Learning Pentest

Last modified by Riino Site on February 15, 2023 Pentest Cybersecurity

Outline

Computer network

  • HTTP

  • HTTPS

  • UDP/TCP

  • Proxy

  • ports and IP

nmap

  • Scan IP in selected scope

  • Scan IP randomly

  • Scan DNS address

  • Scan IP only

  • Scan UDP Service only

  • Check specific ports’ status

  • Load scripts

  • Zenmap GUI

  • Nmap Cheat Sheet

Burp Suite

flowchart LR
    APP --Request--> Brup_Suite_Intercept
    Brup_Suite_Intercept --Forward--> Server
    Server --Response-->Brup_Suite_Intercept
    Brup_Suite_Intercept --Response --> APP
  	Brup_Suite_Intercept --Drop--x N
  	Brup_Suite_Intercept --Send--> Brup_Suite_Comparer
  	Brup_Suite_Intercept --Send--> Brup_Suite_Decoder
  	Brup_Suite_Intercept --Send--> Brup_Suite_Intruder
  	Brup_Suite_Scanner --Request--o Server
  	Brup_Suite_Spider --Request--o Server
  	Brup_Suite_Repeater --Request--o Server
  	Brup_Suite_Intercept --Send--> Brup_Suite_Sequencer

Practice

  • nmap practice

  • brup practice

  • google hacking practice

  • firece & thehavester learning

  • SQLmap learning

  • netcat learning

Vulnerability Knowledge

Unsecure mechanism

Login; Logout; CAPTCHA ; Directory; Local File Vulnerability; Remote file Vulnerability ; File Inclusion Vulnerability

Session Management Testing

HTTP Only scenario; Secure Cookies; Session Fixation; CSRF; Bypass anti-CSRF;

Input Validation Testing

CSS Attacks

  • Reflected
  • Stored
  • DOM-based

SQL injection

  • In-band SQL injection

    • Error-based

    • Union-based

  • Blind SQL injection

    • Boolean-based

    • Time-based

  • Out-of-band (OOB) SQL injection
  • Automation
    • Commix
  • Command Injection
  • XML/XPATH Injection
  • PHP Code Injection

CVE/CWE Cases

  • Druppal SQL injection CVE-2014-3704

  • SQLite Manager File Inclusion CVE-2007-1232

  • SQLite Manager XSS CVE-2012-5105

  • Heartbleed CVE-2014-0160

  • HTML5 Insecure local storage CWE-922

  • ShellShock CVE-2014-6271

OWASP

MS-SDL

https://www.microsoft.com/en-us/securityengineering/sdl/practices

Pen-testing

flowchart LR
    a{Scan Services} --> b{Intercept Communication}
    b --> c{Testing}
    a -.- a1(Bypass firewall)
    a -.- a2(Scann ports, hosts)
    b -.- b1(Bypass client-side CA)
    b -.- b2(Burp Suit CA)
    b -.- b3(Domain target)
    c -.- c1(Generate payload)
    c -.- c2(vulnerability database)

Mobile Testing

  • MobSF learning/code reading

  • Pithos

  • Frida

  • iOS Jailbreak knowledge

  • Android smali scirpt editing

  • iOS client-side server CA

  • android client-side server CA

  • Bypass proxy CA issue

Hacking

Generate payload using metasploit

OWASP Mobile 10

SSDLC

  • Development lifecycle

  • Requirement -> Architecture -> Test Planning -> Coding -> Testing(CICD)-> Release

  • SSDLC Framework

  • NIST 800-64

  • MS SDL

    • Provide Training

    • Define Security Requirements

    • Define Metrics and Compliance Reporting

    • Perform Threat Modeling (e.g. STRIDE)

    • Threat Desired property
      Spoofing Authenticity
      Tampering Integrity
      Repudiation Non-repudiability
      Information disclosure Confidentiality
      Denial of Service Availability
      Elevation of Privilege Authorization

    • Establish Design Requirements

    • Define and Use Cryptography Standards

    • Risk of 3-rd Components Management

    • Use approved tools

    • Static Security Testing (SAST)

    • Dynamic Security Testing (DAST)

    • Penetration testing

    • Establish Standard Incident Response Process

  • OWASP CLASP

    image-20211207155425732

Anti-Sql injection in development

Anti-XSS

Anti-CSRF

Anti-Code injection

  • XPath
  • Json