Lesson 3 - Assessing Security Posture with Software Tools


Activity 3-1: Discussing Penetration Testing Concepts 5. In the context of penetration testing, what is a pivot?

Access to a host system and/or privileges that allow the attacker to gain control or visibility over a wider range of hosts on the target network.

____ reconnaissance has more risk of detection. ______ techniques might involve gaining physical access to premises or using scanning tools on the target's web services and other networks.

Active

probe controls for configuration weaknesses and errors, such as weak passwords or software vulnerabilities

Actively test security controls

the software operating the port, such as Apache® web server or Internet Information Services (IIS) web server.

Application name and version

look for easy ways to attack the system

Bypass security controls

Activity 3-1: Discussing Penetration Testing Concepts 3. Why should an ISP be informed before pen testing takes place?

ISPs monitor their networks for suspicious traffic and may block the test attempts. The pen test may also involve equipment owned and operated by the ISP.

(Linux) netstat -t

Internet connections for TCP

(Linux) netstat -u

Internet connections for UDP

can use diverse methods of host discovery, some of which can operate stealthily and serve to defeat security mechanisms such as firewalls and intrusion detection. The tool is open source software with packages for most versions of Windows, Linux, and macOS®.

Nmap

use the -O switch to enable OS fingerprinting (or -A to use both OS fingerprinting and version discovery).

OS type and version

if agreed, the consultant will try to use any means to penetrate as far into the network and information systems as possible

Whether to use "No holds barred" or "smash and grab" testing

refers to the tester's ability to reconnect to the compromised host and use it as a Remote Access Tool (RAT) or backdoor. To do this, the tester must establish a Command and Control (C2 or C&C) network to use to control the compromised host (upload tools and download data).

persistence

command can be used to detect the presence of a host on a particular IP address or that responds to a particular host name

ping

One of the steps in penetration testing. After escalating privileges, the tester uses additional tools to gain additional information on the exploited computer or on the network.

pivot/escalating the privileges

do not assume that a port is being used for its "well known" application protocol. Nmap can scan traffic to verify whether it matches the expected signature (HTTP, DNS, SMTP, and so on).

protocol

(Linux) netstat -w

raw connections

A necessary part of attacking a network is to gather information about it

reconnaissance.

The practice of using network scans to discover open TCP and UDP ports, plus information about the servers operating them.

service discovery

•Tool for capturing network frames
•Use software to interact with host network driver
 •libpcap
 •winpcap
•Use an appliance and tap to read frames from network media
•Promiscuous mode and switched Ethernet

sniffer

White box (or full disclosure)

the consultant is given complete access to information about the network. This type of test is sometimes conducted as a follow-up to a black box test to fully evaluate flaws discovered during the black box test. The tester skips the reconnaissance phase in this type of test. White box tests are useful for simulating the behavior of a privileged insider threat.

black box (or blind)

the consultant is given no privileged information about the network and its security systems. This type of test would require the tester to perform the reconnaissance phase. Black box tests are useful for simulating the behavior of an external threat.

Gray box

the consultant is given some information; typically, this would resemble the knowledge of junior or non-IT staff to model particular types of insider threats. This type of test requires partial reconnaissance on the part of the tester. Gray box tests are useful for simulating the behavior of an unprivileged insider threat.

The key difference from passive vulnerability scanning is that an attempt is made

to actively test security controls and exploit any vulnerabilities discovered.

command tools provide a simple means of probing the path from one end system (host) to another, listing the intermediate systems (routers) providing the link

tracert (Windows) or traceroute (Linux)

A pen test might involve the following steps:

•Verify a threat exists
•Bypass security controls
•Actively test security protocols
•Exploit vulnerabilities

Out of hours

whether the consultant should only perform testing out of hours to avoid causing problems on a production network. The problem here is that network policies and intrusion detection systems are generally configured to view out of hours access as suspicious, so the penetration testing is not taking place in the network's "real world" state.

An attacker might be able to obtain useful information by examining a company's domain registration records by running a ___ lookup against the appropriate registry. The ___ command is part of Linux and for Windows users is available as one of the utilities in the Sysinternals suite (https://docs.microsoft.com/en-us/sysinternals).

whois

Penetration Testing

•Also known as "pen test"
•Find ways to bypass security controls
•Find ways to remove or disable controls
•Exploit vulnerabilities to prove threat exists ("pwned")
•Involves active reconnaissance techniques

banner/Organizationally Unique Identifier (OUI) grabbing

•Analyze header responses to identify OS/application version
•Work out patch status and vulnerabilities
•MAC address Organizationally Unique Identifier (OUI)
•Identify device manufacturer and possibly known exploits

