Penetration testing is the methodology of assessing real-world security of a network environment through discovering vulnerabilities and, eventually, exploiting them to confirm a potential security threat. The motivation and intent of penetration testing is to simulate a realistic security attack, putting in-place defense mechanism through its paces, to help improve an organizations’ security structure through early discovery and mitigation of any security flaws. A well-conducted penetration test provides a complete snapshot of the current security posture of an organization, seen through the eyes of a potential hacker.
Penetration testing requires an authorization from the subject organization, explicitly defining the scope and target for the conducted tests and attacks. Therefore, penetration testing is also called ethical hacking or white-hat hacking in contrast to the black-hat hacking (cracking), which is distinguished by an unauthorized access to an organizations’ network for malicious intents, like password or data theft and personal gains through extortion and vandalism. Authorization, motivation and intent of an exploit are the key points that set apart the white-hat (penetration tester) from the block-hat (hacker). However, for a good penetration tester, it is critical to think and act (attack) the same way as a potential black-hat hacker would do. The closer a penetration test simulates the real hacker’s behavior, the more value it provides in terms of organizations’ security.
NOTE In a recent speech at the American Enterprise Institute on cybersecurity, General Keith B. Alexander, Head of the National Security Agency (he reports to President Obama), mentions Basics of Hacking and Penetration Testing by Pat Engebretson, saying “it is a great book, I am reading it, and learning a lot.”
Despite subtle differences, penetration testing is often wrongly used interchangeably for vulnerability assessment. Vulnerability assessment is the process of reviewing services and systems for potential security flaws and differs from penetration testing, as its scope is limited to discovering potential vulnerabilities in a system without practically exploiting them. Penetration Testing goes one step further by adding exploitation and proof of concept attacks into the mix, removing any guess work from the security equation. The proof of concept attacks help determine whether the discovered security vulnerabilities are real and how much potential damage such a vulnerability may cause in-case of an actual hacking attack. A successful exploit during penetration testing proves that the system can be compromised, providing black-hats an unauthorized access to the most confidential of corporate information. Penetration testing ensures that the employed security solutions are actually up to the task in a real world security attack scenario.
Why penetration testing?
An unauthorized access to an organization’s networks can compromise sensitive personal and financial information of its clients as well as the organization itself, resulting in a serious security breach. For businesses, a breach usually entails huge financial penalties in terms of expensive law suits, loss of business and reputation. A breach can lead to identity theft of individuals and potentially damage their financial history or credit rating. Recovering from such information breaches can take years and the costs are huge.
Cyber-security dilemmas: Recent 2012 exploits
The following examples illustrate why penetration testing is so important.
LinkedIn: June 6
LinkedIn, a professional networking site, fell victim to a security breach resulting in more than 6 million user passwords being made public. LinkedIn confirmed that the exposed passwords actually correspond to user accounts. The passwords were stored as unsalted SHA-1 hashes. While SHA-1 is generally a secure algorithm, it can still be cracked, allowing hackers to peer into the user accounts. LinkedIn was slapped with a $5 million lawsuit over the security breach, filed in the United States District Court.
Yahoo Voices: July 12
Yahoo Voices, which features articles penned by average Yahoo users, was attacked by a hacker group D33DS Company, and resulted in more than 450,000 passwords and usernames being compromised. According to TrustedSec, a security research firm, “the most alarming part of the breach is the fact that the passwords were stored completely unencrypted and the full 450,000 usernames and passwords are now public.”
Gamigo: July: 24
Gamigo, an online game publisher based in Germany, was the subject of a security breach back in late February. Five months after being hacked, the fruits of that security breach are now online in the form of 8.24 million passwords set loose over the Internet.
The list of victims of such breaches continues with Last.FM, eHarmony, TechRadar and many more. This should be treated as a wake-up call by all others to ensure that they have got enough defenses to protect against active hacking community. It is very important to understand that deploying a defense line with all the right security products ranging from firewalls and VPNs through intrusion-detection and prevention systems to authentication software might not (be all that good) tick all the boxes for a bullet-proof defense, unless it has proven its muscle in a real combat (penetration test). Overconfidence can prove a killer here. Just one oversight and someone with the guts will blow a gaping hole through the (theoretically) best defenses, you boast of. To avoid a security nightmare, it is essential to put your security suite through a thorough penetration testing and keeping the defenses updated against the latest hacking tools and tactics.
Penetration testing tools
Here are a few tools that can be used for conducting penetration tests.
BackTrack Linux tools
BackTrack is based on the Debian GNU/Linux distribution and is aimed at penetration testing and digital forensics. It is named after a search algorithm, backtracking. The current version is BackTrack 5 R2, codenamed “Revolution and its Revision.” BackTrack provides users with easy access to a comprehensive and large collection of security-related tools ranging from port scanners to password crackers. BackTrack supports Live CD and Live USB functionality to boot directly from portable media without requiring installation along with an option of permanent installation to the hard disk. An introduction and basic level use of BackTrack is discussed in the book The Basics of Hacking and Penetration Testing, and if you are looking for a deeper look, grab a copy of Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide.
