Brief introduction of penetration test in various network environmentsPosted by Cahill Humphrey on February 9th, 2021 transferred from: note: I've no capability to enter T00ls, but I will still learn something. This article comprehensively and clearly introduces the meaning, means, process and intent behind penetration testing, and well summarizes the present techniques and processes of penetration testing in China, and hereby records I. penetration testing concept penetration testing There's absolutely no standard definition. Some foreign security businesses reach a consensus that penetration test is an evaluation solution to evaluate the security of computer network system by simulating the attack method of malicious hackers. This method includes the active analysis of any weakness, technical defect or vulnerability of the system. The analysis is completed from the possible location of an attacker, and conditionally and actively exploit the security vulnerability out of this location. Penetration testing also offers two significant characteristics: penetration testing is a gradual and in-depth process. Penetration test is always to select the attack method which will not affect the standard operation of the business enterprise system. Penetration test fully simulates the attack technology and vulnerability detection technology that hackers may use, makes in-depth exploration of the security of the goal system, finds the most susceptible area of the system, and intuitively lets the administrator know the difficulties faced by his network. So penetration testing is amongst the types of safety assessment. Guidelines: security assessment usually includes tool assessment, manual assessment, consultant interview, questionnaire survey, application assessment, management assessment, network architecture assessment, penetration test, etc . The huge difference between penetration testing and other evaluation methods: generally, the evaluation method is always to find all relevant security problems based on known information assets or other evaluated objects. Penetration testing is to find out whether you will find corresponding information assets in line with the known available security vulnerabilities. Generally, the evaluation method is more comprehensive to the evaluation results, while penetration testing pays more focus on the severe nature of security vulnerabilities. On the main one hand, penetration testing can test whether the security measures of the business enterprise system are effective and whether various security policies are implemented from the perspective of attackers; on the other hand, it may highlight the potential security risks in the form of real events, which helps you to enhance the understanding level of relevant personnel on security problems. Following the penetration test, the security reinforcement is completed instantly to solve the security problems found in the test, so as to effortlessly stop the occurrence of real security incidents. 2、 Penetration test classification based on the penetration method and perspective classification, penetration test could be divided into - A, black box test "zero knowledge testing" / (black box) the Infiltrator is wholly ignorant of the machine. Aside from the known public information of the tested object, no other information is provided. Generally, penetration testing is conducted from outside the organization. Often, because of this kind of test, the original information is obtained from DNS, web, email and various public servers. B. White box test the tester can are accountable to the tested unit through normal channelsGet all kinds of information, including network topology, employee information, as well as code fragments of websites or other programs, and communicate in person with other employees in the unit. It often includes penetration testing from beyond your organization and from inside the organization. The objective of this type of test is to simulate the ultra vires operation of employees in enterprises. C. Gray box is involving the above two tests are conducted secretly. Often, the network management department of the unit receiving the penetration test will be informed that the test will be completed at some point. Consequently , it may detect the changes in the network. In the trick test, just a few people in the tested unit know about the existence of the test, therefore it can efficiently test whether the monitoring, response and recovery of information security events in the system are in position. According to penetration target classification, penetration test could be split into - 1) host operating-system penetration windows, Solaris, AIX, Linux, SCO, SGI 2) database system penetration MSSQL, Oracle, mysql, Informix, Sybase 3) application system penetration 3 Penetration target provides a selection of applications, such as ASP, CGI, JSP, PHP and other aspects of the WWW application 4) network device penetration various fire walls, intrusion detection systems, network devices 3. Penetration test process information collection and analysis → formulation and implementation of penetration scheme → previous information summaryAnalysis → privilege promotion and internal penetration → penetration result summary → output penetration test report → propose security solutions tips: time selection in order to reduce steadily the impact of penetration test on the network and host, the penetration test time must certanly be arranged in the time of low traffic and evening so far as possible strategy selection in order to reduce