Penetration Testing in Secure Environments
Penetration testing involves identifying the services (sometimes referred to as daemons) running on a host, then finding and exploiting vulnerabilities in those services.
A vulnerability is a weakness in a computer system that an attacker can take advantage of. The act of identifying the specific vulnerabilities in a computer system or computer network is called vulnerability assessment. Corporate environments, however, are secured with firewalls, IDS, IPS and other devices that prevent penetration testers from assessing vulnerabilities any further.
In this post we will see how to perform penetration testing in an environment that has been secured by a firewall.
The first step is to check IP-level connectivity between the attacker and the target:
ping <target-ip>
If you get a ping response, the target system is alive and we can proceed to identify which ports are open on the target. Before that, however, we must know which network devices our packets pass through before they reach the target system.
For this the traceroute utility comes in handy:
traceroute <target-ip>
When a firewall is deployed you are likely to see more "*" entries than IP addresses, which is an indication that a firewall is present on the network. In some cases a traceroute returns no results at all when a firewall is in place.
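The "more stars than IP addresses" rule of thumb can be applied programmatically. The following Python script is an added example (not from the original post): it parses captured traceroute output, counts the hops that answered versus those that stayed silent, and reports the first hop from which every later hop is silent, which is where a filtering device is most likely sitting. The traceroute output embedded below is constructed for the example; the addresses are documentation ranges, not real hosts.

```python
"""Interpret traceroute output: count hops that answered versus hops that
timed out, and locate the first hop beyond which nothing answers.
Added example, not part of the original post. SAMPLE_TRACEROUTE is a
constructed run towards a host behind a firewall that drops probes."""
import re

# Constructed sample: hops 1-3 answer, everything from hop 4 on is dropped.
SAMPLE_TRACEROUTE = """\
traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.412 ms  0.380 ms  0.371 ms
 2  10.20.0.1 (10.20.0.1)  1.902 ms  1.877 ms  1.850 ms
 3  198.51.100.1 (198.51.100.1)  8.115 ms  * 8.090 ms
 4  * * *
 5  * * *
 6  * * *
 7  * * *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")          # "<hop>  <rest of line>"
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")     # dotted IPv4 address


def parse_hops(output):
    """Return a list of (hop_number, responder_ip_or_None, star_count)."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line or other noise
        hop_no, rest = int(m.group(1)), m.group(2)
        ips = IP_RE.findall(rest)
        hops.append((hop_no, ips[0] if ips else None, rest.count("*")))
    return hops


def summarize(output):
    """Classify the trace: hops that replied, hops that were silent, the last
    device that answered, and the first hop from which every later hop is
    silent (None if the final hops still answered)."""
    hops = parse_hops(output)
    answered = [h for h in hops if h[1] is not None]
    silent = [h for h in hops if h[1] is None]
    silent_from = None
    for hop_no, ip, _ in reversed(hops):   # walk back over the silent tail
        if ip is not None:
            break
        silent_from = hop_no
    return {
        "answered": len(answered),
        "silent": len(silent),
        "last_responder": answered[-1][1] if answered else None,
        "silent_from_hop": silent_from,
        # the post's heuristic: more silent hops than responding ones
        "likely_filtered": len(silent) > len(answered),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_TRACEROUTE))
```

Feed it the real output of traceroute instead of SAMPLE_TRACEROUTE to check your own trace; a single "*" inside an otherwise answering hop (as on hop 3 above) is ordinary packet loss and is not counted as a silent hop.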
To our rescue comes the Nmap firewalk script.
Nmap supports scripts that are run by the NSE (Nmap Scripting Engine).
To get past the point where plain traceroute stops giving answers, use the Nmap firewalk script.
Here we run the firewalk script in conjunction with Nmap's own traceroute option:
nmap --script=firewalk --traceroute <target-ip>
Once this is done and we know the network architecture, we can proceed to perform an advanced port scan on the network. To do this we use hping3.
Hping3 is a command-line packet assembler/analyser used for firewall testing, advanced port scanning, manual path MTU discovery and many other interesting things.
root@kali:~# hping3 -h
usage: hping3 host [options]
-h --help show this help
-v --version show version
-c --count packet count
-i --interval wait (uX for X microseconds, for example -i u1000)
--fast alias for -i u10000 (10 packets for second)
--faster alias for -i u1000 (100 packets for second)
--flood sent packets as fast as possible. Don't show replies.
-n --numeric numeric output
-q --quiet quiet
-I --interface interface name (otherwise default routing interface)
-V --verbose verbose mode
-D --debug debugging info
-z --bind bind ctrl+z to ttl (default to dst port)
-Z --unbind unbind ctrl+z
--beep beep for every matching packet received
hping3 -S <target-ip> -c 100 -p ++1