14

Network Penetration Testing

Penetration Testing IntroPen Testing Process and LawPlanning and Passive ReconPort ScanningPractice QuestionsForged Emails (Lab 4b)Introduction to Basic Exploits (Lab 5)Metasploit Framework (Lab 6)Web Application Technologies/Vulnerabilities (Lab 7)Apache Web Application Configuration (Lab 8a)Web Application Testing (Lab 8b)SQL Injection Testing/Attacks (Lab 9)Password Attacks (Lab 10)Active Recon - Network Scanning, Enumeration and Vulnerability Scanning (Lab 4a)

Planning and Passive Recon

Week 1 Day 2 - Lecture 1

Last Update Unknown

Preparation

Designing the Pen Test

  • Define the Assets being protected
  • Engagement Zone
  • Define Scope of Test
  • Define Testing Channels - Human, Physical, Wireless, Telecommunications, and Data Networks
  • Define Testing Types - Blind, Double Blind, Gray Box, Double Gray Box, Tandem, and Reversal
  • Define Rules of Engagement

Rules of Engagement

These rules define the operational guidelines of acceptable practices in performing testing work, and reporting the results of testing


For example:

  • confidentiality and non-disclosure of customer information and test results
  • operate within the law of the physical location(s)
  • tester must not leave the organisation in a position of less security than it was when test started
  • Testing report must respect the privacy of all individuals and maintain their privacy

Deliverables

- Reporting the results of testing

- Daily or weekly reports/logs

- Final Report - format/contents

  • Executive Summary
  • Vulnerability Summary
  • Details
  • Mitigation countermeasures
  • Technical Supporting Appendices

Passive Recon

Passive Information Gathering: The process of collecting information about your target(s) using publicly available sources of information.

Difficult to restrict this phase to “only” public data, so we will include:

  • Google searches involving non-target servers.
  • Reading information on target's public web pages.
  • Performing simple DNS queries, WHOIS, and other data sources.

What is Useful information?

Reconnaissance is all about having useful information but it is not clear what will be useful!


Social Engineering needs information on user processes and people while technical attacks need information on the topology, system design, system procedures, and configurations.

Types of Useful Information

  • Organisation information
  • Contact details
  • Staff email addresses
  • Network address ranges/addresses
  • Organisation products, device types, OS, applications
  • Historical data
  • Data mistakenly exposed online

Sources of useful information

  • Target organisation website
  • Google - Caches, Advanced searching
  • Web Archive sites
  • DNS and Whois servers
  • Blogs, wikis etc
  • Newsgroups
  • Social Media
  • Specialist Online search tools - Shodan
  • Physical Access/searching bins etc
  • Social Engineering

Passive Information Sources

Physical Location

  • DNS and WHOIS and IP Address location info
  • Google maps, streetview, earth etc
  • Physical Addresses, Physical access, employees


Waste disposal or 'dumpster diving'

  • Sensitive documents
  • passwords and credentials
  • code or printed manuals

Social Engineering

Phishing campaigns are now commonly part of a pentest.

  • Staff directory webpages, emails
  • Reconnaissance of employees
  • System Administrators need help too.
  • When experts need help they may turn to the internet, such as experts exchange or technet.
  • Good experts when posting messages in forums etc will hide important site details, change IP numbers and passwords, or even use accounts unrelated to their company.

Website Archives

Organisation's Archival Web Data can be useful as data can be found which has been removed for privacy. It can reveal misconfigurations or deleted posts and documents

The WayBackMachine is the website used for this.

DNS WHOIS

Passive-ish DNS queries

  • The glue which binds IP numbers to hostnames is the Domain Name Service - DNS.
  • DNS and WHOIS querying can be used to map the networks of a target organization
  • It is “active” in that you are contacting servers for information…
  • However we consider it passive here as it is difficult to relate to attacks, can be obtained using proxy servers easily, and uses servers outside the immediate management of the targets/target network.

Whois for IP

  • Just as a domain name has a owner, so does an IP range.
  • Some ranges can be sub-allocated, so for instance a fixed IP on your home broadband is allocated to your ISP and not to you.
  • The IP must be allocated to you (or delegated from the owner) in order to control the reverse DNS.
  • The actual owner can be found via whois.

Other DNS records

DNS holds not just A and PTR records.
  • A: Address record, PTR: reverse address


• Other records can be useful such as:
  • HINFO: a command about specific machine specifications.
  • TXT: a general purpose text comment
  • MX: how email is handled
  • NS: additional name servers
  • SOA: Start of authority record
  • AXFR: Zone Transfer!

Automate DNS Recon

dnsrecon. py

  • Python script to automate DNS server enumeration
  • Try DNS Zone transfers on all DNS Servers in domain:
  • Try SOA, NS, A, AAAA, MX and SRV records on DNS Servers in domain

fierce

  • Wordlist/Brute forcing of sub-domains + Zone transfers

Information Gathering - Google

Web-accessible security and vulnerabilities:

  • Network-accessible devices may have vulnerabilities we can exploit
  • In large companies the exploitable devices may be difficult to spot.
  • Some servers may have useful data publically accessible, but are difficult to identify and navigate.
  • Google can assist in reconnaissance!

Google Hacking

Google Cache

  • Cache feature means typically don't even have to interact directly with the target website
  • Cached link on search page - DOES hit target server!

  • Right click cache link, and add &strip=1 to URL so that it w

    on't hit target server, only Google cache server
  • Note the header - this may have changed since cached

Google Advanced Search

You can use Google Advanced Search Operators to modify the search.

There are quite a few operators available, including:

  • site: Limit the search to a particular hostname or domain
  • inurl: text must appear in a url definition.
  • intext: text matches on page text
  • filetype: the page found must end with that particular extension.
  • intitle: the parameter must appear in that page's title.
  • “quotes” - something in quotes MUST be found on the page returned.
  • -parameter - the word “parameter” MUST NOT be found on the page returned.
  • cache: use google cache servers

Poor Default Pages

  • When a webserver is installed it may be set to give pages directly from one particular user's home space.
  • Of course step 2 should be to hide that user's files, such as .bash_history, and replace the information with an HTML file.
  • Not reaching step 2 means people can click on files in your homespace, see commands you types, private files, etc.

You can search:

Pastebin

  • Data/code sharing website - now can find all sorts of data
  • Stolen code dumped
  • Leaked/hacked password lists
  • Student course works reports/code often found here!
  • Pastebin can be automatically searched
  • Alert tools automatically search periodically

Metadata

  • All files have have metadata - company, user, geolocation
  • doc, photo, spreadsheet, ppt files
  • Facebook and other big web applications typically now remove metadata, but not all
  • Huge amounts of metadata still online
  • exif metadata extraction tools online and in Kali
  • Linux strings tool