
Understanding Penetration Testing: A Generic Framework

This post outlines a generic penetration-testing framework for ethical hackers. Let’s discuss what it’s all about…

Penetration testing is the process of evaluating your own network by identifying its vulnerabilities and then actually exploiting them to get in. The exercise simulates the methods a real attacker would use to penetrate the network, so every attempt should be made to reach every resource through every entry point. Because it involves live exploitation, it is done only with written authorization and an agreed scope; a vulnerability assessment that stops short of exploitation is a different, less intrusive exercise.

There are two broad ways in which pen testers work:

  1. Following their own instincts and experience.
  2. Following a formal methodology. Pen-testing is generally regarded as more of an art than a step-by-step process, so much effort has gone into these frameworks to make sure they structure the work without hindering the creative process.

There are three major approaches to penetration testing:

  1. Black Box: the tester has no prior knowledge of the infrastructure to be tested.
  2. White Box: the tester has complete knowledge of the infrastructure to be tested (network diagrams, configurations, source code).
  3. Gray Box: the tester has partial knowledge, typically the access and information an ordinary employee would have. This is the usual setup for internal testing, which assesses what an insider could reach on the network.

The three most widely followed pen-testing frameworks are:

  1. OSSTMM (Open Source Security Testing Methodology Manual).
  2. NIST SP 800-42, Guideline on Network Security Testing, from the National Institute of Standards and Technology (since superseded by NIST SP 800-115).
  3. ISSAF (Information Systems Security Assessment Framework).

Any basic pen-test framework contains the following steps:

  1. Pre-Inspection Visit
  2. Network Footprinting/Reconnaissance
  3. Scanning
  4. User Enumeration
  5. Password cracking
  6. Vulnerability assessment
  7. Risk Assessment
  8. Final Report

The various phases of penetration testing are:

  • Reconnaissance: Reconnaissance is the first phase, in which the attacker/tester gathers as much information as possible about the target’s infrastructure before launching any attack, working from outside the network or, for an internal test, from inside it. In a broader view reconnaissance can be divided into four stages:
    • Intelligence gathering: learn about the target’s business and its organizational structure; the result is a list of DNS domain names covering the entire target organization (web search, WHOIS, Netcraft).
    • Footprinting: determine the organization’s IP address ranges by extracting DNS host names and their associated IP addresses (DNS, WHOIS, SMTP mail headers, Wikto).
    • Verification: confirm that the addresses obtained in the previous stage really belong to the target, and look for further DNS domains that the earlier stages missed (reverse DNS lookups, WHOIS queries on the IP ranges).
    • Vitality: determine which of the addresses found are actually reachable. ICMP is often filtered, so a TCP probe to a common port is more reliable than ping alone.
  • Scanning: This is one of the three major components of intelligence gathering. It finds information about a specific IP address: the operating system it runs and the services it exposes. The different types of scanning are:
    • Port scanning: find the service associated with each open port (Nmap).
    • Network scanning: find all reachable hosts on the network (Angry IP Scanner, Global Network Inventory Scanner).
    • Vulnerability scanning: identify known vulnerabilities on the systems in a network (Nikto, Nessus, Retina).
  • Enumeration: Enumeration is the process of extracting user names, machine names and shares from the hosts found. User names can be enumerated through Windows 2000 style enumeration, SNMP, harvested e-mail addresses, or by brute-forcing Active Directory. Banner grabbing is one of the most used enumeration techniques. Null sessions, established over ports 139 and 445, yield lists of users and machines from older Windows systems; from Windows Server 2003 onwards anonymous enumeration is restricted by default, so null sessions generally no longer work there. Tools such as DumpSec, net view, nbtstat and SuperScan 4 enumerate users and shares on Windows networks. On UNIX systems a different set of tools applies: showmount lists the NFS exports of a machine, finger shows a user’s home directory, login time and location, rpcinfo enumerates the services registered with the RPC portmapper, and snmpwalk enumerates the data exposed by SNMP agents.
  • Password Cracking: Password cracking is the oldest form of attack on computer systems, and password guessing was one of the first of its kind. If a valid user name is known, the password can be guessed or brute-forced. Dictionary attacks are also quite useful in pen-testing, but they make little progress against long, complex passwords, which can take years to crack. An easier route is often to sniff network traffic and extract credentials, or password hashes, directly from it. Stored password hashes can be cracked offline if the hashing algorithm is known: compute the hash of every candidate combination of letters, digits and special characters and compare each with the target hash. Unsalted hashes let one precomputed table crack every user at once, which is exactly what rainbow tables exploit. On the user’s side the mitigation is a long password unrelated to the user that mixes letters, digits and special characters; on the system’s side it is salting each hash and using a slow, iterated hash function so that every guess is expensive. Password-cracking tools such as John the Ripper, Ophcrack and L0phtCrack are widely available.
  • Vulnerability Assessment: Passwords can be cracked or socially engineered, but that rarely yields root or Administrator access directly, because modern operating systems restrict what ordinary accounts can do. To run privileged services or do any real damage the attacker needs those privileges, which are usually obtained by exploiting vulnerabilities in the OS or in the applications running on it; this is known as privilege escalation. Memory-corruption bugs such as stack and heap buffer overflows in privileged programs are the classic route, so the vulnerability assessment maps the known weaknesses that make such escalation possible.
  • Risk Assessment: There are several methods of assessing risk, ranging from complex mathematical formulas to a simple conversation with the system owner. It involves costing downtime and virtually any other risk factor for each finding. The pen-test team must also plan for the risks the test itself introduces (outages, locked-out accounts, crashed services) and have contingency plans ready, so that time and resources are used effectively.
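The reconnaissance and scanning phases above (footprinting, verification, vitality, then a TCP connect port scan with banner grabbing) as one runnable Python pipeline. This is an added example, not code from the original post. The resolver callables are injectable so that the demo runs offline against constructed DNS answers (the target.example names are made up) and a constructed local listener that plays the part of an SSH service; the defaults use the real system resolver, so the same functions work against a live, authorized target.

```python
import socket
import threading
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    addrs: list = field(default_factory=list)
    verified: bool = False      # a PTR record agrees with the forward lookup
    alive: bool = False         # some probe port accepted a TCP connection
    open_ports: dict = field(default_factory=dict)   # port -> banner

def footprint(names, forward=socket.gethostbyname_ex):
    """Footprinting: resolve each DNS name to its addresses (unresolvable -> empty list)."""
    hosts = []
    for name in names:
        try:
            addrs = forward(name)[2]
        except socket.gaierror:
            addrs = []
        hosts.append(Host(name, list(addrs)))
    return hosts

def verify(hosts, reverse=socket.gethostbyaddr):
    """Verification: a PTR matching the forward name confirms the host; other names are new leads."""
    extra = set()
    for h in hosts:
        for addr in h.addrs:
            try:
                ptr, aliases, _ = reverse(addr)
            except (socket.herror, socket.gaierror):
                continue
            names = {ptr, *aliases}
            h.verified = h.verified or h.name in names
            extra.update(n for n in names if n != h.name)
    return extra

def _grab(addr, port, timeout):
    """TCP connect probe: None if closed/filtered, else whatever the service sends first."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((addr, port))
        try:
            return s.recv(256).decode("ascii", "replace").strip()
        except OSError:
            return ""               # open but silent (e.g. HTTP waits for the client)
    except OSError:
        return None
    finally:
        s.close()

def vitality(hosts, ports=(80, 443, 22), timeout=1.0):
    """Vitality: ICMP is often filtered, so a host counts as alive if any probe port answers."""
    for h in hosts:
        h.alive = any(_grab(a, p, timeout) is not None for a in h.addrs for p in ports)

def port_scan(addr, ports, timeout=1.0):
    """TCP connect scan with banner grabbing; returns {open_port: banner}."""
    found = {}
    for p in ports:
        banner = _grab(addr, p, timeout)
        if banner is not None:
            found[p] = banner
    return found

def _demo_listener(banner):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():                           # constructed stand-in service: send one banner
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.sendall(banner)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def demo():
    """Whole pipeline, offline: constructed DNS answers plus a local listener."""
    srv, open_port = _demo_listener(b"SSH-2.0-OpenSSH_demo\r\n")
    spare = socket.socket(); spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]; spare.close()   # freed, so it should refuse

    def fake_forward(name):                # constructed: only the www name resolves
        if name == "www.target.example":
            return (name, [], ["127.0.0.1"])
        raise socket.gaierror(name)

    def fake_reverse(addr):                # constructed: the PTR data reveals a second name
        return ("www.target.example", ["vpn.target.example"], [addr])

    hosts = footprint(["www.target.example", "nx.target.example"], forward=fake_forward)
    extra = verify(hosts, reverse=fake_reverse)
    vitality(hosts, ports=(open_port,))
    for h in hosts:
        if h.alive:
            h.open_ports = port_scan(h.addrs[0], [open_port, closed_port])
    srv.close()
    return hosts, extra
```

Run `demo()` to see the two constructed hosts: the www host resolves, is verified by its PTR record, is alive, and shows one open port with the grabbed SSH banner, while the nx host never resolves and is skipped; the set returned alongside holds `vpn.target.example`, the extra name the reverse lookup turned up. Against a real target, call the same functions without the fake resolvers and with the standard probe ports.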
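A worked example of the offline hash cracking described under Password Cracking, added here and not part of the original post. It contrasts unsalted MD5, where one precomputed table of mangled dictionary words cracks every user in the store at once, with salted, iterated PBKDF2, where each guess has to be recomputed for every user. The wordlist, user names and stored hashes are constructed for the demo; the mangling rules are a tiny stand-in for the rule sets of tools like John the Ripper.

```python
import hashlib
import hmac
import os

# Constructed wordlist; real engagements use rockyou.txt or a client-specific list.
WORDLIST = ["password", "letmein", "summer", "welcome", "qwerty"]

def mangle(word):
    """Rule-based variants of one word: case changes plus common suffixes."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "!", "2013"):
            yield base + suffix

def candidates(wordlist):
    for word in wordlist:
        yield from mangle(word)

def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_hex(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def build_table(wordlist):
    """Unsalted hashes: hash every candidate once, then any number of users fall to a lookup."""
    return {md5_hex(c): c for c in candidates(wordlist)}

def crack_unsalted(user_hashes, wordlist):
    table = build_table(wordlist)
    return {user: table.get(digest) for user, digest in user_hashes.items()}

def crack_salted(user_records, wordlist):
    """Salted, iterated hashes: no shared table; every candidate is re-hashed per user.
    Returns the recovered passwords and the number of hash computations spent."""
    results, work = {}, 0
    for user, (salt, iterations, digest) in user_records.items():
        results[user] = None
        for c in candidates(wordlist):
            work += 1
            if hmac.compare_digest(pbkdf2_hex(c, salt, iterations), digest):
                results[user] = c
                break
    return results, work

def demo():
    """Constructed credential store: a legacy unsalted MD5 table next to a salted PBKDF2 entry."""
    legacy = {
        "alice": md5_hex("Summer2013"),
        "bob": md5_hex("letmein!"),
        "carol": md5_hex("Tr0ub4dor&3"),   # not derivable from the wordlist, so it survives
    }
    salt, iterations = os.urandom(16), 20_000
    modern = {"dave": (salt, iterations, pbkdf2_hex("Welcome123", salt, iterations))}
    found_legacy = crack_unsalted(legacy, WORDLIST)
    found_modern, work = crack_salted(modern, WORDLIST)
    return found_legacy, found_modern, work
```

`demo()` recovers alice and bob from the single MD5 table, leaves carol uncracked because no mangling rule produces her password, and recovers dave only after 53 PBKDF2 computations at 20,000 iterations each. With a realistic wordlist and a per-user random salt that per-user cost, not the table lookup, is what the defender relies on; raising the iteration count raises it linearly for the attacker.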

The information in this post is compiled from various sources; following the steps above does not by itself guarantee a secure network 🙂
