Penetration Testing Execution Phases

Muhammad Nasir Mumtaz Bhutta
College of Computer Science and Information Systems
King Faisal University, Saudi Arabia
Email: mmbhutta@kfu.edu.sa,
Tel: +966 – 13589-9207
Office: 2088, first floor, CCSIT Building
www.kfu.edu.sa
CCSIT Cyberlympics 2017
Penetration Testing Execution
Phases
28 February 2017

Dr M Nasir Mumtaz Bhutta www.kfu.edu.sa
Presentation Overview
• Ethical Hacking Definition
• Pre-Engagement Discussions for Penetration Test
• Penetration Testing Phases
– Reconnaissance
– Vulnerability Analysis (Scanning)
– Exploitation
– Post Exploitation
– Reporting
• Threat Modeling (during Testing Phases)
• Assignment 2 Description
2

Ethical Hacking Term and
Definition
• Ethical Hacking (Penetration Testing)
– Penetration Testing or Ethical Hacking is to execute a simulated
attack on a computer system with permission of owner to:
• Gain access to system’s features and data.
• Find out weakness in the system.
– The target systems or particular goals are identified to attack and
to find out weakness.
• Black Box Penetration Testing (focus of this
training)
– Ethical hacker is provided no information except company name.
• White Box Penetration Testing
– Ethical hacker is provided with background and system
information.
3

Testing Organization’s Security
• Penetration Testers (PTs) are hired by
organizations to test their security.
– PT identifies the important cyber resources of
organization e.g. Payroll System, Organizational
secret document’s storage etc.
– Threats (events, processes, people who can harm
organization) are identified.
– Attacks are planned and are launched on selected
assets.
– Found vulnerabilities are reported to the organization.
– All Pen tests are different and are executed
differently.4

Today’s workshop Scope
• Today’s workshop is not focusing on risk management
and wide aspect of planning of organization’s security
evaluation e.g.
– Threats modeling for whole organization.
– Planning and Budgeting for all attacks.
• Rather, the focus is to learn technical aspects of
planning and launching attack for an assigned task.
– The managers have already identified the risks associated with
all the systems of organization.
– Managers assign a task to Penetration Tester (you):
• For example, “Try to hack the Linux based File server where trade secret’s
documents of an organization are stored.”
• Penetration tester will gather information about this assigned task and
execute attack.
5

Can Hacking be learned in a
systematic way?
• Yes, Hacking has been organized as a discipline over a
period of time and it can be learnt and practiced to
become successful ‘Ethical Hacker’.
– Many different phases proposed by different books, authors,
organizations
– All have same theory but different scopes to describe
‘Penetration Testing’.
• Today’s Training is focusing on technical aspects of
Penetration Testing.
– So, hacking phases described will be from technical aspect of an
assigned task as discussed before.
– It will focus on ‘Black Box Penetration Testing’.
6

Penetration Testing Phases
• These phases are to plan and execute a test technically.
• Reconnaissance:
– Collecting detailed information about system (e.g. all machines IP addresses, usernames,
email addresses of organizations etc. )
• Scanning (Vulnerability Analysis):
– Port Scanning: (finding open ports on systems and services being run).
– Vulnerability Scanning: (finding known vulnerabilities for services / softwares running on the
system).
• Exploitation:
– Attacking the system for found vulnerabilities.
• Maintaining Access (Post Exploitation):
– After exploitation, creating a permanent backdoor for easy access to the system later on.
• Reporting:
– Details about the found issues, detailed procedures and presenting solutions to mitigate the
security issues found.
• However, “Penetration Testing Execution Standard (PTES)” describe these phases
differently. We shall also get some processes (information) from there along with
above described phases to build better understanding about Penetration Testing.
7

Pre-engagement Interaction
8

Pre-Engagement Activities
• Scope: Discuss about number of computers or
software systems to be tested for penetration.
– In this workshop, there is one task given to tester
(Hack a Linux based server or test a website for
hacking).
• Time Estimation: The execution of time depends
on experience of tester.
– If a tester is more experienced in executing a specific
type of task, then less time will be spent on that test.
• Establish line of communications and contact
information before tests.
9

