XEN - Penetration Testing Documentation - Case Study Example

XEN [Penetration testing documentation] By Introduction The Xen show of virtual machines offered our understudies serverautonomy giving every learner control of a neighborhood arrangement and of a remarkable IP address on the "virtual" system for each one server so that people could work in groups, incorporating in separation taking in circumstances, and this office subsequently could be utilized either as a part of the showing space or as separation taking in. Learners were allocated into groups. They drilled in the classroom utilizing laptops and remote access and afterward kept on working at home, arranging their "ambushes" on one another by phone. One learner might make an impression on the other or port-filter the other understudy and both people might record the effects. The learners reacted with a lot of energy. After a week there were assorted types of strike from outside sources and the scholars started to archive these and to track down the sources. Significant devices here were tcpdump and tethereal for information catch. We needed each learner to get mindful of the powerlessness of the framework doled out to her/him, and this happened. One commonsense issue was teaching the scholars to give documentation in such a route, to the point that catch documentation gained was not excessively voluminous and troublesome to review. We were, then again, unable to actualize the sum of our objectives and set three characteristics aside for consequent emphasess of the course: (1) giving mysql and ACID to help people examine the information caught, (2) having Snort sent email cautions in regards to specific sorts of endeavors, and (3) firewall setup utilizing iptables. The accomplishment of this methodology urged us to take a gander at applying this engineering to the educating of machine systems (Infs6230). Here we embraced a methodology concentrating on subjects: convention stacks, exemplification of information units, and directing disclosure. We needed our people to have the capacity to distinguish and comprehend information units at each level. Critical apparatuses again here were tcpdump and tethereal for information catch. We picked a dynamic scope of directing revelation, starting with the arp reserve and portion steering table (netstat –rn), and continuing through static steering, and element directing (RIP and OSPF, each one recreated by the Quagga suite), to a Cisco 2610 switch. The last venture of embodiment and directing knowledge was building tunnels utilizing Generic Routing Encapsulation (GRE). The construction modeling (please see Figure 3.1. - Xen Bridged Networking Architecture) was picked on account of these objectives: people ought to get work on following different interfaces (Wilhelm 2013: 45). The tending to experienced in this taking in environment ought to make it essential the take in CIDR directing and veils of diverse sorts. The sham interface in Xen was named eth1:1 and used to given the learners the open door to utilize their frameworks as switches. We anticipated this might give an open door to utilize the FORWARD chain as a part of later use with iptables. Extra directing knowledge was given by a virtual system 10.11.0.0/16. Iptables was added to the data security course on the second cycle in 2007. We have progressively been enhancing the documentation for iptables so scholars might not crush their own (remote) get to by inappropriate setup or by flushing principles (holding their just Accepts) once again to DROP arrangements. As of now we are creating the instructional materials for Ftester so scholars can hone firewall testing. The virtual machine are intended to be insignificant but sufficient for taking in. Every virtual machine has httpd with the goal that it will be listening on port 80. Regarding utilizing netstat –an to screen their ports and nmap, they get mindful of what ports ought to be posting or partaking in settled associations. For this situation that incorporates port 5140, utilized within this environment for the focal review process. Tentative arrangements incorporate ACID, reenacting fringe portal steering, and logging utilizing iptables. Our configuration incorporates the same programming and fittings for utilization in both data security and systems administration guideline. The contrasts lie in which programming gets significant consideration and on which interface the people center in their work. This decreases the trouble in arranging the system for the two separate courses and evades the tests that might hail from utilizing two altogether different arrangements to backing the two courses. After three semesters of utilization of this structural engineering we observed that we could file a solitary coordinated building design that might serve both courses. This makes setting natures domain up every semester simpler. We want to distribute (as open source) the layouts for designing the Xen show of virtual machines. Scope This penetration test obliges a solitary Linux server with sufficient circle space, RAM, and CPU force