1 of 25

Penetration Testing & Tools

Penetration Testing Execution Standard (PTES)

  • “Penetration Testing is a way to simulate the methods that an attacker might use to circumvent security controls and gain access to a system.”1

PTES defines the baseline fundamentals for performing a penetration test:

http://www.pentest-standard.org/

  • 1 Kennedy, David, et al. Metasploit: The Penetration Tester’s Guide. San Francisco: No Starch Press, 2011. Print.

PTES Phases

  1. Pre-Engagement
  2. Intelligence Gathering
  3. Threat Modeling
  4. Vulnerability Analysis
  5. Exploitation
  6. Post Exploitation
  7. Reporting

Pre-Engagement

  • Discuss the scope and terms of the penetration test with your client
    • Convey the goals of the penetration test
    • Use this opportunity to explain what will happen and to set expectations for a full-scale penetration test
    • Agree on what will be tested, including the need for full access in order to produce a complete report
    • Put the agreed scope, rules of engagement and written authorization on paper before any testing begins

Intelligence Gathering

  • Gather information about the organization (social media, Google hacking, etc.)
  • Begin probing the organization for open ports. If active blocking is in place you will be blocked, so probe from a disposable IP address
  • Test any web applications

Note: perform scans from an IP address range that is not associated with you or your team (never from your team’s office), so that automatic blocking does not lock out your own infrastructure. The source ranges you use must still be recorded in the rules of engagement so the client can distinguish your traffic from a real attack.

Threat Modeling

  • Use the information acquired during intelligence gathering
  • Look at the organization as an adversary would and determine
    • where the threats are coming from,
    • what form they may take,
    • and what they are after.

Vulnerability Analysis

  • Uses all the information collected in the prior phases
  • A detailed analysis that takes into account port and vulnerability scans, banner grabbing, and the information from intelligence gathering

Exploitation

  • The “glam” part of the penetration test
  • In practice often brute force (not very “glam”) rather than precision
  • Separates the “good” testers from the “bad” ones:
    • “Bad” testers fire off a massive onslaught of exploits
    • “Good” testers run only the exploits expected to succeed, based on the information gathered

    • Creating “noise” with mass exploitation and hoping for a result is not the way! It also trips detection and can crash production systems
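The vulnerability-analysis and exploitation points above (use the scan and banner data, then fire only the exploits expected to succeed) as a worked example. This is added code, not from the slides, PTES or the Metasploit book: the Nmap XML is a constructed sample of `nmap -sV -oX` output, and the exploit catalogue with its `demo/` identifiers is hypothetical and only illustrates the matching logic.

```python
"""Parse Nmap XML output and pair services with exploits that actually match.

Added example (not from the slides or the PTES/Metasploit material).
The Nmap XML below is a constructed sample; the exploit catalogue is
hypothetical and exists only to show the "good tester" filter.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed Nmap -oX output: two hosts, open and closed ports, with
# product/version strings as produced by version detection (-sV).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/29">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.49"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="closed"/>
        <service name="microsoft-ds"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="vsftpd" version="3.0.3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    name: str
    product: str
    version: str

def parse_nmap_xml(xml_text: str) -> list[Service]:
    """Return one Service per open port; closed/filtered ports are dropped."""
    root = ET.fromstring(xml_text)
    services = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            services.append(Service(host=ip, port=int(port.get("portid")),
                                    proto=port.get("protocol"), name=get("name"),
                                    product=get("product"), version=get("version")))
    return services

# Hypothetical exploit catalogue: (exploit id, product, affected versions).
# On a real engagement this comes from the team's vetted exploit database.
EXPLOIT_CATALOGUE = [
    ("demo/apache_path_traversal", "Apache httpd", {"2.4.49"}),
    ("demo/vsftpd_old_backdoor", "vsftpd", {"2.3.4"}),
    ("demo/samba_rce", "Samba", {"3.5.0"}),
]

def select_exploits(services, catalogue=EXPLOIT_CATALOGUE):
    """The 'good tester' filter: pair an exploit with a service only when
    product and version both match. Anything else is noise, not a plan."""
    plan = []
    for svc in services:
        for exploit_id, product, versions in catalogue:
            if svc.product == product and svc.version in versions:
                plan.append((svc.host, svc.port, exploit_id))
    return plan

if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_NMAP_XML)
    for s in found:
        print(f"{s.host}:{s.port}/{s.proto} {s.name} {s.product} {s.version}")
    print("planned:", select_exploits(found))
```

Only one of the four services survives the filter: the vsftpd host runs a version the catalogue does not cover, and the closed 445/tcp port never reaches the selection step at all. That short list is the exploitation plan; the rest of the catalogue stays unused.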

Post Exploitation

  • Begins after you have compromised one or more systems (with many more to come)
    • Target specific systems
    • Identify critical infrastructure
    • Target information or data of value to the company

  • Start with the systems that would have the greatest business impact on the company if breached

Post Exploitation

  • Take the time to learn what each system does and what user roles it has
  • Ex: suppose you compromise the domain. Big deal.
  • What else could you do with the systems the business actually runs on? Backdoor code in a financial application? Access to the payroll system? Intellectual property?

Reporting

  • The most important element of the penetration test
  • Include at least:
    • Executive Summary
    • Executive Presentation
    • Technical Findings
      • Used by the client to remediate the security holes
      • Warn the client against assuming that fixing one hole solves the whole problem. Ex: they fix a SQL injection vulnerability, but have they addressed the 3rd-party applications connected to the same data?

Types of Penetration Tests

  • Overt Penetration Testing
    • You work with the organization to identify the potential security threats
      • Advantages: full access without blocks, detection doesn’t matter, access to insider knowledge
      • Disadvantages: no opportunity to test incident response
  • Covert Penetration Testing
    • Performed to test the internal security team’s ability to detect and respond to an attack
      • Advantages: tests incident response, most closely simulates a true attack
      • Disadvantages: costly, time consuming, requires more skill
      • Note: because of the cost, most covert tests target only one vulnerability, the one offering the easiest access; gaining access undetected is the key

Vulnerability Scanners

  • Automated tools used to identify security flaws
    • 1. Fingerprint the target’s operating system
    • 2. For the OS identified, use the scanner to determine whether known vulnerabilities exist

    • Although vulnerability scanners play an essential role in penetration testing, a penetration test CANNOT be completely automated. Penetration testers with years of experience rarely lean on vulnerability scanners; they rely more on their own knowledge and experience, and business knowledge is also a key factor.

PTES Methodology

  • You can use PTES or another methodology to perform a penetration test.
  • What matters most is having a standard, repeatable process that you follow.
  • OCD wins the prize!

Penetration Testing Tools

1. Information Gathering and Reconnaissance

    • Nmap: Network scanning tool for discovering hosts and services on a computer network.
    • Recon-ng: A reconnaissance framework that provides a powerful environment for gathering open-source intelligence (OSINT).
    • Whois: A simple tool for querying domain registration information.
    • Maltego: A platform for gathering and analyzing information about people, organizations, and infrastructure.
    • Shodan: A search engine for discovering devices connected to the internet, such as routers, cameras, and servers.

Penetration Testing Tools

2. Vulnerability Scanning

    • Nessus: A comprehensive vulnerability scanner used for identifying vulnerabilities, misconfigurations, and compliance issues.
    • OpenVAS: An open-source vulnerability scanning tool and management platform.
    • Qualys: A cloud-based vulnerability management solution.

Penetration Testing Tools

3. Web Application Testing

    • Burp Suite: A powerful suite of tools for testing and securing web applications, including a proxy, scanner, and intruder.
    • OWASP ZAP: A free, open-source web application security scanner designed to find vulnerabilities in web apps.
    • Nikto: A web server scanner that identifies various vulnerabilities and configuration issues.
    • Wfuzz: A tool used for fuzzing web applications and finding hidden resources or vulnerabilities.
    • DirBuster: A tool for brute-forcing directories and file names on web servers.
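What Wfuzz and DirBuster actually do on the wire, as an added example (not code from the slides or from either tool): a wordlist-driven content brute-forcer that keeps every response that is not a plain 404. To stay offline it starts a throwaway HTTP server on loopback with a constructed set of paths; the wordlist is constructed too.

```python
"""Minimal directory/file brute-forcer in the style of DirBuster/Wfuzz.

Added example, not code from the slides or from either tool. The target
server, its paths and the wordlist are all constructed for the demo so
it runs offline on 127.0.0.1.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed target: the paths a "real" server would expose.
KNOWN_PATHS = {
    "/": 200,
    "/admin/": 401,       # exists but needs auth: still a finding
    "/backup.zip": 200,
    "/old/": 403,         # forbidden, but the directory is there
    "/.git/HEAD": 200,    # exposed repo metadata
}

# Constructed wordlist; real runs use lists of thousands of entries.
WORDLIST = ["admin/", "backup.zip", "old/", ".git/HEAD", "login", "test/", "api/"]

class _Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        code = KNOWN_PATHS.get(self.path, 404)
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok" if code == 200 else b"")

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_target():
    """Bind a loopback server on an ephemeral port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"

def probe(base_url, path):
    """Return the HTTP status for base_url/path; urllib raises on non-2xx,
    so the status is recovered from the HTTPError."""
    try:
        with urllib.request.urlopen(base_url + "/" + path, timeout=2) as r:
            return r.status
    except urllib.error.HTTPError as e:
        return e.code

def brute_force(base_url, wordlist, interesting=(200, 301, 302, 401, 403)):
    """Try every word and keep anything that is not a plain 404. 401/403 are
    kept on purpose: the resource exists even if we cannot read it yet."""
    hits = {}
    for word in wordlist:
        status = probe(base_url, word)
        if status in interesting:
            hits["/" + word] = status
    return hits

def run_demo():
    """Start the constructed target, brute-force it, tear it down."""
    srv, base = start_target()
    try:
        return brute_force(base, WORDLIST)
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    for path, status in sorted(run_demo().items()):
        print(f"{status} {path}")
```

The filter is the important design choice: a naive "200 only" rule would miss `/admin/` and `/old/`, which are exactly the paths worth chasing next. On a real target the word list is large and the server may answer 200 to everything (soft 404s), so the tool must also compare response sizes or bodies against a known-missing path before trusting a hit.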

Penetration Testing Tools

4. Exploitation

    • Metasploit Framework: A comprehensive platform for developing, testing, and executing exploit code against remote targets.
    • BeEF: The Browser Exploitation Framework, which “hooks” web browsers and uses the hooked browser as a foothold for further attacks against the user and the internal network.
    • Social Engineering Toolkit (SET): A tool used for testing and executing social engineering attacks.

Penetration Testing Tools

5. Wireless Network Testing

    • Aircrack-ng: A suite of tools for auditing wireless networks, including capturing packets and cracking WEP and WPA-PSK keys.
    • Kismet: A wireless network detector, sniffer, and intrusion detection system.
    • Wireshark: A network protocol analyzer used for capturing and analyzing network traffic, including wireless networks.

Penetration Testing Tools

6. Password Cracking and Hash Cracking

    • John the Ripper: An offline password cracker that supports a large number of hash formats.
    • Hashcat: A powerful, GPU-accelerated password cracker that supports a wide range of hash algorithms.
    • Hydra: An online password-guessing tool that brute-forces remote authentication services (SSH, FTP, HTTP, etc.); unlike the two above it talks to the live service, so it is noisy and subject to lockouts.
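The core of what John the Ripper and Hashcat do in offline mode, as an added example (not code from the slides or from either tool): a wordlist expanded by mangling rules, each candidate hashed and looked up against the captured hash list. The hash dump below is constructed for the demo from known passwords, and the rule set is a tiny subset of what the real tools ship.

```python
"""Dictionary-plus-rules cracking, the technique behind John and Hashcat.

Added example, not code from the slides or from either tool. The "leaked"
hash lines are constructed (generated from known passwords with the same
helper), and the rules are a toy subset of the real tools' rule engines.
"""
import hashlib
import itertools

def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()

# Constructed hash dump in "user:hash" form. Unsalted, fast SHA-256, which
# is exactly why one candidate hash can be tested against every user at once.
HASH_DUMP = [
    "alice:" + sha256_hex("Summer2023!"),
    "bob:" + sha256_hex("password1"),
    "carol:" + sha256_hex("Welcome123"),
    "dave:" + sha256_hex("x7#qL!9vZ&m2"),   # random: should survive this attack
]

WORDLIST = ["password", "welcome", "summer", "letmein", "qwerty"]

def mangle(word):
    """Expand one base word with John/Hashcat-style rules: case variants,
    appended digits or years, and an optional trailing '!'."""
    bases = {word, word.capitalize(), word.upper()}
    suffixes = [""] + [str(d) for d in range(10)] + ["123", "2023", "2024"]
    symbols = ["", "!"]
    for base, suf, sym in itertools.product(bases, suffixes, symbols):
        yield base + suf + sym

def crack(hash_lines, wordlist, hash_fn=sha256_hex):
    """Return {user: password} for every hash hit by a mangled candidate.
    A digest->users index means the cost is one hash per candidate, not
    one per candidate per user; that is the attacker's economy of scale."""
    targets = {}
    for line in hash_lines:
        user, digest = line.split(":", 1)
        targets.setdefault(digest, []).append(user)
    total = sum(len(users) for users in targets.values())
    cracked = {}
    for word in wordlist:
        for cand in mangle(word):
            users = targets.get(hash_fn(cand))
            if users:
                for u in users:
                    cracked[u] = cand
        if len(cracked) == total:   # nothing left to crack
            break
    return cracked

if __name__ == "__main__":
    for user, pw in crack(HASH_DUMP, WORDLIST).items():
        print(f"{user}: {pw}")
```

Three of the four accounts fall to a five-word list because the rules recover the habits users actually have (capitalize, append a year, add a `!`). The defence side of the same lesson: a per-user salt forces one hash per candidate per user, and a slow hash (bcrypt, scrypt, Argon2) makes each of those hashes expensive, which is what turns this from seconds into years.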

Penetration Testing Tools

7. Post-Exploitation

    • Empire: A post-exploitation and remote administration tool built on PowerShell and Python.
    • Cobalt Strike: A commercial adversary-simulation and post-exploitation tool that provides a full range of offensive capabilities (beacons, lateral movement, command and control).

Penetration Testing Tools

8. Reverse Engineering

    • Ghidra: A free, open-source reverse engineering framework developed by the NSA.
    • IDA Pro: A powerful interactive disassembler and debugger used for reverse engineering.
    • OllyDbg: A 32-bit assembler-level debugger for Microsoft Windows.

Penetration Testing Tools

9. Social Engineering

    • Phishing Frameworks (Evilginx, KingPhisher): Used for setting up phishing campaigns to steal login credentials and session cookies.

Penetration Testing Tools

10. Other Tools

    • Netcat: A versatile networking tool for reading and writing data across network connections.
    • TCPdump: A command-line packet analyzer tool to capture and display packets from the network.
    • Ettercap: A network sniffer and interceptor used for man-in-the-middle attacks.
    • Netdiscover: An ARP-based network discovery tool for identifying active hosts on a local network, including networks without DHCP.

Thank You
