FEB
1.What is your penetration testing methodology?
- Typical penetration testing methodology includes below steps:
- Information Gathering
- Planning and Analysis
- Vulnerability Identification
- Exploitation
- Risk Analysis and Remediation Recommendation
- Reporting
2. What are common network vulnerability identification steps?
- Fingerprinting – Obtain information on open ports, services, OS
- Vulnerability Scanning – using tools like Nessus, Nexpose
- Brute force default accounts – using password cracking tools
- Manual penetration testing
- Packet analysis – using tools like WireShark
- Analyse cryptographic issues
- Test published vulnerabilities specific to OS/Software/Service
- Phishing attacks
3. What are common ports and services to focus on during penetration testing?
Ideally, only required ports should be enabled and all other ports need to be disabled. Common ports to look for during penetration testing are:
- Port Service
- 20 FTP – TCP {Data Stream} (File Transfer Protocol
- 21 FTP – TCP {Control Stream}
- 23 Telnet
- 25 SMTP – TCP (Simple Mail Transfer Protocol)
- 53 DNS – TCP/UDP (Domain Name Service)
- 69 TFTP – UDP (Trivial File Transfer Protocol)
- 80 HTTP – TCP (Hypertext Transfer Protocol)
- 110 POP3
- 135, 139 NETBIOS -UDP (Network Basic Input Output System)
- 137, 138 NETBIOS – TCP
- 143 IMAP
- 389 LDAP – TCP/UDP (Lightweight Directory Access Protocol)
- 445 SMB – TCP ( Server Message Block)
- 2049 NFS v4 – TCP (Network File System)
- 5060 SIP – TCP/UDP (Session Initiation Protocol)
4. Why windows is considered less secure than other OS?
- Windows is the widely used Operating System. Hence, it is the target for many hackers.
- User account management in Windows is not very secure. Attackers first target is to crack windows user names and passwords on a organization network and then escalate privileges to Domain admin account.
5. What tools do you use for Network Penetration testing?
Kali linux has many open source penetration testing tools
- Port Scanners: Nmap
- Network Vulnerability Scanners: Nessus, Nexpose
- Packet analysis: WireShark
- Web proxy: Burp Suite, OWASP ZAP
- Web Scanners: WebInspect, AppScan, Burp Suite Professional
Reference: Security Products / Tools
6. List common network security vulnerabilities.
- Insecure open ports and services
- Authentication
- Authentication Bypass
- Default accounts enabled
- Weak passwords
- Plain text passwords
- Authorization
- Privilege Escalation
- Gaining access
- Improper Input Validation
- Cryptography
- Weak encryption
- Weak keys
- Denial of Service
- SYN flood
- UDP flood
- ICMP flood
- Ping to Death
- Distributed Denial of Service
- System Configuration
- Unpatched software
- Liberal access control
- Sensitive Information Leakage
- ARP Spoofing
- Vulnerabilities specific to Software or Operating System or Network Devices
7. What are common levels of network penetration testing?
- External penetration testing
- Testing the network from external network reveals vulnerabilities from external attackers perspective.
- Internal penetration testing
- Internal penetration testing allows testers to get additional access to internal assets and helps to assess threats from internal malicious users. Internal penetration testers need to crack the NAC and test network by connecting to the intranet.
8. What is the use of NIS
NIS – Network Information Service is commonly used for managing user credentials across a group of machines. It is a client-service directory service protocol for storing users and hostnames in a network. For instance, linux machines use /etc/hosts, /etc/passwd, /etc/shadow to store host names, list of users, secret auth hashes respectively.
9. How do you penetrate into an organization network in Internal penetration testing?
- Network Access Control (NAC) Bypass
- Crack user accounts
- Obtain Domain Controller access
- Escalate privileges to Domain Controller
- Obtain access to shared drives or FTP
- Retrieve sensitive files on shared drives or FTP
- Obtain DBA / sa account on databases
- Crack SMTP packets
10. What is NAC?
Network Access Control (NAC) enforces user authentication, endpoint security on devices connected to a network. Networks with NAC only allow devices that comply to the organization security policy. Meaning, any external device cannot obtain network access by connecting to a open LAN port of a network that implements NAC.
11. How do you bypass NAC?
Bypassing NAC is the first goal of a network pentester. Below are the easiest ways to bypass NAC:
- Connect to a open port using an ethernet cable and check if you can access the organization internet
- By spoofing IP Address / MAC address of a valid network device like a VOIP phone or a printer.
References for techniques to bypass NAC:
12. How can you obtain access to FTP servers?
- First, identify all the FTP servers on the organization network (eg: 192.168.1.1/24). Below nmap command can be used to obtain all the servers with FTP ports (20, 21) open.
- nmap -p 20,21 192.168.1.1/24 -vvv –randomize-hosts -sS -sV -oG –excludefile exclude.txt >> nmap_ftpservers.txt
- Check if any of the FTP servers have anonymous account enabled
- Type “ftp://[server name]” in browser
- Enter username as “Anonymous”
- Password as your email address
- Verify whether you are able to access the folders in the FTP server
- Check if any cracked user accounts work on FTP servers
- Brute force passwords for valid user accounts. Valid username and blank password could work some times.
13. How do you get sensitive files on the shared drives or FTP?
- We can search for words like “username”, “password”, “credit card”, “client data” in file search box
- Windows Grep is a useful tool to search file shares for sensitive files
14. What are the ways to crack database accounts?
- Check if default database accounts / passwords are enabled
- For Oracle DB, defaults dba user accounts are sys, system.
- For SQL Server, default administrator account is SA
- Note: These accounts should be disabled for better security
- Try to brute force passwords for DB administrator accounts
- Below are the metasploit commands to crack SA account on SQL Server
- use auxiliary/scanner/mssql/mssql_login
- set pass_file /usr/share/set/src/fasttrack/wordlist.txt
- set RHOSTS [IP]
- set threads 8
- run
- Caution: You may be caught by the organization intrusion detection system if you brute force passwords of SA accounts!
- Below are the metasploit commands to crack SA account on SQL Server
15. What is risk if database accounts are compromised?
If database administrator accounts (e.g: sa, dba) accounts are compromised, whole data in the database which could include Personally Identifiable Information (PII), user credentials can be compromised. The database could be deleted or shutdown which could cause Denial of Service (DOS) for some applications.
16. What tools/infrastructure do you have on your pentesting lab?
- Kali 2.0 VM
- Nmap
- Wireshark
- Responder
- Metasploit
- John the Ripper (password cracker)
- Burp Suite
- Windows 7 VM
- Power Shell
17. When network controls would you recommend to strengthen network security of an organization
- Implement Network Access Control (NAC) properly.
- Do not leave unattended network ports or rogue Wifi on the network
- Secure File Shares. Do not use anonymous FTP accounts.
- Implement proper authentication / authorization to Domain Controllers.
- Implement strong password policy
- Encrypt user passwords. Do not allow users to store passwords on their machines.
- Implement appropriate network, host, web firewalls.
- Regularly identify and remediate network vulnerabilities using tools like Qualys, Nexpose, Nessus
- Implement appropriate Intrusion Detection System, Intrusion Prevention System.
- Implement proper network segmentation
No comments:
Post a Comment