Anex: Automated Network Exploitation Through
Total Page:16
File Type:pdf, Size:1020Kb
ANEX: AUTOMATED NETWORK EXPLOITATION THROUGH PENETRATION TESTING A Thesis presented to the Faculty of California Polytechnic State University, San Luis Obispo In Partial Fulfillment of the Requirements for the Degree Master of Science in Computer Science by Eric Francis Dazet June 2016 c 2016 Eric Francis Dazet ALL RIGHTS RESERVED ii COMMITTEE MEMBERSHIP TITLE: ANEX: Automated Network Exploitation through Penetration Testing AUTHOR: Eric Francis Dazet DATE SUBMITTED: June 2016 COMMITTEE CHAIR: Bruce Edward DeBruhl II, Ph.D. Assistant Professor of Computer Science COMMITTEE MEMBER: Zachary J. Peterson, Ph.D. Associate Professor of Computer Science COMMITTEE MEMBER: Phillip Nico, Ph.D. Professor of Computer Science iii ABSTRACT ANEX: Automated Network Exploitation through Penetration Testing Eric Francis Dazet Cyber attacks are a growing concern in our modern world, making security evalua- tion a critical venture. Penetration testing, the process of attempting to compromise a computer network with controlled tests, is a proven method of evaluating a sys- tem's security measures. However, penetration tests, and preventive security analysis in general, require considerable investments in money, time, and labor, which can cause them to be overlooked. Alternatively, automated penetration testing programs are used to conduct a security evaluation with less user effort, lower cost, and in a shorter period of time than manual penetration tests. The trade-off is that automated penetration testing tools are not as effective as manual tests. They are not as flexible as manual testing, cannot discover every vulnerability, and can lead to a false sense of security. The development of better automated tools can help organizations quickly and frequently know the state of their security measures and can help improve the manual penetration testing process by accelerating repetitive tasks without sacrificing results. This thesis presents Automated Network Exploitation through Penetration Test- ing (ANEX), an automated penetration testing system designed to infiltrate a com- puter network and map paths from a compromised network machine to a specified target machine. Our goal is to provide an effective security evaluation solution with minimal user involvement that is easily deployable in an existing system. ANEX demonstrates that important security information can be gathered through auto- mated tools based solely on free-to-use programs. ANEX can also enhance the manual penetration testing process by quickly accumulating information about each machine to develop more focused testing procedures. iv Our results show that we are able to successfully infiltrate multiple network levels and exploit machines not directly accessible to our testing machine with mixed suc- cess. Overall, our design shows the efficacy of utilizing automated and open-source tools for penetration testing. v ACKNOWLEDGMENTS I'd like to thank my parents for their constant belief and support, Dr. DeBruhl for his guidance, the lights in the grad security lab for always working, and Andrew Gunther for uploading this template. vi TABLE OF CONTENTS Page LIST OF TABLES . .x LIST OF FIGURES . xi CHAPTER 1 INTRODUCTION . .1 1.1 Problem . .2 1.2 Solution . .4 2 BACKGROUND . .6 2.1 Popular Penetration Testing Tools . 12 2.1.1 Metasploit Framework . 12 2.1.2 Nmap . 12 2.1.3 Nessus . 13 2.1.4 Burp Suite . 13 2.1.5 Wireshark . 13 2.1.6 BeEF . 14 3 IMPLEMENTATION . 15 3.1 Components . 15 3.1.1 Metasploit Framework . 15 3.1.2 Armitage . 16 3.1.3 Cortana . 17 3.1.4 Nmap . 18 3.2 Architecture . 19 3.2.1 Initialization . 20 3.2.1.1 User Input . 21 3.2.1.2 Service Startup . 22 3.2.1.3 Exploit Database Generation . 23 3.2.2 Recon . 24 3.2.2.1 Vulnerability Scanning . 24 3.2.2.2 Service Database Generation . 25 vii 3.2.2.3 Host Database Generation . 25 3.2.3 Exploitation . 26 3.2.3.1 Attack Generation and Exploitation . 26 3.2.3.2 Post-Exploitation . 28 3.2.3.3 Data Copying . 29 3.2.4 Reporting . 30 3.2.4.1 Targeting . 30 3.2.4.2 Exploit Ranking Modification . 31 3.2.4.3 Reporting . 31 4 VALIDATION . 33 4.1 Experimental Procedure . 33 4.1.1 Exploit Launching . 33 4.1.2 Handling Found Networks . 33 4.1.3 Target Mapping . 34 4.2 Testing Goals and Parameters . 35 4.3 Development and Testing Components . 37 4.3.1 Kali Linux 2016.1 . 37 4.3.2 VMware Workstation 12.0 . 37 4.3.3 Virtual Machines . 38 4.3.4 Installed Services . 39 4.4 Expected Results . 41 4.5 Results . 41 4.5.1 Analysis . 42 4.5.1.1 Exploitation Success . 45 4.5.1.2 Runtime . 45 4.5.1.3 Exploit Rank Updating . 46 5 RELATED WORK . 48 5.1 Fast-Track . 48 5.2 Tool developed by Haubris and Pauli . 48 5.3 Core Impact Pro . 49 5.4 Immunity's Canvas . 50 5.5 Beyond Security's AVDS . 50 viii 5.6 Impact on Design . 51 6 FUTURE WORK . 53 6.1 Post-Exploitation . 53 6.2 Information Gathering . 54 6.3 Passive Exploitation and User Evaluation . 54 6.4 Exploration of Different Attack Vectors . 54 7 CONCLUSION . 56 BIBLIOGRAPHY . 58 APPENDICES A Testing Specifics . 63 A.1 Test 1 . 64 A.2 Test 2 . 65 A.3 Test 3 . 66 A.4 Test 4 . 67 A.5 Test 5 . 68 A.6 Test 6 . 69 A.7 Test 7 . 70 ix LIST OF TABLES Table Page 2.1 Comparison Between Vulnerability Assessment and Penetration Test- ing, from [29] . 10 4.1 Installed Services . 40 A.1 Results for Test 1 . 64 A.2 Results for Test 2 . 65 A.3 Results for Test 3 . 66 A.4 Results for Test 4 . 67 A.5 Results for Test 5 . 68 A.6 Results for Test 6 . 69 A.7 Results for Test 7 . 70 x LIST OF FIGURES Figure Page 1.1 High level architecture diagram of ANEX . .5 3.1 Relationship between Metasploit, Armitage, and Cortana, from [19] 18 3.2 Relationship between ANEX, Metasploit, Armitage, and Cortana . 19 3.3 ANEX's Flow Diagram . 20 3.4 Diagram for the Initialization Group . 21 3.5 Diagram for the Recon Group . 24 3.6 Diagram for the Exploitation Group . 26 3.7 Diagram for the Reporting Group . 30 4.1 Single Network Template . 34 4.2 Two Subnets Template . 35 4.3 Secondary Network Template . 36 4.4 All Services . 39 4.5 Test Network with Unreachable Machines . 43 4.6 Test Network with Multiple Exploitation Paths . 44 4.7 Exploit Rank Updating Results . 47 A.1 Configuration for Test 1 . 64 A.2 Configuration for Test 2 . 65 A.3 Configuration for Test 3 . 66 A.4 Configuration for Test 4 . 67 A.5 Configuration for Test 5 . 68 A.6 Configuration for Test 6 . ..