Penetration Testing Procedures

Penetration testing (otherwise known as pentesting, or the more general security testing) is the process of testing your applications for vulnerabilities, and answering a simple question: “What could a hacker do to harm my application, or organization, out in the real world?”.

An effective penetration test will usually involve a skilled hacker, or team of hackers. You purposefully ensure that the hacker(s) don’t have access to any source code, and ask them to try to gain access to your systems. Penetration tests can be carried out on IP address ranges, individual applications, or even as little information as a company name. The level of access you give an attacker depends on what you are trying to test.

To give a few examples of penetration tests you could run:

1. You could give a team of penetration testers a company’s office address, and tell them to try and gain access to their systems. The team could employ a huge range of differing techniques to try and break into the organization, ranging from social engineering (e.g. asking a receptionist if they can take a look in a computer room to run safety checks, and installing USB keyloggers) through to complex application specific attacks.
2. A penetration tester could be given access to a version of a web application you haven’t deployed yet, and told to try and gain access or cause damage by any means possible. The penetration tester will then employ a variety of different attacks against various parts of the application in an attempt to break in.

One thing which is common amongst all penetration tests, is that they should ALWAYS have findings. There is no perfect system, and all organizations can take additional steps to improve their security. The purpose of a penetration test is to identify key weaknesses in your systems and applications, to determine how to best allocate resource to improve the security of your application, or organization as a whole.

Here’s a general outlook on a Penetration testing methodology and the tools they use in real-world scenarios.

Part 1 : Information gathering

This step occurs BEFORE you even get into their network. Here you are trying to gather as much information as possible about the business, their websites, personnel, EVERYTHING.

Tools they use:

• Facebook/Twitter/LinkedIn/Google+
• Maltego
• Creepy
• Social Engineering (Who do I talk to, to apply for an IT job?)
• Recon-ng
• TheHarvester
• Metagoofil
• Shodan + Shodan’s API
• DNSenum/DNSrecon

Part 2: Network Discovery

Here you scan the network and map out every possible device, system, domain controller, host, and piece of equipment. This is also where they use wireshark or TCPDump and start capturing to see what’s going on in the network. If there are 2 devices communicating, you want to know about it.

Tools they use:

• NMap
• Unicorn Scan
• Maltego
• NetDiscover
• SMBClient
• Ettercap
• Wirehark
• TCPDump
• Arping
• Hping3
• Xprobe2
• TCPflow

Part 3: Enumeration

Here is where you perform port mapping, service and version checks, OS detection, service scans, domain enumeration, user enumeration locally and any amount of information that you can get a hold of.

Tools they use:

• NMap
• NSE (Nmap Scripting Engine)
• Maltego
• SCAPY
• NBTscan (NetBios shit)
• Cisco Analysis Tools
• Wireshark
• DNSEnum
• smtp-user-enum
• snmpwalk

Part 4: Vulnerability Assessment

Here is where you take the services, devices software, information you got from the enumeration part of the assessment, and we scan it for vulnerabilities.

Tools they use:

• NMap
• NSE (Nmap Scripting Engine)
• Metasploit/Armitage + Nexpose
• Nessus
• OpenVAS
• Powerfuzzer
• Custom Fuzzers
• Cisco Analysis Tools (Nipper is a great one)

Part 5: Exploitation and Security

Here you confirm that the systems are vulnerable to attacks and exploits you have found during the scanning and vulnerability assessment. If you are at that level, you can write your own tools, but I’m still only in the beginning stages on that front. This is also where I suggest security updates, software updates and add security configurations for routers, switches, and firewalls.

Tools they use:

• NSE (Nmap Scripting Engine)
• Metasploit/Armitage + Nexpose
• Wireshark + SCAPY
• Various Servers (Bind9 DNS servers, DHCP servers, SMB Servers, Radius servers, etc…)
• Yersina
• Hexinject
• Tcpreplay
• Pineapple (For wireless Pentests)

Part 6: Post Exploitation

Here is where you install some sort of backdoor that you can access in case the host disconnects or the connection is lost.

Tools they use:

• Stunnel
• SBD (Secure Back Door) ~ Linux
• Cryptcat
• Meterpreter Persistence
• Powersploit
• Iodine
• UDPTunnel

Conclusion

Organizations need to conduct regular testing of their systems for the following key reasons:

• To determine the weakness in the infrastructure (hardware), application (software) and people in order to develop controls
• To ensure controls have been implemented and are effective – this provides assurance to information security and senior management
• To test applications that are often the avenues of attack (Applications are built by people who can make mistakes despite best practices in software development)
• To discover new bugs in existing software (patches and updates can fix existing vulnerabilities, but they can also introduce new vulnerabilities).