Lecture 1-2.txt
Penetration Testing Methodology

1. A pentester and a client should meet and discuss the objectives and scope of the test.
   Examples of objectives: to determine security weaknesses; to test whether an organisation is following its security rules and policies; to test its employees' security awareness; to test an organisation's ability to identify and respond to security incidents.
   Scope of the test includes testing of network penetration, social engineering, application security and physical penetration (testing the security of premises where digital assets and network resources are stored).

2. Choosing the type of test.
   Black-box testing: most closely resembles the situation of an outside attack. This test is called an "external test". The test is executed from a remote location, much like a real attacker would. The pentester will be extremely limited in information about the target.
   Grey-box testing: the pentester will have some limited knowledge of the target, for example (at least) what operating system the target is mainly using.
   White-box testing: this gives the pentester full knowledge of the target. Basically this test simulates an "insider attack". This test is called an "internal test".

3. Gaining permission via a contract. It is vitally important to get clear and unambiguous permission to perform a pentest: a written form of authorisation rather than a verbal authorisation is important. It should include: systems to be evaluated; perceived risks; timeframe; actions to be performed when a serious problem is found; deliverables.

4. Perform the penetration test.

5. Create a risk mitigation plan (RMP). The RMP is to develop options and actions to enhance opportunities and reduce threats in an organisation. It should clearly document all the actions that took place, including the results, interpretations and recommendations.

6. Clean up all the changes made during the test.

Categorising information gathering methods
Passive: methods that do not engage the target.
Active: methods that do engage the target by, for example, making phone calls to the company, help desk, employees and/or other personnel.
Open Source Intelligence (OSINT) gathering: gathering information from sources that are typically publicly available and open. A kind of passive information gathering method, and the least aggressive one.

Gathering information about a domain: DNS, subdomains, etc.
nslookup: a tool to obtain domain name to IP address mappings, or other DNS records. It sends a DNS query directly from the client to any type of DNS server, regardless of whether it is root, TLD or authoritative. Usage: nslookup www.example.com. By adding the -type option, one can specify the type of DNS record, for example nslookup -type=ns example.com. Reverse DNS is also possible, for example nslookup 11.22.33.44.
whois: a protocol for querying the owner of a domain name or IP network. Information returned by WHOIS contains information about the owner, including email addresses, contact numbers, street addresses, etc.
Subdomains are extensions of a main domain, like sub.example.com. Discovering subdomains can reveal additional servers or services that might be less secure or overlooked.
Some domains are on the same server: same server, different websites. One server can serve/handle multiple websites. Gaining access to one of those websites on the same server can be helpful to attack the others.

Gathering information about network topology
traceroute: gives information about the routers between the source and destination. It shows the path a packet takes as it travels from the source to the destination. After running traceroute to several systems on their network, one can start drawing a network diagram.
Gathering intelligence from websites
What can be found:
- People (personnel)
- Email addresses
- Physical addresses
- Job postings leaking information
- Product, project and service information
Netcraft: a website that provides comprehensive information about the technologies that a website uses. It provides information about the web hosting company, hosting history, type of web server, whether it sends spam, server-side and client-side technologies, web applications used, etc. All of the above information can be exploited to find vulnerabilities of the target by visiting websites like www.exploit-db.com.
Electronic dumpster diving: finding websites that do not exist any more.
Viewing a website offline is useful if websites/webpages can be saved locally and examined. A tool called a website downloader or website crawler can be used.
Example) Here, the website owner might think that the field "value" is hidden from the view of the public, but a malicious hacker can modify the value stored in his web browser and repost it.

Gathering intelligence on email addresses and people
The Harvester is a tool in Kali Linux for collecting e-mail addresses, subdomains, employee names, etc. E-mail addresses on their own provide an opportunity to launch phishing attacks, attempt to get Trojans installed, and other direct attacks. Another opportunity is that the local part (everything to the left of the @) is often the username, and having a list of usernames gives an attacker a list of accounts to use when trying to log in to other critical systems.

------------------------------------------------------------------------

A penetration tester, or pentester, is a white hat hacker employed to do a penetration test. It involves surveying, assessing and testing the security of a given organisation by using the same tools and techniques that a malicious hacker would use.

Process of Penetration Testing
Information (Intelligence) Gathering: gather information about a target before performing active attacks.
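The hidden-field example above is the classic case of trusting client-supplied state. The following added example (not part of the lecture notes) contrasts a checkout handler that trusts a hidden price field with one that treats only the product id and quantity as client input and looks the price up server-side, plus a check that flags a tampered submission for logging. The catalogue, form dictionaries and SKU names are constructed for the example.

```python
"""Hidden form fields are client-controlled input: vulnerable vs. hardened handling.

Added educational example; the catalogue, SKUs and submitted forms are constructed.
"""
from decimal import Decimal

# Server-side catalogue: the only authoritative source of prices (constructed data).
CATALOGUE = {
    "sku-100": Decimal("49.99"),
    "sku-200": Decimal("199.00"),
}

MAX_QUANTITY = 100


def total_trusting_hidden_field(form):
    """Vulnerable pattern: the price is read from a hidden <input> that the
    browser sent back. Anything in the form can be rewritten before reposting,
    so the hidden field is no more trustworthy than a visible one."""
    qty = int(form["quantity"])
    return Decimal(form["price"]) * qty


def total_server_side(form):
    """Hardened pattern: only a product identifier and a quantity are accepted
    from the client; the price comes from the server-side catalogue, and the
    quantity is range-checked before use."""
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise ValueError("unknown product")
    try:
        qty = int(form.get("quantity", "0"))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= MAX_QUANTITY:
        raise ValueError("quantity out of range")
    return CATALOGUE[sku] * qty


def price_mismatch(form):
    """Detection hook: if the application still ships a price in a hidden field
    (e.g. for display), compare it with the catalogue and report disagreement so
    it can be logged and alerted on. Returns True when the submitted price does
    not match the server-side price for that SKU."""
    sku = form.get("sku")
    if sku not in CATALOGUE or "price" not in form:
        return False
    try:
        submitted = Decimal(form["price"])
    except ArithmeticError:
        return True
    return submitted != CATALOGUE[sku]


# A constructed submission in which the hidden price was rewritten in the browser.
TAMPERED_FORM = {"sku": "sku-200", "quantity": "1", "price": "0.01"}
# A constructed, untouched submission for comparison.
HONEST_FORM = {"sku": "sku-200", "quantity": "2", "price": "199.00"}

if __name__ == "__main__":
    print("trusting hidden field:", total_trusting_hidden_field(TAMPERED_FORM))
    print("server-side lookup:  ", total_server_side(TAMPERED_FORM))
    print("tampering detected:  ", price_mismatch(TAMPERED_FORM))
```

The defensive point is that the fix is not to hide the field better but to stop the server from depending on it: state that must not be changed by the user is either kept server-side (session, database) or sent to the client in a form the server can verify on return.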
Scanning: based on the information gathered, target the attack much more precisely.
Exploitation: following enumeration, execute the attack.
Covering tracks: make all attempts to remove evidence of being in a system.
Maintaining Access: plant backdoors or other means to leave something behind.

Information to be gathered
Technical information: operating system, network and applications, IP addresses and/or IP address ranges, and device information. Additionally, information regarding webcams, alarm systems, mobile devices, etc.
Administrative information: organisational structure, corporate policies, hiring procedures, details of employees, phone directories, vendor information, etc.
Physical details: data about location and facility.

Internetworking application = an application that uses the internet.

Three classes of DNS servers
Root DNS servers: help in directing queries to the appropriate TLD servers. There are 13 root DNS server clusters, named with letters from A to M, which are operated by various organizations worldwide.
Top-Level Domain (TLD) servers: .com, .org, .net, .edu, .gov, .au, .uk, .ca, .kr, .jp, etc.
Authoritative DNS servers: the official record keepers for domain names (like google.com). They hold the correct information about which IP addresses correspond to which domain names.

DNS scenario
A user makes a query by entering the URL or clicking a link. The browser then sends that DNS query to the DNS resolver (local DNS server). The DNS resolver queries the root servers to get a list of IP addresses for the TLD servers responsible for .com. The DNS resolver then queries one of those TLD servers to get the IP address of the authoritative DNS server for amazon. The DNS resolver queries the authoritative DNS server to get the IP address of www.amazon.com, which is 130.130.213.213.

DNS records
DNS servers store DNS records, which are also called "resource records (RRs)". Each DNS record is a four-tuple and contains the following fields: {Name, Value, Type, TTL}. TTL is the "time to live" for that DNS record.

Types of DNS records
A (IPv4) or AAAA (IPv6): Name is a hostname and Value is its IP address. Example: {www.example.com, 13.54.131.40, A, TTL}
CNAME: Name is a hostname and Value is its alias, the "Canonical Name". Example: {www.example.com, web1.example.com, CNAME, TTL}
MX: Name is a domain name and Value is its mail server name. Example: {example.com, mail1.example.com, MX, TTL}
NS: Name is a domain name and Value is its name server. Example: {example.com, ns1.example.com, NS, TTL}
SOA: provides the "start of authority (SOA)", which is the authoritative information about the domain: the e-mail address of the domain admin, the domain serial number, etc. Name is a domain name and Value is its primary name server (only one). Example: {example.com, dns1.example.com, SOA, TTL}
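To tie the DNS scenario (root, then TLD, then authoritative server) to the four-tuple record format, here is an added example that is not part of the lecture: a toy iterative resolver walking constructed zone data for example.com. The records reuse the lecture's values (web1.example.com at 13.54.131.40, mail1.example.com, ns1.example.com); the server names "root-server" and "tld-com-server", the glue address 10.0.0.53 and all TTLs are constructed. It also handles the CNAME case the lecture lists, restarting the walk for the canonical name and bounding the chain length so a looping alias pair cannot run forever.

```python
"""Toy iterative DNS resolver over constructed zone data (added educational example).

Records use the lecture's four-tuple {Name, Value, Type, TTL}. Server names,
glue addresses and TTLs are constructed; only the example.com records come
from the lecture notes.
"""
from typing import NamedTuple


class RR(NamedTuple):
    name: str    # Name
    value: str   # Value
    rtype: str   # Type (A, CNAME, MX, NS, ...)
    ttl: int     # TTL in seconds


ROOT = "root-server"          # hypothetical root server
TLD_COM = "tld-com-server"    # hypothetical .com TLD server
AUTH_EXAMPLE = "ns1.example.com"  # authoritative server for example.com

# Which records each server holds. The root only knows who serves "com",
# the TLD server only knows who serves "example.com", and the authoritative
# server holds the zone itself.
ZONES = {
    ROOT: [RR("com", TLD_COM, "NS", 172800)],
    TLD_COM: [RR("example.com", AUTH_EXAMPLE, "NS", 172800)],
    AUTH_EXAMPLE: [
        RR("example.com", "ns1.example.com", "NS", 3600),
        RR("example.com", "mail1.example.com", "MX", 3600),
        RR("www.example.com", "web1.example.com", "CNAME", 300),
        RR("web1.example.com", "13.54.131.40", "A", 300),
        RR("ns1.example.com", "10.0.0.53", "A", 3600),  # constructed glue record
    ],
}

MAX_CNAME_HOPS = 5
MAX_REFERRALS = 20


def ask(server, name, rtype):
    """One query to one server: records it holds matching name and type."""
    return [rr for rr in ZONES.get(server, []) if rr.name == name and rr.rtype == rtype]


def referral(server, name):
    """The server's NS record for the closest enclosing zone of name, if any."""
    labels = name.split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        ns = ask(server, zone, "NS")
        if ns:
            return ns[0].value
    return None


def resolve(name, rtype="A"):
    """Resolve name/rtype the way a resolver with an empty cache would:
    start at the root and follow referrals down to the authoritative server.
    Returns (values, servers_visited)."""
    path = []
    server = ROOT
    cname_hops = 0
    for _ in range(MAX_REFERRALS):
        path.append(server)
        answer = ask(server, name, rtype)
        if answer:
            return [rr.value for rr in answer], path
        # No direct answer: if this server aliases the name, chase the alias
        # from the root again, but bound the chain to defeat CNAME loops.
        alias = ask(server, name, "CNAME")
        if alias and rtype != "CNAME":
            cname_hops += 1
            if cname_hops > MAX_CNAME_HOPS:
                raise ValueError("CNAME chain too long for %s" % name)
            name = alias[0].value
            server = ROOT
            continue
        nxt = referral(server, name)
        if nxt is None or nxt == server:
            return [], path   # no such data at the authoritative server
        server = nxt
    raise ValueError("referral chain too long for %s" % name)


if __name__ == "__main__":
    for query in [("www.example.com", "A"), ("example.com", "MX"), ("example.com", "NS")]:
        values, path = resolve(*query)
        print(query, "->", values, "via", " -> ".join(path))
```

The printed path for www.example.com shows the walk root, TLD, authoritative twice: once to learn the CNAME and once for the canonical name, which is what nslookup's "Non-authoritative answer" from a caching resolver hides from you.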