Penetration testing methodology
- Scanning and Reconnaissance — Getting to know the target using passive methods like researching publicly available information and network scanning.
- Threat Modeling — A description or model of all the security concerns and why they should be resolved.
- Vulnerability Analysis — Identifying vulnerabilities and determining their severity.
- Exploitation — Gaining access by breaching security of a system or finding an bug to exploit in the software.
- Post-Exploitation Reporting — Detailing the vulnerabilities found and providing information on potential impact on the company if exploited.
Going deeper into Scanning and Reconnaissance
Unlike the movies hackers don’t just start typing and automatically get access to a system. Scanning and reconnaissance is a key part of an attack in that it can detail vulnerable areas of a system. The first step of information gathering can be as simple as a quick google search.One way to think about information gathering is like breaking into a house. There’s no need to break down the door to get inside when there is a window open. In information gathering we want to find if the company we are testing has left any doors unlocked or maybe a window open.
What are we looking for?
Information gathering starts in a passive way. We want to get clues on what the company architecture looks like and if there is any routine we can map out. This comes down to finding some key publicly available information such as:- Email addresses
- Phone numbers
- System information
- Job Postings
- Resumes
- Contact Names
Nmap
Nmap is a powerful command line scanning tool. Using nmap network architectures and open ports are easier to locate. As a command line tool the main interaction with the tool is based on giving the correct commands for the job. To get a better understanding of how nmap could be used, let’s run through a couple commands.To do a simple scan we can just provide an address to scan.
nmap scanme.nmap.org
The results show the open ports of the target. With this simple scan you could identify if any vulnerable ports are open. By adding additional modifiers we can focus on certain aspects of the targets.
nmap -A scanme.nmap.org
In this case the nmap scan also finds the OS type, version and any open ports. Nmap is a powerful tool with many more commands to do specific tests. Checkout nmap’s official website for a the learning guide or take a look at the variety of nmap cheat sheets available online.
Wireshark
During a penetration test we may want to monitor what is on the network. To do this we can use Wireshark which is a network monitoring tool. Wireshark has shows collects information on all network traffic by providing information on IP addresses, protocols, requests etc.
https://upload.wikimedia.org/wikipedia/commons/0/03/Wireshark_screenshot.png
By filtering the network information we can focus on particular systems and interactions on the network. In a work setting we could filter for any network traffic going to YouTube or Netflix to identify how heavily they are used during work ours. In the same way during a penetration test we could identify what systems
Google Hacking (a.k.a Google Dorking)
Even though their are great tools for doing scanning and recon, we can just use google to find the same information. Many security issues happen because of misconfiguration of software or accidentally opening information up to public. By querying google with specific strings we can find information not available on a website itself. Using these searches we can find files with user information, passwords, vulnerable servers etc. These search queries are being included into more scanning tools so that this process of searching for these files is automated.Checkout the Google Hacking Database to see some current examples of
Up Next — Exploitation
The exploitation phase of a penetration test also utilizes its own set of tools. The go to tool for many penetration testers attacking other systems on a network is the Metasploit Framework.The Metasploit Framework
The Metasploit Framework is developed by Rapid7 and comes pre-installed on Kali Linux. Metasploit has a database of exploitation and payloads built-in that updated regularly. Check out our other article — Kali Linux & Metasploit: Getting Started with Pen Testing — to learn more about using metasploit.
Opening the metasploit console
Additional Resources
There are many courses out in the wild that cover penetration testing. Below are a few options that I have found to be good investments of time. If you have any suggestions then comment below!Courses
Offensive Security Certified Professional Certificate — A very in depth course on penetration testing provided by the developers of Kali Linux.Books
Grey Hat Hacking: The Ethical Hacker’s Handbook — Introduction to both hacking and penetration testing.Penetration Testing: A Hands-On Introduction to Hacking — A good introduction to the main concepts of pen testing with hands-on exercises.
