
Red Team — Penetration testing

Srishti Mishra
Information Security 101
4 min read · Apr 2, 2021


Penetration testing is an authorised offensive (red team) activity that assesses the security of a system by actively trying to exploit vulnerabilities at the network, host or application level. A team, external or internal, uses tools and ingenuity to map the system's attack surface and test it for weaknesses. It is conducted with varying levels of knowledge and access, from an uninformed outsider (black box) through partial knowledge (grey box) to a fully informed insider (white box). Tools are used to probe the attack surface, gather information and test hypotheses, and finally to exploit a vulnerability if one exists. Parts of the process can be automated once patterns are established.

A pen tester needs to know:

  1. How the target domain works
  2. The protocols and languages likely to be in use
  3. The frameworks commonly used in that domain
  4. Common weaknesses in the software, misconfigurations and known bugs

For example, in web hacking the URL string (its query parameters) plays an important role:

  • Introducing script tags into a reflected parameter to test for XSS
  • Adding a single quote (or another SQL metacharacter) to a parameter to check for SQL injection; a database error or a change in the response is the tell
  • Checking whether client-supplied parameters (such as a price or user ID) are blindly trusted by the server
  • Trying default passwords
  • Directory brute-forcing (guessing file and directory names to find unlinked content)
  • Checking for exposed configuration pages or files (which may leak database or root passwords)
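To make these probes concrete, here is an added example (not from the original article) that runs the XSS, SQL-injection and price-tampering checks offline against a toy shop backend written for this demo. The handlers, the products table and the payloads are all constructed; `search_vuln`, `greet_vuln` and `checkout_vuln` stand for the unsafe server code, and the `_safe` variants show the fix (parameterised queries, output encoding, server-side pricing).

```python
"""Added example: the URL-parameter probes above, run offline against a toy
shop backend. The handlers, table and payloads are constructed for this demo
and do not come from the original article or any real product."""
import html
import sqlite3

PRODUCTS = [(1, "Laptop", 1200.00), (2, "Mouse", 25.00)]  # constructed sample data


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products(id INTEGER, name TEXT, price REAL)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return con


# --- probe 1: SQL injection through ?q= --------------------------------------
def search_vuln(con, q):
    # String formatting puts attacker text straight into the SQL statement.
    return con.execute(f"SELECT name FROM products WHERE name = '{q}'").fetchall()


def search_safe(con, q):
    # Bound parameter: the quote is data, never SQL syntax.
    return con.execute("SELECT name FROM products WHERE name = ?", (q,)).fetchall()


# --- probe 2: reflected XSS through ?name= -----------------------------------
def greet_vuln(name):
    return f"<p>Hello {name}</p>"                # raw reflection into HTML


def greet_safe(name):
    return f"<p>Hello {html.escape(name)}</p>"   # output encoding


# --- probe 3: is the client-supplied price trusted? --------------------------
def checkout_vuln(con, item_id, client_price):
    return float(client_price)                   # whatever the browser sent is charged


def checkout_safe(con, item_id, client_price):
    # The price comes from the server's catalogue; the client value is ignored.
    (price,) = con.execute("SELECT price FROM products WHERE id = ?", (item_id,)).fetchone()
    return price


def probe_sqli(con, search):
    """Two tells: a bare quote breaks an unparameterised query (error-based),
    or a tautology returns every row (boolean-based)."""
    try:
        rows = search(con, "' OR '1'='1")
    except sqlite3.OperationalError:
        return True
    return len(rows) == len(PRODUCTS)


def probe_xss(greet):
    payload = "<script>alert(1)</script>"
    return payload in greet(payload)             # reflected verbatim => vulnerable


def probe_price(con, checkout):
    # Tamper the hidden price field for item 1: 1200.00 -> 0.01.
    return checkout(con, 1, "0.01") < 1200.00


def run_probes():
    con = make_db()
    return {
        "vulnerable": {
            "sqli": probe_sqli(con, search_vuln),
            "xss": probe_xss(greet_vuln),
            "price_tamper": probe_price(con, checkout_vuln),
        },
        "hardened": {
            "sqli": probe_sqli(con, search_safe),
            "xss": probe_xss(greet_safe),
            "price_tamper": probe_price(con, checkout_safe),
        },
    }


if __name__ == "__main__":
    for variant, findings in run_probes().items():
        print(variant, findings)
```

Against a live target the same payloads go into the query string and the tell is the difference in the HTTP response (a 500 with a database error, an unexpected row count, or the payload echoed back unencoded); the hardened handlers return the same shape of response whatever the parameter contains.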

The tools chosen depend on the target:

  1. Enterprise network — need to map the topology, routers and hosts
  2. Single machine — need to check installed software, running processes and interesting files
  3. Single program — explore and exploit its possible inputs and interactions

Tools

Nmap (Network Mapper)

Free, open-source tool that finds the hosts on a network, the services they expose, their operating systems and the packet filters/firewalls in use, by sending raw IP packets and analysing the responses.

  1. Host discovery: pings a range of IPs to find which hosts are up
  2. The default host-discovery probes (when run as root) are an ICMP Echo Request, an ICMP Timestamp Request, a TCP SYN to port 443 and a TCP ACK to port 80; any reply marks the host as live, and 443/80 are chosen because firewalls commonly let those ports through
  3. Port scanning and fingerprinting: protocol-specific UDP payloads and TCP probes; different OS network stacks respond differently to unusual probes, which is how OS detection (-O) works
  4. Timing controls (-T0 to -T5, --max-rate) slow the scan down to stay under IDS/firewall thresholds
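As an added example (not from the original article or from Nmap), here is a minimal TCP connect scanner that shows the port-state classification and the rate limiting Nmap performs far more thoroughly. Nmap's default SYN scan needs raw sockets and root, so this uses full connect() calls instead; the local listener and the port choices are constructed so the example runs offline against 127.0.0.1.

```python
"""Added example: a minimal TCP connect scanner, not Nmap's code. The listener
and the port selection are constructed so it runs offline on 127.0.0.1."""
import socket
import threading
import time


def classify_port(host: str, port: int, timeout: float = 0.5) -> str:
    """open: TCP handshake completed; closed: the host answered with RST
    (ECONNREFUSED); filtered: no answer before the timeout, which is what a
    firewall that silently drops packets looks like."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:                  # includes TimeoutError / socket.timeout
        return "filtered"
    finally:
        s.close()


def scan(host: str, ports, max_rate: float = 20.0, timeout: float = 0.5) -> dict:
    """Probe ports one at a time, never exceeding max_rate probes per second
    (the idea behind nmap --max-rate and the -T timing templates)."""
    interval = 1.0 / max_rate
    results = {}
    for port in ports:
        started = time.monotonic()
        results[port] = classify_port(host, port, timeout)
        spent = time.monotonic() - started
        if spent < interval:
            time.sleep(interval - spent)
    return results


def start_listener(host: str = "127.0.0.1"):
    """Constructed target: listen on an ephemeral port, accept in the background."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:          # listener was closed by demo()
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def pick_closed_port(host: str = "127.0.0.1") -> int:
    """Bind an ephemeral port and release it, so nothing is listening there."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Scan one open and one closed local port; returns (open, closed, results)."""
    srv, open_port = start_listener()
    closed_port = pick_closed_port()
    try:
        results = scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return open_port, closed_port, results


if __name__ == "__main__":
    _, _, res = demo()
    for port, state in sorted(res.items()):
        print(f"127.0.0.1:{port} {state}")
```

A connect scan completes the handshake, so it shows up in the target's application logs; Nmap's half-open SYN scan (-sS) avoids that but needs raw sockets, and the "filtered" state above is exactly the ambiguity Nmap reports when a firewall drops probes instead of answering them.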

Zap (Zed Attack Proxy)

Web proxies are tools that sit between the browser and the server, displaying each exchanged request and response and modifying them as directed.

  1. ZAP has a GUI to inspect and modify requests and responses
  2. Breakpoints pause matching requests or responses so they can be edited before being forwarded
  3. Its active scanner and fuzzer attempt XSS, SQL injection, etc. by substituting payloads into request parameters

Spider

Crawls a site by following links and builds a model of its structure (the URLs and parameters that form the attack surface)

Metasploit

An advanced open-source platform for developing, testing and using exploit code

  1. Extensible model to integrate payloads, NOP generators, encoders and exploits
  2. Scripting attacks via
    Probe (look for vulnerable services),
    Construct (a payload based on the target's version and other factors),
    Encode the payload (to avoid detection),
    Inject the payload,
    Wait for the shellcode to connect back
  3. Interactive console for Metasploit commands — msfconsole; msfvenom generates and encodes payloads (it replaced the older msfpayload and msfencode)
  4. Web-based GUI (in the commercial editions) and command line
  5. Active and passive attacks
  6. Meterpreter, an in-memory post-exploitation agent that runs inside the compromised process
  7. Tons of exploits against known vulnerabilities (with targets and options for different platforms)
  8. Password sniffing
  9. Privilege escalation
  10. Keylogging and backdoors

Kali

Kali Linux is an open-source, Debian-based distribution that ships with a large collection of security tools preinstalled:
Metasploit, Nmap, Burp Suite, ZAP, John the Ripper (password cracking), Valgrind (dynamic binary analysis), Reaver (WPS brute-forcing to recover Wi-Fi passphrases), peepdf (analysing PDFs for malicious content)

Penetration testing improves the security of the system, the tests are reproducible, they find real vulnerabilities that could otherwise have led to a breach later on, and it is flexible, since it can be applied to the whole application or to specific components.
However, it can miss vulnerabilities (a test shows the presence of bugs, not their absence), it needs to be repeated once fixes are made, and fixes made in response can introduce regressions.

Fuzzing

Automated testing that feeds large numbers of generated or malformed inputs to a program to provoke crashes, hangs and other undesired behaviour. It complements functional testing rather than replacing it.

  1. Black box — knows nothing about the program or its input format. Easy to start with, but explores only shallow program states
  2. Grammar based — generates inputs as defined by a grammar of the input format; more work to set up, but explores deeper
  3. White box — derives new inputs from partial or full knowledge of the source code (e.g. coverage feedback or symbolic execution); computationally expensive

How can you perform fuzz testing?

  • Mutation — mutate a legal seed input (bit flips, byte deletions and insertions, chunk duplication); the result may or may not still adhere to the grammar
  • Generational — generate inputs from scratch, or from a grammar of the format
  • Combinations — generate initial inputs, then mutate them to produce new ones

Tools

  1. Radamsa — mutation based, black box
  2. Blab — generational, grammar based
  3. American Fuzzy Lop (AFL) — coverage-guided (grey box, via compile-time instrumentation), mutation based
  4. Spike — network-based fuzzer creation kit
  5. Burp Intruder — network-based; automates customised attacks against web apps (the attacker marks positions in a request template and payloads are fuzzed in); integrates with the spider etc.
  6. CERT Basic Fuzzing Framework (BFF) — based on zzuf, which found bugs in Adobe Flash, QuickTime and others
  7. Sulley — network fuzzing framework; monitors target health, records traffic, can revert the target to a known-good state, and detects, categorises and tracks faults

File-based fuzzing

Generate inputs, run target, see results

Network-based fuzzing

Inputs are generated by replaying captured traffic, modifying it, or building it from scratch
Alternatively the fuzzer sits man-in-the-middle and mutates the traffic as it passes between the parties

Fix

  1. If a crash occurs, find the minimal input that still triggers it (test-case reduction)
  2. Find the root cause of the crash
  3. Decide whether it is an exploitable vulnerability (e.g. a buffer overflow) or only a reliability bug
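The mutation approach described under "How can you perform fuzz testing?" and the "find the minimal input" step above fit together in one pipeline. The following is an added example, not from the original article or from any of the tools listed: a mutation-based file fuzzer in the Radamsa style, followed by delta debugging (Zeller's ddmin) to shrink each crashing input to a 1-minimal reproducer and bucket crashes by type the way Sulley categorises faults. The toy INI parser, its two planted bugs and the seed file are constructed for this demo, and uncaught Python exceptions stand in for the crashes a native target would produce.

```python
"""Added example (not from the original article): mutation fuzzing plus
ddmin test-case reduction. The target parser, its bugs and the seed input
are constructed for this demo; exceptions stand in for native crashes."""
import random

SEED = b"[main]\nkey=value\n"   # constructed, well-formed seed input


def parse_config(data: bytes) -> dict:
    """Toy INI parser with two planted bugs:
    bug 1: a '[' line with no ']' -> ValueError from str.index
    bug 2: a non-empty line without '=' -> IndexError on parts[1]"""
    result, section = {}, "default"
    for line in data.decode("latin-1").split("\n"):
        if not line.strip():
            continue
        if line.startswith("["):
            section = line[1:line.index("]")]                        # bug 1
            continue
        parts = line.split("=", 1)
        result[f"{section}.{parts[0].strip()}"] = parts[1].strip()  # bug 2
    return result


def crashes(data: bytes):
    """Run the target once; return a crash bucket (exception type) or None.
    For a native target this would inspect the exit signal or ASan report."""
    try:
        parse_config(data)
        return None
    except Exception as exc:
        return type(exc).__name__


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random byte-level mutation: bit flip, delete, insert or duplicate."""
    b = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and b:
        i = rng.randrange(len(b))
        b[i] ^= 1 << rng.randrange(8)
    elif op == 1 and b:
        del b[rng.randrange(len(b))]
    elif op == 2:
        b.insert(rng.randrange(len(b) + 1), rng.randrange(256))
    elif b:
        i = rng.randrange(len(b))
        j = rng.randrange(i, len(b) + 1)
        b[j:j] = b[i:j]
    return bytes(b)


def fuzz(seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Black-box mutation fuzzing: stack 1-3 mutations on the seed, run the
    target, keep the first crashing input seen for each bucket."""
    rng = random.Random(rng_seed)
    found = {}
    for _ in range(iterations):
        candidate = seed
        for _ in range(rng.randrange(1, 4)):
            candidate = mutate(candidate, rng)
        bucket = crashes(candidate)
        if bucket is not None and bucket not in found:
            found[bucket] = candidate
    return found


def ddmin(data: bytes, bucket: str) -> bytes:
    """Zeller's delta debugging: shrink data to a 1-minimal input that still
    crashes in the same bucket (removing any single byte stops the crash)."""
    def still_crashes(d):
        return crashes(d) == bucket

    n = 2
    while len(data) >= 2:
        subset_len = len(data) // n
        start, reduced = 0, False
        while start < len(data):
            complement = data[:start] + data[start + subset_len:]
            if still_crashes(complement):
                data, n, reduced = complement, max(n - 1, 2), True
                break
            start += subset_len
        if not reduced:
            if n == len(data):
                break
            n = min(n * 2, len(data))
    return data


def fuzz_and_minimise(seed: bytes = SEED) -> dict:
    """Pipeline: fuzz, then reduce each crash to its minimal reproducer."""
    return {bucket: ddmin(crash, bucket) for bucket, crash in fuzz(seed).items()}


if __name__ == "__main__":
    for bucket, minimal in fuzz_and_minimise().items():
        print(f"{bucket}: crashes on {minimal!r}")
```

The reduced inputs are what make root-cause analysis tractable: a one-byte file that still crashes points straight at the faulty code path, whereas the original multi-kilobyte fuzz output hides it. Bucketing by crash type (here the exception class; for native code the faulting address or top stack frames) stops the fuzzer from reporting the same bug thousands of times.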

Memory errors

Compile with AddressSanitizer (ASan, -fsanitize=address), which instruments memory accesses to detect use-after-free (dangling pointers), heap and stack buffer overflows and similar errors,
and then fuzz the instrumented binary, so that silent memory corruption turns into a reported crash with a stack trace

That’s all for now, folks :)
