Hacking: A 101 Hacking Guide (2015)
Chapter 7: Penetration Testing
Penetration testing, also known as pen testing or PT, is legally hacking into a system to determine its vulnerabilities, and is part of the white hat hacker world. However, it usually goes beyond just determining the vulnerabilities to demonstrating how they can be exploited. Sometimes this last step is necessary to convince users that the danger is real and must be addressed in a timely manner.
Remember earlier when we discussed the difference between a vulnerability and a threat? Pen testing looks for vulnerabilities in the system–unintentional loopholes that leave the system open to attack. Think of it as being similar to hiding a key to your house under a rock in your flowerbed. Everything is fine…until someone who shouldn’t have access to your house finds it. Vulnerabilities work the same way: everything is fine, until a less-than-ethical hacker decides to use those vulnerabilities to stage an attack.
There are many different ways to approach pen testing. In this book, we are going to look at Zero-Entry Pen Testing, which consists of four phases: reconnaissance, scanning, exploitation, and maintaining access.
The reconnaissance stage involves gathering information about your target, and the most important result of this step is a list of IP addresses–but that is not all. Many people don’t realize that this is the most important step in pen testing: finding out everything you can about your target. Care is required in this stage to make sure that the target isn’t alerted to the fact you are prowling around. A skilled black hat hacker doesn’t reveal their presence, and neither should a white hat hacker.
To study your target’s website without attracting attention, you might want to make a copy of their entire website–that way you are only accessing it one time, which shouldn’t arouse suspicion. HTTrack is a commonly used tool for this. Basically, it makes a copy of the entire website, allowing you to carefully mine the HTML code for valuable information and clues. Another well-known tool for gathering additional information is called Harvester: it searches the web for employee names, email addresses, subdomains, etc. Yet another tool you can put in your toolbox is the website WhoIs. NetCraft has an interesting tool available on their webpage. You can see it in the figure below.
Just as an example, I am going to type in snopes.com (a well-known website for debunking hoaxes and investigating internet rumors).
As you can see, www.snopes.com is running Linux.
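Seen from the target’s side, the same reconnaissance leaves traces. The script below is an added example, not taken from the book, that reads web-server access-log lines in the common “combined” format and flags clients that behave like a whole-site copying tool: a User-Agent containing a known tool name, or many distinct pages fetched inside one short time window. The sample log lines are constructed here, the addresses are documentation ranges, and the HTTrack User-Agent text is an assumed value rather than a string verified against the tool.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# One line of the Apache/nginx "combined" access-log format, for example:
# 203.0.113.5 - - [10/Oct/2015:13:55:00 +0000] "GET /a.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# User-Agent substrings that identify off-the-shelf site-copying tools.
# HTTrack is the tool the chapter names; the header text it sends is assumed
# here (it varies by version), so treat this list as a starting point.
MIRROR_TOOL_MARKERS = ("httrack",)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def find_mirroring_clients(lines, window_seconds=60, min_requests=20, min_distinct_paths=15):
    """Return {client_ip: [reasons]} for clients whose traffic looks like a whole-site copy.

    Two signals are used: a known tool name in the User-Agent, and a burst of
    many *distinct* pages inside one sliding time window.  The distinct-path
    guard keeps a client that polls a single URL (e.g. a status endpoint)
    from being reported.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        reasons = []
        if any(marker in r["ua"].lower() for r in recs for marker in MIRROR_TOOL_MARKERS):
            reasons.append("mirroring tool user-agent")
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):  # sliding window over recs[start:end + 1]
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            distinct = len({r["path"] for r in recs[start:end + 1]})
            if count >= min_requests and distinct >= min_distinct_paths:
                reasons.append(f"{count} requests to {distinct} distinct paths within {window_seconds}s")
                break
        if reasons:
            findings[ip] = reasons
    return findings


# --- constructed sample log (not real traffic) --------------------------------
_BASE = datetime(2015, 10, 10, 13, 55, 0, tzinfo=timezone.utc)


def _line(ip, offset_s, path, ua):
    ts = (_BASE + timedelta(seconds=offset_s)).strftime(TS_FORMAT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/41.0"
HTTRACK_UA = "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"  # assumed header text

SAMPLE_LOG = (
    # an ordinary visitor: three pages over several minutes
    [_line("198.51.100.7", s, p, BROWSER_UA) for s, p in ((0, "/"), (90, "/about.html"), (400, "/contact.html"))]
    # a mirroring run: 25 different pages in under a minute, tool user-agent
    + [_line("203.0.113.5", 2 * i, f"/page{i}.html", HTTRACK_UA) for i in range(25)]
    # a dashboard polling one URL every second: high rate, but not a site copy
    + [_line("192.0.2.9", i, "/status.json", BROWSER_UA) for i in range(22)]
)

if __name__ == "__main__":
    for ip, reasons in find_mirroring_clients(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Run against a real log, only the mirroring client is reported, with both reasons; the polling client trips the request-count threshold but not the distinct-path one, which is the usual source of false positives in a rate-only rule.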
Once you have finished the reconnaissance stage and have the IP addresses, they feed directly into the scanning stage, which starts with scanning the ports at the given IP addresses. Once open ports and the services running on them have been identified, then vulnerability scanning takes place. This was discussed in the previous chapter on ports; however, we will take some time to discuss a few of the tools available. The first is the Angry IP Scanner, which works on just about any platform you need and can export the IP scan data to a variety of file formats. Nmap is another very powerful scanner, which comes with most modern Linux systems but is available for Windows also.
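The useful output of the scanning stage is a list of open ports and services per host, which then has to be judged against what each host is supposed to expose. The script below is an added example, not from the book or from the Nmap project, that reads the XML report Nmap writes with its -oX option, collects each live host’s open ports and service names, and compares them with a baseline of expected services; anything outside the baseline is reported as an unexpected exposure to investigate. The sample XML is constructed in the layout of Nmap’s XML output, trimmed to the elements the script reads, and the addresses and baseline are made-up values.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an "nmap -oX" report, cut down to the
# elements this script reads.  A real report carries many more attributes.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/29">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
      <port protocol="tcp" portid="6379"><state state="open"/><service name="redis"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Baseline (made up for this example): the (protocol, port) pairs each host
# is expected to expose.  In practice this comes from your asset inventory.
EXPECTED = {
    "192.0.2.10": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "192.0.2.11": {("tcp", 22)},
}


def parse_open_ports(xml_text):
    """Return {ipv4: {(protocol, port): service_name}} for every host marked up."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not answer have no ports to inventory
        addr = None
        for a in host.findall("address"):
            if a.get("addrtype") == "ipv4":
                addr = a.get("addr")
        if addr is None:
            continue
        open_ports = {}
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports are exposure; closed/filtered are skipped
            svc = port.find("service")
            key = (port.get("protocol"), int(port.get("portid")))
            open_ports[key] = svc.get("name") if svc is not None else "unknown"
        result[addr] = open_ports
    return result


def unexpected_exposures(observed, expected):
    """List (host, protocol, port, service) for open ports not in the baseline."""
    findings = []
    for addr, ports in observed.items():
        allowed = expected.get(addr, set())  # a host absent from the baseline allows nothing
        for key in sorted(ports):
            if key not in allowed:
                findings.append((addr, key[0], key[1], ports[key]))
    return findings


if __name__ == "__main__":
    observed = parse_open_ports(SAMPLE_NMAP_XML)
    for host, proto, port, service in unexpected_exposures(observed, EXPECTED):
        print(f"{host} {proto}/{port} ({service}) is open but not in the baseline")
```

Hosts missing from the baseline are treated as allowing nothing, so a machine nobody knew about shows up with every open port listed rather than silently passing; the closed telnet port is skipped because only open ports count as exposure.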
Once you know what ports are open and what their vulnerabilities are, you begin the exploitation stage. The end goal of this step is to obtain administrative access over your target. This can happen remotely (from a different physical location) or locally.
Now, what exactly does administrative access mean to a hacker? It means he or she can take down the remaining defenses, install and run their own code, corrupt or delete files, make copies of files, and more.
After the hacker has administrative access, his or her payload (the program that gives access to the command line) is deployed. Imagine you are a thief, and you found an unsecured window in your target’s home. The payload is the tool you use to get the window open just enough to get in, but to carry anything out you need a bigger opening. This leads to the phase of maintaining access, where the hacker would modify security settings, set themselves up as a user, etc. to keep that access open long enough to accomplish their task.
As a white hat ethical hacker, the only time you do penetration testing is to reveal the weaknesses in the system so it can be strengthened, not to take advantage of them. As part of strengthening the system, the ethical hacker will create a detailed report of how they gained access, a discussion of weaknesses discovered, and recommendations/solutions for eliminating those weaknesses.
Angry IP Scanner: http://angryip.org/
Nmap examples: http://www.tecmint.com/nmap-command-examples/