Sunday, 24 March 2013

Steps performed by a penetration tester:

1. Perform a footprinting analysis.
2. Enumerate information.
3. Obtain access through user manipulation and escalate privileges.
4. Gather additional passwords and secrets.

The main objective of a penetration tester is to gather information about the target systems that could be used by an attacker to gain access to them.

1. Footprinting:
Scanning involves steps such as systematic port scanning, which is used to determine open ports and vulnerable services. In this stage the attacker can use various automated tools to discover system vulnerabilities.

Other techniques used in this phase include:
  • Network mapping
  • Sweeping
  • Use of dialers
  • Vulnerability scanners

Commonly used tools:
  • nslookup: command-line tool in Windows NT 4.0, Windows 2000 and XP that can be used to perform DNS queries.
  • tracert: command-line tool that traces the route to a target and so helps create a map of the target's network.
  • SamSpade: samspade.org is a web interface that performs whois lookups, forward and reverse DNS searches and traceroutes.
  • Nmap: Unix-based port scanner.
  • ScanLine: Windows NT-based port scanner.
  • Netsparker
  • Acunetix
2. Enumerate information:
  • Brute-force attack to gain access to the system as an authenticated user.

Tools:
  • Netcat: banner grabbing and port scanning, among other things.
  • epdump/rpcdump: gain information about remote procedure call (RPC) services on a server.
  • getmac: Windows NT command for obtaining the media access control (MAC) address, Ethernet-layer address and binding order for a computer running Windows NT 4.0, 2000 or XP.
  • DumpSec: security auditing program for Windows NT.
  • Netsparker
  • Acunetix
3. Obtaining access through user manipulation and privilege escalation:
  1. Social engineering
  2. Brute-force attack

Tools:
  • NetBIOS Auditing Tool: brute-force password tool.
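From the defender's side, the scanning described under footprinting and the brute-force attempts described under steps 2 and 3 both show up as bursts of activity from one source. The following is an added example, not part of the original post: a sliding-window detector run over constructed firewall and logon-audit lines (the log formats, thresholds and addresses are all assumptions made for the example).

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed firewall log (not a real capture): "<timestamp> <src> <dst>:<port> <action>".
FW_LOG = """\
2013-03-24T10:00:01 198.51.100.7 192.0.2.10:21 DENY
2013-03-24T10:00:01 198.51.100.7 192.0.2.10:22 ALLOW
2013-03-24T10:00:02 198.51.100.7 192.0.2.10:23 DENY
2013-03-24T10:00:02 198.51.100.7 192.0.2.10:25 DENY
2013-03-24T10:00:03 198.51.100.7 192.0.2.10:80 ALLOW
2013-03-24T10:00:03 198.51.100.7 192.0.2.10:445 DENY
2013-03-24T10:00:09 203.0.113.5 192.0.2.10:443 ALLOW
"""
# Constructed logon audit log (not a real capture): "<timestamp> <user> <src> <outcome>".
AUTH_LOG = """\
2013-03-24T10:05:00 administrator 198.51.100.7 FAILURE
2013-03-24T10:05:01 administrator 198.51.100.7 FAILURE
2013-03-24T10:05:02 administrator 198.51.100.7 FAILURE
2013-03-24T10:05:03 administrator 198.51.100.7 FAILURE
2013-03-24T10:05:30 jsmith 203.0.113.5 FAILURE
"""

def peak_in_window(events, window):
    """events are (timestamp, key, value) triples; for each key return the largest
    number of distinct values that fall inside any span of length `window`."""
    by_key = defaultdict(list)
    for ts, key, value in events:
        by_key[key].append((ts, value))
    peaks = {}
    for key, items in by_key.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # slide the window forward until it spans <= `window`
            distinct = len({v for _, v in items[start:end + 1]})
            peaks[key] = max(peaks.get(key, 0), distinct)
    return peaks

def detect_port_sweeps(log=FW_LOG, min_ports=6, window=timedelta(seconds=60)):
    """Sources that touch >= min_ports distinct ports inside the window (scanning/sweeping)."""
    events = [(datetime.fromisoformat(ts), src, dst.rsplit(":", 1)[1])
              for ts, src, dst, _action in map(str.split, log.splitlines())]
    return {s: n for s, n in peak_in_window(events, window).items() if n >= min_ports}

def detect_brute_force(log=AUTH_LOG, max_failures=4, window=timedelta(minutes=5)):
    """(user, src) pairs with >= max_failures failed logons inside the window."""
    events = [(datetime.fromisoformat(l.split()[0]), tuple(l.split()[1:3]), i)
              for i, l in enumerate(log.splitlines()) if l.endswith("FAILURE")]
    return {k: n for k, n in peak_in_window(events, window).items() if n >= max_failures}
```

Both detectors share `peak_in_window`, so the same routine can be pointed at other per-source counters (for example distinct target hosts per source for a ping sweep) by changing what is passed as the value.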

4. Gather additional passwords and secrets:
  • SAM (Security Accounts Manager): hashed passwords can be fed to programs like LC3 or John the Ripper.
  • LSA (Local Security Authority)

Tools:
  • pwdump2: can obtain password hashes from the SAM database or Active Directory.
  • lsadump2: exposes the contents of the LSA in clear text.
  • LC3: evaluates Windows NT, 2000 and XP password hashes.
  • John the Ripper: password cracking for several operating systems.
  • Fpipe: a port redirector for Windows systems that allows the source port for redirected traffic to be specified.
