The Purple Files - Methodology

Pentesting Methodology

Introduction and Background
Preparation
Reconnaissance
Enumeration
Attack
Demonstrating Intrusion
Reporting
Resources

Introduction

Methodology: a body of methods, rules, and postulates employed by a discipline: a particular procedure or set of procedures (www.merriam-webster) wither a criminal, activist, or well-meaning hobbyist most attackers, and by far most successful attackers, each follows a methodology when performing their attacks. A methodology has the same advantages when conducting an authorized penetration test (pentest).

Over the years the successful habits of attackers and pentesters has evolved into ever increasingly complex methodologies that act as frameworks to organize the steps taken to gain unauthorized access to systems. In addition, it seems that in order to stand out as more credible, many methodologies today have become huge and complex. There is often more emphases on outlining every detail than on being a framework that can adjust to the different situations and environments that are typically encountered during pentesting.

Comparison of Methodologies

This is a comparison of the "Hacking Exposed" and the tpf Methodologies. Notice that in some cases multiple steps of the Hacking Exposed methodology are compressed into one step in the tpf methodology. Also, there also several steps in the Hacking Exposed methodology that are not represented in the tpf approach. This illustrates some of the significant differences between the two. The Hacking Exposed approach is much closer to the way an actual intruder would go about attacking a target, while the tpf approach takes into consideration limiting the potential of disruption.

Preparation
Reconnaissance
Footprinting
Scanning
Enumeration
Gaining Access
Attack
Irrelevant
Escalating Privilage
Harvesting
Irrelevant
Covering tracks
Creating Backdoor
DoS

The Tpf methodology Preparation Purpose: Finalize all agreed upon tasks, responsibilities, limitation, and requirement that define this particular pentesting engagement. Relationship to other steps (flow of info): The actions taken here help to insure that any risk to the pentester is minimized, the client has a reasonable expectation of how the engagement will be conducted, both parties know their responsibilities, both parties have a reasonable expectation of the goals and results will be. Tools used and their purposes: For the workstation used to preform the pentedty: Software updating services to update Kali Linux and all bundled applications, LibraOffice open source office software for reporting. Illustrated in tpf: Nmap, nc, tcpdump, metasploit framework, nikto, Types of notes and observations to log. Here you should log the version of Kali, your IP and MAC addresses, the IP address of the target, the date and time you begin and end the active portion(s) of the engagement. You should verify and note that the preparation documents have been properly filled out and that you have copies in hand. Reconnaissance - Passive information gathering. Gather information from public sources, as well as directly from the target. Purpose Relationship to other steps (flow of info): In this step you will gather a large amount of information about the target. That information will be used in the next step to determine the types of attacks to test, and to infer potential weaknesses. Tools used and their purposes: Several Open Source utilities along with web based scanners and databases to gather and solicit information about and from the target. Types of notes and observations to log: In this step all of the output from all of the utilities used is spoiled into ASSCI text files for later analysis. As the results come in on screen you should note any problems you notice that would indicate that the target or network are experiencing disruption. Attack - The actual attempts to exploit potential vulnerabilities. Purpose The goal here is not to find a way to circumvent the security that is in place on the target, but rather to identify as many vulnerabilities as possible. But in doing this, you will run into false positives often enough that you should verify at least most of the vulnerabilities that are identified. In many cases this is best done but comparing the results either with another tool, actually attacking the vulnerability, or manually inspecting the issue. Relationship to other steps (flow of info) In this step you are investigating the specific potential vulnerabilities identified in the Reconnaissance step. The findings and notes you collect here will be used to create the final report. Tools used and their purposes: Metasploit framework, web browser, nc, telnet, ftp, and so on. Types of notes and observations to log You will want to note for each potential vulnerability examples of the commands you run and the results in the form of screen shots, output logs, and any other information of how the target responded to the command. Demonstrating Intrusion - Record of each successful or potential intrusion. Here " intrusion" refers to accessing confidentialvor exploitable material, or gaining "unauthorized" access, or causing the target or it's applications to behave in any way other than how they are expected to behave. Purpose In the step you are gathering a collection of files, screenshots, and so on that illustrate that a given action you have taken has either accomplished an intrusion, or caused the target to behave in some way other than expected. Ben pick up here Relationship to other steps (flow of info) Tools used and their purposes Types of notes and observations to log Reporting Post Engagement Reporting and Debriefing - Provide the report, and appropriate and actionable remediation information as needed. Purpose Relationship to other steps (flow of info) Tools used and their purposes Types of notes and observations to log

There is another complicating factor: the idea of a "security engagement", has evolved from simple scanning and attacking to many variations on pentesting, vulnerability scanning, red team testing, application testing, code review... each having their own methodology fine-tuned for that situation, but that also overlaps other methodologies.

