10/14/2011
04:36 PM
Vincent Liu
Commentary

Pro Pen Testing: The Zero-Knowledge Approach

Special care must be taken in a penetration test that locates targets with 'zero-knowledge'

Do you ever wonder how many kinds of penetration-testing approaches exist? Broadly speaking, there are three types of penetration testing: zero-knowledge, partial-knowledge, and full-knowledge. The difference between each type is the amount of information that the assessor is given before the testing begins. Within each one of those types, two perspectives are usually taken: external and internal. Combining these, you get six different ways of conducting a penetration test.

The two that we’ll focus on here are both variants of zero-knowledge testing: zero-knowledge external penetration testing and zero-knowledge internal penetration testing.

Zero-Knowledge
Zero-knowledge testing is defined by having little to no information before the assessment begins. In the strictest interpretation, the assessor would not be given any information at all. However, it’s very rare to receive no information whatsoever from a client. A tester usually needs to be given a set of acceptable targets lest they attack unknowing victims. In-scope URLs and IP addresses are usually provided along with exclusions, such as IP address blacklists and restrictions on testing time windows.

In some cases, the scope of testing will be an organization’s entire external presence. With this approach, it’s common for the assessor to begin with zero-knowledge, and to attempt to identify all external assets as an exercise in replicating what a real-world attacker might find.

Special care must be taken when you ask an assessor to locate targets with zero-knowledge. In particular, no testing should take place until every asset identified has been confirmed to belong to the organization being tested. You don’t want the assessor attacking someone unrelated who happens to be in an adjacent IP range or who might have been assigned a range previously belonging to you. I’ve often found that being asked to identify and confirm the initial target set proves to be a beneficial exercise that helps my clients verify their asset databases and keep them up-to-date.
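
A sketch of how that confirmation step can be enforced in tooling, added here as an illustration and not taken from the article: discovered addresses are tested only if they fall inside a client-confirmed range, are not on the exclusion list, and the current time is inside the agreed window. The ranges, window and function names are constructed for the example.

```python
import ipaddress
from datetime import datetime, time

# Constructed rules of engagement (documentation ranges, not real client data).
IN_SCOPE = ["198.51.100.0/24", "203.0.113.0/25"]    # ranges the client confirmed as its own
EXCLUDED = ["198.51.100.10/32", "203.0.113.64/26"]  # client-supplied exclusion list
WINDOW = (time(22, 0), time(6, 0))                  # agreed testing hours, local time

def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def classify(addr, in_scope=IN_SCOPE, excluded=EXCLUDED):
    """Return 'excluded', 'confirmed' or 'unconfirmed' for one discovered address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in n for n in _nets(excluded)):
        return "excluded"        # exclusions win even inside a confirmed range
    if any(ip in n for n in _nets(in_scope)):
        return "confirmed"
    return "unconfirmed"         # e.g. an adjacent or formerly owned range: hold

def in_window(now, window=WINDOW):
    """True if `now` is inside the window; handles windows that cross midnight."""
    start, end = window
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def may_test(addr, now):
    """Testing is allowed only for confirmed, non-excluded assets inside the window."""
    return classify(addr) == "confirmed" and in_window(now)

def triage(discovered):
    """Split discovery output into a target list and lists to send back to the client."""
    result = {"confirmed": [], "excluded": [], "unconfirmed": []}
    for addr in discovered:
        result[classify(addr)].append(addr)
    return result

if __name__ == "__main__":
    # Constructed discovery output: one adjacent-range host, two excluded hosts.
    found = ["198.51.100.7", "198.51.100.10", "198.51.101.7", "203.0.113.70"]
    print(triage(found))
    print(may_test("198.51.100.7", datetime(2011, 10, 14, 23, 30)))
```

The "unconfirmed" list is what goes back to the client for ownership confirmation, which is also where stale entries in an asset database tend to surface.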

Internal Testing
Most penetration testing is performed from the external perspective, with the most common scenario being an external attacker who has targeted the company but has no prior knowledge. While this is a popular scenario, there’s a lot to be gained from conducting an internal penetration test. Several major studies indicate that around 50 percent of security incidents involve an insider threat. So if you want to better understand the other side of the coin, then consider testing from an insider’s perspective.

Common scenarios in which an inside attacker might begin with zero-knowledge include contractors who have been granted temporary access to the network for the duration of their project. With targeted attacks against users and the increasing popularity of malware, the compromised user workstation is another situation that is frequently simulated.

Final Suggestions
When conducting a pen test from the zero-knowledge standpoint, it’s best to limit the amount of information provided to a tester to stay as close as possible to a real-world situation. One thing you should never give a tester in a zero-knowledge pen test is credentials to any applications or systems. That only occurs in partial- or full-knowledge testing situations. That being said, those types of situations can be extremely valuable as well. In our next entry, we’ll take a closer look at the partial-knowledge testing approach.

Vincent Liu, CISSP, is a Managing Partner at Stach & Liu, a security consulting firm providing IT security services to the Fortune 1000 and global financial institutions, as well as U.S. and foreign governments. He has coauthored several books including Hacking Exposed Wireless 1st and 2nd editions, Hacking Exposed Web Applications 3rd edition, and the upcoming Web Application Security, A Beginner's Guide. Vincent Liu (CISSP) is a Managing Partner at Stach & Liu, a security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he oversees firm strategy, practice development, and client matters.
