SEC542 - Book 1 PDF
This document is a courseware for SANS Security 542, Section 1, focusing on web application penetration testing and ethical hacking. Copyright 2023 SANS Institute.
© SANS Institute 2023

User may not copy, reproduce, re-publish, distribute, display, modify or create derivative works based upon all or any portion of the Courseware, in any medium whether printed, electronic or otherwise, for any purpose, without the express prior written consent of SANS Institute. Additionally, User may not sell, rent, lease, trade, or otherwise transfer the Courseware in any way, shape, or form to any person or entity without the express written consent of SANS Institute.

If any provision of this CLA is declared unenforceable in any jurisdiction, then such provision shall be deemed to be severable from this CLA and shall not affect the remainder thereof. An amendment or addendum to this CLA may accompany this Courseware.

SANS Institute may suspend and/or terminate User's access to and require immediate return of any Courseware in connection with any (i) material breaches or material violation of this CLA or general terms and conditions of use agreed to by User; (ii) technical or security issues or problems caused by User that materially impact the business operations of SANS Institute or other SANS Institute customers, or (iii) requests by law enforcement or government agencies.

Copyright 2023 Eric Conrad (GSE #13), Timothy McKenzie, and Bojan Zdrnja (GSE #346)
Version I01_02

Welcome to SANS Security 542, Section 1!

SANS Offensive Operations leverages the vast experience of our esteemed faculty to produce the most thorough, cutting-edge offensive cyber security training content in the world. Our goal is to continually broaden the scope of our offensive-related course offerings to cover every possible attack vector.

SEC467: Social Engineering for Security Professionals | 2 Sections
In this course, you will learn how to perform recon on targets using a wide variety of sites and tools, create and track phishing campaigns, and develop media payloads that effectively demonstrate compromise scenarios.

15. Content Discovery - Spidering
16. Exercise 1.6: Web Spidering
17. Summary
18. Appendix: Open-Source Intelligence

SEC542 | Web App Penetration Testing and Ethical Hacking 9

Course Roadmap
Welcome to Security 542: Web App Penetration Testing and Ethical Hacking! We'll begin with an introduction to the web, talk about information gathering and virtual host discovery, then

Assessing/Improving Application Security
- Also, varied approaches to web app pen testing itself also exist and could be relevant
This course will obviously focus on web application penetration testing as a means to assess, with an eye toward improving, an application's security posture. Web application penetration testing is by no means the only approach to assessing application security. Further, it also might not be the best or most effective way to assess

Threat Modeling
- Flexible
- Early in the SDLC
- Good threat models don't automatically mean good software
By understanding what are realistic threats to a system or application, organizations can prioritize remediation efforts to the findings that have the greatest positive impact to the overall security posture. Though threat modeling is only recently popular in association with penetration testing, there are numerous resources available

Source Code Review
Strengths:
- Accuracy
- Fast (for competent reviewers)
Weaknesses:
- Can miss issues in compiled libraries
- Cannot detect run-time errors easily
- The source code actually deployed might differ from the one being analyzed
Source code review by qualified individuals can find vulnerabilities that are difficult, or impossible, to find by performing dynamic pen test assessments. Branching within the application that may trigger on parameters or values that would not be seen during normal use. Common issues like "concurrency problems, flawed business

Static Application Security Testing (SAST)
- deployed application
- Weaknesses: Requires access to source code; might overlook APIs or libraries leveraged by the application; overlooks ops side of apps
Performing code review has long been considered a solid practice for reducing bugs/defects and improving applications. Security vulnerabilities can rightly be thought of as a type of defect; however, security flaws are much less likely to have overt stakeholder impact during normal use of the application when compared to more

Dynamic Application Security Testing (DAST)
Strengths:
- Can be automated and fast (and therefore cheap)
- Requires a relatively lower skill set than source code review
- Tests the code that is actually being exposed
Weaknesses:
- Too late in the SDLC
- Front impact testing only
Penetration testing is the traditional way to find vulnerabilities within web applications, in part due to network-based vulnerability identification that has been rooted in similar activity. While penetration testing can be an effective method to identify vulnerabilities, it requires that the portions of the application that are being tested to

Manual Inspections and Reviews
- Promotes teamwork
- Early in the SDLC
When the pen tester can review documentation about the target application and systems, it can speed up the testing process in several ways. Automated tools can be tuned to only target technologies present in the application. When millions,

Automated + Manual = Best
  - Enables tuning of the automated systems by focusing only on relevant technology and reducing the volume of requests
- The best of both methods can be realized when combined to complement each other
Automated scans are necessary to test the multitude of inputs for the common vulnerabilities found in web applications. For large applications, a human tester would not be able to perform the tests in a reasonable amount of time, nor in a reliable way. While automated tools are necessary, they are prone to detecting false-

