Penetration Testing Report

Penetration Testing ReportPenetration Testing Report

Chao-Hsien Chu, Ph.D.College of Information Sciences and Technology

The Pennsylvania State UniversityUniversity Park, PA 16802

[email protected]

Penetration Testing Report(Recommendation for Security)

Perspective of AdversaryPerspective of Adversary

Reconnaissance Scanning System Access Damage Clear Tracks

Web-basedInformationCollection

SocialEngineering

BroadNetworkMapping

TargetedScan

ServicevulnerabilityExploitation

PasswordCracking

DDOSCode

Installation

System FileDeletion

Use StolenAccounts

For Attack

Log FileChanges

Reactive Security(Incident Response)

Proactive Security(Real Time)

Preventive Phase(Defense)

Lab2

Lab3

Lab4

Lab5

Lab6

Lab7

Lab8

Lab1

SecurityPolicy

ObjectivesObjectives

This module will familiarize you with the following:

• Legal aspects of penetration testing.• How to conduct penetration testing?• Penetration testing reports• Penetration Testing Training

Legal Aspects of PTLegal Aspects of PT

• U.S. Cyber Security Enhancement Act 2002: Life sentences for hackers who “recklessly” endanger the lives of others.

• U.S. Statute 1030, Fraud and Related Activity in Connection with Computers. Whoever intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage or impairs medical treatment, can receive a fine or imprisonment of five to 20 years.

• Attacking a network from the outside carries ethical and legal risk to you, the tester, and remedies and protections must be spelled out in detail before the test is carried out. , Thus, it's vital that you receive specific written permission to conduct the test from the most senior executive.

Legal Aspects of PTLegal Aspects of PT

• Your customer also requires protection measures. You must be able to guarantee discretion and non-disclosure of sensitive company information by demonstrating a commitment to the preservation of the company's confidentiality. The designation of red and green data classifications must be discussed before the engagement, to help prevent sensitive data from being re-distributed, deleted, copied, modified or destroyed.

• The credibility of your firm as to its ability to conduct the testing without interruption of the customer's business or production is also of paramount concern. You must employ knowledgeable engineers who know how to use minimal bandwidth tools to minimize the test's impact on network traffic.

Footprinting Port Scanning

Enumerating

• Whois• SmartWhois• NsLookup• Sam Spade

• NMap• Ping• Traceroute• Superscan

Determine the Network Range

Identify Active Machines

Discover Open Ports and Access Points

Fingerprint the Operating System

Uncover Services on Ports

Map the Network

Gather Initial Information

Discovery Phase of PTDiscovery Phase of PT

• Netcat• NeoTrace• Visual Route

Penetration Test Report (1)Penetration Test Report (1)

• Introduction

• Summary of Findings

• Network Assessment:– Information Gathering– Port Scanning – ICMP Packet Filtering

• SSL Security Analysis:– HTTPS Not Enforced– SSL Protocol/Cipher Suite Evaluation

Source: Net Dense


• Web Application Security:– Content Analysis– Malicious Input/SQL Injection– Information Leakage – Cross-Site Scripting

• Web Server Assessment:– Apache Tomcat Directory Traversal – Apache Tomcat Directory Listing (CVE-2006-3835)– Apache Tomcat Buffer Overflow (CVE-2007-0774) – Web Server Configuration


Executive Summary:• Summary

– Approach

• Scope• Key Findings• Recommendations:

– Tactical recommendations– Strategic recommendations

• Tabular Summary• Graphic Summary

Source: NII


Technical Report:• Network Security

– Port Scan status

– Service Banner Disclosure

• Web Application Vulnerabilities

Conclusions

Appendix– SQL Injection

Penetration Testing Report (3)Penetration Testing Report (3)

• Introduction• Date Carried Out• Testing Team Details• Network Details• Scope of Test• Executive Summary• Technical Summary• Annexes

Source: Template 1

Network DetailsNetwork Details

• Peer to Peer, Client-Server, Domain Model, Active Directory integrated.

• Number of Servers and workstations.

• Operating System Details.

• Major Software Applications.

• Hardware configuration and setup.

• Interconnectivity and by what means i.e. T1, Satellite, Wide Area Network, Lease Line Dial up etc.

• Encryption/ VPN's utilized etc.

• Role of the network or system.

Scope of TestScope of Test

• Constraints and limitations imposed on the team i.e. Out of scope items, hardware, IP addresses.

• Constraints, limitations or problems encountered by the team during the actual test

• Purpose of Test: Deployment of new software release etc.; Security assurance for the Code of Connection; Interconnectivity issues.

• Type of Test: Compliance test, vulnerability assessment or penetration test.

• Test Type: White box, Black-box, Grey Box.

