Re: Research on penetration testing?

From: SecurIT Informatique Inc. (securit@iquebec.com)
Date: Thu Dec 16 2004 - 14:28:14 EST


The problem probably lies in the fact that to do penetration testing, one
simply has to apply the same tools and techniques as any would-be intruder
would do, the difference being in the motive and the "get out of jail free"
card. These tools and techniques vary greatly depending on the environment
to pentest, so it is very difficult to set up one clear course of action
that could be determined by research. Also, seeing the success rates of
script kiddies (people with little technical knowledge) is a good sign that
experienced professionals should not have many problems achieving the
same success rates with pen-testing. What I mean here is that the
technical considerations for performing pen-testing are not the biggest
issue right now in computer security research.

In short, a typical intrusion attempt (pen test or not) is made by applying
the following steps:
1) information gathering about our target;
2) analysis of this data to determine our best course of action (which
services are available on the net, which versions they are, selection of
vulnerabilities to exploit);
3) apply one or more exploits as determined in 2) in order to gain
unauthorized access;
4) evaluation of the new compromised environment and our progression towards
our goal;
5) repeat steps 1 to 5 until the target is reached.

A typical intrusion attempt usually follows these steps. If you absolutely
want to pursue research in the pen test field (aside from discovering new
vulnerabilities), I don't see that many options. Maybe you could try to
make an automated tool that will perform all these steps automatically
(the tool does the info gathering, checks in a database for exploits matching
this info, then applies the exploit), but I don't know if this kind of
software already exists. Close to that are vulnerability scanners, which
do the same except that they won't go as far as applying the exploit (they
can test whether a system is vulnerable to an exploit, but they won't actually
exploit the system as in an intrusion).

Another thing you could look for is a tool that can test software for
vulnerabilities like buffer overflows and malformed strings, in order to
find unknown vulnerabilities in the software. Mark Litchfield made similar
software to test database server software for this kind of vulnerability
(www.ngssoftware.com).

Other than that, I think that academic research opportunities in the
field of pen-testing are pretty limited. A better area for such research
IMHO would be the field of intrusion detection/prevention, as this field
is the other side of the same coin. It is usually the bad guys
that "pen-test" networks (notice the ""), and the challenge is to detect
all these attempts by relying on proper techniques. Most of the
current-day technologies work by knowing in advance the signatures of
existing threats, which means that these systems have a problem by design
with 0-day exploits and unknown vulnerabilities. I, for one, have done much
research in this direction (http://securit.iquebec.com), but I'd be happy
to see more academics look into it.

Of course, I may be wrong, but seeing how quick the first answers were
about doing research on the ROI of pen-tests, I do think that the
technical aspects of pen-tests are not in such bad shape in terms of research.

Hope it helps.

Adam Richard
SecurIT Informatique Inc.

At 04:18 PM 15/12/2004, leonardo wrote:
>* Monday 13 December 2004, at 13:56, Rishi Pande wrote:
> >
> > I do not know if you would like your research to be more technically
>
>it's a pity not to have, as far as I know, a research branch dedicated to
>pen-test, under a technical view. I think technical research on security has
>been done in the past much more by vendors than by universities or
>research centres, apart from the cryptography field. It would be an
>interesting discussion to attempt to find a way to introduce pen-testing,
>and security in general, as a scientific subject and find a field that can
>be researched in a long/middle-term project, as a research project should be.
>
>as a person working in a university and trying to push this subject in
>teaching and research I'm really interested in links, documents, ideas,
>activities other people do that can define this.
>
>ciao,
>leonardo.
>--
>GPG fingerprint = 2C20 A587 05AC 42E5 1292 D0D4 3EED CFB5 52FD AD1E



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:11 EDT