Perimeter
10/14/2011
04:36 PM
Vincent Liu
Vincent Liu
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Pro Pen Testing: The Zero-Knowledge Approach

Special care must be taken in a penetration test that locates targets with 'zero-knowledge'

Do you ever wonder how many kinds of penetration-testing approaches exist? Broadly speaking, there are three types of penetration testing: zero-knowledge, partial-knowledge, and full-knowledge. The difference between each type is the amount of information that the assessor is given before the testing begins. Within each one of those types, two perspectives are usually taken: external and internal. Combining these, you get six different ways of conducting a penetration test.

The two that we’ll focus on here are both variances of zero-knowledge: zero-knowledge, external penetration testing; and zero-knowledge, internal penetration testing.

Zero-Knowledge
Zero-knowledge testing is defined by having little to no information before the assessment begins. In the strictest interpretation, the assessor would not be given any information at all. However, it’s very rare to receive no information whatsoever from a client. A tester usually needs to be given a set of acceptable targets lest they attack unknowing victims. In-scope URLs and IP addresses are usually provided along with exclusions, such as IP address blacklists and restrictions, on testing time windows.

In some cases, the scope of testing will be an organization’s entire external presence. With this approach, it’s common for the assessor to begin with zero-knowledge, and to attempt to identify all external assets as an exercise in replicating what a real-world attacker might find.

Special care must be taken when you ask an assessor to locate targets with zero-knowledge. In particular, no testing should take place until every asset identified has been confirmed to belong to the organization being tested. You don’t want the assessor attacking someone unrelated who happens to be in an adjacent IP range or who might have been assigned a range previously belonging to you. I’ve often found that being asked to identify and confirm the initial target set proves to be a beneficial exercise that helps my clients verify their asset databases and keep them up-to-date.

Internal Testing
Most penetration testing is performed from the external perspective, with the most common scenario being an external attacker who has targeted the company but has no prior knowledge. While this is a popular scenario, there’s a lot to be gained from conducting an internal penetration test. Several major studies indicate that around 50 percent of security incidents involve an insider threat. So if you want to better understand the other side of the coin, then consider testing from an insider’s perspective.

Common scenarios in which an inside attacker might begin with zero-knowledge include contractors who have been granted temporary access to the network for the duration of their project. With targeted attacks against users and the increasing popularity of malware, the compromised user workstation is another situation that is frequently simulated.

Final Suggestions
When conducting a pen test from the zero-knowledge standpoint, it’s best to try and limit the amount of information provided to a tester to stay as close as possible to a real-world situation. One thing you should never give to any applications or systems in a zero-knowledge pen test is credentials. That only occurs in partial- or full-knowledge testing situations. That being said, those types of situations can be extremely valuable as well. In our next entry, we’ll take a closer look at the partial-knowledge testing approach.

Vincent Liu, CISSP, is a Managing Partner at Stach & Liu, a security consulting firm providing IT security services to the Fortune 1000 and global financial institutions, as well as U.S. and foreign governments. He has coauthored several books including Hacking Exposed Wireless 1st and 2nd editions, Hacking Exposed Web Applications 3rd edition, and the upcoming Web Application Security, A Beginner's Guide. Vincent Liu (CISSP) is a Managing Partner at Stach & Liu, a security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he oversees firm strategy, practice development, and client matters. Vincent is ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.