Penetration Testing For Dummies^®

Published by: John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030-5774, www.wiley.com

Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, For Dummies, the Dummies Man logo, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

For general information on our other products and services, please contact our Customer Care Department within the U.S. at 877-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002. For technical support, please visit https://hub.wiley.com/community/support/dummies.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2020934346

ISBN 978-1-119-57748-5 (pbk); ISBN 978-1-119-57747-8 (ebk); ISBN 978-1-119-57746-1 (ebk)

Penetration Testing For Dummies®

To view this book's Cheat Sheet, simply go to www.dummies.com and search for “Penetration Testing For Dummies Cheat Sheet” in the Search box.

Table of Contents

Cover

Introduction

About This Book
Foolish Assumptions
Icons Used in This Book
What You’re Not to Read
Where to Go from Here

Part 1: Getting Started with Pen Testing

Chapter 1: Understanding the Role Pen Testers Play in Security
1. Looking at Pen Testing Roles
2. Getting Certified
3. Gaining the Basic Skills to Pen Test
4. Introducing Cybercrime
5. What You Need to Get Started
6. Deciding How and When to Pen Test
7. Taking Your First Steps
Chapter 2: An Overview Look at Pen Testing
1. The Goals of Pen Testing
2. Scanning Maintenance
3. Hacker Agenda
4. Doing Active Reconnaissance: How Hackers Gather Intelligence
Chapter 3: Gathering Your Tools
1. Considerations for Your Toolkit
2. Nessus
3. Wireshark
4. Kali Linux
5. Nmap

Part 2: Understanding the Different Types of Pen Testing

Chapter 4: Penetrate and Exploit
1. Understanding Vectors and the Art of Hacking
2. Examining Types of Penetration Attacks
3. Cryptology and Encryption
4. Using Metasploit Framework and Pro
Chapter 5: Assumption (Man in the Middle)
1. Toolkit Fundamentals
2. Listening In to Collect Data
Chapter 6: Overwhelm and Disrupt (DoS/DDoS)
1. Toolkit Fundamentals
2. Understanding Denial of Service (DoS) Attacks
3. Buffer Overflow Attacks
4. Fragmentation Attacks
5. Smurf Attacks
6. Tiny Packet Attacks
7. Xmas Tree Attacks
Chapter 7: Destroy (Malware)
1. Toolkit Fundamentals
2. Malware
3. Ransomware
4. Other Types of Destroy Attacks
Chapter 8: Subvert (Controls Bypass)
1. Toolkit Fundamentals
2. Attack Vectors
3. Phishing
4. Spoofing
5. Malware

Part 3: Diving In: Preparations and Testing

Chapter 9: Preparing for the Pen Test
1. Handling the Preliminary Logistics
2. Gathering Requirements
3. Coming Up with a Plan
4. Having a Backout Plan
Chapter 10: Conducting a Penetration Test
1. Attack!
2. Looking at the Pen Test from Inside
3. Documenting Your Every Move
4. Other Capture Methods and Vectors
5. Assessment
6. Prevention

Part 4: Creating a Pen Test Report

Chapter 11: Reporting
1. Structuring the Pen Test Report
2. Creating a Professional and Accurate Report
3. Delivering the Report: Report Out Fundamentals
4. Updating the Risk Register
Chapter 12: Making Recommendations
1. Understanding Why Recommendations Are Necessary
2. Seeing How Assessments Fit into Recommendations
3. Networks
4. Systems
5. General Security Recommendations: All Systems
6. More Recommendations
Chapter 13: Retesting
1. Looking at the Benefits of Retesting
2. Understanding the Reiterative Nature of Pen Testing and Retesting
3. Determining When to Retest
4. Choosing What to Retest
5. Running a Pen Retest

