Cracking the Perimeter – A Framework For Ethical Hacking
March 15, 2016
Perimeter security is generally the most hardened part of a network. It’s not uncommon to find that the inner workings of a network are relatively defenseless against other devices already on the network. Today we’ll be looking at some of the methodology and theory that ethical hackers use to breach perimeter security, and the potential pitfalls that ethical hackers need to avoid in their efforts to crack the perimeter.
First off, I need to give the usual legal warning. This information is meant to help people who are, or who aspire to be, ethical hackers. Accessing devices or networks that you don’t own or have written permission to access can lead to legal issues.
Information Gathering: Passive & Active Reconnaissance
Before you can break into the network, you’ll need to do some reconnaissance. Your goal should be to gather as much information as you can about your target network. To begin, start with information that doesn’t require you to do anything that would actually be illegal under normal circumstances. This is known as passive reconnaissance. Do a little research on the target and see if you can find any of the following information:
- Employee names
- Employee E-mail addresses
- Social media posts by the company or employees
- DNS tables
- Web page source code
Social media can be a great source of information. People love to post about anything and everything. If you can find employees with public Facebook accounts, you might find something useful. You can also potentially use images to identify hardware or software. For example, an employee’s work selfie might reveal that the company uses Windows 7 on their workstations.
From here you can move into active reconnaissance, including port scans, ARP scans, ICMP sweeps, and so on. You want to be gathering information such as:
- Host names
- Operating system types
- Applications in use
- Open ports
- IP ranges
- User accounts
- MAC addresses
Take Reasonable Precautions Before Hacking the Network
Now that you’ve spotted potential vulnerabilities, is it time to test them out? Nope, reel it back in for a second and let’s go over a few things.
First, think for a moment. Are there backups of all the systems you’re about to infiltrate? Make sure that this is taken care of. It only takes a few keystrokes to wipe an entire computer. I know, you’re a professional (or maybe an aspiring professional) right? Well, accidents happen. Play it safe.
Now review any restrictions that were placed on your penetration test and ensure that you aren’t stepping out of bounds. It might help to draw yourself a network map and mark the restricted devices, or just make note of their information. There are few ways to lose a job quicker than breaching a confidentiality agreement and hacking into the wrong device. Speaking of confidentiality, destroy that network map when you’re done, and ensure the integrity of the client’s data at all times.
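The "mark the restricted devices" advice above can be enforced in code rather than memory: a scope gate that every candidate target must pass before any active step runs. This is an added example, not code from the original post; the in-scope ranges and restricted hosts are constructed placeholder values that would be replaced by the ranges written into the engagement contract.

```python
import ipaddress

# Constructed sample scope (hypothetical values, not from the post).
# In practice these come straight from the signed rules of engagement.
IN_SCOPE = ["10.20.0.0/24", "10.20.1.0/24"]
RESTRICTED = ["10.20.0.5", "10.20.1.0/26"]  # e.g. a production DB and an HR segment


def build_scope(in_scope, restricted):
    """Parse CIDR/host strings into network objects; single hosts become /32 (or /128)."""
    allowed = [ipaddress.ip_network(n, strict=False) for n in in_scope]
    denied = [ipaddress.ip_network(n, strict=False) for n in restricted]
    return allowed, denied


def is_authorized(target, in_scope, restricted):
    """True only if target is inside an in-scope range AND outside every restricted range.

    Fails closed: anything that is not a literal IP address (a hostname, a typo)
    is rejected. Resolve names first, then check the resulting address.
    """
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False
    allowed, denied = build_scope(in_scope, restricted)
    if any(addr in net for net in denied):
        return False  # restricted wins, even if the host also sits in an allowed range
    return any(addr in net for net in allowed)


def filter_targets(candidates, in_scope=IN_SCOPE, restricted=RESTRICTED):
    """Split a candidate list into (authorized, rejected) before running anything active."""
    authorized, rejected = [], []
    for target in candidates:
        bucket = authorized if is_authorized(target, in_scope, restricted) else rejected
        bucket.append(target)
    return authorized, rejected


if __name__ == "__main__":
    ok, bad = filter_targets(["10.20.0.10", "10.20.0.5", "10.20.1.30", "192.168.1.1"])
    print("authorized:", ok)
    print("rejected:", bad)
```

Keep the rejected list in the engagement notes: a rejected target is as useful a record as a tested one when the client asks what was and was not touched.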
Check out this example of how a network is hacked. Notice that once the perimeter was breached, it was just a matter of time before the entire network was taken over. This little walk-through is a great example of the knowledge that actually goes into an exploit. Every network is different. Don’t expect that you’ll be on easy street once you’re in!
Last but not least, you need to make sure you fully understand the tools you intend to use. You could easily cause serious damage to a system or entire network if you don’t understand exactly what’s happening. The last thing you want to do is cause harm to the very thing you are employed to protect.
Crack the Perimeter by Tricking Others Into Giving You Access
Every network’s greatest flaw is the human element. Employees can be tricked into giving unauthorized building access, giving out passwords and/or usernames, and more. This is something you’ll need to discuss ahead of time with the group who has contracted you. It may bring to light the need for employee training regarding these attacks. Here’s an example of a social engineering attack:
Let’s say you’ve been watching the target network’s building and noticed someone takes a smoke break each day around ten in the morning. You can wait for them while smoking a cigarette yourself (or a nicotine-free e-cig if you don’t smoke) and when they come out, introduce yourself as a new employee. Talk about information you’ve dug up on the company via social media and their website, then try to follow them back inside and see what you can do from there. In general, if you can bond with someone, they are more likely to trust you and allow you access.
If you can get inside the building physically, you’ve effectively cracked the perimeter. What you do from there will depend on inner security systems, and the restrictions of your contract. Again, talk about this sort of technique ahead of time with the person hiring you to do the pen test. You don’t want to deal with an armed security guard that isn’t expecting you, or enter a restricted area without permission.
Pitfalls to Avoid
An open avenue of attack doesn’t indicate that it’s a good idea to use it. For example, if you’ve compiled a list of employee e-mail addresses, you may be able to open a shell on an employee’s PC by sending an e-mail to them with an executable attachment. If they run it, you can likely take control of their PC from this point. While it sounds good on paper, there is a flaw in this approach. An employee might check their e-mail from home or a personal mobile device. In this case you could cross a legal boundary.
USB Drop Tactic
This holds true for the USB drop tactic as well. You have no guarantee that the person who finds the USB drive even works for the company. A delivery person, someone from another company, or a visiting family member may pick it up. If you can’t guarantee that the payload will be delivered to a PC/Network that you are authorized to attack, find another method.
While testing a network, you need to be sure that you are keeping a close watch over any sensitive information that you have gained access to. All documentation needs to be secured, and your testing computer’s drives should be encrypted. Again, the last thing you want to do is leak information about vulnerabilities before a company has a chance to fix them.
Leave Nothing to Chance During a Pen Test
As you can see there is a lot to think about before and during the process of breaching a network’s perimeter security. The main point I’m trying to get across here is that when you do a pen test, cover yourself! Double check everything, leave nothing to chance, and always back up (their data!) before you exploit!