PTES reporting

00:02

so

00:03

uh welcome again to the lecture today's

00:06

topic is

00:08

the reporting penetration testing

00:10

reporting framework that we are going to

00:12

use the p test

00:15

and it's

00:17

closely related to your final report

00:19

since it should follow the peter's

00:21

instructions

00:23

and more specifically we are using a

00:26

subset of the standard

00:29

so you are not required to complete the

00:33

full peta standard report instead please

00:37

use this structure here

00:40

so

00:41

for your own report please create a

00:44

single

00:45

document that contains all the target

00:47

machines

00:49

and then

00:50

include these so include one executed

00:54

summary which describes quickly or

00:57

briefly what

00:59

what's the background uh in this case

01:02

this is a course assignment

01:04

um in general level the achieved

01:08

goals and then recommendations and then

01:11

list all the target hosts that you were

01:14

unable and you were able to exploit

01:18

so

01:18

for your report most of your create will

01:21

come from these

01:23

target hosts

01:24

that you were able to exploit but i will

01:27

grant

01:28

bonus points

01:30

for good reports that include

01:33

this

01:34

information

01:35

gathering

01:36

and

01:37

scanning and

01:39

conducted so

01:41

even if you are unable to actually

01:44

penetrate the host

01:47

please

01:48

include everything that you did or all

01:50

the information that you gathered

01:52

and all the attacks attacks that were

01:56

not really

01:57

uh that you ex

01:59

expected or assumed that would be

02:05

effective but turned out not to be so

02:08

just a reminder you are allowed to

02:10

report on other machines to not just the

02:13

ones that you were able to exploit

02:17

for the machines that you were able to

02:18

exploit

02:20

the same topics so information gathering

02:23

host information in this case these are

02:26

basically the same since

02:28

the target host or the target is an

02:31

individual host on all cases

02:34

then any vulnerabilities that you are

02:38

able to find um any attacks that you

02:41

conduct against those vulnerabilities

02:44

especially

02:46

just to verify that the vulnerability

02:48

exists or to find out that the

02:51

vulnerability isn't actually

02:55

active or

02:57

in this host

02:59

and then finally which vulnerabilities

03:01

you were success can be successfully

03:04

exploited

03:06

what kind of exploits did you actually

03:08

use

03:09

what level of access you gained what was

03:13

the escalation path so how did you gain

03:17

additional access once you gained so you

03:21

typically in these

03:23

penetration

03:25

tests you gain initial access on some

03:28

low level account and then you are able

03:31

to escalate to hire

03:33

more privileged account typically a root

03:36

account or an administrator account is

03:39

the

03:40

final target

03:42

and finally please do not forget

03:45

to include the remediation so so how

03:48

should this vulnerability or how should

03:52

this host be fixed

03:53

what the defenders should do

03:57

to actually

03:59

secure this machine

04:01

and this is always the most important

04:04

part of your feedback so

04:06

a penetration testing or a red team

04:08

report which

04:10

does not include any suggestions on how

04:13

to fix the situation is basically

04:16

worthless for the company for the

04:23

blue team for the software developers

04:27

so if you don't tell

04:30

how

04:31

the problems can be fixed then

04:34

no one is going to have time

04:36

to recreate the conditions and retest

04:40

and find out what happened instead

04:42

that's the main service that you are

04:45

providing as a penetration tester

04:48

you are telling

04:49

these are the problems and here are the

04:52

fixes

04:53

of course you don't have to give line by

04:56

line instructions

04:58

how to fix the code but you have to tell

05:01

what is the problem in the code that

05:04

should be

05:05

remediated

05:07

i hope that's clear and finally you can

05:11

basically

05:12

have a short conclusions chapter

05:15

but

05:16

