
1 - MSF-I - Introduction To MSF

The document discusses penetration testing frameworks and tools. It defines vulnerability assessment and penetration testing, and describes different types of penetration tests based on the level of information provided and assets tested. The document also discusses some common cybersecurity myths and the importance of penetration testing for organizations.

Uploaded by Glowing Star

A Penetration Testing Framework

▪ Importance of penetration testing
▪ Differentiating between vulnerability assessment and penetration testing
▪ Need for a penetration testing framework
▪ A brief introduction to Metasploit
▪ Understanding the applicability of Metasploit throughout all phases of penetration testing
▪ Introduction to supporting tools that help extend Metasploit's capabilities

✓ Virtual machines: Kali Linux / Parrot OS, Metasploitable, Windows 7 & 10
✓ Knowledge of the virtual network adapter modes: Bridged, NAT, Host-Only
✓ Basic Linux commands
✓ Ports and services on a computer
✓ Fundamentals of cybersecurity
A vulnerability assessment is the process of identifying, classifying, defining and prioritizing vulnerabilities in computer systems, applications or network infrastructures, and reporting to the organization with the necessary knowledge regarding the risk and impact of each vulnerability.

A vulnerability can be defined in two ways:
▪ A bug in code or a flaw in software design that can be exploited to cause harm; exploitation may occur in an authenticated or unauthenticated way.
▪ A gap in security procedures or a weakness in internal controls that, when exploited, results in a security breach.
(Compliance-related misconfigurations should also be included in a VA.)

There are three primary objectives of a vulnerability assessment:

▪ Identify vulnerabilities ranging from critical design flaws to simple misconfigurations.
▪ Document the vulnerabilities so that developers can easily identify and reproduce the findings.
▪ Create guidance to assist developers with remediating the identified vulnerabilities.

▪ Penetration testing (or pen testing) is a security exercise in which a cyber-security expert attempts to find and exploit vulnerabilities in a computer system. The purpose of this simulated attack is to identify any weak spots in a system's defenses which attackers could take advantage of.
On the basis of the amount of information shared prior to the engagement phase:
▪ White Box Pen Testing
▪ Black Box Pen Testing
▪ Grey Box Pen Testing

On the basis of the network assets to be tested (approach):
▪ External Pen Test
▪ Internal Pen Test

On the basis of the amount of information shared prior to the engagement phase, and approach:

▪ White Box Pen Testing: White box penetration testing, sometimes referred to as crystal or oblique box pen testing, involves sharing full network and system information with the tester, including network maps and credentials. This helps to save time and reduce the overall cost of an engagement. A white box penetration test is useful for simulating a targeted attack on a specific system utilizing as many attack vectors as possible.
▪ Black Box Pen Testing: In a black box penetration test, no information is provided to the tester at all. The pen tester in this instance follows the approach of an unprivileged attacker, from initial access and execution through to exploitation. This scenario can be seen as the most authentic, demonstrating how an adversary with no inside knowledge would target and compromise an organization. However, this typically makes it the costliest option too.
▪ Grey Box Pen Testing: In a grey box penetration test, also known as a translucent box test, only limited information is shared with the tester. Usually this takes the form of login credentials. Grey box testing is useful to help understand the level of access a privileged user could gain and the potential damage they could cause. Grey box tests strike a balance between depth and efficiency and can be used to simulate either an insider threat or an attack that has breached the network perimeter.
On the basis of the network assets to be tested:

▪ External pen test: In an external test, the ethical hacker goes up against the company's external-facing technology, such as its website and external network servers. In some cases, the hacker may not even be allowed to enter the company's building. This can mean conducting the attack from a remote location or carrying out the test from a truck or van parked nearby.
▪ Internal pen test: In an internal test, the ethical hacker performs the test from the company's internal network. This kind of test is useful in determining how much damage a dissatisfied employee can cause from behind the company's firewall.
▪ Testers should collect the required information from the organization to enable the penetration test.
▪ Find flaws that could allow hackers to attack a target machine.
▪ Pen testers should think and act like real hackers, albeit ethically.
▪ Work done by penetration testers should be reproducible so that it is easy for developers to fix the findings.
▪ The start date and end date of test execution should be defined in advance.
▪ A tester is responsible for any loss of system or information during the testing.
▪ A tester should keep data and information confidential.
A software tool cannot map the way a human mind works, especially when it comes to looking at multiple possibilities, each with multiple options.

| Manual Penetration Testing | Automated Penetration Testing |
| --- | --- |
| Manual testing requires expert professionals to run the tests | Automated test tools provide clear reports and can be run by less experienced professionals |
| Manual testing requires Excel and other tools to track it | Automated testing has centralized and standard tools to track results |
| In manual testing, sample results vary from test to test | In the case of automated tests, results do not vary from test to test |
| Memory cleanup must be remembered by the users | Automated testing will have comprehensive cleanups |
▪ Basic security measures are not enough.
▪ Firewalls or anti-virus solutions are not sufficient to protect against attacks.
▪ Security budget: unlike MNCs, most organizations do not have the budget to implement everything.
▪ There are limited or no resources for security expertise.
▪ VAPT adds value by streamlining what is actually needed for the organization.
▪ Reputation: even a small data breach can ruin an organization's reputation.
▪ Potential clients or business partners will feel insecure about collaboration.
▪ Contributing factors can be issues like the safeguarding of important data.
▪ Organizations also lose out on potential and existing business.
▪ Compared to small or medium organizations, larger organizations have a much greater potential to survive an attack with the help of current investors and existing large clients (e.g. Sony, 04/2011, survived the attack).
CYBERSECURITY MYTHS
▪ "I have a firewall, so I'm safe from attacks": Hackers understand the strategies adopted by a firewall quite well. Disrupting code and exploiting basic IT oversights to gain access to your system is easy.
▪ While most cyber-security threats are avoidable, your organization cannot rely solely on firewalls for protection.
▪ "My data isn't worth anything": Data can be turned into crime as well, such as theft, impersonation and physical harm.
▪ "I use HTTPS, so my site is secure": HTTPS safeguards the transmission of information from source to destination. This is web security at a minimum. It does not block attacks like DDoS, brute force, injection, etc.
▪ There is also the issue of organizations using fake SSL certificates, resulting in the organization being compromised.
▪ "SMEs are safe because they are not worthwhile targets": SMEs are considered low-hanging fruit for hackers because so many do not take security seriously. One of the most popular attacks that hackers use against SMEs is ransomware.
Vulnerability Assessment
▪ A process to evaluate and review key systems, networks and applications to identify vulnerabilities and configuration issues that may put the organization at risk of being breached or exploited.
▪ Effective in identifying vulnerabilities, but it cannot differentiate between exploitable and non-exploitable vulnerabilities.
Penetration Testing
▪ Goal-driven test focused on identifying all possible routes of entry an attacker could use to gain unauthorized entry into the target.
▪ Identifies the potential damage and further internal compromise an attacker could carry out once they are past the perimeter.
▪ Proof-of-concept strategy to investigate, exploit and validate the extent of the identified vulnerability.
What happens in the aftermath of a pen test?
▪ After completing a pen test, the ethical hacker will share their findings with the target company's security team. This information can then be used to implement security upgrades to plug any vulnerabilities discovered during the test. These upgrades can include rate limiting, new WAF rules and DDoS mitigation, as well as tighter form validation and sanitization.
For more than a decade, the use of technology has been rising exponentially. Almost all businesses are partially or completely dependent on the use of technology. From bitcoin to cloud to the Internet of Things (IoT), new technologies are popping up each day. While these technologies completely change the way we do things, they also bring threats along with them. Attackers discover new and innovative ways to manipulate these technologies for fun and profit! This is a matter of concern for thousands of organizations and businesses around the world.

Organizations worldwide are deeply concerned about keeping their data safe. Protecting data is certainly important; however, testing whether adequate protection mechanisms have been put to work is equally important. Protection mechanisms can fail, hence testing them before someone exploits them for real is a challenging task. Having said this, vulnerability assessment and penetration testing have gained high importance and are now routinely included in compliance programs. With vulnerability assessment and penetration testing done in the right way, organizations can ensure that they have put the right security controls in place and that these are functioning as expected!
VULNERABILITY LIFE CYCLE
1. Discovery – vulnerability found by a researcher
2. Disclosure – vulnerability disclosed (privately or publicly)
3. Analysis – is it exploitable? Remotely?
4. Exploit Development – let's write code
5. Testing – let's test the exploit on different systems with the existing vulnerability
6. Release – let's release the exploit
PENETRATION TESTING CYCLE
1. Information Gathering: scan and look for vulnerabilities or misconfigurations
   - active and passive information gathering
2. Enumeration: filter out misconfigurations or outdated versions
   - services, users, shares, DNS entries, etc.
3. Gaining Access: try entering the system
   - bypass security controls
4. Privilege Escalation: be limitless with admin privileges
   - full control of the system
5. Maintaining Access: persistent connection
   - backdoor, malware
6. Covering Tracks: clear records, delete temporarily created accounts
   - delete tools, exploits, backdoors, etc. (as per the agreement)
| Sr. | Penetration testing phase | Use of Metasploit |
| --- | --- | --- |
| 1 | Information Gathering | Auxiliary modules: portscan/syn, portscan/tcp, smb_version, db_nmap, scanner/ftp/ftp_version, and gather/shodan_search |
| 2 | Enumeration | smb/smb_enumshares, smb/smb_enumusers, and smb/smb_login |
| 3 | Gaining Access | All Metasploit exploits and payloads |
| 4 | Privilege Escalation | meterpreter: use priv, getsystem |
| 5 | Maintaining Access | meterpreter: run persistence |
| 6 | Covering Tracks | Metasploit Anti-Forensics Project |
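The first two rows of the table, written out as a Metasploit resource script for the lab environment the prerequisites list (Kali against Metasploitable on a host-only network). This is an added example, not part of the original deck; the target address 192.168.56.101 and the workspace name are placeholders, and the script assumes the Metasploit database has been initialised (`msfdb init`) so that db_nmap and the scanner modules record their results. It deliberately stops at information gathering and enumeration: the point is that every finding lands in the workspace database, which is what makes the test reproducible for the report and for the developers who have to fix it.

```text
# recon.rc - run with: msfconsole -q -r recon.rc
# Constructed lab example; 192.168.56.101 is a placeholder for the Metasploitable VM.

# One global target so every module below picks it up
setg RHOSTS 192.168.56.101
workspace -a msf-lab

# Phase 1: Information Gathering
# db_nmap stores hosts and services in the workspace database
db_nmap -sV -p 21,22,139,445 192.168.56.101
use auxiliary/scanner/portscan/tcp
set PORTS 1-1024
run
use auxiliary/scanner/smb/smb_version
run
use auxiliary/scanner/ftp/ftp_version
run

# Phase 2: Enumeration
use auxiliary/scanner/smb/smb_enumshares
run

# Reproducible record for the report: what the database now holds
hosts
services
notes
```

Lines beginning with `#` are ignored by msfconsole when it loads a resource file. Keeping the target in `setg` rather than repeating `set RHOSTS` per module means the same script can be re-run against the agreed scope by changing one line, and `hosts`/`services`/`notes` at the end show the tester exactly what will be exported for the report.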


SECURITY AUDIT FRAMEWORK
▪ Talk to the client and discuss the needs to be addressed during the testing
▪ Prepare and sign NDA documents with the client
▪ Organize an ethical hacking team and prepare the schedule for testing
▪ Conduct the test
▪ Analyze the result of the testing and prepare a report
▪ Present the report findings to the client
LEARNINGS
▪ Vulnerability Assessment
  ▪ Objectives and approach
▪ Penetration Testing
  ▪ Types, importance, automated and manual
▪ VA/PT Summarized
  ▪ Methodology
▪ Need for a Penetration Testing Framework
  ▪ Vulnerability Life Cycle
  ▪ Penetration Testing Cycle
▪ Why Metasploit?
  ▪ Metasploit modules and components that can be used across all phases of PT.
REFERENCES
▪ https://www.intruder.io/guides/vulnerability-assessment-made-simple-a-step-by-step-guide
▪ https://www.cloudflare.com/en-in/learning/security/glossary/what-is-penetration-testing/
▪ https://purplesec.us/types-penetration-testing/
▪ https://www.guru99.com/learn-penetration-testing.html
▪ https://github.com/tanprathan/OWASP-Testing-Checklist/blob/master/OWASPv4_Checklist.xlsx
▪ Sony 04/2011 - https://venturebeat.com/2011/05/04/chronology-of-the-attack-on-sonys-playstation-network/
▪ Case studies:
  1) https://www.american.edu/kogod/research/cybergov/upload/what-to-do.pdf
  2) https://web.mit.edu/smadnick/www/wp/2020-07.pdf
▪ SSL - https://medium.com/globant/fake-ssl-certificates-how-can-they-be-a-problem-901cfe0b34f7
▪ Fake SSL case study: https://www.itnews.com.au/news/hackers-fake-ssl-certificates-for-web-services-252211
We will start the next chapter soooon!