Metasploit was created by HD Moore in 2003 as a computer security project for accessing security vulnerabilities and penetration testing. The Metasploit Framework, an open-source sub-project, is the tool for developing and executing exploit code against a remote target machine. The Metasploit project was acquired by Rapid7, a security company that provides unified vulnerability management solutions, in October 2009. Since the acquisition, the Metasploit project is available in three flavors with varying feature sets: Metasploit Community edition, Metasploit Express and Metasploit Pro. Rapid7 has recently introduced a penetration testing tool based on the Metasploit framework. The Metasploit Community edition and Metasploit Penetration Testing Tool are available as free downloads at Metasploit’s website. The complete feature set and hands-on use of Metasploit is detailed in the books mentioned above and also in BackTrack 5 Wireless Penetration Testing.
Node Zero is an Ubuntu based penetration testing distribution, formally known as Ubuntu Pentest Edition. Available as a free download, NodeZero is a reliable, stable, and powerful penetration testing tool compilation that comes with around 300 tools and a complete set of basic services required for penetration testing. Node zero is especially famous for its inclusion of THC IPV6 Attack Toolkit with a host of IPV6 attack tools. Node Zero can be run live from CD or USB or installed on the hard drive for better performance.
Automated Penetration Testing Software Suites
The automated penetration testing frameworks provide discovery tools and exploit code for remote and local vulnerabilities, remote agents, and other handy gadgets for exploring and exploiting a network all without a deep knowledge of penetration testing. Applications like Core Security’s Impact and Immunity’s Canvas are stand out penetration testing software suites that enables network administrators and expert penetration testers alike to conduct automated penetration tests as per their requirements.
Core Impact, developed by Core Technologies, is an automated GUI-based penetration testing software solution used to assess the security of web applications, network systems, endpoint systems, email users and wireless networks. The breadth of tools and exploits, persistent workspace interface, flexible agents, regular updates to exploits and some useful built-in automation features helps it come on top of the line despite a vast price disparity with Canvas. A user with very little knowledge of how exploits work or even with only basic networking knowledge can launch attacks and own a machine within minutes by using Rapid Penetration Tests (RPTs). Core Security updates the attack database when new attacks are available. Exploits and tools are written in Python and compiled at run-time, so Impact can be customized and extended by experienced developers. A very heavy price tag and lack of a command line interface are the only cons.
Where Impact is a fully functional discovery and exploit product, Canvas is streamlined to provide a powerful exploitation experience to the penetration testers. The licensing is more attractive compared to Impact, but Canvas lacks the point-and-attack features of Impact. Inclusion of a command line interface and lower asking price are the attractive pros for Canvas. However, users are supposed to have a considerable knowledge of penetration testing, exploits and system insecurity to put Canvas to maximum use. To help users get up to speed on Canvas, Immunity provides a training course making the learning curve a little easier.
GPU Accelerated Password Cracking
Passwords are generally stored in hashed form and most popular algorithms are the SHA family, SHA-1, SHA-256 etc. The Dictionary attacks and the Brute force attacks on hashed passwords can be accelerated using the massive parallel computing resources of GPUs. HashCat is an example of GPU accelerated hash-cracker.
You may have a situation at hand where you’ve deployed all of the required security products: firewalls, intrusion-detection and intrusion-prevention systems, authentication software and secure wireless gear. You’ve configured access control lists on routers and firewalls, and locked down access to the best of your knowledge. So theoretically, you have a seamless defense! But is it good enough? The answer is surprisingly NO! This is because your defense has never been tested from a hacker’s perspective and might not survive a real combat against a malicious attack. Being network security personnel, you can only trust your line of defense and sleep sound, once your network has survived a thorough penetration testing.
Safari Books Online has the content you need
Take advantage of these penetration testing resources in Safari Books Online:
|Wireless has become ubiquitous in today’s world. The mobility and flexibility provided by it makes our lives more comfortable and productive. But this comes at a cost. Wireless technologies are inherently insecure and can be easily broken. BackTrack is a penetration testing and security auditing distribution that comes with a myriad of wireless networking tools used to simulate network attacks and detect security loopholes. BackTrack 5 Wireless Penetration Testing Beginner’s Guide takes you through the journey of becoming a Wireless hacker. You will learn various wireless testing methodologies taught using live examples, which you will implement throughout this book. The engaging practical sessions very gradually grow in complexity giving you enough time to ramp up before you get to advanced wireless attacks.|
|The internet security field has grown by leaps and bounds over the last decade. Everyday more people around the globe gain access to the internet and not all of them with good intentions. The need for penetration testers has grown now that the security industryhas had time to mature. Simply running a vulnerability scanner is a thing of the past and is no longer an effective method of determining a business’s true security posture. Learn effective penetration testing skills so that you can effectively meet and manage the rapidly changing security needs of your company. Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide will teach you how to efficiently and effectively ensure the security posture of environments that have been secured using IDS/IPS, firewalls, network segmentation, hardened system configurations and more. The stages of a penetration test are clearly defined and addressed using step-by-step instructions that you can follow on your own virtual lab.|
About the authors
|Salman Ul Haq is a techpreneur, co-founder and CEO of TunaCode, Inc., a startup that delivers GPU-accelerated computing solutions to time-critical application domains. He holds a degree is Computer Systems Engineering. His current focus is on delivering the right solution for cloud security. He can be reached at email@example.com.|
|Aamir Majeed is Senior Solutions Engineer at TunaCode, Inc. He holds a degree in Avionics Engineering. His interest areas are anything and everything GPUs – from writing highly optimized, performance oriented GPU code to experimenting with latest tools and solutions to porting existing frameworks/codebase to GPUs. When not working, Aamir spends his time trekking snow capped mountains.|