More is Definitely Better
- Real-world tests fall somewhere between these two spectrums
Pen testers are occasionally presented with the myth that a zero-knowledge penetration test, one in which the pen tester has little to no information about the target, is representative of a real-world attacker. Those under the misconception that real-world attackers do not have access to internal information want pen testers to "hack

Methodology
- Exploitation
- Post Exploitation
- Reporting
- Rigorous
- Under quality control
A penetration testing framework can help to ensure that the same set of applicable tests are run across multiple web application assessments. Following a framework ensures that another pen tester could follow in the footsteps of the original assessor and find a very similar set of findings (assuming each tester has a similar skill

OWASP Web Application Security Testing Methodology
- exploiting SQL injection flaws
The OWASP Web Security Testing Guide is available at https://sec542.com/2i. There is a copy of the guide in the root directory of the Security 542 media ISO file. The section "Testing for SQL

HTTP Request Methods: HEAD
- HEAD: very quick, useful for simple HTTP response header evaluations (e.g., Cookie without HttpOnly flag)
HEAD is a request method that asks the server to return only a header, no body, regardless of whether a body would exist or not. While not terribly useful for browsing a website, if all we have need of knowing is information included in the HTTP headers, then this is sufficient, and seemingly innocuous.

HTTP Request Methods: OPTIONS
The OPTIONS method allows for quickly asking servers to communicate supported methods. While GET and HEAD methods are expected to be supported, as the standards suggest support is required, the other methods need not be supported. If the receiving server supports the OPTIONS method, it responds with the list of

HTTP Request: Referer
- risk of inadvertent information disclosure via the Referer
The ignominiously misspelled Referer (rather than Referrer) request header is used to identify for the target server what page the user-agent was viewing when a link was clicked. This seems innocuous enough, but unfortunately, given the potential for sensitive information being included on the URL, it makes the use of the

WSTG: Information Gathering
- WSTG-INFO-08 Fingerprint Web Application Framework
- WSTG-INFO-09 Fingerprint Web Application
- WSTG-INFO-10 Map Application Architecture
The table above highlights the particular Test IDs for the Information Gathering section of the OWASP Web Security Testing Guide. Note that some elements above might be discussed during a separate section of the course for pedagogical purposes. For additional details on this category, see below.

- Forced Browsing
NOTE: Some overlap exists between our goals and the associated techniques.

Reverse DNS Scan
The approach: Perform a WHOIS lookup for IP addresses owned by the target organization and then perform a reverse DNS lookup for every IP:
In-class hypothetical example: Sec542, Inc., owns 192.168.1.0/24. So, we'll perform a scan of the reverse DNS records for 192.168.1.0–192.168.1.255.
We previously discussed how WHOIS can be used to identify public netblocks owned by a target organization. Once these are identified, reverse DNS scans can be used to resolve the PTR records for each IP address.

DNS Brute Force Scans
DNS brute force scans are an additional technique for discovering DNS names, including "hidden" DNS names that are not publicly published outside of DNS and do not have reverse (PTR) records pointing to them.
Let's discuss each tool.

Useful DNS Reconnaissance Tools
The following is a (partial) list of tools that are useful for DNS reconnaissance:

nslookup
Cons:
- It has limited functionality compared to dig
- Functionality has been removed from newer versions
Most of us performed our first command-line DNS lookup via nslookup. Then we grew up and used dig, which is far more powerful, as we will learn next.

dig
- Along with nslookup and host
- ISC also has an official Windows BIND port, including all client software
The command above is:

dig Syntax
$ dig sec542.org -t any
$ dig -x 192.168.1.23
Query the nameserver's version of BIND:
$ dig @192.168.1.8 version.bind chaos txt
You may someday win Hacker Jeopardy by remembering the syntax for querying version.bind via the command line. The query uses the archaic CHAOSNET DNS records. CHAOSNET was an early LAN technology (3Mb Ethernet via coaxial cable) created at MIT in 1975 when Colossal Cave Adventure was considered cutting

SEC542 Workbook: Virtual Host Discovery
Please go to Exercise 1.3 in the 542 Workbook.

Shodan
- Includes details about SSL certificates
- May aid in the discovery of recent configuration changes to harden the target environment prior to a pen test
Shodan is available at https://sec542.com/6z. "Shodan is the world's first computer search engine that lets you search the Internet for computers. Find devices

A02:2021-Cryptographic Failures
Cryptography is used to protect the confidentiality and integrity of sensitive data that is stored, transmitted, and/or processed by the application and components of its technology stack.

