CompTIA Pentest+ - Exam (elaborations)
Pages: 79 | Grade: A+ | Uploaded on: 08-04-2022 | Written in: 2021/2022

Methodology - __ is a system of methods used in a particular area of study or activity.

Pentest Methodology - __:
1. Planning & Scoping
2. Info Gathering & Vulnerability ID
3. Attacks & Exploits
4. Reporting & Communication

NIST SP 800-115 Methodology - __:
1. Planning
2. Discovery
3. Attack
4. Reporting

Planning a Penetration Test - __, questions to ask:
▪ Why Is Planning Important?
▪ Who is the Target Audience?
▪ Budgeting
▪ Resources and Requirements
▪ Communication Paths
▪ What is the End State?
▪ Technical Constraints
▪ Disclaimers

Planning a Penetration Test - Budgeting - __:
▪ Controls many factors in a test
▪ If you have a large budget, you can perform a more in-depth test
  ● Increased timeline for testing
  ● Increased scope
  ● Increased resources (people, tech, etc.)

Planning a Penetration Test - Resources and Requirements - __:
▪ What resources will the assessment require?
▪ What requirements will be met in the testing?
  ● Confidentiality of findings
  ● Known vs. unknown vulnerabilities
  ● Compliance-based assessment

Planning a Penetration Test - Communication Paths - __:
▪ Who do we communicate with about the test?
▪ What info will be communicated and when?
▪ Who is a trusted agent if testing goes wrong?

Planning a Penetration Test - What is the End State? - __:
▪ What kind of report will be provided after the test?
▪ Will you provide an estimate of how long remediations would take?

Planning a Penetration Test - Technical Constraints - __:
▪ What constraints limited your ability to test?
▪ Provide the status in your report
  ● Tested
  ● Not Tested
  ● Can't Be Tested

Planning a Penetration Test - Disclaimers - __:
▪ Point-in-Time Assessment
  ● Results were accurate when the pentest occurred
▪ Comprehensiveness
  ● How complete was the test?
  ● Did you test the entire organization or only specific objectives?

Rules of Engagement (RoE) - __ are detailed guidelines and constraints regarding the execution of information security testing.
The __ is established before the start of a security test, and gives the test team authority to conduct defined activities without the need for additional permissions.

Rules of Engagement (RoE) Overview - __:
▪ Timeline
▪ Locations
▪ Time restrictions
▪ Transparency
▪ Test boundaries

RoE: Timeline - __:
▪ How long will the test be conducted?
  ● A week, a month, a year
▪ What tasks will be performed and how long will each be planned for?

RoE: Locations - __:
▪ Where will the testers be located?
  ● On-site or remote location
▪ Does the organization have numerous locations?
▪ Does it cross international borders?

RoE: Time Restrictions - __:
▪ Are there certain times that aren't authorized?
▪ What about days of the week?
▪ What about holidays?

RoE: Transparency - __:
▪ Who will know about the pentest?
▪ Will the organization provide resources to the testers (white box test)?

RoE: Boundaries - __:
▪ What will be tested?
▪ Is social engineering allowed to be used?
▪ What about physical security testing?
▪ How invasive can the pentest be?

Legal Concepts (1) - __: laws and regulations regarding cyber-crime vary from country to country; check the local laws before conducting an assessment.

Legal Concepts (2) - __ refers to consulting your attorney before performing any penetration testing work to ensure you are within the legal bounds of the laws of the country where you are operating.

Crimes and Criminal Procedure - __:
▪ Hacking is covered under United States Code, Title 18, Chapter 47, Sections 1029 and 1030

§ 1029 Fraud & related activity w/ access devices - __:
▪ Prosecutes those who knowingly and with intent to defraud produce, use, or traffic in one or more counterfeit access devices.
▪ Access devices can be an application or hardware that is created specifically to generate any type of access credentials

§ 1030 Fraud and related activity with computers - __:
▪ Covers just about any computer or device connected to a network
▪ Mandates penalties for anyone who accesses a computer in an unauthorized manner or exceeds one's access rights
▪ Can be used to prosecute employees using capability and accesses provided by their company to conduct fraudulent activity

Obtain Written Authorization - __:
▪ White hat hackers always get permission
▪ This is your get out of jail free card...
▪ Penetration tests can expose confidential information, so permission must be granted
▪ Third-party authorization when necessary
  ● Ex: from a Cloud service provider

Third-Party Authorization - __:
▪ If servers and services are hosted in the cloud, you must request permission from the provider prior to conducting a penetration test
  ● Ex: from a Cloud service provider

Pentest Contracts - __:
▪ Statement of Work (SOW)
▪ Master Service Agreement (MSA)
▪ Non-Disclosure Agreement (NDA)

Statement of Work (SOW) - __ is a formal document stating the scope of what will be performed during a penetration test.
▪ Clearly states what tasks are to be accomplished during an engagement

Master Service Agreement (MSA) - __ is a contract where parties agree to most of the terms that will govern future actions.
▪ High-level contract between a service provider and a client that specifies details of the business arrangement

Non-Disclosure Agreement (NDA) - __ is a legal contract outlining confidential material or information that will be shared during the assessment and what restrictions are placed on it.
▪ Agreement that defines confidential material and restrictions on the use and sharing of sensitive information with other parties

Corporate Policies - __:
▪ What do corporate policies allow you to do?
▪ Have employees waived their privacy?
▪ What policies should be tested?
  ● Password strength/reuse
  ● Bring Your Own Device (BYOD)
  ● Encryption
  ● Update frequency

Export Restrictions - __:
▪ The Wassenaar Agreement precludes the transfer of technologies considered "dual-use"
▪ Strong encryption falls under this restriction
▪ Penetration testing tools could be considered surveillance tools and fall under these rules

Penetration Testing Strategies - __:
▪ Black Box
▪ Gray Box
▪ White Box

Black Box (No Knowledge Test) - __:
▪ No prior knowledge of target or network
▪ Simulates an outsider attack
▪ Only focuses on what external attackers see and ignores the insider threat
▪ Takes more time and is much more expensive

White Box (Full Knowledge Test) - __:
▪ Full knowledge of the network, systems, and infrastructure
▪ Spend more time probing vulnerabilities and less time gathering information
▪ Tester is given support resources from the organization

Gray Box (Partial Knowledge Test) - __:
▪ Partial knowledge of target
▪ Can be used as an internal test to simulate an insider attack with minimal knowledge
▪ Can also be used to decrease the information gathering stage so more time can be spent on identifying vulnerabilities
▪ Ex: IP range provided, or company emails for phishing

White Box Support Resources - Generally provided only for a white box penetration test:
  ● Architectural diagrams
  ● Sample application requests
  ● SDK documentation
  ● SOAP project files
  ● Swagger document
  ● WSDL/WADL
  ● XSD

White Box Architectural Diagrams - __:
▪ Network diagrams, software flow charts, physical maps of organizational facilities
▪ Assists the tester in mapping out network topologies, location of switch closets, and where key information systems are located

White Box Sample Application Requests - __:
▪ Generally used for testing web applications or other applications developed by the organization

White Box SDK Documentation - __:
▪ Software Developer's Kit (SDK) provides a set of tools, libraries, documentation, code samples, processes, or guides to
allow faster development of a new app on a platform
▪ SDK provides code libraries for use

White Box SOAP Project File - __:
▪ Simple Object Access Protocol (SOAP) is a messaging protocol specification for exchanging structured information in the implementation of web services
▪ SOAP project files are created from WSDL files or a single service call

White Box Swagger Document - __:
▪ Open-source framework with a large system of tools to help design, build, document, test, and standardize REST web services
▪ Representational State Transfer (REST) has been replacing SOAP in most web applications in recent years
▪ REST is a web application architectural style based on HTTP

White Box WSDL - __:
▪ Web Services Description Language
  ● XML-based interface definition language used for describing the functionality offered by a web service such as a SOAP server
  ● Flexible and allows binding options
  ● Not useful for REST services with WSDL 1.1

White Box WADL - __:
▪ Web Application Description Language
  ● XML-based machine-readable description of HTTP-based web services
  ● Easier to write than WSDL but not as flexible
  ● Typically used for REST services

White Box XML Schema Definition (XSD) - __:
▪ World Wide Web Consortium (W3C) recommendation that specifies how to formally describe elements in an Extensible Markup Language (XML) document

Types of Pentest Assessments - __:
▪ Goal-based Pentests
▪ Objective-based
▪ Premerger
▪ Supply Chain
▪ Red Team

Goal-based Pentest Assessment - __:
▪ Specific goals are defined before testing starts
▪ Pentester may attempt to find many unique methods to achieve the specific goals

Objective-based Assessment (1) - __:
▪ Objective-based pentests seek to ensure the information remains secure
▪ Testing occurs using all methods and more accurately simulates a real attack

Objective-based Assessment (2) - Compliance-based - __:
▪ Risk-based compliance assessment that is required to ensure policies or regulations are being followed properly
▪ Regulations and policies provide checklists, for example the PCI-DSS compliance assessment
▪ Objectives are clearly defined
▪ Focus is on password policies, data isolation, limited network/storage access, and key management

Premerger Assessment - __:
▪ Before two companies perform a merger, it is common to conduct penetration tests on them to identify weaknesses being inherited
▪ Can be a part of the due diligence efforts

Supply Chain Assessment - __:
▪ Pentests may be required of your suppliers to ensure they are meeting their cybersecurity requirements
▪ Can be required prior to allowing an interconnection between the supplier's systems and your organization's systems
▪ Minimize risk by purchasing only from trusted vendors

Red Team - __ is a penetration test conducted by internal pentesters of an organization during a security exercise to ensure defenders (blue team) can perform their jobs adequately

Threat Actors - __:
▪ Advanced Persistent Threat (APT)
▪ Hacktivist
▪ Insider Threat
▪ Script Kiddies

Threat Actors - Tiers of Adversaries - __:
▪ Not all threat actors are created equal
▪ Some are structured, some are unstructured
▪ Some are more skilled than others

Threat Actors - Advanced Persistent Threat (APT) - __:
▪ Group with great capability and intent to hack a particular network or system
▪ Target organizations for business or political motives and are usually funded by nation states
▪ Conduct highly covert hacks over long periods of time

Threat Actors - Hacktivist - __:
▪ Conduct activities against governments, corporations, or individuals
▪ Can be an individual or a member of a group

Threat Actors - Insider Threat - __:
▪ Already have authorized user access to the networks, making them extremely dangerous
▪ May be a skilled or unskilled attacker
▪ Might be a former or current employee

Threat Actors - Script Kiddies - __:
▪ Low-skilled attackers who use others' tools
▪ Use freely
available vulnerability assessment and hacking tools to conduct attacks

Threat Actors - What is the Intent? - __:
▪ Greed or monetary gain
▪ Power, revenge, or blackmail
▪ Thrills, reputation, or recognition
▪ Espionage or political motivation

Threat Actors - Threat Modeling - __:
▪ What threat are you trying to emulate?
▪ Will you use open-source and openly available tools like a script kiddie, or create custom hacks like an Advanced Persistent Threat?
▪ Will you be given insider knowledge or perform a white box penetration test?

Tiers of Adversaries - __:
1 - Little money & rely on off-the-shelf tools/known exploits
2 - Little money & invested in own tools against known vulnerabilities
3 - Invests lots of money to find vulnerabilities to steal for profit
4 - Organized, technically proficient, funded, working in teams
5 - Nation states investing tons of money in finding/creating vulnerabilities
6 - Nation states investing tons to carry out military ops

Target Selection - __:
▪ Internal or External
▪ First-party or Third-party hosted
▪ Physical
▪ Users
▪ SSIDs
▪ Applications

Target Selection - Internal - __ focuses on targets inside the firewall
  ● Can be on-site or off-site
  ● Logically internal

Target Selection - External - __ focuses on publicly facing targets
  ● Webservers in the DMZ
  ● Outside the protected LAN

Target Selection - First-party or Third-party - __:
▪ Are the targets hosted by the organization or by a third-party service provider?
▪ DionT is hosted by Thinkific and might be outside the penetration test scope

Target Selection - Physical - __:
▪ Are we contracted to test physical security?
▪ Should we attempt to break into the facility?

Target Selection - Users - __:
▪ Is social engineering authorized?
▪ Are particular users being targeted or not considered part of the assessment?

Target Selection - Wireless and SSIDs - __:
▪ Is wireless pentesting being conducted?
▪ Are any SSIDs out of scope?
  ● Guest or public network

Target Selection - Applications - __:
▪ Are we focused on a particular application?
▪ Is a particular application mission critical and cannot be targeted?
  ● Credit card processing system
  ● Health care system

Scoping Considerations - Whitelist vs Blacklist - __:
▪ Will your pentest systems be put on a list?
▪ A whitelist will allow you access, but a blacklist will prevent your system from connecting

Scoping Considerations - Security Exceptions - __:
▪ Intrusion Prevention System (IPS)
▪ Web Application Firewall (WAF)
▪ Network Access Control
▪ Certificate Pinning
  ● Required if the organization relies on digital certificates as part of their security
▪ Company policies

Scoping Considerations - Risk - __:
▪ What is the risk tolerance of the organization?
▪ Avoidance
  ● Actions taken to eliminate risk completely
▪ Transference
  ● Risk is moved to another entity
▪ Mitigation
  ● Controls and countermeasures are put into place
▪ Acceptance
  ● Risk is identified, analyzed, and within limits

Scoping Considerations - Tolerance to Impact - __:
▪ What is the impact to operations going to be?
▪ Balance the assessment needs with the operational needs of the organization by placing things in or out of scope

Scoping Considerations - Schedule - __:
▪ Will the timing of the penetration test be known by the organization's defenders?
▪ Will it be performed during peak or off-peak hours?
▪ What about holidays?

Scoping Considerations - Scope Creep - __:
▪ Condition when a client requests additional services after the SOW and project scope have been agreed to and signed
▪ How will scope be contained?
▪ Document any changes to the scope of the test
▪ Recommend signing a change order to the SOW

Information Gathering and Vulnerability Identification - __:
▪ Conducting information gathering
▪ Performing vulnerability scanning
▪ Analyzing results of vulnerability scans
▪ Leveraging information for exploitation
▪ Weaknesses in specialized systems

Information Gathering - Reconnaissance - __ refers to the systematic attempt to locate, gather, identify, and record information about a target
▪ Also known as footprinting the organization

Information Gathering - Reconnaissance Techniques - __:
▪ Internet or open-source research
▪ Social engineering
▪ Dumpster diving
▪ Email harvesting

Reconnaissance - What kind of information are we looking to find? - __:
▪ Phone numbers
▪ Contact names
▪ Email addresses
▪ Security-related information
▪ Information systems used
▪ Job postings
▪ Resumes

Reconnaissance Tools - __:
▪ Nslookup
▪ Traceroute
▪ Ping
▪ Whois
▪ Domain Dossier
▪ Email Dossier
▪ Google
▪ Social Networking
▪ D
▪ Maltego

Nslookup - __ is a command-line program in Windows used to determine exactly what information the DNS server is providing about a specific host name.
▪ Is a Reconnaissance Tool

Traceroute - __ is a utility application that monitors the network path of packet data sent to a remote computer.
▪ Is a Reconnaissance Tool

Ping - __ sends a message from one computer to another to check whether it is reachable and active.
▪ Is a Reconnaissance Tool

Whois - __ is a public Internet database that contains information about Internet domain names and the people or organizations that registered the domains.
▪ It is a source of information that can be used to exploit system vulnerabilities.
▪ Is a Reconnaissance Tool

Domain Dossier - __ is a tool used to investigate domains and IP addresses.
▪ It gathers registrant information, DNS records, and other things, compiling it all into one report.
▪ Is a Reconnaissance Tool

Dossier - __ is a specific collection of documents.
▪ Is a Reconnaissance Tool

Email Dossier - __ is a tool used to investigate emails.
▪ Is a Reconnaissance Tool

Google - __ is a search engine that can be used to find information about a target.
▪ Is a Reconnaissance Tool

Google hacking - __ is the technique of using advanced operators in the Google search engine to locate specific strings of text within search results, including strings that identify software vulnerabilities and mis-configurations.
▪ Is a Reconnaissance Tool

Social Networking - __ is a means by which people use the Internet to communicate and share information among their immediate friends, and meet and connect with others through common interests, experiences, and friends.
▪ Is a Reconnaissance Tool

D - __ is a discovery framework that was developed to quickly and efficiently identify passive information about a company or network.
▪ This framework is used through a tool called Discover-scripts
▪ Is a Reconnaissance Tool

Maltego - __ is a program that can be used to determine the relationships and real-world links between:
  ● People
  ● Groups of people (social networks)
  ● Companies
▪ Intelligence gathering and analysis platform
▪ Is a Reconnaissance Tool

Domain name squatting - Cybersquatting (also known as __), according to the United States federal law known as the Anticybersquatting Consumer Protection Act, is registering, trafficking in, or using an Internet domain name with bad faith intent to profit from the goodwill of a trademark belonging to someone else

Scanning - __ is actively connecting to the system and getting a response to identify open ports and services

Types of Scanning - __:
▪ Hosts
▪ Systems
▪ Networks
▪ Computers
▪ Mobile Devices
▪ Applications
▪ Printers

Enumeration - __ is actively connecting to the systems to determine open shares, user accounts, software versions, and other detailed info

Types of Enumeration - __:
▪ Hosts
▪ Networks
▪ Domains
▪ Users/Groups
▪ Network shares
▪ Web pages
▪ Applications
▪ Services
▪ Tokens
▪ Social networks

How Do We Scan and Enumerate? - __:
▪ Use specialized scanning/enumeration tools and public information sources

Fingerprinting - __ is identification of the operating system, service, and software versions being used by a host
▪ Determining the OS type and version a target is running

Banner Grabbing - __ is gathering information from messages that a service transmits when another program connects to it.
▪ Manual enumeration and fingerprinting
▪ Use telnet or Netcat to connect to the target host
▪ Commonly used for FTP, SSH, Telnet, & HTTP

telnet - __ is a network protocol that allows a user on one computer to log into another computer that is part of the same network.
▪ Port 23
▪ Can be used for Banner Grabbing

Netcat (nc) - __ is a computer networking utility for reading from and writing to network connections using TCP or UDP.
▪ The command is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts.
▪ Is a Packet Crafting Tool & Banner Grabbing Tool

Packet Crafting - __ is also known as packet manipulation
▪ Sending modified packet headers to gather information from a system or host
▪ Creating specific network packets to gather information or carry out attacks
▪ Tools - netcat, nc, ncat, hping

Packet Crafting Tools - __:
▪ Nmap
▪ Netcat (nc)
▪ Ncat (ncat)
▪ Hping

Nmap - __ uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
▪ Is a Packet Crafting Tool

Ncat (ncat) - __ is a general-purpose command-line tool for reading, writing, redirecting, and encrypting data across a network. __ is suitable for interactive use or as a network-connected back end for other tools.
▪ Is a Packet Crafting Tool

Hping - __ is a TCP/IP packet assembler/analyzer, running on most *nix versions. It supports various protocols, including TCP, UDP and ICMP.
▪ Good guys commonly use it to scan ports for holes that bad guys try to exploit.
▪ It's also useful for testing network machines by firing precompiled exploits at them.
▪ Is a Packet Crafting Tool

Packet Inspection - __ is manual enumeration performed by analyzing the captured packets to determine information
▪ Capturing and analyzing network packets
▪ Tool - Wireshark

Cryptographic Inspection - __ is determining what encryption is being used during your information gathering
▪ Do they have web servers with SSL or TLS?
▪ What about wireless networks using WEP, WPA, WPA2, or a WPS handshake?
▪ Are files encrypted on the network shares?
Certificate Inspection - __:
▪ Web servers will identify the type of encryption they support (SSL 2.0, SSL 3.0, or TLS)
▪ Tools exist to automate this process
  ● The SSLyze script comes with Kali Linux

SSLyze - __ is a Python tool that can analyze the SSL configuration of a server by connecting to it. It is designed to be fast and comprehensive, and should help organizations and testers identify mis-configurations affecting their SSL servers.
▪ Server certificate validation and revocation checking through OCSP stapling.
▪ Certificate Inspection Tool

Eavesdropping - __ is used to refer to the interception of communication between two parties by a malicious third party.
▪ Radio frequency monitoring can be performed to determine the type of devices used in the facility (cellular, WiFi, Bluetooth, etc.)
▪ Radio frequencies can be captured and analyzed using specialized tools

Sniffing Network Traffic - __ is when you intercept and log network traffic that can be seen via the wired or wireless network interface.
▪ If you gain access to one host computer, you could use it to capture traffic on other parts of the network, too!

Packet Capture - __ is a computer networking term for intercepting a data packet that is crossing or moving over a specific computer network. Once a packet is captured, it is stored temporarily so that it can be analyzed.

Packet Capture Techniques - __: Use Wireshark or TCPDump to conduct packet capturing of wired or wireless networks
▪ Connect to a mirrored port to capture wired network traffic
▪ Wireless networks can be captured and their encryption cracked to access the data using Aircrack-ng

Wireshark - __ is an open source tool for profiling network traffic and analyzing packets.
▪ This information can be useful for evaluating security events and troubleshooting network security device issues.
__ will typically display information in three panels.

TCPDump - __ is an open source command-line tool for monitoring (sniffing) network traffic.
__ works by capturing and displaying packet headers and matching them against a set of criteria.

Aircrack-ng - __ is a complete suite of tools to assess WiFi network security.
▪ It focuses on different areas of WiFi security: Monitoring: packet capture and export of data to text files for further processing by third-party tools.
▪ Wireless hacking suite that consists of a scanner, packet sniffer, and password cracker

Decompiling - __ is the process of reverse-engineering source code from the binary.
▪ Reverse engineering of software using a decompiler
▪ Reverses the processes of a compiler, but not as cleanly
▪ Decompilers cannot always turn executables back into their source code, but can turn them back into byte code or assembly

Debugging - __ is the process of finding and resolving defects or problems within a computer program that prevent correct operation of computer software or a system.
▪ Used to identify and remove errors from hardware, software, or systems
▪ Tools - windbg

Decompiling vs Debugging - __:
▪ Decompiling uses a static analysis of code
▪ Debugging often uses a dynamic approach that allows code to be run
  ● Code is run step by step through the program
  ● Code can be run until a break point
▪ Both techniques can be useful when conducting a penetration test or assessment of custom-built applications

Open-Source Intelligence (OSINT) - __ is data collected from publicly available sources to be used in an intelligence context. In the intelligence community, the term "open" refers to overt, publicly available sources. It is not related to open-source software or collective intelligence.
Vulnerability Scans - __ are scans of a host, system, or network to determine what vulnerabilities exist
▪ Numerous tools used by both defenders and attackers to identify vulnerabilities
▪ Tools are only as good as their configuration

Non-credentialed Scans - __ enumerate ports, protocols, and services that are exposed on a host and identify vulnerabilities and mis-configurations that could allow an attacker to compromise your network.
▪ Scanner doesn't have a user or admin account
▪ Closer to the hacker's perspective
▪ Fewer details, often used in early phases of attacks/tests

Credentialed Scans - __ are scans in which the scanning computer has an account on the computer being scanned that allows the scanner to do a more thorough check, looking for problems that cannot be seen from the network.
▪ Scanner uses an authorized user or admin account
▪ Closer to the system administrator's perspective
▪ Finds more vulnerabilities
▪ More detailed, accurate information

Types of Vulnerability Scans - __:
▪ Discovery scan
▪ Full scan
▪ Stealth scan
▪ Compliance scan

Discovery Scan - __ is used to find potential targets.
▪ Identity/info gathering early on
▪ Least intrusive scan (like a ping sweep)
▪ Used to create a network map to show connected devices in the architecture
▪ Nmap ping sweep: nmap -sP target

Full Scan - __ scans ports, services, and vulnerabilities.
▪ In-depth scan including ports, services, and vulnerabilities
▪ Easy to see in network traffic when performed
▪ nmap -A target

Stealth Scan - __ attempts to avoid tripping defensive control thresholds.
▪ Conducts scans by sending a SYN packet and then analyzing the response
▪ If SYN/ACK is received, the destination is trying to establish the connection (port is open) and the scanner sends a packet with RST
▪ nmap -sS target

Compliance Scan - __ scans for specific known vulnerabilities that would make a system non-compliant.
▪ Used to identify vulnerabilities that may affect compliance with regulations or policies
▪ Commonly set up as a scanning template in your vulnerability scanner (PCI-DSS)

Vulnerability Scanner Tools - __:
▪ QualysGuard Vulnerability Scanner
▪ Tenable's Nessus Vulnerability Scanner
▪ Rapid7's Nexpose
▪ OpenVAS (Open-source Scanner)
▪ Nikto (Web Application Scanner)

QualysGuard Vulnerability Scanner - __ is a popular SaaS (software as a service) vulnerability management offering. Its web-based UI offers network discovery and mapping, asset prioritization, vulnerability assessment reporting, and remediation tracking according to business risk.

Tenable's Nessus Vulnerability Scanner - __ is a remote security scanning tool, which scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to gain access to any computer you have connected to a network.

Rapid7's Nexpose - __ is a vulnerability scanner which aims to support the entire vulnerability management lifecycle, including discovery, detection, verification, risk classification, impact analysis, reporting, and mitigation.
▪ It integrates with Rapid7's Metasploit for vulnerability exploitation.

OpenVAS (Open-source Scanner) - __ is a software framework of several services and tools offering vulnerability scanning and vulnerability management.
▪ All OpenVAS products are free software, and most components are licensed under the GNU General Public License.

Nikto (Web Application Scanner) - __ is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers.

Scanning Considerations - When Do You Run the Scans? - __:
▪ Scanning the systems can take up valuable resources and slow down the network
▪ Are you trying to be sneaky?
▪ When is the best time to run the scans?

Scanning Considerations - What Protocols Will Be Used? - __:
▪ Each protocol scanned takes time/resources
▪ Will you scan every port and service?
▪ Consult the scope of the assessment and its objectives

Scanning Considerations - Where Do You Scan From? - __:
▪ Network topology is important: are you inside or outside the network?
▪ PCI-DSS requires both internal and external scanning to be performed

Scanning Considerations - Bandwidth Limitations - __:
▪ How much bandwidth is dedicated to the scan?
▪ Throttle the queries if needed
  ● Nmap -T option sets the timing

Scanning Considerations - Fragile or Non-Traditional Systems - __:
▪ Should we scan these?
▪ Should we exempt these?
▪ How to avoid impacting fragile mission critical systems?

Application Scanning - __ is a software program which performs automatic black box testing on a web application and identifies security vulnerabilities. Scanners do not access the source code; they only perform functional testing and try to find security vulnerabilities.

Application Scanning - Dynamic Analysis - __ identifies vulnerabilities in a runtime environment.
▪ Automated tools provide flexibility on what to scan for.
▪ It allows for analysis of applications in which you do not have access to the actual code.
▪ It can be conducted against any application.
▪ Occurs while a program is running
▪ Program is run in a sandbox and changes noted

Application Scanning - Static Analysis (SAST) - __ is a testing methodology that analyzes source code to find security vulnerabilities that make your organization's applications susceptible to attack. __ scans an application before the code is compiled.
▪ It's also known as white box testing.
▪ Performed in a non-runtime environment
▪ Inspects programming code for flaws/vulnerabilities
▪ Line-by-line inspection can be performed

Container - __ are like micro virtual machines
▪ Each container is built from the base Operating System image with unique applications run on top of it
▪ Requires fewer resources than a typical VM
▪ Docker, Puppet, and Vagrant are examples

Docker - __ is a set of platform-as-a-service products that use OS-level virtualization to deliver software in packages called containers.
▪ Containers are isolated from one another and bundle their own software, libraries, and configuration files.
▪ They can communicate with each other through well-defined channels.

Puppet - __ is an open source software configuration management and deployment tool.
▪ It's most commonly used on Linux and Windows to pull the strings on multiple application servers at once.

Vagrant - __ is an open-source software product for building and maintaining portable virtual software development environments, e.g. for VirtualBox, KVM, Hyper-V, Docker containers, VMware, and AWS.
▪ It tries to simplify software configuration management of virtualizations in order to increase development productivity.

Containers Require Security - __:
▪ Containers still contain applications which can contain vulnerabilities
▪ Still need to be scanned for vulnerabilities
▪ If an OS vulnerability is found, it will apply to multiple containers (all based on the same OS) and can lead to a large level of exploitation

Analyzing Vuln Scans - Asset Categorization - __:
▪ Categorize by Operating System or function
▪ Ideally, we identify high-value assets
  ● Domain Controllers, Web Servers, Databases, etc.
▪ Identify and rank assets by relative value
▪ Categorize by most vulnerabilities
▪ Categorize by the most critical vulnerability
▪ Vulnerable assets with little value could be a waste of time

Adjudication - __ is a series of steps that determine which vulnerabilities are valid.
▪ Determine which results are valid
  ● False positives
  ● Filter out false positives

False positives - __ is a vulnerability that is identified by the scan but does not really exist on the system
▪ Should be filtered out of your scans

Prioritize the Vulnerabilities - __:
▪ Consider the most critical vulnerabilities first
▪ What target should we focus on first?

Common Themes - Analyze vulnerability scans for __ that are recurring items
▪ Do the same vulnerabilities show up on many hosts?
▪ Do you see the same types of operating systems and applications being used across the network?
▪ Lack of best practices
  ● Common mis-configurations
  ● Weak passwords
  ● Poor security practices
  ● Logging disabled

Prioritize Efforts for Pentest - __:
▪ What will be attacked first?
▪ What exploits will we use?
  ● Do we need custom-made exploits?
▪ Does Metasploit or Nmap already have known exploits for the vulnerabilities?
  ● Use the 'search' function in Metasploit

Metasploit - The __ Project is a computer security project that shows the vulnerabilities and aids in penetration testing.
▪ Can be used to create security testing tools and exploit modules, and also as a penetration testing system.

Common Attack Techniques - __:
▪ Cross-compiling code
▪ Exploit modification
▪ Exploit chaining
▪ Proof-of-concept development
▪ Social engineering
▪ Credential brute forcing
▪ Dictionary attacks
▪ Rainbow tables
▪ Deception

Cross-compiling Code - __ is a type of compiler that can create executable code for a platform other than the one on which the compiler is running.
▪ Many pentesters use Kali Linux, but many victim systems are Windows-based
▪ Exploits for Windows can be compiled on Linux using tools like Mingw-w64

Exploit Modification - __:
▪ If the organization has added security, you may need to modify exploits to get past it
▪ Encrypting or encoding an exploit to avoid detection by anti-virus

Exploit Chaining - __:
▪ Involves layering exploits in a series
▪ Exploit chain example:
  1. Bypass the firewall
  2. Gain access to user system
  3. Escalate privileges

Proof-of-Concept Development - __:
▪ New or custom exploits require testing before using them in a pentest
▪ Build a virtual machine based on the specifications you learned during enumeration

Social Engineering - __ involves manipulating people to get information or to gain access.
▪ Often utilizes deception and lies

Credential Brute Forcing - __:
▪ Attempt to crack a password or authentication system to gain access
▪ Attempt to crack passwords from a hash file
▪ Conduct password guessing to log in

Dictionary Attack - __ is a brute force attack that uses a dictionary of commonly used usernames and passwords.
▪ Weak passwords and passwords from previous data breaches make a great list

Rainbow Tables - __ are pre-computed hash values of known usernames and passwords used for offline password file cracking

Industrial Control Systems (ICS) - __ is a collective term used to describe different types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate and/or automate industrial processes.

Supervisory Control and Data Acquisition (SCADA) - __ is a system of software and hardware elements that allows industrial organizations to:
  ● Control industrial processes locally or at remote locations
  ● Monitor, gather, and process real-time data

Programmable Logic Controller (PLC) - __ is a very small dedicated computer in an industrial system that is capable of converting analog data to digital data.
The __ works in real time, can control machinery, and is a critical component of the ICS (industrial control system). Mobile Devices - Weakness in Specialized Systems - __: ▪ Lack of updates (especially Android) ▪ Root/Jailbreak (especially iPhone) ▪ 3rd party applications ▪ Bluetooth, NFC, and WiFi ▪ Lack of Mobile Device Management in smaller organizations Internet of Things (IoT) - __ is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction. Embedded Devices - __ is an object that contains a special-purpose computing system. ▪ The system, which is completely enclosed by the object, may or may not be able to connect to the Internet. Point-of-Sale (POS) Systems - __ is typically includes a cash register (which in recent times comprises a computer, monitor, cash drawer, receipt printer, customer display and a barcode scanner) and the majority of retail POS systems also include a debit/credit card reader. Biometrics - __ is the identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting ▪ Fingerprint readers and other __ aren't foolproof security measures Application Containers - __ encapsulate the files, dependencies and libraries of an application to run on an OS. __ enable the user to create and run a separate container for multiple independent applications or multiple services constitute a single application. ▪ Breaking out of a container can allow attackers to break into other systems Real-Time Operating System (RTOS) - __ is an operating system intended to serve real-time applications that process data as it comes in, typically without buffer delays. ▪ Usually found in embedded systems ▪ Security is not a primary concern during their development
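The vulnerability-analysis cards above (asset categorization, adjudication, false positives, prioritization, common themes) describe a triage procedure. The following is an added worked example, not code from the study notes or from any scanner vendor: it runs that procedure over a constructed set of scan findings. The hosts, asset functions, plugin names, CVSS scores, the asset-value table and the false-positive list are all invented for illustration.

```python
"""Vulnerability-scan triage: categorize assets, adjudicate results,
prioritize by severity x asset value, and surface recurring themes.

Added example with constructed data; nothing here is real scanner output.
"""
from collections import defaultdict
from dataclasses import dataclass

# Relative value of an asset by its function (assumed ranking; high-value first).
ASSET_VALUE = {
    "domain-controller": 10,
    "database": 8,
    "web-server": 6,
    "workstation": 2,
    "printer": 1,
}

@dataclass(frozen=True)
class Finding:
    host: str
    function: str   # asset category taken from the asset inventory
    plugin: str     # name of the scanner check that fired
    cvss: float     # severity, 0.0 - 10.0

# Constructed scan results (invented hosts, plugins and scores).
FINDINGS = [
    Finding("dc01", "domain-controller", "SMB signing not required", 5.3),
    Finding("dc01", "domain-controller", "Kerberos weak encryption types", 7.5),
    Finding("db01", "database", "Default credentials", 9.8),
    Finding("web01", "web-server", "TLS 1.0 enabled", 6.5),
    Finding("web02", "web-server", "TLS 1.0 enabled", 6.5),
    Finding("ws17", "workstation", "TLS 1.0 enabled", 6.5),
    Finding("ws17", "workstation", "Outdated browser", 8.8),
    Finding("prn03", "printer", "Telnet service enabled", 9.8),
    Finding("web01", "web-server", "Apache version disclosure", 5.0),
]

# Adjudication: (host, plugin) pairs verified by hand as not real.
# Constructed case: the banner on web01 is injected by a reverse proxy.
KNOWN_FALSE_POSITIVES = {("web01", "Apache version disclosure")}

def adjudicate(findings, false_positives):
    """Keep only findings that were not verified as false positives."""
    return [f for f in findings if (f.host, f.plugin) not in false_positives]

def priority(f):
    """Severity weighted by asset value: a critical finding on a low-value
    printer should rank below a high finding on a domain controller."""
    return f.cvss * ASSET_VALUE.get(f.function, 1)

def prioritize(findings):
    """Attack order: highest weighted score first."""
    return sorted(findings, key=priority, reverse=True)

def common_themes(findings, min_hosts=2):
    """Plugins firing on several hosts indicate a systemic weakness
    (shared baseline or image) rather than a one-off bug."""
    hosts_by_plugin = defaultdict(set)
    for f in findings:
        hosts_by_plugin[f.plugin].add(f.host)
    return {p: sorted(h) for p, h in hosts_by_plugin.items() if len(h) >= min_hosts}

def most_critical_per_host(findings):
    """Categorize each host by its single most severe finding."""
    worst = {}
    for f in findings:
        if f.host not in worst or f.cvss > worst[f.host].cvss:
            worst[f.host] = f
    return worst

if __name__ == "__main__":
    valid = adjudicate(FINDINGS, KNOWN_FALSE_POSITIVES)
    for f in prioritize(valid):
        print(f"{priority(f):6.1f}  {f.host:6} {f.function:18} {f.plugin}")
    print("recurring:", common_themes(valid))
```

The weighting is the point of the example: the printer's Telnet finding has the same raw CVSS as the database's default credentials, yet it drops to the bottom of the attack order once asset value is applied, while "TLS 1.0 enabled" shows up as a theme spanning three hosts and two asset classes.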
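The Credential Brute Forcing, Dictionary Attack and Rainbow Tables cards describe offline cracking of a dumped hash file. This added example (not code from the study notes) shows a dictionary attack against a constructed "user:hash" dump, the precomputed hash-to-password lookup that rainbow tables make practical, and, going one step beyond the cards, why a per-user salt makes that precomputed table useless while a plain dictionary attack still works, one guess at a time. SHA-256 stands in for whatever the target actually used; the wordlist, users and passwords are invented.

```python
"""Offline credential cracking: dictionary attack vs precomputed lookup,
with and without per-user salts.

Added example with constructed data. The dump format 'user:hash' and
'user:salt:hash' is assumed for the illustration, not taken from any tool.
"""
import hashlib
import secrets

# Constructed wordlist: common weak passwords plus "previous breach" material.
WORDLIST = ["123456", "password", "letmein", "Summer2021!", "P@ssw0rd", "qwerty"]

def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()

# Constructed unsalted hash file as a pentester might recover it.
UNSALTED_DUMP = "\n".join([
    f"alice:{sha256_hex('Summer2021!')}",
    f"bob:{sha256_hex('P@ssw0rd')}",
    f"carol:{sha256_hex('correct horse battery staple')}",  # not in wordlist
])

def parse_dump(text):
    """Parse 'user:hash' or 'user:salt:hash' lines into (user, salt, hash)."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 2:
            entries.append((parts[0], None, parts[1]))
        elif len(parts) == 3:
            entries.append((parts[0], parts[1], parts[2]))
    return entries

def build_lookup_table(wordlist):
    """Precomputed hash -> password table. A real rainbow table stores hash
    chains instead of every pair to save space, but the attack is the same:
    compute once, reuse against every unsalted dump you ever capture."""
    return {sha256_hex(w): w for w in wordlist}

def crack_with_table(dump_text, table):
    """Unsalted hashes fall to a single dictionary lookup each.
    Salted entries are skipped: the table was not built for their salt."""
    return {u: table[h] for u, s, h in parse_dump(dump_text) if s is None and h in table}

def crack_dictionary(dump_text, wordlist):
    """Dictionary attack. With salts, every candidate must be re-hashed per
    user, so no work is reusable; returns (cracked, number of hashes computed)."""
    cracked, guesses = {}, 0
    for user, salt, digest in parse_dump(dump_text):
        for word in wordlist:
            guesses += 1
            if sha256_hex((salt or "") + word) == digest:
                cracked[user] = word
                break
    return cracked, guesses

def make_salted_dump(creds):
    """Defender's side (toy: salt||password with a fast hash; real systems
    use a slow KDF such as bcrypt, scrypt or Argon2 on top of the salt)."""
    lines = []
    for user, pw in creds:
        salt = secrets.token_hex(8)
        lines.append(f"{user}:{salt}:{sha256_hex(salt + pw)}")
    return "\n".join(lines)

if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("table vs unsalted :", crack_with_table(UNSALTED_DUMP, table))
    salted = make_salted_dump([("alice", "Summer2021!"), ("bob", "P@ssw0rd")])
    print("table vs salted   :", crack_with_table(salted, table))
    print("dictionary, salted:", crack_dictionary(salted, WORDLIST))
```

Carol's passphrase survives both attacks because it is not in the wordlist, which is the other lesson of the Dictionary Attack card: the attack is only as good as the list.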


Content preview

CompTIA Pentest+

Rules of Engagement (RoE) - __ are detailed guidelines and constraints regarding the
execution of information security testing.

The __ is established before the start of a security test, and gives the test team
authority to conduct defined activities without the need for additional permissions.

Rules of Engagement (RoE) Overview - __:
▪ Timeline
▪ Locations
▪ Time restrictions
▪ Transparency
▪ Test boundaries

RoE: Timeline - __:
▪ How long will the test be conducted?
__● A week, a month, a year

▪ What tasks will be performed and how long will each be planned for?

RoE: Locations - __:
▪ Where will the testers be located?
__● On-site or remote location

▪ Does organization have numerous locations?

▪ Does it cross international borders?

RoE: Time Restrictions - __:
▪ Are there certain times that aren't authorized?

▪ What about days of the week?

▪ What about holidays?

RoE: Transparency - __:
▪ Who will know about the pentest?

▪ Will the organization provide resources to the testers (white box test)?

RoE: Boundaries - __:
▪ What will be tested?

▪ Is social engineering allowed to be used?

▪ What about physical security testing?

▪ How invasive can the pentest be?

Legal Concepts (1) - __: laws and regulations regarding cyber-crime vary from
country to country, so check the local laws before conducting an assessment.

Legal Concepts (2) - __ refers to consulting your attorney before performing any
penetration testing work to ensure you are within the legal bounds of the laws of the
countries where you are operating.

Crimes and Criminal Procedure - __:
▪ Hacking is covered under United States Code, Title 18, Chapter 47,
Sections 1029 and 1030

§ 1029 Fraud & related activity w/ access devices - __:
▪ Prosecute those who knowingly and with intent to defraud produce, use, or traffic in
one or more counterfeit access devices.

▪ Access devices can be an application or hardware that is created specifically to
generate any type of access credentials

§ 1030 Fraud and related activity with computers - __:
▪ Covers just about any computer or device connected to a network

▪ Mandates penalties for anyone who accesses a computer without authorization or
exceeds their authorized access

▪ Can be used to prosecute employees using capability and accesses provided by their
company to conduct fraudulent activity

Obtain Written Authorization - __:
▪ White hat hackers always get permission

▪ This is your get out of jail free card...

▪ Penetration tests can expose confidential information so permission must be granted

▪ Third-party authorization when necessary
__● Ex: from a Cloud service provider

Third-Party Authorization - __:
▪ If servers and services are hosted in the cloud, you must request permission from the
provider prior to conducting a penetration test
__● Ex: from a Cloud service provider

▪ Check the provider's published penetration-testing policy: the major cloud providers now
allow customers to test their own resources without prior notice for most test types, but
still prohibit, or require separate approval for, activities such as denial-of-service testing

Pentest Contracts - __:
▪ Statement of Work (SOW)

▪ Master Service Agreement (MSA)

▪ Non-Disclosure Agreement (NDA)

Statement of Work (SOW) - __ is a formal document stating scope of what will be
performed during a penetration test.

▪ Clearly states what tasks are to be accomplished during an engagement

Master Service Agreement (MSA) - __ is a contract where parties agree to most of the
terms that will govern future actions.

▪ High level contract between a service provider and a client that specifies details of the
business arrangement

Seller: EvaTee (Phoenix University)