
What is Pen Testing?

Testing a computer for vulnerabilities has become a fundamental part of
deployment. The software development lifecycle includes testing as its final stage.
The advent of the internet and online services provided a rich environment for
hackers to find flaws in software.
The typical hacker was a bored teenager with a computer, a modem and plenty of
spare time. These attacks created a need for testing by thinking like an
attacker.
Hacking
The name hacker was originally used to describe someone who was very skilled at
modifying computer software. Over the years the term has come to describe someone
who uses the same skills for malicious purposes.
As the internet grew, hackers started posting their hacking software on bulletin
boards and then on shared underground websites. These were scripts, often written in
Python or Perl, that automated the attacks. The people who ran these scripts without
understanding how they worked became known as script kiddies.
Businesses then started using hacking techniques to check their own software in a
controlled environment. The term white hat was used to differentiate the authorized
tester from the black hat, the unauthorized hacker.
As the internet grew, a number of different types of black hat hackers emerged:
research hackers who find exploits, often in order to sell them to other black hats on
the dark net; state sponsored hackers, also known as cyber warriors, who hack for
military or espionage purposes; and organized crime, which has seen the financial
gain possible with hacking, so that cyber criminals now form one of the biggest
groups of hackers targeting industry.
State sponsored hackers and cyber criminals are very skilled and will often deploy
zero day exploits which can punch holes through the best defended networks.
The increasing black hat activity has created a massive demand for penetration
testing, and a demand for a much higher skill level to match that of the black hats.
The Cyber Kill Chain
The cyber kill chain (from Lockheed Martin) views an attack in 7 stages:
1) Reconnaissance
2) Weaponization
3) Delivery
4) Exploitation
5) Installation
6) Command and control
7) Actions on objectives (often shortened to Action)

1) Reconnaissance
Reconnaissance is the term given to finding out about a target. Individuals typically
have one internet address assigned to them by their service provider, whereas
businesses will have multiple addresses. An attacker will first start with the web
address and then perform scans to find other addresses for systems used by the
target. This is known as an IP address scan (host discovery).
When an attacker has a list of active hosts, they will scan each host to find out what
entry points are exposed. This is known as a port scan.
2) Weaponization
Weaponization means taking an exploit for a known vulnerability, customizing it to a
specific target or group of targets, pairing it with the payload to be delivered and
integrating it to run from an automated cyber attack platform. Cyber criminals will
often purchase the weaponized malware from dedicated developers.
3) Delivery
The most common way of delivering malware is to attach an infected PDF document,
image or other file to an email in such a way that when the document is opened, the
malware installs itself. This process is known as phishing.
Another way is to find a vulnerable website, infect it with malware and send an email
invitation to the target to visit the website (a watering hole or drive-by download).
A third way is to use default user IDs and passwords, or a stolen user ID and
password, to enter the target system and directly implant the malware.
It is also possible to find flaws in software that is exposed to the internet and to
deliver the malware through them directly.
Finally, an infected flash drive can be used if the target system is not directly
connected to the internet.
4) Exploitation
For email attachment and flash drive attacks, the infected item will exploit a
vulnerability in the target software post-delivery. For a browser-based attack, the
infected item will take advantage of a vulnerability in the browser. In the case of
remote access, the exploitation phase is simply the unauthorized use of credentials.
5) Installation
Once the exploit has succeeded, the malware writes its payload into memory or onto
the disk of the target system. A mechanism also has to be introduced to ensure the
payload is restarted every time the system is rebooted. On Windows this is commonly
achieved using the Windows Registry, for example the Run keys under
HKCU and HKLM\Software\Microsoft\Windows\CurrentVersion.
The payload will often be, or include, a means of maintaining ongoing access to a
command shell.
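The registry persistence just described is also what a responder looks for first. The following is an added example written for this page (not part of the original course material): it parses the text of a `reg export` dump of the two classic Run keys and flags auto-start values whose executable lives in a user-writable directory, impersonates a core Windows process from outside C:\Windows, or launches PowerShell hidden or with an encoded command. The .reg content, host paths and value names are constructed for the example, not taken from a real system.

```python
import re
from typing import Dict, List

# Constructed sample of a `reg export` of the two classic Run keys
# (hypothetical host; not captured from a real system).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe -k"
"Helper"="powershell.exe -w hidden -enc SQBFAFgA"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Sync"="C:\\Users\\Public\\sync.exe"
"""

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Directories any user can write to: a legitimate service rarely starts from here.
USER_WRITABLE_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                      "\\temp\\", "\\users\\public\\", "\\downloads\\")
# Core Windows process names that malware often borrows.
SYSTEM_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe",
                        "winlogon.exe", "explorer.exe"}
WINDOWS_DIR = "c:\\windows\\"   # where the real copies live


def _unescape(s: str) -> str:
    """Undo .reg string escaping (a backslash escapes the next character)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _first_token(command: str) -> str:
    """Return the executable path from a command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def parse_reg_autoruns(reg_text: str) -> List[Dict[str, str]]:
    """Parse REG_SZ values from a .reg export into {key, name, command} entries."""
    entries, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, value = _unescape(m.group(1)), m.group(2)
        if not (value.startswith('"') and value.endswith('"')):
            continue  # hex:/dword: values are not command lines
        entries.append({"key": key, "name": name,
                        "command": _unescape(value[1:-1])})
    return entries


def suspicious_reasons(command: str) -> List[str]:
    """Heuristics a responder would apply to one auto-start command line."""
    reasons = []
    exe = _first_token(command).lower()
    cmd = command.lower()
    base = exe.rsplit("\\", 1)[-1]
    if any(d in exe for d in USER_WRITABLE_DIRS):
        reasons.append("executable in user-writable directory")
    if base in SYSTEM_PROCESS_NAMES and not exe.startswith(WINDOWS_DIR):
        reasons.append("system process name outside C:\\Windows")
    if base in ("powershell.exe", "pwsh.exe") and any(
            f in cmd for f in ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden")):
        reasons.append("PowerShell launched hidden or with an encoded command")
    return reasons


def find_suspicious_autoruns(reg_text: str) -> List[Dict[str, object]]:
    """Return only the entries that trip at least one heuristic."""
    flagged = []
    for e in parse_reg_autoruns(reg_text):
        reasons = suspicious_reasons(e["command"])
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in find_suspicious_autoruns(SAMPLE_REG):
        print(f'{hit["key"]}\\{hit["name"]}: {hit["command"]}')
        for r in hit["reasons"]:
            print(f"    - {r}")
```

Two practical notes: `reg export` on a live host writes UTF-16LE with a BOM, so decode the file before feeding it in, and the Run keys are only two of the dozens of auto-start locations (services, scheduled tasks, WMI subscriptions, shell extensions); Sysinternals Autoruns covers the full set.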
6) Command and Control
A compromised system is often managed automatically. Once a payload is installed, the
first step it performs is to connect to the command and control (C2) server to register
as a compromised host. The attacker can then send back commands for some action to be
taken.
7) Action
The type of action carried out by the payload depends upon the motives of the
attacker. A hacktivist may want to deface a website. A state sponsored agent may
want to steal sensitive information. A cyber criminal may want to access a bank
account to steal money.
Understanding Malware Techniques and MITRE's ATT&CK Framework
MITRE ATT&CK is a comprehensive, publicly maintained repository of the tactics and
techniques used by adversaries and their malware. Its tactics roughly follow the
phases of the Lockheed Martin cyber kill chain, and the repository covers the entire
attack lifecycle from initial access through to impact.
The MITRE ATT&CK Matrix (figure not reproduced)
Pen Testing Tools
1) Scan Networks with Nmap
Nmap is used for scanning networks to discover what hosts are present and what
services are available on those hosts. Nmap's primary function is to scan a network
and probe the hosts it detects to determine the services running.
The command to discover what hosts are available is:
nmap -sn <ip address or range>
The -sn option performs host discovery only, with no port scan. When run as root it
sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP
timestamp request; without root privileges it falls back to TCP connects to ports 80
and 443. Nmap only reports the hosts that respond, giving their IP address and, for
hosts on the same local network segment, their MAC address.

Having identified which hosts are responding, we can probe the TCP and UDP ports to
identify what services are running.
For TCP ports the standard scan is the SYN scan:
nmap -sS <ip address>
Nmap checks the 1,000 most common TCP ports to see whether they are open. It does
this by starting to open a connection to each port and then tearing it down before
the three-way handshake completes: it sends an empty TCP packet with the SYN flag
set, an open port answers with the standard SYN-ACK, and Nmap replies with a RST
instead of the final ACK. (The closely related -PS option, the TCP SYN ping, sends the
same SYN probe but only as a host discovery check, not as a port scan.) -sS needs raw
socket privileges; as an unprivileged user Nmap falls back to the full connect scan,
-sT, which completes the handshake and is therefore more likely to be logged.
For UDP ports, we use the following command:
nmap -sU -Pn <ip address>
The -Pn option (spelled -P0 in older versions) skips the host discovery check, as it
has already been performed; the UDP scan probes the most common UDP ports. Closed
UDP ports answer with an ICMP port unreachable while open ones usually stay silent,
so a port that gives no answer is reported as open|filtered rather than open, and
UDP scans are slow.
We can also use Nmap to drill down into an individual service and get more details
about what is running using the following command:
nmap -sV <ip address>
Nmap will try to identify the version of software being used for each open service
by sending protocol probes and matching the banners it gets back. To limit the scan
to a particular port or range, use the (lower case) -p option:
nmap -sV -p <port number> <ip address>
All of these scans can also be combined into a single command, as illustrated below
(note that there is no space after the comma in the port list):
nmap -sSUV -p U:<port range>,T:<port range> <ip address>
Example (illustrative):
nmap -sSUV -p U:53,161,T:22,80,443 192.0.2.10
This command will perform both TCP and UDP port detection and service
identification using just one command.
To determine what operating system is running on the device, we use the command:
nmap -PS -O <ip address>
OS detection (-O) fingerprints the target's TCP/IP stack, needs raw socket
privileges, and works best when Nmap finds at least one open and one closed TCP
port. The -A option combines -O, -sV and the default scripts.
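The scans above produce a lot of text, so in practice a tester saves them with -oX and parses the XML. The following is an added example written for this page (not part of the original course material and not Nmap's own code): a Python parser for `nmap -oX` output, run over a constructed sample of what the combined `-sSUV -O` scan might return for a hypothetical host 192.0.2.10. It keeps only hosts that are up, pulls out the MAC address when present, the OS guess and each port's service version, and treats a UDP port reported as open|filtered as not confirmed open.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed output of `nmap -sSUV -O -oX - 192.0.2.10` for a hypothetical
# host; the values are illustrative, not from a real scan.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sSUV -O -oX - 192.0.2.10" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:0C:29:AA:BB:CC" addrtype="mac"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <extraports state="closed" count="996"/>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.52" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/>
        <service name="microsoft-ds" method="table" conf="3"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
        <service name="snmp" method="table" conf="3"/></port>
      <port protocol="udp" portid="53"><state state="open" reason="udp-response"/>
        <service name="domain" product="ISC BIND" version="9.18.1" method="probed" conf="10"/></port>
    </ports>
    <os><osmatch name="Linux 5.4 - 5.15" accuracy="96"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


@dataclass
class Service:
    proto: str
    port: int
    state: str
    name: str
    product: str = ""
    version: str = ""
    confirmed: bool = False   # True only when -sV actually probed the service


@dataclass
class Host:
    ip: Optional[str]
    mac: Optional[str]          # only present for hosts on the local segment
    hostname: Optional[str]
    os_guess: Optional[str]
    services: List[Service] = field(default_factory=list)


def parse_nmap_xml(xml_text: str) -> List[Host]:
    """Parse `nmap -oX` output into Host objects, skipping hosts that are down."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = mac = None
        for a in h.findall("address"):
            if a.get("addrtype") in ("ipv4", "ipv6"):
                ip = a.get("addr")
            elif a.get("addrtype") == "mac":
                mac = a.get("addr")
        hn = h.find("hostnames/hostname")
        osm = h.find("os/osmatch")
        host = Host(ip=ip, mac=mac,
                    hostname=hn.get("name") if hn is not None else None,
                    os_guess=osm.get("name") if osm is not None else None)
        for p in h.findall("ports/port"):
            st, sv = p.find("state"), p.find("service")
            host.services.append(Service(
                proto=p.get("protocol"), port=int(p.get("portid")),
                state=st.get("state") if st is not None else "unknown",
                name=sv.get("name", "") if sv is not None else "",
                product=sv.get("product", "") if sv is not None else "",
                version=sv.get("version", "") if sv is not None else "",
                confirmed=sv is not None and sv.get("method") == "probed"))
        hosts.append(host)
    return hosts


def open_services(host: Host) -> List[Service]:
    """Ports that are definitely open. open|filtered (UDP gave no answer) is
    excluded: it needs a follow-up probe, not a line in the report."""
    return [s for s in host.services if s.state == "open"]


def summarize(hosts: List[Host]) -> List[str]:
    """One line per open service, in the form a tester would paste into notes."""
    lines = []
    for host in hosts:
        for s in open_services(host):
            ver = f"{s.product} {s.version}".strip() or "(version unconfirmed)"
            lines.append(f"{host.ip} {s.port}/{s.proto} {s.name} {ver}")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_nmap_xml(SAMPLE_XML)):
        print(line)
```

The `confirmed` flag matters when reading the summary: a `method="table"` service name is only Nmap's guess from the port number, whereas `method="probed"` means the version probes got a matching banner back.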
Penetration Testing with Metasploit
Understanding Metasploit
History
HD Moore, a cybersecurity professional, realized he spent a major chunk of his time
sanitizing public exploits rather than focusing on exploitation strategies.
Moore released the first version of Metasploit in 2003 with a total of 11 exploits. The
initial release was written in Perl and was then rewritten in Ruby in 2007.
Metasploit was acquired by Rapid7 in 2009. Currently Metasploit supports more
than 2300 exploits and over 3300 modules and payloads in total.
The Metasploit Framework operates as an open source project backed by over
200,000 users and contributors. It has exploits available for most OS platforms,
products and OEMs.
Metasploit Timeline (figure not reproduced)

Overview of Metasploit
Metasploit is neither a routine tool nor a common piece of software. It is a framework
that you can use off the shelf or use as a base to build your own exploits. It supports
most phases of a penetration testing exercise. It integrates with the majority of 3rd
party tools such as Nmap, Acunetix and Nessus. Metasploit is not the only framework
out there, but it is the most commonly used.

Architecture of Metasploit (diagram not reproduced)

At the center of the architecture diagram are the three Metasploit libraries. The
libraries let us run exploits without having to write additional code. All three
libraries interact with the Metasploit user interfaces.
Rex (the Ruby Extension library) is the basic library for most low-level tasks such as
• Handling socket connections
• The TCP/IP protocol stack
• SSL/TLS handling
MSF Core provides the basic API of Metasploit. MSF Base sits on top of Core and
provides the friendly API, and also helps in dealing with the other APIs used within
the framework. It offers features such as logging and session management.
Additionally, there are the Metasploit user interfaces: the command line,
msfconsole, the web UI and the GUI.
On the extreme right of the diagram are the various module types that are available
within Metasploit: Auxiliary, Encoders, Exploits, NOPs (no operation) and Payloads
(newer versions also have Post and Evasion modules).

Penetration Modules
Metasploit provides us with various modules that we can use for penetration testing.
These include:
a) Exploits
An exploit is a piece of code that, when executed, takes advantage of a specific
vulnerability on the target.
b) Payloads
A payload is a piece of code that runs on the target after successful exploitation. It
defines the actions that we want to perform on the target after we have successfully
compromised the system.
c) Auxiliary
Auxiliary modules provide non-exploitation features such as scanning, fuzzing and
sniffing. Auxiliary modules do not require payloads.
d) Encoders
Encoders transform the bytes of a payload before it is sent, primarily so that it
contains none of the "bad characters" (such as null bytes or newlines) that the
vulnerable program would mangle, and secondarily to obfuscate it. Historically this
also helped evade signature-based antivirus and intrusion detection, but the stock
encoders are well known and modern antivirus detects them; they should not be relied
on for evasion.
e) NOPs - No Operation
NOP generators produce sequences of no-operation instructions. They are used to pad
a payload to a fixed size, so that the exploit buffer has the same length whichever
payload is chosen, and to build a NOP sled in front of the payload, so that execution
still slides into the payload when the exact return address is slightly off. This makes
the exploitation more reliable.
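As an added illustration of what the encoder and NOP modules do (example code written for this page, not Metasploit's own implementation, and using illustrative bytes rather than real shellcode), the Python below finds a single-byte XOR key that keeps the encoded payload free of a hypothetical target's bad characters, prepends a stand-in for the decoder stub, pads the buffer with a NOP sled to a fixed size, and models execution landing at different offsets to show why the sled makes the exploit reliable. The bad-character set, the payload bytes and the two-byte stub marker are all assumptions made for the example.

```python
# Bad characters of a hypothetical vulnerable target: NUL, LF and CR would
# truncate or mangle the buffer before it reaches the overflow.
BAD_CHARS = b"\x00\x0a\x0d"

# Illustrative payload bytes (NOT working shellcode), chosen so that they
# contain bad characters and so that the first candidate key, 1, fails.
PAYLOAD = b"\x31\xc0\x50\x68\x00\x0a\x0d\x01\x0b\x0c\xcd\x80"

NOP = 0x90                  # x86 single-byte no-op
STUB_MARKER = b"\xeb\x0b"   # stand-in for the decoder stub's machine code


def find_xor_key(payload: bytes, bad: bytes = BAD_CHARS) -> int:
    """Return the smallest single-byte XOR key such that neither the key
    (which is embedded in the decoder stub) nor any encoded byte is a bad char."""
    for key in range(1, 256):
        if key in bad:
            continue
        if all((b ^ key) not in bad for b in payload):
            return key
    raise ValueError("no single-byte key works; a multi-byte or additive "
                     "feedback encoder would be needed")


def xor_encode(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def xor_decode(data: bytes, key: int) -> bytes:
    return xor_encode(data, key)    # XOR is its own inverse


def build_buffer(payload: bytes, total_len: int, bad: bytes = BAD_CHARS) -> bytes:
    """NOP sled + decoder stub (marker + key) + encoded payload, padded to a
    fixed size so the exploit's string length never changes."""
    key = find_xor_key(payload, bad)
    body = STUB_MARKER + bytes([key]) + xor_encode(payload, key)
    if any(b in bad for b in body):
        raise ValueError("stub contains a bad character")
    sled_len = total_len - len(body)
    if sled_len < 0:
        raise ValueError("payload does not fit in the buffer")
    return bytes([NOP]) * sled_len + body


def run_from(buffer: bytes, offset: int):
    """Model the CPU starting execution at `offset`: it slides down the NOP
    sled until it reaches non-NOP bytes, which must be the decoder stub.
    Returns the decoded payload, or None if it landed somewhere fatal."""
    i = offset
    while i < len(buffer) and buffer[i] == NOP:
        i += 1
    if buffer[i:i + len(STUB_MARKER)] != STUB_MARKER:
        return None                     # landed mid-stub or in encoded data
    key_pos = i + len(STUB_MARKER)
    if key_pos >= len(buffer):
        return None
    return xor_decode(buffer[key_pos + 1:], buffer[key_pos])


if __name__ == "__main__":
    buf = build_buffer(PAYLOAD, 64)
    print("key:", find_xor_key(PAYLOAD), "buffer:", buf.hex())
    for off in (0, 30, 48, 49, 50):
        print(f"land at {off:2d}:", "ok" if run_from(buf, off) == PAYLOAD else "crash")
```

In the framework the decoder stub is real machine code (for x86 the classic one is shikata_ga_nai) and the encoder checks the whole buffer, stub included, against the exploit's declared bad characters; the model above keeps only that logic. Note that any landing point from the start of the sled up to the stub itself succeeds, while one byte past the stub start fails, which is exactly the margin a sled buys you.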

What can Metasploit do?

The six stages of a penetration test are:
1) Reconnaissance / information gathering
2) Scanning
3) Gaining access
4) Maintaining access
5) Clearing tracks
6) Reporting
Metasploit has built-in support for the first five stages. During the
reconnaissance/information gathering stage, we can take advantage of the auxiliary
modules to run sniffers and banner grabs and to perform whois lookups.
During the active information gathering/scanning stage, we can run Nmap scans
directly from the Metasploit console (db_nmap stores the results in the framework's
database). We can also use the auxiliary modules to perform a more target specific scan.
For the next three stages, that is gaining access, maintaining access and clearing
tracks, we rely on the exploit, payload and NOP modules of Metasploit. We can also
import modules from GitHub and run them through Metasploit.
The best part of Metasploit is that it gives us a framework to write our own exploits.
We can use the Metasploit libraries to write our own exploit code and payloads, couple
them with the existing libraries and use them on a target.
The last stage of pen testing, i.e. reporting, is only available in the Pro version of
Metasploit. From the free framework you can still export scan results from msfconsole.
Vulnerability Assessments
A vulnerability assessment is where we enumerate all the vulnerabilities that we can
find in a specific technology, process, service or manufacturer's product, without
exploiting them.
Penetration Testing
This is where we exploit certain specific vulnerabilities with the objective of
demonstrating an effective compromise or capturing a flag in the target
environment.
Vulnerability
A vulnerability is a flaw in the system being tested.
Threat
A threat is a potential event or actor that could take advantage of a vulnerability.
Risk
Risk is the damage that would be incurred if the vulnerability is exploited by the threat
actor, weighed against how likely that is to happen.
Exploit
An exploit is the means by which an attacker or a pentester takes advantage of a flaw
within the system.
Payload
A payload is the piece of code that we want the target system to execute after we have
successfully exploited the target.
