
SANS InfoSec Reading Room - Penetration Testing

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.


Featuring 34 papers as of May 24, 2013
Implementing Redmine for Secure Project Management
By: Russ McRee (posted on March 15, 2013)
One of the core tenets of a good project management practice is the safekeeping of project information in a readily available, secure resource.
Exploiting Embedded Devices
By: Neil Jones (posted on October 25, 2012)
The majority of routers operate using a form of embedded Linux OS. This is an advantage to the majority of penetration testers, as Linux is likely to be a familiar platform to work with; however, the distributions that routers tend to run are very optimised, and as such the entire firmware for a router is generally only a few Megabytes in size.
Exploiting Financial Information Exchange (FIX) Protocol?
By: Darren DeMarco (posted on July 3, 2012)
The FIX Protocol website defines The Financial Information eXchange ("FIX") Protocol as “a series of messaging specifications for the electronic communication of trade-related messages” (FIX Protocol Ltd, 2012).
Penetration Testing Of A Web Application Using Dangerous HTTP Methods
By: Issac Kim (posted on May 22, 2012)
HTTP methods are functions that a web server provides to process a request. For example, the "GET" method is used to retrieve the web page from the server.
Post Exploitation using Metasploit pivot & port forward
By: David Dodd (posted on March 29, 2012)
The Metasploit Project is an open-source, computer security project which provides information about security vulnerabilities that assist in performing a penetration test.
iPhone Backup Files. A Penetration Tester's Treasure
By: Darren Manners (posted on February 7, 2012)
One of the noticeable changes in recent technology history is the emergence of the smart phone. Technological advances in these fields have created devices that have almost the equivalent power and functionality of desktop computers.
OS fingerprinting with IPv6
By: Christoph Eckstein (posted on September 21, 2011)
In real life human fingerprints are used as a method of identification. As of today no two fingerprints were found to be alike, hence fingerprints are an excellent way to positively identify a person beyond reasonable doubt.
Mass SQL Injection for Malware Distribution
By: Larry Wichman (posted on April 28, 2011)
Cybercriminals have made alarming improvements to their infrastructure over the last few years. One reason for this expansion is thousands of websites vulnerable to SQL injection. Malicious code writers have exploited these vulnerabilities to distribute malware.
Using Windows Script Host and COM to Hack Windows
By: Alex Ginos (posted on January 3, 2011)
During the exploitation phase of penetration testing, the attacker may establish a “beachhead” on a target machine by running an exploit against a vulnerable network service. Often this results in a command prompt. At this point, the question becomes: “How can the command line be used to advantage to access sensitive information, escalate privileges and find and attack other hosts?” There are numerous useful hacking tools that can help with this but initially they are unlikely to be present on the compromised system. The attacker needs to bootstrap the process of further discovery and exploitation using only the limited tools and privileges available at the command prompt. In some cases, it may be necessary to evade detection by avoiding suspicious executables that may be flagged by anti-malware software running on the target. This paper explores the possibilities of using command line scripting tools and software components that are likely to be present on most Microsoft Windows systems to facilitate penetration testing.
About Face: Defending Your Organization Against Penetration Testing Teams
By: Terrence OConnor (posted on December 6, 2010)
In the following paper, we outline several methods for obscuring your network from attack during an external penetration test. Understanding how a penetration testing team performs a test and the tools in their arsenal is essential to defense. The penetration testing cycle is described in the next section. Following that, we discuss defeating recon and enumeration efforts, how to exhaust the penetration testing team’s time and effort, how to properly scrub outbound and inbound traffic, and finally, we present some obscure methods for preventing a successful penetration test.
Client Fingerprinting via Analysis of Browser Scripting Environment
By: Mark Fioravanti (posted on September 22, 2010)
During a Web Application Penetration Test, it is important to test the security of the clients that are interacting with the application. Although not all Web Application Penetration Testing engagements include this activity, when it is performed it is essential to properly identify the client that is being exploited. Beyond simply identifying the browser, it is also important to identify the operating system (O/S) before attempting to manipulate or exploit the client. An accurate assessment of the characteristics of the client allows for the execution of optimized scripts and/or executing a few exploits instead of executing all of the available exploits and hoping the client does not notice or crash.
Bypassing Malware Defenses
By: Morton Christiansen (posted on June 3, 2010)
Western societies increasingly rely upon information as the foundation for their social, political, financial and military success. Much of this information is transmitted through the Internet, or is handled in intranets using the Internet protocols. Often these internal networks even engage in some sort of (in)direct communication with the Internet itself. Examples of such mostly internal systems include Supervisory Control and Data Acquisition (SCADA) at times controlling nuclear reactors, civil defense sirens and air traffic control or the electricity/water/oil supply for entire nations. Other examples of sensitive internal systems include databases of large banks, of the police and of the military containing financial or intelligence information.