Part 5: The Part of Tens

Chapter 14: Top Ten Myths About Pen Testing
1. All Forms of Ethical Hacking Are the Same
2. We Can’t Afford a Pen Tester
3. We Can’t Trust a Pen Tester
4. We Don’t Trust the Tools
5. Pen Tests Are Not Done Often
6. Pen Tests Are Only for Technical Systems
7. Contractors Can’t Make Great Pen Testers
8. Pen Test Tool Kits Must Be Standardized
9. Pen Testing Itself Is a Myth and Unneeded
10. Pen Testers Know Enough and Don’t Need to Continue to Learn
Chapter 15: Ten Tips to Refine Your Pen Testing Skills
1. Continue Your Education
2. Build Your Toolkit
3. Think outside the Box
4. Think Like a Hacker
5. Get Involved
6. Use a Lab
7. Stay Informed
8. Stay Ahead of New Technologies
9. Build Your Reputation
10. Learn about Physical Security
Chapter 16: Ten Sites to Learn More About Pen Testing
1. SANS Institute
2. GIAC Certifications
3. Software Engineering Institute
4. (Assorted) Legal Penetration Sites
5. Open Web Application Security Project
6. Tenable
7. Nmap
8. Wireshark
9. Dark Reading
10. Offensive Security

Index

About the Author

Advertisement Page

Connect with Dummies

End User License Agreement

List of Illustrations

Chapter 1

FIGURE 1-1: Adding an IP range to scan.
FIGURE 1-2: Examining the OSI model.
FIGURE 1-3: Digging into a network packet capture.
FIGURE 1-4: Review a firewall log.
FIGURE 1-5: Metasploit is one tool for pen testing.
FIGURE 1-6: Use Nessus to conduct an assessment.
FIGURE 1-7: Examining a Retina CS scan.

Chapter 2

FIGURE 2-1: Sample output from Nessus.
FIGURE 2-2: Nmap is a tool you use to conduct to ping sweeps.
FIGURE 2-3: Examples of commonly used AV programs.

Chapter 3

FIGURE 3-1: Nessus output.
FIGURE 3-2: Using Nessus to scan a network router.
FIGURE 3-3: Select a scan template type.
FIGURE 3-4: Create your first Nessus scan.
FIGURE 3-5: Using Wireshark Network Analyzer.
FIGURE 3-6: Launching and using Wireshark to analyze traffic.
FIGURE 3-7: Drilling down into captured data.
FIGURE 3-8: Examining the traffic between host endpoints with Wireshark.
FIGURE 3-9: Testing FTP access with Wireshark.
FIGURE 3-10: Using tcdump on Kali Linux.
FIGURE 3-11: Explore the Kali Linux toolset.
FIGURE 3-12: Loading and using Nmap in Kali Linux.
FIGURE 3-13: Creating a network map with Nmap.

Chapter 4

FIGURE 4-1: Accessing the Kali Linux menu to begin a social engineering attack.
FIGURE 4-2: From the Toolkit menu, choose Social-Engineering Attacks.
FIGURE 4-3: Choose Website Attack Vectors from this list.
FIGURE 4-4: Cloning a site re-creates an exact replica of it.
FIGURE 4-5: The options I chose to create a clone website.
FIGURE 4-6: I set up a clone Google.com — for pen-testing purposes only!
FIGURE 4-7: The different areas of attack vectors.
FIGURE 4-8: A password crack via Metasploit.
FIGURE 4-9: Using Wireshark to capture and expose data protected by SSL.
FIGURE 4-10: Metasploit Pro’s Quick PenTest wizard.
FIGURE 4-11: Running a quick pen test with Metasploit Pro.

Chapter 5

FIGURE 5-1: Using Burp Suite for pen testing.
FIGURE 5-2: Viewing an N-tier application.
FIGURE 5-3: Using Wireshark to pen test.
FIGURE 5-4: Using Wireshark to grab packets in a sniffing operation.
FIGURE 5-5: A card skimmer on an ATM.

Chapter 6

FIGURE 6-1: Using Kali for pen testing disruption attacks.
FIGURE 6-2: Launching an attack from outside the network.
FIGURE 6-3: Using Kali T50 to send a flood attack to a host.
FIGURE 6-4: Viewing resources with the Linux top command.
FIGURE 6-5: How a distributed denial of service (DDoS) attack works.
FIGURE 6-6: How the buffer overflow attack works.
FIGURE 6-7: Use Kali’s fragroute and fragmentation6 to determine your level of ...
FIGURE 6-8: Sending malformed packets to hosts with Kali’s fragtest.
FIGURE 6-9: Using ping to generate a sweep and smurf attack.
FIGURE 6-10: Use Wireshark to identify tiny packet attacks.

