Category: Case Studies
CASE STUDY ON PENETRATION TESTING OF AN AUTHENTICATION ENGINE: 4 CATEGORIZED PROCESS AND REMEDIATION
Penetration testing makes it possible to evaluate the faults in applications, infrastructure, and systems that could leave a path open for malicious entities to launch a full-scale cyberattack, irrespective of the organization's business domain and requirements. That is why every organization must safeguard its systems with regular penetration testing.
The Case
Today's case study is about one of our clients who had an authentication engine that needed to be tested. The engine provided authentication based on various built-in and third-party libraries, SOAP, and RESTful web services. The criticality of the engine's responsibilities and the number of APIs in operation called for module-by-module penetration testing.
Tools & Technologies Used for Penetration Testing
We used the following tools to complete the test process:
- BurpSuite
- Cain & Abel Tool
- John The Ripper
- Kali Linux
- RESTful and SOAP Web Services
- Maltego
- Nessus
- Skipfish
Solution We Provided To Solve The Case
Initiation
Before the actual test began, we ran scans to identify the system's core components and designed a test plan with multiple test scenarios intended to cover every relevant case. A few of these include:
- Application-level penetration testing
- Infrastructural evaluation
- Network evaluation
Nessus
We used Nessus to test all Linux machines. Nessus is a highly useful tool for packet sniffing and injecting. Our network engineers and security experts collaborated to perform this test on all the Linux machines.
Burpsuite, Maltego, SkipFish
We used the aforementioned tools for testing web-based applications and SOAP web services. These sophisticated tools allow:
- Application Scanning
- Changing Web Requests
- Crawling content
- Intercepting Proxies
The main goal of using these tools is to perform application-level testing, through which we can determine how the application responds when a malicious user intercepts an HTTPS request.
Authentication Mechanism Evaluation
We checked all the authentication mechanisms to ensure that each had a two-factor authentication system enabled. Two-factor authentication includes features like:
- Captcha
- Encryption Keys That Change At Regular Intervals
- Security Questions
- Site Key With Strong And Updated Encryptions
Hashing & SSL
For hashing, we always use SHA-256 instead of MD5, because MD5 has known weaknesses that can be easily exploited.
For SSL, we examined every certificate present on the system in detail to validate its issuing authority.
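The hashing point above is the kind of check an auditor applies to stored credentials. The following Python is an added example, not code from the client's engine or from any tool on this page: it recognizes legacy MD5 and unsalted SHA-256 entries by their format, reports them, and upgrades each legacy entry to salted PBKDF2-HMAC-SHA256 (SHA-256 applied the way password storage needs it) at the user's next successful login. The sample records and passwords are constructed, and the iteration count and storage format are assumptions.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Optional

PBKDF2_ITERATIONS = 200_000  # assumption: tune to the deployment's latency budget
HEX_RE = re.compile(r"^[0-9a-f]+$")


def _md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def _sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample credential store: two legacy formats, computed from placeholder passwords.
SAMPLE_RECORDS: Dict[str, str] = {
    "alice": _md5_hex("correct horse"),     # unsalted MD5
    "bob": _sha256_hex("battery staple"),   # unsalted SHA-256: stronger digest, still no salt
}


def classify_hash(stored: str) -> str:
    """Label a stored hash by its format: md5 / sha256-unsalted / pbkdf2_sha256 / unknown."""
    if stored.startswith("pbkdf2_sha256$"):
        return "pbkdf2_sha256"
    if HEX_RE.match(stored):
        if len(stored) == 32:
            return "md5"
        if len(stored) == 64:
            return "sha256-unsalted"
    return "unknown"


def audit_hashes(records: Dict[str, str]) -> Dict[str, str]:
    """Return {user: label} for every record that is not yet PBKDF2-SHA256."""
    return {user: classify_hash(h) for user, h in records.items()
            if classify_hash(h) != "pbkdf2_sha256"}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; assumed storage format: pbkdf2_sha256$iters$salt_hex$dk_hex."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Verify against whichever format the record uses, with constant-time comparison."""
    label = classify_hash(stored)
    if label == "md5":
        return hmac.compare_digest(stored, _md5_hex(password))
    if label == "sha256-unsalted":
        return hmac.compare_digest(stored, _sha256_hex(password))
    if label == "pbkdf2_sha256":
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False


def verify_and_upgrade(records: Dict[str, str], user: str, password: str) -> bool:
    """Check a login; on success, transparently rehash a legacy entry to PBKDF2-SHA256."""
    stored = records.get(user)
    if stored is None or not verify_password(stored, password):
        return False
    if classify_hash(stored) != "pbkdf2_sha256":
        records[user] = hash_password(password)
    return True


if __name__ == "__main__":
    print("before:", audit_hashes(SAMPLE_RECORDS))
    verify_and_upgrade(SAMPLE_RECORDS, "alice", "correct horse")
    print("after alice logs in:", audit_hashes(SAMPLE_RECORDS))
```

The audit function is what a tester runs over an exported credential table; the upgrade-on-login path is how the finding is remediated without forcing a password reset, since the plaintext is only available at login time.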
Cain & Abel Tool, John The Ripper
To check the strength of stored passwords on all Windows-based systems, we performed cracking tests against those systems with the Cain & Abel tool. The tool tries several methods to crack a password, including:
- Brute Force
- Cryptanalysis
- Dictionary
- Network Sniffing
- Routing Protocol Analysis
John The Ripper is another tool with the same functionality and purpose, but we use it for Linux-based systems.
Conclusion
After running all of these tests, we found no vulnerabilities, as the client had taken our full consultancy on penetration testing before securing all their systems.