Methodology, Network Forensics, Security

An Introduction to Penetration Testing – Part 1

Information Security Wordle: RFC2196 - Site Se...

Information Security Wordle: RFC2196 – Site Security Handbook (Photo credit: purpleslog)

In an earlier article, many moons ago (Sorry Jamie !), I stated my opinion that Forensics and Security were opposite sides of the same coin. I’ve felt very strongly that my skills as a Security Consultant have only been strengthened and expanded by the experiences I’ve gained with Forensics, both as part of the Forensic Focus community (again, apologies for my absence) and as part of my MSc (an ongoing epic spanning two Universities and many years).

There is a particular area of Security work that I think mirrors the skill set of Forensics more closely than others – and that is Penetration Testing. PenTest is probably the most bleeding edge, exciting and intellectually challenging thing in the InfoSec field – no matter how much I try, I struggle to get as excited about writing an “Acceptable Use Policy” as I do given free rein to attempt a “capture the flag” task on a corporate network. (That’s not to say that AUPs don’t have their own excitements … nah, I’m kidding, but they are important – like eating your vegetables…) – at the same time though, the same measured and methodical approaches and investigative skills that apply in Forensics, apply in PenTest.

Over the next few articles ( I don’t know how many yet, I’ve not written them – but I’m aiming to get an update to you fortnightly ) I’d like to take you through a high level PenTest methodology, showing you some of the tools and toys that you can play with along the way, at the end of it all, my intent is to run a competition (with a small prize for the winner – something like an iPod Nano perhaps?) of a live machine ( or machines … ) connected to the internet that you can all have a pop at – rules and scoring criteria yet to be determined – and will have to write a short report on. ( Not that report writing will phase a single Forensicator! )

In any case, let’s start with outlining the basic methodology – remember, like Forensics, many parts of a PenTest methodology are iterative, as you learn more in one phase, you may want to return to an earlier phase and see what further advances you can make with your new-found knowledge.

1. Planning & Paperwork

  • Getting your tools together
  • Getting Authorisation & Correct Paperwork
  • Estimating required time / effort
  • Building a test lab

2. Discovery – Information Gathering & Analysis

  • Passive Information Gathering
  • Active Information Gathering
  • Analysis

3. Vulnerability Detection

  • Automated Tools
  • Manual Confirmation
  • Analysis

4. Exploitation

  • Automated Tools
  • Manual Confirmation / Manual Exploitation
  • Obfuscation and Avoiding Detection
  • Analysis

5. Reporting and Recommendations

  • Writing a report & Presenting relevant findings

We’ll come back to a majority of the first items at the end – when we’ve had a chance to build some knowledge of the tasks involved and the tools that are available to us – also we’ll build a test lab as we go along.

However, right now, I’m going to drum in the law.

IT IS AGAINST THE LAW TO ATTEMPT TO ACCESS THE COMPUTER OR NETWORK OF ANY INDIVIDUAL, ORGANISATION OR GOVERNMENT WITHOUT THEIR EXPRESS KNOWLEDGE AND PERMISSION. FAILURE TO OBTAIN ADEQUATE CLEARANCES COULD LEAD TO FINES, IMPRISONMENT OR EXTRADITION – DEPENDING ON WHICH COUNTRY YOU ARE IN AND WHAT YOU’VE DECIDED TO TEST. DO NOT DO ANYTHING WITHOUT WRITTEN AUTHORISATION FROM SOMEONE WHO YOU HAVE GOOD REASON TO BELIEVE IS CAPABLE OF GRANTING SUCH AUTHORISATION.

Please come back on, or after the 3rd of July for “An Introduction to Penetration Testing – Part 2 – The Discovery Phase”. (By the way, you can subscribe by clicking on the button to my right – and you’ll be updated for the remainder of this introductory course [and be notified when the competition starts] as well as all the other interesting articles and entries on Forensic Focus).

About the Author Si Biles ( @si_biles ) is a consultant for Thinking Security in deepest darkest Oxfordshire, ‘cos he’s a CLAS consultant he spends quite a lot of time doing things for the Government, outside of that he has a particular interest in network security, vulnerability analysis, penetration testing and incident response & forensics. You can read more of his blogging on his own site  and occasionally other places such as : BCS Security Blog

Discussion

15 thoughts on “An Introduction to Penetration Testing – Part 1

  1. Hi, I am doing penetration testing as part of my final year project. I will do some penetration testing on an operating system such as XP and will attempt to explain the remaining artefacts. I need some advice on what exploits I could use and a methodology to explain and understand the remaining artefacts, please advise.

