Penetration Testing Execution Phases


Upload: nasir-bhutta

Post on 19-Mar-2017



Page 1: Penetration Testing Execution Phases

Muhammad Nasir Mumtaz Bhutta

College of Computer Science and Information Systems

King Faisal University, Saudi Arabia

Email: [email protected],

Tel: +966 – 13589-9207

Office: 2088, first floor, CCSIT Building

www.kfu.edu.sa

CCSIT Cyberlympics 2017

Penetration Testing Execution Phases

28 February 2017

Page 2: Penetration Testing Execution Phases

Dr M Nasir Mumtaz Bhutta www.kfu.edu.sa

Presentation Overview

• Ethical Hacking Definition
• Pre-Engagement Discussions for Penetration Test
• Penetration Testing Phases
  – Reconnaissance
  – Vulnerability Analysis (Scanning)
  – Exploitation
  – Post Exploitation
  – Reporting
• Threat Modeling (during Testing Phases)
• Assignment 2 Description

Page 3: Penetration Testing Execution Phases

Ethical Hacking Term and Definition

• Ethical Hacking (Penetration Testing)
  – Penetration Testing or Ethical Hacking is executing a simulated attack on a computer system, with the permission of the owner, to:
    • Gain access to the system's features and data.
    • Find out weaknesses in the system.
  – The target systems or particular goals to attack and to examine for weaknesses are identified in advance.
• Black Box Penetration Testing (focus of this training) – the ethical hacker is provided no information except the company name.
• White Box Penetration Testing – the ethical hacker is provided with background and system information.

Page 4: Penetration Testing Execution Phases

Testing an Organization's Security

• Penetration Testers (PTs) are hired by organizations to test their security.
  – The PT identifies the important cyber resources of the organization, e.g. the payroll system, the storage of the organization's secret documents, etc.
  – Threats (events, processes, people that can harm the organization) are identified.
  – Attacks are planned and launched on the selected assets.
  – The vulnerabilities found are reported to the organization.
  – All pen tests are different and are executed differently.

Page 5: Penetration Testing Execution Phases

Today's Workshop Scope

• Today's workshop does not focus on risk management or the wider planning of an organization's security evaluation, e.g.
  – Threat modeling for the whole organization.
  – Planning and budgeting for all attacks.
• Rather, the focus is on learning the technical aspects of planning and launching an attack for an assigned task.
  – The managers have already identified the risks associated with all the systems of the organization.
  – Managers assign a task to the Penetration Tester (you):
    • For example, "Try to hack the Linux based file server where the trade secret documents of an organization are stored."
    • The penetration tester will gather information about this assigned task and execute the attack.

Page 6: Penetration Testing Execution Phases

Can Hacking be Learned in a Systematic Way?

• Yes. Hacking has been organized as a discipline over a period of time, and it can be learnt and practiced to become a successful 'Ethical Hacker'.
  – Many different phases are proposed by different books, authors and organizations.
  – All share the same theory but differ in the scope used to describe 'Penetration Testing'.
• Today's training focuses on the technical aspects of Penetration Testing.
  – So the hacking phases described will be from the technical aspect of an assigned task, as discussed before.
  – It will focus on 'Black Box Penetration Testing'.

Page 7: Penetration Testing Execution Phases

Penetration Testing Phases

• These phases are used to plan and execute a test technically.
• Reconnaissance:
  – Collecting detailed information about the system (e.g. the IP addresses of all machines, usernames, email addresses of the organization, etc.)
• Scanning (Vulnerability Analysis):
  – Port Scanning: finding open ports on systems and the services being run.
  – Vulnerability Scanning: finding known vulnerabilities for the services / software running on the system.
• Exploitation:
  – Attacking the system through the vulnerabilities found.
• Maintaining Access (Post Exploitation):
  – After exploitation, creating a permanent backdoor for easy access to the system later on.
• Reporting:
  – Details about the issues found, the detailed procedures used, and proposed solutions to mitigate the security issues found.
• However, the "Penetration Testing Execution Standard (PTES)" describes these phases differently. We shall also take some processes (information) from there, along with the phases described above, to build a better understanding of Penetration Testing.

Page 8: Penetration Testing Execution Phases

Pre-engagement Interaction

Page 9: Penetration Testing Execution Phases

Pre-Engagement Activities

• Scope: Discuss the number of computers or software systems to be tested for penetration.
  – In this workshop, the tester is given one task (hack a Linux based server, or test a website for hacking).
• Time Estimation: The execution time depends on the experience of the tester.
  – If a tester is more experienced in executing a specific type of task, less time will be spent on that test.
• Establish lines of communication and contact information before the tests.

Page 10: Penetration Testing Execution Phases

Examples or Possible Scenarios of Penetration Testing

• Let's discuss and fill in the sheets distributed to you about:
  – Network Penetration Test
  – Web Application Penetration Test
  – Wireless Network Penetration Test
  – Social Engineering Test
• This exercise will give you an idea about the different types of Penetration tests.

Page 11: Penetration Testing Execution Phases

Network Penetration Test

• Why is the customer having the penetration test performed against their environment?
• Is the penetration test required for a specific compliance requirement?
• When does the customer want the active portions (scanning, enumeration, exploitation, etc.) of the penetration test conducted?
  – During business hours?
  – After business hours?
  – On the weekends?
• How many total IP addresses are being tested?
  – How many internal IP addresses, if applicable?
  – How many external IP addresses, if applicable?
• Are there any devices in place that may impact the results of a penetration test, such as a firewall, intrusion detection/prevention system, web application firewall, or load balancer?
• In the case that a system is penetrated, how should the testing team proceed?
  – Perform a local vulnerability assessment on the compromised machine?
  – Attempt to gain the highest privileges (root on Unix machines, SYSTEM or Administrator on Windows machines) on the compromised machine?
  – Perform no, minimal, dictionary, or exhaustive password attacks against local password hashes obtained (for example, /etc/shadow on Unix machines)?

Page 12: Penetration Testing Execution Phases

Web Application Penetration Test

• How many web applications are being assessed?
• How many login systems are being assessed?
• How many static pages are being assessed? (approximate)
• How many dynamic pages are being assessed? (approximate)
• Will the source code be made readily available?
• Will there be any kind of documentation?
  – If yes, what kind of documentation?
• Will static analysis be performed on this application?
• Does the client want fuzzing performed against this application?
• Does the client want role-based testing performed against this application?
• Does the client want credentialed scans of web applications performed?

Page 13: Penetration Testing Execution Phases

Wireless Network Penetration Test

• How many wireless networks are in place?
• Is a guest wireless network used? If so:
  – Does the guest network require authentication?
  – What type of encryption is used on the wireless networks?
  – What is the square footage of coverage?
  – Will enumeration of rogue devices be necessary?
  – Will the team be assessing wireless attacks against clients?
  – Approximately how many clients will be using the wireless network?

Page 14: Penetration Testing Execution Phases

Social Engineering Test

• Does the client have a list of email addresses they would like a Social Engineering attack to be performed against?
• Does the client have a list of phone numbers they would like a Social Engineering attack to be performed against?
• Is Social Engineering for the purpose of gaining unauthorized physical access approved? If so:
  – How many people will be targeted?
• It should be noted that, as part of different levels of testing, the questions for Business Unit Managers, Systems Administrators, and Help Desk Personnel may not be required. Why?

Page 15: Penetration Testing Execution Phases

Scope of Penetration Test for CCSIT Cyberlympics 2017

• The above questions have given you insight about:
  – Which systems are important to target, and how to plan a test against them.
• The above discussion has not covered:
  – What kind of attacks will be launched?
  – What vulnerabilities will be targeted?
• For Cyberlympics 2017, the focus is on:
  – Network Penetration Testing
  – Web Application Penetration Testing

Page 16: Penetration Testing Execution Phases

Reconnaissance (Intelligence Gathering)

Penetration Testing Execution Phases

Page 17: Penetration Testing Execution Phases

Reconnaissance (Intelligence Gathering) Background

• Reconnaissance is the process of gathering information about the selected target.
  – It is important to find out what kind of organization is targeted (military, corporate or other).
• Basically, there are different levels of maturity of Penetration Testing ("PenTesting"). These levels define:
  – The expected output of the test.
  – Real world constraints.
  – Time, effort and access to information.

Page 18: Penetration Testing Execution Phases

Levels of Information Gathering - I

• There are three levels of information gathering.
• Level 1
  – Compliance Driven: For certain industries, the government has laid down security standards or regulations to follow for secure IT systems.
  – Usually, tests are performed to check whether the IT systems have followed the guidelines of the security standard and regulations, e.g. PCI DSS is the standard for the card payment industry.
  – Some automated tools, specially designed for a specific standard, are used to perform these tests.
• Example: A health organization is required to be compliant with PCI / FISMA / HIPAA. For this kind of test, level 1 information gathering is done.

Page 19: Penetration Testing Execution Phases

Levels of Information Gathering - II

• Level 2
  – This level defines the best practices adopted by PenTesters. (Most of the time, this level is followed for information gathering.)
  – For information gathering at this level, some automated tools are used as in level 1, plus some manual analysis is performed.
  – A good understanding of the business under test is developed.
  – Important information like physical location, business relationships and the organizational chart is obtained.
• Example for Level 2: An organization wants to test their PCI compliance but is also interested in evaluating their long term security strategy.

Page 20: Penetration Testing Execution Phases

Levels of Information Gathering - III

• Level 3
  – This level of information is usually gathered for very sensitive tasks like hacking for a state (country).
  – Level 1 and level 2 information gathering, plus more in-depth manual analysis.
    • A deeper understanding of business processes and business relations is gained.
• Example for Level 3:
  – An army intelligence team is tasked to attack a segment of the army in a foreign country. The target is to find out the vulnerabilities in the network so that foreigners can't exploit these vulnerabilities.

Page 21: Penetration Testing Execution Phases

Reconnaissance – I

• What is it?
  – Collecting maximum information about the target according to the levels discussed above.
  – This information helps in planning the attacks to be launched on the selected targets (as discussed above in the pre-engagement section).
• Why do it?
  – Open Source Intelligence (OSINT) is a form of intelligence collection management:
    • To collect information from public sources.
    • To analyze the collected information to produce actionable intelligence.

Page 22: Penetration Testing Execution Phases

Reconnaissance – II

  – OSINT helps to gather the various entrance points to the targeted organization.
    • These entrance points can be physical, electronic or human.
  – Weakness:
    • Many organizations don't realize what information is made public and how hackers can use that information to exploit it.
    • For example, organizations usually use the same username for employees as their email addresses. So, the usernames people use to access computers can easily be found from the organization's website.
• What is it not?
  – Information gathered is not valid for the long term.
  – Organizations may change things over a period of time.

Page 23: Penetration Testing Execution Phases

OSINT (Three Forms)

• Passive Information Gathering
  – This is a covert type of gathering. The target must not detect it.
  – The most difficult type of information gathering, as no traffic can be sent to the organization.
  – This means only stored or archived information is used.
• Semi-Passive Information Gathering
  – This is a semi-covert type of information gathering.
  – Companies can trace back to the computer gathering information, but there will be no suspicious activity.
  – Only published name servers are queried for the desired information. No in-depth search is attempted in this approach.
• Active Information Gathering
  – In this type, it can be detected easily that someone is trying to gain information.
  – Without worrying about detection or being suspicious, full focus is put on getting information.
  – Unpublished servers, files and directories are searched to get information.

Page 24: Penetration Testing Execution Phases

Goals of Information Gathering (OSINT)

• In short, the goal of information gathering is to collect information about:
  – Target Selection
  – Corporate Details
    • Physical and logical details, the organizational chart, financial details and information about individuals are of importance.
  – HUMINT (Human Intelligence)
  – Footprinting
  – Protection Mechanisms

Page 25: Penetration Testing Execution Phases

Target Selection - I

• Identification and Naming of Target
  – In the pre-engagement phase, little information is provided by the customer, such as their top level domain information, e.g. kfu.edu.sa
  – In Reconnaissance, more in-depth information is sought, such as the hierarchy of the domain, e.g. kfu.edu.sa/ccsit etc.
    • But permission should be obtained from the owner to explore these things.
    • Remember that in white hat hacking, most of the time, active reconnaissance can be used as allowed by the owner organization.
  – So a list of target servers is obtained.

Page 26: Penetration Testing Execution Phases

Target Selection – II

• Consider any Rules of Engagement Limitations
  – Always stick with the rules decided in pre-engagement.
    • For example, only launch attacks on the allowed IP addresses in the company, or use those IP addresses to launch attacks.
    • A tester can deviate from these rules, but it can have legal consequences. So, always remain within the rules and limitations set at engagement.
• Consider Time Length and Goal for Test
  – Remain focused on the goal and try to get only information relevant to the goal in mind. Get the relevant, secondary and tertiary elements as well, but avoid exploring 3rd parties' information.
  – Remaining focused can save time as well. Remember that usually organizations allow only 3 – 6 months for performing the testing of the whole organization's critical and important assets.
  – So, spend an appropriate amount of time on the information gathering activity.

Page 27: Penetration Testing Execution Phases

Corporate Details – I

• Physical Details
  – Locations (Level 1)
    • A full listing of all physical addresses, including city, full address etc., is obtained.
    • A full listing of all physical security measures for the locations (CCTV cameras, sensors, guards, entry controls, gates etc.) is obtained as well.
  – Pervasiveness (Level 1)
    • Information about the central office location as well as remote office locations is obtained.
    • Security controls at the central office may be good, but remote locations can have poor security controls.
  – Relationships (Level 1)
    • Information about business partners, customers, suppliers, open corporate web pages and rental companies is obtained.
    • These people can then be targeted for social engineering attacks.

Page 28: Penetration Testing Execution Phases

Corporate Details – II

• Logical Details
  – Accumulated information about partners, clients and competitors is obtained.
    • Business Partners (L1)
    • Business Clients (L1)
    • Competitors (L1)
    • Touchgraph (employee connections inside or outside the organization) (L1)
    • Meetings (L2)
    • Job Openings (L1)
    • Charity Affiliations (L1)
    • Political Donations (L2) etc.

Page 29: Penetration Testing Execution Phases

Corporate Details – III

• Organizational Chart
  – Position Identification (L1)
    • Important people in the organization.
    • Individuals to be specifically targeted.
  – Transactions (L1)
  – Affiliates (other organizations tied to the business) (L1)
• Electronic Details (L1)
  – Document Metadata
  – Marketing Communication
• Infrastructure Assets Details
  – Network blocks owned, from DNS or whois searches (L1)
  – Email addresses (L1)
  – Technologies Used (L1)
  – Remote Access (L1)
  – Purchase Agreements (L1)

Page 30: Penetration Testing Execution Phases

Corporate Details – IV

• Financial Details
  – Market Analysis (L1)
  – Published Financial Reports (L1)
• Information about Individuals in the Organization
  – History (court records, political donations, professional licenses etc.) (L2)
  – Social Network Profile (L2)
  – Social media presence and how frequently they use it or publish information there (L2)
  – Internet Presence, Email Addresses (L1)
  – Mobile Footprints (phone number, device, use, installed applications etc.)

Page 31: Penetration Testing Execution Phases

More Information Gathering

• HUMINT (Human Intelligence) information is obtained:
  – Feelings, history, relationships between key individuals etc.
  – People can be monitored via CCTV cameras, recording of web activities, webcams etc.
• Footprinting
  – It means getting information about the target in such a way that this activity can be traced later.
• Identify Protection Mechanisms
  – Information about the security of groups/persons/relevant locations must be obtained. For example:
    • Network Based Protections (simple packet filters, encryption etc.)
    • Host Based Protections (anti-virus, stack protections etc.)
    • Application Level Protections (encodings, bypass avenues etc.)
    • Storage Protections (storage controllers etc.)

Page 32: Penetration Testing Execution Phases

Threat Modeling

Penetration Testing Execution Phases

Page 33: Penetration Testing Execution Phases

Threat Modeling

• Standard threat modeling (not a specific approach) focuses on two key elements:
  – Assets
  – Attacker (threat agent)
• The information obtained in the Reconnaissance phase can be analyzed here:
  – Identify and categorize primary and secondary assets
  – Identify and categorize threats and threat communities
  – Map these threat communities against the primary and secondary assets

Page 34: Penetration Testing Execution Phases

High Level Modeling Process

• Identify Assets (business assets and business process analysis) and select attack targets:
  – Technical Information
  – Employee Data, Customer Data
  – Technical Infrastructure Supporting Processes
  – Human Assets Supporting Processes
  – 3rd Party Integrations
  – Information available from the Reconnaissance phase is used here.
• Identify Threats and Threat Communities
  – Internal Threats (employees, management, administrators, developers, engineers, technicians, remote support etc.)
  – External Threats (business partners, competitors, contractors, suppliers, hacktivists, script kiddies etc.)
  – Threat capability analysis and mapping of threats against assets (tools in use by the identified threats, access to attack launching sources (exploits) etc.) is performed.

Page 35: Penetration Testing Execution Phases

Scanning (Vulnerability Analysis)

Penetration Testing Execution Phases

Page 36: Penetration Testing Execution Phases

Scanning (Vulnerability Analysis)

• It is the process of discovering flaws in systems which can be leveraged by an attacker.
  – From host and service misconfigurations to insecure application design.
• Vulnerability analysis should be scoped according to the goals in mind and the desired outcome.
• Vulnerability Analysis Goals:
  – Finding out that mitigation is in place and a known vulnerability is not accessible, or
  – Trying everything to find out the maximum number of vulnerabilities.

Page 37: Penetration Testing Execution Phases

Types of Vulnerability Testing - I

• Active
  – Direct interaction with the component being tested for security vulnerabilities.
    • This can be a low level component like the TCP/IP stack or a network device.
    • Or it can be a high level component like a web based interface for the administrator etc.
• Passive
  – Covertly observe and gather data to perform analysis.
  – Examples include 'Metadata Analysis' or 'Traffic Monitoring'.
• Validation
  – Finding correlations between findings; linking the things found and footprints with each other.

Page 38: Penetration Testing Execution Phases

Active Vulnerability Testing - I

• Active vulnerability testing is either automated or manual.
• Automated (Active Scanning)
  – Tools are used to interact with the target, examine the responses from the target and determine whether a vulnerability exists or not.
  – General Vulnerability Scanners
    • Port Based
      – In traditional pentesting, it helps to obtain a basic overview of the available network targets or hosts.
      – All 65,535 ports are tested to find out the open, filtered or closed ports.
      – Protocols like IP, TCP, UDP, ICMP etc. are used as the technique to find out information about ports.
      – Open ports can give information about the services running on those ports (the service is not checked; rather, the service is identified from the designated port number).
    • Service Based
      – More advanced than a port scan, as the tools try to communicate with the service available on the open ports using the relevant protocols and confirm whether the service is running or not.
    • Banner Grabbing
      – A more advanced concept in which the data returned from communication on a specific port with the service and application is analyzed to find the version of the application or service running.
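The three scanning levels on this slide (port based, service based, banner grabbing), as an added example that is not part of the original slides: a small Python script that starts a throwaway listener on the local machine (a constructed demo service with an assumed banner string), classifies a port as open, closed or filtered from the outcome of a TCP connect, and then shows why the port-number table alone misidentifies the service while the banner reveals it. Everything runs against 127.0.0.1 only; the banner, the port table and all function names are assumptions for the demo. The same check is what a defender runs when inventorying what is really exposed on a host.

```python
import socket
import threading

# Tiny subset of the well-known port table that the port-based approach relies on
PORT_GUESSES = {22: "ssh", 25: "smtp", 80: "http", 443: "https"}

# Constructed banner for the local demo listener (not a real product)
DEMO_BANNER = b"SSH-2.0-DemoService_1.0\r\n"


def start_demo_listener(banner=DEMO_BANNER):
    """Start a throwaway TCP listener on a free loopback port that sends
    `banner` to every client and then closes. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_closed_port():
    """Reserve a loopback port and release it, so a scan of it sees 'closed'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def scan_port(host, port, timeout=1.0):
    """TCP connect scan of one port.

    Returns (state, banner): state is 'open' (handshake completed),
    'closed' (RST came back, nothing listening) or 'filtered' (no answer
    within the timeout, typically a packet filter dropping the SYN).
    banner is whatever the service volunteered right after connecting."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except socket.timeout:
        s.close()
        return "filtered", b""
    except ConnectionRefusedError:
        s.close()
        return "closed", b""
    except OSError:
        s.close()
        return "filtered", b""
    try:
        banner = s.recv(256)
    except (socket.timeout, OSError):
        banner = b""
    finally:
        s.close()
    return "open", banner


def identify_service(port, banner):
    """Port-based guess (port number only) next to banner-based identification."""
    port_guess = PORT_GUESSES.get(port, "unknown")
    text = banner.decode("ascii", errors="replace").strip()
    if text.startswith("SSH-") and text.count("-") >= 2:
        banner_id = "ssh " + text.split("-", 2)[2]        # SSH-proto-software
    elif text.startswith("220"):
        banner_id = "smtp/ftp " + text                    # greeting line
    elif text.startswith("HTTP/"):
        banner_id = "http " + text.split("\r\n")[0]
    else:
        banner_id = "unknown"
    return {"port_guess": port_guess, "banner_id": banner_id}


def scan_report(host, ports, timeout=1.0):
    """Scan a list of ports and return one record per port."""
    report = []
    for port in ports:
        state, banner = scan_port(host, port, timeout)
        rec = {"port": port, "state": state}
        if state == "open":
            rec.update(identify_service(port, banner))
        report.append(rec)
    return report


if __name__ == "__main__":
    demo_port = start_demo_listener()
    for rec in scan_report("127.0.0.1", [demo_port, free_closed_port()]):
        print(rec)
```

Because the demo service listens on an ephemeral port, the port-based guess comes back as "unknown" while the banner identifies it as an SSH-style service with its software string; the reverse case (a non-SSH service parked on port 22) is why a port-only inventory should never be trusted on its own.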

Page 39: Penetration Testing Execution Phases

Active Vulnerability Testing - II

• Automated (Active Scanning)
  – Web Application Scanners
    • General Application Flaw Scanners
      – Most scanners start with the top level address of the website.
      – The scanner then crawls the site by following links and directory structures. (This information is usually gathered in the Reconnaissance phase as well.)
      – The scanner then performs tests against the links obtained.
      – Different attack vectors like SQL injection, cross site scripting etc. are tried (discussed later).
    • Directory Listing Brute Force
      – Suppose directory information was not gathered in the Reconnaissance phase or pre-engagement phase; then general scanners can't get this information by crawling links.
        » So, either an already compiled list of directories is tried (this list is usually custom and managed by the attacker).
        » Or a brute force kind of approach can be used to find the directories.

Page 40: Penetration Testing Execution Phases

Active Vulnerability Testing - III

• Specific Protocol or Network Vulnerability Scanners
  – Some special protocol scanners are available for figuring out the running protocols and services, because general scanners can't detect these services.
    • VPN Scanner: If a VPN is running, simple tools can't perform the correct protocol negotiations, so special tools for VPNs are used.
    • Voice Network Scanners: Special VoIP tools are used to find vulnerabilities in VoIP services. These vulnerabilities can be leveraged to gain access to infrastructure systems or to record phone conversations on the target network.

Page 41: Penetration Testing Execution Phases

Passive Vulnerability Testing

• Metadata Analysis
  – Metadata about files or directories is analyzed.
  – This metadata can provide information about the author, company, internal IP addresses, paths to servers etc.
• Traffic Monitoring
  – It is monitoring the internal network and collecting traffic data to analyze offline.
  – Different approaches can be used for this purpose.
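Metadata analysis as seen from the defender's side, as an added example that is not part of the original slides: the Python below builds a minimal .docx in memory (a constructed sample with made-up author, company and template-path values), reads the two standard OOXML property parts, and flags the fields that reveal an internal username, a company name or a path to a file server, i.e. the fields a document review should scrub before publishing. The sample values and the flagging rules are assumptions for the demo; the part names and namespaces are the standard OOXML ones.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the two OOXML property parts (standard OOXML values)
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Constructed sample property parts: every value here is made up for the demo
SAMPLE_CORE_XML = r"""<cp:coreProperties
    xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
    xmlns:dc="http://purl.org/dc/elements/1.1/">
  <dc:title>Quarterly Plan</dc:title>
  <dc:creator>CORP\jdoe</dc:creator>
  <cp:lastModifiedBy>jdoe@corp.example</cp:lastModifiedBy>
</cp:coreProperties>"""

SAMPLE_APP_XML = r"""<Properties
    xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
  <Application>Microsoft Office Word</Application>
  <Company>Example Corp</Company>
  <Template>\\fileserver01.corp.example\templates\report.dotx</Template>
</Properties>"""

# (part name, element, key in the result dict)
FIELDS = [
    ("docProps/core.xml", "dc:title", "title"),
    ("docProps/core.xml", "dc:creator", "author"),
    ("docProps/core.xml", "cp:lastModifiedBy", "last_modified_by"),
    ("docProps/app.xml", "ep:Application", "application"),
    ("docProps/app.xml", "ep:Company", "company"),
    ("docProps/app.xml", "ep:Template", "template"),
]


def build_sample_docx():
    """Assemble a minimal .docx (an OOXML zip) carrying the constructed metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", SAMPLE_CORE_XML)
        z.writestr("docProps/app.xml", SAMPLE_APP_XML)
        z.writestr("word/document.xml", "<w:document/>")   # body is irrelevant here
    return buf.getvalue()


def extract_metadata(docx_bytes):
    """Return the metadata fields present in the document as a dict."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        parts = set(z.namelist())
        roots = {}
        for part, tag, key in FIELDS:
            if part not in parts:
                continue            # e.g. a document already stripped of that part
            if part not in roots:
                roots[part] = ET.fromstring(z.read(part))
            el = roots[part].find(tag, NS)
            if el is not None and el.text:
                found[key] = el.text.strip()
    return found


def leaky_fields(meta):
    """Names of fields that reveal internal identifiers a reviewer should scrub:
    domain-style or e-mail-style user names, UNC/absolute template paths and
    the company name. The rules are a heuristic chosen for this demo."""
    flags = []
    for key in ("author", "last_modified_by"):
        value = meta.get(key, "")
        if "\\" in value or "@" in value:      # DOMAIN\user or user@corp.example
            flags.append(key)
    if meta.get("template", "").startswith(("\\\\", "/")):   # \\server\share or /srv/...
        flags.append("template")
    if meta.get("company"):
        flags.append("company")
    return flags


if __name__ == "__main__":
    meta = extract_metadata(build_sample_docx())
    for key, value in meta.items():
        print(f"{key:17} {value}")
    print("fields to scrub before publishing:", leaky_fields(meta))
```

Running the script on the constructed sample lists all six fields and flags four of them; on a real document the same parsing applies unchanged, and the template path in particular is the field that most often exposes an internal file server name.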

Page 42: Penetration Testing Execution Phases

Validation (Vulnerability Testing)

• Correlation Between Tools
  – When working with multiple tools, the need for correlation between findings can become complicated.
    • Styles and/or categorical relations.
  – In most cases, testers focus on micro issues of specific vulnerabilities found redundantly across multiple hosts.
  – So, the relation should be found for the target in order to launch the attack.

Page 43: Penetration Testing Execution Phases

Manual Vulnerability Testing

• More advanced analysis of the target is performed to find vulnerabilities.
  – VPN Fingerprinting:
    • Device information and the exact version of the VPN code released and installed can be obtained from fingerprints, which can be analyzed manually.
  – Attack Avenues:
    • As vulnerabilities are found, an attack tree should be developed and regularly updated.

Page 44: Penetration Testing Execution Phases

Research about Vulnerability

• The vulnerabilities found should be validated from:
  – Vulnerability Databases: Many security vendors or companies maintain big databases of found vulnerabilities.
    • The results of tools should be validated against these databases.
  – Vendor Advisories: Many service and product vendors update information about their tools on their websites.
    • To tell customers about the capabilities of their tool or recent developments in new versions.
    • Vulnerabilities can be identified from such information as well.

Page 45: Penetration Testing Execution Phases

EXPLOITATION

Penetration Testing Execution Phases

Page 46: Penetration Testing Execution Phases

Purpose of Exploitation Phase

• Exploitation is where the attacks are actually executed.
  – The purpose is to establish "access to a system or resource" by bypassing security restrictions.
  – Vulnerability analysis provides the list of available vulnerabilities in the system.
  – Attack vectors can be decided for the known vulnerabilities and available payloads, and then the attacks can be launched.
  – The main focus of the attacks is on:
    • The main entry points into the organization.
    • Attacking high valued assets to show high impact.

Page 47: Penetration Testing Execution Phases

Planning Attacks Execution - I

• Consider Countermeasures (already in place in organizations).
• The security measures applied by organizations should be considered for a successful launch of the attack.
  – The sole purpose is to remain in stealth mode.
• Different kinds of security technologies can be in place:
  – Anti-virus (protects against the deployment of malicious software).
  – Intrusion Detection/Prevention System (detects and prevents malicious activity).
  – Encoding (obfuscated data to confuse the reader).
  – Encryption (converting the data to an unintelligible form, similar to encoding).
  – Whitelist Bypass (only identified traffic is allowed to pass).
  – Data Execution Prevention (a technique implemented in the OS to protect against attacks by monitoring any overwrite in memory).

Page 48: Penetration Testing Execution Phases

Planning Attacks Execution - II

• Evasion Techniques Planning
• Evasion is a technique to escape detection during the penetration test, e.g.
  – Circumventing the camera system so as not to be seen by a guard, or
  – Obfuscating the payloads (attacking code) to bypass the intrusion detection system, or
  – Encoding requests/responses (payloads in web applications) to bypass web application firewalls.
• It is better to formulate in advance the evasion techniques to be applied during the launch of the attack.

Page 49: Penetration Testing Execution Phases

Planning Attacks Execution - III

• Precision Strike
  – Attacks should be planned as specific attacks according to the research on vulnerabilities and available payloads.
  – Not all available payloads should be tried on a found vulnerability.
    • It shows that the attackers are not experienced.
    • Also, intrusion detection systems have a high chance of spotting this kind of approach.

Page 50: Penetration Testing Execution Phases

Planning Attacks Execution - IV

• Customized Exploitation Avenue
  – Depending upon the technology and location, the proper technology should be selected to launch attacks.
  – All attacks and conditions are different; the same attack should not be launched on all avenues.
• Tailored Exploits
  – Most of the time, the exploit payloads available in public locations (like the internet) are not 100% working for all identified scenarios.
  – These payloads should be modified to tailor them to the specific needs of the tester.

Page 51: Penetration Testing Execution Phases

Planning Attacks Execution - V

• Zero Day Angle
  – Zero day attacks are payloads not known in the public domain.
  – Usually, high profile pentest companies maintain their own exploits (payloads) to launch attacks for known vulnerabilities.
  – But, before launching such attacks, it should be ensured that the operating system, patches and countermeasures are the same as assumed when designing these zero day payloads.

Page 52: Penetration Testing Execution Phases

POST EXPLOITATION

Penetration Testing Execution Phases

Page 53: Penetration Testing Execution Phases

Purpose of Post Exploitation Phase

• The purposes of this phase are:
  – Determine the value of the compromised machine and maintain control of that machine:
    • A machine is valuable if sensitive data is available on it or it can be useful to compromise the network.
  – The tester documents the sensitive data and identifies configuration settings, communication channels and relationships with network devices.
  – Clean the fingerprints:
    • Any mistakes made or information left about the attacking machine is wiped in this phase.

Page 54: Penetration Testing Execution Phases

REPORTING

Penetration Testing Execution Phases

Page 55: Penetration Testing Execution Phases

Objectives of Reporting

• The objectives of this phase are:
  – Report the identified vulnerabilities to the hiring organization.
  – Explain the procedure followed to hack their targeted system.
  – Provide the technical details needed to launch the attacks.
  – Propose solutions to improve their security measures to protect against future attacks.

Page 56: Penetration Testing Execution Phases

Report Structure

• Every pentester can have their own structure to describe their work, but usually the following sections are recommended to be in the report.
• Executive Summary
  – Background
  – Overall Posture
  – Risk Ranking Profile
  – General Findings
  – Recommendation Summary
  – Strategic Roadmap
  – Technical Details of all phases/approaches used for testing
  – Conclusion

Page 57: Penetration Testing Execution Phases

Samples for Different Report Sections

[Slide shows sample report sections: Overall Risk Ranking Profile of Organization, General Findings, Security Strategy Recommendations]

Page 58: Penetration Testing Execution Phases

Assignment 2

• Plan an attack to "Hack a Linux based server/machine and steal critical important documents from there".
  – Consider all the knowledge gained today.
  – Plan for each phase of the Penetration Execution Phases.
• In the next workshop, we shall take this scenario and launch the attack using the tools already provided to you in Assignment 1.

Page 59: Penetration Testing Execution Phases

Thanks for listening!

» Questions?