to help singular virtual machines for all the parts of a course on data security or on systems administration, and a suitable extent of IP locations. The fittings server ("host") is parceled into virtual servers utilizing the free Xen hypervisor. The Xen host ("dom0") runs Linux with the Xen hypervisor and instruments on equipment and the virtual machines ("domu" examples) run a Linux part altered to run on Xen. Each virtual machine sees a solitary Ethernet interface, eth0, which is appended to a virtual interface for every domu in the host and connected to the hosts physical Ethernet interface as indicated in Figure 3.1. Thus, every virtual server is noticeable on the same system portion as the host. Access to the virtual machines could be limited Executive Summary Taking after broad outside testing endeavors to get access to the information recognized by Xen it is accepted that there are right now 3 separate courses to the information storehouse. Two of these courses were discovered to be impervious to get to endeavors with the principle firewalled front entryway (through the web site and freely open requisition servers) being especially solidified and impervious to infiltration/trade off. In any case, the third and less evident assault vector, that of the remote access gave to your outside provision help group was frail, and offered little imperviousness to ambush. Old and unmonitored or defectively kept up frameworks with no security characteristics empowered gave little security and the group could pick up managerial access to this spanning framework from the web. A requisition pennant on your site and old press discharge gave sufficient data to the group to distinguish a course get to was effectively acquired from their unreliability. A remote tunnel was immediately settled and the target information got to. INTRODUCTION The requisition pen testing team has surveyed requisitions composed in numerous diverse advances. The requisitions are evaluated and tried against accepted security issues, for example, Cross-Site Scripting, SQL Injection, Cross-Site Request Forgery, Document Include, Immediate Object Reference … and business rationale detour issues to survey any danger to unapproved access to data (i.e. instead of testing from the front entryway, what could be seen along the side inside a requisition with veritable yet conceivably stolen certifications SUMMARY OF METHODOLOGY USED Discovery testing - A Penetration test with no former learning of the target framework, bar a substantial IP address. No client or provision qualifications were supplied to the testing group or any data on administrations running on the target. White Box testing - A Vulnerability Analysis Inspection of the target framework to figure out what vulnerabilities exist on the framework, that in spite of the fact that straightforwardly exploitable through a Penetration Test may be used later on or by a disappointed/irritated insider. Full client and requisition qualifications were supplied to the group. Ash Box testing – Where some learning of the framework is known and a client account perhaps held. The primary kind of testing embraced for this task was discovery trying in light of its perfect nature to present overall organized tests through all the IP in the system. SYSTEM DESCRIPTION Network Ranges tested and those excluded (inc reasons) Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-07 14:04 BST Nmap scan report for firewall.companydomain (10.1.1.1) Host is up (0.00035s latency). MAC Address: 00:0C:29:EE:98:6B (VMware) Nmap scan report for Win2k3WebServer.companydomain (10.1.1.6) Host is up (0.0014s latency). MAC Address: 00:0C:29:50:99:40 (VMware) Nmap scan report for kali.companydomain (10.1.1.8) Host is up. Nmap done: 32 IP addresses (3 hosts up) scanned in 0.65 seconds .Technical Analysis Stages of testing – Classic Penetration Methodology Black Box testing stuff: Initial scan of network Information gleaned Target selected (repeat as required documenting each box separately) Services running and states on target Information gathered regarding vulnerable aspects of the system configuration. Confirmation of vulnerability Exploitation explained Access gained Leverage and potential growth avenues Summary and rectification work required. Stages of testing – Box by Box targeting 1. Initial Reconnaissance – read the information given by admin staff. 2. General Footprinting – confirm the network is as per the diagrams – VERY IMPORTANT dangerous if you attack the wrong one, embarrassing if you send exploits for the IIS web server to the apache system! 3. Target selection based upon probability of vulnerability, time allowed, easy of exploitation and value of target. 4. Attack boxes/services are required having researched information given at 1. 5. Increase privileges as necessary (within permissions of contract). 6, Secure longer-term access (within permissions of contract). 