Penetration Testing basics:

pp_1

Pre-engagement:

pp_2 NDA: An NDA is a legal agreement that specifies that a penetration tester and their employer will not share or hold onto any sensitive or proprietary information that is encountered during the assessment.

RoE: The scope of a penetration test, also known as the rules of engagement, defines the systems the penetration tester can and cannot hack. This ensures the penetration tester remains within legal boundaries.

The following are some sample pre-engagement questions to help you define the scope of a penetration test: • What is the size/class of your external network? (Network penetration testing) • What is the size/class of your internal network? (Network penetration testing) • What is the purpose and goal of the penetration test? (Applicable to any form of penetration testing) • How many pages does the web application have? (Web application penetration testing) • How many user inputs or forms does the web application have?

Information Gathering:

Penetration testing involves information gathering, which is vital to ensure that penetration testers have access to key information that will assist them in conducting their assessment. Seasoned professionals normally spend a day or two conducting extensive reconnaissance on their target. The more knowledge that is known about the target will help the penetration tester to identify the attack surface such as points of entry in the target’s systems and networks.

Threat modeling:

Threat modeling is a process used to assist penetration testers and network security defenders to better understand the threats that inspired the assessment or the threats that the application or network is most prone to. This data is then used to help penetration testers simulate, assess, and address the most common threats that the organization, network, or application faces.

The following are some threat modeling frameworks: • Spoofing, Tampering, Repudiation, Information disclosure, Denial of server and Elevation of privilege (STRIDE) • Process for Attack Simulation and Threat Analysis (PASTA)

Vulnerability Analysis:

Vulnerability analysis typically involves the assessors or penetration testers running vulnerability or network/port scans to better understand which services are on the network or the applications running on a system and whether there are any vulnerabilities in any systems included in the scope of the assessment. This process often includes manual vulnerability discovery and testing, which is often the most accurate form of vulnerability analysis or vulnerability assessment.

Exploitation:

Exploitation is the ammunition or evidence that helps articulate why the vulnerability matters and illustrates the impact that the vulnerability could have on the organization. Furthermore, without exploitation, the assessment is not a penetration test and is nothing more than a vulnerability assessment.

Post-exploitation:

The process of post-exploitation is the continuation of this step, where the foothold gained is leveraged to access data or spread to other systems via lateral movement techniques within the target network. During post-exploitation, the primary goal is typically to demonstrate the impact that the vulnerability and access gained can pose to the organization. This impact assists in helping executive leadership to better understand the vulnerabilities and the damage it could cause to the organization if a real cyber-attack was to occur.

Report writing:

Report writing involves much more than listing a few vulnerabilities discovered during the assessment. It is the medium through which you convey risk and business impact, summarize your findings, and include remediation steps. A good penetration tester needs to be a good report writer, or the issues they find will be lost and may never be understood by the client who hired them to conduct the assessment.

Approaches of penetration testing:

  1. Black Box - Negligible information is provided.
  2. White Box - Much more information is provided during the pen test.
  3. Grey Box - Hybrid approach.

Phases of hacking:

How a hacker approaches a target: pp_3

Reconaissance/information gathering:

The reconnaissance or information gathering phase is where the threat actor focuses on acquiring meaningful information about their target. This is the most important phase in hacking: the more details known about the target, the easier it is to compromise a weakness and exploit it.

Scanning and enumeration:

The second phase of hacking is scanning. Scanning involves using a direct approach in engaging the target to obtain information that is not accessible via the reconnaissance phase. Techniques: • Checking for any live systems • Checking for firewalls and their rules • Checking for open network ports • Checking for running services • Checking for security vulnerabilities • Creating a network topology of the target network

Gaining access:

This phase can sometimes be the most challenging phase of them all. In this phase, the threat actor uses the information obtained from the previous phases to exploit the target. Upon successful exploitation of vulnerabilities, the threat actor can then remotely execute malicious code on the target and gain remote access to the target system. The following can occur once access is gained: • Password cracking • Exploiting vulnerabilities • Escalating privileges • Hiding files

Maintaining access:

