*PenetrationTesting*
Pentest assessment flavours
Static analysis (white box)
Design review
Static code analysis
Configuration review
Dynamic Testing (black box)
Network infrastructure testing
Web application testing
Mobile app test
Web service testing (e.g., APIs supporting mobile applications)
Internet-based social engineering
Gray box (both)
Physical pentest
Social engineering test
Network security assessment
Reconnaissance: Identify networks, hosts, and users of interest
Vulnerability scanning: Identify potentially exploitable conditions
Investigation of vulnerabilities and further probing by hand
Exploitation of vulnerabilities and circumvention of security mechanisms
Elevation of privileges, pivoting, then repeat the cycle from the newly reached position.
Penetration Testing
Report
Executive summary
Engagement highlights
Vulnerability report
Remediation Report
Findings Summary
Detailed Summary
Botnet and C&C design
Clients use TLS port 443 to connect to the C&C for better chances of bypassing firewalls (looks like HTTP and I can use any protocol).
Certificate is validated client side, to prevent MITM.
Use multiple valid certificates, each IP range gets a different one to prevent blacklisting.
I would also have multiple front ends; the client would try to connect to some of them (each client has multiple front ends hardcoded).
The client polls for new commands every hour; the interval can be changed at polling time, the binary updated, IPs and certificates changed.
Connect to a different front end every time so as not to look suspicious.
Use TOR hidden services, generate unique domains for every binary.
Use a dropper, with links that only work once, to a hidden service to get the actual client.
Detect if you are running in a sandbox and do nothing bad (DNS lookup for bad.com, DNS query to 8.8.8.8 for bad.com and compare the results), debug flag, etc.
DDoS countermeasures
fail2ban (monitors logs and sets iptables rules)
Use a CDN such as Cloudflare, very cost efficient (filters the traffic in the scrubbing centres)
Or I would spend some money on getting a very good ISP that allows me to put mitigations on their side.
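The log-driven banning that fail2ban does, as an added example written for these notes (it is not fail2ban's own code): parse failed-login lines, count failures per source inside a sliding window, and produce the iptables rule that would be applied. The auth-log excerpt, the hostname, the addresses, the assumed year and the maxretry/findtime values are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth-log excerpt (syslog format) for this example.
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Mar  3 10:00:04 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 50212 ssh2
Mar  3 10:00:05 web1 sshd[4030]: Accepted publickey for deploy from 198.51.100.9 port 40100 ssh2
Mar  3 10:00:09 web1 sshd[4033]: Failed password for root from 203.0.113.7 port 50213 ssh2
Mar  3 10:05:00 web1 sshd[4040]: Failed password for root from 198.51.100.20 port 41000 ssh2
Mar  3 10:30:00 web1 sshd[4050]: Failed password for root from 198.51.100.20 port 41001 ssh2
Mar  3 10:55:00 web1 sshd[4060]: Failed password for root from 198.51.100.20 port 41002 ssh2
"""

# One "failregex" in fail2ban terms: the timestamp plus the offending source address.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_failure(line, year=2024):
    """Return (timestamp, source_ip) for a failed-login line, else None.
    Syslog lines carry no year, so one is assumed (constructed: 2024)."""
    m = FAILED.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


def find_offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Sliding-window count, like fail2ban's maxretry/findtime: a source is
    banned the moment it has `maxretry` failures inside the last `findtime`.
    Returns {ip: time_of_ban}."""
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in banned:
            continue
        recent = window[ip]
        recent.append(ts)
        while recent and ts - recent[0] > findtime:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= maxretry:
            banned[ip] = ts
    return banned


def ban_rule(ip):
    """The firewall action: one iptables DROP rule per banned source."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{when:%H:%M:%S} ban {ip}: {ban_rule(ip)}")
```

With these settings the first source is banned on its third failure within eight seconds, while the second source, which spreads three failures over 55 minutes, never has three inside one ten-minute window and is never banned; that gap is the thing to check when tuning findtime against slow, low-rate guessing.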
In **DNS Amplification** an attacker sends a DNS query with the source IP spoofed to the victim's address, so the reply is delivered to the victim. The query is of a type that produces a large response (such as a zone transfer), which is where the amplification comes from. Most ISPs should filter spoofed datagrams, but some don't.
A DNS server with open recursion answers recursive queries from anyone, for any name, not only for the zones it is authoritative for.
There are 13 root DNS server addresses, each backed by a distributed system. The root servers delegate each TLD to its name servers. Resolving guif.re: the root says .re is served by foo; foo says guif.re is served by bar (ns.guif.re); bar says guif.re is 1.2.3.4.
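The three DNS points above (a spoofed query lands a large reply on the victim, open recursion, and delegation from the root) in one added example that is not from the notes: a toy model of a server that is authoritative for guif.re and recursive only for its own clients. It walks the delegation chain for guif.re exactly as the notes describe and refuses recursion for any source outside its client range, which is the check an open resolver lacks. The zone contents, the server addresses (192.0.2.x), the www answer 1.2.3.5 and the 10.0.0.0/8 client range are constructed for the example; only guif.re and 1.2.3.4 come from the notes.

```python
import ipaddress

# Constructed delegation tree for this example. Each zone lists the child zones it
# delegates (name server plus its glue address) and the records it answers directly.
# Names end with a dot, as in the wire format.
ZONES = {
    ".":        {"delegations": {"re.": ("foo.nic.re.", "192.0.2.10")}, "records": {}},
    "re.":      {"delegations": {"guif.re.": ("ns.guif.re.", "192.0.2.20")}, "records": {}},
    "guif.re.": {"delegations": {}, "records": {"guif.re.": "1.2.3.4", "www.guif.re.": "1.2.3.5"}},
}
SERVERS = {"192.0.2.1": ".", "192.0.2.10": "re.", "192.0.2.20": "guif.re."}  # who serves which zone
ROOT = "192.0.2.1"


def in_zone(qname, zone):
    """True if qname is the zone apex or lies below it."""
    return qname == zone or qname.endswith("." + zone)


def ask(server_ip, qname):
    """One non-recursive query to an authoritative server.
    Returns ("answer", ip), ("referral", ns_name, ns_ip) or ("nxdomain",)."""
    zone = ZONES[SERVERS[server_ip]]
    if qname in zone["records"]:
        return ("answer", zone["records"][qname])
    for child, (ns_name, ns_ip) in zone["delegations"].items():
        if in_zone(qname, child):
            return ("referral", ns_name, ns_ip)   # "that name lives below child; ask ns_name"
    return ("nxdomain",)


def resolve_iteratively(qname, max_hops=8):
    """Walk from the root: root -> TLD server -> domain's server, the way a
    recursive resolver does on behalf of its client. Returns (reply, trail)."""
    trail, server = [], ROOT
    for _ in range(max_hops):
        reply = ask(server, qname)
        trail.append((server, reply))
        if reply[0] != "referral":
            return reply, trail
        server = reply[2]
    raise RuntimeError("too many referrals")


# Policy for the server we run: authoritative for OUR_ZONE, recursive only for our clients.
OUR_ZONE = "guif.re."
ALLOW_RECURSION = [ipaddress.ip_network("10.0.0.0/8")]   # constructed internal client range


def handle_query(client_ip, qname, rd=True):
    """Returns (rcode, answer). Authoritative data is served to anyone; recursion
    (a query for a name outside our zone) only to ALLOW_RECURSION. Without that
    ACL the server is an open resolver: it would do the lookup for any spoofed
    source address and send the large reply to whoever that address belongs to."""
    if in_zone(qname, OUR_ZONE):
        rec = ZONES[OUR_ZONE]["records"].get(qname)
        return ("NOERROR", rec) if rec else ("NXDOMAIN", None)
    if not rd or not any(ipaddress.ip_address(client_ip) in net for net in ALLOW_RECURSION):
        return ("REFUSED", None)
    reply, _ = resolve_iteratively(qname)
    return ("NOERROR", reply[1]) if reply[0] == "answer" else ("NXDOMAIN", None)


if __name__ == "__main__":
    reply, trail = resolve_iteratively("guif.re.")
    for server, step in trail:
        print(server, step)
    print(handle_query("203.0.113.9", "example.com."))   # outsider asking for foreign data: REFUSED
```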
Bypassing countermeasures
Find another bug (an OWASP-category flaw, for example) and attack through that instead.
Bypass the reverse proxies and attack the backends directly.
Amplification attacks with DNS
Application-level DoS
Avoid detection with nmap
TCP SYN scan: send a SYN. SYN/ACK back means the port is open, RST means closed, no reply means filtered.
Null scan: send a TCP packet with no flags set (no such packet occurs in normal TCP). No reply means open (nmap reports open|filtered, since a dropped probe looks the same); a RST means closed.
FIN scan: send a packet with only the FIN flag set. No reply means open (open|filtered in nmap's terms); a RST means closed.
-f: fragment packets
--mtu 24: set a small maximum fragment size (must be a multiple of 8) to confuse firewalls
-D ip1,ip2,...: make nmap also send spoofed packets from the listed decoy IPs, so it is hard to tell which source is the real scanner
--randomize-hosts
--badsum: send probes with a bogus TCP/UDP checksum; a real host's stack drops them, so any reply comes from a firewall or IDS that did not verify the checksum
You can find hosts with no other network activity by inspecting the IP ID field of their outgoing packets. If the ID increments predictably, that host can be used as a zombie for an idle scan.
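What the probes in the list above look like from the defender's side, as an added example that is not from the notes or from nmap: it classifies TCP flag combinations into SYN, NULL and FIN probes, alerts when one source touches many ports in a short window, keeps bad-checksum segments as their own signal (a real TCP stack discards those, so they only matter to a sensor that skips checksum verification), and checks whether a host's IP ID sequence is predictable enough to be usable as an idle-scan zombie, which is the condition to audit your own quiet hosts for. The packet records are constructed tuples of (time, source, destination port, flag letters, checksum ok); the addresses and thresholds are assumptions.

```python
from collections import defaultdict


def probe_type(flags):
    """Classify a TCP flag string (tcpdump-style letters: S, A, F, R, P, U)."""
    f = set(flags)
    if not f:
        return "null"          # no flags at all: NULL scan probe
    if f == {"F"}:
        return "fin"           # lone FIN outside any connection: FIN scan probe
    if f == {"S"}:
        return "syn"           # bare SYN: connection attempt or SYN scan
    return "other"             # mid-connection traffic (PA, A, FA, ...)


def detect_scans(packets, port_threshold=10, window=5.0):
    """Flag sources that probe >= port_threshold distinct ports within `window`
    seconds using one probe type, and sources sending bad-checksum segments.
    Returns {src: {probe_type_or_"badsum": set_of_ports}}."""
    history = defaultdict(lambda: defaultdict(list))   # src -> type -> [(t, port)]
    alerts = {}
    for t, src, dport, flags, csum_ok in packets:
        if not csum_ok:
            # A real host's stack drops these silently; several from one source
            # is itself a scanner signature (nmap --badsum).
            alerts.setdefault(src, {}).setdefault("badsum", set()).add(dport)
            continue
        kind = probe_type(flags)
        if kind == "other":
            continue
        hist = history[src][kind]
        hist.append((t, dport))
        recent = {port for ts, port in hist if t - ts <= window}
        if len(recent) >= port_threshold:
            alerts.setdefault(src, {})[kind] = recent
    return alerts


def ip_id_predictable(ids, tolerance=0.9):
    """True if an observed IP ID sequence increments by 1 (mod 65536) at least
    `tolerance` of the time. A quiet host with such a sequence can be abused as
    an idle-scan zombie; the fix on the host side is randomised IP IDs."""
    if len(ids) < 2:
        return False
    steps = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    return sum(1 for s in steps if s == 1) / len(steps) >= tolerance


def sample_packets():
    """Constructed traffic: a NULL scan of 12 ports from one source, one
    legitimate HTTPS client, and two bad-checksum probes from the scanner."""
    pk = [(0.1 * i, "203.0.113.5", 20 + i, "", True) for i in range(12)]
    pk += [(0.5, "198.51.100.2", 443, "S", True), (0.6, "198.51.100.2", 443, "PA", True)]
    pk += [(3.0, "203.0.113.5", 80, "S", False), (3.1, "203.0.113.5", 22, "S", False)]
    return sorted(pk)


if __name__ == "__main__":
    for src, findings in detect_scans(sample_packets()).items():
        for kind, ports in findings.items():
            print(f"{src}: {kind} probes to {len(ports)} ports {sorted(ports)}")
    print("zombie candidate:", ip_id_predictable([65534, 65535, 0, 1, 2]))
```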
Open a file securely
Check the user's permissions on the file and respond accordingly.
If the user tries a chmod on the file to escalate their privileges, reject the request.
If the user tries to create a link to the file somewhere else in their own directory, reject the request for sensitive files.
Allow editing only if the user is the owner of the file; otherwise don't.
Open the file in a mode matching the user's privileges (read-only, write-only, execute-only), keeping read-only as the default mode for every file.
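The checklist above turned into code, as an added example that is not from the notes: a POSIX open wrapper that refuses to follow symlinks, rejects non-regular files and (for sensitive files) extra hard links, grants write access only to the owner with read-only as the default, and honours chmod requests only from the owner and never ones that add set-uid/set-gid bits. It assumes Linux (O_NOFOLLOW and the ELOOP/EMLINK error codes); the scratch directory and files built in demo() are constructed for the example.

```python
import errno
import os
import stat
import tempfile


class UnsafeFileError(PermissionError):
    """Raised when a file fails one of the checks below."""


def open_securely(path, uid=None, want_write=False, sensitive=False):
    """Open `path` and return a file descriptor, or raise UnsafeFileError.

    1. Never follow a symlink (O_NOFOLLOW): a link the user planted in their
       own directory must not redirect us to someone else's file.
    2. The object opened must be a regular file, checked with fstat on the
       descriptor so the decision is about what we actually opened.
    3. For sensitive files, refuse if a second hard link exists anywhere.
    4. Write access only for the owner; everyone else, and every caller that
       did not ask for write, gets read-only, the default mode.
    """
    if uid is None:
        uid = os.getuid()
    flags = os.O_NOFOLLOW | os.O_CLOEXEC | os.O_NOCTTY
    flags |= os.O_RDWR if want_write else os.O_RDONLY
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):   # Linux / BSD codes for an O_NOFOLLOW refusal
            raise UnsafeFileError(f"refusing to follow symlink: {path}") from exc
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeFileError(f"not a regular file: {path}")
        if sensitive and st.st_nlink > 1:
            raise UnsafeFileError(f"sensitive file has {st.st_nlink} links: {path}")
        if want_write and st.st_uid != uid:
            raise UnsafeFileError(f"uid {uid} does not own {path}; write refused")
    except Exception:
        os.close(fd)
        raise
    return fd


def request_chmod(fd, new_mode, uid):
    """Honour a chmod request only from the owner, and never one that adds
    set-uid/set-gid bits (the 'chmod to escalate privileges' case)."""
    st = os.fstat(fd)
    if st.st_uid != uid or new_mode & (stat.S_ISUID | stat.S_ISGID):
        return False
    os.fchmod(fd, new_mode)
    return True


def demo():
    """Build a scratch directory (constructed for this example) holding a regular
    file, a symlink to it and a hard link to it, and record each outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        regular = os.path.join(d, "data.txt")
        with open(regular, "w") as f:
            f.write("secret\n")
        symlink = os.path.join(d, "link.txt")
        os.symlink(regular, symlink)
        os.link(regular, os.path.join(d, "hard.txt"))
        me = os.getuid()

        fd = open_securely(regular, me)                  # plain read-only open succeeds
        results["regular_readonly"] = "opened"
        results["chmod_setuid"] = request_chmod(fd, 0o4755, me)   # adds set-uid: refused
        results["chmod_plain"] = request_chmod(fd, 0o600, me)     # owner, plain mode: applied
        os.close(fd)
        attempts = {
            "symlink": dict(path=symlink),
            "hardlink_sensitive": dict(path=regular, sensitive=True),
            "write_not_owner": dict(path=regular, uid=me + 1, want_write=True),
        }
        for name, kwargs in attempts.items():
            try:
                os.close(open_securely(**kwargs))
                results[name] = "opened"
            except UnsafeFileError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:20} {outcome}")
```

The checks run on the descriptor after the open rather than on the path before it, which is what closes the race between checking a path and opening it.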
Top five cyber security threats
Phishing
Insecure passwords
Network vulnerabilities
Website vulnerabilities
Mobile malware
Phases Of Network Penetration
Reconnaissance
Scanning
Gaining access
Keeping access
Covering tracks
Penetration testing methodologies
Information System Security Assessment Framework (ISSAF)
Open Source Security Testing Methodology Manual (OSSTMM)
Planning
Number of network devices
Types of network devices
Known operating systems
Known websites
Length of the evaluation
Location
Physical or remote
Organization
Team leader, network expert, social engineering expert, Wi-Fi, web, ...
Methodology
Open Source Security Testing Methodology Manual (OSSTMM)
Information Systems Security Assessment Framework (ISSAF)
Statement of Work (SoW)
The pentesting company presents a SoW; the client accepts it and issues a purchase order. It contains:
Purpose of the assessment
Type of assessment
Scope of effort
Time constraints of the assessment
Preliminary schedule
Communication strategy
Incident handling and response procedures
Description of the task to be performed
Deliverables
Sensitive data handling procedures
Budget (to include expenses)
Payment terms
Points of contact for emergencies
Report
Table of contents
Executive summary
Methodology used
Prioritized findings per business unit, group, department
Finding
Impact
Recommendation
Detailed records and screenshots in the appendix (back of report)
1. Planning and preparation
Identification of contact individuals from both sides,
Opening meeting to confirm the scope, approach, and methodology, and
Agree to specific test cases and escalation paths.
2. Assessment
Information Gathering: Using the Internet to find all information about the target, using both technical and nontechnical methods.
Network Mapping: Identifying all systems and resources within the target network.
Vulnerability Identification: Activities performed by the assessor to detect vulnerabilities in the target.
Penetration: Gaining unauthorized access by circumventing the security measures in place and trying to reach as wide a level of access as possible.
Gaining Access and Privilege Escalation: After successfully exploiting a target system or network, the assessor will try to gain higher level privileges.
Enumerating Further: Obtaining additional information about processes on the system, with the goal of further exploiting a compromised network or system.
Compromise Remote Users/Sites: Exploit the trust relationships and communication between remote users and enterprise networks.
Maintaining Access: Using covert channels, back doors, and rootkits to hide the assessor’s presence on the system or to provide continual access to the compromised system.
Covering Tracks: Eliminate all signs of compromise by hiding files, clearing logs, defeating integrity checks, and defeating antivirus software.
3. Report
Management summary
Project scope
Penetration test tools used
Exploits used
Date and time of the tests
All outputs of the tools and exploits
A list of identified vulnerabilities
Recommendations to mitigate identified vulnerabilities, organized into priorities
Terminology
**Smishing** Phishing over SMS. Usually to access financial information.
**Vishing** Phishing over the phone. Usually to access financial information.
**Side-channel attack** is an attack based on the physical implementation of the system (timing, sounds, etc...).