
Penetration Testing Assignment: Grey-Box Testing Project of CyberQ Group


Task: Penetration Testing Assignment Brief:
Scenario: Assume that you are working as a consultant for an SME which is building its capability in penetration testing. You are part of a small team of three (3) consultants who are preparing to deliver a grey-box penetration testing project. Your client has asked your employer to conduct the penetration test against a server, as they fear they might have already been breached. To the best of their knowledge, the company assumes that the server offers only the following online services: a) http, b) ssh, and c) vnc.

In this context, this assignment has two tasks:

  • Task 1 is an individual task that will assess your understanding of the statutory and ethical issues surrounding penetration testing.
  • Task 2 is a group task that will assess your understanding of the pentest process itself.


Penetration Testing Assignment Task 1
a. Introduction

Penetration testing is also known as a pen test or ethical hacking. It is the practice of testing a computer system or web application to find security vulnerabilities that an attacker could exploit (Baloch, 2017). It is largely automated with the help of software tools, but it is also performed manually. Penetration testing begins with collecting information about the target before testing, and it identifies possible entry points for an attack on the system. The attack can be real or simulated.

The rapid growth of cloud applications has raised various security concerns because of the lack of control over the underlying resources (Casola et al., 2018). Penetration testing identifies the security weaknesses in a system and is used to test the security policy of an organization. Here, a grey-box penetration testing project is prepared for an SME called CyberQ Group to conduct a penetration test against a server that offers only HTTP, VNC and SSH.

b. Statutory and Ethical Consideration of a Penetration Tester working in the UK
Penetration testing under UK law requires that the test is conducted efficiently and with the client's documented consent. However, the consent form contains private and sensitive data, so it must be managed with care. All information in the consent form should be kept private in line with the testing organization's data handling process.

The main ethical consideration in penetration testing is to stay within the defined and agreed parameters: the testing must be done according to the consent given by the client organization. The central theme of pen testing ethics is integrity, which protects the client and preserves the reputation of the security profession. The objectives should be set so as to avoid conflicts of interest and the reporting of false positives and false negatives.

c. Legal and Ethical Considerations
Penetration testing is a form of ethical hacking that identifies security vulnerabilities in an application or network. It is important because it gives valuable data about the security status of the network and an overall understanding of the security issues in the system (Penetration Testing, 2021). However, some legal and ethical considerations must be kept in mind before starting a penetration test in the UK. The laws that apply to the majority of tests are:

  • UK Computer Misuse Act 1990
  • UK Data Protection Act 1998
  • Police and Justice Act 2006

A penetration test in the UK must be conducted within these laws. A testing consent form should be obtained from the client before the test begins. The form records the consent provider's name and position, their contact information, and the IP addresses or URLs that are in the scope of testing (Reynolds, 2021). The date and time range of the permitted penetration test is also stated on the form. No penetration test should be conducted in the UK without a completed and signed consent form; this is what keeps the test compliant with UK law.
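As an added example (not part of the original assignment), the consent-form fields described above can be enforced mechanically before any test traffic is sent: a target is accepted only if the form is complete, the time falls inside the permitted window, and the target lies within the listed IP blocks or URL hostnames. The form contents, field names and addresses below are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse


@dataclass(frozen=True)
class ConsentForm:
    """Fields a UK consent form records (field names are an assumption)."""
    consent_provider: str
    position: str
    contact: str
    in_scope_ip_blocks: tuple  # CIDR strings
    in_scope_urls: tuple       # URLs whose hostnames are in scope
    window_start: datetime     # timezone-aware
    window_end: datetime


def utc(year, month, day, hour=0):
    """Build a timezone-aware UTC timestamp."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


# Constructed sample form; 192.0.2.0/24 and .invalid are reserved documentation values
CONSENT = ConsentForm(
    consent_provider="A. Example",
    position="IT Manager",
    contact="it-manager@example.invalid",
    in_scope_ip_blocks=("192.0.2.0/24",),
    in_scope_urls=("https://www.example.invalid",),
    window_start=utc(2021, 3, 15, 9),
    window_end=utc(2021, 3, 19, 18),
)


def target_host(target):
    """Extract the host part of a target given as IPv4 address, hostname or URL."""
    return urlparse(target if "://" in target else "//" + target).hostname or target


def host_in_scope(form, target):
    host = target_host(target)
    try:
        addr = ip_address(host)
    except ValueError:
        # Not an IP literal: match the hostname against the listed URLs
        return any(urlparse(u).hostname == host for u in form.in_scope_urls)
    return any(addr in ip_network(block) for block in form.in_scope_ip_blocks)


def check_scope(form, target, when):
    """Return (allowed, reason); anything not covered by the signed form is refused."""
    if not (form.consent_provider and form.position and form.contact):
        return False, "consent form incomplete"
    if when.tzinfo is None:
        return False, "timestamp must be timezone-aware"
    if not (form.window_start <= when <= form.window_end):
        return False, "outside permitted time window"
    if not host_in_scope(form, target):
        return False, "target not listed in consent form"
    return True, "in scope"
```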

The penetration test also requires ethical consideration. Ethics is the study of morality: it helps to identify arguments, to understand or defend another's position, and to establish a sound course of action by providing theories and principles about what is right. Ethical considerations also help decide which testing technique is appropriate. As per the Open Source Security Testing Methodology Manual (OSSTMM), the business and industry ethics policies should be classified before a target penetration test is conducted.

There are also codes of ethics for ethical hackers. For example, the Council of Registered Ethical Security Testers (CREST) has published a code of conduct that not only specifies ethical rules but also calls for good professional performance. A conceptual model of ethics in penetration testing is proposed below that centres on integrity. The ACM Code of Ethics and Professional Conduct is concerned with people's quality of life and the protection of basic human rights (Berendt, 2018). Ethics help to conduct penetration tests properly in the UK.

Figure: A Conceptual Model of Penetration Testing Ethics (created by author)

Integrity is the main theme of the professional ethics of penetration testing. The model of integrity should be followed by a penetration tester all the time.

d. Comparison Criteria
The comparison criteria are drawn from the scope of Task 2: a grey-box infrastructure pen test is to be undertaken against the server.

The comparison criteria are knowledge of the internal working structure, the approach, the testing space of tables for input, the process of finding errors in the system, and the time required. The server under test offers only the HTTP, VNC and SSH online services.

Grey-box penetration testing has partial knowledge of the internal working structure, which places it between black-box and white-box testing; however, it involves limited coding knowledge (Zheng et al., 2019). With sufficient coding knowledge, grey-box testing can validate the software's internal system boundaries and data domains. It is hard to find the system's hidden errors through grey-box testing alone; such errors can be found in user-level testing. The testing space of tables for input in grey-box testing is smaller than in white-box and black-box testing. Grey-box testing can be done within a short period of time, but it is not suitable for algorithm testing. With the help of a grey-box infrastructure pen test, it is possible to set up and assess a Linux server in the company that offers only the HTTP, VNC and SSH online services.

e. Compare Published Penetration Testing Methods and their Application

The Open Web Application Security Project (OWASP) helps in controlling vulnerabilities in applications. It identifies mobile and web vulnerabilities. In addition, OWASP documents the logical flaws that arise from unsafe development practices. It evaluates the vulnerabilities associated with the functionality found in modern applications and develops practical recommendations for particular technologies and features (Bach-Nutman, 2020). Some of the OWASP vulnerability categories are code injection, LDAP injection and XPath injection.

The Open Source Security Testing Methodology Manual (OSSTMM) is a framework that details industry standards. It is considered a scientific methodology for network penetration testing and vulnerability assessment.

It supports the security of the network and helps develop reliable and authentic solutions for securing the organization's network.

The Penetration Testing Methodologies and Standards (PTES) is a structured approach to penetration testing. It covers pre-engagement communication, information gathering, threat modelling and the penetration test itself, and it identifies the most susceptible areas in the software system that attackers could target.

PTES also provides penetration testers with guidelines for post-exploitation testing of the system.

f. Pen Test Methodology Comparison
A comparison is made among the three penetration testing methodologies. It helps to justify the use of a Linux server that offers the HTTP, VNC and SSH online services. The Linux server is built on the open-source Linux operating system (Miano et al., 2019). Through this server, the organization can deliver services, content and applications to clients at low cost; because it is open source, it is beneficial for users.

This is possible with the OWASP methodology, which catalogues a number of web application vulnerabilities. When many web applications are hosted on the same IP address, the Host header is used to identify which application should process an HTTP request (Li, 2020). A host header injection attack happens when an attacker-controlled hostname is injected into the HTTP Host header. This risk can be reduced by following the OWASP penetration testing methodology.
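As an added illustration of the Host header problem described above (not part of the original assignment), the snippet contrasts a password-reset link built from the raw Host header with one built only from an allow-list of the application's own hostnames, plus a report-style check a tester can run over a captured request. The hostnames and token are constructed.

```python
from urllib.parse import quote

# Assumed canonical names of the application; nothing else may appear in absolute URLs
ALLOWED_HOSTS = frozenset({"www.example.invalid", "example.invalid"})


def reset_link_unsafe(headers, token):
    """Vulnerable pattern: a client-controlled Host (or X-Forwarded-Host) ends up in the link."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"https://{host}/reset?token={quote(token)}"


def canonical_host(headers, allowed_hosts=ALLOWED_HOSTS):
    """Return the request's Host only if it is one of our own names, otherwise None.

    X-Forwarded-Host is ignored on purpose: unless a trusted proxy sets it,
    it is just another attacker-controlled header.
    """
    host = headers.get("Host", "").strip().lower()
    host = host.split(":", 1)[0]  # drop an explicit port (hostname / IPv4 form)
    return host if host in allowed_hosts else None


def reset_link_safe(headers, token, allowed_hosts=ALLOWED_HOSTS):
    """Hardened pattern: refuse to build an absolute URL for an unrecognised Host."""
    host = canonical_host(headers, allowed_hosts)
    if host is None:
        raise ValueError("Host header not in allow-list")
    return f"https://{host}/reset?token={quote(token)}"


def host_header_finding(headers, allowed_hosts=ALLOWED_HOSTS):
    """Report-style check over one captured request: which headers would be trusted unsafely."""
    issues = []
    if canonical_host(headers, allowed_hosts) is None:
        issues.append("Host not in allow-list")
    if "X-Forwarded-Host" in headers:
        issues.append("X-Forwarded-Host present; must only be honoured from a trusted proxy")
    return issues
```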

For testing web applications and services, the OWASP methodology described above is the best choice. The OSSTMM methodology is used to test the entire network infrastructure, the telecommunication process and the organization's security.

PTES helps penetration testers across the different stages of a penetration test, such as pre-engagement communication, information gathering and threat modelling.

The organization wants to deliver a grey-box penetration testing project and conduct a penetration test because it fears that attackers may have breached the system. So the OWASP methodology is suitable for undertaking a grey-box infrastructure pen test: it identifies the vulnerabilities in the software through which attackers could compromise the system (Fashoto, Ogunleye and Adabara, 2018). The grey-box testing should be done with tools such as Poracle, PadBuster, Python-padding oracle and Padding Oracle exploitation.

The penetration test is useful for identifying vulnerabilities in the system so that attacks can be prevented. Of the three methodologies, OWASP is the better penetration testing methodology for this project compared with OSSTMM and PTES.

2. Penetration Testing Assignment Task 2
a. Group Management

The successful establishment of penetration testing capability in any business requires substantial effort from the team handling it. Penetration testing plays an important role in business today, and organizations need to adopt it to secure their networks and payment systems (Setiawan and Setiyadi, 2018). The members of the group are assigned different tasks to ensure efficient penetration testing capacity building in the SME. Such a division of labour follows Adam Smith's well-known principle for the regulation of a market economy.

The consent form is the basic requirement before starting the penetration testing project because it contains private and confidential information about the organization for which the team is working (Emerson et al., 2017). It requires a certain amount of care and safety. Therefore, one member is assigned to deal with ethical considerations and the consent form.

Establishing the penetration testing capability involves hacking with ethical consideration, and the following must be taken into account (Al Shebli and Beheshti, 2018). It requires the identification of vulnerabilities in the installation and the network applications. One member of the group is assigned the job of identifying vulnerabilities and understanding the security issues in the system. The members dealing with the consent form and vulnerability identification also take care of compliance with the following legislation: UK Computer Misuse Act 1990, Human Rights Act 1998, UK Data Protection Act 1998 and Police and Justice Act 2006. They ensure the legal and ethical considerations of installing the penetration testing system in the SME (Berendt, 2018).

Linux provides an efficient and productive open-source operating system. It is used to address business application requirements, including network administration and database management (McPhee, 2017). It provides better security, flexibility and reliability, which every business installing computer applications demands. Important features of a Linux server include stability, efficiency, security and networking. Its stability is shown by the fact that it does not require constant reboots to keep the system effective; it provides consistently high performance and is compatible with networks and servers.

The security of this open-source system is also strong, so it can be chosen for the development of the penetration testing system in the SME. A team of two members is assigned the job of testing the efficacy of the Linux server. Various methodologies are used in setting up a penetration testing system, including OWASP, OSSTMM and PTES. A team of three from the group is assigned the job of testing the efficiency of these methodologies.

OWASP is a methodology for the application of a new system and has the function of controlling vulnerabilities in the application of penetration testing systems (Archibald and Renaud, 2018). One member of this team is assigned the job of analysing OWASP. Another member is assigned the job of testing the reliability of OSSTMM, a testing methodology that develops authentic solutions to protect the organization's network (Lagreca, 2017). The last member of the team of three is assigned the job of assessing PTES, an approach that can identify the areas that are most vulnerable (Albrecht and Jensen, 2020).

b. SOP
A penetration test is a simulated cyber attack on a system to find the vulnerabilities that attackers could exploit. The organization uses it in the business context to protect the data of the SME's clients, as it contains confidential information.

The purpose of the Standard Operating Procedure (SOP) is to develop the penetration testing capability of the SME. The SOP includes four phases: gathering intelligence, identifying vulnerabilities, exploiting the system, and analysing the system after exploitation.

Phase I: Gathering of intelligence
Process: In this phase, the group defines the goal of the test.

Activity: In this activity, information about the organization is gathered using the inputs below.

  • Name: DNS server
  • Input: Locating the IP blocks and using WHOIS
  • Function: To gather information and create detailed network diagrams.
  • Output: It helps in finding the open ports. The goal of the test is to install a penetration testing system in CyberQ.
  • Resources/Tools: The resource or tool used in this phase is the open-source Linux operating system.
  • Details: This phase gathers information about the discrepancies present in the system. In Phase I the goal of the test is set, which supports successful completion. Intelligence gathering is used to understand how the system works and the potential vulnerabilities in it.

Phase II: Identification of the vulnerability
In this phase the vulnerabilities of the system are identified. An open-source tool is used to identify the vulnerabilities; it is chosen based on the recommendations made for the system. The tester tries to recognize the threats and dangers to the system (Yaqoob et al., 2017). After the threats have been recognized, the attack vectors are mapped. The threats are divided into external and internal threats. The security risks are identified with the help of a vulnerability scanner.

Phase III: Exploitation of the system
Using the identified discrepancies and vulnerabilities and the mapped attack vectors, the vulnerabilities in the system are exploited. In this phase rigorous manual testing is done, which is a time-consuming process. It includes SQL injection. Exploitation also covers Wi-Fi attacks (Sinha, 2018). The tester also employs cross-site scripting to understand the vulnerabilities. In this process the testers attempt to extract the organization's data and intercept traffic. This is used to understand the extent of the damage a cyber attack could cause to CyberQ.

Phase IV: Analysis of the system
In this phase the system is analysed after exploitation. The methods used are documented, including those that gave access to CyberQ's confidential data. This is used to control the system in future and helps the organization protect the system from threats. The exploitation of the system, the findings for each vulnerability, and the amount of damage the organization could face from a cyber attack are compiled into a documented report. The report includes details of the confidential data accessed by the testing team and the particular discrepancies found. It also records the time the system took to identify the threat. The team then analyses this information to configure the system so that it is protected from the threat. Lastly, after the analysis, a web application firewall is deployed to protect the organization's data.
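As an added example tying Phase I to the Phase IV report (not part of the original SOP), the check below takes the open ports found during intelligence gathering and compares them with the three services the client says the server offers; any other listener is flagged for the report as a possible sign of the breach the client fears. The scan lines are constructed in the layout of nmap's normal output, not taken from a real scan.

```python
import re

# The client states the server offers only http, ssh and vnc (assignment scenario)
DOCUMENTED_SERVICES = {("tcp", 22): "ssh", ("tcp", 80): "http", ("tcp", 5900): "vnc"}

# Constructed sample in nmap's normal-output layout; port 4444 is the planted anomaly
SAMPLE_SCAN = """\
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
4444/tcp open   krb524
5900/tcp open   vnc
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_scan(text):
    """Map (proto, port) -> (state, service) from port lines; other lines are ignored."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports[(m.group(2), int(m.group(1)))] = (m.group(3), m.group(4))
    return ports


def service_drift(observed, documented=DOCUMENTED_SERVICES):
    """Compare observed open ports with the documented service set; return report findings."""
    findings = []
    for (proto, port), (state, service) in sorted(observed.items()):
        if state != "open":
            continue
        if (proto, port) not in documented:
            findings.append({"port": f"{port}/{proto}", "severity": "high",
                             "finding": f"undocumented open service '{service}': "
                                        "confirm the owner or treat as a possible breach indicator"})
        elif service != documented[(proto, port)]:
            findings.append({"port": f"{port}/{proto}", "severity": "medium",
                             "finding": f"documented as {documented[(proto, port)]} but "
                                        f"identified as '{service}'"})
    # Expected services that are not reachable are worth noting for the report too
    for (proto, port), name in sorted(documented.items()):
        if observed.get((proto, port), ("closed", ""))[0] != "open":
            findings.append({"port": f"{port}/{proto}", "severity": "info",
                             "finding": f"documented {name} service not reachable"})
    return findings


if __name__ == "__main__":
    for f in service_drift(parse_scan(SAMPLE_SCAN)):
        print(f"[{f['severity']}] {f['port']}: {f['finding']}")
```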

c. Decision Tree
A decision tree is used to determine the action plan for installing the pen testing system in CyberQ. It lays out the decisions and the order in which the plan is to be implemented; it is a visual representation of the decisions to be taken. The decision tree for installing the pen testing system in CyberQ is developed from the Standard Operating Procedure. The table below is the decision tree for the pen test:

Table 1: Decision tree (Source: created by the researcher)

In analysing the installation of pen testing in CyberQ, the ethical considerations of penetration testing have been taken into account. It can be concluded that the testers consider the ethical requirements of the project. The study also considers the legal aspects of pen testing in the organization; all relevant UK legislation is taken into consideration, including the UK Computer Misuse Act 1990. In the comparison criteria, several penetration testing methodologies are analysed, including OWASP. The analysis concludes that the methodologies help in identifying the vulnerabilities in the system.

Group management is an important criterion for the successful completion of the project. In the group management section, tasks are assigned to the team members, and it can be concluded that this assists in installing a pen testing system in CyberQ. The SOP is constructed to show the path to completing the plan and the development of the tasks. The decision tree is a visual representation of the manner in which the tasks are to be completed. Overall, it is concluded that establishing pen testing in the organization helps in defending against vulnerabilities.

References

Al Shebli, H.M.Z. and Beheshti, B.D. (2018) 'A study on penetration testing process and tools', in 2018 IEEE Long Island Systems, Applications and Technology Conference (LISAT). IEEE, pp. 1–7.

Albrecht, M.R. and Jensen, R.B. (2020) 'The vacuity of the Open Source Security Testing Methodology Manual', in International Conference on Research in Security Standardisation. Springer, Cham, pp. 114–147.

Archibald, J. and Renaud, K. (2018) 'POINTER: a GDPR-compliant framework for human pentesting (for SMEs)', in HAISA, pp. 147–157.

Bach-Nutman, M. (2020) 'Understanding the top 10 OWASP vulnerabilities', arXiv preprint arXiv:2012.09960, pp. 1–4.

Baloch, R. (2017) Ethical Hacking and Penetration Testing Guide. CRC Press, pp. 1–493.

Berendt, B. (2018) 'AI for the common good?! Pitfalls, challenges, and ethics pen-testing', arXiv preprint arXiv:1810.12847, pp. 1–2.

Emerson, J.B., Adams, R.I., Román, C.M.B., Brooks, B., Coil, D.A., Dahlhausen, K., Ganz, H.H., Hartmann, E.M., Hsu, T., Justice, N.B. and Paulino-Lima, I.G. (2017) 'Schrödinger's microbes: tools for distinguishing the living from the dead in microbial ecosystems', Microbiome, 5(1), pp. 1–23.

Fashoto, S.G., Ogunleye, G.O. and Adabara, I. (2018) 'Evaluation of network and systems security using penetration testing in a simulation environment', Computer Science & Telecommunications, 54(2), pp. 1–9.

Lagreca, N. (2017) 'Modelo de auditoría para servicios telemáticos de la Universidad Simón Bolívar', Télématique, 16(2).

Li, J. (2020) 'Vulnerabilities mapping based on OWASP-SANS: a survey for static application security testing (SAST)', pp. 1–8.

McPhee, M. (2017) Mastering Kali Linux for Web Penetration Testing. Packt Publishing Ltd.

Miano, S., Bertrone, M., Risso, F., Bernal, M.V., Lu, Y. and Pi, J. (2019) 'Securing Linux with a faster and scalable iptables', ACM SIGCOMM Computer Communication Review, 49(3), pp. 2–17.

Penetration Testing (2021) [online]. Available at: [Accessed 13 March 2021].

Rak, M., Casola, V., De Benedictis, A. and Villano, U. (2018) 'Automated risk analysis for IoT systems', in International Conference on P2P, Parallel, Grid, Cloud and Internet Computing. Springer, Cham, pp. 265–275.

Reynolds, I. (2021) Penetration Testing Under UK Law. [online] SecureTeam. Available at: [Accessed 13 March 2021].

Setiawan, E.B. and Setiyadi, A. (2018) 'Web vulnerability analysis and implementation', IOP Conference Series: Materials Science and Engineering, 407(1), p. 012081. IOP Publishing.

Sinha, S. (2018) 'Information gathering', in Beginning Ethical Hacking with Kali Linux. Apress, Berkeley, CA, pp. 189–220.

Yaqoob, I., Hussain, S.A., Mamoon, S., Naseer, N., Akram, J. and ur Rehman, A. (2017) 'Penetration testing and vulnerability assessment', Journal of Network Communications and Emerging Technologies (JNCET), 7(8). www.jncet.org

Zheng, Y., Davanian, A., Yin, H., Song, C., Zhu, H. and Sun, L. (2019) 'FIRM-AFL: high-throughput greybox fuzzing of IoT firmware via augmented process emulation', in 28th USENIX Security Symposium (USENIX Security 19), pp. 1099–1114.

Appendix

Figure: Phases of Penetration Testing

Figure: Penetration Testing

Figure: OWASP methodology

Figure: Vulnerability Assessment
