Penetration Testing
(PenTest)
Dr. Tran The Son
Vietnam – Korea University
Bio
Hometown: Quang Tri, Hue, Binh Dinh, HCMC
Degree:
MSc (2004)
PhD (2014), Northumbria University, Newcastle upon Tyne, UK.
Major: Computer Networks and Communications.
Thesis title: “A Mobility State Adaptive Routing Protocol for Mobile Ad Hoc Networks”.
Research Interests: Mobile Ad Hoc and Sensor Networks, QoS Routing, Network Security, Visible Light Communications (VLC), Chaos theory.
Institute: Vietnam – Korea University (VKU)
• Teaching
– Computer networks
– Broadband networks
– Wireless and Sensor networks
– Cloud computing
– Linux OS
– IP routing
– Web programming
– Network security
– Malware analysis
– PenTest
– Cryptography
• C/C++
• Python
• MATLAB
Course Outline
– Penetration Testing Primer
• Pen testing Roles
• Basic Skills to Pen Testing
• The Goals of Pen Testing
• The Stages of the Penetration Test
– Basic knowledge and tools
• Basic networking and security: TCP/IP, IP Switching, Firewall, etc.
• Virtual lab: VMware, Kali, Win XP SP3, Win 7, Ubuntu
• Lab: Using Nessus, Kali, Metasploit Framework, nmap, etc.
– Assessment
• Information Gathering
• Finding Vulnerabilities
• Capturing Traffic
– Attack/Exploitation:
• Exploitation, Password Attacks, Social Engineering, Bypassing Anti-virus App, etc.
– Exploit Development
Text-books
• Georgia Weidman, “Penetration Testing: A Hands-On Introduction to Hacking”, No Starch Press, ISBN-13: 978-1593275648, June 2014, 528 pp.
• Robert Shimonski, “Penetration Testing For Dummies”, John Wiley & Sons, Inc, ISBN-13 978-1-119-57747-8, 2020
• Phillip L. Wylie, Kim Crawley, “The
Web Resources
• Penetration Testing Lab ([Link]/log)
Basic Networking and Security
• Architecture
General security technology
• In the general security technology category are firewalls
• Other general: intrusion prevention and detection systems, load balancers, access control lists (ACLs) on routers and wireless access points, controllers, and mobile extenders
Systems infrastructure and applications
• Servers:
– web, mail, DNS, etc.
• Devices:
– Routers, switches, hubs, load balancers
• Security:
– Firewalls, intrusion prevention devices
Computer Security Objectives
Confidentiality
• Data confidentiality
– Assures that private or confidential information is not made available or disclosed to unauthorized individuals
• Privacy
– Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed
Integrity
• Data integrity
– Assures that information and programs are changed only in a specified and authorized manner
• System integrity
– Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system
Availability
• Assures that systems work promptly and service is not denied to authorized users
CIA Triad
Possible additional concepts:
• Authenticity: Verifying that users are who they say they are and that each input arriving at the system came from a trusted source
• Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity
Breach of Security - Levels of Impact
• High: The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals
• Moderate: The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals
• Low: The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals
Computer Security Challenges
• Security is not simple
• Potential attacks on the security features need to be considered
• Procedures used to provide particular services are often counter-intuitive
• It is necessary to decide where to use the various security mechanisms
• Requires constant monitoring
• Is too often an afterthought
• Security mechanisms typically involve more than a particular algorithm or protocol
• Security is essentially a battle of wits between a perpetrator and the designer
• Little benefit from security investment is perceived until a security failure occurs
• Strong security is often viewed as an impediment to efficient and user-friendly operation
OSI* Security Architecture
• Security attack
– Any action that compromises the security of information owned by an organization
• Security mechanism
– A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack
• Security service
– A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization
– Intended to counter security attacks, and they make use of one or more security mechanisms to provide the service
* OSI: Open Systems Interconnection model
Table 1.1 Threats and Attacks (RFC 4949)
Security Attacks
A means of classifying security attacks, used both in X.800 and RFC 4949, is in terms of passive attacks and active attacks
• A passive attack attempts to learn or make use of information from the system but does not affect system resources
• An active attack attempts to alter system resources or affect their operation
Passive Attacks
• Are in the nature of eavesdropping on, or monitoring of, transmissions
• Goal of the opponent is to obtain information that is being transmitted
• Two types of passive attacks are:
– The release of message contents
– Traffic analysis
Active Attacks
• Involve some modification of the data stream or the creation of a false stream
• Difficult to prevent because of the wide variety of potential physical, software, and network vulnerabilities
• Goal is to detect attacks and to recover from any disruption or delays caused by them
• Four categories of active attack:
– Masquerade: Takes place when one entity pretends to be a different entity; usually includes one of the other forms of active attack
– Replay: Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect
– Modification of messages: Some portion of a legitimate message is altered, or messages are delayed or reordered to produce an unauthorized effect
– Denial of service: Prevents or inhibits the normal use or management of communications facilities
Security Services
• Defined by X.800 as:
– A service provided by a protocol layer of communicating open systems and that ensures adequate security of the systems or of data transfers
• Defined by RFC 4949 as:
– A processing or communication service provided by a system to give a specific kind of protection to system resources
A central issue for Security Service design and implementation: Policy and Mechanism! Policy versus Mechanism?
X.800 Service Categories
• Authentication
• Access control
• Data confidentiality
• Data integrity
• Non-repudiation
Table 1.2 Security Services (X.800) (This table is found on page 18 in the textbook)
Security Mechanisms (X.800)
Specific Security Mechanisms
• Encipherment
• Digital signatures
• Access controls
• Data integrity
• Authentication exchange
• Traffic padding
• Routing control
• Notarization
Pervasive Security Mechanisms
• Trusted functionality
• Security labels
• Event detection
• Security audit trails
• Security recovery
Table 1.3 Security Mechanisms (X.800) (This table is found on pages 20-21 in the textbook)
Model for Network Security
Network Access Security Model
Unwanted Access
• Placement in a computer system of logic that exploits vulnerabilities in the system and that can affect application programs as well as utility programs such as editors and compilers
• Programs can present two kinds of threats:
– Information access threats
• Intercept or modify data on behalf of users who should not have access to that data
– Service threats
• Exploit service flaws in computers to inhibit use by legitimate users
Security technologies and techniques
• Encryption: can help ensure all three factors of information security
– Symmetric: DES, AES, …
– Asymmetric: RSA, Diffie-Hellman
– Hash: MD5, SHA, …
• Authentication, Authorization & Access Control
– Username/password, certificate, digital signature, CHAP, Kerberos, …
• Firewall & Intrusion Detection
© 2023, Vietnam-Korea University of ICT 28
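The active-attack categories (masquerade, replay, modification of messages) and the mechanisms listed above (data integrity, authentication exchange) come together in the following added example. It is not part of the lecture slides: it is a small Python script that attaches a sequence number and an HMAC-SHA256 tag to each message, then shows a receiver rejecting a replayed copy and a tampered copy of a legitimate message. The shared key, the message contents and the `protect`/`Receiver` names are constructed for the demo.

```python
import hmac
import hashlib
import json

# Constructed shared secret for the demo (assumption: sender and receiver
# already share it out of band; a real deployment provisions it securely).
SHARED_KEY = b"demo-shared-key-do-not-reuse"


def protect(key: bytes, seq: int, payload: str) -> dict:
    """Sender side: bind a sequence number to the payload and tag both with HMAC.
    Without the key a third party cannot forge a valid tag (counters masquerade)."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


class Receiver:
    """Receiver side: verifies the integrity tag, then refuses sequence
    numbers it has already accepted (counters replay)."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()

    def accept(self, msg: dict) -> tuple:
        body = msg["body"].encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        # Constant-time comparison so the check does not leak tag bytes via timing.
        if not hmac.compare_digest(expected, msg["tag"]):
            return (False, "modification detected: tag mismatch")
        seq = json.loads(body)["seq"]
        if seq in self.seen:
            return (False, "replay detected: sequence number already used")
        self.seen.add(seq)
        return (True, "accepted")


def run_demo() -> dict:
    """Constructed scenario: one legitimate message, then the same message
    replayed, then a copy whose payload was altered in transit."""
    rx = Receiver(SHARED_KEY)
    results = {}
    msg = protect(SHARED_KEY, seq=1, payload="transfer 10 to alice")
    results["first"] = rx.accept(msg)
    results["replay"] = rx.accept(msg)            # captured data unit sent again
    tampered = dict(msg)
    tampered["body"] = msg["body"].replace("10", "1000")  # altered amount, old tag
    results["modified"] = rx.accept(tampered)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:9s} -> {outcome}")
```

The integrity check runs before the replay check on purpose: a tampered message must never reach the sequence-number bookkeeping. The `seen` set grows without bound here; a real receiver would use a sliding window of sequence numbers, as IPsec does, or session-scoped counters.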
Vulnerability
• Vulnerability: a weakness that an attacker can exploit to perform attacks on the system. Vulnerabilities may exist in the network system or in network administration procedures.
• Program vulnerabilities (back-door)
• OS: Windows, Linux
• Application: Web, Mail, Database, …
• Protocols: TCP/IP 3-way handshake
• Physical
• Policies/management (password, sharing, …)
• Social engineering
Vulnerability
• Common web vulnerability
• Authentication and Authorization
• Injection Flaws
• Broken Authentication
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
• Sensitive data exposure
• Missing Function Level Access Control
• Cross-Site Request Forgery (CSRF)
…..
Risk Assessment
[Diagram: Vulnerabilities, Threats, Risk, Techniques/Policies]
Penetration testing (pen testing)
• Penetration testing, or pen testing, involves simulating real attacks to assess the risk associated with potential security breaches
• In a pen test (as opposed to a vulnerability assessment), the testers not only discover vulnerabilities that could be used by attackers but also exploit those vulnerabilities, where possible, to assess what attackers might gain after a successful exploitation.
The Stages of the Penetration Test
• Pre-engagement
• Information Gathering (Reconnaissance)
• Threat Modeling
• Vulnerability Analysis/Assessment
• Exploitation
• Post Exploitation
• Reporting
Pentest Types
• Penetrate and Exploit
– Social engineering; Client-side and server-side attacks
– Password cracking
• Assumption (Man in the Middle)
– Address spoofing; Eavesdropping; Packet capture and analysis
• Overwhelm and Disrupt
– DoS/DDoS; Buffer Overflow
• Destroy
– Malware; Ransomware
• Subvert (Controls Bypass)
– Attack vectors, Phishing, Spoofing, Malware
Pentest Targets and Specializations
• Generalist (network, Wi-Fi, and light web app)
• Application (web app, mobile, thick client, and cloud)
• Internet of Things (IoT)
• Industrial Control Systems (ICS)
• Hardware (including medical devices)
• Social engineering (people)
• Physical (buildings)
• Transportation (vehicles, airplanes)
• Red team (adversarial simulation)
Job opportunity
• Pentester
• Cryptanalyst
• Reverse Engineer
Homework
• Implement
– Chapter 1
– Chapter 2
– Chapter 3