    Posted by Ali Huet | June 24, 2012, 4:22 pm
    • Hi,

      I guess sticking it out for the full length of the blog isn’t an option then …

      You’ll want to start with a fairly basic, un-patched install of XP – this will give you the largest footprint to attack. Build it into a VM with as small a disk as you can, leaving you the minimum amount of potential to analyse ( minimum slack space ). If your VM environment supports snapshots, now is a good time to take one so that you can restore and repeat at will. Image the disk with your favourite tool of choice – obviously leaving the disk untouched. Then I would have a go with Metasploit – you should be able to get into your test box pretty much at will with all of the exploits available. I’d suggest that the exercise is more about your methodology and forensic skills than any particular exploit, but at the end of the day you should follow your exploit through as if it were a real hacking attempt – get in, shut down security, try and establish a long term back door, root around the file system for anything interesting, take a file or two, delete or modify the logs to hide your access. Shut the VM down and then image again. You can then compare the images at your leisure in order to identify the artefacts. I would recommend that you attempt the same exploit and follow through more than once – that’s just good practice, but it will also highlight how the artefacts change depending on time, and perhaps try altering the order of things to see what differences there are there. ( e.g. if you shut down logging early in the process, then there will be less log entries to delete – this would give a substantially different footprint ). With regard to explaining and understanding the artefacts, the advantage of using Metasploit is that the code is available for you to examine – so you should be able to identify what has actually been done – then you can map your results to the exploit.

      Hope this helps,

      Si

      Posted by ThinkingSec | June 24, 2012, 7:17 pm
  2. Really interesting Si, and as ever very well written! Look forward to the remaining articles in the series – and perhaps at the end some recommended further reading?

    What/where’s the subscription button you mention?

    cheers,

    Jonathan

    Posted by Jonathan Krause | June 25, 2012, 8:34 am
    • Hi Jonathan,

      Glad you like it ;-) Hope that you can find time to enter the competition ! Sure, I’d be happy to bear that in mind and make sure that I put down some sites, books and papers that others might find useful – I’ll try and do it with reference to each topic as we go along.

      The subscription button ( on my screen ) is at the top right of the article in the side-bar – I just mean the “Don’t miss an article! Click to subscribe to this blog and receive notifications of new posts by email.” Which I’m sure you already have anyhoo ! I do push all of the blog entries that I do out through Twitter ( as you know – but I’m not going to miss the marketing opportunity for everyone else :-P ) [@si_biles].

      Catch up soon !

      Si

      Posted by ThinkingSec | June 25, 2012, 5:46 pm
      • I agree – nice intro article – I too would like to take a shot at the ‘staged hacking’ as I’m currently self teaching ethical hacking/pen testing, using BackTrack, learning the linux shell and well….soaking myself in industry articles. But the active/experience/testing is limited to what “I” setup – (I hacked my own WEP wireless…wooohooo!) I will likewise subscribe too! Looking forward to the next post!
        john

        Posted by John | June 25, 2012, 6:15 pm
  3. Hi Si,

    Thanks for the response, I will take your advice on board and use it towards my project.

    Ali

    Posted by Ali | June 26, 2012, 1:56 pm
  4. Keep up the great work..Nice stuff! Thanks..

    Rob

    Posted by rjpear | July 1, 2012, 1:19 am
  5. Very timely article, this. Thank you for deftly tackling the subject and presenting it in plain-speak. I look forward to following the track.

    Si, would you be so kind as to list available, related certifications and comment on each one?

    Thank you,

    Sean

    Posted by Sean Erickson | July 2, 2012, 5:06 am
    • Glad you are enjoying it – got round to Part 2 eventually today !

      That’s an interesting question – I will do that – it will be in a couple of weeks and on my own blog page ( http://www.biles.net ) rather than interrupting the flow here though – I will post a link in that week’s article when I get there, so that you can know …

      Cheers,

      Si

      Posted by ThinkingSec | July 3, 2012, 11:18 pm
  6. Reblogged this on Yury Chemerkin.

    Posted by Yury Chemerkin | July 14, 2012, 12:59 pm

Trackbacks/Pingbacks

  1. Pingback: CEH – Self Study « Thinking Security's Blog - June 28, 2012

  2. Pingback: Forensic Focus Blog: An Introduction to Penetration Testing – Part 1 | The Forensics Study Site - June 29, 2012

  3. Pingback: Elgato game capture HD – A quick review … « Thinking Security's Blog - July 14, 2012

  4. Pingback: NWrap Version 0.05 – NMap Wrapper with OPRP Database Dump « Thinking Security's Blog - July 17, 2012

  5. Pingback: An Introduction to Penetration Testing – Part 1 | Security Watch - November 29, 2012

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 649 other followers

%d bloggers like this: