In a nutshell, infosec is the practice of protecting data from unauthorized access, changes, unlawful use, disruption, etc. Infosec professionals also take actions to reduce the overall impact of any such incident.

Data can be electronic or physical and tangible (e.g., design blueprints) or intangible (knowledge). A common phrase that will come up many times in our infosec career is protecting the “confidentiality, integrity, and availability of data,” or the CIA triad.

Red Team vs Blue Team

Red team - attackers’ role, Blue team - defenders’ role.

Red teamers usually play a role in breaking into the organization to identify any potential weaknesses real attackers may utilize to break the organization’s defenses. The most common task on the red teaming side is penetration testing, social engineering, and other similar offensive techniques.

The blue team makes up the majority of infosec jobs. It is responsible for strengthening the organization’s defenses by analyzing the risks, coming up with policies, responding to threats and incidents, and effectively using security tools and other similar tasks.

Role of Penetration Testers

A security assessor (network penetration tester, web application penetration tester, red teamer, etc.) helps an organization identify risks in its external and internal networks. These risks may include network or web application vulnerabilities, sensitive data exposure, misconfigurations, or issues that could lead to reputational harm.

  • A good tester can work with a client to identify risks to their organization, provide information on how to reproduce these risks, and guidance on either mitigating or remediating the issues identified during testing.

Getting Started with a Pentest Distro

Depending on the client environment or scope of the assessment, we may be using a Linux or Windows VM on our machine, our base operating system, a cloud Linux box, a VM installed within the client’s environment, or even perform testing directly from a client-owned workstation to simulate an insider threat.

Choosing a Distro

  • There are many Linux distributions (distros) for penetration testing. There are quite a few Debian-based pre-existing distros preloaded with many tools that we need to perform our assessments. Many of these tools are rarely required, and no distro contains every tool that we need to perform our assessments.
  • As we progress, we may even prefer to fully customize our own pentesting VM from a Debian or Ubuntu base image.
  • The choice of a distro is individual, and we can even choose to create and maintain our own from scratch. There are Linux distros that are explicitly customized for penetration testing, others are geared towards web application penetration testing, forensics, etc.
  • It is important to note that each penetration test or security assessment must be performed from a freshly installed VM to avoid including security-relevant details from another client environment in our reports by accident or retaining client-sensitive data for significant lengths of time.
  • For this reason, we must have the ability to quickly stand up a new pentest machine and have processes in place (automation, scripts, detailed procedures, etc.) for quickly setting up our distro(s) of choice for each assessment we perform.

Setting Up a Pentest Distro

  • There are many ways to set up our local pentest distro. We can install it as our base operating system (though not recommended), configure our workstation to dual boot (time-consuming to switch back and forth between operating systems), or install using virtualization.
  • There are quite a few options available to us: Hyper-V on Windows, using free hypervisors such as VirtualBox, or VMware Workstation Player, which can be installed and used as hypervisors on Windows and Linux operating systems. Another option is VMware Workstation, which requires a paid license but offers many more features than the free options.
  • A hypervisor is software that allows us to create and run virtual machines (VMs). It will enable us to use our host computer (desktop or laptop) to run multiple VMs by virtually sharing memory and processing resources.

Tips:

  • Everyone working in a technical information security role should be comfortable working with one or more hypervisors and building virtual machines competently for both work and practice.
  • To be successful, we must continuously work to hone our craft. A great way is by setting up a home lab to attempt to reproduce vulnerabilities, set up vulnerable applications and services, see the effects of remediation recommendations, and have a safe place to practice new attack techniques/exploits. We can build our lab on an old laptop or desktop but preferably using a server to install a bare-metal hypervisor.

I use a Parrot OS and a customised Kali on VMWare Workstation Player(Hyper-V)

Staying Organized

  • It is essential to prioritize clear and accurate documentation from the very beginning. This skill will benefit us no matter what path we take in information security or even other career paths.

