Perimeter
10/14/2011
04:36 PM
Vincent Liu
Commentary

Pro Pen Testing: The Zero-Knowledge Approach

Special care must be taken in a penetration test that locates targets with 'zero-knowledge'

Do you ever wonder how many kinds of penetration-testing approaches exist? Broadly speaking, there are three types of penetration testing: zero-knowledge, partial-knowledge, and full-knowledge. The difference between each type is the amount of information that the assessor is given before the testing begins. Within each one of those types, two perspectives are usually taken: external and internal. Combining these, you get six different ways of conducting a penetration test.

The two that we’ll focus on here are both variants of zero-knowledge: zero-knowledge, external penetration testing; and zero-knowledge, internal penetration testing.

Zero-Knowledge
Zero-knowledge testing is defined by having little to no information before the assessment begins. In the strictest interpretation, the assessor would not be given any information at all. However, it’s very rare to receive no information whatsoever from a client. A tester usually needs to be given a set of acceptable targets lest they attack unknowing victims. In-scope URLs and IP addresses are usually provided along with exclusions, such as IP address blacklists, and restrictions on testing time windows.

In some cases, the scope of testing will be an organization’s entire external presence. With this approach, it’s common for the assessor to begin with zero-knowledge, and to attempt to identify all external assets as an exercise in replicating what a real-world attacker might find.

Special care must be taken when you ask an assessor to locate targets with zero-knowledge. In particular, no testing should take place until every asset identified has been confirmed to belong to the organization being tested. You don’t want the assessor attacking someone unrelated who happens to be in an adjacent IP range or who might have been assigned a range previously belonging to you. I’ve often found that being asked to identify and confirm the initial target set proves to be a beneficial exercise that helps my clients verify their asset databases and keep them up-to-date.
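One way to enforce that confirmation step in practice is a scope gate that every discovered asset must pass before any testing activity is scheduled against it. The following is an added example, not code from the article or from the author's firm; the address ranges (RFC 5737 documentation prefixes), hostnames, exclusion list, testing window and timestamps are all constructed for illustration.

```python
"""Scope gate for a zero-knowledge engagement.

A discovered asset is cleared for testing only when it (1) falls inside a
client-authorized range, (2) is not on the client's exclusion list, (3) has had
its ownership explicitly confirmed by the client, and (4) is being tested inside
the agreed time window. Any failure is reported with a reason so the hold can be
discussed with the client rather than silently skipped.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class EngagementScope:
    in_scope: list                      # authorized ranges from the rules of engagement
    excluded: list                      # client blacklist (addresses or ranges)
    window_start: time                  # testing window; may wrap past midnight
    window_end: time
    confirmed_assets: dict = field(default_factory=dict)  # hostname -> confirmed IP

    def __post_init__(self):
        self._in_scope = [ipaddress.ip_network(n, strict=False) for n in self.in_scope]
        self._excluded = [ipaddress.ip_network(n, strict=False) for n in self.excluded]

    def in_window(self, when: datetime) -> bool:
        t = when.time()
        if self.window_start <= self.window_end:
            return self.window_start <= t < self.window_end
        # Window wraps midnight, e.g. 22:00 to 06:00.
        return t >= self.window_start or t < self.window_end

    def check(self, hostname: str, ip: str, when: datetime):
        """Return (allowed, reason); allowed is True only if every check passes."""
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False, "unparseable address"
        if not any(addr in n for n in self._in_scope):
            return False, "outside authorized ranges"
        if any(addr in n for n in self._excluded):
            return False, "address is on the client's exclusion list"
        # The client must have confirmed this exact hostname/IP pairing; a
        # hostname that now resolves elsewhere needs re-confirmation.
        if self.confirmed_assets.get(hostname) != ip:
            return False, "ownership not confirmed by client"
        if not self.in_window(when):
            return False, "outside testing window"
        return True, "authorized"


def triage(scope: EngagementScope, discovered, when: datetime) -> dict:
    """Map each discovered (hostname, ip) pair to its (allowed, reason) verdict."""
    return {host: scope.check(host, ip, when) for host, ip in discovered}


# Constructed engagement scope (hypothetical values).
SCOPE = EngagementScope(
    in_scope=["203.0.113.0/24", "198.51.100.0/25"],
    excluded=["203.0.113.7", "198.51.100.0/28"],
    window_start=time(22, 0),
    window_end=time(6, 0),
    confirmed_assets={
        "www.example.com": "203.0.113.10",
        "mail.example.com": "203.0.113.7",
        "vpn.example.com": "198.51.100.40",
    },
)

# Constructed discovery results, e.g. hostnames pulled from public DNS records.
DISCOVERED = [
    ("www.example.com", "203.0.113.10"),    # authorized
    ("mail.example.com", "203.0.113.7"),    # in range, but on the exclusion list
    ("vpn.example.com", "198.51.100.40"),   # authorized
    ("old.example.com", "198.51.100.200"),  # adjacent range, never authorized
    ("dev.example.com", "203.0.113.55"),    # in range, ownership not yet confirmed
]

NIGHT = datetime(2011, 10, 14, 23, 30)  # inside the 22:00-06:00 window
NOON = datetime(2011, 10, 14, 12, 0)    # outside the window

if __name__ == "__main__":
    for host, (ok, why) in triage(SCOPE, DISCOVERED, NIGHT).items():
        print(f"{'GO  ' if ok else 'HOLD'} {host:<18} {why}")
```

The "HOLD" verdicts are the useful output: each one is a question to put back to the client (is this host really yours? should this exclusion still apply?), which is exactly the asset-database clean-up the article describes.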

Internal Testing
Most penetration testing is performed from the external perspective, with the most common scenario being an external attacker who has targeted the company but has no prior knowledge. While this is a popular scenario, there’s a lot to be gained from conducting an internal penetration test. Several major studies indicate that around 50 percent of security incidents involve an insider threat. So if you want to better understand the other side of the coin, then consider testing from an insider’s perspective.

Common scenarios in which an inside attacker might begin with zero-knowledge include contractors who have been granted temporary access to the network for the duration of their project. With targeted attacks against users and the increasing popularity of malware, the compromised user workstation is another situation that is frequently simulated.

Final Suggestions
When conducting a pen test from the zero-knowledge standpoint, it’s best to try to limit the amount of information provided to a tester to stay as close as possible to a real-world situation. One thing you should never give to any applications or systems in a zero-knowledge pen test is credentials. That only occurs in partial- or full-knowledge testing situations. That being said, those types of situations can be extremely valuable as well. In our next entry, we’ll take a closer look at the partial-knowledge testing approach.

Vincent Liu, CISSP, is a Managing Partner at Stach & Liu, a security consulting firm providing IT security services to the Fortune 1000 and global financial institutions, as well as U.S. and foreign governments. He has coauthored several books including Hacking Exposed Wireless 1st and 2nd editions, Hacking Exposed Web Applications 3rd edition, and the upcoming Web Application Security, A Beginner's Guide.
