VAPT: Vulnerability Assessment And Penetration Testing
Vulnerability assessment is a process in which the IT systems such as computers and networks, and software such as operating systems and application software are scanned in order to identify the presence of known and unknown vulnerabilities.
As many as 70% of web sites have vulnerabilities that could lead to the theft of sensitive corporate data such as credit card information and customer lists.
Hackers are concentrating their efforts on web-based applications – shopping carts, forms, login pages, dynamic content, etc. Accessible 24/7 from anywhere in the world, insecure web applications provide easy access to backend corporate databases.
VAPT can be performed in the following nine-step process:
1. Scope Definition
While performing assessments and tests, the scope of the assignment needs to be clearly defined. The scope is based on the assets to be tested. The following three scopes are possible:
- Black Box Testing: testing from an external network with no prior knowledge of the internal networks and systems.
- Gray Box Testing: testing from an external or internal network, with knowledge of the internal networks and systems. This is usually a combination of black box testing and white box testing.
- White Box Testing: performing the test from within the network with knowledge of the network architecture and the systems. This is also referred to as internal testing.
2. Information Gathering
The process of information gathering is to obtain as much information as possible about the IT environment, such as networks, IP addresses, operating system versions, etc. This is applicable to all three types of scope discussed above.
3. Vulnerability Detection
In this process, tools such as vulnerability scanners are used, and vulnerabilities in the IT environment are identified by scanning.
4. Information Analysis and Planning
This process analyzes the identified vulnerabilities, combined with the information gathered about the IT environment, to devise a plan for penetrating the network and systems.
5. Penetration Testing
In this process, the target systems are attacked and penetrated using the plan devised in the earlier process.
6. Privilege Escalation
After successful penetration into the system, this process is used to identify and escalate access to gain higher privileges, such as root or administrative access to the system.
7. Result Analysis
This process performs a root cause analysis of each successful compromise and devises suitable recommendations to make the system secure by closing the holes that were exploited.
8. Reporting
All the findings observed during the vulnerability assessment and penetration testing process need to be documented, along with the recommendations, to produce the testing report for management so that suitable actions can be taken.
9. Cleanup
Vulnerability assessment and penetration testing involve compromising the system, and during the process some files may be altered. This process ensures that the system is brought back to its original, pre-testing state by cleaning up (restoring) the data and files used on the target machines.
- Discover – Custom Bash scripts used to automate various penetration testing tasks
- Weevely – Post-exploitation suite for penetration testing
- Xerosploit – A penetration testing framework for man-in-the-middle attacks
Online Penetration Testing Resources
- Metasploit Unleashed – Free Offensive Security Metasploit course
- PTES – Penetration Testing Execution Standard
- OWASP – Open Web Application Security Project
Penetration Testing Distributions
- Kali – A Linux distribution designed for digital forensics and penetration testing
- ArchStrike – An Arch Linux repository for security professionals and enthusiasts
- BlackArch – Arch Linux-based distribution for penetration testers and security researchers
- BackBox – Ubuntu-based distribution for penetration tests and security assessments
- Parrot – A distribution similar to Kali, with support for multiple architectures
- Fedora Security Lab – Provides a safe test environment to work on security auditing, forensics, system rescue and teaching security testing methodologies.
Vulnerability Scanners
- Nessus – Vulnerability, configuration, and compliance assessment
- Nexpose – Vulnerability Management & Risk Management Software
- Nikto – Web application vulnerability scanner
- OpenVAS – Open Source vulnerability scanner and manager
- OWASP Zed Attack Proxy – Penetration testing tool for web applications
- w3af – Web application attack and audit framework
- Wapiti – Web application vulnerability scanner
- WebReaver – Web application vulnerability scanner for Mac OS X
- Arachni – Web Application Security Scanner Framework
Network Security Auditing
- nmap – Free Security Scanner For Network Exploration & Security Audits
- pig – A Linux packet crafting tool
- tcpdump/libpcap – A common packet analyzer that runs under the command line
- Wireshark – A network protocol analyzer for Unix and Windows
- SPARTA – Network Infrastructure Penetration Testing Tool
- DNSDumpster – Online DNS recon and search service
- dnsrecon – DNS Enumeration Script
- masscan – TCP port scanner that sends SYN packets asynchronously and can scan the entire Internet in under 5 minutes.
- Zarp – Zarp is a network attack tool centered around the exploitation of local networks
- mitmproxy – An interactive SSL-capable intercepting HTTP proxy for penetration testers and software developers
- mallory – HTTP/HTTPS proxy over SSH
- dsniff – a collection of tools for network auditing and pentesting
- tgcd – a simple Unix network utility to extend the accessibility of TCP/IP based network services beyond firewalls
- smbmap – a handy SMB enumeration tool
- scapy – a Python-based interactive packet manipulation program and library
- Dshell – Network forensic analysis framework
- Aircrack-ng – a set of tools for auditing wireless networks
- Kismet – Wireless network detector, sniffer, and IDS
SSL Analysis Tools
- SSLyze – SSL configuration scanner
- sslstrip – a demonstration of the HTTPS stripping attacks
- sslstrip2 – SSLStrip version to defeat HSTS
- tls_prober – fingerprint a server’s SSL/TLS implementation
Hex Editors
- HexEdit.js – Browser-based hex editing
- Hexinator (commercial) – World’s finest Hex Editor
- HxD – Freeware Hex Editor and Disk Editor
OSINT Tools
- Maltego – Proprietary software for open source intelligence and forensics, from Paterva.
