2. EDITOR’S NOTE
01/2011 (01)
Dear Readers,
Welcome to Penetration Test Magazine, a new publication
from Hakin9 team, with its focus on the penetration testing
field. What you are looking at right is what you might call the
“zero” teaser issue, which we’ve decided to publish to reach
you and – hopefully – encourage you to stay with us and
become our avid readers in the future.
For there are surely good reasons to take a closer look at
Penetration Test Magazine, especially if you are a pen tester,
TEAM security assessment provider or client, or simply an IT security
enthusiast. Our main goal is to create a platform, where like-
Editor: Sebastian Bula
sebastian.bula@software.com.pl minded specialists as well as amateurs could exchange their
views, discuss important issues, or just observe the trends
Proofreaders: Michael Munt on the market. The penetration test market is thriving and it
deserves a magazine that can deal with its issues. As for now,
Betatesters: Michael Munt, Edward Werzyn Jr we are the only magazine of its kind on the market.
Senior Consultant/Publisher: Paweł Marciniak
The magazine proper will be available by paid subscription, 29
CEO: Ewa Dudzic USD per issue. What we offer for this price is more than fifty
ewa.dudzic@software.com.pl
pages of top-quality, non-commercial technical writings by IT
security specialists, who are more than happy to share their
Art Director: Ireneusz Pogroszewski
ireneusz.pogroszewski@software.com.pl
knowledge and expand yours.
DTP: Ireneusz Pogroszewski
The following teaser mag features two splendid pieces of
Production Director: Andrzej Kuca writing. Iftach Ian Amit from Security Art and Chris Nickerson
andrzej.kuca@software.com.pl
from Lares joined forces to present their views on the industry
and how Penetration Testing Execution Standard can “fix” it.
Marketing Director: Sebastian Bula
sebastian.bula@software.com.pl If you feel, like the writers do, that the term “penetration test”
has been “cannibalized”, “commercialized”, and attracted too
Publisher: Software Press Sp. z o.o. SK many “charlatans” – the article is just for you. The second
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
article, by Bill Mathews from Hurricane Labs, will give you
www.hakin9.org/en some practical advice on how to operationalize penetration
testing results using network monitoring software, and – as
Whilst every effort has been made to ensure the high quality of the author highlights – for free.
the magazine, the editors make no warranty, express or implied,
concerning the results of content usage.
All trade marks presented in the magazine were used only for We would like to thank the contributors for submitting great
informative purposes.
content and meeting very close deadlines at the same time,
especially Iftach Ian Amit, whose assistance and commitment
All rights to trade marks presented in the magazine are
reserved by the companies which own them. was truly invaluable for us.
To create graphs and diagrams we used program
by
We hope you enjoy the magazine – and don’t forget to check
out our first issue in May!
Mathematical formulas created by Design Science MathType™
Enjoy your reading
Sebastian Buła
DISCLAIMER! & Penetration Test Magazine Team
The techniques described in our articles may only
be used in private, local networks. The editors
hold no responsibility for misuse of the presented
techniques or consequent data loss.
01/2011 (1) April Page 2 http://pentestmag.com
3. CONTENTS
Contribute
Penetration Testing Magazine is a community-oriented Are you a student? We’re looking forward to you
magazine. We want IT security specialists and articles! Fresh attitude, opinions and beliefs of the
enthusiasts to work together and create a magazine young and budding IT security gurus are invaluable for
of the best quality, attractive to every individual and us. You will give your career a great start when you write
enterprise interested in the penetration testing field. to a respectable IT magazine. Showing an issue with
your name among the names of other authors – and
If you are interested in being a part of our community often famous ones – will be your great asset during a
– submit an article or bring up a subject you consider job interview.
important and up-to-date. Are there any trends on the
market you’d like to take a closer look at? Are there any If you think you don’t have enough time to create an
tools or solutions worth reviewing or presenting to the article from scratch, but feel interested in the magazine
community? Are there any touchy and controversial – become one of our beta testers. This way you will get
issues you feel have to be discussed in public? Then the opportunity to look at a new issue’s contents before
share your opinions with us. it’s even published, and your name, too, will appear in
the magazine. If you feel the need to contribute and
If you run an IT security company, your contribution share you knowledge, but don’t have enough spare
is the most welcome. Tell us about your solutions and time for creative writing – beta testing is just for you.
advertise in the magazine for free, or have a special
issue devoted exclusively to you. As long as you provide
top-notch quality of you writings, we are always ready to
cooperate and help your company develop with us.
