Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:00,300 --> 00:00:02,640 Instructor: As we move forward with planning and scoping, 2 00:00:02,640 --> 00:00:05,520 we need to find a valid target for us to attack. 3 00:00:05,520 --> 00:00:07,650 This is conducted from a technical perspective 4 00:00:07,650 --> 00:00:09,390 as we go through our information gathering 5 00:00:09,390 --> 00:00:11,430 and vulnerability scanning phase. 6 00:00:11,430 --> 00:00:13,470 But as a penetration tester, 7 00:00:13,470 --> 00:00:15,360 we first are gonna conduct target selection 8 00:00:15,360 --> 00:00:17,310 in the planning and scoping phase, 9 00:00:17,310 --> 00:00:19,860 as we negotiate this with the targeted organization 10 00:00:19,860 --> 00:00:22,680 inside of our contract and our statement of work. 11 00:00:22,680 --> 00:00:23,700 We first need to ask: 12 00:00:23,700 --> 00:00:26,370 Is our targets gonna be internal or external? 13 00:00:26,370 --> 00:00:29,100 Are they gonna be first party or third party hosted? 14 00:00:29,100 --> 00:00:30,600 And if we can do physical attacks, 15 00:00:30,600 --> 00:00:32,280 or if we can go after the users, 16 00:00:32,280 --> 00:00:33,990 if we can go after their wireless networks, 17 00:00:33,990 --> 00:00:35,730 if we can target applications, 18 00:00:35,730 --> 00:00:38,220 and numerous other scoping concerns. 19 00:00:38,220 --> 00:00:39,540 That's what we're gonna focus on 20 00:00:39,540 --> 00:00:42,300 in this lesson as we discuss target selection. 21 00:00:42,300 --> 00:00:44,400 And we'll leave the more technical target selection 22 00:00:44,400 --> 00:00:46,169 for later on when we cover information gathering 23 00:00:46,169 --> 00:00:47,850 and vulnerability scanning 24 00:00:47,850 --> 00:00:49,980 at a later phase in the engagement. 25 00:00:49,980 --> 00:00:52,980 First, we have to determine if our scope is going to consist 26 00:00:52,980 --> 00:00:55,350 of internal or external targets. 27 00:00:55,350 --> 00:00:56,820 Internal targets are those 28 00:00:56,820 --> 00:00:58,650 inside the organization's firewall 29 00:00:58,650 --> 00:01:02,100 and require us to be on-site, gain access through a VPN, 30 00:01:02,100 --> 00:01:03,540 or exploit a user's computer 31 00:01:03,540 --> 00:01:05,400 inside the organizational network 32 00:01:05,400 --> 00:01:07,260 and use that as a pivot point. 33 00:01:07,260 --> 00:01:08,130 On the other hand, 34 00:01:08,130 --> 00:01:10,620 external targets are publicly facing targets 35 00:01:10,620 --> 00:01:12,990 which can be accessed directly across the internet, 36 00:01:12,990 --> 00:01:15,930 such as a website, web application, email, 37 00:01:15,930 --> 00:01:18,120 or DNS server in a screen subnet 38 00:01:18,120 --> 00:01:21,210 that's outside of the protected local area network. 39 00:01:21,210 --> 00:01:25,140 Second, we have first party and third party hosted assets. 40 00:01:25,140 --> 00:01:27,051 Are the targets provided in our statement of work 41 00:01:27,051 --> 00:01:30,390 hosted by the organization itself in their own data center, 42 00:01:30,390 --> 00:01:33,450 in which case we call these first party hosted assets, 43 00:01:33,450 --> 00:01:34,860 or are they gonna be hosted 44 00:01:34,860 --> 00:01:38,370 by a third party service provider, like Amazon Web Services, 45 00:01:38,370 --> 00:01:42,090 Microsoft Azure, Google Cloud, or other cloud providers? 46 00:01:42,090 --> 00:01:44,340 Now, due to the massive migration of the cloud, 47 00:01:44,340 --> 00:01:47,010 there are a lot of third party service providers out there 48 00:01:47,010 --> 00:01:48,930 that are hosting different assets that you may 49 00:01:48,930 --> 00:01:52,200 or may not be able to include in your assessment scope. 