Zero Trust, OSINT, Pentesting Tools
Critical Infrastructure
Application Security
Network Security
Internet of Things Security
Cloud Security
AAA (Authentication, Authorization and Accounting) is a framework for controlling and monitoring users of a computer system (i.e. a network).
Enterprises typically use an AAA server; Identity Services Engine (ISE) is Cisco's AAA server.
AAA servers support the following two protocols:
1. TACACS+: A Cisco proprietary protocol
2. RADIUS: An open standard protocol
The Threat Landscape

Explorers, Hacktivists, Cyberterrorists, Cybercriminals, Cyberwarriors
White Hat: Ethical authorized test of vulnerabilities
Black Hat: Malicious attack the network for profit or harm
Gray Hat: Not malicious, but not always ethical
Blue Hat: Ethical, hired third party
A vulnerability is any potential weakness that can compromise the CIA (confidentiality, integrity, availability) of a system. A potential weakness isn't a problem on its own.
An exploit is something that can potentially be used to take advantage of the vulnerability. Something that can potentially be used as an exploit isn't a problem on its own.
A threat is the potential of a vulnerability to be exploited. A hacker exploiting a vulnerability in your system is a threat.
A mitigation technique is something that can protect against threats. It should be implemented everywhere a vulnerability can be exploited: client devices, servers, switches, routers, firewalls, etc.
First Line of Defense
Internal Security Program (People)
For example, a company might send out false phishing emails to make employees click a link and sign in with their credentials.
For example, dedicated training sessions that educate users on the corporate security policies, how to manage strong passwords, and how to avoid potential threats.
Locks can protect access to restricted areas
Zero Trust
Security policies + Security tools
ISO 27001
International standard for information security management systems (ISMS).
It provides a framework for organizations to identify and assess potential security risks, implement appropriate security controls, and establish processes for monitoring and managing information security on an ongoing basis. By achieving certification to ISO 27001, organizations can demonstrate to customers, partners, and other stakeholders that they have implemented effective information security practices and are committed to protecting their information assets.
OWASP Top 10 - 2021
The OWASP Top 10 provides rankings of—and remediation guidance for—the top 10 most critical web application security risks:
Open Source Intelligence (OSINT)
The process of gathering publicly available information about a person, company or organization from a variety of sources that are accessible to anyone.
OSINT Tools
Google Dorking - “Search target” filetype:pdf OR filetype:xlsx OR filetype:docx
IntelTechniques - Multi-tool for OSINT
Shodan - Search engine for Internet-connected devices (IoT)
URL Scan - Behavioural analysis
Spiderfoot - Data collection
Maltego - OSINT Framework (Entity link analysis)
Recon-ng - Automate collections
HaveIBeenPwned - Breached passwords and emails
images.google.com - Search by image (Reverse search)
PimEyes - Face recognition search engine
Epieos - Email and phone reverse search
Thatsthem - Email and phone reverse search
The Harvester - email address, usernames, subdomains, IPs and URLs
Social-Searcher - Search person on multiple social media platforms
Checkusername - Quick search of username in social networks
Tineye - Reverse image search
PicTriev - Age guesser
WayBack Machine - Archives
ZoomEye - Chinese version of Shodan
Backup Protection and Disaster Recovery Plan
Protection against loss of service due to hardware failure or natural disaster
Short-term protection against user and admin error (Recycle Bin, soft delete)
Hackers, ransomware, and other malware
Malicious insiders, departing employees

A disaster recovery plan provides a structured approach for responding to unplanned incidents that threaten the IT infrastructure, including hardware, software, networks, processes and people.
1. Assemble Plan
2. Identify Scope
3. Appoint Emergency Contacts
4. Designate Disaster Recovery Team
5. Assign Roles & Responsibilities
6. Data & Backups Location
7. Restore Technology Functionality
8. Testing & Maintenance
Backup Image OS: (dedicated drive for the images)
macOS Time Machine
Windows Built-in Solution
Acronis Cloud Backup
On-Premise:
NAS (TrueNAS)
Veeam Agent for Windows
Acronis Cyber Protect
The Five Stages of Hacking (Web Application)
1. Reconnaissance (information gathering)
   Target Validation: WHOIS, nslookup, dnsrecon
   Finding Subdomains: Google, dig, Sublist3r, Bluto, crt.sh
   Fingerprinting: Nmap, Wappalyzer, WhatWeb, BuiltWith, Netcat
   Data Breaches: HaveIBeenPwned and similar lists
2. Scanning and enumeration: Look for vulnerabilities and enumerate them. Gather as much information as possible (Burp Suite, Nmap, Nikto, ...)
3. Exploitation
4. Maintaining access
5. Covering tracks (deleting log files)
The 11-Step Pen Test Plan
1. Define Objectives and Scope
2. Assemble the Testing Team
3. Choose a Testing Methodology
4. Design the Test
5. Obtain Authorization
6. Conduct Reconnaissance
7. Perform an Initial Vulnerability Assessment
8. Execute the Pen Test
9. Document and Analyze Findings
10. Report and Remediate
11. Retest and Validate
Pentesting Methodologies
In a Gray box penetration test, a limited amount of information is given to the pentesters conducting the pentest. A gray box test strikes a balance between a white box and a black box.
Pentesting Execution Plan for WordPress
1. Use automated scanning tools like WPScan to identify the version of WordPress, themes, and plugins. WPScan can check for known vulnerabilities associated with specific versions.
   Manually review the website's HTML source code and HTTP headers to find any indications of the WordPress version.
2. Perform password guessing or brute force attacks using tools like Hydra or Burp Suite Intruder to attempt multiple login combinations. This can be automated with a wordlist or dictionary attack.
   Analyze login error messages for clues about the existence of weak usernames or passwords.
3. Use tools like Hydra, Medusa, or Burp Suite Intruder to launch brute force attacks on login forms, trying various combinations of usernames and passwords.
   Monitor server logs for an unusual number of failed login attempts.
4. Identify installed themes and plugins using tools or by inspecting the website's HTML and JavaScript files.
   Use vulnerability scanners like OWASP ZAP or Nessus to check for known vulnerabilities associated with detected themes and plugins.
5. Attempt to upload files containing malicious scripts using file upload forms.
   Use tools like Burp Suite to intercept and modify file upload requests to include malicious content.
   Test if uploaded files are executed or processed on the server.
6. Input malicious scripts into various input fields and observe if the scripts are executed on the site.
   Use tools like OWASP ZAP or Burp Suite to automate the process of injecting and detecting XSS vulnerabilities.
7. Input SQL injection payloads into user input fields to see if the application responds with unexpected behavior.
   Utilize tools like SQLMap to automate SQL injection testing and identify potential vulnerabilities.
8. Create a malicious website with crafted requests and lure the victim into visiting it to perform unwanted actions on the target site.
   Use tools like Burp Suite to capture and modify requests to test for CSRF vulnerabilities.
9. Manually inspect the application and server configurations for default settings, unnecessary services, or exposed sensitive information.
   Use tools like Nikto or Nessus to automatically scan for common misconfigurations.
10. Manually check the website's URL to see if it uses "http://" or "https://".
    Inspect the browser's address bar for the padlock symbol, indicating a secure connection.
    Use tools like Qualys SSL Labs to perform a detailed analysis of the SSL/TLS implementation.
11. Attempt to escalate privileges by exploiting vulnerabilities or manipulating user roles.
    Test if regular users can access administrative functionality or sensitive information.
12. Test for vulnerabilities in the XML-RPC functionality by sending crafted requests.
    Use tools like Metasploit or custom scripts to automate testing for XML-RPC vulnerabilities.
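Step 3 of the plan says to monitor server logs for an unusual number of failed login attempts. The script below is an added example (not part of the original notes and not code from WPScan or WordPress) showing how that check looks over access-log lines. It assumes the web server writes the Apache Combined Log Format, and it uses a WordPress convention as its heuristic: a failed login is a POST to /wp-login.php answered with HTTP 200 (the form is re-rendered), while a successful login is answered with a 302 redirect. The log lines are constructed for the demo; confirm the status-code convention against your own server before alerting on it.

```python
"""Flag clients with a burst of failed WordPress logins in a web access log.

Added example, not from the original notes. Assumptions (labelled):
- Apache Combined Log Format;
- failed login  == POST /wp-login.php -> 200 (WordPress re-renders the form);
- successful login == POST /wp-login.php -> 302 (redirect to /wp-admin/).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.7 fails six times in six seconds (plus one more
# five minutes later); 198.51.100.4 fails once, then logs in successfully.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:12:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:12:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:12:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one Combined Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_failed_login(rec):
    """Heuristic described in the module docstring (assumption, verify per server)."""
    return rec["method"] == "POST" and rec["path"].startswith("/wp-login.php") and rec["status"] == 200


def detect_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak failed logins inside any `window`} for clients at or above `threshold`."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_failed_login(rec):
            per_ip[rec["ip"]].append(rec["ts"])

    alerts = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


if __name__ == "__main__":
    for ip, count in detect_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within 60s")
```

The sliding window matters: counting failures per day would also catch a slow, spread-out guessing run, but it would not distinguish it from a user who mistypes a few times a week, so the threshold and window are the knobs to tune to your own traffic.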
Pentesting Tools
Wireshark
Wireshark is the de facto open-source application to capture and investigate network traffic. It is widely used for network troubleshooting, analysis, software development, and education.

# Capture filters (BPF syntax, applied while capturing):
host IP-address # Limit the capture to traffic to and from the IP address
net 192.168.0.0/24 # Capture all traffic on the subnet
dst host IP-address # Capture packets sent to the specified host
port 53 # Capture traffic on port 53 only
port not 53 and not arp # Capture all traffic except DNS and ARP traffic
# Display filters (Wireshark field syntax, applied to captured packets; the two syntaxes are not interchangeable):
ip.addr == 192.168.1.1 # IP address filter
tcp.port == 80 # Port filter
http # Protocol filter
host www.example.com # Host filter (capture-filter syntax; the display-filter equivalent is http.host == "www.example.com")
ip.src == 192.168.1.1 # Filter by source
ip.dst == 192.168.1.2 # Filter by destination
ip.addr == 192.168.1.0/24 # Filter by subnet
eth.addr == 00:11:22:33:44:55 # Filter by MAC address
tcp.port == 443 && tls # Filter by protocol and port (use ssl in Wireshark versions before 3.0)
http.request.method == "GET" # Filter by HTTP method
http.response.code == 200 # Filter by response code
dns # Filter by DNS queries
icmp # Filter by ICMP (ping) traffic
tcp.flags.syn == 1 && tcp.flags.ack == 0 # Filter by TCP flags (bare SYNs, i.e. connection attempts)
frame.len == 100 # Filter by packet length
dns.qry.name == "example.com" # Filter by specific domain
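To make the display-filter fields concrete, here is an added example (not from the original notes and not Wireshark code) that decodes IPv4/TCP headers from raw bytes and applies the same predicates as `ip.addr == X`, `tcp.port == N` and `tcp.flags.syn == 1 && tcp.flags.ack == 0`. The packets are constructed in the script with `struct.pack` rather than captured, and their checksums are left at zero since only addresses, ports and flags are read. The last function turns the bare-SYN filter into a detection: a source sending bare SYNs to many distinct ports is the footprint a half-open scan leaves in a capture.

```python
"""Decode IPv4/TCP headers and evaluate Wireshark-style display-filter predicates.

Added example, not part of the original notes. Packets are constructed below
(no live capture); checksums are zero because they are never verified here.
"""
import struct
from collections import defaultdict

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
IP_HDR = "!BBHHHBBH4s4s"   # ver/IHL, TOS, total len, id, flags/frag, TTL, proto, checksum, src, dst
TCP_HDR = "!HHIIBBHHH"     # sport, dport, seq, ack, data offset, flags, window, checksum, urg ptr


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_packet(src, dst, sport, dport, flags):
    """Constructed IPv4 header (20 bytes, no options) + TCP header (20 bytes, no options)."""
    ip_hdr = struct.pack(IP_HDR, 0x45, 0, 40, 0, 0, 64, 6, 0, ip_to_bytes(src), ip_to_bytes(dst))
    tcp_hdr = struct.pack(TCP_HDR, sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse_packet(raw):
    """Return the fields a display filter would test, or None if the packet is not IPv4/TCP."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IP_HDR, raw[:20])
    if (ver_ihl >> 4) != 4 or proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4                      # IP header length in bytes (handles options)
    sport, dport, _, _, _, flags, _, _, _ = struct.unpack(TCP_HDR, raw[ihl:ihl + 20])
    return {
        "src": ".".join(str(b) for b in src),       # ip.src
        "dst": ".".join(str(b) for b in dst),       # ip.dst
        "sport": sport,                             # tcp.srcport
        "dport": dport,                             # tcp.dstport
        "syn": bool(flags & TCP_FLAGS["SYN"]),      # tcp.flags.syn
        "ack": bool(flags & TCP_FLAGS["ACK"]),      # tcp.flags.ack
    }


def matches(pkt, ip_addr=None, tcp_port=None, bare_syn=False):
    """ip.addr == ip_addr, tcp.port == tcp_port, tcp.flags.syn == 1 && tcp.flags.ack == 0 (ANDed)."""
    if ip_addr is not None and ip_addr not in (pkt["src"], pkt["dst"]):
        return False
    if tcp_port is not None and tcp_port not in (pkt["sport"], pkt["dport"]):
        return False
    if bare_syn and not (pkt["syn"] and not pkt["ack"]):
        return False
    return True


def count_matching(packets, **predicate):
    """How many packets the given filter would leave visible."""
    total = 0
    for raw in packets:
        pkt = parse_packet(raw)
        if pkt is not None and matches(pkt, **predicate):
            total += 1
    return total


def syn_scan_suspects(packets, min_ports=5):
    """Sources that sent bare SYNs to at least min_ports distinct destination ports
    -> {source: number of distinct ports probed}."""
    probed = defaultdict(set)
    for raw in packets:
        pkt = parse_packet(raw)
        if pkt is not None and matches(pkt, bare_syn=True):
            probed[pkt["src"]].add(pkt["dport"])
    return {src: len(ports) for src, ports in probed.items() if len(ports) >= min_ports}


# Constructed traffic: one source probing six ports, one client doing a normal three-way handshake.
SCANNER, TARGET, CLIENT = "203.0.113.9", "192.168.1.10", "192.168.1.20"
SAMPLE_PACKETS = [build_packet(SCANNER, TARGET, 40000 + i, port, TCP_FLAGS["SYN"])
                  for i, port in enumerate((21, 22, 25, 80, 443, 8080))]
SAMPLE_PACKETS += [
    build_packet(CLIENT, TARGET, 51000, 443, TCP_FLAGS["SYN"]),
    build_packet(TARGET, CLIENT, 443, 51000, TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"]),
    build_packet(CLIENT, TARGET, 51000, 443, TCP_FLAGS["ACK"]),
]

if __name__ == "__main__":
    print("tcp.port == 443 leaves", count_matching(SAMPLE_PACKETS, tcp_port=443), "packets")
    print("possible SYN scanners:", syn_scan_suspects(SAMPLE_PACKETS))
```

Note that `ip.addr` and `tcp.port` match either direction, which is why the client's three handshake packets all survive `ip.addr == 192.168.1.20`; `ip.src`/`ip.dst` are the one-directional forms.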
Nmap
Nmap (Network Mapper) is an open-source tool used for network discovery and security auditing. It is used by network administrators, security professionals, and ethical hackers to assess the security of computer networks.
Usage: nmap [Scan type(s)/Flags] [Options] {hostname/IP addresses/networks}
$ sudo apt install nmap # Install Nmap in Ubuntu/Debian Linux
% ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
% brew install nmap
$ nmap --version # Check version of Nmap
$ nmap target_ip # Default quick scan to map ports, state and protocol.
$ nmap -sS target_ip # TCP SYN scan sends TCP SYN packets to the target; open ports respond with a SYN/ACK, while closed ports respond with a RST (reset) packet.
$ nmap -sU target_ip # UDP scan is used to identify open UDP ports on the target.
$ nmap -sT target_ip # TCP connect scan completes a full TCP connection to each port and determines if it is open, closed, or filtered.
$ nmap -p 22 target_ip # Scan a specific port (22) on the target IP.
$ nmap -p ssh target_ip # Scan a port by service name (ssh)
$ nmap -p 1-100 target_ip # Custom port range lets you specify which ports to scan; '-p 1-100' scans ports 1 through 100.
$ nmap -sP 192.168.1.0/24 # Ping scan is used for host discovery, sending ICMP echo requests to determine which hosts are alive on the network.
$ nmap -sn 192.168.1.1-254 # Same as -sP (-sn is the current name; -sP is the deprecated alias)
$ nmap -O -sV target_ip # OS detection together with service version detection
$ nmap -sA target_ip # ACK scan sends TCP ACK packets to determine how a firewall or intrusion detection system (IDS) is filtering ports. It doesn't reveal open or closed ports but helps understand the filtering policy.
$ nmap -sV target_ip # Service version detection probes open ports to determine the version of the services (applications) running on them. It can provide information about specific software (applications) and versions.
$ nmap -sV --version-intensity 0 target_ip # Light version detection that sends only the most likely probes (a quieter scan than the default intensity).
$ nmap -A target_ip # Aggressive scan enables OS detection, version detection, default script scanning and traceroute. It is a comprehensive scan for detailed information but it is CPU intensive on the machine performing the scan.
$ nmap --script vuln target_ip # Nmap Scripting Engine (NSE) runs the scripts in the "vuln" category; NSE scripts automate tasks including vulnerability detection, exploitation, and more.
$ nmap --script http-enum target_ip # Execute a specific NSE script by name (-sC runs the default script set, the same as --script default)
$ nmap --script-help vuln # Show help for the NSE scripts in the vuln category (--script-help all lists every script)
$ nmap -oX output.xml target_ip # Save the scan results in XML format
$ nmap -oN output.txt target_ip # Save the results in a human-readable format
WPscan
WPScan is a WordPress security scanner backed by an enterprise vulnerability database. It provides a comprehensive set of features to assess the security posture of WordPress installations.
$ sudo apt install ruby-full # Install Ruby Ubuntu/Debian
$ sudo dnf install ruby # Install Ruby Fedora
$ sudo gem install wpscan # Install WPScan
$ wpscan --version
$ wpscan --url your-website.com
By default, WPScan will not report vulnerabilities in its results; to get them you have to generate an API token. Go to the official website and select the free plan to register.
$ wpscan --url your-website.com --api-token your-api-key
$ wpscan --url your-website.com --detection-mode aggressive --api-token your-api-key
Mixed, the default detection mode, combines aggressive and passive checks to provide a balanced scan.
Enumeration options (-e / --enumerate):
-e vp # Vulnerable plugins
-e ap # All plugins
-e p # Popular plugins
-e vt # Vulnerable themes
-e at # All themes
-e t # Popular themes
-e tt # Timthumbs
-e cb # Config backups
-e dbe # Db exports
-e u # User IDs range, e.g. u1-5
-e m # Media IDs range, e.g. m1-15
$ wpscan --url your-website.com -e vp --detection-mode mixed --api-token your-api-key
## Examples ##
$ wpscan --url your-website -e u # Scan users
$ wpscan --url your-website -e vp --api-token my-token # Scan vulnerable plugins
--random-user-agent # Use a random User-Agent header for the scan
--stealthy # Alias for --random-user-agent --detection-mode passive --plugins-version-detection passive
Burp Suite
Burp Suite is a leading set of security testing tools developed by PortSwigger; it is widely used for web application security testing.
Key features:
Nessus
Nessus is a widely used vulnerability scanner and security assessment tool developed by Tenable, Inc. It is designed to identify and assess vulnerabilities in computer systems, networks, and applications.
Key features:
Dirbuster
DirBuster is a security tool used for performing directory brute-force attacks on web servers. The primary purpose of DirBuster is to discover hidden directories and files on a web server by systematically attempting to access different paths and analyzing the server's responses.
Other Tools
Sublist3r (Subdomain enumeration)
Wappalyzer (Web Technologies)
WHOIS
NSLookup
DNSrecon
Bluto
crt.sh
dig
WhatWeb
BuiltWith
Netcat
HaveIBeenPwned
Metasploit
Nikto
Domains (Whois lookup)
IPs (NSLookup)
SSL Certificate
Pentesting with Python or JavaScript
WordPress common vulnerabilities (wp-admin)
Check for open ports in the server (Firewall)
Network Exploitation (Protocols)
CTFs Cyber Security
Cybersecurity Reports