Sections:
White Box Wireless Security
Application Security Standards and Methodologies
Black Box How To…
Web Security Open Source Intelligence
Network Security Vulnerabilities
STANDARDS
Fixing the Industry
by Iftach Ian Amit and Chris Nickerson
HOW TO…
…Operationalize Penetration Testing
Results Using Network Monitoring
Software – All For Free
by Bill Mathews
01/2011 (1) April Page 3 http://pentestmag.com
4. STANDARDS
Fixing the Industry
Penetration testing has been a skill (some say an art) for as long
as we can remember information security and the computer
industry. Nevertheless, over the past decade or so, the term
has been completely ambiguated. It has been cannibalized,
commercialized, and transformed into a market where charlatans
and professionals are on the same playing field.
T
he commercial industry has embraced the lack of value presented by the Scanner type of testing
Sexyness of penetration tests, built products and some brainstorming of how that could be resolved
around it uprooted its values with product marketing worldwide. This issue was not localized or specific to any
and sales speak, and conned organizations into buying vertical but it was something that InfoSec professionals
deeper and deeper to the dreaded pentest unit (as in I from all around the globe were experiencing. From these
need 2 units of pentest to complete this compliance effort). sessions happening at EVERY security conference
Backed by a thriving regulatory compliance rush to check- thrown an idea was born. The idea – to finally standardize
off as many items as they can on audit lists, pentesting and define what a penetration test really is. This would
was given the final blow to its heritage of value. A once help the testers increase the quality and repeatability of
surgical skill that required innovation, critical thinking, the testing while also giving the organizations doing the
technical savvy, business understanding, and good old testing, a reference list of what is to be done during the
hacker-sense was reduced to a check box on the back of test. This is where the Penetration Testing Execution
a consulting companies marketing material. Standard (PTES) started. After a couple of months of
This type of market commoditization has led to the working behind the scenes, a group of about a dozen
frustration of many businesses and consultants alike. security practitioners from different parts of the industry
With this in mind, a group of security veterans (each one put forth a basic mind map of how they did penetration
Commercializing security tools and Compliance tests. Later on, that blended map was released to a larger
are giving the industry a double-blow group of InfoSec professionals. This group tore apart the
original map and streamlined it to fit a larger and wider
with at least a decade under their belts, and numerous audience. At that point a final rendition of the mindmap
successful penetration tests in various industries) have was constructed between 25+ International InfoSec
gotten together to discuss the state of the industry, and a Professionals. With over 1800 revisions to the Alpha
common gripe was echoed. Many of the venting sessions mindmap, the team then opened up the stage for more
from professionals around the world centered around massive collaboration and started building one of the
the wide array of testing quality within penetration tests. more exciting concepts in the security industry. Currently
This huge gap was often boiled down to the Scanner/ the Penetration Testing Execution Standard is backed by
Tool Tests and the Real Testing arguments. Another dozens of volunteers from all around the world, working in
common theme for these sessions was the decided teams on writing the finer details of what will be the golden
01/2011 (1) April Page 4 http://pentestmag.com
5. standard for penetration testing for organizations as small perceived by an investigative attacker. A lot of information
as a 15 people company, and as large as a government is being spilled out through unauthorized (and seemingly
agency or a nation’s critical infrastructure. legitimate) channels, social media, and just plain old bad
The standard spans seven sections that define the policies. It is crucial for the tested organization to see
content of a penetration test. These sections cover exactly what information is available out there in order to
everything from how to formalize the engagement either prepare for such information being used against them
legally and commercially, up to what areas the final or fix any policy/training gaps that it may have in relation to
report should cover. Following is an overview of the information disclosure. Until this exercise is performed, most
seven sections and what they reflect in terms of how a companies do not understand the gravity of the information
penetration test should be conducted. that can be collected about them. For example: If a tester
can identify that the customer is using an unpatched version
Pre-Engagement interaction of Acrobat (found through the analysis of metadata within
In this section the standard defines some basic rules a published document), they are a prime candidate for a
of engagement, scoping, points of contact, and most client side/malicious file attachment attach. Also, if there
importantly goals for the engagement. It is often neglected are sensitive documents published on corporate directed
and overlooked (as in our previous example of two pentest locations, it may pose an even bigger risk (i.e. VPN Login
units – that are usually followed by a website or an IP instructions on a public webserver; Yes…we ran into these
address to be tested), and one of the main reasons for many times in the past).