Examples or Possible Scenarios
of Penetration Testing
• Let’s discuss and fill the sheets distributed
to you about:
– Network Penetration Test
– Web Application Penetration Test
– Wireless Network Penetration Test
– Social Engineering Test
• This exercise will give you idea about
different types of Penetration tests.
10

Network Penetration Test
• Why is the customer having the penetration test performed against their environment?
• Is the penetration test required for a specific compliance requirement?
• When does the customer want the active portions (scanning, enumeration, exploitation,
etc...) of the penetration test conducted?
– During business hours?
– After business hours?
– On the weekends?
• How many total IP addresses are being tested?
– How many internal IP addresses, if applicable?
– How many external IP addresses, if applicable?
• Are there any devices in place that may impact the results of a penetration test such as
a firewall, intrusion detection/prevention system, web application firewall, or load
balancer?
• In the case that a system is penetrated, how should the testing team proceed?
– Perform a local vulnerability assessment on the compromised machine?
– Attempt to gain the highest privileges (root on Unix machines, SYSTEM or Administrator on Windows
machines) on the compromised machine?
– Perform no, minimal, dictionary, or exhaustive password attacks against local password hashes
obtained (for example, /etc/shadow on Unix machines)?
11

Web Application Penetration Test
• How many web applications are being assessed?
• How many login systems are being assessed?
• How many static pages are being assessed? (approximate)
• How many dynamic pages are being assessed? (approximate)
• Will the source code be made readily available?
• Will there be any kind of documentation?
– If yes, what kind of documentation?
• Will static analysis be performed on this application?
• Does the client want fuzzing performed against this application?
• Does the client want role-based testing performed against this
application?
• Does the client want credentialed scans of web applications
performed?
12

Wireless Network Penetration Test
• How many wireless networks are in place?
• Is a guest wireless network used? If so:
– Does the guest network require authentication?
– What type of encryption is used on the wireless
networks?
– What is the square footage of coverage?
– Will enumeration of rogue devices be necessary?
– Will the team be assessing wireless attacks against
clients?
– Approximately how many clients will be using the
wireless network?
13

Social Engineering Test
• Does the client have a list of email addresses they would
like a Social Engineering attack to be performed
against?
• Does the client have a list of phone numbers they would
like a Social Engineering attack to be performed
against?
• Is Social Engineering for the purpose of gaining
unauthorized physical access approved? If so:
– How many people will be targeted?
• It should be noted that as part of different levels of testing, the
questions for Business Unit Managers, Systems
Administrators, and Help Desk Personnel may not be
required. Why?
14

Scope of Penetration Test for
CCSIT Cyberlympics 2017
• The above questions have given you insight
about:
– What are important systems to target and how to plan
a test against them.
• The above discussion has not discussed:
– What kind of attacks will be launched?
– What vulnerabilities will be targeted?
• For Cyberlympics 2017, the focus is on:
– Network Penetration Testing
– Web Application Penetration Testing
•
15

Reconnaissance (Intelligence
Gathering)
Penetration Testing Execution Phases
16

Reconnaissance (Intelligence
Gathering) Background
• Reconnaissance is a process to gather
information about selected target.
– It is important to find out the targeted organization
(Military, Corporate or other).
• Basically, there are different levels of maturity of
Penetration Testing “PenTesting”. These levels
define:
– Expected output of test.
– Real world constraints
– Time, Effort and Access to information
17

Levels of Information Gathering - I
• There are three levels of information gathering.
• Level 1
– Compliance Driven: For certain industries, government has laid
down security standards or regulations to follow for secure IT
systems.
– Usually, tests are performed to test whether IT systems have
followed the guidelines of security standard and regulations e.g.
PCI DSS is standard for Card Payment Industry.
– Some automated tools are used to perform these tests specially
designed for specific standard.
• Example: A health organization is required to be
compliant with PCI / FISMA / HIPAA. For this kind of
tests, level 1 information gathering is done.
18

