Cross-Site Scripting Attack (XSS)
Introduction to Pen Testing
Outline
Basics of Penetration Testing
Pen testing versus Vulnerability assessment
Why do pen tests?
White hat hackers versus black hats
White box, black box and grey box testing
Pen test methodology
NIST methodology: planning, discovery, attack and reporting phase.
Pen testing, ethical hacking, penetration testing, pen test
What is pen testing?
Authorised and legal attempt to expose and exploit vulnerabilities in a target system
– Computer system, web application, networks, IoT,…
Analytical evaluation of the target system’s security
Reporting
Catalogue potential threats
Determine the feasibility of a cyber-attack
Assess the potential impact on a business of a successful cyber-attack
Publicly available pen test reports: https://github.com/juliocesarfort/public-pentesting-reports
Pen testing vs Vulnerability assessment
VA focuses on discovering potential weaknesses
Vulnerabilities are not actively exploited in VA
Pen testing goes beyond VA
Pen testing actively exploits vulnerabilities
Why pen test?
To make computer systems, network systems and web applications more secure
Aims to find and mitigate security weaknesses in a system before an attacker exploits them
Rationale: Pen test provides a level of assurance that any malicious user will not be able to penetrate the system
National Institute of Standards and Technology (NIST)
To “enhance the organisation’s understanding of the system”
To “uncover weaknesses or deficiencies in the system”
To “indicate the level of effort required on the part of adversaries to breach the system safeguards”
Pen tests should be carried out on any computer system before (and after) it is deployed, in particular – Internet-facing systems, software version updates
Who needs to pen test?
Large organisations may be required by legislation, in the future, to employ a cyber/digital security specialist
Cost effective for Small & Medium-sized Enterprises?
How to pen test?
Pen Test Methodology
Analysis is carried out from the point of view of an attacker
Simulated attempt to exploit vulnerabilities in the target
Ethical Hackers use the same tools, techniques and payloads as a Malicious Hacker
White hat hacker
A computer security expert who specialises in penetration testing and in other testing methodologies that ensure the security of an organisation’s information systems
Malicious hackers (black hats)
Someone who explores methods for breaching defences and exploiting weaknesses in a computer system or network
Permission, motivation and intent:
Permission should be obtained before conducting any test, and the scope of the test agreed between the pen tester and the company being audited
Motivation should not be driven by personal gain, including profit or fame
Intent to make the computer systems more secure
Pen tests can be conducted in several ways: No standardised guidelines for pen test execution
Prior knowledge varies in the amount of detail given to the tester
Black box testing
Blind testing
No prior knowledge of target system
Must find and expose the weaknesses
Simulates outside attacker
Labour-intensive
Requires expertise to minimise risks
White box testing
Insider test
Complete knowledge of the infrastructure
Often conducted as a fully automated process
Simulated insider attack
– e.g. Unhappy employee
– e.g. After information leak
Grey box testing
Variations between black box and white box
Partial disclosure
Constraints
Ethical hackers are (frequently) constrained by time
Malicious hackers are constrained by stealth
Pen testers tend to be noisy
– Not concerned about triggering IDS and firewalls
– Not a realistic attack simulation
Risks
Testing may slow the response time of the systems under test
Systems may be damaged in the course of a penetration test
Risks can be mitigated by experienced pen testers
Pen Testing Methodology
NIST – National Institute of Standards and Technology
https://www.nist.gov/
PTES – Penetration Testing Execution Standard
http://www.pentest-standard.org/index.php/Main_Page
Payment Card Industry Security Standards Council
https://www.pcisecuritystandards.org/
OWASP – Open Web Application Security Project
https://owasp.org/
Web applications only
NIST methodology
National Institute of Standards and Technology
NIST – Special Report 800-115
Penetration Testing Methodology
NIST four-stage penetration testing methodology
NIST methodology: planning phase
The scope of a project defines what is to be tested – Rules of Engagement
Neglecting proper pre-engagement activities: Unsatisfied customers & Legal issues
Pen testing requires a lot of trust: it is essentially hacking a system
Important to understand what the customer expects from the pen test
Not uncommon for a client to be unaware of exactly what it is they need to be tested
Also possible that the client does not know how to communicate what they are expecting from the test
Important to establish communication channels between all parties involved
Pen tester and company being audited must mutually agree on:
Terms, Conditions, Rules, Requirements and Scope that secure the interests of both parties
Detailed information about the resources to be included in the test
List any system or attack that the client does not want to be included in the test
e.g.: DNS servers, Mail servers, Firewalls, Public-facing websites, and Internal systems storing sensitive data…
Management approval finalised
Formally documented in a legal contract signed by all the parties
Legal authorisation required before initiating any pen testing assignment
Confidentiality or Non-Disclosure Agreement signed: findings should be confidential, and shared only with the client
No actual test occurs in this phase
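The agreed scope, client exclusions (e.g. DNS and mail servers) and testing window from the planning phase can be enforced mechanically before any discovery or attack action runs. The following is an added example, not part of the original slides or of NIST SP 800-115; the RulesOfEngagement class, the check_target and filter_plan functions and the sample addresses (RFC 5737 documentation ranges) are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class RulesOfEngagement:
    """Scope agreed between pen tester and client during the planning phase (hypothetical structure)."""
    in_scope: tuple          # address ranges the client authorised for testing
    excluded_hosts: dict     # host -> reason the client wants it left alone
    excluded_ports: dict     # port -> reason (service too fragile or holds sensitive data)
    window_start: datetime   # agreed testing window, in UTC
    window_end: datetime


def check_target(roe, host, port, when):
    """Return (allowed, reason) for one intended action against host:port at time `when`.
    Every refusal names the rule that blocked it, so it can go straight into the engagement log."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False, f"{host!r} is not a valid IP address"
    if not any(addr in ipaddress.ip_network(net) for net in roe.in_scope):
        return False, f"{host} is outside the agreed scope"
    if host in roe.excluded_hosts:
        return False, f"{host} excluded by client: {roe.excluded_hosts[host]}"
    if port in roe.excluded_ports:
        return False, f"port {port} excluded by client: {roe.excluded_ports[port]}"
    if not roe.window_start <= when <= roe.window_end:
        return False, f"{when.isoformat()} is outside the agreed testing window"
    return True, "within scope, window and client exclusions"


def filter_plan(roe, planned):
    """Split a planned list of (host, port, when) actions into allowed and refused ones."""
    allowed, refused = [], []
    for host, port, when in planned:
        ok, reason = check_target(roe, host, port, when)
        (allowed if ok else refused).append((host, port, reason))
    return allowed, refused


# Constructed sample rules of engagement: documentation addresses, not a real client.
UTC = timezone.utc
SAMPLE_ROE = RulesOfEngagement(
    in_scope=("192.0.2.0/24",),
    excluded_hosts={"192.0.2.53": "production DNS server", "192.0.2.25": "mail server"},
    excluded_ports={3306: "internal database storing sensitive data"},
    window_start=datetime(2024, 1, 15, 9, 0, tzinfo=UTC),
    window_end=datetime(2024, 1, 15, 17, 0, tzinfo=UTC),
)
```

Running filter_plan over the planned actions before each phase gives a written record of what was refused and why, which feeds directly into the periodic reports kept during the discovery and attack phases.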
NIST methodology: discovery and attack phase
Discovery phase:
Reconnaissance / Information Gathering
Target Scanning
Vulnerability Assessment
Attack phase:
Exploits vulnerabilities discovered to confirm existence
Active exploitation of the vulnerabilities in the target
Exploits do not always grant maximum level of access to a system
May result in additional discovery about the targeted system
May induce a change in the state of the targeted network security
Some exploits enable pen testers to escalate privileges on a system
Required to gain access to additional resources – Lateral movement
Installing additional tools to facilitate the testing process
To gain access to additional systems or resources on the network
To obtain access to information about the network or organisation
Testing and analysis on multiple systems should be conducted during a penetration test to determine the level of access
If an attack on a specific vulnerability proves impossible, the tester should attempt to exploit another vulnerability discovered
NIST methodology: Reporting phase
A pen testing assignment ends with a final pen testing report
Reporting occurs simultaneously with the other three phases
Planning phase: development of pen test plan (Rules of engagement)
Discovery and attack phases: written logs are kept & periodic reports to system administrators and management
Specific recommendations to address and fix vulnerabilities discovered during the test
Final pen testing report should include:
All the relevant information uncovered during the pen testing
Detailed explanation of how the test was conducted
Describe what was done during the test
Executive summary highlighting the most critical issues uncovered
Propose mitigations and solutions for the security issues
Publicly available pen test reports: https://github.com/juliocesarfort/public-pentesting-reports