2. What is a Penetration Test?
• A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source.
• A penetration test target may be a "white box" or a "black box".
• A penetration test can help determine whether a system is vulnerable to attack, whether the defenses were sufficient, and which defenses were defeated during the test.
3. Phases of Penetration Test
• Reconnaissance
• Scanning
• Exploitation
• Maintaining Access
4. Reconnaissance
• Reconnaissance refers to information gathering before an attack: the work of collecting information before planning the attack.
• The more information we gather, the greater our chances of success in the later phases of the penetration test.
• Abraham Lincoln quote: "If I had six hours to chop down a tree, I'd spend the first four of them sharpening my axe."
• Reconnaissance is conducted by white hats and black hats alike.
5. Main Goals and Types of Reconnaissance
Two main goals of reconnaissance are listed below:
• Gather as much information as possible
• Create a list of attackable IP addresses
Two main types of reconnaissance are listed below:
• Active reconnaissance
• Passive reconnaissance
6. Famous Tools used for Reconnaissance (I)
• HTTrack
• Google
• Harvester
• Whois
• Netcraft
7. Famous Tools used for Reconnaissance (II)
• Host
• Extracting information from DNS
nslookup
dig
• Extracting information from emails
• Metagoofil
• Social engineering
8. Famous Tools used for Reconnaissance (III)
• HTTrack (Win, B.T)
A tool for making an identical copy of the target site.
The copy consists of pages, pictures, links, etc.
• Google
Proper use of Google is a vital skill for the penetration tester.
Directives (keywords that make Google return accurate information): site, inurl, cache.
Directive syntax: 1) name 2) colon 3) term, e.g. site:bzu.edu filetype:ppt
9. Famous Tools used for Reconnaissance (IV)
• Harvester (Win, B.T)
Used to catalog emails and subdomains that belong to our target.
• Whois (Online, B.T)
The Whois service allows us to access specific information about our target, including IP addresses, host names, contact info, phone numbers, addresses, etc.
• Netcraft (Win, B.T)
It gives us a site report with information such as the IP address and the OS of the web server.
10. Famous Tools used for Reconnaissance (V)
• Host
Used to translate a host name to an IP address.
• Social Engineering
Exploiting the "human" weakness inherent in every organization.
11. Scanning
• Scanning is the process of finding out whether the target system is alive and discovering its open ports and vulnerabilities.
• Ethical hackers use scanning tools to determine open ports and services and the presence of known weaknesses on target systems.
12. Types of Scanning
• Types of scanning are listed below:
1. System Scanning
2. Port Scanning
3. Vulnerability Scanning
13. System Scanning
• In system scanning we determine whether the system is alive and whether it can interact with other machines.
• It is important to conduct this step and make a note of any machines that respond as alive.
• If the system is alive, the penetration test will be more fruitful.
14. Port Scanning (I)
• Port scanning is the process of finding open ports: the channels from which an attack can be launched.
• The basic idea is to analyze the network ports and record information about them so that it can be used later.
• In port scanning we find the open ports and the services available on them, such as FTP, printing or e-mail.
• There are 65536 ports in total on every computer; each may be UDP or TCP.
15. Port Scanning (II)
Port   Description
1      TCP Port Service Multiplexer (TCPMUX)
20     FTP Data
21     FTP Control
53     Domain Name System (DNS)
69     Trivial File Transfer Protocol (TFTP)
115    Simple File Transfer Protocol (SFTP)
156    SQL Server
190    Gateway Access Control Protocol (GACP)
443    HTTPS
16. Vulnerability Scanning
• Vulnerability scanning is the step in which the weaknesses of the target are found so that they can be attacked.
• Usually the vulnerability scanner finds the operating system and the version number installed on the target.
• It then finds weaknesses in that OS, gathers information about them, and this information is used to exploit the system later.
17. Tools Used for Scanning
• For System Scanning
1. Ping and ping sweeps
• For Port Scanning
1. Nmap
• For Vulnerability Scanning
1. Nessus
18. Ping and Ping Sweep
• Ping uses a special type of network packet called an ICMP packet.
• It works by sending specific types of network traffic, called ICMP echo request packets, to the target.
• Besides telling us that a host is alive and accepting traffic, pings provide other valuable information, including the total time it took for the packet to travel to the target and return.
• A ping sweep works with fping; here a ping is sent to a series of IP addresses.
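From the defender's side, both a ping sweep and a port scan look alike in firewall logs: one source touching many hosts, or many ports on one host. The following Python is an added example (not from the original slides) that applies that counting logic to a constructed, loosely iptables-style log; the thresholds (4 hosts, 5 ports) are assumptions.

```python
"""Flag ping sweeps and port scans in firewall log lines (added example)."""
import re
from collections import defaultdict

# Constructed sample log, loosely iptables-style; not captured from a real network.
SAMPLE_LOG = """\
Jan 10 09:00:01 fw kernel: SRC=203.0.113.7 DST=192.0.2.10 PROTO=ICMP TYPE=8
Jan 10 09:00:01 fw kernel: SRC=203.0.113.7 DST=192.0.2.11 PROTO=ICMP TYPE=8
Jan 10 09:00:02 fw kernel: SRC=203.0.113.7 DST=192.0.2.12 PROTO=ICMP TYPE=8
Jan 10 09:00:02 fw kernel: SRC=203.0.113.7 DST=192.0.2.13 PROTO=ICMP TYPE=8
Jan 10 09:00:02 fw kernel: SRC=203.0.113.7 DST=192.0.2.14 PROTO=ICMP TYPE=8
Jan 10 09:00:03 fw kernel: SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=21
Jan 10 09:00:03 fw kernel: SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=22
Jan 10 09:00:03 fw kernel: SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=25
Jan 10 09:00:04 fw kernel: SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=80
Jan 10 09:00:04 fw kernel: SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=443
Jan 10 09:00:04 fw kernel: SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=3306
Jan 10 09:00:05 fw kernel: SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP DPT=443
Jan 10 09:00:05 fw kernel: SRC=192.0.2.50 DST=192.0.2.10 PROTO=ICMP TYPE=8
"""

# SRC, DST, PROTO are mandatory; ICMP TYPE and TCP/UDP DPT are optional.
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\w+)(?: TYPE=(\d+))?(?: DPT=(\d+))?")

def parse(log_text):
    """Yield (src, dst, proto, icmp_type, dport) for every line the regex matches."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groups()

def detect(log_text, sweep_hosts=4, scan_ports=5):
    """Return {src: [findings]}: a source sending ICMP echo requests (type 8) to
    >= sweep_hosts distinct hosts is a ping sweep; one probing >= scan_ports
    distinct ports on a single host is a port scan."""
    echo_targets = defaultdict(set)    # src -> hosts pinged
    probed_ports = defaultdict(set)    # (src, dst) -> ports touched
    for src, dst, proto, icmp_type, dport in parse(log_text):
        if proto == "ICMP" and icmp_type == "8":
            echo_targets[src].add(dst)
        elif proto in ("TCP", "UDP") and dport:
            probed_ports[(src, dst)].add(int(dport))
    findings = defaultdict(list)
    for src, hosts in echo_targets.items():
        if len(hosts) >= sweep_hosts:
            findings[src].append(("ping_sweep", len(hosts)))
    for (src, dst), ports in probed_ports.items():
        if len(ports) >= scan_ports:
            findings[src].append(("port_scan", dst, len(ports)))
    return dict(findings)
```

Real deployments add a time window so that a slow scan spread over hours still trips the threshold while ordinary traffic to a handful of ports does not.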
22. Nessus
• Nessus is a GUI-based vulnerability scanning tool.
• Available for free.
• One of the key components of Nessus is its plug-ins.
• A plug-in is a small block of code that is sent to the target machine to check for a known vulnerability. Nessus has literally thousands of plug-ins.
25. Exploitation
• Exploitation is the process of gaining control over a system.
• Exploitation is the attempt to turn the target machine into a puppet that will
execute your commands and do your bidding.
26. Password Cracker
• Using online password crackers, the potential for success can be greatly increased if you combine this attack with the information gathered earlier.
• Remote access systems employ a password throttling technique that can limit the number of unsuccessful log-ins you are allowed.
• Medusa and Hydra are famous password crackers used for exploitation.
• JOHN THE RIPPER: KING OF THE PASSWORD CRACKERS
27. Medusa
• Medusa is described as a parallel log-in brute forcer that attempts to gain access to remote authentication services.
• Medusa is capable of authenticating with a large number of remote services, including AFP, FTP, HTTP, IMAP, MS-SQL, MySQL, NetWare NCP, NNTP, etc.
• You need several pieces of information for Medusa:
Target IP address
A username or username list
A password or dictionary file containing multiple passwords
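The password throttling mentioned on the previous slide is the main defense against parallel brute forcers such as Medusa and Hydra. The following Python is an added example (not from the original slides or from any of these tools) of how a remote access system might implement it: failures are counted per (user, source IP) and each repeated burst doubles the lockout; the thresholds and times are assumptions.

```python
"""Password throttling with escalating lockout to blunt online brute forcing (added example)."""
from collections import defaultdict


class LoginThrottle:
    """Lock out a (user, source IP) pair after max_failures in `window` s; lockout doubles per burst."""

    def __init__(self, max_failures=5, window=300, base_lockout=60, max_lockout=3600):
        self.max_failures, self.window = max_failures, window
        self.base_lockout, self.max_lockout = base_lockout, max_lockout
        self._failures = defaultdict(list)   # key -> timestamps of recent failures
        self._locks = {}                     # key -> (unlock_time, burst_count)

    def _key(self, user, src_ip):
        return (user.lower(), src_ip)        # usernames compared case-insensitively

    def is_locked(self, user, src_ip, now):
        lock = self._locks.get(self._key(user, src_ip))
        return lock is not None and now < lock[0]

    def record_failure(self, user, src_ip, now):
        """Record a failed attempt; return the lockout imposed in seconds (0 if none)."""
        key = self._key(user, src_ip)
        recent = [t for t in self._failures[key] if now - t < self.window] + [now]
        self._failures[key] = recent
        if len(recent) < self.max_failures:
            return 0
        _, bursts = self._locks.get(key, (0, 0))
        lockout = min(self.base_lockout * 2 ** bursts, self.max_lockout)
        self._locks[key] = (now + lockout, bursts + 1)
        self._failures[key] = []             # the next burst is counted afresh
        return lockout

    def record_success(self, user, src_ip):
        key = self._key(user, src_ip)
        self._failures.pop(key, None)
        self._locks.pop(key, None)


def simulate(attempts, throttle):
    """Return (checked, refused) for (time, user, src_ip, password_ok) attempts."""
    checked = refused = 0
    for now, user, src_ip, ok in attempts:
        if throttle.is_locked(user, src_ip, now):
            refused += 1                     # never reaches the password store
            continue
        checked += 1
        if ok:
            throttle.record_success(user, src_ip)
        else:
            throttle.record_failure(user, src_ip, now)
    return checked, refused
```

Keying on the (user, source) pair rather than the user alone stops a single attacker from locking legitimate users out by design; a production system would also persist the state and alert on repeated bursts.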
29. METASPLOIT
HACKING, HUGH JACKMAN STYLE!
• Metasploit is a powerful, flexible and free tool.
• A truly open source exploit framework.
• Open source meant that for the first time everyone could access, collaborate on, develop and share exploits for free.
• It allows you to select the target and choose from a wide variety of payloads.
• A payload is the "additional functionality" or change in behavior that you want to accomplish on the target machine.
30. MSFCONSOLE
• We focus on the menu-driven, non-GUI, text-based interface called msfconsole.
• msfconsole is fast, friendly and easy to use.
32. SNIFFING NETWORK TRAFFIC
• Sniffing is the process of capturing and viewing traffic as it is passed along the network.
• A popular technique that can be used to gain access to systems is network sniffing.
• Sniffing clear-text network traffic is a trivial but effective means of gaining access to systems.
• The macof tool is used for sniffing.
33. Maintaining Access
• In maintaining access, backdoors are created in the target system for future use.
• A backdoor is a piece of software that resides on the target computer and allows the attacker to return to the machine at any time.
• In some cases, the backdoor is a hidden process that runs on the target machine.
• There are many tools nowadays for creating backdoors, e.g. netcat, netcat's cryptic cousin, Netbus, rootkits.
34. NETCAT
THE SWISS ARMY KNIFE
• A tool for communicating over and controlling network traffic flow.
• An excellent choice for a backdoor.
• Can be used to transfer files between machines.
• Can conduct port scans.
• Can serve as a simple instant messenger.
• Can even function as a simple web server.
35. NETCAT
THE SWISS ARMY KNIFE
• Supports sending and receiving both TCP and UDP traffic.
• Netcat can connect from any port on your local machine to any port on the target machine.
37. Hacker Defender
It Is Not What You Think
• Hacker Defender is a rootkit.
• Easy to understand and configure.
• There are three main files:
o hxdef100.exe
o hxdef100.ini
o bdcli100.exe
39. DETECTING AND DEFENDING AGAINST ROOTKITS
• Closely monitor the information you put onto the internet.
• Properly configure your firewall and other access control lists.
• Patch your systems.
• Install and use antivirus software.
• Make use of an intrusion detection system.
• Tools like RootkitRevealer, Vice, and F-Secure's BlackLight are some great free options for revealing the presence of hidden files and rootkits.