[CyberSecurityLearning 51] Penetration Testing Methodology + Penetration Testing Process

Table of Contents

Penetration Testing Methodology

Penetration testing (penetration testing, pentest)

Types of penetration testing

* Black box testing

* White box testing

* Vulnerability assessment and penetration testing

Security Testing Methodology

  * Open Web Application Security Project (OWASP)

OWASP top 10

* Common Weakness Enumeration (CWE)

* Common Vulnerabilities and Exposures (CVE)

* Other methodologies

Penetration testing process

* Penetration Testing Execution Standard

* General penetration testing framework (√)

Scoping

Information gathering

Target Recognition

Service enumeration (that is, port scanning)

Vulnerability mapping (that is, vulnerability scanning)

Social engineering

Exploit

Privilege escalation

Access maintenance (that is, leaving a backdoor)

Documentation report

* Simplified penetration testing process

* General process of hacking


Penetration Testing Methodology

Penetration testing (penetration testing, pentest)

Penetration testing is a specific means of carrying out a security assessment (i.e. an audit).
A methodology is the set of rules, conventions and processes that must be followed when formulating and implementing an information security audit program.
While assessing the security status of networks, applications, systems, or combinations of the three, practitioners have continually explored pragmatic concepts and mature practices and distilled them into a body of theory: the penetration testing methodology.

Types of penetration testing

* Black box testing

When conducting a black box test, the security auditor evaluates the security of the network infrastructure from the outside, without knowing the internal technical structure of the unit under test.

In the various stages of penetration testing, black box testing uses real-world hacking techniques to expose the security problems of the target, and can even expose security weaknesses that have not been exploited by others.

Penetration testers should be able to understand security weaknesses, classify them and rank them according to risk levels (high risk, medium risk, low risk, information leakage). Generally speaking, the level of risk depends on the magnitude of the hazard that the related weakness may cause. Experienced penetration testing experts should be able to determine all attack patterns that can lead to security incidents.

After the testers have completed all the work of the black box test, they sort out the necessary information about the security status of the test object, describe the identified risks in the language of the business, and summarize them in a written report. The market price of black box testing is usually higher than that of white box testing.

* White box testing

The auditor in a white box test can obtain all kinds of internal data of the tested unit, even undisclosed data, so the penetration tester has a much broader view.

If a white-box testing method is used to assess security vulnerabilities, testers can achieve the highest assessment accuracy with a small workload.

White box testing starts from the environment of the system under test itself and can eliminate internal security issues entirely, which makes penetrating the system from outside the unit harder. Black box testing cannot do this. The number of steps required for white box testing is comparable to that for black box testing.

In addition, if white-box testing is combined with the regular R&D life cycle, all security risks can be eliminated as early as possible, before an intruder discovers or even exploits the security weaknesses. As a result, the number of incidents, the cost, and the technical threshold for finding and fixing security weaknesses are all lower with white-box testing than with black-box testing.

* Vulnerability assessment and penetration testing

In layman's terms, vulnerability assessment is vulnerability scanning and vulnerability discovery, together with the essential tools for doing so.

Vulnerability assessment evaluates the security of internal and external security controls by analyzing the situation and degree of security threats to corporate assets.

This kind of technical information system evaluation not only exposes the risks that remain in the existing preventive measures, but also proposes multiple alternative remedial strategies and compares them.

Internal vulnerability assessment helps guarantee the security of internal systems, while external vulnerability assessment verifies the effectiveness of perimeter defenses.

Regardless of internal vulnerability assessment or external vulnerability assessment, assessors will use various attack modes to rigorously test the security of network assets, so as to verify the information system's ability to deal with security threats and determine the effectiveness of countermeasures.

Different types of vulnerability assessment require different testing procedures, testing tools, and automated testing techniques. This can be achieved through an integrated vulnerability management platform.

The current security vulnerability management platform has an automatically updated vulnerability database that can test different types of network devices without affecting the integrity of configuration management and change management.

The biggest difference between vulnerability assessment and penetration testing is that penetration testing not only needs to identify the weaknesses of the target, it is also designed to perform vulnerability exploitation, privilege escalation, and access maintenance on the target system.

In other words, although vulnerability assessment can fully discover the flaws in the system, it will not consider measuring the harm caused by these flaws to the system.

In addition, compared to vulnerability assessment, penetration testing is more intrusive and deliberately uses various technical means to exploit security vulnerabilities; penetration testing may therefore have real destructive effects on the production environment. Vulnerability assessment, by contrast, identifies known security weaknesses qualitatively and quantitatively in a non-intrusive way.


Security Testing Methodology

  * Open Web Application Security Project (OWASP)

[https://www.owasp.org.cn/]

Test guide

[https://www.owasp.org/index.php/OWASP_Testing_Project]

Developer's Guide

[https://www.owasp.org/index.php/Gategory:OWASP_Top_Ten_Project]

Code review

OWASP top 10

Ten security vulnerabilities on the web

Top 10 Web Application Security Risks
1. Injection. Injection flaws such as SQL, NoSQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
2. Broken authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
3. Sensitive data exposure. Many web applications and APIs do not properly protect sensitive data such as financial, healthcare, and PII data. Attackers may steal or modify such poorly protected data to commit credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
4. XML external entities (XXE). Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
5. Broken access control. Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users' accounts, viewing sensitive files, modifying other users' data, changing access rights, etc.
6. Security misconfiguration. Security misconfiguration is the most commonly seen issue. It is usually the result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, they must also be patched and upgraded in a timely fashion.
7. Cross-site scripting (XSS). XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
8. Insecure deserialization. Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks including replay attacks, injection attacks, and privilege escalation attacks.
9. Using components with known vulnerabilities. Components such as libraries, frameworks, and other software modules run with the same privileges as the application. If a vulnerable component is exploited, such an attack can cause serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
10. Insufficient logging and monitoring. Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data. Most breach studies show that the time to detect a breach is over 200 days, and that it is typically detected by external parties rather than by internal processes or monitoring.
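Items 1 and 7 share one root cause: untrusted data crosses into an interpreter (SQL engine, browser) as grammar instead of as data. The following added example, not part of the original post, shows a vulnerable lookup and page renderer beside their hardened forms, using a constructed in-memory SQLite table and constructed inputs.

```python
import html
import sqlite3

# Constructed in-memory table standing in for the application's user store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn, name):
    """Item 1: untrusted input is spliced into the query text and parsed as SQL."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    """Parameterised query: the input reaches the engine as data, never as SQL grammar."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

def render_vulnerable(comment):
    """Item 7: user data is placed into a page without escaping, so markup in it is live."""
    return f"<p>{comment}</p>"

def render_safe(comment):
    """Escaping turns markup-significant characters into entities the browser shows as text."""
    return f"<p>{html.escape(comment, quote=True)}</p>"

def demo():
    """Run both pairs on benign and hostile input (inputs constructed for this example)."""
    conn = make_db()
    tautology = "x' OR '1'='1"            # rewrites the WHERE clause so it matches every row
    markup = "<script>alert(1)</script>"  # the textbook probe string for reflected markup
    return {
        "benign_vuln": lookup_vulnerable(conn, "bob"),
        "benign_safe": lookup_safe(conn, "bob"),
        "hostile_vuln": lookup_vulnerable(conn, tautology),   # every row leaks
        "hostile_safe": lookup_safe(conn, tautology),         # no user has that literal name
        "page_vuln": render_vulnerable(markup),               # script tag survives intact
        "page_safe": render_safe(markup),                     # rendered as visible text only
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same input produces three leaked rows and a live script tag on the vulnerable side, and an empty result plus inert text on the hardened side.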

* Common Weakness Enumeration (CWE)

In layman's terms: the identifier of a vulnerability category

CWE-79: XSS vulnerability

[http://cwe.mitre.org/data/definitions/79.html]

CWE-89: SQLi

[http://cwe.mitre.org/data/definitions/89.html]

* Common Vulnerabilities and Exposures (CVE)

In layman's terms: the identifier of a specific vulnerability

[http://cve.scap.org.cn/]

A specific vulnerability

[http://cve.mitre.org/]

MS17-010 (Microsoft Security Bulletin) [the 10th security bulletin issued by Microsoft in 2017]

One bulletin corresponds to one vulnerability

Patch numbers begin with KB

S2-053 (S2 is Struts2, the Apache open-source Java development framework)

[the 53rd security bulletin of Struts2]

Each security bulletin corresponds to one vulnerability

* Other methodologies

Open Source Security Testing Methodology (OSSTMM)

http://www.isecom.org/research/osstmm.html

Information System Security Assessment Framework (ISSAF)

http://www.oissg.org/issaf

Web Application Security Joint Threat Classification (WASC-TC)

http://projects.webappsec.org


Penetration testing process

* Penetration Testing Execution Standard

The Penetration Testing Execution Standard (PTES) was created by leading practitioners of the penetration testing industry; it consists of seven stages.

It can be used to conduct a successful penetration test in any environment.

[http://www.pentest-standard.org/index.php/Main_Page]


The seven stages

  1. Pre-engagement interactions
  2. Intelligence gathering
  3. Threat modeling
  4. Vulnerability analysis
  5. Exploitation
  6. Post-exploitation
  7. Reporting

Main features and advantages

The main features and advantages of PTES are as follows:

1. It is a very comprehensive penetration testing framework that covers the technical aspects of penetration testing as well as other important aspects, such as scope creep, reporting, and methods for testers to protect themselves.
2. It introduces the specific methods of most testing tasks, which can be used to guide you in accurately testing the security status of the target system.
3. It gathers the rich experience of several penetration testing experts who carry out penetration work on a daily basis.
4. It contains the most commonly used as well as very rare related technologies.
5. It is simple and easy to understand, and the corresponding test steps can be adjusted to the needs of the engagement.


* General penetration testing framework (√)

From the perspective of technical management, following a formal testing framework is extremely important for security testing. The general penetration testing framework covers the various stages involved in typical audit testing and penetration testing.

Related stages:

  1. Scoping
  2. Information gathering
  3. Target Recognition
  4. Service enumeration
  5. Vulnerability mapping
  6. Social engineering
  7. Exploit
  8. Privilege escalation
  9. Access maintenance
  10. Documentation report

Whether it is white box testing or black box testing, selecting and applying the testing procedures is the responsibility of the penetration tester.
Before the test starts, the tester needs to choose the best test strategy according to the actual environment of the target system and what is already known about it.


Scoping

1. What is the test object?
2. Which test method should be used? Black box/white box
3. What are the conditions that need to be met in penetration testing?
4. What factors may limit the process of test execution?
5. How long does it take to complete the test?
6. What mission objectives should this test achieve?

Information gathering

Penetration testers need to use various public resources to obtain as much information as possible about the test target.
The main channels for collecting information from the Internet are:
forums | bulletin boards | newsgroups | media files | blogs | social networks | other commercial or non-commercial websites.
In addition, relevant data can be obtained through various search engines, such as Google, Yahoo, MSN Bing, Baidu, etc.
The collected information mainly includes DNS, servers, routing relationships, whois, databases, email addresses, phone numbers, personal information, and user accounts.
The more information collected, the higher the probability of a successful penetration test.

Target Recognition

Identify the status of the target network, its operating systems and its network architecture.
You need to know which networked devices the tested unit has and how these devices communicate with each other.
Current devices mainly use the TCP/IP protocol suite.
You need to know how many hosts are online in the target, what the IP addresses of these hosts are, and what the network architecture and topology look like.

Service enumeration (that is, port scanning)

In this stage, based on the results of the previous stages, all open ports of the target system are further identified.
Once all open ports are found, the services running on the target system can be listed through these ports.
The open ports on the host have corresponding service programs. After in-depth analysis of this information, possible vulnerabilities in the target network infrastructure can be further explored.

Vulnerability mapping (that is, vulnerability scanning)

Find known and unknown vulnerabilities based on discovered open ports and service programs

Social engineering

If the target network has no direct entry point, the art of deception plays an important role in opening up new approaches.
A targeted attack on the personnel of the target organization is likely to help us find an entrance to the target system.
For example, enticing a user to install a malicious program that plants a backdoor may give the auditors a breakthrough in the penetration.
Social engineering penetration takes many different forms.
Posing as a network administrator and asking a user over the phone to complete their account information, sending phishing emails to hijack a user's bank account, or even luring someone to appear at a particular place are all social engineering attacks.
It should be noted that, before deception can achieve the penetration objective, it usually takes a long time to study the psychology of the target person.
In addition, it is necessary to check whether local law permits such activities.

Exploit

After finding a vulnerability, an existing exploit program can be used to penetrate the target system. The main task at this stage is to gain control of the target system.
This process can be divided into three steps, involving related actions before, after and

Privilege escalation

Penetration testers can move about the target system only as far as their access rights allow.
Privilege escalation means elevating ordinary user rights to administrator rights.

Access maintenance (that is, leaving a backdoor)

In most cases, auditors need to maintain their access to the target system for a period of time.
That is, they leave a backdoor (and remove it when they leave).

Documentation report

Auditors should record, report, and demonstrate on site the security vulnerabilities that have been identified, verified, and exploited.
All identified security vulnerabilities should then be fixed on the basis of these documents.

* Simplified penetration testing process

Clarify the goal

Determine the scope | Determine the rules | Determine the needs

Collect information

Basic Information | System Information | Application Information | Personnel Information | Protection Information

Vulnerability detection

System Vulnerabilities | Web Service Vulnerabilities | Web Application Vulnerabilities | Other Ports | Communication Security

Vulnerability verification

Manual verification | Tool verification | Experimental verification

Exploit

Customized EXP | Defense Bypass | Further Penetration | Clear Traces

The complete exploit program is called EXP

Form a report

Organize the results | Supplementary introduction | Repair suggestions

* General process of hacking

Source: blog.csdn.net/Waffle666/article/details/113817201