Introduction to Pentesting
What is Pentesting
- A Penetration test or pentest is an ethically-driven attempt to test and analyse the security defences to protect these assets and pieces of information.
- A penetration test involves using the same tools, techniques, and methodologies that someone with malicious intent would use and is similar to an audit.
Penetration Testing Ethics
- Hackers are sorted into three hats, based on their ethics and motivations behind their actions.
- White hats
- Grey hats
- Black hats
White Hats
- Good hackers.
- Follows rules and use their skills to benefit others.
Grey Hats
- Does not follow rules all the time.
- Uses their skills to benefit others often.
Black Hats
- Evil hackers.
- Often seek to damage organizations.
Rules of Engagement (ROE)
- The ROE is a document that is created at the initial stages of a penetration testing engagement.
- This document consists of three main sections.
- Permission - This section gives explicit permission for the engagement to be carried out.
- Test Scope - This section will annotate specific targets to which the engagement should apply.
- Rules - This section will define exactly the techniques that are permitted during the engagement.
Penetration Testing Methodologies
- The steps a penetration tester takes during an engagement is known as the methodology.
- The steps involved in a typical penetration test are as below
- Information Gathering
- Enumeration/Scanning
- Exploitation
- Privilege Escalation
- Post-exploitation
Information Gathering
- This stage involves collecting as much publicly accessible information about a target as possible.
- Example: OSINT and research.
- This does not involve scanning any systems.
Enumeration or Scanning
- This stage involves discovering applications and services running on the systems.
- For example: Finding open ports, finding a web server that may be potentially vulnerable.
Exploitation
- This stage involves leveraging vulnerabilities discovered on a system or application.
- This stage can involve the use of public exploits or exploiting application logic.
Privilege Escalation
- After exploitation, privilege escalation is an attempt to expand your access to a system.
- There are two types of privilege escalations.
- Horizontal escalation: Accessing another account of the same permission group (i.e. another user)
- Vertical escalation: Accessing another permission group (i.e. an administrator).
Post Exploitation
- This stage includes the following
- What other hosts can be targeted (pivoting).
- What additional information can we gather from the host now that we are a privileged user.
- Covering your tracks.
- Reporting.
OSSTMM
- The Open Source Security Testing Methodology Manual - https://github.com/mtesauro/owasp-wte/blob/master/temp-projects/wte-docs/contents/usr/share/doc/WTE-Documentation/OSSTMM/OSSTMM.3.pdf
- The methodology focuses primarily on how these systems, applications communicate, so it includes a methodology for:
- Telecommunications (phones, VoIP, etc.)
- Wired Networks
- Wireless communications
OWASP
- Open Web Application Security Project - https://owasp.org/
- Community-driven and frequently updated framework used solely to test the security of web applications and services.
- Read about the top 10 vulnerabilities here: https://owasp.org/Top10/
NIST Cybersecurity Framework 1.1
- National Institute of Standards and Technology - https://www.nist.gov/cyberframework/
- Popular framework used to improve an organisations cybersecurity standards and manage the risk of cyber threats.
NCSC CAF
- National Cyber Security Center Cyber Assessment Framework - https://www.ncsc.gov.uk/collection/caf/caf-principles-and-guidance/
- Extensive framework of fourteen principles used to assess the risk of various cyber threats and an organisation's defences.
Principles of Security
CIA Triad
- The CIA triad is an information security model that is used in consideration throughout creating a security policy.
- The model consists of three sections: Confidentiality, Integrity and Availability (CIA).
- Confidentiality is the protection of data from unauthorized access and misuse.
- Integrity is the condition where information is kept accurate and consistent unless authorized changes are made.
- Availability is the condition where information should be available when authorised users need to access it.
Principles of Privileges
- Two key concepts are used to assign and manage the access rights of individuals.
- Privileged Identity Management (PIM)
- Privileged Access Management (PAM)
- PIM is used to translate a user's role within an organisation into an access role on a system.
- PAM is the management of the privileges a system's access role has, amongst other things.
Security Models
- Some popular and effective security models used to achieve the three elements of the CIA triad.
- The Bell-La Padula Model
- Biba Model
- The Bell-La Padula Model is used to achieve confidentiality.
- This model uses the rule "no write down, no read up".
- The Bell LaPadula Model is popular within organisations such as governmental and military.
- The Biba model is arguably the equivalent of the Bell-La Padula model but for the integrity of the CIA triad.
- This model uses the rule "no write up, no read down".
- For example: a doctor would not be able to read the notes made by a nurse in a hospital with this model.
Threat Modelling & Incident Response
Threat Modelling
- Threat modelling is the process of reviewing, improving, and testing the security protocols in place in an organisation's information technology infrastructure and services.
- An effective threat model includes:
- Threat intelligence
- Asset identification
- Mitigation capabilities
- Risk assessment
- There are frameworks such as STRIDE, to help implementing the threat model.
- Spoofing identity
- Tampering with data
- Repudiation threats
- Information disclosure
- Denial of Service
- Elevation of privileges
Incident Response
- A breach of security is known as an incident.
- An incident is responded to by a Computer Security Incident Response Team (CSIRT).
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned