Olivia A. Gallucci

Offensive security phases and frameworks

This blog post serves as a guide and training resource on basic offensive security topics for individuals looking to develop their understanding of the field. By outlining the different attack phases and frameworks used by attackers, as well as some of the key tools and techniques employed, this post aims to provide a foundational understanding of offensive security concepts. It also serves as a starting point for individuals interested in pursuing a career in cybersecurity or for those who want to enhance their existing knowledge and skills. With regular practice, additional research, and further training, individuals can build on this foundation and develop the expertise needed to defend against and prevent cyber attacks.

What is offensive security

Offensive security involves simulating a real-world cyber attack to identify vulnerabilities in an organization’s security measures, and it has become a popular method for ensuring the security of sensitive data and infrastructure. However, the process of offensive security can be complex, involving multiple phases and frameworks. In this post, we will explore the offensive security attack phases and frameworks that are commonly used by cybersecurity professionals to carry out effective security assessments. We will also discuss the importance of offensive security, the benefits of using frameworks, and how they can be adapted to meet the specific needs of an organization. Whether you are a cybersecurity professional or just interested in learning more about offensive security, this post will provide valuable insights into this critical aspect of cybersecurity.

Penetration testing

Penetration testing, also known as pen testing, is a type of offensive security assessment that involves simulating a real-world cyber attack on an organization’s systems and infrastructure. Pen testing typically follows a series of well-defined attack phases, which are designed to simulate the different stages of a real-world cyber attack.

Testing types

Source: N-able Types of Penetration Techniques and Methods

Name	Black Box	White Box	Grey Box
Attack style	Brute-force Trial and error	Testing specific parts of the system	White and black box hybrid
Common labor	Automated	Manual	Automated + manual
Attacker knowledge of infrastructure	Nothing	All-knowing (i.e., access to the source code and software architecture)	Partial knowledge (i.e., receive software code, but not system architecture details)
Speed	Slow	Fast	Medium
Notes	Most closely mimics a real-world scenario	Sophisticated tools (i.e., debugging and code analyzers)

Approaches

Types

Source: Redlegg Blog’s Pen Testing: Internal vs External and Why Both Are Important

Approach	Definition
Internal	Identifies how far an attacker can laterally move through a network (aka within the organization) once an external breach has occurred.
External	Attacker assesses the externally facing assets for an organization.
Others	Blind testing, double-blind, and targeted testing.

Techniques

Source: Pratum’s Internal Penetration Testing vs External Penetration Testing: Why You Need Both

Name	Internal / External	Definition
Checking Public Information for Leakages	E	Online lists publicize which companies have been hacked; check those sources to see if the company’s name appears
Foot-printing/Banner Grabbing	E	Gathering information from a system in order to launch attacks against it.
IDS/IPS	I E	Examines whether Intrusion Detection Systems and Intrusion Prevention Systems are doing their job of analyzing network traffic and packets for known cyberattack signatures.
Manual Testing of Identified Vulnerabilities	E	Attacker exploits vulnerabilities that are widely known in the hacking community. This is a key step, considering that an estimated 60% of breaches involve vulnerabilities for which patches are available.
Open Source Intelligence (OSINT) reconnaissance	E	Looking for clues in social media, websites, etc.
Compliance-based Testing (e.g., PCI and HIPPA)	E	Many frameworks have specific requirements organizations must meet to achieve compliance.
Segmentation Testing	E	Checks if networks are properly separated to keep an attack from pivoting from one to the other.
Social Engineering	I E	About 80% of all breaches gain access through social engineering, so security tests should include phishing (bogus emails) and vishing (bogus phone calls).
System/Service/Port Scanning for Vulnerabilities	E	Automated network tests that look for open ports, services, and systems.

Internal things to examine include WiFi networks, physical access, mobile devices, HVAC, cameras, and firewalls.

Attack phases

Attack phases are the phases of a penetration test.

