Penetration testing - common examples?
Attact surface
First of all, you should get an idea of the attack surface. Since you talk of a 'penetration test' you should start with no previous information.
For that, you could use nmap
. If your objective is no stealth, just use connect scan. If you want to be more stealthy, use syn scan or any of the other scan methods. If you want to use it with other tools, you better configure XML output (alongside human, to be able to read it yourself).
If you have time, use the full port range and set operating system and service identification -O -sV
. Be careful with UDP scan, as it can be quite slow.
The result should give you an idea of the different network services you could potentially penetrate.
You can also try NSE scripts from nmap which extends nmap capacity for discovery.
Vulnerability discovery
Next, try to find vulnerabilities to those services. You could do this on several ways:
- Use an automated tool:
- Mostly network: Nessus, OpenVAS
- Application: nikto, skipfish, w3af
- Search vulnerabilities databases based on version of services: OSVDB, securityfocus vulnerabilities, NVD, etc.
- Test by hand, using curl, netcat, etc. if you know the service and can interact with it directly (e.g. mail servers, web servers, IMAP servers, etc.)
Exploit
After discovering vulnerabilities, if you are entitled to, you could try to really exploit them. This could mean:
- Bruteforce authentication systems for the services found (including web sites). There are lots of tools for this. Nessus and OpenVAS can have dictionaries for common services.
- Use metasploit with the results from Nmap and Nessus or OpenVAS to test if there are already exploits available (
db_create
anddb_import_nmap_xml
anddb_import_nessus_nbe
). - Look for exploits on sites like packetstorm or milw0rm or exploit-db. And care to analyze the code before launching them... or else...
- Use the tools for exploiting vulnerabilities from w3af.
If you can exploit some system or service, try to pivot from there to expand your attack surface.
Results communication
It is important how you communicate your results. Try to tell all your tests (whether successfull or not). Try to give some metrics about the results (number of open ports (total and mean by host), number and importance of vulnerabilities, etc.). If you exploit a vulnerability, record it as a video and take some screenshots.
Explain the importance of your discoveries and, if you can, relate it to business loss.
More information
This is a very short review and I may have overlooked lots of information, you should read OSSTMM and OWASP testing guide for more information.
And don't forget that...
...penetration testing is not conclusive. At the end, you will be somewhere of the following indicator about the state of your network (as Markus said, wrote and showed in his rear guard security podcast).
(source: rearguardsecurity.com)
Have you considered using tools such as Nessus or OpenVAS that will do that for you ?
I'm a novice, but the Official Nmap handbook is not only incredibly comprehensive and well-written, but provides general procedures for network vulnerability scanning. If that's what you're looking for, I recommend that.