Tracks Covering in Penetration Testing

Tracks Covering in Penetration TestingEr. Ramesh NarwalEr. Gaurav GuptaAbstractAfter completing beset, covering tracks is the next measuring rod in penetration testing. In tracks covering after completing attack we will return to each exploited transcription to erase tracks and clean up every(prenominal) told footprints we left behind. Tracks covering is of the essence(predicate) because it gives clue to forensics analyst or Intrusion Detection ashes (IDS). Some terms its difficult to hide whole tracks but an assaulter can manipulate the carcass to confuse the examiner and make it almost impossible to identify the extent of the attacker. In this research melodic theme we calculate all of the methods used in tracks covering and their future scope.Keywords Exploit, Payload, Vulnerability Assessment, Penetration Testing, Track CoveringIntroductionPenetration testing is nowadays an important organisation security testing method. Penetration testing is also known as Pentestin g. Main objective of penetration testing is to identify the security threats in vanes, systems, servers and applications. Penetration testing consists of various human bodys which we discuss in overview of penetration testing. After doing administrative access on a system or server, attacker for the first time task is to cover their tracks to prevent detection of his current and past presence in the system. An attacker or intruder may also try to unpack evidence of their identity or activities on the system to prevent tracing of their identity or location by authorities. To prevent himself an attacker usually erases all error messages, alerts or security events that have been logged.Overview of Penetration TestingPenetration Testing used for validation and effectiveness of security protections and controls of an organisation. It reduce an organisations expenditure on IT security by identifying an remediating vulnerabilities or loopholes. It provides preventive steps that can pre vent upcoming evolution. Penetration testing gradesPre-engagement InteractionsIntelligence Gathering affright ModelingVulnerability AnalysisExploitationPost ExploitationCovering TracksReportingPre-engagement InteractionsPlanning is the first step in pre-engagement. During this phase scope, goal and call of the penetration test is finalised with the client. Target and methods of planned attacks are also finalised in this phase.Intelligence GatheringThis is most important phase if we miss something here we efficiency miss an entire opportunity of attack. All information regarding target is gathered by using social media networks, google hacking and other methods. Our primary goal during this phase to gain accurate information about target without revealing our presence, to learn how organisation operates and to determine the best entry point.Threat ModelingThe information acquired in perception gathering phase used in this phase to identify existing vulnerabilities on the target system. In threat modelling, we determine the most effective attack methods, the information type we need and how attack can be implemented at an organisation.Vulnerability AnalysisVulnerability is loophole or weakness in the system, network or product by using which can compromise it. After identification of most effective attack method, we consider how we can access the target. During this phase we combine information acquired in previous phases and use that information to find out most effective attack. Port and Vulnerability scans are performe in this phase and all data is also gathered from previous phases.ExploitationExploit is a code which allows an attacker to take advantage of the flaw or vulnerability within system, application or service. We mustiness perform exploit only when we are authentic that the particular exploit will be roaring. May be unforeseen protective measures might be on the target that inhibit a particular exploit. Before trigger a vulnerability we mu st sure that the system is vulnerable.Our exploit must do proper clean-up after execution at compromised system and must not cause the compromised system to grow into seismal state. Given below figure shows some system shutdown prompt at compromised windows machine due to without proper clean-up of exploit after execution.After successful exploitation the compromised system is under the control of an attacker. Many times attacker or penetration tester need to alter the compromised or breached systems to attain right escalation.Post ExploitationPayload is actual code which executed on the compromised system after exploitation. Post Exploitation phase begins after compromised mavin or more systems. In this phase penetration tester identifies critical infrastructure, targets specific systems, targets information and data that values most and that must be attempted to secure. In Post Exploitation while attacking systems we should take time to understand what the system do and their d ifferent user roles. Every tester and attacker in general spend time in compromised system to understand the information he have and how he can take benefit from that information.After gaining access of one system an attacker can access other systems in that network by using compromised as a staging point. This method is known as pivoting. Sometimes attackers creates backdoor into the compromised system to regain access of the system in the futureCovering TracksIn the previous phases penetration tester or attacker ofttimes make significant changes to the compromised systems to exploit the sytems or to gain administrative rights. This is the final stage in penetration test in which an attack clears all the changes made by himself in the compromised systems and returns the system and all compromised hosts to the precise configurations as they are before conducting penetration test.ReportingAll of the information like vulnerability answer fors, diagrams and exploitation results gener ated during penetration testing must be deleted after handover to the client. If any information is not deleted it should be in the knowledge of client and mentioned in the technical report which is generated after penetration testing.Reporting is the last phase in penetration test in which penetration tester organise available data and relate result sets into report and present that report to the client. This report is highly confidential which have all the results of penetration tests like vulnerabilities list in the organisation systems, networks or products and recommendations to solve these problems related to the security of the organisation assets, which helps organisation in stopping future attacks.How to cover tracksTo compromise system successfully an attacker need to be stealthy and avoid detection by various security systems like firewalls, Intrusion detection systems (IDS). System administrators and other security personals uses similar techniques to identify despitef ul activities, so its very important for attacker to be remains undetected. A system administrator can examine processes and log files to check malevolent activities. There are various challenges which are faced by a penetration tester after successfully compromise of target system. Now we describe various problem faced by a penetration tester in covering tracksManipulating Log Files DataTo manipulate log files data an attacker must have nice knowledge of commonly used operating systems. An attacker must aware of two types of log files system generated and application generated.Penetraion tester or attacker have two options when manipulating log data first one is to delete entire log and second one is to modify the subject matter of the log file. After deleting entire log an attacker there is surety of undetectability. But there is drawback of deletion of entire log is detection.Second option an attacker have to manipulation of log files data within the log files so that system ad ministrator is not able to notice attacker presence in the system. But sometimes if attacker removal of so much information make gap between logs files makes it noticeable.Log Files counsel in Various SystemMain purpose of log files in various operating systems is to check health and state of operating system, to detect malicious activity, to analysis system if something pernicious happens(system troubleshooting). Here we show locations of log files in commonly used operating systems Windows, Linux/Unix, Mac.WindowsIn windows log files or stored in event viewer, which is easy to find scarce search event viewer and run it. Event viewer is simply look like the figure as given below, where we can see all log files of the system and applications.Figure Log Files Managements in WindowsLinux/UnixIn mainly all linux and unix operating systems log files are stored in the /var/log directory. in general system log files are hidden in linux and unix operating systems to see complete list of log files from shell simply type ls l /var/log/ command in shell. In the below figure we show log files in BackTrack linux operating systemFigure Log Files Management in Linux/UnixMacTo get or access log files in MAC operating system simply open finder and select Go to Folder in the Go menu. Type in /Library/Logs and hit Enter here you get the screen like as given in figure which contains all log files.Figure Log Files Management in Mac OS XTo manipulation of log files data an attacker must have root privileges.Challenges in Manipulation of Log FilesIf the system administrator configures its system to transfer all log files on the remote server time to time, in that case an attacker or penetration tester can only stop log files transfer process except it they have no other way.Hiding FilesVarious Tools for Covering TracksThere are so many to compromise a system but after compromising the system the attack must need to cover their tracks because each and every activity that atta cker can do is stored or recorded by the system. Every system have different way to record the activity that occurs in the system. Every attacker must covers their tracks that are recorded by the system so that no one can identify him.