50 00:01:52,200 --> 00:01:54,450 This includes the major cloud providers I just listed, 51 00:01:54,450 --> 00:01:57,090 like Amazon Web Services, Microsoft Azure, 52 00:01:57,090 --> 00:01:58,800 and Google Cloud, but there are also 53 00:01:58,800 --> 00:02:01,950 numerous smaller cloud service providers as well out there. 54 00:02:01,950 --> 00:02:03,780 During the planning and scoping phase, 55 00:02:03,780 --> 00:02:05,820 the target organization needs to inform us 56 00:02:05,820 --> 00:02:07,110 if we're only allowed to attack 57 00:02:07,110 --> 00:02:08,910 their first party hosted servers 58 00:02:08,910 --> 00:02:10,620 or are we allowed to also go 59 00:02:10,620 --> 00:02:13,590 after the assets hosted in a third party environment. 60 00:02:13,590 --> 00:02:17,070 For example, my company's website, diontraining.com, 61 00:02:17,070 --> 00:02:19,950 is hosted by a third party cloud service provider. 62 00:02:19,950 --> 00:02:21,660 If you are hired to conduct an engagement 63 00:02:21,660 --> 00:02:24,736 of my company's e-learning platform, I have to first decide, 64 00:02:24,736 --> 00:02:26,040 are you gonna be allowed to go 65 00:02:26,040 --> 00:02:28,080 after our office networks and file servers 66 00:02:28,080 --> 00:02:30,990 that we host locally using our first party model, 67 00:02:30,990 --> 00:02:33,810 or are you also gonna be allowed to go after our website 68 00:02:33,810 --> 00:02:37,290 and e-learning platform, which uses third party hosting? 69 00:02:37,290 --> 00:02:38,430 Maybe I only want you to go 70 00:02:38,430 --> 00:02:41,400 after third party hosted applications, and if so, 71 00:02:41,400 --> 00:02:42,600 that has to be accounted for 72 00:02:42,600 --> 00:02:44,400 during the planning and scoping phase 73 00:02:44,400 --> 00:02:46,350 so that you can gain all the necessary permissions 74 00:02:46,350 --> 00:02:48,510 from that cloud service provider in addition 75 00:02:48,510 --> 00:02:51,210 to gaining permission from your client's organization. 76 00:02:51,210 --> 00:02:53,700 Next, we need to discuss the physical aspects 77 00:02:53,700 --> 00:02:54,900 of the engagement. 78 00:02:54,900 --> 00:02:57,570 Are we gonna test the organization's physical security? 79 00:02:57,570 --> 00:02:59,640 Do they want us to do an on-site assessment? 80 00:02:59,640 --> 00:03:01,440 Should we try to sneak past the guards, 81 00:03:01,440 --> 00:03:03,750 overcoming the security cameras, the pin pads, 82 00:03:03,750 --> 00:03:05,670 and other physical security controls? 83 00:03:05,670 --> 00:03:07,830 Again, this is something that must be answered 84 00:03:07,830 --> 00:03:09,750 as part of the planning and scoping phase 85 00:03:09,750 --> 00:03:12,630 to determine if a physical assessment is going to be used. 86 00:03:12,630 --> 00:03:14,310 We have to know whether physical security 87 00:03:14,310 --> 00:03:17,370 is part of the assessment, or are we just gonna be hired 88 00:03:17,370 --> 00:03:20,220 to conduct a technical assessment of the network. 89 00:03:20,220 --> 00:03:22,500 If a physical assessment is gonna be in scope, 90 00:03:22,500 --> 00:03:24,480 you're also gonna need to determine which locations 91 00:03:24,480 --> 00:03:26,640 are covered by the scope of the assessment. 92 00:03:26,640 --> 00:03:28,688 For example, my small company has employees 93 00:03:28,688 --> 00:03:32,280 and assets located across six different countries right now. 94 00:03:32,280 --> 00:03:33,990 If I hire you for an engagement, 95 00:03:33,990 --> 00:03:35,070 will you conduct an assessment 96 00:03:35,070 --> 00:03:39,240 of all six locations or just our main officer headquarters? 