Featuring 53 Papers as of January 30, 2017
Attack and Defend: Linux Privilege Escalation Techniques of 2016 STI Graduate Student Research
by Michael Long II - January 30, 2017
Recent kernel exploits such as Dirty COW show that despite continuous improvements in Linux security, privilege escalation vectors are still in widespread use and remain a problem for the Linux community. Linux system administrators are generally cognizant of the importance of hardening their Linux systems against privilege escalation attacks; however, they often lack the knowledge, skill, and resources to effectively safeguard their systems against such threats. This paper will examine Linux privilege escalation techniques used throughout 2016 in detail, highlighting how these techniques work and how adversaries are using them. Additionally, this paper will offer remediation procedures in order to inform system administrators on methods to mitigate the impact of Linux privilege escalation attacks.
Triaging the Enterprise for Application Security Assessments STI Graduate Student Research
by Stephen Deck - November 4, 2016
Conducting a full array of security tests on all applications in an enterprise may be infeasible due to both time and cost. According to the Center for Internet Security, the purpose of application specific and penetration testing is to discover previously unknown vulnerabilities and security gaps within the enterprise. These activities are only warranted after an organization attains significant security maturity, which results in a large backlog of systems that need testing. When organizations finally undertake the efforts of penetration testing and application security, it can be difficult to choose where to begin. Computing environments are often filled with hundreds or thousands of different systems to test and each test can be long and costly. At this point in the testing process, little information is available about an application beyond the computers involved, the owners, data classification, and the extent to which the system is exposed. With so few variables, many systems are likely to have equal priority. This paper suggests a battery of technical checks that testers can quickly perform to stratify the vast array of applications that exist in the enterprise ecosystem. This process allows the security team to focus efforts on the riskiest systems first.
In but not Out: Protecting Confidentiality during Penetration Testing STI Graduate Student Research
by Andrew Andrasik - August 22, 2016
Penetration testing is imperative for organizations committed to security. However, independent penetration testers are rarely greeted with open arms when initiating an assessment. As firms implement the Critical Security Controls or the Risk Management Framework, independent penetration testing will likely become standard practice as opposed to supplemental exercises. Ethical hacking is a common tactic to view a company’s network from an attacker’s perspective, but inviting external personnel into a network may increase risk. Penetration testers strive to gain superuser privileges wherever possible and utilize thousands of open-source tools and scripts, many of which do not originate from validated sources. Penetration testers may gain access to all compartmented sections of a network and document how to repeat successful exploits while saving restricted data to their laptops. This paper illustrates secure Tactics, Techniques, and Procedures (TTPs) to enable ethical hackers to complete their tests within scope while reducing managerial stress regarding confidentiality. A properly conducted independent penetration test should provide essential intelligence about a network without jeopardizing the confidentiality of proprietary data.
Using Sulley to Protocol Fuzz for Linux Software Vulnerabilities STI Graduate Student Research
by Aron Warren - April 25, 2016
Fuzzers are useful for discovering vulnerabilities in software services. Sulley is a common fuzzer with an ability to fuzz network protocols. This paper will describe the process for using Sulley to fuzz for a vulnerability in an implementation of the unencrypted telnet protocol. Specifically, Sulley will be used to detect the vulnerability that was found in CVE-2011-4862 implemented on the RedHat Enterprise Linux 3 distribution.
Intrusion Detection and Prevention Systems Cheat Sheet: Choosing the Best Solution, Common Misconfigurations, Evasion Techniques, and Recommendations. STI Graduate Student Research
by Phillip Bosco - January 25, 2016
There are many decisions a company must make while choosing an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) for their infrastructure. Pricing questions will arise to determine if it will fit into their budget.
Testing stateful web application workflows by András Veres-Szentkirályi - January 14, 2016
When technology made it possible for web servers to return dynamic content, web applications started out simple. As the development of more and more applications shifted from desktop operating systems to the web, complexity grew.
Clickbait: Owning SSL via Heartbleed, POODLE, and Superfish STI Graduate Student Research
by Matthew Toussain - December 23, 2015
SSL is dead. Security researchers have now broken nearly every method of implementing the Secure Socket Layer (SSL). Unfortunately, the Internet is struggling to catch up to the new world order. SSL version 3.0 is still supported by 31.5% of public web servers (Kario, 2015). As a result, attackers can gain access to key confidential information.
