Types and Phases of Penetration Testing

Types and Phases of Penetration Testing

Phases of penetration testing :

Reconnaissance :

Reconnaissance is the process of investigating, examining and analyzing the target organization in order to gather information about it from publicly available sources, such as domain registration services, websites, and so on. Several people include techniques such as social engineering and dumpster diving in the recon phase or reconnaissance phase.IT is basically, information gathering phase.The more you will be able to gather information about target the more will be the success.

Scanning :

Scanning is the process of finding openings in the target organization, such as wireless access points, lnternet gateways, available systems, vulnerability lists, and port listening.

vulnerability Scanning :

The automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers.

Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security.

Vulnerability scanning typically refers to the scanning of systems that are connected to the Internet but can also refer to system audits on internal networks that are not connected to the Internet in order to assess the threat of rogue software or malicious employees in an enterprise.

 Example of vulnerability with Nessus:

                               

Port Scanning : 

Port scanner is an application designed to probe a server or host for open ports. This is often used by administrators to verify security policies of their networks and by attackers to identify services running on a host and exploit vulnerabilities. A port scan or portscan is a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port; this is not a nefarious process in and of itself.^[1] The majority of uses of a port scan are not attacks, but rather simple probes to determine services available on a remote machine.

Types of scanning :

TCP scanning

The simplest port scanners use the operating system's network functions and are generally the next option to go to when SYN is not a feasible option (described next). Nmap calls this mode connect scan, named after the Unix connect() system call. If a port is open, the operating system completes the TCP three-way handshake, and the port scanner immediately closes the connection to avoid performing a Denial of service. Otherwise an error code is returned. This scan mode has the advantage that the user does not require special privileges. However, using the OS network functions prevents low-level control, so this scan type is less common. This method is "noisy", particularly if it is a "portsweep": the services can log the sender IP address and Instrusion detection system can raise an alarm.

SYN scanning

SYN scan is another form of TCP scanning. Rather than use the operating system's network functions, the port scanner generates raw IP packets itself, and monitors for responses. This scan type is also known as "half-open scanning", because it never actually opens a full TCP connection. The port scanner generates a SYN packet. If the target port is open, it will respond with a SYN-ACK packet. The scanner host responds with an RST packet, closing the connection before the handshake is completed. If the port is closed but unfiltered, the target will instantly respond with a RST packet.

The use of raw networking has several advantages, giving the scanner full control of the packets sent and the timeout for responses, and allowing detailed reporting of the responses. There is debate over which scan is less intrusive on the target host. SYN scan has the advantage that the individual services never actually receive a connection. However, the RST during the handshake can cause problems for some network stacks, in particular simple devices like printers. There are no conclusive arguments either way.

UDP scanning

UDP scanning is also possible, although there are technical challenges. UDP is a connectionless protocol so there is no equivalent to a TCP SYN packet. However, if a UDP packet is sent to a port that is not open, the system will respond with an ICMP port unreachable message. Most UDP port scanners use this scanning method, and use the absence of a response to infer that a port is open. However, if a port is blocked by afirewall, this method will falsely report that the port is open. If the port unreachable message is blocked, all ports will appear open. This method is also affected by ICMP rate limiting.

An alternative approach is to send application-specific UDP packets, hoping to generate an application layer response. For example, sending a DNS query to port 53 will result in a response, if a DNS server is present. This method is much more reliable at identifying open ports. However, it is limited to scanning ports for which an application specific probe packet is available. Some tools (e.g., nmap) generally have probes for less than 20 UDP services, while some commercial tools (e.g., nessus) have as many as 70. In some cases, a service may be listening on the port, but configured not to respond to the particular probe packet.

ACK scanning

ACK scanning is one of the more unusual scan types, as it does not exactly determine whether the port is open or closed, but whether the port is filtered or unfiltered. This is especially good when attempting to probe for the existence of a firewall and its rulesets. Simple packet filtering will allow established connections (packets with the ACK bit set), whereas a more sophisticated stateful firewall might not.^[5]

Window scanning

Rarely used because of its outdated nature, window scanning is fairly untrustworthy in determining whether a port is opened or closed. It generates the same packet as an ACK scan, but checks whether the window field of the packet has been modified. When the packet reaches its destination, a design flaw attempts to create a window size for the packet if the port is open, flagging the window field of the packet with 1's before it returns to the sender. Using this scanning technique with systems that no longer support this implementation returns 0's for the window field, labeling open ports as closed.

FIN scanning

Since SYN scans are not surreptitious enough, firewalls are, in general, scanning for and blocking packets in the form of SYN packets. FIN packets can bypass firewalls without modification. Closed ports reply to a FIN packet with the appropriate RST packet, whereas open ports ignore the packet on hand. This is typical behavior due to the nature of TCP, and is in some ways an inescapable downfall.

Other scan types

Some more unusual scan types exist. These have various limitations and are not widely used. Nmap supports most of these.

• X-mas and Null Scan - are similar to FIN scanning, but:
  • X-mas sends packets with FIN, URG and PUSH flags turned on like a Christmas tree
  • Null sends a packet with no TCP flags set
• Protocol scan - determines what IP level protocols (TCP, UDP, GRE etc.) are enabled.
• Proxy scan - a proxy (SOCKS or HTTP) is used to perform the scan. The target will see the proxy's IP address as the source. This can also be done using some FTP servers.
• Idle scan - Another method of scanning without revealing one's IP address, taking advantage of the predictable IP ID flaw.
• CatSCAN - Checks ports for erroneous packets.
• ICMP scan - determines if a host responds to ICMP requests, such as echo (ping), netmask, etc.

