Chapter 0 Part 2


Class Questions:

- Is a scope that specifies "no social engineering, no client side apps, and no web apps" a good scope?
- Is a scope that specifies that the pen tester "perform an external phishing attempt on a single user that results in a pivot all the way through to privileged access (administrator) of a high value internal restricted server" a good scope?

Penetration Testing Key characteristics:

- It is an authorized attack on a network, system, or application
- Uses a well-defined process
- Tests defenses to uncover risks from the perspective of a motivated attacker
- Test results are reported to management
  • A pen test is a great way to communicate the organization's security posture
- Must make sure that the final report can be understood by senior executives and board members

Git Repositories and Pastebins Examples:

- Assembla
- Beanstalk
- Bitbucket
- Codebase
- GitEnterprise
- Gitgo
- Github
- GitLab
- GitwithoutBS
- Planio
- And more...

Textbook Author's Github Site: https://github.com/cheetz/thp2

• Example stages of a typical penetration test (part 2):

6. Social Engineer:
   • Exploit people (phishing, Trojanized flash drives, etc.) to gain access to systems
7. Take Control:
   • Access system and steal data, install keyloggers, rootkits, etc.
8. Pivot:
   • Jump to different network segments or systems
9. Gather Evidence:
   • Collect proof that the system was successfully compromised
10. Report:
   • Generate report on techniques used successfully during the compromise
11. Remediate (Customer):
   • Close the holes that the pen tester was able to exploit

Introduction to Penetration Testing

"Know the enemy and know yourself; in a hundred battles, you will never be defeated." Sun Tzu

Definition: Penetration testing is security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network (NIST SP 800-115)
- Also known as ethical hacking assessment or security assessment
• Intent is to determine how far a potential attacker might have been able to penetrate the organization's systems
• The overall goal of the test is to identify security gaps

Terms of Engagement

Definition: A penetration test's terms of engagement define how the penetration test is to occur, set proper expectations, and communicate different aspects which need to be addressed prior to the start of the test
- May also be called rules of engagement
• One of the most important things it defines is scope
- Scope should include the organization's most important assets
  • These are the systems that pen testers should try to access
- If done for compliance, should access the systems covered by the compliance requirement
• A bad scoping document can make or break a penetration test when expectations are not met (on either side)

Git Repositories and Pastebins

are websites that are designed to host open-source software projects

Purple team

ensures and maximizes the effectiveness of communication between the Red and Blue Teams
- Integrates the defensive tactics and controls from the Blue Team with the threats and vulnerabilities found by the Red Team into a single narrative that ensures the efforts of each are utilized to their maximum
- Ensures that observations and lessons from both teams make it to the other so that this exchange can occur
- Can come in the form of an actual, named team that performs this function, or it can be part of the Red/Blue Team's management organization that ensures that the feedback loop between them is continuous and healthy
• Can be a function, or concept, rather than a separate entity
- Not all organizations have them

Source code for DOOM can be found on Github:

https://github.com/id-Software/DOOM

Raphael Mudge published a series of nine videos on learning the tradecraft of red team operations

https://www.youtube.com/playlist?list=PL9HO6M_MU2nesxSmhJjEvwLhUoHPHmXvz

How Not to Suck at Pen Testing (John Strand)

https://youtu.be/Yo4oP2eyDtI

Tiger Team

is a self-contained unit of experts with all the skill sets and resources needed to solve a unique problem
- Similar to, but not quite the same as, a Red Team
- The term was originally coined by the military and had nothing to do with IT
• Characteristics:
  - Hand-picked
  - Senior personnel
  - Subject-matter experts (extremely skilled)
  - Brought together for a single project
  - Created by management edict

Vulnerability assessments

provide a detailed listing of potential vulnerabilities and suggestions on how to mitigate or remediate them
- Pen tests, on the other hand, are typically driven by a human analyst and are goal-oriented or structured to simulate a real-world attack scenario
- The result of a vulnerability scan is usually a very large report with a listing of vulnerabilities, while a penetration test report is usually less than 12 pages (not counting appendices)
• Important: Every new piece of equipment should have a vulnerability scan run against it

- To test incident response preparedness
  • Tests the organization's monitoring and incident response program
  • Allows the organization to gauge how well the incident response team detects and addresses an attack

Required Skills

• The person carrying out the pen test should be qualified to do so
- Training may or may not be a good indicator of a technician's skills
  • Many of the best pen testers were self-taught
• To be an effective pen tester, one should possess the following skills and knowledge:
  - Basic programming or scripting (C, VBS, PHP, Python, Ruby, etc.)
  - Networking and network protocols (TCP, DNS, ARP, packet structure, etc.)
  - Operating systems
  - Security concepts (firewall ACLs, etc.)
  - Basic forensics
  - Databases (basic constructs)

Red Team Comment

"Through the years I've been part of some great red teams -- and heard countless stories of how red teams not only broke in, but did so discreetly, without setting off any alarms. Personally, every red team I've ever been a member of over the last 20 years has taken no more than three hours to break in without social engineering. If social engineering was allowed, it usually took less than an hour." Roger Grimes, Pen Tester

Git repositories and security:

