Ethical Hacking and Penetration Testing Guide-02

Ethical Hacking and Penetration Testing Guide by RAFAY BALOCH 

VULNERABILITY 

Vulnerability is defined as a flaw or a weakness inside the asset that could be used to gain unauthorized access to it. The successful compromise of a vulnerability may result in data manipulation, privilege elevation, etc. 

THREAT 

A threat represents a possible danger to the computer system. It represents something that an organization doesn’t want to happen. A successful exploitation of vulnerability is a threat. A threat may be a malicious hacker who is trying to gain unauthorized access to an asset. 

EXPLOIT 

An exploit is something that takes advantage of vulnerability in an asset to cause unintended or unanticipated behavior in a target system, which would allow an attacker to gain access to data or information. 

RISK 

A risk is defined as the impact (damage) resulting from the successful compromise of an asset. For example, an organization running a vulnerable apache tomcat server poses a threat to an organization and the damage/loss that is caused to the asset is defined as a risk. Normally, a risk can be calculated by using the following equation: 

Risk = Threat * vulnerabilities * impact 

WHAT IS A PENETRATION TEST? 

A penetration test is a subclass of ethical hacking; it comprises a set of methods and procedures that aim at testing/protecting an organization’s security. The penetration tests prove helpful in finding vulnerabilities in an organization and check whether an attacker will be able to exploit them to gain unauthorized access to an asset. 

VULNERABILITY ASSESSMENTS VERSUS PENETRATION TEST 

Oftentimes, a vulnerability assessment is confused with a penetration test; however, these terms have completely different meanings. In a vulnerability assessment, our goal is to figure out all the vulnerabilities in an asset and document them accordingly. In a penetration test, however, we need to simulate as an attacker to see if we are actually able to exploit a vulnerability and document the vulnerabilities that were exploited and the ones that turned out to be false-positive. 

PREENGAGEMENT 

Before you start doing a penetration test, there is whole lot of things you need to discuss with clients. This is the phase where both the customer and a representative from your company would sit down and discuss about the legal requirements and the “rules of engagement.” 

RULES OF ENGAGEMENT 

Every penetration test you do would comprise of a rules of engagement, which basically defines how a penetration test would be laid out, what methodology would be used, the start and end dates, the milestones, the goals of the penetration test, the liabilities and responsibilities, etc. All of them have to be mutually agreed upon by both the customer and the representative before the penetration test is started. Following are important requirements that are present in almost every ROE: 

■ A proper “permission to hack” and a “nondisclosure” agreement 

   should be signed by both the parties. 

■ The scope of the engagement and what part of the organization 

   must be tested. 

■ The project duration including both the start and the end date. 

■ The methodology to be used for conducting a penetration test. 

■ The goals of a penetration test. 

■ The allowed and disallowed techniques, whether denial-ofservice testing 

    should be performed or not. 

■ The liabilities and responsibilities, which are decided ahead of time. 

   As a penetration tester you might break into something that should not be accessible, causing a denial    of service; also, you might access sensitive information such as credit cards. Therefore, the liabilities      should be defined prior to the engagement. 

If you need a more thorough documentation, refer to the “PTES Preengagement” document (http://www.penteststandard. org/index.php/Pre-engagement)

MILESTONES

Before starting a penetration test, it’s good practice to set up

milestones so that your project is delivered as per the dates given in

the rules of engagement.

   You can use either a GANTT chart or a website like Basecamp that

helps you set up milestones to keep track of your progress. The

following is a chart that defines the milestones followed by the date

they should be accomplished.

PENETRATION TESTING METHODOLOGIES

In every penetration test, methodology and the reporting are the most

important steps. Let’s first talk about the methodology. There are

several different types of penetration testing methodologies that

address how a penetration test should be performed. Some of them

are discussed in brief next.

