SANS 560 Notes
Jump to navigation
Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
560.1 Sans 560: Network Penetration and Ethical Hacking
Definitions
- Threat: Agent That can Cause harm
- Vulnerability: A flaw that can be exploited
- Risk: Overlap of Vulnerability and threat
- Exploit: Code/Technique used by a threat on a vulnerability
- Active attack: manipulates target
- Passive Attack: Does not manipulate target
- Ethical Hacking: Using attack techniques to find flaws with permission, to improve security ( aka white hat hacker )
- Penetration testing: An attempt to gain entry to a network
- Security Assessments/Vulnerability Assessment: Finding vulnerabilities
- Security Audit: Comparing findings against a set of standards
- Phases of an attack
- Recon
- Scanning
- Exploitation
- Pentesting limitations:
- Scope
- Time
- Methods
- Pentester limitations:
- scope
- time
- methods
Public/Free methodologies
Open Source Security Testing Methodology Manual [1]
- Focus on Transparency, business value
- Broad descriptions of categories
- Numerous templates
NIST [2]
- Processes
- Roles
- Tools
- High-level
OWASP [3]
- Web app testing
- compares impact: likelihood
Penetration Testing Framework [4]
- Network penetration tests
- Specific tools, commands
- Step-by-step
- Recon
- Social Engineering
- Scanning/probing
- enumeration
Overall Methodology
Preparation
- Sign a NDA
- Discuss nature of the test
- Identify threats/Concerns
- Agree on rules of engagement
- Determine scope of test
- Sign off on permission, notice of danger
- Vital to get before starting
- "Get out of jail free" card
- Assign team
Testing
- Conduct the test
Conclusion
- Perform detailed analysis
- Retest
- Reporting
- Presentation
Limitation of liability/insurance
- Should be drawn up by a lawyer
- Generally limited to a value of project
Rules of Engagement
- Emergency contact info ( 24/7 )
- Daily debriefings
- Dates and times of day
- Announced/unannounced
- Shunning ( IDS/IPS )
- Black-box vs Crystal-box testing
- Viewing data on compromised systems
- Observing tests
- Document agreements and both sign off
Scope
What are biggest concerns?
- Disclosure of sensitive info
- Interruption in production processing
- Embarrassment ( defacement )
- Compromising for deeper penetration
Avoid scope creep What to test
- Domain names
- Address ranges
- hosts
- applications
Third party System
- ISP's
- DNS
- Hosting
- Get permission
Test vs. production How to test
- ping port scan
- vulnerability scan
- penetration
- client-side
- application
- physical pen
- social engineering
- Internal vs external
- On-site, granted access
- On-site, sneak in
- VPN access
- Testing client-side
- Browsers
- Phishing
- E-mail exploits
Social Engineering
- Controversial
- Ensure explicit permission
- Define explicit goal
- Establish pretexts, scripts in advance
- Use a friendly people person ( female is better)
Denial of Service
- Check version numbers or try to crush? Be explicit!
"Dangerous" exploits
- should they be included?
- Any test can potentially crash a host
Reporting
Always Create a report
- Even for inhouse tests