if you don't

05:18

find anything interesting to write in

05:20

this chapter

05:23

it it can be one or two sentences long

05:26

so conclusions are not really necessary

05:28

in this case since you already have the

05:31

uh general executive recommendations

05:34

here

05:37

so the main split in these two parts is

05:40

executive summary is meant for the line

05:43

of business

05:44

this is for the people who have the

05:46

money but who do not have the technical

05:48

expertise

05:50

so here you should help them understand

05:54

what is the security posture of the

05:57

company

06:00

how secure they are how secure they

06:03

should feel themselves

06:06

and in the technical part you are giving

06:08

guidance to your uh your other your

06:11

colleagues in the organization the

06:14

people who are actually developing the

06:16

software

06:17

uh administering administering the

06:20

servers and so on

06:22

so technical part should contain

06:25

technical details executive summary

06:28

should contain just a high level

06:31

overview of the situation

06:35

and finally please remember that a

06:38

single target may contain more than one

06:40

exploitable vulnerability so

06:45

there can be and there are in couple of

06:48

the machines at least several

06:49

vulnerabilities

06:52

uh on some machines

06:54

they are on the

06:55

sort of initial access level

06:58

like in the target one there are at

07:00

least three ways of attacking that

07:02

machine

07:04

and on some machines they are

07:07

on the escalation path so there are at

07:09

least two or three different ways of

07:12

gaining

07:13

root access on those machines

07:17

so try

07:19

to

07:22

check everything

07:25

excuse me

07:26

once you have collected all the

07:27

information you have collected the

07:29

vulnerabilities please try to check all

07:32

of them don't just stop when you find

07:35

the first one

07:37

do a thorough job so

07:41

you are

07:42

being paid well in this case with uh

07:47

study credits but anyhow you are paid to

07:51

do a full scan and full attack on the

07:55

machine not just find a single entry

07:58

point

08:01

so this is not like the cpfs this is not

08:05

like the

08:07

in that sense these are not your typical

08:09

try hack me rules

08:11

where you are you expect to find one way

08:15

into the machine and then you just fill

08:17

in the

08:19

flags and be done with it

08:21

now these rooms

08:25

or of course they are try hackney rules

08:28

in the sense that that's where they are

08:30

hosted but they do contain at least some

08:32

of them do contain several

08:34

vulnerabilities

08:39

and for the

08:42

grading

08:43

so you have to find or you have to

08:47

successfully

08:49

penetrate and escalate at least three

08:51

machines and report on them that's a

08:55

one

08:56

great one and then for each

08:59

additional machine that you are able to

09:02

uh gain access to or gain root level

09:05

level access to gives you another point

09:08

up to

09:10

five so

09:14

and i may

09:16

deduct half a point for

09:19

incomplete report on a

09:23

host so you might lose basically half of

09:26

the points

09:27

for this assignment if you don't

09:30

include all the information especially

09:32

if you don't include remediation

09:35

guidance

09:37

so for that reason it's also a good idea

09:40

to also include the rest of the work

09:43

that you do because that will give you

09:45

bonus points back back and will give you

09:48

an idea

09:50

um and of course it's a good idea

09:53

to return

09:54

the first version already at the end of

09:56

the march because then you will receive

09:58

the feedback and hopefully you will see

10:01

where you can

10:04

make your report better and gain those

10:07

lost points back

10:12

okay

10:13

then for a couple of details on the

10:16

peta standard

10:18

and especially the reporting page so you

10:21

can check the whole peters technical

10:23

guideline on the petastandard.org

10:27

we'll focus only on the reporting here

10:30

for today

10:33

in the

10:35

sort of unabridged so the complete

10:38

report

10:39

the structure is the same so that's the