97 00:03:39,240 --> 00:03:40,590 Additionally, physical locations 98 00:03:40,590 --> 00:03:43,680 of the organization's assets are usually gonna be defined 99 00:03:43,680 --> 00:03:46,410 as either being on-site or off-site. 100 00:03:46,410 --> 00:03:49,150 An on-site asset is any asset that is physically located 101 00:03:49,150 --> 00:03:51,510 where the attack is being carried out. 102 00:03:51,510 --> 00:03:53,880 For example, if you're trying to break into my offices 103 00:03:53,880 --> 00:03:56,310 as part of a physical penetration test and gain access 104 00:03:56,310 --> 00:03:59,520 to my infrastructure, my server room, or my employees, 105 00:03:59,520 --> 00:04:02,880 these are all considered on-site assets or targets. 106 00:04:02,880 --> 00:04:05,220 Conversely, off-site assets are defined 107 00:04:05,220 --> 00:04:07,271 as any asset that provides a service for a company 108 00:04:07,271 --> 00:04:08,912 but is not necessarily located 109 00:04:08,912 --> 00:04:11,430 at the same place as that company. 110 00:04:11,430 --> 00:04:13,650 For example, I used to be an IT director 111 00:04:13,650 --> 00:04:16,740 for an organization whose data center was located in Italy, 112 00:04:16,740 --> 00:04:18,795 but we also had regional satellite offices 113 00:04:18,795 --> 00:04:22,230 located in four other countries spread across Europe. 114 00:04:22,230 --> 00:04:24,590 Often, you're gonna find that these smaller regional offices 115 00:04:24,590 --> 00:04:27,600 or satellite offices have less stringent security 116 00:04:27,600 --> 00:04:29,730 than the main data center or headquarters. 117 00:04:29,730 --> 00:04:31,830 So if those off-site locations 118 00:04:31,830 --> 00:04:34,350 and assets are considered part of your engagement scope, 119 00:04:34,350 --> 00:04:36,720 you might find an easier way into the headquarters 120 00:04:36,720 --> 00:04:39,660 by pivoting through one of those off-site locations. 121 00:04:39,660 --> 00:04:42,190 In today's deparameterization environment, it is common 122 00:04:42,190 --> 00:04:45,360 that employee-owned devices may also be categorized 123 00:04:45,360 --> 00:04:47,010 as an off-site location 124 00:04:47,010 --> 00:04:49,470 because their home office is essentially an extension 125 00:04:49,470 --> 00:04:51,510 of your headquarters network once they connect 126 00:04:51,510 --> 00:04:54,450 into that organizational network using a VPN. 127 00:04:54,450 --> 00:04:56,850 Next, we should also consider whether testing 128 00:04:56,850 --> 00:04:58,800 of the users is considered authorized 129 00:04:58,800 --> 00:05:01,230 or if it's considered off-limits. 130 00:05:01,230 --> 00:05:03,600 Can we use spear phishing or even phishing attacks 131 00:05:03,600 --> 00:05:05,670 against the organization's user base? 132 00:05:05,670 --> 00:05:07,680 Can we do social engineering against them? 133 00:05:07,680 --> 00:05:09,060 Can we try to trick the employees 134 00:05:09,060 --> 00:05:10,770 in order to get them to let us into the building 135 00:05:10,770 --> 00:05:12,810 and bypass their physical security? 136 00:05:12,810 --> 00:05:14,370 Now, again, there's no right 137 00:05:14,370 --> 00:05:16,170 or wrong answer to these questions. 138 00:05:16,170 --> 00:05:18,150 It's all negotiable as part of the planning 139 00:05:18,150 --> 00:05:19,980 and scoping for the engagement. 140 00:05:19,980 --> 00:05:22,667 For example, in a past assessment, my team was told 141 00:05:22,667 --> 00:05:25,170 that we could not target any of the executives, 142 00:05:25,170 --> 00:05:27,707 but any of the regular users was considered fair game 143 00:05:27,707 --> 00:05:29,940 for our social engineering attempts. 