net-sec-samenvatting/02_planning.md

Planning, Scoping, Recon and OSINT

  • Threat: agent or actor that can cause harm
  • Vulnerability: flaw that can be exploited to cause harm
  • Risk: overlap between threat and vulnerability
  • Exploit: code or technique that a threat uses to take advantage of a vulnerability
  • Hacking: manipulate technology to make it do something it's not designed to do
    • Ethical hacking (white hat): hacking with the permission of the target
    • Penetration testing: ethical hacking with the goal of finding and exploiting security vulnerabilities in target environment and reporting them
      • modelling techniques used by real-world attackers
      • determine risk to company
  • Security audit
    • testing against a rigorous set of standards
    • detailed checklists
    • more in-depth than pen test

Types of penetration tests

  • Network services test
    • find target systems on network
    • look for openings in OS or running network services and exploit them
    • over the internet or from within breached network
  • Client-side software test
    • look for vulnerabilities in client-side software (e.g. browsers)
  • Web application test
    • look for vulnerabilities in web-based applications deployed in the target environment
  • Social engineering / phishing test
    • attempt to trick user into revealing sensitive information
    • using phishing mails to make users click malicious links
  • Wireless security test
    • find unauthorized wireless access points or authorized ones with security weaknesses
  • Physical security test
    • look for flaws in physical security practices
    • literally try to break in
    • dumpster diving
  • Stolen equipment test
    • "obtain" (steal) a piece of equipment (e.g. laptop) and analyse it for sensitive info
  • Cryptanalysis attack
    • break or bypass encryption on local or intercepted data
  • Product security test
    • look for security flaws in software products that can be installed in tester's lab
  • Remote war dial test (obsolete)
    • attempt to log into discovered modems

Phases of an attack

  1. Reconnaissance: OSINT, social engineering, dumpster diving...
  2. Scanning: finding openings in the systems, listening ports...
  3. Exploitation / gaining access: attempt to access and take control of target devices
  • Malicious actors go further
    • install backdoors and rootkits
    • cover tracks with covert channels, log editing...
  • Public/free testing methodologies
    • Open Source Security Testing Methodology Manual (OSSTMM)
    • Penetration Testing Execution Standard (PTES)
    • NIST (US National Institute of Standards and Technology)
    • ...

Lab

  • Testing machine: system used by pentester to attack other machines
    • don't use for anything personal
    • should be hardened to avoid being attacked themselves
    • scrub results between tests (avoid confusion, leave no trace)
  • Target machine: machine being attacked/evaluated

The pentesting process

  • three phases
    1. preparation
      • perform necessary paperwork
      • clearly define rules of engagement
    2. testing: conduct the test
    3. conclusion
      • detailed analysis of results
      • write report

rules of engagement

  • must be defined in advance
  • clear outline of what's allowed and what's not
  • emergency contact information
  • safe means of communication
  • possible briefing calls
  • agreement on period of engagement
  • whether sysadmins are informed or not
  • how much info is shared
    • black box: no info shared
      • more closely mimics a true attack
      • takes longer
    • grey box: some info, e.g. password for non-privileged user
      • balance between efficiency and realism
    • white box: testers get everything
  • what data can be viewed
    • remove personal data from sniffed packets
    • sometimes samples are allowed to prove they were there
  • should be signed off before anything is done

Scoping

  • determine what should be focused on
    • ask organisation what their biggest weaknesses are
    • avoid scope creep
  • ensure all targeted systems are allowed within scope
    • third-party systems should give written permission
    • large cloud vendors usually have pen testing rules in place
  • ideally run test on staging environment (don't break prod)
  • checking for vulnerabilities from the inside
    • team travels onsite
    • team gets VPN or SSH access
  • scope must specify level of testing allowed
    • ping sweep
    • port scanning
    • full `nmap -A` scan
    • physical penetration attempts
    • social engineering
    • DoS checks
    • use of dangerous exploits

Reporting and inventory management

  • report is important
    • only thing the client will read
    • should clearly define what's the problem
    • write it as you go
    • convince client the problem is real and in the room with them
    • rank vulnerabilities according to severity
  • executive summary
    • statement of confidentiality: how to treat this document
    • engagement contacts: who was involved
    • summary for management to read
      • most important conclusions
      • what should be fixed
      • what's been done
  • pentest assessment summary: overview of most important findings
  • detailed walkthrough: technical overview
  • technical
    • deep technical findings
    • big nerd talk for the nerds
  • remediation summary
    • short, medium and long-term recommendations
    • summarize project, scope and security state of target
  • appendices
    • output of commands
    • data dumps
    • password reviews

Reconnaissance

  • collect as much information as possible before launching any attack
  • Passive: gather info without direct interaction with target
    • via social media
    • corporate website
    • search engines
    • ...
  • Active: interact directly with target system
    • scanning
    • enumeration
    • higher risk of detection
  • social engineering
    • important role in information gathering
    • life cycle
      1. investigate
        • gather information about targets
        • find details about them (job, personal interests...)
      2. hook
        • create plausible scenario to engage with target
        • establish trust
      3. play
        • manipulate target into providing desired information
        • trick target into revealing sensitive information
      4. exit
        • cover tracks to avoid detection
  • document metadata analysis
    • gather information from e.g. pdf metadata tags
    • reveals what software they use, who works there
    • lots of documents are (accidentally) publicly available
    • use crawlers and search engines
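A worked example of the metadata point above, added here and not part of these notes: a small reader for the Info dictionary of a PDF (the object the trailer's `/Info` entry points at), followed by a review of which fields should be scrubbed before a document goes public. The sample PDF, its author name, software names and date are constructed; in practice the same review is run over the documents a crawler or search engine turns up for the organisation.

```python
import re

# Constructed sample: a minimal PDF whose Info dictionary carries the kind of
# tags an organisation typically leaks. Names, software and dates are made up.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Title (Q3 network diagram)
   /Author (j.doe)
   /Creator (Microsoft Word 2016)
   /Producer (Acrobat Distiller 11.0 \\(Windows\\))
   /CreationDate (D:20240115093000+01'00') >>
endobj
trailer
<< /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# "/Info 3 0 R" in the trailer points at the document information dictionary.
INFO_REF = re.compile(rb"/Info\s+(\d+)\s+(\d+)\s+R")
# "/Key (literal string)" pairs; a PDF literal string may contain \( \) \\ escapes.
PAIR = re.compile(rb"/(\w+)\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)

# Metadata keys worth reviewing before a document is published, and why.
SENSITIVE = {
    "Author": "names a person or account",
    "Creator": "names the authoring software and version",
    "Producer": "names the converter software and version",
    "CreationDate": "reveals when the document was produced",
}


def find_object(pdf: bytes, num: int, gen: int) -> bytes:
    """Return the body of indirect object 'num gen obj ... endobj' (b'' if absent)."""
    pat = re.compile(rb"\s%d\s+%d\s+obj(.*?)endobj" % (num, gen), re.DOTALL)
    m = pat.search(pdf)
    return m.group(1) if m else b""


def extract_info(pdf: bytes) -> dict:
    """Extract the Info dictionary as {key: value} with string escapes resolved."""
    ref = INFO_REF.search(pdf)
    if not ref:
        return {}
    body = find_object(pdf, int(ref.group(1)), int(ref.group(2)))
    fields = {}
    for key, raw in PAIR.findall(body):
        value = re.sub(rb"\\([()\\])", rb"\1", raw)  # unescape \( \) and \\
        fields[key.decode("ascii")] = value.decode("latin-1")
    return fields


def review_document(pdf: bytes) -> list:
    """List the metadata fields that should be scrubbed before publication."""
    info = extract_info(pdf)
    return [f"{key} = {info[key]!r}: {why}" for key, why in SENSITIVE.items() if key in info]


if __name__ == "__main__":
    for line in review_document(SAMPLE_PDF):
        print(line)
```

The parser only handles literal strings in the classic (uncompressed) Info dictionary, which is enough to show what the tags expose; real documents may additionally carry XMP metadata in a stream, so a production scrub should clear both.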
  • domain info
    • WHOIS (Belgium)
    • query registries about domains
    • can contain contact information of sysadmins
    • list domain servers
    • not as useful now due to privacy laws
    • Regional Internet Registries (RIRs) offer databases for IP -> domain lookup
  • subdomain discovery
    • enumerate subdomains used by target
    • usually stored on the target's DNS servers
    • useful tools
      • knock: brute-forcing tool
      • sublist3r: uses search engines for domain names
      • SubBrute: uses open resolvers as proxies for dns queries
  • search engines can provide useful info
    • search for employees or company websites
    • look at job offers
    • ...
    • use advanced search operators
  • DNS
    • translates domain names to IP addresses
    • NS: nameserver
    • A: address
    • MX: mail server address for domain
    • TXT: plain text strings for domain
    • CNAME: aliases for domain names
    • SOA: indicates that server is authoritative for DNS zone
    • PTR: pointer for inverse lookup (IP -> domain)
    • zone transfer: mechanism used to replicate a DNS zone database to another server
      • allows secondary servers to sync with the primary one
      • can be abused to retrieve the full zone contents from the DNS server
      • should be disabled (or restricted to the secondaries) on a properly configured server
  • useful tools
    • recon-ng framework
      • open reconnaissance framework
      • does a lot automatically
      • the perfect automated stalker tool
      • can infer which antivirus product is in use by checking which vendor DNS entries are cached on the target's DNS servers (cache snooping)
    • spiderfoot framework
      • OSINT automation tool
    • OWASP AMASS framework
    • GitHub
      • filled with leaked secrets
      • trufflehog and git-all-secrets automatically scan GitHub for leaks
    • have i been pwned
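The GitHub point above is worth seeing in code, so here is an added example that is not part of these notes and is not trufflehog or git-all-secrets: the two detection strategies those scanners combine, fixed-format patterns for well-known credential types and a Shannon-entropy check on generic `password=`/`secret=`/`token=` assignments, run over a handful of constructed lines. The AWS values are the placeholder keys from AWS's own documentation and the other secrets are made up; the `redact` helper keeps the report itself from re-leaking what it found.

```python
import math
import re
from collections import Counter

# Constructed input: lines as they might appear in a committed config or .env file.
# The AWS values are the documented placeholders from AWS docs; the rest are made up.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE',
    'AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
    'password = "xxxxxxxxxxxxxxxxxxxx"',          # long but low entropy: a dummy value
    'token = "${API_TOKEN}"',                      # template placeholder, not a secret
    '-----BEGIN RSA PRIVATE KEY-----',
    'github_token: ghp_0123456789abcdefghijklmnopqrstuvwxyz',
    "api_key = 'f3a9c2e1b7d4085e6a1c9f0b2d3e4a5b'",
]

# Fixed-format credentials: AWS access key IDs start with AKIA, GitHub classic
# personal access tokens with ghp_, PEM private keys with a BEGIN header.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic "keyword = value" assignments; the value is judged by entropy afterwards.
GENERIC = re.compile(
    r"(?i)(password|passwd|secret|token|api[_-]?key)[A-Za-z_]*\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score high, dummy values low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(lines: list, min_entropy: float = 3.5) -> list:
    """Return (line_number, finding_type, value) for every suspected secret."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        seen = set()
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((lineno, name, m.group(0)))
                seen.add(m.group(0))
        for m in GENERIC.finditer(line):
            value = m.group(2)
            # skip values already reported by a specific pattern or too regular to be a key
            if value in seen or shannon_entropy(value) < min_entropy:
                continue
            findings.append((lineno, "high_entropy_" + m.group(1).lower(), value))
    return findings


def redact(value: str) -> str:
    """Keep a short prefix so the finding is recognisable without repeating the secret."""
    return value[:4] + "*" * (len(value) - 4)


if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE_LINES):
        print(f"line {lineno}: {kind}: {redact(value)}")
```

Running the same `scan` as a pre-commit hook or over repository history is the defensive counterpart of the GitHub point: the placeholder and the dummy password are not reported, while the two AWS values, the private key header, the GitHub token and the hex API key are, which is the trade-off an entropy threshold buys.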