Web Application File Upload Vulnerabilities STI Graduate Student Research
by Matthew Koch - December 7, 2015
File upload vulnerabilities are a devastating category of web application vulnerabilities. Without secure coding and configuration an attacker can quickly compromise an affected system. This paper will discuss types of file upload vulnerabilities, how to discover, exploit, and maintain persistence using upload vulnerabilities.
Cloud Assessment Survival Guide STI Graduate Student Research
by Edward Zamora - November 10, 2015
The time has come where the society at large is living in the cloud. Many have questioned the security of information in the cloud and many have been told that information is safe there. But how can one be sure that information is indeed safe in the cloud? In this day and age where there is an increased dependence on such complex technology as cloud systems, there are needs for methodologies to test cloud deployments. For organizations that have or seek to implement cloud technology in their environment, this paper will present a brief background on cloud technology and a methodology for assessing the security of their cloud implementation based on penetration testing principles.
Tunneling, Pivoting, and Web Application Penetration Testing STI Graduate Student Research
by Gordon Fraser - August 3, 2015
When conducting a web application penetration test, there are times when you want to be able to pivot through a system to which you have gained access to other systems in order to continue testing. There are many channels that can be used as avenues for pivoting. This paper examines five commonly used channels for pivoting: Netcat relays, SSH local port forwarding, SSH dynamic port forwarding (SOCKS proxy), Meterpreter sessions, and Ncat HTTP proxy, within the context of using them with key tools in the penetration tester’s arsenal, including Nmap, the Burp Suite, w3af, Nikto, Iceweasel, and Metasploit.
Automated Security Testing of Oracle Forms Applications by Balint Varga-Perke - May 26, 2015
To keep up with the increasing rate of web application attacks (Imperva, 2014) a wide variety of automated security testing tools have been developed (OWASP, 2014).
Powercat by Mick Douglas - March 4, 2015
Powercat started as a proof-of-concept tool that I initially developed.
Penetration Testing: Alternative to Password Cracking by Maxim Catanoi - February 2, 2015
Penetration testing success directly depends on the skills, knowledge and resources available to each member of the penetration testing team (Wilhelm).
AIX for penetration testers by Zoltan Panczel - January 8, 2015
AIX (Advanced Interactive eXecutive) is a series of UNIX operating systems developed by IBM. AIX is based on System V UNIX with 4.2 BSD extensions. Nowadays it supports only RISC based machines. The operating system is widely used by banks, governments, hospitals and power plants.
H.O.T. | Security by Luis Rocha - August 21, 2014
The information security industry will continue to grow in size, density and specialization (Tipton, 2010). The demand for qualified security professionals who possess relevant knowledge and required skills is growing and will increase substantially (Miller, 2012) (Suby, 2013).
iPwn Apps: Pentesting iOS Applications by Adam Kliarsky - May 12, 2014
Mobile device usage in both personal and professional environments continues to grow.
Introduction to the OWASP Mutillidae II Web Pen-Test Training Environment by Jeremy Druin - October 22, 2013
Web application security has become increasingly important to organizations.
Implementing Redmine for Secure Project Management STI Graduate Student Research
by Russ McRee - March 12, 2013
One of the core tenets of a good project management practice is the safekeeping of project information in a readily available, secure resource.
Exploiting Embedded Devices by Neil Jones - October 25, 2012
The majority of routers operate using a form of embedded Linux OS. This is an advantage to the majority of penetration testers as Linux is likely to be a familiar platform to work with; however the distributions that routers tend to run are very optimised, and as such the entire firmware for a router is generally only a few Megabytes in size.
Exploiting Financial Information Exchange (FIX) Protocol? by Darren DeMarco - July 3, 2012
The FIX Protocol website defines The Financial Information eXchange ("FIX") Protocol as “a series of messaging specifications for the electronic communication of trade-related messages” (FIX Protocol Ltd, 2012).
Penetration Testing Of A Web Application Using Dangerous HTTP Methods by Issac Kim - May 22, 2012
HTTP methods are functions that a web server provides to process a request. For example, the "GET" method is used to retrieve the web page from the server.
