CompTIA Pentest+ PT0-002 – Section 3: Scooping an Engagement Part 5

22. Limitations and Permission (OBJ 1.1 and OBJ 1.3)

During your penetration test, you may also find a lot of confidential information about the target organization. Remember, it is your responsibility to safeguard this information, and if you’re able to access an area of their network you think you shouldn’t be in, it’s important to notify the trusted agent inside that organization immediately. You want to be careful not to have the confidential information leak out onto the internet because if there’s an unauthorized disclosure by accident, then your company could be held liable.

Again, make sure your lawyer has properly drawn up your contracts to ensure your liability is limited in the case of accidental disclosures to minimize your exposure to fees and fines in this area. When you’re conducting your penetration test, you always need to sure that you’re complying with the requirements and performance standards that have been set forth in any of your contractual documents. This includes your statement of work, your master service agreements, your service level agreements and non-disclosure agreements.

These documents help set forth the boundaries of your relationship with your client organization as well as the expectations that they should have for your team and the results you’re going to deliver at the end of the assessment. In your contracts and final documentation, you should always include any disclaimers and liability limitations to also protect yourself and your company.

Now, all of these contractual documents should be reviewed by an attorney or lawyer before the client organization and your company signs them. Once both parties are comfortable with the terms of the contracts, then they should be signed and the engagement can officially begin. Remember, these contracts serve as your get-out-of-jail free card in the case that the engagement goes poorly. So always ensure you have these signed documents granting you permission before you begin your assessment.

When you begin your engagement, always maintain your professionalism as a penetration tester. You should seek to complete your tasks and tests as quickly, efficiently and effectively as possible. There are a lot of moving parts to a penetration test. So keeping good notes and documentation of your activities is going to be essential, as is conducting proper time management. Now, time management occurs not only during the actual attack and exploitation phase, but also during the planning and scoping phase, the information gathering and vulnerability scanning phase, and the reporting and communication phases, too.

When you’re working as a penetration tester, always focus on the tasks you’re assigned, try to avoid any distractions, ensure you’re following the planned timeline, and keep any status meetings with the team short and to the point. As you will soon find out, there is always more work to be done than time available. So practicing these time management tips can really help you become more effective as a penetration tester. Now, during your penetration test, you’re going to have a lot of restrictions placed upon you based on the statement of work, the rules of engagement, and the scope that was agreed upon with the client organization. Your team will be limited to performing only what is considered allowable tests.

Now, these allowable tests help to further define the method of assessing the targets inside of the engagement scope. For example, the list of allowable tests might include things like social engineering, injection attacks, buffer overflows, and physical security testing. While at the same time, it may prohibit specific tests, like a distributed denial-of-service attack. Your team must also adhere to the scope of the assessment as it was agreed upon with the client in your contractual documents.

If a client attempts to have you expand your testing outside the agreed upon scope, you need to explain that you cannot do that due to legal reasons, and that the scope must be officially changed in the contracts prior to you testing those additional systems. This will help protect you and your company from liability and potential legal issues. Also, when it comes to scope, you need to be careful to limit the invasiveness of your engagement upon the agreed upon scope.

In coordination with your client, you need to identify any sensitive or mission critical systems that should either be excluded, avoided, or only targeted for specific types of attacks. For example, you may be able to conduct an SQL injection against a targeted credit card processor’s database server, but you may be prohibited from using a buffer overflow exploit because that might be considered too invasive or dangerous for that mission critical system. During a particular engagement, it’s also important to limit the use of specific tools for different types of engagements.

Now, for example, if you’re conducting a PCI DSS compliance scan, you may be required to use certain tools for that part of the engagement. Conversely, if you’re conducting a HIPAA or GDPR compliance assessment, you’re going to use different tools and techniques for those. Always use the right tool for the right type of engagement and don’t carry data from one client’s network into another client’s network as you move from engagement to engagement. Additionally, you need to recognize other restrictions that may be placed on you, whether those are technically based or location based.

