The Business of Penetration Testing
Transcript of The Business of Penetration Testing
Jacolon Walker
Agenda
● Introduction about me
● Penetration testing methodology
● Pentesting frameworks
● Customizing your tool set
● Engagement prep
● Post engagement
● Wrapping it all up
The about me stuff
● 6 years in InfoSec
● My talk is not sponsored by my employers
● Write code, exploits, reverse malware for fun and sometimes profit
● Have certs
● Placed 2nd in SANS NetWars
● Disclaimer on ideology
Ethical Pentesting Methodology?
● No such thing if you want to be successful
● You need to think like a hacker
● A methodology makes sure you cover all the ground and helps you win assessments
● Attention to detail and organization skills
● Push the envelope, but do not cross the line
Penetration Methodology
● A 5 step process:
– Reconnaissance
– Scanning & Enumeration
– Gaining Access
– Maintaining Access
– Covering Tracks
Reconnaissance
Penetration Methodology Cont.
● Reconnaissance
– Gathering information passively
– Not actively scanning or exploiting anything
– Harvesting information from what is already public
● Bing, Google, Yahoo, Yandex
● Wayback Machine (archive.org)
● Social media, etc.
Penetration Methodology Cont.
● Scanning & Enumeration
– Target discovery
– Enumerating hosts and services
– Vulnerability mapping
DEMO
● Maltego
● Recon-ng
● theHarvester
● Nmap
OSINT ALL THE DATA
Penetration Methodology Cont.
● Gaining Access
– Work from the vulnerabilities you mapped
– The goal is to get in as a user and then escalate privileges
– Try multiple vectors; this is actually a fairly easy part
– Web application, WiFi, social engineering
– Use your research
Penetration Methodology Cont.
● Maintaining Access
– Keeping account access
– Privilege escalation
– Pivoting to own everything
– ET phone home (callbacks from the compromised host to your infrastructure)
DEMO
● Metasploit
● Post-exploitation scripts
Broken? No luck?
Penetration Methodology Cont.
● Covering Tracks
– Removing tools
– Backdoors and ET phone homes
– Clearing logs
– Windows: security, application and system logs
– Linux: /var/log/*
– Remove audit logs carefully!!!!!
– On a paid assessment, clear client logs only where the rules of engagement allow it; otherwise leave the trail for the client's defenders and document your cleanup in the report
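"Removing tools" is the part of cleanup you owe the client regardless of what the rules of engagement say about logs, and it goes wrong when you lose track of what you dropped or delete a file someone else has since changed. As an added example (not code from the talk), the script below keeps a manifest of every artifact written to a target (path, SHA-256, timestamp, note) and at cleanup removes only files that are still byte-for-byte what you wrote, leaving modified ones for manual review. The artifacts, the temp directory and the "someone edited our file" step are constructed for the demo; in a real engagement the manifest lives on your own machine, not the target.

```python
"""Keep a manifest of every file dropped on a target and remove them at cleanup,
deleting only what is still byte-for-byte the file you wrote."""
import hashlib
import json
import os
import tempfile
import time


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class ArtifactManifest:
    """JSON manifest of dropped artifacts: path, sha256, UTC timestamp, note.
    Keep the manifest on your own machine, not on the target."""

    def __init__(self, manifest_path):
        self.manifest_path = manifest_path
        self.entries = []
        if os.path.exists(manifest_path):
            with open(manifest_path) as f:
                self.entries = json.load(f)

    def save(self):
        with open(self.manifest_path, "w") as f:
            json.dump(self.entries, f, indent=2)

    def drop(self, path, data, note=""):
        """Write `data` to `path` on the target and record it."""
        with open(path, "wb") as f:
            f.write(data)
        self.entries.append({
            "path": os.path.abspath(path),
            "sha256": sha256_file(path),
            "dropped_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "note": note,
        })
        self.save()

    def cleanup(self):
        """Remove recorded files whose hash still matches. Files already gone are
        dropped from the manifest; files that changed are left in place and kept in
        the manifest, because something else has touched them since the drop."""
        removed, skipped, keep = [], [], []
        for e in self.entries:
            p = e["path"]
            if not os.path.exists(p):
                skipped.append((p, "already gone"))
            elif sha256_file(p) != e["sha256"]:
                skipped.append((p, "modified since drop; review manually"))
                keep.append(e)
            else:
                os.remove(p)
                removed.append(p)
        self.entries = keep
        self.save()
        return removed, skipped


def demo():
    """Drop two constructed artifacts in a temp dir, simulate one being edited
    after the drop, then clean up. Returns basenames so the outcome is easy to check."""
    workdir = tempfile.mkdtemp(prefix="engagement-")
    # Demo only: the manifest sits next to the artifacts; in a real job keep it local.
    m = ArtifactManifest(os.path.join(workdir, "manifest.json"))
    m.drop(os.path.join(workdir, "enum.sh"), b"#!/bin/sh\nid; uname -a\n", note="enumeration helper")
    m.drop(os.path.join(workdir, "callback.py"), b"print('callback test')\n", note="ET phone home test")
    with open(os.path.join(workdir, "callback.py"), "ab") as f:  # someone edited our file
        f.write(b"# edited after drop\n")
    removed, skipped = m.cleanup()
    return {
        "removed": sorted(os.path.basename(p) for p in removed),
        "skipped": sorted((os.path.basename(p), why) for p, why in skipped),
        "left_on_disk": sorted(os.listdir(workdir)),
        "manifest_entries": len(m.entries),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash check is the point: a file that no longer matches the manifest is either something the client changed or something that was overwritten, and in both cases deleting it blindly is how you damage a production box. The leftover entry in the manifest is what you hand over in the report's cleanup section.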
Penetration Frameworks
● vulnerabilityassessment.co.uk (Penetration Testing Framework)
● pentest-standard.org (Penetration Testing Execution Standard, PTES)
● Open Source Security Testing Methodology Manual (OSSTMM)
● Information Systems Security Assessment Framework (ISSAF)
● Open Web Application Security Project (OWASP) Top Ten (an awareness list of risk categories; the OWASP Testing Guide is the actual test methodology)
● Web Application Security Consortium Threat Classification (WASC-TC)
Customizing your toolset
● Kali Linux, the new BackTrack
● Use your methodology to help build this: one set of tools per phase
● Recon, scanning, exploitation, post-exploitation
● Become familiar with those tools
● Change it up to add more to your collection
My toolset
● A few things in my tool set:
● Recon-ng / theHarvester
● Burp Suite
● Nmap / p0f / ncat
● Nessus / Core Impact / Acunetix / SAINT
● Arachni / Vega / Metasploit / Websecurify
● Python Python Python
● KeepNote / Lair / Etherpad / (Armitage *testing*)
Toolset Demo
●Demonstrating some of the tools I use
Pre-engagement Prep
● You are selling a service, so...
● Sell something
● Tool customization
● Know what competitors offer and what the market rates are
● Is this assessment for you?
● Fixed pricing or hourly?
● What does the client want?
● Can you provide what they want?
Engagement Sold!!!
● Scope of work
● Understand what the client wants
● Black, gray or white box testing, or red teaming
● How long the assessment will take
● What to expect from the assessment
● Client contacts, from the project manager down to the network admins, in case of emergencies
● Use the methodologies that you have created
● Remember to log everything
● Secure communication with clients
Post Engagement
● Report writing
● Did any issues occur? Could they have been prevented? Can they be fixed?
● Did you get what you wanted from the engagement? Profit?
● Any new tools or methodologies added?
● Possible new techniques?
● Was the customer satisfied?
Report Writing● It is the last thing the customer sees. Make it the best thing they see
● Customers are paying for quality
● Different reports for various teams
● Executive Summary
● Detailed Summary
● I could write a whole presentation about this but I will not
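One concrete way to get "different reports for various teams" without maintaining several documents by hand is to keep a single findings list and render the audience-specific views from it. As an added example (not code from the talk), the script below builds an executive summary (severity counts and the top items, no hosts and no evidence) and a detailed per-team report restricted to the hosts each team owns, evidence included. The findings, hosts and team ownership map are constructed for illustration.

```python
"""Build an executive summary and per-team detailed reports from one findings list."""
from collections import Counter
from dataclasses import dataclass

SEVERITY_ORDER = ("Critical", "High", "Medium", "Low", "Informational")


@dataclass
class Finding:
    title: str
    severity: str
    hosts: list
    description: str
    remediation: str
    evidence: str = ""  # goes only to the technical report


# Constructed sample findings, not from a real engagement.
FINDINGS = [
    Finding("Default credentials on management interface", "High", ["10.0.0.5"],
            "Web console accepted a vendor default account.",
            "Change defaults; enforce a password policy.",
            "POST /login -> 302 with admin session cookie"),
    Finding("Missing OS patches", "Medium", ["10.0.0.5", "10.0.0.7"],
            "Hosts are behind on vendor security updates.", "Apply updates on a regular cycle."),
    Finding("SMB signing not required", "Low", ["10.0.0.7"],
            "Relay of authentication to the host is possible.", "Require SMB signing via policy."),
    Finding("Directory listing enabled", "Informational", ["10.0.0.5"],
            "Web server lists directory contents.", "Disable autoindex."),
]

# Constructed host ownership map: team -> hosts it operates.
TEAM_HOSTS = {"web": {"10.0.0.5"}, "windows": {"10.0.0.7"}}


def sort_findings(findings):
    """Highest severity first, then by title so the order is stable."""
    return sorted(findings, key=lambda f: (SEVERITY_ORDER.index(f.severity), f.title))


def severity_counts(findings):
    c = Counter(f.severity for f in findings)
    return {s: c[s] for s in SEVERITY_ORDER if c[s]}


def executive_summary(findings):
    """Counts and the top items only: no hosts, no evidence."""
    hosts = {h for f in findings for h in f.hosts}
    lines = [f"{len(findings)} findings on {len(hosts)} hosts."]
    lines += [f"- {s}: {n}" for s, n in severity_counts(findings).items()]
    top = [f for f in sort_findings(findings) if f.severity in ("Critical", "High")]
    if top:
        lines.append("Highest-risk items:")
        lines += [f"- {f.title} ({f.severity})" for f in top]
    return "\n".join(lines)


def team_report(findings, team, team_hosts=TEAM_HOSTS):
    """Detailed findings restricted to hosts the team owns, with evidence."""
    owned = team_hosts[team]
    selected = [f for f in sort_findings(findings) if owned & set(f.hosts)]
    out = [f"Detailed findings for team '{team}' ({len(selected)})"]
    for i, f in enumerate(selected, 1):
        affected = sorted(owned & set(f.hosts))  # only this team's hosts
        out += [f"{i}. [{f.severity}] {f.title}", f"   Hosts: {', '.join(affected)}",
                f"   {f.description}", f"   Remediation: {f.remediation}"]
        if f.evidence:
            out.append(f"   Evidence: {f.evidence}")
    return "\n".join(out)


if __name__ == "__main__":
    print(executive_summary(FINDINGS))
    for team in TEAM_HOSTS:
        print()
        print(team_report(FINDINGS, team))
```

The two views differ in what they leave out, not just in length: the executive summary never carries host addresses or evidence (it gets forwarded widely), and a team's detailed report only lists the hosts that team is responsible for, so a shared finding like missing patches shows up in each team's report with just their own systems.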
Wrapping it all up
● Pentesting has numerous components
● It's not always about hacking; it's about research and business
● Be niche at what you do. Know your target and your field
● Always improve your methods while helping your client improve their infrastructure
● "Don't learn to hack, hack to learn"