7. Progressing by leveraging access on box. Go to step 3 and select another target down the list. 8. Repeat as necessary, documenting your activities as you go. Security Policy Documentation (SPD) Policy Compliance. Where UK law, industry regulations or Xen strategy have commanded security controls that were seen to be missing and no such composed arrangement was discovered, a remark ought to be made (Whittaker & Newman 2005: 56). The effects of provision infiltration testing are recorded as a full specialized report. Each one issue recognized inside the provision infiltration test is then clarified with all specialized subtle elements alongside steps/rules on how this issue could be reproduced by our customer. Alongside each one issue distinguished throughout the web requisition security entrance testing process, Xen’s group gives suggestions on how an issue could be appropriately tended to. The requisition pen test report likewise has an official rundown segment holding administration level data, composed in plain English. We additionally exhibit a review of the general level of web requisition security and our real concerns (alongside the steps which ought to be taken to further enhance security). Xen’s provision infiltration testing group highly esteems undertaking consistent exploration to recognize new/rising dangers inside the zones of web requisition security and our allies are in this way welcomed to talk at heading IT security meetings around the globe. Why Live System must meet Policy Requirements. At the point when a framework neglects to execute the efforts to establish safety distinguished in the strategy, the framework or client perhaps working outside their legal limits (Mcdermott 2010: 16). This speaks to extra hazard to the framework, all frameworks to which it trades information, the clients and the Xen. The accompanying were watched and amendment activity ought to be made to redress these before the following administrative survey/review. Security mechanisms encountered (Auditing and Accounting) In the event that inside degree remark upon the security barriers/systems capacity to review and screen your movements. Noting the utilization of syslog servers and inspecting or bookkeeping settings on traded off boxes. Additionally, note if no reaction was made to starting interruptions or bargain of boxes it blackhat testing is continuously attempted – particularly is the system security staff should respond as ordinary (note some of this data might just be accessible after the occasion) (Lunne 1997: 102). Attaches Attach A - summary of Technical Details and investigation of problems Attach B - detailed Technical Findings – Site 1 Attach C - detailed Technical Findings – Site 2 (if 2 or more local) Attach A - Summary of Technical Details and analysis of problems “The configuration of Firewall needs to be tightened to ensure that only communication from the DMZ web server is allowed to be forwarded to the MSSQL server in the Internal LAN. Currently, any external or DMZ system can communicate with the MSSQL server. A firewalk of the external interface by HPing2 allowed an external attacker to enumerate the SQL system and the connectivity it had externally through open misconfigured ports on the FW. “ Attaches C-D - (as high as required) Detailed Technical Findings – Site 1 &2 Colour coding of problem: blue. Serial Number of problem: 222561. .Nmap scan report for kali.companydomain (10.1.1.8) Host is up. Nmap done: 32 IP addresses Prerequisite 11 of the PCI DSS standard for accomplishing PCI consistence commands the need for interior and outer entrance testing in any event once a year and after any critical foundation, provision overhaul or working framework change. The PCI DSS additionally obliges consistent quarterly interior and outside weakness filtering. Notwithstanding the quarterly helplessness checks they ought to likewise be embraced when there are any progressions to the system or framework parts. The outer powerlessness filtering must be attempted by an affirmed checking seller (ASV). However, there is a lot of disarray in the matter of what the PCI DSS really implies by each one term and what the vital contrasts are between PCI helplessness filtering and PCI entrance testing. There is additionally an immense distinction between the potential issues found throughout each one sort of PCI agreeability test and by and large an absence of seeing in respect to what ASV helplessness filtering/ infiltration testing comes about really mean (McLaughlin et al 2010: 107) Bibliography Lunne, T., Robertson, P. K., & Powell, J. J. M. (1997). Cone penetration testing. Geotechnical Practice. McDermott, J. P. (2001, February). Attack net penetration testing. InProceedings of the 2000 workshop on New security paradigms (pp. 15-21). ACM. Whitaker, A., & Newman, D. (2005). Penetration Testing and Cisco Network Defense. Cisco Press. McLaughlin, S., Podkuiko, D., Miadzvezhanka, S., Delozier, A., & McDaniel, P. (2010, December). Multi-vendor penetration testing in the advanced metering infrastructure. In Proceedings of the 26th Annual Computer Security Applications Conference (pp. 107- 116). ACM. Wilhelm, T. (2013). Professional Penetration Testing: Creating and Learning in a Hacking Lab (Vol. 1). Newnes. Read More