OSSTMM

An open-source security testing methodology manual (OSSTMM) basically includes almost all the steps involved in a penetration test. The methodology employed for penetration test is concise yet it’s a cumbersome process which makes it difficult to implement it in our everyday life. Penetration tests, despite being tedious, demands a great deal of money out of company’s budgets for their completion which often are not met by a large number of organizations. 

NIST

NIST, on the other hand, is more comprehensive than OSSTMM, and it’s something that you would be able to apply on a daily basis and in short engagements. The screenshot indicates the four steps of the methodology, namely, planning, discovery, attack, and reporting. The testing starts with the planning phase, where how the engagement is going to be performed is decided upon. This is followed by the discovery phase, which is divided into two parts—the first part includes information gathering, network scanning, service identification, and OS detection, and the second part involves vulnerability assessment. After the discovery phase comes the attack phase, which is the heart of every penetration test. If you are able to compromise a target and a new host is discovered, in case the system is dual-homed or is connected with multiple interfaces, you would go back to step 2, that is, discovery, and repeat it until no targets are left. The indicating arrows in the block phase and the attack phase to the reporting phase indicate that you plan something and you report it—you attack a target and report the results. The organization also has a more detailed version of the chart discussed earlier, which actually explains more about the attack phase. It consists of things such as “gaining access,” “escalating privileges,” “system browsing,” and “install additional tools.” We will go through each of these steps in detail in the following chapters.

OWASP

As you might have noticed, both the methodologies focused more on

performing a network penetration test rather than something

specifically built for testing web applications. The OWASP testing

methodology is what we follow for all “application penetration tests”

we do here at the RHA InfoSEC. The OWASP testing guide basically

contains almost everything that you would test a web application for.

The methodology is comprehensive and is designed by some of the

best web application security researchers.

Categories of Penetration Test

When the scope of the penetration test is defined, the category/type of

the penetration test engagement is also defined along with it. The

entire penetration test can be Black Box, White Box, or Gray Box

depending upon what the organization wants to test and how it wants

the security paradigm to be tested.

BLACK BOX

A black box penetration test is where little or no information is

provided about the specified target. In the case of a network

penetration test this means that the target’s DMZ, target operating

system, server version, etc., will not be provided; the only thing that

will be provided is the IP ranges that you would test. In the case of a

web application penetration test, the source code of the web

application will not be provided. This is a very common scenario that

you will encounter when performing an external penetration test.

WHITE BOX

A white box penetration test is where almost all the information about

the target is provided. In the case of a network penetration test,

information on the application running, the corresponding versions,

operating system, etc., are provided. In the case of a web application

penetration test the application’s source code is provided, enabling us

to perform the static/dynamic “source code analysis.” This scenario is

very common in internal/onsite penetration tests, since organizations

are concerned about leakage of information.

GRAY BOX

In a gray box test, some information is provided and some hidden. In

the case of a network penetration test, the organization provides the

names of the application running behind an IP; however, it doesn’t

disclose the exact version of the services running. In the case of a

web application penetration test, some extra information, such as test

accounts, back end server, and databases, is provided.

TYPES OF PENETRATION TESTS

There are several types of penetration tests; however, the following

are the ones most commonly performed:

Network Penetration Test

In a network penetration test, you would be testing a network

environment for potential security vulnerabilities and threats. This

test is divided into two categories: external and internal penetration

tests.

An external penetration test would involve testing the public IP

addresses, whereas in an internal test, you can become part of an

internal network and test that network. You may be provided VPN

access to the network or would have to physically go to the work

environment for the penetration test depending upon the engagement

rules that were defined prior to conducting the test.

Web Application Penetration Test

Web application penetration test is very common nowadays, since

your application hosts critical data such as credit card numbers,

usernames, and passwords; therefore this type of penetration test has

become more common than the network penetration test.

Mobile Application Penetration Test

The mobile application penetration test is the newest type of

penetration test that has become common since almost every

organization uses Android- and iOS-based mobile applications to

provide services to its customers. Therefore, organizations want to

make sure that their mobile applications are secure enough for users

to rely on when providing personal information when using such

applications.

