
Penetration Testing - Writing Inquiry

AKA Ethical Hacking


Penetration testing can be defined as a legal and authorized attempt to locate and
successfully exploit computer systems for the purpose of making those systems more secure
-Use of the same tools an attacker would make use of
-Purpose: to increase the security of a computer or network
Vulnerability assessment is the process of reviewing services and systems
for potential security issues; unlike in pen testing, there's no exploitation
White Hat and Black Hat Hackers
-Authorization: obtaining approval before performing pen testing; defines the scope of the test
-Motivation: help vs extort
-Intent: White box testing (overt testing): no concern for stealth, thorough but
unrealistic
Black box testing (covert testing): stealthy and realistic penetration test,
single exploitation

Kali Linux
Offensive Security
Virtual Machine
Advanced Package Tool (APT)
LINUX IS HUGE

Phases of Penetration Testing


Organized process
Usually a four- to seven-step process
1-Reconnaissance: information gathering, get IPs
2-Scanning: Port scanning (find open and running ports) and vulnerability scanning
(weaknesses of software and services)
3-Exploitation: Local or remote; objective of eventually taking control of the
machine
4-Post Exploitation: Creating a permanent way to control and access; exploitation
is only temporary

5-Hiding and/or Report


From broad to specific
Pivoting: hacking a machine to attack another and so on, repeating these steps in
a circle

Reconnaissance
Gathering of information; requires technological, social and researching skills;
overlook no details
Open-source intelligence: common knowledge on a company or any possible target
Important to stay in the scope of the testing
This is where related vulnerable systems are found
-Active reconnaissance: direct interaction with the target; higher likelihood
of being detected
-Passive reconnaissance: using the information available on the web; almost
impossible for a single target to track it

HTTrack: Website copier


Makes an exact offline copy of a website; allows exploring a website thoroughly
with a lower risk of being detected
Cloning a website is easier to trace and can be seen as offensive: ask for
authorization first
There are also automated tools that automatically extract information from a
website
News and Announcements are priority targets due to the possible leaks of
information
GUI version

Google Hacking

Social Engineering

Scanning

-Mapping IP addresses to open ports and services


-Most networks allow some information to flow in and out
Ports: data connections that provide a way for networks, services and software to
communicate with the hard drive; multiple ports = multiple simultaneous
connections
Some ports receive more traffic than others (front door vs backdoor)
Attackers can gather information on what the system is being used for based on
what ports are being used.
Port Number    Service
20             FTP data transfer
21             FTP control
22             SSH
23             Telnet
25             SMTP (e-mail)
53             DNS
80             HTTP
137-139        NetBIOS
443            HTTPS
445            SMB
1433           MSSQL
3306           MySQL
3389           RDP
5800           VNC over HTTP
5900           VNC

4 Sub-steps:
-Determining if the system is alive:
-Identifying the ports and services running; every open port is a potential
door to the system
-Leverage the NSE to further interrogate the ports and other findings.
NSE = tool that extends Nmap's power and flexibility; makes use of custom or
premade scripts to discover processes and vulnerabilities
Vulnerabilities may be very different. Some will allow the attacker to take complete
control of a system, while others will just give a small window to attack or none
at all

FIRST SCAN PERIMETER DEVICES (USUALLY LESS PROTECTED), THEN MAIN TARGET
not easy to get into a network unless you chain machines (PIVOTING)
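The notes above stress that active reconnaissance and port scanning carry a higher likelihood of being detected. As an added example that is not part of the original notes, here is the defender's side of that: a small Python detector that reads constructed firewall-style connection log lines, flags any source that probes at least five distinct ports inside a sliding 60-second window (so a slow, spread-out probe from the same source stays below the threshold), and labels the probed ports with the services from the table above. The log layout, the sample addresses and the thresholds are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known ports from the notes' table, used to label what a source probed.
SERVICES = {20: "FTP data", 21: "FTP control", 22: "SSH", 23: "Telnet", 25: "SMTP",
            53: "DNS", 80: "HTTP", 137: "NetBIOS", 138: "NetBIOS", 139: "NetBIOS",
            443: "HTTPS", 445: "SMB", 1433: "MSSQL", 3306: "MySQL", 3389: "RDP",
            5800: "VNC over HTTP", 5900: "VNC"}

# Constructed firewall-style log (not from any real system); the layout "ISO timestamp, source IP, dport" is assumed.
SAMPLE_LOG = """\
2024-01-15T10:00:01 src=198.51.100.7 dport=22
2024-01-15T10:00:01 src=198.51.100.7 dport=23
2024-01-15T10:00:02 src=203.0.113.5 dport=443
2024-01-15T10:00:02 src=198.51.100.7 dport=80
2024-01-15T10:00:03 src=198.51.100.7 dport=445
2024-01-15T10:00:04 src=198.51.100.7 dport=3389
2024-01-15T09:50:00 src=192.0.2.9 dport=21
2024-01-15T09:55:00 src=192.0.2.9 dport=22
2024-01-15T10:00:00 src=192.0.2.9 dport=53
2024-01-15T10:05:00 src=192.0.2.9 dport=80
2024-01-15T10:10:00 src=192.0.2.9 dport=443
2024-01-15T10:15:00 src=203.0.113.5 dport=80
"""

def parse_line(line):
    """Return (timestamp, source IP, destination port) for one log line."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["src"], int(fields["dport"])

def detect_port_sweeps(log_text, min_ports=5, window=timedelta(seconds=60)):
    """Return {source: [(port, service), ...]} for every source that touched at
    least min_ports distinct ports inside any sliding window of length `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, port = parse_line(line)
            events[src].append((ts, port))
    alerts = {}
    for src, evs in events.items():
        evs.sort()  # chronological order so the window can slide forward
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events that fell out of the window
            ports = {port for _, port in evs[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[src] = [(p, SERVICES.get(p, "unknown")) for p in sorted(ports)]
    return alerts
```

Run `detect_port_sweeps(SAMPLE_LOG)` to see that only the fast probe from 198.51.100.7 is reported, while the five spread-out probes from 192.0.2.9 never share a window.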

PINGS and PING sweeps