Source: N-Able’s Penetration Techniques and Methods

1. Planning for penetration testing
   • Goal: Understand scope, client logistics, and objectives.
   • Usually involves speaking directly with the client
2. Reconnaissance and information gathering
   • General Reconnaissance (recon)
     • Gather information about end uses, systems, and applications
     • Used for precision
   • Active recon → directly probing a system
   • Passive recon → info on the internet without direct interaction with the target system
     • Usually OSINT (e.g., search engine queries, domain name searches, internet foot-printing, social engineering, and looking up tax records to find personal information).
3. Scanning and discovery
   • Goal: discover how the target system responds to various intrusion attempts
   • Usually involves automated tools for initial vulnerability scanning
   • Approach types:
     • Static analysis → inspects an app’s code, attempting to predict how it will react to an incursion.
     • Dynamic analysis → examining an app’s code as it runs, providing a real-time view of how it performs.
     • Other aspects attackers discover include network systems, servers, and devices, as well as network hosts.
4. Attack and gaining access
   • Goal: see how far the attacker can get into an environment without detection in a controlled environment
   • Scope determines the limits of the test (e.g., protect PI and other sensitive data)
   • Example attacks: may take control of a device to extract data; cross-site scripting; SQL injection; physical attacks.
5. Maintaining access and penetration
   • Goal: stealthily expand access and maintain presence via expanding permissions, and finding user data
   • Already compromised target
6. Risk analysis, assessment, and reporting
   • Goal: update the clients.
   • The last phase of the engagement.
   • Once the attacker is caught or the timeline is complete, a final report is generated.
   • Report provides:
     • Testing summary
     • How the attacker infiltrated systems and processes
     • All vulnerability details and suggestions for security fixes.
     • How the attacker cleaned up after the stress test, an examination of the limit at which the system or software or hardware breaks (Fran Na Jaya).
     • The estimated value of the compromised systems (i.e., how much financial impact would incursion cost?)

Mandiant attack lifecycle

The Mandiant attack lifecycle is a model used to describe the stages of a typical advanced persistent threat (APT) attack. Note that the attack phases described previously are the phases of a penetration test, while the Mandiant attack lifecycle details the phases of a malicious attack. They are very similar. P.S., I presented on the Mandiant attack lifecycle during my first-year of college.

---

Source

---

Stages

The tooling section will be expanded upon at a later date to include description of the tools and download links.

---

Source

---

Initial compromise

The initial compromise phase is a critical stage in the penetration testing engagement where the penetration testing team attempts to gain an initial foothold in the target system or network. This phase is typically preceded by the reconnaissance and scanning phases, where the team gathers information about the target system and identifies potential vulnerabilities.

During the initial compromise phase, the team will use a range of techniques and tools to attempt to gain access to the target system or network. This may include exploiting known vulnerabilities, using social engineering techniques such as phishing or spear-phishing, or using malware to gain access.

• Phishing

Establishing foothold

Once the team has gained access to the system or network, they will attempt to establish persistence, which involves maintaining their access to the target system or network even after the testing engagement has ended. This can involve setting up backdoors, creating new user accounts, or modifying existing system settings.

Tooling

• Amadey – *
• AndroMut – An Android malware that can take control of a device and exfiltrate data.
• BARBWIRE – A tool used to detect and prevent the spread of malware within a network.
• BEACON – A tool used to maintain persistence and evade detection in a compromised network.
• FlawedAmmy – A RAT that can control a victim’s machine and exfiltrate data.
• FLOWERPIPE – A backdoor trojan used to gain access to a network and steal data.
• FORKBEARD – A backdoor trojan used to gain access to a network and steal data.
• FRIENDSPEAK – A RAT used to gain control of a victim’s machine and exfiltrate data.
• MADRABBIT – A tool used to exploit vulnerabilities in Windows systems and gain access to a network.
• Metasploit – A widely used penetration testing framework that contains a range of tools for testing network security.
• METASTAGE – A tool used in the Metasploit framework for staging payloads on a target machine.
• MINEDOOR – A tool used to exploit vulnerabilities in Windows systems and gain access to a network.
• MIXLABEL – A tool used to evade detection and maintain persistence in a compromised network.
• POPFLASH – A tool used to exploit vulnerabilities in Adobe Flash Player and gain access to a network.
• RMS – A tool used to maintain persistence and evade detection in a compromised network.
• ServHelper – A backdoor trojan used to gain access to a network and steal data.
• SPOONBEARD – A backdoor trojan used to gain access to a network and steal data.
• TIMEWARP – A tool used to manipulate timestamps on files to evade detection.
• TINYLOADER – A tool used to download additional malware onto a victim’s machine.
• TINYMET – A tool used to maintain persistence and evade detection in a compromised network.
• WOOLYBEAR – A tool used to evade detection and maintain persistence in a compromised network.

