net-sec-samenvatting/02_planning.md

# Planning, Scoping, Recon and OSINT

* **Threat**: agent or actor that can cause harm
* **Vulnerability**: flaw that can be exploited to cause harm
* **Risk**: overlap between threat and vulnerability
* **Exploit**: code or technique that a threat uses to take advantage of a
  vulnerability
* **Hacking**: manipulate technology to make it do something it's not designed
  to do
  * **Ethnical hacking** (white hat): hacking with the permission of the target
  * **Penetration testing**: ethical hacking with the goal of finding and
    exploiting security vulnerabilities in target environment and reporting
    them
    * modelling techniques used by real-world attackers
    * determine risk to company
* **Security audit**
    * testing against a rigorous set of standards
    * detailed checklists
    * more in-depth than pen test

## Types of penetration tests

* Network services test
    * find target systems on network
    * look for openings in OS or running network services and exploit them
    * over the internet or from within breached network
* Client-side software test
    * look for vulnerabilities in client-side software (e.g. browsers)
* Web application test
    * look for vulnerabilities in web-based applications deployed in the target
      environment
* Social engineering / phishing test
    * attempt to trick user into revealing sensitive information
    * using phishing mails to make users click malicious links
* Wireless security test
    * find unauthorized wireless access points or authorized ones with security
      weaknesses
* Physical security test
    * look for flaws in physical security practices
    * literally try to break in
    * dumpster diving
* Stolen equipment test
    * "obtain" (steal) a piece of equipment (e.g. laptop) and analyse it for
      sensitive info
* Cryptanalysis attack
    * break or bypass encryption on local or intercepted data
* Product security test
    * look for security flaws in software products that can be installed in
      tester's lab
* Remote war dial test (obsolete)
    * attempt to log into discovered modems

## Phases of an attack

1. Reconnaissance: OSINT, social engineering, dumpster diving...
2. Scanning: finding openings in the systems, listening ports...
3. Exploitation / gaining access: attempt to access and take control of target
   devices

* Malicious actors go further
    * install backdoors and rootkits
    * cover tracks with covert channels, log editing...

* public/free testing methodologies
    * Open Source Security Testing Methodology Manual ([OSSTMM](https://www.isecom.org/research.html))
    * Pen Testing Execution Standard ([PTES](Pen Testing Execution Standard))
    * [NIST](https://csrc.nist.gov/publications/detail/sp/800-115/final) (US National Institute of Standards and Technology)
    * ...

## Lab

* **Testing machine**: system used by pentester to attack other machines
    * don't use for anything personal
    * should be hardened to avoid being attacked themselves
    * scrub results between tests (avoid confusion, leave no trace)
* **Target machine**: machine being attacked/evaluated

## The pentesting process

* three phases
    1. preparation
        * perform necesary paperwork
        * clearly define rules of engagement
    2. testing: conduct the test
    3. conclusion
        * detailed analysis of results
        * write report

### rules of engagement

* must be defined in advance
* clear outline of what's allowed and what's not
* emergency contact information
* safe means of communication
* possible briefing calls
* agreement on period of engagement
* whether sysadmins are informed or not
* how much info is shared
    * **black box**: no info shared
        * more closely mimicks a true attack
        * takes longer
    * **grey box**: some info, e.g. password for non-privileged user
        * balance between efficiency and realism
    * **white box**: testers get everything
* what data can be viewed
    * remove personal data from sniffed packets
    * sometimes samples are allowed to prove they were there
* should be signed off before anything is done

### Scoping

* determine what should be focused on
    * ask organisation what their biggest weaknesses are
    * avoid scope creep
* ensure all targetted systems are allowed within scope
    * third-party systems should give *written* permission
    * large cloud ventors usually have pen testing rules in place
* ideally run test on staging environment (don't break prod)
* checking inside vulnerabilities
    * team travels onsite
    * team gets vpn or ssh access
* scope must specify level of testing allowed
    * ping sweep
    * port scanning
    * full on `nmap -A`
    * physical penetration attempts
    * social engineering
    * DoS checks
    * use of dangerous exploits

