TJI 06 Ethical Hacking CompTIA Pentest+ Other Scoping & Information Gathering



other scoping considerations so in this lesson we're going to talk about the last couple of things that you might want to think about as you're scoping your penetration test and the first one is whitelist and blacklist if you remember from security plus there are whitelist that allow things in two networks and blacklist that prevent things from getting into networks and that's usually done by IP addresses or ports and so the question is is your penetration test system going to be put on a whitelist or a blacklist if you're trying to do an internal assessment they may whitelist you if you're trying to an external one they may blacklist you and you may have to find some way to bypass that to break into the system so you just start considering this as you are scoping your assessment and figuring out your plan the next thing we have is security exceptions and there are lots of security devices on these networks there's intrusion protection systems and web application firewalls network access control certificate pinning and company policies and so depending on what those policies are and what those systems are are they going to allow an exception to let you connect your systems or allow you in through one of those systems because maybe you're not really testing their web application firewall you're testing the application behind it and so they would whitelist you in the web application firewall so you can test the application you're trying to go after that's the kind of considerations we're talking about here again there's no right answer it just depends on what you negotiate now I want to bring up certificate pinning just for a second here what is certificate pinning well some networks as part of their network access control require a digital certificate for a device bill allowed to connect to a network and if we want to be able to do that and we have a security exception that is called certificate pinning they would give us one of those certificates so that we can then put it on our pen test device and connect to their network and not trip their sensors next we have risk what is the risk tolerance of the organization and this is a big question when you're figuring out the timing and tempo and scope of a Penant and test if the organization is very risk adverse you're going to be very careful and have a very small scope and a very controlled pen test if they're more risk tolerant they might let you get away with a lot more now when you look at risk again there are four things that they can do with risk they can avoid risk they can transfer risk they can mitigate risk and they can accept risk if the organization is going to avoid risk they're going to try to avoid every risk completely and that means they're gonna have very tight control of renewing your pen test if they want to transfer risk they may want to move that risk to another entity they may ask you to sign something then take the risk on that if the system crashes you're gonna be responsible for fixing it that would be a transfer of risk they may want to mitigate their risk and they may want to say okay we're gonna let you do the pen test but only during these times and only on these days because we don't want it to be during our core peak business hours right so that mitigates the risk of them losing revenue and then finally they could accept the risk and if they have a very high risk tolerance they may just say yep go ahead and pen test we're okay with that we've looked at the risk and we're willing to accept it right and so again avoid transfer mitigate and accept those are the four things that they can do with risk and risk tolerance is an important consideration as you scope your penetration test next when we talk about risk and we talk about tolerance what is the tolerance to impact now what this means is what is going to be the impact operations if things go wrong so if you start doing a pen test and you trip a server off line how is that going to affect the company well they're gonna consider that in their risk calculus and they're gonna balance the needs of you doing a full assessment against their need to keep operations going and as part of that they may scope certain things into or out of the assessment for example here I might say that it's in scope for you to test our network storage our web servers our intranet connections and our physical security but I don't want you to touch my email servers my e-commerce servers my database or my public Wi-Fi and so you're gonna have to build your assessment with those considerations in mind what can you do the in scope stuff and what are you not allowed to do the out of scope stuff and that is one way to minimize the in and that all comes down to that risk tolerance again now the next thing we're going to look at is how do you schedule this assessment will the timing of the pen test be known to the organization's defenders or are they just going to know that sometime in the next three months you're going to attack or are they gonna be told on July 5th you're coming in that is something that's up for negotiation again and there's no right answer if you're trying to do it more of a red team blue team you're gonna want to tell them when you're coming if you're trying to do it as a true attack or simulation and a real pen test then you would probably not want to tell them when you're coming but again that's up to the organization and your scope of work will it be performed during peak hours or are you told you can only do it during off-peak hours what about holidays I love pen testing on holidays because there's less defenders to catch me makes my job easier but again the organization may say no no no we're not gonna allow you to do it on holidays and so you have to think about this and you're gonna have this list of events you're gonna have time and date restrictions you're gonna have client stakeholder notifications being made all of these things are gonna impact your schedule and you're gonna have to decide with the company how and when you're gonna do this pen test last we have scope creep and we talked about scope creep we're talking about your scope of work that agreement that you had that says I'm gonna do these things for this much money so scope creep happens when you have a client who starts asking for more you've already agreed that you're gonna do 10 servers and now they ask you hey can you do five more and if you're already doing a hundred servers maybe five more it's not a big deal if you're doing ten in the disaster for five more that's a 50% increase in scope now who's gonna pay for that that takes more time and resources are the scopes are going to be contained and how are you going to contain your scope you may do it by putting cost measures in your scope of work I mentioned this back in the scope of work lesson you may say that we're going to do a hundred servers and for every server over a hundred you're gonna have to pay us an extra thousand dollars and that will help keep the scope creep from happening because they're gonna think about it before it is asking for more because it cost more money anytime there's a scope change you need to document that and I highly recommend doing that as a change order to your