PREVIEW: Best 20 Pentesting Articles - Pentestmag

Dear PenTest Readers,

On the very special occasion of the last month of a decade, we would like to present you with a collection of 20 remarkable articles, chosen by our editors and grouped into 5 thematic blocks. The choice was based on our opinion, as well as valuable feedback from our internal reviewers and readers. There are about 250 pages of our best articles, so this edition is a great treat for every ethical hacker.

The “Colors of Pentesting” section is filled with great tutorials on Red Teaming and Blue Teaming. “Be Business-wise” will lead you into the world of attack vectors within the finance sector, as well as some tips on how to secure your API, automate your SOC, or organize the most efficient CTF model for your company. Next, “Model the Threat” will help you explore the art of threat modeling and the landscape of threat intelligence. Last but not least, something crucial for collective security: “Critical Infrastructure”.

Finally, there is also a “Miscellaneous” section, full of various interesting articles which don’t fit into any of the above-mentioned categories. And they don’t need to! They are just awesome reads on their own. Whether you are into automation of API pentesting, binary exploitation, pentesting with Python, or a report from a really interesting CTF competition, you will definitely find something for yourself!

Without further ado,
Let’s dive into the reading!

Table of Contents

I. Colors of Pentesting

Red Teaming Operations and Threat Emulation

by Boumediene Kaddour

In a real Red Team engagement, making communications occur directly between the target and the C2 server is a silly decision for an advanced operator. Attackers and Red Teamers use C2 redirectors to hide the real C2 server, for the purpose of protecting the C2 server IP address from identification. The best way to build a C2 infrastructure is to wisely choose legitimate domain names with a valid SSL certificate (Let's Encrypt), IP addresses, and well-known protocols like HTTP(S). There are various techniques and tools that can be used to implement a C2 redirector, including iptables, socat and the built-in Microsoft tool netsh.

Red Team C2 and Blue Team Detection

by Jesse Moore

Blue Teams can simulate Red Team operations by leveraging the Atomic Red Team GitHub project, which provides many Red Team commands to test detection mechanisms. Blue Teams can capture which Red Team commands are tested by standing up a Kansa environment. Kansa is a free framework from GitHub that helps defenders capture anything with the use of WinRM and PowerShell on Windows operating systems. If you can script it with PowerShell, then Kansa is able to push that script out to a fleet of Windows machines and return the output for further analysis of adversarial TTPs.

Red Team Scenario: Delivering a Trigger-able Outlook Malware via Macros

by Alexandros Pappas

By executing this malware, the Red Teamer can bypass this security prompt and in fact make the security prompt disappear from the end-user’s screen. The Red Teamer can achieve this by simultaneously loading the series of keystrokes that grant the attacker access to the victim's email box. In fact, by tuning the sleep values, the Outlook security prompt will never appear on the user's screen.

II. Be Business-wise

Social Engineering in the Age of Fintech

by Jeremy Walker and Sean Butler

Even as Fintech systems become increasingly automated, Social Engineering continues to be a major attack vector. According to the Cyber Security Firm KnowBe4, ninety-seven percent (97%) of malware is targeting users, rather than technical vulnerabilities. This article explores an example of both a remote and an on-prem social engineering method being combined with low sophistication attacks to obtain data associated with Fintech systems.

Securing the API Economy

by Abhi Singh

The network by virtue implements least privilege without relying on developers for it. This can be a manageability and scalability headache. One method to implement these capabilities is to use a “Service Mesh”. This mesh will determine how each service discovers the others (discovery) and talks to the others (routing). This was previously done using load balancers in front of each service. Following this logic, most of these load balancers are manually managed, and if you were to add a new service, you would open a change ticket that would be serviced by IT. Load balancers introduce a cost penalty and an agility penalty based on how fast an organization turns around the tickets, thereby defeating the overall purpose of rapidly scaling using microservices.

Security of the FIX Protocol: How To Intercept, Modify and Crash FIX Server with Mal-formatted Message

by napoleon182

The only confirmation of the counterparty identity during FIX communication is the check of the SenderCompID field (field id: 49). It is possible that by accident the SenderCompID will be revealed (for example, sent to another firm via email), which should be treated as a security breach, as knowing the SenderCompID will allow the attacker to steal the identity of the holder and use it in the attack (see the chapter on different attack methods and approaches). All things considered, firms should practice due diligence and treat SenderCompID as sensitive information.

Corporate Capture The Flag (CCTF) – Creating “The Hacker Mindset”

by Rohit Nambiar and David Kosorok

While external bug bounties are a great way to PenTest your application, what if you could achieve something similar by harnessing internal talent and maybe even develop new ones? The process would be slower but possibly more fruitful in the long run. While this cannot replace the regulatory required external PenTests, there could be a gradual substitute for many of the bi-annual or more frequent PenTests that don’t require external auditing. In the long haul, not only do your applications get tested but you have also created an army of security experts, each with unique mindsets gained from solving diverse types of challenges as part of the CTF.

The Red Pill of SOC Automation

by Nicolas Mattiocco

Because the assets are in continuous transformation and the spectrum of threat scenarios is reshaped every day, it has become clearly obvious that manual security assessments, classical yearly penetration testing or quarterly configuration reviews are not best practices anymore. Maybe they already belong to a bygone age. Because attackers are impressively gaining in velocity, organizations have to adapt their strategy for detecting cyber threats. On the defensive side, a SOC will never be able to hire enough people to analyze and respond to all alerts.

III. Model the Threat

Threat Modeling for Supply Chain Risks

by Cecilia Clark

To include vendors, work with them to develop their independent risk management strategy, mirroring the stringency of your own. If they are already security-focused and have a risk management plan in place, review it to ensure it includes the three basic categories of a cybersecurity plan. Once satisfied with their plan, use their text-based, detailed threat model to create a threat model map. Determine where your vendor’s systems connect to yours and link your threat model map to the vendor’s map at those points.

