335.2 - Penetration Testing
Key Knowledge Areas:
- Understand the concepts of penetration testing and ethical hacking
- Understand legal implications of penetration testing
- Understand the phases of penetration tests, such as active and passive information gathering, enumeration, gaining access, privilege escalation, access maintenance, covering tracks
- Understand the architecture and components of Metasploit, including Metasploit module types and how Metasploit integrates various security tools
- Use nmap to scan networks and hosts, including different scan methods, version scans and operating system recognition
- Understand the concepts of Nmap Scripting Engine and execute existing scripts
- Awareness of Kali Linux, Armitage and the Social Engineer Toolkit (SET)
Partial list of the used files, terms and utilities:
- nmap
Utilities
nmap
Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing.
Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts.
Nmap Scripting Engine
The Nmap Scripting Engine (NSE) automates networking tasks by executing scripts written in Lua. It can run many scripts in parallel, for example every script whose filename ends in .nse in a directory given to the --script argument. If a relative path to a script is passed, it is searched for in the scripts/ sub-directory of the following locations, in order:
- --datadir
- $NMAPDIR
- ~/.nmap
- directory containing the nmap binary
- directory containing the nmap binary + ../share/nmap
- $NMAPDATADIR
- current directory
Besides filenames (or globs of them), the --script argument also accepts script categories and Boolean expressions over them (e.g., "not intrusive", "default or safe", "default and safe", "(default or safe or intrusive) and not http-*").
After changing local scripts (e.g., scripts added to or removed from the default scripts directory, or a change to any script's categories), update the scripts/script.db index with: nmap --script-updatedb
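The selection expressions above are resolved against the scripts/script.db index. The following is an added example, not part of the original notes or of Nmap itself: a small Python model that parses a constructed script.db-style sample and evaluates --script expressions the way the text describes (and/or/not, parentheses, a comma acting as "or", category names, and glob patterns on script names). The sample entries and their categories are constructed for illustration and do not claim to reflect the real categories of any Nmap script.

```python
"""Model of how nmap's --script argument selects NSE scripts from script.db."""
import fnmatch
import re

# Constructed sample in the layout of nmap's scripts/script.db (not a real copy):
# one Lua table per script, listing its filename and categories.
SAMPLE_SCRIPT_DB = '''
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-enum.nse", categories = { "discovery", "intrusive", "vuln", } }
Entry { filename = "ssh-hostkey.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "smb-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "ssl-cert.nse", categories = { "default", "discovery", "safe", } }
'''

ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}')
TOKEN_RE = re.compile(r'\(|\)|,|[^\s(),]+')


def parse_script_db(text):
    """Return {script name without .nse: set of categories}."""
    db = {}
    for match in ENTRY_RE.finditer(text):
        name = match.group(1)
        if name.endswith(".nse"):
            name = name[:-4]
        db[name] = set(re.findall(r'"([^"]+)"', match.group(2)))
    return db


def select_scripts(expression, db):
    """Return the sorted script names matched by a --script expression.

    Grammar (and binds tighter than or; a comma is an alias for or):
        expr   := term (("or" | ",") term)*
        term   := factor ("and" factor)*
        factor := "not" factor | "(" expr ")" | NAME
    NAME matches a category exactly, or a script name by glob (e.g. http-*).
    """
    tokens = TOKEN_RE.findall(expression)
    pos = [0]

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def take():
        tok = peek()
        pos[0] += 1
        return tok

    def match_term(term):
        if term == "all":
            return set(db)
        pattern = term[:-4] if term.endswith(".nse") else term
        return {name for name, cats in db.items()
                if term in cats or fnmatch.fnmatchcase(name, pattern)}

    def parse_or():
        result = parse_and()
        while peek() in ("or", ","):
            take()
            result = result | parse_and()
        return result

    def parse_and():
        result = parse_not()
        while peek() == "and":
            take()
            result = result & parse_not()
        return result

    def parse_not():
        tok = peek()
        if tok == "not":
            take()
            return set(db) - parse_not()
        if tok == "(":
            take()
            result = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in --script expression")
            return result
        if tok is None or tok in (")", "and", "or", ","):
            raise ValueError(f"unexpected token {tok!r} in --script expression")
        return match_term(take())

    result = parse_or()
    if peek() is not None:
        raise ValueError(f"trailing token {peek()!r} in --script expression")
    return sorted(result)


if __name__ == "__main__":
    db = parse_script_db(SAMPLE_SCRIPT_DB)
    for expr in ("not intrusive", "default and safe",
                 "(default or safe or intrusive) and not http-*"):
        print(f"{expr!r:50} -> {select_scripts(expr, db)}")
```

Running the module shows why "default or safe" and "default and safe" differ on a real index, and why the leading "not intrusive" is the usual way to keep a scan to scripts whose category marks them as non-disruptive.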
Notes
Metasploit
Metasploit is a penetration testing framework written in Ruby.
module types
Modules are stored in type-specific sub-directories at:
- /usr/share/metasploit-framework/modules/
- ~/.msf4/modules/
There are several types:
- exploits: modules that use payloads
- auxiliary: port scanners, fuzzers, sniffers, etc.
- payloads: code that runs remotely
- encoders: payload integrity at the destination
- nops: payload size consistency across exploit attempts
integration
Plugins can be used to add new features, new user interface commands, etc. A plugin can be automatically loaded by adding the following snippet to ~/.msf4/msfconsole.rc:
load plugin_name
plugin_name_command --option
Some examples include:
- besecure: Integrates with the beSECURE - open source vulnerability management
- nessus: Nessus Bridge for Metasploit
- nexpose: Integrates with the Rapid7 Nexpose vulnerability management product
- openvas: Integrates with the OpenVAS - open source vulnerability management
- wiki: Outputs stored database values from the current workspace into DokuWiki or MediaWiki format
Kali Linux
Kali Linux is an open-source, Debian-based Linux distribution geared towards various information security tasks, such as Penetration Testing, Security Research, Computer Forensics and Reverse Engineering.
Armitage
A poorly maintained graphical frontend to Metasploit. The official homepage is at fastandeasyhacking.com, and the original source repository is hosted at Google Code. There is an automatically exported source repository at GitHub, which has two tiers of forks leading to the sources that Kali Linux refers to:
Social Engineer Toolkit (SET)
The Social-Engineer Toolkit (SET) is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. Its sources are available on GitHub.
Certifications
Some cybersecurity-related certifications are: