1
00:00:00,300 --> 00:00:02,640
Instructor: As we move forward with planning and scoping,
2
00:00:02,640 --> 00:00:05,520
we need to find a valid target for us to attack.
3
00:00:05,520 --> 00:00:07,650
This is conducted from a technical perspective
4
00:00:07,650 --> 00:00:09,390
as we go through our information gathering
5
00:00:09,390 --> 00:00:11,430
and vulnerability scanning phase.
6
00:00:11,430 --> 00:00:13,470
But as a penetration tester,
7
00:00:13,470 --> 00:00:15,360
we first are gonna conduct target selection
8
00:00:15,360 --> 00:00:17,310
in the planning and scoping phase,
9
00:00:17,310 --> 00:00:19,860
as we negotiate this with the targeted organization
10
00:00:19,860 --> 00:00:22,680
inside of our contract and our statement of work.
11
00:00:22,680 --> 00:00:23,700
We first need to ask:
12
00:00:23,700 --> 00:00:26,370
Are our targets gonna be internal or external?
13
00:00:26,370 --> 00:00:29,100
Are they gonna be first party or third party hosted?
14
00:00:29,100 --> 00:00:30,600
And if we can do physical attacks,
15
00:00:30,600 --> 00:00:32,280
or if we can go after the users,
16
00:00:32,280 --> 00:00:33,990
if we can go after their wireless networks,
17
00:00:33,990 --> 00:00:35,730
if we can target applications,
18
00:00:35,730 --> 00:00:38,220
and numerous other scoping concerns.
19
00:00:38,220 --> 00:00:39,540
That's what we're gonna focus on
20
00:00:39,540 --> 00:00:42,300
in this lesson as we discuss target selection.
21
00:00:42,300 --> 00:00:44,400
And we'll leave the more technical target selection
22
00:00:44,400 --> 00:00:46,169
for later on when we cover information gathering
23
00:00:46,169 --> 00:00:47,850
and vulnerability scanning
24
00:00:47,850 --> 00:00:49,980
at a later phase in the engagement.
25
00:00:49,980 --> 00:00:52,980
First, we have to determine if our scope is going to consist
26
00:00:52,980 --> 00:00:55,350
of internal or external targets.
27
00:00:55,350 --> 00:00:56,820
Internal targets are those
28
00:00:56,820 --> 00:00:58,650
inside the organization's firewall
29
00:00:58,650 --> 00:01:02,100
and require us to be on-site, gain access through a VPN,
30
00:01:02,100 --> 00:01:03,540
or exploit a user's computer
31
00:01:03,540 --> 00:01:05,400
inside the organizational network
32
00:01:05,400 --> 00:01:07,260
and use that as a pivot point.
33
00:01:07,260 --> 00:01:08,130
On the other hand,
34
00:01:08,130 --> 00:01:10,620
external targets are publicly facing targets
35
00:01:10,620 --> 00:01:12,990
which can be accessed directly across the internet,
36
00:01:12,990 --> 00:01:15,930
such as a website, web application, email,
37
00:01:15,930 --> 00:01:18,120
or DNS server in a screened subnet
38
00:01:18,120 --> 00:01:21,210
that's outside of the protected local area network.
39
00:01:21,210 --> 00:01:25,140
Second, we have first party and third party hosted assets.
40
00:01:25,140 --> 00:01:27,051
Are the targets provided in our statement of work
41
00:01:27,051 --> 00:01:30,390
hosted by the organization itself in their own data center,
42
00:01:30,390 --> 00:01:33,450
in which case we call these first party hosted assets,
43
00:01:33,450 --> 00:01:34,860
or are they gonna be hosted
44
00:01:34,860 --> 00:01:38,370
by a third party service provider, like Amazon Web Services,
45
00:01:38,370 --> 00:01:42,090
Microsoft Azure, Google Cloud, or other cloud providers?
46
00:01:42,090 --> 00:01:44,340
Now, due to the massive migration to the cloud,
47
00:01:44,340 --> 00:01:47,010
there are a lot of third party service providers out there
48
00:01:47,010 --> 00:01:48,930
that are hosting different assets that you may
49
00:01:48,930 --> 00:01:52,200
or may not be able to include in your assessment scope.
