The output of an ethical hacker's or pen-tester's work is the report. This will generally follow an established format:
- Executive summary: Summarises the overall results, findings and recommendations.
- Context: Details what the pen-tester has been hired to do and sets out the 'rules of engagement', for example: what they will test for, what they will do when testing, what precautions they will take, how success will be judged, who they will report to, etc.
- Results of reconnaissance: Much of this is optional, since most of it is publicly accessible information. Some may be included, though, especially where that information has a bearing on the discovery of later vulnerabilities which are subsequently exploited.
- Scanning: The scans carried out and their results, especially those indicating possible areas of weakness.
- The pen-test plan, guided by the results of the earlier stages.
- The vulnerabilities identified in the process of attempting to gain access.
- Recommendations for further action, and the actions needed to close down any vulnerabilities.
The aim in writing the report is to create a clear chain of events, or audit trail, between each stage, so that a reader can follow what was asked for, through what was tested and why, to the pen-test plan, its results and the recommendations.
Why Pen-test? aka Vulnerability Assessment
This unit has focussed on the first stages of a hack, namely Reconnaissance, Scanning, Planning and Gaining Access. The remaining stages, Maintaining Access and Covering Tracks, are beyond the scope of this unit. Those with a particular interest can find more on the internet; these stages are also covered in greater detail in university-based courses.
No tool or set of tools will work all of the time in every situation. Like the engineer or woodworker choosing tools for a particular task, ethical hackers choose tools according to the context, and one of the aims of this unit has been to provide experience of as broad a range of tools as possible in the time available. Each tool has its own strengths and weaknesses and has to be selected accordingly.
- In reconnaissance, Maltego, Dmitry and Recon-ng are popular tools. Of the three, Maltego is perhaps the most powerful and comprehensive; the downside is that it is also one of the most difficult to use.
- Crossing the boundary between reconnaissance and scanning are Zenmap and theHarvester. Both involve scanning, with Zenmap helping to establish the nature of networks and theHarvester helping to gather email addresses and contact information.
- Experience was gained with the Uniscan and Sparta scanning tools. Sparta is a graphical user interface built on top of the powerful nmap scanner and the nikto web-server scanner.
- Metasploit and Armitage were introduced as powerful tools that lie on the boundary between reconnaissance and gaining access. Hackers in particular like Metasploit for its extensive and growing range of exploits and payloads. With Armitage, it was shown how access to one computer in a network could be used to attack others in a pivot attack.
- As an alternative to actual 'breaking and entering', the Social Engineering Toolkit (SET) was introduced as a method for gaining access. SET is a collection of powerful methods that can be used to trick a way into a system. Such methods include credential harvesting, redirecting mail, MITM, DNS spoofing and spear phishing.
- Organisations now make considerable use of browser-based apps. The Browser Exploitation Framework (BeEF) was introduced as a tool for gaining access via the internet. Like Metasploit, BeEF is a collection of methods that can be used to break in through the browser.
- Burp is another framework used for hacking web applications. For practice it was used to hack into the DVWA web app that comes with Metasploitable 2, a deliberately vulnerable 'operating system'. Burp is a versatile tool: it can be used for conducting brute-force and dictionary attacks on passwords as well as SQL injection attacks on web-hosted databases.
While the list of tools introduced appears extensive, they are only a small sample of what is available. They are not necessarily the best (that is a matter of opinion), but they are perhaps the best known. The number and type of tools are constantly changing, with new, improved ones replacing older, well-established ones on a regular basis.