CEH: Ethical Hacking and Countermeasures v8
Module 20: Penetration Testing
Exam 312-50
Ethical Hacking and Countermeasures Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Security News

City of Tulsa Cyber Attack Was Penetration Test, Not Hack

Source: http://www.esecurityplanet.com

October 02, 2012

The City of Tulsa, Oklahoma last week began notifying residents that their personal data may have been accessed -- but it now turns out that the attack was a penetration test by a company the city had hired. "City officials didn't realize that the apparent breach was caused by the security firm, Utah-based SecurityMetrics, until after 90,000 letters had been sent to people who had applied for city jobs or made crime reports online over the past decade, warning them that their personal identification information might have been accessed," writes Tulsa World's Brian Barber. "The mailing cost the city $20,000, officials said."

"An additional $25,000 was spent on security consulting services to add protection measures to the website," FOX23 News reports.

"The third-party consultant had been hired to perform an assessment of the city's network for vulnerabilities," write NewsOn6.com's Dee Duren and Lacie Lowry. "The firm used an unfamiliar testing procedure that caused the City to believe its website had been compromised. 'We had to treat this like a cyber-attack because every indication initially pointed to an attack,' said City Manager Jim Twombly."

"The chief information officer who failed to determine that the hack was actually part of a penetration test has been placed on administrative leave with pay," writes Softpedia's Eduard Kovacs. "In the meantime, his position will be filled by Tulsa Police Department Captain Jonathan Brook."

http://www.esecurityplanet.com/network-security/city-of-tulsa-cyber-attack-was-penetration-test-not-hack.html
Module Objectives

- Security Assessments
- Vulnerability Assessment
- Penetration Testing
- What Should be Tested?
- ROI on Penetration Testing
- Types of Penetration Testing
- Common Penetration Testing Techniques
- Pre-Attack Phase
- Attack Phase
- Post-Attack Phase
- Penetration Testing Deliverable Templates
- Pen Testing Roadmap
- Web Application Testing
- Outsourcing Penetration Testing Services
The preceding modules covered the techniques specific to the respective element (web application, etc.), mechanism (IDS, firewall, etc.), or phase (reconnaissance, scanning, etc.). This module summarizes all the penetration tests. It helps you in evaluating the security of an organization and also guides you to make your network or system more secure with its countermeasures. The module will familiarize you with:

- Security Assessments
- Vulnerability Assessments
- Penetration Testing
- What Should be Tested
- ROI on Penetration Testing
- Types of Penetration Testing
- Common Penetration Testing Techniques
- Pre-attack Phase
- Attack Phase
- Post-attack Phase
- Penetration Testing Deliverable Templates
- Pen Testing Roadmap
- Web Application Testing
- Outsourcing Penetration Testing Services
Module Flow

For better understanding of penetration testing, this module is divided into various sections. Let's begin with penetration testing concepts.

- Pen Testing Concepts
- Pen Testing Techniques
- Pen Testing Roadmap
Security Assessments

Every organization uses different types of security assessments to validate the level of security on its network resources. Each type of security assessment requires the people conducting the assessment to have different skills; employees or outsourced security experts must have thorough experience of penetration testing. Security assessment categories include security audits, vulnerability assessments, and penetration testing or ethical hacking.
Security Assessment Categories

The security assessment is broadly divided into three categories:

1. Security Audits: IT security audits typically focus on the people and processes used to design, implement, and manage security on a network. There is a baseline involved for processes and policies within an organization. In an IT security audit, the auditor and the organization's security policies and procedures use the specific baseline to audit the organization. The IT management usually initiates IT security audits. The National
2. Vulnerability Assessments: ... employees, internal employees, etc. can be determined.
3. Penetration Testing
Security Audit

A security audit is a systematic, measurable technical assessment of how the security policy is employed by the organization. A security audit is conducted to maintain the security level of the particular organization. It helps you to identify attacks that pose a threat to the network or attacks against resources that are considered valuable in risk assessment. The security auditor is responsible for conducting security audits on the particular organization. The security auditor works with the full knowledge of the organization, at times with considerable inside information, in order to understand the resources to be audited.

- A security audit is a systematic evaluation of an organization's compliance to a set of established information security criteria.
- The security audit includes assessment of a system's software and hardware configuration, physical security measures, data handling processes, and user practices against a checklist of standard policies and procedures.
- A security audit ensures that an organization has and deploys a set of standard information security policies.
- It is generally used to achieve and demonstrate compliance to legal and regulatory requirements such as HIPAA, SOX, PCI-DSS, etc.
Vulnerability Assessment

- Scanning Tools: Vulnerability scanning tools search network segments for IP-enabled devices and enumerate systems, OSs, and applications.
- Test Systems/Network: Vulnerability scanners can test systems and network devices for exposure to common attacks. Additionally, vulnerability scanners can identify common security configuration mistakes.
A vulnerability assessment is a basic type of security assessment. This assessment helps you in finding the known security weaknesses by scanning a network. With the help of vulnerability scanning tools, you can search network segments for IP-enabled devices and enumerate systems, operating systems, and applications. Vulnerability scanners are capable of identifying device configurations including the OS version running on computers or devices, IP protocols and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports that are listening, and applications that are installed on computers. By using vulnerability scanners, you can also identify common security mistakes such as accounts that have weak passwords, files and folders with weak permissions, default services and applications that might need to be uninstalled, and mistakes in the security configuration of common applications. They can search for computers exposed to known or publicly reported vulnerabilities. The software packages that perform vulnerability scanning scan the computer against the Common Vulnerabilities and Exposures (CVE) index and security bulletins provided by the software vendor. The CVE is a vendor-neutral listing of reported security vulnerabilities in major operating systems and applications and is maintained at http://cve.mitre.org/. Vulnerability scanners can test systems and network devices for exposure to common attacks. This includes common attacks such as the enumeration of security-related information and denial-of-service attacks. However, it must be noted that vulnerability scanning reports can expose weaknesses in hidden areas of applications and frequently include many false positives. Network administrators who analyze vulnerability scan results must have sufficient knowledge and experience with the operating systems, network devices, and applications being scanned and their roles in the network.

You can use two types of automated vulnerability scanners depending upon the situation: network-based and host-based. Network-based scanners attempt to detect vulnerabilities from the outside. They are normally launched from a remote system, outside the organization, and without authorized user access. For example, network-based scanners examine a system for such exploits as open ports, application security exploits, and buffer overflows. Host-based scanners usually require a software agent or client to be installed on the host. The client then reports back the vulnerabilities it finds to the server. Host-based scanners look for features such as weak file access permissions, poor passwords, and logging faults.
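A minimal host-based check of the kind described above, written as an added example (not code from the EC-Council module): it walks a directory tree and flags weak file access permissions against a small policy. The policy rules, the secret-file suffixes and the sample tree are all constructed for illustration.

```python
"""Host-based permission check: walk a tree, flag weak file modes.

Added example, not from the CEH module. The policy below (world-writable
files, setuid/setgid files, secret files readable by group or others) and
the sample tree are constructed for illustration.
"""
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    mode: str      # octal permission bits, e.g. "0666"
    rule: str      # policy rule that fired
    severity: str  # "high" or "medium"


# Constructed policy: files with these suffixes are treated as secrets and
# must not be readable by group or others.
SECRET_SUFFIXES = (".pem", ".key", "shadow")


def check_file(path: str) -> list:
    """Return the findings for one regular file (empty list if clean)."""
    st = os.lstat(path)               # lstat: never follow symlinks
    if not stat.S_ISREG(st.st_mode):
        return []
    perm = stat.S_IMODE(st.st_mode)   # permission bits only
    mode = f"{perm:04o}"
    findings = []
    if perm & stat.S_IWOTH:
        findings.append(Finding(path, mode, "world-writable", "high"))
    if perm & (stat.S_ISUID | stat.S_ISGID):
        findings.append(Finding(path, mode, "setuid-or-setgid", "high"))
    if path.endswith(SECRET_SUFFIXES) and perm & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(Finding(path, mode, "secret-readable-by-others", "medium"))
    return findings


def scan_tree(root: str) -> list:
    """Collect findings for every regular file under root, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            findings.extend(check_file(os.path.join(dirpath, name)))
    return sorted(findings, key=lambda f: f.path)


def summarize(findings: list) -> dict:
    """Roll findings up per rule, as a scan report's summary would."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def build_sample_tree() -> str:
    """Create a constructed directory tree with deliberately weak modes."""
    root = tempfile.mkdtemp(prefix="hostcheck-")
    layout = {
        "etc/app.conf": 0o666,    # world-writable configuration file
        "etc/server.key": 0o644,  # private key readable by everyone
        "bin/helper": 0o4755,     # setuid binary
        "etc/clean.conf": 0o644,  # nothing wrong here
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in scan_tree(sample_root):
        print(f"{finding.severity:6} {finding.rule:26} {finding.mode} {finding.path}")
    print(summarize(scan_tree(sample_root)))
```

A real agent would ship these findings to the scan server and the administrator would still have to triage them in context, since a mode that is weak for a key file may be intended for a public configuration file.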
Limitations of Vulnerability Assessment

- The methodology used as well as the diverse vulnerability scanning software packages assess security differently.
- Vulnerability scanning software is limited in its ability to detect vulnerabilities at a given point in time.
- It must be updated when new vulnerabilities are discovered or modifications are made to the software being used.

Vulnerability scanning software allows you to detect limited vulnerabilities at a given point in time. As with any assessment software that requires the signature file to be updated, vulnerability scanning software must be updated when new vulnerabilities are discovered or improvements are made to the software being used. The vulnerability software is only as effective as the maintenance performed on it by the software vendor and by the administrator who uses it. Vulnerability scanning software itself is not immune to software engineering flaws that might lead to non-detection of serious vulnerabilities. Another aspect to be noted is that the methodology used might have an impact on the result of the test. For example, vulnerability scanning software that runs under the security context of the domain administrator will yield different results than if it were run under the security context of an authenticated user or a non-authenticated user. Similarly, diverse vulnerability scanning software packages assess security differently and have unique features. This can influence the result of the assessment. Examples of vulnerability scanners include Nessus and Retina.
Introduction to Penetration Testing

- A pentest simulates methods that intruders use to gain unauthorized access to an organization's networked systems and then compromise them.
- In the context of penetration testing, the tester is limited by resources - namely time, skilled resources, and access to equipment - as outlined in the penetration testing agreement.
Hacking is often portrayed as a streak of genius or brilliance in the ability to conjure previously unknown ways of doing things. In this context, to advocate a methodology that can be followed to simulate a real-world hack through ethical hacking or penetration testing might come across as a contradiction. Penetration testing is a process of evaluating the security of the network by trying all possible attack vectors like an attacker does. The reason behind advocating a methodology in penetration testing arises from the fact that most attackers follow a common underlying approach when it comes to penetrating a system. In the context of penetration testing, as a tester you will be limited by resources such as time, skilled resources, and access to equipment, as outlined in the penetration testing agreement. The paradox of penetration testing is the fact that the inability to breach a target does not necessarily indicate the absence of vulnerability. In other words, to maximize the returns from a penetration test, you must be able to apply your skills to the resources available in such a manner that the attack area of the target is reduced as much as possible.

A pen test simulates methods that intruders use to gain unauthorized access to an organization's networked systems and then compromise them. It involves using proprietary and open source tools to test for known and unknown technical vulnerabilities in networked systems. Apart from automated techniques, penetration testing involves manual techniques for conducting targeted testing on specific systems to ensure that there are no security flaws that may have gone undetected earlier. The main purpose behind footprinting pen testing is to gather data related to a target system or network and find out its vulnerabilities. You can perform this through various techniques such as DNS queries, network enumeration, network queries, operating system identification, organizational queries, ping sweeps, point of contact queries, port scanning, registrar queries, and so on.
Penetration Testing

- Penetration testing that is not completed professionally can result in the loss of services and disruption of the business continuity.
- A penetration tester is differentiated from an attacker only by his intent and lack of malice.

Penetration testing goes a step beyond vulnerability scanning in the category of security assessments. With vulnerability scanning, you can only examine the security of the individual computers, network devices, or applications, but penetration testing allows you to assess the security model of the network as a whole. Penetration testing can help you to reveal the potential consequences of a real attacker breaking into the network, how network weaknesses can be exploited, and how several minor vulnerabilities can be escalated by an attacker to compromise a computer or network. Penetration testing must be considered as an activity that shows the holes in the security model of an organization. Penetration testing helps organizations to reach a balance between technical prowess and business functionality from the perspective of potential security breaches. This test can help you in disaster recovery and business continuity planning. Most vulnerability assessments are carried out solely based on software and cannot assess security that is not related to technology. Both people and processes can be the source of security vulnerabilities as much as the technology can be. Using social engineering techniques, penetration tests can reveal whether employees routinely allow people without identification to enter company facilities and where they would have physical access to computers. Practices such as patch management cycles can be evaluated. A penetration test can reveal process problems, such as not applying security updates until three days after they are released, which would give attackers a three-day window to exploit known vulnerabilities on servers. You can differentiate a penetration tester from an attacker only by his intent and lack of malice. Therefore, employees or external experts must be cautioned against conducting penetration tests without proper authorization. Penetration testing that is not completed professionally can result in the loss of services and disruption of the business continuity.
Why Penetration Testing?

Penetration testing plays a vital role in evaluating and maintaining the security of a system or network. It helps you in finding out the loopholes by deploying attacks. It includes both script-based testing as well as human-based testing on networks. A penetration test not only reveals network security holes, but also provides risk assessment. Let's see what you can do with the help of penetration testing:

- You can identify the threats facing an organization's information assets.
- You can reduce an organization's IT security costs and provide a better Return On IT Security Investment (ROSI) by identifying and resolving vulnerabilities and weaknesses.
- You can provide an organization with assurance: a thorough and comprehensive assessment of organizational security covering policy, procedure, design, and implementation.
- You can gain and maintain certification to an industry regulation (BS7799, HIPAA, etc.).
- You can adopt best practices by conforming to legal and industry regulations.
- You can test and validate the efficiency of security protections and controls.
- It focuses on high-severity vulnerabilities and emphasizes application-level security issues to development teams and management.
- It provides a comprehensive approach of preparation steps that can be taken to prevent upcoming exploitation.
- You can evaluate the efficiency of network security devices such as firewalls, routers, and web servers.
- It supports changing or upgrading the existing infrastructure of software, hardware, or network design.
Comparing Security Audit, Vulnerability Assessment, and Penetration Testing

Although a lot of people use the terms security audit, vulnerability assessment, and penetration test interchangeably to mean security assessment, there are considerable differences between them.

Security Audit: A security audit just checks whether the organization is following a set of standard security policies and procedures.

Vulnerability Assessment: A vulnerability assessment focuses on discovering the vulnerabilities in the information system but provides no indication if the vulnerabilities can be exploited or the amount of damage that may result from the successful exploitation of the vulnerability.

Penetration Testing: Penetration testing is a methodological approach to security assessment that encompasses the security audit and vulnerability assessment and demonstrates if the vulnerabilities in the system can be successfully exploited by attackers.

TABLE 20.1: Comparison between Security Audit, Vulnerability Assessment, and Penetration Testing
What Should Be Tested?

An organization should conduct a risk assessment before the penetration test; it will help to identify the main threats, such as:
- Communications failure and e-commerce failure
- Loss of confidential information

Note: Testing should be performed on all hardware and software components of a network security system.

It is always ideal to conduct a vulnerability assessment in an organization so that various potential threats are known well before they occur. You can test various network or system components for security vulnerabilities, such as:
- Communication failure
- E-commerce failure
- Loss of confidential information
- Public-facing systems and websites
- Email gateways
- Remote access platforms
- Mail
- DNS
- Firewalls
- Passwords
- FTP
- IIS
- Web servers
What Makes a Good Penetration Test?

Consider the following factors to perform a good penetration test:
- Establish the parameters for the penetration test, such as objectives, limitations, and the justification of procedures. Establishing these parameters helps you know the purpose of conducting the penetration test.
- Hire skilled and experienced professionals to perform the test. If the penetration test is not done by skilled and experienced professionals, there is a chance of damaging live data, and more harm than benefit can result.
- Choose a suitable set of tests that balances cost and benefits.
- Follow a methodology with proper planning and documentation. It is very important to document the test at each phase for further reference.
- Document the results carefully and make them comprehensible for the client.
- State the potential risks and findings clearly in the final report.
ROI on Penetration Testing

- Demonstrate the ROI for the pen test with the help of a business case scenario, which includes the expenditure and the profits involved in it.
- Companies will spend on the pen test only if they have proper knowledge of the benefits of the pen test.

The return on a penetration test can be expressed with the usual investment measures:
- Payback period: In this method, the time taken to get the payback (recovering the amount invested) on a particular project is calculated.
- Net present value: Future benefits are calculated in terms of today's money.
- Internal rate of return: The benefits are expressed as an interest rate.

So whenever a penetration test is conducted, a company checks what kinds of benefits are gained from the vulnerabilities it uncovers, which saves it a lot of money, resulting in ROI.
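As an added example (not from the CEH module), the three ROI measures above worked through on a constructed pen-test cash-flow series; the amounts, the 10% discount rate and the function names are assumptions made for illustration:

```python
"""ROI measures for a penetration-test business case (added example).

Works the three methods the module names on a constructed cash-flow series:
payback period, net present value (NPV) and internal rate of return (IRR).
The figures are invented for illustration and are not from the module.
"""
from typing import Dict, List

# Constructed business case: year 0 is the pen-test spend (negative); years
# 1-4 are estimated annual benefits (incident costs avoided because weaknesses
# were fixed before they were exploited).  Not real figures.
PENTEST_CASH_FLOWS: List[float] = [-50_000.0, 20_000.0, 20_000.0, 20_000.0, 20_000.0]


def payback_period(cash_flows: List[float]) -> float:
    """Years until the cumulative cash flow returns to zero.

    Interpolates linearly inside the year in which the spend is recovered;
    returns inf when the series never recovers the investment.
    """
    cumulative = cash_flows[0]
    for year in range(1, len(cash_flows)):
        previous = cumulative
        cumulative += cash_flows[year]
        if cumulative >= 0:
            # Fraction of this year needed to cover the deficit left over
            return (year - 1) + (-previous / cash_flows[year])
    return float("inf")


def net_present_value(rate: float, cash_flows: List[float]) -> float:
    """Discount each year's flow back to today's money at `rate` and sum."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def internal_rate_of_return(cash_flows: List[float], lo: float = -0.99,
                            hi: float = 10.0, tol: float = 1e-9) -> float:
    """Rate at which NPV is zero, found by bisection on [lo, hi].

    Needs NPV to change sign across the interval, which holds for a
    conventional project (one outflow followed by inflows).
    """
    f_lo = net_present_value(lo, cash_flows)
    f_hi = net_present_value(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign in the search interval")
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = net_present_value(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if (f_lo < 0) == (f_mid < 0):
            lo, f_lo = mid, f_mid   # root lies in the upper half
        else:
            hi = mid                # root lies in the lower half
    return (lo + hi) / 2.0


def business_case(cash_flows: List[float], discount_rate: float) -> Dict[str, float]:
    """Summarise the case: the test pays for itself when NPV is positive and
    the IRR exceeds the rate the organisation could otherwise earn."""
    npv = net_present_value(discount_rate, cash_flows)
    irr = internal_rate_of_return(cash_flows)
    return {
        "payback_years": payback_period(cash_flows),
        "npv": npv,
        "irr": irr,
        "worthwhile": float(npv > 0 and irr > discount_rate),
    }


if __name__ == "__main__":
    # Assumed 10% discount rate (cost of capital) for the worked case.
    for key, value in business_case(PENTEST_CASH_FLOWS, 0.10).items():
        print(f"{key:14} {value:,.4f}")
```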
Testing Points

determine this? While providing a penetration-testing team with information such as the exact configuration of the firewall used by the target network may speed up the testing, it can work negatively by providing the testers with an unrealistic advantage. If the objective of the penetration effort is to find as many vulnerabilities as possible, it might be a good idea to opt for white-box testing and share as much information as possible with the testers. This can help in detecting hidden vulnerabilities that often go undetected because of obscurity. On the other hand, if the purpose of the penetration test is to evaluate the effectiveness of the security posture of the organization irrespective of any "security by obscurity" measures, withholding information will derive more realistic results. Similarly, by making highly sensitive information available, such as the names and user IDs of system administrators, the organization may be defeating the purpose of a comprehensive pen test. Therefore, a balance must be reached between assisting the testing team in conducting their test faster and providing a more realistic testing environment by restricting information. Some organizations may choose to get the initial pen test audited by a second pen test team so that there is third-party assurance on the results obtained.
Testing Locations

- The pen test team may have a choice of doing the test either remotely or on-site.
- A remote assessment may simulate an external hacker attack. However, it may miss assessing internal guards.
- An on-site assessment may be expensive and may not simulate an external threat exactly.

The penetration test team may have a preference on the location from where they would probe the network. Alternatively, the organization may want the network to be assessed from a remote location. If the pen test team is based overseas, an on-site assessment may be more expensive than a remote one. The location of the assessment has an influence on the test results. Testing over the Internet may provide a more realistic test environment. However, the pen test team may learn little if there is a well-configured perimeter firewall and robust web application defenses. A purely external assessment may not be able to test any additional inner network defenses put in place to guard against an internal intruder. Sometimes, the organization may have a network that is dispersed geographically across
Module Flow

- Types of Pen Testing
- Pen Testing Techniques
- Pen Testing Roadmap

In this section, you will learn different types of penetration testing, such as external testing, internal testing, black-box, gray-box, and white-box penetration testing,
Types of Penetration Testing

External Testing: External testing involves analysis of publicly available information, a network enumeration phase, and analysis of the behavior of the security devices.

Internal Testing: Internal testing involves testing computers and devices within the company.

- Black-hat testing / zero-knowledge testing
- White-hat testing / complete-knowledge testing
- Announced testing
External Penetration Testing

External penetration testing involves a comprehensive analysis of the company's externally visible servers or devices, such as:
- It is the traditional approach to penetration testing.
- The goal of an external penetration test is to demonstrate the existence of known vulnerabilities that could be exploited by an external attacker.
- It can be performed without prior knowledge of the target to be tested or with full disclosure of the target's topology and environment.

A pen tester conducts an external penetration test to determine the external threats to the network or system. The attacker can perform an external attack without accessing a system by using credentials or the appropriate rights. The main aim behind conducting this pen test is to identify potential weaknesses in the security of the target network system. External testing is focused on the servers, infrastructure, and underlying software pertaining to the target. It may be performed with no prior knowledge of the site (black box) or with full disclosure of the topology and environment (white box). This type of testing will take in a comprehensive analysis of publicly available information about the target, a network enumeration phase where target hosts are identified and analyzed, and the behavior of security devices such as screening network-filtering devices. Vulnerabilities are then identified and verified, and the implications assessed. It is the traditional approach to penetration testing.
Internal Security Assessment

- Internal penetration testing focuses on the company's internal resources such as DMZs, network connections, application services, etc., and a comprehensive analysis of threats and risks that arise within the company.
- The goal of internal penetration testing is to demonstrate the exposure of information or other organization assets to an unauthorized user.
- An internal security assessment follows a similar methodology to external testing, but provides a more complete view of the site security.

access the system inside the network by misusing user privileges. It is used to identify the weaknesses of computer systems inside the particular network. The internal security assessment gives a clear view of the site's security. Internal security assessment has a similar methodology to external penetration testing. The main purpose behind internal penetration testing is to find out the various vulnerabilities inside the network. Risks associated with security aspects are carefully checked. Exploitation can be done by a hacker, a malicious employee, etc.:
- Testing will be performed from a number of network access points, representing each logical and physical segment.
- For example, this may include tiers and DMZs within the environment, the corporate network, or partner company connections.
Black-box Penetration Testing

information or assistance from the client) and map the network while enumerating services, shared file systems, and operating systems discreetly. Additionally, the pen tester can undertake war dialing to detect listening modems and war driving to discover vulnerable access points, if it is legal and within the scope of the project. The following points summarize black-box pen testing:
- It does not require prior knowledge of the infrastructure to be tested.
- The penetration test must be carried out after extensive information gathering and research.
- It takes a considerable amount of time for the project to discover the nature of the infrastructure and how it connects and interrelates.
- You will be given only a company name.
- This test simulates the process of a real hacker.
- It is a time-consuming and expensive type of test.
Gray-box Penetration Testing

- In a gray-box test, the tester usually
- Approaches application security by testing for all vulnerabilities that a hacker may find and exploit.
- Performed mostly when a penetration tester starts a black-box test on well-protected systems and finds that a little prior knowledge is required in

In gray-box penetration testing, the test is conducted with limited knowledge about the infrastructure, defense mechanisms, and communication channels of the target on which the test is to be conducted. It is a simulation of those attacks that are performed by an insider or outsider with limited access privileges. In this case, organizations would prefer to provide the pen testers with partial knowledge or information that hackers could find, such as the domain name server. This can save the organization time and expense. In gray-box testing, pen testers may also interact with system and network administrators.
White-box Penetration Testing

- Complete knowledge of the infrastructure that needs to be tested is known.
- This test simulates the process of the company's employees.
- Information is provided such as:
  - Company infrastructure
  - IP address/firewall/IDS details
  - Company policies (do's and don'ts)

In white-box penetration testing, the test is conducted with full knowledge of the infrastructure, defense mechanisms, and communication channels of the target on which the test is being conducted. This test simulates the insider attacker who has full privileges and unlimited access to the target system. This type of penetration test is conducted when the organization needs to assess its security against a specific kind of attack or a specific target. In this case, the complete information about the target is given to the pen testers. The information provided can include network topology documents, asset inventory, and valuation information. Typically, an organization would opt for this when it wants a complete audit of its security.
Announced/Unannounced Testing

Announced Testing
- Is an attempt to compromise systems on the client network with the full cooperation and knowledge of the IT staff
- Examines the existing security infrastructure for possible vulnerabilities
- Involves the security staff on the penetration testing teams to conduct audits

Unannounced Testing
- Is an attempt to compromise systems on the client networks without the knowledge of IT security personnel
- Allows only the upper management to be aware of these tests
- Examines the security infrastructure and responsiveness of the IT staff

organization's security staff are part of the penetration team allows for a targeted attack against the most worthwhile hosts. Unannounced testing is an attempt to access and retrieve pre-identified flag file(s) or to compromise systems on the client network with the awareness of only the upper levels of management. Such testing examines both the existing security infrastructure and the responsiveness of the staff. If intrusion detection and incident response plans have been created, this type of test will identify any weaknesses in their execution. Unannounced testing offers a test of the organization's security procedures in addition to the security of the infrastructure. In both cases, the IT representative in the organization who would normally report security breaches to legal authorities should be aware of the test to prevent escalation to law enforcement organizations.
Automated Testing

- Automated testing can result in time and cost savings over the long term; however, it cannot replace an experienced security professional.
- Tools can have a high learning curve and may need frequent updating to be effective.
- With automated testing, there is no scope for any of the architectural elements to be tested.
- As with vulnerability scanners, there can be false negatives or, worse, false positives.

Instead of relying on security experts, some organizations and security-testing firms prefer to automate their security assessments. Here, a security tool is run against the target and the security posture is assessed. The tools attempt to replicate the attacks that intruders have been known to use. This is similar to vulnerability scanning. Based on the success or failure of these attacks, the tool attempts to assess and report security vulnerabilities. However, it must be noted that a thorough security assessment also includes elements of architectural review, security policy, firewall rule-base analysis, application testing, and general benchmarking. Automated testing is generally limited to external penetration testing using the black-box approach and does not allow an organization to profit completely from the exercise. As an automated process, there is no scope for any of the policy or architectural elements in the testing, and it may need to be supplemented by a security professional's expertise. One advantage attributed to automated testing is that it reduces the volume of traffic required for each test. This gives an impression that the organization can service its customers
Manual Testing

- Manual testing is the best option an organization can choose to benefit from the experience of a security professional.
- The objective of the professional is to assess the security posture of the organization from an attacker's perspective.
- A manual approach requires planning, test designing, scheduling, and diligent documentation to capture the results of the testing process.

The objective of a seasoned professional is to assess the security posture of the organization from an attacker's perspective. Under the manual approach, the security professional attempts to unearth holes in the security model of the organization by approaching it in a methodical manner. The phases of testing can involve basic information gathering, social engineering, scanning, vulnerability assessment, exploiting vulnerabilities, etc. A manual approach requires planning, test designing and scheduling, and diligent
Module Flow

- Pen Testing Techniques
- Pen Testing Roadmap

Considering that you have become familiar with pen testing concepts and the types of
Common Penetration Testing Techniques

Passive Research: Is used to gather all the information about an organization's system configurations.
Open Source Monitoring: Facilitates an organization to take the necessary steps to ensure its confidentiality and integrity.
Network Mapping and OS Fingerprinting: Is used to get an idea of the configuration of the network being tested.
Spoofing: Is the act of using one machine to pretend to be another. Is used here for both internal and external penetration tests.
Network Sniffing: Is used to capture the data as it travels across a network.
Trojan Attacks: Are malicious code or programs usually sent into a network as email attachments or transferred via "Instant Message" into chat rooms.
Brute-force Attack: Is the most commonly known password cracking method. Can overload a system and possibly stop it from responding to legitimate requests.
Vulnerability Scanning: Is a comprehensive examination of the targeted areas of an organization's network infrastructure.
Scenario Analysis: Is the final phase of testing, making a risk assessment of vulnerabilities much more accurate.
Spoofing
Spoofing is an attempt by someone or something to masquerade as someone else. For example, one machine pretends to be another. Spoofing is used here for both internal and external penetration tests.

Network sniffing
Network spoofing occurs when the attacker forges the source or destination IP address in the IP header. It is used to capture data as it travels across a network.

Trojan attacks
A Trojan attack is installing a Trojan (malicious software) onto the victim's system. It gets installed through email, CD-ROM, Internet Explorer, etc.

Brute force attacks
Session IDs can be guessed by using the brute force technique. It tries multiple

Vulnerability scanning

Scenario analysis
Scenario analysis helps in dealing with uncertainties. It is the final phase of testing, making a risk assessment of vulnerabilities much more accurate.
M o d u le 2 0 P ag e 2912
Using DNS Domain Name and IP Address Information

Data from the DNS servers related to the target network can be used to map a target organization's network

Data from the DNS servers related to the target network can be used to map a target organization's network. DNS zones can be analyzed for information about the target organization's network. This can result in obtaining further data, including the server hosts' names, services offered by particular servers, IP addresses, and contact data for the members of the IT staff. Many attackers have been known to use software, which is easily available to the general public, to create well-organized diagrams of the target network. IP address data regarding a particular system can be gained from the DNS zone or the American Registry for Internet Numbers (ARIN). Another way of obtaining an IP address is by using port-scanning software to deduce a target organization's network diagram. By examining the DNS records, you can get a good understanding of where the servers of the target network are located. The DNS records also provide some valuable information regarding the OS or applications that are being run on the server. The IP block of an organization can be discerned by looking up the domain name and contact information for
Enumerating Information about Hosts on Publicly Available Networks

Enumeration can be done using port scanning tools, IP protocols, and listening to TCP/UDP ports
The testing team can then visualize a detailed network diagram that can be publicly accessed

With the IP addresses in hand, testers examine the network to explore possible points of entry from the perspective of an attacker. Testers achieve this by analyzing all data about the hosts that the target organization exposes to the Internet. They can use port-scanning tools and IP protocols, and they can listen to TCP/UDP ports. Port scans will also reveal information about hosts such as the operating system currently running on the system and other applications. An effective port-scanning tool can also help to deduce how the router and firewall IP filters are configured. The testing team can then visualize a detailed network diagram that can be publicly accessed. Additionally, the effort can reveal screened subnets and a comprehensive list of the types of traffic that are allowed in and out of the network. Website crawlers can mirror entire sites and allow the testing group to check for faulty source code or inadvertent inclusions of sensitive information. Many times, organizations have posted information on the website that is not intended for use by the public. If the rules of engagement permit, the pen-test team may purchase research reports on the organization available for sale and use the information available therein for compromising the security of the target organization. These can include covert means, such as social engineering, as well. It is necessary to point out that prior approval from management is a critical aspect to be considered before indulging in such activities.
Module Flow

Pen Testing Concepts
Pen Testing Techniques
Pen Testing Phases
Pen Testing Roadmap
Phases of Penetration Testing

Pre-attack Phase
This phase is focused on gathering as much information as possible about the target organization or network to be attacked. This can be non-invasive or invasive.

Attack Phase
The information gathered in the pre-attack phase forms the basis of the attack strategy. Before deciding the attack strategy, the tester may choose to carry out an invasive information gathering process such as scanning.

Post-attack Phase
This is a crucial part of the testing process, as the tester needs to restore the network to its original state. This involves cleanup of testing processes and removal of vulnerabilities created (not those that existed originally), exploits crafted, etc.
Pre-Attack Phase: Define Rules of Engagement (ROE)

ROE gives testers documented authorization that addresses the legal, regulatory, and policy-related restrictions on using different penetration testing tools and techniques

Pre-attack Phase: Define Rules of Engagement (ROE)
Rules of Engagement (ROE) are the guidelines and constraints about the execution of
Pre-Attack Phase: Understand Customer Requirements

Before proceeding with the penetration testing, a pen tester should identify what needs to be tested
- Create a checklist of testing requirements
- Identify the time frame and testing hours
- Identify who will be involved in the reporting and document delivery

Pre-attack Phase: Understand Customer Requirements
Once the ROE is defined for conducting the penetration test, the second step in the pre-attack phase is to clearly understand the customer requirements, i.e., what the customer expects from the penetration test. Before proceeding with the penetration testing, a pen tester should identify what needs to be tested in the target organization. To clearly identify the customer requirements, do the following:
- Create a checklist of testing requirements
- Identify the time frame and testing hours
- Identify who will be involved in the reporting and document delivery

Items to be Tested (mark Yes or No for each item):
Item                    To be tested?
Servers                 Yes / No
Workstations            Yes / No
Routers                 Yes / No
Firewalls               Yes / No
Networking devices      Yes / No
Cabling                 Yes / No
Databases               Yes / No
Applications            Yes / No
Physical security       Yes / No
Telecommunications      Yes / No
Pre-Attack Phase: Create a Checklist of the Testing Requirements

Do you have any security-related policies and standards? If so, do you want us to review them?
What is the IP address configuration for internal and external network connections?
Does the client organization require analysis of its Internet presence?
Does the organization require pen testing of individual hosts?

Pre-attack Phase: Create a Checklist of the Testing Requirements
To collect the penetration test requirements from the customer, ask the customer the following questions. The answers to these questions will help you to define the scope of the test.
- Do you have any security-related policies and standards? If so, do you want us to review them?
- What is the network layout (segments, DMZs, IDS, IPS, etc.)?
- Does the client organization require analysis of its Internet presence?
- Does the organization need a physical security assessment?
- What is the IP address configuration for internal and external network connections?
- Does the organization require pen testing of networking devices such as routers and
Pre-Attack Phase: Create a Checklist of the Testing Requirements (contd)

The following are a few more questions that you should ask the customer to complete the checklist of penetration testing requirements:
- What security controls are deployed across the organization?
- Does the organization require assessment of wireless networks?
- Does the organization require assessment of analog devices in the network?
- Does the organization deploy a mobile workforce? If so, is a mobile security assessment required?
- What are the web applications and services offered by the client?
- Does the organization require the assessment of web infrastructure?
- What workstation and server operating systems are deployed across the organization?
Pre-Attack Phase: Define the Pen-Testing Scope

You should define the scope of your penetration test explicitly and in writing. This will help you to identify what needs to be tested in the target organization, and help to develop the procedure to test each particular component once identified. It also helps you to identify limitations, i.e., what should not be tested. Pen testing components depend on the client's operating environment, threat perception, security and compliance requirements, ROE, and budget. The following are the possible areas of the scope of the penetration test:
- Network Security
- System Software Security
- Client-side Application Security
- Server-side Application Security
- Social Engineering
- Application Communication Security
- Physical Security
- Dumpster Diving
- Inside Accomplices
- Sabotage Intruder Confusion
- Intrusion Detection
- Intrusion Response
Pre-Attack Phase: Sign Penetration Testing Contract

The penetration testing contract must be drafted by a lawyer and signed by the penetration tester and the company
- Objective of the penetration test
- Non-disclosure clause
- Fees and project schedule
- Reporting and responsibilities

Pre-attack Phase: Sign Penetration Testing Contract
Once the requirements and scope of the penetration test are confirmed with the client, you need to sign the contract with the company to conduct the penetration test. This contract must be drafted by a lawyer and duly signed by the penetration tester and the company. The contract should include the following terms and conditions:
- Non-disclosure clause
- Objective of the penetration test
- Fees and project schedule
- Sensitive information
- Confidential information
- Indemnification clause
- Reporting and responsibilities
Pre-Attack Phase: Sign Confidentiality and Non-Disclosure (NDA) Agreements

Pen testers should sign Confidentiality and Non-Disclosure (NDA) Agreements that guarantee that the company's information will be treated confidentially
It also protects testers from legal liabilities in the event of some untoward happening during pen testing
Many documents regarding the pen test contain critical information that could damage one or both parties if improperly disclosed

Pre-attack Phase: Sign Confidentiality and Non-Disclosure (NDA) Agreements
As a pen tester, you will also need to sign Confidentiality and Non-Disclosure (NDA) Agreements to maintain the confidentiality of the company's sensitive information. Many documents and other information regarding the pen test contain critical information that could damage one or both parties if disclosed to other parties. Both parties (pen tester and company) should agree to and duly sign the terms and conditions included in the Confidentiality and Non-Disclosure (NDA) Agreements before conducting the penetration test. The following are the advantages of signing Confidentiality and Non-Disclosure (NDA)

Pre-Attack Phase: Sign Confidentiality and Non-Disclosure (NDA) Agreements (contd)

Both parties bear responsibility to protect tools, techniques, vulnerabilities, and information from disclosure beyond the terms specified by a written agreement
Non-disclosure agreements should be narrowly drawn to protect sensitive information

Pre-attack Phase: Sign Confidentiality and Non-Disclosure (NDA) Agreements (contd)
The Confidentiality and Non-Disclosure Agreements document is a powerful tool. Once you sign the NDA, the company has the right to file a lawsuit against you if you disclose the information to a third party, whether intentionally or unintentionally. The following points should be considered while crafting Confidentiality and Non-Disclosure (NDA) Agreements:
- Both parties should bear responsibility to protect tools, techniques, vulnerabilities, and information from disclosure beyond the terms specified by a written agreement
- Non-disclosure agreements should be narrowly drawn to protect sensitive information. Specific areas to consider include:
  - Ownership
  - Use of the evaluation reports
  - Results; use of the testing methodology in customer documentation
Pre-Attack Phase: Information Gathering

The pre-attack phase addresses the mode of the attack and the goals to be achieved
Reconnaissance is considered the first step in the pre-attack phase, which attempts to collect information about the target
Hackers try to find out as much information as possible about a target
Hackers gather information in different ways that allow them to formulate a plan of attack

Types of Reconnaissance
Passive Reconnaissance: Involves collecting information about a target from publicly accessible sources
Active Reconnaissance: Involves information gathering through social engineering, on-site visits, interviews, and questionnaires

Pre-attack Phase: Information Gathering
The pre-attack phase addresses the mode of the attack and the goals to be achieved. Reconnaissance is considered the first step in the pre-attack phase and is an attempt to locate, gather, identify, and record information about the target. An attacker seeks to find out as much information as possible about the victim. Attackers gather information in different ways that allow them to formulate a plan of attack. There are two types of reconnaissance:

Passive reconnaissance
It comprises the attacker's attempts to scout for or survey potential targets and gather information from publicly accessible sources, such as competitive intelligence gathering, without interacting with the target directly. Social engineering and breaching physical security, which do involve the target, fall under active reconnaissance. Attackers typically spend more time on the pre-attack or reconnaissance activity than on the actual attack. Beginning with passive reconnaissance, the tester gathers as much information as possible about the target company. Much of the leaked information relates to the network topology and the types of services running within. The tester can use this sensitive information to

Active reconnaissance
The perpetrator may send probes to the target in the form of port scans, sweeps, and enumeration of shares, and may use social engineering, employing tools such as scanners and sniffers that automate these tasks. Here, the information gathering process encroaches on the territory of the target network. The footprints that the attacker leaves are larger, and novices can be easily identified.
Pre-Attack Phase: Information Gathering (contd)

The following information is retrieved during the pre-attack phase:
- Competitive intelligence
- Network registration information
- DNS and mail server information
- Operating system information
- User's information
- Authentication credentials information
- Analog connections
- Contact information
- Website information
- Physical and logical location of the organization
- Product range and service offerings of the target company that are available online
- Any other information that has the potential to result in a possible exploitation
Attack Phase

Penetrate Perimeter
Acquire Target
Escalate Privileges
Execute, Implant, Retract

Attack Phase
This stage involves the actual compromise of the target. The attacker may exploit a vulnerability discovered during the pre-attack phase or use security loopholes such as a weak security policy to gain rights to the system. The important point here is that the attacker needs only one port of entry, whereas the organization is left to defend several. Once inside, the attacker may escalate his or her privileges and install a backdoor to sustain access to the system and exploit it in order to achieve his or her malicious intent. During the attack phase, the attacker or pen tester needs to:
- Penetrate the perimeter
- Acquire the target
- Escalate privileges
- Execute, implant, retract
Activity: Perimeter Testing

Testing methods for perimeter security include but are not limited to:
- Evaluating error reporting and error management with ICMP probes
- Evaluating protocol-filtering rules by attempting connections using various protocols such as SSH, FTP, and Telnet
- Measuring the threshold for denial of service by attempting persistent TCP connections, evaluating transitory TCP connections, and attempting to stream UDP connections
- Examining the perimeter security system's response to web server scans using multiple methods such as POST, DELETE, and COPY
- Evaluating the IDS's capability by passing malicious content (such as a malformed URL) and scanning the target variously for its response to abnormal traffic

Activity: Perimeter Testing
Social engineering is an ongoing activity, and information can be acquired at any stage of testing. The tests that can be carried out in this context include (but are not limited to) impersonating or mocking phone calls to capture sensitive information, and verifying gathered information through activities such as dumpster diving. Other means include email testing, trusted person acquisition, and attempts to retrieve legitimate authentication details such as passwords and access privileges. Information gathered here can also be used later in web application testing.

Firewall Testing: The information gained during the pre-attack phase using techniques such as firewalking is further exploited here. Attempts are made to evade the IDS and bypass the firewall. The processes include but are not limited to:
- Crafting and sending packets to check firewall rules. For example, sending SYN packets to test stealth detection. This determines the nature of various packet responses through the firewall. A SYN packet can be used to enumerate the target network. Similarly, other port scans with different flags set can be used to attempt enumeration of the network. This also gives an

Usually, perimeter testing measures the firewall's ability to handle fragmentation: big packet fragments, overlapping fragments, floods of packets, etc. Testing methods for perimeter security include but are not limited to:
- Evaluating error reporting and error management with ICMP probes
- Checking access control lists with crafted packets
- Measuring the threshold for denial of service by attempting persistent TCP connections, evaluating transitory TCP connections, and attempting streaming UDP connections
- Evaluating protocol-filtering rules by attempting connections using various protocols
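The following added example, which is not part of the courseware, covers the two passages that deal with deducing router and firewall filters from scan responses: the host enumeration discussion under "Enumerating Information about Hosts on Publicly Available Networks" and the firewall-testing list above. It encodes the response semantics of a SYN (half-open) probe and an ACK probe and combines the two to say whether a port is open, closed or filtered, and, for filtered ports, whether the device drops silently (stateful firewall or drop rule), passes unsolicited ACKs (stateless filter) or announces itself with an ICMP administratively-prohibited message (explicit reject rule). The probe results are constructed; on an engagement they come from a packet crafter or scanner such as nmap's -sS and -sA scans run against in-scope hosts.

```python
"""Classify perimeter probe responses and infer what the filter is doing (added example)."""

# Constructed probe results: what the scanner saw for each port after one SYN probe and one
# ACK probe. None means no reply within the timeout; 'ICMP3/<code>' is an ICMP destination
# unreachable with that code (13 = communication administratively prohibited).
PROBES = {
    22:   {'SYN': 'SYN/ACK',  'ACK': 'RST'},
    25:   {'SYN': 'RST',      'ACK': 'RST'},
    80:   {'SYN': 'SYN/ACK',  'ACK': 'RST'},
    135:  {'SYN': None,       'ACK': None},
    443:  {'SYN': 'SYN/ACK',  'ACK': 'RST'},
    445:  {'SYN': 'ICMP3/13', 'ACK': 'ICMP3/13'},
    8080: {'SYN': None,       'ACK': 'RST'},
}

# ICMP type 3 codes that mean "a filter rejected this" rather than "no such host/port".
_FILTER_CODES = {1, 2, 3, 9, 10, 13}


def _icmp_code(resp):
    """Return the ICMP type-3 code carried in a response string, or None if it is not ICMP."""
    if isinstance(resp, str) and resp.startswith('ICMP3/'):
        return int(resp.split('/', 1)[1])
    return None


def classify_syn(resp):
    """Half-open scan: SYN/ACK = open, RST = closed, silence or ICMP unreachable = filtered."""
    if resp == 'SYN/ACK':
        return 'open'
    if resp == 'RST':
        return 'closed'
    if resp is None or _icmp_code(resp) in _FILTER_CODES:
        return 'filtered'
    raise ValueError(f'unexpected SYN response: {resp!r}')


def classify_ack(resp):
    """ACK scan: a host answers an unsolicited ACK with RST whether the port is open or not,
    so RST = unfiltered; silence or ICMP unreachable = a filter ate the packet."""
    if resp == 'RST':
        return 'unfiltered'
    if resp is None or _icmp_code(resp) in _FILTER_CODES:
        return 'filtered'
    raise ValueError(f'unexpected ACK response: {resp!r}')


def infer_filter(syn_resp, ack_resp):
    """Combine both probes into (port state, what it says about the filtering device)."""
    syn, ack = classify_syn(syn_resp), classify_ack(ack_resp)
    if syn in ('open', 'closed'):
        return syn, 'traffic to this port passes the filter'
    if _icmp_code(syn_resp) is not None:
        return syn, 'explicit reject rule: the filter announces itself with ICMP unreachable'
    if ack == 'unfiltered':
        return syn, 'stateless filter: SYN is dropped but an unsolicited ACK reaches the host'
    return syn, 'silent drop: stateful firewall or a drop rule with no ICMP error'


def assess(probes):
    """Map every probed port to its inferred (state, note)."""
    return {port: infer_filter(r['SYN'], r['ACK']) for port, r in probes.items()}


def allowed_through(probes):
    """Ports the filter lets through, listener or not: the 'types of traffic allowed in'."""
    return sorted(p for p, (state, _) in assess(probes).items() if state != 'filtered')


if __name__ == '__main__':
    for port, (state, note) in sorted(assess(PROBES).items()):
        print(f'{port:>5}/tcp  {state:<9} {note}')
    print('passes the perimeter:', allowed_through(PROBES))
```

The ICMP branch is the "error reporting and error management" point from the slide: a device that returns administratively-prohibited messages reveals both its existence and the exact rule that fired, which is why hardened perimeters drop silently. The 8080 case is the tell for a stateless ACL that only matches SYN; nmap draws the same conclusion when an ACK scan reports a port unfiltered that a SYN scan reported filtered.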
E n u m
e r a t i n g
D e v i c e s
U flrfW * Itfc u lN k M
C E H
Enumerating Devices

- A device inventory is a collection of network devices together with some relevant information about each device that is recorded in a document
- After the network has been mapped and the business assets identified, the next logical step is to make an inventory of the devices
- A physical check may be conducted additionally to ensure that the enumerated devices have been located

A device inventory is a collection of network devices, together with some relevant information about each device, which is recorded in a document. After the network has been mapped and the business assets identified, the next logical step is to make an inventory of the devices. During the initial stages of the pen test, the devices may be referred to by their identification on the network such as IP address, MAC address, etc. This can be done by pinging all devices on the network or by using device enumeration tools. Later, when there is a physical security check, devices may be cross-checked regarding their location and identity. This step can help to identify unauthorized devices on the network. The other method is to do ping sweeps to detect responses from devices and later correlate the results with the actual inventory. The likely parameters to be captured in an inventory sheet would be:

- Device ID
- Description
- Hostname
- Physical location
- IP address
- MAC address
- Network accessibility
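The correlation step described above, as an added example that is not part of the module: an inventory sheet with the columns listed is loaded and compared against ping-sweep responses, flagging devices that answer but are not on the sheet, known addresses answering with an unexpected MAC, and inventoried devices that did not answer. The inventory rows and the sweep results are constructed for illustration.

```python
"""Cross-check ping-sweep results against a device inventory sheet.

Added example (not from the CEH module). The inventory columns follow the
module's list; the rows and the sweep results below are constructed.
"""
import csv
import io
from dataclasses import dataclass

# Constructed inventory sheet (CSV), one row per enumerated device.
INVENTORY_CSV = """device_id,description,hostname,location,ip,mac,accessibility
D001,Core switch,sw-core-01,Rack A1,10.0.0.1,00:11:22:33:44:01,internal
D002,File server,fs-01,Rack A2,10.0.0.10,00:11:22:33:44:02,internal
D003,Printer,prn-lobby,Lobby,10.0.0.50,00:11:22:33:44:03,internal
D004,IP camera,cam-parking,Parking,10.0.0.60,00:11:22:33:44:04,internal
"""

# Constructed: (ip, mac) pairs as a ping sweep plus ARP lookup would report.
SWEEP_RESULTS = [
    ("10.0.0.1", "00:11:22:33:44:01"),
    ("10.0.0.10", "00-11-22-33-44-02"),  # same device, different MAC notation
    ("10.0.0.77", "de:ad:be:ef:00:01"),  # answers but is not on the sheet
    ("10.0.0.50", "aa:bb:cc:dd:ee:ff"),  # known IP, unexpected hardware address
]


@dataclass(frozen=True)
class Device:
    device_id: str
    description: str
    hostname: str
    location: str
    ip: str
    mac: str
    accessibility: str


def _norm_mac(mac: str) -> str:
    """Normalise a MAC to lowercase colon form so '00-11-..' equals '00:11:..'."""
    return mac.strip().lower().replace("-", ":")


def load_inventory(text: str) -> dict:
    """Parse the inventory sheet into a mapping of IP address -> Device."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(text)):
        dev = Device(
            device_id=row["device_id"].strip(),
            description=row["description"].strip(),
            hostname=row["hostname"].strip(),
            location=row["location"].strip(),
            ip=row["ip"].strip(),
            mac=_norm_mac(row["mac"]),
            accessibility=row["accessibility"].strip(),
        )
        inventory[dev.ip] = dev
    return inventory


def correlate(inventory: dict, sweep: list) -> dict:
    """Compare sweep responses with the inventory.

    confirmed    - device IDs whose IP and MAC both match the sheet
    mac_mismatch - (device ID, expected MAC, observed MAC) for a known IP
                   answering with a different hardware address
    unknown      - responding IPs that are not on the sheet at all
    unreachable  - device IDs on the sheet that did not answer the sweep
    """
    confirmed, mac_mismatch, unknown = [], [], []
    seen_ips = set()
    for ip, mac in sweep:
        seen_ips.add(ip)
        dev = inventory.get(ip)
        if dev is None:
            unknown.append(ip)
        elif dev.mac == _norm_mac(mac):
            confirmed.append(dev.device_id)
        else:
            mac_mismatch.append((dev.device_id, dev.mac, _norm_mac(mac)))
    unreachable = [d.device_id for ip, d in inventory.items() if ip not in seen_ips]
    return {
        "confirmed": confirmed,
        "mac_mismatch": mac_mismatch,
        "unknown": unknown,
        "unreachable": unreachable,
    }


if __name__ == "__main__":
    report = correlate(load_inventory(INVENTORY_CSV), SWEEP_RESULTS)
    for key, items in report.items():
        print(f"{key}: {items}")
```

Entries under unknown and mac_mismatch are the candidates for the physical check the module describes; unreachable entries may simply be powered off, so they are worth a second sweep before being treated as missing.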
Activity: Acquiring Target

Usually, target acquisition refers to all the activities that are undertaken to unearth as much information as possible about a particular machine or system so that it can be used later in the actual process of exploitation. Here, acquiring a target refers to the set of activities undertaken where the tester subjects the targeted machine to more intrusive challenges such as vulnerability scans and security assessment. Testing methods for acquiring a target include but are not limited to:

- Running vulnerability scans: Vulnerability scans are completed in this phase.
- Trusted systems and trusted process assessment: Attempting to access the machine's resources using legitimate information obtained through social engineering or other means.
Activity: Escalating Privileges

When an attacker succeeds in gaining unauthorized access into a system or network, the degree of escalation depends on the various authorizations possessed by the attacker. The ultimate aim of an attacker would be to gain the highest possible administration privilege that gives access to the entire network, sensitive information, online banking, etc. Once the target has been acquired, the tester attempts to exploit the system and gain greater access to the protected resources. Activities include (but are not limited to):

- The tester may take advantage of poor security policies and take advantage of email or unsafe web code to gather information that can lead to the escalation of privileges
- Use of techniques such as brute force to achieve privileged status. Examples of tools include get admin and password crackers
- Use of Trojans and protocol analyzers
- Use of information gleaned through techniques such as social engineering to gain unauthorized access to the privileged resources
Activity: Execute, Implant, and Retract

Compromise System: In this phase, the tester effectively compromises the acquired system by executing arbitrary code. The objective of system penetration is to explore the extent to which the security fails.

Execute Exploits: Execute exploits already available or specially crafted to take advantage of the vulnerabilities identified in the target system.

In this phase, the tester effectively compromises the acquired system by executing arbitrary code. Activities include:

- Executing exploits to take advantage of the vulnerabilities identified on the target system.
- Exploiting buffer overflows in order to trick the system into running arbitrary code.
- Executing activities that are usually subjected to containment measures such as the use of Trojans and rootkits.

Activities in the retract phase include manipulation of audit log files to remove traces of the activities: examples include use of tools such as audit poll. The tester may also change settings within the system to remain inconspicuous during a re-entry and change log settings. The tester may re-enter the system using the backdoor implanted by the tester.
Post-Attack Phase and Activities

This phase is critical to any penetration test as it is the responsibility of the tester to restore the systems to a pre-test state. The objective of the test is to show where security fails, and unless there is a scaling of the penetration test agreement, whereby the tester is assigned the responsibility to correct the security posture of the systems, this phase must be completed. Activities in this phase include (but are not restricted to):

- Removing all files uploaded on the system
- Cleaning all registry entries and removing vulnerabilities created
- Reversing all file and setting manipulations done during the test
- Reversing all changes in privileges and user settings
- Removing all tools and exploits from the tested systems
- Restoring the network to the pre-test stage by removing shares and connections
- Mapping of the network state
- Documenting and capturing all logs registered during the test
- Analyzing all results and presenting them to the organization
The penetration tester should document all his or her activities and record all observations and results so that the test can be repeatable and verifiable for the given security posture of the organization. For the organization to quantify the security risk in business terms, it is essential that the tester should identify critical systems and critical resources and map the threat to these.
Penetration Testing Deliverable Templates

- A pentest report will carry details of the incidents that have occurred during the testing process and the range of activities carried out by the testing team
- Broad areas covered include objectives, observations, activities undertaken, and incidents reported
- The team may also recommend corrective actions based on the rules of the engagement

A pentest report carries details of the incidents that have occurred during the testing process and the range of activities that the testing team carries out. It captures the objectives as agreed upon in the rules of engagement and provides a brief description of the observations from the testing engagement. Under the activities carried out will be all the tests, the devices against which the tests were conducted, and the preliminary observations. These are usually cross-referenced to the appropriate test log entry. Other information that can be captured under incident description can include:

- A detailed description of the incident
- The date and time when the incident occurred
- Contact information for the person who observed the incident
- The stage of testing during which the incident occurred
- A description of the steps taken to create the incident. This can be supplemented by screen captures
- Observations on whether the incident can be repeated or not
Under risk analysis, the impact of the test is captured from a business perspective. The
Module Flow

- Pen Testing Concepts
- Types of Pen Testing
- Pen Testing Techniques
- Pen Testing Phases
- Pen Testing Roadmap

Module Flow: Pen Testing Roadmap

A penetration test is a technique that evaluates or audits the security of a computer system or other facility by launching an attack from a malicious source. It also shows how vulnerable a computer system would be in the event of a real attack. The rules, practices, methods, and procedures implemented and followed during the course of any information security audit program are defined by the pen testing methodology. This methodology gives you a roadmap with proven practices as well as practical ideas that are to be handled with care for assessing the system security correctly. A detailed explanation of the pen testing roadmap is given in the next slides.
Penetration Testing Methodology

- Information Gathering
- Vulnerability Analysis
- External Penetration Testing
- Internal Network Penetration Testing
- Denial of Service Penetration Testing
- Password Cracking Penetration Testing
- Source Code Penetration Testing

The following are the various phases in the penetration testing methodology:

Information Gathering

Information gathering is one of the major steps of penetration testing. It is the first phase in the penetration testing process. It is done using various tools, scanners, online sources, sending simple HTTP requests, specially crafted requests, etc.

Vulnerability Analysis

Vulnerability analysis is a method of identifying vulnerabilities on a network. It provides an overview of the flaws that exist in a system or network.
External Penetration Testing

- DNS Analysis & DNS Bruteforcing
- Port Scanning
- System Fingerprinting
- Services Probing
- Exploit Research
- Manual Vulnerability Testing and Verification of Identified Vulnerabilities
- Intrusion Detection/Prevention System Testing
- Password Service Strength Testing
- Remediation Retest (optional)

The steps in internal network penetration testing are:

- Internal Network Scanning
- Port Scanning
- System Fingerprinting
- Services Probing
- Exploit Research
- Manual Vulnerability Testing and Verification
- Manual Configuration Weakness Testing and Verification
- Limited Application Layer Testing
- Firewall and ACL Testing
- Administrator Privileges Escalation Testing
- Password Strength Testing
- Network Equipment Security Controls Testing
- Database Security Controls Testing
- Internal Network Scan for Known Trojans
- Third-Party/Vendor Security Configuration Testing
effectiveness. Through
against the attacks performed by network intruders.

IDS Penetration Testing

An intrusion detection system (IDS) can be software or hardware. IDS penetration
of the IDS. It can be performed with the help of tools such as IDS informer, an evasion gateway, etc.

networks are cheaper, there are various risks associated with them. A wireless network is less protected than a wired one. Therefore, wireless networks must be tested strictly and the

Denial of Service Penetration Testing

The main purpose of a denial-of-service (DoS) attack is to slow down the website or even to crash it by sending too many requests, more than a particular server can handle. If the attacker knows the details of the server and its technical specifications, it becomes more
alternative way to react to the situation when the limit exceeds.

Password cracking penetration testing identifies the vulnerabilities associated with password management. This helps in avoiding various kinds of malicious attacks such as brute force attacks, hybrid attacks, and dictionary attacks, etc.

Social Engineering Penetration Testing

Social engineering is a method used by attackers to get crucial information of a company. Attackers especially target individuals within the company to get as much information as possible about the company. This is completely
Stolen Laptops, PDAs, and Cell Phones Penetration Testing

The penetration tester should find out the possible loopholes in physical locality and identify the various ways that an intruder can enter into the company. Once the important electronic devices that contain sensitive information of the company are stolen, you can extract information from these stolen devices. Therefore, such penetration testing proves very

application in order to find out vulnerabilities in the application. The pen tester should try to simulate different types of SQL injection attacks to find the possible vulnerabilities.
Penetration Testing Methodology (Contd)

- Database Penetration Testing
- VPN Penetration Testing
- Cloud Penetration Testing
- Virus and Trojan Detection
- File Integrity Checking
- Telecom and Broadband Penetration Testing

surveillance camera:

- The web interface should be completely debugged
- Try to look for the injection points from where the motion images are included remotely
- Validate the image path
- Create the different motion picture recorder and editor in order to validate whether the motion or pictures recorded by the surveillance camera are the same or not

database or indirectly accessing the data through triggers or stored procedures executed by a database engine. This method helps in avoiding unauthorized access of data.
VoIP Penetration Testing

In VoIP penetration testing, access to the VoIP network is attempted to record the conversations, and even a DoS attack may also be used to find out the company's security policies.

situations, there
lot of security
associated
So the
penetration

War Dialing

Dial-up modems used by the companies have various vulnerabilities. These allow

Virus and Trojan Detection

Viruses and Trojans are the most widespread malicious software today. Once on the system and networks, these are very dangerous. Early detection of viruses and Trojans is very important.
File Integrity Checking

Checking the integrity of a file is the best way to tell whether it is corrupted or not. It involves checking the following things:

- File size
- Version
- When it was created
- When it was modified
- The login name of any user who modifies the file
- Its attributes (e.g., Read-Only, Hidden, System, etc.)
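A baseline-and-compare integrity check over the fields just listed, as an added example that is not from the module. It records size, creation and modification time, owner login name and attributes, and adds a SHA-256 digest (serving as the content "version"), because an edit made in place can keep the size and even the timestamps unchanged; the files it checks are constructed in a temporary directory, and "hidden" is taken from the Unix dot-file convention, an assumption of this example.

```python
"""Baseline-and-compare file integrity check (added example, not CEH code).

Records the fields the module lists plus a SHA-256 digest, then diffs two
baselines. Constructed files in a temporary directory stand in for a real
file system; on Linux, stat() has no creation time, so st_ctime is used there.
"""
import hashlib
import stat
import tempfile
from pathlib import Path


def _owner_name(st) -> str:
    """Login name of the owner; numeric uid where pwd is unavailable (Windows)."""
    try:
        import pwd
        return pwd.getpwuid(st.st_uid).pw_name
    except (ImportError, KeyError):
        return str(st.st_uid)


def _attributes(path: Path, st) -> str:
    """Attribute flags in the spirit of Read-Only / Hidden (assumed conventions)."""
    flags = []
    if not st.st_mode & stat.S_IWUSR:
        flags.append("read-only")
    if path.name.startswith("."):
        flags.append("hidden")
    return ",".join(flags) or "none"


def snapshot_file(path: Path) -> dict:
    """Collect the integrity fields for one file."""
    st = path.stat()
    return {
        "size": st.st_size,
        # st_birthtime exists on BSD/macOS and recent Python on Windows;
        # elsewhere st_ctime (inode change time) is the closest available.
        "created": getattr(st, "st_birthtime", st.st_ctime),
        "modified": st.st_mtime,
        "owner": _owner_name(st),
        "attributes": _attributes(path, st),
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),  # the "version"
    }


def baseline(root: Path) -> dict:
    """Snapshot every regular file under root, keyed by relative POSIX path."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): snapshot_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(old: dict, new: dict) -> dict:
    """Diff two baselines: files added, removed, and fields changed per file."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for name in sorted(set(old) & set(new)):
        diffs = [f for f in old[name] if old[name][f] != new[name][f]]
        if diffs:
            changed[name] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo(root: Path) -> dict:
    """Constructed scenario: baseline, tamper in place, re-check."""
    root = Path(root)
    (root / "config.ini").write_text("debug=0\n")
    (root / "old.log").write_text("entry\n")
    before = baseline(root)
    (root / "config.ini").write_text("debug=1\n")  # same size, new content
    (root / "old.log").unlink()                     # file removed
    (root / "unknown.bin").write_bytes(b"\x7fELF")  # unexpected new file
    return compare(before, baseline(root))


def run_demo() -> dict:
    """Run the scenario in a throwaway directory and return the diff."""
    with tempfile.TemporaryDirectory() as d:
        return demo(Path(d))


if __name__ == "__main__":
    print(run_demo())
```

The digest is what catches the config.ini edit: its size is unchanged, so a check limited to the listed metadata fields could report it as intact.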
engineering, uploading malicious code, etc. Mobile device penetration testing pinpoints and addresses gaps in end-user awareness and security exposures in these devices before attackers actually misuse and compromise them.

attacks.
Poorly designed
security patches
vulnerability so
testing them helps in resolving such issues.
fraud
attacks
business-critical
penetration
tester tries to find the vulnerabilities in the
attacks, and then checks whether he or she is able to break into the SAP platform.
Application Security Assessment

Application security assessment is an in-depth analysis of applications to identify and assess security vulnerabilities that can expose the organization's sensitive information. This test checks the application so that a malicious user cannot access, modify, or destroy data or services within the system.

Application security assessment is done by a security professional to identify security vulnerabilities and significant issues. Application security assessment involves:

- Inspection of application validation and bounds checking for both accidental and mischievous input.
- Manipulation of client-side code and locally stored information such as session information and configuration files.
- Examination of application-to-application interaction between system components such as the web service and back-end data sources.
- Discovery of opportunities that could be utilized by an attacker to escalate their permissions.
- Examination of event logging functionality.
- Examination of authentication methods in use for their robustness and resilience to

Even in a well-deployed and secured infrastructure, a weak application can expose the
Web Application Testing

This test phase can be carried out as the tester proceeds to acquire the target.

Input validation: Tests include OS command injection, script injection, SQL injection, LDAP injection, and cross-site scripting.

Output sanitization: Tests include parsing special characters and verifying error checking in the application.

Access control: The tester checks access to administrative interfaces, transfers data for manipulating form fields, checks URL query strings, changes the values of client-side script, and attacks cookies. Other tests include checking for authorization breaches, enumerating assets accessible through the application, lapses in event handling sequences, proxy handling, and compliance with the least privilege access rule.
Web Application Testing - II

Checking for buffer overflows: Tests include attacks against stack overflows, heap overflows, and format string overflows.

Denial-of-service: Test for DoS induced by malformed user input, user lockout, and application lockout due to traffic overload, transaction requests, or excessive requests on the application.

Component checking: Check for security controls on web server/application components that might expose the web application to vulnerabilities, such as basic authentication.

Data and error checking: Check for data-related security lapses such as storage of sensitive data in the cache or input of sensitive data using HTML. Check for verbose error messages that give away more

SQL injection techniques: SQL injection may be attempted against web applications to gain access to the target system.
Web Application Testing - III

Confidentiality Check: For applications using secure protocols and encryption, check for lapses in the key exchange mechanism, adequate key length, and weak algorithms.

Session Management: It checks time validity of session tokens, length of tokens, expiration of session tokens while transiting from SSL to non-SSL resources, presence of any session tokens in the browser history or cache, and randomness of session ID (check for use of user data in generating the ID).

Configuration Verification: It attempts to manipulate resources using HTTP methods such as DELETE and PUT, checks for version content availability and any visible restricted source code in public domains, attempts directory and file listing, and tests for known vulnerabilities and accessibility of administrative interfaces in servers and server components.

user enumeration through login or a recovery process. Check digital
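Several of the session management items above (token length, expiry, exposure to non-SSL resources, user data inside the ID, randomness) can be checked offline from captured Set-Cookie headers and a sample of issued tokens. The following added example, not part of the module, does that over constructed headers and token samples; the user data it searches for is supplied by the tester.

```python
"""Offline checks for the session-management items the module lists.

Added example, not the module's own material. The Set-Cookie headers and the
token samples are constructed; the user data to search for is supplied by
the tester.
"""
import base64
import binascii
import math
import os
import urllib.parse


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def token_views(token: str) -> set:
    """The token as sent plus its URL-decoded and base64-decoded forms."""
    views = {token, urllib.parse.unquote(token)}
    padded = token + "=" * (-len(token) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            views.add(decoder(padded).decode("utf-8", "ignore"))
        except (binascii.Error, ValueError):
            pass
    return views


def entropy_bits(token: str) -> float:
    """Shannon entropy of the token's own character distribution, in bits.

    A crude estimate: a token built from a counter or timestamp scores low
    even when it is long, which is what the randomness check needs to catch.
    """
    n = len(token)
    counts = {}
    for ch in token:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values()) * n


def check_session_cookie(header: str, user_data, min_len: int = 16) -> list:
    """Findings for one Set-Cookie header against the module's checklist."""
    findings = []
    _name, value, attrs = parse_set_cookie(header)
    if "max-age" not in attrs and "expires" not in attrs:
        findings.append("no expiry: time validity of the token is not bounded")
    if len(value) < min_len:
        findings.append(f"token too short: {len(value)} chars")
    if "secure" not in attrs:
        findings.append("missing Secure: token will be sent to non-SSL resources")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: token readable by client-side script")
    views = [v.lower() for v in token_views(value)]
    for item in user_data:
        if any(item.lower() in v for v in views):
            findings.append(f"token embeds user data: {item}")
    return findings


def check_token_randomness(tokens, min_bits: float = 64.0) -> list:
    """Findings over a sample of session IDs issued by the application."""
    findings = []
    worst = min(entropy_bits(t) for t in tokens)
    if worst < min_bits:
        findings.append(f"low entropy: weakest token estimates {worst:.1f} bits")
    prefix = os.path.commonprefix(list(tokens))
    if len(prefix) > len(min(tokens, key=len)) // 2:
        findings.append(f"predictable: tokens share the prefix {prefix!r}")
    return findings


# Constructed samples: a weak cookie whose ID is just the user and a
# timestamp in base64, and a stronger one with the attributes set.
WEAK_COOKIE = (
    "SESSIONID=" + base64.b64encode(b"alice@example.com:1700000000").decode()
    + "; Path=/"
)
STRONG_COOKIE = (
    "SESSIONID=Zq7vN2xLp9Kd4RbT8mWc3YfH6sJaU1eG; Path=/; Secure; HttpOnly; Max-Age=1800"
)
SEQUENTIAL_TOKENS = ["sess-00000001", "sess-00000002", "sess-00000003"]
RANDOM_TOKENS = [
    "Zq7vN2xLp9Kd4RbT8mWc3YfH6sJaU1eG",
    "m4XtQ8bVz1CnF6pLw2RkS9yHd5GjE3aT",
    "P7cR3nWq9vKm2xJt6bLy4sZf8dHg1aEu",
]

if __name__ == "__main__":
    print(check_session_cookie(WEAK_COOKIE, ["alice@example.com"]))
    print(check_token_randomness(SEQUENTIAL_TOKENS))
```

The entropy estimate only looks at a token's own characters, so a long token from a poor generator can still pass it; a real assessment also compares many tokens issued over time.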
Network Security Assessment

- It scans the network environment for identifying vulnerabilities and helps to improve an enterprise's security policy
- It uncovers network security faults that can lead to data or equipment being exploited or destroyed by Trojans, denial-of-service attacks, and other intrusions
- It ensures that the security implementation actually provides the protection that the enterprise requires when any attack takes place on a network, generally by "exploiting" a vulnerability of the system
- It is performed by a team attempting to break into the network or servers
ir e le s s /R e m o te
A c c e s s c
UrtM
A s s e s s m e n t
E H
ItbKJl N M hM
W ireless/R em ote Access assessment involves assessing risks associated w ith wireless/cellular networks, VPN systems, and m obile devices
^ e le s s T e * ,^
L i 11 1
Bluetooth
8 0 2 .1 1 a ,b a n d g
GHz signals
W ir e le s s n e t w o r k s
W ir e le s s r a d io t r a n s m is s io n s
Radio c o m m u n i c a t i o n c h a n n e ls
W ' ------- ^
i r e l e s s / R e m o t e
A c c e s s
A s s e s s m e n t
W i r e l e s s / r e m o t e a c c e s s a s s e s s m e n t a d d r e s s e s t h e s e c u r i ty risks a s s o c i a te d w ith a n
i n c r e a s i n g m o b i l e w o r k f o r c e . W i r e l e s s n e t w o r k i n g h a s v a r i o u s b e n e f i t s a s w ell a s s e c u r i t y risks. A s s e s s m e n t includes te s tin g t h e follow ing things: 9 9 9 9 9 9 B luetooth 8 0 2 . 1 1 a ;b a n d g W ireless n etw o rk s Radio c o m m u n ic a t io n c h a n n e ls W ireless radio tran sm issio n s GHz signals
Wireless Testing
Methods for wireless testing include but are not limited to:
Check if the access point's default Service Set Identifier (SSID) is easily available. Test for "broadcast SSID" and accessibility to the LAN through this. Tests can include recovering a non-broadcast SSID with tools like Kismet (which learns it passively from probe and association frames) or brute forcing the SSID character string.
Check for vulnerabilities in accessing the WLAN through the wireless router, access point, or gateway. This can include verifying whether Wired Equivalent Privacy (WEP) is still in use and whether its key, default or otherwise, can be recovered from captured traffic.
Audit the broadcast beacon of every access point and check all protocols available on the access points. Check if Layer 2 switched networks are being used instead of hubs for access point connectivity.
Subject authentication to playback (replay) of previous authentications in order to check for privilege escalation and unauthorized access.
Wireless Testing
A wireless network can be attacked in multiple ways, and conducting a penetration test here is a more difficult process than on a wired network. To launch the attack against
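The beacon-level checks listed above (SSID broadcast, vendor default SSID, WEP versus WPA/WPA2) can be scripted against captured beacon frames. The following is an added example, not part of the original module or of any tool it names: it parses minimal 802.11 beacon frames built inline as sample data (the BSSIDs, SSIDs and the DEFAULT_SSIDS list are assumptions) and reports which checks each access point fails. Only the SSID, RSN and WPA vendor elements and the capability privacy bit are examined.

```python
import struct

# 802.11 information element IDs and constants used below
IE_SSID, IE_RSN, IE_VENDOR = 0, 48, 221
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"          # Microsoft OUI, type 1 = WPA (pre-RSN)
CAP_PRIVACY = 0x0010                        # capability bit 4: WEP or WPA/WPA2 in use
# Assumed list of vendor default SSIDs for the "default SSID" check (hypothetical, extend as needed)
DEFAULT_SSIDS = {b"default", b"linksys", b"NETGEAR", b"dlink"}


def build_beacon(bssid: bytes, ssid: bytes, privacy: bool, rsn=False, wpa=False) -> bytes:
    """Construct a minimal beacon frame (sample data, not captured from a real network)."""
    fc = b"\x80\x00"                        # frame control: management type, beacon subtype
    header = fc + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"   # 24-byte MAC header
    capability = 0x0001 | (CAP_PRIVACY if privacy else 0)       # ESS plus optional privacy bit
    fixed = struct.pack("<QHH", 0, 100, capability)             # timestamp, interval, capability
    ies = bytes([IE_SSID, len(ssid)]) + ssid
    if rsn:
        ies += bytes([IE_RSN, 2]) + b"\x01\x00"                 # RSN IE, version 1 (body truncated)
    if wpa:
        ies += bytes([IE_VENDOR, 6]) + WPA_OUI_TYPE + b"\x01\x00"
    return header + fixed + ies


def parse_beacon(frame: bytes) -> dict:
    """Extract BSSID, SSID, hidden flag and advertised security mode from a beacon frame."""
    fc, = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 3 != 0 or (fc >> 4) & 0xF != 8:
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])           # addr3 carries the BSSID
    _ts, _interval, capability = struct.unpack_from("<QHH", frame, 24)
    ssid, rsn, wpa, pos = None, False, False, 36
    while pos + 2 <= len(frame):                                  # walk the tagged parameters
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if eid == IE_SSID:
            ssid = body
        elif eid == IE_RSN:
            rsn = True
        elif eid == IE_VENDOR and body[:4] == WPA_OUI_TYPE:
            wpa = True
        pos += 2 + elen
    privacy = bool(capability & CAP_PRIVACY)
    if not privacy:
        security = "OPEN"
    elif rsn:
        security = "WPA2/RSN"
    elif wpa:
        security = "WPA"
    else:
        security = "WEP"                     # privacy bit set but no WPA/RSN element present
    hidden = ssid is not None and (len(ssid) == 0 or set(ssid) == {0})
    return {"bssid": bssid, "ssid": ssid, "hidden": hidden, "security": security}


def audit_beacons(frames) -> list:
    """Return (bssid, security, issues) per access point, matching the checks listed above."""
    findings = []
    for frame in frames:
        ap = parse_beacon(frame)
        issues = []
        if ap["security"] in ("OPEN", "WEP"):
            issues.append(f"{ap['security']} encryption")
        if not ap["hidden"]:
            issues.append("SSID broadcast")
        if ap["ssid"] in DEFAULT_SSIDS:
            issues.append("vendor default SSID")
        findings.append((ap["bssid"], ap["security"], issues))
    return findings


# Constructed sample beacons (assumed locally administered MAC addresses)
SAMPLE_FRAMES = [
    build_beacon(b"\x02\x00\x00\x00\x00\x01", b"linksys", privacy=True),      # WEP, default SSID
    build_beacon(b"\x02\x00\x00\x00\x00\x02", b"", privacy=True, rsn=True),    # hidden SSID, WPA2
    build_beacon(b"\x02\x00\x00\x00\x00\x03", b"guest", privacy=False),        # open network
]

if __name__ == "__main__":
    for bssid, security, issues in audit_beacons(SAMPLE_FRAMES):
        print(bssid, security, "; ".join(issues) or "no issues")
```

A real audit would feed it frames captured on a monitor-mode interface rather than the constructed samples. Note that "SSID broadcast" is reported for completeness only: hiding the SSID is not a security control, since probe responses and association requests still carry the name the beacon omits, which is exactly how Kismet recovers it.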
Telephony Security Assessment
A telephony security assessment is performed to identify vulnerabilities in corporate voice technologies that might result in toll fraud, eavesdropping on calls, unauthorized access to voicemail systems, DoS attack, etc.
Telephony Security Assessment
The main objective of a telephony assessment is to identify exposure to:
Toll fraud
Eavesdropping on telephone calls
Unauthorized access to voicemail systems
This assessment addresses the security concerns relating to corporate voice technologies. It includes abuse of PBXs by outsiders to route calls at the target's expense, mailbox security, voice over IP (VoIP) integration, unauthorized
Social Engineering
Social engineering refers to the method of influencing and persuading people to reveal sensitive information in order to perform some malicious action. You can use this to gather confidential information, authorization details, and access details by deceiving and
engineered" by strangers. Some examples of social engineering include unwittingly answering the questions of strangers, replying to spam emails, and bragging in front of co-workers. Most often, people are not even aware of a security lapse on their part. The possibility is that they divulge information to a potential attacker inadvertently. Attackers take special interest in developing social engineering skills, and are so proficient that their victims don't even realize that they have been scammed. Despite an organization having security policies, it can be compromised because social engineering attacks target people's willingness to be helpful in order to launch the attack. Attackers always look for new ways to gather information; they make sure they know the people on the perimeter (security guards, receptionists, and help desk workers) in order to exploit human oversight. People have been conditioned not to be overly suspicious; they associate certain behavior and appearances with known entities.
Testing Network-Filtering Devices
Penetration testing is a method of evaluating the security of an information system or network by simulating an attack to find out vulnerabilities that an attacker could exploit. Testing involves active analysis of system configurations, design weaknesses, network architecture, technical flaws, and vulnerabilities.
Black box testing simulates an attack from someone who has no prior knowledge of the system, and white box testing simulates an attack from someone who has complete knowledge about the system.
Testing Network-Filtering Devices
There are various ways to configure network-filtering devices. In some instances they may be too lax, letting malicious traffic through, while in others they may be so strict that they block legitimate traffic. The objective of the pen test team would be to ascertain that only legitimate traffic flows through the filtering device. However, if multiple filters are used, as in a DMZ configuration that uses two firewalls, each filter has to be tested to make sure that it has been configured in the correct way. It is a fact, however, that even the most restrictive firewall cannot prevent network intrusion when the intrusion is initiated from within the organization. Most firewalls have the ability to log all activities. But if the logs are unmonitored over a period of time, they may hinder the
by checking the logs and ensuring that the logging activity does not interfere with the firewall's primary activity. Proxy servers may be subjected to tests to determine their ability to filter out unwanted packets. The pen testers may recommend the use of a load balancer if the traffic load seems to be affecting the filtering capabilities of the devices. Testing for default installations of the firewall can be done to ensure that default user IDs and passwords have been disabled or changed. Testers can also check for any remote login
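The objective stated above, that only legitimate traffic crosses each filter in a two-firewall DMZ, can be turned into a repeatable policy test. The following is an added example (not code from the module): it models two filters with first-match rules and an implicit deny, uses assumed addresses from documentation ranges, and checks them against a table of flows the client agreed should or should not pass. The outer rule set contains a deliberate mistake so the harness has something to find.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # destination port, None = any


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    name: str
    protects: Tuple[str, ...]   # networks that sit behind this filter
    rules: Tuple[Rule, ...]


def _in_net(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.proto in ("any", flow.proto)
            and _in_net(rule.src, flow.src)
            and _in_net(rule.dst, flow.dst)
            and rule.dport in (None, flow.dport))


def evaluate(rules, flow: Flow) -> str:
    """First matching rule wins; no match means the implicit default deny."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"


def evaluate_path(filters: List[Filter], flow: Flow) -> str:
    """A flow crosses a filter only when it enters the networks that filter protects;
    it must be allowed by every filter it crosses (outer and inner DMZ firewall)."""
    for f in filters:
        crosses = (any(_in_net(n, flow.dst) for n in f.protects)
                   and not any(_in_net(n, flow.src) for n in f.protects))
        if crosses and evaluate(f.rules, flow) == "deny":
            return f"deny@{f.name}"
    return "allow"


def run_cases(filters, cases) -> list:
    """Return (flow, expected, actual) for every case whose verdict differs from the agreed policy."""
    failures = []
    for flow, expected in cases:
        actual = evaluate_path(filters, flow)
        if (actual == "allow") != (expected == "allow"):
            failures.append((flow, expected, actual))
    return failures


# Constructed DMZ policy (assumed addresses); the outer filter has a deliberate mistake
OUTER = Filter("outer", ("203.0.113.0/24", "10.0.0.0/8"), (
    Rule("allow", "tcp", "any", "203.0.113.10/32", 443),      # public web front end
    Rule("allow", "tcp", "any", "203.0.113.10/32", 22),       # mistake: SSH exposed to the Internet
    Rule("deny", "any", "any", "any", None),
))
INNER = Filter("inner", ("10.0.0.0/8",), (
    Rule("allow", "tcp", "203.0.113.10/32", "10.0.0.5/32", 5432),   # only the web host reaches the DB
    Rule("deny", "any", "any", "any", None),
))
DMZ = [OUTER, INNER]

# Agreed policy: what should and should not get through
CASES = [
    (Flow("tcp", "198.51.100.7", "203.0.113.10", 443), "allow"),
    (Flow("tcp", "198.51.100.7", "203.0.113.10", 22), "deny"),
    (Flow("tcp", "203.0.113.10", "10.0.0.5", 5432), "allow"),
    (Flow("tcp", "198.51.100.7", "10.0.0.5", 5432), "deny"),
]

if __name__ == "__main__":
    for flow, expected, actual in run_cases(DMZ, CASES):
        print(f"MISMATCH {flow}: expected {expected}, got {actual}")
```

Run as-is it reports the one mismatch: SSH from the Internet to the web host is allowed by the outer filter when the agreed policy says it must be denied. In an engagement the CASES table is derived from the rules of engagement and the expected verdicts are then confirmed on the live devices with probes, which is what makes the test useful: the model says what should happen, the probe says what does.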
Denial-of-Service Simulation
These tests are meant to check the effectiveness of anti-DoS devices.
Some online services can be used to simulate DoS attacks for a nominal charge.
Denial-of-Service Emulation
There are two classes of DoS: magic packet attacks and resource-exhaustion attacks. Magic packet attacks usually take advantage of an existing vulnerability in the OS or application to cause a grossly abnormal response, excessive CPU utilization, or a full system crash by sending one or a few particular packets; examples are WinNuke and Ping of Death. Resource-exhaustion attacks do not rely entirely on vulnerabilities; instead they consume the available computer resources. A resource-exhaustion DoS attack is implemented by intentionally driving resource utilization to its maximum and thereby stealing those resources from legitimate users. While small DoS attacks can be duplicated by running DoS from one machine connected to the target network, large tests that seek to duplicate DoS attacks may need to utilize many machines and large amounts of network bandwidth. These may prove to be time consuming and resource intensive as well. Instead of deploying several generic servers, hardware devices may be used to create large volumes of network traffic. They can also come with attack/testing modules that are designed to emulate the most common DoS attacks. Simulating hacker attacks can include spoofing the DoS source address to that of a router or device on the network itself so that, if the IDS is triggered, the network cuts itself off and the attacker's objective is achieved. Another option is to emulate the DoS from an online site and route the traffic over the Internet to
There are several tools available to simulate denial-of-service attack and assess the
Module Flow
Pen testing results can be effective when the test is performed by a skilled pen tester. Hiring a highly skilled professional on a permanent basis may be a huge investment; therefore, most companies prefer outsourcing their pen testing services. Outsourcing the pen testing can increase the frequency, scope, and consistency of its security evaluations.
Pen Testing Concepts
Pen Testing Techniques
Pen Testing Phases
Pen Testing Roadmap
A detailed explanation of outsourcing penetration testing services is given on the next slides.
To get the network audited by an external agency to acquire an intruder's point of view. The organization may require a specific security assessment and suggested corrective measures.
Professional liability insurance pays for settlements or judgments for which pen testers become liable as a result of their actions, or failure to perform professional services.
Outsourcing Penetration Testing Services
The organization may require a specific security assessment and suggested corrective measures. Alternatively, the organization may choose to get its network audited by an external agency to acquire an intruder's point of view. The need to outsource may also be due to insufficient staff time and resources. The baseline audit may require an ongoing external assessment, or the organization may want to build customer and partner confidence. From an organization's perspective, it would be prudent to appoint a cutout. A cutout is a company's in-house monitor over the course of the test. This person will be fully aware of how the test will be conducted, the time frame involved, and the comprehensive nature of the test. The cutout will also be able to intervene during the test to save both pen testers and crucial production systems from unacceptable damage.
Underwriting Penetration Testing
There is an inherent risk involved in undertaking a penetration test. Most organizations would like to know if the penetration testing organization has professional liability
other related expenditures involved in investigation, and this also includes the expenditure of the settlement process. From a pen tester's professional perspective, professional liability insurance is also known as malpractice insurance or E&O insurance for professional service providers.
against any of its production systems after it agrees upon explicitly stated rules of engagement.
It must state the terms of reference under which the agency can interact with the organization.
Terms of Engagement
Source: http://seclists.org
Terms of engagement are essential to protect both the organization's interests and the pen tester's liabilities. The terms lay down clearly defined guidelines within which the testers can test the systems. They can specify the desired code of conduct, the procedures to be followed, and the nature of interaction between the testers and the organization. It is prudent for an organization to sanction a penetration test against any of its production systems only after it agrees upon explicitly stated rules of engagement. This contract agreed upon with the pen test agency must state the terms of reference under which the agency can interact with the organization. For instance, if the pen test agency is undertaking network mapping, the rules of engagement may read as follows: "The pen test agency can obtain much of the required information regarding the site's general network profile, such as IP address ranges, telephone number ranges, and other Internet registration information about the site's services. Web and network architecture can be obtained through the use of domain name server (DNS) queries, ping sweeps, port scans, and connection route tracing. Informal inquiries, not related to
Project Scope
Determining the scope of the pen test is essential to decide if the test is a targeted test or a comprehensive test.
Comprehensive assessments are coordinated efforts by the pen test agency to uncover as many vulnerabilities as possible throughout the organization.
Determining the scope of the pen test is essential to decide if the test is a targeted test or a comprehensive test. One of the factors that has a significant effect on the effort estimation and cost component of the penetration test is whether or not the pen test agency can undertake a zero-knowledge test or a partial-knowledge test. Providing even partial knowledge to the pen testers results in time and cost savings. The
Remote access technologies such as dial-in modems, wireless, and VPN
Perimeter defenses of Internet-connected systems
Security of web applications and database applications
Vulnerability to denial-of-service attacks
networked infrastructure.
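The rules of engagement above name the IP ranges and registration data the agency may probe, and the scope section fixes which systems are targeted. Before any ping sweep or port scan runs, the discovered target list should be checked against that agreement, since traceroutes and DNS enumeration routinely surface hosts belonging to third parties. The following is an added example (not the module's code; the networks, domain and excluded host are assumptions) that classifies candidate targets as in-scope, excluded, or out-of-scope.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class EngagementScope:
    """What the signed rules of engagement permit; filled in before testing starts."""
    networks: List[str]                                       # CIDR ranges the client owns and has authorised
    domains: List[str]                                        # DNS suffixes that may be enumerated
    excluded_hosts: List[str] = field(default_factory=list)   # production systems carved out of scope


def _ip_in(addr, nets) -> bool:
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def target_status(target: str, scope: EngagementScope) -> str:
    """Classify one candidate target as in-scope, excluded, or out-of-scope."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:                                        # not an IP literal: treat as a hostname
        host = target.lower().rstrip(".")
        if any(host == d or host.endswith("." + d) for d in scope.domains):
            return "in-scope"
        return "out-of-scope"                                 # note: example.com.evil.net does not match
    if _ip_in(addr, scope.excluded_hosts):                    # exclusions win over the authorised ranges
        return "excluded"
    return "in-scope" if _ip_in(addr, scope.networks) else "out-of-scope"


def filter_targets(targets, scope: EngagementScope) -> Tuple[list, list]:
    """Split a discovered target list into what may be scanned and what must be reported, not touched."""
    allowed, blocked = [], []
    for t in targets:
        (allowed if target_status(t, scope) == "in-scope" else blocked).append(t)
    return allowed, blocked


# Constructed engagement (assumed documentation ranges and an example domain)
SCOPE = EngagementScope(
    networks=["203.0.113.0/24"],
    domains=["example.com"],
    excluded_hosts=["203.0.113.50/32"],                       # e.g. a payment gateway the client ring-fenced
)

# Constructed discovery output: what a route trace and DNS enumeration might have turned up
TARGETS = ["203.0.113.10", "203.0.113.50", "198.51.100.7", "mail.example.com",
           "example.com", "example.com.evil.net", "www.example.org"]

if __name__ == "__main__":
    allowed, blocked = filter_targets(TARGETS, SCOPE)
    print("scan:", allowed)
    print("do not touch:", blocked)
```

Anything that lands in the blocked list goes into the report as discovered-but-out-of-scope, or back to the cutout for a scope amendment; it is never scanned on the tester's own judgement.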
Pen Test Service Level Agreements
SLAs define the minimum levels of availability from the testers and determine what actions will be taken in the event of serious disruption.
The contract that describes the terms of service that an outsourcer provides is known as a Service Level Agreement (SLA). SLAs should match the testing
they get back on track quickly. Many organizations also ask for referrals and examples of SLAs the agency has used with other customers who had similar testing needs. The organization may want to verify the metrics used and the quality of the results achieved to assess the ability of the pen-test team to meet its requirements. From a pen tester's perspective, it may be difficult to provide examples of real-world SLAs because they are considered confidential business information, similar to other contract terms. The bottom line is that SLAs define the minimum levels of availability from the testers and determine what actions can be taken in the event of serious disruption. Normally, the contract covers such issues as compensation, warranties and remedies, resolution of disputes, and legal compliance. It basically frames the relationship and the major responsibilities, both during normal testing and in an emergency.
A proficient pen tester should possess experience in different IT fields such as software development, systems administration, and consultancy.
Each area of the network must be examined in depth.
Penetration testing skills cannot be obtained without years of experience in IT fields, such as development, systems administration, or consultancy.
Module Summary
A pen test simulates methods that intruders use to gain unauthorized access to an organization's networked systems and then compromise them.
Penetration testing assesses the security model of the organization as a whole and reveals potential consequences of a real attacker breaking into the network.
Internal testing involves testing computers and devices within the company; it will be performed from a number of network access points, representing each logical and physical segment.
Pen testing test components depend on the client's operating environment, threat perception, security and compliance requirements, ROE, and budget.
The penetration testing contract must be drafted by a lawyer and signed by the penetration tester and the company.
Security assessment categories are security audits, vulnerability assessments, and penetration testing.