Hi Friends,
Today I want to share the penetration testing methodology I use, and how the tools shipped with Kali Linux map onto each of its phases.
The Methodology
We can't begin an article about mapping Kali to a penetration testing methodology without first selecting the methodology. When it comes to penetration testing methodologies, the field can be narrowed down to three:
- Open Source Security Testing Methodology Manual (OSSTMM): a series of standard tests designed to deliver results as verified facts that provide actionable information for strengthening security operations.
- Penetration Testing Execution Standard (PTES): a standard for penetration test execution, along with technical guidelines.
- NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment: a guide for conducting technical security assessments. It contains guidance on the techniques and methods an assessor should use when performing an information security assessment, organised into four phases: planning, discovery, attack and reporting.
While all three are good methodologies, we find that PTES and NIST SP 800-115 give us a bit more flexibility during our penetration tests. They also align more closely with what is taught in security course curricula such as SANS. For this article we will use NIST SP 800-115. PTES and NIST are similar, so it should be easy to transition between the two, and the folks at PTES have done a fairly decent job of mapping tools to their methodology. This part covers the first two phases, planning and discovery.
Planning
The Planning phase is where we begin, and where we hit our first small roadblock: Kali is a testing distribution, so it ships with only a handful of tools that help here. This phase is focused on tasks such as establishing the rules of engagement, objectives, task assignment, test management and engagement tracking. Broken down further, this amounts to project management and penetration test documentation.
Kali provides a few tools that can be used for planning and penetration test documentation. Here is a quick rundown of the tools with a brief description of each.
Tool/Capability | Description
Dradis | Open-source framework for sharing information (findings, notes, evidence) among the team during a penetration test.
KeepNote | Cross-platform note-taking application.
Redmine * | Open-source web-based project management tool.

* Not installed on Kali by default; it must be installed separately.
Discovery
The next step, and one of the most important in the penetration testing methodology, is Discovery. The interesting thing about Discovery is that it is a constant cycle during a penetration test: you typically re-enter the Discovery phase from within the Attack phase to perform privilege escalation, or to pivot and attack other systems, until the objectives have been met.
The Discovery phase consists of two parts. The first is information gathering and scanning. During this part of the engagement the team identifies as much information as possible about the company, its people, systems, services and applications. The second is vulnerability analysis, where the testing team synthesises everything gathered in the first part to identify vulnerabilities and possible attack vectors. Discovery can and should be repeated as the penetration test progresses into the Attack phase.
Information Gathering and Scanning
Kali contains many tools that can be used for information gathering and open-source intelligence (OSINT). Here is a quick breakdown of the tools.
Tool/Capability | Description
Maltego | Open-source intelligence (OSINT) and forensics application developed by Paterva. It provides a library of "transforms" that pull data from open sources and visualises the results as a graph, suitable for link analysis and data mining.
theHarvester | Gathers e-mail addresses, subdomains, hostnames, employee names, open ports and banners from public sources such as search engines, PGP key servers and the SHODAN database.
Creepy | Geolocation OSINT tool; collects location data that targets publish through social media and photo metadata, to support social-engineering reconnaissance.
DMitry | DMitry (Deepmagic Information Gathering Tool) is a UNIX/GNU Linux command-line application written in C. It gathers information such as subdomains, e-mail addresses and whois records.
Jigsaw | E-mail enumeration tool that queries the Jigsaw business directory. It can also generate candidate e-mail addresses from common naming formats.
Metagoofil | Information gathering tool that extracts metadata (author names, usernames, software versions, paths) from public documents (pdf, doc, xls, ppt, docx, pptx, xlsx) belonging to the target company.
Kali has many tools we could use to meet various scanning requirements. Here is a quick table broken out by requirement type.
Technique | Tool/Capability | Description
Network Discovery | fierce.pl | DNS interrogation tool. Uses several techniques, including DNS zone transfers, DNS brute-force and reverse lookups, to find hosts in a domain's address space.
Network Discovery | dnsdict6 | Dictionary-based DNS subdomain enumeration that resolves IPv6 (AAAA) records; part of the THC-IPv6 toolkit.
Network Discovery | fping/fping6 | Ping on steroids: sends ICMP echo requests to many hosts in parallel (fping6 for IPv6), which makes it suited to sweeping whole ranges.
Network Port and Service Identification | dnmap | Distributed nmap framework with client and server components. Maps hosts, ports and services across networks by farming scans out to multiple clients.
Network Port and Service Identification | nmap | Maps hosts, ports and services across networks. Its scripting engine (NSE) can also run scripts to identify vulnerabilities.
Network Port and Service Identification | hping3 | Crafts and sends custom TCP/IP packets and displays the target's replies the way ping does for ICMP; useful for probing hosts and firewalls that drop ICMP.
Wireless Discovery / Scanning | Kismet | An 802.11 layer-2 wireless network detector, sniffer and intrusion detection system.
Wireless Discovery / Scanning | Wireshark | Network protocol analyser for Unix and Windows; decodes captured 802.11 frames as well as wired traffic.
Web Application Discovery / Scanning | Burp Suite | Integrated platform for security testing of web applications, built around an intercepting proxy with spidering and scanning tools.
Web Application Discovery / Scanning | WebScarab | Framework for analysing applications that communicate over HTTP and HTTPS.
Web Application Discovery / Scanning | Nikto | Open-source (GPL) web server scanner that performs comprehensive tests against web servers for dangerous files, outdated server software and configuration problems.
Vulnerability Analysis
During vulnerability analysis we review the information gathering and scanning data to identify possible attack vectors. Typically this involves checking the service and OS version information collected during scanning against online vulnerability databases. We can also identify vulnerabilities with the automated tools Kali provides.
We've included a table of these tools below. Note that it also lists additional tools that are not in Kali by default but can be installed (marked with *). Keep in mind that Kali is Linux, and most things that install on a Linux platform will install on Kali; it's not unusual for us to install Nessus right after installing Kali on our primary penetration testing systems.
Technique | Tool/Capability | Description
Vulnerability Scanning | nmap -sC / --script | Switches that run NSE scripts with nmap: -sC runs the default script set, --script selects individual scripts or categories (for example --script vuln).
Vulnerability Scanning | OpenVAS | Open-source vulnerability scanner, forked from Nessus when Nessus became closed source.
Vulnerability Scanning | Nessus * | Commercial vulnerability scanner.
Database Vulnerability Scanning | oscanner | Oracle assessment framework written in Java.
Database Vulnerability Scanning | tnscmd10g | Sends commands to, and gathers information from, the Oracle TNS listener port.
Network Vulnerability Scanning | cisco-global-exploiter | Advanced, simple and fast security testing tool / exploit engine able to exploit 14 vulnerabilities in disparate Cisco devices.
Network Vulnerability Scanning | Yersinia | Network tool designed to take advantage of weaknesses in different layer-2 protocols (STP, CDP, DTP, DHCP, HSRP, 802.1Q and others).
Web Vulnerability Scanning | Arachni | Free/open-source web application security scanner framework.
Web Vulnerability Scanning | w3af | Web Application Attack and Audit Framework.
Web Vulnerability Scanning | OWASP ZAP | The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications.
Fuzzing Tools | bed | BED (Bruteforce Exploit Detector) is a plain-text protocol fuzzer that checks daemons for common bugs such as buffer overflows, format string bugs and integer overflows.
Fuzzing Tools | spike | C API for building network protocol fuzzers.

* Not installed on Kali by default; it must be installed separately.
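The scanning tables above produce the raw material, and vulnerability analysis is where that material is cross-referenced against version information. The following Python is an added example written for this article (it is not code from the original post, from nmap, or from any vulnerability database): it parses an nmap XML report, as written by `nmap -sV -oX scan.xml <targets>`, into a service inventory and checks each service's CPE against a small vulnerability database. The sample report is hand-constructed, and the `KNOWN_ISSUES` entries with their `PLACEHOLDER-` identifiers are assumptions standing in for the online databases the text refers to, not real advisories.

```python
"""Service inventory + version cross-reference for the vulnerability-analysis step.

Added example for this article, not the article's or nmap's own code.
Assumptions: the scan was saved with `nmap -sV -oX scan.xml <targets>`;
SAMPLE_NMAP_XML is hand-constructed in that format; KNOWN_ISSUES is a
hypothetical stand-in for an online vulnerability database (placeholder ids).
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: one host up with open and closed ports, one host down.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/30">
  <host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.3p1" extrainfo="protocol 2.0">
          <cpe>cpe:/a:openbsd:openssh:5.3p1</cpe></service></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.15">
          <cpe>cpe:/a:apache:http_server:2.2.15</cpe></service></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports></host>
  <host><status state="down"/><address addr="10.0.0.2" addrtype="ipv4"/></host>
</nmaprun>
"""


@dataclass
class Service:
    host: str
    port: int
    proto: str
    name: str
    product: str = ""
    version: str = ""
    cpes: list = field(default_factory=list)


def parse_nmap_xml(xml_text: str) -> list:
    """One Service per open port on each live host; down hosts and non-open ports are dropped."""
    services = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), "?")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            services.append(Service(
                host=addr, port=int(port.get("portid")), proto=port.get("protocol"),
                name=get("name"), product=get("product"), version=get("version"),
                cpes=[c.text for c in svc.findall("cpe")] if svc is not None else []))
    return services


def version_key(version: str) -> tuple:
    """'2.2.15' -> (2, 2, 15); a trailing suffix such as the 'p1' in '5.3p1' is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(x) for x in m.group(0).split(".")) if m else ()


def split_cpe(cpe: str) -> tuple:
    """'cpe:/a:apache:http_server:2.2.15' -> ('cpe:/a:apache:http_server', '2.2.15')."""
    parts = cpe.split(":")
    return ":".join(parts[:4]), (parts[4] if len(parts) > 4 else "")


# Hypothetical database (assumption, not real advisories):
# (CPE prefix without version, first affected, first fixed, placeholder id).
# A service is affected when first_affected <= version < first_fixed.
KNOWN_ISSUES = [
    ("cpe:/a:apache:http_server", "2.2.0", "2.2.16", "PLACEHOLDER-0001"),
    ("cpe:/a:openbsd:openssh", "6.0", "6.2", "PLACEHOLDER-0002"),
]


def match_vulns(services: list, db=KNOWN_ISSUES) -> tuple:
    """Cross-reference CPEs against db. Returns (findings, needs_manual_lookup)."""
    findings, manual = [], []
    for s in services:
        if not s.cpes:            # nmap could not fingerprint it: look it up by hand
            manual.append(s)
            continue
        for cpe in s.cpes:
            prefix, ver = split_cpe(cpe)
            vk = version_key(ver)
            for db_prefix, lo, hi, ident in db:
                if prefix == db_prefix and vk and version_key(lo) <= vk < version_key(hi):
                    findings.append({"host": s.host, "port": s.port, "cpe": cpe, "id": ident})
    return findings, manual


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_NMAP_XML)
    hits, todo = match_vulns(inv)
    for f in hits:
        print(f"{f['host']}:{f['port']} {f['cpe']} -> {f['id']}")
    for s in todo:
        print(f"{s.host}:{s.port} ({s.name}) no CPE, manual lookup needed")
```

Two caveats apply to any version-based match of this kind. First, nmap's version string comes from the banner, and distributions backport security fixes without bumping the version, so a match here is a candidate to verify (with an NSE `vuln` script, an OpenVAS/Nessus check, or by hand), not a confirmed finding. Second, services that nmap could not fingerprint carry no CPE at all; the example puts those on a manual-lookup list rather than silently dropping them.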
That's it for today! I will share the next part of the methodology soon; stay tuned for updates.