Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact firstname.lastname@example.org.
The majority of routers operate using a form of embedded Linux OS. This is an advantage to the majority of penetration testers, as Linux is likely to be a familiar platform to work with; however, the distributions that routers tend to run are very optimised, and as such the entire firmware for a router is generally only a few megabytes in size.
The FIX Protocol website defines The Financial Information eXchange ("FIX") Protocol as “a series of messaging specifications for the electronic communication of trade-related messages” (FIX Protocol Ltd, 2012).
One of the noticeable changes in recent technology history is the emergence of the smart phone. Technological advances in these fields have created devices that have almost the equivalent power and functionality of desktop computers.
By: Christoph Eckstein (posted on September 21, 2011)
In real life, human fingerprints are used as a method of identification. As of today, no two fingerprints have been found to be alike; hence fingerprints are an excellent way to positively identify a person beyond reasonable doubt.
Cybercriminals have made alarming improvements to their infrastructure over the last few years. One reason for this expansion is thousands of websites vulnerable to SQL injection. Malicious code writers have exploited these vulnerabilities to distribute malware.
During the exploitation phase of penetration testing, the attacker may establish a “beachhead” on a target machine by running an exploit against a vulnerable network service. Often this results in a command prompt. At this point, the question becomes: “How can the command line be used to advantage to access sensitive information, escalate privileges and find and attack other hosts?” There are numerous useful hacking tools that can help with this but initially they are unlikely to be present on the compromised system. The attacker needs to bootstrap the process of further discovery and exploitation using only the limited tools and privileges available at the command prompt. In some cases, it may be necessary to evade detection by avoiding suspicious executables that may be flagged by anti-malware software running on the target. This paper explores the possibilities of using command line scripting tools and software components that are likely to be present on most Microsoft Windows systems to facilitate penetration testing.
By: Terrence OConnor (posted on December 6, 2010)
In the following paper, we outline several methods for obscuring your network from attack during an external penetration test. Understanding how a penetration testing team performs a test and the tools in their arsenal is essential to defense. The penetration testing cycle is described in the next section. Following that, we discuss defeating recon and enumeration efforts, how to exhaust the penetration testing team’s time and effort, how to properly scrub outbound and inbound traffic, and finally, we present some obscure methods for preventing a successful penetration test.
By: Mark Fioravanti (posted on September 22, 2010)
During a Web Application Penetration Test, it is important to test the security of the clients that are interacting with the application. Although not all Web Application Penetration Testing engagements include this activity, when it is performed it is essential to properly identify the client that is being exploited. Beyond simply identifying the browser, it is also important to identify the operating system (O/S) before attempting to manipulate or exploit the client. An accurate assessment of the characteristics of the client allows for the execution of optimized scripts and/or executing a few exploits instead of executing all of the available exploits and hoping the client does not notice or crash.
Western societies increasingly rely upon information as the foundation for their social, political, financial and military success. Much of this information is transmitted through the Internet, or is handled in intranets using the Internet protocols. Often these internal networks even engage in some sort of (in)direct communication with the Internet itself.
Examples of such mostly internal systems include Supervisory Control and Data Acquisition (SCADA) at times controlling nuclear reactors, civil defense sirens and air traffic control or the electricity/water/oil supply for entire nations. Other examples of sensitive internal systems include databases of large banks, of the police and of the military containing financial or intelligence information.
The mission of cyber deterrence is to prevent an enemy from conducting future attacks by changing their minds, by attacking their technology, or by more palpable means. This definition is derived from influential policy papers including Libicki (2009), Beidleman (2009), Alexander (2007), and Kugler (2009). The goal of cyber deterrence is to deny enemies “freedom of action in cyberspace” (Alexander, 2007). In response to a cyber attack, retaliation is possible, but is not limited to the cyber domain. For example, in the late 90’s the Russian government declared that it could respond to a cyber attack with any of its strategic weapons, including nuclear (Libicki, 2009). McAfee estimates that about 120 countries are using the Internet for state-sponsored information operations, primarily espionage (McAfee, 2009).
A lot of currently available penetration testing resources lack a report writing methodology and approach, which leads to a very big gap in the penetration testing cycle. A report, by definition, is a statement of the results of an investigation or of any matter on which definite information is required (Oxford English Dictionary).
