Page 1: Phases of penetration testing

Phases of Penetration Test

Abdul Rehman, IOC Bahauddin Zakariya University Multan

Page 2: Phases of penetration testing

What is Penetration Test?

• A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source.

• A penetration test target may be a “white box” or a “black box”.

• A penetration test can help determine whether a system is vulnerable to attack, whether its defenses were sufficient, and which defenses were defeated during the test.

Page 3: Phases of penetration testing

Phases of Penetration Test

• Reconnaissance

• Scanning

• Exploitation

• Maintaining Access

Page 4: Phases of penetration testing

Reconnaissance

• Reconnaissance refers to information gathering before an attack: the work of collecting information about the target before the attack is planned.

• The more information we gather, the greater our chances of success in the later phases of the penetration test.

• Abraham Lincoln quote: “If I had six hours to chop down a tree, I'd spend the first four of them sharpening my axe.”

• Reconnaissance is conducted by white hats and black hats alike.

Page 5: Phases of penetration testing

Main Goals and Types of Reconnaissance

The two main goals of reconnaissance are listed below:

• Gather as much information as possible

• Create a list of attackable IP addresses

The two main types of reconnaissance are listed below:

• Active Reconnaissance

• Passive Reconnaissance

Page 6: Phases of penetration testing

Famous Tools Used for Reconnaissance (I)

• HTTrack

• Google

• Harvester

• Whois

• Netcraft

Page 7: Phases of penetration testing

Famous Tools Used for Reconnaissance (II)

• Host

• Extracting information from DNS: NS Lookup, Dig

• Extracting information from Emails

• Metagoofil

• Social Engineering

Page 8: Phases of penetration testing

Famous Tools Used for Reconnaissance (III)

• HTTrack (Win, B.T): a tool for making an identical copy of the target site.

The copy consists of pages, pictures, links, etc.

• Google: proper use of Google is a vital skill for a penetration tester.

Directives (keywords that make Google return accurate information): site, inurl, cache.

Use of a directive: 1) name 2) colon 3) term, e.g. site:bzu.edu filetype:ppt

Page 9: Phases of penetration testing

Famous Tools Used for Reconnaissance (IV)

• Harvester (Win, B.T)

Used to catalog the e-mail addresses and subdomains that belong to our target.

• Whois (Online, B.T)

The Whois service allows us to access specific information about our target, including IP addresses, host names, contact info, phone numbers, addresses, etc.

• Netcraft (Win, B.T)

It gives us information such as a site report, the IP address, and the OS of the web server.

Page 10: Phases of penetration testing

Famous Tools Used for Reconnaissance (V)

• Host

Used to translate a host name to an IP address.

• Social Engineering

Exploiting the “human” weakness that is inherent in every organization.

Page 11: Phases of penetration testing

Scanning

• Scanning is the process of finding out whether the target system is alive, which of its ports are open, and which vulnerabilities it has.

• Ethical hackers use scanning tools to determine open ports and services, and the presence of known weaknesses, on target systems.

Page 12: Phases of penetration testing

Types of Scanning

• Types of scanning are listed below

1. System Scanning

2. Port Scanning

3. Vulnerability Scanning

Page 13: Phases of penetration testing

System Scanning

• In system scanning we determine whether the system is alive and whether it can interact with other machines.

• It is important to conduct this step and make a note of any machines that respond as alive.

• If the system is alive, the penetration test will be more fruitful.

Page 14: Phases of penetration testing

Port Scanning(I)

• Port scanning is finding the open ports. It is the process of finding the channels through which an attack can be launched.

• The basic idea is to analyse the network ports and keep information about them so that it can be used in the future.

• In port scanning we find the open ports and the services, such as FTP, printing or e-mail, that are available.

• There are 65536 ports in total on every computer, for each of UDP and TCP.

Page 15: Phases of penetration testing

Port Scanning (II)

Port Number   Description
1             TCP Port Service Multiplexer (TCPMUX)
20            FTP Data
21            FTP Control
53            Domain Name System (DNS)
69            Trivial File Transfer Protocol (TFTP)
115           Simple File Transfer Protocol (SFTP)
156           SQL Server
190           Gateway Access Control Protocol (GACP)
443           HTTPS

Page 16: Phases of penetration testing

Vulnerability Scanning

• Vulnerability scanning is performed to find out the weaknesses of the target that can be attacked.

• Usually the vulnerability scanner finds the operating system and version number installed on the target.

• It then finds weaknesses in that OS, gathers information about them, and this information is used later to exploit them.

Page 17: Phases of penetration testing

Tools Used for Scanning

• For System Scanning

1. Ping and ping sweeps

• For Port Scanning

1. Nmap

• For Vulnerability Scanning

1. Nessus

Page 18: Phases of penetration testing

Ping and Ping Sweep

• Ping uses a special type of network packet called an ICMP packet.

• It works by sending specific types of network traffic, called ICMP echo request packets, to the target.

• Besides telling us that a host is alive and accepting traffic, pings provide other valuable information, including the total time it took for the packet to travel to the target and return.

• A ping sweep works with Fping; in it, pings are sent to a series of IP addresses.
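Detection logic for the two kinds of probe traffic these slides describe (ping sweeps of many hosts, port scans of many ports on one host), written as an added example for this page rather than taken from the slides; the log format, IP addresses and thresholds are constructed assumptions.

```python
"""Flag ping sweeps and port scans in firewall log lines (added example, not from the slides).

Assumed log format, constructed for this example:
  <ISO time> proto=<icmp|tcp|udp> src=<ip> dst=<ip> [type=<icmp type>] [dport=<port>]
A ping sweep is one source sending ICMP echo requests (type 8) to many hosts inside a
time window; a port scan is one source touching many distinct ports on one host."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 pings six hosts, then probes twelve ports on 10.0.1.1;
# 10.0.0.9 is ordinary traffic and must not be flagged.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{i:02d} proto=icmp type=8 src=10.0.0.5 dst=10.0.1.{i}" for i in range(1, 7)]
    + [f"2024-05-01T10:01:{i:02d} proto=tcp src=10.0.0.5 dst=10.0.1.1 dport={p}"
       for i, p in enumerate((21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 8080))]
    + ["2024-05-01T10:02:00 proto=tcp src=10.0.0.9 dst=10.0.1.1 dport=443",
       "2024-05-01T10:02:05 proto=icmp type=8 src=10.0.0.9 dst=10.0.1.1"]
)

def parse(line):
    """Split one log line into a dict of its key=value fields plus a parsed 'time'."""
    stamp, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["time"] = datetime.fromisoformat(stamp)
    return fields

def detect(lines, window=timedelta(seconds=60), sweep_hosts=5, scan_ports=10):
    """Return sorted alerts: ('ping_sweep', src) and ('port_scan', src, dst)."""
    state = defaultdict(lambda: (None, set()))   # key -> (window start, distinct values seen)
    alerts = set()
    for line in lines:
        ev = parse(line)
        if ev["proto"] == "icmp" and ev.get("type") == "8":
            key, value, threshold = ("ping_sweep", ev["src"]), ev["dst"], sweep_hosts
        elif ev["proto"] in ("tcp", "udp") and "dport" in ev:
            key, value, threshold = ("port_scan", ev["src"], ev["dst"]), ev["dport"], scan_ports
        else:
            continue   # replies and other protocols are not probe traffic
        start, seen = state[key]
        if start is None or ev["time"] - start > window:   # start a fresh observation window
            start, seen = ev["time"], set()
        seen.add(value)
        state[key] = (start, seen)
        if len(seen) >= threshold:
            alerts.add(key)
    return sorted(alerts)
```

Run `detect(SAMPLE_LOG)` to see both the sweep and the scan reported for 10.0.0.5 only; tightening `window` or raising the thresholds suppresses the alerts, which is the tuning trade-off a slow scan exploits.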

Page 19: Phases of penetration testing

Ping and Ping Sweep(II)

Results of ping

Page 20: Phases of penetration testing

Nmap

• Using Nmap to perform a TCP Connect Scan

Page 21: Phases of penetration testing

Nmap

• Using Nmap to perform UDP Scans

Page 22: Phases of penetration testing

Nessus

• Nessus is a GUI-based vulnerability scanning tool.

• Available for free.

• One of the key components of Nessus is the plug-ins.

• A plug-in is a small block of code that is sent to the target machine to check for a known vulnerability. Nessus has literally thousands of plug-ins.

Page 23: Phases of penetration testing

Nessus

Page 24: Phases of penetration testing

Nessus

Page 25: Phases of penetration testing

Exploitation

• Exploitation is the process of gaining control over a system.

• Exploitation is the attempt to turn the target machine into a puppet that will execute your commands and do your bidding.

Page 26: Phases of penetration testing

Password Cracker

• Using online password crackers, the potential for success can be greatly increased if you combine this attack with the information gathered earlier.

• Remote access systems employ a password throttling technique that can limit the number of unsuccessful log-ins you are allowed.

• Medusa and Hydra are famous password crackers used for exploitation.

• John the Ripper: king of the password crackers
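The throttling control the second bullet refers to, shown as an added example (not code from the slides or from any tool they name); the lockout policy, account names and attempt timings are constructed assumptions.

```python
"""Password throttling: lock an account after too many failed log-ins in a window.

Added example, not from the slides. Assumed policy (constructed): 5 failures within
10 minutes lock the account for 15 minutes; while locked, no password is even checked,
so an online cracker's guesses stop yielding information about the real password."""
from collections import deque
from datetime import datetime, timedelta

class LoginThrottle:
    def __init__(self, max_failures=5, window=timedelta(minutes=10), lockout=timedelta(minutes=15)):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = {}       # account -> deque of failure timestamps inside the window
        self.locked_until = {}   # account -> time the lock expires

    def check(self, account, now):
        """True if a log-in attempt for this account may be evaluated at all right now."""
        until = self.locked_until.get(account)
        return not (until and now < until)

    def record(self, account, now, success):
        """Update counters after the password check; returns 'ok', 'fail' or 'locked'."""
        if success:
            self.failures.pop(account, None)   # clean slate on a good password
            return "ok"
        q = self.failures.setdefault(account, deque())
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures that fell out of the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            q.clear()
            return "locked"
        return "fail"

def simulate(throttle, attempts):
    """attempts: list of (seconds offset, account, password_ok); returns one outcome per attempt."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    outcomes = []
    for offset, account, ok in attempts:
        now = t0 + timedelta(seconds=offset)
        if not throttle.check(account, now):
            outcomes.append("rejected")   # refused without touching the password store
            continue
        outcomes.append(throttle.record(account, now, ok))
    return outcomes

# Constructed scenario: wrong guesses every 2 s; the 5th guess locks the account, the correct
# password at 12 s is rejected unread, and a log-in after the lock expires succeeds.
ATTACK = [(i * 2, "alice", False) for i in range(5)] + [(12, "alice", True), (12 + 15 * 60, "alice", True)]
```

`simulate(LoginThrottle(), ATTACK)` yields four failures, a lock, a rejection, then success; a real deployment would also throttle per source address, since a cracker can spread guesses over many accounts to stay below the per-account limit.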

Page 27: Phases of penetration testing

Medusa

• Medusa is described as a parallel log-in brute forcer that attempts to gain access to remote authentication services.

• Medusa is capable of authenticating with a large number of remote services, including AFP, FTP, HTTP, IMAP, MS-SQL, MySQL, NetWare NCP, NNTP, etc.

• You need several pieces of information for Medusa: the target IP address, a username or username list, and a password or a dictionary file containing multiple passwords.

Page 28: Phases of penetration testing

Medusa

Page 29: Phases of penetration testing

METASPLOIT: HACKING, HUGH JACKMAN STYLE!

• Metasploit is a powerful, flexible and free tool.

• A truly open source exploit framework.

• Open source meant that for the first time everyone could access, collaborate on, develop and share exploits for free.

• It allows you to select the target and choose from a wide variety of payloads.

• A payload is the “additional functionality” or change in behavior that you want to accomplish on the target machine.

Page 30: Phases of penetration testing

MSFCONSOLE

• We focus on the menu-driven, non-GUI, text-based interface called msfconsole.

• msfconsole is fast, friendly and easy to use.

Page 31: Phases of penetration testing

MSFCONSOLE

Result of Metasploit

Page 32: Phases of penetration testing

SNIFFING NETWORK TRAFFIC

• Sniffing is the process of capturing and viewing traffic as it is passed along the network.

• A popular technique that can be used to gain access to systems is network sniffing.

• Sniffing clear text network traffic is a trivial but effective means of gaining access to systems.

• The Macof tool is used for sniffing.

Page 33: Phases of penetration testing

Maintaining Access

• In maintaining access, backdoors are created in the target system for future use.

• A backdoor is a piece of software that resides on the target computer and allows the attacker to return to the machine at any time.

• In some cases, the backdoor is a hidden process that runs on the target machine.

• There are many tools nowadays for creating backdoors, e.g. netcat, netcat's cryptic cousin, Netbus, rootkits.

Page 34: Phases of penetration testing

NETCAT THE SWISS ARMY KNIFE

• A tool for communication and control of network traffic flow.

• An excellent choice for a backdoor.

• Can be used to transfer files between machines.

• Can conduct port scans.

• Can serve as a simple instant messenger.

• Can even function as a simple web server.

Page 35: Phases of penetration testing

NETCAT THE SWISS ARMY KNIFE

• Supports sending and receiving both TCP and UDP traffic.

• Netcat can connect from any port on your local machine to any port on the target machine.

Page 36: Phases of penetration testing

NETBUS: A CLASSIC

• Backdoor and remote control software.

Page 37: Phases of penetration testing

Hacker Defender: It Is Not What You Think

• Hacker defender is a Rootkit.

• Easy to understand and configure.

• There are three main files:

o hxdef100.exe

o hxdef100.ini

o bdcli100.exe

Page 38: Phases of penetration testing

Hacker Defender

Page 39: Phases of penetration testing

DETECTING AND DEFENDING AGAINST ROOTKITS

• Closely monitor the information you put onto the internet.

• Properly configure your firewall and other access control lists.

• Patch your systems.

• Install and use antivirus software.

• Make use of an intrusion detection system.

• Tools like RootkitRevealer, VICE, and F-Secure's BlackLight are some great free options for revealing the presence of hidden files and rootkits.

Page 40: Phases of penetration testing

Questions?