After exploiting a system, the threat actor should usually ensure that they are able to gain access to the victim’s system at any time as long as the system is online. This is done by creating backdoor access to the target and setting up multiple persistence connections between the attacker’s machines and the victim’s system. The objectives of maintaining access are as follows: • Lateral movement • Exfiltration of data • Creating backdoor and persistent connections

Covering tracks:

The last phase is to cover your tracks. This ensures that you do not leave any traces of your presence on a compromised system or network. As penetration testers, we would like to be as undetectable as possible on a target’s network, not triggering any alerts on security sensors and appliances while we remove any residual traces of the actions performed during the penetration test. Covering your tracks ensures that you don’t leave any trace of your presence on the network, as a penetration test is designed to be stealthy and simulate real-world attacks on an organization.


The cyber kill chain framework:

The Cyber Kill Chain is a seven-stage framework developed by Lockheed Martin, an American aerospace corporation. This framework outlines each critical step a threat actor will need to perform before they are successful in meeting the objectives and goals of the cyber-attack against their targets. pp_4

Reconnaissance:

As with every battle plan, it’s important to know a lot about your opponent before starting a war. The reconnaissance stage is focused on gathering a lot of information and intelligence about the target, whether it’s a person or an organization.

Important

The reconnaissance stage involves both passive and active information gathering techniques, which will be covered in later sections of this book. You will also discover tools and techniques to improve your information skills when performing a penetration testing engagement.

Weaponization:

Using the information gathered from the reconnaissance phase, the threat actor and penetration tester can use it to better craft a weapon, better referred to as an exploit, that can take advantage of a security vulnerability on the target. The weapon (exploit) has to be specially crafted and tested to ensure its success when launched by the threat actor or the penetration tester. The objective of the exploit is to affect the confidentiality, integrity, and/or availability of the target’s systems or networks.

Delivery:

After creating the weapon, the threat actor or the penetration tester has to deliver the weapon onto the target system. Delivery can be done using the creative mindset of the attacker, whether using email messaging, instant messaging services, or even by creating drive-by downloads on compromised web services. Another technique can be copying the exploit onto multiple USB drives and dropping them within the compound of the target organization(evasdropping), with the hope an employee will find it and connect it to an internal system due to human curiosity.

  • We can use USB Ninja cables , or we can make them by our own.
  • We can also use rubber duckies for attacks like evasdropping.

Exploitation:

After the weapon (exploit) is delivered to the target, the attacker needs to ensure when the exploit is executed, it successfully takes advantage of the security vulnerability on the target system as intended. If the exploit does not work, the threat actor or penetration tester may be detected by the organization’s blue team and there is a halt in the Cyber Kill Chain. The attacker needs to ensure the exploit is tested properly before executing it on the target system.

Installation:

After the threat actor has exploited the target system, the attacker will attempt to create multiple persistent backdoor accesses to the compromised system. This allows the threat actor or the penetration tester to have multiple channels of entry back into the system and network. During this stage, additional applications may usually install while the threat actor takes a lot of precautions to avoid detection by any threat detection systems.

Command and control server(c2):

An important stage in a cyber-attack is creating Command and Control (C2) connections between the compromised systems and a C2 server on the internet. This allows the threat actor to centrally control a group of infected systems (botnet) using a C2 server that is managed by the attacker. This allows the threat actor to create an army of zombies, all controlled and managed by a single threat actor. pp_5

Actions and objectives:

If the threat actor or the penetration tester is able to reach this stage of the Cyber Kill Chain, the organization’s blue team has failed to stop the attacker and prevent the cyberattack. At this stage, the threat actor has completed their objectives and achieved the goals of the attack. In this phase, the attacker can complete the main objective of the attack, whether it’s exfiltrating data from the organization and selling it on the dark web or even extending their botnet for a larger-scale cyber-attack on another target organization. Stopping the threat actor or the penetration tester at this phase is considered to be extremely difficult as the attacker would have already established multiple persistent backdoor accesses with encrypted C2 connections on multiple compromised systems within the target organization. Furthermore, the threat actor will also be clearing traces of any evidence or artifacts that could help cybersecurity professionals to trace the attack to the threat actor.

Defending-architecture-whitepapers