# Planning, Scoping, Recon and OSINT

* **Threat**: agent or actor that can cause harm
* **Vulnerability**: flaw that can be exploited to cause harm
* **Risk**: overlap between threat and vulnerability
* **Exploit**: code or technique that a threat uses to take advantage of a vulnerability
* **Hacking**: manipulating technology to make it do something it's not designed to do
* **Ethical hacking** (white hat): hacking with the permission of the target
* **Penetration testing**: ethical hacking with the goal of finding and exploiting security vulnerabilities in the target environment and reporting them
  * models techniques used by real-world attackers
  * determines the risk to the company
* **Security audit**
  * testing against a rigorous set of standards
  * detailed checklists
  * more in-depth than a pen test

## Types of penetration tests

* Network services test
  * find target systems on the network
  * look for openings in the OS or running network services and exploit them
  * over the internet or from within a breached network
* Client-side software test
  * look for vulnerabilities in client-side software (e.g. browsers)
* Web application test
  * look for vulnerabilities in web-based applications deployed in the target environment
* Social engineering / phishing test
  * attempt to trick users into revealing sensitive information
  * use phishing mails to make users click malicious links
* Wireless security test
  * find unauthorized wireless access points, or authorized ones with security weaknesses
* Physical security test
  * look for flaws in physical security practices
  * literally try to break in
  * dumpster diving
* Stolen equipment test
  * "obtain" (steal) a piece of equipment (e.g. a laptop) and analyse it for sensitive info
* Cryptanalysis attack
  * break or bypass encryption on local or intercepted data
* Product security test
  * look for security flaws in software products that can be installed in the tester's lab
* Remote war dial test (obsolete)
  * attempt to log into discovered modems

## Phases of an attack

1. Reconnaissance: OSINT, social engineering, dumpster diving...
2. Scanning: finding openings in the systems, listening ports...
3. Exploitation / gaining access: attempt to access and take control of target devices

* Malicious actors go further
  * install backdoors and rootkits
  * cover tracks with covert channels, log editing...
* public/free testing methodologies
  * Open Source Security Testing Methodology Manual ([OSSTMM](https://www.isecom.org/research.html))
  * Pen Testing Execution Standard (PTES)
  * [NIST](https://csrc.nist.gov/publications/detail/sp/800-115/final) (US National Institute of Standards and Technology)
  * ...

## Lab

* **Testing machine**: system used by the pentester to attack other machines
  * don't use it for anything personal
  * should be hardened to avoid being attacked itself
  * scrub results between tests (avoid confusion, leave no trace)
* **Target machine**: machine being attacked/evaluated

## The pentesting process

* three phases
  1. preparation
     * perform the necessary paperwork
     * clearly define the rules of engagement
  2. testing: conduct the test
  3. conclusion
     * detailed analysis of results
     * write the report

### Rules of engagement

* must be defined in advance
* clear outline of what's allowed and what's not
* emergency contact information
* safe means of communication
* possible briefing calls
* agreement on the period of engagement
* whether sysadmins are informed or not
* how much info is shared
  * **black box**: no info shared
    * more closely mimics a true attack
    * takes longer
  * **grey box**: some info, e.g. the password of a non-privileged user
    * balance between efficiency and realism
  * **white box**: testers get everything
* what data can be viewed
  * remove personal data from sniffed packets
  * sometimes samples are allowed to prove the testers were there
* should be signed off before anything is done

### Scoping

* determine what should be focused on
  * ask the organisation what their biggest weaknesses are
* avoid scope creep
* ensure all targeted systems are allowed within scope
  * third-party systems should give *written* permission
  * large cloud vendors usually have pen testing rules in place
* ideally run the test on a staging environment (don't break prod)
* checking inside vulnerabilities
  * team travels onsite
  * team gets VPN or SSH access
* scope must specify the level of testing allowed
  * ping sweep
  * port scanning
  * full-on `nmap -A`
  * physical penetration attempts
  * social engineering
  * DoS checks
  * use of dangerous exploits

### Reporting and inventory management

* the report is important
  * only thing the client will read
  * should clearly define what the problem is
  * write it as you go
  * convince the client the problem is real and in the room with them
  * rank vulnerabilities according to severity
* executive summary
  * statement of confidentiality: how to treat this document
  * engagement contacts: who was involved
  * summary for management to read
    * most important conclusions
    * what should be fixed
    * what's been done
  * pentest assessment summary: overview of the most important findings
  * detailed walkthrough: technical overview
* technical
  * deep technical findings
  * big nerd talk for the nerds
* remediation summary
  * short, medium and long-term recommendations
  * summarize project, scope and security state of the target
* appendices
  * output of commands
  * data dumps
  * password reviews

## Reconnaissance

* collect as much information as possible before launching any attack
* **Passive**: gather info without direct interaction with the target
  * via social media
  * corporate website
  * search engines
  * ...
* **Active**: interact directly with the target system
  * scanning
  * enumeration
  * higher risk of detection
* social engineering
  * important role in information gathering
  * life cycle
    1. investigate
       * gather information about targets
       * find details about them (job, personal interests...)
    2. hook
       * create a plausible scenario to engage with the target
       * establish trust
    3. play
       * manipulate the target into providing the desired information
       * trick the target into revealing sensitive information
    4. exit
       * cover tracks to avoid detection
* document metadata analysis
  * gather information from e.g. PDF metadata tags
  * reveals what software they use and who works there
  * lots of documents are (accidentally) publicly available
  * use crawlers and search engines
* domain info
  * WHOIS ([Belgium](https://www.dnsbelgium.be/))
    * query registries about domains
    * can contain contact information of sysadmins
    * lists domain servers
    * not as useful now due to privacy laws
  * Regional Internet Registries (RIRs) offer databases for IP -> domain lookup
* subdomain discovery
  * enumerate subdomains used by the target
  * usually stored on the target's DNS servers
  * useful tools
    * [knock](https://github.com/guelfoweb/knock/): brute-forcing tool
    * [sublist3r](https://github.com/aboul3la/Sublist3r): uses search engines for domain names
    * [SubBrute](https://github.com/TheRook/subbrute): uses open resolvers as proxies for DNS queries
* search engines can provide useful info
  * search for employees or company websites
  * look at job offers
  * ...
  * use fancy lookup syntax
* DNS
  * translates domain names to IP addresses
  * **NS**: nameserver
  * **A**: address
  * **MX**: mail server address for the domain
  * **TXT**: plain text strings for the domain
  * **CNAME**: aliases for domain names
  * **SOA**: indicates that the server is authoritative for the DNS zone
  * **PTR**: pointer for inverse lookup (IP -> domain)
  * zone transfer: mechanism used to replicate DNS DB info to another server
    * allows secondary servers to sync with the primary one
    * can be exploited to receive the full information from the DNS server
    * should be disabled on a properly configured server
  * useful tools
    * recon-ng framework
      * open reconnaissance framework
      * does a lot automatically
      * the perfect automated stalker tool
      * can detect antivirus by checking which DNS entries are cached in domain servers
    * spiderfoot framework
      * OSINT automation tool
    * OWASP AMASS framework
* GitHub
  * filled with leaked secrets
  * trufflehog and git-all-secrets automatically scan GitHub for leaks
* [have i been pwned](https://haveibeenpwned.com/)
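Added example for the document metadata point above (not part of these notes): a minimal extractor for the Info dictionary of a PDF, the kind of pre-publication check that shows which author names and software versions a document gives away. The PDF bytes are constructed for this example; the parser handles only classic literal-string Info entries, not XMP or hex strings.

```python
import re

# Constructed minimal PDF (not a real document): just enough structure to
# carry an Info dictionary like the ones office and print tools write.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Title (Q3 network diagram)
   /Author (j.doe)
   /Creator (Microsoft Word 2016)
   /Producer (Acrobat Distiller 11.0 \\(Windows\\))
   /CreationDate (D:20240115093000+01'00') >>
endobj
trailer
<< /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

INFO_REF = re.compile(rb"/Info\s+(\d+)\s+0\s+R")          # trailer -> Info object
ENTRY = re.compile(rb"/(\w+)\s*\(((?:\\.|[^\\)])*)\)")     # /Key (literal string)

def extract_info(pdf):
    """Return the Info dictionary's literal-string entries as a str->str dict.
    Hex strings, object streams and XMP metadata are out of scope here."""
    ref = INFO_REF.search(pdf)
    if not ref:
        return {}
    obj = re.search(rb"(?s)\b" + ref.group(1) + rb"\s+0\s+obj(.*?)endobj", pdf)
    if not obj:
        return {}
    entries = {}
    for key, raw in ENTRY.findall(obj.group(1)):
        value = re.sub(rb"\\(.)", rb"\1", raw)  # drop backslash escapes
        entries[key.decode()] = value.decode("latin-1")
    return entries

# Fields that tell an outsider who produced the file and with what software.
IDENTIFYING = ("Author", "Creator", "Producer", "CreationDate", "ModDate")

def identifying_fields(info):
    """Subset of an Info dict worth reviewing before a document is published."""
    return {k: v for k, v in info.items() if k in IDENTIFYING}
```

Call `identifying_fields(extract_info(open(path, "rb").read()))` on a real file to see what it leaks.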
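Added example for the subdomain discovery and zone transfer points above (not code from these notes): a review script a defender can run over the output of a zone transfer from their own nameserver, to see what an open AXFR would hand out, namely every hostname in the zone and any internal addresses the public zone leaks. The zone contents, names and addresses are constructed.

```python
import ipaddress
import re

# Constructed sample: what a zone transfer (AXFR) of a misconfigured public
# nameserver might return, in BIND zone-file syntax. Everything is made up.
SAMPLE_AXFR = """\
example.test.          3600 IN SOA   ns1.example.test. hostmaster.example.test. 2024010101 7200 900 1209600 3600
example.test.          3600 IN NS    ns1.example.test.
example.test.          3600 IN NS    ns2.example.test.
example.test.          3600 IN MX    10 mail.example.test.
example.test.          3600 IN TXT   "v=spf1 mx -all"
ns1.example.test.      3600 IN A     203.0.113.10
ns2.example.test.      3600 IN A     203.0.113.11
www.example.test.      3600 IN A     203.0.113.20
mail.example.test.     3600 IN A     203.0.113.25
vpn.example.test.      3600 IN A     203.0.113.30
intranet.example.test. 3600 IN A     10.0.5.15
git.example.test.      3600 IN CNAME intranet.example.test.
"""

# RFC 1918 and loopback space: addresses that have no business in a public zone.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")  # owner TTL IN type rdata

def parse_zone(text):
    """Return (owner, rtype, rdata) for every resource record line."""
    records = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            records.append((m.group(1).rstrip(".").lower(), m.group(2), m.group(3)))
    return records

def subdomains(records, zone):
    """Hostnames below `zone` that the transfer reveals (subdomain discovery)."""
    return sorted({o for o, _, _ in records if o.endswith("." + zone)})

def private_ip_leaks(records):
    """A records that map a public name to an internal address."""
    leaks = []
    for owner, rtype, rdata in records:
        if rtype == "A" and any(ipaddress.ip_address(rdata) in n for n in INTERNAL):
            leaks.append((owner, rdata))
    return leaks
```

With `dig @ns1.example.test example.test AXFR > zone.txt` the same functions can be pointed at a real transfer; a refused transfer (the correct state) simply yields no records.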
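Added example for the GitHub leaked-secrets point above (not code from these notes and not trufflehog's own logic): a small pre-commit scanner combining the two strategies such tools use, known credential formats and high-entropy strings. The file contents and all key values are constructed; the AWS key id pattern is the public `AKIA` + 16 uppercase/digit shape.

```python
import math
import re

# Constructed repository snippet: the kind of settings file that ends up on
# GitHub with credentials still inside. All values are made up.
SAMPLE_FILE = """\
# settings.py
DEBUG = True
DB_HOST = "db.internal.example.test"
AWS_ACCESS_KEY_ID = "AKIAEXAMPLE0000TEST1"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
API_TOKEN = "changeme"
"""

# Strategy 1: credential formats with a fixed, recognisable shape.
PATTERNS = {"aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b")}
# Strategy 2: any long base64-ish token whose entropy looks like key material.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")

def shannon_entropy(s):
    """Bits of entropy per character of s (English words land around 3, keys above 4)."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan(text, entropy_threshold=4.0):
    """Return (line_no, reason, token) for each likely secret in text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((no, name, m.group(0)))
        for m in TOKEN_RE.finditer(line):
            tok = m.group(0)
            # skip tokens already reported by a pattern and plain numbers
            if any(f[2] == tok for f in findings) or tok.isdigit():
                continue
            if shannon_entropy(tok) >= entropy_threshold:
                findings.append((no, "high_entropy", tok))
    return findings
```

Identifiers such as `AWS_SECRET_ACCESS_KEY` are long enough to match `TOKEN_RE` but score about 3 bits per character, so the entropy threshold keeps them out of the findings.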