Dear PenTest Readers,
Summer is a perfect time to start a journey with something new, isn’t it? That’s why this month we decided to prepare an issue dedicated to all of you who are keen on getting into cybersecurity, but are still waiting to take the very first practical steps. Our contributors present you with various aspects of pentesting that are pillars of every cybersecurity expert to-be!
You’ll learn about the basics of AWS security, Shell Scripting for your very first tools, and IoT. What’s more, you are going to learn about interesting tools that use the Shodan search engine - it is a must for your OSINT practice at the reconnaissance stage before your pentests :)
For those of you who are already more advanced in pentesting, we also have a lot of interesting reads! We highly recommend the article on starting your cybersecurity start-up, if you’re thinking about getting your own business ready. Moreover, in this edition, you will find articles on advanced ethical hacking techniques. You’ll read about two ways to gain access to a domain controller in situations where there is no way to attack the lsass process, and a super interesting case of threat hunting for Remote Desktop Protocol (RDP) discovery.
To sum up, something cool for everyone, as usual :)
Let’s dive into the reading!
PenTest Magazine's Editorial Team
Table of Contents
Shell Scripting for Bug Bounty Hunters and Pentesters
by Sushant Kamble
This article is suitable for beginner bug hunters/pentesters who want to automate their testing to reduce time. This article focuses more on a practical approach rather than a theoretical one.
AWS: Offensive & Defensive Cloud Security 101
by Tatjana Stojnic
IAM misconfigurations have their own section because IAM is one of the parts of AWS most vulnerable to security issues. For example, leaving “Describe” operations such as “DescribeInstances” enabled on roles allows the viewing of all network components. Allowing too many users to have Full Admin access might sound convenient, but taking shortcuts and being lazy with assigning permissions to users creates an avenue for security problems to occur.
Three Scary Tools That Use the Shodan Search Engine [FULL ARTICLE AVAILABLE IN THE FREE PREVIEW VERSION]
Shodan is a search engine very different from the classic search engines that we are used to. Indeed, whereas Google or Yahoo! crawl only ports 80 (HTTP) and 443 (HTTPS) that are open and accessible on the world wide web, Shodan crawls all the open ports from 1 to 65535. This means that Shodan, unlike any normal search engine, does not focus on searching for web pages but on collecting banners of services (the server's response to a request). These services include the HTTP, HTTPS, FTP, SSH, Telnet, SNMP and SIP protocols.
Remote Desktop Protocol (RDP) Threat Information Exposed
by Huy Kang Kim and ByungTak Kang
Recently, open source intelligence (OSINT) using port scanning and web crawling has become useful to find possible security vulnerabilities from the attacker’s viewpoint. In this paper, we introduce threat hunting cases for remote desktop protocol (RDP) discovery. Today, many companies adopt work-at-home policies to overcome the COVID-19 situation; thus, RDP or VPN are widely used to support remote working from home. In such circumstances, OSINT-based scanning and crawling is the core technology to reveal ports possibly open to the public. Although several countries, such as South Korea, maintain strict security policies that do not allow port scanning or web crawling because of possible side effects, information gathering for good will is important to investigate security vulnerabilities. As a result, we expect that IP scanning and crawling can contribute to discovering and removing possible vulnerabilities residing in companies.
Entering the Dark Web
by Dinesh Sharma
We all know that Tor is installed on normal OSes like Windows, Linux, etc., and these OSes are not considered anonymity-friendly. These OSes themselves store a lot of information about the user’s browsing, which will lead to de-anonymising the user.
Starting a Cybersecurity Startup
by Bruce Williams
The reason I wrote this article is to give the reader a brief roadmap of startups. This is based on twenty years’ experience in talking to startups and twenty years’ experience in teaching about startups. The article was inspired by my friend (your editor) coming up with ideas. In many ways, the understanding of the risk environment is the same for both cybersecurity and startups. I know that scanning the environment for risks is a key critical thinking skill that must be taught. In cybersecurity, it is seeing a threat emerging from the cybersecurity environmental mists; with a startup, it is the threat emerging from the business environmental mists. Apple turned the traditional SWOT into TOWS with the threats the focus of their strategic thinking. If you don’t address the threats, then you don’t have a business.
Introduction to IoT
by Amir Jhakhanbaksh
IoT, the “Internet of Things”, is a computing concept in which physical devices and digital objects can connect over the internet with their unique identifiers and share data with each other without requiring human interaction. IoT devices could include wearable fitness trackers, “smart” televisions, wireless infusion pumps, and cars, among many others. Internet-connected devices generally sense, collect, process, and transmit a wide array of data, ranging from consumer personally identifiable information to proprietary company data to infrastructure data used to make critical real-time decisions or to effect a change in the physical world. All of the smart devices in our homes, cars, hospitals, offices and airplanes, and on ourselves, are effectively endpoints in the IoT.
How Does a SCADA System Work?
by Mohammed Nasfi
SCADA has a wide range of applications, ranging from small units to big plants and even enterprises with several plants. Monitoring can be useful in every aspect of automation because it allows us to collect useful data. Not only can this data help us decrease production costs, it can also help us improve the efficiency of production and reduce maintenance costs. All because SCADA gives us the data to analyze.
Who Is Responsible for Better Cybersecurity?
by Bruce Williams
I have worked within the government for many years in the program delivery of innovative policy. Policy needs to be translated into programs, and good policy with good programs is the preferred solution. I then moved into teaching business and IT students the systems-based units, such as WHS and EMS. These were based on a simple PDCA loop to improve the current position to meet the vision of the organisation. I then moved into cybersecurity and would like to present some observations on how to better improve the cybersecurity of businesses based on this background. The examples will describe the Australian situation but can be adjusted to suit other countries.
Two Steps from Domain Admins
We really could have taken advantage of the privileged session of the domain admin from the very beginning. Actually, in order to use the domain admin session (execute code on his behalf), we just need to inject this very code into his process. And that's all. This is possible because, within the current PC, the local administrator and the domain administrator have the same privilege levels. Moreover, we can do this in two different ways.