© Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners.




           Information Security Group (ISG)
           Network Penetration Testing

           reachus@imaginea.com




      Network Penetration Testing
     Overview

             The contemporary way of operating networks and connecting with third parties has
             left many firms exposed to malicious attacks, with vulnerable areas they are not
             yet aware of.
             Network penetration testing uncovers network weaknesses before a malicious hacker
             finds them.
             Network penetration testing includes testing from both an external network and the
             internal network.
      Hacker targets in a typical network infrastructure
      (Diagram; components shown: User, Hacker, Switch, Web Server, App Server, DB Server.
      The weaknesses called out against each component are listed below.)

              Network (router) level:
                           Open ports and services
                           Packet sniffing
                           Router vulnerability exploits
                           ARP spoofing, cryptography weaknesses
                           Denial of Service
                           Hardware, firmware and software specific vulnerabilities

              Switch:
                           Open ports and services, OS fingerprinting
                           Liberal Access Control Lists (ACLs)
                           Denial of Service
                           Hardware, firmware and software specific vulnerabilities

              Web Server / App Server:
                           Open ports and services
                           Authentication and authorization issues, cryptography
                           Remote code execution, file upload, XSS
                           Server misconfiguration exploits
                           Denial of Service
                           Hardware, firmware and software specific vulnerabilities

              DB Server:
                           Open ports and services
                           Authentication and authorization issues, cryptography
                           Buffer overflows
                           Denial of Service
                           DBMS misconfiguration exploits
                           Hardware, firmware and software specific vulnerabilities




      Penetration Testing Methodology


          Step 1 • Information Gathering
          Step 2 • Analysis and Planning
          Step 3 • Vulnerability Identification
          Step 4 • Exploitation
          Step 5 • Risk Analysis and Remediation Suggestion
          Step 6 • Reporting




      Information Gathering Template

      Information Required                                                        Data
      Organization Name
      Network diagram with details of the major network components
        (router, gateway, firewall, servers, user machines) and their
        communication paths
      Specify timings in which testing can be performed
        Note: Network penetration testing could increase network traffic
        considerably
      Specify timings for testing Denial of Service attacks and other
        applicable attacks
        Note: DoS attacks could increase network traffic significantly and
        may bring the network down
      Specify if there are any restrictions on testing some critical systems
        in the network
      Provide access to one of the internal IPs in the organization
      Scope of the Test: Specify all IP addresses of the systems to be tested
        from the external and internal networks

      Target machine IP address                                 Purpose of the machine
      Specify whether the IP address is accessible from the     (Router, Gateway,
      public network or limited to the organization's           server, etc.)
      internal network
      (e.g. 196.0.0.1, Public IP)                               (e.g. Router)




      Analysis and Planning
     Analysis
             Verification of given information
             Client communication for clarifications (if any)
             Understanding the network topology and communication mechanisms
             Identification of critical network components and corresponding vulnerabilities to be
             tested


     Planning
             Test modularization based on target machines or vulnerability focus areas
             Plan for external and internal network testing
             Plan for manual security testing phase
             Plan for automation testing phase
             Plan for exploitation phase
             Plan for risk analysis and reporting phases
             Time estimates for each of the phases




      Vulnerability Identification
     Focus Areas
              Open ports and services
              OS fingerprinting
              Authentication
                           Authentication bypass
                           Weak passwords
                           Default usernames/passwords enabled
                           Plain text passwords stored in database/files
              Authorization
                           Privilege escalation
                           Gaining access
              Packet sniffing
              Input Validation
                           Cross Site Scripting
                           Buffer overflow
                           File upload
                           Remote command execution
              Cryptography
                           Weak encryption
                           Weak key
                           WEP key used for wireless encryption
              ARP spoofing




      Vulnerability Identification
     Focus Areas
              Information Leakage
                           Sensitive data revealed
              Denial of Service
                           SYN flood
                           UDP flood
                           ICMP flood
                           Ping of Death
                           Distributed Denial of Service
              System Configuration
                           Unpatched software and resulting vulnerabilities
                           Liberal Access Control Lists
                           Published vulnerabilities specific to OS/Software/Service
              ARP Spoofing

              Note: This is not an exhaustive list of vulnerabilities. More vulnerabilities will be
                    added to the list based on the technology, requirements and latest threats.




      Vulnerability Identification
     Vulnerability Testing Phases
             Automated scanning of target machines using tools, followed by analysis of the results
             to weed out false positives
                        Port and Services scanning
                        OS fingerprinting
                        Vulnerability Scanning
                        Password cracking/ brute force


             Exhaustive manual penetration testing of each target machine and vulnerability
             focus areas
                        Packet sniffing
                        Cryptography issues
                        Published vulnerabilities specific to the target machine/OS/Software/Service
                        Default usernames/passwords enabled


             Consolidation of the list of network vulnerabilities from the manual and automated
             testing results




      Vulnerability Identification
     Tools
             BackTrack 5, an open source Linux-based OS that bundles a penetration testing
             toolkit, will be used for network penetration testing.
             Open source Perl scripts will be used for DoS attacks.
             Common toolkits:

                 Tool                                        Purpose
                 Nmap                                        Port scanning, OS fingerprinting
                 Nessus, Nsauditor                           Network vulnerability scanners
                 Cain and Abel, John the Ripper, THC Hydra   Password cracking tools
                 ADMSnmp                                     Check for default SNMP community strings
                 IKE-Scan                                    Detect VPN server and version
                 SMTPScan                                    Identify SMTP server and version

                 Note: More tools will be added to the list based on the technology, need or
                       latest advancements.




      Exploitation
             Attacks will be performed on the target application machines while keeping damage to
             application resources and infrastructure to a minimum. This phase is required in network
             penetration testing to identify certain vulnerabilities in the target machines, such as:

                        Denial of Service
                        Escalation of privileges
                        Gaining access
                        Man In The Middle (MITM) interception of network traffic
                        ARP spoofing
                        WEP cracking
                        Published exploit scripts specific to OS/Software/Service

              Note: This is not an exhaustive list of vulnerabilities. More vulnerabilities will be
                    added to the list based on the requirements.




      Exploitation
     Exploitation Toolkits

               Tool                                   Purpose
               UDP Flood                              Denial of Service attack using UDP packet flood
               SYN Flood                              Denial of Service attack using SYN packet flood
               Ping to Death                          Denial of Service
               Smurf6                                 Denial of Service using ICMP packet flood in a
                                                      broadcast network
               Cisco Global Exploiter                 Exploit published Cisco vulnerabilities
               Metasploit Framework, Core Impact      Exploitation frameworks
               Wireshark                              Network packet sniffing
               Aircrack-ng, Airodump-ng, Airmon-ng,   Wireless packet sniffing, WEP key cracking,
               Aireplay-ng                            de-authentication of a client, Denial of
                                                      Service attacks
               ARPSpoof                               ARP spoofing

               Note: This is not an exhaustive list of tools. More tools will be added to the list
                     based on the requirements.




      Risk Analysis and Remediation Suggestion
     Risk Analysis
             Estimation of the Likelihood of attack
             Estimation of the Impact of a successful attack
             Evaluate overall RISK of the vulnerability
                                 Risk = Likelihood * Impact


             The OWASP Risk Rating Methodology is used as guidance.
             Ref: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
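The slides state the rating as Risk = Likelihood * Impact and point to the OWASP Risk Rating Methodology; the example below (added here, not part of the original deck) works that scheme through: each OWASP factor is scored 0-9, likelihood and impact are the averages of their factor groups, each average maps to LOW/MEDIUM/HIGH, and the two levels are combined with OWASP's overall severity matrix. The two findings and all their scores are constructed for illustration.

```python
"""OWASP Risk Rating worked example (added illustration, not from the slide deck).

Factor names follow the OWASP Risk Rating Methodology. Sample findings and
their scores are constructed for illustration only.
"""

LIKELIHOOD_FACTORS = (
    # threat agent factors
    "skill_level", "motive", "opportunity", "size",
    # vulnerability factors
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
IMPACT_FACTORS = (
    # technical impact
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
    # business impact
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# OWASP overall severity matrix, indexed SEVERITY[impact_level][likelihood_level].
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}


def level(score: float) -> str:
    """Map a 0-9 average onto OWASP's three levels: 0-<3 LOW, 3-<6 MEDIUM, 6-9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score out of range: {score}")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def _average(scores: dict, names: tuple) -> float:
    """Average one factor group, rejecting missing factors or values outside 0-9."""
    missing = [n for n in names if n not in scores]
    if missing:
        raise KeyError(f"missing factors: {missing}")
    for n in names:
        if not 0 <= scores[n] <= 9:
            raise ValueError(f"{n} must be 0-9, got {scores[n]}")
    return sum(scores[n] for n in names) / len(names)


def rate(finding: dict) -> dict:
    """Return likelihood, impact and overall severity for one finding."""
    likelihood = _average(finding["likelihood"], LIKELIHOOD_FACTORS)
    impact = _average(finding["impact"], IMPACT_FACTORS)
    l_level, i_level = level(likelihood), level(impact)
    return {"likelihood": likelihood, "likelihood_level": l_level,
            "impact": impact, "impact_level": i_level,
            "overall": SEVERITY[i_level][l_level]}


# Constructed sample findings; the scores are illustrative, not assessment data.
SAMPLE_FINDINGS = {
    "default SNMP community string (internal only)": {
        "likelihood": dict(zip(LIKELIHOOD_FACTORS, (3, 4, 4, 2, 7, 9, 9, 8))),
        "impact":     dict(zip(IMPACT_FACTORS,     (6, 1, 1, 7, 3, 1, 2, 3))),
    },
    "WEP used on office wireless": {
        "likelihood": dict(zip(LIKELIHOOD_FACTORS, (3, 4, 7, 9, 9, 9, 9, 9))),
        "impact":     dict(zip(IMPACT_FACTORS,     (9, 7, 5, 9, 7, 5, 7, 7))),
    },
}


def rate_all(findings: dict = SAMPLE_FINDINGS) -> dict:
    """Rate every finding; the result orders remediation priority for the report."""
    return {name: rate(f) for name, f in findings.items()}


if __name__ == "__main__":
    for name, r in rate_all().items():
        print(f"{name}: {r['overall']} (likelihood {r['likelihood']:.2f} {r['likelihood_level']}, "
              f"impact {r['impact']:.2f} {r['impact_level']})")
```

Note that OWASP's matrix is not a plain arithmetic product: two MEDIUM inputs give Medium, but a LOW likelihood with HIGH impact still rates Medium, which is what makes the priority ordering in the report defensible.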


     Remediation Suggestion
             Remediation measures will be suggested for each vulnerability identified. Priority for
             remediation will be suggested based on the risk rating of the vulnerability.




      Report Template

               Brief summary of the Network
               Brief description of the network, including the critical components in the network,
               the type of communication used, public IPs available, etc.

               Network Security Summary report
               Brief description of the overall security status and the list of major security vulnerabilities
               identified.

               Vulnerability details for each identified vulnerability:
                Vulnerability Classification and Name
                Description of the vulnerability
                Vulnerability details
                Remediation Suggestions
                Vulnerability Risk Rating (Likelihood, Impact, Overall Risk)




           Security as a Service

           http://www.imaginea.com
           reachus@imaginea.com
