
Day 1

● Basic penetration testing for beginners
  - Intro to penetration testing
  - Intro to basic Linux commands (generally needed in a pentest)
  - Basics of network penetration testing
● May include a bit of the Day 2 topics too

Day 2

● Basic web application penetration testing for beginners
  - Introduction to web applications
  - Basic information gathering
  - Basic web application vulnerabilities
    > OWASP Top 10
    > Understand the issues
    > How to identify the vulnerability
    > Tools and resources
What is pentesting

A penetration test, also known as a pentest, is a simulated cyber attack against your computer system to check for exploitable vulnerabilities.
Why need pentesting

● Self-awareness in an organisation
  ○ To understand, evaluate and study the current security posture
● Requirements/regulatory certifications
  ○ PCI-DSS
Types of pentesting tasks

● Network/Infrastructure
  ○ External/internal perimeter
● Applications
  ○ Web, mobile, client-based, IoT, etc.
● Hardware
● People
  ○ Social engineering, phishing, etc.
● Wireless
● Red-Teaming
Types of pentesting approach

● Black-box
  ○ Know nothing
● Gray/Grey-box
  ○ Timed-box
  ○ Knows a bit of the tech used
  ○ Credentials supplied
● White-box
  ○ Have access to almost all needed information
* Note that every country has its own way of performing a pentest, depending on the acceptance level of the industry.
Is this pentesting?

● Vulnerability scanning
  ○ Click and run that scanner
● Vulnerability assessment
  ○ Scan and validate to reduce false-positive issues
● Pentest
  ○ With an objective to show the highest impact that can be achieved (e.g. compromise the Domain Server)
  ○ Can consist of a VA
● Red-Team
  ○ Similar to a pentest, but with wider targets
  ○ Silently executed
  ○ To validate the Blue Team
Can I be a pentester in 2 days?

● Never.

Pentester’s formula

● Technology knowledge + Security knowledge + Hacker’s mindset
Evaluating the risk/impact
Factors

Loss of confidentiality: How much data could be disclosed and how sensitive is it? Minimal/excessive non-sensitive/critical data? All?

Loss of integrity: How much data could be corrupted and how damaged is it? Minimal/extensive slightly/seriously corrupt data? All?

Loss of availability: How much service could be lost and how vital is it? Minimal/excessive secondary/primary services interrupted? Completely lost?

Loss of accountability: Are the threat agents' actions traceable to an individual?

Basic Penetration Testing
Common Methods

● Preparation
● Reconnaissance
● Scanning
● Exploitation
● Analysis
● Reporting

Common Methods: Preparation

● Scoping
  ○ Define objectives
  ○ Define targets
  ○ Roles and responsibilities
  ○ Any limitations
  ○ Success factors
  ○ Timeframe
  ○ Documented permission
Case study

“We are developing a new web application that can only be accessed internally from the developer’s network zone. The zone was designed to be available only in branch B. We want to ensure the application is free from vulnerabilities.”

“We are going to deploy this newly introduced software into our network. The aim is to let our customers access and use our current internal application by relying on this software’s secure transport.”
Common Methods: Reconnaissance

● Information that can be gathered from public
● Passive scanning
● What you can do with the information gathered
  ○ Search engines
  ○ History engines: domain, DNS, IP, cached
  ○ Recruiting sites

Let’s practise reconnaissance
https://anotepad.com/notes/gixmm5jy
Common Methods: Reporting

● Crucial in any pentesting work
● Clear and easy to understand
● Structured formatting
● Proper recommendations

Good report formatting
1. Background
   a. Objectives
   b. Timeline
   c. Scope of engagement
2. Summary of pentesting
   a. Summary of findings
   b. Conclusion and recommendations
   c. Statistics
3. Technical findings
   a. Clear and correct definition
   b. Screenshots or any proof captured during the testing
   c. Steps to reproduce
   d. Impact analysis
   e. Recommendations

The World's Worst Penetration Test Report by #ScumbagPenTester
https://it.toolbox.com/blogs/chiefmonkey/the-worlds-worst-penetration-test-report-by-scumbagpentester-012814
https://tinyurl.com/y3xvv242
Common Methods: Scanning

● Dig deeper
● Port scanner
● Vulnerability scanner
  ○ Nmap, OpenVAS, Nessus, Qualys, Nexpose, etc.
● What’s running on it?
● What’s running using it?
● What’s the version?

Let’s practise Nmap
Download the following MindMap
http://donlod.yappare.com/training-my/mindmap.png

Instructions:
1. Visit https://nmap.org/download.html
2. Download based on your operating system (32/64-bit, Linux, OSX, Windows)
3. Follow the steps given and install it on your machine
4. Next, download the following vulnerable image
   https://download.vulnhub.com/stapler/Stapler.zip
5. Extract the zip file and load it in your VirtualBox/VMware
6. Set the VM connection to host-only
(Diagram: Virtual Machines / Stapler connected to Host/Local PC over the host-only network)
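Added example, not part of the training deck: a small Python parser for Nmap's grepable output (the format written by -oG), which answers the slide's three questions for each host (what is running, on which port, which version) and flags open services where -sV returned no banner so the tester knows what to identify by hand. The scan text is constructed; the hosts, ports and banners are made up, and 192.168.56.0/24 is only an assumed host-only subnet.

```python
import re

# Constructed sample of Nmap grepable output, as produced by e.g.
# "nmap -sV -oG scan.gnmap 192.168.56.0/24" (assumed host-only subnet).
# Hosts, ports and banners below are made up for illustration.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Sat Dec 28 10:00:00 2019 as: nmap -sV -oG scan.gnmap 192.168.56.0/24
Host: 192.168.56.101 ()\tStatus: Up
Host: 192.168.56.101 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.0.8 or later/, 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4/, 80/open/tcp//http//PHP cli server 5.5 or later/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, 3306/filtered/tcp//mysql///, 8080/open/tcp//http-proxy///\tIgnored State: closed (994)
Host: 192.168.56.1 ()\tStatus: Up
Host: 192.168.56.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.0/\tIgnored State: closed (999)
# Nmap done at Sat Dec 28 10:01:30 2019 -- 256 IP addresses (2 hosts up) scanned in 90.12 seconds
"""

# A "Host:" line carrying port data; the port list ends at the next tab.
PORTS_RE = re.compile(r"^Host: (\S+) .*?Ports: (.*?)(?:\t|$)")


def parse_gnmap(text):
    """Return {ip: [(port, proto, service, version), ...]} for open ports only."""
    hosts = {}
    for line in text.splitlines():
        m = PORTS_RE.match(line)
        if not m:  # comment lines and "Status: Up" lines carry no port data
            continue
        ip, port_list = m.group(1), m.group(2)
        entries = hosts.setdefault(ip, [])
        for entry in port_list.split(", "):
            # Field order in -oG output: port/state/protocol/owner/service/rpc/version/
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            if state == "open":  # closed/filtered ports are not services to examine
                entries.append((int(port), proto, service, version.strip()))
    return hosts


def unidentified_services(hosts):
    """(ip, port, service) tuples where no version banner was found: follow up manually."""
    return [(ip, port, svc) for ip, ports in hosts.items()
            for port, _proto, svc, ver in ports if not ver]


if __name__ == "__main__":
    found = parse_gnmap(SAMPLE_GNMAP)
    for ip, ports in found.items():
        for port, proto, svc, ver in ports:
            print(f"{ip}:{port}/{proto}  {svc:<12} {ver or '(version unknown)'}")
    print("needs manual identification:", unidentified_services(found))
```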
Let’s go a bit deeper in network pentest

Common Methods

● Practise in class

End
Web Application Penetration Testing

Contents
1. Web application technologies
2. HTTP
3. OWASP Top 10
4. BurpSuite
5. Practises
Web Application Technologies
HTTP Protocol
● Core communications protocol used to access the World Wide Web
HTTP Requests
GET / HTTP/1.1
Host: www.training.my
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
HTTP Requests: HTTP Methods

○ GET
  ■ Retrieve requests
  ■ URLs are displayed on screen
  ■ Logged
○ POST
  ■ Perform actions
  ■ Parameters in body
  ■ Excluded from logs
○ HEAD: same as GET, but without body content
○ OPTIONS: asks the server to list the HTTP methods allowed
○ TRACE: diagnostic purposes
○ PUT: upload/put
○ DELETE: delete/remove
HTTP Requests: HTTP versions

● Commonly 1.1 (the Host header is mandatory)
HTTP Requests: HTTP headers

● Host: specifies the hostname that appeared in the full URL
● Cookie: submits additional parameters that were issued to the client
● User-Agent: agent information
● Referer: indicates the URL the request is coming from
HTTP Responses
HTTP/1.1 200 OK
Date: Sat, 28 Dec 2019 02:02:47 GMT
Server: thin 1.2.11 codename Bat-Shit Crazy
X-Runtime: 83
Content-Type: text/html; charset=utf-8
ETag: "fff332147ec19fa1952cb62011639f84"
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 28236
Set-Cookie: _training.my_session=BAh7BzoPc2Vzc...8d64356b5e6528030dd2ea0ba1; path=/; HttpOnly
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
HTTP Responses: HTTP version used

HTTP/1.1 200 OK
HTTP Responses: HTTP Status Code

HTTP/1.1 200 OK

● HTTP status code
  ○ 20X
  ○ 30X
  ○ 40X
  ○ 50X
● Will learn later
HTTP Status Codes
● A number that summarizes the response associated with it
● https://devhints.io/http-status
HTTP Status Codes 20X; tldr
HTTP Status Codes 30X; tldr

A 302 redirect means that the page was temporarily moved, while a 301 means that it was permanently moved.
HTTP Status Codes 40X; tldr
HTTP Status Codes 50X; tldr

The 503 Service Unavailable error is an HTTP status code that means the website's server is simply not available right now.
HTTP Responses: Cookies

Set-Cookie: _training.my_session=BAh7BzoPc2Vzc...8d64356b5e6528030dd2ea0ba1; path=/; HttpOnly

● Cookies generated here will be used in the next request
  ○ HttpOnly: JavaScript will not be able to read this authentication cookie in case of XSS exploitation
  ○ Secure: the cookie will only be sent over HTTPS, which is HTTP over SSL/TLS
  ○ SameSite: declares whether your cookie should be restricted to a first-party or same-site context
HTTP Security Headers
● Not a bulletproof option, but HTTP security headers provide yet another layer of security by helping to mitigate attacks and security vulnerabilities.
● Regularly comes up in a pentest report
● Not all headers are needed
● Misconfiguration of headers could lead to a security bypass
Let’s explore HTTP security headers

Content Security Policy
● Helps prevent attacks such as Cross-Site Scripting (XSS) and other code injection attacks
● Misconfiguration could provide a bypass

X-XSS-Protection
● Enables the cross-site scripting (XSS) filter
● Enabled by default in major browsers
● Enabling it can enforce the use of it

HTTP Strict Transport Security (HSTS)
● Security enhancement that restricts web browsers to access web servers solely over HTTPS
● Ensures the connection cannot be established through an insecure HTTP connection

X-Frame-Options
● Indicates whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>
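Added example, not from the deck: a small Python checker that reads a raw HTTP/1.1 response, reports which Set-Cookie entries lack the Secure, HttpOnly and SameSite attributes described in the cookie slide, and lists which of the four security headers covered in this section are absent. The response is constructed after the deck's example (cookie value shortened, a second cookie and an X-Frame-Options header added for contrast); the expected-header list is simply the four headers the deck names, not a complete hardening baseline.

```python
# Constructed HTTP/1.1 response modelled on the one in the slides.
# The session cookie value is shortened; the "lang" cookie and
# X-Frame-Options header are added so both outcomes show up.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 28 Dec 2019 02:02:47 GMT\r\n"
    "Server: thin 1.2.11 codename Bat-Shit Crazy\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: _training.my_session=BAh7BzoPc2Vzc; path=/; HttpOnly\r\n"
    "Set-Cookie: lang=en; path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "X-Frame-Options: DENY\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
    "<html>...</html>"
)

# The four headers discussed in this section. X-XSS-Protection is kept
# because the deck covers it; current browsers have dropped that filter.
EXPECTED_HEADERS = ("Content-Security-Policy", "Strict-Transport-Security",
                    "X-Frame-Options", "X-XSS-Protection")
COOKIE_FLAGS = ("Secure", "HttpOnly", "SameSite")


def parse_response(raw):
    """Split a raw response into (status line, [(lowercased name, value), ...])."""
    head, _, _body = raw.partition("\r\n\r\n")   # headers end at the blank line
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")     # header values may contain ':'
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookie_findings(headers):
    """Return {cookie name: [missing attributes]} for every Set-Cookie header."""
    findings = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        # Attributes are case-insensitive; SameSite carries a value, the others do not
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        findings[cookie_name] = [f for f in COOKIE_FLAGS if f.lower() not in attrs]
    return findings


def missing_security_headers(headers):
    """Names from EXPECTED_HEADERS that the response does not set."""
    present = {name for name, _ in headers}
    return [h for h in EXPECTED_HEADERS if h.lower() not in present]
```

Matching on lowercased names matters because header names and cookie attribute names are case-insensitive, so a check that compares exact strings will miss "httponly" written in lower case.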
Identifying the technologies
● What programming language?
● Custom code, a framework, or a CMS?
● Server hosting the application
● Version: any known vulnerabilities? Any available source code?
Identifying the technologies... WHY?!
Tools
● https://whatcms.org/
● https://github.com/ajinabraham/CMSScan
● https://github.com/Dionach/CMSmap
● https://www.wappalyzer.com/
Say Hi to OWASP
Server-Side Attacks vs Client-Side Attacks

Server-side attacks (also called service-side attacks) are launched directly from an attacker (the client) to a listening service.

Client-side attacks occur when a user downloads malicious content. The flow of data is reversed compared to server-side attacks: client-side attacks initiate from the victim, who downloads content from the attacker.
Let’s practise Web Application testing
Thank you for attending the training
