
Advanced Penetration Testing With Kali Linux


Lecture 1: Introduction
What is Penetration Testing
Offence for Defence
White hat hackers do it for security.
It is also referred to as ethical hacking
Most effective method to identify systemic weaknesses and deficiencies
Mimics the ways of a real malicious hacker in a non-destructive way
Why Penetration Testing
Allows the business to understand whether the mitigation strategies employed are actually working as expected
Proving that the testers were able to compromise the critical systems targeted
Proving beyond doubt that the vulnerabilities found would lead to a significant loss of revenue
What about Kali Linux
Formerly known as BackTrack
Linux distribution exclusively for security testing, developed by Mati Aharoni and Devon Kearns of Offensive Security
Includes tools for pen-testing, reverse engineering, forensics, stress testing, hardware testing and so on
Highly configurable & uses open source tools
Current Version 1.0.9
Prerequisites for a Pen-test Lab
Windows/Linux/Mac OS as Host
VM client (preferably VMware Workstation)
GNS3 virtual network builder
VMs: it is going to be a long list (see next page)
VMs Required
Metasploitable2
Ubuntu 12.04+
Windows XP, 7, 8
Mac OS X ML+
CentOS/RHEL 6
Windows Server 2003, 2008, 2012
Of course, the one and only Kali Linux
Installing the Kali Linux in a VM
Create a new VM
Minimum: 1 processor, 1 GB RAM, 20 GB HDD
Select the Kali Linux ISO for the disk drive and change the boot order
Network settings: change to a Bridged connection (discuss Bridged, NAT and virtual networks)
Turn on the VM and in the Kali boot menu select Graphical Install
Proceed up to network configuration.
If DHCP fails, set a static IP
Proceed until partitioning.
In the partitioning menu select Create custom layout
Make a new partition of size 18 GB, select / as the mount point and ext4 as the filesystem.
Make a new partition from the rest of the space and select swap as its filesystem.
Discuss advanced partitioning: separate /home, LVM, RAID etc.
Standards of Pentesting
PTES: Penetration Testing Execution Standard
OSSTMM: Open Source Security Testing Methodology Manual
ISSAF: Information Systems Security Assessment Framework
OWASP: Open Web Application Security Project
LPT: Licensed Penetration Testing
Penetration Testing Execution Standard
New standard designed to provide both businesses and security service providers with a common language and scope for performing penetration testing
Started in early 2009 after discussions among the founders, who were then in various departments
Consists of 7 domains, namely:
Pre-engagement Interactions
Intelligence Gathering
Threat Modelling
Vulnerability Analysis
Exploitation
Post Exploitation
Reporting
Open Source Security Testing Methodology
The Open Source Security Testing Methodology Manual (OSSTMM) was written by Pete Herzog and is distributed by the Institute for Security and Open Methodologies (ISECOM)
It places emphasis on getting business value.
It gives a helpful broad description of the categories of testing and includes step-by-step process descriptions and information, but does not go deep into particular penetration testing tools and commands
OSSTMM covers Competitive Intelligence Review, Internet Security (port scanning, firewalls, etc.), Communication Security, Physical Security, Wireless Security, etc.
Includes numerous information-gathering templates.
Information Systems Security Assessment Framework
ISSAF is one of the largest free assessment methodologies available
Its control tests have detailed instructions for operating testing tools and what results to look for
Split into 2 documents
One for the business aspect and the other for the technical
Open Web Application Security Project
Created to assist web developers and security practitioners to better secure web applications
OWASP is a non-profit organization and has created a number of tools for testing web applications
OWASP testing guide has become the standard for web application testing
Version 3 was released in December of 2008
OWASP
The OWASP testing methodology is split as follows:
Information gathering
Configuration management
Authentication testing
Session management
Authorization testing
Business logic testing
Data validation testing
Denial of service testing
Web services testing
AJAX testing
The OWASP project also has a subproject called WebGoat that lets you load a vulnerable website in a controlled environment to test these techniques against a live system.
Licensed Penetration Testing
The ECSA-LPT programme from EC-Council
The Licensed Penetration Tester licence provides assurance to your employer or prospective clients that you possess the ability to perform a methodological security assessment
Developed after thorough analysis of other frameworks
Bolstered by incorporating the strengths of other frameworks into one certification
PenTest Classifications
White Box
Black Box
White Box Pen Testing
Inside details of the system/network/program are known
Usually source code/topology/infrastructure is given before testing starts
Deep and thorough testing
Maximizes testing time
Extends the testing area to where black box testing cannot reach (such as quality of code, application design, etc.)
Non-realistic attack
Black Box Pen Testing
Takes the approach of an uninformed, real attacker
No previous information about the target system/network/code
It simulates a very realistic scenario
Testing time cannot be maximised in certain scenarios
Grey Box Pen Testing
In between that of White & Black
Only minimal details are known to the pen-tester.
Saves Reconnaissance time
Vulnerability Assessment
Vulnerability assessments are necessary for discovering potential vulnerabilities throughout the environment
Many automation tools are available
Examples are Nessus, GFI LanGuard, Nexpose, Lynis etc.
Systems are typically enumerated and evaluated for vulnerabilities with or without authentication
Full exploitation is not done during a vulnerability assessment
The scope of the test determines what, when and how to test.
Scope of VAPT
Details, procedures, rules and agreements to be considered
Main details include
Contract between the company and the pen-tester
Black box or white box
Range of IPs and systems tested
How compromised systems or databases are handled
Other legal issues
This list varies according to the methodology adopted
Test Profiling
Understanding Client requirements
Modifying the scope on the basis of the client's needs
Dealing with legal concerns
Taking necessary legal precautions
Preparing an action plan
Checklisting the plan
Cross-verifying that it meets the client requirements
Framing the test Boundary
Frame the boundary of test
Determine what & what not to look into
In the case of URLs, determine the base URL
Estimate the time required for testing
Deploy teams accordingly
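The two slides above (the IP range and systems in the scope of VAPT, and framing the test boundary by base URL) describe a check that is worth automating, so that no host or URL outside the contract is ever touched by mistake. The following is an added example written for this lecture, not code from the course or from Kali Linux. Every range, host name and URL in it is a constructed sample (RFC 5737 documentation addresses and the reserved .test domain), and the Scope class and filter_targets function are hypothetical names chosen for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample scope, in the form it might be lifted from the engagement
# contract.  The IP ranges are RFC 5737 documentation addresses and the host
# names end in the reserved .test TLD, so nothing here refers to a real system.
SCOPE_CIDRS = ["192.0.2.0/24", "198.51.100.10/32"]
SCOPE_BASE_URLS = ["https://app.example.test", "https://api.example.test:8443/v1"]
EXCLUDED_HOSTS = ["192.0.2.1"]   # inside a range, but carved out by the client


class Scope:
    """Authorised test boundary: IP ranges, explicit exclusions and base URLs."""

    def __init__(self, cidrs, base_urls, excluded_hosts=()):
        self.networks = [ipaddress.ip_network(c, strict=False) for c in cidrs]
        self.excluded = {ipaddress.ip_address(h) for h in excluded_hosts}
        self.bases = []
        for url in base_urls:
            base = self._split(url)
            if base is None:
                raise ValueError(f"base URL has no usable host: {url!r}")
            self.bases.append(base)

    @staticmethod
    def _split(url):
        """Reduce a URL to (scheme, host, port, path) so two URLs can be compared.
        Returns None when the URL has no usable host or an invalid port."""
        parts = urlsplit(url)
        try:
            port = parts.port
        except ValueError:          # e.g. "https://host:abc/"
            return None
        if not parts.hostname or parts.scheme not in ("http", "https"):
            return None
        if port is None:
            port = 443 if parts.scheme == "https" else 80
        path = parts.path.rstrip("/") or "/"
        return (parts.scheme, parts.hostname, port, path)

    def ip_in_scope(self, ip_text):
        """True only if the address lies in an agreed range and is not excluded."""
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:          # not an IP literal: never assume it is in scope
            return False
        if ip in self.excluded:
            return False
        return any(ip in net for net in self.networks)

    def url_in_scope(self, url):
        """True only if scheme, host and port match a base URL and the path sits
        under the base URL's path prefix ("/v1" covers "/v1/users", not "/v10")."""
        target = self._split(url)
        if target is None:
            return False
        scheme, host, port, path = target
        for b_scheme, b_host, b_port, b_path in self.bases:
            if (scheme, host, port) != (b_scheme, b_host, b_port):
                continue
            if b_path == "/" or path == b_path or path.startswith(b_path + "/"):
                return True
        return False


SCOPE = Scope(SCOPE_CIDRS, SCOPE_BASE_URLS, EXCLUDED_HOSTS)


def filter_targets(targets, scope=SCOPE):
    """Split a candidate target list into (allowed, rejected) before any testing
    starts.  A target is an IP literal or a URL; anything else is rejected."""
    allowed, rejected = [], []
    for t in targets:
        ok = scope.url_in_scope(t) if "://" in t else scope.ip_in_scope(t)
        (allowed if ok else rejected).append(t)
    return allowed, rejected


if __name__ == "__main__":
    # Constructed candidate list: some inside the boundary, some outside it.
    candidates = ["192.0.2.55", "192.0.2.1", "203.0.113.9",
                  "https://app.example.test/login",
                  "https://api.example.test:8443/v1/users",
                  "https://api.example.test/v1", "app.example.test/login"]
    allowed, rejected = filter_targets(candidates)
    print("in scope:    ", allowed)
    print("out of scope:", rejected)
```

The design choice worth noting is that everything ambiguous is rejected: a string that is not an IP literal, a URL without a scheme, a base URL whose port differs from the contract, or a path that merely shares a prefix string with the agreed base path all come back as out of scope. Widening the boundary should require editing the contract-derived lists, never a lenient parser.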
Vulnerability Assessment vs Penetration Testing
Penetration testing is the process that follows vulnerability assessment
Exploitation of systems occurs in pen-tests
Complete enumeration of a system takes place during VA
A vulnerability report includes details of the vulnerability, its impact, and patch information.
A pen-test report only proves that a found vulnerability exists and is exploitable
Advanced Penetration Methodologies
Includes more secure environments
Patched environments
Managed system configuration & hardened policies
Multi layered DMZs
Highly configured Firewalls
IDS/IPS systems Both Wired & Wireless
Web-App Intrusion Detection systems
These environments make VAPT harder
Advanced PT goes beyond any standard, taking advantage of new threats and security research
It is the pen-tester's duty to make the client confident that their systems are hard to break into
But remember: nothing (no data) is completely secure
