Ethical Hacking

8. Planning the Scope of a Penetration Test

Penetration Planning

Most actual hacks are carried out after the information gathering phase. Because this means gathering information available in the public domain, it's a step often missed out in pen-testing.

Pen-testing often begins with the process of scanning and enumeration to identify weaknesses. Scanning with tools identifies the services and open ports running on the target computer. Scanning builds up in stages, stopping when sufficient information is gathered. It begins with stealthy, hard-to-detect scans and slowly steps up to noisy, easily detectable scans involving pinging.

Enumeration involves arranging these weaknesses in order according to their chances of success. Knowing the possibility of success requires some knowledge of the possible exploits that could be used to take advantage of the identified vulnerability.

Matching weaknesses to likely exploits is a vital part of the planning process. The planning process also requires fall-back alternatives to try in case the initial attempt fails.

Some practical exercises in scanning and identifying weaknesses have already been completed. In earlier exercises NMAP, Zenmap, Uniscan and Sparta have been used for 'foot-printing networks'. Maltego, especially the full version, Maltego Pro, is also very good at foot-printing networks.

More about Foot-printing ...

Foot-printing is all about discovering as much as possible about the computing system used by the target. It includes:-

  • The size of their network of computers and related devices, if possible (laptops, phones etc). This also includes routers, WiFi access points and wireless devices like printers or network storage systems (NAS).
  • The types of devices together with their manufacturers and the versions of their operating systems.
  • Their IP addresses, services and ports.
  • Internet, social media and web applications used by the target.

Essentially, foot-printing is all about discovering and identifying possible entry points for hackers and, for ethical hackers, then testing them for possible vulnerabilities.

Making WiFi Connections

Enabling Wireless Connections

Even though many computers have built-in wireless network cards (though the ones at school don't), these are often unsuitable for ethical hacking because:-

  1. Many wireless cards don't allow network monitoring or packet sniffing; only certain chipsets have this function.
  2. Virtual machines working as a 'guest' within VirtualBox, VMware and similar software can't access the host's network card directly.

Watch the video below to see how to set up wireless networking with the wireless dongle provided. Even though the model is slightly different (Alfa AWUS036NHA) and it uses a different chipset (Atheros AR9271), the principles of setting it up are exactly the same.

Using your browser

In school, the browser will not connect to the outside world over the wireless network set up in the previous exercise. This is because:-

  1. The browser is configured to access the internet through a proxy server using the eth0 (ethernet card) interface.
  2. The test router is not connected to an external WAN network.

However, to attack other computers on the network via a browser attack or similar, the connection settings can be changed. Go to the network settings and choose No Proxy. Make sure to change it back again to use the internet from within the browser.

Important: You can't join wireless networks if the wireless dongle is in monitor mode.

Cracking WiFi

WiFi represents an obvious access point for hackers. WiFi networks can easily be discovered through methods such as wardriving or war-walking. Some enterprising hackers have even developed mobile robots that drive around collecting data on WiFi networks. I'm sure the possibility of using drones for the same job isn't far behind.

The following exercise builds on earlier work with Aircrack-ng. A teacher will provide you with a wireless dongle and demonstrate how to configure it for use with Kali Linux.

Using the video as a guide, see if you can gain entry to the target router in the classroom.

Remember, the four-way handshake is the process that describes how a computer links to the wireless network when it's switched on. De-authentication of the computer forces it to resend its authentication credentials to the router. By capturing all the signals sent from the target device we can theoretically capture the authentication credentials or the relevant addresses and then use a brute force attack to crack the password.
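The de-authentication step above is exactly what a wireless intrusion detection system watches for on the defender's side. As an added example (not the course's own code), the block below parses raw 802.11 management frame headers, picks out de-authentication and disassociation frames, and flags any access point/client pair hit by a burst of them; the frames are constructed by hand so it runs offline, and the threshold of 10 is an assumption.

```python
# Added example (not the course's own code): parse raw 802.11 management frames
# and flag a de-authentication flood, the on-air sign of the step described above.
import struct
from collections import Counter
from typing import Optional

DEAUTH_SUBTYPE = 12      # management subtype 0xC
DISASSOC_SUBTYPE = 10    # management subtype 0xA, same effect on the client

def parse_mgmt_frame(raw: bytes) -> Optional[dict]:
    """Decode frame control, the three addresses and, for deauth/disassoc, the reason code."""
    if len(raw) < 24:                      # fixed management header is 24 bytes
        return None
    fc0 = raw[0]
    ftype = (fc0 >> 2) & 0x3               # bits 2-3: 0 = management frame
    subtype = (fc0 >> 4) & 0xF             # bits 4-7: management subtype
    if ftype != 0:
        return None                        # control/data frames never carry deauth
    reason = None
    if subtype in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE) and len(raw) >= 26:
        reason = struct.unpack_from("<H", raw, 24)[0]   # little-endian reason code
    return {"subtype": subtype, "reason": reason,
            "dst": raw[4:10].hex(":"),      # addr1: receiver (the victim client)
            "src": raw[10:16].hex(":"),     # addr2: transmitter
            "bssid": raw[16:22].hex(":")}   # addr3: BSSID

def build_frame(subtype: int, dst: str, src: str, bssid: str, reason: int = 7) -> bytes:
    """Fabricate a minimal management frame; used only to construct sample input."""
    hdr = bytes([subtype << 4, 0x00]) + b"\x00\x00"          # frame control + duration
    hdr += bytes.fromhex(dst) + bytes.fromhex(src) + bytes.fromhex(bssid) + b"\x00\x00"
    body = struct.pack("<H", reason) if subtype in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE) else b""
    return hdr + body

def deauth_flood_sources(frames, threshold: int = 10) -> dict:
    """Count deauth/disassoc frames per (BSSID, victim); return pairs at or over threshold."""
    counts = Counter()
    for raw in frames:
        f = parse_mgmt_frame(raw)
        if f and f["subtype"] in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
            counts[(f["bssid"], f["dst"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}

# Constructed sample: one beacon, a burst of 15 deauths at one client, and two
# stray deauths at another (a few per hour is normal roaming noise, a burst is not).
AP, CLIENT, OTHER = "aabbccddeeff", "112233445566", "0011223344aa"
SAMPLE_FRAMES = ([build_frame(8, "ffffffffffff", AP, AP)]
                 + [build_frame(DEAUTH_SUBTYPE, CLIENT, AP, AP) for _ in range(15)]
                 + [build_frame(DEAUTH_SUBTYPE, OTHER, AP, AP) for _ in range(2)])
```

In practice the frames would come from a monitor-mode capture and the count would be taken per time window; the same frames can be picked out in Wireshark with the display filter wlan.fc.type_subtype == 0x0c.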

If you want to target an individual or create custom word-lists to use in the brute force attack with aircrack or other brute-forcing attacks, Cewl is another useful tool. You can learn how to use it by clicking on Cewl: Custom Dictionary Generation

Sharknado - Wireshark

Wireshark is the world's foremost and most widely used network analyser. It allows users to examine what's happening on networks in great detail and has become the go-to network auditing tool across commercial and non-profit enterprises, government agencies, and educational institutions.

Particularly useful is the feature that allows attackers to decrypt and view router activity transmitted over the air in plain text.

Using the information from the previous exercise together with the steps shown in the movie and using the skills and knowledge acquired in the rest of the course, see what else you can uncover about the target network.

When Wireshark starts, you may get an error message about operating it as a superuser; ignore this and click continue to start the program. If you have activated the wireless interfaces, you will see them in the interface screen; otherwise click the Ethernet (eth0) interface or any.

The start-up interface of the most recent version of Wireshark looks on the surface slightly different from the older version in the video. It only presents the list of interfaces from which data can be captured. To choose another interface after a capture has started, choose Capture > Options.

Aircrack-ng and Wireshark will have revealed useful information about the target's WiFi system. It's time to do a bit more foot-printing.

  • Use appropriate reconnaissance tools to discover:
    • The Operating System and version used by the target machine.
    • Local IP addresses.
    • Services run by the target.
    • A list of open ports.
  • Record this information in your notebook.

You should be able to:-
  • Explain the purpose of 'foot-printing'
  • Use appropriate tools to gather information on a Wifi network
  • Select and use appropriate tools to reveal information about the target network.

If you don't feel confident in meeting any of these performance criteria, ask your teacher or re-read the information again.
