Thursday, 16 January 2025

Pentesting: The Art of Reconnaissance.

/ Work in Progress /

Introduction & OSINT.

Reconnaissance is a part of the pentesting process.

Information is the key to strategy, and it is gathered before the attack. In the pentesting process, before we can exploit the target system, we gather intelligence, both technical and non-technical, and build a picture of the target organization and its systems. This makes it easier for us to perform the attack and exploit our target(s).

Types of reconnaissance
- Passive: Intelligence gathering without interacting with the target
  - We collect information from public sources
- Active: Interaction with the target
  - Sending requests and receiving responses
  - Login attempts
  - Port scanning
    - Nmap
    - Nessus
    - Nikto
  - Interaction leaves tracks, for example in logfiles
  - Going beyond the scope of the test agreed with the customer in the pre-engagement
    phase of the pentest (see: PTES phases in the previous article) is a breach of law
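Since active reconnaissance leaves tracks in logfiles, the defender's side of that point is worth seeing. The following is an added example, not code from the original post: it parses constructed web server log lines in the Apache/Nginx combined format and flags a client that requests many distinct paths, or collects many 404 responses, inside a short window, which is what a scanner such as Nikto typically looks like from the server's side. The sample lines, the thresholds and the window length are assumptions chosen for illustration.

```python
"""Flag active reconnaissance (path/port-style scanning) in web server logs.

Added example for this post, not the post's own code. It reads Apache/Nginx
"combined" log lines and reports clients that, inside a short window, request
many distinct paths or collect many 404s - the track a scanner leaves behind.
"""
import re
from collections import defaultdict
from datetime import datetime

# One line of the combined log format: client, identd, user, [timestamp],
# "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not from any real server); addresses come from the
# RFC 5737 documentation ranges. 203.0.113.7 browses normally, 198.51.100.9
# probes ten different paths within ten seconds and gets 404 for each.
_LEGIT = [
    '203.0.113.7 - - [16/Jan/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Jan/2025:10:00:09 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Jan/2025:10:00:15 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]
_PROBED = ["/admin/", "/backup/", "/old/", "/test/", "/cgi-bin/",
           "/server-status", "/phpmyadmin/", "/console", "/.git/", "/wp-login.php"]
_SCAN = [
    f'198.51.100.9 - - [16/Jan/2025:10:00:{20 + i:02d} +0000] '
    f'"GET {p} HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; scanner)"'
    for i, p in enumerate(_PROBED)
]
SAMPLE_LOG = "\n".join(_LEGIT + _SCAN)


def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_scanners(log_text, window_seconds=60, min_distinct_paths=8, min_not_found=5):
    """Return {ip: details} for each client that, within any window of
    `window_seconds`, requested at least `min_distinct_paths` different paths
    or received at least `min_not_found` 404 responses. `details` describes
    the first window that crossed a threshold."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Advance the window start until the window spans at most window_seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            distinct = {r["path"] for r in window}
            not_found = sum(1 for r in window if r["status"] == 404)
            if len(distinct) >= min_distinct_paths or not_found >= min_not_found:
                flagged[ip] = {
                    "distinct_paths": len(distinct),
                    "not_found": not_found,
                    "first_seen": window[0]["ts"].isoformat(),
                    "user_agents": sorted({r["ua"] for r in window}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_paths']} paths, {info['not_found']} x 404, "
              f"UA {info['user_agents']}")
```

The sliding window matters: a legitimate user also collects the odd 404 (a missing favicon, a stale bookmark), so counting 404s per day would flag everyone; counting them inside a minute separates a browsing session from a scan. The user agent is recorded only as supporting evidence, since a scanner can set it to anything.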

Enumeration
- Detailed analysis of services, machines and applications
- Identifying users by iterating
- Active technique

OSINT: Open Source Intelligence
- Also known as: 'White Intelligence'
- Three pillars of OSINT
  - Gathering intelligence about target organization
  - Obtaining information about infrastructure
  - Gathering other data
    - Sensitive information leaks
      - Passwords
      - Email addresses
      - Other sensitive data

When we gather intelligence about our target, we first want to get to know the target organization.
- What does it do?
- Whom does it employ?
- Where is it located?

We build a general picture of the target.

Location:
- A large organization may be located in many cities or even countries
- On web pages and in social media we may find photos of the locations, both inside
  and outside
  - Interior photos sometimes reveal sensitive information
    - Employee lists
    - WiFi passwords
    - Other
  - Exterior photos can be used to find out where the cameras are and which routes
    can be taken to enter the building
  - There have been cases where attackers identified the camera model from a photo and
    used it to compromise the camera, gaining unauthorized admin access
  - Interior photos sometimes show computers with their running software visible.
    This little bit of information can sometimes have serious consequences

Employees:
- Web pages often contain information about employees, which can be a starting
  point for social engineering attacks
- Data about employees can also be found on LinkedIn and in other social media
- We can find information about the company itself
  - Whether the target company is large or small
  - Whether employees stay for long, or whether there is high turnover of personnel
    - This may affect employee morale, and an unhappy worker can be an easy target for
      attacks
- It happens that on LinkedIn, for example, we want to make it easier for an employer
  to contact us, so we put our email address or telephone number in our profile
- Sometimes there are documents to download on the organization's web page. These files
  might contain sensitive information
  - File formats often contain metadata that can be extracted. This might reveal
    the software used, the employee's name or even their login, etc.
    This information lets us profile our attack better
    - For example, if we notice that an employee uses an archaic version of
      Excel, we might successfully use a specially prepared xls
      file to perform an attack
    - There's a tool called 'exiftool' that can be used to extract metadata
- Collecting contact information
  - Email addresses
  - Phone numbers
  - Hunter.io is one of many tools that allow us to find a person by their name
    and surname
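To see what the metadata point means in practice, here is an added example that is not part of the original post and is not exiftool: using only the Python standard library it opens an Office Open XML document (a .docx or .xlsx is a zip archive), reads the docProps/core.xml and docProps/app.xml parts, and reports what a reader of the file could learn from them, which is the check an organization can run on its own documents before publishing them. The document is constructed in memory so the script runs offline; the person, hostname, company and version in it are made up. The mapping from the AppVersion major number to the Office release (12 = Office 2007, 14 = 2010, 15 = 2013, 16 = 2016 and later) is the generally known one and is what lets a reviewer spot an archaic Office build.

```python
"""Audit the metadata an Office Open XML document would leak before publishing it.

Added example for this post, not the post's own code and not exiftool. A .docx
or .xlsx is a zip archive; author, last editor, company and the authoring
application's version live in docProps/core.xml and docProps/app.xml.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
CORE_FIELDS = ["dc:title", "dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified"]
APP_FIELDS = ["ep:Application", "ep:AppVersion", "ep:Company", "ep:Template"]

# Major number of AppVersion -> Office release (well-known mapping, not from the post).
OFFICE_MAJOR = {"11": "Office 2003", "12": "Office 2007", "14": "Office 2010",
                "15": "Office 2013", "16": "Office 2016 or later"}


def build_sample_docx():
    """Construct a minimal .docx-like archive with leaky metadata (constructed
    sample; the person, hostname and company are made up)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        '<dc:title>Price list 2025</dc:title>'
        '<dc:creator>jkowalski</dc:creator>'
        '<cp:lastModifiedBy>Jan Kowalski (FINANCE-PC01)</cp:lastModifiedBy>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">2025-01-10T08:15:00Z</dcterms:created>'
        '</cp:coreProperties>'
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Properties xmlns="{NS["ep"]}">'
        '<Application>Microsoft Office Word</Application>'
        '<AppVersion>12.0000</AppVersion>'
        '<Company>Example Corp</Company>'
        '</Properties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder part
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")  # placeholder body
    return buf.getvalue()


def _text(root, qualified_tag):
    el = root.find(qualified_tag, NS)
    return el.text.strip() if el is not None and el.text else None


def extract_ooxml_metadata(data):
    """Return {field: value} for the metadata fields present in OOXML bytes `data`."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = set(z.namelist())
        for part, fields in (("docProps/core.xml", CORE_FIELDS),
                             ("docProps/app.xml", APP_FIELDS)):
            if part not in parts:
                continue
            root = ET.fromstring(z.read(part))
            for field in fields:
                value = _text(root, field)
                if value:
                    found[field] = value
    return found


def assess(meta):
    """Turn raw fields into review findings: what a reader of the file could learn."""
    findings = []
    if "dc:creator" in meta:
        findings.append(f"author identity: {meta['dc:creator']}")
    if "cp:lastModifiedBy" in meta:
        findings.append(f"last editor (often a login or hostname): {meta['cp:lastModifiedBy']}")
    major = meta.get("ep:AppVersion", "").split(".")[0]
    if major in OFFICE_MAJOR:
        findings.append(f"authoring software: {meta.get('ep:Application', '?')} "
                        f"({OFFICE_MAJOR[major]})")
    if "ep:Company" in meta:
        findings.append(f"organisation: {meta['ep:Company']}")
    return findings


if __name__ == "__main__":
    meta = extract_ooxml_metadata(build_sample_docx())
    for finding in assess(meta):
        print("-", finding)
```

Replace `build_sample_docx()` with `open("file.docx", "rb").read()` to run it on a real document. Most office suites offer a "remove personal information" or "inspect document" step on save; this script is the check that it was actually applied.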

Organization's workings (what it does and how)
- All kinds of sales results
- Operating reports
- Financial reports
- What the organization offers
  - Services offered
  - What kinds of products are sold
    - How these products work
      - Manuals
      - Tutorials
      - YouTube videos
- Activities of employees in social media
  - All kinds of company-related photos
    - 'Another day in the office'
    - Corporate events

Discussion forums where support staff solve users' problems can be a real treasury of information.

There are services that allow us to easily read reports, check connections between organizations, or look up a person to see which organizations they are connected with.
- For example: przeswietl.pl

All of this connected information is useful; it helps us build an accurate picture of the target organization and expand our potential attack surface.


Reconnaissance: Domains & Subdomains.

/ To be continued /

Thursday, 9 January 2025

Introduction to Pentesting.

Introduction & Key Concepts.

What are Penetration Tests?
- Attack on a system: A penetration test is a controlled attack on a system, network or
  application
- Goal: The objective of penetration tests is to check resilience against various types of
  attacks
- Role: The pentester acts as an attacker, while remaining careful not to cause
  permanent damage to the system

Types of Penetration Tests:
- Internal: Tests performed from the internal network's perspective
  - Attack from inside: The pentester simulates an attack coming from the organization's
    internal network
  - Goal: The objective is to find vulnerabilities in the internal
    infrastructure
  - Examples of vulnerabilities:
    - Unprotected servers
    - Weak passwords
    - Obsolete systems
- External: Tests performed from the external network's perspective
  - No access to the internal network: The pentester attempts to gain access from
    the outside, over the Internet
  - Goal: The objective is to find security gaps
  - Vulnerable applications and services: Search for obsolete systems and
    configuration errors

Penetration tests can also be categorized by the knowledge we have about the tested system(s)
- Black Box Testing:
  - No knowledge: The pentester has no prior knowledge about the tested system
  - Black box: We approach the system as a closed, unknown structure
  - Information gathering: We must collect all needed information using publicly
    available means
  - Creativity & skills: We rely on our creativity and on our skills in
    reconnaissance and exploitation
- White Box Testing:
  - Full knowledge: We assume that we have full access to the source code, documentation
    and architecture
  - Identifying vulnerabilities: Useful for finding security gaps in the application's
    logic and in its data flow
  - Deep analysis: We have more time for analysis of the source code and architecture
- Grey Box Testing: A hybrid approach, something between Black and White Box Testing
  - Limited access: The pentester has limited access to the system
  - Insider threats: Identification of security gaps that insiders could exploit
  - Red and Purple Teaming: Approaches that supplement Grey Box Testing

Red Teaming:
- Simulation of a realistic attack on an organization
- Varied techniques: Using social engineering, phishing, exploits & other attacks
- Assessment of readiness: Checking real readiness to defend against threats,
  performing tests without prior warning

Purple Teaming:
- Cooperation: Red and Blue Teams cooperate
  - The Red Team performs attacks using various techniques and shares findings with the Blue
    Team
  - The Blue Team uses the knowledge gained from the Red Team to adapt to the threat(s)
    and repel such attack(s)
- Constant learning: This approach promotes continuous development
- Increasing security: Improves the general security posture

Significance of Penetration Tests:
- Ensuring security: Penetration tests are necessary to provide the organization with
  security & safety
- Varied perspectives: Different types of tests provide different information, from different
  perspectives
- Preparation for threats: Red and Purple Teaming exercises help organizations to
  prepare
- Constant development: Regular tests enable continuous development of security
  mechanisms


Penetration Testing Method.

When performing pentesting, it's convenient to use proven, standardized methods. One such standard methodology is PTES: the Penetration Testing Execution Standard. Every pentester develops his/her own methodology, but PTES is a good place to start.

PTES Phases: PTES divides the pentesting process into 7 key stages
- Pre-engagement interactions:
  - Initial communication: Agreements between the customer and the testing team
    - Time frames
    - Target system(s)
    - Limits
    - Signing contracts
      - Signing NDA contracts
      - Obtaining written permission to perform the tests
  - Preparation: Planning and organization of the testing
  - Agreements: Defining the objectives and scope of the pentest
- Intelligence gathering
  - Collecting data about the tested organization and its systems
    - Customers
    - Partners
    - Employees
    - Technologies used
  - Analysis of public sources
    - Browsing internet pages
    - Checking social media
    - Checking public registries (WHOIS)
  - Using tools
    - Scanning network(s)
    - Searching for security gaps
    - Collecting technical data
  - Identifying targets
    - Services
    - Operating systems
    - Web applications
  - Objective: creating a detailed picture of the test's target
- Threat modelling & vulnerability analysis
  - These two stages are often combined, for practical reasons
  - Threat analysis: Identifying threats and vulnerabilities
  - Automated scanning for vulnerabilities
  - Static & dynamic application code analysis
  - Testing the validity of configuration
    - Application settings
    - Systems
    - Networks
  - Objective: Creating a comprehensive list of confirmed vulnerabilities that can be used in
    the next stage
- Exploitation
  - Use of the found vulnerabilities to gain unauthorized access to certain resources or
    to raise (escalate) our privileges
  - If we succeed, we can take steps deeper into the infrastructure
    (so-called 'lateral movement')
  - Creation / adjustment of exploits
  - We must be careful not to disrupt the operation of the customer's production system(s)
  - Publicly available exploits sometimes pose a threat to the correct operation of the
    customer's production system(s). The code of such exploits has to be
    analysed before use, in an attempt to predict its effect(s) on the
    customer's production system(s)
- Post-exploitation
  - Re-enumeration: Analysis of the new privileges and possibilities
  - Confidential data identification: Discovery of new, critical resources
  - Maintaining access: Testing means of maintaining control
- Reporting
  - Notes
    - Recording the found vulnerabilities
    - Passwords
    - Keys
    - Usernames
  - Summary: Compiling all of the important data for the report
  - Detailed report: Description of methods and recommendations, even up to 100 pages
  - The report should be written in parallel with the performed penetration tests, to make it
    easier to summarize the findings
  - Elements of a good report
    - Executive summary: a summary for non-technical personnel on the business side.
      Often presented as a short, condensed, 1-2 page report
      - Summary for the management staff
      - Technical summary of the found vulnerabilities: A detailed description of the found
        security gaps, understandable for everyone
      - Vulnerability assessment & recommendations: Risk assessment &
        corrective recommendations
      - Evidence: The report should include evidence that confirms the found problems
    - Technical description of vulnerabilities
      - Detailed description: Detailed description of the identified vulnerabilities,
        including all of the steps necessary to reproduce the vulnerability
      - Impact: Presentation of the potential impact of each of the found vulnerabilities
      - Vulnerability assessment: For each vulnerability we should include its
        assessment according to CVSS 3.1, its categorization, and the estimated
        impact on the business
      - Recommendations: Recommendations regarding vulnerability removal, correction
        of errors & improvement of security
      - Repair actions: A prepared remediation plan, based on the test report
      - Evidence
        - Screenshots
        - Logfiles
        - Confidential data should be masked/partially hidden (passwords, for example)
  - Importance of a good report
    - Key result: A good report allows the identified security problems to be understood
      and resolved
    - Quality of work: The report speaks to the quality of the pentester's work
    - Closure of the pentest: The report finishes the last stage of the pentest, and closes
      the last stage of the PTES methodology

PTES includes detailed guidelines and checklists for each of the pentest's stages, helping pentesters to perform comprehensive & methodical penetration tests.

PTES's flexibility:
- Adjustable to context: PTES provides flexible guidelines that depend on the tested
  system
- Team cooperation: A common methodology makes it easier for pentesting teams to cooperate
- Overlapping approaches: The PTES & OSCP methodologies have many elements in common

Tact in the pentester's work:
- Cooperation, not rivalry: The objective is increasing security, NOT proving
  one's superiority or showing off
- Empathy & understanding: Let's remember that the other workers also want to increase
  security
- Common goal: We all play for the common goal; we want to increase security together
- Tone of speech: Avoid only pointing at errors; also appreciate the efforts of the
  whole team
- Building cooperation: Describe the good sides of the implemented solutions in the report
- Communication & 'soft skills': Also important in the pentester's work


Where to hack legally?

CTF Platforms (Capture the flag):

Mostly for testing/honing skills, but sometimes there are financial rewards.

- Hack The Box: https://www.hackthebox.com
- VulnHub: https://www.vulnhub.com
- TryHackMe: https://tryhackme.com

Bug Bounty Platforms:

There are financial rewards, but the competition is strong.

- HackerOne: https://www.hackerone.com
- Intigriti: https://www.intigriti.com
- BugCrowd: https://www.bugcrowd.com

Sometimes found vulnerabilities are rejected (for example, when someone else found the vulnerability earlier), so one does not get paid every time.


Building Hacker's Mindset.

For a pentester, it's worthwhile to develop the Hacker's Mindset, that is, to develop the following 9 qualities of mind:

Desire for constant development
- Dynamic domain: New threats and fast development of technology
- Passion for learning: Specialist has to follow newest trends
- Beginning of the adventure: This article is just a beginning
- Constant development: Don't stop here

Think like a hacker
- Learn attack methods
- Offensive approach: Learn to think as attacker, to defend better
- Use gained knowledge to protect the systems

Be curious
- Learn various topics in depth, don't stop at shallow knowledge
- Various approaches: Try various methods and ways of solving problems
- Creativity: There's no single true way; be open to new ideas

Analytical thinking
- Break issues down into their basic components, analyse information to find vulnerabilities
- Connect seemingly unrelated elements
- Predict where something can be broken

Communication skills
- Cooperate with the rest of the team
- Adapt the language to the recipient's level
- Constructive criticism: Convey comments in a sensitive manner

Resistance to stress:
- Keep calm: Stay focused when under pressure
- Plan a priori: Plan all steps to be taken in advance
- Keep tools ready
- Train personnel in advance

Ethics:
- Be cautious with access to sensitive information
- Stay within the agreed scope of the pentest
- Remember to be responsible with regard to users' security

Don't give up
- Be determined and persistent
- Don't give up when difficulties arise
- Take a break: rest for a while, then return to the problem
- Keep trying until you succeed

Solve problems:
- Try solving problems on your own
- Slow down, think, and try to analyse the problem again
- Think creatively: Try to find non-obvious solutions. That's hacking, after all