1.4 Explain penetration testing concepts. Flashcards

1
Q

Active Reconnaissance

A

Hacking Process:

  1. Profiling
  2. Scanning and Enumeration
  3. Gaining Access/Initial Exploitation
  4. Maintaining Access/Persistence
  5. Covering Tracks

Reconnaissance performed in the scanning and enumeration phase is known as active reconnaissance because the hacker is still collecting information, but is doing so by communicating with (actively sending traffic to) the organization’s systems.

2
Q

Passive Reconnaissance

A

Hacking Process:

  1. Profiling
  2. Scanning and Enumeration
  3. Gaining Access/Initial Exploitation
  4. Maintaining Access/Persistence
  5. Covering Tracks

Reconnaissance performed in the profiling phase is known as passive reconnaissance because the hacker does not touch the organization’s systems—the hacker is extracting information from public sources.

3
Q

Pivot

A

Pivoting is the process of using an already exploited system, and the various tools run from it, to gain additional information about other systems on the network.

Remember this - After exploiting a system, penetration testers use privilege escalation techniques to gain more access to target systems. Pivoting is the process of using an exploited system to target other systems.

For example, imagine a tester gains access to Homer’s computer within a company’s network. The tester can then pivot and use Homer’s computer to gather information on other computers. Homer might have access to network shares filled with files on nuclear power plant operations. The tester can use Homer’s computer to collect this data and then send it back out of the network from Homer’s computer. Testers (and attackers) can use pivoting techniques to gather a wide variety of information. Many times, the tester must first use escalation of privilege techniques to gain more privileges. However, after doing so, it’s possible that the tester can access databases (such as user accounts and password databases), email, and any other type of data stored within a network.

4
Q

Initial Exploitation

A

Hacking Process:

  1. Profiling
  2. Scanning and Enumeration
  3. Gaining Access/Initial Exploitation
  4. Maintaining Access/Persistence
  5. Covering Tracks

After scanning the target, testers discover vulnerabilities. They then take it a step further and look for a vulnerability that they can exploit. For example, a vulnerability scan may discover that a system doesn’t have a patch installed for a known vulnerability. The vulnerability allows attackers (and testers) to remotely access the system and install malware on it. With this knowledge, the testers can use known methods to exploit this vulnerability. This gives the testers full access to the system. They can then install additional software on the exploited system.

5
Q

Persistence

A

Hacking Process:

  1. Profiling
  2. Scanning and Enumeration
  3. Gaining Access/Initial Exploitation
  4. Maintaining Access/Persistence
  5. Covering Tracks

Attackers often use various techniques that allow them to stay within a network for weeks, months, or even years without being detected. Penetration testers use similar techniques to maintain persistence within the network.

A common technique used to maintain persistence is to create a backdoor into the network. For example, a tester may be able to create alternate accounts that can be accessed remotely. In some cases, it’s also possible to install or modify services to connect back into a system. For example, a tester may be able to enable Secure Shell (SSH) and then create a method used to log on to a system using SSH.

6
Q

Escalation of Privilege

A

Privilege escalation is when a hacker finds a flaw in the operating system, or in a piece of software installed on the system, that, when exploited, elevates the hacker’s privileges from normal user capabilities to administrative access. Once the hacker has gained administrative access to the system, they can make whatever changes they want to the system, including planting a backdoor for future access.

There are three types of privilege escalation:

Vertical privilege escalation: when someone with normal user access is able to raise their privileges to administrative access.

Horizontal privilege escalation: when the same level of access is maintained, but the resource being accessed is different.

Privilege de-escalation: when someone with administrative access is able to lower their privilege level so that they can access data that a specific user has access to.

7
Q

Types of Testing - Black Box Test

A

When performing a black box test, or hiring a pentester (penetration tester) to do a black box test, the goal is to give the tester no information on the organization or its network configuration.

The tester will have to act as a hacker and discover the details of the organization and its configuration on their own and then simulate the attacks. This type of test would take the longest because the tester has to figure out what assets you have before trying to compromise them.

8
Q

Types of Testing - White Box Test

A

With a white box test, you, or the consultants you hire to do the test, are given all the details about the organization’s assets and configuration. In this type of test, the goal is to see if the systems can be compromised.

Although this type of test is quicker than the black box test, it does not give you any idea of how easy or hard it may be for someone to discover information about your organization.

9
Q

Types of Testing - Gray Box Test

A

A gray box test is in the middle; the tester gets some details about the organization and its configuration, but only limited details. For example, the tester may get a list of IP addresses used by the organization and have to figure out what is running on those IP addresses and then simulate an attack.

10
Q

Penetration Testing vs. Vulnerability Scanning

A

Penetration Testing
A penetration test is an active test that can assess deployed security controls and determine the impact of a threat. It starts with a vulnerability scan and then tries to exploit vulnerabilities by actually attacking or simulating an attack.

A List of Some of the Common Steps in a Penetration Test:

  1. Initial meeting
  2. Draft legal documents (DON’T FORGET THIS !!!)
  3. Create a pen-test plan
  4. Test pen-test plan
  5. Perform penetration test
  6. Create a report on findings
  7. Present report results
  8. Destroy any copies of the report

Many penetration tests include the following activities:
• Passive reconnaissance
• Active reconnaissance
• Initial exploitation
• Escalation of privilege
• Pivot
• Persistence

Vulnerability Scanning
A key part of a vulnerability assessment is a vulnerability scan. Security administrators often use a vulnerability scanner to identify which systems are susceptible to attacks. Vulnerability scanners identify a wide range of weaknesses and known security issues that attackers can exploit.

Most vulnerability scanners combine multiple features into a single package. A vulnerability scan often includes the following actions:
• Identify vulnerabilities
• Identify misconfigurations
• Passively test security controls
• Identify lack of security controls