© The Author(s), under exclusive license to APress Media, LLC, part of Springer Nature 2021
A. SheikhCertified Ethical Hacker (CEH) Preparation Guidehttps://doi.org/10.1007/978-1-4842-7258-9_16

16. Penetration Testing

Ahmed Sheikh1  
(1)
Miami, FL, USA
 

In this chapter, you will learn about security assessments, penetration testing, risk management, and various testing tools.

By the end of this chapter, you will be able to
  1. 1.

    Identify security assessments.

     
  2. 2.

    Identify the steps of penetration testing.

     
  3. 3.

    Examine risk management.

     
  4. 4.

    Identify various penetration testing tools.

     

Penetration Testing Overview

A penetration test , also known as a pen test, is used to simulate methods that an attacker would use to gain unauthorized access to a network and compromise the systems. A penetration test is considered a security assessment.

Each type of assessment serves a purpose, and it is important to understand the differences between them. Penetration testing assesses the security model of the network and can help administrators and management understand the potential consequences of an attack.

Security Assessments

Security assessments involve the process of validating the security level of network resources using security audits, vulnerability assessments, and penetration tests.

  • Security audits: Security audits focus on the people and processes used to design, implement, and manage security on a network. The National Institute of Standards and Technology (NIST) has several special publications that can be used as guides—SP 800-53 for the specification of security controls and SP 800-53A for the assessment of security control effectiveness. For more information, visit the National Institute of Standards and Technology (www.nist.gov/).

  • Vulnerability assessments: Vulnerability assessments scan the network for known security weaknesses. Vulnerability scanning tools compare the computer against the Common Vulnerability and Exposure (CVE) Index and security bulletins provided by software vendors. The CVE is a vendor-neutral listing of reported security vulnerabilities and is maintained. For information, visit the CVE website (http://cve.mitre.org/).

Vulnerability scanning software that runs under the security context of a domain administrator will return different results that if it is run under the context of an authenticated user.

  • Penetration testing: A penetration test goes a step beyond vulnerability scanning because not only will it point out vulnerabilities, but it will also document how weaknesses can be exploited and how minor vulnerabilities can be escalated by an attacker.

Phases of Penetration Testing

External tests can be black-box (zero-knowledge testing), gray-box (partial-knowledge testing), or white-box (complete-knowledge testing). Internal testing can be used for organizations that have the resources available. If there is insufficient expertise in-house, outsourcing is recommended.

For automated testing, organizations rely on security firms. Manual testing requires the expertise of a security professional and may be done from the perspective of a potential hacker.
  1. 1.

    Planning phase: In the planning phase, rules are identified and testing goals are set. Information about the target is gathered in the preattack phase. The information gathered will form the basis of the attack strategy. After the attack, the tester needs to restore the network back to its original state.

     
A pen test, an enumerating device, can cause systems to crash accidentally, data to be destroyed, or performance to be affected. The client risk should be properly evaluated. The main factor that plays into the planning phase is client risk. Due to the inherent risks of pen testing, management might want to first confirm that the testing organization has professional liability insurance. There are also a few dependencies to be considered in the planning phase. Certain steps need to be carried out before others.
  1. 2.

    Preattack phase: The preattack phase includes identifying threats to help conduct a risk assessment and to calculate the relative criticality of the threat. Business impact of threats can be designated as high, medium, or low. Internal metrics use data available within an organization to assess the risk of attack while external metrics are derived from data collected outside the organization. Assigning probability values to an exploit’s success allows the calculation of relative criticality. During this phase, the testing team will gather as much information as possible about the target company. There are a number of ways that information can be retrieved, as detailed.

     
  2. 3.

    Attack phase: The attack phase involves the actual compromise of the target by perhaps exploiting a vulnerability found during the preattack phase or using security loopholes such as a weak security policy to gain access.

     
  3. 4.

    Post-attack phase: It is the responsibility of the tester to restore any systems to the pretest state. Remember, the purpose of pen testing is to show where the failures of security exist, not to correct the problems.

     

Documentation

Reports detail the incidents that occurred during the testing process and the range of activities that were carried out by the testers. Three types of reports that can be used for documentation purposes are penetration testing reports, fault tree (attack tree), and gap analysis.

  • Penetration testing reports highlight incidents that occurred and the range of activities.

  • Fault tree and attack trees specify root events and identify events related to the root. Attack trees in particular look at who, when, why, how, and what.

  • Gap analysis evaluates the gaps between where an organization wants to be and where it currently stands. External standards can be used as part of the gap analysis to provide recommendations as to how the organization can reduce the gaps found.

Creating Payloads

You can build payloads with Metasploit that connect to the attacker’s machine when the victim runs them. Payloads for Windows, Linux, and Mac OS X operating systems can be created. When creating the payload, you can define the attacker’s port number, IP address, or fully qualified domain name (FQDN) and payload type, like meterpreter or Windows Command Shell.

If a Windows user launches the executable, their machine connects to port 22 at 216.6.1.100 (Figure 16-1). For that to work, the attacker machine needs to listen on that port.
../images/505537_1_En_16_Chapter/505537_1_En_16_Fig1_HTML.jpg
Figure 16-1

Network Attack 1

Exploiting a Victim Machine

After the MSF payload is created, FTP the iexplore.exe file. An attacker may use SQL injection to build an answer file for FTP that allows them to upload a file via the stored procedure xp_cmd shell. If the uploaded file is a meterpreter payload, it can also be operated via the xp_cmd shell to create a meterpreter session between the attacker and the victim. See Figures 16-2 and 16-3.
../images/505537_1_En_16_Chapter/505537_1_En_16_Fig2_HTML.jpg
Figure 16-2

FTP session

../images/505537_1_En_16_Chapter/505537_1_En_16_Fig3_HTML.jpg
Figure 16-3

Running the exploit

Summary

In this chapter, you learned about penetration testing. You gained an understanding of what security assessments entail and what is involved in risk management. This chapter also highlighted tools that can be used to conduct penetration testing.

Resources

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
52.15.59.163