SY0-601: CompTIA Security+ certification video training course by prepaway along with practice test questions and answers, study guide and exam dumps provides the ultimate training package to help you pass.

1.8 Techniques used in penetration testing

1. Penetration testing

In this video we're going Tobe talking about penetration testing. As you can imagine and as you followed me throughout this course and you know my background, it’s my most favorite topic to talk about. So I'm not going to try to keep this video too long or run off of the topic. It’s just going to stay on the exam topic, just what you need to know to pass your exam. But let me just start out by saying this, that in an organization a lot of companies would tell you, oh, we are secure. We have the best security. Unless you test the boundaries of your security, you will never know how strong it is. You always need that outsider perspectives on your security or the outsider tiffs on your security. No car manufacturer is going to tell you how safe the car is generally unless they submit into some kind of third party to be assessed. Here in the United States. The National Highway Association will give you crash ratings. Right? In all industries, this happens any time things are made. We generally get it tested to see how secure it is. So as an organization and you're working to your organization, you got to get your security tested by a third party. You need this external perspective.

And this is what Pen testing is, pen testing. The difference between Pen testing another one is security assessment. Security assessment is what you do in your organization, is what you're going to do to assess your own controls and to see the good of your own firewalls are configured right, whether your malware protectionism good, whether your training user is right. You would find vulnerabilities and you would stop. You would find, okay, this system is unpatched. So you patch it up and you move on. But a Pen test is different. In a Pen test not only dowel find vulnerabilities, we exploit the vulnerabilities. Almost all the different kind of attacks that I've shown you throughout this class so far, whether it was Misaddress flooding, mac flooding, or spoofing a Mac address, or doing a man in the middle attack. These are techniques we use in Pen test. And so not only are we finding the vulnerability, we're also exploiting the vulnerability and seeing this exposure, seeing what we could find.

So I'm going to go through the steps of a Pen test. Then we're going to take a look at different types of Pen test and then we're going to take a look at the terms in its this interesting stuff. Let’s go through this. Okay, so I have a great link here that really goes well through the different steps of a Pen test’s this website is called Cisohear.com and they have the Pen testing services. And here we go with the different steps of a Pentest that we should be familiar with for our example. These are basically standard steps that all Pen testers would follow so let's take a look. The first one here is reconnaissance. So step number one, reconnaissance. What are we doing in this phase when in the reconnaissance phase you’re gathering information about your target? All right, you know what, let me stop right here. Let me just make one thing clear. I think I've mentioned this in the class. You cannot do a Pen test without permission. The first thing you actually do in Pen test is to get permission.

Remember? You know what's the difference between hacking and pen testing? One has permission, one doesn’t. So the first thing you should do before you do number one here would be to get permissions, speak with the company, get permission to do a Pen test. It's going to hire you to do this. Okay? So let's go back here to this. So the first thing here is reconnaissance. So reconnaissance is going to be footprint in the organization doing who is to find out information about registered domain, looking at the company's website and social media. Now this is basically a reconnaissance, finding out information. The other thing here we have is vulnerability assessments.

Step two, now what you're going to does you're going to find, you're going Togo out there, you're going to find systems that are outdated, systems that have weak passwords, systems that are using insecure protocols like FTP. Then you can exploit them. Okay? You’re going to exploit those systems. You’re going to attempt to gain access and extract data from these all outdated systems or misconfigured systems, or systems with insufficient protocols or insufficient credentials. The fourth thing that is to determine your risk determination, you have to look at the likelihood that these things could happen and the impact it would have on the organization. Then of course, you want to report this to the organization. At the end of a Pen test, you're going to get a report. The Pen testers will tell you they found these rogue hoses. They found these were the impact that these hosts are left online. This was the data that could have been compromised and these are the things you can do to fix its this is for the organization.

This is what they're looking for. Things that they can fix right away. Things that may take longer to fix. But basically they're looking at what we need to do to improve our security and that's that report. And then finally remediation, the company actually goes and does it. So they get the report. They actually go, they update their system. They update their system. They are going to remove those unsecured protocols, close up all the ports. These are the steps that the organizations will go through and the Poetesses will go through. So this is generally, this is just a generic thing. All right, now there are others out there. You may find one in the Council set of steps that they have. You would footprint the organization. You would enumerate it. That's to connect to it and learn information about the system. You would then find your vulnerabilities.

You would then exploit those vulnerabilities. You would cover your tracks, right? So covering the tracks would be like clearing up the log files after you've exploited and stole the data, then you report it to the organization and then the organization would then fix it based on the report. So you have different phases that are out there. There’s no like set phases out there, but these are just some generic phases. All right, so one more time footprint. The organization gather information, know what type of systems they have, find your vulnerabilities, exploit those vulnerabilities, clean up your tracks, right? Clear out those log files, report it to the organization. Okay, so those are just in general Pen testing steps there. Now there's three types of Pen tests that we should know about. White, black and gray box. So white box is known as full knowledge, also known as a clear and open test. Black box is no knowledge and a gray box is partial knowledge. Let me explain that.

