The illustration for the BackTrack testing process is also given below.
Target scoping
Before starting the technical security assessment, it is important to observe and understand the given scope of the target network environment. It is also necessary to know that the scope can be defined for a single entity or a set of entities that are given to the auditor. What has to be tested, how it should be tested, what conditions should be applied during the test process, what will limit the execution of the test process, how long it will take to complete the test, and what business objectives will be achieved are all possible outlines that should be decided under target scoping. To lead a successful penetration test, an auditor must be aware of the technology under assessment, its basic functionality, and its interaction with the network environment. Thus, the knowledge of the auditor makes a significant contribution to any kind of security assessment.
Information gathering
Once the scope has been finalized, it is time to move into the reconnaissance phase. During this phase, a pentester uses a number of publicly available resources to learn more about the target. This information can be retrieved from Internet sources such as forums, bulletin boards, newsgroups, articles, blogs, social networks, and other commercial or non-commercial websites. Additionally, the data can also be gathered through various search engines such as Google, Yahoo!, MSN Bing, Baidu, and others. Moreover, an auditor can use the tools provided in BackTrack to extract network information about a target. These tools perform valuable data mining techniques for collecting information through DNS servers, trace routes, the Whois database, e-mail addresses, phone numbers, personal information, and user accounts. The more information that is gathered, the greater the chances of a successful penetration test.
Target discovery
This phase mainly deals with identifying the target's network status, operating system, and its relative network architecture. This provides a complete image of the currently interconnected technologies or devices and may help further in enumerating the various services running over the network. By using the advanced network tools from BackTrack, one can easily determine the live network hosts and the operating systems running on them, and characterize each device according to its role on the network. These tools generally implement active and passive detection techniques on top of network protocols, which can be manipulated in different forms to acquire useful information, such as operating system fingerprinting.
Enumerating target
This phase takes all the previous efforts forward and finds the open ports on the target systems. Once the open ports have been identified, they can be enumerated for the running services. A number of port scanning techniques, such as full-open, half-open, and stealth scans, can help determine port visibility even if the host is behind a firewall or Intrusion Detection System (IDS). The services mapped to the open ports help in further investigating the vulnerabilities that may exist in the target network infrastructure. Hence, this phase serves as a base for finding vulnerabilities in various network devices which can lead to a serious penetration. An auditor can use some of the automated tools provided in BackTrack to achieve the goal of this phase.
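As an added example (not part of the original text), the following Python script shows how the three scan styles named above look different to a defender watching client-side TCP flags: it classifies each source's probes as full-open, half-open, or stealth from a constructed packet log and flags sources that touch many distinct ports. The packet records, addresses, and the port threshold are all constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample of client-side TCP packets (src, dst_port, flags) as an
# IDS or firewall might log them; the addresses and ports are made up.
SAMPLE_PACKETS = [
    # full-open probe: complete handshake (SYN, ACK) then a graceful FIN
    ("10.0.0.5", 22, "S"), ("10.0.0.5", 22, "A"), ("10.0.0.5", 22, "FA"),
    # half-open probes: SYN, then RST once the SYN/ACK arrives, never an ACK
    ("10.0.0.9", 80, "S"), ("10.0.0.9", 80, "R"),
    ("10.0.0.9", 443, "S"), ("10.0.0.9", 443, "R"),
    ("10.0.0.9", 8080, "S"), ("10.0.0.9", 8080, "R"),
    # stealth probes: FIN, NULL (no flags) and XMAS (FIN/PSH/URG), no SYN at all
    ("10.0.0.13", 25, "F"), ("10.0.0.13", 110, ""), ("10.0.0.13", 143, "FPU"),
]


def classify_attempt(flag_sequence):
    """Label one client->port flag sequence by how the handshake was handled."""
    if not any("S" in f for f in flag_sequence):
        return "stealth"          # probing without SYN: FIN/NULL/XMAS scan
    if any("A" in f for f in flag_sequence):
        return "full-open"        # handshake completed: connect() scan or real client
    if any("R" in f for f in flag_sequence):
        return "half-open"        # SYN answered, then torn down with RST
    return "incomplete"           # SYN only: filtered port or still pending


def summarize(packets, min_ports=3):
    """Group packets per source and flag sources that probe many distinct ports."""
    attempts = defaultdict(list)
    for src, port, flags in packets:
        attempts[(src, port)].append(flags)
    per_source = defaultdict(lambda: {"techniques": Counter(), "ports": []})
    for (src, port), flags in attempts.items():
        per_source[src]["techniques"][classify_attempt(flags)] += 1
        per_source[src]["ports"].append(port)
    report = {}
    for src, info in per_source.items():
        technique = info["techniques"].most_common(1)[0][0]
        ports = sorted(info["ports"])
        report[src] = {
            "technique": technique,
            "ports": ports,
            # breadth, not flag shape, is what separates a scan from a client
            "suspicious": len(ports) >= min_ports,
        }
    return report


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_PACKETS).items():
        print(src, info)
```

A full-open scan is indistinguishable from a legitimate client on a single port, which is why the report keys on the number of distinct ports per source rather than on flags alone.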
Vulnerability mapping
By the end of the previous phase, we have gathered sufficient information about the target network. It is now time to identify and analyze the vulnerabilities based on the disclosed ports and services. This process can be achieved via a number of automated network and application vulnerability assessment tools present in the BackTrack OS. It can also be done manually, but that takes an enormous amount of time and requires expert knowledge. However, combining both approaches should give an auditor a clear view with which to carefully examine any known or unknown vulnerability that may otherwise exist on the network systems.
Social engineering
Practicing the art of deception is considerably important when there is no open gate available for an auditor to enter the target network. Thus, using a human attack vector, it is still possible to penetrate the target system by tricking a user into executing malicious code that gives backdoor access to the auditor. Social engineering comes in different forms. This can be anybody pretending to be a network administrator over the phone and pressuring you into revealing account information, or an e-mail phishing scam leading to the hijacking of your bank account details. There is an immense set of possibilities that could be applied to achieve the required goal. It is essential to note that a successful penetration may sometimes require additional time studying the human psychology involved before applying any suitable deception against the target.
Target exploitation
After carefully examining the discovered vulnerabilities, it is possible to penetrate the target system based on the types of exploits available. Sometimes it may require additional research or modifications to an existing exploit in order to make it work properly. This may sound difficult, but it becomes easier with the advanced exploitation tools already provided with BackTrack. Moreover, an auditor can also apply client-side exploitation methods mixed with a little social engineering to take control of a target system. Thus, this phase mainly focuses on the target acquisition process, which coordinates three core areas: pre-exploitation, exploitation, and post-exploitation activities.
Privilege escalation
Once the target is acquired, the penetration is successful. An auditor can now move freely within the system depending on his access privileges. These privileges can also be escalated using any local exploits matching the system environment, which, once executed, should attain super-user or system-level privileges. From this point of entry, an auditor might also be able to launch further attacks against the local network systems. This process can be restricted or unrestricted depending on the given target scope. There is also a possibility to learn more about the compromised target by sniffing the network traffic, cracking passwords of various services, and applying local network spoofing tactics. Hence, the purpose of privilege escalation is to gain the highest level of access to the system.
Maintaining access
Sometimes an auditor may be asked to retain access to the system for a specified time period. Such activity can be used to demonstrate illegitimate access to the system without having to repeat the penetration testing process. This saves the time, cost, and resources that would otherwise be spent regaining access to the system. Covert tunneling methods, which use a protocol, proxy, or end-to-end connection strategy to establish backdoor access, can help an auditor maintain a foothold in the target system for as long as required. This kind of system access provides a clear view of how an attacker can maintain a presence in the system without noisy behavior.
Documentation and reporting
Documenting, reporting, and presenting the vulnerabilities found, verified, and exploited will conclude our penetration testing methodology. From an ethical perspective this is extremely important, because the managerial and technical teams concerned can inspect the method of penetration and try to close any security loopholes that may exist. The types of reports created for each relevant authority at the contracting organization may take different perspectives in understanding and analyzing the weak points that exist in their IT infrastructure. Additionally, these reports can serve the purpose of capturing and comparing the target system's integrity before and after the penetration process.