NIST Special Publication 800-115
National Institute of Standards and Technology
U.S. Department of Commerce

Technical Guide to Information Security Testing and Assessment

Recommendations of the National Institute of Standards and Technology

Karen Scarfone, Murugiah Souppaya, Amanda Cody, Angela Orebaugh

Computer Security Division
Information Technology Laboratory
Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology (IT). ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL's research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.

National Institute of Standards and Technology Special Publication 800-115
Natl. Inst. Stand. Technol. Spec. Publ. 800-115, 80 pages (Sep. 2008)

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
Acknowledgements

The authors, Karen Scarfone and Murugiah Souppaya of the National Institute of Standards and Technology (NIST) and Amanda Cody and Angela Orebaugh of Booz Allen Hamilton, wish to thank their colleagues who reviewed drafts of this document and contributed to its technical content. The authors would like to acknowledge John Connor, Tim Grance, Blair Heiserman, Arnold Johnson, Richard Kissel, Ron Ross, Matt Scholl, and Pat Toth of NIST and Steve Allison, Derrick Dicoi, Daniel Owens, Victoria Thompson, Selena Tonti, Theodore Winograd, and Gregg Zepp of Booz Allen Hamilton for their keen and insightful assistance throughout the development of the document. The authors appreciate all the feedback provided during the public comment period, especially by Marshall Abrams, Karen Quigg, and others from MITRE Corporation; William Mills of SphereCom Enterprises; and representatives from the Financial Management Service (Department of the Treasury) and the Department of Health and Human Services.
Trademark Information
Table of Contents

Executive Summary
1. Introduction
1.1 Authority
1.2 Purpose and Scope
1.3 Audience
1.4 Document Structure
2. Security Testing and Examination Overview
2.1 Information Security Assessment Methodology
2.2 Technical Assessment Techniques
2.3 Comparing Tests and Examinations
2.4 Testing Viewpoints
2.4.1 External and Internal
2.4.2 Overt and Covert
3. Review Techniques
3.1 Documentation Review
3.2 Log Review
3.3 Ruleset Review
3.4 System Configuration Review
3.5 Network Sniffing
3.6 File Integrity Checking
3.7 Summary
4. Target Identification and Analysis Techniques
4.1 Network Discovery
4.2 Network Port and Service Identification
4.3 Vulnerability Scanning
4.4 Wireless Scanning
4.4.1 Passive Wireless Scanning
4.4.2 Active Wireless Scanning
4.4.3 Wireless Device Location Tracking
4.4.4 Bluetooth Scanning
4.5 Summary
5. Target Vulnerability Validation Techniques
5.1 Password Cracking
5.2 Penetration Testing
5.2.1 Penetration Testing Phases
5.2.2 Penetration Testing Logistics
5.3 Social Engineering
5.4 Summary
6. Security Assessment Planning
6.1 Developing a Security Assessment Policy
6.2 Prioritizing and Scheduling Assessments
6.3 Selecting and Customizing Techniques
6.4 Assessment Logistics
6.4.1 Assessor Selection and Skills
6.4.2 Location Selection
6.4.3 Technical Tools and Resources Selection
6.5 Assessment Plan Development
6.6 Legal Considerations
6.7 Summary
7. Security Assessment Execution
7.1 Coordination
7.2 Assessing
7.3 Analysis
7.4 Data Handling
7.4.1 Data Collection
7.4.2 Data Storage
7.4.3 Data Transmission
7.4.4 Data Destruction
8. Post-Testing Activities
8.1 Mitigation Recommendations
8.2 Reporting
8.3 Remediation/Mitigation

List of Appendices
Appendix A—Live CD Distributions for Security Testing
Appendix B—Rules of Engagement Template
Appendix C—Application Security Testing and Examination
Appendix D—Remote Access Testing
Appendix E—Resources
Appendix F—Glossary
Appendix G—Acronyms and Abbreviations

List of Tables
Table 3-1. Review Techniques
Table 3-2. Baseline Skill Set for Review Techniques
Table 4-1. Target Identification and Analysis Techniques
Table 5-1. Target Vulnerability Validation Techniques
Table 5-2. Security Testing Knowledge, Skills, and Abilities
Table A-1. BackTrack Toolkit Sample
Table A-2. Knoppix-STD Toolkit Sample
Table E-1. Related NIST Documents
Table E-2. Online Resources

List of Figures
Figure 5-1. Four-Stage Penetration Testing Methodology
Executive Summary

An information security assessment is the process of determining how effectively an entity being assessed (e.g., host, system, network, procedure, person—known as the assessment object) meets specific security objectives. Three types of assessment methods can be used to accomplish this—testing, examination, and interviewing. Testing is the process of exercising one or more assessment objects under specified conditions to compare actual and expected behaviors. Examination is the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence. Interviewing is the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or identify the location of evidence. Assessment results are used to support the determination of security control effectiveness over time.

This document is a guide to the basic technical aspects of conducting information security assessments. It presents technical testing and examination methods and techniques that an organization might use as part of an assessment, and offers insights to assessors on their execution and the potential impact they may have on systems and networks. For an assessment to be successful and have a positive impact on the security posture of a system (and potentially the entire organization), elements beyond the execution of testing and examination must support the technical process. Suggestions for these activities—including a robust planning process, root cause analysis, and tailored reporting—are also presented in this guide.

The processes and technical guidance presented in this document enable organizations to:

- Develop information security assessment policy, methodology, and individual roles and responsibilities related to the technical aspects of assessment
- Accurately plan for a technical information security assessment by providing guidance on determining which systems to assess and the approach for assessment, addressing logistical considerations, developing an assessment plan, and ensuring legal and policy considerations are addressed
- Safely and effectively execute a technical information security assessment using the presented methods and techniques, and respond to any incidents that may occur during the assessment
- Appropriately handle technical data (collection, storage, transmission, and destruction) throughout the assessment process
- Conduct analysis and reporting to translate technical findings into risk mitigation actions that will improve the organization's security posture.

The information presented in this publication is intended to be used for a variety of assessment purposes. For example, some assessments focus on verifying that a particular security control (or controls) meets requirements, while others are intended to identify, validate, and assess a system's exploitable security weaknesses. Assessments are also performed to increase an organization's ability to maintain a proactive computer network defense. Assessments are not meant to take the place of implementing security controls and maintaining system security.

To accomplish technical security assessments and ensure that technical security testing and examinations provide maximum value, NIST recommends that organizations:

- Establish an information security assessment policy. This identifies the organization's requirements for executing assessments, and provides accountability for the appropriate individuals to ensure assessments are conducted in accordance with these requirements. Topics that an assessment policy should address include the organizational requirements with which assessments must comply, roles and responsibilities, adherence to an established assessment methodology, assessment frequency, and documentation requirements.
- Implement a repeatable and documented assessment methodology. This provides consistency and structure to assessments, expedites the transition of new assessment staff, and addresses resource constraints associated with assessments. Using such a methodology enables organizations to maximize the value of assessments while minimizing possible risks introduced by certain technical assessment techniques. These risks can range from not gathering sufficient information on the organization's security posture for fear of impacting system functionality to affecting the system or network availability by executing techniques without the proper safeguards in place. Processes that minimize risk caused by certain assessment techniques include using skilled assessors, developing comprehensive assessment plans, logging assessor activities, performing testing off-hours, and conducting tests on duplicates of production systems (e.g., development systems). Organizations need to determine the level of risk they are willing to accept for each assessment, and tailor their approaches accordingly.
- Determine the objectives of each security assessment, and tailor the approach accordingly. Security assessments have specific objectives, acceptable levels of risk, and available resources. Because no individual technique provides a comprehensive picture of an organization's security when executed alone, organizations should use a combination of techniques. This also helps organizations to limit risk and resource usage.
- Analyze findings, and develop risk mitigation techniques to address weaknesses. To ensure that security assessments provide their ultimate value, organizations should conduct root cause analysis upon completion of an assessment to enable the translation of findings into actionable mitigation techniques. These results may indicate that organizations should address not only technical weaknesses, but weaknesses in organizational processes and procedures as well.
1. Introduction

1.1 Authority

The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347.

NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets; but such standards and guidelines shall not apply to national security systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), "Securing Agency Information Systems," as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III.

This guideline has been prepared for use by federal agencies. It may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright, though attribution is desired. Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority, nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official.

1.2 Purpose and Scope

The purpose of this document is to provide guidelines for organizations on planning and conducting technical information security testing and assessments, analyzing findings, and developing mitigation strategies. It provides practical recommendations for designing, implementing, and maintaining technical information relating to security testing and assessment processes and procedures, which can be used for several purposes—such as finding vulnerabilities in a system or network and verifying compliance with a policy or other requirements. This guide is not intended to present a comprehensive information security testing or assessment program, but rather an overview of the key elements of technical security testing and assessment with emphasis on specific techniques, their benefits and limitations, and recommendations for their use.

This document replaces NIST Special Publication 800-42, Guideline on Network Security Testing.

1.3 Audience
1.4 Document Structure

- Section 2 presents an overview of information security assessments, including policies, roles and responsibilities, methodologies, and techniques.
- Section 3 provides a detailed description of several technical examination techniques, including documentation review, log review, network sniffing, and file integrity checking.
- Section 4 describes several techniques for identifying targets and analyzing them for potential vulnerabilities. Examples of these techniques include network discovery and vulnerability scanning.
- Section 5 explains techniques commonly used to validate the existence of vulnerabilities, such as password cracking and penetration testing.
- Section 6 presents an approach and process for planning a security assessment.
- Section 7 discusses factors that are key to the execution of security assessments, including coordination, the assessment itself, analysis, and data handling.
- Section 8 presents an approach for reporting assessment findings, and provides an overview of remediation activities.

This guide also contains the following appendices:

- Appendix A describes several live operating system (OS) CD distributions that allow the user to boot a computer to a CD containing a fully operational OS and testing tools.
- Appendix B provides a template for creating Rules of Engagement (ROE).
- Appendix C briefly discusses application security assessment.
- Appendix D contains recommendations for performing remote access testing.
- Appendix E offers a list of resources that may facilitate the security assessment process.
- Appendix F features a glossary of terms used throughout this document.
2. Security Testing and Examination Overview

An information security assessment is the process of determining how effectively an entity being assessed (e.g., host, system, network, procedure, person—known as the assessment object) meets specific security objectives. Three types of assessment methods can be used to accomplish this—testing, examination, and interviewing. Testing is the process of exercising one or more assessment objects under specified conditions to compare actual and expected behaviors. Examination is the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence. Interviewing is the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or identify the location of evidence. Assessment results are used to support the determination of security control effectiveness over time.

This publication addresses technical testing and examination techniques that can be used to identify, validate, and assess technical vulnerabilities and assist organizations in understanding and improving the security posture of their systems and networks. Security testing and examination is required by FISMA and other regulations. It is not meant to take the place of implementing security controls and maintaining system security, but to help organizations confirm that their systems are properly secured and identify any organization security requirements that are not met, as well as other security weaknesses that should be addressed. This section provides an overview of information security assessment methodologies and technical testing and examination techniques.
2.1 Information Security Assessment Methodology

A repeatable and documented security assessment methodology is beneficial in that it can:

- Provide consistency and structure to security testing, which can minimize testing risks
- Expedite the transition of new assessment staff
- Address resource constraints associated with security assessments.

Because information security assessment requires resources such as time, staff, hardware, and software, resource availability is often a limiting factor in the type and frequency of security assessments. Evaluating the types of security tests and examinations the organization will execute, developing an appropriate methodology, identifying the resources required, and structuring the assessment process to support expected requirements can mitigate the resource challenge. This gives the organization the ability to reuse pre-established resources such as trained staff and standardized testing platforms; decreases time required to conduct the assessment and the need to purchase testing equipment and software; and reduces overall assessment costs.

A phased information security assessment methodology offers a number of advantages. The structure is easy to follow, and provides natural breaking points for staff transition. Its methodology should contain at a minimum the following phases:

- Planning. Critical to a successful security assessment, the planning phase is used to gather information needed for assessment execution—such as the assets to be assessed, the threats of interest against the assets, and the security controls to be used to mitigate those threats—and to develop the assessment approach. A security assessment should be treated as any other project, with a project management plan to address goals and objectives, scope, requirements, team roles and responsibilities, limitations, success factors, assumptions, resources, timeline, and deliverables. Section 6 of this guide covers planning.
- Execution. Primary goals for the execution phase are to identify vulnerabilities and validate them when appropriate. This phase should address activities associated with the intended assessment method and technique. Although specific activities for this phase differ by assessment type, upon completion of this phase assessors will have identified system, network, and organizational process vulnerabilities. This phase is discussed in more depth in Section 7.
- Post-Execution. The post-execution phase focuses on analyzing identified vulnerabilities to determine root causes, establish mitigation recommendations, and develop a final report. Section 8 of this guide addresses reporting and mitigation.

Several accepted methodologies exist for conducting different types of information security assessments. References to several of these methodologies are found in Appendix E. For example, NIST has created a methodology documented in Special Publication (SP) 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, which offers suggestions for assessing the effectiveness of the security controls outlined in NIST SP 800-53. Another widely used assessment methodology is the Open Source Security Testing Methodology Manual (OSSTMM). Because there are numerous reasons to conduct assessments, an organization may want to use multiple methodologies. This publication offers recommendations for technical testing and examination techniques that can be used for many assessment methodologies and leveraged for many assessment purposes.
2.2 Technical Assessment Techniques

Dozens of technical security testing and examination techniques exist that can be used to assess the security posture of systems and networks. The most commonly used techniques from the standpoint of this document will be discussed in more depth later in this guide, and are grouped into the following three categories:

- Review Techniques. These are examination techniques used to evaluate systems, applications, networks, policies, and procedures to discover vulnerabilities, and are generally conducted manually. They include documentation, log, ruleset, and system configuration review; network sniffing; and file integrity checking. Section 3 provides additional information on review techniques.
- Target Identification and Analysis Techniques. These testing techniques can identify systems, ports, services, and potential vulnerabilities, and may be performed manually but are generally performed using automated tools. They include network discovery, network port and service identification, vulnerability scanning, wireless scanning, and application security examination. Further discussion of these techniques is presented in Section 4.
- Target Vulnerability Validation Techniques. These testing techniques corroborate the existence of vulnerabilities, and may be performed manually or by using automated tools, depending on the specific technique used and the skill of the test team. Target vulnerability validation techniques include password cracking, penetration testing, social engineering, and application security testing. More information on these techniques is found in Section 5.

Since no one technique can provide a complete picture of the security of a system or network, organizations should combine appropriate techniques to ensure robust security assessments. For example, penetration testing usually relies on performing both network port/service identification and vulnerability scanning to identify hosts and services that may be targets for future penetration. Also, multiple technical ways exist to meet an assessment requirement, such as determining whether patches have been applied properly. This publication focuses on explaining how these different technical techniques can be performed, and does not specify which techniques should be used for which circumstances, providing organizations with the flexibility to choose the techniques that best meet their requirements.

In addition to the technical techniques described in this publication, there are many non-technical techniques that may be used in addition to or instead of the technical techniques. One example is physical security testing, which confirms the existence of physical security vulnerabilities by attempting to circumvent locks, badge readers, and other physical security controls, typically to gain unauthorized access to specific hosts. Another example of a non-technical technique is manual asset identification. An organization may choose to identify assets to be assessed through asset inventories, physical walkthroughs of facilities, and other non-technical means, instead of relying on technical techniques for asset identification. Details on non-technical techniques are outside the scope of this publication, but it is important to recognize the value of non-technical techniques and to consider when they may be more appropriate to use than their technical counterparts.
2.3 Comparing Tests and Examinations

Examinations primarily involve the review of documents such as policies, procedures, security plans, security requirements, standard operating procedures, architecture diagrams, engineering documentation, asset inventories, system configurations, rulesets, and system logs. They are conducted to determine whether a system is properly documented, and to gain insight on aspects of security that are only available through documentation. This documentation identifies the intended design, installation, configuration, operation, and maintenance of the systems and network, and its review and cross-referencing ensures conformance and consistency. For example, an environment's security requirements should drive documentation such as system security plans and standard operating procedures—so assessors should ensure that all plans, procedures, architectures, and configurations are compliant with stated security requirements and applicable policies. Another example is reviewing a firewall's ruleset to ensure its compliance with the organization's security policies regarding Internet usage, such as the use of instant messaging, peer-to-peer (P2P) file sharing, and other prohibited activities.
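The firewall ruleset review just described, worked as an added example (not part of the NIST guide): a small first-match rule evaluator checks an outbound ruleset against an Internet-usage policy and also flags catch-all allow rules. The ruleset format, the policy entries, and the service/port table are constructed for illustration.

```python
"""Ruleset review against an Internet-usage policy (constructed example)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    seq: int          # evaluation order
    action: str       # "allow" or "deny"
    proto: str        # "tcp", "udp" or "any"
    src: str          # CIDR
    dst: str          # CIDR
    dports: tuple     # ((low, high), ...); empty tuple means any port


# Constructed policy: services that must not be reachable from the internal network.
PROHIBITED_SERVICES = {
    "instant messaging (XMPP)": ("tcp", 5222),
    "IRC": ("tcp", 6667),
    "BitTorrent (P2P)": ("tcp", 6881),
}

# Constructed ruleset in a simple "seq action proto src dst dports" format.
SAMPLE_RULESET = """
# seq action proto src           dst        dports
10  deny   tcp   10.0.0.0/8    0.0.0.0/0  6881-6999
20  allow  tcp   10.0.0.0/8    0.0.0.0/0  80,443
30  allow  tcp   10.0.0.0/8    0.0.0.0/0  5222
40  allow  any   10.0.0.0/8    0.0.0.0/0  any
50  deny   any   0.0.0.0/0     0.0.0.0/0  any
"""


def parse_ruleset(text):
    rules = []
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        seq, action, proto, src, dst, ports = line.split()
        dports = ()
        if ports != "any":
            dports = tuple((int(p.split("-")[0]), int(p.split("-")[-1]))
                           for p in ports.split(","))
        rules.append(Rule(int(seq), action.lower(), proto.lower(), src, dst, dports))
    return rules


def rule_matches(rule, proto, src_ip, dst_ip, dport):
    if rule.proto not in ("any", proto):
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(rule.dst):
        return False
    return not rule.dports or any(lo <= dport <= hi for lo, hi in rule.dports)


def first_match(rules, proto, src_ip, dst_ip, dport):
    """Assumed firewall semantics: rules are evaluated in order, first match wins,
    and traffic matching no rule is implicitly denied (returns None)."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule_matches(rule, proto, src_ip, dst_ip, dport):
            return rule
    return None


def review_outbound(rules, src_ip="10.20.30.40", dst_ip="203.0.113.10"):
    """Map each prohibited service an internal host could reach to the rule allowing it."""
    findings = {}
    for name, (proto, port) in PROHIBITED_SERVICES.items():
        rule = first_match(rules, proto, src_ip, dst_ip, port)
        if rule is not None and rule.action == "allow":
            findings[name] = rule.seq
    return findings


def broad_allow_rules(rules):
    """Sequence numbers of allow rules with any protocol, any port and any destination."""
    return sorted(r.seq for r in rules
                  if r.action == "allow" and r.proto == "any" and not r.dports
                  and ipaddress.ip_network(r.dst).prefixlen == 0)


if __name__ == "__main__":
    rs = parse_ruleset(SAMPLE_RULESET)
    for service, seq in review_outbound(rs).items():
        print("policy violation: %s permitted by rule %d" % (service, seq))
    print("catch-all allow rules:", broad_allow_rules(rs))
```

On the sample ruleset the review reports XMPP (explicitly allowed by rule 30) and IRC (reached through the catch-all rule 40), while BitTorrent is stopped by rule 10; rule 40 is the kind of overly broad rule the review should call out regardless of the policy list.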
Examinations typically have no impact on the actual systems or networks in the target environment aside from accessing necessary documentation, logs, or rulesets. However, if system configuration files or logs are to be retrieved from a given system such as a router or firewall, only system administrators and similarly trained individuals should undertake this work to ensure that settings are not inadvertently modified or deleted.

Testing involves hands-on work with systems and networks to identify security vulnerabilities, and can be executed across an entire enterprise or on selected systems. The use of scanning and penetration techniques can provide valuable information on potential vulnerabilities and predict the likelihood that an adversary or intruder will be able to exploit them. Testing also allows organizations to measure levels of compliance in areas such as patch management, password policy, and configuration management.

Although testing can provide a more accurate picture of an organization's security posture than what is gained through examinations, it is more intrusive and can impact systems or networks in the target environment. The level of potential impact depends on the specific types of testing techniques used, which can interact with the target systems and networks in various ways—such as sending normal network packets to determine open and closed ports, or sending specially crafted packets to test for vulnerabilities. Any time that a test or tester directly interacts with a system or network, the potential exists for unexpected system halts and other denial of service conditions. Organizations should determine the acceptable levels of intrusiveness when deciding which techniques to use. Excluding tests known to create denial of service conditions and other disruptions can help reduce these negative impacts.

Testing does not provide a comprehensive evaluation of the security posture of an organization, and often has a narrow scope because of resource limitations—particularly in the area of time. Malicious attackers, on the other hand, can take whatever time they need to exploit and penetrate a system or network. Also, while organizations tend to avoid using testing techniques that impact systems or networks, attackers are not bound by this constraint and use whatever techniques they feel necessary. As a result, testing is less likely than examinations to identify weaknesses related to security policy and configuration. In many cases, combining testing and examination techniques can provide a more accurate view of security.
2.4 Testing Viewpoints

Tests can be performed from a number of viewpoints—for example, how easily could an external attacker or malicious insider successfully attack a system? Section 2.4.1 of this guide compares testing performed from external and internal viewpoints. Section 2.4.2 discusses the aspect of testing relative to the previous knowledge that assessors have of the target or target environment.

2.4.1 External and Internal

External security testing is conducted from outside the organization's security perimeter. This offers the ability to view the environment's security posture as it appears outside the security perimeter—usually as seen from the Internet—with the goal of revealing vulnerabilities that could be exploited by an external attacker.

External testing often begins with reconnaissance techniques that search public registration data, Domain Name System (DNS) server information, newsgroup postings, and other publicly available information to collect information (e.g., system names, Internet Protocol [IP] addresses, operating systems, technical points of contact) that may help the assessor to identify vulnerabilities. Next, enumeration begins by using network discovery and scanning techniques to determine external hosts and listening services. Since perimeter defenses such as firewalls, routers, and access control lists often limit the types of traffic allowed into the internal network, assessors often use techniques that evade these defenses—just as external attackers would. Depending on the protocols allowed through, initial attacks are generally focused on commonly used and allowed application protocols such as Hypertext Transfer Protocol (HTTP). Servers that are externally accessible are tested for vulnerabilities that might allow access to internal servers and private information. External security testing also concentrates on discovering access method vulnerabilities, such as wireless access points, modems, and portals to internal servers.

For internal security testing, assessors work from the internal network and assume the identity of a trusted insider or an attacker who has penetrated the perimeter defenses. This kind of testing can reveal vulnerabilities that could be exploited, and demonstrates the potential damage this type of attacker could cause. Internal security testing also focuses on system-level security and configuration—including application and service configuration, authentication, access control, and system hardening.

Assessors who perform internal testing are often granted some level of access to the network, normally as general users, and are provided with information that users with similar privileges would have. This level of temporary access depends on the goals of the test, and can be up to and including the privileges of a system or network administrator. Working from whatever level of access they have been granted, assessors attempt to gain additional access to the network and systems through privilege escalation (i.e., increasing user-level privileges to administrator-level privileges or increasing system administrator privileges to domain administrator privileges).

Internal testing is not as limited as external testing because it takes place behind perimeter defenses, even though there may be internal firewalls, routers, and switches in place that pose limitations. Examination techniques such as network sniffing may be used in addition to testing techniques.

If both internal and external testing is to be performed, the external testing usually takes place first. This is particularly beneficial if the same assessors will be performing both types of testing, as it keeps them from acquiring insider information on network architecture or system configuration that would not be available to an adversary—an advantage that would reduce the value of the test.

2.4.2 Overt and Covert

Overt security testing, also known as white hat testing, involves performing external and/or internal testing with the knowledge and consent of the organization's IT staff, enabling comprehensive evaluation of the network or system security posture. Because the IT staff is fully aware of and involved in the testing, it may be able to provide guidance to limit the testing's impact. Testing may also provide a training opportunity, with staff observing the activities and methods used by assessors to evaluate and potentially circumvent implemented security measures. This gives context to the security requirements implemented or maintained by the IT staff, and also may help teach IT staff how to conduct testing.

Covert security testing, also known as black hat testing, takes an adversarial approach by performing testing without the knowledge of the organization's IT staff but with the full knowledge and permission of upper management. Some organizations designate a trusted third party to ensure that the target organization does not initiate response measures associated with the attack without first verifying that an attack is indeed underway (e.g., that the activity being detected does not originate from a test). In such situations, the trusted third party provides an agent for the assessors, the management, the IT staff, and the security staff that mediates activities and facilitates communications. This type of test is useful for testing technical security controls, IT staff response to perceived security incidents, and staff knowledge and implementation of the organization's security policy. Covert testing may be conducted with or without warning.

Covert testing examines the organization from an adversarial perspective, and normally identifies and exploits the most elementary vulnerabilities to gain network access. If an organization's goal is to mirror a specific adversary, this type of testing requires special considerations—such as acquiring and modeling threat data. The resulting scenarios provide an overall strategic view of the potential methods of exploit, risk, and impact of an intrusion. Covert testing usually has defined boundaries, such as stopping testing when a certain level of access is achieved or a certain type of damage is achievable as a next step in testing. Having such boundaries prevents damage while still showing that the damage could occur.

Besides failing to identify many vulnerabilities, covert testing is often time-consuming and costly due to its stealth requirements. To operate in a stealth environment, a test team will have to slow its scans and other actions to stay "under the radar" of the target organization's security staff. When testing is performed in-house, training must also be considered in terms of time and budget. In addition, an organization may have staff trained to perform regular activities such as scanning and vulnerability assessments, but not specialized techniques such as penetration or application security testing. Overt testing is less expensive, carries less risk than covert testing, and is more frequently used—but covert testing provides a better indication of the everyday security of the target organization because system administrators will not have heightened awareness.
Trang 18“Tees Qube Yo nonunion Stout Tesi ND Assen? IEwmwrmm
Review teciniqus passively examine systems, applications, networks polices and procedures iscover security vulnerabilities” They also gather information to feitate and optimize oer assessment icehniques Because reviews wchnigues are passive, they pose minimal isk to systems and networks This section overs several common review tecniques—documentation, log, rulest, and *ystm configuration eviw: network snitfings ad ile intent checking
3.1 Documentation Review
Documentation review determines if the technical aspects of policies and procedures are current and comprehensive. These documents provide the foundation for an organization's security posture, but are often overlooked during technical assessments. Security groups within the organization should provide assessors with appropriate documentation to ensure a comprehensive review. Documents to review for technical accuracy and completeness include security policies, architectures, and requirements; standard operating procedures; system security plans and authorization agreements; memoranda of understanding and agreement for system interconnections; and incident response plans.
Documentation review can discover gaps and weaknesses that could lead to missing or improperly implemented security controls. Assessors typically verify that the organization's documentation is compliant with standards and regulations such as FISMA, and look for policies that are deficient or outdated. Common documentation weaknesses include OS security procedures or protocols that are no longer used, and failure to include a new OS and its protocols. Documentation review does not ensure that security controls are implemented properly; it only confirms that the direction and guidance exist to support the security infrastructure.
Results of documentation review can be used to fine-tune other testing and examination techniques. For example, if a password management policy has specific requirements for minimum password length and complexity, this information can be used to configure password-cracking tools for more efficient performance.
3.2 Log Review
Log review determines if security controls are logging the proper information, and if the organization is adhering to its log management policies. As a source of historical information, audit logs can be used to help validate that the system is operating in accordance with established policies. For example, if the logging policy states that all authentication attempts to critical servers must be logged, the log review will determine if this information is being collected and shows the appropriate level of detail. Log review may
Examples of log information that may be useful when conducting technical security assessments include the following:
■ Authentication server or system logs may include successful and failed authentication attempts.
■ System logs may include system and service startup and shutdown information, installation of unauthorized software, file accesses, security policy changes, account changes (e.g., account creation and deletion, account privilege assignment), and privilege use.
■ Intrusion detection and prevention system logs may include malicious activity and inappropriate use.
■ Firewall and router logs may include outbound connections that indicate compromised internal devices (e.g., rootkits, bots, Trojan horses, spyware).
■ Firewall logs may include unauthorized connection attempts and inappropriate use.
■ Application logs may include unauthorized connection attempts, account changes, use of privileges, and application or database usage information.
■ Antivirus logs may include update failures and other indications of outdated signatures and software.
■ Security logs, in particular those of patch management and some IDS and intrusion prevention system (IPS) products, may record information on known vulnerable services and applications.
Manually reviewing logs can be extremely time-consuming and cumbersome. Automated audit tools are available that can significantly reduce review time and generate predefined and customized reports that summarize log contents and track them to a set of specific activities. Assessors can also use these automated tools to facilitate log analysis by converting logs in different formats to a single, standard format for analysis. In addition, if assessors are reviewing a specific action, such as the number of failed logon attempts in an organization, they can use these tools to filter logs based on the activity being checked.
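The two steps the paragraph describes, converting logs of different formats into a single standard record format and then filtering on one activity (failed logons), as an added example written for this page rather than taken from the guide. The syslog-style and CSV line formats are constructed stand-ins for real log sources; the Windows event IDs 4624 and 4625 are real, the sample lines are not.

```python
"""Log review helper: normalize two constructed log formats into one record
shape, then count and flag failed logons per user and source.

Assumptions (not from the guide): the syslog-style and CSV line formats below
are constructed for this example; the Windows event IDs 4624 (logon success)
and 4625 (logon failure) are real, the sample lines are not real logs."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in two formats (Unix sshd syslog and a CSV export).
SAMPLE_LOGS = [
    "Mar 10 08:01:12 srv1 sshd[2211]: Failed password for alice from 10.0.0.5 port 51022 ssh2",
    "Mar 10 08:01:15 srv1 sshd[2211]: Failed password for alice from 10.0.0.5 port 51023 ssh2",
    "Mar 10 08:01:20 srv1 sshd[2213]: Accepted password for bob from 10.0.0.7 port 51030 ssh2",
    "2024-03-10T08:02:00Z,srv2,4625,bob,10.0.0.9",
    "2024-03-10T08:02:03Z,srv2,4624,carol,10.0.0.9",
    "2024-03-10T08:02:05Z,srv2,4625,alice,10.0.0.5",
    "Mar 10 08:02:09 srv1 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)",
]

SYSLOG_AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)
WIN_EVENTS = {"4624": "logon_ok", "4625": "logon_failed"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Map one line of either format to a common record; None if not an auth event."""
    m = SYSLOG_AUTH.match(line)
    if m:
        event = "logon_failed" if m["result"] == "Failed" else "logon_ok"
        return {"ts": m["ts"], "host": m["host"], "user": m["user"],
                "src": m["src"], "event": event}
    parts = line.split(",")
    if len(parts) == 5 and parts[2] in WIN_EVENTS:
        ts, host, event_id, user, src = parts
        return {"ts": ts, "host": host, "user": user, "src": src,
                "event": WIN_EVENTS[event_id]}
    return None  # the cron line and anything else unrecognised is dropped


def normalize(lines: List[str]) -> List[Dict[str, str]]:
    """Convert mixed-format lines into the single standard record format."""
    return [rec for rec in map(parse_line, lines) if rec is not None]


def failed_logons_by(records: List[Dict[str, str]], key: str) -> Counter:
    """Count failed logons grouped by one field, e.g. 'user' or 'src'."""
    return Counter(r[key] for r in records if r["event"] == "logon_failed")


def flag_repeated_failures(records: List[Dict[str, str]],
                           threshold: int = 3) -> List[Tuple[str, str, int]]:
    """Return (user, src, count) triples whose failure count reaches the threshold."""
    pairs = Counter((r["user"], r["src"])
                    for r in records if r["event"] == "logon_failed")
    return sorted((u, s, n) for (u, s), n in pairs.items() if n >= threshold)


if __name__ == "__main__":
    recs = normalize(SAMPLE_LOGS)
    print(failed_logons_by(recs, "user"))
    print(flag_repeated_failures(recs))
```

The normalization step is what makes the filter meaningful: once both sources share the `event`/`user`/`src` fields, a single counter answers the "how many failed logons" question across the whole organization instead of per log format.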
3.3 Ruleset Review
A ruleset is a collection of rules or signatures that network traffic or system activity is compared against to determine what action to take, for example, forwarding or rejecting a packet, creating an alert, or allowing a system event. Review of these rulesets is done to ensure comprehensiveness and to identify gaps and weaknesses on security devices and throughout layered defenses, such as network vulnerabilities, policy violations, and unintended or vulnerable communication paths. A review can also uncover inefficiencies that negatively impact a ruleset's performance.
Rulesets to review include network- and host-based firewall and IDS/IPS rulesets, and router access control lists. The following list provides examples of the types of checks most commonly performed in ruleset reviews:
■ For firewall rulesets
- Each rule is still required
- Rules enforce least privilege access, such as specifying only required IP addresses and ports
- More specific rules are triggered before general rules
- There are no unnecessary open ports that could be closed to tighten the perimeter security
- The ruleset does not allow traffic to bypass other security defenses
- For host-based firewall rulesets, the rules do not indicate the presence of backdoors, spyware activity, or prohibited applications such as peer-to-peer file sharing programs
■ For IDS/IPS rulesets
- Unnecessary signatures have been disabled or removed to eliminate false positives and improve performance
- Necessary signatures are enabled and have been fine-tuned and properly maintained.

3.4 System Configuration Review
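Three of the firewall ruleset checks listed above (general rules placed before more specific ones, rules that do not enforce least privilege, and unnecessary open ports), as an added example written for this page rather than taken from the guide. The rule model and the sample ruleset are constructed and follow no vendor's syntax; "first match wins" evaluation order is assumed.

```python
"""Firewall ruleset review checks: shadowed (never-reached) rules, any/any
allow rules, and perimeter-facing ports that are not on the approved list.

Assumptions (not from the guide): the rule model and the sample ruleset are
constructed for this example and do not follow any vendor's syntax; rules
are evaluated top to bottom and the first match wins."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    dport: str    # "any", a single port, or "lo-hi"


def net(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)


def port_range(spec: str) -> Tuple[int, int]:
    if spec == "any":
        return (0, 65535)
    if "-" in spec:
        lo, hi = spec.split("-")
        return (int(lo), int(hi))
    return (int(spec), int(spec))


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by inner is also matched by outer."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if not net(inner.src).subnet_of(net(outer.src)):
        return False
    if not net(inner.dst).subnet_of(net(outer.dst)):
        return False
    olo, ohi = port_range(outer.dport)
    ilo, ihi = port_range(inner.dport)
    return olo <= ilo and ihi <= ohi


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(rule, earlier rule) pairs where an earlier, more general rule fires first.
    A shadowed rule is dead; a shadowed deny after a broad allow is a policy gap."""
    out = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                out.append((rule.name, earlier.name))
                break
    return out


def overly_permissive(rules: List[Rule]) -> List[str]:
    """Allow rules with any source, any destination and any port (no least privilege)."""
    return [r.name for r in rules
            if r.action == "allow" and r.src == "any"
            and r.dst == "any" and r.dport == "any"]


def unapproved_exposed_ports(rules: List[Rule], approved: Set[int]) -> List[str]:
    """Allow rules reachable from any source that open a port outside the approved set."""
    flagged = []
    for r in rules:
        if r.action != "allow" or r.src != "any":
            continue
        lo, hi = port_range(r.dport)
        if any(p not in approved for p in range(lo, hi + 1)):
            flagged.append(r.name)
    return flagged


# Constructed sample ruleset.
SAMPLE_RULES = [
    Rule("R1", "allow", "tcp", "any", "10.0.1.0/24", "443"),
    Rule("R2", "allow", "tcp", "any", "10.0.1.0/24", "1-1024"),   # broad rule placed early
    Rule("R3", "deny",  "tcp", "any", "10.0.1.5/32", "23"),       # specific deny, never reached
    Rule("R4", "allow", "tcp", "10.0.0.0/8", "10.0.2.0/24", "22"),
    Rule("R5", "allow", "any", "any", "any", "any"),              # any/any catch-all
]
APPROVED_PORTS = {22, 443}

if __name__ == "__main__":
    print(shadowed_rules(SAMPLE_RULES))                       # [('R3', 'R2')]
    print(overly_permissive(SAMPLE_RULES))                    # ['R5']
    print(unapproved_exposed_ports(SAMPLE_RULES, APPROVED_PORTS))  # ['R2', 'R5']
```

The `covers` predicate is the core of the shadowing check: a rule is dead only when protocol, both address sets, and the port range of an earlier rule all contain it, which is why R4 (a different destination network) is not reported even though R2 is broad.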
System configuration review is the process of identifying weaknesses in security configuration controls, such as systems not being hardened or configured according to security policies. For example, this type of review will reveal unnecessary services and applications, improper user account and password settings, and improper logging and backup settings. Examples of security configuration files that may be reviewed are Windows security policy settings and Unix security configuration files such as those in
Assessors using manual review techniques rely on security configuration guides or checklists to verify that system settings are configured to minimize security risks. To perform a manual system configuration review, assessors access various security settings on the device being evaluated and compare them with recommended settings from the checklist. Settings that do not meet minimum security standards are flagged and reported.
The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation. NIST SCAP files are written for FISMA compliance and NIST SP 800-53A security control testing. Other tools can be used to retrieve and report security settings and provide remediation guidance. Automated tools are often executed directly on the device being assessed, but can also be executed on a system with network access to the device being assessed. While automated system configuration reviews are faster than manual methods, there may still be settings that must be checked manually. Both manual and automated methods require root or administrator privileges to view selected security settings.
Generally, it is preferable to use automated checks instead of manual checks whenever feasible. Automated checks can be done very quickly and provide consistent, repeatable results. Having a person manually check hundreds or thousands of settings is tedious and error-prone.
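An automated version of the checklist comparison described in this section, as an added example written for this page rather than taken from the guide or from any SCAP tool. The checklist items, the comparison operators and the exported host settings are all constructed; the point is that each setting is compared against a recommended value with an explicit operator, and settings the export did not contain are reported as "missing" rather than silently passed.

```python
"""System configuration review: compare collected host settings against a
hardening checklist and report pass/fail/missing per item.

Assumptions (not from the guide): the checklist items, operators and the
sample host settings are constructed for this example, not from any real
benchmark or SCAP content."""
from collections import Counter
from typing import Any, Dict, List

MISSING = object()   # sentinel so a setting that is absent is never mistaken for a value

CHECKLIST = [
    {"id": "PW-01", "setting": "MinimumPasswordLength", "op": ">=", "expected": 14},
    {"id": "PW-02", "setting": "PasswordComplexity", "op": "==", "expected": True},
    {"id": "AC-01", "setting": "LockoutThreshold", "op": "between", "expected": (1, 10)},
    {"id": "SV-01", "setting": "TelnetService", "op": "==", "expected": "disabled"},
    {"id": "LG-01", "setting": "AuditLogonEvents", "op": "in", "expected": {"success,failure"}},
    {"id": "UI-01", "setting": "ScreenLockTimeoutSeconds", "op": "<=", "expected": 900},
]

# Constructed settings as an assessor might export them from one host.
HOST_SETTINGS = {
    "MinimumPasswordLength": 8,
    "PasswordComplexity": True,
    "LockoutThreshold": 0,          # 0 means accounts never lock
    "TelnetService": "running",
    "AuditLogonEvents": "success,failure",
}


def compare(actual: Any, op: str, expected: Any) -> bool:
    if op == "==":
        return actual == expected
    if op == ">=":
        return actual >= expected
    if op == "<=":
        return actual <= expected
    if op == "in":
        return actual in expected
    if op == "between":
        return expected[0] <= actual <= expected[1]
    raise ValueError(f"unknown operator {op!r}")


def evaluate(settings: Dict[str, Any], checklist: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One finding per checklist item: pass, fail, or missing (not in the export)."""
    findings = []
    for item in checklist:
        actual = settings.get(item["setting"], MISSING)
        if actual is MISSING:
            status = "missing"
        else:
            status = "pass" if compare(actual, item["op"], item["expected"]) else "fail"
        findings.append({"id": item["id"], "setting": item["setting"],
                         "actual": None if actual is MISSING else actual,
                         "expected": item["expected"], "status": status})
    return findings


def summarize(findings: List[Dict[str, Any]]) -> Counter:
    return Counter(f["status"] for f in findings)


def failed_ids(findings: List[Dict[str, Any]]) -> List[str]:
    return [f["id"] for f in findings if f["status"] == "fail"]


if __name__ == "__main__":
    results = evaluate(HOST_SETTINGS, CHECKLIST)
    print(summarize(results))        # Counter({'fail': 3, 'pass': 2, 'missing': 1})
    print(failed_ids(results))       # ['PW-01', 'AC-01', 'SV-01']
```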
3.5 Network Sniffing
Network sniffing is a passive technique that monitors network communication, decodes protocols, and examines headers and payloads to flag information of interest. Besides being used as a review technique, network sniffing can also be used as a target identification and analysis technique (see Section 4.1). Reasons for using network sniffing include the following:
■ Capturing and replaying network traffic
■ Performing passive network discovery (e.g., identifying active devices on the network)
■ Identifying operating systems, applications, services, and protocols, including unsecured (e.g., telnet) and unauthorized (e.g., peer-to-peer file sharing) protocols
■ Identifying unauthorized and inappropriate activities, such as the unencrypted transmission of
Network sniffing has little impact on systems and networks, with the most noticeable impact being on bandwidth or computing power utilization. The sniffer, the tool used to conduct network sniffing, requires a means to connect to the network, such as a hub, tap, or switch with port spanning. Port spanning is the process of copying the traffic transmitted on all other ports to the port where the sniffer is installed. Organizations can deploy network sniffers in a number of locations within an environment. These commonly include the following:
■ At the perimeter, to assess traffic entering and exiting the network
■ Behind firewalls, to assess that rulesets are accurately filtering traffic
■ Behind IDSs/IPSs, to determine if signatures are triggering and being responded to appropriately
■ In front of a critical system or application to assess activity
■ On a specific network segment, to validate encrypted protocols.
One limitation to network sniffing is the use of encryption. Many attackers take advantage of encryption to hide their activities; while assessors can see that communication is taking place, they are unable to view the contents. Another limitation is that a network sniffer is only able to sniff the traffic of the local segment where it is installed. This requires the assessor to move it from segment to segment, install multiple sniffers throughout the network, and/or use port spanning. Assessors may also find it challenging to locate an open physical network port for sniffing on each segment. In addition, network sniffing is a fairly labor-intensive activity that requires a high degree of human involvement to interpret network traffic.
3.6 File Integrity Checking
File integrity checkers provide a way to identify that system files have been changed by computing and storing a checksum for every guarded file, and establishing a file checksum database. Stored checksums are later recomputed to compare their current value with the stored value, which identifies file modifications. A file integrity checker capability is usually included with any commercial host-based IDS, and is also available as a standalone utility.
Although an integrity checker does not require a high degree of human interaction, it must be used carefully to ensure its effectiveness. File integrity checking is most effective when system files are compared with a reference database created using a system known to be secure; this helps ensure that the reference database was not built with compromised files. The reference database should be stored offline to prevent attackers from compromising the system and covering their tracks by modifying the database. In addition, because patches and other updates change files, the checksum database should be kept up-to-date.
For file integrity checking, strong cryptographic checksums such as Secure Hash Algorithm 1 (SHA-1) should be used to ensure the integrity of data stored in the checksum database. Federal agencies are required by Federal Information Processing Standard (FIPS) PUB 140-2, Security Requirements for Cryptographic Modules, to use SHA (e.g., SHA-1, SHA-256).
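The technique of this section end to end, as an added example written for this page and not taken from the guide or any integrity checking product: a SHA-256 baseline is built over a directory tree, the baseline itself is sealed with a digest so that tampering with the stored database is detected when it is loaded back (the point of the paragraph above), and a later pass reports modified, missing and new files. The `demo()` function builds a throwaway directory with constructed file names; nothing in it refers to a real system.

```python
"""File integrity checking: build a SHA-256 baseline of a directory tree,
seal the baseline with a digest so tampering with the stored database is
detectable, and later report modified, missing and new files.

Assumptions (not from the guide): demo() builds a throwaway directory with
constructed files; the file names in it are made up."""
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List

CHUNK = 64 * 1024


def file_digest(path: Path, algo: str = "sha256") -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, Dict[str, object]]:
    """Checksum every regular file under root, keyed by POSIX-style relative path."""
    baseline: Dict[str, Dict[str, object]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": file_digest(p), "size": p.stat().st_size}
    return baseline


def seal(baseline: Dict) -> Dict[str, str]:
    """Serialize canonically and digest the result; both parts go to offline storage."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":"))
    return {"body": body, "sha256": hashlib.sha256(body.encode()).hexdigest()}


def load_sealed(sealed: Dict[str, str]) -> Dict:
    """Refuse to use a baseline whose stored digest no longer matches its body."""
    if hashlib.sha256(sealed["body"].encode()).hexdigest() != sealed["sha256"]:
        raise ValueError("baseline database digest mismatch")
    return json.loads(sealed["body"])


def verify(root: Path, baseline: Dict) -> Dict[str, List[str]]:
    """Recompute checksums and diff them against the trusted baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p]["sha256"] != baseline[p]["sha256"]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed tree, take a baseline, change the tree, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {"bin/app": b"binary v1", "etc/app.conf": b"debug=0\n", "lib/helper.so": b"lib"}
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        sealed = seal(build_baseline(root))                  # the offline copy
        (root / "etc/app.conf").write_bytes(b"debug=1\n")    # modified
        (root / "lib/helper.so").unlink()                    # missing
        (root / "tmp").mkdir()
        (root / "tmp/dropped").write_bytes(b"?")             # new
        return verify(root, load_sealed(sealed))


def tampered_seal_detected() -> bool:
    """Show that editing the stored database without re-sealing it is caught."""
    sealed = seal({"x": {"sha256": "00", "size": 1}})
    sealed["body"] = sealed["body"].replace('"00"', '"ff"')
    try:
        load_sealed(sealed)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(demo())
    print(tampered_seal_detected())
```

Sealing the database is what enforces the "stored offline" advice in practice: an attacker who modifies files and then edits the checksum database to match still has to reproduce the seal, which is only possible if the offline copy itself is reachable.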
3.7 Summary
Table 3-1 summarizes the major capabilities of the review techniques discussed in this section.
Table 3-1. Review Techniques

Technique | Capabilities
Log Review | Provides historical information on system use, configuration, and modification; could reveal potential problems and policy deviations
System Configuration Review | Evaluates the strength of system configuration; validates that systems are configured in accordance with hardening policy
Network Sniffing | Monitors network traffic on the local segment to capture information such as active systems, operating systems, communication protocols, services, and applications; verifies encryption of communications
File Integrity Checking | Identifies changes to important files; can also identify certain forms of unwanted files
Risks are associated with each technique and their combinations. To ensure that all are executed safely and accurately, each assessor should have a certain baseline skill set. Table 3-2 provides guidelines for the minimum skill set needed for each technique presented in Section 3.
Table 3-2. Baseline Skill Set for Review Techniques

Technique | Baseline Skill Set
Documentation Review | General knowledge of security from a policy perspective
Log Review | Knowledge of log formats and ability to interpret and analyze log data; ability to use automated log analysis and log correlation tools
4. Target Identification and Analysis Techniques
This section addresses technical target identification and analysis techniques, which focus on identifying active devices and their associated ports and services, and analyzing them for potential vulnerabilities. The assessor uses this information to continue to explore devices that will validate the existence of the vulnerabilities. Organizations often use non-technical techniques in addition to or instead of technical techniques to identify the assets to be analyzed. For example, organizations may have existing asset inventories or other lists of assets to be assessed; another example is assessors performing a walkthrough of a facility to identify assets that were not found by technical techniques, such as hosts that were shut off or disconnected from the network when the technical techniques were used. Target identification and analysis techniques for application security examination are briefly discussed in Appendix C.

4.1 Network Discovery
Network discovery uses a number of methods to discover active and responding hosts on a network, identify weaknesses, and learn how the network operates. Both passive (examination) and active (testing) techniques exist for discovering devices on a network. Passive techniques use a network sniffer to monitor network traffic and record the IP addresses of the active hosts, and can report which ports are in use and which operating systems have been discovered on the network. Passive discovery can also identify the relationships between hosts, including which hosts communicate with each other, how frequently their communication occurs, and the type of traffic that is taking place, and is usually performed from a host on the internal network where it can monitor host communications. This is done without sending out a single probing packet. Passive discovery takes more time to gather information than does active discovery, and hosts that do not send or receive traffic during the monitoring period might not be reported.
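Passive discovery as described in this paragraph and in Section 3.5 (active hosts, ports in use, host-to-host relationships, and unsecured protocols such as telnet), derived from captured traffic alone, as an added example written for this page rather than taken from the guide. A sniffer's decoded output is modelled as a constructed `Packet` record; the sample capture is constructed, not real traffic. The example also shows the limitation the text names: a host that never transmits (10.0.0.22) is not discovered.

```python
"""Passive network discovery from captured traffic: derive active hosts,
listening ports, host-to-host relationships and cleartext services without
sending a packet.

Assumptions (not from the guide): packets are modelled as a constructed
NamedTuple of already-decoded header fields, standing in for a sniffer's
output; the sample capture is constructed, not real traffic."""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    flags: str      # TCP flags, e.g. "S" (SYN) or "SA" (SYN-ACK); "" for UDP


# Protocols that carry credentials or data unencrypted.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 69: "tftp"}

SAMPLE_CAPTURE = [
    Packet("10.0.0.5", "10.0.0.20", "tcp", 51000, 22, "S"),
    Packet("10.0.0.20", "10.0.0.5", "tcp", 22, 51000, "SA"),
    Packet("10.0.0.5", "10.0.0.21", "tcp", 51001, 23, "S"),
    Packet("10.0.0.21", "10.0.0.5", "tcp", 23, 51001, "SA"),
    Packet("10.0.0.7", "10.0.0.21", "tcp", 51002, 23, "S"),
    Packet("10.0.0.21", "10.0.0.7", "tcp", 23, 51002, "SA"),
    Packet("10.0.0.7", "10.0.0.22", "tcp", 51003, 443, "S"),   # never answered
    Packet("10.0.0.30", "10.0.0.255", "udp", 137, 137, ""),    # broadcast from a chatty host
]


def active_hosts(pkts: List[Packet]) -> Set[str]:
    """Hosts that sent at least one packet; silent hosts are not discovered."""
    return {p.src for p in pkts}


def listening_ports(pkts: List[Packet]) -> Dict[str, Set[int]]:
    """Ports confirmed open by a SYN-ACK sent from the server side."""
    open_ports: Dict[str, Set[int]] = defaultdict(set)
    for p in pkts:
        if p.proto == "tcp" and p.flags == "SA":
            open_ports[p.src].add(p.sport)
    return dict(open_ports)


def relationships(pkts: List[Packet]) -> Counter:
    """(client, server, port) connection attempts, counted from SYNs."""
    return Counter((p.src, p.dst, p.dport)
                   for p in pkts if p.proto == "tcp" and p.flags == "S")


def cleartext_services(pkts: List[Packet]) -> List[Tuple[str, int, str]]:
    """Confirmed-open ports that belong to unencrypted protocols."""
    out = []
    for host, ports in sorted(listening_ports(pkts).items()):
        for port in sorted(ports):
            if port in CLEARTEXT_PORTS:
                out.append((host, port, CLEARTEXT_PORTS[port]))
    return out


def unanswered_targets(pkts: List[Packet]) -> Set[str]:
    """Destinations contacted but never seen transmitting: off, filtered, or a
    broadcast address; the assessor decides which."""
    return {p.dst for p in pkts} - active_hosts(pkts)


if __name__ == "__main__":
    print(sorted(active_hosts(SAMPLE_CAPTURE)))
    print(listening_ports(SAMPLE_CAPTURE))
    print(relationships(SAMPLE_CAPTURE))
    print(cleartext_services(SAMPLE_CAPTURE))
    print(unanswered_targets(SAMPLE_CAPTURE))
```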
Active techniques send various types of network packets, such as Internet Control Message Protocol (ICMP) pings, to solicit responses from network hosts, generally through the use of an automated tool. One activity, known as OS fingerprinting, enables the assessor to determine the system's OS by sending it a mix of normal, abnormal, and illegal network traffic. Another activity involves sending packets to common port numbers to generate responses that indicate the ports are active. The tool analyzes the responses from these activities, and compares them with known traits of packets from specific operating systems and network services, enabling it to identify hosts, the operating systems they run, their ports, and the state of those ports. This information can be used for purposes that include gathering information on targets for penetration testing, generating topology maps, determining firewall and IDS configurations, and discovering vulnerabilities in systems and network configurations.
Network discovery tools have many ways to acquire information through scanning. Enterprise firewalls and intrusion detection systems can identify many instances of scans, particularly those that use the most suspicious packets (e.g., SYN/FIN scan, NULL scan). Assessors who plan on performing discovery through firewalls and intrusion detection systems should consider which types of scans are most likely to provide results without drawing the attention of security administrators, and how scans can be conducted in a more stealthy manner (such as more slowly or from a variety of source IP addresses) to improve their chances of success. Assessors should also be cautious when selecting types of scans to use against older systems, particularly those known to have weak security, because some scans can cause system failures. Typically, the closer the scan is to normal activity, the less likely it is to cause operational problems.
Network discovery may also detect unauthorized or rogue devices operating on a network. For example, an organization that uses only a few operating systems could quickly identify rogue devices that utilize different ones. Once a wired rogue device is identified, it can be located by using existing network maps and information already collected on the device's network activity to identify the switch to which it is connected. It may be necessary to generate additional network activity with the rogue device, such as pings, to find the correct switch. The next step is to identify the switch port on the switch associated with the rogue device, and to physically trace the cable connecting that switch port to the rogue device.

A number of tools exist for use in network discovery, and it should be noted that many active discovery tools can be used for passive network sniffing and port scanning as well. Most offer a graphical user interface (GUI), and some also offer a command-line interface. Command-line interfaces may take longer to learn than GUIs because of the number of commands and switches that specify what tests the tool should perform and which an assessor must learn to use the tool effectively. Also, developers have written a number of modules for open source tools that allow assessors to easily parse tool output. For example, combining a tool's Extensible Markup Language (XML) output capabilities, a little scripting, and a database creates a more powerful tool that can monitor the network for unauthorized services and machines. Learning what the many commands do and how to combine them is best achieved with the help of an experienced security engineer. Most experienced IT professionals, including system administrators and other network engineers, should be able to interpret results, but working with the discovery tools themselves is more efficiently handled by an engineer.
Some of the advantages of active discovery, as compared to passive discovery, are that an assessment can be conducted from a different network and usually requires less time to gather information. In passive discovery, ensuring that all hosts are captured requires traffic to hit all points, which can be time-consuming, especially in larger enterprise networks.
A disadvantage to active discovery is that it tends to generate network noise, which sometimes results in network latency. Since active discovery sends out queries to receive responses, this additional network activity could slow down traffic or cause packets to be dropped in poorly configured networks if performed at high volume. Active discovery can also trigger IDS alerts, since unlike passive discovery it reveals its origination point. The ability to successfully discover all network systems can be affected by environments with protected network segments and perimeter security devices and techniques. For example, an environment using network address translation (NAT), which allows organizations to have internal non-publicly routed IP addresses that are translated to a different set of public IP addresses for external traffic, may not be accurately discovered from points external to the perimeter or from protected segments. Personal and host-based firewalls on target devices may also block discovery traffic.

Misinformation may be received as a result of trying to instigate activity from devices. Active discovery presents information from which conclusions must be drawn about settings on the target network.
For both passive and active discovery, the information received is seldom completely accurate. To illustrate, only hosts that are on and connected during active discovery will be identified; if systems or a segment of the network are offline during the assessment, there is potential for a large gap in discovering devices. Although passive discovery will only find devices that transmit or receive communications during the discovery period, products such as network management software can provide continuous discovery capabilities and automatically generate alerts when a new device is present on the network. Continuous discovery can scan IP address ranges for new addresses or monitor new IP address requests. Also, many discovery tools can be scheduled to run regularly, such as once every set number of days at a particular time. This provides more accurate results than running these tools sporadically.
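The combination this section suggests, a discovery tool's XML output plus a little scripting and a database to monitor for unauthorized services and machines and to alert on new devices, as an added example written for this page rather than taken from the guide or from any discovery tool. The XML schema is a constructed stand-in (it is not any real tool's output format), and the authorized inventory and scan results are constructed sample data. It reports new hosts, services the inventory does not approve, and approved services that did not answer, which is the gap the paragraph above warns about.

```python
"""Turn a discovery tool's XML output plus a small database into a monitor
for unauthorized hosts and services.

Assumptions (not from the guide): the XML schema below is a constructed
stand-in, not any real tool's output format; the authorized inventory and
scan results are constructed sample data."""
import sqlite3
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

SCAN_XML = """<scan date="2024-03-10">
  <host addr="10.0.0.20"><service port="22" proto="tcp" name="ssh"/></host>
  <host addr="10.0.0.21"><service port="23" proto="tcp" name="telnet"/>
                         <service port="80" proto="tcp" name="http"/></host>
  <host addr="10.0.0.99"><service port="445" proto="tcp" name="smb"/></host>
</scan>"""

Service = Tuple[str, int, str]   # (addr, port, proto)

AUTHORIZED: List[Service] = [   # what the organization has approved
    ("10.0.0.20", 22, "tcp"),
    ("10.0.0.21", 80, "tcp"),
    ("10.0.0.22", 443, "tcp"),
]


def parse_scan(xml_text: str) -> List[Service]:
    """Flatten the tool output into (addr, port, proto) observations."""
    root = ET.fromstring(xml_text)
    return [(h.get("addr"), int(s.get("port")), s.get("proto"))
            for h in root.findall("host") for s in h.findall("service")]


def open_inventory(authorized: List[Service]) -> sqlite3.Connection:
    """In-memory inventory: the approved list plus a history of observations."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE authorized (addr TEXT, port INTEGER, proto TEXT, "
                 "PRIMARY KEY (addr, port, proto))")
    conn.execute("CREATE TABLE observed (scan_date TEXT, addr TEXT, port INTEGER, proto TEXT)")
    conn.executemany("INSERT INTO authorized VALUES (?, ?, ?)", authorized)
    return conn


def record_scan(conn: sqlite3.Connection, scan_date: str, services: List[Service]) -> None:
    """Keep every scheduled run so trends and first-seen dates can be queried later."""
    conn.executemany("INSERT INTO observed VALUES (?, ?, ?, ?)",
                     [(scan_date, *s) for s in services])


def compare(conn: sqlite3.Connection, services: List[Service]) -> Dict[str, list]:
    auth = set(conn.execute("SELECT addr, port, proto FROM authorized").fetchall())
    auth_hosts = {a for a, _, _ in auth}
    seen = set(services)
    return {
        "new_hosts": sorted({a for a, _, _ in seen} - auth_hosts),
        "unauthorized_services": sorted(seen - auth),
        # approved but not answering: down, or outside the scanned segment
        "missing_services": sorted(auth - seen),
    }


def run_demo() -> Dict[str, list]:
    conn = open_inventory(AUTHORIZED)
    scan_date = ET.fromstring(SCAN_XML).get("date")
    services = parse_scan(SCAN_XML)
    record_scan(conn, scan_date, services)
    return compare(conn, services)


def observation_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM observed").fetchone()[0]


if __name__ == "__main__":
    print(run_demo())
```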
4.2 Network Port and Service Identification
Network port and service identification involves using a port scanner to identify network ports and services operating on active hosts, such as FTP and HTTP, and the application that is running each identified service, such as Microsoft Internet Information Server (IIS) or Apache for the HTTP service. Organizations should conduct network port and service identification to identify hosts if this has not already been done by other means (e.g., network discovery), and to flag potentially vulnerable services. This information can be used to determine targets for penetration testing.
All basic scanners can identify active hosts and open ports, but some scanners are also able to provide additional information on the scanned hosts. Information gathered during an open port scan can assist in identifying the target operating system through a process called OS fingerprinting. For example, if a host has TCP ports 135, 139, and 445 open, it is probably a Windows host, or possibly a Unix host running Samba. Other items, such as the TCP packet sequence number generation and responses to packets, also provide a clue to identifying the OS. But OS fingerprinting is not foolproof. For example, firewalls block certain ports and types of traffic, and system administrators can configure their systems to respond in nonstandard ways to camouflage the true OS.
Some scanners can help identify the application running on a particular port through a process called service identification. Many scanners use a services file that lists common port numbers and typical associated services; for example, a scanner that identifies that TCP port 80 is open on a host may report that a web server is listening at that port, but additional steps are needed before this can be confirmed. Some scanners can initiate communications with an observed port and analyze its communications to determine what service is there, often by comparing the observed activity to a repository of information on common service implementations. These techniques may also be used to identify the service application and application version, such as which web server software is in use; this process is known as version scanning. A well-known form of version scanning, called banner grabbing, involves capturing banner information transmitted by the remote port when a connection is initiated. This information can include the application type, application version, and even OS type and version. Version scanning is not foolproof, because a security-conscious administrator can alter the transmitted banners or other characteristics in hopes of concealing the service's true nature. However, version scanning is far more accurate than simply relying on a scanner's services file.
Scanners may support various scanning methods with strengths and weaknesses that are normally explained in their documentation. For example, some scanners work best scanning through firewalls, while others are better suited for scans inside the firewall. Results will vary depending on the scanner used. Some scanners respond with a simple open or closed response for each port, while others offer additional detail (e.g., filtered or unfiltered) that can assist the assessor in determining what other types of scans would be helpful to gain additional information.
Network port and service identification often uses the IP address results of network discovery as the devices to scan. Port scans can also be run independently on entire blocks of IP addresses; here, port scanning performs network discovery by default through identifying the active hosts on the network. The result of network discovery and network port and service identification is a list of all active devices operating in the address space that responded to the port scanning tool, along with their responding ports. Additional active devices could exist that did not respond to scanning, such as those that are shielded by firewalls or are off. Assessors can try to find these devices by scanning the devices themselves, placing the scanner on a segment that can access the devices, or attempting to evade the firewall through the use of alternate scan types (e.g., SYN/FIN or Xmas scan).
It is recommended that, if both external and internal scanning are to be used and the assessors are intentionally performing the testing "blind", external scanning be performed first. Done in this order, logs can be reviewed and compared before and during internal testing. When performing external scan
ning, assessors may use any existing stealth techniques to get packets through firewalls while evading detection by IDS and IPS. Tools that use fragmentation, duplication, overlap, out-of-order, and timing techniques to alter packets so that they blend in and appear more like normal traffic are recommended. Internal testing tends to use less aggressive scanning methods because these scans are blocked less often than external scans. Using more aggressive scans internally significantly increases the chances of disrupting operations without necessarily improving scan results. Being able to scan a network with customized packets also works well for internal testing, because checking for specific vulnerabilities requires highly customized packets. Tools with packet building ability are helpful with this process. Once built, packets can be sent through a second scanning program that will collect the results. Because customized packets can trigger a denial of service (DoS) condition, this type of test should be conducted during periods of low network traffic, such as overnight or on the weekend.
Although port scanners identify active hosts, operating systems, ports, services, and applications, they do not identify vulnerabilities. Additional investigation is needed to confirm the presence of insecure protocols (e.g., Trivial File Transfer Protocol [TFTP], telnet), malware, insecure applications, and vulnerable services. To identify vulnerable services, the assessor compares identified version numbers of services with a list of known vulnerable versions, or performs some vulnerability scanning as discussed in Section 4.3. With port scanners, the scanning process is highly automated but interpretation of the scanned data is not.
Port scanning can disrupt network operations by consuming bandwidth and slowing network response times. However, it enables an organization to ensure that its hosts are configured to run only approved network services. Scanning software should be carefully selected to minimize disruptions to operations. Port scanning can also be conducted after hours to cause minimal impact to operations.
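The interpretation step that this section says scanners leave to the assessor, as an added example written for this page and not taken from the guide or from any scanner: scan results are mapped through a small services file, product and version are parsed from captured banners, and each open port is checked against the organization's approved-service list, a list of cleartext protocols, and a list of known-vulnerable versions. The scan result lines, the product names ExampleFTPd and ExampleHTTPd, and the "known vulnerable" entry are constructed; only the OpenSSH banner format is real, and nothing is claimed about OpenSSH itself.

```python
"""Interpreting port scan output: map ports through a services file, parse
product/version from captured banners, and flag cleartext protocols,
unapproved ports and versions on a known-vulnerable list.

Assumptions (not from the guide): the scan result lines, the product names
ExampleFTPd/ExampleHTTPd and the "known vulnerable" list are constructed for
this example; only the OpenSSH banner format is real."""
import re
from typing import Dict, List, Optional, Set, Tuple

# A minimal services file: (port, proto) -> typical service.
SERVICES = {(21, "tcp"): "ftp", (22, "tcp"): "ssh", (23, "tcp"): "telnet",
            (69, "udp"): "tftp", (80, "tcp"): "http", (443, "tcp"): "https",
            (445, "tcp"): "smb"}
CLEARTEXT = {"ftp", "telnet", "tftp"}
APPROVED_PORTS = {21, 22, 80, 443}
KNOWN_VULNERABLE = {("ExampleFTPd", "1.0")}   # constructed placeholder list

# "Product<sep>Version" where the separator is a space, slash or underscore.
VERSION_RE = re.compile(
    r"(?P<product>[A-Za-z][A-Za-z0-9-]*?)[ /_](?P<version>\d+(?:\.\d+)+[A-Za-z0-9]*)")

SCAN_LINES = [  # constructed: "addr proto port state [banner]"
    "10.0.0.20 tcp 22 open SSH-2.0-OpenSSH_8.9p1",
    "10.0.0.21 tcp 23 open",
    "10.0.0.21 tcp 80 open Server: ExampleHTTPd/2.1",
    "10.0.0.23 tcp 21 open 220 ExampleFTPd 1.0 ready",
    "10.0.0.23 udp 69 open",
]


def parse_scan(lines: List[str]) -> List[Dict[str, object]]:
    records = []
    for line in lines:
        parts = line.split(" ", 4)
        addr, proto, port, state = parts[:4]
        records.append({"addr": addr, "proto": proto, "port": int(port),
                        "state": state, "banner": parts[4] if len(parts) > 4 else None})
    return records


def parse_banner(banner: Optional[str]) -> Optional[Tuple[str, str]]:
    """Best-effort (product, version) from a banner; None when nothing matches."""
    if not banner:
        return None
    m = VERSION_RE.search(banner)
    return (m["product"], m["version"]) if m else None


def identify(rec: Dict[str, object]) -> Dict[str, object]:
    """Add the services-file guess and any banner-derived product/version."""
    out = dict(rec)
    out["service"] = SERVICES.get((rec["port"], rec["proto"]), "unknown")
    pv = parse_banner(rec["banner"])
    out["product"], out["version"] = pv if pv else (None, None)
    return out


def review(lines: List[str], approved: Set[int] = APPROVED_PORTS,
           vulnerable: Set[Tuple[str, str]] = KNOWN_VULNERABLE) -> List[Tuple[str, int, str]]:
    """Findings an assessor would raise from the scan data alone."""
    findings = []
    for rec in map(identify, parse_scan(lines)):
        if rec["state"] != "open":
            continue
        key = (rec["addr"], rec["port"])
        if rec["service"] in CLEARTEXT:
            findings.append((*key, f"cleartext protocol: {rec['service']}"))
        if rec["product"] and (rec["product"], rec["version"]) in vulnerable:
            findings.append((*key, f"known vulnerable version: {rec['product']} {rec['version']}"))
        if rec["port"] not in approved:
            findings.append((*key, "port not in approved list"))
    return findings


if __name__ == "__main__":
    for f in review(SCAN_LINES):
        print(f)
```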
4.3 Vulnerability Scanning
Like network port and service identification, vulnerability scanning identifies hosts and host attributes (e.g., operating systems, applications, open ports), but it also attempts to identify vulnerabilities rather than relying on human interpretation of the scanning results. Many vulnerability scanners are equipped to accept results from network discovery and network port and service identification, which reduces the amount of work needed for vulnerability scanning. Also, some scanners can perform their own network discovery and network port and service identification. Vulnerability scanning can help identify outdated software versions, missing patches, and misconfigurations, and validate compliance with or deviations from an organization's security policy. This is done by identifying the operating systems and major software applications running on the hosts and matching them with information on known vulnerabilities stored in the scanners' vulnerability databases.
Vulnerability scanners can:
■ Check compliance with host application usage and security policies
■ Provide information on targets for penetration testing
■ Provide information on how to mitigate discovered vulnerabilities.
Vulnerability scanners can be run against a host either locally or from the network. Some network-based scanners have administrator-level credentials on individual hosts and can extract vulnerability information from hosts using those credentials. Other network-based scanners do not have such credentials and rely on conducting scanning of networks to locate hosts and then scan those hosts for vulnerabilities. In such cases, network-based scanning is primarily used to perform network discovery and identify open ports and related vulnerabilities; in most cases, it is not limited by the OS of the targeted systems. Network-based scanning without host credentials can be performed both internally and externally, and although internal scanning usually uncovers more vulnerabilities than external scanning, testing from both viewpoints is important. External scanning must contend with perimeter security devices that block traffic, limiting assessors to scanning only the ports authorized to pass traffic.
Assessors performing external scanning may find challenges similar to those faced with network discovery, such as the use of NAT or personal and host-based firewalls. To overcome the challenges of NAT and conduct successful network-based scanning, assessors can ask the firewall administrator to enable port forwarding on specific IP addresses on the perimeter if this is supported by the firewall, or request network access behind the device performing NAT. Assessors can also request that personal or host-based firewalls be configured to permit scanner traffic from the assessment system's IP addresses during the assessment period. These steps will give assessors increased insight into the network, but do not accurately reflect the capabilities of an external attacker, although they may offer a better indication of the capabilities available to a malicious insider or an external attacker with access to another host on the internal network. Assessors can also perform scanning on individual hosts.
For local vulnerability scanning, a scanner is installed on each host to be scanned. This is done primarily to identify host OS and application misconfigurations and vulnerabilities, both network-exploitable and locally exploitable. Local scanning is able to detect vulnerabilities with a higher level of detail than network-based scanning because local scanning usually requires both host (local) access and a root or administrative account. Some scanners also offer the capability of repairing local misconfigurations.
A vulnerability scanner is a relatively fast and easy way to quantify an organization's exposure to surface vulnerabilities. A surface vulnerability is a weakness that exists in isolation, independent from other vulnerabilities. The system's behaviors and outputs in response to attack patterns submitted by the scanner are compared against those that characterize the signatures of known vulnerabilities, and the tool reports any matches that are found. Besides signature-based scanning, some vulnerability scanners attempt to simulate the reconnaissance attack patterns used to probe for exposed, exploitable vulnerabilities, and report the vulnerabilities found when these techniques are successful.
One difficulty in identifying the risk level of vulnerabilities is that they rarely exist in isolation. For example, there could be several low-risk vulnerabilities that present a higher risk when combined. Scanners are unable to detect vulnerabilities that are revealed only as the result of potentially unending combinations of attack patterns. The tool may assign a low risk to each vulnerability, leaving the assessor falsely confident in the security measures in place. A more reliable way of identifying the risk of vulnerabilities in aggregate is through penetration testing, which is discussed in Section 5.2.
Another problem with identifying the risk level of vulnerabilities is that vulnerability scanners often use their own proprietary methods for defining the levels. For example, one scanner might use the levels low, medium, and high, while another scanner might use the levels informational, low, medium, high, and critical. This makes it difficult to compare findings among multiple scanners. Also, the risk levels assigned by a scanner may not reflect the actual risk to the organization; for example, a scanner might label an FTP server as a moderate risk because it transmits passwords in cleartext, but if the organization only uses the FTP server as an anonymous public server that does not use passwords, then the actual risk might be considerably lower. Assessors should determine the appropriate risk level for each vulnerability and not simply accept the risk levels assigned by vulnerability scanners.
Network-based vulnerability scanning has some significant weaknesses. As with network sniffing and discovery, this type of scanning uncovers vulnerabilities only for active systems. This generally covers surface vulnerabilities, and is unable to address the overall risk level of a scanned network. Although the process itself is highly automated, vulnerability scanners can have a high false positive error rate (reporting vulnerabilities when none exist). An individual with expertise in networking and OS security should interpret the results. And because network-based vulnerability scanning requires more information than port scanning to reliably identify the vulnerabilities on a host, it tends to generate significantly more network traffic than port scanning. This may have a negative impact on the hosts or network being scanned, or on network segments through which scanning traffic is traversing. Many vulnerability scanners also include network-based tests for DoS attacks that, in the hands of an inexperienced assessor, can have a marked negative impact on scanned hosts. Scanners often allow all DoS tests to be suppressed to reduce the risk of impacting hosts through testing.
Another significant limitation of vulnerability scanners is that, like virus scanners and IDSs, they rely on a repository of signatures. This requires the assessors to update these signatures frequently to enable the scanner to recognize the latest vulnerabilities. Before running any scanner, an assessor should install the latest updates to its vulnerability database. Some vulnerability scanner databases are updated more regularly than others; update frequency should be a major consideration when selecting a vulnerability scanner.
Most vulnerability scanners allow the assessor to perform different levels of scanning that vary in terms of thoroughness. While more comprehensive scanning may detect a greater number of vulnerabilities, it can slow the overall scanning process. Less comprehensive scanning can take less time, but identifies only well-known vulnerabilities. It is generally recommended that assessors conduct a thorough vulnerability scan if resources permit.
Vulnerability scanning is a somewhat labor-intensive activity that requires a high degree of human involvement to interpret results. It may also disrupt network operations by taking up bandwidth and slowing response times. Nevertheless, vulnerability scanning is extremely important in ensuring that vulnerabilities are mitigated before they are discovered and exploited by adversaries.
As with all pattern-matching and signature-based tools, application vulnerability scanners typically have high false positive rates. Assessors should configure and calibrate their scanners to minimize both false positives and false negatives to the greatest possible extent, and meaningfully interpret results to identify the real vulnerabilities. Scanners also suffer from the high false negative rates that characterize other signature-based tools, but vulnerabilities that go undetected by automated scanners can potentially be caught using multiple vulnerability scanners or additional forms of testing. A common practice is to use multiple scanners; this provides assessors with a way to compare results.
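The two points above, comparing the output of multiple scanners and not simply accepting scanner-assigned risk levels, can be made concrete in a small correlation script. The following is an added example, not part of the publication: the two scanner exports, the finding identifiers and the severity scale are constructed for illustration and do not come from any real scanner.

```python
"""Correlate findings from two vulnerability scanner exports and record
assessor risk decisions. Added example; the scanner exports below are
constructed, not output from any real product."""

# Constructed exports from two hypothetical scanners, already reduced to the
# fields that matter for correlation.
SCANNER_A = [
    {"host": "10.0.0.5", "port": 21, "id": "ftp-cleartext-auth", "severity": "medium"},
    {"host": "10.0.0.5", "port": 22, "id": "ssh-weak-mac", "severity": "low"},
    {"host": "10.0.0.9", "port": 443, "id": "tls-weak-cipher", "severity": "medium"},
]
SCANNER_B = [
    {"host": "10.0.0.5", "port": 21, "id": "ftp-cleartext-auth", "severity": "high"},
    {"host": "10.0.0.9", "port": 443, "id": "tls-weak-cipher", "severity": "medium"},
    {"host": "10.0.0.9", "port": 80, "id": "http-trace-enabled", "severity": "low"},
]

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def correlate(*exports):
    """Merge (scanner_name, findings) pairs keyed by (host, port, id).

    For each key the result records which scanners reported it and the highest
    scanner-assigned severity, which is only the starting point for review.
    """
    merged = {}
    for name, findings in exports:
        for f in findings:
            key = (f["host"], f["port"], f["id"])
            entry = merged.setdefault(key, {"reported_by": {}, "scanner_severity": "info"})
            entry["reported_by"][name] = f["severity"]
            if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["scanner_severity"]]:
                entry["scanner_severity"] = f["severity"]
    return merged


def needs_manual_verification(merged, scanner_count):
    """Keys reported by fewer than all scanners: a false positive in one tool
    or a false negative in the other, and either way a candidate for manual
    confirmation rather than blind acceptance."""
    return sorted(k for k, v in merged.items() if len(v["reported_by"]) < scanner_count)


def apply_assessor_decisions(merged, decisions):
    """decisions: {(host, port, id): (severity, justification)} set by the
    assessor after considering how the service is actually used. Findings
    without a decision keep the scanner severity."""
    for key, (severity, why) in decisions.items():
        if key in merged:
            merged[key]["final_severity"] = severity
            merged[key]["justification"] = why
    for v in merged.values():
        v.setdefault("final_severity", v["scanner_severity"])
        v.setdefault("justification", "scanner severity accepted after review")
    return merged


if __name__ == "__main__":
    merged = correlate(("scanner_a", SCANNER_A), ("scanner_b", SCANNER_B))
    print("verify manually:", needs_manual_verification(merged, 2))
    decided = apply_assessor_decisions(merged, {
        ("10.0.0.5", 21, "ftp-cleartext-auth"):
            ("low", "anonymous-only public FTP; no credentials are transmitted"),
    })
    for key, v in sorted(decided.items()):
        print(key, v["final_severity"], "-", v["justification"])
```

The FTP override mirrors the anonymous-FTP case discussed above: the scanners rate the cleartext-authentication finding medium and high, but the assessor, knowing no passwords are transmitted, records a lower severity together with the justification so the decision is auditable in the final report.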
4.4 Wireless Scanning
Wireless technologies, in their simplest sense, enable one or more devices to communicate without the need for physical connections such as network or peripheral cables. They range from simple technologies like wireless keyboards and mice to complex cell phone networks and enterprise wireless local area networks (WLAN). As the number and availability of wireless-enabled devices continues to increase, it is important for organizations to actively test and secure their enterprise wireless environments. Wireless scans can help organizations determine corrective actions to mitigate risks posed by wireless-enabled technologies.
The following factors in the organization's environment should be taken into consideration when planning technical wireless security assessments:
■ The location of the facility being scanned, because the physical proximity of a building to a public area (e.g., streets and public common areas) or its location in a busy metropolitan area may increase the risk of wireless threats
■ The security level of the data to be transmitted using wireless technologies
■ How often wireless devices connect to and disconnect from the environment, and the typical traffic levels for wireless devices (e.g., occasional activity or fairly constant activity); this matters because only active wireless devices are discoverable during a wireless scan
■ Existing deployments of wireless intrusion detection and prevention systems (WIDPS), which may already collect most of the information that would be gathered by testing.
Wireless scanning should be conducted using a mobile device with wireless analyzer software installed and configured, such as a laptop, handheld device, or specialty device. The scanning software or tool should allow the operator to configure the device for specific scans, and to scan in both passive and active modes. The scanning software should also be configurable by the operator to identify deviations from the organization's wireless security configuration requirements.
The wireless scanning tool should be capable of scanning all Institute of Electrical and Electronics Engineers (IEEE) 802.11a/b/g/n channels, whether domestic or international. In some cases, the device should also be fitted with an external antenna to provide an additional level of radio frequency (RF) capturing capability. Support for other wireless technologies, such as Bluetooth, will help evaluate the presence of additional wireless threats and vulnerabilities. Note that devices using nonstandard technology or frequencies outside of the scanning tool's RF range will not be detected or properly recognized by the scanning tool. A tool such as an RF spectrum analyzer will assist organizations in identifying transmissions that occur within the frequency range of the spectrum analyzer. Spectrum analyzers generally analyze a large frequency range (3 to 18 GHz), and although these devices do not analyze traffic, they enable an assessor to determine wireless activity within a specific frequency range and tailor additional testing and examination accordingly.
Some devices also support mapping and physical location plotting through use of a mapping tool, and in some cases support Global Positioning System (GPS)-based mapping. Sophisticated wireless scanning tools allow the use of imported floor plans or maps to assist in plotting the physical location of discovered devices. (It is important to note that GPS has limited capabilities indoors.)
…should be employed to analyze the data and results acquired from wireless scans. Scanning tool operators should be aware of other RF signals authorized for use within the area being scanned.
4.4.1 Passive Wireless Scanning
Passive scanning should be conducted regularly to supplement wireless security measures that are already in place, such as WIDPSs. Wireless scanning tools used to conduct completely passive scans transmit no data, nor do the tools in any way affect the operation of deployed wireless devices. By not transmitting data, a passive scanning tool remains undetected by malicious users and other devices. This reduces the likelihood of individuals avoiding detection by disconnecting or disabling unauthorized wireless devices.
Passive scanning tools capture wireless traffic being transmitted within the range of the tool's antenna. Most tools provide several key attributes regarding discovered wireless devices, including service set identifier (SSID), device type, channel, media access control (MAC) address, signal strength, and number of packets being transmitted. This information can be used to evaluate the security of the wireless environment, and to identify potential rogue devices and unauthorized ad hoc networks discovered within range of the scanning device. The wireless scanning tool should also be able to assess the captured packets to determine if any operational anomalies or threats exist.
Wireless scanning tools scan each IEEE 802.11a/b/g/n channel/frequency separately, often for only several hundred milliseconds at a time. The passive scanning tool may not receive all transmissions on a specific channel. For example, the tool may have been scanning channel 1 at the precise moment when a wireless device transmitted a packet on channel 5. This makes it important to set the dwell time of the tool to be long enough to capture packets, yet short enough to efficiently scan each channel. Dwell time configurations will depend on the device or tool used to conduct the wireless scans. In addition, security personnel conducting the scan should slowly move through the area being scanned to reduce the number of devices that go undetected.
Rogue devices can be identified in several ways through passive scanning:
■ The MAC address of a discovered wireless device indicates the vendor of the device's wireless interface. If an organization only deploys wireless interfaces from vendors A and B, the presence of interfaces from any other vendor indicates potential rogue devices.
■ If an organization has accurate records of its deployed wireless devices, assessors can compare the MAC addresses of discovered devices with the MAC addresses of authorized devices. Most scanning tools allow assessors to enter a list of authorized devices. Because MAC addresses can be spoofed, assessors should not assume that the MAC addresses of discovered devices are accurate, but checking MAC addresses can identify rogue devices that do not use spoofing.
■ Rogue devices may use SSIDs that are not authorized by the organization.
■ Some rogue devices may use SSIDs that are authorized by the organization but do not adhere to its wireless security configuration requirements.
■ The signal strength … [text missing from the extraction] … A device outside the organization's confines might still pose significant risks because the organization's devices might inadvertently associate to it.
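The checks in the list above (vendor OUI, inventory match, authorized SSIDs, and security configuration) are simple to automate over a scanning tool's export, which is what the following added example does. It is not from the publication: the OUI prefixes standing in for vendors A and B, the inventory, the SSID policy and the scan records are all constructed, and the signal-strength ordering at the end is this example's own heuristic for deciding which device to try to locate first.

```python
"""Flag potential rogue wireless devices in a passive scan export using the
checks listed above. Added example with constructed data: the OUIs,
inventory, SSIDs and scan records are all hypothetical."""

# Vendors A and B of the text, as hypothetical OUI prefixes (first three octets).
AUTHORIZED_OUIS = {"02:11:11", "02:22:22"}
# MAC addresses of deployed access points from the organization's records.
INVENTORY = {"02:11:11:AA:BB:01", "02:11:11:AA:BB:02", "02:22:22:10:20:30"}
AUTHORIZED_SSIDS = {"CORP-WLAN", "CORP-GUEST"}
# Security configuration required for each authorized SSID.
REQUIRED_SECURITY = {"CORP-WLAN": "WPA2-Enterprise", "CORP-GUEST": "WPA2-PSK"}

# Constructed passive scan records (attributes a scanning tool typically reports).
SCAN = [
    {"bssid": "02:11:11:AA:BB:01", "ssid": "CORP-WLAN", "channel": 6,
     "security": "WPA2-Enterprise", "rssi_dbm": -45, "packets": 1200},
    {"bssid": "02:22:22:10:20:30", "ssid": "CORP-GUEST", "channel": 11,
     "security": "WPA2-PSK", "rssi_dbm": -60, "packets": 300},
    # Authorized vendor and SSID, but not in inventory and no encryption.
    {"bssid": "02:11:11:AA:BB:99", "ssid": "CORP-WLAN", "channel": 1,
     "security": "Open", "rssi_dbm": -50, "packets": 40},
    # Unknown vendor broadcasting an unauthorized SSID with weak security.
    {"bssid": "02:AB:CD:00:11:22", "ssid": "homenet", "channel": 6,
     "security": "WEP", "rssi_dbm": -80, "packets": 5},
]


def oui(mac):
    """Vendor prefix: the first three octets of the MAC address."""
    return mac.upper()[:8]


def assess(record):
    """Return the list of reasons a scanned device looks rogue (empty if none)."""
    reasons = []
    mac = record["bssid"].upper()
    if oui(mac) not in AUTHORIZED_OUIS:
        reasons.append("vendor OUI not deployed by the organization")
    if mac not in INVENTORY:
        # MAC addresses can be spoofed, so this is evidence, not proof, either way.
        reasons.append("MAC address not in authorized device inventory")
    ssid = record["ssid"]
    if ssid not in AUTHORIZED_SSIDS:
        reasons.append("SSID not authorized")
    elif record["security"] != REQUIRED_SECURITY[ssid]:
        reasons.append("security is %s, policy requires %s"
                       % (record["security"], REQUIRED_SECURITY[ssid]))
    return reasons


def find_rogues(scan):
    """Map BSSID -> reasons for every record that fails at least one check."""
    rogues = {}
    for record in scan:
        reasons = assess(record)
        if reasons:
            rogues[record["bssid"]] = reasons
    return rogues


def locate_first(scan, rogues):
    """Order rogue BSSIDs by signal strength, strongest first: a strong signal
    suggests the device is inside the facility and worth locating first."""
    by_bssid = {r["bssid"]: r for r in scan}
    return sorted(rogues, key=lambda b: by_bssid[b]["rssi_dbm"], reverse=True)


if __name__ == "__main__":
    rogues = find_rogues(SCAN)
    for bssid in locate_first(SCAN, rogues):
        print(bssid, "->", "; ".join(rogues[bssid]))
```

Note that the third record passes the vendor and SSID checks and would be missed by a scanner configured only to alert on unknown SSIDs; the inventory comparison and the security-configuration check are what expose it as an open access point impersonating the corporate network.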
4.4.2 Active Wireless Scanning
Organizations can also perform active wireless scanning, which builds on the information collected during passive scans, and attempts to attach to discovered devices and conduct penetration or vulnerability-related testing. For example, organizations can conduct active wireless scanning on their authorized wireless devices to ensure that they meet wireless security configuration requirements (including authentication mechanisms, data encryption, and administration access) if this information is not already available through other means.
Organizations should be cautious in conducting active scans to make sure they do not inadvertently scan devices owned or operated by neighboring organizations that are within range. It is important to evaluate the physical location of devices before actively scanning them. Organizations should also be cautious in performing active scans of rogue devices that appear to be operating within the organization's facility. Such devices could belong to a visitor of the organization who inadvertently has wireless access enabled, or to a neighboring organization with a device that is close to, but not within, the organization's facility. Generally, organizations should focus on locating and addressing potential rogue devices rather than performing active scans of such devices.
Organizations may use active scanning when conducting penetration testing. Tools are available that employ scripted attacks and functions in an attempt to circumvent implemented security measures and evaluate the security level of devices. For example, tools used to conduct wireless penetration testing attempt to connect to access points (AP) through various methods to circumvent security configurations. If a tool can gain access to the AP, it can obtain information on and access the wired networks and wireless devices to which the AP is connected. Some active tools may also identify vulnerabilities that exist on the wireless client devices, or conduct wired network penetration testing as outlined in Section 4.
While active scanning is being performed, the organization's WIDPSs can be monitored to evaluate their capabilities and performance. Depending on assessment goals, assessors conducting active scans may need to inform the WIDPS administrators and wireless network administrators of pending scanning to prepare them for possible alarms and alerts. In addition, some WIDPSs can be configured to ignore scans and alarms triggered by specific devices, such as those used to perform scanning.
Tools and processes to identify unauthorized devices and vulnerabilities on wired networks can also be used to identify rogue and misconfigured wireless devices. Wired-side scanning is another process that can be conducted to discover, and possibly locate, rogue wireless devices. Sections 3.5 and … discuss wired scanning.
4.4.3 Wireless Device Location Tracking
Security personnel who operate the wireless scanning tool should attempt to locate suspicious devices. RF signals propagate in a manner relative to the environment, which makes it important for the operator to understand how wireless technology supports this process. Mapping capabilities are useful here, but the main factors needed to support this capability are a knowledgeable operator and an appropriate wireless antenna.
…shutting it down, reconfiguring it to comply with the organization's policies, or removing the device completely. If the device is to be removed, security personnel should evaluate the activity of the rogue device before it is confiscated. This can be done through monitoring transmissions and attempting to access the device.
If discovered wireless devices cannot be located during the scan, security personnel should attempt to use a WIDPS to support the location of discovered devices. This requires the WIDPS to locate a specific MAC address that was discovered during the scan. Properly deployed WIDPSs should have the ability to assist security personnel in locating these devices, and may use the results of multiple WIDPS sensors to increase location identification granularity. Because the WIDPS will only be able to locate a device within several meters, a wireless scanning tool may still be needed to pinpoint the location of the device.
4.4.4 Bluetooth Scanning
For organizations that want to confirm compliance with their Bluetooth security requirements, passive scanning for Bluetooth-enabled wireless devices should be conducted to evaluate potential presence and activity. Because Bluetooth has a very short range (on average 9 meters [30 feet], with some devices having ranges of as little as 1 meter [3 feet]), scanning for devices can be difficult and time-consuming. Assessors should take these limitations into consideration when scoping this type of scanning. Organizations may want to perform scanning only in areas of their facilities that are accessible by the public, to see if attackers could gain access to devices via Bluetooth, or to perform scanning in a sampling of physical locations rather than throughout the entire facility. Because many Bluetooth-enabled devices (such as cell phones and personal digital assistants [PDA]) are mobile, conducting passive scanning several times over a period of time may be necessary. Organizations should also scan any Bluetooth infrastructure, such as access points, that they deploy. If rogue access points are discovered, the organization should handle them in accordance with established policies and processes.
(Summary table rows, flattened in the extraction)
Vulnerability Scanning: … provides advice on mitigating discovered vulnerabilities.
Wireless Scanning: Identifies unauthorized wireless devices within range of the scanners; discovers potential backdoors and other security violations.
There are risks associated with each technique and combination of techniques. To ensure that all are executed safely and accurately, each assessor should have a certain baseline skill set. Table 4-2 provides guidelines for the minimum skill set needed for each technique presented in Section 4.
5. Target Vulnerability Validation Techniques
This section addresses target vulnerability validation techniques, which use information produced from target identification and analysis to further explore the existence of potential vulnerabilities. The objective is to prove that a vulnerability exists, and to demonstrate the security exposures that occur when it is exploited. Target vulnerability validation involves the greatest amount of risk in assessments, since these techniques have more potential to impact the target system or network than other techniques.
Target vulnerability validation techniques for application security testing are briefly discussed in an appendix.
5.1 Password Cracking
When a user enters a password, a hash of the entered password is generated and compared with a stored hash of the user's actual password. If the hashes match, the user is authenticated. Password cracking is the process of recovering passwords from password hashes stored in a computer system or transmitted over networks. It is usually performed during assessments to identify accounts with weak passwords. Password cracking is performed on hashes that are either intercepted by a network sniffer while being transmitted across a network, or retrieved from the target system, which generally requires administrative-level access on, or physical access to, the target system. Once these hashes are obtained, an automated password cracker rapidly generates additional hashes until a match is found or the assessor halts the cracking attempt.
One method for generating hashes is a dictionary attack, which uses all words in a dictionary or text file. There are numerous dictionaries available on the Internet that encompass major and minor languages, names, popular television shows, etc. Another cracking method is known as a hybrid attack, which builds on the dictionary method by adding numeric and symbolic characters to dictionary words. Depending on the password cracker being used, this type of attack can try a number of variations, such as using common substitutions of characters and numbers for letters (e.g., p@ssword and h4ckme). Some will also try adding characters and numbers to the beginning and end of dictionary words (e.g., password99, password$).
Yet another password-cracking method is called the brute force method. This generates all possible passwords up to a certain length and their associated hashes. Since there are so many possibilities, it can take months to crack a password. Although brute forcing can take a long time, it usually takes far less time than most password policies specify for password changing. Consequently, passwords found during brute force attacks are still too weak. Theoretically, all passwords can be cracked by a brute force attack given enough time and processing power, although it could take many years and require serious computing power. Assessors and attackers often have multiple machines over which they can spread the task of cracking passwords, which greatly shortens the time involved.
…salted password hashing mechanisms to reduce the effectiveness of rainbow tables and other forms of password cracking.
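The dictionary and hybrid methods described above, and the reason salting blunts precomputed (rainbow) tables, can both be seen in one short audit script. The following is an added example and not part of the publication: the accounts, their salts, the small dictionary, the substitution and suffix rules and the SHA-256-over-salt-and-password scheme are all constructed for illustration (a real system should use a deliberately slow key derivation function, which the example does not attempt to model).

```python
"""Audit a set of salted password hashes for dictionary and hybrid
guessability, and show why a per-user salt defeats precomputed tables.
Added example; the accounts, dictionary and hashing scheme are constructed
for illustration, not taken from any real system."""
import hashlib
import itertools

# Character substitutions and suffixes a hybrid attack applies to dictionary words.
SUBSTITUTIONS = {"a": "@", "s": "$", "o": "0", "e": "3"}
SUFFIXES = ["", "1", "99", "$", "!"]
DICTIONARY = ["password", "welcome", "summer", "dragon"]


def salted_hash(salt, password):
    """Constructed scheme: SHA-256 over salt || password. A production system
    should use a slow, memory-hard KDF; the salt handling is the point here."""
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


def leet_variants(word):
    """Every combination of substituting or keeping each substitutable letter."""
    options = [(c, SUBSTITUTIONS[c]) if c in SUBSTITUTIONS else (c,) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def candidates(words):
    """Dictionary words plus hybrid variants: substitutions, capitalization, suffixes."""
    for word in words:
        bases = set()
        for v in leet_variants(word):
            bases.add(v)
            bases.add(v.capitalize())
        for base in sorted(bases):
            for suffix in SUFFIXES:
                yield base + suffix


def audit(accounts, words):
    """Return {username: recovered_password} for accounts whose hash matches a
    candidate; these accounts fail the composition policy."""
    guesses = list(candidates(words))
    weak = {}
    for user, salt, digest in accounts:
        for guess in guesses:
            if salted_hash(salt, guess) == digest:
                weak[user] = guess
                break
    return weak


def salt_defeats_precomputation(password):
    """Same password, different salts: the stored hashes differ, so a single
    precomputed table of hash -> password cannot cover both users."""
    return salted_hash("salt-one", password) != salted_hash("salt-two", password)


# Constructed accounts: (username, per-user salt, stored hash).
ACCOUNTS = [
    ("alice", "9f2c", salted_hash("9f2c", "p@ssword99")),
    ("bob", "e71a", salted_hash("e71a", "Summer!")),
    ("carol", "03bd", salted_hash("03bd", "correct-horse-battery-staple-2024")),
]

if __name__ == "__main__":
    print("accounts failing policy:", audit(ACCOUNTS, DICTIONARY))
    print("salt defeats precomputation:", salt_defeats_precomputation("password"))
```

Because every guess has to be re-hashed per salt, the audit does the same work for each account; that per-account cost is exactly what a precomputed table avoids for unsalted hashes and what salting restores. The third account is not recovered because its password is not derivable from the dictionary by any of the hybrid rules.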
Password crackers can be run during an assessment to ensure policy compliance by verifying acceptable password composition. For example, if the organization has a password expiration policy, then password crackers can be run at intervals that coincide with the intended password lifetime. Password cracking that is performed offline produces little or no impact on the system or network, and the benefits of this operation include validating the organization's password policy and verifying policy compliance.
5.2 Penetration Testing
Penetration testing is security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network. It often involves launching real attacks on real systems and data that use tools and techniques commonly used by attackers. Most penetration tests involve looking for combinations of vulnerabilities on one or more systems that can be used to gain more access than could be achieved through a single vulnerability. Penetration testing can also be useful for determining:
■ How well the system tolerates real world-style attack patterns
■ The likely level of sophistication an attacker needs to successfully compromise the system
■ Additional countermeasures that could mitigate threats against the system
Penetration testing can be invaluable, but it is labor-intensive and requires great expertise to minimize the risk to targeted systems. Systems may be damaged or otherwise rendered inoperable during the course of penetration testing, even though the organization benefits in knowing how a system could be rendered inoperable by an intruder. Although experienced penetration testers can mitigate this risk, it can never be fully eliminated. Penetration testing should be performed only after careful consideration, notification, and planning.
Penetration testing often includes non-technical methods of attack. For example, a penetration tester could breach physical security controls and procedures to connect to a network, steal equipment, capture sensitive information (possibly by installing keylogging devices), or disrupt communications. Caution should be exercised when performing physical security testing: security guards should be made aware of how to verify the validity of tester activity, such as via a point of contact or documentation. Another non-technical means of attack is the use of social engineering, such as posing as a help desk agent and calling to request a user's passwords, or calling the help desk posing as a user and asking for a password to be reset. Additional information on physical security testing, social engineering techniques, and other non-technical means of attack included in penetration testing lies outside the scope of this publication.
5.2.1 Penetration Testing Phases
Figure 5-1 represents the four phases of penetration testing. In the planning phase, rules are identified, management approval is finalized and documented, and testing goals are set. The planning phase sets the groundwork for a successful penetration test. No actual testing occurs in this phase.
Figure 5-1. Four-Stage Penetration Testing Methodology (image not preserved in the extraction)
The discovery phase of penetration testing includes two parts. The first part is the start of actual testing, and covers information gathering and scanning. Network port and service identification, described in Section 4.2, is conducted to identify potential targets. In addition to port and service identification, other techniques are used to gather information on the targeted network:
■ Host name and IP address information can be gathered through many methods, including DNS interrogation, InterNIC (WHOIS) queries, and network sniffing (generally only during internal tests)
■ Employee names and contact information can be obtained by searching the organization's Web servers or directory servers
■ System information, such as names and shares, can be found through methods such as NetBIOS enumeration (generally only during internal tests) and Network Information System (NIS) (generally only during internal tests)
■ Application and service information, such as version numbers, can be recorded through banner grabbing.
In some cases, techniques such as dumpster diving and physical walkthroughs of facilities may be used to collect additional information on the targeted network, and may also uncover additional information to be used during the penetration tests, such as passwords written on paper.
The second part of the discovery phase is vulnerability analysis, which involves comparing the services, applications, and operating systems of scanned hosts against vulnerability databases (a process that is automatic for vulnerability scanners) and the testers' own knowledge of vulnerabilities. Human testers can use their own databases, or public databases such as the National Vulnerability Database (NVD), to identify vulnerabilities manually. Appendix E has more information on these publicly available vulnerability databases. Manual processes can identify new or obscure vulnerabilities that automated scanners may miss, but are much slower than an automated scanner.
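The comparison step described above, matching the product and version of each discovered service against a vulnerability database, is shown here as an added example; it is not code from the publication. Both the discovered-service list (the kind of data banner grabbing yields) and the local vulnerability database are constructed, and the entry identifiers are placeholders rather than real advisory or NVD identifiers.

```python
"""Match service versions gathered in the discovery phase against a local
vulnerability database, the vulnerability-analysis step described above.
Added example: the host inventory and the database entries are constructed;
the entry identifiers are placeholders, not real advisory IDs."""


def parse_version(text):
    """'7.2.1' -> (7, 2, 1), so versions compare numerically component by component."""
    return tuple(int(part) for part in text.split("."))


def in_range(version, affected_min, fixed_in):
    """True if affected_min <= version < fixed_in (fixed_in None = no fix yet)."""
    v = parse_version(version)
    if v < parse_version(affected_min):
        return False
    return fixed_in is None or v < parse_version(fixed_in)


# Constructed results of port/service identification and banner grabbing.
DISCOVERED = [
    {"host": "10.0.0.5", "port": 22, "product": "ExampleSSH", "version": "7.2.1"},
    {"host": "10.0.0.5", "port": 80, "product": "ExampleHTTPD", "version": "2.4.12"},
    {"host": "10.0.0.9", "port": 80, "product": "ExampleHTTPD", "version": "2.4.30"},
    {"host": "10.0.0.9", "port": 3306, "product": "ExampleDB", "version": "5.7.0"},
]

# Constructed local vulnerability database (placeholder IDs).
VULN_DB = [
    {"id": "LOCAL-0001", "product": "ExampleSSH", "affected_min": "7.0.0",
     "fixed_in": "7.4.0", "summary": "authentication bypass"},
    {"id": "LOCAL-0002", "product": "ExampleHTTPD", "affected_min": "2.4.0",
     "fixed_in": "2.4.20", "summary": "remote code execution in a module"},
    {"id": "LOCAL-0003", "product": "ExampleHTTPD", "affected_min": "2.4.25",
     "fixed_in": None, "summary": "information disclosure, no fix released"},
    {"id": "LOCAL-0004", "product": "ExampleDB", "affected_min": "5.7.1",
     "fixed_in": "5.7.5", "summary": "privilege escalation"},
]


def analyze(discovered, vuln_db):
    """Return sorted (host, port, vuln_id) triples for every potential match.
    These are candidates to validate in the attack phase, not confirmed findings."""
    matches = []
    for service in discovered:
        for entry in vuln_db:
            if entry["product"] != service["product"]:
                continue
            if in_range(service["version"], entry["affected_min"], entry["fixed_in"]):
                matches.append((service["host"], service["port"], entry["id"]))
    return sorted(matches)


if __name__ == "__main__":
    for host, port, vuln_id in analyze(DISCOVERED, VULN_DB):
        print(host, port, vuln_id)
```

A version banner is only a claim about the software, so a match here is a reason to validate the vulnerability in the attack phase, not a confirmed finding; likewise a service with no match (the database entry above) may still be vulnerable to something the local database does not yet list, which is the false-negative limitation the text notes for automated scanners.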
Executing an attack is at the heart of any penetration test. Figure 5-2 represents the individual steps of the attack phase: the process of verifying previously identified potential vulnerabilities by attempting to exploit them. If an attack is successful, the vulnerability is verified and safeguards are identified to mitigate the associated security exposure. In many cases, exploits that are executed do not grant the maximum level of potential access to an attacker. They may instead result in the testers learning more about the targeted network and its potential vulnerabilities, or induce a change in the state of the targeted network's security. Some exploits enable testers to escalate their privileges on the system or network to gain access to additional resources. If this occurs, additional analysis and testing are required to determine the true level of risk for the network, such as identifying the types of information that can be gleaned, changed, or removed from the system. In the event an attack on a specific vulnerability proves impossible, the tester should attempt to exploit another discovered vulnerability. If testers are able to exploit a vulnerability, they can install more tools on the target system or network to facilitate the testing process. These tools are used to gain access to additional systems or resources on the network, and obtain access to information about the network or organization. Testing and analysis on multiple systems should be conducted during a penetration test to determine the level of access an adversary could gain. This process is represented in the feedback loop in Figure 5-1 between the attack and discovery phase of a penetration test.
Figure 5-2. Attack Phase Steps with Loopback to Discovery Phase (image not preserved in the extraction; the steps shown are Gaining Access, Escalating Privileges, System Browsing, and Install Additional Tools, with a loop back to the Discovery phase)
While vulnerability scanners check only for the possible existence of a vulnerability, the attack phase of a penetration test exploits the vulnerability to confirm its existence. Most vulnerabilities exploited by penetration testing fall into the following categories:
■ Misconfigurations. Misconfigured security settings, particularly insecure default settings, are usually easily exploitable.
■ Kernel Flaws. Kernel code is the core of an OS, and enforces the overall security model for the system, so any security flaw in the kernel puts the entire system in danger.
■ Buffer Overflows. A buffer overflow occurs when programs do not adequately check input for appropriate length. When this occurs, arbitrary code can be introduced into the system and … [remainder of this item missing from the extraction]
■ Insufficient Input Validation. Many applications fail to fully validate the input they receive from users. An example is a Web application that embeds a value from a user in a database query. If the user enters SQL commands instead of or in addition to the requested value, and the Web application does not filter the SQL commands, the query may be run with malicious changes that the user requested, causing what is known as a SQL injection attack.
■ Symbolic Links. A symbolic link (symlink) is a file that points to another file. Operating systems include programs that can change the permissions granted to a file. If these programs run with privileged permissions, a user could strategically create symlinks to trick these programs into modifying or listing critical system files.
■ File Descriptor Attacks. File descriptors are numbers used by the system to keep track of files in lieu of filenames. Specific types of file descriptors have implied uses. When a privileged program assigns an inappropriate file descriptor, it exposes that file to compromise.
■ Race Conditions. Race conditions can occur during the time a program or process has entered into a privileged mode. A user can time an attack to take advantage of elevated privileges while the program or process is still in the privileged mode.
■ Incorrect File and Directory Permissions. File and directory permissions control the access assigned to users and processes. Poor permissions could allow many types of attacks, including the reading or writing of password files or additions to the list of trusted remote hosts.
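The insufficient-input-validation category above is illustrated by the Web application that embeds a user-supplied value in a database query. The following added example (not from the publication) shows that lookup in its vulnerable form next to the parameterized form that a fix would use, against a constructed in-memory SQLite table so it runs offline.

```python
"""Insufficient input validation in a database lookup, as described above,
shown beside the parameterized form that prevents it. Added example using
Python's sqlite3 module with a constructed in-memory table."""
import sqlite3


def make_db():
    """Constructed sample data standing in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.test"),
        ("bob", "bob@example.test"),
        ("carol", "carol@example.test"),
    ])
    return conn


def lookup_vulnerable(conn, name):
    """Embeds the user-supplied value directly in the query text, so SQL
    syntax in the input changes the query's meaning (the flaw in the text)."""
    query = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Passes the value as a bound parameter: the database treats it as data
    only, whatever characters it contains."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # The classic test input: closes the string literal and appends a clause
    # that is always true, turning a one-row lookup into a full table dump.
    injected = "nobody' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, injected))
    print("safe:", lookup_safe(conn, injected))
```

In the attack phase a tester confirms this category of vulnerability by observing the difference in the two result sets; the mitigation is the parameterized query (together with server-side validation of the expected value format), not filtering of individual SQL keywords.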
The reporting phase occurs simultaneously with the other three phases of the penetration test (see Figure 5-1). In the planning phase, the assessment plan, or ROE, is developed. In the discovery and attack phases, written logs are usually kept and periodic reports are made to system administrators and/or management. At the conclusion of the test, a report is generally developed to describe identified vulnerabilities, present a risk rating, and give guidance on how to mitigate the discovered weaknesses. Section 8 discusses post-testing activities in more detail.
5.2.2 Penetration Testing Logistics
Penetration test scenarios should focus on locating and targeting exploitable defects in the design and implementation of an application, system, or network. Tests should reproduce both the most likely and most damaging attack patterns, including worst-case scenarios such as malicious actions by administrators. Since a penetration test scenario can be designed to simulate an inside attack, an outside attack, or both, external and internal security testing methods are considered. If both internal and external testing is to be performed, the external testing usually occurs first.
Outside scenarios simulate the outsider attacker who has little or no specific knowledge of the target and who works entirely from assumptions. To simulate an external attack, testers are provided with no real information about the target environment other than targeted IP addresses or address ranges, and perform open source research by collecting information on the targets from public Web pages…
…outside the network. Penetration testing is an iterative process that leverages minimal access to gain greater access. Insider scenarios simulate the actions of a malicious insider. An internal penetration test is similar to an external test, except that the testers are on the internal network (i.e., behind the firewall) and have been granted some level of access to the network or specific network systems. Using this access, the penetration testers try to gain a greater level of access to the network and its systems through privilege escalation. Testers are provided with network information that someone with their level of access would normally have, generally a standard employee, although depending on the goals of the test it could instead be the information that a system or network administrator might possess.
Penetration testing is important for determining the vulnerability of an organization's network and the level of damage that can occur if the network is compromised. It is important to be aware that depending on an organization's policies, testers may be prohibited from using particular tools or techniques, or may be limited to using them only during certain times of the day or days of the week. Penetration testing also poses a high risk to the organization's networks and systems because it uses real exploits and attacks against production systems and data. Because of its high cost and potential impact, penetration testing of an organization's network and systems on an annual basis may be sufficient. Also, penetration testing can be designed to stop when the tester reaches a point when an additional action will cause damage. The results of penetration testing should be taken seriously, and any vulnerabilities discovered should be mitigated. Results, when available, should be presented to the organization's managers. Organizations should consider conducting less labor-intensive testing activities on a regular basis to ensure that they are maintaining the required security posture. A well-designed program of regularly scheduled network and vulnerability scanning, interspersed with periodic penetration testing, can help prevent many types of attacks and reduce the potential impact of successful ones.
5.3 Social Engineering
Social engineering is an attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks. It is used to test the human element and user awareness of security, and can reveal weaknesses in user behavior, such as failing to follow standard procedures. Social engineering can be performed through many means, including analog (e.g., conversations conducted in person or over the telephone) and digital (e.g., e-mail, instant messaging). One form of digital social engineering is known as phishing, where attackers attempt to steal information such as credit card numbers, Social Security numbers, user IDs, and passwords. Phishing uses authentic-looking e-mails to request information or direct users to a bogus Web site to collect information. Other examples of digital social engineering include crafting fraudulent e-mails and sending attachments that could mimic worm activity.
Social engineering may be used to target specific high-value individuals or groups in the organization, such as executives, or may have a broad target set. Specific targets may be identified when the organization knows of an existing threat or feels that the loss of information from a person or specific group of persons could have a significant impact. For example, phishing attacks can be targeted based on publicly available information about specific individuals (e.g., titles, areas of interest). Individual targeting can lead to embarrassment for those individuals if testers successfully elicit information or gain access. It is important that the results of social engineering testing are used to improve the security of the organization and not to single out individuals. Testers should produce a detailed final report that identifies both successful and unsuccessful tactics used. This level of detail will help organizations to tailor their security awareness…