Port scanning and network discovery
Executive Summary
This penetration testing report concerns the infiltration of the AlheimLabs system. Following an initial briefing, the preliminary objective was established as attaining root-level privileges, using suitable strategies and tools via an established process, thus compromising the confidentiality, integrity or availability of AlheimLabs (‘the target’). The formal engagement began 22 August 2021. This report outlines both the scope of this engagement and the findings following successful compromise and control of this system. This engagement was conducted in line with the reputable industry-standard code of ethics constructed by the International Information Systems Security Certification Consortium (ISC)² (ISC2, 2007). Additionally, a client-service agreement (CSA) was signed by both parties (‘the agreement’) prior to any penetration testing (‘pentest’). The CSA was also inclusive of a non-disclosure agreement (NDA). As will be further detailed in the following section, the signed CSA combined with the scope-of-work (SOW) agreement constitutes the signed and sanctioned pentesting engagement for a defined SOW.
Various methodologies outlined in subsequent sections underpin the engagement. Primarily, aspects of the Penetration Testing Execution Standard (PTES) and the Information Systems Security Assessment Framework (ISSAF) were integrated with the established pentest stages per Weidman (2014a) and PTES (2017): pre-engagement, information gathering, threat modelling, vulnerability assessment, exploitation, post-exploitation and a final reporting stage.
1.0 Introduction
1.1 Objectives and scope
As previously discussed, following the signing of the agreement the SOW was established, which included compromising the system over the network. The SOW also included the pursuit of five flags: an established process representing validation points of exploitation (Dalalana Bertoglio & Zorzo, 2017; Regalado et al., 2015; Social-Engineer, 2017; Weidman, 2014a). As will be detailed further, local, physical or other attacks requiring direct interaction with the target system were not requested and are thus out of scope. Also out of scope were social engineering and any hosts/IPs outside the target.
1.2 Types of tests
Based on industry-wide definitions, this engagement falls between grey-box and black-box testing (Regalado et al., 2015; Weidman, 2014a). Whilst it is the case that a system has been provided, given that we have no login details nor any system information at all, this environment more closely resembles a black-box scenario.
1.3 Ethical Considerations
It is important to reiterate the ethical standards under which this engagement was completed; as such, all individuals involved with the pentest agreed in the CSA that all findings, information and data are treated confidentially via an NDA instrument. It is also important to note that all findings must be considered as a whole and that this report must be considered in its entirety. Any organisational decisions to implement recommendations are at the discretion of the client.
2.0 Defined Methodology
The methodology was outlined in an initial briefing with the client prior to any testing. Dalalana Bertoglio and Zorzo (2017) provided an impressive comparative study of a number of methodologies, each presenting some advantages and disadvantages. As briefly discussed, the pentesting methodology formulated prior to testing draws upon aspects of PTES and ISSAF. The PTES methodology provides several advantages, particularly in the planning stage and for scoping. This was specifically cited in the study, and figure 2 outlines further comparisons between methodologies. ISSAF was also chosen for its ability to map well onto the pentest stages outlined previously (pre-engagement, information gathering, threat modelling, vulnerability assessment, exploitation, post-exploitation and a final reporting stage).
Figure 2: Dalalana Bertoglio and Zorzo (2017) conducted a comparative study of various pentest processes and methodologies
The traditional ISSAF has three stages: planning/preparation, assessment, and the clean-up/artefact-destruction/reporting stage (Dalalana Bertoglio & Zorzo, 2017). As discussed, the pentesting stages drawn from Weidman (2014a) and used in this engagement map well onto this general framework, though as can be seen in figure 3 and outlined in the following sections, the hybridised methodology gave more depth to the ISSAF assessment stage, whilst aspects of the clean-up/artefact-destruction/reporting stage were not required by the client.
2.1 Information Gathering
Whilst the first step of this engagement was the pre-engagement stage, a pre-engagement document has previously been delivered to the client and will not be further detailed here. Regarding this report, the first stage of the pentest was information gathering. Whilst this can often involve open source intelligence gathering (OSINT), this was not required for this engagement. This is also an enumeration step, so tools such as port scanners are developed and utilised: NMAP was utilised, as was a custom-built scanner (refer to appendix A). The objective of this step is to learn as much about the target system as possible without actively attacking it (Weidman, 2014b). For example, are internet-facing servers listening on unnecessary ports? What notable software is running? What OS is running? What IP ranges exist? What user accounts exist? The knowledge obtained in this stage is used in the threat modelling stage, where plans of attack are developed. Prior to a pentest, the range of possibilities is potentially limitless without knowing much about the system: there could be a myriad of programs running with security vulnerabilities, misconfiguration issues may exist, and it is unknown which live hosts exist, which ports are open and which services can be identified.
2.1.1 Port scanning and network discovery
Both the PTES and ISSAF methodologies address the concept of network discovery and mapping (Dalalana Bertoglio & Zorzo, 2017). This is the process of establishing the hosts on the network in preparation for the threat modelling and vulnerability assessment stages (Regalado et al., 2015; Weidman, 2014b). PTES discusses the mapping of networks in the information gathering stage and defines a “target list” to include: mapping OS versions, patch levels, web applications, lockout thresholds and port maps (PTES, 2017). ISSAF defines the options for network discovery and mapping to include: live host discovery, port/service scanning, perimeter network mapping (routers, firewalls), identifying critical services, and service and OS fingerprinting (OISSG, 2004).
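The port/service scanning step described above, and the "unnecessary ports" question from section 2.1, as an added illustration written for this report: a concurrent TCP connect scan whose open-port list is diffed against an allowlist of documented services. This is not the appendix A scanner or NMAP; the host (127.0.0.1), the throwaway listener and the allowlist are constructed for the demonstration.

```python
"""TCP connect scan of a host plus an allowlist check for unexpected listeners.

Added illustration for this report, not the appendix A scanner itself.
The demo runs against 127.0.0.1 and opens its own throwaway listener.
"""
import socket
from concurrent.futures import ThreadPoolExecutor


def tcp_connect_probe(host, port, timeout=0.5):
    """True if the TCP handshake completes, i.e. something is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # refused, timed out or unreachable: treat as closed
            return False


def scan_ports(host, ports, timeout=0.5, workers=32):
    """Probe each port concurrently; return the sorted list of open ports."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        verdicts = pool.map(lambda p: (p, tcp_connect_probe(host, p, timeout)), ports)
    return sorted(p for p, is_open in verdicts if is_open)


def unexpected_ports(open_ports, allowlist):
    """Open ports absent from the documented per-host service allowlist."""
    return sorted(set(open_ports) - set(allowlist))


def bind_local(listen):
    """Bind a throwaway socket on 127.0.0.1: listening (open) or bound only (closed)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))  # 0 = kernel-assigned ephemeral port
    if listen:
        sock.listen(5)
    return sock


if __name__ == "__main__":
    open_sock, closed_sock = bind_local(True), bind_local(False)
    targets = [open_sock.getsockname()[1], closed_sock.getsockname()[1]]
    found = scan_ports("127.0.0.1", targets)
    print("open:", found)
    # Constructed allowlist holding only the listening port, so nothing is flagged.
    print("unexpected:", unexpected_ports(found, allowlist=[targets[0]]))
    open_sock.close()
    closed_sock.close()
```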
2.2 Threat modelling
Following the information gathering stage the threat modelling step involves developing attack plans from the perspective of an attacker (Weidman, 2014b). This is a prioritisation and efficiency process that assists with ranking the risk to assets that may exist. Per the PTES methodology this engagement defined this as “delivering an engagement that closely emulates the tools, techniques, capabilities, accessibility and general profile of the attacker, while keeping in mind what are the actual targets inside the organization such that the more relevant controls, processes, and infrastructure are put to the test rather than an inventory list of IT elements” (PTES, 2017).
2.3 Vulnerability assessment
Before exploits are pursued there is the next stage, vulnerability assessment. This involves searching for problems that will be actively compromised in the exploitation stage (Weidman, 2014b). This does not constitute simply running automated exploitation tools; manual research and “critical thinking” are important in this stage (Weidman, 2014b). For example, the Common Vulnerability Scoring System (CVSS) is one research tool utilised to rank any vulnerability discovered, as will be further outlined. The cumulative output from NMAP, Nessus, vulnerability scanners, CVE research and other manual research (e.g. finding credentials/usernames for password discovery) essentially forms this stage. It is the process of actively discovering vulnerabilities to inform the likelihood of success of a particular exploit strategy, as inadequately planned exploit strategies can crash services and set off intrusion prevention/detection systems (Weidman, 2014b).
2.4 Exploitation
Per the PTES methodology, on the journey through the exploitation phase into the post-exploitation phase “the attack vectors should rely solely on the mission of circumventing security controls”, in order to reflect how the target can be significantly compromised (PTES, 2017).
2.5 Post Exploitation
Many pentesters declare that a pentest engagement only truly begins post-exploitation (Weidman, 2014b). This means that post-exploitation is an incredibly important stage that gives the compromise meaning for the organisation and can even assist in pivoting into other systems where these have been discovered. These are reflected in the recommendations of this report. Both the PTES and ISSAF methodologies provide detailed measures on everything from persistence infrastructure to implementing backdoors. The breadth and depth of any post-exploitation strategy are obviously determined by the nature, scope and results of the engagement, though it is important to recognise the general importance of this stage.
2.6 Reporting
As might be self-explanatory, the final stage of this methodology is the reporting stage, manifested by this report. The results and recommendations form the culmination of the previous steps and are reported in this document. The recommendations are explained in as general and non-technical language as possible.