Penetration Testing Tactics and Techniques

 
Engineering Secure Software
 
 
Testing that Digs Deeper
 
Penetration testing is about attempting to
exploit as much as possible (ethically)
 
Purposes
Demonstrate the person-hours required to break in
Create a real scenario
 
Compared to typical SE testing
Typical: “found a stacktrace! Report bug”
Pentesting: “how can we use this stacktrace?”
Map out a long set of chains of attacks
 
 
Preconditions
 
Requires a working system
Not necessarily finished, but working
As networked as possible – for pivoting
Highly skilled testers
 
Outsider
Not pre-knowing company secrets
Most companies hire out pentesters, but in-house pentesters are highly marketable
Can be a good “side-hustle” for you in existing
dev organizations
 
 
MITRE’s ATT&CK & CAPEC
 
ATT&CK
A taxonomy of tactics and techniques for general-purpose
pentesting knowledge
Tactics: broad categories
Techniques:
tool-agnostic approaches
Somewhat technology-dependent
 
CAPEC
“Common Attack Pattern Enumeration and Classification”
A dictionary of attack patterns
Organized by mechanisms and domains
Not covered in this lecture, but referenced in a few VotD
 
 
Let’s talk about ATT&CK
(Enterprise version)

ATT&CK Tactics
 
Pre-ATT&CK. The adversary is building capabilities and doing initial research.

Initial Access. The adversary is trying to get into your network.

Discovery. The adversary is trying to figure out your environment.

Privilege Escalation. The adversary is trying to gain higher-level permissions.

Defense Evasion. The adversary is trying to avoid being detected.

Credential Access. The adversary is trying to steal account names and passwords.

Collection. The adversary is trying to gather data of interest to their goal.
 
 
ATT&CK Tactics cont.
 
Execution. The adversary is trying to run malicious code.

Persistence. The adversary is trying to maintain their foothold.

Lateral Movement. The adversary is trying to move through your environment.

Command and Control. The adversary is trying to communicate with compromised systems to control them.

Exfiltration. The adversary is trying to steal data.

Impact. The adversary is trying to manipulate, interrupt, or destroy your systems and data.
 
 
ATT&CK Techniques
 
There are a lot of techniques.
For this class, including exams, we’ll focus on just a few key ones.
 
 
Key Techniques: Initial Access
 
Drive-by compromise
Users visit malicious sites
e.g. executing JavaScript with a browser exploit in it that takes control of a machine
 
Hardware additions
Introducing new hardware to the system
e.g. hardware keystroke loggers, keystroke injection,
network sniffers, portable cell-phone towers
 
Spearphishing
Confidence scamming exploiting the specific company
We see these at RIT all the time
 
 
Discovery
 
Network and Service Scanning (we’ll explore this later)
Run tools to enumerate hosts and ports
Figure out what services are running
e.g. nmap, unicornscan
 
Account Discovery
Find a listing of the existing accounts
e.g. /etc/passwd
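Account Discovery reads /etc/passwd; the same file is worth auditing from the defender's side before anyone else enumerates it. This added example is not from the slides: it parses a constructed passwd(5) sample and flags the entries a reviewer would want to see (extra UID 0 accounts, empty or in-file password fields, service accounts with login shells, shared UIDs). The sample accounts and the 999 system-UID cutoff are assumptions.

```python
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup::34:34:backup:/var/backups:/usr/sbin/nologin
svc-deploy:x:0:0:deploy service:/opt/deploy:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/bash
"""  # constructed sample for this example, not taken from a real host

NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid),
                        "gid": int(gid), "home": home, "shell": shell})
    return entries


def audit_passwd(text, system_uid_max=999):
    """Return (account, finding) pairs that a reviewer should look at."""
    findings, seen_uids = [], {}
    for e in parse_passwd(text):
        name, uid = e["name"], e["uid"]
        # A second UID-0 account is a root-equivalent login that is easy to miss.
        if uid == 0 and name != "root":
            findings.append((name, "uid 0 account other than root"))
        # Empty field: no password needed. Anything but 'x'/'*': hash not in /etc/shadow.
        if e["pw"] == "":
            findings.append((name, "empty password field"))
        elif e["pw"] not in ("x", "*"):
            findings.append((name, "password hash stored in /etc/passwd"))
        # Service accounts (non-root system UIDs) normally get a non-login shell.
        if 0 < uid <= system_uid_max and e["shell"] not in NON_LOGIN_SHELLS:
            findings.append((name, f"system account with shell {e['shell']}"))
        if uid in seen_uids:
            findings.append((name, f"shares uid {uid} with {seen_uids[uid]}"))
        else:
            seen_uids[uid] = name
    return findings
```

On a real host, pass the contents of /etc/passwd to audit_passwd and review each finding against the host's intended configuration.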
 
 
Credential Access
 
Brute Force
 
Credential Dumping
e.g. dump a database table with credentials
e.g. copy the /etc/shadow file
 
Valid Accounts
e.g. using default accounts
e.g. using discovered credentials from other
access
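The Brute Force technique above is one of the easiest to spot in authentication logs. This added example is not from the slides: it runs a sliding-window detector over constructed sshd-style log lines (addresses from the RFC 5737 documentation ranges) and also records a success that follows a flagged burst, which is the event that turns guessing into Valid Accounts. The threshold and window values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sshd-style auth log for this example, not real traffic.
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40111 ssh2
Mar 10 12:00:03 web1 sshd[2102]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar 10 12:00:04 web1 sshd[2103]: Failed password for invalid user test from 203.0.113.5 port 40113 ssh2
Mar 10 12:00:06 web1 sshd[2104]: Failed password for root from 203.0.113.5 port 40114 ssh2
Mar 10 12:00:07 web1 sshd[2105]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar 10 12:00:09 web1 sshd[2106]: Failed password for root from 203.0.113.5 port 40115 ssh2
Mar 10 12:00:12 web1 sshd[2107]: Accepted password for root from 203.0.113.5 port 40116 ssh2
Mar 10 12:05:00 web1 sshd[2108]: Failed password for alice from 198.51.100.7 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")


def parse_line(line):
    """Return (timestamp, result, user, ip) or None for lines that are not logins."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog stamps carry no year
    return ts, m["result"], m["user"], m["ip"]


def detect_brute_force(log_text, threshold=5, window_s=60):
    """Flag IPs with >= threshold failures in a sliding window; note later successes from them."""
    recent = defaultdict(deque)        # ip -> timestamps of failures still inside the window
    flagged, success_after_burst = set(), []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold:
                flagged.add(ip)
        elif ip in flagged:
            success_after_burst.append((ip, user))
    return flagged, success_after_burst
```

In the sample, 203.0.113.5 crosses the threshold at 12:00:09 and its later "Accepted password" is reported, while the two failures from 198.51.100.7 are five minutes apart and never trip the window.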
 
 
Execution & Persistence
 
Execution
Command-line interface
e.g. ssh terminal, PowerShell
Service execution
e.g. adding a new “service” to be executed
 
Persistence
Bootkit
Place malware in the Master Boot Record of the HDD
Executed even after reformatting OS partition
Scheduled task (also an Execution technique)
e.g. crontab or Windows Task Scheduler
Create account
Component firmware
 
 
Privilege Escalation
 
Process Injection
Executing arbitrary code in an existing, legit
process space
e.g. Changing the path of a DLL at runtime,
stack smashing, LD_LIBRARY_PATH
 
setuid and setgid (we’ll cover this later)
 
 
Defense Evasion
 
Techniques that adversaries use to
avoid detection throughout their
compromise
Access Token Manipulation
Binary Padding
Clear Command History
Connection Proxy
… many more …
 
 
Lateral Movement
 
Pass the Hash
Remote File Copy
 
 
CPTC, Kali, and OSCP
 
Collegiate PenTesting Competition
RIT helps and competes in an annual national competition
(Oct-Nov)
Like a varsity sport
 
Kali Linux
A distro designed for penetration testing
TONS of tools, steep learning curve on many of them
 
Offensive Security Certified Professional
One of the best certs out there for pentesting
About the effort of a college course
24-hour final exam where you have to break into every
machine
 
Slide Note

In the realm of secure software engineering, penetration testing plays a crucial role in proactively identifying vulnerabilities. This involves delving deep to exploit potential weaknesses and simulate real-world attack scenarios. Skilled testers, both in-house and external, use frameworks like MITRE's ATT&CK and CAPEC to map out attacks, understand pre-ATT&CK phases, and address tactics from initial access to impact.

  • Penetration Testing
  • Secure Software
  • Security Testing
  • MITRE ATT&CK
  • CAPEC

Uploaded on Sep 06, 2024 | 0 Views
