Active Testing

00:00

Hello and welcome to another penetration testing execution Standard discussion. Today we're continuing with our discussions on vulnerability analysis. Specifically today, we're going to look at active testing

00:14

now before we get started. A quick disclaimer Pee Test videos do cover tools and techniques that could be used for system hacking. So any tools discussed or used during our demonstrations

00:23

should be researched and understood by the user. Please researcher laws and regulations in your given area for the use of such tools and techniques so that we ensure we do not violate any laws and get ourselves in hot water. So with that in mind, let's jump over to our objectives.

00:40

So today we're going to discuss what is active testing. We're going to look at automated methods for testing and what those look like. We're going to look at some general vulnerability scanners talk about better grabbing at a high level Web application scanners, and we're going to discuss some off obfuscation methods.

01:00

So with that, let's jump right into what is active testing.

01:03

So

01:04

active testing involves direct interaction with the component being tested for security vulnerabilities. This could be low level components such as the TCP stack on a network device. Or it could be components higher up the stacks, such as Web based interfaces used to administer such devices.

01:23

So there are two distinct ways to interact with a target component. And that is either in an automated or manual method.

01:30

So we can use something like in map, which will discuss. Or we can use a vulnerability scanner that is more automated in nature. So automated methods utilize software to interact with a target, examine the response and determine whether a vulnerability exists based on those responses.

01:49

Now, an automated process can help to reduce time

01:52

and labor requirements within your testing. For example, lights, while it's simple to connect a single TCP port on a system to determine whether that ports open and receive, you know incoming data performing this step for each of the 65,535 possible ports

02:09

would require a significant amount of time if done annually. Now. The other thing to consider here

02:17

is that even though ah port provides a response, it doesn't mean that the system is vulnerable, and so we would have to do some service version research on the port. It would have to respond with that particular version in order for it to be vulnerable, and so that would further

02:35

complicate the need. Thio. Try and do it manually.

02:39

And then just imagine. Just because, you know a certain protocol runs on a certain port like 3389 for RTP doesn't mean that a client will always run RTP off of 3389 And so then you'd have to evaluate each of those responses independently. And so automated methods are definitely

02:59

a lifesaver when it comes to vulnerability analysis.

03:02

So let's jump into some general vulnerability scanners. This list is by no means comprehensive, but these were someone's that you might be familiar with. So open Boss is an A cross platform scanner. It can identify issues on a number of systems

03:17

on the platform is, you know, kept relatively up to date. They do a really good job of keeping this can up to date. Even with the community addition, you might be behind by about a week or two, or maybe three,

03:28

but generally they do a really good job of keeping that scanner in that tool up. Today, it's relatively easy to set up and easy to use. Um, in map. I'm sure you've heard of in map. While some manual checks

03:40

would need to be done in map does have some general vulnerability scanning capabilities. It has an actual library of scripts that can be used,

03:49

and it has a vulnerability. Switch

03:52

our script, which can be run against systems, and it will find some common vulnerability types on those systems. So it can definitely be good for validation and cross checking these particular tools. And the next poses another flavor of vulnerability management and scanning platform.

04:08

Each of these has their their pros and their cons and their strengths and their weaknesses. Definitely not just these tools on the market. So do your research. And if you've got something already that you're using for vulnerability scanning, definitely

04:23

you recommend that you just

04:25

do some pro con analysis on each of these. And, of course, in map is a must for anyone who's doing penetration testing.

04:30

Now, Boehner grabbing is another means for us to process a connection to a specific port and examine the data that's returned by the remote hose to identify the service

04:42

slash application bound to that port so often In the connection process, software will provide an identification string, which may include information such as the name of the application or information about the specific version that the software is running. So, in this case,

04:57

ah, connection is made with Net Cat to a Web, our website on Port 80. It provides some response information http information and the way it connected

05:08

dating Tom Data. As we can see here, we've got some server information that may be beneficial and some server version information. So

05:16

Emap may or may not get this information right out. I'm assuming, you know, does a decent job. But if you want to get a direct response in for, you know, set of information, you could use something like Net cat

05:29

or other connection methods to get this response, but definitely worth, you know, validating information. If you're not using in map at the moment and you just wanna validate that it picks up Apache 2.0 point 46 Then you could use something like that cat to do that. But it always makes sense to try and validate the information that you're getting from scans

05:48

just a double triple check and make sure that you don't have a false positive.

