Penetration testing - methods. Penetration testing, social engineering testing

Penetration testing (jargon: pentest) is a method for assessing the security of computer systems or networks by simulating an attack by an intruder. The process includes active analysis of the system for potential vulnerabilities that could cause the target system to malfunction or lead to a complete denial of service. The analysis is carried out from the perspective of a potential attacker and may include active exploitation of the vulnerabilities found.

Test objects can be either individual information systems, for example a CMS (content management system), a CRM (customer relationship management system) or an Internet client-bank, or the entire infrastructure as a whole: the network perimeter, wireless networks, the internal or corporate network, as well as the external perimeter.

The task of penetration testing is to search for all known software vulnerabilities, weaknesses in the password policy, and shortcomings and subtleties in the information security configuration. During such a test, a specialist tester stages a pseudo-attack on the corporate network, reproducing the actions of real intruders or an attack carried out by malicious software without the direct participation of the tester. The purpose of these tests is to identify weaknesses in the protection of the corporate network against such attacks and to eliminate the vulnerabilities found in the course of the pseudo-attacks.

Penetration testing is usually divided into BlackBox, WhiteBox and GreyBox:

BlackBox - "black box". The specialist has only publicly available information about the object of study, its network and parameters. This option is as close as possible to a real attack. As initial data for testing, the contractor is given only the name of the company or its website; all other information, such as the IP addresses used by the company, its websites, and the Internet exit points of the company's offices and branches, the contractor has to find out himself.

WhiteBox - the complete opposite of BlackBox. In this case the specialist is provided with the maximum information he needs, up to administrative access to any server. This method allows the most complete study of the vulnerability of the object. With WhiteBox, the performer does not have to spend time collecting information, drawing up a network map and other preparatory actions before testing begins, and the testing time itself is reduced, because some of the checks simply do not have to be done. The advantage of this method is a more complete and comprehensive approach to the research. The downside is that it is less close to the situation of a real attack by an intruder.

GreyBox - a middle option between WhiteBox and BlackBox: the performer acts as in the BlackBox option and periodically requests information about the system under test in order to shorten the research time or direct his efforts more effectively. This option is the most popular, as it allows testing to be conducted without spending too much time on collecting information, devoting more time to searching for vulnerabilities, while remaining quite close to the real situation of an attacker's actions.

1. FEATURES OF PENETRATION TESTING OF A REMOTE COMPUTER SYSTEM

Any objective and complete penetration test has a number of features and should be performed taking into account the recommendations and rules below.

The rules and framework for penetration testing of information systems are given in the OSSTMM and OWASP methodologies. Subsequently, the data obtained can easily be adapted to a conformity assessment against any industry standards and "world best practices", such as COBIT, the ISO/IEC 2700x series of standards, CIS, SANS and NIST recommendations, and the PCI DSS standard.

Technological data alone is not sufficient to carry out such an assessment in full. A full assessment requires interviewing employees of various divisions of the assessed company, analyzing administrative documents, various information technology (IT) and information security (IS) processes, and much more.

Penetration testing for the Payment Card Industry Data Security Standard (PCI DSS) does not differ much from conventional testing using OSSTMM and OWASP. Moreover, the PCI DSS standard recommends adhering to the OWASP rules when conducting both a penetration test (ASV) and an audit (QSA).

The main differences between PCI DSS testing and penetration testing in the broadest sense of the word are as follows:

  • The standard does not regulate (and therefore does not require) attacks using social engineering.
  • All checks performed should minimize the threat of denial of service (DoS). Consequently, the testing should be carried out by the "grey box" method, with mandatory warning of the administrators of the corresponding systems.
  • The main purpose of such testing is to attempt unauthorized access to payment card data (PAN, Cardholder Name, etc.).

The GreyBox method makes it possible to reduce the risk of denial of service when carrying out such work on information resources operating in 24/7 mode.

In general, PCI penetration testing must meet the following criteria:

  • Clause 11.1(b) - analysis of the security of wireless networks
  • Clause 11.2 - scanning the information network for vulnerabilities (ASV)
  • Clause 11.3.1 - network-layer penetration tests
  • Clause 11.3.2 - application-layer penetration tests

Determining the boundaries of the research. First of all, it is necessary to identify the boundaries of the penetration test and to define and agree on the sequence of actions to be performed. In the best case, the information security department can provide a network map that schematically shows how the processing center interacts with the general infrastructure. In the worst case, you will have to communicate with a system administrator who knows his own shortcomings, and obtaining comprehensive data about the information system will be hampered by his unwillingness to share his IP addressing data. One way or another, in order to conduct a PCI DSS penetration test, you need to obtain at least the following information:

  • network segmentation (user, technological, DMZ, processing, etc.);
  • firewalling at subnet boundaries (ACLs, firewall rules);
  • web applications and DBMS used (both test and production);
  • wireless networks used;
  • any security details that must be taken into account during the survey (for example, account lockout after N failed authentication attempts), infrastructure features and general wishes regarding the testing.

2. STAGES OF PENETRATION TESTING

Let us consider the possible stages of penetration testing. Depending on the information available (BlackBox / WhiteBox / GreyBox), the sequence of actions may differ: data collection, network scanning, hacking the system, malicious software, social engineering.

2.1 Data collection.

Collection of data from open sources of information. Open sources are sources of information that can be accessed lawfully. The search for the necessary information in open sources has been adopted by many civil and military structures working in the field of intelligence and industrial espionage.

Access to the necessary information on the Internet can be obtained in various ways: by following hyperlinks, by searching various directories (sites, blogs, etc.), or by reviewing search results. For certain purposes, one cannot do without searching specialized databases.

Useful information is also provided by internal site URLs, e-mail addresses, phone and fax numbers, DNS servers, the IP address range, and routing information.

With the development of the Internet, WHOIS services have become widespread. WHOIS (from the English "who is") is a network protocol based on TCP. Its main purpose is to obtain information about the "registrant" (domain owner) and the "registrar" (the organization that registered the domain), the DNS server names, and the registration and expiration dates. IP address records are grouped by ranges (for example, 8.8.8.0 - 8.8.8.255) and contain information about the organization to which the range has been delegated.

2.2 Network Scanning.

Network scanning can be divided into the following components:

1. Scanning a range of IP addresses to identify "live" hosts
2. Port scanning
3. Discovery of services and their versions
4. Scanning to determine the OS
5. Vulnerability scanning

1. Scanning a range of IP addresses.

The fundamental task when exploring any network is to reduce the set of IP ranges to a list of active hosts. Scanning every port of every IP address is slow and unnecessary. Which hosts are of interest is largely determined by the purpose of the scan. While an administrator's task of discovering running hosts on the network can be satisfied with a regular ICMP ping, those who are testing the network's ability to resist attacks from the outside need to use a variety of request types to bypass the firewall.

The host discovery task is sometimes called a ping scan, but it goes far beyond the ICMP echo requests associated with the ubiquitous ping utilities. It is preferable to scan the network using arbitrary combinations of multi-port TCP SYN/ACK, UDP and ICMP probes. The purpose of all these requests is to receive responses indicating that the IP address is currently active (in use by a host or network device). On most networks, only a small percentage of IP addresses are active at any given time. This is especially true for address spaces such as 10.0.0.0/8. Such networks have 16 million IP addresses, but they are sometimes used by companies with no more than a thousand machines. Host discovery can find these machines in this vast sea of IP addresses.

2. Port scanning.

There are many different port scanning techniques, and you can choose the one that suits your particular task (or a combination of several). Let us consider the most popular scanning techniques:

TCP SYN scan
The SYN scan is the default and most popular scan type. It can be launched quickly, it is capable of scanning thousands of ports per second on fast connections, and it is not hampered by restrictive firewalls.

Different types of UDP scan
While most services on the Internet use the TCP protocol, UDP services are also widespread. The three most popular are DNS, SNMP and DHCP (ports 53, 161/162 and 67/68). Because UDP scanning is generally slower and more complex than TCP scanning, many security professionals ignore these ports. This is a mistake, because there are UDP services that are used by attackers.

TCP NULL, FIN and Xmas scans
These three types of scan exploit a subtle loophole in the TCP RFC to distinguish between open and closed ports.

TCP ACK scan
This type of scan differs from all the others in that it cannot detect an open port. It is used to identify firewall rules, to determine whether they are stateful or not, and to determine which ports they filter.
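The scan types described above have a defender's mirror image: one source touching many ports, or many hosts, within a short time. The following added example (not from the original article) applies that heuristic to constructed firewall-style log lines and labels the pattern by the flags and protocol seen; the log format, thresholds and addresses are assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Thresholds and window are assumptions for this example, not values from the article.
PORT_THRESHOLD = 10          # distinct (host, port) targets from one source
HOST_THRESHOLD = 5           # distinct hosts probed by one source
WINDOW = timedelta(seconds=60)


@dataclass
class SourceActivity:
    """What one source address did inside the current time window."""
    first: datetime
    last: datetime
    targets: Set[tuple] = field(default_factory=set)   # (dst, port) pairs
    hosts: Set[str] = field(default_factory=set)
    flags: Set[str] = field(default_factory=set)       # TCP flags seen
    protos: Set[str] = field(default_factory=set)


def parse_line(line: str):
    """Parse '<ISO time> <proto> <src> -> <dst>:<port> <flags>' (assumed format).

    ICMP lines carry '-' as port and flags.
    """
    ts, proto, src, _arrow, dst_port, flags = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), proto, src, dst, port, flags


def detect_scans(log_text: str) -> Dict[str, List[str]]:
    """Return {source_ip: [findings]} for sources whose behaviour matches a scan.

    A source's window restarts when a line falls more than WINDOW after the
    window's first line; earlier activity of that source is then discarded.
    """
    activity: Dict[str, SourceActivity] = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, proto, src, dst, port, flags = parse_line(raw)
        act = activity.get(src)
        if act is None or ts - act.first > WINDOW:
            act = SourceActivity(first=ts, last=ts)
            activity[src] = act
        act.last = ts
        act.hosts.add(dst)
        act.protos.add(proto)
        if port != "-":
            act.targets.add((dst, port))
        if flags != "-":
            act.flags.add(flags)

    findings: Dict[str, List[str]] = {}
    for src, act in activity.items():
        notes: List[str] = []
        if len(act.targets) >= PORT_THRESHOLD:
            if act.protos == {"UDP"}:
                notes.append("UDP port scan")
            elif act.flags == {"ACK"}:
                # ACK probes cannot find open ports; they map firewall rules
                notes.append("ACK scan (firewall rule probing)")
            elif act.flags == {"SYN"}:
                notes.append("TCP SYN scan")
            elif act.flags and act.flags <= {"FIN", "NULL", "FIN|PSH|URG"}:
                notes.append("FIN/NULL/Xmas scan")
            else:
                notes.append("mixed port scan")
        if len(act.hosts) >= HOST_THRESHOLD:
            notes.append("host discovery sweep")
        if notes:
            findings[src] = notes
    return findings


def constructed_log() -> str:
    """Constructed sample traffic for the demo (not a real capture)."""
    lines = []
    # 198.51.100.7: SYN probes to 12 ports on one host within 12 seconds
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389]):
        lines.append(f"2024-01-01T10:00:{i:02d} TCP 198.51.100.7 -> 192.0.2.10:{port} SYN")
    # 198.51.100.9: ACK probes to 10 ports (mapping which ports the firewall filters)
    for i, port in enumerate(range(8000, 8010)):
        lines.append(f"2024-01-01T10:05:{i:02d} TCP 198.51.100.9 -> 192.0.2.10:{port} ACK")
    # 203.0.113.4: ICMP echo to 6 different hosts (ping sweep)
    for i in range(6):
        lines.append(f"2024-01-01T10:10:{i:02d} ICMP 203.0.113.4 -> 192.0.2.{10 + i}:- -")
    # 192.0.2.50: an ordinary client, two connections to the web server
    lines.append("2024-01-01T10:15:00 TCP 192.0.2.50 -> 192.0.2.10:443 SYN")
    lines.append("2024-01-01T10:15:30 TCP 192.0.2.50 -> 192.0.2.10:443 SYN")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, notes in detect_scans(constructed_log()).items():
        print(src, "->", ", ".join(notes))
```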

3. Discovery of services and their versions.

Scanning a remote system may reveal that ports 25/tcp, 80/tcp and 53/udp are open. From this information one can infer that these ports most likely correspond to a mail server (SMTP), a web server (HTTP) and a domain name server (DNS), respectively. This inference is usually correct, because the vast majority of services using TCP port 25 really are mail servers. However, you should not rely entirely on it: people can and do run services on non-standard ports.

After any TCP and/or UDP ports have been detected, they are identified in order to determine which applications (services) are using them. By using a database of probes for various services and corresponding match expressions for recognizing and parsing the responses, it is possible to determine the service protocol (e.g. FTP, SSH, Telnet, HTTP), the application name (e.g. ISC BIND, Apache httpd, Solaris telnetd), the version number, the hostname, the device type (e.g. printer, router), the OS family (e.g. Windows, Linux) and sometimes various details such as whether it is possible to connect to the X server, the SSH protocol version, or a username.

4. Scanning to determine the OS.

It is possible to determine the OS of a remote system by analyzing its TCP/IP stack. A series of TCP and UDP packets is sent to the remote host and almost every bit of the responses is examined. After performing many tests, such as TCP ISN sampling, TCP option support, IP ID sampling and analysis of the duration of the initialization procedure, the results are compared with a database of known typical results for different operating systems and, if a match is found, a conclusion can be drawn about the installed OS.

5. Scanning for vulnerabilities.

Vulnerability scanning is a fully or partially automated process of collecting information about a node of an information network (personal computers, servers, telecommunications equipment): its availability, the network services and applications running on it and their identification, and the ports used by these services and applications, in order to determine existing or possible vulnerabilities.

2.3 Hacking the system.

The success of applying one or another hacking technique in practice largely depends on the architecture and configuration of the specific operating system that is the object of the attack.

However, there are approaches that can be applied to almost any operating system:

  1. Stealing a password.
  2. Observing the user while he enters the password that grants the right to work with the operating system.
  3. Retrieving a password from a file in which the user saved it.
  4. Searching for a password that users often write down on paper.
  5. Theft of an external storage device holding password information (a floppy disk or electronic key that stores the user's password for entering the operating system).
  6. Exhaustive enumeration of all possible passwords.
  7. Password guessing based on the frequency of characters and bigrams, using personal dictionaries and the most frequently used passwords.
  8. Scanning computer hard drives.
  9. Garbage collection.
  10. Exceeding authority (by exploiting errors in software or in the administration of the operating system, the researcher obtains privileges exceeding those granted to him by the current security policy).
  11. Running a program on behalf of a user with the necessary privileges, or as a system program (driver, service, daemon, etc.).
  12. Substitution of a dynamically loaded library used by system programs, or changing the environment variables that describe the path to such libraries.
  13. Modification of the code or data of the protection subsystem of the operating system itself.
  14. Denial of service (the purpose of this attack is to partially or completely disable the operating system).
  15. Capturing resources (the controlled program seizes all the resources available in the operating system and then enters an endless loop).
  16. Bombardment with requests (the controlled program constantly sends requests to the operating system, the handling of which requires significant computing resources).
  17. Exploiting bugs in software or administration.

2.4 Malicious software.

Very often, malware is used to gain access to an infected system. Usually malware with backdoor functionality is spread through file-sharing resources under the guise of a legitimate program.

Malicious software is software developed to gain unauthorized access to the computing resources of a computer and the data stored on it. Such programs are designed to harm the owner of the information or computer by copying, distorting, deleting or substituting information.

Trojans are malicious programs that perform actions not authorized by the user. Such actions may include:

  1. Deleting data
  2. Blocking data
  3. Changing data
  4. Copying data
  5. Slowing down computers and computer networks

Trojans are classified according to the type of actions they perform on the computer.

  1. Backdoors. The backdoor Trojan provides cybercriminals with the ability to remotely control infected computers. Such programs allow the author to perform any action on the infected computer, including sending, receiving, opening and deleting files, displaying data, and restarting the computer. Backdoor Trojans are often used to combine a group of victim computers into a botnet or zombie network for criminal use.
  2. Exploits. Exploits are programs with data or code that exploit a vulnerability in applications running on a computer.
  3. Rootkits. Rootkits are programs designed to hide certain objects or actions in the system. Often their main purpose is to prevent antivirus software from detecting malicious programs, in order to extend the time these programs run on the infected computer.

2.5 Social engineering.

Social engineering is used in order to get malware onto the attacked information system. Social engineering is a method of unauthorized access to information resources based on the peculiarities of human psychology. The main goal of social engineers is to gain access to secure systems in order to steal information, passwords, credit card data, etc. It is not the machine that is chosen as the object of attack, but its operator. Therefore, all methods and techniques of social engineers rely on exploiting the weaknesses of the human factor.

There are several common attack techniques and types used by social engineers. A common feature of all these methods is deception, intended to force a person to perform some action that is not beneficial to him but is needed by the social engineer. To achieve the desired result, the social engineer uses a number of tactics: impersonating another person, distracting attention, building up psychological pressure, etc. The ultimate goals of the deception can also be quite varied.

Social Engineering Techniques:

  • Pretexting. Pretexting is a set of actions carried out according to a specific, pre-prepared script (pretext).
  • Phishing. Phishing (from the English "fishing") is a type of Internet fraud whose purpose is to gain access to confidential user data - logins and passwords. The purpose of phishing is to obtain confidential information illegally.
  • Quid pro quo. Quid pro quo (Latin, "this for that") - in English the expression is usually used in the sense of "a favor for a favor". Often, the social engineer introduces himself as a technical support employee who reports technical problems at the employee's workplace and offers help in resolving them.

A 2003 study by the Information Security Program found that 90% of office workers were willing to divulge confidential information, such as their passwords, for a service or fee.

  • Trojan horse. A Trojan horse is a malicious program used by cybercriminals to collect, destroy or modify information, disrupt the operation of a computer, or use the user's resources for their own purposes. This technique often exploits the curiosity, or some other emotion, of the target.

Organization of a pseudo-attack.

To organize a pseudo-attack on a computer system, we use the Social Engineering Toolkit (SET) and the Metasploit Framework (MSF). These utilities are included by default in the BackTrack 5 distribution, which is designed for testing the possibility of system and network hacking. We also use two virtual machines with the following operating systems: Windows 7 and BackTrack 5.

Backdoor generation. We will use SET to create a backdoor with a reverse TCP connection, and MSF to create a handler that processes packets from the created backdoor and maintains a communication channel between the potential attacker and the system on which the backdoor is launched.

All actions are performed in console mode on BackTrack 5. The payload is created with the SET utility, item 4 "Create a Payload and Listener".

Create a reverse TCP payload (to establish the reverse connection) by selecting item 2 "Windows Reverse_TCP Meterpreter" and then item 16 "Backdoored Executable". This operation completes the creation of the backdoor. When it is created, the port number through which the reverse connection will take place is also specified. In the folder /pentest/exploits/SET, msf.exe is generated based on the options we selected.

Exploit configuration. The handler is designed to receive TCP connections from the created backdoor. It is configured by launching MSF and choosing the handler exploit (listener): use exploit/multi/handler.

As a result, MSF switches to the context of the handler exploit. The next task is to configure the payload for this exploit. Since the backdoor was created with the Reverse_TCP Meterpreter, information is exchanged over a TCP connection: set payload windows/meterpreter/reverse_tcp. In addition, the Local Host option (the IP address of the potential attacker) must be specified.

Running the handler leads to the Meterpreter context, where the sessions to which you can connect are presented. A session appears after the backdoor is launched on the remote machine, which in practice is sometimes achieved by means of social engineering.

To simulate this process, the backdoor is launched on the second virtual machine. After that, a session on this system becomes available in Meterpreter; that is, our backdoor provides a communication channel, and we gain control over the infected machine.

Penetration testing is a combination of methods that takes into account various system problems, then tests, analyzes and provides solutions. It is based on a structured procedure that performs penetration testing step by step. The seven stages of penetration testing are as follows:

Planning and preparation

Planning and preparation begins with defining goals and objectives for penetration testing.

The client and the tester jointly define the goals so that both parties have the same objectives and understanding. The general objectives of penetration testing are:

  • Determine the vulnerabilities and improve the security of the technical systems.
  • Have IT security confirmed by an external third party.
  • Improve the security of the organizational / human infrastructure.

Reconnaissance

Reconnaissance includes the analysis of preliminary information. Often the tester has little information other than the preliminary data, i.e. an IP address or a block of IP addresses. The tester begins by analyzing the available information and, if necessary, requests additional information from the client, such as system descriptions, network plans, etc. This step is a passive penetration test, of a kind. Its sole purpose is to obtain complete and detailed information about the systems.

Discovery

At this point, the penetration tester will most likely use automated tools to scan the target assets for vulnerabilities. These tools usually have their own databases providing information on the latest vulnerabilities. In particular, the tester performs:

  • Network discovery - for example, discovering additional systems, servers and other devices.
  • Host discovery - determining open ports on these devices.
  • Service interrogation - polling the ports to discover the actual services running on them.

Analysis of information and risks

At this stage, the tester analyzes and evaluates the information collected before the active penetration testing stages. Due to the large number of systems and the size of the infrastructure, this is time-consuming. When analyzing, the tester considers the following elements:

  • Specific objectives of the penetration test.
  • Potential risks to the system.
  • Estimated time required to assess potential security flaws for subsequent active penetration testing.

As a result, from the list of identified systems the tester may choose to test only those that contain potential vulnerabilities.

Active intrusion attempts

This is the most important step and must be performed with due care. This step establishes the extent to which the potential vulnerabilities discovered during the discovery phase pose real risks. It should be performed whenever verification of potential vulnerabilities is required. For systems with very high integrity requirements, the potential vulnerabilities and risks must be carefully considered before critical clean-up procedures are carried out.

Final analysis

This step first reviews all the steps taken (discussed above) up to this point and assesses the vulnerabilities found as potential risks. In addition, the tester recommends how to eliminate the vulnerabilities and risks. Above all, the tester must ensure the transparency of the tests and of the vulnerabilities found.

Report preparation

The preparation of the report should start with the general testing procedures and then move on to the analysis of vulnerabilities and risks. High risks and critical vulnerabilities should be listed first, followed by those of lower order.

When documenting the final report, the following points should be considered:

  • An overview of the penetration test.
  • Details of each step and the information gathered during the pentest.
  • Detailed information about all discovered vulnerabilities and risks.
  • Details of cleaning and securing the systems.
  • Proposals for future security.

70% of sites have high-risk vulnerabilities that lead to resource compromise and data leakage.

A penetration test (abbreviated pentest) is the modeling of a hacker's actions against a site in order to obtain an objective assessment of the current level of information security of the resource under investigation.

Carrying out this work makes it possible to develop an adequate and comprehensive program of measures to increase the security level of a web application, which in turn reduces operational, financial and reputational risks to an acceptable level. In simple terms, this is the final logical step in the development of your site if you are really serious about security.

Why conduct a penetration test?

Penetration testing primarily solves the following tasks:

  • identification of shortcomings in the information security measures applied by the client and assessment of the possibility of their use by an intruder;
  • practical demonstration of the possibility of exploiting vulnerabilities (using the most critical ones as examples);
  • obtaining, on the basis of objective evidence, a comprehensive assessment of the current security level of the web application;
  • development of recommendations for eliminating the identified vulnerabilities and shortcomings in order to increase the security level of the web application.

In most cases, testing is done using the black box method.

With this method, the following intruder model is used: a highly qualified external intruder (skill level: hacker), acting from the Internet, having no privileges and no data about the investigated resource, and carrying out attacks aimed at gaining unauthorized access to the web application. The only information the performer has is the site address.

The penetration test uses generally recognized information security standards and guidelines, such as:

  • OWASP Testing Guide
  • OWASP Top10
  • Web Application Security Consortium (WASC) Threat Classification
  • ISO 17799/27000 series standards

The work can be logically divided into the following stages:

1. Collection and analysis of information
2. Identification of vulnerabilities
3. Implementation of an attack on the web application
4. Analysis and reporting
5. Elimination of vulnerabilities

Collection and analysis of information.

At this stage, the ports of the investigated resource are scanned and the available services and security tools are identified.

Identification of vulnerabilities.

Collection and analysis of information about known vulnerabilities in the detected versions of services and scripts. Identifying ways of exploiting the vulnerabilities and assessing the risks of their exploitation. Testing for the OWASP Top 10 vulnerabilities (https://www.owasp.org). Analyzing and testing the logic of the web application, checking for possible exposure of sensitive data, testing input validation mechanisms (SQL injection, XML injection, XSS, code injection, B/H/S overflows), etc.

Implementation of an attack on a web application.

Checking for the execution of arbitrary code on the server side, obtaining rights to read or write files or the database on the server, access to private information, etc.

Analysis and reporting.

Here the information obtained during testing is brought together and ordered. A report is drawn up that contains: an overview, a report on the detected vulnerabilities, a conclusion on the information security status of the resource under investigation, and a plan to eliminate the identified vulnerabilities.

What should the list of checks and tests look like?

The following groups of tests and checks are used as priority attack vectors whose feasibility is tested against the web application's scenarios:

1. "Abuse of Functionality". Abuse of functionality. Using the functions of a web application in order to bypass access control mechanisms.

2. "Brute Force". Enumeration of passwords using dictionaries of simple and standard passwords.

3. "Directory Indexing" Search directory listing.

4. "Content Spoofing". Substitution of site content. display remote

5. "Credential / Session Prediction". The predicted value of the identifier

session allows you to intercept the sessions of other users. Similar attacks

performed by predicting or guessing a unique identifier

user session.

6. "CrossSite Scripting". Web Application Injection Attack

into the page of malicious code issued by the web system (which will

executed on the user's computer when he opens this page) and

how this code interacts with the attacker's web server.

7. "Cross-Site Request Forgery" (CSRF). An attack on site visitors: the victim's browser is made to send a request to the vulnerable site, and the site trusts it because the browser automatically attaches the session cookie.

8. "HTTP Response Smuggling". Attacks that smuggle a second, attacker-controlled HTTP response past an intermediary (proxy, cache) that delimits responses differently from the browser.

9. "HTTP Response Splitting". Injecting CR/LF characters into a response header (for example through an unvalidated redirect parameter) so that the server emits a second, attacker-controlled response.

10. "HTTP Request Smuggling". Exploiting differences in how a front-end and a back-end server determine request boundaries (Content-Length versus Transfer-Encoding), so that part of one request is processed as the start of the next.

11. "HTTP Request Splitting". Injecting CR/LF into a request so that a single request is interpreted as two.

12. "LDAP Injection". Injection of LDAP filter operators into a web application that builds LDAP queries from user input.

13. "Null Byte Injection". Bypassing extension or path filters by inserting a null byte (%00) into a URL or file name: the filter sees the whole string, while the underlying C library stops at the null byte, changing the application's logic and exposing files that should not be served.

14. "OS Commanding". Executing operating-system commands by manipulating application input that is passed to a shell.

15. "Path Traversal". Accessing files, directories and commands located outside the web server's document root, typically with "../" sequences.

16. "Predictable Resource Location". Guessing the paths of hidden files or functionality (backups, admin pages, configuration files) from predictable naming.

17. "Remote File Inclusion" (RFI). Making a server-side script include and execute a file fetched from an attacker-controlled remote location.

18. "Routing Detour". Injecting or hijacking SOAP/WS-Routing intermediaries so that messages are routed through an attacker-controlled node.

19. "Session Fixation". The attacker forces a session identifier he knows onto the user and then uses that identifier once the user has authenticated.

20. "SOAP Array Abuse". Declaring a very large array in a SOAP message so that the server pre-allocates memory for it (denial of service).

21. "SSI Injection". Injecting Server Side Include directives into pages so that the server executes commands when rendering them.

22. "SQL Injection". Injection of arbitrary SQL into a database query.

23. "URL Redirector Abuse". Open redirects (redirection to an unvalidated URL) used for phishing and spam.

24. "XPath Injection". Injection of XPath operators into a web application that builds XPath queries from user input.

25. "XML Attribute Blowup". Denial of service through a single XML element carrying a very large number of attributes, which some parsers process in quadratic time.

26. "XML External Entities" (XXE). Declaring an external entity in submitted XML so that the parser reads a local file or an internal URL.

27. "XML Entity Expansion". Nested entity definitions that expand exponentially when parsed ("billion laughs"), exhausting memory.

28. "XML Injection". Injection of arbitrary XML markup into a request.

29. "XQuery Injection". Injection of arbitrary XQuery code into a query.
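As an added example (not code from the original article), here is a file-serving helper written the way Path Traversal (15) and Null Byte Injection (13) arise, beside a hardened version that decodes the request, rejects NUL bytes and confines the resolved path to the document root. The document root, file names and payloads are constructed for the demonstration.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed document root; it does not need to exist for the path checks to run.
DOC_ROOT = "/srv/www"


def vulnerable_resolve(doc_root: str, user_path: str) -> str:
    """Naive version: one percent-decode, then plain concatenation.
    '../../etc/passwd' walks out of doc_root; 'page.html%00.jpg' passes an
    extension check while a C-backed open() stops at the NUL byte."""
    return os.path.join(doc_root, unquote(user_path))


def safe_resolve(doc_root: str, user_path: str) -> Optional[str]:
    """Return an absolute path inside doc_root, or None if the request is rejected."""
    # Decode repeatedly (bounded) so double-encoded '%252e%252e' is seen as '..'.
    decoded = user_path
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    # Reject embedded NUL: Python raises on it, but C-backed libraries truncate.
    if "\x00" in decoded:
        return None
    root = os.path.realpath(doc_root)
    # Strip leading separators so join() cannot replace the root with an absolute path.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/\\")))
    # commonpath, not startswith: '/srv/www2' must not pass as inside '/srv/www'.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


# Constructed payloads covering the cases the two attack classes rely on.
PAYLOADS = (
    "index.html",                       # legitimate
    "../../etc/passwd",                 # plain traversal
    "..%2f..%2fetc%2fpasswd",           # encoded separators
    "%252e%252e/%252e%252e/etc/passwd", # double encoding
    "page.html%00.jpg",                 # null byte
    "/etc/passwd",                      # absolute path
    "../www2/secret",                   # sibling directory with the root as prefix
)


def demo(doc_root: str = DOC_ROOT) -> dict:
    """Run every payload through the hardened resolver; None means rejected."""
    return {p: safe_resolve(doc_root, p) for p in PAYLOADS}


if __name__ == "__main__":
    for payload, result in demo().items():
        print(f"{payload!r:40} -> {result}")
```

Note that the absolute-path payload is not rejected but neutralized: it is served from inside the root, which is the behavior you want for a static file handler.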

What should the report look like?

The report should open with an introduction describing the method of work, the object of the audit, the scope of testing and the security analysis tools that were used. Each vulnerability discovered during testing is assigned a degree of risk: high, medium or low.

The classification of vulnerabilities should be described in the report. For example, a vulnerability is assigned a high degree of risk if its exploitation can lead to data compromise, loss of server or service availability, arbitrary code execution or data manipulation. This also covers denial of service, weak or default passwords, lack of encryption, and access to arbitrary files or confidential data.

The Common Vulnerability Scoring System (CVSSv2), MITRE's CAPEC and the OWASP classifications are used to describe the degree of risk and assess the severity of the detected vulnerabilities. All vulnerabilities should also be classified by the complexity of their exploitation and detection.

An example of a vulnerability:

Unrestricted upload

A potential attacker could bypass the file extension check script, upload a web shell, gain control over the application and obtain access to the server.

Exploitation complexity: low.

Type: remote.

Impact (CVSSv2, business impact): 10 points.

CWE-434: Unrestricted Upload of File with Dangerous Type

OWASP: Unrestricted File Upload
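As an added example (not from the original article or any specific product), here is an extension check of the kind the finding above describes, bypassable as written, beside a hardened version that allowlists extensions, checks the file's leading bytes and discards the client's file name. The sample uploads are constructed.

```python
import os
import secrets
from typing import Optional

# Vulnerable check: a case-sensitive blocklist applied to the client's file name.
_BLOCKED = (".php",)


def vulnerable_accept(filename: str) -> bool:
    """Accepts 'shell.phtml', 'shell.PHP' and 'shell.php.jpg' (run as PHP by a
    server configured to honor every extension in the name), and
    'shell.php%00.jpg' on runtimes that stop reading the name at the NUL byte."""
    return not filename.endswith(_BLOCKED)


# Hardened check: allowlist of extensions, each tied to the magic bytes the
# content must start with.
_ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}


def hardened_accept(filename: str, content: bytes) -> Optional[str]:
    """Return the server-chosen storage name, or None if the upload is rejected.

    Store the file outside the web root and serve it with
    'Content-Disposition: attachment'; the returned name carries no
    client-controlled bytes."""
    base = os.path.basename(filename)
    # Exactly one dot: rejects NUL tricks and double extensions such as 'x.php.jpg'
    # (a policy choice; names like 'my.photo.jpg' are rejected too).
    if "\x00" in base or base.count(".") != 1:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    magic = _ALLOWED.get(ext)
    if magic is None or not content.startswith(magic):
        return None
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample uploads.
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PHP_BYTES = b"<?php echo 'x'; ?>"

if __name__ == "__main__":
    for name in ("shell.php", "shell.phtml", "shell.PHP", "shell.php.jpg"):
        print(f"vulnerable_accept({name!r}) = {vulnerable_accept(name)}")
    print("hardened:", hardened_accept("photo.JPG", JPEG_BYTES),
          hardened_accept("shell.phtml", PHP_BYTES))
```

The magic-byte check is not a substitute for the allowlist (a polyglot file can start with a valid JPEG header and still contain PHP), which is why the stored file must also never be reachable through a path the server will execute.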

Is it necessary?

Everyone decides for himself whether a penetration test is needed. The tasks it serves are listed at the beginning of the article. If the resource holds critical or valuable data, has high traffic, processes personal data, or simply earns good money, the need for a test is obvious. It is enough to recall the recent FL.ru data leak: http://siliconrus.com/2015/02/fl-hacked.

From experience I can say that any site of some interest to an attacker gets broken into. Sometimes hacking happens simply out of curiosity or to promote political ideas (http://ru.wikipedia.org/?oldid=65240870). This month there were many defacements (replacement of the content of the main page) by the Islamic State; the sites displayed prayers and various images, scaring off customers.

Every business owner, IT specialist and ordinary computer user has faced cyber threats at least once. They are gaining strength and the ability to cause enormous damage not only to business but also to the state.

Among hackers, there are two categories:

White hat hackers work to ensure security and counter illegal intrusions.

Black hat hackers break the law, steal personal data and empty bank accounts.

Our team will conduct vulnerability tests on your corporate office network, your websites and your applications. Using social engineering, we can also identify the most weakly protected departments in your company and issue recommendations for strengthening protection.

What is included in Pentesting (Security Test)?

Company security testing may include:
  • External network and perimeter analysis
  • Pentest (penetration test)
  • Internal network testing
  • Vulnerability search and exploitation
  • Social engineering
  • Testing company websites
  • Testing of mobile applications of the company
  • Test report and recommendations

The exact list of tests is determined at the negotiation stage, after studying the client's needs.

Penetration testing cost

External testing of the corporate network

Price on request

Penetration testing

Price on request

Testing web and mobile applications

Price on request

Social engineering

Price on request

Turnkey security test

Price on request

Cybercrime investigation

Price on request


IMPORTANT

"Unfortunately, most often companies start to think about information security when they have already suffered. Hackers do not care about the size of your company and its turnover, they care about the number of hacked companies."

Protect your company from cyber threats!

So what is a pentest?

Testing is a search, and penetration testing is one of the deepest and most effective kinds of search: it looks for the maximum number of points and areas, with varying degrees of weakness, through which third-party resources and users could penetrate. Such intrusions can be carried out both maliciously and indirectly, in order to plant or obtain certain data.

The technique can be carried out on its own or be included in regular or one-off testing programs, in order to build effective protective measures against the widest range of third-party attacks and intrusions.

Causes of system vulnerability

A loss of security can arise at different stages of a system's life, but in every case it comes down to factors such as:

  • design errors,

  • incorrect setup: choosing a poorly matched configuration of the software and equipment that make up the system,

  • flaws in the protection of the network gateway. The better protected the network connection, the lower the likelihood of harmful effects reaching the system,

  • the human factor: a malicious or unintentional error in the design, use or maintenance of the network, whether by an individual or a team,

  • the communication component: unprotected transmission of confidential data,

  • unjustified system complexity. It is always easier to keep control over the security of a system than to trace the channels through which data leaks from it, and both are much easier in simple, functional systems than in complex ones,

  • lack of knowledge: insufficient professional training in security matters among the specialists who directly or indirectly work with the system.

Penetration testing differs from vulnerability assessment

The two share a purpose, namely finding weaknesses and arriving at the most secure product, but they work in different ways.

Penetration testing is carried out as real-world probing, performed both manually and with highly specialized systems and tools. It emulates malicious activity against the system in order to identify exploitable weaknesses.

Vulnerability assessment works by carefully examining the system and its workflows to identify possible holes through which data could escape under attacks of particular types. It locates the areas that are vulnerable to hacking and thereby determines the overall security level of the system under test; the identified weaknesses are then corrected and eliminated.

So vulnerability assessment is an established, systematic workflow, while penetration testing works "on the spot" with the single goal of achieving maximum impact on the system in order to expose gaps in its protection.

What is it for

It allows you to find and fix gaps in the security of the software you use yourself. This is proactive work to prevent hostile external influence, regardless of its goals and level of sophistication, and it helps build a competent defense against expected, and not only already existing, threats from outside.

Such monitoring allows you to:

  • find weaknesses and vulnerabilities in the system before they are exposed to outside attack and become a channel for data leakage. It complements, rather than replaces, regular updates: updates applied blindly can affect the compatibility and speed of a previously debugged system, whereas test results show which fixes actually matter, so that they can be planned. A controlled update is better than an uncontrolled one;

  • evaluate the security tooling already deployed. Developers get a realistic assessment of their competence and of their compliance with applicable security standards. In addition, penetration testing identifies business risks and the other components of protection that may be weakened in the trade-offs between the software already in use and newly introduced components. It makes it possible to structure and prioritize the detected risks, reducing or eliminating them and the negative impact of possible threats;

  • identify risks and thereby improve the current security standards.

Monitoring process

Penetration testing today can be carried out in many ways, but the main and most preferred ones are the following.

Manual testing is carried out according to the following algorithm:

  • planning: careful collection of data, taking into account the needs, scope and goals of the forthcoming monitoring and the level of existing protection. Specific areas whose protection is to be checked, the type of desired or planned impact, and other requirements for the work can also be specified here,

  • reconnaissance: searching for and accumulating data on the system and on the third-party protective mechanisms used with it, which is needed for targeted, specially prepared attacks on particular components or on the whole system. The aim is to make testing as effective as possible. Reconnaissance is of two types, passive and active: the first is carried out without actively touching the system, the second is its complete opposite,

  • analysis of the findings. This stage identifies the most vulnerable spots, which will be used for further aggressive penetration into the system,

  • exploitation. Based on the identified places of "easy penetration", a prepared attack is carried out against the software, in the form of both external and internal attacks. External attacks simulate threats to the system from outside: direct attacks on it and targeted attempts at unauthorized access to protected data. Internal attacks are the second stage, which begins after successful penetration from outside. Their further goals are wide and varied; the chief one is to compromise the system that has been penetrated,

  • post-exploitation results. These make it possible to identify what each identified threat can achieve and to determine its potential effect on the business processes of the system as a whole and of its individual components,

  • conclusion: the documentation of the work carried out and the results obtained, with a description of the potential threats and of the degree of their negative impact if their goals are achieved.

  • Testing with automated tools is not only an effective but a highly rewarding way to apply highly specialized tools. It is convenient, takes minimal time, and its effectiveness allows you to draw "crystal clear" conclusions about the work done.

The list of the most popular tools includes Nessus, Metasploit, Nmap, OpenSSL, Wireshark and w3af. Purpose-built Linux distributions bundle many more interesting and functional tools.

For the work, choose tools that meet specific requirements, for example:

  • practicality of launch, use and further maintenance,

  • ease of scanning,

  • the level of automation when vulnerabilities are detected,

  • how easily previously discovered areas that are weak against external attack can be re-tested,

  • how well detailed and simple reports on the work performed and the results obtained can be produced.

Combination of the above techniques. This is the best method of penetration testing, because it combines the advantages of both methods and becomes as fast and detailed as possible.

Varieties of penetration tests

The division is made according to the tools used and the objects monitored:

  • social, or human: the target is people who can obtain the necessary information, remotely or locally, and process it,

  • application: used to identify security flaws in software. Several variants of web applications, the specialized services of the system under test, or third-party sources are examined,

  • network: identifies the possibilities of unauthorized hacker access or penetration by an unauthorized user,

  • client side: special applications installed at the site or within the client application are used in the work,

  • remote access: testing of a VPN or a similar facility that is meant to provide legitimate access to the system,

  • wireless: tests wireless applications, services and their tooling.

Monitoring methods are also classified by the approach taken, which distinguishes:

  • white box, where the tester has access to data on the functions and tools of the system under test. This makes the work as efficient and productive as possible, because possessing such information lets him understand the subtleties and features of the system and therefore test it with maximum depth,

  • black box, which gives access only to basic or high-level information about the system. The tester feels more like a hacker than an employee working from inside the system. The high labor intensity of this method requires time, thorough knowledge and experience, so there is a high probability of gaps or incomplete testing,

  • gray box, with limited access to information about the system, sufficient to imitate an external attack.

Penetration testing limitations

There are many restrictions on the scope of such work, but the main ones are:

  • a short time window combined with the high initial cost of the procedure,

  • a limit on the number of tests per unit of time,

  • the possibility of accidentally disrupting the tested system (an unintended denial of service),

  • the high sensitivity of the data obtained during the test, which must itself be protected.

Conclusion

Modern hackers have a constantly updated set of programs and effective tools for carrying out attacks, so they often end up inside systems of interest to them with the direct intention of compromising the network or using its resources. Here penetration testing is the most effective tool for detecting vulnerabilities in any protection system, and it allows you to minimize the potential of external threats to the software as a whole.


The last couple of years have been rich in events that have sharply increased public interest in hacker attacks: the scandal over the hacking of the US Democratic Party's systems; the disabling of Ukraine's energy infrastructure and of the systems of its Ministry of Finance and Treasury; ransomware that not only encrypts files but also blocks the operation of industrial and medical equipment; Mirai, a giant botnet made of household devices that cut half of the United States and Liberia off from the Internet; criminals emptying banks on a mass scale, like wolves among defenseless sheep... Even SWIFT is under attack! Hackers from geek movies have become part of the reality of billions of people.

It is only natural that business today invests primarily in practical security, as opposed to formal compliance with regulatory requirements at minimal cost. And it is just as natural for it to want to check how effectively the security system it has built protects against the sharks of the network.

This time we decided to focus exclusively on the practical aspects of information security (IS) associated with computer attacks and direct protection against them. Hacking performed by "white hats", that is, specialists who legally imitate the actions of intruders, is called a penetration test (pentest). The term covers several areas of security research at once, and each of them has its own narrow specialists. In this article we will look at what a penetration test is, why it is needed, and where the border lies between a hacker attack and penetration testing.

A pentest is in essence one type of information security audit, and this is its main difference from a real hack. The hacker looks for the shortest path to control of the victim's systems: if a hole is found on the perimeter, the attacker concentrates on gaining a foothold and developing the attack inward. The pentester who has been commissioned to do external network testing must scrupulously examine host after host, even if a whole bunch of holes has already been found. If the hosts are of the same type (for example, 1000 identical workstations) the researcher can of course take a control sample, but skipping fundamentally different systems is unacceptable. This is probably the easiest way for a customer to recognize a low-quality penetration test.

A pentest is not a substitute for a full-fledged IS audit. It has a narrowly focused view of the systems under study; in essence it deals with the consequences, not the causes, of information security shortcomings. Why hold it at all? When industry releases a new model of military equipment, engineers carefully calculate the properties of the armor and the characteristics of the weapons, but at acceptance the equipment is still rolled out to the range, fired at, blown up, and so on. Experiment is the criterion of truth. The penetration test lets us understand whether our information security processes are as good as we think, whether the security systems are reliable, whether the servers are configured correctly, and whether we understand the path a real hacker will take. One might therefore get the impression that penetration testing is needed by companies that have already invested heavily in information security. In theory this is true, but in practice it is often very different.

I came up with the following pentest formula: pentest = research + reporting + show.

Research is the most obvious part of a pentest. Just like in the movies: strange guys in hoodies smash IT defenses at night. In reality everything is often more prosaic, but this image allows pentesters not to comply with the corporate dress code.

Reporting is usually not the pentesters' favorite part of the job, but it is critically important. The customer should receive a detailed description of all successful and unsuccessful attempts to penetrate, a clear description of the vulnerabilities and, very importantly, recommendations for their elimination. It is sensible to involve specialized information security specialists in the last part, because knowing how to break something does not mean knowing how to fix it correctly and safely in the reality of a corporate IT infrastructure.

And the last component, for the sake of which the whole pentest is often organized, is the show. Such an audit is an order of magnitude more vivid than any other, especially for non-professionals. It is the best way to demonstrate information security flaws to the company's management in a form accessible to non-specialists. A short (couple of pages) executive summary containing a scan of the CEO's passport, the title page of a confidential report and an extract from the client base can do more for information security in the company than the entire 200-page report that follows. That is why pentests are often ordered by companies where nobody really dealt with cybersecurity before, and where business, and often IT, do not understand the seriousness of the existing risks.

Test parameters

Pentests can be classified in a variety of ways. Let's dwell only on those that are of practical value when configuring a pentest for yourself.

The target of the attack set by the customer can differ greatly from one penetration test to another. "Just hack us" usually means taking control of the IT infrastructure (domain administrator rights, network equipment) and compromising business systems and confidential information. There are also narrowly targeted penetration tests. For example, under the PCI DSS card data security certification, the goal of the mandatory annual pentest is to compromise card data. Here the bank's network may be completely captured on the very first day of work, but if the last bastion with the secret data does not fall, the organization passes the test.

The system knowledge model determines the pentester's starting position, from complete information about the system (white box) to its complete absence (black box). An intermediate variant (gray box) is also often distinguished, in which the pentester imitates, say, an unprivileged user who has some data about the system: an ordinary clerk, a partner company, a client with access to a personal account, and so on. White box is more of an audit than a classic penetration test. It is used when security in a narrow area needs to be studied in detail, for example when a new customer portal is being checked. The researcher is given all the information about the system, often including the source code. This allows the system to be examined in detail, but hardly simulates a real attack. Customers of black box pentests want a complete simulation of an attack by a hacker with no insider information about the system.

The knowledge model overlaps strongly with the concept of an intruder model. Who is attacking us: an external hacker, an insider, an administrator? This division is very arbitrary: compromising the workstation of an ordinary user or a contractor instantly turns an external hacker, technically speaking, into an internal intruder.

The level of awareness of the information security staff determines who knows about the work and in how much detail. Often not only the technology but also the personnel are tested, so the work is coordinated by the director of information security or IT, while the administrators believe they are fighting real hackers, if they notice the attack at all. Such cyber exercises assess not only the presence of vulnerabilities in systems but also the maturity of information security processes, the level of interaction between departments, and so on. The exact opposite is imitating an attacker's actions in order to tune the security systems. Here the pentester works in a small area while administrators record the reaction of security tools and IT systems, adjust settings, prepare rules for the SIEM, and so on. For example, a situation is simulated in which a hacker has already penetrated a closed segment: how will he elevate his privileges on the systems? The pentester works through all the attack vectors known to him, one by one, for the most complete tuning of the security systems.

Types of attacks

There are as many classifications of attack types as there are pentesters. Below I give the classification of basic attacks that we use. Of course, the most complete penetration test is an attack in all possible directions, but the limitations of budget, time, scope and the tasks of the pentest force a choice.

External infrastructure penetration test: analysis of the network perimeter from the Internet. The pentester tries to compromise the accessible network services and, if possible, to develop the attack inside the network. Many believe this simulates a real attack aimed at penetrating the company's network from outside. In fact, attackers today overcome the network perimeter in 80-90% of cases using social engineering: there is no need to break the fortress walls when there is a fine tunnel under them. Yet holes are often found here too. For example, we recently did work for a large aircraft plant where, already at the automated analysis stage, the scanner picked up the password for the remote control system of an industrial control system. The negligence of a contractor who forgot to switch off remote access would have let a hacker raise the pressure in the process-fluid pipelines by an order of magnitude, with all the consequences, in the literal and figurative sense.

Such a penetration test is like a dental check-up: it is better to do it regularly so that problems are caught early.

Shadow IT

Often penetration takes place through systems that are out of IT's sight. All the servers on the perimeter were updated, but the IP telephony or the video surveillance system was forgotten, and the hacker is already inside. There is a special term for infrastructure that has dropped out of the administrators' sight: Shadow IT. According to Gartner, by 2020 up to a third of all hacks will take place through Shadow IT, and in our opinion this is a completely realistic estimate.

For example, on the ideally protected perimeter of a bank our pentester once found un-updated call center systems, through which all the main banking systems were completely compromised in two days. It turned out that they were the responsibility not of the IT department but of the telephony operators. In another case the entry point for the penetration test was the receptionists' network, completely isolated from the corporate one. Imagine the customer's surprise when a couple of days later the pentester reported the complete capture of the network. He had hacked an un-updated printer, uploaded a shell to it and gained access to the VLAN used to manage printers; having compromised all of them, he gained access to all the company's office segments.

Internal infrastructure penetration test simulates the actions of an insider or of an infected host inside the network. The network should be designed so that the compromise of individual workstations or servers does not cause the whole defense to collapse. In fact, in more than half of the cases from our practice, going from "access to a network socket" to "domain administrator" takes no more than one business day.

The company's network can be very large, so in some cases the customer should clearly define the target of the attacks for the pentester, for example access to SAP and to financial documents classified "Confidential". This uses the pentester's time more rationally and simulates a real targeted attack.

Web resources are a separate world from the point of view of penetration testing, with a huge range of technologies and specific attacks. Of course, "the web" can mean anything reachable over the network; here we mean the various websites, portals and specific APIs available from the Internet. Practice shows that, on average, analyzing a company's entire network perimeter takes less time than analyzing one website, especially if it has interactive elements, a personal account and the like. This area is booming, primarily because of the development of e-business by banks and the mass move of retail onto the Internet.

The main results of an attack on a web resource are usually the compromise of data in the DBMS and the ability to attack clients (for example, some kind of XSS is found on the website of every second bank). Somewhat less often, compromising a web server lets the attacker penetrate the company's network itself, although if the required data has already been obtained he may not need to.

When analyzing the web it is important to check not just the technical side but also the business logic and the implementation of business functions. To this day you can sometimes get a 99% discount in an online store, or spend someone else's bonus points, by slightly modifying the request in the browser's address bar.

Attacks on the web can also be carried out from inside the network, since the security of internal resources is usually not thought about; but in fact most hackers attack the infrastructure first, since that is the shortest path to domain administrator. The web is taken up when nothing else has helped or when it is necessary to get into isolated network segments.

Interest in DDoS resistance testing has grown noticeably in the last couple of years. Information about major attacks appears in the press constantly, but it does not stop there: in online retail, for example, at peak sales (before the holidays) attacks go on almost continuously. What to do about primitive attacks that exhaust the communication channel or server resources with huge volumes of traffic is generally clear. It is more interesting to study a resource's resistance to application-level attacks: even a single client generating a relatively small number of specific requests to a website can render it unusable. For example, specific queries typed into a site's search box can take the back end down entirely.

Social engineering, that is, exploiting people's inattention, carelessness or lack of training, has become the most popular way of penetrating a company's network today.

Moreover, there is an opinion that there is no defense against it. The term covers a huge number of techniques: fraudulent messages by e-mail, telephone and in-person contact to gain access to premises or systems, flash drives with a malicious payload dropped near the victim's office, and much more.

Wi-Fi attacks are mistakenly lumped in with internal penetration testing. If your smartphone does not pick up the corporate Wi-Fi outside the gate, that does not guarantee that intruders will not be able to reach it: a $100 directional antenna from eBay allowed us to work from more than a kilometer away from the access point. In pentesting, Wi-Fi is not always considered a point of penetration into the network; more often it is used to attack users. For example, before the start of the working day the pentester parks at the enterprise checkpoint and brings up a network with the same name (SSID) as the corporate Wi-Fi. The devices in employees' bags and pockets try to join the familiar network and send... their domain login and password to authenticate to it. The pentester then uses these leaked credentials to access user mail, VPN servers and so on.

Analysis of mobile applications is made easier for an attacker by the fact that they can simply be downloaded from the store and studied in detail in a sandbox, with the source code recovered by decompilation. For ordinary web resources one can only dream of such luxury, which is why this attack vector is so popular today. Mobile clients are now very common, and not only among banks and retail: everyone releases them, and security is the last thing they think about.

Conventionally, the study of a mobile application can be divided into three parts: analysis of the recovered source code for security holes, study of the application in the sandbox, and analysis of how the application interacts with the server (packet contents, the API, vulnerabilities of the server itself). We recently had a case where the back-end API of a mobile banking application worked in such a way that it was possible to construct a request that transferred an arbitrary amount of money from any bank account to any other. And this was not a pre-launch study: the application had long been in production. Many fraud schemes today are also implemented through mobile applications, since anti-fraud is forgotten even more often than information security.
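The 99% discount trick on the web and the mobile-banking transfer above have the same root cause: the server acts on a value the client should never have been allowed to choose. As an added example (not code from the article or from any real application), here are both handlers written the vulnerable way, beside versions that take the price from the server-side catalog and check account ownership before moving money. The catalog, accounts and requests are constructed.

```python
from decimal import Decimal, InvalidOperation
from typing import Any, Dict, Mapping

Account = Dict[str, Any]


class Forbidden(Exception):
    pass


class BadRequest(Exception):
    pass


# Constructed server-side state.
CATALOG: Dict[str, Decimal] = {"sku-1": Decimal("1000.00")}
SESSION_DISCOUNTS: Dict[str, Decimal] = {"sku-1": Decimal("10")}   # percent, granted server-side


def fresh_accounts() -> Dict[str, Account]:
    return {
        "acct-alice": {"owner": "alice", "balance": Decimal("500.00")},
        "acct-bob": {"owner": "bob", "balance": Decimal("100.00")},
    }


def _money(text: str) -> Decimal:
    try:
        return Decimal(text)
    except InvalidOperation:
        raise BadRequest("malformed amount")


# --- vulnerable checkout: price and discount are read from the request body ---
def vulnerable_checkout(request: Mapping[str, str]) -> Decimal:
    price = _money(request["price"])                   # client chooses the price...
    discount = _money(request.get("discount", "0"))    # ...and the discount
    return price * (Decimal(100) - discount) / Decimal(100)


# --- hardened checkout: the client names the item, the server knows the rest ---
def hardened_checkout(request: Mapping[str, str],
                      granted: Mapping[str, Decimal]) -> Decimal:
    sku = request.get("sku")
    if sku not in CATALOG:
        raise BadRequest("unknown item")
    discount = granted.get(sku, Decimal(0))            # promo state held server-side
    return CATALOG[sku] * (Decimal(100) - discount) / Decimal(100)


# --- vulnerable transfer: any caller can name any source account (IDOR) ---
def vulnerable_transfer(request: Mapping[str, str], caller: str,
                        accounts: Dict[str, Account]) -> None:
    src = accounts[request["from"]]                    # 'caller' is never consulted
    dst = accounts[request["to"]]
    amount = _money(request["amount"])
    src["balance"] -= amount
    dst["balance"] += amount


# --- hardened transfer: ownership and amount are checked against server state ---
def hardened_transfer(request: Mapping[str, str], caller: str,
                      accounts: Dict[str, Account]) -> None:
    src = accounts.get(request.get("from", ""))
    dst = accounts.get(request.get("to", ""))
    if src is None or dst is None:
        raise BadRequest("unknown account")
    if src["owner"] != caller:                         # the authorization check the API lacked
        raise Forbidden("not your account")
    amount = _money(request["amount"])
    if amount <= 0 or amount > src["balance"]:         # no negative or overdrawn transfers
        raise BadRequest("invalid amount")
    src["balance"] -= amount
    dst["balance"] += amount


if __name__ == "__main__":
    print(vulnerable_checkout({"sku": "sku-1", "price": "10.00", "discount": "99"}))
    print(hardened_checkout({"sku": "sku-1", "price": "10.00", "discount": "99"}, SESSION_DISCOUNTS))
    a = fresh_accounts()
    vulnerable_transfer({"from": "acct-alice", "to": "acct-bob", "amount": "500.00"}, "mallory", a)
    print(a["acct-alice"]["balance"], a["acct-bob"]["balance"])
```

The hardened handlers deliberately ignore `price` and `discount` even when present in the request, so a client that has been modified to send them gains nothing; the same principle applies to any identifier the server can map back to the authenticated principal.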

It is not entirely correct to treat source code analysis as a penetration test, especially when the customer hands over the source code for review; it is rather a white-box security audit of the application. However, such work is often carried out alongside a pentest to raise the level of vulnerability detection, so it is worth mentioning here. The pentest allows the flaws found by code analysis to be confirmed or refuted (after all, not every security problem is actually exploitable in a particular infrastructure). This significantly reduces the number of false positives that code analysis, especially automated code analysis, is prone to. At the same time, code analysis often finds holes the penetration tester never guessed at.

In our experience, code analysis is most often ordered for mobile applications and web services, as the components most exposed to attack.

A pentest is like a dental check-up: it is better to do it regularly so that problems are caught at an early stage.

Pentest limitations

The main limitations that distinguish a penetration test from a real attack, and that make life harder for white hats, are the criminal code and ethics. For example, a pentester usually cannot attack the systems of the customer's partners, employees' home computers or the infrastructure of telecom operators, and does not use intimidation, threats, blackmail, bribery and the other highly effective criminal techniques of social engineering. That makes the results of a successful penetration within a "clean" pentest all the more convincing. If your pentester breaks the law in the course of the work, think ten times before letting such a person near your key systems.

Finally

Most standards recommend undergoing a pentest, like a medical examination, at least once a year. It is also good to change the specialists who carry out the work periodically, to avoid tunnel vision and to assess security from different angles: any specialist or team develops a specialization to one degree or another.

A pentest costs time, money and stress for the security staff, but it is hard to find a more visual and realistic way to assess the security of an IT infrastructure. In any case, it is better for a contracted specialist to find the hole than a hacker: the former often ends for the information security service with additional funding for security, the latter with a search for a new job.