Vous êtes sur la page 1sur 6

International Journal of Engineering Trends and Technology- Volume4Issue3- 2013

Vulnerability Assessment and Penetration Testing


Ankita Gupta#1, Kavita*2, Kirandeep Kaur#3
#
Computer Science Department, PEC University of Technology, India
*
Electronics and Electrical Communication Department, PEC University of Technology, India

AbstractVulnerability assessment and Penetration Testing and respond to security incidents done by Pen testers aka Red
(VAPT) is the most comprehensive service for auditing, Team.
penetration testing, reporting and patching f or your
c o m p a n y s web based applications. With port 80 always II. METHODOLOGY OVERVIEW
open for web access there is always a possibility that a 1) Discovery: The penetrator performs information
hacker can beat your security systems and have discovery via a wide range of techniques such as,
unauthorized access to your systems. Vulnerability
scan utilities, Google dorks, and more in order to
assessment and penetration testing are two different and
complimentary proactive approaches to assess the security
gain as much information about the target system as
posture of an information systems network. The possible. These discoveries often reveal sensitive
Vulnerability Assessment is done to test the security posture information that can be used to perform specific
of the information system both internally and externally. attacks on a given machine.
Penetration tests provide evidence that vulnerabilities 2) Enumeration: Once the specific networks and
do exist as a result network penetrations are possible. systems are identified through discovery, it is
They provide a blueprint for remediation. Methodology important to gain as much information possible about
include: discovery, enumeration, vulnerability identification, each system. The difference between enumeration
vulnerability assessment, exploitation and launching of and discovery depends on the state of intrusion.
attack, reporting, external penetration testing, internal
penetration testing, legal issues before you start.
Enumeration is all about actively trying to obtain
usernames as well as software and hardware device
Keywords- Vulnerability Assessment, Penetration Testing, version information.
Acunetix 3) Vulnerability Identification: The vulnerability
identification step is a very important phase in
I. INTRODUCTION penetration testing. This allows the user to determine
Vulnerability Assessment and Penetration Testing (VAPT) is the weaknesses of the target system and where to
a Systematic analysis of security status of Information systems. launch the attacks.
Vulnerability assessment is an on-demand solution which 4) Exploitation and launching of attacks: After the
makes it convenient to run tests over the Internet anywhere, vulnerabilities are identified on the target system, it
anytime. It is a hybrid solution which blends automated is then possible to launch the right exploits. The goal
testing with security expert analysis. The unique technology of launching exploits is to gain full access of the
identifies all possible attack vectors. Vulnerability assessment target system. Denial of Service: A DoS (Denial of
offers partial evaluation of vulnerabilities, actually testing for Service) test can be performed to test the stability of
vulnerabilities done by penetrating barriers is useful adjunct. production systems in order to show if they can be
As it identifies potential access paths missed by VAS. crashed or not. When performing a penetration test of
Penetration testing aka pen testing is the practice of testing a a production system, it is important to test its stability
computer system, network or Web application to find and how easily can it be crashed. By doing this, its
vulnerabilities that an attacker could exploit [1]. stability can be ensured once it is deployed into a real
environment. It is important to perform DoS attack
Pen tests can be automated with software applications or they to ensure the safeness of certain systems. If an
can be performed manually. Either way, the process includes attacker takes down your system during busy or peak
gathering information about the target before the test hours, this could lead to significant financial losses.
(reconnaissance), identifying possible entry points, attempting III. VULNERABILITY ASSESSMENT
to break in (either virtually or for real) and reporting back the
findings. [2] Vulnerability assessment is to find vulnerabilities and to
take more holistic look at security. Penetration testing is a
focused attack of a single or a few vulnerabilities that
The main objective of penetration testing is to determine
are generally already known to exist or are suspected of
security weaknesses. A pen test can also be used to test an
existing. Vulnerabilities now scale beyond technology the
organization's security policy compliance, its employees'
operational processes like patch management and incident
security awareness and the organization's ability to identify
management have a significant impact on the lifecycle of
vulnerability. Vulnerability analysis can forecast the

