Penetration testing falls under regulatory requirements that have been stated by the Government of the UK. In a penetration test, the ethical hacker performs intrusion techniques within the organizational network (Bhardwaj et al. 2021). In that process, the ethical hacker needs to go through various legal processes, including obtaining permission from the organization to conduct the penetration test. The legal and ethical considerations set out by the Government of the UK state various ethical policies and regulations which the ethical hacker needs to obey while conducting the penetration test on the organizational network of the company (Ghanem and Chen 2020). Below are some of the major considerations which the penetration tester needs to make before proceeding with the penetration test –
The UK Government also has two major laws and rights, which help to keep the penetration tester accountable if any kind of data breach happens. The laws are –
The different methodologies help the penetration tester to proceed with the test. Each involves various phases which act as a guide for the penetration tester. The list of the penetration testing methodologies is –
The OSSTMM is a manual which contains various security testing methodologies. Through the manual, the penetration tester is able to use various vulnerability analysis techniques to find the vulnerabilities which are present within the organizational network (Hu, Beuran and Tan 2020). With the help of OSSTMM, the assets of the organization can be isolated and the possible threats can also be isolated. After that, each threat is analyzed in order to find its root cause. However, OSSTMM has a premium version as well, for which the penetration tester needs to purchase the manual. Thus, the free version of OSSTMM is limited in the functionality required to conduct the penetration test on the organization (Goutam and Tiwari 2019). Adding to that, the tool descriptions and software applications presented in OSSTMM do not come with a proper conclusion; for this reason, the penetration tester is unable to choose which tool they should select in order to proceed with the penetration testing process.
Furthermore, the penetration test will be conducted on a web application. The services which are most likely to be exploited are the HTTP, VNC and SSH services (Ibrahim and Kant 2018). Also, the OSSTMM provides flexibility to the penetration tester with its guidelines and norms. It helps the penetration tester to gain a deep understanding of the various components which are interconnected with one another (Khera, Kumar and Garg 2019). Also, the penetration testing process through OSSTMM is so extensive that vulnerabilities are unable to hide.
This standard contains one of the core penetration testing methodologies, which has been drafted by leading penetration testers around the world (Lu and Yu 2021). It contains various vulnerability testing methods through which the penetration tester is able to identify the vulnerabilities which are present within the web application. After that, using the Metasploit framework present within the Kali Linux operating system, the penetration tester is able to exploit the vulnerabilities that have been identified earlier. The main objective of PTES is to provide a standardized methodology for the penetration testing of an organizational network or web application (Zitta et al. 2018). Through the standardized approach, the penetration tester is guided through steps which help them in identifying the vulnerabilities which are present within the system.
There are a total of seven phases in penetration testing through PTES. First, the penetration tester drafts a plan which contains details of the component with which they will interact (Shah et al. 2019). Depending on the type of system, threat modelling is conducted. This helps the penetration tester to understand the probable threats which might be present. After that, the penetration tester conducts a loophole analysis which helps in identifying the loopholes which are present within the organizational network. After that, exploitation is performed on the vulnerabilities which have been identified. Next, an attack is launched against the system. This helps in extracting the data and information which are present in the database and server of the organization (Lee et al. 2020). Lastly, documentation is conducted, where the vulnerabilities are listed out. It also contains the mitigation techniques which the organization should perform in order to remove the listed vulnerabilities from the organizational network and the web application.
This technique helps in considering the various software development methodologies in order to conduct a proper analysis. OWASP uses a smaller number of automated tools, as it holds that tools are not efficient enough to identify the vulnerabilities which are present in an organizational network or web application (Gangupantulu et al. 2021). However, this penetration testing methodology is mainly used to find the loopholes which are present in a web server. Adding to that, the role of automated tests in detecting the loopholes in our services will be reduced. This process covers nearly all aspects of a web application, thereby covering all possible attack surfaces. For the penetration testing of a web server providing HTTP, SSH and VNC, this will mainly cover everything related to HTTP (Patel 2019). To begin with, the penetration tester drafts a plan which contains details of the component with which they will interact.
Depending on the type of system, threat modelling is conducted. This helps the penetration tester to understand the probable threats which might be present. After that, the penetration tester conducts a loophole analysis which helps in identifying the loopholes which are present within the organizational network (Ankele et al. 2019). After that, exploitation is performed on the vulnerabilities which have been identified. Next, an attack is launched against the system. This helps in extracting the data and information which are present in the database and server of the organization. Lastly, documentation is conducted, where the vulnerabilities are listed out. It also contains the mitigation techniques which the organization should perform in order to remove the listed vulnerabilities from the organizational network and the web application (Casola et al. 2020). A few of the important services and assets which OWASP focuses on are the credentials which help in the authorization of users. It also helps in understanding the key validation concept which is mainly used during the encryption process. Lastly, it helps in identifying the vulnerabilities which are present within the session management of the web application or web server.
This penetration testing technique contains a total of three phases. The names of the phases are the synthesis, analysis and evaluation phases. This procedure covers nearly all aspects of a web application, hence covering all possible attack surfaces (Kissi and Asante 2020). For the penetration testing of a web server providing HTTP, SSH and VNC, this will mainly cover everything related to HTTP. To start with, the penetration tester drafts a plan which contains details of the component with which they will interact. Depending on the type of system, threat modelling is conducted. This helps the penetration tester to understand the probable threats which might be present. After that, the penetration tester conducts a loophole analysis which helps in identifying the loopholes which are present within the organizational network. After that, exploitation is performed on the vulnerabilities which have been identified. Following that, an attack is launched against the system (Hance et al. 2022). This helps in extracting the data and information which are present in the database and server of the organization. Lastly, documentation is conducted, where the vulnerabilities are listed out.
This section discusses the various tasks which need to be performed in order to proceed with the penetration test. It will also discuss the measures which need to be undertaken so that the penetration test can be successful. The steps will also include the process through which the vulnerability analysis will be conducted. It will help in identifying the tools which will be used further during the course of penetration testing. The task to be carried out is to create an attack tree for a vulnerability test that is to be carried out to identify the different vulnerabilities which could exist inside the adopted web server, such as an Apache server, in order to secure it from the different threats likely to be posed to the network (Rani and Nagpal 2019). The scope of the penetration test also contains the details of the client. Besides, the penetration tester explains to the client the steps they will be conducting on the organizational network or web application. The technical team of the client should remain online throughout the process. If any kind of issue occurs, the penetration testing team will inform the technical team about the issue and it will be resolved as soon as possible, so that the end users of the web application are not affected (Almaarif and Lubis 2020). The penetration tester should draft a scope of the penetration test. The scope of the penetration test would include all the data and information which are required for conducting the penetration test.
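As an added illustration (not part of the original essay), the agreed scope can be enforced in code before any test activity is run. The `Scope` record, the function names, the documentation-range addresses and the testing window below are hypothetical, constructed values; the ports are the defaults for the HTTP, SSH and VNC services named in the text.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Scope:
    """Hypothetical record of what the client authorised in writing."""
    networks: tuple          # CIDR blocks approved for testing
    excluded: tuple          # hosts inside those blocks that must not be touched
    ports: frozenset         # services agreed for testing
    window_start: datetime   # agreed testing window (UTC)
    window_end: datetime


# Constructed sample: RFC 5737 documentation addresses, default ports for
# HTTP (80), SSH (22) and VNC (5900), and an evening window.
SAMPLE_SCOPE = Scope(
    networks=(ip_network("192.0.2.0/28"),),
    excluded=(ip_address("192.0.2.5"),),
    ports=frozenset({22, 80, 5900}),
    window_start=datetime(2024, 1, 8, 18, 0, tzinfo=timezone.utc),
    window_end=datetime(2024, 1, 8, 23, 0, tzinfo=timezone.utc),
)


def check_target(scope, host, port, when):
    """Return (allowed, reason) for one planned test action."""
    try:
        addr = ip_address(host)
    except ValueError:
        # Hostnames are refused: DNS can change after the scope is signed.
        return False, "target must be a literal IP address from the scope"
    if when.tzinfo is None:
        return False, "timestamp must be timezone-aware"
    # Exclusions win over the authorised ranges.
    if addr in scope.excluded:
        return False, "host is explicitly excluded"
    if not any(addr in net for net in scope.networks):
        return False, "host is outside the authorised networks"
    if port not in scope.ports:
        return False, "service is not in the agreed scope"
    if not (scope.window_start <= when <= scope.window_end):
        return False, "outside the agreed testing window"
    return True, "in scope"


def review_plan(scope, plan):
    """Split planned (host, port, when) tasks into approved and rejected."""
    approved, rejected = [], []
    for host, port, when in plan:
        ok, reason = check_target(scope, host, port, when)
        (approved if ok else rejected).append((host, port, reason))
    return approved, rejected
```

The rejected list, with its reasons, is what the tester takes back to the client's technical team before the engagement starts.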
There are basically three types of penetration test. The names of the types of penetration test are black box penetration testing, white box penetration testing and grey box penetration testing. In the case of black box penetration testing, the penetration tester does not have any information about the organizational network which they would be exploiting (Yadav et al. 2020). They have to formulate a roadmap through which they would first find the vulnerabilities present within the system and then proceed with exploitation. Next, there is grey box penetration testing. In this kind of grey box penetration testing, the ethical hacker knows about the web application whose vulnerabilities must be identified and then exploited. Consequently, the following section clearly describes the individual activities to be carried out by the group members in particular.
Phase 1 – Planning and Pre-Engagement
Process 1.1 – Strategy for Testing and Interaction during Pre-Engagement
Activity 1.1.1 – Scope of Task
Phase 2 – Information Gathering
Process 2.1 – Ping Sweeping
Activity 2.1.1 – Identification of Target and Profiling
Activity 2.1.2 – Port Scanning
Activity 2.1.3 – Banner Grabbing
Phase 3 – Vulnerability Identification and Analysis
Process 3.1 – Vulnerability scanning
Activity 3.1.1 – Identification of Application
Activity 3.1.2 – Scanning of Vulnerabilities
Process 3.2 – Identification of Vulnerabilities
Activity 3.2.1 – Identification and Validation of Vulnerabilities
Activity 3.2.2 – Create Attack Venues
Phase 4 – Exploitation
Process 4.1 – Customising the Exploitation
Activity 4.1.1 – Brute Force Application
Activity 4.1.2 – Brute Force with Network Logon
Phase 5 – Post-Exploitation
Process 5.1 – Mitigate Attack Trees
Activity 5.1.1 – Deletion of Log Data
Phase 6 – Reporting
Process 6.1 – Documentation of the Penetration Test
Activity 6.1.1 – Technical Report
Figure 1 – Attack Tree
(Source – Created by Author)
References
Almaarif, A. and Lubis, M., 2020. Vulnerability Assessment and Penetration Testing (VAPT) Framework: Case Study of Government’s Website. International Journal on Advanced Science Engineering and Information Technology, 10(5), pp.1874-1880.
Ankele, R., Marksteiner, S., Nahrgang, K. and Vallant, H., 2019, August. Requirements and recommendations for IoT/IIoT models to automate security assurance through threat modelling, security analysis and penetration testing. In Proceedings of the 14th International Conference on Availability, Reliability and Security (pp. 1-8).
Bhardwaj, A., Shah, S.B.H., Shankar, A., Alazab, M., Kumar, M. and Gadekallu, T.R., 2021. Penetration testing framework for smart contract blockchain. Peer-to-Peer Networking and Applications, 14(5), pp.2635-2650.
Casola, V., Benedictis, A.D., Rak, M. and Villano, U., 2020. A methodology for automated penetration testing of cloud applications. International Journal of Grid and Utility Computing, 11(2), pp.267-277.
Chaudhary, S., O’Brien, A. and Xu, S., 2020, June. Automated post-breach penetration testing through reinforcement learning. In 2020 IEEE Conference on Communications and Network Security (CNS) (pp. 1-2). IEEE.
Chowdhary, A., Huang, D., Mahendran, J.S., Romo, D., Deng, Y. and Sabur, A., 2020, December. Autonomous security analysis and penetration testing. In 2020 16th International Conference on Mobility, Sensing and Networking (MSN) (pp. 508-515). IEEE.
Gangupantulu, R., Cody, T., Park, P., Rahman, A., Eisenbeiser, L., Radke, D. and Clark, R., 2021. Using cyber terrain in reinforcement learning for penetration testing. arXiv preprint arXiv:2108.07124.
Ghanem, M.C. and Chen, T.M., 2020. Reinforcement learning for efficient network penetration testing. Information, 11(1), p.6.
Goutam, A. and Tiwari, V., 2019, November. Vulnerability Assessment and Penetration Testing to Enhance the Security of Web Application. In 2019 4th International Conference on Information Systems and Computer Networks (ISCON) (pp. 601-605). IEEE.
Hance, J., Milbrath, J., Ross, N. and Straub, J., 2022. Distributed Attack Deployment Capability for Modern Automated Penetration Testing. Computers, 11(3), p.33.
Hatfield, J.M., 2019. Virtuous human hacking: The ethics of social engineering in penetration-testing. Computers & Security, 83, pp.354-366.
Hu, Z., Beuran, R. and Tan, Y., 2020, September. Automated penetration testing using deep reinforcement learning. In 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) (pp. 2-10). IEEE.
Ibrahim, A.B. and Kant, S., 2018. Penetration testing using SQL injection to recognize the vulnerable point on web pages. International Journal of Applied Engineering Research, 13(8), pp.5935-5942.
Johari, R., Kaur, I., Tripathi, R. and Gupta, K., 2020, October. Penetration Testing in IoT Network. In 2020 5th International Conference on Computing, Communication and Security (ICCCS) (pp. 1-7). IEEE.
Khera, Y., Kumar, D. and Garg, N., 2019, February. Analysis and Impact of Vulnerability Assessment and Penetration Testing. In 2019 International Conference on Machine Learning, Big Data, Cloud and Parallel Computing (COMITCon) (pp. 525-530). IEEE.
Kissi, M.K. and Asante, M., 2020. Penetration testing of IEEE 802.11 encryption protocols using Kali Linux hacking tools. International Journal of Computer Applications, 176(32), pp.26-33.
Kothia, A., Swar, B. and Jaafar, F., 2019, July. Knowledge Extraction and Integration for Information Gathering in Penetration Testing. In 2019 IEEE 19th International Conference on Software Quality, Reliability and Security Companion (QRS-C) (pp. 330-335). IEEE.
Lee, T., Wi, S., Lee, S. and Son, S., 2020, February. FUSE: Finding File Upload Bugs via Penetration Testing. In NDSS.
Lu, H.J. and Yu, Y., 2021. Research on wifi penetration testing with kali linux. Complexity, 2021.
Patel, K., 2019, April. A survey on vulnerability assessment & penetration testing for secure communication. In 2019 3rd International Conference on Trends in Electronics and Informatics (ICOEI) (pp. 320-325). IEEE.
Rani, S. and Nagpal, R., 2019. Penetration testing using metasploit framework: An ethical approach. Int. Res. J. Eng. Technol, 6(8), pp.538-542.
Shah, M., Ahmed, S., Saeed, K., Junaid, M. and Khan, H., 2019, January. Penetration testing active reconnaissance phase–optimized port scanning with nmap tool. In 2019 2nd International Conference on Computing, Mathematics and Engineering Technologies (iCoMET) (pp. 1-6). IEEE.
Vats, P., Mandot, M. and Gosain, A., 2020, June. A comprehensive literature review of penetration testing & its applications. In 2020 8th International Conference on Reliability, Infocom Technologies and Optimization (Trends and Future Directions)(ICRITO) (pp. 674-680). IEEE.
Yadav, G., Paul, K., Allakany, A. and Okamura, K., 2020, January. Iot-pen: A penetration testing framework for iot. In 2020 International Conference on Information Networking (ICOIN) (pp. 196-201). IEEE.
Zhang, N., Arroyo, M., Ciantia, M.O., Gens, A. and Butlanska, J., 2019. Standard penetration testing in a virtual calibration chamber. Computers and Geotechnics, 111, pp.277-289.
Zitta, T., Neruda, M., Vojtech, L., Matejkova, M., Jehlicka, M., Hach, L. and Moravec, J., 2018, December. Penetration testing of intrusion detection and prevention system in low-performance embedded IoT device. In 2018 18th International Conference on Mechatronics-Mechatronika (ME) (pp. 1-5). IEEE.