% pentesting.tex
%pen testing
To test a device for vulnerabilities we have to attack it ourselves, under controlled conditions; that is what a penetration test does.
The term ``hacker'' has a double usage in the computer industry (Palmer, 2001). Originally, the term was defined as:
\begin{enumerate}
\item A person who learns the particular details of computer systems and the possible ways to extend their abilities, unlike most users of computers, who learn only the minimum skills necessary.
\item A person who programs enthusiastically, or who enjoys programming rather than merely theorizing about it.
\end{enumerate}
An ethical hacker is defined (SecuritySearch, 2006) as ``a computer or network expert who attacks a system on behalf of its owners, seeking vulnerabilities that a malicious hacker could exploit''. Ethical hacking is one of the growing areas of ethics and information security. The term ``ethical hacker'' has been popularized by corporations that hire security professionals to test their systems for vulnerabilities and describe these individuals as ``ethical hackers''.\cite{ethicalHacking}
The essential terminology is:
\begin{itemize}
\item \textbf{Hack Value:} The notion among hackers that something is worth doing or is interesting.
\item \textbf{Exploit:} To take advantage of a vulnerability in a system in pursuit of some objective. All vulnerability exploitations are attacks, but not all attacks exploit vulnerabilities.\cite{Hacking1}
\item \textbf{Vulnerability:} A hardware, firmware or software flaw that leaves an automated information system (AIS) open to potential exploitation; more generally, a weakness in automated system security procedures, administrative controls, physical layout, internal controls and so forth that could be exploited by a threat to gain unauthorized access to information or disrupt critical processing.
\item \textbf{Target of Evaluation:} An IT system, product or component that is identified as the subject of a required security evaluation.
\item \textbf{Zero-day Attack:} The attacker exploits a vulnerability in an application before its developer has released a patch for it (often before the developer even knows the vulnerability exists).
\item \textbf{Daisy Chaining:} Gaining access to one network or computer and then using the information found there to gain access to further networks and computers. Attackers who get away with database theft usually complete their task and then backtrack to cover their tracks by destroying logs, etc.
\end{itemize}
Information security threats are broadly classified into three categories, as follows:
\subsection{Natural threats}
These include natural disasters such as earthquakes, hurricanes, floods, or any other natural event that cannot be prevented, only prepared for.
\subsection{Physical threats}
These include loss or damage of system resources through fire, water, theft, and physical impact.
\subsection{Human threats}
These can be further classified into three types, as follows.
\subsubsection{Network threats}
A malicious person may break into the communication channel and steal the information travelling over the network.\\
The attacker can impose various threats on a target network:
\begin{itemize}
\item Information gathering: The attacker first tries to learn as much as possible about the target, including credentials that would allow data to be stolen. One way of gathering information is footprinting, which can be passive or active: reviewing the company's website is passive footprinting, whereas calling the help desk and attempting to social engineer privileged information out of them is active information gathering.\cite{Hacking3}
\item Sniffing and eavesdropping: Capturing and reading everything that circulates on a network segment the attacker can observe.
\item Spoofing: Impersonating a legitimate user or host (forging its identity, address or credentials) in order to access the system.
\item Session hijacking: Sometimes also known as cookie hijacking, the exploitation of a valid session (its identifier or session key) to gain unauthorized access to information or services in a computer system.
\item Man-in-the-middle attacks: The attacker acquires the ability to read, insert and modify at will the messages between two parties, without either of them knowing that the link between them has been compromised.
\item SQL injection: Inserting SQL code through untrusted input so as to alter the queries the application runs against its database.
\item ARP poisoning: A technique by which an attacker sends forged Address Resolution Protocol (ARP) messages onto a local area network. Generally, the aim is to associate the attacker's MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead.
\item Password-based attacks: Trying to discover the password of a system in order to access it. The most commonly used variants are brute-force attacks and dictionary attacks.
\item Denial of service attack: An attack on a computer system or network that makes a service or resource unavailable to its legitimate users.
\item Compromised-key attack: Occurs when the attacker obtains the key, i.e. the secret code or number used to encrypt, decrypt or validate secret information.
\end{itemize}
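The ARP poisoning entry above describes the attacker binding their own MAC address to the gateway's IP. The following is an added example, not code from the original document: a small detector that reads a constructed stream of ARP replies and flags the two signatures of poisoning (an IP whose MAC changes from its trusted or first-seen binding, and a single MAC claiming several IPs). The topology, the gateway's trusted MAC and the replies are assumptions; a real detector would take the replies from a packet capture or a sniffer.

```python
"""Detecting ARP cache poisoning from observed ARP replies.

Added example, not code from the original document. The replies below are
constructed for illustration; a real detector would take them from a packet
capture or a sniffer, or from periodic ARP-table snapshots.
"""
from collections import defaultdict

# Assumed topology: 192.168.1.1 is the default gateway and its real MAC is
# known in advance (e.g. recorded during a clean baseline).
TRUSTED_BINDINGS = {"192.168.1.1": "aa:bb:cc:00:00:01"}

# Constructed sample of ARP "is-at" replies as (sender IP, sender MAC).
# An attacker at de:ad:be:ef:00:99 claims both the gateway's IP and a
# victim's IP, which is how traffic between them gets redirected through
# the attacker's host.
SAMPLE_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # legitimate gateway reply
    ("192.168.1.20", "aa:bb:cc:00:00:20"),  # victim workstation
    ("192.168.1.30", "aa:bb:cc:00:00:30"),  # unrelated host
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # attacker claims the gateway IP
    ("192.168.1.20", "de:ad:be:ef:00:99"),  # attacker claims the victim IP
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # real gateway answers again
]


def detect_arp_poisoning(replies, trusted=None):
    """Return a list of alert strings for suspicious IP-to-MAC bindings.

    Two signals are used:
      * an IP is announced with a MAC different from the trusted (or
        first-seen) binding for that IP;
      * one MAC claims more than one IP, the signature of an attacker
        poisoning both ends of a conversation.
    The first-seen binding is deliberately kept rather than overwritten,
    so the legitimate host re-announcing itself does not raise an alert.
    """
    bindings = dict(trusted or {})      # ip -> trusted or first-seen mac
    claimed = defaultdict(set)          # mac -> set of ips it has claimed
    alerts = []
    for ip, mac in replies:
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac
        elif known != mac:
            alerts.append(f"{ip} changed from {known} to {mac}")
        first_claim = ip not in claimed[mac]
        claimed[mac].add(ip)
        if first_claim and len(claimed[mac]) > 1:
            alerts.append(f"{mac} claims multiple IPs: {sorted(claimed[mac])}")
    return alerts


def run_sample():
    """Run the detector over the constructed replies."""
    return detect_arp_poisoning(SAMPLE_REPLIES, TRUSTED_BINDINGS)


if __name__ == "__main__":
    for alert in run_sample():
        print("ALERT:", alert)
```

Keeping the trusted or first-seen binding instead of updating it on every reply is what lets the detector distinguish the real gateway answering again (no alert) from the attacker's forged reply (alert); a host whose NIC is genuinely replaced will also trigger it, so in practice the baseline has to be refreshed on known changes.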
\subsubsection{Host threats}
These are directed at a particular system on which valuable information resides.\\
The following are possible threats to the hosts:
\begin{itemize}
\item Malware attacks: Software whose purpose is to damage or take control of the system it gains access to.
\item Target footprinting: Allows the attacker to gain information about the target system.
\item Password attacks: The same techniques as the password-based attacks on networks.
\item Arbitrary code execution: The attacker runs code of their choosing on the host; SQL injection is one of the attacks that can lead to it.
\item Unauthorized access: The act of gaining access to a network, system, application or other resource without permission.
\item Privilege escalation: An intrusion that takes advantage of programming errors or design flaws to grant the attacker elevated access to the system and its associated data and applications.
\item Backdoor attacks: A backdoor is a means of access to a computer program that bypasses its security mechanisms.
\item Physical security threats: A malicious agent can damage computers by physical attacks, such as setting them on fire or breaking them.
\item Denial of service attacks: An attack on a computer system or network that makes a service or resource unavailable to its legitimate users.
\end{itemize}
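The password attacks listed here and in the network threats above are described only by name (brute force and dictionary). The following added example, which is not code from the original document, implements both against a salted hash so the difference in cost is visible: the dictionary attack needs one hash per candidate word, while brute force must walk the whole space of short strings. The salt, the weak one-round SHA-256 scheme and the wordlist are constructed assumptions.

```python
"""Dictionary and brute-force attacks against a salted password hash.

Added example, not code from the original document. The salt, the stored
hash and the wordlist are constructed for illustration; a real attack would
load a leaked hash file and a large wordlist.
"""
import hashlib
import itertools
import string

# Constructed: a per-user salt and a deliberately weak scheme (one round of
# salted SHA-256) of the kind still found in home-grown applications.
SALT = bytes.fromhex("0badcafe0badcafe")
WORDLIST = ["123456", "password", "letmein", "qwerty", "admin", "welcome"]


def hash_password(password, salt=SALT, rounds=1):
    """Salted SHA-256 applied `rounds` times; rounds=1 is the weak case."""
    digest = salt + password.encode()
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest


def dictionary_attack(target, wordlist=WORDLIST, salt=SALT, rounds=1):
    """Hash each candidate word and compare; return (password, attempts)."""
    for attempts, word in enumerate(wordlist, start=1):
        if hash_password(word, salt, rounds) == target:
            return word, attempts
    return None, len(wordlist)


def brute_force(target, alphabet=string.ascii_lowercase, max_len=3,
                salt=SALT, rounds=1):
    """Exhaustively try every string up to max_len over alphabet.

    The search space grows as sum(len(alphabet) ** n for n in 1..max_len);
    lengthening the password or widening the alphabet is what defeats
    this attack, and raising `rounds` multiplies the cost of every guess.
    """
    attempts = 0
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            attempts += 1
            candidate = "".join(chars)
            if hash_password(candidate, salt, rounds) == target:
                return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    print(dictionary_attack(hash_password("letmein")))   # ('letmein', 3)
    print(brute_force(hash_password("cab")))              # ('cab', 2056)
    print(dictionary_attack(hash_password("correct horse battery")))  # (None, 6)
```

The same loop is what a cracking tool runs, only faster: the defender's levers are the ones visible in the code, a password outside any wordlist and long enough that the product space is infeasible, and a hashing scheme whose per-guess cost (many rounds, or a purpose-built KDF) makes each attempt expensive.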
\subsubsection{Application threats}
Applications might be vulnerable to different types of application attacks.\\
The following are possible threats to the application:
\begin{itemize}
\item Data/input validation: Data entering the application may be malformed or malicious; if it is not validated, it can compromise the application.
\item Authentication and authorization attacks: The application's credentials or session tokens may be sniffed or spoofed to bypass authentication and authorization.
\item Configuration management: The application may have security holes in its configuration files.
\item Information disclosure: Aimed at acquiring system-specific information about a web site, including software distribution, version numbers and patch levels.
\item Session management issues: Weak or predictable session identifiers, or sessions that never expire, make session hijacking possible.
\item Buffer overflow issues: Occur when a program writes more data into a buffer than was allocated for it, overwriting adjacent memory; this can allow arbitrary code to be executed.
\item Cryptography attacks: Methods of circumventing the security of a cryptographic system.
\item Parameter tampering: A form of Web-based attack in which certain parameters in the Uniform Resource Locator (URL) or in Web page form field data entered by a user are changed without that user's authorization.
\item Improper error handling and exception management: If errors or exceptions are not handled properly they can provide valuable information to attackers.
\item Auditing and logging issues: Missing or insufficient logs hide an attack, and exposed logs are another way to get the information needed to attack the system.
\end{itemize}
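SQL injection appears in the network and host threat lists above and underlies the data/input validation entry here. One added example serves all three; it is not code from the original document. It builds a constructed in-memory SQLite table, shows a login query that pastes user input into the SQL text, and shows the same query parameterised, so the reader can see the tautology payload bypass the first and fail against the second. The table contents, the payload and the plaintext password storage are assumptions made for the demonstration.

```python
"""SQL injection: a vulnerable login query beside its parameterised fix.

Added example, not code from the original document. The users table and
the plaintext passwords are constructed for illustration (storing plaintext
passwords is itself a weakness; it keeps the example focused on the query).
"""
import sqlite3


def make_db():
    """Constructed in-memory database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Untrusted input is pasted into the SQL text: the classic mistake."""
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Parameterised query: values travel separately from the statement,
    so nothing the user types can change its structure."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


# Constructed payload. In the vulnerable version the statement becomes
#   ... WHERE username = 'x' OR '1'='1' --' AND password = 'whatever'
# The tautology matches every row and the trailing comment discards the
# password check, so the first user (the admin) is returned.
BYPASS_USERNAME = "x' OR '1'='1' --"


def demo():
    """Return (vulnerable result, safe result) for the bypass payload."""
    conn = make_db()
    return (login_vulnerable(conn, BYPASS_USERNAME, "whatever"),
            login_safe(conn, BYPASS_USERNAME, "whatever"))


if __name__ == "__main__":
    vuln, safe = demo()
    print("vulnerable:", vuln)   # ('alice', 'admin')
    print("safe:      ", safe)   # None
```

Input validation on its own (rejecting quotes, say) is a weaker fix than the placeholder form, because the set of characters that matter depends on the database and on where in the statement the value lands; with placeholders the value is never parsed as SQL at all.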
%Links consulted for the pentesting task:
%\begin{itemize}
% \item \href{https://www.youtube.com/watch?v=zUok5HeZGyA}{IoT penetration for ZigBee}
% \item \href{http://blog.attify.com/2016/06/30/guide-to-iot-pentesting/}{Guide to pentesting IoT}
% \item \href{https://www.securityartwork.es/2014/05/13/python-para-el-pentest-introduccion/}{Python pentesting}
% \item \href{https://www.cybrary.it/0p3n/heathen-iot-pentesting-framework-released/}{Framework pentesting}
% \item \href{https://github.com/phodal/awesome-iot}{IoT github}
%\end{itemize}
%
%Currently there are a lot of IoT devices. The following links show different classifications.
%\begin{itemize}
% \item \href{http://iotlist.co/}{Here we can find a large number of IoT devices}
%
% \item \href{https://www.micrium.com/iot/devices/}{Here we can find a company dedicated to providing features that help developers build microprocessor, microcontroller or DSP-based devices, and an explanation of how IoT works}
% \item \href{http://www.pcmag.com/article2/0,2817,2410889,00.asp}{Popular smart home devices}
%\end{itemize}
% \item \href{https://www.bbvaopenmind.com/7-tendencias-de-internet-de-las-cosas-en-2017/}{not very useful}
%\item \href{https://www.postscapes.com/internet-of-things-award/connected-home-products/}{\IoT most popular}
%\item \href{https://www.postscapes.com/internet-of-things-award/winners/}{\IoT popular 2017}
%http://www.beyondsecurity.com/security_testing_iot_internet_of_things.html