Okay, so let's go ahead and discuss vulnerability assessments and penetration testing, and I'll refer to that as pen testing throughout. All right, so vulnerability assessments. What I'm doing is I'm looking for weaknesses, and we can do this for both physical, administrative and technical controls, right?
You know, a physical vulnerability assessment: are my windows locked, are the doors locked, are people following the clean desk policy?
An administrative pen test or vulnerability assessment is about social engineering. Let me call a variety of extensions and find out who's going to give me more information than they should. And then, of course, technical, also known as logical,
is usually what people think about when you do, say, vulnerability assessments in the IT world.
So we're going to scan for ports that shouldn't be open, and we're going to do our research. Ultimately, what our goal is, is to figure out what the weaknesses are. Now, penetration testing takes things a step further, and what we're looking for in that particular means is: can we exploit the weaknesses?
So it's one thing to have the weaknesses that we find in vulnerability assessments,
but can we exploit them? Which brings us into pen testing. This is referred to as ethical hacking or white hat hacking in some places. In some environments, they have a red and a blue team within the organization, the attack and the defense team,
ultimately. And I just noted down at the bottom: NIST Special Publication 800-42
has a lot of good information on security testing. That isn't testable, just fun trivia for parties, but at least you know there's a reference if you want to get more information.
Okay, what degree of knowledge do the pen testers have? It depends. So there are zero knowledge pen tests, sometimes referred to as black box testing, because the team that's doing the testing has no knowledge of the organization. So what they're looking at is: what can I learn from the Internet?
What information can I gain? What type of information can I gain for social engineering attacks,
and for somebody that has no internal knowledge of the organization, how far can I go?
All right, now the next step is partial knowledge. Often the team is impersonating maybe a regular user on the network: I have some knowledge about the organization, but nothing in depth. And then the full knowledge test is ultimately trying to figure out
what could a rogue administrator
do in relation to our network. So having full knowledge, passwords, rights, permissions, everything that would be needed, what can I get away with? Various degrees of knowledge.
Now, when we do talk about vulnerability scanning, like I said, I'm looking for things that shouldn't be there. Are there active hosts on the network that shouldn't be there? This is particularly interesting for WiFi, for access points,
because frequently we find that rogue access points have been set up.
You know, it's so much easier for me to have you connect to my rogue access point named after your company than it is for me to try and crack into a WPA2-protected network and try to decrypt the information. Why not just have everybody in the company connect to my rogue access point,
and they'll be none the wiser?
So we're looking for things that shouldn't be there. But there are other types of rogue infrastructure: a rogue DHCP server. All I need is a port on the wall to get a DHCP server on your network. And once I get a DHCP server, usually your hosts will get their IP address from DHCP.
But I can also, if you haven't set that up in your configuration,
I could populate your DNS server, your routers. I could do a lot of damage with just a DHCP server on your network.
We're looking for vulnerable services, ports that are open. And, you know, we do talk about hardening a server. One of the first things we say is get rid of unnecessary services, because those services are listening on ports, and ports are just doorways into the system.
What applications and operating systems have vulnerabilities? Have they been patched? Do we have misconfigured settings, or default settings? You know, default settings are just as bad or worse than misconfigured settings. A lot of systems come out of the box
for ease of use rather than security.
That's why you get access points broadcasting the SSID. You get access points that have no password, that don't even use WEP, WPA, WPA2. So you can have those issues in leaving the default settings. And the beauty of the default is that's what they all come with. And,
you know, for a long time, Cisco had
an administrative account, admin, and then the password was cisco. And, you know, we've got to change those things.
Now, after I've figured out what the vulnerabilities are, then I'm going to move to the pen testing phase, and I'm going to follow, as a pen tester, ideally, the same methodology that an attacker would use.
So we usually talk about five basic steps in an attack,
and the first one starts with reconnaissance. So what reconnaissance does is it allows me to go out and find out any information I can about your organization, but usually that's from the outside, so I won't have any of that internal knowledge. So I go to the Internet
and I start researching, and I figure out what branch offices you have.
I see if I can find names of any managers, your senior executives, phone numbers, any information that I can pull that's out there. You know, let me check and see if you're hiring, and if you're hiring a Unix admin, well, I've got a pretty good idea of what type of server you're running.
So whatever I can find. And ideally, what I'm going to do is I'm going to take the information that I've gathered in reconnaissance, and I'm going to use that as a means to get on your network. Whether I can get enough information from reconnaissance alone, maybe not. But the reconnaissance information could allow me to
conduct a successful social engineering attack,
and maybe get you to click on a link in an email that installs some backdoor software, and maybe I can get a toehold on the network.
All right. Once I have my toehold on the network, the next thing that I want to do is I want to footprint the network. And when we talk about footprinting, what I'm looking to do is discover the essential devices on your network, basically map out the network. As a matter of fact, Nmap is a tool that does that,
but I want to find out your IP addressing scheme. I want to know what servers do what,
and where those elements are that would be of the greatest interest to an attacker. So Nmap, like we said, is a tool. Other tools for footprinting: something called a ping sweep. So I'm going to ping 10.0.0.1, 10.0.0.2, 10.0.0.3,
and ultimately, what I'm looking for is a reply. And once I get the reply, I'll then know your IP addressing scheme.
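From the defender's side, a ping sweep like the one just described leaves a recognizable pattern: one source sending ICMP echo requests to many distinct hosts in a short time. The following is an added example, not part of the lecture, that runs that detection over constructed firewall log lines; the log format and the thresholds are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not from the lecture): one source
# probing 10.0.0.1, .2, .3, ... with ICMP echo requests (type=8), plus
# unrelated traffic that should not be flagged.
SAMPLE_LOG = """\
2024-05-01T08:00:01 ICMP 10.0.0.50 -> 10.0.0.1 type=8
2024-05-01T08:00:01 ICMP 10.0.0.50 -> 10.0.0.2 type=8
2024-05-01T08:00:02 ICMP 10.0.0.50 -> 10.0.0.3 type=8
2024-05-01T08:00:02 ICMP 10.0.0.50 -> 10.0.0.4 type=8
2024-05-01T08:00:03 ICMP 10.0.0.50 -> 10.0.0.5 type=8
2024-05-01T08:00:03 ICMP 10.0.0.50 -> 10.0.0.6 type=8
2024-05-01T08:00:10 ICMP 10.0.0.7 -> 10.0.0.1 type=8
2024-05-01T08:05:00 ICMP 10.0.0.7 -> 10.0.0.9 type=8
2024-05-01T08:00:05 TCP 10.0.0.8 -> 10.0.0.1 dport=443
"""

# Assumed log format: "<ISO timestamp> ICMP <src> -> <dst> type=8".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ICMP (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+) type=8$"
)

def detect_ping_sweeps(log_text, min_targets=5, window_seconds=60):
    """Return {source_ip: max_distinct_targets} for every source that sent
    echo requests to at least `min_targets` distinct hosts within any
    `window_seconds` window. Non-ICMP lines and echo replies are ignored."""
    echoes = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        echoes[m["src"]].append((datetime.fromisoformat(m["ts"]), m["dst"]))

    sweeps = {}
    window = timedelta(seconds=window_seconds)
    for src, events in echoes.items():
        events.sort()
        start = 0
        # Sliding window over the time-ordered echo requests of this source.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                sweeps[src] = max(sweeps.get(src, 0), len(targets))
    return sweeps
```

Tune `min_targets` and `window_seconds` to the normal ICMP volume of your own segments; monitoring hosts that legitimately ping many machines belong on an allow-list rather than in the alert.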
DNS zone transfers are a wealth of information, and at one point in time zone transfers were not even encrypted across the network. In most cases now you would have them be encrypted. But maybe I can masquerade as a legitimate DNS server
and perhaps trick a legitimate DNS server into transferring its zone information.
You know, there are lots of ways to map the network. I could just simply evaluate traffic, and if I see a whole bunch of traffic going to a particular server at 8 a.m., well, I might say, that's probably an authentication server. So many different ways to map out the network.
Now, once I find my desirable target, and I've figured out, okay, this is the server I want to attack,
the next step is going to be fingerprinting.
So whereas footprinting is learning about the network, fingerprinting is figuring out what operating system the desirable server is running. Because every operating system has vulnerabilities, and what I want to do is figure out exactly what OS is running so I can check for those known vulnerabilities.
All right, so the vulnerability itself: I'm going to look for those weaknesses,
those misconfigured settings, those default settings; is the software unpatched? What are those vulnerabilities? And then ultimately, once I've gathered that information, this will lead me to the attack, ideally a successful penetration. But the thing with penetrating the system is, very frequently
I only access that system
with the degree of privileges of the currently logged in user. So often that's a very low set of permissions. I want to escalate those privileges and have administrative rights. What I'd really love to do is I'd love to get a rootkit on the system.
And if you're a Unix person, you know, root, the term root goes back to
the ultimate authority in Unix. So when we talk about a rootkit, these are nasty little pieces of software that get in there and get embedded with the operating system kernel. They're very difficult for most of these little Norton antivirus or McAfee,
very, very difficult to detect with basic antivirus and anti-malware
applications, because it is so embedded with the operating system kernel. And usually this offers me a backdoor into the system, as an additional piece to the rootkit.
When a rootkit is found on a system, generally speaking, you have to blow out the whole system, reinstall the operating system, and then restore data from backup. That could actually be a test question, because it doesn't do me any good to restore the OS from a backup that's probably been corrupted.
Blow out the system,
reinstall the operating system, restore the data from backup.
All right, now, after that, one of the things an attacker is going to be very conscious of is cleaning up after himself. As an attacker, we want to make sure that there's no indication I was ever present on the system. So I will go through and modify log files, if I'm able.
Also, any sort of services that I have running,
I may want to rename them as legitimate services, and we refer to those as Trojan programs. So I might rename my malicious file explorer.exe, right? That's a legitimate process that runs. And if you just glance at your processes, that wouldn't necessarily be anything that would trigger.
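The glance at the process list fails exactly because it checks the name and not the location. As an added example, not from the lecture, the check below compares each process's image name against the on-disk path where that Windows binary is expected to live, over a constructed process snapshot; the expected-path table is an assumption of this example and would be extended for a real environment.

```python
import ntpath

# Expected on-disk locations of a few well-known Windows binaries, lower-cased.
# This table is an assumption of the example, not something the lecture gives;
# a real deployment would cover many more names and verify signatures too.
EXPECTED_PATHS = {
    "explorer.exe": {r"c:\windows\explorer.exe"},
    "svchost.exe": {r"c:\windows\system32\svchost.exe",
                    r"c:\windows\syswow64\svchost.exe"},
    "lsass.exe": {r"c:\windows\system32\lsass.exe"},
}

# Constructed process snapshot as (pid, image name, full path); not real data.
SAMPLE_PROCESSES = [
    (1234, "explorer.exe", r"C:\Windows\explorer.exe"),
    (2048, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    (3071, "explorer.exe", r"C:\Users\Public\Downloads\explorer.exe"),
    (4100, "notepad.exe", r"C:\Windows\System32\notepad.exe"),
    (5122, "lsass.exe", r"C:\ProgramData\lsass.exe"),
]

def find_masquerading(processes, expected=EXPECTED_PATHS):
    """Return [(pid, name, path)] for every process whose image name matches
    a well-known system binary but whose path is not one of that binary's
    expected locations. Paths are normalised and compared case-insensitively
    because NTFS paths are case-insensitive."""
    suspicious = []
    for pid, name, path in processes:
        key = name.lower()
        if key not in expected:
            continue  # not a name we have expectations for
        norm = ntpath.normpath(path).lower()
        if norm not in expected[key]:
            suspicious.append((pid, name, path))
    return suspicious

if __name__ == "__main__":
    for pid, name, path in find_masquerading(SAMPLE_PROCESSES):
        print(f"pid {pid}: {name} running from unexpected path {path}")
```

The same comparison is what endpoint tooling does when it flags a system binary name running from a user-writable directory; pairing it with a signature check on the file catches a renamed copy dropped into the legitimate directory as well.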
So ultimately, these are the five steps of a pen test, but they're also the five steps of attack methodology as well.