A penetration test is useless without something tangible to give to a client or executive officer. A report should detail the outcome of the test and, if you are making recommendations, document the recommendations to secure any high-risk systems (Whitaker & Newman, 2005). Report writing is a crucial part of any service provider's work, especially for IT service and advisory providers. In pen-testing, the final result is a report that shows the services provided, the methodology adopted, as well as testing results and recommendations. As one project manager at a major electronics firm said, "We don't actually manufacture anything. Most of the time, the tangible products of this department [engineering] are reports." There is an old saying in the consulting business: “If you do not document it, it did not happen.” (Smith, LeBlanc & Lam, 2004)
The financial services industry is under attack from numerous and significant cybercriminal threats. Recent breach data numbers reveal that hackers have successfully compromised many financial institutions, with the trend being that more records containing personally identifiable information (PII) are being stolen each year. In many cases where systems were breached, the method of compromise was attributed to simple errors that gave rise to significant vulnerability. Given the ever-present competitive pressure and the current economic strain to operate more efficiently, banks are allocating resources with added care and may miss the opportunity to rally and mitigate existing deficiencies in basic operational and process controls. In lieu of allocating resources to implement appropriate preventative controls, penetration testing is one alternative detective control that can highlight areas of risk created when overburdened system administrators inadvertently create vulnerabilities.
More and more applications are moving to a web-based platform because there is a need to have applications that can run on multiple platforms without the need to write different code for each. People are using different operating systems and CPU architectures such as 32 or 64 bit. Being able to write code one time to support all of these platforms is invaluable. Businesses are becoming more reliant on their web presence to offer 24-hour access to their services and goods. Thus, it is becoming more important that these applications are highly available. Over the past several years companies have dedicated substantial resources to achieve this flexibility and to use the increased ability to become more productive. One of the first methods used to achieve this was to use DNS load balancing. Using DNS to achieve redundancy is probably the easiest way to give an appearance of load balancing. It then became apparent that a better way to load balance was needed because this method has some serious limitations. The major limitation to this type of load balancing was that the DNS servers do not know if a host that a resource record points to is up and ready to receive requests or not. If someone attempts to connect to a server in this case, the request will not be successful, giving the user an error or not responding properly. Another issue with this is that DNS servers tend to cache requests. If a person’s DNS server has cached the record of the server that is down, the request will again fail.
Passwords are the most commonly used security tool in the world today (Skoudis & Liston, 2006). Strong passwords are the single most important aspect of information security, and weak passwords are the single greatest failure (Burnett, 2006).
Password attacks, such as password guessing or password cracking, are time-consuming attacks. Tools that make use of precomputed hashes greatly reduce the time needed to obtain passwords. However, there is a storage cost and time consumption related to the generation of those precomputed tables; this is especially true if the algorithm used to generate these hashes is relatively strong, and the passwords are complex and long (greater than 10 characters).
In a pass-the-hash attack, the goal is to use the hash directly without cracking it; this makes time-consuming password attacks less necessary.
By: Christopher Hummel (posted on November 3, 2009)
While the concept of passing a Windows password hash has been around for some time, the release of publicly available tools has taken the first major step towards harnessing the true power of this attack. Although such tools have not yet targeted Microsoft’s implementation of Kerberos, all organizations are strongly encouraged to move towards pure Kerberos deployments in preparation for PKI integration. The evolving nature of this attack puts pressure on the use of passwords as a valid identifier, thus requiring organizations to use an alternate credential form such as digital certificates.
By: Morton Christiansen (posted on November 6, 2007)
Buffer overflows remain some of the most serious and widespread vulnerabilities that exist, often giving an attacker complete control over the compromised system. Thus, in-depth knowledge of how these vulnerabilities and exploits work is of utmost importance to penetration testers and incident handlers. This report provides the reader with a basic understanding of how stack-based overflows work in practice. This is illustrated while at the same time uncovering new vulnerabilities in the latest version of Windows XP.
This paper will give the reader general information on war dialing, war dialing tools and general steps you can take to protect your network from unwanted intruders who may try to gain access to your network via unauthorized or poorly managed modems.
This paper proposes a model for ongoing assessment to be performed by the system administrators that includes testing and assessment in a non-threatening environment that provides added value of education for those performing the assessments.
The purpose of this paper is to give you a brief and basic overview of what to look for when starting out in penetration testing and how to build up an internal penetration test kit to aid you in performing both internal and external penetration tests on your company network. It also aims to make you aware of the problems with new network technology, such as wireless networks and remote access devices, that can circumvent network perimeter security devices like firewalls and IDS.
This paper builds on Jessica Lowery's research paper, Penetration Testing: The Third Party Hacker, by drilling down on some of the most common tools and applications used to perform penetration tests. This paper is divided into two parts: "Tools of the Trade" that identifies various tools for penetration testing and the second part is the technical breakdown and "how-to" of reconnaissance, scanning, and vulnerability testing.
There is a battle raging between security professionals and hackers. By placing people into the shoes of a hacker, and teaching them the skills to gain access to a system, one is better able to defend against them.
This paper presents an overview of the various approaches to OS fingerprinting, some current tools available on the Internet together with their features, the underlying techniques they use, and suggestions for defeating these tools.