An Analysis Of Tools, Techniques, And Mathematics Involved In A Penetration Test

In the security arena, there are two main approaches to carrying out security measures, namely offensive and defensive. Penetration testing combines these two methodologies to help detect and eliminate vulnerabilities. Penetration testing simulates real attacks to properly assess the potential consequences of a security breach; furthermore, penetration testers not only discover vulnerabilities but actively exploit vulnerabilities to identify the systems and data potentially at risk. Using a virtual lab and Appalachian State University’s Computer Science Department’s student server as targets, this thesis introduces the idea of a penetration test, provides a demonstration of selected tools, investigates efficiency issues of various attacks, and ultimately offers an inspection of the information obtained. An effective and efficient password cracking attempt is illustrated by discovering, analyzing, and interpreting the mathematics that underlie the Secure Hashing Algorithm. This work exposed significant security vulnerabilities on the student machine, including an exploit that can be executed by a regular user to obtain root access unobtrusively. In addition, student account passwords are, by default, very insecure. After using an exploit to obtain the password and shadow files, it was found that 60% of the passwords can be cracked in just over 24 hours.