Penetration Testing

What is Penetration testing?

Phases of Penetration testing?

Types of Penetration testing based on Knowledge

Types of Penetration testing based on where it's performed and tools

Definition:

A penetration test, also known as a pen test, seeks to expose the inherent security flaws that may violate system integrity and end up compromising users' confidential data. In simple terms, it is a method to evaluate the security posture (security weaknesses) of an organization and exploit those weaknesses in a safe, controlled manner. The approach used in penetration testing is similar to the one used by a hacker: the tester acts like an attacker and attempts to find and exploit vulnerabilities. The person or group of people assigned to that task are called pen testers.

Phases of Penetration testing :

A penetration tester usually begins by gathering as much information about the target as possible. The tester then identifies possible vulnerabilities in the system by scanning, and after that launches an attack. In the post-attack phase, the tester analyses each vulnerability and the risk involved. Finally, a detailed report summarizing the results of the penetration test is submitted to higher authorities. Penetration testing can be broken down into multiple phases, which vary depending on the organization and the type of penetration test. Generally, a penetration test has the following phases:

• Pre-Engagement or Planning:

In this phase, you (the pentester) discuss the scope and terms of the penetration test with the client and agree on exactly what is in scope. The pentester should also educate the client about what to expect from the pentest.

• Reconnaissance:

Reconnaissance is where testers gather as much information about the target as possible. But it’s not just about collecting random data. The goal is to gather data relevant to the tests that will be executed. This is why this stage is critical.

• Scanning and Exploitation:

Once the testers have all the required information at their disposal, they can simulate cyberattacks on the target and discover the target's vulnerabilities. The next step is to exploit those vulnerabilities, by gaining access to privileged information, stealing data, modifying system configurations, intercepting traffic, and more, to estimate the amount of damage an attacker could cause to the target system.

• Analysis and reporting:

A detailed report is compiled to outline the significant findings of the test process. The report includes details such as the sensitive data exposed, a list of exploited vulnerabilities, the length of time the tester could maintain undetected access to the system, etc. Based on these findings, the security team fixes the most critical issues first and implements application security policies to patch vulnerabilities and protect against future threats.

Types Of Penetration Testing Based on Knowledge:

There are three types of penetration testing based on the knowledge of the target provided to the tester:

1- Black Box Testing:

Black box testing (also called blind or double-blind testing) is a type of penetration test in which the tester has no prior knowledge of the system and no information about the target. The pen tester in this instance follows the approach of an unprivileged attacker, from initial access and execution through to exploitation. This scenario can be seen as the most authentic, demonstrating how an adversary with no inside knowledge would target and compromise an organization. However, this typically makes it the costliest option, and the lack of information can also result in vulnerabilities remaining undiscovered in the time allocated for testing.

2- White Box Testing:

When the penetration tester is given complete knowledge of the target, it is called a white box penetration test. The tester has complete knowledge of the target, such as IP addresses, controls in place, code samples, operating system details, source code, flowcharts, etc. It requires less time than black box penetration testing. This type of penetration test is mostly done by internal security teams or security audit teams for auditing purposes.

3- Grey-Box Testing:

When the tester has partial information about the target, it is referred to as grey-box penetration testing. In this case, the tester will have some knowledge of the target, such as URLs, IP addresses, credentials, etc., but will not have complete knowledge or access. Grey box testing is useful to help understand the level of access a privileged user could gain and the potential damage they could cause.

Types Of Penetration Testing Based on Where It's Performed:

Penetration testing can be done through either manual or automated processes, and it is performed on the following:

Network Penetration Testing:

In a network penetration test, the penetration tester audits a network environment for security vulnerabilities. The tester identifies possible exploitable vulnerabilities in the network, in network devices (routers, switches, firewalls, IDS/IPS, VPNs, etc.), and in hosts.

Carrying out network VAPT is important to protect sensitive data. Depending on the attack's intensity, an attacker might gain knowledge of the network or manipulate data to their advantage.

1- Internal Penetration Testing:

In this type of penetration testing, only the internal network is in scope. It includes firewalls, IPS/IDS, DNS-level testing, VPNs, and data components such as database servers or file servers, which are of key importance from a vulnerability scanning perspective. An internal security assessment can be performed by being physically inside the network premises or by establishing a remote session into the network.

The general aim here is to find vulnerabilities that could be exploited by an attacker who already has access to the internal network and can affect the security posture of the network.

2- External Penetration Testing:

In this type, the testing is conducted from outside the organization’s network.

This pen testing type’s goal is to find vulnerabilities in the network infrastructure that could be exploited by an attacker who does not have access to the internal network or security controls.

Network VAPT tools:

• NMAP — This tool is used to scan ports and discover live devices within a network. It is a powerful vulnerability analysis tool. It reports ports as closed, open, filtered, unfiltered, and so on.

• Wireshark — It captures network packets and analyzes them. It has built-in functionality for analyzing network traffic.

• John the Ripper — As the name implies, John the Ripper is used to harvest passwords, or simply to crack their hashes.

• Nessus — This is a commercial tool, unlike the other tools above. It is a popular vulnerability scanner that identifies running ports, detects vulnerabilities and remedies them.

• IP Scanner — An open-source and cross-platform network scanner designed to be fast and simple to use. It scans IP addresses and ports and has many other features.

• CiscoRouter — A tool for scanning Cisco-based routers over SSH. Rules can be created using the accompanying CiscoRule application (see this repo) and stored in the "rules" directory.

• Nexpose — Nexpose can be used to scan a network for vulnerabilities. It identifies the active services, open ports, and running applications on each machine, and attempts to find vulnerabilities that may exist based on the attributes of the known services and applications. Nexpose discloses the results in a scan report, which helps you prioritize vulnerabilities based on risk factors and determine the most effective solution to implement.

• Sparta — Network infrastructure penetration testing tool.

• Metasploit — The Metasploit framework is a very powerful tool that can be used by cybercriminals as well as ethical hackers to probe systemic vulnerabilities on networks, servers, the web, etc. Metasploit now includes more than 1677 exploits organized over 25 platforms, including Android, PHP, Python, Java, Cisco, and more.

• Masscan — TCP port scanner.

• RustScan — Port scanner.

• Spyse — A search engine that collects, processes, and provides structured information about network elements using OSINT techniques. Spyse search engines have everything that pen testers might need to perform complete web reconnaissance.

• Dsniff — A collection of tools for network auditing and pentesting.

• Dshell — Network forensic analysis framework.
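As an added example (not part of the original article), here is a small Python helper that ties the pre-engagement scope to the Nmap results described above: it parses Nmap's XML output, flags any host that was scanned outside the agreed scope, and tallies port states (open/closed/filtered) for the report. The XML sample and the scope CIDR are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed Nmap XML (not real scan output), reduced to the elements
# this parser reads: host/address and ports/port/state/service.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
<host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="3389"><state state="filtered"/></port>
</ports></host>
<host><address addr="10.0.0.9" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="closed"/><service name="microsoft-ds"/></port>
</ports></host>
<host><address addr="192.168.50.7" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
</ports></host>
</nmaprun>"""

# Hypothetical scope agreed with the client in the pre-engagement phase.
AGREED_SCOPE = ["10.0.0.0/24"]

def parse_nmap_xml(xml_text):
    """Map each scanned IPv4 host to its (port, proto, state, service) tuples."""
    results = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = []
        for port in host.findall("ports/port"):
            svc = port.find("service")
            ports.append((int(port.get("portid")), port.get("protocol"),
                          port.find("state").get("state"),
                          svc.get("name") if svc is not None else ""))
        results[addr.get("addr")] = ports
    return results

def out_of_scope_hosts(results, scope_cidrs):
    """Hosts in the scan that fall outside the agreed CIDR ranges (must be empty)."""
    nets = [ipaddress.ip_network(c) for c in scope_cidrs]
    return sorted(ip for ip in results
                  if not any(ipaddress.ip_address(ip) in n for n in nets))

def port_state_summary(results, scope_cidrs):
    """Count Nmap port states (open/closed/filtered) over in-scope hosts only."""
    excluded = set(out_of_scope_hosts(results, scope_cidrs))
    return Counter(p[2] for ip, ports in results.items() if ip not in excluded for p in ports)
```

A non-empty result from out_of_scope_hosts means the scan touched a host the client never authorized, which is itself a finding for the report.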

Client-Side Penetration Test:

Client-side penetration tests identify security vulnerabilities within an organization's client-side software. These are often located in the programs and applications the organization uses, such as email clients, web browsers, and software packages from vendors like Microsoft and Adobe (for example Photoshop and Acrobat). Client-side attacks are more focused and targeted than attempts to breach a large company's network perimeter.

Hackers may, for example, gain access to a vulnerable application through a well-crafted email directing an employee to a malicious webpage, or load malware onto a USB stick that executes once it is inserted into a device. Client-side penetration tests aim to identify these risks and address all related internal vulnerabilities.

Web Application Penetration Testing :

Web application pen testing is a method of identifying, analyzing, and exploiting the vulnerabilities that exist in a web application. It focuses on identifying known vulnerabilities in third-party components, analyzing source code, finding publicly exposed sensitive information, and finding loopholes in features that can be exploited. In essence, the tester needs to check the web application for the OWASP Top 10 vulnerabilities.

In short, web application penetration testing is a process of simulated attacks to identify vulnerabilities in a web app and across its components, and to exploit them to gain access to sensitive information.

WEBAPP VAPT tools:

• WPScan — WPScan is a black box WordPress vulnerability scanner.

• WhatWeb — WhatWeb identifies websites. Its goal is to answer the question, "What is that website?". WhatWeb recognizes web technologies.

• webDisco — Web discovery tool to capture screenshots from a list of hosts & vhosts. Requests are made via IP address and vhosts to determine differences.

• w3af — web application attack and audit framework, the open source web vulnerability scanner.

• dirsearch — dirsearch is a simple command line tool designed to brute force directories and files in websites.

• Arachni — Scriptable framework for evaluating the security of web applications.

• Netsparker Application Security Scanner — Application security scanner to automatically find security flaws.

• Nikto — Noisy but fast black box web server and web application vulnerability scanner.

• SQLmate — Friend of sqlmap that identifies SQLi vulnerabilities based on a given dork and (optional) website.

• joomscan — Joomla vulnerability scanner.

• Google dorks — Google Dorking, also called Google hacking, is a search-hacking technique that uses advanced search queries to uncover hidden information of the target in Google.

• Goldeneye — Complete pen-testing tool that provides CMS detection, host discovery, banner grabbing, subdomain enumeration, etc.

• Redhawk — Complete pen-testing tool that provides CMS detection, host discovery, banner grabbing, subdomain enumeration, etc.

• OWASP ZAP — It automatically identifies web application security vulnerabilities during development and testing.

• Subfinder — Tool to discover subdomains.

• whois — Provides information regarding the target's domain.

• NMAP — Port scanning tool.

• Httpx — Tool to find subdomains and list the active ones.

• Burp Suite — Burp Suite is a comprehensive platform for web application security testing. It can be used for detailed enumeration and analysis of web applications. The tool can intercept HTTP/S requests and act as a middleman between the user and the web pages.

• Metasploit — Metasploit is a penetration testing framework that helps you find and exploit vulnerabilities.

• wafw00f — Tool to identify the WAF (web application firewall) in front of a domain.

• Acunetix — Web application scanner.

Wireless Network Penetration Testing:

Wireless network penetration tests focus on vulnerabilities in wireless devices, such as tablets, laptops, notebooks, and smartphones. These tests aim to identify all devices used by an organization that are vulnerable to cyberattacks. The vulnerabilities may include weak security controls on wireless devices, access point configurations, weak security protocols, and weak admin credentials.

• Aircrack-ng — Set of tools for auditing wireless networks.

• Airgeddon — Multi-use bash script for Linux systems to audit wireless networks.

• BoopSuite — A suite of tools written in Python for wireless auditing.

• Bully — Implementation of the WPS brute force attack, written in C.

• Cowpatty — Brute-force dictionary attack against WPA-PSK.

• Fluxion — Suite of automated social engineering-based WPA attacks.

• KRACK Detector — Detect and prevent KRACK attacks in your network.

• Kismet — Wireless network detector, sniffer, and IDS.

• Reaver — Brute force attack against WiFi Protected Setup.

• WiFi-Pumpkin — Framework for rogue Wi-Fi access point attacks.

• Wifite — Automated wireless attack tool.

• infernal-twin — Automated wireless hacking tool.

• krackattacks-scripts — WPA2 Krack attack scripts.

• wifi-arsenal — Resources for Wi-Fi Pentesting.

Social Engineering Penetration Testing:

Social engineering penetration tests focus on the human aspect of an organization’s security. In a social engineering test, testers attempt to deceive employees into giving up sensitive information or allowing the tester access to the organization’s systems. This enables penetration testers to understand the organization’s vulnerability to scams or other social engineering cyberattacks.

Remote testing — involves tricking an employee into revealing sensitive information via electronic means.

Physical testing — involves the use of physical means to gather sensitive information, such as threatening or blackmailing an employee.