whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

refractoring

This commit is contained in:
gurkenhabicht 2023-08-14 13:42:40 +02:00
parent 1bd88497c1
commit 3842ce9514
1 changed files with 100 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

144
README.md
View File

@ -4,32 +4,58 @@ The "KillChain Compendium" is a steadily growing, organized collection of in-dep
## Penetration Testing ## Penetration Testing
Penetration testing, often referred to as pen testing, is a systematic and controlled process of evaluating the security of computer systems, networks, applications, and environments. The primary objective of penetration testing is to identify vulnerabilities and weaknesses that could potentially be exploited by malicious actors. Penetration testing, often referred to as pen testing, is a systematic and controlled process of evaluating the security of computer systems, networks, applications, and environments. The primary objective of penetration testing is simulate real-world cyberattacks to identify vulnerabilities and weaknesses that could potentially be exploited by malicious actors.
## Pentetration Testing Standards ## Pentetration Testing Standards
* [Pentesting Execution Standard](http://www.pentest-standard.org/index.php/Main_Page) Penetration Testing Standards are guidelines and frameworks that provide best practices and methodologies for conducting thorough and effective penetraton testing activities. These Standards help ensure consistency, quality, and rigor in the penetration testing process.
Authorized audit of security systems of computers and networks.
* [Rules of Engagement -- Cheat Sheet](https://sansorg.egnyte.com/dl/bF4I3yCcnt/?) and [redteam.guide ROEs](https://redteam.guide/docs/templates/roe_template/)
* Permissions
* Engagement --> internal/external pentest or adversary emulation of APTs
* Scope --> networks, IPs, exfilration of data, which stage, downtime, DDoS
* Rules
* NDA
## Pen Testi Campaign The [Pentesting Execution Standard](http://www.pentest-standard.org/index.php/Main_Page) provides the following sections for penetration testing execution
* [Checklist](https://redteam.guide/docs/checklists/red-team-checklist/) * Pre-engagement Interactions
* [vectr.io](https://vectr.io) * Intelligence Gathering
* Threat Modeling
* Vulnerability Analysis
* Exploitation
* Post Exploitation
* Reporting
* Authorized audit of security systems of computers and networks.
* Engagement --> Concept of Operations (CONOPS), Resource and Personnel Requirements, Timelines ## Rules of Engagement (RoE)
* Operations --> Operators, Known Information, Responsibilities
* Mission --> Exact commands to run and execution time of the engagement
* Remediation --> Report, Remediation consultation
## Methodology Rules of Engagement (RoE) in the context of penetration testing refer to guidelines, boundaries, and limitations that are established and agreed upon between the penetration testing team (red team) and the organization or client requesting the testing. These rules ensure that the testing is conducted in a controlled manner. They define the scope, targets, and acceptable activities for the engagement. RoE help prevent misunderstandings, conflicts, and unintended consequences dduring the testing process.
A brief summary of the steps included in the RoE are the following
* **Permissions** of the penetration testing team
* How the **Engagement** is done, e.g. internal/external pentest or adversary emulation of [advanced persistent threads](https://csrc.nist.gov/glossary/term/advanced_persistent_threat)
* **Scope** of how the tests are going to be executed, e.g. networks, IPs, exfilration of data, which stage, downtime, DDoS
* **Non-Disclosure Agreement (NDA)** as a contract describes how knowledge about sensitive data is handled
In practical terms there is a [Rules of Engagement -- Worksheet](https://sansorg.egnyte.com/dl/bF4I3yCcnt/?) provided by [SANS](https://www.sans.org/) and [a sample of RoEs](https://redteam.guide/docs/templates/roe_template/) provided by the [RedTeam.Guide](https://redteam.guide).
## Penetration Testing Campaign
A penetration testing campaign is a planned and organized series of penetration tests conducted on a specific target, like a computer system, network, or application. It involves a structured approach to identifying and addressing vulnerabilities in order to improve the overall security posture of the target.
A brief summary of the steps included are the following
* **Engagement** includes the planning and information gathering
* **Operations** includes vulnerability scanning, manual testing, analysis an communication with the client
* **Remediation** includes fixing the identified vulnerabilities, validation by re-testing, the final reporting and the lessons learned