scope of work make it clear yes I'm willing to go look at that email server that you said was out of scope but now if I'm doing the email server it's gonna take another one one or two weeks it's gonna take me three more people and it's going to cause X amount of dollars right you remember that more devices are gonna equal more time and that means more resources now they may say you know what out of the hundred that we already paid you for instead of doing these three I want you to do these other three you may do a one-for-one swap like that and that's okay but again all of this is up for negotiation between you and the company and the best way to keep things aboveboard is keep everything documented so get that change order and put that in with your scope of work welcome to domain to information gathering and vulnerability identification in this domain we're going to conduct five main functions the first is to conduct information gathering where we learn all about our targets then we're gonna dig deeper by performing vulnerability scanning that's where we scan our targets to find any vulnerabilities that we might be able to use to exploit them as we move into domain 3 then we're gonna analyze the results of these vulnerability scans so once we use a tool then we start scanning things we're gonna get the output of these tools so for example if I use n map it's gonna give me an output can you understand how to read that output to learn what operating system is running what service it's running what ports are open those are the type of things we're gonna have to be able to do here in domain 2 then we're gonna leverage this information for exploitation as we move into domain 3 and we start attacking these systems and finally we're gonna find weaknesses and specialized systems things like Internet of Things devices things like ICS and SCADA devices and critical infrastructure all of this is going to be covered inside a domain – now before we start digging into domain 2 I want to mention a couple of things about the objectives there are five objectives inside of domain 2 the first three are called given a scenario do XY and Z the second two are going to be explained only so what does this really mean for you well those first three objectives are going to be things like given a scenario conduct information gathering using appropriate techniques and the objective is going to tell you all the different techniques we're gonna cover all of those in this section you're also gonna get something like given a scenario perform a vulnerability scan that might be something like running an nmap scan or running an esse squarey or open voss we'll talk about all that as well and the third type you're gonna have is given a scenario analyze the scan results so going back to that end map I told you can you read the output or if you look at something like a vulnerability scan report from Nick dough or necess or open Voss can you read and interpret it because these are a given a scenario these might be code snippets inside the multiple choice or they could be simulation questions so it's not outside the realm of the possibility to see something like an nmap scan inside the simulation and either craft that command of how you're going to get that output or find and analyze that output and figure out what systems are vulnerable based on it so this is why it's important to look at those objectives before test day so you understand what type of questions could be asked information-gathering so the first step here is what we call information gathering this is where we want to learn all about the network it's also known as reconnaissance now when we do reconnaissance this is the systematic attempt for us to locate gather identify and record information about a target which is a host a server a system or even a person this is also known as footprinting the organization because we want to figure out exactly what that organization has out there that we might be able to attack later now there are a lot of techniques that we can use during this foot printing or reconnaissance phase we can do our information gathering by using internet or open-source research that means we can be looking for things like press releases and resumes and the company's website and just googling around until we find what we're looking for we also can do social engineering and social engineering is where we try to trick a user into giving us the information that can be through email attempts like fishing voice calls like fishing or even in person then we can also do dumpster diving where we go to the physical location and start going through their trash because once it's in the trash it's open for anyone to get and so we might be able to find things like usernames in their phone lists organizational charts or other information that can be useful to us as part of footprinting that organization and finally we have email harvesting where we try to collect as many emails as we can and again using things like Google is your friend here because a lot of this stuff ends up on the internet and you can then download it digitally and go through it at your leisure now what kind of information are we looking for with all of these techniques well I alluded to some of it before but some of the things specifically that I look for is things like phone numbers contact names organizational positions email addresses security related information the type of information systems they use whether they're Windows or Linux they're using Apache or iis all of this stuff is out there for the taking you might be looking through job postings or resumes now why would you look through job postings and resumes well let me walk through two of those and give you an example of why important so if I go online and I google very quickly I can find job postings out there for example here's one I found it's for a system administrator level 2 from some government contractor LLC I hid the corporation's name here the job title was system administrator level 2 they want somebody who has a clearance a top-secret SC eye clearance they want them to work in Cannon Air Force Base New Mexico so you can probably figure out where this Air Force Base is and who might be interested in these type of positions now who are they reporting to the program manager and what type of status is an example time regular now does this tell me much not really except the location but if I know that I'm targeting that Air Force Base as part of my pen test I now know that this company has positions for that organization and so I can use that against them but even more I can go to the second page of this job posting and that's where things get really interesting so if I look through this they tell me what the skills and knowledge and abilities are of someone who should apply for this job they're looking for somebody who has Microsoft's certified 2000 or 2003 certifications that means they're running Server 2000 or 2003 yes this is an old job posting I'm just giving you an example here they're also looking for somebody who's familiar with the military and has done UNIX or Linux in their past which means they're running UNIX and Linux servers they also have to have experience with blade servers from HP which again tells me they're using that it tells