Pluralsight is not an official partner or accredited training center of
EC-Council. In this course, you will learn the ins and outs of planning and executing a penetration test against your own or your client's network.
What's penetration testing? Well, it's simple: as security professionals, our job is to make it extremely difficult to get inside our systems. Remember, you can't stop attackers; your job is to slow them down. How? Let's start by doing exactly what the attacker would do. Penetration testing (pen testing) is the practice of attacking your own network, or that of a client, using the same tools, techniques, and steps that an attacker would. The purpose of pen testing is to expose gaps, weaknesses, and possible entry points without doing any real damage. In this course, you will learn how to prepare for and execute a pen test, and how to report your results in a way that adds value to your time and effort.
Dale Meredith received his Certified Ethical Hacker and Certified EC-Council Instructor certifications back in 2006, and has been a Microsoft Certified Trainer since 1998 (yes, we had computers back then). Dale takes great pride in helping students comprehend and simplify complex IT concepts.
Pen Testing: Reconning and/or Footprinting the Target

Okay, so let's first talk about pen testing, reconning, and/or footprinting the target. Now, if we all want to have a flashback, because I know you've all gone back and watched the course on reconnaissance, you guys know what the purpose is here, right? It's actually to go through and determine what information about your client and/or target is publicly available, information that's available on the internet, such as network architecture, operating systems, applications, and users. This is very, very passive as far as the research is concerned. Now, the tester is going to go through and try any possible way that he can to go after either hosts or networks. It could be either, but he's going to use any possible way that he can to gather as much information as possible, to make sure that he has as much information as he can before he gets into the next stage of the pen test. Now, if you find some sensitive information on any site or any location that's publicly available, that information needs to be reported to the organization in your report. If it's information that you think is critical and can't wait a month or two before you submit the full report, then you need to notify your emergency contact. Now, this stage of the attack should help to prevent information leakage, as well as help us with social engineering attempts.
Pen Testing: Scanning the Target

So next up, we talk about scanning the target during a penetration test, and when you think about it, it's very similar to "Johnny 5 is alive" from the movie Short Circuit. See, I gave you another homework assignment. Whip out the Netflix or Hulu account and see if it's available. Johnny 5 was a robot that got consciousness out of all these other robots, and that's what we're doing here: we're going through trying to figure out which systems are alive on the network, and more importantly, how often are they alive on the network? Are they only up during certain times? We'll also want to discover the ports that are currently open on these nodes, as well as the services that are running. Each one of these things will help us to determine if there are any vulnerabilities that we can go after on the target. Another purpose of scanning the network is to discover any banners that we might be able to grab. Now, if you're not familiar with any of these subjects, again, you're going to hear me say this over and over, you need to go back and watch the course on ethical hacking and scanning the network. So by going through this process, what does it teach us? Well, it teaches us which ports we need to close, as well as, if we're offering up banners, whether we can hide them or customize them, and when I say customize, you know I'm a big fan of misdirection, right? I'll put a banner that makes it look like a Linux box on a Windows box and vice versa, because if an attacker hits the box and gets the banner that says it's a Linux box, he's going to throw Linux attacks at it when in actuality, it's a Windows box. We'll also be able to see which services aren't needed, and if they're not needed, let's turn them off. It should also give us a feel for how we can standardize our firewall and intrusion detection system rules, and we're also able to see the vector of misconfiguration and what we need to do to fix those misconfiguration errors.
So let's see how we start scanning in a pen test.
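As an added example (not part of the course or the instructor's material), the following Python script does the two things the scanning module describes: it finds which ports are alive with a plain TCP connect and then grabs whatever banner each service volunteers. To run offline it stands up its own throwaway listeners on 127.0.0.1, so the banners, the port numbers and the "silent" service are constructed sample data rather than anything captured from a real host. `guess_service` is a deliberately crude fingerprint, included to make the instructor's misdirection point: the banner is only what the service claims to be.

```python
import socket
import threading
from typing import Dict, List, Optional

# Constructed sample banners for the offline run. On an engagement the
# targets are the client's hosts; here we listen on 127.0.0.1 ourselves.
SAMPLE_BANNERS = {
    "ssh": b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n",
    "smtp": b"220 mail.example.test ESMTP ready\r\n",
}


def start_listener(banner: bytes) -> int:
    """Start a local TCP service on an OS-chosen port that sends `banner` to each client.

    An empty banner models a service that waits for the client to speak first
    (HTTP, for instance), which a banner grab alone will not identify.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if banner:
                    conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """TCP connect scan of one port plus a passive banner grab.

    Returns None if the port is closed or filtered, "" if it is open but
    silent, otherwise the text the service volunteered on connect.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except OSError:  # timeout or reset while waiting for a banner
                data = b""
    except OSError:  # ECONNREFUSED, connect timeout, unreachable
        return None
    return data.decode("latin-1").strip()


def scan(host: str, ports: List[int]) -> Dict[int, str]:
    """Return {port: banner} for every open port in `ports`."""
    results: Dict[int, str] = {}
    for port in ports:
        banner = grab_banner(host, port)
        if banner is not None:
            results[port] = banner
    return results


def guess_service(banner: str) -> str:
    """Crude fingerprint from the banner text. Treat it as a hint only: an
    admin can make a Windows box advertise a Linux-looking banner, so confirm
    with protocol behaviour before choosing which attacks to throw at it."""
    if banner.startswith("SSH-"):
        return "ssh"
    if banner.startswith("220 ") and "SMTP" in banner.upper():
        return "smtp"
    if banner == "":
        return "open, no banner (client must speak first)"
    return "unknown"


def run_demo() -> dict:
    """Stand up three constructed services, reserve one closed port, scan all four."""
    ssh_port = start_listener(SAMPLE_BANNERS["ssh"])
    smtp_port = start_listener(SAMPLE_BANNERS["smtp"])
    silent_port = start_listener(b"")
    # Bind-then-release to learn a port number that is closed right now.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    found = scan("127.0.0.1", [ssh_port, smtp_port, silent_port, closed_port])
    return {
        "open": found,
        "closed_port": closed_port,
        "services": {port: guess_service(b) for port, b in found.items()},
    }


if __name__ == "__main__":
    report = run_demo()
    for port, banner in sorted(report["open"].items()):
        print(f"{port}/tcp open   {report['services'][port]:<40} {banner!r}")
    print(f"{report['closed_port']}/tcp closed")
```

The silent listener is the case worth noticing: the port shows as open but the grab returns nothing, so deciding what runs there needs an active probe (send a request, watch the reply), which is exactly the step a customized or hidden banner forces an attacker to take.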
Pen Testing: Enumerating the Target

Okay, so after we've found our targets, the next step is enumeration. Now, through enumeration, the attacker is going to go through and gather as much information as he can about the box, or about the target itself, and some of the information that he can pull off these systems could include things like groups, as well as user accounts and, my favorite, service accounts, because let's face it, nobody looks at those things anyway, right? We should also be able to determine network resources, as well as possibly our network shares or other resources that are shared from that device. In many cases, we can also enumerate the applications that are installed on those boxes. Now, the enumeration step here actually builds on the data that we collected from the reconnaissance stage, and when we look at targets, we're not looking specifically at computers themselves; we would also want to look at enumerating the devices of the network. These would include things like routers, switches, intrusion detection systems, as well as possibly intrusion prevention systems, or IPSs. So the pen tester is actually going to do several different types of enumeration techniques in order to make sure that he gets all the information that he can from every device visible. And the reason why we do this, as we discussed in our reconnaissance course, is to determine the weaknesses and/or vulnerabilities of the organization's network, and the main purpose here is for us to try to determine the weaknesses or vulnerabilities of the network infrastructure of the target, or as I like to say, sorry, you are the weakest link. Now again, the weak link could be caused by the network infrastructure, as well as the human aspect, right?
Pen Testing: Sniffing the Target

Okay, so now in your pen test, you've gotten a hold of a system. What do you do from there? Well, that's where sniffing the target comes into play, and I'm not necessarily sniffing an individual target; it's actually in reference to the target being the network or the company itself. Now, the purposes here of doing a sniffing pen test are, first of all, to audit the traffic that's going across, so we can see if anything is being exposed that shouldn't be exposed. We also will use it to identify possible rogue applications out there. Some of those applications could actually end up being a sniffing program itself. We also use this to find rogue DHCP servers, as well as DNS servers that may be on the network, and to possibly find any unauthorized network devices that somebody may have placed on the network, because your users never do that, right? So the steps that we go through when pen testing and sniffing include going through the process of doing a MAC flood, as well as a DHCP starvation. We'll also attempt to do a rogue server to see if I can trick people into using my machine instead of the company's systems. I'll also attempt to do an ARP poison, as well as a MAC spoof, and then we'll check to see if the routers are sharing too much info by doing an IRDP spoofing attack. And then we also have the obvious, a DNS spoof, as well as cache poisoning. And to wrap it all up, one of the other tests that I'll do is a proxy server DNS poison. I know, there seems to be a lot of spoofing and poisoning going on here. And so, yes, you could say that the steps that we go through are extremely active on the network, and the reason why we want to make sure that we go through each of these steps is to make sure that we look at all possible ways that we can attempt to do a sniffing attack on the network, so that we can help protect our company.
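The sniffing module lists ARP poisoning among the attacks to run; the defensive half of that test is being able to spot it on the wire. The following Python block is an added example, not the course's or the instructor's code: it builds a few constructed ARP frames (a gateway, a workstation and an attacker in a made-up 10.0.0.0/24 with hypothetical MAC addresses), decodes them using the standard Ethernet II plus ARP layout, and flags any reply that contradicts the first IP-to-MAC binding seen. Feed the same replay frames read from a real capture and the alerts tell you whether the ARP poison step of the test succeeded against the client's network.

```python
import struct
from typing import Dict, List, Optional

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def _ip(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP packet (RFC 826 field order).

    Used here only to construct sample traffic; nothing is put on a wire.
    """
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = _mac(dst) + _mac(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + _mac(sender_mac) + _ip(sender_ip)
           + _mac(target_mac) + _ip(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an ARP-over-Ethernet frame; None for non-ARP or truncated input."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):  # Ethernet/IPv4 only
        return None
    return {
        "op": op,
        "sender_mac": ":".join(f"{b:02x}" for b in frame[22:28]),
        "sender_ip": ".".join(str(b) for b in frame[28:32]),
        "target_mac": ":".join(f"{b:02x}" for b in frame[32:38]),
        "target_ip": ".".join(str(b) for b in frame[38:42]),
    }


def detect_arp_poisoning(frames: List[bytes]) -> List[str]:
    """Replay frames through an IP->MAC table and flag replies that contradict
    the first binding seen. A real ARP cache overwrites the entry, which is
    the whole attack; keeping the first binding means every later poisoning
    reply alerts instead of silently winning."""
    bindings: Dict[str, str] = {}
    alerts: List[str] = []
    for idx, frame in enumerate(frames):
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] != ARP_REPLY:
            continue
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        known = bindings.setdefault(ip, mac)
        if known != mac:
            alerts.append(f"frame {idx}: {ip} is {known} but {mac} now claims it "
                          f"(reply sent to {pkt['target_ip']})")
    return alerts


def sample_traffic() -> List[bytes]:
    """Constructed lab traffic: gateway, workstation and attacker in 10.0.0.0/24."""
    gw_mac, gw_ip = "00:11:22:33:44:01", "10.0.0.1"
    ws_mac, ws_ip = "00:11:22:33:44:20", "10.0.0.20"
    bad_mac = "de:ad:be:ef:00:01"  # hypothetical attacker NIC
    return [
        build_arp(ARP_REQUEST, ws_mac, ws_ip, "00:00:00:00:00:00", gw_ip),  # who has 10.0.0.1?
        build_arp(ARP_REPLY, gw_mac, gw_ip, ws_mac, ws_ip),                  # legitimate answer
        build_arp(ARP_REPLY, ws_mac, ws_ip, gw_mac, gw_ip),                  # legitimate answer
        b"\x00" * 60,                                                        # junk, not ARP
        build_arp(ARP_REPLY, bad_mac, gw_ip, ws_mac, ws_ip),                 # attacker -> workstation
        build_arp(ARP_REPLY, bad_mac, ws_ip, gw_mac, gw_ip),                 # attacker -> gateway
    ]


if __name__ == "__main__":
    for line in detect_arp_poisoning(sample_traffic()):
        print("ALERT", line)
```

The two alerts correspond to the two halves of a man-in-the-middle: the attacker tells the workstation it is the gateway and tells the gateway it is the workstation. Detecting the rogue DHCP server the module also mentions follows the same shape: record the server identifier in each DHCPOFFER and alert when it is not the approved one.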
How to Bring It All Together

Okay, so you've heard me ask you over, and over, and over at the end of each module what we do next, and we've always answered that with documentation. Now, if you're like me, documentation, or coming up with these reports, is one of the most painstaking things to do. I'm one of those guys that likes to do; I don't necessarily like to document, and I've learned to do so over the years because I've actually found that many times, it's actually helped me to cover my donkey. I'll let you change that one up any way you want to. But we're going to go through in this module and we're going to take a look at the reports. What are their purposes? Well, their purpose, first of all, is that as we go through and do our pen testing, we're bringing everything together into one place, and in doing so, because of how much information we have, we need to make sure that we present it with clear and precise explanations, and we've got to do so, it's kind of weird, without turning on our geek. We've got to turn it off and put things into layman's terms. Now, this is typically a huge challenge, because when it comes to dealing with really in-depth technical issues, getting somebody to understand what it is you discovered at the same level, being able to put that into words, is an art form. You have to assume that not everybody knows the same technical jargon that you're used to dealing with. We also want to make sure that we don't necessarily focus in on "ha ha, look what I found." Go ahead and show the cool things that you found, or the great protection that is in place in certain areas, as well as providing solutions. That's where you get repeat customers, because not only did you just come in there and show them what they did wrong and what they need to improve on, but you gave them solutions that they could implement.
And guess what? After they implement those solutions, you should probably follow up with another pen test to see if it's working, and if they configured those correctly. So let's go through and take a look at some of the things we need to include in our reports.