DACS 2201 / 04-Penetration Testing and Malware

Fundamentals of Penetration Testing

• Definition: Penetration testing (often abbreviated as Pen Test) is a simulated cyber attack conducted against an information system. Its purpose is to identify, test, and verify exploitable vulnerabilities within the target environment.

• Comparison to Vulnerability Scanning: Unlike automated vulnerability scanning, a pen test goes deeper to uncover new vulnerabilities and provide a comprehensive understanding of how they can be exploited in a real-world scenario.

• Attacker Simulation:     * Tests must utilize the same techniques, tools, and methodologies employed by real-world threat actors.     * Testers must emulate the mindset and thinking processes of actual adversaries.

• The Importance of Planning: Rigorous planning is mandatory to avoid two primary risks:     * Creep: This refers to the expansion of testing activities beyond the predefined limitations or scope of the project.     * Legal Consequences: Lack of proper planning and documentation can lead to significant and unnecessary legal complications.

Rules of Engagement (ROE) in Cybersecurity Assessments

• Definition: The Rules of Engagement establish the parameters, limitations, and operational boundaries for the pen test to ensure it is conducted safely and professionally.

• Key Parameters and Considerations:     * Timing: Strictly defines when the test will commence and the total duration allowed for the engagement.     * Scope: Specifies exactly what is subject to testing. This may include web applications, internal networks, wireless infrastructures, or third-party services.     * Authorization: Requires documented, prior written approval from the system owners to conduct the attack simulations.     * Exploitation Level: Clarifies which discovered vulnerabilities are permissible to exploit and which specific assets or systems are strictly off-limits.     * Communication: Testers are mandated to notify the client organization at specific milestones: during the initiation of the test, upon the discovery of a critical vulnerability, or in the event of an emergency.     * Cleanup: Once the engagement is concluded, the tester must perform a comprehensive cleanup, which includes removing all installed software, scripts, backdoors, and any temporary user accounts created during the test.     * Reporting: The final deliverable must be a full report containing an executive summary (for management) and a detailed technical section (for security personnel).

Roles and Teams in Penetration Testing

• Personnel Options:     * Internal Security Employees: Staff within the organization's own security department.     * External Consultants: Professional third-party penetration testing firms.     * Crowdsourced Testers: Utilizing platforms like Bug Bounty programs (e.g., Hacker one), where independent security researchers find vulnerabilities in exchange for monetary rewards.

• Team Classifications:     * Red Team: Acts as the attackers, attempting to breach security controls.     * Blue Team: Acts as the defenders, monitoring and responding to the Red Team's activities.     * White Team: Acts as the referees or judges, ensuring the Rules of Engagement are strictly followed and managing the environment.     * Purple Team: A collaborative team that provides real-time feedback and knowledge sharing between attackers and defenders to maximize the educational value and security improvements of the test.

Methodological Classification of Penetration Tests

Tests are categorized based on the specific level of information and access provided to the tester at the start of the engagement:

• Black Box: The tester is provided with zero prior information and no special privileges, simulating an external attack by an outsider with no internal knowledge.

• White Box: The tester is granted full knowledge of the target environment, including network diagrams, architecture details, and application source code.

• Gray Box: The tester is provided with limited information or a restricted level of access, simulating an attack by an insider or a partner with partial knowledge.

The Multi-Phase Lifecycle of a Cyber Attack Simulation

Penetration tests follow a structured lifecycle reflecting the stages used by threat actors:

• Phase $1$: Reconnaissance (Footprinting): The process of gathering information about the target organization.     * Active Reconnaissance: Probing (فاحص) the system directly for vulnerabilities. Example: War driving or fly driving to locate unprotected wireless networks.     * Passive Reconnaissance: Gathering data through publicly accessible sources, known as Open-Source Intelligence (OSINT).

• Phase $2$: Scanning: Using specialized tools to analyze network traffic and identify open ports, which serve as potential entry points for an attack.

• Phase $3$: Initial Exploit: Leveraging (الاستفادة من ) a discovered vulnerability to gain the first point of entry into the system.

• Phase $4$: Establishing Persistence: Installing mechanisms like backdoors to ensure easier, long-term, and repeated access without needing to re-exploit the initial vulnerability.

• Phase $5$: Moving Laterally: Navigating the network to find the actual target data. This often involves Privilege Escalation (تصعيد الامتيازات ) , where an attacker moves from a standard user account to administrative or more restricted resources.

• Phase $6$: Accessing Data: Reaching the ultimate goal of the attack to perform malicious actions, such as exfiltrating password files, customer credit card numbers, or Research and Development (R&D) data. (Related Video Reference: "Watch hackers break into the US power grid" at timestamp $15:50$).

