Professional Documents
Culture Documents
Penetration Testing and Vulnerability Assessment: Introduction, Phases, Tools and Methods
Penetration Testing and Vulnerability Assessment: Introduction, Phases, Tools and Methods
net/publication/333292138
CITATIONS READS
0 2,298
3 authors, including:
Some of the authors of this publication are also working on these related projects:
Direktna primena metoda nosećih vektora na učenje pravila odlučivanja u berzanskom trgovanju View project
Sinteza - International Scientific Conference on ICT and E-Business Related Research View project
All content following this page was uploaded by Saša Ž Adamović on 11 June 2019.
Abstract:
Kristina Božić,
Penetration testing is the practice of testing a computer system, network or
Nikola Penevski, web application to find security vulnerabilities by using a diverse variety of
Saša Adamović* tools and methods. This work is a brief overview of the phases, including
reconnaissance or information gathering, scanning, vulnerability analysis,
exploitation, and reporting, along with some of the basic tools and methods
Singidunum University,
of penetration testing. It’s fundamental, for every penetration tester, to be
Belgrade, Serbia
familiar with these concepts in order to successfully execute a full testing
process and forge good reports.
Keywords:
Penetration Testing, Vulnerabilities, Security Testing, Vulnerability
Assessment, Exploits.
1. INTRODUCTION
229
Sinteza 2019
DOI: 10.15308/Sinteza-2019-229-234
submit your manuscript | sinteza.singidunum.ac.rs
SINTEZA 2019
INTERNATIONAL SCIENTIFIC CONFERENCE ON INFORMATION TECHNOLOGY AND DATA RELATED RESEARCH
Experts have developed various tools and methods 4. Maintaining Access/Exploitation – after success-
with the aim to provide a better, more efficient and dy- fully compromising a system, tester’s goal is to
namic examination. This paper provides an overview by breach all types of securities and gain remote
going through phases, tools and methods used in pen- access to the system. If the rules of engagement
etration testing. permit this, a tester ensures that he will be able to
maintain access for further examination or pen-
2. BACKGROUND etration of the targeted system.
5. Covering Tracks/Report Generation – the attacker
Penetration Testing must not leave any trace of compromising the sys-
tem. This includes returning the system to a state
that it was in before the attack by clearing logs
Penetration Testing can be defined as “is an au- and resetting security parameters. In the case of
thorized simulated cyber attack on a computer system, report generation, a tester would write a full report
performed to evaluate the security of the system”.[1] of the Penetration test and give insight on how to
Process of penetration testing, or for short pen testing, increase the overall security of the system.[4]
is performed by trained security experts called ethical
hackers. The purpose of these tests is to find the security
vulnerabilities that the software may contain. Penetration Testing methods and benefits
The Nation Institute of Standards and Technology
(NIST) defines penetration testing as: “a specialized type Methods used in penetration testing are:
of assessment conducted on information systems or in- 1. External testing which targets the assets of a com-
dividual system components to identify vulnerabilities pany that are available on the internet
that could be exploited by adversaries”.[2]
2. Internal testing allows a tester to access an ap-
Some of the best Penetration Testing Companies in plication behind the firewall to simulate an attack
recent years are Security Assessment, Security Audit by a malicious insider
Systems and Hacklabs.[3]
3. Blind testing where a tester only knows the name
of the target
Phases of Penetration Testing 4. Double Blind testing means that the security per-
sonnel of a targeted company has no knowledge
The process of penetration testing is consisted of five about the arranged simulated attack
phases: 5. Targeted testing where both the tester and secu-
1. Reconnaissance – in the first step, a tester must rity personnel of the targeted company work to-
gather basic information of a targeted system, such gether to provide a security team with real-time
as the correct domain of web server, are there any feedback from a hacker’s perspective.
sub-domains connected to this domain, is there
Benefits of Penetration Testing are:
any firewall, relevant IP addresses and so on. The
information gathered here is used later on in the 1. Discovery of publicly available information that
testing, which makes this step very important. has vulnerabilities which can harm the system
2. Scanning – in this step the use of technical tools 2. Managing the unnecessary ports and services
is needed to further the attacker’s knowledge of open to external access despite the fact that they
the system. By doing that we can gain informa- are not being used
tion about what type of services are running on 3. Identifying poorly configured systems that allow
the server and what is the version of the given easy exploitation by a malicious attacker, or poor
server. Additional information can be identifica- patch management processes.
tion of the port that this service is running, and 4. Finding weak passwords on the system
which Operating System is used on the system.
