CEH Study Group -- Module 22: Penetration Testing

[Dengar13]

Penetration Testing

Need for a Methodology

Penetration Test vs. Vulnerability Test

Reliance on Checklists and Templates

Phases of Penetration Testing

Passive Reconnaissance

Best Practices

Results that can be expected

Indicative passive reconnaissance steps include (but are not limited to)

Introduction to Penetration Testing

Type of Penetration Testing Methodologies

Open Source Vs Proprietary Methodologies

Security Assessment Vs Security Auditing

Risk Analysis

Types of Penetration Testing

Types Ethical Hacking

Vulnerability Assessment Vs Penetration Testing

Do-it Yourself Testing

Firms Offering Penetration Testing Services

Penetration Testing Insurance

Explication of Terms of Engagement

Pen-Test Service Level Agreements

Offer of Compensation

Starting Point and Ending Points of Testing

Penetration Testing Locations

Black Box Testing

White Box Testing

Grey Box Testing

Manual Penetration Testing

Automated Penetration Testing

Selecting the Right Tools

Pen Test Using Appscan

HackerShield

Pen-Test Using Cerberus Internet Scanner

Pen-Test Using CyberCop Scanner

Pen-Test Using Foundscan

Pen-Test  Using Nessus

Pen-Test Using NetRecon

Pen-Test Using Retina

Pen-Test Using SAINT

Pen-Test Using SecureNET

Pen-Test Using SecureScan

Pen-Test Using SATAN, SARA and Security Analyzer

Pen-Test Using STAT Analyzer

Pen-Test Using Twwscan

VigilEnt

WebInspect

Evaluating Different Types of Pen-Test Tools

Platform on Which Tools Will be Used

Asset Audit

Fault Tree and Attack Trees

GAP Analysis

Device Inventory

Perimeter Firewall Inventory

Web Server Inventory

Load Balancer Inventory

Local Area Network Inventory

Demilitarized Zone Firewall

Internal Switch Network Sniffer

Application Server Inventory

Database Server Inventory

Name Controller and Domain Name Server

Physical Security

ISP Routers

Legitimate Network Traffic Threat

Unauthorized Network Traffic Threat

Unauthorized Running Process Threat

Loss of Confidential Information

Business Impact of Threat

Pre-testing Dependencies

Post-testing Dependencies

Failure Management

Test Documentation Processes

Penetration Testing Tools

Defect Tracking Tools

Configuration Management Tools

Disk Replication Tools

Pen-Test Project Scheduling Tools

Network Auditing Tools

DNS Zone Transfer Testing Tools

Trace Route Tools and Services

Network Sniffing Tools

Denial of Service Emulation Tools

Traditional Load Testing Tools

System Software Assessment Tools

Operating System Protection Tools

Fingerprinting Tools

Port Scanning Tools

Directory and File Access Control Tools

File Share Scanning Tools

Password Directories

Password Guessing Tools

Link Checking Tools

Web site Crawlers

Web-Testing based Scripting Tools

Buffer Overflow Protection Tools

Buffer Overflow Generation Tools

Input Data Validation Tools

File encryption Tools

Database Assessment Tools

Keyboard Logging and Screen Reordering Tools

System Event Logging and Reviewing Tools

Tripwire and Checksum Tools

Mobile-Code Scanning Tools

Centralized Security Monitoring Tools

Web Log Analysis Tools

Forensic Data and Collection Tools

Security Assessment Tools

Multiple OS Management Tools

SANS Institute TOP 20 Security Vulnerabilities

All Operating System Platforms

Default installs of operating systems and applications

Accounts with no passwords or weak passwords

Nonexistent or incomplete backups

Large number of open ports

Not filtering packets for correct incoming and outgoing addresses

Nonexistent or incomplete logging

Vulnerable Common Gateway Interface (CGI) programs

Windows-specific

Unicode vulnerability-Web server folder traversal

Internet server application programming interface (ISAPI) extension buffer overflows

IIS Remote Data Services (RDS) exploit

Network Basic Input Output System (NetBIOS), unprotected Windows networking shares

Information leakage via null session connections

Weak hashing in SAM (Security Accounts Manager)-LanManager hash

UNIX-specific

Buffer overflows in Remote Procedure Call (RPC) services

Sendmail vulnerabilities

Bind weaknesses

Remote system command (such as rcp, rlogin, and rsh) vulnerabilities

Line Printer Daemons (LPD) vulnerabilities

Sadmind and mountd exploits

Default Simple Network Management Protocol (SNMP) strings

Penetration Testing Deliverable Templates

Test Status Report Identifier

Test Variances

Test Comprehensive Assessment

Summary of Results (Incidents)

Test Evaluation

Names of Persons (Approval)

Template Test Incident Report

Template Test Log

Active Reconnaissance

Attack Phase

Activity: Perimeter Testing

Activity: Web Application Testing – I

Activity: Web Application Testing – II

Activity: Wireless Testing

Activity: Acquiring Target

Activity: Escalating Privileges

Activity: Execute, Implant & Retract

Post Attack Phase & Activities

Automated Penetration Testing Tool - CORE Impact

[Dengar13]

Some of the tools listed on this module are commercial and you won't see but a few questions on the exam.  How can you have a question about WebInspect when it costs 25k?  This is the are where I have the most experience.  There are many free tools but the reporting isn't fun, in fact it is mostly manual.  The commercial ones offer very robust reporting and for some people who need this for their clients the time saved is invaluable. 

[Dengar13]

What are your favorite tools to use people???

[Oyle]

I really like the SuperScan program from (I think) Foundstone that came on the CD I got from doing the CEH class, but it's really old, and along with Nmap, it really gives me hassle when I try to install it on my Inspiron XP Pro notebook. It refuses to run, don't know why.

I try to install the newest version of the Windows version of Nmap on my Inspriron, and after it Installs, I try to run it and it puts up a command window, what looks like the Nmap man page whizzes by, and then the command windows shuts. the Nmap GUI never runs. Don't know why.

[don]

Works fine on my XP system. Did you let the Nmap installation create the desktop icon or did you create it yourself? If need be, we can compare settings of the shortcut.

Don

[Negrita]

Firstly, you should read through the Windows Install Guide. This helped me get around the same problem that you have.

Secondly, Microsoft purpously broke Nmap with XP SP2. Fyodor made a workaround, which should work with any version later than 3.55. If you have XP SP2 and a version of Nmap  earlier than 3.55 then it's time to update.

[Oyle]

Oooooo, that's a big help. Explains a lot. I don't have time to play with it right now, but I should be able to later on tonight. I'll let ya know.

Thanks a lot!!!   

(my favorite smiley. really says a lot).