This appears to be a long blog.
Take it in steps and digest it. I am not saying that you have any sort of attention deficit or anything like that!
Disagree with me if you want, we all come from learning initial tools and methodologies for ethical hacking. Please try to get through my small paragraphs to preface what I believe to be a most effective start to an ethical hack, IT sec-audit, IT security audit, penetration test, pen-test, whatever your company chooses to call it. Please muscle through points 1 and 2. They are important. The last several points are succinct and to the point.
Whether it was Sony hit by North Korea, Anonymous wreaking havoc using cyber-terrorism, corporate espionage, internal attacks on banks and commerce in general, the world is now hyper-aware of the fact that IT security is paramount to any entity that wishes to (1) maintain uptime, (2) maintain data, (3) keep proprietary things private and (4) maintain the reputation they have garnered through hard work. This should concern corporations across most industries.
Simply put: IT security needs to be a key ingredient that is marinated (discussed, tested, proved, retested, proved) and then infused into the foundation of any business that prizes the above mentioned points.
These entities are being breached through attacks using the Internet. And, perhaps, a few other strewn arsenals.
To combat this one can waddle through the manusha of open source, inexpensive commercial, and expensive tools but there is one thing that I do not hear that often which is of great importance in shoring up IT assets so that they cannot be breached. It is pretty obvious actually. See if you can pick up on this in this Top 6 Penetration (pen-testing) Tools of 2014; albeit while this is my own list I can guarantee that these top 6 tools work.
I am not saying that other tools should not be involved in the process of ethical hacking. In my penetration toolbox I house hundreds of tools. Yet, I believe these are the ones to start with and finish with.
So lets get started:
#1. Brain, Hands and Fingers.
Not a tool? Think again. You are the most valuable tool you have.
I think that most thinking people would subscribe to the thought process that company breaches/hacks occur only through computers. This is a fallacy. I am sure that the great hackers of the world including an acquaintance of mine, Kevin Mitnick, would also disagree. Getting the ‘goods’ on a business starts with using the brain.
Think about the term ‘brain hacked’. What does this mean? It means that someone can get employees of your company to give the culprit[s] what they want without even touching a key on their computer. Through malicious verbal cues and fake emotions it is possible to send signals through the cerebral cortex to the limbic system of a persons brain. This is the part of the cortex center of the nervous system that supports adrenaline flow, emotion, behavior, motivation, and many more things. You may have heard the phrase ‘the customer is always right’, ‘keep people happy and they will become repeat customers’, ‘don’t keep them on-hold for too long’, ‘give them a discount if they are disgruntled’, among many others.
How does this translate into ethically breaking into a business?
First, start by knowing the business. What do they do? What sensitive data do they house. What PII are they storing. Where is it stored? What does their network look like? How well trained are their employees? Example: If I made a few calls to their central office purporting to be a company manager how easy would it be for me to eventually create a organization chart, thereby identifying key people that I would then try to target or mimic?
You cannot come up with a list of employees at the company? Use the dial-by-directory. Usually #9. Do you get a switchboard operator when you call? Call after hours. A quick tangent: if you really need to use the punch and click approach, check out Paterva. You’ll appreciate this product but it does not beat Brains, Hands and Fingers.
Use LinkedIn, search by keywords for the business. Facebook, again, search by keyword for the business. The list goes on and on. If you want a pretty comprehensive list of social media sites then go here: A Pointer To a Comprehensive List of Social Media Sites on Wikipedia.
Use Google Dork commands to find email addresses of people at the company. There is a good chance that the email address nomenclature is email@example.com. Now you have a name and you can wring this through your brain, hand and finger tools to gain further information. Search the Internet.
Oh no! The company has tightened down their security? Nothing on their site gives information to the public that could be used to break into the business? Try the Web Archive. Nothing on the Internet goes away. Never.
We could go on for a long time on this step but hopefully this gives you some launching points with Brain, Hands and Fingers, Also Known as Manual Reconnaissance to start the ethical process of penetration testing.
#2. Hack The Mind Through Your Mouth.
Dr. Daniel Siegel, a professor of psychiatry at UCLA school of Medicine, co-director of the UCLA Mindfulness Awareness Research Center, executive director of the Mindsight Institute and author of several books, developed a field of study which has become known as interpersonal neurobiology.
He coined the term “mindsight” to describe the human capacity to perceive the mind of the self and others. On his website, Siegel writes:
“It is a powerful lens through which we can understand our inner lives with more clarity, integrate the brain, and enhance our relationships with others. Mindsight is a kind of focused attention that allows us to see the internal workings of our own minds. It helps us get ourselves off of the autopilot of ingrained behaviors and habitual responses. It lets us “name and tame” the emotions we are experiencing, rather than being overwhelmed by them.”
I would simply call it situational awareness. The problem is that a percentage of people in responsible positions lack this ability. I am not being disrespectful but some people can be tailed for blocks without realizing it and others will pick up on it within 200 feet.
The mind is made up of energy and information that flows back and forth. How?
Mouth. Words. Verbal allocution, external oration of internal monologue.
This can be successfully used in social engineering to gain access to proprietary data or nefarious endgames that can abolish the reputation of a company. Ergo the need to test these human pressure points to ensure that employees are properly trained.
However, this needs to be tempered to the appetite of the client involved because there are several variables involved that are important to company culture; trust, believing in management, not wanting to be tested. Resentment after a test. Attrition because of this. Balance is required in this endeavour.
#3. Tenable Nessus.
This one is short. Nessus is relatively inexpensive and works as a high-end vulnerability scanner. It is a launching point for The Top 1 and 2 Penetration (Pen-Testing) Tools of 2014. It will give you information that you can use to exploit security holes through software and through social engineering (which is really what points 1 and 2 come down to).
#4. Burp Suite.
A really great tool, well written and comprehensive in nature. Updated regularly. Commercial. Great support. When used in conjunction with Nessus you are starting to cover some of the field.
When you really want to get down to brass tacks please take heed of this advice: Injection attacks are still the #1 problem with web application security. Still. SQLMap has built in spidering ability, ergo my article on the Lazy Persons SQL Injection. Learn how to use it from the command line. Kill a two hour period in your day to do this and you’ll reap great rewards.
Notepad? Yeah. Or some sort of scratch pad to record odd looking URLs, subdomains that were not on your list, Google Dork results that appear to be out of scope but could simply be a result of the client not completely categorizing what they actually have in terms of IT assets. I have found more SQL injections than I wish to mention based on findings that were out of scope of the test process but which were unknown to the clients that I was working for. We own that?? Thats not us?? Yes and… yes.
I hope this helps those that read this blog as we continue our test efforts in 2015. Never forget that this is serious, important work and simply clicking a button to launch a scan is but a minute part of the IT security process.
My final thought in this blog, for whoever cares. There has been a lot of products, both quote and unquote open source and commercial, that have flooded the market this year. Scrutinize them before you utilize them.
If you can see that a product does not have a community, sustainability, upgradability and simple support, think twice. Go for tools that garner the support of a community that is professional and stands behind the product.
As we enter 2015 I hope that collaboration between ethical hackers/penetration testers continues to grow. That we can filter out useless tools and center more on The Top 6 Penetration Tools of 2014 points #1 and #2.
This is not Hollywood. It is the real world. Think about this going into 2015. How would you break into a business? That is the question that needs an answer from each of us.
Jock Pereira | jockpereira.com| firstname.lastname@example.org | 978-666-4000