
Reading Room


Penetration Testing

Featuring 38 Papers as of June 26, 2014


  • Web Application Penetration Testing for PCI (Masters) by Michael Hoehl - June 26, 2014

    The Verizon 2014 Data Breach Investigations Report reported 3,937 total web application related incidents, with 490 confirmed unauthorized data disclosures (Verizon, 2014).

  • iPwn Apps: Pentesting iOS Applications by Adam Kliarsky - May 12, 2014 

    The growth of mobile device usage in both personal and professional environments continues to grow.

  • Introduction to the OWASP Mutillidae II Web Pen-Test Training Environment by Jeremy Druin - October 22, 2013 

    Web application security has become increasingly important to organizations.

  • Implementing Redmine for Secure Project Management (Masters) by Russ McRee - March 12, 2013

    One of the core tenets of a good project management practice is the safekeeping of project information in a readily available, secure resource.

  • Exploiting Embedded Devices by Neil Jones - October 25, 2012 

    The majority of routers operate using a form of embedded Linux OS. This is an advantage to the majority of penetration testers as Linux is likely to be a familiar platform to work with; however the distributions that routers tend to run are very optimised, and as such the entire firmware for a router is generally only a few Megabytes in size.

  • Exploiting Financial Information Exchange (FIX) Protocol? by Darren DeMarco - July 3, 2012 

    The FIX Protocol website defines The Financial Information eXchange ("FIX") Protocol as a series of messaging specifications for the electronic communication of trade-related messages (FIX Protocol Ltd, 2012).

  • Penetration Testing Of A Web Application Using Dangerous HTTP Methods by Issac Kim - May 22, 2012 

    HTTP methods are functions that a web server provides to process a request. For example, the "GET" method is used to retrieve the web page from the server.

  • Post Exploitation using Metasploit pivot & port forward by David Dodd - March 29, 2012 

    The Metasploit Project is an open-source, computer security project which provides information about security vulnerabilities that assist in performing a penetration test.

  • iPhone Backup Files. A Penetration Tester's Treasure by Darren Manners - February 7, 2012 

    One of the noticeable changes in recent technology history is the emergence of the smart phone. Technological advances in these fields have created devices that have almost the equivalent power and functionality of desktop computers.

  • OS fingerprinting with IPv6 by Christoph Eckstein - September 21, 2011 

    In real life human fingerprints are used as a method of identification. As of today no two fingerprints have been found to be alike, hence fingerprints are an excellent way to positively identify a person beyond reasonable doubt.

  • Mass SQL Injection for Malware Distribution by Larry Wichman - April 20, 2011 

    Cybercriminals have made alarming improvements to their infrastructure over the last few years. One reason for this expansion is thousands of websites vulnerable to SQL injection. Malicious code writers have exploited these vulnerabilities to distribute malware.

  • Using Windows Script Host and COM to Hack Windows by Alex Ginos - January 3, 2011 

    During the exploitation phase of penetration testing, the attacker may establish a beachhead on a target machine by running an exploit against a vulnerable network service. Often this results in a command prompt. At this point, the question becomes: How can the command line be used to advantage to access sensitive information, escalate privileges and find and attack other hosts? There are numerous useful hacking tools that can help with this but initially they are unlikely to be present on the compromised system. The attacker needs to bootstrap the process of further discovery and exploitation using only the limited tools and privileges available at the command prompt. In some cases, it may be necessary to evade detection by avoiding suspicious executables that may be flagged by anti-malware software running on the target. This paper explores the possibilities of using command line scripting tools and software components that are likely to be present on most Microsoft Windows systems to facilitate penetration testing.

  • About Face: Defending Your Organization Against Penetration Testing Teams (Masters) by Terrence OConnor - December 6, 2010

    In the following paper, we outline several methods for obscuring your network from attack during an external penetration test. Understanding how a penetration testing team performs a test and the tools in their arsenal is essential to defense. The penetration testing cycle is described in the next section. Following that, we discuss defeating recon and enumeration efforts, how to exhaust the penetration testing team's time and effort, how to properly scrub outbound and inbound traffic, and finally, we present some obscure methods for preventing a successful penetration test.

  • Client Fingerprinting via Analysis of Browser Scripting Environment by Mark Fioravanti - September 22, 2010 

    During a Web Application Penetration Test, it is important to test the security of the clients that are interacting with the application. Although not all Web Application Penetration Testing engagements include this activity, when it is performed it is essential to properly identify the client that is being exploited. Beyond simply identifying the browser, it is also important to identify the operating system (O/S) before attempting to manipulate or exploit the client. An accurate assessment of the characteristics of the client allows for the execution of optimized scripts and/or executing a few exploits instead of executing all of the available exploits and hoping the client does not notice or crash.