A white box is a Pen test that's done internally inside of the organization where the tester has access to all the company's information. This is generally a specific test, generally done to test something very specific, like a specific application. The Pen tester may have access tithe source code of that application. A black box is the opposite of this. A black box is an outside test from a hacker perspective. So you would get a black box test done when you want to know, well, what can the hackers see about my organization? What can they know? Like imagine you guys calling me up right now, it says, Andrew, I want you to pen testy organization and you're not going to tell me if you want me to find everything. You want to see what I could find. From a hacker perspective that would be a black box. No knowledge. Gray box or partial knowledge test is when they know something about the organization. Could be generally an internal test when it gives some of the information about the network, but not all. So they're missing some information. So that's why it's called a gray box. Now one term that we should be familiar with when it comes to Pentestingis something called the Rules of Engagement. Now the Rules of Engagement is the method in which the Pen test should be conducted.

And I'll show you guys a sample of what Rules of engagement looks like. So Microsoft in the Microsoft cloud, in the source cloud, if you store your data there, you have the ability if you have systems in the Microsoft cloud, you have the ability to pen test your systems. So Microsoft is like, well if you're going to do Pen testing on our cloud systems, you have to follow our rules. So they have rules that we should follow that's the rules of engagement. Every Pen test should have this document. I’m going to go beyond say, every Pen test must have this document. It outlines what's allowed and what’s not allowed on a Pen test. For example, can they do a Dodos attack? Can they do SQL injections? Can they do cross site scripting? It will outline what they could and what they could not do. So this is a very important document. So if we look at this here, it says here it's basically for the customers. It basically describes the unified rules for customers wishing to perform Pen testing on their actual Microsoft Cloud Services. Notice it says the following activities are prohibited scanning or testing assets belonging to any other customer. So Microsoft is saying, hey, you can only scan stuff that belongs to you, gaining access to any data that is not wholly owned by you.

And then it's a lot of stuff here. You guys can check out the link and then it says you should do this. And it does include doing things like doing a Fuzz, which is sending random data to your application, doing port scan vulnerability against your own and yours. Virtual machines do that to your own one, not to anybody else’s. So it's giving you the rules that you should follow when doing this. Okay, so the other one is called lateral movements. Lateral movement. When you break into an organization, this is basically moving sideways between devices, apps, throughout a network. So you break into an organization and you’re moving across within the same level. So I break into the accounting department, I bring an accountant up and I start to move throughout that section of the organization. When you break into different computers and different systems, one of the things you want to do is to gain access. You want to up your privileges, gaining more like admin access to a system. So you may break in as a normal user, but now you want to up your privileges to an administer so you can have complete control over the box. This would be something like installing a rootkit into a system to give you more admin access on that particular station. Persistence.

This is gaining access to the systems and maintaining it for a long period of time. It could go on for like weeks. So they would put exploits into machines and then they can remotely gain access to these machines for weeks on end because the administrator just doesn't know that they exist. Maybe there were ports that was open that the administrator didn't realize the firewall was letting through. One of the big things that we have to do as a Pentest guy is going to be to clean up our log files. When we are finished, we have to clean up our tracks behind us. This generally includes clearing the log files to hide the activity so no one knows. Hey you're, my systems was hacked by a Pen tester. Okay? So if you guys want to make a couple of quick bucks and you're very good at pen testing, you’re good at programming, you like doing these kinds of things. There are organizations, set ups out there that does bug bounty. So this is programs offered by organization to find bugs, exploits and vulnerabilities.

There's a bug bounty by Tesla, telemotors that make the electric cars. I think if you would have found bugs and I think they gave you a free car or something like that, you guys can check that out, you guys can do bug bounty, you can Google that and you notice there's many sites that have bug listing of bug bounties that you can apply to and basically you have access to their systems. So let's say I built a system and I want other people's perspective about it so I put out a bug bounty and you apply for it and I say I'm going to give a anybody I can find a vulnerability. So you take my software and you hack the hell out of it and you do find a vulnerability I give you a $1,000 but you got to report it back to me and I'm going to fix it. This is good because it forces good hack in, right? Good ethical hacking. It forces good Pen testing versus some body hacking you and holding your ransom. Now pivot so this is when you exploit a computer and then use that computer to gain access to other machine. So I am going to break and I'm going to take control of this. Let's say I got to this desktop. Now I'm going to use this desktop to launch attacks and to gain access to other computers in our network.

