5 - Network Pen Test External Flashcards

1
Q

What is Network Pen Testing?

A

Involves detecting security weaknesses in the network infrastructure of the target organization. Can be conducted from inside or outside the organization. Tests commonly include:

  • Detecting open ports, services running, sensitive info exposed through default banners.
  • Firewall bypass testing
  • IDS evasion testing
  • Testing switching or routing issues
  • Discovering live systems
2
Q

External vs Internal testing

A

External involves evaluation of:

  • Publicly available network applications such as websites/apps, FTP, etc.
  • Network infrastructure devices such as firewalls, IDS, routers, switches, etc
  • Wireless networks

Internal involves evaluation of:

  • All internal networks
  • Infrastructure devices and applications including servers
  • End points
3
Q

What is the Network Pen Testing process?

A
  • Info Gathering (OSINT)
  • Port Scanning
  • OS and Service Fingerprinting
  • Vulnerability Research
  • Exploit Verification
  • Reporting
4
Q

Differences between White-Box, Black-Box, and Gray-Box Pen testing?

A
  • White-Box: Org provides info in advance
    • Network diagrams
    • IP addresses
    • Domain names
    • Device Types
    • Apps and versions
    • Security defenses (IDS, IPS)
    • OS details
    • Infrastructure Details
  • Black-Box: Organization does not provide any info about their infrastructure
  • Gray-Box: Organization may provide you some of the info about their network infrastructure.
5
Q

What are the network Pen Testing steps?

A
  • Port Scanning
  • OS and Service Fingerprinting
  • Vulnerability Research
  • Exploit Verification
6
Q

What kind of info is found in port scanning?

A
  • Discover live hosts
  • Find open ports on live host
  • Fingerprint the services running on open ports
  • Scan the services found for Vulnerabilities
7
Q

What approaches can be used to discover live hosts/IPs?

A
  • Ping each IP for a response (ICMP) - (Sends ICMP ECHO requests to a host)
    • Can also be used for determining if passing through a firewall
  • Send SYN packets to popular ports
  • Send SYN packets to all 64k ports
  • Send SYN packets to a few specific ports
8
Q

What are some common scans Pen Testers use?

A
  • Identifying Default Ports
    • Most FWs have default ports in use for various purposes
    • Port scanners extract info about open ports and their services in order to create a profile of the target organization.
  • Full Open Scan (Connect Scan)
    • Nmap with -sT switch
    • Establishes a connection
  • SYN scan (Half-Open/Stealth)
    • Sends SYN packet to target and waits for response
    • If response is SYN/ACK then port is open
    • If response is RST, port is closed
  • XMAS Scan
    • Does not work against any current version of Windows
    • Sends FIN, URG, PSH
    • No response is open port
    • RST is closed port
  • FIN Scan
    • Does not work against any current version of Windows
    • Sends FIN flag to host
    • No response is open port
    • RST is closed port
  • NULL scan
    • Does not work against any current version of Windows
    • Sends packet with no flag set
    • No response is open port
    • RST is closed port
  • ACK Flag Probe Scan
    • Packet with ACK flag set
    • Analyze header info from RST packet (TTL and WINDOW field)
      • TTL value will be lower on an Open port than a closed port
      • WINDOW value of RST packet from closed ports is zero, open ports are non-zero value
  • UDP Scan:
    • Send UDP packets to a target system
    • No response is open/filtered port
    • ICMP port unreachable error (Type 3, Code 3) is a closed port
    • ICMP unreachable error (Type 3, Code 0, 1, 2, 9, 10, or 13) is a filtered port
  • Fragmentation Scanning
    • Break packet into small IP fragments
    • Splitting up TCP header to evade packet filters
    • Nmap with -f switch
  • Port scan DNS servers (TCP/UDP 53)
    • UDP scan works by sending empty UDP header to every port
    • UDP nmap scan: -sU
    • TCP nmap scan: -sS
  • Port Scan TFTP Servers (Port 69)
  • Port Scan NTP Ports (Port 123)
  • Port Scan SNMP Ports (Port 161)
  • Port Scan Telnet Ports (Port 23)
  • Port Scan LDAP Ports (Port 389)
  • Port Scan Netbios Ports (Ports 135-139, 445)
  • Port Scan Citrix Ports (Port 1495)
  • Port Scan Oracle Ports (Port 1521)
  • Port Scan NFS Ports (Port 2049)
  • Port Scan Compaq/HP Insight Manager Ports (Ports 2301, 2381)
  • Port Scan Remote Desktop Ports (Port 3389)
  • Port Scan Sybase Ports (Port 5000)
  • Port Scan SIP Ports (Port 5060)
  • Port Scan VNC Ports (Ports 5900/5800)
  • Port Scan Test for X11 Ports (Port 6000)
  • Port Scan for Jet Direct Ports (Port 9100)
  • Port Scan for FTP data (Port 20)
  • Port Scan Web Servers (Port 80)
  • Port Scan SSL Servers (Port 443)
    • Nmap with -sV
  • Port Scan for Kerberos-Active Directory (Port TCP/UDP 88)
  • Port Scan for SSH Servers (Port 22)
9
Q

What is Fingerprinting the OS?

A
  • Active: gathering information about the target through direct interaction
  • Nmap with -O
  • Passive
    • Without direct interaction
    • Use Netcraft
10
Q

What is Service fingerprinting?

A
  • Performed to determine services running on various ports and their versions
  • Nmap with -sV
  • If services come back as 'Unknown' you need more aggressive detection
    • -sV or -A
11
Q

What is an external vulnerability assessment?

A

Identifying vulnerabilities on internet facing hosts

12
Q

What is exploit verification?

A

Executing exploits against vulnerabilities found in services, OS, or devices

13
Q

What is documented in the results?

A
  • Open ports, OS, services, versions
  • Also note which ports/services allow exploitation
14
Q

What are some countermeasures?

A
  • Avoid insecure protocols
  • Close open ports and services
  • Install updates and patches to OS and software
  • Reconfigure FWs, IDSs, servers, workstations, network services, etc.