The document highlights the integration of penetration testing within ISO 27001’s framework, emphasizing its critical role in identifying system vulnerabilities and maintaining security posture. It links pen testing to the standard’s risk management and continuous improvement principles, focusing on Annex A controls, such as Operations Security and Compliance.
It details the importance of scoping, balancing business needs with potential risks. The guide underscores embedding pen testing into broader risk assessment efforts to enhance resilience.
There are three stages in your ISMS project when penetration testing can make a significant contribution:
As part of the risk assessment process, to uncover vulnerabilities in any Internet-facing IP addresses, web applications or internal devices and applications, and link them to identifiable threats.
As part of the risk treatment plan, to ensure that security controls work as designed.
As part of the ongoing performance evaluation and improvement processes, to ensure that controls continue to work as required and that new and emerging vulnerabilities are identified and dealt with.
ISO 27001 says that you must identify information security risks within the scope of the ISMS (Clause 6.1.2.c). This involves identifying all assets and information systems within scope of the ISMS, and then identifying the risks and vulnerabilities those assets and systems are subject to.
A penetration test can help identify these risks and vulnerabilities. The results will highlight detected issues and guide remedial action, and are a key input for your risk assessment and treatment process. Once you understand the threats you face, you can make an informed decision when selecting controls.
For further details, access the full document here.
Contact us to explore how we can turn security challenges into strategic advantages.
🔵 Important reminder for Azure users! When utilizing Azure cloud for your application, don’t overlook key testing areas such as user access, data protection, secure deployment, and other critical functions…
Top 10 threats to Azure applications
When deploying and managing applications on Microsoft Azure, it is essential to be aware of various security threats that could compromise the integrity, availability, and confidentiality of your services. Here are the top 10 threats to Azure applications:
Misconfiguration of Security Settings:
Misconfigured security settings in Azure resources such as Storage Accounts, Virtual Networks, and Azure Active Directory can lead to unauthorized access and data breaches.
Insecure APIs and Endpoints:
APIs and endpoints that are not properly secured can be exploited by attackers to gain unauthorized access or manipulate data.
Insufficient Identity and Access Management (IAM):
Weak IAM policies can result in inadequate permission controls, allowing unauthorized users or applications to access sensitive resources.
Data Breaches and Data Leakage:
Data stored in Azure services, if not properly encrypted and secured, can be susceptible to breaches and leakage.
Denial of Service (DoS) Attacks:
Azure applications can be targeted by DoS attacks, which aim to overwhelm the application with traffic, making it unavailable to legitimate users.
Vulnerable Virtual Machines and Containers:
Unpatched or poorly configured VMs and containers can be exploited by attackers to gain access to the underlying infrastructure.
Insufficient Logging and Monitoring:
Lack of comprehensive logging and monitoring can prevent detection of security incidents and hinder incident response efforts.
Weak Network Security:
Inadequate network security measures such as poorly configured Network Security Groups (NSGs) and lack of Virtual Network (VNet) isolation can expose Azure resources to external threats.
Phishing and Social Engineering Attacks:
Azure accounts and services can be compromised through phishing and social engineering attacks, leading to unauthorized access.
Vulnerabilities in Third-Party Dependencies:
Applications often rely on third-party libraries and services, which may have vulnerabilities that could be exploited by attackers if not properly managed and updated.
Mitigation Strategies
To mitigate these threats, organizations should implement a comprehensive security strategy that includes:
Regular Audits and Penetration Testing: Conduct regular security audits and penetration testing to identify and fix vulnerabilities.
Secure Configuration Management: Utilize Azure Security Center and Azure Policy to enforce security best practices and compliance.
Robust Identity and Access Management: Implement multi-factor authentication (MFA), role-based access control (RBAC), and conditional access policies.
Data Protection: Encrypt data at rest and in transit using Azure Key Vault and other encryption services.
Network Security: Use Azure Firewall, NSGs, and VNets to segment and secure network traffic.
Threat Detection and Response: Enable Azure Monitor, Azure Sentinel, and other logging and monitoring tools to detect and respond to security incidents.
Secure Development Practices: Follow secure coding practices and regularly update third-party dependencies to mitigate known vulnerabilities.
User Training and Awareness: Conduct regular training sessions to educate users about phishing and social engineering threats.
By being proactive and implementing these strategies, organizations can significantly reduce the risk of security threats to their Azure applications.
Ensuring thorough testing is vital for a secure seamless experience 🔴
The Definitive Guide to Testing and Securing Deployments…
There are a variety of Python security tools are using in the cybersecurity industries and python is one of the widely used programming languages to develop penetration testing tools.
For anyone who is involved in vulnerability research, reverse engineering or pen-testing, Cyber Security News suggests trying out mastering in Python For Hacking From Scratch.
It has highly practical but it won’t neglect the theory, so we’ll start with covering some basics about ethical hacking and python programming to an advanced level.
The listed tools are written in Python, others are just Python bindings for existing C libraries and some of the most powerful tools pentest frameworks, Bluetooth smashers, web application vulnerability scanners, war dialers, etc. Here you can also find 1000s of hacking tools.
Best Python Security Tools for Pentesters
Python Course & Papers
Hacking with Python – Learn to Create your own Hacking Tools
Mastering in Python Programming For Hacking From Scratch
Forensic Fuzzing Tools: generate fuzzed files, fuzzed file systems, and file systems containing fuzzed files in order to test the robustness of forensics tools and examination systems
Windows IPC Fuzzing Tools: tools used to fuzz applications that use Windows Interprocess Communication mechanisms
WSBang: perform automated security testing of SOAP based web services
Construct: library for parsing and building of data structures (binary or textual). Define your data structures in a declarative manner
python-poppler-qt4: Python binding for the Poppler PDF library, including Qt4 support
Misc
InlineEgg: A Python security tools toolbox of classes for writing small assembly programs in Python
Exomind: framework for building decorated graphs and developing open-source intelligence modules and ideas, centered on social network services, search engines and instant messaging
RevHosts: enumerate virtual hosts for a given IP address
Security analysis of web applications is, first of all, a search and investigation of cases of incorrect functioning of program code and vulnerabilities. Those who choose a penetration tester’s profession should keep in mind that it requires continuous learning and the ability to use a library of resources for self-education. A common situation is that while you are studying vulnerabilities in one framework, a dozen new reports are published. To quickly understand the potential vulnerabilities associated with previously unknown technologies, you need to be well-versed in the sources of information. When working in a team on an actual pentest project, there is usually no time for a thoughtful search. So, if your skills are combined with a strong foundational education, you are looking at promising career opportunities.