Folder Structure

  • When attacking a single box, lab, or client environment, we should have a clear folder structure on our attack machine to save data such as: scoping information, enumeration data, evidence of exploitation attempts, sensitive data such as credentials, and other data obtained during recon, exploitation, and post-exploitation. A sample folder structure may look like follows:

      Projects/
  └── Acme Company
      ├── EPT
      │   ├── evidence
      │   │   ├── credentials
      │   │   ├── data
      │   │   └── screenshots
      │   ├── logs
      │   ├── scans
      │   ├── scope
      │   └── tools
      └── IPT
          ├── evidence
          │   ├── credentials
          │   ├── data
          │   └── screenshots
          ├── logs
          ├── scans
          ├── scope
          └── tools

  • Here we have a folder for the client Acme Company with two assessments, Internal Penetration Test (IPT) and External Penetration Test (EPT). Under each folder, we have subfolders for saving scan data, any relevant tools, logging output, scoping information (i.e., lists of IPs/networks to feed to our scanning tools), and an evidence folder that may contain any credentials retrieved during the assessment, any relevant data retrieved as well as screenshots.

  • It is a personal preference, but some create a folder for each target host and save screenshots within it. Others organize their notes by host or network and save screenshots directly into the note-taking tool. Experiment with folder structures and see what works best for you to stay organized and work most efficiently.

Note Taking Tools

  • Productivity and organization are very important. A very technical but unorganized penetration tester will have a difficult time succeeding in this industry. Various tools can be used for organization and note-taking. Selecting a note-taking tool is very individual. Some of us may not need a feature that another person requires based on their workflow. Some great options to explore include:

Cherrytree | Visual Studio Code | Evernote | Notepad++

Notion | GitBook | Sublime Text

  • Some of these are more focused on note-taking, while others such as Notion and GitBook have richer features that can be used to create Wiki-type pages, cheat sheets, and more. It is important to make sure that any client data is only stored locally and not synced to the cloud if using one of these tools on real-world assessments.

Tip: Learning Markdown language is easy and very useful for note taking, as it can be easily represented in a visually appealing and organized way.

Other Tools and Tips

  • Every infosec professional should maintain a knowledge base. This can be in the format of your choosing (though the tools above are recommended.)
  • This knowledge base should contain quick reference guides for setup tasks that we perform on most assessments and cheat sheets for common commands that we use for each phase of an assessment.
  • We should be aggregating every payload, command, tip as we never know when one may come in handy. Having them accessible will increase our overall efficiency and productivity.
  • We should also maintain checklists, report templates for various assessment types, and build a findings/vulnerability database.
  • This database can take the form of a spreadsheet or something more complex and include a finding title, description, impact, remediation advice, and references. Having these findings already written will save us considerable time and re-work during the reporting phase as the bulk of the findings will be written already and likely only require some customization to the target environment.

Connecting Using VPN

  • VPNs provide a degree of privacy and security by encrypting communications over the channel to prevent eavesdropping and access to data traversing the channel.

  • It is a secured communications channel over shared public networks to connect to a private network (i.e., an employee remotely connecting to their company’s corporate network from their home).

  • At a high-level, VPN works by routing our connecting device’s internet connection through the target VPN’s private server instead of our internet service provider (ISP). When connected to a VPN, data originates from the VPN server rather than our computer and will appear to originate from a public IP address other than our own.

  • There are two main types of remote access VPNs: client-based VPN and SSL VPN.

  • SSL VPN uses the web browser as the VPN client. The connection is established between the browser and an SSL VPN gateway and can be configured to only allow access to web-based applications

  • Client-based VPN requires the use of client software to establish the VPN connection. Once connected, the user’s host will work mostly as if it were connected directly to the company network and will be able to access any resources (applications, hosts, subnets, etc.) allowed by the server configuration.

Why Use A VPN?

  • We can use a VPN service such as NordVPN or Private Internet Access and connect to a VPN server in another part of our country or another region of the world to obscure our browsing traffic or disguise our public IP address. This can provide us with some level of security and privacy.

Note: Usage of a VPN service does not guarantee anonymity or privacy but is useful for bypassing certain network/firewall restrictions or when connected to a possible hostile network (i.e., a public airport wireless network). A VPN service should never be used with the thought that it will protect us from the consequences of performing nefarious activities.

Tips to stay safe:

Always consider the network to be “hostile.”

We should only connect from a virtual machine, disallow password authentication if SSH is enabled on our attacking VM, lockdown any web servers, and not leave sensitive information on our attack VM.