Preemptive and Proactive Protection from DDoS through Threat Intelligence

by Jalasutram Sai Praveen Kumar

Botnets are the soul of DDoS attacks. Botnets and DDoS attacks are interrelated when it comes to causing disruption to their victims. Threat actors create their own botnet networks by compromising multiple systems (bots/zombies) at various locations and coordinating them accordingly to divert enormous amounts of data packets towards their target, rapidly overwhelming the target’s bandwidth and disrupting its normal operations.

Purple Team Tactics and Threat Intelligence

by Alexandros Pappas

There is increasing recognition that Red Teams and Blue Teams should work together, creating a Purple Team. This Purple Team isn’t necessarily new, but a combination of existing Red and Blue Teams working together to serve an identical goal: improved organizational security posture! It might be regarded as a process (by engaging both Teams), as opposed to a unique entity. The Red Team should be conducting objective assessments mimicking known and quantifiable threats. As part of this process, the threat actor’s TTPs should be known. Based on this modern approach, the Purple Team improves security by removing the “win or lose” mentality between Teams, and enhances cooperation, as transparency benefits everyone.

IV. Critical Infrastructure

Deterministic Unidirectional Devices: Protecting OT Networks with Data Diodes

by Marlene Ladendorff, PhD

The Ukraine power grid compromise offers an example of the consequences that can result from a cyber-attack. A deterministic unidirectional device (data diode) would have circumvented the attack via the wired network cyber threat vector. Once the diode is installed, confirmation of unidirectional communication should be performed via penetration testing. Other possible circumventions of IT/OT network separation include data diode bypasses, improper data diode configuration, primary and backup diode composition, and incident response plans in the event of diode failure.

Industrial Cyber Physical Security Enhancement

by Cevn Vibert

Industrial cyber security is now deep into a form of arms race. Defenders need more defence tools and monitoring wizardry to detect and prevent attacks, but only if they can afford the resource, time and expertise costs. They are usually seriously hampered by a lack of budget and resources. Automation and security vendors are building more and more complex systems to help the defenders, but only if the defenders can afford the prices.

Pentesting SCADA Architecture

by Marlene Ladendorff, PhD

Significant differences exist between Enterprise IT and OT SCADA system architecture and functionality. IT systems are upgraded on a much more frequent basis than SCADA systems but the lifetime of SCADA systems is substantially longer than their IT counterparts. Penetration testing for IT systems can be performed on active networks while SCADA penetration testing should be limited to test bed or development systems and executed in a passive manner to not disrupt operations. All personnel involved or potentially affected by a penetration test should be included in a review of the test, an activity that some industries refer to as a pre-job brief.

V. Miscellaneous

Automating API Testing

by Chrissa Constantine

There is considerable value in automating portions of API pentesting. Commonly, pentesters open the web application and navigate to all of the pages, capturing the requests and responses in a security testing tool like Burp or OWASP ZAP. The use of API testing tools like SoapUI or Postman can help pentesters generate and submit web service requests. For SOAP calls, the WSDL can be challenging to read and to derive manual tests from. Tools that can be pointed at a WSDL or Swagger file (REST) are essential so that testers can work more efficiently. It is essential to spend time setting up the testing environment in preparation for analyzing the API.

APT In Action - Advanced Python Programming

by Boumediene Kaddour

If you are a penetration tester or incident responder, you have surely asked yourself a question while conducting a penetration test project or responding to a massive attack where “off-the-shelf” tools did not achieve what you were expecting: why did this tool fail to exploit this clear-as-blue vulnerability, and how can I move fast to provide a POC to my customer, who is paying me to emulate such a threat? Or how can I retrieve these forensic artifacts from this operating system before the case goes cold? The answer to the aforementioned questions is to develop your own tools using a fully featured, easy-to-use programming language like Python.

A Report From Western Regional Collegiate Cyber Defense Competition [February 28, 2019]

by Eric Crutchlow

As the end of day 2 approaches, it’s time to nuke all the Blue Team systems. The goal before was to create just enough havoc in a way that a Blue Team should be able to identify and remediate. This is one of the key areas that Blue Teams can make points, identify and remediate a hack and then report it (aka document the incident). But at one hour before the end of the competition, the Red Team is given the OK to use the nuclear option; take down all systems through any means possible (except DDoS).

10 Pitfalls When Working With Kubernetes

by Jeroen Willemsen and Eric Nieuwenhuijsen

When looking at accessing the workload, you should remember that at its core, the Kubernetes nodes just run Docker containers, which Kubernetes calls pods. One interesting attack vector to expand your foothold is via the actual containers themselves. When a container proves vulnerable by, for example, allowing SSH or kubectl exec, or the application allows you to achieve RCE, you have a great starting point. If you’re able to get inside a container, check if you can create new files and/or run/install kubectl: if not, then the container storage volumes are probably read-only, which will prevent a lot of manipulation of the containers.

Next-Generation Binary Exploitation

by Alcyon Junior (aka AlcyJones)

In this article, I propose to present a simple way of understanding binary code, up to a basic enumeration of the program, in order to start the binary exploitation. This modern technique is used for initial binary exploration, and aids in understanding how a program works in order to perform one of the most commonly used methods against systems and programs, known as Buffer Overflow.

Reverse Engineering SAP Security Notes

by Fred van de Langenberg

Using only two such SQL statements, an attacker can create a new SAP user and subsequently assign it super user privileges, which may then be used to attack the SAP system. In effect, it would be a major (and very efficient) type of attack if this vulnerability could be exploited.


July 23, 2021