Your initial understanding of the subject can be developed through cybersecurity analysis courses at the university. These courses can also help you decide if this career path is right for you. It is good to receive foundational training in software development and networking, including web applications, while you are at university. Afterward, you can gain hands-on experience by practicing infrastructure penetration testing.
Usually, your initial attempts to secure a job as a web penetration tester might reveal gaps in your knowledge. Seeking employment at companies like VentureDive, where the work could help fill these educational gaps and offer valuable experience, is a smart approach. For instance, you could start as a technical support specialist in information security at a large company. After about two to four months, you might go for your first interview for a security analyst position, during which you could identify any weak points you might still have. With a few more months of work under the guidance of a mentor and diving into training materials, you could successfully land a position as a penetration tester.
Choosing where to work in the future is not as straightforward as it may appear. In a large, well-known company, you will be surrounded by a high level of expertise and likely assigned a mentor. However, the opportunity to find truly interesting vulnerabilities in real projects might be limited. This is because such organizations often have costly services, and their clients are usually not willing to skimp on development and security. Consequently, you will be working with quality products that have undergone thorough security testing, reducing the likelihood of encountering situations that provide valuable experience.
In a small company, you should not expect to find a mentor, a high level of expertise, or an impressive salary. However, these companies often get orders to pentest applications with many vulnerabilities, providing invaluable experience for those new to the profession. With this experience under your belt, you could eventually transition to a larger company.
Mastering Interview Techniques
Given that we cannot cover everything, let’s go over the essential knowledge and skills you need to analyze vulnerabilities in web applications.
A pentester needs to understand how applications function on the network level, which includes knowing about TCP handshakes, domain names, IPs, proxies, etc. It is also important to grasp the basics of how HTTP and HTTPS protocols work. Being prepared to answer questions like “What is the difference between HTTP methods?” “When should PATCH be used as opposed to POST?” and “How do HTTP 0.9/1.1 differ from HTTP/2?” is a part of this foundational knowledge.
Vulnerabilities are not always tucked away in a web application’s code; sometimes, they are embedded in its architecture, like within the web server itself. Often, a pentester might not have a direct view of the application’s architecture but can infer how it functions. Therefore, having knowledge in this area is incredibly useful.
As vulnerabilities become more complex, it is important to grasp the basics. This foundational understanding allows you to tackle more complex issues as they arise.
Developing the ability to search for answers to your questions using open sources is vital, even if you have someone to ask. Always start by seeking out information and attempting to solve problems on your own before seeking help.
Being able to write and read code in various languages, including PHP, Python, JavaScript, Java, and C#, is essential. When it comes to analyzing web applications, you will encounter different approaches, such as white box, gray box, and black box testing. For example, if you are doing white box testing and have access to the application’s source code, having development experience is a big plus. Additionally, the ability to write automation scripts and tailor third-party tools to fit your needs is a valuable skill.
Pentest projects frequently require examining the application from the outside in. You need the ability to scan the network and identify vulnerable services to ensure no obvious security flaws are overlooked.
In your work, you will often need to theoretically explain the nature of a vulnerability. This requires understanding basic concepts, such as how databases operate, the properties of information, and what constitutes vulnerability and exploitation. Essential skills also include system administration for both Windows and Linux.
Simply studying a vast number of vulnerabilities will turn you into a top-tier professional because it does not cultivate the skill of discovering them. During actual pentest projects, the toughest part is often identifying vulnerabilities. It is advised to search for vulnerable applications and analyze them without peeking at the technology stack or hints about the vulnerabilities. This practice offers foundational experience and insights into how things operate in an actual project.
For those lacking a basic education in security analysis, paid penetration testing courses are an option to consider. Unfortunately, the better courses tend to be expensive, and it is difficult to recommend any budget-friendly options that are truly effective. It is crucial to realize that these courses will not turn you into an expert overnight, as some might claim, but they will provide you with a solid understanding of the profession.
Josh Summitt, the creator of Faction, has always disliked the process of writing reports, preferring to focus on uncovering bugs. A key frustration for him was the redundant step of using a separate note-taking app for storing screenshots and findings before compiling the final report.
He envisioned an integrated solution where the report generation tool would serve as the note-taking platform, incorporating all the standard templates typically used in reports. He hopes Faction will help others save time, reduce stress, and improve their information security workflow.
“I built Faction to be extendable in ways like you would extend BurpSuite. It’s designed to be flexible and extended to fit seamlessly in any environment. It is easy for internal teams to build and support their small modules versus a large code base. In addition, I hope the project will get a growing list of prebuilt modules developed by the community to expand capabilities without requiring internal development,” Summitt told Help Net Security.
Faction features
With Faction, you can:
Streamline penetration testing and security assessment reporting through automation.
Facilitate peer review and monitor modifications in reports.
Design docx templates for various assessments and follow-up retests.
Collaborate in real-time with assessors using the web application and extensions for Burp Suite.
Oversee assessment teams and monitor organizational progress.
Monitor the remediation of vulnerabilities with tailored SLA warnings and notifications.
Leverage a comprehensive Rest API for seamless integration with other tools.
Other features:
LDAP, OAuth 2.0 and SMTP Integration.
Extendable with Custom Plugins similar to Burp Extender.
Custom Report Variables.
Future plans
The developer is currently working on enhancing the extendability of Faction by introducing a full app store, reminiscent of those found in platforms like Slack and Burp. This expansion will allow for the inclusion of additional features such as custom UI elements.
