Presentation on theme: "The Business of Penetration Testing"— Presentation transcript:
1 The Business of Penetration Testing Jacolon Walker
2 Agenda
- Introduction about me
- Penetration testing methodology
- Pentesting frameworks
- Customizing your tool set
- Engagement prep
- Post engagement
- Wrapping it all up
3 The about me stuff
- 6 years in InfoSec
- My talk is not sponsored by my employers
- Write code, exploits, reverse malware for fun and sometimes profit
- Have certs
- Placed 2nd in SANS NetWars
- Disclaimer on ideology
- Sr. Information Security, Xerox
- Lead, Global DataGuard
4 Ethical Pentesting Methodology?
- No such thing if you want to be successful
- You need to think like a hacker
- Pentesting methodologies cover all the ground and help you win assessments
- Attention to detail and organizational skills
- Push the envelope, but do not cross the line
7 Penetration Methodology Cont.
Reconnaissance
- Gathering information passively: not actively scanning or exploiting anything. Passive means none of your traffic touches the target's own systems; every query goes to a third party.
- Harvesting information from search engines: Bing, Google, Yahoo, Yandex
- Wayback Machine (archive.org)
- Social media, etc.
- Forums, bulletin boards, newsgroups, articles, blogs, etc.
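The harvesting step above, as an added example rather than anything from the talk or from theHarvester itself: the script below pulls e-mail addresses and hostnames for a target domain out of text you have already scraped from search results, archived pages and forum posts. The sample pages and the target domain example.com are constructed for the example. The one thing worth getting right here is scoping, so look-alike domains such as notexample.com or example.com.evil.net are rejected rather than counted as targets.

```python
import re
from typing import Dict, List, Set

# Constructed sample text, as if scraped from search-engine results, an archived
# page and a forum post during passive recon. Not real data; example.com is the
# assumed target domain.
SAMPLE_PAGES = [
    "Contact: Jane.Doe@Example.com or jdoe@mail.example.com for the RFP.",
    "Archived 2013: our careers portal lives at careers.example.com; "
    "see also https://vpn.example.com/login and notexample.com.",
    "Forum post by bob@example.com: we migrated to sso.example.com last week. "
    "Unrelated: admin@example.community and test@example.com.evil.net",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
HOST_RE = re.compile(r"\b((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})\b")


def in_scope(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain of it.
    Rejects look-alikes such as notexample.com and example.com.evil.net."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def harvest(pages: List[str], domain: str) -> Dict[str, List[str]]:
    """Collect in-scope e-mail addresses and hostnames from scraped text."""
    domain = domain.lower()
    emails: Set[str] = set()
    hosts: Set[str] = set()
    for text in pages:
        for m in EMAIL_RE.finditer(text):
            if in_scope(m.group(1), domain):
                emails.add(m.group(0).lower())
                hosts.add(m.group(1).lower())  # the mail host is itself a target
        for m in HOST_RE.finditer(text):
            if in_scope(m.group(1), domain):
                hosts.add(m.group(1).lower())
    return {"emails": sorted(emails), "hosts": sorted(hosts)}


if __name__ == "__main__":
    for kind, items in harvest(SAMPLE_PAGES, "example.com").items():
        print(kind)
        for item in items:
            print("  ", item)
```

The hostnames it returns (vpn, sso, careers, mail) are exactly the kind of thing that feeds the next phase: each one becomes a scanning target once the scope is signed, and the addresses become the list for any social-engineering work.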
8 Penetration Methodology Cont.
Scanning & Enumeration
- Target discovery
- Enumerating
- Vulnerability mapping
Target discovery: usually called footprinting; identifying the target's network status, operating systems, devices and the rest of the relevant network architecture. Much of this information comes from the client in a grey/white box engagement. WHOIS lookups can give you a vast amount of information.
Enumerating: finding open ports and the services listening on them. Use tools such as nmap to find these services (nmap -sV adds service and version detection). This is how you identify services that might have vulnerabilities or be low-hanging fruit.
Vulnerability mapping: identify and analyze the vulnerabilities based on the disclosed ports, services and versions.
Unlike recon, everything in this phase is active: your packets reach the client's systems, so it starts only after the scope is signed and only against the addresses in it.
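The enumeration and vulnerability-mapping steps above, as an added example that is not part of the talk: nmap writes machine-readable output with -oX, and the script below parses that XML into one record per open port per live host, then pairs each service with the follow-up check it deserves. The scan output is constructed for the example (the addresses, hostnames and version strings are made up, and no vulnerability is claimed for any of them); the LOW_HANGING_FRUIT mapping is an illustration of the idea, not a catalogue.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed nmap -sV -oX output for a small range. Hosts, addresses and
# version strings are made up for the example; nothing here is a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/29">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.com" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.6"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="10.0.0.6" addrtype="ipv4"/></host>
  <host><status state="up"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="3.0.2"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Services worth a second look regardless of version. Illustrative mapping,
# not an exhaustive vulnerability catalogue.
LOW_HANGING_FRUIT = {
    "telnet": "cleartext login; try harvested or default credentials",
    "ftp": "cleartext login; check for anonymous access",
    "microsoft-ds": "SMB; enumerate shares, users and signing requirements",
    "http": "web application; hand off to the web assessment",
}


def parse_nmap_xml(xml_text: str) -> List[Dict[str, object]]:
    """Return one record per open port on each host nmap saw as up."""
    root = ET.fromstring(xml_text)
    records: List[Dict[str, object]] = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not respond carry no ports
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else ""
        name_el = host.find("hostnames/hostname")
        hostname = name_el.get("name") if name_el is not None else ""
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are noise for vuln mapping
            svc = port.find("service")
            svc_attr = svc.attrib if svc is not None else {}
            records.append({
                "host": addr,
                "hostname": hostname,
                "port": int(port.get("portid", "0")),
                "proto": port.get("protocol", ""),
                "service": svc_attr.get("name", ""),
                "product": svc_attr.get("product", ""),
                "version": svc_attr.get("version", ""),
            })
    return records


def map_candidates(records) -> List[Tuple[str, int, str, str]]:
    """Pair each open port with the low-hanging-fruit check that applies."""
    return [
        (r["host"], r["port"], r["service"], LOW_HANGING_FRUIT[r["service"]])
        for r in records
        if r["service"] in LOW_HANGING_FRUIT
    ]


def versions_to_research(records) -> List[str]:
    """'product version' strings to look up in vulnerability databases."""
    return sorted({f'{r["product"]} {r["version"]}'.strip()
                   for r in records if r["product"]})


if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_NMAP_XML)
    for r in recs:
        print(f'{r["host"]:<12}{r["port"]:>6}/{r["proto"]}  {r["service"]:<14}{r["product"]} {r["version"]}')
    print("\nLow-hanging fruit:")
    for host, port, service, note in map_candidates(recs):
        print(f"  {host}:{port} {service}: {note}")
    print("\nVersions to research:", ", ".join(versions_to_research(recs)))
```

Two details matter in practice: hosts nmap reports as down and ports it reports as closed or filtered are skipped, so the candidate list only contains things you can actually reach, and the version strings are handed back for research rather than matched against a hard-coded list, because a version banner alone tells you what to look up, not that the host is exploitable.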
9 DEMO
Maltego, Recon-ng, theHarvester, Nmap
Presenter notes: if the students have Kali, have them open it up and try to follow along with some of the demos. Ask if there are any questions up to this point, or whether anyone needs help understanding a tool or method. In recon-ng, 'show modules' lists the available modules.
10 OSINT ALL THE DATA
At this point you have gathered very useful data to help in your assessment. The information acquired so far can be used for a full red-team style assessment: social engineering, physical security, web application assessment, etc.
11 Penetration Methodology Cont.
Gaining Access
- Exploit the mapped vulnerabilities
- The important part is getting in: gain a user-level foothold, then escalate privileges
- Try multiple vectors; this is actually a fairly easy part: web application, wifi, social engineering
- Use your research
- The goal of the pentest is to point out the customer's security gaps and flaws. Illustrate it: if you can, show them their "honey", whatever they consider their most profitable hive, the assets that make them money.
12 Penetration Methodology Cont.
Maintaining Access
- Keeping account access
- Privilege escalation
- Pivoting to own it all
- "ET phone home": a callback from the compromised host to infrastructure you control
14 Broken? No luck?
The great Rolling Stones once said: "You can't always get what you want... But if you try sometimes, well, you might find... you get what you need."
If your tools are failing you, or your vulnerabilities are not matching up:
- Go back and reassess the situation. Try a new vector.
- Maybe a bit more recon?
- Comb through your results thoroughly.
- Do not always rely on tools. Sometimes the best tools are the ones you build yourself during an assessment.
15 Penetration Methodology Cont.
Covering Tracks
- Removing tools: backdoors, "ET phone home" callbacks
- Clearing logs: Windows Security, Application and System event logs; Linux /var/log/*
- Remove audit logs carefully!!!!!
These techniques are typically used for "anonymous pentesting" but can be applied in a real engagement, although most of the time you will not have to worry about it if the engagement is legitimate: whether you touch logs at all belongs in the rules of engagement, and the client's analysts usually want the evidence left in place. Removing every tool and backdoor you left behind is not optional, though. In some real attacks altering logs is better cover than deleting them: a log that vanishes or suddenly stops is itself an alert to the admin or analyst watching the SIEM, IDS and IPS.
16 Penetration Frameworks
- vulnerabilityassessment.co.uk
- pentest-standard.org (PTES)
- Open Source Security Testing Methodology Manual (OSSTMM)
- Information Systems Security Assessment Framework (ISSAF)
- Open Web Application Security Project (OWASP) Top Ten
- Web Application Security Consortium Threat Classification (WASC-TC)
Pros:
- Comprehensive lists of tools and configurations
- Specific tests for systems
- Loosely built off the CEH pentest methodology
- Pre-engagement visits
- Specific testing
- Threat modeling taken into consideration
- Both also deal with reporting
Cons:
- They include pre/post engagement, as if you have already won the bid for the assessment
- Basically there is no set standard for these activities; they change from assessment to assessment
17 Customizing your toolset
- Kali Linux, the successor to BackTrack
- Use your methodology to help build this: recon, scanning, exploitation, post-exploitation
- Become familiar with those tools
- Change it up to add more to your collection
Using the pentesting methodology outlined at the beginning of this presentation, or the one you create as you gain more assessments, you will build a great set of tools. Make sure you have tools for each step of the methodology in your virtual machine or pentesting system. KNOW those tools. Stressing this a lot: the better you know your tools, the better your reporting will be later. Another reason for knowing this is that a client or a competitor will say they use scanner X and another will say they use scanner Y. When you can say you use X, Y and Z, and explain what each one gives you, it gives you a broader scope and a better chance of winning the assessment.
18 My toolset
A few things in my tool set:
- Recon-ng / theHarvester
- Burp Suite
- Nmap / p0f / ncat
- Nessus / Core Impact / Acunetix / SAINT
- Arachni / Vega / Metasploit / Websecurify
- Python, Python, Python
- KeepNote / Lair / Etherpad / (Armitage, testing)
These tools have helped me on every assessment I have had up to this date. I have been through several tools, always trying something new or developing new ones. For me a tool has to meet extreme requirements: accurate data, modular, how much memory it takes to run, and can I contribute to this project? Those are always a couple of things I keep in mind, because if you like something you can always make it better if need be. Know what tools work for you and what results they will provide for you.
Presenter note: talk about the tools a bit. Don't forget to mention these are just some basic tools used to get small assessments done.
19 Toolset Demo
Demonstrating some of the tools I use
21 Pre-engagement Prep
You are selling a service, so.... sell something
- Tool customization
- Knowing what the offers and market rates are
- Is this assessment for you?
- Fixed pricing or hourly?
- What does the client want?
- Can you provide what they want?
Remember, in the end you are selling a service. Knowing your methodology and the tools you have customized or tailored to yourself is a start. Knowing what pentests, application assessments and code audits go for is a must to stay competitive. If you know your tools, this goes right back to the point of having X, Y and Z and charging the same rate as others. Is this assessment really what you know how to do? You do not want to accept something you cannot complete. Knowing what the client wants, while being able to explain to them what will really happen, is something they need to hear, even if they don't want to. This will help with defining scope.
22 Engagement Sold!!!
- Scope of work
- Understand what the client wants: black, grey or white box testing, or red teaming
- How long the assessment will take
- What to expect from the assessment
- Client contacts, from the project manager to the network admins, in case of emergencies
- Use the methodology you have created
- Remember to log everything
- Secure communication with the client
Figure out what the client is asking for. This will help you write up a scope of work defining what they want from the assessment, down to who is liable for what. Put the exact address ranges and domains in it, including what is excluded, since the client may not own everything that resolves to its name. Having this documented will come in handy later if you are accused of testing the wrong subnet, or if you forgot to test a subnet, etc. Log everything, from hours worked to every command you ran on the assessment. You can later replay attacks, trace your steps and provide greater value when reporting rolls around; not to mention it is a cover-your-butt policy. When communicating with a client about their network, concerns or findings, always use a secure messaging channel such as PGP-encrypted email: what you are sending is exactly the list an attacker would want.
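The "log everything" point above, as an added example that is not from the talk: a small append-only engagement log that records each command with a UTC timestamp, the operator and the target, and chains each entry to the previous one with a SHA-256 hash. The chain is the part worth having: if the log is ever your evidence in a "you tested the wrong subnet" dispute, you want to be able to show it has not been edited after the fact. The engagement name, operator and commands below are constructed for the example; the JSON-lines format is a choice made here, not anything the talk prescribes.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

GENESIS = "0" * 64  # 'prev' hash of the first entry


class EngagementLog:
    """Append-only, hash-chained record of what was run, when, against what."""

    def __init__(self, engagement_id: str, operator: str):
        self.engagement_id = engagement_id
        self.operator = operator
        self.entries: List[Dict[str, str]] = []
        self._prev = GENESIS

    @staticmethod
    def _digest(entry: Dict[str, str]) -> str:
        # Hash every field except the hash itself, in a canonical encoding.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, command: str, target: str, note: str = "",
               when: Optional[datetime] = None) -> Dict[str, str]:
        """Append one entry; 'when' is only overridable for reproducible tests."""
        entry = {
            "engagement": self.engagement_id,
            "operator": self.operator,
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "target": target,
            "command": command,
            "note": note,
            "prev": self._prev,
        }
        entry["hash"] = self._digest(entry)
        self._prev = entry["hash"]
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True if every entry's hash is intact and the chain is unbroken."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def replay(self, target: Optional[str] = None) -> List[str]:
        """Commands in execution order, optionally only those against one target."""
        return [e["command"] for e in self.entries
                if target is None or e["target"] == target]

    def to_jsonl(self) -> str:
        """One JSON object per line; append to a file after each record()."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def demo_log() -> EngagementLog:
    """Constructed session: three commands against an assumed scope."""
    log = EngagementLog("ACME-2014-Q1", "jwalker")
    log.record("nmap -sV -oX scan.xml 10.0.0.0/29", "10.0.0.0/29")
    log.record("nikto -h http://10.0.0.5", "10.0.0.5")
    log.record("ssh user@10.0.0.5", "10.0.0.5", note="harvested creds from recon")
    return log


if __name__ == "__main__":
    log = demo_log()
    print(log.to_jsonl())
    print("chain intact:", log.verify())
```

In use you would append the JSON line to a file as each command is run (or wrap your shell so it happens automatically), and keep the file with the rest of the engagement evidence.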
23 Post Engagement
- Report writing
- Did any issues occur? Could they have been prevented? Can they be fixed?
- Did you get what you wanted from the engagement? Profit?
- Any new tools or methodologies added?
- Possible new techniques?
- Was the customer satisfied?
No one likes report writing. I still, to this day, do not like it, and I have a couple due this week. But reports can make or break you. When the next quarter approaches and the client needs a pentest, they will recall your report writing skills.... Any major issues, such as services crashing? Exploits not working? Communication with the client not up to par? Can you fix those issues? Did you find that something worked better for you in this pentest, got you that gold nugget, or changed your methodology? Found any interesting 0-days or breaches? Maybe you can write a paper on it. Was the customer satisfied with your report writing and the communication during the assessment?
24 Report Writing
- It is the last thing the customer sees. Make it the best thing they see.
- Customers are paying for quality
- Different reports for different audiences: executive summary, detailed findings
- I could write a whole presentation about this, but I will not
Signs your report is bad: the customer or anyone else can run the same tools and get the same report. All you have changed is your logo and there is no customization.
Bad to decent: pretty graphs for executives, root cause analysis performed, tactical remediations included.
Good: vulnerability ranking, system ranking, remediation efforts. The more variables provided in the report, the longer it takes, but the outcome gets a better response.
Awesome reports: the report is analyzed and customized specifically to the client, using the client's inventory and critical assets.
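The vulnerability ranking and system ranking in the "Good" and "Awesome" tiers above, as an added example that is not from the talk: the findings and the client asset inventory below are constructed, and the weighting scheme (CVSS base score multiplied by an asset criticality from the client's inventory, with breadth as a tie-breaker) is one reasonable choice made for this example, not a standard. The point it shows is that the same scanner output ranks differently once the client's own view of what matters is folded in, which is what separates a customized report from a re-branded tool dump.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed findings for an assumed client. CVSS values are base scores
# chosen for the example; titles are generic finding types.
FINDINGS = [
    {"id": "F1", "title": "SQL injection in login form", "cvss": 9.8, "hosts": ["web01"]},
    {"id": "F2", "title": "Telnet management enabled", "cvss": 7.5, "hosts": ["sw01", "sw02", "printer03"]},
    {"id": "F3", "title": "Missing HTTP security headers", "cvss": 3.1, "hosts": ["web01", "web02"]},
    {"id": "F4", "title": "SMB signing not required", "cvss": 5.9, "hosts": ["fs01", "dc01"]},
]

# Asset criticality from the client's inventory: 1 = low, 3 = crown jewels.
# Hosts missing from the inventory default to 1, so an unknown asset is
# never silently promoted.
CRITICALITY = {"dc01": 3, "fs01": 2, "web01": 3, "web02": 1,
               "sw01": 2, "sw02": 2, "printer03": 1}


def severity_band(cvss: float) -> str:
    """CVSS v3 qualitative bands."""
    if cvss == 0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def rank_vulnerabilities(findings: List[Dict], criticality: Dict[str, int]) -> List[Dict]:
    """Order findings by CVSS weighted by the most critical host they touch,
    then by how many hosts they affect."""
    ranked = []
    for f in findings:
        worst_asset = max(criticality.get(h, 1) for h in f["hosts"])
        ranked.append({
            **f,
            "band": severity_band(f["cvss"]),
            "max_criticality": worst_asset,
            "exposure": round(f["cvss"] * worst_asset, 1),
        })
    return sorted(ranked,
                  key=lambda r: (r["exposure"], len(r["hosts"]), r["cvss"]),
                  reverse=True)


def rank_systems(findings: List[Dict], criticality: Dict[str, int]) -> List[Dict]:
    """Order hosts by accumulated weighted risk, then by their single worst finding."""
    risk: Dict[str, float] = defaultdict(float)
    worst: Dict[str, float] = {}
    for f in findings:
        for h in f["hosts"]:
            risk[h] += f["cvss"] * criticality.get(h, 1)
            worst[h] = max(worst.get(h, 0.0), f["cvss"])
    rows = [{"host": h, "risk": round(risk[h], 1), "worst_cvss": worst[h],
             "criticality": criticality.get(h, 1)} for h in risk]
    return sorted(rows, key=lambda r: (r["risk"], r["worst_cvss"]), reverse=True)


if __name__ == "__main__":
    print("Vulnerabilities:")
    for r in rank_vulnerabilities(FINDINGS, CRITICALITY):
        print(f'  {r["id"]} {r["band"]:<9} exposure={r["exposure"]:>5} '
              f'hosts={len(r["hosts"])}  {r["title"]}')
    print("Systems:")
    for r in rank_systems(FINDINGS, CRITICALITY):
        print(f'  {r["host"]:<10} risk={r["risk"]:>5} worst={r["worst_cvss"]} '
              f'criticality={r["criticality"]}')
```

Note how F4 (SMB signing, a Medium by CVSS) outranks F2 (Telnet on three devices, a High) once the domain controller's criticality is applied; that is the kind of reordering an executive summary needs to explain, and it is only possible if you collected the inventory during the engagement.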
25 Wrapping it all up
- Pentesting has numerous components
- It's not always about hacking; it's about research and business
- Make sure you are niche at what you do. Know your target and your field
- Always improve your methods while helping your client improve their infrastructure
- "Don't learn to hack, hack to learn"
Summary of the talk: use open source intelligence to gather your information, and use it thoroughly before attacking. Becoming niche is what makes things better. If you are niche in a certain field, say healthcare, stick to healthcare and know it. Then you can bridge the gap between that field and security. Methodologies are always changing, but you need to create your own.