CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [90]
Next is the attack phase. During it the tester's tools range from exploitation frameworks to monitoring utilities, and professional testers use them to probe and test the security of systems and the network. The activities include, but aren't limited to, the following:
Penetrating the perimeter This includes reviewing error reports, probing access control lists with crafted or spoofed packets and observing what the filter lets through, and evaluating protocol filtering rules with protocols such as SSH, FTP, and Telnet. The tester should also test for buffer overflows, SQL injection, poor input validation and output sanitization, and susceptibility to DoS attacks. In addition to software testing, allocate time to test internal web applications and wireless configurations, because an insider already sits behind the perimeter and the insider threat is among the most serious an organization faces.
Acquiring the target This set of activities is more intrusive and challenging than a vulnerability scan or audit. You can use an automated exploit tool such as CORE IMPACT, or attempt to access the system with legitimate credentials or information obtained through social engineering. This activity also includes testing enforcement of the security policy, running brute-force password crackers, and using GetAdmin-style privilege tools to gain greater access to protected resources.
Escalating privileges Once a user account has been acquired, the tester attempts to give that account additional privileges or rights on systems across the network. Many hacking tools can exploit a vulnerability in a system and create a new user account with administrator privileges.
Executing, implanting, and retracting This is the final phase of testing. Your skills are challenged by escalating privileges on a system or network without disrupting business processes. Leaving a mark (a harmless file or record) can demonstrate where you were able to gain greater access to protected resources. Many companies don't want you to leave marks or execute arbitrary code; such limitations are identified and agreed upon before the test starts.
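Two of the "Penetrating the perimeter" checks above, written out as an added example (this is not code from the guide). `probe_port()` is a TCP connect probe that classifies a port as open, closed or filtered from the connect result and grabs the service banner, which is how you tell an SSH, FTP or Telnet listener apart from a filter that silently drops packets. `sqli_check()` runs two classic injection payloads against a login query that splices user input into SQL, and against the parameterised version of the same query. The local banner listener, the port numbers and the SQLite `users` table are all constructed here so the block runs offline.

```python
# Added example for the "Penetrating the perimeter" checks (not code from the
# CEH guide). Two checks, both runnable offline:
#   probe_port()  - TCP connect probe that classifies a port as open / closed /
#                   filtered and grabs the service banner (SSH, FTP, Telnet...).
#   sqli_check()  - runs classic injection payloads against a string-built login
#                   query and a parameterised one, on a constructed SQLite DB.
import socket
import sqlite3
import threading


def probe_port(host, port, timeout=2.0):
    """Return (state, banner).  A refused connection (RST) means 'closed';
    a timeout usually means a filter silently dropped the SYN ('filtered')."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except socket.timeout:
        s.close()
        return "filtered", ""
    except ConnectionRefusedError:
        s.close()
        return "closed", ""
    except OSError as exc:          # e.g. network unreachable: not a filter verdict
        s.close()
        return f"error:{exc.errno}", ""
    try:
        banner = s.recv(128).decode("ascii", "replace").strip()
    except (socket.timeout, OSError):
        banner = ""                 # service expects the client to speak first
    finally:
        s.close()
    return "open", banner


def start_banner_listener(banner):
    """Constructed stand-in for a real daemon: a one-shot local service that
    sends `banner` to the first client. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """A local port with nothing listening, to exercise the 'closed' verdict."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def build_db():
    """Constructed target: one user table with a known credential."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db


def login_vulnerable(db, user, pw):
    """Bad input handling: the values are spliced into the SQL text."""
    q = f"SELECT COUNT(*) FROM users WHERE username='{user}' AND password='{pw}'"
    return db.execute(q).fetchone()[0] > 0


def login_hardened(db, user, pw):
    """Parameterised query: the values never become SQL syntax."""
    q = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return db.execute(q, (user, pw)).fetchone()[0] > 0


PAYLOADS = [  # (label, username, password); none contains the real password
    ("tautology in password field", "alice", "' OR '1'='1"),
    ("comment out the password check", "alice'--", "wrong"),
]


def sqli_check(login):
    """Return the labels of payloads that authenticate without valid credentials."""
    db = build_db()
    return [label for label, user, pw in PAYLOADS if login(db, user, pw)]


if __name__ == "__main__":
    port = start_banner_listener(b"SSH-2.0-OpenSSH_test\r\n")
    print(port, probe_port("127.0.0.1", port))          # ('open', 'SSH-2.0-OpenSSH_test')
    print(probe_port("127.0.0.1", unused_port())[0])    # closed
    print("vulnerable:", sqli_check(login_vulnerable))  # both payloads succeed
    print("hardened:  ", sqli_check(login_hardened))    # []
```

Against a real target, run `probe_port` with the filtering device between you and the host and compare the verdicts for 21, 22 and 23 with what the firewall policy claims; a "filtered" result where the policy says "permit" is a finding in its own right. The injection check is the same test you would send through a web form: the tautology works because the password comparison is ORed away, the comment payload because SQLite (like most engines) treats `--` as the start of a comment and never evaluates the password clause.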
The post-attack phase involves restoring the systems to their pre-test configuration: removing any files you placed, cleaning up registry entries if any were created while exploiting vulnerabilities, and removing the shares and connections you established.
Finally, you analyze all the results and present them in a comprehensive technical report and a separate report for management. These reports include your objectives, your observations, all activities undertaken, and the results of the test activities, and may recommend fixes for the vulnerabilities found.
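The post-attack restore and the "all activities undertaken" section of the report are easiest when they come from one record. As an added example (not code from the guide), the change journal below stores every artefact the tester creates together with the action that reverses it; `restore()` undoes them last-first, which matters when one change depends on another (a file inside a directory you also created), and `activities()` gives the timestamped list for the report. The target host is stood in for by a temporary directory and the "mark" is a constructed file, so it runs anywhere.

```python
# Added example for the post-attack phase (not code from the CEH guide): a
# change journal. Every artefact the tester creates is recorded together with
# the action that reverses it, so restoring the pre-test state is mechanical
# (last change undone first) and the report's "activities undertaken" list is
# produced from the same record. Demonstrated on constructed temp files.
import os
import tempfile
from datetime import datetime, timezone


class ChangeJournal:
    def __init__(self):
        self._log = []    # (utc timestamp, description), kept for the report
        self._undo = []   # (description, callable), popped during restore

    def record(self, description, undo):
        """Call right after making a change; `undo` must reverse exactly that change."""
        self._log.append((datetime.now(timezone.utc).isoformat(), description))
        self._undo.append((description, undo))

    def restore(self):
        """Undo changes in reverse order and return [(description, outcome)].
        A failing undo is reported, not hidden, so the report can flag it."""
        outcome = []
        while self._undo:
            description, undo = self._undo.pop()
            try:
                undo()
                outcome.append((description, "restored"))
            except Exception as exc:     # keep going; partial cleanup is still reported
                outcome.append((description, f"FAILED: {exc}"))
        return outcome

    def activities(self):
        """Timestamped list of everything done, for the technical report."""
        return list(self._log)


def leave_mark(journal, base_dir):
    """Leave a 'mark' proving access: a directory containing a marker file.
    Two journal entries, so restore() must remove the file before the directory."""
    mark_dir = os.path.join(base_dir, "pentest_mark")
    os.mkdir(mark_dir)
    journal.record(f"created directory {mark_dir}", lambda: os.rmdir(mark_dir))
    mark_file = os.path.join(mark_dir, "PENTEST_WAS_HERE.txt")
    with open(mark_file, "w") as fh:
        fh.write("marker left by authorised penetration test\n")
    journal.record(f"created file {mark_file}", lambda: os.remove(mark_file))
    return mark_file


def run_cycle():
    """Attack-phase artefact, then post-attack restore; returns what was observed."""
    scratch = tempfile.mkdtemp()        # constructed stand-in for the target host
    journal = ChangeJournal()
    mark_file = leave_mark(journal, scratch)
    existed = os.path.exists(mark_file)
    outcome = journal.restore()
    remains = os.listdir(scratch)       # empty if restore removed everything
    os.rmdir(scratch)
    return {
        "existed_before_restore": existed,
        "left_behind": remains,
        "restore_outcome": outcome,
        "activities": journal.activities(),
    }


if __name__ == "__main__":
    for key, value in run_cycle().items():
        print(f"{key}: {value}")
```

The same pattern extends to the other artefacts the paragraph lists: a registry key or a network share gets recorded with the command that deletes it at the moment it is created, not reconstructed from memory at the end of the engagement.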
Overview of the Pen-Test
Legal Framework
A penetration tester must be aware of the legal ramifications of hacking a network, even in an ethical manner. The laws applicable to hacking were discussed in Chapter 1 of this book. The documents that an ethical hacker performing a penetration test must have signed with the client are as follows:
■ Scope of work, to identify what is to be tested
■ Nondisclosure agreement, in case the tester sees confidential information
■ Liability release, releasing the ethical hacker from any actions or disruption of service caused by the pen test
List the Automated Penetration Testing Tools
A 2006 survey of the nmap-hackers mailing list produced a ranked list of security tools; more than 3,000 people responded. Fyodor (http://insecure.org/fyodor/), who created the list, says, "Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with." The following, drawn from the top of that list, should be considered the top pen-testing tools in a hacker's toolkit:
Nessus This freeware network vulnerability scanner has more than 11,000 plug-ins available. It includes remote and local