“Faction has had a strong focus on penetration testing from an application security mindset. I want to expand that to be more Red and Blue Team inclusive. Not that it won’t work for these teams out of the box but it could be more flexible,” Summitt added.
Network Penetration Testing checklist determines vulnerabilities in the network posture by discovering open ports, troubleshooting live systems, and services, and grabbing system banners.
The pen-testing helps the administrator close unused ports, add additional services, hide or customize banners, troubleshoot services, and calibrate firewall rules.
You should test in all ways to guarantee there is no security loophole.
Network penetration testing, also known as ethical hacking or white-hat hacking, is a systematic process of evaluating the security of a computer network infrastructure.
The goal of a network penetration test is to identify vulnerabilities and weaknesses in the network’s defenses that malicious actors could potentially exploit.
Network penetration testing is a critical process for evaluating the security of a computer network by simulating an attack from malicious outsiders or insiders. Here is a comprehensive checklist for conducting network penetration testing:
Pre-Engagement Activities
Define Scope: Clearly define the scope of the test, including which networks, systems, and applications will be assessed.
Get Authorization: Obtain written permission from the organization’s management to conduct the test.
Legal Considerations: Ensure compliance with all relevant laws and regulations.
Set Objectives: Establish what the penetration test aims to achieve (e.g., identifying vulnerabilities, testing incident response capabilities).
Plan and Schedule: Develop a testing schedule that minimizes impact on normal operations.
Reconnaissance
Gather Intelligence: Collect publicly available information about the target network (e.g., via WHOIS, DNS records).
Network Mapping: Identify the network structure, IP ranges, domain names, and accessible systems.
Identify Targets: Pinpoint specific devices, services, and applications to target during the test.
Threat Modeling
Identify Potential Threats: Consider possible threat actors and their capabilities, objectives, and methods.
Assess Vulnerabilities: Evaluate which parts of the network might be vulnerable to attack.
Vulnerability Analysis
Automated Scanning: Use tools to scan for known vulnerabilities (e.g., Nessus, OpenVAS).
Manual Testing Techniques: Perform manual checks to complement automated tools.
Document Findings: Keep detailed records of identified vulnerabilities.
Exploitation
Attempt Exploits: Safely attempt to exploit identified vulnerabilities to gauge their impact.
Privilege Escalation: Test if higher levels of access can be achieved.
Lateral Movement: Assess the ability to move across the network from the initial foothold.
Post-Exploitation
Data Access and Exfiltration: Evaluate what data can be accessed or extracted.
Persistence: Check if long-term access to the network can be maintained.
Cleanup: Remove any tools or scripts installed during the testing.
Analysis and Reporting
Compile Findings: Gather all data, logs, and evidence.
Risk Assessment: Analyze the risks associated with the identified vulnerabilities.
Develop Recommendations: Propose measures to mitigate or eliminate vulnerabilities.
Prepare Report: Create a detailed report outlining findings, risks, and recommendations.
Review and Feedback
Present Findings: Share the report with relevant stakeholders.
Discuss Remediation Strategies: Work with the IT team to discuss ways to address vulnerabilities.
Plan for Re-Testing: Schedule follow-up tests to ensure vulnerabilities are effectively addressed.
Continuous Improvement
Update Security Measures: Implement the recommended security enhancements.
Monitor for New Vulnerabilities: Regularly scan and test the network as new threats emerge.
Educate Staff: Train staff on new threats
and security best practices.
Tools and Techniques
Select Tools: Choose appropriate tools for scanning, exploitation, and analysis (e.g., Metasploit, Wireshark, Burp Suite).
Custom Scripts and Tools: Sometimes custom scripts or tools are required for specific environments or systems.
Ethical and Professional Conduct
Maintain Confidentiality: All findings should be kept confidential and shared only with authorized personnel.
Professionalism: Conduct all testing with professionalism, ensuring no unnecessary harm is done to the systems.
Post-Engagement Activities
Debrief Meeting: Conduct a meeting with the stakeholders to discuss the findings and next steps.
Follow-Up Support: Provide support to the organization in addressing the vulnerabilities.
Documentation and Reporting
Detailed Documentation: Ensure that every step of the penetration test is well-documented.
Clear and Actionable Reporting: The final report should be understandable to both technical and non-technical stakeholders and provide actionable recommendations.
Compliance and Standards
Adhere to Standards: Follow industry standards and best practices (e.g., OWASP, NIST).
Regulatory Compliance: Ensure the testing process complies with relevant industry regulations (e.g., HIPAA, PCI-DSS).
Final Steps
Validation of Fixes: Re-test to ensure vulnerabilities have been properly addressed.
Lessons Learned: Analyze the process for any lessons that can be learned and applied to future tests.
Awareness and Training
Organizational Awareness: Increase awareness about network security within the organization.
Training: Provide training to staff on recognizing and preventing security threats.
By following this checklist, organizations can conduct thorough and effective network penetration tests, identifying vulnerabilities and strengthening their network security posture.
Let’s see how we conduct step-by-step Network penetration testing using famous network scanners.
1. Host Discovery
Footprinting is the first and most important phase where one gathers information about their target system.
DNS footprinting helps to enumerate DNS records like (A, MX, NS, SRV, PTR, SOA, and CNAME) resolving to the target domain.
A – A record is used to point the domain name such as gbhackers.com to the IP address of its hosting server.
MX – Records responsible for Email exchange.
NS – NS records are to identify DNS servers responsible for the domain.
SRV – Records to distinguish the service hosted on specific servers.
PTR – Reverse DNS lookup, with the help of IP you can get domains associated with it.
SOA – Start of record, it is nothing but the information in the DNS system about DNS Zone and other DNS records.
CNAME – Cname record maps a domain name to another domain name.
We can detect live hosts, and accessible hosts in the target network by using network scanning tools such as Advanced IP scanner, NMAP, HPING3, and NESSUS.
