Chapter 4 - Network

The document discusses penetration testing, which involves testing a system's security vulnerabilities by attempting to break into it in order to identify weaknesses. Penetration testing is performed through four main phases - reconnaissance, scanning and identification, exploitation, and maintaining access. Various tools like Metasploit and Nmap can be used. The process aims to gather information, find potential entry points, try exploiting vulnerabilities either virtually or for real, and report findings along with risk levels and remediation timelines to help clients improve their security.

Uploaded by Qusay Ismail

Penetration Testing

What is?

Penetration testing, also called pen testing or ethical hacking, is the practice of testing a computer system, network
or web application to find security vulnerabilities that an attacker could exploit. Penetration testing can be
automated with software applications or performed manually. Either way, the process involves gathering
information about the target before the test, identifying possible entry points, attempting to break in -- either
virtually or for real -- and reporting back the findings.
The main objective of penetration testing is to identify security weaknesses. Penetration testing can also be used
to test an organization's security policy, its adherence to compliance requirements, its employees' security
awareness and the organization's ability to identify and respond to security incidents.

Penetration tests are also sometimes called white hat attacks because in a pen test, the good guys are attempting
to break in.
Examples:

• Web Application Pentesting (Website), Android Application Pentesting, Development Pentesting.
Tools / Projects
Metasploit

• The Metasploit Project is an open source project owned by the security company Rapid7, which licenses full-featured versions of the Metasploit software. It collects popular penetration testing tools that can be used on servers, online-based applications and networks. Metasploit can be used to uncover security issues, to verify vulnerability mitigations and to manage security processes.

• Others: Wireshark, Nmap, etc.
How to do Penetration Testing
The following activities need to be performed to execute a penetration test.
Phase 1) The reconnaissance phase

The idea of this phase is to gather as much info about the subject as you possibly can.
Some often want to skip this and get straight to the fun part?
Not if you want to succeed.
It’s really important that you have a clear understanding of the client’s systems and operations before you begin exploiting.
Some people call this phase “foot-printing”.

• Common reconnaissance methods include:

- Search engine queries.
- Domain name searches, WHOIS lookups, and reverse DNS to get subdomains, people’s names, and data about the attack surface.
- Social engineering to find out positions, technologies, email addresses.

Once you are satisfied that you have a good understanding of the target, you’re ready to move on to the next phase.
Phase 2) Scanning and identification phase

Once you feel you have sufficient info about the client’s systems, you can start modeling the threats that the client
would realistically face and identify vulnerabilities that will allow for those attacks.
It’s kind of a pre-attack phase in which you get everything ready.
And
All that data you gathered during reconnaissance will pay off.
You might start using scanning tools or port scanners to find open ports, live hosts, etc.

Or you may use a vulnerability scanner to find possible vulnerabilities on the network.
In short
You’re looking to get as many details about the systems as you can.
Are the systems up?
What OS are they?

Then
It’s time to start thinking like an attacker.
Think about the company’s assets and how they may be used.
Things like employee info:
Who works in what departments, what is their role, can the employee be exploited as a stepping stone in the
attack?
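The port scanning described in this phase has a defender-side mirror: a sweep shows up in connection logs as one source touching many ports on a host in a short time, which is exactly the kind of event the client's incident-response team should be catching. As an added example that is not part of the slides, this Python script flags that pattern in a constructed connection log (the log format, the 60-second window and the 10-port threshold are assumptions):

```python
"""Flag port-scan behaviour in connection logs (added example, not from the slides).
Constructed log format: "<epoch> <src_ip> <dst_ip> <dst_port> <action>". A source hitting
more than PORT_THRESHOLD distinct ports on one host within WINDOW_SECONDS is flagged;
both thresholds are assumptions for this example."""
from collections import defaultdict

WINDOW_SECONDS = 60
PORT_THRESHOLD = 10

# Constructed sample: 10.0.0.5 sweeps 15 ports on 192.168.1.10; 10.0.0.7 is ordinary traffic.
SAMPLE_LOG = "\n".join(
    [f"{1700000000 + i} 10.0.0.5 192.168.1.10 {20 + i} DENY" for i in range(15)]
    + [
        "1700000003 10.0.0.7 192.168.1.10 443 ALLOW",
        "1700000009 10.0.0.7 192.168.1.10 443 ALLOW",
        "1700000020 10.0.0.7 192.168.1.20 22 ALLOW",
    ]
)

def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return int(ts), src, dst, int(port), action

def detect_port_scans(log_text, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Return {(src, dst): max_distinct_ports} for pairs exceeding `threshold`
    distinct destination ports inside any sliding window of `window` seconds."""
    events = defaultdict(list)  # (src, dst) -> [(ts, port), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port, _ = parse_line(line)
            events[(src, dst)].append((ts, port))
    flagged = {}
    for key, recs in events.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            # Advance the left edge until the window spans at most `window` seconds.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            ports = {port for _, port in recs[start:end + 1]}
            if len(ports) > threshold:
                flagged[key] = max(flagged.get(key, 0), len(ports))
    return flagged

if __name__ == "__main__":
    for (src, dst), count in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, {count} distinct ports")
```

A slow scan spread over more than the window will evade this rule, which is why the window and threshold need tuning against the client's real traffic.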
Phase 3) The exploitation phase

If you’ve completed all of the steps leading to this one, you are on the road to a successful penetration testing engagement.
But
Don’t relax now.
There’s still a lot to do.

The time has come:

You can begin exploiting those opportunities to gain access to systems.
Dependent upon the scope, you’ll want to see just how far you can get.
Can you get a shell going on the computer?
Can you use it to pivot to another computer or server?
Can you get credentials off of it?

Or you may try creating an admin account.

That’s kind of the goal of this phase – to gain as high of administrator access as possible.

Don’t get me wrong

There may be other goals, and a ton of damage can still be done even without admin rights.

Once you’ve fully exploited the information systems or your engagement time has run out, it’s time to go to the phase that the client is expecting.
Phase 4) Maintaining Access
Once a pentester manages to gain access to the target system, he should work hard to keep his boat afloat, metaphorically speaking. He can choose either to use the hijacked system as a launching-pad (i.e., to be part of a botnet for DDoS attacks or spam campaigns) and from there attack, scan and exploit other systems, or to keep on exploiting the current system in stealth mode. Both actions can entail a great deal of damage.

For those who want to remain undetected, it will be imperative to undertake further steps to secure their presence. There are different ways through which that can happen, but typically through the installation of hidden infrastructure for repeated and unfettered access based on backdoors, Trojan horses, rootkits, and covert channels. When this infrastructure is all set to go, the pentester can then proceed to exfiltrate whatever data he considers valuable.

• Tools and Methods:

- Rootkit.
- Backdoor, much like remote access Trojans (RATs).
While maybe not the most enjoyable of the penetration testing phases, reporting is probably the most
important phase.
Why?
Because it’s here that you tell your client their systems’ weaknesses and give them suggestions to
resolve those weaknesses.
You should tell the client exactly what the exploits were that you used to compromise their systems,
as well as exactly what steps should be taken to remediate them.
The whole point of this penetration testing engagement was to make their systems more secure,
right?
So don’t hold anything back.
To make things totally clear for the client, I like to:
Weight each exploit or weakness using a metric based on its risk level – Low, moderate, high, or extreme.

This weight is based on how easy it was to exploit and how much damage it could cause.
Then, always add a suggested remediation timeline.
Critical items are in the 1 – 3 month timeline and non-critical findings are in the 3 – 6 month bracket.
It's preferred to make it very easy for the client to see what they need to address, what is most critical, and just
how critical it is.
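The weighting and timeline scheme described above, worked through in Python as an added example that is not part of the slides. The four level names and the 1 to 3 / 3 to 6 month brackets are the author's; the 1 to 3 scales for ease and damage, the product-based cut-offs between levels, and the sample findings are assumptions made for this example:

```python
"""Risk weighting and remediation timeline for findings (added example, not from the slides).
The slides weight each finding by ease of exploitation and potential damage into
Low / Moderate / High / Extreme, with critical items on a 1-3 month timeline and
non-critical ones on 3-6 months. The 1..3 scales and product cut-offs are assumptions."""
from dataclasses import dataclass

@dataclass
class Finding:
    title: str
    ease: int    # 1 = hard to exploit ... 3 = trivial (assumed scale)
    damage: int  # 1 = minor impact ... 3 = severe (assumed scale)

def risk_level(ease, damage):
    """Map ease x damage (1..9) onto the slides' four levels (cut-offs assumed)."""
    if not (1 <= ease <= 3 and 1 <= damage <= 3):
        raise ValueError("ease and damage must be in 1..3")
    score = ease * damage
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Moderate"
    if score <= 6:
        return "High"
    return "Extreme"

def remediation_timeline(level):
    """High/Extreme are treated as critical: 1-3 months; the rest get 3-6 months."""
    return "1-3 months" if level in ("High", "Extreme") else "3-6 months"

def build_report(findings):
    """Return (title, level, timeline) rows, most critical first, so the client
    sees at a glance what to address and how urgent it is."""
    scored = sorted(findings, key=lambda f: f.ease * f.damage, reverse=True)
    rows = []
    for f in scored:
        level = risk_level(f.ease, f.damage)
        rows.append((f.title, level, remediation_timeline(level)))
    return rows

# Constructed sample findings for illustration only.
SAMPLE_FINDINGS = [
    Finding("Server banner discloses exact software version", ease=3, damage=1),
    Finding("Default credentials accepted on internal admin portal", ease=3, damage=3),
    Finding("Legacy TLS protocol versions still enabled", ease=1, damage=2),
]

if __name__ == "__main__":
    for title, level, timeline in build_report(SAMPLE_FINDINGS):
        print(f"[{level:8}] {timeline:10} {title}")
```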
Who?
Penetration testing can be:
• 1- automated with software applications.
• 2- performed manually.
