Agreement with CLIENT for Penetration Testing

Presented by
Netswitch Hong Kong Limited
(Subsidiary of Netswitch Technology Management, USA)

March, 2010
Version 3.0
Executive Summary

PURPOSE
Netswitch Hong Kong Limited (hereinafter “Netswitch”) is entering into this agreement with The CLIENT COMPANY
(hereinafter “HSH”) for Netswitch to conduct an internally-based Penetration Test of the Tokyo and Beijing guest
networks. To further clarify Netswitch’s scope of work, we have provided the following definitions commonly used
in connection with penetration testing programs.


DEFINITIONS
White-Box Testing: The testing team has complete carte blanche access to the target network and has been
supplied with network diagrams, hardware, operating system and application details, etc., prior to the test being
carried out. This is not a truly blind test, but it can speed up the process a great deal and leads to more accurate
results. The prior knowledge leads directly to tests targeting the specific operating systems, applications and
network devices that reside on the network, rather than spending time enumerating what could possibly be on the
network. A White-Box test simulates the situation where an attacker has complete knowledge of the internal
network.


Black-Box Testing: The testing team has no prior knowledge of the target network. An example of this situation is
when an external or internal web-based test is to be carried out and the website URL or IP address is supplied to
the testing team. It is their role to attempt to break into the company website or network. This simulates an
external attack carried out by a malicious hacker. This is also known as Blind Testing.


Grey-Box Testing: The testing team simulates an attack that could be carried out by a disgruntled or disaffected
staff member. The testing team is supplied with appropriate user-level privileges and a user account and
password(s) to permit access to the internal network by relaxation of specific security policies present on the
network, e.g. port-level security.




Confidential – Penetration Testing for HSH March 2010                                                      Page 1 of 15
Network Penetration Test: Network Penetration Test refers to a set of penetration techniques used to detect
various security issues with the network and servers in general. It leverages various known exploits, publicly
known information, social engineering, system vulnerabilities, spoofing etc. to gain access to the servers or
networks.


Web Application Penetration Test: Web Application Penetration Test refers to a set of penetration techniques
used to detect various security issues with web applications and identify vulnerabilities and risks, including: known
vulnerabilities, URL manipulation, SQL injection, cross-site scripting, back-end authentication, password-in-memory,
session hijacking, buffer overflow, etc.


Wireless Penetration Test: Wireless Penetration Test refers to a set of penetration techniques and attacks
against wireless (Wi-Fi) networks to reveal various security issues. Techniques include, for example, denial of
service attacks, man in the middle attacks, ARP poisoning attacks, and encryption cracking.




SCOPE
In this engagement, Netswitch will be conducting a “Black-Box” procedure incorporating Network Penetration,
Web Application Penetration and Wireless (Wi-Fi) Penetration tests. Social Engineering and Denial of Service
attacks are excluded.




OBJECTIVES
It is our understanding that CLIENT intends that the Penetration Test against their guest network verify that the
LAN and Wi-Fi network implementation is secure without exposing any private information to the public, and at the
same time protects the guest network from being abused by intruders.


DELIVERABLES
Netswitch will provide a combination of Network Penetration, Application Penetration and Wi-Fi Penetration Testing
as follows:


    1. Internal penetration testing, which will include the discovery of all host-based systems accessible via the
       designated guest network, with and without the use of credentials provided by CLIENT Network
       Administration. If CLIENT engages Netswitch to conduct further testing in the future, the technical details
       may be updated to reflect technological developments, the emergence of new threats and changes in the
       CLIENT guest networks.
    2. A series of attacks against the Wi-Fi guest network, including passively monitoring and collecting traffic
       information, attempts to deauthenticate legitimate users to gain Wi-Fi network access, and attempts to
       decrypt and “brute-force” the encryption and authentication method.
    3. Manually checking each page, folder and structure of the customer login web pages for any code
       jeopardizing network security and trust verification.
    4. A comprehensive report of all findings, including recommendations to eliminate the vulnerabilities found
       and/or exploited. Netswitch will also conduct a review of the report with CLIENT IT staff to ensure a full
       understanding of the penetration results and of any required corrective action.
    5. At the conclusion of the penetration tests of the two guest networks, Netswitch will provide a Management
       Summary of the penetration results. The Management Summary will include the following sections:

          a) An identification of the two locations;
          b) A statement of the penetration test objectives;
          c) A description of the methodology used for the penetration tests;
          d) An explanation of the scheme used to classify assessment findings (Risk, Impact and Mitigation
             Difficulty);
          e) A graphical summary of the results for each location. The plot for each location will present the
             total number of Security Informational Notes, Security Warnings and Security Holes for that
             location and their associated Impact level;
          f) A statement summarizing Netswitch’s judgment of the overall security posture of the included
             CLIENT Guest Networks based on our testing.

Note: Network penetration testing includes the possibility of connecting to the target network and
retrieving sensitive information. Netswitch takes no responsibility for any loss that occurs due to the
assessment, though we will do our best to minimize such events.




ASSESSMENT FRAMEWORK
Netswitch will conduct the Penetration Testing using a combination of the COBIT IT Governance framework, the
Open Source Security Testing Methodology Manual (OSSTMM) and the Open Web Application Security Project
(OWASP) as guidelines for the testing procedures. Specifically, the assessment will be based on the following
control structure:

Control Objective: Active Detection Verification
Relevant Control: Test whether controls are in place for blocking and/or monitoring intrusion attempts and
signal tampering.
Control Tests*:
  - Determine and account for interferences.
  - Test with both interferences active and inactive.
  - Determine limitations on testing procedures.

Control Objective: Visibility Audit
Relevant Control: Determine the ability to intercept or interfere with communication channels. Determine which
frequencies and signals can leak into or out of the target area using passive detection means.
Control Tests*:
  - Determine targets through all enumeration tasks.
  - Determine new targets by researching known targets.

Control Objective: Access Verification
Relevant Control: Enumerate and determine the authentication mechanism and test whether inadequacies exist in
the authentication and authorization methods. Determine the access control level and the ability to intercept or
interfere with communication.
Control Tests*:
  - Verify interactions with access points and gateways to all targets within scope.
  - Determine the type of interaction for all access points and network devices.
  - Determine the source of interaction, defined as a service or process.
  - Verify depth of access.
  - Verify known security limitations of discovered access points and network devices.
  - Search for novel circumvention techniques and security limitations of discovered access points and
    network devices.

Control Objective: Trust Verification
Relevant Control: Test for trusts between systems within the scope, where “trusts” refers to access to
information or physical property without the need for authentication credentials.
Control Tests*:
  - Verify interactions which rely on other interactions to complete the test interaction according to the tasks.
  - Determine targets with trust relationships to other targets in the scope to complete interactions.
  - Determine targets with trust relationships to other targets outside the scope to complete interactions.
  - Verify known security limitations of discovered trusts between the trusts.
  - Verify known security limitations of discovered trusts between targets in the scope and the trusted
    interactions.
  - Search for novel circumvention techniques and security limitations of discovered trusts.

Control Objective: Privileges Audit
Relevant Control: Test where credentials are supplied to the user and permission is granted for testing with
those credentials.
Control Tests*:
  - Confirm that legitimate guest privileges cannot be expanded or extended.
  - Verify the use of fraudulent identification to obtain privileges.
  - Verify the means of circumventing authentication requirements.
  - Verify the means of taking non-public authentication privileges.
  - Verify the means of hijacking other authentication privileges.
  - Verify known security limitations of discovered authentication mechanisms to escalate privileges.
  - Search for novel circumvention techniques and security limitations of discovered authentication
    mechanisms to escalate privileges.
  - Determine the depth of all discovered authentication privileges.
  - Determine the re-usability of all discovered authentication privileges on the authentication mechanisms
    on all targets.

Control Objective: Survivability Validation
Relevant Control: Determine and measure the resilience of targets within scope to excessive or hostile changes
designed to cause service failure.
Control Tests*:
  - Determine measures applicable to disrupt or stop service continuity to and from the targets.
  - Verify continuity processes and safety mechanisms active for the targets.
  - Verify known security limitations of discovered safety and service continuity processes and mechanisms.
  - Search for novel circumvention techniques and security limitations of discovered safety and service
    continuity processes and mechanisms.

*The technical details of each test procedure are described under Methodology


METHODOLOGY
Netswitch will ship our specially prepared Penetration Testing laptop, equipped with multiple NIC cards, multiple
operating systems and a wireless radio, to the two designated hotel sites. The laptop includes a feature to “phone
home,” which allows Netswitch Engineers to securely log on to the laptop and perform the Penetration Testing as if
they were physically present in the designated hotel.

The scans will originate from the Netswitch Penetration Testing laptop. Netswitch performs Penetration Testing
using a combination of virtual machines running Linux and Windows, and we execute both open source and
proprietary software tools. We initially attempt to remain unnoticed by the systems by passively monitoring the
traffic and collecting any published information, but eventually our scanning activities should be logged by various
systems and may trigger an alarm. After the scans we compile a list of systems, ports and software versions and
begin to map the network. Using the map, we check all security-focused web sites, forums and news groups for
known vulnerabilities. This initial reconnaissance is very thorough and accurate, as it is the foundation for a
penetration test.

The assessment then proceeds to check for weak passwords, known exploits and software version vulnerabilities
such as stack overflows, remote code execution, DNS poisoning, elevation of privilege, information disclosure,
spoofing, cross-site scripting, malicious file execution, etc. against any network device deployed on the guest
network. Then we perform a series of attacks, including packet injection, client deauthentication, MAC spoofing,
replay attacks, etc., against both the LAN and Wi-Fi networks, to allow Netswitch Engineers to gain further access or
retrieve possibly privately-held information. During these tests, we conduct certain testing that will require the
Peninsula Network Administration to act as if they were hotel guests, and Netswitch Engineers will attempt to
leverage the “guests” connection to gain further access. This controlled-environment approach will allow Netswitch
to find any possible vulnerability on the networks while keeping true CLIENT guests from being exposed.

Once the three Penetration Test components (Network Penetration Test, Web Application Penetration Test and
Wi-Fi Penetration Test) are completed, the data is consolidated into a report together with Netswitch’s expert
recommendations for any required or suggested mitigations. The report is presented to the CLIENT’s IT
department for review and repair. Netswitch can also provide solutions under a separate contract.




There are five stages to the Netswitch Penetration Testing:

Stage 1

Network Penetration: In this stage we query the internal DNS server and information published on the internal
guest login web page to determine subnet and various server and network information. Stage one is performed on
a Linux workstation using several Java- and PHP-based tools.

Web Application Penetration: In this stage we collect information for the customer login web page by utilizing a
crawler to attempt to locate all the web application related files. Stage one is performed on a Linux workstation
using several Java- and PHP-based tools.

Wireless Penetration: In this stage we perform tasks to identify both authorized networks and unauthorized points
of access. We gather information on network signal strength, security protocols and connected devices, and we
sniff traffic streams for sensitive data. Stage one is performed on a Linux workstation using various Wi-Fi tools.

Stage 2

Network Penetration and Web Application Penetration: In stage two, we conduct port scans using a variety of
protocols and scanners. Commonly referred to as “fingerprinting”, this is the longest stage of the audit and
commonly continues throughout the duration of the audit. We use the results of these scans to attempt to identify
services and software versions running on machines that may be vulnerable to exploitation or reveal confidential
system configuration information.
    1. Port scans are performed and a list of “open” ports is compiled.
    2. Various types of connections are made to the “open” ports to determine what service is running on each
       port.
    3. Requests for information, such as software type and version, are sent to the “open” ports.
This stage of the Penetration Test is performed on Linux and MS Windows workstations. We use a variety of port
scanners and programs to connect to the “open” ports. Only banners are collected at this point, in order to
determine software versions.

Wireless Penetration: In this stage, we begin sniffing Wi-Fi traffic using various tools and attempt to associate our
testing platform to the network by deauthenticating valid clients and by spoofing valid trusted MAC addresses. We
also generate and inject traffic into the wireless network in an attempt to capture further handshake information.
There is a possibility that the network switches may be taken down and require the Network Administrator to reset
the device. This stage of the Penetration Test is performed on Linux and MS Windows workstations.

Stage 3

Network Penetration: In this stage, we attempt manual probing of the operating system layer of the servers and
network devices. Manual and automated account and password-guessing attacks are also used: Secure Shell,
Telnet, VPN and other types of remote management protocols are tested for default and common account names
and passwords. This stage of the assessment is performed on Linux and MS Windows workstations. Various
client-based programs are used to connect to the different ports and protocols to test the authentication levels.

Web Application Penetration: In this stage, we attempt manual probing of the application layer of the servers and
network devices. We may try specific malformed URLs and different authentication techniques to gain information
and access to the servers and networks, to determine account lockout, IDS levels and automated IP blocking
levels, and to identify the use of any access control lists and VPNs. Manual and automated account and
password-guessing attacks are also used. We attempt SQL injection: adding extra characters or commands to an
HTTP request may reveal information the guest and/or hotel might not want revealed. See Appendix II. This stage
of the assessment is performed on Linux and MS Windows workstations. Various client-based programs are used to
connect to the different ports and protocols to test the authentication levels.

Wireless Penetration: In this stage, we attempt to replicate attacks and to decrypt various encryption methods
using dictionary attacks against the handshake information captured in the previous stage. This stage of the
assessment is performed on Linux and MS Windows workstations. Various client-based programs are used to
connect to the different ports and protocols to test the authentication levels.

Stage 4

Network Penetration: In this stage, we use automated vulnerability scanners in an attempt to identify
vulnerabilities that are leading edge and difficult or impossible to identify manually. We use a number of
vulnerability scanners, depending on the services available and the security layer being tested. We employ
software-based scanners that are available on the Internet, as this is more realistic of a real-world hacker attack.
    1. When an operating system, software or hardware version is identified, Netswitch uses automated
       assessment software to check it against several databases of known vulnerabilities.
    2. Netswitch checks against all of the well-known databases (Bugtraq, SecurityFocus, CAN, CVE, SANS, etc.)
       as well as our own custom database, which the Netswitch IT team updates daily.
This stage of the Penetration Test is performed on Linux and MS Windows workstations. Software versions are
checked against several databases.

Web Application Penetration: In this stage, we use automated web vulnerability scanners in an attempt to identify
vulnerabilities that are leading edge and difficult or impossible to identify manually. We use a number of web
vulnerability scanners. We employ software-based scanners that are available on the Internet, along with
custom-built scanners modified by the Netswitch IT team, as this is more realistic of a real-world hacker attack.
This stage of the Penetration Test is performed on Linux and MS Windows workstations.

Wireless Penetration: In this stage, if the Stage 3 attempts are not deemed valid, we attempt to create a Rogue
Access Point to capture guest traffic and compromise guest security by acquiring passphrases and certificates. This
test must be conducted with the participation of a CLIENT Network Administrator in order to avoid exposing guest
information and to maintain privacy; we estimate that this support will be required for approximately 4 hours. This
stage of the Penetration Test is performed on Linux and MS Windows workstations.
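Stage 2 collects service banners and Stage 4 checks the identified versions against vulnerability databases. As an added example (not from the Netswitch document), the Python below normalises constructed banners into (product, version) pairs and matches them against a constructed advisory table using numeric version ordering, so that "4.10" is treated as newer than "4.9" rather than older as a plain string comparison would. The banner patterns, product names, hosts and advisory ids are assumptions and placeholders, not real advisories.

```python
import re

# Banner patterns -> product name. Patterns, hosts and advisories below are
# constructed for this example; the advisory ids are placeholders, not real CVEs.
BANNER_PATTERNS = [
    (re.compile(r"^SSH-\d\.\d-OpenSSH_(?P<ver>\d+(?:\.\d+)*)"), "openssh"),
    (re.compile(r"Apache/(?P<ver>\d+(?:\.\d+)*)"), "apache_httpd"),
    (re.compile(r"ProFTPD (?P<ver>\d+(?:\.\d+)*)"), "proftpd"),
]

# Constructed sample of what stage 2 banner collection might yield: (host, port, banner).
SAMPLE_BANNERS = [
    ("10.20.1.10", 22, "SSH-2.0-OpenSSH_4.3"),
    ("10.20.1.10", 80, "Apache/2.2.8 (Unix)"),
    ("10.20.1.11", 22, "SSH-2.0-OpenSSH_4.10"),
    ("10.20.1.12", 21, "220 ProFTPD 1.3.1 Server ready."),
    ("10.20.1.12", 8080, "Jetty(6.1.14)"),
]

# Constructed advisory table: a version is affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "product": "openssh", "introduced": "3.0", "fixed": "4.9"},
    {"id": "ADV-PLACEHOLDER-2", "product": "apache_httpd", "introduced": "2.2.0", "fixed": "2.2.9"},
]


def parse_banner(banner):
    """Return (product, version) for a recognised banner, else None."""
    for pattern, product in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return product, m["ver"]
    return None


def version_key(version):
    """Numeric tuple for ordering: '4.10' -> (4, 10), which sorts after (4, 9)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, advisory):
    """True when introduced <= version < fixed, compared numerically per component."""
    v = version_key(version)
    return version_key(advisory["introduced"]) <= v < version_key(advisory["fixed"])


def check_banners(banners, advisories):
    """Match each recognised banner against the advisory table.

    Returns {'matches': [...], 'unrecognised': [...]} so that banners the
    patterns could not classify are reported rather than silently dropped.
    """
    matches, unrecognised = [], []
    for host, port, banner in banners:
        parsed = parse_banner(banner)
        if parsed is None:
            unrecognised.append((host, port, banner))
            continue
        product, version = parsed
        for adv in advisories:
            if adv["product"] == product and is_affected(version, adv):
                matches.append({"host": host, "port": port, "product": product,
                                "version": version, "advisory": adv["id"]})
    return {"matches": matches, "unrecognised": unrecognised}


if __name__ == "__main__":
    result = check_banners(SAMPLE_BANNERS, ADVISORIES)
    for m in result["matches"]:
        print(f"{m['host']}:{m['port']} {m['product']} {m['version']} -> {m['advisory']}")
    for host, port, banner in result["unrecognised"]:
        print(f"{host}:{port} unrecognised banner: {banner!r}")
```

Unrecognised banners are returned separately so the tester can extend the pattern list instead of missing a host.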




Stage 5

Network Penetration, Web Application Penetration and Wireless Penetration: In this stage, we combine the
techniques used above and the information collected from previous stages and perform further assessments as
indicated. This includes packet injection, client deauthentication, MAC spoofing, replay attacks and session
injection/stealing, along with brute-force and dictionary attacks. These processes are very “noisy” and should allow
the system administrator to verify the effectiveness of the IPS and/or event log systems. This stage of the
Penetration Test is performed on Linux and MS Windows workstations.
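Stage 2's port scans and Stage 5's "noisy" processes are meant to show up in the IPS and event logs so the administrator can verify that logging works. As an added example (not part of the Netswitch document), this Python runs a simple scan detector over constructed firewall log lines: it flags a source that touches many ports on one host (vertical scan) or one port on many hosts (horizontal sweep) inside a sliding time window, which is the kind of check the administrator can use to confirm the test activity was captured. The log format, addresses, window and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One connection attempt per line, in a constructed syslog-like firewall format:
# <ISO timestamp> <firewall> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def constructed_logs():
    """Constructed sample: one benign guest, one vertical scan, one horizontal sweep."""
    lines = [
        # benign guest 10.20.5.40: a few connections spread over several minutes
        "2010-03-02T10:00:05 fw01 ALLOW TCP 10.20.5.40:49152 -> 10.20.1.10:80",
        "2010-03-02T10:02:11 fw01 ALLOW TCP 10.20.5.40:49153 -> 10.20.1.10:443",
        "2010-03-02T10:04:30 fw01 ALLOW UDP 10.20.5.40:49154 -> 10.20.1.2:53",
    ]
    # vertical scan: 10.20.5.17 probes 12 ports on 10.20.1.10 within 12 seconds
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 139, 443, 445, 3389, 8080]):
        lines.append(f"2010-03-02T10:10:{i:02d} fw01 DENY TCP 10.20.5.17:{51000 + i} -> 10.20.1.10:{port}")
    # horizontal sweep: 10.20.5.88 tries port 445 on 10 hosts within 10 seconds
    for i in range(10):
        lines.append(f"2010-03-02T10:20:{i:02d} fw01 DENY TCP 10.20.5.88:{52000 + i} -> 10.20.1.{10 + i}:445")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into time-sorted event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                           "dst": m["dst"], "dport": int(m["dport"]), "action": m["action"]})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_scans(events, window=timedelta(seconds=60), port_threshold=10, host_threshold=10):
    """Flag sources that touch many ports on one host (vertical scan) or one port
    on many hosts (horizontal sweep) within a sliding time window."""
    findings = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        start = 0
        seen_vertical, seen_horizontal = set(), set()  # report each (src, dst/port) once
        for end, e in enumerate(evs):
            while evs[start]["ts"] < e["ts"] - window:  # slide the window start forward
                start += 1
            ports_by_host, hosts_by_port = defaultdict(set), defaultdict(set)
            for w in evs[start:end + 1]:
                ports_by_host[w["dst"]].add(w["dport"])
                hosts_by_port[w["dport"]].add(w["dst"])
            for dst, ports in ports_by_host.items():
                if len(ports) >= port_threshold and dst not in seen_vertical:
                    seen_vertical.add(dst)
                    findings.append({"type": "vertical_scan", "src": src, "dst": dst,
                                     "distinct_ports": len(ports),  # count when threshold crossed
                                     "first": evs[start]["ts"], "last": e["ts"]})
            for dport, hosts in hosts_by_port.items():
                if len(hosts) >= host_threshold and dport not in seen_horizontal:
                    seen_horizontal.add(dport)
                    findings.append({"type": "horizontal_sweep", "src": src, "dport": dport,
                                     "distinct_hosts": len(hosts),
                                     "first": evs[start]["ts"], "last": e["ts"]})
    return findings


if __name__ == "__main__":
    for finding in detect_scans(parse_log(constructed_logs())):
        print(finding)
```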


PROJECT, COSTS AND TIMEFRAME
The schedule and the cost are set forth in Appendix I.




Key Personnel
Please copy all communication, and any contract information, to the following:

Project Manager for CLIENT –

Project Manager for Netswitch –
Mr. Scott Powers
Tel: +1-415-566-6228
Mobile: +1-415-370-0922
Email: scott@netswitch.net

Principal Engineer for Netswitch –
Mr. Gabriel Tam
Tel: +1-415-566-6228
Mobile: +1-415-823-1087
Email: gabriel@netswitch.net

Mr. Stanley Li, CEO
Tel: +1-415-566-6228
Mobile: +1-415-623-8383
Email: stanley@netswitch.net

Other Terms
Proprietary Rights
All services and service products created, performed, or prepared by Netswitch for CLIENT COMPANY pursuant to
this Agreement and any related Project Assignment(s) are and shall be the property of CLIENT unless otherwise
provided by written agreement. Netswitch reserves all rights over materials owned by or licensed to Netswitch
which are utilized in the course of performing services under this Agreement, and over any intellectual property,
including without limitation inventions, innovations, discoveries and copyrights, conceived or made by Netswitch in
the course of its work for HSH.

Confidentiality of Information
All information and data furnished between Netswitch Hong Kong Limited and CLIENT COMPANY, and all other
documents to which Netswitch and The CLIENT COMPANY’s employees have access during the term of the
contract, shall be treated as confidential to the respective company. Any oral or written disclosure to unauthorized
individuals is prohibited. All documents are confidential and should not be distributed or duplicated in any part
without permission from Netswitch or CLIENT, as appropriate.


Netswitch Hong Kong Limited                               CLIENT COMPANY


Sign:                                                     Sign:


Name: Mr. Stanley Li                                      Name:


Date:                                                     Date:




Appendix I – Schedule and Costs

            Location                               Cost per site (USD)
            The Tokyo                                                $xxxxx.00
            The Beijing                                             $xxxxx.00
            Total                                                $xxxxxxx.00



Netswitch will invoice each site as the assessment for that site is completed according to the cost
schedule above.

We estimate the testing and preparation of reports can be completed over a four week period for each
site. The final Management Summary report will require one week to prepare. The engagement schedule
will be determined by mutual agreement.




Appendix II – Malformed URLs
It is possible to browse the remote web server directories by appending ?open to the end of the URL, for example:

http://www.example.com/?open

Data that can be accessed by unauthorized users may include: usernames, server names and IP addresses, dial-up
server phone numbers, administration logs, file names, and data files (including credit card information,
proprietary corporate data, and other information stored in eCommerce-related databases). In some instances, it
may be possible for an unauthorized user to modify these files or perform server administration functions via the
web administration interface.

Reference: http://online.securityfocus.com/archive/1/10820

Recommended Solution:
Disable database browsing. To do this:
1. From the Domino Administrator, click the Configuration tab, and open the Server document.
2. Click the Internet Protocols - HTTP tab.
3. In the 'Allow HTTP clients to browse databases' field, choose No.
4. Save the document.