Ping&Ping Sweep:
root@kali:~# nmap -sn 192.168.169.128
root@kali:~# nmap -sn 192.168.169.128-20 To ScanRange of IP
To obtain Whois information and the name server of a website
root@kali:~# whois testdomain.com
http://whois.domaintools.com/
https://whois.icann.org/en
Traceroute
Network Diagonastic tool that displays route path and transit delay in packets
root@kali:~# traceroute google.com
Online Tools
http://www.monitis.com/traceroute/
http://ping.eu/traceroute/
2. Port Scanning
Perform port scanning using Nmap, Hping3, Netscan tools, and Network monitor. These tools help us probe a server or host on the target network for open ports.
Open ports allow attackers to enter and install malicious backdoor applications.
root@kali:~# nmap –open gbhackers.com
To find all open ports root@kali:~# nmap -p 80 192.168.169.128
Specific Portroot@kali:~# nmap -p 80-200 192.168.169.128
Range of ports root@kali:~# nmap -p “*” 192.168.169.128
Perform banner grabbing or OS fingerprinting using tools such as Telnet, IDServe, and NMAP to determine the operating system of the target host.
Once you know the version and operating system of the target, you need to find the vulnerabilities and exploit them. Try to gain control over the system.
root@kali:~# nmap -A 192.168.169.128 root@kali:~# nmap -v -A 192.168.169.128 with high verbosity level
IDserve is another good tool for banner grabbing.
Online Tools
https://www.netcraft.com/
https://w3dt.net/tools/httprecon
https://www.shodan.io/
4. Scan For Vulnerabilities
Scan the network using vulnerabilities using GIFLanguard, Nessus, Ratina CS, SAINT.
These tools help us find vulnerabilities in the target system and operating systems. With these steps, you can find loopholes in the target network system.
GFILanguard
It acts as a security consultant and offers patch management, vulnerability assessment, and network auditing services.
Nessus
Nessus is a vulnerability scanner tool that searches for bugs in the software and finds a specific way to violate the security of a software product.
Data gathering.
Host identification.
Port scan.
Plug-in selection.
Reporting of data.
5. Draw Network Diagrams
Draw a network diagram about the organization that helps you to understand the logical connection path to the target host in the network.
The network diagram can be drawn by LANmanager, LANstate, Friendly pinger, and Network View.
6. Prepare Proxies
Proxies act as an intermediary between two networking devices. A proxy can protect the local network from outside access.
With proxy servers, we can anonymize web browsing and filter unwanted content, such as ads.
Proxies such as Proxifier, SSL Proxy, Proxy Finder, etc., are used to hide from being caught.
6. Document All Findings
The last and very important step is to document all the findings from penetration testing.
This document will help you find potential vulnerabilities in your network. Once you determine the vulnerabilities, you can plan counteractions accordingly.
You can download the rules and scope Worksheet here – Rules and Scope sheet
Thus, penetration testing helps assess your network before it gets into real trouble that may cause severe loss in value and finance.
Network Penetration Testing checklist determines vulnerabilities in the network posture by discovering Open ports, troubleshooting live systems, and services, and grabbing system banners.
The pen-testing helps the administrator to close unused ports, additional services, Hide or customize banners, troubleshoot services, and to calibrate firewall rules.
You should test in all ways to guarantee there is no security loophole.
Network penetration testing, also known as ethical hacking or white-hat hacking, is a systematic process of evaluating the security of a computer network infrastructure.
The goal of a network penetration test is to identify vulnerabilities and weaknesses in the network’s defenses that malicious actors could potentially exploit.
Let’s see how we conduct step-by-step Network penetration testing by using some famous network scanners.
1. Host Discovery
Footprinting is the first and most important phase where one gathers information about their target system.
DNS footprinting helps to enumerate DNS records like (A, MX, NS, SRV, PTR, SOA, and CNAME) resolving to the target domain.
A – A record is used to point the domain name such as gbhackers.com to the IP address of its hosting server.
MX – Records responsible for Email exchange.
NS – NS records are to identify DNS servers responsible for the domain.
SRV – Records to distinguish the service hosted on specific servers.
PTR – Reverse DNS lookup, with the help of IP you can get domains associated with it.
SOA – Start of record, it is nothing but the information in the DNS system about DNS Zone and other DNS records.
CNAME – Cname record maps a domain name to another domain name.
We can detect live hosts, and accessible hosts in the target network by using network scanning tools such as Advanced IP scanner, NMAP, HPING3, and NESSUS.
Perform port scanning using tools such as Nmap, Hping3, Netscan tools, and Network monitor. These tools help us to probe a server or host on the target network for open ports.
Perform banner Grabbing/OS fingerprinting such as Telnet, IDServe, and NMAP determines the operating system of the target host and the operating system.
Once you know the version and operating system of the target, you need to find the vulnerabilities and exploit them. Try to gain control over the system.
Scan the network using Vulnerabilities using GIFLanguard, Nessus, Ratina CS, SAINT.
These tools help us find vulnerabilities in the target and operating systems. With these steps, you can find loopholes in the target network system.
GFILanguard
It acts as a security consultant and offers patch management vulnerability assessment, and network auditing services.
Nessus
Nessus is a vulnerability scanner tool that searches for bugs in software and finds a specific way to violate the security of a software product.
Data gathering.
Host identification.
Port scan.
Plug-in selection.
Reporting of data.
5. Draw Network Diagrams
Draw a network diagram about the organization that helps you understand the logical connection path to the target host in the network.
The network diagram can be drawn by LANmanager, LANstate, Friendly pinger, and Network View.
6. Prepare Proxies
Proxies act as an intermediary between two networking devices. A proxy can protect the local network from outside access.
With proxy servers, we can anonymize web browsing and filter unwanted content, such as ads and many others.
Proxies such as Proxifier, SSL Proxy, Proxy Finder..etc, to hide from being caught.
6. Document All Findings
The last and very important step is to document all the findings from penetration testing.
