Automating Penetration Tests - Part 1

This article is written based on the literature survey of my Master's theses on Automating Penetration Tests. The main objective of this research is to look into ways that penetration tests can be automated. However, I strongly believe that the capabilities of a good penetration tester cannot be automated using a computer program. So the intention is to automate systematic steps of penetration tests to save time and effort for the penetration tester.

Basic Automation of Penetration tests

There have been various attempts to simplify penetration tests by automating various steps of the penetration test. The simplest attempt is Autopwn [3] in the Metasploit framework [4]. The first penteser gathers information about target systems using Nmap or Nessus. This information is imported to a database using a database module in Metasploit. Autopwn query the database for open ports and services. Then it loads the exploits in Metasploit that match these services and launch them against the target systems.

Exploits are specific to operating system, service pack, language, version numbers, etc. This is because the length of the string that causes the buffer overflow and memory location where the operating systems load its core libraries (user.dll, kernel.dll, etc.) is different. Therefore the exploit needs to be selected for a specific target. However, autopwn lacks the ability to select the target, thus the successfulness of the exploit is less.

Using Attack Graphs and Attack Planning for Pentest Automation

Although the concept of modeling infrastructure security using graphs was introduced in 1998 by C. A. Phillips and L. P. Swiler in their paper “A graph-based system for network-vulnerability analysis”[5]. However their attack graphs were not based on vulnerabilities of the system, rather they were focused on the organization of the network and network devices. 

Then attacks graphs generation on based on vulnerability data was proposed by C.R. Ramakrishnan and R. Sekar in 1998 in their “Model-based analysis of configuration vulnerabilities” [6]. At the same period, Bruce Schneier introduced the concept of attack graphs in his article “Attack Trees: Modeling security threats” [7]. Ritchey and Ammann first proposed a systematic approach to the generation of attack graphs for the purpose of vulnerability assessment in their papers [8][9]. Since then there have been many theoretical studies the automatic generation of attack graphs [10][11][12][13][14][15].

Introduction to Attack Graphs

An attack graph is a graph or a tree structure whose nodes represents goals and sub-goals. The single tree generally has one root node – which is the final goal. Figure 1 illustrates a simplified version of attack graphs.

Figure 1: Simplified attack graph [16]

The process starts at a leaf node and starts moving towards the root – which is the ultimate goal. In order to move to a parent node, a set of actions must be carried out. These actions are attached to the edge between the two nodes. If the actions carried out yields positive results, then the process moves to the parent node; if not a different leaf node is selected. This process of moving from one node to another and analyzing the results to if the attack is successful is done using automated planners.

Attack Graphs Generation and Analysis

In order to automate the attacking process, there should be an automated mechanism to generate an attack graph. Since all the proceeding steps are based on the attack graphs, it’s crucial that that graph captures necessary information about the hosts, network connectivity, services running, vulnerabilities and exploits.

Different researches have proposed different approaches to generation and analysis of attack graphs. However, it’s important to note that some approaches do not reflect real-world attack scenarios and therefore the approach is not suitable to automate a penetration test. Here, I have divided different approaches into two categories: classical approaches and modern approaches.

Classical Approaches to Attack Graphs Generation and Analysis

In the classical approach, the attack graph generation is manual or semi-automatic. The analysis of the graphs is simple – depth-first, breath-first or exhaustive search based algorithm. The analysis also does not have a learning process. They generate the attack

graphs using the information that was collected prior to the attack. This also produces another assumption: the attacker has all the information about the network prior to the attack. The rest of this section discusses different classical approaches to attach graph generation and analysis.

Sheyner et al. [10] models the network as a finite state machine where state transitions correspond to a single exploit. The final goal of the attack is to violate the desired security property (for an example: obtain root access to the machine). Then using a tool called NuSMV [18], an attack graph are generated from the state machine, which also allows visualization of the graph. The graph is then transformed into a different state machine for analysis. In this model the graph is not meant for analysis purposes; it only serves the purpose of visualization. This model also does not scale because the complexity of the state machine increases as the number of node increases.

Atrz introduced [19] a mechanism to generate attack graphs from Nessus scan results and ICTA CVE vulnerability database. The graph has multiple goals and forward-chaining-depth-first-search is used to find attacks. Attacks are modeled using an attack description language known as REM. Artz system considers all the real world parameters, but the main problem is that it does an exhaustive search on the graphs and therefore it’s time not optimal.

Ritchey and Ammann introduced an algorithm to find attack paths specific to goals [8]. The algorithm can search for the shortest path (minim number of exploits to reach the goal), all the exploits that can be used to reach the goal and paths of a specific length. However, this algorithm is limited to a single goal. [11]

Based on Ritchey’s and Ammann’s algorithm researches in the references [20], [21], [17] and [9] have proposed a method for generating attack graphs using vulnerability and network reachability data gathered from Nessus scanner. Although these methods are limited to a single final goal, at the time these were the best in terms of running time complexity – N6 [22].

