36 cards in this set
- Front
- Back
Penetration Testing Defined
|
A legal and authorized attempt to successfully discover and exploit computer systems, with the goal of making those systems more secure and better protected.
|
Domains
|
1. Planning and scoping 15%
2. Information gathering and vulnerability identification 22%
3. Attacks and exploits 30%
4. Penetration testing tools 17%
5. Reporting and communication 16%
|
You must understand the type of organization and the business model being employed; to do this you must know the company's most valuable target assets.
|
• Does the sector store and process PII, PHI, and/or financial data?
• Is the organization using supervisory control and data acquisition (SCADA) and/or programmable logic controllers?
• Are there any government or military contracts?
• Does the company have an air gap from public networks?
• Is there a security culture in the business environment?
|
Types of constraints
|
1. Cost
2. Time
3. Bandwidth
4. Technology
5. Legal
6. Regulatory
7. Jurisdiction
8. Service providers
|
Engagement support resources
|
1. SOAP project file
2. WSDL/WADL
3. SDK documentation
4. Swagger document
5. XSD
6. Sample application requests
7. Architectural diagrams
|
What do these stand for?
* SOW
* MSA/SLA
* NDA
|
1. Statement of Work
2. Master Service Agreement / Service Level Agreement
3. Non-disclosure agreement or confidentiality agreement
|
MSA components
|
1. Confidentiality
2. Delivery requirements
3. Dispute resolution
4. Geographic locations
5. Intellectual property rights
6. Limitation of liability
7. Payment terms
8. Venue of law
9. Warranties
10. Work standards
|
Requirements for rules of engagement
|
1. Permission to test and other documents
2. Success criteria
3. Timelines and testing times
4. Locations
5. Disclosure
6. Evidence handling
7. Status meetings
8. Legal considerations
|
Special scoping factors
|
1. Pre-merger or acquisition
2. Supply chain issues
3. Shunning issues
4. Dealing with MSSPs
|
What does ROM stand for?
|
Rough Order of Magnitude
|
Scoping assets
|
1. Wireless network
2. Network penetration
3. Web applications
4. Social networking
|
Penetration testing phases
|
1. Information gathering
2. Enumeration
3. Gaining access
4. Privilege escalation
5. Maintaining access
6. Covering tracks
|
Threat actors
|
Non-hostile
1. Reckless employee
2. Irresponsible contractor or guest
3. Poorly trained employee
4. Information partner
5. Social media leakage
Hostile
1. Script kiddie
2. Hacktivist
3. Anarchist
4. Disgruntled insider
5. Competitor
6. Corrupt official
7. Data miner
8. Cyber miner
9. Espionage agent
10. Irrational individual
11. Legal adversary
12. Organized criminal
13. Terrorist
14. Thief
15. Vandal
16. Vendor
|
Compliance-based assessment targets
|
1. PCI DSS
2. FISMA
3. MARS-E
4. HIPAA
5. Sarbanes-Oxley (SOX)
6. ISO
|
Types of risk treatment
|
1. Avoid the risk (terminate the activity)
2. Transfer (share) the risk
3. Mitigate the risk (modification)
4. Accept the risk (retention)
|
Industry-accepted penetration testing approaches
|
1. NIST SP 800-115
2. OSSTMM
3. OWASP
|
Well-known scanning tools
|
• Nessus Professional
• ImmuniWeb
• Netsparker
• Nexpose
• Retina
• Core Impact
• Comodo HackerProof
• OpenVAS
• Nikto
• Tripwire IP360
• Wireshark
• Aircrack
• Retina CS Community
• Microsoft Baseline Security Analyzer (MBSA)
|
Things to enumerate
|
• Usernames and group names
• Hosts and hostnames
• Networks and domains
• Network shares and services
• Web pages
• Service ports
• IP tables and routing tables
• Authentication tokens
• Cookies
• Service settings and audit configurations
• Applications and banners
• SNMP information (strings)
• DNS details
• Social networking data
|
Categories of popular types of enumeration
|
• NetBIOS
• SNMP
• LDAP
• NTP
• SMTP
• DNS
• Windows
• UNIX/Linux
|
NetBIOS Enumeration
|
• Runs on port 139 on Windows
• Common attacks include:
  o Read or write to a machine, depending on the availability of shares
  o Launch a denial of service (DoS) attack on the remote machine
  o Enumerate password policies on the remote machine
• Common enumeration tools are Nbtstat, SuperScan, Hyena, Winfingerprint and NetBIOS Enumerator
|
SNMP Enumeration
|
• Default SNMP passwords (community strings) let attackers view or modify the SNMP configuration settings on port 161
• An attacker can enumerate SNMP on remote network devices for:
  o Information about network resources such as devices, shares, etc.
  o ARP and routing tables
  o Device-specific information
  o Traffic statistics and more
• Common tools include OpUtils, SolarWinds, SNScan, SNMP Scanner and NS Auditor.
|
Lightweight Directory Access Protocol (LDAP) Enumeration
|
* LDAP supports anonymous remote queries on a server, which can expose sensitive information (usernames, addresses, contact details, department details, etc.)
