Ramy Al Damati

Based on specific objectives to be achieved, the different penetration testing strategies include:




External testing strategy

External testing refers to attacks on the organization's network perimeter using procedures performed from outside the organization's systems, that is, from the Internet or Extranet. This test may be performed with non-or full disclosure of the environment in question. The test typically begins with publicly accessible information about the client, followed by network enumeration, targeting the company's externally visible servers or devices, such as the domain name server (DNS), e-mail server, Web server or firewall.



Internal testing strategy

Internal testing is performed from within the organization's technology environment. This test mimics an attack on the internal network by a disgruntled employee or an authorized visitor having standard access privileges. The focus is to understand what could happen if the network perimeter were successfully penetrated or what an authorized user could do to penetrate specific information resources within the organization's network. The techniques employed are similar in both types of testing although the results can vary greatly.



Blind testing strategy

A blind testing strategy aims at simulating the actions and procedures of a real hacker. Just like a real hacking attempt, the testing team is provided with only limited or no information concerning the organization, prior to conducting the test. The penetration testing team uses publicly available information (such as corporate Web site, domain name registry, Internet discussion board, USENET and other places of information) to gather information about the target and conduct its penetration tests. Though blind testing can provide a lot of information about the organization (so called inside information) that may have been otherwise unknown -- for example, a blind penetration may uncover such issues as additional Internet access points, directly connected networks, publicly available confidential/proprietary information, etc. But it is more time consuming and expensive because of the effort required by the testing team to research the target.



Double blind testing strategy

A double-blind test is an extension of the blind testing strategy. In this exercise, the organization's IT and security staff are not notified or informed beforehand and are "blind" to the planned testing activities. Double-blind testing is an important component of testing, as it can test the organization's security monitoring and incident identification, escalation and response procedures. As clear from the objective of this test, only a few people within the organization are made aware of the testing. Normally it's only the project manager who carefully watches the whole exercise to ensure that the testing procedures and the organization's incident response procedures can be terminated when the objectives of the test have been achieved.



Targeted testing strategy

Targeted testing or the lights-turned-on approach as it is often referred to, involves both the organization's IT team and the penetration testing team to carry out the test. There is a clear understanding of the testing activities and information concerning the target and the network design. A targeted testing approach may be more efficient and cost-effective when the objective of the test is focused more on the technical setting, or on the design of the network, than on the organization's incident response and other operational procedures. Unlike blind testing, a targeted test can be executed in less time and effort, the only difference being that it may not provide as complete a picture of an organization's security vulnerabilities and response capabilities.

Now that we have explored the different strategies in penetration testing, lets take a look at some of the techniques/ methods used in a penetration test and how it helps in performing a successful penetration testing:





Passive research

As the name suggests, a passive research is a method used to gather as much information about an organization's systems configuration from public domain sources such as:

DNS (domain name service)

RIPE (Réseaux IP Européens)

USENET (newsgroups)

ARIN (American Registry for Internet Numbers)

*Passive research is generally performed at the beginning of an external penetration test.





Open source monitoring

This service is an associated technique that utilizes Internet meta-searches (multiple searches of Web sites, newswires, newsgroups and other sources) targeted on keyword that are important to the organization. The data is collected and discoveries are highlighted to the organization. This helps identify whether organization's confidential information has been leaked or whether an electronic conversation involving them has taken place. This enables an organization to take necessary measures to ensure confidentiality and integrity.



Network mapping and OS fingerprinting

Visualization of network configuration is an important part of penetration testing. Network mapping is used to create a picture of the configuration of the network being tested. A network diagram can be created which infers the logical locations and IP addresses of routers, firewalls, Web servers and other border devices.

Additionally, this examination can assist in identifying or "fingerprinting" operating systems. A combination of results from passive research and tools such as ping, traceroute and nmap, can help create a reasonably accurate network map.



An extension of network mapping is Port Scanning. This technique is aimed at identifying the type of services available on the target machine. The scan result reveals important information such as function of a computer (whether it is a Web server, mail server etc) as well as revealing ports that may be serious security risks such as telnet. Port scans should include number of individual tests, including:



TCP (Transmission Control Protocol) scan

Connect scan

SYN (or half open) scan

RST (or Xmas-tree) scan

UDP (User Datagram Protocol) and ICMP (Internet Control Message Protocol) scans. Tools such as nmap can perform this type of scan.

Dynamic ports used by RPC (Remote Procedure Call) should be scanned using tool such as RPCinfo.



Spoofing

Spoofing involves creation of TCP/IP packets using somebody else's Internet addresses and then sending the same to the targeted computer making it believe that it came from a trusted source. It is the act of using one machine to impersonate another. Routers use the "destination IP" address in order to forward packets through the Internet, but ignore the "source IP" address. The destination machine only uses that source IP address when it responds back to the source. This technique is used in internal and external penetration testing to access computers that have been instructed to only reply to specific computers. This can result in sensitive information be released to unauthorised systems. IP spoofing is also an integral part of many network attacks that do not need to see responses (blind spoofing).



Network sniffing

Sniffing is technique used to capture data as it travels across a network. Sniffing is an important information gathering technique that enables capturing of specific information, such as passwords and also an entire conversation between specific computers, if required. To perform sniffing, the network card of computer needs to be put in promiscuous mode, so that it captures all data being sent across the network.

Sniffing is extensively used in internal testing where the sniffer or the computer in promiscuous mode is directly attached to the network enabling capturing of a great deal of information. Sniffing can be performed by a number of commercial tools such as Ethereal, Network Associates SnifferPro and Network Instruments Observer.





Trojan attack

Trojans are malicious programs that are typically sent into network as e-mail attachments or transferred via IM chat rooms. These programs run in stealth mode and get installed on the client computer without the users knowledge. Once installed, they can open remote control channels to attackers or capture information. A penetration test aims at attempting to send specially prepared Trojans into a network.



Brute force attack

A brute force attack involves trying a huge number of alphanumeric combinations and exhaustive trial and error methods in order find legitimate authentication credentials. The objective behind this time consuming exercise is to gain access to the target system. Brute force attacks can overload a system and can possibly stop it from responding to legitimate requests. Additionally, if account lockout is being used, brute force attacks may close the account to legitimate users.



Vulnerability scanning/analysis

Vulnerability scanning/analysis is an exhaustive examination of targeted areas of an organization's network infrastructure aimed at determining their current state. The targets range from a single system or only critical systems to scanning the entire network. It is usually performed using automated tools that test for a multitude of potential weaknesses in a system against a database of known vulnerabilities and report potential security holes. And although they don't actively prevent attacks, many scanners provide additional tools to help fix found vulnerabilities. Some of the commonly used vulnerability scanners include: the open-source Nessus Project's Nessus, ISS Internet Scanner, GFI Software's GFI LANguard Network Security Scanner, eEye Digital Security's Retina Network Security Scanner, the BindView RMS vulnerability-management solutions and Network Associates CyberCop.



Scenario analysis

Once a vulnerability scanning has been done and weaknesses identified, the next step is to perform Scenario testing. This testing aims at exploiting identified security weaknesses to perform a system penetration that will produce a measurable result, such as stolen information, stolen usernames and passwords or system alteration. This level of testing assures that no false positives are reported and makes risk assessment of vulnerabilities much more accurate. Many tools exist to assist exploit testing, although the process is often highly manual. Exploit testing tends to be the final stage of penetration testing.