Penetration testing

Introduction

What is penetration testing?

The security of any system depends on its weakest link. Being aware of that link, monitoring it and fixing it is a key duty for the overall wellbeing and security of the system. When the topic is IT infrastructure, a web application or a computer system, the penetration test is the "man" who does this job.

Governments, private companies and other national and international organizations used to rely on the installation of defensive layers such as access control, cryptography, IPS and firewalls to find and eliminate vulnerabilities. But with the arrival and adoption of new technologies this is no longer enough.

That is why penetration testing is vital for assessing and monitoring the security of critical resources. Other benefits of pen testing are ensuring the availability of your system, managing risk properly, ensuring the quality of products and assurance, and protecting your clients and partners.

A pen test is an authorized simulated attack that tries to exploit vulnerabilities which exist in the OS, in services, in application flaws, in improper configuration or in risky end-user behaviour. The methods of conducting a pen test are similar to those used by hostile intruders and other hackers.

The main types of pen testing are network penetration testing, application penetration testing, website penetration testing, physical penetration testing, cloud penetration testing and social engineering.

In this paper I will start with a description of Kali Linux as core information and then treat some of the most popular open source tools, such as Metasploit, Wireshark and Nmap.

We will go through a general and a specific description of each of these open source tools and make an analysis of them.

Kali Linux

The first thing you will deal with when you start to google or ask about security auditing or penetration testing is definitely Kali Linux. Kali is an open source Linux distribution that is used for deep penetration testing. Kali Linux is free of charge, free to learn and has wonderful community support.

It comes with more than 600 preinstalled penetration testing programs. Let's mention the most important ones.

Armitage is a graphical cyber attack management tool, John the Ripper is a password cracker and Aircrack-ng is software for pen testing wireless LANs. Kali Linux also includes tools like Nmap, Wireshark and the Metasploit Framework.

You can download from their official website tens of tools for information gathering, vulnerability analysis, wireless attacks, web application exploitation, stress testing, sniffing and spoofing, password attacks and hardware hacking.

Kali Linux is very efficient when the matter is SQL injection, cross-site scripting and testing for local file inclusion, which are core problems to cover before going further into more advanced examination or pen testing possibilities.

Kali has a custom-built kernel that is patched for wireless injection. It is developed in a secure and safe environment, with only a small number of people allowed to commit packages.

Other functional advantages of Kali Linux are that it is FHS compliant, which allows the user to easily locate binaries, support files and other libraries, and that it has a very wide range of wireless device support.

Below I will give, for illustrative purposes, an example of how easy it is to launch the Metasploit Framework from Kali Linux.

First launch PostgreSQL, as it is the database of Metasploit. Run the command ss -ant and check that port 5432 is listed as listening. Then initialise the Metasploit PostgreSQL database with msfdb init. After that run msfconsole and verify the database connection with msf > db_status; that's all.
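The pre-flight check from the steps above, written out as an added example (this is not code from the page or from the Metasploit project): it reads the ss -ant listing, looks for a listener on 5432 and only then suggests msfdb init. It assumes the iproute2 ss tool is present, as on Kali; the ss output embedded in the block is constructed.

```python
"""Pre-flight check for 'msfdb init': confirm PostgreSQL is listening on 5432.
Assumes the iproute2 'ss' tool is available, as on Kali Linux."""
import subprocess

PG_PORT = 5432  # default PostgreSQL port that msfdb expects


def listening_ports(ss_output: str) -> set:
    """Return the local TCP ports in LISTEN state from 'ss -ant' output."""
    ports = set()
    for line in ss_output.splitlines():
        cols = line.split()
        # data rows look like: LISTEN 0 244 127.0.0.1:5432 0.0.0.0:* [process]
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header row, or a socket that is not listening
        port = cols[3].rsplit(":", 1)[-1]  # works for 127.0.0.1:5432 and [::1]:5432
        if port.isdigit():
            ports.add(int(port))
    return ports


def postgres_ready(ss_output: str) -> bool:
    """True when the Metasploit database backend is reachable on PG_PORT."""
    return PG_PORT in listening_ports(ss_output)


# Constructed sample of 'ss -ant' output (not captured from a real host).
SAMPLE_SS = """State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       244     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
ESTAB   0       0       192.0.2.10:48122     192.0.2.20:443
"""

if __name__ == "__main__":
    live = subprocess.run(["ss", "-ant"], capture_output=True, text=True, check=True).stdout
    if postgres_ready(live):
        print("PostgreSQL is listening; next: msfdb init, then msfconsole and db_status")
    else:
        print("PostgreSQL is not listening on 5432; start it first (systemctl start postgresql)")
```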

Wireshark

Wireshark is the best and most popular open source packet analyzer. You can download it for free and it works on Linux and Windows.

Wireshark is used for network troubleshooting, examining security problems and debugging protocol implementations. Wireshark is also a great learning tool and is very useful for those who are writing networking protocols.

Its GUI is simple and very practical and includes features which make sifting through packets easier. Once the interface is selected, Wireshark will start capturing all packets arriving at and leaving the selected network interface.

Wireshark is very rich in features. It has the ability to perform powerful inspection of hundreds of network protocols and can access data at the different layers.

It captures packet data in great detail, so you can analyze every last bit flowing through a network interface; this lets it go further than other tools in conceptualizing a problem.
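To make "accessing data at the different layers" concrete, here is an added example (not from the page and not Wireshark's own code) that splits one Ethernet/IPv4/TCP frame into its link, network and transport headers the way Wireshark's packet-details pane does. The frame is constructed inside the block, so no capture is needed; checksums are left zero and not verified.

```python
"""Layered dissection of one Ethernet/IPv4/TCP frame, the way Wireshark splits a
capture into link, network and transport headers. Constructed frame, no live capture."""
import socket
import struct

TCP_FLAGS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def dissect(frame: bytes) -> dict:
    """Return the per-layer fields of an IPv4/TCP frame (no checksum verification)."""
    # Layer 2: Ethernet II = 6-byte dst MAC, 6-byte src MAC, 2-byte EtherType
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: EtherType 0x{ethertype:04x}")
    # Layer 3: IPv4; header length = IHL (low nibble of byte 0) * 4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        raise ValueError(f"not TCP: IP protocol {ip[9]}")
    # Layer 4: TCP; data offset is the high nibble of bytes 12-13, flags the low 9 bits
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return {
        "src_mac": mac(src_mac), "dst_mac": mac(dst_mac),
        "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for name, bit in TCP_FLAGS if off_flags & bit],
        "payload": tcp[data_off:],
    }


def build_sample_frame() -> bytes:
    """Constructed HTTP request frame (PSH,ACK); checksums are left zero on purpose."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    payload = b"GET / HTTP/1.1\r\n"
    tcp = struct.pack("!HHIIHHHH", 48122, 80, 1000, 2000, (5 << 12) | 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234,
                     0x4000, 64, 6, 0, socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.20"))
    return eth + ip + tcp + payload


if __name__ == "__main__":
    d = dissect(build_sample_frame())
    print(f"{d['src_ip']}:{d['sport']} -> {d['dst_ip']}:{d['dport']} [{','.join(d['flags'])}]")
```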

Another feature is that it can capture and decompress gzip-compressed data on the fly. Wireshark has VoIP features which can analyze voice data and reveal timing information, who initiated the call, who started it and who stopped it, and it can replay a captured VoIP call for a selected codec.

Metasploit Framework

The Metasploit Framework is a program and sub-project developed by Metasploit LLC, the open source community and Rapid7. It is used to run exploit modules and is a great penetration testing system.

The Metasploit Framework is an open source tool that is used to research security vulnerabilities and also to develop and execute exploit code against a remote target machine, which helps administrators identify security risks. Metasploit only executes the exploits you tell it to.

Another good quality of the Metasploit Framework is the anti-forensic and evasion tools that it includes.

Like other applications, there is an agenda for how it does the job. The first step is information gathering; then we start scanning for vulnerabilities. After that we start to exploit in depth, and at the end we have post-exploitation and reporting.

Before choosing the exploit or payload we need some extra information about the target operating system and the other installed network applications or services. To get it we can use port scanning and OS fingerprinting, with the help of programs that scan for vulnerabilities such as Nessus or OpenVAS. This process is part of information gathering.

The most used interface is msfconsole, because of its flexibility, richness of features and tool support. Other interfaces are msfcli, msfweb and msfgui; they differ in the approach by which they provide access to the framework.

msfd – Provides an instance of
msfconsole that remote clients can connect to

msfrpc – Connects to an RPC
instance of Metasploit

msfrpcd – Provides an RPC
interface to Metasploit

msfvenom – Standalone
Metasploit payload generator

msfdb – Manages the Metasploit
Framework database

Below I am going to illustrate a simple example of how to use the Metasploit Framework.

1. use - selects the module (exploit/auxiliary/...).

2. set - sets the module parameters; global parameters can be set as well.

3. show - lists all (exploits, auxiliary modules, options, payloads, targets).

4. exploit - runs the selected module.

You can list all active sessions or interact with a given session.

msf > show exploits, msf > show auxiliary, msf > show options, msf > show payloads, msf > show targets

Nmap

Nmap (Network Mapper) is an open source security scanner tool. It is very helpful for network mapping and port scanning. Nmap is used to scan a range of IP addresses and identify active systems, to determine whether ports are open and to find the operating system.

Nmap has rich features for probing computer networks, which include host discovery and operating-system detection. One good thing about Nmap is that it can adapt to network conditions, including latency and congestion, during a scan.

Nmap is a very powerful tool because the first thing a hacker would do after gaining access to your network is reconnaissance, which is performed with a network scan through Nmap. All this information is very important for the administrator or the person who is conducting the pen test.

The way it functions is this. The user selects a range of ports so that he can see which services the identified system is running. After that Nmap examines the system based on its responses to unusual packets, so that it can find which operating system the target uses.

The attacker carefully runs a series of successful nmap scans, gathering information on which systems are active and which exploits he should pay attention to.

Nmap operates with a random scan category, in which SYN packets are sent to ports within a certain range of values; this ends up with several packets sent to a large number of TCP and UDP ports. The second type of traffic is called exploit plus. It is similar to the random scan explained above, but the difference is the exclusion of random destination ports in favour of well-known service ports.

The latest version of Nmap has 171 new scripts and 20 libraries. Below are some of its most used NSE scripts.

firewall-bypass: detects vulnerabilities in firewalls that use helpers to dynamically open ports for the FTP protocol.

oracle-brute-stealth: used when we want to initiate an authentication attempt as a valid user. In this case the server responds with a session key and salt. After they are received, the script disconnects so that the server does not record further login attempts.

dns-ip6-arpa-scan: a script for host discovery. It performs a DNS lookup using a technique that analyzes the DNS server's response code. The technique works by adding an octet (byte) to a given IP prefix: if the added octet is correct the server returns no error, otherwise it returns that no domain was found.

And rpc-grind: fingerprints the target RPC port to extract the target service, RPC number and version.
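As an added example covering both the scan results described in the Nmap section (active systems, open ports, OS detection) and the per-port NSE output such as rpc-grind, this block (not from the page or from the Nmap project) parses the XML that nmap -oX writes into a host inventory and flags open services that are not on an expected baseline, which is how an administrator turns a scan into a finding. The XML and the rpc-grind output text are constructed for the example; the baseline set of (address, port) pairs is an assumption.

```python
"""Turn 'nmap -oX' output into a host inventory and flag open services that are
not on an expected baseline. Constructed sample XML; no scan is run here."""
import xml.etree.ElementTree as ET

# Constructed sample in the layout nmap -oX writes (not a real scan result);
# the rpc-grind output text is made up for the example.
SAMPLE_XML = """<nmaprun scanner="nmap">
<host><status state="up" reason="echo-reply"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
<port protocol="tcp" portid="111"><state state="open"/><service name="rpcbind"/>
  <script id="rpc-grind" output="program 100000 (rpcbind), version 2-4"/></port>
<port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
</ports>
<os><osmatch name="Linux 5.X" accuracy="95"/></os>
</host>
<host><status state="down"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_nmap_xml(xml_text: str) -> list:
    """Return one dict per live host: address, open ports, OS guess, NSE output."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        if h.find("status").get("state") != "up":
            continue  # skip hosts that did not answer host discovery
        entry = {"addr": h.find("address[@addrtype='ipv4']").get("addr"),
                 "ports": [], "os": None, "scripts": {}}
        osm = h.find("os/osmatch")  # best OS match, present when -O produced one
        if osm is not None:
            entry["os"] = (osm.get("name"), int(osm.get("accuracy")))
        for p in h.findall("ports/port"):
            if p.find("state").get("state") != "open":
                continue  # closed/filtered ports are not exposed services
            port, svc = int(p.get("portid")), p.find("service")
            entry["ports"].append((port, p.get("protocol"), svc.get("name") if svc is not None else None))
            for s in p.findall("script"):  # per-port NSE results such as rpc-grind
                entry["scripts"][(port, s.get("id"))] = s.get("output")
        hosts.append(entry)
    return hosts


def unexpected_services(hosts: list, baseline: set) -> list:
    """(addr, port, service) for every open port whose (addr, port) is not in the baseline."""
    return [(h["addr"], port, name) for h in hosts
            for port, _proto, name in h["ports"] if (h["addr"], port) not in baseline]


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_XML)
    print(unexpected_services(inventory, {("192.0.2.10", 22)}))  # assumed baseline
```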