CASE STUDY ON PENETRATION TESTING OF AN AUTHENTICATION ENGINE: 4 CATEGORIZED PROCESSES AND REMEDIATION
With penetration testing, it is possible to evaluate the faults present in applications, infrastructure, and systems that could leave a path open for malicious actors to launch a full-scale cyberattack, whatever the organization's business domain and requirements. Every organization should safeguard its systems with recurring penetration testing.
The case study before you today concerns one of our clients, who operates an authentication engine. The engine provided authentication based on various in-built and third-party libraries, SOAP, and RESTful web services. The breadth of its responsibilities and the number of APIs in operation called for module-based penetration testing.
Tools & Technologies Used For The Penetration Testing
We used the following tools and technologies to complete the process:
- John the Ripper
- Cain & Abel tool
- RESTful and SOAP web services
- Kali Linux
Solution We Provided To Solve The Case
Before the actual test began, we ran scans to identify the system's core components and designed a test plan with multiple test scenarios intended to cover every relevant case. A few of these include:
- Application-level penetration testing
- Infrastructural evaluation
- Network evaluation
We used Nessus to test all Linux machines. Nessus is a highly useful tool for packet sniffing and injection. Our network engineers and security experts collaborated to perform this test on all the Linux machines.
Burpsuite, Maltego, SkipFish
We used the aforementioned tools for testing web-based applications and SOAP web services. These sophisticated tools allow:
- Application Scanning
- Changing Web Requests
- Crawling content
- Intercepting Proxies
The main goal of using these tools is to perform application-level testing, through which we can determine how an application would respond if a malicious user intercepts an HTTPS request.
Authentication Mechanism Evaluation
We checked all the authentication mechanisms to ensure that each had a two-factor authentication system enabled. Two-factor authentication includes features such as:
- Encryption Keys That Change At Regular Intervals
- Security Questions
- Site Key With Strong And Updated Encryptions
Hashing & SSL
For hashing, we always use SHA-256 rather than MD5, because MD5 has well-known weaknesses that can be exploited in several ways.
As for SSL, we carried out a detailed test of all the certificates present on the system to validate their authority.
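To make the hashing point concrete, here is an added example (not code from the case study or the client's engine) showing what a SHA-256 based credential store looks like in practice: a salted, iterated SHA-256 derivation via PBKDF2, constant-time verification, and an audit helper that flags bare MD5 or unsalted SHA-256 records for migration. The record format, iteration count and helper names are this example's own choices.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Example parameters (not taken from the case study): PBKDF2-HMAC-SHA256
# with a per-user random salt and a work factor that slows brute force.
ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt/iterations; compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
        if scheme != SCHEME:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record (wrong field count, bad hex, bad int)
        return False


def classify_record(record: str) -> str:
    """Label a stored credential so an audit can flag what needs re-hashing."""
    if record.startswith(SCHEME + "$"):
        return "salted-sha256"
    if re.fullmatch(r"[0-9a-f]{32}", record.lower()):
        return "legacy-md5"        # bare, unsalted MD5: re-hash on next login
    if re.fullmatch(r"[0-9a-f]{64}", record.lower()):
        return "unsalted-sha256"   # better than MD5, but no salt or work factor
    return "unknown"


def audit_store(store: dict) -> dict:
    """Map each username to the classification of its stored record."""
    return {user: classify_record(rec) for user, rec in store.items()}
```

Running `audit_store` over a dump of the credential table gives a migration list; records that are not `salted-sha256` should be re-hashed with `hash_password` the next time the user authenticates successfully.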
Cain & Abel Tool, John The Ripper
To check password encryption strength on all Windows-based systems, we performed cracking tests against them with the Cain & Abel tool. This tool tries to crack passwords using several methods, including:
- Brute Force
- Network Sniffing
- Routing Protocol Analysis
John the Ripper is another tool with the same functionality and purpose; we use it for Linux-based systems.
After running all of these tests, we found no vulnerabilities, as the client had followed our penetration testing consultancy in full before securing all their systems.