What is penetration testing?
A security assessment methodology that involves actively attempting to find exploitable vulnerabilities in complete, deployed systems running in their actual operational environment
What is the main artifact that penetration testing evaluates?
Complete systems running in their production environment, not isolated code or components
Who typically performs penetration testing?
• Red teams or tiger teams
• External security consultants
• Specialized penetration testing companies
• Teams separate from the development organization
What information guides penetration testing?
Results from architectural risk analysis and abuse cases to focus testing efforts on high-risk areas
What is the key difference between traditional software testing and penetration testing?
Traditional testing verifies functional requirements work correctly, while penetration testing seeks unexpected but intentional misuses of the system
What are the two types of verification in security testing?
• White hat testing: Confirms all intended security features work correctly
• Black hat testing: Ensures intentional attacks cannot compromise the system
What is the fundamental challenge of penetration testing?
It attempts to prove vulnerabilities do not exist by failing to find them, which is logically difficult to do conclusively
What can you conclude when penetration testing finds no vulnerabilities?
You can only conclude that under the specific circumstances tested, no security faults occurred - it provides little assurance against all possible attacks
What happens when penetration testing finds vulnerabilities?
It provides concrete, reproducible evidence of real security problems that result in clear security improvements when fixed
What was the Ware Report?
The report of a Defense Science Board task force convened in 1967 and led by Willis Ware of the RAND Corporation; published in 1970 as "Security Controls for Computer Systems", it was the first formal assessment of security problems in time-sharing computer systems and introduced the term "penetration"
When did DOD penetration testing teams emerge?
In the 1970s, to assess the "real" security of government computer systems
What are CTF competitions?
Capture The Flag competitions that are popular in academic settings for learning penetration testing skills
Why are penetration testing teams typically separate from developers?
• To avoid tunnel vision
• Same reason doctors don't treat themselves or family members
• Provides fresh perspective and objectivity
• Ensures independent assessment
What is a Red Team?
The offensive security team that simulates attackers during penetration testing
What is a Blue Team?
The defensive security team that protects systems during security exercises
What is a Purple Team?
A collaborative approach that combines red team and blue team activities
What are the different access levels for penetration testing?
• No access: Simulates external attackers
• Limited access: Simulates specific user roles
• Full access: Simulates knowledgeable insiders
• Administrative access: Tests from highest privilege levels
What is the Scoping phase of penetration testing?
Defining target systems, establishing rules of engagement, identifying critical assets, and setting testing timeline and resources
What is the Discovery phase of penetration testing?
• Offline activities: Research target organization and technologies
• Online activities: Network scanning and service enumeration
• Information gathering: Social media reconnaissance and document analysis
What is Vulnerability Scanning in penetration testing?
• Automated scanning of identified systems
• Service fingerprinting for software versions
• Known vulnerability identification using CVE databases
• Custom vulnerability testing based on discovered technologies
What is Target Penetration in penetration testing?
• Exploit development or utilization
• Access attempts within testing parameters
• Privilege escalation after initial access
• Lateral movement to assess broader compromise
What happens in the Analysis phase of penetration testing?
• Root cause analysis of vulnerabilities
• Impact assessment of successful penetrations
• Attack path documentation
• Risk evaluation based on business impact
What should penetration testing reports include?
• Detailed technical findings with reproduction steps
• Executive summary for management
• Remediation recommendations with prioritization
• Retest procedures for vulnerability verification
What is External Testing in penetration testing?
Testing that simulates attacks from across the internet by gathering information about remote access, IP addresses, open ports, and allowed services
What is Internal Testing in penetration testing?
Testing performed onsite that provides a view of the system behind external perimeters, using software penetration testing tools to exploit vulnerabilities
According to professional experience, what percentage of web hacking involves parameter manipulation?
70% of web hacking involves messing with client-side parameters that applications incorrectly trust
What is an example of parameter manipulation in web hacking?
Changing a URL like "http://target.com/buy?item=1&price=5.00" to "http://target.com/buy?item=1&price=0.01" to test business logic
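The price-tampering card above, worked as an added example (not code from the original flashcards): a checkout handler that trusts the client-supplied price next to one that treats the server-side catalogue as the only source of truth. The catalogue, the query strings and the helper names are constructed for illustration.

```python
# Added example: client-side parameter trust, vulnerable vs hardened.
# CATALOGUE, the URLs and the function names are constructed for this example.
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlsplit

# Constructed server-side catalogue: item id -> price in whole cents.
CATALOGUE = {"1": 500, "2": 1250}


def _params(url):
    """Flatten the query string of a URL into a dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def _cents(price_text):
    """Convert a decimal price string such as '5.00' to whole cents."""
    return int((Decimal(price_text) * 100).to_integral_value())


def checkout_vulnerable(url):
    """Charges whatever the client sent: the business decision is made client-side."""
    p = _params(url)
    item = p["item"]
    if item not in CATALOGUE:
        raise KeyError("unknown item")
    # BUG: the price comes from the request, not from the catalogue.
    return {"item": item, "charged_cents": _cents(p["price"])}


def checkout_hardened(url):
    """Ignores any client price; the catalogue decides what is charged and a
    mismatching client price is flagged so the event can be logged or alerted on."""
    p = _params(url)
    item = p["item"]
    if item not in CATALOGUE:
        raise KeyError("unknown item")
    cents = CATALOGUE[item]
    tampered = False
    if "price" in p:
        try:
            tampered = _cents(p["price"]) != cents
        except InvalidOperation:
            tampered = True          # unparsable price is tampering too
    return {"item": item, "charged_cents": cents, "tampered": tampered}


if __name__ == "__main__":
    tampered_url = "http://target.com/buy?item=1&price=0.01"
    print(checkout_vulnerable(tampered_url))   # charges 1 cent
    print(checkout_hardened(tampered_url))     # charges 500 cents, tampered=True
```

The hardened handler still accepts a price parameter so the test tells you whether the client lied; in a real application the parameter would simply not exist, and any value received for it is a signal worth logging.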
What percentage of web hacking involves default passwords?
10% of web hacking involves trying default passwords, which work far more often than expected
What percentage of web hacking involves hidden files and directories?
10% of web hacking involves finding hidden files and directories through manual exploration and directory brute forcing
What other attack vectors make up the remaining web hacking attempts?
• Authentication problems like bypass and replay attacks
• Insecure web services
• Configuration pages that reveal sensitive information
• Debug interfaces left accessible in production
What is Nmap and what does it do?
Network Mapper - a tool for network discovery that identifies hosts, services, operating systems, and packet filters/firewalls by sending raw IP packets
How does Nmap discover hosts?
• ICMP Echo Request and ICMP Timestamp requests
• TCP SYN to port 443 and TCP ACK to port 80 (Nmap's default probes when run with raw-socket privileges; -PS/-PA change the ports)
• Protocol-specific UDP packets to particular ports
• OS fingerprinting (-O) is a separate step run against hosts already found, not a discovery method
Why is stealth important in penetration testing?
A flurry of scanning activity may be detected, so testers control the rate of scanning to "work under the radar"
What is a web proxy in penetration testing?
A tool that sits between browser and server to display and modify HTTP/HTTPS packets as directed by the tester
What is OWASP ZAP?
• Zed Attack Proxy - a free, open-source web security tool
• Provides GUI-based packet inspection and modification
• Can set breakpoints to intercept specific requests
• Includes active scanning and fuzzing capabilities
What additional features does ZAP provide?
• Active scanning for XSS and SQL injection
• Fuzzing with context-specific payloads
• Spider for exploring site structure
• Automated vulnerability detection
What is Metasploit?
An advanced open-source platform for developing, testing, and using exploit code with an extensible model for integrating payloads, encoders, and exploits
What is the Metasploit attack workflow?
• Probe remote site for vulnerable services
• Construct payload based on versions and features
• Encode payload to avoid detection
• Inject payload and wait for shellcode to connect back
What is Meterpreter in Metasploit?
A command processor injected into the target's memory that permits stealthy probing and control of compromised systems
What types of modules does Metasploit include?
• Exploits against specific vulnerabilities
• Password sniffing tools
• Privilege escalation modules
• Keylogging and backdoor capabilities
What is Kali Linux?
A Linux distribution with many open-source penetration testing tools pre-installed and configured, including Nmap, ZAP, Metasploit, and dozens more
What additional tools are included in Kali Linux?
• John the Ripper for password cracking
• Valgrind for dynamic binary analysis
• Reaver for brute-forcing WPS PINs to recover WPA/WPA2 passphrases
• peepdf for scanning PDF files for attack vectors
What is fuzzing?
A process of repeatedly running a program with generated inputs that may be syntactically or semantically malformed to find improperly handled inputs
What is the goal of fuzzing?
• Make sure certain bad things don't happen regardless of input
• Prevent crashes, thrown exceptions, and non-termination
• Find conditions that could be foundations for security vulnerabilities
How does fuzzing complement functional testing?
Functional testing verifies features work correctly, while fuzzing tests for robust error handling and validates that misfeatures don't exist
What is Black Box fuzzing?
• Tool knows nothing about the program or its input
• Easy to use but explores only shallow states unless lucky
• Random or semi-random input generation
What is Grammar-Based fuzzing?
• Tool generates input informed by a formal grammar
• More work to create grammar but can reach deeper application states
• Higher quality inputs that exercise more program logic
What is White Box fuzzing?
• Tool generates inputs informed by the code being fuzzed
• Often easy to use but computationally expensive
• Uses program analysis to guide input generation
What is Mutation-based fuzzing?
Taking legal inputs and mutating them with operations like bit flips, byte changes, or arithmetic modifications while preserving some structure
What is Generation-based fuzzing?
Creating inputs from scratch using grammars, templates, or protocol specifications rather than modifying existing inputs
What is Radamsa?
A mutation-based, black box fuzzer that mutates given inputs and passes them to target programs for testing
What is Blab?
A grammar-based fuzzer that generates inputs according to grammars specified as regular expressions and context-free grammars
What is American Fuzzy Lop (AFL)?
A mutation-based fuzzer that instruments targets to gather runtime coverage information and mutates inputs to discover new code paths; this course classes it as white-box, though it is more commonly described as grey-box or coverage-guided because it uses coverage feedback rather than program analysis of the source
How does AFL work?
• Instruments target to track code location tuples
• Runs tests and mutates inputs that generate unseen execution paths
• Discards tests that don't increase coverage
• Periodically culls tests to avoid local minima
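The mutation-based fuzzing card and the AFL workflow above, worked as one added example (not code from the original flashcards and not AFL's own code): a coverage-guided loop that applies AFL-style mutations (bit flips, byte replacement, small arithmetic, "interesting" values), uses Python's line tracer as a stand-in for AFL's instrumentation, and keeps only inputs that reach an unseen path. The target parser and its planted bug are constructed; the bug needs two separate byte changes, so the same loop without coverage feedback never finds it from the seed.

```python
# Added example: a coverage-guided mutation fuzzer in the style of AFL.
# target() is a constructed toy parser; the crash it contains is planted.
import random
import sys

INTERESTING = [0x00, 0x7F, 0x80, 0xFF]   # AFL's "interesting" 8-bit values


def target(data):
    """Constructed format: 'R','X', a length byte n, then n body bytes.
    The planted bug: a body starting with 0xFF is not handled."""
    if len(data) < 3:
        return "short"
    if data[0] != 0x52:              # 'R'
        return "bad-magic-1"
    if data[1] != 0x58:              # 'X'
        return "bad-magic-2"
    n = data[2]
    body = data[3:3 + n]
    if len(body) != n:
        return "truncated"
    if n and body[0] == 0xFF:
        raise ValueError("unhandled sentinel in body")   # the planted bug
    return "ok"


def run_with_coverage(func, data):
    """Run func(data); return (outcome, frozenset of executed line numbers).
    Line numbers stand in for AFL's branch tuples."""
    lines, code = set(), func.__code__

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None              # do not trace anything but the target
        if event == "line":
            lines.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        func(data)
        outcome = "ok"
    except Exception as exc:
        outcome = type(exc).__name__
    finally:
        sys.settrace(None)
    return outcome, frozenset(lines)


def mutate(data, rng):
    """One random AFL-style mutation of a single byte."""
    buf = bytearray(data) or bytearray(b"\x00")
    i = rng.randrange(len(buf))
    kind = rng.randrange(4)
    if kind == 0:
        buf[i] ^= 1 << rng.randrange(8)                  # bit flip
    elif kind == 1:
        buf[i] = rng.randrange(256)                      # byte replace
    elif kind == 2:
        buf[i] = (buf[i] + rng.randrange(-35, 36)) % 256  # small arithmetic
    else:
        buf[i] = rng.choice(INTERESTING)                 # interesting value
    return bytes(buf)


def fuzz(seed, iterations, guided=True, rng_seed=1):
    """Mutate from a corpus; with guided=True inputs that reach an unseen path
    join the corpus, with guided=False every mutation starts from the seed."""
    rng = random.Random(rng_seed)
    corpus = [seed]
    seen = {run_with_coverage(target, seed)[1]}
    for i in range(iterations):
        parent = rng.choice(corpus) if guided else seed
        child = mutate(parent, rng)
        outcome, cov = run_with_coverage(target, child)
        if outcome != "ok":
            return {"crash": child, "outcome": outcome, "iterations": i + 1, "corpus": len(corpus)}
        if guided and cov not in seen:
            seen.add(cov)            # new path: keep it as a parent for later
            corpus.append(child)
    return {"crash": None, "outcome": "ok", "iterations": iterations, "corpus": len(corpus)}


if __name__ == "__main__":
    seed = b"RY\x03abc"              # wrong second magic byte, otherwise well formed
    print("guided:  ", fuzz(seed, 20000, guided=True))
    print("unguided:", fuzz(seed, 2000, guided=False))
```

The unguided run fails because fixing 'Y' to 'X' and planting 0xFF are two changes that never happen in one mutation of the seed; the guided run keeps the 'RX' input once it produces a new path and then finds the crash from it, which is the whole point of the "discard tests that don't increase coverage" rule.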
What is file-based fuzzing?
Generating or mutating input files, running the target program with them, and observing what happens for crashes or errors
What is network-based fuzzing approach 1?
Acting as half of a communicating pair by replaying and altering previously recorded interactions or generating from protocol grammars
What is network-based fuzzing approach 2?
Acting as a "man in the middle" by mutating inputs exchanged between communicating parties, often informed by protocol grammars
What is SPIKE?
A fuzzer creation kit providing a C-language API for writing fuzzers for network-based protocols with template and payload capabilities
What is Burp Intruder?
A tool that automates customized attacks against web applications by allowing users to craft request templates with "holes" (payloads) for fuzzing
What questions arise when fuzzing discovers crashes?
• What is the root cause so it can be fixed?
• Can the input be made smaller for easier analysis?
• Are multiple crashes signaling the same bug?
• Does the crash indicate an exploitable vulnerability?
How do you determine if crashes represent the same bug?
If they "minimize" to the same input after each crash-causing input is reduced to the smallest form that still triggers the crash; distinct minimal inputs usually mean distinct bugs
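The two triage questions above (can the input be made smaller, and are two crashes the same bug) worked as an added example, not code from the original flashcards: a delta-debugging (ddmin) minimizer over a byte string, run against a constructed toy scanner that dies on an unterminated comment. Two quite different crashing inputs reduce to the same four bytes, which is the signal that they are one bug.

```python
# Added example: crash minimization with ddmin, and de-duplication by minimized input.
# toy_target() and the crash inputs are constructed for this example.


def toy_target(data):
    """Constructed toy: dies on an opened but never closed '<!--' comment."""
    if b"<!--" in data and b"-->" not in data:
        raise RuntimeError("unterminated comment")
    return len(data)


def crashes(data):
    """Crash oracle: True if the target raises on this input."""
    try:
        toy_target(data)
        return False
    except RuntimeError:
        return True


def ddmin(data, crashes_fn):
    """Zeller's delta debugging: repeatedly remove chunks while the crash
    persists, doubling granularity when no removal works, until no single byte
    can be removed (a 1-minimal crashing input)."""
    assert crashes_fn(data), "input must crash to begin with"
    n = 2
    while len(data) >= 2:
        chunk = len(data) // n
        reduced = False
        for i in range(n):
            start = i * chunk
            end = (i + 1) * chunk if i < n - 1 else len(data)
            candidate = data[:start] + data[end:]
            if candidate != data and crashes_fn(candidate):
                data, n, reduced = candidate, max(n - 1, 2), True
                break
        if not reduced:
            if n >= len(data):       # already at single-byte granularity
                break
            n = min(n * 2, len(data))
    return data


def same_bug(a, b, crashes_fn):
    """Heuristic from the card: two crashes are the same bug if they minimize alike."""
    return ddmin(a, crashes_fn) == ddmin(b, crashes_fn)


if __name__ == "__main__":
    crash_a = b"hello <!-- world"
    crash_b = b"<!-- x"
    print(ddmin(crash_a, crashes))               # b'<!--'
    print(ddmin(crash_b, crashes))               # b'<!--'
    print(same_bug(crash_a, crash_b, crashes))   # True
```

ddmin only guarantees that no single byte can be dropped, so two inputs for the same bug can still minimize differently when the bug has several triggers; in practice a stack hash at the crash site is combined with the minimized input before two reports are merged.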
What types of crashes are rarely vs often exploitable?
• Rarely exploitable: NULL pointer dereferences, which on modern systems with an unmapped zero page usually give only a crash (denial of service)
• Often exploitable: buffer overflows and other memory corruption, where the attacker controls what gets overwritten
What is Address Sanitizer (ASAN)?
A compiler instrumentation (Clang/GCC -fsanitize=address) that checks every memory access against shadow memory to detect heap, stack and global buffer overflows and use-after-free errors, so a fuzzing crash is reported at the first bad access rather than at a later, misleading symptom
What is CERT Basic Fuzzing Framework (BFF)?
A fuzzing framework based on Zzuf that has found bugs in major software like Adobe Reader, Flash Player, Apple Preview, and QuickTime
What is Sulley?
A comprehensive fuzzing framework that watches networks, maintains records, monitors target health, detects and categorizes faults, and can fuzz in parallel
What are the benefits of penetration testing?
• Penetrations are certain and reproducible
• Applied to whole, deployed systems rather than isolated fragments
• No false alarms when vulnerabilities are found
• Provides concrete evidence of real problems
What is the "feel good" factor in penetration testing?
When penetration testing produces evidence of real vulnerabilities that would otherwise go unfixed, resulting in clear security improvements
What are the drawbacks of penetration testing?
• Absence of penetrations doesn't prove security
• System changes necessitate complete retesting
• Security is not compositional - changes affect entire system
• Can be expensive to retest frequently
Why is penetration testing still worth doing despite its limitations?
Because when it finds vulnerabilities, it provides concrete, actionable evidence that leads to real security improvements
What is the ethical principle behind penetration testing tools?
Tools should be used to reveal security vulnerabilities so they can be fixed, not to exploit them maliciously in the wild
What should you avoid when using penetration testing tools?
Using tools for nefarious purposes - always maintain ethical boundaries and only test systems you have explicit permission to test