Solution Architecture for Cyber Deterrence
By: Thomas J. Mowbray (posted on April 29, 2010)
The mission of cyber deterrence is to prevent an enemy from conducting future attacks by changing their minds, by attacking their technology, or by more palpable means. This definition is derived from influential policy papers including Libicki (2009), Beidleman (2009), Alexander (2007), and Kugler (2009). The goal of cyber deterrence is to deny enemies “freedom of action in cyberspace” (Alexander, 2007). In response to a cyber attack, retaliation is possible, but is not limited to the cyber domain. For example, in the late 90’s the Russian government declared that it could respond to a cyber attack with any of its strategic weapons, including nuclear (Libicki, 2009). McAfee estimates that about 120 countries are using the Internet for state-sponsored information operations, primarily espionage (McAfee, 2009).
Writing a Penetration Testing Report
By: Mansour A. Alharbi (posted on April 29, 2010)
A lot of currently available penetration testing resources lack report writing methodology and approach, which leads to a very big gap in the penetration testing cycle. A report, by definition, is a statement of the results of an investigation or of any matter on which definite information is required (Oxford English Dictionary). A penetration test is useless without something tangible to give to a client or executive officer. A report should detail the outcome of the test and, if you are making recommendations, document the recommendations to secure any high-risk systems (Whitaker & Newman, 2005). Report writing is a crucial part for any service provider, especially IT service/advisory providers. In pen-testing the final result is a report that shows the services provided, the methodology adopted, as well as testing results and recommendations. As one of the project managers at a major electronics firm said, "We don't actually manufacture anything. Most of the time, the tangible products of this department [engineering] are reports." There is an old saying in the consulting business: “If you do not document it, it did not happen.” (Smith, LeBlanc & Lam, 2004)
Penetration Testing in the Financial Services Industry
By: Christopher Olson (posted on March 9, 2010)
The financial services industry is under attack from numerous and significant cybercriminal threats. Recent breach data numbers reveal that hackers have successfully compromised many financial institutions with the trend being that more records containing personally identifiable information (PII) are being stolen each year. In many cases where systems were breached the method of compromise was attributed to simple errors that gave rise to significant vulnerability. Given the ever present competitive pressure and the current economic strain to operate more efficiently banks are allocating resources with added care and may miss the opportunity to rally and mitigate existing deficiencies in basic operational and process controls. In lieu of allocating resources to implement appropriate preventative controls, penetration testing is one alternative detective control that can highlight areas of risk created when overburdened system administrators inadvertently create vulnerabilities.
Identifying Load Balancers in Penetration Testing
By: Curt Shaffer (posted on March 9, 2010)
More and more applications are moving to a web-based platform because there is a need to have applications that can run on multiple platforms without the need to write different code for each. People are using different operating systems and CPU architectures such as 32 or 64 bit. Being able to write code one time to support all of these platforms is invaluable. Businesses are becoming more reliant on their web presence to offer 24-hour access to their services and goods. Thus, it is becoming more important that these applications are highly available. Over the past several years companies have dedicated substantial resources to achieve this flexibility and to use the increased ability to become more productive. One of the first methods used to achieve this was to use DNS load balancing. Using DNS to achieve redundancy is probably the easiest way to give an appearance of load balancing. It then became apparent that a better way to load balance was needed because this method has some serious limitations. The major limitation to this type of load balancing was that the DNS servers do not know if a host that a resource record points to is up and ready to receive requests or not. If someone attempts to connect to a server in this case, the request will not be successful, giving the user an error or not responding properly. Another issue with this is that DNS servers tend to cache requests. If a person’s DNS server has cached the record of the server that is down, the request will again fail.
Pass-the-hash attacks: Tools and Mitigation
By: Bashar Ewaida (posted on February 23, 2010)
Passwords are the most commonly used security tool in the world today (Skoudis & Liston, 2006). Strong passwords are the single most important aspect of information security, and weak passwords are the single greatest failure (Burnett, 2006). Password attacks, such as password guessing or password cracking, are time-consuming attacks. Tools that make use of precomputed hashes reduce the time needed to obtain passwords greatly. However, there is storage cost and time consumption related to the generation of those precompiled tables; this is especially true if the algorithm used to generate these passwords is relatively strong, and the passwords are complex and long (greater than 10 characters). In a pass-the-hash attack, the goal is to use the hash directly without cracking it; this makes time-consuming password attacks less needed.
A Taste of Scapy
By: Judy Novak (posted on December 24, 2009)
Have you ever envisioned that there may be an easy way to craft a TCP session beginning with the TCP three-way handshake so that you can emulate a client side of a TCP connection?
