
Tutorial 12

Question 01. Elaborate the necessity of the Penetration Testing Execution Standard (PTES).

Answer:

The Penetration Testing Execution Standard (PTES) is necessary because its main aim is
to provide a format and steps for a test to be performed in a consistent, thorough and
reliable way. It consists of seven phases that can be adapted to any environment and to
any circumstances the client may put in front of you. The standard is also necessary
because of the complexity, difficulty and sensitivity that are deep-rooted in the pen
testing process, and it gives step-by-step guidance through that complexity and
difficulty.

Question 02. Simply list down the seven phases of the PTES.

Answer:

The seven phases of PTES are:

- Pre-engagement analysis
- Intelligence gathering
- Threat modeling
- Vulnerability analysis
- Exploitation
- Post exploitation
- Reporting

Question 03. Elaborate the seven phases of the PTES in as much detail as you can.

Answer:

- Pre-engagement interactions
In this phase, the interactions span from the first contact between the client
and the pen tester to the final negotiation before the pen test begins. In these
interactions the goal of the pen test, the scope of the analysis and the rules of
engagement are discussed.
- Intelligence gathering
This phase represents the start of the actual test. It consists of three levels.
  - Level 1 is basic information gathering, which collects information from
simple sources.
  - Level 2 executes the information-gathering process using automated and
manual tools to gain a much better understanding of the target.
  - Level 3 is the aggressive and complete level, in which the team gathers
intimate details about the target.
- Threat modeling
This phase involves mapping out the particular assets that are most likely to be
targeted by the ethical hacker, as well as the resources that will be used to
target those assets. The tester identifies the assets that are most valuable and
the assets that are most vulnerable. The PTES specifies a distinct four-step
process for threat modeling:
  - Gathering documents
  - Categorizing assets (primary and secondary)
  - Categorizing threats (primary and secondary)
  - Mapping threat communities to the corresponding assets
- Vulnerability analysis
This phase involves further gathering of information, this time related to
specific flaws or weaknesses in the client's system. This stage finally uses all
the intelligence to prioritize specific known or suspected vulnerabilities. The
analysis comprises two main modes: passive and active analysis.
- Exploitation
Once a target has been scanned and its vulnerabilities determined, the actual
penetration of the target can proceed. This step is intended to exploit the
weaknesses found in the system with the intention of compromising it and gaining
some level of access. Password cracking, traffic sniffing, session hijacking,
brute-force attacks and man-in-the-middle attacks are possible attacks during
this phase.
- Post exploitation
Now that you are in the system, the first thing you must do is maintain that
access. You could plant a key logger on the system with the goal of capturing
keystrokes and perhaps passwords or similar information. You could locate
encryption keys on the system and take control of them. You could even use this
time to plant a backdoor on the system and cover your tracks to avoid detection.
- Reporting
The report should start with a brief overview of the penetration-testing
process. This section is followed by an analysis of the vulnerabilities that were
discovered during the test. Vulnerabilities should be organized in a way that
draws attention to their respective severity levels, such as critical, important
or low. The report should also contain a summary of any successful penetration
scenarios and a detailed list and description of all vulnerabilities found. It
should also contain suggestions and techniques to resolve the vulnerabilities
that were discovered.

Question 04. List down 4 common network vulnerabilities and elaborate on them in detail.

Answer:

A computer network is made up of numerous devices, such as routers and switches,
which are used to create the network; the devices communicate with each other
through ports and services. The flaws and weaknesses in a computer network that
can be exploited by an attacker are called network vulnerabilities. These
vulnerabilities depend on the hardware and software components in the network.
Some common vulnerabilities in a computer network are:

- Brute force and password cracking
A brute force attack uses trial and error to guess login information or
encryption keys, or to find a hidden web page. Hackers work through all possible
combinations hoping to guess correctly. These attacks are done by 'brute force',
meaning they use excessive forceful attempts to try and 'force' their way into
your private account(s). This is an old attack method, but it is still effective
and popular with hackers, because depending on the length and complexity of the
password, cracking it can take anywhere from a few seconds to many years. From
the attacker's point of view, the gains of a brute force attack are:
  - Stealing personal data and valuables
  - Spreading malware to cause disruptions
  - Hijacking your system for malicious activity
  - Ruining a website's reputation
- Denial of Service (DoS)
A denial of service (DoS) attack is an attack that is meant to shut down a
server or a network, making it inaccessible to its users. DoS attacks accomplish
this by flooding the target with traffic or by sending it information that
triggers a crash. In both cases, the DoS deprives legitimate users (employees or
members) of the resources they expected. DoS attacks often target the web
servers of high-profile organizations such as banking, commerce and media
companies. Though DoS attacks do not result in the theft or loss of significant
information or other assets, they can cost the victim a great deal of time and
money to handle. Some popular flood attacks include buffer overflow attacks,
ICMP floods and SYN floods.
- Spoofing layer 2 and layer 3 addresses
A spoofing attack is when a malicious party impersonates another device or
user on a network in order to launch attacks against network hosts, steal data,
spread malware or bypass access controls.
In 2006, unknown hackers carried out a major DNS spoofing attack, the first of
its kind, against three local banks in Florida. The attackers hacked the servers
of the internet provider that hosted all three websites and rerouted traffic to
fake login pages designed to harvest sensitive data from unsuspecting victims.
This allowed them to collect an undisclosed number of credit card numbers and
PINs along with other personal information belonging to their owners.
Layer 2 and layer 3 spoofing refer to MAC and IP spoofing, which are described
below:
  - MAC spoofing
Every network adapter built into a connected device should have a unique Media
Access Control (MAC) address that is not repeated in any other device. An
attacker might modify or spoof the MAC address of the hardware. This way, the
attacker can disguise the device and enrol it in a target network, bypassing
restrictions that rely on the MAC address.
  - IP spoofing
To perform this attack, the adversary sends Internet Protocol (IP) packets that
have a false source address. This is a way to hide the actual online identity of
the packet sender and act as another computer. IP spoofing is often used to set
DDoS attacks in motion. Furthermore, this technique can be leveraged to get
around authentication systems that use a device's IP address as a critical
identifier.
- Packet sniffing
Packet sniffing is the practice of gathering, collecting and logging some or all
packets that pass through a computer network, regardless of how the packets are
addressed. In this way, every packet, or a defined subset of packets, may be
gathered for further analysis. As a network administrator you can use the
collected data for a wide variety of purposes, like monitoring bandwidth and
traffic. A packet sniffer, sometimes called a packet analyser, is composed of two
main parts: first, a network adapter that connects the sniffer to the existing
network; second, software that provides a way to log, see or analyse the data
collected by the adapter.
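As an added example that is not part of the original answer, the following Python script looks at the brute force attack above from the defender's side: it parses a constructed sshd-style log sample (not real data) and flags any source address with five or more failed logins inside a 60-second window, together with the usernames it tried.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style syslog sample for this example (not real traffic).
SAMPLE_LOG = """\
Jan 12 10:00:01 gw sshd[4321]: Failed password for invalid user admin from 198.51.100.7 port 50211 ssh2
Jan 12 10:00:04 gw sshd[4322]: Failed password for root from 198.51.100.7 port 50212 ssh2
Jan 12 10:00:06 gw sshd[4323]: Failed password for invalid user test from 198.51.100.7 port 50213 ssh2
Jan 12 10:00:09 gw sshd[4324]: Failed password for root from 198.51.100.7 port 50214 ssh2
Jan 12 10:00:11 gw sshd[4325]: Failed password for invalid user admin from 198.51.100.7 port 50215 ssh2
Jan 12 10:00:15 gw sshd[4326]: Failed password for root from 198.51.100.7 port 50216 ssh2
Jan 12 10:02:30 gw sshd[4330]: Failed password for alice from 203.0.113.9 port 41000 ssh2
Jan 12 10:02:45 gw sshd[4331]: Accepted password for alice from 203.0.113.9 port 41000 ssh2
Jan 12 10:30:00 gw sshd[4340]: Failed password for alice from 203.0.113.9 port 41020 ssh2
"""

# One failed-login line: timestamp, optional "invalid user", username, source IP.
FAILED_RE = re.compile(
    r"^(\w{3} \d{2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)

def failed_logins(log_text):
    """Return (timestamp, source_ip, username) for every failed-login line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            events.append((ts, m.group(3), m.group(2)))
    return events

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Map each source with >= threshold failures in a window_s-second window to the usernames tried."""
    by_src = defaultdict(list)
    for ts, src, user in failed_logins(log_text):
        by_src[src].append((ts, user))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_s seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = sorted({u for _, u in evs[start:end + 1]})
                break
    return alerts
```

The two spread-out failures from 203.0.113.9 never fall inside one window, so only the fast-cycling source is reported; tune threshold and window_s to the service's normal failure rate before alerting on it.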
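Also added here, not from the original answer: a Python sketch of what a packet sniffer decodes from a raw Ethernet/IPv4 frame, with two defensive checks for the layer 2 and layer 3 spoofing described above. The frames, MAC addresses and the internal network 192.0.2.0/24 are constructed for the example; spoofed_ingress applies the rule that traffic arriving from outside must never carry an inside source address, and mac_changes flags an IP that suddenly shows up with a different MAC.

```python
import ipaddress
import struct

# Constructed address plan for this example: the LAN behind the gateway.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")

def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto=6):
    """Constructed Ethernet II + IPv4 frame (no payload, checksum left zero)."""
    eth = struct.pack("!6s6sH", bytes.fromhex(dst_mac.replace(":", "")),
                      bytes.fromhex(src_mac.replace(":", "")), 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip

def parse_frame(frame):
    """Decode what a sniffer sees: MACs from layer 2, addresses and protocol from layer 3."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    src_ip, dst_ip = struct.unpack("!4s4s", frame[26:34])  # IPv4 src/dst at offsets 12..19
    return {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
            "src_ip": str(ipaddress.IPv4Address(src_ip)),
            "dst_ip": str(ipaddress.IPv4Address(dst_ip)),
            "proto": frame[23], "header_len": (frame[14] & 0x0F) * 4}

def spoofed_ingress(pkt, arrived_on):
    """Ingress filter: a packet entering from outside must not claim an inside source."""
    return arrived_on == "external" and ipaddress.ip_address(pkt["src_ip"]) in INTERNAL_NET

def mac_changes(pkts):
    """Report (ip, old_mac, new_mac) whenever a known IP appears with a different MAC."""
    seen, alerts = {}, []
    for p in pkts:
        prev = seen.setdefault(p["src_ip"], p["src_mac"])
        if prev != p["src_mac"]:
            alerts.append((p["src_ip"], prev, p["src_mac"]))
    return alerts
```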

Question 05. List down and elaborate on any 2 web application vulnerabilities in brief.

Answer:

A web application is an application that runs on a remote server and is accessed
through a client. Two common vulnerabilities in a web application are:

- DoS and DDoS
When it is carried out against a web server, all the resources on that server
can be rapidly consumed, slowing down its performance. In a DDoS, many more
systems are used to attack a target, crushing it under the weight of multiple
requests at once (ICMP flooding, SYN flooding, etc.).
- Cross-site scripting
Cross-site scripting (XSS) is a common web application attack where a malicious
script is echoed back into the HTML returned from a trusted site and runs as
trusted content. An XSS attack can have the following outcomes:
  - Steal your cookies for the domain that you are browsing
  - Completely modify the content of any page that you see on this domain
  - Track every action you do in that browser
  - Redirect you to a phishing site
  - Exploit browser vulnerabilities to take over the machine
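The reflected XSS case above, as an added Python example that is not part of the original answer: the vulnerable renderer echoes the query into the HTML unchanged, the safe one escapes it with html.escape, and session_cookie_header is a constructed Set-Cookie line showing the HttpOnly flag that stops a script from reading the cookie even if markup does get through. PROBE is a harmless constructed test input.

```python
import html

# Constructed probe: harmless, but any tag reaching the browser unescaped would execute.
PROBE = "<script>alert(1)</script>"

def render_search_vulnerable(query):
    """Echoes the untrusted query straight back into the page: reflected XSS."""
    return f"<p>Results for: {query}</p>"

def render_search_safe(query):
    """Escapes <, >, &, ' and " so the browser shows the query as text, not markup."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"

def survives_unescaped(user_input, rendered):
    """True when the raw input appears verbatim in the output (the bug we want to catch)."""
    return user_input in rendered

def session_cookie_header(value):
    """Constructed Set-Cookie line; HttpOnly hides the cookie from document.cookie."""
    return f"Set-Cookie: session={value}; HttpOnly; Secure; SameSite=Lax"
```

Escaping on output is the primary fix; HttpOnly only limits the damage of the "steal your cookies" outcome and does nothing for the other outcomes listed above.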

Question 06. Elaborate the life cycle of a software vulnerability.

Answer:

Software vulnerabilities can be defined as flaws or faults in computer software
that interrupt implicit or explicit procedures which might be associated with
security. The three primary methods of discovering vulnerabilities in software are:
- Source code auditing, where the source code of the software is required for
examining the data flows to discover flaws.
- Reverse engineering, which does not need the source code of the software but
requires the software's binary and a high level of technical expertise.
- Fuzzing, which sends mutated data into an application to test for
vulnerabilities.
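As an added example (not from the original answer), a small mutation fuzzer in Python of the kind described in the third method, run against a constructed length-prefixed record parser with an intentional over-read bug and against a hardened version of it. parse_record, parse_record_fixed, mutate, fuzz and SEEDS are all example names.

```python
import random

def parse_record(data):
    """Constructed target: one length byte, then that many payload bytes.
    Bug: it trusts the declared length and reads past the end of the buffer."""
    n = data[0]
    return bytes(data[i] for i in range(1, 1 + n))  # IndexError on an over-read

def parse_record_fixed(data):
    """Hardened version: validates the declared length before touching the payload."""
    if not data or data[0] > len(data) - 1:
        raise ValueError("declared length exceeds buffer")
    return bytes(data[1:1 + data[0]])

def mutate(seed, rng):
    """Apply one to three random byte-level mutations: overwrite, delete or insert."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        r = rng.random()
        if r < 0.4 and buf:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif r < 0.7 and buf:
            del buf[rng.randrange(len(buf))]
        else:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)

def fuzz(target, seeds, iterations=2000, expected=(ValueError,), seed=1):
    """Feed mutated inputs to target and return {exception name: first input that raised it}.
    Exceptions in `expected` are the target's documented rejections and are not crashes."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except expected:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)
    return crashes

SEEDS = [b"\x03abc", b"\x00"]  # constructed valid inputs to start mutating from
```

A real fuzzer would run the binary under a crash monitor rather than catch Python exceptions, but the loop of mutate, run, record is the same.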

The life cycle of software vulnerabilities is listed below:

- Step 1. The unknowing creation of the software vulnerability.
- Step 2. The discovery of the software vulnerability.
- Step 3. The disclosure of the software vulnerability.
- Step 4. The correction of the software vulnerability.
- Step 5. The revealing of the software vulnerability.
- Step 6. The creation of a specific exploit for that software vulnerability.
- Step 7. The passing of the software vulnerability.
- Step 8. The end-of-life of the software vulnerability.