10:41

executing summary and then there's a

10:43

technical report

10:45

but especially the executive summary is

10:49

a lot more comprehensive than in our

10:51

document so

10:52

you are not required to do this security

10:56

risk rating

10:57

you don't have to generate risk scales

11:01

i believe you studied iso 27000

11:05

iso 27005

11:07

includes risk management techniques

11:11

let's leave it out of this report and

11:13

focus on the actual penetration testing

11:17

you don't have to create

11:19

risk origin category diagrams

11:22

you don't have to create road maps for

11:25

the fixes

11:26

so the only things that you should

11:31

document on some level is the

11:34

overall

11:35

okay the background

11:37

so

11:39

what you are doing the overall posture

11:44

so

11:47

what

11:49

what is the impact to the business

11:53

how badly things are

11:55

in the network if there is

11:58

something

12:01

a systemic

12:03

so

12:04

for example

12:06

lacking effective patch management

12:08

process so if it looks like the

12:11

uh

12:12

all the targets are missing missing

12:15

latest patches then that's

12:17

stuff that you can mention here

12:20

but

12:22

don't focus on these symptoms so even if

12:26

ms-08067

12:31

bug or deep

12:38

problem is on some host

12:41

please don't list them in this overall

12:44

posture those are the technical details

12:47

focus on what's

12:49

the impact to the business

12:55

and finally a summary of recommendations

12:58

so

13:00

you

13:00

have the

13:02

remediation descriptions for each target

13:06

then final once you are finished with

13:09

those pick

13:11

the

13:11

again the common theme

13:14

on those so what are the

13:18

what are the large steps that the

13:21

company should take to fix the security

13:24

posture so

13:26

all these message machines exist in one

13:29

company for this assignment

13:32

even though they don't look anything

13:33

like they would

13:35

exist in a single company

13:40

so what are the sort of

13:43

procedural or governmental issues

13:47

in the company

13:49

that you recommend them

13:51

to focus on to fix the security

13:55

not single technical fixes but

13:59

sort of

14:00

high level

14:01

for example

14:03

create a patch management process

14:07

conduct

14:09

quarterly

14:10

vulnerability scans

14:13

include vulnerability scanning in the

14:16

acceptance testing

14:18

that's sort of

14:20

already close to technical detail but

14:23

give the customer higher level

14:26

recommendations what to do how to create

14:29

the road map basically

14:31

you don't have to create the actual

14:33

roadmap so we are leaving that also out

14:36

of this

14:37

assignment

14:39

then for the technical report

14:42

so

14:43

here it's

14:45

in our case it's easiest if you split

14:48

the technical part

14:49

um

14:50

to a

14:52

target specific sections so create one

14:56

section for each target

14:59

from one to eight

15:02

missing two

15:06

you

15:07

probably will not be doing information

15:10

gathering you want to be doing passive

15:13

intelligence in this case the machines

15:15

are given to you

15:17

you receive the ib addresses and there

15:20

is really nothing

15:23

in in google or in anywhere else in the

15:26

internet

15:27

about these machines

15:30

so

15:32

the information gathering the open

15:34

source intelligence part can be left out

15:37

at this point

15:40

but you should

15:42

do the uh active intelligence so

15:47

this is the footprinting this is the

15:48

nmap scans this is

15:51

trying to find out so port scanning

15:56

identifying

15:58

the software versions stuff like that

16:01

trying to understand what are you are

16:05

up against

16:07

at this point

16:09

then corporate intelligence personal

16:11

intelligence

16:12

don't really con

16:14

concern us on this report

16:17

but vulnerability assessment

16:21

so this is the step where you

16:25

use the automatic automated tools to

16:27

scan

16:29

the

16:30

post

16:32

trying to find

16:35

any level

16:36

vulnerabilities in any technical level

16:39

of the target

16:42

[Music]

