Penetration Test Part 2

First of all, thanks for reading Penetration Testing Part 1. Let's start with Part 2.

Here I will show you how to perform a penetration test for an organization called XYZ. Before starting the actual penetration test, let's look at the types of penetration testing, the methodology for penetration testing, and the tools available to perform a penetration test.

Penetration Test Methodology:

In general, there are four phases to performing a penetration test, as we discussed earlier in Part 1:

1. Schedule

2. Discovery

3. Attack

4. Reports

Penetration Test Types:

1. Black box

2. White Box

3. Gray box

Black box:

Black box testing involves performing a security assessment and test without prior knowledge of the network infrastructure or systems to be tested. The test simulates an attack by a malicious hacker outside the organization's security perimeter, so the tester starts from public information only.

White box:

White box testing involves performing a security assessment and test with full knowledge of the network infrastructure, as a network administrator would have (network diagrams, system inventory, credentials, and often source code or configuration).

Gray box:

Gray box testing involves performing a security assessment and test with partial knowledge of the network, typically the level of access an insider such as an employee or contractor with a normal user account would have.

The tests examine how far such an insider could extend their access within the network.

Scenario:

A company called XYZ is engaging a third-party firm that performs penetration testing. XYZ needs a black box pen test, partly because of legal requirements and partly to assess the security measures in place to control access.

The consultancy has been given only the company name, XYZ, to start the penetration test from.

Mr. RAK of the consulting firm has been assigned the task of conducting the penetration test; here I will show you how the methodology is followed.

Schedule:

Mr. RAK should have a signed NDA so that the findings are kept confidential. Secondly, an SLA (the rules of engagement) must be in place stating what is in scope and to what depth the test must go for it to be considered complete, and the time window for testing must be agreed before the test starts. Because this is a black box test, the written authorization from XYZ is what separates the engagement from an unauthorized attack, so it must be in hand before any discovery activity begins.

Discovery:

Passive:

The information gathering phase starts here; good sources are search engines, the XYZ official website, job postings, and more.

While searching on search engines, Mr. RAK discovers that XYZ Company has a web portal at http://www.XYZ-Portal.com. That looks good so far; let's dig deeper. Now it is time to run nslookup against the domain: an MX query gives the mail server address, and an NS query gives the name server names and addresses for company XYZ. That is more than enough at this point.

Active:

This is the time to do some active work. The goal is to map the services running on the addresses found in the passive phase, and the way to do that is to scan for open ports and services. In the world of information security there is a very famous tool for scanning ports called Nmap.

With Nmap we can run a port scan against the address we found in the passive information gathering phase. Now it's time to run the scan:

ethicsHacker/pentesterBox# nmap -A -v -P0 -oA outputfile www.XYZ-Portal.com

The above command scans the Nmap default port list on the XYZ portal with OS and service version detection enabled (-A), skips the host-discovery ping so a firewalled host is still scanned (-P0, called -Pn in current Nmap releases), and writes the results in all three output formats (-oA gives outputfile.nmap, outputfile.gnmap and outputfile.xml) for use in the report generation phase. Note that -A alone does not scan all 65535 ports; add -p- for a full port scan.

Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-02 21:19 GMT

Interesting ports on www.XYZ-Portal:

PORT     STATE     SERVICE
445/tcp  filtered  microsoft-ds

Interesting ports on www.XYZ-Portal.com:

PORT     STATE  SERVICE       VERSION
23/tcp   open   telnet
80/tcp   open   http          IIS 5.0
445/tcp  open   microsoft-ds

Nmap finished: 1 IP address (1 host up) scanned in 19.097 seconds

Here you can see that www.XYZ-Portal.com is running the IIS 5.0 web server, which indicates that the server is a Windows machine (IIS 5.0 shipped with Windows 2000). The open telnet (23/tcp) and microsoft-ds (445/tcp) ports on an internet-facing host are worth noting for the report in their own right. Keep in mind that version and OS guesses are banner-based and should be confirmed before being stated as fact in the report.
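The -oA output is what carries the scan results into the report phase. The following is an added example, not code from the original post: it parses the grepable (.gnmap) file that -oA produces into the list of open services, applies a few triage rules, and prints a table for the report. The .gnmap content, the 203.0.113.10 address (an RFC 5737 documentation address) and the triage rules are all constructed assumptions for illustration, not real scan results or Nmap's own logic.

```python
"""Parse nmap grepable output (-oA writes .nmap, .gnmap and .xml) into the
open-service list that the report phase needs, and triage it.

Added example for this article, not code from the original post. The scan
record below is constructed to match the ports shown above; the IP address
is a documentation address (RFC 5737) and an assumption, not a real result,
and the triage rules are the example author's own, not nmap's.
"""

# Constructed .gnmap content. nmap writes one "Host:" line per host; each
# port entry has the layout port/state/proto/owner/service/rpc-info/version/
GNMAP_SAMPLE = (
    "# Nmap 4.20 scan initiated Mon Jul  2 21:19:00 2007 as: "
    "nmap -A -v -P0 -oA xyz-portal www.XYZ-Portal.com\n"
    "Host: 203.0.113.10 (www.XYZ-Portal.com)\tStatus: Up\n"
    "Host: 203.0.113.10 (www.XYZ-Portal.com)\tPorts: "
    "23/open/tcp//telnet///, "
    "80/open/tcp//http//Microsoft IIS webserver 5.0/, "
    "445/open/tcp//microsoft-ds///\t"
    "Ignored State: filtered (1677)\n"
    "# Nmap finished at Mon Jul  2 21:19:19 2007 -- "
    "1 IP address (1 host up) scanned in 19.097 seconds\n"
)

# Triage rules (assumed, for illustration): service name -> why it is a finding
FLAGGED_SERVICES = {
    "telnet": "cleartext remote administration reachable from the internet",
    "microsoft-ds": "SMB (TCP 445) reachable from the internet",
}
# Version-banner rules (assumed): substring of the version field -> note
FLAGGED_VERSIONS = {
    "IIS webserver 5.0": "legacy IIS 5.0 (Windows 2000 era); confirm patch level with the vulnerability scan",
}


def parse_gnmap(text):
    """Return one dict per open port: host, ip, port, proto, service, version."""
    services = []
    for line in text.splitlines():
        # Only Host lines that carry a Ports field hold results; comment lines
        # and "Status: Up" lines are skipped.
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        fields = dict(part.split(": ", 1) for part in line.split("\t") if ": " in part)
        ip, _, hostname = fields["Host"].partition(" ")
        hostname = hostname.strip("()") or ip  # no reverse name -> fall back to the IP
        for entry in fields["Ports"].split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue  # malformed entry: skip it rather than abort the whole report
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            if state != "open":
                continue
            services.append({
                "host": hostname, "ip": ip, "port": int(port),
                "proto": proto, "service": service, "version": version,
            })
    return services


def triage(services):
    """Apply the triage rules; returns the flagged services in scan order."""
    findings = []
    for svc in services:
        notes = [FLAGGED_SERVICES[svc["service"]]] if svc["service"] in FLAGGED_SERVICES else []
        notes += [note for needle, note in FLAGGED_VERSIONS.items() if needle in svc["version"]]
        if notes:
            findings.append({**svc, "notes": notes})
    return findings


def platform_hint(services):
    """Banner-based platform guess only; confirm with nmap -O or the vulnerability
    scan before stating it as fact in the report."""
    if any("Microsoft" in s["version"] or s["service"] == "microsoft-ds" for s in services):
        return "Windows (banner-based guess)"
    return "unknown"


def report_lines(services):
    """Plain-text table for the report appendix (header plus one line per service)."""
    lines = ["HOST                 PORT/PROTO  SERVICE        VERSION"]
    for s in services:
        lines.append(f"{s['host']:<20} {s['port']:>4}/{s['proto']:<6} {s['service']:<14} {s['version']}")
    return lines


if __name__ == "__main__":
    found = parse_gnmap(GNMAP_SAMPLE)
    print("\n".join(report_lines(found)))
    print("Platform hint:", platform_hint(found))
    for f in triage(found):
        print(f"[finding] {f['host']}:{f['port']} {f['service']} - " + "; ".join(f["notes"]))
```

Point the parser at a real outputfile.gnmap from the scan above and the table and findings list can be pasted straight into the report draft; the .xml file from -oA carries the same data in a form that other tools (and later Nessus imports) read more reliably, so keep all three.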

This is the time to run a vulnerability scan against the Windows machine to check for known vulnerabilities on the server and the services found above.

To perform a vulnerability scan there are many commercial and non-commercial tools available; among them, the tool I would recommend is Nessus, which can be easily downloaded. Keep the scan within the agreed scope and time window, since a vulnerability scanner generates far more traffic than the port scan. Running the vulnerability scan and writing up the report will be covered in Part 3.
