Dear PenTest Readers,
While summer is still on, it’s worth remembering that soon enough it will be autumn, and then things usually get a bit cloudy. That’s why in the current edition we take a closer look at AWS pentesting. All pentesters are undoubtedly aware that methodologies for ethical hacking of the AWS cloud differ from the standard vulnerability assessment procedures, in line with the provider's policies.
Our contributors present you with practical tutorials on useful (and legitimate!) techniques and tools, such as PACU exploitation framework, cognitive hacking, test scenarios, and recommendations to prevent certain types of attacks.
If you would like to learn about topics other than AWS pentesting, there is also a fine bunch of articles and write-ups on other cybersecurity subjects! Inside, you will find a great tutorial on stack-based Buffer Overflow for Windows 32-bit systems, a fantastic article on Privileged Access Management, a piece on footprinting and reconnaissance for OSINT enthusiasts, a thorough guide to post-exploitation techniques in your pentests, an interesting article on Risk Assessment strategies in OT environments using the example of CIARA - a tool designed to help with such complex tasks, and an interview with a highly skilled and experienced pentester - Jeremy Walker, who is one of our regular contributors.
Special thanks to all authors, reviewers, and proofreaders who helped in the creation of this edition.
Without further ado,
Let’s dive into the reading!
(but don’t forget to also enjoy the rest of the summer while it lasts :) )
Table of Contents
Pentesting the Cloud
by Staford Titus
Pentesting has advanced by leaps and bounds alongside technical progress. Clouds (no pun intended) abound in the networked skies and hence are susceptible to attacks just like any other server or network. Securing them has emerged as a priority since clouds contain large amounts of data that, if compromised, could prove disastrous, especially for companies that store all their business data on them. Cloud pentesting is not the easiest, though, since a testing lab of sorts would be needed at the least, which, of course, could cost a lot given current cloud pricing. Even if you overcome all those hurdles and get your hands on something of the sort, you would still need vulnerable instances, and the knowledge to exploit them, in order to practice.
PACU: The AWS Exploitation Framework Equivalent to METASPLOIT
by Jhansi Jonnakuti
This article talks about the AWS platform. Before even jumping into pentesting and hacking, it is important to go through the AWS services and AWS Lambda, a serverless computing platform that lets you run your code, to ensure that we understand the scope of pentesting AWS, the goal of pentesting, and more. As administrators, we need to know how to secure a cloud, and this remains an issue even though the platform has built-in fault tolerance and monitoring services. If attackers target a cloud service, it is easy to exploit, just like any other traditional web hosting service, by attacking it and creating backdoors. To counter the bad guys, here comes “PACU”, an open source exploitation framework that challenges attackers by providing offensive security testing against the cloud. It was created by Rhino Security Labs, and it allows pentesters to exploit configuration flaws and much more in your AWS account. Patch management has built-in tolerance and error handling that helps maintain security for our organization, but providing layers of security is always a good principle for security professionals to follow. Let’s go ahead!
Advanced Techniques to Pentest Web and Mobile Applications Hosted in Cloud Environment [FULL ARTICLE AVAILABLE IN THE FREE PREVIEW VERSION]
by Baalaaji S
The article presents a couple of test scenarios with attacks on weakly configured cloud services, including cloud infrastructure, cloud web application, and API Key in a mobile application.
Cognitive Hacking of a resource in AWS Cloud
by Jamel Metmati
With the arrival of Cloud systems for organizations and unified communication supporting massive data and interconnection, the way the IT infrastructure and its management are designed contributes to exposing people to cognitive hacking. Not only can someone use social engineering and pretend to be making the same move as you, they can also exploit the cognitive functions of your brain to stimulate an action that they want you to take.
Windows Exploit Development: Stack-Based Buffer Overflow - Part 1
by Vinicius Vieira
The focus of this series of articles will not be to explain the basics of stacks, registers, etc., but rather to teach, in a practical and didactic way, the process of developing exploits for stack-based Buffer Overflow vulnerabilities. For that, we will start our studies with the classic buffer overflow on Windows 32-bit systems.
Post Exploitation Techniques for Penetration Test
by Rafael Silva
In this article, we will focus on the post-exploitation stage. The purpose of the post-exploitation phase is to determine the value of the machine and to maintain control of the machine for later use. The value of the machine is determined by the sensitivity of the data stored on it and the machine’s usefulness in further compromising the network. The methods described in this phase are meant to help the tester identify and document sensitive data; identify configuration settings, communication channels, and relationships with other network devices that can be used to gain further access to the network; and set up one or more methods of accessing the machine at a later time. In cases where these methods differ from the agreed-upon Rules of Engagement, the Rules of Engagement must be followed.
Privileged Access: How Many Keys to Your Kingdom, and Where Are They?
by Robbie Harriman, Scott Goodwin, Anthony Lucia, Jill Kamperides, and Michael Huffman
Privileged Access Management starts with a definition of “privilege” in the first stage of the PAM Lifecycle (Define). While some organizations only evaluate the most highly privileged accounts in their environment (e.g. Domain Admin in Active Directory, root access within Linux/Unix environments, “sa” account and db_owner on SQL Server databases), it is important to develop a definition of privileged access that takes into consideration the regulatory environment, as well as risks specific to the organization. Exploitation of an account with access outside of the above parameters could very well lead to regulatory compliance failure or even an information security breach if overlooked. Attackers will leverage lower-level privileges to gain a foothold and traverse a network, using lateral movement with the goal of escalating privileges. The earlier in the kill chain you can prevent exploitation of user privileges, the better.
Information Gathering: Footprinting
In this article, we will learn about footprinting and reconnaissance. We will see some of the useful tools and all you need is a PC with Kali Linux OS and a Metasploitable OS installed. I have demonstrated tools like dnsrecon, pingpath, tracert or traceroute, WhatWeb, and Nmap.
Risk Assessment Strategies for OT Environments
by Rani Kehat
The organization should select a particular risk assessment/analysis approach and methodology that identifies and prioritizes risks based upon security threats, vulnerabilities and consequences related to their IACS assets. Asset owners may assign different levels of integrity protection to different components, communication channels and information in their IACS.
“Technology is a rocket ship and training is a bus”
An Interview with Jeremy Walker
The breadth of the technology landscape is evolving daily. Technology is a rocket ship and training is a bus. Training is difficult and time consuming to create, and by the time it is ‘release ready’ it is already dated. Training just can’t keep up. It’s the same with the job market. People are going to school for various cyber-related fields and by the time they graduate they are behind. Demand is high, something like a few hundred thousand job openings last I looked, but if you haven’t already been in the business, it’s a huge spin-up time.