SWS2 Penetration Testing 3
Page content
Penetration Testing 3
Goals
- explain the activities of threat modeling, vulnerability analysis, exploitation and post exploitations
- discuss the main challanages in these phases and what methods or tools could be use
- discuss several reasson why vulnerability scanners might not work perfectly (false positives / false negatives)
- know the architecture and main features of the Metasploit framework and you can use it for vulnerability testing and exploitation tasks
Threat modeling
(when building software or systems)
- identify possible threats
- based on these threats, identify vulnerabilities in the systems design
Considering already defined security requirements or security controls - identified vulnerabilities provide the basis for additional security requirements
Methods to identify/Document threats
- STRIDE
- Attack Tree
Primary and Secondary Assets
- Identify Assets
- Primary: Part of the System/functionality under test
- Secondary: Not in scope but shared with or linked to the assets in scope
- Primary assets compromise can imply the compromise of a secondary asset
Attack Pattern
Understanding adversary behavior is important, especially for red-teaming
The following two are the most prominent examples of attack patterns.
MITRE1 CAPEC
- focus on application security
- Enumarates exploits against vulnerable systems
- includes social engineering / supply chain
- associates with Common Weakness Enumaration (CWE)
MITRE ATT&CK
- focus on network defense
- based on threat intelligence and red team research
- provides contextual understanding of malicious behavior
- supports testing and analysis of defense options
| CAPEC | ATT&CK |
|---|---|
| - Application threat modeling - Developer training and education - Penetration testing |
- comparing computer network defense capabilities - defending agains APT - Hunting for new threats - Enhancing threat intelligence - Adversary emulation exercise |
CAPEC is a valuable ressource providing
- a general description of the attack
- attack execution flow
- related vulnerabilities (by CVE numbers)
- Probing techiques
- attacker skill required
- consequences of successful exploitation
- solutions and mitigations
Vulnerability Analysis
- Is the process of discovering and confirming security issues in systems and applications which can be leveraged by an attacker.
Vulnerabilties can be anything from misconfiguration of systems to insecure application design. - The preocess to look for vulnerabilities varies and is highly dependent on the particular component being tested
- (Web application, network, building access, employees, …)
- possible goals of the analysis
- Validate that vulnerabilities exist
as employee with credentials
as outsider without credentials
with/without considering the impact of mitigations - validate mitigation is in place and working
- Validate that vulnerabilities exist
Discovery
- Port Scanners
- Scanners to detect well known vulnerabilities
- finding new vulnerabilities
- web application scanners
URLs are craweld to detect vulnerabilities - source code scanners
(mainly for custom made software) - manual analysis of source code
- manual analysis of system under test (using hardening Guides (CIS Benchmark))
Exploitation
Metasploit Framework
Meterpreter
- and advanced dynamically extendable payload
- runs in memory > not detactable by antivirus
- creates a network connection to the attacker
- no new processess on attacked host as meterpreter injects itself into the the vulnerable/compromised process
- DLL are upload from client(attacker) to server(victim)
-
MITRE is a non-profit organization focused on cybersecurity and solving security challenges to create a safer IT-environment for organizations. ↩︎