Like practically any IT or security project, ethical hacking needs to be planned in advance. Strategic and tactical issues in the ethical hacking process should be determined and agreed upon. Planning is important for any amount of testing — from a simple password-cracking test to an all-out penetration test on a Web application.
Formulating your plan

Approval for ethical hacking is essential. Make what you’re doing known and visible — at least to the decision makers. Obtaining sponsorship of the project is the first step. This could be your manager, an executive, a customer, or even yourself if you’re the boss. You need someone to back you up and sign off on your plan. Otherwise, your testing may be called off unexpectedly if someone claims they never authorized you to perform the tests.

The authorization can be as simple as an internal memo from your boss if you’re performing these tests on your own systems. If you’re testing for a customer, have a signed contract in place, stating the customer’s support and authorization. Get written approval on this sponsorship as soon as possible to ensure that none of your time or effort is wasted. This documentation is your Get Out of Jail Free card if anyone questions what you’re doing.
You need a detailed plan, but that doesn’t mean you have to have volumes of testing procedures. One slip can crash your systems — not necessarily what anyone wants. A well-defined scope includes the following information:

- Specific systems to be tested
- Risks that are involved
- When the tests are performed and your overall timeline
- How the tests are performed
- How much knowledge of the systems you have before you start testing
- What is done when a major vulnerability is discovered
- The specific deliverables — this includes security-assessment reports and a higher-level report outlining the general vulnerabilities to be addressed, along with countermeasures that should be implemented
When selecting systems to test, start with the most critical or vulnerable systems. For instance, you can test computer passwords or attempt social-engineering attacks before drilling down into more detailed systems.

It pays to have a contingency plan for your ethical hacking process in case something goes awry. What if you’re assessing your firewall or Web application, and you take it down? This can cause system unavailability, which can reduce system performance or employee productivity. Even worse, it could cause loss of data integrity, loss of data, and bad publicity.

Handle social-engineering and denial-of-service attacks carefully. Determine how they can affect the systems you’re testing and your entire organization.
Determining when the tests are performed is something that you must think long and hard about. Do you test during normal business hours? How about late at night or early in the morning so that production systems aren’t affected? Involve others to make sure they approve of your timing.

The best approach is an unlimited attack, wherein any type of test is possible. The bad guys aren’t hacking your systems within a limited scope, so why should you? Some exceptions to this approach are performing DoS, social-engineering, and physical-security tests.
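A pre-flight gate for a planned test, written as an added example (not from the book) that turns the scope items listed above, the agreed test window, and the DoS, social-engineering and physical-security exceptions into a check that refuses anything outside the signed-off plan. The Scope class, check_test function, the 10.0.5.0/24 range, the window and the timestamps are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Tests the section names as exceptions to the "unlimited attack" approach:
# each needs its own explicit line in the agreed plan.
RESTRICTED_TESTS = {"dos", "social-engineering", "physical-security"}


@dataclass
class Scope:
    """The agreed scope: who signed off, which systems, when, and what is excluded."""
    authorized_by: str                 # the sponsor who signed the memo or contract
    signed: bool                       # written approval is actually in hand
    networks: list                     # CIDR strings for the specific systems to test
    window_start: time                 # agreed test window, e.g. off-hours
    window_end: time
    approved_restricted: set = field(default_factory=set)


def check_test(scope, target, test_type, when_iso):
    """Gate one planned test. Returns (allowed, reason); when_iso is an ISO-8601 timestamp."""
    if not scope.signed:
        return False, "no written authorization on file"
    addr = ip_address(target)
    if not any(addr in ip_network(net) for net in scope.networks):
        return False, f"{target} is not among the systems agreed for testing"
    t = datetime.fromisoformat(when_iso).time()
    if scope.window_start <= scope.window_end:
        in_window = scope.window_start <= t <= scope.window_end
    else:  # window crosses midnight, e.g. 22:00 to 05:00
        in_window = t >= scope.window_start or t <= scope.window_end
    if not in_window:
        return False, f"{t:%H:%M} is outside the agreed test window"
    if test_type in RESTRICTED_TESTS and test_type not in scope.approved_restricted:
        return False, f"{test_type} tests need explicit approval in the plan"
    return True, "within scope"


# Constructed sample: an overnight window on an internal range, DoS not approved.
SAMPLE_SCOPE = Scope(
    authorized_by="IT manager (constructed)",
    signed=True,
    networks=["10.0.5.0/24"],
    window_start=time(22, 0),
    window_end=time(5, 0),
    approved_restricted={"social-engineering"},
)
```

Run check_test for each planned activity before it starts; a refused test is the signal to go back to the sponsor and amend the plan rather than to proceed.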
Don’t stop with one security hole. This can lead to a false sense of security. Keep going to see what else you can discover. I’m not saying to keep hacking until the end of time or until you crash all your systems. Simply pursue the path you’re going down until you can’t hack it any longer (pun intended).

One of your goals may be to perform the tests without being detected. For example, you may be performing your tests on remote systems or on a remote office, and you don’t want the users to be aware of what you’re doing. Otherwise, the users may be on to you and be on their best behavior.

You don’t need extensive knowledge of the systems you’re testing — just a basic understanding. This will help you protect the tested systems.

Understanding the systems you’re testing shouldn’t be difficult if you’re hacking your own in-house systems. If you’re hacking a customer’s systems, you may have to dig deeper. In fact, I’ve never had a customer ask for a fully blind assessment. Most people are scared of these assessments. Base the type of test you will perform on your organization’s or customer’s needs.

Chapter 19 covers hiring “reformed” hackers.
Selecting tools

As with any project, if you don’t have the right tools for ethical hacking, accomplishing the task effectively is difficult. Having said that, just because you use the right tools doesn’t mean that you will discover all vulnerabilities.

Know your personal and technical limitations. Many security-assessment tools generate false positives and negatives (incorrectly identifying vulnerabilities). Others may miss vulnerabilities. If you’re performing tests such as social-engineering or physical-security assessments, you may miss weaknesses.

Many tools focus on specific tests, but no one tool can test for everything. For the same reason that you wouldn’t drive in a nail with a screwdriver, you shouldn’t use a word processor to scan your network for open ports. This is why you need a set of specific tools that you can call on for the task at hand. The more tools you have, the easier your ethical hacking efforts are.
Make sure that you’re using the right tool for the task:

- To crack passwords, you need a cracking tool such as LC4, John the Ripper, or pwdump. A general port scanner, such as SuperScan, may not crack passwords.
- For an in-depth analysis of a Web application, a Web-application assessment tool (such as Whisker or WebInspect) is more appropriate than a network analyzer (such as Ethereal).

When selecting the right security tool for the task, ask around. Get advice from your colleagues and from other people online. A simple Groups search on Google (www.google.com) or perusal of security portals, such as SecurityFocus.com, SearchSecurity.com, and ITsecurity.com, often produces great feedback from other security experts.
Hundreds, if not thousands, of tools can be used for ethical hacking — from your own words and actions to software-based vulnerability-assessment programs to hardware-based network analyzers. The following list runs down some of my favorite commercial, freeware, and open-source security tools:

- Nmap
- EtherPeek
- SuperScan
- QualysGuard
- WebInspect
- LC4 (formerly called L0phtcrack)
- LANguard Network Security Scanner
- Network Stumbler
- ToneLoc

Here are some other popular tools:

- Internet Scanner
- Ethereal
- Nessus
- Nikto
- Kismet
- THC-Scan

I discuss these tools and many others in Parts II through V when I go into the specific hack attacks. Appendix A contains a more comprehensive listing of these tools for your reference.
The capabilities of many security and hacking tools are often misunderstood. This misunderstanding has shed negative light on some excellent tools, such as SATAN (Security Administrator Tool for Analyzing Networks) and Nmap (Network Mapper).

Some of these tools are complex. Whichever tools you use, familiarize yourself with them before you start using them. Here are ways to do that:

- Read the readme and/or online help files for your tools.
- Study the user’s guide for your commercial tools.
- Consider formal classroom training from the security-tool vendor or another third-party training provider, if available.

Look for these characteristics in tools for ethical hacking:

- Adequate documentation.
- Detailed reports on the discovered vulnerabilities, including how they may be exploited and fixed.
- Updates and support when needed.
- High-level reports that can be presented to managers or nontechie types.

These features can save you time and effort when you’re writing the report.
Executing the plan

Ethical hacking can take persistence. Time and patience are important. Be careful when you’re performing your ethical hacking tests. A hacker in your network or a seemingly benign employee looking over your shoulder may watch what’s going on. This person could use this information against you.

It’s not practical to make sure that no hackers are on your systems before you start. Just make sure you keep everything as quiet and private as possible. This is especially critical when transmitting and storing your test results. If possible, encrypt these e-mails and files using Pretty Good Privacy (PGP) or something similar. At a minimum, password-protect them.

You’re now on a reconnaissance mission. Harness as much information as possible about your organization and systems, which is what malicious hackers do. Start with a broad view and narrow your focus:

1. Search the Internet for your organization’s name, your computer and network system names, and your IP addresses. Google is a great place to start for this.
2. Narrow your scope, targeting the specific systems you’re testing. Whether physical-security structures or Web applications, a casual assessment can turn up much information about your systems.
3. Further narrow your focus with a more critical eye. Perform actual scans and other detailed tests on your systems.
4. Perform the attacks, if that’s what you choose to do.
Evaluating results

Assess your results to see what you uncovered, assuming that the vulnerabilities haven’t been made obvious before now. This is where knowledge counts. Evaluating the results and correlating the specific vulnerabilities discovered is a skill that gets better with experience. You’ll end up knowing your systems as well as anyone else. This makes the evaluation process much simpler moving forward.

Submit a formal report to upper management or to your customer, outlining your results. Keep these other parties in the loop to show that your efforts and their money are well spent. Chapter 17 describes this process.
Moving on

When you’ve finished your ethical hacking tests, you still need to implement your analysis and recommendations to make sure your systems are secure.

New security vulnerabilities continually appear. Information systems constantly change and become more complex. New hacker exploits and security vulnerabilities are regularly uncovered. You may discover new ones! Security tests are a snapshot of the security posture of your systems. At any time, everything can change, especially after software upgrades, adding computer systems, or applying patches. Plan to test regularly (for example, once a