PENETRATION TESTING
THROUGH HACKING
PREPARED BY
PRITIKA GUPTA & SAROSH ABDULLAH
OBJECTIVE
From a business perspective, penetration testing helps
safeguard your organization against failure, through:
• Preventing financial loss through fraud (hackers, extortionists and
disgruntled employees) or through lost revenue due to unreliable
business systems and processes.
• Proving due diligence and compliance to your industry regulators,
customers and shareholders. Non-compliance can result in your
organization losing business, receiving heavy fines, gathering bad PR
or ultimately failing. At a personal level it can also mean the loss of
your job, prosecution and sometimes even imprisonment.
• Protecting your brand by avoiding loss of consumer confidence and
business reputation.
From an operational perspective, penetration testing helps shape
information security strategy through:
• Identifying vulnerabilities and quantifying their impact and likelihood
so that they can be managed proactively; budget can be allocated and
corrective measures implemented.
SYNOPSIS
Penetration testing is the practice of a trusted third party attempting to compromise the
computer network of an organization for the purpose of assessing the level and scope of its
security. The need for penetration testing is warranted by the following factors:
• Proliferation of viruses and Trojans
• Wireless security
• Complexity of today's networks
• Frequency of software updates
• Ease of use of hacking tools
• The nature of open source
• Reliance on the Internet
• Unmonitored mobile users and telecommuters
• Marketing demands
• Exercise caution when choosing a penetration testing vendor, because the results of the tests could
be damaging to your company if they fall into the wrong hands. Choose an experienced and ethical
firm that uses a methodical and multifaceted approach to testing.
• After you choose a penetration testing vendor, agree on rules of engagement, nondisclosure
agreements, and procedures for exchange and destruction of sensitive reports.
METHODOLOGY
Defining the scope
• The scope should be clearly defined, not only in the context of the components to be (or not to be) assessed and the constraints
under which testing should be conducted, but also the business and technical objectives. For example penetration testing may
be focused purely on a single application on a single server, or may be more far reaching; including all hosts attached to a
particular network.
Choosing a security partner
• Another critical step to ensure that your project is a success is in choosing which supplier to use.
• As an absolute fundamental when choosing a security partner, first eliminate the supplier who provided the systems that will
be tested. To use them will create a conflict of interest (will they really tell you that they deployed the systems insecurely, or
quietly ignore some issues).
• Detailed below are some questions that you might want to ask your potential security partner:
• Is security assessment their core business?
• How long have they been providing security assessment services?
• Do they offer a range of services that can be tailored to your specific needs?
• Are they vendor independent (do they have NDAs with vendors that prevent them passing
information to you)?
• Do they perform their own research, or are they dependent on out-of-date information that is
placed in the public domain by others?
• What are their consultants' credentials?
• How experienced is the proposed testing team (how long have they been testing, and what is
their background and age)?
• Do they hold professional certifications, such as PCI QSA, CISSP, CISA, and CHECK?
• Are they recognized contributors within the security industry (white papers, advisories, public
speakers etc)?
• Are the CVs available for the team that will be working on your project?
• How would the supplier approach the project?
• Do they have a standardized methodology that meets and exceeds the common ones, such as
OSSTMM, CHECK and OWASP?
• Can you get access to a sample report to assess the output (is it something you could give to your
executives; do they communicate the business issues in a non-technical manner)?
• What is their policy on confidentiality?
• Do they outsource or use contractors?
• Are references available from satisfied customers in the same industry sector?
• Is there a legal agreement that will protect you from negligence on behalf of the supplier?
• Does the supplier maintain sufficient insurance cover to protect your organisation?
STEPS TAKEN BY A BLACK HAT HACKER OR
A CRACKER TO CONQUER A SYSTEM
1. PREPARING THE ATTACK
2. GATHERING INFORMATION FOR THE ATTACK
3. EXECUTING THE ATTACK
PREPARING THE ATTACK
• IP addresses
• An IP address is a system's address on a network, much like a home address in the physical world.
• Every system on the Internet has an IP address.
• Just as you keep your house address secret from strangers, you should keep your system's IP address
hidden from attackers on the net (for example behind a NAT gateway or a proxy), because it is the first
thing an attacker needs to know.
• Domain name
• It is difficult to remember a system's address on the Internet in the form 168.116.220.100,
whereas it is easy to remember www.yahoo.com. This is called a domain name. When typing a URL into
the browser you can use either of the two; DNS translates the name into the address.
• You can find the IP address of any domain name by typing the following at the command prompt:
• nslookup <domain name>
• Port numbers
• Ports are basically virtual doors that allow the inflow and outflow of data packets.
• Each port is a separate channel on which a particular service listens.
• E.g. SMTP - 25, Telnet - 23, HTTP - 80, FTP - 21.
FINDING IP ADDRESSES
[Diagram: while chatting, the traffic between your system and your friend's system passes through the Yahoo server, so neither party sees the other's address; during a direct file transfer the two systems (168.64.221.11 and 64.11.22.111 in the slide) connect to each other, which exposes the friend's IP address.]
[Screenshot: command for finding the IP addresses of the computer systems connected to yours]
E-MAIL HEADERS
[Screenshots: an e-mail shown without its full headers, and the same e-mail with the full headers that reveal the sender's IP address]
ANONYMOUS SURFING
[Diagram: your system (192.64.55.1) sends its requests to a proxy server (www.anonymizer.ru, 112.56.43.11), which forwards them to the destination system (www.yahoo.com, 64.112.1.1); the destination only ever sees the proxy's address.]
IS IT POSSIBLE TO COMMIT A PERFECT CRIME?
[Diagram: attacker -> proxy 1 -> proxy 2 -> proxy 3 -> proxy 4 -> proxy 5 -> victim. Chaining proxies hides the attacker's address from the victim, but every proxy in the chain can log the connection, so the chain is only as anonymous as its most talkative link.]
Some proxy servers:
• WinGate (Windows based)
• Squid (Linux based)
• WinProxy (Windows)
• Microsoft Proxy Server (Windows)
GATHERING INFORMATION FOR THE ATTACK
PING AND PING SWEEP
• Ping sends an ICMP echo request and is used to determine whether a host is alive, i.e. reachable on
the Internet, or not.
• A ping sweep pings every address in a range to find which hosts are up.
• A host that does not answer is not necessarily down: many firewalls silently drop ICMP echo requests,
so a TCP-based probe is often needed as well.
Using the Ping command
TRACERT
• Tracert (traceroute on Unix) is a tool used to determine the path taken by a data packet from one
system to another: it sends packets with increasing TTL values and records which router returns each
"time exceeded" reply.
• Helps in knowing the network topology (which routers and firewalls sit in front of the target).
• Helps in OS detection: the TTL values seen in the replies hint at the initial TTL each host uses, which
differs between operating systems.
Use of the Tracert command
Tracing the location of each hop on a map with a visual traceroute tool
PORT SCANNING
• The process of finding out which ports are open on a particular server, i.e. which services are
running on a particular system.
Port scanning with Nmap
DAEMON BANNER GRABBING
• Daemon banner grabbing means grabbing the software information (name and often version) of a
daemon or service from the greeting it sends when a client connects.
• E.g. HTTP is a service and the Apache web server is software serving HTTP, so the banner reads
"Apache".
• Banners can be changed or removed by the administrator, so treat them as a hint, not as proof.
Banner grabbing with Nmap
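The two steps above, a TCP connect scan followed by reading the daemon's greeting, as an added example that is not part of the original presentation. Since it has to run offline, it starts a constructed test daemon on the loopback interface that greets clients with an SMTP-style banner; the banner text, host name and the tiny `identify_software` fingerprint are assumptions for the demo, not a real Nmap probe database.

```python
"""TCP connect port scan and daemon banner grab (added example).

A constructed test daemon on the loopback interface stands in for the
remote service; it is not part of the original presentation."""
import socket
import threading

# Constructed banner in the style of an SMTP greeting (assumption: a real
# daemon would volunteer something similar on connect).
TEST_BANNER = b"220 mail.example.test ESMTP Postfix (Debian/GNU)\r\n"


def start_test_daemon(banner=TEST_BANNER):
    """Listen on a free loopback port and greet every client with `banner`.

    Returns (port, stop) where stop() shuts the daemon down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]
    stop_flag = threading.Event()

    def serve():
        srv.settimeout(0.2)             # wake up periodically to check stop_flag
        while not stop_flag.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    conn.sendall(banner)    # announce software name/version
                except OSError:
                    pass                # scanner closed without reading
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop_flag.set


def tcp_connect_scan(host, ports, timeout=0.5):
    """Return the subset of `ports` that accept a TCP connection (open)."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success instead of raising, so a closed
            # port (connection refused) simply yields a non-zero error code.
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host, port, timeout=1.0, max_bytes=256):
    """Connect and read whatever the daemon volunteers before we send anything.

    SMTP, FTP and SSH greet first; HTTP does not, so an empty result is normal
    there and a probe request would be needed instead."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            data = s.recv(max_bytes)
        except OSError:                 # refused, reset or nothing sent in time
            data = b""
    return data.decode("ascii", errors="replace").strip()


def identify_software(banner):
    """Tiny fingerprint of two common greeting formats (assumption, demo only):
    SMTP  '220 <host> ESMTP <product> ...'  -> product
    SSH   'SSH-<ver>-<software> ...'        -> software
    anything else                           -> 'unknown'"""
    if banner.startswith("SSH-"):
        parts = banner.split("-", 2)
        return parts[2].split()[0] if len(parts) == 3 and parts[2] else "unknown"
    parts = banner.split()
    if len(parts) >= 4 and parts[0] == "220" and parts[2].upper() in ("ESMTP", "SMTP"):
        return parts[3]
    return "unknown"


if __name__ == "__main__":
    port, stop = start_test_daemon()
    print("open ports:", tcp_connect_scan("127.0.0.1", [port]))
    banner = grab_banner("127.0.0.1", port)
    print("banner  :", banner)
    print("software:", identify_software(banner))
    stop()
```

Point the scanner at a real host only with written permission: a connect scan completes the full TCP handshake, so it shows up in the target's logs exactly like the intrusion attempt it rehearses.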
FINGERPRINTING
• Fingerprinting is the process of determining the OS running on a system.
• There are two types of fingerprinting method:
1. Active fingerprinting: send crafted probes to the target and compare the responses (TCP options,
window size, TTL, ICMP quirks) against a database of known IP stacks.
2. Passive fingerprinting: only observe traffic the target sends anyway (e.g. the TTL and window size of
its replies) and infer the OS without sending any extra packets.
Fingerprinting with Nmap
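A minimal passive fingerprint built on the TTL hint mentioned under TRACERT, as an added example that is not part of the original presentation. The initial-TTL table is a coarse heuristic (assumption): Nmap's OS detection combines many more signals, so this only shows the reasoning, on constructed ping reply lines using documentation addresses.

```python
"""Passive OS guess from the TTL of ping/traceroute replies (added example)."""
import re

# Default initial TTLs used by common IP stacks. Heuristic/assumption: TTL
# alone is a hint, not proof; tools such as nmap -O use many more probes.
INITIAL_TTLS = {
    64: "Linux / Unix / macOS",
    128: "Windows",
    255: "Cisco IOS / Solaris / other network gear",
}

# Matches both Unix ("... ttl=54 time=...") and Windows ("... TTL=117") replies.
_TTL_RE = re.compile(r"\bTTL=(\d{1,3})\b", re.IGNORECASE)


def infer_initial_ttl(observed_ttl):
    """Round the observed TTL up to the nearest default initial value.

    Every router on the path decrements the TTL by one, so a reply arriving
    with TTL 54 most likely started at 64 and crossed 10 hops."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be between 1 and 255")
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return initial
    return 255  # not reached: 255 is the largest key


def passive_fingerprint(reply_line):
    """Parse one ping reply line; return the OS guess and hop count, or None
    when the line carries no TTL (e.g. 'Request timed out.')."""
    m = _TTL_RE.search(reply_line)
    if not m:
        return None
    observed = int(m.group(1))
    initial = infer_initial_ttl(observed)
    return {
        "observed_ttl": observed,
        "initial_ttl": initial,
        "hops": initial - observed,
        "os_guess": INITIAL_TTLS[initial],
    }


# Constructed sample replies (documentation addresses, made-up timings).
SAMPLE_REPLIES = [
    "64 bytes from 198.51.100.7: icmp_seq=1 ttl=54 time=12.3 ms",   # Unix-style ping
    "Reply from 203.0.113.9: bytes=32 time=31ms TTL=117",           # Windows-style ping
    "Reply from 192.0.2.1: bytes=32 time<1ms TTL=255",              # router next door
    "Request timed out.",                                           # no TTL at all
]

if __name__ == "__main__":
    for line in SAMPLE_REPLIES:
        print(passive_fingerprint(line))
```

The hop count is the useful by-product: if tracert shows 10 hops and the TTL arithmetic says 10, the guess is consistent; if they disagree, the administrator has probably changed the default TTL and the guess should be discarded.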
EXECUTING THE ATTACK
SOME OF THE MAJOR ATTACKS ARE-
• DOS ATTACKS
• IP SPOOFING ATTACKS
• TROJAN ATTACKS
• KEYLOGGER ATTACKS
• INPUT VALIDATION ATTACK
• BUFFER OVERFLOW ATTACK
DOS ATTACKS (DENIAL OF SERVICE)
[Diagram: a malicious attacker sends an endless stream of malicious data to www.yahoo.com, so that users around the world can no longer reach it.]
Some DoS attacking tools are (all of these are distributed DoS tools that coordinate many
compromised hosts against one target):
• Trinoo
• Tribe Flood Network (TFN)
• Stacheldraht
• Shaft
• Mstream
IP SPOOFING
IP spoofing happens when an attacker tricks or bluffs the target system into believing that the data
packets being sent to it started from a source other than the actual source system. In other words, it
is a process that enables the attacker to hide his real identity when communicating with the target
system: the data packets the attacker sends will appear to originate at another system. Because the
replies go to the spoofed address rather than to the attacker, spoofing is mostly useful for one-way
traffic such as UDP or ICMP floods and reflection attacks; completing a TCP handshake from a spoofed
source is much harder.
PASSWORD CRACKING ATTACKS
• PASSWORD GUESSING
• DEFAULT PASSWORD
• DICTIONARY BASED ATTACKS
• BRUTE FORCE ATTACKS
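The last two attack styles above (dictionary and brute force) against a constructed table of password hashes, as an added example that is not part of the original presentation. The hashes are plain SHA-256 (an assumption, chosen so the demo runs in a fraction of a second); the wordlist and the user/password pairs are made up.

```python
"""Dictionary and brute-force attacks against constructed password hashes (added example).

Hashes are unsalted SHA-256 here (assumption, to keep the demo fast). The same
loops work for any unsalted hash; a per-user salt only stops the attacker from
reusing one hash computation across all users, a slow hash (bcrypt, scrypt,
Argon2) is what makes each guess expensive."""
import hashlib
import itertools
import string


def sha256_hex(password):
    """Hex digest of the UTF-8 encoded password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_targets(credentials):
    """Build a {user: hash} table from {user: cleartext} (constructed test data
    standing in for a stolen password file)."""
    return {user: sha256_hex(pw) for user, pw in credentials.items()}


# Constructed mini wordlist; real attacks use lists of millions plus mangling rules.
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome1", "admin"]


def dictionary_attack(targets, wordlist):
    """Hash every candidate word once and check it against ALL users at once.

    Returns {user: recovered_password} for every hash found in the wordlist."""
    lookup = {sha256_hex(word): word for word in wordlist}   # reverse table
    return {user: lookup[h] for user, h in targets.items() if h in lookup}


def brute_force(target_hash, charset=string.ascii_lowercase + string.digits, max_len=3):
    """Try every string over `charset` up to `max_len`; return the password or None.

    Work grows as len(charset) ** max_len, which is why length beats any single
    clever character."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


if __name__ == "__main__":
    # Constructed users: one in the wordlist, one short enough to brute-force,
    # one that neither attack reaches with these parameters.
    targets = make_targets({"alice": "letmein", "bob": "zz9", "carol": "Tr0ub4dor&3"})
    print("dictionary :", dictionary_attack(targets, WORDLIST))
    print("brute bob  :", brute_force(targets["bob"]))
    print("brute carol:", brute_force(targets["carol"]))   # None: outside the keyspace
```

The dictionary pass costs one hash per word regardless of how many users are in the file, which is exactly what salting is meant to break; the brute-force pass shows why a password policy should be stated in bits of keyspace rather than in "at least one special character".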
TROJAN ATTACKS
A Trojan (Trojan horse) is malware disguised as a harmless program. A remote access Trojan, once
installed on somebody's system, can be used to have complete control over that system remotely,
without having any physical access to it.
Process for a Trojan attack by NetBus
Steps involved in the process
KEYLOGGER ATTACK
• A keylogger is also a kind of spyware which, when installed on a system, records all the keystrokes
made by the user in a log file.
• The file can be configured to be automatically e-mailed to an address predefined by the attacker.
E-MAIL FORGING
• Did you just receive an e-mail from Bill Gates offering you a job?
• Are your employees, dealers, partners or alliances receiving abusive e-mails that seem to originate
from your e-mail account?
• Is your relationship with your wife being spoilt by malicious e-mails that seem to originate from
your e-mail account?
• Are you being blackmailed through e-mails for huge amounts of money?
• An example is given on the next page.
E-mail forging allows an attacker to disguise the source of an e-mail and send it to the victim. Most
attackers use this technique to fool the victim into believing that somebody else has sent the
particular mail. It works because SMTP does not authenticate the From: address. What the forger cannot
easily control are the Received: headers added by each mail server that relays the message, so the
header chain is where forgery is usually detected (together with SPF, DKIM and DMARC checks).
Example of e-mail forging
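The header analysis behind both the E-MAIL HEADERS slide (the sender's IP address is recorded in the headers) and the E-MAIL FORGING slide (the From: line is free text, the Received: lines written by your own servers are not), as an added example that is not part of the original presentation. Both messages below are constructed, using documentation host names and addresses; the list of trusted relays is an assumption standing in for your organisation's own mail servers.

```python
"""Reading the Received: chain of an e-mail to find where it really came from (added example)."""
import re
from email import message_from_string

# Assumption: the mail servers we operate. Only Received: lines written BY one
# of these can be trusted; anything older may have been typed by the forger.
TRUSTED_RELAYS = ("mx1.example.test", "mailbox.example.test")

# Constructed forged message: From: claims a famous sender, but the chain shows
# it was injected from an unresolvable host straight into our mail exchanger.
RAW_FORGED = """\
Received: from mx1.example.test (mx1.example.test [192.0.2.10])
\tby mailbox.example.test with ESMTP id abc123
\tfor <victim@example.test>; Mon, 1 Mar 2010 10:00:05 +0000
Received: from bigboss.example.org (unknown [198.51.100.77])
\tby mx1.example.test with SMTP id xyz789; Mon, 1 Mar 2010 10:00:03 +0000
From: "Bill Gates" <billg@example.org>
To: victim@example.test
Subject: Job offer

Congratulations, you are hired.
"""

# Constructed legitimate message from the same claimed domain for comparison.
RAW_LEGIT = """\
Received: from mx1.example.test (mx1.example.test [192.0.2.10])
\tby mailbox.example.test with ESMTP id def456
\tfor <victim@example.test>; Mon, 1 Mar 2010 11:00:05 +0000
Received: from mail.example.org (mail.example.org [203.0.113.25])
\tby mx1.example.test with ESMTP id uvw012; Mon, 1 Mar 2010 11:00:03 +0000
From: Alice <alice@example.org>
To: victim@example.test
Subject: Lunch

Noon?
"""

# "from <HELO name> (<reverse DNS> [<ip>]) ... by <server that wrote this line>"
_HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.S,
)


def received_chain(raw):
    """Hops oldest-first. Servers prepend Received: lines (newest on top), so
    the header order is reversed to follow the message's journey."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = _HOP_RE.search(value)
        if m:
            hops.append({k: (v or None) for k, v in m.groupdict().items()})
    hops.reverse()
    return hops


def entry_hop(raw, trusted_relays=TRUSTED_RELAYS):
    """Walk back from our side until a line was NOT written by a trusted relay;
    the last trusted line names the host that actually handed us the message."""
    entry = None
    for hop in reversed(received_chain(raw)):      # newest first
        if hop["by"] in trusted_relays:
            entry = hop
        else:
            break
    return entry


def forgery_indicators(raw, trusted_relays=TRUSTED_RELAYS):
    """Compare the claimed From: domain with the verified entry hop."""
    msg = message_from_string(raw)
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    from_domain = m.group(1).lower() if m else ""
    hop = entry_hop(raw, trusted_relays)
    if hop is None:
        return ["no Received: line written by a trusted relay; origin unknown"]
    findings = []
    rdns = (hop["rdns"] or "").lower()
    if rdns in ("", "unknown"):
        findings.append(f"entry host {hop['ip']} has no reverse DNS (claimed HELO {hop['helo']})")
    elif not rdns.endswith(from_domain):
        findings.append(f"From: domain {from_domain} but message entered from {rdns} [{hop['ip']}]")
    if hop["helo"] and hop["helo"].lower() != rdns:    # announced name vs verified name
        findings.append(f"HELO name {hop['helo']} does not match reverse DNS {rdns or 'none'}")
    return findings


if __name__ == "__main__":
    for label, raw in (("forged", RAW_FORGED), ("legit", RAW_LEGIT)):
        print(label, "entered from", entry_hop(raw)["ip"], "->", forgery_indicators(raw))
```

The originating IP reported here is the one the first trusted relay saw on the wire; a forger can add fake Received: lines below it, but cannot rewrite the ones added after the message left their hands.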
CONCLUSION
Security is a continuum, not an absolute. The value of
penetration testing lies in its results -- the ones that
answer the big question "WHY?" A successful
penetration test indicates more than a particular flaw; it
identifies the process failures that produced the
vulnerability in the first place. Fixing or patching the
vulnerability detected does not mean an end to your
security worries or nightmares -- it is just the beginning
of a never-ending cycle.
THANK YOU