Example of port scanning with NMAP :

Types of penetration tests :

• Denial of Service (DoS) testing
  Denial of service testing involves attempting to exploit specific weaknesses on a system by exhausting the target's resources that will cause it to stop responding to legitimate requests. This testing can be performed using automated tools or manually. The different types of DoS can be broadly classified into software exploits and flooding attacks. Decisions regarding the extent of Denial of Service testing to be incorporated into a penetration testing exercise depend on the relative importance of ongoing, continued availability of the information systems and related processing activities. Denial of service can take a number of formats; those that are important to test for are listed below:
  • Resource overload – these attacks intend to overload the resources (i.e. memory) of a target so that it no longer responds.
  • Flood attacks – this involves sending a large amount of network requests with the intention of overloading the target. This can be performed via:
    ICMP (Internet Control Message Protocol), known as "smurf" attacks
    UDP (User Datagram Protocol), known as "fraggle" attacks
  • Half open SYN attack - this involves partially opening numerous TCP connections on the target, so that legitimate connections could not be started.
• Out-of-band attacks – these attempt to crash targets by breaking IP header                 standards:
  • • Oversized packets (ping of death) – the packet header indicates that there is more data in the packet than there actually is.
    • Fragmentation (teardrop attack) – sends overlapping fragmented packets (pieces of packets) which are under length.
    • IP source address spoofing (land attack) – causes a computer to create a TCP connection to itself.
    • Malformed UDP packet header (UDP bomb) – UDP headers indicate an incorrect length.
• Application security testing
  With the growth of ebusiness, core business functionality is now being offered through Web-based applications. While Internet facing applications give an organization the much needed global customer reach, providing access to partners inside the intranet introduces new security vulnerabilities because, even with a firewall and other monitoring systems, security can be compromised, since traffic must be allowed to pass through the firewall. The objective of application security testing is to evaluate the controls over the application (electronic commerce servers, on-line financial applications, distributed applications, and Internet front ends to legacy systems) and its process flow. Topics to be evaluated may include the application's usage of encryption to protect the confidentiality and integrity of information, how users are authenticated, integrity of the Internet user's session with the host application, and use of cookies – a block of data stored on a customer's computer that is used by the Web server application.
  Let's take a look at some important components of application testing:
• Code review: Code reviews involve analysing all the application-based code to ensure that it does not contain any sensitive information that an intruder might use to exploit an application. For example: Publicly available application code may include test comments, names or clear text passwords that will give an intruder a great deal of information about the application.
• Authorization testing: Involves testing the systems responsible for the initiation and maintenance of user sessions. This will require testing:
  • Input validation of login fields – bad characters or overlong inputs can produce unpredictable results;
  • Cookie security – cookies can be stolen and legitimate sessions can be used by an unauthorised individual; and
  • Lockout testing – testing the timeout and intrusion lockout parameters set in the application, to ensure legitimate sessions cannot be hijacked.
  This is performed to discover whether the login system can be forced into permitting unauthorised access. The testing will also reveal whether the system is susceptible to denial of service attacks using the same techniques.
• Functionality testing: This involves testing the systems responsible for the application's functionality as presented to a user. This will require testing:
  • Input validation – bad characters, specific URLs or overlong inputs can produce unpredictable results; and
  • Transaction testing – ensuring that the application performs to specification and does not permit the user to abuse the system.
• War dialing
  War dialling is a technique for systematically calling a range of telephone numbers in an attempt to identify modems, remote access devices and maintenance connections of computers that may exist on an organization's network. Using war dialing tactics, a hacker maybe able to locate vulnerable out of band entry points into an organization and manipulate them to access the network. The ignorance of IT staff in considering the phone network, as a possible primary access point is one of the main factor in the growth of these attacks. For example: leaving open modems on critical network servers, routers and other devices can inadvertently expose an entry point inside the organization's network. In this testing, once a modem or other access device has been identified, analysis and exploitation techniques are performed to assess whether this connection can be used to penetrate the organization's information systems network.
• Penetration testing for wireless networks
  The introduction of wireless networks, whether inside corporate network infrastructure or common homes, introduces additional security exposures that are much more threatening than wired network attacks. Since, the only boundary wireless networks know are their signals, it becomes easy for hackers to identify wireless networks simply by "driving" or walking around office buildings with their wireless network equipment- this technique is known as "war driving". Once an open wireless access point is found, the war driver usually maps it, so at the end he would have a map of access points with their properties (SSID, WEP, MAC etc.). The goal of wireless network testing is to identify security gaps or flaws in the design, implementation or operation of the organization's wireless network.
• Social engineering 
  Often used in conjunction with blind and double blind testing, social engineering refers to techniques of exploiting the very human nature (the most exploited of all being the human sense of trust and helping gesture) with the objective of gathering information. This is done using social interaction, typically with the organization's employees, suppliers and contractors, to gather information and penetrate the organization's systems. Such techniques could include:
  • Non face-to-face: Posing as a representative of the IT department's help desk and asking users to divulge their user account and password information;
  • Face-to-face or advanced social engineering: Posing as an employee and gaining physical access to restricted areas that may house sensitive information; intercepting mail, courier packages or even trash (dumpster diving) to search for sensitive information on printed materials.
  Social engineering activities can test a less technical, but equally important, security component: the ability of the organization's people to contribute to or prevent unauthorized access to information and information systems. This also helps determine the level of security awareness among employees.