Penetration Testing Methodologies, Processes and Approach

Most penetration test are customized to meet the specific requirements for risk reduction and tolerance, high priority applications, and your unique environment.  For the purpose of conveying a GENERAL approach, SAVANTURE’s Penetration Testing Methodologies, Processes and Approach to Penetration Testing is as follows:

 

Public Information Discovery

During this step, SAVANTURE will try to discover as much information as possible about the Customer’s infrastructure from the public domain. This involves querying public databases such as RIPE and ARIN for domain ownership records, performing DNS lookups, and searching the Internet for other information – known names, email addresses, telephone numbers, usenet postings, etc. This information is used to map the external boundaries of the Customer’s network, and to plan the next stage of the attack.

Public-Facing Address Confirmation

Once the first step is complete, SAVANTURE will confirm that any public addresses identified for penetration testing are owned by the Customer, and that the addresses are actually in scope for the test. In addition, this step will give opportunity for the Customer to add any addresses that may not have been discovered by the public search to the scope of the external test.
 

Network Mapping Phase

Using recognized security testing techniques, SAVANTURE gathers information about the network in order to characterize and map the network’s boundaries. Using a combination of public domain and proprietary network mapping tools, network sweepers, and port scanning tools, SAVANTURE will identify any probable points of entry into the targeted network.

SAVANTURE typically executes such specific steps as follows:

      • Tracing IP packets between network segments in order to determine the network topology. Typically, tools such as traceroute, ping, nmap and tcptraceroute are used in this step, and these tools are coordinated by SAVANTURE proprietary mapping scripts.
      • Querying Domain Name Services (DNS) to determine if a zone transfer can be executed and internal DNS information obtained. Tools such as dig, the bind tools and proprietary scripts are used for this step.
      • Using port scanning software such as nmap to identify any open ports or services (e.g. mail, telnet, high number ports) on devices or servers reachable via the Internet.
      • Connecting to open ports using TCP or UDP network utilities to determine the type(s) of operating system(s), firewall application(s) and network service versions in use. This is typically accomplished using tools such as bannergrab-ng, nmap, amap, netcat and proprietary scripts.

 

Vulnerability Mapping Phase

The overall objective of this phase is to map the profile of each system to be tested against publicly known, or in some cases unknown, vulnerabilities relevant to the systems under test. Performing this task facilitates the penetration testing phase by structuring the information gathered during the network mapping phase and allows the tester to perform only those exploits relevant to the system.

SAVANTURE will map the vulnerabilities listed in public sources of vulnerability information, such as Bugtraq, OSVDB and CERT, to the profiles identified in the network mapping phase and also incorporate current underground exploits and vulnerabilities if appropriate.

Expected results for the Vulnerability Mapping Phase will list the type of system, application or service by vulnerability. The vulnerabilities mapped to each system under test will include relevant tests to be applied.

This phase of the test will also include testing for mis-configurations and information leakage. Tools typically used for this phase of testing are enumeration tools such as enum, onesixtyone, the openldap toolset, hydra, oracsec, and other, proprietary tools. Some of these proprietary tools are based on the nasl scripting language, and use modified Nessus modules. A fully updated copy of Nessus is used as a catch-all vulnerability scanner.
 

Penetration Phase

This phase is where the SAVANTURE team will carry out the actual penetration attempt. This is not a mere simulation of hacking but a focused attempt to enter the target systems. The penetration phase will begin where the vulnerability mapping phase left off.  The goal of network and vulnerability mapping was to build an overall picture of the network and to begin to identify areas that may be most vulnerable in the network.

SAVANTURE will then attempt to gain access to the Customer’s network by leveraging the vulnerabilities and weaknesses discovered to a point where we are in a position to compromise information or the integrity of your network. SAVANTURE may use vulnerability scanning tools to scan the target network and systems with all its varying configurations of hardware and software, but while these scanners can perform the bulk of the scanning, manual verification is necessary to eliminate false positives, expand the scope, and to discover the data flow in and out of the network. Manual testing refers to a person or persons at the computer using creativity, experience, and ingenuity to test the target network in view of penetrating the network using SAVANTURE’s own techniques.

Please note for AWS Penetration testing there are special requirements.
 

Testing Tools

During a Penetration Test, a variety of automated tools are used to increase the thoroughness of the analysis and to increase efficiency of the Penetration Tester which allows us to deliver a thorough test at an attractive price point. The tools frequently used in performing the test performed in the SOW may include, but are not limited to, the following.
 
[slideshow_deploy id=’1642′]

SAVANTURE will also use other testing processes, including testing scripts, system commands, CGI script scanners, router configuration scanner scripts, and checklists.

Manual verification is carried out using combinations of the tools listed previously, in addition to proprietary tools and simple Customers such as those for Terminal Services, HTTP servers, MS-SQL, CIFS file shares, NFS exports, NIS, LDAP servers. Network configuration issues are not normally exploited as this can lead to network failure. However, should exploitation be desired, this is accomplished using tools such as Zebra and hping.

Exploitation of common host-based vulnerabilities is facilitated by the use of frameworks such as metasploit and canvas, whilst on-host data gathering is achieved by tools such as cachedump, lsadump and pwdump in conjunction with proprietary tools that are essentially batch files or shell scripts wrapping system tools such as the Windows net command and standard UNIX shell utilities. These and certain other techniques are considered aggressive, and will not be used on hosts providing live services without the permission of the technical contact.
 

Reporting: Coordination of Testing

SAVANTURE will carefully coordinate all tests with the Customer. This coordination will include identification of systems to be tested, tests to be conducted, testing times, and the expected impact to these systems.

Return to SAVANTURE Penetration Testing.