5. Inadequate or a complete lack of antivirus software
3. Gaining Access/Discover Vulnerability – in this
6. Penetration Testing gives company clear recom-
step a tester must use the information gathered
mendations on how to improve their security and
from the previous two phases in order to success-
maintain their system.
fully penetrate the targeted system.
230
Sinteza 2019 Information Security and Digital Forensics &
submit your manuscript | sinteza.singidunum.ac.rs E-Commerce Systems
SINTEZA 2019
INTERNATIONAL SCIENTIFIC CONFERENCE ON INFORMATION TECHNOLOGY AND DATA RELATED RESEARCH
Shodan
The use of Shodan search engine will most likely in- 4. The Repeater tool allows to manually edit and
crease even more for security research around the In- reissue individual requests
ternet of things. 5. It captures detailed attack results, with all rel-
evant information about each request and re-
Burp Suite sponse presented in table form. Information
obtained with Burp Suite are most likely to be
Burp Suite is a platform for performing security test- the payload values, HTTP status code, response
ing of web applications. It’s a tool that supports the en- timers or cookies.[7]
tire testing process, from initial mapping and analysis of
an application’s attack surface, through to finding and Metasploit
exploiting security vulnerabilities.[6]
Some of the essential manual tools that are provided Metasploit is a platform which includes Metasploit
by Burp Suite are listed down below: Framework and some of the commercial counterparts,
1. It allows a manual tester to intercept all requests and it allows finding, exploiting and validating vulner-
and responses between the browser and the target abilities.
application, even with HTTPS in use. Metasploit Framework is an open source project
2. It allows the following commands: view, edit or which provides the infrastructure, content and tools
drop individual messages in order to manipulate for performing penetration tests. Anti-forensics andad-
components of the application. vanced evasion tools are also offered, and some of them
3. The fine-grained interception rules can be config- are built into the Metasploit Framework.
ured in order to control precisely which messages A module, which is a core component of the Metas-
are going to be intercepted ploit Framework, is a piece of software that can perform
232
Sinteza 2019 Information Security and Digital Forensics &
submit your manuscript | sinteza.singidunum.ac.rs E-Commerce Systems
SINTEZA 2019
INTERNATIONAL SCIENTIFIC CONFERENCE ON INFORMATION TECHNOLOGY AND DATA RELATED RESEARCH
a specific action, for example scanning or exploiting. adding or creating plugin. Wireshark is capable of cap-
Every task done in Metasploit Framework is defined turing compressed files and decompressing them on
within a module. The following module types are the the fly further making it easier to analyse the data. It’s
ones that are available on Metasploit Framework and also capable of capturing and playing VoIP in real time.
contain a brief explanation of each: Data can be collected from many protocols supported by
1. Exploit - an exploit module executes a sequence Wireshark some of which include IPsec, ISAKMP, SSL/
of commands which then target a specific vulner- TLS, WEP, and WPA/WPA2. For an easier management
ability found in a system or application. of data and a more intuitive analysis Wireshark offers
filters and coloring rules can be applied to different types
2. Auxiliary - auxiliary modules include scanners,
of packets. Traffic recorded through Wireshark can be
fuzzers, and denial of service attacks.
replayed to offer a repeatable controlled environment.
3. Post-Exploitation - a post-exploitation module
allows additional information gathering, but it
can be used to gain further access to an exploited 4. CONCLUSION
target system.
