Thursday 27 August 2015

Pentesting Methodology Tutorial

Hi Friends,

Today I want to share the penetration-testing methodology I use when practising with Kali Linux:


The Methodology

We can't begin an article about mapping Kali to a penetration testing methodology without first selecting the methodology. When it comes to penetration testing methodologies you can basically narrow the field down to three:
  1. Open Source Security Testing Methodology Manual (OSSTMM): A series of standard tests designed to deliver results as verified facts that provide actionable information for strengthening security operations.
  2. Penetration Testing Execution Standard (PTES): A standard for penetration test execution, along with technical guidelines.
  3. NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment: A guide for conducting technical security assessments. It contains guidance on the techniques and methods an assessor should use when performing an information security assessment.
While all three are good methodologies, we find that PTES and NIST SP 800-115 provide a bit more flexibility during our penetration tests. They also align more closely with what is taught in security curricula such as the SANS courses. For this article we will be using NIST SP 800-115. PTES and NIST are similar, so it should be easy to transition between the two. The folks over at PTES have also done a fairly decent job of mapping tools to their methodology.



Planning

The Planning Phase is where we begin, and where we hit our first little roadblock: Kali offers little here beyond documentation tools. This phase covers establishing the rules of engagement, objectives, task assignment, test management, and engagement tracking. Broken down further, it amounts to project management and penetration-test documentation.
Kali provides a few tools that can be used for planning and penetration-test documentation. Here is a quick rundown (an asterisk marks a tool that is not shipped with Kali and has to be installed separately):

Dradis: Open-source framework for sharing information during a penetration test.
KeepNote: Cross-platform note-taking application.
* Redmine: Open-source, web-based project-management tool.

Discovery

The next step, and one of the most important in the penetration testing methodology, is discovery. The interesting thing about discovery is that it is a continuous cycle during a penetration test: you typically re-enter the discovery phase from within the Attack phase to escalate privileges, or to pivot and attack other systems, until the objectives have been met.
The discovery phase consists of two parts. The first is information gathering and scanning. During this part of the engagement the team identifies as much information as possible about the company, its people, systems, services, and applications. The second is vulnerability analysis, where the testing team synthesises everything gathered in the first part to identify vulnerabilities and possible attack vectors. Both parts can and should be repeated as the penetration test progresses into the Attack phase.

Information Gathering and Scanning

Kali contains many tools that can be used for information gathering and open-source intelligence (OSINT) gathering. Here is a quick breakdown of the tools.

Maltego: An open-source intelligence and forensics application developed by Paterva. It provides a library of transforms for discovering data from open sources and visualises the results as a graph, suitable for link analysis and data mining.
theHarvester: Gathers e-mail addresses, sub-domains, hosts, employee names, open ports and banners from public sources such as search engines, PGP key servers and the SHODAN database.
Creepy: A geolocation OSINT tool that gathers location data about a target from online sources, helping social engineers with information gathering.
DMitry: Deepmagic Information Gathering Tool, a UNIX/GNU Linux command-line application written in C. Used to gather information such as sub-domains, e-mail addresses and whois records.
Jigsaw: E-mail enumeration tool that queries the Jigsaw business directory. Can also generate e-mail addresses from employee names using common naming formats.
Metagoofil: Extracts metadata from public documents (pdf, doc, xls, ppt, docx, pptx, xlsx) belonging to a target company.
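What theHarvester and Jigsaw do under the hood is mostly pattern extraction and scope filtering. The script below is an added illustration written for this article, not code from either tool: it pulls e-mail addresses and hostnames out of free text, keeps only those belonging to the target domain (rejecting look-alikes such as notexample.com), works out which e-mail naming convention the target uses from the addresses already found, and then predicts addresses for employees whose names you know but whose mailboxes you have not seen. The target domain example.com, the "search result" snippets and the employee names are all constructed for the example.

```python
"""Harvest in-scope e-mail addresses and hostnames for a target domain from
free-text sources (search-result snippets, PGP key-server pages, document
footers) and turn employee names into candidate addresses.

Added illustration of the kind of work theHarvester and Jigsaw do; not
their code. The domain example.com and SAMPLE_SNIPPETS are constructed."""

import re
from typing import Dict, Iterable, List, Optional

SAMPLE_SNIPPETS = [  # constructed "search results"
    "Contact: jane.doe@example.com or sales@EXAMPLE.com for quotes",
    "See https://vpn.example.com/login and mail.example.com (MX)",
    "Leaked: bob@notexample.com, admin@partner.org, ftp.example.com.",
    "PGP key 0xDEADBEEF <j.smith@dev.example.com>",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HOST_RE = re.compile(r"\b((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})\b")

# Local-part conventions commonly seen; Jigsaw-style tools try these in turn.
FORMATS = ["{first}.{last}", "{f}{last}", "{first}{l}", "{first}_{last}", "{first}"]


def in_scope(host: str, domain: str) -> bool:
    """True for the target domain itself and any sub-domain of it;
    rejects look-alikes such as notexample.com."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def harvest(snippets: Iterable[str], domain: str) -> Dict[str, List[str]]:
    """Return sorted, de-duplicated, in-scope e-mails and hostnames."""
    domain = domain.lower()
    emails, hosts = set(), set()
    for text in snippets:
        for addr in EMAIL_RE.findall(text):
            local, _, host = addr.lower().rpartition("@")
            if in_scope(host, domain):
                emails.add(f"{local}@{host}")
                hosts.add(host)
        for host in HOST_RE.findall(text):
            if in_scope(host, domain):
                hosts.add(host.lower())
    return {"emails": sorted(emails), "hosts": sorted(hosts)}


def candidate_emails(names: Iterable[str], domain: str, fmt: str) -> List[str]:
    """Apply one naming convention to 'First Last' names."""
    out = []
    for name in names:
        parts = name.lower().split()
        first, last = parts[0], parts[-1]
        local = fmt.format(first=first, last=last, f=first[0], l=last[0])
        out.append(f"{local}@{domain}")
    return out


def infer_format(emails: Iterable[str], names: Iterable[str],
                 domain: str) -> Optional[str]:
    """Pick the convention that explains the most harvested addresses at the
    target domain, or None if no known name matches any address."""
    seen = {e.split("@")[0] for e in emails if e.endswith("@" + domain)}
    names = list(names)
    best, best_hits = None, 0
    for fmt in FORMATS:
        hits = sum(c.split("@")[0] in seen
                   for c in candidate_emails(names, domain, fmt))
        if hits > best_hits:
            best, best_hits = fmt, hits
    return best


if __name__ == "__main__":
    found = harvest(SAMPLE_SNIPPETS, "example.com")
    fmt = infer_format(found["emails"], ["Jane Doe"], "example.com")
    print(found)
    print(fmt, candidate_emails(["John Smith"], "example.com", fmt))
```

The scope check is the part worth copying: a harvester that keeps every address containing the string "example.com" will happily pull in notexample.com and drag an out-of-scope organisation into your engagement. Note also that a sub-domain address such as j.smith@dev.example.com is collected but deliberately not used when inferring the convention for example.com itself, because naming rules often differ between a company's main domain and its engineering or regional ones.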


Kali has many tools we could use to meet various scanning requirements. Here is a quick table broken out by requirement type.

Network Discovery
  fierce.pl: DNS interrogation tool. Uses several techniques including DNS zone transfers, DNS brute-force, and DNS reverse lookups.
  dnsdict6: Dictionary brute-forcer for a domain's IPv6 (AAAA) DNS records, part of the THC-IPv6 toolkit.
  fping/fping6: Ping on steroids; sends ICMP echo requests to whole lists or ranges of hosts in parallel.
Network Port and Service Identification
  dnmap: Distributed nmap framework with client and server components; maps hosts, ports, and services across networks.
  nmap: Maps hosts, ports, and services across networks. Its scripting engine (NSE) can also identify vulnerabilities.
  hping3: Sends custom TCP/IP packets and displays the target's replies, as ping does with ICMP replies.
Wireless Discovery / Scanning
  Kismet: An 802.11 layer-2 wireless network detector, sniffer, and intrusion detection system.
  Wireshark: A network protocol analyser for Unix and Windows.
Web Application Discovery / Scanning
  Burp Suite: An integrated platform for performing security testing of web applications.
  WebScarab: A framework for analysing applications that communicate over HTTP and HTTPS.
  Nikto: An open-source (GPL) web server scanner which performs comprehensive tests against web servers.
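To make concrete what "map hosts, ports, and services" means at the packet level, here is an added example, written for this article and not taken from nmap, of the two steps nmap's -sT and -sV perform: a TCP connect to each port, followed by banner grabbing in which the scanner first listens for an unsolicited greeting (nmap's NULL probe, which catches SSH, FTP and SMTP) and only sends a protocol-specific probe (here just an HTTP HEAD request) if the service stays silent. So that it runs offline, the script starts two throw-away listeners on 127.0.0.1 that play the roles of an SSH server and a web server; their banners, and the hypothetical product names in them, are constructed.

```python
"""Minimal TCP connect scan with banner grabbing: the core of nmap -sT/-sV
for a single host. Added illustration, not nmap's code. The two local
listeners and their banners are constructed so the example runs offline."""

import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Optional, Tuple

TIMEOUT = 1.0  # seconds for connect and for each read
SSH_GREETING = b"SSH-2.0-OpenSSH_6.7p1 Debian-5\r\n"                 # constructed
HTTP_REPLY = b"HTTP/1.0 200 OK\r\nServer: ExampleHTTPd/1.2\r\n\r\n"  # constructed


def start_listener(greeting: Optional[bytes] = None,
                   reply: Optional[bytes] = None) -> int:
    """Listen on an ephemeral localhost port and return the port number.
    A client gets `greeting` immediately (SSH/FTP style) if set; otherwise
    the server stays silent until a request arrives and answers `reply`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                if greeting:
                    conn.sendall(greeting)
                elif reply and conn.recv(1024):
                    conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port() -> int:
    """Pick a port that is (almost certainly) closed right now."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def _read(sock: socket.socket) -> str:
    try:
        return sock.recv(1024).decode("latin-1").strip()
    except socket.timeout:
        return ""


def grab_banner(host: str, port: int) -> Tuple[bool, str]:
    """Return (is_open, banner). Passive read first (NULL probe), then an
    HTTP probe if the service said nothing."""
    try:
        s = socket.create_connection((host, port), timeout=TIMEOUT)
    except OSError:  # ECONNREFUSED, connect timeout, unreachable ...
        return False, ""
    with s:
        s.settimeout(TIMEOUT)
        banner = _read(s)
        if not banner:
            try:
                s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
                banner = _read(s)
            except OSError:
                pass
        return True, banner


def guess_service(banner: str) -> str:
    """Crude stand-in for nmap's service match lines."""
    if banner.startswith("SSH-"):
        return "ssh"
    if banner.startswith("HTTP/"):
        return "http"
    if banner.startswith("220 "):
        return "ftp-or-smtp"
    return "unknown" if banner else "no-banner"


def scan(host: str, ports: List[int]) -> Dict[int, dict]:
    """Connect-scan `ports` in parallel and classify what answers."""
    with ThreadPoolExecutor(max_workers=16) as pool:
        rows = list(pool.map(lambda p: (p, *grab_banner(host, p)), ports))
    return {p: {"open": o, "banner": b, "service": guess_service(b) if o else None}
            for p, o, b in rows}


def demo() -> Dict[str, dict]:
    """Bring up the two listeners and scan them together with a closed port."""
    ssh = start_listener(greeting=SSH_GREETING)
    http = start_listener(reply=HTTP_REPLY)
    closed = unused_port()
    results = scan("127.0.0.1", [ssh, http, closed])
    return {"ssh": results[ssh], "http": results[http], "closed": results[closed]}


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

Two things this makes visible that the tool tables do not: the silent HTTP port costs a full read timeout before the scanner even tries a probe, which is why -sV on many hosts is slow and why nmap orders its probes by protocol likelihood, and the "service" label is only as good as the banner, which a target can change or omit at will; treat it as a hint to confirm, not a fact.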

Vulnerability Analysis

During vulnerability analysis we review the information gathering and scanning data to identify possible attack vectors. Typically this involves checking service and OS version information against online vulnerability databases. We can also identify vulnerabilities with the automated tools Kali provides.
We have included a table of these tools below. Note that it also lists additional tools that are not part of Kali but can be installed (marked with an asterisk). Kali is Linux, and most things that install on a Linux platform will install on Kali; it is not unusual for us to install Nessus right after installing Kali on our primary penetration testing systems.
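The manual review described above, service and version from the scan compared against a vulnerability database, is easy to script once the scan output is in nmap's XML format (-oX). The following is an added example written for this article, not nmap's code and not a real database: it parses a constructed nmap -sV XML document into a service inventory, then checks each product and version against a small lookup table that stands in for NVD or vendor advisories. The advisory entries, their titles and the "fixed in" versions are constructed placeholders, not real advisories; in practice the table would be populated from a real database keyed by product name or CPE.

```python
"""Build a service inventory from nmap -sV XML and compare each product
version against a version-threshold lookup table.

Added illustration, not nmap's code. SAMPLE_NMAP_XML and ADVISORIES are
constructed for the example; ADVISORIES stands in for a real vulnerability
database (NVD, vendor advisories) and its entries are not real advisories."""

import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX - 192.0.2.10" version="6.49BETA4">
<host><status state="up"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open"/>
  <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/></port>
<port protocol="tcp" portid="22"><state state="open"/>
  <service name="ssh" product="OpenSSH" version="6.7p1" extrainfo="Debian 5" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open"/>
  <service name="http" product="Apache httpd" version="2.2.8" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="open"/>
  <service name="https" method="table" conf="3"/></port>
<port protocol="tcp" portid="3306"><state state="closed"/>
  <service name="mysql" method="table" conf="3"/></port>
</ports></host></nmaprun>
"""

# Constructed stand-in for a vulnerability database: versions of `product`
# below `fixed_in` are treated as affected. Titles are placeholders.
ADVISORIES = [
    {"product": "OpenSSH", "fixed_in": "7.0", "title": "constructed advisory A"},
    {"product": "Apache httpd", "fixed_in": "2.2.9", "title": "constructed advisory B"},
    {"product": "Apache httpd", "fixed_in": "2.2.0", "title": "constructed advisory C (long fixed)"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'6.7p1' -> (6, 7, 1); letters and separators are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def inventory(xml_text: str) -> List[Dict]:
    """One row per open port: host, port, protocol, service, product, version."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no service to review
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda key: None)
            rows.append({"host": addr, "port": int(port.get("portid")),
                         "proto": port.get("protocol"), "service": get("name"),
                         "product": get("product"), "version": get("version")})
    return rows


def analyse(rows: List[Dict], advisories=ADVISORIES) -> Tuple[List[Dict], List[Dict]]:
    """Return (findings, needs_manual_review). A port with no product or
    version cannot be looked up and must be checked by hand."""
    findings, review = [], []
    for row in rows:
        if not row["product"] or not row["version"]:
            review.append(row)
            continue
        ver = parse_version(row["version"])
        for adv in advisories:
            if adv["product"] == row["product"] and ver < parse_version(adv["fixed_in"]):
                findings.append({**row, "advisory": adv["title"], "fixed_in": adv["fixed_in"]})
    return findings, review


if __name__ == "__main__":
    found, manual = analyse(inventory(SAMPLE_NMAP_XML))
    for f in found:
        print(f"{f['host']}:{f['port']} {f['product']} {f['version']} -> {f['advisory']} (fixed in {f['fixed_in']})")
    for r in manual:
        print(f"{r['host']}:{r['port']} {r['service']}: no version, review manually")
```

Two caveats a practitioner should keep in mind when doing this for real. First, version-threshold matching produces false positives on distributions that backport fixes (the Debian-style "6.7p1" string stays the same while patches land), so every hit is a candidate to confirm, not a finding. Second, vsftpd produces no hit here only because the constructed table has no entry for it; absence from your lookup is never evidence of safety, which is why the https port with no version at all is routed to manual review rather than silently dropped.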
Vulnerability Scanning
  nmap -sC or --script: Switches that run Nmap Scripting Engine (NSE) scripts; -sC runs the default script set, --script selects scripts or categories by name (for example --script vuln).
  OpenVAS: Open-source vulnerability scanner, forked from Nessus when Nessus went closed-source.
  * Nessus: Commercial vulnerability scanner.
Database Vulnerability Scanning
  oscanner: An Oracle assessment framework developed in Java.
  tnscmd10g: Tool used to gather information from the Oracle TNS listener port.
Network Vulnerability Scanning
  cisco-global-exploiter: An advanced, simple and fast security testing tool/exploit engine, able to exploit 14 vulnerabilities in disparate Cisco devices.
  Yersinia: A network tool designed to take advantage of weaknesses in different layer-2 network protocols.
Web Vulnerability Scanning
  Arachni: A free/open-source web application security scanner framework.
  w3af: A web application attack and audit framework.
  OWASP ZAP: The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications.
Fuzzing Tools
  bed: BED (Bruteforce Exploit Detector) is a plain-text protocol fuzzer that checks software for common vulnerabilities such as buffer overflows, format string bugs and integer overflows.
  spike: API for fuzzer development, written in C.

That's it for today! I will share the next part of the methodology soon; stay tuned for updates.

