Lesson 3 - Assessing Security Posture with Software Tools
Activity 3-1: Discussing Penetration Testing Concepts 5. In the context of penetration testing, what is a pivot?
Access to a host system and/or privileges that allow the attacker to gain control or visibility over a wider range of hosts on the target network.
____ reconnaissance has more risk of detection. ______ techniques might involve gaining physical access to premises or using scanning tools on the target's web services and other networks.
Active
probe controls for configuration weaknesses and errors, such as weak passwords or software vulnerabilities
Actively test security controls
the software operating the port, such as Apache® web server or Internet Information Services (IIS) web server.
Application name and version
look for easy ways to attack the system
Bypass security controls
Activity 3-1: Discussing Penetration Testing Concepts 3. Why should an ISP be informed before pen testing takes place?
ISPs monitor their networks for suspicious traffic and may block the test attempts. The pen test may also involve equipment owned and operated by the ISP.
(linux) netstat -t
Internet connections for TCP
(linux) netstat -u
Internet connections for UDP
can use diverse methods of host discovery, some of which can operate stealthily and serve to defeat security mechanisms such as firewalls and intrusion detection. The tool is open source software with packages for most versions of Windows, Linux, and macOS®.
Nmap
use the -O switch to enable OS fingerprinting (or -A to use both OS fingerprinting and version discovery).
OS type and version
if agreed, the consultant will try to use any means to penetrate as far into the network and information systems as possible
Whether to use "No holds barred" or "smash and grab" testing
refers to the tester's ability to reconnect to the compromised host and use it as a Remote Access Tool (RAT) or backdoor. To do this, the tester must establish a Command and Control (C2 or C&C) network to use to control the compromised host (upload tools and download data).
persistence
command can be used to detect the presence of a host on a particular IP address or that responds to a particular host name
ping
One of the steps in penetration testing. After escalating privileges, the tester uses additional tools to gain additional information on the exploited computer or on the network.
pivot/escalating the privileges
do not assume that a port is being used for its "well known" application protocol. Nmap can scan traffic to verify whether it matches the expected signature (HTTP, DNS, SMTP, and so on).
protocol
(linux) netstat -w
raw connections
A necessary part of attacking a network is to gather information about it
reconnaissance.
The practice of using network scans to discover open TCP and UDP ports, plus information about the servers operating them.
service discovery
•Tool for capturing network frames
•Use software to interact with host network driver
•libpcap
•winpcap
•Use an appliance and tap to read frames from network media
•Promiscuous mode and switched Ethernet
sniffer
White box (or full disclosure)
the consultant is given complete access to information about the network. This type of test is sometimes conducted as a follow-up to a black box test to fully evaluate flaws discovered during the black box test. The tester skips the reconnaissance phase in this type of test. White box tests are useful for simulating the behavior of a privileged insider threat.
black box (or blind)
the consultant is given no privileged information about the network and its security systems. This type of test would require the tester to perform the reconnaissance phase. Black box tests are useful for simulating the behavior of an external threat.
Gray box
the consultant is given some information; typically, this would resemble the knowledge of junior or non-IT staff to model particular types of insider threats. This type of test requires partial reconnaissance on the part of the tester. Gray box tests are useful for simulating the behavior of an unprivileged insider threat.
The key difference from passive vulnerability scanning is that an attempt is made to actively test security controls and exploit any vulnerabilities discovered.
command tools provide a simple means of probing the path from one end system (host) to another, listing the intermediate systems (routers) providing the link
tracert (Windows) or traceroute (Linux)
A pen test might involve the following steps:
•Verify a threat exists
•Bypass security controls
•Actively test security protocols
•Exploit vulnerabilities
Out of hours
whether the consultant should only perform testing out of hours to avoid causing problems on a production network. The problem here is that network policies and intrusion detection systems are generally configured to view out of hours access as suspicious, so the penetration testing is not taking place in the network's "real world" state.
An attacker might be able to obtain useful information by examining a company's domain registration records by running a ___ lookup against the appropriate registry. The ___ command is part of Linux and for Windows users is available as one of the utilities in the Sysinternals suite (https://docs.microsoft.com/en-us/sysinternals).
whois
Penetration Testing
•Also known as "pen test"
•Find ways to bypass security controls
•Find ways to remove or disable controls
•Exploit vulnerabilities to prove threat exists ("pwned")
•Involves active reconnaissance techniques
banner/Organizationally Unique Identifier (OUI) grabbing
•Analyze header responses to identify OS/application version
•Work out patch status and vulnerabilities
•MAC address Organizationally Unique Identifier (OUI)
•Identify device manufacturer and possibly known exploits
Implementing penetration testing guidelines
•Consider the benefits of conducting a pen test in addition to or instead of a vulnerability assessment.
