WEBVTT

00:00.180 --> 00:07.170
Penetration testing, better known as a pen test, is the process where somebody manifests themselves as

00:07.170 --> 00:15.170
an outsider and actually tries to grab sensitive data, sensitive information, from within your infrastructure.

00:15.180 --> 00:20.220
Now you've got to be careful; you don't want to confuse a vulnerability assessment with a penetration

00:20.220 --> 00:22.520
test. A vulnerability assessment

00:22.530 --> 00:29.910
at no time will ever actually try to grab the data; a penetration test will actually try to grab the

00:29.910 --> 00:31.130
data itself.

00:31.170 --> 00:35.850
So when we're talking about a penetration test, there are a few steps that are always going to take place.

00:35.850 --> 00:40.470
Number one, you're going to be discovering vulnerabilities. In this case you're going to be doing some

00:40.470 --> 00:41.950
form of reconnaissance.

00:42.090 --> 00:45.200
You're going to be trying to get information.

00:45.270 --> 00:51.150
And in many cases you actually end up using vulnerability scanners to do that.

00:51.150 --> 00:55.620
Second, and this is what you would never do in a vulnerability assessment, is you're actually going to

00:55.620 --> 00:57.780
exploit those vulnerabilities.

00:57.780 --> 01:00.460
You're going to go in and you're going to grab usernames and passwords.

01:00.460 --> 01:05.700
Or you're going to pull down the database, or you're going to corrupt the web page. You're going to actually

01:05.700 --> 01:13.030
do some form of exploit that does something very concrete to that target network.

01:13.320 --> 01:15.240
So those are your first two steps.

01:15.330 --> 01:20.610
Well, your third step... actually, you know what, let's make this the first step. Your first step before you

01:20.610 --> 01:29.160
do any of this stuff is authorization. Because of the implicit naughtiness of the penetration test, the

01:29.160 --> 01:31.080
buy-in from management,

01:31.200 --> 01:37.260
the authorization, is incredibly important. At the very minimum you're going to have to do two things.

01:37.260 --> 01:42.180
Number one, you're going to have to define the targets. Most of the time when you're doing a pen test you're

01:42.180 --> 01:47.500
trying to say, you know, can you do this, can you crack our website or something like that.

01:47.640 --> 01:52.350
But the second thing you're going to have to define is something known as the attack model. An attack

01:52.350 --> 01:57.430
model defines what the attacker knows before they do a penetration test.

01:57.600 --> 02:00.540
The first attack model is known as a white box.

02:00.600 --> 02:04.280
In this case the attacker has extensive knowledge about the target.

02:04.380 --> 02:06.270
They know IP addresses.

02:06.270 --> 02:08.080
They know who's running what.

02:08.100 --> 02:10.830
They might even have user names and passwords.

02:10.830 --> 02:14.760
In this case attackers are more like trusted insiders.

02:14.760 --> 02:19.310
This is the cheapest and fastest type of attack model for a pen test.

02:21.120 --> 02:24.780
On the other side is a black box attack model.

02:24.870 --> 02:28.430
In this case the attackers know nothing about the target.

02:28.440 --> 02:31.220
This is more where the attackers are like strangers.

02:31.290 --> 02:35.690
And invariably this is going to be some form of external hacking.

02:35.700 --> 02:42.180
The downside to black boxes is that they are potentially expensive and slow due to the nature of the

02:42.180 --> 02:48.860
amount of time we need for reconnaissance. An alternative is what we call a gray box. The gray box is

02:48.890 --> 02:57.080
somewhere between the two extremes. For example, we may know where a SQL server is, but we may not have

02:57.080 --> 03:00.010
usernames, passwords or something like that.

03:00.020 --> 03:04.820
So you've got it worked out with upper management that you're going to do some form of pen test.

03:04.820 --> 03:08.770
So let's kind of march through the processes that are actually going to take place.

03:08.870 --> 03:11.520
Once you've been given the go-ahead to get started.

03:11.540 --> 03:15.380
So the first thing we're going to be doing is we're going to be discovering vulnerabilities.

03:15.380 --> 03:18.070
To me this is more what I call the reconnaissance mode.

03:18.230 --> 03:23.920
Now you've got three different ways to do an exploration to discover these vulnerabilities.

