
[IEEE 2008 9th International Conference for Young Computer Scientists (ICYCS) - Hunan, China (2008.11.18-2008.11.21)] 2008 The 9th International Conference for Young Computer Scientists

An Easy-to-deploy Penetration Testing Platform

Bing Duan, Yinqian Zhang, Dawu Gu Department of Information Security Engineering

Shanghai Jiao Tong University Shanghai 200240, China

Email: {allenduan, jeffreyzhang, dwgu}@sjtu.edu.cn

Abstract

Penetration testing is an important branch of network security evaluation, which aims at providing an all-round investigation to find the vulnerabilities and security threats in systems and networks. Former penetration testing platforms lack adaptability when applied to different types of systems or networks, and the manual tests that prevail in those platforms are usually long and complex processes. In this paper we focus on the improvement of penetration testing platforms and strategies, and we propose a novel penetration testing platform based on a recently launched LiveDVD system, SolarSword. We also discuss the design and implementation details of this new platform, and use a real penetration test case study to demonstrate its advantages over former platforms. The platform provides an automatic, easy-to-deploy methodology for the penetration testing process, and overcomes the obvious drawbacks of former penetration testing platforms.

Keywords—Penetration testing; Security evaluation; security testing Platform; SolarSword

1. Introduction

Penetration testing is more of an art than a science [1]. The key value of penetration testing does not lie in presenting well-proved theories or models, but in providing practical methodologies to evaluate security flaws and vulnerabilities. Previously, several penetration testing models were presented, which belong to two major categories: the flaw hypothesis model [2, 3] and the attack tree model [4, 5]. The flaw hypothesis model first makes hypotheses on the security flaws of the target system, then performs penetration tests accordingly. This model is used in environments where vulnerabilities are relatively more fixed and obvious; however, in systems where there is less background information on security leaks, the attack tree model is more popular. The attack tree model makes use of a top-down tree structure to represent attack behaviors and attributes. Most of the current penetration testing platforms follow these two models to perform the tests. In 2000, J. P. McDermott [6] presented an attack net penetration testing platform which combines characteristics of the two models.

Unfortunately, current penetration testing platforms do not have clearly defined strategies to perform procedural, comprehensive tests. Previous work on penetration testing mostly focuses on making trivial improvements to the two models mentioned above, but little attention was given to the design of practical and systematic procedures to perform the tests. These former platforms suffer from several obvious setbacks: the tests are manual processes, thus time-consuming and error-prone; the testing platforms have security flaws that can be attacked; and the testing systems are difficult to deploy.

Our work involves the design of a well-formed penetration testing platform that performs the tests in a much easier and more comprehensive way. The new platform is based on a recently deployed penetration testing LiveDVD system called SolarSword, which was built by the authors on the Opensolaris operating system. SolarSword is the first Opensolaris based penetration testing LiveDVD system in the world, and it will greatly simplify the penetration testing process. The new penetration testing platform is divided into two parts: the control center and the distributed testing clients. We make the SolarSword system the distributed client, which is quick to deploy and immune to attacks, and thus suits our penetration testing platform very well.

The advantages of this platform over previous platforms lie in the following aspects:

1) It is quite easy and quick to deploy in various locations to perform comprehensive penetration tests.

2) The distributed clients (SolarSword) are immune to attacks. This makes the platform a secure penetration testing platform that can be applied to operational networks.

3) Most importantly, this platform performs the tests in an automatic way, which represents the trend of penetration testing.

The structure of this paper is organized as follows. The penetration testing design strategy is discussed in Section 2, followed by the implementation details of our new penetration testing platform in Section 3, where the recently built penetration testing system SolarSword is also introduced. In Section 4 we present a real penetration testing case study to demonstrate the advantages and design ideology of our new penetration testing platform. Finally, conclusions are given in Section 5.

The 9th International Conference for Young Computer Scientists

978-0-7695-3398-8/08 $25.00 © 2008 IEEE

DOI 10.1109/ICYCS.2008.335

2314

2. Principles of our penetration testing platform design

As networks and systems are becoming more and more complex, vulnerabilities and security flaws could number in the hundreds or thousands at different levels in a large corporate or organizational network. Thus the implementation of a penetration test should follow a well-planned, comprehensive procedure, using an exquisitely designed penetration testing platform. In this section we’ll propose several hypotheses on penetration testing platform design principles. The design of our penetration testing platform follows these principles.

The first assumption about a well-designed penetration testing platform is that target users should be able to perform the tests in a more automatic way [7]. Current penetration tests are usually time-consuming, complex and manual processes, which require highly qualified penetration testing specialists to perform. In most cases, penetration testers have to write their own exploit scripts according to different targets, and choose from thousands of security tools to adapt to various network or system environments. Automated penetration tests integrate information gathering, vulnerability exploitation and security flaw evaluation into a whole procedure. The selection of penetration testing tools, attacking modes and strategies, as well as the weak points to be exploited, is done automatically, and manual errors are minimized.

The second assumption is that a practical test should start from many different positions, which means quick deployment is needed. As networks, servers, and applications are all becoming more and more complex, vulnerabilities and security flaws can be so varied that no test from a single point can cover all of them completely. For example, a vulnerability scan from outside a network could only find out information like the number of active hosts, IP addresses, open ports, etc. But the weak points of the servers or hosts behind the routers or firewalls could not be discovered in this way. And the access control or filtering rules in network control facilities are so complex and specific that even two hosts behind one router port may be subject to different rules [8]. So in order to acquire a clear, complete picture of the vulnerabilities and security flaws of the target network, penetration tests have to be performed from different locations, sometimes even on each host. Thus a platform which is quick and simple to deploy is not only effective but also necessary.

The third assumption is that penetration testing platforms need to be immune to attacks. Most of the current penetration testing platforms or tools need to be installed somewhere in the target systems, so there is a great probability that malicious code could be attached or injected. Thus it is practical and urgent to require a new penetration testing platform that cannot be controlled or modified by external attackers. In the following section, we’ll propose a new penetration testing platform that aims at fulfilling the principles discussed in this section.

3. Platform design details

In this section, we’ll describe the modules and data flow process of our new penetration testing platform in detail. The system architecture is presented first to show an overview of this platform, then we’ll illustrate the automatic penetration testing process and data flow in this platform. In the last part, implementation details of this platform are discussed.

3.1. System Architecture

The new penetration testing platform is comprised of a central control center and several distributed testing clients.

3.1.1. Control Center. The control center is the administrative center of our penetration testing platform. One major function of the control center is to provide the administrative interface for penetration testers. The administrators can log into the platform through the control center to initiate a penetration test. One may first select one of the basic testing modes or testing templates, according to various network environments and testing requirements. One may also specify a new template as desired. This process is assisted by the testing template generator. The control center also provides a set of semantics and rules to transform the testing template into real testing scripts. This is performed by the penetration testing scripts interpreter. After the testing scripts are created, the control center will provide downloads of the scripts for the testing clients.

The other major function of the control center is automatic analysis and decision-making of the testing strategy. At first, the center will instruct the clients to do the general network scan. When the testing results are uploaded from clients, the control center will use the information as input, apply the attack tree or attack graph tools on it to generate possible attacking paths and decide what kinds of weapons to use, in order to perform the real vulnerability exploitation tests. The control center will use automatic analysis and decision-making modules to complete the tasks listed above. These modules are realized using several open source software like the attack graph software from CMU [9].

This automatic analysis and decision-making module uses the temporary results from the testing clients as input, and outputs possible attack paths. Inside this module, input data is organized into an xml file which conforms to the software specification of the attack graph tools developed by CMU [10]. An attack graph representing all the possible attack paths is automatically generated and analyzed by model checking algorithms [10] [11]. The output of the automatic analysis and decision-making module is represented in new xml files, which represent attack paths, including in every node of the path the CVE number that identifies the vulnerability, the IP address, port number, service type, etc. The attack paths can be used to generate formal testing strategies.

3.1.2. Distributed testing clients. The testing clients should be distributed in various locations of the network in order to perform a thorough, comprehensive penetration test. This means the distributed testing clients should be easy to deploy. In our platform we’ll use LiveDVD systems to be the distributed testing clients.

The testing clients are equipped with various security tools. They can communicate with the control center to download the testing scripts and upload the testing results.

3.2. Automatic penetration testing process in our new platform

The automatic testing process is divided into the following three phases: the information gathering phase, the vulnerability exploitation phase, and report generation phase. In the information gathering phase, the platform goes through the following tasks:

1) The testers from the control center first establish or select the default testing templates to generate the initial testing plan;

2) The control center interprets the testing plan into real testing scripts for the clients to download;

3) The clients use an FTP program to download the scripts;

4) The distributed testing clients use the scripts to perform the initial tests;

5) The distributed testing clients upload the results.

Further, in the vulnerability exploitation phase, the control center uses the automatic analysis and decision-making module to analyze the results, decide the vulnerabilities to be exploited, and then the formal exploitation plan can be generated. After that the control center and the clients follow the same procedures as above: interpret the testing plan to scripts, download the scripts, perform the test, and upload the results. Finally, the control center analyzes the results and generates the evaluation reports. Figure 1 demonstrates the data flow process of our penetration testing platform.

Figure 1 Data Flow process of the new penetration testing platform

3.3. Implementation of the Platform

3.3.1. Control center UI. The control center UI is designed to facilitate the penetration testers. The key technology is the implementation of the testing strategy generator and testing scripts interpreter modules. We choose xml files as our strategy templates, and provide several preconfigured xml templates. For instance, the following xml template is pre-stored in the control center, and is used as the default template for initial testing:

<subnet name="192.168.0.0">
  <host ip="192.168.0.105">
    <test name="scan" tool="Nmap">
      <port>1-1024</port>
    </test>
  </host>
</subnet>

The testing scripts interpreter module is used to automatically interpret the xml files into executable UNIX scripts. We use the Xerces-C++ (xercesc) library to implement this function, turning the xml template into UNIX bash files (executables). For example, the testing template above can be interpreted into the following UNIX script:

nmap -sP -s 192.168.0.105 -p 1-1024

Then the testing clients can use this command to perform the network scan task.

3.3.2. LiveDVD clients. The previous implementation ideology of penetration testing systems is to install them on the hosts as an independent program. But given the consideration that the clients should be easy to deploy, we integrate the testing clients into a LiveDVD operating system. This methodology has several advantages:

1) The file system of the LiveDVD system is read-only, which is immune to virus and rootkit attacks;

2) The LiveDVD system does not need any installation, thus it is flexible and easy to be deployed in various locations. And the LiveDVD system will not interrupt the normal operations of workstations and servers.

3) The LiveDVD system will facilitate the pre-configurations of the testing weapons.
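Returning to the testing scripts interpreter of Section 3.3.1: the following is an added example, not the paper's xercesc implementation, of how the xml template can be turned into a bash script while refusing any host or port value that is not a literal IP address or port range, since every attribute value ends up on a client's shell command line. The argv pattern for the Nmap scan, the tool table and the default port range are assumptions modelled on the paper's example.

```python
"""Interpreter for the control center's XML testing template (added example)."""
import ipaddress
import re
import shlex
import xml.etree.ElementTree as ET

# Constructed copy of the paper's default template, with the attribute
# values quoted so that it is well-formed XML.
DEFAULT_TEMPLATE = """\
<subnet name="192.168.0.0">
  <host ip="192.168.0.105">
    <test name="scan" tool="Nmap">
      <port>1-1024</port>
    </test>
  </host>
</subnet>
"""

# Assumed table of (test name, tool) -> argv pattern. Only entries in this
# table can ever reach a client's shell; anything else is refused.
TOOL_COMMANDS = {
    ("scan", "Nmap"): ["nmap", "-sP", "{ip}", "-p", "{ports}"],
}

PORT_SPEC = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def validate_ports(spec: str) -> str:
    """Accept a single port or a lo-hi range within 1..65535, else raise."""
    m = PORT_SPEC.match(spec.strip())
    if not m:
        raise ValueError(f"bad port spec: {spec!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of bounds: {spec!r}")
    return f"{lo}-{hi}" if m.group(2) else str(lo)


def interpret(template_xml: str) -> list:
    """Turn a <subnet> template into one shell-safe command line per test."""
    root = ET.fromstring(template_xml)
    if root.tag != "subnet":
        raise ValueError("template root must be <subnet>")
    commands = []
    for host in root.findall("host"):
        # ip_address() raises ValueError on anything that is not an address,
        # so shell metacharacters smuggled into the attribute never get out.
        ip = str(ipaddress.ip_address(host.get("ip", "")))
        for test in host.findall("test"):
            key = (test.get("name"), test.get("tool"))
            if key not in TOOL_COMMANDS:
                raise ValueError(f"unknown test/tool pair {key}")
            port_el = test.find("port")
            # Assumed default when the template gives no <port> element.
            ports = validate_ports(port_el.text or "") if port_el is not None else "1-1024"
            argv = [part.format(ip=ip, ports=ports) for part in TOOL_COMMANDS[key]]
            commands.append(shlex.join(argv))  # each argument quoted separately
    return commands


def to_bash(commands: list) -> str:
    """Wrap the command lines in the bash script a client would download."""
    return "#!/bin/bash\nset -eu\n" + "".join(c + "\n" for c in commands)


def is_rejected(template_xml: str) -> bool:
    """True when the interpreter refuses the template (self-check helper)."""
    try:
        interpret(template_xml)
    except (ValueError, ET.ParseError):
        return True
    return False


if __name__ == "__main__":
    print(to_bash(interpret(DEFAULT_TEMPLATE)))
```</host></subnet>')
assert is_rejected('<subnet name="x"><host ip="192.168.0.105"><test name="scan" tool="Nmap"><port>0-70000</port></test></host></subnet>')
assert is_rejected('<subnet name="x"><host ip="192.168.0.105"><test name="exploit" tool="SPIKE"/></host></subnet>')
assert not is_rejected(DEFAULT_TEMPLATE)
</test>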

By the time this paper is presented, we’ve launched a LiveDVD penetration testing system called SolarSword, based on the Opensolaris operating system. SolarSword is the first Opensolaris based LiveDVD system in the world that aims at performing comprehensive penetration tests. We have integrated hundreds of penetration testing weapons in the LiveDVD image, which can be used to perform various kinds of penetration tests at different levels. The system is well suited for use in our platform as the distributed client, and it is convenient for it to communicate with the control server to perform automatic tests.

3.3.3. Automatic control. In order to realize the automatic control, we need to pre-configure the testing clients on the LiveDVD. A daemon process on the testing clients connects to the FTP server on the control center to download the scripts and upload the results. Currently we have not taken into consideration mutual authentication of client and server. Meanwhile, some testing tools need to be pre-configured in order to start and run automatically. For instance, the Nessus client needs its users and certificates configured before running.

4. A real test case study

In order to demonstrate our new penetration testing platform strategy, we provide a real test case study with three procedures: gathering information on the target network and finding active hosts, vulnerability scanning on a selected host, and performing a real vulnerability exploit with the security leaks found in the second step of this test. The network tested is a 100Mbps Ethernet with around 30 hosts. The Ethernet is in the 192.168.0.0/24 network segment. The selected host is an AMD Sempron 3400+ machine with 1 GB RAM. We make use of our SolarSword LiveDVD to perform the test, with the security tools Nmap 4.03 and SPIKE 2.9.

The first step of the test is information gathering. We insert SolarSword into the DVD-ROM of one randomly selected machine inside the Ethernet and download the testing scripts with the default template from the control center. This template is used to do the general network scan. In this case, we use Nmap 4.03 to do the overall scan of this network, with the following command:

nmap -v -sP 192.168.0.0/24

The results list the hosts scanned in this network:

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2008-01-11 16:55 CST

……

Host 192.168.0.105 appears to be up.

MAC Address: 00:18:F3:37:04:2D (Unknown)

Host 192.168.0.106 appears to be down.

Host 192.168.0.107 appears to be down.

……

Nmap finished: 256 IP addresses (16 hosts up) scanned in 16.692 seconds

Raw packets sent: 495 (20.790KB) | Rcvd: 15 (630B)
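The uploaded scan output is what the control center has to turn into structured input for its analysis module. As an added example (not the paper's code), the parser below reads the Nmap 4.03 ping-scan format shown above, collects each host's state and MAC address, and refuses an upload whose per-host lines disagree with the "Nmap finished" summary, which is how a truncated or tampered result file shows up. The sample output is constructed, with the host list shortened.

```python
"""Parser for the Nmap ping-scan output a client uploads (added example)."""
import re

# Constructed sample in the format of the Nmap 4.03 output shown above.
SAMPLE_OUTPUT = """\
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2008-01-11 16:55 CST
Host 192.168.0.1 appears to be up.
MAC Address: 00:11:22:33:44:55 (Unknown)
Host 192.168.0.105 appears to be up.
MAC Address: 00:18:F3:37:04:2D (Unknown)
Host 192.168.0.106 appears to be down.
Host 192.168.0.107 appears to be down.
Nmap finished: 256 IP addresses (2 hosts up) scanned in 16.692 seconds
Raw packets sent: 495 (20.790KB) | Rcvd: 15 (630B)
"""

HOST_RE = re.compile(r"^Host (\d{1,3}(?:\.\d{1,3}){3}) appears to be (up|down)\.$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F]{2}(?::[0-9A-F]{2}){5}) \((.*)\)$")
DONE_RE = re.compile(r"^Nmap finished: (\d+) IP addresses \((\d+) hosts? up\)")


def parse_ping_scan(text: str) -> dict:
    """Return {'hosts': [...], 'scanned': n, 'up': n} from raw nmap output.

    Raises ValueError when the summary line is missing or disagrees with
    the per-host lines, so an incomplete upload is not silently analyzed.
    """
    hosts, summary, current = [], None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"ip": m.group(1), "up": m.group(2) == "up", "mac": None}
            hosts.append(current)
            continue
        m = MAC_RE.match(line)
        if m and current is not None:
            current["mac"] = m.group(1)  # a MAC line follows its host line
            continue
        m = DONE_RE.match(line)
        if m:
            summary = (int(m.group(1)), int(m.group(2)))
    if summary is None:
        raise ValueError("no 'Nmap finished' line: output incomplete")
    up = [h for h in hosts if h["up"]]
    if len(up) != summary[1]:
        raise ValueError(f"summary says {summary[1]} hosts up, saw {len(up)}")
    return {"hosts": hosts, "scanned": summary[0], "up": summary[1]}


def live_hosts(text: str) -> list:
    """IP addresses reported up: the list the control center analyzes next."""
    return [h["ip"] for h in parse_ping_scan(text)["hosts"] if h["up"]]


if __name__ == "__main__":
    print(live_hosts(SAMPLE_OUTPUT))
```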

In the vulnerability scanning phase, we use nmapfe (the Nmap front end) to perform deeper vulnerability scanning of that host. Figure 2 shows the results of the scan:

Figure 2 Scan results of the open ports in 192.168.0.105

In the final step, the testing results are uploaded to the control center. The results are then analyzed by the server to find which vulnerabilities could be used to perform further penetrations. After the analysis, the server finds that the Microsoft IIS 5.1 web server would be the weak point to exploit, so it transfers the corresponding testing scripts to the testing terminal. SolarSword follows the instructions from the scripts to start the web fuzzing tool SPIKE 2.9 to perform the remote Denial of Service attack. The command used is:


./closed_source_web_server_fuzz 192.168.0.105 POST / _vti_bin/ shtml .exe 0 0

This program makes use of the IIS 5.1 remote DoS vulnerability in the target host 192.168.0.105. During execution, CPU usage reached 100%, as shown in Figure 3, which means no other normal requests will be processed by the web server on 192.168.0.105. Thus the attack is completed. The results are uploaded to the control center to generate the final report, which contains detailed information on the vulnerabilities penetrated. Thus the security experts can analyze the reports and provide suggestions to remediate the systems and networks tested.

Figure 3 CPU usage of 192.168.0.105 when the IIS 5.1 web server is attacked

Thus after the three steps we complete a whole penetration test process, demonstrating the use of our new penetration testing platform. This platform greatly reduces the complex and time-consuming process of former penetration tests. And as already presented in this paper, the testing clients are distributed at various points of the network, thanks to the easy-to-deploy SolarSword LiveDVD system.

5. Conclusion

This paper proposes a novel penetration testing platform design strategy. The platform makes use of a control center and distributed clients to perform simple, automatic penetration tests. This platform differentiates itself from former penetration testing models: the centrally managed control center can generate various test strategies, make automatic analysis of security leaks and vulnerabilities of target systems, and transform the testing strategies into real testing scripts; and the clients are very easy to deploy in distributed ways and are also immune to attacks. We present a newly developed Opensolaris based LiveDVD system called SolarSword, which greatly facilitates the implementation of distributed clients.

To demonstrate the advantages of our new penetration testing platform, we design and implement a real test scenario. The test is performed in an operational 100Mbps Ethernet, and most of the test is an automatic process, completed by the communication between the control center and the testing client, the SolarSword LiveDVD system. From the testing process, it is clearly shown that our platform makes the test an automatic, controllable procedure, which is easy to perform, without the need to introduce highly qualified penetration testing specialists.

In the future, we’ll update our SolarSword system to cover more security tools like wireless tools, make the system support more types of operating systems or hardware, and customize a complete set of server scripts to better facilitate the users. And we’ll also improve the robustness of the platform, such as using more secure protocols for the testing server and client to communicate with each other. More importantly, we’ll strengthen the design ideology of the new penetration testing platform to improve the analysis and decision-making module, in order to identify more attacking models, and perform the test in a more automatic and intelligent way.

Acknowledgement

This work was supported by the 863 High-Tech Research and Development Program of China (No. 2006AA01Z405), as well as the Program for New Century Excellent Talents in University by the Ministry of Education (NCET-05-0398).

References

[1] D. Geer and J. Harthorne, “Penetration testing: A Duet”, Proceedings of the 18th Annual Computer Security Applications Conference (ACSAC’02), pp. 185-198.

[2] C. Weissman, “System Security Analysis/Certification Methodology and Results”, SP-3728, System Development Corporation, Santa Monica, CA, October 1973.

[3] C. Weissman, “Penetration Testing”, in Handbook for the Computer Security Certification of Trusted Systems, Naval Research Laboratory Technical Memorandum 5540:082a, 24 January 1995.

[4] C. Salter, O. Saydjari, B. Schneier, and J. Wallner, “Toward a Secure System Engineering Methodology”, Proceedings of the New Security Paradigms Workshop, Charlottesville, Virginia, September 1998.

[5] B. Schneier, “Attack Trees”, Dr. Dobb’s Journal, December 1999.

[6] J. McDermott, “Attack net penetration testing”, Proceedings of the 2000 New Security Paradigms Workshop (NSPW’00), Cork, Ireland, ACM/SIGSAC, 2000, pp. 15-21.

[7] Kaarina, K., Reijo, S., Mikko, R., and Esa, T., “Security Objectives within a Security Testing Case Study”, Proceedings of the Second International Conference on Availability, Reliability and Security (ARES’07), Vienna, Austria, April 2007, pp. 1060-1065.

[8] R. Lippmann and K. Ingols, “An Annotated Review of Past Papers on Attack Graphs”, Technical Report, MIT Lincoln Laboratory, March 2005.

[9] http://www.cs.cmu.edu/~scenariograph/

[10] O. Sheyner et al., “Automated generation and analysis of attack graphs”, in Proceedings of the 2002 IEEE Symposium on Security and Privacy, Oakland, CA, 2002, pp. 273-284.

[11] S. Jha, O. Sheyner, and J. Wing, “Two formal analyses of attack graphs”, in Proceedings of the 2002 Computer Security Foundations Workshop, Nova Scotia, June 2002, pp. 49-63.
