How to do Penetration Testing

Professional Penetration Testing

When it comes to hacking, whether ethical or not, many of us picture a dark room full of monitors and a bespectacled professional whose eyes are red from constant lack of sleep. Can only a professional geek really hack a system, and is it really necessary to involve only such experts to test the security of your systems? Could a competent IT specialist, equipped with hacker tools and a logical methodology, produce a high-quality result? Let's try to figure it out.

To understand the components of a modern security testing methodology, we need to consider its main "building blocks", the basic approaches: the classic penetration test, vulnerability scanning and configuration analysis.

Penetration test

During a penetration test, the security tester acts like a real attacker: he finds the vulnerabilities that are easiest to exploit, exploits them and gains access to the information he needs. Typically the goal is to obtain administrative access or access to specific information (for example, data on the salaries of top managers).

The key feature of penetration testing is that not all available vulnerabilities are searched for, only those needed to reach the chosen goals (as in a real break-in). Since vulnerabilities are exploited for real, negative consequences are possible: hung services, server reboots, headaches for system administrators, and the information security manager getting an earful from the company's management.

Scanning for vulnerabilities

Imagine that you decide to hack a website with your bare hands. What will you do? First of all, try to determine the version of the web server and/or CMS the site is using. Why? So that you can "google" it and find information about already known vulnerabilities and available exploits. This is what attackers did 15 years ago, and they are doing the same now.

This process can be automated, which is what numerous developers of security analysis tools have done: vulnerability scanners appeared. Of course, scanners do not use Google; they look up vulnerability information in their own database.

Vulnerability scanning lets you quickly "shovel through" the IT infrastructure and find problem areas. But the scanner works linearly and can miss interesting combinations of vulnerabilities that together create a serious security hole.
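The core of what a scanner does at this point (read a version off a banner, compare it with a local database) fits in a few lines. The following is an added illustration, not code from the article or from any scanner product; the knowledge base, advisory ids and HTTP responses are constructed placeholders. It also shows the two limits the text mentions: every finding stands alone, so a chain of small issues is invisible, and once the administrator hides the banner the scanner simply learns nothing about that component.

```python
import re

# Constructed stand-in for a scanner's vulnerability database:
# product -> list of (first fixed version, advisory id, title).
# Versions and advisory ids are placeholders, not real records.
KNOWLEDGE_BASE = {
    "Apache": [("2.4.50", "ADV-PLACEHOLDER-1", "example httpd path traversal")],
    "nginx": [("1.20.1", "ADV-PLACEHOLDER-2", "example nginx resolver bug")],
    "WordPress": [("5.8.3", "ADV-PLACEHOLDER-3", "example WordPress injection")],
}

# "Server: Apache/2.4.49 (Unix)" or "Server: nginx/1.18.0" in the response headers
SERVER_RE = re.compile(r"^Server:\s*(Apache|nginx)/(\d+(?:\.\d+)*)", re.M)
# CMS "generator" meta tag in the HTML body
GENERATOR_RE = re.compile(r'<meta name="generator" content="(WordPress) (\d+(?:\.\d+)*)"')


def version_tuple(version):
    """'2.4.49' -> (2, 4, 49) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def fingerprint(http_response):
    """Return the (product, version) pairs readable from a raw HTTP response."""
    found = []
    for regex in (SERVER_RE, GENERATOR_RE):
        for match in regex.finditer(http_response):
            found.append((match.group(1), match.group(2)))
    return found


def lookup(product, version):
    """Match one fingerprint against the knowledge base, as a scanner would."""
    findings = []
    for fixed_in, advisory, title in KNOWLEDGE_BASE.get(product, []):
        if version_tuple(version) < version_tuple(fixed_in):
            findings.append({"product": product, "version": version,
                             "fixed_in": fixed_in, "advisory": advisory,
                             "title": title})
    return findings


def scan(http_response):
    """Flat list of per-product findings. Each entry stands alone: a chain of
    individually minor issues that adds up to a break-in is not represented
    here, which is exactly the gap the text describes."""
    findings = []
    for product, version in fingerprint(http_response):
        findings.extend(lookup(product, version))
    return findings


# Constructed sample response (not a real capture) of an outdated stack.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.49 (Unix)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 5.8.2"></head></html>'
)

# Same site after the admin hides the httpd version (ServerTokens Prod):
# the CMS is still fingerprinted, the web server is not.
HIDDEN_BANNER_RESPONSE = SAMPLE_RESPONSE.replace("Apache/2.4.49 (Unix)", "Apache")

if __name__ == "__main__":
    for f in scan(SAMPLE_RESPONSE):
        print(f"{f['product']} {f['version']} < {f['fixed_in']}: "
              f"{f['advisory']} ({f['title']})")
```

A real scanner adds thousands of fingerprints and checks that go beyond version strings, but the matching logic is this: a banner, a comparison, a database row. Anything not in the database, or not visible from outside, is not found.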

Consider the following example. A large manufacturing company ordered security testing. On the first day of internal testing, at the reception desk, we notice an account password on a sticky note, written down by the secretary's caring hand. We discreetly photograph it, and five minutes later, using this account, we launch a special utility to search for "shared" folders (such a scanner is now included in the Metasploit Framework itself). As a result, we find the workstation of a technical support employee responsible for deploying OS images onto the machines of the company's new employees.

For his own convenience (and ours), this IT specialist had "shared" a folder with prepared images for everyone. We did not fail to take advantage of this courtesy: we "pulled out" the hash of the local administrator password, which we cracked overnight. Full access to all workstations of the enterprise was obtained in one day! A regular scanner would have found the "shared" folder, but it could neither look inside nor crack the hash.

An important interim takeaway: Vulnerability scanners speed up testing, but by no means make it complete.

Configuration analysis

Any component of the IT infrastructure (OS, DBMS, active network equipment, etc.) contains a lot of settings that determine its level of security. The correct settings can be found in the vendor's documentation or in articles by experts sharing their experience. Based on such materials, organisations such as the National Institute of Standards and Technology and the Center for Internet Security have for many years been preparing checklists that allow the configuration of various systems to be audited. Similar closed projects exist within the IT audit communities of the Big Four companies (BIG4).

Configuration analysis can be carried out both manually and with automated tools, but in either case it requires administrative access to the system being checked. It is like having the sysadmin sit down with us and show us everything. Configuration analysis is the safest option for security analysis, but also the longest.
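What an automated configuration check looks like in practice: an added example, not from the article and not an actual CIS or NIST benchmark, that audits an OpenSSH server configuration against a small checklist in the same spirit. The checklist entries, their rationales and the sample sshd_config are constructed for illustration. Two details matter for correctness and are easy to get wrong in a home-grown audit: sshd uses the first occurrence of a directive (so a later "fix" appended to the file changes nothing), and a directive that is absent takes its default, which must be judged as well.

```python
import re

# Constructed checklist in the spirit of a CIS/NIST benchmark (not an actual
# benchmark): directive -> (sshd default when absent, predicate on the
# effective value, rationale shown in the report).
CHECKLIST = {
    "PermitRootLogin":        ("prohibit-password", lambda v: v == "no",
                               "root must come in through a named account"),
    "PasswordAuthentication": ("yes", lambda v: v == "no",
                               "keys only; removes password guessing"),
    "PermitEmptyPasswords":   ("no", lambda v: v == "no",
                               "empty passwords are never acceptable"),
    "X11Forwarding":          ("no", lambda v: v == "no",
                               "reduces attack surface"),
    "MaxAuthTries":           ("6", lambda v: v.isdigit() and int(v) <= 4,
                               "limits guesses per connection"),
    "LogLevel":               ("INFO", lambda v: v.upper() in {"INFO", "VERBOSE"},
                               "needed for incident response"),
}


def parse_sshd_config(text):
    """Effective global directives of an sshd_config.

    sshd applies the first occurrence of a directive, so duplicates further
    down are ignored here too. Lines under a 'Match' block are conditional and
    are deliberately excluded from the global view (a simplification of this
    example; a full audit evaluates each Match context separately)."""
    effective = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0], parts[1].strip()
        if key.lower() == "match":
            in_match = True
            continue
        if in_match:
            continue
        # keywords are case-insensitive; normalise to the checklist's spelling
        canonical = next((k for k in CHECKLIST if k.lower() == key.lower()), key)
        effective.setdefault(canonical, value)       # first value wins
    return effective


def audit(text):
    """Return deviations as (directive, effective value, where it came from, rationale)."""
    effective = parse_sshd_config(text)
    deviations = []
    for directive, (default, ok, why) in CHECKLIST.items():
        if directive in effective:
            value, source = effective[directive], "config"
        else:
            value, source = default, "default (directive absent)"
        if not ok(value):
            deviations.append((directive, value, source, why))
    return deviations


# Constructed sample sshd_config, not taken from any real host.
SAMPLE_CONFIG = """\
# Managed by hand, last touched years ago
Port 22
PermitRootLogin yes
MaxAuthTries 3
X11Forwarding no
PermitRootLogin no        # appended later: ignored by sshd, first value wins
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for directive, value, source, why in audit(SAMPLE_CONFIG):
        print(f"FAIL {directive} = {value!r} [{source}]: {why}")
```

On the sample, the audit reports two deviations: root login is permitted (the appended "no" never takes effect), and password authentication is enabled by default, because the only place it is turned off is a Match block that applies to one user. Reading the file is the easy part; this is why configuration analysis needs the administrator's access and the administrator's time.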

Having dealt with the three approaches to security testing, it is time to remember that all of this should be done for a specific purpose.

Security testing objectives

Increasingly, customers of security testing voice the following two goals: to identify the maximum number of real vulnerabilities in order to close them quickly, and to check the vigilance of company employees.


None of the considered approaches on its own can deliver full testing against these goals. A pure penetration test will not cover all available vulnerabilities; limiting ourselves to vulnerability scanning, we will bury ourselves in a large number of garbage detections; and the configuration errors discovered during configuration analysis will not always lead to a real opportunity for penetration. The approaches must be combined.

Comprehensive security testing

To form an approach to comprehensive security testing, it is advisable to take the attackers' sequence of actions and add the use of effective tools that real hackers cannot afford because those tools would give them away.

We divide the security testing process into the following stages, matching the stages of a real attack:
  • search for targets;
  • search for vulnerabilities;
  • exploitation;
  • expansion of privileges and zones of influence.
Step 1. Finding targets

This is the only stage that may be absent from a security testing project: when the customer has handed us the list of targets up front.

If the testing is external and the customer has told us only the name of the company, then at this stage we carry out full-fledged Internet reconnaissance, the targets of which are the information resources of the customer and its employees (especially if the project involves the use of social engineering methods).

At this step we study:
  • sites related to the customer's company, from which we find out domain names, email addresses, organisation structure, etc.;
  • job sites: we carefully read whom the customer's CIO is looking for (job descriptions often describe in detail the technologies used in the company);
  • social networks: we collect data on employees who use them;
  • websites of IT solution and service providers that boast about what, when and how they did something for our customer;
  • the whois service: we find out which networks are registered to the customer or which providers' IP addresses it uses;
  • DNS servers: we find out whether the customer has resources with third-level domain names (vpn.ooo-romashka.ru, ftp.ooo-romashka.ru, etc.) and determine which mail services it uses.
As a result, we generate a list of IP addresses of information resources associated with the customer, lists of employees, etc.
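The DNS part of this inventory is the one a defender can reproduce exactly, from their own zone, before anyone else does it from outside. The following is an added example (not from the article): a minimal BIND-style zone parser that lists third-level names, address ranges, external mail providers and SPF includes for the fictitious ooo-romashka.ru domain used in the text. The zone content, addresses and provider names are constructed. The interesting output on this sample is the forgotten old-crm host living in a different address block from everything else, precisely the kind of resource that ends up on an attacker's target list and off the customer's.

```python
import re

# Constructed zone export for the fictitious domain from the text; no record
# here is real. Uses documentation address ranges only.
SAMPLE_ZONE = """\
$ORIGIN ooo-romashka.ru.
@        IN  SOA   ns1.ooo-romashka.ru. hostmaster.ooo-romashka.ru. (2024010101 3600 900 604800 300)
@        IN  NS    ns1.ooo-romashka.ru.
@        IN  A     198.51.100.10
www      IN  A     198.51.100.10
vpn      IN  A     198.51.100.20
ftp      IN  A     198.51.100.21
old-crm  IN  A     203.0.113.5        ; nobody remembers this one
mail     IN  CNAME mx.hosted-mail.example.
@        IN  MX 10 mx.hosted-mail.example.
@        IN  TXT   "v=spf1 include:_spf.hosted-mail.example ip4:198.51.100.0/24 -all"
"""


def parse_zone(text):
    """Minimal zone-file parser: returns (origin, [(fqdn, type, rdata), ...]).
    Handles the common 'NAME [TTL] [IN] TYPE RDATA' layout, ';' comments and
    $ORIGIN; multi-line parenthesised records are not supported (simplification)."""
    origin, records = None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        name, *rest = line.split()
        while rest and (rest[0].upper() == "IN" or rest[0].isdigit()):
            rest.pop(0)                      # skip class and optional TTL
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name.rstrip(".")
        else:
            fqdn = f"{name}.{origin}"
        records.append((fqdn, rtype, rdata))
    return origin, records


def inventory(zone_text):
    """Attack-surface summary of one zone: the defender's version of step 1."""
    origin, records = parse_zone(zone_text)
    hosts, addresses, external_mx, spf_includes = {}, set(), [], []
    for fqdn, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            hosts.setdefault(fqdn, set()).add(rdata)
            addresses.add(rdata)
        elif rtype == "CNAME":
            hosts.setdefault(fqdn, set()).add("CNAME " + rdata.rstrip("."))
        elif rtype == "MX":
            target = rdata.split()[-1].rstrip(".")
            if target != origin and not target.endswith("." + origin):
                external_mx.append(target)   # mail handled by a third party
        elif rtype == "TXT" and rdata.strip('"').startswith("v=spf1"):
            spf_includes += re.findall(r"include:(\S+)", rdata)
    return {
        "origin": origin,
        "third_level": sorted(h for h in hosts if h != origin),
        "hosts": hosts,
        "addresses": sorted(addresses),
        "external_mx": external_mx,
        "spf_includes": spf_includes,
    }


if __name__ == "__main__":
    result = inventory(SAMPLE_ZONE)
    for host in result["third_level"]:
        print(host, sorted(result["hosts"][host]))
    print("address space:", result["addresses"])
    print("mail handled by:", result["external_mx"], "SPF includes:", result["spf_includes"])
```

The same summary, built from the live DNS rather than a zone export, is what the tester assembles in step 1; a defender who runs it against every zone the company owns, including the ones registered by marketing and the subsidiaries, gets the list first.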

In the case of internal security testing, an ethical hacker gains physical access to a network outlet, listens to network traffic and determines the IP network ranges from which he can start.

Step 2. Search for vulnerabilities

Knowing the targets, we can safely start looking for vulnerabilities. Mostly we do this with vulnerability scanners, but we do not abandon manual searching either, especially for web applications.

As a result, we get a list of potential vulnerabilities that have yet to be tested.

Important note: if at this step we work without administrative access to the systems, do not expect any scanner to show you all the vulnerabilities on a given node. To find as many vulnerabilities as possible, you will have to repeat this exercise with administrative accounts obtained with sweat and blood.

Step 3. Exploitation

After compiling a list of potential vulnerabilities, it is worth checking whether they can be exploited, and also looking for additional ones that cannot be found with scanners and Google. Why do this? There are several reasons.

Firstly, closing any vulnerability is a real headache for system administrators, who have a lot of other work. Also, there is always a chance that something will "fall off" after a patch is applied or settings are changed. Therefore it is better to burden our beloved system administrators only with real problems: the vulnerabilities that are really dangerous, and that can only be established by checking whether they can be exploited.

Secondly, there are many vulnerabilities that can only be tested by exploitation: for example, a weak password or the possibility of SQL injection or XSS.

At this step we:
  • carefully launch exploits;
  • intercept traffic using ARP poisoning;
  • guess passwords;
  • crack the extracted password hashes;
  • check for SQL injection, XSS and other attacks specific to web applications;
  • do much more, depending on the customer's specific IT infrastructure.
As a result of this step, we find out which of the discovered vulnerabilities are real, find new vulnerabilities through "live" testing and see what we can get by exploiting them.

If we get the desired administrative access, we can go back to the previous step and find even more vulnerabilities.
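The bookkeeping behind steps 2 and 3, as an added example (not the article's code or any tool's): scanner findings, configuration-audit findings and the results of live testing are merged into one list and ordered the way the text argues they should reach the sysadmins, confirmed problems first, untested scanner hits by severity next, configuration-only findings after that, and scanner hits that turned out not to be exploitable kept for the record but off the work order. Hosts, titles and outcomes below are constructed; the shared-folder item mirrors the story told earlier in the article.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    host: str
    title: str
    source: str                       # "scanner", "config" or "manual"
    severity: str                     # rating given by the scanner or benchmark
    confirmed: Optional[bool] = None  # None = not yet tried; True/False = live result
    impact: str = ""                  # what exploitation actually yielded


SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}   # anything else sorts last


def merge(scanner, config_audit, exploitation):
    """Combine the three sources into one de-duplicated list.

    `exploitation` holds (host, title, confirmed, impact) for every potential
    vulnerability that was actually tried. Entries with no scanner or config
    counterpart are vulnerabilities found only by hand (source "manual")."""
    findings = {(f.host, f.title): f for f in scanner + config_audit}
    for host, title, confirmed, impact in exploitation:
        f = findings.setdefault((host, title), Finding(host, title, "manual", "n/a"))
        f.confirmed, f.impact = confirmed, impact
    return list(findings.values())


def tier(f):
    """0 = proven exploitable, 1 = untested scanner hit, 2 = config-only,
    3 = tried and not exploitable (report, but do not page anyone)."""
    if f.confirmed is True:
        return 0
    if f.confirmed is None:
        return 1 if f.source == "scanner" else 2
    return 3


def prioritize(findings):
    """Order for the report; severity only breaks ties among untested scanner hits."""
    def key(f):
        t = tier(f)
        return (t, SEVERITY_RANK.get(f.severity, 3) if t == 1 else 0, f.host, f.title)
    return sorted(findings, key=key)


def split_for_report(findings):
    """(work order for the sysadmins, items verified as not exploitable)."""
    ordered = prioritize(findings)
    return ([f for f in ordered if tier(f) < 3], [f for f in ordered if tier(f) == 3])


# Constructed sample data, not results from any real engagement.
SCANNER = [
    Finding("srv-db", "Outdated DBMS build", "scanner", "high"),
    Finding("srv-web", "Missing security patch (example)", "scanner", "medium"),
    Finding("srv-web", "TLS 1.0 enabled", "scanner", "low"),
]
CONFIG_AUDIT = [
    Finding("srv-web", "Root login over SSH permitted", "config", "medium"),
    Finding("ws-42", "Local admin shares images folder", "config", "low"),
]
EXPLOITATION = [
    ("srv-db", "Outdated DBMS build", False, "exploit fails: fix was backported"),
    ("ws-42", "Local admin shares images folder", True,
     "local administrator hash extracted from image and cracked"),
    ("srv-web", "Weak password on admin panel", True, "admin access to web application"),
]

if __name__ == "__main__":
    work, noise = split_for_report(merge(SCANNER, CONFIG_AUDIT, EXPLOITATION))
    for f in work:
        print(f"tier {tier(f)} {f.host:8} {f.title:36} {f.impact}")
    print("not exploitable:", [(f.host, f.title) for f in noise])
```

The point of the ordering is the text's own: the "high" scanner finding on the database server drops to the bottom once live testing shows the fix was backported, while a "low" configuration item on a workstation goes to the top because it handed over the local administrator password.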

Step 4. Privilege escalation

After gaining access to a system, we try to understand what we have gained access to and whether it can be expanded within that system (for example, to administrator level) or across the entire IT infrastructure.

A simple example: having guessed a user's password for one system, we check whether this login/password pair also works for other systems.

Thus, the approach considered makes it possible to detect the maximum number of real vulnerabilities with the available tools.

Since Scanner-VS is built on Kali Linux, all the standard utilities of that collection of hacking tools are available to the user. The following tools are also implemented, used to assess the effectiveness of information security measures:
  • security analysis of Astra Linux configuration;
  • analysis of the Windows update level;
  • checksum calculation;
  • search for residual information;
  • analysis of the software and hardware in use;
  • guaranteed destruction of information on disk.