phases of pentesting Flashcards
Recon
- Gather information from public sources to learn about the target:
  – People
  – Naming conventions
  – Technical infrastructure
- Information gathered in this phase will be helpful in the other phases.
- Most important stage of an attack: more information = higher success rate.
- Information obtained in this phase:
  – Domain name
  – Contacts at the target organization
  – DNS server IP addresses
- Passive reconnaissance
  – Gather information on a target without connecting to the target directly.
  – e.g. search engine results for the target.
- Active reconnaissance
  – Gather information on a target by probing the network.
  – e.g. DNS interrogation.
  – More risk of detection compared to passive reconnaissance.
Scanning
- Taking the information gathered during reconnaissance and examining the target's network.
  – Look for openings and vulnerabilities.
- Often relies on automated tools to look for openings in the armor.
- Irony:
  – The attacker only needs to find one way in to achieve his goal.
  – The IT security professional must defend all entry points.
- Information obtained in this phase:
  – Network addresses of hosts, servers, firewalls etc.
  – Network topology
  – Operating systems
Gaining access
- The attacker will try to gain access to the system by:
  – Breaking in physically.
  – Manipulating poorly written software.
  – Exploiting weak password storage mechanisms.
- Based on information gathered during the reconnaissance and scanning phases.
Activities in gaining access
* Password attacks using password cracking tools
* Web-based attacks
  – Through session tracking
* Privilege escalation
Maintaining access
- Need to keep access for future exploitation and attacks.
- Secure exclusive access with backdoors, rootkits and Trojans.
  – Harden the system against other hackers and security personnel.
* An owned system is sometimes known as a zombie system.
* Owned systems may be used to launch attacks on other machines.
Activities in Maintaining Access
* Planting Trojan horse software
  – Creates listening servers on the victim system.
* Planting backdoor software
  – Helps to bypass security access controls.
* Planting rootkits
  – Overwrites critical system components with customised data or programs which create a 'legitimate' access channel.
Covering Tracks
- Cover tracks to avoid detection and to continue using the owned system.
  – Remove evidence of the attack.
  – Possibly avoid legal action.
* Erase records of the intrusion, thereby hiding the history of the intrusion.
* Hide all backdoors created.
Activities
* Alteration of event logs
  – e.g. removing log files.
* Switching off Intrusion Detection System (IDS) alarms.
* Using tunneling protocols
  – Create covert channels for future communication.
NetBIOS Enumeration
- A null session is an unauthenticated NetBIOS session between two machines.
- Null sessions are a vulnerability found in:
  – Unix/Linux: Common Internet File System (CIFS).
  – Windows: Server Message Block (SMB).
- Information about the machine can be obtained once connected.
  – This information includes usernames, groups, shares, permissions, policies and services.
- Tools include nbtscan and the auxiliary scanners in the Metasploit framework:
  – nbtscan <IP>
  – auxiliary/scanner/netbios/nbname
  – auxiliary/scanner/smb/smb_version
SNMP Enumeration
- SNMP employs 2 major types of software components for communication:
  – SNMP agent
  – SNMP management station
- The SNMP management station sends requests to agents to manage the system or device.
  – The requests from the management station and the replies from the agents refer to configuration variables accessible by the agents.
- The Management Information Base (MIB) is the database of configuration variables that resides on a networking device.
- SNMP has 2 passwords to access and configure an SNMP agent from the management station:
  – Public (r) community string: password for viewing the configuration of the device/system.
  – Private (rw) community string: password for changing and editing the configuration on the device.
- SNMP v1 and v2 pass these community strings across the network unencrypted.
  – SNMP v1 and v2 are therefore subject to packet sniffing.
- SNMP v3 has added security and remote configuration enhancements such as encryption and message integrity.
- Tools include snmp-check, snmpwalk, onesixtyone and the auxiliary scanners in the Metasploit framework:
  – snmpwalk <IP> -c public -v 2c
  – auxiliary/scanner/snmp/snmp_enum
  – auxiliary/scanner/snmp/snmp_enumshares
  – auxiliary/scanner/snmp/snmp_enumusers
  – auxiliary/scanner/snmp/snmp_login
SMTP Enumeration
- Under certain misconfigurations, a mail server can be used to gather information about the host and network.
- SMTP supports interesting commands such as VRFY and EXPN.
  – A VRFY request asks the server to verify an email address.
  – An EXPN request asks the server for the membership of a mailing list.
- These can be abused to verify existing users on a mail server, which can aid the attacker later.
  – e.g. Windows usernames may be the same as the email account.
  – e.g. verified email accounts may be used to send malicious emails.
- Tools include smtp-user-enum.pl and the auxiliary scanner in the Metasploit framework:
  – smtp-user-enum.pl -M VRFY -U users.txt -t 10.0.0.1
  – auxiliary/scanner/smtp/smtp_enum
Countermeasures
- For host
  – Close unused ports and disable unneeded services.
  – Keep system patches & signature files up-to-date.
  – Automate regular backup of logs & critical information.
- For network
  – Deploy Defense-In-Depth tools.
  – Audit regularly by using vulnerability scanners.
- Implement and regularly revise security policies & incident response procedures.
- Create awareness and training.
Goal of Penetration Testers
- Understand how to perform an attack in order to find out how vulnerable the targeted systems are.
- ULTIMATE AIM: Protect systems from hackers. NOT TO GAIN UNAUTHORIZED ACCESS TO MACHINES!
example of human and computer social engineering attack
Human-based social engineering techniques
* Impersonating an employee or valid user
* Posing as an important user (e.g. a high-level manager)
Computer-based social engineering techniques
* Email attachments
* Popup windows
* Fake websites (e.g. phishing and online scams)