  • Bypassing Malware Defenses by Morton Christiansen - June 3, 2010 

    Western societies increasingly rely upon information as the foundation for their social, political, financial and military success. Much of this information is transmitted through the Internet, or is handled in intranets using the Internet protocols. Often these internal networks even engage in some sort of (in)direct communication with the Internet itself. Examples of such mostly internal systems include Supervisory Control and Data Acquisition (SCADA) at times controlling nuclear reactors, civil defense sirens and air traffic control or the electricity/water/oil supply for entire nations. Other examples of sensitive internal systems include databases of large banks, of the police and of the military containing financial or intelligence information.

  • Writing a Penetration Testing Report by Mansour Alharbi - April 29, 2010 

    A lot of currently available penetration testing resources lack report writing methodology and approach, which leads to a very big gap in the penetration testing cycle. A report, by definition, is a statement of the results of an investigation or of any matter on which definite information is required (Oxford English Dictionary). A penetration test is useless without something tangible to give to a client or executive officer. A report should detail the outcome of the test and, if you are making recommendations, document the recommendations to secure any high-risk systems (Whitaker & Newman, 2005). Report writing is a crucial part for any service provider, especially IT service/advisory providers. In pen-testing the final result is a report that shows the services provided, the methodology adopted, as well as testing results and recommendations. As one of the project managers at a major electronics firm said, "We don't actually manufacture anything. Most of the time, the tangible products of this department [engineering] are reports." There is an old saying in the consulting business: If you do not document it, it did not happen. (Smith, LeBlanc & Lam, 2004)

  • Solution Architecture for Cyber Deterrence by Thomas Mowbray - April 29, 2010 

    The mission of cyber deterrence is to prevent an enemy from conducting future attacks by changing their minds, by attacking their technology, or by more palpable means. This definition is derived from influential policy papers including Libicki (2009), Beidleman (2009), Alexander (2007), and Kugler (2009). The goal of cyber deterrence is to deny enemies freedom of action in cyberspace (Alexander, 2007). In response to a cyber attack, retaliation is possible, but is not limited to the cyber domain. For example, in the late 90s the Russian government declared that it could respond to a cyber attack with any of its strategic weapons, including nuclear (Libicki, 2009). McAfee estimates that about 120 countries are using the Internet for state-sponsored information operations, primarily espionage (McAfee, 2009).

  • Identifying Load Balancers in Penetration Testing by Curt Shaffer - March 9, 2010 

    More and more applications are moving to a web-based platform because there is a need to have applications that can run on multiple platforms without the need to write different code for each. People are using different operating systems and CPU architectures such as 32 or 64 bit. Being able to write code one time to support all of these platforms is invaluable. Businesses are becoming more reliant on their web presence to offer 24-hour access to their services and goods. Thus, it is becoming more important that these applications are highly available. Over the past several years companies have dedicated substantial resources to achieve this flexibility and to use the increased ability to become more productive. One of the first methods used to achieve this was to use DNS load balancing. Using DNS to achieve redundancy is probably the easiest way to give an appearance of load balancing. It then became apparent that a better way to load balance was needed because this method has some serious limitations. The major limitation to this type of load balancing was that the DNS servers do not know if a host that a resource record points to is up and ready to receive requests or not. If someone attempts to connect to a server in this case, the request will not be successful, giving the user an error or not responding properly. Another issue with this is that DNS servers tend to cache requests. If a person's DNS server has cached the record of the server that is down, the request will again fail.

  • Penetration Testing in the Financial Services Industry by Christopher Olson - March 9, 2010 

    The financial services industry is under attack from numerous and significant cybercriminal threats. Recent breach data numbers reveal that hackers have successfully compromised many financial institutions with the trend being that more records containing personally identifiable information (PII) are being stolen each year. In many cases where systems were breached the method of compromise was attributed to simple errors that gave rise to significant vulnerability. Given the ever present competitive pressure and the current economic strain to operate more efficiently banks are allocating resources with added care and may miss the opportunity to rally and mitigate existing deficiencies in basic operational and process controls. In lieu of allocating resources to implement appropriate preventative controls, penetration testing is one alternative detective control that can highlight areas of risk created when overburdened system administrators inadvertently create vulnerabilities.

  • Pass-the-hash attacks: Tools and Mitigation by Bashar Ewaida - February 23, 2010 

    Passwords are the most commonly used security tool in the world today (Skoudis & Liston, 2006). Strong passwords are the single most important aspect of information security, and weak passwords are the single greatest failure (Burnett, 2006). Password attacks, such as password guessing or password cracking, are time-consuming attacks. Tools that make use of precomputed hashes reduce the time needed to obtain passwords greatly. However, there is storage cost and time consumption related to the generation of those precompiled tables; this is especially true if the algorithm used to generate these passwords is relatively strong, and the passwords are complex and long (greater than 10 characters). In a pass-the-hash attack, the goal is to use the hash directly without cracking it; this makes time-consuming password attacks less needed.

  • A Taste of Scapy by Judy Novak - December 24, 2009 

    Have you ever envisioned that there may be an easy way to craft a TCP session beginning with the TCP three-way handshake so that you can emulate a client side of a TCP connection?

