Dear PenTest Readers,
We would like to start with wishing Happy New Year to all of you! May it bring you success in your professional and personal lives. As we all know, the new year means new challenges in the world of cybersecurity. 2018 is now described as the year of data breaches, and it is more than likely that 2019 is going to be even more intense. That is why we would like to provide you with the best articles, case studies, and tutorials - our mission is to keep our readers up to date with current trends so that we can all avoid being lost in the course of sometimes chaotic events on the scene of cybersecurity.
We start the first month of 2019 with an issue focused on building your own pentest lab. Our authors present step-by-step tutorials on how to configure a proper testing environment with your own resources. Equally important, they reflect on the way of thinking that pentesters should apply. The content is composed of materials suitable for beginning, intermediate, and advanced pentesters, so everyone should find something of interest. As always, there are a couple of articles on other topics as well, as we want to present the broad horizon of cybersecurity knowledge and practice.
Without further ado, let’s dive into the reading!
Enjoy the content!
PenTest Magazine’s Editorial Team.
Table of Contents
Inspiring The Pentester
by Bruce Williams
Convergent and divergent thinking are not mutually exclusive. Each problem-solving process should be used in conjunction with the other to obtain maximum results. The best approach is to come up with the type of big-picture ideas that generate many possibilities or alternatives. The obvious possibilities are detailed first, however, they are followed by wild, random or outrageous ideas. At this point, convergent thinking is employed to filter out the least desirable ideas to work with more viable ones.
Building a Virtual Home-Lab for Pentesting Purposes
by Michael Lehmann Weng
No OT machine should ever need to go out on to the Internet, so no traffic should be allowed from the inside interface (LAN) of the firewall to the outside (WAN). Only to the DMZ. Always. No discussion. A key security design requirement. And apropos, as we are speaking about virtualization anyway, it should be obvious that any enterprise environment based on virtualization technology also should be separated. Yes, that means that any company that takes cyber security seriously should not run IT and OT VMs in the same hypervisor environment but have two different environments and infrastructures. And they should be separated by a very strong, and very physical, NGFW. Any pentester knows that companies who share the same hypervisor environment between IT and OT basically have no security, as vulnerabilities in the hypervisor software packages make it quite easy to move laterally (pivot) when inside the same environment. But hey, iron and storage are so cheap today, so there is hardly any excuse, right?
Pentest Lab in 2019
by Ahmed Mostafa
Don’t forget that one of the greatest malware worldwide, “Stuxnet”, was very hard to discover and professionals say it was awesomely coded. You can use artificial intelligence in this code, so it’s awesome that it runs without remote access and also bypasses very highly secured devices. This workstation will be for learning how to make backdoors, viruses, worms, ransomware and bots. It is one of the most important things to add to your lab, as you will need this to gain access to your target and give you the leverage. Remember that this workstation is very important to create and to care about, as every day there are hundreds of new malware and viruses. Many are detected but many are not, because awesome writers keep writing code that is hard to detect.
Pentesting Active Directory Infrastructure
by Mohit Panwar
All the attacks mentioned above abuse the NTLM authentication protocol, so the only complete solution to this is disabling NTLM completely and using Kerberos as the network authentication mechanism. Many organizations have legacy infrastructure that cannot be modified to support Kerberos authentication, thus disabling NTLM will carry a major business risk. As a mitigating factor, there are several settings that can be enabled to minimize the risk of enumeration, information disclosure, reconnaissance and relaying. These configurations and changes are specific to the infrastructure. Hence no screenshots or cmdlets are included for mitigation. The auditor/assessor would have to dig down deep and get such information for the infrastructure.
Build Your Own Pentesting Lab While Playing With Computers
by Dinesh Sharma
Let’s take one more example to understand why we need pentesting labs. There is a very busy airport in a country and there are many threats from terrorist groups. The government is very worried about the security of its people. They decided to test whether the existing police and bomb squad can handle the worst situation or not. They planned a mock drill with the police. The police received a call from an anonymous person that “There is a bomb inside the airport”. The police called the bomb squad, who tried to find the bomb and then defused it. In other words, they are preparing for the real-time situation. Likewise, in hacking, the pentester practices all the attacks in a virtual environment so they can fight the real hackers who will try to attack the Internet in real time.
Pentesting Lab on Budget
by Tyrone Reedy
In this article I am going to show you how to create your own pentesting lab that will emulate a standard office environment at no cost to you. This setup assumes that you have a decent computer (4 to 5 years old), with at least 8 GB of RAM and around 50 GB of hard drive space. This setup is great for beginner pen testers to seasoned professionals. Before I continue I want to thank John Douherty at his website itpro.outsidesys.com for his pfsense guide. Without further ado, let’s get started.
Cyber Security for Maritime Industry in Bangladesh
by Tawhidur Rahman
An essential step to mitigating cyber-attacks on maritime vessels is to begin updating existing ship systems and, more importantly, begin designing ships for increased security. This does not necessarily require fancier, more expensive equipment, but can be achieved with intelligent isolation of different systems and more secure, but still usable, passwords etc. to safeguard these systems. Compromised systems must also be designed to recover quickly and effectively so that the vessel is not left drifting and/or vulnerable. Furthermore, modifying systems to allow valid functions and prevent or flag dangerous options could detect attempted exploits and other cyber-attacks.
Hacking vs Penetration Testing
by Jeremy Walker
Hackers determine which resources they want to attack, and they determine the date and the time of day. They can attack vendors, clients, or partners in their pursuits. They are not burdened by artificial limitations of scope, and they aren’t hindered by written agreements. They can use unlicensed tools and modify code or programs to meet their objectives. They have the ability to go further and do more than the majority of penetration testers. Penetration testing is limited to a defined set of resources and often further restricted to specific days or even times of day. There are routinely restrictions on both tools and methods. Penetration testing requires written authorization from all parties whose resources are within scope, and each party may have unique restrictions.
Crowdsourcing Improvement in Cybersecurity and Bangladesh
by Tawhidur Rahman
Such crowdsourcing programs can help enterprises and software developers to allocate, monitor, and take the necessary measures to solve information security issues. The reported problems include, but are not limited to, direct and third-party hacking attacks, DDoS attacks, remote code execution exploitation, cross-site scripting, malware, viruses, and others. The collaborators are invited to detect such issues either before releasing a website or software or while it is functioning online. The technique of a crowdsourced reporting about information security problems is used by a vast number of major enterprises, such as Facebook, Microsoft, Mozilla, WordPress, Dropbox, Twitter, and Samsung.
Attacking Without Announce
by Jonathan Armas and Rafael Alvarez
We talk a lot about the advantages of extreme connectivity and availability of information, but so little about how secure our company’s, our client’s, or even our own personal data is. Here we want to guide you through some management policies we suggest that you could adopt in advance to be able to answer with high precision how secure your information is, how effective your defense measurements are, and also what could happen if you don’t apply these policies. From our experience, we know that company heads usually assume that "buying more technology" should solve all their security problems. Such a solution is, in fact, the main cause of the issue, because poorly implemented, built and/or configured technology is the source of all vulnerabilities.