Penetration Testing Introduction: Scanning & Reconnaissance

Tools and methods of penetration testing

Nicholas Handy
6 min read · Aug 15, 2018

Learning Goals

  • What pen testing is and how it is used
  • Penetration testing methodology
  • Penetration testing environment — Kali Linux & virtual machine tools
  • Information gathering — scanning & reconnaissance
  • Information gathering tools — Nmap, Wireshark, Google dorking, etc.

Reminder: Attacking systems you do not have permission to attack is illegal. Only perform attacks on machines and networks you own or have permission for.

Current State of Cybersecurity

Over the past year or so hacking has gained mainstream attention from some high profile attacks. These attacks, such as the Equifax data breach, WannaCry ransomware and many others, have cost companies millions of dollars. With so much attention placed on data breaches, questions have been brewing about how safe user data is with each company. As long as these attacks keep happening, companies will have to place more and more emphasis on their security procedures. Within cybersecurity, penetration testing (pen testing) is one of the ways to mitigate attacks by plugging up security holes.

What is penetration testing?

Penetration testing is a process used by companies to test the security of their software and infrastructure. In penetration testing, a group of security professionals act as attackers in order to identify holes before hackers do. A pen tester’s goal is to provide information to the company about their vulnerabilities. In the world of security this is commonly referred to as red teaming. On the other side of penetration testing, the company’s security team, the blue team, figures out what areas of their security need to be strengthened.

Is a Penetration Tester Just a Hacker?

A major difference between a malicious hacker and a pen tester is permission and reporting. Most companies provide a scope of areas where they would like the pen tester to focus. These could be specific domains, networks, systems, etc. Pen testers also record any vulnerabilities found during their testing and can suggest solutions to patch the issue.

Types of Penetration Testing

The types of penetration testing can vary depending on the technology. Here are some of the common types of pen testing:

  • Network Testing
  • Mobile Application Testing
  • Web Application Testing
  • Cloud Testing
  • Social Engineering Testing

Even though each area of penetration testing has a differing tool set, they share a common methodology.

Penetration testing methodology

  1. Scanning and Reconnaissance — Getting to know the target through passive methods such as researching publicly available information, and through network scanning.
  2. Threat Modeling — A description or model of all the security concerns and why they should be resolved.
  3. Vulnerability Analysis — Identifying vulnerabilities and determining their severity.
  4. Exploitation — Gaining access by breaching the security of a system or finding a bug to exploit in the software.
  5. Post-Exploitation Reporting — Detailing the vulnerabilities found and providing information on the potential impact on the company if they were exploited.

With the general methodology laid out, let’s jump into the initial steps to get up and running with penetration testing.

Introducing the environment

Cybersecurity, like other technology fields, has an abundance of tools available. To make this simpler, Kali Linux was developed to bring together the most common tools in one OS environment. Kali Linux is a Debian-based Linux system that can be used in a virtual environment such as VirtualBox or VMware. With virtual machines we can make a closed-off network of multiple machines. This is a great way to practice attacks without opening up your own machine to attacks.

VirtualBox and Kali Linux testing environment

Going deeper into Scanning and Reconnaissance

Unlike in the movies, hackers don’t just start typing and automatically get access to a system. Scanning and reconnaissance is a key part of an attack in that it can detail vulnerable areas of a system. The first step of information gathering can be as simple as a quick Google search.

One way to think about information gathering is like breaking into a house. There’s no need to break down the door to get inside when there is a window open. In information gathering we want to find if the company we are testing has left any doors unlocked or maybe a window open.

What are we looking for?

Information gathering starts in a passive way. We want to get clues about what the company architecture looks like and whether there is any routine we can map out. This comes down to finding some key publicly available information such as:

  • Email addresses
  • Phone numbers
  • System information
  • Job Postings
  • Resumes
  • Contact Names

Nmap

Nmap is a powerful command line scanning tool. Using nmap, network architectures and open ports are easier to locate. As a command line tool, the main interaction with it is based on giving the correct commands for the job. To get a better understanding of how nmap could be used, let’s run through a couple of commands.

To do a simple scan we can just provide an address to scan.

We will use scanme.nmap.org which gives permission for scanning. Make sure you have permission before you scan a system you do not own.

nmap scanme.nmap.org

The results show the open ports of the target. With this simple scan you could identify if any vulnerable ports are open. By adding options we can focus on particular aspects of the target.

nmap -A scanme.nmap.org

In this case the nmap scan also finds the OS type, version and any open ports. Nmap is a powerful tool with many more commands to do specific tests. Check out nmap’s official website for the learning guide or take a look at the variety of nmap cheat sheets available online.
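A scan is only useful once its results are compared against what should be exposed. The following is an added example, not code from the article, that parses the XML nmap writes with -oX into a per-host inventory of open ports and flags anything outside an approved baseline; the XML sample, its 192.0.2.10 address and the version strings are constructed for the example.

```python
"""Turn `nmap -oX` output into an open-port inventory and flag ports outside an
approved baseline. Added example with constructed sample data, not the page's code."""
import xml.etree.ElementTree as ET

# Constructed stand-in for what `nmap -A -oX scan.xml scanme.nmap.org` writes;
# the address and version strings are made up for the example.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -oX scan.xml scanme.nmap.org">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<hostnames><hostname name="scanme.nmap.org" type="user"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.7"/></port>
<port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
<port protocol="tcp" portid="31337"><state state="open"/><service name="tcpwrapped"/></port>
</ports></host></nmaprun>"""

def parse_open_ports(xml_text):
    """Return {host_label: [(port, proto, service, product, version), ...]}, open ports only."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        name_el = host.find("hostnames/hostname")
        label = name_el.get("name") if name_el is not None else host.find("address").get("addr")
        entries = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed and filtered ports are not exposure
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            entries.append((int(port.get("portid")), port.get("protocol"),
                            attrs.get("name", "?"), attrs.get("product", ""), attrs.get("version", "")))
        inventory[label] = sorted(entries)
    return inventory

def unexpected_ports(inventory, baseline):
    """Open ports per host that are absent from that host's approved {(port, proto)} set."""
    return {host: [e for e in ports if (e[0], e[1]) not in baseline.get(host, set())]
            for host, ports in inventory.items()}

if __name__ == "__main__":
    baseline = {"scanme.nmap.org": {(22, "tcp"), (80, "tcp")}}
    for host, extras in unexpected_ports(parse_open_ports(SAMPLE_XML), baseline).items():
        for port, proto, name, product, version in extras:
            print(f"{host}: unexpected {port}/{proto} {name} {product} {version}".rstrip())
```

Run against a real scan by replacing SAMPLE_XML with the contents of the file written by -oX; the filtered 3306 entry is deliberately ignored, since only open ports count as exposure.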

Wireshark

During a penetration test we may want to monitor what is on the network. To do this we can use Wireshark, which is a network monitoring tool. Wireshark collects information on all network traffic, showing IP addresses, protocols, requests, etc.

By filtering the network information we can focus on particular systems and interactions on the network. In a work setting we could filter for any network traffic going to YouTube or Netflix to identify how heavily they are used during work hours. In the same way, during a penetration test we could identify what systems

Google Hacking (a.k.a Google Dorking)

Even though there are great tools for doing scanning and recon, we can just use Google to find the same information. Many security issues happen because of misconfiguration of software or accidentally opening information up to the public. By querying Google with specific strings we can find information not available on a website itself. Using these searches we can find files with user information, passwords, vulnerable servers, etc. These search queries are being included in more scanning tools so that the process of searching for these files is automated.

Check out the Google Hacking Database to see some current examples of

Up Next — Exploitation

The exploitation phase of a penetration test also utilizes its own set of tools. The go-to tool for many penetration testers attacking other systems on a network is the Metasploit Framework.

The Metasploit Framework

The Metasploit Framework is developed by Rapid7 and comes pre-installed on Kali Linux. Metasploit has a built-in database of exploits and payloads that is updated regularly. Check out our other article — Kali Linux & Metasploit: Getting Started with Pen Testing — to learn more about using Metasploit.

Opening the Metasploit console

Additional Resources

There are many courses out in the wild that cover penetration testing. Below are a few options that I have found to be good investments of time. If you have any suggestions then comment below!

Courses

Offensive Security Certified Professional Certificate — A very in depth course on penetration testing provided by the developers of Kali Linux.

Books

Grey Hat Hacking: The Ethical Hacker’s Handbook — Introduction to both hacking and penetration testing.

Penetration Testing: A Hands-On Introduction to Hacking — A good introduction to the main concepts of pen testing with hands-on exercises.

Websites

PentesterLab — Provides walkthroughs and vulnerable machines to learn and practice on.