### Reporting and inventory management

* report is important
    * only thing the client will read
    * should clearly define what's the problem
    * write it as you go
    * convince client the problem is real and in the room with them
    * rank vulnerabilities according to severity
* executive summary
    * statement of confidentiality: how to treat this document
    * engagement contacts: who was involved
    * summary for management to read
        * most important conclusions
        * what should be fixed
        * what's been done
* pentest assessment summary: overview of most important findings
* detailed walktrhough: technical overview
* technical
    * deep technical findings
    * big nerd talk for the nerds
* remediation summary
    * short, medium and long-term recommendations
    * summarize project, scope and security state of target
* appendices
    * output of commands
    * data dumps
    * password reviews

## Reconnaissance

* collect as much information as possible before launching any attack
* **Passive**: gather info without direct interaction with target
    * via social media
    * corporate website
    * search engines
    * ...
* **Active**: interact directly with target system
    * scanning
    * enumeration
    * higher risk of detection
* social engineering
    * important role in information gathering
    * life cycle
        1. investigate
            * gather information about targets
            * find details about them (job, personal interests...)
        2. hook
            * create plausible scenario to engage with target
            * establish trust
        3. play
            * manipulate target into providing desired information
            * trick target into revealing sensitive information
        4. exit
            * cover tracks to avoid detection
* document metadata analysis
    * gather information from e.g. pdf metadata tags
    * reveals what software they use, who works there
    * lots of documents are (accidentally) publicly available
    * use crawlers and search engines
* domain info
    * WHOIS ([Belgium](https://www.dnsbelgium.be/))
    * query registries about domains
    * can contain contact information of sysadmins
    * list domain servers
    * not as useful now due to privacy laws
    * Regional Internet Registries (RIRs) offer databases for IP -> domain lookup
* subdomain discovery
    * enumerate subdomains used by target
    * usually stored on target dns servers
    * useful tools
        * [knock](https://github.com/guelfoweb/knock/): brute-forcing tool
        * [sublist3r](https://github.com/aboul3la/Sublist3r): uses search engines for domain names
        * [SubBrute](https://github.com/TheRook/subbrute): uses open resolvers as proxies for dns queries
* search engines can provide useful info
    * search for employees or company websites
    * look at job offers
    * ...
    * use fancy lookup syntax
* DNS
    * translates domain names to IP addresses
    * **NS**: nameserver
    * **A**: address
    * **MX**: mail server address for domain
    * **TXT**: plain text strings for domain
    * **CNAME**: aliases for domain names
    * **SOA**: indicates that server is authoritative for DNS zone
    * **PTR**: pointer for inverse lookup (IP -> domain)
    * zone transfer: mechanism used to replicate DNS DB info to other server
        * allow secondary servers to sync with primary one
        * can be exploited to receive full information from DNS server
        * should be disabled for properly configured server
* useful tools
    * recon-ng framework
        * open reconaissance framework
        * does a lot automatically
        * the perfect automated stalker tool
        * can detect antivirus by checking which dns entries are cached in domain servers
    * spiderfoot framework
        * OSINT automation tool
    * OWASP AMASS framework
    * GitHub
        * filled with leaked secrets
        * trufflehog and git-all-secrets automatically scan GitHub for leaks
    * [have i been pwned](https://haveibeenpwned.com/)
hoofdstuk 2 stuff 2024-12-27 12:05:42 +01:00			`# Planning, Scoping, Recon and OSINT`

			`* Threat: agent or actor that can cause harm`
			`* Vulnerability: flaw that can be exploited to cause harm`
			`* Risk: overlap between threat and vulnerability`
			`* Exploit: code or technique that a threat uses to take advantage of a`
			`vulnerability`
			`* Hacking: manipulate technology to make it do something it's not designed`
			`to do`
			`* Ethnical hacking (white hat): hacking with the permission of the target`
			`* Penetration testing: ethical hacking with the goal of finding and`
			`exploiting security vulnerabilities in target environment and reporting`
			`them`
			`* modelling techniques used by real-world attackers`
			`* determine risk to company`
			`* Security audit`
			`* testing against a rigorous set of standards`
			`* detailed checklists`
			`* more in-depth than pen test`