05:53

Now. Some of the scanners previously mentioned may do some Web application, testing and and scanning. But these air some tools that are specific to

06:01

with application testing. So Iraq Me is a Web vulnerability Skinner built on Ruby. It's capable of performing fingerprinting and conducts active and passive checks for vulnerabilities.

06:13

There's Debbie three F, which is an open source project that uses Python. It runs on both clinics and Windows. It's able to detect quite a number of Web application vulnerabilities, including those in the top 10.

06:25

And then there's a wasp zap, which is a relatively well maintained application. It's cross platform, Java based Tool, which runs on very minimal hardware.

06:36

Now there's a number of tools that you can find on the A wasp site for Web application testing. And if you're not familiar with the OAS top 10 I would definitely suggest that,

06:46

as some required reading, the top 10 is essentially that the top 10 most common security vulnerabilities on Web applications and they are labeled as such for a very good reason

06:59

and so definitely a resource worth joining down and keeping so

07:02

the primary thing to remember his here is the goal of the testing that you're doing. If its Web application based, it's best to use a tool that's made for Web application testing. And if you're doing general network scanning and Web application testing that it would be good to mix the tools up

07:17

in this case. Now let's jump into office cation. So office cation is essentially what we're trying to evade, detection or evade the detection of our nodes and things that nature. And so you can use

07:32

something like tour to cover up your source. I p. And so, in this case, you could have your traffic come out of multiple exit nodes. And in this manner, you can kind of test the response of the security team. If the client has a security team and see if they're able to pick up activities,

07:53

that could be, you know, a threat actor. Now, if you're able to use you know, 10 2030 40 exit nodes and you're doing a relatively low impact sneaky scan, chances are they may not pick you up

08:05

and then ideas and invade evasion. So when conducting assessment activities against the Target network, where ideas technologies are deployed, it may be necessary to perform evasion using methods. Such a string manipulation polymorphism session spicing and fragmentation, where

08:20

you send responses and requests in multiple fragments instead of all at once can help to bypass some signature based idea systems. Of course,

08:31

nothing is bulletproof as faras. These protections go, and so if again, you're trying to test the capabilities of a security team. Or you're trying to see if they will be able to pick up certain traffic types than you'll definitely want to use some of these evasion techniques and maybe use something like toward to do that as well. Again,

08:50

all depends on the goals and what the client is hoping you get as far as an outcome of this testing.

08:56

So let's jump into a quick check on learning which of the following

09:01

is a network vulnerability scanner.

09:05

All right, so if you need additional time, please pause the video and take it

09:11

so

09:11

a WASP zap is not a vulnerability scanner per se for networks. It is primarily for Web application testing and vulnerability testing against Web applications. Iraqi was specifically named as a Web application vulnerability scanner.

09:26

The only network based vulnerability scanner that we have on this list is open moss. So while it may be able to do some Web based vulnerability scanning and is primarily a network based vulnerability scanner,

09:37

so in summary, what are the things we talked about today? Well, we looked at what active testing is, and we discussed some automated methods for doing that and why that's important. We looked at general vulnerability scanners like Open Voss and Map Next pose, just to name a few. We looked at banner grabbing for validation of vulnerability information.

09:58

We looked at Web application scanners,

10:01

and we discussed office cation.

10:03

All of this is important, and again, you're going to need to apply what is pertinent to the client's needs. What is pertinent? Thio. You know the targeted outcome

10:15

and you know if you've got tools already that your organizations using a lot of what I mentioned here is open source. But if you're using paid versions of these tools or something of that nature, typically they have better support and better kept database, Issa's faras updates. But there's nothing wrong with using up with open source tools.

10:31

If that's what you have available for you and your team, as long as the accurate you know, the results are accurate and trustworthy.