The history of crime prevention is similar to the history of warfare: first an
offence takes place, and a defence is developed to counter it. The modern-age
bandits are malicious hackers who strategically break into a network and get
away with sensitive data. The worst they can do with your data is sell it to
competitors or even blackmail you over your personal information. The hacking
business has surpassed illegal drug trafficking as a criminal money maker.
Every 4 minutes a network is hacked, and it costs the organization millions to
cover the losses. So instead of spending millions covering losses, organizations
prefer to protect their network by hiring people who penetrate the company
network under a signed contract. These people are called ethical hackers or
pen-testers: they try to gain access to the network without knowing any
usernames or passwords, run various rigorous tests against it and test its
security infrastructure. The techniques and software used to carry out
pen-tests are called pen-tools or penetration tools. The same tools are also
used by hackers to break into systems and networks, so the basic difference
between a pen-tester and a hacker is permission. The pen-tester is permitted to
actually hack into the network (only up to a certain extent), while the hacker
hacks the network without permission and steals information.
Pen-testing is a precautionary exercise that lets the organization know whether
there are vulnerabilities in its security infrastructure, so that they can be
corrected as instructed by the pen-tester. Pen-testing can be categorized as
Black Box testing, where the pen-tester has no knowledge of the system he will
penetrate (a simulation of the real situation, where the hacker works on an
alien system), or White Box penetration testing, where the pen-tester is
provided significant knowledge about the network; in many cases these tests are
done in conjunction with the company's IT team. After the tests are conducted,
a well-documented report is written and presented.
Direct Hit!
Applies To: IT managers
Price: NA
USP: Learn how ethical hacking can alert you on possible security threats
Primary Link: None
Keywords: ethical hacking, penetration testing tools
Benefits of pen-testing
Why do we need to pen-test our network? Who would hack our network, and what
would he get in return? These obvious questions pop up in the minds of many
business owners when probed about security. Small enterprises lack a dedicated
team for the security of their information; where one exists it is more or less
business driven, and its experts, if any, are not well experienced. The goal of
the organization is liquidity, and security is not given much concern. Some
businesses get by with automatic software updates, strong passwords and a
firewall, whereas others need more control. For intruders it is about getting
access to resources in the easiest way possible, and if we go by the records
there has been a sharp increase in security breaches within small enterprises.
The big money is now in stealing personal identification number (PIN)
information together with the associated credit and debit accounts; PIN-based
frauds are directly related to withdrawing cash from a person's account. Small
enterprises may be attacked opportunistically, or they may be randomly selected
from a large population of vulnerable organizations.
Unlike small and medium enterprises, which are largely ignorant about their
security, large enterprises spend significant amounts of capital on their
security and privacy. Since the security of a large enterprise is directly tied
to its reputation, they take great pains to ensure that their networks are safe
and secure. Another reason for large enterprises to protect their network is
growing competition: recently we have seen many large emerging companies that
are ready to go to any length to capture the market. As organizations become
more and more aware they have started budgeting for IT security practices, and
a lot of small and medium businesses are also becoming savvier in their
decisions over IT security concerns. Organizations are constantly striving to
gain customer confidence, and so are spending huge amounts on their security
practices; this is where penetration testing comes into the picture.
We launched a brute force attack using a tool called Cain & Abel to decrypt the encrypted passwords added to the network.
Cain & Abel was used to launch an ARP poisoning and sniffing attack on the target network to fetch passwords.
Cain & Abel retrieving the passwords of duped users on the network; all the passwords and names of the users who were duped on the network are visible.
Pen-test vs vulnerability assessment
A vulnerability assessment probes the system but stops short of compromising
it, while a penetration test may compromise a system as far as the contract
with the company allows. Most organizations carry out vulnerability assessments
instead of penetration tests. A vulnerability assessment is only about
identifying and quantifying the security flaws, while penetration testing is an
active analysis of the system for any weaknesses or flaws and can involve
active exploitation of security vulnerabilities. Security issues are reported
to the owner, and often a technical solution is suggested.
Penetration tools
Many penetration tools exist today and most are freeware; our focus, however,
is on two important categories: VoIP and firewall testing tools.
To test VoIP we selected Cain & Abel, since this tool is developed for
Microsoft operating systems. It is basically a password recovery tool with many
useful utilities such as dictionary attack, cryptanalysis, brute force attack,
ARP poisoning and recovery of Local Security Authority (LSA) secrets. An
important characteristic of Cain and Abel is that it works within an
established LAN; as soon as we move out of the LAN this test is of little use.
We performed some interesting tests with this tool, namely a brute force
attack, ARP poisoning and recovery of the LSA secrets of a local machine. Some
useful and tested features of this tool are:
Protected password recovery: Reveals locally stored passwords of Outlook,
Outlook Express, Outlook Express Identities, Outlook 2002, Internet Explorer and
MSN Explorer.
Brute force attack: The most effective technique for generating password
candidates from every possible combination of characters. It is applied to hash
files generated with the PwDump utility.
LSA Secrets Dumper: Dumps the contents of the Local Security Authority
Secrets.
Sniffer: Captures passwords, hashes and authentication information while they
are transmitted on the network. Includes several filters for
application-specific authentications and routing protocols. The VoIP filter
enables the capture of voice conversations transmitted with the SIP/RTP
protocols, which are later saved as WAV files.
ARP Poisoning Attack: This attack is based on poisoning the ARP cache of the
switch; as is well known, all the traffic in a LAN passes through a switch,
which maintains an ARP (Address Resolution Protocol) cache.
The attack poisons the ARP cache of the switch so that all traffic moves
through the attacker's machine without the user's knowledge. Cain and Abel is
user friendly and its results are 99% accurate. The newest version, v49.35, has
added support for Windows 2008 Server in the APR-RDP sniffing filter. For more
references you can log on to www.oxid.it. A limitation of Cain and Abel is that
you have to get into the network to use it. Another limitation is that since it
is free and created for educational and security purposes, it can also be used
by hackers to hack into your network.
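Because ARP poisoning makes the attacker's MAC answer for another host's IP (typically the gateway's), the defender's side of the test above is to watch the IP-to-MAC bindings seen on the LAN and raise an alert when one changes or when one MAC starts claiming several IPs. The following detector is an added example, not code from the article or from Cain & Abel; the ARP replies it consumes are a constructed sample, and the helper names are assumptions.

```python
"""Detect ARP cache poisoning from a stream of observed ARP replies.

Added illustration, not code from the article or from Cain & Abel. The input
is a constructed list of (sender IP, sender MAC) pairs as a LAN sniffer or a
periodic 'arp -a' collector would report them.
"""
from collections import defaultdict

# Constructed sample: the gateway 192.168.1.1 legitimately lives at ...:01.
# Midway through, a second MAC starts answering for the gateway and for a
# client, which is what an ARP poisoning run looks like on the wire.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.10", "aa:bb:cc:00:00:10"),
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP claimed by a new MAC
    ("192.168.1.10", "de:ad:be:ef:00:99"),  # same MAC also claims a client
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # real gateway still answering
]

def detect_arp_poisoning(replies, gateway_ip, trusted=None):
    """Return de-duplicated alert strings for suspicious IP-to-MAC changes.

    trusted: optional dict of IP -> MAC known from DHCP leases or inventory;
    a reply contradicting it is flagged on first sight. Without it, the first
    binding seen for each IP is taken as the baseline.
    """
    seen = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ips_per_mac = defaultdict(set)       # every IP each MAC has answered for
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        ips_per_mac[mac].add(ip)
        known = seen.setdefault(ip, mac) # records the baseline if unseen
        if known != mac:
            level = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{level}: {ip} moved from {known} to {mac}")
        # One MAC answering for two or more IPs is a second signal: the
        # attacker's host impersonates gateway and victim at the same time.
        if len(ips_per_mac[mac]) > 1:
            claimed = ", ".join(sorted(ips_per_mac[mac]))
            alerts.append(f"WARNING: {mac} claims multiple IPs ({claimed})")
    return list(dict.fromkeys(alerts))   # keep order, drop repeats

if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_ARP_REPLIES, "192.168.1.1"):
        print(line)
```

Feeding it a `trusted` map from DHCP leases turns the first-seen baseline into a hard inventory, so a poisoned gateway entry is caught even if the attacker's reply is the first one the collector sees.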
There are many network tools used for mapping networks, but the most popular of
them is Firewalk, which is used to gather information about a remote network.
The principle of Firewalk is based on traceroute.
However, the limitation of traceroute is that it can only trace the responses
of the gateways; it tells us nothing about the network behind them. If we want
to trace the network behind the firewall, we have to run a slightly different
kind of probe.
This probe tells us what kind of traffic a firewall will pass. To extract
information with the traceroute probe we need to know the IP address of the
gateway. Once we have the gateway IP we can run a scan that tells us which
protocol packets are accepted by the firewall. This is simple: run a scan, and
if you get no response then the protocol you used is blocked by the firewall.
Try sending packets for different protocols and monitor the response. By
sending packets to every host behind the firewall, an accurate map of the
network topology can be generated.
Firewalk
Firewalk is a popular open source reconnaissance tool used for determining
which layer 4 protocols a given IP forwarding device will pass. It works by
sending TCP or UDP packets with a TTL (Time to Live) one greater than the hop
count of the targeted gateway.
The gateway forwards the packets to the next hop, where they expire and an
ICMP_TIME_EXCEEDED error message is returned; if the gateway blocks the packet,
however, there is no response at all. To find the correct IP TTL that will
expire one hop beyond the gateway, we need to ramp up the hop count. After
ramping we can start scanning the network. Firewalk can be used as a hacking
tool by hackers, and can also be used by pen-testers to verify that ACLs
(access control lists, used on routers to limit the protocols allowed to pass
through to the host systems behind the router) are doing what they are intended
to do.
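The two phases just described (ramping the TTL until the gateway itself answers, then probing each protocol and port with TTL one beyond it and reading a time-exceeded reply as "passed" and silence as "filtered") can be seen end to end in the following added example. It is not code from the article or from the Firewalk tool: it runs against a constructed in-memory path model whose hops, gateway position and ACL are assumptions, so the verdicts can be checked against a known rule set, which is exactly what an ACL verification is for.

```python
"""Firewalk's two phases (TTL ramping, then bounded probing) run against an
in-memory model of a network path. Added illustration, not code from the
article or from the Firewalk tool: the path, gateway position and ACL are
constructed, and probe() returns what the ICMP replies would be.
"""

class SimulatedPath:
    """hops: router IPs in order (hop 1 first); gateway_hop: 1-based index of
    the filtering device; acl: set of (proto, port) the gateway forwards."""
    def __init__(self, hops, gateway_hop, acl):
        self.hops, self.gateway_hop, self.acl = hops, gateway_hop, set(acl)
    def probe(self, proto, port, ttl):
        """Return the IP that sends ICMP_TIME_EXCEEDED, or None if silent."""
        if ttl <= self.gateway_hop:          # expires at or before the gateway
            return self.hops[ttl - 1]
        if (proto, port) not in self.acl:    # gateway drops it: no reply at all
            return None
        if ttl <= len(self.hops):            # forwarded, expires one hop later
            return self.hops[ttl - 1]
        return None                          # reached the end host; not needed

def firewalk(path, gateway_ip, targets, max_ttl=30):
    """Phase 1 ramps the TTL until the gateway itself answers (its hop count);
    phase 2 probes each (proto, port) with TTL = hop + 1 and labels it 'pass'
    on a time-exceeded reply from beyond the gateway, otherwise 'filtered'."""
    gateway_hop = None
    for ttl in range(1, max_ttl + 1):
        if path.probe("udp", 33434, ttl) == gateway_ip:   # traceroute-style ramp
            gateway_hop = ttl
            break
    if gateway_hop is None:
        raise RuntimeError("gateway never answered during ramping")
    bound = gateway_hop + 1
    verdicts = {t: ("pass" if path.probe(*t, bound) else "filtered") for t in targets}
    return gateway_hop, verdicts

# Constructed lab mirroring the article's setup: the firewall at hop 3 only
# forwards SMTP (25) and HTTP (80) to the mail server in the DMZ behind it.
LAB_PATH = SimulatedPath(
    hops=["10.0.0.1", "203.0.113.1", "203.0.113.254", "192.168.10.5"],
    gateway_hop=3,
    acl={("tcp", 25), ("tcp", 80)},
)
LAB_TARGETS = [("tcp", 25), ("tcp", 80), ("tcp", 23), ("udp", 53)]

if __name__ == "__main__":
    hop, verdicts = firewalk(LAB_PATH, "203.0.113.254", LAB_TARGETS)
    print(f"gateway at hop {hop}")
    for (proto, port), verdict in verdicts.items():
        print(f"{proto}/{port}: {verdict}")
```

Note that the gateway still answers the ramping probe for a port it filters, because TTL expiry is handled before the ACL; that is why the model returns the gateway's IP for any probe with TTL equal to its hop count.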
When we opened two ports, SMTP (25) and HTTP (80), by port forwarding in the firewall and tried to scan them using NETCAT, these results were obtained.
We tried a similar test to determine the network behind a firewall by creating
a dummy network and running the test over it. The network included a firewall
(Endian), a mail server and a client computer. The three interfaces of the
firewall (WAN, internal and DMZ) were connected as a network. The WAN interface
was connected to the Internet terminal, an internal network was built behind
the firewall to which a POP3 mail server was connected, and this was connected
to the DMZ interface. A test machine running BackTrack was used as the
attacking machine.
A firewall probe was then run from the machine and the results were recorded.
As the setup was very simple and had no misconfiguration in our case, Firewalk
was not able to detect any configuration error in the setup.
NETCAT
NETCAT is a computer networking utility for reading and writing network
connections using the TCP and UDP protocols. At the same time it is a
feature-rich network debugging and investigation tool, since it can produce
almost any kind of connection you would need. It is basically a UNIX based
utility, but Windows compatible versions are also available. NETCAT can also be
used as a port scanner that detects the open ports on a target machine. We used
NETCAT to scan the open ports on the target machine and to get information
about the network behind the firewall.
One may think that it is possible to connect to an arbitrary port even with a
simple tool like Telnet, so what is the USP of this tool? The explanation lies
in the fact that Telnet has a standard-input EOF problem, so one must introduce
calculated delays in driving scripts to allow the network output to finish.
Telnet also will not transfer arbitrary binary data, because certain characters
are interpreted as Telnet options and are thus removed from the data stream.
Nidhi Sharma