Penetration testing techniques Flashcards
Penetration testing
Known environment
White box (or known environment)—the consultant is given complete access to information about the network. This type of test is sometimes conducted as a follow-up to a black box test to fully evaluate flaws discovered during the black box test. The tester skips the reconnaissance phase in this type of test. White box tests are useful for simulating the behavior of a privileged insider threat.
Unknown environment
Black box (or unknown environment)—the consultant is given no privileged information about the network and its security systems. This type of test requires the tester to perform a reconnaissance phase. Black box tests are useful for simulating the behavior of an external threat.
Partially known environment
Gray box (or partially known environment)—the consultant is given some information; typically, this would resemble the knowledge of junior or non-IT staff to model particular types of insider threats. This type of test requires partial reconnaissance on the part of the tester. Gray box tests are useful for simulating the behavior of an unprivileged insider threat.
Rules of engagement
Agreeing the scope, operational parameters (timing, permitted techniques, points of contact) and reporting requirements for a penetration test before any testing starts.
Lateral movement
Gaining control over other hosts. This is done partly to discover more opportunities to widen access (harvesting credentials, detecting software vulnerabilities, and gathering other such “loot”), partly to identify where valuable data assets might be located, and partly to evade detection. Lateral movement usually involves executing the attack tools over remote administration shares or remote execution protocols (such as WMI or WinRM), or using scripting tools, such as PowerShell.
Privilege escalation
Obtaining higher privilege levels than the initial foothold provides. Persistence is typically followed by further reconnaissance, where the pen tester attempts to map out the internal network and discover the services running on it and the accounts configured to access it. Moving within the network or accessing data assets are likely to require higher privilege levels. For example, the original malware may have run with local administrator privileges on a client workstation or as the Apache user on a web server. Another exploit might allow malware to execute with system/root privileges, or to use network administrator privileges on other hosts, such as application servers.
Persistence
The tester’s ability to reconnect to the compromised host and use it as a remote access tool (RAT) or backdoor. To do this, the tester must establish a command and control (C2 or C&C) network to control the compromised host, upload additional attack tools, and download exfiltrated data. The connection to the compromised host will typically require a malware executable that is relaunched after shut down/log off events (for example, by a service, scheduled task, or startup entry) and a network port and attacker IP address that remain reachable.
Cleanup
For a threat actor, this means removing evidence of the attack, or at least evidence that could implicate the threat actor. For a pen tester, this phase means removing any backdoors or tools and ensuring that the system is not less secure than the pre-engagement state.
Bug bounty
A bug bounty is a program operated by a software vendor or website operator where rewards are given for reporting vulnerabilities. Where a pen test is performed on a contractual basis, priced by the consultant, a bug bounty program is a way of crowdsourcing the detection of vulnerabilities. Some bug bounties are operated as internal programs, with rewards for employees only.
Pivoting
Hosts that hold the most valuable data are not normally reachable from external networks directly. If the pen tester achieves a foothold on a perimeter server, a pivot allows them to bypass a network boundary and compromise servers on an inside network. A pivot is normally accomplished using remote access and tunneling protocols, such as Secure Shell (SSH) port forwarding, virtual private networking (VPN), or remote desktop, with the compromised host relaying traffic between the tester and the inside network.
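What the relay on the compromised host actually does, as an added example that is not part of the original flashcards: a minimal TCP port forwarder of the kind a tester runs on a perimeter foothold so that traffic sent to the foothold is passed through to an internal service the tester cannot reach directly. Here the "internal" service is a constructed echo server on the loopback interface, and all host names and ports are hypothetical; in practice the target would be an inside address only the foothold can route to.

```python
"""Minimal TCP port forwarder, the building block behind a pivot.
Added example, not from the flashcards; the loopback echo server stands
in for an internal host, and every address and port here is hypothetical."""
import socket
import threading


def _relay(src, dst):
    """Copy bytes one way until the source side closes, then half-close the destination."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, target):
    """One pivoted connection: open the upstream leg and relay in both directions."""
    upstream = socket.create_connection(target)
    back = threading.Thread(target=_relay, args=(upstream, client), daemon=True)
    back.start()
    _relay(client, upstream)
    back.join()
    client.close()
    upstream.close()


def start_pivot(listen, target):
    """Listen on `listen` (host, port) and forward every connection to `target`.
    Returns the listening socket and the port actually bound (port 0 = ephemeral)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen)
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:  # listener closed
                return
            threading.Thread(target=_handle, args=(client, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_echo_server(host="127.0.0.1"):
    """Constructed stand-in for the internal service: echoes input prefixed with b'echo:'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(b"echo:" + data)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=serve, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo(payload=b"hello internal host"):
    """End to end: tester -> pivot listener on the foothold -> internal service. Returns the reply."""
    echo, echo_port = start_echo_server()
    pivot, pivot_port = start_pivot(("127.0.0.1", 0), ("127.0.0.1", echo_port))
    try:
        with socket.create_connection(("127.0.0.1", pivot_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # signal end of request; the relay propagates the half-close
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        pivot.close()
        echo.close()


if __name__ == "__main__":
    print(demo())
```

The half-close handling is the part worth noting: each direction is shut down independently so a request/response exchange completes cleanly through the relay rather than hanging until a timeout. An `ssh -L` or `-D` forward does the same job with encryption and authentication already in place, which is why the tunneling protocols on the card are preferred over a hand-rolled relay on a real engagement.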
Passive and active reconnaissance
Drones
Drones/unmanned aerial vehicle (UAV)—allow the tester to reconnoiter campus premises, and even to perform war driving from the air (war flying). A tool such as the Wi-Fi Pineapple can easily be incorporated on a drone (hackaday.com/2018/05/27/watch-dogs-inspired-hacking-drone-takes-flight). Drones also provide a vector for one enduringly popular social engineering technique; dropping infected USB media around premises, with the expectation that at least some of them will be picked up and used (blackhat.com/docs/us-16/materials/us-16-Bursztein-Does-Dropping-USB-Drives-In-Parking-Lots-And-Other-Places-Really-Work.pdf).
War flying
Mounting reconnaissance or attack tools (such as a wireless sniffer or rogue access point) on a drone and flying it over the target premises, so that wireless networks can be mapped from the air in the same way as war driving.
War driving
Mapping the location and type (frequency channel and security method) of wireless networks operated by the target. Some of these networks may be accessible from outside the building. Simply sniffing the presence of wireless networks is a passive activity, though there is the risk of being observed by security guards or cameras. An attacker might be able to position rogue access points, such as the Hak5 Pineapple (shop.hak5.org/products/wifi-pineapple), or perform other wireless attacks using intelligence gathered from war driving.
Driving around in a vehicle looking for unsecured Wi-Fi networks.
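The write-up stage of a war-driving pass, as an added example that is not part of the original flashcards: take a survey file, record each network's channel (and the frequency band it implies) and security method, rank by observed signal strength, and flag the networks that warrant a closer look (open, WEP, or passphrase-only). The survey text is a constructed sample laid out in the column order of the access-point table that airodump-ng writes to its CSV; the BSSIDs, names and timestamps are made up, and only the access-point section is included.

```python
"""Tally a wireless survey: band, channel, security method, strongest-first ordering,
and a flag for networks worth a closer look. Added example, not from the flashcards.
SAMPLE_CSV is a constructed access-point table in airodump-ng's CSV column order."""
import csv
import io

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, OPN,     ,    , -60, 120,  0,   0.  0.  0.  0,  10, Guest-WiFi,
00:11:22:33:44:66, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, WEP, WEP,    , -70,  80, 30,   0.  0.  0.  0,   6, Legacy,
00:11:22:33:44:77, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 36, 866, WPA2, CCMP, PSK, -55, 200,  0,   0.  0.  0.  0,   8, CorpWiFi,
00:11:22:33:44:88, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 44, 866, WPA2, CCMP, MGT, -50, 210,  0,   0.  0.  0.  0,   8, CorpAuth,
"""


def channel_to_mhz(ch):
    """Centre frequency for the common 2.4 GHz and 5 GHz channel numbers."""
    if 1 <= ch <= 13:
        return 2407 + 5 * ch
    if ch == 14:
        return 2484
    if 32 <= ch <= 177:
        return 5000 + 5 * ch
    raise ValueError("unsupported channel %r" % ch)


def parse_survey(text):
    """Parse the access-point table into a list of dicts, ignoring a trailing client table."""
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    header, nets = None, []
    for raw in reader:
        fields = [f.strip() for f in raw]
        if not any(fields):
            continue
        if fields[0] == "BSSID":
            header = fields
            continue
        if fields[0] == "Station MAC":  # client table starts here; not needed
            break
        if header is None or len(fields) < len(header):
            continue
        rec = dict(zip(header, fields))
        ch = int(rec["channel"])
        nets.append({
            "bssid": rec["BSSID"],
            "essid": rec["ESSID"],
            "channel": ch,
            "mhz": channel_to_mhz(ch),
            "band": "2.4 GHz" if ch <= 14 else "5 GHz",
            "privacy": rec["Privacy"],
            "auth": rec["Authentication"],
            "power_dbm": int(rec["Power"]),
        })
    return nets


def assess(net):
    """Why this network merits follow-up, or None if nothing stands out from the survey alone."""
    priv = net["privacy"].upper()
    if "OPN" in priv:
        return "open: no encryption, anyone in range can join and sniff"
    if "WEP" in priv:
        return "WEP: broken cipher, key recoverable from captured traffic"
    if "WPA" in priv and net["auth"].upper() == "PSK":
        return "pre-shared key: a captured handshake can be attacked offline"
    return None  # 802.1X/enterprise (MGT) or unknown; nothing to flag from the survey


def report(text):
    """Networks strongest-first (most likely reachable from outside), with flags attached."""
    nets = sorted(parse_survey(text), key=lambda n: n["power_dbm"], reverse=True)
    for n in nets:
        n["flag"] = assess(n)
    return nets


if __name__ == "__main__":
    for n in report(SAMPLE_CSV):
        print("%-12s ch%-3d %4d MHz %-8s %-5s %4d dBm  %s"
              % (n["essid"], n["channel"], n["mhz"], n["band"], n["privacy"],
                 n["power_dbm"], n["flag"] or "-"))
```

Signal strength is only a rough proxy for "accessible from outside the building"; the survey tells you what is broadcasting and how it is secured, and any follow-up beyond passive observation must be within the agreed rules of engagement.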