Introduction to Penetration Testing Practice
PA211 Advanced Topics of Cyber Security
October 11, 2022
Ádám Ruman, Ivan Kotora
PA211 Advanced Topics of Cyber Security – Cybersecurity Laboratory – cybersec.fi.muni.cz

Agenda
‒ Response to the Exit Ticket from Last Week
‒ Introduction to This Part of the Course
‒ Offensive Security
‒ Introduction to Penetration Testing
‒ Penetration Testing Process – Overview
‒ Penetration Testing Process – Preparation
‒ Penetration Testing Process – Testing

Exit tickets from last week – I
‒ Q: From where does the auditbeat get the data?
‒ A: From the Linux audit framework. It obtains auditd data.
‒ Q: After detecting something strange, what would be the next part?
‒ A: Response. For example, validation of true positives, investigation of possible consequences, and mitigation of cyber threats.
‒ Q: Why did we set the MITRE ATT&CK Credential Access tactic in our rule?
‒ A: The attacker could be trying to obtain an SSH password. The tactic represents a tag.

Exit tickets from last week – II
‒ Q: I am not really sure if Kibana was the web app we used or whether it was Elastic instead; it seemed as if those two names were used interchangeably.
‒ A: We did not use "Elastic". We used the Kibana UI and one of its sections containing the Elastic Security app. See also [1].
  ‒ Elastic – name of the company.
  ‒ Kibana (UI) – visualization and navigation of the Elastic Stack.
  ‒ Elastic Security – SIEM (Security Information and Event Management).
  ‒ Elasticsearch – a set of tools for data ingestion, storage, and analysis.
  ‒ Logstash – a pipeline collecting data from data sources.
  ‒ Beat – single-purpose data shipper.
Week | Date       | Class topic
-----|------------|-----------------------------------------------------------
1    | 13.09.2022 | Course organization and motivation
2    | 20.09.2022 | Asset management
3    | 27.09.2022 | Vulnerability management
4    | 04.10.2022 | Threat management
5    | 11.10.2022 | Penetration testing – introduction
6    | 18.10.2022 | Penetration testing – process
7    | 25.10.2022 | Penetration testing – report
8    | 01.11.2022 | Penetration testing – exemplary report and presentations
9    | 08.11.2022 | Introduction to web application hardening
10   | 15.11.2022 | OS-level, virtualization and containerization
11   | 22.11.2022 | Access control mechanisms
12   | 29.11.2022 | Web server and application hardening
13   | 06.12.2022 | Course feedback session

Part II – Penetration testing practice
‒ Syllabus: Process, report, and presentation
‒ Objectives:
  ‒ Understand the process of authorized penetration testing
  ‒ Focus on the process, not individual tools
‒ Learning outcomes:
  ‒ Hands-on experience with penetration testing of a realistic application in a team
  ‒ Knowledge of the structure of a testing report
  ‒ Exercising skills for preparing reports and presentations
‒ Assessment: 1 homework – report and presentation
‒ Deadline: November 1, 2022

Why Offensive Security (OffSec)?
Blue teams implement security measures on a product or system. However, someone has to test/assess the adequacy and quality of these measures. Audits are cool ‘n all, BUT they solve problems on a different plane (design, documentation). Leaving the testing to an actual attacker is a bad idea. Thus, red teams specialize in offensive security.
Their goal is to test security measures by trying to breach them ‒ usually without destructive intentions.

The Offensive Security Pyramid
Red Teaming / Adversary Emulation
  ‒ Target is the entire system, with users and defenders included.
  ‒ Almost no limitations for red team operators.
  ‒ Includes vulnerability research and exploit development.
  ‒ Goal is to assess processes, detections, and responses to incidents.
Penetration Testing
  ‒ Target is either a part of a system or an application.
  ‒ Rather substantial limitations for penetration testers.
  ‒ Find well-known vulnerabilities and try exploiting them.
  ‒ Goal is to test the technical implementation.
Vulnerability Assessment
  ‒ Target is either a part of a system or an application.
  ‒ Strong limits for the assessing team.
  ‒ Find all well-known vulnerabilities and assess if they are True Positives.
  ‒ Easy to automate → scalable.
Great blog articles can be found here, here and here (also motivation for the pyramid).

Definition(s)
‒ “A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system's security, using the same tools and techniques as an adversary might.” – NCSC
‒ Multiple definitions in the NIST glossary.

Penetration Testing Primer – I
‒ Why? – To find security holes in a system before an adversary.
‒ Assess the level of their criticality and associated risk.
‒ Report them.
‒ Provide remediation ideas where possible.

Penetration Testing Primer – II
‒ Who? – Internal or external penetration testers.
‒ As a CISO, which one would you prefer using?
  I – Internal team.
  II – External team.

Penetration Testing Primer – III
‒ How often? – Depends on the target.
‒ What do you think is the best practice for companies?
  I – When we need to spend some money.
  II – Periodically, driven by product development.
  X – Periodically, strict time intervals.

The Duality of Penetration Testing
‒ The technical plane:
  ‒ You are testing the implementation.
  ‒ You report to and offer remediation techniques to developers.
‒ The social plane:
  ‒ Your main customer is the executive board/management of a company, and they are interested in the results as well.
  ‒ For successful testing, synergy and good communication are needed between the tester and the customer.

Required Skills for Penetration Testers
‒ Well-versed in CVEs and CWEs.
‒ Some experience with exploitation.
‒ Knowledge about standard technologies:
  ‒ You need to know what you might disrupt/damage if not careful enough.
‒ Soft skills.
‒ Good to have an overview of laws regarding privacy.
‒ Hardcore programming and SWING skills are not needed, but it’s good to be able to write scripts and understand code.

Penetration Testing Taxonomy
Based on testing team:
  • Internal
  • External
Based on target:
  • Web
  • Infrastructure
  • Mobile
  • Physical, etc.
Based on access:
  • Black-Box – no prior information about the target.
  • Grey-Box – some information about the target (design, topology).
  • White-Box – full information about the target (source code, technical details).

Penetration Testing in Product Development
(Figure: where penetration testing sits in the product development life-cycle. Source: MS-SDLC.)

Penetration Test Life-Cycle
Preparation – Defining goals and rules.
Testing – Technical assessment of the system.
Reporting – Informing the customer about the results.

Test Preparation
Settle the goals → Define the scope → Agree on engagement rules → Make testing plans.

Defining Goals
‒ Prioritization
  ‒ Which system parts are most valuable for the company?
  ‒ Does the system process or store sensitive data?
‒ Filtering out client requirements that:
  ‒ You are not able to meet (unqualified).
  ‒ Are not worth the resources.
  ‒ Are impractical or unrealistic.
‒ A lot of communication is involved.
‒ You want to help your client, not make them feel dumb.

The Scope
‒ Describes the precise target of the test.
‒ Systems, applications, or their components.
‒ De facto the “holy writing” for penetration testing.
‒ Violating the scope is the fastest way to lose contracts and credibility.

Rules of Engagement
‒ Time constraints.
‒ Should we do social engineering?
‒ Special requirements – mainly if the test is done in production.
  ‒ You cannot disrupt the functionality of assets.
‒ How to handle sensitive data.
‒ What if something gets out of hand accidentally?
  ‒ Reporting rules, recovery plans, and responsibility sharing.
‒ Sometimes testers learn information that is valuable (for a competitor) – solved by a Non-Disclosure Agreement (NDA).

Planning
‒ Receive documentation from the client.
  ‒ About the system or devices.
  ‒ For efficiency and safety.
  ‒ Contacts.
‒ Choose a methodology (more later).
‒ Create a test schedule – for synchronization and special timings.

The Test
Reconnaissance → Threat modeling → Vulnerability identification → Exploitation → Post exploitation.

Reconnaissance
‒ Exploring the system as a user.
  ‒ Find discrepancies with the documentation.
‒ Scanning the target.
‒ OSINT (Open-Source INTelligence).
Think how an attacker would compromise the system. Find a way to achieve the attacker’s goal.
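Referring back to the Scope and Rules of Engagement slides above: the following is an added example (Python, written for this text; it is not part of the course material nor of any tool the slides mention) of a pre-flight gate a testing team can run in front of its tooling. It denies any target that is not positively listed in the scope, any client exclusion (including an excluded address hidden inside an otherwise in-scope range), and any action outside the agreed daily time window. The names `Scope`, `Decision`, `check_target`, `filter_targets` and `run_example`, and all network, hostname and time-window values, are constructed for illustration.

```python
# Added example for the PA211 slides (not the course's own tooling): a small
# pre-flight gate that checks every candidate target against the agreed scope
# and rules of engagement before any testing tool is pointed at it.
# Every value below (networks, hostnames, the time window) is constructed for
# illustration; real engagements take them from the signed scope document.
from dataclasses import dataclass
from datetime import datetime, time, timezone
import ipaddress
from typing import Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Scope:
    """The agreed scope plus the parts of the rules of engagement we can check mechanically."""
    in_scope_networks: tuple           # address ranges named in the scope document
    in_scope_hosts: frozenset          # exact hostnames named in the scope document
    excluded: frozenset                # hosts/addresses the client carved out
    window_start: time                 # daily testing window (UTC) from the RoE
    window_end: time                   # assumption: the window does not cross midnight


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _as_network(target: str) -> Optional[IPNetwork]:
    """Parse the target as a network (a bare address becomes a /32 or /128); None for hostnames."""
    try:
        return ipaddress.ip_network(target, strict=False)
    except ValueError:
        return None


def check_target(target: str, scope: Scope, now: datetime) -> Decision:
    """Decide whether `target` may be tested right now under `scope`.

    Order matters: an explicit exclusion wins over everything, then the time
    window, then the positive scope. Anything not positively listed is denied,
    so an unknown or malformed target can never slip through.
    """
    target = target.strip().lower()
    if target in scope.excluded:
        return Decision(False, f"{target}: explicitly excluded by the client")

    if now.tzinfo is None:
        return Decision(False, "timestamp must be timezone-aware to compare with the RoE window")
    now_utc = now.astimezone(timezone.utc).time()
    if not (scope.window_start <= now_utc <= scope.window_end):
        return Decision(False, f"{target}: outside the agreed testing window")

    net = _as_network(target)
    if net is not None:
        # A range is in scope only if all of it lies inside one agreed network,
        # so 10.0.0.0/8 is rejected even though part of it overlaps the scope.
        for allowed in scope.in_scope_networks:
            if allowed.version == net.version and net.subnet_of(allowed):
                # An excluded address inside the range blocks the whole range.
                for ex in scope.excluded:
                    ex_net = _as_network(ex)
                    if ex_net is not None and ex_net.version == net.version and ex_net.subnet_of(net):
                        return Decision(False, f"{target}: range contains excluded address {ex}")
                return Decision(True, f"{target}: inside in-scope network {allowed}")
        return Decision(False, f"{target}: address not in any in-scope network")

    if target in scope.in_scope_hosts:
        return Decision(True, f"{target}: hostname listed in scope")
    return Decision(False, f"{target}: hostname not listed in scope")


def filter_targets(targets, scope: Scope, now: datetime):
    """Split a candidate list into (allowed, denied) lists of (target, reason) for the test log."""
    allowed, denied = [], []
    for t in targets:
        d = check_target(t, scope, now)
        (allowed if d.allowed else denied).append((t, d.reason))
    return allowed, denied


# Constructed scope and candidate targets, for illustration only.
EXAMPLE_SCOPE = Scope(
    in_scope_networks=(ipaddress.ip_network("10.10.0.0/16"),),
    in_scope_hosts=frozenset({"app.example.test"}),
    excluded=frozenset({"10.10.5.1", "db.example.test"}),
    window_start=time(9, 0),
    window_end=time(17, 0),
)
EXAMPLE_NOW = datetime(2022, 10, 11, 10, 0, tzinfo=timezone.utc)
EXAMPLE_TARGETS = ["10.10.3.7", "10.10.0.0/24", "10.10.5.0/24", "10.0.0.0/8",
                   "10.10.5.1", "app.example.test", "db.example.test", "intranet.example.test"]


def run_example(now: datetime = EXAMPLE_NOW) -> dict:
    """Map each constructed target to whether it may be tested at `now`."""
    return {t: check_target(t, EXAMPLE_SCOPE, now).allowed for t in EXAMPLE_TARGETS}


if __name__ == "__main__":
    ok, no = filter_targets(EXAMPLE_TARGETS, EXAMPLE_SCOPE, EXAMPLE_NOW)
    for _, why in ok:
        print("ALLOW", why)
    for _, why in no:
        print("DENY ", why)
```

The deny-by-default shape is the point: the scope document is the "holy writing", so the gate lists what is permitted and refuses everything else, rather than trying to enumerate what is forbidden. Keeping the reasons in the `Decision` also gives the team a record for the report of why a target was or was not touched.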
Threat Modeling & Vulnerability Identification
Think how an attacker could use this. Try to get the system into an unexpected state.

Exploitation
‒ We found vulnerabilities and we have an idea how to misuse them.
‒ Create a proof-of-concept exploit (PoC).
‒ Should you use it right away? No.
‒ Exploits might be damaging – consider all scenarios before action.

Post Exploitation
‒ We used an exploit (it was not disruptive) and got new capabilities (knowledge or access).
‒ We could probably do harm, but that’s not the goal.
‒ We use our new capabilities to dig deeper – iteratively.

General “two cents”
‒ If you break something, don’t delay reporting it to the client.
‒ Take notes of anything that might prove valuable.
‒ Screenshots are a great help, but be careful with info leakage.
‒ If possible, use a throwaway environment for the tests – to prevent leakage.

Collaborative Tools
‒ Sharing information between penetration testers is crucial.
‒ Some tools (Core Impact, Cobalt Strike) have built-in collaboration options or at least result exporting.
‒ PwnDoc – mostly for collaborative report writing.
‒ PenteRep.

Penetration Testing Methodologies
‒ Guidelines for different scenarios.
‒ OWASP Web Security Testing Guide
‒ Open-Source Security Testing Methodology Manual
‒ Penetration Testing Execution Standard
‒ NIST 800-115

Reporting will be covered in two weeks.

Optional Reading Materials
‒ Metasploit Unleashed.
‒ Vx-Underground.
‒ All the links in the slides.

Team formation
‒ In this part of the course, you will work in a team of three.
‒ This setting simulates a real work role and workplace.
‒ The team organization is up to you.
‒ You will submit your homework (report and presentation) as a team. All team members will receive the same number of points.
‒ Now meet your colleagues and sit together.

Teams
‒ Team 1: Kobyda, Simon; Caby, Jules; Urban, Michal
‒ Team 2: Biloš, Tomáš; Smejkal, Jan; Kleman, Matej
‒ Team 3: Filo, Denis; Štěpán, Daniel; Mercell, Peter
‒ Team 4: Fouček, Šimon; Šoška, Marek; Mann, Radomír
‒ Team 5: Saloň, Benjamin; Ambros, Samuel; Mika, Kristián
‒ Team 6: Saloň, Juraj Samuel; Fischer, Glenn; Rýpar, David

Change your seats. Boot your own machines.