* LDAP runs by default on TCP and UDP port 389, or on port 636 for LDAPS
* LDAP enumeration tools include Softerra LDAP Administrator, JXplorer, LDAP Admin Tool and LDAP Administrator Tool.
|
Network Time Protocol (NTP) Enumeration
|
* NTP typically runs on UDP port 123
* Attackers will commonly list hosts connected to the NTP server and further enumerate internal client IP addresses, hostnames and the operating system used
* ntptrace - queries to discover where the NTP server updates its time from and traces the chain of NTP servers from a source
* ntpdc - queries the NTP daemon about its current state and requests changes in that state
* ntpq - monitors the NTP daemon (ntpd) operations and determines performance metrics
|
Simple Mail Transfer Protocol (SMTP) Enumeration
|
* SMTP (TCP 25) uses three built-in exploitable commands:
  - VRFY - validates users on the SMTP server
  - EXPN - shows the delivery addresses of aliases and mailing lists
  - RCPT TO - defines the recipients of the message
* SMTP enumeration and fingerprinting is possible based on the various responses to these commands.
* Attackers can determine the valid users on the SMTP server with the same technique
* Two common tools include NetScanTools Pro and smtp-user-enum
|
Domain Name System (DNS) Enumeration
|
* DNS works on both UDP and TCP on well-known port number 53
* It uses UDP for resolving queries and TCP for zone transfers
* DNS enumeration often sends zone transfer requests to the primary DNS server, spoofing a client to discover sensitive domain records in the response to the request
* Common DNS enumeration tools are nslookup, DNSdumpster and DNSRecon
|
Windows Enumeration
|
* The Windows OS can be enumerated with many tools, including ones from Sysinternals at https://technet.microsoft.com/en-in/sysinternals/bb545021.aspx
|
Key Windows Sysinternals utilities
|
* psexec - executes processes on a remote machine
* psfile - displays a list of files opened remotely
* psgetsid - translates a SID to a display name and vice versa
* pskill - kills processes on a local or remote machine
* psinfo - displays installation, install date, kernel build, physical memory, processor type and number
* pslist - displays process, CPU, memory and thread statistics
* psloggedon - displays local and remote logged-on users
* psloglist - allows viewing of event logs
|
*nix Enumeration
|
* UNIX and Linux operating systems can be enumerated with multiple command-line utilities provided by the OS
* finger - enumerates users on a remote machine
* rpcinfo - enumerates remote procedure calls
* rpcclient - enumerates usernames on Linux
* showmount - enumerates the list of shared directories
* enum4linux - https://labs.portcullis.co.uk/tools/enum4linux
|
Sniffing tools
|
* Wireshark
* tcpdump
* dsniff
|
Packet crafting steps
|
* Assembly
* Editing
* Playing
* Analysis
|
Tools for packet crafting and inspection
|
* hping
* Snort
* Nemesis
* Netcat
* Scapy
* socat
Additional examples: www.valencynetworks.com/articles/cyber-security-attacks-packet-crafting.html
|
Passive fingerprinting tools
|
* p0f
* Nmap
* NetworkMiner
* Ettercap
* PacketFence
|
Eavesdropping
|
* Packet sniffers are common eavesdropping tools: https://sectools.org/tag/sniffers
* Wireless sniffers are dedicated to the 802.11 family: www.voipmonitor.org
* VoIP sniffers are effective on voice datagrams: www.voipmonitor.org
|
Certificate vulnerabilities
|
* Introduce MITM and rogue certificates
* Attack non-pinning CAs
* Exploit self-signed certificates
* Take advantage of browsers ignoring warnings
* Look for mixed-content sites without EV certificates
* Attack weak/ignored revocation methods (CRL and OCSP)
* Perform OCSP replay attacks where stapling is not used
|
Types of scans
|
* Network discovery: finds active devices and identifies communication paths; determines network protocols and architectures
* Port and service scanning: finds active devices, open ports, and associated applications and services
* Vulnerability scanning: identifies known vulnerabilities, with a high rate of false positives
* Wireless scanning: finds rogue devices and backdoors (stations and APs); discovers signals outside of expected ranges
* Stealth scan: a type of port scan that stops the server or host system from logging the connection request
* Compliance scan: scanning to verify adherence to a regulation or compliance standard
* Application and container scanning
|
Common types of compliance scans
|
* Basel II
* Center for Internet Security (CIS) Benchmarks
* Control Objectives for Information and Related Technology (COBIT)
* Defense Information Systems Agency (DISA)
* STIGs
* Federal Information Security Management Act (FISMA)
* Federal Desktop Core Configuration (FDCC)
* Gramm-Leach-Bliley Act (GLBA)
* Health Insurance Portability and Accountability Act (HIPAA)
* ISO 27002/17799 security standards
* Information Technology Infrastructure Library (ITIL)
* National Institute of Standards and Technology (NIST) configuration guidelines
* National Security Agency (NSA) configuration guidelines
* Payment Card Industry Data Security Standard (PCI DSS)
* Sarbanes-Oxley (SOX)
* Site Data Protection (SDP)
* United States Government Configuration Baseline (USGCB)
|