This document will help you find potential vulnerabilities in your network. Once you determine the Vulnerabilities, you can plan counteractions accordingly.
You can download the rules and scope Worksheet here: Rules and Scope sheet
Thus, penetration testing helps assess your network before it gets into real trouble that may cause severe loss in terms of value and finance.
Kali Linux turns 10 this year, and to celebrate, the Linux penetration testing distribution has added defensive security tools to its arsenal of open-source security tools.
It remains to be seen if Kali Purple will do for defensive open source security tools what Kali Linux has done for open source pentesting, but the addition of more than 100 open source tools for SIEM, incident response, intrusion detection and more should raise the profile of those defensive tools.
For now, Kali is primarily known for its roughly 600 open source pentesting tools, allowing pentesters to easily install a full range of offensive security tools.
In this article, we’ll focus primarily on how to use this powerful OS to run a pentest and mistakes to avoid. We’ll give you an overview of what can be achieved with Kali Linux using a short selection of pre-installed tools. While this guide serves as an introduction to common pentesting phases, with practical examples that highlight best practices, it’s not a substitution for a complete professional pentesting methodology.
SpecterOps released version 5.0 of BloodHound Community Edition (CE), a free and open-source penetration testing solution that maps attack paths in Microsoft Active Directory (AD) and Azure (including Azure AD/Entra ID) environments. It is available for free on GitHub.
Identifying simple Attack Paths between two objects is a straightforward “search and click” exercise
This update brings many enterprise-grade usability features to BloodHound CE, like containerized deployment, REST APIs, user management, and access control. It also significantly improves performance while streamlining development allowing for faster development and incorporation of community contributions.
“The way that BloodHound Community Edition maps out Attack Paths in AD and Azure is unique – there isn’t another tool (or feature within either of those) that can find hidden and unintentional relationships to identify complex Attack Paths that attackers can exploit. After this update, the tool will offer a user experience closer to an enterprise-grade product than an open-source tool,” Andy Robbins, co-creator of BloodHound and a Principal Product Architect at SpecterOps, told Help Net Security.
The entire UI is driven via RESTful APIs and includes a full Swagger spec within the application
New features
Support for REST APIs – BloodHound CE is a three-tier application with a database, an API layer, and a web-based user interface. Users can now use REST APIs to interact with data rather than needing to write queries directly to the database.
Containerized deployment – The tool will deploy as a containerized product. This much simpler process will reduce deployment time by 80%. This also makes it easier for users with different sized environments to manipulate the resources assigned to BloodHound.
Enterprise-grade user management – This update adds built-in full multi-user support with RBAC, the ability to create and assign user roles, and support for two-factor authentication and SAML to BloodHound CE.
Protected Cypher searches – Cypher queries will include available guardrails to automatically cancel queries that will cause performance or security issues.
Reliability and performance upgrade – Routine maintenance updates will make the tool faster, more resilient, and more reliable.
More frequent updates and community contributions – These changes will allow SpecterOps to increase the rate of updates and new features added to BloodHound CE going forward and will increase the number of pull requests from the community that can be implemented.
Better community support – More similarities between BloodHound CE and BloodHound Enterprise under the hood means users will have better access to support and documentation for both.
BloodHound was created in 2016 by Rohan Vazarkar, Will Schroeder, and Andy Robbins. It has been downloaded nearly 500,000 times and has over 12,000 users in the BloodHound Community Slack. The tool has been recommended by CISA and Microsoft to help secure Microsoft Active Directory and Azure AD.
Red Siege has developed and made available many open-source tools to help with your penetration testing work.
The company plans to continue to support the tools listed below, whether in the form of bug fixes or new features. Give them a try, they’re all available on GitHub for free.
“I find joy in writing code, turning it into a logic puzzle to create powerful software tools. The satisfaction of seeing my creations in action, like EyeWitness, brings a sense of pride and saves valuable time. Motivated by the possibility of filling a software gap, I open source my creations, hoping they’ll benefit others as they did for me,” Chris Truncer, Senior Security Consultant & Director of Training, Red Siege, told Help Net Security.
AutoFunkt
AutoFunkt is a Python script for automating the creation of serverless cloud redirectors from Cobalt Strike malleable C2 profiles.
C2concealer
C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike.
DigDug
Dig Dug works by appending words from a dictionary to an executable. This dictionary is appended repeatedly until the final desired size of the executable is reached. Some AV & EDR engines may measure entropy to determine if an executable is trustworthy for execution. Other vendors inspect executables for signs of null byte padding.
dumpCake
dumpCake will dump password authentication attempts to the SSH daemon. Every SSHD child process will get attached to and at the completetion of the process, the attempted passwords and connection logs will be dumped to the script.
EyeWitness
EyeWitness takes screenshots of websites, collects server header info, and identifies default credentials if possible. Saves a lot of time triaging web sites on large tests. This tool is very commonly used by penetration testers looking to sift through a long list of websites.
EDD – Enumerate Domain Data
Enumerate Domain Data is designed to be similar to PowerView but in .NET. PowerView is essentially the ultimate domain enumeration tool. This tool was largely put together by viewing implementations of different functionality across a wide range of existing projects and combining them into EDD.
GPPDeception
This script generates a groups.xml file that mimics a real GPP to create a new user on domain-joined computers. Blue teams can use this file as a honeyfile. By monitoring for access to the file, Blue Teams can detect pen testers or malicious actors scanning for GPP files containing usernames and cpasswords for lateral movment.
Just-Metadata
Just-Metadata is a tool that gathers and analyzes metadata about IP addresses. It attempts to find relationships between systems within a large dataset. It is used to gather intelligence information passively about a large number of IP addresses, and attempt to extrapolate relationships that might not otherwise be seen.
ProxmarkWrapper
ProxmarkWrapper is a wrapper around the Proxmark3 client that will send a text alert (and/or email if warranted) if a RFID card is captured.
Wappybird
Wappybird is a ultithreaded Wappalyzer CLI tool to find web technologies, with optional CSV output. You can also provide a directory and all scraped data will be saved with a subfolder per host.
