*John Strand* Ian Amit Joe McCray Nicholas J. Percoco
How to scope
Metrics for time estimation, Estimating project as a whole, Additional support based on hourly rate
Questionnaires, Questions for Business Unit Managers, Questions for Systems Administrators, Questions for Help Desk, General Employee Questions
Scope Creep, Specify Start and End Dates, Letter of Amendment (LOA), LOA - Based on Scope Size, but not overall project direction, LOA - Based on vulnerabilities found during the engagement, LOA - Based on change in the direction of the overall project, Tie back to goals section
Specify IP ranges and Domains, Validate Ranges
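Validating ranges is the one pre-engagement item that directly prevents an unauthorized attack, so here is a scope guard as an added example (not part of the original outline). The ranges, exclusions and DNS answers are constructed; the domain check is a suffix match and the resolver answers are passed in, because an in-scope hostname that resolves to a CDN or a third-party host is still out of scope for packets.

```python
"""Scope guard: refuse a target unless it falls inside the authorized ranges.
Added example; the scope document, exclusions and DNS answers are constructed."""
import ipaddress

# Constructed, as copied from the signed scope document.
AUTHORIZED_RANGES = ["198.51.100.0/24", "203.0.113.8/29"]
AUTHORIZED_DOMAINS = ["example.com"]
# Hosts carved out of a range, e.g. a box hosted by a third party that did not sign.
EXCLUDED_HOSTS = ["198.51.100.250"]

# Constructed targets and resolver answers used by the demo run below.
SAMPLE_TARGETS = ["198.51.100.10", "198.51.100.250", "203.0.113.16",
                  "www.example.com", "cdn.example.com", "example.com.attacker.net"]
SAMPLE_DNS = {"www.example.com": ["198.51.100.20"], "cdn.example.com": ["192.0.2.5"]}


def parse_scope(ranges, excluded):
    # strict=True rejects "198.51.100.5/24": a mistyped range must fail loudly,
    # not be silently widened to the whole /24.
    nets = [ipaddress.ip_network(r, strict=True) for r in ranges]
    excl = {ipaddress.ip_address(h) for h in excluded}
    return nets, excl


def ip_in_scope(ip, nets, excl):
    addr = ipaddress.ip_address(ip)
    if addr in excl:
        return False
    return any(addr in net for net in nets)


def domain_in_scope(name, domains):
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def check_targets(targets, resolved):
    """Classify each target (IP literal or hostname) as in or out of scope.

    resolved maps hostname -> list of IPs. It is constructed here; in practice it
    comes from the resolver at test time and is re-checked during the engagement,
    because DNS can change under you.
    """
    nets, excl = parse_scope(AUTHORIZED_RANGES, EXCLUDED_HOSTS)
    verdict = {}
    for target in targets:
        try:
            verdict[target] = ip_in_scope(target, nets, excl)
            continue
        except ValueError:
            pass  # not an IP literal, treat as a hostname
        if not domain_in_scope(target, AUTHORIZED_DOMAINS):
            verdict[target] = False
            continue
        ips = resolved.get(target, [])
        # A name is only in scope if it resolves AND every address is in scope.
        verdict[target] = bool(ips) and all(ip_in_scope(ip, nets, excl) for ip in ips)
    return verdict


if __name__ == "__main__":
    for t, ok in check_targets(SAMPLE_TARGETS, SAMPLE_DNS).items():
        print(f"{'IN ' if ok else 'OUT'} {t}")
```

Run the guard over the target list before the first scan and again before exploitation; the /29 in the sample deliberately stops at 203.0.113.15 so that 203.0.113.16 is rejected, and cdn.example.com is rejected even though its name matches, because its address is not in the signed ranges.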
Dealing with Third Parties, Cloud services, ISP, Web Hosting, MSSPs, Countries where servers are hosted
Define Acceptable Social Engineering Pretexts
DoS Testing
Payment Terms, Net 30, Half Upfront, Interest, Recurring, Monthly, Quarterly, Semi-Annual
Delphi Scoping, you actually work with the target in iterations... gotta break my noodle on how to get it in here
Identifying goals, primary, secondary
Business analysis, Defining a company's security maturity
Needs analysis
Pentesting Terms Glossary
Emergency Contact information
Incident Reporting process, Incident Definition, Incident Threshold
Status Report Frequency
Establish a Primary POC
PGP and other alternatives (Encryption is not an "option")
Define communication parameters with external 3rd parties (hosting, ...)
Timeline, Defining Roadblocks and Gates, Work Breakdown Structure, Assign Responsibilities of the team, When things go wrong - or delayed, how to cope with scope creep, or the client has to pause the pentest
Locations
Exploitation Control (free-form, coordinated, formally monitored...)
Disclosure of Sensitive Information, PII, Credit Card Information, PHI, Other: We cannot limit "sensitive" to PII and PHI. Examples: BoA and Wikileaks, Dell, Intel and the Aurora attacks.
Evidence Handling
Regular Status Meetings, Plans, Progress, Problems
Time of the day to test
Dealing with shunning
Permission to Attack
Incident response and monitoring, Ability to detect and respond to information gathering, Ability to detect and respond to footprinting, Ability to detect and respond to scanning and vuln analysis, Ability to detect and respond to infiltration (attacks), Ability to detect and respond to data aggregation, Ability to detect and respond to data exfiltration
Preparing your Testing System, Encryption, Validate Firewall Rules, Results Scrubbed From Previous Tests
Pre Engagement Checklist
Packet capture
Post Engagement Checklist
*Chris Gates* Chris Nickerson Ian Amit Stefan Friedli Nicholas J. Percoco * Add listing of relevant tools *
Admin
High Level Employee
Random Employee
Employee w/ specific access, Engineer, Secretary, Developer, Network Engineer, Accounting, Human Resources, Procurement, Sales
Corporate, Physical, Locations, owner, land/tax records, shared/individual, timezones, Pervasiveness, Relationships, Logical, Business Partners, Competitors, touchgraph, Hoovers profile, Product line, Market Vertical, Marketing accounts, Meetings, significant company dates, Board meetings, holidays, anniversaries, product/service launch, job openings, Charity affiliations, Org chart, Position identification, Transactions, Affiliates, Electronic, Document/metadata leakage, marketing communications, Assets, Network blocks owned, mail addresses, external infrastructure profile, Technologies used, purchase agreements, Remote access, application usage, defense technologies, human capability, Financial, Reporting, market analysis, trade capital, value history
Individual, Employee, History, EDGAR (SEC) data, court records, political donations, professional licenses or registries, SocNet Profile, Metadata leakage, tone, frequency, location awareness, bing map apps, foursquare, google latitude, yelp, Social Media, Facebook / openbook, LinkedIn, Xing, twitter, blogger / blogspot, MySpace, wordpress, livejournal, foursquare, yahoo, google profile, Gowalla, entitycube, picasa, Flickr, yfrog, twitpic, PicFog, DeviantArt, aim, irc, icq, qq, JUST USE NAMECHK or something like it, wikipedia, google groups / newsgroups, Internet Footprint, Email addresses, Usernames/Handles, Personal Domain Names, Static IPs, Blogosphere, Active updates, physical, logical, Physical location, active, passive, Mobile footprint, Phone #, Device type, Use, Installed applications, owner/administrator, For Pay Information, Background Checks, For Pay LinkedIn, LEXIS/NEXIS, Other
on-location gathering, Physical security inspections, wireless scanning / RF frequency scanning, Employee behavior training inspection, accessible/adjacent facilities (shared spaces), dumpster diving, types of equipment in use
offsite gathering, Datacenter locations, Network provisioning/provider
Key employees
Partners/Suppliers
Social Engineering
External Footprinting, Identifying Customer Ranges, whois lookup, bgp looking glasses, subsidiaries, third party identification and right to audit, Verification with customer, Newsgroup Headers, Mailing List Headers, Robtex, Passive Reconnaissance, Search Engine Hacking, Google, Yahoo, Bing, Manual browsing, shodan, Active Footprinting, Port Scanning, Banner Grabbing, Zone Transfers, SMTP Bounce Back, Web Application Language Mapping, PHP, ASP, easy targets, Banner Grabbing, SNMP Sweeps, Forward/Reverse DNS, DNS Bruting, Website Mirroring, Robots.txt Harvesting, Establish target list, Mapping versions, Identifying patch levels, Looking for weak web applications, Identify lockout threshold, Error Based, Identify weak ports for attack, Outdated Systems, Virtualization platforms vs VMs, Storage infrastructure
Internal Footprinting, Active Footprinting, Port Scanning, SNMP Sweeps, Zone Transfers, SMTP Bounce Back, Forward/Reverse DNS, Banner Grabbing, VoIP mapping, extensions, special mailboxes, authentication, ARP Discovery, DNS discovery, Passive Reconnaissance, Packet Sniffing, Broadcast Traffic Analysis, ARP, NetBIOS, Other UDP, Establish target list, Mapping versions, Identifying patch levels, Looking for weak web applications, Identify lockout threshold, Error Based, Identify weak ports for attack, Outdated Systems, Virtualization platforms vs VMs, Storage infrastructure
Network protections, "simple" packet filters, Traffic shaping devices, DLP systems, Encryption/tunneling
Host based protections, stack/heap protections, whitelisting, AV/Filtering/Behavioral analysis, DLP systems
Application level protections, Identify application protections, Encoding options, Potential Bypass Avenues, Whitelisted pages
Storage Protection, HBA - Host Level, LUN Masking, Storage Controller, iSCSI CHAP Secret
*Dave Kennedy* Paul Asadoorian Joe McCray Stefan Friedli
Well researched attack vector
AV, Encoding, Packing, Whitelist Bypass, Process Injection, Purely Memory Resident
Human
HIPS
DEP
ASLR
VA + NX (Linux)
w^x (OpenBSD)
WAF
Stack Canaries
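Before choosing an exploit the tester needs to know which of the protections above (DEP/NX, ASLR via PIE, RELRO, stack canaries) a target binary was actually built with. The following checker is an added example, not a tool from the original list: it reads the ELF64 header and program headers directly, so it works on a binary pulled from a target with no toolchain. Limits are stated in the code: "full" RELRO would additionally require DT_BIND_NOW in the dynamic section (not parsed here), ET_DYN also covers shared libraries, and the canary test is the same string-presence heuristic that checksec.sh uses. The sample image is constructed by build_sample_elf() and is a header-only file, not a loadable binary.

```python
"""Minimal ELF64 mitigation checker (NX, PIE, RELRO, stack canary).
Added example; the sample images are constructed headers, not real binaries."""
import struct

PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
ET_EXEC, ET_DYN = 2, 3
EHDR_FMT = "<HHIQQQIHHHHHH"   # ELF64 header after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"        # ELF64 program header (56 bytes)


def checksec(data):
    """Classify a little-endian ELF64 image.

    nx:     False if PT_GNU_STACK asks for an executable stack, True if it does
            not, None if the segment is absent (then the kernel default applies).
    pie:    e_type == ET_DYN (note: shared objects are ET_DYN too).
    relro:  'partial' if a PT_GNU_RELRO segment exists, else 'none'. 'full' would
            need DT_BIND_NOW / DF_BIND_NOW from the dynamic section, not parsed here.
    canary: heuristic, the __stack_chk_fail symbol name occurs in the file.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    fields = struct.unpack_from(EHDR_FMT, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]
    nx, relro = None, "none"
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = "partial"
    return {"nx": nx, "pie": e_type == ET_DYN, "relro": relro,
            "canary": b"__stack_chk_fail" in data}


def build_sample_elf(pie=True, exec_stack=False, relro=True, canary=True):
    """Constructed ELF64 image: header + program headers + a fake symbol name.
    Just enough for checksec() to classify; it is not loadable."""
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (PF_X if exec_stack else 0))]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7  # 64-bit, LE, v1, SysV
    header = ident + struct.pack(
        EHDR_FMT,
        ET_DYN if pie else ET_EXEC,  # e_type
        62, 1, 0,                    # e_machine (x86-64), e_version, e_entry
        64, 0, 0,                    # e_phoff, e_shoff, e_flags
        64, 56, len(phdrs),          # e_ehsize, e_phentsize, e_phnum
        64, 0, 0)                    # e_shentsize, e_shnum, e_shstrndx
    body = b"".join(struct.pack(PHDR_FMT, t, f, 0, 0, 0, 0, 0, 0x10) for t, f in phdrs)
    tail = b"\x00__stack_chk_fail\x00" if canary else b""
    return header + body + tail


if __name__ == "__main__":
    print("hardened :", checksec(build_sample_elf()))
    print("unhardened:", checksec(build_sample_elf(pie=False, exec_stack=True,
                                                   relro=False, canary=False)))
```

On a real target, pass the bytes of the file instead of the constructed image; a result of pie False and nx False narrows the choice to plain stack or return-to-text techniques, while pie True and canary True is what pushes the engagement toward the info-leak and protection-bypass work listed under public exploit customization.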
List of tools
Best attack for the organization: Possibly move to Precision Strike
Zero day angle, Fuzzing, Dumb Fuzzing, "intelligent" Fuzzing, Code Coverage, Reversing, Deadlisting, Live Reversing, Dealing with Symbol Striping, Traffic Analysis, Protocol Analysis, Reviewing RFCs, Reviewing Development Documentation, Protocol Reversing
Public exploit customization, Changing Memory locations in Existing Exploits, Important for Foreign Pentests, Altering payload, Rewriting shellcode, Add protection bypasses (DEP, ASLR, etc.)
Physical access, Human angle, our pretext, PC access (custom boot CD/USB), USB, Autorun, Teensy, Firewire, RFID, sniffing, Brute-Force, Replay Attacks, MITM, SSL Strip, Print jobs, Extracting of cleartext protocols, Downgrading attacks, ..., Routing protocols, CDP, HSRP, VRRP, DTP, STP, OSPF, RIP, ..., VLAN Hopping, Other hardware (keystroke loggers, etc)
Proximity access (WiFi), Attacking the Access Point, Crypto Implementation Attacks, Vulnerabilities in Access Points: Summon Paul Asadoorian, Cracking Passwords, 802.1x, WPA-PSK, WPA2-PSK, WPA2-Enterprise, WPA-Enterprise, Ham Radio Surveillance, LEAP, EAP-Fast, WEP, Attacking the User, Karmetasploit Attacks, Attacking DNS Requests, Bluetooth, Personalized Rogue AP, Attacking Ad-Hoc Networks, RFID/Prox Card, Spectrum Analysis, FCC Business Frequency Search, 802.11, 802.11 Wireless collection tools, Previously-collected data (WiGLE), UHF/VHF/etc., Microwave, Satellite, Guard Radio Frequencies, Wireless Headset Frequencies
DoS / Blackmail angle
Web, SQLi, XSS, CSRF, Information Leakage, Rest of OWASP top 10
Non-Traditional Exploitation, Business Process Flaws, Configuration / Implementation Errors, Trust Relationships, AirGap Hopping, Ethernet Over Powerline, Hardware Implants, Signaling Channels, Physics, Light (LED Signaling), Audio, Emanations, Van Eck
FW/WAF/IDS/IPS Evasion
Human Evasion
DLP Evasion
Reproduce Environment for exploit testing/development
Client Side, Phishing (w/pretext)
Service Side
Out of band
*Carlos Perez* Chris Gates Robin Wood Dave Kennedy
netstat etc to see who connections to and from
ipconfig etc to find all interfaces
VPN detection
route detection, including static routes
neighbourhood network/OS X browser (mdns? or bonjour)
Network Protocols in use
Proxies in use, Network Level, Application Level
network layout (net view /domain)
Video Cameras
Data exfiltration through available channels, identify web servers, identify ftp servers, DNS and ICMP tunnels, VoIP channels, Physical channels (printing, garbage disposal, courier), Fax (on multifunction printers)
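DNS tunnels are listed above as an exfiltration channel, and the pre-engagement section asks whether the client can detect and respond to data exfiltration. The detector below is an added example covering both points; it is not tooling from the original outline. It runs over a constructed resolver query log and flags a (client, domain) pair when many distinct, long, high-entropy subdomains are queried, which is the signature of data chunks being smuggled out in labels. Two assumptions are marked in the code: the registrable domain is approximated as the last two labels (real tooling should use the public suffix list), and the tunnel labels are synthetic 32-character strings chosen so that their entropy is exactly 4 bits per character.

```python
"""DNS exfiltration detector over a constructed query log.
Added example; log lines, thresholds and the encoded labels are constructed."""
import math
from collections import defaultdict

HEX = "0123456789abcdef"


def tunnel_label(i):
    """Constructed stand-in for an encoded data chunk: 32 hex characters in which
    every digit appears exactly twice, so Shannon entropy is exactly 4.0 bits."""
    return HEX[i:] + HEX[:i] + HEX[::-1]


# Constructed resolver log: "time client qname qtype". Three benign lookups from
# 10.0.0.5 and five tunnel-style TXT queries from 10.0.0.9.
SAMPLE_LOG = [
    "10:00:01 10.0.0.5 www.example.com A",
    "10:00:02 10.0.0.5 mail.example.com MX",
    "10:00:02 10.0.0.5 cdn.example.com A",
] + [f"10:00:0{3 + i} 10.0.0.9 {tunnel_label(i)}.c.tunnel-example.net TXT"
     for i in range(5)]


def shannon_entropy(s):
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    labels = qname.rstrip(".").lower().split(".")
    # Assumption: registrable domain = last two labels. Use the public suffix
    # list in production or co.uk-style domains will be mis-grouped.
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def detect_dns_exfil(lines, min_unique=3, min_len=20, min_entropy=3.0):
    """Return one alert per (client, domain) that looks like a data channel."""
    stats = defaultdict(lambda: {"subs": set(), "lens": [], "ents": [], "qtypes": set()})
    for line in lines:
        _, client, qname, qtype = line.split()
        base, sub = split_name(qname)
        payload = sub.replace(".", "")      # the part an attacker controls per query
        s = stats[(client, base)]
        s["subs"].add(sub)
        s["lens"].append(len(payload))
        s["ents"].append(shannon_entropy(payload))
        s["qtypes"].add(qtype)
    alerts = []
    for (client, base), s in stats.items():
        unique = len(s["subs"])
        mean_len = sum(s["lens"]) / len(s["lens"])
        mean_ent = sum(s["ents"]) / len(s["ents"])
        if unique >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            alerts.append({"client": client, "domain": base, "unique_subdomains": unique,
                           "mean_payload_len": round(mean_len, 1),
                           "mean_entropy": round(mean_ent, 2),
                           "qtypes": sorted(s["qtypes"])})
    return alerts


if __name__ == "__main__":
    for a in detect_dns_exfil(SAMPLE_LOG):
        print(a)
```

The three thresholds must be tuned per environment and paired with an allowlist: anti-virus signature lookups, CDN hostnames and some telemetry produce the same high-entropy, many-subdomain pattern against legitimate domains, and a detector without an allowlist will page the SOC on them every day.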
Locating Shares
Audio Capture, VoIP, Microphone
High Value Files
Database enumeration, Checking for PII, card data, passwords/user accounts
Wifi, Steal wifi keys, Add new Wifi entries with higher preference then set up an AP to force connection, Check ESSIDs to identify places visited
Source Code Repos, SVN, Git, CVS, MS Sourcesafe, WebDAV
Identify custom apps
Backups, Locally stored backup files, Central backup server, Remote backup solutions, Tape storage
What makes the biz money
Steal It
Sabotage / Modification, Change Pricing, Change Scientific Process Results, Modify Engineering Designs
List of relevant tools
Botnets, Mapping connectivity in/out of every segment, Lateral connectivity
Pivoting inside, Linux Commands, Windows Commands, Token Stealing and Reuse, Password Cracking, Wifi connections to other devices, Password Reuse, Keyloggers, User enumeration, From Windows DC or from individual machines, Linux passwd file, MSSQL Windows Auth users, Application-specific users
Check History/Logs, Linux, Check ssh known hosts file, Log files to see who connects to the server, .bash_history and other shell history files, MySQL History, syslog, Windows, Event Logs, Recent opened files, Browsers, favourites, stored passwords, stored cookies, browsing history, browser cache files
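Shell history and the ssh known_hosts file are the fastest way to learn where a compromised host already talks to, which feeds directly into the pivoting step. The script below is an added example, not part of the original outline: it pulls hostnames out of constructed .bash_history lines and parses a constructed known_hosts, including entries written with HashKnownHosts yes, which hide the name as |1|base64(salt)|base64(HMAC-SHA1(salt, hostname)). Hashed entries cannot be read back, only confirmed against candidates, so the example checks the names harvested from history against them. The salt, keys and hostnames are constructed.

```python
"""Harvest lateral-movement targets from shell history and known_hosts.
Added example; history lines, key material and hostnames are constructed."""
import base64
import hashlib
import hmac
import re

# Constructed .bash_history of a deployment account.
BASH_HISTORY = """\
ls -la
ssh deploy@db01.internal
scp build.tar.gz ops@10.10.20.7:/opt/releases/
mysql -h db02.internal -u app -p
curl http://wiki.internal/api/status
ssh -p 2222 root@bastion.example.com
history -c
"""


def hash_known_host(host, salt):
    """OpenSSH HashKnownHosts format: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


SALT = b"\x01" * 20   # constructed; OpenSSH draws 20 random bytes per entry
# Constructed known_hosts: one plain entry, two hashed entries.
KNOWN_HOSTS = (
    "db01.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKey1\n"
    + hash_known_host("bastion.example.com", SALT) + " ssh-rsa AAAAB3ConstructedKey2\n"
    + hash_known_host("git.internal", SALT) + " ssh-rsa AAAAB3ConstructedKey3\n"
)

# Commands that name a remote host, via user@host, -h host, or a URL scheme.
HOST_RE = re.compile(
    r"(?:ssh|scp|sftp|rsync|mysql|psql|curl|wget)\b.*?(?:@|-h\s+|://)([A-Za-z0-9.\-]+)")


def harvest_hosts(history_text):
    """Distinct hosts named in shell history, in first-seen order."""
    hosts = []
    for line in history_text.splitlines():
        m = HOST_RE.search(line)
        if m and m.group(1) not in hosts:
            hosts.append(m.group(1))
    return hosts


def parse_known_hosts(text):
    """Split known_hosts into plain host names and (salt, mac) pairs for hashed ones."""
    plain, hashed = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        hostfield = line.split()[0]
        if hostfield.startswith("|1|"):
            _, _, salt_b64, mac_b64 = hostfield.split("|")
            hashed.append((base64.b64decode(salt_b64), base64.b64decode(mac_b64)))
        else:
            plain.extend(hostfield.split(","))   # "host,ip" lists are common
    return plain, hashed


def match_hashed(hashed, candidates):
    """Confirm which candidate names sit behind hashed known_hosts entries."""
    found = []
    for salt, mac in hashed:
        for host in candidates:
            probe = hmac.new(salt, host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(probe, mac):
                found.append(host)
    return found


def lateral_targets(history_text, known_hosts_text):
    from_history = harvest_hosts(history_text)
    plain, hashed = parse_known_hosts(known_hosts_text)
    confirmed = match_hashed(hashed, from_history)
    return {"history": from_history, "known_plain": plain,
            "known_hashed_confirmed": confirmed,
            "known_hashed_unresolved": len(hashed) - len(confirmed)}


if __name__ == "__main__":
    print(lateral_targets(BASH_HISTORY, KNOWN_HOSTS))
```

The unresolved count is the caveat to carry into the report: one hashed entry stays unknown because no candidate name matched, and the only way forward is more candidates (DNS zone data, /etc/hosts, proxy logs), not reversing the hash. The "history -c" line at the end of the sample is itself worth noting when attributing activity.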
Ensure documented steps of exploitation
Ensure proper cleanup
Remove Test Data
Leave no trace
Proper archiving and encryption of evidence to be handed back to customer
Restore database from backup where necessary
Autostart Malware
Reverse Connections
Rootkits, User Mode, Kernel Based
C&C medium (http, dns, tcp, icmp)
Backdoors
Implants
VPN with creds
Introduction of Vulnerabilities, Web App Source Modification, Remove Input Validation, Add Extra functionality, Downgrade application version, Reintroduce default account/pwd, Re-enable disabled accounts
Business Impact
Customization
Talking to the business
Affect bottom line
Strategic Roadmap
Maturity model
Appendix with terms for risk rating
Timeline of attack / Gantt chart of timeline
Quantifying the risk, Evaluate incident frequency, probable event frequency, estimate threat capability (from 3 - threat modeling), Estimate controls strength (6), Compound vulnerability (5), Level of skill required, Level of access required, Estimate loss magnitude per incident, Primary loss, Secondary loss, Identify risk root cause analysis, Root Cause is never a patch, Identify Failed Processes, Derive Risk, Threat, Vulnerability, Overlap
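The factor names above (threat event frequency, threat capability, control strength, vulnerability, primary and secondary loss) are those of the FAIR taxonomy, and the chain is easier to review as arithmetic than as prose. The following is an added worked example, not a calculation from the original page: threat capability and control strength are modelled as triangular (min, most likely, max) estimates on a 0-100 scale, vulnerability is the probability that capability exceeds control strength (estimated by seeded sampling), loss event frequency is TEF times vulnerability, and the annualized loss is that frequency times primary plus secondary loss. All figures in the scenario are constructed, and the root cause is recorded as a process failure, in line with the note that a root cause is never a patch.

```python
"""Simplified FAIR-style risk quantification for one pentest finding.
Added example; the scenario figures are constructed estimates."""
import random

# Constructed scenario written the way a finding would carry it into the report.
SCENARIO = {
    "name": "Phished help-desk credentials reused against the customer database",
    "tef_per_year": 4.0,                 # threat event frequency: attempts per year
    "threat_capability": (40, 60, 80),   # (min, most likely, max), percentile scale
    "control_strength": (50, 70, 90),    # same scale: strength of controls in the path
    "primary_loss": 250_000.0,           # response, replacement, lost productivity
    "secondary_loss": 400_000.0,         # fines, churn, reputation
    "root_cause": "No MFA on help-desk VPN accounts and no review of shared credentials",
    "failed_process": "Access provisioning and periodic entitlement review",
}


def vulnerability(threat_capability, control_strength, trials=20_000, seed=1):
    """P(threat capability > control strength) with both as triangular estimates.
    Seeded so the figure in the report is reproducible during review."""
    rng = random.Random(seed)
    t_lo, t_mode, t_hi = threat_capability
    c_lo, c_mode, c_hi = control_strength
    hits = 0
    for _ in range(trials):
        # random.triangular takes (low, high, mode)
        if rng.triangular(t_lo, t_hi, t_mode) > rng.triangular(c_lo, c_hi, c_mode):
            hits += 1
    return hits / trials


def loss_event_frequency(tef_per_year, vuln):
    return tef_per_year * vuln


def annualized_loss(lef, primary_loss, secondary_loss):
    return lef * (primary_loss + secondary_loss)


def quantify(scenario, seed=1):
    """Derive the chain TEF x vulnerability -> LEF -> annualized loss for one finding."""
    vuln = vulnerability(scenario["threat_capability"], scenario["control_strength"], seed=seed)
    lef = loss_event_frequency(scenario["tef_per_year"], vuln)
    ale = annualized_loss(lef, scenario["primary_loss"], scenario["secondary_loss"])
    return {"finding": scenario["name"],
            "vulnerability": round(vuln, 3),
            "lef_per_year": round(lef, 3),
            "annualized_loss": round(ale),
            "root_cause": scenario["root_cause"],
            "failed_process": scenario["failed_process"]}


def with_control(scenario, control_strength):
    """Re-run the same finding with a proposed control, for the remediation roadmap."""
    revised = dict(scenario, control_strength=control_strength)
    return quantify(revised)


if __name__ == "__main__":
    print(quantify(SCENARIO))
    print("after MFA:", with_control(SCENARIO, (75, 88, 97)))
```

The point of with_control() is to show the business the same finding twice: once as found and once with the proposed control, so the remediation roadmap can be argued in loss per year rather than in CVSS points. The figures are illustrative; the method is what the report should document.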
Identify systemic issues and technical root cause analysis
Pentest metrics, # of systems in scope, # of scenarios in scope, # of processes in scope, # of times detected, # of vulns/host, % of scope systems exploited, % of successful scenarios, % of time / phase, (to be expanded)
Technical Findings, Description, Screen shots, Ensure all PII is correctly redacted, Request/Response captures, PoC examples, Ensure PoC code provides benign validation of the flaw
Reproducible Results, Test Cases, Fault triggers
Incident response and monitoring capabilities, Intelligence gathering, Reverse IDS, Pentest Metrics, Vuln. Analysis, Exploitation, Post-exploitation, Residual effects (notifications to 3rd parties, internally, LE, etc...)
Common elements, Methodology, Objective(s), Scope, Summary of findings, Appendix with terms for risk rating
Preliminary results
Review of the report with the customer
Adjustments to the report
Final report
Versioning of Draft and Final Reports
Presentation, Technical, Management Level
Workshop / Training, Gap Analysis (skills/training)
Exfiltrated evidence, and any other raw (non-proprietary) data gathered.
Remediation Roadmap, Triage, Maturity Model, Progression Roadmap, Long-term Solutions, Defining constraints
Custom tools developed
* Iftach Ian Amit *
This goes beyond PII, PHI and Credit Cards
Define and bound Organizational Intellectual Property
Keys To Kingdom, Trade Secrets, Research & Development, Marketing Plans, Corporate Banking/Credit Accounts, Customer Data, PII, PHI, Credit Card Numbers, Supplier Data, Critical Employees, Executives, Middle Managers, Admins, Engineers, Technicians, HR, Executive Assistants
Technical infrastructure used
Human infrastructure
3rd party usage
Internal Users, Executives, Middle Management, Administrators, Network Admins, System Admins, Server Admins, Developers, Engineers, Technicians
Competitors
Nation States
Organized Crime
Weekend Warriors
Analysis of tools in use
Availability to relevant exploits/payloads
Communication mechanisms (encryption, dropsites, C&C, bulletproof hosting)
* Eric Smith *
Active, Automated, Network/General Vuln Scanners, Port based, Service based, banner grabbing, Web Application Scanners, General application flaw scanner, directory listing/bruteforcing, webserver version/vuln identification, methods, network vulnerability scanners, vpn, ipv6, Voice Network scanners, War Dialing, VoIP, Manual Direct Connection, obfuscated, Multiple Exit Nodes, IDS Evasion, Variable Speed, Variable scope
Passive, Automated, Metadata analysis from Intel phase, Traffic monitoring (p0f etc), Manual, direct connections
Correlation between scanners
Manual testing/protocol specific, VPN, Fingerprinting, Citrix, Enumeration, DNS, Web, Mail
Attack avenues, Creation of attack trees
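An attack tree is only useful once it can be evaluated: which combination of leaves reaches the goal most cheaply, and how that changes when the client insists on a minimum probability of success. The code below is an added example and not from the original outline. OR nodes are satisfied by any child, AND nodes need every child (costs add, independent success probabilities multiply), and the sample tree, its hour estimates and its probabilities are constructed to match the avenues the outline lists (web application, phishing, physical access).

```python
"""Attack tree evaluation: enumerate attack paths and pick the cheapest one.
Added example; the sample tree, costs (hours) and probabilities are constructed."""
from dataclasses import dataclass, field
from itertools import product
from typing import List


@dataclass
class Node:
    name: str
    kind: str = "leaf"          # "leaf", "or" or "and"
    cost: float = 0.0           # leaf only: estimated attacker effort in hours
    prob: float = 1.0           # leaf only: estimated probability of success
    children: List["Node"] = field(default_factory=list)


def enumerate_paths(node):
    """Every way to satisfy node, as (total_cost, success_prob, [leaf names])."""
    if node.kind == "leaf":
        return [(node.cost, node.prob, [node.name])]
    child_paths = [enumerate_paths(c) for c in node.children]
    if node.kind == "or":
        return [p for paths in child_paths for p in paths]
    if node.kind != "and":
        raise ValueError(f"unknown node kind {node.kind!r}")
    paths = []
    for combo in product(*child_paths):      # one path from each AND child
        cost = sum(p[0] for p in combo)
        prob = 1.0
        for p in combo:
            prob *= p[1]                     # independence assumed between steps
        paths.append((cost, prob, [leaf for p in combo for leaf in p[2]]))
    return paths


def best_path(node, min_prob=0.0):
    """Cheapest path whose success probability is at least min_prob, or None."""
    candidates = [p for p in enumerate_paths(node) if p[1] >= min_prob]
    return min(candidates, key=lambda p: p[0]) if candidates else None


# Constructed tree for the goal "read the customer database".
SAMPLE_TREE = Node("Read the customer database", "or", children=[
    Node("Via the external web portal", "and", children=[
        Node("SQL injection in the customer portal", cost=8, prob=0.4),
        Node("Pivot from web tier to database host", cost=4, prob=0.7),
    ]),
    Node("Via a phished administrator", "and", children=[
        Node("Send pretext phish to admin", cost=6, prob=0.3),
        Node("Reuse phished credentials on VPN", cost=2, prob=0.8),
    ]),
    Node("Via physical access", "and", children=[
        Node("Tailgate into the office", cost=4, prob=0.5),
        Node("Plant a network drop box", cost=1, prob=0.9),
        Node("Pivot from drop box to database host", cost=4, prob=0.7),
    ]),
])


if __name__ == "__main__":
    for cost, prob, leaves in sorted(enumerate_paths(SAMPLE_TREE)):
        print(f"{cost:5.1f}h  p={prob:.2f}  {' -> '.join(leaves)}")
    print("cheapest:", best_path(SAMPLE_TREE))
    print("cheapest with p >= 0.3:", best_path(SAMPLE_TREE, min_prob=0.3))
```

In the sample the phishing path is cheapest at 8 hours but has the lowest probability, and the physical path wins once a 30% floor is applied; this is exactly the trade-off to put in front of the client when deciding which scenarios to spend engagement time on, and the tree is also what the threat-modelling section's attacker profiles (capability, access) should feed into through the cost and probability estimates.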
Isolated lab testing
Visual confirmation, Manual connection w/review
Public Research, exploit-db, Google Hacking, Exploit sites, Common/default passwords, Vendor specific advisories
Private Research, Setting up a replica environment, Testing configurations, Identifying potential avenues, Disassembly and code analysis