4. Payload – an executable code that runs after an Penetration testing is a very effective method used to
exploit successfully compromised a system and analyze security of a system. In testing, a variety of tools
performs malicious actions written by the at- can be used to test different parts of a system and write
tacker. a full report on one system’s weaknesses. Some of the
tools which are mostly used by pen testers are listed in
5. NOP generator - NOP generator produces a se-
this work, along with their basic usage and explanation.
ries of random bytes that you can use to bypass
The most important thing for making a successful pene-
standard IDS and IPS NOP sled signatures. [8]
tration test consists of following all the phases discussed
above and keeping a clean record of all the information
Wireshark that were gathered during the process. The testers can
choose from black box, white box and gray box types of
Wireshark is a network packet analysis tool (also testing, which depends on the amount of information
known as a network sniffer) which allows packets to be available to testers. They can also choose which method
captured in real time while displaying them in a human to use, like from the internal or external testing among
readable format. Wireshark is a passive tool that only re- others, depending on the specific objectives that need
cords network traffic without sending it. This means that to be achieved.
if used on the network Wireshark cannot be detected by This paper describes and encloses all the basic
other parties. This tool is open source and is compatible knowledge needed for the beginning of penetration test-
with both UNIX and Windows and many other operat- ing process, phases that the tester goes through with the
ing systems. It uses a graphical user interface which sets goal of creating a detailed report that helps companies
it apart from different packet analyzers such as tcpdump fix vulnerabilities, increase security and ensure safety of
which with Wireshark shares many characteristics. one company’s data.
The information captured with Wireshark can be
viewed through a GUI or the TTY mode TShark Utility. REFERENCES
Wireshark is mostly used for troubleshooting network
problems, for examining security problems, verifying [1] K. M. Henry, Penetration Testing: Protecting Net-
network applications and debugging protocol imple- works and Systems. IT Governance, ITGP, 978-1-
mentations. 849-28371-7, 2012
Wireshark allows for recording of network activ- [2] Security and Privacy Controls for Federal Informa-
ity in different formats such as XML, PostScript, CSV tion Systems and Organizations, NIST Special Pub-
or plain text so that the traffic can be analysed after- lication 800-53 (Rev. 4), 2013
wards. It can record traffic directly from the internet [3] Moseley (Raam), “Web Application Penetration
via the network adapter, PPP/HDLC, ATM, Bluetooth, Testing Checklist”, 2019. [Online]. Available: htt-
ps://cybersguards.com/web-application-penetra-
USB (natively supported on UNIX), Token Ring, etc.
tion-testing-checklist-updated-2019/
New protocols can be scrutinized within Wireshark by
233
Sinteza 2019 Information Security and Digital Forensics &
submit your manuscript | sinteza.singidunum.ac.rs E-Commerce Systems
SINTEZA 2019
INTERNATIONAL SCIENTIFIC CONFERENCE ON INFORMATION TECHNOLOGY AND DATA RELATED RESEARCH
[4] R. Corey, ” Summarizing The Five Phases of Pen- [6] D. Stuttard, “Burp Suite Package Description”,2017.
etration Testing”, 2015. [Online]. Available: https:// [Online]. Available: https://tools.kali.org/web-ap-
www.cybrary.it/2015/05/summarizing-the-five- plications/burpsuite
phases-of-penetration-testing/ [7] D. Stuttard, “Burp Suite”, 2019. [Online]. Available:
[5] M. Rouse, L. Rosencrance, “Vulnerability Assess- https://portswigger.net/burp/
ment (Vulnerability Analysis), 2018. [Online]. [8] Rapid7, Metasploit Pro User Guide, retrieved from
Available: https://searchsecurity.techtarget.com/ https://www.e-spincorp.com/pdf/product/Rapid7/
definition/vulnerability-assessment-vulnerability- Metasploit-Pro-user-guide.pdf
analysis
234
Sinteza 2019 Information Security and Digital Forensics &
submit your manuscript | sinteza.singidunum.ac.rs E-Commerce Systems