50
00:01:52,200 --> 00:01:54,450
This includes the major cloud providers I just listed,
51
00:01:54,450 --> 00:01:57,090
like Amazon Web Services, Microsoft Azure,
52
00:01:57,090 --> 00:01:58,800
and Google Cloud, but there are also
53
00:01:58,800 --> 00:02:01,950
numerous smaller cloud service providers as well out there.
54
00:02:01,950 --> 00:02:03,780
During the planning and scoping phase,
55
00:02:03,780 --> 00:02:05,820
the target organization needs to inform us
56
00:02:05,820 --> 00:02:07,110
if we're only allowed to attack
57
00:02:07,110 --> 00:02:08,910
their first party hosted servers
58
00:02:08,910 --> 00:02:10,620
or are we allowed to also go
59
00:02:10,620 --> 00:02:13,590
after the assets hosted in a third party environment.
60
00:02:13,590 --> 00:02:17,070
For example, my company's website, diontraining.com,
61
00:02:17,070 --> 00:02:19,950
is hosted by a third party cloud service provider.
62
00:02:19,950 --> 00:02:21,660
If you are hired to conduct an engagement
63
00:02:21,660 --> 00:02:24,736
of my company's e-learning platform, I have to first decide,
64
00:02:24,736 --> 00:02:26,040
are you gonna be allowed to go
65
00:02:26,040 --> 00:02:28,080
after our office networks and file servers
66
00:02:28,080 --> 00:02:30,990
that we host locally using our first party model,
67
00:02:30,990 --> 00:02:33,810
or are you also gonna be allowed to go after our website
68
00:02:33,810 --> 00:02:37,290
and e-learning platform, which uses third party hosting?
69
00:02:37,290 --> 00:02:38,430
Maybe I only want you to go
70
00:02:38,430 --> 00:02:41,400
after third party hosted applications, and if so,
71
00:02:41,400 --> 00:02:42,600
that has to be accounted for
72
00:02:42,600 --> 00:02:44,400
during the planning and scoping phase
73
00:02:44,400 --> 00:02:46,350
so that you can gain all the necessary permissions
74
00:02:46,350 --> 00:02:48,510
from that cloud service provider in addition
75
00:02:48,510 --> 00:02:51,210
to gaining permission from your client's organization.
76
00:02:51,210 --> 00:02:53,700
Next, we need to discuss the physical aspects
77
00:02:53,700 --> 00:02:54,900
of the engagement.
78
00:02:54,900 --> 00:02:57,570
Are we gonna test the organization's physical security?
79
00:02:57,570 --> 00:02:59,640
Do they want us to do an on-site assessment?
80
00:02:59,640 --> 00:03:01,440
Should we try to sneak past the guards,
81
00:03:01,440 --> 00:03:03,750
overcoming the security cameras, the pin pads,
82
00:03:03,750 --> 00:03:05,670
and other physical security controls?
83
00:03:05,670 --> 00:03:07,830
Again, this is something that must be answered
84
00:03:07,830 --> 00:03:09,750
as part of the planning and scoping phase
85
00:03:09,750 --> 00:03:12,630
to determine if a physical assessment is going to be used.
86
00:03:12,630 --> 00:03:14,310
We have to know whether physical security
87
00:03:14,310 --> 00:03:17,370
is part of the assessment, or are we just gonna be hired
88
00:03:17,370 --> 00:03:20,220
to conduct a technical assessment of the network.
89
00:03:20,220 --> 00:03:22,500
If a physical assessment is gonna be in scope,
90
00:03:22,500 --> 00:03:24,480
you're also gonna need to determine which locations
91
00:03:24,480 --> 00:03:26,640
are covered by the scope of the assessment.
92
00:03:26,640 --> 00:03:28,688
For example, my small company has employees
93
00:03:28,688 --> 00:03:32,280
and assets located across six different countries right now.
94
00:03:32,280 --> 00:03:33,990
If I hire you for an engagement,
95
00:03:33,990 --> 00:03:35,070
will you conduct an assessment
96
00:03:35,070 --> 00:03:39,240
of all six locations or just our main office headquarters?