For example, if you’re assessing a car manufacturer’s network, they may place certain limitations on the different types of tests or the locations for different tests based on their unique industrial control systems that are being connected to their operational technology networks. Now a different client may have a legacy system that still runs an older operating system, like an embedded version of Windows, and that would simply fail if it was tested with some of our modern, automated scanning tools during a penetration test. During these situations, you need to make sure you’re discussing them carefully with the client in advance to clearly identify any restrictions that you might need to add to your team’s engagement plan. For example, in a previous organization I worked at, we were conducting penetration tests against numerous legacy and ICS SCADA systems within our organization. And we decided to hire some outside penetration testing team members to supplement our internal pen testers.

Now to protect the systems and the networks, we had an approved list of commercial, open source and proprietary tools that were authorized for use by our penetration testers, who were going to be assigned to work on those specific systems. In their contracts, we provided a list of all the approved tools that we had and added a clause that stated this, “If additional tools are needed for a specific test, the penetration tester must submit the tool for review, along with a request for approval with the rationale for why a tool on the existing approved tool list cannot meet the testing requirements. Any tool not listed on the approved tool list cannot be used on the production network without written approval from the chief technology officer.” So as you can see, there are many different places where restrictions and limitations will be placed on your penetration testing teams.

, it is better to ask permission than to beg forgiveness when it comes to the world of penetration testing. My philosophy is that if permission isn’t in writing, it really didn’t happen. I’ve been bitten too many times by people giving their verbal approval for my teams to go run an exploit only to have them yelling at us 30 minutes later when their network defense teams begin to see negative effects that were caused by that same exploit. It is always better to be safe rather than sorry. So take the extra time needed to get the written approval before you officially begin your engagement. And then you can move safely into your information gathering, vulnerability scanning, creating your attacks, and running your exploits.

23. Build a Virtual Lab

As an aspiring penetration tester, it’s important for you to understand how to use virtual machines to be able to practice your techniques by being able to have your own pen testing environment. Now, in this course, I’m going to do a lot of demonstrations to show you all the different tools and techniques that you might want to use. And if you’re in my course at diontraining.com, that also includes cloud-based hands on labs. But if you want to be able to build these things for yourself and start playing around with them, that’s what I’m going to show you in this video. Now, I will say that this video is going to be very generic in nature. I’m showing you the basic steps. I’m going to show you how I do this on my machine, which is a Mac OSX machine. But if you’re using Windows or Linux, you’re going to be follow similar steps, but the installation process will be a bit different. What I want you to take away here is the concepts and the basic steps. As an aspiring penetration tester, you should be able to go onto YouTube or go online and Google exactly how to do this for your hardware and your operating system. Now, the first thing you’re going to need is some sort of a virtualization environment. I recommend using VirtualBox, because it’s an open source free tool that works on all of the different operating systems. To get VirtualBox, just go to virtualbox.org and on the homepage, click the big Download button. Now, when you go to the download screen, you’re going to see that it says there are platform packages.

These platform packages are based on the operating system that your machine is going to be using, not the virtualization machines that you want to be hosting. So for example, I’m using a MacBook Pro, so I need to click on OSX Hosts. If you’re using Windows, you’ll click on Windows Host, and if you’re using Linux, you’ll click on Linux Distributions and pick your distribution. Once you click on your distribution or your operating system, it’s going to download that file. At that point, you’re going to be installing this software known as VirtualBox into your host operating system. Now that it’s been downloaded, I can go into my Downloads folder, I can click on VirtualBox and this is going to mount the ISO, or the DMG in the case of a Mac, which allows me to reach that installer file. Now on a Windows machine, you’re going to have an EXE or an MSI executable file for you to run the installation. But on a Mac, it’s a PKG file. You’ll simply double-click it and it will open up the installer.

At this point, you’re going to say Allow, and you’re going to walk through the basic steps of doing the installation. If you’re asked to add your admin password, you can simply put that in and this will allow it to fully install the software. Once it’s completed, it’s going to take about one to three minutes depending on how fast your machine is. You’ll be ready to start using VirtualBox. Now that VirtualBox has been installed, you can close the installer, you can move it to trash, and you can close that mounted image. At this point, we no longer need the VirtualBox website, so I’m going to close that tab. Now, the next thing we need is some sort of operating system that we’re going to conduct our attacks from, because VirtualBox is just a virtualization system that provides you emulated hardware for you to use. Now, I personally like to use Kali, and Kali is what is mentioned in your official textbook as well. So we’re going to go ahead and download Kali and use that in this course.