- theHarvester – E-mail, subdomain and people names harvester
- creepy – A geolocation OSINT tool
- metagoofil – Metadata harvester
- Google Hacking Database – a database of Google dorks; can be used for recon
- Censys – Collects data on hosts and websites through daily ZMap and ZGrab scans
- Shodan – Shodan is the world’s first search engine for Internet-connected devices
- github-dorks – CLI tool to scan github repos/organizations for potential sensitive information leak
- vcsmap – A plugin-based tool to scan public version control systems for sensitive information
- Spiderfoot – multi-source OSINT automation tool with a Web UI and report visualizations
Acunetix Web Vulnerability Scanner
Acunetix Web Vulnerability Scanner includes many innovative features:
- AcuSensor Technology
- An automatic client script analyzer allowing for security testing of Ajax and Web 2.0 applications.
- Industry’s most advanced and in-depth SQL injection and cross-site scripting testing.
- Advanced penetration testing tools, such as the HTTP Editor and the HTTP Fuzzer.
- Visual macro recorder makes testing web forms and password protected areas easy
- Support for pages with CAPTCHA, single sign-on and two-factor authentication mechanisms.
- Extensive reporting facilities including VISA PCI compliance reports.
- Multi-threaded and lightning fast scanner crawls hundreds of thousands of pages with ease.
- Intelligent crawler detects web server type and application language.
- Acunetix crawls and analyzes websites including Flash content, SOAP and AJAX.
- Port scans a web server and runs security checks against network services running on the server.
Burp Suite Free Edition – Web Application Security Testing Tool
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.
Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.
ZAProxy Integrated Penetration Testing Tool
ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
Intercepting Proxy, Automated scanner, Passive scanner, Brute Force scanner, Spider, Fuzzer, Port scanner, Dynamic SSL certificates, API, BeanShell integration.
fimap is a local and remote file inclusion (LFI/RFI) auditing tool.
fimap is a small Python tool that can find, prepare, audit, exploit and even Google automatically for local and remote file inclusion bugs in web apps. fimap aims to be something like sqlmap, but for LFI/RFI bugs instead of SQL injection.
Download fimap – https://tha-imax.de/git/root/fimap
w3af – Web Application Attack and Audit Framework
W3af is an extremely popular, powerful, and flexible framework for finding and exploiting web application vulnerabilities. It is easy to use and extend and features dozens of web assessment and exploitation plugins.
→ Considerably increased performance by implementing gzip encoding
→ Enhanced embedded bug report system using Trac’s XMLRPC
→ Fixed hundreds of bugs
→ Fixed critical bug in auto-update feature
→ Enhanced integration with other tools (bug fixed and added more info to the file)
OWASP Zed Attack Proxy (ZAP)
The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester’s toolbox.
Some of ZAP’s features:
- Intercepting Proxy
- Automated scanner
- Passive scanner
- Brute Force scanner
- Port scanner
- Dynamic SSL certificates
- Beanshell integration
WebSploit is an open source project for scanning and analysing remote systems for vulnerabilities. Its modules:
[+] Autopwn – uses Metasploit to scan and exploit target services
[+] wmap – scans and crawls the target using the Metasploit wmap plugin
[+] format infector – injects reverse and bind payloads into file formats
[+] phpmyadmin – searches for the target’s phpMyAdmin login page
[+] lfi – scans for local file inclusion vulnerabilities and can bypass some WAFs
[+] apache users – searches for user directories on the server (if the target uses the Apache web server)
[+] Dir Bruter – brute-forces target directories with a wordlist
[+] admin finder – searches for the target’s admin and login pages
[+] MLITM Attack – Man Left In The Middle, XSS phishing attacks
[+] MITM – Man In The Middle attack
[+] Java Applet Attack – Java signed applet attack
[+] MFOD Attack Vector – Middle Finger Of Doom attack vector
[+] USB Infection Attack – creates an executable backdoor to infect USB drives for Windows
Uniscan Vulnerability Scanner
Uniscan is a vulnerability scanner aimed at finding vulnerabilities in web systems; it is licensed under the GNU General Public License 3.0 (GPL 3). Uniscan was developed in Perl, which makes working with text and regular expressions easy, and it is also multi-threaded.
- Identification of system pages through a Web Crawler.
- Use of threads in the crawler.
- Control of the maximum number of requests made by the crawler.
- Control of variation of system pages identified by Web Crawler.
- Control of file extensions that are ignored.
- Test of pages found via the GET method.
- Test the forms found via the POST method.
- Support for SSL requests (HTTPS).
- Proxy support.
Official Change Log:
– Uniscan is now modularized.
– Added directory checks.
– Added file checks.
– Added PUT method enabled check.
– Bug fix in crawler when found …/ directory.
– Crawler supports POST method.
– Configuration by file uniscan.conf.
– Added checks for backups of files found by crawler.
– Added Blind SQL-i checks.
– Added static RCE, RFI, LFI checks.
– Crawler improved by checking /robots.txt.
– Improved XSS vulnerability detection.
– Improved SQL-i vulnerability detection.
Sources: GitHub & Hackersclub