Advanced Infrastructure Penetration Testing: Defend your systems from methodized and proficient attackers

In this first phase, before taking any action, the attacker must be prepared by carrying out an information-gathering exercise on the target. The attacker collects, from many sources, every piece of publicly available sensitive information, such as target clients, employees, and network information. At the end of this phase, the hacker will have a clear view of the network (domain name, IP ranges, TCP/UDP services, and authentication mechanisms), the system (user/group names, system banners, and system architecture), and organizational information (employee details, press released, and location). There are two types of reconnaissance or footprinting.

After gathering a good amount of information on the target, the attacker has to scan it to reveal useful information about the system and use this information for the next phase (the gaining access phase). During this process, the attacker will look for different types of information, and for that, he will use different types of scanning.

At this stage, the attacker already has what they need to launch their attack, including IP range, identified systems, services, user lists, security vulnerabilities, and flows. Now they only need to bypass security controls to gain access to the system, using several techniques such as password cracking, social engineering or privilege escalation, and gaining other user permissions.

Mostly, the aim of a hacking attack is not only to get information using unauthorized access, but to also maintain that access. Every day, attackers are coming up with new ways to maintain access. The most well-known technique is hiding files from the system owner and users to avoid being caught.

The final phase of every successful hacking attack is clearing the tracks. It is very important, after gaining access and misusing the network, that the attacker cover the tracks to avoid being traced and caught. To do this, the attacker clears all kinds of logs and malicious malware related to the attack. During this phase, the attacker will disable auditing and clear and manipulate logs. The order of the hacking phases is shown here:

During white box pentesting, or what's sometimes named complete-knowledge testing, the organization gives the pentesters all required information. This type of pentesting is used when the organization wants to perform a full audit of its security and maximize the testing time. It can be done at any point to check its security position. The information provided before performing the pentesting could be, and it is not limited to the following things:

In a black box pentesting session, the pentester simulates a real-world attack to gain access to a system or IT infrastructure. Thus, he opts for a pentesting approach with no information about the organization and no prior knowledge of the infrastructure. This type of pentesting is very effective because the pentester wears a black hat and uses a black hat hacker's techniques to bypass the organization's security guards. It is carried out from a black hat hacker's point of view. So, they use fingerprinting techniques to discover everything about the organization.

Gray box pentesting involves simulating an attack by an insider. The pentester is given partial and limited information, like any normal user. This sort of testing lies between black box and white box pentesting.

The role of a red team is clear. They generally have a specific mission, which is testing the current state of physical and digital security of an organization. The members of a red team have an offensive mindset. They try to attack a specific area.

Blue teams are the defensive layer. Their mission is to defend against the red team. In general, they are the internal security team.

To ensure effective penetration testing, a new team is created named the purple team. This team has an effective approach to make the communication between red teams and blue teams clearer, as shown in the following figure:

The Open Source Security Testing Methodology Manual (OSSTMM) is a comprehensive document released by Pete Herzog and distributed by the Institute for Security and Open Methodologies (ISECOM). According to OSSTMM, every penetration testing should include security testing of information, processes, internet technology (port scanning, firewalls, and so on), communications, wireless, and physical environment.

The Information Systems Security Assessment Framework (ISSAF) is a methodology where the penetration tester imitates the hacking steps with some additional phases. It goes through the following phases: 

The Penetration Testing Execution Standard (PTES) is a set of technical sections. It helps the penetration tester to deliver an effective pentesting report by walking through the following seven sections: 

The Payment Card Industry Data Security Standard (PCI DSS) is an important reference for organizations that are planning to work with major brand credit cards'. It was released in 2014. It is used to assure the security of credit card holders' data and avoid frauds. The compliance is performed once per year by a qualified security assessor, who is provided by the PCI Security Standards Council or internally for small data amount cases. PCI DSS goes through the following four phases:

It specifies the target of the pentesting, including the scope (IP addresses and hosts), in a very detailed way. In general, it also contains what assets are to be tested and what is out of bounds. The pre-engagement must also include the time period of the penetration testing mission.

Hacking is an illegal act, so you need to assure that all your work will be done in a legal way. A get out of jail card usually signed by a high-level manager will be enough to get you out of trouble. Here the word "card" is a contract between the two parties that should solve the legal problem if any.

To avoid any panic situations when you find something serious, a predefined contact information list is a good idea to ensure a fast and efficient communication channel when it's needed. For example, If you are having an overwhelming network traffic issue because of an intensive automation tool, you need to contact the network engineer.