HTTPS: SSL/TLS Handshake
- encryption of data in transit
Cloudflare: TLS Handshake
Here are more complete details of the TLS handshake process: "The 'client hello' message: The client initiates the handshake by sending a "hello" message to the

HTTPS Testing: Using testssl.sh to Evaluate HTTPS
The testssl.sh tool is available for download from Github as a bash script, or as a Docker container. To run the bash script, after downloading it from Github:

HTTPS Testing: Qualys SSL Labs
An outstanding public resource for evaluating SSL configurations is available from Qualys. SSL Labs is a free, publicly accessible site, that requires no registration of any kind. Simply navigate to its page and submit the site you would like to be assessed.

Application Information Gathering: Spidering
- WSTG-INFO-09 Fingerprint Web Application
- WSTG-INFO-10 Map Application Architecture
This table highlights the particular Test IDs for the category. For additional details on this category, see below.
Reference:
profiling may be identified

Content Discovery - Spidering
[Flowchart: "Max Depth Reached?" with Yes / No branches leading to "Visit Links"]
Also known as crawling, spidering is the most important portion of the web application assessment. Not properly performed, portions of the web application may be missed.

Robots Exclusion Protocol
- The robots.txt file is publicly available; it should not be used to "hide" sensitive content or functionality
The Robots Exclusion Protocol defines the rules by which automated spiders, aka robots, behave when interacting with a website. The rules are voluntary, and software does not have to include code to enforce obedience to the standard. In fact, tools built for attackers not only ignore the restrictions suggested by the

The Attacker's Dilemma: Manual vs. Automated
Manual:
- Allows for the identification of sensitive or dangerous functions within the application
- Facilitates an understanding of the purpose for the application
- Supports one-off testing of features for common vulnerabilities
Automated:
- May invalidate sessions, destroy data, reconfigure the application, or add bogus data to data repositories
- Tends to identify most of an application's inputs (usually)
- Accumulates a large volume of data quickly that requires more automation to work through
The question about whether it is better to manually spider a web application or use automation comes up frequently among those new to testing web applications. The comparison between manual and automated spidering calls out positive and negative aspects of each approach. As will be explored throughout the course,

SEC542 Workbook: Web Spidering
Please go to Exercise 1.6 in the 542 Workbook.

What Is Open-Source Intelligence (OSINT)?
- Data provided by users/employees of the target organization
- Information provided (un)intentionally by the target organization
- Information from social media sites
Gathering information about target organizations and applications can greatly improve the likelihood of successful compromise for adversaries. While penetration testers are generally not expected to perform full adversary emulation exercises, reconnaissance can make our process both more efficient and effective. Open

OSINT: Search Engines
Though Google is, without question, the market leader in search and has more documentation regarding its use for OSINT, both DuckDuckGo and Bing warrant at least passing mention as well. When performing casual internet searches, the choice of browser likely doesn't cross most peoples' minds. However, our use case goes

OSINT: Key Search Operators
- extension/filetype
- hitchhiker near:10 towel: The words hitchhiker and towel must be within 10 words of each other in search results
- intitle: / inurl: Search in the web page title or url rather than content
- contains:asp: Return sites with links to specified content type, as opposed to links to the files themselves as filetype
One really nifty search operator for DuckDuckGo is the bang (!). Bangs allow you to outsource your DuckDuckGo search to say Google, Bing, Google Maps, Yandex. So, from the DuckDuckGo search bar, you can perform a Google, Bing, LinkedIn, Yandex, or Baidu search just by prepending !google, !bing,

OSINT: Google Dorks
- substantial collection of dorks
Rather than simply supplying a keyword, as would be the case in most general-purpose searches, these crafted searches employ special operators to filter results substantially. These crafted queries can return data suggesting particular vulnerabilities being exhibited by the target. Vulnerability identification without even interacting

OSINT: Dorking
- Not all, but many 'dorks' work beyond Google and could provide different results
The Google Hacking Database provides unique ID numbers and descriptions associated with each dork. Although Google dork remains the predominant name used for this style of search against search engines, the more generic term dork is increasingly used. The term dork, as opposed to googledork, rightly suggests that

OSINT: theHarvester
Here is the command line help from the tool to show options:
usage: theHarvester.py [-h] -d DOMAIN [-l LIMIT] [-S START] [-g] [-p] [-s]
Reference: GitHub – theHarvester, https://sec542.com/6j

OSINT Suites
- Open/public APIs
- APIs requiring a free account
- Commercial APIs ($$$)
For our use case, much greater efficiency in performing OSINT can be achieved through the use of OSINT suites rather than performing ad hoc one-off searches or wielding singularly focused tools. No specific criteria exist for characterizing a tool as being an OSINT suite rather than a one-off, but our general rule will be to