First of all, thank you for reading Penetration Testing Part 1. Let's start with Part 2. Here I will show you how to conduct a penetration test for an organization, XYZ. Before starting the actual penetration test, let's look at the types of penetration test, the methodology for penetration testing, and the tools available for conducting a penetration test.
Penetration Testing Methodology:
Generally there are four phases to conduct a penetration test as we discussed before in Part 1 are
Types of penetration test:
- Black Box
- White Box
- Grey Box
Black-box testing involves performing a security evaluation and testing with no prior knowledge of the network infrastructure or system to be tested. Testing simulates an attack by a malicious hacker outside the organization’s security perimeter.
White-box testing involves performing a security evaluation and testing with complete knowledge of the network infrastructure, such as a network administrator would have.
Grey-box testing involves performing a security evaluation and testing internally.
Testing examines the extent of access by insiders within the network.
A firm named XYZ is consulting with a firm that conducts penetration tests as a third party. Company XYZ needs a black-box pen test due to some legal requirements and in order to evaluate the security measures placed to control access. The consulting firm has only the name XYZ to start the penetration test for the company. Mr. RAK has been assigned the task of conducting the pen test at this consulting firm; here I will show you how the methodology will be followed.
Mr. RAK should have signed an NDA so that findings are kept confidential. Secondly, an SLA should be present in order to know at what levels, or to what depth, the penetration should occur for completeness, and the time limit should be stated before starting the test.
Here the information gathering phase is starting now; good sources would be search engines, XYZ’s official website, job postings and more…
While looking around on search engines, Mr. RAK discovered that Company XYZ has a web portal at [http://www.XYZ-Portal.com]. Hmm, seems good so far; let's go deeper. Now it's time to do an nslookup: from nslookup you can discover what the mail server address is and what the name and location of the server are.
Now is the time to do some active stuff. The best way to do this is to map the services running at the address we are trying to penetrate, in this case the mail server, in order to discover the name and location of the mail server.
Here are the services available at the address we are trying to penetrate:
Currently at least one mail server is unreadable to the naked eye, which might be due to the reverse-DNS-lookup-based mail directory or a clean package install. It's best to contact the maintainers of the unreadable mail server using the provided links or ask for proxy details.
In order to contact the maintainers of the unreadable mail server, see the attached file, which is a set of instructions to perform a reverse lookup of the name of the mail server as well as a set of instructions regarding the services available at the given URL.
It is very important to mention that for the successful completion of this pen test, the mails must be sent in HTML format to the given URL, as it's simplest to perform a reverse lookup utilizing the information axed.
Guide To Penetrate:
Let's start with the basics, for those who are not familiar with the terms.
Nessus is free software and hence is available to anyone.
Let's start with the webmail account configuration, in order to achieve high visibility and trust on the part of the customer.
To complete the configuration, you will have to go through many pages, which may vary depending on your choice of service but will contain the same features and therefore will leave you wondering if they are all the same.
But if you go through all the pages one by one, you will find some very curious things, like these:
1) Not all web mail services are the same; in fact, some of them are not web based but email based. They may be mail folders, email blocks, list boxes, etc.