03:23.930 --> 03:29.600
First of all, you can do what's known as a passive discovery. With a passive, what you're talking about

03:29.840 --> 03:37.310
is you're not putting any of your packets onto the target, so you can be doing a whois lookup, for example,

03:37.550 --> 03:44.000
or you can be making some phone calls. With a passive you're not doing anything from a computer that's

03:44.000 --> 03:46.460
sending packets over to your target.

03:46.460 --> 03:49.000
The second thing would be semi-passive.

03:49.100 --> 03:54.830
So with semi-passive you're actually putting packets onto the target, but you're not doing anything that would

03:54.830 --> 03:59.570
raise any alarms or set off an intrusion detection system or anything like that.

03:59.570 --> 04:04.070
So for example you've got a target web server that you're looking for.

04:04.070 --> 04:09.830
You could just go to the website and check it out a little bit and go to do whatever reconnaissance

04:09.830 --> 04:12.160
you need to do in that particular situation.

04:13.470 --> 04:20.010
The third one is an active discovery, an active reconnaissance. In this situation

04:20.010 --> 04:27.060
you are actually putting packets downrange on the target. You're running scanners, you're running nmap,

04:27.180 --> 04:33.600
you're running tools like that that could possibly alert an intrusion detection system or block you

04:33.810 --> 04:38.190
by an intrusion prevention system or by a firewall.

04:38.190 --> 04:43.140
The bottom line is that you're going to go through these processes and in these cases you're often just

04:43.140 --> 04:48.500
using standard vulnerability scanners to get this reconnaissance information.

04:48.630 --> 04:51.230
But you do reach a point where you suddenly go,

04:51.630 --> 04:52.830
I have a target.

04:52.920 --> 04:56.230
I wonder if it has a particular exploit.

04:56.340 --> 04:59.490
And that's where we need to talk about exploiting the target.

04:59.500 --> 04:59.790
Now.

04:59.820 --> 05:05.460
By the way, the tools that I tend to use when I'm exploiting the target: probably the single most

05:05.460 --> 05:08.850
famous one is the infamous Metasploit.

05:09.000 --> 05:14.610
And in particular I'm a big fan, if you've been watching any of my other episodes, I love the Kali Linux distro,

05:14.610 --> 05:16.010
it's a big popular one.

05:16.080 --> 05:21.210
It includes Metasploit, as well as a lot of other tools that go along with it.

05:21.240 --> 05:25.180
The thing to keep in mind about Metasploit is that Metasploit is not a program.

05:25.200 --> 05:29.220
All right, it's a penetration testing, what we call a, framework.

05:29.250 --> 05:34.440
It really gives you little more than a command line and a number of tools that allow you to make an

05:34.440 --> 05:35.190
exploit.

05:35.190 --> 05:41.100
So for right now let's go ahead and talk about what we have to do to exploit a target and then we'll

05:41.100 --> 05:45.340
take a look at Metasploit. When we're in a target, we're ready to exploit it.

05:45.360 --> 05:51.820
First we're going to start off with some initial exploitation based on the idea of banner grabbing.

05:51.930 --> 05:56.480
Here's an example of me banner grabbing a website using telnet.

05:56.520 --> 06:02.980
I have enough information that allows me to try to do some form of initial exploitation.

06:03.270 --> 06:09.240
Now this initial exploitation in and of itself may be sufficient, but what we can often do is do something

06:09.240 --> 06:16.440
known as a pivot. A pivot is nothing more than an initial exploitation which allows us to act

06:16.440 --> 06:20.190
as a launching point to do even more exploitation.

06:20.190 --> 06:27.420
So for example, if I were to be able to get root access to a system, that is in and of itself an exploitation.

06:27.420 --> 06:33.920
However once I have root access I can treat that as a pivot to do all kinds of interesting things.

06:33.930 --> 06:41.220
The other thing to keep in mind is that we do what's known as persistence. Persistence simply means that

06:41.580 --> 06:44.310
we keep doing something for a while.

06:45.280 --> 06:51.550
Most good penetration testing doesn't happen over the course of a few hours or a few days what will

06:51.550 --> 06:57.180
normally take place is it will go over weeks looking for a particular issue.

06:58.230 --> 07:04.560
Last, and this is what it's all about, is escalation of privilege. As I just described, getting root access

07:04.800 --> 07:07.570
is the holy grail of penetration testing.

