EC-Council E-Business Certification Series
Copyright © by EC-Council
Developer - Thomas Mathew
Publisher - OSB Publisher
ISBN No - 0972936211
By explaining computer security and outlining methods to test computer systems
for possible weaknesses, this guide provides the tools necessary for
approaching computers with the skill and understanding of an outside
hacker.
Introduction
This module attempts to bridge various aspects of ethical hacking by
suggesting an approach for undertaking penetration testing. There are
different ways of approaching a penetration test.
- External Approach
  - With some prior knowledge
  - Without prior knowledge
- Internal Approach
  - With some prior knowledge
  - With deep knowledge
Whatever the approach adopted, it is a fact that
penetration testing is constrained by time and availability of
resources, which varies from client to client. To effectively utilize
both these telling factors, penetration testers adopt some form of
structure or methodology. These can be checklists developed by
consulting practices, widely available resources such as Open Source
Security Testing Methodology or a customized attack strategy.
There is no single methodology that can be adopted across client
organizations. The skeletal frame of testing, however, is more or less
similar. The terms of reference used for various phases may differ, but
the essence is the same. As discussed in preceding modules, the test
begins with:
- Footprinting / Information Gathering phase
- Discovery and Planning / Information Analysis phase
- Detecting a vulnerability / security loophole
- Attack / Penetration / Compromise
- Analysis of security posture / Cover up / Report
- Clean up
The general objective of a penetration test is to reveal where security fails. The result of a penetration test can be:
- a successful attack - when the objective is met within the scope of the attack
- a partial success - when there has been a compromise, but not enough to achieve the objective
- a failure - when the systems have been found to be robust to the attack methodology adopted
Footprinting / Information Gathering phase
- Client site intelligence
- Infrastructure fingerprinting
- Network discovery and Access point discovery
Discovery and Planning / Information Analysis phase
- Target Identification
- Resource and Effort Estimation
- Modeling the attack strategy (or strategies)
- Relationship Analysis
Detecting a vulnerability / security loophole
- Vulnerability Analysis
- Scanning
- Enumeration
- Zeroing the target
Attack / Penetration / Compromise
- Exploring viable exploits (new / created / present)
- Executing the attack / Alternate attack strategy
- Target penetration
- Escalating the attack
Analysis of security posture / Cover up / Report
- Consolidation of attack information
- Analysis and recommendations
- Presentation and deliverables
Clean up
- Clean up tasks and procedures
- Restoring security posture