2011 NSAA IT Pre-Conference Workshop: Penetration Testing For Maximum Benefit (PTES Methodology)
Exercise Scenario – Thief • You are a diamond thief. You currently work independently at night. • List 10 ways to choose the best diamond store to rob. • List 10 security mechanisms which you may have to avoid. • List 10 things you will have to do to avoid detection during the job. • List 10 ways to increase the amount of money you make from each job.
Lessons Learned • Mindset/Thinking • “To catch a thief you have to think like a thief.” • Methodology • Must be comprehensive • Repeatable and consistent results • Measurable • Quantitatively as well as Qualitatively • Strategies • Testing techniques • Tools • Roadblocks
Classic Attack Methodology • Information Gathering • Probe • Attack • Locating Exploits • Getting Exploits • Modification of Exploits • Building Exploits • Testing Exploits • Running Exploits • Advancement • Entrenchment • Infiltration/Extraction
“Script Kiddies” Methodology • Exploit Selection • Target Selection • Attack
Professional Methodologies • Open Source Security Testing Methodology Manual (OSSTMM) • NIST SP 800-42 – Guideline on Network Security Testing • NSA INFOSec Evaluation Methodology (IEM) / INFOSec Red Team Methodology (IRM) • Internet Systems Security Assessment Framework (ISSAF) • Penetration Testing Execution Standard (PTES)
PTES Methodology • http://www.pentest-standard.org • New standard designed to provide both businesses and security service providers with a common language and scope for performing penetration testing. • PTES will not cover all scenarios. • PTES will define a baseline for the minimum that is required from a basic pentest. • Additional "levels" of comprehensive activities required for organizations with higher security needs will be defined.
PTES Breakdown • Following are the main sections defined by the standard as the basis for penetration testing execution: • Pre-engagement Interactions • Intelligence Gathering • Threat Modeling • Vulnerability Analysis • Exploitation • Post Exploitation • Reporting • Penetration Testing Execution Standard Technical Guidelines
Technical Testing Skills • Technical Skills and Knowledge • Networking Technology (routing, firewall, switch) • Operating Systems (Windows, Unix, Linux) • Application Technology (database, web, DNS, SMTP) • Security Technology • Programming skills • Scripting Language (Bash, Perl, JavaScript) • Programming Language (C, C++, Java, SQL) • Technical writing
Analytical Skills • Analytical Skills and Knowledge • Analyzing testing tool output • Best practices • Legal and Privacy issues • Business Processes • Business Risks • Business Culture • Technical writing • Notice BUSINESS!
PTES Pre-Engagement • Scoping • How to Scope • Metrics for Time Estimation • Scoping Meeting • Additional Support Based on Hourly Rate • Questionnaires • General Questions • Scope Creep • Specify IP Ranges and Domains • Dealing with Third Parties • Define Acceptable Social Engineering Pretexts • DoS Testing • Payment Terms • Goals • Establish Lines of Communication • Emergency Contact Information • Rules of Engagement • Capabilities and Technology in Place
PTES Intelligence Gathering • Intelligence gathering is essentially using the Internet to find all the information you can about the target (company and/or person) using both technical (e.g., DNS/WHOIS) and non-technical (e.g., search engines, news groups, mailing lists, etc.) methods. • This is the initial stage of any security test, and one that many people tend to overlook. • Anything you can get hold of during this stage of testing is useful: company brochures, business cards, leaflets, newspaper adverts, internal paperwork, Internet newsgroup postings, etc.
PTES Intelligence Gathering • Expected Results: • Employees (name and number of employees, roles, positions and contact details) • Technology partners (technologies used, locations, computing platforms) • Business partners (involvement, location, their trust relationship, and so on) • Business/financial history, investments, and investor details • Web presence (name and number of domains, where they are hosted, etc.) • Physical locations (offices, data centers, partners, warehouses)
PTES Intelligence Gathering • Expected Results: • Network topology and architecture • Technologies being implemented on the network • E-mails, phone numbers, or any other personal information • Company location, product names, and names of senior managers in the company • IP blocks owned • Administration and maintenance contacts for the target domain and IP block
PTES Intelligence Gathering • There are a few invaluable sources of information for intelligence gathering: • Regional Internet Registries (RIR) • Domain Name Registration • Electronic Data Gathering, Analysis and Retrieval (EDGAR) database from the SEC • News websites (CNN, MSNBC, etc.) • Financial websites (Yahoo Finance, Morningstar, etc.) • Search Engines (Google, Altavista, Dogpile, etc.) • Disgruntled Employee sites
PTES Intelligence Gathering • The Internet Corporation for Assigned Names and Numbers (ICANN) has overall control of IP addresses and domain names • Domain names are registered through private companies • IP address distribution is assigned to Regional Internet Registries
PTES Intelligence Gathering • Internet Name Service – WHOIS • Five Regional Internet Registries (RIR). • ICANN - http://www.icann.org • IANA - http://www.iana.com • NRO - http://www.nro.net • AFRINIC - http://www.afrinic.net • APNIC - http://www.apnic.net • ARIN - http://ws.arin.net • LACNIC - http://www.lacnic.net • RIPE - http://www.ripe.net
PTES Intelligence Gathering • whois - Command line
• by registrar: whois "microsoft."@whois.crsnic.net
• by name: whois "name microsoft"@whois.networksolutions.com
• by domain: whois microsoft.com@whois.networksolutions.com
• by network: whois "microsoft."@whois.arin.net
• by handle: whois "HANDLE MH37-ORG."@whois.networksolutions.com
PTES Intelligence Gathering http://www.sec.gov/edgar.shtml
PTES Intelligence Gathering Finding Companies Owned by Target
PTES Intelligence Gathering • DNS • The DNS database provides the mapping between IP addresses and hostnames. • Zone transfer is used to synchronize primary and secondary name servers. • Zone transfer should be allowed to the authorized (secondary) servers only. • External name servers should not allow leakage of internal information.
PTES Intelligence Gathering • Prerequisite: an incorrectly configured Domain Name Server
• Zone transfer with nslookup (interactive session):
  nslookup
  > server <ipaddress>
  > set type=any
  > ls -d <target.com> >> zoneinfo.txt
• Zone transfer with host • Command:
  # host -l -v -t any <target.com>
• dig • sends domain name query packets to name servers:
  dig @server domain query-type query-class
  dig domain
• dig works in the above simple mode as well as in interactive mode
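The slides above state the defensive rule (transfers only to authorized secondaries, no internal information on external servers) and the commands that reveal whether it holds. As an added example that is not part of the workshop material, the following Python script parses the output of a full zone transfer (the dig AXFR format, fed here from a constructed sample for the hypothetical domain example.test) and reports what an administrator checking their own servers would want to know: whether the transfer was allowed at all, and which records point at RFC 1918, loopback or link-local addresses that an external server should never expose. All records, hostnames and addresses in the sample are invented.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample of what "dig @ns1.example.test example.test AXFR" would print
# for a misconfigured server; every record here is made up for this example.
SAMPLE_AXFR_ALLOWED = """\
; <<>> DiG 9.16.1 <<>> @ns1.example.test example.test AXFR
;; global options: +cmd
example.test.          3600 IN SOA   ns1.example.test. hostmaster.example.test. 2011010101 7200 3600 1209600 3600
example.test.          3600 IN NS    ns1.example.test.
example.test.          3600 IN MX    10 mail.example.test.
www.example.test.      3600 IN A     203.0.113.10
mail.example.test.     3600 IN A     203.0.113.25
intranet.example.test. 3600 IN A     10.1.2.3
db01.example.test.     3600 IN A     192.168.50.7
vpn.example.test.      3600 IN A     198.51.100.9
backup.example.test.   3600 IN CNAME db01.example.test.
example.test.          3600 IN SOA   ns1.example.test. hostmaster.example.test. 2011010101 7200 3600 1209600 3600
;; Query time: 12 msec
"""

# Constructed sample of the output for a correctly configured server.
SAMPLE_AXFR_REFUSED = """\
; <<>> DiG 9.16.1 <<>> @ns1.example.test example.test AXFR
;; global options: +cmd
; Transfer failed.
"""

Record = namedtuple("Record", "name ttl rtype rdata")
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

# Address ranges that must never appear in an externally visible zone.
# Listed explicitly rather than via ipaddress.is_private, because that property
# also covers documentation ranges such as 203.0.113.0/24.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                  # IPv6 equivalents
)]


def parse_axfr(text):
    """Turn dig-style transfer output into Record tuples, skipping comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        match = LINE_RE.match(line)
        if match:
            name, ttl, rtype, rdata = match.groups()
            records.append(Record(name.rstrip("."), int(ttl), rtype, rdata.strip()))
    return records


def transfer_succeeded(records):
    """A complete AXFR begins and ends with the SOA record."""
    return len(records) >= 2 and records[0].rtype == "SOA" and records[-1].rtype == "SOA"


def leaked_internal_hosts(records):
    """Return (hostname, address) pairs whose address lies in an internal range."""
    leaks = []
    for rec in records:
        if rec.rtype not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(rec.rdata)
        except ValueError:
            continue  # malformed rdata, not an address
        if any(addr in net for net in INTERNAL_NETWORKS):
            leaks.append((rec.name, rec.rdata))
    return leaks


def exposure_report(text):
    """Summarise what a zone transfer attempt against one server revealed."""
    records = parse_axfr(text)
    return {
        "transfer_allowed": transfer_succeeded(records),
        "record_count": len(records),
        "hostnames": sorted({r.name for r in records}),
        "internal_leaks": leaked_internal_hosts(records),
    }


if __name__ == "__main__":
    for label, sample in (("misconfigured", SAMPLE_AXFR_ALLOWED), ("hardened", SAMPLE_AXFR_REFUSED)):
        print(label, exposure_report(sample))
```

On a real server the text fed to exposure_report would be the captured output of the dig or host command shown on the slide, run against each of the organization's own public name servers; a hardened server yields transfer_allowed False and an empty leak list.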
PTES Intelligence Gathering • Search Engines • Generally one will get the best results using various keyword combinations such as: • Target name • Location • Industry • Product type • Product lines/names • Contact names • The best choices in most situations are http://www.google.com, http://www.dogpile.com/, www.alltheweb.com and http://www.infoseek.com. • Engines such as http://www.kartoo.com also provide a good visual link between organizations and individuals.
PTES Intelligence Gathering • Google Tips • Simple word searches: little red riding hood • "+" searches: +where stanley hotel • Phrase searching: "colorado law" • Mixed searches: "colorado law" hack hacking • http://johnny.ihackstuff.com/ • Great references • Googledorks!
PTES Intelligence Gathering • Google Advanced
PTES Intelligence Gathering • http://www.ozzu.com/ftopic340.html
PTES Intelligence Gathering • Google Tools • SiteDigger • Searches Google's cache to look for vulnerabilities, errors, configuration issues, proprietary information, and interesting security information on web sites • Wikto • Gooscan
PTES Intelligence Gathering • Job Databases • Just like regular search engines, job search sites can reveal a plethora of information on the technology and services running on the target's internal network. A tester should carefully review the job postings published by the target on their own website or on other popular job search sites. • Process • Check for resumes available on the target website • Check various job databases • Search using search engines • Check for job postings on the target website • Check for job postings on job sites • Gather all e-mail addresses, phone numbers, and contact details • Focus on resumes/ads where technology experience is required • Try to correlate technologies with the target's product information gained from the aforementioned steps • Gain more information on their business structure from such postings • Confirm their B2B / B2E / B2C relationships gained from the aforementioned steps.
PTES Intelligence Gathering • Job Openings • Monster • http://www.monster.com • CareerBuilder • http://www.careerbuilder.com • Computerjobs.com • http://www.computerjobs.com • Craigslist • http://www.craigslist.org/about/sites
PTES Intelligence Gathering • Traceroute.org
PTES Intelligence Gathering • Search for the domain name preceded by the @ symbol (@target.com) to scour e-mail addresses within the target organization and to build a database from them • Add all e-mail addresses gathered from initial conversations with the customer to the database • Search for the target organization's (complete) e-mail addresses gathered from the previous two steps on Web search engines and in groups in order to profile each employee
PTES Intelligence Gathering • Search for employee names if they are part of the e-mail addresses on Web search engines and in groups • Attempt to bypass authentication using search engines • Review target Website using search engines’ cache in order to evade the target’s logs. • Check partners (to find out technologies used)
PTES Intelligence Gathering • Check pages other than the main pages (sub domains/folders) • services.target.com • support.target.com • target.com/support • target.com/sales • Collect: • Names, phone numbers, e-mail addresses • Recent activities/happenings • Technologies used • Gaining personal information on a specific employee from the target's website can be beneficial for conducting social engineering. • Search for e-mails from their domain posted in the mail groups that reveal information regarding the internal network architecture.
PTES Intelligence Gathering • Browse through news-search services to get more information on their business structure. • Probe into their B2B / B2E / B2C – which might be helpful insight into the trust relationship of their network. • Scan through all the e-mail-signatures to gain all possible e-mail and phone number information. This could be used in later stages for war-dialing or social engineering.
PTES Intelligence Gathering • Familiarize oneself with company specific information such as: an organizational map with details of senior managers, company’s product names, and details. • Finally, put all information together into the organizational map started in the previous step
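The slides from the @target.com search through the organizational map describe one procedure: gather every address bearing the organization's domain from public sources, separate people from role mailboxes, work out the address convention, and feed the result into an organizational map. As an added example that is not part of the workshop material, the following Python script runs that procedure over constructed snippets (a contact page, a mailing-list post and a job advert for the hypothetical domain example.test, with invented names) and returns the map as data. Run over an organization's own public pages and archives, it shows how much of its directory is already exposed, which is the defensive use of the same step.

```python
import re
from collections import defaultdict

TARGET_DOMAIN = "example.test"   # hypothetical organization being profiled

# Constructed stand-ins for search-engine hits, a list archive and a job posting.
# Every name and address below is invented for this example.
SOURCES = {
    "corporate site /contact": "Press: jane.doe@example.test, Sales: sales@example.test",
    "mailing list archive": "From: Bob Smith <bob.smith@example.test>\n"
                            "Subject: Re: outage on the internal resolver",
    "job posting": "Apply to hr@example.test. Questions? carol.jones@example.test. "
                   "Partner contact: careers@other.example",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Common role mailboxes; these identify functions, not employees.
ROLE_LOCAL_PARTS = {"sales", "hr", "info", "support", "admin", "postmaster",
                    "careers", "press", "webmaster", "abuse", "security"}


def extract_addresses(text, domain):
    """Return the set of addresses in text whose domain is exactly `domain`."""
    found = set()
    for addr in EMAIL_RE.findall(text):
        local, _, dom = addr.rpartition("@")
        if dom.lower() == domain.lower():
            found.add(f"{local.lower()}@{dom.lower()}")
    return found


def build_directory(sources, domain):
    """Map each address to the sorted list of sources it was seen in."""
    seen = defaultdict(set)
    for source, text in sources.items():
        for addr in extract_addresses(text, domain):
            seen[addr].add(source)
    return {addr: sorted(srcs) for addr, srcs in seen.items()}


def infer_naming_convention(addresses):
    """Guess how personal addresses are formed from the majority pattern."""
    patterns = {"first.last": re.compile(r"^[a-z]+\.[a-z]+$"),
                "first_last": re.compile(r"^[a-z]+_[a-z]+$")}
    counts = defaultdict(int)
    for addr in addresses:
        local = addr.split("@")[0]
        for name, pat in patterns.items():
            if pat.match(local):
                counts[name] += 1
    return max(counts, key=counts.get) if counts else "unknown"


def organizational_map(sources, domain):
    """Separate people from role accounts and summarise the exposure."""
    directory = build_directory(sources, domain)
    people, roles = {}, []
    for addr in sorted(directory):
        local = addr.split("@")[0]
        if local in ROLE_LOCAL_PARTS:
            roles.append(addr)
        else:
            # Derive a display name from a first.last style local part.
            people[addr] = " ".join(p.capitalize() for p in re.split(r"[._]", local))
    return {
        "people": people,
        "role_accounts": roles,
        "naming_convention": infer_naming_convention(people),
        "sources": directory,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(organizational_map(SOURCES, TARGET_DOMAIN), indent=2))
```

Addresses on other domains (the partner contact in the job posting) are dropped rather than recorded, which keeps the map within the agreed scope from the pre-engagement phase.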