97
00:03:39,240 --> 00:03:40,590
Additionally, physical locations
98
00:03:40,590 --> 00:03:43,680
of the organization's assets are usually gonna be defined
99
00:03:43,680 --> 00:03:46,410
as either being on-site or off-site.
100
00:03:46,410 --> 00:03:49,150
An on-site asset is any asset that is physically located
101
00:03:49,150 --> 00:03:51,510
where the attack is being carried out.
102
00:03:51,510 --> 00:03:53,880
For example, if you're trying to break into my offices
103
00:03:53,880 --> 00:03:56,310
as part of a physical penetration test and gain access
104
00:03:56,310 --> 00:03:59,520
to my infrastructure, my server room, or my employees,
105
00:03:59,520 --> 00:04:02,880
these are all considered on-site assets or targets.
106
00:04:02,880 --> 00:04:05,220
Conversely, off-site assets are defined
107
00:04:05,220 --> 00:04:07,271
as any asset that provides a service for a company
108
00:04:07,271 --> 00:04:08,912
but is not necessarily located
109
00:04:08,912 --> 00:04:11,430
at the same place as that company.
110
00:04:11,430 --> 00:04:13,650
For example, I used to be an IT director
111
00:04:13,650 --> 00:04:16,740
for an organization whose data center was located in Italy,
112
00:04:16,740 --> 00:04:18,795
but we also had regional satellite offices
113
00:04:18,795 --> 00:04:22,230
located in four other countries spread across Europe.
114
00:04:22,230 --> 00:04:24,590
Often, you're gonna find that these smaller regional offices
115
00:04:24,590 --> 00:04:27,600
or satellite offices have less stringent security
116
00:04:27,600 --> 00:04:29,730
than the main data center or headquarters.
117
00:04:29,730 --> 00:04:31,830
So if those off-site locations
118
00:04:31,830 --> 00:04:34,350
and assets are considered part of your engagement scope,
119
00:04:34,350 --> 00:04:36,720
you might find an easier way into the headquarters
120
00:04:36,720 --> 00:04:39,660
by pivoting through one of those off-site locations.
121
00:04:39,660 --> 00:04:42,190
In today's deperimeterization environment, it is common
122
00:04:42,190 --> 00:04:45,360
that employee-owned devices may also be categorized
123
00:04:45,360 --> 00:04:47,010
as an off-site location
124
00:04:47,010 --> 00:04:49,470
because their home office is essentially an extension
125
00:04:49,470 --> 00:04:51,510
of your headquarters network once they connect
126
00:04:51,510 --> 00:04:54,450
into that organizational network using a VPN.
127
00:04:54,450 --> 00:04:56,850
Next, we should also consider whether testing
128
00:04:56,850 --> 00:04:58,800
of the users is considered authorized
129
00:04:58,800 --> 00:05:01,230
or if it's considered off-limits.
130
00:05:01,230 --> 00:05:03,600
Can we use spear phishing or even phishing attacks
131
00:05:03,600 --> 00:05:05,670
against the organization's user base?
132
00:05:05,670 --> 00:05:07,680
Can we do social engineering against them?
133
00:05:07,680 --> 00:05:09,060
Can we try to trick the employees
134
00:05:09,060 --> 00:05:10,770
in order to get them to let us into the building
135
00:05:10,770 --> 00:05:12,810
and bypass their physical security?
136
00:05:12,810 --> 00:05:14,370
Now, again, there's no right
137
00:05:14,370 --> 00:05:16,170
or wrong answer to these questions.
138
00:05:16,170 --> 00:05:18,150
It's all negotiable as part of the planning
139
00:05:18,150 --> 00:05:19,980
and scoping for the engagement.
140
00:05:19,980 --> 00:05:22,667
For example, in a past assessment, my team was told
141
00:05:22,667 --> 00:05:25,170
that we could not target any of the executives,
142
00:05:25,170 --> 00:05:27,707
but any of the regular users was considered fair game
143
00:05:27,707 --> 00:05:29,940
for our social engineering attempts.