Levels of Information Gathering - II
• Level 2
– This level defines the best practices adapted by
PenTesters. (Most of the time, this level is followed for
information gathering).
– For information gathering at this level, some automated
tools are used as in level 1 + some manual analysis is
performed.
– A good understanding of business under test is developed.
– Important information like physical location, business
relationship, organizational chart are obtained.
• Example for Level2: An organization wants to test their PCI
compliance but also interested in their long term security strategy
evaluation.
19

Levels of Information Gathering - III
• Level 3
– This level of information is usually gathered for very
sensitive tasks like hacking for state (country).
– Level 1, 2 level of information gathering + more deep
manual analysis.
• More deep understanding of business processes, business
relations are gained.
• Example for Level 3:
– An Army intelligence team is tasked to attack on
segment of army in foreign country. The target is to
find out the vulnerabilities in the network so that
foreigners can’t exploit these vulnerabilities.
20

Reconnaissance – I
• What is it?
– Collecting maximum information about the target
according to levels discussed above.
– This information helps in planning the attacks to be
launched on selected targets (as discussed above in
pre-engagement section).
• Why do it?
– Open Source Intelligence (OSINT) is a form of
intelligence collection management:
• To collect information from public sources.
• To analyze the collected information to produce actionable
intelligence.
21

Reconnaissance – II
– OSINT, helps to gather various entrance points to the
targeted organization.
• These entrance points can be physical, electrical or human.
– Weakness:
• Many organizations don’t realize what information is made public
and how hackers can use that information to exploit it.
• For example, usually organizations use same username for
employees as their email addresses. So, you can easily find the
usernames of people to gain access to computers from website of
the organization.
• What is it not?
– Information gathered is not valid for long term.
– Organizations may change the things over period of
time.
22

OSINT (Three Forms)
• Passive Information Gathering
– This is covert type of gathering. The target is not to be detected.
– Most difficult type of information gathering as no traffic can be sent to
organization.
– This means only stored or archived information is used.
• Semi Passive Information Gathering
– This is also type of semi covert information gathering.
– Companies can trace back to the computer gaining information but there will be
no susceptible activity.
– Only published name servers are targeted to query about some desired
information. No in-depth search is tried in this approach.
• Active Information Gathering
– In this the type, it can be detected easily that some one is trying to gain
information.
– Without worrying about detection or being suspicious, full focus is done on
getting information.
– Unpublished servers, files, directories are searched to get information.
23

Goals of Information Gathering
(OSINT)
• In short, information gathering goals is to
collect information about:
– Target Selection
– Corporate Details
• Physical, Logical Details, organizational chart,
Financial details and information about individuals
are of importance.
– HUMINT (Human Intelligence)
– Footprinting
– Protection Mechanisms
24

Target Selection - I
• Identification and Naming of Target
– In pre-engagement phase, less information is
provided by customer like their top level domain
information e.g. kfu.edu.sa
– In Reconnaissance, more in depth information is tried
to be achieved like hierarchy of domain e.g.
kfu.edu.sa/ccsit etc.
• But, permission should be obtained from owner to explore
these things.
• Remember in white hat hacking, most of the time, active
reconnaissance can be used as allowed by owner
organization.
– So a list of target servers is obtained.
25

Target Selection – II
• Consider any Rules of Engagement Limitations
– Always stick with the rules decided in pre-engagement.
• For example, only launch attacks on allowed IP addresses in the company
or use those IP addresses to launch attacks.
• Usually, tester can deviate from these rules but it can have legal
consequences. So, always remain within rules and limitations set at
engagement.
• Consider Time Length and Goal for Test
– Remain focused on the goal and try to get information only relevant to
goal in mind. Get the relevant, secondary and tertiary elements as well.
But, avoid exploring the 3rd parties information.
– Remaining focused can save time as well. Remember usually,
organizations allow 3 – 6 months only for performing the testing for
whole organization’s critical and important assets.
– So, spend appropriate time on information gathering activity.
26

Corporate Details – I
• Physical Details
– Locations: (Level 1)
• Full listing of all physical addresses including City, full addresses etc., is
obtained.
• Full listing of all physical secure measures for locations (CCTV camera,
sensors, guards, entry controls, gates etc.,) is obtained as well.
– Pervasiveness (Level 1)
• Central office location as well as remote office locations information is
obtained as well.
• Security controls at central office may be good, but remote locations can
have poor security controls.
– Relationships (Level 1)
• Business Partners, customs, suppliers, open corporate web pages, rental
companies information is obtained.
• So, these people can be targeted targeted for social engineering attacks.
27

