Graduate Program KB

Penetration Testing Talking Script

What Is Penetration Testing?

  • Often referred to as "pen testing", is a proactive approach to assessing the security of a system by simulating various types of attacks with the end goal being to strengthen the system.
  • Pen testing is typically conducted by external parties such as ethical hackers or security firms, but can also be performed by in-house specialists.
  • The key parts of a penetration test include simulating attacks, thorough testing, detailed documentation, and recommendations or fixes for the findings.
  • It isn't uncommon to have unauthorised individuals (known as "grey hat" hackers) to report vulnerabilities for a fee, this is known as bug bounty hunting.

Roles In Pen Testing

  • Team Red: Attackers
  • Team Blue: Defenders
  • Team Purple: A mixture of both.
    • Either doing both the roles to test a system or facilitates that collaboration between the 2.

A Day in the Life of a Pen Tester

  • A typical day in the life of a pen tester could look something like this: (next slide)

    • Begin with Reconnaissance:
      • Perform passive and active information gathering
      • Passive information gathering refers to gathering information without making contact with the target system.
        • An example of this could be browsing the company website for information and querying search engines for information about the company.
        • This is passive since you are not directly interacting with the system you are going to test.
      • Active information gathering involves interacting with the system:
        • An example of this could be conducting some social engineering with staff members to try and trick them into giving you privileged information.
        • Another example could be to use nmap to find open ports and applications on a desired remote system.
      • A key point to remember here is that we are not performing any attacks or testing in this stage, simply gathering information.
      • That said it is important to note that without correct permissions to test a system, it is not wise to actively query it.
      • There are lots of tools available some more broad, and some more specific. It's all about making a decision based on what's presented to you.
    • Then a Vulnerability Assessment would commence:
      • Is a separate type of test to a penetration test although, it is commonly used in conjunction to provide a more complete analysis, so it is common for a penetration tester to conduct one.
      • Involves using automated tools to scan the system for vulnerabilities regardless of whether they can be exploited to actually cause damage or not.
      • In essence a vulnerability assessment finds flaws and vulnerabilities and the actual penetration test exploits them.
    • Exploitation:
      • The next logical step now after collecting all necessary information and identifying vulnerabilities, is to now exploit them and try to gain unauthorized access.
      • This step can provide the most value as it emphasises weak points in the system and highlights the damage that having said weak point could cause.
    • Detailed Reports:
      • Arguably the most crucial part, and the truth is in the detail.
      • A detailed report of all the findings and paths taken to achieve them is the most important part.
      • Collating all the information found into a digestible format for businesses to make educated and informed decisions going forward is the entire point of this exercise.
    • Continuous Learning:
      • Although these tasks most likely would be carried out over a couple days, this is the type of stuff that a penetration tester does.
      • In between these tasks a pen tester, much like a developer or anyone in the tech space, must continue to learn and stay up to date with the latest technology and threats.

  • It is a common misconception to view these steps as a chain, referred to as the "Kill Chain", whereas it is much more logical to think of it as a cycle.

  • You don't just conduct reconnaissance once and then move on. Once you crack a layer of the system, you need to do reconnaissance again to figure out where you can go next.

Common Targets and Red Flags

  • It is important to distinguish between what a vulnerability and a weakness is (refer to slide)
  • Some common attack categories include:
    • Network attacks: Exploit vulnerabilities in network configurations, protocols, or services to intercept, manipulate, or disrupt data transmission
    • Web attacks: Target web applications by exploiting flaws like SQL injection, cross-site scripting (XSS), or authentication bypass to compromise functionality or data.
    • Privilege escalation: Leverage system misconfigurations or vulnerabilities to elevate access rights, gaining unauthorized administrative or root-level privileges.
    • Credential attacks: Exploit weak or leaked credentials using brute force, dictionary attacks, or phishing to gain unauthorized system access
    • DoS: Overwhelm a target system or network with excessive traffic or resource-heavy requests to render it unavailable to users.
    • Wireless attacks: Compromise wireless networks by exploiting encryption weaknesses or conducting rogue access point attacks.
    • Social engineering attacks: Manipulate individuals to disclose sensitive information or perform actions that compromise security, often bypassing technical defenses.

Vulnerabilities vs Weaknesses

  • A vulnerability is a software code flaw or system misconfig that attackers can exploit.
  • A weakness refers to specific issues that reduce a system's security, even of no exploit has been identified.

