Ethical Hacking and Penetration Testing Lecture 3 PDF

Ethical Hacking and Penetration Testing Lecture 3: Target Scanning (Active Information Gathering) and Threat Modelling Outline  OSINT Types Recap  Active Information Gathering  Target Scanning and Tools  Banner Grabbing and Tools  Threats Overview  Threat Modelling Penetration Testing Framework  Pre-Engagement Interactions  Information Gathering  Threat Modelling  Vulnerability Assessment  Exploiting Weakness  Privilege Escalation  Post Exploitation  Retaining Access  Covering Tracks  Reporting Framework Step 1 - Information Gathering http://www.pentest-standard.org/index.php/Intelligence_Gathe ring 29/01/2025 Information Gathering  Information Gathering or Intelligence Gathering  Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the following phases, i.e., target scanning, vulnerability assessment and exploitation.  The more information you can gather during this phase, the more vectors of attack you may be able to use in the future. OSINT forms Recap  Passive Information Gathering  Semi-Passive Information Gathering  Active Information Gathering – This week OSINT forms (OSINT) takes three forms; Passive, Semi-passive, and Active.  Passive Information Gathering: Passive Information Gathering is generally useful if there is a very clear requirement that the information gathering activities should never be detected by the target.  This type of profiling is technically difficult to perform as we are never sending any traffic to the target organization neither from one of our hosts or “anonymous” hosts or services across the Internet.  This means we can only use and gather archived or stored information. As such this information can be out of date or incorrect as we are limited to results gathered from a third party.  Example: Google search – Google Dorks / Dorking OSINT forms  Semi-passive Information Gathering: The goal for semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior.  We query only the published name servers for information  We aren’t running network level port-scans or crawlers, and we are only looking at metadata in published documents and files; not actively seeking hidden content.  The key here is not to draw attention to our activities. Postmortem the target may be able to go back and discover the reconnaissance activities, but they shouldn’t be able to attribute the activity back to anyone.  Example: WHOIS Database Countermeasures against Passive Information Gathering  Review public sources of information  Check for metadata before publication  Use of anonymous identities  Whois database record – e.g., [email protected]  Consider private domain registration Countermeasures against Passive Information Gathering  Watch out for archives!  WayBack Machine  Whois Domain history (domiantools.com)  Educate staff, particularly those on the front line  Visitor policy  Data lifecycle and elimination policy – Shredding, safe removal (trace the process from pick-up to destruction) OSINT forms  Active Information Gathering: Active information gathering should be detected by the target as suspicious or malicious behavior.  During this stage we are actively mapping network infrastructure  Actively enumerating and/or vulnerability scanning the open services,  We are actively searching for unpublished directories, files, and servers.  Most of this activity falls into your typical “reconnaissance” or “scanning” activities for your standard pentest.  Example: Ping, Traceroute, Nmap or Banner Grabbing Target Scanning  Imagine trying every extension in a large company  Who answers and how do they announce themselves ?  Target Scanning  Host Discovery  Port Scanning  Operating System Discovery Points of Entry (e.g., for an attacker or pentester)  Server-side  Client-side  Web Applications  Wireless Scanners  Nmap ( GUI based is Zenmap)  Netcat  Superscan @ Foundsstone  Angry IP scanner @ www.angryip.org  Scan Types  Ping Sweep – (discovers hosts that are up and running)  TCP Port Scan (detects TCP ports that are open and running)  UDP Port Scan (detects UDP ports that are open and running)  Operating System Discovery Nmap Scan Image adopted from: https://linuxhint.com/nmap_scan_ip_ranges/ Banner Grabbing  Banner: Information leaked by a service or protocol  Banner grabbing is a technique used in network security and penetration testing to gather information about a computer system on a network and the services running on its open ports. This information is often obtained by connecting to a service and reading the "banner" or message that the service returns. Banner Grabbing  Banner: Information leaked by a service or protocol  Service – more reliable than port numbers alone  Software – e.g., Microsoft Exchange vs Postfix  Version – e.g., Postfix 2.0 vs 2.7  Other Information unrelated to service e.g., OS version  Protocols with banners include HTTP, FTP, SMTP etc.  