
Penetration Testing Dr. X.


1 Penetration Testing Dr. X

2 Pen Testing
• A penetration test or pentest is a test evaluating the strength of all security controls on the computer system.
• Penetration tests evaluate procedural and operational controls as well as technological controls.
• Common Vulnerabilities and Exposures (CVE): the standard for information security vulnerability names.
• Vulnerability assessment places the emphasis on identifying areas that are vulnerable without compromising the system.
• Pentesting focuses on finding vulnerabilities and exploiting them across all the layers: it simulates a hacker attack.

3 Penetration Testing Methodology
AKA the “Attack Chain”. Methodology for this course:
1 - Reconnaissance and Vulnerability Discovery
2 - Exploitation: Establishing a Foothold
3 - Privilege Escalation and Lateral Movement
4 - Data Exfiltration

4 Reconnaissance and Scanning
• Initial enumeration
• Port scanning
• Manual information gathering
Initial enumeration: you have plugged into the network, now what? Make sure you have an IP. Once you have an IP, now what? Check DNS and domain settings:
cat /etc/resolv.conf
This identifies some domains as well as the IP and subnet of the DNS server. Domain Controllers are juicy targets, so you’ll want to identify all the DCs in any domains found in the previous step:
nslookup -q=SRV _ldap._tcp.<fully qualified domain name>

5 Scanning
Port scanning: the three port states (open, closed, filtered) and the tools.
Tools: Nmap, Masscan, Maltego, Wireshark, your own custom socket programming tools.
Using the subnet(s) identified so far, perform some scans for various services that are commonly vulnerable:
• Web services
• Databases
• FTP, SSH, and Telnet
Know your common ports!
The main goal of port scanning is to find out which ports are open, which are closed, and which are filtered. Looking at your machine from the outside, a given port on your machine is open only if you are running a server program on the machine and the port is assigned to the server. If you are not running any server programs, then, from the outside, no ports on your machine are open. This could be the case with a brand new digital device that is not meant to provide any services to the rest of the world. When we say a port is filtered, what we mean is that the packets passing through that port are subject to the filtering rules of a firewall.
• If a port on a remote host is open for incoming connection requests and you send it a SYN packet, the remote host will respond with a SYN+ACK packet.
• If a port on a remote host is closed and your computer sends it a SYN packet, the remote host will respond with a RST packet.
Maltego is an amazing relationship analysis tool that can track who or what is connected to what or who. The software can explore links between people, social networks, organizations, web sites, Internet infrastructure, phrases and hashtags on Twitter, affiliations and files, and produces graphical network diagrams.

6 Port scanning
SYN packets. What if the port is closed? What if there is a firewall?
It is the “duty” of a good port-scanner to immediately send back to the target machine an RST packet in response to a received SYN+ACK packet, so that the half-open TCP connection at the target is closed immediately. Note that when a target machine is protected by a packet-level firewall, it is the firewall rules that decide what the machine’s response will be to a received SYN packet.

7 Nmap
Network Mapper, developed by Fyodor (see http://insecure.org/).
• Inventory of all devices in the network
• Detect OS
Nmap can perform: TCP SYN scans, TCP connect() scans, UDP scans (is there such a thing as a UDP SYN scan? How will the machine respond?), ICMP scans, etc.
[Regarding UDP scans, note that SYN is a TCP concept, so there is no such thing as a UDP SYN scan. In a UDP scan, if a UDP packet is sent to a port that is not open, the remote machine will respond with an ICMP port-unreachable message. So the absence of a returned message can be construed as a sign of an open UDP port. However, a packet-filtering firewall at a remote machine may prevent the machine from responding with an ICMP error message even when a port is closed, which is why an unanswered UDP probe can only be reported as open or filtered.]
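The port states described on slides 5 to 7 (SYN+ACK means open, RST means closed, silence means filtered, and for UDP the ICMP port-unreachable rule) can be checked against listeners you run yourself. The script below is an added example, not part of the original slides: it probes only 127.0.0.1, starts its own TCP listener and a silent UDP socket, and uses a full connect() instead of a raw SYN because raw sockets need root. The outcomes map one-to-one onto the slide's rules, and the UDP case shows why nmap can only say "open|filtered" when nothing comes back.

```python
"""Classify TCP and UDP port states as slides 5-7 describe them.

Added example (not part of the original slides).  Everything runs
against 127.0.0.1 with listeners we create ourselves, so it is offline.
TCP uses a full connect() rather than a raw SYN (raw sockets need root),
but the outcomes map one-to-one onto the slide's rules:
  SYN+ACK  -> handshake completes -> open
  RST      -> ECONNREFUSED        -> closed
  silence  -> timeout             -> filtered
For UDP, an ICMP port-unreachable (surfaced by Linux as ECONNREFUSED on a
connected UDP socket) means closed; silence is ambiguous: open|filtered.
"""
import socket

TIMEOUT = 1.0          # seconds; a probe with no answer is reported as filtered
LOOPBACK = "127.0.0.1"


def tcp_state(host: str, port: int, timeout: float = TIMEOUT) -> str:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"            # SYN+ACK came back, handshake completed
        except ConnectionRefusedError:
            return "closed"          # the host answered with RST
        except OSError:              # socket.timeout is an OSError subclass
            return "filtered"        # nothing came back: a firewall dropped it


def udp_state(host: str, port: int, timeout: float = TIMEOUT) -> str:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))      # for UDP this only fixes the peer address
        try:
            s.send(b"\x00")
            s.recv(64)               # a service that replies would land here
            return "open"
        except ConnectionRefusedError:
            return "closed"          # ICMP port-unreachable was received
        except socket.timeout:
            return "open|filtered"   # no datagram and no ICMP: cannot tell


def free_port(kind: int) -> int:
    """Bind to port 0 and release it: a port we know is currently closed."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind((LOOPBACK, 0))
        return s.getsockname()[1]


def demo() -> dict:
    """Probe one listening TCP port, one closed TCP port, one closed UDP
    port and one bound-but-silent UDP port; return the four states."""
    tcp_srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp_srv.bind((LOOPBACK, 0))
    tcp_srv.listen(1)                # the backlog completes the handshake for us
    udp_srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_srv.bind((LOOPBACK, 0))      # bound but never answers: looks open|filtered
    try:
        return {
            "tcp_open": tcp_state(LOOPBACK, tcp_srv.getsockname()[1]),
            "tcp_closed": tcp_state(LOOPBACK, free_port(socket.SOCK_STREAM)),
            "udp_closed": udp_state(LOOPBACK, free_port(socket.SOCK_DGRAM)),
            "udp_silent": udp_state(LOOPBACK, udp_srv.getsockname()[1]),
        }
    finally:
        tcp_srv.close()
        udp_srv.close()


if __name__ == "__main__":
    for probe, state in demo().items():
        print(f"{probe:11s} -> {state}")
```

The silent UDP probe takes the full timeout to resolve, which is exactly why UDP scans of a real network are slow and why firewalls that rate-limit ICMP errors make them slower still.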

8 Nmap example
nmap -sS -p 80,443 --open --script http-title --script-args 'http.useragent="Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"' <network>/24
• -sS
  • Specifies a SYN scan
  • Sends SYN packet -> listens for SYN-ACK -> closes connection
  • No full TCP handshake
  • Slightly stealthier
• -p
  • Specifies the ports to scan
  • Keeping the ports limited reduces network traffic
• --open
  • Only returns results with ports that are open
  • Reduces clutter and eliminates closed/filtered ports
  • Without this, almost every live system would show up in your scans!
• --script
  • Specifies which NSE (Nmap Scripting Engine) scripts to run
  • Can perform tasks after identifying open ports: banner grabs, vulnerability checks, software version enumeration, etc.
• --script-args
  • Supplies arguments to any scripts included in the “--script” option
  • Important to include for web scans: Nmap has its own user agent by default, and this is easy to detect! Specifying a user agent makes the scan more likely to go unnoticed.
• <network>/24
  • The CIDR range of IP addresses to scan (<network> is a placeholder for the network address)
  • Can also provide a list of targets with the “-iL” option
Databases: common ports 1433, 3306; useful Nmap scripts ms-sql-info, ms-sql-empty-password, mysql-info, mysql-empty-password.
FTP, SSH, Telnet: common ports 21, 22, 23; useful Nmap scripts ftp-anon, banner.
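The slide's --open flag removes closed and filtered ports from the output; the same filtering is easy to apply after the fact when Nmap is run with -oX to produce XML, which is how results usually get into a report or a ticketing system. The parser below is an added example, not from the slides. NMAP_XML is a constructed two-host report: the element and attribute names follow Nmap's XML output (nmaprun/host/address/ports/port/state/service/script), while the addresses, products and page titles are made up.

```python
"""Summarise an nmap XML report the way the slide's --open filter does.

Added example, not from the original slides.  NMAP_XML is a constructed
report (run nmap with -oX to get a real one); the element and attribute
names follow nmap's XML output (nmaprun/host/address/ports/port/state/
service/script), while the addresses, products and titles are made up.
"""
import xml.etree.ElementTree as ET

NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -p 80,443 --open --script http-title -oX - 192.0.2.0/24">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.6"/>
        <script id="http-title" output="Intranet login"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="filtered" reason="no-response"/>
        <service name="http"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack"/>
        <service name="https" product="nginx" version="1.18.0"/>
        <script id="http-title" output="Site doesn&apos;t have a title (text/html)."/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(xml_text: str) -> list:
    """Return one record per open port: address, port, service, product,
    and the http-title NSE output when the script ran on that port."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue                 # what --open drops: closed/filtered
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            title = port.find("script[@id='http-title']")
            findings.append({
                "addr": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": product,
                "title": title.get("output", "") if title is not None else "",
            })
    return findings


def by_host(findings: list) -> dict:
    """Group open ports per host, e.g. {"192.0.2.10": [80]}."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["addr"], []).append(f["port"])
    return grouped


if __name__ == "__main__":
    for f in open_ports(NMAP_XML):
        print(f"{f['addr']}:{f['port']}/{f['proto']} {f['service']} {f['product']} {f['title']!r}")
```

The version strings that -sV or NSE scripts put into the service element are what feed a vulnerability lookup later, so keeping them in the summary is worth the extra two lines.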

9 Gaining access
• Exploiting the vulnerabilities identified
• Gaining code execution
• Establishing a command and control channel

10 Gaining access
R2L (remote to local) and U2R (user to root). Active exploitation testing:
• Login checking and brute forcing
• Vulnerability exploitation (Metasploit, Core Impact)
• 0day and exploit discovery (fuzzing, program analysis)
• Post-exploitation techniques to assess severity (permission levels, backdoors, rootkits, etc.)

11 Gaining access tools
Common tools and frameworks:
• Metasploit Framework (Nexpose)
• Burp Suite
• Nikto
• Zed Attack Proxy (ZAP)
• SQLMap
• Hydra
• John the Ripper
• Specialized OS distributions (Linux): Kali Linux; BackTrack (discontinued)
Quick descriptions for every piece of software on the list:
• Burp Suite is an integrated platform for performing security testing of web applications, from initial mapping and analysis of an application's attack surface through to finding and exploiting security vulnerabilities.
• Hydra is a free brute-force password cracking tool. You can attack either single or multiple user accounts and try single passwords or a list of passwords. Hydra provides IPv6 support, a graphical user interface, internationalized support (RFC 4013), HTTP proxy support, and SOCKS proxy support. Hydra knows how to interact with a huge range of target services, including AFP, FTP, HTTP, IMAP, LDAP, MySQL, Oracle, POP3, RDP, RSH, SMB, SMTP, VNC, and VMware.
• John the Ripper is another command-line-based password cracker that’s noted for its speed. Its primary purpose is to detect weak Unix passwords.
• The Zed Attack Proxy (ZAP), developed and supported by the Open Web Application Security Project (OWASP), is a free, open source integrated penetration testing tool for finding vulnerabilities in web applications. Designed to be easy to use, ZAP provides a huge range of features including an intercepting proxy, spiders, automated and passive scanners, and a REST API.
• Sqlmap is a free open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine and many niche features for the ultimate penetration tester, including database fingerprinting, data fetching from a database, accessing the underlying file system, and executing commands on the operating system via out-of-band connections.

12 Metasploit framework
• An exploitation framework written in Ruby, currently at version
• It’s modular: it contains exploits, payloads, encoders and auxiliaries (1817 exploits, 1031 auxiliary, 539 payloads, 42 encoders)
• The framework is open source
The Metasploit Framework is an open source penetration tool used for developing and executing exploit code against a remote target machine. To take advantage of a vulnerability, you often need an exploit, a small and highly specialized computer program whose only reason for being is to take advantage of a specific vulnerability and to provide access to a computer system. Exploits often deliver a payload to the target system to grant the attacker access to the system. A payload is the piece of software that lets you control a computer system after it’s been exploited. The payload is typically attached to and delivered by the exploit. Just imagine an exploit that carries the payload in its backpack when it breaks into the system and then leaves the backpack there. Encoders obfuscate the exploits to avoid antivirus and intrusion detection system (IDS) detection. Auxiliaries: other modules besides exploitation. It is basically a tool for the development of exploits and the testing of these exploits on live targets. It can be used for penetration testing, risk assessment, vulnerability research, and other security developmental practices such as IDS and intrusion prevention system (IPS) testing.

13 Metasploit framework
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime.
• Stealthy
• Powerful
• Extensible: features can be added at runtime; new features are added to Meterpreter by loading extensions
• It features command history, tab completion, channels, and more
How Meterpreter works:
1. The target executes the initial stager. This is usually one of bind, reverse, findtag, passivex, etc.
2. The stager loads the DLL prefixed with Reflective. The Reflective stub handles the loading/injection of the DLL.
3. The Meterpreter core initializes, establishes a TLS/1.0 link over the socket and sends a GET. Metasploit receives this GET and configures the client.
4. Lastly, Meterpreter loads extensions. It will always load stdapi and will load priv if the module gives administrative rights. All of these extensions are loaded over TLS/1.0 using a TLV protocol.
Stealthy: Meterpreter resides entirely in memory and writes nothing to disk. No new processes are created, as Meterpreter injects itself into the compromised process and can migrate to other running processes easily. By default, Meterpreter uses encrypted communications. All of these provide limited forensic evidence and impact on the victim machine.
Powerful: Meterpreter utilizes a channelized communication system. The TLV protocol has few limitations.
Extensible: features can be augmented at runtime and are loaded over the network. New features can be added to Meterpreter without having to rebuild it.

14 Metasploit framework
msfconsole is probably the most popular interface to the MSF:
• It provides an "all-in-one" centralized console
• It is the only supported way to access most of the features within Metasploit
• Provides a console-based interface to the framework
• Contains the most features and is the most stable MSF interface
• Full readline support, tabbing, and command completion
• Execution of external commands in msfconsole is possible

15 Privilege Escalation and Lateral Movement
• Go from “User” to “Administrator” via local security misconfigurations
• Identify other targets on the network
• Test admin access
• Establish C2 channels to those targets with remote management functionality: PSEXEC, WMI
Local misconfigurations to look for:
• User account without admin privileges
• User account with admin privileges, but not running in an admin process
• Services with insecure permissions running as SYSTEM
• Executable with insecure permissions running as SYSTEM
• Insecurely quoted file paths
• Local access to the machine
• Cleartext credentials stored on the file system
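One item on this slide, insecurely quoted file paths, is a misconfiguration a defender can audit mechanically before a pentester finds it. The check below is an added example, not from the slides: it takes Windows service ImagePath values (on a real host they come from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath or from `sc qc <name>`), flags the ones whose unquoted executable path contains a space, and produces the quoted value that should be set instead. SAMPLE_SERVICES is constructed data, and the executable-extension heuristic in split_image_path is this example's own.

```python
"""Audit Windows service ImagePath values for unquoted paths with spaces.

Added example, not from the original slides.  SAMPLE_SERVICES is
constructed; on a real host the values come from the registry key
HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\ImagePath or `sc qc`.
Rule: an ImagePath that is not wrapped in double quotes and whose
executable path contains a space is ambiguous to the service control
manager, so it must be quoted.  The extension heuristic used to find the
end of the executable is an assumption of this example.
"""
import re

# (service name, ImagePath) pairs: constructed sample data
SAMPLE_SERVICES = [
    ("GoodSvc",   r'"C:\Program Files\Good Vendor\goodsvc.exe" -service'),
    ("BadSvc",    r'C:\Program Files\Bad Vendor\Sub Dir\badsvc.exe -k netsvc'),
    ("SysSvc",    r'C:\Windows\System32\svchost.exe -k LocalService'),
    ("DrvSvc",    r'%SystemRoot%\System32\drivers\afd.sys'),
    ("NoArgsBad", r'C:\Tools\My Agent\agent.exe'),
]

# the executable part ends at the first recognised extension
_EXE_END = re.compile(r"\.(exe|sys|dll|cmd|bat)\b", re.IGNORECASE)


def split_image_path(image_path: str) -> tuple:
    """Split an unquoted ImagePath into (executable, arguments)."""
    m = _EXE_END.search(image_path)
    if not m:
        return image_path.strip(), ""
    return image_path[: m.end()], image_path[m.end():].strip()


def is_insecurely_quoted(image_path: str) -> bool:
    """True when the path is unquoted and its executable part has a space."""
    p = image_path.strip()
    if p.startswith('"'):
        return False                  # already quoted: unambiguous
    exe, _args = split_image_path(p)
    return " " in exe


def quote_image_path(image_path: str) -> str:
    """Return the remediated value: quoted executable, arguments preserved."""
    p = image_path.strip()
    if not is_insecurely_quoted(p):
        return p
    exe, args = split_image_path(p)
    return f'"{exe}"' + (f" {args}" if args else "")


def audit(services) -> list:
    """Return [(name, original, fixed)] for every service that needs quoting."""
    return [(name, path, quote_image_path(path))
            for name, path in services if is_insecurely_quoted(path)]


if __name__ == "__main__":
    for name, original, fixed in audit(SAMPLE_SERVICES):
        print(f"{name}: {original}\n    -> {fixed}")
```

The fixed value is what you would pass to `sc config <name> binPath= "..."` (with the inner quotes escaped); the script deliberately only reports, so it can run as a read-only compliance check.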

16 msfconsole Practical example

17 Persistence Maintain access Backdoor
The Metasploit Framework comes with two options for backdooring a system: Persistence and Metsvc. For example, if the user decides to install a patch or to remove the vulnerable service on his system, then you will need to figure out an alternative way of getting access to the remote system again. That’s why back-doors are important: they can maintain access to a system that you have compromised.

18 Cover Tracks Remove log files History Network tracks
Covert communication: reverse HTTP, ICMP tunnel.
Reverse HTTP: In this type of attack, the attacker typically installs a reverse HTTP shell on the victim computer. This reverse HTTP shell is programmed to ask for commands from an external moderator, who controls this reverse shell, at regular intervals. This looks like normal traffic to an organization's network perimeter security device, such as a firewall, as port 80 is usually open. Once the attacker receives the request from the reverse HTTP shell, commands will be issued back that will be executed locally by the victim. All of this is seen as HTTP request/response by the network devices. Once the commands get executed, results will be sent out in the next web request. These HTTP reverse shells can also be programmed to bypass any static authentication required by perimeter devices, like a firewall.
ICMP tunnel: First the attacker configures the local client to connect with the victim client. The victim in turn encapsulates the TCP payload in an ICMP ECHO packet and forwards it to the proxy server. The proxy server in turn de-encapsulates the packet, extracts the TCP payload and sends it to the attacker. To the network devices, it seems like a simple ICMP packet.
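Both channels on this slide leave traces a defender can look for: the reverse HTTP shell polls its operator "at regular intervals", so its request timing is far more regular than human browsing, and an ICMP tunnel carries TCP payloads inside echo requests, so its echoes are larger and more frequent than an ordinary ping. The detector below is an added example, not from the slides. PROXY_LOG and ICMP_LOG are constructed samples in a simplified "timestamp src dst ..." form; the thresholds (four requests, coefficient of variation 0.2, 128-byte payload) are starting points chosen for this example, not standards.

```python
"""Spot the two covert channels the slide describes in defender-side logs.

Added example, not from the original slides.  Both log samples are
constructed.  PROXY_LOG mimics a web proxy log ("timestamp src dst method
path"); a reverse HTTP shell polls its operator at a fixed interval, so
the gaps between its requests are far more regular than human browsing.
ICMP_LOG mimics a capture summary ("timestamp src dst type payload_bytes");
an ICMP tunnel carries TCP payloads inside echo requests, so its echoes
are large compared with a normal ping (56 bytes of payload on Linux).
"""
from collections import defaultdict
from statistics import mean, pstdev

PROXY_LOG = """\
1700000000 10.1.1.5 203.0.113.7 GET /update.php
1700000060 10.1.1.5 203.0.113.7 GET /update.php
1700000120 10.1.1.5 203.0.113.7 GET /update.php
1700000180 10.1.1.5 203.0.113.7 POST /update.php
1700000240 10.1.1.5 203.0.113.7 GET /update.php
1700000005 10.1.1.9 198.51.100.3 GET /
1700000011 10.1.1.9 198.51.100.3 GET /news
1700000190 10.1.1.9 198.51.100.3 GET /article/42
1700000203 10.1.1.9 198.51.100.3 GET /images/a.png
1700001000 10.1.1.9 198.51.100.3 GET /about
"""

ICMP_LOG = """\
1700000000 10.1.1.5 203.0.113.9 echo-request 1024
1700000001 10.1.1.5 203.0.113.9 echo-request 1024
1700000002 10.1.1.5 203.0.113.9 echo-request 512
1700000003 10.1.1.5 203.0.113.9 echo-request 1024
1700000010 10.1.1.9 198.51.100.3 echo-request 56
1700000011 10.1.1.9 198.51.100.3 echo-request 56
"""


def parse_proxy(log: str) -> dict:
    """Group request timestamps by (src, dst) pair."""
    by_pair = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, _method, _path = line.split()
        by_pair[(src, dst)].append(int(ts))
    return by_pair


def beacon_candidates(log: str, min_requests: int = 4, max_cv: float = 0.2) -> list:
    """Return (src, dst, mean_gap, cv) for pairs whose request timing is
    suspiciously regular; cv is stdev/mean of the gaps between requests,
    so a perfectly periodic poller scores 0.0."""
    hits = []
    for (src, dst), stamps in parse_proxy(log).items():
        if len(stamps) < min_requests:
            continue                      # too few requests to judge timing
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue                      # burst at one instant: not a poller
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((src, dst, avg, round(cv, 3)))
    return hits


def icmp_tunnel_candidates(log: str, max_normal_payload: int = 128) -> list:
    """Return (src, dst, echo_count, max_payload) for pairs sending echo
    requests with more payload than an ordinary ping carries."""
    stats = {}
    for line in log.splitlines():
        _ts, src, dst, kind, size = line.split()
        if kind != "echo-request":
            continue
        count, biggest = stats.get((src, dst), (0, 0))
        stats[(src, dst)] = (count + 1, max(biggest, int(size)))
    return [(s, d, n, big) for (s, d), (n, big) in stats.items()
            if big > max_normal_payload]


if __name__ == "__main__":
    for hit in beacon_candidates(PROXY_LOG):
        print("possible HTTP beacon:", hit)
    for hit in icmp_tunnel_candidates(ICMP_LOG):
        print("possible ICMP tunnel:", hit)
```

Real beacons add jitter to defeat exactly this check, so in production the coefficient-of-variation threshold is loosened and combined with other signals (same URI every time, tiny responses, a destination no one else in the organisation talks to); the slide's own observation that the traffic "seems like normal traffic" to a firewall is why this analysis has to happen in the logs rather than at the perimeter.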

19 Penetration testing summary
• Different from vulnerability assessment
• Distinct phases
• Iterative process
• Tools
• Art and science

20 Penetration Testing Lab on GENI

