Penetration Testing For Dummies
Book image
Explore Book Buy On Amazon
As a pen tester you need a solid understanding of how attackers operate and how potential attacks occur. Here, you discover a few items you need to make sure your system, identity, session, or other form of communications are not assumed by an attacker. Many of these tools — such as Kali, Nessus, Wireshark — should be in your penetration testing toolkit.

What makes assumption attacks so difficult to detect is that when they’re pulled off correctly, the hackers act like a pen tester, security analyst, or the CEO of the company! They can infiltrate quickly and be gone before you know there was a breach. For this reason, the lessons learned will highlight the need to harden (fortify) systems as the best form of defense against these types of attacks.

Burp Suite

Burp Suite is a web security pen testing tool that allows you to conduct web vulnerability scans as well as other types of scans to identify issues with cross site scripting (XSS), SQL injection, cross site request forgery (CSRF), and other advanced web attacks.

It also uses the Burp Proxy that allows you to capture and intercept all requests sent and responses received between a web browser and a target system or application to conduct session hijacking and eavesdropping attacks.

Here, the examples are simple, but you can customize Burp Proxy for more complex scenarios. For example, you can have it generate certificates and sign from its internal Certification (or Certificate) Authority (CA).

Burp Suite Using Burp Suite for pen testing

Burp Suite generates the tests that show how vulnerable your web architecture is. Web architecture (say, the Amazon’s shopping cart) consists of three tiers:

  • Tier 1: This is client facing and generally called web and is exactly as it sounds: You access a web page as a client and browse the web.
  • Tier 2 (or N tier): This is the middleware tier where many of the cross-connection technology exists, such as COM and COM+ components, applications functions, and other software that provides functionality to the web access layer and helps to further connect users to the database tier. For example, in a shopping cart, the actual shopping cart software may reside on the middleware.Some applications have architectures that collapse or expand into other tiers; those are called N-tier architecture. N is any number more than 2.
  • Tier 3: This tier is where the databases for all transactions are stored and conducted. It’s where an attacker finds the most useful information, such as credit card numbers, account information, and other valuable data.
The following image shows this tier architecture. Using Burp Suite or other pen testing tool, you can start to see where an advanced persistent threat (APT) attack, MiTM attack, or other assumption, can be very valuable for both parties. For the attacker who gains access, there’s a treasure trove of valuables to acquire. The pen tester might just be able to find the weaknesses before the hacker does.

Viewing an N-tier application Viewing an N-tier application

With Burp Suite, you can set up a proxy that allows you to test your web architecture by routing all web traffic through it. You can then conduct an MiTM scenario that allows you to capture (and further analyze) all traffic back and forth to find any weaknesses, looking for areas where hackers have the potential to conduct replay attacks, eavesdrop, data gather, and find injection. After you have this information, your next step is to tighten security.

If you can get Burp Suite running these pen tests, you have encountered one issue: Can a hacker do the same? If you then run it and find weaknesses, you have a second problem to address, which is the culmination of a pen test report on the weaknesses that are found.

Other advanced attacks you can find using the Burp Suite tool are SQL injection attacks, cross-site scripting (XSS), fuzzing attacks, and others. A tool such as Burp Suite really focuses on these areas in particular, so if you’re conducting more advanced-level tests on web applications, Burp Suite can help you identify those threats more easily.

Wireshark

Vectors, paths and places where hackers can exploit a weakness, are just as important as the penetration itself. Wireshark gives you the ability to find vulnerable vectors. The image below shows how a hacker can use Wireshark to divert legitimate traffic from the user (victim) to the server or resource being used.

Wireshark Using Wireshark to pen test

The gateway to more advanced level attacks is gaining access in the first place. Because of this, you need to see firsthand what gaining access from the vector of network access can provide you.

Consider the scenario shown above. You’re either playing the role of hacker or pen tester. How can you connect to the network to get in the middle of this conversation? The picture is actually simplified. Quite a few steps need to take place for that to happen. Here are some key considerations to think about before you pen test:

  • You need to have a computer with Wireshark installed. This is likely the system you use with your pen test toolkit on it. This way you have your tools available to test with.
  • You need to connect to the network that the systems you want to interrupt and the data you want to intercept is riding on.
  • You need to connect to the network in a way where you can be undetected and remain so. You might want to assume the IP address of a computer (IP spoofing), so you can appear to be the victim and or the resource based on the vector of your attack.
  • You can run Wireshark and have a network interface card (or NIC) running in promiscuous mode, so you can capture all traffic on the network, not just the traffic intended to be sent to you. You need to do this in a switched environment where the communications are controlled.
  • You can run the capture on a computer and have enough space to capture the data on your toolkit system. The only alternative to this is to know exactly when the communication will take place to shorten the capture or set up a capture filter with the specific details of the source and or destination IPs that will send and receive traffic.
  • You need to filter for and isolate the communications to review the captured data.
  • You can set up new tests (or hacks) based on what you previously captured.

Penetration tests are only beneficial if you take measures to eliminate your vulnerabilities.

About This Article

This article is from the book:

About the book author:

Robert Shimonski is an ethical hacker and a professional IT leader who has led numerous efforts to architect, design, strategize and implement enterprise solutions that must remain secure. Rob has been involved in security and technology operations for over 25 years and has written his books from the trenches of experience.

This article can be found in the category: