# Assess Organizational Security Network Reconnaissance Tools

[[Principles of Security]]

## ipconfig, ping, and arp

- Footprinting the network layout and rogue system detection
- `ipconfig`, `ping`, `arp` -> all Windows
    - remember `ipconfig /all`
- `ping` - test connectivity with a host using ICMP
    - ping sweep to detect live hosts on a subnet (nmap)
- `arp` - Address Resolution Protocol cache
    - shows IP to MAC address mapping
    - detect spoofing (validate MAC of default gateway) -> on-path attack (man in the middle)
    - `arp -a`
- `ifconfig` / `ip`
    - `ifconfig` is generally deprecated, `ip` is newest on Linux
    - but they both report the local IP configuration

## route and traceroute

- `route` - shows the local routing table on Windows and Linux
    - "On-link" in the gateway column means directly connected
- `tracert` (Windows) / `traceroute` (Linux) - shows path to remote host
    - when it goes to `*` ICMP is blocked, and you are most likely within a network at that point
- `pathping` / `mtr` - also does traceroute but gives latency statistics

## IP scanners and nmap

- Host discovery - test whether hosts in an IP range respond to probes
- Port scan (service discovery) - test whether TCP or UDP ports allow connections

## Service Discovery and Nmap

- Service discovery - scan custom TCP/UDP port ranges
- Service and version detection - fingerprinting each port
    - protocol
    - application/version
    - OS type
    - device type
- this can be used offensively or defensively (auditing)

## netstat and nslookup

- `netstat` - report port status on local machine
    - switches to filter by protocol
    - display process name or PID that opened the port
    - `netstat -an` - all open connections on local machine
- `nslookup` and `dig` - query name servers
    - zone transfers
    - `nslookup google.com`

## Other Reconnaissance and Discovery Tools

![[Pasted image 20230627145344.png]]

## packet capture and tcpdump

- packet analysis vs protocol analysis
- Sniffer -> tool for capturing network frames
    - use software to interface with the host network driver (libpcap/WinPcap)
    - mirrored ports / switched port analyzer (SPAN)
    - use a test access port (TAP) device to read frames from network media
    - placement of sensors
- `tcpdump`
    - write to pcap - .pcap is the file format Wireshark opens
    - read from pcap
    - filters
    - generally you will capture and dump the data to a file and then open it with Wireshark

## Packet Analysis and Wireshark

- output panes
    - packet list
    - packet details (headers and fields)
    - packet bytes (hex and ASCII)
- capture and display filters
- coloring rules
- Follow TCP Stream (right click on what you want)

## Packet injection and replay

![[Pasted image 20230627145900.png]]

## Exploitation Frameworks

![[Pasted image 20230627145924.png]]

## Netcat

- simple tool capable of a very wide range of network tasks
- typically used for getting a reverse shell
- port scanning and fingerprinting
- command prompt listener over arbitrary port
- file transfer over arbitrary port

# Explain Security Concerns with General Vulnerability Types

## Software Vulnerabilities and Patch Management

- Exploits for faults in software code
    - Applications - different impacts and exploit scenarios; client vs server apps
    - Operating System (OS) - obtain high-level privileges (privilege escalation)
    - Firmware - PC firmware; network appliances and IoT devices
- Improper or weak patch management
    - undocumented assets
    - failed updates and removed patches

## Zero-day and Legacy Platform Vulnerabilities

- **Zero-day** - vulnerability unknown to the vendor
    - threat actor develops an exploit for which there is no patch
    - likely used against high-value targets
- Legacy platform - vendor no longer releases security patches

## Weak Host Configuration

**AT SOME POINT IN SCENARIOS THE ROUTER WILL HAVE DEFAULT CREDENTIALS**

- allowing a system to keep default settings is a no-no
    - vendor may not release the product in a default-secure configuration
- Unsecured root accounts
    - threat actor will gain complete control
    - limit the ability to log in as a superuser
- Open permissions
    - configuration errors allowing unauthenticated access
    - allowing write access when only read access is appropriate

## Weak Network Configurations

- open ports and services
    - restrict using an ACL
    - disable unneeded services or block ports
    - block at the network perimeter
- Unsecure protocols - cleartext data transmissions are vulnerable to snooping and eavesdropping
- Weak encryption - storage and transport encryption
    - key is generated from a weak password
    - cipher has weaknesses
    - key distribution is not secure
- Errors - error messages that reveal too much information

## Impact from Vulnerabilities

- data breach and data exfiltration impacts
    - data breach is where confidential data is read or sent without authorization
    - data exfiltration is the methods and tools by which an attacker transfers data without authorization
    - identity theft
    - abuse of data from privacy breaches
- Data loss and availability loss impacts
    - availability is also a critical security property
- Financial and reputation impacts

## 3rd Party Risks

- supply chain
    - SolarWinds
    - Supermicro spy chips
- vendor management
    - process for selecting suppliers and evaluating risks
    - system integration
    - lack of vendor support
- Outsourced code and development
- Data storage
- Cloud-based vs on-prem risks

# Summarize Vulnerability Scanning Techniques

## Security Assessment Frameworks

- NIST has lots of different frameworks and publications
    - Testing (NIST Special Publication 800-115) - pentester blueprint
    - Examining
    - Interviewing
- Vulnerability assessment -> scan for vulnerabilities and assess whether the system is vulnerable; no exploitation
- Penetration testing -> actually exploiting the found vulnerabilities
- Threat hunting -> searching to see if there is already an invader on the network

## Vulnerability Scan Types

- automated scanners configured with a list of known vulnerabilities
- Network vulnerability scanner
    - configured with tests for most network hosts
    - focused on scanning the OS plus some desktop and server applications
- Application and web app scanners
    - configured with application-specific tests

## Common Vulnerabilities and Exposures

- vulnerability feed / plug-in / test
- **Security Content Automation Protocol (SCAP)** - mechanism for updating the scanner via a feed
- common identifiers - mitre.org
    - Common Vulnerabilities and Exposures (CVE)
    - Common Vulnerability Scoring System (CVSS)

## Intrusive vs Non-Intrusive Scanning

- Non-intrusive is passively testing security controls
    - like scanning packets but not engaging with the system
    - could have low interaction with hosts (port scanning / banner grabbing)
- Intrusive/active scanning
    - establish network sessions
    - agent-based scan
- Exploitation frameworks (Metasploit)
    - highly intrusive / risk of system crash
    - used with pen testing

## Credentialed vs Non-Credentialed Scan

- Non-credentialed
    - anonymous or guest access to the host only
    - may test default passwords
- Credentialed - scan configured with a logon
    - can allow privileged access to configuration settings / logs / registry
    - use a dedicated account for scanning

## False Positives, False Negatives, and Log Review

- Analyzing and validating scan contents
    - **False positives** - scanner identifies a vulnerability that is not actually present
    - **False negatives** - scanner fails to identify a vulnerability
- Review logs to confirm results

## Configuration Review

![[Pasted image 20230627160243.png]]

## Threat Hunting

- Use log and threat data to search for IoCs (indicators of compromise)
- Advisories and bulletins
    - plan a threat hunting project in response to a newly discovered threat
- Intelligence fusion and threat data
    - use a SIEM and threat data feed to automate searches
- Maneuver
    - consider the possibility of alerting the adversary to the search
    - use techniques that will give positional advantage

![[Pasted image 20230627160603.png]]

# PenTesting Concepts

## PenTesting

- Pentest vs ethical hacking
- Verify threat - identify the vulnerability and the vector by which it could be exploited
- Bypass security controls - identify lack of controls or ways to circumvent those controls
- Actively test security controls - examine weaknesses that render controls ineffective
- Exploit vulnerabilities to prove the threat exists (pwned)
- Active and highly intrusive techniques, compared to vulnerability assessment

## Rules of Engagement

- agreement on objective and scope
- Authorization to proceed from the system owner and affected 3rd parties
- Attack profile
    - Black box (unknown environment)
    - White box (known environment)
    - Gray box (partially known environment)
- Bug bounty programs (grey hat)

## Exercise Types

- Red team (pentesters) - performs the offensive role
- Blue team (SOC) - performs the defensive role
- White team - sets the rules of engagement and monitors the exercise
- Purple team - exercise set up to encourage collaboration
    - red and blue teams share information and debrief regularly
    - might be assisted by a facilitator

## Passive and Active Reconnaissance

- Pen testing and the kill chain attack life cycle
- Reconnaissance phase
    - passive techniques unlikely to alert the target
    - active techniques are detectable
- OSINT
- Social engineering
- Footprinting
- War driving
- UAV and war flying

## PenTest Attack Life Cycle

- Initial exploitation - obtain a foothold via an exploit
- Persistence
    - establish a command & control backdoor
    - reconnect across host shutdown / user log-off events
- Privilege escalation
- Internal reconnaissance - gain additional credentials and compromise higher-privilege accounts
- Lateral movement - compromise other hosts
- Pivoting - access hosts with no direct remote connection via a pivot host
- Actions on objectives
- Cleanup
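Added example (not from the original notes) for the ARP spoofing check under `ipconfig, ping, and arp` above: it parses constructed Windows `arp -a` output, compares the default gateway's MAC against a baseline recorded when the network was known to be good, and flags a MAC claimed by more than one unicast IP. The gateway IP, baseline MAC and all cache rows are assumed sample values.

```python
import re
from typing import Dict, List

# Constructed sample of Windows `arp -a` output (not captured from a real host).
# The .50 host is answering for the gateway's IP, so the gateway row now carries
# the same MAC as 192.168.1.50: the on-path (ARP spoofing) picture.
ARP_OUTPUT = """
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One cache row: IP, dash-separated MAC, entry type (Windows formatting).
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)

def parse_arp(text: str) -> Dict[str, str]:
    """Map IP -> MAC (lowercase, colon-separated) for every cache row."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table

def check_arp_cache(table: Dict[str, str], gateway_ip: str, baseline_mac: str) -> List[str]:
    """Return findings; an empty list means the cache matches expectations.
    baseline_mac is the gateway MAC noted on a known-good network (assumed value)."""
    findings: List[str] = []
    expected = baseline_mac.lower().replace("-", ":")
    actual = table.get(gateway_ip)
    if actual is None:
        findings.append(f"gateway {gateway_ip} missing from ARP cache")
    elif actual != expected:
        findings.append(f"gateway {gateway_ip} MAC {actual} != baseline {expected}")
    # Second indicator: one MAC claimed by several unicast IPs. Broadcast and
    # multicast rows (group bit set in the first octet) legitimately repeat.
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in table.items():
        if int(mac[:2], 16) & 1:
            continue
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claimed by {sorted(ips)}")
    return findings
```

Run the check on a schedule from the same host and alert on any non-empty result; a changed gateway MAC is worth confirming against the router before assuming an attack, since a gateway hardware replacement produces the same finding.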
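Added example (not from the original notes) tying the `netstat -an` item above to the open ports and services point under `Weak Network Configurations`: it parses constructed Windows `netstat -an` output, keeps only sockets that actually accept traffic, and reports listeners that are not in an assumed per-host allowlist. The sample rows and the baseline set are assumed values.

```python
# Constructed sample of Windows `netstat -an` output (not from a real host).
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     52.96.0.1:443          ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:5353           *:*
"""

# Assumed baseline for this host: the (proto, port) pairs that are supposed to be
# open. Any other listener is a candidate for "disable the service or block the port".
BASELINE = {("TCP", 135), ("TCP", 445), ("TCP", 3389), ("UDP", 5353)}

def listening_sockets(text):
    """Return a set of (proto, bind_ip, port) for sockets that accept traffic.
    TCP rows count only in LISTENING state; every bound UDP socket counts."""
    socks = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, blank and header lines
        proto, local = parts[0], parts[1]
        state = parts[3] if len(parts) > 3 else ""
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED, TIME_WAIT etc. are not listeners
        ip, _, port = local.rpartition(":")  # rpartition copes with IPv6 "[::]:135"
        socks.add((proto, ip.strip("[]"), int(port)))
    return socks

def unexpected_listeners(socks, allowed=BASELINE, loopback_ok=True):
    """Listeners missing from the allowlist, sorted. Loopback-only binds are skipped
    by default because they are unreachable from the network (pass False to see them)."""
    flagged = []
    for proto, ip, port in sorted(socks):
        if loopback_ok and ip in ("127.0.0.1", "::1"):
            continue
        if (proto, port) not in allowed:
            flagged.append((proto, ip, port))
    return flagged
```

Feed it the live output of `netstat -an` (or `netstat -ano` to keep the PID column, which this parser ignores) and treat any flagged entry as either a service to disable or a port to block with an ACL at the host or perimeter.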