Difference between revisions of "SANS 560 Notes"
Latest revision as of 17:09, 30 July 2008
560.1 SANS 560: Network Penetration and Ethical Hacking
Definitions
- Threat: an agent that can cause harm
- Vulnerability: a flaw that can be exploited
- Risk: the overlap of a vulnerability and a threat
- Exploit: code or a technique used by a threat against a vulnerability
- Active attack: manipulates the target
- Passive attack: does not manipulate the target
- Ethical hacking: using attack techniques, with permission, to find flaws and improve security (aka white hat hacking)
- Penetration testing: an attempt to gain entry to a network
- Security assessment / vulnerability assessment: finding vulnerabilities
- Security audit: comparing findings against a set of standards
- Phases of an attack
  - Recon
  - Scanning
  - Exploitation
- Pentesting limitations:
  - Scope
  - Time
  - Methods
- Pentester limitations:
  - Scope
  - Time
  - Methods
Public/Free methodologies
Open Source Security Testing Methodology Manual [1]
- Focus on Transparency, business value
- Broad descriptions of categories
- Numerous templates
NIST [2]
- Processes
- Roles
- Tools
- High-level
OWASP [3]
- Web app testing
- Compares impact vs. likelihood
Penetration Testing Framework [4]
- Network penetration tests
- Specific tools, commands
- Step-by-step
  - Recon
  - Social engineering
  - Scanning/probing
  - Enumeration
Overall Methodology
Preparation
- Sign an NDA
- Discuss the nature of the test
  - Identify threats/concerns
  - Agree on rules of engagement
  - Determine scope of the test
- Sign off on permission, notice of danger
  - Vital to get before starting
  - "Get out of jail free" card
- Assign team
Testing
- Conduct the test
Conclusion
- Perform detailed analysis
- Retest
- Reporting
- Presentation
Limitation of liability/insurance
- Should be drawn up by a lawyer
- Generally limited to a value of project
Rules of Engagement
- Emergency contact info (24/7)
- Daily debriefings
- Dates and times of day
- Announced/unannounced
- Shunning (IDS/IPS)
- Black-box vs. crystal-box testing
- Viewing data on compromised systems
- Observing tests
- Document agreements and both sign off
Scope
What are the biggest concerns?
- Disclosure of sensitive info
- Interruption in production processing
- Embarrassment (defacement)
- Compromising for deeper penetration
Avoid scope creep
What to test
- Domain names
- Address ranges
- Hosts
- Applications
Third-party systems
- ISPs
- DNS
- Hosting
- Get permission
Test vs. production
How to test
- Ping/port scan
- Vulnerability scan
- Penetration
- Client-side
- Application
- Physical pen
- Social engineering
- Internal vs. external
  - On-site, granted access
  - On-site, sneak in
  - VPN access
- Testing client-side
  - Browsers
  - Phishing
  - E-mail exploits
Social Engineering
- Controversial
- Ensure explicit permission
- Define explicit goal
- Establish pretexts, scripts in advance
- Use a friendly people person (female is better)
Denial of Service
- Check version numbers only, or actually try to crash the host? Be explicit!
"Dangerous" exploits
- Should they be included?
- Any test can potentially crash a host
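The rules of engagement (dates and times of day) and the scope lists above (address ranges, domain names, third-party systems that need separate permission) are the inputs a tester should check every target against before running a tool, which is the practical guard against scope creep. The following is an added example, not course material; the scope data is constructed and the function names are my own:

```python
import ipaddress
from datetime import datetime, time

# Constructed rules-of-engagement data for illustration only (not from the course or any client).
ROE = {
    "cidrs": ["192.0.2.0/24", "198.51.100.0/25"],   # authorized address ranges
    "domains": ["example.com"],                    # authorized domain and its subdomains
    "excluded": ["192.0.2.10"],                    # e.g. hosted by a third party, no permission obtained
    "window": (time(22, 0), time(6, 0)),           # agreed testing hours (overnight, crosses midnight)
}

def target_in_scope(target, roe=ROE):
    """Return True only if target (an IP or hostname) is inside the agreed scope."""
    target = target.strip().lower()
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # Explicit exclusions win over range membership (third-party hosts, fragile systems).
        if any(ip == ipaddress.ip_address(x) for x in roe["excluded"]):
            return False
        return any(ip in ipaddress.ip_network(c) for c in roe["cidrs"])
    # Hostname: exact match or a subdomain of an authorized domain; no suffix tricks.
    return any(target == d or target.endswith("." + d) for d in roe["domains"])

def within_window(now, roe=ROE):
    """True if now (a datetime) falls inside the agreed testing window, including overnight windows."""
    start, end = roe["window"]
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def check_target(target, now, roe=ROE):
    """Combine both checks into a decision string suitable for the tester's activity log."""
    if not target_in_scope(target, roe):
        return "REFUSE: out of scope or explicitly excluded"
    if not within_window(now, roe):
        return "REFUSE: outside agreed testing window"
    return "OK"
```

Logging every refusal alongside the accepted targets gives the daily debriefing a record of what was and was not touched.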
Reporting
Always create a report
- Even for in-house tests