SANS 560 Notes

From SkullSecurity
Revision as of 17:06, 30 July 2008 by Iamstef (talk | contribs)
Jump to navigation Jump to search

560.1 Sans 560: Network Penetration and Ethical Hacking

Definitions

  • Threat: Agent That can Cause harm
  • Vulnerability: A flaw that can be exploited
  • Risk: Overlap of Vulnerability and threat
  • Exploit: Code/Technique used by a threat on a vulnerability
  • Active attack: manipulates target
  • Passive Attack: Does not manipulate target
  • Ethical Hacking: Using attack techniques to find flaws with permission, to improve security ( aka white hat hacker )
  • Penetration testing: An attempt to gain entry to a network
  • Security Assessments/Vulnerability Assessment: Finding vulnerabilities
  • Security Audit: Comparing findings against a set of standards
  • Phases of an attack
    • Recon
    • Scanning
    • Exploitation
  • Pentesting limitations:
    • Scope
    • Time
    • Methods
  • Pentester limitations:
    • scope
    • time
    • methods

Public/Free methodologies

  • Open Source Security Testing Methodology Manual [1]
    • Focus on Transparency, business value
    • Broad descriptions of categories
    • Numerous templates
  • NIST [2]
    • Processes
    • Roles
    • Tools
    • High-level
  • OWASP [3]
    • Web app testing
    • compares impact: likelihood
  • Penetration Testing Framework [4]
    • Network penetration tests
    • Specific tools, commands
    • Step-by-step
    • Recon
    • Social Engineering
    • Scanning/probing
    • enumeration

Overall Methodology

  • Preparation
    • Sign a NDA
    • Discuss nature of the test
      • Identify threats/Concerns
      • Agree on rules of engagement
      • Determine scope of test
    • Sign off on permission, notice of danger
      • Vital to get before starting
      • "Get out of jail free" card
    • Assign team
  • Testing
    • Conduct the test
  • Conclusion
    • Perform detailed analysis
    • Retest
    • Reporting
    • Presentation

Limitation of liability/insurance

  • Should be drawn up by a lawyer
  • Generally limited to a value of project

Rules of Engagement

  • Emergency contact info ( 24/7 )
  • Daily debriefings
  • Dates and times of day
  • Announced/unannounced
  • Shunning ( IDS/IPS )
  • Black-box vs Crystal-box testing
  • Viewing data on compromised systems
  • Observing tests
  • Document agreements and both sign off

Scope

  • What are biggest concerns?
    • Disclosure of sensitive info
    • Interruption in production processing
    • Embarrassment ( defacement )
    • Compromising for deeper penetration
  • Avoid scope creep
  • What to test
    • Domain names
    • Address ranges
    • hosts
    • applications
  • Third party System
    • ISP's
    • DNS
    • Hosting
    • Get permission
  • Test vs. production
  • How to test
    • ping port scan
    • vulnerability scan
    • penetration
    • client-side
    • application
    • physical pen
    • social engineering
  • Internal vs external
    • On-site, granted access
    • On-site, sneak in
    • VPN access
  • Testing client-side
    • Browsers
    • Phishing
    • E-mail exploits
  • Social Engineering
    • Controversial
    • Ensure explicit permission
    • Define explicit goal
    • Establish pretexts, scripts in advance
    • Use a friendly people person ( female is better)
  • Denial of Service
    • Check version numbers or try to crush? Be explicit!
  • "Dangerous" exploits
    • should they be included?
    • Any test can potentially crash a host

Reporting

Always Create a report

  • Even for inhouse tests