Chapter 7

FIGURE 7-1: Nessus offers various scan types for pen testing destroy attacks.
FIGURE 7-2: Looking for hosts that are vulnerable to known threats.
FIGURE 7-3: A typical external vector attack with the goal of destroying a data...
FIGURE 7-4: An example of a ransomware attack.
FIGURE 7-5: An example of AV endpoint protection.

Chapter 8

FIGURE 8-1: Kali’s Information Gathering menu can help you perform subvert and ...
FIGURE 8-2: Using Nmap to launch an attack against a router/routing device scan...
FIGURE 8-3: Conducting a SYN scan to identify open ports.
FIGURE 8-4: Identifying possible hosts and ports.
FIGURE 8-5: Learning the MAC address of the scanned device and distance by netw...
FIGURE 8-6: Internal and external subvert attacks operate under the same concep...
FIGURE 8-7: Host-based AV software indicates there’s an issue requiring attenti...
FIGURE 8-8: Updating and fixing your AV.

Chapter 9

FIGURE 9-1: Use a RACI chart to identify roles and responsibilities.
FIGURE 9-2: Consult past results to help with future tests.
FIGURE 9-3: Reviewing threats on the risk register.
FIGURE 9-4: Reviewing attack vectors to devise a test plan.
FIGURE 9-5: Reviewing Nessus scan templates.
FIGURE 9-6: Tuning tools with filters for prep.

Chapter 10

FIGURE 10-1: Doing a WhoIs search to gain intel.
FIGURE 10-2: Pinging at a command prompt to get an IP address or range to scan.
FIGURE 10-3: Using Kali (Xhydra) to crack a router password.
FIGURE 10-4: A network map with IP addressing.
FIGURE 10-5: Building a network map with Nessus.
FIGURE 10-6: Building a network map with Nmap.

Chapter 11

FIGURE 11-1: An example executive summary.
FIGURE 11-2: Documenting and reporting attack vectors is part of your narrative...
FIGURE 11-3: An example of a Tools, Methods, and Vectors section.
FIGURE 11-4: Include your main findings in your report.
FIGURE 11-5: An example of a report conclusion.

Chapter 12

FIGURE 12-1: Reviewing Nessus for hardening tips.
FIGURE 12-2: A large network map.
FIGURE 12-3: Disabling unneeded services, such as telnet services.
FIGURE 12-4: Changing a default port to help secure a system.
FIGURE 12-5: Using a firewall allows you to monitor access in and out.
FIGURE 12-6: Antivirus software is still an effective way to protect devices fr...
FIGURE 12-7: Finding SMB issues on the network with Nessus.
FIGURE 12-8: Use encryption such as SSL.
FIGURE 12-9: Saving copies of logs in case a hacker interferes.

Chapter 13

FIGURE 13-1: The pen testing and retesting processes are very similar.
FIGURE 13-2: Prioritizing retesting tasks with a tier system.
FIGURE 13-3: My updated documentation to reference during the retest.
FIGURE 13-4: Using Nessus to find ways to reduce risks in web architecture.
FIGURE 13-5: Mapping a network and finding new problems.
FIGURE 13-6: Using Nmap to exploit NTP.

Chapter 14

FIGURE 14-1: A sample metric of cyber threats and their growth.
FIGURE 14-2: Wireshark’s bug fix list.
FIGURE 14-3: A schedule of tests.

Chapter 15

FIGURE 15-1: Using Kali and VMware virtualization.
FIGURE 15-2: Using a plan B alternative.
FIGURE 15-3: Creating a viable lab.

Chapter 16

FIGURE 16-1: SANS.org.
FIGURE 16-2: The GIAC GPEN certification.
FIGURE 16-3: The top ten application risks on the Open Web Application Security...
FIGURE 16-4: Downloading Nessus.
FIGURE 16-5: Gain access to Kali.

Introduction

Welcome to Penetration Testing For Dummies! It is my goal to start you down the path to learning more about pen testing and why it’s such a hot topic for anyone interested in information technology security. This book shows you how to target, test, analyze, and report on security vulnerabilities with pen testing tools.