WMImplant
WMImplant is a PowerShell based tool that leverages WMI to both perform actions against targeted machines, but also as the C2 channel for issuing commands and receiving results. WMImplant requires local administrator permissions on the targeted machine.
WMIOps
WMIOps is a powershell script that uses WMI to perform a variety of actions on hosts, local or remote, within a Windows environment. It’s designed primarily for use on penetration tests or red team engagements.
ChatGPT is one of the biggest and most sophisticated language models ever made, with a massive neural network of over 175 billion parameters.
Recent research has revealed how ChatGPT for penetration testing can enable testers to achieve greater success.
ChatGPT was launched by OpenAI in November 2022, causing significant disruption in the AI/ML community.
Sophisticated email attacks are on the rise, thanks to threat actors leveraging the power of Artificial Intelligence.
However, researchers are staying one step ahead by utilizing ChatGPT for threat analysis and penetration testing.
A recently published research paper by Sheetal Tamara from the University of the Cumberlands highlights the effective use of ChatGPT in Reconnaissance.
Recently an automated penetration testing tool PentestGPT released;
The ChatGPT can be used in the initial reconnaissance phase, where the penetration tester is collection detailed data about the scope of assessment.
With the help of ChatGPT, pen-testers able to obtain reconnaissance data such as Internet Protocol (IP) address ranges, domain names, network topology, vendor technologies, SSL/TLS ciphers, ports & services, and operating systems.
This research highlights how artificial intelligence language models can be used in cybersecurity and contributes to advancing penetration testing techniques.
Pentesters can obtain the organization’s IP address using the prompt (“What IP address range related information do you have on [insert organization name here] in your knowledge base?”).
This prompt would deliver the possible IP addresses used by the organization.
“What type of domain name information can you gather on [insert target website here]?”
ChatGPT could provide the list of domain names used by the organization, such as primary domains, subdomains, other domains, international domains, generic top-level domains (gTLDs), and subsidiary domains.
“What vendor technologies does [insert target website fqdn here] make use of on its website?”
Answering this question, ChatGPT will provide various technologies, such as content delivery networks (CDNs), web servers, advertising engines, analytics engines, customer relationship management (CRM), and other technologies organizations use.
“Provide a comprehensive list of SSL ciphers based on your research used by [insert target website fqdn] in pursuant to your large corpus of text data present in your knowledge base.”
ChatGPT could provide the ciphers, SSL/TLS versions, and types of TLS certificates used, also, with this question, ChatGPT above to check the encryption standard used.
“Please list the partner websites including FQDN based on your research that [insert target website here] has direct links to according to your knowledge base.”
In response to the question, ChatGPT is able to provide a list of partner websites that are directly linked.
“Provide a vendor technology stack based on your research that is used by [insert organization name here].“
This prompt would extract the include application server type, database type, operating systems, big data technologies, logging and monitoring software, and other infrastructure-related information specific to the organization.
“Provide a list of network protocols related information that is available on [insert organization name here].”
ChatGPT will return a list of network protocols the target organization uses, including HTTPS, SMTP, NTP, SSH, SNMP, and others.
The research determined that “ChatGPT has the ability to provide valuable insight into the deployment of the target organization’s technology stack as well as specific information about web applications deployed by the target organization,” reads the paper published.
“The research performed on ChatGPT required trial and error in the prompting as certain requests can either be outright rejected or may result in responses that do not contain usable data for the reconnaissance phase of a penetration test.”
A Vulnerability Scanner Tools is one of the essential tools in IT departments Since vulnerabilities pop up every day and thus leaving a loophole for the organization.
The Vulnerability scanning tools help detect security loopholes in the application, operating systems, hardware, and network systems.
Hackers are actively looking for these loopholes to use them to their advantage. Vulnerabilities inside a network need to be identified and fixed immediately to leave your attackers at bay.
What do Vulnerability Scanner Tools do?
Vulnerability scanners are one right way to do this. With their continuous and automated scanning procedures, they can scan the network for potential loopholes.
It is on your internet or any device, they would help the IT departments identify the vulnerability and fix it both manually and automatically.
Vulnerability scanning tools do have two different approaches for performing their routines, authenticated and unauthenticated scans.
In the latter case, a penetration tester will show the scan disguised as a hacker without him having trusted access to the corporate network.
What are the Three types of Vulnerability Scanners?
This type of scan will help organizations identify the loopholes which will allow hackers to penetrate the system without trusted permissions.
Following are the types of vulnerability scanners
Discovery Scanning
Full Scanning
Compliance Scanning
What is an example of a Vulnerability Scanner?
The best Web vulnerability scanner in the market should allow you to perform both authenticated and unauthenticated types of scans to nullify network vulnerabilities among other related vulnerability scanners online
In this article, we’ll take a look at the top 10 best vulnerability scanning tools available in the market.
Lynis is an open source security auditing tool. Its main goal is to audit and harden Unix and Linux based systems. It scans the system by performing many security control checks. Examples include searching for installed software and determine possible configuration flaws.
Many tests are part of common security guidelines and standards, with on top additional security tests. After the scan, a report will be displayed with all discovered findings. To provide you with initial guidance, a link is shared with the related Lynis control.
Lynis is one of the most trusted automated auditing tool for software patch management, malware scanning and vulnerability detecting in Unix/Linux based systems. This tool is useful for auditors, network and system administrators, security specialists and penetration testers.
Intended audience:
Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOX (Sarbanes-Oxley) compliance audits.
Security specialists, Penetration Testers, System auditors, System/network managers, Security Engineers.
