2. Introduction
Penetration Testing is the process of assessing the security of a computer
system by attacking it with the intention of finding security weaknesses and
potentially gaining access to the system, its functionality and its data.
There are several methodologies available for conducting a successful
penetration test, and there is no such thing as "the right" methodology, but if
a team chooses to improvise and not to follow any of them, the likely result is:
incomplete testing, excessive time consumption, wasted effort and ineffective testing.
There is no 100% secure system: a human made the system and a
human will break it!
Early in the 1970's, the Department of Defense (DoD) used penetration testing
to demonstrate the security weaknesses in computer systems and to
initiate the development of programs to create more secure systems.
3. Methodology
DTS - Methodology to Conduct a Successful Penetration Testing
(Diagram with three pillars)
Information: White Box / Black Box, Information Gathering
Team: Roles, Responsibilities
Tools
4. Give me six hours to chop down a
tree and I will spend the first four
sharpening the axe
Abraham Lincoln
5. Information
Information is the most important element of any successful penetration test. Without
proper knowledge of your target you are just a skiddie firing random attacks,
which will probably trigger all kinds of red flags rather than achieve any
penetration!
White Box Penetration Testing:
is a penetration testing approach that uses knowledge of the internals of the
target system to elaborate the test cases. It is not a realistic attack, but it
makes the best use of the testing time and enables penetration testers to conduct
deep testing.
Black Box Penetration Testing:
is a penetration testing approach that requires no previous information and
usually takes the approach of an uninformed attacker. It simulates a very
realistic scenario, but the testing time cannot always be used efficiently
and some areas of the infrastructure might remain untested.
7. Deep Gathering
Information Gathering

Network Survey
You are blind, and this first phase opens your eyes to the system to be tested:
you build a network map that you will use to find the reachable systems to test.
Objectives: Domain Names, Server Names, IP Addresses, Network Map, ISP Information, Systems Owner, Services Owner

OS Identification
Every OS has special characteristics; by comparing the variations in the behaviour of
the TCP/IP stack implementation, a remote OS can be identified (TCP/IP Fingerprinting).
Objectives: OS Type, System Type
Example: Nmap

Port Scanning
Each Internet-enabled system has 65536 TCP ports and 65536 UDP ports (0 to 65535); ports
0 to 1023 are called the well-known ports. Probing ports at the transport level
reveals the services running on a computer system.
Objectives: Open Ports, Closed Ports, Filtered Ports

Attack Surface
Based on the previous three phases you can perform banner grabbing to identify the
installed services by name and version, along with their patch level.
Objectives: Services Type, Application Type, Patch Level, Attack Vector
Example: Nessus
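The port-scanning and attack-surface steps above, as an added example (not code from the original deck or from DTS Solution): a minimal TCP connect scanner in Python that classifies ports as open, closed or filtered the way Nmap reports them (connection accepted, RST received, no answer within the timeout) and parses the grabbed banner into service, product and version. The fake SSH listener on 127.0.0.1, the hypothetical helper names (`probe_port`, `parse_banner`, `demo`) and the sample banner strings are constructed for the demonstration; on a real engagement you would point `probe_port` at in-scope hosts only.

```python
"""Minimal TCP connect scan with banner grabbing and version parsing (added example)."""
from __future__ import annotations

import re
import socket
import threading


def _res(service: str | None, m: re.Match | None) -> dict:
    """Build the result record; fields the regex did not capture stay None."""
    return {
        "service": service,
        "product": m.group("product") if m else None,
        "version": m.group("version") if m else None,
    }


def parse_banner(banner: str) -> dict:
    """Map a raw service banner to {service, product, version}.

    The patterns cover banner formats OpenSSH/dropbear, HTTP servers, vsFTPd-style
    FTP daemons and Postfix/Exim actually emit; anything else is reported as unknown.
    """
    b = banner.strip()
    if b.startswith("SSH-"):                      # e.g. SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7
        m = re.match(r"SSH-[\d.]+-(?P<product>[A-Za-z]+)[_-]?(?P<version>[\w.]+)?", b)
        return _res("ssh", m)
    if b.startswith("HTTP/"):                     # response to a HEAD request; read the Server header
        m = re.search(r"^Server:\s*(?P<product>[^/\r\n]+?)(?:/(?P<version>[\w.]+))?(?:\s|$)", b, re.M)
        return _res("http", m)
    if b.startswith("220"):                       # 220 greeting: FTP and SMTP share the code
        m = re.search(r"(?P<product>vsFTPd|ProFTPD|Pure-FTPd|FileZilla)\s*(?P<version>\d[\w.]*)?", b, re.I)
        if m:
            return _res("ftp", m)
        m = re.search(r"E?SMTP\s+(?P<product>\w+)(?:\s+(?P<version>\d[\w.]*))?", b)
        return _res("smtp", m)
    return _res(None, None)


def probe_port(host: str, port: int, timeout: float = 1.0, send: bytes = b"") -> tuple[str, str]:
    """TCP connect probe. Returns (state, banner) using the scanner convention:
    accepted -> open, RST (connection refused) -> closed, no answer -> filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed", ""
    except OSError:                               # timeout / unreachable: treat as filtered
        s.close()
        return "filtered", ""
    try:
        if send:                                  # services such as HTTP only talk when spoken to
            s.sendall(send)
        banner = s.recv(1024).decode("latin-1", "replace")
    except OSError:
        banner = ""
    finally:
        s.close()
    return "open", banner


def _fake_service(banner: bytes) -> int:
    """Constructed stand-in for a real daemon: listen on loopback, send banner once."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo() -> dict:
    """Scan a tiny loopback 'network': one fake SSH daemon and one port that was
    just released, which should answer with RST and therefore show as closed."""
    ssh_port = _fake_service(b"SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n")  # constructed banner
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    results = {}
    for port in (ssh_port, closed_port):
        state, banner = probe_port("127.0.0.1", port)
        results[port] = {"state": state, **parse_banner(banner)}
    return results


if __name__ == "__main__":
    for port, info in demo().items():
        print(port, info)
```

The open/closed/filtered split matters for the Attack Surface step: a closed port answers with RST and is simply not a service, while a filtered port (no answer) tells you a firewall or IPS sits in the path, which is exactly the kind of control the evasion discussion later in the deck assumes you have already mapped.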
8. Only two things are infinite, the
universe and human stupidity, and
I'm not sure about the former
Albert Einstein
10. Team
Responsibilities:
A team of penetration testers is most effective and efficient when its members
are experts and everyone knows exactly his role and responsibility during the pen-testing
process; otherwise distraction and waste of time and resources will arise.
Tools:
Every penetration tester has his own tools which he feels comfortable with and can
get the best out of during a pen-testing process. Most penetration testers use tools to
automate the work, make it more effective and save time; that is why a
good penetration tester does not need to know all the tools, but he can make the most of the
ones he knows best!
12. NOOOOOO STOP!
Even if you have the perfect payload to compromise a remote vulnerable
system, there is a high chance that your attack will be filtered and
detected, because it is not the 90's anymore and there are probably IDSs,
IPSs, firewalls, UTMs, anti-virus, anti-malware, anti-rootkit tools, WAFs,
honeypots and a zillion other traps. If you did your information gathering
phase right, you already know about their presence, and now it is time
for you to bypass them to deliver your payload and compromise the
remote system!
I am not going through bypassing security mechanisms for the sake of
time, but you can always refer to our session on Evasion of
Infrastructure Security for a couple of hints!
13. Some Famous Attacks
Brute Forcing, Sniffing, MITM, Hash Injection,
DHCP Starvation, Rogue DHCP, ARP Poisoning, DNS Poisoning,
Spoofing, Phishing, Amplified DDoS, Session Hijacking,
XSS, Session Fixation, Directory Traversal, Unvalidated Input,
Parameter Tampering, SQL Injection, LDAP Injection, File Injection,
CSRF, Buffer Overflow, Cookie Poisoning, Rogue AP,
Routing Attacks, VoIP Sniffing, DoS, Open Relay,
Replay Attacks, HTML Injection, SNMP Attacks,
SMB Attacks, Evil Twin, Worm Attacks, Trojan Attacks,
Virus Attacks, Zero-day Attacks, Malware Attacks, Cryptanalysis,
NTP Attacks
14. Documentation and Patching
After performing the penetration test with successful exploitation,
compiling the results in an understandable format is the key to
selling your hard work, which no one will understand if it comes as
purely technical content (decision makers in any company are mostly non-technical,
and if they cannot understand your report then all your hard work is
wasted). That is why including an Executive Summary and a Management Summary
in your report is a very good idea. Also, in my opinion, stating deep
technical information about the security risk is not advisable, since the target
in question probably has a high hack value and has probably invested well in its
engineers; if they know too much about the vulnerabilities they will
probably patch them themselves and will not use you in the patching phase, which means,
in business terms, Loss of Potential Business!
15. DTS Solution – Assessment Services
Security Assessment Services
Penetration Testing and Vulnerability Assessment
Black Box Ethical Testing
Vulnerability Management
Unified Communications Audit
VoIP / UC / Tele-presence security
SCADA Security Evaluation Toolkit
Industrial Control Systems Security Readiness
Mobile Network Security
UMTS / LTE – GTP Scan / Spoofed TEID / SCTP Scan / APN bruteforce
Fixed Mobile Convergence – SeGW and IMS Security
Endpoint IP Discovery and Network Leakage Detection
Rogue and Unknown Network Detection
Backdoor connections (3G / xDSL / Rogue WiFi and leaking endpoints discovery and classification)
Availability Assessment
DDoS Protection – Botnet / Zombie Detection
Web Portal Availability / DNS Server Protection – Protocol Fuzzing, DDoS attack simulation
Core Network Security
MPLS – MP-BGP and VRF Security (RT import and export analysis) / PE-CE security and label insertion
VPLS – Spanning Tree, ARP poisoning, MAC spoofing