Transcript
Page 1: WTF is Penetration Testing

WTF IS PENETRATION TESTING? AN OVERVIEW OF WHO, WHAT, WHERE, WHEN, AND WHY

AKHIL..

Page 2: WTF is Penetration Testing

Presentation Overview

• WHAT IS A “PEN TEST”?

• WHY DO COMPANIES “PEN TEST”?

• WHO DOES “PEN TESTING”?

• WHAT SKILLS ARE REQUIRED?

‒ NON TECHNICAL SKILLSET

‒ BASIC TECHNICAL SKILLSET

‒ OFFENSIVE AND DEFENSIVE KNOWLEDGE

• WHAT ARE SOME COMMON TOOLS?

• PEN TESTING AS A CAREER

• ATTACK DEMO: SQL INJECT WORLD

• QUESTIONS

Page 3: WTF is Penetration Testing

What is Penetration Testing?

Our Definition:

“The process of evaluating systems, applications, and protocols with the intent of identifying vulnerabilities from the perspective of an unprivileged or anonymous user to determine the real-world impact…”

“…legally and under contract”

Page 4: WTF is Penetration Testing

Why do Companies Pen Test?

Compliance Requirements

Validate Existing Controls

Identify Unknown Security Gaps

Prioritize Existing Security Initiatives

Prevent Data Breaches

Test IDS / IPS / IRP

Page 5: WTF is Penetration Testing

What are the Technical Objectives?

Client-specific objectives first

Identify and verify all entry points

Identify critical escalation points

Gain unauthorized access to:

‒ Application functionality

‒ Critical systems

‒ Sensitive data

Page 6: WTF is Penetration Testing

Assessment VS. Penetration

Vulnerability Assessment and Penetration Testing Answer:

‒ What are my system layer vulnerabilities?

‒ Where are my system layer vulnerabilities?

‒ How widespread are my system layer vulnerabilities?

‒ Can I identify attacks?

‒ How do I fix my vulnerabilities?

Page 7: WTF is Penetration Testing

Assessment VS. Penetration

Penetration Testing Answers:

‒ What are my high impact network layer issues?

‒ What are my high impact application layer issues?

‒ Can an attacker gain unauthorized access to:

• critical infrastructure that provides privileged access, or cause service disruptions

• critical application functionality that the business depends on

• sensitive data that the business would be required to report on if a breach occurs

‒ Can an attacker bypass our IPS / WAF?

‒ Can an attacker pivot from environment A to environment B?

Page 8: WTF is Penetration Testing

Common Penetration Test Approach

• Kickoff: Scope, cost, testing windows, risks, etc.

• Information Gathering

• Vulnerability Enumeration

• Penetration

• Escalation

• Evidence Gathering (Pilfering)

• Clean up

• Report Creation

• Report Delivery and Review

• Remediation

Page 9: WTF is Penetration Testing

Rules of Engagement

Have fun, but… Hack Responsibly!

Written permission

Stay in scope

No DoS

Don’t change major state

Restore state

Clear communication
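A concrete form of the "Written permission" and "Stay in scope" rules, as an added example that is not part of the original slides: a small Python gate that refuses to hand a target to any scanner unless the address falls inside the contracted scope and outside the client's exclusions. The scope, exclusion and candidate lists are constructed sample data, and the function names are the example's own.

```python
"""Rules-of-engagement scope gate (added example, not from the slides).

Before any tool touches a host, confirm the address sits inside the
written scope and outside every exclusion the client asked for.
"""
import ipaddress

# Constructed sample scope, as it might appear in a signed statement of work.
SCOPE = ["10.10.0.0/16", "192.0.2.10", "203.0.113.0/24"]
# Constructed exclusions: ranges/hosts the client said not to touch.
EXCLUDED = ["10.10.5.0/24", "203.0.113.7"]


def _parse(entries):
    """Turn scope strings into network objects; a bare IP becomes a /32 or /128."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_scope(target, scope=SCOPE, excluded=EXCLUDED):
    """True only if target is an IP inside an allowed range and not excluded.

    Hostnames are rejected on purpose: resolve them yourself and check the
    resulting address, so a DNS change during the test cannot quietly move
    you outside scope.
    """
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False
    # ip_network's __contains__ returns False on an IPv4/IPv6 mismatch,
    # so mixed-family scope lists are safe here.
    allowed = any(addr in net for net in _parse(scope))
    denied = any(addr in net for net in _parse(excluded))
    return allowed and not denied


def filter_targets(targets, scope=SCOPE, excluded=EXCLUDED):
    """Split a candidate list into (testable, rejected) before it reaches a scanner."""
    testable, rejected = [], []
    for t in targets:
        (testable if in_scope(t, scope, excluded) else rejected).append(t)
    return testable, rejected


if __name__ == "__main__":
    # Constructed candidates, e.g. hosts turned up during information gathering.
    candidates = ["10.10.1.4", "10.10.5.20", "203.0.113.7",
                  "198.51.100.3", "www.example.com"]
    ok, bad = filter_targets(candidates)
    print("testable:", ok)
    print("rejected:", bad)
```

The same gate belongs in front of every tool in the engagement, not only the first scan: pivoting (environment A to B) and escalation are exactly where testers drift out of scope.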

Page 10: WTF is Penetration Testing

What Skills are Needed?

Non Technical

Basic Technical

Offensive

Defensive

Common Tools

Page 11: WTF is Penetration Testing

Non Technical Skillset

Written and Verbal Communications

Emails/phone calls

Report development

Small and large group presentations

Professionalism

Respecting others; setting and meeting expectations

Troubleshooting Mindset

Never give up, never surrender

Where there is a will, there is a way

Ethics

Don’t do bad things

Pros (career) vs. Cons (jail)

Hack responsibly

Page 12: WTF is Penetration Testing

Basic Technical Skillset

Windows Desktop Administration

Windows Domain Administration

Linux and Unix Administration

Network Infrastructure Administration

Application Development

Scripting (Ruby, Python, PHP, Bash, PowerShell, Batch)

Managed languages (.NET, Java, Dalvik)

Unmanaged languages (C, C++)

Page 13: WTF is Penetration Testing

Offensive and Defensive Knowledge

System enumeration and service fingerprinting

Linux system exploitation and escalation

Windows system exploitation and escalation

Network system exploitation and escalation

Protocol exploitation

Web application exploitation (OWASP)

Reverse engineering client-server applications + AV Evasion

Social engineering techniques (onsite, phone, email)
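The agenda lists a SQL injection attack demo, but the demo itself is not in this transcript. As an added illustration of the web application exploitation item above (example code written for this page, not the presentation's demo), here is a login query built by string concatenation next to its parameterised form, run against an in-memory SQLite table. The table contents, user names and payloads are constructed for the example.

```python
"""SQL injection: vulnerable lookup beside its hardened form.

Added example, not the presentation's demo. Uses an in-memory SQLite
users table constructed below; nothing here touches a real system.
"""
import sqlite3


def make_db():
    """Build a throwaway users table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    # Plaintext passwords only to keep the demo short; never do this for real.
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("admin", "c0rrect-horse", "admin"),
                      ("alice", "hunter2", "user")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Untrusted input is pasted straight into the SQL text (the bug)."""
    sql = (f"SELECT role FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Parameterised query: values travel separately from the statement."""
    sql = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Two classic payloads. The first closes the string and makes the WHERE
# clause always true (AND binds tighter than OR, so every row matches).
# The second closes the username string and comments out the password check.
PAYLOAD_OR = "' OR '1'='1"
PAYLOAD_COMMENT = "admin'--"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, OR payload as password:", login_vulnerable(conn, "admin", PAYLOAD_OR))
    print("vulnerable, comment payload as user:", login_vulnerable(conn, PAYLOAD_COMMENT, "x"))
    print("fixed, OR payload as password:     ", login_fixed(conn, "admin", PAYLOAD_OR))
    print("fixed, comment payload as user:    ", login_fixed(conn, PAYLOAD_COMMENT, "x"))
```

Tools such as sqlmap from the Common Tools slide automate finding the first function's defect; the fix is always the second form, regardless of which tool found it.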

Page 14: WTF is Penetration Testing

Common Tools

Knowledge > Tools

Understand the core technologies

Understand the core offensive techniques

Understand the core defensive techniques

Network Penetration Testing

BT, CAIN, YERSINIA, NCAT, NMAP, NESSUS, NEXPOSE, WCE, MIMIKATZ, AirCrack-ng, METASPLOIT… and NATIVE TOOLS!

Application Penetration Testing

BURP, ZAP, NIKTO, DIRBUSTER, SQLMAP, SQLNinja, and BEEF… and commercial tools

Page 15: WTF is Penetration Testing

Pen Testing as a Career:

Common Paths

Internal Paths

Help Desk

IT Support

IT Admin

Security Analyst

Senior Security Analyst

Internal Consultant

CISO

Security Consulting Paths

Internship

Consultant

Senior Consultant

Principal Consultant

Team Lead

Director of Security

> Consultants often end up in malware research or exploit development, but some go corporate.

> Internal employees often stay internal.

Page 16: WTF is Penetration Testing

BE SAFE and HACK RESPONSIBLY

Questions, comments, curses?
