The act of performing a pentest is akin to developing a mind map to illustrate the relationship of items; only with pentesting, the map organically grows an attack path based on findings. Pentests are not research assignments. They are meant to be fast, efficient and thorough. In order to be fast, efficient and thorough, one has to have systems set up that encourage, if not enforce, the practice of operationalization.
OIAS (Organized, Indexed, Available, and Searchable)
To operationalize is to make a task that performs a specific action as efficient and as extensible as possible while ensuring its execution can be performed in one step. For example, maintaining a collection of exploits that work for common services and their corresponding versions can be operationalized by developing a local application that ensures all content is organized, indexed, available and searchable. Operationalized software is never cloud based, as it has to work without a network connection.
Pentesters should always be looking for new and more efficient ways to perform essentially the same actions. The CI-Index breaks down these essential pentest actions into the following sub-sections:
- Delivery Methods: The initial exploit. The way in which a target is forced to perform an action (usually downloading a dropper from an external data store).
- Secure Data Stores: A data storage repository that can be publicly accessed.
- Post-Exploitation Procedures: Immediate actions to memorize once a system has been compromised.
- System Download Methods: Techniques for downloading content after compromise (via shell).
- Password / Credential Acquisition: Credential harvesting, acquisition, and cracking techniques.
- Persistence Techniques: Techniques to add backdoors and persistent access to a system.
- Removing Tracks: Cover Your Ass (CYA) techniques to remove evidence of presence.
- Situational Awareness: Tools, techniques and procedures for enumerating the accessed network.
- Lateral Movement: Fundamental techniques for further compromising systems on the network.
- Sensitive Data Searching: Techniques and strategies for finding sensitive/valuable content.
- Exfiltration Techniques: Tools and techniques for extracting data from a network or system.
Attackers and pentesters alike will always perform a variation of the above actions. Their techniques may change, but the overall actions will always remain the same. This is why it's important to organize not only the tasks at hand, but the variety of ways each task can be performed. Pentesting is 80% the what (what needs to be done) and only 20% the how (how it's performed). The key is to understand the process well enough to shift between techniques as needed.
Pentesting also includes the heavy task of maintaining not only a record of what techniques and attacks you perform, but also keeping track of ALL of the results. During an engagement, the attack vectors, exploit potential, and tool results of the target you're assessing grow organically like a conceptual mind map. To keep track of results and potential attack vectors I use a combination of two tools. The first is an open source application called FreeMind that makes creating mind maps incredibly easy. It has a nice set of keyboard shortcuts to make things fast and efficient. Once you learn the basics of building maps, this application becomes an invaluable tool during a live engagement. The second tool is a custom built tool called Penzoil that allows you to copy and paste the raw text results of CLI tools and keep moving. The tool categorizes the pasted text and allows you to dump a C&P or search everything that's indexed. Currently it needs to be able to export everything to a text file. I'd also like the ability to dump useful items and artifacts using common regular expressions (i.e. extract all IP addresses, email addresses, URIs, etc.).
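The OIAS idea above (organized, indexed, available, searchable, and working with no network connection) and the Penzoil workflow just described (paste raw CLI output under a category, search it, dump it, export to text, pull artifacts out with regexes) can both be shown with a small local results index. The following is an added illustration written for this page; it is not Penzoil's code or any project's code. It assumes nothing beyond the Python standard library: the store is SQLite (in-memory here, a file path for persistence), the `ResultsIndex` class and the three artifact regexes are hypothetical names, and the two pasted samples are constructed, not real tool output.

```python
"""Local, offline results index: paste raw CLI output under a category,
search everything later, dump one paste, export to text, and extract common
artifacts (IPv4 addresses, e-mail addresses, URIs) with regular expressions.
Added example for this page; not Penzoil's or any project's code."""
import re
import sqlite3
from datetime import datetime, timezone

# Artifact patterns. The IPv4 pattern checks each octet is 0-255 so that a
# latency figure such as "0.0021s" is not picked up; the URI pattern is
# deliberately simple: scheme, "://", then everything up to whitespace/quotes.
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
URI_RE = re.compile(r"\b[a-zA-Z][a-zA-Z0-9+.-]*://[^\s<>\"']+")


class ResultsIndex:
    """SQLite-backed paste store. ':memory:' keeps this self-contained;
    pass a file path to persist between sessions with no network involved."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS pastes ("
            "id INTEGER PRIMARY KEY, ts TEXT, category TEXT, body TEXT)"
        )

    def paste(self, category, body):
        """Store one copy-and-paste under a category; returns its id."""
        ts = datetime.now(timezone.utc).isoformat()
        cur = self.db.execute(
            "INSERT INTO pastes (ts, category, body) VALUES (?, ?, ?)",
            (ts, category, body),
        )
        self.db.commit()
        return cur.lastrowid

    def search(self, term, category=None):
        """Substring search across every paste, optionally within a category.
        Parameters are bound, never interpolated into the SQL string."""
        sql = "SELECT id, category, body FROM pastes WHERE body LIKE ?"
        args = [f"%{term}%"]
        if category:
            sql += " AND category = ?"
            args.append(category)
        return self.db.execute(sql, args).fetchall()

    def dump(self, paste_id):
        """Return the raw text of one paste, or None if the id is unknown."""
        row = self.db.execute(
            "SELECT body FROM pastes WHERE id = ?", (paste_id,)
        ).fetchone()
        return row[0] if row else None

    def export_text(self):
        """Flatten the whole index into one text document."""
        parts = []
        rows = self.db.execute(
            "SELECT id, ts, category, body FROM pastes ORDER BY id"
        )
        for pid, ts, cat, body in rows:
            parts.append(f"=== #{pid} [{cat}] {ts} ===\n{body}\n")
        return "\n".join(parts)

    def artifacts(self, category=None):
        """Unique IPv4 addresses, e-mail addresses and URIs found in the
        stored text (all pastes, or only one category)."""
        if category:
            rows = self.db.execute(
                "SELECT body FROM pastes WHERE category = ?", (category,)
            ).fetchall()
        else:
            rows = self.db.execute("SELECT body FROM pastes").fetchall()
        text = "\n".join(r[0] for r in rows)
        return {
            "ips": sorted(set(IPV4_RE.findall(text))),
            "emails": sorted(set(EMAIL_RE.findall(text))),
            "uris": sorted(set(URI_RE.findall(text))),
        }


# Constructed sample pastes (not real tool output).
SAMPLE_SCAN = """Nmap scan report for 10.0.0.5
Host is up (0.0021s latency).
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
"""
SAMPLE_WEB = """Title: Intranet portal
Found link: http://10.0.0.5/login
Found link: https://intranet.example.com/docs
Contact: helpdesk@example.com
"""

if __name__ == "__main__":
    idx = ResultsIndex()
    idx.paste("scan", SAMPLE_SCAN)
    idx.paste("web", SAMPLE_WEB)
    print(idx.search("open"))
    print(idx.artifacts())
    print(idx.export_text())
```

The search is a plain `LIKE` substring match, which is enough for a single engagement's worth of pastes; swapping the table for an SQLite FTS virtual table is the natural next step once the index grows. Keeping the artifact regexes as module-level constants means new artifact types (hostnames, hashes) are one pattern away.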
I'm in the process of operationalizing the PTES framework. I think it's a nice collection of standard practices that should at least be considered during a live engagement. I'll be integrating the tool into the CI_Index_UI application as I continue to promote local security application development and a single pane of glass philosophy.
I'm also bouncing around some loose ideas of integrating a Vuln/Exploit aggregator into the UI as well. It would contain:
- RSS Feed information from the following sites:
  http://www.securityfocus.com/rss/vulnerabilities.xml
  http://www.symantec.com/xml/rss/listings.jsp?lid=advisories
  https://nvd.nist.gov/download/nvd-rss.xml
  https://www.exploit-db.com/rss.xml
  https://rss.packetstormsecurity.com/files/tags/exploit/
  https://rss.packetstormsecurity.com/files/tags/proof_of_concept/
  https://rss.packetstormsecurity.com/files/tags/vulnerability/
  http://www.blackasylum.com/index.php?q=SSH&e=1
  http://cxsecurity.com/exploit/
- A collection of common and vulnerable service variants per service and the known (and tested) exploits of those services (because low hanging fruit should be picked!)
  FTP (TrueFTP, VSFTPd,
  HTTPd (Apache, IIS,
The goal of this PENTRN component is to have a local resource that holds an organized index of known (and reliable) attacks that you can execute quickly.
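The aggregator piece of that component is, at its core, fetching the RSS feeds listed above and folding their items into the same local index. The following is an added example written for this page, not PENTRN's or CI_Index_UI's code, showing the parsing, keyword filtering and cross-feed merge with the Python standard library only. Fetching is left out on purpose so it runs offline; `parse_rss`, `matching`, `merge`, `FeedItem` and `MAX_FEED_BYTES` are hypothetical names, and the feed document is constructed, with placeholder titles and a `.invalid` host rather than entries from any of the real feeds.

```python
"""Offline-capable RSS aggregator for vulnerability/exploit feeds.
Feed XML is untrusted input: it is size-capped before parsing and parsed with
the standard library only. Added example for this page; not PENTRN's or
CI_Index_UI's code."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from email.utils import parsedate_to_datetime

MAX_FEED_BYTES = 5 * 1024 * 1024  # refuse oversized documents before parsing


@dataclass(frozen=True)
class FeedItem:
    source: str
    title: str
    link: str
    published: str  # ISO-8601, or "" when the feed gives no parseable date


def parse_rss(source, xml_bytes):
    """Parse RSS 2.0 bytes into FeedItems tagged with their source name."""
    if len(xml_bytes) > MAX_FEED_BYTES:
        raise ValueError(f"{source}: feed larger than {MAX_FEED_BYTES} bytes")
    root = ET.fromstring(xml_bytes)
    items = []
    for item in root.iter("item"):  # RSS 2.0 layout: rss/channel/item
        title = (item.findtext("title") or "").strip()
        link = (item.findtext("link") or "").strip()
        raw_date = item.findtext("pubDate") or ""
        try:
            # RFC 2822 dates are what RSS pubDate carries; normalise to ISO.
            published = parsedate_to_datetime(raw_date).isoformat()
        except (TypeError, ValueError, AttributeError):
            published = ""  # keep the item, just without a usable date
        items.append(FeedItem(source, title, link, published))
    return items


def matching(items, keywords):
    """Items whose title mentions any keyword (case-insensitive, literal)."""
    pats = [re.compile(re.escape(k), re.IGNORECASE) for k in keywords]
    return [it for it in items if any(p.search(it.title) for p in pats)]


def merge(*feeds):
    """Combine several parsed feeds, dropping duplicate links; newest first.
    Items with no date sort last because "" compares below any ISO date."""
    seen = {}
    for it in (i for feed in feeds for i in feed):
        key = it.link or it.title
        if key not in seen:
            seen[key] = it
    return sorted(seen.values(), key=lambda i: i.published, reverse=True)


# Constructed sample feed (placeholder entries, not from any real source).
SAMPLE_FEED = b"""<?xml version="1.0"?>
<rss version="2.0"><channel>
<title>constructed sample feed</title>
<item><title>Example FTP server 1.2.3 buffer overflow (placeholder)</title>
<link>https://feeds.example.invalid/entry/1</link>
<pubDate>Tue, 19 May 2015 10:00:00 GMT</pubDate></item>
<item><title>Example HTTPd path traversal (placeholder)</title>
<link>https://feeds.example.invalid/entry/2</link>
<pubDate>Wed, 20 May 2015 08:30:00 +0000</pubDate></item>
<item><title>Unrelated news item</title>
<link>https://feeds.example.invalid/entry/3</link>
<pubDate>not a date</pubDate></item>
</channel></rss>"""

if __name__ == "__main__":
    items = parse_rss("sample", SAMPLE_FEED)
    for it in merge(items):
        print(it.published or "(undated)", it.source, it.title)
    print("service hits:", [i.title for i in matching(items, ["ftp", "httpd"])])
```

The keyword list is where this ties back to the service index: feeding it the service names you track (FTP, HTTPd, and so on) keeps only the entries worth filing. Because the feeds are third-party XML, the size cap is the minimum precaution; if a hardened parser is preferred, `defusedxml.ElementTree.fromstring` is a drop-in replacement for the `ET.fromstring` call.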
Finally (because I need to get to work), I'd like to mention that May 20 saw the revealing of the Bureau of Industry and Security's proposed Wassenaar rule updates. In essence, the new rules make security research, exploit development and the sale of exploits (export) illegal. This is a problem. --or is it? The new report attempts to define intrusion software as software specifically designed or modified to avoid detection by monitoring tools. It goes further and attempts to basically outlaw the practice of defeating protective countermeasures of a computer or network-capable device --as well as identifying the modification of the "standard execution path of a program or process in order to allow the execution of externally provided instructions" as something punishable by law.
In layman's terms, the Wassenaar Arrangement proposal makes exploit code and hacking completely illegal. I think this is fascinating, as I knew this was coming. I doubt the Wassenaar Arrangement will get passed unless it undergoes numerous revisions, but I recognize its significance in the growing and alarming space that is global information security.