IT infrastructure security - Term Paper Example


PENETRATION TEST: REPORT

Penetration testing is an authorized, proactive attempt to evaluate IT infrastructure security by safely attempting to exploit possible system vulnerabilities, including flaws in services, applications and operating systems, risky end-user behavior, and even configurations. This kind of assessment is also useful for verifying the capacity of the defensive mechanisms in place and for checking end users' compliance with security policies. Penetration tests are performed using automated or manual technologies to compromise systems, endpoints, network devices, web applications and other potential exposure points (Brooks and Hall 2007).

After successfully exploiting vulnerabilities on a particular system, the testing team may try to use the compromised node to launch subsequent attacks on other internal devices, specifically attempting to incrementally gain higher levels of security clearance and unrestricted access to electronic information and assets through privilege escalation. All information about the security vulnerabilities exploited during the penetration test is aggregated and forwarded to the network systems managers and IT department heads, to help them make strategic decisions and prioritize the related remediation efforts. The basic intent of penetration testing is to gauge the feasibility of a system compromise and to appraise any related incidents that might stem from the exploit.

The technical people who perform penetration testing are referred to as white hat hackers. As opposed to black hat hackers, they are legitimate and act within the bounds of the law. Their intent is clear and is stated as such from the start of the exercise. Black hat hackers are illegal, unauthorized intruders, and their motives are often ill-intended and profit-oriented.
Companies are hiring well-trained, professional white hat hackers to test their data security and to make recommendations on the vulnerabilities that the penetration testing uncovers.

System Description

The workstation is a desktop PC located in the study den at home. It is predominantly used for sending and receiving e-mail, writing and printing papers, surfing the internet, making computer drawings or art, creating and publishing website pages, creating graphs and charts for coursework, and gaming. In terms of processing power, it has a dual-core processor, 3 GB of RAM, the Windows XP operating system and 160 GB of hard drive storage.

The home computer might be a popular target for intruders who are curious to find out what you have stored on the workstation. They look for bank account information, credit card numbers and anything else confidential and of value that they can find. After stealing your information, the intruders can use your money to buy goods and services. On a home computer, intruders are not interested only in money-related information; they also want the workstation's resources: the fast processor, the hard disk space and the internet connection. They can then use these resources to attack other computers on the internet. As a matter of fact, the more computers a hacker compromises, the harder it is for the authorities to trace the origin of the attack. If intruders cannot be traced, they cannot be stopped and they cannot be prosecuted.

Intruders pay attention to home computers for some obvious reasons. First, home computers are generally not secure and are easy to break into. When combined with high-bandwidth connections that are turned on, hackers can quickly find and exploit the security vulnerabilities of home computers. Intruders prefer workstations attached to high-speed connections, such as DSL modems and cable modems, over dial-in connections.
Regardless of the home computer's internet connection, the intruders' attempts are often successful. Many home PC owners do not know that they need to consider the security of their home computers.

Network security perspective

In the past, security threats came from students with lots of time. The number of such intruders was relatively small, and their motivation was to prove that they could break into another network. Since then, the number of potential attackers and the sophistication of the attacks have increased exponentially. Attacks that once required the attacker to have an advanced degree in computing and information systems can now be carried out with freely available, easily downloaded tools that the average junior-high student can figure out how to use.

The biggest danger today may be the change in the attacker's motivation. Instead of looking for a challenge or trying to steal millions, today's attackers can be much more organized and motivated. Organized crime tries to steal billions by extorting companies with the threat of a denial of service (DoS) attack on the web server. In other instances, they might launch sophisticated attacks that could, for instance, steal thousands of credit card records.

Security, even for a single workstation, is a serious issue and one that requires serious attention. An intruder can break into a PC by sending an email carrying a virus program. Opening the email activates the virus, creating the security weak point through which the intruder can enter the workstation. In other instances, intruders take advantage of a vulnerability in the computer's application software to gain access. Once intruders have access to the PC, they are able to install other programs that let them keep using the PC even after the security weak point they used to begin with has been plugged. These backdoors are usually disguised discreetly, in such a manner that they blend in with the other programs on the computer.
Penetration testing is often confused with a vulnerability scan. The two are not the same, though the line between them blurs when it comes to certain tools. In the true definition, a penetration test takes the output of a vulnerability scan and makes use of the identified vulnerabilities. The point is that penetration testing is not merely about the tools. In fact, the best penetration testers use only a handful of tools. The most important and most powerful tool a penetration tester has is the brain.

Performing a penetration test

Generally, service interruptions and security breaches are costly. They can result in direct financial losses, erode customers' loyalty, attract negative press, and so on. In the case of a home computer, the compromised information can be of significant value. Losses may be incurred directly or indirectly following the security exploit. For a home computer, the loss is not severe except in certain instances, such as stored credit card and banking information.

In a penetration test, the aim is to identify and prioritize security risks. It involves evaluating a company's ability to protect its networks, nodes, applications and computers from external and internal exploits (Hadnagy and Wilson 2010). Identifying and prioritizing risks is essential in risk management and security planning. Reporting and strategic planning then follow. Remediation efforts to salvage the networks are planned at this point as well.

When to perform penetration testing

Regular tests on the network should be maintained to make sure that performance is consistent and to reveal emerging threats that may be harmful to the host computers. As a matter of fact, one cannot safeguard all information all the time.
It is therefore the practice of organizations and individuals to install and maintain layers of defensive security mechanisms, such as cryptography, IDS, IPS, firewalls and user access controls. The adoption of new technologies may introduce complexity and make it even harder to find and eliminate all of the vulnerabilities affecting a system. Further, new vulnerabilities come up each day, and intrusion methods constantly evolve in social and technical sophistication as well as in overall automation.

Threats to data

Social engineering

This is where someone manipulates others into revealing pass keys and user data that the attacker can use to access data and systems, steal money or identities, and access cellular phones. A social engineering attack can be very simple or sophisticated, and it takes various forms.

Phishing: the attacker, the phisher, has to persuade the target to take some action that gives the intruder access to some information. The phisher impersonates a trusted source that the victim believes. The majority of successful attacks of this nature have been initiated via email, where the phisher sends emails to bank clients and requires that they provide confidential information.

Host files poisoning: this attack falls under social engineering. An intruder tampers with the Domain Name Service (DNS) server so that it redirects users to pages they did not request. When a browser accesses the URL of a certain website, say a bank, a tampered DNS server could redirect the user to another site that closely resembles the website they want.

Denial of Service is another common attack, in which legitimate users are prevented from accessing system resources. If the attacker intentionally disrupts service to a computer system or the network, it is considered a DoS attack. There are several categories of DoS attacks: ping of death, SYN flooding, Smurf attack and teardrop attack.
To perform the Ping of Death attack, the intruder's system sends an oversize packet that is intended to freeze, crash or reboot the system, resulting in a Denial of Service (DoS). A SYN flooding attack is conducted by exploiting the security vulnerability in the TCP/IP three-way handshake. The attacker floods the target host with unfinished SYN requests. The target host cannot see the requests in full and has to store them temporarily, which uses up the machine's resources and consequently slows down the network considerably. In a Smurf attack, the intruder sends a ping request to the broadcast address and does so with a spoofed IP address. So many replies come back to the spoofed address, usually a critical server, that they overload its ability to process them.

Spyware and adware are other kinds of attack that a single home computer faces. They are a large group of computer programs that infiltrate your workstation PC for various purposes. When installed, they track and log the user's activities and send the collected information to the intruder without the knowledge or permission of the target host. They come in two forms: tracking cookies and key loggers. Key loggers are software or hardware components installed by the attacker to collect vital information from the host. Once connected, the key logger collects all information keyed in by the user, which can be viewed later.

Tools to launch an attack

Computer viruses can be used to launch attacks on target hosts on a network. The malicious program, the virus, is transferred unnoticed from one computer to another, possibly through a website download or an email attachment. The virus can collect information and send it to the attacker's machine, or simply cause problems on the host computer. Nowadays most computers have an antivirus program installed, with a preloaded list of the characteristics of known viruses, known as virus signatures.
Through a periodic download of the latest signatures, the antivirus can also detect malicious programs.

The Penetration Test

To begin the test you need a personal computer, which could be a notebook computer or a desktop workstation. The computers in use are a workstation running Windows XP and a laptop running Debian GNU/Linux 3.0. The computers were formatted to avoid interference from previously run penetration tests, and a clean, updated installation of each operating system was put in place before plugging them into the network. While connected to the network, the IP addresses in use are 192.168.4.1 and 192.168.4.11, for the Windows XP workstation and the Debian GNU/Linux laptop respectively. As a guarantee of safety and against leakage, the machines are formatted safely to protect the information that is present and related to the penetration test and to the network in general.

The penetration test agreement details that the machines included in the test are 192.168.4.1 - 192.168.4.50. The test is therefore limited exclusively to these addresses. This is according to the information supplied by the network administrator.

Foot Printing

Before any attempt at penetration, the attacker has to begin by gathering as much information as possible. The first goal in this step is to find all hosts connected to the network. The normal method is to send an ICMP ping request and wait for a reply. All IP addresses that reply are considered to be 'up'. Efficiency here calls for the use of fping [FPING], a tool that can ping hosts in parallel. It sends a single request to every IP address within a given range.

    fping -a -c1 -g 192.168.4.10 192.168.4.50

The result of this command is a list of the IP addresses considered to be up, and it returns 10 IP addresses:

    192.168.4.12, 192.168.4.15, 192.168.4.21, 192.168.4.23, 192.168.4.35, 192.168.4.36, 192.168.4.37, 192.168.4.38, 192.168.4.44, 192.168.4.46 and 192.168.4.48.
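The agreement above limits the test to 192.168.4.1 - 192.168.4.50. As an added example (not part of the original paper), the following Python check validates a sweep range and a target list against that scope before any tool is run. The function names are hypothetical and the candidate list is constructed; 192.168.1.99 is the address that appears in the report's nbtstat sample output.

```python
import ipaddress

def parse_scope(spec):
    """Turn 'first-last' into networks that cover exactly that address range."""
    first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
    if last < first:
        raise ValueError("scope range is reversed: " + spec)
    return list(ipaddress.summarize_address_range(first, last))

def in_scope(target, scope):
    """True if target is a valid address inside the agreed scope."""
    addr = ipaddress.ip_address(target)  # raises ValueError on malformed input
    return any(addr in net for net in scope)

def expand_sweep(first, last):
    """Every address a range sweep from first to last would probe."""
    a = int(ipaddress.ip_address(first))
    b = int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(a, b + 1)]

def check_targets(targets, scope):
    """Split targets into (allowed, rejected); malformed entries are rejected."""
    allowed, rejected = [], []
    for t in targets:
        try:
            ok = in_scope(t, scope)
        except ValueError:
            ok = False
        (allowed if ok else rejected).append(t)
    return allowed, rejected

# Scope as stated in the penetration test agreement in this report.
SCOPE = parse_scope("192.168.4.1-192.168.4.50")

# Bounds of the fping sweep shown in this report.
SWEEP = expand_sweep("192.168.4.10", "192.168.4.50")

# Constructed candidate list: two hosts from the report's results, the
# address from the nbtstat sample output, one address just past the
# range, and one typo (letter O instead of zero).
CANDIDATES = ["192.168.4.12", "192.168.4.48", "192.168.1.99",
              "192.168.4.51", "192.168.4.5O"]

if __name__ == "__main__":
    _, bad_sweep = check_targets(SWEEP, SCOPE)
    print("sweep addresses outside scope:", bad_sweep)
    allowed, rejected = check_targets(CANDIDATES, SCOPE)
    print("allowed: ", allowed)
    print("rejected:", rejected)
```

Running the check as a gate in front of every scanning command keeps a mistyped or copied address from leaving the range the network administrator agreed to.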
The next scan targets each of the IP addresses found; the aim is to determine the open TCP ports and the running operating system. Nmap, a network scanning tool, is used to conduct the scan. The nmap command below scans the TCP ports and tries to guess the operating system of the hosts found.

    nmap - 192.168.4.{12,15,21,23,35,36,37,38,44,46,48}

The detected operating systems are grouped below:

    Windows             192.168.4.15, 192.168.4.21, 192.168.4.23, 192.168.4.35, 192.168.4.36
    Debian GNU/Linux    192.168.4.12, 192.168.4.37, 192.168.4.38, 192.168.4.44, 192.168.4.46, 192.168.4.48

NetBIOS is also known as the Windows "Network Neighborhood" protocol. NetBIOS provides a name service that listens on UDP port 137. On receipt of a query on this port, it replies with a list of all the services offered. Windows has a standard tool, nbtstat, that queries a single IP address when given the parameter -A. In the penetration test, run the command:

    nbtstat -A 192.168.4.10

It shows a development box, with numerical (hexadecimal) codes and a type identifying the service being offered.

    C:\> nbtstat -A 192.168.1.99

    NetBIOS Remote Machine Name Table

    Name       Type      Status
    ---------------------------------------------
    XPDEV      UNIQUE    Registered
    UNIXWIX    GROUP     Registered
    XPDEV      UNIQUE    Registered
    XPDEV      UNIQUE    Registered
    UNIXWIX    GROUP     Registered

    MAC Address = 00-50-04-6D-50-37

For instance, the UNIQUE code of shows that the machine is running the file-sharing service. The disadvantage is that nbtstat only shows the codes, which have to be looked up elsewhere. The MAC address of the target machine is also listed. It uniquely identifies the machine's network interface card on the network.

User accounts and passwords

Running GFI LANguard, a network security scanner, gathered valuable information about the network hosts and, more specifically, about the existing user accounts. Some user accounts had administrator privileges and others were basically unused.
The network scanner discovered several user accounts with the same name on different hosts, and a good guess would be that they had the same password. Using a remote backdoor on host 192.168.4.10, the command pwdump was run to start the tool that would get the encrypted passwords.

    User       Password
    John       John
    Maxwell    Mas09
    Ashley     Ash13
    Ashton     Ton15

Shared Directories

Using gnomba [GNOMBA], publicly available shared directories were found. GNOMBA is a graphical tool used to browse shared directories. After a quick browse of the content we found:

    Maxwell's songs such as "Ascension.mp3" and more Maxwell.mp3
    A shared movie folder with files such as "Sahara.wmv", "Johnah Hex.avi" ...

The penetration test was run over a very limited period of time and therefore has not detected all the security loopholes that a more comprehensive test would uncover. The picture drawn in this report shows the security issues that need to be addressed first. The technical issues lie in the various running services, which are a source of vulnerability. Poor management of user accounts, permissions and passwords has introduced a further element of insecurity.

References

Brooks, J., & Hall, J.K. (2007). Unspun: Finding facts in a world of information. Westminster: Random House Trade Paperbacks.
Engebretson, P. (2011). The basics of hacking and penetration testing: Ethical hacking and penetration testing made easy. Burlington, MA: Syngress Basic Series.
Gupta, A., & Laliberte, S. (2004). Defend I.T.: Security by example. New York: Addison Wesley Professional.
Hadnagy, C., & Wilson, P. (2010). Social engineering: The art of human hacking. New York: Wiley.
Shon, H., Harper, A., Eagle, C., Ness, J., & Lester, M. (2004). Gray hat hacking: The ethical hacker's handbook. New York: McGraw-Hill Osborne Media.
Wilhelm, T. (2009). Professional penetration testing: Creating and operating a formal hacking lab. Burlington, MA: Syngress Publishers.
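Added example, not part of the original paper: a Python audit for the account and password weaknesses the report describes under "User accounts and passwords". It flags passwords derived from the user name, account names reused across hosts, and unused administrator accounts. The user/password pairs are those in the report's table; the host inventory, the 12-character minimum and the 90-day idle threshold are assumptions made for the example.

```python
from collections import defaultdict

MIN_LENGTH = 12   # assumed policy minimum, not from the paper
IDLE_DAYS = 90    # assumed threshold for an "unused" account

def shares_fragment(user, password, n=3):
    """True if any n-character run of the user name occurs in the password."""
    u, p = user.lower(), password.lower()
    return any(u[i:i + n] in p for i in range(len(u) - n + 1))

def password_findings(user, password):
    """Return the policy violations for one user/password pair."""
    findings = []
    if password.lower() == user.lower():
        findings.append("equals user name")
    elif shares_fragment(user, password):
        findings.append("contains part of user name")
    if len(password) < MIN_LENGTH:
        findings.append("too short")
    return findings

def account_findings(inventory):
    """Flag names reused across hosts, idle accounts and idle admin accounts."""
    hosts_by_user = defaultdict(set)
    for acct in inventory:
        hosts_by_user[acct["user"].lower()].add(acct["host"])
    reused = {u: sorted(h) for u, h in hosts_by_user.items() if len(h) > 1}
    idle = [(a["host"], a["user"]) for a in inventory
            if a["idle_days"] > IDLE_DAYS]
    idle_admin = [(a["host"], a["user"]) for a in inventory
                  if a["admin"] and a["idle_days"] > IDLE_DAYS]
    return {"reused": reused, "idle": idle, "idle_admin": idle_admin}

# User/password pairs from the table in this report.
RECOVERED = [("John", "John"), ("Maxwell", "Mas09"),
             ("Ashley", "Ash13"), ("Ashton", "Ton15")]

# Constructed inventory: hosts are taken from the report's Windows group,
# but the privileges and idle times are invented for the example.
INVENTORY = [
    {"host": "192.168.4.15", "user": "John", "admin": True, "idle_days": 2},
    {"host": "192.168.4.21", "user": "John", "admin": False, "idle_days": 400},
    {"host": "192.168.4.21", "user": "Ashley", "admin": True, "idle_days": 365},
    {"host": "192.168.4.23", "user": "Maxwell", "admin": False, "idle_days": 1},
]

if __name__ == "__main__":
    for user, pw in RECOVERED:
        print(user, "->", ", ".join(password_findings(user, pw)))
    for key, value in account_findings(INVENTORY).items():
        print(key, value)
```

Every pair in the report's table fails at least one check, and three of the four fail because the password is built from the account name.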