Pentest+
Scope creep
Condition when a client requests additional services after the SOW and the project scope have been agreed to and signed
Hacktivist
Conduct activities against governments, corporations, or individuals; can be an individual or a member of a group
Red team
Conducted by internal pen-testers of an organization during a security exercise to ensure defenders (blue team) can perform their job adequately
Advanced persistent threat (apt)
Group with great capability and intent to hack a particular network or target; targets an organization for business or political motives; usually funded by nation states; highly covert attacks over a long period of time
Packet inspection
Manual enumeration performed by analyzing captured packets to determine information; pcap; Wireshark
Banner grabbing
Manual fingerprinting or enumeration; use telnet or netcat to connect to the target host; commonly used for FTP, SSH, Telnet, and HTTP
Sniffing network traffic
Most common eavesdropping; intercepts and logs network traffic that can be seen via wired and wireless connections
Objective-based testing example
Multiple ways to get to a file; break in, phishing, various hacks
Tier five of adversaries
Nation states investing tons of money creating vulnerabilities/exploits
Tier six of adversaries
Nation states investing tons of money to carry out cyber, military, and intelligence operations to achieve political, military, or economic goals
Representational state transfer (rest)
Replaces SOAP in recent years; web app architectural style based on HTTP; a lot less communication between the server and the end client
Point-in-time assessment
Results were accurate when the penetration test occurred at that point in time
Compliance-based assessments
Risk-based compliance assessment that is required to ensure policies or regulations are being followed correctly
Goal-based assessments
Specific goals are defined before the test starts; could try to find multiple ways to meet that goal
Architectural Diagrams
Supplied in white-box test; network diagrams, physical maps of organization facilities, assists in mapping out network topology, location of switch closets, and where key information systems are located
Certificate inspection
Try to identify what type of encryption a web server is using (TLS, SSL 2.0, or SSL 3.0)
Compliance Scan
Type of scan used to identify vulnerabilities that may affect compliance with regulations and policies
Connection String Parameter Pollution (CSPP)
Exploits the semicolon-delimited database connection strings that are constructed dynamically based on user inputs from web applications
Tier four of adversaries
Organized, highly technically proficient, well-funded hackers working in teams to develop new exploits
Resources and requirements
What resources are needed? What requirements will be met during testing?
Goal-Based Testing
What type of assessment seeks to validate a systems security posture against a particular checklist?
Four steps of penetration testing
1. Planning and scoping, 2. Information gathering, 3. Attacks and exploits, and 4. Reporting and communication
Conducted a ping sweep of the subnet
for i in $(seq 255); do ping -c 1 10.1.0.$i; done
Simple Object Access Protocol (SOAP)
A messaging protocol specifically for exchanging structured information in the implementation of web services
Adjudication
A method of evaluating and considering which vulnerabilities to prioritize for attacks; can use multiple calculations, such as which are the most critical, which have the best or easiest exploits, which are false positives, which fall under common themes, etc.
g++ exploit.cpp -o notepad.exe
A security engineer is using the Kali Linux operating system and is writing exploits in C++. What command should they use to compile their new exploit and name it notepad.exe?
Static Analysis
A type of analysis that is performed in a non-runtime environment; inspects the programming code for flaws or vulnerabilities; line-by-line inspection can be performed
Dynamic Analysis
A type of analysis that occurs while the program is running; could be that the program is run in a sandbox and changes are noted; the more likely type of analysis
Risk avoidance
Actions taken to eliminate risk completely; e.g., decommission a server that has a vulnerability
Enumeration
Actively connecting to systems to determine open services, shares, user accounts, software versions, and others being used by a host
Scanning
Actively connecting to the system getting a response to identify open ports and services
Packet crafting
Aka packet manipulation; sending modified packet headers to gather information from a system or host
Decompiling
Allows you to reverse engineer software using a decompiler; reverses the process of compiling; can NOT turn it back into the source code, but can get byte-code and assembly code
Insider threat
Already have authorized access to the networks; may be skilled or unskilled; former or current employee
Full Scan
An in-depth scan including ports, services, and vulnerabilities; easy to see in network traffic when the scan is performed; usually only run by defenders, not attackers
Time Restrictions
Are there certain times that are not authorized for testing? What about days of the week? What about holidays?