To support your engagement, a [campaing checklist](https://redteam.guide/docs/checklists/red-team-checklist/) is provided by [RedTeam.Guide](https://redteam.guide/). A tool to support the organization of teams in an engagement is [vectr](https://github.com/SecurityRiskAdvisors/VECTR).
## Penetration Testing Methodology
Penetration testing methodologies typically follow a structured approach to
systematically identify and exploit vulnerabilities.
Included steps are the following
* Steps
* Reconnaissance * Reconnaissance
* Enumeration/Scanning * Enumeration/Scanning
* Gaining Access * Gaining Access
@ -38,44 +64,62 @@ Authorized audit of security systems of computers and networks.
* Reporting * Reporting
### Reconnaissance ### Reconnaissance
* Duck / SearX / metacrawler / google
* Wikipedia
* [Shodan.io](http://www.shodan.io)
* PeopleFinder.com
* who.is
* sublist3r
* hunter.io
* builtwith.com
* wappalyzer
### Enumeration **Passive Reconnaissance** describes the gathering of information about the
* nmap target system or organization without directly interacting with it. This
* nikto involves searching for publicly available data, such as domains names, IP
* gobuster addresses and employee information.
* dirbuster
* metasploit
* enum4linux / linpeas / winpeas / linenum
### Exploitation **Active Reconnaissance** describes the interaction with the target system to
collect more detailed information, using tools like WHOIS lookups, DNS
enumeration, and network scanning. The goal is to map out the target's network
and identify potential entry points.
### Post Exploitation ### Enumeration/Scanning
* Pivoting
#### Privilege Escalation
* Vertically or horizontally
#### Covering Tracks **Network Scanning** is the identification of active hosts, open ports, and
services runing on these ports. This helps the penetration tester understand
the network's architecture and potential attack vectors.
#### Reporting **Service Enumeration** is the gathering of detailed information about services
* Includes running on open ports, such as version numbers and configurations. This
* Vulnerabilities information can be sued to identify known vulnerabilities associated with
* Criticality specific services.
* Description
* Countermeasures ### Gaining Access
* Finding summary
**Exploitation** is the attempt to exploit identified vulnerabilities in order to gain unauthorized access to systems or applications. This might involve using known exploits, custom scripts, or socail engineering techniques.
**Password Attacks** describes the attempt of trying to crack passwords or gain unauthorized access by exploiting weak or default credentials.
### Privilege Escalation
**Vertical Movement** is the attempt to gain higher levels of access within the system, potentially through exploiting misconfigurations or vulnerabilities that allow for privilege elevation.
**Lateral Movement** is the attempt to move laterally within a computer system to compromise additional systems, potentially exploiting trust relationships or shared vulnerabilites.
### Covering Tracks
**Removing Evidence** describes taking steps to erase or alter any traces of the penetration testing activities to avoid detection. This might involve deleting logs, altering timestamps, or other techniques to hide the tester's presence.
**Backdooring** is the introduction of backoors to persistent access points to maintain access.
### Reporting
**Findings Documentation** includes detail of the vulnerabilities that were successfully exploited, the impact of each vulnerability, and the steps taken to exploit them.
**Risk Assessment** is the assessment of potential business impact of each vulnerability, considering factors such as data exposure, service disruption, and financial consequences.
**Recommendations** provide actionable remmediation, including prioritization of vulnerabilities based on their severity and potential impact.
**Lessons Learned** reflect on the testing process and provide insights int o the organization's security posture, including areas of strengths and improvements.
## References
## Frameworks
* [OSSTMM3](https://www.isecom.org/OSSTMM.3.pdf)
* [NIST](https://www.nist.gov/cyberframework) * [NIST](https://www.nist.gov/cyberframework)
* [OWASP](https://owasp.org/www-project-web-security-testing-guide/v42/)
* [OSSTMM3](https://www.isecom.org/OSSTMM.3.pdf)
* [CREST](https://www.redscan.com/news/a-guide-to-crest-penetration-testing/)
* [CAF](https://www.ncsc.gov.uk/collection/caf/caf-principles-and-guidance) * [CAF](https://www.ncsc.gov.uk/collection/caf/caf-principles-and-guidance)
* [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team) as a practical approach * [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team) as a practical approach
* [Red Team Handbook](https://usacac.army.mil/sites/default/files/documents/RT_Handbook_v6.pdf)