560.1 SANS 560: Network Penetration and Ethical Hacking
Definitions
- Threat: Agent that can cause harm
- Vulnerability: A flaw that can be exploited
- Risk: Overlap of vulnerability and threat
- Exploit: Code/technique used by a threat against a vulnerability
- Active attack: Manipulates the target
- Passive attack: Does not manipulate the target
- Ethical hacking: Using attack techniques, with permission, to find flaws and improve security (aka white hat hacker)
- Penetration testing: An attempt to gain entry to a network
- Security assessment/vulnerability assessment: Finding vulnerabilities
- Security audit: Comparing findings against a set of standards
- Phases of an attack
  - Recon
  - Scanning
  - Exploitation
- Pentesting limitations:
  - Scope
  - Time
  - Methods
- Pentester limitations:
  - Scope
  - Time
  - Methods
Public/free methodologies
Open Source Security Testing Methodology Manual [1]
- Focus on transparency, business value
- Broad descriptions of categories
- Numerous templates
NIST [2]
- Processes
- Roles
- Tools
- High-level
OWASP [3]
- Web app testing
- Compares impact vs. likelihood
Penetration Testing Framework [4]
- Network penetration tests
- Specific tools, commands
- Step-by-step
  - Recon
  - Social engineering
  - Scanning/probing
  - Enumeration
Overall Methodology
Preparation
- Sign an NDA
- Discuss the nature of the test
- Identify threats/concerns
- Agree on rules of engagement
- Determine the scope of the test
- Sign off on permission, notice of danger
  - Vital to get before starting
  - "Get out of jail free" card
- Assign team
Testing
- Conduct the test
Conclusion
- Perform detailed analysis
- Retest
- Reporting
- Presentation
Limitation of liability/insurance
- Should be drawn up by a lawyer
- Generally limited to the value of the project
Rules of Engagement
- Emergency contact info (24/7)
- Daily debriefings
- Dates and times of day
- Announced/unannounced
- Shunning (IDS/IPS)
- Black-box vs. crystal-box testing
- Viewing data on compromised systems
- Observing tests
- Document agreements and have both parties sign off
Scope
What are the biggest concerns?
- Disclosure of sensitive info
- Interruption in production processing
- Embarrassment (defacement)
- Compromising hosts for deeper penetration
- Avoid scope creep
What to test
- Domain names
- Address ranges
- Hosts
- Applications
- Third-party systems
  - ISPs
  - DNS
  - Hosting
  - Get permission
- Test vs. production
How to test
- Ping, port scan
- Vulnerability scan
- Penetration
- Client-side
- Application
- Physical pen
- Social engineering
- Internal vs. external
  - On-site, granted access
  - On-site, sneak in
  - VPN access
- Testing client-side
  - Browsers
  - Phishing
  - E-mail exploits
Social Engineering
- Controversial
- Ensure explicit permission
- Define an explicit goal
- Establish pretexts, scripts in advance
- Use a friendly people person (female is better)
Denial of Service
- Check version numbers or try to crash? Be explicit!
"Dangerous" exploits
- Should they be included?
- Any test can potentially crash a host
Reporting
Always create a report
- Even for in-house tests