Protection first: Attack and Defense in penetration testing

The Penetration Test (Penetration Test) fully simulates possible attack technologies and vulnerability discovery technologies used by hackers. It thoroughly detects the security of the target system and finds the most vulnerable part of the system. Penetration Testing allows managers to understand the problems they face in their networks.

In fact, penetration testing does not have a strict classification method, even in the software development lifecycle, it also contains the penetration test link:

However, according to the actual application, the following classification methods are widely recognized:

Classification by penetration method

Black box test

The black box test, also known as the "Zero-knodge DGE Testing", is a type of test in which the hacker is completely in a state that does not know anything about the system, the initial information is obtained from DNS, Web, Email, and various public servers.

White box testing

The white box test is the opposite of the black box test. Testers can obtain various information from the tested unit through normal channels, including the network topology, employee information, and even code snippets of websites or other programs, it can also work with other employees (sales, programmers, managers, etc.) of the organization ......) Face-to-face communication. The purpose of such tests is to simulate unauthorized operations by employees within an enterprise.

Secret test

The confidential test is for the unit under test. Generally, the network management department of the unit that receives the penetration test will receive a notification that the test will be conducted in some time periods. Therefore, it can monitor changes in the network. However, only a very small number of people in the unit are aware of the existence of the test. Therefore, the Unit can effectively check whether monitoring, response, and recovery of information security incidents are in place.

Classification by penetration target

Host operating system penetration

Perform penetration tests on Windows, Solaris, AIX, Linux, SCO, SGI, and other operating systems.

Database System penetration

Perform penetration tests on database application systems such as MS-SQL, Oracle, MySQL, Informix, Sybase, and DB2.

Application System penetration

Perform penetration tests on various applications provided by penetration targets, such as ASP, CGI, JSP, and php www applications.

Network device penetration

Performs penetration tests on various firewalls, intrusion detection systems, and network devices.

Penetration from the attacker's perspective

Attackers include potential hackers, intruders, and security experts authorized by enterprises. From the perspective of many hackers, there is never an impossible target in the world. The difference is only in time and patience.

At present, we only discuss the attack path and possible technical means of penetration testing from the perspective of authorization penetration.

The testing objectives are different, and the technologies that need to be used are also different. Therefore, the following briefly describes the technologies that may be used in different locations.

Intranet Test

Intranet testing refers to a Penetration Tester initiating a test on the internal network. Such tests can simulate the behaviors of non-compliant operators in the enterprise. The main advantage is to bypass firewall protection. The main internal penetration methods may be: remote buffer overflow, password speculation, and B/S or C/S APPLICATION TESTING (if a C/S program test is involved, prepare relevant client software for testing in advance ).

Internet Test

Internet testing refers to the penetration testing personnel completely in the external network (such as dial-up, ADSL or external optical fiber), simulate the behavior of external attackers who do not know about the internal status. This includes remote attacks to network devices, password management security tests, firewall rule testing, and avoidance, and Web and other open application service security tests.

Penetration between different network segments/VLANs

This penetration method is to try to penetrate another network segment/Vlan from an internal/external network segment. Technologies that may be used in such tests include remote attacks on network devices, remote attacks on firewalls, and rule detection and avoidance attempts. The flowchart 2 of the penetration test is shown in.

Information collection and analysis is accompanied by each penetration test step. Each step has three components: operation, response, and result analysis.

Port Scan

By scanning the TCP/UDP ports of the target address, you can determine the number and type of services it opens. This is the basis of all penetration tests. Through port scanning, you can basically determine the basic information of a system. Based on the experience of security engineers, you can determine its possible existence and the security vulnerabilities exploited to provide a basis for in-depth penetration.

Remote Overflow

This is the most frequent, most threatening, and most easily implemented penetration method, an attacker with general network knowledge can exploit existing tools to launch remote overflow attacks within a short period of time.

This risk also exists for systems in the firewall. As long as a host inside and outside the firewall is successfully attacked, it is easy to use this host to attack hosts in the firewall.

Password Prediction

Password Guessing is also a high probability of occurrence, and almost no attack tool is required. You can guess the password by using a simple brute-force attack program and a comprehensive dictionary.

