Penetration Testing Part 2

First of all, thank you for reading Penetration Testing Part 1. Let's start with Part 2.

Here I will show you how to conduct a penetration test for an organization, XYZ. Before starting the actual penetration test, let's look at the types of penetration test, the methodology for penetration testing, and the tools available for conducting one.

Penetration Testing Methodology:

As we discussed in Part 1, a penetration test is generally conducted in four phases:

1. Planning

2. Discovery

3. Attack

4. Reporting

Types of penetration test:

1. Black Box

2. White Box

3. Grey Box

Black box:

Black-box testing involves performing a security evaluation and testing with no prior knowledge of the network infrastructure or system to be tested. The testing simulates an attack by a malicious hacker outside the organization's security perimeter.

White box:

White-box testing involves performing a security evaluation and testing with complete knowledge of the network infrastructure, such as a network administrator would have.

Grey box:

Grey-box testing involves performing a security evaluation and testing internally.

Testing examines the extent of access by insiders within the network.

Scenario:

A firm named XYZ is consulting with a firm that conducts penetration tests as a third party. Company XYZ needs a black-box penetration test, due to some legal requirements and in order to evaluate the security measures put in place to control access.

Now the consulting firm has only the name XYZ to start the penetration test for the company.

Mr. RAK has been assigned the task of conducting the pen test at this consulting firm; here I will show you how the methodology is followed.

Planning:

Mr. RAK should have a signed NDA so that the findings are kept confidential. Secondly, an SLA should be in place that states to what level, or to what depth, the penetration test should go in order to be complete, and the time limit should be agreed before starting the test.

Discovery:

Passive:

The information gathering phase starts here; good sources are search engines, XYZ's official website, job postings and more.

While looking around on search engines, Mr. RAK discovered that Company XYZ has a web portal at http://www.XYZ-Portal.com. That seems good so far, so let's go deeper. Now it is time to do an nslookup: from nslookup you can discover the address of the mail server, and the name and address of the name server, for Company XYZ. This is more than enough at this stage.

Active:

Now it is time to do some active work. The best approach is to map the services running at the addresses we found in the passive phase, and the best way to achieve this is port or service scanning. In the world of information security there is a very famous tool for port scanning named Nmap.

With Nmap we can run a port scan against the address we found in the passive information gathering phase, so let's run it now:

ethicalHacker/pentesterBox# nmap -A -v www.XYZ-Portal.com -P0 -oA outputfileName

The above command will do a complete port scan on XYZ-Portal and will generate output files named outputfileName (in all three formats, because of -oA) for use in the reporting phase. Below is the output of the port scan with Nmap.

Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-02 21:19 GMT

Interesting ports on www.XYZ-Portal:

PORT STATE SERVICE

445/tcp filtered microsoft-ds

Interesting ports on www.XYZ-Portal.com:

PORT STATE SERVICE

445/tcp open microsoft-ds

23/tcp open telnet

80/tcp IIS 5.0

PORT STATE SERVICE

445/tcp open microsoft-ds

Nmap finished: 1 IP addresses (1 hosts up) scanned in 19.097 seconds

Here you can see that www.XYZ-Portal.com is running the IIS 5.0 web server, which shows that the server is a Windows machine.
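The -oA option used above writes three files, one of them the greppable outputfileName.gnmap. Below is an added example, not code from the original post, of turning that file into a reporting-phase summary and flagging the findings the scan surfaced (open telnet, SMB reachable from outside, an end-of-life IIS 5.0). The .gnmap lines are constructed to mirror the scan above; the IP address is a documentation placeholder, and the three review rules are this example's own assumptions rather than anything Nmap reports.

```python
import re
from dataclasses import dataclass

# Constructed sample of the greppable (.gnmap) file that `nmap -oA outputfileName`
# writes beside the normal and XML output. Modelled on the scan in the post;
# 192.0.2.10 is a documentation-range placeholder, not a real XYZ-Portal address.
SAMPLE_GNMAP = """\
# Nmap 4.20 scan initiated Mon Jul  2 21:19:00 2007 as: nmap -A -v www.XYZ-Portal.com -P0 -oA outputfileName
Host: 192.0.2.10 (www.XYZ-Portal.com)\tStatus: Up
Host: 192.0.2.10 (www.XYZ-Portal.com)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http//Microsoft IIS httpd 5.0/, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (997)
# Nmap finished at Mon Jul  2 21:19:19 2007 -- 1 IP address (1 host up) scanned in 19.097 seconds
"""


@dataclass
class PortFinding:
    host: str
    hostname: str
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_gnmap(text):
    """Parse greppable Nmap output into a list of PortFinding.

    Each entry in the 'Ports:' field has seven '/'-separated fields:
    port/state/protocol/owner/service/rpc_info/version
    (Nmap replaces any '/' inside a field with '|', so a plain split is safe.)
    """
    findings = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        m = re.match(r"Host:\s+(\S+)\s+\((.*?)\)", line)
        host, hostname = m.group(1), m.group(2)
        # The Ports field ends at the next tab (e.g. before "Ignored State:").
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue  # malformed entry; skip rather than guess
            findings.append(PortFinding(host, hostname, int(fields[0]),
                                        fields[2], fields[1], fields[4], fields[6]))
    return findings


# Review rules are this example's assumptions: each is (id, predicate, advice).
REVIEW_RULES = [
    ("telnet", lambda f: f.service == "telnet",
     "Telnet carries credentials in cleartext; replace it with SSH or block it at the perimeter."),
    ("smb-exposed", lambda f: f.port == 445 and f.proto == "tcp",
     "SMB (445/tcp) should not be reachable from the internet; filter it at the firewall."),
    ("eol-iis", lambda f: "IIS httpd 5." in f.version,
     "IIS 5.0 is end-of-life; plan an upgrade and include the host in the vulnerability scan."),
]


def review(findings):
    """Return (host, port, rule_id, advice) for every open port that matches a rule."""
    issues = []
    for f in findings:
        if f.state != "open":
            continue
        for rule_id, matches, advice in REVIEW_RULES:
            if matches(f):
                issues.append((f.hostname or f.host, f.port, rule_id, advice))
    return issues


def report(text):
    """Build a plain-text summary: one line per port, then one line per flagged issue."""
    findings = parse_gnmap(text)
    lines = [f"{f.hostname or f.host}:{f.port}/{f.proto} {f.state} {f.service} {f.version}".rstrip()
             for f in findings]
    for host, port, rule_id, advice in review(findings):
        lines.append(f"[{rule_id}] {host}:{port} - {advice}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_GNMAP))
```

Run it against a real outputfileName.gnmap by reading the file into `report()`; only the Host lines that carry a Ports field are parsed, so the comment lines Nmap adds at the top and bottom are ignored.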

Now it is time to run a vulnerability scan on the Windows machine to check for known vulnerabilities on the server.

To perform a vulnerability scan there are many commercial and non-commercial tools available; among them, the tool I would recommend is Nessus, which can be downloaded easily. Everything from vulnerability scanning through reporting will be covered in Part 3.