organizations not getting any value out of such testing. The The information and intelligence gathering phase
section goes on to define what are the allowed resources aims to gather as much information as possible about
that the tester can utilize in the business, and the tester is the target and fully explore the increased threat surface
given an opportunity to gain a better understanding of what to attack. The standard covers digital collection through
is the business aspect that is being scrutinized, and what open source intelligence resources as well as paid for
are the real goals of the test (which are NEVER a server, resources, physical on-site collection and observation,
an application, or even a network). In addition to the goal/ and human intelligence collection. After all, the more a
value oriented approach of the tester, the organizations tester has to attack the more comprehensive the results
receiving the test (customer) will also be able to reference will be. This is the most aggressive approach available
this section. The customer will be able to set guidelines for but will not be required for all strengths of tests. It’s
the test, understand the safeguards put in place and have important to note that the standard will also define levels
a full understanding of the communication pathways that or strength of operations within each section – which
will be open throughout the test. Often times, customers would allow small engagements to employ the more
do not have the appropriate channel of communication standard OSINT (Open Source Intelligence) methods,
with the testing group and it causes confusion in the testing and larger scale or higher level/strength engagements
process. We aim to make the goals and tests performed to include the more elaborate on-site, physical and
clear to both sides well before the testing begins. HUMINT (Human Intelligence) elements.
Information and Intelligence Gathering Threat Modeling
In this section the standard really kicks in. This is where The threat-modeling section provides the tester and the
we were receiving the most comments in the lines of this organization with clear documentation of the relevant
is too expensive, we don’t know how to do this, and this threat communities as well as the assets and their values.
is not really necessary. From our collective experience The threat modeling is performed around two central
(at least the founding team) we can clearly state that lines – the attacker, and the business assets. From an
when this phase is done right, we can already know the attacker perspective, all the relevant threat communities
outcome of the pentest. During the intelligence-gathering are identified, researched, documented, and their
phase, the tester aims to build a comprehensive as capabilities are fully analyzed and documented.
possible picture of the target organization. Everything From a business asset perspective, all the critical business
from corporate information, the vertical in which the assets (physical, logical, process, 3rd party, intellectual,
organization is operating in, business processes that are etc.) are identified. During the documentation phase of
crucial to the business, financial information and all the way these assets, every relevant supporting technology system
up to mapping out specific personnel, their online social is mapped, along with the relevant personnel, interaction,
presence and how to use all of that information in a way that processing, and the information lifecycle.
