LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Page 1: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

ECSA/LPT

EC-Council Module XI

EC-Council Penetration Testing Methodologies

Page 2: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Module Objective

The objective of this module is to frame a guideline that a penetration tester can adopt while doing a penetration test.

The module is by no means an exhaustive one, as it is not possible to map all the approaches that a hacker can adopt.

It is not necessary that the test progresses in the order of the steps outlined.

EC-Council Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Page 3: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Module Flow

What is Penetration Testing?

Common Penetration Testing Techniques

Scope of Penetration Testing

Strategies of Penetration Testing

Types of Penetration Testing

Blue Teaming/Red Teaming

Hiring a Penetration Tester

Profile of a Good Penetration Tester

Penetration Testing Methodologies List

Penetration Test vs. Vulnerability Test

Guidelines for Security Checking

Penetration Testing Roadmap

Page 4: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

What is Penetration Testing?

A penetration test is the process of actively evaluating a company’s information security measures.

Security measures are actively analyzed for design weaknesses, technical flaws, and vulnerabilities.

The results are delivered comprehensively in a report to executive, management, and technical audiences.

Page 5: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Why Penetration Testing?

Identify the threats facing an organization's information assets

Reduce an organization's IT security costs and provide a better Return On IT Security Investment (ROSI) by identifying and resolving vulnerabilities and weaknesses

Provide an organization with assurance: a thorough and comprehensive assessment of organizational security covering policy, procedure, design, and implementation

Gain and maintain certification to an industry regulation (BS7799, HIPAA, etc.)

Adopt best practice by conforming to legal and industry regulations

Page 6: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Why Penetration Testing? (cont’d)

It focuses on high-severity vulnerabilities and emphasizes application-level security issues to development teams and management

For testing and validating the efficiency of security protections and controls

For enabling vulnerability perspectives to the organization internally and externally

Providing indisputable information usable by audit teams gathering data for regulatory compliance

Providing a comprehensive approach to preparation steps that can be taken to prevent upcoming exploitation

Evaluating the efficiency of network security devices such as firewalls, routers, and web servers

For changing or upgrading existing infrastructure of software, hardware, or network design

Page 7: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

What Should be Tested?

An organization should conduct a risk assessment operation before the penetration testing that will help to identify the main threats, such as:

• Communications failure, e-commerce failure, and loss of confidential information.

• Public-facing systems: websites, email gateways, and remote access platforms.

• Mail, DNS, firewalls, passwords, FTP, IIS, and web servers.

Testing should be performed on all hardware and software components of a network security system.

Page 8: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

What Makes a Good Penetration Test?

Establishing the parameters for the penetration test, such as objectives, limitations, and the justification of procedures.

Hiring skilled and experienced professionals to perform the test.

Choosing a suitable set of tests that balance cost and benefits.

Following a methodology with proper planning and documentation.

Documenting the result carefully and making it comprehensible for the client.

Stating the potential risks and findings clearly in the final report.

Page 9: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Common Penetration Testing Techniques

Passive research:

• Is used to gather all the information about an organization's system configurations.

Open source monitoring:

• Facilitates an organization to take necessary steps to ensure its confidentiality and integrity.

Network mapping and OS fingerprinting:

• Is used to get an idea of the configuration of the network being tested.

Page 10: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Common Penetration Testing Techniques (cont’d)

Spoofing:

• Is the act of using one machine to pretend to be another.

• Is used here for both internal and external penetration tests.

Network sniffing:

• Is used to capture the data as it travels across a network.

Trojan attacks:

• Are malicious code or programs usually sent into a network as email attachments or transferred via “Instant Message” into chat rooms.

Page 11: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Common Penetration Testing Techniques (cont’d)

A brute-force attack:

• Is the most commonly known password cracking method.

• Can overload a system and possibly stop it from responding to legal requests.

Vulnerability scanning:

• Is a comprehensive examination of the targeted areas of an organization's network infrastructure.

A scenario analysis:

• Is the final phase of testing, making a risk assessment of vulnerabilities much more accurate.
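The brute-force technique above is the one most likely to show up in a target's own logs, so a defender can verify whether a test (or a real attack) was noticed. The following is an added example, not part of the EC-Council module: it parses constructed SSH-style authentication log lines and flags any source address that accumulates a threshold of failed logins inside a sliding time window. The log format, the threshold of 5 failures, the 60-second window, and the year supplied for syslog timestamps are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of an SSH authentication log; the host,
# usernames and addresses are made up for this example.
SAMPLE_LOG = """\
Mar 10 09:12:01 host sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Mar 10 09:12:03 host sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40113 ssh2
Mar 10 09:12:04 host sshd[2101]: Failed password for root from 198.51.100.7 port 40114 ssh2
Mar 10 09:12:06 host sshd[2101]: Failed password for root from 198.51.100.7 port 40115 ssh2
Mar 10 09:12:08 host sshd[2101]: Failed password for root from 198.51.100.7 port 40116 ssh2
Mar 10 09:12:09 host sshd[2101]: Failed password for root from 198.51.100.7 port 40117 ssh2
Mar 10 09:15:30 host sshd[2230]: Failed password for alice from 203.0.113.5 port 51000 ssh2
Mar 10 09:15:45 host sshd[2231]: Accepted password for alice from 203.0.113.5 port 51001 ssh2
Mar 10 09:40:00 host sshd[2400]: Failed password for bob from 203.0.113.9 port 52000 ssh2
"""

# Matches only failed-password lines; captures timestamp, username and source address.
FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port"
)


def parse_failures(log_text, year=2024):
    """Return a list of (timestamp, source_ip, username) for each failed login."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; the caller supplies one (assumption).
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(3), m.group(2)))
    return events


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag sources with at least `threshold` failures inside any `window_seconds` window.

    Returns {source_ip: (max_failures_in_one_window, sorted usernames tried)}.
    """
    by_src = defaultdict(list)
    for ts, src, user in parse_failures(log_text):
        by_src[src].append((ts, user))

    alerts = {}
    for src, evts in by_src.items():
        evts.sort()
        start = 0
        for end in range(len(evts)):
            # Slide the window start forward until the span fits within window_seconds.
            while (evts[end][0] - evts[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(src, (0, []))[0]:
                users = sorted({u for _, u in evts[start:end + 1]})
                alerts[src] = (count, users)
    return alerts


if __name__ == "__main__":
    for src, (count, users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {src}: {count} failed logins within 60s, usernames tried: {', '.join(users)}")
```

On the constructed sample only 198.51.100.7 trips the rule (six failures in eight seconds, cycling through `admin` and `root`); the single failures from the other two addresses stay below the threshold, which is the point of windowing rather than counting failures over the whole log.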

Page 12: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Penetration Testing Process

Defining the scope involves determining:

• The extent of testing.

• What will be tested.

• From where it will be tested.

• By whom it will be tested.

Performing the penetration test:

• Involves gathering all the information significant to security vulnerabilities.

• Involves testing the targeted environment, such as network configuration, topology, hardware, and software.

Page 13: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Penetration Testing Process (cont’d)

Reporting and delivering results involves:

• Listing the vulnerabilities.

• Categorizing risks as high, medium, or low.

• Recommending repairs if vulnerabilities are found.

Page 14: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Scope of Penetration Testing

A non-destructive test:

• Scans and identifies the remote system for potential vulnerabilities.

• Investigates and verifies the findings.

• Maps the vulnerabilities with proper exploits.

• Exploits the remote system with proper care to avoid disruption.

• Provides a proof of concept.

• Does not attempt a Denial of Service (DoS) attack.

Page 15: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Scope of Penetration Testing (cont’d)

A destructive test:

• Scans and identifies the remote system for potential vulnerabilities.

• Investigates and verifies the findings.

• Maps the vulnerabilities with proper exploits.

• Attempts Denial of Service (DoS) and Buffer Overflow attacks.

Page 16: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Blue Teaming/Red Teaming

Blue teaming:

• Involves performing a penetration test with the knowledge and consent of the organization's IT staff.

• Is the least expensive and most frequently used.

• Primary role is to think about how surprise attacks might occur.

Red teaming:

• Involves performing a penetration test without the knowledge of the organization's IT staff, with the permission of upper management.

• May be conducted with or without warning.

• Is proposed to detect network and system vulnerabilities and check security from an attacker’s perspective approach to network, system, or information access.

Page 17: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Types of Penetration Testing

There are three types of penetration testing:

• 1. Black-box penetration testing (External)

• 2. White-box penetration testing (Internal):

– Announced Testing

– Unannounced Testing

• 3. Grey-box penetration testing

Page 18: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Black-box Penetration Testing

No prior knowledge of the infrastructure to be tested

You will be given just a company name

Penetration test must be carried out after extensive information gathering and research

This test simulates the process of a real hacker

It takes a considerable amount of the time allocated for the project to discover the nature of the infrastructure and how it connects and interrelates

Time-consuming and expensive type of test

Page 19: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

White-box Penetration Testing

You will be given complete knowledge of the infrastructure that needs to be tested.

This test simulates the process of the company’s employees.

You will be provided information such as:

• Company infrastructure.

• Network type.

• Current security implementations.

• IP address / firewall / IDS details.

• Company policies, do’s and don’ts.

Page 20: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Announced Testing/Unannounced Testing

Announced testing:

• Is an attempt to compromise systems on the client network with the full cooperation and knowledge of the IT staff.

• Examines the existing security infrastructure for possible vulnerabilities.

• Involves the security staff on the penetration testing teams to conduct these audits.

Unannounced testing:

• Is an attempt to compromise systems on the client networks without the knowledge of IT security personnel.

• Allows only the upper management to be aware of these tests.

• Examines the security infrastructure and responsiveness of the IT staff.

Page 21: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Grey-box Penetration Testing

In a grey box test, the tester usually has limited knowledge of information.

It performs security assessment and testing internally.

Approaches application security by testing for all vulnerabilities which a hacker may find and exploit.

Performed mostly when a penetration tester starts a black box test on well-protected systems and finds that a little prior knowledge is required in order to conduct a thorough review.

Page 22: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Strategies of Penetration Testing

External Penetration Testing

Internal Security Assessment

Application Security Assessment

Network Security Assessment

Wireless/Remote Access Assessment (RAS) Security Assessment

Telephony Security Assessment

Social Engineering


Page 23: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

External Penetration Testing

It is the traditional approach to penetration testing.

The testing is focused on the servers, infrastructure and the underlying software comprising the target.

It may be performed with no prior knowledge of the site (black box).

Full disclosure of the topology and environment (crystal/white box).

External penetration testing involves a comprehensive analysis of publicly available information about the target, such as:

• Web servers.

• Mail servers.

• Firewalls.

• Routers.

Page 24: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Internal Security Assessment

Testing will be performed from a number of network access points, representing each logical and physical segment.

For example, this may include tiers and DMZs within the environment, the corporate network, or partner company connections.

An internal security assessment follows a similar methodology to external testing, but provides a more complete view of the site security.

Page 25: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Application Security Assessment

Even in a well-deployed and secured infrastructure, a weak application can expose the organization's crown-jewels to unacceptable risk.

Application Security Assessment is designed to identify and assess threats to the organization through bespoke, proprietary applications or systems.

This test checks the application so that a malicious user cannot access, modify, or destroy data or services within the system.

Page 26: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Types of Application Security Assessment

Significant components of application testing are as follows:

Source code review:

• Analyzes the application-based code to confirm that it does not contain any sensitive information that an attacker might use to exploit an application.

Authorization testing:

• Tests the systems responsible for the commencement and maintenance of user sessions.

• Identifies the permission status of the logged-in system in case of unauthorized access.

Page 27: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Types of Application Security Assessment (cont’d)

Functionality testing:

• Involves the testing of systems that are responsible for the application's functionality accessible to a user.

Web penetration testing:

• Involves web applications such as J2EE, ASP.NET, PHP, etc.

• Helps to identify web application vulnerabilities such as SQL injection problems, XSS, XSRF, weak authentication, and source code exposure.
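SQL injection heads the list of web application vulnerabilities above, and a source code review is where the assessor usually spots it. The following is an added example, not part of the EC-Council module: a login check written the vulnerable way (user input spliced into the SQL text) next to the hardened form (a parameterized query), run side by side against an in-memory SQLite table so the behavioural difference is reproducible. The table layout, the sample user `alice`, and the `placeholder-hash-for-alice` value standing in for a real salted password hash are constructed for this example.

```python
import sqlite3


def make_db():
    """Build a small in-memory user table with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    # Placeholder value: a real application stores a salted password hash here.
    conn.execute("INSERT INTO users VALUES ('alice', 'placeholder-hash-for-alice')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """Vulnerable form: the input is spliced into the SQL text, so a quote
    character in the username changes the meaning of the statement."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password_hash):
    """Hardened form: a parameterized query binds the input as data; the
    database never parses it as SQL, whatever characters it contains."""
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone() is not None


def compare(conn, username, password_hash):
    """Run both forms on the same input so the difference is visible side by side."""
    return {
        "vulnerable": login_vulnerable(conn, username, password_hash),
        "hardened": login_hardened(conn, username, password_hash),
    }


if __name__ == "__main__":
    db = make_db()
    # Legitimate credentials: both forms accept the login.
    print(compare(db, "alice", "placeholder-hash-for-alice"))
    # A quote in the username comments out the password clause in the vulnerable
    # form; the hardened form simply looks for a user literally named "alice' --".
    print(compare(db, "alice' --", "anything"))
```

The fix is the one a report would recommend under "Recommending repairs": every place the review finds string-built SQL gets the parameterized form, and the finding is rated high because the vulnerable query lets a wrong password pass authentication.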

Page 28: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Network Security Assessment

It scans the network environment to identify vulnerabilities and helps to improve an enterprise’s security policy.

It uncovers network security faults that can lead to data or equipment being compromised or destroyed by Trojans, denial of service attacks, and other intrusions.

It ensures that the security implementation actually provides the protection that the enterprise requires when any attack takes place on a network, generally by “exploiting” a vulnerability of the system.

It is performed by a team attempting to break into the network or servers.

Page 29: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Wireless/Remote Access Assessment

Wireless/Remote Access Assessment addresses the security risks associated with an increasingly mobile workforce.

Wireless testing:

• Wireless networks: 802.11a, b, and g

• Bluetooth

• GHz signals

• Wireless radio transmissions

• Radio communication channels

Page 30: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Telephony Security Assessment

A telephony security assessment addresses security concerns relating to corporate voice technologies.

This includes abuse of PBXs by outsiders to route calls at the target’s expense, mailbox deployment and security, voice over IP (VoIP) integration, unauthorized modem use, and associated risks.

Page 31: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Social Engineering

Social engineering addresses a non-technical kind of intrusion.

It usually involves a scam: trying to gain the confidence of a trusted source by relying on the natural helpfulness of people as well as their weaknesses. Appealing to their vanity, appealing to their authority, and eavesdropping are natural techniques used.

Page 32: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Penetration Testing Consultants

The quality of the penetration testing results depends on hiring a qualified penetration tester.

A penetration test of a corporate network will examine numerous different hosts (with a number of different operating systems), network architecture, and policies and procedures.

Each area of the network must be examined in depth.

Penetration testing skills cannot be obtained without years of experience in IT fields, such as development, systems administration, or consultancy.

Page 33: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Required Skills Sets

A professional penetration tester will possess these skill sets:

• Networking – TCP/IP concepts, cabling techniques

• Routers, firewalls, IDS

• Ethical hacking techniques – exploits, hacking tools, etc.

• Databases – Oracle, MSSQL

• Open source technologies – MySQL, Apache

• Operating system skills – Windows, Linux, Mainframe, Mac

• Wireless protocols and devices – Bluetooth, GHz

• Telecommunication skills – broadband, ISDN, ATM, VoIP

• Troubleshooting skills

• Web servers, mail servers, SNMP stations, access devices

Page 34: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Hiring a Penetration Tester

Companies usually ask the following questions before hiring a penetration tester:

• Is the supplier a specialist first and foremost, or is the security practice a secondary concern?

• Does the supplier offer a comprehensive suite of services, tailored to your specific requirements?

• Does the supplier's methodology follow and exceed those such as OSSTMM, CHECK, and OWASP?

• Does the supplier have a policy of employing ex-hackers?

• Are the supplier's staff experienced security professionals, holding recognized certifications such as CEH, ECSA, CISSP, CISA, and CHECK?

Page 35: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Hiring a Penetration Tester (cont’d)

Can they distinguish and articulate between infrastructure and application testing?

How many technical consultants does the supplier have who work on security and assessments, and how many of them are dedicated solely to security?

Does the supplier present the deliverables, such as the final report, in an informed manner, with concise and practical information for technical and non-technical parties?

Is the supplier a recognized contributor within the security industry?

Are references available for attesting the quality of past work performed?

Page 36: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Responsibilities of Penetration Tester

Performing penetration testing and risk assessment of the target system

Clearly defining the goals of the penetration test, ensuring superior quality, and effectively communicating the results

Exploiting the system vulnerabilities and justifying found vulnerabilities

Presenting reports to superiors regarding efficiency of the penetration tests and risk assessments and making proposals for risk mitigation

Understanding the security of the organization’s servers, network systems, and firewalls relevant to the specific business risks

Page 37: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Profile of a Good Penetration Tester

A good penetration tester will have the following in his/her resume:

• Conducted research and development in the security area.

• Published research papers.

• Presented at various local and international seminars.

• Holds various certifications.

• Member of many respectable organizations such as IEEE.

• Written and published security-related books.

You will need to market yourself with the above activities if you want companies to consider you as a pen-tester.

Page 38: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Why Should the Company Hire You?

You have the following:

• Well-qualified and trained engineers with at least five to ten years of experience in network security

• Performance ratings are quite high when compared to those of competitors

• Number of satisfied customers

• Worked on similar projects for companies with similar security issues

Page 39: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Companies’ Concerns

Companies usually work with established and well-known security firms.

Companies will deploy a fake honey pot to see if you can detect it.

Companies will check the types of tools used, what operating systems they are used on, and how many.

Companies will ask for references.

Companies will ask for a proposal in writing.

Page 40: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Companies’ Concerns (cont’d)

Other security related services provided

List of security related certifications such as CISSP, CEH, and TICSA

Do you employ hackers?

Companies might ask for a security clearance

Companies will ask where the data will be stored after the test is over and for how long

Companies will run a background check on you if there is any doubt

Page 41: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Methodology

A penetration test will involve the systematic analysis of all the security measures in place.

A full project should include some or all of the following areas:

• Information Security

– Competitive Intelligence Scouting

– Privacy Review

– Document Grinding

• Network Security

– Network Surveying

– Port Scanning

– System Identification

– Services Identification

– Vulnerability Research & Verification

– Application Testing & Code Review

– Router Testing

– Firewall Testing

– Intrusion Detection System Testing

– Trusted Systems Testing

– Password Cracking

– Denial of Service Testing

– Containment Measures Testing

• Social Engineering

– Request Testing

– Guided Suggestion Testing

– Trust Testing

• Wireless Security

– Wireless Networks Testing

– Cordless Communications Testing

– Privacy Review

– Infrared Systems Testing

• Communications Security

– PBX Testing

– Voicemail Testing

– FAX Review

– Modem Testing

• Physical Security

– Access Controls Testing

– Perimeter Review

– Monitoring Review

– Alarm Response Testing

– Location Review

– Environment Review

Page 42: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Penetration Testing Methodologies List

Proprietary methodologies:

• IBM

• ISS

• Foundstone

• EC-Council’s LPT

Open source and public methodologies:

• OSSTMM

• CISSP

• CISA

• CHECK

• OWASP

Page 43: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Penetration Testing Roadmap

Start Here

Information Gathering

Vulnerability Analysis

External Penetration Testing

Firewall Penetration Testing

Router and Switches Penetration Testing

Internal Network Penetration Testing

IDS Penetration Testing

Wireless Network Penetration Testing

Denial of Service Penetration Testing

Password Cracking Penetration Testing

Social Engineering Penetration Testing

Stolen Laptop, PDAs and Cell Phones Penetration Testing

Application Penetration Testing

Cont’d

Page 44: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Penetration Testing Roadmap (cont’d)

Cont’d

Physical Security Penetration Testing

Database Penetration Testing

VoIP Penetration Testing

Virus and Trojan Detection

War Dialing

VPN Penetration Testing

Log Management Penetration Testing

File Integrity Checking

Bluetooth and Handheld Device Penetration Testing

Telecommunication and Broadband Communication Penetration Testing

Email Security Penetration Testing

Security Patches Penetration Testing

Data Leakage Penetration Testing

End Here

Page 45: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Guidelines for Security Checking

Perform network security testing, such as system configuration, operations, and administration, on a regular basis

Test the critical systems

Follow warning instructions properly while testing

Ensure that the security policy correctly reflects the organization’s needs and requirements

Page 46: LPTv4 Module 11 Penetration Testing Methodologies_NoRestriction

Guidelines for Security Checking (cont’d)

Include a security testing policy in the risk management system that will help to find out unknown vulnerabilities.

System and network administrators must be trained and proficient.

All the systems should be updated with proper patches.

Understand the limitations of vulnerability testing that are beyond the detection capacity of the tools.

Operational Strategies for Security Testing

The object of performing security tests is to maximize the benefit to the organization.

The types and frequency of penetration testing during the operational and maintenance phase involve a prioritization process based on:

• Security category of the information system.
• Cost of conducting tests for each test type.
• Identified benefits to the organization’s system.

The decision of what to test during the implementation phase is specific to the system.

The prioritization process should also consider the interconnectivity of the systems.

Security Category of the Information System

The security category of an organization’s information system is useful in developing a priority ranking of the information systems for testing.

Security categories are to be used in combination with vulnerability and threat information when assessing the risk to an organization from operating an information system.

Identifying Benefits of Each Test Type

• Identifying the system vulnerabilities before an attacker exploits them.

• Security and vulnerability assessment of critical applications and servers.

• Knowledge about systems and networks gained after the testing is performed.

• Significantly decreased possibility of any intrusion or business interruption.

Prioritizing the Systems for Testing

The results of security category, cost of conducting the test, and benefits are evaluated and ranked to prioritize the systems.

The result is a detailed analysis that serves as a roadmap to prioritize the areas of weakness in the organization that need attention.

This analysis should yield a list of systems ordered by security category, cost of testing, and benefit.

The list will include the required resources for conducting each type of test for each system.
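The ranking described on the last three slides, worked as an added example (this is not EC-Council’s code). It assumes the FIPS 199 “high-water mark” rule for deriving a system’s security category from its confidentiality, integrity and availability impact levels, and a simple scoring rule in which category and interconnectivity raise priority while cost lowers it relative to benefit; the weights, the sample inventory and its figures are constructed for illustration.

```python
"""Rank information systems for testing by security category, cost and benefit.

Added example, not EC-Council's code. The FIPS 199 high-water mark rule
(category = highest of the C/I/A impact levels) is assumed; the scoring
weights, the sample systems and their figures are constructed.
"""
from dataclasses import dataclass

IMPACT = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class System:
    name: str
    confidentiality: str   # impact level: low / moderate / high
    integrity: str
    availability: str
    test_cost: float       # estimated cost of the planned test, same unit as benefit
    benefit: float         # estimated benefit (e.g. avoided loss) of running the test
    interconnected: int    # number of other in-scope systems it connects to


def security_category(s: System) -> int:
    """High-water mark: the category is the highest of the three impact levels."""
    return max(IMPACT[s.confidentiality], IMPACT[s.integrity], IMPACT[s.availability])


def priority_score(s: System) -> float:
    """Higher score = test sooner.

    Category and interconnectivity raise priority (compromise of a high-impact,
    well-connected system hurts most); cost lowers it relative to benefit.
    """
    category = security_category(s)
    ratio = s.benefit / s.test_cost if s.test_cost > 0 else float("inf")
    # 1 + interconnected: a standalone system is not penalised, each link adds weight
    return category * ratio * (1 + s.interconnected)


def prioritize(systems) -> list:
    """Return (name, category, score) tuples, most urgent first."""
    ranked = sorted(systems, key=priority_score, reverse=True)
    return [(s.name, security_category(s), round(priority_score(s), 2)) for s in ranked]


# Constructed sample inventory (hypothetical systems and figures).
SAMPLE_SYSTEMS = [
    System("public-web", "low", "moderate", "moderate", test_cost=20, benefit=60, interconnected=2),
    System("payroll-db", "high", "high", "moderate", test_cost=40, benefit=200, interconnected=1),
    System("intranet-wiki", "low", "low", "low", test_cost=10, benefit=15, interconnected=0),
    System("vpn-gateway", "moderate", "moderate", "high", test_cost=30, benefit=120, interconnected=3),
]

if __name__ == "__main__":
    for name, cat, score in prioritize(SAMPLE_SYSTEMS):
        print(f"{name:15} category={cat} score={score}")
```

With these figures the VPN gateway ranks first even though the payroll database carries the higher benefit, because it is the most interconnected high-category system; changing the weights is exactly the judgement call the slide leaves to the organization.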

ROI on Penetration Testing

Penetration testing helps companies identify, understand, and address vulnerabilities, which saves them a lot of money and so yields a return on investment (ROI).

Demonstrating ROI is a critical process for success in selling the pen-test.

Demonstrate the ROI for a pen-test with the help of a business case scenario, which includes the expenditure and the profits involved in it.

Companies will spend on a pen-test only if they have proper knowledge of the benefits of the pen-test.

Determining Cost of Each Test Type

Cost of the test depends on the following factors:

• Size of the company and the application involved
• Complexity of the system for testing
• Skills of the pen testers engaged
• Level of human interaction required for each test
• Selecting sample hosts for penetration testing
• Duration of the time spent in performing penetration testing
• Scope of the engagement and travel expenses

Need for a Methodology

It has been observed that even hackers go about their attacks in a strategic manner.

A methodology ensures that the exercise is done in a standard manner with documented and repeatable results for a given security posture.

It helps testers plan their testing / attack strategy according to the input gained in the preceding phases of the testing process.

Penetration Test vs. Vulnerability Test

Penetration testing goes one step beyond vulnerability testing: while vulnerability tests verify for known vulnerabilities, penetration testing adopts the concept of ‘defense in depth’.

It goes beyond testing for known vulnerabilities and adopts innovative means of demonstrating where security fails in an organization.

Just as there are automated tools for vulnerability testing, there are automated penetration testing tools.

However, it cannot be overemphasized that the human element cannot be done away with in the context of penetration testing.

Reliance on Checklists and Templates

The basic difference in the approach of vulnerability testing and penetration testing makes it impractical to rely on checklists and templates alone in the latter’s context.

There is a decision-making aspect involved at each stage of the test, and this cannot be met solely by ticking off checklists or filling in templates.

It is possible that checklists and templates overshadow the critical ability of the tester to think ‘out-of-the-box’.

Phases of Penetration Testing

• Pre-Attack Phase
• Attack Phase
• Post-Attack Phase

Pre-Attack Phase

Pre-Attack Phase:

• Passive Reconnaissance
• Active Reconnaissance

Best Practices

It is vital to maintain a log of all the activities carried out and the results obtained, or to note the absence of results.

Ensure that all work is time-stamped and communicated to the concerned person within the organization, if so agreed upon in the rules of engagement.

While planning an attack strategy, make sure that you are able to justify your strategic choices by the input or output obtained from the pre-attack phase.

Look at your log and start either developing the tools you need or acquiring them based on need. This will help reduce the attack area that might be inadvertently passed over.
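One way to keep the time-stamped activity log the slide calls for, as an added example (not the module’s own code): every entry is stamped in UTC, records “no result” explicitly when an action produced nothing, and is chained to the previous entry’s SHA-256 so that a deleted or edited entry changes every later hash. The field names and the three sample entries are assumed/constructed.

```python
"""Time-stamped, tamper-evident activity log for a penetration test.

Added example, not part of the EC-Council module. Field names and the
sample entries in demo() are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # "previous hash" of the first entry


class EngagementLog:
    def __init__(self):
        self.entries = []

    def record(self, phase, action, result=None, when=None):
        """Append one entry. result=None records that the action produced no result."""
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "ts": when.isoformat(timespec="seconds"),
            "phase": phase,
            "action": action,
            "result": result if result is not None else "NO RESULT",
            "prev": prev,
        }
        # Canonical JSON so the hash is reproducible when the log is re-verified later.
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        body["hash"] = digest
        self.entries.append(body)
        return digest

    def verify(self):
        """True if every entry's hash and chain link are intact."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "hash"}
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def dump(self):
        """JSON lines, suitable for handing to the contact named in the rules of engagement."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def demo():
    """Constructed entries with fixed timestamps so the output is reproducible."""
    log = EngagementLog()
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    log.record("pre-attack", "whois lookup of example.com", "registrant redacted", when=t0)
    log.record("pre-attack", "TCP SYN scan 192.0.2.0/24 top 1000 ports", "3 hosts up", when=t0)
    log.record("attack", "ssh login attempt with harvested credentials", None, when=t0)
    return log


if __name__ == "__main__":
    log = demo()
    print(log.dump())
    print("chain intact:", log.verify())
```

Hand the client the JSON lines plus the final hash at each agreed checkpoint; if a later copy verifies and ends in the same hash, neither side can quietly drop an action from the record.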

Results that can be Expected

This phase can include information retrieval, such as:

• Physical and logical location of the organization.
• Analog connections.
• Any contact information.
• Information about other organizations.
• Any other information that has the potential to result in a possible exploitation.

Passive Reconnaissance

Pre-Attack Phase:

• Directory Mapping
• Competitive Intelligence Gathering
• Asset Classification
• Retrieving Registration Information
• Product/Service Offerings
• Document Sifting
• Social Engineering

Passive Reconnaissance (cont’d)

Activities involve:

• Mapping the directory structure of the web servers and FTP servers.
• Gathering competitive intelligence.
• Determining the worth of the infrastructure that is interfacing with the web.
• Retrieving network registration information.
• Determining the product range and service offerings of the target company that are available online or can be requested online.
• Document sifting, which refers to gathering information solely from published material.
• Social engineering.

Active Reconnaissance

Some of the activities involved are:

• Network mapping.
• Perimeter mapping.
• System and service identification:
  • Through port scans.
  • Web profiling.

This phase will attempt to profile and map the Internet profile of the organization.
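The “system and service identification through port scans” step, as an added example (not code from the module). To run offline it starts its own throw-away service on 127.0.0.1 that answers with a constructed SSH-style banner, then does a TCP connect scan of a short port list and fingerprints whatever answers. The port list, banner and fingerprint rules are assumptions; against a real target this is only run inside the agreed scope.

```python
"""TCP connect scan with banner grabbing, run against a local listener.

Added example, not EC-Council's code. The fake service, its banner and the
tiny fingerprint table are constructed for the demonstration.
"""
import socket
import threading


def start_fake_service(banner=b"SSH-2.0-ExampleServer_1.0\r\n"):
    """Listen on an ephemeral loopback port; send the banner to each client, then close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_closed_port():
    """A port that is (almost certainly) closed: bind, read the number, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def scan(host, ports, timeout=0.5):
    """Return {port: banner-or-None} for every port that accepted a TCP connection."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) != 0:
                continue             # closed or filtered
            try:
                banner = s.recv(256).decode(errors="replace").strip() or None
            except socket.timeout:
                banner = None        # open, but the service waits for the client to speak first
            results[port] = banner
    return results


def identify(banner):
    """Minimal service fingerprint from the banner text (assumed rules)."""
    if not banner:
        return "unknown"
    if banner.startswith("SSH-"):
        return "ssh"
    if banner.startswith("220 "):
        return "ftp/smtp"
    return "unknown"


def demo():
    """Scan one closed and one open loopback port; return the open port and the findings."""
    srv, open_port = start_fake_service()
    try:
        found = scan("127.0.0.1", [free_closed_port(), open_port])
    finally:
        srv.close()
    return open_port, found


if __name__ == "__main__":
    port, found = demo()
    for p, banner in found.items():
        print(f"{p}/tcp open  {identify(banner)}  {banner!r}")
```

A connect scan completes the three-way handshake, so it shows up in the target’s logs as an ordinary connection; that is acceptable for an announced test and is exactly what the log-management slide later expects the blue team to have recorded.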

Attack Phase

Attack Phase:

• Penetrate Perimeter
• Acquire Target
• Escalate Privileges
• Execute, Implant, Retract

Activity: Perimeter Testing

Testing methods for perimeter security include, but are not limited to:

• Evaluating error reporting and error management with ICMP probes.
• Checking access control lists by forging responses with crafted packets.
• Measuring the threshold for denial of service by attempting persistent TCP connections, evaluating transitory TCP connections and attempting streaming UDP connections.
• Evaluating protocol filtering rules by attempting connections using various protocols such as SSH, FTP, and Telnet.
• Evaluating the IDS capability by passing malicious content (such as malformed URLs) and scanning the target variously for its response to abnormal traffic.
• Examining the perimeter security system’s response to web server scans using multiple methods such as POST, DELETE, and COPY.

Activity: Web Application Testing - I

Testing methods for web application testing include, but are not limited to:

Input Validation:
• Tests include OS command injection, script injection, SQL injection, LDAP injection and cross-site scripting.

Output Sanitization:
• Tests include parsing special characters and verifying error checking in the application.

Checking for Buffer Overflows:
• Tests include attacks against stack overflows, heap overflows and format string vulnerabilities.

Access Control:
• Check for access to administrative interfaces, send data to manipulate form fields, attempt URL query strings, change values in the client-side script and attack cookies.

Denial of Service:
• Test for DoS induced by malformed user input, user lockout and application lockout due to traffic overload, transaction requests or excessive requests on the application.
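The SQL injection check from the Input Validation item, as an added example rather than code from the slides: a login routine that concatenates user input into its query is placed beside the parameterised version, and the same authentication-bypass payload is sent to both. The in-memory SQLite table and the ‘alice’ account are constructed.

```python
"""Input validation test for SQL injection: vulnerable query beside its fix.

Added example, not EC-Council's code. login_vulnerable() is vulnerable on
purpose (string formatting); login_safe() binds parameters. The users
table and its single row are constructed.
"""
import sqlite3

# Classic bypass payload: closes the quoted string, makes the WHERE true, comments out the rest.
PAYLOAD = "' OR '1'='1' --"


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")  # constructed row
    return db


def login_vulnerable(db, username, password):
    """Vulnerable on purpose: untrusted input is concatenated into the statement."""
    sql = f"SELECT username FROM users WHERE username = '{username}' AND password = '{password}'"
    return db.execute(sql).fetchone() is not None


def login_safe(db, username, password):
    """Hardened: placeholders, so the driver never lets data be parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


def run_injection_test(login):
    """The tester's check: does a crafted username log in without knowing the password?"""
    db = make_db()
    return login(db, PAYLOAD, "wrong")


if __name__ == "__main__":
    print("vulnerable login bypassed:", run_injection_test(login_vulnerable))
    print("safe login bypassed:      ", run_injection_test(login_safe))
```

The same pattern (attacker-controlled string reaching an interpreter) is what the OS command, script and LDAP injection tests on the slide are probing; only the interpreter and the metacharacters change.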

Activity: Web Application Testing – II

Component checking:
• Check for security controls on web server/application components that might expose the web application to vulnerabilities.

Data and Error Checking:
• Check for data-related security lapses such as storage of sensitive data in the cache or throughput of sensitive data using HTML.

Confidentiality Check:
• For applications using secure protocols and encryption, check for lapses in the key exchange mechanism, inadequate key length and weak algorithms.

Activity: Web Application Testing – II (cont’d)

Session Management:
• Check the time validity of session tokens, the length of tokens, expiration of session tokens when transiting from SSL to non-SSL resources, presence of any session tokens in the browser history or cache, and randomness of session IDs (check for use of user data in generating the ID).

Configuration Verification:
• Attempt manipulation of resources using HTTP methods such as DELETE and PUT, check for version content availability and any visible restricted source code in public domains, attempt directory and file listing, test for known vulnerabilities and accessibility of administrative interfaces in the server and server components.
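The length, randomness and user-data checks from the Session Management item above, as an added example (not the module’s code). Two constructed token generators are analysed: weak_token() builds the ID from the username and a coarse timestamp, strong_token() draws it from the OS CSPRNG. The thresholds (at least 128 bits of token material, a character entropy well above what a structured token shows) are the author’s assumptions.

```python
"""Session token checks: length, randomness, and user data baked into the ID.

Added example, not EC-Council's code. weak_token() is deliberately bad;
strong_token() is the right way. Thresholds are assumptions.
"""
import base64
import math
import secrets
import time
from collections import Counter


def weak_token(username, now=None):
    """Deliberately weak: user data + minute-granularity timestamp, lightly encoded."""
    now = int(now if now is not None else time.time())
    return base64.b64encode(f"{username}:{now // 60}".encode()).decode()


def strong_token():
    """128 bits from the CSPRNG, URL-safe base64 (22 characters, no padding)."""
    return secrets.token_urlsafe(16)


def shannon_entropy_bits_per_char(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def check_token(token, known_user_data=()):
    """Return a list of findings; an empty list means the token passed these checks."""
    findings = []
    raw = token
    # Many weak tokens are just base64-wrapped structure: look inside if it decodes to text.
    try:
        decoded = base64.b64decode(token + "=" * (-len(token) % 4)).decode()
        if decoded.isprintable():
            raw = decoded
    except (ValueError, UnicodeDecodeError):
        pass
    for item in known_user_data:
        if item and item in raw:
            findings.append(f"contains user data: {item!r}")
    if len(token) < 22:                             # 22 url-safe base64 chars ~ 128 bits
        findings.append(f"too short: {len(token)} chars")
    if shannon_entropy_bits_per_char(token) < 3.5:  # a flat 64-symbol alphabet approaches 6
        findings.append("low character entropy")
    return findings


def sample_distinctness(generator, n=200):
    """Randomness smoke test: n tokens from a sound generator are all distinct."""
    return len({generator() for _ in range(n)}) == n


if __name__ == "__main__":
    print("weak:  ", check_token(weak_token("alice", now=1_700_000_000), ["alice"]))
    print("strong:", check_token(strong_token(), ["alice"]))
    print("strong tokens distinct:", sample_distinctness(strong_token))
```

Character entropy of a single token is only a smoke test: a token can be long and look random yet still be predictable (a seeded non-cryptographic PRNG, for instance), so collect a few hundred live tokens and look at distinctness and structure as well, as the slide’s “randomness of session ID” item intends.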

Activity: Wireless Testing

Testing methods for wireless testing include, but are not limited to:

• Check if the access point’s default Service Set Identifier (SSID) is easily available. Test for “broadcast SSID” and accessibility to the LAN through this. Tests can include recovering a hidden SSID from client traffic using tools like Kismet, or brute forcing the SSID character string.

• Check for vulnerabilities in accessing the WLAN through the wireless router, access point or gateway. This can include verifying if the default Wired Equivalent Privacy (WEP) encryption key can be captured and decrypted.

• Audit for the broadcast beacon of any access point and check all protocols available on the access points. Check if layer 2 switched networks are being used instead of hubs for access point connectivity.

• Subject authentication to playback of previous authentications in order to check for privilege escalation and unauthorized access.

• Verify that access is granted only to client machines with registered MAC addresses (and note in the report that MAC filtering alone is a weak control, since a MAC address can be spoofed).

Activity: Acquiring Target

We refer to acquiring a target as the set of activities undertaken where the tester subjects the suspect machine to more intrusive challenges such as vulnerability scans and security assessment.

Testing methods for acquiring a target include, but are not limited to:

Active probing assaults:
• These can use the results of network scans to gather further information that can lead to a compromise.

Running vulnerability scans:
• Vulnerability scans are completed in this phase.

Trusted systems and trusted process assessment:
• Attempting to access the machine’s resources using legitimate information obtained through social engineering or other means.

Activity: Escalating Privileges

Once the target has been acquired, the tester attempts to exploit the system and gain greater access to protected resources.

Activities include (but are not limited to):

• The tester may take advantage of poor security policies and emails or unsafe web code to gather information that can lead to escalation of privileges.
• Use of techniques such as brute force to achieve privileged status. Examples of tools include getadmin and password crackers.
• Use of Trojans and protocol analyzers.
• Use of information gleaned through techniques such as social engineering to gain unauthorized access to privileged resources.

Activity: Execute, Implant, and Retract

In this phase, the tester effectively compromises the acquired system by executing arbitrary code.

The objective here is to explore the extent to which security fails.

Exploits that are already available, or specially crafted to take advantage of the vulnerabilities identified in the target system, are executed.

Post-Attack Phase and Activities

This phase is critical to any penetration test as it is the responsibility of the tester to restore the systems to the pre-test state.

Post-attack phase activities include some of the following:

• Removing all files uploaded on the system.
• Cleaning all registry entries and removing vulnerabilities created.
• Removing all tools and exploits from the tested systems.
• Restoring the network to the pre-test stage by removing shares and connections.
• Analyzing all results and presenting the same to the organization.
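A way to prove that the clean-up above actually happened, as an added example (not the module’s code): take a file-hash snapshot of the in-scope tree before the attack phase, take another after clean-up, and report anything added, removed or modified. The directory layout, the “uploaded tool” and the altered config file are constructed inside a temporary directory so the example runs offline; on a real engagement the pre-test snapshot would be taken before the first implant and kept with the engagement log.

```python
"""Verify post-attack clean-up by diffing pre-test and post-test file-hash snapshots.

Added example, not EC-Council's code. The scenario in simulate_engagement()
(a planted tool and a flipped config setting) is constructed.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map relative path -> sha256 for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                result[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return result


def diff_snapshots(before, after):
    """What changed between two snapshots, as sorted lists of relative paths."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def is_clean(before, after):
    d = diff_snapshots(before, after)
    return not (d["added"] or d["removed"] or d["modified"])


def simulate_engagement(cleanup_properly):
    """Constructed scenario: implant a tool, alter a config, then (maybe) clean up."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        conf = os.path.join(root, "etc", "app.conf")
        tool = os.path.join(root, "tmp_nc.py")
        with open(conf, "w") as f:
            f.write("debug=off\n")
        before = snapshot(root)            # taken before the attack phase

        # Attack phase: plant a tool and flip a setting.
        with open(tool, "w") as f:
            f.write("# tester's tool\n")
        with open(conf, "w") as f:
            f.write("debug=on\n")

        if cleanup_properly:               # post-attack phase
            os.remove(tool)
            with open(conf, "w") as f:
                f.write("debug=off\n")

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    print("without clean-up:", simulate_engagement(False))
    print("with clean-up:   ", simulate_engagement(True))
```

Hashes catch content changes but not everything the slide lists: registry entries, shares and open connections need their own before/after capture (a registry export, a share listing), diffed the same way.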

Summary

It is advisable to adopt a methodology while doing a pen-test.

The methodology should be open, flexible and applicable at a broad level.

Each test is unique and attack strategies need to be carefully planned.

It is imperative to document every action taken.
