chapter 2 stuff

main
Jef Roosens 2024-12-27 12:05:42 +01:00
parent feb7ef7bd3
commit d5287c4f1b
No known key found for this signature in database
GPG Key ID: 69D2F0660E385613
7 changed files with 313 additions and 130 deletions

1
.gitignore vendored 100644

@ -0,0 +1 @@
*.pdf

70
01_introduction.md 100644

@ -0,0 +1,70 @@
# Introduction
## Teams involved in security
* red: attack team
* test effectiveness of security by performing attacks
* blue: defend team
* defend against attacks by constantly surveiling the network
* yellow: build team
* builds applications that can be used by the other teams
* sharing knowledge
* orange: builders learn from attackers
* green: builder learn from defenders
* purple: defenders learn from attackers
![Teams](img/ch01/security-teams.jpg)
## Penetration testing
### Penetration testers <-> red teams
* penetration testing
* methodical approach
* limited by Rules of Engagement (restricted scope)
* 1-2 week engagement
* generally announced
* goal is to assess security of network and systems
* red team
* flexible approach
* anything goes (as long as it's legal)
* 1 week to 6 months engagement
* no announcement
* goal is to test general security posture of company
### Penetrating testing <-> vulnerability assessments
* penetration testing
* find vulnerabilities, both automated and manually
* exploit them
* attempt to gather confidential data
* intended to go deeper and focus on technical issues
* vulnerability assessment
* find vulnerabilities through automated means
* don't exploit them or gather data
* broader and often includes explicit policy and procedure review
### assumed breach exercise
* pentest where attackers are assumed to already be inside
* malware is dropped inside company boundaries
* getting caught not the end -> reset and try again
* **Time To Detect** (TTD): how long it takes to notice breach
* **Time To Mitigate** (TTM): how long it takes to perform corrective action
### Useful resources
* [MITRE](https://attack.mitre.org/): knowledge base of attack tactics and
techniques
* explanation of **TTP**s (Tactics, Techniques and Procecures)
* [APT Groups and Operations](https://apt.threattracking.com/): Google doc containing
list of dangerous groups
* [Cyber Fundamentals](https://atwork.safeonweb.be/nl/tools-resources/cyberfundamentals-framework)
* concrete measures on how to protect data and ensure safety in company
* four assurance levels
* five core functions
1. identify
2. protect
3. detect
4. respond
5. recover
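Review bot: a few spelling slips in the new text: `Procecures` in the TTP expansion should be `Procedures`, `surveiling` should be `surveilling`, `builder learn from defenders` should be `builders learn from defenders`, and the heading `### Penetrating testing <-> vulnerability assessments` should read `Penetration testing`. Heading capitalisation is also inconsistent: `### assumed breach exercise` is lowercase while its sibling headings are capitalised. The APT Groups entry now links to apt.threattracking.com rather than attack.mitre.org, which corrects the mistake in the old copy of this file.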

234
02_planning.md 100644

@ -0,0 +1,234 @@
# Planning, Scoping, Recon and OSINT
* **Threat**: agent or actor that can cause harm
* **Vulnerability**: flaw that can be exploited to cause harm
* **Risk**: overlap between threat and vulnerability
* **Exploit**: code or technique that a threat uses to take advantage of a
vulnerability
* **Hacking**: manipulate technology to make it do something it's not designed
to do
* **Ethnical hacking** (white hat): hacking with the permission of the target
* **Penetration testing**: ethical hacking with the goal of finding and
exploiting security vulnerabilities in target environment and reporting
them
* modelling techniques used by real-world attackers
* determine risk to company
* **Security audit**
* testing against a rigorous set of standards
* detailed checklists
* more in-depth than pen test
## Types of penetration tests
* Network services test
* find target systems on network
* look for openings in OS or running network services and exploit them
* over the internet or from within breached network
* Client-side software test
* look for vulnerabilities in client-side software (e.g. browsers)
* Web application test
* look for vulnerabilities in web-based applications deployed in the target
environment
* Social engineering / phishing test
* attempt to trick user into revealing sensitive information
* using phishing mails to make users click malicious links
* Wireless security test
* find unauthorized wireless access points or authorized ones with security
weaknesses
* Physical security test
* look for flaws in physical security practices
* literally try to break in
* dumpster diving
* Stolen equipment test
* "obtain" (steal) a piece of equipment (e.g. laptop) and analyse it for
sensitive info
* Cryptanalysis attack
* break or bypass encryption on local or intercepted data
* Product security test
* look for security flaws in software products that can be installed in
tester's lab
* Remote war dial test (obsolete)
* attempt to log into discovered modems
## Phases of an attack
1. Reconnaissance: OSINT, social engineering, dumpster diving...
2. Scanning: finding openings in the systems, listening ports...
3. Exploitation / gaining access: attempt to access and take control of target
devices
* Malicious actors go further
* install backdoors and rootkits
* cover tracks with covert channels, log editing...
* public/free testing methodologies
* Open Source Security Testing Methodology Manual ([OSSTMM](https://www.isecom.org/research.html))
* Pen Testing Execution Standard ([PTES](Pen Testing Execution Standard))
* [NIST](https://csrc.nist.gov/publications/detail/sp/800-115/final) (US National Institute of Standards and Technology)
* ...
## Lab
* **Testing machine**: system used by pentester to attack other machines
* don't use for anything personal
* should be hardened to avoid being attacked themselves
* scrub results between tests (avoid confusion, leave no trace)
* **Target machine**: machine being attacked/evaluated
## The pentesting process
* three phases
1. preparation
* perform necesary paperwork
* clearly define rules of engagement
2. testing: conduct the test
3. conclusion
* detailed analysis of results
* write report
### rules of engagement
* must be defined in advance
* clear outline of what's allowed and what's not
* emergency contact information
* safe means of communication
* possible briefing calls
* agreement on period of engagement
* whether sysadmins are informed or not
* how much info is shared
* **black box**: no info shared
* more closely mimicks a true attack
* takes longer
* **grey box**: some info, e.g. password for non-privileged user
* balance between efficiency and realism
* **white box**: testers get everything
* what data can be viewed
* remove personal data from sniffed packets
* sometimes samples are allowed to prove they were there
* should be signed off before anything is done
### Scoping
* determine what should be focused on
* ask organisation what their biggest weaknesses are
* avoid scope creep
* ensure all targetted systems are allowed within scope
* third-party systems should give *written* permission
* large cloud ventors usually have pen testing rules in place
* ideally run test on staging environment (don't break prod)
* checking inside vulnerabilities
* team travels onsite
* team gets vpn or ssh access
* scope must specify level of testing allowed
* ping sweep
* port scanning
* full on `nmap -A`
* physical penetration attempts
* social engineering
* DoS checks
* use of dangerous exploits
### Reporting and inventory management
* report is important
* only thing the client will read
* should clearly define what's the problem
* write it as you go
* convince client the problem is real and in the room with them
* rank vulnerabilities according to severity
* executive summary
* statement of confidentiality: how to treat this document
* engagement contacts: who was involved
* summary for management to read
* most important conclusions
* what should be fixed
* what's been done
* pentest assessment summary: overview of most important findings
* detailed walktrhough: technical overview
* technical
* deep technical findings
* big nerd talk for the nerds
* remediation summary
* short, medium and long-term recommendations
* summarize project, scope and security state of target
* appendices
* output of commands
* data dumps
* password reviews
## Reconnaissance
* collect as much information as possible before launching any attack
* **Passive**: gather info without direct interaction with target
* via social media
* corporate website
* search engines
* ...
* **Active**: interact directly with target system
* scanning
* enumeration
* higher risk of detection
* social engineering
* important role in information gathering
* life cycle
1. investigate
* gather information about targets
* find details about them (job, personal interests...)
2. hook
* create plausible scenario to engage with target
* establish trust
3. play
* manipulate target into providing desired information
* trick target into revealing sensitive information
4. exit
* cover tracks to avoid detection
* document metadata analysis
* gather information from e.g. pdf metadata tags
* reveals what software they use, who works there
* lots of documents are (accidentally) publicly available
* use crawlers and search engines
* domain info
* WHOIS ([Belgium](https://www.dnsbelgium.be/))
* query registries about domains
* can contain contact information of sysadmins
* list domain servers
* not as useful now due to privacy laws
* Regional Internet Registries (RIRs) offer databases for IP -> domain lookup
* subdomain discovery
* enumerate subdomains used by target
* usually stored on target dns servers
* useful tools
* [knock](https://github.com/guelfoweb/knock/): brute-forcing tool
* [sublist3r](https://github.com/aboul3la/Sublist3r): uses search engines for domain names
* [SubBrute](https://github.com/TheRook/subbrute): uses open resolvers as proxies for dns queries
* search engines can provide useful info
* search for employees or company websites
* look at job offers
* ...
* use fancy lookup syntax
* DNS
* translates domain names to IP addresses
* **NS**: nameserver
* **A**: address
* **MX**: mail server address for domain
* **TXT**: plain text strings for domain
* **CNAME**: aliases for domain names
* **SOA**: indicates that server is authoritative for DNS zone
* **PTR**: pointer for inverse lookup (IP -> domain)
* zone transfer: mechanism used to replicate DNS DB info to other server
* allow secondary servers to sync with primary one
* can be exploited to receive full information from DNS server
* should be disabled for properly configured server
* useful tools
* recon-ng framework
* open reconaissance framework
* does a lot automatically
* the perfect automated stalker tool
* can detect antivirus by checking which dns entries are cached in domain servers
* spiderfoot framework
* OSINT automation tool
* OWASP AMASS framework
* GitHub
* filled with leaked secrets
* trufflehog and git-all-secrets automatically scan GitHub for leaks
* [have i been pwned](https://haveibeenpwned.com/)
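Review bot: the PTES link is broken: `* Pen Testing Execution Standard ([PTES](Pen Testing Execution Standard))` uses the name as the link target, so pandoc will emit a dead relative link; replace the parenthesised part with the real PTES URL (not present on this page, so left as a placeholder here). Spelling: `Ethnical hacking` should be `Ethical hacking`, `necesary` -> `necessary`, `mimicks` -> `mimics`, `targetted` -> `targeted`, `ventors` -> `vendors`, `walktrhough` -> `walkthrough`, `reconaissance` -> `reconnaissance`. The recon-ng bullet `can detect antivirus by checking which dns entries are cached in domain servers` would be clearer if it named the technique (DNS cache snooping) so the reader can look it up. Headings again mix lowercase (`### rules of engagement`) and capitalised (`### Scoping`, `### Reporting and inventory management`) forms.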

1
03_scanning.md 100644

@ -0,0 +1 @@
# Scanning

2
Makefile 100644

@ -0,0 +1,2 @@
samenvatting.pdf: *.md metadata.yml
pandoc --toc -o $@ $^
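Review bot: `$^` passes metadata.yml to pandoc as an input file next to the Markdown sources, so the rule depends on pandoc treating a `.yml` input as a metadata file; the explicit form `pandoc --toc --metadata-file=metadata.yml -o $@ *.md`, with metadata.yml kept in the prerequisite list so the PDF is rebuilt when it changes, states the intent directly. Note also that the `*.md` prerequisite expands in alphabetical order, so the chapter ordering relies on the numeric filename prefixes being kept consistent, and that producing a PDF requires a LaTeX engine to be installed, which is worth documenting for anyone else building the summary.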

5
metadata.yml 100644

@ -0,0 +1,5 @@
---
geometry:
- top=30mm
- left=30mm
---
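Review bot: only `top` and `left` are set, so the bottom and right margins stay at the geometry package defaults and the page comes out asymmetric; if 30 mm on every side is intended, the two entries can be replaced by a single `- margin=30mm`.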


@ -1,130 +0,0 @@
# Introduction
## Teams involved in security
* red: attack team
* test effectiveness of security by performing attacks
* blue: defend team
* defend against attacks by constantly surveiling the network
* yellow: build team
* builds applications that can be used by the other teams
* sharing knowledge
* orange: builders learn from attackers
* green: builder learn from defenders
* purple: defenders learn from attackers
![Teams](img/ch01/security-teams.jpg)
## Penetration testing
### Penetration testers <-> red teams
* penetration testing
* methodical approach
* limited by Rules of Engagement (restricted scope)
* 1-2 week engagement
* generally announced
* goal is to assess security of network and systems
* red team
* flexible approach
* anything goes (as long as it's legal)
* 1 week to 6 months engagement
* no announcement
* goal is to test general security posture of company
### Penetrating testing <-> vulnerability assessments
* penetration testing
* find vulnerabilities, both automated and manually
* exploit them
* attempt to gather confidential data
* inteded to go deeper and focus on technical issues
* vulnerability assessment
* find vulnerabilities through automated means
* don't exploit them or gather data
* broader and often includes explicit policy and procedure review
### assumed breach exercise
* pentest where attackers are assumed to already be inside
* malware is dropped inside company boundaries
* getting caught not the end -> reset and try again
* **Time To Detect** (TTD): how long it takes to notice breach
* **Time To Mitigate** (TTM): how long it takes to perform corrective action
### Useful resources
* [MITRE](https://attack.mitre.org/): knowledge base of attack tactics and
techniques
* [APT Groups and Operations](https://attack.mitre.org/): Google doc containing
list of dangerous groups
* [Cyber Fundamentals](https://atwork.safeonweb.be/nl/tools-resources/cyberfundamentals-framework)
* concrete measures on how to protect data and ensure safety in company
* four assurance levels
* five core functions
1. identify
2. protect
3. detect
4. respond
5. recover
# Planning, Scoping, Recon and OSINT
* **Threat**: agent or actor that can cause harm
* **Vulnerability**: flaw that can be exploited to cause harm
* **Risk**: overlap between threat and vulnerability
* **Exploit**: code or technique that a threat uses to take advantage of a
vulnerability
* **Hacking**: manipulate technology to make it do something it's not designed
to do
* **Ethnical hacking** (white hat): hacking with the permission of the target
* **Penetration testing**: ethical hacking with the goal of finding and
exploiting security vulnerabilities in target environment and reporting
them
* **Security audit**
* testing against a rigorous set of standards
* detailed checklists
* more in-depth than pen test
## Types of penetration tests
* Network services test
* find target systems on network
* look for openings in OS or running network services and exploit them
* over the internet or from within breached network
* Client-side software test
* look for vulnerabilities in client-side software (e.g. browsers)
* Web application test
* look for vulnerabilities in web-based applications deployed in the target
environment
* Social engineering / phishing test
* attempt to trick user into revealing sensitive information
* using phishing mails to make users click malicious links
* Wireless security test
* find unauthorized wireless access points or authorized ones with security
weaknesses
* Physical security test
* look for flaws in physical security practices
* literally try to break in
* dumpster diving
* Stolen equipment test
* "obtain" (steal) a piece of equipment (e.g. laptop) and analyse it for
sensitive info
* Cryptanalysis attack
* break or bypass encryption on local or intercepted data
* Product security test
* look for security flaws in software products that can be installed in
tester's lab
* Remote war dial test (obsolete)
* attempt to log into discovered modems
## Phases of an attack
1. Reconnaissance: OSINT, social engineering, dumpster diving...
2. Scanning: finidngo penings in the systems, listening ports...
3. Exploitation / gaining access: attempt to access and take control of target
devices
* Malicious actors go further
* install backdoors and rootkits
* cover tracks with covert channels, log editing...
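Review bot: this hunk deletes the single combined notes file (its name is not shown on the page) whose content was split into 01_introduction.md and 02_planning.md above; the new copies also fix `inteded`, `finidngo penings` and the APT Groups link that wrongly pointed at attack.mitre.org. Only the first part of the 130 deleted lines is visible here, so check that everything after `cover tracks with covert channels, log editing...` was carried over into 02_planning.md and that nothing was lost in the move.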