After gathering the relevant information about the targeted systems, the next step is to determine the vulnerabilities that exist in each system. Penetration testers should have a collection of exploits and vulnerability details at their disposal for this purpose, and it is here that their knowledge is put to the test. The information obtained is analysed to determine any vulnerability that might exist. This is called manual vulnerability scanning, as the detection of vulnerabilities is done by hand.
There is an exploit known as the dot bug that existed in MS Personal Web Server. The bug originally existed in IIS 3.0 and allowed ASP source code to be downloaded by appending a ‘.’ to the filename. Microsoft eventually fixed this bug in IIS, but did not fix the same hole in Personal Web Server at that time, and some Personal Web Server installations have this vulnerability to this day. If a system running MS Personal Web Server turns up in the information gathered earlier, this is a vulnerability that would probably exist on that particular system.
After determining the vulnerabilities that exist in the systems, the next stage is to identify suitable targets for a penetration attempt. The time and effort that need to be put into each vulnerable system must be estimated accordingly; estimates of how long a penetration test will take on a particular system are important at this point. The choice of target on which to perform the penetration attempt is equally important.
Imagine a scenario in which two penetration testers are required to perform a penetration test on a network consisting of more than 200 machines. After gathering sufficient information about the network and its vulnerabilities, they find that there are only 5 servers on the network and the rest are ordinary PCs used by the organization’s staff. Common sense tells them that the likely targets are these 5 servers.
Password cracking has become a normal practice in penetration tests. In most cases you will find services such as telnet and ftp running on the systems. This is a good place to start: the password weaknesses that exist should be tested on the target before conducting any other penetration attempt. The common cracking methods are:
• Dictionary Attack – Uses a word list or dictionary file, trying each entry as the password.
• Hybrid Crack – Tests for passwords that are variations of the words in a dictionary file.
• Brute Force – Tests for passwords made up of every possible combination of characters.
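To make the three methods concrete from the defender's side, here is an added password-audit example (not from the original text) that counts how many guesses each strategy needs before it matches the SHA-256 hash of a password; the word list, the mutation rules and the audited passwords are constructed for illustration, and a real audit would use the target's own hashing scheme.

```python
import hashlib
import itertools
import string

# Constructed stand-in for a dictionary file (assumption, not a real word list).
WORDLIST = ["password", "welcome", "secret", "admin", "letmein"]
BRUTE_ALPHABET = string.ascii_lowercase + string.digits


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def dictionary_candidates(words):
    """Dictionary attack: every word in the list, exactly as written."""
    yield from words


def hybrid_candidates(words, max_digits=2):
    """Hybrid crack: dictionary words with case changes and digit suffixes appended."""
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            for n in range(1, max_digits + 1):
                for digits in itertools.product(string.digits, repeat=n):
                    yield base + "".join(digits)


def brute_force_candidates(alphabet, max_len):
    """Brute force: every string over the alphabet, shortest first."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)


def guesses_until_found(target_hash, candidates, limit):
    """Return the guess number at which target_hash is matched, or None within limit."""
    for i, candidate in enumerate(candidates, 1):
        if i > limit:
            return None
        if sha256_hex(candidate) == target_hash:
            return i
    return None


def audit(password, limit=200_000, brute_max_len=4):
    """Guess counts per strategy; None means the password survived that strategy."""
    target = sha256_hex(password)
    return {
        "dictionary": guesses_until_found(target, dictionary_candidates(WORDLIST), limit),
        "hybrid": guesses_until_found(target, hybrid_candidates(WORDLIST), limit),
        "brute_force": guesses_until_found(
            target, brute_force_candidates(BRUTE_ALPHABET, brute_max_len), limit),
    }
```

A plain dictionary word falls within a handful of guesses, a capitalised word with a digit appended falls to the hybrid pass in a few hundred, while the brute-force pass is bounded by the guess budget and alphabet size, which is why password policy and lockout thresholds matter more than the cracking tool.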