144 00:05:29,940 --> 00:05:32,250 In other assessments, we've been told specifically 145 00:05:32,250 --> 00:05:33,690 to target the sales department 146 00:05:33,690 --> 00:05:35,220 to determine if the user awareness training 147 00:05:35,220 --> 00:05:37,920 they received a few months earlier was effective or not. 148 00:05:37,920 --> 00:05:39,540 Remember, users tend to be 149 00:05:39,540 --> 00:05:41,205 the easiest attack vector to go after, 150 00:05:41,205 --> 00:05:42,870 especially if they're considered 151 00:05:42,870 --> 00:05:44,700 in scope for the assessment and you're allowed 152 00:05:44,700 --> 00:05:47,550 to use various social engineering attacks against them. 153 00:05:47,550 --> 00:05:49,050 The next area of concern we have 154 00:05:49,050 --> 00:05:50,970 is regarding wireless networks. 155 00:05:50,970 --> 00:05:52,483 I'm always careful to ask an organization 156 00:05:52,483 --> 00:05:54,757 to specify which wireless network identifiers 157 00:05:54,757 --> 00:05:59,160 or SSIDs or within the scope of my engagements. 158 00:05:59,160 --> 00:05:59,993 If we're being asked 159 00:05:59,993 --> 00:06:01,950 to conduct wireless penetration testing, 160 00:06:01,950 --> 00:06:03,990 we need to ensure that we're only targeting equipment 161 00:06:03,990 --> 00:06:06,180 that's owned and operated by the organization 162 00:06:06,180 --> 00:06:07,950 that we're actually doing the testing for 163 00:06:07,950 --> 00:06:09,930 because they're the only ones who can grant permission 164 00:06:09,930 --> 00:06:11,940 for the networks they own and operate. 165 00:06:11,940 --> 00:06:13,920 For example, at many offices, 166 00:06:13,920 --> 00:06:15,390 there's a company wireless network 167 00:06:15,390 --> 00:06:18,210 and a guest wireless network, or at a hotel, 168 00:06:18,210 --> 00:06:20,760 there's one wireless network for the point of sale systems 169 00:06:20,760 --> 00:06:23,340 and another one that's used by the guests of the hotel. 170 00:06:23,340 --> 00:06:25,140 If we're gonna assess the hotel, 171 00:06:25,140 --> 00:06:27,510 we need to negotiate which network is in scope 172 00:06:27,510 --> 00:06:30,570 of the engagement and which one is outside of our scope. 173 00:06:30,570 --> 00:06:32,160 Are you allowed to set up an evil twin 174 00:06:32,160 --> 00:06:33,900 or rogue access point using the same 175 00:06:33,900 --> 00:06:35,700 or similar service set identifier 176 00:06:35,700 --> 00:06:38,040 as a organization's trusted wireless network? 177 00:06:38,040 --> 00:06:40,590 Well, maybe you are. Maybe you aren't. 178 00:06:40,590 --> 00:06:42,870 Again, there's no right or wrong answer here. 179 00:06:42,870 --> 00:06:44,645 We just need to make sure that the penetration tester 180 00:06:44,645 --> 00:06:47,022 and the organization are both agreeing to the scope 181 00:06:47,022 --> 00:06:49,440 during the planning and scoping phase 182 00:06:49,440 --> 00:06:51,540 so we're all on the same page. 183 00:06:51,540 --> 00:06:52,800 As we consider the wired 184 00:06:52,800 --> 00:06:54,780 and wireless organizational networks, 185 00:06:54,780 --> 00:06:55,920 we also need to identify 186 00:06:55,920 --> 00:06:57,839 which assets are gonna be considered in scope 187 00:06:57,839 --> 00:07:00,870 based on their IP addresses or IP ranges, 188 00:07:00,870 --> 00:07:03,060 the domain or subdomain associated with them, 189 00:07:03,060 --> 00:07:06,263 or their DNS or domain name system servers. 190 00:07:06,263 --> 00:07:09,060 Now, IP addresses of the in scope asset 191 00:07:09,060 --> 00:07:11,070 should include the appropriate network ranges 192 00:07:11,070 --> 00:07:14,250 and the autonomous system numbers known as ASNs. 193 00:07:14,250 --> 00:07:15,983 These ASNs are used by the organization 194 00:07:15,983 --> 00:07:17,903 as a globally unique identifier 195 00:07:17,903 --> 00:07:20,865 that defines a group of one or more IP prefixes 196 00:07:20,865 --> 00:07:23,370 that are run by one or more network operators 197 00:07:23,370 --> 00:07:26,730 that maintain a single, clearly-defined routing policy. 