the impact of penetration test on the network and host In order to prevent the business interruption of network and host brought on by penetration test, the test strategy with denial of service isn't used in penetration test for host systems that can not accept any possible risks, such as for instance bank bill verification system, power dispatching system, and so on, the following conservative strategies could be selected: for the host systems that can not accept any possible risks, such as for example bank bill verification system, power dispatching system, etc Copy a copy of the target environment, including hardware platform, os, database management system, application computer software, etc . Along the way of evaluation, due to the particularity of penetration testing, users can request to monitor the entire testing process authorization of penetration testing Automatic control of the testing Party: the penetration testing party records the three areas of data along the way with this penetration test: operation, response and analysis, and finally forms a complete and effective penetration test report and submits it to an individual user monitoring: there are four forms for monitoring whole process monitoring: using sniffing software similar to ethereal for whole process packet capture and sniffing user monitoring: you will find four forms for monitoring Optional monitoring: do not record the scanning process, only start the application for sniffing following the security engineer analyzes the information and before initiating penetration host monitoring: only monitor the survival status of the host under test in order to avoid accidents specify the attack source: the consumer specifies a specific attack source address to attack, and the host of the foundation address is monitored by the consumer for process, network connection, data transmission, etc . the implementation plan is formulated the implementation plan ought to be communicated and negotiated involving the tester and the consumer. In the beginning, the tester provided a simple questionnaire to know the customer's basic acceptance of the test. The contents include but aren't limited by the next: introduction of target system, key protected objects and features. Is data corruption allowed? Can it be allowed to block the conventional operation of business? If the relevant department contact person be informed before testing? Access mode? Extranet and Intranet? Test is to find problems, even if successful, or even to find as much problems that you can? Does the infiltration process have to consider social engineering? After receiving customer comments, the tester writes the first draft of the implementation plan and submits it to the consumer for review. After the completion of the audit, the customer shall authorize the tester on paper. Here, the two areas of the document will include the implementation scheme part and the written authorization part respectively: the next series covers the information points - 1) penetration between different network segments / VLANs make an effort to penetrate yet another network segment / VLAN from an interior / external network segment. Often, the technologies that may be used include: remote attacks on network devices; remote attacks on fire walls or rule detection and evasion attempts. The collection and analysis of information is followed by each penetration test step, and each step has three components: operation, response and resultanalysis. 2) Port scanning through the TCP / UDP port scanning of the mark address, the number and form of services opened by the mark address can be determined, which is the foundation of penetration tests. Through port scanning, we could ostensibly determine the essential information of a method. Combined with experience of security engineers, we are able to determine its possible existence and exploited security weaknesses, in order to supply the basis for deep penetration. 3) Remote overflow here is the most typical, the absolute most serious threat, and the absolute most simple to implement penetration method. An intruder with general network knowledge may use ready-made tools to implement remote overflow attack in a very limited time. There's also such a risk for the device in the firewall. Provided that the host inside and outside the firewall is successfully attacked, you can easily attack the host in the firewall through this host. 4) Password guessing password guessing is also a type of risk with large probability of occurrence. It nearly does not need any attack tools. With a simple violent attack program and a comparatively perfect dictionary, you can guess the password. Guessing a system account usually includes two aspects: the foremost is guessing an individual name, and the second reason is guessing the password. 5) Local overflow identifies the strategy of obtaining administrator privileges through a special command code after having a regular user's account. Premise: first get a normal user password. In other words, one of the key conditions resulting in local overflow is that it can't be setWhen the password policy. Years of practice has proved that following the ordinary account obtained in the early password guessing stage logs into the system, the area overflow attack on the machine can acquire the control and management authority of the machine without active security defense. 