Before a penetration test even begins, penetration testers spend time with their clients working out the scope, rules, and goals of the test. The penetration testers may break in using any means necessary, from using information found in the dumpster, to locating web application security holes, to posing as the cable guy. After pre-engagement activities, penetration testers begin gathering information about their targets.
Objective
- Type of firewall implemented, either hardware or software or a combination of both
- IP address range associated with the target
- Purpose of the organization and why it exists
- How big is the organization? What class is its assigned IP Block?
- Does the organization freely provide information about the type of operating systems employed and network topology in use?
- Does the organization allow wireless devices to connect to wired networks?
- Type of remote access used, either SSH or VPN
- Do help-wanted postings for IT positions give information on network services provided by the organization?
- Identify the organization’s users who may disclose personal information that can be used for social engineering, and infer possible usernames from it
Scanning Networks
Building on exercises from our information gathering and threat modeling, we can now begin to actively query our victims for vulnerabilities that may lead to a compromise. We have narrowed down our attack surface considerably since we first began the penetration test with everything potentially in scope.
Objective
- Check live systems and open ports
- Perform banner grabbing and OS fingerprinting
- Identify network vulnerabilities
- Draw network diagrams of vulnerable hosts
Enumeration
Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system. Enumeration techniques are conducted in an intranet environment.
Objective
- User name and user groups
- Lists of computers, their operating systems, and ports
- Machine names, network resources, and services
- Lists of shares on individual hosts on the network
- Policies and passwords
System Hacking
The goal of system hacking is to gain access, escalate privileges, execute applications, and hide files.
Objective
The objective of this lab is to help students learn to monitor a system remotely, extract hidden files, and complete other tasks that include:
- Extracting administrative passwords
- Hiding files and extracting hidden files
- Recovering passwords
- Monitoring a system remotely
Trojans and Backdoors
A Trojan is a program that contains malicious or harmful code inside apparently harmless programming or data in such a way that it can gain control and cause damage, such as ruining the file allocation table on a hard disk. With the help of a Trojan, an attacker can gain access to passwords stored on a computer and can read personal documents, delete files, display pictures, and/or show messages on the screen.
Objective
- Creating a server and testing a network for attack
- Detecting Trojans and backdoors
- Troubleshoot the network for performance
- Attacking a network using sample Trojans and documenting all vulnerabilities and flaws detected
Viruses and Worms
A virus is a self-replicating program that reproduces its own code by attaching copies of itself to other executable code. Some viruses affect computers as soon as their code is executed; others lie dormant until a predetermined logical circumstance is met.
Objective
- Create viruses using tools
- Create worms using a worm generator tool
Sniffers
Sniffing is performed to collect basic information from the target and its network. It helps to find vulnerabilities and select exploits for attack. It determines network information, system information, and organizational information.
Objective
- Sniff the network
- Analyze incoming and outgoing packets
- Troubleshoot the network for performance
Social Engineering
Social engineering is the art of convincing people to reveal confidential information. Social engineers depend on the fact that people are aware of certain valuable information and are careless in protecting it.
Objective
- Clone a website
- Obtain user names and passwords using the Credential Harvester method
- Generate reports for conducted penetration tests
Denial of Service
Denial-of-Service (DoS) is an attack on a computer or network that prevents legitimate use of its resources. In a DoS attack, attackers flood a victim’s system with illegitimate service requests or traffic to overload its resources and prevent it from performing intended tasks.
Objective
- Create and launch a Denial-of-Service attack on a victim
- Remotely administer clients’ systems
- Perform a DoS attack by sending a large number of SYN packets continuously
- Perform a DoSHTTP attack
Session Hijacking
Session hijacking refers to the exploitation of a valid computer session where an attacker takes over a session between two computers. The attacker steals a valid session ID, which is used to get into the system and sniff the data. In TCP session hijacking, an attacker takes over a TCP session between two machines. Since most authentications occur only at the start of a TCP session, this allows the attacker to gain access to a machine.
Objective
- Intercept and modify web traffic
- Simulate a Trojan, which modifies a workstation’s proxy server settings
Hacking Web Servers
The term web server can refer to either the hardware (the computer) or the software (the computer application) that helps to deliver content that can be accessed through the Internet. Most people think of a web server as just the hardware, but it is also the software application installed on that hardware. The primary function of a web server is to deliver web pages to clients on request using the Hypertext Transfer Protocol (HTTP).
Objective
- Footprint web servers
- Crack remote passwords
- Detect unpatched security flaws
Hacking Web Applications
Web applications provide an interface between end users and web servers through a set of web pages generated at the server end or that contain script code to be executed dynamically within the client Web browser.
Objective
- Parameter tampering
- Directory traversals
- Cross-Site Scripting (XSS)
- Web Spidering
- Cookie Poisoning and cookie parameter tampering
- Securing web applications from hijacking
SQL Injection
SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database.
Objective
- Understanding when and how a web application connects to a database server in order to access data
- Extracting basic SQL injection flaws and vulnerabilities
- Testing web applications for blind SQL injection vulnerabilities
- Scanning web servers and analyzing the reports
- Securing information in web applications and web servers
Hacking Wireless Networks
A wireless network refers to any type of computer network that is wireless and is commonly associated with a telecommunications network whose interconnections between nodes are implemented without the use of wires. Wireless telecommunications networks are generally implemented with some type of remote information transmission system that uses electromagnetic waves such as radio waves for the carrier. The implementation usually takes place at the physical level or layer of the network.
Objective
- Crack WEP using various tools
- Capture network traffic
- Analyze and detect wireless traffic
Evading IDS, Firewalls and Honeypots
An Intrusion Detection System (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system.
Objective
- Install and configure Snort IDS
- Run Snort as a service
- Log Snort log files to a Kiwi Syslog server
- Store Snort log files to two output sources simultaneously
Buffer Overflow
Buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory. This is a special case of violation of memory safety. Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security.
Objective
- Prepare a script to overflow buffer
- Run the script against an application
- Perform penetration testing for the application
- Enumerate a password list
Cryptography
Cryptography is the practice and study of hiding information. Modern cryptography intersects the disciplines of mathematics, computer science, and electrical engineering. Cryptology prior to the modern age was almost synonymous with encryption, the conversion of information from a readable state to one that didn’t make sense.
Objective
- Use encrypting/decrypting commands
- Generate hashes and checksum files