In this specific methodolgy, we began with an older methodology that is associated with the "Hacking Exposed" book series. A very straightforward and flexible methodology that covers the entire attack process. It has been modified to reflect the types of engagements and goals typically dealt with. For example, there is less emphasis on identifying and fingerprinting hosts that are logically near the target, and less emphasis on gathering profile information from social media and other Internet resources. In addition, gaining a remote administrative shell or altering the operation of the target is not the exclusive goal as much as identifying issues that either actually lead to any level of compromise, or would entice an attacker to probe further and deeper.

There are many reasons for studying an attack methodology:

insight into the processes that we are protecting against
the ability to better identify actual vulnerabilities
an organized approach helps maintain consistency
to better make the details of an engagements clear and repeatable
to product a report contains clear and actionable information

Pentesting is the practice of employing all available tools and techniques including; proofs-of-concept attack code, malicious/crafted/false communications packets, and brute-forcing credentials in order to interfere with or functionally violate any of the three aspects of security: Confidentiality, Integrity, and Availability.

This means:

Arbitrarily accessing material that require some sort of permission to access
Altering information or code
Altering the execution path of code
Cause a service or some other aspect of the system to become unusable

The scope of a pentest engagement usually includes the system(s), components, applications, and other aspects or functions that are considered under review and subject to probing, interrogation and attack. This typically means all physical and logical aspects of the target host system, unless explicitly excluded from review.

In the case of pentesting, the scope includes a computer's operating system, network interfaces, communications, out-of-band communications channels, applications, services, configurations and peripherals. In other words, the entire computer, everything connected to it, everything it is running, and all means of communicating with it.

The goal of a pentest is to identify attack vectors that can actually be exploited to compromise the security standing of a target host or network. While pentesting typically is an attempt to gain a remote shell on the target system, escalate privileges and create backdoors for further use, our perspective is different. We want to identify exploits that the target is susceptible to, issues that may alone or in combination represent a risk, and attain all other goals as stated in the engagement agreement agreed on in the Preparation section of this methodology.

Not all of the tools listed in this page will always be used in every engagement. This page lists the primary tools that should be considered, but does not limit an actual engagement to the tools listed here.

As you find that a tool or technique seldom returns useful results: the documentation should be reviewed, help page reviewed, manpages reviewed, Google searched for examples and suggestions, and so on to find better strategies or parameters. If this does not lead to useful results, the team members should consider changing how the tool or technique is used, and if another should be used in its place, or if it should simply be dropped.

Likewise, we must be aware of new tools and techniques that could add to the processes, both Vulnerability Scanning and Pentesting.

During the engagement rather than being focused exclusively on the host in question, the operator should remain open to attack vectors and insecure conditions that may be possible by pivoting through other hosts or applications.

When performing a pentest, you want to keep in mind the ROI (Return on Investment) in time and effort you spend. A pentest can takes days and weeks to probe every potential issue. We need to balance the time and effort spent on the different steps of a pentest so that the most significant information is discovered within a reasonable amount of time. Below is an illustration of the "rule of thumb" for the relative amounts of time spent during a typical engagement. Over all, you should begin to reevaluate your time management if steps 2-5 take longer than 16 work hours. The first and last steps typically span several days due to scheduling and availability of the stakeholders'.

Preparation

Before the first keystroke, you want to address your authorization to perform a pentest and define its scope, timeframe, limitations, and goals.

Once you have the necessary information, submit a VAN for approval that clearly states this project is a pentest.

Define the scope of the pentest. Typically, an entire host computer and all of its hardware and software components, or possibly a collection of hosts or a network unless explicitly defined as out-of-scope.
Timeframe: Starting time and duration of active queries and attacks. Passive or indirect queries can be performed at any time.
In order to demonstrate actual vulnerabilities and their potential impact identifiable characteristics of the target host such as screen shots of processes, directory listings, file contents, network interfaces, and other system information can be collected.
Prior to the engagement, the analyst who will be conducting this engagement must insure that backups have been created and verified for the system(s) within scope, data, applications, configurations and all else that is needed to recover from an unexpected disruptive event.
The client should understand that many of the tasks included in a pentest are intended to, within scope, results in the remote compromise of the system, disruption of the systems operation, or denial of services conditions. Many techniques and exploits can destabilize a system leading to the interruption of services/availability.
There must be agreement on the types of tests that are in scope, and any that are specifically out of scope. These include Denial of Service, Buffer overflow, SQLInjection, Social Engineering, password guessing, remote shells, and so on. These are all potentially disruptive, so remediation steps must be in place and understood before the engagement begins. For example, the client needs to be on-call to reboot a host after a successful buffer overflow or confirm a successful DoS. Note that avoiding being logged, tampering with logs, intentionally altering production/system data or code, are all typically be considered out-of-scope.
Identify the goals of the engagement. Typically, these include identifying as many issues as possible that alone or in combination may present a risk to the target's security stance, identify publicly know exploits that the target is susceptible to while substantiating the effectiveness of the exploit.
Deliverables: A PDF report of the observations, findings and suggested remediation will be delivered to the client.

