Difference between revisions of "SANS 560 Notes"
Jump to navigation
Jump to search
| Line 49: | Line 49: | ||
** Scanning/probing | ** Scanning/probing | ||
** enumeration | ** enumeration | ||
== Overall Methodology == | |||
* Preparation | |||
** Sign a NDA | |||
** Discuss nature of the test | |||
*** Identify threats/Concerns | |||
*** Agree on rules of engagement | |||
*** Determine scope of test | |||
** Sign off on permission, notice of danger | |||
*** Vital to get before starting | |||
*** "Get out of jail free" card | |||
** Assign team | |||
* Testing | |||
** Conduct the test | |||
* Conclusion | |||
** Perform detailed analysis | |||
** Retest | |||
** Reporting | |||
**Presentation | |||
== Limitation of liability/insurance == | |||
* Should be drawn up by a lawyer | |||
* Generally limited to a value of project | |||
== Rules of Engagement == | |||
* Emergency contact info ( 24/7 ) | |||
* Daily debriefings | |||
* Dates and times of day | |||
* Announced/unannounced | |||
* Shunning ( IDS/IPS ) | |||
* Black-box vs Crystal-box testing | |||
* Viewing data on compromised systems | |||
* Observing tests | |||
* '''Document agreements and both sign off''' | |||
== Scope == | |||
* What are biggest concerns? | |||
** Disclosure of sensitive info | |||
** Interruption in production processing | |||
** Embarrassment ( defacement ) | |||
** Compromising for deeper penetration | |||
* Avoid scope creep | |||
* What to test | |||
** Domain names | |||
** Address ranges | |||
** hosts | |||
** applications | |||
* Third party System | |||
** ISP's | |||
** DNS | |||
** Hosting | |||
** Get permission | |||
* Test vs. production | |||
* How to test | |||
** ping port scan | |||
** vulnerability scan | |||
** penetration | |||
** client-side | |||
** application | |||
** physical pen | |||
** social engineering | |||
* Internal vs external | |||
** On-site, granted access | |||
** On-site, sneak in | |||
** VPN access | |||
* Testing client-side | |||
** Browsers | |||
** Phishing | |||
** E-mail exploits | |||
* Social Engineering | |||
** Controversial | |||
** Ensure explicit permission | |||
** Define explicit goal | |||
** Establish pretexts, scripts in advance | |||
** Use a friendly people person ( female is better) | |||
*Denial of Service | |||
** Check version numbers or try to crush? '''Be explicit!''' | |||
* "Dangerous" exploits | |||
** should they be included? | |||
** Any test can potentially crash a host | |||
== Reporting == | |||
Always Create a report | |||
* Even for inhouse tests | |||
Revision as of 17:06, 30 July 2008
560.1 Sans 560: Network Penetration and Ethical Hacking
Definitions
- Threat: Agent That can Cause harm
- Vulnerability: A flaw that can be exploited
- Risk: Overlap of Vulnerability and threat
- Exploit: Code/Technique used by a threat on a vulnerability
- Active attack: manipulates target
- Passive Attack: Does not manipulate target
- Ethical Hacking: Using attack techniques to find flaws with permission, to improve security ( aka white hat hacker )
- Penetration testing: An attempt to gain entry to a network
- Security Assessments/Vulnerability Assessment: Finding vulnerabilities
- Security Audit: Comparing findings against a set of standards
- Phases of an attack
- Recon
- Scanning
- Exploitation
- Pentesting limitations:
- Scope
- Time
- Methods
- Pentester limitations:
- scope
- time
- methods
Public/Free methodologies
- Open Source Security Testing Methodology Manual [1]
- Focus on Transparency, business value
- Broad descriptions of categories
- Numerous templates
- NIST [2]
- Processes
- Roles
- Tools
- High-level
- OWASP [3]
- Web app testing
- compares impact: likelihood
- Penetration Testing Framework [4]
- Network penetration tests
- Specific tools, commands
- Step-by-step
- Recon
- Social Engineering
- Scanning/probing
- enumeration
Overall Methodology
- Preparation
- Sign a NDA
- Discuss nature of the test
- Identify threats/Concerns
- Agree on rules of engagement
- Determine scope of test
- Sign off on permission, notice of danger
- Vital to get before starting
- "Get out of jail free" card
- Assign team
- Testing
- Conduct the test
- Conclusion
- Perform detailed analysis
- Retest
- Reporting
- Presentation
Limitation of liability/insurance
- Should be drawn up by a lawyer
- Generally limited to a value of project
Rules of Engagement
- Emergency contact info ( 24/7 )
- Daily debriefings
- Dates and times of day
- Announced/unannounced
- Shunning ( IDS/IPS )
- Black-box vs Crystal-box testing
- Viewing data on compromised systems
- Observing tests
- Document agreements and both sign off
Scope
- What are biggest concerns?
- Disclosure of sensitive info
- Interruption in production processing
- Embarrassment ( defacement )
- Compromising for deeper penetration
- Avoid scope creep
- What to test
- Domain names
- Address ranges
- hosts
- applications
- Third party System
- ISP's
- DNS
- Hosting
- Get permission
- Test vs. production
- How to test
- ping port scan
- vulnerability scan
- penetration
- client-side
- application
- physical pen
- social engineering
- Internal vs external
- On-site, granted access
- On-site, sneak in
- VPN access
- Testing client-side
- Browsers
- Phishing
- E-mail exploits
- Social Engineering
- Controversial
- Ensure explicit permission
- Define explicit goal
- Establish pretexts, scripts in advance
- Use a friendly people person ( female is better)
- Denial of Service
- Check version numbers or try to crush? Be explicit!
- "Dangerous" exploits
- should they be included?
- Any test can potentially crash a host
Reporting
Always Create a report
- Even for inhouse tests