198 00:07:26,730 --> 00:07:29,250 ASNs are used with the Border Gateway Protocol, 199 00:07:29,250 --> 00:07:31,020 and if they're changed inadvertently, 200 00:07:31,020 --> 00:07:33,420 it can cause all sorts of disastrous routing issues 201 00:07:33,420 --> 00:07:36,270 for the organization's traffic going over the internet. 202 00:07:36,270 --> 00:07:38,280 It's also important to include a list of domains 203 00:07:38,280 --> 00:07:39,810 and subdomains that are considered 204 00:07:39,810 --> 00:07:41,550 in scope for the assessment. 205 00:07:41,550 --> 00:07:44,460 For example, since I use an elastic cloud architecture 206 00:07:44,460 --> 00:07:47,190 for my learning management system, we're constantly adding 207 00:07:47,190 --> 00:07:50,070 and removing IP addresses behind our load balancer, 208 00:07:50,070 --> 00:07:51,060 but our domain names 209 00:07:51,060 --> 00:07:54,030 and our subdomain names are not changing rapidly. 210 00:07:54,030 --> 00:07:55,770 Therefore, you should always have a list 211 00:07:55,770 --> 00:07:57,900 of our domains and subdomains that are considered 212 00:07:57,900 --> 00:07:59,730 in scope for the assessment. 213 00:07:59,730 --> 00:08:04,350 For example, maybe my website, www.diontraining.com, 214 00:08:04,350 --> 00:08:06,863 is considered in scope, but my support portal 215 00:08:06,863 --> 00:08:11,040 at support.diontraining.com is not in scope. 216 00:08:11,040 --> 00:08:12,750 By having a clear list of in scope 217 00:08:12,750 --> 00:08:14,910 and out of scope domains and subdomains, 218 00:08:14,910 --> 00:08:17,790 you can avoid any issues during the engagement. 219 00:08:17,790 --> 00:08:19,020 Also, you need to know 220 00:08:19,020 --> 00:08:20,760 if the organization will allow you to target 221 00:08:20,760 --> 00:08:23,490 or modify their DNS servers and its records. 222 00:08:23,490 --> 00:08:26,700 For example, are you allowed to conduct DNS poisoning? 223 00:08:26,700 --> 00:08:28,020 How about a watering hole attack 224 00:08:28,020 --> 00:08:30,000 as part of a social engineering campaign? 225 00:08:30,000 --> 00:08:32,442 Again, there's no right or wrong answer here. 226 00:08:32,442 --> 00:08:34,230 It's just up to you and your client 227 00:08:34,230 --> 00:08:36,630 to determine the proper scope for the engagement based 228 00:08:36,630 --> 00:08:39,630 on your objectives and goals that the organization has. 229 00:08:39,630 --> 00:08:42,087 Now, the final area to think about is that of applications 230 00:08:42,087 --> 00:08:44,760 and more specifically, web applications 231 00:08:44,760 --> 00:08:48,480 and their application programming interfaces, known as APIs. 232 00:08:48,480 --> 00:08:50,081 If we're gonna do a web application test, 233 00:08:50,081 --> 00:08:52,163 are we gonna be focused on a single application 234 00:08:52,163 --> 00:08:55,500 or all applications on a given web server? 235 00:08:55,500 --> 00:08:56,490 For example, 236 00:08:56,490 --> 00:08:59,400 if a penetration tester is assessing a web application, 237 00:08:59,400 --> 00:09:01,830 are they only looking at the code developed by the company 238 00:09:01,830 --> 00:09:02,663 or should they look 239 00:09:02,663 --> 00:09:05,070 at the applications underneath the code as well? 240 00:09:05,070 --> 00:09:07,800 Can the penetration tester target the Apache web server, 241 00:09:07,800 --> 00:09:09,759 the MySQL database, the PHP code, 242 00:09:09,759 --> 00:09:12,390 or even the underlying software development kits, 243 00:09:12,390 --> 00:09:14,220 known as SDKs? 244 00:09:14,220 --> 00:09:15,990 All of these things may or may not be 245 00:09:15,990 --> 00:09:17,310 in the scope of the engagement 246 00:09:17,310 --> 00:09:19,560 depending on what was contracted and agreed upon 247 00:09:19,560 --> 00:09:22,470 by your company and your client organization. 