•Be aware of the risks involved in pen testing.
•Consider implementing pen testing techniques as different phases in a simulated attack.
•Consider conducting pen tests using different box testing methods.
•Understand the different recon requirements for each box testing method.
vulnerability scanning
•In-depth analysis of security systems and policies
•Generally passive techniques
•Discover vulnerabilities without exploiting them
•Identify lack of security controls/misconfigurations
OS footprinting
•Protocol
•Application name and version
•OS type and version
•Host name
•Device type
The following represent some of the main types of scanning that Nmap can perform:
•TCP SYN (-sS)
•TCP connect (-sT)
•TCP flags
•UDP scans (-sU)
•Port range (-p)
prove that a vulnerability is high risk by exploiting it to gain access to data or install malware
Exploit vulnerabilities
Protocol Analyzer
A monitoring device or a computer with monitoring software that captures each packet to decode & analyze its contents. Also called a sniffer.
ARP (Address Resolution Protocol)
A communications protocol that resolves IP addresses to MAC addresses.
Domain Information Groper (DIG)
Command-line tool in non-Windows systems used to diagnose DNS problems.
Nmap comes with a database of application and version fingerprint signatures, classified using a standard syntax called
Common Platform Enumeration (CPE).
______ (to third parties) by the consultant.
Confidentiality and non-disclosure
Authorization for pen testing
Employee/Human Resources (HR) issues
•Prior warnings to end users, consent, privacy ...
Data confidentiality and regulatory issues
Third-party suppliers
•ISP, cloud providers, managed services
•Must obtain consent to proceed
Criminal legislation
•Legality of pen testing not always clear from country to country
•Networks may cross borders and jurisdictions
Document all authorizations
____ of test results to the company in a timely manner. The report should also contain recommendations for remediating vulnerabilities.
Full disclosure
RECONNAISSANCE PHASE TECHNIQUES that refer to using web search tools and social media to obtain information about the target. It requires almost no privileged access as it relies on finding information that the company makes publicly available, whether intentionally or not.
Open Source Intelligence (OSINT)
______ reconnaissance is not likely to alert the target of the investigation as it means querying publicly available information
Passive
Activity 3-1: Discussing Penetration Testing Concepts 4. In the context of penetration testing, what is persistence?
Persistence refers to the tester's ability to reconnect to the compromised host and use it as a remote access tool (RAT) or backdoor.
by default, Nmap scans 1000 commonly used ports. Use the -p argument to specify a port range.
Port range (-p)
Activity 3-2: Discussing Topology Discovery Software Tools 1. What are the two principal uses of network scanning tools in the context of auditing?
Rogue system detection to locate hosts that are not authorized to communicate on the network and network mapping to validate the topology of the network and presence of authorized hosts.
RECONNAISSANCE PHASE TECHNIQUES that refer to using software tools to obtain information about a host or network topology. Scans may be launched against web hosts or against wired or wireless network segments, if the attacker can gain physical access to them.
Scanning
Activity 3-1: Discussing Penetration Testing Concepts 2. What are the disadvantages of performing penetration testing against a simulated test environment?
Setting up a replica of a production environment is costly and complex. It may be very difficult to create a true replica, so potential vulnerabilities may be missed.
RECONNAISSANCE PHASE TECHNIQUES that refer to obtaining information, physical access to premises, or even access to a user account through the art of persuasion.
Social engineering
this is a fast technique also referred to as half-open scanning, as the scanning host requests a connection without acknowledging it.
TCP SYN (-sS)
a half-open scan requires Nmap to have privileged access to the network driver so that it can craft packets.
TCP connect (-sT)
you can scan by setting TCP headers in unusual ways. A Null (-sN) scan sets the header bit to zero, a FIN (-sF) scan sends an unexpected FIN packet, and an Xmas scan (-sX) sets the FIN, PSH, and URG flags. This was a means of defeating early types of firewalls and IDS.
TCP flags
Activity 3-1: Discussing Penetration Testing Concepts 1. What is meant by a black box pen test?
The tester will attempt to penetrate the security system without having any privileged knowledge about its configuration.
Activity 3-2: Discussing Topology Discovery Software Tools 3. What is the purpose of using the ping and arp tools together?
