Introduction & Key Concepts.
What are Penetration Tests?
- Attack on a system: A penetration test is a controlled attack on a system, network or application
- Goal: The objective of a penetration test is to check how well the target withstands various types of attacks
- Role: The pentester acts as an attacker, while taking care not to cause permanent damage to the system
Types of Penetration Tests:
- Internal: Tests performed from the internal network's perspective
  - Attack from inside: The pentester simulates an attack coming from the organization's internal network
  - Goal: The objective is to find vulnerabilities in the internal infrastructure
  - Examples of vulnerabilities:
    - Unprotected servers
    - Weak passwords
    - Obsolete systems
- External: Tests performed from the external network's perspective
  - No access to the internal network: The pentester attempts to gain access from the outside, over the Internet
  - Goal: The objective is to find security gaps
  - Vulnerable applications and services: Searching for obsolete systems and configuration errors
Penetration tests can also be categorized by the knowledge we have about the tested system(s):
- Black Box Testing:
  - No knowledge: The pentester has no prior knowledge about the tested system
  - Black box: We approach the system as a closed, unknown structure
  - Information gathering: We must collect all the information we need using publicly available means
  - Creativity & skills: We rely on our creativity and on our skills in reconnaissance and exploitation
- White Box Testing:
  - Full knowledge: We assume that we have full access to the source code, documentation and architecture
  - Identifying vulnerabilities: Useful for finding security gaps in the application's logic and data flow
  - Deep analysis: We have more time for analysis of the source code and architecture
- Grey Box Testing: A hybrid approach, somewhere between Black and White Box Testing
  - Limited access: The pentester has limited access to the system
  - Insider threats: Identifies security gaps that could be exploited by insiders
- Red and Purple Teaming: Approaches that supplement Grey Box Testing
Red Teaming:
- Simulation of a realistic attack on the organization
- Varied techniques: Uses social engineering, phishing, exploits & other attacks
- Assessment of readiness: Checks the organization's real readiness to defend against threats, with tests performed without prior warning
Purple Teaming:
- Cooperation: The Red and Blue Teams cooperate
  - The Red Team performs attacks using various techniques and shares its findings with the Blue Team
  - The Blue Team uses the knowledge gained from the Red Team to adapt to the threat(s) and repel such attack(s)
- Constant learning: This approach promotes constant development
- Increasing security: Improves the organization's general security posture
Significance of Penetration Tests:
- Ensuring security: Penetration tests are necessary to provide the organization with security & safety
- Varied perspectives: Different types of tests provide different information, from different perspectives
- Preparation for threats: Red and Purple Teaming exercises help organizations to prepare
- Constant development: Regular tests enable constant development of security mechanisms
Penetration Testing Method.
When performing pentesting, it's convenient to use proven, standardized methods. One such standard methodology is PTES: the Penetration Testing Execution Standard. Every pentester develops their own methodology, but PTES is a good place to start from.
PTES Phases: PTES divides the pentesting process into 7 key stages
- Pre-engagement interactions:
  - Initial communication: Agreements between the customer and the testing team
    - Time frames
    - Target system(s)
    - Limits
    - Signing contracts
    - Signing NDA contracts
    - Obtaining written permission for performing the tests
  - Preparation: Planning and organization of the testing
  - Agreements: Designating the objectives and scope of the pentest
- Intelligence gathering
  - Collecting data about the tested organization and its systems
    - Customers
    - Partners
    - Employees
    - Technologies in use
  - Analysis of public sources
    - Browsing web pages
    - Checking social media
    - Checking public registries (WHOIS)
  - Using tools
    - Scanning network(s)
    - Searching for security gaps
    - Collecting technical data
  - Identifying targets
    - Services
    - Operating systems
    - Web applications
  - Objective: Creating a detailed picture of the test's target
- Threat modelling & vulnerability analysis
  - These two stages are often combined, for practical reasons
  - Threat analysis: Identifying threats and vulnerabilities
    - Automated scanning for vulnerabilities
    - Static & dynamic analysis of application code
    - Testing the validity of the configuration of:
      - Application settings
      - Systems
      - Networks
  - Objective: Creating a comprehensive list of confirmed vulnerabilities that can be used in the next stage
- Exploitation
  - Using the found vulnerabilities to gain unauthorized access to certain resources or to raise (escalate) our privileges
  - If we succeed, we can move deeper into the infrastructure (so-called 'lateral movement')
  - Creation / adjustment of exploits
    - We must be careful not to disrupt the operation of the customer's production system(s)
    - Publicly available exploits sometimes pose a threat to the correct operation of the customer's production system(s). The code of such exploits has to be analysed before use, in an attempt to predict its effect(s) on the customer's production system(s)
- Post-exploitation
