What is a pentest?

Carding 4 Carders

What is a pentest?

Pentest – penetration testing: the analysis of network infrastructure, company servers, or applications for vulnerabilities.

The purpose of this analysis is to find vulnerabilities and create possible attack vectors, simulating the actions of a real attacker.

After testing, a report is prepared for management, which describes the vulnerabilities found and recommendations for their elimination.

Some security standards (such as PCI DSS and 382-P for financial sector organizations) require such testing to be performed once a year or more often.

The orders of the FSTEC of Russia also contain a requirement to conduct penetration testing every 3 years for organizations that work with personal data.

Types of pentesting based on the knowledge model

Whitebox – code and infrastructure audit. In this case, the pentester team is given the source code of the software, or a copy of the infrastructure, which can be deployed in-house and studied "from the inside".

Graybox – before testing, the team of specialists is provided with information about the organization's structure.

Blackbox – the pentester does not have any information about the organization's information security. Only general information about the organization is given. You have to act like a real attacker, starting the testing with data collection.

The "Red Team" principle is the closest approach to a real scenario. The pentester team does not have information about the attack targets, and the organization's employees do not know that testing is being conducted.

Types of penetration testing

Infrastructure scanning – testing the network with security scanners and providing a report. The simplest type of testing, which allows you to find obvious security holes.

External pentest – an attack only on the external network segment. The purpose of such testing is to make sure that an attacker from outside will not be able to get into the internal perimeter of the network. For example, an organization has web services that are accessible from the outside and are connected to the internal network. The task of the pentester is to get access to the internal network through such an external service.

Internal pentest – simulates an attack on the internal perimeter by a user who has basic rights within the organization. Typical scenario: an attacker gets a job in the organization disguised as an employee. The purpose of the internal pentest is to make sure that they cannot escalate their privileges in the network and get to protected data.

Wi-Fi testing – searches for vulnerabilities in the organization's Wi-Fi network.

Web application pentest – search for vulnerabilities on the organization's websites. These can be configuration errors, session management errors, or authorization mechanism errors. The most common vulnerabilities are described in the OWASP Top 10 methodology.

Load testing – checks the readiness of the network infrastructure in case of a DDoS attack on the organization.

Social engineering testing of employees – checks whether the organization's employees comply with internal security protocols. After all, the reason a well-protected network gets hacked is often the human factor.

Testing methodology

There are several basic methodologies that are used for conducting a pentest.

  • PTES (Penetration Testing Execution Standard)
  • OWASP (Open Web Application Security Project)
  • OSSTMM (Open Source Security Testing Methodology Manual)
  • NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment)
  • ISSAF (Information Systems Security Assessment Framework)
The choice of a specific methodology depends on the tasks, requirements and security standards applied in a particular organization.

Stages of penetration testing

The work of a pentester consists of several main stages.
  • Collection of information
  • Vulnerability analysis
  • Exploitation
  • Generating a report

Collection of information

At this stage, they search for as much information as possible about the target. This increases the scope of testing, because each new host may have vulnerabilities.

First, using search engines (Yandex, Google, Bing), you can use the organization's name to find domains, employee names, addresses, and phone numbers. All this will be useful in the next stages.

Further, specialized search engines are used, for example https://spyse.com/.

You can use it to get:
  • Information about DNS records
  • WHOIS
  • Subdomains
  • Host IP addresses
  • Sites located on the specified IP address (other than the target one)
  • Open ports
  • Banners for running services (type, version, and even possible vulnerabilities)

All this is uploaded to a report that will be used during the analysis stage.

The following tools can also be useful when collecting information:

Wayback Machine – a web archive that stores old versions of pages. It allows you to view changes on the site by the specified dates.

Maltego – a full-fledged suite for collecting information which, in addition to the main tools, can build a map of the target's infrastructure. This visual representation helps you avoid missing possible attack vectors.

Vulnerability analysis of targets

The next stage of the pentester's work is to search for vulnerabilities in the testing area they have found. The organization's hosts that were found are scanned for open ports, and the installed software versions are checked to see whether they are up to date. Phishing mailings are prepared for the list of employee addresses that was found.

Where physical access to the infrastructure is possible, attacks on Wi-Fi or the use of BadUSB (a device that can be connected to the computer's USB port to get remote access) can be used.

When it comes to testing a website, the pentester checks for possible vulnerabilities in business logic and configuration, as well as the most common errors (SQL injection, XSS, and so on).

Automation tools can be used for analysis, such as Burp Suite, Nessus, Nmap, and others. Automatic scanning helps you narrow down your search area and focus on potentially vulnerable areas. Then the manual work begins.

Exploitation

At this stage, the pentester tries to exploit the vulnerabilities found. Exploits and phishing emails with attachments are all tools that can be used to get inside the infrastructure.

After that, you need to escalate privileges and gain a foothold in the system. For this purpose, local exploits and other methods of privilege escalation are used. To maintain access to the system, backdoors are used.

Once a foothold is established, the pentester collects data. This is the proof of the network infrastructure's vulnerability required for the report.

Often, the collected data allows you to conduct several more iterations of analysis and exploitation, because it may contain credentials or information about new hosts.

Creating a report

After identifying vulnerabilities, the team collects evidence and creates a report listing the vulnerabilities found and the attack vectors. The report includes information on the vulnerabilities that were used for the break-in, information about vulnerable software, incorrect network configuration, and so on.

The report specifies the servers, applications, data, and network segments that were accessed. After reviewing the report, company management can assess the dangerous consequences that a real hack could lead to and draw up a roadmap for fixing the shortcomings.

It is necessary to conduct regular testing of your network infrastructure. A real hacker attack can result in serious financial and reputational losses. Therefore, conducting such testing is mandatory for the financial sector, and it is highly recommended for any medium and large business.
 

Carding


Conduct passive and active information collection!

Today we will talk about the first step in collecting information about a company. Or rather, about evaluating the security of the company's IT infrastructure based on data from its websites and DNS records using penetration testing, called a "pentest".

We start the pentest process by collecting general information about the object: what services are used, how many servers there are and what addresses they have, etc.

The starting point is most often the customer's second-level domain, which is also the company's website. Let's try to get the most out of this information. Moreover, we will do this in passive mode, so that monitoring systems do not detect suspicious activity, etc.

You should start by analyzing the site and the information on it. If we start scanning a site, we may trigger security alerts, so we'll use a service that has already scanned this site and has a snapshot of it. Yes, such a service exists and is called Google!

Collecting information in Google

How can Google show you the information you're interested in? Normal site surfing turns into professional passive crawling when you start using special operators in search queries – "dorks".

Search for keywords on the site

Code:
"keyword" site:domain.com

Application:

It is useful to collect email addresses, which are also logins that are used in the company.

Often, the main domain is not only the company's website address, but also the mail domain. Accordingly, we enter in the Google search

Code:
@domain.com site:domain.com

Search for files on the site

Code:
"keyword" filetype:pdf site:domain.com

Application:

For example, find contracts that may contain information about partners.

Code:
Contract filetype:pdf site:domain.com

We can also easily find robots.txt, including test versions that are not located in the root directory:

Code:
robots filetype:txt site:domain.com

Search in the URL

Code:
inurl:"what we are looking for"

Application:

Helps you search for SQL injections. A well-known search query that starts the "hunt" for SQL injections:

Code:
inurl:.php?id=

Analysis of DNS records

Another service that can tell you a lot about a pentest object is public DNS. In order for the outside world to work correctly with the company's services, some information has to be published.

In the Linux terminal, enter the whois <domain> command. For example:

Code:
whois vk.com

% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object
refer: whois.verisign-grs.com
domain: COM
organisation: VeriSign Global Registry Services
address: 12061 Bluemont Way
address: Reston Virginia 20190
address: United States
contact: administrative
name: Registry Customer Service
organisation: VeriSign Global Registry Services
address: 12061 Bluemont Way
address: Reston Virginia 20190
address: United States
phone: +1 703 925-6999
fax-no: +1 703 948 3978
e-mail: [email protected]
contact: technical
name: Registry Customer Service
organisation: VeriSign Global Registry Services
address: 12061 Bluemont Way
address: Reston Virginia 20190
address: United States
phone: +1 703 925-6999
fax-no: +1 703 948 3978
e-mail: [email protected]
nserver: A.GTLD-SERVERS.NET 192.5.6.30 2001:503:a83e:0:0:0:2:30
nserver: B.GTLD-SERVERS.NET 192.33.14.30 2001:503:231d:0:0:0:2:30
nserver: C.GTLD-SERVERS.NET 192.26.92.30 2001:503:83eb:0:0:0:0:30
etc.

There is a lot of useful information here. Often, the contacts give the real email address of the administrator. If you manage to conduct a successful brute force attack on this login, you can get full control over the entire IT infrastructure.

It is also a great success to find a filled-in inetnum field, which indicates the range of IP addresses belonging to the company:

Code:
inetnum: 95.200.118.0 - 95.200.119.255

Do not forget about such important information as the list of subdomains. If you can't get through the main (second-level) domain, the services behind subdomains are usually less secure.

Another source of passive data collection is web services that provide whois information, such as 2ip. In addition to what you received earlier, you can even determine the CMS that the site is running on. For more information, see the Content Management System (CMS) section.

Search for live hosts

Now let's start actively collecting information.

At the previous stage, if we were lucky, we got a pool of addresses that belong to the object. Let's find out which ones are currently in use.

Code:
fping -Asg 95.200.118.0/24 -r 2 >> address.list
cat address.list | grep alive

We get a list of hosts that responded to ping.

Next, you can start exploring hosts from this list with the nmap command.

Scanning the network via nmap

Quick check of standard ports

Code:
nmap -sS <ip address or subnet>

sS stands for "silent" check. There is a chance that monitoring systems will not notice the scan.

Checking all ports

Code:
nmap -sS <ip address or subnet> -p1-65535

Determining the OS version

Code:
nmap -O <ip address or subnet>

Automate the analysis process

Finally, I would like to highlight a convenient tool that will allow you to automate all the above methods of exploration and even more.

The app is called recon-ng.

Download link https://bitbucket.org/LaNMaSteR53/recon-ng.git

Pre-installed in Kali Linux.

It is a modular framework similar to the Metasploit Framework (MF), but is mainly intended for passive analysis of web resources. The control mechanism is similar to MF.

The main modules, a list of which is available for registered users, will allow you to visually evaluate whether this framework is useful for you or not.

Conclusions

The result of the pentest is the collected information, based on which you can determine the vectors of possible attacks on the company and see the parts of the IT infrastructure that need protection first. We will tell you how to do this in the following materials!
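The whois output above is a plain "key: value" record, and the inetnum range is the one piece of it a defender most wants in machine-readable form (to check what address space the organization has publicly declared). The following script is an added example, not code from the post or from any tool it names: it parses that record layout, splits the nserver entries into hostname and addresses, converts the "start - end" inetnum range into CIDR blocks, and answers whether a given address falls inside the declared range. The sample record is constructed for the example and reuses the registry and inetnum values quoted in the post.

```python
"""Parse whois "key: value" records into a structured inventory.

Added example, not code from the post. Handles the layout shown in the
post's whois output: one "key: value" per line, comment lines starting
with "%", and keys such as address/nserver that may repeat.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the same layout as the post's whois output. The
# registry and name-server lines reuse the values quoted in the post; the
# inetnum range is the one quoted in the post.
SAMPLE_WHOIS = """\
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object
refer:        whois.verisign-grs.com
domain:       COM
organisation: VeriSign Global Registry Services
address:      12061 Bluemont Way
address:      Reston Virginia 20190
address:      United States
contact:      technical
name:         Registry Customer Service
nserver:      A.GTLD-SERVERS.NET 192.5.6.30 2001:503:a83e:0:0:0:2:30
nserver:      B.GTLD-SERVERS.NET 192.33.14.30 2001:503:231d:0:0:0:2:30
inetnum:      95.200.118.0 - 95.200.119.255
"""

# key, a colon, then the value with surrounding whitespace trimmed
LINE_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*?)\s*$")


def parse_whois(text):
    """Return {key: [value, ...]}; repeated keys keep their order."""
    records = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("%"):
            continue  # blank line or server comment
        m = LINE_RE.match(line)
        if m:
            records[m.group(1).lower()].append(m.group(2))
    return dict(records)


def name_servers(records):
    """Split each nserver value into (hostname, [ipv4/ipv6 addresses])."""
    servers = []
    for value in records.get("nserver", []):
        host, *addrs = value.split()
        servers.append((host.lower(), addrs))
    return servers


def inetnum_to_cidr(records):
    """Turn every 'start - end' inetnum range into the minimal CIDR list."""
    networks = []
    for value in records.get("inetnum", []):
        start, _, end = value.partition("-")
        networks.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start.strip()),
            ipaddress.ip_address(end.strip())))
    return [str(n) for n in networks]


def in_scope(records, ip):
    """True if ip falls inside one of the record's inetnum ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in inetnum_to_cidr(records))


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print("name servers:", name_servers(rec))
    print("address blocks:", inetnum_to_cidr(rec))
    print("95.200.119.10 in scope:", in_scope(rec, "95.200.119.10"))
```

Feeding real `whois` output into `parse_whois` works the same way; the only assumption is the one-pair-per-line layout, which RIPE- and IANA-style servers follow. Comparing `inetnum_to_cidr` against the organization's own asset list is a quick way to spot address space that is publicly attributed to the company but no longer tracked internally.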
 

Jollier

➕ BASIC PENTEST SCANS ➕

IKE-SCAN

Get the VPN pre-shared key (if in aggressive mode) for cracking. Store it in the "ike-hash" file.
Code:
ike-scan -M -A -Pike-hash 108.170.124.170

Wpscan - on Kali

# note, the -r is important to randomize a legit user agent. Secured wordpress sites reject non-legit agents.
Code:
wpscan -r --url <url>

Nmap

Nmap snmp brute force - not sure if this is actually working
Code:
./nmap -sU --script snmp-brute --script-trace --script-args snmp-brute.communitiesdb=SNMP_PASSWORDS.txt <IP>

Metasploit

Metasploit snmp_login module (for brute force)
Code:
msf6 > use auxiliary/scanner/snmp/snmp_login
show options
set RHOSTS <IP>
run

SNMP-brute on Kali
Code:
/usr/share/sparta/scripts/snmpbrute.py -f <communitystring_file> -t <IP>

SNMP enumeration once you know the community string
Code:
perl snmpenum.pl <IP> <COMMUNITY> <FILE>
 
Sqlmap (blind sql injection tests)

full request in updateprofile.txt, parameter tested is "rank_id"
Code:
sqlmap -r updateprofile.txt -p rank_id

Hydra (brute force SSH, telnet, etc.)
Code:
hydra -s 22 -v -L ./usernames_small.txt -P ./passwords_small.txt -t 10 sftp.dvidshub.net ssh

Dnsrecon to reverse lookup an ip range
Code:
dnsrecon -r 155.7.145.0/24

Nikto
Code:
nikto.pl -C all -host <hostname>
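The Hydra line above runs ten parallel SSH sessions through a username and password list, and on the target that activity lands in the sshd log as a burst of "Failed password" entries from one source, often across several usernames. The following script is an added example, not code from the post or from Hydra: it parses constructed sshd auth.log lines and applies a per-source sliding-window rule (too many failures, or too many distinct usernames, within 60 seconds) so the same activity the cheat sheet describes can be detected from the log side. The sample lines are constructed for the example; syslog lines carry no year, so the year is passed in as an assumption.

```python
"""Detect SSH password guessing from sshd log lines (added example).

Not code from the post. Log-side counterpart of the Hydra command: a
sliding-window rule per source IP over "Failed password" entries.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines in syslog layout; not real data.
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 12:00:02 bastion sshd[2102]: Failed password for root from 203.0.113.7 port 51123 ssh2
Mar 10 12:00:02 bastion sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 51124 ssh2
Mar 10 12:00:03 bastion sshd[2104]: Failed password for invalid user oracle from 203.0.113.7 port 51125 ssh2
Mar 10 12:00:03 bastion sshd[2105]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar 10 12:00:04 bastion sshd[2106]: Failed password for alice from 203.0.113.7 port 51127 ssh2
Mar 10 12:00:04 bastion sshd[2107]: Failed password for admin from 203.0.113.7 port 51128 ssh2
Mar 10 12:00:05 bastion sshd[2108]: Failed password for invalid user ubuntu from 203.0.113.7 port 51129 ssh2
Mar 10 12:00:05 bastion sshd[2109]: Failed password for invalid user pi from 203.0.113.7 port 51130 ssh2
Mar 10 12:00:06 bastion sshd[2110]: Failed password for root from 203.0.113.7 port 51131 ssh2
Mar 10 12:00:06 bastion sshd[2111]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
Mar 10 12:05:00 bastion sshd[2112]: Failed password for bob from 198.51.100.20 port 40001 ssh2
Mar 10 12:09:00 bastion sshd[2113]: Accepted password for bob from 198.51.100.20 port 40002 ssh2
"""

# "Mon DD HH:MM:SS host sshd[pid]: Failed password for [invalid user] USER from IP port N"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Return (timestamp, source_ip, username) for every failed-password line.

    syslog lines carry no year, so the caller supplies it (assumption)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], m["user"]))
    return events


def detect_bruteforce(events, window=timedelta(seconds=60),
                      max_failures=5, max_users=3):
    """Per-source sliding window over failures.

    A source is flagged when, inside `window`, it either accumulates
    >= max_failures failures (dictionary attack on few accounts) or tries
    >= max_users distinct usernames (spraying). Returns {src: worst window}."""
    by_src = defaultdict(list)
    for ts, src, user in sorted(events):
        by_src[src].append((ts, user))
    alerts = {}
    for src, evs in by_src.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward past old events
            in_window = evs[start:end + 1]
            users = sorted({u for _, u in in_window})
            if len(in_window) >= max_failures or len(users) >= max_users:
                if best is None or len(in_window) > best["failures"]:
                    span = evs[end][0] - evs[start][0]
                    best = {"failures": len(in_window), "users": users,
                            "span_seconds": int(span.total_seconds())}
        if best:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(parse_failures(SAMPLE_AUTH_LOG)).items():
        print(f"{src}: {info['failures']} failures, {len(info['users'])} users "
              f"in {info['span_seconds']}s -> {info['users']}")
```

The two thresholds are deliberately separate: a single-account brute force trips the failure count, while a low-and-slow spray that tries one password against many accounts trips the distinct-user count before the failure count would. A user who mistypes a password once (198.51.100.20 in the sample) never reaches either threshold.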
 

Teacher

Pentest Tools:
- Windows Active Directory Pentest;
- AMSI Bypass restriction Bypass;
- Payload Hosting;
- Network Share Scanner;
- Reverse Shellz;
- Backdoor finder;
- POST Exploitation;
- Web Application Pentest and more...
+ Netstalking OSINT
 