Post Exploitation using Metasploit pivot & port forward by David Dodd - March 29, 2012
The Metasploit Project is an open-source, computer security project which provides information about security vulnerabilities that assist in performing a penetration test.
iPhone Backup Files. A Penetration Tester's Treasure by Darren Manners - February 7, 2012
One of the noticeable changes in recent technology history is the emergence of the smart phone. Technological advances in these fields have created devices that have almost the equivalent power and functionality of desktop computers.
OS fingerprinting with IPv6 by Christoph Eckstein - September 21, 2011
In real life, human fingerprints are used as a method of identification. To date, no two fingerprints have been found to be alike; hence fingerprints are an excellent way to positively identify a person beyond reasonable doubt.
Mass SQL Injection for Malware Distribution by Larry Wichman - April 20, 2011
Cybercriminals have made alarming improvements to their infrastructure over the last few years. One reason for this expansion is thousands of websites vulnerable to SQL injection. Malicious code writers have exploited these vulnerabilities to distribute malware.
Using Windows Script Host and COM to Hack Windows by Alex Ginos - January 3, 2011
During the exploitation phase of penetration testing, the attacker may establish a “beachhead” on a target machine by running an exploit against a vulnerable network service. Often this results in a command prompt. At this point, the question becomes: “How can the command line be used to advantage to access sensitive information, escalate privileges and find and attack other hosts?” There are numerous useful hacking tools that can help with this but initially they are unlikely to be present on the compromised system. The attacker needs to bootstrap the process of further discovery and exploitation using only the limited tools and privileges available at the command prompt. In some cases, it may be necessary to evade detection by avoiding suspicious executables that may be flagged by anti-malware software running on the target. This paper explores the possibilities of using command line scripting tools and software components that are likely to be present on most Microsoft Windows systems to facilitate penetration testing.
About Face: Defending Your Organization Against Penetration Testing Teams STI Graduate Student Research
by Terrence OConnor - December 6, 2010
In the following paper, we outline several methods for obscuring your network from attack during an external penetration test. Understanding how a penetration testing team performs a test and the tools in their arsenal is essential to defense. The penetration testing cycle is described in the next section. Following that, we discuss defeating recon and enumeration efforts, how to exhaust the penetration testing team’s time and effort, how to properly scrub outbound and inbound traffic, and finally, we present some obscure methods for preventing a successful penetration test.
Client Fingerprinting via Analysis of Browser Scripting Environment by Mark Fioravanti - September 22, 2010
During a Web Application Penetration Test, it is important to test the security of the clients that are interacting with the application. Although not all Web Application Penetration Testing engagements include this activity, when it is performed it is essential to properly identify the client that is being exploited. Beyond simply identifying the browser, it is also important to identify the operating system (O/S) before attempting to manipulate or exploit the client. An accurate assessment of the characteristics of the client allows for the execution of optimized scripts and/or executing a few exploits instead of executing all of the available exploits and hoping the client does not notice or crash.
Bypassing Malware Defenses by Morton Christiansen - June 3, 2010
Western societies increasingly rely upon information as the foundation for their social, political, financial and military success. Much of this information is transmitted through the Internet, or is handled in intranets using the Internet protocols. Often these internal networks even engage in some sort of (in)direct communication with the Internet itself. Examples of such mostly internal systems include Supervisory Control and Data Acquisition (SCADA) at times controlling nuclear reactors, civil defense sirens and air traffic control or the electricity/water/oil supply for entire nations. Other examples of sensitive internal systems include databases of large banks, of the police and of the military containing financial or intelligence information.
Writing a Penetration Testing Report by Mansour Alharbi - April 29, 2010
A lot of currently available penetration testing resources lack a report writing methodology and approach, which leads to a very big gap in the penetration testing cycle. A report, by definition, is a statement of the results of an investigation or of any matter on which definite information is required (Oxford English Dictionary). A penetration test is useless without something tangible to give to a client or executive officer. A report should detail the outcome of the test and, if you are making recommendations, document the recommendations to secure any high-risk systems (Whitaker & Newman, 2005). Report writing is a crucial part of any service provider's work, especially for IT service and advisory providers. In pen-testing the final result is a report that shows the services provided, the methodology adopted, as well as testing results and recommendations. As one of the project managers at a major electronics firm said, "We don't actually manufacture anything. Most of the time, the tangible products of this department [engineering] are reports." There is an old saying in the consulting business: “If you do not document it, it did not happen.” (Smith, LeBlanc & Lam, 2004)
Solution Architecture for Cyber Deterrence by Thomas Mowbray - April 29, 2010
The mission of cyber deterrence is to prevent an enemy from conducting future attacks by changing their minds, by attacking their technology, or by more palpable means. This definition is derived from influential policy papers including Libicki (2009), Beidleman (2009), Alexander (2007), and Kugler (2009). The goal of cyber deterrence is to deny enemies “freedom of action in cyberspace” (Alexander, 2007). In response to a cyber attack, retaliation is possible, but is not limited to the cyber domain. For example, in the late 90’s the Russian government declared that it could respond to a cyber attack with any of its strategic weapons, including nuclear (Libicki, 2009). McAfee estimates that about 120 countries are using the Internet for state-sponsored information operations, primarily espionage (McAfee, 2009).
