net-sec-samenvatting/02_planning.md


# Planning, Scoping, Recon and OSINT
* **Threat**: agent or actor that can cause harm
* **Vulnerability**: flaw that can be exploited to cause harm
* **Risk**: overlap between threat and vulnerability
* **Exploit**: code or technique that a threat uses to take advantage of a
  vulnerability
* **Hacking**: manipulate technology to make it do something it's not designed
  to do
* **Ethical hacking** (white hat): hacking with the permission of the target
* **Penetration testing**: ethical hacking with the goal of finding and
  exploiting security vulnerabilities in the target environment and reporting
  them
    * modelling techniques used by real-world attackers
    * determine risk to the company
* **Security audit**
    * testing against a rigorous set of standards
    * detailed checklists
    * more in-depth than a pen test
## Types of penetration tests
* Network services test
    * find target systems on the network
    * look for openings in the OS or running network services and exploit them
    * over the internet or from within a breached network
* Client-side software test
    * look for vulnerabilities in client-side software (e.g. browsers)
* Web application test
    * look for vulnerabilities in web-based applications deployed in the target
      environment
* Social engineering / phishing test
    * attempt to trick users into revealing sensitive information
    * using phishing mails to make users click malicious links
* Wireless security test
    * find unauthorized wireless access points or authorized ones with security
      weaknesses
* Physical security test
    * look for flaws in physical security practices
    * literally try to break in
    * dumpster diving
* Stolen equipment test
    * "obtain" (steal) a piece of equipment (e.g. a laptop) and analyse it for
      sensitive info
* Cryptanalysis attack
    * break or bypass encryption on local or intercepted data
* Product security test
    * look for security flaws in software products that can be installed in the
      tester's lab
* Remote war dial test (obsolete)
    * attempt to log into discovered modems
## Phases of an attack
1. Reconnaissance: OSINT, social engineering, dumpster diving...
2. Scanning: finding openings in the systems, listening ports...
3. Exploitation / gaining access: attempt to access and take control of target
   devices
    * Malicious actors go further
        * install backdoors and rootkits
        * cover tracks with covert channels, log editing...
* public/free testing methodologies
    * Open Source Security Testing Methodology Manual ([OSSTMM](https://www.isecom.org/research.html))
    * Pen Testing Execution Standard ([PTES](http://www.pentest-standard.org/))
    * [NIST SP 800-115](https://csrc.nist.gov/publications/detail/sp/800-115/final) (US National Institute of Standards and Technology)
    * ...
## Lab
* **Testing machine**: system used by the pentester to attack other machines
    * don't use it for anything personal
    * should be hardened to avoid being attacked itself
    * scrub results between tests (avoid confusion, leave no trace)
* **Target machine**: machine being attacked/evaluated
## The pentesting process
* three phases
    1. preparation
        * perform the necessary paperwork
        * clearly define the rules of engagement
    2. testing: conduct the test
    3. conclusion
        * detailed analysis of results
        * write the report
### Rules of engagement
* must be defined in advance
* clear outline of what's allowed and what's not
* emergency contact information
* safe means of communication
* possible briefing calls
* agreement on the period of engagement
* whether sysadmins are informed or not
* how much info is shared
    * **black box**: no info shared
        * more closely mimics a true attack
        * takes longer
    * **grey box**: some info, e.g. the password of a non-privileged user
        * balance between efficiency and realism
    * **white box**: testers get everything
* what data can be viewed
    * remove personal data from sniffed packets
    * sometimes samples are allowed to prove they were there
* should be signed off before anything is done
### Scoping
* determine what should be focused on
    * ask the organisation what their biggest weaknesses are
* avoid scope creep
* ensure all targeted systems are allowed within the scope
    * third-party systems should give *written* permission
    * large cloud vendors usually have pen testing rules in place
* ideally run the test on a staging environment (don't break prod)
* checking inside vulnerabilities
    * team travels onsite
    * team gets VPN or SSH access
* scope must specify the level of testing allowed
    * ping sweep
    * port scanning
    * full-on `nmap -A`
    * physical penetration attempts
    * social engineering
    * DoS checks
    * use of dangerous exploits
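
Scope enforcement in code, as an added example that is not part of the original notes: a small checker that reads the signed-off scope (CIDR ranges, single IPs, hostnames and `*.domain` wildcards, with a leading `!` marking explicit exclusions such as third-party systems without written permission) and splits discovered hosts into allowed and out-of-scope before anything is scanned. The scope file format and all sample entries are constructed for this example.

```python
"""Check discovered hosts against the signed-off scope before any active testing."""
import ipaddress

def parse_scope(text: str) -> dict:
    """One entry per line: CIDR/IP, hostname or '*.domain'; '#' starts a comment,
    a leading '!' excludes (e.g. a third-party host without written permission)."""
    scope = {"include": [], "exclude": []}
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        bucket = scope["exclude"] if entry.startswith("!") else scope["include"]
        entry = entry.lstrip("!").strip().rstrip(".")
        try:
            bucket.append(ipaddress.ip_network(entry, strict=False))  # CIDR or single IP
        except ValueError:
            bucket.append(entry)  # a hostname or a '*.domain' wildcard pattern
    return scope

def _matches(host: str, entries: list) -> bool:
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # a hostname: exact match, or under a '*.' wildcard domain
        return any(isinstance(e, str) and (host == e or (e.startswith("*.") and host.endswith(e[1:])))
                   for e in entries)
    return any(not isinstance(e, str) and addr in e for e in entries)

def in_scope(host: str, scope: dict) -> bool:
    """Explicit exclusions always win over inclusions."""
    host = host.strip().lower().rstrip(".")
    return not _matches(host, scope["exclude"]) and _matches(host, scope["include"])

def split_targets(hosts, scope: dict):
    """Return (allowed, out_of_scope); only the first list may ever be fed to a scanner."""
    allowed = [h for h in hosts if in_scope(h, scope)]
    return allowed, [h for h in hosts if h not in allowed]

# Constructed sample scope and discovered hosts (not real engagement data)
SAMPLE_SCOPE = """
10.10.0.0/16        # internal lab range, signed off by the client
192.0.2.10          # staging web server
example.com
*.example.com
!10.10.5.0/24       # segment hosted by a third party, no written permission
!crm.example.com    # SaaS vendor, explicitly out of scope
"""
SAMPLE_HOSTS = ["10.10.1.20", "10.10.5.7", "www.example.com", "crm.example.com",
                "example.com", "example.com.evil.test", "198.51.100.1"]
```

Running `split_targets(SAMPLE_HOSTS, parse_scope(SAMPLE_SCOPE))` keeps only the three hosts covered by an inclusion and not hit by an exclusion.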
### Reporting and inventory management
* the report is important
    * the only thing the client will read
    * should clearly define what the problem is
    * write it as you go
    * convince the client the problem is real and in the room with them
    * rank vulnerabilities according to severity
* executive summary
    * statement of confidentiality: how to treat this document
    * engagement contacts: who was involved
    * summary for management to read
        * most important conclusions
        * what should be fixed
        * what's been done
    * pentest assessment summary: overview of the most important findings
    * detailed walkthrough: technical overview
* technical
    * deep technical findings
    * big nerd talk for the nerds
* remediation summary
    * short, medium and long-term recommendations
    * summarize project, scope and security state of the target
* appendices
    * output of commands
    * data dumps
    * password reviews
## Reconnaissance
* collect as much information as possible before launching any attack
* **Passive**: gather info without direct interaction with the target
    * via social media
    * corporate website
    * search engines
    * ...
* **Active**: interact directly with the target system
    * scanning
    * enumeration
    * higher risk of detection
* social engineering
    * important role in information gathering
    * life cycle
        1. investigate
            * gather information about targets
            * find details about them (job, personal interests...)
        2. hook
            * create a plausible scenario to engage with the target
            * establish trust
        3. play
            * manipulate the target into providing the desired information
            * trick the target into revealing sensitive information
        4. exit
            * cover tracks to avoid detection
* document metadata analysis
    * gather information from e.g. PDF metadata tags
    * reveals what software they use, who works there
    * lots of documents are (accidentally) publicly available
    * use crawlers and search engines
* domain info
    * WHOIS ([Belgium](https://www.dnsbelgium.be/))
        * query registries about domains
        * can contain contact information of sysadmins
        * lists domain servers
        * not as useful now due to privacy laws
    * Regional Internet Registries (RIRs) offer databases for IP -> domain lookup
* subdomain discovery
    * enumerate subdomains used by the target
    * usually stored on the target's DNS servers
    * useful tools
        * [knock](https://github.com/guelfoweb/knock/): brute-forcing tool
        * [sublist3r](https://github.com/aboul3la/Sublist3r): uses search engines for domain names
        * [SubBrute](https://github.com/TheRook/subbrute): uses open resolvers as proxies for DNS queries
* search engines can provide useful info
    * search for employees or company websites
    * look at job offers
    * ...
    * use fancy lookup syntax
* DNS
    * translates domain names to IP addresses
    * **NS**: nameserver
    * **A**: address
    * **MX**: mail server address for the domain
    * **TXT**: plain text strings for the domain
    * **CNAME**: aliases for domain names
    * **SOA**: indicates that the server is authoritative for the DNS zone
    * **PTR**: pointer for inverse lookup (IP -> domain)
    * zone transfer: mechanism used to replicate DNS DB info to other servers
        * allows secondary servers to sync with the primary one
        * can be exploited to receive the full zone information from the DNS server
        * should be disabled on a properly configured server
* useful tools
    * recon-ng framework
        * open reconnaissance framework
        * does a lot automatically
        * the perfect automated stalker tool
        * can detect antivirus by checking which DNS entries are cached in domain servers
    * spiderfoot framework
        * OSINT automation tool
    * OWASP Amass framework
    * GitHub
        * filled with leaked secrets
        * trufflehog and git-all-secrets automatically scan GitHub for leaks
    * [have i been pwned](https://haveibeenpwned.com/)
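
A defender-side check for the zone transfer point under DNS above, as an added example that is not part of the original notes: it sends an AXFR request for a zone to one of your own authoritative nameservers and reports whether the server refused it, using only the standard library. `nameserver` and `domain` are parameters you supply, only the first response message is judged, and the RCODE names follow RFC 1035 and RFC 2136.

```python
"""Verify that an authoritative nameserver refuses zone transfers (AXFR), stdlib only."""
import socket
import struct

QTYPE_AXFR, QCLASS_IN = 252, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(domain: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = domain.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_axfr_query(domain: str, txid: int = 0x1234) -> bytes:
    """Header (id, flags=0, QDCOUNT=1, other counts 0) followed by one AXFR question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(domain) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)

def classify_axfr_response(msg: bytes, txid: int = 0x1234) -> dict:
    """Judge the first response message: a hardened server answers REFUSED or NOTAUTH
    (or NOERROR with no records); an open one starts sending the zone (SOA + records)."""
    if len(msg) < 12:
        return {"rcode": "TRUNCATED", "answers": 0, "transfer_allowed": False}
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    is_reply = bool(flags & 0x8000) and rid == txid  # QR bit set and id matches ours
    return {"rcode": rcode, "answers": ancount,
            "transfer_allowed": is_reply and rcode == "NOERROR" and ancount > 0}

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def check_zone_transfer(nameserver: str, domain: str, timeout: float = 5.0) -> dict:
    """AXFR runs over TCP; every DNS message is prefixed with a 2-byte length."""
    query = build_axfr_query(domain)
    with socket.create_connection((nameserver, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        return classify_axfr_response(_recv_exact(sock, length))
```

A result with `transfer_allowed` true means the server handed out zone data to an unauthenticated client and its transfer ACL needs tightening.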