Penetration Testing
“Penetration testing can be defined as a security-oriented probing of a system, network or application to seek out vulnerabilities that an attacker could exploit.” The purpose of this testing is to identify loopholes and methods of gaining access to a system, network or application by using the common tools and techniques that attackers use; it is a natural extension of auditing practice and serves to improve the security of an organization.
This process involves a thorough active and passive analysis of all the security-related features of the systems in question, followed by an attempt to break into the systems by breaching these security features.
Attackers are becoming more clever and their attacks more complex. To keep up with the latest attack methods, you need a strong desire to learn, the support of others, and the opportunity to practice and build experience. This course provides attendees with in-depth knowledge of the most prominent attack vectors and furnishes an environment to perform these attacks in numerous hands-on scenarios. The course goes beyond simple scanning to the abilities of an advanced attacker: finding significant flaws in a target environment and demonstrating the business risk associated with these flaws.
Areas where penetration testing is performed to identify, improve and validate:
1. Identify areas where the IT infrastructure puts the organization at risk
2. Identify ongoing malicious behavior (e.g. unauthorized internal and external access to systems and data)
3. Identify ongoing violations of information security policies (e.g. file swapping, inappropriate content, etc.)
4. Identify rogue WLAN, WAP and modem installations that put your organization at risk
5. Identify the risks associated with your extended network (remote sites, home-based VPN users, extranet partners)
6. Improve your compliance by providing ongoing validation of your systems’ information security posture in accordance with most audit frameworks
7. Validate compliance with key laws and regulations (intellectual property, data confidentiality, privacy, etc.)
There is a wide variety of tools used in penetration testing. These tools are of two main types: reconnaissance or vulnerability testing tools, and exploitation tools. While penetration testing is more directly tied to the exploitation tools, the initial scanning and reconnaissance is often done using less intrusive tools. Then, once the targets have been identified, the exploitation attempts can begin.
ABOUT METASPLOIT
Metasploit is an all-inclusive exploitation and vulnerability validation tool that helps you divide the penetration testing workflow into smaller and more manageable tasks. With Metasploit, you can leverage the power of the Metasploit Framework and its exploit database through a web-based user interface to perform security assessments and vulnerability validation.
Metasploit enables you to automate the process of discovery and exploitation and provides you with the necessary tools to perform the manual testing phase of a penetration test. You can use Metasploit to scan for open ports and services, exploit vulnerabilities, pivot further into a network, collect evidence, and create a report of the test results.
Metasploit is a multi-user, collaborative tool that lets you share tasks and information with the members of a penetration testing team. With team collaboration capabilities, you can divide a penetration test into multiple parts, assign members a specific network segment to test, and let members leverage any specialized knowledge that they may have. Team members can share host data, view collected evidence, and create host notes to share knowledge about a particular target.
Ultimately, Metasploit helps you identify the weakest point of a target to exploit and prove that a vulnerability or security issue exists.
ABOUT KALI LINUX
Kali Linux is a GPL-compliant Linux distribution built by penetration testers for penetration testers, with a development staff consisting of individuals spanning different languages, regions, industries, and nationalities. The evolution of Kali took place over many years of development, penetration tests, and unprecedented help from the security community. Kali Linux originally started with earlier live Linux distributions called BackTrack, Whoppix, WHAX, and Auditor.
When it was initially developed, Kali was designed to be an all-in-one live CD to be used on security audits and was specifically crafted to not leave any remnants of itself on the system. With millions of downloads, it has become the most widely adopted penetration testing framework in existence and is used by the security community all over the world.
LEGAL ASPECT IN PT
As you might imagine, the role of a penetration tester is fraught with legal concerns. Primarily, though, what it boils down to is whether or not you have permission from the owner of the computer system or website you are probing and have obtained their consent (written consent is the norm in the business). It is also very important that you and your client have agreed the scope of your probe. Basically, everything you do for a company when performing your role as a penetration tester needs specific consent. A Statement of Intent is drawn up and signed by both parties before any work commences; it clearly outlines the scope of the job and what you may and may not do while performing vulnerability tests. It is important to know who owns the systems you are being requested to work on, and the infrastructure between the testing systems and their targets that may potentially be affected by testing.
It is very important to get permission in writing. This holds even for an internal penetration test performed by internal staff, because testing may affect system performance and raise confidentiality and integrity issues. Regulations change from country to country, so make yourself aware of the laws that affect you. You know what they say, better safe than sorry. One thing that is universal, however, is that your probing cannot affect any third parties.
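The scope agreed in the Statement of Intent is easiest to respect when it is enforced in code before any tool is pointed at a target. The following is an added example, not part of the course text: it parses a constructed Statement of Intent excerpt (hypothetical client, documentation address ranges) into allowed networks, excluded third-party systems, named hosts and a testing window, and refuses anything not explicitly authorized.

```python
import ipaddress
from datetime import datetime

# Constructed Statement-of-Intent excerpt for a hypothetical client.
# 'allow' lines are networks the client owns and has authorized, 'deny'
# lines carve out third-party or shared systems, 'host' names appear
# verbatim in the SoI, and 'window' bounds the agreed testing period.
SOI = """
allow 192.0.2.0/24
allow 198.51.100.0/25
deny 192.0.2.5/32
host www.example.test
window 2024-03-01T22:00 2024-03-02T06:00
"""

def parse_scope(text):
    """Turn the SoI text into allow/deny networks, named hosts and a time window."""
    scope = {"allow": [], "deny": [], "hosts": set(), "window": None}
    for line in text.strip().splitlines():
        kind, *args = line.split()
        if kind in ("allow", "deny"):
            # strict=True rejects a range whose host bits are set, i.e. a typo in the SoI
            scope[kind].append(ipaddress.ip_network(args[0], strict=True))
        elif kind == "host":
            scope["hosts"].add(args[0].lower())
        elif kind == "window":
            scope["window"] = tuple(datetime.fromisoformat(a) for a in args)
        else:
            raise ValueError(f"unknown scope directive: {line}")
    return scope

def check_target(scope, target, when):
    """Return (allowed, reason). A target is authorized only if it is named in
    the SoI or lies in an allowed network, is not in a deny carve-out, and the
    time falls inside the agreed window. Anything else is refused by default."""
    start, end = scope["window"]
    if not (start <= when <= end):
        return False, "outside authorized testing window"
    if target.lower() in scope["hosts"]:
        return True, "hostname named in Statement of Intent"
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return False, "hostname not named in Statement of Intent"
    if any(ip in net for net in scope["deny"]):
        return False, "explicitly excluded (third-party or shared system)"
    if any(ip in net for net in scope["allow"]):
        return True, "inside an authorized network"
    return False, "not covered by any authorized network"
```

Call check_target before every scan or exploitation attempt and log the reason string alongside the target; the log then doubles as evidence that the engagement stayed within its agreed scope.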
If the penetration testing work you are doing is via the internet, it is a good idea to notify the relevant ISPs, mainly your customer’s and your own. This can be important for legal, informational and technical reasons. Intervening infrastructure may also be adversely affected by the tools used in penetration tests, such as vulnerability assessment tools and port scanners.
Most companies will have no idea what a penetration tester needs to do to successfully complete the job, so it is important that the pen-tester outlines what they will need to do in order to get the requested result, which is usually a confirmation that the security is unbreakable or a list of measures the company should enact to further tighten their system. If you are planning to run your own small business, it is important that you hire an attorney to draw up a proper Statement of Intent so you can protect yourself to the fullest extent of the law. In doing so you will also better understand what you can or cannot do, as the attorney can clarify these matters for you.
There are federal laws that govern penetration testers in the USA, and some states have their own additions. It is said that the USA has some of the most complex cyber laws in the world. A quick summary of the US federal laws a penetration tester should be aware of is:
- Title 18 of the Criminal Code, Section 1029, prohibits fraud in relation to access devices (account numbers, passwords, credit cards, etc.).
- Section 1030 prohibits unauthorized computer access to government, financial and commerce systems.
- Section 1362 prohibits injury or destruction of communications equipment.
- Section 2510 prohibits unauthorized interception of traffic; there are also clauses that enable service providers to monitor, and procedures for law enforcement to gain access.
- Section 2701 prohibits access to stored information without the permission of the owner.
- The Cyber Security Enhancement Act (2002) covers attacks which recklessly cause or attempt to cause death and carries severe penalties, including life in prison!
So basically what it comes down to is making sure you have permission, in writing, with clearly defined parameters; letting everyone who needs to know know (ahead of time!); reporting everything you find; and not leaving holes open for yourself or someone else to exploit in the future. All in all, just be thorough.
IT SECURITY
The security of IT systems is threatened by attacks by hackers, crackers, script kiddies, etc. Penetration tests help determine whether the security measures in place are currently capable of ensuring IT security. To help understand the risks to IT security, this section gives a summary of the various threats, describing the most common intruder profiles and widespread techniques for attacking IT systems. This is followed by a brief account of typical IT security measures, some of which can be tested with penetration tests.
THREATS
In computer security, a threat is a possible danger that might exploit a vulnerability to breach security and thus cause harm. Intruders can have a range of motives for carrying out attacks on IT infrastructure. The major intruder groups and their motives are outlined below.
INTRUDERS PROFILES
In the media, the term “hacker” is used to refer to any person who intrudes into other IT systems without authorization. However, a finer distinction is often made between “hackers”, “crackers” and “script kiddies”. Whereas “hackers” are regarded as being experimentally-minded programmers who target security loopholes in IT systems for technical reasons, “crackers” are people with criminal energy who exploit weak points of IT systems to gain illegal advantages, social attention or respect.
“Script kiddies” are usually intruders lacking in-depth background knowledge and driven by curiosity who mainly direct attack tools downloaded from the internet against arbitrary or prominent targets.
Crackers possessing privileged knowledge about the organization they are attacking are termed “insiders”. Insiders are often frustrated (former) employees of an organization who use their knowledge of internal affairs to harm that organization. The danger posed by insiders is particularly great because they are familiar with the technical and organizational infrastructure and may already know about existing vulnerabilities.
IT SECURITY MEASURES
Measures to improve IT security are needed to combat the threats described above. However, one-hundred-percent security can never be attained. Organizational measures, such as an IT security organization and escalation rules, and technical measures, such as access controls, encryption and firewalls, are employed to establish a certain level of IT security.
In line with the company IT security policy, all such measures are described in an IT security concept that is valid for the entire organization.
If the organization being tested is unable to present a security concept or security policies, it is doubtful whether penetration testing is meaningful, especially when the IT landscape is complex. In such cases, IT security could probably be improved far more efficiently by first devising and implementing an appropriate security concept.