Common Attack Categories

  • Network attacks
  • Web attacks
  • Privilege escalation
  • Credential attacks
  • DoS
  • Wireless attacks
  • Social engineering attacks

Web Application Vulnerabilities

SQL Injection

  • Is a web based attack which involves users inputting "smart" data into forms to access the systems database.
  • The goal is to obtain data that shouldn't be able to be retrieved, like say user passwords.
  • You stop these attacks by sanitising the input on your forms so that fetching user input can't result in unexpected queries.
  • Some common types include: (refer to slides)
  • Classic SQL Injection: exploits simple input input fields to extract or manipulate data.
  • Blind SQL Injection: exploits when an application doesn't display direct output but reveals info indirectly.
  • Time-based SQL Injection: Uses delays in responses to infer data.

XSS

  • Another type of injection attack occurs when an attacker uses a web application to inject malicious scripts.
  • They can be mitigated similar to SQL injections, by sanitising the input.
  • refer to slides for types
  • Attackers will conduct such an attack to try and steal cookies, session tokens or other sensitive data that is stored when you browse the web.
  • Some common targets include input fields, search bars, comment sections, or URL parameters.

CSRF

  • Allows an attacker to induce users to perform actions that they do not intend to perform and also partly circumvent the same origin policy.
  • The same origin policy is designed to prevent different websites from interfering with each other, it helps to isolate potentially malicious documents, reducing attack vectors.

Network Vulnerabilities

Open Ports

  • This is a weakness
  • Is like accidentally leaving the door unlocked.
  • One entry point will allow someone unwanted to come in.
  • It's important to reduce the attack surface.

Weak Protocols

  • Protocols like FTP, file transfer protocol, and Telnet pose network vulnerabilities due to their lack of modern security features.
    • They send data without encryption, making sensitive data such as passwords vulnerable to packet sniffers like Wireshark.
    • Without encryption, attackers can execute man in the middle attacks.
    • Both protocols rely on static credentials which are vulnerable to brute force attacks.
    • They're aren't mechanisms to ensure data integrity.
    • Vulnerable to Replay Attacks, as FTP and Telnet don't secure session tokens or credentials, authentication data can be replayed to gain access.
  • If FTP is used to transfer sensitive data, attackers can steal or alter these files.
  • If Telnet is used to manage network devices, attackers can take control of routers and servers disrupting the entire network.

Mitigation Strategies

  • Replace the weak protocols:
    • FTP -> SFTP
    • Telnet -> SSH
  • Implement encryption with TLS/SSL
  • Implement MFA and practice good password habits.
  • Access Control with file permissions and firewall rules.
  • Monitor and audit network traffic and logs for signs of suspicious activity.

System Weaknesses

  • Outdated software and unpatched systems refer to applications, operating systems, firmware, etc. that are no longer updated, leaving them vulnerable to known exploits.
  • These systems could contain publicly disclosed vulnerabilities.
    • Essentially making them easy targets for attackers.
  • We can mitigate this by using Reconnaissance tools to identify the out of date software and update/patch it.
  • You can use Intrusion Detection Systems (IDS) to help monitor for exploit attempts targeting outdated systems.

Human Factor

Social Engineering

  • Manipulating individuals into divulging confidential information or performing actions that compromise security.
  • Identifies weaknesses in human defences and provides actionable insights to strengthen policies and training programs.
  • The main mitigation strategy is to train employees and spread awareness.

Phishing

  • A form of social engineering that involves sending deceptive messages to trick users into revealing sensitive information or installing malicious software.
  • Different types:
    • Email phishing: sending fake emails mimicking trusted sources.
    • Spear phishing: phishing directed at specific individuals or roles.
    • Pretexting: Creating a fabricated scenario to extract information (eg. posing as IT support).
    • Baiting: Luring victims with physical or digital "bait" (eg. USB drive with malicious files).

Common Tools and Techniques

There are many tools out there, I will just mention a few of them and then take a small slice of those mentioned to go into more depth with in our demo.