Okay so quite a lot of terminology there on Pen testing. I know Pen testing is a career that a lot of people taking security plus are very interested in. If you guys have had a lot of fun, or you were pretty interested in watching me doing the other attacks that you saw whether it was cracking a password with hash cat or you saw me doing flooding a actable running different kinds of Trojans on computers. If you guys were interested in me doing that and you found that fun to do, maybe there is a career for you in pen testing. But I've done it for a long time and I will tell you something about it. It's not easy. It’s a constant update. You’re always learning new things, new tools come out all the time. If you really like it though and you have a deep passion for it and you enjoy doing it, there's a good promising career for it, you make a lot of money, easy to find jobs in it but it's a very good career. It’s very rewarding. I find it to be very rewarding because I like it. If you don't like it, it could get real difficult but if you have a passion for it, go out and do it.

2. Passive and active reconnaissance.

In this video, I'm going to be going over passive and active reconnaissance for your example. You just want to know the difference between the two, and I'm going to take a look at a few different additional terms. Okay, so first of all, what is reconnaissance? Reconnaissance is one of the first things you do when doing a pen test.

During a pen test, you must first start off by doing reconnaissance to find out information about that particular organization. You're going to do reconnaissance to find out what type of routers they use. Do reconnaissance to find out what type of services they're running, what type of ports they have open, and what type of service they're running. You'll find out what type of firewalls they might even be using. Reconnaissance is all about finding out information about your organization. Now, you should know the difference between passive and active. Passive means not engaging with the organization.

Active is engaging with the organization. So, for example, a passive response would be like sniffing traffic. In that case, you're just standing back and sniffing the traffic as it goes by. You're doing things like figuring out who someone is and looking up information on their websites. You're not really touching the organization. But once you start scanning them, for example, now you're engaging with that particular server. That would be active reconnaissance. So you've got passive and active. Now, I do have some additional terms here we should be familiar with. For example, when conducting reconnaissance, one option is to use drones or unmanned aerial vehicles. These are little drones that fly around, and you could use these over buildings to find, like, points of entry without actually having to go and look around the building.

There's war flying and war driving. So you have war flying and war driving. Here's what this is: Wire-flying is the use of a drone to locate open or weekly secured wireless networks, such as those connected to the Internet. For example. The Wirefly is using a drone to find wireless networks. Wiredrive will be driving around in a car looking for these particular wireless networks. Now, footprinting is the name of the game here.

The name of the game is reconnaissance footprint. Footprinting is going to allow me to find information about your organization. And then you have Olsen. The ocean framework, which I discussed earlier in the class, and this framework, as well as this website, are two of the best ways to footprint an organization. Let's just go to it here. I'm just going to Google it here. Now, I went to this I did show you guys this a while back, a couple of videos ago. And you can do a lot of footprinting and finding things in here. So we can go in here and find IP addresses and organisation information. IP, version four. Lookups: maybe we can do a look at autonomous systems if we're looking for a certain type of IP address. I believe one of the things you could do with the domain I've shown you is look for subdomains.

And this is a pretty interesting one that you can learn about by looking up domain names. something I mentioned to you earlier So this is an amazing framework that allows you to do a lot of footprinting of an organisation and provides you with all of the tools in one place. Okay, so remember something about remembering for your exam: reconnaissance is finding out information about your target. Reconnaissance is what you do at the very beginning of the Pen test, not at the end of the beginning of the Pen test. You could do it passively, in which case you would sit back and observe more external traffic, or actively, by performing a port scan with Nmap to determine what type of service they are running.

3. Exercise types

In this video, we're going to be talking about exercise types. In particular, we'll talk about exercises that the Red Team, the Blue Team, the White Team, and the Purple Team do for your exam. Just know what the roles are of these different teams.

Okay, so what exactly is this is? Well, I'll tell you something. If I'm going to go work for an organization, I want to be on the "red team." That sounds like more fun than being on the "blue team." That's just my opinion. But what exactly are these? In an organization, you basically have two main teams. Now, I know I said White and Purple Team, but I'll get to those in a minute.

In an organization, you have Red Team and Blue Team. So the Red Team are the ones that are ethically hacking your network. These are generally outside contractors, but they could be internal employees that work to break the organization's security. Do you want to be the one breaking the security? Do you want to be the one securing it? These teams, of course, collaborate; they are not there to maliciously destroy your business.

So then you have, you know, let me pull this up here. You have a purple team. So a purple team is in an organisation when you have one team that does both red and blue testing, so they both hack it and secure your organization, then you have the white team. Well, the white team is the referee. So let's talk about some of the activities that we're doing. So the red teams are ethical hackers. The red team is penetration testing. These are the people who will run all of the hacking tools that you saw me do. This section of the class, they'll be the ones running the remote access Trojans, password cracking, using hashcat, attempting to inject malware into macOS. Now, these terms are very common in large businesses today.

