In an effort to broaden the audience and topic base for the VRT blog, this week we are going to take a very high level view of what a network penetration test looks like from the tester's perspective. Some of the techniques and ideas behind a high-level network penetration test will be described. This entry is not intended to be create a world of savvy pentesters out there, as nothing can replace knowledge and experience gained from previous tests, but it should at least get people started down the road toward successful penetration testing. Also, knowing what a network pentester does during their assessment will also help the pentester's customers have a better understanding of the process.
This overview is written with an interest in ease of use with no regard for stealth.
A network penetration test, in its most simple form, can be described as multiple iterations of three steps -- reconnaissance, exploitation, and penetration. Each step leads to the next as well as back to the previous, providing more data for subsequent tests and attacks. Penetration adds new targets as more and more resources become available from new attack positions.
The first step of any penetration test is to become familiar with your target. For this discussion, we will assume the IP addresses for the target are known. The two most obvious steps for getting a high level view of your target are to find what ports are listening by using nmap and to get a basic understanding of your target's security posture by using a vulnerability scanner such as Nessus. Nmap will provide a list of all ports that are open (and are therefore potential attack vectors) and Nessus will attempt to provide a list of vulnerabilities found on the target hosts. Nessus's results cannot be taken at face value due to the nature of its testing, but it does provide a fairly broad view of what services are available, what service banners were provided, and guesses as to what vulnerabilities are present.
Using the reports from nmap and Nessus, we can begin to focus our attacks on hosts and services that further our goals of getting into the network. Most tests from Nessus do not actually perform an exploit. To attempt to exploit a vulnerability, an exploitation framework such as Metasploit, sample exploits from securityfocus.com or elsewhere on the 'Net, or a custom exploit needs to be used.
There are many types of exploits in the wild - denial of service, information leakage, arbitrary code execution, and escalation of privilege are but a few. Denial of service attacks are generally not very useful in penetration tests. If you DoS a machine, you cannot use that device to further your own attacks. This is, of course, unless that machine is preventing you from gaining deeper penetration into the network or provides logging functionality and stealth is desired. This is an advanced topic that won't be covered by this post. For now, we'll shuffle DoS attacks to the "store for the report" file and concentrate on vulnerabilities for which a working exploit that provides machine access is available.
Information leakage, which often does not get the credit its due when compared to the sexy arbitrary code execution, is an integral part of any pentest. Gaining additional information from a service, then feeding that new data through the complete penetration test cycle, is probably the single largest contributor to a successful pentest unless the network is widely vulnerable to a single code execution. For example, imagine a Web exploit that required knowledge of the valid Web root to work. Suddenly, a 404 Not Found that leaked the system path to the page is extremely useful.
Finally, the ultimate class of exploit, arbitrary code execution. With the ability to execute arbitrary code, anything is possible. This ability leads us to the next section, Penetration.
The goal of a network penetration test is to gain deep access into the network. This is different than a network vulnerability assessment, where the breadth of vulnerabilities is sought. By exploiting vulnerabilites in a penetration test, we attempt to access more and more systems as we get behind obstacles. The most obvious way to achieve this goal is to install our tools and agents on devices as we compromise them and then use those new hosts as launch points for further attacks. Once we have system level access on a device, we can connect to any other device available to that machine. Another means of achieving deeper access is by abusing a trust relationship where a deeper machine can be made to act inappropriately due to data put on a device we can reach directly. The cycle then repeats with reconnaissance, exploitation, and penetration using this new host as our starting point.
This discussion was of a high-level view of network penetration testing. Several components of a more advanced test were not covered, such as identifying target hosts, the large amount of research required for a successful penetration test, or how to actually do the exploitation. The key takeaway from this post should be that penetration tests are a very iterative process -- gather information, act upon that information, feed new information into the cycle, and repeat until the goal has been achieved.