====== Penetration Testing ======

=== see also ===

  * [[hacking:hardware|pentest hardware]]
  * [[ctf|CTF exercises]]
  * [[https://github.com/sbilly/awesome-security|awesome-security]]
  * [[guide:linux:distributions#penetration-testing|Pentesting Linux Distributions]]

===== Software =====

  * Burp Suite
  * [[Metasploit]]
  * [[https://github.com/intelowlproject/IntelOwl|Intel Owl]] – single point to query threat intelligence data; composed of analyzers that retrieve data from external sources or generate intel from internal analyzers
  * wig – scans web applications for version numbers
  * [[https://virustotal.github.io/yara/|Yara]] – rule/pattern matching engine for malware and threat analysis

===== What can be penetration tested? =====

==== Web Applications ====

When testing a web application, the tester maps the site to understand the application and then runs tests against it, such as probing open ports and looking for default or misconfigured settings. Testers look for verbose error messages and scrutinize login pages and online forms. Vulnerabilities testers look for include [[sqli|SQL injections]], [[xss|cross-site scripting]], encryption flaws, and XML and template injections.

==== Mobile Applications ====

Similar to web application testing, mobile testing includes an OS assessment and application mapping. Penetration testers analyze factors such as the file system, runtime, and open ports. Vulnerabilities that can be revealed include insecure APIs, sensitive file artifacts, plaintext traffic, and SQL injections.

==== Infrastructure and network ====

The objective of an infrastructure penetration test is to identify exploitable vulnerabilities in network devices, systems, and hosts. Penetration testers want to identify the protocols in use, such as CDP, WEP, and SNMP. They also look to discover network device models and the software versions in use.
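The SNMP part of such an assessment can be anticipated from the defender's side by auditing the agent's own configuration before the tester does. The following Python script is an added example and not part of the original page: it parses net-snmp style ''snmpd.conf'' directives (''rocommunity'', ''rwcommunity'', ''com2sec'', ''rouser''/''rwuser'') and flags any community string (which implies SNMP v1/v2c, i.e. unauthenticated cleartext access), the well-known default communities ''public'' and ''private'', write-enabled communities, communities without a source restriction, and SNMPv3 users configured with ''noauth''. The sample configuration embedded in the script is constructed for illustration.

```python
"""Audit a net-snmp style snmpd.conf for SNMP v1/v2c and weak settings.

Added example for this wiki page; the configuration below is constructed,
not taken from any real host.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample configuration (net-snmp snmpd.conf syntax).
SAMPLE_SNMPD_CONF = """\
# constructed example, not a real host
rocommunity public
rwcommunity private 10.0.0.0/8
rouser monitor priv
"""

# Directives that define v1/v2c community strings (no authentication, cleartext).
COMMUNITY_DIRECTIVES = {"rocommunity", "rocommunity6", "rwcommunity", "rwcommunity6", "com2sec"}
# Vendor-default community strings that should never remain in production.
WELL_KNOWN_COMMUNITIES = {"public", "private"}


@dataclass
class Finding:
    line_no: int
    severity: str
    message: str


def audit_snmpd_conf(text: str) -> list[Finding]:
    """Return one Finding per weakness found in the configuration text."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()

        if directive in COMMUNITY_DIRECTIVES:
            # rocommunity/rwcommunity: COMMUNITY [SOURCE [OID]]
            # com2sec: NAME SOURCE COMMUNITY
            if directive == "com2sec":
                community = parts[3] if len(parts) >= 4 else ""
            else:
                community = parts[1] if len(parts) >= 2 else ""
            findings.append(Finding(line_no, "medium",
                f"SNMP v1/v2c community '{community}' configured (unauthenticated, cleartext)"))
            if community.lower() in WELL_KNOWN_COMMUNITIES:
                findings.append(Finding(line_no, "high",
                    f"well-known default community string '{community}'"))
            if directive.startswith("rwcommunity"):
                findings.append(Finding(line_no, "high", "community grants write access"))
            if directive != "com2sec" and len(parts) < 3:
                findings.append(Finding(line_no, "low",
                    "no source network restriction on community"))

        elif directive in ("rouser", "rwuser"):
            # SNMPv3 USM user: NAME [noauth|auth|priv]; net-snmp defaults to auth.
            level = parts[2].lower() if len(parts) >= 3 else "auth"
            user = parts[1] if len(parts) >= 2 else ""
            if level == "noauth":
                findings.append(Finding(line_no, "high",
                    f"SNMPv3 user '{user}' allowed without authentication"))
    return findings


def uses_v1_v2c(text: str) -> bool:
    """True if any v1/v2c community is configured at all."""
    return any("v1/v2c" in f.message for f in audit_snmpd_conf(text))


if __name__ == "__main__":
    for f in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
        print(f"line {f.line_no}: [{f.severity}] {f.message}")
```

Run against a real ''snmpd.conf'' by passing its contents to ''audit_snmpd_conf()''; a clean result is a file that only defines ''rouser''/''rwuser'' entries at level ''auth'' or ''priv'' and no community directives at all.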
Vulnerabilities most likely to be discovered include weak or default passwords, missing patches, unnecessary open ports, and SNMP v1 or v2 still in use.

==== Cloud Applications ====

Pentesting public cloud applications means you must notify the provider before beginning any testing, and restrictions on what types of tests may be performed are common. Pentesting in the cloud can include applications, storage, virtualization, and compliance. Depending on the scope of the test, testers may check items such as data access, virtual machine isolation, and regulatory compliance. Results could include non-compliant encryption, improperly isolated virtual machines, API vulnerabilities, and weak passwords.

===== Colours of Pentesting =====

==== Black Box ====

In a black box assessment, penetration testers have limited knowledge of the network. For example, they know the hostname and IP of a public server, but have no information about the network infrastructure, operating systems, or security protections. In attempting to penetrate the network and discover as many vulnerabilities as possible, this method imitates a real-world scenario, using many of the same tools attackers would use.

==== White Box ====

In this scenario the testers have more access to and information about the environment, such as admin login data and configuration files. This usually also includes unhindered physical access. White box testing is less time consuming than black box testing, but doesn't reveal how attackers could gain unauthorized access externally. It can provide insight into vulnerabilities exploitable by an attacker who has already gained internal access and rights.

==== Gray Box ====

Gray box testing falls between black box and white box testing. The customer shares some limited information, such as a user login or an overview of the network.
The scope and what information and access is provided all depend on the testing requirements of the customer. Gray box testing has the benefits of black box testing but can also go deeper where needed, using the additional information provided.

==== Red Team, Blue Team ====

Red team members perform offensive security techniques based on specific objectives, such as attempting to penetrate a database and extract sensitive records. The red team simulates an attacker and looks for exploitable vulnerabilities. The blue team is tasked with defending against the red team's attacks. They make use of logs, traffic captures, SIEM and threat intelligence data to detect and defend against red team activity. The blue team is the internal security team of an organization, and exercises with the red team serve to improve the internal team's defense and response to attacks.

==== Purple Team ====

A purple team is the idea of the red team and blue team working together. This type of engagement allows the blue team to gauge their detection and incident response capabilities against real-world-like threats.

===== Learning resources =====

see also: [[guide:congress|Chaos Communication Congress]]

==== Talks ====

  * [[https://www.youtube.com/watch?v=rnmcRTnTNC8|I'll Let Myself In: Tactics of Physical Pen Testers]] – Wild West Hacking Fest
  * [[https://www.youtube.com/watch?v=5CWrzVJYLWw|No-tech hacking]] – DefCon 15 T112
  * [[https://www.youtube.com/watch?v=JsVtHqICeKE|Steal Everything, Kill Everyone, Cause Total Financial Ruin!]] – DEFCON 19

===== companies doing penetration tests =====

//this is a non-exhaustive list and we by no means endorse any of these companies.//

  * [[https://www.x41-dsec.de|X41 D-Sec GmbH]] – security research, application security services, penetration tests, red teaming
  * [[https://cure53.de|Cure53]] – web application tests
  * [[https://codeblau.de|Code Blau]] – analysis of computer systems relevant to information security