The Business of Penetration Testing

Presentation transcript:

The Business of Penetration Testing Jacolon Walker

Agenda
Introduction (about me)
Penetration testing methodology
Pentesting frameworks
Customizing your tool set
Engagement prep
Post engagement
Wrapping it all up

The about me stuff
6 years in InfoSec
My talk is not sponsored by my employers
Write code, exploits, reverse malware for fun and sometimes profit
Have certs
Placed 2nd in SANS NetWars
Disclaimer on ideology
Sr. Information Security Engineer/Principal @ Xerox
Lead Pentester @ Global DataGuard

Ethical Pentesting Methodology?
No such thing if you want to be successful
You need to think like a hacker
Pentesting methodologies cover all grounds and help win assessments
Attention to detail and organization skills
Push the envelope but do not cross the line

Penetration Methodology: a 5-step process
1. Reconnaissance
2. Scanning & Enumeration
3. Gaining Access
4. Maintaining Access
5. Covering Tracks

Reconnaissance

Penetration Methodology (cont.): Reconnaissance
Gathering information passively; not actively scanning or exploiting anything
Harvesting information from search engines: Bing, Google, Yahoo, Yandex
The Wayback Machine (archive.org)
Social media, etc.
Forums, bulletin boards, newsgroups, articles, blogs, etc.

Penetration Methodology (cont.): Scanning & Enumeration
Target discovery
Enumerating
Vulnerability mapping
Target discovery, usually known as footprinting: identifying the target's network status, operating systems, devices and other related network architecture. Most of this information can come from a grey/white box approach. Whois lookups can give you a vast amount of information.
Enumerating: finding services, aka open ports, on target systems, using tools such as nmap. This helps with identifying services that might have vulnerabilities or be possible low-hanging fruit.
Vuln mapping: identify and analyze the vulns based on the discovered ports and services.
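As an added example (not from the talk), here is how the enumeration output feeds vulnerability mapping: a Python parser over constructed nmap greppable (-oG) output that builds a per-host service inventory and flags the open services that warrant a manual look. The sample scan, hostnames and review list are all constructed for the example.

```python
"""Parse nmap greppable (-oG) output into a per-host service inventory and flag
open services that deserve a manual look during vulnerability mapping.
Added example; the scan below is constructed, not output from the talk's demo."""
from collections import defaultdict

# Constructed `nmap -sV -oG` output; fields on a Host line are tab-separated.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 10.0.0.5 (web01.lab)\tStatus: Up\n"
    "Host: 10.0.0.5 (web01.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 7.9/, "
    "80/open/tcp//http//nginx 1.18/, 443/closed/tcp//https///\t"
    "Ignored State: closed (997)\n"
    "Host: 10.0.0.9 (fs01.lab)\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\t"
    "Ignored State: filtered (997)\n"
)

# The talk's "low hanging fruit": cleartext or high-value protocols that get a
# manual check before anything is attempted against them.
REVIEW_SERVICES = {
    "ftp": "cleartext credentials; check whether anonymous login is allowed",
    "telnet": "cleartext sessions",
    "microsoft-ds": "SMB; check signing requirement and patch level",
    "ms-wbt-server": "RDP exposed; check NLA and account lockout policy",
}

def parse_gnmap(text):
    """Return {ip: [{port, proto, state, service, version}, ...]}."""
    inventory = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Each tab-separated field has the form "Name: value".
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue  # "Status: Up" lines carry no port data
        ip = fields["Host"].split()[0]
        for entry in fields["Ports"].split(", "):
            # port/state/protocol/owner/service/rpc info/version
            port, state, proto, _o, service, _r, version = entry.split("/")[:7]
            inventory[ip].append({"port": int(port), "proto": proto, "state": state,
                                  "service": service, "version": version})
    return dict(inventory)

def flag_for_review(inventory):
    """(ip, port, service, reason) for every open port in REVIEW_SERVICES."""
    return [(ip, p["port"], p["service"], REVIEW_SERVICES[p["service"]])
            for ip, ports in inventory.items() for p in ports
            if p["state"] == "open" and p["service"] in REVIEW_SERVICES]

if __name__ == "__main__":
    for row in flag_for_review(parse_gnmap(SAMPLE_GNMAP)):
        print("REVIEW:", row)
```

Filtered and closed ports are kept in the inventory but never flagged, so the review list only contains services that were actually reachable.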

DEMO: Maltego, Recon-ng, theHarvester, Nmap
If the students have Kali, have them open it up and try to follow along with some of the demos. Ask if there are any questions up to this point or if anyone needs help understanding a tool or method.
https://bitbucket.org/LaNMaSteR53/recon-ng/wiki/Home
'show modules' in recon-ng

OSINT ALL THE DATA
At this point you have gathered very useful data to help in your assessment. The information acquired so far can be used for a full-on red-teaming style assessment: social engineering, physical security, web application assessment, etc.

Penetration Methodology (cont.): Gaining Access
Mapped vulns
Important to penetrate: gaining a user and escalating privs
Try multiple vectors. This is actually a decently easy part: web application, wifi, social engineering. Use your research.
The goal of the pentest is to point out your customer's security gaps and flaws. Illustrate it. If you can, show them their "honey": usually what they consider their most honey-making hive.

Penetration Methodology (cont.): Maintaining Access
Keeping account access
Privilege escalation
Pivoting to own all
ET phone home

DEMO: Metasploit post scripts
search platform:windows type:exploit cve:2008 path:exploit/windows/smb
set PAYLOAD windows/meterpreter/reverse_tcp

Broken? No luck?
The great Rolling Stones once said: "You can't always get what you want, but if you try sometimes, well, you might find you get what you need."
If your tools are failing you, or your vulnerabilities are not matching up, go back and reassess the situation. Try a new vector. Maybe a bit more recon? Comb through your results thoroughly. Do not always rely on tools. Sometimes the best tools are the ones you build yourself during an assessment.

Penetration Methodology (cont.): Covering Tracks
Removing tools: backdoors, ET phone homes
Clearing logs: Windows security, application and system logs; Linux /var/log/*
Remove audit logs carefully!!!!!
These types of techniques are typically used for "anonymous pentesting" but can be applied in a real engagement, although the majority of the time you will not have to worry about it if it's legit. In some real attacks, altering logs can be better for covering tracks than deleting them, since deleted logs alert the admin or analyst who is in place watching SIEM, IDS and IPS systems.

Penetration Frameworks
vulnerabilityassessment.co.uk
pentest-standard.org
Open Source Security Testing Methodology Manual (OSSTMM)
Information Systems Security Assessment Framework (ISSAF)
Open Web Application Security Project (OWASP) Top Ten
Web Application Security Consortium Threat Classification (WASC-TC)
Pros: comprehensive lists of tools and configurations; specific tests for systems; loosely built off the CEH pentest methodology; pre-engagement visits; specific testing; threat modeling taken into consideration. Both also deal with reporting.
Cons: they include pre/post engagements, as if you have already won the bid for the assessment. Basically there is no set standard for these activities and they change from assessment to assessment.

Customizing your toolset
Kali Linux – the new BackTrack
Use your methodology to help build this: recon, scanning, exploitation, post exploitation
Become familiar with those tools
Change it up to add more to your collection
Using the pentesting methodology outlined at the beginning of this presentation, or the one you create as you gain more assessments, you will be building a great set of tools. Make sure you have tools for each step of the methodology in your virtual machine or pentesting system. KNOW those tools. Stressing this a lot. The more you know your tools, the better your reporting will become later. Another reason for knowing this is that a client or competitor will say they use X scanner and another might say they use Y scanner. But when you can say you use X, Y and Z scanners, it gives you a broader scope and a better chance of winning the assessment.

My toolset
A few things in my tool set:
Recon-ng / theHarvester
Burp Suite
Nmap / p0f / ncat
Nessus / Core Impact / Acunetix / Saint
Arachni / Vega / Metasploit / Websecurify
Python, Python, Python
KeepNote / Lair / Etherpad / (Armitage *testing*)
These tools have helped me on every assessment I have had up to this date. I have been through several tools, always trying something new or developing new ones. For me a tool has to meet extreme requirements: accurate data, modular, how much memory does it take to run, and can I contribute to this project? Those are always a couple of things I keep in mind, because if you like something you can always make it better if need be. Know what tools work for you and what results they will provide for you. Talk about the tools a bit. Don't forget to mention these are just some basic tools used to get small assessments done.

Toolset Demo: demonstrating some of the tools I use

Finally, the assessment is over? No. http://nooooooooooooooo.com

Pre-engagement Prep
You are selling a service, so... sell something
Tools customization
Knowing what offers and market rates are
Is this assessment for you?
Fixed pricing or hourly
What does the client want? Can you provide what they want?
Remember, in the end you are selling a service, so knowing your methodology and the tools you use, which you have customized or tailored to yourself, is a start. Knowing what pentests, application assessments and code audits go for is a must to stay competitive. If you know your tools, this goes right back to the point of having X, Y and Z tools and charging the same rate as others. Is this assessment really what you know how to do? You do not want to accept something you cannot complete. Knowing what the client wants, while being able to explain to them what will really happen, is something they need to hear, even if they don't want to. This will help with defining scopes.

Engagement Sold!!!
Scope of work
Understand what the client wants: black, gray or white box testing, or red teaming
How long the assessment will take
What to expect from the assessment
Client contacts, from project manager to network admins, in case of emergencies
Use the methodologies that you have created
Remember to log everything
Secure communication with clients
Figure out what the client is asking for. This will help you write up a scope of work defining what they want from the assessment and who is liable for what. Having this type of information documented will come in handy later if you are accused of testing the wrong subnet, or if you forgot to test a subnet, etc. Log everything, from hours worked to every command you ran on the assessment. You can later replay attacks, trace your steps and provide greater value when reporting rolls around. Not to mention it's a cover-your-butt policy. When communicating with a client about their network, things of concern or interest, always use some sort of secure messaging channel such as PGP.
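One way to make "log everything" hold up later, as an added example that is not tooling from the talk: a hash-chained engagement log in Python where each command, note or hours entry carries a UTC timestamp and the hash of the entry before it, so the record replays in order and any after-the-fact edit is detectable. The file path, target address and entries are constructed.

```python
"""Hash-chained engagement log: each command, note or hours entry carries a UTC
timestamp and the hash of the previous entry, so the assessment replays in order
and any later edit to the record is detectable. Added example, not tooling from the talk."""
import hashlib, json, os, tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry

def _digest(prev_hash, entry):
    # SHA-256 over previous hash + canonical JSON, so verification is reproducible
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

class EngagementLog:
    def __init__(self, path):
        self.path = path
        self.entries = [json.loads(l) for l in open(path)] if os.path.exists(path) else []

    def append(self, kind, text, target=None, operator="tester"):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "ts": datetime.now(timezone.utc).isoformat(),
                 "kind": kind, "operator": operator, "target": target,
                 "text": text, "prev": prev}
        entry["hash"] = _digest(prev, entry)  # hash covers every field above
        with open(self.path, "a") as f:
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        self.entries.append(entry)
        return entry

def verify_log(path):
    """Return (True, None) if the chain is intact, else (False, first bad seq)."""
    prev = GENESIS
    for seq, line in enumerate(open(path)):
        entry = json.loads(line)
        stored = entry.pop("hash", None)
        if entry.get("prev") != prev or _digest(prev, entry) != stored:
            return False, seq
        prev = stored
    return True, None

def demo():
    """Write three constructed entries, verify, edit one after the fact, re-verify."""
    path = os.path.join(tempfile.mkdtemp(), "engagement.log")
    log = EngagementLog(path)
    log.append("hours", "day 1: 4h allocated to external recon")
    log.append("cmd", "nmap -sV -oG ext.gnmap 203.0.113.10", target="203.0.113.10")
    log.append("note", "tcp/21 open on 203.0.113.10, anonymous FTP allowed", target="203.0.113.10")
    ok_before, _ = verify_log(path)
    # Simulate someone quietly rewriting what was actually run against the client.
    lines = open(path).read().splitlines()
    edited = json.loads(lines[1]); edited["text"] = "nmap -p 80 203.0.113.10"
    lines[1] = json.dumps(edited, sort_keys=True)
    open(path, "w").write("\n".join(lines) + "\n")
    ok_after, bad_seq = verify_log(path)
    return ok_before, ok_after, bad_seq  # (True, False, 1)
```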

Post Engagement
Report writing
Did any issues occur? Could they have been prevented? Can they be fixed?
Did you get what you wanted from the engagement? Profit?
Any new tools added or methodologies? Possible new techniques?
Was the customer satisfied?
No one likes report writing. I still to this day do not like it, and I have a couple due this week. But reports can make or break you. When the next quarter approaches and the client needs a pentest, they will recall your report writing skills.... Any major issues, such as services crashing? Exploits not working? Communication with the client not up to par? Can you fix those issues? Did you find that something worked better for you in this pentest, that got you that gold nugget or changed your methodologies? Find any interesting 0days or breaches? Maybe you can write a paper on it. Was the customer satisfied with your report writing and the communication during the assessment?

Report Writing
It is the last thing the customer sees. Make it the best thing they see.
Customers are paying for quality.
Different reports for various teams: executive summary, detailed summary.
I could write a whole presentation about this but I will not.
Things to know if your report is bad: the customer or anyone else can run the same tools and get the same report. All you have changed is your logo and there is no customization.
Bad to decent: pretty graphs for executives, root cause analysis performed, tactical remediations included.
Good: vulnerability ranking, system ranking, remediation efforts. The more variables provided in the report, the longer the time spent, but the outcome shows a better response.
Awesome reports: the report is analyzed and customized specifically to the client, with client inventory and critical assets.
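To show what "vulnerability ranking, system ranking" and a client-specific report look like in practice, an added Python example (not from the talk) that ranks constructed findings against a constructed client inventory: each system is weighted by its asset criticality, vulnerabilities are ordered by severity and spread, and the high-impact, low-effort fixes are pulled out for the executive summary.

```python
"""Rank findings for the detailed report and pick quick wins for the
executive summary, weighting each system by the client's own asset
criticality. Added example; inventory and findings are constructed."""
from collections import defaultdict

# Constructed client inventory: host -> (criticality 1..5, owning team)
INVENTORY = {
    "10.0.0.5": (5, "web team"),        # internet-facing web server
    "10.0.0.9": (4, "infrastructure"),  # internal file server
    "10.0.0.20": (1, "lab"),            # throwaway test box
}
# Constructed findings: (host, title, cvss, remediation effort in hours)
FINDINGS = [
    ("10.0.0.5", "Outdated nginx with known RCE", 9.8, 2),
    ("10.0.0.5", "TLS 1.0 enabled", 5.3, 1),
    ("10.0.0.9", "SMB signing not required", 5.9, 1),
    ("10.0.0.9", "FTP allows anonymous login", 7.5, 1),
    ("10.0.0.20", "Outdated nginx with known RCE", 9.8, 2),
    ("10.0.0.20", "Default SNMP community string", 7.5, 0.5),
]

def rank_systems(findings, inventory):
    """Systems ordered by exposure = sum of CVSS scores * asset criticality."""
    totals, counts = defaultdict(float), defaultdict(int)
    for host, _, cvss, _ in findings:
        totals[host] += cvss
        counts[host] += 1
    rows = []
    for host, total in totals.items():
        crit, owner = inventory.get(host, (1, "unknown"))  # unknown assets weigh least
        rows.append({"host": host, "owner": owner, "findings": counts[host],
                     "exposure": round(total * crit, 1)})
    return sorted(rows, key=lambda r: r["exposure"], reverse=True)

def rank_vulns(findings):
    """Vulnerabilities ordered by CVSS, then by how many hosts they affect."""
    hosts, cvss = defaultdict(set), {}
    for host, title, score, _ in findings:
        hosts[title].add(host)
        cvss[title] = score
    rows = [{"title": t, "cvss": cvss[t], "hosts": sorted(hosts[t])} for t in hosts]
    return sorted(rows, key=lambda r: (r["cvss"], len(r["hosts"])), reverse=True)

def quick_wins(findings, inventory, max_hours=1, min_cvss=7.0, min_crit=3):
    """High-impact, low-effort fixes on assets the client actually cares about."""
    wins = [(h, t, c) for h, t, c, effort in findings
            if effort <= max_hours and c >= min_cvss
            and inventory.get(h, (1, ""))[0] >= min_crit]
    return sorted(wins, key=lambda w: (inventory[w[0]][0], w[2]), reverse=True)

if __name__ == "__main__":
    for row in rank_systems(FINDINGS, INVENTORY):
        print(row)
    print(quick_wins(FINDINGS, INVENTORY))
```

The same 9.8 nginx finding lands at the top of the vulnerability ranking on both hosts, but the lab box sits last in the system ranking because the client marked it as low criticality.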

Wrapping it all up
Pentesting has numerous components
It's not always about hacking; it's about research and business
Make sure you are NICHE at what you do. Know your target and field
Always improve your methods while helping your client improve their infrastructure
"Don't learn to hack, hack to learn"
Summary of the talk: use open source intelligence to gather your information and use it thoroughly before attacking. Becoming NICHE is what makes things better. If you are niche in a certain field, say healthcare, stick to healthcare and know it. Then you can bridge the gap between that field and security. Methodologies are always changing but you need to create your own.