
Footprinting Penetration Testing

So far, we have discussed the necessary techniques and tools that can be used to footprint a target organization's network. Penetration testing (or pen testing) refers to the process of testing the organization's security posture using techniques and tools similar to those of an attacker, but with the knowledge and approval of the organization. Footprinting is the first step to perform in the pen testing process. Performing footprinting in a systematic manner enables a pen tester to discover potential security liabilities that an attacker may exploit. In the pen testing process, the pen tester acts as a malicious outsider and simulates an attack to find security loopholes.

A footprinting pen test helps in determining an organization's information on the Internet, such as network architecture, operating systems, applications, and users. The pen tester tries to gather publicly available sensitive information about the target by pretending to be an attacker. The target may be a specific host or a network.

The pen tester can perform the same attacks as an attacker. The pen tester should try all possible ways to gather as much information as possible in order to ensure the maximum scope of footprinting pen testing. If the pen tester finds sensitive information on any publicly available information resource, that information should be reported to the organization.


Footprinting Pen Testing Steps

Pen testing is a means to examine network security. The steps in the procedure should be followed in order to ensure the maximum scope of testing. The steps involved in footprinting pen testing are:

Step 1: Get proper authorization

Always perform pen testing with authorization. The first step in a footprinting pen test is to get proper authorization from the organization. This may or may not include the system administrators.

Step 2: Define the scope of the assessment

Defining the scope of the security assessment is a prerequisite for pen testing. The scope of the assessment determines the range of systems in the network to be tested, the resources that can be used to test, and so on. It also determines the pen tester's limitations. Once you define the scope, you should plan and gather sensitive information using footprinting techniques.

Step 3: Perform footprinting through search engines

Use search engines such as Google, Yahoo! Search, Ask, Bing, and Dogpile to gather the target organization's information, such as employee details, login pages, and intranet portals, that can help in performing social engineering and other types of advanced system attacks.

Perform Google hacking using tools such as the Google Hacking Database (GHDB). This helps to expose security loopholes in the code and configuration of websites. Google hacking is usually done with the help of advanced Google operators that locate specific strings of text, such as versions of vulnerable web applications.

Step 4: Perform footprinting through web services

Perform footprinting through web services such as Netcraft, Pipl, Google Finance, and Google Alerts to gather information about the target organization's website, employees, competitors, infrastructure, and operating systems.

Step 5: Perform footprinting through social networking sites

Perform footprinting to gather target organization employee information from personal profiles on social networking sites such as Facebook, MySpace, LinkedIn, Twitter, Pinterest, and Google+. This can assist in performing social engineering. You can also use people search engines to obtain information about a target person.

Step 6: Perform website footprinting

Perform website footprinting using tools such as Burp Suite, Web Data Extractor, HTTrack Web Site Copier, Metagoofil, and WebSite-Watcher in order to build a detailed map of the website's structure and architecture.

Step 7: Perform email footprinting

Perform email footprinting using tools such as eMailTrackerPro, Yesware, and ContactMonkey to gather information about the physical location of an individual. Use this to perform social engineering, which in turn may help in mapping the target organization's network. Analyzing email headers can help to collect information such as the sender's IP address, the sender's mail server, the sender's address, the date and time received by the originator's email servers, the authentication system used by the sender's mail server, the sender's full name, and so on.
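As an added example, not part of this course text or of any tool it names, the following Python script performs the header analysis this step describes on a constructed message. It walks the Received: chain in delivery order to find the originating IP and server, reads the date and time each server stamped the message, extracts the sender's name and address, and reads the receiving server's Authentication-Results header to see whether the claimed From: domain matches the envelope domain that SPF checked. Every host name, address and IP in the sample is a placeholder I made up.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message (not taken from a real mailbox). Host names,
# addresses and the 192.0.2.0/24 IPs are documentation-range placeholders.
SAMPLE_MESSAGE = """\
Received: from mx1.example.com (mx1.example.com [192.0.2.10])
\tby mail.target.example (Postfix) with ESMTPS id 4C3F1
\tfor <alice@target.example>; Mon, 03 Jun 2024 09:15:22 +0000
Received: from webmail.example.com (unknown [192.0.2.55])
\tby mx1.example.com with ESMTP; Mon, 03 Jun 2024 09:15:20 +0000
Authentication-Results: mail.target.example; spf=pass smtp.mailfrom=example.com;
\tdkim=pass header.d=example.com
From: "Bob Sender" <bob@example.com>
To: alice@target.example
Subject: Quarterly figures
Date: Mon, 03 Jun 2024 09:15:19 +0000
Message-ID: <abc123@example.com>

Body text.
"""

# "from <helo> (<rdns> [<ip>]) by <server>" as most MTAs write it
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s*)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def received_chain(raw_message):
    """Parse every Received: header and return the hops in delivery order
    (origin first). Each MTA prepends its own header, so the file order is
    newest-first and must be reversed."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        stamp = flat.rsplit(";", 1)[1].strip() if ";" in flat else None
        hops.append({
            "helo": m.group("helo") if m else None,
            "rdns": m.group("rdns") if m else None,
            "ip": m.group("ip") if m else None,
            "by": m.group("by") if m else None,
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    hops.reverse()
    return hops


def header_summary(raw_message):
    """Collect the items the text lists: sender identity, originating IP and
    server, receipt times, and what the receiving server's authentication
    checks said about the claimed sender domain."""
    msg = email.message_from_string(raw_message)
    hops = received_chain(raw_message)
    name, address = parseaddr(msg.get("From", ""))
    auth = " ".join((msg.get("Authentication-Results") or "").split())
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    mailfrom = re.search(r"smtp\.mailfrom=([^\s;]+)", auth)
    envelope_domain = mailfrom.group(1).split("@")[-1].lower() if mailfrom else None
    from_domain = address.split("@")[-1].lower() if "@" in address else None
    origin, last = (hops[0], hops[-1]) if hops else ({}, {})
    transit = None
    if origin.get("time") and last.get("time"):
        transit = int((last["time"] - origin["time"]).total_seconds())
    return {
        "sender_name": name,
        "sender_address": address,
        "origin_ip": origin.get("ip"),
        "origin_server": origin.get("helo"),
        "origin_rdns": origin.get("rdns"),
        "first_received": origin.get("time"),
        "hops": len(hops),
        "transit_seconds": transit,
        "spf": verdicts.get("spf"),
        "dkim": verdicts.get("dkim"),
        # a From: domain that differs from the SPF-checked envelope domain is
        # the usual sign of a spoofed display sender
        "from_matches_envelope": from_domain == envelope_domain,
    }


if __name__ == "__main__":
    for key, value in header_summary(SAMPLE_MESSAGE).items():
        print(f"{key:22} {value}")
```

The earliest hop is the only one the sender controlled, so its IP and HELO name are what a tester reports as the origin; everything after it was stamped by servers the organization or its provider runs. Headers above the first trusted hop can be forged, which is why the summary also records the authentication verdicts rather than trusting the From: line alone.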

Step 8: Gather competitive intelligence

Gather competitive intelligence using tools such as Hoover's, LexisNexis, or Business Wire. These tools extract competitor information such as date of establishment, location, progress analysis, higher authorities, product analysis, marketing details, and so on.

Step 9: Perform Whois footprinting

Perform Whois footprinting using tools such as Whois Lookup, SmartWhois, and Batch IP Converter to extract information about particular domains. You can capture information such as IP address, domain owner name, registrant name, and contact details including phone numbers and email IDs. The information can be used to create a detailed map of the organizational network, to gather personal information that assists in performing social engineering, to gather other internal network details, and so on.

Step 10: Perform DNS footprinting

Perform DNS footprinting using tools such as DNSstuff, DIG, and myDNSTools to determine key hosts in the network and to perform social engineering attacks. Resolve the domain name to learn its IP address, DNS records, and so on.

Step 11: Perform network footprinting

Perform network footprinting using tools such as Path Analyzer Pro, VisualRoute, and GEO Spider to learn the network range and other information about the target network that helps to draw the network diagram of the target.

Step 12: Perform social engineering

Implement social engineering techniques such as eavesdropping, shoulder surfing, dumpster diving, impersonation on social networking sites, and phishing to gather critical information about the target organization. Through social engineering, you can gather the target organization's security products in use, OS and software versions, network layout information, IP addresses and names of servers, and important personnel.

Step 13: Document all the findings

When finished with the implementation of footprinting techniques, collect and document the information obtained in each stage of testing. You can use this document to study, understand, and analyze the security posture of the target organization. This also enables you to find and fix security loopholes to prevent exploitation.


Scanning Pen Testing

It is advisable to pen-test the target network to identify its security posture. Pen-testing in anticipation of a possible problem helps to find and fix any security loopholes present in the target network. Such proactive prevention practices can keep an entire network from being compromised. This section describes the steps involved in pen-testing the target network and the various scanning tools used to accomplish this task.

The network scanning penetration test helps to determine a network's security posture by identifying live systems, discovering open ports and associated services, and grabbing system banners from a remote location to simulate a network hacking attempt. You, as an ethical hacker or pen-tester, should scan and test the network in every manner possible to ensure that there is no security loophole in the system.

Once you are done with the penetration testing, document all your findings at every stage of the testing. This documentation will help the system administrators to:

Close unused ports if unnecessary/unknown open ports are found
Disable unnecessary services
Hide or customize banners
Troubleshoot service configuration errors
Calibrate firewall rules to impose more restriction

The more ports that are open on a server, the easier it is for an attacker to connect to it. The first thing an attacker does is monitor network traffic for vulnerabilities such as open ports and running services, through which the network could be compromised. Admins may install and configure unwanted services, leave services with default settings, and turn them on during OS and application installations. This can cause unwanted traffic to the server or give an attacker a way to intrude into the system. Attackers might also "banner grab" to trace the server name and its version, and then use this information to break into a network. Therefore, close all unused/unnecessary open ports, unwanted services, and so on, and configure the server in such a way that it hides the display of the banner. Also create inbound and outbound firewall rules to block all unwanted ports from accepting connections from outside the network.

Here is how you can conduct a pen-test of a target network.

Step 1: Perform host discovery

The first step of network penetration testing is to detect live hosts on the target network. You can attempt to detect the live hosts (i.e., accessible hosts in the target network) using network scanning tools such as Nmap, Angry IP Scanner, SolarWinds Engineer's Toolset, and NetScanTools Pro. It is difficult to detect live hosts behind a firewall.

Step 2: Perform port scanning

Perform port scanning using tools such as Nmap, NetScanTools Pro, Hping3, PRTG Network Monitor, and SuperScan. These tools help to probe a server or host on the target network for open ports. Open ports are the doorways through which an attacker installs malware on a system. Therefore, you should always check for open ports and close them if they are not necessary.
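The following Python script is an added example, not part of the course or of Nmap itself. It reads the XML that nmap writes with -oX (the sample below is constructed, with documentation-range addresses and invented banners), keeps only the open ports, and compares each host against an approved baseline, so the report handed to the administrators lists exactly which ports to close and which version banners are being disclosed. The BASELINE dictionary is an assumption standing in for the organization's own service inventory.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the file nmap writes with -oX (documentation-range
# addresses, invented banners; not the output of a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/28">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="8.0.33"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed approved baseline: the (protocol, port) pairs each host is meant to expose.
BASELINE = {
    "192.0.2.10": {("tcp", 22), ("tcp", 443)},
    "192.0.2.11": {("tcp", 22)},
}


def parse_open_ports(xml_text):
    """Return {ip: [(proto, port, service, banner), ...]} keeping open ports only."""
    scan = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        entries = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            # product + version is the banner nmap -sV inferred; this is what
            # "hide or customize banners" in the admin checklist is about
            banner = " ".join(filter(None, [svc.get("product"), svc.get("version")])) if svc is not None else ""
            entries.append((port.get("protocol"), int(port.get("portid")), name, banner))
        scan[addr.get("addr")] = entries
    return scan


def compare_to_baseline(scan, baseline):
    """Per host: open ports not in the baseline (close them), baseline ports
    not seen (investigate), and the version banners the host discloses."""
    report = {}
    for ip, entries in scan.items():
        seen = {(proto, port) for proto, port, _, _ in entries}
        expected = baseline.get(ip, set())
        report[ip] = {
            "unexpected": sorted(seen - expected),
            "missing": sorted(expected - seen),
            "banners": {(proto, port): banner for proto, port, _, banner in entries if banner},
        }
    return report


if __name__ == "__main__":
    for ip, finding in compare_to_baseline(parse_open_ports(SAMPLE_NMAP_XML), BASELINE).items():
        print(ip, finding)
```

Running the scan periodically and diffing against the baseline turns the one-off pen test finding ("3306 and 23 are open") into a standing check that catches the default-enabled services the section warns about the next time an installation turns one on.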

Step 3: Scan beyond IDS and firewall

Scan beyond the IDS and firewall; this helps you to understand the organization's security limitations. Use IDS/firewall evasion techniques such as packet fragmentation, source routing, IP address spoofing, etc. to bypass IDS and firewall rules.

Use proxy tools such as Proxy Switcher, Proxy Workbench, CyberGhost, Tor, and Burp Suite to hide yourself from detection.

Step 4: Perform banner grabbing or OS fingerprinting

Perform banner grabbing/OS fingerprinting by sending specially crafted packets to the target machine and then comparing the responses with a database. This determines the operating system running on the target host of a network and its version. Once you know the version and the operating system running on the target system, find and exploit the vulnerabilities related to that OS. Try to gain control over the system and compromise the whole network.

Step 5: Draw network diagrams

Draw a network diagram of the vulnerable hosts that helps you to understand the logical connection and path to them in the network. You can draw the network diagram with the help of tools such as Network Topology Mapper, OpManager, The Dude, NetSurveyor, and NetBrain. The network diagrams provide valuable information about the network and its architecture.

Step 6: Document all the findings

The last but most important step in penetration testing is to preserve all the outcomes of the tests conducted in the previous steps in a document. This document will assist in finding potential vulnerabilities in the network, which you can use to suggest countermeasures. Thus, penetration testing helps in assessing the security posture of the network and fixing any security loopholes before they can cause trouble and result in severe organizational loss.

Enumeration Pen Testing

This section describes the importance of enumeration pen testing, the framework of pen testing steps, and the tools used to conduct pen testing.

Through enumeration, an attacker may gather sensitive information on organizations with weak security. That sensitive information can be used to hack and break into the organization's network, potentially resulting in huge loss in terms of information, service, or finance. To prevent these kinds of attacks, every organization must test its own security. Enumeration pen testing builds on the data collected in the reconnaissance phase. It is used to identify valid user accounts or poorly protected resource shares using active connections to systems and directed queries.

A pen tester should conduct pen tests against various enumeration techniques in order to check whether the target network is revealing any sensitive information that may help an attacker in performing an attack. This may reveal sensitive information such as user accounts, IP addresses, email contacts, DNS, network resources and shares, application information, etc. The pen tester should try to discover as much information as possible regarding the target. This helps to determine the vulnerabilities/weaknesses in the target organization's security.

A pen tester should perform all possible enumeration techniques to enumerate as much information as possible about the target. To ensure the full scope of the test, enumeration pen testing includes a series of steps to provide information.

Step 1: Find the network range

Find the network range using tools such as Whois Lookup. Finding the network range helps in enumerating important servers in the target network.

Step 2: Calculate the subnet mask

Calculate the subnet mask required for the IP range using tools such as Subnet Mask Calculator. The calculated subnet mask can serve as an input to many of the ping sweep and port scanning tools for further enumeration, which includes discovering hosts and open ports.
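An added Python example, not from the course and not a Subnet Mask Calculator product, that carries Steps 1 and 2 through in code: it pulls the address ranges out of a constructed whois excerpt, uses the standard library ipaddress module to produce the minimal CIDR blocks, dotted masks and usable host counts that cover each range, and emits the block list a ping sweep would be given. The whois text and all addresses are made-up documentation-range values; the range a registry actually reports is often not aligned to a single mask, which is the case the second sample range exercises.

```python
import ipaddress
import re

# Constructed whois-style excerpt (documentation-range addresses, not a real registration)
SAMPLE_WHOIS = """\
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        EXAMPLE-NET
inetnum:        198.51.100.16 - 198.51.100.47
netname:        EXAMPLE-BRANCH
"""

# ARIN prints "NetRange:", RIPE/APNIC print "inetnum:"; both give first - last
RANGE_RE = re.compile(
    r"^(?:NetRange|inetnum):\s*([\da-fA-F.:]+)\s*-\s*([\da-fA-F.:]+)", re.M | re.I
)


def extract_ranges(whois_text):
    """Return [(first_address, last_address), ...] as ipaddress objects."""
    return [(ipaddress.ip_address(a), ipaddress.ip_address(b))
            for a, b in RANGE_RE.findall(whois_text)]


def range_to_subnets(first, last):
    """Smallest set of CIDR blocks that exactly covers first..last, each with
    its dotted mask and usable host count (network and broadcast addresses
    excluded below /31, which is how sweep tools treat them)."""
    blocks = []
    for net in ipaddress.summarize_address_range(first, last):
        point_to_point = net.prefixlen >= 31
        blocks.append({
            "cidr": str(net),
            "netmask": str(net.netmask),
            "hosts": net.num_addresses if point_to_point else net.num_addresses - 2,
            "first_host": str(net[0] if point_to_point else net[1]),
            "last_host": str(net[-1] if point_to_point else net[-2]),
        })
    return blocks


def plan_sweep(whois_text):
    """Map each whois range ("first-last") to its list of CIDR blocks."""
    return {f"{a}-{b}": range_to_subnets(a, b) for a, b in extract_ranges(whois_text)}


def sweep_targets(whois_text):
    """Flat list of CIDR strings to hand to a ping sweep, one block per argument."""
    return [block["cidr"] for blocks in plan_sweep(whois_text).values() for block in blocks]


if __name__ == "__main__":
    for rng, blocks in plan_sweep(SAMPLE_WHOIS).items():
        print(rng)
        for b in blocks:
            print(f"  {b['cidr']:20} mask {b['netmask']:16} {b['hosts']} hosts "
                  f"({b['first_host']} .. {b['last_host']})")
```

The sweep_targets list is what Step 3's ping sweep takes in place of <network-range>; in current Nmap releases the ping-sweep option is -sn, with -sP kept as a deprecated alias. Splitting a registry range into exact blocks also keeps the sweep inside the authorized scope: rounding 198.51.100.16-47 up to a /26 would scan 32 addresses the client never listed.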

Step 3: Undergo host discovery

Find the important servers connected to the Internet using tools such as Nmap. The Nmap syntax to find the servers connected to the Internet is as follows: nmap -sP <network-range>. In place of the network range, enter the network range value obtained in the first step.

Step 4: Perform port scanning

Find any open ports and close them if they are not required. Open ports are doorways for an attacker to break into a target's security perimeter. Therefore, perform port scanning to check for open ports on the nodes. Pen testers and security auditors use tools such as Nmap to perform port scanning.

Step 5: Perform NetBIOS enumeration

Perform NetBIOS enumeration to identify the network devices over TCP/IP and to obtain a list of computers that belong to a domain, a list of shares on individual hosts, and policies and passwords. Tools such as Hyena, Nsauditor Network Security Auditor, and NetScanTools Pro can perform NetBIOS enumeration.

Step 6: Perform SNMP enumeration

Perform SNMP enumeration by querying the SNMP server in the network. The SNMP server may reveal information about user accounts and devices. Tools such as OpUtils Network Monitoring Toolset and Engineer's Toolset can perform SNMP enumeration.

Step 7: Perform LDAP enumeration

Perform LDAP enumeration by querying the LDAP service. Enumerating the LDAP service provides valid user names, departmental details, and address details. An attacker can use this information to perform social engineering and other kinds of attacks. Tools such as Softerra LDAP Administrator can perform LDAP enumeration.

Step 8: Perform NTP enumeration

Perform NTP enumeration to extract information such as the hosts connected to an NTP server, client IP addresses, the OS running on client systems, etc. Commands such as ntptrace, ntpdc, and ntpq can obtain this information.

Step 9: Perform SMTP enumeration

Perform SMTP enumeration to determine valid users on the SMTP server. Tools such as NetScanTools Pro can query the SMTP server for this information.

Step 10: Perform DNS enumeration

Perform DNS enumeration to locate all the DNS servers and their records. The DNS servers provide information such as system names, user names, IP addresses, etc. The Windows utility nslookup can extract this information.

Perform VoIP enumeration to extract information about VoIP gateways/servers, IP-PBX systems, client software (softphones)/VoIP phones, user-agent IP addresses, user extensions, etc. Use tools such as Svmap and Metasploit to collect this information.

Perform RPC enumeration to identify any vulnerable services on the RPC service ports. Use tools such as Nmap and NetScanTools Pro to extract this information.

Perform Unix/Linux user enumeration to extract information about system users. Commands such as rusers, rwho, and finger can obtain this information.

Step 11: Document all the findings

The last step is to document all the findings obtained during the enumeration pen testing. Analyze the results and suggest countermeasures for the client to improve their security.

Penetration Testing System Hacking

Pen testers use their system hacking knowledge to assess the security of target systems. As a pen tester, you should evaluate the security posture of your target system by trying to break its security through simulating various attacks in the same way an outside attacker would. There are certain steps you need to follow to conduct a system penetration test. This section will teach you how to conduct a system hacking pen test with the help of the knowledge gained through the CEH system hacking steps.


Penetration Testing Malware

Malware Penetration Testing

Penetration testers should follow the strategies of an attacker to test the network or system efficiently against malware. A penetration tester performs a wide range of available and emerging attacks to find loopholes or vulnerabilities in the target organization's IT infrastructure and suggests countermeasures to enhance security.


Sniffing Penetration Testing

Conducting a security assessment to identify vulnerabilities can protect a network from sniffing attacks. This section describes the pen testing process that simulates sniffing attacks. It involves a series of steps during which the pen tester uses different techniques and tools to sniff the target network.

You have learned how the attacker sniffs the conversation in a target network to gain confidential information. This section describes how to test a target network for sniffing attacks. A pen tester should simulate the actions of an attacker performing a sniffing attack to check the target network for sniffing. Pen testing will determine whether the network is vulnerable to any type of sniffing or interception attack.

A sniffing pen test helps administrators to:

Audit the network traffic for malicious content
Implement security mechanisms such as SSL and VPN to secure the network traffic
Identify rogue sniffing applications in the network
Discover rogue DHCP and DNS servers in the network
Discover the presence of unauthorized networking devices

A pen test simulates sniffing attacks that an attacker might carry out. A pen tester should try all possible ways of sniffing the network. This ensures a full-scope pen test, which will reveal the maximum possible vulnerabilities in the network.

Follow specific pen testing steps to perform the test successfully. Let us begin with the sniffing pen testing steps:

Step 1: Perform MAC Flooding Attack

Flood the switch with many Ethernet frames, each containing a different source MAC address. Check whether the switch enters fail-open mode, in which the switch broadcasts data to all ports rather than just to the port intended to receive the data. If this happens, attackers have the ability to sniff network traffic. You can use tools such as Yersinia and macof for detection.

Step 2: Perform DHCP Starvation Attack

Broadcast DHCP requests with spoofed MAC addresses. At a certain point, this may exhaust the DHCP server's available address space for a period. If this happens, attackers will have the chance to sniff network traffic or the DHCP requests of clients by building a rogue DHCP server. Test for DHCP starvation attacks by using tools such as Yersinia and Hyenae.

Step 3: Perform Rogue Server Attack

Perform rogue server attacks by running a rogue DHCP server in the network and responding to DHCP requests with bogus IP addresses.

Step 4: Perform ARP Poisoning

Try to compromise the ARP table and change the MAC address so that the IP address points to another machine. If this is successful, attackers can do the same thing and steal information by changing the MAC address to their own system. To perform ARP poisoning, use tools such as Ufasoft Snif, BetterCAP, and Ettercap.
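Seen from the defender's side, the two conditions a tester provokes in Step 1 and Step 4 (a flood of never-seen source MACs, and an IP whose MAC binding changes) are both visible in a passive capture. The following Python monitor is an added example, not from the course or from any of the tools it names: it consumes a constructed stream of (time, source MAC, ARP sender IP) events of the kind a SPAN-port capture would yield, raises an alert when an IP is claimed by a second MAC, and raises another when the number of distinct source MACs inside a one-second window passes a threshold. The threshold, window and events are assumptions chosen to make both alerts fire.

```python
from collections import deque

# Constructed event stream (not a real capture): (time_ms, source_mac, arp_sender_ip).
# arp_sender_ip is None for frames that are not ARP replies or announcements.
SAMPLE_EVENTS = [
    (0,    "00:11:22:33:44:01", "10.0.0.1"),    # gateway announces itself
    (500,  "00:11:22:33:44:02", "10.0.0.20"),   # a workstation
    (1000, "00:11:22:33:44:01", "10.0.0.1"),    # gateway again, same MAC: fine
    (1200, "de:ad:be:ef:00:01", "10.0.0.1"),    # a second MAC now claims the gateway IP
] + [
    # 120 frames in 1.2 s, each from a source MAC never seen before (the flood pattern)
    (5000 + 10 * i, f"02:00:00:00:00:{i:02x}", None) for i in range(120)
]


class L2Monitor:
    """Passive checks to run over a mirrored switch port feed."""

    def __init__(self, flood_threshold=50, window_ms=1000):
        self.ip_to_mac = {}          # learned ARP bindings (assumed trusted at first sight)
        self.recent = deque()        # (time_ms, mac) pairs inside the sliding window
        self.flood_threshold = flood_threshold
        self.window_ms = window_ms

    def observe(self, t, src_mac, sender_ip=None):
        """Process one frame; return the list of alerts it triggered."""
        alerts = []
        # ARP poisoning check: the first MAC seen for an IP is recorded, and a
        # later frame claiming the same IP from another MAC is a conflict
        if sender_ip is not None:
            known = self.ip_to_mac.setdefault(sender_ip, src_mac)
            if known != src_mac:
                alerts.append(("arp_conflict", sender_ip, known, src_mac))
        # MAC flooding check: distinct source MACs inside the sliding window
        self.recent.append((t, src_mac))
        while self.recent and t - self.recent[0][0] > self.window_ms:
            self.recent.popleft()
        distinct = len({mac for _, mac in self.recent})
        if distinct > self.flood_threshold:
            alerts.append(("mac_flood", distinct))
        return alerts


def run_monitor(events, flood_threshold=50):
    """Feed events in time order and return [(time_ms, alert), ...]."""
    mon = L2Monitor(flood_threshold=flood_threshold)
    return [(t, alert) for t, mac, ip in events for alert in mon.observe(t, mac, ip)]


if __name__ == "__main__":
    for t, alert in run_monitor(SAMPLE_EVENTS):
        print(t, alert)
```

The binding table is deliberately not updated on a conflict, so a replaced NIC produces one alert per frame until an operator confirms the new MAC; in production the same logic is what DHCP snooping with dynamic ARP inspection and a port-security MAC limit enforce on the switch itself, which are the countermeasures the findings from these two steps would recommend.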

Step 5: Perform MAC Spoofing

Try to spoof the MAC address on the network card. Try to change the factory-assigned MAC address of a networked device. If this succeeds, an attacker can bypass the access control lists on routers or servers by pretending to be another device on the network. If the network allows this kind of attack, then attackers can also break into the network and steal data. To prevent this, use tools such as Technitium MAC Address Changer (TMAC).

Step 6: Perform IRDP Spoofing

Perform Internet Router Discovery Protocol (IRDP) spoofing by sending spoofed IRDP router advertisement messages to the hosts on the subnet. Check whether the router changes its default router to the malicious route suggested by the advertisement messages. If the router changes its default path, then it is vulnerable to DoS attacks, passive sniffing, and/or MITM attacks.

Step 7: Perform DNS Spoofing

Perform DNS spoofing using techniques such as arpspoof/dnsspoof. The DNS spoofing attack misdirects the victim to another address that is under the control of the attacker. The attacker intercepts the DNS request of the victim and sends a response with a spoofed IP address before the actual response arrives at the victim's system. The spoofed DNS redirects the victim to the attacker's site. To prevent this kind of attack, maintain proper IDS/IPS across the network.

Step 8: Perform Cache Poisoning

Perform cache poisoning by sending a Trojan to the victim's machine that changes the proxy server settings in IE, thus redirecting to a fake website.

Step 9: Perform Proxy Server DNS Poisoning

Perform proxy server DNS poisoning to test for sniffing. In this type of attack, the attacker sets up a proxy server and a rogue DNS as the primary DNS entry in the proxy server system. The attacker lures the victim into using the attacker's proxy server. If the victim uses the attacker's proxy server, the attacker can sniff all the traffic between the victim and the website being visited.

Step 10: Document all the Findings

After performing all these tests, document all findings and tests conducted. Analyze the target's security and plan countermeasures to cover any security gaps.


Social Engineering Pen Testing

Considering that you are now familiar with all the necessary concepts of social engineering, techniques to perform social engineering, and countermeasures to implement against various threats, we will proceed to penetration testing. Social engineering pen testing is the process of testing the target's security against social engineering by simulating the actions of an attacker. This section describes social engineering pen testing and the steps to conduct the test.

The main objective of social engineering pen testing is to test the strength of the human factors in the security chain within the organization. Social engineering pen testing helps to raise the level of security awareness among employees. The tester should demonstrate extreme care and professionalism in the social engineering pen test, as it might involve legal issues such as violation of privacy, and may result in an embarrassing situation for the organization.

As a pen tester, you should first get proper authorization from the organization's administrators to perform social engineering. Then implement various social engineering techniques to lure employees into revealing the organization's sensitive information. Collect all possible information and then organize a meeting. Explain to employees the techniques you used to obtain information, how attackers can use that information against the organization, and the penalties for leaking information. Try to educate employees and give them practical knowledge about social engineering, because this is the only preventive measure against social engineering.

Users should list and follow the standard steps of social engineering in a systematic manner to reap the maximum benefit. The following steps are used in typical social engineering pen testing:

Step 1: Obtain authorization

First, obtain permission and authorization from management to conduct the test.

Step 2: Define the scope of pen testing

Before commencing the test, you should know the purpose of conducting the test and to what extent you can test. Thus, the second step in social engineering pen testing is to define the scope. In this step, gather basic information such as the number of departments, the employees that need to be tested, the level of physical intrusion permitted, and so on, which defines the scope of the test.

Step 3: Obtain a list of emails and contacts of predefined targets

Obtain a list of emails and contact details of predefined targets from the organization. If the organization provides you the information, then create a script with specific pretexts; otherwise, try to collect emails and contact details of employees in the target organization.

Step 4: Collect emails and contact details of employees in the target organization

If the required information is not provided by the organization, then try to collect email addresses and contact details of the target organization's human resources on your own by implementing techniques such as dumpster diving, email guessing, USENET, web search, and email spiders.

Step 5: Collect information using footprinting techniques

After collecting email addresses and contact details of the target organization's employees, implement various footprinting techniques, such as email footprinting, footprinting through social networking sites, and so on, to collect more information about the identified targets.

Once you have obtained sufficient useful information, create a script with specific pretexts; otherwise, try again to collect emails and contact details of other employees in the target organization.

Step 6: Create a script with specific pretexts

Create a script based on the information, considering both positive and negative results of an attempt.

After obtaining email addresses and contact details of employees of the target organization, you can launch social engineering in three possible ways: by email, by phone, and in person.

Discussed below are the steps to perform social engineering via email:

Step 7: Email employees asking for personal information

As you already have the email addresses of the target organization's employees, send emails asking for personal information such as their user names and passwords by pretending to be a network administrator, senior manager, tech support, or anyone from a different department on the pretext of an emergency. Your email should look like a genuine one.

If you succeed in luring the target employees, your job is easy. When the victims reply, document the information obtained, including their names. If you fail to get a response from some victims, do not worry; there are other ways to mislead them.

Step 8: Send and monitor emails with malicious attachments to target victims

Send emails with malicious attachments that launch spyware or other stealthy information-retrieving software on the victims' machines when the attachment is opened. Thereafter, monitor the victims' email using tools such as ReadNotify to check whether they have opened the attachment. When victims open the attachment, you can extract the information easily. Document the information extracted along with the victims' names.

If some victims fail to open the document, then apply other techniques such as phishing emails.

Step 9: Send phishing emails to target victims

Send a phishing email to target employees, and (only after you obtain explicit permission to do so) make it appear to be from a bank asking for their sensitive information.

If you receive the target employees' response, document the information extracted along with the victim's name.

If there is no response from some victims, then proceed to perform social engineering via telephonic methods.

To succeed in performing social engineering via phone, one has to engage in polite conversation in an effort to extract sensitive company information. Be natural, rehearse before making the call, and have follow-up questions for every question. Record the conversation for reporting purposes.

Listed below are the steps to perform social engineering by phone:

Step 10: Call the target, introduce yourself as his or her colleague, and then ask for the sensitive information.

Step 11: Call a target posing as an important user.

Step 12: Call a target posing as a technical support administrator. Tell the person that, to maintain a record of all the employees, information about their systems, login times, etc., you need a few details from employees. This way, you can convince the target to divulge sensitive information.

Step 13: Call a target, introduce yourself as one of the important people in the organization, and try to extract information.

Step 14: Call a target and offer him or her rewards in exchange for personal information.

Step 15: Threaten the target with dire consequences (for example, the company will disable the account) to get information.

Step 16: Use reverse social engineering techniques so that the targets yield personal information themselves.

The success of any social engineering technique depends on how well a tester can enact the testing script and on his/her interpersonal skills. There could be countless other social engineering techniques based on available information and the scope of the test.

Always scrutinize your testing steps for legal issues. To succeed in performing social engineering in person, you should dress appropriately and always maintain direct eye contact while speaking with the target employee. Use the mirror technique by mimicking the gestures of the target person to gain his/her trust. For example, if the target person is smiling, you should respond with a smile. This technique forges interconnection and engenders trust.

Listed below are the steps to perform social engineering in person.

Step 17: Befriend employees in the organization's cafeteria,

information.

Step 18: Try to enter the facility posing as an external auditor.

Step 19: Try to enter the facility posing as a technician.

Step 20: Try to tailgate wearing a fake ID badge or by piggybacking.

Step 21: Try eavesdropping and shoulder surfing on systems and users.

Step 22: Document all your results and findings in a formal report.

Social Engineering Penetration Testing Tools

Social Engineering Toolkit (SET)

The Social-Engineer Toolkit (SET) is an open-source Python-driven tool aimed at penetration testing via social engineering. It is a generic exploit designed to perform advanced attacks against human elements to compromise a target into offering sensitive information. SET categorizes attacks such as email, web, and USB according to the attack vector used to trick humans. The toolkit attacks human weakness, exploiting trust, fear, avarice, and the helping nature of humans.

DoS/DDoS Penetration Testing

DoS/DDoS attacks can cause huge financial losses, reputation damage, and customer attrition,

among other things. This section deals with penetration testing methodology to identify the

scope of DoS/DDoS attacks beforehand.


Denial-of-Service (DOS) Attack Penetration Testing

DOS attacks can compromise the computers in a network. They can disorganize an

organization's functioning, depending on the nature of the attack. Organizations can lose a

great deal of money while network resources are disabled. DOS attacks come in a variety of

forms and target a variety of services.

In general, in a DOS attack, the attacker sends illegitimate SYN or ping requests that overwhelm

the capacity of a network, thus leaving the network unable to handle legitimate connection

requests. Services running on the remote machines crash due to the specially crafted packets
that are flooded over the network. In such cases, the network cannot differentiate between

legitimate and illegitimate data traffic. DOS attacks can easily bring down a server. Attackers do

not need to have a great deal of knowledge to conduct them, making it essential to test for DOS

vulnerabilities.

Penetration testers should incorporate DoS attacks into penetration testing plans to determine

whether a network server is susceptible to DOS attacks. DOS penetration testing determines a

minimum threshold for DOS attacks on a system, but the tester cannot ensure that the system

is resistant to DOS attacks. The penetration tester floods the target network with traffic,

mimicking hundreds of people repeatedly requesting the service to check the system stability.

Thus, results of penetration test help administrators to determine and adopt suitable network

perimeter security controls such as load balancing, IDS, IPS, and firewalls.

Launching a DOS attack can have a negative impact on the business of an organization.

Therefore, prior to verifying a vulnerability to a DOS attack by actually launching it, the

penetration testing team should check with the client. The result of the attack can lead to a loss

of reputation along with economic losses. A successful DOS attack can disable computers and,

subsequently, an entire network. An attack launched by a moderately configured system can

crash PCs that are of high value.
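The SYN-flood behaviour described above is something the administrator's IDS must recognise. The following detection logic, added here and not part of the original text, counts per source the SYNs that are never followed by the completing ACK and flags flows with many half-open handshakes; the log format, addresses and thresholds are constructed for the example.

```python
"""Flag SYN-flood behaviour in a connection log (added example, not from the original text).
Each constructed line reads  <epoch-seconds> <src-ip> <dst-ip>:<port> <flags>  and records the
client side only: S for a SYN, A for the ACK that completes the handshake.  A legitimate
client follows each SYN with an ACK; a flooding client leaves the handshake half-open."""
from collections import defaultdict

def constructed_log():
    """Constructed sample: 10.0.0.5 completes 5 handshakes, 198.51.100.7 sends 40 bare SYNs."""
    lines = []
    for i in range(5):
        lines.append(f"{1000 + i} 10.0.0.5 192.0.2.10:443 S")
        lines.append(f"{1000 + i} 10.0.0.5 192.0.2.10:443 A")
    for i in range(40):
        lines.append(f"{1000 + i} 198.51.100.7 192.0.2.10:443 S")
    return lines

def parse(line):
    """Split one log line into (timestamp, src, dst_host, dst_port, flags)."""
    ts, src, dst, flags = line.split()
    host, port = dst.rsplit(":", 1)
    return int(ts), src, host, int(port), flags

def find_syn_flooders(lines, min_syn=20, max_completion=0.2):
    """Return {(src, dst_host, dst_port): stats} for flows with many SYNs but few completions.
    A flow is reported only if it sent at least min_syn SYNs and completed no more than the
    max_completion fraction of them, so a busy but well-behaved client is not flagged."""
    syns, acks = defaultdict(int), defaultdict(int)
    for line in lines:
        _, src, host, port, flags = parse(line)
        key = (src, host, port)
        if flags == "S":
            syns[key] += 1
        elif flags == "A":
            acks[key] += 1
    flagged = {}
    for key, n in syns.items():
        completed = min(acks[key], n)      # clamp so half-open can never go negative
        if n >= min_syn and completed / n <= max_completion:
            flagged[key] = {"syn": n, "completed": completed, "half_open": n - completed}
    return flagged

if __name__ == "__main__":
    for (src, host, port), s in find_syn_flooders(constructed_log()).items():
        print(f"{src} -> {host}:{port}: {s['half_open']} half-open of {s['syn']} SYNs")
```

A real stateful device ages half-open entries out on a timer rather than counting over the whole log, but the ratio test is the same idea.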

Penetration Testing Steps

The steps involved in the DoS-attack penetration testing process are discussed below:

Step 1: Define the objective: The first step in any penetration testing process is to

define an objective. This helps you to plan and determine the actions that help you

accomplish the goal of the test.

Step 2: Test for heavy loads on the server: To perform load testing, the penetration

tester should put an artificial load on a server or application to test its stability and

performance. This involves the simulation of a real-time scenario. Test a web server for

load capacity, server-side performance, locks, and other scalability issues, using

automated tools such as Webserver Stress Tool and Apache JMeter.

Step 3: Check for DOS vulnerable systems: The penetration tester should scan the

network to discover any systems that are vulnerable to DOS attacks, using automated

tools such as Nmap, GFI LanGuard, and Nessus.

Step 4: Run a SYN attack on the server: A penetration tester should try to run a SYN

attack on the main server by bombarding or flooding the target with connection request
packets, using tools such as Dirt Jumper DDoS Toolkit, HOIC, and DOS HTTP.

Step 5: Run port flooding attacks on the server: Port flooding sends a large number of

TCP or UDP packets to a particular port, creating a DOS on that port. The primary

purpose of this attack is to make the ports unusable and increase the CPU's usage to

100%. Both TCP and UDP ports are vulnerable to port flooding attacks. Use tools such as

LOIC and Moihack Port Flooder to automate a port flooding attack.

Step 6: Run an email bomber on the email servers: The penetration tester should send

a large number of emails to test the target mail server, using tools such as Mail Bomber.

If the server is not protected or strong enough, it will crash.

Step 7: Flood the website forms and guestbook with bogus entries: The penetration

tester should fill the online website forms and guestbook with arbitrary and lengthy

entries, and then submit them to check whether the data server is able to handle the

load.

Step 8: Document all the findings: Finally, document all the findings at each step of the

DOS pen-testing methodology for analysis and future reference.

Penetration Testing

Various hijacking methods exist, using which attackers exploit design flaws inherent in the

TCP/IP protocol suite to hijack a valid session. Therefore, it is a good practice to pen-test

regularly for session hijacking attacks.

This section deals with a pen-testing method that helps in identifying session hijacking attacks

at both the application-level and the network-level.


Session Hijacking Pen Testing

Session hijacking pen-testing involves the same process as that of the session hijacking attack.

For this, first the pen tester should locate a session, then check for various possibilities to hijack

a session. This may vary, depending on the network and mechanisms used for communication.

Given below is the standard procedure for session hijacking pen-testing:

Step 1: Locate a session

As already mentioned, the first step is to locate a target active session through packet
sniffing. After locating a session, check whether the URL uses a session ID; if it does,

then check whether the session is encrypted. If a session ID is not used, then proceed to

step 2.

Step 4: Send Phishing email for Session Fixation

If you succeed in cracking the session ID encryption, or if the session ID is not encrypted,

then send phishing mails to the victim to employ session fixation.
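Step 1 above boils down to two questions, whether the URL carries the session ID and whether the session travels over an encrypted channel. The following checker, added here and not part of the original text, answers both from a URL and the application's Set-Cookie headers and also audits the cookie attributes that limit hijacking; the URL, cookie names and header values are constructed samples.

```python
"""Check how a web application exposes its session identifier (added example, not from the text).

Codes the page's Step 1 checks: does the URL carry a session ID, and is the session
transported over TLS?  Set-Cookie headers are also audited for the attributes that limit
hijacking.  The URL, cookie names and header values below are constructed samples.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Parameter/cookie names commonly used for session tokens (heuristic, case-insensitive).
SESSION_NAME = re.compile(r"sess(ion)?_?id|phpsessid|jsessionid|asp\.net_sessionid|sid|token", re.I)
COOKIE_FLAGS = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}

def session_id_in_url(url):
    """Return query-parameter names (and a ;jsessionid path segment) that look like session IDs."""
    parts = urlsplit(url)
    found = [k for k in parse_qs(parts.query, keep_blank_values=True) if SESSION_NAME.fullmatch(k)]
    m = re.search(r";(jsessionid)=", parts.path, re.I)
    if m:
        found.append(m.group(1))
    return found

def audit_set_cookie(header):
    """Return findings for one Set-Cookie value; non-session cookies produce none."""
    name = header.split("=", 1)[0].strip()
    if not SESSION_NAME.fullmatch(name):
        return []
    attrs = {a.strip().split("=", 1)[0].lower() for a in header.split(";")[1:]}
    return [f"{name}: missing {label}" for flag, label in COOKIE_FLAGS.items() if flag not in attrs]

def assess(url, set_cookie_headers):
    """Combine the URL and cookie checks into a list of findings (empty means nothing found)."""
    findings = []
    ids = session_id_in_url(url)
    if ids:
        findings.append(f"session ID in URL: {', '.join(ids)} (exposed in logs, Referer, history)")
    if urlsplit(url).scheme != "https":
        findings.append("session not transported over TLS")
    for header in set_cookie_headers:
        findings.extend(audit_set_cookie(header))
    return findings

# Constructed sample: session ID in both path and query, plain HTTP, one unprotected cookie.
SAMPLE_URL = "http://app.example/account;jsessionid=ABC?sessionid=123&page=2"
SAMPLE_COOKIES = ["PHPSESSID=abc123; Path=/", "theme=dark; Path=/",
                  "JSESSIONID=xyz; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for finding in assess(SAMPLE_URL, SAMPLE_COOKIES):
        print(finding)
```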

Firewall/IDS Penetration Testing

A penetration tester needs to examine the organization's network perimeter defenses, such as firewalls

and IDS, to reduce the risks to the network from outside threats. Firewall/IDS penetration

testing helps in evaluating the firewall and IDS for ingress and egress traffic filtering capabilities.

Checking and updating the firewall and IDS rules is an essential component of penetration testing.

Depending upon these rules, traffic coming from outside the network is filtered and analyzed

against various threats. A pen-tester can even craft malicious packets to test firewall and IDS

rules which can help in the security assessment. After obtaining the security assessment report,

changes in the firewall and IDS rules can be made to enhance the network security.

Why Firewall/IDS Pen Testing?

To check if the firewall/IDS properly enforces an organization's firewall/IDS policy.

To check if the IDS and firewalls enforce the organization's network security policies.

To check if the firewall/IDS is good enough to prevent external attacks.

To check the effectiveness of the network's security perimeter.

To check the amount of network information accessible to an intruder.

To check the firewall/IDS for potential breaches of security that can be exploited.

To evaluate the correspondence of firewall/IDS rules with the actions performed

by them.

To verify whether the security policy is enforced correctly by a sequence of firewall/IDS

rules or not.
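The last two points, checking that a sequence of rules enforces the written policy and that each rule does what it is there for, can be tested offline against the rule set itself. The following checker is an added example, not part of the original text or any vendor's tooling: it evaluates packets against an ordered rule list with first-match semantics, reports policy cases the rule set gets wrong, and finds rules that can never fire because an earlier rule shadows them. The rule set, policy cases and addresses are constructed.

```python
"""Verify that an ordered firewall rule set enforces a written policy (added example, not
from the original text).  First-match semantics with an implicit final deny, as most packet
filters behave.  Rules, policy cases and addresses are constructed and follow no vendor syntax."""
import ipaddress
from typing import NamedTuple, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")

class Rule(NamedTuple):
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None matches any destination port

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("any", proto) and src in self.src and dst in self.dst
                and self.dport in (None, dport))

def evaluate(rules, proto, src, dst, dport=None):
    """Verdict for one packet: the first matching rule wins, otherwise deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((r.action for r in rules if r.matches(proto, s, d, dport)), "deny")

def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule already covers them."""
    return [i for i, later in enumerate(rules)
            if any(earlier.proto in ("any", later.proto)
                   and later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
                   and earlier.dport in (None, later.dport) for earlier in rules[:i])]

def verify_policy(rules, cases):
    """cases are (proto, src, dst, dport, expected); return those the rule set gets wrong."""
    return [c for c in cases if evaluate(rules, *c[:4]) != c[4]]

NET = ipaddress.ip_network
RULES = [                                                              # constructed rule set
    Rule("allow", "tcp", ANY, NET("203.0.113.0/24"), 443),             # public HTTPS to DMZ
    Rule("deny", "any", ANY, NET("10.0.0.0/8"), None),                 # block internal range
    Rule("allow", "tcp", NET("10.0.0.0/8"), NET("10.0.5.10/32"), 22),  # admin SSH (misordered)
    Rule("allow", "tcp", ANY, NET("203.0.113.0/24"), 443),             # duplicate of rule 0
]
POLICY = [                                                             # constructed test cases
    ("tcp", "198.51.100.9", "203.0.113.5", 443, "allow"),
    ("tcp", "198.51.100.9", "10.0.5.10", 22, "deny"),
    ("tcp", "10.0.1.7", "10.0.5.10", 22, "allow"),    # fails: rule 2 sits behind the deny
    ("udp", "198.51.100.9", "203.0.113.5", 53, "deny"),
]

REPORT = {"shadowed": shadowed_rules(RULES), "violations": verify_policy(RULES, POLICY)}
```

Moving the admin SSH rule ahead of the internal deny makes every policy case pass and leaves no shadowed rule, which is exactly the rule-ordering change a firewall assessment report would recommend.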
Web Server Penetration Testing

This section describes web server pen testing, which is performed to test the security posture of a

web server by simulating attacks on it much like an attacker, in order to find vulnerable areas in

the web server environment. Pen testing is a step-by-step process performed by a pen tester

with the help of pen testing tools.


Web Server Penetration Testing

To become a successful pen tester, think like an attacker!

Pen testing, or "security testing," is a methodology in which a pen tester simulates different types of

attacks on an organizations' information system to assess its security. Web server pen testing

tests an organization's web server security. Web server pen testing is used to identify, analyze,

and report vulnerabilities such as authentication weaknesses, configuration errors, protocol

related vulnerabilities, and so on in a web server. The best way to perform penetration testing

is to conduct a series of methodical and repeatable tests, and to work through all of the
different application vulnerabilities. Pen testing tools can automate the process.

Why Web server Pen Testing?

Verification of Vulnerabilities

To exploit the vulnerability in order to test and fix the issue

Remediation of Vulnerabilities

To retest the solution against the vulnerability to ensure that it is completely secure.

Identification of Web Infrastructure

To identify make, version, and update levels of web servers; this helps in selecting

exploits to test for associated published vulnerabilities.


Web Application Pen Testing

To secure web applications from various attacks, organizations adopt penetration

methodologies that help them assess the security of their web applications against known

attacks. Organizations hire pen testers to gauge their security by simulating known attacks on

target web applications. This section provides a brief overview of the steps involved in web

application penetration testing.

Web application pen testing is used to identify, analyze, and report vulnerabilities such as input

validation, buffer overflow, SQL injection, bypassing authentication, code execution, etc. in a

given application. The best way to perform penetration testing is to conduct a series of

methodical and repeatable tests and to work through all of the different application

vulnerabilities.

Why web application pen testing?

Identification of ports: Scan the ports to identify the associated running services and

analyze them through automated or manual tests to find weaknesses.

Verification of vulnerabilities: To exploit the vulnerability in order to test and fix the

issue.

Remediation of vulnerabilities: To retest the solution against the vulnerability to ensure

that it is completely secure.


Web Application Pen Testing Steps

A web application penetration test evaluates the security of a web application. The process

detects various security weaknesses, flaws, or vulnerabilities and presents them to the system

owner, along with an assessment of potential impacts and possible solutions. As a pen tester,

you must test web applications for vulnerabilities such as input validation, buffer overflow, SQL

injection, bypassing authentication, code execution, and so on. The best way to penetration

test is to conduct a series of methodical and repeatable tests and to work through all of the

different application vulnerabilities.

The general steps involved in web-application penetration testing are listed below to give you

an idea of how to proceed.

Step 1: Define objective

You should define the aim of the penetration test before conducting it. This helps

you move in the right direction towards the aim of the penetration test.

Step 2: Information gathering

You should gather as much information as possible about your target system or

network.

Step 3: Configuration management testing

Most web application attacks occur because of improper configuration. Therefore, you

should conduct configuration management testing. This also helps you to protect

against known vulnerabilities by installing the latest updates.


Step 4: Authentication testing

Test the application's authentication mechanism by trying to bypass it in any way

possible, and determine the possible exploits in it.

Step 5: Session management testing

Perform session management testing to check your web application against the various

attacks that an attacker carries out on session IDs, such as session hijacking, session fixation,

and so on.

Step 6: Denial-of-service testing

Send a vast number of requests to the web application until the server is saturated.

Analyze the behavior of the application when the server is saturated. In this way, you can

test your web application against denial-of-service attacks.

Step 7: Data validation testing

Failing to adopt a proper data validation method is a common security weakness

observed in most web applications, which can further lead to major vulnerabilities.

Thus, before a hacker finds those vulnerabilities and exploits your application, you must

perform data validation testing and protect it.

Step 8: Business logic testing

Web application security flaws may be present even in the context of business logic,

such as improper error handling. Try to exploit such flaws. Attackers may do something

that a business does not allow, which could in turn lead to great financial losses. Testing

business logic for security flaws often requires unconventional thinking.

Step 9: Authorization testing

Analyze how a web application authorizes users, then try to find and exploit the

vulnerabilities present in the authorization mechanism. For example, once

authenticated by the application, you should try to escalate your privileges to access

sensitive areas such as an admin page.

Step 10: Web services testing

Web services use the HTTP protocol in conjunction with XML, WSDL, SOAP, and UDDI

technologies. Therefore, they have XML parser-related vulnerabilities in addition to SQL

injection, information disclosure, and so on. You should conduct web services testing to

determine their vulnerabilities.

Step 11: AJAX testing


Though developers develop more responsive web applications using AJAX, it is likely

that they are just as vulnerable as traditional web applications. Testing for AJAX is

challenging, because developers are given full freedom to design the method of client-

server communication.

Step 12: Document all the findings

Once you conduct all the tests mentioned above, document all your findings and the

testing techniques you employed at each step. Analyze the document, explain the

current security posture to the concerned parties, and suggest how they can enhance

their security.
Wireless Pen Testing

Conduct pen tests on the WLAN to determine security loopholes and then repair them. A pen

tester tries to simulate an attack on the security of the target wireless network. This section

describes the steps the pen tester should perform to conduct a pen test on a wireless network.
Wireless Penetration Testing

Wireless penetration testing is a process of actively evaluating information security measures

implemented in a wireless network to analyze design weaknesses, technical flaws and

vulnerabilities. A comprehensive detailed report about the findings along with the suite of

recommended countermeasures is delivered to executive, management, and technical

audiences.

Threat Assessment: Identify the wireless threats facing an organization's information

assets.

Upgrading Infrastructure: Change or upgrade existing infrastructure of software,

hardware, or network design.

Risk Prevention and Response: Provide a comprehensive set of preparation steps

that can be taken to prevent exploitation that would otherwise be inevitable.

Security Control Auditing: To test and validate the efficiency of wireless security

protections and controls.

Data Theft Detection: Find streams of sensitive data by sniffing the traffic.

Information System Management: Collect information on security protocols, network

strength, and connected devices.
