Pen Testing
This material was developed with funding from the
National Science Foundation under Grant # DUE 1601612
Penetration testing, commonly known as pen testing, is the act of testing a computer system, network, or company for vulnerabilities to a cyber-attack. Pen testing seeks to breach systems, people, processes, and code to uncover vulnerabilities which could be exploited, with the purpose of using the information garnered to harden the system, that is, make it more secure and thus more readily able to withstand future cyber-attacks. Penetration testing is often done as a five-step process:
- planning and reconnaissance
- scanning
- gaining access
- maintaining access
- providing feedback and updating security

[Diagram: Penetration Testing Stages: Planning & Reconnaissance, Scanning, Gaining Access, Maintaining Access, Analysis & Reporting]
Step 1: Planning & Reconnaissance
In the planning and reconnaissance phase, the penetration tester seeks to gather as much information as possible about the target. This includes conducting passive reconnaissance or footprinting, active reconnaissance or footprinting, and vulnerability research all in an attempt to gain information about targeted computers and networks, their potential vulnerabilities, and exploits to use against them.
Step 2: Scanning
In the scanning phase, active reconnaissance is used to collect information about a target by probing the target system or network to identify potential weaknesses which, if exploited, could provide access to the system or network. Active reconnaissance can include:
- port scanning, looking for openings into the system
- vulnerability scanning
- enumeration of a target by actively connecting to it to identify the user account, system account, and admin account
Port Scanning and OS Footprinting
Port scanning involves connecting to TCP and UDP ports on a system once you have found the IP addresses of a target organization. Port scanning allows the pen tester to determine the state of the target systems' most common UDP and TCP ports and which services and versions are likely running on those ports. OS footprinting enables a pen tester to identify the system's OS, which allows identification of the potential exploits or vulnerabilities associated with that OS. Tools like nmap (http://nmap.org) can be used for port scanning and OS footprinting. Tools like Shodan (http://www.shodan.io) can be used to find host devices connected to the Internet that use particular protocols or tools. Choosing a specific IP address or technology allows the acquisition of additional information, including which ports and services are in use, information available from banner grabs, vulnerable web cameras, and the OS of web servers.
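Port scanning is also one of the pen testing activities that the defending side can recognise most easily, because a scanner touches many ports on one host in a short time. As an added example that is not part of the original module, the Python script below reads firewall connection-log lines and flags a source that reaches many distinct destination ports on one host within a sliding time window. The log line format, the sample lines and the thresholds (10 ports within 60 seconds) are constructed for this example; real firewall exports use their own formats and a production rule would tune the thresholds to the network.

```python
"""Port-scan detection over firewall connection logs.

Added example for this page; it is not code from the original course
module. The log line format, the sample lines and the thresholds are
constructed for the example.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one host probes a dozen ports on a server within a
# few seconds, while a second host makes ordinary web requests.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z DENY src=203.0.113.7 dst=192.0.2.10 dport=21 proto=tcp
2024-05-01T10:00:01Z DENY src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp
2024-05-01T10:00:01Z DENY src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp
2024-05-01T10:00:02Z DENY src=203.0.113.7 dst=192.0.2.10 dport=25 proto=tcp
2024-05-01T10:00:02Z DENY src=203.0.113.7 dst=192.0.2.10 dport=53 proto=tcp
2024-05-01T10:00:02Z ALLOW src=203.0.113.7 dst=192.0.2.10 dport=80 proto=tcp
2024-05-01T10:00:03Z DENY src=203.0.113.7 dst=192.0.2.10 dport=110 proto=tcp
2024-05-01T10:00:03Z DENY src=203.0.113.7 dst=192.0.2.10 dport=135 proto=tcp
2024-05-01T10:00:03Z DENY src=203.0.113.7 dst=192.0.2.10 dport=139 proto=tcp
2024-05-01T10:00:04Z DENY src=203.0.113.7 dst=192.0.2.10 dport=143 proto=tcp
2024-05-01T10:00:04Z ALLOW src=203.0.113.7 dst=192.0.2.10 dport=443 proto=tcp
2024-05-01T10:00:04Z DENY src=203.0.113.7 dst=192.0.2.10 dport=445 proto=tcp
2024-05-01T10:00:05Z ALLOW src=198.51.100.4 dst=192.0.2.10 dport=443 proto=tcp
2024-05-01T10:00:09Z ALLOW src=198.51.100.4 dst=192.0.2.10 dport=443 proto=tcp
2024-05-01T10:00:12Z ALLOW src=198.51.100.4 dst=192.0.2.10 dport=80 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["dport"] = int(ev["dport"])
    return ev


def detect_port_scans(lines, window=timedelta(seconds=60), min_ports=10):
    """Flag (src, dst) pairs that touch at least min_ports distinct destination
    ports inside a sliding time window. Returns one finding per pair, holding
    the largest number of distinct ports seen in any window."""
    by_pair = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_pair[(ev["src"], ev["dst"])].append(ev)

    findings = []
    for (src, dst), events in by_pair.items():
        events.sort(key=lambda e: e["ts"])
        recent = deque()      # events inside the current window
        ports = Counter()     # distinct destination ports -> hits in the window
        denied = 0            # DENY events in the window
        best = None
        for ev in events:
            recent.append(ev)
            ports[ev["dport"]] += 1
            if ev["action"] == "DENY":
                denied += 1
            # slide the window forward: drop events older than `window`
            while ev["ts"] - recent[0]["ts"] > window:
                old = recent.popleft()
                ports[old["dport"]] -= 1
                if ports[old["dport"]] == 0:
                    del ports[old["dport"]]
                if old["action"] == "DENY":
                    denied -= 1
            if len(ports) >= min_ports and (best is None or len(ports) > best["distinct_ports"]):
                best = {
                    "src": src, "dst": dst,
                    "distinct_ports": len(ports), "denied": denied,
                    "first_seen": recent[0]["ts"].isoformat(),
                    "last_seen": ev["ts"].isoformat(),
                }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_port_scans(SAMPLE_LOG.splitlines()):
        print(f"possible port scan: {f['src']} -> {f['dst']}: {f['distinct_ports']} ports "
              f"({f['denied']} denied) between {f['first_seen']} and {f['last_seen']}")
```

The ratio of denied to allowed connections in the finding is a useful second signal: a normal client mostly hits ports that are open, while a scan of the common port range produces a run of denies with only a few allows.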
Step 3: Gaining Access
In the gaining access phase, the pen tester will attempt to gain access to the systems and sniff network traffic. The pen tester will use various methods to exploit the system, including:
- launching an exploit with a payload onto the system
- breaching physical barriers to assets
- social engineering
- exploiting website vulnerabilities
- exploiting software and hardware vulnerabilities or misconfigurations
- breaching access control security
- cracking weakly encrypted WiFi

Tools like Metasploit (http://www.metasploit.com), Armitage (http://www.fastandeasyhacking.com/), Aircrack-ng (http://www.aircrack-ng.org/) and the Social Engineering Toolkit (all of which are part of the Kali Linux distribution) are used to gain access to and exploit vulnerable systems.
Step 5: Analysis & Reporting
Using the information gathered by the pen tester, a report is prepared and presented to the target organization. The target organization will need to analyze the feedback and use it to perform updates to their security. Updates will need to be made to policies, products, and people to enhance the confidentiality, integrity, and availability of information (the CIA triad) based on the pen tester's output.
Passive Reconnaissance
Passive reconnaissance or footprinting is an attempt to gain information about targeted computers and networks without actively engaging with the systems. Passive reconnaissance uses public information, which can include:
- observing a target’s physical location
- researching the target through common Internet tools, like domain name registration for primary top-level domain names, and site reports from Netcraft (http://netcraft.com) for identification of public IP ranges, web server OS hosts and types
- researching the target through traditional Google searches, the target website, and social media accounts for information such as employee names and contact information, email address structure, identification of technology vendor products in use, and organizational charts
- performing email analysis
Active Reconnaissance
Active reconnaissance or footprinting is where the penetration tester is more exposed to being questioned or identified as engaging in reconnaissance activity. Active reconnaissance can include:
- social engineering techniques such as shoulder surfing, eavesdropping on employee conversations, and impersonating an employee in an attempt to collect information
- dumpster diving to find equipment or discarded paper that contains sensitive data
- DNS zone transfer to examine the network topology
Vulnerability Research
Vulnerability research involves identifying vulnerabilities to potentially use against the identified target systems. This research might include using the Google Hacking Database for potential Google Hacks to exploit the target’s website, or searching for specific products that have known vulnerabilities via resources such as the National Vulnerability Database (http://nvd.nist.gov), the Common Vulnerabilities and Exposures (CVE) site (http://www.cvedetails.com), and Securiteam (http://securiteam.com).
Vulnerability Scanning
Vulnerability scanning is used to identify potentially exploitable vulnerabilities of a particular target. A web server vulnerability scanner like Nikto (included in Kali Linux, http://www.kali.org/, or in Sparta, http://sparta.secforce.com/) can be used to find vulnerabilities in the server, including cross-site scripting, exposed password files, and weaknesses in web applications.
Enumeration
Enumeration of a target is accomplished by actively connecting to it to identify the user account, system account, and admin account that may be used for further exploitation of the system. Enumeration is used to gather:
- usernames and group names
- hostnames
- network shares and services
- IP tables and routing tables
- service settings and audit configurations
- applications and banners
- SNMP and DNS details
Step 4: Maintaining Access
Pen testers will need to maintain access to the system to ascertain what data and systems are vulnerable to exploitation. Thus, for a pen tester to continue to access the system it will be important to remain undetected, which will require undertaking further steps to obscure their presence. Typically the installation of hidden infrastructure for repeated and unfettered access is based on backdoors, Trojan horses, rootkits, and other covert channels. When this infrastructure is in place, the pen tester can then proceed to acquire whatever data he or she considers valuable.
Covert channel: a communication channel whose existence is hidden.
Packet Sniffing
Packet sniffing enables penetration testers to understand network traffic. Packet sniffing is done by connecting to the network, perhaps through a wireless connection or via an exploited network device, and using a tool to intercept packets as they are transmitted across the network. Tools like Wireshark (http://www.wireshark.org/) can be used to examine network traffic.
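To show what a packet sniffer actually reveals, the following Python script (an added example, not code from the original module or from Wireshark) builds a small capture in the pcap file format that Wireshark reads, parses the Ethernet, IPv4 and TCP headers back out of it, summarises the flows the way a conversations view does, and reports FTP-style cleartext logins with the password value redacted. The hosts, ports and payloads are constructed for the example; the parser handles only Ethernet link-layer captures with IPv4/TCP packets, and checksums in the constructed frames are left at zero.

```python
"""Reading a pcap capture and spotting cleartext logins.

Added example for this page; it is not code from the original course
module or from Wireshark. The capture is constructed for the example.
"""
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4          # pcap magic number (microsecond timestamps)
LINKTYPE_ETHERNET = 1
FLAG_SYN, FLAG_PSH, FLAG_ACK = 0x02, 0x08, 0x10


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Build an Ethernet/IPv4/TCP frame; checksums stay zero (test data only)."""
    eth = bytes.fromhex("0011223344556677889900aa") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_pcap(frames, start_ts=1714557600):
    """Wrap frames in a pcap global header plus one record header per packet."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", start_ts + i, 0, len(frame), len(frame)) + frame
    return out


def decode_tcp_frame(frame):
    """Return (src_ip, sport, dst_ip, dport, flags, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 6:        # not IPv4, or not TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return (socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport,
            tcp[13], tcp[data_off:])


def read_pcap(data):
    """Yield (timestamp, src_ip, sport, dst_ip, dport, flags, payload) per TCP packet."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:                # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        pkt = decode_tcp_frame(data[off:off + incl_len])
        off += incl_len
        if pkt:
            yield (ts_sec + ts_usec / 1e6,) + pkt


def flow_counts(data):
    """Packets per (src, sport, dst, dport) flow, like a conversations summary."""
    return Counter((s, sp, d, dp) for _, s, sp, d, dp, _, _ in read_pcap(data))


def find_cleartext_logins(data, verbs=(b"USER ", b"PASS ")):
    """Report payloads carrying FTP-style cleartext credentials, password redacted."""
    hits = []
    for _, src, _, dst, dport, _, payload in read_pcap(data):
        if payload.startswith(verbs):
            text = payload.decode("ascii", errors="replace").strip()
            if text.startswith("PASS "):
                text = "PASS <redacted>"
            hits.append({"src": src, "dst": dst, "dport": dport, "text": text})
    return hits


# Constructed capture: an FTP login on port 21 and one opaque TLS record on 443.
CLIENT, SERVER = "10.0.0.5", "10.0.0.9"
SAMPLE_PCAP = build_pcap([
    build_tcp_frame(CLIENT, SERVER, 51000, 21, FLAG_SYN),
    build_tcp_frame(SERVER, CLIENT, 21, 51000, FLAG_SYN | FLAG_ACK),
    build_tcp_frame(CLIENT, SERVER, 51000, 21, FLAG_PSH | FLAG_ACK, b"USER alice\r\n"),
    build_tcp_frame(CLIENT, SERVER, 51000, 21, FLAG_PSH | FLAG_ACK, b"PASS hunter2\r\n"),
    build_tcp_frame(CLIENT, SERVER, 51001, 443, FLAG_PSH | FLAG_ACK, b"\x16\x03\x01\x00\x05hello"),
])

if __name__ == "__main__":
    for (s, sp, d, dp), n in flow_counts(SAMPLE_PCAP).items():
        print(f"{s}:{sp} -> {d}:{dp}  {n} packet(s)")
    for hit in find_cleartext_logins(SAMPLE_PCAP):
        print(f"cleartext credential {hit['src']} -> {hit['dst']}:{hit['dport']}: {hit['text']}")
```

The USER and PASS lines are readable because FTP carries them unencrypted, while the record on port 443 is opaque to the same parser; this is the concrete reason the reporting stage recommends internal encryption using TLS.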
Updating Products
Product updates can include adding or updating products that were not being used, or configuring existing products to most effectively limit access and enhance security.
For example, the following should be used, enabled, updated and maintained:
- physical security of assets
- web application firewalls (WAF)
- internal encryption using Transport Layer Security (TLS)
- secure backups
- hardening or segmentation of Internet of Things (IoT) devices
- multi-factor authentication

Web application firewalls (WAF): help secure your web applications by inspecting inbound web traffic to block SQL injections, cross-site scripting, malware uploads, application DDoS, and other attacks.
Multi-factor authentication: a computer user is granted access only after successfully presenting two or more pieces of evidence to authenticate them.
Internet of Things (IoT): the connection via the Internet of everyday objects with embedded computing devices, which enables them to send and receive data.
Policies
Organization policies outline access controls to systems, how personnel securely interact with systems, how personnel physically access company assets, and how personnel prevent social engineering attacks. A written policy serves as a formal guide to all cybersecurity measures used in your company. It allows security specialists and employees to be on the same page and gives you a way to enforce rules that protect your data and other assets. Policies should be created and updated to include information regarding:
- least privilege as the default for access controls
- multi-factor authentication
- password selection and security
- third-party access to your data
- bring your own device (BYOD)
Train People
All personnel in an organization may need to be trained on new policies and product usage to come into compliance, as well as periodic retraining on existing policies and products. Specifically, training can raise security awareness of phishing, social engineering, password selection and protection, and policies for bring your own device (BYOD).
Practice
Exercise 1. Match each action to the pen testing phase it belongs to (planning & reconnaissance, scanning, gaining access, maintaining access, or analysis & reporting):
- vulnerability research
- packet sniffing
- cracking weak encryption
- port scanning
- installing a Trojan horse
- enumeration
- recommending updates to products and policies
- summarizing your findings
- installing a covert channel
- exploiting website vulnerabilities
- launching an exploit
- gathering data on the company website
- dumpster diving
- vulnerability scanning

Exercise 2. Match each technique to either passive or active reconnaissance:
- performing email analysis
- phishing
- impersonating an employee
- observing a company’s physical location
- gathering data through Google searches
- shoulder surfing
- examining a company’s social media sites

Exercise 3. Match each tool to its use:
- Shodan
- Social Engineering Toolkit (SET)
- Common Vulnerabilities and Exposures (CVE)
- Nikto
- Metasploit
- Aircrack-ng
- Nmap
- Wireshark
- Armitage
- National Vulnerability Database (NVD)

Congratulations on learning the activities in the stages of pen testing, the activities associated with active and passive reconnaissance, and the tool uses!