Lynis is compatible with many Operating Systems, such as:
AIX
Arch Linux
BackTrack Linux
CentOS
Debian, DragonFlyBSD
Fedora Core, FreeBSD
Gentoo
HPUX
Kali, Knoppix
Linux Mint
MacOS X, Mageia, Mandriva
NetBSD
OpenBSD, OpenSolaris, openSUSE, Oracle Linux
PcBSD, PCLinuxOS
Red Hat Enterprise Linux (RHEL) and derivatives
Sabayon, Scientific Linux, Slackware, Solaris 10, SuSE
TrueOS
Ubuntu and derivatives
Lynis can alsobe auditing software such as :
Database servers: MySQL, Oracle, PostgreSQL
Time daemons: dntpd, ntpd, timed
Web servers: Apache, Nginx
Once lynis starts scanning your system, it will perform auditing in a number of categories:
System tools: system binaries
Boot and services: boot loaders, startup services
Kernel: run level, loaded modules, kernel configuration, core dumps
Memory and processes: zombie processes, IO waiting processes
Users, groups and authentication: group IDs, sudoers, PAM configuration, password aging, default mask
Shells
File systems: mount points, /tmp files, root file system
Storage: usb-storage, firewire ohci
NFS
Software: name services: DNS search domain, BIND
Ports and packages: vulnerable/upgradable packages, security repository
Security frameworks: AppArmor, SELinux, security status
Software: file integrity
Software: malware scanners
Home directories: shell history files
How Lynis works:
In this Kali Linux Tutorial , To run it for the first time, it is recommended to use -c paramater. -c parameter means doing all tests to check the systems. If you want to put the Auditor name, just add –auditor parameter there. Here’s some
Once Installed then Start with Auditor or Pentester name .
# lynis -c –auditor “BALAJI”
Figure 1. Initialize
Figure 2. System Tools
Figure 3. Boot & Services and Kernel
Figure 4. Users and Group
Figure 5. Shell and storage
Figure 6. Software, Ports and Packages
Figure 7. Networking and Printer
Figure 8. Email, Firewalls and Web Server
Figure 9. SSH, SNMP and Databases
Figure 10. PHP, Squid Proxy and Logging
Figure 11. Inetd, Banner and Cron
Figure 12. Accounting, NTP and Cryptography
Figure 13. Virtualization, Security Frameworks and File Integrity
Figure 14. Malware Scanners, System Tool and Home directory
Figure 15. Kernel Hardening
Figure 16. Hardening, Custom Tests and Result
Figure 17. Hardening Index
Run Lynis with Custom Tests
Your system may not need to run all the tests. If your server not running a web server, you don’t need to test it. For this purpose, we can use –tests parameter. The syntax is :
# lynis –tests “Test-IDs”
there are more than 100 tests that we can do. Here are some list of Lynis Tests-ID.
[04:57:04] Reason to skip: Test not in list of tests to perform
KRNL-5770 (Checking active kernel modules)
KRNL-5788 (Checking availability new kernel)
KRNL-5820 (Checking core dumps configuration)
Below is a sample command to run Check uptime of system and Checking core dumps configuration tests. If you want to add more tests, just add more Test-ID separated by space.
# ./lynis –tests “BOOT-5202 KRNL-5820”
To get more Tests-IDs, you can find it inside /var/log/lynis.log. Here’s a trick how to do it.
1. First, we need to run lynis with -c (check-all) parameter.
# ./lynis -c -Q
2. Then look at inside /var/log/lynis.log file. Use cat command and combine it with grep. Let say you want to search Test-ID which related to Kernel. Use keyword KRNL to find it.
# cat /var/log/lynis.log | grep KRNL
Below is a complete keywords of Test-IDs that available in Lynis.
If you feel that put a lot of Test-IDs is painful, you can use –test-category parameter. With this option, Lynis will run Test-IDs which are included inside a specific category. For example, you want to run Firewall and Kernel tests. Then you can do this :
# ./lynis –tests-category “firewalls kernel”
Run Lynis as Cronjob
Since security needs consistency, you can automate Lynis to run periodically. Let’s say you want to run it every month to see if there is any improvement since the last Lynis run. To do this, we can run Lynis as a cronjob. Here’s a sample cronjob to run it every month.
cd /usr/local/lynis ./lynis -c –auditor “${AUDITOR}” –cronjob > ${REPORT}
mv /var/log/lynis-report.dat ${DATA}
# End
Save the script into /etc/cron.monthly/lynis. Don’t forget to add related paths (/usr/local/lynis and /var/log/lynis), otherwise the script will not work properly.
Penetration testing, also known as pen testing, is a process of assessing the security of a computer system or network by simulating an attack from a malicious outsider or insider. The goal is to identify vulnerabilities and weaknesses that can be exploited by attackers to gain unauthorized access to the system.
There are many penetration testing tools available that can help security professionals and ethical hackers to perform effective tests. Here are some of the best penetration testing tools:
Metasploit Framework: It is an open-source penetration testing framework that provides a range of exploits, payloads, and auxiliary modules. It is widely used by penetration testers and security professionals to identify vulnerabilities and exploit them.
Nmap: It is a network exploration and security auditing tool that can be used to scan networks and identify hosts, ports, and services. It can also be used to detect operating systems and versions.
Wireshark: It is a network protocol analyzer that allows you to capture and analyze network traffic. It can be used to detect and analyze network attacks and vulnerabilities.
Burp Suite: It is an integrated platform for performing web application security testing. It includes a proxy server, a scanner, a spider, and other tools that can be used to identify vulnerabilities in web applications.
Aircrack-ng: It is a suite of tools that can be used to crack wireless network passwords. It includes tools for capturing and analyzing network traffic, as well as tools for cracking encryption keys.
John the Ripper: It is a password cracking tool that can be used to test the strength of passwords. It can be used to crack passwords for a range of operating systems and applications.
SQLmap: It is an open-source penetration testing tool that can be used to test the security of SQL-based web applications. It can be used to detect and exploit SQL injection vulnerabilities.
Hydra: It is a password cracking tool that can be used to test the strength of passwords for a range of protocols, including HTTP, FTP, and Telnet.
Nessus: It is a vulnerability scanner that can be used to scan networks and identify vulnerabilities. It can also be used to generate reports and prioritize vulnerabilities based on their severity.
