A typical network penetration testing service consists of simulating real-life hacking methodologies. It encompasses various security attack vectors and the exploitation of potential vulnerabilities. Firewall misconfiguration, misconfigured router ACLs, incorrectly configured switches, unpatched servers and non-compliance in managing desktops and laptops are a few of the reasons why a network is vulnerable to internal and external attacks. As a result, internal and external network penetration testing and vulnerability assessment need to be carried out periodically.
DoS attacks today are part of every Internet user's life. They are happening all the time, and all Internet users, as a community, have some part in creating them, suffering from them or even losing time and money because of them. DoS attacks do not have anything to do with breaking into computers, taking control of remote hosts on the Internet or stealing privileged information such as credit card numbers. In Internet parlance, DoS is neither a hack nor a crack; it is a separate subject in its own right. This section is devoted entirely to denial of service attacks and their variants. Here we present a broad definition of this kind of network threat, and examples of the most common attacks.
Definitions
The sole purpose of DoS attacks is to disrupt the services offered by the victim. While the attack is in place and no action has been taken to fix the problem, the victim is unable to provide its services on the Internet. DoS attacks are really a form of vandalism against Internet services. They take advantage of weaknesses in the IP protocol stack in order to disrupt those services. DoS attacks can take several forms and can be categorized according to several parameters. In particular, in this study we differentiate denial of service attacks based on where the attack originates.
DoS attacks (in the narrow sense) are generated by a single host, or by a small number of hosts at the same location. The only real way for such an attack to pose a real threat is to exploit some software or design flaw. Such flaws include, for example, faulty implementations of the IP stack that crash the whole host when they receive a non-standard IP packet (the ping-of-death is the classic case). An attack of this kind generally involves a low volume of data. Unless the victim hosts have unpatched flaws of this sort, a single-source DoS attack should not pose a real threat to high-end services on today's Internet.
DDoS (Distributed Denial of Service) attacks are usually generated by a very large number of hosts. These hosts might be amplifiers or reflectors of some kind, or they might be 'zombies' (agent programs that connect back to pre-defined master hosts) that were planted on remote hosts and have been waiting for the command to attack a victim. It is quite common to see attacks generated by hundreds of hosts, producing floods of hundreds of megabits per second. The main tool of DDoS is bulk flooding, where the attacker or attackers flood the victim with as many packets as they can in order to overwhelm it.
The best way to illustrate what a DDoS attack does to a web server is to think about what would happen if the entire population of a city decided at the same moment to go and stand in line at the local shop. These are all legitimate requests for service, since all these people came to buy something, but there is no chance they will be served, because each of them has a thousand other people standing in line in front of them!
DDoS attacks require a large number of hosts attacking together at the same time. This can be accomplished by infecting a large number of Internet hosts with a 'zombie'. This way, the attacker can be anyone with a certain amount of knowledge and access to the master host (such as the correct password to an Internet Relay Chat (IRC) channel).
All he has to do is enter a few commands, and the whole zombie army wakes up and mounts a massive attack against the victim of his or her choice. The zombie program can be planted on the infected hosts in a variety of ways, such as an attachment to spam email, the latest cool flash movie, a crack for a game, or even the game itself. Communication from the zombie to its master can be hidden as well, by using standard protocols such as HTTP, IRC, ICMP or even DNS. DDoS attacks are quite common today, and they pose the main threat to public services because, when a distributed attack is generated against an Internet service, it is quite hard to block thousands of hosts sending flood data. This is particularly painful if the attacking packets are legitimate requests, since they cannot easily be associated with a DDoS attack. Another aspect of most DDoS attacks is that they consume a vast amount of resources from the network infrastructure, such as ISP networks and network equipment. This makes such attacks even more troublesome, because a single attack targeted against a minor web server might bring the whole ISP's network down, and with it affect service for thousands of users.
Some Solutions to DoS Attacks
The way DoS and DDoS attacks are perpetrated, by exploiting limitations of protocols and applications, is one of the main reasons why they are continuously evolving, and hence why they keep presenting new challenges in how to combat or limit their effects. Even if these attacks cannot be avoided completely, some basic rules can be followed to protect the network against some of them and to limit the extent of an attack:
* Make sure the network has a firewall up that aggressively keeps everything out except legal traffic.
* Implement router filters. This will lessen the exposure to certain denial-of-service attacks. Additionally, it will help prevent users on your network from effectively launching certain denial-of-service attacks.
* Install patches to guard against TCP/IP attacks. This will substantially reduce the exposure to these attacks but may not eliminate the risk entirely.
* Disable any unused or unneeded network services. This can limit the ability of an intruder to take advantage of those services to execute a denial-of-service attack.
* Observe the system performance and establish baselines for ordinary activity. Use the baseline to gauge unusual levels of disk activity, CPU usage, or network traffic.
* Keep antivirus software up to date. This will help prevent the site from becoming a home for DDoS agents like TFN.
* Invest in redundant and fault-tolerant network configurations.
Besides the rules listed above, it is important for a network administrator, or even a machine administrator, to keep current on the latest DDoS developments.
Also, since there is no silver bullet for DDoS attacks, several companies offer programs and services that can help a network administrator manage DDoS assaults. Essentially, these commercial approaches consist of intense real-time monitoring of the network, looking for telltale signs of incoming DDoS attacks.
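The advice above to establish a baseline for ordinary activity is easiest to act on with a concrete check. The following Python script is an added example (not code from the original page): it parses web server access log lines in Common Log Format, learns per-source and per-minute request counts from a quiet period, and then flags a later minute in which one source, or the total, exceeds that baseline. The log lines, addresses and thresholds are all constructed for illustration.

```python
"""Baseline-vs-current request-rate check (added example, not from the page).

Parses Common Log Format lines, learns what 'ordinary activity' looks like
per source address per minute, then flags sources and minutes in a later
log that exceed that baseline. All log lines are constructed samples.
"""
import re
import statistics
from collections import Counter

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return (ip, minute_bucket) or None for a line that is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # "10/Oct/2023:13:55:36 +0000" -> "10/Oct/2023:13:55" (one-minute bucket)
    return m.group("ip"), m.group("ts")[:17]


def per_source_per_minute(lines):
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            counts[parsed] += 1
    return counts


def learn_baseline(quiet_lines):
    """Mean/stdev of requests per (source, minute) and the busiest quiet minute."""
    counts = per_source_per_minute(quiet_lines)
    values = list(counts.values())
    totals = Counter()
    for (_, minute), n in counts.items():
        totals[minute] += n
    return {
        "mean": statistics.fmean(values),
        "stdev": statistics.pstdev(values),
        "max_total": max(totals.values()),
    }


def flag_sources(lines, baseline, k=3.0):
    """Single noisy sources: count > mean + k*stdev (stdev floored at 1)."""
    threshold = baseline["mean"] + k * max(baseline["stdev"], 1.0)
    counts = per_source_per_minute(lines)
    hits = [(ip, minute, n) for (ip, minute), n in counts.items() if n > threshold]
    return sorted(hits, key=lambda t: -t[2])


def flag_minutes(lines, baseline, factor=4.0):
    """Whole-minute totals, which also catch floods spread over many sources."""
    totals = Counter()
    for (_, minute), n in per_source_per_minute(lines).items():
        totals[minute] += n
    limit = factor * baseline["max_total"]
    return sorted((minute, n) for minute, n in totals.items() if n > limit)


def make_lines(ip, minute, n, path="/"):
    """Constructed CLF lines for one source within one minute."""
    return [f'{ip} - - [{minute}:{i % 60:02d} +0000] "GET {path} HTTP/1.1" 200 512'
            for i in range(n)]


QUIET_MINUTE = "10/Oct/2023:13:55"
BUSY_MINUTE = "10/Oct/2023:14:05"
# Ordinary activity: four clients, a handful of requests each (constructed).
QUIET_LOG = (make_lines("198.51.100.7", QUIET_MINUTE, 3)
             + make_lines("198.51.100.8", QUIET_MINUTE, 5)
             + make_lines("198.51.100.9", QUIET_MINUTE, 4)
             + make_lines("198.51.100.10", QUIET_MINUTE, 4))
# Later minute: same clients plus one source sending 60 requests (constructed).
BUSY_LOG = (make_lines("198.51.100.7", BUSY_MINUTE, 4)
            + make_lines("198.51.100.8", BUSY_MINUTE, 5)
            + make_lines("203.0.113.5", BUSY_MINUTE, 60))
# Same total volume, but spread over 14 sources so no single source stands out.
DISTRIBUTED_LOG = [line for i in range(14)
                   for line in make_lines(f"203.0.113.{100 + i}", BUSY_MINUTE, 5)]

if __name__ == "__main__":
    baseline = learn_baseline(QUIET_LOG)
    print("baseline", baseline)
    print("noisy sources", flag_sources(BUSY_LOG, baseline))
    print("busy minutes", flag_minutes(BUSY_LOG, baseline))
    print("distributed: sources", flag_sources(DISTRIBUTED_LOG, baseline),
          "minutes", flag_minutes(DISTRIBUTED_LOG, baseline))
```

The per-source check catches a single noisy host; the per-minute total is what catches the distributed case described earlier, where each of many sources stays below any per-source threshold. In practice the baseline would be learned over days rather than a single minute, and the thresholds tuned to the site.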
What Is a Firewall?
A firewall is a system that enforces an access control policy between two networks, such as your private LAN and the unsafe, public Internet. The firewall determines which inside services can be accessed from the outside, and vice versa. The actual means by which this is accomplished vary widely, but in principle the firewall can be thought of as a pair of mechanisms: one to block traffic, and one to permit traffic. A firewall is more than the locked front door to your network; it is your security guard as well.
Why a Firewall? Am I Really at Risk?
Anyone can become a hacker. It doesn't take a technological whiz kid to wreak havoc on your network. A wide range of tools and utilities can easily be downloaded from the Internet, and with their help almost anyone can become a competent hacker at the touch of a button. There are experts who say, 'If you are connected to the Internet, you need a firewall.' The decision may not be more complicated than that. However, you'll probably consider a combination of factors. Start with the basic questions you'd ask about any other security system.
A firewall can screen both incoming and outgoing traffic. Because incoming traffic poses a greater threat to the network, it's usually screened more closely than outgoing traffic. When you are looking at firewall hardware or software products, you'll probably hear about three types of screening that firewalls perform:
* Screening that blocks any incoming data not specifically ordered by a user on the network
* Screening by the address of the sender
* Screening by the contents of the communication
Types of Attack
Before determining exactly what type of firewall you need, you must first understand the nature of security threats that exist. The Internet is one large community, and as in any community it has both good and bad elements. The bad elements range from incompetent outsiders who do damage unintentionally, to the proficient, malicious hackers who mount deliberate assaults on companies using the Internet as their weapon of choice.
Generally there are three types of attack that could potentially affect your business:
* Information theft: Stealing company confidential information, such as employee records, customer records, or company intellectual property
* Information sabotage: Changing information in an attempt to damage an individual or company's reputation, such as changing employee medical or educational records or uploading derogatory content onto your Web site
* Denial of service (DoS): Bringing down your company's network or servers so that legitimate users cannot access services, or so that normal company operations such as production are impeded.
Firewall Technologies
Firewalls come in all shapes, sizes, and prices. Choosing the correct one depends mainly on your business requirements and the size of your network. This section discusses the different types of firewall technologies and formats available. Above all, no matter what type of firewall you choose or its functionality, you must ensure that it is secure and that a trusted third party, such as the International Computer Security Association (ICSA), has certified it. The ICSA classifies firewalls into three categories: packet filter firewalls, application-level proxy servers, and stateful packet inspection firewalls.
Designing a Firewall into Your Network
Once you have familiarized yourself with the different firewalls on the market, the next step is to define your firewall policy. For example, will the firewall explicitly deny all services except those critical to the mission of connecting to the Internet? Or is it intended to provide a metered and audited method of 'queuing' access in a non-threatening manner? Decisions like these are less about engineering than about politics. The next decision is what level of monitoring, redundancy, and control you want. This involves juggling needs analysis with risk assessment, and then sorting through the often conflicting requirements in order to determine what to implement. Where firewalls are concerned, the emphasis should be on security rather than connectivity. You should consider blocking everything by default, and only allowing the services you need on a case-by-case basis. If you block all but a specific set of services, you make your job much easier.
Conclusion
Security breaches are very real and very dangerous. Every company now recognizes how easily it can become the victim of deliberate or random attacks, and how much damage these attacks can cause. While firewalls are only one component of an overall security system, they are a vital component, and companies must invest the time required to evaluate the best system for their needs, and then deploy it as quickly as possible. Security breaches are an ever-present danger, and there's no time like the present to protect your company's valuable data.
The only way to ensure a secure firewall is to perform a firewall configuration audit together with an external vulnerability assessment and penetration test. This ensures that the perimeter of the organization is protected from internal and external attacks. Testing firewall and IDS rules is a regular part of penetration testing or security auditing. However, because of the unique complexity of different environments, automated scanners are of limited use in this area. Several free and open source tools exist to help craft packets for testing firewall and IDS rules, which can aid in a general assessment. A working knowledge of TCP/IP is required to make use of such tools, and access to a Linux or OS X laptop is recommended for portable testing. After obtaining a general assessment of a firewall and its rules, the rules can be corrected as appropriate.
Modern firewalls from major vendors ship today with a strict default rule set that is generally fairly secure. Vendors are much more security-aware than in previous years, and products now thankfully reflect a more security-conscious environment and Internet. Testing is still required to ensure that the rules in place are operating as they should, or to locate areas where the configuration can be improved.
Each TCP or UDP packet carries four basic pieces of header information that matter for routing and filtering (the addresses sit in the IP header, the ports in the TCP or UDP header): source port : source IP | destination port : destination IP
Firewall rules are often set up to inspect packets and route them based on these source/destination fields in the packet headers. The problem is that the source IP or port can be altered in an attempt to bypass a firewall if poor rules are in place. In most cases, firewall rules should be configured to process DENY rules first and ACCEPT rules afterwards, which avoids many of these security issues.
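To make the ordering point concrete, here is an added Python example (not from the original page) of a first-match filter over the four fields just listed. It models the rule set for traffic arriving from the Internet side, with an ACCEPT rule that shadows a later DENY, the corrected deny-first ordering, and an anti-spoofing DENY for packets that claim a source address inside the protected network. Rule sets, networks (RFC 5737 documentation ranges) and packets are constructed for illustration; real firewalls add interfaces, connection state and logging on top of this.

```python
"""First-match packet filter over the source/destination 4-tuple
(added example, not from the page). Shows why an ACCEPT rule placed
before a DENY rule shadows it, and an anti-spoofing DENY for packets
that claim an internal source address. All addresses are documentation
ranges (RFC 5737) and the rule sets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "DENY" or "ACCEPT"
    proto: str = "any"
    src: str = "0.0.0.0/0"          # source network (CIDR)
    dst: str = "0.0.0.0/0"          # destination network (CIDR)
    dst_port: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        return self.dst_port is None or self.dst_port == pkt.dst_port


def evaluate(rules: List[Rule], pkt: Packet, default: str = "DENY") -> str:
    """First matching rule wins; nothing matched -> default policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def deny_rules_after_accept(rules: List[Rule]) -> List[int]:
    """Indices of DENY rules that sit behind an ACCEPT rule (the ordering
    problem the text describes): an earlier ACCEPT can take the packet
    before the DENY is ever consulted."""
    first_accept = next((i for i, r in enumerate(rules) if r.action == "ACCEPT"), None)
    if first_accept is None:
        return []
    return [i for i, r in enumerate(rules) if r.action == "DENY" and i > first_accept]


INTERNAL_NET = "10.0.0.0/8"       # constructed: the protected LAN
BLOCKED_NET = "192.0.2.0/24"      # constructed: a range the policy says to drop

# Mis-ordered: the web ACCEPT is consulted before the DENY for the blocked range.
MISORDERED = [
    Rule("ACCEPT", proto="tcp", dst=INTERNAL_NET, dst_port=80),
    Rule("DENY", src=BLOCKED_NET),
]

# Corrected: DENY rules first (including anti-spoofing), then the narrow ACCEPTs.
CORRECTED = [
    Rule("DENY", src=BLOCKED_NET),
    Rule("DENY", src=INTERNAL_NET),     # packets from outside must not claim an inside source
    Rule("ACCEPT", proto="tcp", dst=INTERNAL_NET, dst_port=80),
    Rule("ACCEPT", proto="udp", dst=INTERNAL_NET, dst_port=53),
]

# Constructed packets as seen arriving from the Internet side.
FROM_BLOCKED = Packet("tcp", "192.0.2.9", 44321, "10.0.0.5", 80)
SPOOFED_INSIDE = Packet("tcp", "10.0.0.7", 44321, "10.0.0.5", 80)
LEGIT_WEB = Packet("tcp", "198.51.100.7", 50000, "10.0.0.5", 80)
SSH_ATTEMPT = Packet("tcp", "198.51.100.7", 50001, "10.0.0.5", 22)

if __name__ == "__main__":
    for name, rules in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(name, "shadowed DENY rules:", deny_rules_after_accept(rules))
        for pkt in (FROM_BLOCKED, SPOOFED_INSIDE, LEGIT_WEB, SSH_ATTEMPT):
            print("  ", pkt.src_ip, "->", pkt.dst_ip, pkt.dst_port, evaluate(rules, pkt))
```

With the mis-ordered set, both the packet from the blocked range and the packet with a forged inside source are accepted because the port-80 ACCEPT matches first; with the corrected set they are denied, the legitimate web request is accepted, and anything unmatched (the SSH attempt) falls through to the default DENY.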
Network scanning involves using a port scanner to identify all hosts potentially connected to an organization's network, the network services operating on those hosts, such as the File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP), and the specific application providing each identified service, such as WU-FTPD, Internet Information Server (IIS) or Apache for the HTTP service. The result of the scan is a comprehensive list of all active hosts and services, printers, switches, and routers operating in the address space scanned by the port-scanning tool, i.e., any device that has a network address or is accessible to any other device.
Port scanners, such as nmap, first identify active hosts in the address range specified by the user, using Internet Control Message Protocol (ICMP) ECHO and ICMP ECHO_REPLY packets. Once active hosts have been identified, they are scanned for open Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports, which in turn identify the network services operating on that host. A number of scanners support different scanning methods that have different strengths and weaknesses, usually explained in the scanner documentation. For example, certain scans are better suited to scanning through firewalls and others to scans internal to the firewall. Individuals not familiar with the details of TCP/IP protocols should review.
All basic scanners will identify active hosts and open ports, but some scanners provide additional information on the scanned hosts. The information gathered during an open-port scan will often identify the target operating system. This process is called operating system fingerprinting. For example, if a host has TCP ports 135 and 139 open, it is most likely a Windows NT or 2000 host. Other items, such as TCP sequence number generation and the responses to ICMP packets (e.g., the TTL (Time To Live) field), also provide clues to the operating system. Operating system fingerprinting is not foolproof: firewalls filter (block) certain ports and types of traffic, and system administrators can configure their systems to respond in non-standard ways to camouflage the true operating system.
In addition, some scanners will help identify the application running on a particular port. For example, if a scanner finds that TCP port 80 is open on a host, it often means that the host is running a web server. However, identifying which web server product is installed can be critical for identifying vulnerabilities: the vulnerabilities of Microsoft's IIS server are very different from those of the Apache web server. The application can be identified by 'listening' on the remote port to capture the 'banner' information transmitted by the remote host when a client (a web browser in this example) connects. Banner information is generally not visible to the end user (for web servers and browsers); however, when it is transmitted, it can provide a wealth of information, including the application type, application version and even the operating system type and version. Again, this is not foolproof, since a security-conscious administrator can alter the transmitted banners. The process of capturing banner information is sometimes called banner grabbing. Vulnerability scanners take the concept of a port scanner to the next level. Like a port scanner, a vulnerability scanner identifies hosts and open ports, but it also provides information on the associated vulnerabilities (as opposed to relying on human interpretation of the results). Most vulnerability scanners also attempt to provide information on mitigating discovered vulnerabilities.
Vulnerability scanners provide system and network administrators with proactive tools that can be used to identify vulnerabilities before an adversary can find them. A vulnerability scanner is a relatively fast and easy way to quantify an organization's exposure to surface vulnerabilities. Vulnerability scanners attempt to identify vulnerabilities in the hosts scanned. Vulnerability scanners can also help identify out-of-date software versions, applicable patches or system upgrades, and validate compliance with, or deviations from, the organization's security policy. To accomplish this, vulnerability scanners identify operating systems and major software applications running on hosts and match them with known exposures.
Scanners employ large databases of vulnerabilities to identify flaws associated with commonly used operating systems and applications. The scanner will often provide significant information and guidance on mitigating discovered vulnerabilities. In addition, some vulnerability scanners can automatically make corrections and fix certain discovered vulnerabilities. This assumes that the operator of the vulnerability scanner has 'root' or administrator access to the vulnerable host.
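Banner grabbing and matching the result against known exposures, as described in the paragraphs above, come down to parsing and version comparison. The Python below is an added example (not from the original page or any scanner product): it parses HTTP, SSH and FTP banners into a product and version, compares the version against affected ranges, and marks banners it cannot identify so that a human looks at them, which covers the administrator-altered-banner case the text mentions. The banners and the ADV-EXAMPLE-* exposure entries are constructed placeholders, not real advisories.

```python
"""Banner interpretation and version matching (added example, not from
the page). Parses service banners of the kind a scanner captures, then
checks the product/version against a vulnerability list. The banners and
the 'known exposure' entries (ADV-EXAMPLE-*) are constructed placeholders,
not real advisories.
"""
import re
from typing import List, Optional, Tuple

# One pattern per banner style; each yields a 'product' and 'version' group.
BANNER_PATTERNS = [
    # HTTP response header, e.g. "Server: Apache/2.4.49 (Unix)"
    re.compile(r"^Server:\s*(?P<product>[A-Za-z0-9_.-]+)/(?P<version>[0-9][0-9A-Za-z.]*)", re.I | re.M),
    # SSH identification string, e.g. "SSH-2.0-OpenSSH_7.4p1 Debian-10"
    re.compile(r"^SSH-2\.0-(?P<product>[A-Za-z]+)_(?P<version>[0-9][0-9A-Za-z.]*)", re.M),
    # FTP greeting, e.g. "220 (vsFTPd 3.0.3)"
    re.compile(r"^220[ -]\((?P<product>[A-Za-z]+)\s+(?P<version>[0-9][0-9.]*)\)", re.M),
]


def parse_banner(text: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (product, version) in lower case, or (None, None) when the
    banner carries no recognisable product/version (altered or stripped)."""
    for pattern in BANNER_PATTERNS:
        m = pattern.search(text)
        if m:
            return m.group("product").lower(), m.group("version")
    return None, None


def version_key(version: str) -> Tuple[int, ...]:
    """Crude comparable key: every run of digits becomes an int, so
    '7.4p1' -> (7, 4, 1). Good enough for the range checks below."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


# Constructed exposure database: product, affected from (inclusive), fixed in (exclusive).
EXPOSURES = [
    {"id": "ADV-EXAMPLE-001", "product": "apache", "from": "2.4.0", "fixed": "2.4.50"},
    {"id": "ADV-EXAMPLE-002", "product": "openssh", "from": "0", "fixed": "8.0"},
    {"id": "ADV-EXAMPLE-003", "product": "vsftpd", "from": "2.0", "fixed": "2.3.5"},
]


def match_exposures(product: Optional[str], version: Optional[str], db=EXPOSURES) -> List[str]:
    """IDs of entries whose product matches and whose range contains the version."""
    if product is None or version is None:
        return []
    vk = version_key(version)
    return [e["id"] for e in db
            if e["product"] == product and version_key(e["from"]) <= vk < version_key(e["fixed"])]


def assess_banner(text: str) -> dict:
    """Parse then match; the 'unidentified' flag tells the analyst a human
    still has to look, which is the case the text warns about."""
    product, version = parse_banner(text)
    return {
        "product": product,
        "version": version,
        "exposures": match_exposures(product, version),
        "unidentified": product is None,
    }


# Constructed banners, as a scanner might record them.
SAMPLE_BANNERS = [
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.49 (Unix)\r\nContent-Length: 0\r\n\r\n",
    "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n",
    "220 (vsFTPd 3.0.3)\r\n",
    "HTTP/1.1 200 OK\r\nServer: hidden\r\n\r\n",        # administrator-altered banner
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(assess_banner(banner))
```

A banner match is only a hypothesis about what is running: distributions backport fixes without changing the advertised version, and banners can be edited, so the exposure list marks candidates for verification rather than confirmed findings, which is the false-positive problem the next paragraphs describe.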
However, vulnerability scanners have some significant weaknesses. Generally, they only identify surface vulnerabilities and are unable to address the overall risk level of a scanned network. Although the scan process itself is highly automated, vulnerability scanners can have a high false positive error rate (reporting vulnerabilities when none exist). This means an individual with expertise in networking and operating system security and in administration must interpret the results. Since vulnerability scanners require more information than port scanners to reliably identify the vulnerabilities on a host, vulnerability scanners tend to generate significantly more network traffic than port scanners. This may have a negative impact on the hosts or network being scanned or network segments through which scanning traffic is traversing. Many vulnerability scanners also include tests for denial of service (DoS) attacks that, in the hands of an inexperienced tester, can have a considerable negative impact on scanned hosts.
Another significant limitation of vulnerability scanners is that they rely on constant updating of the vulnerability database in order to recognize the latest vulnerabilities. Before running any scanner, organizations should install the latest updates to the scanner's vulnerability database. Some vulnerability scanner databases are updated more regularly than others. The frequency of updates should be a major consideration when choosing a vulnerability scanner.
Vulnerability scanners are better at detecting well-known vulnerabilities than the more esoteric ones, primarily because it is difficult to incorporate all known vulnerabilities in a timely manner. Also, manufacturers of these products want to keep the speed of their scanners high (detecting more vulnerabilities requires more tests, which slows the overall scanning process).
Wireless security is something that almost everyone wants, but which few actually use. Barriers to use include throughput loss in older 802.11b products, WEP's susceptibility to being cracked, and the difficulty of getting the darned thing working!
What are the risks of Wi-Fi?
* Unauthorized connections: stealing bandwidth; attacks on your systems from inside the firewall; attacks on third-party systems that appear to come from you!
* Information leakage: eavesdroppers capturing sensitive information, often from a greater range than normal.
Typical Options
There are three basic strategies:
* Leave Wi-Fi wide open and roll with whatever comes
* Leave Wi-Fi open, but secure it further upstream and/or at a higher layer
* Secure the Wi-Fi layer itself
Open Strategy
Leave your SSID wide open and completely unsecured (very generous of you!). Be prepared for the repercussions:
* Attackers and virus-infested machines
* Accusations of bad things that other connected users did
* If popular, you may not have any bandwidth left over!
Open Wi-Fi, Secure Upstream
Treat Wi-Fi as an insecure link (think of it as the Internet). Any Wi-Fi-facing hosts must be thoroughly secured (bastion hosts). Any leaks (ping, DNS, Web) will allow users to bypass your filters. See nocat.net and OpenVPN.org.
Correct implementation of the security controls in wireless networks is critical nowadays, since it directly affects the profitability of some businesses and the confidentiality of information. Wireless security tools should be used to test (audit) wireless implementations regularly. A good wireless security audit is not only practical testing, but also proper documentation, including recommendations on how to make the WLAN more secure. There are several possible audits one can perform:
* Layer 1 Audit
* Layer 2 Audit
* WLAN Security Audit
* Wired Infrastructure Audit
* Social Engineering Audit
* Wireless Intrusion Prevention System (WIPS) Audit
* Wi-Fi Security Auditing Tool
In the previous part, we listed a set of audits that can be carried out in order to assess the security of a wireless implementation. We will go through the points one by one and see, firstly, why a particular audit is relevant and, secondly, how one can perform it.
Layer 1 and Layer 2 Audit
The goal of a Layer 1 audit is to determine the RF coverage (part of a performance-based site survey) and to find potential sources of RF interference (the part of the security audit concerned with identifying sources of Layer 1 DoS). During a wireless security audit, one conducts spectrum analysis to detect any continuous transmitters or intentionally placed RF jammers (which cause a Layer 1 DoS). For a Layer 2 wireless audit, the goal is to detect any rogue or unauthorized 802.11 devices. Performing a Layer 2 audit is critical in environments that do not have Wireless IPS (WIPS) monitoring deployed (otherwise the WIPS will do that work automatically, since this is its job). The points an auditor should concentrate on while performing a Layer 2 site survey are: MAC addresses, SSIDs, types of devices in use, types of traffic, channels in use, possible default configurations, possible Layer 2 attacks taking place, ad-hoc clients, etc. While performing a Layer 1 or Layer 2 audit, the auditor might use the following tools:
* Protocol sniffers/analyzers (e.g. Wireshark)
* 2.4/5 GHz signal injectors
* Offensive tools (mdk3, Void11, Bugtraq, IKEcrack, FakeAP, etc.)
As an example, I will show you a Swiss-army-knife tool called mdk3. It is a proof-of-concept tool for exploiting wireless networks. Just to name a few options, it allows you to:
* Flood fake beacon frames (as a way to imitate a fake AP)
* DoS with authentication frames (which may lead to an AP freezing or restarting, if vulnerable)
* Flood disassociation/deauthentication frames (to kick valid users off the network)
* Test 802.1X wireless security
WLAN Security Audit
The goal of a WLAN security audit is to investigate whether and how a particular WLAN may be compromised. The types of weaknesses a potential attacker would look for (and that a wireless security auditor should therefore concentrate on) are mainly related to authentication, encryption, the types of WLAN deployed, weak keys in use and the like. The tools that are a good match for this use are:
* Protocol sniffers/analyzers (e.g. Wireshark)
* Wireless discovery tools (e.g. NetStumbler, Kismet, Win Sniffer, WiFiFoFum, etc.)
* Encryption/authentication breaking (testing) tools (aircrack-ng, custom scripts, all kinds of cryptanalysis tools)
Wired Infrastructure Audit
With respect to wireless network communication, its wired part also needs to be secured for the whole system to be considered safe. A wired infrastructure audit should cover the following points:
* Inspection of the firewall used to restrict WLAN user access to certain network resources.
* Unused switch port interfaces should be disabled.
* Strong passwords should be used, and protocols with built-in encryption (HTTPS, SSH) should be used where possible.
Social Engineering Audit
Social engineering is the type of "attack" that uses non-technical approaches to get the information. Instead of trying to crack the wireless password, maybe it's easier to ask for it? Maybe it would be easier to get the WPS PIN that would allow you to connect to the protected WLAN? Those scenarios sound amazing, but I can assure you that they happen in real life too. In order to protect against it, the most important thing is to be aware of what data should be kept private and what may be shared. In home environments where you are the "admin" of the network, it is only you who can decide what should be kept private. In enterprise environments, on the other hand, it is the role of the security department to run security awareness campaigns that educate personnel on what constitutes proper use of the wireless network and what constitutes misuse.
Wireless Intrusion Prevention Systems
On the wired network, an Intrusion Prevention System (IPS) performs deep packet inspection of the traversing packets in order to look for anomalies, Trojans or other malicious pieces of code. In the wireless world it is similar, but the focus is on reacting to rogue wireless devices rather than on security events in the traffic. A Wireless Intrusion Prevention System (WIPS) concentrates on detecting and preventing the use of unauthorized wireless devices.
The whole idea behind WIPS is to have some APs in your infrastructure dedicated to, and configured in, WIPS mode (they do not broadcast any WLAN or allow users to associate). Those APs are preconfigured for a particular frequency channel and just listen to the frequency spectrum all the time, looking for anomalies. Another approach is to have a set of dedicated passive sensors (instead of APs) perform this job. The different types of anomalies that you may expect to see are: floods of deauthentication frames, floods of disassociation frames, WLANs broadcast by APs with unknown BSSIDs, etc. Deep packet inspection and malicious code detection still need to be done on the wired network, using dedicated IPS/IDS devices. As an attacker you have no means to run a WIPS solution, since it is a defensive technical measure. Due to its price and management overhead, only bigger enterprises tend to have it running (and it is still quite rare). One possible deployment of a WIPS solution is based on the Cisco wireless infrastructure model. The Cisco wireless solution (in its simplest form) is based on the Wireless LAN Controller (WLC) and a set of APs. A WIPS deployment would take some APs out of regular WLAN service and set them to IPS mode, dedicated purely to inspecting the frequency spectrum. The main page of the Cisco Wireless LAN Controller (WLC) is shown below (confidential fields were covered with a circle filled with black).
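The anomalies listed above (deauthentication/disassociation floods and beacons from unknown BSSIDs) are the kind of thing a WIPS sensor checks for. The Python below is an added example of that detection logic (not from the original page, from Cisco or from any WIPS product) over a constructed list of simplified 802.11 management-frame records: it reports BSSIDs seen beaconing that are not in the authorised inventory, and time windows in which deauth/disassoc frames against a BSSID exceed a threshold. Frame records, BSSIDs and thresholds are all constructed.

```python
"""Wireless anomaly checks of the kind a WIPS sensor performs (added
example, not from the page or any vendor's product). Works over a list
of simplified 802.11 management-frame records: detects beacons from
BSSIDs that are not on the authorised list, and bursts of
deauthentication/disassociation frames. All frame records are constructed.
"""
from collections import Counter
from typing import List, NamedTuple, Set, Tuple


class Frame(NamedTuple):
    ts: float       # seconds since capture start
    subtype: str    # "beacon", "deauth", "disassoc", ...
    bssid: str
    ssid: str = ""  # only meaningful for beacons


AUTHORISED_BSSIDS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}   # constructed inventory


def rogue_bssids(frames: List[Frame], authorised: Set[str]) -> List[Tuple[str, str]]:
    """(bssid, ssid) pairs seen beaconing that are not in the inventory."""
    seen = {(f.bssid, f.ssid) for f in frames
            if f.subtype == "beacon" and f.bssid not in authorised}
    return sorted(seen)


def deauth_floods(frames: List[Frame], window: float = 10.0,
                  threshold: int = 20) -> List[Tuple[str, float, int]]:
    """(bssid, window_start, count) for windows with >= threshold deauth/disassoc frames."""
    buckets = Counter()
    for f in frames:
        if f.subtype in ("deauth", "disassoc"):
            buckets[(f.bssid, int(f.ts // window))] += 1
    return [(bssid, w * window, n)
            for (bssid, w), n in sorted(buckets.items()) if n >= threshold]


def build_capture() -> List[Frame]:
    """Constructed capture: normal beacons, a rogue AP cloning the SSID, and a deauth burst."""
    frames = []
    for t in range(0, 30, 5):                                           # beacons every 5 s
        frames.append(Frame(t, "beacon", "00:11:22:33:44:55", "corp"))
        frames.append(Frame(t, "beacon", "00:11:22:33:44:66", "corp"))
    frames.append(Frame(3, "beacon", "de:ad:be:ef:00:01", "corp"))      # rogue, same SSID
    frames.append(Frame(8, "beacon", "de:ad:be:ef:00:01", "corp"))
    frames.append(Frame(2, "deauth", "00:11:22:33:44:55"))              # ordinary, isolated deauths
    frames.append(Frame(7, "deauth", "00:11:22:33:44:66"))
    frames.extend(Frame(10 + i * 0.2, "deauth", "00:11:22:33:44:55")   # burst: 40 in 8 seconds
                  for i in range(40))
    return sorted(frames)


CAPTURE = build_capture()

if __name__ == "__main__":
    print("rogue APs:", rogue_bssids(CAPTURE, AUTHORISED_BSSIDS))
    print("deauth floods:", deauth_floods(CAPTURE))
```

The isolated deauth frames in the first window stay below the threshold, as they would in normal roaming, while the burst in the second window is reported; the rogue check is only as good as the BSSID inventory, so that list has to be maintained as APs are added or replaced.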
Wireless Penetration Testing
Pentesting wireless systems is an easier task than doing it on the wired network. You cannot really apply good physical security measures to a wireless medium: if you are located close enough, you are able to "hear" (or at least your wireless adapter is able to hear) everything that is flowing over the air. As you have seen so far, there are numerous tools ready and waiting for you to use. The additional software and hardware you need for performing wireless network pentesting is as below. This is the set that I am personally using, and it works very well.
Kali Linux (formerly BackTrack)
You can either install Kali as the only OS on your PC or you can run the .iso file. The second option is the one I am using: in Oracle VM VirtualBox (freeware), you open the .iso of Kali Linux.
Wireless Card
If you are running Kali Linux as a virtual machine in VM VirtualBox, you can use the wireless card of your PC directly in the VM. For that use, you would need an external wireless adapter (a description of good wireless cards was given in the initial chapters of this tutorial). Personally, I am using an ALFA AWUS036NH, and I can definitely feel its "power". It has a high output power (1 W) and a built-in 5 dBi antenna. You can try to use it for your Wi-Fi connectivity as well, as it is much faster than some of the "Intel" ones that most laptops are shipped with. Having all that, you are good to go.
Wireless Penetration Testing Framework
Penetration testing of wireless networks is always divided into two phases: a passive phase and an active phase. Every possible attack (whether wireless or any other) you can imagine always starts with some kind of passive phase. During the passive phase, the penetration tester (or an attacker) collects information about the target. Different types of passive parts of the attack may be:
* Reconnaissance of the environment
* Reading about the target's security measures on the Internet, from the news
* Talking to legitimate users about security controls
* Sniffing the traffic
Some tests may already stop at that point. There is a chance that the attacker got all the data he needs directly from unaware legitimate users, or that the sniffed traffic was enough to perform some offline attacks (offline brute-force, offline dictionary, or relevant information such as a password transferred in clear text in the sniffed packets). On the other hand, if it was not enough, there is a second phase, the active one. This is where the attacker interacts directly with the victim. Active steps can be:
* Sending phishing e-mails asking directly for the user's credentials
* Injecting wireless frames in order to stimulate some specific action (example: deauthentication frames)
* Creating a fake AP that legitimate users will use to connect to the wireless network
All the attacks described in this chapter are passive or a combination of passive and active ones. As the reader goes through them, it will be very easy to spot where the passive phase ends and the active one starts.
Valency Networks has a very agile, friendly and fun-loving atmosphere, and yet we maintain a cutting-edge, technically vibrant work environment.