Common Terms

  1. Shell

  • On a Linux system, the shell is a program that takes input from the user via the keyboard and passes these commands to the operating system to perform a specific function. Ex- Linux terminal, Windows command-line (cmd.exe), and Windows PowerShell.
  • Bash - (Bourne Again Shell) Linux shell
  • “getting a shell” on a box (system). - This means that the target host has been exploited, and we have obtained shell-level access (typically bash or sh) and can run commands interactively as if we are sitting logged in to the host. A shell may be obtained by exploiting a web application or network/service vulnerability or obtaining credentials and logging into the target host remotely. There are three main types of shell connections:
  • Reverse shell - Initiates a connection back to a “listener” on attack box.
  • Bind shell - “Binds” to a specific port on the target host and waits for a connection from our attack box.
  • Web shell - Runs operating system commands via the web browser, typically not interactive or semi-interactive. It can also be used to run single commands (i.e., leveraging a file upload vulnerability and uploading a PHP script to run a single command.

  1. Port

  • It can be thought of as a window or door on a house (the house being a remote system), if a window or door is left open or not locked correctly, we can often gain unauthorized access to a home. Ports are virtual points where network connections begin and end.

  • There are two categories of ports, Transmission Control Protocol (TCP), and User Datagram Protocol (UDP).

  • TCP is connection-oriented, meaning that a connection between a client and a server must be established before data can be sent.

  • UDP utilizes a connectionless communication model. There is no “handshake” and therefore introduces a certain amount of unreliability since there is no guarantee of data delivery. UDP is useful when error correction/checking is either not needed or is handled by the application itself. UDP is suitable for applications that run time-sensitive tasks since dropping packets is faster than waiting for delayed packets due to retransmission.

  • There are 65,535 TCP ports and 65,535 different UDP ports, each denoted by a number. Some of the most well-known TCP and UDP ports are listed below: 20/21 (TCP) FTP 22 (TCP) SSH 23 (TCP) Telnet 25 (TCP) SMTP 80 (TCP) HTTP 161 (TCP/UDP) SNMP 389 (TCP/UDP) LDAP 443 (TCP) SSL/TLS (HTTPS) 445 (TCP) SMB 3389 (TCP) RDP

  • Refer this guide for common ports.

  1. Web Server

  • A web server is an application that runs on the back-end server, which handles all of the HTTP traffic from the client-side browser, routes it to the requests destination pages, and finally responds to the client-side browser.
  • Web servers usually run on TCP ports 80 or 443, and are responsible for connecting end-users to various parts of the web application, in addition to handling their various responses.
  • Remember OWASP top 10 vulnerabilities here.

Basic tools

  1. SSH
  • Secure Shell (SSH) is a network protocol that runs on port 22 by default and provides users such as system administrators a secure way to access a computer remotely.
  • It can be configured with password authentication or passwordless using public-key authentication using an SSH public/private key pair.
  1. Netcat
  • arbitrary TCP and UDP connections and listens
  • Netcat, ncat, or nc, is an excellent network utility for interacting with TCP/UDP ports. It can be used for many things during a pentest.
  • Its primary usage is for connecting to shells.
  • netcat can be used to connect to any listening port and interact with the service running on that port. For example, SSH is programmed to handle connections over port 22 to send all data and keys. We can connect to TCP port 22 with netcat:

netcat 10.10.10.10 22

  • It can help identify what service is running on a particular port.
  • There’s another Windows alternative to netcat coded in PowerShell called PowerCat.
  • It can also be used to transfer files between machines.
  • Another similar network utility is socat
  1. Tmux
  • Terminal multiplexers, like tmux or Screen, are great utilities for expanding a standard Linux terminal’s features, like having multiple windows within one terminal and jumping between them.
  • Can be installed using sudo apt install tmux -y. Create a new terminal using Ctrl+B
  1. Vim
  • Vim is a great text editor that can be used for writing code or editing text files on Linux systems. One of the great benefits of using Vim is that it relies entirely on the keyboard, so you do not have to use the mouse, which (once we get the hold of it) will significantly increase your productivity and efficiency in writing/editing code.
  • Refer this Cheatsheet for more commands and tips to use Vim.