Module 01 Introduction to Penetration Testing

The document is a lecture outline on Penetration Testing by Dr. Fawaz Al-Ghfari, covering various methodologies, types, and components of penetration testing, as well as the importance of information security. It includes sections on scoping, engagement, network and web application testing, and specialized areas like IoT and wireless security. The document emphasizes the need for regular penetration testing to protect sensitive information and comply with security standards.


Penetration Testing

Lecture 1

Dr. Fawaz Al-Ghfari


Who am I?
Name: Dr. FAWAZ MOKBAL
Field of Specialization: Computer Science and Technology (AI for Cybersecurity).
Academic Qualifications:
• Doctor of Engineering, Computer Science and Technology, Beijing University of Technology, Beijing, China.
• Master of Information Technology, Networking, The University of Agriculture, CS&IT, Peshawar, Pakistan.
• Bachelor of Computer Science,
Research Interests:
• Web Applications Security.
• Internet of Things (IoT) Security.
• Machine Learning & Deep Learning Intersection with Cybersecurity.
• Data Science and Data Modeling.
• High Dimension Reduction & Feature Selection.
• Ad-hoc Networks Security.
• Brain-Computer Interface - Electroencephalography (BCI-EEG).
Contact Information: [email protected]
Webpage: Google Scholar, ResearchGate, LinkedIn
Contents

1: Introduction to Penetration Testing
- Overview of Information Security
- Penetration Testing Concepts
- LPT Penetration Testing Methodology
- Guidelines and Recommendations for Penetration Testing

2: Penetration Testing Scoping and Engagement
- Penetration Testing Scoping and Engagement
- Setting the Rules of Engagement
- Establishing Communication Lines
- Identifying Personnel for Assistance
- Handling Legal Issues in Penetration Testing Engagement
- Handling Scope Creeping During Pen Testing

3: Open-Source Intelligence (OSINT) Methodology
- OSINT through the WWW
- OSINT through Website Analysis
- OSINT through DNS Interrogation
- Automating the OSINT Process using Tools/Frameworks/Scripts

4: Social Engineering Penetration Testing Methodology
- Social Engineering Penetration Testing Concepts
- Social Engineering Penetration Testing Using E-mail Attack Vector
- Social Engineering Penetration Testing Using Telephone Attack Vector
- Social Engineering Penetration Testing Using Physical Attack Vector
- Reporting and Countermeasures/Recommendations

5: Network Penetration Testing Methodology - External and Internal
- External:
  - Port Scanning
  - OS and Service Fingerprinting
  - Vulnerability Research
  - Exploit Verification
- Internal:
  - Footprinting
  - Network Scanning
  - OS and Service Fingerprinting
  - Enumeration
  - Vulnerability Assessment

6: Network Penetration Testing Methodology - Internal (continued)
- OS Exploitation
- Other Internal Network Exploitation Techniques
- Automating Internal Network Penetration Test Effort
- Post Exploitation Advanced Tips and Techniques

7: Midterm Exam

8: Network Penetration Testing Methodology - Perimeter Devices
- Assessing Firewall Security Implementation
- Assessing IDS Security Implementation
- Assessing Security of Routers
- Assessing Security of Switches

9: Web Application Penetration Testing Methodology
- Discover Web Application Default Content
- Discover Web Application Hidden Content
- Conduct Web Vulnerability Scanning
- Test for SQL Injection Vulnerabilities
- Test for XSS Vulnerabilities
- Test for Parameter Tampering

10: Web Application Penetration Testing Methodology (continued)
- Tests for Security Misconfiguration Vulnerabilities
- Test for Client-Side Attack
- Tests for Broken Authentication and Authorization Vulnerabilities
- Tests for Broken Session Management Vulnerabilities
- Test for Web Services Security
- Test for Business Logic Flaws
- Test for Web Server Vulnerabilities
- Test for Thick Clients Vulnerabilities

11: Specialized Penetration Testing Areas
- Wireless Penetration Testing
  - WLAN Penetration Testing
  - RFID Penetration Testing
  - NFC Penetration Testing
- IoT Penetration Testing
  - IoT Attacks and Threats
  - IoT Penetration Testing

12: Report Writing and Post Testing Actions
- Penetration Testing Report: An Overview
- Phases of Report Development
- Report Components
- Penetration Testing Report Analysis
- Penetration Testing Report Delivery
- Post-Testing Actions for Organizations
Information Security Overview
Commonly quoted industry figures (vendor and survey statistics; the exact numbers vary by source and year):
• Frequency: a cyberattack occurs roughly once every 39 seconds.
• Protection: only about 5% of a company's sensitive information is adequately protected.
• Ransomware growth: ransomware attacks have been reported to grow 93% year over year.
• Small business target: 43% of cyberattacks target small businesses.
• Malware creation: around 300,000 new malware samples appear every day.
• Email attacks: 75% of cyberattacks begin with an email.
• Human error: up to 95% of data breaches involve human error.
❑ These statistics highlight the pervasive and evolving nature of cyber threats.
What is Security?
• In general, security is "the quality or state of being secure--to be free from danger."
• A successful organization should have multiple layers of security in place:
• Physical security: to protect the physical items, objects, or areas of an organization from unauthorized access and misuse.
• Personal security: to protect the individual or group of individuals who are authorized to access the organization and its operations.
• Operations security: to protect the details of a particular operation or series of activities.
• Communications security: to protect an organization's communications media, technology, and content.
• Network security: to protect networking components, connections, and contents.
• Information security: to protect information and the systems that use, store, and transmit it (defined in detail below).
Information System (IS)

• What is an Information System (IS)?
• An Information System (IS) is the entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization.
Information Security and Cyber Security
• Information Security: the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information, against unauthorized access, destruction, disruption, or tampering.
• Cyber Security: the ability to defend or protect cyberspace from cyber attacks.
Components of Information Security
The diagram visually represents the interconnected aspects
that make up information security:
1. Network Security: Protects the integrity and usability of
network and data.
2. Policy: Encompasses guidelines and rules that govern
security measures and practices.
3. Computer & Data Security: Safeguards individual
computers and the data stored within.
• Components overlap in the "Management of Information
Security" zone, indicating that effective information security
management requires integrating all three components.
• The entire structure falls under the broader umbrella of
"Information Security," symbolizing the detailed attention
required for comprehensive protection.
• This diagram highlights the holistic approach needed to
secure information systems
The Importance of Information Security

• The CIA Triad:


• Confidentiality: Only authorized users can access data, like your online
banking password.
• Integrity: Ensuring data accuracy. Imagine someone changing your grades in
the school database – that's a breach of integrity.
• Availability: Ensuring access to data when needed. Think about a website
crashing during a sale – that's an availability issue.
• Why is it Crucial? Data breaches can lead to identity theft, financial
loss (like when Target was hacked), and reputational damage.
C.I.A. triangle
• The C.I.A. triangle was the standard, based on confidentiality, integrity, and availability.
• The C.I.A. triangle has now been expanded into a list of critical characteristics of information.

CIA element, the risk if it is lost, and the typical controls:

Confidentiality
  Risk: loss of privacy; unauthorized access to information; identity theft.
  Control: encryption; authentication; access control.

Integrity
  Risk: information is no longer reliable or accurate; fraud.
  Control: maker/checker (four-eyes approval); quality assurance; audit logs.

Availability
  Risk: business disruption; loss of customers' confidence; loss of revenue.
  Control: business continuity plans and tests; backup storage; sufficient capacity.
Critical Characteristics of Information
• The value of information comes from the characteristics it possesses:

1. Availability: Information is readily accessible and usable when needed by authorized individuals.
Think "being there when you need it."
2. Accuracy: Information is free from errors and correctly reflects the real-world state. Think "getting
it right."
3. Authenticity: Information is genuine and its source is verifiable. Think "knowing it's the real deal."
4. Confidentiality: Information is only disclosed to authorized individuals and kept secret from
unauthorized ones. Think "keeping secrets safe."
5. Integrity: Information is complete and hasn't been improperly altered or destroyed. Think
"keeping it whole and untainted."
6. Utility: Information is useful and relevant to the purpose for which it is intended. Think "serving its
intended purpose."
7. Possession: An individual or entity has legitimate control over the information. Think "rightful
ownership and control."
•While a breach of confidentiality always results in a breach of possession, the reverse is not true.
Introduction to Penetration Testing
• What is Penetration Testing?
• Definition :A penetration test or pen test is a test evaluating the strengths of
all security controls on the computer system. Penetration tests evaluate
procedural and operational controls as well as technological controls.
• "Penetration testing is a simulated cyberattack against a computer system, network, or
web application to find security vulnerabilities."
• "It's not about breaking things; it's about finding weaknesses and recommending
solutions."
• Goals: Find security gaps, assess potential damage, and suggest fixes.
• Example : "Imagine a website that allows users to log in. A penetration tester
might try to bypass the login process using different techniques to see if there
are any vulnerabilities that a hacker could exploit."
Who needs Penetration Testing
• Banks/financial institutions, government organizations, online vendors, or any organization processing and storing private information.

• Most security standards and compliance certifications (such as ISO 27001 or PCI DSS) require or recommend that penetration tests be performed on a regular basis to ensure the security of the system.

• PCI Data Security Standard requirement 11.3 (PCI DSS v3.2.1; renumbered 11.4 in PCI DSS v4.0) requires organizations to perform external and internal penetration tests at least once a year and after any significant infrastructure or application change.
  ▪ This standard is for the security of payment card data.

• HIPAA Security Rule, Administrative Safeguards standard (8), Evaluation (45 CFR 164.308(a)(8)), requires a periodic technical and non-technical evaluation of security controls. The rule does not name penetration testing; security process audits, periodic vulnerability analysis and penetration testing are the usual way organizations satisfy it.
  ▪ HIPAA is a US law related to the protection of health information.
Penetration Testing Viewpoints
❑ External vs. Internal
  Penetration testing can be performed from the viewpoint of an external attacker or of a malicious employee.

❑ Overt vs. Covert
  Penetration testing can be performed with or without the knowledge of the IT department of the company being tested.
Types of Penetration Testing:
• Black Box: Testers have zero prior knowledge of the system, like
trying to break into a house you've never seen before.
• White Box: Testers have full system information, like having a
blueprint of the house and its security systems.
• Grey Box: Testers have some information, like knowing the house
layout but not the security alarm code.
The Licensed Penetration Tester (LPT) Methodology -
A Structured Approach
• 1. Reconnaissance: Gathering information about the target. Like a burglar
casing a house, observing routines and weak points.
• 2. Enumeration/Scanning: Identifying potential vulnerabilities. This is like
checking all the doors and windows of the house to see if any are unlocked.
• 3. Vulnerability Analysis: Examining found weaknesses. Figuring out if a
slightly open window is big enough to climb through.
• 4. Exploitation: Trying to use the vulnerabilities to gain access, within the agreed scope.
• 5. Post-Exploitation: What happens after gaining access. Once inside, the
penetration tester might look for valuables or try to disable the alarm system.
• 6. Reporting: Documenting findings and providing solutions. This is like the
security expert providing a report of all the weaknesses they found and how
to fix them.
Reconnaissance and Information Gathering

Purpose: To discover as much information about a target (individual or organization) as possible, ideally without making direct network contact with the target (passive reconnaissance).

Methods:
• Organization info discovery via WHOIS
• Google search
• Website browsing (note: this does touch the target's web servers and leaves entries in their logs, so it is not strictly passive)
• Google Dorks (advanced search operators such as site: and filetype:)
• Shodan (for internet-connected devices)
• theHarvester (email and subdomain enumeration)
WHOIS Results for www.clemson.edu

Domain Name: CLEMSON.EDU

Registrant:
  Clemson University
  340 Computer Ct
  Anderson, SC 29625
  UNITED STATES

Administrative Contact:
  Network Operations Center
  Clemson University
  340 Computer Court
  Anderson, SC 29625
  UNITED STATES
  (864) 656-4634
  [email protected]

Technical Contact:
  Mike S. Marshall
  DNS Admin
  Clemson University
  340 Computer Court
  Anderson, SC 29625
  UNITED STATES
  (864) 247-5381
  [email protected]

Name Servers:
  EXTNS1.CLEMSON.EDU  130.127.255.252
  EXTNS2.CLEMSON.EDU  130.127.255.253
  EXTNS3.CLEMSON.EDU  192.42.3.5
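A WHOIS record like the one above is only useful once its pieces are pulled out for the later phases: contact names and phone numbers feed the social engineering modules, and the name servers feed DNS interrogation. The script below is an added example written for this lecture, not part of the original slides: it parses the record into sections, collects the phone numbers per contact, and flags name servers that sit in a different /16 from the others (a plain heuristic for "hosted off the main network, look closer", not a claim about who owns those address blocks). The sample text is the slide's Clemson record, re-typed as a constructed input, with the e-mail addresses left redacted as they appear on the slide.

```python
"""Parse a WHOIS record and pull out the fields recon hands to later phases.

Added example for this lecture (not from the original slides). The sample
below is the Clemson record shown on the slide, re-typed as a constructed
input; the /16 grouping is an illustrative heuristic only.
"""
import ipaddress
import re
from collections import Counter

SAMPLE_WHOIS = """\
Domain Name: CLEMSON.EDU
Registrant:
    Clemson University
    340 Computer Ct
    Anderson, SC 29625
    UNITED STATES
Administrative Contact:
    Network Operations Center
    Clemson University
    340 Computer Court
    Anderson, SC 29625
    UNITED STATES
    (864) 656-4634
Technical Contact:
    Mike S. Marshall
    DNS Admin
    Clemson University
    340 Computer Court
    Anderson, SC 29625
    UNITED STATES
    (864) 247-5381
Name Servers:
    EXTNS1.CLEMSON.EDU      130.127.255.252
    EXTNS2.CLEMSON.EDU      130.127.255.253
    EXTNS3.CLEMSON.EDU      192.42.3.5
"""

# Section headers sit at column 0 and end in a colon; their contents are indented.
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")
NS_RE = re.compile(r"^([A-Za-z0-9.-]+)\s+(\d{1,3}(?:\.\d{1,3}){3})$")
PHONE_RE = re.compile(r"\(?\d{3}\)?[ -]?\d{3}-\d{4}")


def parse_whois(text):
    """Return {'domain': str, 'sections': {header: [lines]}, 'name_servers': [(host, ip)]}."""
    record = {"domain": None, "sections": {}, "name_servers": []}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented = raw[:1].isspace()
        line = raw.strip()
        header = None if indented else HEADER_RE.match(line)
        if header:
            key, value = header.group(1), header.group(2).strip()
            if key == "Domain Name":
                record["domain"] = value.lower()
                current = None
            else:
                current = key
                record["sections"].setdefault(current, [])
            continue
        if current == "Name Servers":
            ns = NS_RE.match(line)
            if ns:
                record["name_servers"].append((ns.group(1).lower(), ns.group(2)))
        elif current is not None:
            record["sections"][current].append(line)
    return record


def contact_phones(record):
    """Phone numbers per contact section (input for the telephone attack-vector module)."""
    phones = {}
    for name, lines in record["sections"].items():
        found = [p for line in lines for p in PHONE_RE.findall(line)]
        if found:
            phones[name] = found
    return phones


def odd_name_servers(record, prefix=16):
    """Name servers whose /prefix differs from the most common /prefix among the listed servers."""
    nets = {host: ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            for host, ip in record["name_servers"]}
    if not nets:
        return []
    common = Counter(nets.values()).most_common(1)[0][0]
    return sorted(host for host, net in nets.items() if net != common)


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print("domain:", rec["domain"])
    print("phones:", contact_phones(rec))
    print("name servers outside the main /16:", odd_name_servers(rec))
```

Run against real output (for example `whois clemson.edu | python3 whois_parse.py`, replacing the constant with stdin) the same functions give you a list of people and numbers to include in the engagement's social-engineering scope discussion, and a list of DNS hosts to interrogate in the next phase.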
Network Enumeration and Scanning
Purpose: To discover existing networks owned by a target as well as live
hosts and services running on those hosts. Unlike passive reconnaissance, these
methods send packets to the target, so they must be covered by the rules of engagement.

Methods:
• Scanning programs that identify live hosts, open ports, services, and
other info (Nmap, AutoScan)
• DNS querying (nslookup)
• Route analysis (traceroute)
Network Enumeration and Scanning
• Nmap: A powerful open-source tool for network discovery and security
auditing.
• AutoScan: A network scanner with a graphical interface that allows for
easy identification of hosts and services.
• Automatic network discovery.
• Service detection and OS fingerprinting.
• DNS Querying
• Query DNS servers to resolve domain names to IP addresses.
• nslookup: A network administration command-line tool used for querying the
Domain Name System (DNS) to obtain domain name or IP address mapping.
• Route Analysis (Traceroute)
• Identify the path data packets take from one network to another.
• traceroute: A network diagnostic tool that traces the route packets take to a
destination.
Nmap Results
The command nmap -sS 127.0.0.1 performs a TCP SYN ("half-open") scan of
the local machine (127.0.0.1). A SYN scan needs raw-socket privileges
(root/Administrator), and without a -p option Nmap checks its default top
1,000 TCP ports. Here is a typical output you might expect:

Starting Nmap 7.80 ( https://nmap.org ) at 2024-11-05 03:59 Arabian Standard Time
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000026s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 0.02 seconds

Explanation:
• 22/tcp open ssh: port 22 is open. Without -sV the SERVICE column is Nmap's
guess from its port table, not a confirmed banner.
• Host is up: confirms that the local machine is responsive.
• Not shown: 999 closed ports: the other 999 of the top 1,000 ports answered
with a RST, i.e. reachable but nothing listening. "filtered" in place of
"closed" would indicate a firewall dropping the probes.
This scan checks for open ports and running services, which is useful for identifying potential entry
points for security assessments.
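On a real engagement you scan dozens or hundreds of hosts and need the results as data, not as screen text. The parser below is an added example for this lecture (not from the slides and not Nmap project code). It reads Nmap's normal output into per-host records and answers the questions a tester asks next: which ports are open where, which hosts expose a given service, and which hosts reported "filtered" ports (a sign of a firewall between scanner and target). The sample scan is constructed: it reuses the single-host output from the slide and adds a second, hypothetical host (web01.example.test, 10.0.0.5) so there is something to group. For production use prefer `nmap -oX` and an XML parser; the normal-output format is what you have when someone pastes a terminal into a ticket.

```python
"""Parse Nmap normal output (-oN / terminal) into host records.

Added example for this lecture, not from the original slides or from the
Nmap project. SAMPLE_SCAN is constructed: the localhost block is the slide's
output, the second host is hypothetical.
"""
import re

SAMPLE_SCAN = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2024-11-05 03:59 Arabian Standard Time
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000026s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap scan report for web01.example.test (10.0.0.5)
Host is up (0.0012s latency).
Not shown: 996 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  open   https
3389/tcp closed ms-wbt-server

Nmap done: 2 IP addresses (2 hosts up) scanned in 1.84 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\d{1,3}(?:\.\d{1,3}){3})\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# Handles "999 closed ports" and newer "995 closed tcp ports (reset), 3 filtered tcp ports".
NOT_SHOWN_RE = re.compile(r"(\d+) (\w+)(?: \w+)? ports?")


def parse_nmap(text):
    """Return a list of {'name', 'ip', 'up', 'ports': [...], 'not_shown': {state: count}}."""
    hosts, host = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            name, ip = m.group(1), m.group(2) or m.group(1)
            host = {"name": name, "ip": ip, "up": False, "ports": [], "not_shown": {}}
            hosts.append(host)
            continue
        if host is None:
            continue  # banner lines before the first host
        if line.startswith("Host is up"):
            host["up"] = True
        elif line.startswith("Not shown:"):
            for count, state in NOT_SHOWN_RE.findall(line):
                host["not_shown"][state] = int(count)
        elif (pm := PORT_RE.match(line)):
            host["ports"].append({"port": int(pm.group(1)), "proto": pm.group(2),
                                  "state": pm.group(3), "service": pm.group(4)})
    return hosts


def open_ports(hosts):
    """{ip: ['22/tcp', ...]} listing only ports in state 'open'."""
    return {h["ip"]: [f'{p["port"]}/{p["proto"]}' for p in h["ports"] if p["state"] == "open"]
            for h in hosts}


def hosts_with_service(hosts, service):
    """IPs with an open port whose SERVICE column matches (an Nmap guess unless -sV was used)."""
    return sorted(h["ip"] for h in hosts
                  if any(p["service"] == service and p["state"] == "open" for p in h["ports"]))


def filtered_hosts(hosts):
    """IPs where Nmap reported filtered ports, i.e. probes were dropped rather than reset."""
    return sorted(h["ip"] for h in hosts if h["not_shown"].get("filtered"))


if __name__ == "__main__":
    scan = parse_nmap(SAMPLE_SCAN)
    print("open ports:", open_ports(scan))
    print("ssh hosts:", hosts_with_service(scan, "ssh"))
    print("behind a filter:", filtered_hosts(scan))
```

The `closed` versus `filtered` distinction is worth keeping in the report: a host that answers RST on 999 ports is fully reachable and just has nothing listening, while a host whose unlisted ports are `filtered` is being protected by something that should itself appear in the perimeter-device assessment.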
Vulnerability Testing and Exploitation
Purpose: To check hosts for known vulnerabilities and
to see if they are exploitable, as well as to assess the
potential severity of said vulnerabilities.

Methods:
• Remote vulnerability scanning (Nessus, OpenVAS)
• Active exploitation testing
➢ Login checking and brute-forcing
➢ Vulnerability exploitation (Metasploit, Core Impact)
➢ Zero-day and exploit discovery (fuzzing, program analysis)
➢ Post-exploitation techniques to assess severity (permission levels, backdoors, rootkits, etc.)
Reporting
Purpose: To organize and document information found during the reconnaissance, network
scanning, and vulnerability testing phases of a pentest.
Methods:
• Documentation tools (Dradis)
  • Dradis is an open-source documentation framework designed for security assessments and penetration testing.
  • It helps streamline the reporting and collaboration process by allowing you to combine the output of different security scanning tools, manual findings, and notes into a single, consistent report.
  • It organizes information by hosts, services, identified hazards and risks, and recommendations to fix problems.
• Examples/Tools whose output feeds the report:
  • Nmap: network mapping.
  • Angry IP Scanner: network range scanning.
  • OpenVAS: vulnerability scanning.
  • Qualys: security assessment.
  • CCTV analysis: reviewing camera footage.
  • Physical penetration testing: testing physical access controls.
  • Metasploit: exploit testing.
  • Burp Suite: web vulnerability identification.
Ethical and Effective Penetration Testing
• Legal and Ethical Considerations: Always get written permission
before testing. Imagine testing a neighbor's house security without
their consent – that's illegal!
• Scope Definition: Clearly define what will be tested. You wouldn't
want a tester checking your car security if you hired them to test your
house.
• Communication: Keep the client informed.
• Reporting and Remediation: Provide detailed reports and help fix the
issues. The security expert shouldn't just point out the open window;
they should also recommend getting a better lock.
• Confidentiality: Keep test results secret.
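Written permission and a defined scope are only protective if the tooling actually honours them. The script below is an added example for this lecture (not from the slides) showing the check a tester runs before any scanner is pointed at a target list: every candidate address must fall inside a range the client authorized, must not fall inside an exclusion the client carved out (for example a production database the signed rules of engagement forbid touching), and the current time must be inside the agreed testing window. The ranges, exclusion, window and hostname are all constructed values; a real engagement copies them from the signed rules of engagement. Hostnames are deliberately rejected rather than resolved, because resolving them is itself network activity and the resulting address still has to pass the same check.

```python
"""Scope gate: refuse to act on anything the rules of engagement did not authorize.

Added example for this lecture, not from the original slides. All ranges,
exclusions, times and hostnames below are constructed; copy the real ones
from the signed rules of engagement.
"""
from dataclasses import dataclass, field
from datetime import datetime, time, timezone
import ipaddress


@dataclass
class Scope:
    in_scope: list                                    # CIDR strings the client authorized
    excluded: list = field(default_factory=list)      # ranges/hosts explicitly carved out
    window_start: time = time(0, 0)                   # allowed testing window, UTC
    window_end: time = time(23, 59)

    def __post_init__(self):
        self.in_scope = [ipaddress.ip_network(n, strict=False) for n in self.in_scope]
        self.excluded = [ipaddress.ip_network(n, strict=False) for n in self.excluded]


def in_scope(scope, target):
    """True only if target is inside an authorized range AND outside every exclusion."""
    addr = ipaddress.ip_address(target)           # raises ValueError for hostnames/CIDRs
    allowed = any(addr in net for net in scope.in_scope)
    carved_out = any(addr in net for net in scope.excluded)
    return allowed and not carved_out


def in_window(scope, when):
    """True if the (timezone-aware) datetime falls inside the agreed window; handles overnight windows."""
    t = when.astimezone(timezone.utc).time()
    if scope.window_start <= scope.window_end:
        return scope.window_start <= t <= scope.window_end
    return t >= scope.window_start or t <= scope.window_end


def filter_targets(scope, targets, when):
    """Split candidates into (authorized, [(target, reason), ...]). Never touch the second list."""
    if not in_window(scope, when):
        return [], [(t, "outside agreed test window") for t in targets]
    authorized, rejected = [], []
    for t in targets:
        try:
            ok = in_scope(scope, t)
        except ValueError:
            rejected.append((t, "not an IP address; resolve it and re-check the address"))
            continue
        if ok:
            authorized.append(t)
        else:
            rejected.append((t, "out of scope or explicitly excluded"))
    return authorized, rejected


# Constructed rules of engagement: two documentation ranges, one excluded host,
# testing allowed only overnight 22:00-06:00 UTC.
ROE = Scope(in_scope=["203.0.113.0/24", "198.51.100.0/25"],
            excluded=["203.0.113.10/32"],
            window_start=time(22, 0), window_end=time(6, 0))

if __name__ == "__main__":
    now = datetime(2024, 11, 5, 23, 30, tzinfo=timezone.utc)
    candidates = ["203.0.113.5", "203.0.113.10", "198.51.100.200", "www.example.test"]
    ok, bad = filter_targets(ROE, candidates, now)
    print("scan these:", ok)
    for target, reason in bad:
        print("skip", target, "->", reason)
```

Wire the authorized list, and only that list, into whatever scanner runs next (for example as an Nmap target file), and keep the rejected list with its reasons: it documents that the exclusions were respected, which is exactly the question a client asks when something unrelated breaks during the test window.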
Penetration Testing: A Critical Security Measure
• Penetration testing is essential for proactive security. It's like getting
regular health checkups to prevent serious illness.
• Regular tests find and fix vulnerabilities before attackers can exploit
them.
• The LPT methodology helps organizations improve their security
posture.
Questions ???
