Penetration testing, better known as a pen test, is the process where somebody manifests themselves as an outsider and actually tries to grab sensitive data, sensitive information, from within your infrastructure. Now, you've got to be careful here: you don't want to confuse a vulnerability assessment with a penetration test. A vulnerability assessment at no time will ever actually try to grab the data; a penetration test will actually try to grab the data itself. So when we're talking about a penetration test, there are a few steps that are always going to take place. Number one, you're going to be discovering vulnerabilities. In this case, you're going to be doing some form of reconnaissance; you're going to be trying to get information. And in many cases, you actually end up using vulnerability scanners to do that. Second, and this is what you would never do in a vulnerability assessment, is you're actually going to exploit those vulnerabilities.
You're going to go in and you're going to grab usernames and passwords, or you're going to pull down the database, or you're going to corrupt a web page. You're going to actually do some form of exploit that does something very concrete to that target network. So those are your first two steps. Well, your third step... actually, you know what, let's make this the first step. Your first step before you do any of this stuff is authorization. Because of the implicit naughtiness of a penetration test, the buy-in from management, the authorization, is incredibly important.
At the very minimum, you're going to have to do two things. Number one, you're going to have to define the targets. Most of the time when you're doing a pen test, you're trying to say, you know, can you do this? Can you crack our website or something like that? But the second thing you're going to have to define is something known as the attack model. An attack model defines what the attacker knows before they do a penetration test.
The first attack model is known as a white box. In this case, the attacker has extensive knowledge about the target. They know IP addresses, they know who's running what, they might even have usernames and passwords. In this case, attackers are more like trusted insiders. This is the cheapest and fastest type of attack model for a pen test. On the other side is a black box attack model.
In this case, the attackers know nothing about the target. This is more where the attackers are like strangers, and invariably this is going to be some form of external hacking. The downside to black boxes is that they are potentially expensive and slow, due to the nature of the amount of time we need for reconnaissance. An alternative is what we call a gray box. The gray box is somewhere between the two extremes.
For example, we may know where a SQL Server is, but we may not have usernames, passwords or something like that. So you've got it worked out with upper management that you're going to do some form of pen test. So let's kind of march through the processes that are actually going to take place once you've been given the go-ahead to get started. So the first thing we're going to be doing is we're going to be discovering vulnerabilities. To me, this is more what I call the reconnaissance mode. Now you've got three different ways to do an exploration to discover these vulnerabilities.
First of all, you can do what's known as a passive discovery. With a passive, what you're talking about is you're not putting any of your packets onto the target. So you could be doing a WHOIS lookup, for example, or you could be making some phone calls. With a passive, you're not doing anything from a computer that's sending packets over to your target. The second thing would be semi-passive. Semi-passive is you're actually putting packets onto the target, but you're not doing anything that would raise any alarms or set off an intrusion detection or anything like that. So for example, if you've got a target web server that you're looking for, you could just go to the website and check it out a little bit.
And you need to do whatever reconnaissance you need to do in that particular situation. The third one is an active discovery, an active reconnaissance. In this situation, you are actually putting packets downrange on the target. You're running scanners, you're running an Nmap, you're running tools like that, that could possibly alert an intrusion detection system or get you blocked by an intrusion prevention system or by a firewall. The bottom line is that you're going to go through these processes. And in these cases, you're often just using standard vulnerability scanners to get this reconnaissance information. But you do reach a point where you suddenly go, Hmm, I have a target.
I wonder if it has a particular exploit. And that's where we need to talk about exploiting the target. Now, by the way, the tools that I tend to use when I'm exploiting a target... probably the single most famous one is the infamous Metasploit. And in particular, I'm a big fan, if you've been watching any of my other episodes, I love the Kali Linux distro. It's a big popular one. It includes Metasploit, along with a lot of other tools that go along with it.
The thing to keep in mind about Metasploit is that Metasploit is not a program. All right, it's a penetration testing, what we call a framework. It really gives you a little more than a command line, and a number of tools that allow you to make an exploit. So for right now, let's go ahead and talk about what we have to do to exploit a target, and then we'll take a look at Metasploit. When we're in a target, we're ready to exploit it. First, we're going to start off with some initial exploitation based on the idea of banner grabbing. Here's an example of me banner grabbing a website using telnet.
I have enough information that allows me to try to do some form of initial exploitation. Now, this initial exploitation in and of itself may be sufficient. But what we can often do is something known as a pivot. A pivot is nothing more than an initial exploitation which allows us to act as a launching point to do even more exploitation. So for example, if I were able to get root access to a system, that is in and of itself an exploitation. However, once I have root access, I can treat that as a pivot to do all kinds of interesting things. The other thing to keep in mind is that we do what's known as persistence.
Persistence simply means that we keep doing something for a while. Most good penetration testing doesn't happen over the course of a few hours or a few days. What will normally take place is it will go over weeks, looking for a particular issue. Last, and this is what it's all about: escalation of privilege. As I just described, getting root access is the holy grail of penetration testing.
So what I've got here in front of me is good old Metasploit. Now, Metasploit is a framework. It's not a single program, but as a framework, it allows me to run different programs that will work together and know what each other's doing. So Metasploit is absolutely amazing. Now, what I'm doing is I'm running something called Armitage on top of Metasploit.
Armitage just helps me run with the framework a little bit. So if we take a look here, this is our Armitage. But down here is just good ole Metasploit right here. And that's MSF, which means Metasploit Framework. So for example, if I want to take a look at all the stuff that's going on for SMB clients on this network, you can see that I run this Nmap, but I run a Metasploit script right here. So this .nse file is basically a script, and it runs through.
And it does all kinds of stuff. So it's going through and it's looking for usernames for SMB. You can see a lot of these are disabled, unfortunately. Let's keep scrolling. Ah, it took me a minute, but there it is. This is not a disabled account.
So there is an account called msfadmin on a particular system. So the cool part about this is, and I jumped ahead a little bit, remember that with pen testing, we're going to first discover vulnerabilities. So I can run an Nmap and tools like that. And it does its pretty little graphical representation of all the different systems that it found on this network. So the reconnaissance does a really, really good job.
Now if I were to run Metasploit in its typical way, I would then start running these very esoteric commands of one type or another. And I would be injecting all of these different types of exploits. Metasploit literally uses vulnerability databases, and you can look for particular vulnerabilities. But what Metasploit does that's particularly nice is that it does a banner grab on the system. So it'll sit there and go, Ah, this is a Windows system or whatever it might be, that's running this version of Apache web server, whatever it is, and then it makes a listing of the types of attacks you can do. And this is where Armitage, the graphical front end, becomes kind of nice. If you take a look here.
You can see I can pick different attacks. And it's only showing me the ones that it can do. If you take a look over here at services, you can see here's this computer, 192 160 859, and look at all the open services. This thing's running just about everything there is. In fact, this is a very specific type of machine called Metasploitable. And it's actually a virtual machine that's designed for people to attack. It's a fun thing to practice on.
And as you can see by looking at this, you can see it's running just about everything you could possibly think of. And the fun part is, we can just right-click on this guy, pick an attack. Lots and lots of HTTP attacks. Let's try it again. And it will go ahead and do that attack for me. Let that guy launch.
And maybe it'll work and maybe it won't. It just depends on the patch level for that particular system. So make sure you're familiar with Metasploit. It's probably the first go-to pen testing tool that's out there. And don't you ever call it a program. It's a framework.
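The banner grab described above, done in Python instead of by hand in telnet, as an added example that is not part of the original video or its tooling. It sends the HEAD request you would otherwise type, parses the response head, and reports which headers hand out software names and versions, which is the check a server owner runs to see what their own web server discloses. The sample response bytes are constructed, not captured from any real host.

```python
import socket

# Constructed sample of a HEAD response from an unhardened web server
# (hypothetical values, not captured from any real machine).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: Apache/2.2.8 (Ubuntu) DAV/2\r\n"
    b"X-Powered-By: PHP/5.2.4-2ubuntu5.10\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

def parse_banner(raw):
    """Split a raw HTTP response head into its status line and a dict of
    headers (names lower-cased so lookups are case-insensitive)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def disclosed_versions(headers):
    """Return the headers that leak a version number: exactly what a banner
    grab gives away, and what a hardened server configuration suppresses."""
    leaky = ("server", "x-powered-by", "x-aspnet-version")
    return {h: headers[h] for h in leaky
            if h in headers and any(c.isdigit() for c in headers[h])}

def grab_banner(host, port=80, timeout=5):
    """Send a HEAD request (the same lines typed into telnet) and return the
    raw response head from a server you operate."""
    request = ("HEAD / HTTP/1.1\r\nHost: %s\r\n"
               "Connection: close\r\n\r\n" % host).encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        while b"\r\n\r\n" not in b"".join(chunks):
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

if __name__ == "__main__":
    status, headers = parse_banner(SAMPLE_RESPONSE)
    print(status)
    for name, value in disclosed_versions(headers).items():
        print("version disclosed in %s: %s" % (name, value))
```

Running it against a real host means replacing SAMPLE_RESPONSE with the bytes grab_banner returns; an empty dict from disclosed_versions means the server gives a banner grab nothing to work with.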