Help for Pen Testing Assignment
This document is information that may help you decide what steps to take when conducting your pen test and hopefully give you some suggestions for software.
Every penetration tester has their own set of steps, but these all fall into the same

Penetration testing assesses the strengths and weaknesses of an organization’s IT security, as well as the readiness of the facility and/or employees to respond to an attack. Pen testing, as it is often called, can be as much of an art as it is a science. It can be done by security professionals who are part of the organization being tested, or it can be done by professionals hired by that organization to assure that its IT defenses are sound (at least as sound as reasonably possible) and consistent with policy, or it can be done by black-hat hackers (the bad guys) as a part of their targeting rituals. In many cases, pen testing is done by those clueless beginners—known as script kiddies—in their search for a great story to tell.
In any case, effective penetration testing consists of five main steps: reconnaissance, scanning, vulnerability analysis (enumeration), exploitation (the actual attack), and post-attack activities, including remediation of the vulnerabilities. Before attacking a system, the pen tester first uses one or more automated tools, at least initially, to scan for and identify the vulnerabilities that could be exploited. It is important to realize that not all automated tools are the same. Some tools work against a variety of target environments (any device with an IP address on the network), whereas other tools work against only a subset of possible targets (for example, 802.11 Wi-Fi networks, ERP systems, email servers, and so on). Often, pen testers use more than one tool to help identify vulnerabilities from a number of sources. Regardless of their effectiveness against specific targets, all share the characteristic that they replace the laborious, time-consuming job of typing commands out the old-fashioned way. Sometimes the automated tools can complete the entire task of identifying vulnerabilities; just as often they are used only for targeting, with humans typing specialized commands for specialized circumstances.
Using Nessus Essentials, run a Basic Network Scan. This will list all the vulnerabilities and give solutions to fix the vulnerabilities.
Note: Network vulnerability scanners such as Nessus go far deeper than port scans, but also take much longer to complete as a result. These scans interrogate the services running on a system and test those services for the presence of known vulnerabilities. Administrators may then evaluate those vulnerabilities and prioritize them for remediation.
While Nessus is quite popular, it is a commercial tool that requires payment of a licensing fee for unrestricted use in most environments. OpenVAS originated as a fork of Nessus after its developers decided to convert Nessus into a proprietary solution in 2005. While OpenVAS is licensed under the open-source GNU General Public License, the primary developer behind OpenVAS, Greenbone Networks, offers both free and paid versions of the Greenbone Security Manager, as well as dedicated physical appliances for use in enterprise IT infrastructures. The OpenVAS project is constantly evolving, particularly as Greenbone further clarifies its branding and relationship to OpenVAS. A complete history of OpenVAS and Greenbone is available here: http://www.openvas.org/
Note: Like Nessus, the OpenVAS scan results list shows all of the vulnerabilities OpenVAS was able to detect during the selected scan. If you selected the most recent scan link from the previous page, the list shows the vulnerabilities detected in the most recent scan. The Greenbone Security Manager displays a brief description of each vulnerability, which is itself a hyperlink to a page with much more detail about each vulnerability. After the name, the GSM displays the vulnerability’s severity (how bad it is) and the QoD (Quality of Detection) score, which is a measure of how reliable the finding is, followed by the IP address and port, and finally, the date and time the vulnerability was detected. You can click any column heading to sort the report by that column to make it easier to group and view vulnerabilities. Always remember that if you want to know more about any vulnerability on the report, just click the vulnerability’s name (column).
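As an added example (not part of this handout and not Greenbone's own tooling), the script below takes a constructed CSV export shaped like the GSM results list described above and applies the prioritization the note implies: drop findings below GSM's default 70% QoD report filter, rank the rest by severity, and group them by host for the remediation discussion. The column names, hosts, and finding names are assumed or constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample shaped like a GSM "Results" CSV export.
# Column names are assumed; hosts and finding names are made up.
SAMPLE_CSV = """IP,Hostname,Port,Port Protocol,CVSS,Severity,QoD,NVT Name,Timestamp
10.0.0.5,db01,3306,tcp,7.5,High,80,Outdated database server version,2024-03-01T10:02:11Z
10.0.0.5,db01,22,tcp,5.3,Medium,50,Weak SSH cipher offered,2024-03-01T10:02:11Z
10.0.0.7,web01,443,tcp,9.8,High,97,Outdated TLS version offered,2024-03-01T10:05:40Z
10.0.0.7,web01,80,tcp,0.0,Log,80,HTTP server banner,2024-03-01T10:05:40Z
10.0.0.9,fs01,445,tcp,4.3,Medium,70,SMB signing not required,2024-03-01T10:07:02Z
"""

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Log": 0}
DEFAULT_MIN_QOD = 70  # GSM hides findings below 70% QoD by default


def parse_findings(text):
    """Read the export into dicts, converting the numeric columns."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["QoD"] = int(row["QoD"])
        row["CVSS"] = float(row["CVSS"])
    return rows


def prioritize(findings, min_qod=DEFAULT_MIN_QOD):
    """Keep reliable, non-informational findings, worst first.

    Order: severity band, then CVSS score, then QoD, all descending,
    mirroring a report sorted by the Severity column.
    """
    kept = [f for f in findings
            if f["QoD"] >= min_qod and f["Severity"] != "Log"]
    return sorted(kept, key=lambda f: (-SEVERITY_RANK[f["Severity"]],
                                       -f["CVSS"], -f["QoD"]))


def group_by_host(findings):
    """Map each IP to its 'port/proto name' lines for per-host remediation."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["IP"]].append(
            f"{f['Port']}/{f['Port Protocol']} {f['NVT Name']}")
    return dict(by_host)


if __name__ == "__main__":
    ranked = prioritize(parse_findings(SAMPLE_CSV))
    for ip, items in group_by_host(ranked).items():
        print(ip, items)
```

Lowering `min_qod` brings back findings such as the 50% QoD SSH result, which is where manual validation (the "Vulnerability Validation" component of the agreement below) earns its keep.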
Penetration Testing Agreement
This document serves to acknowledge an engagement between the Business Owner and Data Custodian (see descriptions page 2), collectively of the following system(s) or application, the University Chief Information Officer, and the University IT Security Officer.
System(s) to be tested:
Testing Time Frame: (begin) (end)
Penetration Testing Components (see descriptions page 2). Indicate the testing components that are to be completed, by initial.
Gathering Publicly Available Information
All parties, by signing below, accept and agree that:
1. The Information Security and Policy Office (ISPO) will take reasonable steps to preserve the operational status of systems, but it cannot be guaranteed.
2. The ISPO is authorized to perform the component tests listed above, at their discretion using appropriate tools and methods.
3. Test results are related to specific tests only. They indicate, but do not and cannot measure, the overall security posture (quality of protections) of an application system.
4. All information related to this testing will be treated as highly confidential Level III security data, with commensurate protections.
Signed: (Business Owner)
Testing Complete: Date:
Review/Closeout Discussion Completed (Date):
Data Custodian ‐ The technical contact(s) that have operational‐level responsibility for the capture, maintenance, and dissemination of a specific segment of information, including the installation, maintenance, and operation of computer hardware and software platforms.
Business Owner ‐ The senior official(s) within a college or departmental unit (or his/her designee) that are accountable for managing information assets.
Penetration Testing Component Descriptions:
1. Gathering Publicly Available Information ‐ Researching the environment using publicly available data sources, such as search engines and web sites.
2. Network Scanning ‐ Performing automated sweeps of IP addresses of systems provided and/or discovered, from on‐campus and off‐campus.
3. System Profiling ‐ Identification of the operating system and version numbers operating on the system, to focus subsequent tests.
4. Service Profiling ‐ Identification of the services and applications as well as their version numbers operating on the system, to further focus testing on vulnerabilities associated with the identified services discovered.
5. Vulnerability Identification ‐ Potential vulnerabilities (control weaknesses) applicable to the system are researched, tested, and identified.
6. Vulnerability Validation/Exploitation ‐ After vulnerabilities are identified, they must be validated to minimize errors (false reports of problems), which involves attempts to exploit the vulnerability.
7. Privilege Escalation ‐ Should exploitation of a vulnerability be successful, attempts are made to escalate the privileges to obtain “complete control” of the system.
Assignment: Preparing for a Penetration Test and Responding with a Report
80 points total
Learning Objectives and Outcomes
· Prepare a toolbox for penetration testing
· Prepare a report and recommendations for the contractor
Preparing for a Penetration Test – Part 1
You have just been hired to do a penetration test on a network you are not familiar with.
Think about how you will prepare and conduct this penetration test.
Here are some of the things you want to consider:
· How will you use Reconnaissance?
· What websites will you use?
· How will you use Footprinting?
· What are some of the websites you will need to footprint the network you have been assigned?
· How will you use Fingerprinting to find out essential information?
· What about scanning?
· How do you determine the Network Range and map the network?
· What if some of the OSs used are Linux?
· How will you conduct Enumeration?
· What about password cracking?
· What applications will you use?
· What password cracking techniques will you use?
· Will you escalate privileges?
· What about installing a backdoor? Is that something you want to do?
· How will you assess the wireless aspect of the network?
· What about their website?
· What kind of suggestions will you make for Incident Response?
· What kind of Defensive Technologies will you recommend?
Assume you will take your laptop and a USB drive with you to conduct the penetration test.
You may need some virtual machines with various OSs on your laptop.
List all the applicable programs and website URLs you will need on your laptop and/or USB drive.
This can take the form of a file hierarchy or a table of contents.
List the steps you will take to conduct the penetration test.
You will need to include any steps you take before the test in preparation and the steps you take to conduct the actual test.
Recommendations – Part 2
Write a report to your contractors explaining what you did to conduct the penetration test and what vulnerabilities, problems, and recommendations you have after conducting the test.
Be sure to include a security plan, incident response recommendations, and defensive technologies.
This is your opportunity to examine what is involved when conducting a penetration test.
Also, it will give you experience writing suggestions and recommendations to the parties that hired you.
Remember, this report should be written to address the people that hired you.
If you have questions, please contact me.