Introductiontopentesting 190926185918

The document provides an overview of penetration testing including what it is, the types of penetration testing, the steps involved, and requirements to get started. It discusses blackbox and whitebox testing, the reconnaissance, enumeration, vulnerability analysis, exploitation, and reporting phases. It also covers common attack types, web vulnerabilities, network attacks, and penetration testing tools.

Penetration Testing

These slides are for those who want to enter and learn about the world of penetration testing.

Nezar Alazzabi

2019-09-25
What is Penetration Testing
Penetration testing, also called pen testing or ethical hacking, is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit. Penetration testing can be automated with software applications or performed manually; either way, the process involves gathering information about the target before the test, identifying possible entry points, attempting to break in and reporting back the findings.

The main objective of penetration testing is to identify security weaknesses. Penetration testing can also be used to test an organization's security policy, its adherence to compliance requirements, its employees' security awareness and the organization's ability to identify and respond to security incidents.
Types of Penetration Testing

Black-box testing: In a black-box testing assignment, the penetration tester is placed in the role of the average hacker, with no internal knowledge of the target system. Testers are not provided with any architecture diagrams or source code that is not publicly available. A black-box penetration test determines the vulnerabilities in a system that are exploitable from outside the network. This means that black-box penetration testing relies on dynamic analysis of currently running programs and systems within the target network. A black-box penetration tester must be familiar with automated scanning tools and methodologies for manual penetration testing. Black-box penetration testers also need to be capable of creating their own map of a target network based on their observations, since no such diagram is provided to them.

White-box testing: White-box testing goes by several different names, including clear-box, open-box, auxiliary and logic-driven testing. It falls on the opposite end of the spectrum from black-box testing: penetration testers are given full access to source code, architecture documentation and so forth. The main challenge with white-box testing is sifting through the massive amount of data available to identify potential points of weakness, making it the most time-consuming type of penetration testing.
Penetration Testing Steps

● Reconnaissance: the process of collecting information about the target before deploying any real attacks.
● Enumeration: the process of identifying the likely entry points into the target system.
● Vulnerability Analysis: the process which defines, locates, and classifies the security weaknesses in a computer, network, or application.
● Exploitation: the process by which pen testers compromise a system and expose it to further attacks.
● Reporting: the process of documenting all the steps that led to a successful attack during the test.

(Diagram: Phases of a Penetration Test)
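The reconnaissance and enumeration steps above are, at the network level, mostly "which ports answer, and what do they say?". The following is an added example (not part of the original slides) of a minimal TCP connect scanner with banner grabbing. To stay runnable offline it stands up its own constructed targets on the loopback interface (a fake SSH service, a service that is open but silent, and a port that is closed); the host names, banners and port choices are all assumptions for the demo.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def grab_banner(host, port, timeout=1.0):
    """TCP connect to host:port. Returns (is_open, banner_text).

    Services such as SSH, FTP and SMTP announce themselves right after the
    handshake; a service that stays silent is still recorded as open.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            try:
                banner = conn.recv(256)
            except socket.timeout:
                banner = b""
            return True, banner.decode("ascii", "replace").strip()
    except OSError:  # connection refused, timed out, unreachable ...
        return False, ""


def scan_ports(host, ports, timeout=1.0, workers=16):
    """Connect-scan the given ports in parallel; return {port: banner} for open ones."""
    open_ports = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: grab_banner(host, p, timeout), ports)
        for port, (is_open, banner) in zip(ports, results):
            if is_open:
                open_ports[port] = banner
    return open_ports


class FakeService:
    """Constructed stand-in for a target: a loopback listener that sends one banner."""

    def __init__(self, banner):
        self.banner = banner
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)         # so the accept loop can notice close()
        self.port = self.sock.getsockname()[1]
        self.running = True
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while self.running:
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.sendall(self.banner)  # empty banner: client just sees EOF

    def close(self):
        self.running = False
        self.sock.close()


def free_closed_port():
    """Bind and release an ephemeral port so we have one that is (almost certainly) closed."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Stand up two constructed services, scan them plus a closed port, return findings."""
    ssh = FakeService(b"SSH-2.0-OpenSSH_7.4\r\n")   # assumed banner for the demo
    quiet = FakeService(b"")                        # open but silent, like many HTTP services
    closed = free_closed_port()
    try:
        found = scan_ports("127.0.0.1", [ssh.port, quiet.port, closed], timeout=0.5)
    finally:
        ssh.close()
        quiet.close()
    return {"ssh_port": ssh.port, "quiet_port": quiet.port,
            "closed_port": closed, "found": found}


if __name__ == "__main__":
    for port, banner in sorted(demo()["found"].items()):
        print(f"{port}/tcp open  {banner or '(no banner)'}")
```

A real engagement would use Nmap for this (it also fingerprints the service and OS), but writing the connect scan by hand shows what the tool is doing on the wire: each probe is an ordinary TCP handshake, which is exactly why connect scans are noisy and show up in the target's logs.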
What do you need to start a pentest journey?
At the beginning you should start by reading about the subject, using articles, books, guides and videos, not just on pentesting but on general cybersecurity issues across the board.
In summary, you will be expected to understand:

● Cybersecurity: techniques, tricks, attack vectors, threat profiles and the anatomy of cyberattacks.
● Hardware and networks.
● Operating systems and databases.
● Applications, including web apps and APIs.
● Data analysis: at least in terms of analyzing security issues and presenting solutions.
● Programming languages including Python, Ruby, PHP and JavaScript.
● Scripting languages including shell scripting, PowerShell and batch files.
Penetration Test Terms
● CVE: The Common Vulnerabilities and Exposures (CVE) program has been cataloging publicly known software and firmware vulnerabilities since 1999. Each entry gets an identifier of the form CVE-YYYY-NNNN, which scanners, advisories and exploit databases use to refer to the same flaw.
● A vulnerability is a weak point or a bug in a piece of software, hardware or an operating system that leaves a system open to attacks and unauthorized access. The weakness can be as simple as a weak password or as complex as SQL Injection or a Buffer Overflow (BOF).
● An exploit is code that takes advantage of a software vulnerability or security flaw. It is written either by security researchers as a proof of concept (PoC) or by malicious actors for use in their operations. Exploits allow an intruder to remotely access a network, gain elevated privileges, or move deeper into the network or computer systems.
● A payload is the code that is executed through an exploit: what you do to the target after it is exploited. Have a look at the Metasploit Framework; it is essentially a collection of exploits and payloads, and each exploit can be paired with various payloads such as reverse or bind shells or the Meterpreter shell.
Most Common Types of Cyber Attacks
● Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks.
● Social engineering.
● Man-in-the-Middle (MITM) attacks.
● Phishing and spear-phishing attacks.
● Drive-by attacks.
● SQL Injection attacks.
● Cross-Site Scripting (XSS) attacks.
● Eavesdropping attacks.
● Malware attacks.
Common Web Vulnerabilities
● SQL INJECTION: SQL Injection is a vulnerability that allows an attacker to alter the back-end SQL statements by manipulating user-supplied data. Injection occurs when user input is sent to an interpreter as part of a command or query and tricks the interpreter into executing unintended commands, giving access to unauthorized data. A SQL command executed this way by the web application can also expose the entire back-end database.

● Cross Site Scripting (XSS): XSS vulnerabilities target scripts embedded in a page that are executed on the client side, i.e. in the user's browser rather than on the server. These flaws occur when the application takes untrusted data and sends it to the browser without proper validation or output encoding, so the attacker can execute malicious scripts in the victim's browser. Since the browser cannot know whether the script is trustworthy, the script is executed, and the attacker can hijack session cookies, deface websites, or redirect the user to malicious websites.

● Insecure Direct Object Reference (IDOR): This occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key, in a URL or form parameter without checking that the current user is allowed to access it. The attacker can change that reference to access other users' objects and unauthorized data.

● Cross Site Request Forgery (CSRF): A CSRF attack occurs when a malicious website, email, or program causes a user's browser to perform an unwanted action on a trusted site for which the user is currently authenticated. The attack forces the logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to the vulnerable web application.
Common Network Attacks
CDP Manipulation: CDP is enabled by default on Cisco switches and its packets are transmitted in clear text, which lets an attacker who can sniff the segment learn the device's platform, software version and addresses, then search for a known vulnerability for that version and use it against the device.

Telnet Enabled VTY: Telnet transmits everything, including the login credentials, in clear text, so anyone sniffing the network can read them. SSH version 1 has known protocol weaknesses and should be treated the same way; only SSH version 2 should be allowed on the VTY lines.

MAC Flooding: The attacker floods the switch's MAC (CAM) table with more source addresses than it can store. Once the table is full, the switch floods frames for unknown destinations out of every port, operating like a hub and giving the attacker the opportunity to sniff all traffic on the segment.

DHCP Spoofing: The attacker listens for DHCP requests and answers them before the legitimate server, handing out its own IP address as the default gateway. Client traffic then passes through the attacker, who becomes a man in the middle (MITM).

ARP Spoofing: The attacker sends forged ARP replies so that victims associate the gateway's IP address with the attacker's MAC address. The effect is the same as DHCP spoofing, but achieved through ARP messages.

VLAN Hopping: A station is able to access a VLAN other than its own. This can be done through one of the following:

A- Switch spoofing (negotiating a trunk link with the switch).

B- 802.1Q double tagging.
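The three layer-2 attacks above (ARP spoofing, DHCP spoofing and MAC flooding) each leave a simple statistical fingerprint on the segment, which is what a tester looks for when checking whether a client network would notice them. The following added example (not part of the original slides) runs that detection logic over constructed observations: the ARP replies, DHCP offers and per-port frame counts are made up for the demo, and the port names, addresses and the 64-MAC threshold are assumptions.

```python
from collections import defaultdict

# Constructed observations, as a sniffer on the segment would record them.
# ARP replies: (time_seconds, sender_ip, sender_mac)
ARP_REPLIES = [
    (0.0, "10.0.0.1", "00:11:22:33:44:01"),   # gateway answers normally
    (0.5, "10.0.0.20", "00:11:22:33:44:20"),
    (1.0, "10.0.0.1", "00:11:22:33:44:01"),
    (1.2, "10.0.0.1", "de:ad:be:ef:00:01"),   # same IP, new MAC: someone claims the gateway
    (1.4, "10.0.0.1", "de:ad:be:ef:00:01"),
]

# DHCP offers: (server_identifier, router_option)
DHCP_OFFERS = [
    ("10.0.0.1", "10.0.0.1"),      # the real server
    ("10.0.0.66", "10.0.0.66"),    # rogue server pointing clients at itself as gateway
]

# Ethernet frames per switch port: (port, source_mac)
FRAMES = (
    [("Gi0/1", "00:11:22:33:44:20")] * 5                              # one host, normal
    + [("Gi0/2", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}") for i in range(500)]  # flood
)


def detect_arp_spoofing(replies, protected_ips=()):
    """Track IP -> MAC from ARP replies and flag any IP whose MAC changes.

    Returns [(time, ip, old_mac, new_mac, is_protected)]; is_protected marks
    addresses such as the gateway whose change is almost never legitimate.
    """
    seen = {}
    alerts = []
    for t, ip, mac in replies:
        old = seen.get(ip)
        if old is not None and old != mac:
            alerts.append((t, ip, old, mac, ip in protected_ips))
        seen[ip] = mac
    return alerts


def detect_rogue_dhcp(offers, allowed_servers):
    """Any DHCP offer from a server not on the allow-list is a rogue server."""
    return [(srv, router) for srv, router in offers if srv not in allowed_servers]


def detect_mac_flooding(frames, max_macs_per_port=64):
    """Count distinct source MACs per access port; a normal port carries a handful."""
    macs = defaultdict(set)
    for port, src in frames:
        macs[port].add(src)
    return {port: len(s) for port, s in macs.items() if len(s) > max_macs_per_port}


if __name__ == "__main__":
    for t, ip, old, new, critical in detect_arp_spoofing(ARP_REPLIES, {"10.0.0.1"}):
        print(f"t={t}: {ip} moved {old} -> {new}{'  (GATEWAY)' if critical else ''}")
    print("rogue DHCP:", detect_rogue_dhcp(DHCP_OFFERS, {"10.0.0.1"}))
    print("flooded ports:", detect_mac_flooding(FRAMES))
```

These checks are what switch features such as dynamic ARP inspection, DHCP snooping and port security implement in hardware; running them over a capture during a test shows whether those protections are actually configured on the client's switches.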


Common Pentest Tools
● Nmap: not strictly a pen-testing tool, but a must-have for ethical hackers, sysadmins and network admins. It is a very popular tool that predominantly aids in understanding the characteristics of a target network: live hosts, open ports and services, operating systems, packet filters and firewalls. It runs on most platforms and is open source.
● Nessus: one of the most robust vulnerability scanners available. It specializes in compliance checks, sensitive data searches, IP range scans, website scanning and so on, and aids in finding the weak spots that a port scan alone does not reveal.
● Acunetix: a fully automated web vulnerability scanner that detects and reports on thousands of web application vulnerabilities, including variants of SQL Injection and XSS.
● Metasploit: the most advanced and popular framework for pen-testing. It is built around the concept of an exploit, code that bypasses a security measure to enter a system; once in, it runs a payload, code that performs operations on the target machine. Together they make a complete framework for penetration testing.
● Wireshark: a network protocol analyzer, popular for providing the minutest details about network protocols and packet contents, including decryption of protocols for which it has the keys. It runs on Windows, Linux, macOS, Solaris, FreeBSD, NetBSD and many other systems.
● Burp Suite: essentially an intercepting proxy and scanner (with an "Intruder" tool for automated attacks); many security testers consider pen-testing web applications without it unimaginable. The Professional edition is commercial but cost effective; a free Community edition with a limited feature set exists.
Pentest Roles and Responsibilities
● Network and application tests to check for general security vulnerabilities across a network. The pentester will be involved in designing these tests or keeping existing ones up to date, and will be expected to know how to implement and apply pentesting tools.
● Physical security tests, such as checking the hardening of servers against non-cyber threats (vandalism, climate impacts and so on).
● Security audits: a fundamental and ongoing aspect of the penetration tester's role. You will be expected to assess the security of a given process, protocol or system, and to write up reports of the audits.
● General security report writing, and the use of metrics from tests to help develop security strategies.
● Involvement in the security team and in security policy review: you will need to communicate with your wider team and help review security policy.
Penetration Testing Certificates
Here is a list of the most common certificates in penetration testing:

● EC-Council Licensed Penetration Tester (LPT) Master.
● EC-Council Certified Ethical Hacker (CEH).
● IACRB Certified Penetration Tester (CPT).
● Certified Expert Penetration Tester (CEPT).
● Offensive Security Certified Professional (OSCP).
● Certified Penetration Testing Engineer (CPTE).
● Certified Penetration Testing Consultant (CPTC).
● GIAC Exploit Researcher and Advanced Penetration Tester (GXPN).
● Certified PowerShell Hacker (CPSH).
● GIAC Web Application Penetration Tester (GWAPT).
● GIAC Penetration Tester (GPEN).
● Certified Information Systems Security Professional (CISSP).
● GIAC Certified Forensic Analyst (GCFA).
● Certified Reverse Engineering Analyst (CREA).