- Target of attacks
  • Steal uploaded code
  • Brute force credentials
  • DDoS the site
- Used to store stolen code/information
  • The Shadow Brokers placed their initial cache of code stolen from the NSA's Equation Group hackers on Github

Blue Team

- The internal security team that defends against attackers
- Unlike standard security teams, the true Blue Team is constantly vigilant against attack

Red Team

- The more "elite" of the pen testers
- An external entity brought in to test the effectiveness of a security program
• Must maintain a certain separation from the organization they are testing, as this is what gives them the proper scope and perspective to emulate attackers
• When brought "inside" as part of the security team, they tend to erode and often become constrained, stale, and ultimately impotent

Trustworthiness is important

- The pen tester will most likely have to sign an NDA because he/she may get access to data that they would not normally be authorized to see
• As a result, test reports are never sent via email or other insecure channels, but rather via secure FTP or secure file-sharing sites that use SSL

Organizations conduct penetration tests for the following reasons:

- To minimize the risk of a breach
  • Find vulnerabilities before an attacker does
  • Allows organizations to learn how they are exposed so that they can close any holes
- To verify security controls
  • By validating the security configuration of in-line defenses, an organization can determine if what they have in place is properly configured

Application Pen Test

- Usually a web-based application
- To really protect software, you need to consider the hacker's point of view of the application

Thinking like an attacker:

- What is the attacker's motivation? What is he/she after?
- Is the attacker targeting the organization specifically, or are they opportunistic and the organization just so happens to have vulnerabilities that make them a target?
- How would they attack?
- When would they attack?
- Attackers often take the path of least resistance - and so will the pen tester!

Pen Test Frequency: How often pen tests are conducted depends on several factors:

- Whether the organization is using internal staff or third parties
- Compliance requirements
  • Many require yearly assessments
- Hybrid Model:
  • Monthly or quarterly tests by junior in-house personnel to identify the "low-hanging fruit"
  • Yearly tests by a third party who is tasked with going deeper to identify the more advanced issues

A penetration test is one of the most effective ways to understand the weaknesses within a network or system

- Will determine where the system is most vulnerable to attack
  • The pen tester will try to take control of a system (pwn) and obtain data
- Will determine if defenses are sufficient
- Will demonstrate which defenses can be defeated
  • After the test, the exploited vulnerabilities (holes) are closed

Stages of a Penetration Test

• Example stages of a typical penetration test:

1. Goal:
   • Set objectives for the assessment
2. Reconnaissance:
   • Offline and online research about the target
3. Discovery:
   • Port or vulnerability scans to learn more about the environment
4. Exploitation:
   • Using the knowledge gained, exploit the system to gain access
5. Brute Force:
   • Crack passwords

Pen Testing Frameworks: Two common methodologies are:

1. NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment)
2. Penetration Testing Execution Standard (PTES)

The "Teams"

• Special terms are used to describe the teams involved in penetration testing:
  - Blue Team
  - Red Team
    • Tiger Team
  - Purple Team

- To ensure the security of new software
  • Especially if the new system is going to store or process sensitive data

- To get a baseline of the security program
  • Helps the organization's technology leadership better understand the risks and determine what future resources may be needed (can help justify budgets and head counts)

Topics

• Introduction to Penetration Testing
  - Video: Hacking the Grid
• Git Repositories and Pastebins

Types of Penetration Tests

• Network Pen Test
• Mobile Pen Test
• Application Pen Test
• Wireless Pen Test
• Cloud Pen Test
  - Relatively new (https://channel9.msdn.com/Shows/Azure-Friday/Red-vs-Blue-Internal-security-penetration-testing-of-Microsoft-Azure)

Pen Testing Tools

• Pen testers use a variety of tools and scripts - some are commercially available, while some are open source or custom-made
• Example tools:
  - Rapid7's Metasploit
    • Editions range from free to professional enterprise
    • Based on the Metasploit framework
  - Core Security Technologies' Core Impact
  - Kali Linux, Matriux Linux, etc.
  - And many, many more....

Pen Testing Certifications

• Pen testing certifications
  - Generally test on a shallow level of knowledge across a broad domain
  - Some focus solely on the ability to run tools
• SANS GPEN (GIAC Certified Penetration Tester)
• Offensive Security's OSCP (Offensive Security Certified Professional)
• EC-Council's Certified Ethical Hacker (CEH)
• And more...

Penetration Tests vs. Vulnerability Assessments

• Pen tests and vulnerability assessments, or scans, are often confused with each other, but they are very different
  - While both are necessary for a good security posture, they have different goals
• Differences:
  - In vulnerability assessments, the goal is to find and report known vulnerabilities, while in pen testing the goal is to find and exploit vulnerabilities
  - In vulnerability assessments, the tool performs the test, while in penetration testing, the penetration tester does most of the work
  - Requires different skill sets - a security technician runs a vulnerability scan, but a "hacker" performs a pen test

- To practice due diligence
  • Pen tests demonstrate proactive security
  • The detailed reports provided assist in helping organizations demonstrate ongoing due diligence to auditors and/or examiners, and customers
  - May help organizations gain new customers or keep existing customers happy

- To satisfy compliance requirements
  • Regulations such as ISO 27001, HIPAA, FISMA, FFIEC, GLBA, PCI DSS, etc. require penetration tests as part of their audits