ISSN: 2231-5381 http://www.internationaljournalssrg.org Page 328


International Journal of Engineering Trends and Technology- Volume4Issue3- 2013

effectiveness of proposed countermeasures and evaluate Sniff email messages.


their actual effectiveness after they are put into use. Attempt replay attacks.
Attempt ARP poisoning.
A. Reasons for Vulnerability Existence Attempt MAC flooding.
Insecure coding practices Conduct a man-in-middle attack.
Developer education not focused on security Attempt DNS poisoning.
Limited testing budget and scope Try a login to a console machine.
Disjoined security processes Attempt session hijacking on Telnet, Http, and FTP
More resources outside than inside traffic.
Attempt to plant software key logger to steal
B. Steps for Vulnerability Analysis passwords.
Plant spyware on target machine.
Defining and classifying network or system Plant Trojan on target machine.
resources. Attempt to bypass antivirus software installed on
Assigning relative levels of importance to the target machine.
resources. Escalate user privileges.
Identifying potential threats to each resource.
Developing a strategy to deal with the most serious B. External Penetration Testing
potential problems first. It is the type of penetration testing which is done
Defining and implementing ways to minimize the remotely outside the network. Complete external
consequences if an attack occurs. viewpoint evaluates the security of the entire site.
Once analysis has been completed, if security holes are Inventory the companys external infrastructure.
found as a result of vulnerability analysis, a vulnerability Create topological map of the network and Identify
disclosure may be required. The person or organization the IP address of the target machine.
that discovers the vulnerability or a responsible industry Locate the traffic route that goes to the web
body such as the Computer Emergency Readiness Team servers. Locate TCP and UDP path to the
(CERT) may make the disclosure. If the vulnerability is destination.
not classified as a high level threat, the vendor may be Identify the physical location of the target
given a certain amount of time to fix the problem before servers.
the vulnerability is disclosed publicly. The third stage of Examine the use of IPV6 at the remote location.
vulnerability analysis (identifying pot ent ial threats) is Lookup domain registry for the IP information.
sometimes performed by a white hat using ethical hacking Find IP block information about the target and
techniques. Using this method to assess vulnerabilities, locate the ISP servicing the client.
security experts deliberately probe a network or system All this is achieved by scanning every port on network. Use
to discover its weaknesses. This process provides guidelines SYN scan (The TCP SYN scan uses common methods of
for the development of countermeasures to prevent a port-identification that allow to gather information about
genuine attack [4]. open ports without completing the TCP handshake pro-
cess. When an open port is identified, the TCP handshake is
IV. PENETRATION TESTING
reset before it can be completed. This technique is often
Penetration testing is a method of evaluating the security referred as half open scanning.) , XMAS scan (hackers use
of a machine. Services are evaluated to identify weakness, TCP XMAS scan to identifying listening TCP ports. This
flaws, vulnerabilities and the absence of patches. scan uses a series of strangely configured TCP packets,
Identifying the security holes, firewall configuration and which contain a sequence number of 0 and the Urgent
Wireless points. It includes internal penetration testing (URG), Push (PSH), and FIN flags. ), NULL scan (this
(penetration done locally within the network. Often taken type of scan can get through some fire- walls and boundary
as a white-box approach) and External Penetration testing routers th a t filter on incoming TCP packets with standard
(done remotely). flag settings). This includes security vulnerabilities and
other bugs, and improving the performance. Look for error
A. Internal Penetration Testing and custom web pages. Guess different sub domains names
Map the internal network. and analyze different responses. Examine the session
Scan the network for live host. variables and cookies generated by the server. One can
Port scans individual machines. check for directory consistency and page naming syntax
Try to gain access using known vulnerabilities. of the web pages via looking for sensitive information in
Attempt to establish null sessions. webpage source code. Attempt URL encoding on web
Enumerate users/identify domains on the network. pages. Try buffer over-flow attempts at input fields, Cross
Sniff the network using Wire shark. Site Scripting ( XSS) technique. Various SQL injection
Sniff POP3/FTP/Telnet passwords.

