2. @haydnjohnson
Whoami
Haydn Johnson
Twitter: @haydnjohnson
From: Australia, lives in Toronto
Talks: http://www.slideshare.net/HaydnJohnson
Certs: OSCP | GXPN
Just shy of 4 years industry experience
8. The differences
Vulnerability Assessment: list oriented
Penetration Testing: goal oriented
https://danielmiessler.com/study/vulnerability-assessment-penetration-test/
[Diagram] Vulnerability assessment output: VULN A, VULN B, VULN C (a flat list of findings).
[Diagram] Penetration test output: Phishing -> Local Admin -> Dump Hashes -> Domain Admin (a chain of steps towards a goal).
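The difference the diagram draws can be made concrete in code. The Python below is an added example, not part of the slides: it stores the slide's chain (Phishing -> Local Admin -> Dump Hashes -> Domain Admin) plus one assumed extra branch ("Open File Share") as a small graph, shows the VA view (an unordered list of findings) next to the PT view (every chain that reaches the goal), and answers the defender's question of which single finding, once fixed, breaks every chain.

```python
"""List-oriented vs goal-oriented: an attack-path graph (added example).

A vulnerability assessment hands back a flat list of findings; a penetration
test chains findings toward a goal. The graph below encodes the chain from the
slide plus one constructed alternative branch, and answers which single
finding, if remediated, leaves no chain to the goal.
"""

# Constructed graph: each step maps to the steps reachable from it.
# "Open File Share" is an assumed extra branch, not from the slides.
ATTACK_GRAPH = {
    "Phishing": ["Local Admin", "Open File Share"],
    "Local Admin": ["Dump Hashes"],
    "Open File Share": ["Dump Hashes"],
    "Dump Hashes": ["Domain Admin"],
    "Domain Admin": [],
}
START, GOAL = "Phishing", "Domain Admin"


def finding_list(graph):
    """The VA view: every finding as an unordered list, no relationships."""
    return sorted(graph)


def find_chains(graph, start, goal, fixed=frozenset()):
    """The PT view: every chain of findings from start to goal.

    `fixed` holds findings treated as remediated; chains through them are
    dropped. The depth-first walk never revisits a node already on the current
    chain, so it is safe on graphs that contain cycles.
    """
    chains = []

    def walk(node, chain):
        if node in fixed:
            return
        chain = chain + [node]
        if node == goal:
            chains.append(chain)
            return
        for nxt in graph.get(node, []):
            if nxt not in chain:
                walk(nxt, chain)

    walk(start, [])
    return chains


def choke_points(graph, start, goal):
    """Findings (other than the start and goal themselves) whose remediation
    alone leaves no chain to the goal: the fixes with the most leverage."""
    candidates = set(graph) - {start, goal}
    return sorted(f for f in candidates if not find_chains(graph, start, goal, {f}))


if __name__ == "__main__":
    print("VA list:", finding_list(ATTACK_GRAPH))
    for chain in find_chains(ATTACK_GRAPH, START, GOAL):
        print("PT chain:", " -> ".join(chain))
    print("Fix first:", choke_points(ATTACK_GRAPH, START, GOAL))
```

On this graph both chains pass through "Dump Hashes", so that is the one finding whose remediation cuts every path to Domain Admin; the flat VA list cannot show that relationship, which is exactly the "real impact" point the later reporting slides make.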
18. Where does one start
In order to understand what a penetration test is, we must look at some standards.
No really. A standard exists!
20. Let us look at
First: the PTES standard. Will explain the key points.
Second: what is in the standard. Compare with vulnerability assessment.
Third: compare VA -> PT. Show example.
22. Penetration Testing Execution Standard
By REAL infosec people:
Chris Nickerson
Dave Kennedy
Carlos Perez
John Strand
Chris Gates
+ Many more
http://www.pentest-standard.org/index.php/FAQ
23. The Penetration Testing Execution Standard
Main sections:
Pre-engagement Interactions
Intelligence Gathering
Threat Modeling
Vulnerability Analysis
Exploitation
Post Exploitation
Reporting
http://www.pentest-standard.org/index.php/Main_Page
24. Goals of the standard
Businesses: the goal is to enable them to demand a specific baseline of work as part of a pentest.
Service providers: the goal is to provide a baseline for the kinds of activities needed.
25. “The standard is written for us….anyone and everyone who’s dealing with penetration testing. It is not about a specific product, or even a specific approach or methodology for testing.”
“It is designed so that when it is adhered to, the delivery will be well above a “minimal standard”.”
http://www.iamit.org/blog/2016/09/ptes-remaining-impartial-and-insisting-on-high-standards/
26. Pre-engagement
Time estimation
  Tied to experience of tester
  20% for padding
Scoping meeting
  What will be tested
  Customer owned?
  Validate assumptions
General questions
  Network pentest
  Web pentest
  Physical pentest
Scope creep
  Wanting more covered
  How to deal with it
Specific IP ranges and domains
  IP blocks
  Owned by client
Payment terms
  Up front
  Half way
  End
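The "customer owned?" and "validate assumptions" points above are the ones most often skipped, and scope creep usually arrives as "just one more range". The Python below is an added example, not from the slides or the PTES project: it checks a proposed target list against the IP blocks and domains the client has confirmed it owns, so that anything outside the agreement is flagged before testing starts. The ranges and hostnames are constructed.

```python
"""Pre-engagement scope check (added example, not from the slides).

Takes the target list agreed in the scoping meeting and checks every entry
against the IP blocks and domains the client has confirmed it owns, so that
out-of-scope or mistyped targets are caught before any testing starts.
"""
import ipaddress

# Constructed: what the client confirmed it owns during scoping.
OWNED_BLOCKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
OWNED_DOMAINS = ("example.com",)


def in_owned_domain(hostname, owned=OWNED_DOMAINS):
    """True if hostname equals an owned domain or is a subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in owned)


def classify_target(target, blocks=OWNED_BLOCKS, domains=OWNED_DOMAINS):
    """Return 'in-scope', 'out-of-scope' or 'invalid' for one target entry.

    Accepts a single IP, a CIDR range or a hostname. A CIDR is in scope only
    if the whole range sits inside a client-owned block, so a range wider than
    what the client owns is flagged rather than partially accepted.
    """
    target = target.strip()
    if not target or " " in target:
        return "invalid"
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        # Not an IP or CIDR: treat it as a hostname.
        return "in-scope" if in_owned_domain(target, domains) else "out-of-scope"
    # Compare versions first: subnet_of() raises on a v4/v6 mismatch.
    inside = any(net.version == b.version and net.subnet_of(b) for b in blocks)
    return "in-scope" if inside else "out-of-scope"


def validate_scope(targets, **kwargs):
    """Bucket a proposed target list. Anything outside 'in-scope' needs a
    written change to the agreement before it is touched (scope creep)."""
    result = {"in-scope": [], "out-of-scope": [], "invalid": []}
    for t in targets:
        result[classify_target(t, **kwargs)].append(t)
    return result


if __name__ == "__main__":
    proposed = ["203.0.113.0/24", "198.51.100.200", "www.example.com",
                "example.com.attacker.test", "10.0.0.0/8", "not a host"]
    for bucket, items in validate_scope(proposed).items():
        print(f"{bucket}: {items}")
```

Run it with the real scoping output in place of the constructed lists; a non-empty "out-of-scope" bucket is the cue to go back to the client rather than quietly widen the engagement.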
30. Intelligence Gathering
Level 1
  Compliance
  Automated tools
Level 2
  Best practice
  Understanding of business
  Physical location, org chart
Level 3
  State sponsored
  Heavy analysis, social networks etc.
What is it
  Information gathering to be utilized to penetrate a target during the vulnerability and exploitation phases.
  The more information, the better.
What it is not
  Nothing found from on-premises
  Footprinting
  Scanning
  IP blocks
35. Threat Modelling
High level process
  Gather relevant documentation
  Identify & categorize assets
  Identify & categorize threats
  Map threats against assets
Business asset analysis
  Asset-centric view
  Assets most likely to be targeted
  Value of assets and impact of loss
Business process analysis
  How it makes money
  Critical vs noncritical processes
  How they can be made to lose money
Threat agents
  Internal / external
  Community within location
  Capabilities / motivation
Motivation modelling
  Constantly changing
  Increase / decrease
Threat capability
  Probability of success
  Technical and opportunity
36. Threat Modelling - High Level
Gather relevant documentation
Identify and categorize primary and secondary assets
Identify and categorize threats and threat communities
Map threat communities against primary and secondary assets
37. Threat Modelling - Business Asset Analysis
Identify assets that are most likely to be targeted
Organisational Data - how the organization does business
Trade secrets
Infrastructure design
**Can feed other areas - intel?
43. Threat Modeling - Key Points
Enables the tester to focus on delivering an engagement that closely emulates the tools, techniques, capabilities, accessibility and general profile of the attacker...
Tools | Techniques | Capabilities | Access
44. Threat Modelling - Example
Tofsee malware
  JavaScript downloader
  PE32 executable into the %USERPROFILE% directory
  Spam
  Delivered via RIG Exploit Kit
http://blog.talosintel.com/2016/09/tofsee-spam.html
https://www.recordedfuture.com/threat-actor-types/
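The "map threat communities against primary and secondary assets" step from slides 35 to 37 is the part of threat modelling that turns lists into priorities. The Python below is an added example, not from the slides or PTES: each primary asset carries an impact-of-loss score, each secondary asset (infrastructure design, org chart) inherits the impact of the primary asset it exposes, and each threat community has a capability and a per-asset motivation; the product ranks which (threat, asset) pairs the engagement should emulate first. The assets, communities, the 1-5 scales and the one-point discount for secondary assets are all constructed assumptions of the example.

```python
"""Threat modelling: mapping threat communities against assets (added example).

Each primary asset carries a loss impact; a secondary asset inherits the impact
of the primary asset it exposes, discounted by one because it is a step
removed; each threat community has a capability and a per-asset motivation.
Capability x motivation x impact ranks the (threat, asset) pairs.
"""

# Constructed primary assets with impact of loss on a 1-5 scale.
PRIMARY = {"trade_secrets": 5, "customer_data": 4}

# Constructed secondary assets and the primary asset each one exposes.
SECONDARY = {"infrastructure_design": "trade_secrets", "org_chart": "customer_data"}

# Constructed threat communities: capability (1-5) and motivation per primary asset (1-5).
THREATS = {
    "organised_crime": {"capability": 4, "motivation": {"customer_data": 5, "trade_secrets": 2}},
    "competitor": {"capability": 3, "motivation": {"trade_secrets": 5, "customer_data": 1}},
    "disgruntled_insider": {"capability": 2, "motivation": {"trade_secrets": 3, "customer_data": 3}},
}


def primary_of(asset):
    """The primary asset an asset ultimately represents."""
    return asset if asset in PRIMARY else SECONDARY[asset]


def asset_value(asset):
    """Primary assets carry their own impact; secondary assets inherit one point less."""
    if asset in PRIMARY:
        return PRIMARY[asset]
    return max(1, PRIMARY[SECONDARY[asset]] - 1)


def score(threat, asset):
    """Capability x motivation x impact: a coarse likelihood-times-impact figure."""
    t = THREATS[threat]
    return t["capability"] * t["motivation"][primary_of(asset)] * asset_value(asset)


def rank_threat_asset_pairs():
    """All (score, threat, asset) triples, highest score first; ties broken by name."""
    assets = list(PRIMARY) + list(SECONDARY)
    return sorted(((score(t, a), t, a) for t in THREATS for a in assets), reverse=True)


def emulation_profile(top_n=3):
    """The threat communities whose tools, techniques, capabilities and access
    the tester should model: those present in the top_n ranked pairs."""
    return sorted({t for _, t, _ in rank_threat_asset_pairs()[:top_n]})


if __name__ == "__main__":
    for s, threat, asset in rank_threat_asset_pairs():
        print(f"{s:3d}  {threat:20s} -> {asset}")
    print("Emulate:", emulation_profile())
```

The secondary assets matter because they score almost as high as the primaries they expose: an org chart or network design is rarely the target, but it is what the top-ranked threat community would collect on the way to the real one, which is the "can feed other areas - intel?" note on slide 37.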
46. Vulnerability Analysis
Discovering flaws / testing
  Leveraged by attackers
  Host & service
  Insecure design
Relevant
  Correct level of depth
  Expectations
  Goals
Passive
  How it makes money
  Metadata analysis
Active
  Direct interaction
  Automated
  Manual
Research
  Constantly changing
  Increase / decrease
Validation
  Probability of success
  Technical and opportunity
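The slide names "Validation" but does not say how findings get validated. The Python below is an added example, not from the slides or PTES, using one common rule that is an assumption of the example: a finding counts as validated when two independent sources report the same issue on the same host and port, or when a manual check confirms it; everything else stays unconfirmed until someone looks at it. The scanner output is constructed.

```python
"""Vulnerability analysis: validating findings before exploitation (added example).

Active scanning (automated and manual) produces candidate findings; the
validation step decides which are real enough to carry into exploitation.
Rule used here (an assumption of the example): a finding is validated when at
least two independent sources agree on (host, port, issue), or when a trusted
source such as a manual check reports it.
"""
from collections import defaultdict

# Constructed findings: (source, host, port, issue)
FINDINGS = [
    ("scanner-a", "10.0.0.5", 443, "tls-weak-cipher"),
    ("scanner-b", "10.0.0.5", 443, "tls-weak-cipher"),
    ("scanner-a", "10.0.0.5", 22, "ssh-old-version"),
    ("scanner-a", "10.0.0.9", 80, "http-dir-listing"),
    ("manual", "10.0.0.9", 80, "http-dir-listing"),
    ("scanner-b", "10.0.0.9", 8080, "default-creds"),
    ("manual", "10.0.0.9", 8443, "admin-no-auth"),
]
TRUSTED_SOURCES = {"manual"}


def correlate(findings):
    """Group findings by (host, port, issue) and record which sources saw each."""
    seen = defaultdict(set)
    for source, host, port, issue in findings:
        seen[(host, port, issue)].add(source)
    return dict(seen)


def is_validated(sources, min_sources=2, trusted=TRUSTED_SOURCES):
    """Independent agreement, or confirmation by a trusted source."""
    return len(sources) >= min_sources or bool(sources & trusted)


def triage(findings, min_sources=2, trusted=TRUSTED_SOURCES):
    """Split findings into validated (carry forward) and unconfirmed (needs a
    second tool or a manual look before anyone spends exploitation time on it)."""
    validated, unconfirmed = [], []
    for key, sources in sorted(correlate(findings).items()):
        bucket = validated if is_validated(sources, min_sources, trusted) else unconfirmed
        bucket.append(key)
    return validated, unconfirmed


if __name__ == "__main__":
    validated, unconfirmed = triage(FINDINGS)
    print("Validated:", *validated, sep="\n  ")
    print("Unconfirmed:", *unconfirmed, sep="\n  ")
```

The "correct level of depth" point on the slide is the knob here: tightening `min_sources` or emptying `trusted` pushes more findings into the unconfirmed bucket, which is the right call when the engagement's goal is a proven impact rather than a long list.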
49. Vulnerability Analysis - VA comparison
Primarily focused on KNOWN vulnerabilities.
Network / business logic not assessed.
Whitelisted | Trusted
No evasion needed
50. Exploitation
Countermeasures
  Encoding
  Process injection
  DEP | ASLR
Evasion
  Prevent detection
  Physical
  Network
Precision strike
  Not hail mary
  Based on previous steps
Tailored exploits
  Customize known exploit
Zero day angle
  Last resort
  Fuzzing
  Code analysis
58. Exploitation - IS NOT THE DIFFERENCE BETWEEN A VA & PT
Exploitation can be used in a VA or a PT.
Clients may want a high risk vulnerability proven.
Exploitation is highly used in a penetration test - but it is not the definition.
https://danielmiessler.com/study/vulnerability-assessment-penetration-test/
63. Post Exploitation
Rules of engagement
  Protecting client
  Protecting yourself
Infrastructure analysis
  Routing
  Network services
  Neighbors
Pillaging
  Installed programs | services
  File/printer shares
  Host configuration
  Monitoring
Deep in target
  Identification of impact
  Affect 1 system
  Affect infrastructure
Persistence & pivoting
  Backdoors
  Lateral movement
Data exfiltration
  Testing
  Measure controls and detection
64. Post Exploitation - think like the attacker
What is in the network
Where is the data - customer - financial - health - credit card
Where is the domain admin
66. Post Exploitation - VA comparison
Exploitation proves the vulnerability can be exploited.
This does not show the business impact.
Not “how deep, real impact”
68. Reporting
Exec summary
  Goals of pentest
  High level findings
  Background
  Overall posture
  C-level | management
  Systemic issues
Technical report
  Introduction
  Information gathering
  Vulnerability assessment
  Exploitation / vuln confirmation
  Post exploitation
  Risk exposure
  Conclusion
69. Reporting - Exec Summary
High level background
Key points
Key impact and ratings
Recommendations
Strategic road map
Similar to VA - but shows real impact, not just vulns
70. Reporting - Technical Report
Deep explanation of each stage
Step by step of process / exploitation
Step by step of post exploitation
Similar to VA - but shows much more than a list of vulns
77. Further Reading
Pentesting in detail:
http://www.isaca.org/chapters3/Atlanta/AboutOurChapter/Documents/GW2015/081115-10AM-Pentesting.pdf
PTES and high standards:
http://www.iamit.org/blog/2016/09/ptes-remaining-impartial-and-insisting-on-high-standards/
Post exploitation blogs with Empire:
https://www.powershellempire.com/?page_id=561