Speculation on a system account usually involves two aspects: first, the user name, and second, the password.

Local Overflow

Local overflow refers to obtaining administrator permissions through a special instruction code after an account of a common user is owned. To use local overflow, you must first obtain a common user password. That is to say, an important condition for local overflow is the improper password policy.

Years of practice have proved that, after logging on to the system with a common account obtained in the early password speculation phase, local overflow attacks are carried out on the system, you can obtain the control and management permissions of a system that does not perform active security defense.

Script and application testing

Web scripts and application tests are specifically targeted at Web and database servers. According to the latest technical statistics, the Script Security Weakness is one of the serious security weaknesses of the current Web system, especially the Web system with dynamic content. By exploiting the vulnerabilities related to scripts, you can obtain access permissions from other directories of the system. Therefore, Web scripts and application testing are essential for Web and database systems that contain dynamic pages. In Web scripts and application tests, you may need to check the following items:

◆ Check the application system architecture to prevent users from directly modifying the database without bypassing the system;

◆ Check the identity authentication module to prevent illegal users from bypassing identity authentication;

◆ Check the database interface module to prevent users from obtaining system permissions;

◆ Check the file interface module to prevent users from obtaining system files;

◆ Check other security threats;

Wireless Testing

China's wireless networks are still under construction, but due to the ease of deployment of wireless networks, the penetration rate in some major cities is already high. Access points can be found in at least 80% of the business districts in Beijing and Shanghai.

By testing wireless networks, you can determine the security of Enterprise LAN, which has become an increasingly important penetration test.

In addition to the above testing techniques, there are also some technologies that may be used during penetration testing, including social engineering, denial of service attacks, and man-in-the-middle attacks.

Penetration from the defender's perspective

When people with penetration testing attack experience stand on the system administrator's point of view and want to ensure the security of a large network, we will find that the issues to be concerned are completely different: from the perspective of the attacker, the attacker can attack the entire front if only one vulnerability is found. However, from the perspective of the defender, the attacker often finds that, ". Therefore, it is necessary to have good theoretical guidance and focus on security from technology to management so that the network can become solid.

Necessity of Penetration Testing

Penetration testing uses network security scanners, dedicated security testing tools, and the Manual experience of experienced security engineers to provide core servers and important network equipment on the network, it includes servers, network devices, firewalls, and other non-destructive simulated hacker attacks to intrude into the system, obtain confidential information, and report the intrusion process and details to users.

Penetration Testing and tool scanning can complement each other. Tool scanning has good efficiency and speed, but there is a certain amount of false positive rate and false negative rate, and it cannot find high-level, complex, and associated security problems; penetration Testing requires a large amount of human resources and a high requirement on the professional skills of testers (the value of the penetration testing report is directly dependent on the professional skills of testers), but it is very accurate, we can find more logical and deeper vulnerabilities.

Microsoft mentioned in its IT attack and penetration testing team's task description that they have an internal penetration testing team. The daily workflow is as follows:

Time Selection

To reduce the impact of penetration testing on networks and hosts, the penetration testing time should be arranged at a time or at night when the business volume is small.

Policy Selection

To prevent network and host service interruption caused by penetration testing, no denial-of-service testing policy is used in penetration testing.

Authorized penetration testing monitoring means

In the evaluation process, due to the particularity of penetration testing, users can require monitoring of the overall testing process (which may increase the cost of penetration testing ).

Tester self-control

The Penetration Tester completely records the three aspects of data during this test: operation, response, and analysis, and finally forms a complete and effective penetration test report to the user.

User monitoring

There are four forms of user monitoring: Full-Process Monitoring: Full-process packet capture sniffing using Ethereal-like sniffing software; second, monitoring: no recording during the scanning process, only after the security engineer analyzes the data, the software is enabled for sniffing before initiating penetration; three host monitoring: only monitor the survival status of the tested host to avoid unexpected situations; four specified attack sources: the User specifies a specific attack source address for attack. The host of the source address is monitored by the user through processes, network connections, data transmission, and other parties.

Figure 1: software development lifecycle and penetration testing status

Figure 2 penetration testing technical Flowchart