144
00:05:29,940 --> 00:05:32,250
In other assessments, we've been told specifically
145
00:05:32,250 --> 00:05:33,690
to target the sales department
146
00:05:33,690 --> 00:05:35,220
to determine if the user awareness training
147
00:05:35,220 --> 00:05:37,920
they received a few months earlier was effective or not.
148
00:05:37,920 --> 00:05:39,540
Remember, users tend to be
149
00:05:39,540 --> 00:05:41,205
the easiest attack vector to go after,
150
00:05:41,205 --> 00:05:42,870
especially if they're considered
151
00:05:42,870 --> 00:05:44,700
in scope for the assessment and you're allowed
152
00:05:44,700 --> 00:05:47,550
to use various social engineering attacks against them.
153
00:05:47,550 --> 00:05:49,050
The next area of concern we have
154
00:05:49,050 --> 00:05:50,970
is regarding wireless networks.
155
00:05:50,970 --> 00:05:52,483
I'm always careful to ask an organization
156
00:05:52,483 --> 00:05:54,757
to specify which wireless network identifiers
157
00:05:54,757 --> 00:05:59,160
or SSIDs are within the scope of my engagements.
158
00:05:59,160 --> 00:05:59,993
If we're being asked
159
00:05:59,993 --> 00:06:01,950
to conduct wireless penetration testing,
160
00:06:01,950 --> 00:06:03,990
we need to ensure that we're only targeting equipment
161
00:06:03,990 --> 00:06:06,180
that's owned and operated by the organization
162
00:06:06,180 --> 00:06:07,950
that we're actually doing the testing for
163
00:06:07,950 --> 00:06:09,930
because they're the only ones who can grant permission
164
00:06:09,930 --> 00:06:11,940
for the networks they own and operate.
165
00:06:11,940 --> 00:06:13,920
For example, at many offices,
166
00:06:13,920 --> 00:06:15,390
there's a company wireless network
167
00:06:15,390 --> 00:06:18,210
and a guest wireless network, or at a hotel,
168
00:06:18,210 --> 00:06:20,760
there's one wireless network for the point of sale systems
169
00:06:20,760 --> 00:06:23,340
and another one that's used by the guests of the hotel.
170
00:06:23,340 --> 00:06:25,140
If we're gonna assess the hotel,
171
00:06:25,140 --> 00:06:27,510
we need to negotiate which network is in scope
172
00:06:27,510 --> 00:06:30,570
of the engagement and which one is outside of our scope.
173
00:06:30,570 --> 00:06:32,160
Are you allowed to set up an evil twin
174
00:06:32,160 --> 00:06:33,900
or rogue access point using the same
175
00:06:33,900 --> 00:06:35,700
or similar service set identifier
176
00:06:35,700 --> 00:06:38,040
as an organization's trusted wireless network?
177
00:06:38,040 --> 00:06:40,590
Well, maybe you are. Maybe you aren't.
178
00:06:40,590 --> 00:06:42,870
Again, there's no right or wrong answer here.
179
00:06:42,870 --> 00:06:44,645
We just need to make sure that the penetration tester
180
00:06:44,645 --> 00:06:47,022
and the organization are both agreeing to the scope
181
00:06:47,022 --> 00:06:49,440
during the planning and scoping phase
182
00:06:49,440 --> 00:06:51,540
so we're all on the same page.
183
00:06:51,540 --> 00:06:52,800
As we consider the wired
184
00:06:52,800 --> 00:06:54,780
and wireless organizational networks,
185
00:06:54,780 --> 00:06:55,920
we also need to identify
186
00:06:55,920 --> 00:06:57,839
which assets are gonna be considered in scope
187
00:06:57,839 --> 00:07:00,870
based on their IP addresses or IP ranges,
188
00:07:00,870 --> 00:07:03,060
the domain or subdomain associated with them,
189
00:07:03,060 --> 00:07:06,263
or their DNS or domain name system servers.
190
00:07:06,263 --> 00:07:09,060
Now, IP addresses of the in scope asset
191
00:07:09,060 --> 00:07:11,070
should include the appropriate network ranges
192
00:07:11,070 --> 00:07:14,250
and the autonomous system numbers known as ASNs.