  - Re-enumeration: Analysis of the new privileges and possibilities
  - Confidential data identification: Discovery of new, critical resources
  - Maintaining access: Testing means of maintaining control
- Reporting
  - Notes
    - Recording found vulnerabilities
    - Passwords
    - Keys
    - Usernames
  - Summary: Compiling all of the important data for the report
  - Detailed report: Description of methods and recommendations, even up to 100 pages
  - The report should be written in parallel with the performed penetration tests, to make it easier to summarize the findings
  - Elements of a good report
    - Executive summary: A summary for non-technical, business-side personnel. Often presented as a short, condensed, 1-2 page report
      - Summary for the management staff
      - Technical summary of found vulnerabilities: A detailed description of the found security gaps, understandable for everyone
      - Vulnerability assessment & recommendations: Risk assessment & corrective recommendations
      - Evidence: The report should include evidence that confirms the found problems
    - Technical description of vulnerabilities
      - Detailed description: Detailed description of the identified vulnerabilities, including all of the steps necessary to reproduce each vulnerability
      - Impact: Presentation of the potential impact of each found vulnerability
      - Vulnerability assessment: For each vulnerability we should include its assessment according to CVSS 3.1, its categorization, and its estimated impact on the business
      - Recommendations: Recommendations regarding removal of the vulnerability, correction of errors & improvement of security
      - Repair actions: A prepared remediation plan, based on the test report
    - Evidence
      - Screenshots
      - Log files
      - Confidential data should be masked/partially hidden (passwords, for example)
  - Importance of a good report
    - Key result: A good report allows the identified security problems to be understood and resolved
    - Quality of work: The report speaks about the quality of the pentester's work
    - Closure of the pentest: The report finishes the last stage of the pentest, and closes the last stage of the PTES methodology
PTES includes detailed guidelines and checklists for each of the pentest's stages, helping pentesters to perform comprehensive & methodical penetration tests.
PTES's flexibility:
- Adjustable to context: PTES provides flexible guidelines that depend on the tested system
- Team cooperation: A common methodology makes it easier for pentesting teams to cooperate
- Overlapping approaches: The PTES & OSCP methodologies have many elements in common
Tact in the pentester's work:
- Cooperation, not rivalry: The objective is increasing security, NOT proving one's superiority or showing off
- Empathy & understanding: Let's remember that the other workers also want to increase security
- Common goal: We all play for the common goal; we want to increase security together
- Tone of speech: Avoid only pointing at errors; also appreciate the efforts of the whole team
- Building cooperation: Describe the good sides of the implemented solutions in the report
- Communication & 'soft skills': Also important in the pentester's work
Where to hack legally?
CTF Platforms (Capture the flag):
Mostly for testing/honing skills, but sometimes there are financial rewards.
- Hack The Box: https://www.hackthebox.com
- VulnHub: https://www.vulnhub.com
- TryHackMe: https://tryhackme.com
Bug Bounty Platforms:
There are financial rewards, but the competition is big.
- HackerOne: https://www.hackerone.com
- Intigriti: https://www.intigriti.com
- BugCrowd: https://www.bugcrowd.com
Sometimes found vulnerabilities are rejected (for example, when someone else found the vulnerability earlier), so one does not get paid every time.
Building the Hacker's Mindset.
For a pentester, it's worthwhile to develop the Hacker's Mindset, that is, the following 9 qualities of mind:
Desire for constant development
- Dynamic domain: New threats and fast development of technology
- Passion for learning: A specialist has to follow the newest trends
- Beginning of the adventure: This article is just a beginning
- Constant development: Don't stop here
Think like a hacker
- Learn attack methods
- Offensive approach: Learn to think as an attacker, in order to defend better
- Use the gained knowledge to protect systems
Be curious
- Learn various topics in depth, don't stop at shallow knowledge
- Various approaches: Try various methods and ways of problem solving
- Creativity: There's no single true way, be open to new ideas
Analytical thinking
- Break issues down into their basic components and analyse the information to find vulnerabilities
- Connect seemingly unrelated elements
- Predict where something can be broken
Communication skills
- Cooperate with the rest of the team
- Adapt the language to the recipient's level
- Constructive criticism: Convey comments in a sensitive manner
Resistance to stress:
- Keep calm: Stay focused when under pressure
- Plan a priori: Plan all the steps to be taken in advance
- Keep tools ready
- Train personnel in advance
Ethics:
- Be cautious with access to sensitive information
- Stay within the agreed scope of the pentest
- Remember to be responsible with regard to users' security
Don't give up
- Be determined and persistent
- Don't give up when difficulties arise
- Take a break: rest for a while, then return to the problem
- Keep trying until you succeed
Solve problems:
- Try solving problems on your own
- Slow down, think, and try to analyse the problem again
- Think creatively: Try to find non-obvious solutions. That's hacking, after all