Begin

When you kick off a pentest you will start implementing your attack strategy, begin scanning for vulnerabilities, and start extracting information.

Subsections of Begin

Strategy

Attack Strategy

Overview

  • Think of external pentests like home security.
    • cameras, lighting, dogs, alarm system.
  • Low chance of RCE (remote code execution), high chance of weak passwords.
  • OSINT and logical guessing are your best friends.

External Pentest

  • There should be good software/system patching.
  • There might be alarm systems or other protections in place.
  • The network facing the outside world is the most vulnerable point.
  • The chances of RCE (remote code execution) are very low.
  • Once someone breaks into the network from an external location, there are far fewer defense mechanisms.
  • Weak password policies, weak security, and the lack of multi-factor authentication are some of the most common vulnerabilities. If you can get into an email account, then the chances are you will be able to get into other things that aren’t protected well enough. Sometimes you will see partial multi-factor authentication, which is not enough. Just finding sensitive information is bad, even if you don’t get onto the network.
  • There may be web portal logins, but don’t start pentesting a web app. You are looking to get onto the internal network. You can try default credentials or SQLi, but that’s about it.

Scanning

Vulnerability Scanning

By this point you should be ready to start and already have completed these things:

  1. Signed Rules of Engagement
  2. Scoping information
  3. Validated scope
  4. Sent kickoff email

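Step 3 (validated scope) and the Nessus target field later on both depend on the same check: every address you are about to scan must sit inside the signed scope and outside any client exclusions. The following is an added example, not part of the course notes or any Tenable tooling; the scope entries and targets are constructed, and the in-scope/excluded structure is an assumption about how you keep your scoping information. It accepts single IPs and CIDR ranges as targets and flags hostnames so they are resolved and re-checked rather than pasted in blindly.

```python
"""Added example (not from the course notes): check a target list against the
signed scope before pasting it into a scanner. All values are constructed."""
import ipaddress

# Constructed scope document: what the client authorised and what they excluded.
SCOPE = {
    "in_scope": ["203.0.113.0/24", "198.51.100.8"],
    "excluded": ["203.0.113.250"],  # e.g. a fragile host the client asked not to be touched
}


def _networks(entries):
    """Turn CIDRs and single IPs into ip_network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def classify_targets(targets, scope=SCOPE):
    """Split targets into in-scope and out-of-scope lists; exclusions beat inclusions.

    Returns (in_scope, out_of_scope, reasons) where reasons maps each rejected
    target to a short explanation for the scoping notes.
    """
    allowed = _networks(scope["in_scope"])
    denied = _networks(scope.get("excluded", []))
    ok, bad, reasons = [], [], {}
    for t in targets:
        try:
            net = ipaddress.ip_network(t.strip(), strict=False)
        except ValueError:
            bad.append(t)
            reasons[t] = "not an IP or CIDR (resolve hostnames first, then re-check the IPs)"
            continue
        if any(net.overlaps(d) for d in denied):
            bad.append(t)
            reasons[t] = "overlaps an address the client excluded"
        elif any(a.version == net.version and net.subnet_of(a) for a in allowed):
            ok.append(t)
        else:
            bad.append(t)
            reasons[t] = "not inside the signed scope"
    return ok, bad, reasons


def scanner_target_string(in_scope):
    """Comma-separated list ready to paste into a scanner's Targets field (assumed format)."""
    return ",".join(in_scope)


if __name__ == "__main__":
    # Constructed target list as it might arrive from the client or a recon phase.
    candidates = ["203.0.113.10", "203.0.113.0/28", "203.0.113.240/28",
                  "203.0.113.250", "198.51.100.8", "192.0.2.1", "mail.example.test"]
    ok, bad, why = classify_targets(candidates)
    print("Targets:", scanner_target_string(ok))
    for t in bad:
        print(f"REJECTED {t}: {why[t]}")
```

Run it before every scan, not just the first one: scope documents get amended mid-engagement, and a /28 that was fine on day one can overlap a host the client excluded on day three.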
Nessus

tenable.com/products/nessus (commercial, paid)

Nessus Essentials is free:
tenable.com/products/nessus/nessus-essentials

Alternatives to Nessus

  1. Astra Pentest
  2. Indusface WAS
  3. Invicti (formerly Netsparker)
  4. Intruder
  5. ManageEngine Vulnerability Manager Plus
  6. Acunetix
  7. OpenVAS
  8. Metasploit
  9. Burp Suite
  10. Qualys Cloud Platform
  11. Tenable.io
  12. OpenSCAP
  13. Tripwire

Scan Demo

The demo is based on the Tesla program at Bugcrowd: bugcrowd.com/tesla
To use bugcrowd.com you need an account set up and configured.

Note: In this case you would need to find out if automated scanning is out of scope.

Steps

The interface has probably changed since this was written, so the steps may differ.

  • Nessus - Advanced Scan
    • Name, description.
    • Targets: paste in IP address from scope.
    • Schedule: you can set when it will run.
    • Discovery: usually left at default for external.
    • Port Scanning: 1-65535
    • Service Discovery: leave as default.
    • Web Applications: Turn on Scan web applications.
    • Check through the rest of the settings and understand what they are for.

Information

Reviewing and Extracting Information

Nessus

Note: These instructions might be different in new versions.

When the scan is finished

  • Click on it to see the results
  • Check Hosts, Vulnerabilities and History
  • Export results (drop down)
    • Click Nessus to export
  • Report (drop down)
    • Click PDF to export
      • Executive Summary
      • Custom Summary with everything
    • Click HTML to export

Nessus Parsers

melcara.com - last updated in 2017
perl parse_nessus_xml.v24.pl -f Tesla_mbpjyt.nessus
It will create a spreadsheet file.

github.com/Ebryx/Nessus_Map

git clone https://github.com/Ebryx/Nessus_Map
cd Nessus_Map
mkdir env                        # create a virtual environment in its own directory
cd env
python3 -m venv .
source bin/activate              # activate it so pip installs stay local to the project
cd ..
pip install -r requirements.txt  # install the project's dependencies
python manage.py runserver       # start the Django development server
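Both parsers above work from the .nessus export (Export → Nessus in the steps earlier), which is XML in Tenable's NessusClientData_v2 layout: one ReportHost per target, host details as HostProperties tags, and one ReportItem per plugin hit carrying port, protocol, severity and plugin name as attributes. The following is an added example, not the melcara.com script or Nessus_Map, showing the core of what such a parser does: pull the findings out of that XML, drop the informational noise, sort by severity and write a CSV you can open as a spreadsheet. The embedded XML is constructed sample data with placeholder plugin IDs, not a real scan result.

```python
"""Added example (not from the course notes): a minimal .nessus (NessusClientData_v2)
parser that turns a Nessus export into spreadsheet rows. The XML below is constructed."""
import csv
import io
import xml.etree.ElementTree as ET

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="external-demo">
    <ReportHost name="203.0.113.10">
      <HostProperties>
        <tag name="host-ip">203.0.113.10</tag>
        <tag name="host-fqdn">mail.example.test</tag>
      </HostProperties>
      <ReportItem port="25" svc_name="smtp" protocol="tcp" severity="0"
                  pluginID="10263" pluginName="SMTP Server Detection" pluginFamily="Service detection">
        <risk_factor>None</risk_factor>
      </ReportItem>
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
                  pluginID="99999" pluginName="Sample outdated web server plugin (constructed)" pluginFamily="Web Servers">
        <risk_factor>High</risk_factor>
        <cvss_base_score>7.5</cvss_base_score>
        <plugin_output>Server banner reports an unsupported version (constructed)</plugin_output>
      </ReportItem>
    </ReportHost>
    <ReportHost name="203.0.113.20">
      <HostProperties>
        <tag name="host-ip">203.0.113.20</tag>
      </HostProperties>
      <ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="2"
                  pluginID="99998" pluginName="Sample RDP exposure plugin (constructed)" pluginFamily="Windows">
        <risk_factor>Medium</risk_factor>
        <cvss_base_score>5.0</cvss_base_score>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

SEVERITY_LABEL = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
COLUMNS = ["host", "fqdn", "port", "service", "severity", "cvss", "plugin_id", "plugin", "output"]


def parse_nessus(xml_text, min_severity=1):
    """Return one dict per finding at or above min_severity, highest severity first.

    min_severity=1 drops the Info-level plugin hits that make up most of a scan.
    """
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        for item in host.findall("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev < min_severity:
                continue
            rows.append({
                "host": props.get("host-ip", host.get("name")),
                "fqdn": props.get("host-fqdn", ""),
                "port": f"{item.get('port')}/{item.get('protocol')}",
                "service": item.get("svc_name", ""),
                "severity": SEVERITY_LABEL.get(sev, str(sev)),
                "cvss": item.findtext("cvss_base_score") or "",
                "plugin_id": item.get("pluginID", ""),
                "plugin": item.get("pluginName", ""),
                "output": (item.findtext("plugin_output") or "").strip(),
                "_sev": sev,  # numeric copy kept only for sorting
            })
    rows.sort(key=lambda r: (-r["_sev"], r["host"], r["port"]))
    for r in rows:
        del r["_sev"]
    return rows


def to_csv(rows):
    """Render the rows as CSV text (open the result as a spreadsheet)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage against a real export: parse_nessus(open("scan.nessus").read())
    print(to_csv(parse_nessus(SAMPLE_NESSUS)))
```

The parser deliberately keeps plugin_output, since that field is where the evidence for a finding lives (the banner, the certificate, the exact response) and it is what you will need when writing the report.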