36 cards in this set

Penetration Testing Defined
A legal and authorized attempt to discover and exploit computer systems, with the goal of making those systems more secure and better protected.
domains (weighting)
1. Planning and scoping: 15%
2. Information gathering and vulnerability identification: 22%
3. Attacks and exploits: 30%
4. Penetration testing tools: 17%
5. Reporting and communication: 16%
Scoping: you must understand the type of organization and the business model it employs; to do this you must know which target assets are the most valuable to the company.
• Does the sector store and process PII, PHI, and/or financial data?
• Is the organization using supervisory control and data acquisition (SCADA) systems and/or programmable logic controllers (PLCs)?
• Are there any government or military contracts?
• Is the company air-gapped from public networks?
• Is there a security culture in the business environment?
types of constraints
1. cost
2. time
3. bandwidth
4. technology
5. legal
6. regulatory
7. jurisdiction
8. service providers
engagement support resources
1. SOAP project file
2. WSDL/WADL
3. SDK documentation
4. Swagger document
5. XSD
6. Sample application requests
7. Architectural diagrams
what do these stand for?
* SOW
* MSA/SLA
* NDA
1. Statement of Work
2. Master Service Agreement / Service Level Agreement
3. Non-disclosure agreement (confidentiality agreement)
MSA components
1. Confidentiality
2. Delivery Requirements
3. Dispute Resolution
4. Geographic Locations
5. Intellectual property rights
6. Limitation of liability
7. Payment terms
8. Venue of law
9. Warranties
10. Work standards
requirements for rules of engagement
1. Permission to test and other documents
2. Success criteria
3. Timelines and testing times
4. Locations
5. Disclosure
6. Evidence handling
7. Status meetings
8. Legal considerations
special scoping factors
1. Pre-merger or acquisition
2. Supply chain issues
3. Shunning issues (defensive devices blocking the tester's traffic)
4. Dealing with MSSPs
what does ROM stand for?
Rough Order of Magnitude (a cost/effort estimate used in scoping)
scoping assets
1. wireless network
2. network penetration
3. web applications
4. social networking
penetration testing phases
1. Information gathering
2. Enumeration
3. Gaining access
4. Privilege escalation
5. Maintaining access
6. Covering tracks
threat actors
Non-hostile
1. Reckless employee
2. Irresponsible contractor or guest
3. Poorly trained employee
4. Information partner
5. Social media leakage

Hostile
1. script kiddie
2. hacktivist
3. anarchist
4. disgruntled insider
5. competitor
6. corrupt official
7. data miner
8. cyber miner
9. espionage agent
10. irrational individual
11. legal adversary
12. organized criminal
13. terrorist
14. thief
15. vandal
16. vendor
compliance-based assessment targets
1. PCI DSS
2. FISMA
3. MARS-E
4. HIPAA
5. Sarbanes-Oxley (SOX)
6. ISO
types of risk treatment
1. avoid the risk (terminate activity)
2. transfer (share) the risk
3. mitigate the risk (modification)
4. accept the risk (retention)
industry-accepted penetration testing approaches
1. NIST SP 800-115
2. OSSTMM
3. OWASP (Testing Guide)
well known scanning tools
• Nessus Professional
• ImmuniWeb
• Netsparker
• Nexpose
• Retina
• Core Impact
• Comodo HackerProof
• OpenVAS
• Nikto
• Tripwire IP360
• Wireshark
• Aircrack
• Retina CS Community
• Microsoft Baseline Security Analyzer (MBSA)
things to enumerate
• Usernames and group names
• Hosts and hostnames
• Networks and domains
• Network shares and services
• Web pages
• Service ports
• IP tables and routing tables
• Authentication tokens
• Cookies
• Service settings and audit configurations
• Applications and banners
• SNMP information (strings)
• DNS details
• Social networking data
categories of popular types of enumeration
• NetBios
• SNMP
• LDAP
• NTP
• SMTP
• DNS
• Windows
• UNIX/Linux
NetBIOS Enumeration
• On Windows the NetBIOS name service runs on UDP 137, the datagram service on UDP 138 and the session service on TCP 139
• Common attacks include
o Read from or write to a machine, depending on the availability of shares
o Launch a denial of service (DoS) attack on the remote machine
o Enumerate password policies on the remote machine
• Common enumeration tools are nbtstat, SuperScan, Hyena, Winfingerprint and NetBIOS Enumerator
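The NetBIOS name-table lookup that nbtstat -A performs, as an added example (not code from the original notes): it assembles the node-status (NBSTAT) request for UDP/137, parses the reply into the name table with the suffix of each entry, and reports the MAC address. The reply it parses in the demo is constructed here, as are the host name WIN10-LAB, the domain CORP and the MAC address; only query_host() touches the network, and only when you call it against a host you are authorized to test.

```python
"""NetBIOS node-status (NBSTAT) enumeration, the query nbtstat -A sends.

Added example, not from the original notes. Wire format per RFC 1001/1002.
The reply used in the demo is CONSTRUCTED so the code runs offline; only
query_host() touches the network, and only if you call it.
"""
import socket
import struct

NB_PORT = 137
NBSTAT = 0x0021              # NetBIOS node status RR type
# Well-known 16th-byte suffixes seen in node-status replies
SUFFIX = {0x00: "Workstation/Domain", 0x03: "Messenger", 0x1B: "Domain Master Browser",
          0x1C: "Domain Controllers", 0x1D: "Master Browser", 0x1E: "Browser Election",
          0x20: "File Server"}


def encode_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: 15-char name (space padded) + suffix byte, then each
    byte split into two nibbles, each added to 'A'. The wildcard '*' is NUL padded."""
    if name == "*":
        raw = b"*" + bytes(15)
    else:
        raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    return bytes([len(enc)]) + enc + b"\x00"   # one 32-byte label, then root


def build_node_status_request(txid: int) -> bytes:
    header = struct.pack("!6H", txid, 0x0000, 1, 0, 0, 0)   # flags 0: standard query
    return header + encode_name("*") + struct.pack("!HH", NBSTAT, 0x0001)


def build_node_status_response(txid: int, entries, mac: bytes) -> bytes:
    """CONSTRUCTED reply in the real wire layout, used for the offline demo."""
    rdata = bytes([len(entries)])
    for name, suffix, flags in entries:           # 18-byte NODE_NAME entries
        rdata += name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix]) + struct.pack("!H", flags)
    rdata += mac + bytes(40)                      # STATISTICS block starts with the unit ID (MAC)
    header = struct.pack("!6H", txid, 0x8400, 0, 1, 0, 0)    # response + authoritative
    rr = encode_name("*") + struct.pack("!HHIH", NBSTAT, 0x0001, 0, len(rdata))
    return header + rr + rdata


def parse_node_status(pkt: bytes, txid: int):
    """Return ([(name, suffix, 'GROUP'|'UNIQUE', active), ...], mac_string)."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if rid != txid or not flags & 0x8000 or an < 1:
        raise ValueError("not a node-status response for our transaction")
    off = 12
    off += pkt[off] + 2                           # skip the echoed encoded name + root label
    rtype, _rclass, _ttl, _rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected RR type 0x%04x" % rtype)
    count = pkt[off]
    off += 1
    names = []
    for _ in range(count):
        entry = pkt[off:off + 18]
        off += 18
        name = entry[:15].rstrip(b" \x00").decode("ascii", "replace")
        suffix = entry[15]
        nflags = struct.unpack("!H", entry[16:18])[0]   # bit 15 = group, bit 10 = active
        names.append((name, suffix, "GROUP" if nflags & 0x8000 else "UNIQUE", bool(nflags & 0x0400)))
    mac = ":".join("%02x" % b for b in pkt[off:off + 6])
    return names, mac


def query_host(ip: str, timeout: float = 2.0):
    """Live query over UDP/137. Not used by the offline demo."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(txid), (ip, NB_PORT))
        data, _ = s.recvfrom(1024)
    return parse_node_status(data, txid)


def demo():
    """Offline round trip against a constructed reply from a fictional host."""
    txid = 0xBEEF
    reply = build_node_status_response(txid, [
        ("WIN10-LAB", 0x00, 0x0400), ("WIN10-LAB", 0x20, 0x0400),
        ("CORP", 0x00, 0x8400), ("CORP", 0x1C, 0x8400)], bytes.fromhex("0242ac110002"))
    names, mac = parse_node_status(reply, txid)
    for name, suffix, kind, active in names:
        print(f"{name:<15} <{suffix:02X}> {kind:<6} {'ACTIVE' if active else '':<6} {SUFFIX.get(suffix, '?')}")
    print("MAC:", mac)
    return names, mac


if __name__ == "__main__":
    demo()
```

The <1C> group entry is what tells you the host is a domain controller for CORP, and <20> that it serves files; the reply also leaks the MAC address, which is why unauthenticated UDP/137 should not be reachable from untrusted networks.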
SNMP Enumeration
• Default SNMP community strings (e.g. "public"/"private") let attackers view or modify device settings through the SNMP agent on UDP port 161
• Attackers can enumerate SNMP on remote network devices for
o Information about network resources such as devices, shares, etc.
o ARP and routing tables
o Device-specific information
o Traffic statistics and more
• Common tools include OpUtils, SolarWinds, SNScan, SNMP Scanner and NS Auditor.
lightweight directory access protocol (ldap) enumeration
* LDAP supports anonymous remote queries (anonymous bind), which can expose sensitive information (usernames, addresses, contact details, department details, etc.)
* LDAP runs by default on TCP and UDP port 389, or on TCP port 636 for LDAPS
* LDAP enumeration tools include Softerra LDAP Administrator, JXplorer, LDAP Admin Tool and LDAP Administrator
network time protocol (ntp) enumeration
* NTP typically runs on UDP port 123
* attackers commonly list the hosts connected to the NTP server (e.g. with the monlist query) and further enumerate internal client IP addresses, hostnames and operating systems
* ntptrace - discovers where the NTP server gets its time from and traces the chain of NTP servers back to the source
* ntpdc - queries the NTP daemon about its current state and requests changes to that state
* ntpq - monitors the NTP daemon (ntpd) and reports performance metrics
simple mail transfer protocol (smtp) enumeration
* SMTP (TCP 25) has three built-in commands that can be abused
- VRFY - validates whether a user exists on the SMTP server
- EXPN - shows the delivery addresses of aliases and mailing lists
- RCPT TO - defines the recipients of a message
* SMTP enumeration and fingerprinting is possible based on the different responses to these commands
* attackers can determine the valid users on the SMTP server with the same technique
* two common tools are NetScanTools Pro and smtp-user-enum
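The VRFY / RCPT TO technique above in working code, as an added example that is not from the original notes or from smtp-user-enum: enumerate_users() tries VRFY first and, when the server answers 252 or refuses the command, falls back to MAIL FROM plus RCPT TO, which many MTAs still answer honestly. So that it runs offline, the block starts a constructed in-process SMTP responder on 127.0.0.1; its hostname mail.example.test, its mailbox list and the candidate usernames are all invented. Against a real server you are authorized to test, call enumerate_users() with that host and port instead.

```python
"""SMTP user enumeration via VRFY with fallback to RCPT TO.

Added example, not from the original notes. The SMTP server below is a
CONSTRUCTED stand-in so the enumeration runs offline; its user list and
hostname are invented. enumerate_users() works the same against a real
host:port you are authorized to test.
"""
import smtplib
import socketserver
import threading

VALID_USERS = {"root", "alice", "postmaster"}   # constructed mailbox list


class _FakeSMTP(socketserver.StreamRequestHandler):
    """Minimal SMTP responder. VRFY is honest or disabled (252) per server flag;
    EXPN is refused; RCPT TO always leaks validity, as many real MTAs do."""

    def reply(self, line: str) -> None:
        self.wfile.write((line + "\r\n").encode())

    def handle(self) -> None:
        self.reply("220 mail.example.test ESMTP (constructed test server)")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                self.reply("250 mail.example.test")
            elif verb == "VRFY":
                if not self.server.vrfy_enabled:
                    self.reply("252 2.5.2 Cannot VRFY user; try RCPT")
                elif arg.lower() in VALID_USERS:
                    self.reply(f"250 2.1.5 <{arg.lower()}@example.test>")
                else:
                    self.reply("550 5.1.1 User unknown")
            elif verb == "EXPN":
                self.reply("502 5.5.1 EXPN not implemented")
            elif verb == "MAIL":
                self.reply("250 2.1.0 OK")
            elif verb == "RCPT":
                local = arg.split(":", 1)[-1].strip("<> ").split("@")[0].lower()
                self.reply("250 2.1.5 OK" if local in VALID_USERS else "550 5.1.1 User unknown")
            elif verb in ("RSET", "NOOP"):
                self.reply("250 2.0.0 OK")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("500 5.5.1 Command unrecognized")


def start_fake_smtp(vrfy_enabled: bool) -> socketserver.ThreadingTCPServer:
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeSMTP)
    srv.daemon_threads = True
    srv.vrfy_enabled = vrfy_enabled
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def enumerate_users(host: str, port: int, candidates, domain="example.test", timeout=5.0):
    """Return {username: method} for every candidate the server confirms."""
    found = {}
    with smtplib.SMTP(host, port, local_hostname="probe", timeout=timeout) as s:
        s.ehlo()
        in_transaction = False
        for user in candidates:
            code, _ = s.verify(user)
            if code in (250, 251):
                found[user] = "VRFY"
                continue
            if code in (550, 551, 553):
                continue                       # VRFY answered and said unknown
            # 252 / 500 / 502: VRFY gives nothing away, probe the recipient instead
            if not in_transaction:
                s.mail(f"probe@{domain}")     # one MAIL FROM, then many RCPT TO
                in_transaction = True
            code, _ = s.rcpt(f"{user}@{domain}")
            if code in (250, 251):
                found[user] = "RCPT TO"
        if in_transaction:
            s.rset()                           # abandon the fake message, send nothing
    return found


def demo(vrfy_enabled: bool) -> dict:
    srv = start_fake_smtp(vrfy_enabled)
    try:
        port = srv.server_address[1]
        return enumerate_users("127.0.0.1", port, ["alice", "bob", "root", "admin"])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("VRFY enabled :", demo(True))
    print("VRFY disabled:", demo(False))
```

The second run is the realistic one: disabling VRFY and EXPN is a common hardening step, but as long as RCPT TO distinguishes 250 from 550 before DATA, the mailbox list still leaks, which is why the fix on the server side is to accept all recipients at RCPT time (or rate-limit and log the probing) rather than just turning off VRFY.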
domain name system (dns) enumeration
* DNS works over both UDP and TCP on well-known port 53
* it uses UDP for resolving queries and TCP for zone transfers
* DNS enumeration often sends a zone transfer request (AXFR) to the domain's primary/authoritative server, posing as a secondary server, to pull the full set of domain records in the response
* common DNS enumeration tools are nslookup, DNSdumpster and dnsrecon
windows enumeration
* the Windows OS can be enumerated with many tools, including the Sysinternals suite at
https://technet.microsoft.com/en-in/sysinternals/bb545021.aspx
key Windows Sysinternals utilities
* PsExec - executes processes on a remote machine
* PsFile - displays the list of files opened remotely
* PsGetSid - translates a SID to a display name and vice versa
* PsKill - kills processes on a local or remote machine
* PsInfo - displays installation type, install date, kernel build, physical memory, processor type and number
* PsList - displays process, CPU, memory and thread statistics
* PsLoggedOn - displays locally and remotely logged-on users
* PsLogList - allows viewing of event logs
nix enumeration
* UNIX and Linux operating systems can be enumerated with multiple command-line utilities provided by the OS
* finger - enumerates users on a remote machine
* rpcinfo - enumerates remote procedure call (RPC) services registered with the portmapper
* rpcclient - Samba client that enumerates usernames (and more) over MS-RPC/SMB
* showmount - enumerates the list of NFS exported (shared) directories
* enum4linux - https://labs.portcullis.co.uk/tools/enum4linux
sniffing tools
* wireshark
* tcpdump
* dsniff
packet crafting steps
* assembly
* editing
* playing (replay)
* analysis
tools for packet crafting and inspection
* hping
* Snort
* Nemesis
* Netcat
* Scapy
* socat
additional examples: www.valencynetworks.com/articles/cyber-security-attacks-packet-crafting.html
passive fingerprinting tools
* p0f
* Nmap
* NetworkMiner
* Ettercap
* PacketFence
eavesdropping
* packet sniffers are common eavesdropping tools: https://sectools.org/tag/sniffers
* wireless sniffers are dedicated to the 802.11 family
* VoIP sniffers are effective on voice datagrams: www.voipmonitor.org
certificate vulnerabilities
* introduce MITM and rogue certificates
* attack clients that do not pin certificates or CAs
* exploit self-signed certificates
* take advantage of users and browsers ignoring certificate warnings
* look for mixed-content sites without EV certificates
* attack weak or ignored revocation methods (CRL and OCSP)
* perform OCSP replay attacks where stapling is not used
types of scans
* network discovery: finds active devices and identifies communication paths; determines network protocols and architecture

* port and service scanning: finds active devices, open ports, and the applications and services behind them

* vulnerability scanning: identifies known vulnerabilities, with a high rate of false positives

* wireless scanning: finds rogue devices and backdoors (stations and APs); discovers signals outside of the expected ranges

* stealth scan: a type of port scan (e.g. a half-open SYN scan) that never completes the TCP handshake, so the target application never sees a connection and often does not log the request

* compliance scan: scanning to verify adherence to a regulation or compliance standard

* application and container scanning
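The packet crafting steps and the stealth (half-open SYN) scan, together in one added example that is not code from the original notes or from any of the tools listed: build_syn() assembles an IPv4 header and a 20-byte TCP SYN by hand, including the RFC 1071 checksum over the TCP pseudo-header, parse() decodes a packet and re-verifies both checksums, and classify() applies the SYN-scan rule for the reply (SYN/ACK means open, RST means closed, no reply means filtered). The addresses and ports in demo() are invented; send_raw() needs root or CAP_NET_RAW and is never called automatically.

```python
"""Hand-assembling an IPv4/TCP SYN probe and reading the answer.

Added example, not from the original notes. It assembles the packet a
half-open (SYN, "stealth") scan sends, computes both checksums, parses it
back, and classifies the responses a scanner sees. send_raw() needs root
and is never called automatically; the demo works on bytes only.
"""
import random
import socket
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd trailing byte zero padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_ip, dst_ip, sport, dport, seq=None, ip_id=None) -> bytes:
    """Return IPv4 header + 20-byte TCP header with SYN set and valid checksums."""
    seq = random.getrandbits(32) if seq is None else seq
    ip_id = random.getrandbits(16) if ip_id is None else ip_id
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # TCP: sport, dport, seq, ack, (data offset 5 words << 12 | flags), window, csum=0, urg
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | SYN, 65535, 0, 0)
    # TCP checksum covers a pseudo-header: src, dst, zero, protocol, TCP length
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4: ver/ihl, tos, total length, id, flags/frag (DF set), ttl, proto, csum=0, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000, 64,
                     socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse(pkt: bytes) -> dict:
    """Decode a raw IPv4/TCP packet and re-verify both checksums (valid => sums to 0)."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = pkt[:ihl], pkt[ihl:]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    sport, dport, seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, ip[9], len(tcp))
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "seq": seq,
            "flags": off_flags & 0x1FF, "window": window,
            "ip_ok": checksum(ip) == 0, "tcp_ok": checksum(pseudo + tcp) == 0}


def classify(flags):
    """What a SYN scanner concludes from the reply (None = no reply before timeout)."""
    if flags is None:
        return "filtered"
    if flags & SYN and flags & ACK:
        return "open"        # scanner answers with RST, never completing the handshake
    if flags & RST:
        return "closed"
    return "unknown"


def send_raw(pkt: bytes, dst_ip: str) -> None:
    """Transmit a crafted packet. Requires CAP_NET_RAW/root; not called by the demo."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(pkt, (dst_ip, 0))


def demo():
    pkt = build_syn("10.0.0.5", "10.0.0.80", 40000, 443, seq=0x11223344, ip_id=0x1A2B)
    info = parse(pkt)
    print(len(pkt), "bytes", info)
    for f in (SYN | ACK, RST, None):
        print(f"reply flags {f!r:>4} -> port {classify(f)}")
    return info


if __name__ == "__main__":
    demo()
```

Because the probe is never followed by the third handshake packet, the listening application never gets an accept() and its own logs stay quiet; the SYN is still visible to a firewall, an IDS such as Snort, or a kernel-level logger, so "stealth" only means stealthy to the application.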
common types of compliance scans
* Basel II
* Center for Internet Security (CIS) Benchmarks
* Control Objectives for Information and Related Technology (COBIT)
* Defense Information Systems Agency (DISA)
* STIGs
* Federal Information Security Management Act (FISMA)
* Federal Desktop Core Configuration (FDCC)
* Gramm-Leach-Bliley Act (GLBA)
* Health Insurance Portability and Accountability Act (HIPAA)
* ISO 27002/17799 security standards
* Information Technology Infrastructure Library (ITIL)
* National Institute of Standards and Technology (NIST) configuration guidelines
* National Security Agency (NSA) configuration guidelines
* Payment Card Industry Data Security Standard (PCI DSS)
* Sarbanes-Oxley (SOX)
* Site Data Protection (SDP)
* United States Government Configuration Baseline (USGCB)