To download Kali just go to kali.org and then click on Download. Once you click Download, you’ll be brought to this page where there’s a lot of different options, because Kali can be run on lots of different things. Now, if you see the one on the left that says Bare Metal, that would be, if you want to format your entire hard drive and install Kali as your default operating system. As somebody who is learning penetration testing, I do not recommend using that option. Instead, you’re going to want to use a virtual machine, and that’s what we’re going to use here up on the right. Go ahead and just click on Virtual Machines. And then you’re going to select either 64 bit or 32 bit depending on the operating system of your host OS and whether you’re using VMware or VirtualBox. In my case, I’m going to be using VirtualBox and I’m going to be using the 64-bit edition, and you’ll download it by clicking on the Download link where it says 3.7 Gb, which is 3.7 gigabytes. Now to help speed up this process, I’ve already downloaded that 3.7 gigabyte file and I have it in my downloads. We’re going to go to our Applications folder.

We’re going to scroll down until we find VirtualBox and then we’re going to open up VirtualBox. Now you can see here that there’s nothing showing in VirtualBox, because we haven’t created any hardware to emulate yet, and there’s no virtual machines. But we did just download a virtual Kali Linux machine, and so if we want to use that we’re simply going to go to our Downloads folder, and in my case, it’s right there with this OVA file, which is a VirtualBox system. So if I click on that, it’s going to open up and it’s going to ask to import this appliance into VirtualBox. I can go ahead and select the normal default settings that it gives me.

In this case, you can see it’s using Kali Linux, it’s from Offensive Security. It is a rolling x64 version in 2021.4a, which is the current version of Kali at the time of this recording. You can see the guest type of the operating system is a Debian Linux machine which is 64 bit. It’s going to give it two processor cores from my computer and two gigabytes of RAM. And if we go down a little bit further, we do have an emulated DVD, USB controller, sound card and network adapter, as well as some storage controllers for IDE and SADA and a virtual disc image which is already being mounted for us, the base folder and the primary group. From here, we’re going to go ahead and hit Import. From here, we’ll then say Agree.

And now we’re just going to wait as it imports. Usually this will take just a couple of minutes depending on the speed of your system and your hard drive. All right, once it’s done, you can now see it listed in the left panel, showing that I have one machine here which is Kali Linux 2021.4a as a virtual machine. And this means we’ll be able to use this machine and be able to add settings to it, changes to it or just load it up and use it as if it was a real computer. Now, this is great, except for one thing. This is my attack machine. I have no targets right now, and so if I want to practice my penetration testing skills, I need someone to hack against. Now, as we talked about, you need to have permission from the system owner before you hack them. So the best way to do this is to create your own systems, and this is the great thing about virtual machines. You can create your own virtual machines and you can then hack against them and you have your own permission to do so.

Now to do this, one of the great websites that I find out there is called VulnHub. And if you go over here and go to vulnhub.com, you’re going to find hundreds and hundreds of virtual machines here. These are all to download and free to use. And these have all been created by the community to create different levels of challenges for people who are practicing their pen testing skills. Now, the bad thing about these is none of these are directly tied to the PenTest+ exam. For instance, you’re not going to find one here called PenTest+ Objective 3.7 that you can download and practice those particular skillsets. Again, this is one of the good things about using something like CompTIA Cert Master labs or the labs at diontraining.com, because we tie them directly to the objectives of the PenTest+ exam. But as you’re building your skills and going beyond the exam, VulnHub is a great place to go. Now, what I’m going to do here is point out the fact that there are different difficulties here, and as you’re starting out, you definitely want to stick to the easy ones.