Executive SummaryExecutive Summary

• OS Security issues discovered with appropriate criticality level specified.

• Application Security issues discovered with appropriate criticality level specified

• Physical Security issues discovered with appropriate criticality level specified

• Personnel Security issues discovered with appropriate criticality level specified

• General Security issues discovered with appropriate criticality level specified

Executive SummaryExecutive Summary

Exploited:• Causes:

– Hardware failing

– Software failing

– Human error

Unable to exploit - problem area

• Causes:– Hardware failing

– Software failing

– Human error

Technical SummaryTechnical Summary

• Operating Systems Security

• Web Server Security

• Database Server Security

• General Applications Security

• Business Continuity Policy:– Backup Policy– Replacement premises, personnel,

software, hardware, document provisioning

Technical SummaryTechnical Summary

• File System Security:– Details of finding– Recommendation and fix

• Password Policy• Auditing Policy• Patching Policy• Lockdown Policy• Anti-virus Policy• Trust Policy

AnnexesAnnexes

• Glossary of Terms• Network Map/Diagram• Accompanying Scan Results - CD-ROM• Vulnerability Definitions: Critical, important,

information leak, concern, unknown.• Details of Tools Utilized.• Methodology Utilized: Reconnaissance,

Enumeration, Scanning, Obtaining Access, Maintaining Access, Erasing Evidence.


• Front page with Co Logo, disclaimer and other legal stuff as required by your enabling contract, your company practices and regulations under which you and the client operate.

• Headlines (This should be at most 2 pages and is for executive consumption): write this last to ensure it matches the contents of the report.

• Introduction (1 paragraph): Who you are and what you do (2 lines – they wont read any more). When you did it for whom and who lead the team.

• Scope (the executive version): An executive version of what your task was and why you were invited to undertake the test. This is a useful reminder before the next test when you review this report.

• Executive Summary (1½ pages MAX – so it fits on two facing pages): Headline stuff, the big impacts with some lead for future business subtly interlaced. Confirm here if the main objective test was passed of failed, it is very annoying for execs to read a report and not know it the bit you were contracted to do was done, and if they passed.

Source: Template 2


• Executive Recommendations (5 Max): Identify the immediate high risks/vulnerabilities that can/should be fixed in the immediate timeframe.

– High Priority. It is suggested that the following be tackled before the next stage of testing takes place:

– Medium Priority. It is suggested that the following be tackled in the short (days) to medium term (weeks):

• Further Information: This should cover the format of the report and provide easy links should the execs want to drill down. Consider the use of page breaks to improve the layout of the document. Use internal hyper links and physical tabs on printed versions – it all adds to readability and the professional appearance of the report.

• Main Body of Report.

Main Body of ReportMain Body of Report

• Introduction.

• Summary of Methodology Used.

• System Description.

• Documented Configuration and Architecture.

• Technical Analysis:– Critical Vulnerabilities or Mis-Configurations

– Assessed Impact of current risks

– Significant Threat Attack vectors

• Stages of Testing.

• Security Policy Documentation (SPD).

• Annexes.

IntroductionIntroduction

• Outline the type of tests that were undertaken:– Application testing

– Firewall penetration

– Firewall hole detection/testing.

• Identify the time frame or testing and numbers of systems, sites and days testing conducted (on site).

Summary of Methodology UsedSummary of Methodology Used

• Outline the type of testing methodology, as this will have bearing on the rest of the report body.

• Black Box Testing - A Penetration test with no prior knowledge of the target system, bar a valid IP address. No user or application credentials were supplied to the testing team or any information on services running on the target.

• White Box Testing - A Vulnerability Analysis Inspection of the target system to determine what vulnerabilities exist on the system, that although directly exploitable via a Penetration Test may be utilised in the future or by a disgruntled/disaffected insider. Full user and application credentials were supplied to the team.

• Gray Box Testing – Where some knowledge of the infrastructure is known and a user account maybe held.

Types of Penetration TestTypes of Penetration Test

PenetrationTest

ExternalTest

InternalTest

• Black Box

• White Box

• Gray Box

• Curious Employee

• Disgruntled End User

• Disgruntled Administrator

Types of Security TestsTypes of Security Tests

BlindGray Box Tandem

Double Blind Reversal

Attacker’s Knowledge of Target

Tar

get’

s K

now

led

ge o

f A

ttac

k

Double Gray BoxBlack Box

Red team

White BoxBlue team

System DescriptionSystem Description

• Infrastructure. The Target network/system was believed (or given to be) as detailed below: Insert network diagram or details of the given/derived/discovered infrastructure. Pictures are better than words. Ensure to mark what information was provided and what was learned/ discovered.

