Penetration Testing

00:01

Hey, guys, Welcome to another episode of the S S C P Exam prep. I'm your host, Peter Civility.

00:08

This is the fifth lesson in the third do mean

00:11

so far in the third domain, we've taken a look at the risk management process. How to determine the rest, Get no organization faces. We've looked at four ways of handling risk properly. We've looked in mourning, but just simply an evaluation off the framework of a security organization.

00:29

And we've looked at vulnerability, scanning in analysis,

00:33

which is identifying weaknesses that may lie within a system.

00:37

Now finally, in today's lesson, we're gonna look at penetration testing.

00:42

Penetration. Testing is simply an extension of vulnerability scanning, so it's similar to vulnerability scanning in the sense that we look for weaknesses in the system. But penetration testing goes one step further. We actively exploit these weaknesses, trying to expose other weaknesses.

01:02

Let's get started

01:03

penetration. Testing simply takes the vulnerability assessment one step for

01:10

So in the last lesson, we looked at all of those vulnerabilities and found a whole bunch. From now, we're gonna take that one step further. We're gonna try to actively exploit these vulnerabilities through penetration testing penetration. Testing is good because when you exploit certain vulnerabilities, this can lead to

01:30

new vulnerabilities.

01:32

Countries. You testing consists of five general phases preparation, information, gathering,

01:38

information, evaluation at risk analysis,

01:41

active penetration and analysis and reporting.

01:44

We'll be looking all these in the coming lesson.

01:48

Penetration Testing also has

01:49

three different moods. It has the white box moon,

01:53

the grey box and the black box

01:57

book box testing

01:59

White box testing is basically just testers who perform with

02:05

the knowledge of the security and I NT staff. So the I T department knows that these guys are coming in and they will be doing different penetration tests on the system. They're also given a lot of the system. Resource is right. There are. They're given, like network blueprints, plan test times

02:23

and any type of assistance from the I T department.

02:27

Now, this is good and bad. It's good because they have the full cooperation of the organization

02:36

and the fixes can occur much, much faster.

02:40

And it's good for testing incident response procedures, right? It sees how well you're incident response plan. Um, it's

02:51

cons off white box testing. An accurate picture off the network is produced

02:57

um the organization is prepared for attack during white box testing, so defenses might be beefed up more than what they normally would be

03:10

breadbox testing some information is given to the penetration testing team.

03:16

A lot of organizations used his approach when they want the focus to be on accessing the system and not

03:24

information discovery. So with the great box testing the penetration testing team, they have some information rather than all of the single information.

03:38

Now, this is really great because it is like the best of both worlds between white box testing and black box testing, and really allows for focus testing scenarios, considering they have all the necessary information to do your job properly. But at the same time, they don't have everything too

03:58

skewed. The picture of the system

04:00

problem of the problems of this testing coverage maybe a little bit limited due to the access level that has been granted since they don't have access to everything, they might not be able to do certain aspects of testing.

04:15

Now, I'm sure you realize at this point that black box testers is really just testing that is completely unannounced that nobody knows about on The objective is to whatever they can get into, obviously, without causing harm on black box testing. Usually, only upper management knows they're doing this. Even the like the I T staff

04:35

has no idea this is even

04:39

going on, and this is great.

04:41

I personally like the concept of black box testing simply because it gives

04:46

a good look from the organization's true responses. Right It gives it shows with the organization, truly is, and also gives you the point of view from an attacker who's trying to attack from the outside. In

05:01

some of cons of this

05:02

staff like it, their feelings a little bit hurt, especially if, um,

05:09

black box testing guys. They get into quite a lot of things right. They could easily make the ikey staff look bad if they are not up to date on security,

05:19

Let's get the penetration Testing

05:21

step. One is to define goals for the penetration testing exercise. It's very important to be find a scope here, right? You want to be very specific on what your test that you can't just say, Oh, I'm testing the system

05:34

bad. That tells nobody anything. That's a huge scoop. And at that pulling its

05:42

country step things almost pointless. And it's going to be very, very costly if you choose to do that.

05:46

So you never wanna have a very good scope. You want to know exactly what you'll be testing? Not part of this step is to choose the right penetration tools, those important as setting the goals right. You want to let the environment drives the tools, right? You want to see your environment first, and then you want to pick

06:06

penetration testing tools which matched that environment. You do not want to always use certain tools simply because you like those tools and you try to use them for re environment. Some tools are very specific

06:19

to the environment in which they work, and so you definitely wanna mac set up as good as possible for best results.

