[Editor's Note: For this year's SANS Pen Test Poster, we asked some of the best pen testers and instructors in the industry to share their wisdom in a series of tips, tricks, tools, and useful resources for various kinds of penetration tests. We got some great input on network pen testing, web app pen testing, mobile pen testing, exploit writing, and wireless pen testing. We'll be posting these really useful recommendations as a series of blog posts over the next few weeks. The first in the series is this set of recommendations from the amazing John Strand of Black Hills Information Security. -Ed.]
Methodology
- Recon - This is the one area most people skip over or put the least amount of effort into. Don't. Without question, this is the most important phase. If done correctly, it is possible to gain access to a network without using a single exploit. For example, take a look at the modules available in recon- ng. Some of our favorites are the pwnlist modules and namechk.
- Scanning - Try to be as accurate as possible. If your scanner supports a scan dedicated to PCI, don't use it. PCI scans have a very high false positive rate. If the project is a Crystal-box or Grey-box test, look into credentialed scanning. It will reduce the false positives, and the scan will run much faster. As an added bonus, it will also dramatically reduce the likelihood of crashing a system. Finally, always review the low and medium risk findings. These lower-risk findings may add up and result in significant potential for attack.
- Exploitation - Always explicitly set the TARGET in Metasploit, as it will reduce the likelihood of a target crash and will increase the likelihood of successful exploitation. Get very comfortable with the Social Engineering Toolkit. Learn how to bypass AV, see the reference section below.
- Post-Exploitation - After you have access to a target system, put the exploits away. Dump the passwords, crack the passwords. Get familiar with mimikatz. Get familiar with passing the hash. Get familiar with password spraying. Pivot mercilessly.
- Reporting - Tell a narrative and demonstrate the risk through screenshots and videos. Never, ever, copy and paste results from an automated tool.
Must-Have Tools
Software
- Kali Linux & Backtrack - An incredible collection of pen testing tools integrated together in a fantastic Linux distro.
http://www.kali.org/downloads - Mimikatz - Ever wished to pull clear-text passwords from memory? This tools grants that wish. By Benjamin Delpy
http://blog.gentilkiwi.com/mimikatz - Metasploit - Open Source exploit environment. Over 600 exploits. By HD Moore & the Metasploit development team
Metasploit.com - Recon-ng - The world's finest reconnaissance environment. By Tim Tomes lanmaster53.com
- Nmap - The best port scanner there is, and a whole lot more! By Fyodor and the Nmap development team
nmap.org - Maltego* - Doing open source reconnaissance can be hard and lead to a tremendous amount of data and work. Maltego makes it easy. By Paterva https://www.paterva.com/
- Python - If you have to learn one language, learn C++. But C++ is hard. Learn Python first. By Guido van Rossum
http://www.python.org - The Social Engineering Toolkit - Social engineering attacks, like phishing, made easy. So easy in fact, a 10 year old can use it. By Dave Kennedy http://www.trustedsec.com/downloads/social-engineer- toolkit
- Anonymizer Universal* - A fast and stable anonymizing proxy. By http://www.anonymizer.com
- FOCA - Automatically pull down files and extract metadata.
By Informatica64
http://www.informatica64.com/foca.aspx - THC-Hydra - The world's best remote password guessing tool. By Van Hauser http://www.thc.org/thc-hydra
- Ettercap - The world's best ARP cache poisoning and session hijacking tool. By Alberto Ornaghi (ALoR), Marco Valleri (NaGA), Emilio Escobar, and Eric Milam —http://ettercap.github.com/ettercap
- Cain and Able - Outstanding ARP cache poisoning and password- cracking tool. By Massimiliano Montoro http://www.oxid.it/cain.html
- John The Ripper - Our favorite general-purpose password- cracking tool. By Solar Designer http://www.openwall.com/john
- Oclhashcat - Hyper fast GPU based password-cracking tool. By Atom and Trac https://hashcat.net
- ISR-Evilgrade - Intercept and hijack software updates. By infobyte https://code.google.com/p/isr-evilgrade
- Wireshark - You will spend a tremendous amount of time analyzing packets. Wireshark makes it easy. By Gerald Combs http://www.wireshark.org
- Netcat - General purpose networking tool. It does just about everything. By The Hobbit http://netcat.sourceforge.net
- Scapy - The finest packet crafting tool in the world. By Philippe Biondi http://www.secdev.org/projects/scapy
Hardware
- Teensy* — Emulate keyboards to take over systems.
- Pwnplug* — Small, portable, powerful covert pen testing platform.* These tools are available on a commercial (cost) basis.
Resources for Staying Current
- http://www.pauldotcom.com
- http://pen-testing.sans.org/blog/
- http://www.darknet.org.uk/
- http://computer-forensics.sans.org/blog/
- http://www.darkoperator.com/
- http://lanmaster53.com/
- http://blog.commandlinekungfu.com/
- http://www.pentest-standard.org/
- https://community.rapid7.com/community/metasploit/blog
- http://www.tenable.com/blog
People to Follow on Twitter:
Associated SANS Courses
- SEC504: Hacker Techniques, Exploits, and Incident Handling www.sans.org/sec504
- SEC560: Network Penetration Testing and Ethical Hacking www.sans.org/sec560
-John Strand
@strandjs
