Protocol and Security Audit Penetration Testing

This document describes the protocols for conducting a security audit, including penetration testing. It explains the different types of tests, the operating systems used such as Kali Linux, as well as the steps for preparing and conducting an intrusion test.

MODULE: Security Audit Protocols

Part 1: Penetration Test
Part 2
Part 3: Audit

PART 1: PENETRATION TEST
I- Prepare your intrusion test
I-1- Generalities
. Penetration test, intrusion test, pentest
A penetration test (also called an intrusion test or pentest) is a method that consists of analyzing a target by putting oneself in the shoes of an attacker. This target may be:
- an IP;
- an application;
- a web server;
- or a complete network.
In this course, you will practice on a web server.

. Vulnerability scan
The vulnerability scan is a component of penetration testing, that is to say, a sub-part of it. More precisely, it is a scan (as its name indicates) of the target that enumerates vulnerabilities, without trying to qualify them or verify whether they are exploitable.
. Link between pentesting and auditing
The penetration test can be considered the more technical and practical aspect of a security audit process. It will reveal, for example, an application that is not up to date, or a port opened by mistake in the firewall.
. Objective of the penetration test
The objectives are clear:
- identify the vulnerabilities of the information system (IS) or of the application;
- evaluate the level of risk of each identified vulnerability;
- propose corrective measures in a prioritized manner.
Thanks to the penetration test, we can qualify:
- the severity of the vulnerability;
- the complexity of the correction;
- and the order of priority that should be given to the corrections.
. When to conduct the penetration test?
In order to secure the infrastructure or the application, penetration tests can be conducted at different moments:
- during the project design, in order to anticipate potential attacks;
- during the usage phase, at regular intervals;
- following a cyberattack, so that it does not happen again.
The conduct of a penetration test is initiated by the company that wants to test itself.
The penetration test can be done from the outside (external penetration test). This intrusion test can be carried out from any Internet connection.

The penetration test can also be done from inside the infrastructure (internal penetration test). In this case, the test is conducted on the LAN (the company's internal network).

. Who does it?

The penetration test is conducted by a cybersecurity expert, also called an intrusion tester or pentester.

To become a pentester, one must have a strong mastery of systems and networks, as the world of security is transversal. It is necessary to know the different equipment and technologies on the market in order to understand and exploit the vulnerabilities present within them.
It is a highly sought-after profile by companies, but these professionals generally have at least 5 to 10 years of experience.

I-2- The different types of pentest

There are two types of penetration testing: internal testing and external testing.

. External
In this type of intrusion test, the attacker (the pentester, in our case) is placed on the Internet, that is, in the situation of a hacker attempting to penetrate the company from the outside. The public IP address of the pentester's Internet connection and the public IP address of the company's Internet connection are used in this scenario.

. Internal
Conversely, in this case, the pentester is on the internal network of the company, in the situation of an internal malicious person.

For example, this could be a provider who has physical access to the company's offices, such as a telecom technician, an electrician, etc. It is also the case of a malicious employee, for example for industrial espionage or out of vengeance. The employee may also be unaware of the risks, and click on an infected attachment or share credentials. Finally, one can also imagine a hacker who is able to physically infiltrate the company and end up in one of these scenarios.
There are therefore two types of tests that we carry out, internal and external, because these are two types of scenarios that occur in the real life of businesses.

I-3- Conducting a penetration test

Depending on the level of knowledge the pentester has about the target, three different qualifiers are used to describe penetration tests:
- the black box;
- the grey box;
- the white box.
Let's look at this in detail.

I-3-1- Black box

In this case, the pentester has no information about the target network at the start of the test, and does not know any username or password.

The first step is to search for information on:
- the company,
- the employees,
- the geographical situation,
- general information,
- the Internet service provider,
- and any other data, in order to gather as much information as could help find vulnerabilities.
We are here in the scenario of a hacker who wishes to infiltrate a company that he does not know.
I-3-2- Gray box
The tester has a limited amount of information. In general, during gray box intrusion tests, the tester only has a username/password pair that the target company provided before the start of the test phase. This allows the authentication step to be bypassed, and the test to go deeper inside the application or system.
The objective of this type of test is to put oneself in the shoes of an "average user" of the target company.

I-3-3- White box

Finally, under this condition, the pentester may possess a great deal of information. Among it, the most common items are:
- the architectural diagrams,
- a user account for authentication,
- the source code of the application,
- etc.
In this case, the pentester will look for vulnerabilities as exhaustively as possible. In this scenario, the research is very thorough and comprehensive.
The objective of this type of test is to put oneself in the shoes of a "system and network administrator" of the target company.

I-4- Choice of the test

The choice of the penetration test to be conducted is very important, as it must be determined based on what the client wants to test. Depending on the strategy adopted, the results are different. It is therefore necessary to clearly identify what the target company wants to protect and from what type of attack it wants to defend itself. From there, the best type of test and the best knowledge conditions for the pentester must be determined before the beginning of the test.

. A few examples

You are the CISO of the company SECURITYFIRST. You are concerned that an online hacker might steal the data you host. In this case, you should prefer an external black box test, because it is the scenario closest to the threat against which you want to protect yourself.

You are the CISO of a company that is going through a period of social crisis, with strikes and layoffs. You are wondering about the consequences that a malicious collaborator could have. The wisest choice will be an internal gray box intrusion test. The pentester will then have a login and password to log in to the system as a standard user, and you will be able to identify the internal vulnerabilities in this scenario.

II- Adapted operating systems

II-1- Kali Linux
Kali Linux is a distribution that brings together all the tools necessary for testing the security of an information system. This distribution succeeded BackTrack.

Kali is available in several versions:
- 32 or 64 bits;
- Live CD;
- VirtualBox and VMware images;
- versions for ARM processors (usable on hardware like the Raspberry Pi).
All versions are available for free download on the official site (www.kali.org).

This distribution includes over 600 pre-installed programs such as:
- Nmap: the most famous free port scanner, distributed by Insecure.org. It is designed to detect open ports, identify hosted services, and obtain information about the operating system of a remote computer.
- Wireshark: free and open-source packet analyzer. It is used in troubleshooting and the analysis of computer networks.
- Metasploit: open-source program that provides information on computer system vulnerabilities and exploits them.
- Burp Suite: application used for securing or penetration testing web applications.
This is really the main toolbox of a pentester. We will actually linger longer on this operating system a little further into the course.

II-2- Windows
The Microsoft Windows 7, 8, or 10 operating system can also be used. In the vast majority of cases, an equivalent version of the Kali Linux tools is available for Windows. This is obviously the case for the most well-known among them:
- Nmap
- PuTTY
- Metasploit Framework
- Burp Suite
- OWASP Zed Attack Proxy
- Nessus
- John the Ripper
II-3- Android
Mobile platform tools are sometimes very handy when you need to test in an itinerant manner. Very efficient and well-designed tools are available for use on Android:
- zANTI
- FaceNiff
- AndroRAT
- cSploit

In this lab, we will work with Kali Linux.

III- Configure your LAB environment

Now that we have identified the operating systems and the main tools to use for a penetration test, you will install and configure your training environment.

. Install Kali
We will install Kali Linux together. To do this, go to the official site at www.kali.org and download the version that corresponds to your hardware.

Once the ISO file is downloaded, launch the operating system.

Installing Kali Linux on a VirtualBox virtual machine is recommended, because otherwise running it in RAM only requires a lot of resources.

It may also be interesting to install the VirtualBox graphics drivers, to get all available resolutions, with the following command:

apt-get install virtualbox-guest-x11

At the first start-up, and then before each penetration test, I advise carrying out the following small manipulations:

Check for updates by typing the following 2 commands in a terminal:
apt-get update && apt-get upgrade
apt-get dist-upgrade
And finally, check that your Kali system is clean and free of any malware. To do this, type the following 2 commands in a terminal:
/usr/sbin/chkrootkit
rkhunter -c

. Install Nessus
Nessus is a vulnerability scanning tool that is easy to use while being very powerful. It is paid software for professionals, but it can be used for free for personal use.

In this free version, there are limitations, but they will not be bothersome for our course. It is also possible to use OpenVAS, the free-software equivalent of Nessus, but it is a little less user-friendly, so we will cover Nessus in this course.

To do this, go to the official Nessus site: www.tenable.com

Download the version suitable for your Kali distribution. Then, for the installation, type the following command line in a terminal:
dpkg -i Nessus-*.deb
Then, for Nessus to start, enter the following command in a terminal:
/etc/init.d/nessusd start
Finally, for the Nessus service to start automatically at every boot of Kali, enter the command below in a terminal:
update-rc.d nessusd enable

. Install Metasploit
The Metasploit framework is a very powerful vulnerability exploitation tool. It is used entirely through the command line. It has an enormous database of the vulnerabilities known to date.
In our example, update the Metasploit framework and then launch its console by typing the following 2 commands in a terminal:
apt update; apt install metasploit-framework
msfconsole

It is advisable to update this database before each penetration test, to access the latest available vulnerabilities.
IV- Preparing a pentest

. Define the scope of the penetration test

As you have seen in the previous chapters, it is very important to determine the threat you want to protect yourself from: internal attacks or external attacks.

Then, based on that, a scope needs to be defined, which can be:
- A server: in the case of an online application, a web server, or an internal server of the company that hosts various services.
- A part of the network: for example, the DMZ part of the network, the development machines, or the production servers.
- The public IP of the company: in the case of a small company that only has one Internet connection, where the goal is to ensure that no one can penetrate from the outside.
- Multiple public IPs: in the case of a larger company that owns a range of public IPs with several hosted servers.
- The entire internal network: the complete LAN, in the case where the company wants to ensure that all its internal machines are secure.
For example, if you want to test an application used internally, all the servers hosting the application components (web server, database, etc.) will need to be included within the perimeter.

It is therefore necessary to discuss and determine this between the client and the pentester who will carry out the penetration test. As you understood, it is very important that the perimeter perfectly matches the expectations and the threat assessment.

. The authorizations, interlocutors, and documents

Before starting any penetration test, it is essential to have a written, signed agreement from the target that we will test.

The "penetration test authorization mandate" must be signed by the legal representative of the company or by the information systems manager. Below is an example request for a mandate:

I, the undersigned (first name, last name), as (position) of the company (name), hereby authorize the company ExpInfo, specialized in cybersecurity, to carry out a penetration test on our information system.

The mandate may also specify the date and time at which the penetration test will take place and, in the case of an external intrusion test, the public IP address from which the tests will be performed.

V- Are you aware of more complex attacks?

. Denial of service
DoS, for "Denial of Service", is an attack that aims to make a service unavailable. In other words, this attack prevents legitimate users from accessing an online resource. This attack can be launched on:
- a web server,
- a mail server,
- a database server,
- any other resource accessible online.
It is an attack that is very easy to set up. The principle is solely to saturate the target's connection so that it can no longer respond to requests from users. This attack can take several forms:
- the flooding of a network to prevent its operation,
- the disruption of connections between two machines, preventing access to a specific service,
- the obstruction of access to a service for a particular person,
- also the act of sending billions of bytes to an Internet box.
To launch this attack, you need to have a good connection, with a very good bandwidth compared to the target's bandwidth. As this is expensive and uncommon, hackers have invented the distributed denial of service attack, or DDoS, for Distributed Denial of Service.
A world map is available with a history of these attacks.

It is complicated to protect oneself against this type of attack. That is why several attacks of this type occur every second. Only the Internet service providers really have the possibility of spotting and warning about them. A tutorial on the LOIC tool for conducting a denial of service attack can be found at this link:
informatique.seb30.overblog.com/2014/11/ddos-attacks-loic.html
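From the defender's side, the first visible sign of a flooding attack is usually one source sending far more requests than any normal client. As an added example (not code from the original course), the following Python detector reads web-server access-log lines and keeps a sliding window of request timestamps per client IP, flagging any IP that exceeds a threshold inside the window. The log lines, the IP addresses (taken from documentation ranges), and the threshold of 50 requests in 10 seconds are all constructed for this demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-format line: client IP, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def parse_line(line):
    """Parse one access-log line into a dict, or return None when the line does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, stamp, request, status, _size = m.groups()
    return {
        "ip": ip,
        "time": datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"),
        "request": request,
        "status": int(status),
    }


def detect_floods(lines, window_seconds=10, threshold=50):
    """Return {ip: time_first_flagged} for every client that sends at least
    `threshold` requests inside any `window_seconds` span. Lines must be in time order."""
    recent = defaultdict(deque)          # ip -> timestamps still inside the window
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                     # skip malformed lines instead of stopping the detector
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while q and rec["time"] - q[0] > window:
            q.popleft()                  # drop timestamps that fell out of the window
        if len(q) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["time"]
    return flagged


def build_sample_log():
    """Constructed sample traffic (not real data): 192.0.2.10 sends 30 requests per
    second for 4 seconds, while 198.51.100.7 browses normally (one request every 5 s)."""
    base = datetime(2024, 3, 10, 12, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    entries = []
    for i in range(120):
        t = base + timedelta(seconds=i // 30)
        entries.append((t, f'192.0.2.10 - - [{t.strftime(fmt)}] "GET / HTTP/1.1" 200 512'))
    for i in range(5):
        t = base + timedelta(seconds=5 * i)
        entries.append((t, f'198.51.100.7 - - [{t.strftime(fmt)}] "GET /index.html HTTP/1.1" 200 2048'))
    entries.sort(key=lambda e: e[0])     # interleave by time, as a real log would be
    return [line for _, line in entries]


if __name__ == "__main__":
    for ip, when in detect_floods(build_sample_log()).items():
        print(f"possible flood from {ip}, threshold crossed at {when.isoformat()}")
```

The window and threshold are deliberately simple; in practice they are tuned per service, and a distributed attack (many sources each below the threshold) needs an aggregate view such as total requests per second rather than a per-IP count.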

. The Web attack

Web attacks are attacks targeting web servers. There are many techniques that allow the protections of a web server to be bypassed:
- the use of a known vulnerability;
- the use of the man-in-the-middle technique;
- forging HTTP packets;
- the manipulation of HTTP parameters;
- cross-site scripting, or XSS.
Let's take a detailed look at these in the following table:

Known flaw: These vulnerabilities can be found with a vulnerability scanner such as Nessus, and exploited with software like Metasploit.

MITM: The use of the man-in-the-middle technique. This attack involves positioning oneself in the middle of the communication between a client and a server to intercept and modify the packets exchanged between the two machines. The software "Burp Suite" allows this to be done.

Forging HTTP packets: This technique consists of manually writing HTTP requests, which are then sent to the server. These requests are non-standard, with malformations that can cause crashes on the web server. The Wfetch software integrated in Microsoft IIS allows you to do it.

HTTP parameters: Here, we can add or modify parameters in the HTTP paths that will be misinterpreted by the server and will allow it to be exploited. No software is necessary, as it can be done manually.

XSS: Cross-site scripting, or XSS. It is a type of security vulnerability in websites allowing content to be injected into a page, thus causing actions on the web browsers visiting the page. For example, on a vulnerable server, in an area where users can post a comment, if we add the string <script>alert("This Website has been hacked")</script>, on the next page display a script will execute in place of the comment.
There are indeed many other web attacks, but these are the 5 main techniques.

To protect yourself against web attacks, you must therefore regularly examine your web servers to test them. It is especially important to check the vulnerability of the content of pages and the versions of the applications that run on them.
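To make the XSS row of the table concrete, here is an added Python example (not part of the original course) that renders a user comment both the vulnerable way and the hardened way, reusing the comment string given above. The mitigation shown is output encoding with html.escape; the function names and the page fragment are assumptions made for the demonstration.

```python
import html


def render_comment_unsafe(comment):
    """The vulnerable pattern: user-supplied text is written into the page as-is, so any
    <script> tag inside it becomes part of the page and runs in every visitor's browser."""
    return f'<div class="comment">{comment}</div>'


def render_comment_safe(comment):
    """The hardened pattern: every character with HTML meaning (<, >, &, quotes) is
    replaced by its entity, so the browser displays the text instead of interpreting it."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def contains_script_tag(page):
    """Crude check a reviewer can run on rendered output: is there a live <script ...> tag?"""
    return "<script" in page.lower()


def audit_comments(comments, renderer):
    """Render each stored comment with the given renderer and report which ones would
    leave an executable script tag in the page."""
    return [c for c in comments if contains_script_tag(renderer(c))]


# Constructed comments for the demonstration; the first one is the string from the course text.
SAMPLE_COMMENTS = [
    '<script>alert("This Website has been hacked")</script>',
    "Great article, thanks!",
    "Prices are <b>5 & 10</b> euros",
]


if __name__ == "__main__":
    print("unsafe renderer leaves executable comments:", audit_comments(SAMPLE_COMMENTS, render_comment_unsafe))
    print("safe renderer leaves executable comments:  ", audit_comments(SAMPLE_COMMENTS, render_comment_safe))
    print(render_comment_safe(SAMPLE_COMMENTS[0]))
```

Escaping must happen at the point where the value is written into HTML (output encoding), not at input time, and the correct escaping depends on the context: inside an attribute or a JavaScript block the rules differ from plain element text, which is why template engines that auto-escape are preferred over hand-written f-strings like these.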

. SQL injection
In the same vein as before, SQL servers can be vulnerable to attacks. They can be attacked either directly or through the website for which they host a database. This attack is called SQL injection because the principle is to inject characters to exploit vulnerabilities.

In Kali Linux, there are a multitude of applications for performing SQL injection, such as BSQL. That said, the injection can perfectly well be done manually. When you have a field in a web form, if the SQL server behind it is not protected, and therefore accepts apostrophes, there is a good chance that an SQL injection may be possible.
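The apostrophe check described above can be shown on a tiny database. The following Python example is added here and is not from the original course: it builds an in-memory SQLite table with one constructed account, implements the same login query once with string concatenation (vulnerable) and once as a parameterized query (hardened), and probes each with a lone apostrophe. The table name, the account, and the function names are assumptions for the demonstration.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory database (not a real system) with one user account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    # The password is stored in clear text only to keep the demo short; a real
    # application stores a salted password hash instead.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery')")
    conn.commit()
    return conn


def login_unsafe(conn, username, password):
    """Vulnerable form: the user's input is pasted into the SQL text. An apostrophe in
    the input ends the string literal early and whatever follows is parsed as SQL."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Hardened form: a parameterized query. The driver passes the values separately
    from the statement, so an apostrophe is just a character inside the value."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def apostrophe_breaks_query(conn, login):
    """The quick manual check from the course: does a lone apostrophe in the field make
    the database raise a syntax error? True means the input reaches the SQL parser
    unescaped, the warning sign of an injectable field."""
    try:
        login(conn, "'", "x")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_demo_db()
    for name, fn in (("unsafe", login_unsafe), ("safe", login_safe)):
        print(f"{name}: apostrophe breaks query = {apostrophe_breaks_query(db, fn)}")
```

The fix is the same for every database driver: never build the statement text from user input; bind the values as parameters (or use an ORM that does so), and keep the database account used by the application limited to the tables and operations it actually needs.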

. Wireless networks
In the early 2000s, WiFi networks were not encrypted. Then the WEP standard arrived. This standard was for a long time the reference in securing WiFi networks. But vulnerabilities were discovered, allowing the encryption key to be recovered in less than 10 minutes. The WPA protocol then arrived, and now WPA2. These protocols are much more secure!

The tools at your disposal to test your wireless network are as follows:

InSSIDer on Windows, LinSSID on Linux, WiFi Analyzer on Android: These are applications that allow you to scan the nearby WiFi networks.

airodump-ng + airmon-ng: Two command-line tools, pre-installed in Kali. Their goal is to inject traffic onto an unknown WiFi network, in order to obtain sufficient packets to guess the key.

Wireshark: Multi-platform tool for listening to and recording all the traffic of a connection, even without connecting to the WiFi network.

Cain and Abel, or aircrack-ng: Two tools, available on Windows and Kali, for cracking a WEP, WPA, or WPA2 key.

To protect yourself against WiFi attacks, use these tools to test your network. You must also absolutely use the latest available WiFi encryption protocols. Today, it is clearly WPA2 that will protect you best. You also need to use a long password, with numbers, uppercase, lowercase, and special characters. The character sequences you use must not be in the dictionary. Otherwise, your WiFi connection will be vulnerable to dictionary attacks.
. Social engineering
Social engineering attacks exploit the human flaw. This practice aims to obtain confidential information through mental manipulation. The hacker uses the gullibility of a user in order to obtain sensitive information such as their username or their password.

For example, every time you receive an email asking you to click on a link to connect to your bank's site: beware! Banks do not usually include a link in their emails. It is therefore very likely that this is a copy imitating the real bank site, hosted on a hacker's server. After you enter your username and password, an error message will appear, and the hacker will then be in possession of your credentials.

To do this, there are several techniques:
- The non-computer method: the hacker can, for example, call a user, present himself physically in front of him, or even pass himself off as a legitimate person like IT support. A credulous user can give his password upon simple request, open doors, show people around, etc.
- Phishing: this technique remains the most common, with the sending of an email which is spam. This email is an imitation of an official letter, such as from the tax office, the bank, or even the post office. The hacker uses a credible reason for the user to click on the link and enter their credentials. The user believes they are on the official site while they are actually on a copy of the site owned by the hacker. Tools like the "Social Engineering Toolkit" are available in Kali to create these cloned sites.
The best prevention against this type of attack is far and away awareness. The company and its collaborators are like a chain, which is only as strong as its weakest link. That's why it is very important that all collaborators who have access to the information system are at a minimum aware.

. Bypass a firewall, an IDS, and an IPS

Let's return now a little more to the technique. Two hardware devices are essential for ensuring the security of a network: the firewall and the IDS.

A firewall is a network boundary device that allows traffic to be filtered by permitting or blocking packets.
An IDS, Intrusion Detection System, is a system that analyzes traffic in real time in order to raise alerts when hacking or the spreading of malware is detected.
An IPS, Intrusion Prevention System, detects like an IDS, but can also block traffic that would be considered malicious.
These 3 pieces of equipment are formidable for hackers. It is therefore difficult, but essential, for them to know how to circumvent them in order to infiltrate a secure network.

To do this, tools are available in Kali:
- Nmap and hping3 are tools that allow you to manage fragmentation. This allows an attack to be sent in small fragmented pieces, without the detection equipment identifying the malicious action.
- HTTHost (server side) and HTTPort (client side) form a very practical tool for establishing a tunnel on port 80. This allows malicious traffic to pass through this tunnel without being detected by security equipment.
- DNS2TCP is also an interesting tool that allows you to establish a tunnel over DNS port 53. This type of traffic is often not analyzed because it is considered, wrongly, as trivial.
- And of course the most famous of all, Metasploit, which obviously allows a vulnerability to be exploited in order to obtain and maintain remote access to a machine inside the target network.
The penetration test is therefore very important to determine whether your infrastructure is vulnerable and whether your security equipment can be bypassed. It is very important that all machines in a network infrastructure are secured, because a single poorly secured machine can allow a hacker to break in. To maintain a good level of security on a network infrastructure, one must obviously have a firewall, an IPS and an IDS. To reduce the risks of bypassing, they all need to be up to date and properly secured.
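Since the course notes that port 53 traffic is often left unanalyzed, here is an added Python example (not part of the original course) of what a defender can look for in a DNS query log when tunnelling over DNS, as with the tools listed above, is a concern: unusually long or high-entropy labels, bulk-capable record types, and many distinct names under one domain from a single client. The log layout, the client addresses, and the thresholds are constructed assumptions, and the sample lines are generated inside the block rather than captured from a real network.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text):
    """Bits of entropy per character; encoded or encrypted payload labels score high,
    ordinary host names score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_line(line):
    """Constructed log layout: '<ISO time> <client IP> <query name> <query type>'."""
    parts = line.split()
    if len(parts) != 4:
        return None
    stamp, client, qname, qtype = parts
    return {"time": stamp, "client": client,
            "qname": qname.rstrip(".").lower(), "qtype": qtype.upper()}


def registered_domain(qname):
    """Last two labels; good enough for this demo (a real tool would use the public suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def query_reasons(rec, max_label_len=40, max_name_len=100, min_entropy=3.0):
    """Return the heuristics one query trips; an empty list means it looks normal."""
    labels = rec["qname"].split(".")
    longest = max(labels, key=len)
    reasons = []
    if len(longest) > max_label_len:
        reasons.append("label longer than %d" % max_label_len)
    if len(rec["qname"]) > max_name_len:
        reasons.append("name longer than %d" % max_name_len)
    if len(longest) >= 16 and shannon_entropy(longest) > min_entropy:
        reasons.append("high-entropy label")
    if rec["qtype"] in ("TXT", "NULL") and reasons:
        reasons.append("bulk-capable record type")   # only meaningful together with another sign
    return reasons


def analyze(lines, max_unique_names=20):
    """Two views: per-query hits, and (client, domain) pairs that asked for an unusual number
    of distinct names under one domain, the signature of data chunked into subdomains."""
    hits = []
    names = defaultdict(set)
    for line in lines:
        rec = parse_dns_line(line)
        if rec is None:
            continue
        reasons = query_reasons(rec)
        if reasons:
            hits.append((rec["client"], rec["qname"], reasons))
        names[(rec["client"], registered_domain(rec["qname"]))].add(rec["qname"])
    noisy = {key: len(v) for key, v in names.items() if len(v) > max_unique_names}
    return hits, noisy


def build_sample_dns_log():
    """Constructed sample (not captured traffic): 10.0.0.7 resolves a few ordinary names,
    10.0.0.5 sends 30 TXT queries whose first label is a 48-character hex chunk."""
    lines = []
    hosts = ["www.example.com", "mail.example.com", "www.example.com",
             "cdn.example.net", "ntp.example.com"]
    for i, host in enumerate(hosts):
        lines.append(f"2024-03-10T12:00:{i:02d}Z 10.0.0.7 {host} A")
    for i in range(30):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
        lines.append(f"2024-03-10T12:01:{i:02d}Z 10.0.0.5 {chunk}.t.example.org TXT")
    return lines


if __name__ == "__main__":
    hits, noisy = analyze(build_sample_dns_log())
    for client, qname, reasons in hits[:3]:
        print(client, qname, reasons)
    print("noisy (client, domain) pairs:", noisy)
```

These heuristics produce false positives on legitimate services that encode data in DNS names (some CDNs, anti-spam lookups), so they are a starting point for an analyst rather than an automatic block rule; the point is that port 53 deserves the same logging and review as port 80.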

. Honeypots
Honeypots (in French, "pots de miel") are systems that you can install at the entrance of a network. Their purpose is to simulate machines on a computer network that are actually just a decoy. The goal is to divert the hacker so that he spends time trying to attack these machines rather than targeting the real network of the company.

Two examples:
- KFSensor: a really easy-to-use honeypot that installs in a few clicks on Windows.
- Snort: the most used honeypot, which is very comprehensive and very efficient, but more complex to configure.
These tools also have the advantage of recording every action taken by the hacker on the system. This allows for a better understanding of the methods and techniques used to gain access to the network, and thus to protect oneself from them.
However, there are tools to detect these honeypots. Therefore, you need to ensure that your honeypot is not detectable with a tool like "Send-Safe Honeypot Hunter". Otherwise, a hacker targeting your infrastructure is not going to linger on it and will focus on your real network infrastructure.
If you want to go further and practice specifically on the types of attacks you have just seen in this chapter, feel free to go to the famous hacking training platform Root-Me at the following link: www.root-me.org

You will then be able to create an account and practice on the hacking challenges proposed.