07:07.710 --> 07:14.700
So what I've got here in front of me is good old Metasploit. Now Metasploit is a framework; it's not

07:14.700 --> 07:21.210
a single program but as a framework it allows me to run different programs that will work together and

07:21.210 --> 07:25.740
know what each other is doing, so Metasploit is absolutely amazing.

07:25.740 --> 07:29.970
Now what I'm doing is I'm running something called Armitage.

07:29.970 --> 07:35.810
On top of Metasploit. Armitage just helps me run with the framework a little bit.

07:35.820 --> 07:42.550
So if we take a look here, this is Armitage, but down here is just good ole Metasploit right here.

07:42.560 --> 07:45.370
And that MSF means Metasploit Framework.

07:45.380 --> 07:52.550
So for example if I want to take a look at all the stuff that's going on for SMB clients on this network

07:53.030 --> 08:01.670
you can see that I run this nmap, but I run a Metasploit script right here, so this .nse file

08:01.940 --> 08:08.680
is basically, it's a script, and it runs through and it does all kinds of stuff.

08:08.680 --> 08:14.910
So it's going through and it's looking for usernames for SMB.

08:15.280 --> 08:18.530
You can see a lot of these are disabled unfortunately.

08:18.560 --> 08:24.690
Let's keep scrolling.

08:24.800 --> 08:26.510
It took me a minute but there it is.

08:26.600 --> 08:28.840
This is not a disabled account.

08:28.940 --> 08:34.310
So there is an account called msfadmin on a particular system.

08:34.310 --> 08:41.390
So the cool part about this is, and I jumped ahead a little bit, remember that with pen testing we're going

08:41.390 --> 08:47.810
to first discover our vulnerabilities, so I can run nmap and tools like that, and it does this pretty

08:47.810 --> 08:52.810
little graphical representation of all the different systems that it has found on this network.

08:52.820 --> 08:57.470
So the reconnaissance does a really really good job.

08:57.470 --> 09:03.950
Now if I were to run Metasploit in its typical way, I would then start running these very esoteric commands

09:03.950 --> 09:10.850
of one type or another, and I would be injecting all of these different types of exploits. Metasploit literally

09:10.850 --> 09:16.690
uses vulnerability databases and you can look for particular vulnerabilities.

09:16.700 --> 09:21.650
But what Metasploit does that's particularly nice is that it does a banner grab on the system, so it'll sit

09:21.650 --> 09:22.390
there and go,

09:22.550 --> 09:28.040
this is a Windows system, or whatever it might be, that's running this version of Apache web server or

09:28.040 --> 09:32.840
whatever it is and then it makes a listing of the types of attacks you can do.

09:32.840 --> 09:38.750
This is where Armitage, the graphical front end, becomes kind of nice. If you take a look here you

09:38.750 --> 09:44.540
can see I can pick different attacks, and it's only showing me the ones that it can do.

09:44.540 --> 09:52.560
If you take a look over here at services, you can see here, here's this computer 192.168.5.9.

09:52.620 --> 09:59.390
And look at all the open services. This thing's running just about everything there is. In fact this is

09:59.390 --> 10:03.260
a very specific type of machine called Metasploitable.

10:03.500 --> 10:06.920
And it's actually a virtual machine that's designed for people to attack.

10:06.920 --> 10:09.170
It's a fun thing to practice on.

10:09.230 --> 10:14.210
And as you can see by looking at this, it's running just about everything you could possibly think

10:14.210 --> 10:14.840
of.

10:14.960 --> 10:20.800
And the fun part is we can just right-click on this guy, pick an attack,

10:24.380 --> 10:26.090
lots and lots of HTTP attacks.

10:26.090 --> 10:26.970
Let's try that again.

10:33.030 --> 10:36.510
And it will go ahead and do that attack for me. With that guy, launch,

10:40.170 --> 10:42.300
and maybe it'll work and maybe it won't.

10:42.300 --> 10:45.730
It just depends on the patch level for that particular system.

10:45.750 --> 10:53.370
So make sure you're familiar with Metasploit; it's probably the first go-to pen testing tool that's out

10:53.370 --> 10:53.780
there.

10:53.910 --> 10:55.640
And don't you ever call it a program.

10:55.740 --> 10:57.150
It's a framework.