Anming Xie et al. [23] proposed a two-tier attack graph framework, which includes a host access graph and some sub-attack graphs, to address the scalability problem (with N3 complexity). A sub-attack graph describes attack vectors from a single source host to a single target host, while the host access graph identifies the attacker’s privilege transition through hosts. Analysis of the attack graphs is done using breadth-first-search. However, researches have overlooked how the two graphs are generated automatically. The researches later proposed a probability-based attack graph generation [24] in which they introduced prior-probability, match-probability, and transition-probability into attack graphs generation process. But the scenarios that the research has been conducted on are far away from real-world scenarios.

Read Part 2 >


[3] “Metasploit: Metasploit 3.0 Automated Exploitation.”

[4] “The Metasploit Project.”

[5] C. Phillips and L.P. Swiler, “A graph-based system for network-vulnerability analysis,” Proceedings of the 1998 workshop on New security paradigms, 1998, pp. 71–79.

[6] C.R. Ramakrishnan and R. Sekar, “Model-based analysis of configuration vulnerabilities,” Journal of Computer Security, vol. 10, 2002, pp. 189–209.

[7] B. Schneier, “Attack Trees: Modeling security threats,” Dec. 1999.

[8] R.W. Ritchey and P. Ammann, “Using model checking to analyze network vulnerabilities,” Security and Privacy, 2000. S&P 2000. Proceedings. 2000 IEEE Symposium on, 2002, pp. 156–165.

[9] R. Ritchey, O. Brian, and S.N. Berry, “Representing TCP/IP connectivity for topological analysis of network security,” 2002.

[10] O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J.M. Wing, “Automated generation and analysis of attack graphs,” 2002.

[11] S. Jajodia, S. Noel, and B. O’Berry, “Topological analysis of network attack vulnerability,” Managing Cyber Threats, 2005, pp. 247–266.

[12] R. Lippmann, K. Ingols, C. Scott, K. Piwowarski, K. Kratkiewicz, M. Artz, and R. Cunningham, “Validating and restoring defense in depth using attack graphs,” Military Communications Conference (MILCOM), 2006, pp. 1–10.

[13] D. Man, B. Zhang, W. Yang, W. Jin, and Y. Yang, “A method for global attack graph generation,” Networking, Sensing and Control, 2008. ICNSC 2008. IEEE International Conference on, 2008, pp. 236–241.

[14] Z. Li, J. Lei, L. Wang, and D. Li, “A data mining approach to generating network attack graph for intrusion prediction,” Fuzzy Systems and Knowledge Discovery, 2007. FSKD 2007. Fourth International Conference on, 2007, pp. 307–311.

[15] O. Sheyner and J. Wing, “Tools for generating and analyzing attack graphs,” Formal methods for components and objects, 2004, pp. 344–371.

[16] Michael S. Pallos, “Attack Trees: It's a Jungle out there.”

[17] S. Noel and S. Jajodia, “Managing attack graph complexity through visual hierarchical aggregation,” Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, 2004, pp. 109–118.

[18] A. Cimatti, E. Clarke, F. Giunchiglia, and M. Roveri, “NuSMV: a new symbolic model checker,” International Journal on Software Tools for Technology Transfer (STTT), vol. 2, 2000, pp. 410–425.

[19] M.L. Artz, “NetSPA: a network security planning architecture,” Massachusetts Institute of Technology, 2002.

[20] S. Jajodia, S. Noel, and B. O’Berry, “Topological analysis of network attack vulnerability,” Managing Cyber Threats, 2005, pp. 247–266.

[21] S. Noel, S. Jajodia, B. O'Berry, and M. Jacobs, “Efficient minimum-cost network hardening via exploit dependency graphs,” Computer Security Applications Conference, 2003. Proceedings. 19th Annual, 2005, pp. 86–95.

[22] R.P. Lippmann, K.W. Ingols, and M.I.O.T.L.L. LAB, An annotated review of past papers on attack graphs, Massachusetts Institute of Technology, Lincoln Laboratory, 2005.

[23] A. Xie, G. Chen, Y. Wang, Z. Chen, and J. Hu, “A New Method to Generate Attack Graphs,” Secure Software Integration and Reliability Improvement, 2009. SSIRI 2009. Third IEEE International Conference on, 2009, pp. 401–406.

[24] A. Xie, L. Zhang, J. Hu, and Z. Chen, “A Probability-Based Approach to Attack Graphs Generation,” Electronic Commerce and Security, 2009. ISECS'09. Second International Symposium on, 2009, pp. 343–347.


Popular posts from this blog

Configure Policy-Based Routing On Check Point Secure Platform

Disable DNS Lookup on Cisco Routers and Switches

gnmap2csv - Generate a CSV File from Nmap Scan Results