Banner Grabbing  Typically establish a TCP connection and see what is returned  Send appropriate commands to grab the banner Banner Grabbing Tools  Tools –  Telnet: Connects to a port and reads the banner (e.g., telnet ).  Netcat (nc): Flexible tool to connect and read banners (e.g., nc ).  Often called the Swiss Army Knife of networking because it is an extremely versatile and powerful tool that can perform a wide range of networking tasks. Its flexibility and the breadth of its functionality make it invaluable for both system administrators and security professionals.  Reads and writes data over TCP/UDP connections  Chat sever, file transfer, port scanning  Nmap: Network scanning tool with scripts for banner grabbing (e.g., nmap -sV ).  Wireshark: Passive network traffic analyzer.  telnet example.com 21  220 ProFTPD 1.3.6 Server (Debian) [::ffff:192.168.1.1] Countermeasures against Active Information Gathering  Think Network topology that is difficult to scan ( network segregation)  Disable unnecessary services  Firewall, not just on the perimeter  Network intrusion systems  Remove Banners to stop information leakage  Log Analysis  Network Traffic  Application logs  Distinguishing abnormal from normal behaviour  Run your own scans to identify what is visible Framework Step 2 – Threat Modelling http://www.pentest-standard.org/index.php/Threat_Modeling 29/01/2025 Responsible Disclosure  When finding vulnerabilities:  No disclosure  Limited disclosure  Full disclosure  Responsible disclosure  Balance between  Informing the public  Giving the vendor‘s time to respond properly Responsible Disclosure  Responsible disclosure is encouraged and sometimes rewarded Responsible Disclosure  Responsible disclosure is encouraged and sometimes rewarded Responsible Disclosure  Responsible disclosure is encouraged and sometimes rewarded Introduction to Threat Modelling Let's talk about threats! What is a Threat?  "A threat is an intent to inflict damage on a system.” (Landwehr 2001)  "A threat consists of an adverse action performed by a threat agent on an asset." (Common Criteria)  "Who might attack against what assets, using what resources, with what goal in mind, when/where/why, and with what probability.” (Johnston 2010)  "Threats remain ideas until practical examples have been demonstrated.“ (Schäfer 2009)  "A threat is a potential cause of an unwanted incident.” (Lund 2011) What is a Threat?  “A threat is an entity that wants to do harm to you or something you care about” (http://www.bitsmasherpress.com/?p=67)  “intended cause” (Pieters 2011)  "A potential for harm of an asset.“ (Yoshioka 2008)  “Threats are the likelihood of, or potential for, hazardous events occurring.” (Schumacher 2006)  "A threat is the potential for abuse of an asset that will cause harm in the context of the problem“ (Haley 2004)  “Threat is a general condition, situation, or state ([…]) that may result in one or more related attacks” (Firesmith 2004) The concept of Threats is  … ambiguous  … approached from various perspectives  … subjective dependent on who talks about threats  … often used inappropriately (e.g. as synonym for vulnerabilities)  … but crucial to understand security  problem at hand. Components of a Security Problem  Threats - Petty criminals, Organized crime, Law enforcement  Vulnerabilities - No encryption, Software defects  Assets – Secrets, System integrity, Hardware value Components of a Security Problem Approaches to Threat Modelling Threat Modelling in Software Development Threat Modelling Techniques Microsoft (MS) Security Development Lifecycle (SDL) Threat Modelling MS SDL Threat Modelling Tool  https://www.microsoft.com/en -us/securityengineering/sdl/thr eatmodeling?oneroute=true#: ~:text=Microsoft%20Threat% 20Modeling%20Tool&text=Th e%20Threat%20Modeling%2 0Tool%20enables,manage%2 0mitigations%20for%20securi ty%20issues Example: Web Shop MS SDL Threat Modelling Tool MS SDL Threat Modelling Tool Challenges for Using MS SDL Threat Modeling  When Three Engineers Interpret a Threat Model... Reflection Where is the sweet spot? Tools Summary  OSINT Types Recap  Active Information Gathering  Target Scanning and Tools  Banner Grabbing and Tools  Threats Overview  Threat Modelling This Week’s Lab  Complete Week 3 Lab Activities on Active Information Gathering using Nmap for Target Scanning  We will be using both the Kali Linux and Metasploitable virtual machines  Complete MySay module survey  Review the coursework specification document and ask any questions you might have! Reading List  http://www.pentest-standard.org/index.php/Intelligence_Gathering#Active_Foo tprinting  https://www.securitysift.com/passive-reconnaissance/  http://osintframework.com  https://github.com/enaqx/awesome-pentest#social-engineering-resources Next Week  Vulnerability Assessment  Coursework (formative) feedback in all future lab sessions Questions?

Ethical Hacking and Penetration Testing Lecture 3 PDF

Document Details

Tags

Related

Summary

Full Transcript