Introduction to penetration testing
1. Penetration Testing
These slides are for those who want to enter and learn about the world of
penetration testing.
Nezar Alazzabi
2019-09-25
2. What is Penetration Testing?
Penetration testing, also called pen testing or ethical hacking, is the practice of testing a
computer system, network or web application to find security vulnerabilities that an attacker
could exploit. Penetration testing can be automated with software applications or performed
manually. Either way, the process of pen testing involves gathering information about the target
before the test, identifying possible entry points, attempting to break in and reporting back the
findings.
The main objective of penetration testing is to identify security weaknesses. Penetration
testing can also be used to test an organization's security policy, its adherence to
compliance requirements, its employees' security awareness and the organization's ability to
identify and respond to security incidents.
3. Types of Penetration Testing
BLACKBOX TESTING
In a black-box testing assignment, the penetration tester is placed in the role of the average
hacker, with no internal knowledge of the target system. Testers are not provided with any
architecture diagrams or source code that is not publicly available. A black-box penetration test
determines the vulnerabilities in a system that are exploitable from outside the network. This
means that black-box penetration testing relies on dynamic analysis of currently running programs
and systems within the target network. A black-box penetration tester must be familiar with
automated scanning tools and methodologies for manual penetration testing. Black-box penetration
testers also need to be capable of creating their own map of the target network based on their
observations, since no such diagram is provided to them.
WHITEBOX TESTING
White-box testing goes by several different names, including clear-box, open-box, auxiliary and
logic-driven testing. It falls on the opposite end of the spectrum from black-box testing:
penetration testers are given full access to source code, architecture documentation and so forth.
The main challenge with white-box testing is sifting through the massive amount of data available
to identify potential points of weakness, making it the most time-consuming type of penetration
testing.
4. Penetration Testing Steps
Reconnaissance – the process of collecting information about the target before deploying any real attacks.
Enumeration – the process of identifying the likely entry points into the target system.
Vulnerability Analysis – the process that defines, locates and classifies the security weaknesses in a computer, network or application.
Exploitation – the process by which pen testers compromise a system and expose it to further attacks.
Reporting – the process of documenting all the steps that led to a successful attack during the test.
6. What do you need to start a pentest journey?
At the beginning you should start by reading about the subject, using articles, books, guides and videos,
not just on pentesting but on general cybersecurity issues across the board.
In summary, you will be expected to understand:
● Cybersecurity: Techniques, tricks, vectors, threat profiles and the anatomy of cyberattacks.
● Hardware and networks
● Operating systems, databases
● Applications, including web apps and APIs
● Data analysis: At least in terms of analyzing security issues and presenting solutions
● Programming languages including Python, Ruby, PHP and JS.
● Scripting languages including shell scripting, PowerShell and batch files.
7. Penetration Test Terms
● CVE: The Common Vulnerabilities and Exposures (CVE) program has been cataloging software and
firmware vulnerabilities for 18 years.
● A vulnerability is a weak point or a bug in a piece of software, hardware or an operating system that
leaves a system open to attacks and unauthorized access. The weakness could be as simple as a weak
password or as complex as SQL injection or a buffer overflow (BOF).
● An exploit is code that takes advantage of a software vulnerability or security flaw. It is written
either by security researchers as a proof-of-concept (PoC) or by malicious actors and attackers
for use in their operations. Exploits allow an intruder to remotely access a network and gain
elevated privileges, or move deeper into the network or computer systems.
● A payload is a piece of code that is executed through an exploit. Have a look at the Metasploit
Framework: it is simply a collection of exploits and payloads. Each exploit can be paired with
various payloads such as reverse or bind shells, the Meterpreter shell, etc. In short, the payload
is what you do to the target after it is exploited.
8. Most Common Types of Cyber Attacks
● Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks.
● Social Engineering.
● Man-in-the-middle (MITM) attack.
● Phishing and spear phishing attacks.
● Drive-by Attack.
● SQL Injection Attack.
● Cross-Site Scripting (XSS) Attack.
● Eavesdropping Attack.
● Malware Attacks.
9. Common Web Vulnerabilities
● SQL INJECTION: SQL injection is a security vulnerability that allows an attacker to alter backend SQL statements by
manipulating user-supplied data. Injection occurs when user input is sent to an interpreter as part of a command or
query and tricks the interpreter into executing unintended commands, giving access to unauthorized data. The injected
SQL command, when executed by the web application, can also expose the back-end database.
● Cross-Site Scripting (XSS): XSS vulnerabilities target scripts embedded in a page that are executed on the client
side, i.e. in the user's browser, rather than on the server side. These flaws occur when the application takes untrusted
data and sends it to the web browser without proper validation; attackers can use XSS to execute malicious scripts in
the victim's browser. Since the browser cannot know whether the script is trustworthy, the script is executed, and the
attacker can hijack session cookies, deface websites, or redirect the user to unwanted and malicious websites.
● Insecure Direct Object Reference (IDOR): occurs when a developer exposes a reference to an internal implementation
object, such as a file, directory or database key, in a URL or as a form parameter. An attacker can use this
reference to access other objects and to stage further attacks that reach unauthorized data.
● Cross-Site Request Forgery (CSRF): a CSRF attack occurs when a malicious website, email or program causes a user's
browser to perform an unwanted action on a trusted site to which the user is currently authenticated. A CSRF attack
forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other
automatically included authentication information, to a vulnerable web application.
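The SQL injection bullet above in working code, as an added example that is not part of the original deck: a lookup that splices user input into the query text beside the parameterized version, both run against a constructed in-memory SQLite table so the difference in returned rows is visible. The table, user names and the hostile input are all made up for this example.

```python
import sqlite3

def build_db():
    # Constructed sample data standing in for a web application's back-end
    # database (an in-memory SQLite table, not from the original slides).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn

def lookup_vulnerable(conn, username):
    # The untrusted value is spliced straight into the SQL text, so the
    # interpreter cannot tell data from command: the flaw the slide describes.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, username):
    # The value is bound as a parameter; the driver treats it purely as data,
    # whatever quote characters it contains.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def demo():
    """Run both lookups on a benign and on a constructed hostile input and
    return the rows each one yields."""
    conn = build_db()
    benign = "bob"
    # Constructed input: closes the string literal and appends an always-true clause.
    hostile = "' OR '1'='1"
    return {
        "benign_vulnerable": lookup_vulnerable(conn, benign),
        "benign_param": lookup_parameterized(conn, benign),
        "hostile_vulnerable": sorted(lookup_vulnerable(conn, hostile)),
        "hostile_param": lookup_parameterized(conn, hostile),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the hostile input the spliced query returns every user, while the parameterized query returns nothing because the quote characters never reach the SQL parser as syntax.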
10. Common Network Attacks
CDP Manipulation: CDP packets are enabled by default on Cisco switches and transmitted in clear text, which allows an
attacker to analyze the packets and gain information about the network device; the attacker can then search for a known
vulnerability and use it against this device.
Telnet Enabled VTY: Telnet also transmits packets in clear text, which can reveal the session contents to an attacker who
is sniffing the network; SSH v1 is likewise vulnerable and considered compromised.
MAC Flooding: the attacker floods the switch's MAC address table with more MAC addresses than the switch can store or
handle, which makes the switch operate like a hub, giving the attacker the opportunity to sniff all traffic on the segment.
DHCP Spoofing: the attacker listens for DHCP requests and answers them, handing out its own IP address as the default
gateway for the clients; the attacker thereby becomes a man-in-the-middle (MITM).
ARP Spoofing: similar to DHCP spoofing, but carried out with ARP messages.
VLAN Hopping: when a station is able to access a VLAN other than its own. This can be done through one of the following:
A- Switch spoofing.
B- 802.1q double tagging.
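An added example, not part of the original deck, showing how a defender would spot the ARP spoofing described above: a small detector run over constructed tcpdump-style ARP reply lines that flags an IP whose MAC changes mid-capture and a MAC that answers for several IPs. The sample lines, addresses and the gateway IP are all made up for this example.

```python
import re
from collections import defaultdict

# Constructed sample observations in the style of tcpdump's ARP output; made up
# for this example, not captured from a real network. 192.168.1.1 is the gateway.
SAMPLE_ARP_LINES = """\
10:01:02.1 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
10:01:02.2 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:20, length 28
10:01:03.0 ARP, Reply 192.168.1.21 is-at 00:11:22:33:44:21, length 28
10:01:09.5 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:21, length 28
10:01:09.6 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:21, length 28
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-fA-F:]{17})")

def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for each ARP reply line; other lines are skipped."""
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()

def detect_arp_spoofing(text, gateway_ip):
    """Return alert strings for two ARP spoofing indicators:
    1. an IP whose MAC changes mid-capture (the gateway is the usual target);
    2. one MAC answering for several IPs, as a MITM host does when it
       impersonates both the gateway and a victim."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in parse_arp_replies(text):
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append(f"{severity} {ts}: {ip} moved from {prev} to {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                ips = ",".join(sorted(mac_to_ips[mac]))
                alerts.append(f"MEDIUM {ts}: {mac} claims multiple IPs ({ips})")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_LINES, "192.168.1.1"):
        print(alert)
```

On the constructed capture the gateway's MAC changes at 10:01:09.5 and the same MAC then answers for the gateway and two clients, which is the pattern a MITM host produces; on a real network, legitimate gateway failover can also change the MAC, so the HIGH alert is a prompt to verify rather than proof.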
11. Common Pentest Tools
● Nmap: not necessarily a pen-testing tool, but a must-have tool for ethical hackers, sysadmins and network admins.
It is a very popular tool that predominantly aids in understanding the characteristics of any target network; these
characteristics include hosts, services, OS, packet filters/firewalls, etc. It works in most environments and is open
source.
● Nessus: a scanner worth keeping an eye on, and one of the most robust vulnerability identification tools
available. It specializes in compliance checks, sensitive data searches, IP scans, website scanning, etc., and aids in
finding the 'weak spots'.
● Acunetix: a fully automated web vulnerability scanner that detects and reports on over 4500 web application
vulnerabilities, including all variants of SQL injection and XSS.
● Metasploit: the most advanced and popular framework that can be used for pen-testing. It is based on the
concept of an 'exploit', code that can bypass the security measures and enter a certain system. Once in, it
runs a 'payload', code that performs operations on the target machine, thus creating a perfect framework for
penetration testing.
● Wireshark: basically a network protocol analyzer, popular for providing the minutest details about your
network protocols, packet information, decryption, etc. It can be used on Windows, Linux, OS X, Solaris, FreeBSD,
NetBSD and many other systems.
● Burp Suite: Burp Suite is also essentially a scanner (with a limited 'Intruder' tool for attacks), although many security
testing specialists swear that pen-testing without this tool is unimaginable. The tool is not free, but very cost effective.
12. Pentest roles and responsibilities
● Network and application tests to check for general security vulnerabilities across a network; the
pentester will be involved in designing these tests or keeping existing ones up to date. You will be
expected to know how to implement and apply pentesting tools.
● Physical security tests, such as checking the disaster hardening of servers against non-cyber threats
(vandalism, climate impacts and so on).
● Security audits: this is a fundamental and ongoing aspect of the penetration tester's role. You will be
expected to assess the security of a given process, protocol or system. You will also need to write up
reports of audits.
● General security report writing and the use of metrics from tests to help develop security strategies
● Involvement in security team and security policy review: You will need to be able to communicate with
your wider team and help with security policy review
13. Penetration Testing Certificates
Here is a list of the most common certificates in penetration testing:
● EC-Council Licensed Penetration Tester (LPT) Master.
● EC-Council Certified Ethical Hacker (CEH).
● IACRB Certified Penetration Tester (CPT).
● Certified Expert Penetration Tester (CEPT).
● Offensive Security Certified Professional (OSCP).
● Certified Penetration Testing Engineer (CPTE).
● Certified Penetration Testing Consultant (CPTC).
● GIAC Exploit Researcher and Advanced Penetration Tester (GXPN).
● Certified Powershell Hacker (CPSH).
● GIAC Web Application Penetration Tester (GWAPT).
● GIAC Penetration Tester (GPEN).
● Certified Information Systems Security Professional (CISSP).
● GIAC Certified Forensic Analyst.
● Certified Reverse Engineering Analyst.