I break down the most complex of topics into easily digestible chunks that familiarize you with the details of conducting a pen test, but also why you need to do it and how the hackers you are trying to access your systems are doing so. Your purpose as a pen tester is to test systems, identify risks, and then mitigate those risks before the hackers do.

It takes a person with hacking skills to look for the weaknesses that make an organization susceptible to hacking. The topics in this book aim to equip IT professionals at various levels with the basic knowledge of pen testing.

About This Book

One of my main goals in writing this book is to give you an understanding of the different attacks, vectors, vulnerabilities, patterns, and paths that hackers use to get into your network and systems. Pen testing is intended to follow those same steps, so security pros know about them (and can fix or monitor them) before the hackers do.

For this book, I use a Windows workstation and where I must, I use Linux tools run from a virtual machine. I have chosen this because this is where many beginners are likely to start their pen testing journey. For this book, you can use any current supported version of Windows (Windows 7 and above) on a device that has a network connection (wired and wireless).

A highly experienced pen tester will likely use a native Linux system like Ubuntu (as an example), but you do not need to use it now.

If you are using Linux or Apple, you can follow the same steps throughout the book with a few modifications here and there.

Foolish Assumptions

As I was writing this book, I assumed you work in IT and want to transition to security. It is the go-to book for those who have some IT experience but desire more knowledge of how to gather intelligence on a target, learn the steps for mapping out a test, and discover best practices for analyzing, solving, and reporting on vulnerabilities.

You might have an entry-level or junior position, or you might be a manager or director, with more experience but coming from a different area of expertise. Either way, you want to know more about how pen testing fits into the big picture. As such, you’ll find that I explain even simple concepts to clarify things in the context of penetration testing and overall security.

Icons Used in This Book

Throughout the book, I use various icons to draw your attention to specific information. Here’s a list of those icons and what they mean.

This icon highlights pointers where I provide an easier way of doing something or info that can save you time. This icon points to content you definitely don’t want to miss, so be sure to read whatever’s next to it.

When you see this icon, you know it’s next to information to keep in mind — or something I’ve discussed elsewhere, and I’m reminding you of it. It’s often advice to help keep you out of trouble.

Pay close attention to this icon, which I use to point out pitfalls to avoid or where doing something (or not doing something) could land you in legal trouble (like pen testing something you don’t have permission to test).

Sometimes I provide particularly sticky details about an issue, which can get technical and which may not be of interest (or help). You could ignore any text marked with this icon, and you won’t miss it a whit.

What You’re Not to Read

This book is written so you aren’t required to read it beginning to end. If you’re familiar with the basics of penetration testing, for example, you can probably skip the first part. You can skip Part 2 if you feel you have a pretty good handle on attack types and various pen testing tools. Technical Stuff icons are truly technical pieces of information that I file under “nice to know” — skip those, as well, if you’re looking for need-to-know content only.

Where to Go from Here

If you’re truly new to the world of penetration testing, I recommend you begin with Chapter 1 and read from there. Readers with a grasp on pen testing fundamentals — what it is, the role of the pen tester, types of hackers, types of attacks, and so on — but who want to hone their testing and/or reporting skills, for example, can go straight to Parts 3 and 4, respectively.

Looking for information about a particular tool or attack? Use the Table of Contents or Index to find where I cover that thing and go straight to that discussion. More advanced readers might want to read only those sections that cover any area they need to bone up on.

Of course, I recommend Chapters 15 and 16 for everyone because continual learning is so important to becoming and remaining an excellent pen tester.

You can also find more pen testing topics on the book’s cheat sheet, such as pen testing terminology and specific certifications you’ll find useful in your career. Go to dummies.com and search for “Pen Testing For Dummies cheat sheet” to find it.

The more you study, read, and work in the field, the more you’ll learn as your journey continues. It can be something you eventually have a really good understanding of … but by that time, the technology will have changed many times! As a journey of lifelong learning and study that can be very rewarding and exciting as you progress, becoming a pen tester is a true commitment.

Part 1

Getting Started with Pen Testing

IN THIS PART …

Dive into the world of pen testing by exploring the skills and certifications necessary to get started.

Learn what kind of hackers there are, what goals you’ll have as a pen tester, and the basics of scan maintenance.

Build your pen testing toolkit.