CompTIA® Security+ Exam Notes : Explain Penetration Testing Concepts

1. Threats, Attacks and Vulnerabilities

1.4 Explain penetration testing concepts

Penetration Testing: A method of evaluating security by simulating an attack on a system.

Penetration testing can be conducted using various techniques, classified by the following terms:

Blackbox: In this type of test the assessor has no knowledge of the inner workings of the system or its source code. The assessor simply tests the application through its exposed functionality.

Whitebox: In this type of test the assessor has knowledge of the inner workings of the system or of the source code.

Graybox: This type of test combines white box and black box techniques. The tester has some limited knowledge of the inner workings.

Vulnerability scanning can be done in either a credentialed or non-credentialed manner. The difference is that a credentialed vulnerability scan uses actual network credentials to connect to systems and scan for vulnerabilities. Non-credentialed scans are very useful tools that provide a quick view of vulnerabilities by only looking at network services exposed by the host.

Vulnerability Scanning: A vulnerability scanner can execute intrusive or non-intrusive tests. An intrusive test tries to exercise the vulnerability, which can crash or alter the remote target. A non-intrusive test tries not to cause any harm to the target. A crash or degradation of the service is only a side effect of an intrusive test, not a goal.

Passive reconnaissance: The process of collecting information about an intended target without the target knowing what is occurring. Typical passive reconnaissance can include physical observation of an enterprise's building, sorting through discarded computer equipment in an attempt to find equipment that still contains data or discarded paper with usernames and passwords, eavesdropping on employee conversations, etc.

Active reconnaissance: The process of collecting information about an intended target by probing the target system directly. Active reconnaissance typically involves port scanning in order to find weaknesses in the target system. Once the attacker has found a way to access the system, exploitation can follow. Tools such as port scanners, traceroute information, and network mapping are used to find weaknesses in the target system.

Pivot: The attacker starts by sending a phishing email from outside the organization. Once the attacker has gained access to the victim's machine, they gather information and use it to appear to be a normal user on the network while moving toward the real target. They jump from one host to another, using the earlier victim as a pivot to reach the real target.

Persistence: In persistence, the attacker does not limit the attack to a limited time window. Instead, they watch and wait, looking for an opening to strike the target system. When one presents itself, they penetrate the victim's system. Afterwards, the attacker continues to monitor the target network for further vulnerabilities.

Passive and active reconnaissance:

Reconnaissance: Reconnaissance can be one of two types: Passive reconnaissance and Active reconnaissance. Passive reconnaissance is performed using methods to gain information about targeted computers and networks without actively engaging with the target systems and thus avoiding detection. In active reconnaissance, the attacker engages with the target system, typically conducting a port scan to find any open ports. Active reconnaissance involves using packets that can be traced; it involves engaging services that can be logged.
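The notes make the defender-relevant point that active reconnaissance engages services that can be logged. The following added example (not part of the original notes) shows the detection side: it parses constructed firewall log lines in a made-up "timestamp src dst dport action" format and flags any source that touches many distinct ports on one host inside a sliding time window. The addresses, thresholds and log format are assumptions for illustration; the slow sweep shows why the window size matters.

```python
# Flag port-scan style active reconnaissance in firewall logs.
# Added example, not from the Security+ notes: log format, addresses and
# thresholds are constructed assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a made-up "timestamp src dst dport action" format.
BASE = datetime(2024, 5, 1, 10, 0, 0)
PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]

def _line(offset_s, src, dport, action):
    ts = (BASE + timedelta(seconds=offset_s)).isoformat()
    return f"{ts} {src} 10.0.0.20 {dport} {action}"

SAMPLE_LOG = "\n".join(
    [_line(i, "203.0.113.5", p, "DROP") for i, p in enumerate(PORTS)]        # fast sweep
    + [_line(30 * i, "203.0.113.9", p, "DROP") for i, p in enumerate(PORTS)]  # slow sweep
    + [_line(5 + 120 * i, "198.51.100.7", 443, "ACCEPT") for i in range(3)]  # normal client
)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")

def parse(lines):
    """Yield (timestamp, src, dst, dport, action); skip malformed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, action = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(dport), action

def detect_scans(log_text, window_s=60, min_ports=10):
    """Return {(src, dst): ports} for sources touching at least min_ports
    distinct ports on one host inside any window_s-second sliding window."""
    window = timedelta(seconds=window_s)
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _ in sorted(parse(log_text.splitlines())):
        by_pair[(src, dst)].append((ts, dport))
    findings = {}
    for pair, hits in by_pair.items():
        start, best = 0, set()
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide window forward
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:  # the slow sweep needs a longer window
            findings[pair] = best
    return findings
```

With the default 60-second window only the fast sweep is reported; widening the window to 600 seconds also catches the slow sweep, while the normal client that repeatedly uses one port is never flagged.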

Pivoting: In pivoting, one moves to a new location in a network and begins the attack process over again, performing scans to see machines that were not visible from the outside. Pivoting is one of the key methods of learning where to move next.

Lateral Movement: Lateral movement, sometimes referred to as network lateral movement, refers to the process used by attackers to move deeper into a network to get to the target data. Lateral movement and pivoting work hand in hand. The purpose of lateral movement is to go to where the data is, and pivoting is one of the key methods of learning where to move next.

Footprinting: Footprinting is the first step in gaining active information on a network during the reconnaissance process.

Bug bounty: Bug bounty programs are mechanisms where companies pay hackers for revealing the details of vulnerabilities that they discover, providing the companies an opportunity to correct the issues.

Cleanup: Cleanup involves the steps of clearing logs and other evidence to prevent one from being easily discovered. Clearing logs, blocking remote logging, messing with system history, and using reverse shells and Internet Control Message Protocol (ICMP) tunnels to avoid detection and logging are some of the methods employed.

Persistence (load balancing): In a load-balanced system, persistence is the condition where a given system is always connected to the same back-end target. This is important for maintaining state and integrity across multiple round-trip events.

War flying: War flying is when someone on a plane, drone, or helicopter uses a WiFi-enabled device to look for open APs. It's sometimes called war storming.

OSINT (open source intelligence): OSINT is the technique of using publicly available information sources to gather information about a system. OSINT is not a single method but rather an entire set of qualitative and quantitative methods that can be used to collect useful information. Because OSINT relies only on public sources and never engages the target, it is a form of passive reconnaissance.

Drones: Drones are unmanned aerial platforms capable of carrying cameras, mobile devices, and other items across normal boundaries such as walls, fences, and checkpoints. This gives pen testers a means of getting closer to signals such as wireless networks and then recording traffic.

Explain the techniques used in penetration testing

Rules of engagement: The rules of engagement describe the scope of an engagement and provide important information regarding contacts and permissions. Obtaining these rules is essential before any pen test work begins. The rules of engagement also establish the boundaries of the test.

Below are some of the different things captured and detailed in the rules of engagement:

1. Treatment of sensitive information during the project
2. How project status updates will be communicated
3. Emergency contact information
4. Handling of a sensitive and critical vulnerability
5. Steps taken if a prior compromise is uncovered
6. Security controls impact and specifics
7. IP addresses of testing machines for monitoring/whitelisting
8. Requirements for third-party hosting provider approvals to test, etc.

Privilege escalation: The step in an attack where an attacker increases their privilege level, preferably to administrator or root.

Exercise Type:

Red team: Red Teams are internal or external entities dedicated to testing the effectiveness of a security program by emulating the tools and techniques of likely attackers in the most realistic way possible.

Blue Team: Blue Teams refer to the internal security team that defends against both real attackers and Red Teams. Blue team members come from the IT and security operations departments, and they typically perform two functions. The first is establishing defenses, configuring defensive elements such as firewalls and security appliances, managing permissions, and logging. The second involves monitoring and incident response functions.

White Team: When an exercise involves scoring and/or a competition perspective, the team of judges is called the white team. If the exercise is such that it requires an outside set of coordinators to manage it, independent of the defending team, these coordinators are also called the white team.

Purple team: A purple team is composed of both red team and blue team members. These team members work together to establish and test defenses.

Note: Red team is the attacker, the blue team is the defender, the white team is the exercise manager/judge, and the purple team is composed of a combination of red and blue team members.

When conducting a penetration test on a company network, it is important that the network administrator obtain permission from the manager or owner so that they are not blamed for any suspicious activity. The activity of the technician or network administrator should be consistent with the company security policy.

Purple teams have both offensive (red) and defensive (blue) personnel to provide a balanced response.
