Vulnerability Exploitation and Defense
Penetration Testing (Lec # 4)
A penetration test simulates methods that intruders use to gain unauthorized access to an organization's
networked systems and then compromise them
In the context of penetration testing, the tester is limited by resources, e.g.
time, skill and access to equipment
Most attackers follow a common approach to penetrate a system
Security Assessments
Every organization uses different types of security assessments to validate
the level of security on its network resources
Each type of security assessment requires the people conducting the
assessment to have different skills
Vulnerability Assessment
Network Scanning: A vulnerability assessment scans a network for known
security weaknesses
Scanning Tools: Vulnerability scanning tools search network segments for IP-enabled devices and
enumerate systems, OSs and applications
Security Mistakes: Additionally, vulnerability scanners can identify common security configuration mistakes
Test Systems/Network: Vulnerability scanners can test systems and network devices for exposure to common
attacks
Limitations of Vulnerability Assessment
Vulnerability Scanning software is limited in its ability to detect vulnerabilities at a given point in time
It must be updated when new vulnerabilities are discovered or modifications are made to the software being used
This can influence the result of the assessment
The methodology used, as well as the diverse vulnerability scanning software packages, assess security differently
Penetration Testing
A penetration test that is not conducted professionally can result in the loss of services and disruption of
business continuity
Penetration testing assesses the security model of the organization as a whole
It reveals potential consequences of a real attacker breaking into the network
A penetration tester is differentiated from an attacker only by his intent and lack of malice
Why Penetration Testing
Identify the threats facing an organization's information assets
Reduce an organization's IT security costs and provide a better ROI by identifying and resolving vulnerabilities &
weaknesses
Provide an organization with assurance, a thorough and comprehensive assessment of organizational
security covering policy, procedure, design and implementation
Gain and maintain certification to an industry regulation
Adopt best practice by conforming to legal and industry regulations
For testing and validating the efficiency of security protections and controls
It focuses on high severity vulnerabilities and emphasizes application-level security issues to dev teams
Providing a comprehensive approach to the preparation steps that can be taken to prevent upcoming
exploitation
Evaluating the efficiency of network security devices such as firewalls, routers, and web servers
For changing and upgrading existing infrastructure of software, hardware, or network design
What should be Tested? An organization should conduct a risk assessment operation before the penetration
testing that will help to identify the main threats, such as
Communications failure, E-commerce failure and loss of confidential information
Public facing systems, websites, email gateways, and remote access platforms
Mail, DNS, firewalls, passwords, web servers
What makes a good Penetration Test
Establishing parameters of penetration test such as objectives, limitations, and justification of procedures
Hiring skilled and experienced professionals to perform the test
Choosing a suitable set of tests that balance cost and benefits
Following methodology with proper planning and documentation
Documenting the result carefully and making it comprehensible for the client
Stating the potential risks and findings clearly in the final report
ROI on Penetration Testing
Companies will spend on a pen-test only if they have proper knowledge of the benefits of the pen-test
Penetration testing helps companies identify, understand, and address vulnerabilities,
which saves them a lot of money, resulting in ROI
Demonstration of ROI is a critical process for success in selling the pen-test
Demonstrate the ROI for the pen-test with the help of a business case scenario, which includes the
expenditure and the profits involved in it
Testing Points
Organizations have to reach a consensus on the extent of information that can be divulged to the testing
team to determine the starting point of the test
Providing a penetration testing team with additional information may give them an unrealistic advantage
Similarly, the extent to which the vulnerabilities need to be exploited without disrupting critical services,
needs to be determined
Testing Locations
The pen-testing team may have a choice of doing the test either remotely or on-site
A remote assessment may simulate an external hacker attack, but it may miss assessing internal guards
An on-site assessment may be expensive and may not simulate an external threat exactly
Types of Penetration Testing
External Penetration Testing: External testing involves analysis of publicly available information, a
network enumeration phase, and the behavior of the security devices analyzed
It involves a comprehensive analysis of publicly available information about the target such as:
Web Servers, Mail Servers
Firewalls, Routers
It is the traditional approach to penetration testing
It is focused on servers, infrastructure and the underlying software comprising the target
It may be performed with no prior knowledge of the site (black box)
Internal Testing
Performed from a number of network access points, representing each logical and physical segment
Black hat testing
Grey hat testing
White hat testing
Announced Testing
Unannounced Testing
Internal Security Assessment
It will be performed from a number of network access points, representing each logical and physical segment
E.g., this may include tiers and DMZ within the environment, the corporate network or partner of the company
An internal security assessment follows a similar methodology to external testing, but provides a more
complete view of the site security
Blackbox Penetration Testing
No prior knowledge of the infrastructure to be tested
You will be given just a company name
Penetration test must be carried out after extensive information gathering and research
This test simulates the process of a real hacker
A considerable amount of the time allocated for the project is spent on discovering the nature of the
infrastructure, how it connects and how it interrelates
Time consuming and expensive type of test
Grey Box Penetration Testing
In a grey-box test, the tester usually has a limited knowledge of information
It performs security assessment and testing internally
Approaches towards the app security that tests for all vulnerabilities which a hacker may find and exploit
Performed mostly when a penetration tester starts a black box test on well protected systems and finds
that a little prior knowledge is required in order to conduct a thorough review
White Box Penetration Testing
Complete knowledge of the infrastructure that needs to be tested is known
This test simulates the process of the company's employees
Information is provided such as
Company infrastructure, Network Type, Current Security implementations, IP address/ firewall/ IDS
details, Company policies do's and don'ts
Announced Testing
It is an attempt to compromise systems on the client with the full cooperation and knowledge of the IT staff
Examines the existing security infrastructure for possible vulnerabilities
Involves the security staff on the penetration testing teams to conduct audits
Unannounced Testing
It is an attempt to compromise systems on the client network without the knowledge of IT security personnel
Allows only the upper management to be aware of these tests
Examines the security infrastructure and responsiveness of the IT staff
Automated Testing
Automated testing can result in time and cost savings over a long term; however, it cannot replace an
experienced security professional
Tools can have a high learning curve and may need frequent updating to be effective
With automated testing, there exists no scope for any of the architectural elements to be tested
As with vulnerability scanners, there can be false negatives or worse, false positives
Manual Testing
It is the best option an organization can choose to benefit from the experience of a security professional
The objective of the professional is to assess the security posture of the organization from an attacker's perspective
A manual approach requires planning, test designing, scheduling, and diligent documentation to capture
the results of the testing process
Phases of Pen Testing
Pre Attack Phase
Attack Phase
Post Attack Phase
Metasploit Framework (Lec # 5)
Exploitation
Establishing access to a system/machine/resource by bypassing security restrictions.
For a Pen Tester exploitation is gaining access to a machine to run commands on it
Possibly with limited privileges
Perhaps with super user privileges
An exploit is a piece of code that uses a vulnerability to make a target machine do something on behalf of
an attacker
Exploitation Lifecycle
Discovery: A security researcher or the vendor discovers critical security vulnerability in the software.
Disclosure: The security researcher either adheres to a responsible disclosure policy and informs the
vendor, or discloses it on a public mailing list. Either way, the vendor needs to come up with a patch for
the vulnerability
Analysis: The researcher or others across the world begin analyzing the vulnerability to determine its
exploitability. Can it be exploited? Remotely? Would the exploitation result in remote code execution, or
would it simply crash the remote service? What is the length of exploit code that can be injected? This
phase also involves debugging the vulnerable application as malicious input is injected to the vulnerable
piece of code.
Exploit Development: Once the answers to the key questions are determined, the process of developing
the exploit begins. This has usually been considered a bit of a black art, requiring an in-depth
understanding of the processor's registers, assembly code, offsets, and payloads
Testing: This is the phase where the coder now checks the exploit code against various platforms,
service pack, or patches
Release: Once the exploit is tested, and the specific parameters required for its successful execution
have been determined, the coder releases the exploit, either privately or on a public forum. Often, the
exploit is tweaked so that it does not work right out of the box. This is usually done to dissuade script
kiddies from simply downloading the exploit and running it against a vulnerable system.
Risks after Successful Exploitation
Service Crash, System Crash, System Stability Impacted, System Integrity Violated, other issues?
Categories of Exploits
Exploits fall into one of three categories
Server Side Exploits
Client Side Exploits
Local Privilege Escalation
A penetration tester may need to use any one or, more likely, a combination of these kinds of attacks
What is Metasploit Framework?
An open-source tool, which provides a framework for security researchers to develop exploits, payloads,
payload encoders, and tools for reconnaissance and other security testing purposes
Although it initially started off as a collection of exploits and provided the ability for large chunks of code
to be re-used across different exploits, in its current form it provides extensive capabilities for the design
and development of reconnaissance, exploitation, and post-exploitation security tools
The MSF was originally written in the Perl scripting language and included various components written in
C, assembler, and Python. However, the 3.0 version of the product is now completely re-written in Ruby
and comes with a wide variety of APIs
The prime intent is security research, not black hat hacking. It's considered to be the most useful tool for
understanding vulnerability exploitation.
MSF Working
Exploit
An exploit is the means by which an attacker, or pen tester for that matter, takes advantage of a flaw
within a system, an application, or a service. An attacker uses an exploit to attack a system in a way
that results in a particular desired outcome that the developer never intended. Common exploits
include buffer overflows, web app vulnerabilities (such as SQL injection), and configuration errors.
An exploit takes advantage of a vulnerability in a target machine
Payload
A payload is code that we want the system to execute and that is to be selected and delivered by the
Framework. For example, a reverse shell is a payload that creates a connection from the target
machine back to the attacker as a Windows command prompt.
The payload makes the target do something the attacker wants (remote access, create new account
with privileges, etc.)
Issues with Post Exploitation
Most often, penetration testing discussions center on reconnaissance and exploitation. But not much
importance is given to the post-exploitation phase, especially the objective of exploiting vulnerable
systems in as flexible and stealthy a manner as possible
Some of the common challenges during post exploitation are
When attempting to run a process after exploitation, it would show up in the system's list of running
processes. Even attempts at Trojanising the operating system commands would still leave enough
trails for the experienced forensics investigator. Host intrusion detection systems (HIDS) would also
raise an alarm if a command prompt is executed on the system.
Besides the red flag that would be raised by launching a command shell, the shell itself might be
restricted. For instance, if the process is running in a restricted environment, where access to libraries
and commands might be severely restricted, or if certain binaries have been removed from the system, it
might be extremely difficult to do much damage.
Often before launching the exploit, the payload and the specific actions to be executed are decided.
Thus, you would have to decide whether you would like to tunnel a reverse shell back to your system, or
add a user on the remote system, or simply run any specific command once the exploit succeeds. But
there's no flexibility beyond that.
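Added example (not part of the original lecture notes): the first challenge above is also a detection opportunity, because a command shell whose ancestor is a network-facing service stands out in process-creation telemetry. The sketch below runs that check over constructed events; the event layout and the SHELLS and SERVICES watch lists are assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed watch lists for this example; tune them to the hosts being monitored.
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}
SERVICES = {"w3wp.exe", "httpd", "nginx", "sqlservr.exe", "java"}

@dataclass
class ProcEvent:
    ts: str
    pid: int
    ppid: int
    image: str  # executable name only

def parse(line):
    ts, pid, ppid, image = line.split()
    return ProcEvent(ts, int(pid), int(ppid), image.lower())

def find_service_spawned_shells(lines):
    """Return (event, ancestry) for each shell that descends from a service."""
    live = {}    # pid -> most recent process-creation event seen for that pid
    alerts = []
    for ev in map(parse, lines):
        live[ev.pid] = ev
        if ev.image not in SHELLS:
            continue
        chain, seen, cur = [ev.image], {ev.pid}, ev
        # Walk up the parent chain; stop on unknown parents or pid loops.
        while cur.ppid in live and cur.ppid not in seen:
            cur = live[cur.ppid]
            seen.add(cur.pid)
            chain.append(cur.image)
            if cur.image in SERVICES:
                alerts.append((ev, " <- ".join(chain)))
                break
    return alerts

# Constructed sample events: time, pid, parent pid, image
SAMPLE_EVENTS = """\
09:00:01 600 4 services.exe
09:00:02 1200 600 w3wp.exe
09:14:30 3100 900 explorer.exe
09:14:41 3188 3100 cmd.exe
09:20:07 4420 1200 cmd.exe
09:20:09 4432 4420 conhost.exe
09:21:15 4500 4420 powershell.exe
""".splitlines()

if __name__ == "__main__":
    for ev, chain in find_service_spawned_shells(SAMPLE_EVENTS):
        print(f"{ev.ts} pid={ev.pid} ALERT {chain}")
```

The shell started from explorer.exe is ordinary interactive use and is not reported; the two shells that trace back to the web server worker are.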
Meterpreter
The Meterpreter is designed to overcome these limitations and provide APIs that would enable the
attacker to code various post-exploitation attacks that would run on the Meterpreter shell
The Meterpreter shell is essentially an attack platform that gets injected into the memory of the running
process. Thus it avoids detection by HIDS as well as bypasses the limitations of the operating system's
native command shell
Moreover, it provides APIs with which various actions can be carried out without significantly altering the
system state
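Added example (not part of the original lecture notes): code injected into a running process usually sits in executable memory that no file on disk backs, so memory inspection can see what process-list monitoring cannot. The sketch below applies that common heuristic to a constructed Linux /proc/<pid>/maps listing; the Linux format is an assumption, and JIT runtimes legitimately create such regions too.

```python
# Kernel-provided executable regions that are expected in every process.
KERNEL_REGIONS = {"[vdso]", "[vsyscall]"}

def parse_maps_line(line):
    """Split one /proc/<pid>/maps line into (start, size, perms, path)."""
    parts = line.split(None, 5)
    addr, perms = parts[0], parts[1]
    path = parts[5].strip() if len(parts) > 5 else ""
    start, end = (int(x, 16) for x in addr.split("-"))
    return start, end - start, perms, path

def unbacked_executable_regions(maps_text):
    """Return executable regions that are not backed by a file on disk."""
    hits = []
    for line in maps_text.splitlines():
        if not line.strip():
            continue
        start, size, perms, path = parse_maps_line(line)
        if "x" not in perms or path in KERNEL_REGIONS:
            continue
        # A deleted backing file is treated the same as no backing file.
        file_backed = path.startswith("/") and not path.endswith("(deleted)")
        if not file_backed:
            hits.append((hex(start), size, perms, path or "<anonymous>"))
    return hits

# Constructed sample listing (addresses, inodes and paths are made up).
SAMPLE_MAPS = """\
55d0c4a00000-55d0c4a1c000 r-xp 00000000 08:01 131090 /usr/sbin/exampled
55d0c5e00000-55d0c5e21000 rw-p 00000000 00:00 0 [heap]
7f3a10000000-7f3a10040000 rwxp 00000000 00:00 0
7f3a1c200000-7f3a1c3b5000 r-xp 00000000 08:01 262200 /usr/lib/libc.so.6
7f3a1c800000-7f3a1c802000 r-xp 00000000 00:00 0
7ffd0b1e0000-7ffd0b201000 rw-p 00000000 00:00 0 [stack]
7ffd0b3f6000-7ffd0b3f8000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for start, size, perms, path in unbacked_executable_regions(SAMPLE_MAPS):
        print(f"{start} {size:>8} bytes {perms} {path}")
```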
Java_Rhino
This Java malware uses social engineering methods to lure users into performing certain actions that
may, directly or indirectly, cause malicious routines to be performed. Specifically, this malware arrives
through an email campaign that makes use of Pro-Tibetan sentiments as a social engineering ploy.
Once it successfully exploits a certain vulnerability, it drops and executes other malware on the affected
system. The dropped file varies depending on the affected computer's operating system.
As a result, malicious routines of the said files are exhibited on the affected system.
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly
by users when visiting malicious sites.