Reconnaissance - Passive/Indirect Reconnaissance

Description - Here you reference Internet based resources for information about the target host, the owning agency, people who are close to the system or may have elevated permissions, historic information about the target and so on. You do not yet query the target or its environment directly.

All of the information you discover is used to begin building a profile of the target. That profile is then used to determine additional probes and pertinent attacks techniques.

Goal - To begin building a profile of the target. You want to construct a dossier of the target that gives you enough information and insight about the target to select and prepare the attacks that are most likely to succeed.

Tools & Techniques

Google, and Google Dork, for references to the target host, agency, application...
Search the Wayback Machine for snapshots of the target and review any previous versions of the target for information leakage or additional information that will add to the profile.
Search for references to the target's privileged users and support staff to see if there is anything pertinent. Include Google Groups in this search.
Search the Whois database
Resole the hostname, IP and aliases with the host command.
Review online User/Installation/Setup manuals for each product to determine if it has any default accounts that could be checked.

Use the different search resources in the guide page to search for this and other relevant information that will help you fill-out a detailed target profile in the report template.

Enumeration - Active Reconnaissance

Description - "Enumeration is the process of gathering information about a target machine by actively connecting to it." www.ehacking.net

Here for the first time you begin to query and probe the target directly rather than indirectly.

The goal here is to identify as much detail as you can about the target system, its hardware, its configurations, and its software components. The information you are looking for will help fill-out your target profile in the report template.

As you identify specifics such as the make and model of component hardware and software, you will return to the Internet to search for specifics of those components. This includes default credentials and know vulnerabilities. Refer to the different online database that provide information about vulnerabilities in those components.

Search within Metasploit and searchsploit, to identify potential exploits to test against the target or its components.

Goal - Identify the target's potential attack vectors and known vulnerabilities. These include outdated software, vulnerable software, default account names (for password guessing)

Tools & Techniques

nmap SYN scans to identifying responsive services
nmap, telnet, ftp, and netcat for banner grabbing
check for assessable SMB network shares
telnet to unknown ports to check for interactive consoles
nmap scripts for detailed queries based on initial findings
metasploit's enumeration and scanning features
As specific components are identified, check the different vulnerability databases for relevant exploits
Metasploit and searchsploit exploit databases

Attack

Description - Here you take the targeting information you have gathered and organize into a target profile and launch the actual attacks.

test all default credentials
brute force password guessing attacks of all authentication systems
attempt to run all reasonable and pertinent exploit attacks
probe using URL manipulation
submit probes and unexpected/unintended material where possible

Goal - Establishing an otherwise unauthorized functional session with a host's OS or applications. Gain otherwise unauthorized access to the file system, processes, etc...

Create a Denial-of-service condition that can both be confirmed and terminated, which may mean restarting the service(s) or host.

Tools & Techniques

Search Metasploits and searchsploit to launch specific attacks
Browser to test Default Credentials
Browser to probe all user data input vectors
Hydra to attempt password Guessing

Demonstrating Intrusion

Description - In this phase, you want to collect evidence of the success of the intrusion or exploit. This means screen shots of remote shells showing identifying information about files on the file system, and system information such as network interfaces.

Goal - Gather and record adequate information to demonstrate the degree to which information could be accessed or vulnerabilities could be leveraged and security violated.

Tools & Techniques

metasploit to gain remote access and take screen shots the ipconfig /all command, or a directory listing of the CONFIG directory.

Reporting

Description - Throughout the above process, you will want to make detailed and timestamped notes of your observations, actions and their results, along with potential implications. Specifically the information that entices you to look further as well as any actual intrusions.

Goal - Use the information gathered in the Attack and Demonstrating Intrusion section, along with any others, to add value to the report. This includes observations, findings and their remediation.

There is no need to classify these findings in detail because everything discovered in a pentest is considered either an actionable compromise, or an informational issue that the client should be made aware.

Do not include examples of the actual exploit in the report. Instead, include a description of the intrusion, the name and type of exploit used, and the results. Conclude with the suggested steps for remediation.

Tools & Techniques

The report starts with an Open Document Format document template into which select material can be copied so as to be actionable steps that do not disclose the details of how the intrusion was accomplished except in general terms.
Include screen shots of issues along with narratives explaining the screen shot and its implications and remediation if applicable.
The MSWord report template will contain blocks of text common to all/most pentest reports