CEHv8 module 20 penetration testing

Penetration Testing
Module 20
Exam 312-50 Certified Ethical Hacker
Ethical Hacking and Countermeasures
Engineered by Hackers. Presented by Professionals.
CEH
Ethical Hacking and Countermeasures v8
Module 20: Penetration Testing
Exam 312-50
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 20 Page 2873
Security News
City of Tulsa Cyber Attack Was Penetration Test, Not Hack
Source: http://www.esecurityplanet.com
The City of Tulsa, Oklahoma last week began notifying residents that their personal data may have been accessed, but it now turns out that the attack was a penetration test by a company the city had hired.
"City officials didn't realize that the apparent breach was caused by the security firm, Utah-based SecurityMetrics, until after 90,000 letters had been sent to people who had applied for city jobs or made crime reports online over the past decade, warning them that their personal identification information might have been accessed," writes Tulsa World's Brian Barber. "The mailing cost the city $20,000, officials said."
"An additional $25,000 was spent on security consulting services to add protection measures to the website," FOX23 News reports.
"The third-party consultant had been hired to perform an assessment of the city's network for vulnerabilities," write NewsOn6.com's Dee Duren and Lacie Lowry. "The firm used an unfamiliar testing procedure that caused the City to believe its website had been compromised. 'We had to treat this like a cyber-attack because every indication initially pointed to an attack,' said City Manager Jim Twombly."
"The chief information officer who failed to determine that the hack was actually part of a penetration test has been placed on administrative leave with pay," writes Softpedia's Eduard Kovacs. "In the meantime, his position will be filled by Tulsa Police Department Captain Jonathan Brook."
Copyright 2012 QuinStreet Inc
By Jeff Goldman
/>penetration-test-not-hack.html
Module Objectives
All the modules discussed so far concentrated on various penetration testing techniques specific to the respective element (web application, etc.), mechanism (IDS, firewall, etc.), or phase (reconnaissance, scanning, etc.). This module summarizes all the penetration tests. This module helps you in evaluating the security of an organization and also guides you to make your network or system more secure with its countermeasures.
The module will make you familiar with:
- Security Assessments
- Vulnerability Assessments
- Penetration Testing
- What Should be Tested?
- ROI on Penetration Testing
- Types of Penetration Testing
- Common Penetration Testing Techniques
- Pre-attack Phase
- Attack Phase
- Post-attack Phase
- Penetration Testing Deliverable Templates
- Pen Testing Roadmap
- Web Application Testing
- Outsourcing Penetration Testing Services
Module Flow
For a better understanding of penetration testing, this module is divided into various sections. Let's begin with penetration testing concepts.
- Pen Testing Concepts
- Types of Pen Testing
- Pen Testing Techniques
- Pen Testing Phases
- Pen Testing Roadmap
- Outsourcing Pen Testing Services
This section starts with the basic concepts of penetration testing. In this section, you will learn the role of penetration testing in the security assessment and why vulnerability assessment alone is not enough to detect and remove vulnerabilities in the network. Later in this section, you will examine why penetration testing is necessary, how to perform a good penetration test, how to determine testing points, testing locations, and so on.
Security Assessments
[Figure: Security Assessment Categories (Security Audits, Vulnerability Assessments, Penetration Testing) plotted against the level of security each provides]
Every organization uses different types of security assessments to validate the level of security on its network resources. Organizations need to choose the assessment method that suits the requirements of their situation most appropriately. People conducting different types of security assessments must possess different skills. Therefore, pen testers, whether they are employees or outsourced security experts, must have thorough experience of penetration testing. Security assessment categories include security audits, vulnerability assessments, and penetration testing or ethical hacking.
Security Assessment Categories
The security assessment is broadly divided into three categories:
1. Security Audits: IT security audits typically focus on the people and processes used to design, implement, and manage security on a network. There is a baseline involved for processes and policies within an organization. In an IT security audit, the auditor uses the organization's security policies and procedures as the specific baseline against which the organization is audited. IT management usually initiates IT security audits. The National Institute of Standards and Technology (NIST) has an IT security audit manual and associated toolset to conduct the audit; the NIST Automated Security Self-Evaluation Tool (ASSET) can be downloaded at t.R0v/asset/.
In a computer security audit, the technical assessment of a system or application is done either manually or automatically.
You can perform a manual assessment by using the following techniques:
- Interviewing the staff
- Reviewing application and operating system access controls
- Analyzing physical access to the systems
You can perform an automatic assessment by using the following techniques:
- Generating audit reports
- Monitoring and reporting the changes in the files
2. Vulnerability Assessments: A vulnerability assessment helps you in identifying security vulnerabilities. To perform a vulnerability assessment you should be a very skilled professional. Through proper assessment, threats from hackers (outsiders), former employees, internal employees, etc. can be determined.
3. Penetration Testing: Penetration testing is the act of testing an organization's security by simulating the actions of an attacker. It helps you in determining various levels of vulnerabilities and to what extent an external attacker can damage the network, before it actually occurs.
Security Audit
A security audit is a systematic, measurable technical assessment of how the security policy is employed by the organization. A security audit is conducted to maintain the security level of the particular organization. It helps you to identify attacks that pose a threat to the network or attacks against resources that are considered valuable in risk assessment. The security auditor is responsible for conducting security audits on the particular organization.
The security auditor works with the full knowledge of the organization, at times with considerable inside information, in order to understand the resources to be audited.
- A security audit is a systematic evaluation of an organization's compliance to a set of established information security criteria.
- The security audit includes assessment of a system's software and hardware configuration, physical security measures, data handling processes, and user practices against a checklist of standard policies and procedures.
- A security audit ensures that an organization has and deploys a set of standard information security policies.
- It is generally used to achieve and demonstrate compliance to legal and regulatory requirements such as HIPAA, SOX, PCI-DSS, etc.
Vulnerability Assessment
A vulnerability assessment is a basic type of security assessment. This assessment helps you in finding the known security weaknesses by scanning a network. With the help of vulnerability-scanning tools, you can search network segments for IP-enabled devices and enumerate systems, operating systems, and applications. Vulnerability scanners are capable of identifying device configurations including the OS version running on computers or devices, IP protocols and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports that are listening, and applications that are installed on computers.
By using vulnerability scanners, you can also identify common security mistakes such as accounts that have weak passwords, files and folders with weak permissions, default services and applications that might need to be uninstalled, and mistakes in the security configuration of common applications. They can search for computers exposed to known or publicly reported vulnerabilities. The software packages that perform vulnerability scanning check the computer against the Common Vulnerabilities and Exposures (CVE) index and the security bulletins provided by the software vendor. The CVE is a vendor-neutral listing of reported security vulnerabilities in major operating systems and applications and is maintained at http://cve.mitre.org/.
Vulnerability scanners can test systems and network devices for exposure to common attacks. This includes common attacks such as the enumeration of security-related information and denial-of-service attacks. However, it must be noted that vulnerability scanning reports can expose weaknesses in hidden areas of applications and frequently include many false positives. Network administrators who analyze vulnerability scan results must have sufficient knowledge and experience with the operating systems, network devices, and applications being scanned and their roles in the network.
You can use two types of automated vulnerability scanners depending upon the situation: network-based and host-based. Network-based scanners attempt to detect vulnerabilities from the outside. They are normally launched from a remote system, outside the organization, and without authorized user access. For example, network-based scanners examine a system for such exploits as open ports, application security exploits, and buffer overflows.
Host-based scanners usually require a software agent or client to be installed on the host. The client then reports back the vulnerabilities it finds to the server. Host-based scanners look for features such as weak file access permissions, poor passwords, and logging faults.
Limitations of Vulnerability Assessment
Vulnerability scanning software allows you to detect only a limited set of vulnerabilities at a given point in time. As with any assessment software that requires its signature file to be updated, vulnerability scanning software must be updated when new vulnerabilities are discovered or modifications are made to the software being used. The vulnerability software is only as effective as the maintenance performed on it by the software vendor and by the administrator who uses it. Vulnerability scanning software itself is not immune to software engineering flaws that might lead to non-detection of serious vulnerabilities.
Another aspect to be noted is that the methodology used might have an impact on the result of the test. For example, vulnerability scanning software that runs under the security context of the domain administrator will yield different results than if it were run under the security context of an authenticated user or a non-authenticated user. Similarly, diverse vulnerability scanning software packages assess security differently and have unique features. This can influence the result of the assessment. Vulnerability scanning also does not measure the strength of security controls. Examples of vulnerability scanners include Nessus and Retina.
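Two of the points above, that scanners match an inventory against an index such as CVE (the Vulnerability Assessment section) and that the result depends on the security context the scan runs in (this section), can be shown with one small model. The Python below is an added example written for this page, not the code of Nessus, Retina, EC-Council or any other product. The advisory index, product names, versions and the ADV-000x identifiers are all constructed placeholders, not real CVE entries; the only assumptions are that versions are dotted integers and that an unauthenticated scan can see only what a host exposes on the network.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed placeholder, not a real CVE number
    product: str
    fixed_in: str      # first version that carries the fix
    summary: str


@dataclass(frozen=True)
class Component:
    product: str
    version: str
    network_visible: bool   # True if a remote, unauthenticated scan can observe it


def parse_version(version: str) -> tuple:
    """Dotted version string -> tuple of ints, so '1.10' correctly sorts after '1.9'
    (a plain string comparison would get this wrong and produce false results)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(component: Component, advisory: Advisory) -> bool:
    """A component is affected when it is the named product and older than the fix."""
    return (component.product == advisory.product
            and parse_version(component.version) < parse_version(advisory.fixed_in))


def scan(inventory: list, advisories: list, authenticated: bool) -> list:
    """Return the sorted advisory ids matched against the inventory.

    An unauthenticated (network-based) scan only sees components that expose
    themselves on the network; an authenticated (host-based, agent or credentialed)
    scan sees the full inventory. Same host, same index, different result.
    """
    visible = [c for c in inventory if authenticated or c.network_visible]
    return sorted(a.advisory_id
                  for c in visible
                  for a in advisories
                  if is_affected(c, a))


# constructed advisory index and constructed host inventory (placeholder ids/products)
ADVISORIES = [
    Advisory("ADV-0001", "webserver", "2.4.10", "request handling flaw fixed in 2.4.10"),
    Advisory("ADV-0002", "sshd", "8.9", "authentication flaw fixed in 8.9"),
    Advisory("ADV-0003", "libcrypto", "1.1.1", "local key handling flaw fixed in 1.1.1"),
]
HOST = [
    Component("webserver", "2.4.9", network_visible=True),
    Component("sshd", "9.0", network_visible=True),
    Component("libcrypto", "1.0.2", network_visible=False),  # library, not a listener
]


if __name__ == "__main__":
    print("unauthenticated:", scan(HOST, ADVISORIES, authenticated=False))
    print("authenticated:  ", scan(HOST, ADVISORIES, authenticated=True))
```

The unauthenticated pass reports only the web server; the credentialed pass also finds the outdated library that no port reveals. That gap is exactly why the text warns that the security context of the scan changes the result, and why a match here is still only a candidate finding until someone with knowledge of the host confirms it.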
Introduction to Penetration Testing
This module marks a departure from the approach followed in earlier modules; here you will be encouraged to think "outside the box." Hacking as it was defined originally portrayed a streak of genius or brilliance in the ability to conjure previously unknown ways of doing things. In this context, to advocate a methodology that can be followed to simulate a real-world hack through ethical hacking or penetration testing might come across as a contradiction. Penetration testing is a process of evaluating the security of the network by trying all possible attack vectors as an attacker does. The reason behind advocating a methodology in penetration testing arises from the fact that most attackers follow a common underlying approach when it comes to penetrating a system.
In the context of penetration testing, as a tester you will be limited by resources such as time, skilled resources, and access to equipment, as outlined in the penetration testing agreement. The paradox of penetration testing is the fact that the inability to breach a target does not necessarily indicate the absence of vulnerability. In other words, to maximize the returns from a penetration test, you must be able to apply your skills to the resources available in such a manner that the attack area of the target is reduced as much as possible.
A pen test simulates methods that intruders use to gain unauthorized access to an organization's networked systems and then compromise them. It involves using proprietary and open source tools to test for known and unknown technical vulnerabilities in networked systems. Apart from automated techniques, penetration testing involves manual techniques for conducting targeted testing on specific systems to ensure that there are no security flaws that may have gone undetected earlier.
The main purpose behind footprinting in a pen test is to gather data related to a target system or network and find out its vulnerabilities. You can perform this through various techniques such as DNS queries, network enumeration, network queries, operating system identification, organizational queries, ping sweeps, point of contact queries, port scanning, registrar queries, and so on.
Penetration Testing
Penetration testing goes a step beyond vulnerability scanning in the category of security assessments. With vulnerability scanning, you can only examine the security of the individual computers, network devices, or applications, but penetration testing allows you to assess the security model of the network as a whole. Penetration testing can help you to reveal the potential consequences of a real attacker breaking into the network to network administrators, IT managers, and executives. Penetration testing also reveals the security weaknesses that typical vulnerability scanning misses.
A penetration test will not only point out vulnerabilities, it will also document how the weaknesses can be exploited and how several minor vulnerabilities can be escalated by an attacker to compromise a computer or network. Penetration testing must be considered as an activity that shows the holes in the security model of an organization. Penetration testing helps organizations to reach a balance between technical prowess and business functionality from the perspective of potential security breaches. This test can help you in disaster recovery and business continuity planning.
Most vulnerability assessments are carried out solely based on software and cannot assess security that is not related to technology. Both people and processes can be the source of security vulnerabilities as much as the technology can be. Using social engineering techniques, penetration tests can reveal whether employees routinely allow people without identification to enter company facilities and where they would have physical access to computers. Practices such as patch management cycles can be evaluated. A penetration test can reveal process problems, such as not applying security updates until three days after they are released, which would give attackers a three-day window to exploit known vulnerabilities on servers.
You can differentiate a penetration tester from an attacker only by his or her intent and lack of malice. Therefore, employees or external experts must be cautioned against conducting penetration tests without proper authorization. Penetration testing that is not completed professionally can result in the loss of services and disruption of business continuity. Management needs to give written approval for penetration testing. This approval should include a clear scoping, a description of what will be tested, and when the testing will take place. Because of the nature of penetration testing, failure to obtain this approval might result in committing a computer crime, despite the best intentions.
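The written approval described above (scope, what will be tested, and when) is only useful if the tester's tooling actually consults it before touching a host. The following Python is an added example written for this page, not EC-Council's code or any tool's: a pre-flight check that refuses a target unless it is inside the approved address ranges and not carved out, the kind of test is on the approved list, and the current time falls in the agreed window. The Authorization record, its field names, the 192.0.2.0/24 and 198.51.100.0/24 addresses (IETF documentation ranges) and the dates are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress


@dataclass
class Authorization:
    """The elements the text says written approval must carry: who approved it,
    a clear scope, what will be tested, and when. Field names are this example's."""
    client: str
    in_scope: list                                   # approved CIDR ranges
    excluded: list = field(default_factory=list)     # carve-outs inside those ranges
    allowed_tests: set = field(default_factory=set)  # approved test types
    window_start: datetime = datetime.min.replace(tzinfo=timezone.utc)
    window_end: datetime = datetime.max.replace(tzinfo=timezone.utc)


def _in_any(ip, networks) -> bool:
    """True if ip falls inside any of the given CIDR strings."""
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def check_target(auth: Authorization, target_ip: str, test_type: str, now: datetime) -> tuple:
    """Return (allowed, reason). Every condition must hold; exclusions override
    inclusions, and the first failing check names the problem so it can be logged."""
    ip = ipaddress.ip_address(target_ip)
    if _in_any(ip, auth.excluded):
        return False, f"{target_ip} is explicitly excluded from scope"
    if not _in_any(ip, auth.in_scope):
        return False, f"{target_ip} is outside the authorized scope"
    if test_type not in auth.allowed_tests:
        return False, f"test type '{test_type}' was not approved"
    if not auth.window_start <= now <= auth.window_end:
        return False, "outside the agreed testing window"
    return True, "authorized"


# constructed authorization record for the example
AUTH = Authorization(
    client="Example Client (constructed)",
    in_scope=["192.0.2.0/24"],
    excluded=["192.0.2.10/32"],           # e.g. a production host the client withheld
    allowed_tests={"port_scan", "web_app"},
    window_start=datetime(2024, 1, 15, tzinfo=timezone.utc),
    window_end=datetime(2024, 1, 19, 23, 59, tzinfo=timezone.utc),
)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for target, kind in [("192.0.2.5", "port_scan"), ("192.0.2.10", "port_scan"),
                         ("198.51.100.7", "web_app"), ("192.0.2.5", "dos")]:
        print(target, kind, check_target(AUTH, target, kind, now))
```

Wiring this check in front of every scanning or testing step, and logging each refusal, gives the engagement the audit trail the Tulsa story at the start of this module lacked: the client can see exactly what was tested, against what, and when.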
Why Penetration Testing?
Penetration testing plays a vital role in evaluating and maintaining the security of a system or network. It helps you in finding out the loopholes by deploying attacks. It includes both script-based testing as well as human-based testing on networks. A penetration test not only reveals network security holes, but also provides risk assessment. Let's see what you can do with the help of penetration testing:
- You can identify the threats facing an organization's information assets.
- You can reduce an organization's IT security costs and provide a better Return On IT Security Investment (ROSI) by identifying and resolving vulnerabilities and weaknesses.
- You can provide an organization with assurance: a thorough and comprehensive assessment of organizational security covering policy, procedure, design, and implementation.
- You can gain and maintain certification to an industry regulation (BS7799, HIPAA, etc.).
- You can adopt best practices by conforming to legal and industry regulations.
- You can test and validate the efficiency of security protections and controls.
- It focuses on high-severity vulnerabilities and emphasizes application-level security issues to development teams and management.
- It provides a comprehensive approach of preparation steps that can be taken to prevent upcoming exploitation.
- You can evaluate the efficiency of network security devices such as firewalls, routers, and web servers.
- You can use it for changing or upgrading existing infrastructure of software, hardware, or network design.
Comparing Security Audit, Vulnerability Assessment, and Penetration Testing
Although a lot of people use the terms security audit, vulnerability assessment, and penetration test interchangeably to mean security assessment, there are considerable differences between them.
Security Audit: A security audit just checks whether the organization is following a set of standard security policies and procedures.
Vulnerability Assessment: A vulnerability assessment focuses on discovering the vulnerabilities in the information system but provides no indication of whether the vulnerabilities can be exploited or the amount of damage that may result from the successful exploitation of the vulnerability.
Penetration Testing: Penetration testing is a methodological approach to security assessment that encompasses the security audit and vulnerability assessment and demonstrates whether the vulnerabilities in the system can be successfully exploited by attackers.
TABLE 20.1: Comparison between Security Audit, Vulnerability Assessment, and Penetration Testing
C E H
What Should be Tested?

An organization should conduct a risk assessment operation before the penetration testing that will help to identify the main threats, such as:

• FTP, IIS, and web servers
• Public facing systems: websites, email gateways, and remote access platforms
• Communications failure and e-commerce failure
• Mail, DNS, firewalls, and passwords
• Loss of confidential information

Note: Testing should be performed on all hardware and software components of a network security system
What Should be Tested?

It is always ideal to conduct a vulnerability assessment in an organization so that various potential threats can be known well before they occur. You can test various network or system components for security vulnerabilities, such as:

• Communication failure
• E-commerce failure
• Loss of confidential information
• Public facing systems: websites
• Email gateways
• Remote access platforms
• Mail
• DNS
• Firewalls
• Passwords
• FTP
• IIS
• Web servers
What Makes a Good Penetration Test?
Consider the following factors to perform a good penetration test:

• Establish the parameters for the penetration test, such as objectives, limitations, and the justification of procedures. Establishing these parameters helps you know the purpose of conducting the penetration test.
• Hire skilled and experienced professionals to perform the test. If the penetration test is not done by skilled and experienced professionals, there is a chance of damaging live data, and the test can do more harm than good.
• Choose a suitable set of tests that balances cost and benefits.
• Follow a methodology with proper planning and documentation. It is very important to document the test at each phase for further reference.
• Document the results carefully and make them comprehensible for the client.
• State the potential risks and findings clearly in the final report.
ROI on Penetration Testing

• Demonstrate the ROI for a pen test with the help of a business case scenario, which includes the expenditure and the profits involved in it
• Companies will spend on the pen test only if they have proper knowledge of the benefits of the pen test
ROI on Penetration Testing

ROI (return on investment) is a traditional financial measure. It is used to project the business results of an investment for the future based on calculations over historical data. The ROI is calculated based on three things:

• Payback period: In this method, the time taken to get the payback (recovering the amount invested) on a particular project is calculated.
• Net present value: Future benefits are calculated in terms of today's money.
• Internal rate of return: The benefits, expressed as an interest rate.

So whenever a penetration test is conducted, a company checks what kinds of benefits are associated with the penetration testing. What costs will be incurred for the penetration testing? What are the costs of hiring skilled professionals?

All these things must be kept in view, and penetration testing should be conducted through proper planning.

• Penetration testing helps companies in identifying, understanding, and addressing vulnerabilities, which saves them a lot of money, resulting in ROI.
• Demonstrate the ROI for a pen test with the help of a business case scenario, which includes the expenditure and the profits involved in it.
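The three ROI measures above, worked through on a pen-test business case scenario (an added example, not part of the CEH material; every cost, loss and rate figure is a constructed assumption):

```python
# Added example, not part of the CEH material: a pen-test business case worked
# through the three ROI measures the notes list (payback period, NPV, IRR).
# Every figure is a constructed assumption.
from typing import Dict, List, Optional

def payback_period(cash_flows: List[float]) -> Optional[float]:
    """Years until cumulative cash flow reaches zero; cash_flows[0] is the
    (negative) outlay, later entries are yearly net benefits. Interpolates
    within the year; returns None if the outlay is never recovered."""
    cumulative = cash_flows[0]
    if cumulative >= 0:
        return 0.0
    for year in range(1, len(cash_flows)):
        previous = cumulative
        cumulative += cash_flows[year]
        if cumulative >= 0:  # this year's inflow covers the remaining deficit
            return (year - 1) + (-previous / cash_flows[year])
    return None

def npv(rate: float, cash_flows: List[float]) -> float:
    """Net present value: future benefits discounted to today's money."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))

def irr(cash_flows: List[float], lo: float = -0.99, hi: float = 10.0) -> float:
    """Internal rate of return: the discount rate at which NPV is zero, found
    by bisection (NPV falls as the rate rises for an outlay-then-benefits flow)."""
    if npv(lo, cash_flows) * npv(hi, cash_flows) > 0:
        raise ValueError("IRR is not bracketed by [lo, hi]")
    while hi - lo > 1e-7:
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if npv(mid, cash_flows) > 0 else (lo, mid)
    return (lo + hi) / 2

def pentest_business_case(test_cost: float, remediation_cost: float,
                          annual_expected_loss: float, risk_reduction: float,
                          years: int, discount_rate: float) -> Dict[str, Optional[float]]:
    """Expenditure = test fee plus fixing what it finds; yearly profit = the
    share of the annual expected loss the remediation is assumed to avert."""
    flows = [-(test_cost + remediation_cost)] + [annual_expected_loss * risk_reduction] * years
    return {"payback_years": payback_period(flows),
            "npv": npv(discount_rate, flows),
            "irr": irr(flows)}

if __name__ == "__main__":
    # constructed scenario: $30k test, $20k remediation, $200k/year expected loss,
    # 20% of it averted for 3 years, 10% discount rate
    print(pentest_business_case(30000, 20000, 200000, 0.20, 3, 0.10))
```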
Testing Points

• Organizations have to reach a consensus on the extent of information that can be divulged to the testing team to determine the starting point of the test
• Providing a penetration testing team with additional information may give it an unrealistic advantage
Testing Points

Every penetration test will have a start and end point, irrespective of whether it is a zero-knowledge or partial-knowledge test. How does a pen test team or an organization determine this? While providing a penetration-testing team with information such as the exact configuration of the firewall used by the target network may speed up the testing, it can work negatively by providing the testers with an unrealistic advantage.

If the objective of the penetration effort is to find as many vulnerabilities as possible, it might be a good idea to opt for white box testing and share as much information as possible with the testers. This can help in detecting hidden vulnerabilities that often go undetected because of obscurity. On the other hand, if the purpose of the penetration test is to evaluate the effectiveness of the security posture of the organization, irrespective of any "security by obscurity" measures, withholding information will produce more realistic results.

Similarly, by making highly sensitive information, such as the names and user IDs of system administrators, available to the testers, the organization may be defeating the purpose of a comprehensive pen test. Therefore, a balance must be reached between assisting the testing team in conducting their test faster and providing a more realistic testing environment by restricting information.

Some organizations may choose to get the initial pen test audited by a second pen test team so that there is third-party assurance on the results obtained.
Testing Locations

• The pentest team may have a choice of doing the test either remotely or on-site
• A remote assessment may simulate an external hacker attack. However, it may miss assessing internal guards
• An on-site assessment may be expensive and may not simulate an external threat exactly
Testing Locations

The penetration test team may have a preference on the location from where they would probe the network. Alternatively, the organization may want the network to be assessed from a remote location. If the pen test team is based overseas, an onsite assessment may be more expensive than a remote one.

The location of the assessment has an influence on the test results. Testing over the Internet may provide a more realistic test environment. However, the pen test team may learn little if there is a well-configured perimeter firewall and robust web application defenses. A purely external assessment may not be able to test any additional inner network defenses put in place to guard against an internal intruder.

Sometimes, the organization may have a network that is dispersed geographically across locations and that contains several systems. In this case, the organization may choose to prioritize locations, or the team may choose locations depending on critical applications.

If a complete knowledge test is being undertaken, the pen test team can undertake an asset audit to determine which systems are critical to the business, and plan the test accordingly.