ncia2013_submission_77.pdf


8/14/2019 ncia2013_submission_77.pdf


    Learning Penetration Testing in Ethical Hacking

    Zeshan Hameed

    Office of Technology Support

    University of Management and Technology

    Lahore, Pakistan

    [email protected]

Abstract

The boundaries of companies have changed with the expansion of the Internet. In network security, penetration testing means testing the security implementations and security policy of an organization. A penetration test simulates the methods intruders use to gain unauthorized access to an organization's network and systems and to compromise them. Ethical hacking is the detailed study of a network and the use of tools to check it for holes. In this paper we discuss penetration testing: what should be tested, the types of penetration test, its phases and its tools.

Keywords: Penetration Testing, Ethical Hacking, Network Security

I. WHAT IS PENETRATION TESTING

Every organization uses different types of security assessment to validate the level of security of its network resources, and it needs to choose the assessment method that best suits its situation. People conducting different types of security assessment must possess different skills; pen testers, whether employees or outsourced security experts, must therefore have thorough experience of penetration testing. Security assessment categories include security audits, vulnerability assessments, and penetration testing or ethical hacking.

II. TYPES OF PENETRATION TESTING

A. External Testing

An external test analyzes publicly available information, conducts network scanning and enumeration, and runs exploits from outside the network perimeter, usually via the Internet.

B. Internal Testing

An internal test is performed on the network from within the organization, with the tester acting either as an employee with some access to the network or as a black hat with no knowledge of the environment.

III. WHAT SHOULD BE TESTED?

It is always ideal to conduct a vulnerability assessment in an organization so that potential threats are known well before they materialize. Network and system components that can be tested for security vulnerabilities include:

- Communication failure
- E-commerce failure
- Loss of confidential information
- Public-facing systems and websites
- Email gateways
- Remote access platforms
- Mail servers
- DNS
- Firewalls
- FTP servers
- IIS and other web servers

IV. PENETRATION TESTING STEPS

Penetration testing includes three phases:

1. Pre-attack phase
2. Attack phase
3. Post-attack phase

1. Pre-attack Phase

The pre-attack phase involves reconnaissance, or data gathering, and is the first step for a pen tester. Gathering data from Whois, DNS, and network scanning helps map the target network and provides valuable information about the operating systems and applications running on its systems. The pen tester locates the IP block and uses Whois domain-name lookup to find personnel contact information, as well as enumerating information about hosts. This information can then be used to create a detailed network diagram and identify targets. You should also test network filtering devices to check that they pass only legitimate traffic, stress-test proxy servers, and check for default installations of firewalls to ensure that default user IDs, passwords, and guest passwords have been disabled or changed and that no remote login is allowed.
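The Whois-and-DNS reconnaissance step described above, as an added example in Python that is not part of the paper. It parses a constructed whois record and a constructed set of DNS answers (the netblock, names and contacts are invented and use the documentation address ranges, not real registry data), summarizes the inetnum range into CIDR blocks, maps the A records onto the block, and flags any address the DNS points at that lies outside the authorized block. That last check matters in practice: a hostname under the client's domain can resolve to a cloud or hosting provider's address that is not covered by the engagement's rules of engagement and must not be scanned without widening the agreed scope.

```python
import ipaddress
import re

# Constructed sample of the text a `whois` lookup returns for a netblock
# (RIPE-style key: value fields). Invented data, not a real registry record.
WHOIS_SAMPLE = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
descr:          Example Corp corporate network
country:        PK
admin-c:        EC123-RIPE
tech-c:         EC123-RIPE
person:         Jane Example
e-mail:         jane@example.net
phone:          +1 555 0100
"""

# Constructed DNS answers in (name, type, value) form, as `dig +short` would give.
DNS_SAMPLE = [
    ("example.net", "NS", "ns1.example.net."),
    ("ns1.example.net", "A", "192.0.2.2"),
    ("www.example.net", "A", "192.0.2.10"),
    ("mail.example.net", "A", "192.0.2.25"),
    ("vpn.example.net", "A", "192.0.2.40"),
    ("dev.example.net", "A", "198.51.100.7"),   # resolves outside the netblock
]


def parse_whois(text):
    """Pull the address range, network name and personnel contacts out of a whois record."""
    info = {"contacts": []}
    for line in text.splitlines():
        m = re.match(r"(\S+):\s+(.*)", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "inetnum":
            start, end = [s.strip() for s in value.split("-")]
            info["range"] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
        elif key == "netname":
            info["netname"] = value
        elif key in ("person", "e-mail", "phone"):
            info["contacts"].append((key, value))
    return info


def range_to_networks(start, end):
    """Summarize a first-last inetnum range into the minimal list of CIDR blocks."""
    return list(ipaddress.summarize_address_range(start, end))


def build_host_map(dns_records, networks):
    """Map each A record onto the netblock; separate out addresses outside it."""
    in_scope, out_of_scope = {}, {}
    for name, rtype, value in dns_records:
        if rtype != "A":
            continue
        addr = ipaddress.ip_address(value)
        if any(addr in net for net in networks):
            in_scope[addr] = name
        else:
            out_of_scope[addr] = name
    return in_scope, out_of_scope


def recon_summary(whois_text=WHOIS_SAMPLE, dns_records=DNS_SAMPLE):
    """Combine whois and DNS data into the inventory a network diagram is drawn from."""
    info = parse_whois(whois_text)
    nets = range_to_networks(*info["range"])
    in_scope, out_of_scope = build_host_map(dns_records, nets)
    return {
        "netname": info["netname"],
        "networks": [str(n) for n in nets],
        "contacts": info["contacts"],
        "named_hosts": {str(a): n for a, n in sorted(in_scope.items())},
        "out_of_scope": {str(a): n for a, n in sorted(out_of_scope.items())},
        # addresses in the block with no name yet: candidates for a host sweep
        "unnamed_addresses": sum(n.num_addresses for n in nets) - len(in_scope),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(recon_summary(), indent=2))
```

The `out_of_scope` entry is the one to read first: `dev.example.net` belongs to the client's domain but sits in a different provider's block, so it is a finding for the scoping discussion, not a target.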

2. Attack Phase

During this phase the tools used range from exploitive to responsive. They are used by professional hackers to monitor and test the security of systems and the network. These activities include, but are not limited to, the following:

Penetrating the Perimeter:

This activity includes looking at error reports, checking access control lists by forging responses with crafted packets, and evaluating protocol filtering rules by using various protocols such as SSH, FTP, and telnet. The tester should also test for buffer overflows, SQL injection, bad input validation, missing output sanitization, and DoS conditions. In addition to this software testing, you should allocate time to test internal web applications and wireless configurations, because the insider threat is among the greatest security threats today.
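The SQL injection and input validation tests mentioned above, as an added example that is not part of the paper. It builds an in-memory SQLite table with constructed sample accounts, shows a login routine that splices user input into the query text next to the same routine written with bound parameters, and includes the boolean-based probe a tester actually uses to decide whether an input is being interpreted as SQL: send a true tautology and a false one, and see whether the application behaves differently. The table, account names and payloads are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    """In-memory users table with constructed sample rows (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "S3cr3t!", "administrator"),
        ("alice", "wonderland", "user"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is spliced into the SQL text."""
    query = ("SELECT role FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened: the same query with bound parameters; input is data, never SQL."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# The quote closes the string literal and "--" comments out the password check.
PAYLOAD = "admin' --"


def looks_injectable(login_fn, conn):
    """Boolean-based probe: a true and a false tautology must behave identically
    unless the input is being parsed as SQL."""
    true_case = login_fn(conn, "admin' AND '1'='1' --", "x")
    false_case = login_fn(conn, "admin' AND '1'='2' --", "x")
    return true_case != false_case


def demo():
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, PAYLOAD, "wrong"),   # 'administrator'
        "safe": login_safe(conn, PAYLOAD, "wrong"),               # None
        "legitimate": login_safe(conn, "alice", "wonderland"),    # 'user'
        "vulnerable_probe": looks_injectable(login_vulnerable, conn),  # True
        "safe_probe": looks_injectable(login_safe, conn),              # False
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The probe is deliberately written against the application's observable behaviour rather than its code, since a black-box tester does not see the query text; the same two-request comparison works against HTTP form fields.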

Acquiring the Target:

This set of activities is more intrusive and challenging than a vulnerability scan or audit. You can use an automated exploit tool like CORE IMPACT or attempt to access the system with legitimate credentials obtained through social engineering. This activity also includes testing the enforcement of the security policy, and using password cracking and privilege escalation tools to gain greater access to protected resources.

    Escalating Privileges:

    Once a user account has been acquired, the tester can attempt

    to give the user account more privileges or rights to systems

    on the network. Many hacking tools are able to exploit a

    vulnerability in a system and create a new user account with

    administrator privileges.

Executing, Implanting, and Retracting:

This is the final phase of testing. Your hacking skills are challenged by escalating privileges on a system or network while not disrupting business processes. Leaving a mark (for example, a harmless marker file) can show where you were able to gain greater access to protected resources. Many companies do not want you to leave marks or execute arbitrary code, and such limitations are identified and agreed upon prior to starting your test.

3. Post-attack Phase

This phase involves restoring the system to its normal pretest configuration, which includes removing files, cleaning up Registry entries, removing any accounts created while exploiting vulnerabilities, and removing shares and connections.

V. PENETRATION TESTING TOOLS

The following should be considered the top pen testing tools in a tester's toolkit:

Nessus:

This network vulnerability scanner had more than 11,000 plug-ins available when this was written (it began as freeware; it is now a commercial product from Tenable with a limited free edition). Nessus includes remote and local security checks, a client/server architecture (older releases used a GTK client, current ones a web interface), and an embedded scripting language, NASL, for writing your own plugins or understanding the existing ones.

    GFI LANguard:

    This is a commercial network security scanner for Windows.

    GFI LANguard scans IP networks to detect what machines are

    running. It can determine the host operating system, what

    applications are running, what Windows service packs are

    installed, whether any security patches are missing, and more.

Retina:

This is a commercial vulnerability assessment scanner from eEye (now part of BeyondTrust). Like Nessus, Retina scans all the hosts on a network and reports on any vulnerability found.

Core Impact:

CORE IMPACT is an automated pen testing product that is widely considered to be the most powerful exploitation tool available (it is also very costly). It has a large, regularly updated database of professional exploits. Among its features, it can exploit one machine and then establish an encrypted tunnel through that machine to reach and exploit other machines.

ISS Internet Scanner:

This is an application-level vulnerability assessment tool. Internet Scanner can identify more than 1,300 types of networked devices on your network, including desktops, servers, routers/switches, firewalls, security devices, and application routers.

X-Scan:

X-Scan is a general multithreaded, plug-in-supported network vulnerability scanner. It can detect service types, remote operating system types and versions, and weak usernames and passwords.

SARA:

Security Auditor's Research Assistant (SARA) is a vulnerability assessment tool derived from the System Administrator Tool for Analyzing Networks (SATAN) scanner. Updates are typically released twice a month.

QualysGuard:

This is a web-based vulnerability scanner. Users access QualysGuard securely through an easy-to-use web interface. It features more than 5,000 vulnerability checks, as well as an inference-based scanning engine.

    SAINT:

    Security Administrators Integrated Network Tool (SAINT) is

    a commercial vulnerability assessment tool.

MBSA:

Microsoft Baseline Security Analyzer (MBSA) is built on the Windows Update Agent and Microsoft Update infrastructure. It ensures consistency with other Microsoft products and, on average, scans more than 3 million computers each week.

In addition to this list, you should be familiar with the following vulnerability exploitation tools:

    Metasploit Framework:

    This is an open source software product used to develop, test, and

    use exploit code.

    Canvas:

    Canvas is a commercial vulnerability exploitation tool. It includes

    more than 150 exploits.

Acunetix:

Available in free and paid versions, this web vulnerability scanner has many uses, but in essence it tests and reports on SQL injection and cross-site scripting. It has a state-of-the-art crawler that includes a client-script analyzer engine, and it generates detailed reports that identify security issues and vulnerabilities. The latest version at the time of writing, Acunetix WVS version 8, adds several security features such as a module that tests for slow HTTP denial of service, and ships with a compliance report template for ISO 27001.

Aircrack-ng:

Aircrack-ng is a comprehensive set of wireless security tools that includes aircrack-ng (which cracks WEP keys and runs dictionary attacks against WPA/WPA2-PSK), airdecap-ng (which decrypts WEP- or WPA-encrypted capture files), airmon-ng (which places network cards into monitor mode, for example an Alfa adapter with the rtl8187 chipset), aireplay-ng (a packet injector), airodump-ng (a packet sniffer), airtun-ng (which creates virtual tunnel interfaces), airolib-ng (which stores and manages ESSID and password lists and the PMKs precomputed from them), packetforge-ng (which creates encrypted packets for injection), airbase-ng (which incorporates techniques for attacking clients) and airdecloak-ng (which removes WEP cloaking).
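The WPA/WPA2-PSK dictionary attack that aircrack-ng performs, and the per-ESSID precomputation that airolib-ng does, as an added example in Python that is not from the Aircrack-ng project. It shows the expensive step of the attack: the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 rounds, 256-bit output, so each candidate passphrase costs 4096 HMACs and a table of PMKs is only reusable for networks with the same SSID. The real tool goes one step further and derives the PTK from the PMK plus the nonces and MAC addresses in a captured 4-way handshake, then checks the EAPOL MIC; that stage is omitted here and the example assumes the target PMK is already known. The wordlist is constructed; the check against the "password"/"IEEE" pair uses the published IEEE 802.11i test vector.

```python
import hashlib
import hmac


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK pairwise master key:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def dictionary_attack(target_pmk: bytes, ssid: str, wordlist):
    """Derive the PMK for each candidate and compare it to the target.
    Returns (passphrase, attempts) on success or (None, attempts) on exhaustion."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if hmac.compare_digest(wpa_pmk(candidate, ssid), target_pmk):
            return candidate, attempts
    return None, attempts


def precompute_table(ssid: str, wordlist):
    """What airolib-ng stores: PMKs computed once per ESSID, so later captures
    from the same network cost a lookup instead of 4096 HMACs per candidate."""
    return {wpa_pmk(word, ssid): word for word in wordlist}


# Constructed wordlist for the demonstration; real attacks use lists of millions.
WORDLIST = ["123456", "letmein", "qwerty", "password", "correcthorse"]


if __name__ == "__main__":
    ssid = "IEEE"
    captured_pmk = wpa_pmk("password", ssid)   # stands in for the handshake's key
    print(dictionary_attack(captured_pmk, ssid, WORDLIST))
    print(precompute_table(ssid, WORDLIST)[captured_pmk])
```

Two practical consequences follow directly from the derivation: a long random passphrase is out of reach of any wordlist regardless of SSID, and a default or common SSID makes precomputed tables reusable across many networks, which is why changing the SSID from the vendor default has some value on its own.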

Cain & Abel:

Cain & Abel, or just Cain for short, has a reputation as something of a script-kiddie tool, but it is still very capable. It is defined as a password recovery tool for Windows. It allows a penetration tester to recover various types of passwords by sniffing the network and by cracking password hashes using dictionary or brute-force attacks. The tool can also record VoIP conversations, decode scrambled passwords, and reveal WiFi network keys and cached passwords.

Ettercap:

Ettercap often accompanies Cain. It is a free and open source network security tool for man-in-the-middle (MITM) attacks on a LAN, and can be used to analyze network protocols within a security auditing context.

Kismet:

Kismet is a wireless network detector, sniffer, and intrusion detection tool for pentesting. Kismet can monitor and sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic.

Wireshark:

Wireshark has been around for many years and is extremely popular. It lets the pentester put a network interface into promiscuous mode and so see all traffic on the segment. It can capture data from a live network connection or read a file of already-captured packets, and it reads frames from a wide variety of link types, including Ethernet, IEEE 802.11, PPP and even loopback.

Nmap:

Nmap is another giant of a security tool that has been around for a very long time and is probably the best known; it has even featured in several movies, including The Matrix Reloaded. Written in C, C++, Python and Lua by Gordon Lyon (Fyodor) starting in 1997, Nmap (Network Mapper) is the de facto security scanner for discovering hosts and services on a computer network. To discover hosts, Nmap sends specially built packets to the target and analyzes the responses. Unlike many other port scanners, Nmap adapts its sending rate to network conditions, taking congestion and fluctuations into account.
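Nmap's host and service discovery feeds the "Penetrating the Perimeter" step above, where the tester evaluates what protocols the filtering rules allow through. The following added example, which is not part of the paper or of the Nmap project, parses a constructed sample of Nmap's grepable output format (the `-oG` option; the scan results, hostnames and version strings are invented, using documentation addresses) into a per-host table and then flags open ports running services that carry credentials in the clear. The grepable format's port field is port/state/protocol/owner/service/rpcinfo/version with a trailing slash, which is what the regular expression below matches.

```python
import ipaddress
import re

# Constructed sample of nmap's grepable (-oG) output. Not a real scan.
NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.0.2.0/28
Host: 192.0.2.2 (ns1.example.net)\tStatus: Up
Host: 192.0.2.2 (ns1.example.net)\tPorts: 53/open/tcp//domain//ISC BIND 9.16/\tIgnored State: closed (999)
Host: 192.0.2.10 (www.example.net)\tStatus: Up
Host: 192.0.2.10 (www.example.net)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 80/open/tcp//http//nginx 1.18/, 443/open/tcp//ssl|http//nginx 1.18/, 21/filtered/tcp//ftp///\tIgnored State: closed (996)
Host: 192.0.2.25 (mail.example.net)\tStatus: Up
Host: 192.0.2.25 (mail.example.net)\tPorts: 23/open/tcp//telnet//Linux telnetd/, 25/open/tcp//smtp//Postfix smtpd/\tIgnored State: closed (998)
# Nmap done -- 16 IP addresses (3 hosts up) scanned in 12.30 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")
# port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_grepable(text):
    """Return {ip: {"name": hostname, "ports": [port dicts]}} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, {"name": name, "ports": []})
        if not rest.startswith("Ports:"):
            continue
        # Fields on a Host line are tab-separated; the ports list is the first one.
        ports_field = rest.split("\t")[0][len("Ports:"):]
        for port, state, proto, _owner, service, _rpc, version in PORT_RE.findall(ports_field):
            entry["ports"].append({
                "port": int(port), "state": state, "proto": proto,
                "service": service, "version": version,
            })
    return hosts


# Services that send credentials unencrypted; an open one is a finding on its own.
CLEARTEXT_SERVICES = {"telnet", "ftp", "rsh", "rlogin"}


def find_cleartext_services(hosts):
    """(ip, port, service) for every open port running a cleartext-credential service.
    Filtered ports are skipped: the firewall is doing its job there."""
    hits = []
    for ip, entry in sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        for p in entry["ports"]:
            if p["state"] == "open" and p["service"] in CLEARTEXT_SERVICES:
                hits.append((ip, p["port"], p["service"]))
    return hits


if __name__ == "__main__":
    hosts = parse_grepable(NMAP_GREPABLE)
    for ip, entry in hosts.items():
        open_ports = [p["port"] for p in entry["ports"] if p["state"] == "open"]
        print(f"{ip} ({entry['name']}): open {open_ports}")
    print("cleartext services:", find_cleartext_services(hosts))
```

The distinction between `open` and `filtered` in the sample is deliberate: FTP on the web server is blocked by a filtering device and is not reported, while telnet on the mail server is reachable and is.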


CONCLUSION

A penetration test alone provides no improvement in the security of a computer or network. Action must be taken to address the vulnerabilities found as a result of conducting the penetration test.