Why Crack When You Can Pass the Hash?
By: Christopher Hummel (posted on November 3, 2009)
While the concept of passing a Windows password hash has been around for some time, the release of publicly available tools has taken the first major step towards harnessing the true power of this attack. Although such tools have not yet targeted Microsoft’s implementation of Kerberos, all organizations are strongly encouraged to move towards pure Kerberos deployments in preparation for PKI integration. The evolving nature of this attack puts under pressure the issue of passwords as a valid identifier thus requiring organizations to use an alternate credential form such as digital certificates.
A Fuzzing Approach to Credentials Discovery using Burp Intruder
By: Karl Dawson (posted on October 29, 2009)
A general overview of the components of Burp that are used to crack a password. This is followed by an analysis of usernames; a step that is often overlooked in the rush to crack a password.
Scanning Windows Deeper With the Nmap Scanning Engine
By: Ron Bowes (posted on June 22, 2009)
This paper will look at how SMB and Microsoft RPC services work, how the Nmap scripts take advantage of the services, what checks the scripts are able to do, and what can be done to prevent them.
Stack Based Overflows: Detect & Exploit
By: Morton Christiansen (posted on November 6, 2007)
Buffer overflows remain some of the most serious and widespread vulnerabilities that exist, often giving an attacker complete control over the compromised system. Thus, in depth knowledge of how these vulnerabilities and exploits work is of utmost importance to penetration testers and incident handlers. This report provides the reader with a basic understanding of how stack based overflows work in practice. This is illustrated, while at the same time uncovering new vulnerabilities in the latest version of Windows XP.
War Dialing
By: Michael Gunn (posted on January 18, 2007)
This paper will give the reader general information on war dialing, war dialing tools and general steps you can take to protect your network from unwanted intruders who may try to gain access to your network via unauthorized or poorly managed modems.
Penetration Testing: The Third Party Hacker
By: Pieter Danhieux (posted on May 17, 2006)
This paper is intended to help managers decide on a penetration testing firm by providing them with some essential points of attention and critical questions to ask the prospective service providers.
Guidelines for Developing Penetration Rules of Behavior
By: Nancy Simpson (posted on October 31, 2003)
This paper examines how, if planned and executed appropriately, penetration testing can be a very useful tool for determining the current security posture of an organization.
Security Life Cycle - 1. DIY Assessment
By: Lee Wan Wai (posted on October 31, 2003)
This paper describes a simplified and comprehensive way to accomplish vulnerability assessment, one phase of the Security Life Cycle.
Instruments of the Information Security Trade
By: Mark Graff (posted on October 31, 2003)
This paper examines how penetration testing, if done properly, will benefit your organization's information security.
Finding dsniff on Your Network
By: Richard Duffy (posted on October 31, 2003)
This paper covers some ways to detect dsniff and two of its utilities, arpspoof and macof, on a network.
A Model for Peer Vulnerability Assessment
By: Patricia Payne (posted on October 31, 2003)
This paper proposes a model for ongoing assessment to be performed by the system administrators that includes testing and assessment in a non-threatening environment that provides added value of education for those performing the assessments.
Penetration Testing - Is it right for you?
By: Jimmy Braden (posted on October 31, 2003)
This paper will review the steps involved in preparing for and performing a penetration test.
Penetration 101 - Introduction to becoming a Penetration Tester
By: Dave Burrows (posted on October 31, 2003)
The purpose of this paper is to give you a brief and basic overview of what to look for when starting out in penetration testing and to build up an internal penetration test kit to aid you in performing both internal and external penetration tests on your company network. It also aims to make you aware of the problems with new network technology like wireless networks and remote access devices that can circumvent network perimeter security devices like firewalls and IDS.
Penetration Studies - A Technical Overview
By: Timothy Layton (posted on October 31, 2003)
This paper builds on Jessica Lowery's research paper, Penetration Testing: The Third Party Hacker, by drilling down on some of the most common tools and applications used to perform penetration tests. This paper is divided into two parts: "Tools of the Trade" that identifies various tools for penetration testing and the second part is the technical breakdown and "how-to" of reconnaissance, scanning, and vulnerability testing.
Battle for the Internet: The War is On!
By: Kevin J. Owens (posted on October 31, 2003)
There is a battle raging between security professionals and hackers. By placing people into the shoes of a hacker, and teaching them the skills to gain access to a system, one is better able to defend against them.
An Overview of Remote Operating System Fingerprinting
By: Chris Trowbridge (posted on October 31, 2003)
This paper presents an overview of the various approaches to OS fingerprinting, some current tools available on the Internet together with their features, the underlying techniques they use, and suggestions for defeating these tools.