  • A common and powerful network scanning tool is nmap:
    • Used to discover hosts and services on a computer network.
    • Great for mapping network topology (physical and logical structure of a network) and identifying vulnerabilities.
    • Main features include network discovery, port scanning, service identification, OS detection, it's also scriptable using NSE (Nmap Scripting Engine).
  • Shodan:
    • A search engine for internet-connected devices.
    • Used to identify exposed devices, IoT systems, and servers for vulnerability assessments.
    • Main features include device and service fingerprinting, real-time monitoring, and API integration for automation.
    • Click here for more
  • OSINT Framework:
    • Is a collection of tools and resources for Open-Source Intelligence gathering.
    • It really helps gather publicly available data faster for reconnaissance during a pen test.
    • It's pretty cool, Click here for more.
  • Nessus:
    • A tool that scans for vulnerabilities such as:
      • Software flaws.
      • Missing patches.
      • Malware.
      • Misconfigurations across multiple different OS, devices, and apps.
    • Also provides a variety of vulnerability scoring systems.
    • Click here for more
  • OpenVAS:
    • Another vulnerability scanner capable of unauthenticated and authenticated testing, different levelled internet and industrial protocols, performance tuning for large scale scans, and its own internal programming language to implement any type of vulnerability test.
  • Nikto:
    • Open source web server scanner.
    • Performs vulnerability scanning against web servers for items such as:
      • Dangerous files and programs
      • Outdated versions of web server software.
      • Server configuration errors and the possible vulnerabilities associated with it.
  • Metasploit:
    • Open source web server scanner.
    • Performs vulnerability scanning against web servers for items such as:
      • Dangerous files and programs
      • Outdated versions of web server software.
      • Server configuration errors and the possible vulnerabilities associated with it.
    • Some useful items that metasploit includes are:
      • Exploit tools to take advantage of weak systems.
      • Payloads of malicious code that can be used for tests.
      • Encoders for converting code or information.
      • Listeners (malicious software that hides in order to gain access.)
      • Shell code that is programmed to activate once it gets inside its target.
      • Post-exploitation code, which is real useful for testing deeper into the system once inside.
  • Exploit-DB
    • Is a online public database maintained by Offensive Security.
    • It contains vulnerabilities and their associated exploits and proof-of-concept code.
    • Can be a valuable resource if trying to test a specific vulnerability.
    • Click here for more
  • Mimikatz:
      • Is an open-source application that allows users to view and save authentication credentials.
    • Is a threat actor tool, commonly used for stealing passwords.
    • Click here for more
  • Powershell Empire
    • Is a PowerShell post-exploitation tool.
    • It allows you to run PowerShell scripts in memory and make a connection back to your machine.
    • This can be used to get elevated privileges and extract passwords using Mimikatz.
    • In summary, it can be thought of as similar to Metasploit but specific to PowerShell.
    • Click here for more
  • Burp Suite:
    • Is a proprietary software tool for security assessment and penetration testing of web apps.
    • Developed by Portswigger.
    • It aims to be an all in one set of tools and its capabilities can be enhanced by installing add-ons called BApps.
    • It's popular among professional web app security researchers and bug bounty hunters.
    • Click here for more
  • OWASP ZAP
    • Free and open-source web app scanner.
    • Some security functions ZAP is capable of include:
      • Passively scanning web requests.
      • Using dictionary lists to search for files and folders on web servers.
      • Using crawlers to identify a site's structure and retrieve all links and URLs.
    • Click here for more
  • Aircrack-ng:
    • A complete set of tools to assess WiFi network security.
    • Areas of focus include:
      • Monitoring: Capturing packets and export of data to text files for further processing by 3rd party tools.
      • Attacking: Replay attacks, de-authentication, fake access points and packet injection.
      • Testing: Checking WiFi cards and driver capabilities.
    • All tools are command line which allows for heavy scripting, lots of GUIs take advantage of this.
    • A replay attack is when a malicious actor captures and retransmits valid data to achieve fraudulent authentication.
    • Click here for more
  • Wireshark:
    • A very popular network protocol analyser.
    • Allowing you to see what's happening on your network at a microscopic level.
    • Some of the many features:
      • Inspection of protocols.
      • Live capture and offline analysis.
      • Powerful display filters.
      • Rich VoIP analysis, Voice over Internet Protocol
      • many more
  • John the Ripper:
    • A general purpose password cracker that is easy to start using.
    • Suited for single machine set ups.
    • Slow for large data sets
    • Click here for more
  • Hashcat:
    • Another popular password cracker and recovery tool.
    • Much faster than John the ripper.
    • Highly configurable.
    • Slightly more complex to use than John the ripper.
    • Click here for more

Reconnaissance Tools

  • Active: Nmap, Nessus, openVAS, Nikto, Metasploit, Burp suite, OWASP ZAP.
  • Passive: Shodan, OSINT Framework, Wireshark

Vulnerability Assessment

  • Dedicated Scanners: Nessus, OpenVAS, Nikto
  • Reconnaissance Adapted: NSE scripts, Shodan, exploit-db
  • Web App Vulnerabilities: OWASP ZAP, Burp Suite
  • Post-exploration tools: Metasploit
  • Traffic analysis: Wireshark, aircrack-ng

Exploitation

  • Frameworks: Metasploit, Empire
  • Password cracking: hashcat, john the ripper
  • Credential harvesting: Mimikatz

Further Learning

Return