What is the difference between White Hat and Black Hat hackers? => “permission”
Code of Ethics Canons [(ISC)2]
Protect society, the commonwealth, and the infrastructure
Act honorably, honestly, justly, responsibly, and legally
Provide diligent and competent service to principals
Advance and protect the profession
It is really difficult to define exactly what constitutes an ethical or unethical hacker
Why Stay Ethical?
Types of computer hackers
Black Hat Hackers
Those who conduct unauthorized penetration attacks against information systems
The reason behind this activity ranges from curiosity to financial gain
In some cases: their activities do not violate the laws of their country
White Hat Hackers
Those individuals who perform security assessments within a contractual agreement
who’s more capable—the Black Hat hacker or the White Hat hacker?
Gray Hat Hackers
Ethical Standards
Depending on your certification/location/affiliation
Certifications
(ISC)2
Protect society, the commonwealth, and the infrastructure
Act honorably, honestly, justly, responsibly, and legally
Provide diligent and competent service to principals
Advance and protect the profession
SANS Institute
I will strive to know myself and be honest about my capability
I will conduct my business in a manner that assures that the IT profession is considered one of integrity and professionalism
I respect privacy and confidentiality.
Employer
Almost every company has an ethical standards policy
make sure you include within the contract, as part of the recipient’s obligation, a clause stating that they have read and will follow your company’s information security policies and ethics standards.
Educational and Institutional Organizations
Many organizations have instituted their own ethical standards
making membership within the organization dependent on acceptance of these ethical standards
(ISSA)
Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles
Promote generally accepted information security current best practices and standards
Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities
Discharge professional responsibilities with diligence and honesty
Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of employers, the information security profession, or the association, and
Not intentionally injure or impugn the professional reputation or practice of colleagues, clients, or employers
Internet Activities Board: unethical behavior
Seeks to gain unauthorized access to the resources of the Internet
Disrupts the intended use of the Internet
Wastes resources (people, capacity, computer) through such actions
Destroys the integrity of computer-based information, and/or
Compromises the privacy of users
(IEEE)
To accept responsibility in making decisions consistent with the safety, health and welfare of the public, and to disclose promptly factors that might endanger the public or the environment
To avoid real or perceived conflicts of interest whenever possible and to disclose them to affected parties when they do exist
To be honest and realistic in stating claims or estimates based on available data
To reject bribery in all its forms
To improve the understanding of technology, its appropriate application, and potential consequences
To maintain and improve our technical competence and to undertake technological tasks for others only if qualified by training or experience, or after full disclosure of pertinent limitations
To seek, accept, and offer honest criticism of technical work, to acknowledge and correct errors, and to credit properly the contributions of others
To treat fairly all persons regardless of such factors as race, religion, gender, disability, age, or national origin
To avoid injuring others, their property, reputation, or employment by false or malicious action
To assist colleagues and coworkers in their professional development and to support them in following this code of ethics
(OECD)
Collection Limitation Principle
Data Quality Principle
Purpose Specification Principle
Use Limitation Principle
Security Safeguards Principle
Openness Principle
Individual Participation Principle
Accountability Principle
Computer Crime Laws
Types Of Laws
Civil Law
Criminal Law
Administrative/Regulatory Law
Type Of Computer Crimes And Attacks
Denial of service
Destruction or alteration of information
Dumpster diving
Emanation eavesdropping
Embezzlement
Espionage
Illegal content of material
Information warfare
Malicious code
Masquerading
Social engineering
Software piracy
Spoofing of Internet Protocol (IP) addresses
Terrorism
Theft of passwords
Use of easily-accessible exploit scripts
Network intrusions
U.S. Federal Law
1970 U.S. Fair Credit Reporting Act
1970 U.S. Racketeer Influenced and Corrupt Organization (RICO) Act
1973 U.S. Code of Fair Information Practices
1974 U.S. Privacy Act
1978 Foreign Intelligence Surveillance Act
1986 U.S. Computer Fraud and Abuse Act (amended 1996)
1986 U.S. Electronic Communications Privacy Act
1987 U.S. Computer Security Act
1991 U.S. Federal Sentencing Guidelines
1994 U.S. Communications Assistance for Law Enforcement Act
1996 U.S. Economic and Protection of Proprietary Information Act
1996 U.S. Kennedy-Kassebaum Health Insurance and Portability Accountability Act (amended 2000)
1996 Title I, Economic Espionage Act
1998 U.S. DMCA
1999 U.S. Uniform Computers Information Transactions Act
2000 U.S. Congress Electronic Signatures in Global and National Commerce Act
2001 USA PATRIOT Act
2002 E-Government Act, Title III, the FISMA
U.S. State Law
California SB 1386, in 2003
By 2005, 22 states had enacted similar laws
International Laws
Canada
Criminal Code of Canada, Section 342—Unauthorized Use of Computer
Criminal Code of Canada, Section 184—Interception of Communications
United Kingdom
The Computer Misuse Act (CMA) 1990 (Chapter 18)
The Regulation of Investigatory Powers Act 2000 (Chapter 23)
The Anti-terrorism, Crime and Security Act 2001 (Chapter 24)
The Data Protection Act 1998 (Chapter 29)
The Fraud Act 2006 (Chapter 35)
Potentially the Forgery and Counterfeiting Act 1981 (Chapter 45)
The CMA was recently amended by the Police and Justice Act 2006 (Chapter 48)
The Privacy and Electronic Communications
Australia
Cybercrime Act 2001
Crimes Act 1900 (NSW): Part 6, ss 308-308I
Criminal Code Act Compilation Act 1913 (WA)
Malaysia
Computer Crimes Act 1997 (Act 563)
Singapore
Computer Misuse Act 1993 (Chapter 50A)
Venezuela
Special Computer Crimes Act (Ley Especial de Delitos Informáticos)
Safe Harbor And Directive 95/46/EC
Getting Permission to Hack
Confidentiality Agreement
Company Obligations
Contractor Obligations
Auditing and Monitoring
Conflict Management
Setting up Your Lab
Targets in a Pentest Lab
Problems with Learning to Hack
No legitimate targets online to practice against.
it is impossible for a person to create a pentest scenario that they can learn from
The only way to learn is to practice against scenarios created by others
Real-World Scenarios
Learning to hack using real-world servers is risky
Production labs are expensive and availability to the labs is often limited
unless you have the money to throw at the problem, you will need to develop a personal lab
Turn-Key Scenarios
The disadvantage of turn-key pentest scenarios is that they only imitate real-world servers and may not do so faithfully
Despite the disadvantages, turn-key scenarios are the preferred method of learning how to conduct a penetration test.
What Is a LiveCD?
De-ICE
LiveCDs are real servers that contain real-world challenges
Available since January 2007
The challenge is to discover what applications are misconfigured or exploitable and to obtain unauthorized access to the root account
A list of possible vulnerabilities
Bad/weak passwords
Unnecessary services
ftp
telnet
rlogin
Unpatched services
Too much information available (contact info, and so forth)
Poor system configuration
Poor/no encryption methodology
Elevated user privileges
No Internet Protocol (IP) Security filtering
Incorrect firewall rules (plug in and forget?)
Clear-text passwords
Username/password embedded in software
No alarm monitoring
Well-known exploits are not included in the De-ICE challenges
Hackerdemia
designed to be a training platform where various hacker tools could be used and learned
Developed on Slax Linux
Open Web Application Security Project (OWASP)
www.owasp.org
One of the OWASP projects is WebGoat
categories of Web-based attack vectors within WebGoat
Code quality
Unvalidated parameters
Broken access control
Broken authentication and session management
Cross-site scripting (XSS)
Buffer overflows
Injection flaws
Insecure storage
Denial of service (DoS)
Insecure configuration management
Web services
AJAX security
Virtual Network Pentest Labs
Keeping It Simple
Cost is usually a driver in trying to keep personal labs small and manageable
There is also no need to maintain a large library of applications
Unless a personal lab retains any sensitive data, a lot of security controls can be eliminated
Virtualization Software
VMware
BackTrack
De-ICE
Protecting Penetration Test Data
Encryption Schemas
Data Encryption
Data Hashing
Securing Pentest Systems
Encrypt the hard drive
Lock hard drives in a safe
Store systems in a physically controlled room
Perform penetration tests against the pentest systems
Mobile Security Concerns
Wireless Lab Data
two separate labs should be created
a wireless lab designed to practice wireless hacking
a separate lab that can be used to conduct system attacks
Advanced Pentest Labs
Hardware Considerations
Routers
Firewalls
Firewall evasion is an advanced skill that needs practice
Stateful and stateless firewalls present different problems as well
Intrusion Detection
the most widely used IDS/IPS is the Open Source software application called Snort
This allows Nepenthes to harvest malware directly from Internet attacks
Information Analysis
tools
Wireshark
reverse engineering
Other Target Ideas
CTF Events
DefCon CTF
www.openctf.com
www.captf.com/wiki/Main_Page
Web-Based Challenges
www.hackthissite.org/
Crackmes.de
www.hellboundhackers.org
www.try2hack.nl/
Vulnerability Announcements
Methodologies & Frameworks
Information System Security Assessment Framework
the ISSAF is a peer-reviewed process that provides in-depth information about how to conduct a penetration test
a professional penetration tester will use most, if not all, of the tools described in the ISSAF
numerous examples of how tools are used within a pentest engagement
a serious problem with the ISSAF : lack of updates
the ISSAF document dates from 2006
layers
Information Gathering
Network Mapping
Vulnerability Identification
Penetration
Gaining Access and Privilege Escalation
Enumerating Further
Compromise Remote Users/Sites
Maintaining Access
Covering Tracks
targets
Networks
Hosts
Applications
Databases
phases
Planning and Preparation—Phase I
the steps to exchange initial information, plan, and prepare for the test
Before testing, a formal Assessment Agreement will be signed by both parties
Identification of contact individuals from both sides
Opening meeting to confirm the scope, approach, and methodology
Agree to specific test cases and escalation paths
Assessment—Phase II
Network Security
Password Security Testing
Switch Security Assessment
Router Security Assessment
Firewall Security Assessment
Intrusion Detection System Security Assessment
Virtual Private Network Security Assessment
Antivirus System Security Assessment and Management Strategy
Storage Area Network Security
Wireless Local Area Network Security Assessment
Internet User Security
AS/400 Security
Lotus Notes Security
Host Security
Unix/Linux System Security Assessment
Windows System Security Assessment
Novell Netware Security Assessment
Web Server Security Assessment
Application Security
Web Application Security Assessment
SQL Injections
Source Code Auditing
Binary Auditing
Database Security
Remote enumeration of databases
Brute-forcing databases
Process manipulation attack
End-to-end audit of databases
Social Engineering
Reporting, Clean-up, and Destroy Artifacts—Phase III
Reporting
types
verbal
written
the final written report
Management summary
Project scope
Penetration test tools used
Exploits used
Date and time of the tests
All outputs of the tools and exploits
A list of identified vulnerabilities
Recommendations to mitigate identified vulnerabilities, organized into priorities
Clean-up and Destroy Artifacts
Open Source Security Testing Methodology Manual
OSSTMM
Introduced to the Information System Security industry in 2000
The current release is version 3.0
maintained by the Institute for Security and Open Methodologies
www.isecom.org
Rules of Engagement
Project Scope
Confidentiality and Nondisclosure Assurance
Emergency Contact Information
Statement of Work Change Process
Test Plan
Test Process
Reporting
Channels
Human Security
Physical Security
Communications
Telecommunications
Data Networks
Network Surveying
Enumeration
Identification
Access Process
Services Identification
Authentication
Spoofing
Phishing
Resource Abuse
Modules
Phase I: Regulatory
Posture Review
Logistics
Active Detection Verification
Phase II: Definitions
Visibility Audit
Access Verification
Trust Verification
Controls Verification
Phase III: Information Phase
Process Verification
Configuration Verification
Property Validation
Segregation Review
Exposure Verification
Competitive Intelligence Scouting
Phase IV: Interactive Controls Test Phase
Quarantine Verification
Privileges Audit
Survivability validation
Alert and Log Review
Pentest Project Management
Quantitative, Qualitative, and Mixed Methods
Quantitative Analysis
we rely on numbers—and lots of them
Don’t always assume that the measurable data gathered are always correct.
Qualitative Analysis
Quantitative risk analysis relies strictly on measurable data.
The origin of an attack, for example
difference between threat and risk
a threat is something that can do damage to a system
The risk describes the likelihood and impact of the threat
The disadvantage: opinions can be biased and influenced by external factors
to prevent bias: use of anonymous submissions
Mixed Method Analysis
The use of just one method to determine metrics is insufficient
requires a larger amount of time and resources
Pentest findings need to be written to match stakeholder expectations
Management of a Pentest
Introduction to PMBOK
First published by the PMI in 1987
attempts to standardize project management practices and information
project life cycle
Initiating Process Group
Develop Project Charter
Identify Stakeholders
Planning Process Group
Develop Project Management Plan
Collect Requirements
translating business objectives into technical requirements
Limitations should also be collected
Define Scope
objectives
requirements
boundaries
assumptions
deliverables of a project
Create WBS
Work Breakdown Structure
actual work needs to be done to complete the project
The WBS is not a schedule
Sequence Activities
Estimate Activity Resources (type & quantities)
material
people
equipment
Estimate Activity Durations
Develop Schedule
Estimate Costs
the project may not be worth the cost compared to the revenue the project will generate
Determine Budget
Plan Quality
Develop Human Resource Plan
Plan Communications
Plan Risk Management
Identify Risks
Perform Qualitative Analysis
Plan Risk Responses
Plan Procurements
Executing Process Group
Direct and Manage Project Execution
Perform Quality Assurance
Acquire Project Team
Develop Project Team
Manage Project Team
Distribute Information
Manage Stakeholder Expectations
Conduct Procurements
Closing Process Group
Close Project or Phase
Close Procurements
Monitoring and Controlling Process Group
Monitor and Control Project Work
Perform Integrated Change Control
Verify Scope
Control Scope
Control Schedule
Control Costs
Perform Quality Control
Report Performance
Monitor and Control Risks
Administer Procurements
Project Team Members
Roles and Responsibilities
Team Champion
Project Manager
Pentest Engineers
Organizational Structure
Functional Organization
Matrix Organization
Projectized Organization
Project Management
Initiating Stage
processes
develop project charter
identify stakeholders
potential stakeholders
Client/Customer Organization
Project Sponsor
Point of Contact
Senior Management
Target System/Network Manager
Target System/Network Administrators
Network Administrators
Network Defense Administrators
Penetration Test Team
Project Manager
Functional Manager
Senior Management
Pentest Engineers
Procurement Department
Government Agencies
Local Law Enforcement
Local Law Enforcement Investigators
Federal Law Enforcement
Third-Party Groups
Internet Service Providers
Subject-Matter Experts/Consultants
Planning Stage
Executing Stage
Monitoring and Controlling
Closing Stage
Formal Project Review
Effort Evaluation
Identification of New Projects
Future Project Priority Identification
Overall security risk to the client
Cost of each project
Financial gain of each project
Length of time needed for each project
Skills needed to successfully complete each project
Staff/resource availability
Project sponsor/requestor
Solo Pentesting
Initiating Stage
Planning Process Stage
Collect Requirements
Define Scope
Estimate Activity Durations
Develop Schedule
Plan Quality
Plan Communications
Identify Risks
Plan Risk Responses
Plan Procurements
Executing Stage
Direct and Manage Project Execution
Manage Stakeholder Expectations
Closing Stage
ensures that all the reporting is completed
concludes the contract
Monitoring and Controlling
Monitor and Control Project Work
Verify Scope
Control Scope
Perform Quality Control
Monitor and Control Risks
Archiving Data
Should You Keep Data?
two schools
keep everything
keep nothing
Legal Issues
E-mail
some e-mails will contain sensitive data that should be protected
Proper encryption and access control mechanisms must be in place
Findings and Reports
Securing Documentation
Access Controls
Archival Methods
Archival Locations
Destruction Policies
Cleaning up Your Lab
Archiving Lab Data
Proof of Concepts
Malware Analysis
Creating and Using System Images
License Issues
Virtual Machines
“Ghost” Images
Creating a “Clean Shop”
Sanitization Methods Using Hashes
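The "Data Hashing" item under Protecting Penetration Test Data and the "Sanitization Methods Using Hashes" step of creating a clean shop both come down to the same check: record a hash of each clean lab image before an engagement and compare after clean-up, so that leftover client data or a tampered image is caught before the lab is reused. The block below is an added example written for these notes, not code from the original book or any named tool; the file names and contents are constructed on the fly in a temporary directory and are not real images.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-gigabyte VM images do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative path) to its SHA-256; taken when the lab is known clean."""
    return {
        str(path.relative_to(root)): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the lab against the clean manifest and report every deviation.

    modified   - a baseline image whose content no longer matches (re-image it)
    missing    - a baseline file that disappeared
    unexpected - a file that was not in the clean baseline (leftover engagement data)
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed walk-through: baseline a clean lab, dirty it, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # constructed stand-ins for a clean VM image and a notes file
        (root / "base.vmdk").write_bytes(b"constructed clean image bytes")
        (root / "notes.txt").write_bytes(b"lab notes")
        manifest = build_manifest(root)

        # simulate what an engagement leaves behind: the image was changed,
        # a new artifact appeared, and a baseline file was removed
        (root / "base.vmdk").write_bytes(b"constructed clean image bytes plus leftover client data")
        (root / "loot.db").write_bytes(b"leftover")
        (root / "notes.txt").unlink()

        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:>10}: {files}")
```

A lab is only "clean" when all three lists come back empty; in practice the clean manifest itself should be stored outside the lab (for example with the archived engagement records) so that a compromised lab host cannot rewrite its own baseline.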
Change Management Controls
Planning for Your Next Pentest
Risk Management Register
Creating a Risk Management Register
Prioritization of Risks and Responses
Knowledge Database
Creating a Knowledge Database
Sanitization of Findings
Project Management
Knowledge Database
Points of contacts internal to the company
Points of contacts of client organizations
Resource vendors
List of subject-matter experts
List of past team members and current contact information
Contracts
Statements of work
Project templates
After-Action Review
Project Assessments
Scheduling issues (too little time, too much time, and so forth)
Resource availability
Risk management
Project scope issues (too broad, too narrow, and so forth)
Communication issues
Team Assessments
Technical strengths
Technical weaknesses
Level of effort within each component of the project
Team training ideas
Time management skills
Obstacles that prevented effective teamwork
Overall opinion on productivity of the team
Training Proposals
Information Gathering
Passive Information Gathering
Web Presence
Tools
Web browser
Dogpile.com
Alexa.org
Archive.org
Shodanhq.com
dig
nslookup
Information
Web site address(es)
Web server type
Server locations
Dates, including “date last modified”
Web links—both internally and externally
Web server directory tree
Technologies used (software/hardware)
Encryption standards
Web-enabled languages
Form fields (including hidden fields)
Form variables
Method of form postings
Company contact information
Meta tags
Any comments within Web pages
E-commerce capabilities
Services and products offered
Exercise: gathering info about Nmap
Step 1 : google "Nmap"
Results
Nmap.org
Insecure.org
Sectools.org
Step 2 : Alexa "Nmap.org"
Alexa.org believes => Nmap.org and Insecure.org are related
Nmap.org permits subdomains
scanme.Nmap.org.
Step 3: nmap.org itself
Archive.org
allows to see how the Website has changed over the years
it often has information no longer available through Google
Archive.org does not provide the latest 6 months of archive
Turn Off All Access to Target System
Netcraft.com
Google
site:cgi.Insecure.org
Corporate Data
location
employee information
network information
Google maps
adjoining buildings
buildings across the street
entrances
window locations
ingress/egress routes
lighting
cameras
access controls
Google Earth
Bing maps
Whois and DNS
Whois
dig
query nameservers
dig ns nmap.org
nslookup
Additional Internet Resources
http://freenews.maxbaud.net
The target’s mail server should be investigated to determine if it has been listed in the SPAM database
If it has, it might indicate that the mail server had been compromised in the past
www.dnsbl.info
job sites
Active Information Gathering
DNS Interrogation
version number of the Berkeley Internet Name Domain (BIND)
ns1.titan.net
E-mail Accounts
Goal: create a list of users that reside on the system
helpful in any brute-force attack & login attempt
social engineering purposes
Perimeter Network Identification
Network Surveying
Goal: identify how many systems reside within the network and their associated IP address
Use Nmap
nmap -sF 192.168.1.1-255
Use netdiscover
Vulnerability Identification
Port Scanning
Target Verification
Active Scans
Ping
Msgs used to determine if the target is alive
Echo Request
Echo Reply
initial request: set the Type field to 8 and send it
If the target system is alive, it returns an echo reply with the Type field set to 0
Results are not always accurate => protection against random scans
nmap -sP 192.168.1.123
ICMP echo request
TCP ACK packet
nmap -sP 192.168.1.0/24
Passive Scans
UDP Scanning
disadvantages
slow when compared to TCP scans
most exploitable applications use TCP
possible results returned (UDP scan)
Open
the existence of an active UDP port
Open/filtered
No response was received
Closed
“port unreachable”
Filtered
If OPEN or CLOSED => the target is ALIVE
If OPEN/FILTERED or FILTERED => IPS or Firewall is intercepting => We need to adjust our attack
UDP scans are not something most firewall administrators think about
TCP Scanning
TCP Connect Scan (-sT)
most reliable method of determining port activity
complete three-way TCP handshake
may be noticed by IDSes
advantage: we will know for certain whether an application is truly present or not
TCP SYN Stealth Scan (-sS)
creates a half-open connection
this might help against IDSes
advantage: speed
Perimeter Avoidance Scanning
ACK Scan (-sA)
send an ACK to the target system
firewall will assume a communication channel that already exists
Null Scan Attack (-sN)
FIN (-sF) and Xmas Tree (-sX) Scans
System Identification
Active OS Fingerprinting
Nmap can scan a system and identify the OS
nmap -O 192.168.1.100
Another tool we can use is xprobe2
xprobe2 -p tcp:80:open 192.168.1.100
Passive OS Fingerprinting
Requires a lot of patience
Objective: Capture TCP packets stealthily
p0f Scan
ARP poisoning attack
Services Identification
Banner Grabbing
Launch Nmap with the -sV option to grab banner information from applications
Banner grabbing using Telnet
Enumerating Unknown Services
Connect to the ports manually and see what type of information is returned
After we connect (using Netcat), we can send random data
nc pWnOS 1000
Connecting to target using smbclient.
Vulnerability Identification
http://nvd.nist.gov/
If we were simply conducting a risk assessment without conducting a penetration test, this is where we would probably stop
Vulnerability Exploitation
Introduction
In this chapter, we'll allow automated tools to do for us the same thing we did by hand in chapter 7
Without understanding how to gather the application and OS version information yourself, you cannot accurately understand how automated tools gather the same information
If we want to call ourselves professionals, we cannot simply allow our tools to do our work for us
four steps
Find proof of concept code/tool
Test proof of concept code/tool
testing the exploit against a test server first
we really cannot know what will happen when we launch the exploit, unless we examine the code first, or test it within a test environment
an exploit can have different results, including crashing the target and losing all data and functionality
Write your own proof of concept code/tool
Use proof of concept code/tool against target
Automated Tools
The top 10 vulnerability scanners
Nessus (open source/commercial)
OpenVAS (open source)
Core Impact (commercial)
Nexpose (commercial)
GFI LanGuard (commercial)
QualysGuard (commercial)
MBSA (open source)
Retina (commercial)
Secunia PSI (open source)
Nipper (commercial)
Vulnerability exploitation tools
Metasploit (open source/commercial)
Core Impact (commercial)
sqlmap (open source)
Canvas (commercial)
Netsparker (commercial)
Nmap Scripts
/usr/share/nmap/scripts
To invoke these scripts, we need to use the -A flag
nmap -A 10.0.3.125
Default Login Scans
Frequent issue: The use of default or weak passwords on applications
There are multiple tools we can use: Medusa, Hydra...
any application launched in Microsoft Windows can be detected by looking at the processes running on the system
Two options
Delete the entire log
Modify the content
Two types of logs
System generated
Application generated
Targeting Support Systems
Database Attacks
First step: Nmap scan using the -A flag
Take a look at the exploits and modules available in Metasploit
First thing to check: weak passwords
We can use our own dictionaries to conduct a brute-force attack
Network Shares
Targeting The Network
Wireless Network Protocols
Wi-Fi Protected Access Attack
Set in monitor mode
airodump-ng
Basic Service Set Identifier (BSSID)
Extended Service Set Identifier
Station (client) MAC addresses:
aireplay-ng
deauthenticate connected clients from a target access point, requiring the clients to reconnect and reauthenticate using the WPA handshake
Dictionary attack against the encrypted key
aircrack-ng
Decipher our captured WPA encrypted key
WEP Attack
Cracking WEP involves capturing all IVs between the client and the AP
IVs are blocks of bits that are used to differentiate users on the wireless network
IVs eliminate the need for users to constantly reauthenticate
Eventually, an authenticated user will reuse an IV because the number of bits used is limited
If enough IVs are captured, it is possible to decipher
WEP encryption can be broken regardless of the encryption key complexity
Simple Network Management Protocol
UDP scan
Brute-force attack of SNMP community strings.
“snmpenum.pl” script to dump data from the target system
Modifying hostname using “snmpset.”
Web Apps Attack Techniques
SQL Injection
technique used for manipulating Web services that send SQL queries to an RDBMS to alter, insert, or delete data in a database
SQL injections work more often than they should
SELECT * FROM user_data WHERE last_name = 'Tom' OR '1' = '1'
display the user_data associated with the user TOM
give us everything because 1 = 1
SQL injections are perfect examples of weaknesses in Integrity Controls
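The query above works because the application builds SQL by pasting the user's input into the statement text, so the quote in the input closes the string and the rest is parsed as SQL. The added example below (written for these notes, not code from the original book) reproduces that with a constructed user_data table in an in-memory SQLite database, then shows the parameterized form of the same lookup, where the identical input is compared as data and returns nothing.

```python
import sqlite3

# Constructed sample rows (not from the original notes) for a user_data table
# like the one named in the example query.
SAMPLE_ROWS = [
    ("Tom", "tom@example.invalid"),
    ("Jane", "jane@example.invalid"),
    ("Dave", "dave@example.invalid"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data (id INTEGER PRIMARY KEY, last_name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO user_data (last_name, email) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, last_name: str) -> list:
    """Vulnerable lookup: the user-supplied value is spliced into the SQL text,
    so an input such as  Tom' OR '1'='1  rewrites the WHERE clause itself."""
    query = f"SELECT last_name, email FROM user_data WHERE last_name = '{last_name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, last_name: str) -> list:
    """Hardened lookup: the value is bound as a query parameter, so the database
    compares it as a plain string and never parses it as SQL."""
    return conn.execute(
        "SELECT last_name, email FROM user_data WHERE last_name = ?", (last_name,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    injected = "Tom' OR '1'='1"
    print("vulnerable, normal input:   ", lookup_vulnerable(db, "Tom"))
    print("vulnerable, injected input: ", lookup_vulnerable(db, injected))
    print("parameterized, injected:    ", lookup_parameterized(db, injected))
```

The parameterized version is the fix the report should recommend for every finding of this kind; input filtering alone is a weaker control because it has to anticipate every quoting trick, whereas binding the value removes the parsing step the injection depends on.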
Cross-Site Scripting
Gather session information of a victim user, Ex: administrator
It is sometimes possible to conduct a replay attack—using the session information
Injecting “Alert” script into database
Once saved, an alert window will appear with the session ID information
After we have successfully injected our script we wait until someone else visits Tom’s information
use JavaScript or another programming language that embeds into HTML to send the session ID
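The stored-script injection described above only works because the page echoes the saved field into HTML unchanged. The added example below (written for these notes, not code from the original book) renders a constructed profile field two ways, raw and entity-encoded, and adds the cookie-attribute check a reviewer would apply, since a session cookie marked HttpOnly is not readable through document.cookie even when an injection slips through.

```python
import html

# Constructed sample input (not from the original notes); it mirrors the "alert"
# injection described above, but reads the session cookie instead of a fixed string.
PAYLOAD = "<script>alert(document.cookie)</script>"


def render_profile_vulnerable(display_name: str) -> str:
    """Vulnerable rendering: the stored field is echoed into the page unchanged,
    so any markup in it is parsed and executed by the visitor's browser."""
    return f"<p>Profile of {display_name}</p>"


def render_profile_escaped(display_name: str) -> str:
    """Hardened rendering: HTML special characters are entity-encoded, so the
    browser displays the payload as text instead of running it."""
    return f"<p>Profile of {html.escape(display_name, quote=True)}</p>"


def contains_script_tag(markup: str) -> bool:
    """Crude check used only to show the difference between the two renderings."""
    return "<script" in markup.lower()


def cookie_attributes(set_cookie: str) -> set:
    """Return the lower-cased attribute names of a Set-Cookie header value."""
    parts = [part.strip() for part in set_cookie.split(";")]
    return {part.split("=", 1)[0].lower() for part in parts[1:] if part}


def session_cookie_is_hardened(set_cookie: str) -> bool:
    """Defence in depth: HttpOnly keeps the session id out of document.cookie,
    Secure keeps it off clear-text connections."""
    return {"httponly", "secure"} <= cookie_attributes(set_cookie)


if __name__ == "__main__":
    print(render_profile_vulnerable(PAYLOAD))
    print(render_profile_escaped(PAYLOAD))
    print(session_cookie_is_hardened("session=abc123; HttpOnly; Secure; SameSite=Lax"))
```

Output encoding belongs at the point where data is written into HTML, not at input time: the same stored value may later be placed in a JavaScript string or a URL, each of which needs its own encoding.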
Web Application Vulnerabilities
How
Identify applications running on ports, usually port 80 or 443 for Web apps
Find version information (if possible)
Look for exploits on the Internet.
Run the exploits against the target application
Top 10 attack vectors
Injection (including SQL injections)
Broken Authentication and Session Management
Insecure Direct Object References
Security Misconfiguration
Sensitive Data Exposure
Missing Function Level Access Control
Cross-Site Request Forgery (an attack that targets a victim’s browser)
Using Known Vulnerable Components
Unvalidated Redirects and Forwards
Automated Tools
CORE IMPACT
HP WebInspect
Nikto
Paros Proxy
Burp Suite Pro
A proxy server
A spider tool
A vulnerability scanner
A repeater tool
A sequencing tool
Reporting Results
What Should You Report?
Out of Scope Issues
Findings that are discovered during the course of the pentest on a target
Findings that indicate systemic flaws in the overall architecture
Findings
We need to include what was not found as well
There will be times when a finding needs to be reported on immediately.
Solutions
Believe it or not, clients like to be told what to do.
Manuscript Preparation
Title Page
Introduce the topic of the report
Introduce author and the penetration test team’s organization
Great place to brandish logos and make everything look appealing
Primary goal: Provide a clear message of what the report is about
Abstract
The abstract is the executive summary
The executive summary should be no longer than one page and contain concise analysis and findings
Text
elements
Description of the target network or system
Vulnerability findings
Remediation
we should include a graphical representation of the architecture and include descriptions of each element
Vulnerability findings and remediation options should be meshed together
References
we should provide the reader Internet references regarding the vulnerabilities
The National Vulnerability Database, located at http://nvd.nist.gov, is a good choice
Appendices
At least two appendices
a list of definitions
The step-by-step events surrounding each vulnerability exploitation
Initial Report
Peer Reviews
We all make mistakes, especially when writing.
Fact Checking
We can generate a list of questions that we need to answer, or we can send a copy of the initial report to the client so that they can verify all statements within the document
Metrics
Nessus
CORE IMPACT
Final Report
Peer Reviews
it is often prudent to conduct additional peer reviews on the report
This is our last chance to correct any grammatical errors
Documentation
Most customers are comfortable with receiving printed reports
Microsoft Word documents, or Adobe’s Portable Document Format (PDF)
If we already have a digital certificate, we can use it to sign our document
Selecting file for inclusion into security envelope.
Hacking as a career
Career Paths
Network Architecture
make sure that you understand as many different facets of network architecture as you can if you want to become a pentest engineer
Learn about
Communication protocols
VoIP
routers
switches
IDS
firewall
wireless
Transmission Control Protocol (TCP)
and anything else you can think of
System Administration
Applications and Databases
Certifications
High-Level Certifications
(ISC)2
www.isc2.org
About (ISC)2
Headquartered in the United States
offices in
London
Hong Kong
Tokyo
compendium
Associate of (ISC)2
This designation was created for individuals who do not meet the experience requirements to obtain any of the other certifications with (ISC)2
It signals to an employer that the associates have the knowledge to obtain the certifications, even if they don’t have the experience
SSCP [(ISC)2]
Access Controls
Analysis and Monitoring
Cryptography SSCP
Malicious Code
Networks and Telecommunications
Risk, Response, and Recovery
Security Operations and Administration
Certification and Accreditation Professional (CAP)
Understanding the Purpose of Certification
Initiation of the System Authorization Process
Certification Phase
Accreditation Phase
Continuous Monitoring Phase
Certified Secure Software Lifecycle Professional (CSSLP) [(ISC)2]
Secure Software Concepts
Secure Software Requirements
Secure Software Design
Secure Software Implementation/Coding
Secure Software Testing
Software Acceptance
Software Deployment, Operations, Maintenance, and Disposal
CISSP [(ISC)2]
Access Control
Application Security
Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
Cryptography
Information Security and Risk Management
Legal, Regulations, Compliance, and Investigations
Operations Security
Physical (Environmental) Security
Security Architecture and Design
Telecommunications and Network Security
CISSP-ISSAP [(ISC)2]
Access Control Systems and Methodology
Cryptography
Physical Security Integration
Requirements Analysis and Security Standards, Guidelines and Criteria
Technology-Related BCP and DRP
Telecommunications and Network Security
CISSP-ISSEP [(ISC)2]
C&A
Systems Security Engineering
Technical Management
U.S. Government Information Assurance Regulations
CISSP-ISSMP [(ISC)2]
BCP and DRP and Continuity of Operations Planning
Enterprise Security Management Practices
Enterprise-wide System Development Security
Law, Investigations, Forensics, and Ethics
Overseeing Compliance of Operations Security
Information Systems Audit and Control Association
Certified Information Systems Auditor
Certified Information Security Manager
Global Information Assurance Certification
GIAC Security Leadership Certification
GIAC Security Expert
CompTIA
Security+
Network security
Compliance and operational security
Threats and vulnerabilities
Application, data, and host security
Access control and identity management
Cryptography
Project Management Institute
Project Management Professional (PMP)
Initiation
Planning
Executing
Monitoring and Controlling
Closing
Dynamic Systems Development Method Consortium
Skill- and Vendor-Specific Certifications
Cisco
Cisco Certified Network Associate Security
Cisco Certified Network Professional Security
Cisco Certified Internetwork Expert
Global Information Assurance Certification
GIAC Information Security Fundamentals
GIAC Security Essentials Certification
GIAC Web Application Penetration Tester (GWAPT)
GIAC Certified Enterprise Defender (GCED)
GIAC Certified Firewall Analyst (GCFW)
GIAC Certified Intrusion Analyst (GCIA)
GIAC Certified Incident Handler (GCIH)
GIAC Certified Windows Security Administrator (GCWN)
GIAC Certified UNIX Security Administrator (GCUX)
GIAC Certified Forensics Analyst (GCFA)
GIAC Certified Penetration Tester (GPEN)
Check Point
Check Point Certified Security Administrator
Check Point Certified Security Expert
Check Point Certified Managed Security Expert
Check Point Certified Master Architect (CCMA)
Juniper Networks
JNCIA-Junos (Juniper Networks)
Juniper systems certifications JNCIS-SEC
JNCIE-SEC
Oracle
Associations and Organizations
Professional Organizations
American Society for Industrial Security
Institute of Electrical and Electronics Engineers
ISACA
Information Systems Security Association
The Open Organisation of Lockpickers
Conferences
DoD Cyber Crime Conference
Network and Distributed System Security
ShmooCon
GOVSEC and U.S. Law Conference
Theory of Cryptography Conference (TCC)
IEEE Symposium on Security and Privacy
The International Conference on Dependable Systems and Networks (DSN)
REcon (Reverse Engineering Convention)
Black Hat
Computer Security Foundations Symposium
Hackers on Planet Earth (HOPE)
DefCon
International Cryptology Conference
USENIX Security Symposium
European Symposium on Research in Computer Security
International Symposium on Recent Advances in Intrusion Detection
ToorCon
Internet Measurement Conference (IMC)
Microsoft BlueHat Security Briefings
Association for Computing Machinery (ACM) Conference on
Computer and Communications Security