In this chapter, we will learn about penetration testing, security assessments, risk management, and types of penetration testing. We will discuss automated testing, manual testing, penetration testing techniques, and penetration testing phases. This chapter focuses on enumerating devices, denial of service emulation, outsourcing pen testing services, and identifying various penetration testing tools.

19.1 Understand penetration testing (PT)

Exam Focus: Understand penetration testing (PT). Objective includes:
- Understand penetration testing (PT).
- Identify security assessments.
- Examine risk management.
- Understand various types of penetration testing.

Penetration testing

Penetration testing (also called pen-testing) is the method used to evaluate the security of a computer system or network by simulating an attack from a malicious source, referred to as a Black Hat Hacker or Cracker. In penetration testing, an active analysis of the system for potential vulnerabilities may occur due to the following reasons:
- Poor or improper system configuration
- Known and/or unknown hardware or software flaws
- Operational weaknesses in process or technical countermeasures

This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Security issues, together with an assessment of their impact, will be presented to the system owner, and a proposal for mitigation or a technical solution is also often presented. The motive of a penetration test is to find the feasibility of an attack and the business impact of a successful exploit, if one is discovered.

Areas evaluated by penetration tests

Penetration testing involves testing of a computer system, network, or Web application in order to find vulnerabilities that can be exploited by an attacker. Areas evaluated by penetration tests include:
- Kernel flaws: Kernel flaws refer to the exploitation of kernel code flaws in the operating system.
- Buffer overflows: Buffer overflows refer to the exploitation of a software failure to properly check the length of input data. This overflow can cause malicious behavior on the system.
- Race conditions: A race condition is a situation in which an attacker can gain access to a system as a privileged user.
- File and directory permissions: In this area, an attacker exploits weak permissions to gain unauthorized access to documents.
- Trojan horses: These are malicious programs that can exploit an information system by attaching themselves to valid programs and files.
- Social engineering: In this technique, an attacker uses his social skills and persuasion to acquire valuable information that can be used to conduct an attack against a system.

The case for penetration testing

Penetration testing is required for the following reasons:
- To identify the threats faced by the information assets of an organization
- To reduce an organization's IT security costs and identify and resolve vulnerabilities and weaknesses, providing a better Return On IT Security Investment (ROSI)
- To provide an organization with assurance of a thorough and comprehensive assessment of organizational security covering policy, procedure, design, and implementation
- To conform to legal and industry regulations by adopting best practices
- To test and validate the efficiency of security protections and controls
- To focus on high severity vulnerabilities and emphasize application-level security issues
- To provide a comprehensive approach of penetration steps for preventing upcoming exploitation
- To evaluate the efficiency of network security devices
- To change or upgrade the existing infrastructure of software, hardware, or network design

Guidelines for conducting a pen-test

A pen-test is a component of a full security audit. An organization should perform a risk assessment before penetration testing. Risk assessment helps in identifying the main threats.
Here are some general guidelines for good penetration testing:
- Establish the parameters such as objectives, limitations, and justification of procedures.
- Appoint skilled and experienced professionals.
- Select a suitable set of tests that balance cost and benefits.
- Use a methodology with proper planning and documentation.
- Document the result carefully and make it comprehensible for the client.
- State the potential risks and findings clearly in the final report.

ROI on penetration testing

Unless companies have proper knowledge of the benefits of the pen-test, they will not spend on it. Companies use penetration testing to identify, understand, and address vulnerabilities. This saves companies a lot of money and results in ROI. A business case scenario including the expenditure and the profit of the company is used to demonstrate the ROI of a pen-test. Demonstration of ROI is considered the critical step in successfully selling the pen-test.

Testing points

To determine the testing point of the test, organizations have to reach a consensus on the extent of information that can be divulged to the testing team. Giving additional information to the penetration testing team may give them an unrealistic advantage. It is necessary to determine the extent to which a vulnerability needs to be exploited without disrupting critical services.

Testing locations

The pen test team may perform the test either remotely or on-site. A remote assessment simulates an external hacker attack. An on-site assessment may be expensive and may not simulate an external threat exactly.

Advantages and disadvantages of penetration testing

Advantages of penetration testing:
- Penetration testing helps in simulating hacker activities.
- Penetration testing helps in identifying vulnerabilities and quantifying their impacts and likelihood.
- Penetration testing offers vast information on actual, exploitable security threats.
Disadvantages of penetration testing:
- Penetration testing is labor intensive.
- Penetration testing is also expensive.
- Penetration testing can cause potential system damage.

Types of penetration testing

External testing: In this testing, publicly available information, a network enumeration phase, and the behavior of the security devices are analyzed. External penetration testing is the traditional approach to penetration testing. This testing is focused on the following:
  o Servers
  o Infrastructure
  o Underlying software comprising the target
This testing does not require prior knowledge of the site (black box).

Internal testing: This testing is performed from a number of network access points. It represents each logical and physical segment.

Examine risk management

Although most organizations go to great lengths to ensure that their data is private and secure, security risks are taken regularly by organizations, and are viewed as a normal cost of doing business. The key is to effectively manage these risks within a tolerable range of performance and avoid the rare but potentially catastrophic headline-grabbing situations that can threaten organizational existence. Security risks must also be managed in an efficient and increasingly integrated manner, reflecting the growing stakeholder and regulatory demands for additional assurance processes.

Risk = Threat x Vulnerability

Risk management is used to identify, assess, and control risks. It includes analyzing the value of assets to the business, identifying threats to those assets, and evaluating how vulnerable each asset is to those threats. NIST, OCTAVE, ISO, and FAIR are four common methodologies for risk management.
Common ways of managing risk:
- Software packages on all firm computers that are customized to provide real-time automated firewall, anti-spam and anti-virus protection
- Stringent security and data recovery standards for any personal and mobile technology used by lawyers or staff
- Trained network security staff
- End-to-end monitoring for critical systems and associated components
- Constant monitoring of all servers and network equipment with an intrusion detection system, including a vulnerability assessment/scanning appliance and host-based intrusion prevention agents, multiple layers of virus protection and multiple layers of anti-spam protection
- Physical 24-hour on-site security with continuous monitoring
- Real-time failover for redundant connections to the Internet
- Data links with clients that are unlikely to ever fail and are tested every six months

Internal security assessment

In an internal security assessment, testing is performed from a number of network access points, representing each logical and physical segment. Internal security assessments may include the following:
- Tiers and DMZs within the environment
- Corporate network
- Partner company connections

Internal security assessments may be announced or unannounced:

Announced testing: In announced testing, the full cooperation and knowledge of the IT staff are used to attempt to compromise systems on the client networks. The existing security infrastructure is examined for possible vulnerabilities in announced testing.

Unannounced testing: In unannounced testing, the knowledge of IT security professionals is not required to attempt to compromise systems on the client networks. This test permits only upper management to be aware of the test. In this test, the security infrastructure and the responsiveness of the IT staff are examined.

19.2 Understand automated testing, manual testing, and penetration testing techniques

Exam Focus: Understand automated testing, manual testing, and penetration testing techniques.
Objective includes:
- Understand automated testing.
- Understand manual testing.
- Understand penetration testing techniques.
- Know the penetration testing phases.

Automated testing

Automated testing uses a program that runs the program being tested, feeding it with proper inputs and comparing the actual output against the expected output. Primarily, automated testing was designed for the automation of test execution. This is a complete testing process in which the outcomes are pre-determined and subsequently matched with the actual results. There can be savings in time and cost over the long term when automated testing is used.

Manual testing

Manual testing is a testing process that is conducted by human testers. It requires a tester to play the role of an end user and use most of the features of the application to ensure correct behavior. This testing is the most effective method for User Interface Testing, User Acceptance Testing, and Usability Testing. Organizations can benefit from the experience of a security professional in manual testing. Professionals assess the security posture of an organization from the perspective of an attacker. A manual approach needs the following for capturing the results of the testing process:
- Planning
- Test designing
- Scheduling
- Diligent documentation

Stages of manual testing

The following are stages of manual testing:
- Unit Testing: In the Unit Testing stage, the testing is normally carried out by the developer who wrote the code and sometimes by a peer, using the white box testing technique.
- Integration Testing: The Integration Testing stage is carried out in two modes, as a complete package or as an increment to the earlier package.
- System Testing: In the System Testing stage, software is tested from all possible dimensions for all intended purposes and platforms. The black box testing technique is normally used in this stage.
- User Acceptance Testing: The User Acceptance Testing stage is carried out in order to get customer sign-off of a finished product. This stage provides a 'pass' that ensures that the software has been accepted by the customer and is ready for use.

Security testing

Security testing is a process to determine that an information system protects data and maintains functionality as intended. The six basic security concepts that need to be covered by security testing are: confidentiality, integrity, authentication, authorization, availability and non-repudiation.

Integrity in security testing

Integrity is a measure intended to allow the receiver to determine that the information provided by a system is correct. Integrity schemes often use some of the same underlying technologies as confidentiality schemes, but they usually involve adding additional information to a communication to form the basis of an algorithmic check, rather than encoding all of the communication.

Penetration testing techniques

The following are penetration testing techniques:
- Passive research: It is used to collect all the information regarding the system configurations of an organization.
- Open source monitoring: It allows an organization to take the required steps to maintain confidentiality and integrity.
- Network mapping and OS fingerprinting: It gives an idea about the configuration of the network that is being tested.
- Spoofing: In spoofing, one machine pretends to be another. Spoofing is used for both internal and external penetration tests.
- Network sniffing: It involves capturing data as it travels across a network.
- Trojan attack: A Trojan is malicious code or a program that is usually sent as an email attachment or transferred through "Instant Message" into chat rooms.
- Brute force attack: It is a password cracking method. It can overload a system and possibly stop it from responding to legitimate requests.
- Vulnerability scanning: It comprehensively examines the targeted areas of the network infrastructure of an organization.
- Scenario analysis: It is the final phase of testing. It makes the risk assessment of vulnerabilities more accurate.

Categories of penetration testing

The different categories of penetration testing are as follows:
- Open-box: In this category of penetration testing, testers have access to internal system code. This mode is basically suited for Unix or Linux.
- Closed-box: In this category of penetration testing, testers do not have access to closed systems. This method is good for closed systems.
- Zero-knowledge test: In this category of penetration testing, testers have to acquire information from scratch and are not supplied with information concerning the IT system.
- Partial-knowledge test: In this category of penetration testing, testers have the knowledge that may be applicable to a specific type of attack and associated vulnerabilities.
- Full-knowledge test: In this category of penetration testing, testers have extensive knowledge concerning the information system to be evaluated.

Phases of penetration testing

The following are phases of penetration testing:

1. Pre-attack phase: In this phase, reconnaissance is considered the first step. Reconnaissance is used to locate, gather, identify, and record information regarding the target. The pre-attack phase is of two types:
  o Passive reconnaissance: In passive reconnaissance, information is gathered regarding a target from publicly accessible sources.
  o Active reconnaissance: In active reconnaissance, information is gathered via social engineering, on-site visits, interviews, and questionnaires.
Information such as competitive intelligence, network registration information, DNS and mail server information, operating system information, user information, authentication credentials information, analog connections, website information, physical and logical location of the organization, product range and service offerings of the target company that are available online, and any other information that leads to possible exploitation is retrieved in the pre-attack phase.

2. Attack phase: This phase includes the following steps:
  o Penetrate perimeter: This test simulates the average intruder on the Internet attempting to penetrate the outer security perimeter and gain unauthorized access to an organization's critical assets such as the router, firewall, and IDS, via the Internet.
  o Acquire target: Acquiring a target refers to a set of activities in which the tester subjects the suspect machine to more intrusive challenges, which may be as follows:
    - Vulnerability scans
    - Security assessment
  Testing methods used to acquire the target include the following:
    - Active probing assaults: Results of the network scan are used to collect further information that can result in a compromise.
    - Running vulnerability scans: Vulnerability scans are completed.
    - Trusted systems and trusted process assessment: Legitimate information obtained through social engineering or other means is used to access the machine's resources.
  o Execute, implant, and retract: The tester executes arbitrary code to effectively compromise the acquired system. System penetration is required to explore the level to which the security fails. The exploit executed is either already available or specially crafted to take advantage of the vulnerabilities recognized in the target system.
  o Escalate privileges: After acquiring the target, the tester tries to exploit the system and gain more access to the protected resources.
  Escalating privileges includes the following:
    - The tester may use poor security policies or unsafe web code to collect information that can result in escalation of privileges.
    - Achieve privileged status by using techniques such as brute force.
    - Use Trojans and protocol analyzers.
    - Gain unauthorized access to the privileged resources by using information gleaned through techniques such as social engineering.

3. Post-attack phase: This phase is important as the tester has the responsibility to restore the systems to their pre-test states. This phase includes the following:
  o Remove all files uploaded on the system.
  o Clean all registry entries and remove vulnerabilities.
  o Remove all tools and exploits from the tested systems.
  o Restore the network to the pre-test state by removing shares and connections.

Testing methods for perimeter security

The following are testing methods for perimeter security:
- Forge responses with crafted packets to check access control lists.
- Try connections using protocols such as SSH, FTP, and Telnet to evaluate protocol filtering rules.
- Use multiple methods such as POST, DELETE, and COPY to examine the perimeter security system's response to web server scans.
- Evaluate error reporting and error management with ICMP probes.
- Try persistent TCP connections, evaluate transitory TCP connections, and try to stream UDP connections to measure the threshold for denial of service.
- Evaluate the IDS's capability by passing malicious content and scanning the target to see how it responds to abnormal traffic.

19.3 Understand enumerating devices

Exam Focus: Understand enumerating devices. Objective includes:
- Understand enumerating devices.
- Understand penetration testing roadmap.
- Understand denial of service emulation.
- Outsource pen testing services.
- Identify various penetration testing tools.
Enumerating devices

A device inventory is the collection of network devices, together with some relevant information about the devices, that is recorded in a document. The inventory of devices is made after the network has been mapped and the business assets are identified. A physical check may also be performed to ensure that the enumerated devices have been located.

Device enumeration

A device inventory is a collection of network devices together with some relevant information about each device that is recorded in a document. The penetration tester maps the network. When the network has been mapped and the business assets are identified, the next logical step is to make an inventory of the identified devices. This process is known as device enumeration. A physical check may additionally be conducted to ensure that the enumerated devices have been located correctly.

DoS emulation

Emulating DoS attacks can be resource intensive. The penetration tester can emulate DoS attacks using hardware. Some online sites simulate DoS attacks for a nominal charge. These tests are meant to check the effectiveness of anti-DoS devices.

Magic Packets attack

A Magic Packets attack is a class of DoS. In this attack, the attacker causes a DoS by exploiting an existing vulnerability in the OS or the applications running on the target computer, by sending specially designed data packets to particular ports; examples are Ping of Death and WinNuke.

Resource exhaustion attack

A resource exhaustion attack is a type of denial of service (DoS) which is implemented by intentionally consuming the maximum resources and then stealing information. It is a flood of fake RPCs; such floods would waste the resources of the nodes, especially disk seeks on affirmative GETs, entries in the RAM index for PUTs, and CPU cycles to process RPCs.
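The two Magic Packet examples named above, Ping of Death and WinNuke, have well-known wire signatures that an IDS or an anti-DoS device can be validated against. The following is an added example, not from the chapter: a small Python detector run over constructed IPv4 packets (the addresses, identifiers and payloads are made-up test data) that flags ICMP fragments which would reassemble beyond the 65535-byte IPv4 maximum, and TCP segments carrying URG data to port 139.

```python
"""Detector for the two Magic Packet DoS patterns named in the text:
Ping of Death (oversized reassembled ICMP datagram) and WinNuke (TCP
out-of-band/URG data to the NetBIOS session port 139).
All packets below are constructed test data, not captured traffic."""
import struct
from collections import defaultdict

IPV4_MAX_LEN = 65535        # largest legal IPv4 datagram (header + payload)
PROTO_ICMP, PROTO_TCP = 1, 6
NETBIOS_SESSION_PORT = 139
TCP_URG = 0x20              # URG bit in the TCP flags byte
IP_MF = 0x2000              # "more fragments" bit in the flags/offset field


def parse_ipv4(pkt: bytes) -> dict:
    """Return the IPv4 header fields needed for the checks, plus the payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto = struct.unpack(
        "!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "ihl": ihl,
        "ident": ident,
        "proto": proto,
        "offset": (flags_off & 0x1FFF) * 8,   # fragment offset in bytes
        "more": bool(flags_off & IP_MF),
        "src": pkt[12:16], "dst": pkt[16:20],
        "payload": pkt[ihl:total_len],
    }


def detect_magic_packets(packets) -> list:
    """Run both checks over a packet list; returns human-readable alerts."""
    alerts = []
    # Furthest payload byte seen so far per reassembly key (src, dst, id, proto).
    frag_end = defaultdict(int)
    for raw in packets:
        ip = parse_ipv4(raw)
        key = (ip["src"], ip["dst"], ip["ident"], ip["proto"])
        frag_end[key] = max(frag_end[key], ip["offset"] + len(ip["payload"]))
        # Ping of Death: header + reassembled payload would exceed 65535 bytes.
        if ip["proto"] == PROTO_ICMP and ip["ihl"] + frag_end[key] > IPV4_MAX_LEN:
            alerts.append(f"Ping of Death: ICMP id={ip['ident']} reassembles to "
                          f"{ip['ihl'] + frag_end[key]} bytes")
        # WinNuke: TCP segment with URG set, destined for port 139.
        if ip["proto"] == PROTO_TCP and len(ip["payload"]) >= 20:
            _sport, dport, _seq, _ack, _doff, flags, _win = struct.unpack(
                "!HHIIBBH", ip["payload"][:16])
            if dport == NETBIOS_SESSION_PORT and flags & TCP_URG:
                alerts.append(f"WinNuke: URG data to TCP/{dport} id={ip['ident']}")
    return alerts


# --- constructed test traffic (made-up private addresses, no real hosts) ----
def build_ipv4(proto, ident, offset_bytes, more, payload,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    flags_off = (IP_MF if more else 0) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0, src, dst)   # checksum left 0
    return hdr + payload


def build_tcp(dport, flags, data=b"") -> bytes:
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, flags,
                       8192, 0, 0) + data


SAMPLE_PACKETS = [
    # Ordinary first fragment of a large but legal ICMP echo: no alert.
    build_ipv4(PROTO_ICMP, 0x1111, 0, True, bytes(1480)),
    # Last fragment placed so the datagram would reassemble past 65535 bytes.
    build_ipv4(PROTO_ICMP, 0x2222, 65512, False, bytes(100)),
    # Normal NetBIOS session setup (SYN, no URG): no alert.
    build_ipv4(PROTO_TCP, 0x3333, 0, False, build_tcp(139, 0x02)),
    # URG-flagged data to port 139: the WinNuke pattern.
    build_ipv4(PROTO_TCP, 0x4444, 0, False, build_tcp(139, 0x18 | TCP_URG, b"test")),
]

if __name__ == "__main__":
    for line in detect_magic_packets(SAMPLE_PACKETS):
        print(line)
```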
Pen-testing roadmap

Target scoping

This is the process of observing and understanding the given scope of the target network environment. What has to be tested, how it should be tested, what conditions should be applied during the test process, what will limit the execution of the test process, how long it will take to complete the test, and what business objectives will be achieved are all points that should be decided under target scoping. To lead a successful penetration test, an auditor must be aware of the technology under assessment, its basic functionality, and its interaction with the network environment.

Information gathering

Once the scope has been finalized, it is time to move into the reconnaissance phase. The more information gathered during this phase, the better the chances of success of the pen-test. During this phase, a pen-tester uses a number of publicly available resources (primarily the Internet) to learn more about his target, or uses tools that collect information through DNS servers, trace routes, the Whois database, e-mail addresses, phone numbers, personal information, and user accounts.

Target discovery

This phase mainly deals with identifying the target's network status, operating system, and its relative network architecture. This provides a complete image of the current technologies or devices interconnected and may help further in enumerating various services running over the network.

Enumerating target

This phase takes all the previous efforts forward and finds the open ports on the target systems, serving as the base for detecting vulnerabilities in network devices. Once the open ports have been identified, they can be enumerated for the running services. Using a number of port scanning techniques such as full-open, half-open, and stealth scans can help determine port visibility, even if the host is behind a firewall or Intrusion Detection System (IDS).
Vulnerability mapping

In this step, we identify and analyze the vulnerabilities based on the disclosed ports and services. This process can be achieved via a number of automated network and application vulnerability assessment tools or via a significant manual effort.

Social engineering

This can be anybody pretending to be a network administrator over the phone forcing you to reveal account information, or an e-mail phishing scam leading to the hijacking of your bank account details. Note that a successful penetration of this type may sometimes require additional time studying human psychology before applying any suitable deception against the target.

Target exploitation

This phase mainly focuses on target acquisition. After carefully examining the discovered vulnerabilities, it is possible to penetrate the target system based on the types of exploits available. Testers can also apply client-side exploitation methods mixed with a little social engineering to take control of a target system.

Privilege escalation

Now that the target has been acquired, we can consider the penetration successful. The tester can now move freely in the system depending on his access privileges, and launch further attacks on the local network systems, as well as crack passwords and apply local network spoofing tactics.

Maintaining access

Sometimes an auditor may be asked to retain access to the system for a specified time period. Such activity can be used to demonstrate illegitimate access to the system without having to repeat the penetration testing process. This kind of system access provides a clear view of how an attacker can maintain his presence in the system without noisy behavior.

Documentation and reporting

Documenting, reporting, and presenting the vulnerabilities found, verified, and exploited will conclude our penetration testing methodology.
This is a very important step, because it is on the basis of this set of reports that action can be taken to address the identified vulnerabilities. They also serve as a baseline snapshot of the system at the time of the penetration test.

Penetration testing methodologies

The following are penetration testing methodologies:
- Information gathering
- Vulnerability analysis
- External penetration testing
- Internal network penetration testing
- Router and switches penetration testing
- Firewall penetration testing
- IDS penetration testing
- Wireless network penetration testing
- Denial of Service penetration testing
- Password cracking penetration testing
- Social engineering penetration testing
- Stolen laptops, PDAs, and cell phones penetration testing
- Application penetration testing
- Physical security penetration testing
- Database penetration testing
- VoIP penetration testing
- VPN penetration testing
- War dialing
- Virus and Trojan detection
- Log management penetration testing
- File integrity checking
- Bluetooth and handheld device penetration testing
- Communication system penetration testing
- Email security penetration testing
- Data leakage penetration testing

Outsourcing penetration testing services

To acquire an intruder's point of view, get the network audited by an external agency. A specific security assessment and suggested corrective measures may be needed by the organization. Professional liability insurance pays for settlements or judgments for which pen testers become responsible as a result of their actions or failure to perform professional services.

Penetration testing consultants

Numerous different hosts, network architectures, policies, and procedures will be examined in a penetration test of a corporate network. You need years of experience in IT fields such as development, system administration, or consultancy to obtain penetration testing skills. In penetration testing, each area of the network must be examined in depth.
Terms of agreement

After agreeing on explicitly stated rules of engagement, an organization sanctions a penetration test against any of its production systems. The agreement must include the terms of reference under which the agency can interact with the organization. Terms of engagement can specify the following:
- Desired code of conduct
- Procedures to be followed
- Nature of interaction between the testers and the organization

Project scope

It is necessary to decide whether the test is a targeted test or a comprehensive test in order to determine the scope of the pentest. The pentest agency makes comprehensive assessments so that as many vulnerabilities as possible can be uncovered throughout the organization. Comprehensive assessments are coordinated efforts. A targeted test will seek to identify vulnerabilities in specific systems and practices.

Pentest service level agreements

A service level agreement (SLA) is a contract that contains the terms of service that will be provided by an outsourcer. Service level agreements document both remedies and penalties. SLAs specify the minimum levels of availability from the testers and determine the actions that will be taken in the case of serious disruption.

Penetration testing tools

In the following sections we will discuss a variety of penetration testing tools in the areas of:
- Application security
- Web application security
- Network security
- Wireless/remote access
- Telephony security

Application security assessment tools

The following are application security assessment tools:

Acunetix: The following are features of the Acunetix Web vulnerability scanner:
  o An automatic client script analyzer permits security testing of Ajax and Web 2.0 applications.
  o A visual macro recorder makes testing of web forms and password protected areas easy.
  o Support for pages with CAPTCHA, single sign-on, and two factor authentication mechanisms.
  o Extensive reporting facilities including PCI compliance reports.
  o A multi-threaded and lightning fast scanner crawls hundreds of thousands of pages with ease.
  o An intelligent crawler detects web server type and application language.
  o Acunetix crawls and analyzes websites including flash content, SOAP, and AJAX.
  o It port scans a web server and runs security checks against network services running on the server.

Wapiti: Wapiti is used to audit the security of web applications. It performs "black-box" scans. It does not study the source code of the application but scans the webpages of the deployed webapp, looking for scripts and forms where it can inject data. Once it gets this list, Wapiti acts like a fuzzer and injects payloads to see if a script is vulnerable. The following vulnerabilities can be detected by Wapiti:
  o File Handling Errors (Local and remote include/require, fopen, readfile...)
  o Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
  o XSS (Cross Site Scripting) Injection
  o LDAP Injection
  o Command Execution detection (eval(), system(), passthru()...)
  o CRLF Injection (HTTP Response Splitting, session fixation...)

Netsparker: Netsparker is the only false-positive-free web application security scanner. You simply point it at your website and it will automatically discover the flaws that can leave you dangerously exposed.

Watcher: Watcher is a Fiddler addon which helps penetration testers in passively finding Web-application vulnerabilities. Watcher can be used for the following reasons:
  o It is safe for cloud and hosting environments. When applications live in the Cloud, there is often a risk that the shared infrastructure will be damaged by running security testing. However, passive tools like Watcher ensure that Cloud-like infrastructure will not be damaged.
  o It is safe for production environments. Watcher does not attack web-applications with loads of intrusive requests. It does not modify inputs to your application.
  Unlike crawlers and web-application scanners, Watcher does not generate dangerous traffic. It quietly analyzes normal user-interaction and makes educated reports on the security of an application.
  o It provides low overhead and does not need training. You already have a development and test staff if you are building web-applications.

NStalker: NStalker is a WebApp security scanner used to search for vulnerabilities such as SQL injection, XSS, and known attacks.

Websecurify: Websecurify is an online security scanner. It is designed to identify vulnerabilities in web applications, web services and other web technologies.

Skipfish: Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments. High speed, ease of use, and cutting-edge security logic are the features of the Skipfish tool.

x5s: x5s is a Fiddler addon that helps penetration testers in finding cross-site scripting vulnerabilities. It needs some understanding of how encoding issues lead to XSS, and manual driving.

Webscarab: Webscarab is a framework used to analyze applications that use the HTTP and HTTPS protocols for communication.
Web application testing - 1

Web application testing - 1 includes the following:

Input validation: Tests include the following:
  o OS command injection
  o Script injection
  o SQL injection
  o LDAP injection
  o Cross-site injection

Output sanitization: Tests include the following:
  o Parsing special characters
  o Verifying error checking in the application

Access control: Access to administrative interfaces is checked, data for manipulating form fields is sent, URL query strings are tried, values in client-side script are changed, and cookies are attacked during web application testing - 1.

Web application testing - 2

Web application testing - 2 involves checking for buffer overflows, Denial of Service, component checking, and data and error checking. Web application testing - 2 includes attacks against the following:
- Stack overflows
- Heap overflows
- Format string overflows

Web application testing - 3

Lapses in the key exchange mechanism, adequate key length, and weak algorithms are checked for applications using secure protocols and encryption. Session management checks the following:
- Time validity of session tokens
- Length of tokens
- Expiration of session tokens while transiting from SSL to non-SSL resources
- Presence of any session tokens in the browser history or cache
- Randomness of session ID

Network security assessment

Network security assessment identifies vulnerabilities and is helpful in improving an enterprise's security policy by scanning the network environment. It uncovers network security faults that can result in exploitation and destruction of data or equipment by Trojans, denial of service attacks, and other intrusions. It ensures that the protection that the enterprise needs when any attack occurs on a network is provided by the security implementation. Teams trying to break into the network or servers perform network security assessment.
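The session management checks listed under Web application testing - 3 can largely be run offline against the response headers an application returns after login. The following is an added example, not part of the chapter: a Python checker that reports on token length, token randomness, time validity, exposure to non-SSL resources (missing Secure flag) and cacheability, run over constructed sample headers. The cookie name SESSIONID and the thresholds (16-character minimum, 3.0 bits/char entropy, 8-hour lifetime) are assumptions made for the example.

```python
"""Offline checker for the session management items under
Web application testing - 3. Input is the header set of one login response;
output is a list of findings. Sample headers are constructed, not captured."""
import math
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SESSION_COOKIE = "SESSIONID"   # assumed name of the application's session cookie
MIN_TOKEN_CHARS = 16           # assumed minimum token length for the example
MIN_ENTROPY_BITS = 3.0         # assumed minimum bits/char (hex tokens approach 4)
MAX_AGE_SECONDS = 8 * 3600     # assumed longest acceptable token lifetime


def shannon_entropy(token: str) -> float:
    """Bits of entropy per character, estimated from the token's own frequencies.
    A crude randomness check: sequential or digit-only IDs score low."""
    counts = {}
    for ch in token:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Attr; Attr=value' into a dict; attribute keys lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"name": name, "value": value}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.lower()] = v if v else True
    return attrs


def check_session_headers(headers: dict, now: datetime) -> list:
    """Return finding strings for one login response's headers."""
    findings = []
    cookies = [parse_set_cookie(h) for h in headers.get("Set-Cookie", [])]
    session = next((c for c in cookies if c["name"] == SESSION_COOKIE), None)
    if session is None:
        return [f"no {SESSION_COOKIE} cookie issued"]
    token = session["value"]

    # Length of tokens
    if len(token) < MIN_TOKEN_CHARS:
        findings.append(f"token too short: {len(token)} chars (< {MIN_TOKEN_CHARS})")
    # Randomness of session ID
    ent = shannon_entropy(token)
    if ent < MIN_ENTROPY_BITS:
        findings.append(f"low entropy token: {ent:.2f} bits/char")
    # Time validity of session tokens (Max-Age takes precedence over Expires)
    lifetime = None
    if "max-age" in session:
        lifetime = int(session["max-age"])
    elif "expires" in session:
        lifetime = (parsedate_to_datetime(session["expires"]) - now).total_seconds()
    if lifetime is None:
        findings.append("no expiry set: token lives until the browser closes")
    elif lifetime > MAX_AGE_SECONDS:
        findings.append(f"token valid for {int(lifetime)}s (> {MAX_AGE_SECONDS}s)")
    # Transit from SSL to non-SSL resources: without Secure the token goes in clear.
    if "secure" not in session:
        findings.append("missing Secure flag: token will be sent to non-SSL resources")
    if "httponly" not in session:
        findings.append("missing HttpOnly flag: token readable by client-side script")
    # Presence of the token in browser cache
    if "no-store" not in headers.get("Cache-Control", "").lower():
        findings.append("response cacheable: Cache-Control lacks no-store")
    return findings


# Constructed sample responses (no real application involved).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
WEAK_RESPONSE = {
    "Set-Cookie": ["SESSIONID=10023; Path=/", "lang=en; Path=/"],
    "Cache-Control": "public, max-age=600",
}
HARDENED_RESPONSE = {
    "Set-Cookie": ["SESSIONID=3f9c1a7e5b2d4c8e9a0f1b2c3d4e5f60; Path=/; Secure; "
                   "HttpOnly; Max-Age=3600; SameSite=Strict"],
    "Cache-Control": "no-store",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_session_headers(resp, NOW) or ["no findings"])
```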
The following are network security assessment tools:
Cain and Abel
Nessus
John the Ripper
Snort
Kismet
Tcpdump
Ntop
Wireshark
Angry IP Scanner
Angry IP Scanner
Angry IP Scanner scans IP addresses and ports in any range. NetBIOS information, favorite IP address ranges, web server detection, and customizable openers are features of Angry IP Scanner.
GFI LANguard
GFI LANguard is a network security scanner and patch management solution. It assists with patch management, vulnerability management, network and software auditing, asset inventory, change management, risk analysis, and compliance.
Kismet
Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. It identifies networks by passively collecting packets, and it detects hidden and non-beaconing networks from their data traffic.
Wireless/remote access assessment
A wireless/remote access assessment addresses the security risks associated with an increasingly mobile workforce. The following are wireless/remote access assessment tools:
Aircrack
WiFi Scanner
AirSnort
FakeAP
KisMAC
TigerII Wap Tool
NetStumbler
BlueAuditor
Wireless testing
The following are methods for wireless testing:
Check whether the access point's default Service Set Identifier (SSID) is still in use and easily discoverable.
Test whether "Broadcast SSID" is enabled and whether the LAN is accessible through it. Tests can include recovering a hidden SSID (tools such as Kismet reveal it from probe and association traffic) or brute forcing the SSID character string.
Check for vulnerabilities in accessing the WLAN via the wireless router, access point, or gateway. This includes verifying whether a default Wired Equivalent Privacy (WEP) key is in use and whether WEP traffic can be captured and the key recovered.
Audit the broadcast beacon of each access point and check all protocols available on the access points.
Check whether layer 2 switched networks, rather than hubs, are used for access point connectivity.
Test authentication for replay of previously captured authentication exchanges, which would allow unauthorized access and privilege escalation.
Verify whether access is granted only to client machines with registered MAC addresses. Note that client MAC addresses are transmitted in the clear and are trivially spoofed, so MAC filtering adds little on its own.
Telephony security assessment tools
The following are telephony security assessment tools:
VLANping: VLANping is a network pinging utility that can work with a VLAN tag.
VoIPER: VoIPER is a VoIP security testing toolkit incorporating several VoIP fuzzers and auxiliary tools to assist the auditor.
VoIP Hopper: VoIP Hopper is a GPLv3 licensed VoIP infrastructure security testing tool that rapidly runs a VLAN hop security test. It can be used to test the security of VLANs.
VoIPong: VoIPong is a utility that detects all Voice over IP calls on a pipeline and, for those that are G.711 encoded, dumps the actual conversation to separate WAV files. It supports SIP, H.323, Cisco's Skinny Client Protocol, RTP, and RTCP.
Vomit: Vomit converts a Cisco IP phone RTP conversation into a WAV file that can be played with ordinary sound players. Vomit requires a tcpdump output file.
VoIPaudit: VoIPaudit is a vulnerability assessment and penetration testing product designed specifically to identify Voice over IP (VoIP) and Unified Communication (UC) vulnerabilities.
Omnipeek: Omnipeek is a network analyzer. It provides real-time VoIP monitoring and analysis over Ethernet, wireless, 10GbE, and WAN links.
Traffic IQ Professional
Traffic IQ Professional enables security professionals to audit and validate the behavior of security devices by generating standard application traffic or attack traffic between two virtual machines. It can be used for assessing, auditing, and testing the behavioral characteristics of any non-proxy packet filtering device, including application layer firewalls, intrusion detection systems, intrusion prevention systems, routers, and switches.
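Returning to the wireless testing checklist above (default SSID, hidden SSID, WEP or weak ciphers, and MAC-address registration), the following is an added example that is not part of the chapter: it triages a small, constructed scan table in a simplified CSV layout modelled on what wireless scanners export, and uses a constructed list of sniffed data-frame addresses to show why MAC filtering fails, since the "registered" client addresses are exactly what a passive sniffer reveals. The SSID list, BSSIDs, and frame addresses are all assumptions of this example.

```python
import csv
import io
from typing import Dict, List, Set, Tuple

# Constructed scan results; none of these networks are real.
SCAN_CSV = """bssid,essid,privacy,cipher,channel
00:11:22:33:44:01,linksys,WEP,WEP,6
00:11:22:33:44:02,,WPA2,CCMP,11
00:11:22:33:44:03,corp-guest,OPN,,1
00:11:22:33:44:04,corp-wifi,WPA2,CCMP,36
00:11:22:33:44:05,NETGEAR,WPA,TKIP,6
"""

# Factory SSIDs commonly left unchanged; an illustrative list, not exhaustive.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "tp-link", "wireless"}

# Constructed (source, destination) addresses of 802.11 data frames as a
# passive sniffer would record them.
CAPTURED_FRAMES: List[Tuple[str, str]] = [
    ("aa:bb:cc:dd:ee:01", "00:11:22:33:44:02"),
    ("00:11:22:33:44:02", "aa:bb:cc:dd:ee:01"),
    ("aa:bb:cc:dd:ee:02", "00:11:22:33:44:04"),
    ("aa:bb:cc:dd:ee:03", "00:11:22:33:44:04"),
]


def parse_scan(text: str) -> List[Dict[str, str]]:
    """Read the scan table into one dict per access point."""
    return list(csv.DictReader(io.StringIO(text)))


def clients_seen_with(bssid: str, frames: List[Tuple[str, str]]) -> Set[str]:
    """Station MACs exchanging data with the AP. These are the 'registered'
    addresses an attacker clones to get past MAC filtering."""
    clients: Set[str] = set()
    for src, dst in frames:
        if dst == bssid:
            clients.add(src)
        elif src == bssid:
            clients.add(dst)
    return clients


def triage(networks: List[Dict[str, str]], frames: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Apply the wireless checklist to each AP and return findings keyed by BSSID."""
    findings: Dict[str, List[str]] = {}
    for net in networks:
        issues: List[str] = []
        essid = net["essid"]
        if essid == "":
            # Hidden SSIDs are still sent in probe and association frames;
            # every active client is an opportunity to capture it.
            seen = clients_seen_with(net["bssid"], frames)
            issues.append(f"hidden SSID; {len(seen)} active client(s) will expose it")
        elif essid.lower() in DEFAULT_SSIDS:
            issues.append("default SSID, device likely left at factory settings")
        if net["privacy"] == "OPN":
            issues.append("open network, no encryption")
        elif net["privacy"] == "WEP":
            issues.append("WEP in use; key recoverable from captured IVs")
        elif net["cipher"] == "TKIP":
            issues.append("TKIP cipher; legacy, migrate to CCMP")
        findings[net["bssid"]] = issues
    return findings


if __name__ == "__main__":
    for bssid, issues in triage(parse_scan(SCAN_CSV), CAPTURED_FRAMES).items():
        print(bssid, issues or ["no findings"])
    print("clients of corp-wifi:", clients_seen_with("00:11:22:33:44:04", CAPTURED_FRAMES))
```

In a real assessment the CSV would come from the scanner's export and the frame list from a capture taken in monitor mode; the triage logic stays the same.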
Chapter Summary
In this chapter, we learned about penetration testing, security assessments, risk management, and types of penetration testing. We discussed automated testing, manual testing, penetration testing techniques, and penetration testing phases. Lastly, we focused on enumerating devices, denial of service emulation, outsourcing pen testing services, and identifying various penetration testing tools.
Nikto
Nikto is a web server scanner used to test web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions of over 625 servers, and version-specific problems on over 230 servers. It is an open source tool, and its plugins and scan items are frequently updated. It uses LibWhisker to perform its checks and is run from the command line.
Glossary
Automated testing
Automated testing uses a program that runs the program under test, feeds it prepared inputs, and compares the actual output against the expected output.
BackTrack
A Linux distribution that bundles penetration testing and vulnerability assessment tools.
Black Box Testing
No prior knowledge of the system before testing. Also known as external testing.
GFI LANguard
GFI LANguard is a network vulnerability assessment tool that scans, detects, assesses, and remediates security vulnerabilities on a network. With a single console and extensive reporting functionality, it covers the three pillars of vulnerability management: network and port scanning, patch management, and network auditing.
Manual testing
Manual testing is a testing process conducted by human testers. The tester plays the role of an end user and exercises most of the features of the application to confirm correct behavior.
Network security assessment
Network security assessment identifies vulnerabilities and helps improve an enterprise's security policy by scanning the network environment.
Nikto
Nikto is a web server scanner used to test web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions of over 625 servers, and version-specific problems on over 230 servers.
Penetration testing
Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source.
Security testing
Security testing is a process to determine whether an information system protects data and maintains functionality as intended.
Vulnerability assessment
A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.
Web testing
Web testing is the name given to software testing that focuses on web applications, and is one of the fastest growing areas of software testing.
White Box Testing
Full information about the system before testing.