Chapter 3. Creating a Test Plan

Step-by-Step Plan

Every good penetration test involves the following steps:

1. Reconnaissance: The initial stage of collecting information on your target network
2. Enumeration: The process of querying active systems to grab information on network shares, users, groups, and specific applications
3. Gaining access: The actual penetration
4. Maintaining access: Allowing the tester a backdoor into the exploited system for future attacks
5. Covering tracks: The process of deleting log file entries to make it appear that you were never on the exploited system

Chapter 5, "Performing Host Reconnaissance," addresses the reconnaissance step. The last four steps, which are typically done in sequence, are covered in the remaining chapters.

Before you can perform the first step, however, you and the client (or management, if you are doing an internal test) must do the following:

- Narrow the scope of the project
- Determine if social engineering will be employed
- Decide if session hijacking attempts will be allowed
- Agree on the use of Trojan and backdoor software



Defining the Scope

Penetration testing is a lot like a pirate looking for buried treasure. The pirate does not know exactly where the buried treasure is, but he knows it is valuable enough to go looking for it. A pirate has a treasure map full of clues all geared to direct him toward the buried treasure. In the same way, penetration testers are on a quest to infiltrate a client network. The testers do not know in advance how they are to go about infiltrating the network, but in the end, the results of the test have to be worthwhile to the client. If a client is most concerned with the security of their Internet presence, then you should not devote your time to trying to break into the internal network. Likewise, if the client is concerned only about the security of his accounting department, it does not make sense to devote your time to other departments.

The first step, then, is to narrow the scope of your test to what is meaningful to the client. Ask the client what he hopes to achieve through this testing. Perhaps he only wants to assess whether he is vulnerable to having account information stolen, or the scope might extend to any type of attack. Ideally, all possible means of attack should be allowed to provide the most realistic scenario of a real malicious attack, but this is seldom the case. Budget constraints, concerns over denial of service (DoS) attacks disrupting daily information, and the protection of employee privacy are often deterrents that prevent organizations from authorizing all forms of attacks.



Social Engineering

Social engineering, described in more detail in Chapter 4, "Performing Social Engineering," is the process of human-based manipulation to achieve access. Some organizations permit the use of social engineering, and some do not. You need to discuss this with the client (and have it in writing) before you begin testing.



Session Hijacking

Session hijacking, described in more detail in Chapter 6, "Understanding and Attempting Session Hijacking," is the process of taking over a TCP session between two machines to gain access to an unauthorized system, as illustrated in Figure 3-1.

Figure 3-1. Session Hijacking

In Figure 3-1, the penetration tester is listening to network traffic being sent from User A to the server. The penetration tester takes over the session and appears to the server as that user. To make this work, the penetration tester has to drop User A off the network (usually through sending a TCP reset packet). This can be disruptive to day-to-day operations, and it is often not permissible to perform these tests.

An alternative is to create a lab environment that contains equivalent network equipment.



Trojan/Backdoor

Another factor requiring authorization before performing tests is whether the use of Trojans or other backdoor software is to be allowed. Encourage the client to allow this. Many of the more cunning attacks use backdoor applications and Trojans. If you want to have accurate results, you need authorization to use these applications.

If you do agree on the use of Trojan applications and other backdoor applications, be careful about what tools you use. Some websites give you the option of downloading Trojan and backdoor tools such as Netcat, but they contain their own virus embedded in the program. These viruses, when put on a client machine, can propagate throughout the network, causing havoc on servers and end user computers.



Open-Source Security Testing Methodology Manual

As you know, it is pointless to reinvent the wheel if it has already been made. Peter Herzog, at the Institute for Security and Open Methodologies (http://www.isecom.org), along with 30 contributors from various security organizations, has created the Open-Source Security Testing Methodology Manual (OSSTMM) so that penetration testers do not have to reinvent the wheel when designing a methodology for security auditing.

The OSSTMM addresses the following areas of security assessment, as illustrated in Figure 3-2:

- Information security
- Process security
- Internet technology security
- Communications security
- Wireless security
- Physical security

Figure 3-2. OSSTMM Security Map
© 2000-2003 Peter Herzog, ISECOM

Note

A Spanish version of the OSSTMM is available for free download at http://www.osstmm.org.

Each of the areas of security assessment is further broken down into specific modules. For example, the wireless security area (page 71 in the OSSTMM document) is broken down into eleven modules:

- Electromagnetic radiation testing
- 802.11 wireless network testing
- Bluetooth testing
- Wireless input device testing
- Wireless handheld testing
- Cordless communications testing
- Wireless surveillance device testing
- Wireless transaction device testing
- RFID testing
- Infrared testing
- Privacy review

Each of these modules is further broken down to detail what a security auditor should test. For example, under Bluetooth testing (page 75), the auditor should do the following:

1. Verify that there is an organizational security policy that addresses the use of wireless technology, including Bluetooth technology.
2. Perform a complete inventory of all Bluetooth wireless devices.
3. Perform brute force attacks against Bluetooth access points to discern the strength of the password. Verify that passwords contain numbers and special characters. Bluetooth access points use case-insensitive passwords, which makes it easier for attackers to conduct a brute force guessing attack due to the smaller space of possible passwords.
4. Verify the actual perimeter of the Bluetooth network.
5. Verify that the Bluetooth devices are set to the lowest power setting to maintain sufficient operation that will keep transmissions within the secure boundaries of the organization.

The OSSTMM, although broader than just penetration testing, serves as a good framework to start with.

Note

Anyone can contribute to the OSSTMM project. If you want to contribute to it, go to http://www.isecom.org/contact.shtml.

After you have collected the data, you can begin your assessment. Figure 3-3 illustrates the complete process from the point of signing the contract to the point of writing the report.

Figure 3-3. Penetration Testing Life Cycle

After you have collated and analyzed all data, it is time to write your report.



Documentation

A penetration test is useless without something tangible to give to a client or executive officer. A report should detail the outcome of the test and, if you are making recommendations, document the recommendations to secure any high-risk systems.

The report should contain the following sections:

- Executive Summary
- Project Scope
- Results Analysis
- Summary
- Appendixes

Executive Summary

The Executive Summary is a short high-level overview of the test. It is written for key executives who want to know the bottom line about how this affects their company but probably do not care much about the technical details. A sample Executive Summary would read as follows:

Executive Summary

This report details a recent intrusion test on [client name] as performed by [contracted firm] between the dates of [start date] and [end date]. [Client name] contracted [contracted firm] on [date] to assess the security of [client name]'s [public/private] network by emulating the techniques of a malicious attacker. A combination of tests was executed against the [public/private] network, including port scans, exploit tests, ICMP scans, and other means to be detailed later in the report.

After reviewing the results of the tests, [contracted firm] recommends the following to improve network security:

[recommendations]

Included in this report is a brief introduction about intrusion testing and an explanation of the scope of tests performed. This is followed by the complete results of the test and assessments of the results.

As the sample demonstrates, you should keep the Executive Summary brief. It is usually only a page long. You might encounter executive officers who stay only long enough for a brief five-minute introduction and overview of the Executive Summary followed by a question and answer period. Therefore, you should keep your Executive Summary brief and to the point within the context of how the results impact the business as a whole.

Your Executive Summary should also include a business case detailing the impact of your findings and any associated costs in fixing discovered vulnerabilities. You can use charts to support your case and make the report easier to read.

As a penetration tester, you are considered a specialist. You are hired to give not just your findings but also an analysis. You should include in your Executive Summary information on how your client compares with other companies you have performed tests on. To preserve confidentiality, you should not offer the names of any other clients, but instead provide generic statements as to whether the security of the company falls short or excels when compared to other companies in the same industry.

Tip

Because some of the officers might be unfamiliar with the need or purpose of penetration testing, the best practice is to include a one-page description after the Executive Summary explaining why penetration testing is important and what it entails. Include statistics and define common terms that you will use throughout the remainder of the report. This piques the interest of the readers and illustrates the importance of your work.

Project Scope

The Project Scope should include the IP address range tested against and the boundaries defined in the contract. The boundaries include such things as whether you employed social engineering, whether you tested the public (Internet-facing) or private networks, and whether you permitted Trojans and backdoor software applications such as Back Orifice. Although the time frame for the test is included in the Executive Summary, you should include it here, too, because it relates to the Project Scope.
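The four pre-test agreements listed at the start of the chapter (scope, social engineering, session hijacking, Trojans/backdoors) and the IP address range recorded in the Project Scope can be checked mechanically before any test is run. The following is an added example and not code from the book; it assumes a constructed engagement record, hypothetical technique names, and RFC 5737 documentation addresses as sample targets.

```python
import ipaddress
from dataclasses import dataclass

# Techniques that need an explicit written authorization, mapped to the Engagement
# attribute that records the client's decision. Technique names are hypothetical.
# Ordinary tests (port scans, exploit tests) only need an in-scope target host.
GATED = {
    "social_engineering": "social_engineering",
    "session_hijack": "session_hijacking",
    "trojan_backdoor": "trojans_backdoors",
    "dos": "dos",
}


@dataclass(frozen=True)
class Engagement:
    client: str
    networks: tuple                  # authorized CIDR ranges from the contract
    social_engineering: bool = False
    session_hijacking: bool = False
    trojans_backdoors: bool = False
    dos: bool = False                # DoS is a common exclusion, so off by default

    def host_in_scope(self, host: str) -> bool:
        addr = ipaddress.ip_address(host)
        return any(addr in ipaddress.ip_network(n) for n in self.networks)

    def check(self, host: str, technique: str) -> tuple:
        """Return (allowed, reason) for one planned test against one host."""
        if not self.host_in_scope(host):
            return (False, f"{host} is outside the authorized ranges")
        flag = GATED.get(technique)
        if flag is not None and not getattr(self, flag):
            return (False, f"{technique} not authorized in writing")
        return (True, "allowed")


def review_plan(engagement: Engagement, planned: list) -> tuple:
    """Split (host, technique) pairs into allowed and rejected (host, technique, reason)."""
    allowed, rejected = [], []
    for host, technique in planned:
        ok, reason = engagement.check(host, technique)
        (allowed if ok else rejected).append((host, technique, reason))
    return allowed, rejected


if __name__ == "__main__":
    # Constructed engagement: one public range, Trojans permitted, hijacking not.
    eng = Engagement("Example Corp (constructed)", ("192.0.2.0/24",), trojans_backdoors=True)
    plan = [("192.0.2.10", "port_scan"), ("192.0.2.10", "session_hijack"),
            ("198.51.100.5", "exploit_test"), ("192.0.2.20", "trojan_backdoor")]
    for host, technique, reason in review_plan(eng, plan)[1]:
        print(f"REJECT {technique} on {host}: {reason}")
```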

You should also include an estimate of the number of exploits attempted and their type. For example, the report might say this:

More than 230 tests were performed against [number] hosts. These included, but were not limited to, the following:

Backdoor application vulnerabilities


