Posted on

How to conduct Professional Pentesting ? – Part 1

When we talk about ethical hacking, we mean the act of making controlled penetration tests on computer systems; it means that the consultant or pentester, acting from the point of view of a cracker, will try to find vulnerabilities in the audited computers that can be exploited, providing – in some cases – access to the affected system; but always in a controlled environment and never effect the operation of the computer services being audited.

Phases of hacking

Both the auditor and the cracker follow a logical sequence of steps when conducting a hacking. These grouped steps are called phases.
There is a general consensus among the entities and information security
professionals that these phases are 5 in the following order:
1-> Reconnaissance 2-> Scanning 3-> Gaining Access 4-> Maintaining Access 5-> Erasing Clues
Usually these phases are represented as a cycle that is commonly called “the circle of hacking” with the aim of emphasizing that the cracker can continue the process over and over again.

Though, information security auditors who perform ethical hacking services present a slight variation in the implementation phases like this:

1-> Reconnaissance 2-> Scanning 3-> Gaining Access 4-> Writing the Report 5-> Presenting the Report
In this way, ethical hackers stop at Phase 3 of the “circle of hacking” to report their findings and make recommendations to the client.
Subsequent posts will explain each phase in detail, and how to apply software tools and common sense, coupled with the experience, to run an ethical hacking from start to finish in a professional manner.

Types of hacking
When we execute an ethical hacking is necessary to establish its scope to develop a realistic schedule of work and to deliver the economic proposal to the client. To determine the project extent we need to know at least three basic elements: the type of hacking that we will conduct, the modality and the additional services that customers would like to include with the contracted service. Depending on where we execute the penetration testing, an ethical hacking can be external or internal.

External pentesting
This type of hacking is done from the Internet against the client’s public network infrastructure; that is, on those computers in the organization that are exposed to the Internet because they provide a public service. Example of public hosts: router, firewall, web server, mail server, name server, etc.

Internal pentesting
As the name suggests, this type of hacking is executed from the customer’s internal network, from the point of view of a company employee, consultant, or business associate that has access to the corporate network.

In this type of penetration test we often find more security holes than its external counterpart, because many system administrators are concerned about protecting the network perimeter and underestimate the internal attackers.

Black box hacking
This mode is applicable to external testing only. It is called so because the client only gives the name of the company to the consultant, so the auditor starts with no information, the infrastructure of the organization is a “black box”. While this type of audit is considered more realistic, since the external attacker who chooses an X victim has no further information to start that the name of the organization that is going to attack, it is also true that it requires a greater investment of time and therefore the cost incurred is higher too. Additionally, it should be noted that the ethical hacker – unlike the cracker – does not have all the time in the world to perform penetration testing, so the preliminary analysis cannot extend beyond what is possible in practical terms because of cost/time/benefit.

Gray box hacking
This method is often refer to internal pentestings. Nevertheless, some auditors also called gray-box-hacking an external test in which the client provides limited information on public computers to be audited. Example: a list of data such as IP address and type/function of the equipment (router, web-server, firewall, etc.). When the term is applied to internal testing, it is given that name because the consultant receives the same access that an employee would have like having his laptop connected to the internal network and the NIC configured properly (IP address, subnet mask, gateway and DNS server); but does not obtain additional information such as: username/password to join a domain, the existence of related subnets, etc.

White box hacking
White-box hacking is also called transparent hacking. This method applies only to internal pentestings and is called this way because the client gives complete information to the auditor about its networks and systems. This means, that besides providing a connection to the network and configuration information , the consultant receives extensive information such as network diagrams, detailed equipment audit list including names, types, platforms, main services, IP addresses, information from remote subnets, etc. Because the consultant avoids having to find out this information, this kind of hacking usually takes less time to execute and therefore also reduces costs.

Additional hacking services

There are additional services that can be included with an ethical hacking; among the popular ones are: social engineering, wardialing, wardriving, stolen equipment simulation and physical security.
Social engineering
Social engineering refers to the act of gathering information through the
manipulation of people, it means that the hacker acquire confidential data using the wellknown fact that the weakest link in the chain of information security is the human component.
During the early years of Internet, access to it was mostly made by using modems, so it was common for companies to have a group of these devices (modem pool) connected to a PBX to answer the calls that required access to the company’s local network. These modems were connected to a remote access server (RAS), which through a menu entry (username/password) and using protocols such as SLIP or PPP, allowed authorized users to connect as if they were on the local network and have access to resources as applications, shared folders, printers, etc. At that time security was not something that managers meditated much, so many of these modems were not adequately protected, which made them easy prey for the first wardialing programs. What these programs did was dial phone numbers, based on the initial value provided by the user, and record those in which a modem answered instead of a person; then the cracker called these numbers manually and executed AT3 commands to gain access to the modem or ran brute force programs to overcome the key set by the system administrator. Afterward, these programs became more sophisticated and from the same application they could discover modems automatically and execute brute force password attacks.
Today, our way of connecting to the Internet has changed, yet, is a fact to notice that many system and network managers still use modems as a backup strategy to provide remote support in the event of a network failure. It should, therefore, not be dismissed as an entry point into the customer network.
The term wardriving is derived from its predecessor wardialing, but is applied to wireless networks. The hacker strikes up a wireless war from the vicinity of the client/victim company, usually from his parked car with a laptop and a signal booster antenna.The aim is to detect the presence of wireless networks that belong to the client and identify vulnerabilities that could allow entry to the hacker. expertise with customer to back up the devices prior to the audit.
Physical security audit
Although physical security is considered by many experts as an independent subject from ethical hacking, specialized companies can integrate it as part of the service. This type of audit involves difficulties and risks that you must be aware with the aim of avoiding situations that endanger those involved. I point this because a physical security audit could be as simple as an inspection accompanied by customer staff filling
out forms, a little bit more complex when we try getting to the boardroom to place a spy device pretending to be a lost customer, or something as delicate as attempting to circumvent armed guards and enter through a back door.

Finally, once you have obtained the required customer information – type of hacking, mode and optional services – we are ready to prepare a proposal that clearly defines: the scope of the service, the time it takes us to perform the ethical hacking, the deliverable (a report of findings and recommendations), costs and payment.

Write a comment