
IBM Penetration Testing

What is penetration testing?


→ security testing in which assessors mimic real-world attacks to identify methods for circumventing
the security features of an application, a system, or a network.
→ It often involves launching real attacks on real systems and data with tools and techniques
commonly used by hackers.

The importance of penetration testing


→ With cyber-attacks becoming the norm, it is more important than ever to undertake regular
vulnerability scans and penetration testing to find vulnerabilities and ensure the cyber controls in
place are working.

Social Engineering
→ manipulating a person, typically by creating a sense of urgency or anxiety, into disclosing
information or granting access that they would not normally give.

Penetration Testing Phases


→ Planning.
→ Discovery.
→ Attack.
→ Report.

1. Planning

Setting objectives
→ What are the goals of the pentest? What are the targets (hosts, applications, networks) in scope?
Establishing boundaries
→ There are legal and ethical ramifications to consider. Since the attacks are real, they
have the potential to interrupt the availability of key functions and services, so the
written authorisation, the in-scope systems and the permitted testing windows are agreed
before anything is launched.

Informing need-to-know employees

→ Since there will almost always be some social engineering, it is wise to brief site
security and the people who need to know, and to carry the signed authorisation, so that
no one is arrested or treated as a real intruder during the test.

2. Discovery

→ What is vulnerability analysis and what is its role in a pentest?


A vulnerability scan finds outdated software versions, missing patches and
misconfigurations, and confirms compliance with (or deviations from) a security policy.
The scanner fingerprints the operating system and the major applications running on each
host and matches what it finds against the known vulnerabilities in the tool's vulnerability
database. The scan output is input to the attack phase, not a substitute for it: a match is
a candidate finding until it is verified, and scanners produce false positives (a banner
still reports the old version number after the vendor backported the fix) as well as false
negatives (software the scanner cannot see).

→ Different tools and methods to gather information:


Google Dorks
→ special search operators (for example site:, inurl:, filetype:) that narrow Google
results to what an attacker is looking for, such as:
  • Admin login pages.
  • Usernames and passwords.
  • Vulnerable entities.
  • Sensitive documents.
  • Email lists.
  • Govt/military data.

Records
→ Passive record (nothing is sent to the target):
  • Monitoring employees
  • Listening to network traffic
→ Active record (interacts with the target and may be logged):
  • Network mapping
  • Port scanning
  • Password cracking

→ Different methods of gaining access to a system:


Passive online
→ Wire sniffing: capturing data packets as they cross the network.
→ Man in the middle: intercepting or hijacking a session in real time to obtain access.
→ Replay attack: a valid data transmission is maliciously or fraudulently repeated or
  delayed.

Active online
→ Password guessing: trying candidate passwords directly against the login service; a
  dictionary attack tries a wordlist, a brute-force attack tries every combination.
→ Trojan/Spyware/Keyloggers: spy software that collects several types of data from the
  user's session.
→ Hash injection (pass-the-hash): authenticating to a remote server or service with the
  underlying NTLM or LanMan hash of a user's password, without ever knowing the password.
→ Phishing: users are tricked into clicking a malicious link, which can lead to the
  installation of malware, a ransomware attack or disclosure of information.

Offline attacks
→ Pre-computed hashes: the hashes of candidate passwords are computed once, in advance,
  and then compared against captured hashes, trading storage for cracking time.
→ Distributed Network Attack (DNA): a password cracking system sold by AccessData that
  splits the work across many machines and can mine a suspect's hard drive for potential
  passwords.
→ Rainbow tables: a pre-computed table for reversing cryptographic hash functions, usually
  for cracking password hashes. Chains of alternating hash and reduce steps are stored as
  start and end points only, so the table covers far more passwords than it has entries.
  A per-user salt defeats any pre-computed table, because each salt value would need a
  table of its own.

Without technology
→ Social engineering: deceiving a user into surrendering enough information to obtain
  access or data.
→ Shoulder surfing: watching a victim's screen or keyboard to capture what they type.
→ Dumpster diving: retrieving information by examining the trash for discarded but not
  destroyed documents.
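The two offline attacks above (pre-computed hashes and rainbow tables) and the salt that defeats them, as one added example that is not code from the original notes. The key space (three lowercase letters), SHA-1, the chain length and the start points are chosen to keep the demo small and deterministic; they are not a real cracking configuration, and the target passwords are constructed.

```python
"""Pre-computed password hashes and a toy rainbow table, plus the salt that defeats both.

Added example, not code from the original notes. SHA-1, the three-letter
lowercase key space and the chain parameters are demo choices only.
"""
import hashlib
import itertools
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 3                                 # key space: 26**3 = 17576 passwords
SPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 40                             # hash/reduce steps per chain


def h(password, salt=""):
    """SHA-1 of salt+password; salt='' is the unsalted, table-friendly form."""
    return hashlib.sha1((salt + password).encode()).hexdigest()


def reduce_fn(digest, position):
    """Map a digest back into the key space. Mixing in the chain position is
    what makes this a rainbow table rather than a plain Hellman table:
    chains that collide at different positions do not merge."""
    n = (int(digest[:12], 16) + position) % SPACE
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def build_table(start_points):
    """Walk a chain from each start and store only endpoint -> start."""
    table = {}
    for start in start_points:
        p = start
        for i in range(CHAIN_LEN):
            p = reduce_fn(h(p), i)
        table.setdefault(p, start)         # endpoint collision: keep the first chain
    return table


def walk_chain(start, target):
    """Regenerate one chain; return the password hashing to target, if any."""
    p = start
    for i in range(CHAIN_LEN):
        digest = h(p)
        if digest == target:
            return p
        p = reduce_fn(digest, i)
    return None


def lookup(table, target):
    """Assume target sits at chain position i, finish the chain from there and
    look for the endpoint; a hit is verified by regenerating that chain."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        p = reduce_fn(target, i)
        for j in range(i + 1, CHAIN_LEN):
            p = reduce_fn(h(p), j)
        start = table.get(p)
        if start is not None:
            found = walk_chain(start, target)   # None on a false alarm
            if found is not None:
                return found
    return None


def precomputed_dictionary(words):
    """The simplest pre-computed attack: hash every candidate once, look up many."""
    return {h(w): w for w in words}


def demo():
    # Deterministic start points: every seventh password of the key space.
    candidates = ("".join(c) for c in itertools.product(ALPHABET, repeat=PW_LEN))
    starts = list(itertools.islice(candidates, 0, SPACE, 7))
    table = build_table(starts)
    return {
        "dictionary": precomputed_dictionary(["cat", "dog", "bat"]).get(h("dog")),
        "rainbow_unsalted": lookup(table, h("aaa")),           # 'aaa' is a chain start
        "rainbow_salted": lookup(table, h("aaa", salt="x9")),  # same password, salted
    }


if __name__ == "__main__":
    print(demo())
```

Each stored pair covers up to CHAIN_LEN passwords, which is the storage-for-time trade the notes describe; the salted lookup fails because the table was built for hashes of the bare password, and a real deployment adds a slow hash (bcrypt, scrypt, Argon2) on top of the salt so that even a per-salt table is too expensive to build.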

3. Attack
→ Gaining Access
→ Escalating Privileges
→ System Browsing
→ Install Additional Tools

➢ Exploited Vulnerabilities:

Misconfigurations
• Vulnerabilities introduced through security settings, particularly insecure default
  settings, which are usually easily exploitable.

Kernel flaws
• Kernel code is the core of an operating system, so any security flaw in the kernel puts
  the entire system in danger.

Insufficient input validation
• Many applications fail to fully validate the input they receive from users; this is the
  root of injection and memory-corruption bugs.

Symbolic links
• A symlink is a file that points to another file.
• If a privileged program writes to a predictable path that an unprivileged user can
  create, that user can plant a symlink there and trick the program into modifying,
  overwriting or listing critical system files.

File descriptor attacks
• File descriptors are numbers the system uses to keep track of open files in lieu of
  file names.
• Specific descriptors have implied uses (0, 1 and 2 are stdin, stdout and stderr), so a
  privileged program started with a descriptor unexpectedly closed or redirected can be
  tricked into reading from or writing to a file the attacker controls.

Race conditions
• Occur when a program checks a condition and acts on it in separate steps while in a
  privileged mode; an attacker who changes the state between the check and the use
  (time of check to time of use, TOCTOU) wins the race.

Buffer overflows
• Occur when programs do not check input for appropriate length and copy it into a
  fixed-size buffer, overwriting adjacent memory.

Incorrect file & directory permissions
• File and directory permissions control the access assigned to users and processes.
• Poor permissions allow many types of attacks, including the reading or writing of
  password files or additions to the list of trusted remote hosts.
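The symbolic-link and race-condition entries above, as one added example that is not code from the original notes. A "privileged" log writer (simulated; it runs as the current user) appends to a predictable name in a shared directory that stands in for /tmp, and an attacker who cannot write the victim file plants a symlink under that name. The vulnerable writer follows the link; the hardened one lets the kernel do the check and the open in one step. Paths, file names and contents are constructed, and the code needs a POSIX system.

```python
"""Symbolic-link attack on a predictable file name, and the hardened open.

Added example, not code from the original notes. The shared directory stands
in for /tmp and "passwd" for a root-only file; everything is constructed.
Needs a POSIX system (os.O_NOFOLLOW, os.getuid).
"""
import errno
import os
import stat
import tempfile

LOG_NAME = "app.log"


def attacker_plants_symlink(shared_dir, victim_file):
    """Unprivileged step: point the predictable name at a file the attacker cannot write."""
    os.symlink(victim_file, os.path.join(shared_dir, LOG_NAME))


def vulnerable_writer(shared_dir, message):
    """Privileged step, as written in many programs. exists() and open() both
    follow the link, so the write lands in the victim file. The check is also
    a separate step from the use (TOCTOU): even if it refused links, the
    attacker could plant one between the check and the open."""
    path = os.path.join(shared_dir, LOG_NAME)
    if not os.path.exists(path):
        open(path, "w").close()
    with open(path, "a") as f:
        f.write(message)
    return "written"


def hardened_writer(shared_dir, message):
    """Create with O_CREAT|O_EXCL, which fails on any existing name (a symlink
    included, wherever it points); otherwise reopen with O_NOFOLLOW, which
    refuses a trailing symlink. Check and open happen atomically in the
    kernel, and fstat() inspects the file that was actually opened."""
    path = os.path.join(shared_dir, LOG_NAME)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        try:
            fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_NOFOLLOW)
        except OSError as e:
            return "refused (%s)" % errno.errorcode.get(e.errno, e.errno)
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
        os.close(fd)
        return "refused (not our regular file)"
    with os.fdopen(fd, "a") as f:
        f.write(message)
    return "written"


def run_case(writer, plant_symlink):
    """Return (writer status, whether the victim file was tampered with)."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = os.path.join(tmp, "shared")      # stands in for /tmp
        os.mkdir(shared)
        victim = os.path.join(tmp, "passwd")      # stands in for a root-only file
        with open(victim, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        if plant_symlink:
            attacker_plants_symlink(shared, victim)
        status = writer(shared, "evil::0:0::/:/bin/sh\n")
        with open(victim) as f:
            return status, "evil" in f.read()


def demo():
    return {
        "vulnerable_attacked": run_case(vulnerable_writer, True),
        "hardened_attacked": run_case(hardened_writer, True),
        "hardened_clean": run_case(hardened_writer, False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The same pattern applies to the incorrect-permissions entry: the attack only works because the shared directory lets any user create names in it, so a private directory with restrictive permissions removes the attacker's foothold even before the open flags are fixed.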
4. Reporting

→ Executive summary (the who, what, when, and where of the penetration test)
- Background: an overview of everyone who was involved, the timeframe and the goals of the
test.
- Overall Posture: a brief description of the issues encountered, whether they were
overcome and whether the goals were met.
- Risk Ranking: an overall rating (for example critical, high, medium or low) so the reader
knows where the organisation sits on the risk scale.
- General Findings: a summary of the issues found during the penetration test in a basic
statistical or graphical format, with the root cause of each issue presented in an
easy-to-read format.
- Recommendations: what the company needs to do to address the vulnerabilities that were
exploited.
- Roadmap: the recommendations broken down into a 30, 60 and 90-day action plan, with the
most critical or high-risk items addressed first.

→ Technical Review
