PENTEST WORKPLAN

IT DEPARTMENT
We have been tasked with checking for vulnerabilities on servers

The company currently does not have best practices on IT

security on its servers, so these tests are not meant to in any
way replace an official certification test but rather serve as a
reference for the IT team.

BACKGROUND
Penetration testing execution standard consists of seven (7)
main sections. These cover everything related to a penetration
test - from the initial communication and reasoning behind a
pentest, through the intelligence gathering and threat modeling
phases where testers are working behind the scenes in order to
get a better understanding of the tested organization, through
vulnerability research, exploitation and post exploitation,
where the technical security expertise of the testers come to
play and combine with the business understanding of the
engagement, and finally to the reporting, which captures the
entire process, in a manner that makes sense and provides the
most value to it.

Following are the main sections defined by the standard as the

basis for penetration testing execution:

 Pre-engagement Interactions
 Intelligence Gathering
 Threat Modeling
 Vulnerability Analysis
 Exploitation
 Post Exploitation
 Reporting

Since this is an in-house test and there are time limitations,

steps required for social engineering and intelligence gathering
will not be executed.

SCOPE OF PENTEST

Information gathering and vulnerability analysis:

We will use and test vulnerability and information gathering
tools against server xx.xx.xx.x since this is the main server
and has a more robust architecture as compared to yy.yy.yy.yy.

Web Application Analysis and Database assessment:

Web application and Database exploits will be applied to server
yy.yy.yy.yy, being the fail over server, risk of failure will
not actively affect users.

TYPE OF PENTESTS
We will run tools and technology that will allow us to execute
the following, but not limited to, types of attacks.

• Denial of Service (DoS)

• Cross Site Scripting (XSS)
• Authentication Bypass
• Directory Traversal
• Session Management
• SQL injection
• Database Attacks
• Password Attacks
• Firewall/Router Attacks
• Operating System Attacks

TOOLS & OS’s

We will multiple tools from the following OS’s / frameworks:

Parrot Security OS:

Parrot Security OS (or ParrotSec) is a Linux distribution based
on Debian with a focus on computer security. [1] It is designed
for penetration testing, vulnerability assessment and
mitigation, computer forensics and anonymous web browsing. It is
developed by the Frozenbox Team.

Kali Linux:
Kali Linux is a Debian-derived Linux distribution designed for
digital forensics and penetration testing. It is maintained and
funded by Offensive Security Ltd.

PentestBox:
Is a tool that allows security software packages to be run
natively from windows without using virtual machine or dualboot
environments in windows.
Blackarch:
BlackArch Linux is an Arch-derived Linux distribution designed
for penetration testing and security research. It may be used as
a standalone live CD or live USB, run from a virtual machine, or
be installed to a computer's hard disk.

OS TOOLS

Blackarch Linux: https://blackarch.org/tools.html

Kali Linux: https://tools.kali.org/tools-listing
PentestBox: https://tools.pentestbox.org/

SPECIFIC TOOLS - INFORMATION GATHERING

Golismero: is an open source framework for security testing.

It’s currently geared towards web security, but it can easily be
expanded to other kinds of scans.

DMitry: gathers as much information as possible about a host.

Base functionality can gather possible subdomains, email
addresses, uptime information, tcp port scan, whois lookups, and
more.

Maltego: is a unique platform developed to deliver a clear

threat picture to the environment that an organization owns and
operates. Maltego’s unique advantage is to demonstrate the
complexity and severity of single points of failure as well as
trust relationships that exist currently within the scope of
your infrastructure.

SPECIFIC TOOLS - VULNERABILITY ANALYSIS

Cisco Global Exploiter: simple and fast security testing tool

for overflow, DOS, http Auth, SSH, Flood Denial, memory leak and
other vulnerabilities.

BBQSQL: is a blind SQL injection framework written in Python. It

is extremely useful when attacking tricky SQL injection
vulnerabilities. BBQSQL is also a semi-automatic tool, allowing
quite a bit of customization for those hard to trigger SQL
injection findings. The tool is built to be database agnostic
and is extremely versatile. It also has an intuitive UI to make
setting up attacks much easier.
jSQL Injection: is a lightweight application used to find
database information from a distant server. jSQL is free, open
source and cross-platform

sqlmap: is an open source penetration testing tool that

automates the process of detecting and exploiting SQL injection
flaws and taking over of database servers. It comes with a
powerful detection engine, many niche features for the ultimate
penetration tester and a broad range of switches lasting from
database fingerprinting, over data fetching from the database,
to accessing the underlying file system and executing commands
on the operating system via out-of-band connections.

SPECIFIC TOOLS - EXPLOITATION TOOLS

Armitage: is a scriptable collaboration tool for Metasploit that

visualizes targets, recommends exploits, and exposes the
advanced post-exploitation features in the framework.

Commix: can be used, from web developers, penetration testers or

even security researchers to test web applications with the view
to find bugs, errors or vulnerabilities related to command
injection attacks.

Metasploit: is a penetration testing platform that enables you

to find, exploit, and validate vulnerabilities. It provides the
infrastructure, content, and tools to perform penetration tests
and extensive security auditing. New modules are added on a
regular basis, which means that the latest exploit is available
to you as soon as it’s published.

SPECIFIC TOOLS - WEB APPLICATION

Apache-users: will enumerate the usernames on any system

that uses Apache with the UserDir module.

Burp Suite: is an integrated platform for performing

security testing of web applications. Its various tools
work seamlessly together to support the entire testing
process, from initial mapping and analysis of an
application’s attack surface, through to finding and
exploiting security vulnerabilities.
Vega: is a free and open source scanner and testing
platform to test the security of web applications. Vega
can help you find and validate SQL Injection, Cross-
Site Scripting (XSS), inadvertently disclosed sensitive
information, and other vulnerabilities. It is written
in Java, GUI based, and runs on Linux, OS X, and
Windows.

Webslayer: is a tool designed for brute forcing Web

Applications, it can be used for finding resources not
linked (directories, servlets, scripts,files, etc),
brute force GET and POST parameters, bruteforce Forms
parameters (User/Password), Fuzzing, etc. The tools
have a payload generator and an easy and powerful
results analyzer.

JavaSnoop: for Java apps, allows you to attach to an

existing process (like a debugger) and instantly begin
tampering with method calls, run custom code, or just
watch what’s happening on the system.

TESTING STRATEGY
GSS IT team does not have a security protocol or best practices
for penetration testing so we will use open source tools that
automate the process.

Tests will be executed at nights and following a calendar that

will be set by IT Director.

Coordinated attacks will occur one server at a time. Dates and

tests will be advised in advance.

HARDWARE
Testing will be done with company assigned hardware.

TEAM
To be assigned by IT Director