Applied Aspects of Security Testing

Alexander V. Dorofeev, Training Center Echelon, NPO, Moscow, Russia, mail@npo-echelon.com
Yrii V. Rautkin, Fedorova Institute of Applied Geophysics, Moscow, Russia, niira7@mail.ru

Abstract—The article is concerned with the procedure for testing the security of computer system resources. The capabilities of the Metasploit Framework testing tool are considered. The key "pain points" of modern corporate systems are identified. A general scheme and procedure for security testing are suggested. The vulnerability collection phases, the checking of whether discovered vulnerabilities can actually be exploited, influence zone extension and privilege escalation are discussed in detail. It is shown that the proposed approach allows the maximum number of vulnerabilities to be detected.

Keywords—information security; security testing; penetration testing; exploit; Metasploit Framework; Scanner-VS

I. INTRODUCTION

Very few experts specializing in security testing have ever faced a situation in which they were unable to fully compromise a network in the course of internal penetration testing [7]. The reasons why ethical hackers succeed are trite: weak passwords, missing critical security updates, configuration errors [11, 13]. This brings up two questions: if the causes of vulnerabilities are so trite, could a list of key tests be devised that a system administrator could carry out independently, and is there a tool that could help him do it? The tool of our choice is Metasploit Framework, which can be installed by the user or used as part of the Scanner VS complex [6, 10, 15, 16, 21]. Note that it is not our intention in this article to focus on security testing of web applications, as these represent a separate testing area [2].

Before coming to grips with engineering problems, we should understand what may interest potential attackers and how they will act.

II. INFORMATION ATTACKERS ARE INTERESTED IN

As a rule, cyber-attackers are motivated by money earned from successful hacking (theft of funds, blackmail, carrying out orders for an interested party) or by their own curiosity and a wish to check what they are capable of. Attackers may aim at whatever permits them either to steal or to earn. Apart from any system operated by an organization, their aim may be folders on file servers and documents on users' workstations.

III. HIGH RISK AREAS

The main reason why somebody fails to install security updates or change a default password is a lack of responsible and proper control [12]. This reason allows us to identify the following pain points, confirmed by our penetration testing practice [1, 4, 6, 8, 9, 14, 18-20, 23, 24].

• Systems outsourced to third parties. Normally, these are accounting, security and process systems. Contractors do not care about their security, as this is the customer's area of responsibility rather than theirs. Administrators tend to dodge liability, being unable to understand the process.
• Test and development environments. Since these are not production systems, administrators leave them in the hands of developers, who may introduce vulnerabilities.
• Conditionally isolated systems. If a network is physically isolated and has no access to the Internet, the "responsible" specialists may decide that there is no point in installing antivirus software and other protection tools and, certainly, that it is not worth updating anything.
• Shared network locations. File servers, shared folders on servers and workstations. This is where backup files, scripts with credentials and passwords, and system logs can easily be found.
• Critical IT infrastructure elements. The domain controller contains the account database and supports authorization by domain accounts. The domain controller is, therefore, the number-one priority for any attacker in a Windows network.

IV. METASPLOIT FRAMEWORK GENERAL HANDLING PROCEDURE

As we have chosen Metasploit Framework as the security testing tool, we need to describe the basic algorithm for handling its constituent modules. A module is handled by performing the following steps:

1. Search for a suitable module using the search command or Google.
2. Select the module with the use command.
3. View the chosen module's settings using the show options or show advanced commands.
4. Set a specific option using the set command.
5. Enable verbose output using the set verbose true command.
6. Run the module using the run command.

V. GENERAL SECURITY TESTING PROCEDURE

Security testing of information systems is often a creative process that, nevertheless, can and should be structured to obtain comparable and complete testing results [1, 4, 5, 8, 9]. The following sources provide a good description of security testing methodologies [3, 17, 18, 22]:

• Penetration Testing Execution Standard (PTES);
• Open Source Security Testing Methodology Manual (OSSTMM);
• Technical Guide to Information Security Testing and Assessment (NIST SP 800-115);
• OWASP Testing Guide.

PTES offers a detailed structure of the tasks to be tackled during security testing and exemplifies the use of various tools, while giving hardly any details of Metasploit Framework. OSSTMM is largely intended for information security managers and contains a very restricted amount of technical information. NIST SP 800-115 was adopted in 2008 and only partially covers modern approaches to security testing. The OWASP Testing Guide is concerned only with security testing of web applications and contains a detailed and structured description of testing methods and a variety of tool options.

The following diagram (figure 1) depicts a generalized structure of the proposed security testing process.

[Fig. 1. Security testing flow chart]

VI. INFLUENCE ZONE EXTENSION AND PRIVILEGE ESCALATION

Phase 1. Task definition

Security testing of any IT infrastructure starts with task definition. In our case we confine ourselves to searching for the maximum number of real vulnerabilities that may be exploited by potential attackers who have physical access to an organization's computer network.

Phase 2. Information gathering and target search

In order to perform security testing, the experts are given access to the company's network. In the course of preliminary information gathering, they scan subsystems, identify computer names, and find public network locations and critical resources.

Port scanning

Ports can be scanned with the db_nmap command, a wrapper for nmap in Metasploit Framework that allows scan results to be saved to the database. It should be borne in mind that if the port range is not specified explicitly, the 1,000 most commonly used ports are scanned; with the -F or -p- keys, 100 or 65,535 ports are scanned, respectively. Port scanning results reveal not only which network ports are open, but also service versions (if the -sV key has been used), the presumable OS version (the -O key) and the equipment manufacturer, derived from the MAC address. The completed port scan shows which IP addresses belong to domain controllers, DBMS servers, web servers, network equipment and workstations.

Search for public network locations

As discussed above, public network locations may contain a wealth of information useful to an attacker. It makes sense to search for such locations both with an anonymous credential (blank login/blank password) and with a normal user's credential. The auxiliary/scanner/smb/smb_enumshares and auxiliary/scanner/nfs/nfsmount modules should be used to search for SMB and NFS resources, respectively.

DBMS search

It is worth using the auxiliary/scanner/mssql/mssql_ping module to search for MS SQL DBMS instances, as it not only finds DBMS servers by the open UDP port 1434 but also identifies the TCP port on which the database is listening for connections.

NetBIOS name definition

It is often useful to determine NetBIOS names (as they may also contain helpful information, for example which system a subsystem pertains to) by taking advantage of the auxiliary/scanner/netbios/nbname module.

Phase 3. Vulnerability search

The table below lists the key vulnerability detection methods.

Table 1. The key vulnerability detection methods

| N | Method | Type of detected vulnerabilities | Examples |
|---|--------|----------------------------------|----------|
| 1 | Identifying vulnerabilities by product version | Published vulnerabilities | Identifying a product version by the network service banner and browsing for information on the known vulnerabilities of the product |
| 2 | Exploitation attempt | Configuration errors, published vulnerabilities | Attempting to connect to a Windows system through a null session and dumping the list of user accounts; starting an exploit against a network service without prior analysis of whether it matches the service; attempting to intercept traffic by means of ARP poisoning |
| 3 | Configuration analysis | Configuration errors, published vulnerabilities | Analyzing the Windows registry contents |
| 4 | Reverse engineering | Zero-day vulnerabilities | Disassembling an executable file to study the logic of program execution and data handling |
| 5 | Source code analysis | Zero-day vulnerabilities | Searching PHP code for fragments related to filtering of user-entered data in order to bypass the filtering rules and inject JavaScript code |
| 6 | Fuzzing | Zero-day vulnerabilities | Entering SQL queries into a web form and analyzing the error messages received |

From this list, Metasploit Framework implements modules for the methods "Exploitation attempt" and "Fuzzing", and partially for "Identifying vulnerabilities by product version". The reason why "Identifying vulnerabilities by product version" is not fully implemented in Metasploit Framework is that vulnerability scanners, such as the one in Scanner VS, are primarily used to detect potential vulnerabilities automatically. Note, however, that some exploitation modules in Metasploit Framework support the check method, which can be used to identify a vulnerability before exploiting it.

Data on network service versions obtained in the port scanning phase is suitable for manual vulnerability analysis. A security tester generates Google search queries of the form "service version +vulnerability +exploit" to find pages of specialized resources describing vulnerabilities and exploits.

Metasploit Framework contains a set of fuzzing modules for protocols such as DNS, FTP, HTTP, SMB, SMTP, SSH, etc. These modules are available under auxiliary/fuzzers/.

It should be noted that, since security testing projects are normally restricted to a period of 2-3 weeks, security testers confine themselves to automated and manual search for vulnerabilities by version and to exploitation attempts.

Phase 4. Exploitation and execution of attacks

To exploit vulnerabilities in network services and application software, testers use exploits from the Metasploit Framework exploit section. The current number of ready-to-use exploits in Metasploit Framework is nearing 2,000. To find suitable exploits, security testers use the search command with a CVE code, service name or version (for example, search vsftpd).

When exploiting a vulnerability, the so-called payload has to be specified. The payload is code run on the compromised machine. There are a variety of payloads in Metasploit Framework, such as a remote command line, creating an account, launching a remote administration tool, etc. Using the remote command line is often the best choice. Metasploit Framework has an extended command line, Meterpreter, which is now particularly popular with testers.

Password brute forcing

Password brute forcing has been the most dangerous attack for decades. Metasploit Framework contains many modules designed to execute such attacks. The table below lists the modules that experts typically come across in security testing.

Table 2. The testing modules

| N | Protocol/application | Module path |
|---|----------------------|-------------|
| 1 | smb | auxiliary/scanner/smb/smb_login |
| 2 | ftp | auxiliary/scanner/ftp/anonymous (checks whether anonymous login is possible); auxiliary/scanner/ftp/ftp_login |
| 3 | ssh | auxiliary/scanner/ssh/ssh_login |
| 4 | telnet | auxiliary/scanner/telnet/telnet_login |
| 5 | postgresql | auxiliary/scanner/postgres/postgres_login |
| 6 | mysql | auxiliary/scanner/mysql/mysql_login |
| 7 | oracle | auxiliary/admin/oracle/oracle_login |
| 8 | tomcat | auxiliary/scanner/http/tomcat_mgr_login |

A complete list of similar Metasploit Framework modules can be obtained by typing the search login command. Noteworthy is that most of the modules require a list of logins and candidate passwords to be specified, but some of them already contain compiled lists of default values worth taking advantage of.

Metasploit Framework has modules for specific computer attacks. This article considers only the most typical ones.

ARP poisoning

When executing such an attack, the attacker seeks to "poison" the ARP tables of two subsystems whose traffic he wants to intercept. The attack is often undertaken against the workstation of a particular user (system administrator, chief accountant, etc.) and a domain controller or router. Once the ARP tables are poisoned, both victim subsystems exchange network packets via the attacker's computer. Having run a sniffer, the attacker captures the data of interest, for example authentication sessions with password hashes. An ARP poisoning attack in Metasploit Framework can be executed using the auxiliary/spoof/arp/arp_poisoning module.

Pass-the-hash

Successful authorization with the NTLM protocol does not require knowing the password: it is enough to have the password hash and the account name. Any operating system using the NTLM protocol can be susceptible to this vulnerability. A pass-the-hash attack can be executed using the exploit/windows/smb/psexec module.

This security testing phase provides us with a list of vulnerabilities that attackers can exploit remotely. The exploits run and attacks executed have provided access to various systems and information about compromised accounts. Testers collect screenshots confirming access as evidence of successful penetration.

Phase 5. Influence zone extension and privilege escalation

Existing access to a system often allows it to be extended to other systems. Privilege escalation that lets a normal user become an administrator is also sometimes possible. Let us consider two standard situations that a tester should be aware of to make security testing easier.

Lazy users making use of identical passwords

Users like to use identical passwords in different systems, so it is worth checking the already-selected "login:password" pairs once against all accessible systems.

Lazy administrators forgetting to delete critical data from the test environment

Serious systems implemented by major companies normally have a test environment used to try out modifications, train users, etc. Test environments are often created by restoring production backups. Because they are test environments, administrators sometimes fail to pay due attention to information security issues. For example, they may create an administrator account with an easily guessed password or fail to install critical OS updates. Upon gaining access to a test environment, security testers extract user data (logins/password hashes) that largely coincide with those employed in the production system.

Post-exploitation modules in Metasploit Framework

Metasploit Framework has a set of so-called post-exploitation modules designed to perform the following tasks for access extension and privilege escalation:

• searching for suitable local exploits (post/multi/recon/local_exploit_suggester);
• running a keylogger (post/windows/capture/keylog_recorder);
• gathering credentials and hashes (post/windows/gather/credentials/credential_collector), etc.

With this step performed, security testers obtain maximum access and pinpoint actual local vulnerabilities.

Phase 6. Report development

The outcome of security testing is a report on the discovered vulnerabilities. The report's key component is the information on vulnerabilities, which is normally provided to the customer in a structured form:

• Detection: the vulnerability name and codes and a list of affected subsystems;
• Exploitation: screenshots and logs demonstrating exploitation of the vulnerability;
• Risk: what exploitation of the vulnerability may result in;
• Recommendations: technical and organizational recommendations for eliminating the vulnerability.

Since Metasploit Framework has no report generation feature, the report is developed by the testers themselves.

VII. CONCLUSION

We have considered a comprehensive approach to security testing that can be implemented with Metasploit Framework. Metasploit Framework is an aid in completing the key phases of security testing, except for automated vulnerability search and report generation. These phases, however, are implemented in the Scanner VS complex, which incorporates Metasploit Framework. When used in conjunction, in the described methodology, Scanner VS and Metasploit Framework help discover the maximum number of actual vulnerabilities.

REFERENCES

[1] Scaner-VS. http://scaner-vs.ru/trial/
[2] Abraham K White. Hacking: The Underground Guide to Computer Hacking, Including Wireless Networks, Security, Windows, Kali Linux and Penetration Testing. – CreateSpace Independent Publishing Platform, 2017. 230 p.
[3] Barabanov A.V., Lavrov A.I., Markov A.S., Polotnyanschikov I.A., Tsirlov V.L. The study into cross-site request forgery attacks within the framework of analysis of software vulnerabilities. Trudy ISP RAN/Proc. ISP RAS, vol. 29, issue 5, 2017, pp. 7-18. DOI: 10.15514/ISPRAS-2017-29(5)-1.
[4] Chris McNab. Network Security Assessment: Know Your Network. – O'Reilly Media, 2017. 508 p.
[5] Corey P. Schultz, Bob Perciaccante. Kali Linux Cookbook - Second Edition: Effective penetration testing solutions. – Packt Publishing, 2017. 438 p.
[6] Daniel W. Dieterle. Basic Security Testing with Kali Linux 2. – CreateSpace Independent Publishing Platform, 2016. 380 p.
[7] David Kennedy, Jim O'Gorman, Devon Kearns. Metasploit: The Penetration Tester's Guide. – No Starch Press, 2011. 328 p.
[8] Dorofeev A. Preparing for CISSP: telecommunications and network security. Voprosy kiberbezopasnosti [Cybersecurity issues], 2014, No 4(7). P. 69-74. (In Rus).
[9] Evan Lane. Hacking with Python: Beginner's Guide to Ethical Hacking, Basic Security, Penetration Testing, and Python Hacking. – CreateSpace Independent Publishing Platform, 2017. 106 p.
[10] Georgia Weidman. Penetration Testing: A Hands-On Introduction to Hacking. – No Starch Press, 2014. 528 p.
[11] Jessey Bullock, Jeff T. Parker. Wireshark for Security Professionals: Using Wireshark and the Metasploit Framework. – John Wiley & Sons, 2017. 288 p.
[12] Josh Thompsons. Hacking: Hacking For Beginners Guide On How To Hack, Computer Hacking, And The Basics Of Ethical Hacking. – CreateSpace Independent Publishing Platform, 2017. 112 p.
[13] Joshua Picolet. Hash Crack: Password Cracking Manual (v2.0). – CreateSpace Independent Publishing Platform, 2017. 112 p.
[14] Matt Walker. CEH Certified Ethical Hacker All-in-One Exam Guide, Third Edition. – Oracle Press, 2016. 525 p.
[15] Michael Hixon, Justin Hutchens. Kali Linux Network Scanning Cookbook - Second Edition: A Step-by-Step Guide Leveraging Custom Scripts and Integrated Tools in Kali Linux. – Packt Publishing, 2017. 634 p.
[16] Nipun Jaswal. Metasploit Bootcamp: The fastest way to learn Metasploit Paperback. – Packt Publishing, 2017. 230 p.
[17] Open Source Security Testing Methodology Manual. Online http://www.isecom.org/research/
[18] OWASP Testing Guide. Online https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
[19] Penetration testing execution standard. Online http://www.pentest-standard.org
[20] Peter Kim. The Hacker Playbook 2: Practical Guide to Penetration Testing. – CreateSpace Independent Publishing Platform, 2015. 358 p.
[21] Raphael Hertzog, Mati Aharoni, Jim O'Gorman. Kali Linux Revealed: Mastering the Penetration Testing Distribution. – Offsec Press, 2017. 314 p.
[22] Scaner-VS. Online http://scaner-vs.ru/trial/
[23] Technical Guide to Information Security Testing and Assessment. Online http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
[24] Tedi Heriyanto, Lee Allen. Kali Linux – Assuring Security by Penetration Testing. – Packt Publishing, 2014. 454 p.
[25] Wil Allsopp. Advanced Penetration Testing: Hacking the World's Most Secure Networks. – John Wiley & Sons, 2017. 288 p.
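Added example for the port scanning step of Phase 2 (this is not code from the paper or from Metasploit Framework): db_nmap stores what nmap produces, and the "grepable" -oG format is the simplest one to post-process. The script below parses constructed -oG lines from an "nmap -sV" run, keeps only open ports, tags each host with the role its ports suggest (domain controller, DBMS, web server, SMB host) and lists every service whose banner disclosed a version, which is exactly the list a tester looks up manually and a defender should patch. All addresses, hostnames, banners and the role heuristics are assumptions made for this example.

```python
import re

# Constructed sample in nmap "grepable" (-oG) format, as written by an
# "nmap -sV -oG" run such as db_nmap performs. Addresses, names and
# versions are invented for this example.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 10.0.0.5 (dc01.corp.example)\tStatus: Up
Host: 10.0.0.5 (dc01.corp.example)\tPorts: 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap//Microsoft Windows Active Directory LDAP/, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 10.0.0.20 ()\tPorts: 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2014 12.00.2000/, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 10.0.0.30 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 80/open/tcp//http//Apache httpd 2.4.29/, 443/closed/tcp//https///\tIgnored State: closed (997)
Host: 10.0.0.40 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)
# Nmap done (constructed sample)
"""

# "Host: <ip> (<name>)<TAB>Ports: <spec>, <spec>..."; each spec uses the fixed
# field order port/state/proto/owner/service/rpcinfo/version/
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: ([^\t]*)")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [(port, proto, service, version), ...]}}
    keeping only ports reported as open."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:  # comment lines and "Status: Up" lines carry no ports
            continue
        ip, hostname, ports_field = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for spec in ports_field.split(", "):
            fields = spec.split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue
            port, _state, proto, _owner, service, _rpc, version = fields[:7]
            entry["ports"].append((int(port), proto, service, version))
    return hosts


# Role heuristics (assumed for this example):
# (role name, all of these ports must be open, any of these ports must be open)
ROLE_RULES = (
    ("domain controller", {88, 389}, set()),  # Kerberos and LDAP together
    ("DBMS server", set(), {1433, 1521, 3306, 5432}),
    ("web server", set(), {80, 443, 8080, 8443}),
    ("Windows host (SMB)", set(), {445}),
)


def classify(host):
    """Tag a parsed host with every role its open ports suggest."""
    open_ports = {port for port, _, _, _ in host["ports"]}
    roles = [name for name, need_all, need_any in ROLE_RULES
             if need_all <= open_ports and (not need_any or open_ports & need_any)]
    return roles or ["unclassified"]


def ip_key(ip):
    """Sort IPv4 addresses numerically rather than as strings."""
    return tuple(int(octet) for octet in ip.split("."))


def versioned_services(hosts):
    """(ip, port, service, version) for every open port whose banner gave a
    version: the items to check against vulnerability databases and to patch."""
    return [(ip, port, service, version)
            for ip in sorted(hosts, key=ip_key)
            for port, _, service, version in hosts[ip]["ports"] if version]


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for ip in sorted(inventory, key=ip_key):
        host = inventory[ip]
        print(f"{ip:<12} {host['hostname'] or '-':<20} {', '.join(classify(host))}")
    for item in versioned_services(inventory):
        print("version to review:", item)
```

The closed 443 entry in the sample shows why the state field is checked: -oG can list non-open ports as well, and an inventory that counted them would overstate the exposed surface.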
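Added example for the password brute forcing discussion in Phase 4, written from the defender's side (this is not code from the paper or from Metasploit Framework): login modules such as ssh_login leave a dense trail of failed authentications from one source, and that trail is what a monitoring rule should key on. The detector below runs over constructed OpenSSH auth log lines, flags a source that accumulates a threshold of failures inside a sliding time window, distinguishes guessing against one account from guessing across many accounts, and records the first successful login the same source achieves afterwards, which is the signature of a guessed password. The log lines, hosts, addresses and thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of OpenSSH authentication log lines in syslog format
# (sshd omits the year). Hosts, users and addresses are invented.
SAMPLE_AUTH_LOG = """\
Mar 12 09:00:01 srv01 sshd[2210]: Failed password for root from 10.0.0.99 port 51000 ssh2
Mar 12 09:00:02 srv01 sshd[2212]: Failed password for root from 10.0.0.99 port 51001 ssh2
Mar 12 09:00:03 srv01 sshd[2214]: Failed password for invalid user admin from 10.0.0.99 port 51002 ssh2
Mar 12 09:00:04 srv01 sshd[2216]: Failed password for invalid user oracle from 10.0.0.99 port 51003 ssh2
Mar 12 09:00:05 srv01 sshd[2218]: Failed password for invalid user postgres from 10.0.0.99 port 51004 ssh2
Mar 12 09:00:06 srv01 sshd[2220]: Accepted password for backup from 10.0.0.99 port 51005 ssh2
Mar 12 09:30:00 srv01 sshd[2300]: Failed password for alice from 10.0.0.15 port 40000 ssh2
Mar 12 09:31:00 srv01 sshd[2302]: Accepted publickey for alice from 10.0.0.15 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port"
)


def parse_auth_log(text):
    """Yield {"ts", "result", "user", "src"} for each sshd login attempt line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, result, user, src = m.groups()
        # syslog timestamps have no year; that is fine for windowing inside one log
        yield {"ts": datetime.strptime(ts, "%b %d %H:%M:%S"),
               "result": result, "user": user, "src": src}


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Return {src: alert} for every source that produced `threshold` failed
    logins within `window_seconds`. The alert records how many accounts were
    tried and the first account the source then logged in to, if any."""
    recent = defaultdict(deque)   # src -> failure timestamps still inside the window
    users = defaultdict(set)      # src -> distinct account names tried
    alerts = {}
    for rec in parse_auth_log(text):
        src = rec["src"]
        if rec["result"] == "Failed":
            q = recent[src]
            q.append(rec["ts"])
            users[src].add(rec["user"])
            while (rec["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()  # expire failures that fell out of the window
            if len(q) >= threshold and src not in alerts:
                kind = "many accounts (spraying)" if len(users[src]) > 1 else "single account"
                alerts[src] = {"kind": kind, "failures": len(q),
                               "users": sorted(users[src]), "success_after": None}
        elif src in alerts and alerts[src]["success_after"] is None:
            alerts[src]["success_after"] = rec["user"]
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(src, info)
```

A success following a failure burst from the same source deserves a higher severity than the burst alone; the paper's Phase 5 note that users reuse passwords across systems is the reason such an account should be checked on every system it exists in, not only on the host that logged it.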
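Added example for the ARP poisoning discussion in Phase 4, again from the detection side (this is not code from the paper or from Metasploit Framework): the attack the paper describes leaves two observable traces on the segment, an IP address suddenly answered for by a different MAC, and one MAC claiming both victims' addresses. The script below replays a constructed list of observed ARP replies, learns IP-to-MAC bindings during a quiet period, and reports both traces. The addresses, the learning period and the idea of learning bindings from traffic (a real sensor would rather take them from DHCP leases or an inventory) are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample of ARP replies ("is-at") as a passive sensor on the segment
# would record them: (seconds since start, sender IP, sender MAC). All invented.
SAMPLE_ARP_REPLIES = [
    (0.0,  "10.0.0.1",  "aa:bb:cc:00:00:01"),   # router
    (0.5,  "10.0.0.50", "aa:bb:cc:00:00:50"),   # a user's workstation
    (1.0,  "10.0.0.5",  "aa:bb:cc:00:00:05"),   # domain controller
    (30.0, "10.0.0.1",  "de:ad:be:ef:00:99"),   # router's IP now claimed by a different MAC
    (30.1, "10.0.0.50", "de:ad:be:ef:00:99"),   # the same MAC also claims the workstation
    (31.0, "10.0.0.1",  "de:ad:be:ef:00:99"),   # repeated, since poisoned entries must be refreshed
    (45.0, "10.0.0.5",  "aa:bb:cc:00:00:05"),   # ordinary traffic, consistent with the binding
]


def learn_bindings(replies, learning_seconds):
    """IP -> MAC as first seen during the learning period. Assumption for this
    example; production sensors should use DHCP leases or a static inventory."""
    bindings = {}
    for t, ip, mac in replies:
        if t < learning_seconds and ip not in bindings:
            bindings[ip] = mac
    return bindings


def detect_arp_poisoning(replies, learning_seconds=10.0):
    """Return (alerts, suspects).
    alerts:   one entry per reply whose sender MAC contradicts the learned binding.
    suspects: MACs that claimed more than one IP, i.e. a host that has placed
              itself between two victims, mapped to the IPs it claimed."""
    bindings = learn_bindings(replies, learning_seconds)
    claims = defaultdict(set)  # mac -> IPs it has answered for
    alerts = []
    for t, ip, mac in replies:
        claims[mac].add(ip)
        expected = bindings.get(ip)
        if expected is not None and expected != mac:
            alerts.append({"time": t, "ip": ip, "expected_mac": expected, "seen_mac": mac})
    suspects = {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}
    return alerts, suspects


if __name__ == "__main__":
    found, who = detect_arp_poisoning(SAMPLE_ARP_REPLIES)
    for a in found:
        print(f"t={a['time']:>5}: {a['ip']} expected {a['expected_mac']} but saw {a['seen_mac']}")
    print("MACs claiming several IPs:", who)
```

On managed switches the same condition can be enforced rather than merely observed: DHCP snooping combined with dynamic ARP inspection drops replies that contradict the lease table, which removes the attack's precondition on the segment.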
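Added example for Phase 6 (this is not code from the paper or from Metasploit Framework): since Metasploit Framework produces no report, testers script one, and the four-part structure the paper gives (Detection, Exploitation, Risk, Recommendations) maps directly onto a small record type. The code below validates that every finding carries exploitation evidence (the paper's emphasis is on actual, demonstrated vulnerabilities), orders findings by risk level, renders the structured text and groups findings per affected host so the customer can see which subsystems need work first. The sample findings, hosts and the risk scale are invented for this example; the CVE identifier is a labelled placeholder.

```python
from dataclasses import dataclass, field
from collections import defaultdict

RISK_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}  # assumed scale


@dataclass
class Finding:
    """One reported vulnerability in the Detection/Exploitation/Risk/Recommendations structure."""
    name: str
    hosts: list                      # Detection: affected subsystems
    codes: list = field(default_factory=list)   # Detection: CVE/CWE identifiers, if any
    evidence: list = field(default_factory=list)  # Exploitation: screenshots/log references
    risk_level: str = "medium"
    risk: str = ""                   # Risk: what exploitation may result in
    recommendations: list = field(default_factory=list)

    def validate(self):
        if self.risk_level not in RISK_ORDER:
            raise ValueError(f"{self.name}: unknown risk level {self.risk_level!r}")
        if not self.evidence:
            # without demonstrated exploitation this is a suspicion, not a finding
            raise ValueError(f"{self.name}: no exploitation evidence")
        if not self.hosts:
            raise ValueError(f"{self.name}: no affected subsystem listed")


# Constructed sample findings (hosts, names and paths are invented).
SAMPLE_FINDINGS = [
    Finding("Weak password on test-environment administrator account",
            hosts=["test-app01"], codes=["CWE-521"],
            evidence=["shot-07.png: admin shell on test-app01", "msf.log lines 120-131"],
            risk_level="high",
            risk="Full control of the test system; password hashes restored from the production backup can be extracted",
            recommendations=["Enforce the production password policy on test systems",
                             "Anonymize data before restoring backups into test"]),
    Finding("Anonymous SMB share exposing backup files",
            hosts=["files01", "ws-acct-12"], codes=[],
            evidence=["shot-03.png: share listing without credentials"],
            risk_level="critical",
            risk="Backups and scripts with embedded credentials readable by any network user",
            recommendations=["Remove anonymous access", "Move backups off user-reachable shares"]),
    Finding("Outdated FTP service version",
            hosts=["files01"], codes=["CVE-XXXX-YYYY (placeholder)"],
            evidence=["shot-05.png: exploit module session"],
            risk_level="high",
            risk="Remote code execution on the file server",
            recommendations=["Update the FTP service", "Disable FTP where SFTP is available"]),
]


def sort_findings(findings):
    """Highest risk first, then alphabetically, after validating each record."""
    for f in findings:
        f.validate()
    return sorted(findings, key=lambda f: (RISK_ORDER[f.risk_level], f.name))


def group_by_host(findings):
    """host -> sorted finding names, for the per-subsystem view of the report."""
    by_host = defaultdict(list)
    for f in findings:
        for host in f.hosts:
            by_host[host].append(f.name)
    return {host: sorted(names) for host, names in sorted(by_host.items())}


def render_report(findings):
    """Plain-text report body in the paper's four-part structure."""
    lines = []
    for n, f in enumerate(sort_findings(findings), 1):
        lines.append(f"{n}. {f.name} [{f.risk_level.upper()}]")
        lines.append(f"   Detection: codes: {', '.join(f.codes) or 'none'}; affected: {', '.join(f.hosts)}")
        lines.append(f"   Exploitation: {'; '.join(f.evidence)}")
        lines.append(f"   Risk: {f.risk}")
        lines.append(f"   Recommendations: {'; '.join(f.recommendations)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(SAMPLE_FINDINGS))
    print(group_by_host(SAMPLE_FINDINGS))
```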