248 00:09:22,470 --> 00:09:24,558 A web application and its associate APIs 249 00:09:24,558 --> 00:09:27,146 could be used for either public facing applications 250 00:09:27,146 --> 00:09:30,570 or they may only be internal to the organization. 251 00:09:30,570 --> 00:09:32,280 For example, in my company, 252 00:09:32,280 --> 00:09:34,170 we have several APIs that we have developed 253 00:09:34,170 --> 00:09:37,290 in order to deliver our courses, our labs, our textbooks, 254 00:09:37,290 --> 00:09:40,440 and our exams to all of our students at diontraining.com. 255 00:09:40,440 --> 00:09:41,790 For example, in the version 256 00:09:41,790 --> 00:09:44,130 of this course located at diontraining.com, 257 00:09:44,130 --> 00:09:46,470 we also include hands-on labs where students 258 00:09:46,470 --> 00:09:49,020 can enter a cloud-based penetration testing environment 259 00:09:49,020 --> 00:09:50,940 and practice with all different kinds of attacks 260 00:09:50,940 --> 00:09:52,920 and tools that we cover in this course. 261 00:09:52,920 --> 00:09:54,450 Our learning management system, though, 262 00:09:54,450 --> 00:09:56,430 didn't have this capability initially, 263 00:09:56,430 --> 00:09:58,830 so we had to develop our own API that accepts 264 00:09:58,830 --> 00:10:01,200 the student's unique user identification number, 265 00:10:01,200 --> 00:10:03,450 their email, and the lab they wanna access, 266 00:10:03,450 --> 00:10:06,630 along with the secret authentication token, and in return, 267 00:10:06,630 --> 00:10:09,450 the API provides the link to launch the lab, 268 00:10:09,450 --> 00:10:11,070 and this allows the students to click a button 269 00:10:11,070 --> 00:10:13,950 and access and utilize these cloud-based labs. 270 00:10:13,950 --> 00:10:16,740 Now, during the scoping, it's also important to determine 271 00:10:16,740 --> 00:10:18,270 if there's a particular application 272 00:10:18,270 --> 00:10:21,120 on the client's system that's considered mission critical, 273 00:10:21,120 --> 00:10:23,160 and therefore, the client cannot afford 274 00:10:23,160 --> 00:10:26,040 to have it experience any downtime during the engagement. 275 00:10:26,040 --> 00:10:28,372 For example, a credit card processing application 276 00:10:28,372 --> 00:10:31,110 might be such a system in a retail environment. 277 00:10:31,110 --> 00:10:32,910 While the patient record management application 278 00:10:32,910 --> 00:10:35,040 in a hospital might be equally important 279 00:10:35,040 --> 00:10:37,320 in that organization's situation. 280 00:10:37,320 --> 00:10:39,631 The penetration tester and the client need to work together 281 00:10:39,631 --> 00:10:42,017 to both understand which applications or systems 282 00:10:42,017 --> 00:10:44,790 need to be excluded from the scope of the engagement 283 00:10:44,790 --> 00:10:46,980 to ensure that the organization can still be able 284 00:10:46,980 --> 00:10:50,040 to conduct its mission successfully during the attacks. 285 00:10:50,040 --> 00:10:52,650 Once again, this really depends on your negotiations 286 00:10:52,650 --> 00:10:54,900 with the client during the planning and scoping phase 287 00:10:54,900 --> 00:10:56,223 of your penetration test. 288 00:10:57,113 --> 00:10:59,566 (light upbeat music) 22703