VULNERABILITY ASSESSMENT & PENETRATION TESTING
“Give me six hours to chop down a tree and I will spend the first four sharpening the axe.”
- Abraham Lincoln
TABLE OF CONTENTS
1. Introduction
2. The Need for VAPT
3. What is VAPT?
4. Approaches
5. Methodology
6. Services
7. Issues We Identify
8. Tools
INTRODUCTION
Over the past few years, we have seen all the hype surrounding cybersecurity
finally transform into a frightening new reality.
SIMPLIFIED ATTACK LIFECYCLE
● Initial Reconnaissance: two main steps, selection of the target and research on the target.
● Penetration: the intruder uses some method to compromise the target.
● Gaining a Foothold: the intruder keeps hold of the compromised system, generally by setting up a backdoor so that the machine can be accessed again later.
● Escalating Privileges: the intruder obtains a higher level of access on the compromised machine by any of several methods, with the aim of obtaining an administrator login.
● Lateral Movement: the intruder generally does not find the desired information on the first machine compromised, so the attacker tries to extend the compromise to other systems within the same network. If the intruder is detected during lateral movement, the defender learns the intruder's exact intent, i.e. what information they are after.
● Maintain Presence: the intruder ensures remote access to the complete environment by installing multiple variants of malware backdoors.
● Mission Complete
Lifecycle flow: Initial Reconnaissance → Penetration → Gaining a Foothold → Escalating Privileges → Internal Recon → Lateral Movement → Maintain Presence → Mission Successful
NEED FOR VAPT
Is there a need to test a computer system for security weaknesses by attempting to gain access to the computer's features and data?
THE NEED
● Improve information security and awareness
● Assess risk
● Mitigate risk immediately
● Reinforce the information security process
● Assist in decision making process
● Validate that current security mechanisms are working
● Compliance with various security standards and regulations such as NIST, ISO 27001, the Information Technology Act, 2000, SOX, HIPAA, PCI etc.
WHAT IS VAPT?
It is the process intended to reveal flaws in the
security mechanisms, protect data and maintain
functionality as intended.
WHAT IS VAPT?
● A form of stress testing, which exposes weakness or flaws in a computer system
● The art of finding an Open Door
● A valued Assurance Assessment tool
● VAPT can be used to find flaws in
○ Specifications, Architecture, Implementation, Software, Hardware, and many more..
● Vulnerability assessment is the process of identifying, quantifying, and prioritizing the
vulnerabilities in a system.
● Penetration test is an attack on a computer system that looks for security weaknesses, potentially
gaining access to the computer's features and data.
APPROACHES
Typically VAPT is performed using three approaches
● Blackbox
● Graybox
● Whitebox
BLACKBOX TESTING
● Also known as “Zero-Knowledge” testing: the tester has to acquire knowledge and then penetrate
○ Knowledge is acquired using tools or social engineering techniques
○ Publicly available information may be given to the penetration tester
● Benefit: intended to closely replicate an attack by an outsider who has no information about the system. This kind of testing gives insight into the robustness of the security when under attack by script kiddies.

GRAYBOX TESTING
● Usually a combination of blackbox and whitebox testing
● The aim is to search for defects, if any, due to improper structure or improper usage of applications
● The tester simulates an insider: the tester is given an account on the internal network and standard access to the network. This test assesses internal threats from employees within the company.
● Benefit: takes the straightforward technique of blackbox testing and combines it with the code-targeted systems of whitebox testing

WHITEBOX TESTING
● Also known as “Internal Testing”: testers are given full information about the target system they are supposed to attack. Information includes:
○ Technology overviews
○ Data flow and network diagrams
○ Code snippets
● Benefits:
○ Reveals more vulnerabilities and may be faster
○ Replicates an attack by a criminal hacker who knows the company infrastructure very well
○ Checks robustness against internal threats
METHODOLOGY
ASSESSMENT DESCRIPTION
1. Vulnerability Assessment and Penetration Testing
Synclature’s methodology is derived from the following best practices:
● OWASP, OSSTMM and WASC security guidelines
● Business logic vulnerability verification
● False positive elimination
● Utilization of automated commercial, proprietary and other industry leading tools
● Manual testing for identification and verification of critical and exploitable vulnerabilities
● Reassessment to ensure all gaps are fixed
Flow: Understanding → Threat Profiling → Test Plan Generation → Automated Testing → Manual Testing → Report Generation → Knowledge Transfer
METHODOLOGY - FLOW
Phases:
● INFORMATION GATHERING - Finalizing the scope
● TARGET DISCOVERY - Active & passive reconnaissance
● SCANNING & FINGERPRINTING - Identifying underlying technology & service version
● INFORMATION GATHERING - Active & passive reconnaissance

Targets:
● PERIMETER DEVICES - Network & security appliances
● WEB BASED APPLICATIONS - E-Commerce, B2B, custom websites & appliances
● APPLICATIONS - Web servers, database servers, mail servers, SSH, FTP
● OPERATING SYSTEMS - Windows, Linux, Unix & Solaris

Analysis and reporting:
● VULNERABILITY IDENTIFICATION - Locating known & unknown vulnerabilities
● VULNERABILITY ANALYSIS - Filtering & confirming attack methods
● PENETRATION EXPLOITATION - Confirmation of existing vulnerabilities
● IMPACT ANALYSIS - Extent of business impact due to vulnerability exploitation
● DATA CORRELATION - Mitigation strategies
● REPORTS - Detailed findings, management report, executive summary
METHODOLOGY - OUTCOMES
Information Gathering
1. The point of this exercise is to find the number of reachable systems to be tested, without exceeding the legal limits.
2. In this phase, no intrusion is performed directly on the systems.
3. Hosts discovered later may be inserted into the testing as a subset of the defined scope, with the concurrence of the client's internal security team.
Expected outcome:
▪ Domain Names
▪ Server Names
▪ IP Addresses
▪ Network Map
▪ ISP / ASP information
▪ System and Service Owners
▪ Possible test limitations

Port Scanning
1. Port scanning is the invasive probing of system ports at the transport level.
2. This phase enumerates live or accessible Internet services, as well as penetrating the firewall to find additional live systems.
Expected outcome:
▪ Open, closed or filtered ports
▪ IP addresses of live systems
▪ List of discovered tunneled and encapsulated protocols
▪ List of discovered routing protocols supported
▪ Active services

Operating System Fingerprinting
1. System fingerprinting is the active probing of a system for responses that distinguish unique systems down to operating system and version level.
Expected outcome:
▪ OS Type
▪ Other information such as uptime
Services Fingerprinting
1. This is the active examination of the application listening behind the service. In certain cases more than one application exists behind a service, where one application is the listener and the others are considered components of the listening application.
2. A good example is Perl installed for use in a web application: the listening service is the HTTP daemon and the component is Perl.
Expected outcome:
▪ Service Types
▪ Service Application Type and Patch Level

Vulnerability Scanning
1. Testing for vulnerabilities using commercial tools to determine existing holes and system patch level.
Expected outcome:
▪ List of system vulnerabilities
▪ Type of application or service by vulnerability
▪ Patch levels of systems and applications

Denial of Service Testing
1. Denial of Service (DoS) is a situation where a circumstance, either intentional or accidental, prevents the system from functioning as intended.
2. Ascertain whether the system functions exactly as designed and handles the load, scope or parameters imposed upon it.
Expected outcome:
▪ List of possible denial of service vulnerabilities
▪ List of weak points in the Internet presence, including single points of failure
▪ List of system behaviors under heavy use
▪ List of systems / applications susceptible to DoS vulnerabilities

Buffer Overflow
1. Buffer overflow attacks are used to exploit specific vulnerabilities in OS and applications by giving inputs that are longer than the defined memory buffers.
Expected outcome:
▪ Administrative access to the vulnerable servers / protected resource
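The Port Scanning and Services Fingerprinting steps above, in miniature: a TCP connect() scan that classifies ports as open, closed or filtered, followed by a banner grab and a regex match that turns the banner into a service type and product/patch string. This is an added illustration, not Synclature's tooling. It targets a throwaway listener on 127.0.0.1 that the script starts itself, so it runs offline; the banner the listener serves (an SSH-style greeting) and the signature table are constructed for the example, and the names start_fake_service, free_loopback_port, probe_port, grab_banner, fingerprint and scan are this example's own.

```python
"""TCP connect scan plus banner grab on a local throwaway service.
Added example (not Synclature's code); all test data is constructed."""
import re
import socket
import threading

FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"  # constructed test banner


def start_fake_service(banner: bytes = FAKE_BANNER) -> int:
    """Listen on an ephemeral loopback port and serve one banner per
    connection from a daemon thread.  Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:  # client hung up before reading (a bare probe)
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_loopback_port() -> int:
    """Bind and immediately release a port, so it is (almost certainly) closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify a port the way a connect() scan does:
    open     - the three-way handshake completed
    closed   - the host answered with RST (connection refused)
    filtered - nothing came back before the timeout, i.e. something
               between us and the host dropped the SYN."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:  # timeout, host unreachable, ...: no RST seen
            return "filtered"


def grab_banner(host: str, port: int, timeout: float = 1.0) -> bytes:
    """Connect and read whatever the service volunteers first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256)
        except OSError:  # service waits for the client to speak first
            return b""


# Service signatures (constructed for the example): regex over the banner and
# the service name.  The product group, where present, is what the deck calls
# the "service application type and patch level".
BANNER_PATTERNS = [
    (re.compile(rb"^SSH-[\d.]+-(?P<product>\S+)"), "ssh"),
    (re.compile(rb"^220[ -](?P<product>\S+)"), "smtp/ftp"),
    (re.compile(rb"^HTTP/\d\.\d \d{3}"), "http"),
]


def fingerprint(banner: bytes) -> dict:
    """Map a raw banner to {service, product}; 'unknown' when nothing matches,
    so a silent or unusual service never aborts the scan."""
    for pattern, service in BANNER_PATTERNS:
        m = pattern.match(banner)
        if m:
            product = m.groupdict().get("product") or b""
            return {"service": service, "product": product.decode(errors="replace")}
    return {"service": "unknown", "product": ""}


def scan(host: str, ports) -> dict:
    """Probe each port and fingerprint the open ones."""
    results = {}
    for port in ports:
        entry = {"state": probe_port(host, port)}
        if entry["state"] == "open":
            entry.update(fingerprint(grab_banner(host, port)))
        results[port] = entry
    return results


if __name__ == "__main__":
    target = "127.0.0.1"
    for port, info in scan(target, [start_fake_service(), free_loopback_port()]).items():
        print(f"{target}:{port} {info}")
```

The "filtered" branch is the one to watch in a real engagement: a firewall that drops SYNs makes the scan wait out every timeout, so scanners lower the timeout and parallelise, and a SYN-only (half-open) scan rather than a full connect() is what the perimeter section later calls "SYN stealth scanning".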
ASSESSMENT DESCRIPTION
2. Penetration Testing for Perimeter Hosts / Public IP Addresses
● Assessment of perimeter devices such as firewalls, routers and intrusion detection systems covers:
○ Identifying IP addresses of live systems
○ Identifying open, closed or filtered ports at the firewall
○ Active services and versions
○ Internal system network addressing
○ Routing protocols supported
○ Mapping firewall rule-sets
○ Verifying whether internal assets can be enumerated with SYN stealth scanning through the firewall
○ Firewalking and scanning with specific source ports through the firewall
● Operating systems and applications are tested to identify weaknesses associated with the installed versions:
○ Determine operating system type and patch level
○ Verify whether TCP initial sequence numbers are predictable
○ Identify and confirm known vulnerabilities associated with the installed versions of applications
○ Horizontal and vertical privilege escalation
● Deliverable: detailed penetration testing reports:
○ Detailed Technical Report with false positives discarded
○ Comprehensive Management Report
○ Consulting Knowledge Transfer
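One way to carry out the TCP sequence number prediction check listed above, as an added example rather than Synclature's own procedure. In a real test you would open several connections to the target a fixed interval apart and record the ISN from each SYN/ACK; here the ISN samples are constructed. The statistic is a deliberately simplified one (the spread of successive ISN deltas, in bits) in the spirit of nmap's ISN predictability index, not its exact formula, and the three classification thresholds are this example's assumption. The names isn_deltas, isn_difficulty_bits, classify_isn and predict_next are the example's own.

```python
"""Is a host's TCP ISN predictable?  Added example (not Synclature's code);
simplified statistic, constructed samples."""
import math
from statistics import mean, pstdev

MOD = 1 << 32  # sequence numbers are 32-bit and wrap around


def isn_deltas(isns):
    """Successive differences modulo 2^32, so a wrap from 0xFFFFFF00 to
    0x00000100 counts as +0x200 and not as a huge negative jump."""
    if len(isns) < 2:
        raise ValueError("need at least two ISN samples")
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def isn_difficulty_bits(isns) -> float:
    """log2 of the population standard deviation of the deltas: roughly how
    many bits an attacker has to guess.  0 when every delta is identical."""
    spread = pstdev(isn_deltas(isns))
    return math.log2(spread) if spread >= 1 else 0.0


def classify_isn(isns) -> str:
    """Thresholds are an assumption made for this example:
    < 1 bit   -> trivial  (constant increment, next ISN known exactly)
    < 16 bits -> weak     (clock- or counter-based with jitter; guessable)
    otherwise -> random   (PRNG-based ISNs, as modern stacks use)"""
    bits = isn_difficulty_bits(isns)
    if bits < 1:
        return "trivial"
    if bits < 16:
        return "weak"
    return "random"


def predict_next(isns):
    """Best guess for the next ISN and a +/- window around it: last ISN plus
    the mean delta, window of three standard deviations (assumes the deltas
    are roughly Gaussian, which only means anything for trivial/weak hosts)."""
    d = isn_deltas(isns)
    centre = (isns[-1] + round(mean(d))) % MOD
    return centre, math.ceil(3 * pstdev(d))


# Constructed samples for three kinds of host.
SAMPLES = {
    "constant increment": [1000, 2000, 3000, 4000, 5000],
    "64000/s clock with jitter": [100000, 164010, 228005, 291998, 356012],
    "random": [0x1A2B3C4D, 0x9F8E7D6C, 0x00112233, 0xDEADBEEF, 0x7F7F7F7F, 0xC0FFEE00],
}

if __name__ == "__main__":
    for label, isns in SAMPLES.items():
        guess, window = predict_next(isns)
        print(f"{label:28s} {classify_isn(isns):8s} "
              f"{isn_difficulty_bits(isns):5.1f} bits  next ~ {guess:#010x} +/- {window}")
```

A "trivial" or "weak" verdict is what makes blind spoofing and connection hijacking feasible against that host, which is why the check belongs in the operating-system part of the assessment rather than being a curiosity.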
Understanding the Application
A holistic understanding of the application's features, functions and other modules in scope is extremely important for the team of security analysts to develop an appropriate test plan. Browsing the application, reading user manuals and discussions with application owners and developers ensure our team has adequate knowledge to comprehensively assess it.

Threat Profiling
Our Security Analysts develop a comprehensive list of threats based on the knowledge acquired in the first phase and create a threat profile for every application. This threat profile drives the actual testing, and our team makes sure it has shared the profile with the client and obtained approval before testing the application.

Test Plan Generation
Based on the threat profile, our Security Analysts generate a test plan which identifies the attacks to be performed on the application in order to realize the threats related to it.

Automated & Manual Testing
Automated and manual testing is the most important step of our methodology. Our team conducts automated testing with best-of-breed tools; this is usually a combination of several tools, each a leader in its own area. Our testing cycle does not end with automated testing: our team conducts thorough manual testing to ensure all the tests have been conducted and false positives are minimized.

Report Generation
The goal is a report which is concise, meaningful and adds value to the customer's application. Our reports are detail oriented while remaining concise, with appropriate evidence and remedial actions. The structure of the technical report is as follows:
o Introduction
o Summary of findings
o Detailed findings (with evidence)
o Short term and long term recommendations
o Comprehensive test plan with results
o List of Targets
SAMPLE THREAT MODELLING
SAMPLE LIST OF CHECKS
Business Logic
▪ Authentication
○ Brute Force
○ Insufficient Authentication
○ Weak Password Recovery Validation
▪ Authorization
○ Credential/Session Prediction
○ Insufficient Authorization
○ Insufficient Session Expiration
○ Session Fixation
▪ Logical Attacks
○ Abuse of Functionality
○ Denial of Service
○ Insufficient Anti-automation
○ Insufficient Process Validation
▪ Weak encryption

Technical
▪ SQL Injection
▪ Cross-site Scripting
▪ Command Execution
○ Buffer Overflow
○ Format String Attack
○ LDAP Injection
○ OS Commanding
○ SSI Injection
○ XPath Injection
○ XML/SOAP tests
▪ Information Disclosure
○ Directory Indexing
○ Information Leakage
○ Path Traversal
○ Predictable Resource Location
▪ Client-Side
○ Content Spoofing
ASSESSMENT SERVICES
VAPT
VULNERABILITY ASSESSMENT
● Compliance-based reports (ISMS, PCI, HIPAA, NIST and SOX)
● Customizable, multi-view reports that make the most of existing security investment
● Internal and external vulnerability scans
● Best practices (OWASP, ITIL, OSSTMM and the ISO 27001 standard)
● On-demand, proactive vulnerability management for organizations
● Bring visibility, awareness and consistency to your organization
● Track asset ownership, pinpoint rogue devices, and view detailed asset discovery and profile reporting
● Reduce investment in tools and technology
● Comprehensive solutions and countermeasures to mitigate identified vulnerabilities

PENETRATION TESTING
● Executive summaries (jargon-free, true executive-level summaries and action plan)
● Identify technical and logical vulnerabilities such as SQL injection, cross site scripting, I/O data validation, exception management, etc.
● Impact analysis of the identified vulnerabilities
● Findings and recommendations to improve security postures
● Knowledge transfer to clients’ internal security team
● Reduced investment in employing full-time security analysts, tools and technology
● Part of an overall risk management solution that addresses the audit requirement of policy & compliance frameworks such as ISO 27001, SOX, HIPAA, PCI etc.
APPLICATION SECURITY TESTING (AST)
DYNAMIC AST
● Black box testing
● Vulnerability detection toward the end of the SDLC
● Run-time and environment related issue discovery
● Web applications and web services check
● Configuration check
● SDKs / libraries check
● Compliance check
● CVSS scoring

STATIC AST
● White box testing
● Earlier detection of vulnerabilities in the SDLC
● Source code analysis without executing the application
● Memory leakage check
● Network layer analysis
● Insecure data storage
● Thorough analysis of data flow with 20+ test cases to detect dangerous loopholes

API TESTING
● 100+ test cases categorized into 9 distinct groups
● Total security of the web server, the database and its implementation
● On-demand scanning with the push of a button from your dashboard
● Detailed reporting of all your threats with suggestions on how to fix them
ISSUES WE IDENTIFY
OWASP Top 10 (2010 edition)
● SQL Injection
● Cross Site Scripting (XSS)
● Broken Authentication and Session Management
● Insecure Direct Object References
● Cross Site Request Forgery (CSRF)
● Security Misconfiguration
● Insecure Cryptographic Storage
● Failure to Restrict URL Access
● Insufficient Transport Layer Protection
● Unvalidated Redirects and Forwards

Business Logic
● Abuse of functionality
● Insufficient Process Validation
● Information Leakage
● Predictable Resource Location and Insufficient Authorization
● Transaction details manipulation
● Bypass payment process validation
● Weak password recovery validation
● User Account Hijack
● Escalation of user privilege

Authentication
● Password guessing
● Password cracking
● Bypass authentication
● Session Id prediction
● Cryptographic strength validation
● Cookie tampering

Insecure Configuration
● SSL configuration
● Directory Listing Enabled
● Directories with executable permission enabled
● Directories with write permissions enabled
● Insecure HTTP Methods (TRACE / DELETE / PUT) Enabled

Other Vulnerabilities
● Server/service fingerprinting
● Default passwords
● Backup / Sensitive files Security Vulnerability
● Code execution Vulnerability
● Directory Traversal
● Local / Remote File inclusion
● Path disclosure
● Possible sensitive files
● Sensitive data not encrypted
● Source code disclosure

WASC Classification
● Brute Force
● Buffer Overflow
● Credential / Session Prediction
● Fingerprinting
● HTTP Response Splitting
● Integer Overflows
● Null Byte Injection
● Session Fixation
● Server Misconfiguration
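The "Insecure HTTP Methods (TRACE / DELETE / PUT) Enabled" item from the Insecure Configuration list above, as a concrete check. This is an added example, not Synclature's tooling. Two small servers built on Python's standard library stand in for the target: one misconfigured (it honours TRACE by echoing the request, the behaviour that lets a cross-site tracing attack read cookies the browser would otherwise hide) and one hardened (it refuses the methods with 405 and an Allow header). The probe cookie and both servers are constructed so the check runs offline; the names TraceEnabledHandler, HardenedHandler, start_server and check_methods are the example's own.

```python
"""Dangerous HTTP method check against a misconfigured and a hardened local
server.  Added example (not Synclature's code); everything is constructed."""
import http.client
import http.server
import threading

PROBE_COOKIE = "session=constructed-test-value"  # constructed; does TRACE echo it?
DANGEROUS_METHODS = ("TRACE", "PUT", "DELETE")


class QuietHandler(http.server.BaseHTTPRequestHandler):
    def log_message(self, fmt, *args):  # keep the run quiet
        pass

    def do_GET(self):
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class TraceEnabledHandler(QuietHandler):
    """Misconfigured server: TRACE reflects the request line and headers,
    cookies included.  PUT/DELETE are left undefined, so the base class
    answers them with 501 Unsupported method."""
    def do_TRACE(self):
        body = self.requestline.encode() + b"\r\n" + self.headers.as_bytes()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class HardenedHandler(QuietHandler):
    """Refuses the methods explicitly and advertises what is allowed."""
    def _refuse(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD")
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_TRACE = do_PUT = do_DELETE = _refuse


def start_server(handler) -> int:
    """Serve on an ephemeral loopback port in a daemon thread; return the port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def check_methods(host: str, port: int, path: str = "/", timeout: float = 3.0) -> dict:
    """Try each dangerous method; a 2xx means the server honoured it.
    For TRACE, keep the echoed body so the finding carries evidence and
    record whether our cookie came back (the cross-site tracing risk)."""
    findings = {}
    for method in DANGEROUS_METHODS:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path, headers={"Cookie": PROBE_COOKIE})
            resp = conn.getresponse()
            body = resp.read()
        finally:
            conn.close()
        finding = {"status": resp.status, "enabled": 200 <= resp.status < 300}
        if method == "TRACE" and finding["enabled"]:
            finding["echo"] = body
            finding["cookie_reflected"] = PROBE_COOKIE.encode() in body
        findings[method] = finding
    return findings


if __name__ == "__main__":
    for label, handler in (("misconfigured", TraceEnabledHandler), ("hardened", HardenedHandler)):
        port = start_server(handler)
        for method, f in check_methods("127.0.0.1", port).items():
            print(f"{label:14s} {method:6s} {f['status']}  {'ENABLED' if f['enabled'] else 'refused'}")
```

Against a real target the same probe is sent to each host and virtual host in scope; a 2xx for PUT or DELETE is a finding on its own, while for TRACE the echoed cookie is the evidence that belongs in the report.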
TOOLS
Information Gathering
● Bile-Suite
● Cisco torch
● SpiderFoot
● W3af
● Maltego
● In-House sdFinder

Application Security Assessment
● AppCheck
● Tenable / Qualys
● Burp Suite
● Sandcat
● Greenbone
● W3af
● Nikto
● Paros
● OWASP ZAP
● SonarQube
● OWASP CLASP

Network & System Vulnerability Assessment
● Metasploit
● Nessus
● SAINT
● Inguma
● SARA
● Nipper
● GFI
● Safety-Lab
● Firecat
● Themis

Privilege Escalation
● Cain & Abel
● OphCrack
● Fgdump
● Nipper
● Medusa
● Hydra
● Ncrack

Port Scanning
● Nmap
● Amap
● hPing

Social Engineering
● Social-Engineering Toolkit (SET)
● Firecat
● People Search
● Hoxhunt

Exploitation
● Saint
● SQL Ninja
● SQL Map
● Inguma
● Metasploit

Commercial Tools
● Rapid7
● Qualys
● Tenable Nessus
● F-secure Radar
● Fortify WebInspect
● Fortify SCA
IT RISK ASSESSMENT | VISO
IT RISK ASSESSMENT
● Action Plan - short term and long term, to achieve compliance and business objectives
● Technical Security Evaluation - analyzes the security architecture in the context of security policies and control objectives to uncover vulnerabilities
● Threat Management Assessment - examines threat identification, investigation and incident response processes
● Disaster Recovery & Business Continuity Planning - ensures that plans for returning systems to operational standards are in place
● Security Policy Audit - evaluates security policies against availability, business continuity and compliance requirements; it also establishes key risk factors and security metrics
VISO - CONTINUAL SECURITY IMPROVEMENT
● Strategic and operational consulting on security, available on demand.
● A Virtual Information Security Officer (VISO) requires no training, can hit the ground running, and is under no obligation to play along with office politics.
● Purely result oriented: the VISO provides reasonable KPIs and reporting.
● VISOs offer different skill sets; most can cover a myriad of tasks, from the tactical to the strategic.
● Coaching newly appointed CISOs, or managing the board relationship while the full-time CISO “keeps the lights on”.
● Best fit for SMEs, for supplementing the existing management team or simply as an interim solution. Some benefits of the VISO model are:
○ The client stays focused on its core business.
○ Costs are managed without losing quality: estimated at 30-40% of the cost of a full-time CISO.
○ Improved information protection.
○ Pick and choose from a list of tasks to be carried out during the consulting tenure.
○ Charged per selected service, so budget can be allocated rationally.
HIGHLIGHTS
● Broad alignment with security testing standards and guidelines (OSSTMM, OWASP, WASC)
● Full use of automated commercial, proprietary and other industry-leading tools
● Extensive manual testing for deeper analyses and greater visibility
● Controlled environment testing, without compromising on routine business activities
● Reassessment, to ensure discovered vulnerabilities are remediated.
● Action plan - short and long term to achieve compliance and business objectives
● Technical security evaluation - Analysis of the security architecture in the context of security policies and control
objectives to uncover vulnerabilities
● Threat management - Threat identification, investigation and incident response cycle
Customer Benefits:
● Comprehensive threat visibility
● Identify security issues
● Optimized security management
● Security specialists (VISO) - Extension of in-house IT security team
THANK YOU
Synclature Consultancy Pvt. Ltd. (CIN: U74999MH2016PTC282067)
C-1003, One BKC, G Block, Bandra Kurla Complex, Mumbai, MH 400 051.
Synclature Solutions LLP (LLPIN: AAB-3628)
Rise, 1902B, Peninsula Business Park, G. K. Marg, Lower Parel, Mumbai, MH 400 013.
[email protected] | +91-22-6236-4402