Penetration testing concept

• Penetration testing is a technology and method that simulates attacks , A security test method that frustrates the security control measures of the target system and obtains control access .

• Network penetration test is mainly based on CVE(Common Vulnerabilities and Exposures) Security vulnerabilities that have been found , Simulate the attack method of intruders to apply to the website 、 The server system and network equipment are tested for non-destructive attack .

• The need for ：

  • There may be unknown risks in the new system
  • Save against a rainy day
  • After professional penetration testing , Even if the system is not broken , It can also prove that the previous defensive measures are effective .
  • Professional penetration testing can effectively evaluate the security status of the system , Put forward reasonable improvement plan .

• Classification of penetration test methods

  • Black box testing
  • White box testing
  • Grey box testing

• Penetration test By target

  • Host operating system penetration test
  • Database system penetration test
  • Application system penetration test
  • Network equipment penetration test
  • Intranet penetration test
  • Internet penetration test

• Penetration testing process

  • Pre interaction
    • Determine scope ： Time estimates 、 Scope determination 、 Q & a conversation 、 Identify test resources
    • Goal planning ： Set goals 、 Business analysis and demand analysis
    • Establish communication channels ： Emergency contact 、 Emergency response process 、 Progress reporting cycle 、 Encrypted communication , Contact information of the third party
    • Interactively determine rules ： Timeline 、 place 、 Control baseline 、 Disclosure of sensitive information
  • Intelligence gathering
    • DNS Probe 、 Operating system fingerprint discrimination 、 Apply discrimination 、 Account scanning 、 Configuration discrimination, etc
    • Commonly used tools ： Commercial network security vulnerability scanning software Nessus, Open source security tools Nmap etc. , Many built-in functions of the operating system can also be used for information collection ：telnet、nslookup、IE etc.
    • 21-ftp 22-ssh 80-http 443-openssl 445 --smb,ms08-067,ms17-010 1433 -mssql, Weak password 1521-oracle 3389 -win long-range , Weak password 6379-redis Unauthorized access , Weak password 8080-tomcat Loophole
    • Black box web penetration ： Known vulnerabilities CMS,sql Inject 、 Command injection 、 File upload includes reading 、xss、xxe、 Logical loopholes , Mail server ： go fishing 、 Pass the password 、 password
  • Threat modeling
    • Use the information obtained by intelligence collection , Identify possible vulnerabilities
  • Vulnerability analysis
    • Analyze which attack methods are feasible , Focus on port and vulnerability scanning results
  • Penetration attack
    • Penetration attacks that conduct in-depth research and testing on the target system
    • Include ： Precision strike 、 Bypass the defense mechanism 、 Customize the penetration attack path 、 Bypass the monitoring mechanism 、 Trigger attack response control measures 、 Penetration code testing
  • Post penetration attack
    • Infrastructure Analysis 、 Plunder sensitive information 、 Hide the trace 、 Persistence
  • The report

    

  • Report submission

    

APT(Advanced persistent threat): High level persistent threat

• Concept ： Use various advanced attack methods , Organize high-value goals 、 Have long-term persistent cyber attacks .

• describe ：apt It refers to the attacker or attack organization through including 0day Loophole 、 Fishing and other means , A highly purposeful long-term control of a target in a highly secretive situation .

• apt The analysis model ： Network kill chain

  • Reconnaissance information gathering
  • Weaponization Weapon carrier , Get ready exp/payload
  • Delivery Load delivery
  • Exploitation Exploit
  • Installation Install the implant （ Malware ）
  • Command & Control Establish remote control Easy access to
  • Actions on Objective Achieve the desired effect

• Purpose ： The purpose of penetration test is to evaluate the security of computer network system , and apt The purpose of is to carry out organized and long-term continuous control of goals .

• Means and methods ： Penetration test is to test the target by using the allowed simulated hacker attack , and apt Use any high-tech means to attack

• The results on ： Penetration testing improves the security level of the target system ,apt It will be seriously damaged by the target system .

Standard penetration test process

• information gathering

  • whois： Domain name query
  • whatweb： fingerprint identification
    Identify website information , For example, what is used CMS, What server and what web Container, etc .
  • tool.chinaz.com/subdomain/: Simple subdomain name query
  • Fishing and social workers

• Looking for Internet access

  • 21-ftp 22-ssh 80-http 443-openssl、https 445 --smb,ms08-067,ms17-010 1433 -mssql, Weak password 1521-oracle 3389 -win long-range , Weak password 6379-redis Unauthorized access , Weak password 8080-tomcat Loophole
  • Black box web penetration
    • The old version cms, Document leakage ,sql Inject , Command injection , File upload includes reading ,xss,xxe, Logical loopholes
  • Mail server

• Authority maintenance and promotion

  • Hide the back door
    • Avoid using common keywords ： If in php of use assert Instead of eval
    • Use all kinds of back door writing , Such as hiding the back door in the picture 、404 Horse 、 Memory horse, etc .
      404 Horse Use hander Function to write a 404 page , The original intention is to implement another php file
      Memory horse means that the connection is re established when the Trojan horse is deleted , The cleaning method is shutdown and restart
      In order to ensure smooth service, the server usually does not shut down
  • What is permission maintenance ？
    • When obtaining system user permissions or high-level user permissions , Gain long-term control of the target by hiding the back door and doing a good job of avoiding killing
  • What is privilege escalation ？
    • You may be a low authority user when entering the system , After taking measures, it will be promoted to high authority users

• Intranet penetration

  • Extranet 、DMZ District 、 Intranet
    DMZ Area is the network area between the external network and the internal network
  • Attack from the Internet , First, take DMZ Control authority of the zone , Then take this to launch penetration attacks on the intranet

• Trace removal

  • Clear history
  • Clear the command execution record
  • Clear the operation log