16:43

you

16:45

may

16:46

include a screenshot of the results

16:50

but please make sure that your results

16:54

are actually relevant

16:56

to the target host

16:58

so

16:59

don't just screenshot everything that

17:02

you do and include that

17:04

instead

17:06

either type out the relevant parts to

17:09

your report or screenshot things that

17:13

only contain

17:15

information that is

17:16

relevant one of the sort of

17:20

typical

17:21

problems with reports

17:25

on this course and on real life too is

17:30

on this step

17:31

you have to identify the operating

17:35

system

17:36

and

17:37

some have some level understanding of

17:40

the software versions that are installed

17:43

in the machine

17:45

so for example if you run the

17:49

nmap

17:52

vulnerability scan against the host

17:56

you will

17:58

find uh multiple occur occurrences of

18:02

the same cve

18:05

so that because the same cv i can't

18:08

recall now

18:09

what it is but there are are a couple of

18:12

cves that exist on all linux

18:15

distributions for example

18:18

so i don't want to see a report which

18:20

lists that this

18:23

host which we already know is a ubuntu

18:27

12.04 for example

18:29

contains

18:31

cve something something

18:34

for

18:35

oracle linux

18:37

because obviously

18:39

this cve concerns a different operating

18:42

system a different distribution it

18:46

cannot be relevant for this report

18:50

and especially if you have pages and

18:52

pages

18:53

of basically listing all possible linux

18:56

versions for example

18:58

that's not relevant that's not a good

19:00

report

19:02

so especially on those cases please just

19:05

pick

19:06

the relevant parts of the

19:09

output

19:11

and just include them

19:15

if you feel that you need to include

19:17

more information for completeness sake

19:20

then just create an appendix and include

19:22

it there that's a sort of

19:25

service for the

19:27

blue team

19:28

they can actually see

19:29

the scan and the results directly from

19:32

there but if

19:34

if you included it inside the actual

19:37

report it just makes it harder to read

19:42

then the exploits so

19:45

on this step you basically manually test

19:49

the vulnerabilities that you located in

19:51

the assessment phase

19:56

and at that point you basically check

19:59

whether this exploit works against this

20:02

host or not

20:04

there are exploits

20:08

that don't work

20:10

there are exploits that do work and then

20:13

there are exploits that should work but

20:15

for some reason just don't

20:20

you probably should report

20:22

though especially those that you believe

20:26

exist in the machine but you were unable

20:29

to actually get working

20:32

because um

20:34

that helps again the defenders

20:38

they might

20:40

identify that yes we are using an

20:43

exploitable or vulnerable version

20:45

but for some reason there is a some

20:48

configuration parameter

20:50

or there's

20:52

some closed port or non-standard

20:54

configuration option which for this case

20:58

prevented this exploit from running

21:02

these are things that you probably will

21:04

not be able to find out but the blue

21:06

team the

21:10

developers should have pretty good

21:12

understanding of

21:13

so

21:14

these are valid this is valuable

21:17

information

21:18

for the defenders

21:20

even if the attack is not successful

21:24

to understand

21:26

why you expected this attack to work

21:30

they can then verify from the source

21:33

code for example or fro from the

21:35

configurations that yep this actually

21:38

should have worked

21:40

except we had this parameter a bit

21:42

differently so if the attacker had

21:45

noticed this parameter they would have

21:48

been able

21:49

to exploit this vulnerability and they

21:52

then they can fix this

21:54

even if you were not able to gain access

21:57

through there

21:58

so don't leave

22:00

stuff out of the report just because you

22:03

were unable to exploit it

22:06

but please do

22:07

leave stuff out of the report that

22:10

should never be able to be exploited

22:12

against this host

22:14

so which is meant against a different

22:16

software version different uh operating

22:18

system

22:20

so on different processor architecture

22:24

what not

22:27

okay uh the indirect attack you can

22:30

basically skip completely

22:33

uh we are not performing these on this

22:36

course so no facing no client side

22:38

attacks no browser side attacks so

22:40

that's why i've left the directed attack

22:45

from the

22:46

structure

22:48

i've simplified this a bit

22:50

on that level too

22:52

and

22:53

rearranged it a bit too

22:57

okay and then we don't

23:00

really have to go to the post

23:01

exploitation so

23:03

yep you have to document the path that

23:06

you took

23:07

for the privilege escalation

23:10

it's sort of included here

23:14

but you don't have to evaluate

23:17

the countermeasure effectiveness

23:20

there is uh

23:23

at least one simple web application

23:25

firewall

23:28

or sort of

23:30

application level firewalling

23:32

going on in at least one of the machines

23:35

which does prevent

23:39

brute force attacks

23:42

after a couple of tries but

23:44

nothing really

23:46

heavily guarded on this

23:49

assignment

23:50

and finally you can leave the risk and

23:52

exposure

23:54

out of your report

23:58

and

23:59

so the conclusion as it says here

24:02

is that you echo portions of the test

24:06

and give ideas for the posture

24:09

yeah please do that but

24:12

you don't have to focus on the

24:13

conclusions so

24:15

the most

24:16

relevant part is the

24:19

directed attack this part here

24:27

what vulnerabilities exist what

24:29

vulnerabilities you were able to exploit

24:32

and

24:33

how you were able to escalate your

24:35

access and what are the remediation

24:38

steps that the defenders should take

24:42

that's the structure of a good report

24:50

and

24:51

as i mentioned this is the

24:56

this is the outline that i expect you to

24:59

use you can use

25:02

as your reporting

25:05

template

25:06

the

25:07

normal to us report template or just

25:10

grab a word template from the

25:12

default directory if you feel that

25:14

that's easier

25:16

what i do request is that include your

25:21

name and the course name on the front

25:24

page of the report so that that if i

25:27

have to

25:29

uh read them outside of its learning

25:32

i can still

25:35

attach them to you so that i can create

25:38

you

25:40

without too much default i should be

25:42

able to see them inside its learning and

25:44

then i can just directly create you

25:48

but just in case something happens

25:52

okay

25:53

any questions about

25:55

the peta's structure or the reporting

25:58

instructions at this point

26:05

okay

26:06

if not then

26:08

[Music]

26:09

thanks for listening i'll end the

26:11

english recording here and then we can

26:13

continue

26:15

with your specific questions