Ethical Hacking

9. Using the Framework for Penetration Testing

Vulnerability Analysis: Planning the pen-test

After Foot-printing

The combination of information-gathering tools such as Maltego, Wi-Fi attack tools such as Aircrack-ng and network sniffers such as Ettercap and Wireshark will provide considerable information about the target system. Especially useful is information such as:-

  • The size of the computer network, which indicates how many possible points of access there are.
  • The operating systems in use, which give an indication of the type of 'payload' and exploit that can be used.
  • The nature of any internet or social media presence to reveal possible credential harvesting, spoofing or web application attacks.
  • If a social engineering attack is to be considered, who to pretend to be, who to contact and how to go about it.

These and other sources of information provide pointers to possible attacks. The next step is to see how vulnerable the target might be to the most likely attack avenues. Everyone and everything is ultimately hackable; it all depends on how much effort, time, money and brain power the attacker is prepared to expend to gain access to the target.

The goal of most security teams is to make the attacker's job sufficiently difficult that they move on to more vulnerable targets. There are enough of those around, after all.


Planning the hack!

This is where successful hackers set out the plan of attack, using the information acquired from foot-printing. A typical plan will set out:-

  • The nature of the attack - social engineering, spear-phishing, website spoofing, brute force, DDoS etc. The plan might include several stages and various combinations of attack.
  • Preparation of the resources required for a successful attack, e.g. construction of phishing emails, acquisition of suitable hacking tools, gathering appropriate payloads and exploits, collecting word-lists, dictionaries and rainbow tables for password cracking etc.
  • Collecting the names and IP addresses of networked computers or servers.
  • The times and sequence in which the attack(s) will be launched. For large organisations this might be at a shift changeover, or late at night when little is happening and only a skeleton staff is on duty, to reduce the chance of being spotted. Or, conversely, at peak times, when a small event can be hidden in the mass of normal activity.

The preparation of attack plans is a cyclic process. A plan is prepared, the target's vulnerability to the initial plan is tested, the plan is amended in the light of that testing, and the process is repeated until a feasible plan is produced.

Testing Vulnerability

Assessing a target's vulnerability to possible attacks has to be done very quietly so as not to raise alarms at the target. Such vulnerability testing might include:

  • Checking that the names and addresses of key personnel exist and are spelt correctly. Nothing sets alarm bells off faster than misspelt names or the names of personnel who no longer work for the target.
  • Identifying the operating systems in use and their versions. The version gives an indication of which exploit to use, since loopholes present in one version are often closed in later ones.
  • Checking and confirming Wi-Fi protocols and passwords, and confirming IP addresses, open ports and the services being run by the operating system.

Some vulnerability testing will require scanning with tools. However, scanning sites, computers or networks without permission is illegal and can lead to prosecution. This is where the Rules of Engagement (RoE) agreed with the client come into play: the RoE grant the ethical hacker permission to scan and set out the conditions (which systems, which methods, at what times) under which scanning may occur.

Great care has to be taken when scanning. Security-conscious targets often run an Intrusion Detection System (IDS) that can detect scans and, if it does, log them so they can be traced back to the source IP address.

The aim of the ethical hacker, then, is rather like that of a submarine trying to get past defences without being pinged by the opposing force's sonar.
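To see what the "sonar" is actually listening for, here is an added example (it is not part of the course material) of the simplest scan-detection rule an IDS applies: count the distinct destination ports one source touches on one host inside a sliding time window, and alert when the count passes a threshold. The log format, the two scans embedded in it and the threshold values are all constructed or assumed for this example; a real IDS's port-scan detector is more elaborate, but rests on the same idea. Run over the sample, the fast scan (30 ports in 3 seconds) is flagged at its sixteenth probe, while the slow scan of the same 30 ports at one probe every 10 seconds never has more than 7 ports inside any 60-second window and is not flagged.

```python
"""Minimal port-scan detector run over constructed connection-log lines.

Added example, not from the course page. Assumptions:
- Log line format is invented for this example:
      "<epoch_seconds> <src_ip> -> <dst_ip>:<dst_port> SYN"
  and lines arrive in time order.
- Detection rule (assumed thresholds): a source that touches more than
  MAX_PORTS distinct destination ports on one host within WINDOW seconds
  is flagged once, at the time of the probe that crossed the threshold.
"""
from collections import defaultdict, deque

WINDOW = 60       # seconds of history the detector keeps per (source, host)
MAX_PORTS = 15    # distinct ports inside the window before we alert


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, _arrow, dst, _flag = line.split()
    host, port = dst.rsplit(":", 1)
    return float(ts), src, host, int(port)


def detect_scans(lines, window=WINDOW, max_ports=MAX_PORTS):
    """Return {src_ip: timestamp_of_first_alert} for sources that exceed the threshold."""
    # Sliding window of (timestamp, port) per (source, destination host).
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ts, src, host, port = parse_line(line)
        q = recent[(src, host)]
        q.append((ts, port))
        # Drop probes that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct_ports = {p for _, p in q}
        if len(distinct_ports) > max_ports and src not in alerts:
            alerts[src] = ts
    return alerts


def make_sample_log():
    """Constructed sample: a noisy scan and a slow scan of the same 30 ports.

    10.0.0.5 probes ports 1-30 at 10 probes per second (3 s in total).
    10.0.0.6 probes ports 1-30 at one probe every 10 s (5 minutes in total).
    """
    fast = [f"{1000 + i * 0.1:.1f} 10.0.0.5 -> 10.0.0.20:{p} SYN"
            for i, p in enumerate(range(1, 31))]
    slow = [f"{2000 + i * 10:.1f} 10.0.0.6 -> 10.0.0.20:{p} SYN"
            for i, p in enumerate(range(1, 31))]
    return fast + slow


if __name__ == "__main__":
    for src, when in detect_scans(make_sample_log()).items():
        print(f"ALERT: port scan from {src} detected at t={when}")
```

This is also why the slow nmap timing templates exist: they lower the probe rate so that the number of ports inside any detection window stays small, at the price of a far longer scan. A slow scan does not make the probes invisible; it only keeps them under a rate-based threshold.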

  1. Research on the internet to find the 'quietest' scanning method.
  2. Choose a suitable scanning tool from within Kali Linux.
  3. Use it to discover the IP address, open ports and any services running on the Victim Machine in the School Lab. Record these in your notebook.
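Whichever scanning method you settle on, nmap can write its results as XML with -oX, and that file is a better thing to record than numbers retyped from the terminal. The following is an added example (not course material) that pulls the IP address, open ports, service banners and OS guess out of an nmap XML report and turns them into the notebook lines the task above asks for. The XML is constructed to look like nmap's report for an imaginary lab host at 192.168.56.101; the address, ports, product versions and the command in the args attribute are all invented for the example.

```python
"""Extract host, open ports, services and OS guess from an nmap XML report.

Added example, not from the course page. SAMPLE_XML is a constructed
report in the shape nmap writes with -oX; every value in it is invented.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -T2 -oX victim.xml 192.168.56.101" start="1700000000">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <address addr="08:00:27:AA:BB:CC" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp" product="vsftpd" version="3.0.3"/></port>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="7.9p1"/></port>
      <port protocol="tcp" portid="23"><state state="filtered" reason="no-response"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.4.38"/></port>
    </ports>
    <os><osmatch name="Linux 4.X" accuracy="95"/></os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return a list of {ip, os_guess, open_ports:[{port, proto, service, product, version}]}."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts nmap considered down
        ip = next((a.get("addr") for a in h.findall("address")
                   if a.get("addrtype") == "ipv4"), None)
        record = {"ip": ip, "open_ports": [], "os_guess": None}
        for p in h.findall("ports/port"):
            state = p.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports matter for the plan
            svc = p.find("service")
            record["open_ports"].append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        osmatch = h.find("os/osmatch")
        if osmatch is not None:
            record["os_guess"] = osmatch.get("name")
        hosts.append(record)
    return hosts


def notebook_lines(hosts):
    """Format the parsed hosts as the lines you would copy into your notebook."""
    lines = []
    for h in hosts:
        lines.append(f"Host {h['ip']}  OS guess: {h['os_guess'] or 'unknown'}")
        for p in h["open_ports"]:
            banner = " ".join(x for x in (p["product"], p["version"]) if x)
            lines.append(f"  {p['port']}/{p['proto']} {p['service'] or '?'} {banner}".rstrip())
    return lines


if __name__ == "__main__":
    print("\n".join(notebook_lines(parse_nmap_xml(SAMPLE_XML))))
```

Filtered ports are dropped deliberately: nmap reports "filtered" when it got no answer, which usually means a firewall, and they do not tell you what service is behind them. The product and version strings come from nmap's -sV service probes, and those probes are far noisier than the port scan itself, so decide in your plan whether the extra information is worth the extra traffic.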

Time to work up a brief plan. Use the results from the scan to:-

  1. Choose suitable tool(s) for conducting 'the hack' on the Victim Machine.
  2. List and gather any resources you might need for the hack: word-lists, dictionaries etc.
  3. Select and list any payloads or exploits required for the hack.
  4. List the sequence of actions or steps that have to be completed in order to carry out the hack.
You should be able to:-

  • Explain how the results from reconnaissance feed into or influence the planning process.
  • Prepare a short plan for a hack.
  • Choose an appropriate scanning method suitable for quiet scanning.
  • Conduct an unobtrusive scan on a target machine.

If you don't feel confident in meeting any of these performance criteria, ask your teacher or re-read the information again.