193
00:07:14,250 --> 00:07:15,983
These ASNs are used by the organization
194
00:07:15,983 --> 00:07:17,903
as a globally unique identifier
195
00:07:17,903 --> 00:07:20,865
that defines a group of one or more IP prefixes
196
00:07:20,865 --> 00:07:23,370
that are run by one or more network operators
197
00:07:23,370 --> 00:07:26,730
that maintain a single, clearly-defined routing policy.
198
00:07:26,730 --> 00:07:29,250
ASNs are used with the Border Gateway Protocol,
199
00:07:29,250 --> 00:07:31,020
and if they're changed inadvertently,
200
00:07:31,020 --> 00:07:33,420
it can cause all sorts of disastrous routing issues
201
00:07:33,420 --> 00:07:36,270
for the organization's traffic going over the internet.
202
00:07:36,270 --> 00:07:38,280
It's also important to include a list of domains
203
00:07:38,280 --> 00:07:39,810
and subdomains that are considered
204
00:07:39,810 --> 00:07:41,550
in scope for the assessment.
205
00:07:41,550 --> 00:07:44,460
For example, since I use an elastic cloud architecture
206
00:07:44,460 --> 00:07:47,190
for my learning management system, we're constantly adding
207
00:07:47,190 --> 00:07:50,070
and removing IP addresses behind our load balancer,
208
00:07:50,070 --> 00:07:51,060
but our domain names
209
00:07:51,060 --> 00:07:54,030
and our subdomain names are not changing rapidly.
210
00:07:54,030 --> 00:07:55,770
Therefore, you should always have a list
211
00:07:55,770 --> 00:07:57,900
of our domains and subdomains that are considered
212
00:07:57,900 --> 00:07:59,730
in scope for the assessment.
213
00:07:59,730 --> 00:08:04,350
For example, maybe my website, www.diontraining.com,
214
00:08:04,350 --> 00:08:06,863
is considered in scope, but my support portal
215
00:08:06,863 --> 00:08:11,040
at support.diontraining.com is not in scope.
216
00:08:11,040 --> 00:08:12,750
By having a clear list of in scope
217
00:08:12,750 --> 00:08:14,910
and out of scope domains and subdomains,
218
00:08:14,910 --> 00:08:17,790
you can avoid any issues during the engagement.
219
00:08:17,790 --> 00:08:19,020
Also, you need to know
220
00:08:19,020 --> 00:08:20,760
if the organization will allow you to target
221
00:08:20,760 --> 00:08:23,490
or modify their DNS servers and its records.
222
00:08:23,490 --> 00:08:26,700
For example, are you allowed to conduct DNS poisoning?
223
00:08:26,700 --> 00:08:28,020
How about a watering hole attack
224
00:08:28,020 --> 00:08:30,000
as part of a social engineering campaign?
225
00:08:30,000 --> 00:08:32,442
Again, there's no right or wrong answer here.
226
00:08:32,442 --> 00:08:34,230
It's just up to you and your client
227
00:08:34,230 --> 00:08:36,630
to determine the proper scope for the engagement based
228
00:08:36,630 --> 00:08:39,630
on your objectives and goals that the organization has.
229
00:08:39,630 --> 00:08:42,087
Now, the final area to think about is that of applications
230
00:08:42,087 --> 00:08:44,760
and more specifically, web applications
231
00:08:44,760 --> 00:08:48,480
and their application programming interfaces, known as APIs.
232
00:08:48,480 --> 00:08:50,081
If we're gonna do a web application test,
233
00:08:50,081 --> 00:08:52,163
are we gonna be focused on a single application
234
00:08:52,163 --> 00:08:55,500
or all applications on a given web server?
235
00:08:55,500 --> 00:08:56,490
For example,
236
00:08:56,490 --> 00:08:59,400
if a penetration tester is assessing a web application,
237
00:08:59,400 --> 00:09:01,830
are they only looking at the code developed by the company
238
00:09:01,830 --> 00:09:02,663
or should they look
239
00:09:02,663 --> 00:09:05,070
at the applications underneath the code as well?