			`## Types of penetration tests`

			`* Network services test`
			`* find target systems on network`
			`* look for openings in OS or running network services and exploit them`
			`* over the internet or from within breached network`
			`* Client-side software test`
			`* look for vulnerabilities in client-side software (e.g. browsers)`
			`* Web application test`
			`* look for vulnerabilities in web-based applications deployed in the target`
			`environment`
			`* Social engineering / phishing test`
			`* attempt to trick user into revealing sensitive information`
			`* using phishing mails to make users click malicious links`
			`* Wireless security test`
			`* find unauthorized wireless access points or authorized ones with security`
			`weaknesses`
			`* Physical security test`
			`* look for flaws in physical security practices`
			`* literally try to break in`
			`* dumpster diving`
			`* Stolen equipment test`
			`* "obtain" (steal) a piece of equipment (e.g. laptop) and analyse it for`
			`sensitive info`
			`* Cryptanalysis attack`
			`* break or bypass encryption on local or intercepted data`
			`* Product security test`
			`* look for security flaws in software products that can be installed in`
			`tester's lab`
			`* Remote war dial test (obsolete)`
			`* attempt to log into discovered modems`

			`## Phases of an attack`

			`1. Reconnaissance: OSINT, social engineering, dumpster diving...`
			`2. Scanning: finding openings in the systems, listening ports...`
			`3. Exploitation / gaining access: attempt to access and take control of target`
			`devices`

			`* Malicious actors go further`
			`* install backdoors and rootkits`
			`* cover tracks with covert channels, log editing...`

			`* public/free testing methodologies`
			`* Open Source Security Testing Methodology Manual ([OSSTMM](https://www.isecom.org/research.html))`
			`* Pen Testing Execution Standard ([PTES](Pen Testing Execution Standard))`
			`* [NIST](https://csrc.nist.gov/publications/detail/sp/800-115/final) (US National Institute of Standards and Technology)`
			`* ...`

			`## Lab`

			`* Testing machine: system used by pentester to attack other machines`
			`* don't use for anything personal`
			`* should be hardened to avoid being attacked themselves`
			`* scrub results between tests (avoid confusion, leave no trace)`
			`* Target machine: machine being attacked/evaluated`

			`## The pentesting process`

			`* three phases`
			`1. preparation`
			`* perform necesary paperwork`
			`* clearly define rules of engagement`
			`2. testing: conduct the test`
			`3. conclusion`
			`* detailed analysis of results`
			`* write report`

			`### rules of engagement`

			`* must be defined in advance`
			`* clear outline of what's allowed and what's not`
			`* emergency contact information`
			`* safe means of communication`
			`* possible briefing calls`
			`* agreement on period of engagement`
			`* whether sysadmins are informed or not`
			`* how much info is shared`
			`* black box: no info shared`
			`* more closely mimicks a true attack`
			`* takes longer`
			`* grey box: some info, e.g. password for non-privileged user`
			`* balance between efficiency and realism`
			`* white box: testers get everything`
			`* what data can be viewed`
			`* remove personal data from sniffed packets`
			`* sometimes samples are allowed to prove they were there`
			`* should be signed off before anything is done`

			`### Scoping`

			`* determine what should be focused on`
			`* ask organisation what their biggest weaknesses are`
			`* avoid scope creep`
			`* ensure all targetted systems are allowed within scope`
			`* third-party systems should give written permission`
			`* large cloud ventors usually have pen testing rules in place`
			`* ideally run test on staging environment (don't break prod)`
			`* checking inside vulnerabilities`
			`* team travels onsite`
			`* team gets vpn or ssh access`
			`* scope must specify level of testing allowed`
			`* ping sweep`
			`* port scanning`
			* full on `nmap -A`
			`* physical penetration attempts`
			`* social engineering`
			`* DoS checks`
			`* use of dangerous exploits`