ISSN: 2231-5381 http://www.internationaljournalssrg.org Page 329


International Journal of Engineering Trends and Technology- Volume4Issue3- 2013

techniques are used for remote database exploitation. [3] credentials and sessions tokens are often not
properly protected, third party can access to
V. BENEFITS OF VAPT ones account. Method of attack use weakness
Avoid network downtime due to breach. in authentication mechanism:
Discover methods that hackers use to 4.
compromise the network. Logout
Enhancive effectiveness of an overall Password Management Timeout
security life cycle. Remember me
Provide a strong basis for helping to
determine appropriate security budgets. 5. Insecure Direct Object References: Occurs when
developer uses HTTP parameter to refer to
VI. WEB APPLICATION VULNERABILITIES internal object. A direct object reference occurs
Web applications are those applications that can be when a developer exposes a reference to an internal
availed from anywhere in the world, attackers may be implementation object, such as a file, directory,
sitting worldwide to make these applications vulnerable, database record, or key, as a URL or form
on the basis of specific protocols such as HTTP and parameter. An attacker can manipulate direct
HTTPS (and also streaming) object references to access other objects without
authorization, unless an access control check is in
A. Types of Web Application Vulnerabilities place. For example, in Internet Banking
applications, it is common to use the account
1. SQL- Injection: SQL Injection is the hacking number as the primary ke y. Therefore, it is
technique which attempts to pass SQL commands tempting to use the account number directly in
(statements) through a web application for the web interface. Even if the developers have
execution by the backend database. If not sanitized used parameterized SQL queries to prevent SQL
properly, web applications may result in SQL injection, if there is no extra check that the user is
Injection attack that allow hackers to view the account holder and authorized to see the
information from the database and/or even wipe account, an attacker tampering w i t h the account
it out. In SQL Injection, the hacker uses SQL number parameter can see or change all accounts
queries and creativity to get to the database of
sensitive corporate data through the web 6. Failure to Restrict URL: Many web applications
application.[6] check URL access rights before rendering protected
links and button. However, applications need to
2. Cross-Site Scripting: If the web site allows perform similar access control checks each time
uncontrolled content to be supplied by users. User when pages are accessed, or attackers will be able to
can introduce malicious code in the content for forge URLs to access these hidden pages anyway.
example: Modification of the Document Object Some site just prevent the display links or URLs to
Model-DOM (change some links, add some unauthorized users, attackers can access directly
buttons), Send personal information to third party the URLs by gaining access to protected areas.
(JavaScript can send cookies to other sites)[1][2]. Code that evaluates privileges on the client rather
XSS attacks involve three parties: than on the server. Privileges tested in JavaScript and
The attacker access to a hidden address. But attacker can see the
The victim code the address. [4]
The vulnerable web site that the attacker
exploits to take action on the victim. 7. Remote Code Execution: This vulnerability allows an
attacker to run arbitrary, system level code on the
XSS vulnerabilities exist when a web application vulnerable server and retrieve any desired
accepts user input t h r ough HTTP requests such information contained therein. Improper coding errors
as a GET or a POST and then redisplays the input lead to this vulnerability. It is difficult to discover this
somewhere in the output HTML code. vulnerability during penetration testing assignments
but such problems are often revealed while doing a
3. Broken Authentication and Session source code review. However, when testing web
Management: Application functions related to applications is important to remember that
authentication and session management are exploitation of this vulnerability can lead to total
often not implemented correctly, allowing system compromise with the same rights as the web
attackers to compromise passwords, keys, server itself [8].
session tokens, or exploit other implementation
flaws to assume other users identities. Account