• Key or Critical Points. The following were therefore seen to be critical infrastructure elements in terms of Confidentiality, Availability or they were deemed to be potentially vulnerable or high value assets (to either the test of the normal day-to-day running).

• Network Ranges Tested and Those Excluded (inc reasons). Spell out what was in test and what was not (and why). Include IP address ranges and or host names. If too much data reference an Annex but summarise here for flow purposes.

Configuration and ArchitectureConfiguration and Architecture

• If the discovered LAN is at odds to the live system, a comment should be made.

• Getting into the main part of the report here and the next parts will be determined by the type of task or testing employed. Ensure each part/system/site is concluded before moving onto the next – except if further information was discovered on a different stage. This allows the reader to follow the tester’s methodology and therefore understand why the information discovered was so important.

• Depending on the processes used either describe how each system was identified, mapped, scanned and ultimately compromised. Alternatively outline the each stage of testing and how this resulted in targeting of vulnerable systems and again to the inevitable compromise.

Technical AnalysisTechnical Analysis

• Critical Vulnerabilities or Mis-Configurations: Here we give the bad news straight. Explain what the big issues (this time about the top 4-8) are give these in semi technical speak so the reader can comprehend which box has exactly what problem. Don’t use too much detail as this will be in the annex, sorted per box (usually on IP Address or role i.e. DC, App server, F&P Server, down to client).

• Assessed Impact of Current Risks: The problems above need to be placed in context, so ensure the risk is present in a creditable format. For example if local access is required to exploit a server in a lights out data centre, then it is probably not the critical risk Nessus would have you believe.]

• Significant Threat Attack Vectors: Having identified the valid risks identify, the main attack vectors and if possible identify all ‘online’ attack avenues based upon your findings.

Stages of Testing Stages of Testing (Classic Penetration Methodology)(Classic Penetration Methodology)

• Initial scan of network • Information gleaned• Target selected (repeat as required documenting each box

separately)• Enumeration. Services running and states on target• Information gathered regarding vulnerable aspects of the

system configuration.• Confirmation of vulnerability• Exploitation explained• Access gained• Leverage and potential growth avenues• Summary and rectification work required.

Stages of Testing (Box by Box Targeting) Stages of Testing (Box by Box Targeting)

• Initial Reconnaissance – read the information given by admin staff.

• Footprinting – confirm the network is as per the diagrams . Very Important dangerous if you attack the wrong one, embarrassing if you send exploits for the IIS web server to the apache system!

• Target selection based upon probability of vulnerability, time allowed, easy of exploitation and value of target.

• Attack boxes/services are required having researched information given at 1.

• Increase privileges as necessary (within permissions of contract).

• Secure longer-term access (within permissions of contract).

• Progressing by leveraging access on box. Go to step 3 and select another target down the list.

• Repeat as necessary, documenting your activities as you go.

Attack Phase Steps with LoopbackAttack Phase Steps with Loopback

DiscoveryPhase

GainingAccess

EscalatingPrivilege

SystemBrowsing

Install Add. Test Software

Enough data has been gathered in the discovery phase to make an informed attempt to access the target

If only user-level access was obtained in the last step, the tester will now seek to gain complete control of the system

The information-gathering process begins again to identify mechanisms to gain access to trusted systems

Security Policy Documentation Security Policy Documentation

• Policy Compliance. Where UK law, industry regulations or company policy have mandated security controls that were observed to be missing and no such written policy was found, a comment should be made.

• Live System must meet Policy Requirements. When a system fails to implement the security measures identified in the policy, the system or user maybe operating outside their lawful boundaries. This represents additional risk to the system, all systems to which it exchanges data, the users and the company. The following were observed and rectification action should be made to correct these before the next regulatory review/audit.

• Security mechanisms encountered (Auditing and Accounting). If within scope comment upon the security barrier's/mechanism's ability to audit and monitor your actions. Noting the use of syslog servers and auditing or accounting settings on compromised boxes. Additionally, note if no response was made to initial intrusions or compromise of boxes it blackhat testing is being undertaken – especially is the network security staff were supposed to react as normal (note some of this information may only be available after the event).

Annexes Annexes

• Annex A - Summary of Technical Details and analysis of problems

• Annex B - Detailed Technical Findings – Site 1

• Annex C - Detailed Technical Findings – Site 2 (if 2 or more sites)

• Annex D - Logs of activities

• Annex E - Output of any automated tool used (raw data)

• Annex F - Details of background work conducted (research)

• Annex G - Equipment used and post work cleaning actions

• Annex H - Details of suggested follow up action

• Annex I - Reference Sites

• Annex J - Glossary

Become CertifiedBecome Certified

Penetration Testing Report

Documents

Transcript of Penetration Testing Report