Containers
Basically mini virtual machines; built from a base OS image with unique apps on top of the OS and require way less resources to run
Pre-merger
Before two companies perform a merger it is common to conduct a penetration test on them to identify weaknesses being inherited; can be part of the due diligence efforts
Radio frequency monitoring
Can be used to determine the types of devices in use: cellular, Wi-Fi, Bluetooth
Asset Categorization
Categorizing by OS or function; discover high-value assets, then sort by most or least vulnerabilities on a system, or by which has the most critical vulnerabilities
Non-credentialed Scans
Closer to a hacker's perspective for scanning; does not use an authenticated account
A vulnerability scan has returned the following results: Detailed Results: 10.56.17.21 (APACHE-2.4) Windows Shares; Category: Windows; CVE ID: -; Vendor Ref: -; Bugtraq ID: -; Service Modified: 8.30.2017; Enumeration Results: print$ c:\windows\system32\spool\drivers, files c:\FileShare\Accounting, Temp c:\temp. What best describes the meaning of this output?
Connecting to the host with a null session allows the enumeration of the share names on the host. The enumeration results show three share names (print$, files, Temp) were found using a null session connection.
Master Services Agreement (MSA)
Contract where parties agree to most of the terms that will govern future actions.
Budgeting
Controls many factors in a test, larger budget = more time
Risk mitigation
Controls and countermeasures are put into place
Cryptographic inspection
Determine the encryption that is being used
Rules of engagement (roe)
Ground rules that you play by for the organization and the test, timeline, locations, time restrictions, transparency, and test boundaries
Test Boundaries
What will be tested? Is social engineering allowed to be used? What about physical security testing? How invasive can the test be?
Statement of Work (SOW)
Formal document stating the scope of what will be performed during a penetration test.
White-Box Testing
Full knowledge test; full knowledge of network, systems, and the infrastructure; more time probing vulnerabilities and less time gathering information
Sample application requests
Generally used for testing web apps or other apps developed by the organization; usually given inputs and expected outputs
Timeline
How long will the test be conducted?
Fingerprinting
Identification of the operating system, service, or software versions being used by the host
Risk transference
Insurance; risk is moved to another entity
Tier three of adversaries
Invest lots of money to find unknown vulnerabilities in order to steal data to sell for profit
Stealth Scan
Least intrusive kind of scan; conducted by sending a SYN packet and analyzing the result of sending it out. If SYN/ACK is received, the port is open; the scanner then sends a RST so that hopefully the handshake is never completed nor logged; some IDS will see this type of scan
LM Hash
Legacy hashes that are not generated when the password length exceeds 15 characters
Non-Disclosure Agreement (NDA)
Legal contract outlining confidential material or information that will be shared during the assessment and what restrictions are placed on it.
Tier two of adversaries
Little money and invest in own tools against KNOWN vulnerabilities
Tier one of adversaries
Little money and rely on off the shelf tools and known exploits
Script kiddies
Low-skilled attackers who use others' tools; use freely available vulnerability assessment and hacking tools to conduct an attack
Common Vulnerabilities and Exposures (CVE)
MITRE provided; every vendor submits to it; has vulnerabilities and exposures
Common Weakness Enumeration (CWE)
MITRE provided; software weaknesses and the different types of them; provides information about the actual weaknesses
Common Attack Pattern Enumeration and Classification (CAPEC)
MITRE provided; used to help understand and identify attack patterns to understand and potentially emulate them.