Generally, if you come with a good security background, just plain security background, you've done firewall configuration, ideas configuration, and you're going to be on the blue team. If you come with an ethical hacking background, you've got a CEH certification, for example, then you're going to be on the red team. What do I study? If you want to work on the Red Team, go the Ethical Hacking route, get your CEH, get your OSCP certification. If you want to work on the Blue Team, get certification in vendor security, AWS security, Palato firewall certification, Checkpoint security certification, ASAS or Cisco's ASA.These are firewall and security technology certifications.

2.1 Security concepts in an enterprise environment.

1. Configuration management

In this video, I'm going to be talking about configuration management. So what exactly is this? Configuration management is basically the management of how you configure your systems in your network. This could be how you assign the methods that you used to assign IP addresses or the IP address and schema. This could be how you diagram your network and how you baseline the configurations, those minimum configurations. This is really what this includes.

So in this video, we're going to be looking at a And if you sign up for a free account, you can even get these diagrams. For example, here's a server network diagram page, and they're showing you that the switches in this network have a web server, a database server, and a storage server, and they're all just connected to switches. We have our users. Very simple diagram there. Here you have one with an office network, and another diagram. When I'm at Tia and working, we have educational versions of these things that I use and they have templates.

Like if you want to make a network diagram, you can just click on it and you can start creating it. Well, when businesses have a lot of computers on the floor, what you want to do is have a baseline configuration. So what is that? When a baseline configuration is the software, the minimum amount of software that needs to be installed, the minimum configuration for its firewall or antivirus software, the minimum configuration for even desktop software like Microsoft Office that you would have to install, so they have this minimum image that they have, so here's how it works: They take a computer, one computer, and this here we'll call the baseline to say BS. And then they put in a whole bunch of this—some lines here, a whole bunch of configurations. This is going to be how we configure Office, how we configure the group policies, how we configure the antivirus. Then they take this entire machine and make an image of it.

And then they take this image and deploy it to an image and server. And then that image and server deploys the image to all the desktops. Now in the organization, we're going to have different departments: you're going to have the accounting department, you're going to have the marketing department, you're going to have finance, and you're going to have sales. All right? So these are your different departments. Now how do you name the computer? They all have laptops; they may have desktops in there. How would you name them? Let's make up a convention right now. Let's say we name them after the name of the department. Our convention is going to be the department name followed by a number.

So we'll say according to one computer, according to two. For marketing, we'll say MK one, MK two, right? So when the technicians see each individual computer, they can say, "OK, that's a sales computer. That's a marketing computer that belongs in the finance department." Okay? Computer one was assigned to Bob. Computer zero three was assigned to Mary. So we know where the computers belong. Now the question is, where do you name computers? Right? So, hopefully, you completed your A+ certification, and this will be covered in A+ in the Nets.

But, just for a quick member, I'm going to right-click on the start button and go up the system. And here you can see my own is simply called Desktop, right? It's the default installed on this computer. So businesses would go in and say, "rename this computer," and then you would give it a name to match that department. Now if it's part of a domain, which it would be, it would be named correctly and then joined to the domain so it knows where in the domain to be stored, what organisational unit to be stored in your active directory domain. Well, your IP schema is going to be how you assign IP addresses. If you guys remember from hopefully your net plus or your A plus, you learned about private IP addresses.

So organisations use private IP addresses in their networks. So for them to do that, they're going to have to now determine which one of those blocks they have. So if you guys remember the three blocks, right, you had the private IP being tenX, you had 170, 216, and one 7231 X. You have 19216 eight. So, for example, suppose your organisation must first decide whether to use 192 or 172. Are we going to use the 10? Right? Let's say your organisation decides to use ISO 19216-8; then they must determine how they will determine what schema goes where.So let's go back to that department that came up.So let's do an IP schema right now. Let's say you have sales again, accounting, and we'll just stop with market in here. Okay? So for sales, we could sell the 19216 Eight. Maybe sales could be, say, ten X. And then for accounting, we do the 19216 Eight. We could do 20 X, and for marketing, 192-1683 X. Then they have to determine within those ranges what are going to be the servers, which are going to be the routers.

So we could say routers, where routers would be from 1216, 810.Let's say one router. Let's say You may be technicians now, but you will eventually become administrators, and hopefully, you will move on to network design. And you're going to be the one coming up with these schemas, right? You're going to be the one coming up with the name and convention that the technicians have to apply. Okay, so this is configuration management. Wasn't that difficult? Let's keep going.