6) Script and application testing is specifically for web and database servers. According to the latest technology statistics, script security vulnerability is among the most serious security weaknesses of current web system, especially the web system with dynamic content. Using script related weaknesses, you'll be able to access other directories of the machine, or control permissions of the system. Consequently , web script and application testing will be an important part for the web, database and other systems with dynamic pages. In Web script and application testing, the parts that will need to be checked include: ● checking the applying system architecture, To avoid users from bypassing the machine to change the database directly; ● check the identity authentication module to avoid illegal users from bypassing the identity authentication; > check the database interface module to stop users from obtaining system permissions; > check the file interface module to prevent users from obtaining system files; check the file interface module to prevent users from obtaining system files Check other security threats; 7) wireless test China's wireless network is still in the construction period, but as a result of simple deployment of wireless network, the penetration rate in certain big cities has been high. Access points can be found in at least 80% of the business districts in Beijing and Shanghai. Through the test of wireless network, we could judge the expense of the enterpriseLAN security has become an extremely important element of penetration testing. Besides the above testing methods, additionally, there are some technologies that may be utilized in penetration testing, including: social engineering, denial of service attack, and man in the centre attack. 8) Information collection network information collection: in this department, we will not directly scan the tested target, we have to first search some relevant information from the network, including Google hacking, whois query, DNS and other information (if social engineering is considered, some edge information in the target system can also be obtained from the mailing list / newsgroup, such as for instance internal employee account composition, identification method, email contact address, and so on ). Target system information collection: through the above mentioned step, we must have the ability to simply describe the network structure of the mark system, including the area where in actuality the company network is found, Internet protocol address distribution of subsidiaries, VPN access address, and so forth Here, we ought to pay special attention to some partial host names and addresses. For instance , some domain names with backup or temp switch may be a backup server, and its security may not be enough. Judge the machine from the obtained address list to know its organizational structure and operating-system usage. The most typical method is to scan all IP ADDRESS segments of the mark. Port / service information collection: this part can begin direct scanning operation 9) vulnerability scanning this is principally for specific system objectives. If the passage through of paragraphThrough one-step information collection, we have obtained the Ip distribution and the corresponding domain name of the mark system, and we've filtered out a couple of attack targets through some analysis. Currently, we are able to carry out targeted vulnerability scanning for them. There are numerous aspects which can be carried out: the equipment for the system level include ISS, Nessus, SSS, retina, sky mirror, Aurora the equipment for the internet application level include appscan, Acunetix, web vulnerability scanner, webinspect, nstalker the various tools for the database level include shadowdatabase scanner, Ngssquirrel the equipment for VoIP include PROTOS C07 sip, C07 h225, sivus, sipsak, etc . Actually each penetration testing team will have its own testing kit just about, and the vulnerability scanning tool for specific applications is more personalized. 10) Vulnerability exploitation sometimes, after scanning the service / application, we can miss out the vulnerability scanning part and go straight to vulnerability exploitation. Because most of the time, based on the version of the goal service / application, we can get the exploit code for the target system on some security websites, such as for example milW0rm, SecurityFocus, packetstormsecurity and other websites all have corresponding search modules. No, we are able to also make an effort to search "application name expand", "application name vulnerability" and other keywords on Google. For system: Metasploit for database: XOXO for web server: XOXO, (11) web security testing information gathering: general information leakage, including path leakage under abnormal conditions, file archive search, and so on business logic testing: business logic processing attacks, oftentimes used for business bypass or deception, and so on authentication Testing: whether there is a verification code, whether there exists a limit on how many times, and so forth. In a nutshell, it depends on whether it may be cracked violently or whether it is easy to pass the authentication. The more direct one is the "default password" or weak password. session management testing: session management attacks are best when cookie carries authentication information. data validation testing: data validation is best understood, which is SQL Injection and cross siteScript and so on 12) web testing tools at the moment, many tools you can use for web testing can be found on the net. Based on the different functions, they truly are mainly: 1 ) Enumeration: dirbuster, HTTP dir enum, WGet 2. Proxy based testing