testing report:

  • Executive summary 
  • Vulnerabilities identified 
  • Vulnerability ratings 
  • Compliance requirements where applicable 
  • Screenshots where feasible 
  • Solutions with details and additional resources. 

Pre-requisites for Network Penetration Testing:

External Penetration Test:

  • List of live IP addresses or public IP range

Internal Penetration Test:

  • List of IP addresses or internal IP ranges 
  • All IP addresses to be accessible from a single location 
  • Provision to connect laptops to the network 