Corporate Details – II
• Logical Details
– Accumulated information for partners, clients and
competitors is obtained.
• Business Partners (L1)
• Business Clients (L1)
• Competitors (L1)
• Touchgraph (Employees connections inside or outside
organizations) (L1)
• Meetings (L2)
• Job Openings (L1)
• Charity Affiliations (L1)
• Political Donations (L2) etc.
28

Corporate Details – III
• Organizational Chart
– Position Identification (L1)
• Important people in organization
• Individuals to specifically targeted.
– Transactions (L1)
– Affiliates (other organizations tied with business). (L1)
• Electronics Details (L1)
– Document Metadata
– Marketing Communication
• Infrastructure Assets Details
– Network blocks owned by DNS or whois searches. (L1)
– Email addresses (L1)
– Technologies Used (L1)
– Remote Access (L1)
– Purchase Agreements (L1)
29

Corporate Details – IV
• Financial Details
– Market Analysis (L1)
– Published Financial Reports (L1)
• Information about Individuals in Organization
– History (Court Records, Political Donations, Professional
Licenses etc.,) (L2)
– Social Network Profile (L2)
– Social Media Presence and frequency to use or publish
information over there (L2)
– Internet Presence, Email Addresses (L1)
– Mobile Footprints (Phone Number, Device, Use, Installed
Applications etc.,).
30

More Information Gathering
• HUMINT (Human Intelligence) information is obtained:
– Feelings, History, Relationships between key individuals etc.
– People can be monitored via CCTV Cameras, recording web
activities, webcams etc.
• Footprinting
– It means getting information about target that this activity can be
traced later.
• Identify Protection Mechanisms
– Information about groups/persons/relevant locations security
must be obtained. For example:
• Network Based Protections (Simple Packet Filters, Encryption etc.,).
• Host Based Protections (Anti Viruses, Stack Protections etc.,).
• Application Level protections (Encodings, Bypass Avenues etc.,)
• Storage Protections (Storage Controllers etc.)
31

Threat Modeling
32

Threat Modeling
• The standard threat modeling (not a specific
approach) focuses on two key elements:
– Assets
– Attacker (Threat agent)
• As information obtained in Reconnaissance
phase, it can be analyzed here:
– Identify and Categorize primary and secondary assets
– Identify and categorize threats and threat
communities
– Map these threat communities against primary and
secondary assets
33

High Level Modeling Process
• Identify Assets (Business Assets and Business Processes Analysis) and
Select attack Targets:
– Technical Information
– Employee Data, Customer Data
– Technical Infrastructure Supporting Process
– Human Assets Supporting Process
– 3rd Party Integrations
– Information available from Reconnaissance phase is used here.
• Identify Threats and Threat Communities
– Internal Threats (Employees, Management, Administrators, Developers,
Engineers, Technicians, Remote Support etc.,)
– External Threats (Business Partners, Competitors, Contractors, Suppliers,
Hacktivists, Script Kiddies etc.,).
– Threat Capability Analysis and mapping of threats against assets (Tools in use
by identified threats, access to attack launching sources (exploits) etc., is
performed
34

Scanning (Vulnerability Analysis)
35

Scanning (Vulnerability Analysis)
• It is process of discovering flaws in systems
which can be leveraged by attacker.
– From Host and Service misconfigurations to insecure
application design.
• Vulnerability analysis should be scoped
according to goals in mind and desired outcome.
• Vulnerability Analysis Goals:
– Finding out that mitigation is in place and known
vulnerability is not accessible. Or
– Trying everything to find out maximum number of
vulnerabilities.
36

Types of Vulnerability Testing - I
• Active
– Direct interaction with component being tested for security
vulnerabilities.
• This can be low level components like TCP/IP stack or network device.
• Or it can be high level component like web based interface for administrator
etc.
• Passive
– Covertly observe and gather data to perform analysis.
– Examples can include ‘Metadata Analysis’ or ‘Traffic Monitoring’
• Validation
– Finding correlations between findings. Linking found things,
footprints with each other.
37

