How to conduct penetration testing and vulnerability scanning for websites?
0. Preface

Under some local laws, penetration testing is illegal unless authorised by the party being tested. All the penetration testing methods described here are (or should be) used as legitimate assessment services, commonly known as ethical hacking, so the readers of this article should be ethical hackers. If you are not one yet, I hope you will be by the time you leave.

I also want to say this: penetration testing is about practice, and it needs a never-say-die heart and an active brain. That does not mean copying this document to your website or saving it to your local disk; even if you print it out and eat it with chili sauce, you still have to practise it step by step. And testing is about using your head: do not just run the one or two tools mentioned in this article, because I can assure you the Internet will not become any safer for it. Good luck...

I. Introduction

What is penetration testing?

The simplest and most direct explanation: penetration testing is a security testing process that examines the target system entirely from an attacker's point of view.

What is the purpose of penetration testing?

To understand the security of the current system and the methods an attacker could use. It lets managers see very intuitively the problems the current system faces. Why intuitively? As Mitnick says in his book, security management (here, security assessment) has to be comprehensive to succeed, while a hacker (or a penetration test) succeeds as soon as it gets into the system at a single point.

Is penetration testing equivalent to risk assessment?

No. For now, treat penetration testing as one part of a risk assessment. A risk assessment is considerably more involved: besides the penetration test, it includes asset identification and risk analysis, and it may also include manual review and subsequent remediation (optional).

A security review has been conducted. Do you still need penetration testing?

If I told you: China's existing space theory and technology prove that China is fully capable of a spacewalk, so there is no need to launch Shenzhou-8 at all. Would you accept that?

Is the penetration test a black box test?

No, and many technicians get this wrong. A penetration test does not only simulate an intrusion by an external hacker; it also covers deliberate (or accidental) attacks by internal personnel. In that case the testers can be given information about the system, including code fragments, which makes it a grey-box or even a white-box test.

What does the penetration test include?

The technical scope mainly covers network equipment, hosts, databases and application systems. Social engineering (see Mitnick's "The Art of Intrusion") can also be considered.

What are the disadvantages of penetration testing?

Mainly high cost and high risk. And the final report is only as trustworthy as the professionalism of the ethical hackers who produced it.

Everything you say sounds great, so why is penetration testing not very popular in China?

I can only say: yes, that is the case. The crux is that a penetration test cannot prove its results are complete. After paying to have it proven that the system has problems, the customer still does not know what level of security has been reached. The customer obviously has to trust a professional and experienced security team, and that is a serious problem in China: in some penetration tests done by large security companies the testers' skill does not match the price, and the work is irresponsible from the test process through to the report. I estimate this will change in about three years. By then the technical strength of security staff will have improved considerably, enterprises will understand penetration testing better, and it will be added to the development process as a form of IT audit; the specialisation and commercialisation of penetration testing will mature.

II. Formulate an implementation plan

The implementation plan is worked out between the testers and the customer. At the start, the tester sends a short questionnaire to learn how much testing the customer will accept. Its contents include, but are not limited to, the following:

An introduction to the target system, the key objects to be protected and their characteristics.

Is data corruption allowed?

Is disruption of normal business operations allowed?

Should the contacts in the relevant departments be notified before the test?

Access mode: from the Internet, from the intranet, or both?

Does the test end as soon as a problem is found, or should it find as many problems as possible?

Should social engineering be included in the engagement?

. . .

After receiving the customer's feedback, the testers prepare a first draft of the implementation plan and submit it to the customer for review. Once the review is complete, the customer commissions the testers in writing. The two documents should contain the following:

Implementation part:

...

Written authorization part:

...

III. The specific operation process

1. Information collection

Network information collection:

This step does not scan the target directly. First, gather related information from the Internet: Google hacking, whois queries, DNS records and so on (if social engineering is in scope, marginal information about the target, such as the format of internal employee accounts, how they are identified and e-mail addresses, can also be picked up from mailing lists and newsgroups).

1. Use whois to find the DNS servers of the target domain name.

2. Use nslookup to query the domain's records and then attempt a zone transfer from each authoritative server:

> set type=all
> <domain>
> server <ns server>
> set q=all
> ls -d <domain>

The ls -d command requests a full zone transfer (AXFR) and exists only in the Windows nslookup; on Linux use dig @<ns server> <domain> AXFR instead. A properly configured name server refuses transfers to unauthorised hosts, so a successful ls -d is itself a finding: it hands you the complete list of host names in the zone.
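The zone-transfer check above, scripted in Python as an added example (this is not code from the original article). It shells out to dig from the BIND utilities, which is assumed to be installed, and must only be run against domains you are authorised to test; parse_axfr and interesting_hosts work on dig's text output and need no network, and the interesting-prefix list is an assumption chosen for the example.

```python
#!/usr/bin/env python3
"""Zone-transfer (AXFR) check: the scripted form of the nslookup session above.

Added example, not code from the original article.  Assumes `dig` from the
BIND utilities is on PATH; run it only against domains you are authorised
to test.
"""
import re
import subprocess
import sys
from typing import List, Optional, Tuple

Record = Tuple[str, int, str, str]  # (name, ttl, type, rdata)

# One resource record as dig prints it, e.g.
#   backup.example.com.   3600   IN   A   192.0.2.20
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z0-9]+)\s+(.*)$")

# Host name prefixes that deserve a closer look (assumed list; backup and
# temp boxes are often less well maintained than production).
INTERESTING_PREFIXES = ("backup", "bak", "temp", "tmp", "test", "dev", "old", "vpn")


def run_dig(args: List[str], timeout: int = 20) -> str:
    """Run dig with the given arguments; return stdout, or "" if dig fails."""
    try:
        proc = subprocess.run(["dig"] + args, capture_output=True,
                              text=True, timeout=timeout, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return ""
    return proc.stdout


def name_servers(domain: str) -> List[str]:
    """Authoritative name servers of a domain (the whois / NS lookup step)."""
    out = run_dig(["+short", "NS", domain])
    return sorted(line.strip().rstrip(".") for line in out.splitlines() if line.strip())


def parse_axfr(output: str) -> Optional[List[Record]]:
    """Parse `dig AXFR` output.

    Returns the records when the transfer succeeded, or None when it was
    refused.  A complete transfer is framed by the zone's SOA record at both
    ends; a refusal contains only dig's "; Transfer failed." comment.
    """
    records: List[Record] = []
    for line in output.splitlines():
        if not line.strip() or line.startswith(";"):
            continue  # blank lines and dig comments
        m = RECORD_RE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name, int(ttl), rtype, rdata.strip()))
    if "Transfer failed" in output or len(records) < 2:
        return None
    if records[0][2] != "SOA" or records[-1][2] != "SOA":
        return None  # truncated or malformed transfer
    return records


def try_zone_transfer(domain: str, ns: str) -> Optional[List[Record]]:
    """The `server <ns>` / `ls -d <domain>` step against one name server."""
    return parse_axfr(run_dig(["@" + ns, domain, "AXFR"]))


def interesting_hosts(records: List[Record]) -> List[str]:
    """Names in a transferred zone whose first label suggests a non-production box."""
    found: List[str] = []
    for name, _ttl, rtype, _rdata in records:
        if rtype in ("A", "AAAA", "CNAME"):
            label = name.split(".")[0].lower()
            if label.startswith(INTERESTING_PREFIXES) and name not in found:
                found.append(name)
    return found


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: axfr_check.py <domain>")
    target = sys.argv[1]
    for server in name_servers(target):
        zone = try_zone_transfer(target, server)
        if zone is None:
            print(f"{server}: AXFR refused (expected)")
            continue
        print(f"{server}: AXFR ALLOWED, {len(zone)} records")
        for host in interesting_hosts(zone):
            print(f"  worth a look: {host}")
```

Run it as axfr_check.py example.com. Every authoritative server is tried separately because it is common for the primary to refuse AXFR while a forgotten secondary still allows it.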

The tools involved are: Google, demon, webhosting.info, Apollo, Athena, ghdb.xml, netcraft and seologs. One more reminder: sending a User-Agent of Googlebot/2.1 bypasses the access restrictions on some files, because some sites serve crawlers content that they hide from ordinary visitors.

Some query syntax commonly used by Google hackers

1. Restrict the search to a site with site:. For example, site:www.nosec.org searches one host, site:nosec.org searches the pages of every subdomain under that domain name, and site:gov.cn searches the websites of Chinese government departments.

2. Search for a keyword in the URL with inurl:. To find pages that take parameters, try inurl:asp?id=

3. Search for a keyword in the page title with intitle:. To find admin login pages, try intitle:"admin login".

Target system information collection:

From the steps above you should be able to sketch the target's network structure: the region where the company network sits, the IP address ranges of subsidiaries, VPN access addresses and so on. Pay special attention to host names and addresses: a name beginning with backup or temp is very likely a backup or temporary server, and its security is probably weaker.

From the list of addresses obtained, form a picture of the organisation's structure and the operating systems in use. The most common method is to scan every IP range of the target.

Port/service information collection:

Direct scanning can start at this point. The tools involved are nmap and thc-amap.

1. The parameters I use most often:

nmap -sS -p 1-10000 -n -P0 -oX filename.xml --open -T5 <ip address>

-sS is a SYN scan and needs root privileges; -P0 (spelled -Pn in current nmap releases) skips host discovery so that hosts that block ping are still scanned; -n disables reverse DNS lookups; --open reports only open ports; -oX writes XML that can be post-processed. -T5 is the most aggressive timing template: it is fast, but it drops probes on slow links and is easy for an IDS to notice, so prefer -T4 when accuracy matters more than speed.
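The same scan scripted in Python, with a parser for the -oX output, as an added example (not code from the original article). It assumes nmap is installed and that the scan runs as root, which -sS requires; parse_nmap_xml reads nmap's XML and is exercised here on a constructed sample, and the default of -T4 instead of the article's -T5 is an editorial choice explained in the docstring.

```python
#!/usr/bin/env python3
"""Run the SYN scan from the article and turn its -oX output into a host/port table.

Added example, not code from the original article.  Assumes nmap is
installed and that you run it as root (a SYN scan needs raw sockets).
"""
import subprocess
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

OpenPort = Tuple[int, str, str]  # (port, protocol, service name)


def nmap_command(target: str, out_xml: str, ports: str = "1-10000",
                 timing: str = "T4") -> List[str]:
    """The article's command line, modernised.

    -P0 is the old spelling of -Pn (skip host discovery).  -T5 from the
    article works but drops probes on lossy links and is very noisy, so
    -T4 is the default here; pass timing="T5" to match the article exactly.
    """
    return ["nmap", "-sS", "-p", ports, "-n", "-Pn", "-oX", out_xml,
            "--open", "-" + timing, target]


def parse_nmap_xml(xml_text: str) -> Dict[str, List[OpenPort]]:
    """Map each live host to its open ports, from `nmap -oX` output."""
    root = ET.fromstring(xml_text)
    results: Dict[str, List[OpenPort]] = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address[@addrtype='ipv6']")
        if addr_el is None:
            continue
        open_ports: List[OpenPort] = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # --open already filters these, but be strict anyway
            svc = port.find("service")
            service = svc.get("name", "") if svc is not None else ""
            open_ports.append((int(port.get("portid")), port.get("protocol", "tcp"), service))
        results[addr_el.get("addr")] = sorted(open_ports)
    return results


def run_scan(target: str, out_xml: str = "scan.xml") -> Dict[str, List[OpenPort]]:
    """Run nmap with the article's options and parse the XML it wrote."""
    subprocess.run(nmap_command(target, out_xml), check=True)
    with open(out_xml, encoding="utf-8") as fh:
        return parse_nmap_xml(fh.read())


# Constructed -oX output (not a real scan) used to exercise the parser.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -p 1-10000 -n -Pn -oX scan.xml --open -T4 192.0.2.0/29" start="1700000000" version="7.94">
<host starttime="1700000001" endtime="1700000030"><status state="up" reason="user-set"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http" method="table" conf="3"/></port>
<port protocol="tcp" portid="3306"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="mysql" method="table" conf="3"/></port>
</ports>
</host>
<host starttime="1700000001" endtime="1700000030"><status state="down" reason="no-response"/>
<address addr="192.0.2.11" addrtype="ipv4"/>
</host>
</nmaprun>
"""

if __name__ == "__main__":
    if len(sys.argv) == 2:
        for ip, ports in run_scan(sys.argv[1]).items():
            print(ip, ", ".join(f"{p}/{proto} {svc}" for p, proto, svc in ports))
    else:
        print(parse_nmap_xml(SAMPLE_XML))
```

Keeping the XML rather than the screen output means the port list can be diffed between the start and the end of the engagement, which is the evidence the report later needs.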

Application information collection:

...

/ (the data volume of this site ranks first in the world; if a password cannot be cracked against it, all that is left is to pray to Brother Chun) ...

Of course, some stand-alone cracking tools are still essential: Ophcrack, rainbowcrack (developed by Chinese people; well done), Cain, L0phtCrack (cracks Windows passwords), John the Ripper (cracks UNIX/Linux passwords), and of course FindPass. ...

For the default accounts of network devices, consult / and http://www.phenoelit-us.org/dpl/dpl.html.

If during the test you obtain Office documents that are encrypted, then rixler is the place to go straight away: the Office password suite they provide opens Office documents instantly (I have not tried it against Office 2007; if you get the chance to test it, please send me the results, thank you). It seems Microsoft has reason to issue a patch or something. For enterprises, iron coils or RMS can be considered.

6. Log clearing

Not actually needed in an authorised test.

7. Further infiltration

Generally, breaking into the DMZ does not yield much useful information. To consolidate the result we need to go on to penetrate the intranet, and here anything goes. The most common and effective method is sniffing traffic (with ARP spoofing added where needed). The simplest thing, though, is to look through the files on the compromised machine, which very likely contain the connection accounts you need: if you have taken over a web server, in most cases you will find the database account in the page source or in a configuration file. Opening a few log files is also worthwhile.

Alternatively, go straight back to step 2, vulnerability scanning, against the hosts that are now reachable.
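An added example (not the article's code) of the "look through the files on the compromised machine" step: a small Python scanner that walks a web root and flags database credentials in source and configuration files. The file extensions, the regular expressions, the placeholder rule and the three sample snippets are assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""Find database credentials left in web-server source and config files.

Added example, not code from the original article.  Run it on the
compromised host (or on a copy of its web root) during an authorised test;
the patterns and the sample snippets below are constructed for the example.
"""
import os
import re
import sys
from typing import List, NamedTuple, Tuple


class Hit(NamedTuple):
    path: str
    lineno: int
    kind: str
    snippet: str


# Each pattern captures the secret in a group named "secret".  Order matters:
# the more specific forms come first and only one hit is reported per line.
PATTERNS: List[Tuple[str, re.Pattern]] = [
    # mysql://user:pass@host/db, jdbc:postgresql://..., mongodb://...
    ("url", re.compile(
        r"(?i)\b(?:jdbc:)?(?:mysql|postgres(?:ql)?|mssql|sqlserver|mongodb|redis)://"
        r"(?P<user>[^:/\s@]+):(?P<secret>[^@\s]+)@(?P<host>[^/\s\"']+)")),
    # OLE DB / ODBC strings: User ID=sa;Password=...
    ("connstr", re.compile(
        r"(?i)\b(?:user\s*id|uid)\s*=\s*(?P<user>[^;]+);.*?\b(?:password|pwd)\s*=\s*(?P<secret>[^;\"']+)")),
    # $db_pass = 'x';  password: x  PASSWD=x  DB_PASSWORD=x
    ("assignment", re.compile(
        r"(?i)\b(?:db_?)?(?:pass(?:word|wd)?|pwd)\b\s*[=:]\s*[\"']?(?P<secret>[^\"'\s;,]+)")),
]

# Values that are placeholders, not secrets (env substitution, templating).
PLACEHOLDER_PREFIXES = ("${", "%", "{{", "<", "$(")

CONFIG_EXTS = (".php", ".inc", ".asp", ".aspx", ".jsp", ".ini", ".conf", ".config",
               ".properties", ".xml", ".yml", ".yaml", ".json", ".env", ".py", ".rb")


def find_credentials(text: str, path: str = "<memory>") -> List[Hit]:
    """Return one Hit per line of `text` that looks like it carries a password."""
    hits: List[Hit] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            secret = m.group("secret").strip()
            if not secret or secret.startswith(PLACEHOLDER_PREFIXES):
                break  # a template variable, not a real credential
            hits.append(Hit(path, lineno, kind, m.group(0).strip()[:160]))
            break
    return hits


def scan_tree(root: str, exts: Tuple[str, ...] = CONFIG_EXTS, max_bytes: int = 2_000_000) -> List[Hit]:
    """Walk `root` and run find_credentials over every file with a config-like extension."""
    hits: List[Hit] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not (name.lower().endswith(exts) or name.startswith(".env")):
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # skip logs and dumps; they are a separate job
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits.extend(find_credentials(fh.read(), path))
            except OSError:
                continue
    return hits


# Constructed samples (not from any real system) to show what gets flagged.
SAMPLE_PHP = """<?php
// config.php
$db_host = 'localhost';
$db_user = 'webapp';
$db_pass = 'S3cret!';
$conn = mysql_connect($db_host, $db_user, $db_pass);
"""
SAMPLE_INI = """[database]
url = mysql://report:Rep0rt@10.0.0.5/reports
password = ${DB_PASSWORD}
"""
SAMPLE_ASP = 'strConn = "Provider=SQLOLEDB;Data Source=db1;User ID=sa;Password=sa123"'

if __name__ == "__main__":
    if len(sys.argv) == 2:
        found = scan_tree(sys.argv[1])
    else:
        found = (find_credentials(SAMPLE_PHP, "config.php")
                 + find_credentials(SAMPLE_INI, "app.ini")
                 + find_credentials(SAMPLE_ASP, "conn.asp"))
    for h in found:
        print(f"{h.path}:{h.lineno} [{h.kind}] {h.snippet}")
```

Run it as find_creds.py /var/www to scan a web root, or with no argument to see the samples flagged; the ${DB_PASSWORD} line is deliberately skipped, since the real value then lives in the environment of the web-server process rather than in the file.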

IV. Generate a report

The report should include:

Vulnerability list (sorted by severity)

Detailed description of each weakness (how it was exploited)

Suggested remediation

Participants / test time / intranet or extranet

V. Risks in testing and how to avoid them

During testing, many foreseeable and unforeseeable risks can occur, and the testers must provide avoidance measures so that there is no significant impact on the system. Some for reference:

1. Do not run any attack that could interrupt the business (including resource-exhausting DoS, malformed-packet attacks and data destruction).

2. Testing and verification should be carried out when business volume is lowest.

3. Make sure the relevant data is backed up before testing begins.

4. Before starting, communicate with the operations staff and have every test confirmed.

5. If anything abnormal happens during the test, stop immediately and restore the system promptly.

6. Build a complete mirror of the production system and run the penetration test against the mirror.