Introduction to Penetration Testing

Penetration Testing

by Craig Miller

Penetration Testing has been around for decades, but has become more important in recent times, where an IPv4 host is attacked within five (5) minutes of coming online on the internet. At the end of the day, the goal of Penetration Testing (or pen testing), is to keep the Bad Guys out. That said many pen testing tools can be used for good and bad. We will focus on the good use of these tools.

We'll focus on Network Pen Testing, rather than Host pen testing
Include IPv4 and IPv6 pen testing, and why it is important to do IPv6 testing, even if you don't think you have IPv6 on your network
Discuss the balancing act between perfect security, but very inconvenient, and lax security, but very convenient for the user

Network Security Basics

Penetration Testing is the nice word for hacking. But there is good hacking and bad hacking. Although pen testing tools can be used for evil, they can also be used for good, such as discovering holes in your network before the bad guys do.

With the advent of the Internet, all computers are connected to every other computer on the internet. This is very convenient for downloading newer OpenWrt software for your router, or buying peanut butter cookies on Amazon. But it isn't good if random person can get to your computer, and start running attacks on it.

Many feel that IPv4 is secure because it incorporates NAT (Network Address Translation) and there is a state machine that watches outbound packets, and allows return packets (with the same destination/source addresses) to enter your network. However NAT is not security. Every home router with NAT also has a Firewall, which is where the real security lies.

Firewalls

Network Firewalls operate much the same as a real firewall, preventing the firestorm from getting past the wall. Network Firewalls (hence just referred to as firewalls) do this by inspecting different fields in the IP (Internet Protocol) header. Modern firewalls can inspect even further in the chain of headers (aka the stack) to include TCP/UDP (layer 4), and even HTTP (Layer 7).

Firewall

In IPv4, because of the lack of anything to anything connectivity, one must use tricks, such as reverse port forwarding to allow external traffic into your LAN. This is quite common in commercial home router software.

Because IPv6 does not use NAT, and each device has its own Global Unique Address (GUA), the firewall functionally is more straight forward, only allowing external access based on GUA source/destination. The home router software vendors are slow to implement a granular IPv6 firewall. Typically it is ON or OFF (Off is a bad idea).

OpenWrt has a very reasonable default set of rules for the IPv6 firewall, which will keep the bad guys at bay.

Security, build it in from the beginning

When designing networks (or writing software), it is best to build security in from the beginning (the same applies to IPv6). Sure you can add it later, but there is a good chance that something will be missed, and a gaping hole is left for the bad guys to exploit.

This is why I recommend that everyone who has a home network have a guest network, in addition to their own home network. A guest network is setup to prevent traffic from the guest network getting into your home network, but allowing access to the internet. Not only is a guest network where you can put your guests, but also all of your IoT (Internet of Things) devices.

A word about IoT

There's a security joke, "S stands for security in IoT." And that is because IoT pretty much does not have any security. It isn't part of vendor's business model. After all, what do they care if someone else changes the colour of your light bulbs, but you might. Or you may care if your furnace no longer turns on (because the thermostat was IoT connected and now someone else is controlling it.

The reason to put IoT on the guest network, is that once your IoT device is hacked, at least it won't be hacking your computers on your home network.

Basic probing tools

We have discussed nmap in the past, but it is an excellent go-to tool for network reconnaissance. nmap can do port sweeps looking for open ports (usually TCP, but it can also search for UDP ports). Any open ports nmap may find are considered the threat surface. Basic network security starts with reducing the threat surface. Don't turn on service which aren't used or needed.

[nmap](https://nmap.org/book/toc.html) has many options, but we only need a few for this lab.

$ nmap -h
Nmap 7.93 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
...

OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
...
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

1. Hands On - Basic Nmap use

Use nmap to do network reconnaissance on the lab target (address/hostname posted locally)

Use nmap -v -A <target> command to:

Attempt/Answer the following:

Point NMAP at the target and record which ports are open?
Run the same command using -6 parameter, are the same ports open?
Which services are running on the open ports?
What other info is reported on those services?
How does nmap discover the open ports?

wireshark capture of nmap probe

Finding a target

Naturally nmap works well if you can give it a single (or list of) targets. However what if you don't know the address of the target? The obvious answer, is DNS (Domain Name Service). If the host has a DNS entry, then you can probably find it. For example, you probably don't know what the IP address Google's servers are. But you can easily get to them via the name www.google.ca

Adding a DNS name increases your threat surface, since your device is now easier to find. Note: make sure your devices with DNS entries are secure.

IP Address Scanners are a tool which can detect potential targets (for nmap). [zmap](https://github.com/zmap/zmap) claims:

"ZMap is capable scanning the entire public IPv4 address space on a single port in under 45 minutes."

Of course, what it is really saying is that it can scan 2^32 addresses in 45 minutes. Clearly this application is limited to IPv4. Since a single IPv6 subnet is /64, which is equal to 2^64 addresses. IF zmap could scan IPv6 (which it doesn't), it would only take 193,273,528,320 minutes or 22,063,188 years to scan a single IPv6 subnet (aka prefix). As you can see scanning IPv6 addresses with traditional scanners is not very practical.

nmap can also scan networks with a command such as nmap -F -n 192.168.1.0/24 However, this is still oriented to a brute force scan, and is not practical for IPv6 networks.

Using v6disc.sh to find targets

[v6disc.sh](https://github.com/cvmiller/v6disc) is a tool developed to find hosts (aka targets) on an IPv6 network. Rather than brute force (aka iterating through each possible IP address), the tool exploits IPv6 Neighbour Discover Protocol (NDP) to discover the targets.

Download v6disc.sh to run this lab. Note: this will only work on a *nix system.

# ./v6disc.sh -h
    ./v6disc.sh - auto discover IPv6 hosts 
    e.g. ./v6disc.sh -D -p 
    -p  Ping discovered hosts
    -i  use this interface
    -L  show link-local only
    -D  Dual Stack, show IPv4 addresses
    -N  Scan with nmap -6 -sT
    -n  disable neighbour table detection
    -q  quiet, just print discovered hosts

 By Craig Miller - Version: 2.3.4

It can also run nmap to port sweep hosts which are discovered.

2. Hands On - Finding targets

Use v6disc.sh to do network enumeration on the lab target(s) (address/hostname posted locally). After discovering the targets, use the nmap option to scan the ports on the target(s)

Attempt/Answer the following:

How many IPv6 hosts are on the network?
How many minutes did it take to do a scan?
Where there any ports open beyond ssh?
Can v6disc.sh discover IPv4 hosts?
How does v6disc.sh discover hosts?

Testing from the outside

All this pen testing is good, but how do you test you own home router? Do you have ports open that didn't know about?

The easiest solution is to do Pen Testing from an outside machine. But what if you don't have an outside machine?

Fortunately, there are a couple of outside machines which you can use for free. Unfortunately neither of the following have IPv6 connections to the internet.

Try It LXD (now incus)
SegFault servers (hosted by www.thc.org and designed for hacking, I mean, pen testing)

Conclusion

In this lab, we have only scratched the surface of Penetration Testing. We have focused primarily on finding targets and discovering/mapping the threat surface. We haven't dug into true vulnerability testing (such as using the Metasploit tool).

The important first step is to start thinking about security.

Notes:

17 February 2024