Chapter 8

Understanding the Techniques Used in Penetration Testing

This chapter covers the following topics related to Objective 1.8 (Explain the techniques used in penetration testing) of the CompTIA Security+ SY0-601 certification exam:

  • Penetration testing

    • Known environment

    • Unknown environment

    • Partially known environment

    • Rules of engagement

    • Lateral movement

    • Privilege escalation

    • Persistence

    • Cleanup

    • Bug bounty

    • Pivoting

  • Passive and active reconnaissance

    • Drones

    • War flying

    • War driving

    • Footprinting

    • OSINT

  • Exercise types

    • Red-team

    • Blue-team

    • White-team

    • Purple-team

Penetration testing (otherwise known as ethical hacking) has been extremely popular in the last several years. A penetration tester is someone who mimics what an attacker can do to an organization when finding and exploiting security vulnerabilities. In this chapter, you learn the details about penetration testing methodologies, rules of engagement, and how security researchers also participate in bug bounties. You also learn how penetration testers (pen testers) perform passive and active reconnaissance and the different types of security exercises.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz enables you to assess whether you should read this entire chapter thoroughly or jump to the “Chapter Review Activities” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 8-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Review Questions.”

Table 8-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section            Questions
Penetration Testing                  1–4
Passive and Active Reconnaissance    5–7
Exercise Types                       8–10

Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. Which term is used to define the practice of mimicking a threat actor by using the same methodologies and tools to find and exploit vulnerabilities with the permission of the system or network owner?

  1. Ethical hacking

  2. Pen testing

  3. Penetration testing

  4. All of these answers are correct.

2. Which of the following is a type of penetration testing where the tester starts out with a significant amount of information about the organization and its infrastructure?

  1. Known environment

  2. Unknown environment

  3. Partially known environment

  4. None of these answers are correct.

3. Which of the following are elements of the penetration pre-engagement phase?

  1. Developing the rules of engagement document

  2. Negotiating contracts

  3. Creating the statement of work (SOW)

  4. All of these answers are correct.

4. Which of the following elements are typically included in the rules of engagement document during a penetration test?

  1. Testing timeline

  2. Location of the testing

  3. The security controls that could potentially detect or prevent testing

  4. All of these answers are correct.

5. Which term is used when a penetration tester uses public records to perform passive reconnaissance?

  1. OSINT gathering

  2. Scanning

  3. Banner fingerprinting

  4. Shodan

6. Which tool can be used to perform active reconnaissance?

  1. Nmap

  2. Nessus

  3. Nikto

  4. All of these answers are correct.

7. Which term is used to describe when attackers or pen testers fly drones to perform reconnaissance of a location or eavesdrop on wireless networks?

  1. War driving

  2. War flying

  3. Wireless flying

  4. None of these answers are correct.

8. Which of the following is an example of a blue team?

  1. CSIRT

  2. Pen testing teams

  3. Offensive security teams

  4. None of these answers are correct.

9. What term is used to describe how an organization integrates the defensive capabilities of a blue team with the adversarial techniques used by the red team?

  1. Advanced red teaming

  2. Adversarial emulation

  3. Purple teaming

  4. None of these answers are correct.

10. Which term is often used to define the team that focuses on security governance, regulatory compliance, and risk management?

  1. White team

  2. Purple team

  3. Red team

  4. Blue team

Foundation Topics

Penetration Testing

A penetration tester is typically also referred to as an ethical hacker. The term ethical hacker describes a person who acts as an attacker and evaluates the security posture of a computer network for the purpose of minimizing risk. The term hacker has been used in many different ways and has many different definitions. Most people in a computer technology field would consider themselves hackers by the simple fact that they like to tinker. This is obviously not a malicious thing. The key factor here in defining ethical versus nonethical hacking is that the latter involves malicious intent. A security researcher looking for vulnerabilities in products, applications, or web services is considered an ethical hacker if he or she responsibly discloses those vulnerabilities to the vendors or owners of the targeted research. However, the same type of “research” performed by someone who then uses the same vulnerability to gain unauthorized access to a target network/system would be considered a nonethical hacker. We could even go so far as to say that someone who finds a vulnerability and discloses it publicly without working with a vendor is considered a nonethical hacker—because this could lead to the compromise of networks/systems by others who use this information in a malicious way.

The truth is that, as an ethical hacker, you use the same tools to find vulnerabilities and exploit targets as do nonethical hackers. However, as an ethical hacker, you would typically report your findings to the vendor or customer you are helping to make more secure. You would also try to avoid performing any tests or exploits that might be destructive in nature. An ethical hacker’s goal is to analyze the security posture of a network’s or system’s infrastructure in an effort to identify and possibly exploit any security weaknesses found and then determine if a compromise is possible. This process is called security penetration testing or ethical hacking.

So, why do we need penetration testing? Well, first of all, as someone who is responsible for securing and defending a network/system, you want to find any possible paths of compromise before the bad guys do. For years we have developed and implemented many different defensive techniques (for instance, antivirus programs, firewalls, intrusion prevention systems [IPSs], antimalware). We have deployed defense-in-depth as a method to secure and defend our networks. But how do we know if those defenses really work and whether they are enough to keep out the bad guys? How valuable is the data that we are protecting, and are we protecting the right things? These are some of the questions that should be answered by a penetration test.

If you build a fence around your yard with the intent of keeping your dog from getting out, maybe it only needs to be 4 feet tall. However, if your concern is not the dog getting out but an intruder getting in, then you need a different fence—one that would need to be much taller than 4 feet. Depending on what you are protecting, you might also want razor wire on the top of the fence to deter the bad guys even more.

When it comes to information security, you need to do the same type of assessments on your networks and systems. You need to determine what you are protecting and whether your defenses can hold up to the threats that are imposed on them. This is where penetration testing comes in. Simply implementing a firewall, an IPS, antimalware, a virtual private network, a web application firewall (WAF), and other modern security defenses isn’t enough. You also need to test their validity. And you need to do this on a regular basis. As you know, networks and systems change constantly. This means the attack surface can change as well, and when it does, you need to consider reevaluating the security posture by way of a penetration test.

When talking about penetration testing methods, you are likely to hear the terms known environment, unknown environment, or partially known environment testing. These terms are used to describe the perspective from which the testing is performed, as well as the amount of information that is provided to the tester:

  • Known environment: In this environment the tester starts out with a significant amount of information about the organization and its infrastructure. The tester would normally be provided things like network diagrams, IP addresses, configurations, and a set of user credentials. If the scope includes an application assessment, the tester might also be provided the source code of the target application. The idea of this type of test is to identify as many security holes as possible. In an unknown environment test, the scope may be only to identify a path into the organization and stop there. With “known environment” testing, the scope would typically be much broader and include internal network configuration auditing and scanning of desktop computers for defects. Time and money are typically deciding factors in the determination of which type of penetration test to complete. If a company has specific concerns about an application, a server, or a segment of the infrastructure, it can provide information about that specific target to decrease the scope and the amount of time spent on the test but still uncover the desired results. With the sophistication and capabilities of adversaries today, it is likely that most networks will be compromised at some point, and a known environment approach is not a bad option.

  • Unknown environment: In this environment the tester is typically provided only a very limited amount of information. For instance, the tester may be provided only the domain names and IP addresses that are in scope for a particular target. The idea of this type of limitation is to have the tester start out with the perspective that an external attacker might have. Typically, an attacker would first determine a target and then begin to gather information about the target, using public information and gaining more and more information to use in attacks. The tester would not have prior knowledge of the target’s organization and infrastructure. Another aspect of unknown environment testing is that sometimes the network support personnel of the target may not be given information about exactly when the test is taking place. This type of environment allows for a defense exercise to take place as well, and it also eliminates the issue of a target preparing for the test and not giving a real-world view of how the security posture really looks.

  • Partially known environment: This type of penetration test is somewhat of a hybrid approach between the preceding two types. The penetration testers may be provided credentials but not full documentation of the network infrastructure. This way, the testers could still provide results of their testing from the perspective of an external attacker’s point of view. Considering the fact that most compromises start at the client and work their way throughout the network, a good approach would be a scope where the testers start on the inside of the network and have access to a client machine. Then they could pivot throughout the network to determine what the impact of a compromise would be.

A number of penetration testing methodologies have been around for a while and continue to be updated as new threats emerge. The following are some of the most common:

Figure 8-1 shows the penetration testing lifecycle based on the Penetration Testing Execution Standard guidance.


FIGURE 8-1 The Penetration Testing Lifecycle

The penetration testing lifecycle has three major milestones (as shown in Figure 8-1): the pre-engagement tasks, the actual testing, and the report delivered to the customer after testing. The pre-engagement tasks include items such as contract negotiations, the statement of work (SOW), scoping, and the rules of engagement.

The rules of engagement documentation specifies the conditions under which the security penetration testing engagement will be conducted. You need to document and agree upon these rules of engagement conditions with the client or an appropriate stakeholder. The following elements are typically included in a rules of engagement document:

  • Testing timeline

  • Location of the testing

  • Time window of the testing

  • Preferred method of communication

  • The security controls that could potentially detect or prevent testing

  • IP addresses or networks from which testing will originate

  • The scope of the engagement

During the penetration testing, the ethical hacker performs passive and active reconnaissance to find vulnerabilities. Passive and active reconnaissance are discussed later in this chapter. Based on the findings from the reconnaissance phase, the ethical hacker then starts finding security vulnerabilities and demonstrates how an attacker could exploit such vulnerabilities. After exploiting a vulnerability, the ethical hacker could also demonstrate how an attacker could perform post-exploitation activities such as

  • Lateral movement and pivoting: Lateral movement (also referred to as pivoting) is a post-exploitation technique that can be performed using many different methods. The main goal of lateral movement is to move from one device to another to avoid detection, steal sensitive data, and maintain access to these devices to exfiltrate the sensitive data. Lateral movement involves scanning a network for other systems, exploiting vulnerabilities in other systems, compromising credentials, and collecting sensitive information for exfiltration. Lateral movement is possible if an organization does not segment its network in a proper way. Network segmentation is therefore very important. After compromising a system, you can use basic port scans to identify systems or services of interest that you can further attack in an attempt to compromise valuable information.

  • Privilege escalation: This is the process of elevating the level of authority (privileges) of a compromised user or a compromised application. It is done to further perform actions on the affected system or any other systems in the network. It is possible to perform privilege escalation in a few different ways. An attacker may be able to compromise a system by logging in with a nonprivileged account. Subsequently, the attacker can go from that unprivileged (or less privileged) account to another account that has greater authority. It is also possible to perform privilege escalation by “upgrading,” or elevating, the privileges of the same account.

  • Persistence: After the exploitation phase, you need to maintain a foothold in a compromised system to perform additional tasks such as installing and/or modifying services to connect back to the compromised system. You can maintain persistence of a compromised system in a number of ways, including the following:

    • Creating a bind or reverse shell

    • Creating and manipulating scheduled jobs and tasks

    • Creating custom daemons and processes

    • Creating new users

    • Creating additional backdoors

Tip

When you maintain persistence in a compromised system, you can take several actions, such as the following:

  • Uploading additional tools

  • Using local system tools

  • Performing ARP scans and ping sweeps

  • Conducting DNS and directory services enumeration

  • Launching brute-force attacks

  • Performing additional enumeration and system manipulation using management protocols (for example, WinRM, WMI, SMB, SNMP) and compromised credentials

  • Executing additional exploits

Ethical hackers or pen testers also need to be able to cover their tracks. Many tools can leave behind residual files or data that you need to be sure to clean from the target systems after the testing phases of a penetration testing engagement are complete. It is also very important to have the client or system owner validate that the cleanup effort is sufficient. This is not always easy to accomplish, but providing a comprehensive list of activities performed on any systems under test will help.

Following are some items you will want to be sure to clean from systems:

  • User accounts created

  • Shells spawned on exploited systems

  • Database input created by automated tools or manually

  • Any tools installed or run from the systems under test

Bug Bounties vs. Penetration Testing

Bug bounties have become very popular in the last several years. In a bug bounty program, an organization provides recognition and compensation to security researchers for reporting security vulnerabilities (which are basically bugs in code or hardware). The goal of bug bounty programs is to allow underlying organizations to crowdsource the way they find vulnerabilities in their systems and infrastructure in a scalable way.

These programs allow an underlying organization to learn about bugs and fix them before an attacker can abuse them. Several bug bounty platforms (or brokers) help crowdsource and manage a bug bounty program. Examples of bug bounty platforms/companies include

Security researchers and ethical hackers often participate either full-time or part-time in these bug bounty programs.

Tip

For a list of references and resources about bug bounty programs, platforms, tools, and tips, see https://github.com/The-Art-of-Hacking/h4cker/tree/master/bug-bounties.

Passive and Active Reconnaissance

Reconnaissance can be passive or active. Passive reconnaissance can be carried out by an attacker just researching information about the victim’s public records, social media sites, and other technical information, such as DNS, whois, and sites such as Shodan (www.shodan.io). Searching through these public records is often referred to as open-source intelligence (OSINT) gathering. The ethical hacker or pen tester can use tools such as Maltego, Recon-ng, theHarvester, SpiderFoot, OWASP Amass, and many others to accelerate this research.

Tip

The download links of the aforementioned OSINT tools (along with several others) are included in the GitHub repository at https://github.com/The-Art-of-Hacking/h4cker/tree/master/osint. This GitHub repository includes a curated list of numerous references and resources about OSINT and passive reconnaissance tools and methodologies.

For instance, the Shodan search engine is a powerful database of prescanned networked devices connected to the Internet. It consists of scan results including banners collected from port scans of public IP addresses, with fingerprints of services like Telnet, FTP, HTTP, and other applications.

Shodan creates a risk profile by providing both attackers and defenders with a prescanned inventory of devices connected to public IP addresses on the Internet. For example, when a new vulnerability is discovered and published, an attacker can quickly and easily search Shodan for vulnerable devices and then launch an attack.

Attackers can also search the Shodan database for devices with poor configurations or other weaknesses, all without actively scanning. Using Shodan search filters, a user can really narrow down search results, by country code or classless interdomain routing (CIDR) netblock, for example. Shodan application programming interfaces (APIs) and some basic scripting can enable many search queries and subsequent actions (for example, a weekly query of newly discovered IPs scanned by Shodan on a CIDR netblock that runs automatically and is emailed to the security team). Remember that public IP addresses are constantly probed and scanned already. By using Shodan, you are not scanning because Shodan has already scanned these IPs. Shodan is a tool, and it can be used for good or evil. To mitigate risk, you can take tangible steps like registering for a free Shodan account, searching for your organization’s public IPs, and informing the right network and security people of the risks of your organization’s Shodan exposure. You can learn more at www.shodan.io.
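As an added example (not code from the book), the weekly netblock check described above, in Python: it queries Shodan's REST search API with the net: filter for an address block you own, drops anything outside that block, diffs the result against last week's inventory, and formats the report for the security team. The API key, the netblock, the "last week" inventory and the sample result records are constructed placeholders; the live fetch needs a real key and network access, so the processing runs here on the embedded sample.

```python
"""Weekly Shodan exposure check for an organization's own netblock.

Added example, not from the book: query Shodan for a CIDR block you own,
compare with last week's inventory, and report newly seen services.
"""
import ipaddress
import json
import urllib.parse
import urllib.request

# Placeholder values (constructed): replace with your own key and a block you own.
SHODAN_API_KEY = "REPLACE_WITH_YOUR_API_KEY"
OWN_NETBLOCK = "203.0.113.0/24"  # RFC 5737 documentation range, used as a stand-in


def fetch_shodan_matches(api_key, netblock):
    """Query Shodan's host search endpoint for everything it scanned inside netblock.

    Uses the 'net:' search filter the chapter mentions. Needs network access
    and a valid key; the functions below are kept separate so they can run
    offline on saved results.
    """
    query = urllib.parse.urlencode({"key": api_key, "query": f"net:{netblock}"})
    url = f"https://api.shodan.io/shodan/host/search?{query}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp).get("matches", [])


def services_from_matches(matches, netblock):
    """Reduce raw Shodan matches to a set of (ip, port, transport) tuples.

    Anything outside the netblock is dropped so that a mistyped filter never
    sends the team chasing hosts that are not in scope.
    """
    net = ipaddress.ip_network(netblock)
    services = set()
    for m in matches:
        if ipaddress.ip_address(m["ip_str"]) in net:
            services.add((m["ip_str"], int(m["port"]), m.get("transport", "tcp")))
    return services


def new_exposures(current, previous):
    """Return services Shodan now sees that were not in last week's inventory."""
    return current - previous


def build_report(new, netblock):
    """Format the weekly email body: one line per newly exposed service."""
    lines = [f"Shodan exposure report for {netblock}: {len(new)} new service(s)"]
    for ip, port, transport in sorted(new, key=lambda s: (ipaddress.ip_address(s[0]), s[1])):
        lines.append(f"  {ip}:{port}/{transport}")
    return "\n".join(lines)


# Constructed sample in the shape Shodan returns (only the fields used here).
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 22, "transport": "tcp", "product": "OpenSSH"},
    {"ip_str": "203.0.113.10", "port": 443, "transport": "tcp"},
    {"ip_str": "203.0.113.25", "port": 23, "transport": "tcp"},  # telnet: newly seen
    {"ip_str": "198.51.100.7", "port": 80, "transport": "tcp"},  # not our block: dropped
]
# Constructed "last week" inventory the team already knew about.
PREVIOUS_INVENTORY = {("203.0.113.10", 22, "tcp"), ("203.0.113.10", 443, "tcp")}


def weekly_check(matches=SAMPLE_MATCHES, previous=PREVIOUS_INVENTORY, netblock=OWN_NETBLOCK):
    """Run the offline part of the workflow; returns (new_services, report_text)."""
    current = services_from_matches(matches, netblock)
    new = new_exposures(current, previous)
    return new, build_report(new, netblock)


if __name__ == "__main__":
    # Live run: matches = fetch_shodan_matches(SHODAN_API_KEY, OWN_NETBLOCK)
    _, report = weekly_check()
    print(report)  # hand this to your mail sender or ticketing system
```

Store the current service set after each run as next week's inventory so only new exposures are reported.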

Active reconnaissance is carried out mostly by using network and vulnerability scanners. The following are commercial and open-source application, port, and vulnerability scanners:

  • AppScan by IBM

  • Burp Suite Professional by PortSwigger

  • Nessus by Tenable Network Security

  • Netsparker by Mavituna Security

  • Nexpose by Rapid7

  • Nmap (open-source port scanner)

  • Nikto (open-source web application scanner)

  • OWASP Zed Attack Proxy (open-source web application scanner, proxy, and attack platform maintained by the Open Web Application Security Project [OWASP])

  • Qualys

  • Retina Web Security Scanner by eEye Digital Security

  • Sentinel by WhiteHat

  • Veracode Web Application Security by Veracode

  • VUPEN Web Application Security Scanner by VUPEN Security

  • WebApp360 by nCircle

One of the main purposes of reconnaissance is to footprint (perform footprinting on) an application, system, or network to find vulnerabilities that could potentially be exploited. Attackers and pen testers have used several creative methods to perform reconnaissance. For example, even drones have been used to eavesdrop and monitor wireless networks. The term war driving refers to the ability of an attacker to just drive around and get a huge amount of information over a very short period of time. The attacker could obtain observations about wireless access points, underlying service set identifiers (SSIDs), and even Bluetooth and cellular communications. A good example of a repository and application that has been used to store and analyze war driving records is Wigle (https://wigle.net/). Any individual can download the Wigle mobile app and automatically upload information about Wi-Fi networks, cell towers, and Bluetooth devices.

A similar concept is war flying. In war flying an attacker can fly drones or similar devices to obtain information about a wireless network or even collect pictures of facilities in some cases.

Tip

Another great resource to learn about real-life adversarial techniques used for passive and active reconnaissance (as well as the complete lifecycle of a cybersecurity attack) is the MITRE ATT&CK framework, which can be accessed at https://attack.mitre.org.

Exercise Types

Several terms have been used to define the different penetration testing or cybersecurity exercise types. The following terms are the most common:

  • Red team: Individuals who are performing adversarial simulation and penetration testing. However, a “true red team engagement” goes beyond the traditional scope of a penetration test. For example, red teamers can also demonstrate how an attacker could infiltrate a building and perform advanced social engineering attacks. Red teamers also create exploits and their own tools.

  • Blue team: Defenders of the organizations. Blue teams typically include the computer security incident response team (CSIRT) and information security (InfoSec) teams. The expression “blue teams versus red teams” is adopted from the military, where the red team is typically the “offensive” team and blue is the “defensive” team.

  • Purple team: Individuals who perform different tactics to maximize the effectiveness of red and blue team operations. If you combine the colors red and blue, you end up with purple. Similarly in security, purple teams integrate the defensive capabilities of a blue team with the adversarial techniques used by the red team. In most cases, the purple team is not a separate team, but a solid dynamic between the blue and red teams.

  • White team: A team that blends all previous colors together. White teams are individuals who are focused on governance, management, risk assessment, and compliance.

Tip

In teaming security assessments, the blue team members are the defenders. It is their job to counter the red team and keep them from accomplishing their mission. This team has the additional advantage of measuring and improving alerting and response. The red team members act as the adversaries. They are the ones attacking and trying to remain unnoticed. The white team members are neutral. They are the referees who define the goals and rules and also adjudicate the exercise. The goals of the purple team are to effectively combine the skills and knowledge of both the red and blue teams to achieve maximum effectiveness.

Chapter Review Activities

Use the features in this section to study and review the topics in this chapter.

Review Key Topics

Review the most important topics in the chapter, noted with the Key Topic icon in the outer margin of the page. Table 8-2 lists a reference of these key topics and the page number on which each is found.

Table 8-2 Key Topics for Chapter 8

Key Topic Element   Description                                                                                              Page Number
List                Understanding known environment, unknown environment, or partially known environment penetration testing   198
Paragraph           Defining rules of engagement                                                                             200
List                Defining lateral movement, pivoting, privilege escalation, and persistence                                201
Paragraph           Understanding how attackers and penetration testers cover their tracks and perform cleanup                 202
Paragraph           Surveying what bug bounties are                                                                          202
Paragraph           Defining footprinting, war driving, and war flying                                                       205
List                Defining red, blue, purple, and white teams                                                              205

Define Key Terms

Define the following key terms from this chapter, and check your answers in the glossary:

penetration testing

known environment

unknown environment

partially known environment

rules of engagement

lateral movement

pivoting

privilege escalation

persistence

cleanup

bug bounties

passive reconnaissance

open-source intelligence (OSINT)

active reconnaissance

footprinting

drones

war driving

war flying

red team

blue team

purple team

white team

Review Questions

Answer the following review questions. Check your answers with the answer key in Appendix A.

1. You were hired to perform a penetration test against a set of applications. After the exploitation phase, you need to maintain a foothold in a compromised system to perform additional tasks such as installing and/or modifying services to connect back to the compromised system. This process is referred to as _____________.

2. What is the process of elevating the level of authority (privileges) of a compromised user or a compromised application?

3. What is the term used to define the type of testing where the penetration testers may be provided credentials but not full documentation of the network infrastructure?

4. What is the term used when an organization provides recognition or compensation to security researchers and ethical hackers who report security vulnerabilities or bugs? Often organizations can use brokers and companies that manage the compensation and communication with the security researchers.

5. OSINT is used in the ________ reconnaissance phase of the penetration testing lifecycle.