  • Why Crack When You Can Pass the Hash? by Christopher Hummel - November 3, 2009 

    While the concept of passing a Windows password hash has been around for some time, the release of publicly available tools has taken the first major step towards harnessing the true power of this attack. Although such tools have not yet targeted Microsoft's implementation of Kerberos, all organizations are strongly encouraged to move towards pure Kerberos deployments in preparation for PKI integration. The evolving nature of this attack puts under pressure the issue of passwords as a valid identifier, thus requiring organizations to use an alternate credential form such as digital certificates.

  • A Fuzzing Approach to Credentials Discovery using Burp Intruder by Karl Dawson - October 29, 2009 

    A general overview of the components of Burp that are used to crack a password. This is followed by an analysis of usernames; a step that is often overlooked in the rush to crack a password.

  • Scanning Windows Deeper With the Nmap Scanning Engine by Ron Bowes - June 22, 2009 

    This paper will look at how SMB and Microsoft RPC services work, how the Nmap scripts take advantage of the services, what checks the scripts are able to do, and what can be done to prevent them.

  • Stack Based Overflows: Detect & Exploit by Morton Christiansen - November 6, 2007 

    Buffer overflows remain some of the most serious and widespread vulnerabilities that exist, often giving an attacker complete control over the compromised system. Thus, in depth knowledge of how these vulnerabilities and exploits work is of utmost importance to penetration testers and incident handlers. This report provides the reader with a basic understanding of how stack based overflows work in practice. This is illustrated, while at the same time uncovering new vulnerabilities in the latest version of Windows XP.

  • Penetration Testing: Assessing Your Overall Security Before Attackers Do (Analyst Paper) by Stephen Northcutt, Jerry Shenk, Dave Shackleford, Tim Rosenberg, Raul Sile, Steve Mancini - November 17, 2006

    CORE IMPACT provides a stable, quality-assured testing tool that can be used to accurately assess systems by penetrating existing vulnerabilities.

  • War Dialing by Michael Gunn - June 22, 2006 

    This paper will give the reader general information on war dialing, war dialing tools and general steps you can take to protect your network from unwanted intruders who may try to gain access to your network via unauthorized or poorly managed modems.

  • Penetration Testing: The Third Party Hacker by Pieter Danhieux - May 17, 2006 

    This paper is intended to help managers decide on a penetration testing firm by providing them with some essential points of attention and critical questions to ask the prospective service providers.

  • An Overview of Remote Operating System Fingerprinting by Chris Trowbridge - October 31, 2003 

    This paper presents an overview of the various approaches to OS fingerprinting, some current tools available on the Internet together with their features, the underlying techniques they use, and suggestions for defeating these tools.

  • Battle for the Internet: The War is On! by Kevin Owens - June 3, 2003 

    There is a battle raging between security professionals and hackers. By placing people into the shoes of a hacker, and teaching them the skills to gain access to a system, one is better able to defend against them.

  • Penetration Studies - A Technical Overview by Timothy Layton - May 30, 2002 

    This paper builds on Jessica Lowery's research paper, Penetration Testing: The Third Party Hacker, by drilling down on some of the most common tools and applications used to perform penetration tests. This paper is divided into two parts: "Tools of the Trade" that identifies various tools for penetration testing and the second part is the technical breakdown and "how-to" of reconnaissance, scanning, and vulnerability testing.

  • Penetration 101 - Introduction to becoming a Penetration Tester by Dave Burrows - May 9, 2002 

    The purpose of this paper is to give you a brief and basic overview of what to look for when starting out in penetration testing and to build up an internal penetration test kit to aid you in performing both internal and external penetration tests on your company network. To also make you aware of the problems with new network technology like wireless networks, and remote access devices that can circumvent network perimeter security devices like firewalls and IDS.

  • Penetration Testing - Is it right for you? by Jimmy Braden - March 20, 2002 

    This paper will review the steps involved in preparing for and performing a penetration test.

  • A Model for Peer Vulnerability Assessment by Patricia Payne - December 17, 2001 

    This paper proposes a model for ongoing assessment to be performed by the system administrators that includes testing and assessment in a non-threatening environment that provides added value of education for those performing the assessments.

  • Finding dsniff on Your Network by Richard Duffy - November 28, 2001 

    This paper covers some ways to detect dsniff and two of its utilities, arpspoof and macof, on a network.

  • Instruments of the Information Security Trade by Mark Graff - November 27, 2001 

    This paper examines how penetration testing, if done properly, will benefit your organization's information security.

  • Security Life Cycle - 1. DIY Assessment by Lee Wai - November 13, 2001 

    This paper describes a simplified and comprehensive way to accomplish vulnerability assessment, one phase of the Security Life Cycle.

  • Guidelines for Developing Penetration Rules of Behavior by Nancy Simpson - August 14, 2001 

    This paper examines how, if planned and executed appropriately, penetration testing can be a very useful tool for determining the current security posture of an organization.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

Masters - This paper was created by a SANS Technology Institute student as part of their Master's curriculum.