Penetration Testing in Secure Environments
Penetration testing involves identifying the services (sometimes referred to as daemons) running on a host, then finding and exploiting vulnerabilities in those services.
A vulnerability is simply a weakness in a computer system that an attacker can take advantage of. The act of identifying the specific vulnerabilities in a computer system or computer network is called vulnerability assessment. In corporate environments, however, firewalls, IDS, IPS and similar devices are deployed, and these hinder penetration testers from assessing the vulnerabilities further.
In this post we will see how to perform penetration testing in an environment that has been secured by a firewall.
The first step is to check IP-level connectivity between the attacker and the target, typically with a ping.
If you get a ping response, the target system is alive and we can proceed to identify which ports are open on it. Before that, though, we must know which network devices our packets pass through before they reach the target system.
For this the traceroute utility comes in handy.
When a firewall is deployed you are likely to see more "*" entries than IP addresses, which is an indication that a firewall sits on the path. In some scenarios a deployed firewall will cause traceroute to return no results at all.
To our rescue comes the Nmap firewalk script.
Nmap supports scripts that are run by the NSE (Nmap Scripting Engine).
To bypass the firewall, use the Nmap firewalk script.
Here we use the firewalk script for Nmap in conjunction with traceroute:
nmap --script=firewalk --traceroute <target-ip>
Once this is done we know the network architecture and can proceed to perform an advanced port scan on the network. To do this we use hping3.
hping3 is a command-line packet assembler/analyser used for firewall testing, advanced port scanning, manual path MTU discovery and lots of other interesting things.
root@kali:~# hping3 -h
usage: hping3 host [options]
  -h  --help      show this help
  -v  --version   show version
  -c  --count     packet count
  -i  --interval  wait (uX for X microseconds, for example -i u1000)
      --fast      alias for -i u10000 (10 packets for second)
      --faster    alias for -i u1000 (100 packets for second)
      --flood     sent packets as fast as possible. Don't show replies.
  -n  --numeric   numeric output
  -q  --quiet     quiet
  -I  --interface interface name (otherwise default routing interface)
  -V  --verbose   verbose mode
  -D  --debug     debugging info
  -z  --bind      bind ctrl+z to ttl (default to dst port)
  -Z  --unbind    unbind ctrl+z
      --beep      beep for every matching packet received
The scan used here sends SYN packets (-S) to the target, 100 packets in total (-c 100), with the destination port starting at 1 and incremented by one for every packet (-p ++1):
hping3 -S <target-ip> -c 100 -p ++1
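From the defender's side, a sweep like the one above leaves a very recognisable trace in the firewall logs. The following is an added example (not code from the original post): it parses constructed netfilter-style LOG lines (the log format, prefixes and addresses are assumptions) and reports any source that sends bare SYNs to many distinct destination ports on one host, noting when those ports form one contiguous run, as an incrementing -p ++1 scan would leave.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of the netfilter LOG target (not a real capture):
# one source walks destination ports 1..12 with bare SYNs, as "hping3 -S -p ++1" does,
# while a second source makes a couple of ordinary connection attempts to port 443.
SAMPLE_LOG = [
    f"Jan 10 09:00:{i:02d} fw kernel: FW-DROP: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 "
    f"PROTO=TCP SPT={40000 + i} DPT={i} WINDOW=512 SYN URGP=0"
    for i in range(1, 13)
] + [
    "Jan 10 09:00:20 fw kernel: FW-ACCEPT: IN=eth0 SRC=192.0.2.77 DST=198.51.100.5 "
    "PROTO=TCP SPT=51000 DPT=443 WINDOW=64240 SYN URGP=0",
    "Jan 10 09:00:21 fw kernel: FW-ACCEPT: IN=eth0 SRC=192.0.2.77 DST=198.51.100.5 "
    "PROTO=TCP SPT=51001 DPT=443 WINDOW=64240 SYN URGP=0",
]

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)(?P<rest>.*)$"
)

def parse_syn_probe(line):
    """Return (src, dst, dport) for a bare-SYN TCP log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    flags = set(m.group("rest").split())
    if "SYN" not in flags or "ACK" in flags:   # only new connection attempts count
        return None
    return m.group("src"), m.group("dst"), int(m.group("dpt"))

def detect_port_sweeps(lines, min_ports=10):
    """Group bare SYNs by (src, dst) and report pairs that touched at least
    min_ports distinct destination ports; 'sequential' is True when the ports
    form one contiguous run, the signature of an incrementing port scan."""
    seen = defaultdict(set)
    for line in lines:
        probe = parse_syn_probe(line)
        if probe:
            src, dst, dport = probe
            seen[(src, dst)].add(dport)
    findings = []
    for (src, dst), ports in seen.items():
        if len(ports) >= min_ports:
            contiguous = max(ports) - min(ports) + 1 == len(ports)
            findings.append({"src": src, "dst": dst, "ports": len(ports),
                             "sequential": contiguous})
    return findings

if __name__ == "__main__":
    for finding in detect_port_sweeps(SAMPLE_LOG):
        print(finding)
```

The threshold and window are deliberately simple; in production the same grouping would be keyed by time bucket as well, so that a slow scan spread over hours is not missed.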