To obtain both the IP and MAC addresses of local hosts. Ping performs a connectivity test with a host via its IP address. If the host is contacted, the Address Resolution Protocol (ARP) cache is updated with its IP:MAC address mapping. The arp tool queries the cache to obtain the host's MAC address.
part of the discovery phase where the attacker or pen tester starts to identify the structure of the target network
Topology discovery (or "footprinting")
scan UDP ports. As these do not use ACKs, Nmap needs to wait for a response or timeout to determine the port state, so UDP scanning can take a long time. A UDP scan can be combined with a TCP scan.
UDP scans (-sU)
(linux) netstat -x
UNIX sockets/local server ports
DNS Harvesting
Using OSINT to gather info about a domain.
use surveillance, social engineering, network scanners, and vulnerability assessment tools to identify vulnerabilities that could be exploited.
Verify a threat exists
nslookup
a tool used to query the DNS system to find the IP addresses for domain names, and vice versa
stealing data from one or more systems (data exfiltration).
action on objectives
Pen testing is an _____ reconnaissance technique.
active
Attack profile
attacks come from different sources and motivations. You may wish to test both resistance to external (targeted and untargeted) and insider threats.
refers to probing a server to try to elicit any sort of response that will identify the server application and version number or any other interesting detail about the way the server is configured
banner grabbing
arp -a
command prompt that will show IP addresses and corresponding MAC addresses of remote computers.
netstat -tu
command shows Internet connections (TCP and UDP) only
not all network devices are PCs. Nmap can identify switches and routers or other types of networked devices, such as NAS boxes, printers, and webcams.
device type
Activity 3-2: Discussing Topology Discovery Software Tools 4. Which command is used to query a DNS server for records from a Linux host?
dig
You can install _____ on Windows by downloading the BIND DNS server package (https://www.isc.org/downloads/) and installing it using the tools-only option.
dig
netstat -e
displays Ethernet statistics
•Audit technique to detect unauthorized protocols and hosts
•Adversary technique to learn about the network and steal unencrypted data
eavesdropping
detailed analysis of services on a particular host
footprinting
Whether to stop at the perimeter
having demonstrated that a vulnerability exists at the network edge, the consultant will stop and not attempt to exploit the breach or view confidential data
Test system or production environment
ideally, tests would be performed in a sandbox environment that accurately simulates the production environment. However, this is expensive to set up. It may be very difficult to create a true replica, so potential vulnerabilities may be missed. Using the production environment risks service outages and data loss, especially with the "no holds barred" approach.
(Linux) command can be used to report the adapter configuration and enable or disable it or apply a different static IP configuration
ifconfig
an exploit is used to gain some sort of access to the target's network
initial exploitation phase (also referred to as weaponization)
Going forward, the ___ command is intended to replace ifconfig. ip is a more powerful tool, with options for managing routes as well as the local interface configuration.
ip
The basic functionality of ifconfig (show the current address configuration) is performed by running
ip a
Activity 3-2: Discussing Topology Discovery Software Tools 2. What command line tool would you use to identify the current network addressing configuration of a wired adapter on a Linux host?
ip or ifconfig or ip a
(Windows) command can be used to report the configuration assigned to the network adapter. The attacker can identify whether the network uses DHCP or a static IP addressing scheme.
ipconfig
command allows you to check the state of ports on the local machine (Windows or Linux).
netstat
A Linux command that includes ports in the listening state in the output
netstat -a
displays all connections (active TCP and UDP connections plus ports in the listening state).
netstat -a
shows the process name that has opened the port
netstat -b
A Linux command that sets output to update continuously
netstat -c
A Linux command that displays extra information
netstat -e
A Linux command that displays interface statistics (similar to -e on Windows).
netstat -i
displays ports and addresses in numerical format. Skipping name resolution speeds up each query
netstat -n
shows the Process ID (PID) number that has opened the port
netstat -o
A Linux command that shows the Process ID (PID) number that has opened the port (similar to -o on Windows).
netstat -p
___ displays connections by protocol (TCP or UDP or TCPv6/UDPv6).
netstat -p
A Linux command that shows the routing table
netstat -r
shows the routing table
netstat -r
shows per protocol statistics, such as packets received, errors, discards, unknown requests, port requests, failed connections, and so on
netstat -s
this switch can also filter the statistics shown by IP, IPv6, ICMP, and ICMPv6
netstat -s
tool performs host discovery and identifies how the hosts are connected together on the network
network mapping
The utility can also be set to run in the background by entering netstat __, where __ is the refresh interval in seconds (press CTRL+C to stop).
nn
Reconnaissance activities can be classed as
passive or active
Performing Open Source Intelligence (OSINT) searches represents another type of
passive reconnaissance.
essentially involves thinking like an attacker and trying to penetrate the target's security systems
penetration test (pen test) or ethical hacking