Black box testing: zero knowledge about the scope when you start the assessment; the
methodology is chosen to match an attacker who has no inside knowledge
White box testing: no time spent on reconnaissance; the scope is known at the beginning,
together with knowledge about the systems or the code
Grey box testing: partial knowledge
Pentest Report: a statement of the scope and limitations, the goal, the threat model and the
level of attacker that was imitated; an executive summary of what happened (the scope,
whether everything is OK or bad, whether expectations were met). The executive summary
should be short (about a page long). If something is wrong, list solutions. Anything critical
should be fixed, or, if it has not been fixed, reported to the client straight away rather than
waiting for the written report. The report should cover what you did and tested as well as
recommendations
CIA triad stands for Confidentiality, Integrity and Availability
Confidentiality: secrecy; absence of unauthorized access; ensuring no unauthorized access
to information or systems is happening; privacy of business data
Integrity: validity and correctness; absence of unauthorized change; data has not been
modified
Availability: access when we need it; authorized users can access at any given time; if you
cannot get to it, some kind of DoS attack is happening and availability is broken
Non-repudiation: cannot deny the authorship of information; you cannot say "it was not me"
if you have issued a digital signature for a document, an email or a message
Accountability: all changes and actions in the system have to be accounted for, so that
there is a clear picture of what is wrong and an incident can be investigated when it
happens
Triple A (AAA) triad: Authentication, Authorization and Accounting
Accounting: logging; providing accountability that everything is recorded and there is a
log that cannot be, or has not been, changed
Authentication: identification; verifying that users are who they claim to be, in a way
that can be checked. Authentication factors: something you know (password, passphrase),
which can be forgotten; something you have (phone, smart card), which can be lost; and
something you are (biometrics: fingerprint, iris scan), which cannot be changed
Authorization: providing permissions; once authenticated you have to be authorized so
you can be given your role in the system (general user, administrator)
Rules of Engagement: what can be done, on what dates, on which systems; the scope of the
assessment; the legal agreement and invoice; the list of actions that can and cannot be done
Scope Validation: make sure that what is in the engagement letter actually belongs to this
client; the client might make mistakes (e.g. list something they do not own)
Incident Response: report to the client if something happens during testing (pause testing
and wait for further instructions). You might discover a security incident already in action
(someone else is already in the system): do not tamper with evidence, do not change
anything, gather all the evidence (your conclusion) and retreat immediately
Reporting: the report should not depend on you; all information should be in it (no need
for interpretation) and it should be written so it can be understood without consulting you
afterwards for clarification
nbtscan
enum4linux
Network mapping:
Topology mapping:
Zenmap
Maltego
Visio
Evidence handling:
Excel
CherryTree
Growly Notes
Evernote
OneNote
Network issues:
Use of VPN on external pentests
Use of VPN on internal pentests
Use of Tor and HTTP proxies
Firewall evasion techniques
Sniffing and Spoofing:
Sniffing:
Passively or actively capturing network traffic
Can be done on received traffic or passed through/routed traffic
Can be done anywhere on the internet
Routers/gateways are the riskiest vantage points (all routed traffic passes through them)
Mitigated by SSL/TLS or other E2E crypto
Spoofing:
Actively tampering with other hosts' network configuration to intercept
network traffic
Then, sniffing or tampering with intercepted traffic
Very common in LAN:
Port security, traffic signing, SSL/TLS are possible means of
protection
Sniffing tools:
Wireshark:
Actively sniffing and analyzing
Processing external pcap files
Powerful GUI
Extendable and scriptable
Really slow sometimes
Security issues (its own dissectors have had bugs; avoid capturing hostile traffic as root)
Cain and Abel:
Windows only
Spoof, sniff, reverse passwords etc.
tcpdump (or other CLI tools):
The power of the console
Present in most *NIX distros
tshark:
Console version of Wireshark
Comes with it by default
scapy:
BYOD: build your own dump
Easy as Python + StackOverflow
Spoofing tools:
arpspoof:
arpspoof -t <target> <gateway>   (poison the target: "gateway is at my MAC")
arpspoof -t <gateway> <target>   (poison the gateway: "target is at my MAC")
tcpdump
Remember to enable forwarding, or the intercepted hosts lose connectivity:
# echo 1 > /proc/sys/net/ipv4/ip_forward
ettercap and bettercap:
Scanning, spoofing, and sniffing
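To make concrete what the two arpspoof commands above put on the wire, and how the "traffic signing" / ARP monitoring defences catch it, here is an added example (not from the original notes, and not arpspoof's or ettercap's own code): it builds Ethernet+ARP frames with struct, parses them, and runs an arpwatch-style IP-to-MAC change detector over a constructed sequence of frames. All MAC and IP addresses are made up for the demo.

```python
import struct
from collections import namedtuple

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

Arp = namedtuple("Arp", "op sender_mac sender_ip target_mac target_ip")


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None) -> bytes:
    """Ethernet frame carrying an ARP packet (14 + 28 = 42 bytes).
    An unsolicited ARP_REPLY with a forged sender pair is exactly what arpspoof emits."""
    eth = ETH_HDR.pack(mac(eth_dst or target_mac), mac(sender_mac), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op, mac(sender_mac), ip(sender_ip),
                       mac(target_mac), ip(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return an Arp tuple, or None for anything that is not a complete ARP-over-Ethernet frame."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    _ht, _pt, _hl, _pl, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return Arp(op, fmt_mac(sha), fmt_ip(spa), fmt_mac(tha), fmt_ip(tpa))


class ArpWatch:
    """Detector in the style of arpwatch: remember the first MAC seen for each sender IP
    (or seed known static bindings such as the gateway) and flag any later change."""

    def __init__(self, static=None):
        self.table = dict(static or {})

    def observe(self, frame: bytes):
        a = parse_arp(frame)
        if a is None:
            return None
        known = self.table.get(a.sender_ip)
        if known is None:
            self.table[a.sender_ip] = a.sender_mac
            return None
        if known != a.sender_mac:
            kind = "reply" if a.op == ARP_REPLY else "request"
            return f"ALERT {a.sender_ip} changed {known} -> {a.sender_mac} (unsolicited {kind})"
        return None


def demo():
    """Constructed LAN: legitimate exchange, then the two arpspoof directions. Returns the alerts."""
    gw_mac, gw_ip = "02:00:00:00:00:01", "192.168.1.1"           # made-up gateway
    victim_mac, victim_ip = "02:00:00:00:00:20", "192.168.1.20"  # made-up victim
    attacker_mac = "aa:aa:aa:aa:aa:aa"                           # made-up attacker
    frames = [
        build_arp(ARP_REQUEST, victim_mac, victim_ip, "00:00:00:00:00:00", gw_ip, eth_dst=BROADCAST),
        build_arp(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),
        # arpspoof -t <victim> <gateway>: tell the victim that the gateway IP lives at the attacker MAC
        build_arp(ARP_REPLY, attacker_mac, gw_ip, victim_mac, victim_ip),
        # arpspoof -t <gateway> <victim>: tell the gateway that the victim IP lives at the attacker MAC
        build_arp(ARP_REPLY, attacker_mac, victim_ip, gw_mac, gw_ip),
    ]
    watch = ArpWatch()
    alerts = []
    for f in frames:
        alert = watch.observe(f)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The detector is deliberately simple: it trusts the first binding it sees, which is why real deployments seed the gateway's MAC statically (or rely on switch port security / DHCP snooping) rather than learning it from the wire.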
Crypto and WiFi considerations:
Intercepting encrypted traffic:
SSL/TLS:
SSLStrip+
Burp Proxy, OWASP ZAP etc.
Strong E2E crypto
WiFi spoofing and sniffing:
Hardware tools:
Packet injection
Alfa
Software tools:
aircrack-ng universal framework
Mana rogue AP toolkit
Kali tools
Windows security overview:
Windows Architecture:
Bootstrap process
Memory segments
File systems
Processes
Protection rings
Permissions
Credentials Security:
Security Accounts Manager (SAM)
LANMAN (LM) and NTLMv2
Memory Corruption:
Stack corruption (buffer overflow)
Use-after-free
Heap corruption, heap overflow, type confusion
DEP and ASLR
Memory or binary exploitation:
OllyDbg, GDB, Immunity Debugger, IDA Pro
Metasploit
Public/private exploits
Windows Hacking Basics:
Windows enumeration specifics:
IPC
SNMP
Windows hacking:
Password guessing
Dumping password hashes
Dumping cleartext passwords
Privilege escalation
Remote exploitation
Post-exploitation
Key-loggers
Enumeration tools:
nbtstat -a <host>
enum4linux
snmpwalk
Password cracking tools:
John the Ripper, Cain, L0phtcrack
hashdump (Meterpreter)
WCE (Windows Credential Editor)
Metasploit Framework (MSF)
Manual exploitation
Legit tools:
Windows Sysinternals
PowerShell
Local Access and Privilege Escalation:
Privilege escalation:
Horizontal and vertical
Local exploits if not fixed
Unattended install leftovers
Group policy snooping
Service permissions misuse
Covering tracks:
auditpol \\IP /disable   (turn off auditing on the remote host)
elsave -s \\IP -l Security -C   (clear the remote Security event log)
Tools for lateral movement:
Metasploit Meterpreter post-modules
Public exploits
Windows command-line tools:
wmic, sc
net view/use/session/service
powershell
Physical access considerations:
Kon-Boot
Dumping Hashes and Cracking Passwords:
LM vs NTLM:
LM is case-insensitive (the password is uppercased before hashing); NTLM is case-sensitive
Alphabets of 142 and 65536 (all Unicode) characters respectively
NTLM (the NT hash) calculates one MD4 hash over the entire UTF-16LE password; LM splits the
password into two 7-character halves, null-padding as necessary, and uses each half as a DES
key, so the two halves can be cracked independently
Active Directory specifics:
Kerberos and LDAP
Sessions caching
Password hacking principles:
Online and offline password attacks
Dumping from SAM and RAM
Rainbow tables
Brute force
Tools:
JTR, WCE, mimikatz, MSF post-
Volatility
Linux Attacking Basics:
Linux vs. Windows (architecture):
Differences in file systems structure
Differences in memory and process execution
Device files
Differences in access control
Differences in user environment
Attack paths:
Password guessing
Remote exploitation
Local privesc exploits
Rootkits
Web security architecture overview:
Web Software:
Web-application architecture tiers:
Back-end
Front-end
Thin, thick, heavy clients
Web-applications (GUI):
Human interface
Forms, controls, dynamic content
Web-services (API):
Machine interface
Simple Object Access Protocol (SOAP) and XML
RESTful API and JSON
Web Platform:
Operating Systems
Web-Servers
Application Servers:
o Tomcat, JBOSS, WebSphere
Database Management Software:
o Relational (SQL)
o Non-relational (No-SQL)
Cloud environments:
o SaaS, PaaS, IaaS
o Amazon AWS, DigitalOcean
Attacking the web-server:
Attack phases:
Server software identification
Finding known vulnerabilities
AAA bypass:
Authentication bypass
Session hijacking
Vertical and horizontal escalation
Cross-Site Request Forgery
Cookie stealing
Injections:
XSS, SQLi, RCE, L/RFI etc.
Sensitive data leakage:
Transport security bypass
IDOR
Misconfiguration abuse