The most common factor that drives hackers is the will and ability to cause damage to technological systems. Penetration testing is, in fact, a deliberate act on behalf of security specialists to initiate a moderated hack into a technological system or application, using common technologies and tactics available to hackers worldwide, in order to locate problems and weak points.

Ron Porat, Hacktics CEO

In the early hours of the 22nd of June 2007, the AP news service published a bulletin describing a crash of the Pentagon’s communication network due to a hacker attack. The headline hinted to readers that this was one more doomsday scenario, a very common framing since 9/11. A full investigation report was never published, but the professional assessment is that several Pentagon e-mail mailboxes (not necessarily the 1500 mailboxes reported) were hacked or infected with a virus, causing the communications personnel to immediately shut down all e-mail services until the system was cleaned and restored to a working state.

Secretary of Defense Robert Gates was quoted saying “The Pentagon deals daily with hundreds of hacking attempts through the Internet and this latest attack did not negatively affect the activities of the office.”

On October 20th 2007, the popular Israeli news site Ynet published an article that stated: “Knesset Website: Parliament members’ résumés were doctored” (the Knesset is Israel’s parliament). In fact, under this anemic headline lies a sophisticated hack into the Knesset’s website using a well-known attack technique in the world of hacking and information security called “SQL Injection”. The response of the Knesset’s chief of staff was “mistakes happen”. Mistakes do happen, both in the world of physical security (terrorist attacks, plane hijacking etc.) and in the world of technology (information security vulnerabilities, exploitation of networks). The real question should be: are these mistakes inevitable?

Simulating a hack

It is obvious that in order to prevent mistakes from happening, an auditing procedure must take place. The goal of the auditing procedure is to verify, thoroughly and objectively, that the product undergoing auditing does in fact meet the high standards demanded by the manufacturer. In the older, brick-and-mortar industries, the auditing process was and still is an integral part of the manufacturing process. By relying on this auditing process, a consumer buying milk in a local grocery shop can be assured that the milk underwent rigorous checking. These tests do not constitute a 100% assurance that the milk is indeed safe to drink, but they do prevent most of the negative effects of drinking spoiled milk.

In the modern world of computing, product auditing is entrusted to the manufacturer’s quality assurance (QA) department. Given this, did the QA departments of both the Pentagon and the Israeli Knesset fail in doing their job? To answer this question, there are several facts that need to be known:

The digital world in which we live today offers us both challenges and threats, the likes of which did not exist in the past. Thieves and criminals are nothing new, but hackers are definitely a sign of the times. The common goal of hackers is the will and ability to inflict damage on technological systems. Other than this common goal, there really is no similarity between one hacker and another. There are groups consisting of young hackers and groups made up of aging hackers (sixties remnants). There are those who specialize in breaking into communication lines and those who find their thrill hacking applications. Many are based in the former Soviet Union, and several times that number are based in China and South-East Asia. There are veteran experts and beginners.

Let’s turn back to our question: Are quality assurance departments to blame in the cases described? The answer to that question is that these departments are in charge of the product’s quality, not chasing criminals.

So who’s responsible for the exhausting daily war against hackers?

An organization’s information security department is the entity responsible for protecting the organization from penetration and electronic damage, just as the security division is in charge of the physical security of the facility and its employees.

It seems we have another question on our hands. Who audits the information security department? Since the people who work in this department are responsible for the planning and execution of information security projects throughout the organization, the organization will more than likely be interested in hiring an independent contractor to audit its security posture. What is this independent external auditing? Is it safe to use the words “penetration tests”?

The answer to that question is yes. This type of auditing is defined by the regulator as penetration testing. These tests are deliberate acts made by information security experts to attempt to hack into a technological system, recording the process as they go along, using conventional methodologies and technologies commonly used by the hacker community.

These hacking attempts will consist of several stages:

1. Know the system

a. Information gathering

b. Infrastructure recognition

This stage involves what we like to call “intelligence gathering prior to operations”. It is at this phase that the attacker tries to gather as much pinpointed information as possible on the system he is about to hack. This will include information regarding the communications infrastructure, the different components available such as routers and switches, information regarding defense measures such as firewalls, as well as any other kind of information he can get his hands on. An important note on this matter is that this stage is done as passively as possible, using the gentlest of techniques so as not to trigger any system alerts.

2. Network mapping

a. Map network components

b. Sketching the network (Passive sniffing)

c. Attack and penetrate network components

d. Scan and penetrate wireless systems

e. RPC logging

f. Windows logging

g. Fingerprinting

h. Passive system fingerprinting

i. Advanced scanning

This stage allows the attacker to create a map of the system and the infrastructure he is about to attack. Mapping the system allows for a better understanding of the system’s weak points that offer the best chance of entry, as well as a prioritization of the attacks.

3. Scanning and sketching systems and network components

a. Port scan

b. Locating and mapping applications

c. Unauthorized access to resources (SSH, rexec)

d. Database registration

It is at this stage that the attacker begins scanning the attacked system in an attempt to identify weaknesses and components that prior attempts failed to locate. This is an active phase, and the system will clearly recognize a foreign element trying to scan it. An experienced hacker will try to hide his scan within the system’s regular traffic, attracting as little attention as possible.

4. System and network components penetration

a. Scanning for vulnerabilities and weakness points

b. Exploiting weakness points

c. Usage of Trojan horses, backdoors and root kits

d. Covering up and log erasing

This is the final stage of the process, in which the attacker tries to exploit the weaknesses located during the scans. If the hack was successful, a backdoor will usually be left behind for system re-entry, all the while covering tracks or damage made. Early discovery of the hack, or of its origin, will of course cause it to fail.
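The scanning stage above notes that an active scan is visible to the target and that an experienced attacker spreads it across normal traffic. As an added example (not code from the article or from Hacktics), the following Python detector counts the distinct targets each source probes within a sliding time window over constructed firewall log lines; a scanner that probes one port every ten minutes is missed by a 60-second window and caught only by a longer one, which is the defender’s side of that remark. The log format, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One firewall line per probe (constructed format, not a real vendor's): ts src dst dport action
LINE_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=\w+")

def parse_log(text):
    """Parse log lines into (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events

def find_scanners(events, window_seconds, min_targets):
    """Return {src: peak number of distinct (dst, port) targets probed within any
    window_seconds span} for every source whose peak reaches min_targets."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(events):
        by_src[src].append((ts, (dst, dport)))
    hits = {}
    for src, probes in by_src.items():
        peak = 0
        for i, (start, _) in enumerate(probes):          # a window opens at each probe
            targets = {t for ts, t in probes[i:] if ts - start <= window}
            peak = max(peak, len(targets))
        if peak >= min_targets:
            hits[src] = peak
    return hits

def make_sample_log():
    """Constructed sample: a fast scanner, a slow scanner, and an ordinary web client."""
    t0 = datetime(2007, 10, 20, 8, 0, 0)
    fmt = "{} src={} dst=198.51.100.10 dport={} action={}"
    lines = []
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443]):    # 8 ports in 4 seconds
        lines.append(fmt.format((t0 + timedelta(seconds=i // 2)).isoformat(), "203.0.113.5", port, "DROP"))
    for i, port in enumerate([21, 22, 25, 80, 110, 143, 443]):        # 7 ports, one every 10 minutes
        lines.append(fmt.format((t0 + timedelta(minutes=10 * i)).isoformat(), "203.0.113.77", port, "DROP"))
    for i in range(4):                                                 # legitimate client on 80/443
        lines.append(fmt.format((t0 + timedelta(seconds=i)).isoformat(), "192.0.2.8", 80 if i % 2 else 443, "ALLOW"))
    return "\n".join(lines)

EVENTS = parse_log(make_sample_log())
FAST = find_scanners(EVENTS, window_seconds=60, min_targets=5)    # catches only the fast scanner
SLOW = find_scanners(EVENTS, window_seconds=7200, min_targets=5)  # the longer window also catches the slow one
```

The cost of the longer window is more state per source and a higher chance that a busy legitimate client crosses the threshold, so the two settings are usually run side by side rather than choosing one.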

Penetration testing simulates this attack, but not with the goal of exploiting the weakness so that the organization can be penetrated; rather, the goal is to identify the weakness so that the situation can be amended.

These types of tests can be made in different modes:

“Black Box” mode means that the penetration tester (a.k.a. the “attacker”) knows nothing about the target of his attack other than an IP address or URL, and attempts to hack using common public knowledge, in effect sifting through the darkness trying to find foxholes to enter.

“White Box” mode means penetration testing in which extensive knowledge of the target system, such as source code or a network map, is made available to the tester. The search for places to hack through is based on that knowledge and is therefore much more thorough.

“Gray Box” mode combines the best of both worlds. The tester knows enough about the system to search for specific weak points, yet does not know the whole of the system architecture through and through.

Performing penetration testing, at either the infrastructure or the application level, is the equivalent of a well-played chess game against the system architects and the information security department personnel. But let’s not forget one thing – hacking into technological systems is not a game but a crime. The techniques specified in this article may only be used when specific authorization has been given and a full criminal background check has been performed.

This article was written by Ron Porat, one of the industry’s leading figures on information security. Ron is the founder and CEO of Hacktics, one of the world’s leading companies in the field of ethical hacking and penetration testing.

Hacktics offers unique expertise in the technology and methodology of application security, together with out-of-the-box thinking and a keen understanding of the operational patterns of hackers. Hacktics is a leading provider of professional and creative solutions to information security problems in applications, databases, and corporate infrastructure. Among its clients are major financial institutions and leading companies around the world.