Video Transcription

Hello and welcome to a Penetration Testing Execution Standard discussion. Today we're looking at the purpose of the exploitation phase of the PTES standard. Now a quick disclaimer: the PTES videos do cover tools and techniques that could be used for system hacking.
So any tools and techniques discussed or used during demonstrations should be researched and understood by the user.
Please remember to research your laws and regulations regarding the use of such tools in your given area to ensure that you don't violate any applicable laws. Now,
the objectives of today's discussion are pretty straightforward. We're going to identify what exploitation is, common tools that we use within the exploitation phase of the PTES standard and, overall, what the primary focus should be of exploitation. So let's jump right in.
So what is exploitation?
Well, the exploitation phase of a penetration test focuses on establishing access to a system or resource by bypassing security restrictions. If the prior phase, vulnerability analysis, was performed properly, then it should be well planned and a precision strike, which is a short discussion we'll have soon.
Overall, bypassing security restrictions: that could be technical in nature, that could be human in nature. And so
really, any control that an organization has put in place in an attempt to thwart an attacker, our goal would essentially be to bypass those restrictions and have access to a system.
So let's jump into a few types of exploitation tools. And so Armitage is an excellent tool if you need to do some quick analysis of a system, do some quick scanning
and some quick exploitation attempts. It's essentially built on top of Metasploit, or the Metasploit Framework. And so this particular tool is again great if you just need to run some quick tests, you need to run some quick exploit attempts out of the framework.
Now it does have a component in it called Hail Mary, which essentially is where it tries to throw everything, to include the kitchen sink, at a particular target. I don't recommend that function, but overall, Armitage is a great GUI-based
exploitation tool. Now BeEF is short for the Browser Exploitation Framework, so it's a tool that really focuses again on web browsers
and setting up sites and hooks in sites and things of that nature to attempt to gain access to systems and things of that nature. So if your specialty is, you know, web exploitation and you're doing social engineering, things of that nature, BeEF is definitely a great tool.
Now, while Exploit-DB is not per se a, um, a tool like Armitage or the Metasploit Framework, it contains a lot of the exploits that Metasploit uses and that can be used by different platforms
to attempt exploitations, and Exploit-DB is invaluable in the exploitation phase of your penetration test.
Now, we also talked about the social engineering toolkit at one point, but it also has some penetration testing function as well. Again, it covers a high number of attack vectors, to include mass mailing, website spoofing.
So that's just to name a few things that are within the social engineering toolkit. But this is definitely a winner with respect to, you know, again being able to easily deploy social engineering attacks
in your exploitation phase of the penetration test.
And then, as we mentioned, uh,
the Metasploit Framework, or did you know Armitage was built on top of this, and so it enables you to find, exploit, and validate vulnerabilities
and it provides the infrastructure, content and tools to perform penetration testing and extensive security auditing. This tool, in my mind, is one of the number one tools that should be in the arsenal of any penetration tester. For those of you that are wondering, that is my very poor attempt at one. It may not be the number one tool,
but that's opinion. I believe that it's probably built into more automated tools, GUI tools and frameworks than you're probably aware of. So it's an excellent tool. And if you don't know how to use it, then I would recommend looking at some courses that focus on the Metasploit Framework
and really picking that up.
Now, what should the primary focus be of the exploitation phase? Well,
it's to identify the main entry point into the organization and to identify high value assets. And so we want to identify those things. And if the vulnerability phase was done properly,
a high value target list should have been compiled. So this is something that should be completed prior to exploitation, and that should have resulted in a target list and potential exploit paths or vectors for us to attack. Now the attack vectors should take into consideration
the success probability and highest impact on the organization. So
either as a business owner or, um, as a penetration tester, as a SOC manager, whatever the case may be,
if you get into a system, but that system is in a DMZ, and it really doesn't provide any value other than it's there to distract an attacker or to provide an early warning sign to an organization,
and that's the only system you're able to compromise, and it doesn't allow for, um,
the ability to move laterally into other systems internally,
then, really, it's not of high value or high impact to the organization.
But if during the testing process you're able to identify and get into accounting systems, payroll systems, human resources systems, systems that contain confidential or sensitive information,
then those would probably be a higher impact, um, and would be to the detriment of the organization if they were to be compromised. And so from the business standpoint, we want to make sure that when we're working on security testing and doing penetration testing, um,
that we're providing some transparency in the high value targets as far as letting our testers know what those are. If we're doing a penetration test,
you know, we want to just understand the risk level for the organization and understand the likelihood that a threat actor could get into a system. So ultimately that is going to be the primary focus of the exploitation phase:
what is the probability of success and the ability to execute that? And then what will the overall impact be based on the exploit and what we can do?
So with that, let's jump in and do a quick check on learning. So, true or false: exploitation can happen before or after the vulnerability analysis component of PTES. And PTES aside,
can exploitation happen before
or after vulnerability analysis?
If you need more time, please take it. Pause the video. So the key thing here is exploitation can happen before or after
vulnerability analysis. In this case, exploitation should not happen before, um, vulnerability analysis. We should be doing our due diligence. We should be researching the systems. We should be understanding potential attack vectors.
We don't want to do spray and pray. We don't want to come right out the gate and try to exploit the system. And we've not done a single scan, identified a single system.
That's just haphazard and not a responsible action on our part.
So this particular statement is going to ring false. Exploitation can happen after vulnerability analysis and should happen after vulnerability analysis, not before.
So in summary today, we described what exploitation is,
and we looked at a couple common tools that we can use in the exploitation phase of the PTES standard. Again, um, there are many, many other tools out there that you can use and research: paid tools, open source tools.
Sky's the limit. So do some research. Find some things that fit your arsenal. I would definitely recommend, if you're a user of Kali Linux, that you go to the tools.kali.org site
and research some of the exploitation tools within that.
They've got a great suite there. And then we described what the primary focus of the exploitation phase is, and really again, it's finding that path of least resistance, finding out what the impact would be to a system and what the impact is, especially against critical systems, and what that means for the organization.
So with that in mind, I want to thank you for your time today. And I look forward to seeing you again soon.

Up Next

Penetration Testing Execution Standard (PTES)

In this course we will lay out the Penetration Testing Execution Standard (PTES) in all its phases and their application for business leaders and Security Professionals alike.

Instructed By

Robert Smith
Director of Security Services at Corsica