1.8 - Penetration Testing Techniques Flashcards

1
Q

Pentest

A
  • Penetration test
  • Actively trying to gain access to a system
  • simulate an attack
  • One step further than a vulnerability scan b/c you’re trying to exploit the vulnerabilities you find
  • Often pentests are part of a compliance mandate (often partner with a third party)
2
Q

NIST

A
  • National Institute of Standards and Technology
  • their Technical Guide to Information Security Testing and Assessment
  • Excellent document that can help you design and plan for a penetration test
3
Q

Rules of Engagement

A
  • Penetration tests can be very invasive
  • Important document that defines the purpose and scope, makes everyone aware of the test parameters
  • means everyone will be aware of which systems are considered, maybe the time of day
  • Type of testing (internal or external)
  • List of IP address ranges that are in scope (and those that are out of scope)
  • Want to make sure you have emergency contacts listed in the Rules of Engagement
  • Probably some sensitive information discovered (need to define in scope / out of scope applications)
4
Q

Working Knowledge

A
  • What information are you going to provide to the penetration tester?
  • Many approaches
  • Ex: unknown environment, you tell them nothing (they have to build out from the dark)
  • Ex: Known environment - full disclosure (common if you’re running the penetration test internally)
  • Partially Known environment - a mix of known and unknown - focus on certain systems or applications
5
Q

Penetration Test - Possible outcomes

A
  • Potential data loss
  • Potential DoS (Denial of Service)
  • Buffer overflows can cause instability
  • Gain privilege escalation
6
Q

Penetration Test - Approaches

A
  • A good penetration test will try many different tactics
  • Ex: password brute-force
  • Social engineering
  • Database injections
  • buffer overflows
7
Q

Penetration Test - Process

A
  • Getting access to a system (only the first step)
  • Lateral movement - move from system to system (inside of the network is relatively unprotected)
  • Persistence - once you’re there, you want to be able to come back.
  • The Pivot - gain access to systems that would not normally be accessible, use a vulnerable system as a proxy or relay
8
Q

Lateral Movement

A
  • Move from device to device within a system
  • (inside of the network is relatively unprotected)
  • usually a little easier than the initial exploit
9
Q

Persistence

A
  • Once an attacker is in the system, they want to be able to come back (even if the exploit is fixed)
  • (ex: set up a backdoor, build user accounts, change or verify default passwords)
10
Q

Pivot

A
  • Attackers gain access to one system and use it as a jumping-off point to get access to other systems
  • Central point from which attackers will start their efforts
11
Q

Penetration test - Aftermath

A
  • Cleanup
  • Leave the network in its original state (ex: network configurations reverted)
  • Remove any binaries or temporary files
  • Remove any backdoors or pivot points
  • Delete user accounts created during the test
12
Q

Bug Bounty

A
  • A reward for discovering vulnerabilities offered by the owner of the system
  • Earn money for hacking a system
  • Document the vulnerability for cash
  • Usually collected by researchers
13
Q

Reconnaissance

A
  • Need to gain information about the systems someone will attack
  • Gathering a digital footprint (all devices in an organization)
  • Understand security posture (firewalls, security configurations)
  • Minimize or focus the attack area, focus on key systems
  • Create a network map (identify routers, networks, remote sites)
14
Q

Passive Footprint

A
  • Learn as much as you can from open sources
  • Don’t want to alert the victim early
  • Ex: social media pages, corporate website, online forums, reddit, social engineering (calling directly into organization)
  • Ex: dumpster diving, business organizations
15
Q

OSINT

A
  • Open Source Intelligence
  • Gathering information from many open sources
  • Find information on anyone / anything
  • Data you can gather is extensive
  • https://osintframework.com will give you an idea of what kind of information you can gather
  • Many tools can gather information automatically
16
Q

Wardriving / Warflying

A
  • Combine WiFi analysis/monitoring with GPS to locate where a wireless network might be
  • Search for wireless networks from your car (wardriving)
  • or plane or drone (warflying)
  • Can gather other information like the name of the WiFi network, where access points might be, and some information about what frequencies are in use
  • After accumulating information, can find all of the SSIDs, understand whether encryption is turned on, signal strength values
  • all of this can be done with free tools (Kismet and inSSIDer); http://wigle.net shows where all these wireless networks exist as a result of wardriving
17
Q

Active Footprinting

A
  • Actively send information into the network or network devices
  • If someone is monitoring the network, they will see these active footprinting attacks
  • Ex: ping scans, port scans, analyze DNS information, OS scans, OS fingerprinting
  • can determine the version of a service too with certain tools
18
Q

Security Teams

A
  • Cyber security involves many skills
  • Ex: personnel doing operational security, penetration testing, exploit research, web application hardening
  • Usually one person doesn’t do all these tasks
  • Usually personnel become niche experts that are divided into teams
19
Q

Red Team

A
  • Offensive security team
  • the hired attackers (performing the penetration test themselves)
  • Ethical hackers who find security holes
  • gain access to systems using exploits
  • might also perform social engineering attacks to see how susceptible an org might be
  • might have daily scans
20
Q

Blue Team

A
  • Defensive Security team
  • opposite of red
  • protecting the data
  • perform day to day operation security to keep data safe
  • respond to incidents
  • damage control
  • will stay up to date with latest CVEs
  • Digital forensics - team that puts together information about what happened in an attack and what they did to prevent issues
21
Q

Purple Team

A
  • Red and blue teams
  • working together
  • Many organizations will combine the two teams, so they are sharing information instead of comparing so they can fix application and secure data faster
  • Usually a feedback loop b/n both teams (as soon as one finds something, they’ll inform the other)
22
Q

White Team

A
  • Not on the red or blue team
  • Manages the interactions between the red and blue teams
  • oversees both teams (the “referee”)
  • can enforce rules or resolve issues
  • determines the score (if an organization keeps score)
  • Usually puts together the results of a penetration test to see what worked well and what didn’t