Cybersecurity Penetration Test

A penetration test (pen test, in brief) is an authorized simulated attack on a computer system. The aim is to determine the security level of the system and to report any vulnerabilities found to the system’s owner. A penetration test can be white-box, black-box, or gray-box. In white-box penetration tests, the pentester is given full knowledge of the system details, and the organization is aware that a penetration test is ongoing. White-box pen tests are generally cheaper and quicker, and they can find many vulnerabilities. However, they are generally less realistic. In black-box penetration tests, the system details are hidden from the pentester, and (most of) the organization is unaware that a penetration test is ongoing. Black-box pen tests are more expensive, and they usually find only the easiest and most exploitable vulnerabilities. However, they are more realistic, and they also evaluate the reaction capabilities of the organization’s security team. Gray-box pen tests are a mix of white-box and black-box.

There are several operating system distributions, usually Linux-based, dedicated to penetration testing. Such distributions contain large sets of pre-installed and pre-configured tools for vulnerability analysis and exploitation. An example of such an operating system is Kali Linux, which is based on Debian.

An exploit is a piece of software that takes advantage of a vulnerability of a victim computer. Different exploits leverage different attack vectors, for example emails, network packets, HTTP requests, etc., and they can cause different kinds of damage. The piece of code that causes the damage is called the payload of the exploit. Examples of payloads are remote shells, spam-sending programs, self-replicating worms, etc. An exploit kit is a collection of exploits and payloads which lets you match specific exploits to specific payloads, so as to allow more flexible attacks. Of course, not every payload can be run by every exploit. If an exploit lets you provoke only a denial of service, it is not possible to run any other payload with it.

Intelligence gathering involves the discovery of person names, phone numbers, email addresses, domain names and hostnames, IP addresses, subnetworks, hosts, routers, etc. regarding a company or an organization.

Most of this information is often publicly available on social networking sites (e.g., Facebook), professional networking sites (e.g., LinkedIn), career management sites (e.g., monster.com), etc. Here, an attacker can find names, titles, email addresses, phone numbers, work locations, and other information that may help her in mounting phishing and social engineering attacks. Job offers are also a good source of information. For example, if an organization is searching for a security professional with experience in CheckPoint firewalls and Snort IDS, it is probable that they use exactly these products to protect their networks. Resumes of past or present employees can also give hints about the security technologies in use, because they reveal the employees’ skills in using such technologies.

Another way to gather information is through the WHOIS service, which is used to retrieve information on the owner of a particular IP address or domain name. In order to gather information about the owner of, e.g., “unipi.it”, an attacker must first identify the related domain name registry, which is an organization authorized by IANA (now ICANN) to manage the uniqueness and the allocation of domains in a specific top-level domain. The registry of the “.it” top-level domain is “Registro.it”, led by the IIT-CNR in Pisa. The WHOIS server of “Registro.it” is reachable at “nic.it”, and it can be queried via the whois tool or via a web interface. From here, the attacker can learn a lot of information about the owner of the domain (the domain name registrant). For example, she can learn the technical contact details (person names, email addresses, phone numbers), which she can pose as in phishing or social engineering attacks, and unipi.it’s DNS servers, which can be used to gather further intelligence.

An attacker can also gather intelligence from an IP address or a network prefix. To do this, she must first identify the related regional Internet registry (RIR), which is an organization authorized by IANA (now ICANN) to manage the uniqueness and the allocation of IP addresses in a specific world region. The RIR associated with Europe and the ex-USSR countries is RIPE, which can be queried via the whois tool or via the web interface at “ripe.net”. From here, the attacker can learn the subnet prefixes allocated to the owner of a specific IP address, and its BGP autonomous system numbers.

Another way to gather intelligence is by interrogating DNS servers. Companies and organizations that own a domain (e.g., example.com) typically instantiate many host names (e.g., host.example.com) for different purposes under the same domain. Such host names refer to hosts having an IP address inside the subnetworks managed by the domain owner. Some of these host names are publicly known (e.g., www.example.com); others may be hidden from the public but still reachable via the Internet (e.g., admin.example.com).

DNS can be exploited to gather information about all the host names under a given domain and their IP addresses. This is useful since the discovered hosts are possible targets of further investigation or attacks. To do this, it is possible to ask the DNS server to perform a DNS zone transfer, by which the server returns all the host names it is resolving. In order to mount this attack, the DNS server must be misconfigured so that it replies to zone transfer requests from anyone who asks. Nowadays, this rarely happens. An alternative is to query the DNS servers with a predefined list of common host names, for example www.example.com, web.example.com, admin.example.com, dns.example.com, whois.example.com, etc. This attack is called DNS bruteforcing. Domain owners sometimes instantiate hosts to provide standard services like LDAP and XMPP. Such hosts take standard host names of the form [_service].[_transportprotocol].example.com, e.g., _ldap._tcp.example.com or _xmpp-client._tcp.example.com. The information about these service hosts held in the DNS servers is called SRV records. SRV records are easy to bruteforce too, in order to discover additional possible attack targets.
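
The zone transfer misconfiguration described above is something a domain owner can check on their own authoritative name servers. The following is an added example (not code from the slides) that builds an AXFR request over TCP with only the Python standard library and reads the reply header; the function names (build_axfr_query, parse_header, zone_is_open, check_axfr) and the interpretation "NOERROR with at least one record means the zone was handed out" are assumptions of this example, and a correctly configured server is expected to answer REFUSED or NOTAUTH instead.

```python
import socket
import struct

# Added example (not from the slides): standard-library AXFR probe for a defender's own servers.
QTYPE_AXFR, QCLASS_IN = 252, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          5: "REFUSED", 9: "NOTAUTH"}

def encode_name(domain):
    """DNS label format: a length byte before each label, a zero byte at the end."""
    out = b""
    for label in domain.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_axfr_query(domain, txid=0x1234):
    """AXFR question for domain, framed for TCP with a 2-byte length prefix."""
    msg = (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
           + encode_name(domain) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN))
    return struct.pack("!H", len(msg)) + msg

def parse_header(msg):
    """Return id, rcode name and answer count of a DNS reply (no length prefix)."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "answers": an}

def zone_is_open(reply):
    """Records came back: the zone was handed to an arbitrary client (the misconfiguration above)."""
    return reply["rcode"] == "NOERROR" and reply["answers"] > 0

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:  # many servers simply close the connection instead of answering
            raise ConnectionError("name server closed the connection early")
        buf += chunk
    return buf

def check_axfr(ns_host, domain, timeout=5.0):
    """Send one AXFR request over TCP/53 and report whether the zone came back."""
    with socket.create_connection((ns_host, 53), timeout=timeout) as s:
        s.sendall(build_axfr_query(domain))
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        reply = parse_header(recv_exact(s, length))
    return zone_is_open(reply), reply
```

Only the first message of the transfer is inspected, which is enough to tell an open zone from a refusal; a server that closes the connection without answering raises ConnectionError and should be treated as closed.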

Network sniffing (aka passive network scanning) is a technique aimed at eavesdropping on and analyzing traffic in a local area network, in order to steal unencrypted data or gain information like available hosts, open ports, available services, etc. An example of a network sniffer is Wireshark. Network sniffing can gain the same information that network scanning can, including service type/version and operating system type/version, but in a completely stealthy way. It requires the attacker to be in the same local area network as the target hosts.