Payment information indicates the payment terms of the penetration testing. When discussing the schedule of the testing, the pentester should also discuss payment arrangements. During the negotiation, you can discuss the payment structure, for example, getting paid after delivering the final report, half amount up-front before conducting the pentesting, or according to a payment schedule. Also, non-payment penalties could be added to the agreement.

The aim of a signed non-disclosure agreement (NDA) is to make the pentester commit to keeping all the confidential information and the findings safe. During penetration testing, you will be exposed to a certain amount of data with different classification ranks. That is why, it is a wise decision to sign a document to reassure the upper management that all the collected information is protected.

Public intelligence is the process of gathering all possible information about the target, using publicly available sources, and not only searching for it but also archiving it. The term is generally used by government agencies for national security operations. A penetration tester should also adopt such a state of mind and acquire the required skills to gather and classify information. In the era of huge amounts of data, the ability to extract useful information from it is a must.

Social engineering attacks are when employees or others are psychologically deceived into providing sensitive information. Social engineering is the art of manipulating people to gain information about the users in order to ascertain sensitive information, such as login credentials or classified information. Using a human quality like trust in a deceptive way always shows that the human is the weakest layer in information security. One of the social engineering techniques is phishing, which is a technical method of social engineering. As we all know, Phishing is sending an email or text message that appears to come from a legitimate institution and tricking the user to type his login credentials. Spear-phishing is the same technique, but in a more specific range, such as sending phishing emails to short lists of high profile contacts

Physical security is really critical in the information security landscape. Identifying physical equipment plays a huge role in intelligence gathering.

This technique searches out information about the target including network services, devices, domains, and the information system information.

There are many intelligence gathering categories: human intelligence, signal intelligence, open source intelligence, imagery intelligence, and geospatial intelligence.

Human intelligence 

Human intelligence (HUMINT) is the process of collecting information about human targets, with or without interaction with them, using many techniques such as taking photographs and video recording. There are three models of human intelligence:

• Directed Gathering: This is a specific targeting operation. Usually, all the resources are meant to gather information about a unique target
• Active Intelligence Gathering: This process is more specific and requires less investment, and it targets a specific environment. 
• Passive Intelligence Gathering: This is the foundation of human intelligence. The information is collected in opportunistic ways such as through walk-ins or referrals. So there is no specific target, except collecting information and trying to find something. 

Open source intelligence 

Open source intelligence (OSINT), as its name suggests, involves finding information about a defined target using available sources online. It can be done using many techniques:

• Conducting search queries in many search engines
• Gaining information from social media networks
• Searching in deep web directories and the hidden wiki
• Using forum and discussion boards

For example, if you want to search for a specific employee, you can use a theHarvester tool, and it will help find all public information about that person.

You can get theHarvester from its GitHub repository using this command from your console:

git clone https://github.com/laramies/theHarvester

Then, type ./theHarvester to run the script.

For example, if you want to collect information about a targetwebsite using Google search, simply run the following command:

theharvester -d   targetwebsite.org  -l 100 -b google

Here, the -l option is the limited number of results and -b  indicates the search engine. In our case, we used the Google search engine:

Note

Do you know that the known web represents only 4% of the internet. There is another space called the deep web. It contains 7,500 terabytes of information that means more than 500 billion pages.

It is an advantage to gather information from the hidden web, not only for reconnaissance purposes but for competitive intelligence. To access the deep web, you simply have to download the Tor Browser via its official website https://www.torproject.org/ and install it. Open the browser and hit Connect to access the network:

Now, you are surfing the hidden web. You can use the hidden wiki for Tor websites from this link, http://wiki5kauuihowqi5.onion (they are represented as  DomainName.onion), or simply use the DuckDuckGo search engine:

Not only you can search for personal identifiable information, but you can also search for online devices and even industrial control systems. For example, you can check www.shodan.io. This search engine will help you find devices online. The following screenshot is publicly available information about wind turbines searched by Shodan.io:

To discover the great potential of the Shodan search engine, let's take a glimpse into the power of this giant. First, go to www.shodan.io and create a new account:

Use the search bar to enter a search query, or you can simply hit a predefined category: Netcams, default password, dreambox, industrial control systems, and so on. This is a snippet of the most popular search tags:

Let's hit Netcams as a demonstration. According to the screenshot listed as follows, the search engine found at least 8,632 publicly available sources of Netcam information, including their IP addresses with detailed descriptions about them:

 

Also, you can use a real-time map to search online devices such as routers:

