chapter 2 stuff
parent
feb7ef7bd3
commit
d5287c4f1b
|
@ -0,0 +1 @@
|
||||||
|
*.pdf
|
|
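Review bot: `*.pdf` ignores every PDF anywhere in the repository, not just the build output, so any source PDFs added later (slides, reference papers) would be silently untracked. The Makefile in this commit only ever produces `samenvatting.pdf`; anchoring the pattern as `/samenvatting.pdf` keeps the ignore list exact and makes a forgotten `git add` of other PDFs visible.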
@ -0,0 +1,70 @@
|
||||||
|
# Introduction
|
||||||
|
|
||||||
|
## Teams involved in security
|
||||||
|
|
||||||
|
* red: attack team
|
||||||
|
* test effectiveness of security by performing attacks
|
||||||
|
* blue: defend team
|
||||||
|
* defend against attacks by constantly surveiling the network
|
||||||
|
* yellow: build team
|
||||||
|
* builds applications that can be used by the other teams
|
||||||
|
* sharing knowledge
|
||||||
|
* orange: builders learn from attackers
|
||||||
|
* green: builder learn from defenders
|
||||||
|
* purple: defenders learn from attackers
|
||||||
|
|
||||||
|
![Teams](img/ch01/security-teams.jpg)
|
||||||
|
|
||||||
|
## Penetration testing
|
||||||
|
|
||||||
|
### Penetration testers <-> red teams
|
||||||
|
|
||||||
|
* penetration testing
|
||||||
|
* methodical approach
|
||||||
|
* limited by Rules of Engagement (restricted scope)
|
||||||
|
* 1-2 week engagement
|
||||||
|
* generally announced
|
||||||
|
* goal is to assess security of network and systems
|
||||||
|
* red team
|
||||||
|
* flexible approach
|
||||||
|
* anything goes (as long as it's legal)
|
||||||
|
* 1 week to 6 months engagement
|
||||||
|
* no announcement
|
||||||
|
* goal is to test general security posture of company
|
||||||
|
|
||||||
|
### Penetrating testing <-> vulnerability assessments
|
||||||
|
|
||||||
|
* penetration testing
|
||||||
|
* find vulnerabilities, both automated and manually
|
||||||
|
* exploit them
|
||||||
|
* attempt to gather confidential data
|
||||||
|
* intended to go deeper and focus on technical issues
|
||||||
|
* vulnerability assessment
|
||||||
|
* find vulnerabilities through automated means
|
||||||
|
* don't exploit them or gather data
|
||||||
|
* broader and often includes explicit policy and procedure review
|
||||||
|
|
||||||
|
### assumed breach exercise
|
||||||
|
|
||||||
|
* pentest where attackers are assumed to already be inside
|
||||||
|
* malware is dropped inside company boundaries
|
||||||
|
* getting caught not the end -> reset and try again
|
||||||
|
* **Time To Detect** (TTD): how long it takes to notice breach
|
||||||
|
* **Time To Mitigate** (TTM): how long it takes to perform corrective action
|
||||||
|
|
||||||
|
### Useful resources
|
||||||
|
|
||||||
|
* [MITRE](https://attack.mitre.org/): knowledge base of attack tactics and
|
||||||
|
techniques
|
||||||
|
* explanation of **TTP**s (Tactics, Techniques and Procecures)
|
||||||
|
* [APT Groups and Operations](https://apt.threattracking.com/): Google doc containing
|
||||||
|
list of dangerous groups
|
||||||
|
* [Cyber Fundamentals](https://atwork.safeonweb.be/nl/tools-resources/cyberfundamentals-framework)
|
||||||
|
* concrete measures on how to protect data and ensure safety in company
|
||||||
|
* four assurance levels
|
||||||
|
* five core functions
|
||||||
|
1. identify
|
||||||
|
2. protect
|
||||||
|
3. detect
|
||||||
|
4. respond
|
||||||
|
5. recover
|
|
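Review bot: a handful of spelling and wording slips in the new chapter file should be fixed before it goes into the PDF: `defend against attacks by constantly surveiling the network` (surveilling), `green: builder learn from defenders` (builders), `### Penetrating testing <-> vulnerability assessments` (Penetration testing) and `explanation of **TTP**s (Tactics, Techniques and Procecures)` (Procedures). The resource list links `[MITRE](https://attack.mitre.org/)` but the URL is the ATT&CK knowledge base, so the label should read MITRE ATT&CK; MITRE itself is the organisation. The image reference `![Teams](img/ch01/security-teams.jpg)` points at a file that does not appear in this diff; if it is not already tracked, the LaTeX step of the pandoc build will fail on the missing graphic.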
@ -0,0 +1,234 @@
|
||||||
|
# Planning, Scoping, Recon and OSINT
|
||||||
|
|
||||||
|
* **Threat**: agent or actor that can cause harm
|
||||||
|
* **Vulnerability**: flaw that can be exploited to cause harm
|
||||||
|
* **Risk**: overlap between threat and vulnerability
|
||||||
|
* **Exploit**: code or technique that a threat uses to take advantage of a
|
||||||
|
vulnerability
|
||||||
|
* **Hacking**: manipulate technology to make it do something it's not designed
|
||||||
|
to do
|
||||||
|
* **Ethnical hacking** (white hat): hacking with the permission of the target
|
||||||
|
* **Penetration testing**: ethical hacking with the goal of finding and
|
||||||
|
exploiting security vulnerabilities in target environment and reporting
|
||||||
|
them
|
||||||
|
* modelling techniques used by real-world attackers
|
||||||
|
* determine risk to company
|
||||||
|
* **Security audit**
|
||||||
|
* testing against a rigorous set of standards
|
||||||
|
* detailed checklists
|
||||||
|
* more in-depth than pen test
|
||||||
|
|
||||||
|
## Types of penetration tests
|
||||||
|
|
||||||
|
* Network services test
|
||||||
|
* find target systems on network
|
||||||
|
* look for openings in OS or running network services and exploit them
|
||||||
|
* over the internet or from within breached network
|
||||||
|
* Client-side software test
|
||||||
|
* look for vulnerabilities in client-side software (e.g. browsers)
|
||||||
|
* Web application test
|
||||||
|
* look for vulnerabilities in web-based applications deployed in the target
|
||||||
|
environment
|
||||||
|
* Social engineering / phishing test
|
||||||
|
* attempt to trick user into revealing sensitive information
|
||||||
|
* using phishing mails to make users click malicious links
|
||||||
|
* Wireless security test
|
||||||
|
* find unauthorized wireless access points or authorized ones with security
|
||||||
|
weaknesses
|
||||||
|
* Physical security test
|
||||||
|
* look for flaws in physical security practices
|
||||||
|
* literally try to break in
|
||||||
|
* dumpster diving
|
||||||
|
* Stolen equipment test
|
||||||
|
* "obtain" (steal) a piece of equipment (e.g. laptop) and analyse it for
|
||||||
|
sensitive info
|
||||||
|
* Cryptanalysis attack
|
||||||
|
* break or bypass encryption on local or intercepted data
|
||||||
|
* Product security test
|
||||||
|
* look for security flaws in software products that can be installed in
|
||||||
|
tester's lab
|
||||||
|
* Remote war dial test (obsolete)
|
||||||
|
* attempt to log into discovered modems
|
||||||
|
|
||||||
|
## Phases of an attack
|
||||||
|
|
||||||
|
1. Reconnaissance: OSINT, social engineering, dumpster diving...
|
||||||
|
2. Scanning: finding openings in the systems, listening ports...
|
||||||
|
3. Exploitation / gaining access: attempt to access and take control of target
|
||||||
|
devices
|
||||||
|
|
||||||
|
* Malicious actors go further
|
||||||
|
* install backdoors and rootkits
|
||||||
|
* cover tracks with covert channels, log editing...
|
||||||
|
|
||||||
|
* public/free testing methodologies
|
||||||
|
* Open Source Security Testing Methodology Manual ([OSSTMM](https://www.isecom.org/research.html))
|
||||||
|
* Pen Testing Execution Standard ([PTES](Pen Testing Execution Standard))
|
||||||
|
* [NIST](https://csrc.nist.gov/publications/detail/sp/800-115/final) (US National Institute of Standards and Technology)
|
||||||
|
* ...
|
||||||
|
|
||||||
|
## Lab
|
||||||
|
|
||||||
|
* **Testing machine**: system used by pentester to attack other machines
|
||||||
|
* don't use for anything personal
|
||||||
|
* should be hardened to avoid being attacked themselves
|
||||||
|
* scrub results between tests (avoid confusion, leave no trace)
|
||||||
|
* **Target machine**: machine being attacked/evaluated
|
||||||
|
|
||||||
|
## The pentesting process
|
||||||
|
|
||||||
|
* three phases
|
||||||
|
1. preparation
|
||||||
|
* perform necesary paperwork
|
||||||
|
* clearly define rules of engagement
|
||||||
|
2. testing: conduct the test
|
||||||
|
3. conclusion
|
||||||
|
* detailed analysis of results
|
||||||
|
* write report
|
||||||
|
|
||||||
|
### rules of engagement
|
||||||
|
|
||||||
|
* must be defined in advance
|
||||||
|
* clear outline of what's allowed and what's not
|
||||||
|
* emergency contact information
|
||||||
|
* safe means of communication
|
||||||
|
* possible briefing calls
|
||||||
|
* agreement on period of engagement
|
||||||
|
* whether sysadmins are informed or not
|
||||||
|
* how much info is shared
|
||||||
|
* **black box**: no info shared
|
||||||
|
* more closely mimicks a true attack
|
||||||
|
* takes longer
|
||||||
|
* **grey box**: some info, e.g. password for non-privileged user
|
||||||
|
* balance between efficiency and realism
|
||||||
|
* **white box**: testers get everything
|
||||||
|
* what data can be viewed
|
||||||
|
* remove personal data from sniffed packets
|
||||||
|
* sometimes samples are allowed to prove they were there
|
||||||
|
* should be signed off before anything is done
|
||||||
|
|
||||||
|
### Scoping
|
||||||
|
|
||||||
|
* determine what should be focused on
|
||||||
|
* ask organisation what their biggest weaknesses are
|
||||||
|
* avoid scope creep
|
||||||
|
* ensure all targetted systems are allowed within scope
|
||||||
|
* third-party systems should give *written* permission
|
||||||
|
* large cloud ventors usually have pen testing rules in place
|
||||||
|
* ideally run test on staging environment (don't break prod)
|
||||||
|
* checking inside vulnerabilities
|
||||||
|
* team travels onsite
|
||||||
|
* team gets vpn or ssh access
|
||||||
|
* scope must specify level of testing allowed
|
||||||
|
* ping sweep
|
||||||
|
* port scanning
|
||||||
|
* full on `nmap -A`
|
||||||
|
* physical penetration attempts
|
||||||
|
* social engineering
|
||||||
|
* DoS checks
|
||||||
|
* use of dangerous exploits
|
||||||
|
|
||||||
|
### Reporting and inventory management
|
||||||
|
|
||||||
|
* report is important
|
||||||
|
* only thing the client will read
|
||||||
|
* should clearly define what's the problem
|
||||||
|
* write it as you go
|
||||||
|
* convince client the problem is real and in the room with them
|
||||||
|
* rank vulnerabilities according to severity
|
||||||
|
* executive summary
|
||||||
|
* statement of confidentiality: how to treat this document
|
||||||
|
* engagement contacts: who was involved
|
||||||
|
* summary for management to read
|
||||||
|
* most important conclusions
|
||||||
|
* what should be fixed
|
||||||
|
* what's been done
|
||||||
|
* pentest assessment summary: overview of most important findings
|
||||||
|
* detailed walktrhough: technical overview
|
||||||
|
* technical
|
||||||
|
* deep technical findings
|
||||||
|
* big nerd talk for the nerds
|
||||||
|
* remediation summary
|
||||||
|
* short, medium and long-term recommendations
|
||||||
|
* summarize project, scope and security state of target
|
||||||
|
* appendices
|
||||||
|
* output of commands
|
||||||
|
* data dumps
|
||||||
|
* password reviews
|
||||||
|
|
||||||
|
## Reconnaissance
|
||||||
|
|
||||||
|
* collect as much information as possible before launching any attack
|
||||||
|
* **Passive**: gather info without direct interaction with target
|
||||||
|
* via social media
|
||||||
|
* corporate website
|
||||||
|
* search engines
|
||||||
|
* ...
|
||||||
|
* **Active**: interact directly with target system
|
||||||
|
* scanning
|
||||||
|
* enumeration
|
||||||
|
* higher risk of detection
|
||||||
|
* social engineering
|
||||||
|
* important role in information gathering
|
||||||
|
* life cycle
|
||||||
|
1. investigate
|
||||||
|
* gather information about targets
|
||||||
|
* find details about them (job, personal interests...)
|
||||||
|
2. hook
|
||||||
|
* create plausible scenario to engage with target
|
||||||
|
* establish trust
|
||||||
|
3. play
|
||||||
|
* manipulate target into providing desired information
|
||||||
|
* trick target into revealing sensitive information
|
||||||
|
4. exit
|
||||||
|
* cover tracks to avoid detection
|
||||||
|
* document metadata analysis
|
||||||
|
* gather information from e.g. pdf metadata tags
|
||||||
|
* reveals what software they use, who works there
|
||||||
|
* lots of documents are (accidentally) publicly available
|
||||||
|
* use crawlers and search engines
|
||||||
|
* domain info
|
||||||
|
* WHOIS ([Belgium](https://www.dnsbelgium.be/))
|
||||||
|
* query registries about domains
|
||||||
|
* can contain contact information of sysadmins
|
||||||
|
* list domain servers
|
||||||
|
* not as useful now due to privacy laws
|
||||||
|
* Regional Internet Registries (RIRs) offer databases for IP -> domain lookup
|
||||||
|
* subdomain discovery
|
||||||
|
* enumerate subdomains used by target
|
||||||
|
* usually stored on target dns servers
|
||||||
|
* useful tools
|
||||||
|
* [knock](https://github.com/guelfoweb/knock/): brute-forcing tool
|
||||||
|
* [sublist3r](https://github.com/aboul3la/Sublist3r): uses search engines for domain names
|
||||||
|
* [SubBrute](https://github.com/TheRook/subbrute): uses open resolvers as proxies for dns queries
|
||||||
|
* search engines can provide useful info
|
||||||
|
* search for employees or company websites
|
||||||
|
* look at job offers
|
||||||
|
* ...
|
||||||
|
* use fancy lookup syntax
|
||||||
|
* DNS
|
||||||
|
* translates domain names to IP addresses
|
||||||
|
* **NS**: nameserver
|
||||||
|
* **A**: address
|
||||||
|
* **MX**: mail server address for domain
|
||||||
|
* **TXT**: plain text strings for domain
|
||||||
|
* **CNAME**: aliases for domain names
|
||||||
|
* **SOA**: indicates that server is authoritative for DNS zone
|
||||||
|
* **PTR**: pointer for inverse lookup (IP -> domain)
|
||||||
|
* zone transfer: mechanism used to replicate DNS DB info to other server
|
||||||
|
* allow secondary servers to sync with primary one
|
||||||
|
* can be exploited to receive full information from DNS server
|
||||||
|
* should be disabled for properly configured server
|
||||||
|
* useful tools
|
||||||
|
* recon-ng framework
|
||||||
|
* open reconaissance framework
|
||||||
|
* does a lot automatically
|
||||||
|
* the perfect automated stalker tool
|
||||||
|
* can detect antivirus by checking which dns entries are cached in domain servers
|
||||||
|
* spiderfoot framework
|
||||||
|
* OSINT automation tool
|
||||||
|
* OWASP AMASS framework
|
||||||
|
* GitHub
|
||||||
|
* filled with leaked secrets
|
||||||
|
* trufflehog and git-all-secrets automatically scan GitHub for leaks
|
||||||
|
* [have i been pwned](https://haveibeenpwned.com/)
|
|
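Review bot: the PTES entry `* Pen Testing Execution Standard ([PTES](Pen Testing Execution Standard))` has a link target that is not a URL, so pandoc will emit a relative link to a non-existent path; the standard lives at http://www.pentest-standard.org/. Two technical statements need tightening: `* **SOA**: indicates that server is authoritative for DNS zone` describes NS records; the SOA is the Start of Authority record that carries the primary nameserver, the admin mailbox, the zone serial and the refresh/retry/expire timers. Likewise `* should be disabled for properly configured server` contradicts the line above it (`* allow secondary servers to sync with primary one`); the correct guidance is that AXFR must be restricted to the authorised secondaries (for example BIND's `allow-transfer`), not switched off, and a server that answers AXFR to anyone hands the whole zone to an attacker in one query. The recon-ng line `* can detect antivirus by checking which dns entries are cached in domain servers` is DNS cache snooping and is worth naming as such. `**Risk**: overlap between threat and vulnerability` reads loosely; the usual phrasing is a threat able to exploit a vulnerability, weighted by likelihood and impact. Remaining typos: `Ethnical hacking` (Ethical), `necesary`, `mimicks`, `targetted`, `ventors` (vendors), `walktrhough`, `reconaissance`.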
@ -0,0 +1 @@
|
||||||
|
# Scanning
|
|
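Review bot: this file holds only `# Scanning`, and because the Makefile feeds `*.md` to pandoc it will already produce an empty chapter in the table of contents of the generated PDF. Either keep it out of the tree until it has content or add a one-line placeholder so the empty heading is deliberate.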
@ -0,0 +1,2 @@
|
||||||
|
samenvatting.pdf: *.md metadata.yml
|
||||||
|
pandoc --toc -o $@ $^
|
|
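Review bot: `$^` expands to every `*.md` in the directory plus `metadata.yml`, so the chapter order in the PDF is whatever the shell's glob sort yields; the order only works while the chapter filenames happen to sort correctly, and any stray Markdown file (a README, a scratch note) silently becomes a chapter. Listing the chapter files explicitly in a variable, in the order they should appear, makes the build deterministic. Passing `metadata.yml` as a positional input also relies on the installed pandoc treating `.yml` inputs as metadata files rather than Markdown; `pandoc --toc --metadata-file=metadata.yml -o $@ <chapters>` removes that dependency and reads more clearly. Finally, the recipe line `pandoc --toc -o $@ $^` must start with a literal tab, which the web view does not show; worth confirming it is not spaces.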
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
geometry:
|
||||||
|
- top=30mm
|
||||||
|
- left=30mm
|
||||||
|
---
|
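Review bot: `geometry` sets only `- top=30mm` and `- left=30mm`. When the variable is present, pandoc's default LaTeX template passes exactly those options to the `geometry` package, so the right and bottom margins fall back to the package's own computed defaults and the page comes out asymmetric. Add `right=30mm` and `bottom=30mm`, or replace the two entries with a single `margin=30mm`.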
130
samenvatting.md
|
@ -1,130 +0,0 @@
|
||||||
# Introduction
|
|
||||||
|
|
||||||
## Teams involved in security
|
|
||||||
|
|
||||||
* red: attack team
|
|
||||||
* test effectiveness of security by performing attacks
|
|
||||||
* blue: defend team
|
|
||||||
* defend against attacks by constantly surveiling the network
|
|
||||||
* yellow: build team
|
|
||||||
* builds applications that can be used by the other teams
|
|
||||||
* sharing knowledge
|
|
||||||
* orange: builders learn from attackers
|
|
||||||
* green: builder learn from defenders
|
|
||||||
* purple: defenders learn from attackers
|
|
||||||
|
|
||||||
![Teams](img/ch01/security-teams.jpg)
|
|
||||||
|
|
||||||
## Penetration testing
|
|
||||||
|
|
||||||
### Penetration testers <-> red teams
|
|
||||||
|
|
||||||
* penetration testing
|
|
||||||
* methodical approach
|
|
||||||
* limited by Rules of Engagement (restricted scope)
|
|
||||||
* 1-2 week engagement
|
|
||||||
* generally announced
|
|
||||||
* goal is to assess security of network and systems
|
|
||||||
* red team
|
|
||||||
* flexible approach
|
|
||||||
* anything goes (as long as it's legal)
|
|
||||||
* 1 week to 6 months engagement
|
|
||||||
* no announcement
|
|
||||||
* goal is to test general security posture of company
|
|
||||||
|
|
||||||
### Penetrating testing <-> vulnerability assessments
|
|
||||||
|
|
||||||
* penetration testing
|
|
||||||
* find vulnerabilities, both automated and manually
|
|
||||||
* exploit them
|
|
||||||
* attempt to gather confidential data
|
|
||||||
* inteded to go deeper and focus on technical issues
|
|
||||||
* vulnerability assessment
|
|
||||||
* find vulnerabilities through automated means
|
|
||||||
* don't exploit them or gather data
|
|
||||||
* broader and often includes explicit policy and procedure review
|
|
||||||
|
|
||||||
### assumed breach exercise
|
|
||||||
|
|
||||||
* pentest where attackers are assumed to already be inside
|
|
||||||
* malware is dropped inside company boundaries
|
|
||||||
* getting caught not the end -> reset and try again
|
|
||||||
* **Time To Detect** (TTD): how long it takes to notice breach
|
|
||||||
* **Time To Mitigate** (TTM): how long it takes to perform corrective action
|
|
||||||
|
|
||||||
### Useful resources
|
|
||||||
|
|
||||||
* [MITRE](https://attack.mitre.org/): knowledge base of attack tactics and
|
|
||||||
techniques
|
|
||||||
* [APT Groups and Operations](https://attack.mitre.org/): Google doc containing
|
|
||||||
list of dangerous groups
|
|
||||||
* [Cyber Fundamentals](https://atwork.safeonweb.be/nl/tools-resources/cyberfundamentals-framework)
|
|
||||||
* concrete measures on how to protect data and ensure safety in company
|
|
||||||
* four assurance levels
|
|
||||||
* five core functions
|
|
||||||
1. identify
|
|
||||||
2. protect
|
|
||||||
3. detect
|
|
||||||
4. respond
|
|
||||||
5. recover
|
|
||||||
|
|
||||||
# Planning, Scoping, Recon and OSINT
|
|
||||||
|
|
||||||
* **Threat**: agent or actor that can cause harm
|
|
||||||
* **Vulnerability**: flaw that can be exploited to cause harm
|
|
||||||
* **Risk**: overlap between threat and vulnerability
|
|
||||||
* **Exploit**: code or technique that a threat uses to take advantage of a
|
|
||||||
vulnerability
|
|
||||||
* **Hacking**: manipulate technology to make it do something it's not designed
|
|
||||||
to do
|
|
||||||
* **Ethnical hacking** (white hat): hacking with the permission of the target
|
|
||||||
* **Penetration testing**: ethical hacking with the goal of finding and
|
|
||||||
exploiting security vulnerabilities in target environment and reporting
|
|
||||||
them
|
|
||||||
* **Security audit**
|
|
||||||
* testing against a rigorous set of standards
|
|
||||||
* detailed checklists
|
|
||||||
* more in-depth than pen test
|
|
||||||
|
|
||||||
## Types of penetration tests
|
|
||||||
|
|
||||||
* Network services test
|
|
||||||
* find target systems on network
|
|
||||||
* look for openings in OS or running network services and exploit them
|
|
||||||
* over the internet or from within breached network
|
|
||||||
* Client-side software test
|
|
||||||
* look for vulnerabilities in client-side software (e.g. browsers)
|
|
||||||
* Web application test
|
|
||||||
* look for vulnerabilities in web-based applications deployed in the target
|
|
||||||
environment
|
|
||||||
* Social engineering / phishing test
|
|
||||||
* attempt to trick user into revealing sensitive information
|
|
||||||
* using phishing mails to make users click malicious links
|
|
||||||
* Wireless security test
|
|
||||||
* find unauthorized wireless access points or authorized ones with security
|
|
||||||
weaknesses
|
|
||||||
* Physical security test
|
|
||||||
* look for flaws in physical security practices
|
|
||||||
* literally try to break in
|
|
||||||
* dumpster diving
|
|
||||||
* Stolen equipment test
|
|
||||||
* "obtain" (steal) a piece of equipment (e.g. laptop) and analyse it for
|
|
||||||
sensitive info
|
|
||||||
* Cryptanalysis attack
|
|
||||||
* break or bypass encryption on local or intercepted data
|
|
||||||
* Product security test
|
|
||||||
* look for security flaws in software products that can be installed in
|
|
||||||
tester's lab
|
|
||||||
* Remote war dial test (obsolete)
|
|
||||||
* attempt to log into discovered modems
|
|
||||||
|
|
||||||
## Phases of an attack
|
|
||||||
|
|
||||||
1. Reconnaissance: OSINT, social engineering, dumpster diving...
|
|
||||||
2. Scanning: finidngo penings in the systems, listening ports...
|
|
||||||
3. Exploitation / gaining access: attempt to access and take control of target
|
|
||||||
devices
|
|
||||||
|
|
||||||
* Malicious actors go further
|
|
||||||
* install backdoors and rootkits
|
|
||||||
* cover tracks with covert channels, log editing...
|
|
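Review bot: this hunk is a split-and-move, not a removal; everything in the deleted `samenvatting.md` reappears in the new chapter files, with small fixes carried over on the way (`2. Scanning: finidngo penings in the systems, listening ports...` becomes `finding openings`, and the APT Groups link that pointed at `https://attack.mitre.org/` now points at apt.threattracking.com). Because the chapter-2 file also grows by well over a hundred lines in the same commit, git will not detect a rename and `git log --follow` history for these notes stops here; doing the split in one commit and adding the new chapter-2 material in the next would preserve it. The deleted file ends at `cover tracks with covert channels, log editing...`, so everything in the new chapter 2 after that point (methodologies, lab, rules of engagement, scoping, reporting, reconnaissance) is new text rather than moved text and deserves a read on its own.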