Active Vulnerability Testing - I
• Active vulnerability testing is usually automated or manual.
• Automated (Active Scanning)
– Tools are used to interact with target, examine responses from target and determine
whether a vulnerability exist or not.
– General Vulnerability Scanners
• Port Based
– In traditional Pentesting, it helps to obtain basic overview of available network targets or
hosts.
– All 65, 535 ports are tested to find out open, filtered or closed ports.
– Protocols like IP, TCP, UDP, ICMP etc., are used as technique to find out information
about ports.
– Open ports can give information about services running on that ports (service is not
checked rather service is identified from designated port no).
• Service Based
– More advanced than Port scan as tools try to communicate with service available on
open ports using relevant protocols and confirm status of service running or not.
• Banner Grabbing
– It is more advanced concept that it analyzes the data returned from communication on a
specific port with service and application and find the version of application or service
running.
38

Active Vulnerability Testing - II
• Automated (Active Scanning)
– Web Application Scanners
• General Application Flaw Scanners
– Most scanners start with the top level address of website.
– Scanners then crawls the site by following links and directory
structures. (This information is usually gathered in Reconnaissance
phase as well).
– The scanner then performs tests against these resulted links obtained.
– Different attack vectors like SQL Injection, croos site scripting etc.
(discussed later).
• Directory Listing Brute Force
– Suppose, directories information is not gathered in Reconnaissance
phase or pre-engagement phase, then general scanners can’t get this
information following links crawling.
» So, either already compiled lists of directory is try to be figured out.
(This list is usually custom and managed by attacker itself).
» Or a brute force kind of approach can be used to find out directories.
39

Active Vulnerability Testing - II
• Specific Protocols or Network Vulnerability
Scanners
– Some special protocol scanners are available for
figuring out the running protocols and services
because general scanners can’t detect these
services.
• VPN Scanner: If VPN is running, then simple tools can’t
perform correct protocol negotiations, so special tools for
VPN are used.
• Voice Network Scanners: VoIP special tools are used to find
out vulnerabilities for VoIP services. These vulnerabilities can
be leveraged to gain access to infrastructure systems or
record phone conversation on target network.
40

Passive Vulnerability Testing
• Metadata Analysis
– Metadata about files or directories is analyzed.
– This metadata can provide information about author,
company, internal IP addresses, paths to servers etc.
• Traffic Monitoring
– It is monitoring the internal network and collected
traffic data to analyze offline.
– Different approached can be used for this purpose.
41

Validation (Vulnerability Testing)
• Correlation Between Tools
– When working with multiple tools, the need for
correlation between findings can become
complicated.
• Styles and/or Categorical relations.
– In most cases, testers focus on micro issues
of specific vulnerabilities found in redundancy
between multiple hosts.
– So, relation should be found to target to
launch the attack.
42

Manual Vulnerability Testing
• More advanced analysis of target is
performed to found vulnerability.
– VPN Fingerprinting:
• Device information and correct version of VPN
code released and installed can be obtained from
fingerprints which be analyzed manually.
– Attack Avenues:
• As vulnerabilities are found, attack tree should be
developed and regularly updated.
43

Research about Vulnerability
• The found vulnerabilities should be validated
from:
– Vulnerability Databases: Many security vendors or
companies maintain big database of found
vulnerabilities.
• The results of tools should be validated from these
databases.
– Vendor Advisories: Many services, products vendors
update their tools information on their websites.
• To tell customers about capabilities of their tool or recent
developments happening in versions.
• Vulnerabilities can be identified from such information as
well.
44

EXPLOITATION
45

Purpose of Exploitation Phase
• Exploitation executes the attacks actually.
– The purpose is to establish “Access to a system or
resource” by bypassing security restrictions.
– Vulnerability analysis can provide the list of available
vulnerabilities in the system.
– Attack vectors can be decided for known
vulnerabilities and available payloads and then
attacks can be launched.
– Main focus of attacks is on:
• Main entry points in the organization.
• Attacking high valued assets to show high impact.
46

