PART 3, PART 4 & PART 5: EXPLOITING and GAINING ACCESS & PRIVILEGE ESCALATION — Phases and Stages of Pen Testing | Scanning | Exploitation/Gaining Access & Post-Exploitation | Payloads Generation with Msfvenom to Create a Reverse Shell Connection | Preparing the Windows Machine for an Attack | Setting Up a Listener on the Attacker Machine | Pivoting the Compromised System and Maintaining Access | Conducting Privilege Escalation
1. How do you think performing the advanced searches with OSINT, Google SE, and CLI search with theHarvester facilitates pen testing by IT/cybersecurity professionals?
This allows the team to gain knowledge of the target before simulating the attack. Pen testers can gather info such as emails, domains/sub-domains, hosts, names of those employed, open ports, public info from search engines, PGP key servers, and the SHODAN computer database. It can be used in passive recon by those who need to know what organizational data is visible to a potential attacker.
2. Indicate what other valuable information other than IP addresses, DNS and domain info, SSL certificates, email addresses, and hosts can be grabbed from this search.
Open ports on the target network may aid in identifying security weaknesses. Public key servers can help uncover public keys of users or the organization, which can be used for encryption or communication. The SHODAN search engine is used to search for IoT devices, e.g., webcams, routers, and even ICSs (industrial control systems). This data can aid in identifying vulnerabilities.
3. What is the difference between active reconnaissance and passive reconnaissance?
Passive recon is researching data about a target system, but without interacting with the system itself, whereas with active recon, the target system is directly engaged to determine vulnerabilities, such as open ports.
4. Research two other search engines and provide the details to conduct the same type of information gathering. Provide the search results, what you searched for, and a screenshot.
5. While conducting information gathering of a target company’s website, no search engine provided any details. After manually reviewing the website, you noticed an email address with a different domain than that of the website. How can this be used?
You can attempt social engineering or obtain data about sub-domains. Using this email address, you can send phishing attempts to garner more data, or embed malicious code or links.
6. What ports are open (listening) and what services did the tools Nmap, theHarvester, and Legion identify? Is there anything else of value? What type of information would you look for when performing information gathering?
The following services and open ports were identified: port 21, port 22 (SSH), port 23 (Telnet), port 25, port 53, port 80, port 111, and port 443. theHarvester uncovered sub-domains, email addresses, and hosts. Legion was able to tell us about open ports and services. We also uncovered IP addresses, DNS records, OSs, user accounts, and server configs.
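A defender-side way to act on a port list like the one above: the added example below (not part of the lab or of Nmap, theHarvester, or Legion) parses a constructed Nmap grepable (-oG) line carrying the same eight ports, diffs it against an assumed approved-exposure baseline, and flags cleartext or legacy services. The host address, hostname, and baseline are assumptions.

```python
import re

# Constructed -oG line for the lab target (not real scan output); the
# service names follow Nmap's default port/service table for these ports.
SCAN_LINE = (
    "Host: 10.0.2.15 (target.lab)\tPorts: 21/open/tcp//ftp///, "
    "22/open/tcp//ssh///, 23/open/tcp//telnet///, 25/open/tcp//smtp///, "
    "53/open/tcp//domain///, 80/open/tcp//http///, "
    "111/open/tcp//rpcbind///, 443/open/tcp//https///"
)

# Assumed baseline: what the system owner says should be reachable.
APPROVED = {"10.0.2.15": {22, 80, 443}}

# Services that are a finding regardless of baseline: they carry
# credentials or sessions in cleartext, or expose legacy RPC.
RISKY = {
    "ftp": "cleartext credentials",
    "telnet": "cleartext session",
    "rpcbind": "legacy RPC portmapper exposed",
}

# -oG port field layout: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_grepable(line):
    """Return (host, [(port, proto, service), ...]) keeping open ports only."""
    host = line.split()[1]
    ports = [(int(p), proto, svc)
             for p, state, proto, svc in PORT_RE.findall(line)
             if state == "open"]
    return host, ports


def triage(line, approved=APPROVED, risky=RISKY):
    """Return findings as (port, service, reason) tuples for one host line."""
    host, ports = parse_grepable(line)
    allowed = approved.get(host, set())
    findings = []
    for port, _proto, svc in ports:
        if port not in allowed:
            findings.append((port, svc, "not in approved baseline"))
        if svc in risky:
            findings.append((port, svc, risky[svc]))
    return findings


if __name__ == "__main__":
    for port, svc, reason in triage(SCAN_LINE):
        print(f"{port}/{svc}: {reason}")
```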
7. While conducting information gathering of a target company’s website, no search engine provided any details. After manually reviewing the website, you noticed an email address with a different domain than that of the website.
It may be worthwhile to send out phishing and/or social engineering email attempts to gain additional information. Additionally, passive recon such as Whois and DNS lookups could prove beneficial when attempting to gain additional information.
8. Based on your pen testing experience gained in this lab, what can you do to ensure that your client organization incorporates pen testing as part of its implementation procedures to ensure optimum internal or external security?
a. Assemble a team of security professionals to assess and harden the organization’s security posture.
b. Utilize security policy and procedure, such as penetration tests.
c. Hire an outside party to provide a risk assessment on vendors.
d. Utilize employee cyber awareness tools to educate the users.
e. Utilize new tech, e.g., AI and machine learning, to alert on abnormalities and to address and mitigate risks.
f. Purposefully monitor the system for unusual activity, using scans (scheduled, unscheduled, periodic, etc.). Utilize malware defenses, and keep systems up to date with patches and updates.
9. Assuming you are a member of a pen testing team, and you identify vulnerabilities and exploits in your client’s network, should you obtain written permission prior to compromising the known vulnerability? Why or why not in terms of rules of engagement?
Yes, having explicit written consent from the target organization is crucial before exploiting vulnerabilities. It shows that the client is aware of the risks, and that the penetration testers have permission before proceeding. This consent would also lay out the rules of engagement (ROE) and the scope of the test.
10. As a cybersecurity consultant, you were part of a team hired to conduct pen testing to evaluate the security of your client’s IT infrastructure. Why is it critical to perform pen testing on the internal network of your client prior to production implementation?
Penetration tests bring to light system vulnerabilities, so we can be proactive and mitigate risks before a bad actor exploits them. Penetration testing is important to do in a test environment, so that corrections can be made before moving into production; this way system downtime is mitigated. A pen test is an assessment of an organization's system security posture; it can assess whether the company has implemented proper safeguards against future attacks, and it uncovers weaknesses so they can be fixed. Cyber attackers learn quickly how to overcome mitigation efforts, making it more important than ever to make proper mitigation efforts to protect against attacks. I mentioned pen testing in a test or non-production environment above, but sometimes testing in production is required; either one has its ups and downs.