next up previous contents
Next: The Future of Security Up: Pen-Tester : The job Previous: Integration into the IT   Contents

The process of Pen-Testing

First, I'd like to remind the reader of the principal goals of an attacker, to show how important it is to secure a network and what pen-testing tries to protect corporations against:

Pen-testers attack the machines the same way an attacker would. This gives an estimate of the security level of the network and shows which vulnerabilities should be fixed. A security audit (more or less an extended pen-test) is done as a black-box test, meaning that it is carried out under the same conditions an attacker would face: knowing nothing about the machines he has to break into.
Here are the six recurring steps of a penetration test:
  1. Gather information about the target
  2. Detect the systems and services running and draw a map of the network
  3. Look for and exploit network security flaws
  4. Look for and exploit system vulnerabilities
  5. Look for and exploit application vulnerabilities
  6. Progress into the network
In step 1, the pen-tester uses all kinds of indirect methods to get information about the target. This means searching the Internet for information about the company, its network architecture, etc. He will also look at forums, mailing lists and chats, and use search bots (also known as spiders) to learn about the network administrators (N.A.s) running the network and their skills.
The next step is less stealthy, and time-consuming: scan the network and its services using network scanners like Nmap [9, Nmap], query specific services (Finger, Whois, DNS, etc.) where possible, get through the firewalls and draw a map of the network and its organisation. This data will be very useful later on for the attack.
Steps 3, 4 and 5 are similar but applied at different levels. Step 3 examines and exploits network flaws, i.e. vulnerabilities in the way the network was designed, which can lead to various large-scale attacks (IP spoofing, man-in-the-middle attacks, TCP session hijacking, ARP spoofing, DNS cache poisoning, etc.), whereas step 4 looks for system-level vulnerabilities (using vulnerability scanners like Nessus, for example). Finally, security holes are looked for in the programs running on the machine. Those holes can lead to the takeover of the machine by exploiting different kinds of programming errors (buffer/integer overflows, format string bugs, injections, walk-arounds, race conditions, CSS (cross-site scripting), etc.).
If a system could be compromised through one of those steps, the same procedure is used to try to get into the other machines of the DMZ (step 6).
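Of the application-level programming errors listed for step 5, an injection is the easiest to show end to end, so here is an added example (written for this page, not taken from the original document) of a login check built by string formatting next to the parameterized version that fixes it. The user table, the credentials and the probe string are constructed; the only library used is Python's standard `sqlite3` module with an in-memory database.

```python
"""A step-5 application flaw: SQL injection in a login query, shown beside
its parameterized fix (added example, constructed data)."""
import sqlite3


def make_db():
    """In-memory user table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL with string formatting: whatever the client sends
    becomes part of the query text, so quotes and operators change its logic."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(conn, username, password):
    """Parameterized query: the driver binds the values as data, never as SQL,
    so the same input is simply compared against the stored password."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# The classic probe a tester submits in a password field to detect the flaw:
# in the vulnerable query it turns the WHERE clause into "... OR '1'='1'".
PROBE = "' OR '1'='1"


def run_checks():
    """Exercise both implementations with a valid password and with the probe."""
    conn = make_db()
    return {
        "vulnerable_valid": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_probe": login_vulnerable(conn, "alice", PROBE),
        "hardened_valid": login_hardened(conn, "alice", "correct horse"),
        "hardened_probe": login_hardened(conn, "alice", PROBE),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print("%-17s login accepted: %s" % (name, ok))
```

The vulnerable function accepts the probe because the formatted query no longer asks "is this the password?" but "is this the password, or is 1 equal to 1?"; the hardened one rejects it because the bound parameter is compared verbatim. From the defender's side the fix is not input filtering but keeping data and query text separate, which is why a code review for step 5 looks first for queries assembled from user-controlled strings.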

All the bugs/vulnerabilities found (human ones as well as technical ones ;) are then collected in a report written at the end of the security audit and presented to the security specialist (and to management).


Christian Vincenot 2004-04-12