me again they wanted somebody who knows how to troubleshoot and operate Windows servers it tells me that shift work is required now why is shift work important well shift work tells me that they operate at weird timeframes so when I might go into a normal organization that works maybe 8:00 to 5:00 and go in at midnight to try to break in if they use shift work there might be somebody there at midnight and so that's important for a physical pen test but you can see how we start taking these pieces of information from the job posting and this tells me about this organization what they're looking to hire tells me what they have now this brings me to the flip side what about resumes there are lots of resumes out there just go on LinkedIn it is an online database of people's resumes and you can start searching for the company that you're going to be targeting so if I go in search for a company I might find a resume that looks like this now John Smith's just a fictional character but this looks like a regular resume right it has some professional summary and some technical proficiencies it says all the things he's good at now is this real helpful not particularly yet except for maybe the phone number in his email because I might call him for an interview right for a fake job that doesn't exist and try to get information about his past employer but when I get on to the back side of his resume I start seeing something that is a lot more interesting because I start seeing that he worked with ABC energy which is the company I'm targeting in this case and they had over 200 Linux servers running RedHat and SUSE Linux again this helps me narrow down my focus for my enumeration and my vulnerability scanning later they had this throughout three data center search three physical locations that I have to consider they also use VMware ESX servers right so they're using virtualization so I might have to perform VM escapes to get out of those right they also were using things like Red Hat version 4 they're using Windows 2003 they're using citrix metaframe right all of these things are information that help me when I'm going after that organization it's all little nuggets of information that I can put together to get a more complete picture and so those job postings and those resumes can tell you a lot about an organization and they're freely available online just start googling right so that's what I wanted to get you here to start thinking a little bit more differently because this is helpful information so what are some tools that we can use for reconnaissance besides the standard googling and looking at job postings and resumes well we have nslookup which is used to look up domain names we have traceroute which helps me figure out the path from my computer all the way through to their server there's ping which can tell me if there's a server up or down and so I can start mapping the network that way there's things like Whois which will give me information about who owns the domain name there's domain dossier or an email dossier which you can find on central ops net which are really really helpful I recommend you go in there and just play with domain das your email das here it'll tell you if the email is a valid one or not so you can then use it towards your phishing campaigns you can use google we've already talked about that you can use social networking like Facebook and Twitter and Instagram and LinkedIn and whatever else you want you can become this person's friend if they work in that organization and start figuring out information and who their coworkers are and start using that for social engineering you can also use a script called discovery SH which has a lot of social engineering tools and you can use multigo which is a way to start piecing together pieces of information in a visual format as you can see on the bottom image there and it starts tell me who is connected to who within the organization as I start again putting all of these pieces of information together to form a more complete picture now reconnaissance is where you spend a lot of time as a penetration tester or as a hacker but as a pen tester a lot of times this stuff will be given to you because if you're doing a white box test or a grey box test this is going to be handed to you and they're going to tell you these are the domain names these are the type of servers go and attack us right so we're not going to spend a ton of time on reconnaissance here inside pen test Plus but as a real hacker this is where they spend probably 80% of their time is figuring out all that information about the organization that they plan to target so let's put all this together let's pretend that you were a hacker what would you do with all this information well you've gone out and you've collected emails and names and positions and phone numbers and server addresses and documents you may even gotten some powerpoints or some spreadsheets from the organization because that stuff exists out there if you google right you take all that together and you decide to craft an excellent spearfishing campaign because you know who to target based on their name and their email and you know what an email looks like because you've stolen some previous ones that you found on Google now you can make a potential Spearfish that is very very well-crafted we'll take a word document that may have been from that organization and embed malware into it and then we're going to send it as part of the spear phishing campaign now let's say somebody opens that spear phishing email and they open that PowerPoint in that word file with the embedded malware that malware launches creates a callback to your system you now have a remote shell and you can now take control their machine and do whatever you need to for your Penton right that entry was all done because of the things you found during the reconnaissance phase you can use realistic employee names their positions and writing style to mimic real traffic maybe I'll send it so it looks like it's coming from their boss or their boss's boss and tell them that it's really important they have to open it now and trick them into doing it but that's if you really want to be crafty or if you want to take it even a step further well if we take it a step further we might do something like domain name squatting this is where maybe if the organization was named Titan cipher we might use Titan cipher with a why instead of an i and so when customers and employees try to go to the website they might fat-finger it on the keyboard and go to the wrong site when they do that they'll get to the site that looks like the one they wanted to but it really wasn't and they might log in with their username and password and that will allow you to steal their credentials you can also identify any subdomains developer sites mail servers etc for exploitation all of this stuff is yours for the taking as a part of the reconnaissance phase you just have to know where to look for it right and so think about that as you're going through the reconnaissance information gathering and footprinting phases where can I get the information get creative think outside the box and really just have some fun with it

Leave a Reply

Your email address will not be published. Required fields are marked *