Proposed Pentest Project Considerations

2018-03-01  ·  Pentesting   Planning

Design considerations for building out an internal penetration testing program. Focused on MITRE ATT&CK alignment, tooling selection, and operational assumptions.

Orange Cyberdefense AD pentest mindmap

Requirements for Consideration

• Framework: MITRE ATT&CK — Persistence, PrivEsc, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, C2
• Reporting design to train Blue Teams
• Ability to attack both Web and Network devices
• Attack from inside and outside environment
• Feed results into Risk Team, DFIR/Detection Teams with IoCs via Mandiant IOCe
• Primary prioritization by Risk team, secondary by management needs
• Use HaveIBeenPwned API to check password reuse
• Pentest standards: pentest-standard.org

Tooling

Infrastructure

• Metasploit Pro (inside/outside Azure) — Web App & Network exploitation
• Kali (inside/outside Azure)
• Ngrok, ProxyChains
• C2 frameworks: Cobalt Strike (commercial), Mythic (open source), Sliver
• Empire (PowerShell post-exploitation)

Web Application

• WPScan (WordPress vuln scanner)
• Nikto (Web App vuln scanner)
• Burp Suite Pro
• OWASP ZAP
• AMASS (asset discovery)

Active Directory

• BloodHound
• PingCastle, GoodHound, PurpleKnight
• AdFind
• SpecterOps / GhostPack tools (Rubeus, SharpHound, etc.)
• Responder (Windows hash harvesting)
• John / Hashcat (password cracking)
• Hydra (brute force)

Endpoint / OS

• WinPEAS, LinPEAS
• DLL Sideloading techniques
• Rainbow tables (password cracking)
• Custom Windows / Mac boxes for OS-specific exploitation

Physical / Social

• WiFi Pineapple
• Physical access in-scope: data centers, workspaces
• Spear phishing via Metasploit Pro

Lab / Validation

• VMware Workstation — replicate org environment
• Test exploits against OS versions, AV evasion methods, MITRE ATT&CK automation
• Loki IOC Scanner

Assumptions

• Written permission from CISO/Department/Organization before any testing
• Rules of Engagement and Scoping completed before Pentest/Red Team ops
• Pentest/Red Team ops plan documented and approved
• Asset Inventory available (IP ranges or domains)
• Management of reporting and measurements of results

References

• MITRE ATT&CK Framework
• Trimarc — AD Security Review
• OCD Mindmaps
• Pentest Standard

← Back to posts