ISSN: 2231-5381 http://www.internationaljournalssrg.org Page 330


International Journal of Engineering Trends and Technology- Volume4Issue3- 2013

VII. VULNERABILITY ASSESSMENT USING utility when performed on its own, as all the injected exploits
ACUNETIX would be blind, i.e., they would be launched at the target
Acunetix S i t e Audit provides you with an immediate and without knowing its specific details or susceptibility 6
comprehensive securit y audit of all off-the-shelf and Vulnerability Assessment IA Tools Report Sixth Edition to
bespoke web applications. Performed by web security the exploits. For this reason, the majority of vulnerability
experts using Acunetix Web Vulnerability Scanner, assessment tools combine both passive and active scanning,
Acunetix Site Audit: the passive scanning is used to discover the vulnerabilities
that the target is most likely to contain, and the active
scanning is used to verify that those vulnerabilities are, in
Provides you with an immediate and fact, both present and exposed as well as exploitable.
comprehensive website security audit. Determining that vulnerabilities are exploitable increases the
Ensures your website is secure against accuracy of the assessment tool by eliminating the false
we b attacks. positives, i.e. , the instances in which the scanner detects a
Checks for SQL injection, Cross site pattern or attribute indicative of a likely vulnerability that
scripting an d other vulnerabilities. which, upon analysis, proves to be either
Audits shopping carts, forms, and 1. Not present,
dynamic content. Scans all your website and web
2. Not exposed, and
applications including JavaScript / AJAX
applications for security vulnerabilities. 3. Not exploitable.
It is the combination of passive and active scanning,
VIII. WORKING OF VULNERABILITY ASSESSMENT together with increased automation, that has rendered
TOOL auto- mated penetration testing suites more widely useful
Vulnerability assessment tools generally work by attempting in vulnerability assessment. Most vulnerability
to automate the steps often employed to exploit vulnerabilities: assessment tools are capable of scanning a number of
they begin by performing a footprint analysis to determine network nodes, including networking and networked devices
what network services and/or software programs (including (switches, routers, firewalls, printers, e t c .) , as well as
versions and patch levels) run on the target. The tools then server, desktop, and portable computers. The
attempt to find indicators (pat- terns, attributes) of, or to vulnerabilities that are identified by these tools may be
exploit vulnerabilities known to exist, in the detected the result often programming fl a ws (e.g. Vulnerabilities
services/software versions, and to re- port the findings that to buffer overflows, SQL-Injections, cross site scripting
result. Caution must be taken when running exploit code [XSS], etc.) ,or implementation flaws and
against live (operational) targets, because damaging results misconfigurations. A smaller subset of tools also provide
may occur. For example, targeting a live Web application enough information to enable the user to discover
with a drop tables Standard Query Language (SQL) design and even architecture flaws.
injection probe could result in actual data loss. For this The reason for specialization of vulnerability
reason, some vulnerability as- assessment tools are (or are assessment tools, e.g., network scanners, host scanners,
claimed to be) entirely passive. Passive scans, in which no
database scanners, web application scanners, is that to
data is injected by the tool into the target, do nothing but
be effective, the tool needs to have a detailed knowledge
read and collect data. In some cases, such tools use
of the targets it will scan. A network scanner needs to
vulnerability signatures, i.e., patterns or attributes associated
know how to perform and interpret a network footprint
with the likely presence of a known vulnerability, such as lack
of a certain patch for mitigating that vulnerability in a given analysis that involves first discovering all active nodes on
target. All passive tools are limited in usefulness (compared the network, then scanning them to enumerate all of the
with tools that are not completely passive) because they can available net- work services (e.g., File Transfer Protocol
only shows the presence of vulnerabilities based on [FTP], Hyper Text Transfer Protocol [HTTP]) on each
circumstantial evidence, rather than testing directly for host. As part of this service enumeration process, the
those vulnerabilities.[9] scanner attempts to identify vulnerabilities through
Most vulnerability assessment tools implement at least some grabbing and analysing banners, and checking open port
intrusive scanning techniques that involve locating a status, n protocol compliance, and service behaviour,
likely vulnerability (often through passive scanning) , then and through direct injection of exploits targeting known
injecting either random data or simulated attack data into the vulnerabilities (listed in the tools built-in vulnerability
interface created or exposed by that vulnerability, as database) into any open port it has found.
described above, then observing what results. Active
scanning is a technique traditionally associated with A host-based vulnerability assessment tool needs full
penetration testing, and like passive scanning, is of limited knowledge of the software and software patches installed

