Design and implementation of a non-aggressive automated penetration testing tool
An approach to automated penetration testing focusing on stability and integrity for usage in production environments

Fabio Viggiani

KTH Information and Communication Technology
Degree project in Communication Systems
Second level, 30.0 HEC
Stockholm, Sweden

Master of Science Thesis, May 2013
Master's Programme in Security and Mobile Computing, NordSecMob (NTNU + KTH)
KTH Royal Institute of Technology, School of Information and Communication Technology, Stockholm, Sweden

Examiner: Professor Gerald Q. Maguire Jr., KTH Royal Institute of Technology, Stockholm, Sweden
Academic Supervisor: Professor Danilo Gligoroski, NTNU Norwegian University of Science and Technology, Department of Telematics, Trondheim, Norway
Industrial Supervisor: Marcus Murray, Truesec AB, Stockholm, Sweden

© Fabio Viggiani, May 2013

Abstract

The focus of this Master's thesis project is automated penetration testing. A penetration test is a practice used by security professionals to assess the security of a system. This process consists of attacking the system in order to reveal flaws. Automating the process of penetration testing brings some advantages, the main advantage being reduced costs in terms of the time and human resources needed to perform the test. Although there exist a number of automated tools to perform the required procedures, many security professionals prefer manual testing. The main reason for this choice is that standard automated tools make use of techniques that might compromise the stability and integrity of the system under test. This is usually not acceptable, since the majority of penetration tests are performed in an operating environment with high availability requirements.

The goal of this thesis is to introduce a different approach to penetration testing automation that aims to achieve useful test results without the use of techniques that could damage the system under test. By investigating the procedures, challenges, and considerations that are part of the daily work of a professional penetration tester, a tool was designed and implemented to automate this new process of non-aggressive testing.

The outcome of this thesis project reveals that this tool is able to provide the same results as standard automated penetration testing procedures. However, in order for the tool to completely avoid using unsafe techniques, (limited) initial access to the system under test is needed.

Sammanfattning (Swedish summary, translated)

This Master's thesis focuses on automated penetration testing. Penetration tests are used by security specialists to assess the security of a system. The process of a penetration test consists of various attacks against a system in order to find security holes. Automated penetration tests have advantages, such as the fact that they cost less in terms of the time and human resources required. Although there are many different automated tools for penetration testing, many security specialists choose to do it manually. The main reason it is done manually is that the automated tools use techniques that can compromise the stability and integrity of the system. This is often not permitted, since the majority of penetration tests are performed in production environments that require high availability.

The goal of this thesis is to introduce a new approach to automated penetration testing that aims to produce useful results without techniques that can disturb systems in operation. By examining the procedures, the challenges, and the considerations a penetration tester takes into account, a tool will be designed and implemented to automate the flow of a non-aggressive test.

The result of the thesis shows that the developed tool can achieve the same results as the standard penetration procedures, given limited access to the system.

Acknowledgements

I would like to thank everyone who supported me during this thesis project.

In particular, I would like to thank Marcus Murray for welcoming me in Truesec and giving me the opportunity to learn from highly knowledgeable people and become part of an exciting organization with an amazing philosophy. I am also very grateful to everyone else in Truesec, for their friendliness, openness, and helpfulness.

I would also like to thank Professor Gerald Q. Maguire Jr. for his constant support during this project, and his willingness to share his unlimited knowledge.

Contents

1 Introduction 1
  1.1 Problem Statement 2
  1.2 Goals of the Thesis 3
  1.3 Structure of the Thesis 4
2 Background 5
  2.1 Why perform penetration testing 5
  2.2 The penetration testing process 6
    2.2.1 Initiation 6
    2.2.2 Preparation 7
    2.2.3 Testing 7
      2.2.3.1 Target identification 7
      2.2.3.2 Port scanning 8
      2.2.3.3 Enumeration 8
      2.2.3.4 Penetration 8
      2.2.3.5 Escalation 9
      2.2.3.6 Getting interactive 9
      2.2.3.7 Pillage 9
      2.2.3.8 Cleanup 9
    2.2.4 Reporting 10
  2.3 Tools for penetration testing 10
    2.3.1 Metasploit Framework 10
    2.3.2 Nmap 12