Identifying Load Balancers in Penetration Testing by Curt Shaffer - March 9, 2010
More and more applications are moving to a web-based platform because there is a need to have applications that can run on multiple platforms without the need to write different code for each. People are using different operating systems and CPU architectures such as 32 or 64 bit. Being able to write code one time to support all of these platforms is invaluable. Businesses are becoming more reliant on their web presence to offer 24-hour access to their services and goods. Thus, it is becoming more important that these applications are highly available. Over the past several years companies have dedicated substantial resources to achieve this flexibility and to use the increased ability to become more productive. One of the first methods used to achieve this was to use DNS load balancing. Using DNS to achieve redundancy is probably the easiest way to give an appearance of load balancing. It then became apparent that a better way to load balance was needed because this method has some serious limitations. The major limitation to this type of load balancing was that the DNS servers do not know if a host that a resource record points to is up and ready to receive requests or not. If someone attempts to connect to a server in this case, the request will not be successful, giving the user an error or not responding properly. Another issue with this is that DNS servers tend to cache requests. If a person’s DNS server has cached the record of the server that is down, the request will again fail.
Penetration Testing in the Financial Services Industry by Christopher Olson - March 9, 2010
The financial services industry is under attack from numerous and significant cybercriminal threats. Recent breach data numbers reveal that hackers have successfully compromised many financial institutions, with the trend being that more records containing personally identifiable information (PII) are being stolen each year. In many cases where systems were breached, the method of compromise was attributed to simple errors that gave rise to significant vulnerability. Given the ever-present competitive pressure and the current economic strain to operate more efficiently, banks are allocating resources with added care and may miss the opportunity to rally and mitigate existing deficiencies in basic operational and process controls. In lieu of allocating resources to implement appropriate preventative controls, penetration testing is one alternative detective control that can highlight areas of risk created when overburdened system administrators inadvertently create vulnerabilities.
Pass-the-hash attacks: Tools and Mitigation by Bashar Ewaida - February 23, 2010
Passwords are the most commonly used security tool in the world today (Skoudis & Liston, 2006). Strong passwords are the single most important aspect of information security, and weak passwords are the single greatest failure (Burnett, 2006). Password attacks, such as password guessing or password cracking, are time-consuming attacks. Tools that make use of precomputed hashes greatly reduce the time needed to obtain passwords. However, there is a storage cost and time consumption related to the generation of those precomputed tables; this is especially true if the algorithm used to generate these hashes is relatively strong, and the passwords are complex and long (greater than 10 characters). In a pass-the-hash attack, the goal is to use the hash directly without cracking it, which makes time-consuming password attacks less necessary.
A Taste of Scapy by Judy Novak - December 24, 2009
Have you ever envisioned that there may be an easy way to craft a TCP session beginning with the TCP three-way handshake so that you can emulate a client side of a TCP connection?
Why Crack When You Can Pass the Hash? by Christopher Hummel - November 3, 2009
While the concept of passing a Windows password hash has been around for some time, the release of publicly available tools has taken the first major step towards harnessing the true power of this attack. Although such tools have not yet targeted Microsoft’s implementation of Kerberos, all organizations are strongly encouraged to move towards pure Kerberos deployments in preparation for PKI integration. The evolving nature of this attack puts pressure on the validity of passwords as an identifier, thus requiring organizations to use an alternate credential form such as digital certificates.
