Offensive Security 2.pdf
Makerere University
Lockheed Martin Cyber Kill Chain

1. Reconnaissance
This is the research stage of the operation. Attackers scope out their target to identify vulnerabilities and potential entry points. It can be as simple as gathering public email addresses, or as advanced as deploying spying tools and automated scanners to learn which security products or third-party applications are in use. Reconnaissance is a pivotal step in any sophisticated cyberattack and can be done both online and offline. The more intelligence attackers gain at this stage, the more likely the attack is to succeed.

2. Weaponization
Once the attacker has gathered information on the target, they plan how to take advantage of its weaknesses and create the malware or malicious payload to use against it. This can include:
- designing new forms of malware
- modifying existing tools to better match the vulnerabilities they intend to exploit

3. Delivery
The attacker transmits the weapon to the target. Typically the payload reaches the victim through phishing emails or other social engineering, but delivery can also mean attacking an exposed service directly and exploiting a vulnerability in the organisation's hardware or software.

4. Exploitation
After successful delivery, the attacker triggers the weakness uncovered in the earlier phases to run code on the victim system. From here they can infiltrate the network further and learn of additional vulnerabilities they were unaware of before entering, often moving laterally from one system to another and spotting more entry points on the way. This is much easier for the attacker when the network has no deception measures (decoys, honeytokens) in place.

5. Installation
The attacker installs malware (a backdoor or implant) on the victim system to keep a foothold and to gain control of more systems, accounts and data; in practice this phase overlaps with privilege escalation, which is why some sources label it that way. Strategies include installing malware via:
- Trojan horses
- access token manipulation
- command-line interfaces
- backdoors
Tactics intensify here: attackers push deeper into the target network, hunting for unprotected credentials and changing permissions on compromised accounts.

6. Command and Control
One of the crucial steps of the kill chain is the establishment of a command and control channel (the C2 phase). Having gained control of part of the target's systems or accounts, the attacker can now track, monitor and direct the deployed tooling remotely. Two supporting techniques are commonly seen around this phase:
- Obfuscation: the attacker makes it look as though no threat is present, covering their tracks with methods such as file deletion, binary padding and code signing.
- Denial of service (DoS): the attacker causes problems in other systems or areas to distract the security team from uncovering the core objective of the attack. This often involves network or endpoint denial of service, as well as resource hijacking and system shutdowns.

7. Action (actions on objectives)
The seven stages culminate in action: the final phase in which the attacker carries out the underlying objective of the attack. Depending on the success of the previous steps this phase can take several weeks or months.
Common end goals of a strategic cyberattack include:
- supply chain attacks (using the victim as a stepping stone to its customers or partners)
- data exfiltration
- data encryption (ransomware)
- data compression (staging collected data before exfiltration)

References
https://www.splunk.com/en_us/blog/learn/cyber-kill-chains.html
https://www.crowdstrike.com/cybersecurity-101/cyber-kill-chain/

Vulnerability Assessment and Penetration Testing (VAPT)

Vulnerability Assessment and Penetration Testing (VAPT) is the umbrella term for security testing designed to identify, and help address, cyber security vulnerabilities.

VAPT Services

1. Penetration Testing
Penetration testing, or pen testing for short, is a multi-layered security assessment that combines automated and human-led techniques to identify and exploit vulnerabilities in infrastructure, systems and applications. A pen test conducted by a professional ethical hacker ends with a post-assessment report detailing the vulnerabilities discovered and remediation guidance for addressing them.

Types of penetration testing:
- internal/external infrastructure testing
- web application testing
- wireless network testing
- mobile application testing
- build and configuration review testing
- social engineering testing
- application and API review testing

Approaches to pen testing (by how much the tester knows in advance):
1. White box: full knowledge (source code, architecture, credentials)
2. Black box: no prior knowledge beyond what an outside attacker could obtain
3. Grey box: partial knowledge, for example a low-privileged user account

Penetration testing stages
- Reconnaissance: defining the scope and objectives of the test and gathering information about the target to plan the attack.
- Scanning: understanding how the target application will respond to different intrusion attempts. Openings are then found through static and dynamic analysis.
- Gaining access: the tester attempts to access and take control of one or more of the target's network devices, either to extract information of value or to pivot to another target.
- Maintaining access: checking whether the access gained can be kept long enough to establish a persistent presence on the target device.
- Covering tracks & analysis: removing the evidence of the test. In an authorised engagement this means cleaning up the tools, accounts and artefacts the tester introduced (and documenting anything that could not be reverted), not hiding the activity from the client. The results are then gathered into a report so the weaknesses can be examined.

2. Vulnerability Assessment
A vulnerability assessment, often encompassing vulnerability scanning, identifies, classifies and prioritises security weaknesses so they can be addressed; unlike a pen test it does not exploit them. Vulnerability assessment services also provide the ongoing support and advice needed to mitigate the risks identified.

3. Red Team Operations
A red team operation is the most in-depth security assessment available. Using modern adversarial techniques and threat intelligence, red teaming simulates the approach of real-life adversaries to test an organisation's ability to detect and respond to persistent threats.

VAPT Tools
A VAPT tool performs a vulnerability assessment (VA) to detect weaknesses and a penetration test (PT) to gain access by exploiting them. For example, a VA might detect weak encryption, while the PT tries to break it. VAPT tools scan for vulnerabilities, produce a PT report and, in some cases, run code or payloads. They also support PCI DSS, GDPR and ISO 27001 compliance work.

1. Nessus: a vulnerability and configuration scanner for IT infrastructure from Tenable. It is proprietary, not open-source (a free Essentials tier exists for small networks); OpenVAS was forked from the last open-source Nessus release.
2. OpenVAS: an open-source vulnerability scanner that monitors networks, systems and applications for security vulnerabilities. It identifies and classifies weak points in the infrastructure, rates the risk and recommends mitigations.
3. Nmap: Network Mapper, a network scanner. Nmap discovers hosts and services on a network by sending packets and analysing the responses.
4. Wireshark: a network protocol analyser, an application that captures packets from a network interface. Wireshark is the most widely used packet sniffer and analysis tool.
5. BeEF: the Browser Exploitation Framework, an open-source tool that lets a tester use a hooked target browser as an attack point, or beachhead.
6. Burp Suite Pro: a toolset that makes web application security testing, vulnerability detection and penetration testing easier.
7. Aircrack-ng: a collection of wireless network security tools used to monitor, scan, crack passwords and attack wireless networks.
8. Metasploit: a solid framework with ready-to-use exploit code. The Metasploit project supports it with information on a large number of vulnerabilities and their associated exploits.
9. sqlmap: an open-source penetration testing tool that automates the detection and exploitation of SQL injection.
10. Nikto: a web server and web application vulnerability scanner that also checks content management systems.
11. w3af: a web application attack and audit framework. It detects more than 200 classes of web application flaws.

Focus Points

Reconnaissance: Active and Passive

With active reconnaissance, the tester interacts directly with the target system and attempts to obtain information through automated scanning or manual testing, with tools such as ping probes, port scanners, traceroute and netcat. Active recon is generally faster and more accurate, but riskier: it creates noise on the target and has a higher chance of being detected and logged.

Passive reconnaissance gathers information without directly interacting with the target's systems: physical observation around buildings, eavesdropping on conversations, finding papers with logins and passwords, Google dorks, open source intelligence (OSINT), advanced Shodan searches, WHOIS data, and sniffing traffic the tester can already see (which allows passive OS fingerprinting from packet characteristics). OS fingerprinting with a scanner such as nmap -O sends probes to the target and is therefore active.
Useful passive sources: WHOIS, WhatCMS, the Wayback Machine.

Google dorking is a method for finding information that is hard to locate through simple queries, by using advanced search operators in the search string. An operator takes its argument immediately after the colon, with no space.

- site: restricts the search to a particular website, top-level domain or subdomain.
  site:tesla.com
  site:maps.google.com
  site:godaddy.com domain registration
- @ restricts the search to a particular social platform.
  @youtube pentest
  @twitter trending memes
  @reddit memes -dark
- filetype:, ext: restrict the returned addresses to the given file type or extension.
  filetype:pdf home cooking
  ext:txt cars
- imagesize:WIDTHxHEIGHT restricts image results to the given dimensions (width first, a plain letter x between).
  imagesize:1920x1080
- weather: gets the weather for the given location.
  weather:tokyo
- location:, loc: find information about a location.
  location:syria earthquake
- intitle:, allintitle: look for pages whose title contains the search terms (allintitle: requires all of them).
  intitle:g wagon
  allintitle:g wagon
- inurl: finds URLs containing the given string.
  inurl:login.php
- intext:, allintext: find pages whose body text contains the terms.
  intext:"Index of /" +.htaccess
- " " returns exact matches of the string enclosed in double quotes. These must be straight quotes ("), not curly quotes (“ ”); single quotes do not work.
  "country side"
  "index of" "database.sql.zip"   (finds SQL dumps exposed on misconfigured web servers)
- OR, | return pages containing either term; this is an inclusive OR.
  ferrari OR audi
- - (hyphen) excludes results containing the word or phrase after it.
  "cross site scripting" -"penetration testing"
  jumia -reviews
- link: finds pages linking to the given site. Google retired this operator in 2017, so its results are no longer reliable.
  link:mak.ac.ug PhD science   (pages about "PhD" and "science" that link to Makerere University's website)
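As an added example (not part of the original notes), the Python helper below assembles dorks while enforcing the syntax rules just listed: no whitespace after the operator colon, straight double quotes only, and multi-word terms wrapped as exact phrases. The operator names and the sample targets (mak.ac.ug, "index of") come from the list above; the Google search URL format and the decision to reject single-quoted terms are assumptions of the example.

```python
from urllib.parse import urlencode

# Operators from the notes that take an argument glued to the colon.
# Assumed: only this set is accepted; Google itself supports more.
GLUED_OPERATORS = {"site", "filetype", "ext", "intitle", "allintitle", "inurl",
                   "intext", "allintext", "imagesize", "link", "weather",
                   "location", "loc"}
CURLY_QUOTES = {"\u201c": '"', "\u201d": '"'}


def normalize_quotes(term: str) -> str:
    """Rewrite curly quotes (often pasted from a document) to straight ones and
    reject single-quoted terms, which Google does not treat as an exact match."""
    for curly, straight in CURLY_QUOTES.items():
        term = term.replace(curly, straight)
    if len(term) >= 2 and term[0] == "'" and term[-1] == "'":
        raise ValueError("single quotes do not mean exact match: %r" % term)
    return term


def quote_if_needed(term: str) -> str:
    """Wrap multi-word terms in straight double quotes so they match as a phrase."""
    term = normalize_quotes(term)
    if " " in term and not (term.startswith('"') and term.endswith('"')):
        return '"%s"' % term
    return term


def build_dork(operators=(), terms=(), exclude=(), any_of=()) -> str:
    """Assemble one dork string.

    operators: (name, value) pairs, e.g. ("site", "mak.ac.ug"). An unquoted value
               must be a single token: 'site: mak.ac.ug' would search for the
               literal word 'site:' instead of restricting the domain.
    terms:     terms that must appear; multi-word terms become exact phrases.
    exclude:   terms that must not appear (prefixed with '-').
    any_of:    terms joined with OR (inclusive).
    """
    parts = []
    for name, value in operators:
        if name not in GLUED_OPERATORS:
            raise ValueError("unknown operator %r" % name)
        value = normalize_quotes(value)
        quoted = value.startswith('"') and value.endswith('"')
        if not value or (not quoted and any(ch.isspace() for ch in value)):
            raise ValueError("argument of %s: must be one token or a quoted phrase" % name)
        parts.append("%s:%s" % (name, value))
    parts += [quote_if_needed(t) for t in terms]
    parts += ["-" + quote_if_needed(t) for t in exclude]
    if any_of:
        parts.append(" OR ".join(quote_if_needed(t) for t in any_of))
    return " ".join(parts)


def search_url(query: str) -> str:
    """Search URL for the query; urlencode handles the quotes, colons and spaces."""
    return "https://www.google.com/search?" + urlencode({"q": query})


if __name__ == "__main__":
    q = build_dork(operators=[("site", "mak.ac.ug"), ("filetype", "pdf")],
                   terms=["annual report"], exclude=["draft"])
    print(q)
    print(search_url(q))
```

The validation is deliberately strict: a dork that silently turns into a plain keyword search (because of a stray space or a curly quote) returns unrelated results, and in a recon workflow that looks like "nothing exposed" when the query simply never ran as intended.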
Scanning with nmap

nmap 1.1.1.1  /  nmap example.com        Basic scan against an IP or hostname
nmap -sn 192.168.5.0/24                 Ping scan, the easiest way to find live hosts on a network (no port scan; -sn replaced the older -sP)
nmap -oN output.txt securitytrails.com  Save the result to a file
nmap -sV localhost                      Detect service versions
nmap -iL list.txt                       Scan hosts and IP addresses read from a text file

Suppose list.txt contains these lines:
192.168.1.106
cloudflare.com
microsoft.com
securitytrails.com

nmap --top-ports 20 192.168.1.106       Scan the 20 most common ports

Scanning an IP range
nmap 8.8.8.0/28                         CIDR notation: 16 addresses, 8.8.8.0 to 8.8.8.15
nmap 8.8.8.1-14                         Octet range: 8.8.8.1 to 8.8.8.14
nmap 8.8.8.*                            Wildcard: all 256 addresses from 8.8.8.0 to 8.8.8.255

Scan specific ports or whole port ranges
nmap -p 1-65535 localhost
nmap -p 80,443 8.8.8.8

Save scan results to a file
nmap -oN output.txt securitytrails.com  Normal, human-readable output
nmap -oX output.xml securitytrails.com  XML output, for parsing by other tools

OS and service detection
nmap -A -T4 cloudflare.com              -A enables OS detection, version detection, script scanning and traceroute; -T4 is a faster timing template
nmap -sV localhost                      Version detection only

TCP or UDP scans
nmap -sT 192.168.1.1                    TCP connect scan (no raw sockets needed; without root this is the default, with root the default is the SYN scan -sS)
nmap -sU localhost                      UDP scan (slow, needs root)

Detecting malware infections on remote hosts
A common malware check uses the http-malware-host NSE script:
nmap -sV --script=http-malware-host 192.168.1.105
Or Google's Safe Browsing lookup (the script needs a Google Safe Browsing API key supplied through --script-args):
nmap -p80 --script http-google-malware infectedsite.com

Example output:
80/tcp open http
|_http-google-malware.nse: Host is known for distributing malware.
References
https://mindmajix.com/what-is-vapt
https://www.redscan.com/services/penetration-testing/vapt/
https://vapt.in/
https://www.spiceworks.com/it-security/vulnerability-management/articles/best-penetration-testing-tools/
https://www.getastra.com/blog/security-audit/vulnerability-assessment-scanning-tools/
https://www.g2.com/articles/penetration-testing
https://cacm.acm.org/magazines/2021/3/250712-cyber-reconnaissance-techniques/fulltext
https://securitytrails.com/blog/nmap-commands
https://www.stationx.net/google-dorks-cheat-sheet/