Social Engineering Penetration Test

A social engineering penetration test can be part of a network

penetration test. In a social engineering penetration test the

organization may ask you to attack its users. This is where you use

speared phishing attacks and browser exploits to trick a user into

doing things they did not intend to do.

Physical Penetration Test

A physical penetration test is what you would rarely be doing in your

career as a penetration tester. In a physical penetration test, you

would be asked to walk into the organization’s building physically

and test physical security controls such as locks and RFID

mechanisms.

REPORT WRITING

In any penetration test, the report is the most crucial part. Writing a

good report is key to successful penetration testing. The following are

the key factors to a good report:

■ Your report should be simple, clear, and understandable.

■ Presentation of the report is also important. Headers, footers,

appropriate fonts, well-spaced margins, etc., should be

created/selected properly and with great care. For example, if

you are using a red font for the heading, every heading in the

document should be in that style.

■ The report should be well organized.

■ Correct spelling and grammar is important too. A misspelled

word leaves a very negative impact upon the person who is

reading your report. So, you should make sure that you

proofread your report and perform spell-checks before

submitting it to the client.

■ Always make sure that you use a consistent voice and style in

writing a report. Changing the voice would create confusion in

the reader; so you should choose one voice and style and stick

to it throughout your report.

■ Make sure you spend time on eliminating false-positives

(vulnerabilities that are actually not present), because falsenegatives

will always be there no matter what you do.

Eliminating the false-positives would enhance the credibility of

the report.

■ Perform a detailed analysis of the vulnerability to find out its

root cause. A screenshot of a RAW http request or the

screenshot that demonstrates the evidence of the finding would

give a clear picture to the developer of the status.

UNDERSTANDING THE AUDIENCE

Understanding the audience that would be reading your penetration

testing report is a very crucial part of the penetration test. We can

divide the audience into three different categories:

1. Executive class

2. Management class

3. Technical class

While writing a report, you must understand which audience would

read which part of your report; for example, the company’s CEO

would not be interested in what exploit you used to gain access to a

particular machine, but on the flip side, your developers will probably

not be interested in the overall risks and potential losses to the

company; instead, they would be interested in fixing the code and

therefore in reading about detailed findings. Let’s briefly talk about

the three classes.

Executive Class

This category includes the CEOs of the company. Since they have a

very tedious schedule and most of the times have less technical

knowledge, they would end up reading a very small portion of the

report, specifically the executive summary, remediation report, etc.,

which we will discuss later in this chapter.

Management Class

Next, we have the management class, which includes the CISOs and

CISSPs of the company. Since they are the ones who are responsible

for implementing the security policy of the company, they would

probably be a bit more interested in reading about overall strengths

and weaknesses, the remediation report, the vulnerability assessment

report, etc.

Technical Class

This class includes the security manager and developers, who would

be interested in reading your report thoroughly. They would

investigate your report as they are responsible for patching the

weaknesses found and for making sure that the necessary patches are

implemented.

Writing Reports

Now we are going to get into the essentials of the reporting phase,

which will teach you about the structure of a report. We have

discussed what a good report should look like. I pointed out that

knowing your audience was essential. One of the key factors about a

good report is that it should meet the needs for each audience and be

presented in a clear and understandable manner.

The next major part of writing a report is the analysis, where we

perform risk assessment and calculate the overall risk to the

organization based upon our findings; along with this, your report

should also provide remediation on how the risk can be averted.

Structure of a Penetration Testing Report

Let’s look step by step on how a good report should be laid out. At

the end of this chapter, I have provided links to some of the best

reports which have been provided to the local mass.

COVER PAGE

We start with the cover page; this is where you would include details

such as your company logo, title, and a short description about the

penetration test. I would suggest you hire a good designer and work

on a professional and appealing cover page because if your cover

page looks great, it would make a good first impression upon the

customer reading it.

To be continue