Planning Attacks Execution - I
• Consider Countermeasures (Already in Place in Organizations).
• The security measures applied by organizations should be
considered for successful launch of attack.
– The sole purpose is to remain in stealth mode.
• Different kind of security technologies can be in place:
– Anti Virus (Protect deployment of malicious softwares).
– Intrusion Detection/Prevention System (Detect and prevent malicious
activity)
– Encoding (obfuscated data to confuse the reader).
– Encryption (converting the data to unintelligible form, similar to
encoding).
– Whitelist Bypass (Only identified traffic is allowed to pass)
– Data Execution Prevention (A technique implemented in OS to protect
against attacks by monitoring any overwrite in memory).
47

Planning Attacks Execution - II
• Evasion Techniques Planning
• Evasion is technique to escape detection during
Penetration test.
– Circumventing camera system to be seen by guard or
– Obfuscating the payloads (attacking code) to by pass
the intrusion detection system or
– Encoding requests/responses (payloads in web
applications) to bypass web application firewalls.
• It is better to formulate evasion techniques
to be applied during launching of attack.
48

Planning Attacks Execution - III
• Precision Strike
– Attacks should be planned to launch specific
attacks according to research on
vulnerabilities and available payloads.
– All available payloads should not be tried on
found vulnerability.
• It shows that attackers are not experienced.
• Also, Intrusion Detection systems can figure out
these kinds of approach with high chances.
49

Planning Attacks Execution - IV
• Customized Exploitation Avenue
– Depending upon technology, location, proper
technology should be selected to launch attacks.
– All attacks and conditions are different. Not, same
attack be launched on all avenues.
• Tailored Exploits
– Most of times, the exploit payloads available on public
locations (like internet) are not 100% working for all
identified scenarios.
– These payloads should be modified to tailor for
specific needs of tester.
50

Planning Attacks Execution - V
• Zero Day Angle
– Zero Day attacks are payloads not known in
public domains.
– Usually, high profile Pentest companies
maintain their own exploits (payloads) to
launch attacks for known vulnerabilities.
– But, before launching such attacks, it should
be assured that operating system, patches
and countermeasures are same as assumed
for designing these zero day payloads.
51

POST EXPLOITATION
52

Purpose of Post Exploitation Phase
• This phase purposes are:
– Determine value of compromised machine and
maintain control for that machine:
• Machine is valuable if sensitive data is available on that
machine or it can be useful to compromise the network.
– Tester document the sensitive data, identify configuration
settings, communication channels and relationships with
network devices.
– Clean the fingerprints:
• Any mistakes done or information left about attacking
machine is wiped in this phase.
53

REPORTING
54

Objectives of Reporting
• The objectives of this phase are:
– Report the identified vulnerabilities to the
hiring organization.
– Explain the procedure followed to hack their
targeted system.
– Provide the technical details to launch the
attacks.
– Propose the solutions to them to improve their
security measures to protect against future
attacks.
55

Report Structure
• Every Pentester can has its own structure to describe its
work. But, usually following sections are recommended
to be there in report.
• Executive Summary
– Background
– Overall Posture
– Risk Ranking Profile
– General Findings
– Recommendation Summary
– Strategic Roadmap
– Technical Details of all phases/approaches used for testing
– Conclusion
56

Samples for Different Report Sections
57
Overall Risk Ranking Profile of Organization General Findings
Security Strategy
Recommendations

Assignment 2
• Plan an attack to “Hack a Linux Based
Server/Machine and Stealing critical
important documents from there”.
– Consider all knowledge gained today.
– Plan for each phase of Penetration Execution
Phases.
• Next workshop, we shall take this scenario
and launch attack using tools already
provided to you in Assignment 1.
58

Dr M Nasir Mumtaz Bhutta www.kfu.edu.sa59
Thanks for listening !
»Questions ?

Penetration Testing Execution Phases

More Related Content

What's hot

Similar to Penetration Testing Execution Phases

More from Nasir Bhutta

Recently uploaded

Penetration Testing Execution Phases