Carding 4 Carders
Professional
What is a pentest?
A pentest (penetration test) is an analysis of a network infrastructure, company servers, or applications for vulnerabilities.
The purpose of this analysis is to find vulnerabilities and build possible attack vectors, simulating the actions of a real attacker.
After testing, a report is prepared for management describing the vulnerabilities found and recommendations for eliminating them.
Some security standards (such as PCI DSS and 382-P for financial sector organizations) require such testing to be performed once a year or more often.
The orders of the FSTEC of Russia also contain a requirement to conduct penetration testing every 3 years for organizations that work with personal data.
Types of pentesting based on the knowledge model
Whitebox – a code and infrastructure audit. The pentester team is given the source code of the software, or a copy of the infrastructure, which can be deployed in the team's own environment and studied "from the inside".
Graybox – before testing, the team of specialists is provided with information about the organization's structure.
Blackbox – the pentester has no information about how the organization's information security is arranged; only general information about the organization is given. The team has to act like a real attacker, starting the test with information gathering.
The "Red Team" approach is the closest to a real scenario: the pentester team has no information about the attack targets, and the organization's employees do not know that testing is taking place.
Types of penetration testing
Infrastructure scanning – testing the network with security scanners and providing a report. The simplest type of testing; it finds obvious security holes.
External pentest – an attack only on the external network segment. The purpose is to make sure that an attacker from outside cannot get into the internal perimeter of the network. For example, an organization has web services that are accessible from the outside and connected to the internal network; the pentester's task is to reach the internal network through such an external service.
Internal pentest – simulates an attack on the internal perimeter by a user who has basic rights within the organization. Typical scenario: an attacker gets a job in the organization posing as an employee. The purpose is to make sure that such a user cannot escalate their privileges in the network and reach protected data.
Wi-Fi testing – searches for vulnerabilities in the organization's Wi-Fi network.
Web application pentest – searches for vulnerabilities on the organization's websites: configuration errors, session management errors, or flaws in the authorization mechanism. The most common vulnerabilities are described in the OWASP Top 10.
Load testing – checks the readiness of the network infrastructure for a DDoS attack on the organization.
Social engineering testing of employees – checks whether the organization's employees comply with internal security procedures. Often the reason a well-protected network gets hacked is the human factor.
Testing methodology
There are several basic methodologies that are used for conducting a pentest.
- PTES (Penetration Testing Execution Standard)
- OWASP (Open Web Application Security Project)
- OSSTMM (Open Source Security Testing Methodology Manual)
- NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment)
- ISSAF (Information Systems Security Assessment Framework)
Stages of penetration testing
The work of a pentester consists of several main stages.
- Collection of information
- Vulnerability analysis
- Exploitation and data processing
- Generating a report
Collection of information
At this stage, the tester gathers as much information as possible about the target. This widens the scope of testing, because each newly found host may have vulnerabilities.
First, general search engines (Yandex, Google, Bing) are used. Searching for the organization's name can reveal domains, employee names, addresses, and phone numbers, all of which are useful in later stages.
Next, specialized search engines are used, for example https://spyse.com/.
They can be used to obtain:
- Information about DNS records
- WHOIS
- Subdomains
- Host IP addresses
- Sites located on the specified IP address (other than the target one)
- Open ports
- Banners for running services (type, version, and even possible vulnerabilities)
All this is uploaded to a report that will be used during the analysis stage.
The following tools can also be useful when collecting information:
Wayback Machine – a web archive that stores old versions of pages. It allows you to view changes on a site by date.
Maltego – a full-fledged information-gathering suite which, in addition to the basic tools, can build a map of the target's infrastructure. This visual representation helps avoid missing possible attack vectors.
Vulnerability analysis of targets
The next stage of the pentester's work is to search for vulnerabilities within the attack surface identified earlier. The discovered hosts are scanned for open ports, and the installed software versions are checked to see whether they are current. Phishing mailings are prepared for the list of employee addresses that was found.
Where physical access to the infrastructure is possible, attacks on Wi-Fi or the use of BadUSB (a device that is plugged into a computer's USB port and provides remote access) can be used.
When testing a website, the pentester checks for possible vulnerabilities in business logic and configuration, as well as the most common flaws (SQL injection, XSS, and so on).
Automation tools such as Burp Suite, Nessus, Nmap, and others can be used for the analysis. Automated scanning narrows the search area and focuses attention on potentially vulnerable places; then the manual work begins.
Exploitation and data processing
At this stage, the pentester tries to exploit the vulnerabilities found. Exploits and phishing emails with attachments are the tools used to get inside the infrastructure.
After that, privileges must be escalated and a foothold gained in the system. Local exploits and other privilege escalation methods are used for this; for persistence in the system, backdoors.
Once a foothold is established, the pentester collects data. This is the proof of the network infrastructure's vulnerability required for the report.
Often the collected data allows several more iterations of analysis and exploitation, because it may contain credentials or information about new hosts.
Creating a report
After identifying vulnerabilities, the team collects evidence and creates a report listing the vulnerabilities found and the attack vectors. The report includes the vulnerabilities that were used to break in, information about vulnerable software, incorrect network configuration, and so on.
The report specifies which servers, applications, data, and network segments were accessed. After reviewing it, the company's management can assess the consequences a real hack could lead to and draw up a roadmap for fixing the shortcomings.
Regular testing of your network infrastructure is necessary: a real attack can result in serious financial and reputational losses. This is why such testing is mandatory for the financial sector and highly recommended for any medium-sized or large business.
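An added example of the reporting step described above (not from the original post): a small Python module that takes raw findings as a tester would record them, fingerprints each piece of evidence with SHA-256 so the report can reference it without it being altered later, merges duplicate findings for the same host (the same outdated service seen on two ports), and orders the result into the severity-first remediation roadmap that management uses. The hosts, findings and evidence strings are all constructed for the example.

```python
"""Assemble pentest findings into a report with evidence digests and a
severity-ordered remediation roadmap.

Added example code. FINDINGS is a constructed sample; the "evidence" bytes
stand in for a screenshot or captured output that proves each finding.
"""
import hashlib
import json
from collections import Counter
from typing import Dict, List

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}

# Constructed findings for two made-up hosts. Note the nginx finding is
# recorded twice (port 80 and 443) as a scanner would report it.
FINDINGS = [
    {"host": "web01.example.test", "title": "SQL injection in login form",
     "severity": "critical", "fix": "Use parameterised queries and validate input",
     "evidence": b"database error text returned in login response"},
    {"host": "web01.example.test", "title": "Outdated OpenSSH 7.4",
     "severity": "high", "fix": "Upgrade OpenSSH to a supported release",
     "evidence": b"banner: SSH-2.0-OpenSSH_7.4"},
    {"host": "web01.example.test", "title": "Outdated nginx 1.18.0",
     "severity": "medium", "fix": "Upgrade nginx",
     "evidence": b"Server: nginx/1.18.0 on port 80"},
    {"host": "web01.example.test", "title": "Outdated nginx 1.18.0",
     "severity": "medium", "fix": "Upgrade nginx",
     "evidence": b"Server: nginx/1.18.0 on port 443"},
    {"host": "mail01.example.test", "title": "MySQL reachable from the internet",
     "severity": "high", "fix": "Restrict port 3306 to the internal segment",
     "evidence": b"TCP connect to 3306 succeeded from outside"},
    {"host": "mail01.example.test", "title": "No SPF record for mail domain",
     "severity": "low", "fix": "Publish an SPF record",
     "evidence": b"TXT lookup returned no v=spf1 entry"},
]


def evidence_digest(data: bytes) -> str:
    """SHA-256 of an evidence artefact; the report cites the digest, the file stays in the archive."""
    return hashlib.sha256(data).hexdigest()


def deduplicate(findings: List[Dict]) -> List[Dict]:
    """Merge findings with the same (host, title): keep the highest severity, collect all evidence digests."""
    merged: Dict[tuple, Dict] = {}
    for f in findings:
        key = (f["host"], f["title"])
        digest = evidence_digest(f["evidence"])
        if key not in merged:
            merged[key] = {"host": f["host"], "title": f["title"], "severity": f["severity"],
                           "fix": f["fix"], "evidence": [digest]}
            continue
        m = merged[key]
        m["evidence"].append(digest)
        if SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[m["severity"]]:
            m["severity"] = f["severity"]     # lower rank number = more severe
    return list(merged.values())


def remediation_roadmap(findings: List[Dict]) -> List[Dict]:
    """Unique findings ordered for management: most severe first, then by host and title."""
    return sorted(deduplicate(findings),
                  key=lambda f: (SEVERITY_RANK[f["severity"]], f["host"], f["title"]))


def build_report(findings: List[Dict]) -> Dict:
    """Report skeleton: severity counts, affected hosts, and the ordered roadmap."""
    roadmap = remediation_roadmap(findings)
    return {
        "summary": dict(Counter(f["severity"] for f in roadmap)),
        "hosts": sorted({f["host"] for f in roadmap}),
        "roadmap": roadmap,
    }


if __name__ == "__main__":
    print(json.dumps(build_report(FINDINGS), indent=2))
```

Keeping the raw evidence out of the report body and citing it by digest is deliberate: the document that goes to management stays short, while anyone who later doubts a finding can recompute the digest of the archived screenshot or capture and confirm it is the one the report referred to.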