an attacker would use. On the other hand, the organization The main output from this phase is a well-documented
being tested will finally get a clear overview of how it is being threat model that takes into account the data gathered
01/2011 (1) April Page 5 http://pentestmag.com
6. STANDARDS
and analyzed at the intelligence gathering phase, and can intelligence, threat modeling and vulnerability analysis in
be used to create attack trees and map out venues for place; this phase becomes much more focused and more
vulnerability analysis of key processes and technologies. importantly much more fine-tuned to the organization being
This is another key component to providing value in tested. In a proper penetration test, we should not just see
Penetration Testing. If the customer does not know what the spread-spectrum scans and exploitation attempts on
threat is to the business or the actual risk, why should they every conceivable technology from a tool or two, but also
resolve the issue. Threat Modeling provides a weighting (and again – much more importantly) a dedicated attack
system so that testers can rely less on a screenshot of a path that lends from the true assets that the organization
shell and more on the overall value to the business. holds and the specific vulnerabilities (either technology
related or human/process related). This type of validation
Vulnerability Analysis is a process that is often lost in the throw all the attacks we
Only at this stage we run into what more traditional have at it type automation. Here, the standard aims to act
penetration tests actually include in their scope. As we on the vulnerabilities identified and confirm or refute their
can clearly see, the new penetration testing execution existence. Many testers and testing tools, due to lack of
standard provides a much more thorough background actionable intelligence or poor planning, will run exploits
– both from a business understanding, as well as from a against hosts that do not have the exploitable package
technical perspective to the test. Leveraging this extensive running or even installed. This causes undue increased
research, the vulnerability analysis phase (which can traffic and potential risk to the business environment.
sometimes be considered as a technology centric threat
modeling) defines the extensive coverage of mapping Post-Exploitation
out and documenting any vulnerability in processes, At this point most pentests conclude the engagement
physical infrastructure, and of course technology related and provide a report that includes every finding with
elements. This phase does include some interaction some sort of traffic light rating (low, medium, high...) that
with the organization, as the testers probe for services is pre-baked into the reporting tool. However, real world
and equipment, confirm assumptions made at the attacks would not suffice in getting a foothold inside the
threat modeling and intelligence gathering phases, and organization, and would try to leverage it further – either
fingerprint the underlying software being deployed. trying to obtain additional information/resources, or to
One of the deliverables from this phase (on top of the actually find a way to exfiltrate the information/control
actual vulnerability mapping and assertion) is attack trees outside of the organization. The exfiltration and access
that correspond to the entire process thus far. This by to the data types or control systems will fit directly into
itself can provide a lot of value to the organization as a the threat modeling conducted earlier in the process.
living document that can be updated with relevant threats, The tester will be able to show the real company impact
vulnerabilities and exposure that is used as one of the of certain attacks and why they are relevant to the
parameters for the ongoing risk management practice. company (i.e. there is a big difference in showing an
Mind you, this is not just running a scan or port executive a screenshot of a shell than showing them
mapping. This is a comprehensive process to analyze the interface THEY use to change the General Ledger
the data collected for attack routes as well as identify within the ERP system. This type of focus provides an
venues for attacks. The tester will leverage conventional instant impact and is formatted in the language that
and unconventional ways to identify vulnerabilities from makes sense to the business).
missing patches, open services, misconfigurations, The post-exploitation phase defines the scope of
default passwords, Intellectual Property leakage, such additional tasks, that provide the organization with
increased threat through information (leaked passwords/ a way to see how would it really stand up to such an
docs), and much more. This hybrid approach allows attack, and whether it would be able to identify related
the testers to collect actionable information and rank data breaches and leaks. Conducting this focused
the ease of attacks. Once the tester has analyzed the attack on resources paints a very clear and concise
potential vulnerabilities present, they will have a clear picture of the threats capability and its possible effects
picture of what/why/how/where and when to execute on the business as a whole.
attacks to confirm the validity of that vulnerability.
Reporting
Exploitation Finally – this trip through an attackers modus-operandi
The exploitation section is very close to the common scope needs to be concluded with a clear and useful report,
of penetration tests these days. It includes the actual attack for the organization to actually see value from such an
execution against the organization. With all the proper engagement. The value is not limited to documenting
01/2011 (1) April Page 6 http://pentestmag.com
7. the technical gaps that need to be addressed, but also an additional value to the customer as they are allowed
needs to provide a more executive-level report that to test the effectiveness of their defensive monitoring
reflects the organization’s exposure to loss in business systems and/or outsources solutions.
terms (financial). This would include the actual meaning At the end of the day, the forces of the industry will
of which assets are at the highest risk, how much dictate what a penetration test will look like and what
resources are used to protect different assets, and a would it contain. Nevertheless, the PTES is aimed to
recommendation on how to more efficiently close any provide the industry with a baseline it clearly lacks now.
