Security AppScan

  1. Introduction:

IBM Security AppScan, previously known as IBM Rational AppScan, is a family of web security testing and monitoring tools from the Rational Software division of IBM. AppScan is intended to test Web applications for security vulnerabilities during the development process, when it is least expensive to fix such problems. The product learns the behavior of each application, whether an off-the-shelf application or internally developed, and develops a program intended to test all of its functions for both common and application-specific vulnerabilities.


  • AppScan Enterprise Edition – Client-server version used to scale security testing.
  • AppScan Standard Edition – Desktop software for automated Web application security testing, for IT security staff, auditors, and penetration testers.
  • AppScan Source Edition – Prevents data breaches by locating security flaws in the source code.
  • AppScan Dynamic Analyzer – Helps secure web applications deployed on IBM Bluemix.
  • AppScan Mobile Analyzer – Helps secure mobile applications by detecting dozens of pervasive, published security vulnerabilities.
  • Arxan Application Protection for IBM Solutions – Extends vulnerability analysis capabilities to mobile application hardening and runtime protection.
  • Virtual Forge CodeProfiler for IBM Security AppScan Source – Identifies and remediates vulnerabilities in Advanced Business Application Programming (ABAP) code.

  2. Installing AppScan:

System requirements

A summary of the minimum hardware and software required to run Rational AppScan, Version 8.0.

Hardware requirements:

Processor: Pentium® P4, 2.4 GHz
Memory: 2 GB RAM
Disk space: 30 GB
Network: 1 NIC, 100 Mbps, with TCP/IP configured

Operating system and software requirements:

Operating system (32-bit and 64-bit editions supported):

  • Windows® XP: Professional, SP2 and SP3
  • Windows 2003: Standard and Enterprise, SP1 and SP2
  • Windows Vista: Business, Ultimate and Enterprise, SP1 and SP2
  • Windows Server 2008: Standard and Enterprise, SP1 and SP2

Note: Rational AppScan smart tags, used when creating custom reports, are not supported on Vista or Windows Server 2008.

Browser: Microsoft® Internet Explorer Version 6 or later

Other: Microsoft .NET Framework Version 2.0 or later (Version 3.0 or later is required for some optional, additional functionality).

(Optional) Adobe® Flash Player for Internet Explorer, Version through inclusive, is required for Flash execution (and for viewing instructional videos in some of the advisories). Earlier and later versions are not supported for Flash execution. For instructions on downloading a supported version see the main User Guide or Online Help.

(Optional) Word 2003 or 2007 for using AppScan® smart tags to insert fields for custom report templates. In the case of Word 2003 the following update must also be installed: Update for Office 2003: KB907417

Installation procedure:

  1. Close any Microsoft Office applications that are open.

Note: If you have Microsoft Word 2003 or higher installed, Rational AppScan smart tags will be added to its smart tag options during installation. These can be used to insert field codes for creating custom report templates. For this to be done, Microsoft Word and any other Microsoft Office programs that use it (such as Microsoft Outlook) must be closed during installation.

  2. Start Rational AppScan Setup and follow the online instructions. The Installation wizard guides you through the fast and simple installation.

Note: Depending on your operating system, .NET Framework Version 2.0 or 3.0 may be required to operate Rational AppScan. If you have an earlier version, or do not yet have it at all, you are asked if you want to install the required version. (If you select No, installation stops, as Rational AppScan cannot function correctly without the correct version of .NET Framework.)

  3. You will be asked if you want to install/download GSC (Generic Service Client). This is necessary for exploring Web services in order to configure a Web services scan, but is not needed if you will be scanning only Web applications.
  • If the GSC installation file is available locally, you are asked if you want to install GSC. If you click Yes it is installed and the Rational AppScan installation completes.
  • If the GSC installation file is not available locally you are asked if you want to download it, and the Rational AppScan installation completes. To download the GSC installation file click Yes and save the file to your computer. After the download is complete, double-click the file to install GSC for use with Rational AppScan in scanning Web services.
  • Silent install: You can install Rational AppScan "silently", using the command line and the following parameters: AppScan_Setup.exe /z"InstallMode" /l"LanguageCode" /s /v"INSTALLDIR=\"InstallPath\""

    Note: Silent installation automatically installs or updates .NET Framework Version 2.0 or 3.0, if required for your operating system.

    Important: If you wish to install Generic Service Client (required for scanning Web services, but not for scanning only Web applications) at the same time as you install Rational AppScan, you must run the command line from the folder that contains both the setup (.exe) files.


    To install an English version of Rational AppScan in the default directory enter:

    AppScan_Setup.exe /l"1033" /s

    To install Japanese versions of Rational AppScan and GSC in the default directories enter:

    AppScan_Setup.exe /z"GSC" /l"1041" /s

    Note: To include GSC in the installation, this command must be run from the folder that contains both the Rational AppScan and the GSC setup (.exe) files.

    To install a Korean version of Rational AppScan in D:\Program Files\AppScan\ enter:

    AppScan_Setup.exe /l"1042" /s /v"INSTALLDIR=\"D:\Program Files\AppScan\""

    To uninstall:

    AppScan_Setup.exe /z"REMOVE" /s

  • Test-run: If you have an evaluation copy of Rational AppScan (i.e. you have not purchased a license), you can "test-run" the product by scanning IBM's "AltoroMutual Bank" website, which has been created for demonstration purposes. Use the following URL and login credentials:

    URL

    Username: jsmith

    Password: demo1234

    Note: If you are using an evaluation copy of AppScan, the AltoroMutual Bank website is the only site you can scan.

  • Scan stages and scan phases: A Rational AppScan Full Scan consists of two stages: Explore and Test. It is useful to understand the principle behind this, even though most of the scan process is in fact seamless to the user, and little user input is required until the scan is complete.

    Explore stage: During the first stage, the site is explored and an application tree is constructed. This is the Explore stage. AppScan analyzes the responses to each request it sends, looking for any indication of a potential vulnerability. When AppScan receives responses that may indicate security vulnerability, it automatically creates tests, as well as noting the validation rules needed to determine which results constitute vulnerability, and the level of security risk involved.

    Test stage: During the Test stage, AppScan sends thousands of custom test requests that it created during the Explore stage. It records and analyzes the application’s response to identify security problems and rank their level of security risk.

    Scan phases: In practice, the Test stage frequently reveals new links within a site, and more potential security risks. Therefore, after completing the first “phase” of Explore and Test, AppScan automatically begins a new “phase” to deal with the new information. (The default number of phases is four.)

  • Web applications vs Web services: AppScan can scan both Web applications and Web services.

    Web applications: In the case of regular applications (without Web services) it may be sufficient to supply AppScan with the start URL and login authentication credentials for it to be able to test the site. If necessary you can also manually crawl the site, to give AppScan access to areas that can only be reached through specific user input.

    Web services: In the case of Web services the integrated Generic Service Client (GSC) uses the service’s WSDL file to display the individual methods available in a tree format, and creates a user-friendly GUI for sending requests to the service. You can use this interface to input parameters and view the results. The process is “recorded” by AppScan and used to create tests for the service.


Main panes:

View selector: Selects which of the result views is displayed.
Application Tree: As the scan progresses the application tree is populated. By the end of the scan the tree shows all the folders, URLs and files that were found in your application.
Result list: Shows relevant results for the selected node in the application tree.
Detail pane: Shows relevant details for the selected node in the result list, in three tabs: Advisory, Fix Recommendation, and full Request/Response.
Dashboard: Shows information about the current results in the form of panels that can be "played" in succession.

  • Workflow:

This section describes a simple workflow using the Scan Configuration Wizard, most suited to new users, or users with a pre-configured scan template. More advanced users may prefer to configure their scan using the Scan Configuration dialog box, Explore some of the site manually (to show Rational AppScan some typical user behavior), and then start the scan.

To scan using the wizard:

  1. Select a scan template. (You can later adjust the configuration as required.)
  2. Open the Scan Configuration wizard and choose Web Application Scan or Web Service Scan.
  3. Use the wizard to set up the scan:

To scan an application:

  1. Type in the starting URL.
  2. (Recommended) Perform the login procedure manually.
  3. (Optional) Review the Test Policy.

To scan a Web service:

  1. Type in the WSDL file location.
  2. (Optional) Review the Test Policy.
  3. Use Generic Service Client (which opens automatically) to send requests to the service while Rational AppScan records your input and the responses received.

Note: You must send at least one request to the service for AppScan to be able to test it.

  4. (Optional, applications only) Run Scan Expert:
     a. Run Scan Expert to review the effectiveness of your configuration for the application being scanned.
     b. Review suggested configuration changes and apply selectively. Note: You can configure Scan Expert to perform its analysis and apply some of its recommendations automatically, when you start the scan.
  5. Start Automatic Scan.
  6. (Optional) Run Result Expert to process scan results and add information to the Issue Information tab (Detail pane).
  7. (Optional) Run Malware Tests to analyze pages and links on your site for malicious or otherwise unwanted content. Note: Malware Test uses data gathered during the Explore stage of a regular scan, so you must have some Explore results for it to function.
  8. Review Results to evaluate the security status of the site (Result Expert can help you with this), and:
  • Explore additional links manually
  • Print Reports
  • Review remediation tasks
  • Log defects to your defect tracking system

Scan configuration:

This section describes standard application scan configuration using the wizard. For advanced configuration methods, and details of Web service scan configuration, refer to the main user guide and online help.


  1. Launch AppScan.
  2. In the Welcome Screen, click Create new Scan.
  3. In the New Scan dialog box, verify that the Launch wizard checkbox is selected.
  4. In the Predefined Templates area, click Default to use the default template. (If you are using AppScan to scan one of the test sites for which there is a specialized pre-defined template, select that template: Demo.Testfire, Foundstone, or WebGoat.)
  5. Select Web Application Scan, and click Next for Step 1 of the three-stage setup.
  6. Type in the URL where the scan will start. Note: Click Advanced if you need to add additional servers or domains.
  7. Click Next to advance to Step 2.
  8. Select Recorded Login, then click New. A message appears describing the procedure for recording a login.
  9. Click OK. The embedded browser opens with the Record button pressed (grayed out).
  10. Browse to the login page, record a valid login sequence, and then close the browser.
  11. In the Session Information dialog box, review the login sequence and click OK.
  12. Click Next to advance to Step 3. At this stage you can review the Test Policy that will be used for the scan (i.e. which test categories are used for the scan). Note: By default all except invasive tests are used. Note: The Advanced button lets you control additional test options, including privilege escalation (testing the extent to which privileged resources are accessible to users with insufficient access privileges) and multiphase scanning.
  13. The In-Session Detection checkbox is selected by default, and text indicating that the response is “in-session” is highlighted. During the scan AppScan sends heartbeat requests, checking the responses for this text to verify that it is still logged in (and logs in again as necessary). Verify that the highlighted text is indeed proof of a valid session.
  14. Click Next.
  15. Select the appropriate radio button to start Automatic Scan, start with Manual Explore or Later (to start the scan later by clicking the Start icon on the toolbar).
  16. (Optional) By default the Scan Expert checkbox is selected so that Scan Expert will run when you complete the wizard. You can clear this to proceed directly to the scan stage.
  17. Click Finish to exit the wizard.
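The in-session detection of step 13, as an added Python illustration (not AppScan code): a recorded marker that appears only in logged-in responses is checked by periodic heartbeat requests, and the recorded login is replayed when the marker is missing. `FakeApp` is a constructed target whose session expires after a fixed number of requests; `SessionAwareScanner` and `run_scan` are this example's own names. The jsmith/demo1234 credentials are the demo ones quoted earlier on this page. Setting `every=0` disables the heartbeat so the effect can be compared: without it, tests sent after the session has expired go out unauthenticated, which silently produces false negatives.

```python
class FakeApp:
    """Constructed target: a session token is valid for `ttl` requests, after
    which the app returns its sign-in page instead of the requested page."""
    def __init__(self, ttl):
        self.ttl = ttl
        self.sessions = {}
        self.logins = 0

    def login(self, username, password):
        self.logins += 1
        token = f"s{self.logins}"
        self.sessions[token] = self.ttl
        return token

    def get(self, path, token):
        remaining = self.sessions.get(token, 0)
        if remaining <= 0:
            return "<h1>Please sign in</h1>"
        self.sessions[token] = remaining - 1
        return f"<p>Welcome, jsmith. <a href='/logout'>Sign out</a></p><!-- {path} -->"

def in_session(body, marker):
    """The in-session check: the recorded marker text must be in the response.
    Pick a marker that only a logged-in page contains (a sign-out link here)."""
    return marker in body

class SessionAwareScanner:
    """Replays the recorded login, sends a heartbeat every `every` page
    requests, and logs in again when the marker is missing."""
    def __init__(self, app, credentials, marker, every=3):
        self.app, self.credentials, self.marker, self.every = app, credentials, marker, every
        self.token = None
        self.sent = 0
        self.out_of_session = 0  # page responses that came back logged out

    def _login(self):
        self.token = self.app.login(*self.credentials)

    def heartbeat(self):
        body = self.app.get("/", self.token)
        if not in_session(body, self.marker):
            self._login()  # session expired: replay the recorded login

    def request(self, path):
        if self.token is None:
            self._login()
        if self.every and self.sent and self.sent % self.every == 0:
            self.heartbeat()
        self.sent += 1
        body = self.app.get(path, self.token)
        if not in_session(body, self.marker):
            self.out_of_session += 1  # a test sent while logged out is wasted
        return body

def run_scan(paths, ttl=7, every=3, marker="Sign out"):
    """Drive the scanner over `paths` and report how many logins happened and
    how many page requests were answered out of session."""
    app = FakeApp(ttl)
    scanner = SessionAwareScanner(app, ("jsmith", "demo1234"), marker, every)
    for path in paths:
        scanner.request(path)
    return {"logins": app.logins, "out_of_session": scanner.out_of_session}

if __name__ == "__main__":
    pages = [f"/page{i}" for i in range(10)]
    print("with heartbeat:", run_scan(pages))
    print("without heartbeat:", run_scan(pages, every=0))
```

With a session that lasts seven requests and a heartbeat every three, ten page requests cost one re-login and zero wasted requests; with the heartbeat disabled the last three requests are answered by the sign-in page. The same reasoning is why the wizard asks you to verify that the highlighted text is really proof of a valid session: a marker that also appears on the sign-in page would never trigger a re-login.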
  • Manual exploring:

Manual Explore lets you browse the application yourself, clicking on links and inputting data. AppScan records your actions, and uses the data to create tests. There are three reasons you might want to explore manually:

  • To pass anti-automation mechanisms (such as the requirement to type in a random word, displayed as an image)
  • To explore a specific user process (the URLs, files and parameters that a user would access given a certain scenario)
  • Because interactive links were discovered during a scan, and you want to fill in the required data to enable a more thorough scan

Note: After creating a Manual Explore, you may want to continue with an automatic Explore stage, so that the scan covers your entire application.

  • Procedure:
  1. Click Scan > Manual Explore. The embedded browser opens.
  2. Browse the site, clicking on links and filling in fields as required.
  3. When finished, close the browser.

  Note: You can create a manual explore that contains multiple processes by clicking Pause, browsing to a different location, and then clicking Record to resume recording.

  The Explored URLs dialog box appears, displaying the URLs that you visited.

  4. Click OK.
  5. AppScan checks if any of your input is suitable for adding to the Automatic Form Filler, presents a list, and asks whether you want to add All, None or Selected Parameters.
  • If you want some of your input to be added to the Automatic Form Filler, click Add Selected. Then select items in the Temporary Form Parameters list, and click Move (to move them to the Existing Form Parameters list). Then click OK.
  6. Click OK. AppScan analyzes the URLs that you crawled and creates tests based on this analysis.
  7. To run the new tests, click Scan > Continue Scan.
  • Scanning:

When the scan begins, the Progress Panel appears in the upper part of the screen, and together with the status bar (along the bottom of the screen), shows details of scan progress. The panes are populated with real-time results as they are processed.


  • Scheduling scans:

You can schedule scans to start automatically once or at regular intervals.

  1. Click Tools > Scan Scheduler, then click New.
  2. Type in a name for the schedule, and fill in the options you require:
  • Select Current Scan or a Saved scan (if Saved, browse to the required .scan file)
  • Select Daily, Weekly, Monthly, or Once Only
  • Select Date and Time for the scan
  • Type in Domain Name and Password
  3. Click OK.

The schedule name appears in the Scan Scheduler dialog box.

  • Working with results:

Result views

Results can be displayed in three views: Security Issues, Remediation Tasks, and Application Data. The view is selected by clicking a button in the view selector. The data displayed in all three panes varies with the view selected.

Security Issues view: Shows the actual issues discovered, from overview level down to individual requests/responses. This is the default view.
  • Application Tree: Complete application tree. Counters next to each item show the number of issues found for the item.
  • Result List: Lists issues for the selected node in the application tree, and the severity of each issue.
  • Detail Pane: Shows advisory, fix recommendations and request/response (including all variants used) for the issue selected in the Result List.

Remediation Tasks view: Provides a To Do list of specific remediation tasks to fix the issues found by the scan.
  • Application Tree: Complete application tree. Counters next to each item show the number of fix recommendations for that item.
  • Result List: Lists remediation tasks for the selected node in the application tree, and the priority of each task.
  • Detail Pane: Shows details of the remediation task selected in the Result List, and all the issues that this remediation will solve.

Application Data view: Shows script parameters, interactive URLs, visited URLs, broken links, filtered URLs, comments, JavaScripts and cookies from the Explore stage.
  • Application Tree: Complete application tree.
  • Result List: Select a filter from the pop-up list at the top of the Result List to determine which information is displayed.
  • Detail Pane: Details of the item selected in the Result List.

Unlike the other two views, the Application Data view is available even if AppScan has only completed the Explore stage. Use the pop-up list at the top of the Result List to filter the data.

Severity levels

The Result List displays the issues for whatever item is selected in the application tree. These can be for:

  • Root level: All site issues are displayed
  • Page level: All issues for the page
  • Parameter level: All issues for a particular request to a particular page

Each issue is assigned one of four security levels:

  • High security issue
  • Medium security issue
  • Low security issue
  • Informational security issue
  • Security issues tabs: In Security Issues view the vulnerability details for the selected issue appear in the Detail pane in four tabs:
    Issue Information: A summary of the information available on the other Detail pane tabs. Its main purpose is to display additional information added by Result Expert. This information includes CVSS Metric scores for the issue, and relevant screenshots, that can be saved with the results and included in reports.
    Advisory: Technical details on the selected issue and links for more information: what has to be fixed and why.
    Fix Recommendations: The exact tasks that should be done to make your web application secure against the specific selected issue.
    Request/Response: Shows the specific tests that were sent to the application, and its response (can be viewed as HTML or in a Web browser).

    Variants: If there are variants (different parameters that were sent to the same URL), they can be viewed by clicking the < and > buttons at the top of the tab.

    Two tabs at the right of this tab let you view Variant Details and add a Screenshot that will be saved with the results.


  • Result Expert: Result Expert consists of various modules that are used to process scan results. The processed results are added to the Issue Information tab of the Detail pane, making the information displayed there more comprehensive and detailed, including screen shots where relevant.

    Result Expert is usually run automatically following a full scan; however, it can also be run manually at any time, on full or partial scan results. When time is limited and the volume of results is large, you may decide not to run Result Expert, or to disable one or more of its modules. To update the Issue Information tabs of all issues found, click Tools > Run Scan Expert.


  • Testing for malware: The Test for malware feature tests your application for malware and links to malicious external domains. It does this by analyzing results obtained from the Explore stage of a regular scan. It is run as a separate set of tests after a regular scan, or at least after the Explore stage of a regular scan. The Malware Test icon is only active when there are existing Explore results.

    The feature consists of two modules:

    Check application content for malicious patterns: Analyzes your application content, as well as content available from links that lead to other domains, for malware patterns, such as malicious executable code. This module can check for malicious patterns in:

    • Content of visited URLs
    • Content retrieved from external links
    • File types that are excluded from regular scans

    Check for links to malicious external Web sites: Examines all links that lead from your site to a different domain, and for each link returns its ISS category. An Internet connection is required for this, in order to connect to the ISS database.

    By default, both modules are selected, but you can adjust this from the Scan Configuration dialog box.

    To test for malware:

    1. Verify that you have Explore stage results for the site, or part of the site, that you want to test. These can be from a full regular scan, from an Explore Only, or from a Manual Explore.
    2. To make any configuration changes click Scan > Scan Configuration > Malware tab.
    3. Click the icon on the toolbar, or click Scan > Test for malware.

    The malware progress dialog box appears, and closes when malware testing is over. A status message indicates the success of the testing process. The results are added to the regular scan results in the form of additional Issue Types in the Result List, and full details in the Detail Pane.
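    The second module, checking links that lead off-site, as an added Python illustration (not AppScan code). It works the way the text describes: take the pages retrieved during Explore, collect every href/src reference, keep those whose host differs from the page's own, and look each host up in a reputation database. `PAGES` is a constructed set of Explore results, and `REPUTATION` is a constructed stand-in for the ISS database the text mentions (its real categories are not reproduced here); `external_hosts` and `malicious_link_findings` are this example's own names. Hosts absent from the database are reported separately rather than silently treated as safe.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed Explore results: page URL -> HTML body that was retrieved.
PAGES = {
    "https://app.example/": (
        '<a href="/about">About</a>'
        '<script src="https://cdn.example.net/lib.js"></script>'
        '<a href="http://downloads.bad.test/setup.exe">Download</a>'
    ),
    "https://app.example/about": (
        '<a href="https://app.example/">Home</a>'
        '<a href="//partner.example.org/promo">Promo</a>'
        '<img src="http://downloads.bad.test/pixel.gif">'
    ),
}

# Constructed stand-in for the external reputation lookup (the text says
# AppScan queries the ISS database; these categories are made up).
REPUTATION = {
    "downloads.bad.test": "Malware",
    "cdn.example.net": "Content Delivery",
}

class RefParser(HTMLParser):
    """Collects every href/src reference on a page, whatever the tag."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for key, value in attrs:
            if key in ("href", "src") and value:
                self.refs.append(value)

def external_hosts(pages):
    """Map each host that differs from the linking page's own host to the set
    of pages that reference it. Relative and scheme-relative URLs are resolved
    against the page URL first, so "//partner.example.org/..." counts."""
    result = {}
    for page_url, html in pages.items():
        own_host = urlsplit(page_url).hostname
        parser = RefParser()
        parser.feed(html)
        for ref in parser.refs:
            target_host = urlsplit(urljoin(page_url, ref)).hostname
            if target_host and target_host != own_host:
                result.setdefault(target_host, set()).add(page_url)
    return result

def categorise(hosts, reputation, default="Uncategorised"):
    """Look each external host up; unknown hosts get an explicit default."""
    return {host: reputation.get(host, default) for host in hosts}

def malicious_link_findings(pages, reputation):
    """Issue list of (host, category, referring pages) for hosts categorised as
    Malware, plus the hosts the database did not know, for manual review."""
    hosts = external_hosts(pages)
    cats = categorise(hosts, reputation)
    findings = [(h, cats[h], sorted(hosts[h])) for h in sorted(hosts) if cats[h] == "Malware"]
    unknown = sorted(h for h in hosts if cats[h] == "Uncategorised")
    return {"findings": findings, "unknown": unknown}

if __name__ == "__main__":
    print(malicious_link_findings(PAGES, REPUTATION))
```

    The referring-page list is what makes a finding actionable: the remediation is to remove or replace the reference on those pages, and the module's output here names them, just as the Detail Pane would.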

    Exporting results:

    You can export the complete scan results as an XML file, or as a relational database. (The database option exports the results into a Firebird database structure. This is open source, and follows ODBC and JDBC standards.)

    Procedure:

    1. Click File > Export and select XML or DB.
    2. Browse to the location you want, and type in a name for the file.
    3. Click Save.

The Best Penetration Testing Tools in 2016

Top Best Penetration Testing Tools:

1) Metasploit 

This is the most advanced and popular framework that can be used for pen-testing. It is based on the concept of an 'exploit', code that bypasses the security measures of a system and gains entry to it. Once in, it runs a 'payload', code that performs operations on the target machine, thus creating the perfect framework for penetration testing.

It can be used on web applications, networks, servers etc. It has a command-line and a GUI clickable interface, works on Linux, Apple Mac OS X and Microsoft Windows. This is a commercial product, although there might be free limited trials available.

For more details and download visit at

2) Wireshark

This is basically a network protocol analyzer, popular for providing the minutest details about your network protocols, packet information, decryption etc. It can be used on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many other systems. The information that is retrieved via this tool can be viewed through a GUI, or the TTY-mode TShark utility. You can get your own free version of the tool from here.

For more details and download visit

3) w3af

w3af is a Web Application Attack and Audit Framework.

Some of the features are: fast HTTP requests, integration of web and proxy servers into the code, injecting payloads into various kinds of HTTP requests etc.

It has a command-line interface, works on Linux, Apple Mac OS X and Microsoft Windows.
All versions are free of charge to download.

For more details and download visit at

4) Nmap

Nmap ("Network Mapper"), though not necessarily a pen-testing tool, is a must-have for ethical hackers. This is a very popular tool that predominantly aids in understanding the characteristics of any target network. The characteristics can include: hosts, services, OS, packet filters/firewalls etc. It works on most environments and is open source.

For more details and download visit at

 5) Sqlmap

Sqlmap is another good open source pen testing tool. It is mainly used for detecting and exploiting SQL injection issues in an application and taking over database servers. It comes with a command-line interface. Platforms: Linux, Apple Mac OS X and Microsoft Windows are supported. All versions of this tool are free for download.

For more details and download visit at

 6) Nessus

Nessus is also a scanner, and one to watch out for. It is one of the most robust vulnerability identification tools available. It specializes in compliance checks, sensitive data searches, IP scans, website scanning etc. and aids in finding the 'weak spots'. It works on most environments.

For more details and download visit at

7) Burpsuite

Burp Suite is also essentially a scanner (with a limited "Intruder" tool for attacks), although many security testing specialists swear that pen-testing without this tool is unimaginable. The tool is not free, but very cost effective. Take a look at it on the download page below. Its main strengths are the intercepting proxy, crawling content and functionality, web application scanning etc. You can use it on Windows, Mac OS X and Linux environments.

For more details and download visit at

8) OWASP Zed Attack Proxy (ZAP)

ZAP is a completely free scanner and security vulnerability finder for web applications. ZAP includes an intercepting proxy, a variety of scanners, spiders etc. It works on most platforms, and more information can be obtained from the page below.

For more details and download visit at

 9)  Cain & Abel

If cracking encrypted passwords or network keys is what you need, then Cain & Abel is the tool for you. It uses network sniffing, dictionary, brute-force and cryptanalysis attacks, cache uncovering and routing protocol analysis methods to achieve this. Check out information about this free-to-use tool on the page below. It is exclusively for Microsoft operating systems.

For more details and download visit at

10) Acunetix

Acunetix is essentially a web vulnerability scanner targeted at web applications. It provides SQL injection and cross-site scripting testing, PCI compliance reports etc., along with identifying a multitude of vulnerabilities. While this is among the more 'pricey' tools, a limited-time free trial version can be obtained from the page below.

For more details and download visit at

11) John The Ripper

Another password cracker in line is John the Ripper. This tool works on most environments, although it is primarily for UNIX systems. It is considered one of the fastest tools in this genre. Password hash and strength-checking code are also made available to be integrated into your own software/code, which I think is very unique. This tool comes in a pro and a free form. Check out its site to obtain the software on this page.

For more details and download visit at

12) Retina

Rather than targeting a particular application or server, Retina targets the entire environment at a particular company/firm. It comes as a package called Retina Community. It is a commercial product and is more of a vulnerability management tool than a pen-testing tool. It works by running scheduled assessments and presenting results. Check out more about this package on the page below.

For more details and download visit at

13) Netsparker

Netsparker comes with a robust web application scanner that will identify vulnerabilities, suggest remedial action etc. This tool can also help exploit SQL injection and LFI (local file inclusion). It has a command-line and GUI interface, and works only on Microsoft Windows. This is a commercial product, although there might be free limited trials available on the page below.

For more details and download visit at

14) Canvas

Immunity's CANVAS is a widely used tool that contains more than 400 exploits and multiple payload options. It renders itself useful for web applications, wireless systems, networks etc. It has a command-line and GUI interface, and works on Linux, Apple Mac OS X and Microsoft Windows. It is not free of charge, and more information can be found on the page below.

For more details and download visit at

15) Social Engineer Toolkit

The Social-Engineer Toolkit (SET) is a unique tool in that its attacks are targeted at the human element rather than the system element. It has features that let you send emails, Java applets, etc. containing the attack code. It goes without saying that this tool is to be used very carefully and only for 'white-hat' reasons. It has a command-line interface, and works on Linux, Apple Mac OS X and Microsoft Windows. It is open source and can be found on the page below.

For more details and download visit at

16) Sqlninja

Sqlninja, as the name indicates, is all about taking over the DB server using SQL injection in any environment. Although the product itself claims not to be very stable, its popularity indicates how robust it already is at exploiting DB-related vulnerabilities. It has a command-line interface, and works on Linux and Apple Mac OS X but not on Microsoft Windows. It is open source and can be found on this page.

For more details and download visit at


17) CORE Impact

CORE Impact Pro can be used to test mobile device penetration, network/network device penetration, password identification and cracking, etc. It has a command-line and a GUI clickable interface, and works on Microsoft Windows. This is one of the more expensive tools in this line, and all the information can be found on the page below.

For more details and download visit at

18) BeEF

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser: it takes advantage of the fact that an open web browser is the window (or crack) into a target system, and designs its attacks to proceed from that point. It has a GUI interface, and works on Linux, Apple Mac OS X and Microsoft Windows. It is open source and can be found on this page.

For more details and download visit at

19) Dradis

Dradis is an open source framework (a web application) that helps with maintaining the information that can be shared among the participants of a pen-test. The information collected helps understand what is done and what needs to be done. It achieves this purpose by the means of plugins to read and collect data from network scanning tools, like Nmap, w3af, Nessus, Burp Suite, Nikto and many more.  It has a GUI interface, works on Linux, Apple Mac OS X and Microsoft Windows. It is open source and can be found at this page.

For more details and download visit at


Phases of Penetration Testing

Summarizing the Five Phases of Penetration Testing.

In the ethical hacker class on our website, the course begins by recapping the five phases of penetration testing. Essentially, the five-phases module summarizes what the rest of the ethical hacker class is going to look like. The five phases refer to each primary step in the process of running a penetration test, and the concept is critical for a new entrant into the field. Here is a brief overview of the five phases of penetration testing:

Phase 1 | Reconnaissance:
Reconnaissance is the act of gathering preliminary data or intelligence on your target. The data is gathered in order to better plan for your attack. Reconnaissance can be performed actively (meaning that you are directly touching the target) or passively (meaning that your recon is being performed through an intermediary).

Phase 2 | Scanning:
The phase of scanning requires the application of technical tools to gather further intelligence on your target, but in this case, the intel being sought is more commonly about the systems that they have in place. A good example would be the use of a vulnerability scanner on a target network.

Phase 3 | Gaining Access:
Phase 3 gaining access requires taking control of one or more network devices in order to either extract data from the target, or to use that device to then launch attacks on other targets.

Phase 4 | Maintaining Access:
Maintaining access requires taking the steps involved in being able to be persistently within the target environment in order to gather as much data as possible. The attacker must remain stealthy in this phase, so as to not get caught while using the host environment.

Phase 5 | Covering Tracks:
The final phase of covering tracks simply means that the attacker must take the steps necessary to remove all semblance of detection. Any changes that were made, authorizations that were escalated etc. all must return to a state of non-recognition by the host network’s administrators.


Basic Common Ports

Common ports, such as TCP port 80 (HTTP), are usually locked down, but other ports get overlooked and remain exposed to attackers. In your security tests, be sure to check the commonly attacked TCP and UDP ports listed below. The Transport column reflects the IANA registration, not what the service actually speaks: SNMP, NTP, TFTP and syslog are UDP in practice, and a UDP port that drops probes silently looks the same as a filtered one, so scan TCP and UDP separately.

Port       Transport        Description
9          UDP              Wake-on-LAN
13         TCP, UDP         Daytime Protocol
20         TCP, UDP         File Transfer Protocol (FTP) data transfer
21         TCP, UDP, SCTP   File Transfer Protocol (FTP) control (command)
22         TCP, UDP, SCTP   Secure Shell (SSH): secure logins, file transfers (scp, sftp) and port forwarding
23         TCP, UDP         Telnet protocol, unencrypted text communications
25         TCP, UDP         Simple Mail Transfer Protocol (SMTP), used for e-mail routing between mail servers
37         TCP, UDP         Time Protocol
43         TCP, UDP         WHOIS protocol
49         TCP, UDP         TACACS+ Login Host protocol
53         TCP, UDP         Domain Name System (DNS)
69         UDP              Trivial File Transfer Protocol (TFTP)
79         TCP, UDP         Finger protocol
80         TCP, UDP, SCTP   Hypertext Transfer Protocol (HTTP)
88         TCP, UDP         Kerberos authentication system
107        TCP, UDP         Remote User Telnet Service (RTelnet)
109        TCP, UDP         Post Office Protocol, version 2 (POP2)
110        TCP, UDP         Post Office Protocol, version 3 (POP3)
111        TCP, UDP         Open Network Computing Remote Procedure Call (ONC RPC, sometimes referred to as Sun RPC; the portmapper)
113        TCP              Ident, the identification protocol (formerly the Authentication Service, auth): identifies the user owning a particular TCP connection; used by IRC servers to identify users
115        TCP, UDP         Simple File Transfer Protocol
123        UDP              Network Time Protocol (NTP), used for time synchronization
135        TCP, UDP         Microsoft EPMAP (End Point Mapper), also known as the DCE/RPC Locator service; used to remotely manage services including DHCP, DNS and WINS, and by DCOM
137        TCP, UDP         NetBIOS Name Service, used for name registration and resolution (UDP in practice)
138        TCP, UDP         NetBIOS Datagram Service (UDP in practice)
139        TCP, UDP         NetBIOS Session Service (TCP in practice; SMB over NetBIOS)
143        TCP, UDP         Internet Message Access Protocol (IMAP), management of e-mail messages on a server
152        TCP, UDP         Background File Transfer Program (BFTP)
153        TCP, UDP         Simple Gateway Monitoring Protocol (SGMP), remote inspection and alteration of gateway management information
161        TCP, UDP         Simple Network Management Protocol (SNMP) (UDP in practice)
162        TCP, UDP         Simple Network Management Protocol Trap (SNMPTRAP)
179        TCP, SCTP        Border Gateway Protocol (BGP), used to exchange routing and reachability information among autonomous systems (AS) on the Internet
199        TCP, UDP         SMUX, SNMP Unix Multiplexer
209        TCP, UDP         Quick Mail Transfer Protocol (QMTP)
220        TCP, UDP         Internet Message Access Protocol, version 3 (IMAP3)
311        TCP              Mac OS X Server Admin (officially AppleShare IP Web administration)
384        TCP, UDP         A Remote Network Server System
389        TCP, UDP         Lightweight Directory Access Protocol (LDAP)
427        TCP, UDP         Service Location Protocol (SLP)
434        TCP, UDP         Mobile IP Agent (RFC 5944)
443        TCP, UDP, SCTP   Hypertext Transfer Protocol over TLS/SSL (HTTPS)
444        TCP, UDP         Simple Network Paging Protocol (SNPP)
445        TCP              Microsoft-DS: SMB file sharing directly over TCP, Active Directory, Windows shares
464        TCP, UDP         Kerberos Change/Set password (kpasswd)
465        TCP              Officially URL Rendezvous Directory for SSM (Cisco protocol); in practice SMTP submission over implicit TLS (SMTPS)
513        TCP              rlogin
514        TCP              Remote Shell (rsh, remsh), used to execute non-interactive commands on a remote system
514        UDP              Syslog, used for system logging
515        TCP              Line Printer Daemon (LPD), print service
543        TCP              klogin, Kerberos login
544        TCP              kshell, Kerberos remote shell
546        TCP, UDP         DHCPv6 client
547        TCP, UDP         DHCPv6 server
548        TCP              Apple Filing Protocol (AFP) over TCP
587        TCP              E-mail message submission (SMTP)
631        TCP, UDP         Internet Printing Protocol (IPP)
636        TCP, UDP         Lightweight Directory Access Protocol over TLS/SSL (LDAPS)
646        TCP, UDP         Label Distribution Protocol (LDP), used to distribute MPLS labels in MPLS networks
674        TCP              Application Configuration Access Protocol (ACAP)
691        TCP              MS Exchange Routing
873        TCP              rsync file synchronization protocol
989        TCP, UDP         FTPS data, FTP over TLS/SSL
990        TCP, UDP         FTPS control, FTP over TLS/SSL
991        TCP, UDP         Netnews Administration System (NAS)
992        TCP, UDP         Telnet protocol over TLS/SSL
993        TCP              Internet Message Access Protocol over TLS/SSL (IMAPS)
994        TCP, UDP         Internet Relay Chat over TLS/SSL (IRCS)
995        TCP              Post Office Protocol 3 over TLS/SSL (POP3S)
1027       UDP              Native IPv6 behind IPv4-to-IPv4 NAT Customer Premises Equipment
1029       TCP              Microsoft DCOM services
1433       TCP, UDP         Microsoft SQL Server database management system (MSSQL) server (1434/UDP is the SQL Server Browser service)
1521       TCP, UDP         nCube License Manager; in practice the Oracle database default listener (TNS)
1720       TCP, UDP         H.323 call signaling
1723       TCP, UDP         Point-to-Point Tunneling Protocol (PPTP)
1755       TCP, UDP         Microsoft Media Services (MMS, ms-streaming)
2000       TCP, UDP         Cisco Skinny Client Control Protocol (SCCP)
2049       TCP, UDP         Network File System (NFS)
3000       TCP              Ruby on Rails development server default
3128       TCP              Squid caching web proxy
3306       TCP, UDP         MySQL database system
3389       TCP, UDP         Microsoft Terminal Server, Remote Desktop Protocol (RDP); officially registered as Windows Based Terminal (WBT)
4899       TCP, UDP         Radmin remote administration tool
5000       TCP              commplex-main
5051       TCP              ita-agent, Symantec Intruder Alert
5060       TCP, UDP         Session Initiation Protocol (SIP)
5190       TCP              AOL Instant Messenger protocol
5357       TCP, UDP         Web Services for Devices (WSDAPI) (Windows Vista, Windows 7 and Server 2008)
5432       TCP, UDP         PostgreSQL database system
5631       TCP              pcANYWHEREdata, Symantec pcAnywhere (version 7.52 and later) data
5666       TCP              NRPE (Nagios)
5800       TCP              VNC remote desktop protocol over HTTP
5900       TCP, UDP         Remote Frame Buffer protocol (RFB), used by VNC
6000-6063  TCP, UDP         X11, used between an X client and server over the network
6262       TCP              Sybase Advantage Database Server
6646       UDP              McAfee Network Agent
7070       TCP, UDP         Real Time Streaming Protocol (RTSP), used by QuickTime Streaming Server (TCP by default, UDP as an alternate)
8000       TCP, UDP         iRDMI (Intel Remote Desktop Management Interface); sometimes erroneously used instead of port 8080
8008       TCP              HTTP Alternate
8009       TCP              ajp13, Apache JServ Protocol (AJP) connector
8080       TCP              HTTP alternate (http_alt); commonly used for web proxies and caching servers, or for running a web server as a non-root user
8081       TCP              HTTP alternate; used by VibeStreamer and by McAfee ePolicy Orchestrator (ePO)
8443       TCP              SW Soft Plesk Control Panel (also a common HTTPS alternate)
8888       TCP              HyperVM HTTPS
9100       TCP, UDP         PDL Data Stream (JetDirect), raw printing to network printers
10000      TCP, UDP         Network Data Management Protocol (NDMP); also the Webmin default
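The scanning phase described earlier, applied to the ports in this table: the following is an added example written for this page, not code from the original article or from any tool it covers. It performs a TCP connect scan with banner grabbing over a subset of the table's TCP ports. The fake_service and free_port helpers are hypothetical test scaffolding so the scanner can be exercised against the loopback interface offline, and the SSH-style banner is constructed. Scanning hosts you do not own requires written authorization.

```python
"""Added example: TCP connect scan of commonly attacked ports, with banner grab.

Hypothetical helper code written for this page; not from any tool it describes.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Subset of the port table above: TCP services a tester checks first.
COMMON_TCP_PORTS = {
    21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "domain", 80: "http",
    110: "pop3", 111: "sunrpc", 135: "msrpc", 139: "netbios-ssn", 143: "imap",
    389: "ldap", 443: "https", 445: "microsoft-ds", 514: "shell",
    587: "submission", 636: "ldaps", 873: "rsync", 993: "imaps", 995: "pop3s",
    1433: "ms-sql-s", 1521: "oracle-tns", 2049: "nfs", 3306: "mysql",
    3389: "rdp", 5432: "postgresql", 5900: "vnc", 6000: "x11",
    8080: "http-alt", 9100: "jetdirect",
}


def probe_tcp(host, port, timeout=1.0):
    """Full TCP handshake to one port. Returns (port, state, banner).

    state is 'open' (handshake completed), 'closed' (RST came back, nothing
    listening) or 'filtered' (no answer before the timeout: a dropping
    firewall, a down host, or rate limiting).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return port, "closed", ""
        except OSError:  # TimeoutError / socket.timeout and host-unreachable errors
            return port, "filtered", ""
        # Services such as SSH, FTP and SMTP speak first; record whatever they
        # volunteer. HTTP and others stay silent, so recv() simply times out.
        banner = b""
        try:
            banner = s.recv(256)
        except OSError:
            pass
        return port, "open", banner.decode("latin-1", "replace").strip()


def scan(host, ports=None, timeout=1.0, workers=32):
    """Probe each port concurrently; returns {port: (state, banner)}."""
    targets = sorted(ports if ports is not None else COMMON_TCP_PORTS)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe_tcp(host, p, timeout), targets))
    return {port: (state, banner) for port, state, banner in results}


def open_ports(results):
    """Ports whose handshake completed, tagged with the table's service name."""
    return [(p, COMMON_TCP_PORTS.get(p, "unregistered"), banner)
            for p, (state, banner) in sorted(results.items()) if state == "open"]


def fake_service(banner):
    """Hypothetical test scaffold: one-shot loopback listener that sends
    `banner`, hangs up, and returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port():
    """Hypothetical test scaffold: an ephemeral loopback port that is closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    ssh_like = fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")  # constructed banner
    closed = free_port()
    found = scan("127.0.0.1", [ssh_like, closed], timeout=1.0)
    for port, (state, banner) in found.items():
        print(f"127.0.0.1:{port} {state} {banner!r}")
```

A connect scan completes the three-way handshake, so every probe lands in the target's connection logs; a SYN scan (nmap -sS) avoids that but needs raw sockets and root. The UDP services in the table (SNMP, NTP, TFTP, syslog) need a separate UDP probe with protocol-specific payloads, because a UDP port that never answers is indistinguishable from a filtered one.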

The Steps to Becoming a Penetration Tester

According to statistics provided by, the cost of cybercrime will top $100 billion this year. Cybercrime affects 18 victims per second for a total of around 556 million victims per year. Just recently, the FBI warned that cyber-attacks have eclipsed domestic terrorism as the primary threat to U.S. security.

Penetration testers fight on the front lines of cyber security. They give financial institutions, hospitals, government institutions and businesses vital information about how to improve their network security. Penetration testers protect not only institutions but also individual customers' bank accounts, health records and private information. In a job market with a profound shortage of cyber security professionals, penetration testers can contribute to society and potentially earn six figures for their efforts.

What is penetration testing?

A penetration tester is paid to hack into an organization's networks, with its permission, to help it identify weak points. Penetration testers may work for companies, not-for-profits or government agencies. They can also offer independent consulting services.

What is a typical day like for a penetration tester?

Penetration testers come up with ingenious ways to launch cyber-attacks against their clients. For example, a tester may sit in a parked car and attempt to hijack the company Wi-Fi to launch a man-in-the-middle attack. A tester may also use a company restroom, drop a thumb drive carrying a malicious payload on the countertop, and then wait to see whether employees pick it up and plug it in.

Testers launch phishing campaigns against company e-mail accounts to show executives how exposed they are. They may even try to breach physical security by posing as technicians or delivery personnel. From their own terminals, they may launch SQL injection attacks against the organization's applications, and, only where the rules of engagement explicitly allow it, denial-of-service tests, since DDoS attacks against production systems are normally excluded from scope. Their goal is to find weaknesses and develop strategies that reduce or eliminate threats.

How does someone become a penetration tester?

A strong record of IT experience, along with certification, helps people find work as penetration testers. For people without an IT background who want to become penetration testers, experts recommend starting by earning the A+ certification and finding a help desk job. In addition to A+, future penetration testers can add credentials such as CCNA or Network+ that open the way to promotion into network support, network administration and network engineering roles.

To move into information security, penetration testing candidates can earn security certifications, including Security+, CISSP or TICSA. Programming languages like Java, Perl or LISP are important, as is fluency with Unix/Linux distributions, their command line and shell scripting. Additionally, people who want to become penetration testers should spend some time learning how to use and manipulate SQL databases.

What certifications are required?

People can earn the Certified Ethical Hacker (CEH) designation from the International Council of E-Commerce Consultants (EC-Council) by following one of two paths. After completing training or self-study, future penetration testers must pass Exam 312-50 to earn the CEH credential.

  1. EC-Council training program. The EC-Council's CEH training program is offered at some local universities. It is also offered online, either as a self-paced course or as an instructor-led course. Organizations can also book instructors to teach CEH training courses onsite.
  2. Self-study. People who want to skip the training program can take the certification exam without going through EC-Council training. However, they must submit an application to the EC-Council confirming at least two years of relevant, employer-endorsed information security work experience. Without this experience, they can still apply and ask the EC-Council to consider whatever work experience they have. The council decides on a case-by-case basis.

What else is required?

In addition to earning certification, penetration testers need good social engineering skills. When trying to get into a datacenter, for example, they will need to convince personnel that they are authorized to be there. They will also need to construct realistic social engineering attacks as part of a comprehensive network test.

Most companies perform background checks before hiring a CEH. For jobs in government that require security clearance, testers should expect a background check and a polygraph test. Also, testers should keep up with EC-Council recertification requirements. Currently, CEH holders must recertify every three years to keep the credential.


The cyber security industry, according to GO-Gulf estimates, will pull in $120.1 billion by 2017. Additionally, many government agencies are keen to hire cyber security professionals. As concerns about cyber-attacks grow, penetration testers can both perform good deeds and enjoy a healthy payday.