 ALOK PRASAD

ALOK PRASAD(pt)

Page 1: ALOK PRASAD(pt)

8/8/2019 ALOK PRASAD(pt)

http://slidepdf.com/reader/full/alok-prasadpt 1/14

ALOK PRASAD

ACKNOWLEDGEMENT

I, Alok Prasad, do acknowledge and like to express my deepest appreciation to our faculty, Mr. Mohan Mishra, for continuously guiding me in making this project on penetration testing.

(Alok Prasad)

TABLE OF CONTENTS

• What is a Penetration Test?
• Why is penetration testing conducted?
• What can be tested?
• The Process and Methodology
    Planning and Preparation
    Information Gathering and Analysis
    Vulnerability Detection
    Penetration Attempt
    Analysis and Reporting
    Cleaning Up
• Types of Penetration Testing

What is a Penetration Test?

A penetration test is a great way to identify vulnerabilities that exist in a system or network that has existing security measures in place. A penetration test usually involves trusted individuals using the same attack methods that hostile intruders or hackers use. Depending on the type of test that is conducted, this may involve a simple scan of IP addresses to identify machines that are offering services with known vulnerabilities, or even exploiting known vulnerabilities that exist in an unpatched operating system.

A penetration test is basically an attempt to breach the security of a network or system and is not a full security audit. This means that it is no more than a view of a system's security at a single moment in time. The known vulnerabilities, weaknesses or misconfigured systems it covers are those that did not change within the time frame in which the penetration test was conducted.

Penetration tests can have serious consequences for the network on which they are run. If a test is badly conducted it can cause congestion and system crashes. In the worst case scenario, it can result in exactly the thing it is intended to prevent: the compromise of the systems by unauthorized intruders. It is therefore vital to have consent from the management of an organization before conducting a penetration test on its systems or network.

Why is penetration testing conducted?

• Preventing financial loss through fraud (hackers, extortionists and disgruntled employees) or through lost revenue due to unreliable business systems and processes.
• Protecting your brand by avoiding loss of consumer confidence and business reputation.
• Identifying vulnerabilities and quantifying their impact and likelihood so that they can be managed proactively; budget can be allocated and corrective measures implemented.

What can be tested?

All parts of the way that your organization captures, stores and processes information can be assessed: the systems that the information is stored in, the transmission channels that transport it, and the processes and personnel that manage it. Examples of areas that are commonly tested are:

• Off-the-shelf products (operating systems, applications, databases, networking equipment etc.)
• Bespoke development (dynamic web sites, in-house applications etc.)
• Telephony (war-dialing, remote access etc.)
• Wireless (WIFI, Bluetooth, IR, GSM, RFID etc.)
• Personnel (screening process, social engineering etc.)
• Physical (access controls, dumpster diving etc.)

The Process and Methodology

Planning and Preparation

Penetration tests may need to be run at particular times of day. There may be a conflict between the need to ensure that everything is tested and the need to avoid loading the network during periods of heavy and critical use. Penetration tests that involve the use of unusual network traffic may cause some systems on the network to crash. If this risk cannot be tolerated then some systems or networks may need to be excluded from the test. Penetration testers should spend an adequate amount of time discussing the tests with the organization before drawing up a testing plan.

No organization will want its business to be affected as a result of a penetration test. One major decision to be made with the organization is whether the staff of that organization should be informed before a penetration test is carried out.

A complete and adequate penetration test involves penetration testers conducting illegal activities on systems external or internal to an organization's network.
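
The timing and exclusion decisions described in this section can be enforced mechanically before any test traffic is sent. The following is an added example, not part of the original presentation: the EngagementPlan class, its field names and the sample plan (documentation address ranges, a Saturday-night window in the organization's local time) are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class EngagementPlan:
    in_scope: list   # networks the organization agreed to have tested
    excluded: list   # systems left out because a crash cannot be tolerated
    windows: list    # (weekday, start, end); 0 = Monday; end < start runs past midnight

    def in_window(self, when: datetime) -> bool:
        for day, start, end in self.windows:
            if start <= end:  # window that fits inside one day
                if when.weekday() == day and start <= when.time() < end:
                    return True
            else:             # window that continues into the next day
                if when.weekday() == day and when.time() >= start:
                    return True
                if when.weekday() == (day + 1) % 7 and when.time() < end:
                    return True
        return False

    def check(self, target: str, when: datetime):
        """Return (allowed, reason) for sending test traffic to target at time when."""
        addr = ip_address(target)
        if not any(addr in ip_network(n) for n in self.in_scope):
            return False, "not in agreed scope"
        if any(addr in ip_network(n) for n in self.excluded):
            return False, "excluded from the test"
        if not self.in_window(when):
            return False, "outside agreed test window"
        return True, "ok"


# Constructed plan: documentation address range, Saturday 22:00 to Sunday 04:00.
PLAN = EngagementPlan(
    in_scope=["192.0.2.0/24"],
    excluded=["192.0.2.10/32"],
    windows=[(5, time(22, 0), time(4, 0))],
)

if __name__ == "__main__":
    for host in ("192.0.2.20", "192.0.2.10", "198.51.100.5"):
        print(host, PLAN.check(host, datetime(2024, 1, 6, 23, 0)))
```

Calling check() in front of every tool invocation makes the agreed plan a control rather than a document, and every refusal carries the reason to record.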

Information Gathering and Analysis

After doing the necessary planning and preparation with the organization, the next step is to gather as much information as possible about the targeted systems or networks. If the intended target has an online website, this is a good place to start our information gathering. We should always remember that any kind of information gathered during this stage may prove useful to us in the other stages of the penetration test. Their service examines a network connected to the Internet and reports back which hosts are visible. It also gives information such as the operating system it is running on as well as the server's uptime.

A network survey serves as an introduction to the systems that are to be tested. The goal here is to find the number of systems that are reachable. The expected results of a network survey should consist of domain names, server names, Internet service provider information, IP addresses of hosts involved, as well as a network map.

Vulnerability Detection

After having gathered the relevant information about the targeted system, the next step is to determine the vulnerabilities that exist in each system.

Penetration testers should have a collection of exploits and vulnerabilities at their disposal for this purpose. If a system running Windows 95 and MS Personal Web Server pops up in the information gathered earlier, this would probably point to a vulnerability that might exist in that particular system.

There are tools available that can automate vulnerability detection. One such tool is Nessus. Nessus is a security scanner that remotely audits a given network and determines whether vulnerabilities exist in it.

The completion of the vulnerability detection will produce a definite list of targets to investigate in depth. This list of targets will be used in the next stage, in which a penetration will be attempted against the targets that have their vulnerabilities defined.

Penetration Attempt

After determining the vulnerabilities that exist in the systems, the next stage is to identify suitable targets for a penetration attempt.

The target chosen for the penetration attempt is also important. Imagine a scenario whereby two penetration testers are required to perform a penetration test on a network consisting of more than 200 machines. After gathering sufficient information and vulnerabilities about the network, they found out that there are only 5 servers on the network and the rest are just normal PCs used by the organization's staff.

Penetration testers an idea of what the machine does. By choosing their target properly, penetration testers will not waste time and effort doing any redundant job. Normally penetration tests have a certain time constraint and penetration testers should not waste any time unnecessarily. There are other ways to choose a target. The above just demonstrates some criteria used.

Password cracking has become a normal practice in penetration tests. The list below shows just some of the password cracking methods used:

• Dictionary Attack
• Hybrid Crack
• Brute Force

Analysis and Reporting

After conducting all the tasks above, the next task is to generate a report for the organization. The report should start with an overview of the penetration testing process done. This should be followed by an analysis and commentary on critical vulnerabilities that exist in the network or systems. Vital vulnerabilities are addressed first to highlight them to the organization. Less vital vulnerabilities should then be highlighted. Separating the vital vulnerabilities from the less vital ones helps the organization in decision making.

The contents of the report should be as follows:

• Summary of any successful penetration scenarios.
• Detailed listing of all information gathered during penetration testing.
• Detailed listing of all vulnerabilities found.
• Description of all vulnerabilities found.
• Suggestions and techniques to resolve vulnerabilities found.

Cleaning Up

The cleaning up process is done to clear any mess that has been made as a result of the penetration test. A detailed and exact list of all actions performed during the penetration test must be kept. This is vital so that any cleaning up of the system can be done.

The cleaning up process should be verified by the organization's staff to ensure that it has been done successfully. A good example of a clean up process is the removal of user accounts on a system previously created externally as a result of the penetration test. It is always the penetration tester's responsibility to inform the organization about the changes that exist in the system as a result of the penetration test and also to clean up this mess.
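
One way to keep the exact action list this section calls for, and to track each entry until the organization's staff has verified its cleanup, is sketched below. This is an added example, not part of the original presentation: the Action and Ledger classes, the status names and the sample entries are assumptions, and the entries are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Action:
    when: str              # ISO 8601 time the action was performed
    tester: str
    host: str
    what: str              # exact description of what was done
    revert: str = ""       # exact undo step; empty if nothing was left behind
    reverted: bool = False
    verified_by: str = ""  # organization staff member who confirmed the undo

    def status(self) -> str:
        if not self.revert:
            return "no-artifact"
        if not self.reverted:
            return "needs-cleanup"
        return "closed" if self.verified_by else "awaiting-verification"


@dataclass
class Ledger:
    testers: set                      # names of the penetration testers
    actions: list = field(default_factory=list)

    def record(self, action: Action) -> int:
        self.actions.append(action)
        return len(self.actions) - 1  # index used to refer to this entry

    def mark_reverted(self, idx: int) -> None:
        self.actions[idx].reverted = True

    def verify(self, idx: int, staff: str) -> None:
        entry = self.actions[idx]
        if staff in self.testers or not entry.reverted:
            raise ValueError("needs a completed revert and a non-tester verifier")
        entry.verified_by = staff

    def outstanding(self) -> list:
        return [(i, a.host, a.what, a.status()) for i, a in enumerate(self.actions)
                if a.status() not in ("no-artifact", "closed")]


# Constructed entries, including the page's own example of an account created during the test.
LEDGER = Ledger(testers={"tester-a"})
LEDGER.record(Action("2024-01-06T23:10", "tester-a", "192.0.2.20",
                     "created local user pt-temp", revert="delete local user pt-temp"))
LEDGER.record(Action("2024-01-06T23:40", "tester-a", "192.0.2.20", "listed open services"))
```

An engagement is ready to close only when outstanding() returns an empty list; a tester cannot sign off on their own cleanup.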

Types of Penetration Testing

Black Box Penetration Testing

• Pen tester has no previous knowledge of the remote network
• Only the company name or the IP address is known
• Simulation of a real world hacking by a hacker who has no knowledge

White Box Penetration Testing

• Pen tester provided with significant knowledge of the remote network
• Type of network devices (e.g. Cisco gear, TCP/IP),
• Web Server details (e.g. Apache/*nix or Apache/Win2k),
• Operating System type (e.g. Windows/*nix),
• Database platform (e.g. Oracle or MS SQL),
• Load balancers (e.g. Alteon),
• Firewalls (e.g. Cisco PIX)... etc