Securities and Vulnerabilities Testing

The document outlines the CSCM28 course on Security Vulnerabilities and Penetration Testing, focusing on methodologies, core phases, tools, and legal issues related to penetration testing. It emphasizes the importance of reconnaissance, including footprinting and the distinction between active and passive reconnaissance. Additionally, it provides an overview of assessment methods and popular toolkits used in penetration testing.

CSCM28 – Security Vulnerabilities and Penetration Testing

Week 1 - Reconnaissance

Jens Blanck

Jens Blanck CSCM28 Pen Testing 1 / 25


Course Overview

Explore the role of penetration testing in system analysis, which will include exploring:

- Methodologies for Penetration Testing
- Core Phases and Techniques
- Supporting Tools
- Common Security Vulnerabilities
- Legal Issues

Teaching and Assessment

Teaching:
- 10 lectures
- 20 lab hours

Assessment:
- Weekly Assignments 30%
- Coursework 20%
- Exam 50%

The continuous assessment will be challenging in places.



Contact

Jens Blanck

CoFo Room 333

[email protected]



Overview of Penetration Testing

Phases of Penetration Testing

6 Key Phases:
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Covering Tracks
6. Report

Often repeated over and over.


Overview of Penetration Testing

Testing, not Hacking

Penetration testing is a testing methodology designed to assess the security of a system.

Whereas hacking (even ethical) is much wider.

Before penetration testing starts, companies should:

- Define boundaries of engagement
- Define report formats
- Consider contracts carefully

Rule: We will only run the tests covered in lectures on systems provided by the lecturer.


Overview of Penetration Testing

Popular Toolkits

Kali Linux: Open source Linux distro with a lot of useful software.

Metasploit: Pen-testing framework, basically a collection of exploits.

Burpsuite: Web application vulnerability scanner.

Aircrack: Wifi network tools for monitoring/replaying packets.



Reconnaissance

Reconnaissance

A fancy name for looking around.



Reconnaissance

Footprinting

Aim: Document naturally disclosed information.

Examples:
- Organizational websites (public/private)
- IP addresses / DNS schemes / Whois
- Access Points (Shoulder surfing? Eavesdropping)
- Patents

Usage: Use in social engineering, spear phishing attacks, …


Reconnaissance

The theoretical picture

[Figure: the Pentester sits outside the Firewall, the Target behind it.]

Externally (easy):
- Whois/DNS
- Social networks
- Job sites
- URL analysis
- Patents
- Customers
- …

Internally (hard):
- Internal DNS
- Intranet
- Shoulder surfing
- Eavesdropping



Reconnaissance

Active vs Passive

Active reconnaissance
Active reconnaissance is where we engage with the targeted system to gather information
about vulnerabilities.

Passive reconnaissance
Passive reconnaissance is an attempt to gain information about target computers and
networks without actively engaging with the systems.

Exercise: Classify the approaches on the previous slide.


Reconnaissance

The Practice

There are a number of tools that can help with footprinting.

From generic: Telephone, Email, Websites, …

To specific: Network infrastructure, intranets, DNS information, …



Reconnaissance Tools and Techniques

Ping

First few lines of man page:

    PING(8)                        iputils                        PING(8)

    NAME
           ping - send ICMP ECHO_REQUEST to network hosts

The exchange:

    Pentester -> Target: "Hey dude, you there?"   (ICMP echo request)
    Target -> Pentester: "Hey dudess, I am"       (ICMP echo response)

Useful options:
    -c  Count of pings to send
    -f  Flood (dangerous)



Reconnaissance Tools and Techniques

Traceroute

traceroute - print the route packets trace to network host

[Figure: probes sent with TTL 1, TTL 2, TTL 3 (Time to live); each successive router answers "TTL exceeded".]

Allows us to see:
- The entire path that a packet travels.
- Names and identity of routers and devices along the path.
- Network latency, or more specifically the time taken to send and receive data to each device on the path.
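
The TTL walk above as a small simulation, added here and not part of the slides: every router decrements the TTL, the one that drives it to zero answers "TTL exceeded", and traceroute repeats with TTL 1, 2, 3, ... until the target itself replies. The path, the per-hop delays and the silent hop (a firewall that drops expired probes, which is why real traces show "*") are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Hop:
    name: str
    addr: str
    delay_ms: float       # one-way delay added by this hop (constructed)
    silent: bool = False  # True: drops expired probes without answering


# Constructed path from the pentester to the target (documentation address ranges).
PATH = [
    Hop("gateway", "192.0.2.1", 1.0),
    Hop("isp-edge", "198.51.100.7", 5.0, silent=True),   # firewall-like: no ICMP back
    Hop("core", "203.0.113.9", 12.0),
]
TARGET = Hop("target", "203.0.113.50", 20.0)


def forward(path: List[Hop], target: Hop, ttl: int) -> Tuple[Optional[Hop], str, Optional[float]]:
    """Model IP forwarding for one probe. Each router decrements the TTL; the
    one that takes it to zero discards the probe and sends 'TTL exceeded'
    (ICMP Time Exceeded). A probe that survives the whole path reaches the
    target, which answers with an echo reply.
    Returns (responder, kind, round_trip_ms)."""
    elapsed = 0.0
    for hop in path:
        elapsed += hop.delay_ms
        ttl -= 1
        if ttl == 0:
            if hop.silent:
                return None, "timeout", None        # traceroute prints "*"
            return hop, "ttl_exceeded", 2 * elapsed
    elapsed += target.delay_ms
    return target, "echo_reply", 2 * elapsed


def traceroute(path: List[Hop], target: Hop, max_hops: int = 30) -> list:
    """Send probes with TTL 1, 2, 3, ... and record who answered each one,
    stopping when the target itself replies."""
    hops = []
    for ttl in range(1, max_hops + 1):
        responder, kind, rtt = forward(path, target, ttl)
        hops.append((ttl, responder.addr if responder else "*", kind, rtt))
        if kind == "echo_reply":
            break
    return hops


if __name__ == "__main__":
    for ttl, addr, kind, rtt in traceroute(PATH, TARGET):
        rtt_text = "*" if rtt is None else f"{rtt:.1f} ms"
        print(f"{ttl:2d}  {addr:16}  {rtt_text:10}  {kind}")
```
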



Reconnaissance Tools and Techniques

NS Lookup

nslookup - query Internet name servers interactively

Simple operation: Queries DNS records to give details on hostname/ip address.

Useful options:
    -querytype=MX   Look up MX records (mail servers).
    server-ip       As second argument, change the DNS server to server-ip.



Reconnaissance Tools and Techniques

Googling

Many basic operators:

    Operator        Effect                                            Example
    "search term"   Force an exact match.                             "steve jobs"
    OR / |          Return results related to X or Y, or both.        jobs OR gates
    AND / &         Return only results related to both X and Y.[1]   jobs AND gates
    -               Exclude a term or phrase.                         jobs -apple
    *               Match any word or phrase.                         steve * apple
    ()              Group operators.                                  (ipad OR iphone) apple

[1] It doesn't really make much difference for regular searches, as Google defaults to "AND" anyway. But it's very useful when paired with other operators.
Reconnaissance Tools and Techniques

Google Hacking

Get to know Google’s advanced operators:

operator:search-term
(no spaces)

Examples:

    inurl:passlist.txt
    intitle:"Index of" config.php
    filetype:bak inurl:"htaccess|passwd|shadow|htusers"



Reconnaissance Tools and Techniques

Google Operators



Reconnaissance Tools and Techniques

Some Examples

Note that operators overlap.


Reconnaissance Tools and Techniques

Leaving Traces (TCP Dump)

When we access web pages, we inherently leave traces on the server.

Can we avoid this?


Reconnaissance Tools and Techniques

Anonymous Googling

A lot of people believe using cached pages from Google avoids this.

But this will still access the server. Why?


Reconnaissance Tools and Techniques

Text-only Anonymous Googling

Images and other resources are not completely cached by Google.

Selecting the 'Text-only' version should stop any requests to the destination server.

Shortcut: append ‘&strip=1’
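
Why a cached page still reaches the destination server, as an added example (my own code, not from the slides): the HTML comes from the cache host, but the browser still fetches every image, script and stylesheet the page references from the original site, and each of those requests lands in that server's logs. The cache URL, origin host and page content are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample of a cached copy: served from a cache host, but the page
# still refers to images, scripts and stylesheets on the original site.
CACHE_URL = "https://cache.example.net/view?q=cache:www.example.org/"   # hypothetical
ORIGIN_HOST = "www.example.org"
CACHED_HTML = """<html><head>
<base href="https://www.example.org/">
<link rel="stylesheet" href="css/site.css">
<script src="https://cdn.example.net/lib.js"></script>
</head><body>
<img src="/images/logo.png" alt="logo">
<img src="https://www.example.org/images/banner.png" alt="banner">
<a href="https://www.example.org/contact">Contact</a>
</body></html>"""


class ResourceCollector(HTMLParser):
    """Collect the URLs a browser fetches automatically while rendering
    (not <a> links, which are only followed on a click)."""
    AUTO_FETCH = {"img": "src", "script": "src", "link": "href", "iframe": "src"}

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # <base> changes how relative URLs resolve for the rest of the page
            self.base_url = urljoin(self.base_url, attrs["href"])
            return
        attr = self.AUTO_FETCH.get(tag)
        if attr and attrs.get(attr):
            self.urls.append(urljoin(self.base_url, attrs[attr]))


def origin_fetches(html: str, page_url: str, origin_host: str) -> list:
    """URLs the browser would request from the original server even though
    the HTML itself came from the cache: each one ends up in that server's logs."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    collector.close()
    return sorted({u for u in collector.urls if urlsplit(u).hostname == origin_host})


if __name__ == "__main__":
    for url in origin_fetches(CACHED_HTML, CACHE_URL, ORIGIN_HOST):
        print("would hit the origin server:", url)
```
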


Reconnaissance Tools and Techniques

So what next?

Automation! We can automate searches and data collection.

We will use Lynx[2].

    lynx -dump https://www.google.com/[email protected] > test.html

What does this do?

And if I add &num=100?

Next grep!

    grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" test.html

Result: a list of gmail addresses scraped from Swansea University web pages. A great way to check what your own site leaks before locking it down.

[2] A text-based browser

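
The grep step as an added example (my own code, not the slides'): the regex as printed on the slide lost its backslashes, so the literal 'b' and the unescaped '.' match nothing useful; the corrected pattern finds the addresses and groups them by domain, which is the check a site owner would run on their own published pages. The dump text is constructed, not real scraped data.

```python
import re
from collections import Counter

# The pattern as it appears on the slide: extraction dropped the backslashes,
# so 'b' is a literal letter and '.' matches any character.
BROKEN = re.compile(r"b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+.[A-Za-z]{2,6}b")
# Intended pattern: \b word boundaries and a literal dot before the TLD.
FIXED = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b")

# Constructed stand-in for the `lynx -dump ... > test.html` output; not real data.
SAMPLE_DUMP = """Staff directory (constructed sample)
  Alice Smith - alice.smith@cs.example.ac.uk
  Bob Jones - bob.jones@gmail.com
  Carol - carol_w@gmail.com, or carol@example.org
  Not an address: foo@bar
  Sales at sales@example.org.
"""


def find_addresses(text: str, pattern: re.Pattern = FIXED) -> list:
    """Unique addresses matched by the pattern, like `grep -E -o | sort -u`."""
    return sorted(set(pattern.findall(text)))


def by_domain(addresses: list) -> dict:
    """Count addresses per mail domain, so a site owner can see at a glance
    which addresses (e.g. personal gmail ones) their pages publish."""
    return dict(Counter(addr.rsplit("@", 1)[1].lower() for addr in addresses))


if __name__ == "__main__":
    print("slide regex as printed:", find_addresses(SAMPLE_DUMP, BROKEN))
    found = find_addresses(SAMPLE_DUMP)
    print("corrected regex:       ", found)
    print("per domain:            ", by_domain(found))
```
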
Reconnaissance Tools and Techniques

Summary

The phases of Pen-testing

Phase 1: Reconnaissance
Techniques for footprinting:
- Ping / Traceroute / NS Lookup
- Google hacking

Lab: Exploring the above + tools that help.

Next week: Scanning