Implementing penetration testing guidelines

•Consider the benefits of conducting a pen test in addition to or instead of a vulnerability assessment.
•Be aware of the risks involved in pen testing.
•Consider implementing pen testing techniques as different phases in a simulated attack.
•Consider conducting pen tests using different box testing methods.
•Understand the different recon requirements for each box testing method.

vulnerability scanning

•In-depth analysis of security systems and policies
•Generally passive techniques
•Discover vulnerabilities without exploiting them
•Identify lack of security controls/misconfigurations

OS foot-printing

•Protocol
•Application name and version
•OS type and version
•Host name
•Device type

The following represent some of the main types of scanning that Nmap can perform:

•TCP SYN (-sS)
•TCP connect (-sT)
•TCP flags
•UDP scans (-sU)
•Port range (-p)

prove that a vulnerability is high risk by exploiting it to gain access to data or install malware

Exploit vulnerabilities

Protocol Analyzer

A monitoring device or a computer with monitoring software that captures each packet to decode & analyze its contents. Also called a sniffer.

ARP (Address Resolution Protocol)

A communications protocol that resolves IP addresses to MAC addresses.

Domain Information Groper (DIG)

Command-line tool in non-Windows systems used to diagnose DNS problems.

Nmap comes with a database of application and version fingerprint signatures, classified using a standard syntax called

Common Platform Enumeration (CPE).

______ (to third parties) by the consultant.

Confidentiality and non-disclosure

Authorization for pen testing

•Employee/Human Resources (HR) issues
 •Prior warnings to end users, consent, privacy ...
•Data confidentiality and regulatory issues
•Third-party suppliers
 •ISP, cloud providers, managed services
 •Must obtain consent to proceed
•Criminal legislation
 •Legality of pen testing not always clear from country to country
 •Networks may cross borders and jurisdictions
•Document all authorizations

____ of test results to the company in a timely manner. The report should also contain recommendations for remediating vulnerabilities.

Full disclosure

RECONNAISSANCE PHASE TECHNIQUES that refer to using web search tools and social media to obtain information about the target. It requires almost no privileged access as it relies on finding information that the company makes publicly available, whether intentionally or not.

Open Source Intelligence (OSINT)

______ reconnaissance is not likely to alert the target of the investigation as it means querying publicly available information

Passive

Activity 3-1: Discussing Penetration Testing Concepts 4. In the context of penetration testing, what is persistence?

Persistence refers to the tester's ability to reconnect to the compromised host and use it as a remote access tool (RAT) or backdoor.

by default, Nmap scans 1000 commonly used ports. Use the -p argument to specify a port range.

Port range (-p)

Activity 3-2: Discussing Topology Discovery Software Tools 1. What are the two principal uses of network scanning tools in the context of auditing?

Rogue system detection to locate hosts that are not authorized to communicate on the network and network mapping to validate the topology of the network and presence of authorized hosts.

RECONNAISSANCE PHASE TECHNIQUES that refer to using software tools to obtain information about a host or network topology. Scans may be launched against web hosts or against wired or wireless network segments, if the attacker can gain physical access to them.

Scanning

Activity 3-1: Discussing Penetration Testing Concepts 2. What are the disadvantages of performing penetration testing against a simulated test environment?

Setting up a replica of a production environment is costly and complex. It may be very difficult to create a true replica, so potential vulnerabilities may be missed.

RECONNAISSANCE PHASE TECHNIQUES that refer to obtaining information, physical access to premises, or even access to a user account through the art of persuasion.

Social engineering

this is a fast technique also referred to as half-open scanning, as the scanning host requests a connection without acknowledging it.

TCP SYN (-sS)

a half-open scan requires Nmap to have privileged access to the network driver so that it can craft packets.

TCP connect (-sT)

you can scan by setting TCP headers in unusual ways. A Null (-sN) scan sets the header bit to zero, a FIN (-sF) scan sends an unexpected FIN packet, and an Xmas scan (-sX) sets the FIN, PSH, and URG flags. This was a means of defeating early types of firewalls and IDS.

TCP flags

Activity 3-1: Discussing Penetration Testing Concepts 1. What is meant by a black box pen test?

The tester will attempt to penetrate the security system without having any privileged knowledge about its configuration.

Activity 3-2: Discussing Topology Discovery Software Tools 3. What is the purpose of using the ping and arp tools together?

