LECTURE 7 NETWORK SECURITY TESTING

LECTURE 7: PENETRATION TESTING

Penetration testing is a cybersecurity best practice that helps ensure that IT environments are
properly secured and vulnerabilities are appropriately patched.
A penetration test seeks to determine whether and how a malicious user can gain unauthorized
access to information assets.

Penetration testing is mainly required:


 To verify that financial or other critical data is protected while it is transferred between
systems or over the network.
 Because many clients now ask for a penetration test as part of the software release cycle.
 To protect user data.
 To find security vulnerabilities in an application.
 To discover weaknesses in the system before an attacker does.
 To assess the business impact of successful attacks.
 To meet the organization's information security compliance obligations.
 To support an effective security strategy in the organization.

Types of Testing
Internal Network Testing
Threats do not only come from outside; vulnerabilities that originate inside the network also
need attention. Testers use every tool at their disposal to mimic the behaviour of a malicious
staff member or of an attacker who has already gained a foothold, for example through a
phished workstation.
Tactics include privilege escalation, deploying malware tailored to the business systems and
even the exfiltration of critical data, all designed to pinpoint weak points in the defences.

External Network Testing


Testing of the internet-facing network and the services hosted on it. It is done blind, without
relying on privileged information such as infrastructure or network diagrams or account and user
details. A standard framework based on the Open Source Security Testing Methodology Manual
(OSSTMM) may be adopted.
The protocol includes:
 Finding system vulnerabilities and exploiting them;
 A review of the security posture that includes mechanisms to avoid false-positive findings;
 Describing targets and visibility audits;
 Verifying controls, trust, access, processes, configuration, the information and data involved,
exposure, quarantine measures in place and survivability;
 Describing user privilege management and network segregation;
 Reviewing alerts and logs.
The scope of the external network test is also customizable. It can be confined to a given IP
range, or widened through open-source intelligence (OSINT) to uncover exposed assets the
organization had not listed. During external network penetration testing, the tester identifies
and exploits vulnerabilities throughout the applications and network infrastructure that are
exposed to the internet.
Web Applications Testing
Web application penetration testing is based on a framework that draws on several standards:
the Open Web Application Security Project (OWASP) Testing Guide, the Open Source Security
Testing Methodology Manual (OSSTMM) and the Penetration Testing Execution Standard (PTES).
Using these, the tester looks for and confirms vulnerabilities, including application security
weaknesses such as missing data validation or integrity checks that only manual testing can
reveal.
Automated scanning on its own is insufficient for detecting misconfiguration, cross-site scripting,
flaws in authentication and session management, exposure of sensitive data and broken access
controls; access-control and business-logic flaws in particular require a human who understands
what each user is supposed to be allowed to do.

Internet of Things (IOT) Testing


The Internet of Things encompasses both home and commercial applications, including
industrial control systems (ICS). Along with the convenience and reach of these devices,
however, comes added exposure to security breaches.
Penetration tests assess the security of the devices themselves and then go a step further to
cover the entire ecosystem: communication channels, cryptography and encryption, APIs,
firmware, hardware and other critical components. Deep-dive manual analysis can detect both
known and previously undiscovered weaknesses in this area.

Social Engineering Testing


Many attackers now breach networks by exploiting human tendencies rather than software
flaws. For instance, people are likely to trust an email that appears to come from someone they
know when in reality it carries malware and was sent by someone impersonating that person.
Elaborate phishing schemes enable threat actors to infiltrate systems and steal or compromise
valuable data. In response, penetration testing runs a comprehensive assessment of the
company's overall security awareness and controls, determining its exposure to human
manipulation through physical access, email and phone calls. By mounting an adversarial,
customized attack execution model, also known as red team testing,

Wireless Networks Testing


Using the Open Source Security Testing Methodology Manual (OSSTMM) and the Penetration
Testing Execution Standard (PTES) frameworks, pentesters emulate real-world attackers to test
for weaknesses in the wireless network infrastructure. This may include IEEE 802.11 Wi-Fi
(including 802.1X/WPA-Enterprise authentication), Bluetooth, Zigbee and other wireless
technologies.

API Testing
Whether the target is a REST, mobile-backend or web API, testers use accepted references
including the OWASP Top 10, the OWASP Application Security Verification Standard (ASVS),
the OWASP Testing Guide and, for APIs specifically, the OWASP API Security Top 10. An early
step is to establish which authentication scheme the API uses (API keys, session cookies, bearer
tokens or client certificates), since most API findings are authentication and authorization
failures. Testers apply their knowledge of API structures, request methods and responses,
tailoring the work to the client's needs: for instance, they can focus on specified endpoints in
either a production or a staging API environment. Testing against staging avoids the side effects
listed under Disadvantages below, but only if staging mirrors the production configuration.
Mobile Applications Testing
Along with the convenience and power of tablets and mobile phones comes a greater potential
for theft, insecure application integration, privacy violations and other security breaches that
penetration testing can assess and help guard against. Testing covers the main platforms: iOS,
Android and Windows. Using the Open Web Application Security Project (OWASP) methodologies
(including the OWASP Mobile Application Security Verification Standard, MASVS), the Open
Source Security Testing Methodology Manual (OSSTMM) and the Penetration Testing Execution
Standard (PTES), the assessment covers the applications' exposure to code tampering, reverse
engineering, insecure local storage and other intrusions.
In addition, the assessment quantifies any risks arising from newly developed or updated
applications and from company-owned mobile devices.

Amazon Web Services (AWS) Testing


For companies that use the Amazon cloud environment, penetration testing is an indispensable
tool for protecting system security. Testers assess all permitted internal and external
environments (AWS publishes a customer penetration-testing policy that lists the services which
may be tested without prior approval and prohibits denial-of-service testing), following the CIS
Amazon Web Services Foundations Benchmark and additional security testing methodologies
such as OWASP ASVS and the OWASP Top 10.
The steps include target scope reconnaissance, target enumeration, automated assessment of
component configuration (IAM policies, S3 bucket permissions, security groups), assessment of
internet-exposed services, architectural design analysis, reporting and remediation tracking.

Open Source Security Testing Methodology Manual (OSSTMM) Testing Channels &
Methodology
The OSSTMM provides guidance on how to test the operational security of five channels so
organizations can understand the full extent of their security and determine how well their
security processes actually function. It’s about what your operations actually do, and not just
what they are supposed to do.

The five channels are:


1. Human Security: the security of human interaction and communication, evaluated
operationally as part of the test.
2. Physical Security: the OSSTMM tests physical security, defined as any tangible element
of security that takes physical effort to operate.
3. Wireless Communications: electronic communications, signals and emanations are all
considered wireless communications and are part of operational security testing.
4. Telecommunications: whether the telecommunication network is digital or analog, any
communication conducted over telephone or network lines is tested under the OSSTMM.
5. Data Networks: the security testing of data networks covers electronic systems and data
networks used for communication or interaction over cabled and wired network lines.

Gray Box Penetration Testing


The tester is given partial knowledge of the target, typically an ordinary user account and some
design or architecture documentation, which allows a more thorough understanding of the
application than a blind test. (Full access to source code and configuration is white box testing.)
The tester approaches the system as an authenticated user with user-level access and tries to
escalate privileges or gain access to restricted data.
Black Box Penetration Testing
Assessors have little or no information about the security environment. Armed only with the IP
address or the URL of the target, the testers try to gain unauthenticated access to the inner
workings of the network, as an external attacker would.

Pen Testing Techniques


 Manual penetration test
 Penetration test using automated tools
 Combination of manual and automated testing
The third approach is the most common, since each method finds vulnerabilities the other misses.

Manual Penetration Test


It is difficult to find all vulnerabilities using automated tools. Some vulnerabilities can be
identified only by manual testing. Penetration testers can mount better attacks on applications
based on their skills and knowledge of the system being tested.
Methods like social engineering can only be carried out by humans. Manual checking covers
design, business logic and code verification.

Penetration Test Process:


Identifying the vulnerabilities present in the system is the first step in this process. Corrective
action is taken on each vulnerability and the same tests are repeated until they no longer
succeed.

The process can be divided into the following stages:

#1) Data collection: Various methods, including search-engine queries, are used to gather data
about the target system. Analysing the source code of its web pages gives more information
about the system, software and plugin versions.
There are many free tools and services that reveal information such as software versions, the
hardware used and the third-party plugins in the target system; verbose error messages can
even leak database versions and table names.
#2) Vulnerability assessment: Based on the data collected in the first step, the tester looks for
security weaknesses in the target system. These become the entry points for the attacks in the
next stage.
#3) Actual exploit: This is the crucial step. Launching an attack on the target system requires
special skills and techniques, and experienced penetration testers use their skills to do so
without damaging the system beyond what the rules of engagement allow.
#4) Result analysis and report preparation: After the tests are complete, detailed reports are
prepared so that corrective action can be taken. All identified vulnerabilities and the
recommended corrective measures are listed in these reports. The report format (HTML, XML,
MS Word or PDF) can be customized to the organization's needs.
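The data-collection stage above mentions analysing page source for software and plugin versions. The following script, an added example that is not part of the lecture, shows what that looks like in practice: it pulls version disclosures out of a page's HTML, out of revealing response headers, and out of the default session-cookie name. The HTML and headers are constructed samples; the /wp-content/plugins and /wp-content/themes path layout and the ?ver= query string are real WordPress conventions used to make the sample realistic.

```python
"""Data-collection step: fingerprint software and versions from a page's
source and response headers.

Added example, not part of the lecture. The HTML and headers below are
constructed; the /wp-content/plugins and /wp-content/themes paths and the
?ver= query string follow WordPress conventions.
"""
import re

SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 5.8.1" />
<link rel="stylesheet" href="/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.4.2">
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.6.0"></script>
<script src="/wp-content/themes/twentytwenty/assets/js/index.js?ver=1.8"></script>
</head><body><p>Welcome</p></body></html>
"""

SAMPLE_HEADERS = {  # constructed HTTP response headers
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=UTF-8",
    "Set-Cookie": "PHPSESSID=abc123; path=/",
}

META_GENERATOR = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)
URL_ATTR = re.compile(r'(?:src|href)=["\']([^"\']+)["\']', re.I)
VERSION_PARAM = re.compile(r'[?&]ver=([0-9][0-9.]*)')

# Headers that commonly disclose server-side software and versions.
REVEALING_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-Generator")

# Default session-cookie names identify the platform even without a banner.
COOKIE_HINTS = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
    "ci_session": "CodeIgniter",
}


def classify_asset(url):
    """Turn an asset URL carrying a ?ver= parameter into (component, version);
    return None when the URL discloses no version."""
    m = VERSION_PARAM.search(url)
    if not m:
        return None
    version = m.group(1)
    path = url.split("?", 1)[0]
    plugin = re.search(r"/wp-content/plugins/([^/]+)/", path)
    if plugin:
        return ("wordpress-plugin:" + plugin.group(1), version)
    theme = re.search(r"/wp-content/themes/([^/]+)/", path)
    if theme:
        return ("wordpress-theme:" + theme.group(1), version)
    name = re.sub(r"(\.min)?\.(js|css)$", "", path.rsplit("/", 1)[-1])
    return ("asset:" + name, version)


def fingerprint_html(html):
    """Collect the (component, version) pairs disclosed by the page source."""
    found = set()
    for m in META_GENERATOR.finditer(html):
        name, _, version = m.group(1).partition(" ")
        found.add(("generator:" + name, version or "unknown"))
    for m in URL_ATTR.finditer(html):
        item = classify_asset(m.group(1))
        if item:
            found.add(item)
    return sorted(found)


def fingerprint_headers(headers):
    """Keep only the headers that leak software or version information."""
    return {k: v for k, v in headers.items() if k in REVEALING_HEADERS}


def cookie_technology(set_cookie):
    """Infer the platform from the session-cookie name, if it is a known default."""
    name = set_cookie.split("=", 1)[0].strip()
    return COOKIE_HINTS.get(name)


if __name__ == "__main__":
    for component, version in fingerprint_html(SAMPLE_HTML):
        print(f"{component:40s} {version}")
    print(fingerprint_headers(SAMPLE_HEADERS))
    print(cookie_technology(SAMPLE_HEADERS["Set-Cookie"]))
```

Every pair this returns is input to the vulnerability-assessment stage: a component name plus an exact version is what you look up against vulnerability databases. On the defensive side, the same script doubles as a check that your own servers have stopped advertising versions.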

Penetration Testing Tools And Companies


Automated tools can identify some standard vulnerabilities present in an application. Static
analysis tools scan source code for insecure patterns and for hard-coded values such as
usernames, passwords and keys; dynamic scanners probe the running system and can also check
how data is protected in transit, flagging weak or misconfigured encryption.

Criteria to select the best penetration tool:


 Easy to deploy, configure and use.
 Scans the system with little setup.
 Categorizes vulnerabilities by severity so that those needing an immediate fix stand out.
 Can automate the verification of vulnerabilities.
 Can re-verify exploits found previously, to confirm that fixes hold.
 Generates detailed vulnerability reports and logs.
Once you know which tests need to be performed, you can either train internal test resources or
hire expert consultants to do the penetration testing.

Recommended Penetration Testing Tools


Acunetix - Acunetix WVS is a commercial web vulnerability scanner aimed at both security
professionals and software engineers.
Intruder - A vulnerability scanner that finds weaknesses across an organization's exposed
estate, explains the risks and helps with remediation before a breach occurs; useful for
automating the routine part of a penetration test.
Nmap - Used for port scanning, service and OS fingerprinting, route tracing and, through the
Nmap Scripting Engine (NSE), scripted vulnerability checks.
Nessus - A traditional network-based vulnerability scanner.
Pass-the-Hash - Not a password cracker: pass-the-hash is a technique, implemented in toolkits
such as Impacket and Mimikatz, that authenticates to Windows (NTLM) services with a captured
password hash directly, so the password itself never needs to be cracked.
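Nmap's output is only useful once it is compared with what the owner says should be exposed. The script below is an added example, not part of the lecture: it parses the XML that Nmap writes with -oX, lists the open ports, and flags any that are not on an agreed allowlist, which is exactly the check needed for test case 10 below and the hand-off into the vulnerability-assessment stage. The XML is constructed to mirror Nmap's real structure (nmaprun/host/ports/port/state/service); the host, ports and versions in it are made up.

```python
"""Triage Nmap -oX output against an allowlist of expected services.

Added example, not part of the lecture. The XML below is constructed to
mirror the element and attribute names Nmap emits; the addresses, ports
and versions are made up.
"""
from dataclasses import dataclass
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.5">
<host><status state="up"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.41"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.7.33"/></port>
<port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
</ports></host></nmaprun>"""

# Services the system owner has agreed should be reachable: (host, protocol, port).
EXPECTED = {("10.0.0.5", "tcp", 22), ("10.0.0.5", "tcp", 80)}


@dataclass(frozen=True)
class OpenPort:
    host: str
    proto: str
    port: int
    service: str
    product: str   # "product version" as reported by -sV, or "" if unknown


def open_ports(nmap_xml):
    """Return every port Nmap reported as open, with its service banner."""
    root = ET.fromstring(nmap_xml)
    found = []
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        host_ip = addr.get("addr") if addr is not None else "unknown"
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue   # closed/filtered ports are not attack surface
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = ""
            if svc is not None:
                product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            found.append(OpenPort(host_ip, port.get("protocol"),
                                  int(port.get("portid")), name, product))
    return found


def unexpected_ports(ports, expected=EXPECTED):
    """Open ports that nobody signed off on: each one is a finding."""
    return [p for p in ports if (p.host, p.proto, p.port) not in expected]


def triage_report(nmap_xml, expected=EXPECTED):
    """Summary handed to the vulnerability-assessment stage."""
    ports = open_ports(nmap_xml)
    unexpected = unexpected_ports(ports, expected)
    return {
        "open": len(ports),
        "unexpected": [f"{p.host}:{p.port}/{p.proto} {p.service} "
                       f"({p.product or 'unidentified'})" for p in unexpected],
        # Anything with a product/version string is a candidate for a CVE lookup.
        "versioned": [p for p in ports if p.product],
    }


if __name__ == "__main__":
    report = triage_report(SAMPLE_NMAP_XML)
    print(f"{report['open']} open ports, {len(report['unexpected'])} unexpected")
    for line in report["unexpected"]:
        print("  FINDING:", line)
```

In the sample, the database port 3306 is open but absent from the allowlist, so it is reported as a finding; the allowlist itself should come from the scoping document, not from the tester's guess about what looks normal.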

Below are some generic test cases; not all of them apply to every application.
1. Check whether the web application can detect and reject spam submissions on the contact
forms used on the website.
2. Proxy server: check whether network traffic passes through a monitored proxy appliance. A
proxy hides internal addressing from outside parties and gives a control point for outbound
traffic, which makes it harder for attackers to learn internal details of the network.
3. Spam email filters: verify that incoming and outgoing email traffic is filtered and that
unsolicited email is blocked.
4. Many email clients come with built-in spam filters that need to be configured to your needs.
These configuration rules can be applied to email headers, subject or body.
5. Firewall: make sure the entire network and all computers are protected by firewalls. A
firewall can be software or hardware that blocks unauthorized access to a system; with egress
filtering it can also prevent data being sent outside the network without permission.
6. Try to exploit all in-scope servers, desktop systems, printers and network devices.
7. Verify that usernames and passwords are transmitted only over encrypted connections such
as HTTPS, and that passwords are stored as salted hashes, never in plain text.
8. Verify the information stored in cookies. A session cookie should contain only an
unpredictable identifier, not readable user data, and should carry the Secure, HttpOnly and
SameSite attributes.
9. Re-test previously found vulnerabilities to check that the fix is working.
10. Verify that no unnecessary ports are open on the network; every open port should map to an
approved service.
11. Verify all telephone devices.
12. Verify Wi-Fi network security.
13. Verify all HTTP methods. PUT, DELETE and TRACE should be disabled on a web server
unless the application (a REST API, for example) actually needs them.
14. Verify that passwords meet the required standard. A common baseline is at least 8
characters including at least one number and one special character; note that current guidance
(NIST SP 800-63B) favours length and screening against breached-password lists over
composition rules.
15. Default or guessable administrative usernames such as "admin" or "administrator" should
not be in use.
16. The application login should lock or throttle the account after a few unsuccessful attempts.
17. Error messages should be generic and should not reveal specifics such as "Invalid username"
or "Invalid password", which let an attacker enumerate valid accounts.
18. Verify that special characters, HTML tags and scripts supplied as input are handled properly
(rejected, sanitized, or encoded on output).
19. Internal system details should not be revealed in any error or alert message.
20. Custom error pages should be displayed to end users when a page crashes, rather than the
framework's default stack trace.
21. Verify the use of Windows registry entries. Sensitive information should not be kept in the
registry.
22. All uploaded files must be scanned (and their type checked) before they are stored on the
server.
23. Sensitive data should not be passed in URLs when communicating between the internal
modules of the web application, since URLs end up in logs, browser history and Referer headers.
24. There should be no hard-coded username or password in the system.
25. Verify all input fields with very long input strings, with and without spaces.
26. Verify that the password-reset function is secure (single-use, expiring tokens; no username
enumeration).
27. Verify the application for SQL injection.
28. Verify the application for cross-site scripting.
29. Important input validation must be done on the server side; client-side JavaScript checks
can be bypassed.
30. Critical resources in the system should be available to authorized persons and services only.
31. All access logs should be maintained with proper access permissions.
32. Verify that the user session is invalidated on the server upon logout.
33. Verify that directory browsing is disabled on the server.
34. Verify that all applications and database versions are up to date.
35. Manipulate URL parameters to check that the web application does not expose unintended
information.
36. Test for memory leaks and buffer overflows, chiefly in native components.
37. Verify that incoming network traffic is scanned for trojans and other malware.
38. Verify that the system is protected from brute-force attacks, the trial-and-error method of
guessing sensitive information such as passwords.
39. Verify that the system or network is protected from denial-of-service (DoS) attacks, in which
an attacker floods a network or a single computer with continuous requests until the resources
of the target are exhausted and legitimate requests are denied service.
40. Verify the application for HTML script injection attacks.
41. Verify against COM and ActiveX attacks (legacy Windows clients).
42. Verify against spoofing attacks. Spoofing takes many forms, starting with IP address
spoofing and email sender spoofing.
43. Also test the network-level and out-of-band variants: ARP spoofing, Referer spoofing,
caller ID spoofing, poisoning of file-sharing networks and GPS spoofing.
44. Check for uncontrolled format-string bugs, which can crash the application or let an attacker
read memory or execute code.
45. Verify against XML injection (including XML external entity, XXE, attacks), used to alter the
intended logic of the application.
46. Verify against canonicalization attacks.
47. Verify that error pages do not display information that could help an attacker get into the
system.
48. Verify whether critical data such as passwords is stored in unprotected files on the system.
49. Verify whether the application returns more data than the client actually needs.
These are just basic test scenarios to get started with a penetration test. There are hundreds of
more advanced techniques, applied either manually or with the help of automation tools.
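Several of the checks above (8, 13, 17, 19/20/47 and 23) can be scripted once the tester has captured the relevant responses. The script below is an added example and not part of the lecture: each function implements one check over a constructed observation (an Allow header, a Set-Cookie header, two login responses, an error page body, a URL) and a small driver turns the results into findings. The observations are made up; the header names, cookie attributes and leak signatures are standard.

```python
"""Scripted verification of some of the generic web test cases.

Added example, not part of the lecture. All observations below are
constructed, not captured from a real application.
"""
import re
from urllib.parse import urlparse, parse_qs

RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}
COOKIE_FLAGS = ("Secure", "HttpOnly", "SameSite")
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "session", "ssn", "apikey", "api_key"}
LEAK_PATTERNS = [  # signatures of internals that should never reach an end user
    ("python-traceback", re.compile(r"Traceback \(most recent call last\)")),
    ("java-stacktrace", re.compile(r"\bat [\w.$]+\(\w+\.java:\d+\)")),
    ("sql-error", re.compile(r"You have an error in your SQL syntax|ORA-\d{5}|SQLSTATE\[", re.I)),
    ("filesystem-path", re.compile(r"(?:/var/www|/home/\w+|[A-Z]:\\inetpub)", re.I)),
]


def dangerous_methods(allow_header, required=frozenset()):
    """Test case 13: risky methods advertised in an OPTIONS 'Allow' header.
    REST APIs legitimately use PUT/DELETE, so the caller passes what it needs."""
    advertised = {m.strip().upper() for m in allow_header.split(",") if m.strip()}
    return sorted((advertised & RISKY_METHODS) - set(required))


def cookie_missing_flags(set_cookie_header):
    """Test case 8: a session cookie should carry Secure, HttpOnly and SameSite."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie_header.split(";")[1:]}
    return [flag for flag in COOKIE_FLAGS if flag.lower() not in attrs]


def login_responses_distinguishable(unknown_user, wrong_password):
    """Test case 17: responses to a bad username and to a bad password must be
    identical, otherwise usernames can be enumerated. Each is (status, body).
    Timing differences matter too but are not measured here."""
    return unknown_user != wrong_password


def error_page_leaks(body):
    """Test cases 19, 20 and 47: internal details in error output."""
    return [name for name, pattern in LEAK_PATTERNS if pattern.search(body)]


def sensitive_params_in_url(url):
    """Test case 23: secrets must not travel in the query string."""
    query = parse_qs(urlparse(url).query)
    return sorted(k for k in query if k.lower() in SENSITIVE_PARAMS)


OBSERVED = {  # constructed observations from a hypothetical target
    "allow_header": "GET, HEAD, POST, OPTIONS, PUT, DELETE, TRACE",
    "required_methods": {"PUT"},   # the app's REST API really uses PUT
    "session_cookie": "sessionid=9f3c2a; Path=/; HttpOnly",
    "login_bad_user": (200, "Invalid username"),
    "login_bad_password": (200, "Invalid password"),
    "error_body": 'Traceback (most recent call last):\n  File "/var/www/app/views.py", line 42',
    "reset_url": "https://app.example/reset?user=bob&token=4e9a1b",
}


def run_checks(obs):
    """Run every check and return the list of findings (empty list = all passed)."""
    findings = []
    methods = dangerous_methods(obs["allow_header"], obs["required_methods"])
    if methods:
        findings.append("unneeded HTTP methods enabled: " + ", ".join(methods))
    flags = cookie_missing_flags(obs["session_cookie"])
    if flags:
        findings.append("session cookie missing flags: " + ", ".join(flags))
    if login_responses_distinguishable(obs["login_bad_user"], obs["login_bad_password"]):
        findings.append("login error messages allow username enumeration")
    leaks = error_page_leaks(obs["error_body"])
    if leaks:
        findings.append("error page leaks internals: " + ", ".join(leaks))
    params = sensitive_params_in_url(obs["reset_url"])
    if params:
        findings.append("sensitive parameters in URL: " + ", ".join(params))
    return findings


if __name__ == "__main__":
    for finding in run_checks(OBSERVED):
        print("FINDING:", finding)
```

Run against the constructed observations it produces five findings, one per check. The value of scripting these is in test case 9: once the developers report a fix, the same checks re-run unchanged against the new build, so regressions show up without a second manual pass.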

Disadvantages of Penetration Testing


Penetration testing cannot find all vulnerabilities in a system. It is limited by time, budget,
scope and the skills of the penetration testers, and it reflects the system only as it was on the
day of the test.
Testing a live system can have the following side effects:
 Data loss and corruption
 Downtime
 Increased costs
A written scope, rules of engagement, agreed testing windows and verified backups reduce these
risks.

Further Reading:
Pen Testing Standards
 PCI DSS (Payment Card Industry Data Security Standard)
 OWASP (Open Web Application Security Project)
 ISO/IEC 27002
 OSSTMM (Open Source Security Testing Methodology Manual)
Certifications
 GPEN (GIAC Penetration Tester)
 Associate Security Tester (AST)
 Senior Security Tester (SST)
 Certified Penetration Tester (CPT)
