Penetration Testing Methodology – The Visual Guide – German Federal Office for Information Security (BSI)
ITIL rules in the UK, whereas the penetration testing model from the German Federal Office for Information Security (the BSI) is, IMHO, the clearest and easiest system to put into action. The Germans live and breathe data protection – these are the people to follow.
Penetration Methodology – The Visual Guide
The BSI model lays the choices out as rows of boxes… one row per classification criterion: information base (black-box or white-box), aggressiveness (passive, cautious, calculated, aggressive), scope (full, limited, focused), approach (covert or overt), technique (network, other communication, physical access, social engineering) and starting point (outside or inside).
Just draw a circle around one box in each row and the outline of the penetration test is scoped within two minutes. Easy, right? That is what working in visual mode gives you.
Get a pen, circle the level of aggressiveness and the scope, and you’re halfway there. It really is that simple. The devil may be in the detail, but with diagrams and visual guides it’s easy to get agreement.
Tools such as NMAP can be customised to be less aggressive than the default. The default timing template is -T3 (Normal), not -T4 (Aggressive); on a production network a -T1 or -T2 scan is usually more appropriate.
-T0 = Paranoid. One probe every five minutes, sent one at a time. Far too slow for a scoped test, but an attacker evading an IDS may need exactly that.
-T1 = Sneaky. One probe every 15 seconds, also sent one at a time.
-T2 = Polite. Still one probe at a time, about 0.4 seconds apart. If you’re on production servers you may not want to add pressure to the network.
Focused scope – how to target specific production servers
NMAP takes two files: a file of targets to include (-iL <file>) and a file of targets to exclude (--excludefile <file>; a short list can also go straight on the command line with --exclude).
EXCLUSION ALWAYS HAS PRIORITY
We can create an include file that lists only one or two IPs of, say, web servers, or a list of subnets in CIDR notation.
Next we have an exclude file. If an IP is in this file, NMAP won’t scan it, even if it is also listed in the include file or sits inside a subnet the include file names. There may be production servers that must not be scanned; add their IPs to this file.
AVOID NOISY SCANS – PORT Mnemonic.
-sP = Ping scan (host discovery; spelled -sn in newer releases). As root it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request to every address, so a sweep across a range generates lots of traffic and stands out.
-sO = IP protocol scan (not a protocol decode): raw IP packets cycling through protocol numbers. It looks odd on any network and gives the attacker away in a heartbeat.
-sR = RPC grind (now folded into version detection, -sV): it connects to every open port and fires RPC NULL calls to identify the program behind it. Lots of packets, and the connections land in application logs. Avoid this.
-sT = TCP connect scan. It completes the full three-way handshake, so the service itself logs the connection and the attacker’s IP, then NMAP tears every connection down straight away. SCAN OF LAST RESORT!!
The mnemonic for the noisy scans to avoid is PORT: -sP, -sO, -sR and -sT (the scan of last resort).
-Pn = Skip host discovery (no ping before the port scan). Older releases spelled it -P0 or -PN. For heaven’s sake, use it. PLEASE!!!
-n = Turn off reverse DNS, so no lookups for the target addresses leave your machine. Use the IP, not the hostname. If you must use hostnames, put them in the local hosts file (/etc/hosts, or drivers\etc\hosts on Windows), not LMHOSTS, which is only consulted for NetBIOS names.
So you can see how easily the visual penetration testing methodology converts into NMAP options, and how many default settings it switches off to protect the network.
Even more important, if you’re the attacker, you now know why you should NOT be using the NMAP defaults. Think of the target’s logs as the sonar in a submarine: you can tell a lot from the bounced signals. An -O scan opens with six TCP SYN probes to one open port, sent 100 ms apart. So if anyone mentions seeing six SYNs in a row in the logs, we know it’s an OS-detection profile.
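The timing choice, the include/exclude file pair and the quiet-flag advice above can be tied together in one script. This is an added example, not code from the original page or from the BSI model: it maps an assumed BSI aggressiveness level onto a timing template, writes the two target files, works out the effective target set (the exclude file always wins) and audits a command line for the options named in the PORT mnemonic. It builds the NMAP argv but never executes it. The level names, their mapping onto -T0..-T3, the file names and the addresses are this example’s own assumptions.

```python
"""Turn a BSI-style test classification into a reviewed nmap command line.

Added example; not code from the original page or from the BSI model, and it
never executes nmap. It writes the target and exclude files, returns the argv
a tester would run, computes the effective target set (exclusion wins), and
audits an argv for the noisy defaults the page warns about. The mapping of
BSI aggressiveness levels onto -T templates is this example's own assumption.
"""
import ipaddress
import os
import re
import tempfile

# Assumed mapping of the BSI "aggressiveness" criterion onto nmap timing templates.
AGGRESSIVENESS_TO_TIMING = {
    "passive": "-T0",     # paranoid: one probe every five minutes
    "cautious": "-T1",    # sneaky: one probe every fifteen seconds
    "calculated": "-T2",  # polite: ~0.4 s between probes, still one at a time
    "aggressive": "-T3",  # normal: nmap's default
}

# Scan types the PORT mnemonic keeps off a production estate (-sn is the newer spelling of -sP).
NOISY_SCAN_TYPES = {"-sP", "-sn", "-sO", "-sR", "-sT"}


def expand(entries):
    """Expand single hosts and CIDR blocks into the set of individual addresses."""
    addrs = set()
    for entry in entries:
        addrs.update(str(a) for a in ipaddress.ip_network(entry.strip(), strict=False))
    return addrs


def effective_targets(include, exclude):
    """What nmap will actually touch: the exclude list always wins, even for
    an address that is listed explicitly in the include list."""
    return expand(include) - expand(exclude)


def build_nmap_argv(aggressiveness, include, exclude, ports="80,443", workdir=None):
    """Write targets.txt / exclude.txt and return the nmap argv (not executed)."""
    workdir = workdir or tempfile.mkdtemp(prefix="scope-")   # constructed location
    targets_file = os.path.join(workdir, "targets.txt")
    exclude_file = os.path.join(workdir, "exclude.txt")
    with open(targets_file, "w") as fh:
        fh.write("\n".join(include) + "\n")
    with open(exclude_file, "w") as fh:
        fh.write("\n".join(exclude) + "\n")
    return [
        "nmap",
        AGGRESSIVENESS_TO_TIMING[aggressiveness],
        "-sS",                          # half-open SYN scan: no completed handshake for the service to log
        "-Pn",                          # skip host discovery (older releases: -P0 / -PN)
        "-n",                           # no reverse DNS lookups
        "-p", ports,
        "-iL", targets_file,
        "--excludefile", exclude_file,  # exclusions override -iL
    ]


def audit_argv(argv):
    """Return the reasons an argv is noisier than a production test should be."""
    problems = []
    for noisy in sorted(NOISY_SCAN_TYPES.intersection(argv)):
        problems.append(f"{noisy}: noisy scan type (PORT mnemonic)")
    for arg in argv:
        m = re.fullmatch(r"-T([0-5])", arg)
        if m and int(m.group(1)) > 3:
            problems.append(f"{arg}: faster than the -T3 default")
    if not {"-Pn", "-PN", "-P0"}.intersection(argv):
        problems.append("missing -Pn: host-discovery pings will be sent")
    if "-n" not in argv:
        problems.append("missing -n: reverse DNS lookups will be made")
    return problems


if __name__ == "__main__":
    include, exclude = ["10.10.1.0/30", "10.10.2.7"], ["10.10.1.2"]   # constructed scope
    argv = build_nmap_argv("calculated", include, exclude)
    print(" ".join(argv))
    print("will scan:", sorted(effective_targets(include, exclude)))
    print("audit of a noisy default-style line:", audit_argv(["nmap", "-sT", "-T4", "10.10.2.7"]))
```

Run the candidate argv through audit_argv before executing it; the script deliberately stops short of calling nmap so the two scope files and the effective target list can be signed off first.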
OS Recon -O
Step 1 – Sequence generation = 6 probes. Six TCP SYN packets to an open port, 100 ms apart, from which NMAP measures how the target generates its TCP initial sequence numbers, IP IDs and TCP timestamps. A predictable, incrementing IP ID is exactly what the Idle (Zombie) scan -sI needs in a zombie, and -sI probes a candidate zombie for it. So if you see six SYNs in a row, look out for a Zombie Scan; and look for the UDP and ECN probes too, in case a full -O scan is underway.
Step 2 – ICMP = 2 probes. Two echo requests that differ in type-of-service, ICMP code and payload size.
Step 3 – UDP = 1 probe. It must be sent to a closed port so the target answers with an ICMP port-unreachable (not a RST; RSTs are a TCP reply). Think of this as SONAR: the reflected signal from a closed port is what carries the footprint, so the port MUST be closed to get a bounced signal.
Step 4 – ECN (Explicit Congestion Notification) = 1 probe. A SYN with the ECE and CWR flags set, sent to an open port.
Step 5 – TCP = 6 probes (T2 to T7), with flag combinations and port choices no normal stack would produce.
NMAP will issue these TCP packets, including:
**** No flags set (T2, to an open port)
**** F, S, P, U flags set (T3, to an open port)
**** A flag only (T4 to an open port, T6 to a closed port)
**** S flag only, to a closed port (T5)
**** F, P, U flags set (T7, to a closed port)
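To make the sonar idea concrete, here is a detector run over packet-log lines. It is an added example, not code from the original page; the line format and the sample traffic are constructed for it, but the pattern it scores is the -O probe order above: six SYNs to one open port about 100 ms apart, two ICMP echoes, the ECN SYN, the flag-less / SYN+FIN+PSH+URG / FIN+PSH+URG packets, and a UDP probe answered by an ICMP port-unreachable. The addresses, timestamps, window size and the scoring threshold are assumptions of the example.

```python
"""Spot nmap -O style OS-detection probe sequences in packet-log lines.

Added example, not code from the original page. The log format and the
sample lines are constructed for this example; the probe pattern it scores
is nmap's documented -O sequence. Thresholds are this example's own choice.
"""
import re
from collections import defaultdict

# Constructed, tcpdump-like line format: "<ts> IP <src> > <dst>: <PROTO> <details>"
LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<proto>TCP|UDP|ICMP) ?(?P<rest>.*)$")
TCP_RE = re.compile(r"flags=(?P<flags>\S*) dport=(?P<dport>\d+)")
UDP_RE = re.compile(r"dport=(?P<dport>\d+)")

# Flag sets carried by nmap's T2 (none), T3 (SYN FIN PSH URG) and T7 (FIN PSH URG) probes.
MALFORMED_FLAG_SETS = {frozenset(), frozenset("SFPU"), frozenset("FPU")}

# Constructed sample: an -O run from 10.0.0.5 against 10.0.0.20 and ordinary traffic from 10.0.0.9.
SAMPLE_LOG = """\
1700000000.000 IP 10.0.0.9 > 10.0.0.20: TCP flags=S dport=443
1700000000.000 IP 10.0.0.5 > 10.0.0.20: TCP flags=S dport=80
1700000000.100 IP 10.0.0.5 > 10.0.0.20: TCP flags=S dport=80
1700000000.200 IP 10.0.0.5 > 10.0.0.20: TCP flags=S dport=80
1700000000.300 IP 10.0.0.5 > 10.0.0.20: TCP flags=S dport=80
1700000000.400 IP 10.0.0.5 > 10.0.0.20: TCP flags=S dport=80
1700000000.500 IP 10.0.0.5 > 10.0.0.20: TCP flags=S dport=80
1700000000.600 IP 10.0.0.5 > 10.0.0.20: ICMP echo request
1700000000.650 IP 10.0.0.5 > 10.0.0.20: ICMP echo request
1700000000.700 IP 10.0.0.5 > 10.0.0.20: TCP flags=SEW dport=80
1700000000.750 IP 10.0.0.5 > 10.0.0.20: TCP flags= dport=80
1700000000.800 IP 10.0.0.5 > 10.0.0.20: TCP flags=SFPU dport=80
1700000000.850 IP 10.0.0.5 > 10.0.0.20: TCP flags=A dport=80
1700000000.900 IP 10.0.0.5 > 10.0.0.20: TCP flags=S dport=1
1700000000.950 IP 10.0.0.5 > 10.0.0.20: TCP flags=A dport=1
1700000001.000 IP 10.0.0.5 > 10.0.0.20: TCP flags=FPU dport=1
1700000001.050 IP 10.0.0.5 > 10.0.0.20: UDP dport=40125
1700000001.051 IP 10.0.0.20 > 10.0.0.5: ICMP port unreachable
1700000002.000 IP 10.0.0.9 > 10.0.0.20: TCP flags=S dport=443
1700000002.500 IP 10.0.0.9 > 10.0.0.20: TCP flags=A dport=443
"""


def parse(lines):
    """Yield one record per line that matches the constructed format; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = {"ts": float(m["ts"]), "src": m["src"], "dst": m["dst"], "proto": m["proto"]}
        if rec["proto"] == "TCP":
            t = TCP_RE.search(m["rest"])
            if not t:
                continue
            rec["flags"], rec["dport"] = frozenset(t["flags"]), int(t["dport"])
        elif rec["proto"] == "UDP":
            u = UDP_RE.search(m["rest"])
            if not u:
                continue
            rec["dport"] = int(u["dport"])
        else:
            rec["kind"] = m["rest"]          # "echo request" / "port unreachable"
        yield rec


def detect_os_probes(lines, window=5.0):
    """Score each (src, dst) pair on the -O indicators seen within `window`
    seconds of its first packet. Returns {(src, dst): {"indicators", "os_detection_likely"}}."""
    by_pair = defaultdict(list)
    for rec in parse(lines):
        by_pair[(rec["src"], rec["dst"])].append(rec)
    findings = {}
    for (src, dst), pkts in by_pair.items():
        pkts = sorted(pkts, key=lambda p: p["ts"])
        t0 = pkts[0]["ts"]
        pkts = [p for p in pkts if p["ts"] - t0 <= window]
        tcp = [p for p in pkts if p["proto"] == "TCP"]
        # Sequence generation: six SYNs to the same port, each roughly 100 ms after the last.
        syn_times = defaultdict(list)
        for p in tcp:
            if p["flags"] == frozenset("S"):
                syn_times[p["dport"]].append(p["ts"])
        seq_gen = any(len(ts) >= 6 and all(0 < b - a <= 0.2 for a, b in zip(ts, ts[1:]))
                      for ts in syn_times.values())
        icmp_echo = sum(p.get("kind") == "echo request" for p in pkts if p["proto"] == "ICMP")
        ecn = any(p["flags"] == frozenset("SEW") for p in tcp)   # SYN + ECE + CWR
        malformed = sum(p["flags"] in MALFORMED_FLAG_SETS for p in tcp)
        # The UDP probe only yields a fingerprint when the port is closed, i.e. the
        # target answers with an ICMP port-unreachable in the reverse direction.
        unreach = [r["ts"] for r in by_pair.get((dst, src), [])
                   if r["proto"] == "ICMP" and r.get("kind") == "port unreachable"]
        udp_closed = any(p["proto"] == "UDP" and any(0 <= u - p["ts"] <= 1.0 for u in unreach)
                         for p in pkts)
        indicators = {"seq_gen_six_syns": seq_gen, "icmp_echo_pair": icmp_echo >= 2,
                      "ecn_syn": ecn, "malformed_tcp": malformed, "udp_to_closed_port": udp_closed}
        hits = sum(1 for v in indicators.values() if v)
        findings[(src, dst)] = {"indicators": indicators,
                                "os_detection_likely": seq_gen and malformed >= 2 and hits >= 4}
    return findings


def suspicious_pairs(lines):
    """(src, dst) pairs whose traffic looks like an -O run, sorted for stable output."""
    return sorted(pair for pair, f in detect_os_probes(lines).items() if f["os_detection_likely"])


if __name__ == "__main__":
    for pair, f in detect_os_probes(SAMPLE_LOG.splitlines()).items():
        print(pair, f)
    print("suspicious:", suspicious_pairs(SAMPLE_LOG.splitlines()))
```

The six-SYN burst on its own is the cheapest signal to alert on, but a single indicator also fires on legitimate retransmissions, which is why the verdict here requires the sequence-generation burst plus at least two of the malformed-flag packets before calling it OS detection.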
So suddenly the methodology has come to life. The visual guides help us get the settings right for the production environment.