The Business of Penetration Testing Jacolon Walker

Post on 15-Jan-2016


TRANSCRIPT

Page 1: The Business of Penetration Testing

The Business of Penetration Testing

Jacolon Walker

Page 2: The Business of Penetration Testing

Agenda
● Introduction about me
● Penetration testing methodology
● Pentesting frameworks
● Customizing your tool set
● Engagement prep
● Post engagement
● Wrapping it all up

Page 3: The Business of Penetration Testing

The about me stuff
● 6 years in InfoSec
● My talk is not sponsored by my employers
● Write code, exploits, reverse malware for fun and sometimes profit
● Have certs
● Placed 2nd in SANS NetWars
● Disclaimer on ideology

Page 4: The Business of Penetration Testing

Ethical Pentesting Methodology?
● No such thing if you want to be successful
● You need to think like a hacker
● Pentesting methodologies cover all the ground and help win assessments
● Attention to detail and organization skills
● Push the envelope but do not cross the line

Page 5: The Business of Penetration Testing

Penetration Methodology
● 5 step process
  – Reconnaissance
  – Scanning & Enumeration
  – Gaining Access
  – Maintaining Access
  – Covering Tracks

Page 6: The Business of Penetration Testing

Reconnaissance

Page 7: The Business of Penetration Testing

Penetration Methodology Cont.

● Reconnaissance
  – Gathering information passively
  – Not actively scanning or exploiting anything
  – Harvesting information
  – Bing, Google, Yahoo, Yandex
  – Wayback Machine (web archive)
  – Social media, etc.

Page 8: The Business of Penetration Testing

Penetration Methodology Cont.

● Scanning & Enumeration
  – Target discovery
  – Enumerating
  – Vulnerability mapping

Page 9: The Business of Penetration Testing

DEMO
● Maltego
● Recon-ng
● theHarvester
● Nmap

Page 10: The Business of Penetration Testing

OSINT ALL THE DATA

Page 11: The Business of Penetration Testing

Penetration Methodology Cont.

● Gaining Access
  – Mapped vulns
  – Important to penetrate: gaining a user and escalating privs
  – Try multiple vectors. This is actually a decently easy part
  – Web application, wifi, social engineering
  – Use your research

Page 12: The Business of Penetration Testing

Penetration Methodology Cont.

● Maintaining Access
  – Keeping account access
  – Privilege escalation
  – Pivoting to own all
  – ET phone home

Page 13: The Business of Penetration Testing

DEMO
● Metasploit
● Post-exploitation scripts

Page 14: The Business of Penetration Testing

Broken? No luck?

Page 15: The Business of Penetration Testing

Penetration Methodology Cont.

● Covering Tracks
  – Removing tools
  – Backdoors, ET phone homes
  – Clearing logs
  – Windows security, application and system logs
  – Linux /var/log/*
  – Remove audit logs carefully!!!!!
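A defender-side check for the log-clearing step above, added here as an illustration and not part of the deck: it scans a constructed JSON-lines export of Windows events for the records Windows writes when a log is cleared (Event ID 1102 in the Security log, Event ID 104 in the System log). The host name, timestamps and user names are constructed sample data.

```python
"""Flag the events Windows itself records when an event log is cleared."""
import json

# Event IDs written by Microsoft-Windows-Eventlog when a log is cleared.
# 1102 lands in the Security log; 104 lands in the System log
# (it reports the System or Application log being cleared).
LOG_CLEARED_IDS = {
    1102: "Security log cleared",
    104: "System/Application log cleared",
}

# Constructed sample export (JSON lines); host "ws01" and users are made up.
SAMPLE_EVENTS = """\
{"host":"ws01","ts":"2016-01-15T09:00:01Z","channel":"Security","event_id":4624,"user":"jdoe"}
{"host":"ws01","ts":"2016-01-15T09:05:10Z","channel":"Security","event_id":4672,"user":"jdoe"}
{"host":"ws01","ts":"2016-01-15T09:07:44Z","channel":"Security","event_id":1102,"user":"jdoe"}
{"host":"ws01","ts":"2016-01-15T09:08:02Z","channel":"System","event_id":104,"user":"jdoe"}
{"host":"ws01","ts":"2016-01-15T09:09:00Z","channel":"Security","event_id":4624,"user":"svc-backup"}
"""


def parse_events(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def find_log_clears(events):
    """Return one alert per log-cleared event, in input order."""
    alerts = []
    for ev in events:
        what = LOG_CLEARED_IDS.get(ev.get("event_id"))
        if what is not None:
            alerts.append({
                "host": ev["host"], "ts": ev["ts"], "channel": ev["channel"],
                "user": ev.get("user", "?"), "what": what,
            })
    return alerts


def summarize(alerts):
    """Render alerts as single-line strings for a console or ticket."""
    return [f"{a['ts']} {a['host']} {a['channel']}: {a['what']} by {a['user']}"
            for a in alerts]


if __name__ == "__main__":
    for line in summarize(find_log_clears(parse_events(SAMPLE_EVENTS))):
        print(line)
```

The clear-log records only survive if they are forwarded off the host before the local log is wiped, so this check belongs on a central collector rather than on the endpoint.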

Page 16: The Business of Penetration Testing

Penetration Frameworks
● vulnerabilityassessment.co.uk
● pentest-standard.org
● Open Source Security Testing Methodology Manual (OSSTMM)
● Information Systems Security Assessment Framework (ISSAF)
● Open Web Application Security Project (OWASP) Top Ten
● Web Application Security Consortium Threat Classification (WASC-TC)

Page 17: The Business of Penetration Testing

Customizing your toolset
● Kali Linux – the new BackTrack
● Use your methodology to help build this
● Recon, scanning, exploitation, post-exploitation
● Become familiar with those tools
● Change it up to add more to your collection

Page 18: The Business of Penetration Testing

My toolset
● A few things in my tool set
● Recon-ng / theHarvester
● Burp Suite
● Nmap / p0f / ncat
● Nessus / Core Impact / Acunetix / SAINT
● Arachni / Vega / Metasploit / Websecurify
● Python Python Python
● KeepNote / Lair / Etherpad / (Armitage *testing*)

Page 19: The Business of Penetration Testing

Toolset Demo

● Demonstrating some of the tools I use

Page 20: The Business of Penetration Testing

Finally the assessment is over? No

http://nooooooooooooooo.com

Page 21: The Business of Penetration Testing

Pre-engagement Prep
● You are selling a service, so...
● Sell something
● Tool customization
● Know what the offers and market rates are
● Is this assessment for you?
● Fixed pricing or hourly
● What does the client want?
● Can you provide what they want?

Page 22: The Business of Penetration Testing

Engagement Sold!!!
● Scope of work
● Understand what the client wants
● Black, gray, white box testing or red teaming
● How long the assessment will take
● What to expect from the assessment
● Client contacts, from project manager to network admins, in case of emergencies
● Use the methodologies that you have created
● Remember to log everything
● Secure communication with clients

Page 23: The Business of Penetration Testing

Post Engagement
● Report writing
● Did any issues occur? Could they have been prevented? Can they be fixed?
● Did you get what you wanted from the engagement? Profit?
● Any new tools or methodologies added?
● Possible new techniques?
● Was the customer satisfied?

Page 24: The Business of Penetration Testing

Report Writing
● It is the last thing the customer sees. Make it the best thing they see

● Customers are paying for quality

● Different reports for various teams

● Executive Summary

● Detailed Summary

● I could write a whole presentation about this but I will not

Page 25: The Business of Penetration Testing

Wrapping it all up
● Pentesting has numerous components
● It's not always about hacking; it's about research and business
● Making sure you are NICHE at what you do. Know your target and field
● Always improve your methods while helping your client improve their infrastructure
● “Don't learn to hack, hack to learn”