Penetration testing - common examples?

Attack surface

First of all, you should get an idea of the attack surface. Since you talk of a 'penetration test' you should start with no previous information.

For that, you could use nmap. If your objective is not stealth, just use a connect scan. If you want to be more stealthy, use a SYN scan or any of the other scan methods. If you want to use it with other tools, you had better configure XML output (alongside the human-readable output, to be able to read it yourself).

If you have time, use the full port range and enable operating system and service identification (-O -sV). Be careful with UDP scans, as they can be quite slow.

The result should give you an idea of the different network services you could potentially penetrate.

You can also try NSE scripts from nmap, which extend nmap's capacity for discovery.

Vulnerability discovery

Next, try to find vulnerabilities in those services. You could do this in several ways:

  • Use an automated tool:
    • Mostly network: Nessus, OpenVAS
    • Application: nikto, skipfish, w3af
  • Search vulnerability databases based on the versions of the services: OSVDB, securityfocus vulnerabilities, NVD, etc.
  • Test by hand, using curl, netcat, etc. if you know the service and can interact with it directly (e.g. mail servers, web servers, IMAP servers, etc.)

Exploit

After discovering vulnerabilities, if you are entitled to, you could try to really exploit them. This could mean:

  • Brute-force authentication systems for the services found (including web sites). There are lots of tools for this. Nessus and OpenVAS can have dictionaries for common services.
  • Use metasploit with the results from Nmap and Nessus or OpenVAS to test if there are already exploits available (db_create and db_import_nmap_xml and db_import_nessus_nbe).
  • Look for exploits on sites like packetstorm or milw0rm or exploit-db. And care to analyze the code before launching them... or else...
  • Use the tools for exploiting vulnerabilities from w3af.

If you can exploit some system or service, try to pivot from there to expand your attack surface.

Results communication

It is important how you communicate your results. Try to report all your tests (whether successful or not). Try to give some metrics about the results (number of open ports (total and mean per host), number and importance of vulnerabilities, etc.). If you exploit a vulnerability, record it as a video and take some screenshots.

Explain the importance of your discoveries and, if you can, relate them to business loss.

More information

This is a very short review and I may have overlooked lots of information; you should read OSSTMM and the OWASP testing guide for more information.

And don't forget that...

...penetration testing is not conclusive. At the end, you will be somewhere on the following indicator of the state of your network (as Markus said, wrote and showed in his Rear Guard Security podcast).

Badness-o-meter
(source: rearguardsecurity.com)


Have you considered using tools such as Nessus or OpenVAS that will do that for you?


I'm a novice, but the Official Nmap handbook is not only incredibly comprehensive and well-written, but provides general procedures for network vulnerability scanning. If that's what you're looking for, I recommend that.