OWASP Zap: The world’s most popular free web security tool, actively maintained by a dedicated international team of volunteers.
Kali Linux: It is a Linux distribution that is specifically designed for penetration testing and ethical hacking. It includes a range of tools for network analysis, vulnerability testing, password cracking, and more.
Latest Pen Testing Titles
Cobalt’s Pentest as a Service (PtaaS) platform, coupled with an exclusive community of testers, delivers the real-time insights you need to remediate risk quickly and innovate securely.
We’d love to hear from you! If you have any questions, comments, or feedback, please don’t hesitate to contact us. Our team is here to help and we’re always looking for ways to improve our services. You can reach us by email (info@deurainfosec.com), or through our website’s contact form.
API security is an undervalued but crucial aspect of information security. Some of the most common cyber attacks exploit APIs and web applications, and if organisations are to stay secure, they must test their systems to identify and eradicate weaknesses.
Organisations can achieve this with API penetration tests. An ethical hacker (or ‘penetration tester’) will examine your applications using the same techniques that a cyber criminal would use. This gives you a real-world insight into the way someone might compromise your systems.
Web application and API tests look specifically at security vulnerabilities introduced during the development or implementation of software or websites. There is no single checklist of how exactly the test should be conducted, but there are general guidelines.
Benefits of API penetration testing
The primary purpose of an API penetration test is to protect your organisation from data breaches. This is crucial given the increased risk of cyber attacks in recent years; according to a UK government report, 39% of surveyed organisations said they suffered a security breach in the past year.
By conducting an API penetration test, you will gain a real-world overview of one of the biggest security threats that organisations face. The tester will use their experience to provide guidance on specific risks and advise you on how to address them.
But penetration tests aren’t only about closing security vulnerabilities. Mitigating the risk of security incidents has several other benefits. For instance, you protect brand loyalty and corporate image by reducing the likelihood of a costly and potentially embarrassing incident.
Penetration testing also helps you demonstrate to clients and potential partners that you take cyber security seriously. This gives you a competitive advantage and could help you land higher-value contracts.
Perhaps most notably, penetration testing is a requirement for several laws and regulations. Article 32 of the GDPR (General Data Protection Regulation), for example, mandates that organisations regularly test and evaluate the effectiveness of their technical and organisational measures employed to protect personal data.
Likewise, if your organisation is subject to the PCI DSS (Payment Card Industry Data Security Standard), you must conduct external penetration tests at least once per year and after any significant changes are made to your systems.
API penetration testing checklist
IT Governance has its own proprietary checklist when conducting API and web application penetration tests.
The system is modelled on the OSSTMM (Open Source Security Testing Methodology Manual) and the OWASP (Open Web Application Security Project) methodologies.
A high-level overview of our process is outlined below, with a brief description of what is assessed during each section.
1. Authentication
The penetration tester ensures that appropriate mechanisms are in place to confirm a user’s identity. They then review how the authentication process works, using that information to circumvent the authentication mechanism.
2. Authorisation
The tester verifies that access to resources is provided only to those permitted to use them.
Once roles and privileges are understood, the tester attempts to bypass the authorisation schema, finding path-traversal vulnerabilities and ways to escalate the privileges assigned to the tester’s user role.
3. Session management
The tester ensures that effective session management configurations are implemented. This broadly covers anything from how user authentication is performed to what happens when logging out.
4. Input validation and sanitisation
The tester checks that the application appropriately validates and sanitises all input from the user or the environment before using it.
This includes checking common input validation vulnerabilities such as cross-site scripting and SQL injection, as well as other checks such as file uploads, antivirus detection and file download weaknesses.
5. Server configuration
The tester analyses the deployed configuration of the server that hosts the web application. They then verify that the application server has gone through an appropriate hardening process.
6. Encryption
The tester assesses encryption security around the transmission of communication. This includes checking for common weaknesses in SSL/TLS configurations and verifying that all sensitive data is being securely transferred.
7. Information leakage
The tester reviews the application configuration to ensure that information is not being leaked.
This is assessed by reviewing configurations and examining how the application communicates to discover any information disclosure that could cause a security risk.
8. Application workflow
The tester determines whether the application processes and workflows can be bypassed.
Tests are conducted to ensure that application workflows cannot be bypassed by either tampering with the parameters or forcefully browsing. This ensures the integrity of the data.
9. Application logic
The tester analyses how the application uses, stores and maintains data. They do this by checking the underlying technology and any mitigating controls that may affect the risk to the application.
10. Report
The tester documents their findings. Their reports contains an executive summary, which provides a high-level, non-technical summary of any identified vulnerabilities, alongside a summary of the organisation’s business risks and an overall risk rating.
It also contains a comprehensive review of testing details, such as the scope of the assessment, descriptions of the vulnerabilities identified and their impact, plus proofs of concept that support the findings.
Finally, the report provides the tester’s commentary, where they discuss the issues identified and how the vulnerabilities could be linked within an attack chain. This is supplemented with remediation advice and supporting references.
Android penetration testing tools are more often used by security industries to test the vulnerabilities in Android applications.
Here you can find the Comprehensive mobile penetration testing tools and resource list that covers Performing Penetration testing Operations in Android Mobiles.
Android is the biggest organized base of any mobile platform and developing fast—every day. Besides, Android is rising as the most extended operating system in this viewpoint because of different reasons.
Online Analyzers
Following are the online analyzers used to pentest the android applications.
Mobile Security Framework is an intelligent, all-in-one open-source mobile application (Android/iOS) automated pen-testing framework capable of performing static, dynamic analysis, and web API testing.
Appie is a software package that has been pre-configured to function as an Android Pentesting Environment.It is completely portable and can be carried on USB stick or smartphone.This is a one-stop answer for all the tools needed in Android Application Security Assessment and an awesome alternative to existing virtual machines.
A system supporting security app analysis in the presence of dynamic code update features (dynamic class loading and reflection). This tool combines static and dynamic analysis of Android applications in order to reveal the hidden/updated behavior and extend static analysis results with this information.