06:26

Also, you want to analyze any put off testing results, right? You want to use you wanna set up a graphics one steps ratings or reading vulnerability index whenever possible that when you're actually done tests that you put all the results and have the analysis together, you get a very clear picture of how

06:46

adequate or inadequate your system is

06:48

don't

06:49

step. Number two is the information gathering. You definitely want to know about the network and get re con on any type of information from the organization.

07:01

And the other type of information gathering is network mapping, right? You definitely want to.

07:06

I had to piece together how the network has been set up and how it works and how the information flows just so you can kind of get a good idea of your organization In general, you can do this through automated software. There's a lot of software

07:25

that you confined or you can use, which will give you a really good network mapping picture.

07:31

Reconnaissance is definitely needed by a pen tester who has not been granted regular access to a system. So really any kind of pentastar who's doing black box pen testing so infinitely greater access to the system? They need to rely on one thing such a social engineering

07:49

and, you know, kind of like low tech reconnaissance.

07:53

So in case anyone doesn't know, social engineering is an activity that involves the manipulation of persons to get information

08:01

this usually involves, you're talking people wore calling them up and pretending to be something else trying to trick them too, revealing some sort of sensitive information.

08:09

They can also acquire information from the website Any type of news articles about the organization you can google around and find things and especially social media specifically linked in

08:24

a little more higher mid tech re Kon is using who is or central ops for Is this a system that records Internet registration information? So this gives you information about

08:37

D. N s? Usually it's some sort of contact number for someone in the department who the websites registered to that that kind of thing. Also a good way to get the reconnaissance information is D. N s stone transfers, which is really in easy way for D. N s administrators

08:58

to move DNA databases to different Dina servers.

09:01

So our class directed at D. N s server that asked the server for information of the domain. That service was basically to asking for the Dean s database, right, that could come to you the new Mogo, to find some information based on that

09:18

network mapping process that paints a picture of which hosts are up and running.

09:22

Now we're mapping, get very deep, very fast. So it was important to kind of limited to the scope off the project. It's also could be considered a precursor to vulnerability testing.

09:35

Network mapping techniques include you know, a lot of things like Echo over Quest connects can since gan thin skin you different types of skin, using, um, TCP and network flags. We'll get into TCP on I c M P a little bit later.

09:54

But these air just different ways that a person king

09:58

figure out which hosts are on and which ones are often kind of get an idea of how the network works.

10:07

There's also a bunch of built in operating system commands and network mapping of these things, like, you know, trace route, which shows all the different routers or the different path a packet gooses. It goes a system. You have the ping, which I'm sure most people are familiar with. You have

10:26

tell that also and

10:28

who is

10:28

now. There's also plenty of other available tools, which you can acquire

10:33

on. There's a lot of free ones. There's also a lot off what you could pay for, obviously and maths always really good. And then solar winds Super Stan and Lance are also very good tools as well.

10:46

So finally we got all the information. We define our project. So this is the risk analysis part we have to figure out based on all the information. We want to figure out what are the most critical on most important things, which we can

11:03

formulate risk now salon and find any risks which we can actively exploit. Now we have to be careful with this because there are

11:15

certain devices which are mission critical in business. So if we decide to, you know, play around with them a little bit, we could disrupt normal business operations.

11:26

Finally, time for the pen testing. We started doing our thing. We start exploiting different vulnerabilities and seeing we could get into a couple of heads up a warning. Always think twice before attempting to exploit a phoner build and may harm the system.

11:43

Always think twice. Always, please err on the side of caution. Sometimes it's better to just

11:50

say here's a vulnerability that spirit serious and needs to be fixed immediately rather than showing them have serious it is and bringing down the whole says

12:01

So Step five. After the penetration testing is done, it's very important that documentation and analysis are reported to management. Always present the problems that things they should be working on but also present solutions. Give them ideas to work on or to implement that in their organization, which

12:20

they might not even be aware of. Some of these things

12:22

always Taylor to the report to the person looking at it. So as always, usually you people speaking with someone who has very low I t related knowledge and skills. So you always want to use your charts, graphs, summaries, that kind of thing.

12:41

In today's lecture, we discussed the five steps of pen testing

12:46

with Time

12:46

John from ABC. Penetration testing is given the job of testing a system

12:52

he is given system documentation notes at a time. What kind of penetration tester would jump be considered

12:58

a gray box tester?

13:01

Be white box tester,

13:03

see black box tester or D social engineering tester.

13:11

If you said big white box tester than you are correct, remember, white box testing is when all of the system documentation and notes are given ahead of time so the pen tester can actually focus on the test thing and not so much on the reconnaissance and network mapping.