How to do penetration testing of your network – Step by Step Guide

Network pentesting helps pentesters and network administrators find vulnerabilities in a particular system. It is done to secure the network: it tests the local network and finds the vulnerabilities in it. According to an ethical hacking researcher of the International Institute of Cyber Security, if an attacker gets into any one system on an organization's local network, the attacker can use further methods to penetrate the rest of the local network.

Network Pentesting Methodology

As explained above, network pentesting should be done regularly to secure corporate networks. Below you can see the network pentesting methodology.

  • Information Gathering – This phase consists of service enumeration: open ports and services are scanned, mostly to find vulnerabilities. The hosts discovered in the scanning phase are the prime source for finding unpatched security flaws. Most companies use Wi-Fi based printers, which are among the most common targets. In this phase the pentester tries to find as much information as possible; it is the most important phase, because the collected information is used to find vulnerabilities. Netass2 helps find open ports and services, and also helps discover hosts.
  • Threat Modeling – Here automated scanners are used, fed with the information collected in the previous phase. Threat modeling identifies assets and divides them into threat categories. These might include password hashes, missing security updates, or outdated firewall policies, which help an attacker enter the network using MITM methods.
  • Vulnerability Analysis – This phase analyses the vulnerabilities that were found, using various security tools and manual testing. Many vulnerabilities have to be analysed, and the plan of attack is designed here.
  • Exploitation – This phase involves actually attacking the vulnerabilities that were found, with intensive attacks against them.
  • Reporting – This phase reports all the vulnerabilities found in a proper reporting format. The report needs to be written and verified carefully, as it includes all the details of the vulnerabilities and shows the value of the service.

Netass2 (Network Assessment Assistance Framework) is used to scan the local network in the information gathering phase. Netass2 uses nmap and zenmap modules to scan the given hosts.

  • For testing we will use Kali Linux 2018.2 amd64. Open a terminal and type git clone https://github.com/zerobyte-id/NetAss2.git
  • Type cd NetAss2
  • Type ls
  • Type chmod 755 install.bash netass2.bash
  • Type ./netass2.bash
root@kali:/home/iicybersecurity/Downloads/NetAss2# ./netass2.bash
 ------------------------------------------
 | NAME  : Network Assessment Assistance  |
 | ALIAS : NetAss2                        |
 | TYPE  : VA Framework                   |
 | VERS  : 0.1-RC                         |
 | LICEN : GPL v3                         |
 | LINK  : github.com/zerobyte-id/NetAss2 |
 ------------------------------------------
  • Enter a project name, here project02
Enter a project name: project02
 --------------------------------------------------

      __     _     _           ____
   /\ \ \___| |_  / \  ___ ___|___ \
  /  \/ / _ \ __|/ O \/ __/ __| __) |
 / /\  /  __/ |_/  _  \__ \__ \/ __/
 \_\ \/ \___|\__\_/ \_/___/___/_____\
     Network Assessment Assistance

 [1]. HOST DISCOVERY
 [2]. PORT SCAN ON SINGLE HOST
 [3]. MASSIVE PORT SCAN VIA DISCOVERED HOSTS
 [4]. MASSIVE PORT SCAN VIA LIST ON FILE
 [5]. SINGLE PORT QUICK SCAN VIA NETWORK BLOCK
 [6]. MULTIPLE PORT QUICK SCAN VIA NETWORK BLOCK
 [!]. SHOW REPORTS
 [0]. EXIT
INPUT: 1
 ----------------[ HOST DISCOVERY ]----------------
 NOTE: Your network block reminder
 192.168.1.102/24
 NOTE: Enter the network block that you want to scan
 NOTE: Example: 192.168.1.0/24 
  • Enter the network subnet. To find it, run ifconfig (ipconfig on Windows) and check the IP address and subnet mask in the output. After working out the network subnet, enter it as shown below.
  • Type 192.168.1.1/24
INPUT: 192.168.1.1/24
 INFO: Nmap run...
 INFO: Discovering host...

 Host
 ------------
 192.168.1.1
 192.168.1.12
 192.168.1.102
 192.168.1.103

 --------------------------------------------------
  • The output above shows the hosts available on the network. To find the open ports of a single host, type 2
 --------------------------------------------------

      __     _     _           ____
   /\ \ \___| |_  / \  ___ ___|___ \
  /  \/ / _ \ __|/ O \/ __/ __| __) |
 / /\  /  __/ |_/  _  \__ \__ \/ __/
 \_\ \/ \___|\__\_/ \_/___/___/_____\
     Network Assessment Assistance

 [1]. HOST DISCOVERY
 [2]. PORT SCAN ON SINGLE HOST
 [3]. MASSIVE PORT SCAN VIA DISCOVERED HOSTS
 [4]. MASSIVE PORT SCAN VIA LIST ON FILE
 [5]. SINGLE PORT QUICK SCAN VIA NETWORK BLOCK
 [6]. MULTIPLE PORT QUICK SCAN VIA NETWORK BLOCK
 [!]. SHOW REPORTS
 [0]. EXIT
INPUT: 2
  -----------[ PORT SCAN ON SINGLE HOST ]-----------
  INFO: Discovered host
  192.168.1.1
  192.168.1.12
  192.168.1.102
  192.168.1.103
  NOTE: Enter the specific host that you want to scan
  NOTE: Example: 192.168.1.100
  INPUT: 192.168.1.103
  INFO: Nmap run…
  INFO: Discovering port on 192.168.1.103…
  IP Addr        Port      Service          Vendor
  -------        ----      -------          ------
  192.168.1.103  135/tcp   msrpc            Microsoft Windows RPC
  192.168.1.103  139/tcp   netbios-ssn      Microsoft Windows netbios-ssn
  192.168.1.103  445/tcp   microsoft-ds?
  192.168.1.103  902/tcp   ssl/vmware-auth  VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
  192.168.1.103  912/tcp   vmware-auth      VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
  192.168.1.103  1536/tcp  msrpc            Microsoft Windows RPC
  192.168.1.103  1537/tcp  msrpc            Microsoft Windows RPC
  192.168.1.103  1538/tcp  msrpc            Microsoft Windows RPC
  192.168.1.103  1539/tcp  msrpc            Microsoft Windows RPC
  192.168.1.103  1540/tcp  msrpc            Microsoft Windows RPC
  192.168.1.103  1541/tcp  msrpc            Microsoft Windows RPC
  192.168.1.103  1545/tcp  msrpc            Microsoft Windows RPC
  192.168.1.103  1569/tcp  msrpc            Microsoft Windows RPC
  192.168.1.103  3389/tcp  ms-wbt-server    Microsoft Terminal Services 
  • The output above shows the open ports, which indicate that the target may be vulnerable to various Windows vulnerabilities. This is why Netass2 is used in network pentesting.
  • Type 3
--------------------------------------------------
      __     _     _           ____
   /\ \ \___| |_  / \  ___ ___|___ \
  /  \/ / _ \ __|/ O \/ __/ __| __) |
 / /\  /  __/ |_/  _  \__ \__ \/ __/
 \_\ \/ \___|\__\_/ \_/___/___/_____\
     Network Assessment Assistance

 [1]. HOST DISCOVERY
 [2]. PORT SCAN ON SINGLE HOST
 [3]. MASSIVE PORT SCAN VIA DISCOVERED HOSTS
 [4]. MASSIVE PORT SCAN VIA LIST ON FILE
 [5]. SINGLE PORT QUICK SCAN VIA NETWORK BLOCK
 [6]. MULTIPLE PORT QUICK SCAN VIA NETWORK BLOCK
 [!]. SHOW REPORTS
 [0]. EXIT
INPUT: 3
 ----[ MASSIVE PORT SCAN VIA DISCOVERED HOSTS ]----

 INFO: Nmap run...
 INFO: Discovering port on 192.168.1.1...
 INFO: Nmap run...
 INFO: Discovering port on 192.168.1.12...
 INFO: Nmap run...
 INFO: Discovering port on 192.168.1.102...
 INFO: Nmap run...
 INFO: Discovering port on 192.168.1.103...

 IP Addr        Port       Service          Vendor
 -------        ----       -------          ------
 192.168.1.1    21/tcp     ftp              Netgear broadband router or ZyXel VoIP adapter ftpd 1.0
 192.168.1.1    23/tcp     telnet           Netgear broadband router or ZyXel VoIP adapter telnetd
 192.168.1.1    80/tcp     upnp
 192.168.1.1    7547/tcp   upnp
 192.168.1.12   135/tcp    msrpc            Microsoft Windows RPC
 192.168.1.12   139/tcp    netbios-ssn      Microsoft Windows netbios-ssn
 192.168.1.12   445/tcp    microsoft-ds     Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
 192.168.1.12   554/tcp    rtsp?
 192.168.1.12   2869/tcp   http             Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
 192.168.1.12   3389/tcp   ms-wbt-server    Microsoft Terminal Service
 192.168.1.12   3389/tcp   ms-wbt-server?
 192.168.1.12   5357/tcp   http             Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
 192.168.1.12   10243/tcp  http             Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
 192.168.1.12   49152/tcp  msrpc            Microsoft Windows RPC
 192.168.1.12   49153/tcp  msrpc            Microsoft Windows RPC
 192.168.1.12   49154/tcp  msrpc            Microsoft Windows RPC
 192.168.1.12   49155/tcp  msrpc            Microsoft Windows RPC
 192.168.1.12   49156/tcp  msrpc            Microsoft Windows RPC
 192.168.1.12   49157/tcp  msrpc            Microsoft Windows RPC
 192.168.1.102  22/tcp     ssh              OpenSSH 7.6p1 Debian 4 (protocol 2.0)
 192.168.1.103  135/tcp    msrpc            Microsoft Windows RPC
 192.168.1.103  139/tcp    netbios-ssn      Microsoft Windows netbios-ssn
 192.168.1.103  445/tcp    microsoft-ds?
 192.168.1.103  902/tcp    ssl/vmware-auth  VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
 192.168.1.103  912/tcp    vmware-auth      VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
 192.168.1.103  1536/tcp   msrpc            Microsoft Windows RPC
 192.168.1.103  1537/tcp   msrpc            Microsoft Windows RPC
 192.168.1.103  1538/tcp   msrpc            Microsoft Windows RPC
 192.168.1.103  1539/tcp   msrpc            Microsoft Windows RPC
 192.168.1.103  1540/tcp   msrpc            Microsoft Windows RPC
 192.168.1.103  1541/tcp   msrpc            Microsoft Windows RPC
 192.168.1.103  1545/tcp   msrpc            Microsoft Windows RPC
 192.168.1.103  1569/tcp   msrpc            Microsoft Windows RPC
 192.168.1.103  3389/tcp   ms-wbt-server    Microsoft Terminal Services

 --------------------------------------------------
  • The output above shows the open ports of all discovered hosts on the local network. Network pentesting reveals open ports and services, which are then used in the later attacking phases.
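To make this output actionable from the defender's side, here is an added example (not part of NetAss2 or of the original article) that parses a table in the format shown above, checks that every discovered host falls inside the network block derived from your interface address and subnet mask, and flags services that a simple exposure policy says should not be reachable on the LAN. The sample table is constructed from a subset of the rows above plus one invented out-of-scope host (10.0.0.5), and the policy entries are hypothetical starting points to tune for your own network.

```python
"""Triage a NetAss2-style port table (added example; not part of NetAss2).

Assumptions: the table layout matches the one NetAss2 prints (IP, port/proto,
service, optional vendor), and the exposure policy below is a hypothetical
one that a defender would tune for their own network.
"""
import ipaddress
import re

# Constructed sample in the NetAss2 table format; the 10.0.0.5 row is invented
# to show a host that falls outside the authorized network block.
SAMPLE_REPORT = """\
 IP Addr        Port       Service          Vendor
 -------        ----       -------          ------
 192.168.1.1    21/tcp     ftp              Netgear broadband router or ZyXel VoIP adapter ftpd 1.0
 192.168.1.1    23/tcp     telnet           Netgear broadband router or ZyXel VoIP adapter telnetd
 192.168.1.1    80/tcp     upnp
 192.168.1.12   445/tcp    microsoft-ds     Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
 192.168.1.12   3389/tcp   ms-wbt-server    Microsoft Terminal Service
 192.168.1.102  22/tcp     ssh              OpenSSH 7.6p1 Debian 4 (protocol 2.0)
 192.168.1.103  902/tcp    ssl/vmware-auth  VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
 192.168.1.103  445/tcp    microsoft-ds?
 10.0.0.5       23/tcp     telnet
"""

# Hypothetical exposure policy: service name -> why a defender should look at it.
POLICY = {
    "telnet": "cleartext remote administration; disable it or replace with SSH",
    "ftp": "cleartext file transfer; credentials cross the LAN unencrypted",
    "ms-wbt-server": "RDP reachable from the LAN; restrict to management hosts and require NLA",
    "microsoft-ds": "SMB exposed; verify patch level and disable SMBv1",
    "upnp": "UPnP on the gateway; usually unnecessary and often unpatched",
}

# One table row: ip, port/proto, service, optional vendor text.
ROW_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)/(tcp|udp)\s+(\S+)(?:\s+(.*?))?\s*$"
)


def parse_report(text):
    """Return one dict per table row, skipping headers, separators and INFO lines."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        ip, port, proto, service, vendor = m.groups()
        unsure = service.endswith("?")      # nmap marks unconfirmed services with '?'
        service = service.rstrip("?")
        tls = service.startswith("ssl/")     # nmap reports TLS-wrapped services as ssl/<name>
        if tls:
            service = service[len("ssl/"):]
        rows.append({
            "ip": ip, "port": int(port), "proto": proto, "service": service,
            "unsure": unsure, "tls": tls, "vendor": (vendor or "").strip(),
        })
    return rows


def scan_scope(interface_ip, netmask):
    """Network block to scan, derived from the interface address and subnet mask."""
    return ipaddress.ip_interface(f"{interface_ip}/{netmask}").network


def triage(rows, scope):
    """Flag out-of-scope hosts and services the policy says should not be exposed."""
    findings = []
    for r in rows:
        if ipaddress.ip_address(r["ip"]) not in scope:
            findings.append({**r, "issue": "out-of-scope",
                             "why": f"host is outside the authorized block {scope}"})
            continue
        why = POLICY.get(r["service"])
        if why:
            issue = r["service"] + (" (unconfirmed)" if r["unsure"] else "")
            findings.append({**r, "issue": issue, "why": why})
    return findings


def ports_per_host(rows):
    """Open-port count per host, a quick view of the exposed attack surface."""
    counts = {}
    for r in rows:
        counts[r["ip"]] = counts.get(r["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    scope = scan_scope("192.168.1.102", "255.255.255.0")   # 192.168.1.0/24
    rows = parse_report(SAMPLE_REPORT)
    for f in triage(rows, scope):
        print(f"{f['ip']:<14} {f['port']:>5}/{f['proto']}  {f['issue']:<26} {f['why']}")
```

Run it as a script to print the findings, or call parse_report on a report saved from NetAss2. Services that nmap was not sure about are kept and marked unconfirmed rather than dropped, because an unconfirmed SMB listener still deserves a look, and the out-of-scope check catches hosts that answered the scan but were never in the authorized block.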

Other Types of Network Level Attacks

Below are some network level attacks that occurred in the last year. There are many kinds of network level attacks, and new cases come up day by day. Companies lose a lot of money because of cyber attacks, as commented by an ethical hacking expert of the International Institute of Cyber Security.

  • Browser Attacks – These are the most common network attacks. As explained above, the attacker tries to find vulnerabilities of the hosts running on the local network, and then tries to breach security through the browser, the most commonly used utility for accessing the internet.
  • Brute Force Attacks – Such attacks use a large list of keywords, or a dictionary created by gathering information about the target. Installing malware can take time in this kind of attack, because the victim has to click on the malware.
  • DoS (Denial of Service) Attacks – Multiple packets are sent to a particular port to interrupt the service of a running server or website. DoS attacks are very common, and not many companies are able to recover their resources.
  • Malware Attacks – Such attacks use a piece of malware, in the form of a Windows executable or software for another OS, to create a reverse session to the victim's computer. Malware attacks are very serious, as they give the attacker full permissions to access the victim's computer.
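The brute force entry above describes the attack; the complementary defender's view is detecting it on the hosts that the scan showed listening for SSH or RDP. Here is an added example (written for this article, not code from the original) that reads OpenSSH-style auth log lines and alerts when one source produces five failures within a minute, and again if that same source then logs in successfully. The log lines are constructed, the year is supplied because syslog timestamps omit it, and the threshold and window are hypothetical values to tune.

```python
"""Spot brute-force login bursts in SSH auth log lines (added example).

Assumptions: lines are in OpenSSH/syslog format, the sample below is
constructed, the year is passed in because syslog timestamps omit it, and the
threshold and window are hypothetical values a defender would tune.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: five rapid failures then a success from one source,
# and two slow, unrelated failures from another.
SAMPLE_LOG = """\
Jun 14 10:00:01 host sshd[1201]: Failed password for invalid user admin from 192.168.1.12 port 51002 ssh2
Jun 14 10:00:02 host sshd[1203]: Failed password for root from 192.168.1.12 port 51004 ssh2
Jun 14 10:00:03 host sshd[1205]: Failed password for root from 192.168.1.12 port 51006 ssh2
Jun 14 10:00:04 host sshd[1207]: Failed password for invalid user test from 192.168.1.12 port 51008 ssh2
Jun 14 10:00:05 host sshd[1209]: Failed password for root from 192.168.1.12 port 51010 ssh2
Jun 14 10:00:06 host sshd[1211]: Accepted password for root from 192.168.1.12 port 51012 ssh2
Jun 14 10:00:30 host sshd[1220]: Failed password for alice from 192.168.1.103 port 40001 ssh2
Jun 14 10:15:00 host sshd[1230]: Failed password for alice from 192.168.1.103 port 40002 ssh2
Jun 14 10:15:10 host sshd[1231]: Accepted publickey for alice from 192.168.1.103 port 40003 ssh2
"""

# timestamp, outcome, auth method, user (with optional "invalid user"), source IP
LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(Failed|Accepted)\s+(\w+)\s+for\s+(?:invalid user\s+)?(\S+)\s+from\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_line(line, year=2024):
    """Return the auth event in a line, or None for lines that are not auth results."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, outcome, method, user, src = m.groups()
    return {
        "when": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
        "outcome": outcome, "method": method, "user": user, "src": src,
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window failure count per source; also flag a success right after a burst.

    Alerts once per burst (when the count first reaches the threshold) and again
    if the same source then authenticates successfully while the burst is still
    inside the window: that is the case that matters most, because the guessing
    may have worked.
    """
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        while q and ev["when"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["when"])
            if len(q) == threshold:
                alerts.append({"kind": "burst", "src": ev["src"],
                               "count": len(q), "at": ev["when"]})
        elif len(q) >= threshold:
            alerts.append({"kind": "success-after-burst", "src": ev["src"],
                           "user": ev["user"], "method": ev["method"], "at": ev["when"]})
    return alerts


def failures_by_source(lines):
    """Total failed logins per source, for a quick look at who is hammering the host."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["outcome"] == "Failed":
            counts[ev["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(a)
```

The success-after-burst alert is the one to act on first; a burst alone may be a misconfigured script, but a burst followed by an accepted password from the same source is the signature of a guess that landed, and the account and method in the alert tell you what to reset.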