Web Application Scanner
Nikto
Black-Box Testing
No knowledge test; simulates an outsider attack; ignores internal threats; takes longer and costs more
Footprinting tools
nslookup, traceroute, ping, whois, Domain Dossier, Email Dossier, Google, social networking, discovery.sh, Maltego
Swagger documentation
Open-source framework with a large system of tools to help design, build, document, and test services based on HTTP
Gray-Box Testing
Partial knowledge test, can be used as an internal test to simulate an insider with minimal knowledge, can decrease time spent on gathering info and more time on identifying vulnerabilities; this is the most likely type of pentest
Supply chain assessments
Pen-test may be required of your suppliers to ensure they are meeting their cybersecurity requirements
NIST SP 800-115
Plan, discover, attack, and report
Wassenaar Agreement
Precludes the transfer of technology considered to be "dual use" (can be used commercially and as a weapon, like encryption)
Threat modeling
Pretending to be a certain kind of attacker and conducting an attack simulating the way that they would attack
Software Development Kit (SDK)
Provides a set of tools, libraries, documentation, code samples, processes, or guides to allow faster development of a new app on a platform
Discovery Scan
Scan that is the least intrusive; used to create a network map to show connected devices in the architecture
Credentialed Scans
Scanner uses an authorized user or admin account; closer to a system admin perspective; generally finds more vulnerabilities
Vulnerability scanning
Scanning a host, system, or network to determine what vulnerabilities exist; tools are only as good as their configuration
Objective-based assessments
Seek to ensure the information remains secure; testing occurs using all measures and more accurately simulates a real attack
Domain squatting
Take something close to the actual website name (cipher.com versus cypher.com), make it look as close as possible, then host malware there
Packet capturing
Use Wireshark or tcpdump to conduct this; electronic eavesdropping
Debugging
Used to identify and remove errors from hardware, software, or systems; also allows you to run through the executable step-by-step
sc query
What command could be used to list the active services from the Windows command prompt?
Technical constraints
What constraints limit your ability to test?
XML denial of service issues; this is because the SOAP message itself is formatted as an XML document
What is a common Service Oriented Architecture Protocol (SOAP) vulnerability?
End state/reporting
What kind of report will be provided? Will you provide an estimate of how long remediation will take?
Location
Where will the testers be located? Does the organization have multiple locations? Will it cross international borders? Will the testers be on-site or remote?
Communication paths
Who do we communicate with about the test? Who is our inside contact to discuss the test with?
Transparency
Who knows about the test? Will there be any information provided to the testers?
XML Schema Definition (XSD)
World Wide Web Consortium (W3C) recommendation that specifies how to formally describe elements in an Extensible Markup Language (XML) document
Web Services Description Language (WSDL)
XML-based interface definition language used for describing the functionality offered by a web service such as a SOAP server; flexible and allows binding; not useful for REST services
Web Application Description Language (WADL)
XML-based, machine-readable description of HTTP-based web services; easier to write; not flexible; for REST
When conducting a Google search, using site:AAA in the query will return results only from that website (AAA). If you use -site:AAA, you will get results not explicitly on the website (AAA). In the case of this question, no results should show up from sales.webserver.com. All results should only come from webserver.com.
You have conducted a Google search for the "site:webserver.com -site:sales.webserver.com financial." What results do you expect to receive?
sc config
A Windows command to modify the value of a service's entries in the registry and the Service Control Manager
Japan's CERT (JCERT)
Curated by the Japanese federal government; lists all vulnerabilities that are known
sc query
Command to obtain information about running services in Windows
LanMan Hash (LM Hash)
Compromised password hashing function that was the primary hash that Microsoft LAN Manager and Windows versions before Windows NT used to store passwords.
Computer Emergency Response Team (CERT)
Curated by the US federal government; lists all vulnerabilities that are known
Type of technique often used to implement exploit chaining
Injecting parameters into a connection string using semicolons as separators
Eavesdropping
Part of information gathering; listening on wired/wireless networks to see what you can pick up