Penetration Testing

What is Penetration Testing?
 AKA “Pentesting”
 An attack on a computer system with the intention of
finding security weaknesses.
 Performed by sysadmins or trusted agents.
How is this different from hacking?
 “Black-hat hackers” violate computer security for
maliciousness or personal gain.
 “White-hat hackers” break security for non-malicious
purposes, usually when performing authorized security
tests.
 “Grey-hat hackers” rationalize that they are acting
morally when they are not. e.g.:
 Breaking into systems for fun, then emailing the sysadmin to tell
them about the security hole.
What are the goals of Pentesting?
 Discover network or application vulnerabilities.
 Determine feasibility of particular set of attack vectors.
 Assess the magnitude of business & operational impacts of
a successful attack.
 Test capability of network defenses.
Successful attacks against gov’t
computers, as reported to CERT*
*US-Computer Emergency Response Team
Attempted attacks
 Pentagon: 10,000,000 attempts each day
 Nat’l Nuclear Security Administration: 10,000,000/day
 From the same document...
 Michigan: 120,000 attacks per day
 U.K. 120,000 attacks per day
 Utah: 20,000,000 attacks each day
 Multiple definitions of attack & attempt?
 Do not blindly believe any numbers you read.
5 Phases of a network attack
1. Reconnaissance
2. Scanning
3. Penetration
4. Covering Tracks
5. Maintaining Access
Pentesting generally focuses
on Steps 1-3
Reconnaissance
Collecting data on the target passively.
Multiple interpretations:
1. sending no electrons to the target network, or
2. only sending electrons through means that are normally authorized,
such as reading the public website.
Common means:
 Google
 whois
Reconnaissance
nslookup www.usna.edu
 IP address
 Server name (the canonical name behind the URL, if it is an alias)
http://www.whois.net, search for usna.edu
 Physical address
 Names of admin/technical contacts (often the sysadmins, i.e. people with root access)
 Names/IP of DNS servers
Reconnaissance
Google for URL prefixes (different servers), excluding each host as it is found:
site:usna.edu
site:usna.edu -site:www.usna.edu
site:usna.edu -site:www.usna.edu -site:libguides.usna.edu
...
Run nslookup to find name/IP of each server
nslookup libguides.usna.edu
nslookup aisweb.usna.edu
Reconnaissance
URL                  IP               Server Name
www.usna.edu         136.160.88.139   webster-new.dmz.usna.edu
libguides.usna.edu   174.132.16.38    libguides.com
aisweb.usna.edu      136.160.88.133   aeisenhower.dmz.usna.edu
library.usna.edu     136.160.88.140   library.usna.edu
lists.usna.edu       136.160.89.10    lists.usna.edu
…
Exercise: In 10 minutes, find out as much as you can about the USMA network.
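The nslookup-then-tabulate step above, written out as a small script. This is an added example, not code from the original slides: it parses nslookup's text output into the URL / IP / Server Name rows of the table and builds the successive Google `site:` queries. The nslookup output embedded below is constructed to match the table on this page (the resolver address 10.0.0.1 is made up); `live_nslookup` runs the real binary and needs network access, so the offline demo uses the samples only.

```python
import re
import subprocess

# Constructed sample nslookup output (not captured from the live network);
# the addresses and canonical names mirror the table above.
SAMPLE_NSLOOKUP = {
    "www.usna.edu": (
        "Server:\t\t10.0.0.1\n"
        "Address:\t10.0.0.1#53\n"
        "\n"
        "Non-authoritative answer:\n"
        "www.usna.edu\tcanonical name = webster-new.dmz.usna.edu.\n"
        "Name:\twebster-new.dmz.usna.edu\n"
        "Address: 136.160.88.139\n"
    ),
    "libguides.usna.edu": (
        "Server:\t\t10.0.0.1\n"
        "Address:\t10.0.0.1#53\n"
        "\n"
        "Non-authoritative answer:\n"
        "libguides.usna.edu\tcanonical name = libguides.com.\n"
        "Name:\tlibguides.com\n"
        "Address: 174.132.16.38\n"
    ),
    "library.usna.edu": (
        "Server:\t\t10.0.0.1\n"
        "Address:\t10.0.0.1#53\n"
        "\n"
        "Non-authoritative answer:\n"
        "Name:\tlibrary.usna.edu\n"
        "Address: 136.160.88.140\n"
    ),
}

CNAME_RE = re.compile(r"^\S+\s+canonical name = (\S+?)\.?$")
ADDR_RE = re.compile(r"^Address:\s*(\S+)$")


def parse_nslookup(hostname, output):
    """Return (hostname, ip, server_name) from nslookup's text output.

    server_name is the end of the CNAME chain when the URL is only an alias
    (www.usna.edu -> webster-new.dmz.usna.edu); otherwise it is the hostname itself.
    The resolver's own "Address: 10.0.0.1#53" line is skipped via its '#port' suffix.
    """
    server_name = hostname
    ips = []
    for line in output.splitlines():
        m = CNAME_RE.match(line)
        if m:
            server_name = m.group(1)   # a later CNAME line is further down the chain
            continue
        m = ADDR_RE.match(line)
        if m and "#" not in m.group(1):
            ips.append(m.group(1))
    return hostname, (ips[0] if ips else None), server_name


def live_nslookup(hostname):
    """Run the real nslookup binary (needs network and nslookup installed)."""
    proc = subprocess.run(["nslookup", hostname], capture_output=True, text=True, check=False)
    return parse_nslookup(hostname, proc.stdout)


def site_query(domain, known_hosts):
    """Google query that hides the hosts already found so the next server surfaces."""
    return " ".join([f"site:{domain}"] + [f"-site:{h}" for h in known_hosts])


def recon_table(samples):
    """Rows in the URL / IP / Server Name layout of the table above."""
    return [parse_nslookup(host, out) for host, out in samples.items()]


if __name__ == "__main__":
    rows = recon_table(SAMPLE_NSLOOKUP)
    print(f"{'URL':<22}{'IP':<18}Server Name")
    for url, ip, name in rows:
        print(f"{url:<22}{ip:<18}{name}")
    print(site_query("usna.edu", [r[0] for r in rows]))
```

Only the reconnaissance itself is passive; the script still sends DNS queries when `live_nslookup` is used, which is the "normally authorized" kind of traffic described above, not the zero-packet kind.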
Scanning
 Collecting data on the target by sending packets at it.
 Find existence of hosts at IP addresses.
 Find open ports on hosts.
 Determine versions of services on hosts.
 Determine OS of host.
 Tends to be “noisy” (lots of packets)
 May be construed as an attack. Never do this without
written permission.
Scanning
 nmap is the #1 scanning tool
 “Network Mapper”
1. Host Discovery
nmap -sn 10.10.1.0/24 # Determine which IPs are online (no port scan)
Exercise: what messages does nmap send for this command?
On a local Ethernet segment: ARP requests only. For targets beyond the local segment, run as root: ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request; unprivileged, it falls back to TCP connects to ports 80 and 443.
nmap -sL 10.10.1.0/24 # List IPs only
Exercise: what messages does nmap send for this command?
None to the targets; nmap only does a reverse-DNS lookup of each address (add -n to suppress even that).
Scanning
1. Host Discovery (cont) – using extra ports in scan:
nmap -sn -PS22-25 10.10.1.0/24 # TCP SYN Ping
Exercise: what mechanism does nmap use for this command?
ARP on the local segment; otherwise TCP SYN to ports 22-25 (giving any -P option replaces the default probe set)
Scanning
2. Enumerate Open Ports:
# List of ports & protocols, ordered by how often they are seen open
less /usr/share/nmap/nmap-services
# Scans only the 5 most common ports from this file
nmap --top-ports 5 10.10.1.10
# TCP SYN Scan (default when run as root, same as -sS)
# Sends SYN; on SYN/ACK answers with a Reset, so the handshake is never completed.
# Often not logged by the service (no connection is established), but
# half-open probes can consume the target’s resources.
nmap 10.10.1.10
Scanning
2. Enumerate Open Ports (cont):
nmap -sT 10.10.1.10
# TCP Connect Scan (default when not root)
# SYN/SYN-ACK/ACK, then close: the full handshake via the OS connect() call.
# Gets logged by the service, less likely to crash target server.
# TCP ACK Scan
# Send ACK to a host we are not talking to.
# An unfiltered port (open or closed) replies with a Reset since there is no connection;
# no reply means a stateful firewall dropped it. Maps firewall rules, does not find open ports.
nmap -sA 10.10.1.10
Scanning
3. Version detection:
nmap -sV 10.10.1.10 # Enables service versioning
4. OS detection:
nmap -O 10.10.1.10 # Enables OS detection (needs root; most reliable with one open and one closed port)
nmap -O --osscan-guess 10.10.1.10 # Guess more aggressively when there is no exact match
nmap -O --fuzzy 10.10.1.10 # Same as --osscan-guess
Pentest admin
Signed agreement.
 “Get out of jail free card.”
 Never send any electrons to the target network without one
 Scope – range of IPs, type of tests, etc.
 Damage control
 Indemnification
In-house vs. Outsourced
 Trust?
 Can a sysadmin reasonably pentest their own network?
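The TCP Connect scan from step 2 of Scanning, together with the scope rule of this section, as one added example (not code from the original slides and not nmap's own implementation): a minimal connect scanner that refuses to send a single packet to a target outside the agreed IP ranges, then probes ports the way nmap -sT does, letting the OS complete the SYN/SYN-ACK/ACK handshake and classifying a Reset as closed and silence as filtered. The throwaway listener on 127.0.0.1 and the scope 127.0.0.0/8 stand in for a real target and a real signed agreement; both are constructed for the demo.

```python
import ipaddress
import socket
import threading


def in_scope(target, scope):
    """True only if target lies inside one of the agreed CIDR ranges (the signed scope)."""
    ip = ipaddress.ip_address(target)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in scope)


def connect_probe(target, port, timeout=1.0):
    """One TCP connect probe, the mechanism behind nmap -sT.

    The kernel performs the full SYN / SYN-ACK / ACK handshake, so the service
    sees (and can log) a real connection; closing the socket afterwards tears it down.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((target, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"     # the target answered our SYN with a Reset
        except socket.timeout:
            return "filtered"   # nothing came back: dropped by a filter
        except OSError:
            return "filtered"   # e.g. host unreachable; nmap reports these as filtered too


def connect_scan(target, ports, scope, timeout=1.0):
    """Scan ports on target, but only after the scope check passes."""
    if not in_scope(target, scope):
        raise PermissionError(f"{target} is outside the agreed scope {scope}; not scanning")
    return {port: connect_probe(target, port, timeout) for port in ports}


def start_listener(host="127.0.0.1"):
    """Constructed target: a throwaway TCP service on an OS-chosen ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(0.2)          # so the accept loop notices when we close the listener

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()      # accept and drop; enough to look like a live service
            except socket.timeout:
                continue
            except OSError:
                return            # listener closed
    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """A port nothing is listening on, so a probe to it should come back closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo():
    """Scan one open and one closed loopback port under a constructed scope."""
    scope = ["127.0.0.0/8"]                      # stand-in for the signed agreement
    srv, open_port = start_listener()
    closed_port = free_port()
    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port], scope)
    finally:
        srv.close()
    return {"open_port": open_port, "closed_port": closed_port, "results": results}


if __name__ == "__main__":
    d = demo()
    for port, state in sorted(d["results"].items()):
        print(f"{port}/tcp {state}")
    try:
        connect_scan("10.10.1.10", [22], ["127.0.0.0/8"])   # not in scope: no packets sent
    except PermissionError as e:
        print("refused:", e)
```

The scope check runs before any socket is created, which is the order that matters: a scanner that checks scope after the first probe has already sent electrons to a network it had no agreement for.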