Imagery intelligence 

In the battlefield, imagery intelligence (IMINT) is the process of analyzing images and videos from different sources and devices such as electronic display images and infrared cameras. In penetration testing, image intelligence also works in the same way, where it is the operation of identifying information about the target using different photos and videos from different public resources as follows:

• Social media (Facebook, LinkedIn, and so on) videos
• Reverse searched photos for other editions
• Live streams

There are many image analysis tools that you can use to extract data from an image. One of them is ExifTool. It is a small tool used to extract juicy information about a defined image. Like the following graph, just download ExifTool from this link, https://www.sno.phy.queensu.ca/~phil/exiftool/, and type ./exiftool image.png:

Geospatial intelligence 

Geospatial intelligence (GEOINT) is the exploitation and analysis of imagery and geospatial information to describe, assess and visualize a defined area. The term GEOINT has become associated with information security and penetration testing. Identifying and collecting information about an organization will give penetration testers the ability to anticipate the physical intrusion of the organization. Thus, the role of a penetration tester is to make sure that data and sensitive information is safe from external threats. There are many available sources to check for geospatial information. Google Maps is a free geospatial service provided by Google. The following is the result of a search, using a Google Map query:

During the business asset analysis, the pentester focuses on the assets by gathering any related documents about the assets, and in other situations, conducting interviews within the organization. It could include information about the following:

Information about the technical assets is not sufficient to obtain efficient modeling. Penetration testers should gather information about all the policies and the procedures of the organization, and sometimes, the organization plan, if needed.

Business is the central point in information security. A wise information security analysis will certainly assure that the organization works in a proper way and generates revenues. All the assets that are in a relationship with business processes are required to be mapped and analyzed, starting with the most critical ones. The following are the assets:

During this type of analysis, all the threats based on the location metric are mapped. We can divide threats into two categories—internal and external threats. Employees of the organizations, including the upper management, are also part of this classification because humans are the weakest layer when it comes to information security.

After having a clear understanding about threat agents, now it is time to check for any available tools, exploits, and payloads currently out there that could be used against the organization infrastructure, in addition to analyzing the possible communication mechanisms.

A penetration tester could model the motivations behind an attack. In competitive environments and volatile businesses, motivation modeling should be added to the pentester checklist.

There are many vulnerability management tools currently available that can help the penetration tester during a vulnerability assessment mission, such us Beyond Security, Qualys, Core Security, and many other tools. One of the most well-known vulnerability management tools is the Rapid7's Nexpose. Nexpose assesses vulnerability in a defined infrastructure.

Installing Nexpose

You can install Nexpose by following the below steps:

• Downloading the community edition from the official website, https://www.rapid7.com/products/nexpose/.
• For the demonstration, we installed Nexpose for Windows 64 edition. You can use the Linux edition as well:

• Fill in the required information and move to the next steps:

Start a scan

To start a Nexpose scan, open a project, click on Create and select Site, for example. Then, enter a target IP or an IP range to start a scan:

After the scan is finished, you can generate a scanning report:

Networks are the backbone of every modern organization and institution. So an infrastructure analysis will start by identifying the following:

Not only network information but also identifying networking services is critical. They include the following:

By definition, pillaging is gathering all possible information from the systems. Knowing where the data is located, for example, could help predict the pivoting techniques. To perform an effective penetration testing, you need to gather all, and not limited to, the following information, installed software and services:

High profiles are extremely desirable from a hacker's perspective. Your job as a penetration tester is to make them top of your target list because compromising a high profile could result in compromising a business unit. Don't forget that curiosity and challenging spirit are motives for black hat hackers. That is why, C-level profiles are highly targeted.

During data exfiltration, the pentester maps all the exfiltration paths. The aim of this step is to make sure that there is no data leaving the organization in a sneaky way. Analyzing the data flow is of high priority, whereas data is the center of attention for hackers.

Backdoors and meterpreters are very common techniques to assure the persistence, even after rebooting the system. Also, creating new accounts with complex passwords will gain you some presence time.

Finally, the penetration tester must clean up the compromised systems of any used scripts, binaries, new accounts, and configurations during the previous post-exploitation steps.

This section gives a high-level glimpse of the findings and specifies the main aims of the penetration testing. The target audience of this section is the upper management because they care about the security of the organization, more than the technical details. That is why, in an executive summary, it is not recommended you mention the technical specifications of the findings. The executive summary includes the following:

This section is made for technical managers and information technology staff. It includes detailed information about all the conducted steps and operations. It is structured the following way: