
Penetration Testing

Penetration testing, or pentesting, is a critical cybersecurity practice that simulates real-world attacks to identify vulnerabilities in systems, networks, and applications. Learn how pentesting helps organizations strengthen their security posture and protect against cyber threats.

Social Engineering as a Reconnaissance Tool: A Key Component in Cybersecurity

Discover how social engineering is used as a reconnaissance tool in cybersecurity. Learn about its techniques, significance, and strategies to defend against it effectively.

When we think about cybersecurity threats, high-tech attacks like malware, ransomware, or data breaches often come to mind. However, some of the most effective and dangerous tactics come from a low-tech, high-skill technique known as social engineering. Social engineering leverages human psychology, deception, and manipulation rather than technical prowess to gather critical information from individuals, often as part of the reconnaissance phase in hacking.

In this article, we’ll examine the role of social engineering as a reconnaissance tool, how it is used to gather information, common techniques, and best practices for defending against it.

What is Social Engineering in Cybersecurity?

Social engineering is a tactic that exploits human interaction to deceive individuals into divulging confidential information or performing actions that compromise security. Rather than relying on technical hacks, social engineers use psychological manipulation to persuade people to share sensitive data, such as login credentials, internal network information, or company policies.

In cybersecurity, social engineering is often deployed in the early reconnaissance stages of an attack. The information gathered through social engineering can be invaluable, enabling attackers to design more sophisticated attacks.

Why is Social Engineering Important for Reconnaissance?

Reconnaissance is the first step in the hacking process, where hackers gather as much information as possible about a target to understand its vulnerabilities. Social engineering plays a significant role here, as it allows hackers to collect detailed, insider information without needing technical exploits.

Here’s why social engineering is so effective as a reconnaissance tool:

  • Access to Internal Knowledge Social engineering can help attackers gain knowledge about company policies, employee habits, or specific technologies in use, which aren’t typically available through technical reconnaissance.

  • Bypasses Technological Barriers Many organizations invest heavily in cybersecurity defenses to block technical attacks, but these tools cannot defend against human error and deception. Attackers use social engineering to bypass these barriers by targeting the people behind them.

  • Allows for Tailored Attacks Information gathered through social engineering can be used to craft highly targeted attacks that appear legitimate, such as spear-phishing emails that seem personalized, increasing the chances of success.

  • Facilitates Access to Other Attack Vectors Social engineering can uncover login credentials, open network ports, or employee names and roles, giving hackers valuable starting points for more technical attacks.

Common Social Engineering Techniques in Reconnaissance

Social engineering uses various tactics, each tailored to extract different types of information. Here are some of the most common techniques:

1. Phishing

Phishing involves sending deceptive emails or messages that appear to be from trusted sources. Attackers might send emails that mimic official company communication, often including malicious links or attachments designed to capture sensitive information.

  • Example: A hacker sends an email that appears to be from the IT department, requesting employees to update their passwords using a provided link.

2. Pretexting

Pretexting is the practice of creating a fictitious scenario or “pretext” to trick a person into disclosing sensitive information. The attacker may impersonate someone the victim trusts, such as a vendor or coworker.

  • Example: An attacker poses as a payroll representative asking an employee to confirm their banking details for direct deposit.

3. Baiting

Baiting lures individuals into a trap by offering something enticing. For instance, attackers may leave a USB drive in a visible location, hoping that someone will pick it up and plug it into a company computer, allowing malware to be installed.

  • Example: A flash drive labeled “Payroll Information” is left in the company lobby, encouraging employees to plug it in out of curiosity.

4. Tailgating (Piggybacking)

Tailgating occurs when an attacker gains physical access to restricted areas by following an authorized employee, often appearing as a harmless or authorized person.

  • Example: An attacker pretends to have forgotten their keycard and convinces an employee to let them into a secure building.

5. Impersonation and Phone Phishing (Vishing)

Attackers may call and impersonate trusted entities to extract information. Known as vishing (voice phishing), this technique often involves impersonating IT support or HR personnel to gain access to employee credentials or other sensitive data.

  • Example: A hacker calls a receptionist, claiming to be a manager from the IT department, and requests the names of team members and their roles.

The Psychology Behind Social Engineering

Social engineering is effective because it preys on human psychology. Attackers understand that people are often the weakest link in security and leverage this in various ways:

  • Trust and Authority: People tend to trust authority figures, so attackers often impersonate roles like IT managers, HR representatives, or government officials.

  • Curiosity: Many social engineering attacks exploit natural curiosity, such as baiting tactics where an enticing item or information is presented.

  • Fear and Urgency: By creating a sense of urgency, attackers push individuals to act without thinking. Emails that claim immediate action is needed to avoid consequences are often successful in getting victims to comply.

  • Reciprocity: People feel obligated to return favors. Attackers may use friendly or helpful behavior, encouraging victims to offer information in return.

  • Social Proof: Social engineering can exploit people’s tendency to mimic behaviors if they think it is socially approved. Attackers might claim that “everyone else in your department has already done this.”

How Social Engineers Gather Reconnaissance Data

Social engineering can reveal a wealth of information about a target organization. Here’s how it works:

1. Identifying Key Individuals

Attackers start by identifying individuals in an organization who may possess valuable information. Social media, company directories, and LinkedIn profiles can provide details on employees’ roles, responsibilities, and connections.

2. Analyzing Social Media Profiles

Social media platforms are a rich source of information for social engineers. Personal and professional profiles often contain details that can be leveraged, like job titles, coworkers, or even location data that could hint at office security measures.

3. Building Relationships

Some social engineers engage in prolonged reconnaissance by building online relationships with employees. By gaining their trust over time, they can extract valuable information without raising suspicion.

4. Simulating Phishing Attacks

In an authorized setting, ethical hackers use phishing campaigns to test employees’ susceptibility to social engineering attacks. This can reveal what information employees are likely to disclose and which types of attacks are most effective.

5. Gaining Physical Access

Social engineers may visit a company’s physical location, pretending to be a visitor or employee. By walking through offices, they can identify security weaknesses, access terminals, or even observe login credentials on desks or screens.

How to Defend Against Social Engineering

Defending against social engineering attacks is challenging because they target human behavior rather than technical systems. However, there are several strategies that organizations can employ to reduce their vulnerability:

1. Employee Training and Awareness

Regular training sessions that teach employees to recognize and respond to social engineering attempts are critical. Employees should know the signs of phishing, pretexting, and other common social engineering tactics.

2. Implementing Multi-Factor Authentication (MFA)

MFA adds an extra layer of security, making it more difficult for social engineers to gain access to systems even if they obtain login credentials.

3. Use of Simulated Phishing Tests

Running regular, controlled phishing tests helps organizations identify employees who may need additional training. This approach also keeps employees vigilant against real phishing attempts.

4. Encourage a Culture of Verification

Employees should be encouraged to verify unusual requests by contacting the requestor through a known, trusted channel. This habit can prevent attackers from easily impersonating colleagues or authority figures.

5. Limit Access to Sensitive Information

Implementing the principle of least privilege ensures that employees have only the access they need to perform their job duties. This reduces the likelihood that a social engineer will obtain critical information from a low-level employee.

6. Clear Reporting Channels for Suspicious Activity

Establishing a clear protocol for reporting suspicious emails, calls, or encounters helps organizations respond quickly to potential threats. Employees should know exactly how to report any unusual activity or requests.

Challenges of Defending Against Social Engineering

Social engineering poses several unique challenges for organizations:

  • Human Error: Even with training, human error can never be eliminated. Attackers exploit this reality by using social engineering.

  • Evolving Tactics: Social engineering techniques evolve, making it difficult for organizations to stay ahead of every possible tactic.

  • Complex Detection: While technical attacks may trigger security alarms, social engineering attacks often go undetected, as they primarily involve human interaction.

Conclusion

Social engineering as a reconnaissance tool is one of the most effective yet insidious tactics in cybersecurity. It allows attackers to bypass technological barriers by targeting the human element and exploiting psychological vulnerabilities to gather critical information. Understanding and defending against social engineering requires a proactive approach, combining employee training, strict security policies, and a culture of vigilance.

Organizations that prioritize social engineering defense are better equipped to protect their information assets and build a resilient cybersecurity posture. By training employees to recognize and respond to these threats, implementing multifactor authentication, and fostering a culture of verification, companies can reduce the likelihood of falling victim to social engineering tactics.

FAQs on Social Engineering as a Reconnaissance Tool

1. What is social engineering in the context of cybersecurity? Social engineering is a technique that exploits human psychology to manipulate individuals into divulging sensitive information or taking actions that compromise security.

2. Why is social engineering used as a reconnaissance tool? Social engineering is used because it can reveal insider knowledge about an organization’s structure, practices, and vulnerabilities that technical reconnaissance cannot uncover.

3. What are common types of social engineering attacks? Common attacks include phishing, pretexting, baiting, tailgating, and vishing (phone phishing).

4. How can employees recognize social engineering attempts? Employees should be cautious of unusual requests, unsolicited communications, or messages that create a sense of urgency, and verify the authenticity of any such requests.

5. Is it possible to fully protect against social engineering? While no organization can fully protect against social engineering, training, awareness, and layered security measures significantly reduce the risk.

6. What is the role of training in preventing social engineering attacks? Training helps employees recognize and respond to social engineering tactics, making them less likely to fall for manipulative schemes.

Cybersecurity Phases for Ethical Hackers with 50 Subtopics

Here are 50 subtopics that you can explore in relation to the cybersecurity phases for intrusion, especially from the perspective of white hat hackers. These subtopics cover various aspects of the different phases of intrusion and are suitable for creating blog posts, training materials, or cybersecurity guides focused on ethical hacking. Each subtopic can be expanded into a deeper exploration of tactics, tools, best practices, or real-world applications.

1. Reconnaissance (Information Gathering) Subtopics:

  • The Role of Network Scanning in Penetration Testing

  • Understanding Network Port Scanning with Nmap

  • Vulnerability Scanning: Tools, Best Practices, and Risks

  • Mapping Network Topologies for Better Attack Planning

  • Service Fingerprinting in Ethical Hacking

  • How to Conduct Safe Vulnerability Scans Without Raising Alarms

  • Network Scanning vs. Vulnerability Scanning: Key Differences

  • Identifying Live Systems Through ICMP and Ping Sweeps

  • Protecting Systems Against Common Scanning Techniques

  • Using Automated Tools for Scanning: Advantages and Disadvantages

3. Gaining Access Subtopics:

  • How Ethical Hackers Exploit Vulnerabilities to Gain Access

  • SQL Injection: A Deep Dive into Exploiting Databases

  • Cross-Site Scripting (XSS) Attacks and How to Defend Against Them

  • Exploiting Buffer Overflow Vulnerabilities for System Access

  • Password Cracking Techniques: From Brute Force to Dictionary Attacks

  • Social Engineering Tactics: Phishing and Baiting Attacks

  • The Role of Exploit Kits in Penetration Testing

  • Tools for Gaining Access: Metasploit, SQLMap, and Burp Suite

  • Case Study: Gaining Access Through Unpatched Software

  • Ethical Considerations When Exploiting Vulnerabilities

4. Maintaining Access (Persistence) Subtopics:

  • Techniques for Establishing Persistence in Compromised Systems

  • Backdoor Creation: How Attackers Ensure Long-Term Access

  • Understanding Rootkits and Their Role in Cybersecurity Intrusions

  • Privilege Escalation: From Regular User to Administrator

  • Remote Access Trojans (RATs): How They Work and How to Detect Them

  • Session Hijacking and Maintaining Access Through Cookies

  • Detecting and Removing Persistent Threats in a Network

  • Real-World Examples of Persistent Access Techniques

  • Ethical Hacking: Demonstrating Persistence Without Causing Harm

  • How Attackers Evade Detection While Maintaining Access

5. Covering Tracks Subtopics:

  • The Importance of Covering Tracks in Ethical Hacking Simulations

  • Techniques for Deleting System Logs to Avoid Detection

  • Clearing Command Histories: How Attackers Hide Their Actions

  • The Role of Timestamp Alteration in Evading Forensic Investigations

  • How to Detect and Prevent Log Tampering in Cybersecurity

  • Steganography: Hiding Malicious Code in Plain Sight

  • Best Practices for Ethical Hackers to Simulate Covering Tracks

  • Tools for Covering Tracks: Anti-Forensics Techniques

  • Real-World Examples of Hackers Covering Their Tracks

  • Strengthening Logging and Monitoring to Detect Intruders Early

Roadmap to Becoming a Penetration Tester (Pen Tester)

In today’s digital age, cybersecurity has become more crucial than ever before. With organizations facing a constant barrage of cyber threats, the need for skilled professionals to test and secure systems has skyrocketed. One such role is that of a penetration tester (often referred to as a pen tester). Pen testers are ethical hackers responsible for probing security systems, identifying vulnerabilities, and recommending solutions to protect against malicious attacks.

If you’re interested in a career in penetration testing, this post will provide you with a step-by-step roadmap to help you break into this challenging yet rewarding field.

What is Penetration Testing?

Penetration testing, or pen testing, is the practice of legally and ethically hacking into computer systems to find and fix security vulnerabilities before malicious hackers exploit them. Pen testers mimic the actions of real-world attackers but do so in a controlled and authorized manner. The ultimate goal of pen testing is to help organizations bolster their defenses by identifying weak points in their systems, networks, and applications.

Pen testers need a blend of technical skills, creative thinking, problem-solving abilities, and the knowledge of how real-world attacks work. Let’s dive into the roadmap for becoming a successful penetration tester.

  1. Understand the Basics of Cybersecurity

Before diving into penetration testing, it’s essential to build a solid foundation in cybersecurity concepts. As a pen tester, you will need to understand how computer systems, networks, and security measures work. Here are the basic concepts you should focus on:

  • Networking Fundamentals: Learn how networks operate, including the OSI model, TCP/IP, subnets, firewalls, routers, and switches.

  • Operating Systems: Gain proficiency in both Windows and Linux operating systems, as you’ll be working with these environments often in penetration testing.

  • Cryptography: Understanding encryption, hashing algorithms, and how cryptographic methods secure data in transit and at rest is critical for a pen tester.

  • Web Applications and Servers: Many attacks target web applications, so a basic understanding of how they work, including HTTP, HTTPS, cookies, and session handling, is essential.

To get started, you can explore introductory cybersecurity courses from platforms like Coursera, edX, or Udemy, or read foundational books like “The Web Application Hacker’s Handbook”.

  2. Learn Programming and Scripting

While penetration testing tools can automate many tasks, having programming and scripting skills allows you to write custom scripts, understand exploit code, and develop more advanced attacks.

  • Python: Python is one of the most popular languages in the cybersecurity world. Its simplicity and versatility make it a great tool for automating tasks, analyzing data, and creating scripts for attacks.

  • Bash: Since Linux is widely used in penetration testing, knowledge of Bash scripting is crucial for navigating the command line, automating tasks, and interacting with network protocols.

  • JavaScript: Since many vulnerabilities are web-based, understanding JavaScript can help in discovering client-side vulnerabilities like Cross-Site Scripting (XSS).

  • C/C++ and Assembly Language: If you’re interested in reverse engineering and exploit development, learning low-level programming languages like C and Assembly will be necessary.

Start by working on small projects that mimic attack scenarios or by contributing to open-source cybersecurity projects.

  3. Master Networking and Protocols

A significant portion of penetration testing revolves around identifying weaknesses in network configurations and protocols. Understanding how data is transferred across the internet is fundamental to identifying vulnerabilities. You should focus on the following areas:

  • Network Protocols: Study the most common protocols, including HTTP, FTP, DNS, and SMB. You’ll need to know how these protocols operate and where vulnerabilities typically lie.

  • Firewalls and Intrusion Detection Systems (IDS): Learn how firewalls, IDS, and other network security devices work. This knowledge will help you understand how attackers bypass security systems.

  • Packet Analysis: Use tools like Wireshark to analyze network traffic and identify anomalies that could indicate vulnerabilities.

Getting practical experience with virtual labs like Hack The Box or TryHackMe will solidify your understanding of how networking plays a critical role in security.

  4. Get Familiar with Linux and Windows Systems

Pen testers must be comfortable using both Linux and Windows environments since both are commonly encountered in real-world attacks. Linux, in particular, is favored for penetration testing due to its versatility and robust set of built-in security tools.

  • Kali Linux: This is a distribution specifically designed for penetration testing. It comes preloaded with hundreds of tools for reconnaissance, exploitation, and reporting. You should familiarize yourself with common tools like Nmap, Metasploit, and Burp Suite.

  • Windows Exploitation: Many organizations use Windows environments, so you should learn about Windows-specific vulnerabilities, PowerShell scripting, and how Windows Active Directory can be exploited.

You can set up virtual machines on platforms like VirtualBox or VMware to practice using both Linux and Windows in various attack scenarios.

  5. Master Penetration Testing Tools

Pen testers rely heavily on a wide variety of tools to assist them in identifying vulnerabilities. Some of the essential tools you need to master include:

  • Nmap: A network scanner used for discovering hosts and services on a computer network.

  • Wireshark: A tool for packet analysis that allows you to capture and interactively browse the traffic running on a network.

  • Metasploit Framework: One of the most popular penetration testing platforms, Metasploit is used to develop, test, and execute exploits.

  • Burp Suite: A web vulnerability scanner used for testing the security of web applications.

  • John the Ripper: A popular password-cracking tool.

  • SQLmap: A tool that automates the process of detecting and exploiting SQL injection flaws.

Each of these tools has a learning curve, but hands-on practice is the best way to become proficient.

  6. Build Hands-On Experience

Reading and watching tutorials will only get you so far. To truly excel as a pen tester, you need hands-on experience. The good news is that there are numerous platforms and resources that allow you to test your skills in real-world scenarios:

  • Capture The Flag (CTF) Challenges: These challenges simulate real-world penetration testing environments. Platforms like Hack The Box, TryHackMe, and OverTheWire offer CTFs that range from beginner to advanced.

  • Bug Bounty Programs: Many companies, including tech giants like Google and Facebook, run bug bounty programs that pay ethical hackers to find vulnerabilities in their systems. Websites like HackerOne and Bugcrowd host these programs, giving you a chance to make money while gaining experience.

  • Build a Home Lab: Set up a virtual environment where you can practice exploiting different systems and networks. You can use tools like VirtualBox or VMware to run multiple virtual machines and simulate attacks in a safe environment.

  7. Get Certified

Certifications can help validate your skills and make you stand out in the job market. Some of the most recognized certifications for penetration testers include:

  • Certified Ethical Hacker (CEH): Offered by the EC-Council, CEH is one of the most well-known certifications for ethical hacking. It covers a broad range of hacking techniques.

  • Offensive Security Certified Professional (OSCP): This certification is more hands-on and focuses on real-world penetration testing skills. It’s a highly respected cert in the cybersecurity community.

  • CompTIA PenTest+: A well-rounded certification that validates intermediate skills in penetration testing and vulnerability assessment.

  • Certified Information Systems Security Professional (CISSP): Although broader than pen testing, CISSP is an excellent certification for building a career in cybersecurity as a whole.

  8. Stay Updated and Evolve

The cybersecurity landscape is constantly evolving. New vulnerabilities, tools, and attack vectors emerge every day. To stay relevant as a pen tester, it’s crucial to continuously learn and adapt. Here are some ways to stay updated:

  • Join cybersecurity communities like Reddit’s r/netsec, security conferences like DEF CON and Black Hat, and online forums like Stack Exchange.

  • Follow cybersecurity blogs and YouTube channels that regularly publish tutorials, tips, and updates on new vulnerabilities.

  • Contribute to open-source projects and engage in security research.

Conclusion

Becoming a penetration tester is a challenging journey, but it’s also highly rewarding. By following this roadmap, you’ll be well on your way to gaining the skills and experience necessary to enter the field. Remember, practice and persistence are key. From understanding cybersecurity fundamentals and learning programming to mastering tools and gaining certifications, each step will bring you closer to becoming a successful pen tester.

Good luck on your journey to ethical hacking mastery!

Information Gathering Procedures -2- Target Selection

We have started the Information Gathering process, which is the 2nd Phase of Penetration Testing, with our article found at this link. We will try to explain the Target Selection title, which is one of the main topics we mentioned in that article.

Clear Definition of the Goal

When collecting information about an IT system begins, inevitably many domain names or IP addresses will be discovered. Sometimes, organizations have systems with a .com extension, but also have .net or .xyz addresses. At this point, it should be clearly stated that the team performing the test should never go beyond the scope determined during coordination.

If the scope is subject to restrictive rules, it is not possible to go beyond the main framework. Even if some out-of-scope systems contain very useful information, it is essential to strictly adhere to the rules of engagement, which we will explain below. Otherwise, legal and ethical problems are inevitable.

Rules of Engagement and Boundaries

The detailed, unambiguous rules derived from the scope agreed in the coordination meetings are called the rules of engagement. For example, when testing the X server, packets from an out-of-scope data source may be recorded by the analysis software. The rules that dictate how to behave when such data is detected both set limits for the test team and determine the degree of their freedom.

Past experience of the company providing security services is an important criterion in determining the rules of engagement and boundaries. For this reason, while these rules are determined at the coordination meeting, it is of great importance that the security company warns and directs the company that will receive service.

In some cases, a member of the testing team may forget these rules because he is concentrating on something else. For this reason, it is not desirable for penetration tests to be performed by one person. If possible, it should be preferred to have at least two people. If the team consists of 3 people, task sharing and time planning will be more effective and productivity will increase. In this way, it will be possible for the other member to notice the rules and restrictions that are overlooked by one team member.

Complying with the Test Duration and Time Plan

How much of the total time planned for Penetration Testing is allocated to the Information Gathering phase? There may be tests that can and cannot be performed during this time. Some tests and analyses can take 1-2 months depending on their characteristics.

Tests that will go beyond the planned time mean an unplanned need for time and labor. This situation may impose an unplanned cost burden on the company receiving the service. It is very important to determine the tests to be performed according to the rules of engagement, the tests to be performed if time permits, and the tests that cannot be performed, and to give instructions to the test team.

For example, while network connection discovery of a server is being made, analyzing packets transmitted by a group of detected IP addresses may seem like a fast and effective decision at first. However, a failure or error that occurs during network discovery may also render the other packet analysis processes useless. In this case, a process that would take a total of 5 hours will take longer because resources and attention have been split. This decision should be made by the test team leader based on past experience.

The conclusion we will reach from here is that it is essential to plan time correctly from the very beginning during coordination. Planning a process that requires a total of 10 hours in 5 hours will be unrealistic and will also stress the test team.

Past experience has shown that 20% should be added to the total planned time for unforeseen delays. This 20% time precautionary measure may or may not be necessary, depending on the situation. If it is not used, it must be reported to the company receiving the service and deducted from the cost account. Otherwise, invoicing would not be ethical.

This time plan should be clearly stated and put into writing in the Control Measures section, which is a sub-item of the Coordination phase, and in the Payment Method section under other topics.

Remembering the Ultimate Goal of the Test

During information collection, the ultimate purpose of the test should not be forgotten. These operations should be performed using tools that support the ultimate goal of the test.

Using software that will not contribute to the final goal will be a waste of time. Therefore, the question “How critical is the information to be collected in reaching the final goal?” should be taken into consideration at each step.

Penetration Test Phases (Coordination -3)

Our articles explaining Penetration Testing processes continue. In this study, we will explain the targets to be discussed in the Coordination article, which covers the 1st Phase of the Penetration Testing Phases.

As you know, the first part of the Coordination activity is the PURPOSE (see the previous article in this series). The primary, secondary and final goals to be achieved direct the tests to be carried out. Tests carried out in line with all these goals contribute to the general goals and policies of the company receiving the service. Therefore, targets determined with the right approach always bring great benefits to the company receiving the service.

We have explained below the issues to be considered and the common mistakes made in determining the targets. These headings are divided into 3 sub-sections as primary, secondary and final targets. If we consider the flexibility of cyberspace, these sub-sections and items may change. They can be redesigned according to the need. Even new checklists and question and answer forms can be developed. We are using 3 sub-items as an example.

Primary Goals

The primary goal of the test should not be to provide standards. If a company is having a Penetration Test done to provide a standard, it should be known that Standard and Security are not the same thing.

For example, let’s assume an IT infrastructure where customer information or credit cards are processed in the system. The primary goals to be determined here may be how secure the system is and the level of resistance and durability against risks. These goals usually directly concern the management level and decision-making mechanisms.

Secondary Goals

The objectives that we mentioned in the first article as not being necessary are specified here. For example, determining compliance with the standard is exactly the subject of these secondary objectives. Again, if we give the same credit card system as an example, issues such as the security level of the encryption algorithm used during communication or the detection of the weak sides of the communication protocol used can be given as examples.

Primary and secondary goals are sometimes confused because it is not possible to separate them with clear rules and lines. In order to distinguish these goals, the following point should be taken into consideration. Primary goals are goals that directly concern the company management and are used to achieve general strategic results that should be presented to their attention.

Ultimate Goals

The ultimate goals we will talk about in this article are different from primary and secondary goals. These are the points where the tests performed contribute to the company’s long-term goals. Generally, they can be detected if an agreement has been made with the company providing the testing service for long-term testing at different times.

In one-time tests, it may be sufficient to determine the primary and secondary targets and shape the test accordingly. The final targets are related to medium and long-term plans. For example, the company has decided to invest in infrastructure to provide secure data storage and backup services at the end of the next 2 years. Before starting to provide this service, it may want to have its system tested every month for 2 years and reassure its customers with these test results. These types of issues can be determined as final targets if desired.

With this article, we have completed our review of the Coordination Phase. We will begin to examine the Information Gathering Phase in detail in our upcoming articles. You can let us know your opinions and comments.

Penetration Testing Phases (Coordination – 2)

We have examined the general structure of the coordination processes, which is the 1st Phase during the Penetration Test preparations, in our article in this link. Now, we will examine in detail one of the issues that will be discussed during the meeting.

During the determination of the Scope within the coordination processes we mentioned, the security company providing the service asks some questions in order to reveal the purpose of the company receiving the service. Below, we will explain the questions that may be asked depending on the type of test to be performed. The company that will receive the service should prepare for the answers to these questions before the coordination meeting, in order to avoid any uncertainties that may arise during the meeting.

Network Test

  • Why will the company have its system personnel perform network testing?

  • Is network testing done out of obligation to meet a standard?

  • During which time periods does the company find it more appropriate to actively conduct the test?

      • During business hours?

      • After hours?

      • On weekends?

  • How many total IP addresses will be tested?

      • How many internal network IP addresses will be tested?

      • How many external network IP addresses will be tested?

  • Is there a Firewall, IPS / IDS or Load Balancer system in the Network topology to be tested?

  • If access to a system is gained, how will the testing team proceed?

      • Will a local vulnerability scan be performed on the accessed system?

      • Will efforts be made to become the most privileged user on the accessed system?

      • Will dictionary attacks be performed to obtain passwords on the accessed system?

Web Application Testing

  • How many applications will be tested?

  • How many login systems will be tested?

  • How many static pages will be tested?

  • How many dynamic pages will be tested?

  • Will the source codes of the application to be tested be provided?

  • Will any documentation regarding the application be provided?

      • If the answer is yes, what are these documents?

  • Will static analyzes be performed on the application?

  • What are the other topics requested?

Wireless Network Test

  • How many wireless networks are in the system?

  • Which of these will be tested?

  • Is there a wireless network in the system for guest use?

  • What are the encryption techniques of wireless networks?

  • Will users connected to guest networks be tested?

  • What are the broadcast distances of wireless networks?

  • How many people on average use these wireless networks?

Physical Security Tests

  • What are the number and locations of testing venues?

  • Is the testing location shared with other units?

  • How many floors are there in the venue?

  • Which of the floors are included in the scope?

  • Are there security guards at the venue that you have to pass through?

  • What are the equipment status and powers of the officers?

  • Is security service received from a 3rd party company?

  • How many entrances does the venue have?

  • Are there any video recording security measures?

  • Will the testing team test access to video recorders?

  • Is there an alarm system?

Social Engineering Test

  • Will an email address list be provided for Social Engineering tests?

  • Will a list of phone numbers be provided for Social Engineering tests?

  • Is physical access to the system granted as a result of social engineering?

The questions for the tests mentioned above can be expanded, and they may also differ according to experience.

Penetration Test Phases (Coordination -1)

What are the Penetration Testing Phases? In our article titled ( see ), we examined the general definition and content of the phases. In this article, we will look at Phase 1, Coordination, in detail.

In these articles we have prepared, we intend to examine the Penetration Testing processes within the relationship between the service provider and the customer. Preparing technical articles and HOW-TO documents for the Penetration Testing experts who perform the test will constitute the next stage of our project.

Coordination

If a process is to be implemented, coordination is always required before the implementation phase. Coordination, an indispensable part of planning, can be defined as the parties reaching a common understanding and operating effective communication mechanisms: using a common language, working in harmony in terms of timing, and understanding the same thing when a topic is expressed. The coordination measures that carry these meanings are determined and decided upon by the parties in the 1st Phase.

Coordination measures are the measures that keep the parties focused on the same goal and prevent deviation from the target, for the sake of harmony and efficient work. For example, all agreed points of scope, such as the latest start time of an operation, the latest completion time, or the application or IP range to be examined, can be considered coordination measures.

The template below is a list prepared in light of the information gained through long experience. We are providing it here as a guide for coordination meetings. It is possible to expand or narrow it down as needed.

Coordination Meeting Topics

Aim

This is the part where the expectations and thoughts of the service recipient are shared with the company. It is revealed what the tests to be performed are and what thoughts will be used to carry out these tests. In this way, service company officials can understand the nature of the tests they will be responsible for and create the general framework in their minds.

As a result of the tests, the primary, secondary and final goals ( see ) to be achieved are determined. In some cases, it may be revealed that the tests to be performed are incompatible with each other and cannot be performed simultaneously. At this point, the service provider company may offer different suggestions as a consultancy service. As a result of all these meetings, the goals and objectives are determined and decided upon.

Scope

This is the stage where it is clearly determined which systems the Penetration Test will cover in technical terms. In short, it is the determination of the details within the framework of the targets determined in the Purpose section. As a result of these details, the duration and labor requirements of the tests to be performed will also emerge.

Systems Subject to Test

The currently operational system has many layers and members. It should be determined exactly which of these systems will be tested. For example, whether the stock and accounting systems of the service recipient company will be included in the test, or whether testing only the backup components of these systems will be sufficient, are among the topics discussed. In general terms, the elements on the topology that are included in or excluded from the scope are determined.

It is determined with precision which of the Network Test, Web Application Test, Wireless Systems Test, Physical Security Test, Social Engineering Test will be performed and which topology elements will be included in these tests.

You can find detailed questions about these tests, which will be the subject of application, in our article at this link ( see ).

Legal Restrictions and Permissions

After determining the systems subject to test, it is necessary to pay attention to whether there are legal restrictions on this issue. It should not be forgotten that it is necessary to act in accordance with the provisions of personal data protection, privacy of private life and other similar legal frameworks.

If the tests to be performed disrupt or disable another critical related system, there is a possibility of legal liability. If there are authorities that require prior permission, the steps to be taken for this are also determined at this point.

Frames and IP Ranges

In some cases, the infrastructure of the receiving company may be spread over a wide geographical area. Testing geographically dispersed systems from a single point may not be appropriate in terms of cost and scheduling. In such cases, tests can be divided into parts in time and space.

However, even if the area is not large, certain IP ranges in the system may be allocated for special purposes and communicate with limited clients. Since there will be traffic congestion in these limited communication channels, it is decided to exclude the tests or conduct them at a different time (for example, at night).
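The scope questions of the Network Test (total, internal and external IP addresses, testing hours) and the IP range decisions above can be written down as a machine-checked agreement. The following Python is an added example, not code from the original articles: it encodes in-scope and excluded ranges, a segment restricted to a night window, and the engagement dates, and checks each target and time against them before a test is run. All addresses, ranges, labels and dates are constructed sample values.

```python
"""Scope guard for a penetration test engagement.

Added example, not code from the original articles. It encodes the decisions
taken in a coordination meeting (in-scope ranges, excluded ranges, ranges
restricted to a night window, engagement dates) so every target is checked
against the agreement before any test is run. All values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import List, Optional, Tuple, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class Window:
    """Daily time window; wraps past midnight when end <= start (22:00-06:00)."""
    start: time
    end: time

    def contains(self, t: time) -> bool:
        if self.start < self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end


@dataclass(frozen=True)
class ScopeRule:
    network: Network
    label: str
    window: Optional[Window] = None  # None: any time within the engagement


@dataclass
class Engagement:
    starts: datetime
    ends: datetime
    in_scope: List[ScopeRule]
    excluded: List[Network]

    def check(self, target: str, when: datetime) -> Tuple[bool, str]:
        """Return (allowed, reason). Exclusions win over every in-scope rule."""
        if not self.starts <= when < self.ends:
            return False, "outside the agreed engagement dates"
        addr = ip_address(target)
        for net in self.excluded:
            if addr in net:
                return False, f"{addr} is in excluded range {net}"
        # Several rules may contain the address (a restricted /24 inside a
        # generally allowed /16, for instance); the most specific one applies.
        matches = [r for r in self.in_scope if addr in r.network]
        if not matches:
            return False, f"{addr} is not in scope"
        rule = max(matches, key=lambda r: r.network.prefixlen)
        if rule.window and not rule.window.contains(when.time()):
            return False, (f"{rule.label}: testing allowed only between "
                           f"{rule.window.start:%H:%M} and {rule.window.end:%H:%M}")
        return True, f"{rule.label}: in scope"


def build_engagement() -> Engagement:
    """Constructed sample agreement mirroring the coordination questions."""
    business_hours = Window(time(9, 0), time(18, 0))
    night = Window(time(22, 0), time(6, 0))
    return Engagement(
        starts=datetime(2024, 3, 4),
        ends=datetime(2024, 3, 16),
        in_scope=[
            ScopeRule(ip_network("203.0.113.0/24"), "external web servers", business_hours),
            ScopeRule(ip_network("10.10.0.0/16"), "internal office network"),
            # limited-client segment: tested only at night to avoid congestion
            ScopeRule(ip_network("10.10.50.0/24"), "payment processing segment", night),
        ],
        excluded=[ip_network("10.10.0.0/29")],  # core routers: never touched
    )


def verdict(target: str, when_iso: str) -> Tuple[bool, str]:
    """Check one target at an ISO-8601 timestamp against the sample engagement."""
    return build_engagement().check(target, datetime.fromisoformat(when_iso))


if __name__ == "__main__":
    for target, when in [("203.0.113.10", "2024-03-05T20:00"),
                         ("10.10.50.7", "2024-03-05T23:30"),
                         ("10.10.0.3", "2024-03-05T14:00")]:
        allowed, reason = verdict(target, when)
        print(f"{target} at {when}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

Running a target through `verdict` before each test step makes the exclusions and time windows agreed in the coordination meeting an enforced check rather than a note in the minutes.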

Coordination Measures

The coordination measures to be decided are indispensable for the establishment and harmonious work of teams. It prevents the waste of resources and contributes to the establishment of unity of purpose. For this reason, it should be determined down to the smallest detail. A plan that takes into account past experiences also prevents possible disruptions.

Time Planning

In the light of the issues identified in the scope section, the time planning of the process to be carried out is made. It is critical to plan the total time needed, divide it into parts, and plan each part step by step. To give an idea: the coordination processes seek answers to the questions WHO? WHERE? HOW? and WHAT WILL BE DONE?; time planning is where the question WHEN? is answered and clarified.

Space and Security Planning

During the tests to be performed, the work areas of the assigned teams, their entrances and exits to the facilities, and their past security records (clearance) are discussed at this point. In addition, the social facilities and needs to be provided to the teams are determined at this stage.

The necessary permissions are determined to avoid any incompatibility between the security policies implemented by the service receiving party and the working procedures of the teams.

Communication Topics

During the planning and execution of the testing process, it is determined who both the management and the testing teams will be in contact with. Failure to communicate properly will cause disruptions and time planning may be interrupted. In order to prevent such undesirable situations from occurring, it is essential to establish an effective communication system and provide information to all parties.

There is a separate heading below for unusual situations that arise outside of normal communication needs during transactions.

Coordination with 3rd Parties

The systems of the receiving party may be receiving services from third party companies. For example, cloud systems, Internet service providers or security solution providers. In case of such a third party, coordination with them must be made. If necessary, a separate review should be made for the coordination of the parties in terms of time. In some cases, coordination deficiencies may occur due to time differences.

Social Engineering Topics

If there is a Social Engineering test among the tests determined in the scope article, the issues regarding this should be clarified. Issues such as the techniques to be used in social engineering tests or, if necessary, employee email lists should be decided.

Emergency Matters

Unwanted situations may occur during the tests. In such cases, it must be determined in advance how and to whom the incident will be reported. It should be determined which secure communication technique will be used for this reporting. If necessary, it is determined who will exchange public and private keys.

Although undesirable situations can be predicted to some extent in advance, not every possible possibility can be predicted. These situations may vary depending on the scope, size or physical structure of the company receiving service.

For example, a small command error can cause a Router to become unusable. In this case, reinstalling the device and keeping the installation software available can be considered among the measures that can be taken. In addition, it must be determined who will be notified and who will do this.

Other Topics

Out of Scope Data

During all these tests, although efforts are made to stay within the specified framework, sometimes out-of-scope data may be obtained. What to do about this should be decided clearly and explicitly. For example, rules such as “only the file list will be recorded to prove that a system has been accessed, no photos will be taken from the webcam, no file downloads will be made” etc. should be determined.

Payment method

The payment method, the size of the activity to be carried out, the resource requirement and the coordination should be discussed and agreed upon between the parties at the end. The method generally followed is payment after the delivery of the final result report. If there is a long-term supply or service agreement between the parties, it may be decided that a certain percentage will be paid in advance and the rest will be paid after the report is delivered.

The topics we have tried to explain in general above are the content of the Coordination, which is the 1st Phase of the Penetration Testing activity. The topics mentioned here can be narrowed down and expanded. We hope that it has been guiding and informative for the parties who will receive and provide service. You can let us know your opinions and suggestions.

Information Gathering Procedures -1- Basic Approach

With this article, we are starting the 2nd Phase of Penetration Testing, the Information Gathering processes and their details. We will explain the topics listed below in separate articles. You can review the general stages in this article. Correct and effective information gathering will provide the input to the following stages. What is explained in this phase will also show all institutions and companies that want to ensure information security which measures they need to take to protect their information. Revealing what the information gathering phase covers sheds light on the measures managers at all levels should take, because the information gathering processes followed by the security team conducting the test are very similar to the processes followed by malicious actors in real life. We recommend that you review the article on Cyberspace Definition and Actors.

We will investigate the subject under the following headings. In the rest of the article, we explained the basic approach to Information Gathering.

  • Basic Approach

  • Target Selection

  • Open Source Intelligence

  • Covert Information Collection

  • Identifying Protection Mechanisms

Basic Approach

It is necessary to separate the information collection processes into certain groups according to the tools used and the outputs obtained. If this distinction is not made, the results obtained can easily exceed the determined scope and purpose; separating the tools in this way keeps the work within scope. For this reason, we will divide the processes to be carried out into 3 layers. In the other articles to be prepared on this subject, we will indicate in which layer each process can be carried out. For example, when you see the expression 1K-2K next to a subject, this means that Layer 1 and Layer 2 information collection processes are intended. In this way, the processes can be understood more clearly.

Layer 1

This layer is the fastest part of information gathering and is performed through automatic programs. These automatic information gathering tools produce results about the target by scanning search engines and internet archives. It also includes researching whether the target has certain standard information security policies and how well these standards are followed. This layer must be implemented in order to be able to say that the Information Gathering phase has been completed. If a company wants to have a conformity test done for the sector standard (e.g.: ISO 27001), this layer will be sufficient.

Layer 2

In addition to the operations carried out in the 1st Layer, these are detailed information collection operations, especially those performed manually. It also includes information gathering methods and Open Source Intelligence that seek answers to specific questions. More details of physical location, address information and business relationships are examined. If a company aims for long-term information security along with compliance with industry standards and plans to enter into business agreements with 3rd party suppliers, it should also consider using this layer.

Layer 3

These are detailed information gathering processes that may be required in very advanced penetration tests. This is a layer that is spread over a long period of time and where every possible technique is used. It is not required to be done in every penetration test. Information gathering for this layer is more relevant to the state level. In addition to information gathering, structures that plan to establish a permanent and staffed cyber defense organization should use this layer.

What is Information Collection?

In the later stages of the Penetration Test, vulnerability analysis and system entry processes will be performed. In order for these stages not to be inconclusive, some basic information is needed. The more information is collected in this stage, the more attack vectors can be revealed and the higher the probability of success. An attack vector describes the path of an attack. Let’s assume that, in light of the information collected, 10 different methods and the steps to follow for each can be identified. Each of these 10 methods is called an attack vector; they are also ranked among themselves by estimating their probability of success, since it is not possible to apply all of them at once. All vectors and potential threats must be reported to the company in the Penetration Test result report.

Why Collect Information?

The Penetration Testing Information Gathering process is closely tied to Open Source Intelligence. Through it, the company will determine how much of its information is available in open sources and will be able to take the necessary precautions. In this process, the points through which the system is likely to be entered are revealed. These can be electronic, physical and human-based. Physical vulnerabilities shed light on the precautions to be taken in the field of physical security, and human-based vulnerabilities shed light on social engineering and employee training.

What is Information Collection Not?

If the desired information cannot be obtained through the layers used during the information collection processes, non-standard methods are not used to find it. Such approaches are outside the scope of Penetration Testing. For example, searching through discarded material (dumpster diving) is not covered.

What are the Penetration Testing Phases?

The process referred to as Penetration Testing consists of 7 stages.

Tests performed to determine the current status of the information system in use and the precautions to be taken are called Penetration Tests. Although the Penetration Test Phases are sometimes not clearly separated from each other, they differ from one another in important ways.

It is generally accepted that there are 7 phases of the process to link planning and implementation to a certain procedure. There are also sources that express these stages as 5. We will base our work on 7 stages.

The topics mentioned as standard guide security companies as the service provider and provide control and audit opportunities to the service recipient. For this reason, the stages and details we will explain in our articles concern all parties of the penetration test.

You can review the Penetration Testing Phases list and their general definitions in the section below.

Penetration Test Phases

1. Coordination

This phase aims to determine the purpose of the tests to be carried out and to determine which systems will be included in the test. It is the phase where the service recipient and provider parties ask mutual questions in order to understand each other’s demands and capabilities and an agreement is reached on all discussed issues.

In the following stages, all necessary coordination is expected to be made and completed in the section called “Coordination” in order to avoid clogging up the process and experiencing delays. In addition to the questions of the party that will provide the Penetration Testing service regarding the system and scope, the party that will receive the service should also ask many questions and clarify them.

2. Collecting Information

Gathering information about the system or target to be Penetration Tested is the 2nd phase of the process. At this stage, information collection processes are generally divided into “active information collection” and “passive information collection”. However, this distinction actually refers only to the types of information gathering based on the situation of communicating with the target.

The information gathering phase that we will describe here consists of 3 separate layers. The information obtained in each layer may have a meaning on its own, or it may be used as input for the next layer.

Layer 1

This layer is the part of information collection that is carried out through the fastest and most automatic programs. These automatic information gathering tools scan search engines and internet archives to produce results about the target.

It also includes investigating whether the target has certain standard information security policies and how well these standards are adhered to. This layer must be implemented in order to be able to say that the Information Gathering phase has been carried out.

Layer 2

In addition to the operations carried out in the 1st Layer, these are detailed information collection operations, especially those performed manually. It also includes information gathering methods and Open Source Intelligence that seek answers to specific questions. More details of physical location, address information and business relationships are examined.

Layer 3

These are detailed information gathering processes that may be required in very advanced penetration tests. This is a layer that is spread over a long period of time and where every possible technique is used. It is not required to be done in every penetration test. Information gathering for this layer is more relevant to the state level.

3. Threat Modeling

At this stage, the assets of the service recipient and the potential threats that may exist against these assets are analyzed. A method similar to the classical SWOT analysis approach can be followed. The important point here is to correctly identify the assets and their values and correctly analyze the threats according to their importance.

One of the most important criteria is the probability of the threat occurring again and again. This is usually directly related to how indispensably the service recipient is attached to the supplier in terms of the systems they use.

As a result of all these analyses, threats and potential threats are revealed.

4. Vulnerability Analysis

This phase aims to reveal the physical or logical vulnerabilities and weaknesses of the target system, including those originating from software. It is the phase in which trial and test methods are applied to detect these vulnerabilities.

During the implementation, the restrictive rules determined during the coordination phase, which is the 1st phase, must be followed. It is essential to achieve the determined goals, taking into account time and opportunities.

For example: If our goal is to access the web server as an authorized user, we should try to detect vulnerabilities for this goal. During these efforts, the tester may encounter other vulnerabilities. Even if these are recorded for reporting, the main goal should not be deviated from.

5. System Entry

The system entry phase consists of using the entry point identified through the 4 previous phases, bypassing the existing security measures.

If the vulnerability analysis and information gathering phases are carried out efficiently enough, this phase consists of the application of certain techniques. Because the information and analysis obtained have already revealed which vulnerabilities exist in the system in the previous stage. All that remains is to activate the application that exploits this vulnerability.

6. Post-Entry Procedures

The first purpose of this phase is to evaluate the information and value of the system to which access is provided.

How sensitive is the data stored on the system’s disk? Is this system useful for accessing other systems? Can this system be used if it is necessary to provide persistence for the next step?

In addition to the answers we will give to all these questions, the rules and limits of the scope determined in the Coordination phase, which is the first phase, are very important.

7. Reporting

The findings and results obtained at the end of the Penetration Test Phases are presented to the service user in the form of a report. This report does not have a specific format. In fact, each company can produce its own unique report. Although there is no template restriction, the report should be expected to have certain features.

Generally, the first part is expected to contain an “Application Summary” that summarizes the subject and is free of technical details. The second part is the “Technical Report” that guides the technical staff who will carry out the necessary work. In this section, the operations carried out during all stages are reported with technical details. The identified vulnerabilities and their level of importance are expressed. Finally, the report is completed by including thoughts and recommendations in the conclusion section.

We will include the details of the stages that we have briefly explained in this article in our subsequent articles.