Final Penetration Test Proposal
University of Maryland, University College. Course 321, Information Systems. Uploaded by mdshay, Feb 20, 2024.
Penetration Test Proposal
Deliverable 4: Final Penetration Test Proposal
Course Number and Section: CMIT 321 6387
Date: July 7, 2020
Rules of Engagement
Overview
Centralia Security Lab (CSL) has been hired by Haverbrook Investment Group L.L.L.P. (HIG) to perform a penetration test (pentest) on their networks. These tests will determine the vulnerability of HIG’s networks and specifically identify potential vectors of malicious access (Information Supplement: Penetration Testing Guidance, 2017). These tests are meant to mimic real-life attack scenarios and, by identifying vulnerabilities, keep such attacks from happening. Any identified security issues will be documented and issued to HIG stakeholders to assist in changes and updates to current security controls.
Scope
The CSL grey box pentest will cover HIG’s corporate network, including computers operating in the IP range of 10.4.12.20-31, the printer on 10.X.X, and all attached servers and networking systems. HIG can limit the scope of the pentest at any time, including barring access to specific IP ranges or IT systems. Testing will be conducted during regular business hours (9:00 AM to 5:00 PM) Monday through Friday. The testing will begin at an agreed-upon time with HIG’s stakeholders, leaving a five-day window open prior to the initiation of the pentest. At this point, stakeholders will be given an initial pentest brief, containing a general overview of the pentest. At the conclusion of each day, the testers will compile results to be sent to stakeholders the following morning. The pentest will last five days and, after its conclusion, CSL will prepare an after-action report that will detail findings and recommendations.
Prior to the initiation of testing, HIG and CSL will ratify an agreement that will give permission to CSL to conduct the pentest. This agreement will also guarantee that HIG’s IT systems and data will not be compromised tangibly, legally, or ethically. CSL will encrypt any data regarding HIG’s networks and destroy any HIG data that has been accessed as a result of the pentest. CSL testers will also be bound by a non-disclosure agreement.
During the five-day testing window, reporting of criminal activity related to HIG’s networks will be routed through one of the company stakeholders to ensure that testing activity is not mistaken for criminal activity (EC-Council, n.d.).
Checklist
CSL will attempt the following actions:
- Discovery and enumeration of the network
- Data exfiltration
- Acquire user/administrator credentials and passwords
- Escalate permissions
- Install or alter software
- Gain access to secure files
- Social engineering
CSL will use a number of tools to perform the pentest, such as Kali Linux, Nmap, and Wireshark.
Ethical Considerations
CSL’s pentest team will only engage the specified IP range during the specified times. The CSL team will not operate outside of these parameters or engage HIG networks in any way other than what has been previously specified.
The CSL team will also sign a non-disclosure agreement, protecting both sensitive information that may be observed by the team during the penetration test and information about any discovered network vulnerabilities.
Reconnaissance Plan Overview
The pentest begins with the reconnaissance or footprinting phase. These actions are conducted to collect data pertaining to the network that is being evaluated prior to the actual engagement with the network. This information is collected from the company, the company’s network, and open sources such as social media. There are two types of footprinting that will be utilized: passive and active footprinting.
Passive reconnaissance efforts utilize methods that do not actually involve engaging the network. Because they do not touch the network, they can’t present any signatures that the network is being reconnoitered. Active reconnaissance efforts engage the network or organization to collect data for the pentest. Because of this, they can possibly alert the company to the attempts at collecting the data.
Reconnaissance Methods
Passive Reconnaissance Methods:
Search Engine
Search engines, such as Google, can be used to uncover some data regarding the network that is being evaluated. Google has advanced search operators that can be combined to search for specific things in specific places that might reveal vulnerabilities.
Web services/social media
Websites such as LinkedIn, or social media like Facebook, can reveal a lot about the company and potential targets. They could reveal the personnel structure, identifying higher-ranking targets in the company that might lead to more sensitive data.
There are also sites that can reveal characteristics of the network, once the domain has been determined. Sites like Netcraft or SHODAN can reveal the operating systems or information about devices connected to the internet from the target network (EC-Council, 2018).
Active Reconnaissance Methods:
Website Tracking
Utilities called web spiders, such as Web Data Extractor, pull all pertinent data out of a website. The data that is pulled out includes items like email addresses and phone numbers. There are also mirroring applications, like HTTrack, that create copies of websites that can be examined offline (Roeder, 2020).
Email Footprinting
There is quite a bit of data that can be extracted from the header of an email, including the sender’s name, email address and IP address, and information about the mail server (Ghahrai, 2019). There are also programs, such as eMailTrackerPro, that can produce information about the email recipient, including things like the internet browser or operating system that is being used.
Whois Lookup
Regional Internet Registries store information about the owners of domains in searchable databases. The information that is obtained from these searches, such as the domain owner’s phone number or email address, can be used in social engineering attempts (EC-Council, 2018).
Traceroute
Traceroute tools, such as Path Analyzer Pro, send packets to a destination and show all the devices that the packets pass through to get there. This can help outline the topology of the network, identifying devices such as servers, routers, and firewalls.
Social Engineering
Social engineering efforts may not actually touch the network, but they can reveal some of the most sensitive data. Common methods include eavesdropping, shoulder surfing and dumpster diving (Footprinting Methodology, n.d.).
Documentation
After the reconnaissance phase is complete, testers will document any vulnerabilities and prepare mitigation recommendations.
Scanning Plan
Overview
During the scanning phase of the pentest, testers use information uncovered during the reconnaissance phase to acquire more specific details about the network and its topology. It identifies things like hosts, ports, or services that are active on the network. These details can help identify vectors of access to the network for the exploitation phase of the pentest.
Tactics, Techniques, and Procedures
In order to conduct the exploitation phase of the pentest, testers will have to have information about the network and the devices and services on the network, including details such as usernames and operating systems. There are several types of scanning that are utilized in this process, including port scanning, network scanning and vulnerability scanning. Port scanning identifies ports that are being utilized by the network, network scanning detects IP addresses on the network, and vulnerability scanning recognizes vulnerabilities on a system that may be exploitable (EC-Council, 2018).
Host Recognition
Testers can determine live hosts using Nmap or other tools by running a ping sweep. Ping sweeps send out messages to all hosts and if the hosts are active, a message is returned. This allows the tester to determine the IP addresses that will be targeted.
Port Scanning
Once again, the utility Nmap can be used to detect open ports on the network. Ports that are left unnecessarily open represent potential vulnerabilities that can be used to gain access to the network.
OS Fingerprinting
The Nmap utility sends a number of different specially crafted TCP packets to different TCP ports. The responses that come back identify the operating system that is being used. Determining the version of the operating system that systems are running will allow the testers to know the vulnerabilities of those systems.
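The host discovery, port scanning and fingerprinting steps above all generate traffic that HIG’s own monitoring should be able to see. As an added defender-side example (not part of this proposal), the Python script below runs simple detection logic over constructed firewall log lines: one source touching many hosts in the 10.4.12.20-31 range is flagged as a ping sweep, and one source touching many ports on one host as a port scan. The log format and the two thresholds are assumptions; a production detector would also bound the count by a time window.

```python
from collections import defaultdict

SWEEP_THRESHOLD = 8   # distinct hosts probed by one source (assumed threshold)
SCAN_THRESHOLD = 6    # distinct ports probed on one host by one source (assumed threshold)


def parse_line(line):
    """Parse '<time> <src> -> <dst>:<dport> <proto>' into a dict; None if malformed.
    dport is '-' for ICMP echo requests (assumed log format)."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->" or ":" not in parts[3]:
        return None
    dst, dport = parts[3].rsplit(":", 1)
    return {"time": parts[0], "src": parts[1], "dst": dst, "dport": dport, "proto": parts[4]}


def detect_scans(lines, sweep_threshold=SWEEP_THRESHOLD, scan_threshold=SCAN_THRESHOLD):
    """Return (sweeps, scans): sources that touched >= sweep_threshold distinct hosts,
    and (src, dst) pairs that touched >= scan_threshold distinct ports."""
    hosts_by_src = defaultdict(set)
    ports_by_pair = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip malformed records rather than crash the detector
            continue
        hosts_by_src[rec["src"]].add(rec["dst"])
        if rec["dport"] != "-":
            ports_by_pair[(rec["src"], rec["dst"])].add(rec["dport"])
    sweeps = {src: len(h) for src, h in hosts_by_src.items() if len(h) >= sweep_threshold}
    scans = {pair: len(p) for pair, p in ports_by_pair.items() if len(p) >= scan_threshold}
    return sweeps, scans


# Constructed sample traffic (not real logs): one source pings every host in
# 10.4.12.20-31, then probes ten TCP ports on 10.4.12.25; a workstation's normal
# web traffic and a garbled line are mixed in to show what the thresholds ignore.
SAMPLE_LOG = (
    [f"09:01:{i:02d} 10.4.12.77 -> 10.4.12.{20 + i}:- icmp" for i in range(12)]
    + [f"09:02:{i:02d} 10.4.12.77 -> 10.4.12.25:{p} tcp"
       for i, p in enumerate([21, 22, 23, 25, 80, 135, 139, 443, 445, 3389])]
    + ["09:03:00 10.4.12.30 -> 10.4.12.25:443 tcp",
       "09:03:05 10.4.12.30 -> 10.4.12.26:80 tcp",
       "garbled line that should be skipped"]
)

if __name__ == "__main__":
    sweeps, scans = detect_scans(SAMPLE_LOG)
    for src, n in sweeps.items():
        print(f"possible ping sweep: {src} probed {n} hosts")
    for (src, dst), n in scans.items():
        print(f"possible port scan: {src} probed {n} ports on {dst}")
```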
Documentation
The known topology of the network should be appropriately diagrammed, using a tool such as Network Topology Mapper. The network diagram will be integral to the pentest. Additionally, noted vulnerabilities should be documented with potential remedies.
Gaining Access Plan
Overview
The Gaining Access portion of the pentest can be described as using the results of our reconnaissance to try and penetrate the target network through a user account with lower privilege levels. These accounts provide an opportunity because they are not monitored as closely, and their owners may not be as careful. The goal is to leverage those accounts to escalate privilege and be able to extract data or install malware.
Vulnerable Resources
There are several resources that can be utilized to identify vulnerabilities based on initial reconnaissance. Specific operating systems, software, and services could have known and noted security vulnerabilities that could be exploited to gain access. The following are a few of these resources.
National Vulnerability Database (NVD) – The NVD is maintained by the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) and is the U.S. government’s official database of cybersecurity vulnerabilities. This is a list of discovered and public vulnerabilities that includes things like known software vulnerabilities or hardware/software misconfigurations that could provide a vector of ingress. Many times, these vulnerabilities can also be used to escalate privilege.
Common Vulnerabilities and Exposures (CVE) list – This list of vulnerabilities actually feeds into the NVD. It is managed by the nonprofit organization MITRE and is sponsored by the federal government (Armerding, 2017). It compiles vulnerabilities and exposures in software into a free and searchable database.
Google Hacking Database (GHDB) – The GHDB is a resource that allows you to expose files or data that may have otherwise been hidden. It originally did this by manipulating search terms in Google but can now be used in other web search engines. Potentially, it can reveal usernames and passwords that would allow access.
Techniques and Software
There are several techniques and tools that are used to gain access, generally to acquire credentials for lower-privilege accounts. The following are some of those techniques and methods.
Techniques
Social Engineering - Social engineering tries to take advantage of the people in the organization. It includes methods such as phishing, in which an email is used to try and get an individual to divulge credentials. Another common method is dumpster diving, which involves going through trash to try and find sensitive information.
Password Cracking – Password cracking is an attempt to obtain a password using techniques such as brute force, which is simply trying every possible combination of characters until the password is discovered. There are also
Password Guessing/Default Passwords – Sometimes passwords used by individuals might be obvious. In some cases, passwords may be surmised using details known about an individual. In other cases, default passwords may not have been changed.
DLL Hijacking – DLL Hijacking is a method of escalating privilege by substituting an application’s library file (extension .dll) with a compromised version (EC-Council, 2018). When the application tries to utilize the compromised file, it will allow remote access for the pentester.
Software
Backdoor/Trojan - This type of software can be placed on machines on the target network in a number of ways, but most commonly will be delivered via email. Once installed on the computer, the backdoor provides remote access.
Kali Linux – Kali Linux is an operating system often used in penetration tests. Several password cracking applications are used via this operating system, as are many of the tools used by the pentest team.
Keylogger – A keylogger is useful for the pentest team because it stores and sends every keystroke that is made on the system that it is installed on. The output would produce the credentials in plain text.
Maintaining Access Plan
Overview
Once access has been acquired, it becomes a priority to attempt to preserve that access. The goal is to maintain persistent access or find a way that access can be easily replicated. This period of extended access can be used to alter files, increase access levels, exfiltrate data, and more. Another important goal of this particular part of the pentest is to make sure that you’re not detected. This means taking cautions such as limiting and masking data that is exfiltrated.
Some of the methods that were utilized in the gaining access plan will continue to be used in the maintaining access portion of the pentest, such as password cracking.
Techniques and Software
Backdoor
Backdoors have been previously mentioned, but they are also key to this portion of the pentest plan. Backdoors can continue to collect credentials and restricted data, enabling the escalation of privilege, which will preserve and enhance access.
Rootkits
Rootkits are programs that loiter on a system for long periods of time, remaining undetected and gathering data like credentials in order to escalate privilege. Usually introduced to a system via a Trojan horse, a rootkit can allow remote connections or exfiltrate data, including sensitive data or login credentials.
Covert Channels
Covert channels are ways for pentesters to mask or disguise data while exfiltrating it (Penetration Testing: Maintaining Access, 2018). These channels can be encrypted to disguise the content of the transmission as well. Covert channels can be difficult to block because they commonly piggy-back on legitimate protocols.
Covering Your Tracks Plan
Overview
Ideally, for a hacker, the victims of the attack would never know that they were attacked. In order to accomplish this, the pentest team will need to remove or hide any traces that they were on the system. The goal is to make it difficult or impossible to detect that the system has been exploited, while preserving the potential for access. Getting caught means that the security issues being exploited might be noticed by the victim and access could be lost forever.
Techniques and Software
Delete/Alter Logs
Logs are used to maintain a record of activity on a system and analysis of those records can indicate that there has been a breach (Penetration Testing: Covering Tracks, 2016). In order to make sure that this data can't be discovered and analyzed, there are two forms of action. First, the logs can just be deleted from the system. This can be problematic because the absence of a log may seem suspicious. Secondly, the content of the logs can be altered to cover any suspicious activity. This can be difficult because it requires a high level of access.
Disable Auditing
Disabling auditing keeps logs from even being created, so that data that might be evidence of an intrusion never exists. Using a tool like Auditpol, the pentest team can shut down auditing or just determine the kinds of items that are being audited.
Steganography
Steganography can be used to hide data in other file types. There are quite a few variations in the methods used, but they all essentially create space somewhere in the file to store data undetected. Any file type can be used and there are several programs available that easily accomplish this, including programs such as OpenStego, StegoStick, OmniHide Pro, and DeepSound (ref).
Alternative Data Streams
NTFS (New Technology File System), the file system used by almost all Windows operating systems, can be leveraged to hide files on a system. An attacker uses the alternate data streams contained in a file to mask the true purpose of the file. NTFS streams can be altered from the command line.
References
Armerding, T. (2017, July 10). What is CVE, its definition and purpose? Retrieved from https://www.csoonline.com/article/3204884/what-is-cve-its-definition-and-purpose.html
EC-Council. (2018, May). Certified Ethical Hacker (CEH) Version 10 eBook (Volumes 1 through 4). [eVantage]. Retrieved from https://evantage.gilmoreglobal.com/#/books/9781635671919/
Penetration Testing: Covering Tracks. (2016, August 04). Retrieved from https://resources.infosecinstitute.com/penetration-testing-covering-tracks/
Penetration Testing: Maintaining Access. (2018, October 6). Retrieved from https://resources.infosecinstitute.com/penetration-testing-maintaining-access/