8/14/2019 ncia2013_submission_77.pdf
Learning Penetration Testing in Ethical Hacking
Zeshan Hameed
Office of Technology Support
University of Management and Technology
Lahore, Pakistan
Abstract: The boundaries of companies have changed with the expansion of the Internet. In network security, when we talk about penetration testing it means testing the security implementations and security policy of an organization. A penetration test simulates the methods that intruders use to gain unauthorized access to an organization's network and systems and to compromise them. Ethical hacking involves detailed study and the use of tools to check for network holes. In this paper we discuss penetration testing, what should be tested, penetration types, phases and tools.

Keywords: Penetration Testing, Ethical Hacking, Network Security
I. WHAT IS PENETRATION TESTING
Every organization uses different types of security assessments to validate the level of security on its network resources. Organizations need to choose the assessment method that suits the requirements of their situation most appropriately. People conducting different types of security assessments must possess different skills. Therefore, pen testers (whether they are employees or outsourced security experts) must have thorough experience of penetration testing. Security assessment categories include security audits, vulnerability assessments, and penetration testing or ethical hacking.
II. TYPES OF PENETRATION TESTING

A. External Testing
External testing analyzes publicly available information, conducts network scanning and enumeration, and runs exploits from outside the network perimeter, usually via the Internet.

B. Internal Testing
Internal testing is performed on the network from within the organization, with the tester acting either as an employee with some access to the network or as a black hat with no knowledge of the environment.
III. WHAT SHOULD BE TESTED?
It is always ideal to conduct a vulnerability assessment in an organization so that various potential threats can be known well before they occur. You can test various network or system components for security vulnerabilities, such as:
- Communication failure
- E-commerce failure
- Loss of confidential information
- Public-facing systems and websites
- Email gateways
- Remote access platforms
- Mail
- DNS
- Firewalls
- FTP
- IIS
- Web servers
IV. PENETRATION TESTING STEPS
Penetration testing includes three phases:
1. Pre-attack phase
2. Attack phase
3. Post-attack phase

1. Pre-attack Phase
The pre-attack phase involves reconnaissance or data gathering. This is the first step for a pen tester. Gathering data from Whois, DNS, and network scanning can help you map a target network and provide valuable information regarding the operating system and applications running on the systems. The pen test involves locating the IP block and using Whois domain name lookup to find personnel contact information, as well as enumerating information about hosts. This information can then be used to create a detailed network diagram and identify targets. You should also test network filtering devices to look for legitimate traffic, stress-test proxy servers, and check for default installations of firewalls to ensure that default
user IDs, passwords, and guest passwords have been disabled or changed and no remote login is allowed.
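The last check in the pre-attack phase (default user IDs and guest passwords disabled or changed, no remote login) is easy to automate once the device's account database has been exported. The following is an added example, not code from the paper: it audits a constructed list of firewall accounts against a hypothetical vendor-default credential list (the names and passwords in KNOWN_DEFAULTS are invented) and reports every account that still has its default password, every enabled guest account, and every account allowed to log in remotely. Passwords are compared by hash so the audit never needs the cleartext of the current password.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed vendor default credentials (hypothetical values, not taken from any
# real product); the account names are what a tester checks on a fresh install.
KNOWN_DEFAULTS = {
    "admin": "admin",
    "guest": "guest",
    "support": "support123",
}


@dataclass
class Account:
    name: str
    enabled: bool
    salt: bytes
    password_hash: bytes      # sha256(salt + password), as a device might store it
    remote_login: bool        # may this account log in over the network?


def hash_password(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def uses_default_password(acct: Account) -> bool:
    """True if the stored hash matches the vendor default for this account name."""
    default = KNOWN_DEFAULTS.get(acct.name)
    if default is None:
        return False
    # Constant-time comparison, the same habit you want in any credential check.
    return hmac.compare_digest(acct.password_hash, hash_password(acct.salt, default))


def audit_accounts(accounts):
    """Return (account, finding) pairs for the checks the pre-attack phase calls for."""
    findings = []
    for a in accounts:
        if a.enabled and uses_default_password(a):
            findings.append((a.name, "default password unchanged"))
        if a.name == "guest" and a.enabled:
            findings.append((a.name, "guest account enabled"))
        if a.enabled and a.remote_login:
            findings.append((a.name, "remote login permitted"))
    return findings


def make_account(name, password, enabled=True, remote_login=False, salt=b"s4lt"):
    return Account(name, enabled, salt, hash_password(salt, password), remote_login)


# Constructed snapshot of a firewall's local account database.
SAMPLE_ACCOUNTS = [
    make_account("admin", "admin", remote_login=True),      # never rotated, reachable remotely
    make_account("guest", "guest"),                         # guest still enabled
    make_account("support", "Unique-Passphrase-42"),        # rotated: no finding
    make_account("ops", "Another-Unique-Passphrase"),       # non-default account, local only
]

if __name__ == "__main__":
    for name, problem in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{name}: {problem}")
```

On the constructed data the audit reports four findings: the admin account for both its unchanged default password and its remote login, and the guest account for being enabled with its default password; the rotated support account produces none.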
2. Attack Phase
During this phase tools can range from exploitive to responsive. They're used by professional hackers to monitor and test the security of systems and the network. These activities include but aren't limited to the following:

Penetrating the Perimeter:
This activity includes looking at error reports, checking access
control lists by forging responses with crafted packets, and
evaluating protocol filtering rules by using various protocols
such as SSH, FTP, and telnet. The tester should also test for
buffer overflows, SQL injections, bad input validation, output
sanitization, and DoS attacks. In addition to performing
software testing, you should allocate time to test internal web
applications and wireless configurations, because the insider
threat is the greatest security threat today.
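The SQL injection and input validation checks listed above are easiest to understand side by side. The following is an added example, not code from the paper: it builds a constructed in-memory SQLite table, runs the textbook tautology that a tester submits to see whether a WHERE clause can be short-circuited, and shows that the query assembled by string concatenation returns every row while the parameterized version treats the same input as an ordinary (non-matching) username.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table; the secrets are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Bad input validation: the caller's string is spliced into the SQL text,
    so quote characters in it become part of the query."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_hardened(conn, username):
    """Parameterized query: the driver passes the value as data, never as SQL."""
    query = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


# The tautology a tester submits to detect whether the WHERE clause can be
# short-circuited; with concatenation the resulting SQL is
#   SELECT username FROM users WHERE username = '' OR '1'='1'
TAUTOLOGY = "' OR '1'='1"


def compare():
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, TAUTOLOGY),   # every row comes back
        "hardened": lookup_hardened(conn, TAUTOLOGY),       # no user has that name
        "legitimate": lookup_hardened(conn, "alice"),       # normal use still works
    }


if __name__ == "__main__":
    print(compare())
```

The fix is the parameter placeholder, not escaping: the database receives the statement and the value separately, so no value can change the statement's structure. The same pattern applies to every driver that supports bound parameters.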
Acquiring the Target:
This set of activities is more intrusive and challenging than a
vulnerability scan or audit. You can use an automated exploit tool like CORE IMPACT or attempt to access the system
through legitimate information obtained from social
engineering. This activity also includes testing the
enforcement of the security policy, or using password cracking
and privilege escalation tools to gain greater access to
protected resources.
Escalating Privileges:
Once a user account has been acquired, the tester can attempt
to give the user account more privileges or rights to systems
on the network. Many hacking tools are able to exploit a
vulnerability in a system and create a new user account with
administrator privileges.
Executing, Implanting, and Retracting:
This is the final phase of testing. Your hacking skills are
challenged by escalating privileges on a system or network
while not disrupting business processes. Leaving a mark can
show where you were able to gain greater access to protected
resources. Many companies don't want you to leave marks or
execute arbitrary code, and such limitations are identified and
agreed upon prior to starting your test.
3. Post-attack Phase
This phase involves restoring the system to normal pretest
configurations, which includes removing files, cleaning Registry
entries if vulnerabilities were created, and removing shares and
connections.
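Both the Escalating Privileges step (tools that create a new administrator account) and the post-attack restore step above rely on knowing exactly what the test changed. The following is an added example, not code from the paper: the tester records a baseline of accounts, shares, files and autorun registry values before the engagement, records the same items afterwards, and diffs the two to produce the cleanup actions. The host, account names, paths and registry key in BEFORE and AFTER are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """What a tester records before (and again after) the engagement.
    Each field is a frozenset of the items present at that moment."""
    users: frozenset      # (account name, is_admin)
    shares: frozenset     # network share names
    files: frozenset      # paths in directories the test may write to
    registry: frozenset   # (key, value name) pairs under autorun locations


def diff_snapshots(before: Snapshot, after: Snapshot):
    """Return {field: (added, removed)} for every field that changed."""
    changes = {}
    for name in ("users", "shares", "files", "registry"):
        b, a = getattr(before, name), getattr(after, name)
        added, removed = a - b, b - a
        if added or removed:
            changes[name] = (sorted(added), sorted(removed))
    return changes


def cleanup_plan(changes):
    """Turn the diff into the concrete restore actions for the post-attack phase."""
    actions = []
    for name, is_admin in changes.get("users", ([], []))[0]:
        tag = " (administrator!)" if is_admin else ""
        actions.append(f"remove account {name}{tag}")
    for share in changes.get("shares", ([], []))[0]:
        actions.append(f"remove share {share}")
    for path in changes.get("files", ([], []))[0]:
        actions.append(f"delete file {path}")
    for key, value in changes.get("registry", ([], []))[0]:
        actions.append(f"delete registry value {value} under {key}")
    # Anything that disappeared during the test must be put back, not just noted.
    for field, (_, removed) in changes.items():
        for item in removed:
            actions.append(f"restore {field} entry {item}")
    return actions


# Constructed snapshots of a Windows host, taken before and after a test in which
# a privilege-escalation tool added an admin account and the tester dropped a file.
BEFORE = Snapshot(
    users=frozenset({("Administrator", True), ("jdoe", False)}),
    shares=frozenset({"public"}),
    files=frozenset({r"C:\Temp\readme.txt"}),
    registry=frozenset(),
)
AFTER = Snapshot(
    users=frozenset({("Administrator", True), ("jdoe", False), ("pt_svc", True)}),
    shares=frozenset({"public", "pt_drop"}),
    files=frozenset({r"C:\Temp\pt_agent.exe"}),          # readme.txt went missing
    registry=frozenset({(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "pt_agent")}),
)

if __name__ == "__main__":
    for action in cleanup_plan(diff_snapshots(BEFORE, AFTER)):
        print(action)
```

The plan for the constructed data lists five actions: remove the new pt_svc administrator account, remove the pt_drop share, delete the dropped executable, delete the autorun value, and restore the file that disappeared. Taking the baseline before the attack phase is what makes the last item detectable at all.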
V. PENETRATION TESTING TOOLS
The following should be considered the top pen testing tools in a hacker's toolkit:
Nessus:
This freeware network vulnerability scanner has more than
11,000 plug-ins available. Nessus includes remote and local
security checks, a client/server architecture with a GTK
graphical interface and an embedded scripting language for
writing your own plugins or understanding the existing ones.
GFI LANguard:
This is a commercial network security scanner for Windows.
GFI LANguard scans IP networks to detect what machines are
running. It can determine the host operating system, what
applications are running, what Windows service packs are
installed, whether any security patches are missing, and more.
Retina:
This is a commercial vulnerability assessment scanner from
eEye. Like Nessus, Retina scans all the hosts on a network and
reports on any vulnerability found.
Core Impact:
CORE IMPACT is an automated pen testing product that is widely considered to be the most powerful exploitation tool
available (it's also very costly). It has a large, regularly
updated database of professional exploits. Among its features,
it can exploit one machine and then establish an encrypted
tunnel through that machine to reach and exploit other
machines.
ISS Internet Scanner:
This is an application-level vulnerability assessment. Internet
Scanner can identify more than 1,300 types of networked
devices on your network, including desktops, servers,
routers/switches, firewalls, security devices, and application routers.
X-Scan:
X-Scan is a general multithreaded plug-in-supported network
vulnerability scanner. It can detect service types, remote
operating system types and versions, and weak username and
passwords.
SARA:
Security Auditor's Research Assistant (SARA) is a
vulnerability assessment tool derived from the System
Administrator Tool for Analyzing Networks (SATAN)
scanner. Updates are typically released twice a month.
QualysGuard:
This is a web-based vulnerability scanner. Users can securely
access QualysGuard through an easy-to-use web interface. It
features more than 5,000 vulnerability checks, as well as an
inference-based scanning engine.
SAINT:
Security Administrator's Integrated Network Tool (SAINT) is
a commercial vulnerability assessment tool.
MBSA:
Microsoft Baseline Security Analyzer (MBSA) is built on the
Windows Update Agent and Microsoft Update infrastructure.
It ensures consistency with other Microsoft products and, on
average, scans more than 3 million computers each week. In
addition to this list, you should be familiar with the following
vulnerability exploitation tools:
Metasploit Framework:
This is an open source software product used to develop, test, and
use exploit code.
Canvas:
Canvas is a commercial vulnerability exploitation tool. It includes
more than 150 exploits.
Acunetix:
Available in free and paid versions. This hacking tool has many
uses but in essence it tests and reports on SQL injection and
Cross Site scripting testing. It has a state of the art crawler
technology which includes a client script analyzer engine. This
security tool generates detailed reports that identify security
issues and vulnerabilities. The latest version, Acunetix WVS
version 8, includes several security features such as a new
module that tests slow HTTP Denial of Service. This latest
version also ships with a compliance report template for ISO
27001.
Aircrack-ng:
Aircrack-ng is a comprehensive set of network security tools that includes aircrack-ng (which cracks WEP keys and runs WPA dictionary attacks), airdecap-ng (which decrypts WEP- or WPA-encrypted capture files), airmon-ng (which places network cards into monitor mode, for example when using the Alfa Security Scanner with rtl8187), aireplay-ng (which is a packet injector), airodump-ng (which is a packet sniffer), airtun-ng (which allows for virtual tunnel interfaces), airolib-ng (which stores and manages ESSID and password lists), packetforge-ng (which can create encrypted packets for injection), airbase-ng (which incorporates techniques for attacking clients) and airdecloak-ng (which removes WEP cloaking).
Cain & Abel:
Cain & Abel or just Cain for short, has a reputation of being a
bit of a script-kiddie tool, but it is still awesome nonetheless.
Cain & Abel is defined as being a password recovery tool.
This tool allows a penetration tester to recover various types
of passwords by sniffing the network, and cracking encrypted
passwords using either a dictionary or brute-force attacks. The
tool can also record VoIP conversations and has the ability to
decode scrambled passwords, discover WiFi network keys and
cached passwords.
Ettercap:
It often accompanies Cain (third in our list). Ettercap is a free
and open source network security tool for man-in-the-middle
attacks (MITM) on LAN. The security tool can be used to
analyze computer network protocols within a security auditing
context.
Kismet:
Kismet is a wireless network detector, sniffer, and intrusion
detection security pentesting tool. Kismet can monitor and sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic.
Wireshark:
Wireshark has been around for ages and is extremely popular.
Wireshark allows the pentester to put a network interface into
a promiscuous mode and therefore see all traffic. This tool has
many features such as being able to capture data from a live
network connection or read from a file of already-captured
packets. Wireshark is able to read data from a wide
variety of networks, from Ethernet, IEEE 802.11, PPP, and
even loopback.
Nmap:
Nmap is another massive giant of a security tool which has
been around forever and is probably the best known. Nmap
has featured in many movies, including The Matrix; just
Google it and you'll see what we mean. Written in C, C++,
Python and Lua by Gordon Lyon (Fyodor) starting from 1997,
Nmap (Network Mapper) is the de facto security scanner
which is used to discover hosts and services on a computer
network. To discover hosts on a network Nmap sends
specially built packets to the target host and then analyzes the
responses. The program is really sophisticated because unlike
other port scanners out there, Nmap sends packets based upon
network conditions by taking into account fluctuations,
congestion and more.
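What a tester does with the host and service discovery described above is compare it against what the organization thinks it exposes. The following is an added example, not code from the paper or the Nmap project: it parses scan output in the layout Nmap writes with -oX (the nmaprun/host/address/ports/port/state/service elements are Nmap's real format; the hosts, ports and product versions in the sample are constructed), keeps only live hosts and open ports, and flags every open service that a constructed allow-list policy does not permit.

```python
import xml.etree.ElementTree as ET

# Constructed scan output in the layout Nmap writes with -oX; the hosts,
# addresses and product versions are invented for the example.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/29">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="10.0.0.7" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed policy: the ports each host is supposed to expose.
ALLOWED_PORTS = {"10.0.0.5": {22, 443}, "10.0.0.6": {80}}


def parse_open_ports(xml_text):
    """Map each live host's IPv4 address to its open ports and identified services."""
    results = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                      # down hosts carry no port data worth reporting
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        ports = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue                  # closed/filtered ports are not exposure
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(p for p in (svc.get("product"), svc.get("version")) if p)
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": product,
            })
        results[addr] = ports
    return results


def unexpected_services(scan, policy):
    """Open ports the policy does not allow: each one is a finding for the report."""
    findings = []
    for addr, ports in scan.items():
        allowed = policy.get(addr, set())
        for p in ports:
            if p["port"] not in allowed:
                findings.append((addr, p["port"], p["service"], p["product"]))
    return findings


if __name__ == "__main__":
    scan = parse_open_ports(SAMPLE_NMAP_XML)
    for addr, port, service, product in unexpected_services(scan, ALLOWED_PORTS):
        print(f"{addr}:{port} {service} {product}".rstrip())
```

On the sample the script reports telnet on 10.0.0.5 and vsftpd on 10.0.0.6; the filtered HTTP port and the down host produce nothing. A host that the scan finds but the policy does not mention gets an empty allow-list, so every one of its open ports is reported, which is the behaviour you want for an undocumented machine.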
CONCLUSION
Finally, a penetration test alone provides no improvement in the security of a computer or network. Action must be taken to address the vulnerabilities found as a result of conducting the penetration test.