=Paper= {{Paper |id=Vol-2081/paper11 |storemode=property |title=Applied Aspects of Security Testing |pdfUrl=https://ceur-ws.org/Vol-2081/paper11.pdf |volume=Vol-2081 |authors=Alexander V. Dorofeev,Yrii V. Rautkin }} ==Applied Aspects of Security Testing== https://ceur-ws.org/Vol-2081/paper11.pdf
Applied Aspects of Security Testing

Alexander V. Dorofeev
Training Center Echelon, NPO
Moscow, Russia
mail@npo-echelon.com

Yrii V. Rautkin
Fedorova Institute of Applied Geophysics
Moscow, Russia
niira7@mail.ru

Abstract—The article is concerned with the procedure for ethical testing of computer systems' resource security. The capabilities of the Metasploit Framework testing tool are considered. The key "pain points" of modern corporate systems are identified. The general scheme and the security testing procedure are suggested. Vulnerability collection phases, checking the probability of exploiting discovered vulnerabilities, influence zone extension and privilege escalation are discussed in detail. It is shown that the proposed approach allows the maximum number of vulnerabilities to be detected.

Keywords— information security; security testing; penetration testing; exploit; Metasploit Framework; Scanner-VS

I. INTRODUCTION

Very few experts specializing in security testing have ever faced a situation in which they were unable to fully compromise a network in the course of internal penetration testing [7]. The reasons why ethical hackers succeed are trite: weak passwords, missing critical security updates and configuration errors [11, 13]. This brings up two questions: if the causes of vulnerabilities are so trite, can a list of key tests be devised that a system administrator could carry out independently, and is there a tool that could help with this? The tool of our choice is Metasploit Framework, which can be installed by the user or used as part of the Scanner VS complex [6, 10, 15, 16, 21]. Note that it is not our intention in this article to focus on security testing of web applications, as these represent a separate testing area [2].

Before coming to grips with engineering problems, we should understand what may interest potential attackers and how they will act.

II. INFORMATION ATTACKERS ARE INTERESTED IN

As a rule, cyber-attackers are motivated by money earned from successful hacking (theft of funds, blackmail, carrying out orders for an interested party) or by their own curiosity and the wish to check what they are capable of. Attackers may aim at whatever permits them either to steal or to earn. Apart from any system operated by an organization, their aim may be folders on file servers and documents on users' workstations.

III. HIGH RISK AREAS

The main reason why somebody fails to install security updates or change a default password is a lack of responsible and proper control [12]. This reason allows us to identify the following pain points, confirmed by our penetration testing practice [1, 4, 6, 8, 9, 14, 18-20, 23, 24].

- Systems outsourced to third parties. Normally, these are accounting, security and process systems. Contractors do not care about their security, as this is the customer's area of responsibility rather than theirs. Administrators tend to dodge liability, being unable to understand the process.
- Test and design environments. Since these are not production systems, administrators will leave them in the hands of developers who may bring in vulnerabilities.
- Conditionally isolated systems. If a network is physically isolated and has no access to the Internet, "responsible" specialists may decide there is no point in installing antivirus software and other protection tools and, certainly, that it is not worth updating anything.
- Shared network locations. File servers and shared folders on servers and workstations. This is where backup files, scripts with credentials and passwords, and system logs can be easily found.
- Critical IT infrastructure elements. The domain controller contains a credentials database, and many systems support authorization by a domain credential. The domain controller, therefore, is the number-one priority for any attacker in a Windows network.

IV. METASPLOIT FRAMEWORK GENERAL HANDLING PROCEDURE

As we have chosen Metasploit Framework as a security testing tool, we need to describe the basic algorithm of handling its constituent modules. A module is handled by performing the following steps:

1. Search for a suitable module using the search command or Google.
2. Select the module with the use command.
3. View the chosen module's settings using the show options or show advanced commands.
4. Specify each required setting using the set command.
5. Enable verbose output using the set verbose true command.
6. Run the module using the run command.
V. GENERAL SECURITY TESTING PROCEDURE

Security testing of information systems is often a creative process that, nevertheless, can and should be structured to obtain comparable and complete testing results [1, 4, 5, 8, 9].

The following sources provide a good description of security testing methodologies [3, 17, 18, 22]:

- Penetration Testing Execution Standard (PTES);
- Open Source Security Testing Methodology Manual (OSSTMM);
- Technical Guide to Information Security Testing and Assessment (NIST SP 800-115);
- OWASP Testing Guide.

PTES offers a detailed structure of the tasks to be tackled during security testing and exemplifies the use of various tools, while giving hardly any details of Metasploit Framework. OSSTMM is largely intended for information security managers and contains a very restricted amount of technical information. NIST SP 800-115 was adopted in 2008 and only partially covers modern approaches to security testing. OWASP Testing Guide is only concerned with security testing of web applications and contains a detailed and structured description of testing methods and a variety of tool options.

The following diagram (figure 1) depicts a generalized structure of the proposed security testing process.

Fig. 1. Security testing flow chart

VI. INFLUENCE ZONE EXTENSION AND PRIVILEGE ESCALATION

Phase 1. Task definition

Security testing of any IT infrastructure starts with task definition. In our case we will confine ourselves to searching for the maximum number of real vulnerabilities that may be exploited by potential attackers having physical access to an organization's computer network.

Phase 2. Information gathering and target search

In order to perform security testing, experts are provided with access to a company's network. In the course of preliminary information gathering, they will scan subsystems, identify computers' names, and find public network locations and critical resources.

Port scanning

Ports can be scanned using the db_nmap command, a wrapper for the nmap utility in Metasploit Framework, which allows scanning results to be saved to the database.

It should be borne in mind that if we do not specify the port range explicitly, the 1,000 most commonly used ports will be scanned; if we specify the keys -F or -p-, 100 or 65,535 ports will be scanned, respectively.

What we can learn from port scanning results is not only which network ports are open, but also service versions (if the key -sV has been used) as well as the presumable OS version (key -O) and the equipment manufacturer, by the MAC address.

The completed port scan shows which IP addresses hide domain controllers, DBMS servers, web servers, network equipment and workstations.

Search for public network locations

As discussed above, public network locations may contain a wealth of information useful for an attacker. It makes sense to search for such locations both with an anonymous credential (blank login/blank password) and with a normal user's credential.

The auxiliary/scanner/smb/smb_enumshares and auxiliary/scanner/nfs/nfsmount modules should be used to search for SMB and NFS resources, respectively.

DBMS search

It is worth using the auxiliary/scanner/mssql/mssql_ping module to search for MS SQL DBMS instances, as it helps not only find DBMS servers by the open UDP port 1434, but also identify the TCP port on which the database is waiting for connections.

NetBIOS name definition

It is often useful to determine NetBIOS names (as they may also contain helpful information, for example, on which system a subsystem pertains to) by taking advantage of the auxiliary/scanner/netbios/nbname module.
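The port scan output described above, together with the version-based method that the vulnerability search phase lists in Table 1, can be turned into an asset inventory on the defender's side. The Python script below is an added example, not code from the paper, Metasploit or Scanner VS: it parses nmap's XML report (nmap's -oX option; db_nmap passes its arguments through to nmap), infers each host's role from its open ports, and compares reported product versions with a constructed, placeholder advisory list.

```python
"""Added example: inventory an nmap XML scan and flag version-matched services.

The scan below is constructed by hand (not a real network), and ADVISORIES is
a placeholder list standing in for a real vulnerability feed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed nmap -oX output for two hosts: a domain controller and a server
# running an old FTP daemon. Not a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.10" addrtype="ipv4"/>
    <address addr="00:50:56:AA:BB:01" addrtype="mac" vendor="VMware"/>
    <hostnames><hostname name="dc01.corp.example"/></hostnames>
    <ports>
      <port protocol="tcp" portid="88"><state state="open"/><service name="kerberos-sec"/></port>
      <port protocol="tcp" portid="389"><state state="open"/><service name="ldap"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2012" accuracy="95"/></os>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.25" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="3306"><state state="closed"/><service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>"""

# Placeholder advisory list: (product, highest affected version, advisory id).
# A real deployment would load this from a vulnerability database.
ADVISORIES = [
    ("vsftpd", "2.3.4", "ADV-CONSTRUCTED-001"),
    ("OpenSSH", "7.3", "ADV-CONSTRUCTED-002"),
]


def parse_version(text):
    """'2.3.4' -> (2, 3, 4); tuples compare element-wise, which is enough for
    plain dotted versions (distribution suffixes would need a richer parser)."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


def parse_scan(xml_text):
    """Return one dict per host: ip, NIC vendor, OS guess and open ports
    mapped to (service name, product, version)."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        ip = h.find("address[@addrtype='ipv4']").get("addr")
        mac = h.find("address[@addrtype='mac']")
        osm = h.find("os/osmatch")
        ports = {}
        for p in h.iter("port"):
            if p.find("state").get("state") != "open":
                continue              # closed/filtered ports are not exposure
            svc = p.find("service")
            info = ((svc.get("name"), svc.get("product"), svc.get("version"))
                    if svc is not None else (None, None, None))
            ports[int(p.get("portid"))] = info
        hosts.append({"ip": ip,
                      "vendor": mac.get("vendor") if mac is not None else None,
                      "os": osm.get("name") if osm is not None else None,
                      "ports": ports})
    return hosts


def classify(host):
    """Rough role guess from open ports, mirroring the roles the paper says a
    port scan reveals (domain controller, DBMS, web, workstation)."""
    open_ports = set(host["ports"])
    if {88, 389, 445} <= open_ports:      # Kerberos + LDAP + SMB together
        return "domain controller"
    if open_ports & {1433, 1521, 3306, 5432}:
        return "DBMS server"
    if open_ports & {80, 443, 8080}:
        return "web server"
    return "workstation/other"


def match_advisories(host, advisories=ADVISORIES):
    """Pair each banner version with advisories whose affected range covers it."""
    hits = []
    for port, (_, product, version) in sorted(host["ports"].items()):
        if not product or not version:
            continue                      # no banner version: needs manual review
        for adv_product, max_affected, adv_id in advisories:
            if (adv_product.lower() == product.lower()
                    and parse_version(version) <= parse_version(max_affected)):
                hits.append((port, product, version, adv_id))
    return hits


if __name__ == "__main__":
    for host in parse_scan(SAMPLE_XML):
        print(host["ip"], classify(host), host["os"], host["vendor"])
        for hit in match_advisories(host):
            print("  port %d: %s %s matches %s" % hit)
```

Services that report no version (the first host here) still need the manual banner review the paper describes; the script only narrows the list.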
Phase 3. Vulnerability search

The table below lists the key vulnerability detection methods.
Table 1. The key vulnerability detection methods

| N | Method | Type of detected vulnerabilities | Examples |
|---|--------|----------------------------------|----------|
| 1 | Identifying vulnerabilities by product version | Published | Identifying a product version by the network service banner and browsing for information on the known vulnerabilities of the product |
| 2 | Exploitation attempt | Configuration errors, published vulnerabilities | Attempting to connect to a Windows system through a null session and unloading the list of user credentials. Starting an exploit against a network service without prior analysis of its conformity to the service. Attempting to intercept traffic by means of ARP poisoning |
| 3 | Configuration analysis | Configuration errors, published vulnerabilities | Analyzing the Windows registry contents |
| 4 | Reverse engineering | Zero-day vulnerabilities | Disassembling an executable file to study the logic of program execution and data handling |
| 5 | Source code analysis | Zero-day vulnerabilities | Searching PHP code for fragments related to filtering of user-entered data, to get around the filtering rules and introduce JavaScript code |
| 6 | Fuzzing | Zero-day vulnerabilities | Entering SQL queries into a web form and analyzing the received error messages |

From this list, Metasploit Framework implements modules for the methods "Exploitation attempt", "Fuzzing" and, partially, "Identifying vulnerabilities by product version".

The reason why "Identifying vulnerabilities by product version" is not fully implemented in Metasploit Framework is that it primarily relies on vulnerability scanners, such as the one from Scanner VS, to automatically detect potential vulnerabilities. Note, however, that some exploitation modules in Metasploit Framework support the "check" method, which can be used to identify a vulnerability before its exploitation.

Data on network service versions obtained at the port scanning phase is suitable for manual vulnerability analysis. A security tester generates Google search queries of the "service version +vulnerability +exploit" type to find pages of specialized resources describing vulnerabilities and exploits.

Metasploit Framework contains a set of fuzzing modules for protocols such as dns, ftp, http, smb, smtp, ssh etc. These modules are available under auxiliary/fuzzers/.

It should be noted that, since security testing projects are normally restricted to a period of 2-3 weeks, security testers confine themselves to automated and manual search for vulnerabilities by version and to exploitation attempts.

Phase 4. Exploitation and execution of attacks

In order to exploit vulnerabilities in network services and application software, testers make use of exploits from the Metasploit Framework exploit section. The current number of Metasploit Framework's ready-to-use exploits is nearing 2,000.

In order to find suitable exploits, security testers utilize the "search" command with a CVE code, service name or version (for example, search vsftpd).

When exploiting a vulnerability, a so-called payload is to be specified. The payload is code run on the compromised machine. There are a variety of payloads in Metasploit Framework, such as a remote command line, creating a credential, launching a remote administration system etc. Using the remote command line is often the best choice. Metasploit Framework has an extended command line, Meterpreter, which is now particularly popular with testers.

Password brute forcing

Password brute forcing has been the most dangerous attack for decades. Metasploit Framework contains a lot of modules designed to execute such attacks. The table below lists the modules that experts typically come across in security testing.

Table 2. The testing modules

| N | Protocol/application | Module path |
|---|----------------------|-------------|
| 1 | smb | auxiliary/scanner/smb/smb_login |
| 2 | ftp | auxiliary/scanner/ftp/anonymous (checking for anonymous entry possibility); auxiliary/scanner/ftp/ftp_login |
| 3 | ssh | auxiliary/scanner/ssh/ssh_login |
| 4 | telnet | auxiliary/scanner/telnet/telnet_login |
| 5 | postgresql | auxiliary/scanner/postgres/postgres_login |
| 6 | mysql | auxiliary/scanner/mysql/mysql_login |
| 7 | oracle | auxiliary/admin/oracle/oracle_login |
| 8 | tomcat | auxiliary/scanner/http/tomcat_mgr_login |

A complete list of similar Metasploit Framework modules can be obtained by typing the "search login" command.

Noteworthy is that most of the modules require specifying a list of credentials and passwords to verify, but some of them already contain compiled lists of default values worth taking advantage of.

Metasploit Framework has modules for specific computer attacks. This article considers only the most typical ones.
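Every login module in Table 2 leaves the same trace on the target: a burst of failed logins from one source, often across many user names, sometimes followed by a success. The Python script below is an added example, not code from the paper or Metasploit, of the detection logic a defender can run over sshd authentication log lines; the log lines are constructed, and the window and thresholds are assumptions to tune per environment.

```python
"""Added example: flag brute-force and password-spray logins in sshd logs.

The log lines are constructed (not from a real host); the window size and
thresholds are assumptions to be tuned per environment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt: one source hammering several accounts and then
# succeeding, plus an ordinary user mistyping a password once.
SAMPLE_LOG = """\
Mar  3 10:00:01 srv sshd[1201]: Failed password for invalid user admin from 10.0.0.77 port 51000 ssh2
Mar  3 10:00:02 srv sshd[1202]: Failed password for root from 10.0.0.77 port 51001 ssh2
Mar  3 10:00:03 srv sshd[1203]: Failed password for invalid user test from 10.0.0.77 port 51002 ssh2
Mar  3 10:00:04 srv sshd[1204]: Failed password for backup from 10.0.0.77 port 51003 ssh2
Mar  3 10:00:05 srv sshd[1205]: Failed password for invalid user oracle from 10.0.0.77 port 51004 ssh2
Mar  3 10:00:06 srv sshd[1206]: Failed password for backup from 10.0.0.77 port 51005 ssh2
Mar  3 10:00:07 srv sshd[1207]: Accepted password for backup from 10.0.0.77 port 51006 ssh2
Mar  3 10:05:00 srv sshd[1300]: Failed password for alice from 10.0.0.12 port 40000 ssh2
Mar  3 10:05:30 srv sshd[1301]: Accepted password for alice from 10.0.0.12 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$")


def parse_line(line, year=2018):
    """Parse one sshd line; syslog omits the year, so it is supplied here."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted",
            "user": m["user"], "ip": m["ip"]}


def detect(lines, window_s=60, fail_threshold=5, spray_users=3):
    """Sliding-window detector. Returns alerts in the order they fire:
    ('password-spray', ip, distinct_users),
    ('brute-force', ip, failures, users) and
    ('success-after-failures', ip, user, failures_before_success)."""
    alerts = []
    recent = defaultdict(deque)   # ip -> failures (ts, user) inside the window
    fired = set()                 # (ip, kind) already reported, avoid repeats
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        while q and (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()           # expire failures older than the window
        if ev["ok"]:
            # A success right after a burst is the case that matters most:
            # one of the guessed passwords worked.
            if len(q) >= fail_threshold:
                alerts.append(("success-after-failures", ev["ip"], ev["user"], len(q)))
            continue
        q.append((ev["ts"], ev["user"]))
        users = sorted({u for _, u in q})
        if len(q) >= fail_threshold and (ev["ip"], "bf") not in fired:
            fired.add((ev["ip"], "bf"))
            alerts.append(("brute-force", ev["ip"], len(q), users))
        if len(users) >= spray_users and (ev["ip"], "spray") not in fired:
            fired.add((ev["ip"], "spray"))
            alerts.append(("password-spray", ev["ip"], len(users)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The same three rules apply to the other protocols in Table 2 once their failed-login records are normalized to (timestamp, result, user, source) tuples.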
ARP poisoning

When executing such an attack, the attacker seeks to "poison" the ARP tables of two subsystems, the traffic between which he wants to intercept. An attack is often undertaken against the workstation of a particular user (system administrator, chief accountant etc.) and a domain controller or router. Once the ARP tables are poisoned, both victim subsystems exchange network packets via the attacker's computer. Having run a sniffer, the attacker captures the data of interest, for example, authentication sessions with password hashes.

An ARP poisoning attack in Metasploit Framework can be executed by making use of the auxiliary/spoof/arp/arp_poisoning module.

Pass-the-hash

Successful authorization with the NTLM protocol does not require knowing the password: it is enough to have the password hash and the credential name. Any operating system using the NTLM protocol can be susceptible to this vulnerability.

A pass-the-hash attack can be executed using the exploit/windows/smb/psexec module.

This security testing phase provides us with a list of vulnerabilities that can be exploited by attackers remotely. The exploits run and attacks executed have provided us with access to various systems and with information about compromised credentials.

Testers collect screenshots confirming access as evidence of successful penetration.

Phase 5. Influence zone extension and privilege escalation

The existing access to a system often allows it to be extended to other systems. Privilege escalation permitting a normal user to become an administrator is also sometimes possible.

Let us consider two standard situations that a tester should be aware of to make security testing easier.

Lazy users making use of identical passwords

Users like utilizing identical passwords in different systems, so it is worth checking the "login:password" pairs, once found, in all accessible systems.

Lazy administrators forgetting to delete critical data from the test environment

Serious systems implemented by major companies normally have a test environment used to try out modifications, train users etc. Test environments are often created by restoring from production backups. Because they are test environments, administrators sometimes fail to pay due attention to information security issues. For example, they may create an administrator's credential with an easily guessed password or fail to install critical OS updates. Upon receiving access to a test environment, security testers unload user data (logins/password hashes) that are largely consistent with those employed in the production system.

Post-exploitation modules in Metasploit Framework

Metasploit Framework has a set of so-called post-exploitation modules designed to perform the following tasks for access extension and privilege escalation:

- Searching for suitable local exploits (post/multi/recon/local_exploit_suggester);
- Running a keylogger (post/windows/capture/keylog_recorder);
- Gathering credentials and hashes (post/windows/gather/credentials/credential_collector) etc.

With this step performed, security testers obtain maximum access and pinpoint actual local vulnerabilities.

Phase 6. Report development

The outcome of security testing is a report on discovered vulnerabilities. The report's key component is information on vulnerabilities, which is normally provided to the customer in the following structured form:

- Detection – information on the vulnerability name and codes and a list of vulnerability-prone subsystems;
- Exploitation – screenshots and logs demonstrating vulnerability exploitation;
- Risk – what vulnerability exploitation may result in;
- Recommendations – technical and organizational recommendations on elimination of vulnerabilities.

Since Metasploit Framework has no security testing report generation feature, the report is developed by the testers.

VII. CONCLUSION

We have considered a comprehensive approach to security testing, which can be implemented through Metasploit Framework. Metasploit Framework is an aid in completing the key phases of security testing, except for automated vulnerability search and report generation. These phases, however, are implemented in the Scanner VS complex that comprises Metasploit Framework. When used in conjunction, the described methodology, Scanner VS and Metasploit Framework help discover the maximum number of actual vulnerabilities.

REFERENCES

[1] Scaner-VS. http://scaner-vs.ru/trial/
[2] Abraham K. White. Hacking: The Underground Guide to Computer Hacking, Including Wireless Networks, Security, Windows, Kali Linux and Penetration Testing. – CreateSpace Independent Publishing Platform, 2017. 230 p.
[3] Barabanov A.V., Lavrov A.I., Markov A.S., Polotnyanschikov I.A., Tsirlov V.L. The study into cross-site request forgery attacks within the framework of analysis of software vulnerabilities. Trudy ISP RAN/Proc. ISP RAS, vol. 29, issue 5, 2017, pp. 7-18. DOI: 10.15514/ISPRAS-2017-29(5)-1.
[4] Chris McNab. Network Security Assessment: Know Your Network. – O'Reilly Media, 2017. 508 p.
[5] Corey P. Schultz, Bob Perciaccante. Kali Linux Cookbook - Second Edition: Effective penetration testing solutions. – Packt Publishing, 2017. 438 p.
[6] Daniel W. Dieterle. Basic Security Testing with Kali Linux 2. – CreateSpace Independent Publishing Platform, 2016. 380 p.
[7] David Kennedy, Jim O'Gorman, Devon Kearns. Metasploit: The Penetration Tester's Guide. – No Starch Press, 2011. 328 p.
[8] Dorofeev A. Preparing for CISSP: telecommunications and network security. Voprosy kiberbezopasnosti [Cybersecurity issues], 2014, No 4(7). P. 69-74. (In Rus).
[9] Evan Lane. Hacking with Python: Beginner's Guide to Ethical Hacking, Basic Security, Penetration Testing, and Python Hacking. – CreateSpace Independent Publishing Platform, 2017. 106 p.
[10] Georgia Weidman. Penetration Testing: A Hands-On Introduction to Hacking. – No Starch Press, 2014. 528 p.
[11] Jessey Bullock, Jeff T. Parker. Wireshark for Security Professionals: Using Wireshark and the Metasploit Framework. – John Wiley & Sons, 2017. 288 p.
[12] Josh Thompsons. Hacking: Hacking For Beginners Guide On How To Hack, Computer Hacking, And The Basics Of Ethical Hacking. – CreateSpace Independent Publishing Platform, 2017. 112 p.
[13] Joshua Picolet. Hash Crack: Password Cracking Manual (v2.0). – CreateSpace Independent Publishing Platform, 2017. 112 p.
[14] Matt Walker. CEH Certified Ethical Hacker All-in-One Exam Guide, Third Edition. – Oracle Press, 2016. 525 p.
[15] Michael Hixon, Justin Hutchens. Kali Linux Network Scanning Cookbook - Second Edition: A Step-by-Step Guide Leveraging Custom Scripts and Integrated Tools in Kali Linux. – Packt Publishing, 2017. 634 p.
[16] Nipun Jaswal. Metasploit Bootcamp: The fastest way to learn Metasploit Paperback. – Packt Publishing, 2017. 230 p.
[17] Open Source Security Testing Methodology Manual. Online: http://www.isecom.org/research/
[18] OWASP Testing Guide. Online: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
[19] Penetration testing execution standard. Online: http://www.pentest-standard.org
[20] Peter Kim. The Hacker Playbook 2: Practical Guide to Penetration Testing. – CreateSpace Independent Publishing Platform, 2015. 358 p.
[21] Raphael Hertzog, Mati Aharoni, Jim O'Gorman. Kali Linux Revealed: Mastering the Penetration Testing Distribution. – Offsec Press, 2017. 314 p.
[22] Scaner-VS. Online: http://scaner-vs.ru/trial/
[23] Technical Guide to Information Security Testing and Assessment. Online: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
[24] Tedi Heriyanto, Lee Allen. Kali Linux – Assuring Security by Penetration Testing. – Packt Publishing, 2014. 454 p.
[25] Wil Allsopp. Advanced Penetration Testing: Hacking the World's Most Secure Networks. – John Wiley & Sons, 2017. 288 p.