Mapping the Pentester's Mind - 0 to Root in 60 Min

  • 7/31/2019 Mapping the Pentester's Mind - 0 to Root in 60 Min

    Mapping The Penetration Tester's Mind

    0 to Root in 60 Min

    #MappingThePenTestersMind

    Methodology

    Introduction

    Technical Walkthrough of Testing

    Tools

    Further Learning

    Questions

    Who is this guy in front of me??

    GOOD Question

    Background:
    Penetration Tester for 12 years
    Network Engineer for 13 years
    In IT for 15 years
    Regulatory Technology Tester 5 years
    Specializes in mobile technologies and communications
    Social Engineering
    Physical Security

    Talks:
    NotACon
    Secure360
    SecurityBSides: Chicago, Rochester, Dallas-Fort Worth, Los Angeles, Las Vegas
    DeepSec
    SecTor
    ISSA / ISACA Meetings
    Hacker Space Invitationals

    Publications:
    Mapping The Penetration Tester's Mind: An Auditor's Introduction to PenTesting (Book) - Late 2012
    Mapping The Penetration Tester's Mind: An Auditor's Introduction To PenTesting (Presentation) - 2012
    Mapping The Penetration Tester's Mind: 0 to Root in 60 Min - 2012
    Weaponizing The Smartphone: Protecting Against The Perfect WMD - 2011
    Weaponizing The Smartphone: Deploying The Perfect WMD - 2011
    Don't Bite The ARM That Feeds You: Integrating Mobile Technologies Securely Into Mature Security Programs - 2011
    Bond Tech: I Want More Than Movie Props - 2011

    INTRODUCTION

    What is a penetration test?

    A penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (who do not have an authorized means of accessing the organization's systems) and malicious insiders (who have some level of authorized access). The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, both known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities.

    Wikipedia

    Penetration tests are valuable for several reasons:
    Determining the feasibility of a particular set of attack vectors
    Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence
    Identifying vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software
    Assessing the magnitude of potential business and operational impacts of successful attacks
    Testing the ability of network defenders to successfully detect and respond to the attacks
    Providing evidence to support increased investments in security personnel and technology

    Wikipedia

    Testing Types

    White Box Testing

    In penetration testing, white-box testing refers to a methodology where an ethical hacker has full knowledge of the system being attacked. The goal of a white-box penetration test is to simulate a malicious insider who has some knowledge and possibly basic credentials to the target system.

    Black Box Testing

    In penetration testing, black-box testing refers to a methodology where an ethical hacker has no knowledge of the system being attacked. The goal of a black-box penetration test is to simulate an external hacking or cyber warfare attack.

    Wikipedia

    METHODOLOGY

    Reconnaissance

    Using non-intrusive methods to enumerate information about the network under test. DNS, Whois and Web searching are used.

    Objective: To enumerate the target organization's Internet Footprint, which represents the sum of all active IP addresses and listening services, and to identify potential vulnerabilities.

    Network Surveying & Vulnerability Scanning

    This is the process of refining the target list produced during the passive reconnaissance phase by using more intrusive methods such as port scanning, service and OS fingerprinting, and vulnerability scanning. Nmap, Nexpose and other scanning tools are used.

    Objective: To obtain visibility in the network, determining which devices are targets and enumerating possible threats to the network.

    Vulnerability Research & Verification

    In this phase, a vulnerability scanner is run against the devices gathered in previous phases.

    Objective: To take knowledge gathered in previous phases and check for known vulnerabilities and configuration errors.

    Objective: To obtain access, through configuration errors and vulnerability exploitation, to services and devices that are not otherwise available.

    Password Attacks

    Services with authenticated logins are tested against a username and password list created in previous phases.

    Objective: To verify that password policies, best practices, and complexity requirements are in use and properly enforced.

    Reporting and Analysis

    In this phase, the results found during the automated and manual aspects of the assessment are analyzed.

    Objective: To build a deliverable containing the greatest risks to the organization being tested.

    TOOLS

    Mapping The PenTester's Mind

    Who should do the test?

    Interview the vendor AND the Tester
    Experience Levels of the Tester
    Free range
    Enterprise class
    Know the data retention policy
    Create a relationship with your tester: they are your guide, not only an employee or consultant

    DISCOVER TARGETS

    Metasploit Scanning

    Nexpose Scanning

    EXECUTE ARP POISON

    EXPLOITATION

    MS08-067

    CREDENTIAL AND HASH COLLECTION

    COLLECTING CREDENTIALS - SMB

    PASS-THE-HASH

    (NOT THAT KIND)

    PSEXEC WITH A LOCAL ACCOUNT HASH

    CREATE LOCAL ADMINISTRATOR ACCOUNT

    REMOTE DESKTOP VIA RAPID7 LOCAL ADMIN

    PSEXEC WITH DOMAIN ADMIN ACCOUNT

    SESSIONS CREATED WITH CREATED DOMAIN ADMIN

    LOCAL ACCESS

    I trust ALL of my contractors

    BOOT FROM USB

    BOOT TO UNAUTHORIZED OS

    Taking a step-by-step approach makes the expansiveness of a network become very narrow, and a single vulnerability can lead to a larger problem.