ISSN: 2231-5381 http://www.internationaljournalssrg.org Page 331


International Journal of Engineering Trends and Technology- Volume4Issue3- 2013

on the target host, down to specific version/ release they can also retrieve or generate and apply those
and patch levels. Thus, requires full access to that remediation /patches in real time, and follow up with
host in order to scan the host and discover all of its ongoing periodic automated and/or event driven(ad-hoc)
software programs/patches, and to perform various reassessments to ensure that no new vulnerabilities have
configuration checks. Most often, this requires the emerged, or old ones resurfaced, during the evolution of
installation (on the target hosts) of software agents that the target or its threat environment. The ability of a
collect the information for that host, and report it tool to not only assess but also remediate and
back to a central scan server, which aggregates all of continuously monitor the system for vulnerabilities
the data received from all of the agents, analyzes it, promotes it from a vulnerability assessment tool to a
then determines what exploits from its vulnerability vulnerability management system.
database should be attempted on each target host to
discover and validate the existence of known/ suspected IX. VAPT OF PEC WEBSITE
vulnerabilities on that target. Un- like remote network
scanning, agent-based host scanners can test for both In this we have analysed website of
client-side and perform common attacks against it, such PEC (www.pec.edu.in) using acunetix vulnerability
as SQL injections, XSS, least privilege violations, etc. assessment tool. Using this tool we have identified
The growing power and size of computing platforms able some major vulnerability as shown below: Major flaw in PEC
to host more complex scanning applications and their website/server that password transmitted over HTTP . If an
larger databases (used for storing vulnerability databases attacker can intercept network traffic he/she can steal users
and collected findings) , along with simultaneous increases credentials. All sensitive data should be transferred over
in network throughput and available bandwidth, allowing HTTPS rather than HTTP. Forms should be served over
for more scan-related traffic, have been enablers in the HTTPS. All aspects of the application that accept user
growing category of multilevel vulnerability assessment input starting from the login process should only be served
tools. Multilevel scanners seek and assess vulnerabilities over HTTPS.
at multiple layers of the ICT infrastructure, in essence Another major flaw discovered during vulnerability
combining the capabilities of two or more of the other assessment that the target web server is disclosing ASP.NET
scanner types (network and host, host and database, version in the HTTP response. This in- formation can
host and application, etc.) . This consolidation of help an attacker to develop further attacks and also the
scanners into a single tool parallels the trend towards system can become an easier target for automated attacks.
It was leaked from X-AspNet-version banner of HTTP
consolidating multiple security-relevant analysis,
response or de- fault ASP.NET error page. An attacker can
assessment, and remediation functions into a single
use dis- closed information to harvest specific security
vulnerability management system that, in turn, may be
vulnerabilities for the version identified. The attacker can
part of an even larger enterprise security management also use this information in conjunction with the other
system. The type and level of detail of a vulnerability vulnerabilities in the application or web server. Solve this
assessment tools findings varies from tool to tool. Some issues server administrator should do error handling in
tools attempt to detect only a narrow set of widely- ASP.NET pages and applications , also remove X-AspNet-
known vulnerabilities and provide little information about Version header from configuration files.
those it discovers. Others attempt to detect a much larger
number of vulnerabilities and weaknesses (i.e., anomalies
that are only suspected to be exploitable as
vulnerabilities) , and provides a great deal of
information about its findings, including potential
impacts of level of risk posed by the discovered
vulnerabilities, suggested remediations for them (e.g.,
necessary reconfigurations or patches) , and
prioritization of those remediations based on their
perceived or assessed impact and/or risk.
Vulnerability assessment tools are most useful when
applied during two phases in a targets lifecycle:
1. Just before deployment of system.
2. Re-Iteratively after its deployment.
The most sophisticated vulnerability assessment tools
not only identify vulnerabilities, analyze their likely X. LIMITATIONS OF PENETRATION TESTING
impact, and determine and prioritize mitigations,