So what I’m going to do is I’m just going to download the one on the right here, which is an easy difficulty, and it says the secret to this box is enumeration. So that’s their hint they’re giving us. And I’m going to go ahead and choose that one because enumeration is really the next phase of penetration testing as you go into information gathering and vulnerability scanning. So we’re going to go ahead and use that one as one of our targets, just so we can play around with it and have a target to play with. Now to download it, you simply go over here and click on it. When you do that, you’re going to learn a little bit about the release, when it came out, who the author was and then the links to download it. Now, notice we have that OVA file again. That is an appliance image for VirtualBox. So if I click that and download it, you can see this one is 827 megabytes and it’ll take me less than a minute.

Now, below that you can go down and you can see the description of this box. Some of these have better descriptions than others. This one doesn’t have a very big description. It just says it’s an easy difficulty box, the secret to the box is enumeration. If you have questions, you can email the author at their Gmail address. And this works better with VirtualBox than VMware, which is good because we’re using VirtualBox. And down here, they actually have some file information, so if you wanted to check the hash and make sure it wasn’t corrupted during the download, you could do that. And then you could see what type of system it is. It’s a virtual machine running Linux. It has DHCP enabled, and it has an automatic assignment of the IP address for that particular box. And there’s two basic screenshots.

Now that’s all the information they’re giving you. From here, you’re going to be able to try to hack into this box and figure it out on your own. If you get stuck, though, I will tell you, most of the boxes on VulnHub do have walkthroughs available, and this one is no exception. There’s actually a great video on YouTube that’s about eight to nine minutes long of a pen tester walking through exactly how they crack this box, going through the enumeration, finding the passwords, using that, creating reverse shells and all the other exploits he does to win at this particular box. But for our purposes right now, I just wanted to have some machine that I can use inside a VirtualBox and be able to talk to it from the Kali Linux machine. So what I’m going to do is just go down here to my downloads, and again, we have that file, jangow.ova.

Click on that. It’ll do the same import process, click on Import. This one’s a little bit smaller, so it should take less than a minute to import. And once I have both of those, we’re now going to be able to start up our Kali Linux machine and this vulnerable machine. Now, the great thing with VulnHub is these tend to be smaller images that are based on Linux. This one, for example, is only one gigabyte. So you saw, I had two gigabytes assigned to Kali. I have one gigabyte assigned to this box. That’s three gigabytes. My system has 16 gigabytes, so I can actually load up two, three, four maybe five of these virtual machines and have a whole network of vulnerable machines for me to scan and attack from my Kali Linux machine. All right, now that I’m done with VulnHub, I’m just going to go ahead and close that out and clear it out of the way. And now we want to go ahead and start VirtualBox. Now on Mac, there is going to be an error if I try to start this up right now, and I’m going to show you that exactly.

When you click on the machine you want to start and you click Start, by default, you’re going to get this kernel driver not installed error. Now, what do you do if you get this error? Well, the first thing I would do is actually take that error message, put it into Google, and it will tell me what the problem is and how to solve it. If you get an error on Windows or Linux, Google the error and you’ll be able to figure out what’s wrong. Now, in this particular case, I know what the error is, and it’s the fact that the support driver is not installed and it hasn’t been signed. So what I’m going to do is actually go down here and hit Okay. I’m going to ignore that error, and I’m going to go to my System Preferences.

And underneath my Security and Privacy, this is a security setting on Macs that does this, I have to go in here and you’ll see right here, it says system software developer Oracle America has been updated and nobody has allowed it yet. So I have to unlock my machine, and then I can allow that to happen. And then it’s going to require me to restart my computer. I’m going to go ahead and restart my computer and I’ll be right back. Okay, my machine has restarted and it brought me right back to here and it already loaded up VirtualBox for me. To verify that driver has now been signed and approved in Security and Privacy, just click on that box and you’ll see it’s no longer listed here as something that’s a problem. So I can close that window, and now we should be able to go ahead and click on Kali and then click on Start. Once you do this, it should open up Kali in a window just like it did there.

