Importance of IP Fragmentation in Penetration Testing
Penetration testing is a central part of assuring any system whose security matters. It is a controlled simulation of an attack, carried out to see how the system's defences react to the techniques a real attacker would use. Its purpose is to find the weak points, to test the controls the security team has put in place and to give a measure of the overall security level. The "system" referred to in this article can be anything from a single computer to a complex network.
Penetration testing types:
Depending on who performs the test, who in the organization gets to see the results and how aggressive the test is, penetration testing is classified into several categories:
- Targeted testing: just as a doctor orders tests to confirm a diagnosis, these tests concentrate on specific areas of the system, and the test and its results are open to everyone involved.
- External testing: as the name suggests, this checks how far an attacker on the outside can get into the system from the Internet.
- Internal testing: this simulates an employee attacking the company's systems from inside the network and measures how much damage such an insider could do.
- Blind testing: a blind test is run covertly, with only the security team aware of it; the rest of the company is not told. The secrecy that has to be maintained and the effort needed to mimic a genuine attack convincingly make these tests expensive.
- Double-blind testing: here the secrecy is raised another notch and not even the security team is told about the attack. This type of test measures an organization's real detection and incident-response capability.
Fragmentation in general means breaking data into small, manageable pieces so that it is easier to inspect, repair or transfer. During a transfer, a whole file may be too large for the limitations of the channel, so it is split into pieces at the source, sent piece by piece and put back together at the destination by the reverse process, reassembly.
Although fragmentation exists to make data handling easier, it has also been turned to misuse and has found its way into attack techniques now that information is so valuable. Network links carry fairly small packets, so a large message is split into fragments no bigger than that. The catch for a security device is that only the first fragment of an IP datagram carries the transport (TCP or UDP) header; the fragments that follow carry only an offset and a slice of data. A stateless packet filter therefore inspects the first fragment carefully but has nothing to match the later fragments against and tends to let them pass, and if the first fragment is made very small it may not even contain the header fields (such as the TCP flags) the filter wants to check. Attackers exploit this by choosing fragment sizes and overlaps so that what the filter sees is not what the target host reassembles. To defend against such attacks it is essential to understand how they work in practice.
IP fragmentation is the same idea applied at the network layer. In the usual layering, the physical layer carries the raw signal, the data-link layer packages it into frames, and the network (IP) layer carries the datagram inside a frame. A frame has a maximum size, the MTU of the link, and an IP datagram larger than the MTU has to be split into fragments that each fit in one frame. Every fragment is an IP packet in its own right: it carries a full IP header in which the Identification field ties it to the original datagram, the More Fragments flag says whether further pieces follow, and the Fragment Offset field, counted in units of 8 bytes, says where the piece belongs. The destination host uses these fields to reassemble the original datagram.
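To make the mechanics concrete, here is an added Python example (not code from this article or from any of the tools it discusses) that builds IPv4 fragments by hand, parses their offset and More Fragments fields, and runs them through two toy packet filters: a stateless one that can only inspect the transport header in the first fragment, and one hardened with the RFC 1858 rules (drop a first fragment too short to hold the TCP header, and drop any fragment at offset 8 that could overwrite the TCP flags). The addresses, the Identification value 0xBEEF, port 23 and the TCP SYN itself are constructed sample input; the TCP checksum is left at zero because the filters never look at it.

```python
import struct
from typing import Dict, List, Tuple

IHL_BYTES = 20  # plain IPv4 header without options


def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071) over the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fragment_datagram(src: bytes, dst: bytes, ident: int, proto: int,
                      payload: bytes, mtu: int) -> List[bytes]:
    """Split one IP payload into fragments that fit the link MTU.

    Every fragment gets its own IPv4 header. All share the Identification
    value, the offset is counted in 8-byte units, and the MF (More Fragments)
    flag is set on every fragment except the last, so every fragment but the
    last carries a multiple of 8 payload bytes.
    """
    if mtu < IHL_BYTES + 8:
        raise ValueError("MTU too small to carry a fragment")
    step = (mtu - IHL_BYTES) // 8 * 8
    frags = []
    for start in range(0, len(payload), step):
        chunk = payload[start:start + step]
        more = start + len(chunk) < len(payload)
        flags_off = (0x2000 if more else 0) | (start // 8)
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IHL_BYTES + len(chunk),
                          ident, flags_off, 64, proto, 0, src, dst)
        hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
        frags.append(hdr + chunk)
    return frags


def parse_fragment(pkt: bytes) -> Dict[str, object]:
    """Pull the fields a filter or reassembler cares about out of one fragment."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_off = struct.unpack("!HHH", pkt[2:8])
    return {
        "ident": ident,
        "proto": pkt[9],
        "offset": (flags_off & 0x1FFF) * 8,      # back to bytes
        "more": bool(flags_off & 0x2000),
        "header_ok": inet_checksum(pkt[:ihl]) == 0,
        "data": pkt[ihl:total_len],
    }


def naive_filter(pkt: bytes, blocked_port: int) -> str:
    """Stateless rule 'drop TCP SYN to blocked_port'.

    Only the first fragment carries the TCP header, and only as many bytes of
    it as fit in that fragment; everything else is waved through.
    """
    f = parse_fragment(pkt)
    if f["offset"] != 0:
        return "pass"  # no transport header here, nothing to match
    data = f["data"]
    if f["proto"] == 6 and len(data) >= 14:
        dport = struct.unpack("!H", data[2:4])[0]
        if dport == blocked_port and data[13] & 0x02:  # SYN bit
            return "drop"
    return "pass"  # header cut short: the flags byte was never seen


def hardened_filter(pkt: bytes, blocked_port: int) -> str:
    """naive_filter plus the RFC 1858 checks for TCP: a first fragment must hold
    the whole 20-byte header (tiny-fragment attack) and a fragment at offset 8,
    which could overwrite the flags byte, is refused (overlap attack)."""
    f = parse_fragment(pkt)
    if f["proto"] == 6:
        if f["offset"] == 0 and len(f["data"]) < 20:
            return "drop"
        if f["offset"] == 8:
            return "drop"
    return naive_filter(pkt, blocked_port)


def demo(mtu: int) -> List[Tuple[str, str]]:
    """Fragment a constructed TCP SYN to port 23 at `mtu` and return the
    (naive, hardened) verdict for each fragment."""
    # sport 40000, dport 23, seq 1, ack 0, data offset 5, flags SYN,
    # window 65535, checksum 0 (not computed, the filters ignore it), urgent 0
    syn = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 0x50, 0x02, 65535, 0, 0)
    frags = fragment_datagram(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02",
                              0xBEEF, 6, syn, mtu)
    return [(naive_filter(p, 23), hardened_filter(p, 23)) for p in frags]


if __name__ == "__main__":
    for mtu in (1500, 28):
        print(mtu, demo(mtu))
```

Run as a script it prints the verdicts. With an MTU of 1500 the SYN travels unfragmented and both filters drop it; with an MTU of 28 the naive filter passes all three fragments, because the first one ends before the flags byte and the later ones carry no transport header at all, while the hardened filter refuses the tiny first fragment and the offset-8 fragment.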
Utilities for Penetration testing
There are numerous tools for fragmentation-related penetration testing. Below is general information on a few of them, to give a better insight into the process.
- Fragtest: Fragtest is a small utility rather than a sophisticated piece of software; it ships alongside fragroute. It uses ICMP to audit how a remote host reassembles fragments: it sends fragmented ICMP echo requests and examines the replies that come back. It is simple to use and needs little effort, but the downside is that it can only audit hosts that answer ICMP echo requests; a host that does not reply tells it nothing.
Fragtest's basic tests work in three ways:
1) By sending an ICMP echo request split into 8-byte fragments.
2) By sending an 8-byte ICMP echo request fragment followed by a 16-byte fragment that overlaps it, laid out so that the request is only valid if the host favours the newer data during reassembly; a reply shows the host reassembles that way.
3) The same, but laid out so that the request is only valid if the host favours the older data during reassembly.
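The following added Python example (not fragtest's own code) models what these three probes do to a target's reassembly. It builds an ICMP echo request, feeds it through a reassembler that can be told to favour old or new data where fragments overlap, and reports for each probe whether the host would end up with a valid request and hence send a reply. The fragment layout (a corrupted 8-byte header followed by a good 16-byte overlap for the "new" probe, and the reverse for the "old" probe), the identifier 0x1234 and the payload are assumptions made for illustration, not fragtest's exact packets, and the reassembler is deliberately simpler than a real stack, which may apply different rules depending on where the overlap falls.

```python
import struct
from typing import Dict, List, Optional, Tuple

# A fragment as the reassembler sees it: (byte offset, more-fragments flag, data).
Fragment = Tuple[int, bool, bytes]


def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071), also used by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo(ident: int, seq: int, payload: bytes, corrupt: bool = False) -> bytes:
    """ICMP echo request (type 8, code 0). With corrupt=True the identifier is
    changed after the checksum is computed, so the message fails validation."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    if corrupt:
        ident ^= 0xFF
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def icmp_valid(msg: bytes) -> bool:
    """What a receiving stack checks before answering: type 8 and a checksum that verifies."""
    return len(msg) >= 8 and msg[0] == 8 and inet_checksum(msg) == 0


def reassemble(frags: List[Fragment], policy: str) -> Optional[bytes]:
    """Reassemble the fragments of one datagram (assumed model, see lead-in).

    `policy` decides which data wins where fragments overlap: 'old' keeps bytes
    already received, 'new' lets a later fragment overwrite them. Returns None
    if the last fragment never arrived or a byte is still missing.
    """
    buf, have, total = bytearray(), bytearray(), None
    for off, more, data in frags:
        end = off + len(data)
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
            have.extend(bytes(end - len(have)))
        for i, byte in enumerate(data):
            if policy == "new" or not have[off + i]:
                buf[off + i] = byte
            have[off + i] = 1
        if not more:
            total = end
    if total is None or not all(have[:total]):
        return None
    return bytes(buf[:total])


def fragtest_probes(host_policy: str) -> Dict[str, bool]:
    """Run the three fragtest-style probes against a host that reassembles with
    `host_policy`. True means the host ends up with a valid echo request and
    would therefore reply; False means silence."""
    good = icmp_echo(0x1234, 1, b"fragtest")               # 16 bytes, valid
    bad = icmp_echo(0x1234, 1, b"fragtest", corrupt=True)  # same, bad header
    probes = {
        # 1) plain 8-byte fragments: every stack reassembles and answers
        "frag": [(0, True, good[:8]), (8, False, good[8:])],
        # 2) corrupted 8-byte header first, then a 16-byte overlap carrying the
        #    good message: only a stack favouring NEW data gets a valid request
        "frag-new": [(0, True, bad[:8]), (0, False, good)],
        # 3) good 8-byte header first, then a 16-byte overlap with a corrupted
        #    header: only a stack favouring OLD data gets a valid request
        "frag-old": [(0, True, good[:8]), (0, False, bad)],
    }
    return {name: icmp_valid(reassemble(frags, host_policy) or b"")
            for name, frags in probes.items()}


if __name__ == "__main__":
    for policy in ("old", "new"):
        print(policy, fragtest_probes(policy))
```

The point of the pair of overlap probes is that a host can only reply to one of them, so the pattern of replies reveals its reassembly policy; a filter or IDS in front of the host that reassembles the other way round will see a different datagram than the host does, which is exactly the gap fragment-based evasion exploits.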
- Fragroute: Fragroute, written by Dug Song and published at monkey.org, is a well-known open-source tool for ethical hacking and penetration testing and is readily available in Kali Linux. It intercepts the packets leaving the tester's machine for a chosen host and rewrites them according to a rule set before they are sent. Unlike fragtest it is intrusive: its rules can delay, duplicate, drop, fragment (with or without overlapping fragments), segment, source-route, reorder and print packets, and they can be chained; the rule ip_frag 8 old, for instance, splits traffic into 8-byte fragments with overlaps that favour the older data. Its main use is less penetration testing as such than checking whether firewalls, intrusion detection systems and other alarms can be evaded by such traffic.
- Nmap: Nmap (Network Mapper) is an open-source utility for security auditing and ethical hacking. Available on almost every operating system, including Windows, Linux and macOS, it is widely regarded as the most versatile tool of its kind. It uses raw packets to gather a wealth of information: which hosts are up on the network, which services they offer, what operating systems they run, and what kind of packet filters and firewalls sit in front of them. Its -f option splits probe packets into 8-byte IP fragments (and --mtu lets the tester choose another multiple of 8), which is how it is used to check whether a filter handles fragments correctly. Given its scope, Nmap is a much bigger beast than Fragroute and similar tools, and it is used by system administrators, network administrators, penetration testers and security auditors alike.
Along with the tools mentioned, many other penetration-testing tools exist. Which ones apply depends on the kind of data being communicated, the level of security and encryption in place, and other factors.
Any organization that exposes services over IP behind packet filters that do not handle fragments properly is open to fragmentation-based attacks. Penetration testing locates the weak areas and tests how well packet filters such as firewalls cope with them. The organization can then discuss the findings with its security team and decide how to raise the security level, whether by putting a proxy in front of the service, adding another layer of filtering, or configuring the filter to reassemble fragments before inspecting them. It must also be noted that penetration testing is not a one-off exercise: it has to be repeated regularly, both to catch problems that arise later and to keep pace with the attackers' improving techniques.