Which testing method would be used for internet security?
Asked by humphrey (42 points) on Jun 21, 2009 under Internet & Computers
1 answer

drucie (36 points)
on Jun 22, 2009

The test plan would consist of testing several things. Modules would be identified and tested separately. First, a network survey of the organization's system is performed. In the survey no intrusion or other illegal activity is carried out. It is used to collect data about the organization, such as domain names, server names, and the block of IP addresses assigned to the organization, so that the system for penetration testing can be identified and mapped. Here are a few modules of importance.

Port Scanning: It works at both the transport layer and the network layer of the TCP/IP protocol suite. It helps in identifying services and systems behind the firewall. Error checking is performed by identifying the network, the round-trip time of the packet sent, the success rate of responses and the failure of responses. The system network is determined by different means, such as gathering broadcast packets of the network and using ICMP messages to identify all hosts in the network. Then a packet whose Time To Live field is strategically set is sent to all hosts in the network. Then different port settings are used in TCP fragments, TCP synchronization and TCP ACK packets, which are then sent to all the hosts in the network. Port states such as open and closed can be identified by sending TCP SYN packets. Similarly, TCP SYN packets reveal whether ports are filtered or not. Default fragment testing ports can be specified, and the services related to them can be identified by using reverse fragmentation. UDP port states of all hosts on the network can be gauged by performing a UDP scan. The Port Scanning module also includes verification of different protocols, such as routing, non-standard and encrypted protocols. It also includes packet response verification, such as Initial Sequence Number and Identification number predictability.

Service identification: This module helps in identifying the applications related to services.
In some cases a single service can have more than one application; for example, an HTTP daemon may act as the listening service and PERL may act as its component. In this module all open ports are mapped to services and protocols. Fingerprinting is used to find the applications behind services. These applications are then verified and their components are determined.

System identification: In this module the operating system used in the system and its version number are identified. The system type and patch level are determined by analyzing the application and system responses. Information about the system type is gathered through websites such as the organization's technical bulletin board and job vacancy sites.

Router testing module: Organizations use gateway routers as a firewall between their systems and the internet. An access control list is used in the router as an instruction set which specifies the type of inbound and outbound traffic allowed. Auditors examine all the information about the router gathered in the Information Security methodology, such as the router type, whether NAT is enabled or not, and penetrations using the firewall in the port scanning module. The firewall is used to determine the layer four protocols that are allowed by the routers. The auditor sends a packet whose TTL field contains one more hop than the router, so if the packet is allowed an ICMP TIME EXCEEDED message is returned by the next node; otherwise the packet is dropped by the router and no message is returned. The auditor then tests the ACL against the organization's policy and the "deny all" rule. The end of the access list has an implicit deny-all statement, which means that only packets that meet the access list instructions are allowed and all other packets are denied access. Egress filtering is checked to ensure no unwanted traffic passes from the intranet to the internet. Outbound traffic from within the system network is analyzed. Different packet header tests are performed, such as minimum allowable packet size, maximum allowable packet size and a fragmentation test. The fragmentation test in the router is like the Teardrop test.
Teardrop takes advantage of a bug in old versions of the Windows and Linux operating systems by sending overlapping fragments which cannot be reassembled, thus crashing the system.

Firewall testing module: Just like the ACLs in the router, the firewall manages all inbound and outbound traffic within the different sections of the organization, the Demilitarized Zones (DMZ) and the internet. The DMZ is the boundary between the organization and the public network. The DMZ consists of proxy servers, or servers which accept all outbound requests from the private network and forward them to an external computer. The external computer sends the requests to the internet. The external computer provides an extra buffer and protection. First, verification is performed on the router type, NAT usage and firewalls. Then the ACLs of the firewall are matched against the organization's policy. The verification of egress filtering and address spoofing is carried out. The firewall response is measured for different payload sizes, fragmentations and ICMP messages. The firewall response is measured against different fields in the packet header, such as the RST flag, window size, and all flags set. The firewall response is measured against different types of TCP packets, such as ACK, SYN, FIN and NULL packets. The firewall response is measured against different types of denial of service attacks, such as sustained TCP connections, temporary TCP connections and streaming UDP connections. Firewall logs are analyzed for testing and verification purposes.

The next module is Intrusion Detection System testing. Using the information gathered in the Comparative Intelligence Review module, the type of IDS is determined. Based on the type, the working and scope of the IDS are decided. The IDS response to swarm attacks and flood attacks is examined. In a swarm attack the auditor takes advantage of a vulnerability in the system repetitively to achieve certain goals. In a flood attack the auditor sends many spoofed packets to waste bandwidth and server resources. The IDS response is measured against obfuscated URLs.
Obfuscation is carried out by using the IP address instead of the domain name, in decimal, double-word, octal or hexadecimal format. Similarly, "@" and hexadecimal character codes are used instead of the ASCII character set. The auditor examines the IDS response against activities such as changing the speed of packet transmission in normal mode and attack mode. Its response is checked with respect to fragmented packets and multiple packets. The IDS logs are reviewed to view its alerts against different activities, such as vulnerability scans, password cracking, and trusted system execution and installation.

Password Cracking: It uses recovery tools to examine the strength of passwords, the strength of the cryptographic algorithm, and weaknesses with respect to human intervention or due to incorrect implementation of the algorithm. The auditor gains root access to the system after successfully cracking the password. He can further use an automated recovery tool to gain access to other files and directories. The system has a password file that consists of passwords with respect to user names. Automated brute force is used to crack it. It is a time-consuming process, as all possible combinations of the password are tried before one of them is successful. Similarly, an automated dictionary attack is carried out in which all the passwords in a dictionary are tried to crack the password file. The passwords obtained through this procedure are used to gain further access to resources. The auditor uses an automated password cracker to decrypt encrypted files. All these activities highlight weaknesses in the cryptographic algorithm and in the organization's policy for forming new passwords.
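The answer above describes testing an IDS against obfuscated URLs: the host written as a decimal double word, in octal or hex, the "user@host" trick, and hex character codes in place of ASCII. The following is an added example, not code from the original answer, showing both sides of that check: a generator for the host encodings an auditor would send, and the canonicalization an IDS or proxy has to do before signature matching. The decoding follows inet_aton() base rules (a leading 0 means octal, 0x means hex, fewer than four components let the last one fill the remaining bytes); the signature list and the sample URLs are constructed for the demo.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Added example; not part of the original answer. Assumes an IDS/proxy that
# matches path signatures on a canonical URL rather than on the raw bytes.

_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]*")        # "0" alone is octal zero
_DEC = re.compile(r"[1-9][0-9]*")    # "08" is rejected, as inet_aton() does


def _part_value(part: str) -> int:
    """Decode one dotted component using inet_aton() base rules."""
    if _HEX.fullmatch(part):
        return int(part, 16)
    if _OCT.fullmatch(part):
        return int(part, 8)
    if _DEC.fullmatch(part):
        return int(part, 10)
    raise ValueError(f"not a numeric component: {part!r}")


def parse_ipv4_literal(host: str) -> str:
    """Return the canonical dotted quad for any inet_aton()-style literal.

    Fewer than four components are allowed: the last one fills the remaining
    bytes, so "127.1", "0x7f.1" and "2130706433" all mean 127.0.0.1.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"not an IPv4 literal: {host!r}")
    values = [_part_value(p) for p in parts]
    result = 0
    for v in values[:-1]:
        if v > 0xFF:
            raise ValueError(f"component out of range: {v}")
        result = (result << 8) | v
    tail_bits = 8 * (4 - (len(values) - 1))
    if values[-1] >= 1 << tail_bits:
        raise ValueError(f"last component out of range: {values[-1]}")
    result = (result << tail_bits) | values[-1]
    return str(ipaddress.IPv4Address(result))


def ipv4_variants(dotted: str) -> dict[str, str]:
    """Encodings of one address an auditor would send to see whether the IDS
    decodes them to the same host."""
    n = int(ipaddress.IPv4Address(dotted))
    o = [int(x) for x in dotted.split(".")]
    return {
        "decimal": str(n),                                   # double word
        "hex": f"0x{n:08x}",
        "octal": f"0{n:o}",
        "dotted_hex": ".".join(f"0x{x:02x}" for x in o),
        "dotted_octal": ".".join(f"0{x:o}" for x in o),
        "mixed": f"{o[0]}.{(o[1] << 16) | (o[2] << 8) | o[3]}",
    }


def canonicalize_url(url: str) -> tuple[str, str]:
    """Return (host, path): userinfo before '@' dropped, a numeric host
    decoded to a dotted quad, and %xx escapes in the path decoded."""
    parts = urlsplit(url)
    host = parts.hostname or ""      # urlsplit discards "user@" itself
    try:
        host = parse_ipv4_literal(host)
    except ValueError:
        pass                         # a DNS name: leave it as-is
    return host, unquote(parts.path)


def signature_hits(url: str, signatures: list[str]) -> list[str]:
    """Match path signatures against the canonical form, not the raw URL."""
    _, path = canonicalize_url(url)
    return [s for s in signatures if s in path]
```

A signature engine that only inspects the raw request misses `http://0x7f000001/%65tc/passwd`, because the literal string `/etc/passwd` never appears on the wire; the same request canonicalized matches. Replaying every value of `ipv4_variants()` for a target and checking that the IDS logs one host each time is the test the answer describes.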
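The router and firewall modules above both come down to the same audit step: replay packets the organization's policy says should and should not leave the network through the ACL, with first-match-wins semantics and the implicit deny at the end. Below is an added example of that check, not code from the original answer. The internal range, the approved resolver, the egress ACL and the policy test cases are all constructed; the "weak" ACL shows what the audit reports when a broad permit sits in front of the deny, which is the egress and anti-spoofing failure the answer says to look for.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Added example; not part of the original answer. Addresses, ACLs and the
# policy expectations are constructed for the demonstration.


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str                 # "tcp", "udp", "icmp", or "ip" for any protocol
    src: str                   # source network, CIDR notation
    dst: str                   # destination network, CIDR notation
    dport: int | None = None   # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int | None = None


def evaluate(acl: list[Rule], pkt: Packet) -> tuple[str, Rule | None]:
    """First matching rule wins. Falling off the end is the implicit deny,
    reported with rule None so an audit can tell it from an explicit deny."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for rule in acl:
        if rule.proto != "ip" and rule.proto != pkt.proto:
            continue
        if src not in ipaddress.ip_network(rule.src):
            continue
        if dst not in ipaddress.ip_network(rule.dst):
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule.action, rule
    return "deny", None


def audit(acl: list[Rule], policy: list[tuple[Packet, str, str]]) -> list[str]:
    """Replay (packet, expected action, label) cases through the ACL and
    describe every case where the ACL disagrees with the written policy."""
    findings = []
    for pkt, expected, label in policy:
        actual, rule = evaluate(acl, pkt)
        if actual != expected:
            how = "implicit deny" if rule is None else f"matched {rule}"
            findings.append(f"{label}: expected {expected}, got {actual} ({how})")
    return findings


INTERNAL = "192.0.2.0/24"         # constructed internal range (TEST-NET-1)
DNS_SERVER = "198.51.100.53/32"   # constructed approved upstream resolver

# Egress ACL as the policy says it should read: HTTPS anywhere and DNS to the
# approved resolver, only from internal addresses, deny everything else.
EGRESS_ACL = [
    Rule("permit", "tcp", INTERNAL, "0.0.0.0/0", 443),
    Rule("permit", "udp", INTERNAL, DNS_SERVER, 53),
    Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),   # explicit copy of the implicit deny
]

# A weak variant an auditor might find: a broad permit ahead of the deny.
WEAK_ACL = [Rule("permit", "ip", "0.0.0.0/0", "0.0.0.0/0")] + EGRESS_ACL

EGRESS_POLICY = [
    (Packet("tcp", "192.0.2.10", "203.0.113.5", 443), "permit", "internal host to HTTPS"),
    (Packet("udp", "192.0.2.10", "198.51.100.53", 53), "permit", "internal host to approved DNS"),
    (Packet("tcp", "192.0.2.10", "203.0.113.5", 25), "deny", "outbound SMTP not in policy"),
    (Packet("udp", "192.0.2.10", "203.0.113.5", 53), "deny", "DNS to a non-approved resolver"),
    (Packet("tcp", "10.9.9.9", "203.0.113.5", 443), "deny", "spoofed source leaving the network"),
    (Packet("icmp", "192.0.2.10", "203.0.113.5"), "deny", "outbound ICMP not in policy"),
]


def audit_egress(acl: list[Rule] = EGRESS_ACL) -> list[str]:
    """Run the egress policy cases; an empty list means the ACL matches policy."""
    return audit(acl, EGRESS_POLICY)


if __name__ == "__main__":
    for finding in audit_egress(WEAK_ACL):
        print(finding)
```

Removing the explicit final deny from `EGRESS_ACL` changes nothing for the packets here, which is the point the answer makes about the implicit deny-all; `evaluate()` still returns `"deny"`, only with `None` in place of a rule. Against a real device the same cases are sent as live packets, and the result is read from the firewall logs rather than from a return value.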
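The Password Cracking module above describes two procedures against the password file: a dictionary attack, then exhaustive brute force. The following added example (not from the original answer) carries both out against a constructed three-user password file. The file format, the PBKDF2-SHA256 hashing with a deliberately tiny iteration count so the demo runs in seconds, the wordlist and the mangling rules are all assumptions made here for illustration. The attempt counter shows why per-user salts matter: every candidate must be hashed once per uncracked user, so nothing is shared across accounts.

```python
import hashlib
import itertools
import string

# Added example; not part of the original answer. File format, hash scheme,
# accounts and wordlist are constructed for the demonstration.

ITERATIONS = 100   # deliberately low for speed; real deployments use far more


def hash_password(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def make_entry(user: str, password: str, salt: bytes) -> str:
    return f"{user}:{salt.hex()}:{hash_password(password, salt)}"


# Constructed "password file": user:salt:hash, one entry per line.
PASSWORD_FILE = "\n".join([
    make_entry("alice", "Summer2009", bytes.fromhex("a1a1a1a1a1a1a1a1")),
    make_entry("bob", "qzx", bytes.fromhex("b2b2b2b2b2b2b2b2")),
    make_entry("carol", "correct horse battery staple", bytes.fromhex("c3c3c3c3c3c3c3c3")),
])

WORDLIST = ["password", "summer", "winter", "letmein", "welcome", "admin"]


def parse_password_file(text: str) -> list[tuple[str, bytes, str]]:
    entries = []
    for line in text.splitlines():
        user, salt_hex, digest = line.split(":")
        entries.append((user, bytes.fromhex(salt_hex), digest))
    return entries


def mangle(word: str):
    """Common mangling rules: case changes plus digit, year and symbol suffixes."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "!", "2008", "2009"):
            yield base + suffix


def try_candidates(entries, candidates) -> tuple[dict, int]:
    """Hash each candidate once per still-uncracked user (distinct salts mean
    nothing can be shared) and return (cracked, hashes_computed)."""
    cracked: dict[str, str] = {}
    attempts = 0
    for cand in candidates:
        for user, salt, digest in entries:
            if user in cracked:
                continue
            attempts += 1
            if hash_password(cand, salt) == digest:
                cracked[user] = cand
        if len(cracked) == len(entries):
            break
    return cracked, attempts


def dictionary_attack(entries, wordlist=WORDLIST):
    return try_candidates(entries, (m for w in wordlist for m in mangle(w)))


def brute_force(entries, alphabet=string.ascii_lowercase, max_len=3):
    """Exhaustive search over every string of the alphabet up to max_len."""
    cands = ("".join(t)
             for n in range(1, max_len + 1)
             for t in itertools.product(alphabet, repeat=n))
    return try_candidates(entries, cands)


def crack_all(text: str = PASSWORD_FILE) -> dict[str, str]:
    """Dictionary first (cheap), brute force only what is left (expensive)."""
    entries = parse_password_file(text)
    cracked, _ = dictionary_attack(entries)
    remaining = [e for e in entries if e[0] not in cracked]
    more, _ = brute_force(remaining)
    cracked.update(more)
    return cracked


if __name__ == "__main__":
    print(crack_all())
```

The dictionary pass recovers `alice` (a word plus a year, the kind of policy weakness the answer points at), the brute-force pass recovers `bob` because three lowercase letters is a tiny key space, and `carol` survives both: a long passphrase is outside the wordlist and far beyond any exhaustive search. Increasing `ITERATIONS` slows every attempt proportionally, which is the cost the cracker pays and the reason real schemes use high counts.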

