# Planning, Scoping, Recon and OSINT

* **Threat**: agent or actor that can cause harm
* **Vulnerability**: flaw that can be exploited to cause harm
* **Risk**: the likelihood and impact of a threat exploiting a vulnerability; without a threat or without a vulnerability there is no risk
* **Exploit**: code or technique that a threat uses to take advantage of a vulnerability
* **Hacking**: manipulating technology to make it do something it was not designed to do
* **Ethical hacking** (white hat): hacking with the permission of the target
* **Penetration testing**: ethical hacking with the goal of finding and exploiting security vulnerabilities in the target environment and reporting them
  * models the techniques used by real-world attackers
  * determines the risk to the company
* **Security audit**
  * testing against a rigorous set of standards
  * detailed checklists
  * more exhaustive than a pen test (checks every control on the list), but does not prove that anything is actually exploitable

## Types of penetration tests

* Network services test
  * find target systems on the network
  * look for openings in the OS or running network services and exploit them
  * over the internet or from within an already breached network
* Client-side software test
  * look for vulnerabilities in client-side software (e.g. browsers, document viewers, mail clients)
* Web application test
  * look for vulnerabilities in web-based applications deployed in the target environment
* Social engineering / phishing test
  * attempt to trick users into revealing sensitive information
  * use phishing mails to make users click malicious links or open attachments
* Wireless security test
  * find unauthorized wireless access points, or authorized ones with security weaknesses
* Physical security test
  * look for flaws in physical security practices
  * literally try to break in
  * dumpster diving
* Stolen equipment test
  * "obtain" (steal) a piece of equipment (e.g. a laptop) and analyse it for sensitive info
* Cryptanalysis attack
  * break or bypass encryption on local or intercepted data
* Product security test
  * look for security flaws in software products that can be installed in the tester's lab
* Remote war dial test (obsolete)
  * dial through phone-number ranges looking for modems, then attempt to log into the ones found

## Phases of an attack

1. Reconnaissance: OSINT, social engineering, dumpster diving...
2. Scanning: finding openings in the systems, listening ports...
3. Exploitation / gaining access: attempt to access and take control of target devices

* Malicious actors go further
  * install backdoors and rootkits to keep their access
  * cover tracks with covert channels, log editing...
* Public/free testing methodologies
  * Open Source Security Testing Methodology Manual ([OSSTMM](https://www.isecom.org/research.html))
  * Penetration Testing Execution Standard ([PTES](http://www.pentest-standard.org/))
  * [NIST SP 800-115](https://csrc.nist.gov/publications/detail/sp/800-115/final), Technical Guide to Information Security Testing and Assessment (US National Institute of Standards and Technology)
  * ...

## Lab

* **Testing machine**: system used by the pentester to attack other machines
  * don't use it for anything personal
  * should be hardened: it holds client data and exploit tooling, so it is a target itself
  * scrub results between tests (avoid confusion, and never carry one client's data into the next engagement)
* **Target machine**: machine being attacked/evaluated

## The pentesting process

* three phases
  1. preparation
     * perform the necessary paperwork (contract, authorisation, liability)
     * clearly define the rules of engagement
  2. testing: conduct the test
  3. conclusion
     * detailed analysis of the results
     * write the report

### Rules of engagement

* must be defined in advance
* clear outline of what's allowed and what's not
* emergency contact information (who to call when something breaks or the test sets off an incident)
* safe means of communication (findings and credentials go over an encrypted channel, not plain e-mail)
* possible briefing calls
* agreement on the period of engagement (dates and permitted hours)
* whether sysadmins / the defenders are informed or not
* how much info is shared
  * **black box**: no info shared
    * more closely mimics a true attack
    * takes longer
  * **grey box**: some info, e.g. the password of a non-privileged user
    * balance between efficiency and realism
  * **white box**: testers get everything (source code, configuration, credentials)
* what data can be viewed
  * remove personal data from sniffed packets
  * sometimes samples are allowed to prove they were there
* should be signed off before anything is done

### Scoping

* determine what should be focused on
  * ask the organisation what they think their biggest weaknesses are
* avoid scope creep
* ensure all targeted systems are allowed within scope
  * third-party systems (hosting providers, SaaS) need *written* permission from their owner
  * large cloud vendors usually have pen testing rules in place stating what may be tested on their platform without asking
  * ideally run the test on a staging environment (don't break prod)
* checking inside vulnerabilities
  * team travels onsite
  * team gets VPN or SSH access
* scope must specify the level of testing allowed
  * ping sweep
  * port scanning
  * full-on `nmap -A` (OS and version detection, default scripts, traceroute)
  * physical penetration attempts
  * social engineering
  * DoS checks
  * use of dangerous exploits (ones that may crash the target)
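
Checking every target against the agreed scope is something to automate before a scanner is pointed at anything. The script below is an added example (not from the original notes and not from any tool named on this page): it takes the authorised ranges and the exclusions from a rules-of-engagement document, here as constructed sample values, and splits a proposed target list into approved and rejected entries. Two design choices are my own: a range that straddles an exclusion is rejected rather than trimmed, and hostnames are refused until they have been resolved and re-checked as addresses.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample scope, in the shape a signed rules-of-engagement document lists it:
# address ranges the client has authorised, and hosts/ranges explicitly carved out
# (e.g. a production database segment, a third-party-hosted box without written permission).
IN_SCOPE = ["10.10.0.0/16", "203.0.113.0/24"]
EXCLUDED = ["10.10.5.0/24", "203.0.113.7"]


def build_scope(allowed: List[str], excluded: List[str]):
    """Parse the scope strings once; strict=False accepts host bits set in a CIDR."""
    return ([ipaddress.ip_network(a, strict=False) for a in allowed],
            [ipaddress.ip_network(e, strict=False) for e in excluded])


def is_in_scope(target: str, allowed_nets, excluded_nets) -> bool:
    """A target (single IP or CIDR) is testable only if it lies entirely inside an
    authorised range and touches no exclusion. A range that straddles an exclusion
    is rejected outright rather than silently trimmed."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        # Hostnames are not accepted here: resolve them first and re-check the
        # resulting IPs, because a name can point anywhere (CDN, third party).
        return False

    def same_family(a, b):
        return a.version == b.version     # ipaddress refuses v4/v6 comparisons

    if any(same_family(net, ex) and net.overlaps(ex) for ex in excluded_nets):
        return False
    return any(same_family(net, al) and net.subnet_of(al) for al in allowed_nets)


def filter_targets(targets: List[str], allowed=IN_SCOPE,
                   excluded=EXCLUDED) -> Tuple[List[str], List[str]]:
    """Split a proposed target list into (approved, rejected) before a single packet is sent."""
    allowed_nets, excluded_nets = build_scope(allowed, excluded)
    approved, rejected = [], []
    for t in targets:
        (approved if is_in_scope(t, allowed_nets, excluded_nets) else rejected).append(t)
    return approved, rejected


if __name__ == "__main__":
    proposed = ["10.10.1.20", "203.0.113.128/25", "10.10.5.9", "203.0.113.0/26",
                "198.51.100.1", "10.10.0.0/15", "not-an-ip"]
    ok, bad = filter_targets(proposed)
    print("approved:", ok)   # feed these to the scanner, e.g. nmap -sn -iL approved.txt
    print("rejected:", bad)  # do not touch; ask the client if any of them was expected in scope
```

The rejected list is worth sending back to the client: a target the tester expected to be in scope but that fails the check usually means the scope document and the inventory disagree, and that is cheaper to settle before the test than after an unplanned scan of someone else's system.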

### Reporting and inventory management

* the report is important
  * it is the only thing the client will read
  * should clearly define what the problem is
  * write it as you go
  * convince the client the problem is real and in the room with them
  * rank vulnerabilities according to severity
* executive summary
  * statement of confidentiality: how to treat this document
  * engagement contacts: who was involved
  * summary for management to read
    * most important conclusions
    * what should be fixed
    * what's been done
  * pentest assessment summary: overview of the most important findings
  * detailed walkthrough: technical overview
* technical section
  * deep technical findings
  * big nerd talk for the nerds: enough detail (steps, requests, screenshots) to reproduce each finding
* remediation summary
  * short, medium and long-term recommendations
  * summarise the project, the scope and the security state of the target
* appendices
  * output of commands
  * data dumps
  * password reviews

## Reconnaissance

* collect as much information as possible before launching any attack
* **Passive**: gather info without direct interaction with the target
  * via social media
  * corporate website
  * search engines
  * ...
* **Active**: interact directly with target systems
  * scanning
  * enumeration
  * higher risk of detection

### Social engineering

* important role in information gathering
* life cycle
  1. investigate
     * gather information about targets
     * find details about them (job, personal interests...)
  2. hook
     * create a plausible scenario (pretext) to engage with the target
     * establish trust
  3. play
     * manipulate the target into revealing sensitive information or performing an action (clicking a link, resetting a password)
  4. exit
     * close the interaction without raising suspicion and cover tracks to avoid detection

### Document metadata analysis

* gather information from e.g. PDF or Office metadata tags (author, creator application, producer, creation and modification dates)
* reveals what software (and versions) they use and who works there (usernames, naming conventions)
* lots of documents are (accidentally) publicly available
  * use crawlers and search engines to collect them
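
To show what metadata extraction actually pulls out of a document, here is an added Python example (not part of the original notes and not the code of any tool mentioned on this page). It builds a minimal PDF in memory with a constructed Info dictionary and reads back the Title, Author, Creator and Producer fields, handling both literal `(...)` strings and UTF-16 hex `<...>` strings. Real files are usually processed with a tool such as exiftool; this scanner ignores compressed object streams and XMP, so it is for understanding the technique rather than for production use.

```python
import re
from typing import Dict, List

# Constructed sample: a minimal PDF skeleton whose trailer points at an Info dictionary.
# Real files carry the same structure (often with a compressed object stream or XMP XML
# alongside, which this simple scanner does not handle). The Producer entry is written as a
# UTF-16BE hex string, the other form PDF uses for text.
_PRODUCER_HEX = (b"\xfe\xff" + "Acrobat Distiller".encode("utf-16-be")).hex().upper().encode()
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Title (Q3 network diagram \\(draft\\))\n"
    b"   /Author (j.doe)\n"
    b"   /Creator (Microsoft Word 2016)\n"
    b"   /Producer <" + _PRODUCER_HEX + b">\n"
    b"   /CreationDate (D:20230914101500+02'00')\n>>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)

_INFO_REF = re.compile(rb"/Info\s+(\d+)\s+(\d+)\s+R")
# /Key followed by a literal string (...) or a hex string <...>
_ENTRY = re.compile(rb"/([A-Za-z]+)\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)")


def _decode_pdf_string(raw: bytes) -> str:
    if raw.startswith(b"("):
        body = re.sub(rb"\\([()\\])", rb"\1", raw[1:-1])  # unescape \( \) \\
        return body.decode("latin-1")
    data = bytes.fromhex(raw[1:-1].decode("ascii"))
    if data.startswith(b"\xfe\xff"):                     # UTF-16BE with BOM
        return data[2:].decode("utf-16-be")
    return data.decode("latin-1")


def extract_info(pdf: bytes) -> Dict[str, str]:
    """Return the Info dictionary (Title, Author, Creator, Producer, dates...) of a PDF."""
    refs = list(_INFO_REF.finditer(pdf))
    if not refs:
        return {}
    num, gen = refs[-1].groups()        # the last trailer wins after incremental updates
    header = re.search(rb"(?m)^" + num + rb"\s+" + gen + rb"\s+obj\b", pdf)
    if not header:
        return {}
    body = pdf[header.end():pdf.find(b"endobj", header.end())]
    return {k.decode("ascii"): _decode_pdf_string(v) for k, v in _ENTRY.findall(body)}


def osint_summary(meta: Dict[str, str]) -> Dict[str, List[str]]:
    """Pull out what a recon analyst wants: who made the document and with which software."""
    return {
        "people":   [meta[k] for k in ("Author",) if k in meta],
        "software": [meta[k] for k in ("Creator", "Producer") if k in meta],
        "dates":    [meta[k] for k in ("CreationDate", "ModDate") if k in meta],
    }


if __name__ == "__main__":
    info = extract_info(SAMPLE_PDF)
    for key, value in info.items():
        print(f"{key:14} {value}")
    print(osint_summary(info))
```

Run over a few hundred harvested documents, the `software` and `people` lists give a picture of the desktop software in use (and its age) and of the account naming convention, which feeds straight into the phishing and password-spraying phases.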

### Domain info

* WHOIS ([Belgium: DNS Belgium](https://www.dnsbelgium.be/))
  * query registries about domains
  * can contain contact information of sysadmins
  * lists the domain's nameservers
  * not as useful now: since the GDPR most registrant contact details are redacted
* Regional Internet Registries (RIRs, e.g. RIPE NCC for Europe) offer databases for IP -> owner lookup: which organisation holds an address block, and its technical and abuse contacts

### Subdomain discovery

* enumerate the subdomains used by the target
* the names live in the target's DNS zone, but the zone itself is normally not readable, so names are guessed or harvested from third parties
* useful tools
  * [knock](https://github.com/guelfoweb/knock/): wordlist brute-forcing tool
  * [sublist3r](https://github.com/aboul3la/Sublist3r): uses search engines to find domain names
  * [SubBrute](https://github.com/TheRook/subbrute): uses open resolvers as proxies for DNS queries, so the target's nameservers don't see the tester's IP
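
Added Python example (not from the notes and not code from knock, sublist3r or SubBrute) of the brute-forcing approach knock uses, with the one check every brute-forcer needs: wildcard detection. The resolver is injected so the script runs offline against a constructed fake zone (`example.com` with a wildcard record, `example.org` without); `system_resolver` is the real one for live use. All names and addresses are made up.

```python
import socket
import uuid
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]   # name -> IPv4 string, or None for NXDOMAIN

# Constructed wordlist; real runs use lists of thousands of common hostnames.
WORDLIST = ["www", "mail", "vpn", "dev", "ftp", "intranet", "git"]


def system_resolver(name: str) -> Optional[str]:
    """Real resolver for live use (not exercised offline): None means the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def detect_wildcard(domain: str, resolve: Resolver) -> Optional[str]:
    """Ask for a name that cannot exist. If it still resolves, the zone has a wildcard
    (*.domain) and every guessed name will look valid; return the wildcard's address."""
    probe = f"{uuid.uuid4().hex[:12]}.{domain}"
    return resolve(probe)


def brute_force(domain: str, wordlist: List[str], resolve: Resolver) -> Dict[str, str]:
    """Guess <word>.<domain> for each word, keeping only names that really resolve
    and dropping answers that merely echo the wildcard address."""
    wildcard_ip = detect_wildcard(domain, resolve)
    found: Dict[str, str] = {}
    for word in wordlist:
        fqdn = f"{word}.{domain}"
        ip = resolve(fqdn)
        if ip is None or ip == wildcard_ip:
            continue
        found[fqdn] = ip
    return found


# Constructed fake zones so the example runs offline. example.com has a wildcard record
# pointing at 203.0.113.9; example.org has no wildcard.
_FAKE_RECORDS = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.20",
    "vpn.example.com": "203.0.113.30",
    "dev.example.com": "203.0.113.9",    # real host that shares the wildcard address
    "www.example.org": "198.51.100.5",
}


def fake_resolver(name: str) -> Optional[str]:
    if name in _FAKE_RECORDS:
        return _FAKE_RECORDS[name]
    if name.endswith(".example.com"):
        return "203.0.113.9"                # wildcard catch-all
    return None


if __name__ == "__main__":
    print(brute_force("example.com", WORDLIST, fake_resolver))
    print(brute_force("example.org", WORDLIST, fake_resolver))
```

Note the blind spot the fake zone is built to show: `dev.example.com` is a real host, but because it answers with the same address as the wildcard it is filtered out along with the junk. Filtering on the address alone is the simplest approach; comparing the full answer (record type, TTL, CNAME chain) or sending several probes narrows the gap but cannot close it completely, which is why brute-forcing is combined with search-engine and certificate-transparency sources.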

### Search engines

* can provide useful info
  * search for employees or company websites
  * look at job offers (they list the technologies in use)
  * ...
* use advanced search operators (`site:`, `filetype:`, `inurl:`, ...), also known as Google dorks

### DNS

* translates domain names to IP addresses
* record types
  * **NS**: nameserver for the zone
  * **A**: IPv4 address (**AAAA** for IPv6)
  * **MX**: mail server address for the domain
  * **TXT**: plain text strings for the domain (SPF, DKIM, domain-verification tokens: they reveal which SaaS providers are in use)
  * **CNAME**: alias for another domain name
  * **SOA**: start of authority; marks the top of a zone and names its primary nameserver and admin mailbox
  * **PTR**: pointer for inverse lookup (IP -> domain)
* zone transfer (AXFR): mechanism used to replicate the DNS database to other servers
  * allows secondary servers to sync with the primary one
  * a server that answers AXFR requests from anyone hands out the full zone in one query
  * a properly configured server restricts transfers to the IP addresses of its secondaries
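
What a permitted zone transfer hands over, as an added Python example (not from the original notes). The live step is `dig @ns1.example.com example.com AXFR` or, with dnspython, `dns.zone.from_xfr(dns.query.xfr(ns_ip, "example.com"))`; here the transfer output is a constructed sample in dig's one-record-per-line format, and the parser groups it by record type and pulls out the facts a tester acts on next: nameservers, mail hosts, aliases, the admin mailbox from the SOA, and private (RFC 1918) addresses leaked into a public zone. The zone content is invented.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample in the one-record-per-line format `dig @ns1.example.com example.com AXFR`
# prints (dig is real; the zone content is invented, using documentation address ranges).
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> @ns1.example.com example.com AXFR
example.com.             3600  IN  SOA    ns1.example.com. hostmaster.example.com. 2023091401 7200 3600 1209600 3600
example.com.             3600  IN  NS     ns1.example.com.
example.com.             3600  IN  NS     ns2.example.com.
example.com.             3600  IN  MX     10 mail.example.com.
example.com.             3600  IN  TXT    "v=spf1 mx ip4:203.0.113.0/24 -all"
www.example.com.          300  IN  A      203.0.113.10
mail.example.com.        3600  IN  A      203.0.113.20
vpn.example.com.         3600  IN  A      203.0.113.30
jenkins-dev.example.com.  300  IN  A      10.10.8.15
intranet.example.com.     300  IN  CNAME  jenkins-dev.example.com.
ns1.example.com.         3600  IN  A      203.0.113.53
ns2.example.com.         3600  IN  A      198.51.100.53
example.com.             3600  IN  SOA    ns1.example.com. hostmaster.example.com. 2023091401 7200 3600 1209600 3600
"""

_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Record(NamedTuple):
    name: str
    ttl: int
    rtype: str
    rdata: str


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in _RFC1918)


def parse_axfr(text: str) -> List[Record]:
    """Parse dig-style output; the SOA that frames the transfer appears twice and is collapsed."""
    records: List[Record] = []
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)              # name ttl class type rdata
        if len(parts) < 5 or parts[2] != "IN":
            continue
        rec = Record(parts[0].rstrip(".").lower(), int(parts[1]), parts[3], parts[4].strip())
        if rec not in seen:
            seen.add(rec)
            records.append(rec)
    return records


def summarize(records: List[Record]) -> Dict[str, object]:
    """Turn the raw zone into the facts a tester acts on next."""
    by_type: Dict[str, List[Record]] = defaultdict(list)
    for r in records:
        by_type[r.rtype].append(r)
    hosts = {r.name: r.rdata for r in by_type["A"]}
    soa = by_type["SOA"][0].rdata.split() if by_type["SOA"] else []
    return {
        "nameservers": sorted(r.rdata.rstrip(".") for r in by_type["NS"]),
        "mail": sorted(r.rdata.split()[1].rstrip(".") for r in by_type["MX"]),
        "hosts": hosts,
        # RFC 1918 addresses in a public zone betray internal naming and address plans
        "internal_leaks": {n: ip for n, ip in hosts.items() if is_rfc1918(ip)},
        "aliases": {r.name: r.rdata.rstrip(".") for r in by_type["CNAME"]},
        "txt": [r.rdata for r in by_type["TXT"]],
        # SOA RNAME encodes the admin mailbox with the first dot standing in for '@'
        "soa_contact": soa[1].rstrip(".").replace(".", "@", 1) if len(soa) > 1 else None,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_axfr(SAMPLE_AXFR)).items():
        print(f"{key:15} {value}")
```

The `internal_leaks` entry is the finding to write up even when the transfer itself is the headline: a public zone that resolves `jenkins-dev` to a 10.x address tells an attacker both that such a host exists and where it sits once they are inside.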

### Useful tools

* recon-ng framework
  * open reconnaissance framework
  * does a lot automatically
  * the perfect automated stalker tool
  * can infer which antivirus is in use by DNS cache snooping: non-recursive queries to the target's resolver for AV vendors' update domains; a cached answer means an internal host recently looked that name up
* spiderfoot framework
  * OSINT automation tool
* OWASP Amass framework
  * subdomain enumeration and attack-surface mapping
* GitHub
  * filled with leaked secrets
  * trufflehog and git-all-secrets automatically scan repositories for leaks (known credential patterns and high-entropy strings)
* [have i been pwned](https://haveibeenpwned.com/): check whether the target's e-mail addresses appear in known breaches
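
Added Python example (not trufflehog's or git-all-secrets' code) of the two techniques such scanners combine: fixed-format patterns for credentials with a known shape, and an entropy check so that a generic `password=` rule does not flag placeholders. The sample file is constructed; the AWS key ID and secret are the placeholder values from AWS's own documentation, and the threshold of 3.5 bits per character is an assumption.

```python
import math
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    kind: str
    token: str


# Fixed-format credentials are caught by shape alone; the generic rule needs the
# entropy check below to separate real key material from placeholders like "changeme".
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:secret|password|passwd|token|api[_-]?key)[A-Za-z0-9_]*\s*[=:]\s*['\"]?"
        r"([A-Za-z0-9+/=_\-]{12,})"),
}
ENTROPY_THRESHOLD = 3.5   # bits per character; an assumption in the range such scanners use


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score high, words and placeholders low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def scan_text(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                token = m.group(1) if m.groups() else m.group(0)
                if kind == "generic_assignment" and shannon_entropy(token) < ENTROPY_THRESHOLD:
                    continue            # low entropy: a word or placeholder, not a key
                findings.append(Finding(line_no, kind, token))
    return findings


# Constructed sample of the kind of file that ends up in a public repository.
# The AWS key ID and secret are the placeholder values from AWS's own documentation.
SAMPLE_REPO_FILE = """\
# deploy.env
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_PASSWORD=changeme_changeme
API_TOKEN="x7Q9vL2mP0tR8sW4zB6nH1"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_REPO_FILE):
        print(f"line {f.line_no}: {f.kind}: {f.token}")
```

In a real engagement the scan runs over the full history of every repository, not just the current tree: a secret that was committed and then removed is still in the object store. Every hit must also be verified against the live service before it goes into the report, because high entropy alone does not prove the value is still valid.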