I’m going to go ahead and move this over to my left side here. And you’ll see, it’s pretty small, and I’m going to go ahead and just hit Enter. It’s going to go into the GUI environment, and it will expand into a larger size as it starts booting up and getting the right things into it. In this case, VirtualBox wants access to my microphone. You can allow that or not. In my case, I have no need for my Kali machine to use my microphone, so I’m going to say Don’t Allow. Then I’m going to go ahead and get rid of these little boxes here. And we are going to make this a little bit bigger so we can see it by going here, and then we’re going to go here and go to Scaled Mode.
This will stretch it out and make it so it’ll be easier for us to see. Okay, to log into your Kali Linux machine, you’re going to use the username Kali and the password Kali. This is the default on the 2021 version. In older versions, it was root as the username, toor, which is root spelled backwards, as the password. Now, once you’re into the system, we’re going to want to make this larger so it’ll be easier to work with. And as you can see here, because I’m using a MacBook with a retina display, it is really going to be a very small portion of my screen. Now, if you want to make Kali Linux larger and take up more of your real desktop, you need to make the virtual display little bit larger. By default, it’s only set to 800 by 600 pixels, which is really small on a MacBook which has a retina display. So what I’m going to do is just right-click on the desktop, go to Applications, go up to Settings and then go over to Display. When you do this, it will allow you to go here and create your virtual resolution for this display. Now here you can see my resolution is 800 by 600.

I want to go ahead and set that to something like 1920 by 1080, which is full HD, and then I’ll just hit Apply. Once I do that, it’s now going to say yes, do I want to keep this or do I want to restore? I’m going to say, yes, keep the configuration. And now I can actually maximize my window and take up a lot more space, and it now looks like a full machine that I can use. I’m going to go ahead and close my Display Settings here, and in the meantime, I’m going to go ahead and take Kali and move it on the left side of my screen to get it out of the way. Now on my Mac, I actually have a program called BetterSnap which allows me to move things left and right just like you can on Windows. By default on your Mac, that setting does not exist, so you’ll have to resize the windows by yourself. Now let’s go back to VirtualBox and over here on VirtualBox, we want to start up the other machine, which is our target. Just go in here, click Start, and it’s going to go ahead and boot up.

Now it is going to say there’s a problem here. It’s saying the physical network interface was not found for VirtualBox host only ethernet adapter, adapter one. Now this happens sometimes when you download somebody else’s virtual machines like we did from VulnHub. Sometimes their adapters are not the same as what’s on your system. So to fix this, you’ll just click on Change Network Settings. Now, from here, we can just select whichever adapter we want. Now, in this case, we have a host only adapter, so we’re just going to take that and we’re going to change that to a NAT adapter. And from there, we are going to hit the Advanced tab and just make sure everything looks fine. It looks like it is, and we’ll go ahead and hit Okay. And now we should be able to start up this machine. Now because I set it as a NAT adapter, that means that this machine can actually talk to the internet, because it’s using my internet connection to talk to the internet and the rest of my home network.

Now here, we’re having the same problem. You can see that is a very small amount of my screen because it is using that 800 by 600 pixels by default. We we’ll give it a second here and let it load all the way up. There we go. Now we’re at the login screen. Now we can’t really do anything to fix this particular machine, because we don’t know the login credentials. That’s part of what we want to hack and part of what we want to have a challenge with. So what we want to do first is we want to figure out where that device is on the network. Now, as I said, right now, use NAT for both of these, so these are both able to talk to the internet. And so if I go over here on my Kali machine, I’m going to make it full screen real quick, I can go ahead and click on Firefox and I can go online and access any website I want.

For instance, I can go to google.com, because I’m tied to the internet, okay? If you don’t want to be able to do that and you want them to talk on their own isolated network as you’re doing your hacking and practicing, we can do that as well. Now that we have both the Kali machine and Jangow set up, we have an attacker and a target. We’re going to play a lot more with this environment as we go through the course, and I do some demonstrations to show you how we can find out what the IP address is of that target and how we can exploit and attack that target based on the vulnerabilities we find, and we’ll go through and do this as we go through the course together. But for now, I just wanted to make sure you could set up a basic environment consisting of VirtualBox, Kali Linux, and some form of vulnerable machine that you can attack against. It doesn’t have to be Jangow. That’s just the one I’m using for this course. You can use any of the ones you want that you find on VulnHub. And as you go through, you’ll play with multiple of those to increase your skills and get more comfortable with the tools as we go through the course.

• Category: Uncategorized