This material was developed with funding from the
National Science Foundation under Grant # DUE 1601612
Penetration testing, commonly known as pen testing, is the act of testing a computer system, network, or company for vulnerabilities to a cyber-attack. Pen testing seeks to breach systems, people, processes, and code to uncover vulnerabilities which could be exploited, with the purpose of using the information garnered to harden the system, making it more secure and thus more readily able to withstand future cyber-attacks. Penetration testing is often done as a five-step process:
- planning and reconnaissance
- scanning
- gaining access
- maintaining access
- providing feedback and updating security
Penetration Testing Stages
Step 1: Planning & Reconnaissance
In the planning and reconnaissance phase, the penetration tester seeks to gather as much information as possible about the target. This includes conducting passive reconnaissance or footprinting, active reconnaissance or footprinting, and vulnerability research all in an attempt to gain information about targeted computers and networks, their potential vulnerabilities, and exploits to use against them.
Step 2: Scanning
In the scanning phase, active reconnaissance is used to collect information about a target by probing the target system or network to identify potential weaknesses which, if exploited, could provide access to the system or network. Active reconnaissance can include:
- port scanning, looking for openings into the system
- vulnerability scanning
- enumeration of a target by actively connecting to it to identify the user account, system account and admin account
Port Scanning and OS Footprinting
Port scanning involves connecting to TCP and UDP ports on a system once you have found the IP addresses of the target organization. Port scanning allows the pen tester to determine the state of the target system's most common TCP and UDP ports and which services and versions are likely running on those ports. OS footprinting enables a pen tester to learn the system's OS, which allows identification of the potential exploits or vulnerabilities associated with that OS. Tools like nmap (http://nmap.org) can be used for port scanning and OS footprinting. Tools like Shodan (http://www.shodan.io) can be used to find host devices connected to the Internet that use particular protocols or tools. Choosing a specific IP address or technology allows the acquisition of additional information, including which ports and services are in use, information available from banner grabs, vulnerable web cameras, and the OS of web servers.
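Because a port scan leaves a distinctive trace in a defender's logs (one source touching many different ports on one host in a short time), the scanning phase is also where detection usually starts. The following is an added example, not part of the original module: a small Python detector run over a constructed firewall-style connection log. The log format, field names, threshold (5 distinct ports) and 60-second window are assumptions, and the slow-scanning source shows what a fixed window misses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (not from any real device). Fields: ISO timestamp,
# source IP, destination IP, destination port, verdict. Addresses are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 dst=192.0.2.10 dport=21 action=deny
2024-05-01T10:00:01Z src=203.0.113.5 dst=192.0.2.10 dport=22 action=deny
2024-05-01T10:00:02Z src=203.0.113.5 dst=192.0.2.10 dport=23 action=deny
2024-05-01T10:00:02Z src=203.0.113.5 dst=192.0.2.10 dport=25 action=deny
2024-05-01T10:00:03Z src=203.0.113.5 dst=192.0.2.10 dport=80 action=allow
2024-05-01T10:00:03Z src=203.0.113.5 dst=192.0.2.10 dport=443 action=allow
2024-05-01T10:00:05Z src=198.51.100.7 dst=192.0.2.10 dport=443 action=allow
2024-05-01T10:00:07Z src=198.51.100.7 dst=192.0.2.10 dport=80 action=allow
2024-05-01T10:01:00Z src=203.0.113.9 dst=192.0.2.10 dport=21 action=deny
2024-05-01T10:03:00Z src=203.0.113.9 dst=192.0.2.10 dport=22 action=deny
2024-05-01T10:05:00Z src=203.0.113.9 dst=192.0.2.10 dport=23 action=deny
2024-05-01T10:07:00Z src=203.0.113.9 dst=192.0.2.10 dport=25 action=deny
2024-05-01T10:09:00Z src=203.0.113.9 dst=192.0.2.10 dport=80 action=deny
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")

def parse_log(text):
    """Yield (timestamp, src, dst, dport) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), int(m.group(4))

def detect_port_scans(text, min_ports=5, window_seconds=60):
    """Flag each (src, dst) pair that touches >= min_ports distinct ports inside any
    sliding window of window_seconds. Returns {(src, dst): max distinct ports seen}."""
    events = defaultdict(list)                      # (src, dst) -> [(ts, port), ...]
    for ts, src, dst, port in parse_log(text):
        events[(src, dst)].append((ts, port))
    alerts = {}
    for pair, hits in events.items():
        hits.sort()                                  # chronological order
        start = 0
        for end in range(len(hits)):
            # advance the left edge until the window fits inside window_seconds
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[pair] = max(alerts.get(pair, 0), len(ports))
    return alerts

if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports within 60s")
```

With the defaults only the fast scanner 203.0.113.5 is reported; the slow scanner 203.0.113.9 (one port every two minutes) is caught only when the window is widened, which is the usual trade-off between scan detection and false positives.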
Step 3: Gaining Access
In the gaining access phase, the pen tester will attempt to gain access to the systems and sniff network traffic. The pen tester will use various methods to exploit the system, including:
- launching an exploit with a payload onto the system
- breaching physical barriers to assets
- social engineering
- exploiting website vulnerabilities
- exploiting software and hardware vulnerabilities or misconfigurations
- breaching access control security
- cracking weakly encrypted WiFi
Tools like Metasploit (http://www.metasploit.com), Armitage (http://www.fastandeasyhacking.com/), Aircrack-ng (http://www.aircrack-ng.org/) and the Social Engineering Toolkit (all of which are part of the Kali Linux distribution) are used to gain access to and exploit vulnerable systems.
Step 5: Analysis & Reporting
Using the information gathered by the pen tester, a report is prepared and presented to the target organization. The target organization will need to analyze the feedback and use it to update their security. Based on the pen tester's output, updates will need to be made to policies, products, and people to enhance the confidentiality, integrity, and availability of information (the CIA triad).
Passive reconnaissance or footprinting is an attempt to gain information about targeted computers and networks without actively engaging with the systems. Passive reconnaissance uses public information, which can include:
- observing a target's physical location
- researching the target through common Internet tools like domain name registration for primary top-level domain names, and site reports from Netcraft (http://netcraft.com) for identification of public IP ranges and web server OS hosts and types
- researching the target through traditional Google searches, the target website, and social media accounts for information such as employee names and contact information, email address structure, identification of technology vendor products in use, and organizational charts
- performing email analysis
Active reconnaissance or footprinting is where the penetration tester is more exposed to being questioned or identified as engaging in reconnaissance activity. Active reconnaissance can include:
- social engineering techniques such as shoulder surfing, eavesdropping on employee conversations, and impersonating an employee in an attempt to collect information
- dumpster diving to find equipment or discarded paper that contains sensitive data
- DNS zone transfer to examine the network topology
Vulnerability research involves identifying vulnerabilities to potentially use against the identified target systems. This research might include using the Google Hacking Database for potential Google Hacks to exploit the target’s website, or to search for specific products that have known vulnerabilities via resources such as the National Vulnerability Database (http://nvd.nist.gov), the Common Vulnerabilities and Exposures (CVE) (http://www.cvedetails.com), and the Securiteam (http://securiteam.com) websites.
Vulnerability scanning is used to identify potentially exploitable vulnerabilities of a particular target. A web server vulnerability scanner tool like Nikto (within Kali Linux http://www.kali.org/ or Sparta http://sparta.secforce.com/) can be used to find vulnerabilities in the server, including cross-site scripting, password files, and weaknesses in web applications.
Enumeration of a target is accomplished by actively connecting to it to identify the user account, system account and admin account that may be used for further exploitation of the system. Enumeration is used to gather:
- usernames and group names
- hostnames
- network shares and services
- IP tables and routing tables
- service settings and audit configurations
- applications and banners
- SNMP and DNS details
Step 4: Maintaining Access
Pen testers will need to maintain access to the system to ascertain what data and systems are vulnerable to exploitation. Thus, for a pen tester to continue to access the system it will be important to remain undetected, which will require undertaking further steps to obscure their presence. Typically the installation of hidden infrastructure for repeated and unfettered access is based on backdoors, Trojan horses, rootkits, and other covert channels. When this infrastructure is in place, the pen tester can then proceed to acquire whatever data he or she considers valuable.
Covert channel: a communication channel whose existence is hidden.
Packet sniffing enables penetration testers to understand network traffic. Packet sniffing is done by connecting to the network, perhaps through a wireless connection or via an exploited network device, and using a tool to intercept packets as they are transmitted across the network. Tools like Wireshark (http://www.wireshark.org/) can be used to examine network traffic.
Product updates can include adding or updating products that were not being used, or configuring existing products to most effectively limit access and enhance security.
For example, the following should be used, enabled, updated and maintained:
- physical security of assets
- web application firewalls (WAF)
- internal encryption using Transport Layer Security (TLS)
- secure backups
- hardening or segmentation of Internet of Things (IoT) devices
- multi-factor authentication
Web application firewall (WAF): helps secure your web applications by inspecting inbound web traffic to block SQL injection, cross-site scripting, malware uploads, application DDoS, and other attacks.
Multi-factor authentication: a computer user is granted access only after successfully presenting two or more pieces of evidence to authenticate them.
Internet of Things (IoT): the connection via the Internet of everyday objects with embedded computing devices, which enables them to send and receive data.
Organization policies outline access controls to systems, how personnel securely interact with systems, how personnel physically access company assets, and how personnel prevent social engineering attacks. A written policy serves as a formal guide to all cybersecurity measures used in your company. It allows security specialists and employees to be on the same page and gives you a way to enforce rules that protect your data and other assets. Policies should be created and updated to include information regarding:
- least privilege as the default for access controls
- multi-factor authentication
- password selection and security
- third party access of your data
- bring your own device (BYOD)
All personnel in an organization may need to be trained on new policies and product usage to come into compliance, as well as periodic retraining on existing policies and products. Specifically, training can raise security awareness of phishing, social engineering, password selection and protection, and policies for bring your own device (BYOD).
Match the actions to the phase by dragging each to the correct box associated with that phase.
- cracking weak encryption
- installing a Trojan horse
- recommending updates to products and policies
- summarizing your findings
- installing a covert channel
- exploiting website vulnerabilities
- launching an exploit
Match the techniques to either passive or active reconnaissance by dragging each to the correct box associated with that binocular lens.
- gathering data on the company website
- performing email analysis
- impersonating an employee
- observing a company's physical location
- gathering data through Google searches
- examining a company's social media sites
Match the tool to its use by dragging each to the correct box associated with that phase.
- Social Engineering Toolkit (SET)
- Common Vulnerabilities and Exposures (CVE)
- National Vulnerability Database (NVD)
Congratulations on learning the activities in the stages of pen testing, the activities associated with active and passive reconnaissance, and the tools' uses!