
A Model for Penetration Testing

Research · January 2017


DOI: 10.13140/RG.2.2.36221.15844


All content following this page was uploaded by Chuck Easttom on 22 January 2017.

Research Gate Publication

A Model for Penetration Testing


Chuck Easttom
Collin College Professional Development
chuck@chuckeasttom.com

Abstract— Penetration testing is an increasingly integral part of cyber security. A wide range
of techniques exist to conduct penetration testing. The industry is also replete with tools to assist in
the process of penetration testing. What is missing is a cohesive model of penetration testing that
brings together a wide range of standards into a single, comprehensive model that can be applied to a
wide range of penetration testing scenarios.

Keywords— Penetration testing, pen testing, hacking.

I. INTRODUCTION AND LITERATURE REVIEW

The field of penetration testing is a growing subset of cyber security (Yeo, 2013). The process of
penetration testing needs to be a methodical process that includes a detailed analysis of the threats
and potential attackers (Bishop, 2007). The industry is replete with penetration testing certifications
such as GPEN from the SANS Institute, Certified Ethical Hacker from EC-Council, and Offensive
Security's OSCP (Easttom, 2016). Each of these certifications, and its associated training course,
emphasizes a different aspect of penetration testing.
In addition to the training and certifications in the field of penetration testing, there are
industry tools that have become widely accepted in the penetration testing community. Kali Linux is
a Linux distribution that includes several security tools, including widely used penetration testing
tools (Beggs, 2014). Perhaps the most widely used penetration testing tool is Metasploit (Jaswal,
2016).
Each of the current, widely accepted penetration testing standards recommends a particular sequence of
tasks. There is overlap between the different methodologies, but each has its own elements,
particular to that specific standard. The Penetration Testing Execution Standard (PTES, 2016) recommends
seven stages:
• Pre-engagement Interactions
• Intelligence Gathering
• Threat Modeling
• Vulnerability Analysis
• Exploitation
• Post Exploitation
• Reporting
It is noteworthy that in this process, the first four stages involve pre-penetration test information
gathering.
NIST 800-115 (U.S. Department of Commerce, 2015) uses four phases:
• Planning
• Discovery
• Attack
• Reporting
The National Security Agency InfoSec Assessment Methodology (NSA-IAM) describes three
general phases, each subdivided into specific tasks to be conducted during that phase (Cross, 2000;
Johnson, 2004):
• Pre-Assessment
    o Determine and manage the customer's expectations
    o Gain an understanding of the organization's information criticality
    o Determine the customer's goals and objectives
    o Determine the system boundaries
© 2014, IJIRIS All Rights Reserved Page | 1
    o Coordinate with the customer
    o Request documentation
• On-Site Assessment
    o Conduct opening meeting
    o Gather and validate system information (via interview, system demonstration, and document review)
    o Analyze assessment information
    o Develop initial recommendations
    o Present out-brief
• Post-Assessment
    o Additional review of documentation
    o Additional expertise (get help understanding what you learned)
    o Report coordination (and writing)
The Payment Card Industry Data Security Standard (PCI-DSS) also defines a process for
penetration testing (PCI-DSS, 2015). An overview of that process is provided here:
• Scope
• Qualifications of a Penetration tester
• Penetration Testing Components
• Methodology
• Pre-engagement
• The actual penetration test
• Post-Engagement
Each of these standards provides a starting point for penetration testing. Each has a specific
perspective in mind. For example, the PCI-DSS standard specifically addresses credit card
processing needs, while the NSA-IAM is concerned with United States Government cyber security.
While each of these standards has a different focus, even a casual review reveals some
commonalities.
II. THE METHOD

The method described in this paper is a four-phase process that combines elements from each of
the previously described standards and is consistent with those standards. Thus, this four-phase
methodology could be used in conjunction with any of the aforementioned standards. The
methodology describes your approach to penetration testing for a particular test. This will include:
1. The amount of information given (i.e. black box, white box, gray box testing).
2. Is this testing for some standard (NSA-IAM, PCI, etc.)?
3. Will this test involve internal and external testing, or just one of those options?
4. Will this test include physical penetration testing and/or social engineering?
5. What is the mix of manual and automated testing?
Most importantly, the methodology should describe the reasons for choosing a specific
methodology. A methodology statement might look something like the following:
This test is being conducted for PCI-DSS requirements. The test will involve internal and
external testing, and be conducted with the tester being given extensive information (i.e. a
white box test). This specific test will not include physical testing or social engineering. The
test will involve both automated and manual tasks, with the primary tools used being:
• Metasploit
• OWASP ZAP
• Vega
• Nmap
• Nessus
These tools will be used in conjunction with manual testing techniques.


The test will begin with internal and external vulnerability scans. This will be followed by
assessing specific PCI-DSS required security controls. Then manual attempts will be made to
penetrate the network.
Of course, more detail is usually preferred. The preceding example is merely meant as a starting
point, showing what a basic methodology statement might look like.

Pre-Engagement
The most important element of the pre-engagement is a thorough contract. It must include the
following:
1. Scope of the test
2. Any items not to be tested
3. Goals of the test
4. Time frame of the test
5. Any standards to be met (PCI, NIST, etc.)

Any ambiguities in the contract are likely to lead to dissatisfaction for the penetration testing
customer. Clearly, legal advice is advisable for any contract, but the preceding list provides an
overview of the technical issues that must be addressed in the contract.
In addition to the contract, information gathering is also critical in the pre-engagement phase.
Failure to gather the appropriate information in this phase can lead to incorrect test focus or
execution. Gather information regarding the following:
1. Any past breaches. Details on such breaches are important. Obviously, you wish to begin by
testing these, to ensure the network is no longer susceptible to them.
2. Any recent risk analysis or audits. This information can also assist you in determining what
areas are most critical to test.
3. Any specific concerns the customer has. This can also guide you to testing the appropriate
areas.
4. Ensure that you and the client agree on the scope as well as what a penetration test can do. It
is important that the client have realistic expectations.
The preceding list is exemplary, not exhaustive. More information is always desirable.

The actual test


Once the pre-engagement phase is complete, the next step is to conduct the actual penetration
test. Pen testing is a multi-step process. Each step is equally important. The actual test is further
divided into four sub-phases.

1) Phase 1 – Passive Scanning

You begin the penetration test by gathering as much data on the target as you can. This phase
is the passive data gathering phase. It includes social media, netcraft.com, archive.org, and any other
passive data you can obtain. Advanced Google searching combined with resources such as shodanhq
can provide a wealth of information regarding the target network.

2) Phase 2 – Active Scanning


This phase involves actively scanning the target network. At a minimum, you will use nmap
to port scan all available IP addresses. Then use at least two different vulnerability scanners (Vega,
OWASP ZAP, Burp Suite, etc.) to scan all available websites. You will also conduct a vulnerability
scan of any accessible IP address (Nessus, MBSA, OpenVAS, etc.).
Gather as much data as possible about services, ports, etc. If appropriate, use Metasploit to scan for
SQL Server, SSH, FTP, SMB, etc.


Network scanning, along with wireless and Bluetooth scanning, is also recommended. This
can determine whether the wireless network is secured and whether unencrypted data is being sent over
the network, and give a general overview of the network traffic.

3) Phase 3 – Breaching

Now you must attempt to breach. This will include manually conducting SQL injection and cross-
site scripting, trying to deliver malware from Metasploit, attempting phishing, delivering a harmless
virus, etc. It is recommended that the penetration tester combine both automated and manual
methods. Specific tools may vary depending on current trends, vulnerabilities identified, and the
target network. For example, a Windows network may require attempts to exploit using PowerShell.
In almost all cases, Metasploit will be useful in attempting to exploit identified vulnerabilities.
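The manual SQL injection check named in this phase is looking for the pattern shown below. The following is an added example in Python, not code from the paper: a deliberately vulnerable user lookup placed beside the parameterized form that the report's remediation section should recommend, run against a constructed in-memory SQLite table. The `users` table, its two rows and the function names are assumptions made for this example.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample database: two accounts in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash_a"), ("bob", "hash_b")],
    )
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """Deliberately vulnerable: the caller's input is pasted into the SQL text,
    so a quote character in the input changes the structure of the query."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Hardened form: the value is bound as a parameter, so the database
    driver treats it as data and it can never become part of the SQL."""
    query = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


def compare(username: str) -> Tuple[List[str], List[str]]:
    """Run both lookups on the same input and return (vulnerable, safe) results."""
    conn = make_db()
    try:
        return lookup_user_vulnerable(conn, username), lookup_user_safe(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal username behaves identically in both versions ...
    print(compare("alice"))
    # ... while a tautology in the input makes the vulnerable query match every row.
    print(compare("' OR '1'='1"))
```

In the report, a result like this is recorded under a well-known identifier (CWE-89 is the CWE entry for SQL injection), with the parameterized form as the remediation step.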

4) Phase 4 – Completing the test


In some cases, it is beneficial to do at least a basic vulnerability scan after the issues found in the
penetration test are remediated. This checks to see if the remediation was successful.

Reporting

The report must be thorough, with the following sections:
I. Executive summary
1 to 3 paragraphs explaining the scope of the test and results.

II. Introduction
This is where you describe the testing goals and objectives, what was tested, and what was
excluded. This is often referred to as the scope of work.

This section should include rules of engagement and any past breaches or risk
assessments. Such past activity should be guiding the prioritization of your penetration
testing.

III. Detailed Analyses

This must include every test you conducted, preferably with step-by-step discussion and
screenshots. If you used tools that produced reports, those reports are attached as
appendices.

When you identify vulnerabilities, whenever possible identify them by a well-known
standard. For example


IV. Conclusions & Risk Rating

Provide a general description of what you found and what the risk level is. A risk rating of
the network can be helpful to the customer. This need not be an absolute mathematical
scale. It can be simply a description such as low, moderate, high, or it can be expanded
to low, moderate, elevated, high, extreme.

V. Remediation steps
This section provides details on how the flaws found in penetration testing can be
addressed and mitigated. These should be detailed enough to allow any competent
technical person to correct the problems you discovered. This is a critical part
of the report. It is not enough to simply state that there are problems; you must provide
clear guidance on how to address those problems.
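Sections III through V above define what each finding must carry (a well-known identifier, evidence, a remediation step) and how the network-level rating is expressed. The following added Python example, which is not code from the paper, assembles those sections from a list of findings and refuses to produce a report while any finding lacks an identifier, evidence or remediation guidance. The `Finding` record, the mapping from CVSS base score onto the paper's five-level scale, the aggregation rule for the overall rating, and the sample findings are all assumptions made for this example; the CWE numbers used are real entries.

```python
from dataclasses import dataclass
from typing import Dict, List

# The five-level scale from the paper's expanded example, ordered low to extreme.
SCALE = ["low", "moderate", "elevated", "high", "extreme"]


@dataclass
class Finding:
    title: str
    host: str
    standard_id: str   # well-known identifier such as a CWE or CVE number
    cvss: float        # CVSS v3 base score, 0.0 to 10.0
    evidence: str      # step-by-step reproduction or screenshot reference
    remediation: str   # concrete fix a competent technical person can apply


def finding_rating(f: Finding) -> str:
    """Place one finding on the scale. The thresholds are an assumption for this
    example; the paper supplies the labels, not the cut-offs."""
    if f.cvss >= 9.0:
        return "extreme"
    if f.cvss >= 7.0:
        return "high"
    if f.cvss >= 5.0:
        return "elevated"
    if f.cvss >= 4.0:
        return "moderate"
    return "low"


def validate(findings: List[Finding]) -> List[str]:
    """Return the defects that would make the report unusable; an empty list
    means every finding has an identifier, evidence and remediation guidance."""
    problems = []
    for f in findings:
        if not f.standard_id.strip():
            problems.append(f"{f.title}: no well-known identifier (CWE/CVE)")
        if not f.evidence.strip():
            problems.append(f"{f.title}: no evidence or reproduction steps")
        if not f.remediation.strip():
            problems.append(f"{f.title}: no remediation guidance")
        if not 0.0 <= f.cvss <= 10.0:
            problems.append(f"{f.title}: CVSS score out of range")
    return problems


def overall_rating(findings: List[Finding]) -> str:
    """Network-level rating: the worst single finding, raised one level when two
    or more findings already sit at that level (an assumed aggregation rule)."""
    if not findings:
        return SCALE[0]
    levels = [SCALE.index(finding_rating(f)) for f in findings]
    worst = max(levels)
    if levels.count(worst) >= 2 and worst < len(SCALE) - 1:
        worst += 1
    return SCALE[worst]


def build_report(scope: str, excluded: str, findings: List[Finding]) -> Dict[str, str]:
    """Assemble the five report sections in the paper's order."""
    problems = validate(findings)
    if problems:
        raise ValueError("report incomplete: " + "; ".join(problems))
    rating = overall_rating(findings)
    ordered = sorted(findings, key=lambda f: -SCALE.index(finding_rating(f)))
    detail = "\n".join(
        f"{finding_rating(f).upper()} [{f.standard_id}] {f.title} on {f.host}\n  Evidence: {f.evidence}"
        for f in ordered)
    remediation = "\n".join(f"{i}. {f.title}: {f.remediation}" for i, f in enumerate(ordered, 1))
    return {
        "I. Executive summary": f"{len(findings)} findings within scope ({scope}); overall risk rating: {rating}.",
        "II. Introduction": f"Scope: {scope}. Excluded: {excluded}.",
        "III. Detailed Analyses": detail,
        "IV. Conclusions & Risk Rating": f"Overall risk rating: {rating}.",
        "V. Remediation steps": remediation,
    }


# Constructed sample findings for the small network in the paper's example.
SAMPLE_FINDINGS = [
    Finding("SQL injection in login form", "web server", "CWE-89", 9.8,
            "single quote in the username field alters the query; see appendix A",
            "use parameterized queries for every database call and validate input"),
    Finding("Anonymous FTP login enabled", "web server", "CWE-284", 5.3,
            "Metasploit anonymous FTP scan; see appendix B",
            "disable anonymous login in the FTP service or remove the service"),
    Finding("Default administrative password", "wireless access point", "CWE-1392", 8.8,
            "vendor default password accepted on the administrative page",
            "set a unique administrative password and limit the admin page to the management network"),
]


if __name__ == "__main__":
    report = build_report("30 workstations, 3 servers, 1 web server, 1 router",
                          "physical testing and social engineering", SAMPLE_FINDINGS)
    for section, text in report.items():
        print(section, "\n", text, "\n")
```

Findings are listed in descending severity so the executive summary and the remediation numbering both lead with what matters most; the `ValueError` path is deliberate, since a report that names a problem without a fix fails the paper's own requirement for section V.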

5) Example Pen Test


What tests and tools you use will depend on the target network, the scope of work, and the
items being tested. For illustration purposes, consider a small network that has 1 gateway router, 30
workstations, 3 servers, and 1 web server. The following would be a very basic penetration test for a
small network. Note that this is just an example. Your test assessment plan should be based on the
criticality of systems within the target network.

External
After completing the pre-engagement activities and Phase 1 (passive scanning), active
scanning is the next step. In a small network, such as the one described in this scenario, active
scanning will flow naturally into Phase 3 (breaching). It is often easiest to start with external testing.
1. Begin with port scanning all public-facing IP addresses (the web server and gateway router).
2. Then use vulnerability scanners to scan the website (Vega, OWASP ZAP, Burp Suite, etc.).
3. Manually attempt several common attacks on the web server (cross-site scripting, SQL
injection, website path traversal, etc.).
4. Try appropriate Metasploit attacks on the web server (depending on the server) and on the
router. You may wish to use some Metasploit scans on the web server, particularly the
anonymous FTP scan.
5. Attempt to access the wireless network. This should include both trying to break into the Wi-Fi as
well as attempts to access the administrative screen for the wireless access point.


6. Attempt standard attacks such as grab the banner, zone transfer, etc.
7. Try default passwords on any public facing device.

Internal
Now move internally. This part is done from inside the network.
1. Begin with network enumeration, which is internal active scanning.
2. Now run a network-wide vulnerability scan using one or more tools.
3. Nmap scan the entire network. Identify what ports and services are running to determine if
they all need to be running.
4. Use a packet sniffer to scan network traffic, including wireless traffic. Note any sensitive data
that is being sent unencrypted and whether the wireless traffic is secure.
5. Perform the standard Metasploit scans (anonymous FTP, SMB, SSH, SQL Server, etc.).
6. Attempt to exploit any vulnerabilities found.
7. Attempt standard attacks including:
    a. Try to connect to computer shares
    b. Try to crack passwords on key machines
    c. Try to telnet or ssh to printers
    d. Attempt default passwords on any servers, printers, switches, routers and wireless
    access points.
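Step 3 above, like Phase 2 of the general method, ends with an inventory question: which open ports and services actually need to be running? The following is an added Python example, not part of the paper, that parses nmap's XML output (`nmap -oX`) into a per-host inventory of open ports, compares it with an assumed baseline of approved services, and lists the cleartext protocols that step 4's sniffing should watch. The XML, the IP addresses and the baseline are constructed for this example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of `nmap -oX` output for three internal hosts.
# The addresses and services are invented for this example, not real scan data.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.0.0.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="10.0.0.30" addrtype="ipv4"/></host>
</nmaprun>
"""

# Assumed baseline of approved (protocol, port) pairs per host, as the customer's
# documentation gathered during pre-engagement would describe it.
BASELINE: Dict[str, Set[Tuple[str, int]]] = {
    "10.0.0.10": {("tcp", 22), ("tcp", 445)},
    "10.0.0.20": {("tcp", 80)},
}

# Services that carry credentials or data in the clear: worth a finding whether
# or not the baseline allows them, and the traffic the sniffing step should watch.
CLEARTEXT_SERVICES = {"telnet", "ftp", "http", "pop3", "imap", "smtp"}

Port = Tuple[str, int, str]  # (protocol, port number, service name)


def parse_open_ports(xml_text: str) -> Dict[str, List[Port]]:
    """Map each host that is up to its open ports; down hosts and
    filtered/closed ports are left out of the inventory."""
    inventory: Dict[str, List[Port]] = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        address = host.find("address[@addrtype='ipv4']")
        if address is None:
            continue
        open_ports: List[Port] = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name", "") if service is not None else ""
            open_ports.append((port.get("protocol", ""), int(port.get("portid", "0")), name))
        inventory[address.get("addr", "")] = open_ports
    return inventory


def compare_to_baseline(inventory: Dict[str, List[Port]],
                        baseline: Dict[str, Set[Tuple[str, int]]]):
    """Return (unexpected, missing): ports open but not approved, and approved
    ports not seen open (a service that is down, or a whole host that is)."""
    unexpected: Dict[str, List[Tuple[str, int]]] = {}
    missing: Dict[str, List[Tuple[str, int]]] = {}
    for ip, ports in inventory.items():
        seen = {(proto, num) for proto, num, _ in ports}
        approved = baseline.get(ip, set())
        if seen - approved:
            unexpected[ip] = sorted(seen - approved)
        if approved - seen:
            missing[ip] = sorted(approved - seen)
    for ip, approved in baseline.items():
        if ip not in inventory:
            missing[ip] = sorted(approved)
    return unexpected, missing


def cleartext_services(inventory: Dict[str, List[Port]]) -> List[Tuple[str, int, str]]:
    """List (ip, port, service) for open services known to run in the clear."""
    return sorted((ip, num, name) for ip, ports in inventory.items()
                  for _, num, name in ports if name in CLEARTEXT_SERVICES)


if __name__ == "__main__":
    inv = parse_open_ports(SAMPLE_XML)
    extra, gone = compare_to_baseline(inv, BASELINE)
    print("open but not in baseline:", extra)
    print("in baseline but not seen open:", gone)
    print("cleartext services:", cleartext_services(inv))
```

The "missing" side of the comparison is as useful as the "unexpected" side during the final Phase 4 re-scan: a service that disappeared since the baseline may have been remediated, or may simply have been down when the scan ran.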

Of course, you must test all items indicated by any standard you are using. For example, PCI
requires all external communication of credit card data to be encrypted. I suggest you test all internal
and external data communication.

Optional Items
1. Send employees anonymous phishing email that will do something harmless such as redirect
them to a page admonishing them not to click on links or a harmless malware attachment that
just has a voice or popup telling them not to download attachments.
2. Attempt social engineering via phone or in person.
3. A penetration test is not a vulnerability scan, but can include vulnerability scanning (as
already shown in this document). In the same way, a penetration test is not an audit, but can
sometimes include elements of an audit. With that in mind, you may wish to check the
following items:
a. Password policies
i. Lockout policy
ii. Minimum requirements
iii. How often passwords are changed
b. Are there any unauthorized devices or software anywhere on the network?
c. Are there still accounts active for employees no longer with the organization?
This outline is a basic outline for a rather small network. Feel free to expand it and add to it as you
see fit. This should be considered the bare minimum of a pen test.

III. CONCLUSIONS


Penetration testing is more than simply hacking, and therefore it requires a methodology
that can be consistently applied. An appropriate methodology is based on well-established standards.
In this paper a methodology for penetration testing was described. This is meant as a general
template for penetration testing. Clearly, specific penetration tests will have individual requirements
that need to be addressed. It is also likely that further research would expound upon the
methodology espoused in this paper.

REFERENCES

Alharbi, M. (2010). Writing a Penetration Testing Report. The SANS Institute. Retrieved from https://www.sans.org/reading-room/whitepapers/testing/writing-penetration-testing-report-33343
Beggs, R. (2014). Mastering Kali Linux for Advanced Penetration Testing. Birmingham, UK: Packt Publishing.
Bishop, M. (2007). About Penetration Testing. IEEE Security & Privacy, 5(6). DOI: 10.1109/MSP.2007.159
Cross, K. (2000). Application of the NSA InfoSec Assessment Methodology. SANS Institute.
Easttom, C. (2016). Computer Security Fundamentals, Third Edition. New York City, NY: Pearson Press.
Jaswal, N. (2016). Mastering Metasploit, Second Edition. Birmingham, UK: Packt Publishing.
Johnson, B. (2004). National Security Agency (NSA) INFOSEC Assessment Methodology (IAM). http://systemexperts.com/pdf/NSAIAM.pdf
NIST (2008). A Technical Guide to Information Security Testing and Assessment. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
Offensive Security (2013). Penetration Test Reporting. Retrieved from https://www.offensive-security.com/reports/sample-penetration-testing-report.pdf
Penetration Testing Standard (2016). Accessed October 2016. http://www.pentest-standard.org/index.php/Main_Page
Penetration Test Guidance Special Interest Group (2015). Penetration Testing Guidance. Payment Card Industry Data Security Standards. https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
U.S. Department of Commerce (2015). Technical Guide to Information Security Testing and Assessment. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
Yeo, J. (2013). Using penetration testing to enhance your company's security. Computer Fraud & Security, 2013(4). https://doi.org/10.1016/S1361-3723(13)70039-3
