Chapter 16. Case Study: A Methodical Step-By-Step Penetration Test

3. (continued)
   - Collecting tools
   - Planning an attack strategy

4. Gathering Information
   This step is sometimes called "footprinting" the victim. It is where all relevant information about the company is gathered and used in later steps in an attempt to gain access.

5. Scanning (Enumeration)
   Scanning consists of searching and probing for systems and enumerating the ports and applications running on them. This can also include enumerating user accounts and shared resources on computer systems. Note that some testers in the field separate scanning and enumeration into separate steps.

6. Gaining Access
   This is the most exciting yet typically the most time-consuming of all the steps. Gaining access might just fall into your lap, but more often it is a lengthy process. In some cases the attempt fails, which, for the customer, is the hoped-for outcome. This step can contain almost any approach to gaining access, such as the following:
   - Access via the Internet
   - Dial-up access
   - Social engineering
   - Wireless access
   - Denial of service
   - E-mail attacks (spam)
   - Trojans
   - Dumpster diving

7. Maintaining Access [*]
   After the penetration testing team gains access, they might need to return to complete more testing. This step includes the installation of backdoor-style applications to allow an easier return into the system for further penetration attempts. This also simulates a scenario in which backdoors have been maliciously installed and assesses whether current security measures are likely to detect them.

8. Covering Tracks [*]
   This step allows the penetration testers to attempt to clear all traces of the attack, just as a highly skilled hacker would.

9. Writing the Report
   This step allows the team to assemble its findings into a document. This is the product that is presented to the customer. This step consumes a significant part of the time taken for the penetration test as a whole. Sometimes the client retains the only copy of this document, which summarizes the information collected in the previous steps.

10. Presenting and Planning the Follow-Up
   After the team completes the tests and presents the results to the customer, it should schedule follow-up tests on a recurring basis to ensure that the customer does not become vulnerable to future exploits and weaknesses that might appear.

[*] Not all penetration tests allow tracks to be covered, so testing basically stops at Step 6.



Tip

For an excellent document covering a full, methodical approach, see the Open Source Security Testing Methodology Manual (OSSTMM) at http://www.isecom.org/.

The rest of the chapter takes you through a fictitious penetration test of a network from two perspectives:
- The actual attack, which provides the opportunity to take a quick look at the manual tools used
- A postmortem and a review of a basic report that was generated



Case Study: LCN Gets Tested

LCN has just rolled out its web server application and wants a penetration testing company called DAWN Security Systems to test it. Here are the rules set by LCN:
- Black-box testing rules are in effect. (Only the company website name will be given.)
- Use any means necessary to penetrate the internal network except breaking and entering or physical access to the building.
- A time limit of 24 hours is given to complete the test.
- The test will start on Friday night and last until Saturday night so that it will not interfere with normal weekly business activity.

Following are the goals and basic rules:
- Acquire as much knowledge about LCN as possible.
- Gain access to the internal network.
- List computers on the private side of the firewall.
- Create a backdoor for returning access.
- Clearing or covering tracks is not authorized.
- Rootkit installations are not authorized.



Planning the Attack

DAWN Security Systems commences a plan of attack by assembling a small team covering the following areas of expertise:
- Social engineering
- Networking
- Firewalls
- Wireless
- Web server administration and web page development
- Linux
- Windows domains
- Databases
- Team leader
- Report writing
- Coffee brewing

The team for this case study consists of the following personnel:
- Daniel: Team leader; networking, Windows, database, web, firewall, and social engineering specialist
- Andrew: Linux, networking, firewall, and social engineering specialist
- Clare: Windows, database, wireless, and report writing specialist
- Hannah: Social engineering, wireless, and official team coffee expert

The team kicks off with information gathering and later splits into different directions as directed by the team leader. If wireless devices are detected at the office location, the wireless experts head off in search of easy access to the internal network. The social engineers start calling the office numbers, posing as new hires or sales personnel, in attempts to find out more details about the internals of the company. The coffee brewing personnel keep the blood flowing as the team attacks the system in the nonstop 24-hour window set by LCN.



Gathering Information

Gathering information is usually quite simple, and what it turns up typically feeds right back into the Planning the Attack step. As information is revealed, the team leader might redirect personnel accordingly, in the most effective manner, to acquire the best results in the time given.

Now back to LCN. The team heads out to collect as much detail as possible to get started. As mentioned previously, the starting point is the supplied website name, www.littlecompanynetwork.com.

Following are the tools they use:
- http://www.centralops.net
- Phone
- Yellow pages
- Traceroute
- Wireless websites that publish access points (http://www.nodedb.net)
- www.terraserver.com
- Teleport Pro

The first tool used is http://www.centralops.net. This website offers a free Whois lookup service that can reveal a large amount of data about the owner of a domain name from a single page. Figure 16-1 displays the http://www.centralops.net site.

Figure 16-1. Information Gathering from http://www.centralops.net

Example 16-1 shows the information that http://www.centralops.net returned about LCN. (The 172.16.0.0/12 addresses in the record are RFC 1918 private space, used here as stand-ins for the fictitious company's public range; a real registrar or ARIN record would show routable addresses.)

Example 16-1. http://www.centralops.net Information About LCN

Address lookup
  canonical name  littlecompanynetwork.com.
  aliases
  addresses       172.16.0.2

Domain Whois record

Queried whois.internic.net with "dom littlecompanynetwork.com".

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.inte
for detailed information.

  Domain Name: littlecompanynetwork.com
  Registrar: registerthedot.com
  Whois Server: whois.dotster.com
  Referral URL: http://www.dotster.com
  Name Server: NS2.littlecompanynetwork.com
  Name Server: NS.littlecompanynetwork.com
  Status: REGISTRAR-LOCK
  Updated Date: 23-feb-2005
  Creation Date: 16-feb-1996
  Expiration Date: 17-feb-2010

Registrant:
  LCN
  Rout 1 Box 344
  Corvallis, Oregon 97330
  US

Registrar: Registerthedot.com
Domain Name: littlecompanynetwork.com
Created on: 16-FEB-96
Expires on: 17-FEB-10
Last Updated on: 23-FEB-05

Administrative Contact:
  Bates, Joe  jbates@littlecompanynetwork.com
  LCN
  Rout 1 Box 344
  Corvallis, Oregon 97330
  US

  541-555-1212
  541-555-1212

Technical Contact:
  Bates, Joe  jbates@littlecompanynetwork.com
  LCN
  Rout 1 Box 344
  Corvallis, Oregon 97330
  US
  541-555-1212
  541-555-1212

Domain servers in listed order:
  NS.littlecompanynetwork.com
  NS2.littlecompanynetwork.com

End of Whois Information

Network Whois record

Queried whois.arin.net with "172.16.0.2"...

  OrgName: littlecompanynetwork.com
  OrgID: RSPC
  Address: 12 W. Fish.
  Address:
  City: Corvallis
  StateProv: OR
  PostalCode: 97330
  Country: US

  NetRange: 172.16.0.1 - 172.16.0.7
  CIDR: 172.16.0.1/29
  NetName: RSPC-NET-4
  NetHandle: NET-172-16-0-0-1
  Parent: NET-172-16-0-0-0
  NetType: Direct Allocation
  NameServer: NS.littlecompanynetwork.com


