Metasploit - The Penetration Testers

Information technology is a complex field, littered with the half-dead technology of the past and an ever-increasing menagerie of new systems, software, and protocols. Securing today's enterprise networks involves more than simply patch management, firewalls, and user education; it requires frequent real-world validation of what works and what fails. This is what penetration testing is all about.

Penetration testing is a uniquely challenging job. You are paid to think like a criminal, to use guerrilla tactics to your advantage, and to find the weakest links in a highly intricate net of defenses. The things you find can be both surprising and disturbing; penetration tests have uncovered everything from rogue pornography sites to large-scale fraud and criminal activity.

Penetration testing is about ignoring an organization's perception of its security and probing its systems for weaknesses. The data obtained from a successful penetration test often uncovers issues that no architecture review or vulnerability assessment would be able to identify. Typical findings include shared passwords, cross-connected networks, and troves of sensitive data sitting in the clear. The problems created by sloppy system administration and rushed implementations often pose significant threats to an organization, while the solutions languish under a dozen items on an administrator's to-do list. Penetration testing highlights these misplaced priorities and identifies what an organization needs to do to defend itself from a real intrusion.

Penetration testers handle a company's most sensitive resources; they gain access to areas that can have dire real-world consequences if the wrong action is taken. A single misplaced packet can bring a factory floor to a halt, with a cost measured in millions of dollars per hour. Failure to notify the appropriate personnel can result in an uncomfortable and embarrassing conversation with the local police. Medical systems are one area that even the most experienced security professionals may hesitate to test; nobody wants to be responsible for mixing up a patient's blood type in an OpenVMS mainframe or corrupting the memory on an X-ray machine running Windows XP. The most critical systems are often the most exposed, and few system administrators want to risk an outage by bringing down a database server to apply a security patch.

Balancing the use of available attack paths and the risk of causing damage is a skill that all penetration testers must hone. This process depends not only on a technical knowledge of the tools and the techniques but also on a strong understanding of how the organization operates and where the path of least resistance may lie.

Imagine that sometime in the not-so-distant future an attacker decides to attack a multinational company's digital assets, targeting hundreds of millions of dollars worth of intellectual property buried behind millions of dollars in infrastructure. Naturally, the attacker begins by firing up the latest version of Metasploit.

After exploring the target's perimeter, he finds a soft spot and begins a methodical series of attacks, but even after he's compromised nearly every aspect of the network, the fun has only just begun. He maneuvers through systems, identifying core, critical business components that keep the company running. With a single keystroke, he could help himself to millions of company dollars and compromise all their sensitive data.

Congratulations on a job well done—you've shown true business impact, and now it's time to write the report. Oddly enough, today's penetration testers often find themselves in the role of a fictitious adversary like the one described above, performing legal attacks at the request of companies that need high levels of security. Welcome to the world of penetration testing and the future of security.

 

Why Do a Penetration Test?

Companies invest millions of dollars in security programs to protect critical infrastructures, identify chinks in the armor, and prevent serious data breaches. A penetration test is one of the most effective ways to identify systemic weaknesses and deficiencies in these programs. By attempting to circumvent security controls and bypass security mechanisms, a penetration tester is able to identify ways in which a hacker might be able to compromise an organization's security and damage the organization as a whole.

As you read through this book, remember that you're not necessarily targeting one system or multiple systems. Your goal is to show, in a safe and controlled manner, how an attacker might be able to cause serious harm to an organization and impact its ability to, among other things, generate revenue, maintain its reputation, and protect its customers.

 

Why Metasploit?

Metasploit isn't just a tool; it's an entire framework that provides the infrastructure needed to automate mundane, routine, and complex tasks. This allows you to concentrate on the unique or specialized aspects of penetration testing and on identifying flaws within your information security program.

As you progress through the chapters in this book and establish a well-rounded methodology, you will begin to see the many ways in which Metasploit can be used in your penetration tests. Metasploit allows you to easily build attack vectors to augment its exploits, payloads, encoders, and more in order to create and execute more advanced attacks. At various points in this book we explain several third-party tools—including some written by the authors of this book—that build on the Metasploit Framework. Our goal is to get you comfortable with the Framework, show you some advanced attacks, and ensure that you can apply these techniques responsibly.

Note on Ethics

As a penetration tester, you will be bypassing security measures; that's simply part of the job. When you do, keep the following in mind:

  • Don't be malicious.
  • Don't be stupid.
  • Don't attack targets without written permission.
  • Consider the consequences of your actions.

If you do things illegally, you can be caught and put in jail!

Neither the authors of this book nor No Starch Press, its publisher, condones or encourages the misuse of the penetration testing techniques discussed herein. Our goal is to make you smarter, not to help you to get into trouble, because we won't be there to get you out.

THE ABSOLUTE BASICS OF PENETRATION TESTING

Penetration testing is a way for you to simulate the methods that an attacker might use to circumvent security controls and gain access to an organization's systems. Penetration testing is more than running scanners and automated tools and then writing a report. And you won't become an expert penetration tester overnight; it takes years of practice and real-world experience to become proficient.

The Phases of the PTES

The phases of the PTES (Penetration Testing Execution Standard) are designed to define a penetration test and assure the client organization that a standardized level of effort will be expended in a penetration test by anyone conducting this type of assessment. The standard is divided into seven categories with different levels of effort required for each, depending on the organization under attack.


Pre-engagement Interactions

Pre-engagement interactions typically occur when you discuss the scope and terms of the penetration test with your client. It is critical during pre-engagement that you convey the goals of the engagement. This stage also serves as your opportunity to educate your customer about what is to be expected from a thorough, full-scope penetration test—one without restrictions regarding what can and will be tested during the engagement.


Intelligence Gathering

In the intelligence gathering phase, you will gather any information you can about the organization you are attacking by using social-media networks, Google hacking, footprinting the target, and so on. One of the most important skills a penetration tester can have is the ability to learn about a target, including how it behaves, how it operates, and how it ultimately can be attacked. The information that you gather about your target will give you valuable insight into the types of security controls in place.

During intelligence gathering, you attempt to identify what protection mechanisms are in place at the target by slowly starting to probe its systems. For example, an organization will often only allow traffic on a certain subset of ports on externally facing devices, and if you query the organization on anything other than a whitelisted port, you will be blocked. It is generally a good idea to test this blocking behavior by initially probing from an expendable IP address that you are willing to have blocked or detected. The same holds true when you're testing web applications, where, after a certain threshold, the web application firewalls will block you from making further requests.

To remain undetected during these sorts of tests, you can perform your initial scans from IP address ranges that can't be linked back to you and your team. Any such ranges should still be recorded with the client during pre-engagement, so that if the probing is noticed it can be told apart from a genuine attack. Typically, organizations with an external presence on the Internet experience attacks every day, and your initial probing will likely be an undetected part of the background noise.




NOTE

In some cases, it might make sense to run very noisy scans from an entirely different IP range other than the one you will be using for the main attack. This will help you determine how well the organization responds to the tools you are using.
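The probing that the paragraphs above and the note describe, as an added example (it is not code from the book): a plain TCP connect() probe ends in one of three ways, and the difference is exactly the information the intelligence gathering phase is after. A completed handshake means open; an immediate RST (seen as "connection refused") means closed but unfiltered, so the host is reachable and nothing in front of it drops traffic to that port; silence until the timeout means filtered, the usual sign of a firewall dropping packets to a port that is not on its allowed list. So that it runs offline, the example probes 127.0.0.1 with one listening socket opened in-process; loopback can never produce the filtered case, so that path is exercised through the classifier alone. All function names are this example's own.

```python
"""Probe exposed ports and read what each response says about filtering.

Added example, not code from the book. Runs against loopback only.
"""
import errno
import socket
from typing import Dict, Iterable, Tuple

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def classify_connect_error(err: OSError) -> str:
    """Map a failed connect() to a scan state.

    ECONNREFUSED means a RST came back: the port is closed but unfiltered.
    A timeout (socket.timeout is an OSError subclass) means nothing came
    back; so does an unreachable-host error. Both are reported as filtered,
    because from the outside a dropped packet and a dead host look the same.
    """
    if isinstance(err, socket.timeout):
        return FILTERED
    if err.errno == errno.ECONNREFUSED:
        return CLOSED
    return FILTERED


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Attempt a full TCP handshake and return OPEN, CLOSED or FILTERED."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError as err:
            return classify_connect_error(err)
        return OPEN


def probe_ports(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Probe the ports one at a time. Sequential on purpose: a burst of
    connects is exactly what rate-based blocking keys on."""
    return {p: probe_port(host, p, timeout) for p in ports}


def open_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Bind and listen on an ephemeral port (constructed target for the demo).

    No accept() is needed for the probe to see the port as open: the kernel
    completes the handshake on a listening socket. That is also why a connect
    scan proves only that a port is open, not that the service is healthy.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port(host: str = "127.0.0.1") -> int:
    """Pick a port with nothing listening by binding and releasing it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind((host, 0))
        return tmp.getsockname()[1]


def demo() -> Dict[str, str]:
    """Loopback run: one open port, one closed port, and the filtered
    classification fed a synthetic timeout, since loopback never drops."""
    srv, open_port = open_listener()
    try:
        closed_port = free_port()
        results = probe_ports("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return {
        "open": results[open_port],
        "closed": results[closed_port],
        "filtered": classify_connect_error(socket.timeout()),
    }


if __name__ == "__main__":
    for state, seen in demo().items():
        print(f"{state:>8}: {seen}")
```

Against a real perimeter the interesting output is the pattern, not any single port: a handful of open ports and everything else filtered is the whitelist the text describes, while a mix of closed and open with nothing filtered usually means there is no stateful filter in front of that host at all.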



Threat Modeling

Threat modeling uses the information you acquired in the intelligence-gathering phase to identify any existing vulnerabilities on a target system. When performing threat modeling, you will determine the most effective attack method, the type of information you are after, and how the organization might be attacked. Threat modeling involves looking at an organization as an adversary and attempting to exploit weaknesses as an attacker would.

Vulnerability Analysis

Having identified the most viable attack methods, you need to consider how you will access the target. During vulnerability analysis, you combine the information that you've learned from the prior phases and use it to understand what attacks might be viable. Among other things, vulnerability analysis takes into account port and vulnerability scans, data gathered by banner grabbing, and information collected during intelligence gathering.

Exploitation

Exploitation is probably one of the most glamorous parts of a penetration test, yet it is often done with brute force rather than with precision. An exploit should be performed only when you know almost beyond a shadow of a doubt that a particular exploit will be successful. Of course, unforeseen protective measures might be in place on the target that prevent a particular exploit from working—but before you trigger a vulnerability, you should know that the system is vulnerable. Blindly firing off a mass onslaught of exploits and praying for a shell isn't productive; it is noisy and provides little if any value to you as a penetration tester or to your client. Do your homework first, and then launch well-researched exploits that are likely to succeed.

Post Exploitation

The post exploitation phase begins after you have compromised one or more systems—but you're not even close to being done yet.

Post exploitation is a critical component in any penetration test. This is where you differentiate yourself from the average, run-of-the-mill hacker and actually provide valuable information and intelligence from your penetration test. Post exploitation targets specific systems, identifies critical infrastructure, and targets information or data that the company values most and that it has attempted to secure. When you exploit one system after another, you are trying to demonstrate attacks that would have the greatest business impact.

When attacking systems in post exploitation, you should take the time to determine what the various systems do and their different user roles. For example, suppose you compromise a domain infrastructure system and you're running as an enterprise administrator or have domain administrative-level rights. You might be king of the domain, but what about the systems that communicate with Active Directory? What about the main financial application that is used to pay employees? Could you compromise that system, and then, on the next pay cycle, have it route all the money out of the company to an offshore account? How about the target's intellectual property?

Suppose, for example, that your client is a large software development shop that ships custom-coded applications to customers for use in manufacturing environments. Can you backdoor their source code and essentially compromise all of their customers? What would that do to harm their brand credibility?

Post exploitation is one of those tricky scenarios in which you must take the time to learn what information is available to you and then use that information to your benefit. An attacker would generally spend a significant amount of time in a compromised system doing the same. Think like a malicious attacker—be creative, adapt quickly, and rely on your wits instead of automated tools.

Reporting

Reporting is by far the most important element of a penetration test. You will use reports to communicate what you did, how you did it, and, most important, how the organization should fix the vulnerabilities discovered during the penetration test.

When performing a penetration test, you're working from an attacker's point of view, something that organizations rarely see. The information you obtain during a test is vital to the success of the organization's information security program and in stopping future attacks. As you compile and report your findings, think about how the organization can use your findings to raise awareness, remediate the issues discovered, and improve overall security rather than just patch the technical vulnerabilities.

At a minimum, divide your report into an executive summary, executive presentation, and technical findings. The technical findings will be used by the client to remediate security holes, but this is also where the value lies in a penetration test. For example, if you find a SQL injection vulnerability in the client's web-based applications, you might recommend that your client validate all user input, use parameterized SQL queries, run the application's database access under a limited-privilege account, and return generic custom error pages instead of raw database error messages.

After the client implements your recommendations and fixes the one specific SQL injection vulnerability, are they really protected from SQL injection? No. An underlying problem likely caused the SQL injection vulnerability in the first place, such as a failure to ensure that third-party applications are secure. Those will need to be fixed as well.
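The SQL injection finding and the remediations the report would recommend, as an added example (not code from the book): a constructed users table in an in-memory SQLite database, the vulnerable lookup built by string concatenation, the parameterized lookup that fixes it, and a wrapper that returns a generic error instead of the database's own error text. The table, its rows and every function name are this example's own; the password hashes are placeholder strings.

```python
"""A SQL injection finding beside its fix.

Added example, not code from the book. Uses only the standard library.
"""
import sqlite3
from typing import Callable, List, Tuple

# Constructed sample data; the hashes are placeholders, not real credentials.
SAMPLE_USERS = [
    ("alice", "hash-of-alice-pw", "admin"),
    ("bob", "hash-of-bob-pw", "user"),
]


def make_db() -> sqlite3.Connection:
    """Build the in-memory database the two lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pwhash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """The finding: attacker-controlled text is spliced into the statement,
    so a quote in the input changes the query's structure."""
    sql = "SELECT name, role FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """The remediation: the value travels separately from the statement, so
    quotes in it are data and never reach the SQL parser."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (username,)).fetchall()


def handle_lookup(conn: sqlite3.Connection, username: str, lookup: Callable) -> dict:
    """Application-layer wrapper for the 'custom error messages' item.

    The raw sqlite3 error text would tell an attacker which engine sits
    behind the form and confirm that the input reached the parser. Hiding it
    removes that signal; it does not remove the injection itself.
    """
    try:
        return {"ok": True, "rows": lookup(conn, username)}
    except sqlite3.Error:
        return {"ok": False, "error": "lookup failed"}


def demo() -> dict:
    """Run both lookups with a tautology payload, a legitimate name, and the
    lone quote that is usually the first probe for this bug."""
    conn = make_db()
    payload = "x' OR '1'='1"  # constructed test input
    return {
        "vulnerable": lookup_vulnerable(conn, payload),
        "fixed": lookup_fixed(conn, payload),
        "legit": lookup_fixed(conn, "alice"),
        "probe_vulnerable": handle_lookup(conn, "'", lookup_vulnerable),
        "probe_fixed": handle_lookup(conn, "'", lookup_fixed),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The tautology returns every row from the vulnerable lookup and nothing from the fixed one, which is the demonstration a technical finding should contain: the payload, the observed effect, and the same request against the corrected code. The last two entries show why the error-page recommendation is listed after the parameterized query rather than instead of it: the wrapper makes the lone-quote probe look like any other failed lookup, but only the fixed query actually treats the quote as data.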


Types of Penetration Tests

Now that you have a basic understanding of the seven PTES categories, let's examine the two main types of penetration tests: overt and covert. An overt pen test, or "white hat" test, occurs with the organization's full knowledge; covert tests are designed to simulate the actions of an unknown and unannounced attacker. Both tests offer advantages and disadvantages.


Overt Penetration Testing

Using overt penetration testing, you work with the organization to identify potential security threats, and the organization's IT or security team shows you the organization's systems. The one main benefit of an overt test is that you have access to insider knowledge and can launch attacks without fear of being blocked. A potential downside to overt testing is that overt tests might not effectively test the client's incident response program or identify how well the security program detects certain attacks. When time is limited and certain PTES steps such as intelligence gathering are out of scope, an overt test may be your best option.


Covert Penetration Testing

Unlike overt testing, sanctioned covert penetration testing is designed to simulate the actions of an attacker and is performed without the knowledge of most of the organization. Covert tests are performed to test the internal security team's ability to detect and respond to an attack.

Covert tests can be costly and time consuming, and they require more skill than overt tests. In the eyes of penetration testers in the security industry, the covert scenario is often preferred because it most closely simulates a true attack. Covert attacks rely on your ability to gain information by reconnaissance. Therefore, as a covert tester, you will typically not attempt to find a large number of vulnerabilities in a target but will simply attempt to find the easiest way to gain access to a system, undetected.


Vulnerability Scanners

Vulnerability scanners are automated tools used to identify security flaws affecting a given system or application. Vulnerability scanners typically work by fingerprinting a target's operating system (that is, identifying the version and type) as well as any services that are running. Once you have fingerprinted the target's operating system, you use the vulnerability scanner to execute specific checks to determine whether vulnerabilities exist. Of course, these checks are only as good as their creators, and, as with any fully automated solution, they can sometimes miss or misrepresent vulnerabilities on a system.

Most modern vulnerability scanners do an amazing job of minimizing false positives, and many organizations use them to identify out-of-date systems or potential new exposures that might be exploited by attackers.

Vulnerability scanners play a very important role in penetration testing, especially in the case of overt testing, which allows you to launch multiple attacks without having to worry about avoiding detection. The wealth of knowledge gleaned from vulnerability scanners can be invaluable, but beware of relying on them too heavily. The beauty of a penetration test is that it can't be automated, and attacking systems successfully requires that you have knowledge and skills. In most cases, when you become a skilled penetration tester, you will rarely use a vulnerability scanner but will rely on your knowledge and expertise to compromise a system.


Pulling It All Together

If you're new to penetration testing or haven't really adopted a formal methodology, study the PTES. As with any experiment, when performing a penetration test, ensure that you have a refined and adaptable process that is also repeatable. As a penetration tester, you need to ensure that your intelligence gathering and vulnerability analysis are as expert as possible, to give you an advantage in adapting to scenarios as they present themselves.