ISSN: 2231-5381 http://www.internationaljournalssrg.org Page 332


International Journal of Engineering Trends and Technology- Volume4Issue3- 2013

There are many security problems for which


penetration tests will not be able to identify server-side XI. CONCLUSION
vulnerabilities. Web a ppl i cat i on and database
vulnerability scanners look for vulnerabilities that are It is important to make a distinction between
traditionally ignored by network- or host-level penetration testing and network security assessments. A
vulnerability scanners. Even custom-developed web network security or vulnerability assessment may be
application and/or database application often use useful to a degree, but do not always reflect the
common middleware (e.g., a specific suppliers web server extent to which hackers will go to exploit a
such as Microsoft internet information web server (IIS) or vulnerability. Penetration tests attempt to emulate a
Apache server), backend (Oracle, PostgreSQL, and real world attack to a certain degree. The
technologies (e.g., JavaScript , SQL) that are known or penetration testers will generally compromise a system
considered likely to harbour certain types of with vulnerabilities that they successfully exploited.
vulnerabilities that cannot be identified via signature-
If the penetration tester finds 5 holes in a sys- tem
based methods used by network- and host-based
to get in this does not mean that hackers or external
vulnerability analysis tools. Instead, web Application
intruder will not be able to find 6 holes. Hackers and
scanners and database scanners directly analyze then
target web application or database, and attempt to[10] intruders need to find only one hole to exploit whereas
penetration testers need to possibly find all if not as
Penetration tests are generally many as possible holes that exist. This is a daunting
carried out as black box exercises, where task as penetration tests are normally done in a certain
the penetration tester does not have complete time frame. Finally, a penetration test alone provides
information about the system being tested. no improvement in the security of a computer or
network. Action to taken to ad- dress these
A test may not identify a
vulnerabilities that is found as a result of conducting
vulnerability that is obvious to anyone with
the penetration test.
access to internal infor- mation about the
machine.
REFERENCES
A penetration test can only identify
those prob- lems that it is designed to look [1] Vulnerability Assessment and Penetration Testing
for. If a service is not tested then there will http://www.aretecon.com/aretesoftwares/ vapt.html
[2] http://searchsoftwarequality.techtarget.com/definition/penetration-testing
be no information about its security or [3] http://www.netragard.com/penetration-testing- definition
insecurity. [4] Introduction to t h e Premier Pen Testing Informa- tion Security
Certification (Advanced EthicalHacking)
A penetration test is unlikely to provide [5] Laura Chappells session TUT233, Cyber Crime at PacketLevel, at
information about new vulnerabilities, Novell BrainShare 2001.
especially those discovered after the test is [6] C. Anley,Advanced SQL injection in SQL server applications,,
carried out. 2002.
[7] Open Web Application Security Project,
Even if the penetration team did not
https://www.owasp.org/index.php/Category: Vulnerability
manage to break into the organization this does [8] Vulnerability Analysis, http://www.
not mean that they are secure. pentest-standard.org/index.php/ Vulnerability_Analysis
[9] Penetration Testing Limits http://www.
Penetration testing is not the best praetorian.com/blog/penetration-testing/ limitations-of-penetration-testing/,
way to find all vulnerabilities. Vulnerability 2008
[10] Audit your website security with Acunetix Web Vulnerability
assessments that include careful diagnostic Scanner, http://www.acunetix.com/ vulnerability-scanner/
reviews of all servers and network devices will
definitely identify more issues faster than a
black box penetration test.
Penetration tests are conducted in a
limited time period. This means that it is a
snapshot of a system or networks security.
As such, test- ing is limited to known
vulnerabilities and the current configuration
of the network. Also it does not mean that if
the testing team did not discover the any
vulnerability in the organizations system, it
does not mean that hackers or intruders will
not [7].

ISSN: 2231-5381 http://www.internationaljournalssrg.org Page 333