2. Disclaimer
Never ever try to do a pentest based on this slideshow
Many things are not included because
I don’t know everything
90 minutes is not enough to explain this
4. The source for this
http://www.pentest-standard.org
https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
5.
6. Structure of this presentation
Project management part
● 99% of the people think this is boring
● The more projects you do, the more you value a good project management
The hack part
● Bad news, only the second part will deal with this
● Business logic goodies
7. Is this legal?
Check that you own the system (warning, trolling potential ahead)
If not, check that the client who pays you owns the system
Check that the project already started - Once I did not check this :)
If possible, know ahead what is test env and what is production env
If possible, test the test environment
Basic tests should be done on prod as well
Check the IP range at least twice
8. Pre-engagement
Estimate time
Define scope
Define scope exactly - very very important
Avoid scope creep
Use a questionnaire (pentest-standard.org)
Pro-tip: provide your static external IP address to the client before any test starts
10. Typical web questionnaire
● How many web applications are being assessed?
● How many login systems are being assessed?
● How many static pages are being assessed? (approximate)
● How many dynamic pages are being assessed? (approximate)
● Will the source code be made readily available?
● Will there be any kind of documentation?
○ If yes, what kind of documentation?
● Will static analysis be performed on this application?
● Does the client want fuzzing performed against this application?
● Does the client want role-based testing performed against this application?
● Does the client want credentialed scans of web applications performed?
11. Define goal of the test!
Pentesters usually want to be domain admin!
Not every client wants this
Define limits
E.g. I promise not to use local root exploits to gain root privileges on prod
I promise not to use any memory corruption exploits
I promise not to dump the whole database
I promise not to lockout all the users from the prod
Communications - PGP / Signal instead of plain text email
13. Blind test / double blind test
Blind test
Pentesters have same starting point as any hacker, no info, no credz
Double blind
Will the security monitoring group/ IT group know about the test?
If not, what happens when they detect an incident?
14. Gather intelligence
Most overlooked part of the test
People look at this as boring - I want XSS and SQLi and RCE!
Hot topic - find resources which are live for 1-2 minutes
Professionals know proper intelligence gathering is key to success
Can find new entries to the company network even the admins don’t know about
There are thousands of non-technical ways for intelligence gathering
Use your creativity
Check http://www.pentest-standard.org/index.php/Intelligence_Gathering
15. Gather intelligence - technical stuff
● Passive Reconnaissance
○ WHOIS Lookups
○ BGP looking glasses
○ Google Dork
● Active Footprinting
○ Port Scanning - Zsombor NMAP
○ Banner Grabbing
○ SNMP Sweeps
○ Zone Transfers
○ SMTP Bounce Back
○ DNS Discovery
○ Forward/Reverse DNS - SHARED HOSTING FTW!!!!!
○ DNS Bruteforce
○ Web Application Discovery
○ Virtual Host Detection & Enumeration
16. If this is an internal test system
Ask to turn off IPS/WAF
If behind cloud WAF, you might be able to completely bypass it
Ask to turn off Captcha
17. Discuss with the system admin/system
owner/whatever
Whitebox/grey box /black box???
Vulnerability assessment / ethical hacking / both
● https://silentsignal.hu/docs/S2_Fogalomtar_v1.pdf
Ask for users, probably users from different roles
Ask for 2 users on the same level
2 admin + 2 user == 4 user to test with
18. Threat agent/capability analysis
Internal External
Employees Business
Partners
Management (executive, middle) Competitors
Administrators (network, system, server) Contractors
Developers Suppliers
Engineers Nation
States
Technicians
Organized Crime
Contractors (with their external users) Hacktivists
General user community Script Kiddies (recreational
19. Understand the application
First, always click through the app
Map all the functionalities
Read the man/doc if any
● Check for credentials in the doc, it happens
21. A good test needs
An experienced, motivated tester with dedicated time
Good tools (e.g. automated scanner, …)
The tester should know how to use the tools, and when not to use it
The tester should know how to create new tool if needed
22. Automated scanners
Automated scanners are good at many things
● Find SQLi, test many many parameters, create a good baseline test
Automated scanners are bad at
● Find/exploit business logic flaws
● Exploiting found vulns
● Chaining vulns
● Find vulns in the not first step of a workflow (multi-page forms)
24. Business logic tests
Rewrite the price for the item to be purchased
● A.k.a how college students were able to buy flat-screen TV when it was new
to the market
Navigate to last form page to bypass security checks
Rewrite the account ID to see someone else’s account
● Error, account #x belongs to client #z
○ Rewrite both #x and #z
Use the same coupon multiple times in the same session
25. Business logic tests
Bypass Captcha-s via OCR
Bypass password resets, bypass 2FA
Transfer -10000 USD to “friend”
Access “company news” before release - predictable sequential news ID
● Use for trading before market know this
Jeremiah Grossman; Arian Evans;Trey Ford
Get Rich or Die Trying - Making Money on the Web the black hat way - 2009
https://www.youtube.com/watch?v=SIMF8bp5-qg