240
00:09:05,070 --> 00:09:07,800
Can the penetration tester target the Apache web server,
241
00:09:07,800 --> 00:09:09,759
the MySQL database, the PHP code,
242
00:09:09,759 --> 00:09:12,390
or even the underlying software development kits,
243
00:09:12,390 --> 00:09:14,220
known as SDKs?
244
00:09:14,220 --> 00:09:15,990
All of these things may or may not be
245
00:09:15,990 --> 00:09:17,310
in the scope of the engagement
246
00:09:17,310 --> 00:09:19,560
depending on what was contracted and agreed upon
247
00:09:19,560 --> 00:09:22,470
by your company and your client organization.
248
00:09:22,470 --> 00:09:24,558
A web application and its associated APIs
249
00:09:24,558 --> 00:09:27,146
could be used for either public facing applications
250
00:09:27,146 --> 00:09:30,570
or they may only be internal to the organization.
251
00:09:30,570 --> 00:09:32,280
For example, in my company,
252
00:09:32,280 --> 00:09:34,170
we have several APIs that we have developed
253
00:09:34,170 --> 00:09:37,290
in order to deliver our courses, our labs, our textbooks,
254
00:09:37,290 --> 00:09:40,440
and our exams to all of our students at diontraining.com.
255
00:09:40,440 --> 00:09:41,790
For example, in the version
256
00:09:41,790 --> 00:09:44,130
of this course located at diontraining.com,
257
00:09:44,130 --> 00:09:46,470
we also include hands-on labs where students
258
00:09:46,470 --> 00:09:49,020
can enter a cloud-based penetration testing environment
259
00:09:49,020 --> 00:09:50,940
and practice with all different kinds of attacks
260
00:09:50,940 --> 00:09:52,920
and tools that we cover in this course.
261
00:09:52,920 --> 00:09:54,450
Our learning management system, though,
262
00:09:54,450 --> 00:09:56,430
didn't have this capability initially,
263
00:09:56,430 --> 00:09:58,830
so we had to develop our own API that accepts
264
00:09:58,830 --> 00:10:01,200
the student's unique user identification number,
265
00:10:01,200 --> 00:10:03,450
their email, and the lab they wanna access,
266
00:10:03,450 --> 00:10:06,630
along with the secret authentication token, and in return,
267
00:10:06,630 --> 00:10:09,450
the API provides the link to launch the lab,
268
00:10:09,450 --> 00:10:11,070
and this allows the students to click a button
269
00:10:11,070 --> 00:10:13,950
and access and utilize these cloud-based labs.
270
00:10:13,950 --> 00:10:16,740
Now, during the scoping, it's also important to determine
271
00:10:16,740 --> 00:10:18,270
if there's a particular application
272
00:10:18,270 --> 00:10:21,120
on the client's system that's considered mission critical,
273
00:10:21,120 --> 00:10:23,160
and therefore, the client cannot afford
274
00:10:23,160 --> 00:10:26,040
to have it experience any downtime during the engagement.
275
00:10:26,040 --> 00:10:28,372
For example, a credit card processing application
276
00:10:28,372 --> 00:10:31,110
might be such a system in a retail environment.
277
00:10:31,110 --> 00:10:32,910
While the patient record management application
278
00:10:32,910 --> 00:10:35,040
in a hospital might be equally important
279
00:10:35,040 --> 00:10:37,320
in that organization's situation.
280
00:10:37,320 --> 00:10:39,631
The penetration tester and the client need to work together
281
00:10:39,631 --> 00:10:42,017
to both understand which applications or systems
282
00:10:42,017 --> 00:10:44,790
need to be excluded from the scope of the engagement
283
00:10:44,790 --> 00:10:46,980
to ensure that the organization can still be able
284
00:10:46,980 --> 00:10:50,040
to conduct its mission successfully during the attacks.
285
00:10:50,040 --> 00:10:52,650
Once again, this really depends on your negotiations
286
00:10:52,650 --> 00:10:54,900
with the client during the planning and scoping phase
287
00:10:54,900 --> 00:10:56,223
of your penetration test.
288
00:10:57,113 --> 00:10:59,566
(light upbeat music)