gaps in exposure by spending resources on controls The term has been mutated over many iterations and
and protections more intelligently. it has been given a very narrow freedom to operate
Such a recommendation would not have been possible between the minimum that has been dictated by
without the surrounding activities that provide the business regulatory requirements (which did good and actually
relevance of the exercise and the tested business forced more businesses to test themselves), and the
elements. This is also where the organization would “glass ceiling” that has been created de-facto by the
end up finding the most value out of the engagement, hordes of pentesters that know nothing better than
as opposed to most common pentests which leave it using some product to push out a report to the customer
with a laundry-list of exploits and vulnerabilities, without and move on to the next. By clearly defining the term
their actual relevance or business impact. In the report, (which is used in a multitude of standards without an
the tester will be required to identify the symptomatic adequate definition of what it means or consists of)
vulnerabilities (like a patch missing) as well as tie out the and what the purpose, value and components of a
systemic vulnerabilities – a patch is missing BECAUSE Penetration Test are, PTES will increase the confidence
there are gaps in policy and procedure in x/y/z area which of customers and testers alike. For quite some time
allowed for the patch to not be now, organizations expect
installed in a timely manner or
Measuring detection and incident response is an the value of conducting a
within the specified time)
integrated part of a penetration test Penetration test to be not
It’s important to note that although there isn’t a much more than a rubber stamp on the audit report or a
dedicated section for detection and incident response, ticked checkbox on their compliance worksheet. PTES
the organizations capabilities to identify, and react to is attempting to increase that value and blow some wind
anything from the intelligence gathering, through the into the dwindling sails of what once was a critical part
vulnerability analysis, exploitation and post exploitation of running a secure operations. In the modern days
is also put to the test. The penetration test includes where everyone being so easily hacked by an APT isn’t
direct references to such capabilities in each section (as it time our testers start acting like one? Or would you
well as in the reporting section), and can be extremely rather an Automated Penetration Test (APT) that you
useful to clearly identify the organization maturity in pay for and does not even attempt to learn WHY they
terms of risk management and handling. This provides are doing the test in the first place?
IFTACH IAN AMIT CHRIS NICKERSON
brings over a decade of experience in Chris Nickerson, CEO of LARES, is just
the security industry, and a mixture of another Security guy with a whole
software development, OS, network bunch of certs whose main area of
and Web security expertise as Vice expertise is focused on Real world Attack
President Consulting to the top-tier Modeling, Red Team Testing and Infosec
security consulting firm Security- Testing. At Lares, Chris leads a team
Art. Prior to Security-Art, Ian was of security professional who conduct
the Director of Security Research at Risk Assessments, Penetration testing,
Aladdin and Finjan. Ian has also held Application Testing, Social Engineering, Red Team Testing and
leadership roles as founder and CTO Full Adversarial Attack Modeling. Prior to starting Lares, Chris
of a security startup in the IDS/IPS was Dir. of Security Services at Alternative Technology, a Sr. IT
arena, and a director at Datavantage. Prior to Datavantage, compliance at KPMG, Sr. Security Architect and Compliance
he managed the Internet Applications as well as the UNIX Manager at Sprint Corporate Security. Chris is a member of
departments at the security consulting firm Comsec. many security groups and was also a featured member of TruTV’s
Ian is a frequent speaker at the leading industry conferences Tiger Team. Chris is the cohost of the Exotic liability Podcast, the
such as BlackHat, DefCon, Infosec, Hacker-Halted, FIRST, author of the upcoming RED TEAM TESTING book published by
BruCon, SOURCE, ph-neutral, and many more. Elsevier/Syngress and a founding member of BSIDES Conference.
01/2011 (1) April Page 7 http://pentestmag.com
8. HOW-TO
Operationalize
Penetration Testing Results Using Network Monitoring
Software – All For Free
We will model the results of a penetration test using network and
application monitoring tools. The end result will be a dashboard
showing you the vulnerabilities that still exist and the ones
that have been remediated. This gives you a quick view of your
vulnerabilities and the speed with which they’re resolved.
