The problem of improving the efficiency of network attacks (in particular, penetration tests) is gaining importance, since the work of pen testers requires a high level of expertise and is time- and resource-consuming. Pen testing frameworks have been developed to facilitate the assessment of network security; the main tools available are the open source project Metasploit and the commercial products Immunity Canvas and Core Impact. However, as these tools have evolved and become more complex, with an increasing number of exploits and information gathering modules available, finding attack paths (sequences of actions that lead to a given goal) has become an important question.
Our work on this problem began in 2003 with the construction of a conceptual model of attacks (based on assets, actions and goals). From this model an attack graph can be constructed. However, since the size of the attack graph grows exponentially with the number of machines and exploits, building the complete attack graph does not scale to real-size scenarios. In this presentation we show how to use planning techniques to explore the attack graph without building the complete graph, and how they can be integrated with a pen testing framework so that they can be applied in real networks (we used Core Impact in our implementation). In our solution, the pen test tool becomes an API that the planner controls to execute the actions required to reach the goal. We will present the details of how to translate the information contained in the attack framework to the planning domain, and show the performance of our solution on a test bench of scenarios.
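
An added illustration, not code from the talk or from Core Impact: the assets/actions/goals model searched lazily, with plain breadth-first search standing in for the planner, so only the asset sets actually reached are ever materialised. The host chain, asset names and action names are constructed for the example.

```python
from collections import deque
from typing import NamedTuple

class Action(NamedTuple):
    name: str
    requires: frozenset   # assets that must already be held
    provides: frozenset   # assets gained when the action succeeds

def build_scenario(hosts):
    """Constructed scenario: host h(i) can only be reached from h(i-1)."""
    actions = []
    for i in range(1, hosts):
        prev, seen, agent = f"agent@h{i-1}", f"visible@h{i}", f"agent@h{i}"
        actions.append(Action(f"discover_h{i}", frozenset({prev}), frozenset({seen})))
        actions.append(Action(f"compromise_h{i}", frozenset({prev, seen}), frozenset({agent})))
    return actions

def find_attack_path(initial, goal, actions):
    """Return (plan, states_visited); plan is None when the goal is unreachable."""
    start = frozenset(initial)
    queue = deque([(start, [])])
    visited = {start}
    while queue:
        state, plan = queue.popleft()
        if goal in state:
            return plan, len(visited)
        # Successor states are generated on demand; the full graph is never built.
        for act in actions:
            if act.requires <= state and not act.provides <= state:
                nxt = state | act.provides   # assets only accumulate in this model
                if nxt not in visited:
                    visited.add(nxt)
                    queue.append((nxt, plan + [act.name]))
    return None, len(visited)

def all_assets(initial, actions):
    """Every asset named in the scenario; 2**len(...) bounds the full state space."""
    assets = set(initial)
    for act in actions:
        assets |= act.requires | act.provides
    return assets

if __name__ == "__main__":
    acts = build_scenario(4)
    plan, visited = find_attack_path({"agent@h0"}, "agent@h3", acts)
    print(plan, visited, 2 ** len(all_assets({"agent@h0"}, acts)))
```

For this four-host chain the search touches 7 asset sets out of 128 possible ones, which is the gap the abstract refers to when it says the complete graph does not scale.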