Understanding Malware: Evolution and Primary Functional Actions

• Definition: Malware (Malicious Software) is any software that enters a computer system without user knowledge or consent to perform unwanted and harmful actions.

• Evolution: Malware is constantly evolving to bypass modern security detection systems.

• Functional Classifications: Malware is classified based on its primary objective:     * Imprison: Blocking user access.     * Launch: Using the host to attack others.     * Snoop: Spying on user activities.     * Deceive: Posing as legitimate software.     * Evade: Hiding itself or other malicious payloads.     * (Related Video Reference: "Malware: Difference Between Computer Viruses, Worms and Trojans" at timestamp $2:45$).

Category: Imprisoning Malware (Ransomware and Cryptomalware)

• Goal: To remove the user's freedom to use their own device until a specific condition is met.

• Ransomware: Disables device functionality until a fee is paid.     * Fees range from 200\text{-}500$\text{ USD} for individuals to millions of dollars for large organizations.     * Persistence: Restarting the system typically does not remove the restriction.

• Cryptomalware: A sophisticated form of ransomware that encrypts all user files so they cannot be opened.     * Costs to unlock files often increase over time.     * Advanced variants can spread to encrypt files on connected Network Attached Storage (NAS), Direct Attached Storage (DAS), or servers.

Category: Launching Malware (Viruses, Worms, and Bots)

• Goal: To infect a host to launch further attacks locally or across a network.

• Virus: Malicious code that reproduces on the same computer by inserting its code into other files.     * File-based Virus: Attached to a physical file. It requires human intervention (sharing the file via email or USB) to spread to other computers. Malicious actions include deleting files, crashing the system, or disabling security settings.     * Fileless Virus: Loads directly into Random Access Memory (RAM) without attaching to a file on disk.         * Detection Avoidance: Uses native OS services and processes to hide.         * Power: Downloads code as scripts directly from the web.         * Persistence: Writes to the Windows Registry to relaunch upon system reboot.         * Defense Difficulty: Anti-malware scanners that target files cannot find them; terminating the host process may crash the entire system.

• Worm: A program that replicates and spreads itself automatically over a computer network (Network Virus).     * Enters through vulnerabilities and scans the network for other vulnerable hosts.     * Originally focused on increasing network traffic, modern worms carry payloads that can delete files or allow remote control.

• Bots: Software that places a computer under the remote control of an attacker.     * Infected computers are called "zombies."     * A network of infected computers is a Botnet.     * Controlled by a "bot herder" via Command and Control (C&C) structures.     * Uses: Sending spam, spreading other malware, Ad Fraud (mimicking clicks for profit), and mining cryptocurrencies.

Category: Snooping Malware (Keyloggers and Spyware)

• Goal: To spy on victims and collect sensitive data.

• Keylogger: Captured and stores every keystroke typed by the user.     * The aim is to steal passwords, credit card numbers, or Personally Identifiable Information (PII).     * Software Keylogger: Can also capture screens and activate cameras.     * Hardware Keylogger: A physical device (e.g., USB plug) that is invisible to anti-malware software but requires physical access to install and retrieve.

• Spyware: Tracking software deployed without consent to monitor user activities (web browsing, app usage) often using pre-existing embedded device technologies.

Category: Deceptive Malware (PUPs, Trojans, and RATs)

• Goal: To hide true intentions behind a benign appearance.

• Potentially Unwanted Programs (PUPs): Software the user likely does not want, often installed by accident during the setup of other programs.     * Examples: Adware, pop-up windows, search engine hijacking, and homepage hijacking.

• Trojan: An executable program that performs a helpful task while secretly executing malicious code.     * Example: A disk cleaner app that silently scans for credit card numbers and transmits them to an attacker.

• Remote Access Trojan (RAT): A Trojan that provides an attacker with unrestricted remote access to the victim's computer. The attacker can monitor use, change settings, copy files, and use the host as a bridge to attack other network computers.

Category: Evasive Malware (Backdoors, Logic Bombs, and Rootkits)

• Goal: To facilitate evasion of detection or provide secret access.

• Backdoor: A method of circumventing normal security protections to gain access to a system.     * Attackers install them to return later; developers may accidentally leave "legitimate" debugging backdoors in finished software.

• Logic Bomb: Malicious code that stays dormant within a legitimate program until a specific trigger event occurs (e.g., a specific date or an employee being removed from payroll), at which point it executes harmful actions like deleting data.

• Rootkit: A highly sophisticated tool that hides its own presence and the presence of other malware by accessing and altering the lower layers of the Operating System (OS).

Security Profiles of Common File Types and Extensions