02 Introduction to Pentesting

Introduction¶

A Penetration test or pentest is an ethically-driven attempt to test and analyse the security defences to protect these assets and pieces of information.
A penetration test involves using the same tools, techniques, and methodologies that someone with malicious intent would use and is similar to an audit.

Hackers are sorted into three hats, based on their ethics and motivations behind their actions.
White hats
Grey hats
Black hats

The ROE is a document that is created at the initial stages of a penetration testing engagement.
This document consists of three main sections.
Permission - This section gives explicit permission for the engagement to be carried out.
Test Scope - This section will annotate specific targets to which the engagement should apply.
Rules - This section will define exactly the techniques that are permitted during the engagement.

The steps a penetration tester takes during an engagement is known as the methodology.
The steps involved in a typical penetration test are as below
Information Gathering
Enumeration/Scanning
Exploitation
Privilege Escalation
Post-exploitation

This stage involves collecting as much publicly accessible information about a target as possible.
Example: OSINT and research.
This does not involve scanning any systems.

This stage involves discovering applications and services running on the systems.
For example: Finding open ports, finding a web server that may be potentially vulnerable.

This stage involves leveraging vulnerabilities discovered on a system or application.
This stage can involve the use of public exploits or exploiting application logic.

After exploitation, privilege escalation is an attempt to expand your access to a system.
There are two types of privilege escalations.
Horizontal escalation: Accessing another account of the same permission group (i.e. another user)
Vertical escalation: Accessing another permission group (i.e. an administrator).

This stage includes the following
What other hosts can be targeted (pivoting).
What additional information can we gather from the host now that we are a privileged user.
Covering your tracks.
Reporting.

The Open Source Security Testing Methodology Manual - https://github.com/mtesauro/owasp-wte/blob/master/temp-projects/wte-docs/contents/usr/share/doc/WTE-Documentation/OSSTMM/OSSTMM.3.pdf
The methodology focuses primarily on how these systems, applications communicate, so it includes a methodology for:
Telecommunications (phones, VoIP, etc.)
Wired Networks
Wireless communications

Open Web Application Security Project - https://owasp.org/
Community-driven and frequently updated framework used solely to test the security of web applications and services.
Read about the top 10 vulnerabilities here: https://owasp.org/Top10/

National Institute of Standards and Technology - https://www.nist.gov/cyberframework/
Popular framework used to improve an organisations cybersecurity standards and manage the risk of cyber threats.

National Cyber Security Center Cyber Assessment Framework - https://www.ncsc.gov.uk/collection/caf/caf-principles-and-guidance/
Extensive framework of fourteen principles used to assess the risk of various cyber threats and an organisation's defences.

The CIA triad is an information security model that is used in consideration throughout creating a security policy.
The model consists of three sections: Confidentiality, Integrity and Availability (CIA).
Confidentiality is the protection of data from unauthorized access and misuse.
Integrity is the condition where information is kept accurate and consistent unless authorized changes are made.
Availability is the condition where information should be available when authorised users need to access it.

Two key concepts are used to assign and manage the access rights of individuals.
Privileged Identity Management (PIM)
Privileged Access Management (PAM)
PIM is used to translate a user's role within an organisation into an access role on a system.
PAM is the management of the privileges a system's access role has, amongst other things.

Some popular and effective security models used to achieve the three elements of the CIA triad.
The Bell-La Padula Model
Biba Model
The Bell-La Padula Model is used to achieve confidentiality.
This model uses the rule "no write down, no read up".
The Bell LaPadula Model is popular within organisations such as governmental and military.
The Biba model is arguably the equivalent of the Bell-La Padula model but for the integrity of the CIA triad.
This model uses the rule "no write up, no read down".
For example: a doctor would not be able to read the notes made by a nurse in a hospital with this model.

Threat modelling is the process of reviewing, improving, and testing the security protocols in place in an organisation's information technology infrastructure and services.
An effective threat model includes:
Threat intelligence
Asset identification
Mitigation capabilities
Risk assessment
There are frameworks such as STRIDE, to help implementing the threat model.
Spoofing identity
Tampering with data
Repudiation threats
Information disclosure
Denial of Service
Elevation of privileges

A breach of security is known as an incident.
An incident is responded to by a Computer Security Incident Response Team (CSIRT).
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned