Penetration Testing - PowerPoint PPT Presentation

Slides: 17
Provided by: shomiron

Transcript and Presenter's Notes

Title: Penetration Testing


1
Penetration Testing
  • A Comprehensive Security Testing Suite
  • By Shomiron Das Gupta
  • Founder, NetMonastery Network Security Pvt. Ltd.

2
Contents
  • Penetration Testing (PT) Options
  • Our Testing Lifecycle
  • Testing Approach
  • Application Testing
  • Our Team
  • Common Tools Used
  • Proprietary Tools Used

3
Testing Options
  • External PT
      • Rigorous testing of public-facing systems, network devices, security components, etc.
      • Tests are exploitive in nature and try all available breach options
      • Emphasis on firewall, servers and applications
      • Tests may be intrusive or non-intrusive in nature
  • Internal PT
      • Testing the network from the common network user perspective
      • Working out all combinations of attacks using different network scenarios
      • Emphasis on data storage systems, firewall, IDS, etc.
      • Tests are more time-consuming and thorough

4
The Testing Lifecycle
  • Planning
      • Review the scope target
      • Plan the attacks
  • Audit
      • Perform automated / manual tests
      • Record system feedback
  • Gap Analysis
      • Compare gaps to industry-recognized standards
  • Mitigation
      • Recommend mitigation
      • Review mitigated systems

5
Penetration Testing Phases
  • Reconnaissance
  • Service Identification
  • Vulnerability Testing
  • Exploit System Attack
  • Gaining Access
  • Keeping Access

6
Reconnaissance
  • Looking for the target network: Web search, Whois and other network tools
  • Probing the network: Make sure it is the correct target
  • Target identification: Finding the right target
  • Scanning the target: Looking for open ports on the system

7
Service Identification
  • Scanning the system: Locate open service ports and avoid detection
  • Probing the ports: Find the services running on the system using tools
  • Manual probing: Confirm the tool reports, as there may be services running on odd ports
  • Slow scans: Finding ports that may be filtered
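
Manual confirmation matters because a port number only suggests a service, while the banner shows what is actually listening. As an added example (not from the original presentation), this code compares the port-based guess with the banner-based identification for probe results that have already been collected; the signature table, status labels and sample banners are assumptions constructed here.

```python
import re

# Service a port number suggests when nothing has been probed (small subset).
PORT_GUESS = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 110: "pop3"}

# What a service says about itself in the first line it sends.
# Order matters: SMTP and FTP both greet with "220", so SMTP is tried first.
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-\d\.\d+-")),
    ("http", re.compile(rb"^HTTP/\d\.\d \d{3}")),
    ("smtp", re.compile(rb"^220[ -].*SMTP", re.I)),
    ("ftp", re.compile(rb"^220[ -].*FTP", re.I)),
    ("pop3", re.compile(rb"^\+OK")),
]

# Constructed sample: (port, first bytes received) for one host.
SAMPLE_PROBES = [
    (22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    (2222, b"SSH-2.0-OpenSSH_9.6\r\n"),
    (80, b"SSH-2.0-ExampleSSH_1.0\r\n"),
    (8025, b"220 mail.example.test ESMTP ready\r\n"),
    (9000, b"\x00\x01\x02\x03"),
]


def identify(banner):
    """Name the service from its banner, or 'unknown' if no signature fits."""
    for name, pattern in SIGNATURES:
        if pattern.search(banner):
            return name
    return "unknown"


def review_report(probes):
    """Return (port, guessed, observed, status) rows for manual follow-up."""
    rows = []
    for port, banner in probes:
        guessed = PORT_GUESS.get(port, "unknown")
        observed = identify(banner)
        if observed == "unknown":
            status = "unidentified"   # needs a protocol-specific probe
        elif guessed == observed:
            status = "confirmed"
        elif guessed == "unknown":
            status = "odd-port"       # known service on a non-standard port
        else:
            status = "mismatch"       # port says one thing, banner another
        rows.append((port, guessed, observed, status))
    return rows
```

Rows marked `odd-port` or `mismatch` are the ones a port-only report would have labelled wrongly.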

8
Vulnerability Testing
  • Tuning the VA scan engine: Reports from the service identification help narrow the test
  • Adding custom scripts: Updated scripts try to locate the latest vulnerabilities
  • Non-invasive test: Carry out a non-invasive scan
  • Evaluate and confirm results: Manual confirmation of all the test results prevents false positives

9
Exploit Systems Attack
  • Use the VA results to write exploit scripts: Gather available exploits and self-written exploits
  • Exploit scripting: Chaining exploits to gain access
  • Shell code: Obtaining shell and planting backdoor
  • ACL on backdoor: Control access and secure backdoor

10
Gaining and Keeping Access
  • Writing clean-up scripts: Environment-based cleanup scripts
  • Clean up attack logs: Prevent detection by cleaning system logs
  • Hide user Trojan: Depending on the type of contract, system binaries will be changed to hide the attacker

11
Application Testing
  • Source Code Review
      • Identify security loopholes by reviewing source code
      • Provide best practices and recommend workarounds
      • Skill set available for C, C++, Java, .NET, Perl, etc.
  • Black Box Testing
      • Black hunting or searching all available interfaces
      • Identify and exploit security errors in applications
      • Provide best practices and recommend workarounds
      • Specialist in testing of web applications, databases and heterogeneous environments

12
Our Team
  • More than 2000 Man Days of combined project
    execution experience
  • Executed projects for the Government, Defense,
    Datacenters, Financials, Investigation Agencies,
    Service Providers, BPO / ITES etc.
  • Certifications include GCIA (SANS), CISSP, CISA,
    BS7799 Lead / Internal Auditor, MCSE etc.
  • All members participate in approximately 600hrs
    of research programs per year

13
Common Tools Used
  • N-Stealth
  • NStumbler
  • NBTScan
  • SARA
  • Firewalk
  • Xprobe2
  • Cain & Abel
  • NGrep
  • THC-Amp
  • Amap
  • NTop
  • Stunnel
  • Paketto
  • THC-Hydra
  • Spike
  • Achilles
  • Brutus
  • Hunt
  • Lsof
  • Honeyd
  • Snort
  • Whisker
  • Nikto
  • Tripwire
  • Nessus
  • NMap
  • Dsniff
  • Hping2
  • Ethereal
  • TCPDump
  • Kismet
  • L0phtCrack
  • Retina
  • Fport
  • SAINT
  • Snoop
  • LIDS
  • WinFP
  • Fping
  • Libnet
  • Cheops
  • IPTraf
  • PSTools
  • Arpwatch
  • TCPReplay
  • Shadow
  • Pwdump3

14
Proprietary Tools Used
  • RaptAuditor
      • An all-round, self-developed security audit tool used for scanning, VA,
        attack and penetration. This tool helps in identifying targets and helps
        to unearth weaknesses in the target system. It intuitively scans for
        vulnerabilities in the target system and identifies mitigation
        strategies for discovered vulnerabilities.
  • GhostProxy
      • GhostProxy is a proxy tool that is used during a penetration test. It is
        used to create tunnels into a secured network and spread the attack
        perimeters. It is able to virtually map machines behind a firewall and
        is able to divert IDS alerts as decoys.
  • ARPMed
      • ARPMed is a network device hijacking tool that is used to divert and
        hijack an operational network host. It uses ARP poisoning concepts to
        break the trust between two hosts, hijack a target and set up a
        man-in-the-middle attack.
  • PACInjector
      • PACInjector is an anomalous packet injecting system that injects
        malicious packets into networks at an extremely high data speed. This
        tool is used to test response buffers and intrusion detection systems,
        and to test systems in loaded conditions. PACInjector is also used to
        test false positives, having the capacity to automatically generate
        comparative reports.
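
The ARP poisoning that ARPMed relies on changes which MAC address answers for an IP, and that change is observable on the wire. As an added example (not part of the original presentation or of any NetMonastery tool), this code flags such changes in a list of ARP observations; the function name, finding labels, thresholds and sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (timestamp_seconds, ip, mac) taken from ARP replies seen
# by a monitoring host. All addresses are made up for this example.
SAMPLE_OBSERVATIONS = [
    (100, "10.0.0.1", "00:11:22:33:44:01"),   # gateway
    (101, "10.0.0.20", "00:11:22:33:44:20"),  # workstation
    (102, "10.0.0.66", "00:11:22:33:44:66"),  # third host
    (160, "10.0.0.1", "00:11:22:33:44:66"),   # gateway IP answered by .66's MAC
    (161, "10.0.0.20", "00:11:22:33:44:66"),  # workstation IP answered by it too
    (162, "10.0.0.1", "00:11:22:33:44:01"),   # real gateway still replying
    (163, "10.0.0.1", "00:11:22:33:44:66"),   # poisoned reply again
]


def detect_arp_anomalies(observations, flap_window=30, max_ips_per_mac=1):
    """Return (kind, subject, detail) findings in the order they occur.

    ip_moved        - an IP is now answered by a different MAC (also happens
                      on DHCP reassignment or NIC replacement, so low weight)
    flip_flop       - an IP returns to the MAC it held within flap_window
                      seconds: two hosts are competing for it
    mac_claims_many - one MAC answers for more IPs than max_ips_per_mac
                      (allow-list routers and multi-homed hosts)
    """
    binding = {}                 # ip -> MAC currently answering for it
    previous = {}                # ip -> (MAC before last change, time of change)
    ips_by_mac = defaultdict(set)
    findings = []
    for ts, ip, mac in sorted(observations):
        mac = mac.lower()
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) == max_ips_per_mac + 1:  # report once
                findings.append(("mac_claims_many", mac, sorted(ips_by_mac[mac])))
        old_mac = binding.get(ip)
        if old_mac is not None and old_mac != mac:
            before = previous.get(ip)
            flapping = (before is not None and before[0] == mac
                        and ts - before[1] <= flap_window)
            kind = "flip_flop" if flapping else "ip_moved"
            findings.append((kind, ip, (old_mac, mac)))
            previous[ip] = (old_mac, ts)
        binding[ip] = mac
    return findings
```

A `flip_flop` on a gateway address together with `mac_claims_many` for the same MAC is the combination worth alerting on; `ip_moved` alone is common on DHCP networks.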

15
Our horizons have Moved
  • Thank You

16
http://www.netmonastery.com