3 Penetration Testing Overview

Uploaded by peter.burgess

Penetration Testing Overview

Peter Burgess


What is Penetration Testing?
There are several popular definitions of a Penetration Test:

Penetration testing is the process of identifying security vulnerabilities in your IT infrastructure by mimicking an attacker.

Penetration testing is the practice of testing a computer system, network or web application to find vulnerabilities that an attacker could exploit.

A penetration test is an authorised simulated attack on a computer system that looks for security weaknesses, which could potentially provide access to the system's features and data.

What is Penetration Testing?
Note the common word in all those definitions – which is “ATTACK”.

Do not confuse vulnerability scanning with penetration testing, thinking they are one and the same.

NOT SO – vulnerability scanning is PASSIVE and AUTOMATED – penetration testing is largely ACTIVE and MANUAL.

What is Penetration Testing?
SO …
The aim of Penetration Testing is to DETERMINE whether and/or how a malicious user can gain UNAUTHORISED ACCESS to sensitive data by finding an EXPLOITABLE vulnerability in one of the target systems.

Vulnerability Scanning vs Penetration Testing
Think of the Network as a House:

Vulnerability scanning is observing – walking around the house and identifying all the doors, windows and locks that are reportedly insecure based on information available from the vendor.

Penetration testing is like trying to break into the house by picking the weak locks and taking advantage of an open window.

Types of Penetration Test
A Penetration Test can be referred to as:

WHITE BOX – Where prior information is provided to the tester about the network and/or systems to be tested

BLACK BOX – Where NO prior information is given to the tester

And GREY BOX – Somewhere between the two, where SOME prior information is given to the tester

Types of Hacker
In the same way HACKERS are referred to as:

WHITE HAT – “Ethical” Hackers – the “good” guys

BLACK HAT – The “bad” guys

And GREY HAT – Somewhere between the two, who might exploit a vulnerability and then bring it to the attention of the “owners”

Documented Methodology
A Penetration Test should be performed according to a formal documented methodology and include at least the following:
• Based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
• A defined scope including a list of critical systems to be tested
• A definition of any limitations applicable to the test – eg the tester will stop short of compromising any system and simply identify vulnerabilities
• Documented approval by the system owner
• Testing approach – What tests will be performed
• Rules of Engagement for the Test

From here on it gets more technical. Read on if you want to know more…

Scope of a Penetration Test
The Scope of a Penetration Test specifies the environment and systems that are going to be tested and the level of testing.

There are TWO main types of Penetration Test:
• External Penetration Test
• Internal Penetration Test

In addition, testing can be conducted at the following “layers”:
• Network Layer (on network devices)
• Application Layer (on applications)

IDEALLY TESTING SHOULD INCLUDE ALL THE ABOVE. More detail follows…

External Penetration Test
An EXTERNAL Penetration Test is performed from OUTSIDE the network, trying to break in.

Internal Penetration Test
An INTERNAL Penetration Test is performed from INSIDE the network – but from a non-critical segment (like an Administration segment).

Application and Network Level Testing
Application Level Testing – application-layer penetration tests are performed on applications and should include common application vulnerabilities.
Examples:
• SQL Injection
• Cross-site scripting
• Buffer overflows

Network Level Testing will be performed on components that support network functions (firewalls, routers) as well as operating systems.

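The slide lists SQL Injection as the first of the common application vulnerabilities an application-level test should cover. The following is an added example, not code from the slide deck or its author, showing the same login lookup written two ways: once with user input pasted into the SQL text (the defect a tester would report) and once with a parameterised query (the fix). The in-memory database, the users table and the sample inputs are all constructed for illustration.

```python
"""
Added example (not from the slide deck): a login lookup written with and
without SQL injection, against a constructed in-memory SQLite database.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data. Passwords are stored in clear text only to
    # keep the example short; a real application would store a salted hash.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    # DEFECT: the input is formatted straight into the SQL text, so quote
    # characters inside the input become part of the query's structure.
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return sorted(row[0] for row in conn.execute(query))


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    # FIX: a parameterised query. The values travel separately from the SQL
    # text, so the database only ever compares them as data.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))


if __name__ == "__main__":
    db = make_db()
    # The textbook test string: in the vulnerable version the WHERE clause
    # becomes "... AND password = '' OR '1'='1'", which is true for every row.
    probe = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "alice", probe))  # ['alice', 'bob']
    print("safe      :", login_safe(db, "alice", probe))        # []
    print("real login:", login_safe(db, "alice", "correct horse"))  # ['alice']
```

The vulnerable function returns every user because the injected `OR '1'='1'` short-circuits the password check; the parameterised version returns nothing for the same input and still works for a genuine credential. The same pattern (bind parameters, never string formatting) applies to every SQL driver, not only `sqlite3`.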
Web Application Test
A WEB Application Test is an example of Application Level Testing and is a targeted test aimed at a Web Server Application (usually internet-facing).

Pen Testing Approach
The Penetration Test will usually follow this type of approach:
• Port Scanning – To identify possible vulnerable Ports, Protocols and Services (using a tool like Nmap)
• Vulnerability scanning – To identify any vulnerabilities (using a tool like Qualys)
• Identification of possible compromises using tools like Metasploit and Backtrack, or a manual attack
• Followed by a detailed report identifying areas of compromise and recommended fixes

What is “Port Scanning”? (Common Terminology)
Ports – like the “ears” and “mouth” of a computer system – handle incoming and outgoing signals – a system “listens” and “speaks” via a Port.
Protocols – the “spoken language” of computers, eg TCP/IP, FTP.
Services – Activities – things the system does or can do – eg web services, network services, remote communication services.
This is how systems “speak” to one another.

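The approach slide opens with port scanning, and the terminology slide explains that a scan is a matter of probing which ports a system is listening on. From the defender's side the same activity has a recognisable footprint: one source address touching many distinct destination ports on one host in a short time. The block below is an added example, not code from the slide deck, that detects that footprint over constructed connection-log lines. The log format, the addresses, the threshold and window values and the sample lines are all assumptions made for illustration and do not come from any particular firewall or scanner.

```python
"""
Added example (not from the slide deck): flag the connection pattern a
port scan leaves in a connection log. Log format and sample lines are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
#   <ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>
# 10.0.0.5 sweeps 12 ports in four seconds (a scan), 10.0.0.7 is a normal
# client using only 80/443, 10.0.0.9 probes 10 ports but 30 seconds apart.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 -> 192.168.1.10:21 tcp
2024-05-01T10:00:00 10.0.0.5 -> 192.168.1.10:22 tcp
2024-05-01T10:00:01 10.0.0.5 -> 192.168.1.10:23 tcp
2024-05-01T10:00:01 10.0.0.5 -> 192.168.1.10:25 tcp
2024-05-01T10:00:01 10.0.0.5 -> 192.168.1.10:53 tcp
2024-05-01T10:00:02 10.0.0.5 -> 192.168.1.10:80 tcp
2024-05-01T10:00:02 10.0.0.5 -> 192.168.1.10:110 tcp
2024-05-01T10:00:02 10.0.0.5 -> 192.168.1.10:135 tcp
2024-05-01T10:00:03 10.0.0.5 -> 192.168.1.10:139 tcp
2024-05-01T10:00:03 10.0.0.5 -> 192.168.1.10:143 tcp
2024-05-01T10:00:03 10.0.0.5 -> 192.168.1.10:443 tcp
2024-05-01T10:00:04 10.0.0.5 -> 192.168.1.10:445 tcp
2024-05-01T10:00:05 10.0.0.7 -> 192.168.1.10:443 tcp
2024-05-01T10:00:06 10.0.0.7 -> 192.168.1.10:443 tcp
2024-05-01T10:00:07 10.0.0.7 -> 192.168.1.10:80 tcp
2024-05-01T10:00:08 10.0.0.7 -> 192.168.1.10:443 tcp
2024-05-01T10:00:09 10.0.0.7 -> 192.168.1.10:443 tcp
2024-05-01T10:01:00 10.0.0.9 -> 192.168.1.10:1001 tcp
2024-05-01T10:01:30 10.0.0.9 -> 192.168.1.10:1002 tcp
2024-05-01T10:02:00 10.0.0.9 -> 192.168.1.10:1003 tcp
2024-05-01T10:02:30 10.0.0.9 -> 192.168.1.10:1004 tcp
2024-05-01T10:03:00 10.0.0.9 -> 192.168.1.10:1005 tcp
2024-05-01T10:03:30 10.0.0.9 -> 192.168.1.10:1006 tcp
2024-05-01T10:04:00 10.0.0.9 -> 192.168.1.10:1007 tcp
2024-05-01T10:04:30 10.0.0.9 -> 192.168.1.10:1008 tcp
2024-05-01T10:05:00 10.0.0.9 -> 192.168.1.10:1009 tcp
2024-05-01T10:05:30 10.0.0.9 -> 192.168.1.10:1010 tcp
"""


def parse_line(line: str):
    """Split one constructed log line into (timestamp, src, dst, port, proto)."""
    ts_text, src, _arrow, dst_and_port, proto = line.split()
    dst, port = dst_and_port.rsplit(":", 1)
    return datetime.fromisoformat(ts_text), src, dst, int(port), proto


def detect_port_scans(log_text: str, threshold: int = 10, window_seconds: int = 60) -> dict:
    """Return {(src, dst): peak distinct-port count} for every source/destination
    pair that touched at least `threshold` distinct ports within one sliding
    window of `window_seconds`."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])  # logs are not always in time order
    recent = defaultdict(list)       # (src, dst) -> [(ts, port)] inside the window
    alerts = {}
    for ts, src, dst, port, _proto in events:
        key = (src, dst)
        cutoff = ts - timedelta(seconds=window_seconds)
        # slide the window: keep only events not older than the cutoff
        recent[key] = [(t, p) for t, p in recent[key] if t >= cutoff] + [(ts, port)]
        distinct = {p for _, p in recent[key]}
        if len(distinct) >= threshold:
            alerts[key] = max(len(distinct), alerts.get(key, 0))
    return alerts


if __name__ == "__main__":
    for (src, dst), count in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, {count} distinct ports in window")
```

With the defaults only `10.0.0.5` is reported. The busy but legitimate client `10.0.0.7` never exceeds two distinct ports, so connection volume on its own does not trigger the rule. The slow prober `10.0.0.9` is also missed, because no 60-second window ever contains more than three of its probes; that is the usual caveat with windowed thresholds, and why production detectors pair a short window like this one with a much longer aggregation (hours or days) to catch deliberately slow scans.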
Approach Example – Port Scanner (two screenshot slides; images not present in the text extract)

Approach Example – Vulnerability Scanner (two screenshot slides; images not present in the text extract)

Approach Example – Metasploit (screenshot slide; image not present in the text extract)

Some Point & Click Tools
Test the validity and status of many popular online stores and services, including Amazon, American Express, eBay, Facebook, iTunes, PayPal and Skype.

Sample Penetration Test Report Extract
Admin Webserver Interface Compromise
The admin.megacorpone.com webserver was found to be running an Apache webserver on port 81. Accessing the root URL of this site resulted in the display of a blank page. We next conducted a quick enumeration scan of the system looking for common directories and files (Figure 4).

Figure 4 – Enumeration of the admin.megacorpone.com host partially discloses the webserver’s folder structure.

The scan results revealed that along with common Apache default files (please see Appendix A for more information), we identified an “/admin” directory that was only accessible after authentication (Figure 5).

BACS Penetration Test Report

BACS Gateway Pen Test

Why would someone want to Hack my PC?

Microsoft DDE (Dynamic Data Exchange) attack
• Phishing email with fake MS Word document (invoice) attachment
• Poisoned document fetches a downloader which in turn fetches a copy of Locky malware
• Locky is launched and encrypts the victim’s hard drive
• Locky is deleted and a demand for 0.25 Bitcoin is issued

MS DDE has been around since 1987 – a feature that lets MS Office applications exchange data.

SWIFT Attack – October 2017 – Bank in Taiwan
• Malware planted on PCs and Servers in the Bank network
• Access gained to SWIFT terminal
• Credentials compromised
• $60 million wired to fake accounts in banks in US, Cambodia and Sri Lanka

Numerous attacks on the SWIFT messaging system

August 2016 – Hackers of unknown origin stole some US$81 million from Bangladesh Bank and nearly scored almost US$1 billion save for the presence of a typo which raised suspicion, preventing two transactions of US$850 million and US$870 million.

The United States' Department of Homeland Security issues alert that warns of “advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors” – using Phishing tactics and targeting SCADA systems.

StuxNet – 2010 Iran Nuclear Program – US / Israel

North Korea hacks 140 000 computers – began in 2014 and noticed in February 2017

More on Request

Thanks for watching…

www.theregister.co.uk
