# Module 1 Passive Recon - jude-lindale/Wiki GitHub Wiki

## Types of Security Assessments

- Vulnerability scanning/assessment (fastest)
  - Identifies potential vulnerabilities
  - Goal: identify and fix potential vulnerabilities
- Penetration testing (fast)
  - Identifies and exploits vulnerabilities to verify them
  - Goal: identify and fix proven vulnerabilities
  - Not trying to evade detection
- Red teaming (slow and quiet)
  - Attempts to evade detection
- Adversary emulation (slow, quiet, and more)
  - Attempts to emulate a specific adversary/threat

## Transparent vs Opaque Box Testing

- Transparent Box, AKA White Box, Open Box
  - Testers have knowledge of target systems/networks
  - Work with and/or get documentation from system administrators
- Opaque Box, AKA Black Box, Closed Box
  - Testers have no knowledge of target systems/networks
  - Simulate what an attacker would do

## Test vs Attack

- What's the difference between penetration testing and a malicious attacker?
  - Overall intent and legality
- Why does the difference matter?
  - Protection for the tester(s)
  - Protection for the organization being assessed
- Rules of engagement
  - What can go wrong if the rules/scope aren't adhered to?

## Phases of Penetration Testing

1. Reconnaissance
   - Identify potential targets
   - No interaction with the environment yet!
2. Scanning
   - Scan for live hosts (web applications, databases, etc.)
   - Identify potential vulnerabilities (misconfigurations, missing patches, password spraying)
3. Exploitation
   - Attempt to exploit vulnerabilities found in the scanning phase
4. Post-exploitation & Maintaining Access
   - Maintain persistence, pivot, escalate privileges
5. Reporting
   - The difference between attackers and testers!

## Step 1: Reconnaissance

- Active vs passive recon
  - Passive: open-source intelligence (OSINT), publicly available information
  - Active: interacting directly with the target. Need permission if going beyond public access
- Goals of Recon
  - Network Information (IPs, CIDR, Domains)
  - Systems (Server Names/IPs)
  - Web Applications
  - Security Tools (Firewalls, IDS/IPS, Endpoint Security)
  - People (Leadership, Admins, Engineers, Developers, etc.)
  - Partners (Vendors, Hosting Providers)

## Step 1: Reconnaissance - Passive Reconnaissance Sources

- Domain Registration
  - Internet Corporation for Assigned Names and Numbers (ICANN)
  - Domain registration records (contact names, addresses, nameserver info)
- IP Address Registration
  - Internet Assigned Numbers Authority (IANA) - five regional registries
    - AfriNIC - Africa
    - APNIC - Asia/Pacific
    - ARIN - North America
    - LACNIC - Latin America and Caribbean
    - RIPE - Europe, Middle East, Central Asia
- Google Dorking, AKA Google Hacking
  - Offensive Security's Google Hacking Database
- Shodan

## Step 1: Reconnaissance - Passive Reconnaissance Tools

- TheHarvester
  - Command line tool to query multiple search engines (also DNS stuff)
  - Included in Kali, but the included version can have problems: when in doubt, pull it down from GitHub
- Netcraft
  - Provides technical reports on other websites
  - Use “
- Metagoofil
  - Kali utility designed for extracting metadata from public documents

## Step 1: Reconnaissance - DNS Reconnaissance

- DNS (name to IP mapping) can provide a tester with systems to target in Phase 2 (scanning)
- nslookup and dig are useful command line tools
- dnsrecon (included in Kali) offers a streamlined approach to gathering data; however, pull down the latest version
- MxToolbox: find the email service provider, DNS information, WhoIs information, and more!

## Note on Tool Trust

- We can be somewhat confident of the tools listed in Kali as well as their tool sources. These are curated by Offensive Security, who enjoys a very good reputation
- We should be very suspicious of compiled binaries and code retrieved from the internet without a good deal of understanding of the tools and the reputation of their sources
- A subset of the tools included with Kali are not the latest or have missing dependencies; we will see examples of this in class
- Kali is not likely a suitable tool for daily desktop computing; run it in a high powered VM.
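The Metagoofil bullet above describes extracting metadata from public documents. The script below is an added example of what that extraction actually does for one format; it is not Metagoofil's code or the wiki author's. It pulls the Info dictionary entries (author, authoring software, creation date) out of a PDF with only the standard library. The PDF bytes, the user name `jdoe` and the product strings in it are constructed placeholders, and the parser only handles the plain literal-string form of those entries (not object streams, hex strings or encrypted PDFs). From the defender's side, the same routine is a quick way to audit documents before you publish them.

```python
"""Added example (not Metagoofil's code): read author/tool metadata from a PDF.

The sample document is constructed inline so the script runs offline.
"""
import re
import sys

# Constructed minimal PDF with an Info dictionary; every value is a placeholder.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (Q3 Network Diagram) /Subject (Draft \\(internal\\))
/Author (jdoe) /Creator (Microsoft Word) /Producer (Acrobat PDFMaker 11)
/CreationDate (D:20230114093000Z) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# Info-dictionary keys that reveal people, software and timelines.
INTERESTING_KEYS = ("Title", "Subject", "Author", "Creator", "Producer",
                    "CreationDate", "ModDate")

# Matches "/Key (literal string)"; the string body may contain backslash escapes
# such as \( and \), which the alternation (?:\\.|[^\\)]) steps over.
_ENTRY_RE = re.compile(
    rb"/(%s)\s*\(((?:\\.|[^\\)])*)\)" % b"|".join(k.encode() for k in INTERESTING_KEYS)
)


def _unescape(raw: bytes) -> str:
    """Drop the backslash from \( \) \\ escapes (other PDF escapes are left alone)."""
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def pdf_info(data: bytes) -> dict:
    """Return the literal-string Info entries found in a PDF as a str -> str dict."""
    return {m.group(1).decode(): _unescape(m.group(2)) for m in _ENTRY_RE.finditer(data)}


def parse_pdf_date(value: str):
    """Turn a PDF date such as D:20230114093000Z into 2023-01-14T09:30:00Z."""
    m = re.match(r"D:(\d{4})(\d{2})(\d{2})(\d{2})?(\d{2})?(\d{2})?", value)
    if not m:
        return None
    y, mo, d, h, mi, s = (g or "00" for g in m.groups())
    return f"{y}-{mo}-{d}T{h}:{mi}:{s}Z"


def summarize(info: dict) -> dict:
    """Group the findings the way a recon report would: people, software, dates."""
    return {
        "people": [info[k] for k in ("Author",) if k in info],
        "software": [info[k] for k in ("Creator", "Producer") if k in info],
        "created": parse_pdf_date(info["CreationDate"]) if "CreationDate" in info else None,
    }


if __name__ == "__main__":
    # With no arguments, analyse the constructed sample; otherwise each file given.
    paths = sys.argv[1:]
    blobs = [open(p, "rb").read() for p in paths] if paths else [SAMPLE_PDF]
    for name, blob in zip(paths or ["<sample>"], blobs):
        print(name, summarize(pdf_info(blob)))
```

Run it with no arguments to see the sample, or pass PDF paths to check your own documents; an `Author` that is a domain user name, or a `Producer` naming an old software version, is exactly the kind of detail that leaks from a public document.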
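The DNS Reconnaissance section says DNS records hand the tester systems for the scanning phase. The script below is an added example of the harvesting logic behind that claim; it is not dnsrecon's code or the wiki author's. It queries the common record types for a domain, then mines NS targets, MX targets and SPF `include:`/`a:`/`mx:` tokens for further hostnames and `ip4:`/`ip6:` tokens for address ranges, and separates what belongs to the domain from third-party hosting (the "Partners" goal above). The resolver is passed in as a function: the constructed `FAKE_ZONE` answers for the placeholder domain `example.com` let it run offline, and `dig_resolver` (assumes `dig` is installed) is what you would pass for a real lookup of a domain you are authorized to assess.

```python
"""Added example (not dnsrecon's code): harvest hostnames and networks from DNS.

The resolver is injected so the logic is testable offline with constructed data.
"""
import subprocess

RECORD_TYPES = ("A", "AAAA", "NS", "MX", "TXT")

# Constructed answers for the placeholder domain example.com; not real records.
FAKE_ZONE = {
    ("example.com", "A"): ["203.0.113.10"],
    ("example.com", "AAAA"): [],
    ("example.com", "NS"): ["ns1.example.com.", "ns2.dns-hoster.example."],
    ("example.com", "MX"): ["10 mail.example.com.", "20 mx.mailhoster.example."],
    ("example.com", "TXT"): [
        '"v=spf1 ip4:203.0.113.0/24 include:_spf.mailhoster.example a:www.example.com -all"',
        '"google-site-verification=placeholder"',
    ],
}


def fake_resolver(name: str, rtype: str) -> list:
    """Offline resolver: answers from the constructed zone, empty otherwise."""
    return FAKE_ZONE.get((name, rtype), [])


def dig_resolver(name: str, rtype: str) -> list:
    """Real resolver built on `dig +short NAME TYPE` (assumes dig is installed)."""
    out = subprocess.run(["dig", "+short", name, rtype], capture_output=True, text=True)
    return [line for line in out.stdout.splitlines() if line]


def in_scope(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def recon(domain: str, resolve) -> dict:
    """Collect records, derive extra hostnames and networks, and split by ownership."""
    records = {rt: resolve(domain, rt) for rt in RECORD_TYPES}
    hosts, networks = set(), set()

    # NS and MX targets are hostnames; dig prints them with a trailing dot.
    for ns in records["NS"]:
        hosts.add(ns.rstrip("."))
    for mx in records["MX"]:
        hosts.add(mx.split()[-1].rstrip("."))  # "10 mail.example.com." -> host only

    # SPF records name mail senders by host and by CIDR.
    for txt in records["TXT"]:
        text = txt.replace('"', "")  # dig wraps (possibly several) quoted chunks
        if not text.startswith("v=spf1"):
            continue
        for token in text.split():
            for prefix in ("include:", "a:", "mx:"):
                if token.startswith(prefix):
                    hosts.add(token[len(prefix):])
            for prefix in ("ip4:", "ip6:"):
                if token.startswith(prefix):
                    networks.add(token[len(prefix):])

    return {
        "records": records,
        "hosts": sorted(hosts),
        "networks": sorted(networks),
        "third_party": sorted(h for h in hosts if not in_scope(h, domain)),
    }


if __name__ == "__main__":
    # Offline demonstration against the constructed zone.
    result = recon("example.com", fake_resolver)
    for key in ("hosts", "networks", "third_party"):
        print(key, result[key])
```

The `third_party` list is the point: DNS hosters and mail providers found this way are outside the client's network and usually outside the rules of engagement, so they belong in the report as partners, not in the scanning phase.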
## Knowledge

- Arbitrarily running tools without some level of research into the tool's options and pitfalls, and into what is actually occurring on the backend, is not a good approach and is a recipe for a self-inflicted wound
- Let's focus on manual techniques; the automation can come later (and perhaps even be coded by you!)