THM: Introduction to Penetration testing

Woo-hoo! First Try Hack Me write-up.

A while ago I was working through the "Complete Beginner" path, but since they're getting rid of that this month, why not start with the pentesting path?

This write-up will be about the first room, which is the "Introduction to Penetration Testing" one. So let's get started!


Room: Penetration Testing Fundamentals

Task 1: What is penetration testing?:

This section begins by explaining what a penetration tester is: an individual who uses the same technology, tools, and methods as a hacker to break into a system. The difference is that they do this ethically and with the person's or organization's permission, in order to help them learn where their vulnerabilities are before someone else exploits them. A statistic was also mentioned that really shocked me: "there are over 2,200 cyber attacks every day - 1 attack every 39 seconds". Of course, I knew that cyber attacks were incredibly frequent, but seeing that one happens every 39 seconds was crazy.

Task 2: Penetration Testing Ethics:

So... isn't hacking...like...illegal??

Well, yes. Of course it is, unless you have permission to do it. Penetration testers exist to perform authorized audits of a system's defenses, which means the tester and the organization need to sit down first and create the Rules of Engagement (ROE). This document has a statement from the company explicitly granting permission for the test to occur. It also includes the test scope, which lists the specific systems and/or buildings being targeted. Lastly, it includes the rules for the engagement, which outline what tools, methods, and practices the testers are allowed to use.

Also included in this section are the different types of hackers. There are three: white hat, grey hat, and black hat. White hat hackers are penetration testers, who use their skills to help others and stay within the law. Grey hat hackers use their skills to benefit others but do not always follow the law or a code of ethics. Lastly, black hat hackers are criminals who want to cause harm and do not follow the law.

Questions for this section:

Not sure if I should include answers or not; for now, I won't, I guess!

Task 3: Penetration Testing Methodologies

A penetration tester's methodology is the steps they take during a test. It's important that your methodology is relevant to the goals of the test, because each one is different; however, most tests follow the same general path. The first step is information gathering, which involves collecting as much publicly available information about the target as possible without interacting with it at all. This usually involves Open Source Intelligence (OSINT) gathering. The next stage is enumeration and scanning. During this stage, the tester's main goal is to discover the applications and services running on the in-scope systems and see whether any of them are vulnerable. After this is the exploitation stage, where, you guessed it, the tester exploits the vulnerabilities they have found. Once they have a foothold, they move into the privilege-escalation stage, where they try to move further into the system, either horizontally (to another user with the same permissions) or vertically (to a user with more permissions), to expand their reach. Lastly, they go into the post-exploitation stage, where they see what other hosts they can access (within the scope) and what information they can gain with the escalated privileges; then they cover their tracks and leave the system in order to write the report.
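To make the enumeration-and-scanning stage concrete, here is an added example (my own code, not something from the TryHackMe room): a minimal TCP port scan with banner grabbing. Since a real target would be a host inside the agreed scope, the script starts a constructed fake service on 127.0.0.1 that announces a made-up banner, then scans it the way a tester would probe an in-scope host. The banner string, the helper names and the port choice are all my assumptions.

```python
"""Added example: TCP connect scan with banner grabbing against a constructed
local service. Only ever point this at hosts inside your Rules of Engagement."""
import socket
import threading

FAKE_BANNER = b"SSH-2.0-ExampleServer_1.0\r\n"  # constructed sample banner


def start_fake_service(banner: bytes = FAKE_BANNER) -> tuple[int, socket.socket]:
    """Start a throwaway listener on 127.0.0.1 that sends `banner` and hangs up.
    Returns (port, listening socket) so the caller can close it afterwards."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener was closed by the caller
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def free_port() -> int:
    """Pick a port that is currently not listening (so a probe should be refused)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe_port(host: str, port: int, timeout: float = 0.5) -> dict:
    """Connect to host:port and report whether it is open and any banner it sends."""
    result = {"port": port, "open": False, "banner": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["open"] = True
            s.settimeout(timeout)
            try:
                data = s.recv(256)  # many services (SSH, SMTP, FTP) talk first
            except socket.timeout:
                data = b""  # open, but silent: would need a protocol-specific probe
            result["banner"] = data.decode("ascii", "replace").strip()
    except OSError:
        pass  # refused, filtered or timed out: closed from our point of view
    return result


def scan(host: str, ports) -> list[dict]:
    """Enumerate services on `host`, returning only the ports that answered."""
    return [r for r in (probe_port(host, p) for p in ports) if r["open"]]


def demo() -> list[dict]:
    """Scan one open (fake) port and one closed port on loopback."""
    open_port, srv = start_fake_service()
    closed_port = free_port()
    try:
        return scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()


if __name__ == "__main__":
    for r in demo():
        print(f"{r['port']}/tcp open  banner={r['banner']!r}")
```

The point of the banner is the version string: that is what the tester takes into the next stage to look up whether the exposed software has known vulnerabilities.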

Penetration testers can also use the Open Source Security Testing Methodology Manual (OSSTMM) as a framework for their tests. It details testing strategies for many different aspects of security and mostly focuses on telecommunications, wired networks, and wireless communication. Testers can also use the Open Web Application Security Project (OWASP) framework for web application security tests; this resource is regularly updated with the top web application vulnerabilities, along with how to test for them and how to fix them. There is also the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which provides a set of standards for protecting an organization against threats. The last framework this section talks about is the NCSC Cyber Assessment Framework (CAF). This one is used to assess the risk of various threats and an organization's defenses against them.

Here are the questions for this section:

Task 4: Black box, Grey box, and White box Penetration Testing

These are the three types of testing scope within a penetration test. Black box tests are ones where the testers are given no prior knowledge about the target. Grey box tests are ones where they receive limited knowledge, and white box tests are ones where they receive full knowledge about the target, such as source code or internal documentation.

Questions for this section:

Task 5: Practical: ACME Penetration Test

From the task: "ACME has approached you for an assignment. They want you to carry out the stages of a penetration test on their infrastructure. View the site (by clicking the green button on this task) and follow the guided instructions to complete this exercise."

The next part of this task walks you through a "penetration test", but mostly it just re-explains the different phases until it gives you a flag at the end. This was the last task in this room!

Room: Principles of Security

Task 1: Introduction

This room outlines the fundamentals of information security. It is an introduction to "Defense in Depth", which is the use of multiple, different layers of security so that if one layer fails, another still protects the system.

Task 2: The CIA Triad

The CIA triad is an information security model that is used to create a security policy. CIA stands for confidentiality, integrity, and availability. Confidentiality is the practice of ensuring that sensitive information is protected from eyes that should not see it. Depending on the organization, this could be any number of things: employee records, customers' credit card numbers, patients' medical information, etc. Integrity means that the data within the system is not altered and stays unchanged through storage, transmission, and use. Lastly, availability means that the data is accessible to the users who need it, whenever they need it.

Questions:

Task 3: Principles of Privileges

An essential aspect of security is making sure only the right users have certain privileges. They should only be given based on two factors:

  • A person's role in the organization

  • The sensitivity of the information in the system

The two concepts used to manage the privileges given to users are Privileged Identity Management (PIM) and Privileged Access Management (PAM). PIM translates a user's role in the organization into an access role on a system, and PAM manages what privileges that access role actually has.

Questions:

Task 4: Security Models Continued

The Bell-LaPadula Model is a model used for confidentiality. It is mostly used in organizations with a hierarchical setup, like a government. In this model, each person can read information at their level and below but cannot read anything above them ("no read up"), and they cannot write information down to a lower level, where people with less clearance could read it ("no write down"). The model assumes that when people move to a higher level, they have already been vetted and can be trusted with the extra information.

There is also the Biba Model, which is the mirror image of Bell-LaPadula. Where Bell-LaPadula prioritizes confidentiality, Biba prioritizes integrity. Users can read items at their level and above but not below ("no read down"), and can write at their level and below but not above ("no write up"). This stops data from a less trusted level from contaminating the data that more trusted users rely on.
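The read/write rules of the two models are easy to mix up, so here is an added example (my own code, not from the room) that encodes both as access-control checks over a constructed set of four levels. The level names, the function names and the `matrix` helper are my assumptions; the rules themselves are the standard Bell-LaPadula and Biba properties.

```python
"""Added example: Bell-LaPadula (confidentiality) and Biba (integrity) read/write
decisions side by side, over a constructed ordered set of levels."""
from enum import IntEnum


class Level(IntEnum):
    """Constructed levels; higher means more sensitive (BLP) or more trusted (Biba)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject: Level, obj: Level, action: str) -> bool:
    """Bell-LaPadula: no read up (simple security property), no write down (*-property)."""
    if action == "read":
        return subject >= obj   # may read at or below own clearance
    if action == "write":
        return subject <= obj   # may write at or above own clearance
    raise ValueError(f"unknown action {action!r}")


def biba_allows(subject: Level, obj: Level, action: str) -> bool:
    """Biba: no read down (simple integrity), no write up (*-integrity)."""
    if action == "read":
        return subject <= obj   # may read at or above own integrity level
    if action == "write":
        return subject >= obj   # may write at or below own integrity level
    raise ValueError(f"unknown action {action!r}")


def matrix(model) -> dict[tuple[str, str, str], bool]:
    """Every (subject, object, action) decision for a model, for comparing the two."""
    return {
        (s.name, o.name, a): model(s, o, a)
        for s in Level
        for o in Level
        for a in ("read", "write")
    }


if __name__ == "__main__":
    me = Level.SECRET
    for name, model in (("Bell-LaPadula", blp_allows), ("Biba", biba_allows)):
        print(name)
        for target in Level:
            print(f"  {me.name} -> {target.name:13} "
                  f"read={model(me, target, 'read')!s:5} write={model(me, target, 'write')}")
```

Run it and you will see the two tables are exact mirrors of each other: every decision Bell-LaPadula makes for (subject, object) is the decision Biba makes for (object, subject). That symmetry is the quickest way to remember which way each rule points.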

Questions:

Task 5: Threat Modeling and Incident Response

Threat modeling is used to review, improve and test an organization's security practices. It is also essential for identifying the possible threats to a system.

There are four steps to threat modeling, which are:

  • Preparation

  • Identification

  • Mitigations

  • Review

but an effective threat model should also include threat intelligence, asset identification, mitigation capabilities, and risk assessment. To make these concepts easier to apply, there are frameworks like STRIDE (Spoofing identity, Tampering with data, Repudiation threats, Information disclosure, Denial of Service and Elevation of privileges) or PASTA (Process for Attack Simulation and Threat Analysis). Each of these breaks down the categories of attack and how to respond to them.

When a cyberattack happens, organizations will have a Computer Security Incident Response Team (CSIRT) in charge of the incident response. Each incident response plan must contain the following stages:

  • Preparation (making sure the right tools and plans are available)

  • Identification (what is the threat/is there a threat actor?)

  • Containment (how can we isolate the threat so that other systems are not affected)

  • Eradication (removal of the threat)

  • Recovery (rebuild impacted systems)

  • Lessons Learned (briefing with the team to go over what happened and what can be learned from it)

Questions:

Conclusion

That's a wrap, folks! I really liked this first part of the path. It gave tons of useful information, and even though I didn't get my hands on too many tools or fun stuff yet, the fundamentals were still interesting to learn. I am now 5% done with the path, and I'm excited to keep working on it!