To obtain both the IP and MAC addresses of local hosts. Ping performs a connectivity test with a host via its IP address. If the host is contacted, the Address Resolution Protocol (ARP) cache is updated with its IP:MAC address mapping. The arp tool queries the cache to obtain the host's MAC address.

part of the discovery phase where the attacker or pen tester starts to identify the structure of the target network

Topology discovery (or "footprinting")

scan UDP ports. As these do not use ACKs, Nmap needs to wait for a response or timeout to determine the port state, so UDP scanning can take a long time. A UDP scan can be combined with a TCP scan.

UDP scans (-sU)

(Linux) netstat -x

UNIX sockets/local server ports

DNS Harvesting

Using OSINT to gather info about a domain.

use surveillance, social engineering, network scanners, and vulnerability assessment tools to identify vulnerabilities that could be exploited.

Verify a threat exists

nslookup

a tool used to query the DNS system to find the IP addresses for domain names, and vice versa

stealing data from one or more systems (data exfiltration).

action on objectives

Pen testing is an _____ reconnaissance technique.

active

Attack profile

attacks come from different sources and motivations. You may wish to test both resistance to external (targeted and untargeted) and insider threats.

refers to probing a server to try to elicit any sort of response that will identify the server application and version number or any other interesting detail about the way the server is configured

banner grabbing

arp -a

command (run at a command prompt) that shows the IP addresses and corresponding MAC addresses of remote computers held in the ARP cache.

netstat -tu

command shows Internet connections (TCP and UDP) only

not all network devices are PCs. Nmap can identify switches and routers or other types of networked devices, such as NAS boxes, printers, and webcams.

device type

Activity 3-2: Discussing Topology Discovery Software Tools 4. Which command is used to query a DNS server for records from a Linux host?

dig

You can install _____ on Windows by downloading the BIND DNS server package (https://www.isc.org/downloads/) and installing it using the tools-only option.

dig

netstat -e

displays Ethernet statistics

•Audit technique to detect unauthorized protocols and hosts
•Adversary technique to learn about the network and steal unencrypted data

eavesdropping

detailed analysis of services on a particular host

footprinting

Whether to stop at the perimeter

having demonstrated that a vulnerability exists at the network edge, the consultant will stop and not attempt to exploit the breach or view confidential data

Test system or production environment

ideally, tests would be performed in a sandbox environment that accurately simulates the production environment. However, this is expensive to set up. It may be very difficult to create a true replica, so potential vulnerabilities may be missed. Using the production environment risks service outages and data loss, especially with the "no holds barred" approach.

(Linux) command can be used to report the adapter configuration and enable or disable it or apply a different static IP configuration

ifconfig

an exploit is used to gain some sort of access to the target's network

initial exploitation phase (also referred to as weaponization)

Going forward, the ___ command is intended to replace ifconfig. ip is a more powerful tool, with options for managing routes as well as the local interface configuration.

ip

The basic functionality of ifconfig (show the current address configuration) is performed by running

ip a

Activity 3-2: Discussing Topology Discovery Software Tools 2. What command line tool would you use to identify the current network addressing configuration of a wired adapter on a Linux host?

ip or ifconfig or ip a

(Windows) command can be used to report the configuration assigned to the network adapter. The attacker can identify whether the network uses DHCP or a static IP addressing scheme.

ipconfig

command allows you to check the state of ports on the local machine (Windows or Linux).

netstat

A Linux command that includes ports in the listening state in the output

netstat -a

displays all connections (active TCP and UDP connections plus ports in the listening state).

netstat -a

shows the process name that has opened the port

netstat -b

A Linux command that sets output to update continuously

netstat -c

A Linux command that displays extra information

netstat -e

A Linux command that displays interface statistics (similar to -e on Windows).

netstat -i

displays ports and addresses in numerical format. Skipping name resolution speeds up each query

netstat -n

shows the Process ID (PID) number that has opened the port

netstat -o

A Linux command that shows the Process ID (PID) number that has opened the port (similar to -o on Windows).

netstat -p

___ displays connections by protocol (TCP or UDP or TCPv6/UDPv6).

netstat -p

A Linux command that shows the routing table

netstat -r

shows the routing table

netstat -r

shows per protocol statistics, such as packets received, errors, discards, unknown requests, port requests, failed connections, and so on

netstat -s

this switch can also filter the statistics shown by IP, IPv6, ICMP, and ICMPv6

netstat -s

tool performs host discovery and identifies how the hosts are connected together on the network

network mapping

The utility can also be set to run in the background by entering netstat __ , where __ is the refresh interval in seconds (press CTRL+C to stop).

nn

Reconnaissance activities can be classed as

passive or active

Performing Open Source Intelligence (OSINT) searches represents another type of

passive reconnaissance.

essentially involves thinking like an attacker and trying to penetrate the target's security systems

penetration test (pen test) or ethical hacking