Escalate privilege

The “Escalate Privilege” stage in an engagement involves attempting to gain administrative or privileged access to the target system or network. This allows the tester to gain full control of the system, manipulate or extract data, and carry out further attacks.

To escalate privileges, testers may use a variety of techniques, such as exploiting vulnerabilities in the operating system or installed applications, brute-forcing login credentials, or manipulating access control lists. Some common tools used during this stage include Metasploit, PowerShell, Mimikatz, and John the Ripper. These tools can be used to exploit known vulnerabilities, extract password hashes, and crack passwords, among other things.

Tooling

• Attacker obtained Domain Admin rights – Refers to the highest level of privileged access an attacker can obtain in a Windows Active Directory domain.
• BARBWIRE – A tool used to detect and prevent the spread of malware within a network.
• CVE-2018-8120 – A Microsoft Windows vulnerability that can be exploited by attackers to gain elevated privileges.
• FORKBEARD – A backdoor trojan used to gain access to a network and steal data.
• Harvested credentials – Refers to the practice of stealing login credentials (e.g., usernames and passwords) to gain unauthorized access to a system or network.
• Metasploit – A widely used penetration testing framework that contains a range of tools for testing network security.
• Mimikatz – A tool used to extract plaintext passwords, hashes, and other credentials from memory on Windows systems.
• Modified Windows DLL – Refers to the practice of modifying a dynamic link library (DLL) file in the Windows operating system to execute malicious code or gain unauthorized access.

Internal reconnaissance

• AdFind
• Built-in Windows commands
• EMASTEAL
• Metasploit
• Mimikatz
• NetScan
• PingCastle
• PowerShell
• ProcessHacker
• SPOONBEARD
• TINYMET

Move laterally

• BARBWIRE
• BEACON
• FORKBEARD
• Metasploit
• Meterpreter. Learn the basics.
• SPOONBEARD
• TINYMET
• PuTTY
• Remote Desktop Protocol (RDP)

Maintain presence

• Amadey* – Emerged on Russian-speaking hacking forums, where it is sold for approximately $500. The botnet operates by regularly sending system and anti-virus software information to its command and control (C2) server, and by requesting new instructions from it. Its primary feature is the ability to install other malicious payloads, referred to as “tasks”, on all or specific computers that have been compromised by the malware.
• Appshim
• BARBWIRE
• BEACON
• FlawedAmmy
• FLOWERPIPE
• FORKBEARD
• Metasploit
• METASTAGE
• MIXLABEL
• ScheduledTasks
• ServHelper
• SHORTBENCH
• SPOONBEARD
• TINYMET
• WINDSPAN
• WOOLLYBEAR

Complete mission

• BLUESTEAL
• CLOP
• Compress data using WinRAR
• Data theft for later use in extortion
• MBRKiller
• NAILGUN
• SALTLICK
• SPOONBEARD

Offensive security services

In conclusion, understanding the different phases and frameworks used in offensive security attacks is crucial for organizations to identify and defend against potential threats. While the specific techniques and tools used by attackers may vary, having a comprehensive understanding of the typical attack lifecycle can help security professionals to develop effective defense strategies and implement appropriate security measures. By conducting regular penetration testing and staying up to date with the latest threats and vulnerabilities, organizations can better protect themselves from cyber attacks and safeguard their valuable assets and data.