			`### Reporting and inventory management`

			`* report is important`
			`* only thing the client will read`
			`* should clearly define what's the problem`
			`* write it as you go`
			`* convince client the problem is real and in the room with them`
			`* rank vulnerabilities according to severity`
			`* executive summary`
			`* statement of confidentiality: how to treat this document`
			`* engagement contacts: who was involved`
			`* summary for management to read`
			`* most important conclusions`
			`* what should be fixed`
			`* what's been done`
			`* pentest assessment summary: overview of most important findings`
			`* detailed walktrhough: technical overview`
			`* technical`
			`* deep technical findings`
			`* big nerd talk for the nerds`
			`* remediation summary`
			`* short, medium and long-term recommendations`
			`* summarize project, scope and security state of target`
			`* appendices`
			`* output of commands`
			`* data dumps`
			`* password reviews`

			`## Reconnaissance`

			`* collect as much information as possible before launching any attack`
			`* Passive: gather info without direct interaction with target`
			`* via social media`
			`* corporate website`
			`* search engines`
			`* ...`
			`* Active: interact directly with target system`
			`* scanning`
			`* enumeration`
			`* higher risk of detection`
			`* social engineering`
			`* important role in information gathering`
			`* life cycle`
			`1. investigate`
			`* gather information about targets`
			`* find details about them (job, personal interests...)`
			`2. hook`
			`* create plausible scenario to engage with target`
			`* establish trust`
			`3. play`
			`* manipulate target into providing desired information`
			`* trick target into revealing sensitive information`
			`4. exit`
			`* cover tracks to avoid detection`
			`* document metadata analysis`
			`* gather information from e.g. pdf metadata tags`
			`* reveals what software they use, who works there`
			`* lots of documents are (accidentally) publicly available`
			`* use crawlers and search engines`
			`* domain info`
			`* WHOIS ([Belgium](https://www.dnsbelgium.be/))`
			`* query registries about domains`
			`* can contain contact information of sysadmins`
			`* list domain servers`
			`* not as useful now due to privacy laws`
			`* Regional Internet Registries (RIRs) offer databases for IP -> domain lookup`
			`* subdomain discovery`
			`* enumerate subdomains used by target`
			`* usually stored on target dns servers`
			`* useful tools`
			`* [knock](https://github.com/guelfoweb/knock/): brute-forcing tool`
			`* [sublist3r](https://github.com/aboul3la/Sublist3r): uses search engines for domain names`
			`* [SubBrute](https://github.com/TheRook/subbrute): uses open resolvers as proxies for dns queries`
			`* search engines can provide useful info`
			`* search for employees or company websites`
			`* look at job offers`
			`* ...`
			`* use fancy lookup syntax`
			`* DNS`
			`* translates domain names to IP addresses`
			`* NS: nameserver`
			`* A: address`
			`* MX: mail server address for domain`
			`* TXT: plain text strings for domain`
			`* CNAME: aliases for domain names`
			`* SOA: indicates that server is authoritative for DNS zone`
			`* PTR: pointer for inverse lookup (IP -> domain)`
			`* zone transfer: mechanism used to replicate DNS DB info to other server`
			`* allow secondary servers to sync with primary one`
			`* can be exploited to receive full information from DNS server`
			`* should be disabled for properly configured server`
			`* useful tools`
			`* recon-ng framework`
			`* open reconaissance framework`
			`* does a lot automatically`
			`* the perfect automated stalker tool`
			`* can detect antivirus by checking which dns entries are cached in domain servers`
			`* spiderfoot framework`
			`* OSINT automation tool`
			`* OWASP AMASS framework`
			`* GitHub`
			`* filled with leaked secrets`
			`* trufflehog and git-all-secrets automatically scan GitHub for leaks`
			`* [have i been pwned](https://haveibeenpwned.com/)`