
Penetration Testing

Module 20

Ethical Hacking and Countermeasures v8: Penetration Testing

Exam 312-50 Certified Ethical Hacker

Module 20 Page 2873

Ethical Hacking and Countermeasures Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Security News

City of Tulsa Cyber Attack Was Penetration Test, Not Hack

Source: http://www.esecurityplanet.com

October 02, 2012

The City of Tulsa, Oklahoma last week began notifying residents that their personal data may have been accessed -- but it now turns out that the attack was a penetration test by a company the city had hired. "City officials didn't realize that the apparent breach was caused by the security firm, Utah-based SecurityMetrics, until after 90,000 letters had been sent to people who had applied for city jobs or made crime reports online over the past decade, warning them that their personal identification information might have been accessed," writes Tulsa World's Brian Barber. "The mailing cost the city $20,000, officials said."

"An additional $25,000 was spent on security consulting services to add protection measures to the website," FOX23 News reports.

"The third-party consultant had been hired to perform an assessment of the city's network for vulnerabilities," write NewsOn6.com's Dee Duren and Lacie Lowry. "The firm used an unfamiliar testing procedure that caused the City to believe its website had been compromised. 'We had to treat this like a cyber-attack because every indication initially pointed to an attack,' said City Manager Jim Twombly."

"The chief information officer who failed to determine that the hack was actually part of a penetration test has been placed on administrative leave with pay," writes Softpedia's Eduard Kovacs. "In the meantime, his position will be filled by Tulsa Police Department Captain Jonathan Brook."

Copyright 2012 QuinStreet Inc. By Jeff Goldman

http://www.esecurityplanet.com/network-security/city-of-tulsa-cyber-attack-was-penetration-test-not-hack.html



Module Objectives

All modules discussed so far concentrated on various penetration testing techniques specific to the respective element (web application, etc.), mechanism (IDS, firewall, etc.), or phase (reconnaissance, scanning, etc.). This module summarizes all the penetration tests. It helps you evaluate the security of an organization and also guides you in making your network or system more secure with its countermeasures. The module will familiarize you with:

- Security Assessments
- Vulnerability Assessments
- Penetration Testing
- What Should be Tested
- ROI on Penetration Testing
- Types of Penetration Testing
- Common Penetration Testing Techniques
- Pre-attack Phase
- Attack Phase
- Post-attack Phase
- Penetration Testing Deliverable Templates
- Pen Testing Roadmap
- Web Application Testing
- Outsourcing Penetration Testing Services


Module Flow

For a better understanding of penetration testing, this module is divided into various sections. Let's begin with penetration testing concepts.

- Pen Testing Concepts
- Types of Pen Testing
- Pen Testing Techniques
- Pen Testing Phases
- Pen Testing Roadmap
- Outsourcing Pen Testing Services

This section starts with the basic concepts of penetration testing. In this section, you will learn the role of penetration testing in a security assessment and why vulnerability assessment alone is not enough to detect and remove vulnerabilities in the network. Later in this section, you will examine why penetration testing is necessary, how to perform a good penetration test, how to determine testing points and testing locations, and so on.


Security Assessments

Every organization uses different types of security assessments to validate the level of security on its network resources. Organizations need to choose the assessment method that suits the requirements of their situation most appropriately. People conducting different types of security assessments must possess different skills. Therefore, pen testers, whether they are employees or outsourced security experts, must have thorough experience of penetration testing. Security assessment categories include security audits, vulnerability assessments, and penetration testing or ethical hacking.

Security Assessment Categories

Security assessment is broadly divided into three categories:

1. Security Audits: IT security audits typically focus on the people and processes used to design, implement, and manage security on a network. There is a baseline involved for processes and policies within an organization. In an IT security audit, the auditor and the organization's security policies and procedures use the specific baseline to audit the organization. IT management usually initiates IT security audits. The National Institute of Standards and Technology (NIST) has an IT security audit manual and associated toolset to conduct the audit; the NIST Automated Security Self-Evaluation Tool (ASSET) can be downloaded at http://csrc.nist.gov/asset/. On a computer, the security audit's technical assessment of a system or application is done manually or automatically.

   You can perform a manual assessment by using the following techniques:
   - Interviewing the staff
   - Reviewing application and operating system access controls
   - Analyzing physical access to the systems

   You can perform an automatic assessment by using the following techniques:
   - Generating audit reports
   - Monitoring and reporting the changes in the files

2. Vulnerability Assessments: A vulnerability assessment helps you identify security vulnerabilities. To perform a vulnerability assessment you should be a very skilled professional. Through a proper assessment, threats from hackers (outsiders), former employees, internal employees, etc. can be determined.

3. Penetration Testing: Penetration testing is the act of testing an organization's security by simulating the actions of an attacker. It helps you determine various levels of vulnerabilities and to what extent an external attacker can damage the network, before it actually occurs.


Security Audit

A security audit is a systematic, measurable technical assessment of how the security policy is employed by the organization. A security audit is conducted to maintain the security level of the particular organization. It helps you identify attacks that pose a threat to the network or attacks against resources that are considered valuable in risk assessment. The security auditor is responsible for conducting security audits on the particular organization. The security auditor works with the full knowledge of the organization, at times with considerable inside information, in order to understand the resources to be audited.

- A security audit is a systematic evaluation of an organization's compliance with a set of established information security criteria.
- The security audit includes assessment of a system's software and hardware configuration, physical security measures, data handling processes, and user practices against a checklist of standard policies and procedures.
- A security audit ensures that an organization has and deploys a set of standard information security policies.
- It is generally used to achieve and demonstrate compliance with legal and regulatory requirements such as HIPAA, SOX, PCI-DSS, etc.
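The two automatic audit techniques listed under Security Audits above (generating audit reports, and monitoring and reporting changes in files) and the checklist-against-configuration idea in this section can be shown together in one small program. The following is an added example written for this page, not code from the CEH courseware or from NIST ASSET; the hostname, settings, file contents and control IDs are constructed sample data (assumptions), not values from any real standard.

```python
"""Checklist-driven security audit with file-change reporting.

Added example, not code from the CEH courseware: it evaluates a
constructed system snapshot against a checklist of standard settings
and reports files whose SHA-256 hashes differ from a stored baseline.
Hostname, settings, file contents and control IDs are all constructed
sample data (assumptions), not values from any real standard.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable


@dataclass
class Check:
    control_id: str          # constructed label, e.g. "PWD-01"
    description: str
    passes: Callable[[dict], bool]


# Constructed checklist standing in for an organization's policy baseline.
CHECKLIST = [
    Check("PWD-01", "Passwords must be at least 12 characters",
          lambda s: s["password_min_length"] >= 12),
    Check("SSH-01", "Root must not log in over SSH directly",
          lambda s: s["ssh_permit_root_login"].lower() == "no"),
    Check("LOG-01", "Audit logging must be enabled",
          lambda s: s["audit_logging_enabled"] is True),
    Check("SVC-01", "No cleartext remote-access services installed",
          lambda s: not set(s["installed_services"]) & {"telnet", "ftp", "rsh"}),
]

# Constructed snapshot, as a host-based agent would collect it.
SNAPSHOT = {
    "host": "srv-example-01",
    "settings": {
        "password_min_length": 8,
        "ssh_permit_root_login": "yes",
        "audit_logging_enabled": True,
        "installed_services": ["sshd", "telnet", "ftp"],
    },
    "files": {
        "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
        "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
    },
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Hash every monitored file; store the result after a known-good audit."""
    return {path: sha256_hex(content) for path, content in files.items()}


def known_good_baseline() -> dict:
    """Constructed baseline from an earlier audit of the same host."""
    return build_baseline({
        "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
        "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
        "/etc/hosts.allow": b"sshd: 10.0.0.0/8\n",
    })


def detect_file_changes(baseline: dict, files: dict) -> dict:
    """Report files modified, added or removed relative to the baseline."""
    current = build_baseline(files)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def run_audit(snapshot: dict, checklist: list, baseline: dict) -> dict:
    """Evaluate each control and attach the file-change report."""
    settings = snapshot["settings"]
    failed = [c.control_id for c in checklist if not c.passes(settings)]
    passed = len(checklist) - len(failed)
    return {
        "host": snapshot["host"],
        "passed": passed,
        "failed": failed,
        "compliance_pct": round(100.0 * passed / len(checklist), 1),
        "file_changes": detect_file_changes(baseline, snapshot["files"]),
    }


def example_report() -> dict:
    return run_audit(SNAPSHOT, CHECKLIST, known_good_baseline())


if __name__ == "__main__":
    report = example_report()
    print(f"{report['host']}: {report['passed']}/{len(CHECKLIST)} controls passed "
          f"({report['compliance_pct']}%), failed: {report['failed']}")
    for kind, paths in report["file_changes"].items():
        for path in paths:
            print(f"  file {kind}: {path}")
```

Running it reports the failed control IDs and shows that sshd_config was modified since the baseline and hosts.allow was removed; the hash baseline is the part that makes the file-change report defensible, because an auditor can re-derive it rather than trust the agent's word.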


Vulnerability Assessment

A vulnerability assessment is a basic type of security assessment. This assessment helps you find known security weaknesses by scanning a network. With the help of vulnerability scanning tools, you can search network segments for IP-enabled devices and enumerate systems, operating systems, and applications. Vulnerability scanners are capable of identifying device configurations including the OS version running on computers or devices, IP protocols and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports that are listening, and applications that are installed on computers. By using vulnerability scanners, you can also identify common security mistakes such as accounts that have weak passwords, files and folders with weak permissions, default services and applications that might need to be uninstalled, and mistakes in the security configuration of common applications. They can search for computers exposed to known or publicly reported vulnerabilities. The software packages that perform vulnerability scanning scan the computer against the Common Vulnerabilities and Exposures (CVE) index and security bulletins provided by the software vendor. The CVE is a vendor-neutral listing of reported security vulnerabilities in major operating systems and applications and is maintained at http://cve.mitre.org/.

Vulnerability scanners can test systems and network devices for exposure to common attacks. This includes common attacks such as the enumeration of security-related information and denial-of-service attacks. However, it must be noted that vulnerability scanning reports can expose weaknesses in hidden areas of applications and frequently include many false positives. Network administrators who analyze vulnerability scan results must have sufficient knowledge and experience with the operating systems, network devices, and applications being scanned and their roles in the network.

You can use two types of automated vulnerability scanners depending upon the situation: network-based and host-based. Network-based scanners attempt to detect vulnerabilities from the outside. They are normally launched from a remote system, outside the organization, and without authorized user access. For example, network-based scanners examine a system for such exploits as open ports, application security exploits, and buffer overflows. Host-based scanners usually require a software agent or client to be installed on the host. The client then reports back the vulnerabilities it finds to the server. Host-based scanners look for features such as weak file access permissions, poor passwords, and logging faults.


Limitations of Vulnerability Assessment

Vulnerability scanning software allows you to detect a limited set of vulnerabilities at a given point in time. As with any assessment software that requires its signature file to be updated, vulnerability scanning software must be updated when new vulnerabilities are discovered or improvements are made to the software being used. The vulnerability software is only as effective as the maintenance performed on it by the software vendor and by the administrator who uses it. Vulnerability scanning software itself is not immune to software engineering flaws that might lead to non-detection of serious vulnerabilities. Another aspect to be noted is that the methodology used might have an impact on the result of the test. For example, vulnerability scanning software that runs under the security context of the domain administrator will yield different results than if it were run under the security context of an authenticated user or a non-authenticated user. Similarly, diverse vulnerability scanning software packages assess security differently and have unique features. This can influence the result of the assessment. Examples of vulnerability scanners include Nessus and Retina.
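The matching step at the heart of the Vulnerability Assessment section (enumerated product and version checked against a CVE-style index) and the two limitations just described (the index must be kept current, and the scan's security context changes what it can see) can be demonstrated in one small program. The following is an added example written for this page, not code from the CEH courseware, from Nessus, Retina or any other scanner; the hosts, versions and advisory IDs are constructed placeholders (assumptions), not real CVE entries.

```python
"""Matching enumerated services against a vulnerability index.

Added example, not code from the CEH courseware or from any scanner
vendor: it shows the core matching step a network-based scanner applies
after enumeration, and why the result depends on the index it carries
and on the privilege level of the scan. Hosts, versions and advisory IDs
are constructed placeholders (assumptions), not real CVE entries.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str            # placeholder; a real index would carry CVE IDs
    product: str
    fixed_in: tuple             # first version no longer affected
    severity: str
    requires_credentials: bool  # True: only a host-based/credentialed check can see it


# Constructed index; a real scanner loads CVE feeds and vendor bulletins here.
INDEX = [
    Advisory("EXAMPLE-0001", "openssh", (8, 0), "high", False),
    Advisory("EXAMPLE-0002", "nginx", (1, 20, 1), "medium", False),
    Advisory("EXAMPLE-0003", "openssl", (3, 0, 7), "high", True),
]

# Constructed enumeration results: what the scanner learned per host.
SERVICES = [
    {"host": "10.0.0.5", "port": 22, "product": "openssh", "version": "7.4p1", "source": "banner"},
    {"host": "10.0.0.5", "port": 443, "product": "nginx", "version": "1.21.0", "source": "banner"},
    {"host": "10.0.0.5", "port": 0, "product": "openssl", "version": "3.0.2", "source": "package"},
    {"host": "10.0.0.7", "port": 8080, "product": "customapp", "version": "2.1", "source": "banner"},
]


def parse_version(text: str) -> tuple:
    """'7.4p1' -> (7, 4): keep the leading digits of each dotted part."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def version_less(a: tuple, b: tuple) -> bool:
    """Compare version tuples, padding the shorter one with zeros."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def match_findings(credentialed: bool, services=SERVICES, index=INDEX) -> list:
    """Return one finding per (service, advisory) pair the scan can establish."""
    findings = []
    for svc in services:
        for adv in index:
            if adv.product != svc["product"]:
                continue  # product not in the index: nothing is reported (a stale index means silence)
            if adv.requires_credentials and not credentialed:
                continue  # coverage gap of an unauthenticated scan, not evidence of safety
            if version_less(parse_version(svc["version"]), adv.fixed_in):
                findings.append({
                    "host": svc["host"],
                    "port": svc["port"],
                    "advisory": adv.advisory_id,
                    "severity": adv.severity,
                    # banner versions may hide backported fixes: flag for manual verification
                    "needs_verification": svc["source"] == "banner",
                })
    return findings


if __name__ == "__main__":
    for credentialed in (False, True):
        mode = "credentialed" if credentialed else "unauthenticated"
        for f in match_findings(credentialed):
            print(f"[{mode}] {f['host']}:{f['port']} {f['advisory']} ({f['severity']})"
                  f"{' - verify manually' if f['needs_verification'] else ''}")
```

The unauthenticated run reports only the banner-derived OpenSSH finding, marked for manual verification because banners do not show backported fixes (a source of the false positives mentioned above); the credentialed run additionally surfaces the OpenSSL package, and the custom application on 10.0.0.7 is never reported because nothing in the index describes it, which is exactly the non-detection risk the limitations section warns about.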


Introduction to Penetration Testing

This module marks a departure from the approach followed in earlier modules; here you will be encouraged to think "outside the box." Hacking as it was defined originally portrayed a streak of genius or brilliance in the ability to conjure previously unknown ways of doing things. In this context, to advocate a methodology that can be followed to simulate a real-world hack through ethical hacking or penetration testing might come across as a contradiction. Penetration testing is a process of evaluating the security of the network by trying all possible attack vectors, as an attacker does. The reason behind advocating a methodology in penetration testing arises from the fact that most attackers follow a common underlying approach when it comes to penetrating a system. In the context of penetration testing, as a tester you will be limited by resources such as time, skilled resources, and access to equipment, as outlined in the penetration testing agreement. The paradox of penetration testing is the fact that the inability to breach a target does not necessarily indicate the absence of vulnerability. In other words, to maximize the returns from a penetration test, you must be able to apply your skills to the resources available in such a manner that the attack area of the target is reduced as much as possible.

A pen test simulates methods that intruders use to gain unauthorized access to an organization's networked systems and then compromise them. It involves using proprietary and open source tools to test for known and unknown technical vulnerabilities in networked systems. Apart from automated techniques, penetration testing involves manual techniques for conducting targeted testing on specific systems to ensure that there are no security flaws that may have gone undetected earlier. The main purpose behind footprinting in pen testing is to gather data related to a target system or network and find out its vulnerabilities. You can perform this through various techniques such as DNS queries, network enumeration, network queries, operating system identification, organizational queries, ping sweeps, point of contact queries, port scanning, registrar queries, and so on.


Penetration Testing

Penetration testing goes a step beyond vulnerability scanning in the category of security assessments. With vulnerability scanning, you can only examine the security of individual computers, network devices, or applications, but penetration testing allows you to assess the security model of the network as a whole. Penetration testing can help reveal the potential consequences of a real attacker breaking into the network to network administrators, IT managers, and executives. Penetration testing also reveals the security weaknesses that typical vulnerability scanning misses.

A penetration test will not only point out vulnerabilities, it will also document how the weaknesses can be exploited and how several minor vulnerabilities can be escalated by an attacker to compromise a computer or network. Penetration testing must be considered as an activity that shows the holes in the security model of an organization. Penetration testing helps organizations reach a balance between technical prowess and business functionality from the perspective of potential security breaches. This test can help you in disaster recovery and business continuity planning.

Most vulnerability assessments are carried out solely based on software and cannot assess security that is not related to technology. Both people and processes can be the source of security vulnerabilities as much as the technology can be. Using social engineering techniques, penetration tests can reveal whether employees routinely allow people without identification to enter company facilities and where they would have physical access to computers. Practices such as patch management cycles can be evaluated. A penetration test can reveal process problems, such as not applying security updates until three days after they are released, which would give attackers a three-day window to exploit known vulnerabilities on servers.

You can differentiate a penetration tester from an attacker only by his intent and lack of malice. Therefore, employees or external experts must be cautioned against conducting penetration tests without proper authorization. Penetration testing that is not completed professionally can result in the loss of services and disruption of business continuity. Management needs to give written approval for penetration testing. This approval should include a clear scoping, a description of what will be tested, and when the testing will take place. Because of the nature of penetration testing, failure to obtain this approval might result in committing computer crime, despite the best intentions.

Why Penetration Testing?

Penetration testing plays a vital role in evaluating and maintaining the security of a system or network. It helps you find the loopholes by deploying attacks. It includes both script-based testing and human-based testing on networks. A penetration test not only reveals network security holes, but also provides a risk assessment. Let's see what you can do with the help of penetration testing:

- You can identify the threats facing an organization's information assets.
- You can reduce an organization's IT security costs and provide a better Return On IT Security Investment (ROSI) by identifying and resolving vulnerabilities and weaknesses.
- You can provide an organization with assurance: a thorough and comprehensive assessment of organizational security covering policy, procedure, design, and implementation.
- You can gain and maintain certification to an industry regulation (BS7799, HIPAA, etc.).
- You can adopt best practices by conforming to legal and industry regulations.
- You can test and validate the efficiency of security protections and controls.
- It focuses on high-severity vulnerabilities and emphasizes application-level security issues to development teams and management.
- It provides a comprehensive approach of preparation steps that can be taken to prevent upcoming exploitation.
- You can evaluate the efficiency of network security devices such as firewalls, routers, and web servers.
- You can use it for changing or upgrading existing infrastructure of software, hardware, or network design.

Comparing Security Audit, Vulnerability Assessment, and Penetration Testing

Although a lot of people use the terms security audit, vulnerability assessment, and penetration test interchangeably to mean security assessment, there are considerable differences between them.

Security Audit: A security audit just checks whether the organization is following a set of standard security policies and procedures.

Vulnerability Assessment: A vulnerability assessment focuses on discovering the vulnerabilities in the information system but provides no indication of whether the vulnerabilities can be exploited or the amount of damage that may result from the successful exploitation of the vulnerability.

Penetration Testing: Penetration testing is a methodological approach to security assessment that encompasses the security audit and vulnerability assessment and demonstrates whether the vulnerabilities in the system can be successfully exploited by attackers.

TABLE 20.1: Comparison between Security Audit, Vulnerability Assessment, and Penetration Testing

What Should Be Tested?

An organization should conduct a risk assessment operation before the penetration testing; this will help to identify the main threats, such as communications failure and e-commerce failure; public-facing systems (websites, email gateways, and remote access platforms); loss of confidential information; and mail, DNS, firewalls, passwords, FTP, IIS, and web servers.

Note: Testing should be performed on all hardware and software components of a network security system.

It is always ideal to conduct a vulnerability assessment in an organization so that various potential threats can be known well before they occur. You can test various network or system components for security vulnerabilities, such as:

- Communication failure
- E-commerce failure
- Loss of confidential information
- Public-facing systems such as websites
- Email gateways
- Remote access platforms
- Mail
- DNS
- Firewalls
- Passwords
- FTP
- IIS
- Web servers

What Makes a Good Penetration Test?

Consider the following factors to perform a good penetration test:

- Establish the parameters for the penetration test, such as objectives, limitations, and the justification of procedures. Establishing these parameters helps you know the purpose of conducting the penetration test.
- Hire skilled and experienced professionals to perform the test. If the penetration testing is not done by skilled and experienced professionals, there is a risk of damaging live data, and more harm than benefit can result.
- Choose a suitable set of tests that balance cost and benefits.
- Follow a methodology with proper planning and documentation. It is very important to document the test at each phase for further reference.
- Document the results carefully and make them comprehensible for the client.
- State the potential risks and findings clearly in the final report.

ROI on Penetration Testing

Demonstrate the ROI for a pen test with the help of a business case scenario, which includes the expenditure and the profits involved in it. Companies will spend on a pen test only if they have proper knowledge of the benefits of the pen test.

ROI (return on investment) is a traditional financial measure. It is used to determine the business results for the future based on calculations from historical data. The ROI is calculated based on three things:

- Payback period: In this method the time taken to get the payback (recovering the amount invested) on a particular project is calculated.
- Net present value: Future benefits are calculated in terms of today's money.
- Internal rate of return: The benefits expressed as an interest rate.

So whenever a penetration test is conducted, a company checks what kinds of benefits are associated with the penetration testing. What could be the costs to be incurred for penetration testing? Costs related to the hiring of skilled professionals? All these things are to be kept in view, and penetration testing should be conducted through proper planning.

- Penetration testing helps companies in identifying, understanding, and addressing vulnerabilities, which saves them a lot of money, resulting in ROI.
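The business case the module asks for, worked through with the three measures named above (payback period, net present value, internal rate of return). This is an added example, not code from the module; the engagement cost, the avoided-loss figures and the 8% cost of capital are constructed, and the IRR is found by bisection, which is this example's choice of root finder.

```python
"""Pen-test ROI business case: payback period, NPV and IRR.

Added example, not code from the EC-Council module. All cost and benefit
figures below are constructed for illustration.
"""
from typing import Sequence


def payback_period(investment: float, annual_benefits: Sequence[float]) -> float:
    """Years until cumulative benefits first recover the amount invested.

    Benefits are assumed to accrue evenly within each year, so the result
    may be fractional. Raises ValueError if the investment is never recovered.
    """
    remaining = investment
    for year, benefit in enumerate(annual_benefits, start=1):
        if benefit >= remaining:
            return (year - 1) + remaining / benefit
        remaining -= benefit
    raise ValueError("investment is not recovered within the benefit horizon")


def net_present_value(rate: float, investment: float,
                      annual_benefits: Sequence[float]) -> float:
    """Future benefits restated in today's money, minus the up-front cost.

    The benefit for year t is discounted by (1 + rate) ** t; the investment
    is paid at t = 0 and therefore not discounted.
    """
    discounted = sum(b / (1.0 + rate) ** t
                     for t, b in enumerate(annual_benefits, start=1))
    return discounted - investment


def internal_rate_of_return(investment: float, annual_benefits: Sequence[float],
                            lo: float = -0.99, hi: float = 10.0,
                            tol: float = 1e-9) -> float:
    """Discount rate at which NPV is exactly zero, found by bisection.

    With positive annual benefits, NPV falls monotonically as the rate rises,
    so a single root lies between a rate where NPV > 0 and one where NPV < 0.
    Bisection is this example's choice of root finder (an assumption).
    """
    if (net_present_value(lo, investment, annual_benefits) <= 0
            or net_present_value(hi, investment, annual_benefits) >= 0):
        raise ValueError("no IRR inside the search bracket")
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if net_present_value(mid, investment, annual_benefits) > 0:
            lo = mid      # rate too low: NPV still positive
        else:
            hi = mid      # rate too high: NPV already negative
    return (lo + hi) / 2.0


def business_case(investment: float, annual_benefits: Sequence[float],
                  discount_rate: float) -> dict:
    """Combine the three measures into the figures management would ask for."""
    npv = net_present_value(discount_rate, investment, annual_benefits)
    try:
        payback = payback_period(investment, annual_benefits)
    except ValueError:
        payback = None          # never pays back within the horizon
    try:
        irr = internal_rate_of_return(investment, annual_benefits)
    except ValueError:
        irr = None
    return {
        "investment": investment,
        "payback_years": payback,
        "npv": round(npv, 2),
        "irr": irr,
        # The test pays for itself when its present-value benefits exceed the cost.
        "worthwhile": npv > 0,
    }


# Constructed scenario: a 25,000 engagement (fees for skilled testers plus
# remediation effort) expected to avert 12,000 of breach loss per year for
# three years, evaluated at an 8% cost of capital.
PENTEST_COST = 25_000.0
AVOIDED_LOSS_PER_YEAR = [12_000.0, 12_000.0, 12_000.0]
COST_OF_CAPITAL = 0.08

if __name__ == "__main__":
    case = business_case(PENTEST_COST, AVOIDED_LOSS_PER_YEAR, COST_OF_CAPITAL)
    print(f"Payback period : {case['payback_years']:.2f} years")
    print(f"NPV at {COST_OF_CAPITAL:.0%}      : {case['npv']:,.2f}")
    print(f"IRR            : {case['irr']:.2%}")
    print(f"Worth funding  : {case['worthwhile']}")
```

Doubling the engagement cost in the scenario (50,000 against the same avoided losses) shows the other side of the decision: no payback within three years, a negative NPV and a negative IRR.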

Testing Points

Organizations have to reach a consensus on the extent of information that can be divulged to the testing team to determine the starting point of the test.

Every penetration test will have a start and end point, irrespective of whether it is a zero-knowledge or partial-knowledge test. How does a pen test team or an organization determine this? While providing a penetration-testing team with information such as the exact configuration of the firewall used by the target network may speed up the testing, it can work negatively by providing the testers with an unrealistic advantage. If the objective of the penetration effort is to find as many vulnerabilities as possible, it might be a good idea to opt for white-box testing and share as much information as possible with the testers. This can help in detecting hidden vulnerabilities that often go undetected because of obscurity. On the other hand, if the purpose of the penetration test is to evaluate the effectiveness of the security posture of the organization irrespective of any "security by obscurity" measures, withholding information will produce more realistic results. Similarly, by making highly sensitive information available, such as the names and user IDs of system administrators, the organization may be defeating the purpose of a comprehensive pen test. Therefore, a balance must be reached between assisting the testing team in conducting their test faster and providing a more realistic testing environment by restricting information. Some organizations may choose to get the initial pen test audited by a second pen test team so that there is third-party assurance on the results obtained.

Testing Locations

The pen test team may have a choice of doing the test either remotely or on-site. A remote assessment may simulate an external hacker attack; however, it may miss assessing internal guards. An on-site assessment may be expensive and may not simulate an external threat exactly.

The penetration test team may have a preference on the location from where they would probe the network. Alternatively, the organization may want the network to be assessed from a remote location. If the pen test team is based overseas, an on-site assessment may be more expensive than a remote one. The location of the assessment has an influence on the test results. Testing over the Internet may provide a more realistic test environment. However, the pen test team may learn little if there is a well-configured perimeter firewall and robust web application defenses. A purely external assessment may not be able to test any additional inner network defenses put in place to guard against an internal intruder. Sometimes, the organization may have a network that is dispersed geographically across locations and that contains several systems. In this case, the organization may choose to prioritize locations, or the team may choose locations depending on critical applications. If a complete-knowledge test is being undertaken, the pen test team can undertake an asset audit to determine which systems are critical to the business, and plan the test accordingly.

Module Flow

So far, we have discussed various pen testing concepts. Depending on the scope of operation and time required for conducting a pen test, the tester can choose the appropriate type of penetration testing. The selection of the particular type of penetration testing depends upon the type of resources to be protected against attacks. Now, we will discuss various types of pen testing.

- Pen Testing Concepts
- Types of Pen Testing
- Pen Testing Techniques
- Pen Testing Phases
- Pen Testing Roadmap
- Outsourcing Pen Testing Services

In this section, you will learn different types of penetration testing, such as external testing, internal testing, black-box penetration testing, gray-box penetration testing, white-box penetration testing, announced/unannounced testing, automated testing, and manual testing.

Types of Penetration Testing

External Testing: External testing involves analysis of publicly available information, a network enumeration phase, and analysis of the behavior of the security devices.

Internal Testing: Internal testing involves testing computers and devices within the company.

Penetration testing is broadly divided into two types. They are:

External Testing

External penetration testing is the conventional approach to penetration testing. The testing is focused on the servers, infrastructure, and underlying software pertaining to the target. It may be performed with no prior knowledge of the site (black box) or with full disclosure of the topology and environment (white box). This type of testing will take in a comprehensive analysis of publicly available information about the target.

Internal Testing

Internal testing makes use of similar methods as external testing, and it is considered to give a more versatile view of the security. Testing will be performed from several network access points, including both logical and physical segments. It is critical to note that, despite everything, information security is an ongoing process and penetration testing only gives a snapshot of the security posture of an organization at any given point in time. Internal testing will be performed from a number of network access points, representing each logical and physical segment. The following tests fall under internal testing:

- Black-hat testing/zero-knowledge testing
- Gray-hat testing/partial-knowledge testing
- White-hat testing/complete-knowledge testing
- Announced testing
- Unannounced testing

External Penetration Testing

External penetration testing involves a comprehensive analysis of a company's externally visible servers or devices. It is the traditional approach to penetration testing. The goal of an external penetration test is to demonstrate the existence of known vulnerabilities that could be exploited by an external attacker. It can be performed without prior knowledge of the target to be tested or with full disclosure of the target's topology and environment. It helps the testers check whether the system is properly managed and kept up-to-date, protecting the business from information loss and disclosure.

A pen tester conducts an external penetration test to determine the external threats to the network or system. The attacker can perform an external attack without accessing a system by using credentials or the appropriate rights. The main aim behind conducting this pen test is to identify potential weaknesses in the security of the target network system. External testing is focused on the servers, infrastructure, and underlying software pertaining to the target. It may be performed with no prior knowledge of the site (black box) or with full disclosure of the topology and environment (white box). This type of testing will take in a comprehensive analysis of publicly available information about the target, a network enumeration phase where target hosts are identified and analyzed, and the behavior of security devices such as screening network-filtering devices. Vulnerabilities are then identified and verified, and the implications assessed. It is the traditional approach to penetration testing.

Internal Security Assessment

Internal penetration testing focuses on a company's internal resources such as DMZs, network connections, application services, etc., and on a comprehensive analysis of threats and risks that arise within the company. The goal of internal penetration testing is to demonstrate the exposure of information or other organization assets to an unauthorized user. An internal security assessment follows a similar methodology to external testing, but provides a more complete view of the site security.

A pen tester conducts internal penetration testing in order to ensure nobody can access the system inside the network by misusing user privileges. It is used to identify the weaknesses of computer systems inside the particular network. The internal security assessment gives a clear view of the site's security. An internal security assessment has a similar methodology to external penetration testing. The main purpose behind internal penetration testing is to find out the various vulnerabilities inside the network. Risks associated with security aspects are carefully checked. Exploitation can be done by a hacker, a malicious employee, etc.:

- Testing will be performed from a number of network access points, representing each logical and physical segment.
- For example, this may include tiers and DMZs within the environment, the corporate network, or partner company connections.


Black-box Penetration Testing

- It does not require prior knowledge of the infrastructure to be tested
- The penetration test must be carried out after extensive information gathering and research
- It takes a considerable amount of time for the project to discover the nature of the infrastructure and how it connects and interrelates
- You will be given only a company name
- This test simulates the process of a real hacker
- It is a time-consuming and expensive type of test

In black-box testing, a pen tester carries out the test without any prior knowledge of the target. In order to simulate real-world attacks and minimize false positives, pen testers can choose to undertake black-hat testing (or a zero-knowledge attack, with no information or assistance from the client) and map the network while enumerating services, shared file systems, and operating systems discreetly. Additionally, the pen tester can undertake war dialing to detect listening modems and war driving to discover vulnerable access points, if it is legal and within the scope of the project. Because the tester starts from a company name alone, the written scope must still pin down which address ranges and domains actually belong to the client before active probing begins; hosts turned up during reconnaissance that are not in that scope (shared hosting, a cloud provider's address space, a partner's network) have to be confirmed with the client before they are touched.


Gray-box Penetration Testing

- In a gray-box test, the tester usually has limited knowledge of information about the target
- It performs security assessment and testing internally
- It approaches application security by testing for all vulnerabilities which a hacker may find and exploit
- It is performed mostly when a penetration tester starts a black-box test on well-protected systems and finds that a little prior knowledge is required in order to conduct a thorough review

In gray-box penetration testing, the test is conducted with limited knowledge about the infrastructure, defense mechanisms, and communication channels of the target on which the test is to be conducted. It simulates the attacks that would be performed by an insider or an outsider with limited access privileges. In this case, organizations prefer to provide the pen testers with partial knowledge or information that hackers could find anyway, such as the domain name servers, which saves the time and expense the organization would otherwise spend while the testers rediscover it. In gray-box testing, pen testers may also interact with system and network administrators. A typical gray-box starting point is one low-privileged user account and the application's address: enough to exercise the authenticated surface without the tester spending days finding the front door.


White-box Penetration Testing

- Complete knowledge of the infrastructure that needs to be tested is known
- This test simulates the process of a company's employees
- Information is provided such as:
  - Company infrastructure
  - IP address/firewall/IDS details
  - Company policies (do's and don'ts)

In white-box penetration testing, the test is conducted with full knowledge of the infrastructure, defense mechanisms, and communication channels of the target on which the test is being conducted. This test simulates the insider attacker who has full privileges and unlimited access to the target system. This type of penetration test is conducted when the organization needs to assess its security against a specific kind of attack or against a specific target. In this case, the complete information about the target is given to the pen testers. The information provided can include network topology documents, asset inventory, and valuation information. Typically, an organization would opt for this when it wants a complete audit of its security. Because the testers see the firewall rule base, the IDS configuration, and often the source code, a white-box test finds more per hour than a black-box test, but it does not tell the organization how hard those same weaknesses are for an outsider to discover; the two are complementary, not interchangeable.


Announced/Unannounced Testing

Announced Testing
- Is an attempt to compromise systems on the client network with the full cooperation and knowledge of the IT staff
- Examines the existing security infrastructure for possible vulnerabilities
- Involves the security staff on the penetration testing team to conduct audits

Unannounced Testing
- Is an attempt to compromise systems on the client networks without the knowledge of IT security personnel
- Allows only upper management to be aware of these tests
- Examines the security infrastructure and the responsiveness of the IT staff

Announced testing is an attempt to access and retrieve pre-identified flag file(s) or to compromise systems on the client network with the full cooperation and knowledge of the IT staff. Such testing examines the existing security infrastructure and individual systems for possible vulnerabilities. Creating a team-oriented environment in which members of the organization's security staff are part of the penetration team allows for a targeted attack against the most worthwhile hosts.

Unannounced testing is an attempt to access and retrieve pre-identified flag file(s) or to compromise systems on the client network with the awareness of only the upper levels of management. Such testing examines both the existing security infrastructure and the responsiveness of the staff. If intrusion detection and incident response plans have been created, this type of test will identify any weaknesses in their execution. Unannounced testing therefore tests the organization's security procedures in addition to the security of the infrastructure.

In both cases, the IT representative in the organization who would normally report security breaches to legal authorities should be aware of the test, to prevent escalation to law enforcement organizations. In practice that means the signed authorization, the testers' source addresses, the test window, and an emergency contact on each side should be on file with that person before the first packet is sent, so that detected activity can be confirmed as the test rather than handled as a live breach, and so that the test can be halted quickly if it collides with a real incident.


Automated Testing

- Automated testing can result in time and cost savings over the long term; however, it cannot replace an experienced security professional
- Tools can have a high learning curve and may need frequent updating to be effective
- With automated testing, there is no scope for any of the architectural elements to be tested
- As with vulnerability scanners, there can be false positives, which waste analyst time, and false negatives, which are worse because a real weakness goes unreported

Instead of relying on security experts, some organizations and security-testing firms prefer to automate their security assessments. Here, a security tool is run against the target and the security posture is assessed. The tools attempt to replicate the attacks that intruders have been known to use. This is similar to vulnerability scanning. Based on the success or failure of these attacks, the tool attempts to assess and report security vulnerabilities.

However, it must be noted that a thorough security assessment also includes elements of architectural review, security policy, firewall rule-base analysis, application testing, and general benchmarking. Automated testing is generally limited to external penetration testing using the black-box approach and does not allow an organization to profit completely from the exercise. As an automated process, there is no scope for any of the policy or architectural elements in the testing, and it may need to be supplemented by a security professional's expertise. An automated tool also cannot chain findings the way an attacker does: a low-severity information leak on one host and a weak credential on another are reported as two separate items, where a tester would combine them into one path to the data.

One advantage attributed to automated testing is that it reduces the volume of traffic required for each test. This gives the impression that the testing organization can service more customers concurrently for the same overhead structure. Organizations need to evaluate whether this indeed serves the purpose of the test. A non-automated security assessment will be more flexible to an organization's requirements and frequently better value, as it takes into account other areas such as security architecture and policy, and will most likely be more thorough and therefore leave the organization more secure. In addition, testing at frequent intervals allows the consultants to explain to the management of the organization and to the technical audiences what they have discovered, the processes they used, and the ramifications of all the recommendations. Additionally, as an independent party, they can present the findings in person, helping the IT security department justify the budgets required.


Manual Testing

- Manual testing is the best option an organization can choose to benefit from the experience of a security professional
- The objective of the professional is to assess the security posture of the organization from an attacker's perspective
- A manual approach requires planning, test designing, scheduling, and diligent documentation to capture the results of the testing process

Several organizations choose to have a manual assessment of their security and benefit from the experience of a seasoned security professional. The objective of the professional is to assess the security posture of the organization from an attacker's perspective. Under the manual approach, the security professional attempts to unearth holes in the security model of the organization by approaching it in a methodical manner. The phases of testing can involve basic information gathering, social engineering, scanning, vulnerability assessment, exploiting vulnerabilities, etc.

A manual approach requires planning, test design and scheduling, and diligent documentation to capture the results of the testing process in its entirety. Documentation plays a significant role in deciding how well the team has been able to assess the security posture of the organization; at a minimum, each finding should record the host, the exact request or command used, the evidence obtained, and the time, so that the client can reproduce it and later confirm the fix. Some organizations may choose to have their own internal team do the manual assessment and an external agency audit at the same time. Others may choose to get a second external team to audit the findings of the first external team. The rules of engagement and the expected deliverables should be clearly defined. In the long term, management will benefit more from a manual approach, as the team will be able to explain the gravity of the situation from an unbiased viewpoint and make recommendations on improving the security posture.


Module Flow

Now that you are familiar with pen testing concepts and the types of penetration testing, we will move forward to penetration testing techniques. This section covers various penetration testing techniques.

- Pen Testing Concepts
- Types of Pen Testing
- Pen Testing Techniques
- Pen Testing Phases
- Pen Testing Roadmap
- Outsourcing Pen Testing Services


Common Penetration Testing Techniques

Passive Research: is used to gather all the information about an organization's system configurations
Open Source Monitoring: facilitates an organization to take the necessary steps to ensure its confidentiality and integrity
Network Mapping and OS Fingerprinting: is used to get an idea of the configuration of the network being tested
Spoofing: is the act of using one machine to pretend to be another; is used here for both internal and external penetration tests
Network Sniffing: is used to capture data as it travels across a network
Trojan Attacks: are malicious code or programs, usually sent into a network as email attachments or transferred via "Instant Message" into chat rooms
A Brute-force Attack: is the most commonly known password cracking method; can overload a system and possibly stop it from responding to legitimate requests
Vulnerability Scanning: is a comprehensive examination of the targeted areas of an organization's network infrastructure
A Scenario Analysis: is the final phase of testing, making a risk assessment of vulnerabilities much more accurate

The following are a few common techniques that can be used for penetration testing:

Passive research
Passive research is used to gather information about an organization related to its configuration from public-domain sources such as DNS records, name registries, ISP looking-glass servers, Usenet newsgroups, etc. Because nothing is sent to the target's own systems, this stage generates no alerts on the target and can be completed before the active test window opens.

Open source monitoring
Open source monitoring facilitates an organization to take the necessary steps to ensure its confidentiality and integrity. Monitoring includes alerting in the following situations:
- When the database is not available
- When a database error occurs
- When the file system is running out of space
- etc.
Graphing and seeing trends for:
- Database table locks
- Replication lag
- Table cache efficiency
- etc.

Network mapping and OS fingerprinting
Network mapping and OS fingerprinting gives an idea about the configuration of the entire network being tested. This technique is designed to identify the different types of services present on the target system.

Spoofing
Spoofing is an attempt by someone or something to masquerade as someone else; for example, one machine pretends to be another. At the network layer this is done by forging the source or destination IP address in the IP header, which nothing in IPv4 authenticates. Spoofing is used here for both internal and external penetration tests.

Network sniffing
Network sniffing is used to capture data as it travels across a network. On a switched network the tester's interface sees only its own traffic unless it is placed in promiscuous mode and traffic is steered to it (through a mirror port, or by a technique such as ARP spoofing), so sniffing on an internal test usually goes together with spoofing.
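The IP-header forgery described under spoofing, as an added example that is not part of the original module: build an IPv4 header carrying a chosen source address, confirm that a receiver would accept it as well-formed, and apply the ingress check (BCP 38-style source-address filtering) that a border router uses to drop it. The addresses and prefixes are constructed for the example from documentation ranges; putting the header on the wire needs a raw socket and root or CAP_NET_RAW and is deliberately left out.

```python
import ipaddress
import struct

# Constructed addresses for the example (RFC 5737 documentation ranges, not real hosts).
VICTIM_SRC = "192.0.2.10"      # the address the attacker pretends to be
TARGET_DST = "198.51.100.20"   # the host that receives the forged datagram
PROTO_TCP = 6


def ipv4_checksum(data: bytes) -> int:
    """Standard Internet checksum: one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ident: int = 0x1234) -> bytes:
    """Build a 20-byte IPv4 header with whatever source address the caller chooses.

    Nothing in the header authenticates 'src'; a raw socket puts this on the wire
    as-is, which is all IP spoofing amounts to.
    """
    ver_ihl = (4 << 4) | 5          # IPv4, 5 x 32-bit words, no options
    tos = 0
    total_len = 20 + payload_len
    flags_frag = 0x4000             # Don't Fragment, fragment offset 0
    ttl = 64
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, ident,
                         flags_frag, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(header)    # computed with the checksum field zeroed
    return header[:10] + struct.pack("!H", csum) + header[12:]


def parse_ipv4_header(header: bytes) -> dict:
    """Decode the fields a receiver or a sniffer would look at."""
    fields = struct.unpack("!BBHHHBBH4s4s", header[:20])
    return {
        "version": fields[0] >> 4,
        "ihl": fields[0] & 0x0F,
        "total_len": fields[2],
        "ttl": fields[5],
        "proto": fields[6],
        # a valid header sums to zero once its own checksum is included
        "checksum_ok": ipv4_checksum(header[:20]) == 0,
        "src": str(ipaddress.IPv4Address(fields[8])),
        "dst": str(ipaddress.IPv4Address(fields[9])),
    }


def violates_ingress_filter(src: str, expected_prefixes) -> bool:
    """BCP 38-style ingress check: a packet arriving on an interface whose source
    address is not in the prefixes that legitimately live behind that interface
    is spoofed (or misrouted) and should be dropped."""
    addr = ipaddress.IPv4Address(src)
    return not any(addr in ipaddress.IPv4Network(p) for p in expected_prefixes)


if __name__ == "__main__":
    hdr = build_ipv4_header(VICTIM_SRC, TARGET_DST, PROTO_TCP, payload_len=20)
    info = parse_ipv4_header(hdr)
    print(info)
    # The forged datagram arrives on an interface that should only carry 10.0.0.0/8.
    print("dropped by ingress filter:", violates_ingress_filter(info["src"], ["10.0.0.0/8"]))
```

The point for the tester is the asymmetry: the receiver's checksum passes, so the header is "valid" by every check the protocol itself offers; only filtering at the network edge, or authentication at a higher layer, separates the forged packet from a real one.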

Trojan attacks
A Trojan attack is installing a Trojan (malicious software) onto the victim's system. It gets installed through email attachments, removable media such as CD-ROMs, a web browser such as Internet Explorer, etc. In a test, a harmless stand-in that only reports back that it ran is used in place of real malware, and it is removed in the post-attack phase.

Brute force attacks
Session IDs can be guessed by using the brute force technique. It tries multiple possible patterns until a session ID works. An attacker using a DSL line can make up to 1000 session ID attempts per second. This technique is used when the algorithm that produces session IDs is not random.

Vulnerability scanning
Vulnerability scanning is used to discover weaknesses in a security system in order to improve or repair them before a breach occurs. It is a comprehensive examination of the targeted areas of an organization's network infrastructure.

Scenario analysis
Scenario analysis helps in dealing with uncertainties. It is the final phase of testing, making a risk assessment of vulnerabilities much more accurate.
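A worked example of the session-ID brute force described above, added here and not taken from the original module. A constructed weak issuer builds IDs from a fixed minute value and a counter, which is the kind of generator the text means by "not random"; looks_predictable is the check a tester runs on a few tokens collected by logging in repeatedly, and brute_force_session shows how few guesses an adjacent user's ID takes once the generator is known to be sequential. The class and function names and the issuer design are assumptions for illustration; secrets.token_hex is the standard-library replacement a fix should use.

```python
import secrets


class WeakSessionIssuer:
    """Constructed example of a bad generator: a coarse timestamp (server start
    minute) followed by a counter, hex-encoded. Each ID is the previous one plus one."""

    def __init__(self, start: int, epoch_minute: int):
        self._counter = start
        self._minute = epoch_minute   # fixed for the example instead of time.time() // 60

    def issue(self) -> str:
        self._counter += 1
        return "%08x%06x" % (self._minute, self._counter)


class StrongSessionIssuer:
    """128 bits from the OS CSPRNG, which is what a session token should be."""

    def issue(self) -> str:
        return secrets.token_hex(16)


def looks_predictable(ids, max_step: int = 1000) -> bool:
    """Crude check on a handful of tokens obtained by logging in repeatedly:
    if consecutive IDs, read as integers, differ by a small positive amount every
    time, the generator is sequential and neighbouring sessions are guessable."""
    values = [int(s, 16) for s in ids]
    steps = [b - a for a, b in zip(values, values[1:])]
    return bool(steps) and all(0 < s <= max_step for s in steps)


def brute_force_session(known: str, is_valid, window: int = 5000):
    """Given one ID we were issued legitimately, try the IDs that users who logged
    in just before or after us would hold (known +/- offset) until the server
    accepts one. is_valid stands in for a request made with the candidate cookie.
    Returns (id, attempts) or (None, window) if nothing in the window is live."""
    base = int(known, 16)
    width = len(known)
    for offset in range(1, window + 1):
        for candidate in (base + offset, base - offset):
            cand = "%0*x" % (width, candidate)
            if is_valid(cand):
                return cand, offset
    return None, window


def simulate_attack():
    """The victim logs in, 17 other users follow, then the attacker logs in and
    walks outward from their own ID until the victim's session answers."""
    server = WeakSessionIssuer(start=41_000, epoch_minute=27_000_000)
    victim = server.issue()
    for _ in range(17):
        server.issue()
    attacker_own = server.issue()
    live = {victim, attacker_own}             # the only sessions the fake server honours
    guessed, tries = brute_force_session(attacker_own, lambda s: s in live)
    return victim, guessed, tries


if __name__ == "__main__":
    weak = WeakSessionIssuer(start=0, epoch_minute=1)
    print("weak predictable:", looks_predictable([weak.issue() for _ in range(5)]))
    strong = StrongSessionIssuer()
    print("strong predictable:", looks_predictable([strong.issue() for _ in range(5)]))
    print("victim, guessed, attempts:", simulate_attack())
```

At the 1000 attempts per second the text quotes, the 18 guesses the simulation needs are a fraction of a second; against the CSPRNG issuer the same search has no useful window at all, which is why the remedy is a different generator rather than a rate limit.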


Using DNS Domain Name and IP Address Information

- Data from the DNS servers related to the target network can be used to map a target organization's network
- The IP block of an organization can be discerned by looking up the domain name, and contact information for personnel can be obtained
- The DNS records also provide some valuable information regarding the OS or applications that are run on a server

Data from the DNS servers related to the target network can be used to map a target organization's network. DNS zones can be analyzed for information about the target organization's network. This can result in obtaining further data, including the server hosts' names, the services offered by particular servers, IP addresses, and contact data for the members of the IT staff. Many attackers have been known to use software, easily available to the general public, to create well-organized diagrams of the target network. IP address data regarding a particular system can be gained from the DNS zone or from the American Registry for Internet Numbers (ARIN), or from whichever regional registry is responsible for the address space. Another way of obtaining an IP address is by using port-scanning software to deduce a target organization's network diagram.

By examining the DNS records, you can get a good understanding of where the servers of the target network are located. The DNS records also provide some valuable information regarding the OS or applications being run on a server: HINFO records state the hardware and OS outright, SRV records name the hosts behind services such as LDAP or SIP, MX records name the mail servers, and host names themselves (dc01, vpn, mail) usually follow an internal convention. The IP block of an organization can be discerned by looking up the domain name, and contact information for personnel can be obtained from the registration record. A full zone transfer (AXFR) is refused by any correctly configured name server, so in practice the zone is reassembled from individual queries for likely names; if a transfer does succeed, that is itself a finding, as is any private (RFC 1918) address published in the public zone.


Enumerating Information about Hosts on Publicly Available Networks

- Website crawlers can mirror entire sites
- Additionally, the effort can provide screened subnets and a comprehensive list of the types of traffic that are allowed in and out of the network
- Enumeration can be done using port scanning tools, IP protocols, and listening to TCP/UDP ports
- The testing team can then visualize a detailed network diagram of what can be publicly accessed

With the IP addresses obtained in the preceding step, the pen-test team can outline the network to explore possible points of entry from the perspective of an attacker. Testers achieve this by analyzing all data about the hosts that the target organization exposes to the Internet. They can use port-scanning tools and IP protocols, and they can listen to TCP/UDP ports. Port scans will also reveal information about hosts, such as the operating system currently running on the system and other applications. An effective port-scanning tool can also help to deduce how the router and firewall IP filters are configured: a port reported as closed answered the probe, so the filter let it through, while a port reported as filtered returned nothing, so something in the path dropped it. The testing team can then visualize a detailed network diagram of what can be publicly accessed. Additionally, the effort can provide screened subnets and a comprehensive list of the types of traffic that are allowed in and out of the network.

Website crawlers can mirror entire sites and allow the testing group to check for faulty source code or inadvertent inclusions of sensitive information. Many times, organizations have given out information that is not intended for use by the public, but is posted on the website.

If the rules of engagement permit, the pen-test team may purchase research reports on the organization that are available for sale and use the information therein for compromising the security of the target organization. These can include covert means, such as social engineering, as well. It is necessary to point out that prior approval from management is a critical aspect to be considered before indulging in such activities.
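An added example (not code from the original module) of the port-scan interpretation step above: parse nmap's grepable output (-oG) and infer, from the mix of closed and filtered ports, whether a host sits behind a default-deny filter or is reachable on every port. The scan lines below are constructed for fictional hosts and are not real scan results; the line format itself is nmap's, where each port is written as port/state/protocol/owner/service/rpc/version/.

```python
import re
from collections import Counter

# Constructed -oG lines for three fictional hosts (RFC 5737 addresses). Not real scan results.
SCAN_OUTPUT = """
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 (www.example.test)\tStatus: Up
Host: 192.0.2.10 (www.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/, 443/open/tcp//https//nginx 1.18/, 3306/filtered/tcp//mysql///, 8080/closed/tcp//http-proxy///\tIgnored State: filtered (995)\tOS: Linux 5.X
Host: 192.0.2.25 (mail.example.test)\tStatus: Up
Host: 192.0.2.25 (mail.example.test)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 587/open/tcp//submission//Postfix smtpd/, 993/open/tcp//imaps///, 22/filtered/tcp//ssh///\tIgnored State: filtered (996)
Host: 192.0.2.40 (vpn.example.test)\tPorts: 443/open/tcp//https///, 1194/open/udp//openvpn///\tIgnored State: closed (998)
"""

PORT_RE = re.compile(
    r"(\d+)/(open|closed|filtered|open\|filtered|closed\|filtered|unfiltered)/(tcp|udp)/"
    r"[^/]*/([^/]*)/[^/]*/([^/]*)/")
IGNORED_RE = re.compile(r"Ignored State: (\w+) \((\d+)\)")


def parse_grepable(text: str):
    """Return {ip: {name, ports, ignored, os}} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        m = re.match(r"Host: (\S+) \(([^)]*)\)", fields[0])
        ip, name = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"name": name, "ports": [], "ignored": None, "os": None})
        for f in fields[1:]:
            if f.startswith("Ports:"):
                for num, state, proto, svc, ver in PORT_RE.findall(f):
                    entry["ports"].append({"port": int(num), "state": state, "proto": proto,
                                           "service": svc, "version": ver})
            elif f.startswith("Ignored State:"):
                im = IGNORED_RE.match(f)
                entry["ignored"] = (im.group(1), int(im.group(2)))   # the state nmap collapsed
            elif f.startswith("OS:"):
                entry["os"] = f[len("OS: "):]
    return hosts


def infer_filtering(entry):
    """What the mix of states says about the packet filter in front of the host.

    closed   = a RST (or ICMP unreachable) came back: the filter let the probe through.
    filtered = nothing came back: something in the path dropped it.
    Mostly filtered means default-deny with explicit allows; mostly closed means the
    host is directly reachable and only the listening ports matter.
    """
    states = Counter(p["state"] for p in entry["ports"])
    if entry["ignored"]:
        states[entry["ignored"][0]] += entry["ignored"][1]
    if states["filtered"] > states["closed"]:
        policy = "default-deny firewall; open ports are explicitly allowed"
    else:
        policy = "no effective port filter; host reachable on all ports"
    allowed = sorted((p["port"], p["proto"]) for p in entry["ports"] if p["state"] == "open")
    return {"policy": policy, "allowed": allowed, "states": dict(states)}


def exposure_report(text: str):
    """Per-host summary a tester can paste straight into the network diagram notes."""
    hosts = parse_grepable(text)
    return {ip: {"name": h["name"], "os": h["os"], **infer_filtering(h)}
            for ip, h in hosts.items()}


if __name__ == "__main__":
    for ip, summary in exposure_report(SCAN_OUTPUT).items():
        print(ip, summary)
```

The single filtered port on the mail host (22/tcp, while 25, 587 and 993 are open) is the kind of detail worth writing down: it says the administrator allows SSH from somewhere else, most likely a management network, which is a second target for the internal phase.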


Module Flow

Pen testing is conducted in three phases for discovering the vulnerabilities or weaknesses in an organization's systems. The three phases are the pre-attack phase, the attack phase, and the post-attack phase.

- Pen Testing Concepts
- Types of Pen Testing
- Pen Testing Techniques
- Pen Testing Phases
- Pen Testing Roadmap
- Outsourcing Pen Testing Services

This section highlights the three phases of pen testing.


Phases of Penetration Testing

These are the three phases of penetration testing.

Pre-attack Phase
This phase is focused on gathering as much information as possible about the target organization or network to be attacked. This can be non-invasive or invasive.

Attack Phase
The information gathered in the pre-attack phase forms the basis of the attack strategy. Before deciding on the attack strategy, the tester may choose to carry out an invasive information gathering process such as scanning.

Post-attack Phase
This is a crucial part of the testing process, as the tester needs to restore the network to its original state. This involves cleanup of testing processes and removal of vulnerabilities created (not those that existed originally), exploits crafted, etc. Everything the tester adds should be listed as it is created (accounts, scheduled tasks, uploaded tools, changed configuration, test files) so that the cleanup list is complete, and its removal should be confirmed with the client rather than assumed; a test artifact left behind is a real backdoor.


Pre-Attack Phase: Define Rules of Engagement (ROE)

- Rules of engagement (ROE) is the formal permission to conduct penetration testing
- ROE provides "top-level" guidance for conducting the penetration testing
- ROE helps testers to overcome legal, federal, and policy-related restrictions to use different penetration testing tools and techniques

Rules of engagement (ROE) are the guidelines and constraints about the execution of penetration testing. They should be developed and presented before conducting the penetration test. ROE gives authority to the pen tester to conduct defined activities without the need for additional permissions. ROE helps pen testers to overcome legal, federal, and policy-related restrictions to use different penetration testing tools and techniques.


Pre-Attack Phase: Understand Customer Requirements

Before proceeding with the penetration testing, a pen tester should identify what needs to be tested.

- Create a checklist of testing requirements
- Identify the time frame and testing hours
- Identify who will be involved in the reporting and document delivery

Once ROE is defined to conduct the penetration test, the second step in the pre-attack phase is to clearly understand the customer requirements, i.e., what the customer expects from the penetration test. Before proceeding with the penetration testing, a pen tester should identify what needs to be tested in the target organization. To clearly identify the customer requirements, do the following things:

- Create a checklist of testing requirements
- Identify the time frame and testing hours
- Identify who will be involved in the reporting and document delivery

Prepare the checklist for the items that need to be tested in the target organization as shown in the following figure:


Item                    To be Tested
Servers                 Yes / No
Workstations            Yes / No
Routers                 Yes / No
Firewalls               Yes / No
Networking devices      Yes / No
Cabling                 Yes / No
Databases               Yes / No
Applications            Yes / No
Physical security       Yes / No
Telecommunications      Yes / No

FIGURE 20.1: Checklist of the items that need to be tested


Pre-Attack Phase: Create a Checklist of the Testing Requirements

To collect the penetration test requirements from the customer, ask the customer the following questions. The answers to these questions will help you to define the scope of the test.

- Do you have any security-related policies and standards? If so, do you want us to review them?
- What is the network layout (segments, DMZs, IDS, IPS, etc.)?
- Does the client organization require analysis of its Internet presence?
- Does the organization need a physical security assessment?
- What is the IP address configuration for internal and external network connections?
- Does the organization require pen testing of networking devices such as routers and switches?
- Does the organization require pen testing of individual hosts?
- How many networking devices exist on the client's network?


Pre-Attack Phase: Create a Checklist of the Testing Requirements (Contd)

The following are a few more questions that you should ask the customer to complete the checklist of penetration testing requirements:

- What security controls are deployed across the organization?
- Does the organization require assessment of wireless networks?
- Does the organization require assessment of analog devices in the network?
- Does the organization deploy a mobile workforce? If so, is a mobile security assessment required?
- What are the web applications and services offered by the client?
- Does the organization require the assessment of web infrastructure?
- What workstation and server operating systems are deployed across the organization?


Pre-Attack Phase: Define the Pen-Testing Scope

You should define the scope of your penetration test explicitly and in writing. This will help you to identify what needs to be tested in the target organization, and help to develop the procedure to test each particular component once it is identified. This also helps you to identify limitations, i.e., what should not be tested. The pen testing test components depend on the client's operating environment, threat perception, security and compliance requirements, ROE, and budget. The following are the possible areas of the scope of the penetration test:

- Network Security
- System Software Security
- Client-side Application Security
- Server-side Application Security
- Social Engineering
- Application Communication Security
- Physical Security
- Dumpster Diving
- Inside Accomplices
- Sabotage
- Intruder Confusion
- Intrusion Detection
- Intrusion Response


Pre-Attack Phase: Sign Penetration Testing Contract

The penetration testing contract must be drafted by a lawyer and signed by the penetration tester and the company. The contract must clearly state the following:

- Objective of the penetration test
- Indemnification clause
- Non-disclosure clause
- Fees and project schedule
- Confidential information
- Reporting and responsibilities

Once the requirements and scope of the penetration test are confirmed with the client, you need to sign the contract with the company to conduct the penetration test. This contract must be drafted by a lawyer and duly signed by the penetration tester and the company. The contract should include the following terms and conditions:

- Non-disclosure clause
- Objective of the penetration test
- Fees and project schedule
- Sensitive information
- Confidential information
- Indemnification clause
- Reporting and responsibilities


Pre-Attack Phase: Sign Confidentiality and Non-Disclosure (NDA) Agreements

- Pen testers should sign Confidentiality and Non-Disclosure (NDA) Agreements that guarantee that the company's information will be treated confidentially
- It also protects testers from legal liabilities in the event of some untoward happening during pen testing
- Many documents and other information regarding the pen test contain critical information that could damage one or both parties if improperly disclosed
- Agreements are designed to be used by both the parties to protect sensitive information from disclosure

As a pen tester, you will also need to sign Confidentiality and Non-Disclosure (NDA) Agreements to maintain the confidentiality of the company's sensitive information. Many documents and other information regarding the pen test contain critical information that could damage one or both parties if disclosed to other parties. Both parties (pen tester and company) should agree to and duly sign the terms and conditions included in the Confidentiality and Non-Disclosure (NDA) Agreements before conducting the penetration test. The following are the advantages of signing Confidentiality and Non-Disclosure (NDA) Agreements:

- They ensure that the company's information will be treated confidentially.
- They will also help to provide cover for a number of other key areas, such as negligence and liability in the event of something untoward happening.


Pre-Attack Phase: Sign Confidentiality and Non-Disclosure (NDA) Agreements (Contd)

- Both parties bear responsibility to protect tools, techniques, vulnerabilities, and information from disclosure beyond the terms specified by a written agreement
- Non-disclosure agreements should be narrowly drawn to protect sensitive information
- Specific areas to consider include: ownership; use of the evaluation reports; results; use of the testing methodology in customer documentation

The Confidentiality and Non-Disclosure Agreements document is a powerful tool. Once you sign the NDA agreement, the company has the right to file a lawsuit against you if you disclose the information to a third party, whether intentionally or unintentionally. The following points should be considered while crafting Confidentiality and Non-Disclosure (NDA) Agreements:

- Both parties should bear responsibility to protect tools, techniques, vulnerabilities, and information from disclosure beyond the terms specified by a written agreement
- Non-disclosure agreements should be narrowly drawn to protect sensitive information. Specific areas to consider include:
  - Ownership
  - Use of the evaluation reports
  - Results; use of the testing methodology in customer documentation


Pre-Attack Phase: Information Gathering

- The pre-attack phase addresses the mode of the attack and the goals to be achieved
- Reconnaissance is considered the first step in the pre-attack phase, which attempts to collect information about the target
- Hackers try to find out as much information as possible about a target
- Hackers gather information in different ways that allow them to formulate a plan of attack

Types of Reconnaissance

Passive Reconnaissance: Involves collecting information about a target from publicly accessible sources

Active Reconnaissance: Involves information gathering through social engineering, on-site visits, interviews, and questionnaires

The pre-attack phase addresses the mode of the attack and the goals to be achieved. Reconnaissance is considered the first step in the pre-attack phase and is an attempt to locate, gather, identify, and record information about the target. An attacker seeks to find out as much information as possible about the victim. Attackers gather information in different ways that allow them to formulate a plan of attack. There are two types of reconnaissance:

Passive reconnaissance
It comprises the attacker's attempts to scout for or survey potential targets and investigations or explorations of the target. It also includes information gathering and may involve competitive intelligence gathering, social engineering, breaching physical security, etc. Attackers typically spend more time on the pre-attack or reconnaissance activity than on the actual attack. Beginning with passive reconnaissance, the tester gathers as much information as possible about the target company. Much of the leaked information caters to the network topology and the types of services running within. The tester can use this sensitive information to provisionally map out the network for planning a more coordinated attack strategy later.


With regard to publicly available information, access to this information is independent of the organization's resources, and it can therefore be effectively accessed by anyone. Information is often contained on systems unrelated to the organization.

Active reconnaissance
The perpetrator may send probes to the target in the form of port scans, sweeps, enumeration of shares and user accounts, etc. Here, the information gathering process encroaches on the target's network territory. The attacker may adopt techniques such as social engineering, employing tools such as scanners and sniffers that automate these tasks. The footprints that the attacker leaves are larger, and novices can be easily identified.


Pre-Attack Phase: Information Gathering (Contd)

The following information is retrieved during the pre-attack phase:

- Competitive intelligence
- Network registration information
- DNS and mail server information
- Operating system information
- User's information
- Authentication credentials information
- Analog connections
- Contact information
- Website information
- Physical and logical location of the organization
- Product range and service offerings of the target company that are available online
- Any other information that has the potential to result in a possible exploitation


Attack Phase

- Penetrate Perimeter
- Escalate Privileges
- Acquire Target
- Execute, Implant, Retract

This stage involves the actual compromise of the target. The attacker may exploit a vulnerability discovered during the pre-attack phase or use security loopholes such as a weak security policy to gain rights to the system. The important point here is that the attacker needs only one port of entry, whereas the organization is left to defend several. Once inside, the attacker may escalate his privileges and install a backdoor so that he or she sustains access to the system and exploits it in order to achieve his/her malicious intent. During the attack phase, the attacker or pen tester needs to:

- Penetrate perimeter
- Acquire target
- Escalate privileges
- Execute, implant, retract


Activity: Perimeter Testing

Testing methods for perimeter security include but are not limited to:

- Checking access control lists by forging responses with crafted packets
- Evaluating error reporting and error management with ICMP probes
- Evaluating protocol-filtering rules by attempting connections using various protocols such as SSH, FTP, and Telnet
- Measuring the threshold for denial of service by attempting persistent TCP connections, evaluating transitory TCP connections, and attempting to stream UDP connections
- Examining the perimeter security system's response to web server scans using multiple methods such as POST, DELETE, and COPY
- Evaluating the IDS's capability by passing malicious content (such as a malformed URL) and scanning the target variously for its response to abnormal traffic

Social engineering is an ongoing activity through the testing phase, as sensitive information can be acquired at any stage of testing. The tests that can be carried out in this context include (but are not limited to) impersonating or mocking phone calls to capture sensitive information, and verifying gathered information through activities such as dumpster diving. Other means include email testing, trusted person acquisition, and attempts to retrieve legitimate authentication details such as passwords and access privileges. Information gathered here can be used later in web application testing also.

Firewall Testing: The information gained during the pre-attack phase using techniques such as firewalking is further exploited here. Attempts are made to evade the IDS and bypass the firewall. The processes include but are not limited to: crafting and sending packets to check firewall rules. For example, sending SYN packets to test stealth detection. This determines the nature of various packet responses through the firewall. A SYN packet can be used to enumerate the target network. Similarly, other port scans with different flags set can be used to attempt enumeration of the network. This also gives an indication of the source port control on the target.


Usually, perimeter testing measures the firewall's ability to handle fragmentation: big packet fragments, overlapping fragments, floods of packets, etc. Testing methods for perimeter security include but are not limited to:

- Evaluating error reporting and error management with ICMP probes
- Checking access control lists with crafted packets
- Measuring the threshold for denial-of-service by attempting persistent TCP connections, evaluating transitory TCP connections, and attempting streaming UDP connections
- Evaluating protocol-filtering rules by attempting connections using various protocols such as SSH, FTP, and Telnet
- Evaluating IDS capability by passing malicious content (such as malformed URLs) and scanning the target for its response to abnormal traffic


Enumerating Devices

- A device inventory is a collection of network devices together with some relevant information about each device that is recorded in a document
- After the network has been mapped and the business assets identified, the next logical step is to make an inventory of the devices
- A physical check may be conducted additionally to ensure that the enumerated devices have been located

A device inventory is a collection of network devices, together with some relevant information about each device, which is recorded in a document. After the network has been mapped and the business assets identified, the next logical step is to make an inventory of the devices. During the initial stages of the pen test, the devices may be referred to by their identification on the network, such as IP address, MAC address, etc. This can be done by pinging all devices on the network or by using device enumeration tools. Later, when there is a physical security check, devices may be cross-checked regarding their location and identity. This step can help to identify unauthorized devices on the network. The other method is to do ping sweeps to detect responses from devices and later correlate the results with the actual inventory. The likely parameters to be captured in an inventory sheet would be:

- Device ID
- Description
- Hostname
- Physical location
- IP address
- MAC address

M o d u le 2 0 P ag e 2 9 3 3

Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0linCil All Rights R eserved. R ep ro d u ctio n is S trictly P ro h ib ite d .

Ethical Hacking a n d C o u n te rm e a s u re s P e n e tra tio n T estin g

Exam 3 1 2-50 C ertified Ethical H acker

N e tw o rk accessibility
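The sweep-to-inventory cross-check described above, as an added example that is not EC-Council's material: the inventory sheet uses the seven fields just listed, and the sweep results are constructed sample data standing in for the (ip, mac) pairs a ping sweep or device enumeration tool reports.

```python
"""Correlate ping-sweep results with the device inventory sheet.

Added example, not EC-Council material. The inventory uses the fields listed
in the text; the sweep results are constructed sample data standing in for the
(ip, mac) pairs a ping sweep or device enumeration tool reports.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed inventory sheet with the parameters named in the text.
INVENTORY_CSV = """\
device_id,description,hostname,physical_location,ip_address,mac_address,network_accessibility
D001,Core switch,sw-core-01,Server room rack 1,10.0.0.1,00:11:22:33:44:01,management VLAN
D002,File server,fs-01,Server room rack 2,10.0.0.10,00:11:22:33:44:02,internal
D003,Reception PC,rcpt-pc,Lobby,10.0.0.50,00:11:22:33:44:03,internal
D004,Printer,prn-01,2nd floor east,10.0.0.60,00:11:22:33:44:04,internal
"""

# Constructed sweep results as an enumeration tool would report them.
SWEEP_RESULTS: List[Tuple[str, str]] = [
    ("10.0.0.1", "00:11:22:33:44:01"),
    ("10.0.0.10", "00:11:22:33:44:02"),
    ("10.0.0.50", "AA:BB:CC:DD:EE:FF"),   # D003's address answered by an unknown MAC
    ("10.0.0.77", "DE:AD:BE:EF:00:01"),   # address and MAC both absent from the sheet
]


@dataclass
class Device:
    device_id: str
    description: str
    hostname: str
    physical_location: str
    ip_address: str
    mac_address: str
    network_accessibility: str


def load_inventory(text: str) -> Dict[str, Device]:
    """Parse the inventory sheet into devices keyed by lower-case MAC address."""
    devices: Dict[str, Device] = {}
    for row in csv.DictReader(io.StringIO(text)):
        dev = Device(**{k: v.strip() for k, v in row.items()})
        devices[dev.mac_address.lower()] = dev
    return devices


def correlate(inventory: Dict[str, Device], sweep: Iterable[Tuple[str, str]]) -> Dict[str, list]:
    """Cross-check sweep results against the inventory.

    confirmed:      inventoried MAC seen on its recorded address
    ip_conflict:    (device_id, ip, mac) where the MAC or the address matches
                    the sheet but the other does not
    unauthorized:   (ip, mac) pairs the sheet knows nothing about
    not_responding: inventoried devices that did not answer the sweep
    """
    by_ip = {d.ip_address: d for d in inventory.values()}
    findings: Dict[str, list] = {"confirmed": [], "ip_conflict": [], "unauthorized": []}
    seen = set()
    for ip, mac in sweep:
        mac = mac.lower()
        seen.add(mac)
        dev = inventory.get(mac)
        if dev is not None and dev.ip_address == ip:
            findings["confirmed"].append(dev.device_id)
        elif dev is not None:
            findings["ip_conflict"].append((dev.device_id, ip, mac))
        elif ip in by_ip:
            findings["ip_conflict"].append((by_ip[ip].device_id, ip, mac))
        else:
            findings["unauthorized"].append((ip, mac))
    findings["not_responding"] = [d.device_id for m, d in inventory.items() if m not in seen]
    return findings


def report(findings: Dict[str, list]) -> List[str]:
    """Lines for the physical cross-check that follows the sweep."""
    lines = [f"Confirmed: {', '.join(findings['confirmed']) or 'none'}"]
    lines += [f"IP conflict: {dev} / {ip} / {mac} do not match the sheet"
              for dev, ip, mac in findings["ip_conflict"]]
    lines += [f"Unauthorized device: {ip} ({mac}) - locate physically"
              for ip, mac in findings["unauthorized"]]
    lines += [f"Not responding: {dev} - verify location and power state"
              for dev in findings["not_responding"]]
    return lines


if __name__ == "__main__":
    print("\n".join(report(correlate(load_inventory(INVENTORY_CSV), SWEEP_RESULTS))))
```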


Activity: Acquiring Target

Acquiring a target refers to the set of activities undertaken where the tester subjects the suspect machine to more intrusive challenges such as vulnerability scans and security assessment. Testing methods for acquiring a target include but are not limited to:

- Active probing assaults: Use results of the network scans to gather further information that can lead to a compromise
- Running vulnerability scans: In this phase vulnerability scans are completed
- Trusted systems and trusted process assessment: Attempting to access the machine's resources using legitimate information obtained through social engineering or other means


Activity: Acquiring Target

Usually, target acquisition refers to all the activities that are undertaken to unearth as much information as possible about a particular machine or system so that it can be used later in the actual process of exploitation. Here, acquiring a target is referred to as the set of activities undertaken where the tester subjects the targeted machine to more intrusive challenges such as vulnerability scans and security assessment. This is done to obtain information about the target that can be used in the exploit phase. Examples of such activities include subjecting the machine to:

- Active probing assaults: Use the results of network scans to gather further information that can lead to a compromise.
- Running vulnerability scans: Vulnerability scans are completed in this phase.
- Trusted systems and trusted process assessment: Attempting to access the machine's resources using legitimate information obtained through social engineering or other means.


Activity: Escalating Privileges

- Once the target has been acquired, the tester attempts to exploit the system and gain greater access to the protected resources
- The tester may take advantage of poor security policies and take advantage of email or unsafe web code to gather information that can lead to escalation of privileges
- Use of techniques such as brute force to achieve privileged status. Examples of tools include GetAdmin and password crackers
- Use of Trojans and protocol analyzers
- Use of information gleaned through techniques such as social engineering to gain unauthorized access to the privileged resources


Activity: Escalating Privileges

When an attacker succeeds in gaining unauthorized access into a system or network, the degree of escalation depends on the various authorizations possessed by the attacker. The ultimate aim of an attacker would be to gain the highest possible administration privilege that gives access to the entire network, sensitive information, online banking, etc. Once the target has been acquired, the tester attempts to exploit the system and gain greater access to the protected resources. Activities include (but are not limited to):

- The tester may take advantage of poor security policies and take advantage of email or unsafe web code to gather information that can lead to the escalation of privileges
- Use of techniques such as brute force to achieve privileged status. Examples of tools include GetAdmin and password crackers
- Use of Trojans and protocol analyzers
- Use of information gleaned through techniques such as social engineering to gain unauthorized access to the privileged resources


Activity: Execute, Implant, Retract

Compromise System
In this phase, the tester effectively compromises the acquired system by executing the arbitrary code. The objective of system penetration is to explore the extent to which the security fails.

Execute Exploits
Execute exploits already available or specially crafted to take advantage of the vulnerabilities identified in the target system.


Activity: Execute, Implant, and Retract

In this phase, the tester effectively compromises the acquired system by executing the arbitrary code. The objective here is to explore the extent to which security fails. The tester attempts to execute the arbitrary code, hides files in the compromised system, and leaves the system without raising alarms. He or she then attempts to re-enter the system stealthily.

Activities include:

- Executing exploits to take advantage of the vulnerabilities identified on the target system.
- Exploiting buffer overflows in order to trick the system into running arbitrary code.
- Executing activities that are usually subjected to containment measures such as the use of Trojans and rootkits.

Activities in the retract phase include manipulation of audit log files to remove traces of the activities. Examples include use of tools such as auditpol. The tester may also change settings within the system to remain inconspicuous during a re-entry and change log settings. The tester may re-enter the system using the backdoor implanted by the tester.


Post-Attack Phase and Activities

This phase is critical to any penetration test as it is the responsibility of the tester to restore the systems to their pre-test states.

Post-attack phase activities include some of the following:

- Removing all files uploaded on the system
- Cleaning all registry entries and removing vulnerabilities created
- Removing all tools and exploits from the tested systems
- Restoring the network to the pre-test state by removing shares and connections
- Analyzing all results and presenting the same to the organization


Post-attack Phase and Activities

This phase is critical to any penetration test as it is the responsibility of the tester to restore the systems to a pre-test state. The objective of the test is to show where security fails, and unless there is a scaling of the penetration test agreement, whereby the tester is assigned the responsibility to correct the security posture of the systems, this phase must be completed. Activities in this phase include (but are not restricted to):

- Removing all files uploaded on the system
- Cleaning all registry entries and removing vulnerabilities created
- Reversing all file and setting manipulations done during the test
- Reversing all changes in privileges and user settings
- Removing all tools and exploits from the tested systems
- Restoring the network to the pre-test stage by removing shares and connections
- Mapping of the network state
- Documenting and capturing all logs registered during the test
- Analyzing all results and presenting them to the organization


The penetration tester should document all his or her activities and record all observations and results so that the test can be repeatable and verifiable for the given security posture of the organization. For the organization to quantify the security risk in business terms, it is essential that the tester identify critical systems and critical resources and map the threat to these.
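The restoration checklist above, together with the documentation requirement just stated, as an added example that is not part of the module: a change ledger that verifies each reversal against the host instead of taking the tester's claim on trust. The host state, the artefact names and the still_present() probe are constructed stand-ins.

```python
"""Post-attack change ledger: every change the tester made is recorded as it
happens, and restoration is verified against the host rather than taken on trust.

Added example, not EC-Council material. The host state is a constructed
stand-in; on a real engagement still_present() would query the system.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Set

# Categories mirror the post-attack checklist in the text.
CATEGORIES = {"file", "registry", "privilege", "share", "tool", "vulnerability"}


@dataclass
class Change:
    category: str
    target: str              # path, registry key, account, share or tool name
    description: str
    recorded_at: str
    claimed_reverted: bool = False


class ChangeLedger:
    def __init__(self) -> None:
        self.changes: List[Change] = []

    def record(self, category: str, target: str, description: str) -> Change:
        if category not in CATEGORIES:
            raise ValueError(f"unknown change category: {category}")
        change = Change(category, target, description, datetime.now(timezone.utc).isoformat())
        self.changes.append(change)
        return change

    def mark_reverted(self, target: str) -> None:
        for c in self.changes:
            if c.target == target:
                c.claimed_reverted = True

    def restoration_report(self, still_present: Callable[[Change], bool]) -> Dict[str, List[str]]:
        """Compare the tester's claims with what is actually on the host."""
        report: Dict[str, List[str]] = {"verified_clean": [], "claimed_but_present": [],
                                        "not_reverted": [], "reverted_undocumented": []}
        for c in self.changes:
            present = still_present(c)
            if c.claimed_reverted:
                report["verified_clean" if not present else "claimed_but_present"].append(c.target)
            else:
                report["not_reverted" if present else "reverted_undocumented"].append(c.target)
        return report

    def restored(self, still_present: Callable[[Change], bool]) -> bool:
        """True only when every recorded change is both reverted and documented as such."""
        return len(self.restoration_report(still_present)["verified_clean"]) == len(self.changes)


def run_demo() -> Dict[str, List[str]]:
    # Constructed host state: artefacts left by the test, keyed "category:target".
    host: Set[str] = {"file:/tmp/pt-upload.bin", "share:PTSHARE$", "privilege:svc_pt",
                      "tool:/opt/pt/scanner", "registry:HKLM\\SOFTWARE\\PT\\Run"}
    ledger = ChangeLedger()
    ledger.record("file", "/tmp/pt-upload.bin", "file uploaded to the tested system")
    ledger.record("share", "PTSHARE$", "share created to move results off the host")
    ledger.record("privilege", "svc_pt", "test account added to the administrators group")
    ledger.record("tool", "/opt/pt/scanner", "scanner copied onto the host")
    ledger.record("registry", "HKLM\\SOFTWARE\\PT\\Run", "registry entry created during the test")
    # Reverting on the host and updating the ledger are separate steps; the report catches every gap.
    host.discard("file:/tmp/pt-upload.bin")
    ledger.mark_reverted("/tmp/pt-upload.bin")
    host.discard("share:PTSHARE$")
    ledger.mark_reverted("PTSHARE$")
    ledger.mark_reverted("svc_pt")             # claimed, but the account is still on the host
    host.discard("tool:/opt/pt/scanner")       # removed, but never recorded in the ledger
    return ledger.restoration_report(lambda c: f"{c.category}:{c.target}" in host)


if __name__ == "__main__":
    for bucket, targets in run_demo().items():
        print(f"{bucket}: {targets}")
```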


Penetration Testing Deliverable Templates

- A pen test report will carry details of the incidents that have occurred during the testing process and the range of activities carried out by the testing team
- Broad areas covered include objectives, observations, activities undertaken, and incidents reported
- The team may also recommend corrective actions based on the rules of the engagement


Penetration Testing Deliverable Templates

A pen test report carries details of the incidents that have occurred during the testing process and the range of activities that the testing team carries out. It captures the objectives as agreed upon in the rules of engagement and provides a brief description of the observations from the testing engagement. Under the activities carried out will be all the tests, the devices against which the tests were conducted, and the preliminary observations. These are usually cross-referenced to the appropriate test log entry. Other information that can be captured under incident description can include:

- A detailed description of the incident
- The date and time when the incident occurred
- Contact information for the person who observed the incident
- The stage of testing during which the incident occurred
- A description of the steps taken to create the incident. This can be supplemented by screen captures
- Observations on whether the incident can be repeated or not


- Details on the tool (if detected), the name and version of the tool, and if relevant, any custom configuration settings

Under risk analysis, the impact of the test is captured from a business perspective. The information included is:

- The initial estimate of the relative severity of the incident to the business
- The initial estimate of the relative likelihood (or frequency) of the incident reoccurring in production
- The initial estimate of the cause of the incident
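The incident description and risk analysis fields described above, as an added example that is not the module's own template: each incident record is validated for the listed fields and for its cross-references into the test log, then rendered as a report section. The low/medium/high scale, the severity times likelihood ordering and all sample data are assumptions constructed for the example.

```python
"""Incident records for a pen test deliverable, cross-referenced to the test log.
Added example, not EC-Council material. The low/medium/high scale and the
severity times likelihood ordering are assumptions; sample data is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

LEVELS = {"low": 1, "medium": 2, "high": 3}       # assumed ordinal scale for the estimates
STAGES = ("pre-attack", "attack", "post-attack")  # the three phases of the test

@dataclass
class TestLogEntry:
    entry_id: str
    timestamp: str
    device: str         # device the test was conducted against
    test: str
    observation: str    # preliminary observation

@dataclass
class ToolDetails:
    name: str
    version: str
    custom_config: Optional[str] = None

@dataclass
class Incident:
    incident_id: str
    description: str
    occurred_at: str            # ISO 8601 date and time
    observer_contact: str
    stage: str
    steps_taken: List[str]      # how the incident was created
    repeatable: bool
    log_entry_ids: List[str]    # cross-references into the test log
    severity: str               # initial estimate, relative to the business
    likelihood: str             # initial estimate of reoccurrence in production
    cause: str                  # initial estimate of the cause
    tool: Optional[ToolDetails] = None
    screen_captures: List[str] = field(default_factory=list)

def validate(inc: Incident, log: Dict[str, TestLogEntry]) -> List[str]:
    """Problems a report reviewer would flag; an empty list means the record is complete."""
    problems = []
    if inc.stage not in STAGES:
        problems.append(f"unknown stage {inc.stage!r}")
    try:
        datetime.fromisoformat(inc.occurred_at)
    except ValueError:
        problems.append("occurred_at is not an ISO 8601 timestamp")
    if not inc.steps_taken:
        problems.append("no steps recorded")
    if not inc.log_entry_ids:
        problems.append("no test log cross-reference")
    problems += [f"log entry {ref} does not exist" for ref in inc.log_entry_ids if ref not in log]
    for name in ("severity", "likelihood"):
        if getattr(inc, name) not in LEVELS:
            problems.append(f"{name} must be one of {sorted(LEVELS)}")
    return problems

def risk_score(inc: Incident) -> int:
    """Assumed severity times likelihood product, used only to order the incidents."""
    return LEVELS[inc.severity] * LEVELS[inc.likelihood]

def prioritize(incidents: List[Incident]) -> List[str]:
    return [i.incident_id for i in sorted(incidents, key=risk_score, reverse=True)]

def render(inc: Incident, log: Dict[str, TestLogEntry]) -> str:
    """Plain-text report section for one incident, with its test log entries inlined."""
    tool = f"{inc.tool.name} {inc.tool.version}" if inc.tool else "not detected"
    lines = [f"Incident {inc.incident_id} ({inc.stage} stage, {inc.occurred_at}): {inc.description}",
             f"  Observed by: {inc.observer_contact}; repeatable: {'yes' if inc.repeatable else 'no'}; tool: {tool}",
             "  Steps taken: " + "; ".join(inc.steps_taken)]
    for ref in inc.log_entry_ids:
        e = log[ref]
        lines.append(f"  Test log {ref}: {e.timestamp} {e.test} against {e.device}: {e.observation}")
    lines.append(f"  Risk: severity={inc.severity}, likelihood={inc.likelihood}, "
                 f"score={risk_score(inc)}; cause: {inc.cause}")
    return "\n".join(lines)

def sample_report():
    """Two constructed incidents against a two-entry constructed test log."""
    log = {e.entry_id: e for e in [
        TestLogEntry("T-014", "2013-03-04T10:15:00", "fs-01", "services probing",
                     "file share answers without authentication"),
        TestLogEntry("T-021", "2013-03-04T11:40:00", "www-01", "application layer testing",
                     "login form returns a verbose database error"),
    ]}
    incidents = [
        Incident("I-001", "Anonymous access to file share", "2013-03-04T10:20:00",
                 "observer@example.test", "attack", ["Connected to the share with no credentials"],
                 True, ["T-014"], "high", "high", "share permissions allow anonymous read"),
        Incident("I-002", "Verbose error reveals database details", "2013-03-04T11:45:00",
                 "observer@example.test", "attack", ["Submitted a malformed login request"],
                 True, ["T-021"], "medium", "high", "debug error page enabled in production",
                 tool=ToolDetails("web proxy", "1.0", "custom scan profile")),
    ]
    return log, incidents
```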


Module Flow

- Pen Testing Concepts
- Types of Pen Testing
- Pen Testing Techniques
- Pen Testing Phases
- Pen Testing Roadmap
- Outsourcing Pen Testing Services


Module Flow

Pen Testing Roadmap

A penetration test is a technique that evaluates or audits the security of a computer system or other facility by launching an attack from a malicious source. It also proves how vulnerable a computer system would be in the event of a real attack. The rules, practices, and methods, as well as the procedures implemented and followed during the course of any information security audit program, are defined by the pen testing methodology. This methodology defines for you a roadmap with proven practices as well as practical ideas that are to be handled with care for assessing the system security correctly. A detailed explanation about the pen testing roadmap is given in the next slides.



Penetration Testing Methodology

- Information Gathering
- Vulnerability Analysis
- External Penetration Testing
- Internal Network Penetration Testing
- Router and Switches Penetration Testing
- Firewall Penetration Testing
- IDS Penetration Testing
- Wireless Network Penetration Testing
- Denial of Service Penetration Testing
- Password Cracking Penetration Testing
- Social Engineering Penetration Testing
- Stolen PDAs and Laptop Penetration Testing
- Source Code Penetration Testing
- Web Application Penetration Testing
- SQL Injection Penetration Testing
- Physical Security Penetration Testing

Penetration Testing Methodology

The following are the various phases in the penetration testing methodology:

Information Gathering
Information gathering is one of the major steps of penetration testing. It is the first phase in the penetration testing process. It is done using various tools, scanners, online sources, sending simple HTTP requests, specially crafted requests, etc.

Vulnerability Analysis
Vulnerability analysis is a method of identifying vulnerabilities on a network. It provides an overview of the flaws that exist in a system or network.

External Penetration Testing
An external penetration test is conducted to know whether the external network is secure or not. In external penetration testing, hacking is done in the same way the actual attacker does but without causing any harm to the network. This helps in making the network more secure. Various methods used in external penetration testing are:

- Footprinting
- Public Information & Information Leakage


- DNS Analysis & DNS Bruteforcing
- Port Scanning
- System Fingerprinting
- Services Probing
- Exploit Research
- Manual Vulnerability Testing and Verification of Identified Vulnerabilities
- Intrusion Detection/Prevention System Testing
- Password Service Strength Testing
- Remediation Retest (optional)

Internal Network Penetration Testing
In internal network penetration testing, all the possible internal network flaws are identified and simulated as if a real attack has taken place. Various methods used for the internal network penetration testing are:

- Internal Network Scanning
- Port Scanning
- System Fingerprinting
- Services Probing
- Exploit Research
- Manual Vulnerability Testing and Verification
- Manual Configuration Weakness Testing and Verification
- Limited Application Layer Testing
- Firewall and ACL Testing
- Administrator Privileges Escalation Testing
- Password Strength Testing
- Network Equipment Security Controls Testing
- Database Security Controls Testing
- Internal Network Scan for Known Trojans
- Third-Party/Vendor Security Configuration Testing

Router and Switches Penetration Testing
Router and switches penetration testing is carried out to determine:

- End to end router security
- Bandwidth and speed of the internet connection


- Data transfer speed
- Router performance
- Router security assessment

Firewall Penetration Testing
Firewall penetration testing is one of the most useful methods in analyzing security effectiveness. Through this method, you can identify how secure your firewall network is against the attacks performed by network intruders.

IDS Penetration Testing
An intrusion detection system (IDS) can be software or hardware. IDS penetration testing helps you to test the strength of the IDS. It can be performed with the help of tools such as IDS Informer, an evasion gateway, etc.

Wireless Network Penetration Testing
Wireless networks are more economical than wired networks. Though wireless networks are cheaper, there are various risks associated with them. A wireless network is less protected than a wired one. Therefore, wireless networks must be tested strictly and the respective security enhancements must be applied.

Denial of Service Penetration Testing
The main purpose of a denial-of-service (DoS) attack is to slow down the website or even to crash it by sending too many requests, more than a particular server can handle. If the attacker knows the details of the server and its technical specifications, it becomes more vulnerable. Sometimes DoS is done on a trial and error basis. So the penetration tester must check how much the website or server can withstand. It is also necessary to provide an alternative way to react to the situation when the limit is exceeded.

Password Cracking Penetration Testing
Passwords are used to protect computer resources from unauthorized access. Password cracking penetration testing identifies the vulnerabilities associated with password management. This helps in avoiding various kinds of malicious attacks such as brute force attacks, hybrid attacks, dictionary attacks, etc.

Social Engineering Penetration Testing
Social engineering is a method used by attackers to get crucial information of a company. Attackers especially target individuals within the organization to gather as much information as possible about the company. This is completely documented, and then the employees are educated about possible social engineering attacks and cautioned about various threats.


Stolen Laptops, PDAs, and Cell Phones Penetration Testing
The penetration tester should find out the possible loopholes in the physical locality and identify the various ways that an intruder can enter into the company. Once the important electronic devices that contain sensitive information of the company are stolen, you can extract information from these stolen devices. Therefore, such penetration testing proves very beneficial. Penetration tests are done especially on senior members of the company as their PDAs, laptops, and mobile phones often contain sensitive information.

Source Code Penetration Testing
The penetration tester should perform source code analysis by using some source code analysis tools. These tools will help the pen tester to detect the vulnerabilities in the source code.

Application Penetration Testing
Programmers may make some mistakes at the time of software creation. Those mistakes can become potential vulnerabilities. Application penetration testing helps in determining the design errors of the software.

SQL Injection Penetration Testing
The penetration tester should perform SQL injection penetration testing on the application in order to find out vulnerabilities in the application. The pen tester should try to simulate different types of SQL injection attacks to find the possible vulnerabilities.

Physical Security Penetration Testing
Here the penetration tester tries to gain physical access to the organizational resources before, during, and after business hours. All the physical security controls must be properly tested.


Penetration Testing Methodology (Contd)

- Surveillance Camera Penetration Testing
- Database Penetration Testing
- VoIP Penetration Testing
- VPN Penetration Testing
- Cloud Penetration Testing
- Virtual Machine Penetration Testing
- War Dialing
- Virus and Trojan Detection
- Log Management Penetration Testing
- File Integrity Checking
- Mobile Devices Penetration Testing
- Telecom and Broadband Penetration Testing
- Email Security Penetration Testing
- Security Patches Penetration Testing
- Data Leakage Penetration Testing
- SAP Penetration Testing


Penetration Testing Methodology

Surveillance Camera Penetration Testing
A surveillance camera can be used to monitor the live target. The surveillance camera can be prone to security flaws due to the non-robust design of the web interface created for the surveillance camera activities. As a pen tester, you should try to find out vulnerabilities in the web interface of the surveillance camera. You should do the following things to test the surveillance camera:

- The web interface should be completely debugged
- Try to look for the injection points from where the motion images are included remotely
- Validate the image path
- Create the different motion picture recorder and editor in order to validate whether the motion or picture recorded by the surveillance camera is the same or not

Database Penetration Testing
In this process, a penetration tester tries to directly access data contained in the database or to indirectly access the data through triggers or stored procedures executed by a database engine. This method helps in avoiding unauthorized access to data.


V o IP P e n e tr a tio n T e s tin g
( ^ w IP In V o I P p e n e t r a t i o n t e s t i n g , a c c e s s t o t h e V O I P n e t w o r k is a t t e m p t e d t o r e c o r d t h e conversations and s e c u r ity policies. even a DoS a tt a c k m a y also b e u sed to find out the com p an y 's

V PN P e n e tra tio n T e s tin g


S om etim es, are em ployees are allow ed issues to w ork from w ith home VPN. or rem otely and in s u c h team

situations, th e r e

lot o f se c u r ity

associated

So t h e

penetration

a t t e m p t s to gain a c c e s s to t h e VPN t h r o u g h a r e m o t e e n d p o i n t or a VPN t u n n e l a n d c h e c k t h e vulnerabilities.

C lo u d P e n e tra tio n T e s tin g


C loud c o m p u t i n g s y s t e m s a r e w i d e s p r e a d t o d a y . T h e r e a r e risks a s s o c i a t e d w ith c lo u d c o m p u t i n g . T h e o r g a n i z a t i o n s m u s t f i g u r e o u t t h e s e risks a n d a p p l y p r o p e r s e c u r i t y m e c h a n i s m s t o p r o t e c t a g a i n s t p o t e n t i a l ri sks. T o f i n d o u t t h e v u l n e r a b i l i t i e s in a c l o u d - b a s e d a p p l i c a t i o n , c o n d u c t a p e n e t r a t i o n t e s t o n t h e cloud.

V irtu a l M a c h in e P e n e tra tio n T e s tin g


An a t t a c k e r c a n e x p lo it t h e virtual m a c h i n e s e c u r ity fla w by r u n n i n g m a lic io u s c o d e o n t h e v i r t u a l m a c h i n e . T h e p e n t e s t e r n e e d s t o f i n d o u t t h e v u l n e r a b i l i t i e s in t h e V M b y s i m u l a t i n g t h e a c tio n s of an a tt a c k e r b e f o r e a real a tta c k occurs.

War Dialing

Dial-up modems used by companies have various vulnerabilities. These allow attackers to hack a system or network easily. War dialing penetration testing will be useful:
- To identify the vulnerabilities of the modems.
- To know the password-related vulnerabilities.
- To know whether there is any open access to the organization's systems or not.

Virus and Trojan Detection

Viruses and Trojans are the most widespread malicious software today. Once on the systems and networks, these are very dangerous. Early detection of viruses and Trojans is very important.

Log Management Penetration Testing

A management log contains a record of all the events that use a data grid network. It contains the complete track of events such as status of node, agent transmission, job request, etc. Therefore, proper log management helps in tracking any malicious activity, such as unauthorized access from outside attackers, at an early stage.


File Integrity Checking

Checking the integrity of a file is the best way to tell whether it is corrupted or not. It involves checking the following things:
- File size
- Version
- When it was created
- When it was modified
- The login name of any user who modifies the file
- Its attributes (e.g., Read-Only, Hidden, System, etc.)
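The checks listed above, as an added example (not EC-Council's code): a Python baseline-and-compare routine that records size, mode/attributes, owner, timestamps and a SHA-256 digest, then reports which attributes changed after a simulated tampering. The owner uid stands in for the modifier's login name, and the temporary file and its contents are constructed for the demo.

```python
"""File integrity check: record a baseline of the attributes the module lists
(size, creation/modification times, owner, attributes/mode) plus a SHA-256
digest, then compare a later snapshot against it.

Added example, not EC-Council's code. The helper names (FileRecord, snapshot,
compare, demo) and the temporary files are assumptions for the demo.
"""
import hashlib
import os
import stat
import tempfile
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class FileRecord:
    size: int
    mode: str        # permission bits / attributes, e.g. "-r--r--r--" for read-only
    owner_uid: int   # closest portable stand-in for "login name of the modifier"
    created: float   # st_ctime: inode change time on POSIX, creation time on Windows
    modified: float  # st_mtime
    sha256: str      # content digest; catches edits that keep size and times intact


def snapshot(path: str) -> FileRecord:
    """Collect the attributes the module lists plus a content digest."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return FileRecord(
        size=st.st_size,
        mode=stat.filemode(st.st_mode),
        owner_uid=st.st_uid,
        created=st.st_ctime,
        modified=st.st_mtime,
        sha256=digest.hexdigest(),
    )


def compare(baseline: FileRecord, current: FileRecord) -> dict:
    """Return {attribute: (baseline_value, current_value)} for every attribute
    that differs; an empty dict means the file matches its baseline."""
    old, new = asdict(baseline), asdict(current)
    return {k: (old[k], new[k]) for k in old if old[k] != new[k]}


def demo() -> dict:
    """Constructed scenario: take a baseline of a config file, tamper with it,
    re-check. Returns the changed attributes."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.ini")
        with open(path, "wb") as fh:          # binary mode: no newline translation
            fh.write(b"admin_enabled = false\n")
        os.chmod(path, 0o644)
        baseline = snapshot(path)

        # simulated unauthorized modification: a setting is flipped and the
        # file is marked read-only to hide the change from a casual glance
        with open(path, "wb") as fh:
            fh.write(b"admin_enabled = true\n")
        os.chmod(path, 0o444)
        changed = compare(baseline, snapshot(path))

        os.chmod(path, 0o644)                 # restore so cleanup can remove it
        return changed


if __name__ == "__main__":
    for attribute, (before, after) in demo().items():
        print("%-9s %r -> %r" % (attribute, before, after))
```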

Mobile Devices Penetration Testing

In mobile penetration testing, the pen tester tries to access and manipulate the data on the particular mobile device, simulating all possible attacks such as social engineering, uploading malicious code, etc. Mobile device penetration testing pinpoints and addresses gaps in end-user awareness and security exposures in these devices before attackers actually misuse and compromise them.

Telecom and Broadband Penetration Testing

The pen tester tries to determine the vulnerabilities in the broadband connection of the particular corporate network. The pen tester simulates different types of attacks, such as unauthorized access, installation of malicious software, and DoS attacks on broadband connections, to check whether the network withstands these types of attacks.

Email Security Penetration Testing

Email security penetration testing helps to check all the vulnerabilities associated with an email mechanism.

Security Patches Penetration Testing

Unless the system or software is updated with the latest security patches, it is more vulnerable to attacks. Poorly designed security patches have vulnerabilities, so testing them helps in resolving such issues.

Data Leakage Penetration Testing

Penetration testing of data leakage helps in the following ways:
- Preventing confidential information from going out to the market or to competitors
- Allows increasing the internal compliance level for data protection
- Improves awareness amongst employees on safe practices
- Will be useful to easily demonstrate compliance with regulations
- Controls exposure with workflows for mitigation


SAP Penetration Testing

Attackers may be able to break into the SAP platform and perform espionage, sabotage, and fraud attacks on business-critical information. The SAP penetration testing service simulates the process performed by an attacker. In SAP penetration testing, the pen tester tries to find the vulnerabilities in the SAP platform by conducting different types of attacks, and then checks whether he or she is able to break into the SAP platform.


Application Security Assessment

Application security assessment is an in-depth analysis of applications to identify and assess security vulnerabilities that can expose the organization's sensitive information.

Application security assessment is done by a security professional to identify security vulnerabilities and significant issues. Application security assessment involves:
- Inspection of application validation and bounds checking for both accidental and mischievous input.
- Manipulation of client-side code and locally stored information such as session information and configuration files.
- Examination of application-to-application interaction between system components such as the web service and back-end data sources.
- Discovery of opportunities that could be utilized by an attacker to escalate their permissions.
- Examination of event logging functionality.
- Examination of authentication methods in use for their robustness and resilience to various subversion techniques.


Even in a well-deployed and secured infrastructure, a weak application can expose the organization's crown jewels to unacceptable risk. Application security assessment is designed to identify and assess threats to the organization through bespoke or proprietary applications or systems. This test checks the application so that a malicious user cannot access, modify, or destroy data or services within the system.



Web Application Testing I

This test phase can be carried out as the tester proceeds to acquire the target.

Input validation

Tests include OS command injection, script injection, SQL injection, LDAP injection, and cross-site scripting. Other tests include checking for dependency on external data and source verification.
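Added example for the SQL injection test above (not EC-Council's code): the vulnerable string-built login lookup beside its parameterised form, with a small harness showing how the tester tells them apart. The in-memory SQLite table, its users and the function names are constructed for the demo.

```python
"""Input-validation check for SQL injection: a login lookup built by string
concatenation next to the parameterised form, exercised against an
in-memory SQLite table.

Added example, not EC-Council's code. The users table, its rows and the
function names (make_db, login_unsafe, login_safe, run_injection_test) are
constructed for the demo.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable form: user input is spliced into the query text, so a quote
    or SQL keyword inside the input changes the meaning of the statement."""
    query = (
        "SELECT 1 FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: placeholders pass the input as data; the driver never
    interprets it as SQL, whatever characters it contains."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def run_injection_test(login) -> dict:
    """The tester's check: does a quote-and-tautology string in the username
    field authenticate without a valid password?  Returns the observations
    so the two implementations can be compared side by side."""
    conn = make_db()
    payload = "alice' OR '1'='1"   # textbook test string for this flaw
    return {
        "valid_creds": login(conn, "alice", "correct horse"),
        "wrong_password": login(conn, "alice", "nope"),
        "payload_in_username": login(conn, payload, "nope"),
    }


if __name__ == "__main__":
    for name, fn in (("unsafe", login_unsafe), ("safe", login_safe)):
        print(name, run_injection_test(fn))
```

In the vulnerable version the payload case returns True (the tautology short-circuits the password check); in the parameterised version it returns False, which is the result a tester should see.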

Output sanitization

Tests include parsing special characters and verifying error checking in the application.

Access control

The tester checks access to administrative interfaces, transfers data for manipulating form fields, checks URL query strings, changes the values of client-side script, and attacks cookies. Other tests include checking for authorization breaches, enumerating assets accessible through the application, lapses in event handling sequences, proxy handling, and compliance with the least privilege access rule.



Web Application Testing II

Checking for buffer overflows

Tests include attacks against stack overflows, heap overflows, and format string overflows.

Denial-of-service

Test for DoS induced by malformed user input, user lockout, and application lockout due to traffic overload, transaction requests, or excessive requests on the application.

Component checking

Check for security controls on web server/application components that might expose the web application to vulnerabilities, such as basic authentication.

Data and error checking

Check for data-related security lapses such as storage of sensitive data in the cache or input of sensitive data using HTML. Check for verbose error messages that give away more details of the application than necessary, and the error type.


SQL injection techniques

SQL injection may be attempted against web applications to gain access to the target system.



Web Application Testing III

Confidentiality check

For applications using secure protocols and encryption, check for lapses in the key exchange mechanism, inadequate key length, and weak algorithms. Validate authentication schemes by attempting user enumeration through the login or a recovery process. Check digital certificates and use a signature verification process.

Session management

Check the time validity of session tokens, the length of tokens, and the expiration of session tokens while transiting from SSL to non-SSL resources, the presence of any session tokens in the browser history or cache, and the randomness of session IDs (check for use of user data in generating an ID).
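Added example for the session-management checks above (not EC-Council's code): a checker for token length, character randomness, embedded user data (including lightly encoded forms) and time validity. The sample tokens, the thresholds and the function names are assumptions for the demo.

```python
"""Session token checks: length, character randomness, whether the token
embeds user data (plain, base64 or hex encoded), and time validity.

Added example, not EC-Council's code. Thresholds, the sample user record and
the sample tokens are constructed assumptions for the demo.
"""
import base64
import binascii
import math
from collections import Counter


def shannon_entropy_bits(token: str) -> float:
    """Bits of entropy per character estimated from the token's own character
    distribution: a rough screen that flags low-variety or repetitive tokens."""
    counts = Counter(token)
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decoded_forms(token: str) -> list:
    """The token as-is plus any base64/hex decoding that succeeds, lower-cased,
    so embedded user data is found even when it is lightly encoded."""
    forms = [token.lower()]
    for decoder in (base64.b64decode, base64.urlsafe_b64decode, binascii.unhexlify):
        try:
            forms.append(decoder(token).decode("utf-8", "ignore").lower())
        except ValueError:          # binascii.Error is a ValueError subclass
            pass
    return forms


def check_session_token(token: str, user_data: dict, issued_at: float,
                        now: float, max_age_s: int = 3600,
                        min_len: int = 16, min_entropy: float = 3.0) -> list:
    """Return the list of findings; an empty list means the token passed."""
    findings = []
    if len(token) < min_len:
        findings.append("token shorter than %d characters" % min_len)
    if shannon_entropy_bits(token) < min_entropy:
        findings.append("low character entropy")
    views = decoded_forms(token)
    for field, value in user_data.items():
        needle = str(value).lower()
        # very short values would match by chance; skip them
        if len(needle) >= 3 and any(needle in v for v in views):
            findings.append("token embeds user data: %s" % field)
    if now - issued_at > max_age_s:
        findings.append("token past its %ds validity window" % max_age_s)
    return findings


def demo() -> dict:
    """Constructed tokens: a weak one that just base64-encodes the user and
    issue time, and a strong-looking 64-hex-character one (constructed value,
    not derived from anything)."""
    issued = 1_700_000_000.0
    user = {"username": "alice", "user_id": "1042"}
    weak = base64.b64encode(b"alice:1042:1700000000").decode()
    strong = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
    return {
        "weak": check_session_token(weak, user, issued, issued + 60),
        "strong": check_session_token(strong, user, issued, issued + 60),
        "expired": check_session_token(strong, user, issued, issued + 7200),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "ok")
```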

Configuration verification

Attempt manipulation of resources using HTTP methods such as DELETE and PUT, check for version content availability and any visible restricted source code in public domains, attempt directory and file listing, test for known vulnerabilities, and check the accessibility of administrative interfaces in the server and server components.



Network Security Assessment

Network security assessment is an effective method to protect the systems from external attacks. Vulnerabilities present in routers, firewalls, DNS, web and database servers, and other systems become a doorway for attackers to perform attacks. Network assessment helps in reducing the risks related to networks. It gives a clearer idea about the risks posed by external and internal attackers.

- It scans the network environment for identifying vulnerabilities and helps to improve an enterprise's security policy.
- It uncovers network security faults that can lead to data or equipment being exploited or destroyed by Trojans, denial-of-service attacks, and other intrusions.
- It ensures that the security implementation actually provides the protection that the enterprise requires when any attack takes place on a network, generally by "exploiting" a vulnerability of the system.
- It is performed by a team attempting to break into the network or servers.


Wireless/Remote Access Assessment

Wireless/remote access assessment involves assessing risks associated with wireless/cellular networks, VPN systems, and mobile devices.

Wireless/remote access assessment addresses the security risks associated with an increasingly mobile workforce. Wireless networking has various benefits as well as security risks. Assessment includes testing the following things:
- Bluetooth
- 802.11 a, b and g
- Wireless networks
- Radio communication channels
- Wireless radio transmissions
- GHz signals



Wireless Testing

A wireless network can be attacked in multiple ways, and conducting a penetration test here is a difficult process compared to a wired network. To launch attacks against wireless networks, attackers use various methods such as:
- Denial-of-service attacks
- Man-in-the-middle attacks
- ARP poisoning attacks

Methods for wireless testing include but are not limited to:
- Check if the access point's default Service Set Identifier (SSID) is easily available. Test for "broadcast SSID" and accessibility to the LAN through this. Tests can include brute forcing the SSID character string using tools like Kismet.
- Check for vulnerabilities in accessing the WLAN through the wireless router, access point, or gateway. This can include verifying if the default Wired Equivalent Privacy (WEP) encryption key can be captured and decrypted.


- Audit for a broadcast beacon of any access point and check all protocols available on the access points. Check if Layer 2 switched networks are being used instead of hubs for access point connectivity.
- Subject authentication to playback of previous authentications in order to check for privilege escalation and unauthorized access.
- Verify that access is granted only to client machines with registered MAC addresses.


Telephony Security Assessment

A telephony security assessment is performed to identify vulnerabilities in corporate voice technologies that might result in toll fraud, eavesdropping on calls, unauthorized access to voicemail systems, DoS attacks, etc.

Telephone security assessment includes security assessment of PBXs, Voice over IP (VoIP) systems, modems, mailboxes, etc.

The main objective of a telephony assessment is to test for the following:
- Toll fraud
- Eavesdropping on telephone calls
- Unauthorized access to voicemail systems

This assessment addresses security concerns relating to corporate voice technologies. A telephony security assessment includes abuse of PBXs by outsiders to route calls at the target's expense, mailbox deployment and security, voice over IP (VoIP) integration, unauthorized modem use, and associated risks. Telephony security assessment consists of:
- PBX testing
- Voicemail testing
- FAX review
- Modem testing


Social Engineering

Social engineering refers to the nontechnical information system attacks that rely on tricking people to divulge sensitive information. It exploits trust, fear, and the helping nature of humans to extract sensitive data such as security policies, sensitive documents, office network infrastructure, passwords, etc.

Social engineering refers to the method of influencing and persuading people to reveal sensitive information in order to perform some malicious action. You can use this to gather confidential information, authorization details, and access details by deceiving and manipulating people.

All security measures adopted by the organization are in vain when employees get "socially engineered" by strangers. Some examples of social engineering include unwittingly answering the questions of strangers, replying to spam emails, and bragging in front of co-workers. Most often, people are not even aware of a security lapse on their part. Possibilities are that they divulge information to a potential attacker inadvertently. Attackers take special interest in developing social engineering skills, and are so proficient that their victims don't even realize that they have been scammed. Despite having security policies in the organization, they can be compromised because social engineering attacks target the weakness of people to be helpful for launching their attack. Attackers always look for new ways to gather information; they ensure that they know the people on the perimeter (security guards, receptionists, and help desk workers) in order to exploit the human's oversight. People have been conditioned not to be overly suspicious; they associate certain behavior and appearances with known entities.


Testing Network-Filtering Devices

- Penetration testing is a method of evaluating the security of an information system or network by simulating an attack to find out vulnerabilities that an attacker could exploit. Testing involves active analysis of system configurations, design weaknesses, network architecture, technical flaws, and vulnerabilities.
- Black box testing simulates an attack from someone who has no prior knowledge of the system, and white box testing simulates an attack from someone who has complete knowledge about the system.
- A comprehensive report with details of vulnerabilities discovered and a suite of recommended countermeasures is delivered to the executive, management, and technical audiences.

T h e r e a r e v a r i o u s w a y s t o c o n f i g u r e n e t w o r k - f i l t e r i n g d e v i c e s . In s o m e i n s t a n c e s , t h e y m a y b e c a r e l e s s t o c h e c k m a l i c i o u s t r a f f i c , w h i l e in o t h e r s ; t h e y m a y b e s t r i c t t o a l l o w l e g i t i m a t e traffic. T h e o b je c tiv e of t h e p e n t e s t t e a m flows through the filtering device. w o u ld b e to a s c e r ta in t h a t only le g itim a te traffic if m ultiple filters are used, like a DMZ

H ow ever,

c o n f i g u r a t i o n t h a t u s e s t w o f i r e w a l l s , e a c h f i l t e r h a s t o b e t e s t e d t o m a k e s u r e t h a t it h a s b e e n c o n f i g u r e d in t h e c o r r e c t w a y . It is a f a c t , h o w e v e r , t h a t e v e n t h e m o s t p r e v e n t i v e f i r e w a l l c a n n o t r e s t r i c t n e t w o r k i n t r u s i o n w h e n t h e i n t r u s i o n is i n i t i a t e d w i t h i n t h e o r g a n i z a t i o n . M o s t f i r e w a l l s h a v e t h e a b i l i t y t o l o g all activities. But, if t h e logs are unm onitored over a period of tim e, they may hinder the

fu n c tio n a lity of t h e firewall. P en te s t e r s m a y t e s t t h e firewall for e n d u r a n c e

by checking t h e

logs a n d e n s u r in g t h a t t h e logging activity d o e s n o t in t e r f e r e w ith t h e firew all's p r im a r y activity. Proxy se rv e rs may be subjected to tests to d e t e r m i n e th e i r ability to filter o u t unw anted

p a c k e t s . T h e p e n t e s t e r s m a y r e c o m m e n d t h e u s e o f a l o a d b a l a n c e r if t h e t r a f f i c l o a d s e e m s t o be affectin g t h e filtering cap ab ilities of t h e devices. T e s t i n g f o r d e f a u l t i n s t a l l a t i o n s o f t h e f i r e w a l l c a n b e d o n e t o e n s u r e t h a t d e f a u l t u s e r IDs a n d passw ords have been disabled or changed. Testers can also check for any rem ote login

c a p a b ility t h a t a r e e n a b le d a n d allo w a n in tru d e r to d is a b le t h e firewall.
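As an added example (not code from the courseware), the following Python harness applies the point made above about testing each filter of a two-firewall DMZ on its own: every rule set is evaluated against a constructed table of legitimate and illegitimate flows, and any verdict that disagrees with the intended policy is reported, along with a check that each filter ends in an explicit default deny. The addresses, rules and flows are constructed assumptions, not a real network.

```python
"""Filter-policy test harness: added example, not code from the CEH courseware.
Models the text's DMZ (outer firewall Internet->DMZ, inner firewall DMZ->LAN) as
first-match rule lists and checks each filter on its own against a constructed
table of flows that says what legitimate and illegitimate traffic SHOULD do."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    proto: str            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # destination port; None matches any port

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: Optional[int]

def _net_match(cidr, addr):
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)

def rule_matches(rule, flow):
    return (_net_match(rule.src, flow.src) and _net_match(rule.dst, flow.dst)
            and rule.proto in ("any", flow.proto)
            and rule.dport in (None, flow.dport))

def verdict(rules, flow):
    """First matching rule decides; with no match, fall back to deny."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return "deny"

def has_default_deny(rules):
    """Last rule must be an explicit any/any deny (guards permit-by-default filters)."""
    last = rules[-1]
    return (last.action == "deny" and last.src == last.dst == "any"
            and last.proto == "any" and last.dport is None)

def evaluate_policy(rules, cases):
    """cases: (Flow, expected action) pairs. Returns (flow, expected, got) mismatches."""
    mismatches = []
    for flow, expected in cases:
        got = verdict(rules, flow)
        if got != expected:
            mismatches.append((flow, expected, got))
    return mismatches

# Constructed topology using RFC 5737 / RFC 1918 addresses (not a real network).
OUTER_FW = [
    Rule("allow", "any", "192.0.2.10/32", "tcp", 443),  # public web server in DMZ
    Rule("allow", "any", "192.0.2.20/32", "udp", 53),   # public DNS in DMZ
    Rule("deny", "any", "10.0.0.0/8", "any", None),     # Internet never reaches LAN directly
    Rule("deny", "any", "any", "any", None),
]
INNER_FW = [
    Rule("allow", "192.0.2.10/32", "10.0.1.5/32", "tcp", 5432),  # web tier -> database
    Rule("allow", "10.0.0.0/8", "192.0.2.0/24", "tcp", 443),      # staff to DMZ web
    Rule("deny", "any", "any", "any", None),
]
# The same outer rules with a permissive catch-all: the kind of misconfiguration
# that only shows up when the outer filter is tested by itself.
OUTER_FW_PERMISSIVE = OUTER_FW[:2] + [Rule("allow", "any", "any", "any", None)]
OUTER_CASES = [
    (Flow("198.51.100.7", "192.0.2.10", "tcp", 443), "allow"),  # legitimate web visit
    (Flow("198.51.100.7", "192.0.2.10", "tcp", 22), "deny"),    # management port from Internet
    (Flow("198.51.100.7", "10.0.1.5", "tcp", 5432), "deny"),    # Internet straight to the DB
]
INNER_CASES = [
    (Flow("192.0.2.10", "10.0.1.5", "tcp", 5432), "allow"),     # web tier to DB
    (Flow("192.0.2.20", "10.0.1.5", "tcp", 5432), "deny"),      # DNS host must not reach DB
    (Flow("192.0.2.10", "10.0.1.5", "tcp", 22), "deny"),        # only the DB port is allowed
]
```

Running `evaluate_policy(OUTER_FW_PERMISSIVE, OUTER_CASES)` returns two mismatches while the end-to-end path through the inner firewall would still look correct, which is why the text insists on testing each filter individually.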


Denial-of-Service Simulation

• These tests are meant to check the effectiveness of anti-DoS devices
• Some online services can be used to simulate DoS attacks for a nominal charge

Denial-of-Service Emulation

There are two classes of DoS: magic packet attacks and resource-exhaustion attacks. Magic packet attacks usually take advantage of an existing vulnerability in the OS or application to provoke a grossly abnormal response, excessive CPU utilization, or a full system crash by sending one or a few particular packets; WinNuke and Ping of Death are examples. Resource-exhaustion attacks do not rely entirely on vulnerabilities; instead they make use of the available computer resources. A resource-exhaustion DoS attack is implemented by intentionally consuming the maximum resources and thereby denying them to legitimate users.

While small DoS attacks can be duplicated by running the DoS from one machine connected to the target network, large tests that seek to duplicate DoS attacks may need to utilize many machines and large amounts of network bandwidth. These may prove to be time consuming and resource intensive as well. Instead of deploying several generic servers, hardware devices may be used to create large volumes of network traffic. They can also come with attack/testing modules that are designed to emulate the most common DoS attacks.

Simulating hacker attacks can include spoofing the DoS source address to that of a router or device on the network itself, so that if the IDS is triggered, the network cuts itself off and the objective is achieved. Another option is to emulate the DoS from an online site and route the traffic over the Internet. Some firms offer this service for a charge and route traffic over the Internet to emulate the attack.


There are several tools available to simulate denial-of-service attacks and assess the effectiveness of anti-DoS devices. For example, WebAvalanche can be configured to increase the connection-per-second rate and bandwidth usage. This produces connections that have lower latency and are usually faster than the average user's HTTP connection. However, this may not necessarily affect the capabilities of the devices that are being tested to study traffic.


Module Flow

Pen testing results can be effective when the test is performed by a skilled pen tester. Hiring a highly skilled professional on a permanent basis may be a huge investment; therefore, most companies prefer outsourcing their pen testing services. Outsourcing the pen testing can increase the frequency, scope, and consistency of their security evaluations.

Pen Testing Concepts
Types of Pen Testing
Pen Testing Techniques
Pen Testing Phases
Pen Testing Roadmap
Outsourcing Pen Testing Services

A detailed explanation of outsourcing penetration testing services is given on the next slides.


Outsourcing Penetration Testing Services

• To get the network audited by an external agency to acquire an intruder's point of view
• The organization may require a specific security assessment and suggested corrective measures
• Professional liability insurance pays for settlements or judgments for which pen testers become liable as a result of their actions, or failure to perform professional services
• It is also known as E&O insurance or professional indemnity insurance

Outsourcing Penetration Testing Services

An organization may choose to outsource penetration-testing services if there is a lack of specific technical knowledge and expertise within the organization. The organization may require a specific security assessment and suggested corrective measures. Alternatively, the organization may choose to get its network audited by an external agency to acquire an intruder's point of view. The need to outsource may also be due to insufficient staff time and resources. The baseline audit may require an ongoing external assessment, or the organization may want to build customer and partner confidence.

From an organization's perspective, it would be prudent to appoint a cutout. A cutout is the company's in-house monitor over the course of the test. This person will be fully aware of how the test will be conducted, the time frame involved, and the comprehensive nature of the test. The cutout will also be able to intervene during the test to save both the pen testers and crucial production systems from unacceptable damage.

Underwriting Penetration Testing

There is an inherent risk involved in undertaking a penetration test. Most organizations would like to know if the penetration testing organization has professional liability insurance. Professional liability insurance pays for settlements or judgments for which pen testers become liable as a result of their actions or failure to perform professional services. It takes care of the costs involved in defending against the claim, which include the attorney's fees, court costs, and other related expenditures involved in the investigation, and it also covers the expenditure of the settlement process. From a pen tester's professional perspective, professional liability insurance is known as malpractice insurance or insurance for professional service providers. It is also known as E&O insurance or professional indemnity insurance.


• An organization sanctions a penetration test against any of its production systems only after it agrees upon explicitly stated rules of engagement
• The rules must state the terms of reference under which the agency can interact with the organization
• They can specify the desired code of conduct, the procedures to be followed, and the nature of the interaction between the testers and the organization

Terms of Engagement

Source: http://seclists.org

Terms of engagement are essential to protect both the organization's interests and the pen tester against liabilities. The terms lay down clearly defined guidelines within which the testers can test the systems. They can specify the desired code of conduct, the procedures to be followed, and the nature of interaction between the testers and the organization.

It is prudent for an organization to sanction a penetration test against any of its production systems only after it agrees upon explicitly stated rules of engagement. This contract agreed upon with the pen test agency must state the terms of reference under which the agency can interact with the organization.

For instance, if the pen test agency is undertaking network mapping, the rules of engagement may read as follows: "Pen test agency can obtain much of the required information regarding the site's general network profile, such as IP address ranges, telephone number ranges, and other information about the site's network topology, through public information sources such as Internet registration services, web pages, and telephone directories. More detailed information about the site's network architecture can be obtained through the use of domain name server (DNS) queries, ping sweeps, port scans, and connection route tracing. Informal inquiries, not related to the organization, may also be attempted to gather information from users and administrators that could assist in gaining access to network resources."


Project Scope

• Determining the scope of the pen test is essential to decide if the test is a targeted test or a comprehensive test
• Comprehensive assessments are coordinated efforts by the pen test agency to uncover as many vulnerabilities as possible throughout the organization
• A targeted test will seek to identify vulnerabilities in specific systems and practices

Project Scope

Determining the scope of the pen test is essential to decide if the test is a targeted test or a comprehensive test. One of the factors that has a significant effect on the effort estimation and cost component of the penetration test is whether the pen test agency can undertake a zero-knowledge test or a partial-knowledge test. Providing even partial knowledge to the pen testers results in time and cost savings. The burden is on the client to make sure that the information provided is complete to the extent intended. This is important because if sensitive data about critical systems is given beforehand, it might defeat the purpose of the penetration test.

If the agency is going to undertake a targeted test, it can seek to identify vulnerabilities in specific systems and practices such as:

• Remote access technologies such as dial-in modems, wireless, and VPN
• Perimeter defenses of Internet-connected systems
• Security of web applications and database applications
• Vulnerability to denial-of-service attacks

On the other hand, comprehensive assessments are coordinated efforts by the pen test agency to uncover as many vulnerabilities as possible throughout an organization's IT practices and networked infrastructure.


Pen Test Service Level Agreements

• A service level agreement is a contract that details the terms of service that an outsourcer will provide
• The bottom line is that SLAs define the minimum levels of availability from the testers and determine what actions will be taken in the event of serious disruption

Pen Test Service Level Agreements

The contract that describes the terms of service that an outsourcer provides is known as a Service Level Agreement (SLA). SLAs should match the testing requirements as closely as possible. Proficiently drafted SLAs can include remedies and penalties for missing particular service levels. These penalties encourage the pen test team to achieve the objectives and make sure that they get back on track quickly. Many organizations also ask for referrals and examples of SLAs the testers have used with other customers who had similar testing needs. The organization may want to verify the metrics used and the quality of the results achieved to assess the ability of the pen test team to meet its requirements.

From a pen tester's perspective, it may be difficult to provide examples of real-world SLAs because they are considered confidential business information, similar to other contract terms. The bottom line is that SLAs define the minimum levels of availability from the testers and determine what actions can be taken in the event of serious disruption.

Normally, the contract covers issues such as compensation, warranties and remedies, resolution of disputes, and legal compliance. It basically frames the relationship and determines the major responsibilities, both during normal testing and in an emergency situation.


Penetration Testing Consultants

• Hiring a qualified penetration tester determines the quality of the penetration testing
• The main role of penetration testing consultants includes validating the security controls implemented across an organization's external or internal resources, such as firewalls, servers, and routers, and developing security policies and procedures
• Each area of the network must be examined in depth
• A proficient pen tester should possess experience in different IT fields such as software development, systems administration, and consultancy

Penetration Testing Consultants

When companies outsource penetration testing, although it is somewhat costly to hire qualified professionals who are specifically trained, it usually yields good results. Higher-quality work can be done and the desired goals can be achieved.

• Hiring a qualified penetration tester determines the quality of the penetration testing.
• A penetration test of a corporate network can examine numerous different hosts (with a number of different operating systems), the network architecture, policies, and procedures.
• Each area of the network must be examined in depth.
• Penetration testing skills cannot be obtained without years of experience in IT fields such as development, systems administration, or consultancy.


Module Summary

• A pen test simulates methods that intruders use to gain unauthorized access to an organization's networked systems and then compromise them
• Penetration testing assesses the security model of the organization as a whole and reveals potential consequences of a real attacker breaking into the network
• Internal testing involves testing computers and devices within the company
• Pen testing test components depend on the client's operating environment, threat perception, security and compliance requirements, ROE, and budget
• The penetration testing contract must be drafted by a lawyer and signed by the penetration tester and the company
• Security assessment categories are security audits, vulnerability assessments, and penetration testing

Module Summary

• A pen test simulates methods that intruders use to gain unauthorized access to an organization's networked systems and then compromise them.
• Penetration testing assesses the security model of the organization as a whole and reveals potential consequences of a real attacker breaking into the network.
• Internal testing will be performed from a number of network access points, representing each logical and physical segment.
• Pen testing test components depend on the client's operating environment, threat perception, security and compliance requirements, ROE, and budget.
• The penetration testing contract must be drafted by a lawyer and signed by the penetration tester and the company.
• Security assessment categories are security audits, vulnerability assessments, and penetration testing.