A Fuzzing Approach to Credentials Discovery using Burp Intruder by Karl Dawson - October 29, 2009
This paper gives a general overview of the components of Burp that are used to crack a password. This is followed by an analysis of usernames, a step that is often overlooked in the rush to crack a password.
Scanning Windows Deeper With the Nmap Scanning Engine by Ron Bowes - June 22, 2009
This paper will look at how SMB and Microsoft RPC services work, how the Nmap scripts take advantage of the services, what checks the scripts are able to do, and what can be done to prevent them.
Stack Based Overflows: Detect & Exploit by Morton Christiansen - November 6, 2007
Buffer overflows remain some of the most serious and widespread vulnerabilities that exist, often giving an attacker complete control over the compromised system. Thus, in depth knowledge of how these vulnerabilities and exploits work is of utmost importance to penetration testers and incident handlers. This report provides the reader with a basic understanding of how stack based overflows work in practice. This is illustrated, while at the same time uncovering new vulnerabilities in the latest version of Windows XP.
Penetration Testing: Assessing Your Overall Security Before Attackers Do Analyst Paper
by Stephen Northcutt, Jerry Shenk, Dave Shackleford, Tim Rosenberg, Raul Siles, Steve Mancini - November 17, 2006
- Sponsored By: Core Security Technologies
CORE IMPACT provides a stable, quality-assured testing tool that can be used to accurately assess systems by penetrating existing vulnerabilities.
War Dialing by Michael Gunn - June 22, 2006
This paper will give the reader general information on war dialing, war dialing tools and general steps you can take to protect your network from unwanted intruders who may try to gain access to your network via unauthorized or poorly managed modems.
Penetration Testing: The Third Party Hacker by Pieter Danhieux - May 17, 2006
This paper is intended to help managers decide on a penetration testing firm by providing them with some essential points of attention and critical questions to ask the prospective service providers.
An Overview of Remote Operating System Fingerprinting by Chris Trowbridge - October 31, 2003
This paper presents an overview of the various approaches to OS fingerprinting, some current tools available on the Internet together with their features, the underlying techniques they use, and suggestions for defeating these tools.
Battle for the Internet: The War is On! by Kevin Owens - June 3, 2003
There is a battle raging between security professionals and hackers. By placing people into the shoes of a hacker, and teaching them the skills to gain access to a system, one is better able to defend against them.
Penetration Studies - A Technical Overview by Timothy Layton - May 30, 2002
This paper builds on Jessica Lowery's research paper, Penetration Testing: The Third Party Hacker, by drilling down on some of the most common tools and applications used to perform penetration tests. This paper is divided into two parts: "Tools of the Trade" that identifies various tools for penetration testing and the second part is the technical breakdown and "how-to" of reconnaissance, scanning, and vulnerability testing.
Penetration 101 - Introduction to becoming a Penetration Tester by Dave Burrows - May 9, 2002
The purpose of this paper is to give you a brief and basic overview of what to look for when starting out in penetration testing and of how to build up an internal penetration test kit to aid you in performing both internal and external penetration tests on your company network. It also aims to make you aware of the problems with new network technology, like wireless networks and remote access devices, that can circumvent network perimeter security devices like firewalls and IDS.
Penetration Testing - Is it right for you? by Jimmy Braden - March 20, 2002
This paper will review the steps involved in preparing for and performing a penetration test.
A Model for Peer Vulnerability Assessment by Patricia Payne - December 17, 2001
This paper proposes a model for ongoing assessment to be performed by the system administrators that includes testing and assessment in a non-threatening environment that provides added value of education for those performing the assessments.
Finding dsniff on Your Network by Richard Duffy - November 28, 2001
This paper covers some ways to detect dsniff and two of its utilities, arpspoof and macof, on a network.
Instruments of the Information Security Trade by Mark Graff - November 27, 2001
This paper examines how penetration testing, if done properly, will benefit your organization's information security.
Security Life Cycle - 1. DIY Assessment by Lee Wai - November 13, 2001
This paper describes a simplified and comprehensive way to accomplish vulnerability assessment, one phase of the Security Life Cycle.
Guidelines for Developing Penetration Rules of Behavior by Nancy Simpson - August 14, 2001
This paper examines how, if planned and executed appropriately, penetration testing can be a very useful tool for determining the current security posture of an organization.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact firstname.lastname@example.org.
All papers are copyrighted. No re-posting or distribution of papers is permitted.