Course Journal - Ptsoares/SEC_335_Techjournal GitHub Wiki

Week 1 (01/16-01/22)

Overview

Following introductions, this week was primarily focused on understanding the rules of engagement and the responsibilities of penetration testers. After developing rules of engagement, we began discussing passive reconnaissance and the attack methodology.

Points of interest (Lecture notes)

Definition of penetration testing

Penetration testing is “defined as a legal and authorized attempt to locate and successfully exploit computer systems for the purpose of making those systems more secure” - Engebretson

How does penetration testing relate to other forms of security assessments?

Penetration testing and vulnerability scanning are terms that are often used interchangeably; however, they don't mean the same thing. Penetration testing can include vulnerability scanning, but it also includes actually exploiting the vulnerability, and attackers are usually not trying to evade detection.

Transparent vs. Opaque Box Testing

Transparent, A.K.A. white/open box, means the environment is known or partially known by the testers--they may have documentation from sysadmins or even prior knowledge of the environment.

Opaque, A.K.A. black/closed box, means that the environment is unknown to the testers--there's no telling how the environment looks, and this is intended to closely simulate the attacker's perspective.

Penetration testers vs. malicious attackers

  • Pen testers have a series of legal protections for their work--so do the organizations that are being tested.
  • Involved parties must follow the rules of engagement that are established prior to testing.

Penetration testing phases:

1. Reconnaissance: ID potential targets, no environment interaction yet

  • Passive recon is largely composed of OSINT (open source intelligence) since there shouldn't be any direct interactions with the network until you move into the later stages of the attack process.
  • Active recon entails interacting directly with the target (permission is needed to do this)
  • The goal of recon is to gather information about the network, including targets, security systems, employees, and 3rd-party service providers

Some helpful resources:

  • Domain Registration (Internet Corporation for Assigned Names and Numbers (ICANN) may have contact names, addresses, and nameserver information)
  • IP Address Registration (the Internet Assigned Numbers Authority (IANA) has five regions: AfriNIC (Africa), APNIC (Asia/Pacific), ARIN (North America), LACNIC (Latin America & Caribbean), RIPE (Europe, Middle East, Central Asia))
  • Google Dorking is a popular passive recon approach
  • Shodan is another useful tool for recon
  • Additional tools: The Harvester, Netcraft, Metagoofil
  • DNS reconnaissance: using DNS to map IPs to hosts
  • DNS-based CLI tools: Nslookup, Dig
  • Kali offers Dnsrecon (Data gathering, make sure to pull the latest vers.)
  • MxToolbox can be used to find an email service provider, WhoIs info, etc.

Tools note: While online tools can be especially useful, it's not good practice to run anything you don't understand, especially when the source cannot be verified. Kali-based tools are relatively safe; however, for the time being, let's stick to manual approaches to mitigate uncontrolled issues.

2. Scanning: Searching for "live hosts", i.e. web apps, databases, and identifying vulnerabilities (ex. misconfigurations, unpatched vulns)

3. Exploitation: Attempt to exploit vulnerabilities found during the scanning

4. Post-exploitation & Maintaining Access: Privilege escalation, pivoting, etc.

5. Reporting: Generating reports for organizations following test(s)

Passive Recon activity

An in-class activity was conducted to expose students to passive recon approaches (NOTE: All of this activity was theoretical and there was no intent to follow through with anything--all information in this section was non-malicious):

  • Students started by identifying a medium-sized company
  • From there, students made a document and collected open-source, free, and publicly available information about the company, such as any internet addresses, domain names, key employees, and any publicly available workplace technology (i.e. job postings with experience requirements). This reflected the sort of information that pen testers would collect in phase one of the attack sequence.

My group used Google Dorking techniques and OSINT techniques, including using LinkedIn and company web pages, to collect information about the medium-sized company we chose. "site:" was a popular starting point for Google Dorking since we found multiple pages hosted by the same domain. Sites such as whatsmyip.org and similar DNS-related resources were helpful in identifying some information as well. Leveraging LinkedIn proved a useful way to collect what kind of servers and programming languages were being used in the workplace, and performing an ARIN WhoIs lookup yielded that the IP of the company was hosted off-site. IP addresses that were found would be potentially useful targets for scans, and the employees found on LinkedIn provided examples of some potential social engineering targets.

Reading: Chapter 4: Internet Information Gathering

What to look for during OSINT

  • Company subdomains
  • Websites
  • Public IP addresses (including the one on the cloud AWS/Azure)
  • Leaked internal IP addresses
  • Previous breaches
  • Significant business change (e.g. acquisitions)
  • Business phone numbers (Social engineering)
  • Employee public information (Social engineering)
  • A company presence on social media (e.g. LinkedIn)

Use internet search engines to get your results

Use search engines such as Google, shodan.io, and duckduckgo to take advantage of leaks in the wild:

Use Shodan

Shodan has many useful filters for searching with (filter names are lowercase, with no space after the colon):

Search Filter   Example
port            port:80
product         product:"Apache"
org             org:"Target company name"
country         country:CA
city            city:Montreal
hostname        hostname:"domain-name.com"
server          server:"Linux"
http.title      http.title:"Dashboard"

Use Google Queries

Query Google's index using the Google Hacking Database (GHDB), also known as Google Dorking.

A good starting point is the site: query, as it will search for all web pages and sites related to the target domain (incl. subdomains). You can follow site names with keywords for more advanced searches. GitHub is heavily used by developers, and therefore leaked information can often be discovered there.

Some query examples:

Query       Example
inurl:      site:[DOMAIN] inurl:?id=
intitle:    intitle:"index of" "cctv"
filetype:   site:[DOMAIN] filetype:"xls"

A beneficial resource with the latest Google Dorking techniques:

www.exploit-db.com/google-hacking-database

The site above belongs to the founders of Kali Linux

See how to display information about domains using Whois database

Entities that buy a domain name must provide personal information prior to registering the domain. Unless the registrant pays a fee to have this information obfuscated, the Whois database makes it publicly available.

$ whois [DOMAIN]

This will return as much information as it can find that's not hidden, including the registrant name, contact phone, email, entity physical address, domain expiry date, and name servers.
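An added example (not from the course or the book) of what to do with that output: parse the "Key: value" lines that whois prints into the fields listed above and report which contact fields the registrar has redacted behind a privacy service. The sample record is constructed and is not a real registration; running this against your own organization's domains shows what a passive-recon pass would learn about them.

```python
# Added example: parse `whois` output for the fields the notes list and
# report which ones the registrar has redacted. Sample record is constructed.
from datetime import datetime

# Constructed sample in the usual registrar layout; not a real registration.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CORP.TEST
Registry Expiry Date: 2026-03-14T04:00:00Z
Name Server: NS1.EXAMPLE-CORP.TEST
Name Server: NS2.EXAMPLE-CORP.TEST
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Example Corp
Registrant City: Montreal
Registrant Phone: +1.5555550100
Registrant Email: Please query the RDDS service of the Registrar of Record
>>> Last update of WHOIS database: 2025-01-16T12:00:00Z <<<
"""
INTERESTING = {"Registrant Name", "Registrant Organization", "Registrant City",
               "Registrant Phone", "Registrant Email"}
REDACTION_MARKERS = ("REDACTED", "PRIVACY", "PROXY", "QUERY THE RDDS")


def parse_whois(text):
    """Turn 'Key: value' lines into a dict; repeated 'Name Server' keys become a list."""
    record = {}
    for line in text.splitlines():
        if line.startswith(">>>") or ":" not in line:
            continue  # notices, comments and the trailing update stamp
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not value:
            continue
        if key.lower() == "name server":
            record.setdefault("Name Server", []).append(value.lower())
        else:
            record[key] = value
    return record


def is_redacted(value):
    return any(marker in value.upper() for marker in REDACTION_MARKERS)


def summarize(text):
    """Split contact fields into exposed vs. redacted; also pull expiry and name servers."""
    rec = parse_whois(text)
    exposed = {k: v for k, v in rec.items() if k in INTERESTING and not is_redacted(v)}
    redacted = sorted(k for k, v in rec.items() if k in INTERESTING and is_redacted(v))
    expiry = rec.get("Registry Expiry Date")
    expires = datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ") if expiry else None
    return {"exposed": exposed, "redacted": redacted,
            "name_servers": rec.get("Name Server", []), "expires": expires}
```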

See how the essential tools for passive footprinting work on Kali, including TheHarvester, Dmitry, and Maltego

  • TheHarvester: This is a great tool to find email addresses--email is a good starting point for social engineering. Here's the general format for use:

$ theHarvester -d [DOMAIN] -b [online sources] -s

-d is the switch that specifies the target name

-b specifies the data source name

-s specifies searching Shodan

-h is the help command

  • DMitry (Deepmagic Information Gathering Tool): Its switches include:

-w performs a Whois lookup

-n retrieves records from Netcraft.com

-s searches for subdomains

-e searches for email addresses

-p scans for open TCP ports (NOTE: This isn't passive and enters into scans)

Example:

root@kali:~# dmitry -wnse [DOMAINNAME]

  • Maltego: The complete functionality of Maltego requires a paid subscription, so only a limited number of tools are readily available for free. It offers close to comprehensive information gathering if you subscribe.

Transformation Hub

A collection of sites from which Maltego will fetch data--the data sources you want will need to be installed, and they are either paid separately, free, or require you to create an account and use an API token to authenticate and fetch data.

Week 2 (01/23-01/29)

Overview

This week focused on active reconnaissance and dove into network scans in particular.

Host Discovery Activity

Reading: Chapter 3: Network Hosts Scanning

Week 3 (01/30-02/05)

No lecture or reading this week--all information is within the assignments and class activity.