Wednesday, April 2, 2008

Network Penetration Testing Framework: From A-to-Z

A security assessment or penetration test proceeds through a series of steps, each covering a number of different but related activities. The following are the major steps that lead to an in-depth security analysis of the target host or network, from information gathering through to successful exploitation.

-Information Gathering or Footprinting
(Public database (whois), Netcraft, Telephone directories, Physical Locations, Blogs, Newsgroups)

-Network Scanning
(Nmap, Unicorn Scan, Scanrand, Superscan)

-Enumeration & Service Identification
(Netcat, DumpSec, NBTScan, DNS Zone Transfers (nslookup), p0f, NetE, SNMPWalk)

-Password Cracking
(LC5 (LM/NTLM hashes), LCP Tool, Cain and Abel (multi-purpose cracking tool), Passcracking.com (MD5, SHA1, MySQL), THC-Hydra)

-Vulnerability Assessment
(Tenable Nessus, NeXpose, QualysGuard, X-Scan, Shadow Security Scanner (SSS), SARA, SAINT, ISS Scanner, eEye Retina, Matta Colossus)

-Exploitation & Privilege Escalation
(Metasploit Framework, InGuma Toolkit, *nix local root exploits (http://www.linuxrootkit.cn/localroot/), web shells (such as c99/r57shell for PHP and others for ASP, JSP, ASPX, PL) including web-based backdoors, IIS/Apache-based privilege escalation tools, etc.)

-Maintaining Access
Rootkits (AFXRootkit, AphexRootkit, FURootkit, hxdef100r, Nuclear-Rootkit, MBR rootkits)
Trojans (Shark, Nuclear RAT, ProRat, Poison Ivy, Bifrost)
NTFS ADS (Alternate Data Streams, used to hide data inside another file)
Steganography (Mp3Stego, ImageHide, Camera/Shy)

-Covering Tracks
(AuditPool, Evidence Eliminator, WinZapper)

NOTE:
Working with these tools and techniques in your own lab, and understanding their procedures and usage, is what makes a successful penetration test against your chosen target possible. Beyond these, many other security auditing tools exist; listing all of them is beyond the scope of a blog post, but the following, grouped by category, are worth looking at:

-Static Code Analysis
(FindBugs, RATS, CodeSecure, Coverity Prevent, Pixy, SWAAT, MZTools, Fortify, Ounce, Parasoft, Sprajax)

-Fuzzing Tools
(SPIKE, Sulley, PROTOS, WSFuzzer, Codenomicon, Peach, beSTORM, EFS, ISIC, zzuf, Scratch, LXAPI, antiparser, FileFuzz)

-Advanced Automated Exploitation
(ImmunitySec Canvas, Argeniss 0day, CoreImpact, GLEG VulnDisco)

-Web Application & Database Penetration Testing Tools
(Acunetix Scanner, Watchfire AppScan (IBM), SPI Dynamics WebInspect (HP), NGSSQuirreL, AppDetectivePro, Typhon III, Paros Proxy, Burp Suite, Cenzic Hailstorm, WebScarab, Wapiti, Nikto, w3af)

-Penetration Testing Methodologies and Assessment Frameworks
(OSSTMM, ISSAF, VulnerabilityAssessment.co.uk)

Online Vulnerability Databases:

SecurityFocus (http://www.securityfocus.com)
milw0rm (http://www.milw0rm.com)
Packet Storm (http://www.packetstormsecurity.org)
FrSIRT (http://www.frsirt.com)
MITRE Corporation CVE (http://cve.mitre.org)
NIST National Vulnerability Database (http://nvd.nist.gov)
ISS X-Force (http://xforce.iss.net)
CERT vulnerability notes (http://www.kb.cert.org/vuls)

Spanish translation by: Rafael M and Alfredo G.