Difference between revisions of "SANS 560 Notes"

From SkullSecurity
Jump to navigation Jump to search
Line 26: Line 26:
== Public/Free methodologies ==
== Public/Free methodologies ==


* Open Source Security Testing Methodology Manual [http://www.isecom.org/osstmm/]
Open Source Security Testing Methodology Manual [http://www.isecom.org/osstmm/]
** Focus on Transparency, business value
* Focus on Transparency, business value
** Broad descriptions of categories
* Broad descriptions of categories
** Numerous templates
* Numerous templates


* NIST [http://www.nist.gov/]
NIST [http://www.nist.gov/]
** Processes
* Processes
** Roles
* Roles
** Tools
* Tools
** High-level
* High-level


* OWASP [http://www.owasp.org/index.php/Main_Page]
OWASP [http://www.owasp.org/index.php/Main_Page]
** Web app testing
* Web app testing
** compares impact: likelihood
* compares impact: likelihood


* Penetration Testing Framework [http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html]
Penetration Testing Framework [http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html]
** Network penetration tests
* Network penetration tests
** Specific tools, commands
* Specific tools, commands
** Step-by-step
* Step-by-step
** Recon
* Recon
** Social Engineering
* Social Engineering
** Scanning/probing
* Scanning/probing
** enumeration
* enumeration


== Overall Methodology ==
== Overall Methodology ==

Revision as of 17:07, 30 July 2008

560.1 Sans 560: Network Penetration and Ethical Hacking

Definitions

  • Threat: Agent That can Cause harm
  • Vulnerability: A flaw that can be exploited
  • Risk: Overlap of Vulnerability and threat
  • Exploit: Code/Technique used by a threat on a vulnerability
  • Active attack: manipulates target
  • Passive Attack: Does not manipulate target
  • Ethical Hacking: Using attack techniques to find flaws with permission, to improve security ( aka white hat hacker )
  • Penetration testing: An attempt to gain entry to a network
  • Security Assessments/Vulnerability Assessment: Finding vulnerabilities
  • Security Audit: Comparing findings against a set of standards
  • Phases of an attack
    • Recon
    • Scanning
    • Exploitation
  • Pentesting limitations:
    • Scope
    • Time
    • Methods
  • Pentester limitations:
    • scope
    • time
    • methods

Public/Free methodologies

Open Source Security Testing Methodology Manual [1]

  • Focus on Transparency, business value
  • Broad descriptions of categories
  • Numerous templates
NIST [2]
  • Processes
  • Roles
  • Tools
  • High-level
OWASP [3]
  • Web app testing
  • compares impact: likelihood
Penetration Testing Framework [4]
  • Network penetration tests
  • Specific tools, commands
  • Step-by-step
  • Recon
  • Social Engineering
  • Scanning/probing
  • enumeration

Overall Methodology

  • Preparation
    • Sign a NDA
    • Discuss nature of the test
      • Identify threats/Concerns
      • Agree on rules of engagement
      • Determine scope of test
    • Sign off on permission, notice of danger
      • Vital to get before starting
      • "Get out of jail free" card
    • Assign team
  • Testing
    • Conduct the test
  • Conclusion
    • Perform detailed analysis
    • Retest
    • Reporting
    • Presentation

Limitation of liability/insurance

  • Should be drawn up by a lawyer
  • Generally limited to a value of project

Rules of Engagement

  • Emergency contact info ( 24/7 )
  • Daily debriefings
  • Dates and times of day
  • Announced/unannounced
  • Shunning ( IDS/IPS )
  • Black-box vs Crystal-box testing
  • Viewing data on compromised systems
  • Observing tests
  • Document agreements and both sign off

Scope

  • What are biggest concerns?
    • Disclosure of sensitive info
    • Interruption in production processing
    • Embarrassment ( defacement )
    • Compromising for deeper penetration
  • Avoid scope creep
  • What to test
    • Domain names
    • Address ranges
    • hosts
    • applications
  • Third party System
    • ISP's
    • DNS
    • Hosting
    • Get permission
  • Test vs. production
  • How to test
    • ping port scan
    • vulnerability scan
    • penetration
    • client-side
    • application
    • physical pen
    • social engineering
  • Internal vs external
    • On-site, granted access
    • On-site, sneak in
    • VPN access
  • Testing client-side
    • Browsers
    • Phishing
    • E-mail exploits
  • Social Engineering
    • Controversial
    • Ensure explicit permission
    • Define explicit goal
    • Establish pretexts, scripts in advance
    • Use a friendly people person ( female is better)
  • Denial of Service
    • Check version numbers or try to crush? Be explicit!
  • "Dangerous" exploits
    • should they be included?
    • Any test can potentially crash a host

Reporting

Always Create a report

  • Even for inhouse tests