Friday, October 14, 2011

Intelligence gathering

The picture below shows all the Intelligence Gathering activities:
Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more attack vectors you may be able to use later.
Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. OSINT takes 3 forms: passive, semi-passive and active:
  • Passive Information gathering: it can be used as the very first step of footprinting, or when we want to gather information about the target while being 100% sure that the target can't identify us. This information is generally stored or archived by third-party organizations and may be limited, incorrect or out of date.
  • Semi-passive Information gathering: the goal of semi-passive information gathering is to profile the target with methods that would appear like normal internet traffic and behaviour. We query only the published name servers for information; we aren't performing in-depth reverse lookups or brute-force DNS requests, and we aren't searching for servers or directories that aren't public. We aren't running network-level port scans or crawlers, and we are only looking at metadata in published documents and files, not actively seeking hidden content. The key here is not to draw attention to our activities. Later, the target may be able to discover that reconnaissance took place but not be able to attribute the activity back to anyone.
  • Active Information gathering: active information gathering should be expected to be detected by the target as suspicious or malicious behaviour. During this stage we are actively mapping the network infrastructure (IP range scans, port scanning, vulnerability enumeration, and so on).
Document metadata: Metadata provides information about the file format, the standard used, the author and the date/time of creation. In images it also contains information about colour depth, resolution, camera type and sometimes even geotags, so you may also be able to discover where the picture was taken from its coordinates. How is it done? There are several tools available to extract metadata from files (PDF/Word/image), such as FOCA (GUI based), presented by Jose Palazon and Chema Alonso of Informatica 64; metagoofil (written in Python) by Edge-Security; meta-extractor by the National Library of New Zealand; and ExifTool (Perl based) by Phil Harvey. These tools can extract and display the results in different formats such as HTML, XML, GUI, JSON etc. The information collected may also be used to perform a social engineering attack with SET, developed by Dave Kennedy. Even the NSA published a PDF warning about the danger of leaked metadata, the 26-page document "Hidden Data and Metadata in Adobe PDF Files: Publication Risks and Countermeasures".
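As an added illustration (not part of the original post, and not code from any of the tools named above), the following Python script shows the kind of data those tools recover from a PDF's document information dictionary, and how a publisher can check a file before releasing it. The PDF bytes are constructed for this example; the scrubbing step only blanks values in place, so it demonstrates what to remove rather than replacing ExifTool or a PDF library that rewrites the cross-reference table.

```python
import re

# Constructed sample: a minimal PDF whose trailer points at an /Info
# dictionary. Every value below is invented for this example.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Title (Q3 budget draft) /Author (jdoe) /Creator (Microsoft Word 2007)
   /Producer (Acrobat Distiller 9.0) /CreationDate (D:20111014093000Z) >>
endobj
trailer
<< /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# Info keys whose values usually identify people, software or timelines.
SENSITIVE_KEYS = ("Author", "Creator", "Producer", "CreationDate", "ModDate")

# A PDF literal string: "(" ... ")" with backslash escapes allowed inside.
LITERAL = rb"\(((?:[^()\\]|\\.)*)\)"


def find_info_dict(pdf: bytes) -> bytes:
    """Return the raw << ... >> of the object the trailer's /Info entry names."""
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", pdf)
    if not ref:
        return b""
    num, gen = ref.group(1), ref.group(2)
    obj = re.search(rb"(?s)\b" + num + rb"\s+" + gen + rb"\s+obj\s*(<<.*?>>)\s*endobj", pdf)
    return obj.group(1) if obj else b""


def extract_info(pdf: bytes) -> dict:
    """Parse /Key (value) pairs from the Info dictionary (literal strings only;
    hex strings <...> and XMP /Metadata streams are not handled here)."""
    body = find_info_dict(pdf)
    pairs = re.findall(rb"/(\w+)\s*" + LITERAL, body)
    return {k.decode("latin-1"): v.decode("latin-1") for k, v in pairs}


def leaked_fields(info: dict) -> dict:
    """The subset of the Info dictionary a publisher would not want released."""
    return {k: v for k, v in info.items() if k in SENSITIVE_KEYS and v}


def scrub_info(pdf: bytes) -> bytes:
    """Blank the sensitive values inside the Info dictionary.

    Demonstration only: the object is edited in place and the cross-reference
    table is not rebuilt, so use a real tool (ExifTool, qpdf) for production."""
    body = find_info_dict(pdf)
    if not body:
        return pdf
    scrubbed = body
    for key in SENSITIVE_KEYS:
        k = key.encode()
        scrubbed = re.sub(rb"/" + k + rb"\s*" + LITERAL, b"/" + k + b" ()", scrubbed)
    return pdf.replace(body, scrubbed, 1)


if __name__ == "__main__":
    info = extract_info(SAMPLE_PDF)
    for key, value in leaked_fields(info).items():
        print(f"leaks {key}: {value}")
    print("after scrub:", leaked_fields(extract_info(scrub_info(SAMPLE_PDF))))
```

Running it on the sample reports the author name, the authoring and producing software and the creation timestamp as leaks, while the title survives the scrub; those four fields are exactly what a reviewer should look at before a document goes on a public web server.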

EDGAR: the Electronic Data Gathering, Analysis and Retrieval system is a database of the U.S. Securities and Exchange Commission (SEC) that can be used to retrieve the financial status of a company, the names and addresses of key personnel, legal proceedings against the company and other potentially interesting information.

Social Network (SocNet) Profile: social networks provide a lot of information about the target: names, photos, relationships, and habits such as the dates, times and frequency of computer use. They can also be used to build a psychological profile of the target, discovering interests, likes and dislikes, websites visited and so on. Another important element is geolocation, which is provided by services/websites like Bing Map Apps, Facebook, Foursquare, Google Latitude, Gowalla and Twitter.

Email address: the email address can be used to communicate with the target, send spam or malware, perform phishing and so on. Email addresses can be searched for and extracted from various websites, groups, blogs, forums and social networks; a target may use the same or similar nicknames for multiple services, so it's easy to widen the search from the first result.

Mobile footprint: phone number, mobile service operator, OS, installed apps, used browser.

Covert Gathering:
On-location gathering:
  • Physical security inspections
  • Wireless scanning /RF frequency scanning
  • Employee behaviour training inspection
  • Accessible/adjacent facilities (shared spaces)
  • Dumpster diving
  • Types of equipment in use
Offsite gathering:
  • Data center locations
  • Network provisioning/provider
Footprinting (external information gathering):

Passive reconnaissance: WHOIS lookup
Active footprinting:
  • port scanning: it shows which TCP or UDP ports are open and lets you map the network. The best port scanner available nowadays is Nmap (http://nmap.org/).
  • banner grabbing: it reveals service versions, the OS and the running services. Tools commonly used for banner grabbing are Telnet, Netcat (http://netcat.sourceforge.net/) and Nmap (http://nmap.org/).
  • SNMP sweeps: they can offer a lot of information about a specific system. The SNMP protocol is stateless and datagram oriented.
  • SMTP bounce back: it allows the attacker to get information about the victim's SMTP server by abusing Non-Delivery Notifications (bounce messages).
  • Reverse DNS lookup: it translates one or more IP addresses into hostnames, if a PTR (reverse) DNS record exists.
  • DNS enumeration: it performs an in-depth scan of a DNS domain to see whether a zone transfer is possible or to discover hostnames that aren't commonly known.
  • Web application discovery: it scans a target for web application vulnerabilities. Please note that often some vulnerabilities aren't located in the web application itself but in its plugins.
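From the defender's side, the difference between semi-passive and active footprinting comes down to what shows up in logs: a port scan is one source touching many distinct destination ports in a short window. The following Python example, added here and not from the original post, runs that detection over iptables-style firewall log lines using one sliding window per source address. The log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the style of iptables LOG entries as written to syslog.
# Addresses come from documentation ranges; nothing here is real traffic.
SAMPLE_LOG = """\
Oct 14 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44021 DPT=21
Oct 14 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44022 DPT=22
Oct 14 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44023 DPT=23
Oct 14 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44024 DPT=25
Oct 14 10:00:02 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44025 DPT=80
Oct 14 10:00:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44026 DPT=110
Oct 14 10:00:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44027 DPT=143
Oct 14 10:00:03 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44028 DPT=443
Oct 14 10:00:04 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44029 DPT=445
Oct 14 10:00:04 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44030 DPT=3389
Oct 14 10:00:10 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=80
Oct 14 10:00:12 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=51001 DPT=443
Oct 14 10:00:15 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=51002 DPT=443
Oct 14 09:00:00 fw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=60001 DPT=22
Oct 14 09:10:00 fw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=60002 DPT=80
Oct 14 09:20:00 fw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=60003 DPT=443
Oct 14 09:30:00 fw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=60004 DPT=3306
Oct 14 09:40:00 fw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=60005 DPT=5432
Oct 14 09:50:00 fw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=60006 DPT=6379
Oct 14 10:00:00 fw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=60007 DPT=8080
Oct 14 10:10:00 fw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=60008 DPT=8443
Oct 14 10:20:00 fw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=UDP SPT=60009 DPT=161
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}).*?"
    r"SRC=(?P<src>\S+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, proto, dport) or None for lines that don't match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Classic syslog stamps carry no year; strptime defaults to 1900, which is
    # fine because only differences between stamps are used below.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["src"], m["proto"], int(m["dport"])


def detect_port_scans(lines, window_seconds=60, min_ports=8):
    """Return {src: (distinct_ports, window_start, window_end)} for every source
    that touched at least `min_ports` distinct (proto, port) pairs inside any
    `window_seconds` span; the entry keeps the widest window seen."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            ts, src, proto, dport = ev
            by_src[src].append((ts, (proto, dport)))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        window = deque()                 # (ts, key) events inside the window
        in_window = defaultdict(int)     # key -> number of hits still in window
        for ts, key in events:
            window.append((ts, key))
            in_window[key] += 1
            # Drop events that have aged out of the window.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                old_ts, old_key = window.popleft()
                in_window[old_key] -= 1
                if in_window[old_key] == 0:
                    del in_window[old_key]
            if len(in_window) >= min_ports:
                prev = alerts.get(src)
                if prev is None or len(in_window) > prev[0]:
                    alerts[src] = (len(in_window), window[0][0], ts)
    return alerts


if __name__ == "__main__":
    for src, (n, start, end) in detect_port_scans(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} distinct ports between {start:%H:%M:%S} and {end:%H:%M:%S}")
```

With the default 60-second window only the fast scanner is reported; the ordinary client on ports 80 and 443 never approaches the threshold, and the slow source that probes one port every ten minutes is missed. Widening the window to a day catches the slow one too, which is the trade-off the semi-passive paragraph above alludes to: the quieter the collection, the longer the window a defender needs to see it.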
Identify protection systems:
  • Packet filters
  • Traffic Shaping Devices
  • DLP Systems
  • Encryption / Tunneling
  • Host based protections
      • Stack / Heap protections
      • Application whitelisting
  • Identify application protections
      • Encoding options
      • Potential bypass avenues
      • Whitelisted pages
  • Storage protections
      • HBA - Host level
      • LUN Masking
      • Storage controller
      • iSCSI CHAP Secret
  • User Protections
      • AV/Spam filtering software

Watch the presentation "Osint Beyond The Basics" by Rick Hayes and Karthik Rangarajan at DerbyCon 2011:


Wednesday, October 5, 2011

Pre-engagement Interactions

The picture below shows all the pre-engagement activities:


NETWORK PENETRATION TEST
  1. Why is the customer having the penetration test against their environment?
  2. Is the pen test required for a particular compliance requirement?
  3. When does the customer want you to execute the active parts of the pen test?
  4. What's the range of IP addresses? Are they internal? External?
  5. Are there security protections on the systems? What are they?
  6. What if the penetration is successful? Does the customer want you to try to escalate privileges and crack passwords?
WEB APPLICATION PENETRATION TEST
  1. How many web applications are being assessed?
  2. How many logins?
  3. How many static or dynamic pages?
WIRELESS NETWORK PENETRATION TEST
  1. How many wireless networks are there?
  2. Do they require an authentication?
  3. What type of encryption is used?
  4. How many clients will be using the wireless network?
PHYSICAL PENETRATION TEST
  1. How many locations are being assessed?
  2. How many floors are there?
  3. How many entrances are there?
  4. Are there guards?
  5. Are there video cameras?
SOCIAL ENGINEERING
  1. Will the client provide email addresses or phone numbers of personnel that we can attempt to social engineer?
  2. How many people will be targeted?
----------------------------------------------------------------------------------
  • Specify start and end date: this gives the project a definite end.
  • Specify IP ranges and domains: you have to be sure that the customer has authorised you to test every target. If you discover after testing that some IP addresses don't belong to machines owned by the customer, it's too late.
  • Deal with third parties: if a server is hosted by a hosting provider, you'll also need permission from the hosting provider before proceeding.
  • DoS testing: be sure your customer has explicitly allowed it, because stressing the network may leave important services unavailable until the end of the test.
  • Emergency contact information: you'll need contacts you can use to reach your customer 24/7 in case of emergency.
  • Encryption is not optional: since sensitive data from the customer's systems is being handled, all the testing has to be done over encrypted sessions and communications such as emails must be encrypted; when possible, choose face-to-face meetings.
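The scoping points above (dates, IP ranges, domains, third parties) can be turned into a check that runs before every active step. The Python class below is an added example, not part of the original post: it encodes an engagement's authorised networks, domains, client exclusions and dates (all constructed values) and returns a verdict with a reason for each candidate target, so an address outside the agreed ranges or a host the client carved out is caught before, not after, testing.

```python
import ipaddress
from datetime import date

# Constructed rules-of-engagement values: what the signed scope authorises.
AUTHORIZED_NETWORKS = ["198.51.100.0/24", "203.0.113.0/28"]
AUTHORIZED_DOMAINS = ["example.com"]
EXCLUDED_HOSTS = ["198.51.100.250"]   # e.g. a production box the client carved out
ENGAGEMENT_START = date(2011, 10, 17)
ENGAGEMENT_END = date(2011, 10, 28)


class Scope:
    """In-scope / out-of-scope decisions for a single engagement."""

    def __init__(self, networks, domains, excluded, start, end):
        self.networks = [ipaddress.ip_network(n, strict=False) for n in networks]
        self.domains = [d.lower().strip(".") for d in domains]
        self.excluded = {ipaddress.ip_address(h) for h in excluded}
        self.start, self.end = start, end

    def active_on(self, when):
        """Active testing is only allowed inside the agreed dates."""
        return self.start <= when <= self.end

    def check(self, target):
        """Return (allowed, reason) for an IP address, a CIDR range or a hostname."""
        try:
            if "/" in target:
                return self._check_range(ipaddress.ip_network(target, strict=False))
            return self._check_ip(ipaddress.ip_address(target))
        except ValueError:
            return self._check_host(target)   # not an IP literal: treat as a name

    def _check_ip(self, ip):
        if ip in self.excluded:
            return False, "explicitly excluded by the client"
        if any(ip in net for net in self.networks):
            return True, "inside an authorised network"
        return False, "not in any authorised network (possibly a third party)"

    def _check_range(self, net):
        # A range is only cleared when every address in it is cleared.
        if any(ex in net for ex in self.excluded):
            return False, "range contains an excluded host; split it first"
        if any(net.subnet_of(auth) for auth in self.networks if auth.version == net.version):
            return True, "range fully inside an authorised network"
        return False, "range not fully covered by the authorised networks"

    def _check_host(self, hostname):
        host = hostname.lower().rstrip(".")
        # Match the domain itself or a label under it; a plain substring test
        # would wrongly accept names like example.com.evil.net.
        if any(host == d or host.endswith("." + d) for d in self.domains):
            return True, "under an authorised domain"
        return False, "hostname not under any authorised domain"


def vet_targets(scope, targets):
    """Split candidates into those cleared for testing and those to raise with
    the client (with the reason) before any active work starts."""
    cleared, blocked = [], {}
    for t in targets:
        ok, reason = scope.check(t)
        if ok:
            cleared.append(t)
        else:
            blocked[t] = reason
    return cleared, blocked


if __name__ == "__main__":
    scope = Scope(AUTHORIZED_NETWORKS, AUTHORIZED_DOMAINS, EXCLUDED_HOSTS,
                  ENGAGEMENT_START, ENGAGEMENT_END)
    candidates = ["198.51.100.7", "198.51.100.250", "203.0.113.20", "www.example.com",
                  "example.com.evil.net", "198.51.100.0/25", "198.51.100.128/25"]
    cleared, blocked = vet_targets(scope, candidates)
    print("cleared:", cleared)
    for t, why in blocked.items():
        print(f"blocked {t}: {why}")
    print("active on 2011-10-20:", scope.active_on(date(2011, 10, 20)))
```

The range check is deliberately strict: a /25 that contains the one excluded host is refused as a whole rather than silently trimmed, so the tester has to split it and confirm with the client, which is exactly the conversation the "too late" sentence above is warning about.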
Penetration testing phases

Pen testing isn't a random collection of information or delivery of attacks: every step must be well organised according to the specific situation and carried out in a professional way.
Things to remember:

1) You will need a letter from the individual or organization who asked you to pen test their infrastructure stating that you are authorized to do so.
2) Being authorized to hack into their systems doesn't mean that you can damage systems or cause data loss. You should tell your customer to back up all their data before the test starts, you have to define the types of attacks allowed, and you have to avoid destroying valuable targets.
3) Well, you have done your job, or at least you think you have. Pen testing isn't limited to penetrating a system: at the end of your job you have to produce a fully comprehensive report of all the steps that allowed you to gain access to the systems, the tools or methods you used, the level of control you reached, the possible risks and threats, and the consequent countermeasures to adopt in order to prevent some black hat from taking control of the system with not-so-good intentions :).

Following are the main sections defined by the standard as the basis for penetration testing execution:

  • Pre-engagement Interactions
  • Intelligence Gathering
  • Threat Modeling
  • Vulnerability Analysis
  • Exploitation
  • Post Exploitation
  • Reporting
Below is the link to the Penetration Testing Execution Standard Guidelines:

Tuesday, October 4, 2011

Here we are: Are you an Ethical hacker?

Well, first of all I want to thank you guys for joining my blog! There are many blogs out there, but since I believe I can provide good quality content, here I am. Computers have become part of our routine nowadays, so what are the PROS (+) and the CONS (-)?
+ they can do tasks rather fast
+ they can communicate through a network and reduce the distance between people
+ they can help us store a huge amount of data and retrieve it using simple queries
+ they push us to be objective by using math and logic (not bad, uh?)
"There are only 10 types of people in the world: those who understand binary, and those who don't"
How long did it take you to get it? :D

- they can be addictive at times :P
- they can be used to attack other computers, violate privacy or steal private contents


Computers are just an extension of our mind: we ask them to do something and, as long as we are able to translate our thoughts into a program, they just execute every command line by line. They are powerful instruments, but they are just machines with no soul, and it all depends on whether you want to create something society considers useful, useless, nice, tasteless or harmful.
"With great power comes great responsibility"

A hacker is a computer security expert with a great knowledge of the main operating systems, programming languages, network interfaces, and client- or server-side application bugs and vulnerabilities: a scientist of IT.
A person who uses hacking tools without having great programming skills is called a newbie or script kiddie, or can be addressed by the derogatory name lamer.
Not all hackers are the same, so it's time to distinguish them.
BLACK HAT VS WHITE HAT

Often ordinary people are scared when they hear the term "hacker" on TV; this is sometimes justified by the bad actions committed, but other times it's just a big prejudice.