tools: Paros, webscarab, Burp suite there are a few immature tools for WebService testing, such as for example wsbang, wschess, wsmap, wsdigger, wsfuzzer in this part, it really is worth mentioning that lots of penetration testing teams have their particular testing tools, even 0day code, the most frequent of which are SQL injection tools and injection tools (such as nbsi, etc . ) developed on the Internet At the moment, they all are targeted at small and medium-sized enterprises or personal sites / databases, plus some relatively biased database systems (such as Informix, DB2) used in large-scale target systems are basically not involved or not deep enough. At the moment, each penetration testing team is promoting testing tools to meet their own usage habits. Attacks against wireless environment include: WiFi zoo 13) privilege upgrade in certain previous work, you could have obtained some control privileges, nonetheless it is not enough for further attacks. For example: maybe you are very easyYou will get use of Oracle database, or get a basic account permission of UNIX (AIX, HP-UX, SunOS), but when you want to do further penetration test, the situation comes. You will find you don't have enough permission to open some password storage files, you cannot put in a sniffer, and you do not even have permission to execute some basic commands. At this time, you will naturally consider how you can upgrade the permissions. At present, some enterprises have a whole lot of issues with patch management. They may not have thought about updating some servers or applications with patches or delaying updates at all. This is a very good time for penetration testers. Experience: the Oracle account or AIX account with general permissions is simply corresponding to root, because this is actually the real life 14) password cracking sometimes, the configuration of any aspect of the prospective system is impeccable, however it will not mean that it is completely impossible to enter. Most of the time, the absolute most destructive attack often originates from the smallest weakness, such as weak password, directory list, SQL injection and so forth. Therefore , for some special security technology researchers, this really is of little significance, however for a penetration test engineer, this is important & most of the time necessary. At the moment, there's a kind of resource widely used in the network, that is rainbow table technologyThat is, a hash dining table. Some websites provide this sort of service, claiming that the storage space is greater than g. for instance , rainbow rack claims that its data volume is higher than 1 ) 3t. Further penetration into the DMZ area, under normal circumstances, we will not get much valuable information. In order to further consolidate the results, we have to carry out further internal penetration. Now, it's really impossible. The most typical and effective way is sniff packet capture (ARP Spoofing can be added). Obviously, the best way is always to search through some files on the intruded machine, which might contain some connection accounts you will need. For instance , in the event that you invade a web server, in most cases, you can find the account connecting to the database in the page code or a configuration file. You may also open some log files to really have a look. In addition , you can go back to the 2nd step of vulnerability scanning. 4、 The generated report will include: - List of disadvantages (sorted by severity level) 2. Detailed description of flaws (utilization method) 3. Ideas for solutions 4. Participants / test time / Intranet / Extranet five. Risks and avoidance in the test process 3 Penetration testing uses network security scanners, special security testing tools and the experience of experienced security engineersThe core servers and essential network devices in the network, including servers, network devices, firewalls and so forth, perform non-destructive simulated hacker attacks to be able to invade the device and acquire confidential information, and report the intrusion process and details to users. Penetration testing and tool scanning can complement one another. Tool scanning has good efficiency and speed, but there exists a certain false alarm rate and missing rate, and can not find high-level, complex and interrelated security problems Problems: penetration testing needs a wide range of recruiting, and requires high professional skills of testers (the value of penetration testing report directly depends upon the professional skills of testers), but it is very accurate, and it may find more logical and deeper weaknesses. When people with penetration test attack experience stand in the perspective of system administrators to guarantee the security of a large network, we will discover that the difficulties that require to get worried are very different: from the perspective of attackers, it really is "attack one point, attack one point, attack one point", Nevertheless , from the perspective of the defenders, it is often discovered that "the dike of 1000s of miles is destroyed by the ant nest". Consequently , it is crucial to have good theoretical guidance and pay attention to security from technology to management to make the network solid. PS: the article is transferred from "chieftain" and the writer is "liulovely". The content is concise, clear and clear immediately. Although there are a lot of words, it is a rare good "composition", hoping to make the finishing point in most of network security people Køb den her spo to clubLike it? Share it! |