P
enetration Testing these days is often done on • DVWA – Damn Vulnerable Web Application (http://
a one-off basis, meaning companies do them www.randomstorm.com/dvwa-security-tool.php) –
once a month, once a quarter or once a year An intentionally naughty web application.
and then never think about them again. I find that to • A Linux operating system. I used Ubuntu 10.10 for
be a shame and think that penetration testing can be everything, but you may use what you wish.
an invaluable tool in vulnerability management when
performed properly. You will obviously need network connectivity between
One of my hobbies/passions/interests/whatever in the the machines and virtual machines are recommended
industry is finding a way to effectively operationalize for this exercise. You will also have to be able to talk
security. That is, moving security out of the this is to the web application on the desired ports (typically
theoretically possibly realm and into the hey, we should ports 80, 443).
fix this because it’s happening now realm. Part of Setting up these tools is beyond the scope of this
this, I think, is finding a way to utilize the tools used article, but the installation documentation for all three
by our compatriots in the network and applications tools is excellent, plus there are LiveCDs for two
management domains. This article will use two very out of the three of them, so go ahead and get your
popular (well... one very popular and one really- environment set-up.
should-be popular) tools in the network monitoring and In our theoretical world, let’s pretend we just received
application monitoring spaces respectively. This will a penetration test report that our web application
give us a way to display that the vulnerabilities from the (DVWA) has a weak password associated with it. For
report still exist as reported and measure the response/ this example the login is admin/password. We begin
remediation time. by using Webinject to test that the login does indeed
work. This is done by creating a testcase in Webinject
Tools Needed: language: see Listing 1.
• Icinga (http://www.icinga.org) – A fork of the The first test, cleverly given the id of ‘1’, verifies
popular Nagios (www.nagios.org) monitoring suite. that the login.php page loads correctly, we want to be
• Webinject (http://www.webinject.org) – A very sure it’s there before we try to login to it. The second
powerful Perl script tool that allows you to build test test then posts our username (admin) and our weak
cases for web applications. password to login.php and then verifies we can see
01/2011 (1) April Page 8 http://pentestmag.com
9. Listing 1.
---testcases.xml
<testcases repeat="1">
<case
id="1"
description1="Load Login Page"
description2="verify Page Loads"
method="get"
url="http://192.168.38.156/login.php"
verifypositive="Damn Vulnerable Web Application"
/>
<case
id="2"
description1="Verify Weak Login Works"
method="post"
url="http://192.168.38.156/login.php"
postbody="username=admin&password=password"
verifypostive="Welcome to Damn Vulnerable Web App"
/>
</testcases>
the content behind the login. We can further extend you on how fast vulnerabilities are getting resolved.
this to test cases encompassing everything on our This can be a powerful tool in your arsenal and it
reports. SQL Injections, XSS bugs, etc., can all be speaks the languages of your network and application
modeled this way and monitored for. The beauty of teams, as well as, articulating the vulnerabilities to
using Webinject is it allows us to use it easily as a your security team while, providing metrics for your
nagios/Icinga plugin. Simply add <reporttype>nagios</ business team.
reporttype> to config.xml and you will get nagios/Icinga
compatible output.
Now you could very easily be done at this point. You
have some test cases to run that verifies the issues
found in the report. You could put this in a cron job
that emails you the status every couple of days and
be perfectly happy. However, with a little more work BILL MATHEWS
you can integrate this verification with Icinga and Bill Mathews is co-founder and
then have a near real-time dashboard showing the lead geek of Hurricane Labs,
status of your remediation efforts. This integration an information security firm
will do a few things for you, most importantly, it will founded in 2004. Bill wrote
provide some perspective on how much badness this article while recovering
was really found during your penetration test. It will from pneumonia so any
also add some accountability as you can break up errors are purely the result of
the dashboard by responsible groups. This way the medication. :-) You can reach
server administrators can see what is going on with Bill @billford on Twitter and be
the servers and the application team can see just the read other musings on http://
applications. Finally, it can provide some reporting for blog.hurricanelabs.com
01/2011 (1) April Page 9 http://pentestmag.com
