Penetration Testing

Directory
0. Preface
1. Introduction
2. Formulate the implementation plan
3. Specific operation process
4. Generate reports
References

Preface
Under the laws and regulations of some jurisdictions, penetration testing is illegal until the party being tested has authorised it. All the penetration testing methods described here are assumed to be part of a legal assessment service, that is, what is commonly called ethical hacking, so every reader here is expected to be an ethical hacker. If you are not one yet, I hope you will have become one by the time you leave ;)
One more thing: penetration testing is about practice. Copying this document to your website, saving it to your local disk, or even printing it out and eating it with chili sauce will not help; you have to work through the exercises step by step. Testing is also about using your brain: do not simply rely on the tools mentioned in the previous two articles. I can assure you that security on the Internet is not that simple. Good luck...

1. Introduction
What is penetration testing? The simplest and most direct explanation: penetration testing is the process of security testing a target system from the attacker's point of view.

What is the purpose of penetration testing? To measure how well the party being tested understands the security of its current systems and how an attacker might exploit them, so that administrators get an intuitive picture of the problems those systems face. Why intuitive? As Mitnick's book puts it, security management (here: security evaluation) has to be complete to succeed, whereas a hacker (the penetration tester) only needs to get in once; if the system is compromised, the test has already succeeded.

Is penetration testing the same as risk assessment? No. At present, penetration testing is one component of risk assessment. Risk assessment is far broader: besides penetration testing it includes asset identification and risk analysis, and optionally manual review and follow-up remediation.

I have already done a security review; do I still need a penetration test? Suppose I told you that China's existing space theory and computer calculations have proved that Chinese astronauts are fully capable of a spacewalk, so there is no need to launch Shenzhou 8 at all. Would you accept that?

Is penetration testing black-box testing? No; many technical staff misunderstand this point. Penetration testing not only simulates an intrusion by an external hacker but also needs to simulate deliberate (or unintentional) attacks by internal personnel. In that case the tester can be given some information about the system, even code fragments, and the test becomes gray-box or even white-box.

What does penetration testing cover? Technically, mainly network devices, hosts, databases, and application systems. Social engineering (see The Art of Intrusion) can also be added to the scope.

What are the drawbacks of penetration testing? Mainly the high cost and the high risk, and the fact that only a professional ethical hacker can be trusted to produce a reliable final result.
2. Formulate the implementation plan
The implementation plan is worked out through communication and negotiation between the tester and the customer. At the start, the tester gives the customer a short questionnaire to understand how much testing the customer is prepared to accept. It covers, but is not limited to, the following:
Is data destruction allowed?
Is disruption of normal business operations allowed?
Should the contact persons of the relevant departments be informed before the test?
...
Once the customer's feedback is in, the tester writes a first draft of the implementation plan and submits it to the customer for review. After the review, the customer issues written authorisation to the tester. The two documents should contain the following:
Implementation plan: ...

Written authorisation: ...
3. Specific operation process

1. Information gathering
This step does not scan the target directly. First search for related information on the network: Google hacking, whois queries, DNS records and so on (if social engineering is in scope, peripheral information about the target can also be collected from mailing lists and newsgroups, such as how internal staff account names are composed, how identities are verified, e-mail contact addresses and the like). Tools involved include Google, demon, webhosting.info, Apollo, Athena, GHDB.xml, and Netcraft.
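As an added example (not code from the original post or from any of the tools named above), the script below covers two pieces of this step: scoping a GHDB-style dork list to the target domain, and inferring the e-mail account naming convention from addresses harvested from a mailing list. The XML element names are an assumption based on the public GHDB.xml layout; the dork entries and addresses are constructed sample data.

```python
"""Added example, not code from the original post: two small helpers for the
information-gathering step. scope_dorks() turns a GHDB-style dork list into
queries restricted to the target domain; infer_naming_convention() looks at
harvested e-mail addresses and reports the dominant account-naming pattern.
Assumptions: the XML layout (ghdb/signature/categoryName/querystring) is taken
from memory of the public GHDB.xml, and all sample data below is constructed.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in GHDB.xml style; not the real file.
SAMPLE_GHDB = """<?xml version="1.0" encoding="UTF-8"?>
<ghdb>
  <signature>
    <signatureReferenceNumber>1</signatureReferenceNumber>
    <categoryName>Files containing passwords</categoryName>
    <querystring>filetype:sql "insert into" "VALUES" password</querystring>
  </signature>
  <signature>
    <signatureReferenceNumber>2</signatureReferenceNumber>
    <categoryName>Sensitive directories</categoryName>
    <querystring>intitle:"index of" backup</querystring>
  </signature>
  <signature>
    <signatureReferenceNumber>3</signatureReferenceNumber>
    <categoryName>Already scoped</categoryName>
    <querystring>site:example.org inurl:admin</querystring>
  </signature>
</ghdb>
"""

# Constructed addresses, as if harvested from a mailing-list archive.
SAMPLE_EMAILS = [
    "Zhang.Wei@example.org",
    "li.na@example.org",
    "wangfang@example.org",
    "chen.jie@EXAMPLE.ORG",
    "bob@other.test",      # different domain: ignored
    "not-an-email",        # scrape garbage: ignored
]

SITE_OPERATOR = re.compile(r"(^|\s)site:")


def scope_dorks(xml_text, domain):
    """Return (category, query) pairs, each restricted to `domain` with site:.

    A dork that already carries its own site: operator is left untouched so
    the scope is not doubled."""
    root = ET.fromstring(xml_text)
    scoped = []
    for sig in root.iter("signature"):
        query = (sig.findtext("querystring") or "").strip()
        category = (sig.findtext("categoryName") or "").strip()
        if not query:
            continue
        if not SITE_OPERATOR.search(query):
            query = f"site:{domain} {query}"
        scoped.append((category, query))
    return scoped


# Local-part shapes, most specific first.
LOCAL_PATTERNS = [
    ("first.last", re.compile(r"^[a-z]+\.[a-z]+$")),
    ("first_last", re.compile(r"^[a-z]+_[a-z]+$")),
    ("first-last", re.compile(r"^[a-z]+-[a-z]+$")),
    ("letters+digits", re.compile(r"^[a-z]+\d+$")),
    ("letters", re.compile(r"^[a-z]+$")),
]


def classify_local_part(local):
    """Name the shape of one mailbox local-part (already lower-cased)."""
    for name, pattern in LOCAL_PATTERNS:
        if pattern.match(local):
            return name
    return "other"


def infer_naming_convention(emails, domain):
    """Count account-name patterns for addresses at `domain` (case-insensitive).

    Returns (dominant_pattern, Counter); dominant_pattern is None when no
    address belonged to the domain."""
    counts = Counter()
    for addr in emails:
        m = re.match(r"^([^@\s]+)@([^@\s]+)$", addr.strip().lower())
        if not m or m.group(2) != domain.lower():
            continue
        counts[classify_local_part(m.group(1))] += 1
    if not counts:
        return None, counts
    return counts.most_common(1)[0][0], counts


if __name__ == "__main__":
    for category, query in scope_dorks(SAMPLE_GHDB, "example.org"):
        print(f"[{category}] {query}")
    pattern, counts = infer_naming_convention(SAMPLE_EMAILS, "example.org")
    print(f"dominant naming convention: {pattern} {dict(counts)}")
```

The point of the second helper is the social-engineering note above: once you know that accounts look like first.last, a single staff name from a newsgroup post is enough to guess a valid login for the password-cracking step later on.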


2. Vulnerability scanning
This step targets specific systems. For example, once step 1 has given us the target's IP address ranges and the corresponding domain names, and some analysis has narrowed them down to a handful of attack targets, we can scan those for specific vulnerabilities. This splits into several areas:
System-level tools include ISS, Nessus, SSS, Retina, Tianjing, and Aurora.

Web application layer tools include AppScan, Acunetix Web Vulnerability Scanner, WebInspect, and N-Stalker.

Database tools include:

VoIP tools include PROTOS c07-sip (which can be used directly in testing) and c07-h225, SiVuS, and sipsak.

In practice every penetration testing team has a test kit of its own to some degree, and the vulnerability scanners for specific applications tend to be the most customised.

3. Vulnerability exploitation
Sometimes, after fingerprinting a service or application, we can skip the vulnerability scan and go straight to exploitation. In many cases, once we have the version of the target service or application, exploit code for it can be found on security sites such as milw0rm, SecurityFocus, and PacketStorm, all of which have a search function. Failing that, try searching Google with keywords such as "exploit" or "<application name> vulnerability".

Of course, in most cases you need not go to so much trouble, since ready-made tools exist on the network. Metasploit is the best known: an open-source, free exploitation platform, and the fact that it ranks in the top five of the Top 100 security tools list gives some idea of its power. If you (or your company) have enough money for commercial software, Core Impact is worth considering: it is very expensive, but the industry regards it as the leading authority in penetration testing, with essentially fully automated testing. Canvas is said to come with many 0-day exploits when purchased, but like Metasploit it requires manual testing. Finally, Exploitation_framework deserves a mention: it is in effect a management tool for exploit code, making it easy to collect code written in different languages for different platforms, and it also maintains an exploit library for reference.

The above concerns systems. On the web side, injection tools include NBSI, OWASP SQLiX, SQL Power Injector, SQLDumper, sqlninja, sqlmap, sqlbftools, Priamos, ISR-sqlget, and so on.

Database-oriented tools include:
Database         Tool
Oracle           THC-Orakel
MS SQL Server
MySQL
DB2

Worth noting here: many penetration testing teams have their own testing tools and even 0-day code. SQL injection tools are the commonest case. The injection tools available on the network today (NBSI, for instance) are aimed at small and medium-sized enterprise or personal sites and their databases, while the less common database systems used by large targets (Informix and DB2, for instance) are basically not covered, or not covered in enough depth. So each penetration testing team develops testing tools that suit its own habits.

4. Privilege escalation

5. Password cracking
Sometimes the target system's configuration is impeccable, but that does not mean there is no way in. Put simply, a system without a complete password policy is like a house fitted with a door that will not close. Many security researchers dismiss this, but countless security incidents have shown that the most destructive attacks usually start from the smallest weaknesses: weak passwords, directory listings, SQL injection, and so on. So while this step matters little to a specialised security researcher, for an ethical hacker it is necessary, and in most cases indispensable ;)

At present the better network password brute-forcing tools are THC-Hydra and Brutus.

A widely used resource on the network today is the rainbow table: put simply, a precomputed table of hashes that trades storage space for cracking time. Some websites offer lookups as a service and claim data sets well beyond the gigabyte range; RainbowCrack, for example, claims its data set exceeds 1.3 TB. Online services of this kind:
Service / URL                                   Description
RainbowCrack                                    Covers hashes of several algorithms
http://gdataonline.com/seekhash.php
http://www.milw0rm.com/cracker/info.php
http://www.hashchecker.com/?_SLS=search_hash
http://bokehman.com/cracker/
http://passcracking.ru/
http://md5.neeao.com/                           Domestic (Chinese) online MD5 lookup platform, said to integrate hash results from several other sites
http://www.cmd5.com/                            The site's own description is interesting: lots of optimisation for domestic users... whether that is true I cannot say
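To show what the time-memory trade-off behind a rainbow table actually looks like, here is an added example (not from the original post, and not the code of RainbowCrack or any other tool named here): a toy MD5 rainbow table over 4-digit PINs. The keyspace, chain length, chain count and reduction function are all my own choices for illustration.

```python
"""Added example, not code from the original post: a miniature rainbow table
for unsalted MD5 over 4-digit numeric PINs. Only (endpoint, start) pairs are
stored; every other hash in a chain is recomputed on demand at lookup time.
Assumptions: keyspace, chain length, chain count and the reduction function
are toy choices; real tables scale the same structure to terabytes.
"""
import hashlib

KEYSPACE = 10_000   # PINs "0000".."9999"
CHAIN_LEN = 20      # hashes covered per stored chain
N_CHAINS = 1_000    # stored (endpoint -> start) pairs


def h(pin):
    """The hash being attacked: unsalted MD5 of the PIN, as a hex digest."""
    return hashlib.md5(pin.encode()).hexdigest()


def reduce_(digest, step):
    """Reduction function: map a digest back into the keyspace. It depends on
    the chain position `step`, which is what makes this a rainbow table rather
    than a classic Hellman table and limits how far merged chains collapse."""
    return f"{(int(digest[:8], 16) + step) % KEYSPACE:04d}"


def chain(start, chain_len=CHAIN_LEN):
    """All PINs whose hashes a chain starting at `start` covers (positions 0..L-1)."""
    pins = [start]
    for step in range(chain_len - 1):
        pins.append(reduce_(h(pins[-1]), step))
    return pins


def endpoint(start, chain_len=CHAIN_LEN):
    """Final reduced value after L hash/reduce rounds; this is what gets stored."""
    pin = start
    for step in range(chain_len):
        pin = reduce_(h(pin), step)
    return pin


def build_table(n_chains=N_CHAINS, chain_len=CHAIN_LEN):
    """Precompute N chains; storing endpoints only is the memory saving."""
    table = {}
    for i in range(n_chains):
        start = f"{(i * 7919) % KEYSPACE:04d}"   # deterministic, spread-out starts
        # setdefault keeps the first chain when two chains merge on an endpoint
        table.setdefault(endpoint(start, chain_len), start)
    return table


def lookup(table, target, chain_len=CHAIN_LEN):
    """Recover the PIN for `target` (hex MD5) or return None.

    Guess that the target sits at position k of some chain, regenerate the
    chain tail from there, and see whether that endpoint is stored. Because
    chains can merge, a hit is only a candidate: walk the stored chain from
    its start and return a PIN only if it really hashes to the target."""
    for k in range(chain_len - 1, -1, -1):
        pin = reduce_(target, k)
        for step in range(k + 1, chain_len):
            pin = reduce_(h(pin), step)
        start = table.get(pin)
        if start is None:
            continue
        for candidate in chain(start, chain_len):
            if h(candidate) == target:
                return candidate
    return None


def coverage(table, sample, chain_len=CHAIN_LEN):
    """Fraction of `sample` PINs the table can recover (tables never cover 100%)."""
    hits = sum(1 for pin in sample if lookup(table, h(pin), chain_len) == pin)
    return hits / len(sample)


if __name__ == "__main__":
    table = build_table()
    print(f"stored {len(table)} chains for a keyspace of {KEYSPACE}")
    print("md5('4217') ->", lookup(table, h("4217")))   # None if that PIN is uncovered
    sample = [f"{i:04d}" for i in range(0, KEYSPACE, 37)]
    print(f"coverage on {len(sample)} sampled PINs: {coverage(table, sample):.0%}")
```

Two things the paragraph above does not spell out follow directly from the code: a lookup costs on the order of L squared hash operations rather than one table probe, which is the "time" half of the trade-off, and the whole table is tied to one specific hash function with no salt. A per-user salt forces the attacker to build a separate table per salt value, which is why the stand-alone crackers below still matter for salted Unix and Windows hashes.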
Of course, stand-alone cracking software is still essential: ophcrack, RainbowCrack (developed by a Chinese author, Lian), Cain, L0phtCrack (cracks Windows passwords), John the Ripper (cracks Unix/Linux passwords), and of course there is still FindPass...

If during a penetration test you get hold of Office documents that turn out to be encrypted, Rixler is the place to go straight away: their Office password recovery suite opens Office documents instantly (I have not tried it on Office 2007; if you get the chance to test it, please send me a note of the results, thank you). It seems Microsoft has some reason for patching this, or the like. For enterprises, Tiejuan (铁卷) or RMS can be used instead.

4. Generate reports
The report should include:
A list of weaknesses, sorted by severity
A detailed description of each weakness (how it was exploited)
Remediation suggestions
Participants / test dates / intranet or Internet scope
References:
Global Penetration Testing Technical White Paper v1.4
Penetration Testing Framework
Report Template
http://www.phenoelit.de/dpl/dpl.html
http://snakeoillabs.com/downloads/GHDB.xml
http://www.eccouncil.org/Course-Outline/Ethical%20Hacking%20and%20Countermeasures%20Course.htm
http://www.owasp.org/index.php/OWASP_Testing_Project