Book Review: “Advanced Penetration Testing for Highly Secured Environments: The Ultimate Security Guide”

You may have layers of security, popularly known as “Defense in Depth”, but are your security features set up properly? Are there configuration errors that a vulnerability scan will not find?

What information is being broadcast by your computers, company, or employees that doesn’t show up in a software scan?

Many companies think that if they just run a vulnerability scan and it passes, they are good. But is a clean scan an accurate test of your network security?

Even if you have a secured environment, how could you test it using the actual techniques that a hacker would use, to see if your security is up to the challenge?

Enter “Advanced Penetration Testing for Highly Secured Environments: The Ultimate Security Guide”, the latest book by Lee Allen, published by Packt Publishing.

From preparing the scope of a pentest, to learning the tools of pentesting, to building a virtual lab and running a full mock pentest in it, this book truly is the ultimate security guide!

Here is a quick overview of the main topics:

Reconnaissance

Learn about DNS data-siphoning techniques, Shodan, and the Google Hacking Database. The chapter also covers numerous tools that help recover network, computer, and user information, and sometimes even user documents.

Enumeration

This section includes a very good tutorial on Nmap scanning, including using decoys and zombie hosts (idle scans) in your scans, and a look at gathering pertinent information from SNMP.

Exploitation

Exploitation covers installing Kioptrix (a purposely vulnerable Linux install) and running attacks against it from the BackTrack system. In this chapter the reader learns how to retrieve service information from the target system, search the Exploit-DB database (online and in the copy included with BackTrack) for exploits against it, and, once an exploit is found, compile and use it from BackTrack.

The chapter then covers transferring data to and from the target system, cracking passwords, and finally exploiting the machine with the Metasploit Framework.

Web App Exploitation

Covers creating a virtual lab by installing Kioptrix Level 3, pfSense (firewall), HAProxy (load balancer) and Irongeek’s Mutillidae (which implements the OWASP Top 10 vulnerabilities). The author covers detecting load balancers and web application firewalls (WAFs) and scanning with the Web Application Attack and Audit Framework (w3af). You also learn how to use WebScarab to record and analyze your pentest, and are introduced to Mantra, the pentester’s browser plug-in toolkit.

Client Side attacks

Client-side attacks are covered, including buffer overflows, fuzzing, and David Kennedy’s (ReL1K) Fast-Track and Social-Engineer Toolkit (SET).

Post Exploitation

This chapter explains data and service enumeration on the compromised system: which files to try to recover, which logs to analyze, and what processes and networking details to view on both Linux and Windows systems. Finally, it covers using the exploited machine to scan or gain access to other hosts via pivoting.

Conclusion

The book also covers bypassing firewalls, avoiding detection, data-collection tools and reporting.

Okay, after you have learned all of this excellent information, what are you going to do with it? Why not put it to the test in the last two chapters, where you build a full testing lab and then run through a mock penetration test using the lab and all the skills you have learned from the book.

This book is packed with excellent training and tutorials. The author masterfully walks you through each section with step-by-step instructions, including screenshots. It is easy to read and follow, for novice and expert alike. If you are new to pentesting or want to learn more about it, this is the book for you.

I highly recommend this book.


Backtrack Video: Introduction to Metasploit

Intro to Metasploit by Jeremy Druin (@webpwnized).

This is the fifth in a series of classes Jeremy Druin is giving on pen-testing and web app security, featuring Mutillidae, for the Kentuckiana ISSA. This one covers Metasploit.

From Irongeek.com.

Adrian Crenshaw (Irongeek) is the creative genius behind “Mutillidae”, the purposely vulnerable web application for learning about the OWASP Top 10. Check out Adrian’s site for many more videos and some great security information.

Is Sandboxing the End-All Solution?

When you have millions of lines of code, as you do in an operating system, you will have bugs. Hackers can use these coding bugs to build exploits, and Microsoft and Adobe products have been favorite targets. But how do you protect software from hackers when the bugs themselves are still unknown?

The answer just might be sandboxing. But what is sandboxing? According to Wikipedia:

A sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third-parties, suppliers and untrusted users. The sandbox typically provides a tightly-controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted. In this sense, sandboxes are a specific example of virtualization.

We see this technology in virtual machines. Several guest operating systems can run on one host system, and each has its own memory space, disk storage, etc. They share a single physical machine but are isolated from each other unless the hypervisor is configured to let them communicate. The same kind of isolation is being used in the development of secure operating systems, where the user space is not allowed to communicate with (or, in theory, infect) the core functions of the system.

Programs can be sandboxed too. Google and Adobe have added sandboxing to their Chrome and PDF Reader products. If the product is compromised, the sandbox should limit the attacker’s ability to reach the rest of the system.

But how well will this work? Sandboxing is a great idea and will help a lot in dealing with buggy code, although in reality it is just another layer of defense. Granted, it adds to the difficulty of penetration, but over time it will be bypassed just like everything else is.

Unfortunately security, like anti-virus, is a constantly evolving process. As soon as a new anti-virus definition comes out for the latest virus, three more new viruses are detected. The same is true across the security field: when a new security product comes out to address an issue, exploits and ways to bypass it follow shortly after.

At this point in the game, your hope is that you have added enough protection to your systems that the attacker gives up and moves on to easier prey. And that you keep logs and monitor your systems in case they don’t.

SANS Webcast: Manipulating Web Application Interfaces

Complimentary security webcast today at SANS.org. Today, April 19, at 1:00 pm, SANS presents “Manipulating Web Application Interfaces”:

Not much has changed since the beginning of web application penetration testing in terms of the process for performing manual input validation tests. Place a client proxy between the browser and the application, generate requests, intercept them and modify the HTTP parameters.

It’s true that we have seen some nice improvements at the client-proxy level (compare the old Achilles to the latest version of Burp Suite), but the general approach still remains the same. This webcast will propose a new way to look at input data and a new approach to manually testing it. It will introduce Groundspeed, a Firefox add-on that allows the penetration tester to manipulate the interface of web applications in order to adapt it to the penetration test’s needs, removing the annoying client-side limitations and making the test more efficient.

Felipe Moreno will present the webcast; he is a New York City security professional and a member of the Information Security Team at Markit Group. You need to register for the event before the webcast begins.