Andrew McNicol

Andrew (@primalsec) is a Python junkie who is currently the lead for a web application penetration testing team and a mentor for the SANS Institute. Previously, he worked on an incident response team focusing on malware analysis and network forensics. He is always looking for new Python tricks or new ways to gain code execution on remote systems. He is one of the founders and lead authors of the Primal Security Podcast, which focuses on Python scripting, exploit development, and CLI kung fu. Andrew holds numerous technical security qualifications, most notably Offensive Security Certified Expert (OSCE) and Offensive Security Certified Professional (OSCP).
Session Summary & Notes:

A security assessment of an organization's network and systems is carried out in two phases. The first phase is reconnaissance and vulnerability assessment: get the lay of the land and enumerate the attack surface where potential vulnerabilities lie. The second phase, penetration testing, uses that intelligence in an attempt to exploit the discovered vulnerabilities. When this work is done from the Internet against the organization's publicly reachable assets, as an outside attacker would do it, it is known as external penetration testing.

Attackers with malicious intent, as well as the good guys sometimes referred to as white hat hackers, use similar methodologies and tools in an attempt to exploit security vulnerabilities. The primary difference is one of intent and authorization. The bad guys are looking for opportunities to cause mischief or achieve financial gain, whereas white hats are skilled professionals hired by an organization to audit its technology environment for security vulnerabilities. The focus of this video is the disciplined approach taken by IT security professionals, using well-defined methodologies, to carry out vulnerability assessments and penetration tests.

The goal of external penetration testing is to identify risks, which begins with information gathering during the assessment phase. Before beginning, it is vital to understand precisely what the customer is trying to accomplish with the engagement. Is the need compliance-driven, or do they simply require a general vulnerability assessment? The tester must also be clear on the scope: what can be tested, and when it can be tested. Bringing down critical systems or infrastructure during peak business hours will not go over well with the customer. The cardinal rule of external penetration testing is do no harm! Understanding the need up front allows a more tailored approach to be crafted for the customer.
Penetration testing methodologies consist of repeatable processes that are typically governed by industry standards; the OWASP Testing Guide is one such standard. Working in a safe environment provides isolation from production equipment and systems: virtual machines (VMs) as well as online lab challenges can be probed for vulnerabilities separately from a customer's production environment.

The first step in a disciplined approach is to examine the customer's externally facing communication channels along with publicly available information about the organization. Information about the technologies and systems in use is then expanded by enumerating the organization's IP address ranges and the domains and subdomains reachable from the Internet. This information feeds port scanners, which identify open ports and the services listening on them, and web spiders, which crawl linked content. Sitemaps and a list of open ports with their associated services are a treasure trove of potentially vulnerable attack vectors. Extracting the technology stack is another piece of the vulnerability puzzle: knowing that systems are running Ruby or using a MySQL database behind a web application gives deeper insight into the environment and yields more potential vulnerabilities to probe during the penetration testing phase. Finally, perhaps the most vulnerable element in any organization is the human one. Knowing something about the users on the network sets the stage for social engineering and phishing attacks that target login credentials. Having identified the attack surface, the tester can drill down into the technologies within the environment to build a list of injection points, which can then be probed with automated penetration testing tools.
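As an added example (not code from the session or from the author), the following Python script performs two of the passive triage steps described above on constructed data: it fingerprints the technology stack from the header values and cookie names of a captured HTTP response, and it extracts candidate injection points (URL paths and their query parameters) from a sitemap. The hostname shop.example.com, the response headers and the sitemap are all constructed for illustration, and the fingerprint table is a small hand-picked sample, an assumption rather than a complete catalogue.

```python
"""Passive triage of an external attack surface from captured material.

Added example, not code from the session or from Primal Security. All data
below (hostnames, headers, sitemap) is constructed for illustration.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlsplit

# Assumption: a small hand-picked fingerprint table. Real targets may strip,
# rename or spoof these headers and cookie names, so treat hits as hints.
HEADER_FINGERPRINTS = {
    "server": {
        "apache": "Apache httpd",
        "nginx": "nginx",
        "microsoft-iis": "Microsoft IIS",
    },
    "x-powered-by": {
        "php": "PHP",
        "asp.net": "ASP.NET",
        "express": "Express (Node.js)",
        "phusion passenger": "Phusion Passenger (Ruby/Rack)",
    },
}
COOKIE_FINGERPRINTS = {
    "phpsessid": "PHP",
    "jsessionid": "Java servlet container",
    "asp.net_sessionid": "ASP.NET",
    "rack.session": "Rack (Ruby)",
    "ci_session": "CodeIgniter (PHP)",
}

SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"

# Constructed sample: the head of an HTTP response as captured by a proxy.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.18.0
X-Powered-By: Phusion Passenger 6.0.10
Set-Cookie: rack.session=BAh7B0kiD3Nlc3Npb25faWQ; path=/; HttpOnly
Content-Type: text/html; charset=utf-8
"""

# Constructed sample sitemap for a hypothetical host.
SAMPLE_SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://shop.example.com/</loc></url>
  <url><loc>https://shop.example.com/search?q=widgets&amp;sort=price</loc></url>
  <url><loc>https://shop.example.com/product?id=42</loc></url>
  <url><loc>https://shop.example.com/product?id=43&amp;ref=home</loc></url>
  <url><loc>https://shop.example.com/about</loc></url>
</urlset>
"""


def parse_raw_response(raw):
    """Split a raw HTTP response head into {lower-case name: [values]}.
    Repeated headers such as Set-Cookie are kept as a list."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def fingerprint(headers):
    """Return the set of technologies suggested by header values and cookie names."""
    found = set()
    for header_name, table in HEADER_FINGERPRINTS.items():
        for value in headers.get(header_name, []):
            value_low = value.lower()
            found.update(tech for needle, tech in table.items() if needle in value_low)
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip().lower()
        found.update(tech for needle, tech in COOKIE_FINGERPRINTS.items()
                     if cookie_name == needle)
    return found


def injection_points(sitemap_xml):
    """Map each URL path that accepts query parameters to the parameter names seen.
    These parameters are the first candidates to hand to injection testing."""
    points = {}
    for loc in ET.fromstring(sitemap_xml).iter(SITEMAP_NS + "loc"):
        parts = urlsplit(loc.text.strip())
        names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
        if names:
            points.setdefault(parts.path, set()).update(names)
    return points


if __name__ == "__main__":
    stack = fingerprint(parse_raw_response(SAMPLE_RESPONSE))
    print("Technology stack hints:", sorted(stack))
    for path, names in sorted(injection_points(SAMPLE_SITEMAP).items()):
        print(f"{path}: parameters {sorted(names)}")
```

Run as-is, the script reports nginx in front of a Ruby/Rack application and lists `/search` and `/product` with their parameters. Header-based fingerprints are hints to be confirmed by other means, since an operator can remove or spoof them; the parameter list is exactly the set of injection points a tester feeds to automated tooling before verifying any hit by hand.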