Cybersecurity 29
side note
Certificate issuers publish public logs (Certificate Transparency logs) of the SSL/TLS certificates that they issue to organizations. Attackers can search these logs to discover an organization's subdomains.
There are three primary types of penetration tests
no view, full view, and partial view.
Active reconnaissance
when you directly engage with a target system, for example by running a port scan directly against a server.
Passive reconnaissance
when you try to gain information about a target's system and network without directly engaging with the systems.
Domain Hijacking
Alters registrar information in order to redirect traffic away from your DNS server and domain towards another destination.
DNS flooding
Overwhelms a server with malicious requests so that it cannot continue servicing legitimate DNS requests.
An engagement consists of five stages
planning and reconnaissance, scanning, exploitation, post-exploitation, and reporting.
side note
Regardless of the scenario, the main deliverable for pentesters is a report that summarizes their findings and recommendations for improvements.
side note
Searching site:megacorpone.com in the Google search engine is a very basic subdomain enumeration task that yields a variety of MegaCorp One's subdomains. The site's file structure shows up in the search results, exposing the site's assets and giving an attacker a deeper understanding of how the site is laid out.
Distributed reflection denial of service (DRDoS)
Sends requests with a spoofed source address set to the targeted victim's address, so that all of the replies are reflected back to the target and flood it.
side note
The first form of contact is usually a kickoff call or meeting during which clients work with pentesters to determine the purpose and scope. During this stage, clients will: (1) clarify their needs and concerns and communicate which assets the business is most interested in protecting, which defines the purpose; and (2) inform pentesters which machines and networks are off-limits and should not be targeted for attack, which defines the scope.
side note
To conduct passive reconnaissance, pentesters can use the massive amounts of both useful and superfluous information that already exist on the web. For instance, there are many third-party tools that may have already scanned a system. A pentester can use these third-party tools to get information without engaging directly with a system.
Another useful OSINT tool is Shodan
a search engine that searches specifically for computers and devices connected to the internet. It scans the entire internet and reports back all of its findings in the browser window.
DNSSEC
a set of protocols that use public keys and digital signatures to verify data throughout the DNS lookup and exchange process. It adds an extra layer of security during DNS transport.
OSINT
aims to gather publicly available information about a target.
No view testing
also known as black box, simulates a hacker who has no prior knowledge of the target system and network. The testers are paid to learn and exploit as much as they can about the network using only the tools available to an attacker on the public internet.
Partial view testing
also known as grey box, is performed by the in-house system or network administrator.
Full view testing
also known as white box, gives the testers full knowledge of the system or network. This knowledge allows them to dig into subtle security issues on behalf of their clients. Full view pen testing is most appropriate when the client wants a detailed analysis of all potential security flaws, rather than only of the exposed and visible vulnerabilities.
A penetration test is often referred to as an
engagement
Recon-ng
a framework that incorporates many popular OSINT modules, allowing the results of multiple tools to be combined into a single report.
Google hacking, also known as Google dorking
is a technique that uses Google search operators for OSINT and to discover security holes in a website's code and configuration.
The first step to executing any attack
is performing reconnaissance.
Pen testing or ethical hacking
is the offensive security practice of attacking a network using the same techniques that a hacker would use, in an effort to identify security holes and raise awareness in an organization.