First of all, thanks for reading Part 1 of Penetration Testing, let’s start with Part 2.

Here I will walk through a penetration test for an organization called XYZ. Before starting the actual test, let’s look at the types of penetration testing, the methodology, and the tools available to perform one.

Penetration testing methodology:

In general, there are four phases to conducting a penetration test, as we discussed earlier in Part 1:

1. Planning

2. Discovery

3. Attack

4. Reporting

Types of penetration test:

1. Black box

2. White box

3. Gray box

Black box:

Black box testing involves conducting a security assessment and testing without prior knowledge of the network infrastructure or system to be tested. The tests simulate an attack by a malicious hacker outside the organization’s security perimeter.

White box:

White box testing involves conducting a security assessment and testing with a thorough understanding of the network infrastructure, just like a network administrator would.

Gray box:

Gray box testing involves conducting a security assessment and testing from inside the organization, with partial knowledge of the environment. The tests examine the extent of access an insider would have within the network.

Scenario:

A company called XYZ is consulting with a company that performs penetration testing as a third party. XYZ Company needs to have a black box pen test due to some legal requirements and to evaluate the security measures in place to control access.

The consultancy has nothing more than the name XYZ to start the penetration test of the company with.

Mr. RAK of the consulting firm has been assigned the task of conducting the penetration test; here I will show how the methodology is followed.

Planning:

Mr. RAK should have signed a confidentiality agreement so that the findings are kept confidential. Secondly, an SLA must be in place that states to what level or depth the penetration must go, and the time limit must be agreed before the test starts.

Discovery:

Passive:

The information gathering phase begins here; good sources are search engines, XYZ’s official website, job postings and more.

While looking around in search engines, Mr. RAK discovered that XYZ Company has a web portal at http://www.XYZ-Portal.com. That looks promising, so let’s go deeper: now is the time to run nslookup. From nslookup you can find the address of the mail server and the name and address of the name server for XYZ Company. That is more than enough for this exercise.

Active:

Now it is time to do something active. The goal is to map the services running at the addresses we found in the passive phase, and the way to do that is port or service scanning. In the information security world the most famous port scanner is Nmap.

With Nmap we can run a port scan against the address found in the passive information gathering phase:

EthicalHacker / pentesterBox # nmap -A -v -P0 -oA outputfileName www.XYZ-Portal.com

The above command runs a full scan with service and OS detection (-A) against XYZ-Portal, skips host discovery (-P0, spelled -Pn in current Nmap releases), and writes the results in all three output formats to files named outputfileName for use in the reporting phase.

Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-02 21:19 GMT

Interesting ports on www.XYZ-Portal.com:

PORT     STATE  SERVICE       VERSION

23/tcp   open   telnet

80/tcp   open   http          IIS 5.0

445/tcp  open   microsoft-ds

Nmap finished: 1 IP address (1 host up) scanned in 19.097 seconds

Here you can see that www.XYZ-Portal.com is running the IIS 5.0 web server, which shows that the server is a Windows machine. Telnet (23/tcp) and SMB (445/tcp) are also reachable from outside, which is worth noting for the report.
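The -oA option above also writes outputfileName.xml, which is the form you want to feed into the reporting phase. The following script is an added example, not part of the original post; it parses a constructed sample of that XML (the IP address and the filtered 3389 entry are made up) into a findings table and attaches a short report note to services whose exposure on an internet-facing host is itself a finding.

```python
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -A -oA outputfileName www.XYZ-Portal.com`
# writes to outputfileName.xml; the address and the 3389 entry are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="4.20">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="www.XYZ-Portal.com" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Microsoft IIS webserver" version="5.0"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-term-serv"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Report notes for services whose mere exposure on an internet-facing host is a finding.
SERVICE_NOTES = {
    "telnet": "cleartext remote login; credentials readable on the wire",
    "microsoft-ds": "SMB/CIFS reachable from the internet; should be firewalled",
}

def parse_open_ports(xml_text):
    """Return one dict per open port on each live host, ready for the report table."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts carry no port data worth reporting
        addr = host.find("address").get("addr")
        hostname = host.find("hostnames/hostname")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not findings in this table
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            parts = [svc.get("product"), svc.get("version")] if svc is not None else []
            findings.append({
                "host": hostname.get("name") if hostname is not None else addr,
                "addr": addr, "port": int(port.get("portid")), "proto": port.get("protocol"),
                "service": name, "version": " ".join(p for p in parts if p),
                "note": SERVICE_NOTES.get(name, ""),
            })
    return findings

def report_table(findings):
    """Render findings as the plain-text table that goes into the report."""
    rows = ["HOST PORT SERVICE VERSION NOTE"]
    for f in findings:
        rows.append(f"{f['host']} {f['port']}/{f['proto']} {f['service']} {f['version']} {f['note']}".rstrip())
    return "\n".join(rows)
```

Run `print(report_table(parse_open_ports(open("outputfileName.xml").read())))` against a real scan file to get the same table for your own target.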

Now it is time to run a vulnerability scan against the Windows machine to check the server for known vulnerabilities.

There are many commercial and non-commercial tools for vulnerability scanning; the one I recommend is Nessus, which is easy to download. Running the vulnerability scan and reporting its results will be covered in Part 3.
