Penetration testers are hired ethical hackers tasked with simulating a real-world attack on an organization’s networks and systems. Think of it as an intrusive security assessment that measures the organization’s level of resistance to an attack. The great thing about penetration tests is that they test the organization’s ability to defend against real-world attacks and uncover unknown vulnerabilities that require a solution. Penetration testers are often called “white hat” hackers for their ethical commitment to hacking for benevolent reasons. Penetration testers hired from outside the company are also white hat hackers, but can also be referred to as “blue hat” hackers.
When the scope of the security assessment is defined, a penetration testing team can evaluate an organization’s servers, network infrastructure devices, endpoints, mobile infrastructure, remote-access infrastructure, access control mechanisms, and even the personnel who work there. However, not every system is fair game to a penetration tester. Some systems are too important to test or even scan. For instance, if an organization has a Web server that generates $10,000 an hour in revenue, then that server might be strictly hands-off. Some organizations are even required to perform penetration testing. If your organization must comply with PCI DSS, then you must perform periodic penetration testing.
Planning is critical to any security assessment. During the planning phase, the penetration testing team gathers information about the organization, the scope of the test, which systems and subnets they are authorized to attack, what defenses are in place, and so forth. Objectives and team roles are also identified, as well as any other responsibilities, limitations, resources, or timelines. How much knowledge the penetration testers gain before the assessment varies depending on which type of assessment the organization wishes to employ.
- Whitebox Test: This type of test gives the penetration testers full knowledge about the organization’s network and systems; therefore, they will know which key systems to target and what sensitive information those systems hold. They will essentially know the ins and outs and may even be given credentials to certain accounts for credentialed scans. They may also be provided with the source code of certain applications. The penetration testers basically get to interview key players in the organization who can elaborate on the network infrastructure. This allows for much more detailed and thorough testing, but the disadvantage is that a whitebox test doesn’t simulate a real-world attack.
- Blackbox Test: This type of test gives the penetration testing team no knowledge about the organization’s networks and systems. Accordingly, they come into the assessment blind and must create a network map and identify target systems on their own. This simulates a real-world attack, but may unintentionally leave areas untested.
- Greybox Test: This is an assessment that combines whitebox and blackbox testing in that the penetration testers are given some previous knowledge about the network and systems, but not so much that it would be considered a whitebox test.
- Double-blind Test: This is a type of test in which the penetration testers and the organization’s defenders don’t know about each other. It is a type of blackbox test in that the penetration testers are coming into the assessment with no prior knowledge; however, the defenders also have no idea whether the attack is real or simulated.
The Kill Chain
The penetration test can be accomplished in a 4-step process called the “Kill Chain,” which is described next.
- Reconnaissance: During this phase of the assessment, the penetration testers are gathering intel about their target. They may use a passive reconnaissance approach whereby they gather various kinds of open-source intelligence via Google hacking, Internet registries, DNS harvesting, WHOIS lookups, job sites, and social media profiling. With this type of reconnaissance, penetration testers can reveal server-side vulnerabilities or identify key employees and their roles in the organization. Imagine finding the social media and job site profiles of the organization’s system administrators or network technicians. Perhaps a specially crafted phishing e-mail could lure them into revealing sensitive information? Or, penetration testers can take an active approach to reconnaissance whereby they scan the network to identify the systems on it, a process called “topology discovery.” This can be done using tools like nmap. They can also conduct port scanning, which enumerates the services running on each system. Some ports, if left open, can be used as an attack vector if a vulnerability is discovered. There is also OS fingerprinting and version scanning, which, depending on the responses from the target systems, can paint a pretty clear picture of the types of systems the testers are targeting. From there, they can research exploits and vulnerabilities affecting the systems they’ve identified. One grey area of reconnaissance is network sniffing and packet captures. Although they do give penetration testers the ability to examine network traffic, unencrypted payloads, and header information, they may violate the privacy of employees, which could have legal implications. But I can’t keep going on; these are just some of the many ways penetration testers conduct recon.
- Exploitation: During this phase, the penetration testers take the vulnerabilities they discovered during the reconnaissance phase and exploit them to gain illicit access. So, imagine the penetration testers discovered an unpatched server that allowed them to exploit a vulnerability to open a backdoor and access the system. Or, imagine they found a router with a default password. They may be able to access the router and identify other types of attacks, such as a DoS. Sometimes an exploit doesn’t even need to be carried out, only identified. This is because some attacks may be too disruptive. Recall the example of the Web server that generates $10,000 in revenue every hour. If a buffer overflow vulnerability were discovered, it might not be a good idea to remotely execute malicious code in its memory, because for every hour that server is down, the organization loses $10,000. Of course, the more likely scenario is that the Web server won’t be included in the scope of the test, but with that approach, organizations miss out on the opportunity to test their most important assets. For that reason, some testers “clone” the asset by building another server with the exact same configuration. A big thing penetration testers are looking for is credentials. In some instances they may try brute-forcing specific accounts, or, if they can somehow gain access to a list of hashed passwords, they can attempt an offline dictionary or rainbow table attack. Penetration testers will also attempt to socially engineer employees into doing things they wouldn’t normally do, such as granting the penetration testers access to unauthorized areas or revealing sensitive information. Perhaps they found an unlocked telecommunications room where they can install a physical tap device? The list goes on.
- Lateral Movement: Once the penetration testers have gained access to one or more systems, they can attempt to compromise additional systems in a process called “lateral movement.” Lateral movement can be accomplished in many ways, one of which is through a horizontal or vertical privilege escalation attack. Or, a penetration tester can craft payloads that steal the hashed passwords of local users and of users in the same domain. They may also analyze log files for anything useful for lateral movement.
- Reporting: The last phase is a report to management of all the findings during the assessment. This will determine if the technical and management controls, policies, and procedures implemented by the organization are comprehensive. It will identify any gaps or weaknesses that need to be patched, such as misconfigured systems, misconfigured firewall rules, unnecessary services, improper privilege assignments, and so on. The report will also identify any countermeasures that will help prevent or mitigate the attacks simulated during the assessment.
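The active reconnaissance described above (topology discovery and port scanning) leaves a recognizable footprint in firewall logs: one source touching many ports on one host, or one port across many hosts, inside a short window. The following detector is an added example written for this post, not code from the original; the log format and the sample lines are constructed, and the thresholds are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not from the original post).
# Simplified record format: "<timestamp> <src> <dst>:<port> <action>".
SAMPLE_LOG = """\
2024-03-01T09:00:01 10.0.0.7 10.0.1.5:22 DENY
2024-03-01T09:00:01 10.0.0.7 10.0.1.5:23 DENY
2024-03-01T09:00:02 10.0.0.7 10.0.1.5:80 ALLOW
2024-03-01T09:00:02 10.0.0.7 10.0.1.5:443 ALLOW
2024-03-01T09:00:02 10.0.0.7 10.0.1.5:3389 DENY
2024-03-01T09:00:03 10.0.0.7 10.0.1.6:22 DENY
2024-03-01T09:00:03 10.0.0.7 10.0.1.7:22 DENY
2024-03-01T09:00:04 10.0.0.7 10.0.1.8:22 DENY
2024-03-01T09:15:00 10.0.0.42 10.0.1.5:443 ALLOW
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (ALLOW|DENY)$")

def parse_log(text):
    """Yield (timestamp, src, dst, port) for every well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def detect_scans(text, window=timedelta(seconds=60), port_threshold=5, host_threshold=4):
    """Map each source to the scan patterns seen within any sliding window.

    "port_scan": >= port_threshold distinct ports on a single destination
    "host_sweep": >= host_threshold distinct destinations on a single port
    Thresholds are assumed values; tune them to the monitored network.
    """
    events = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        events[src].append((ts, dst, port))
    findings = defaultdict(set)
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):      # window starts at each event
            ports_by_dst, hosts_by_port = defaultdict(set), defaultdict(set)
            for ts, dst, port in evs[i:]:
                if ts - t0 > window:
                    break
                ports_by_dst[dst].add(port)
                hosts_by_port[port].add(dst)
            if any(len(p) >= port_threshold for p in ports_by_dst.values()):
                findings[src].add("port_scan")
            if any(len(h) >= host_threshold for h in hosts_by_port.values()):
                findings[src].add("host_sweep")
    return dict(findings)
```

Run against the sample, the detector flags 10.0.0.7 for both patterns and leaves the single HTTPS client 10.0.0.42 alone.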
The Rules of Engagement
The Rules of Engagement, shortened to “ROE,” are extremely important and must be identified before the assessment begins. Some of the rules that must be identified include:
- Timing: This identifies the timeline of the penetration test. It identifies how long the test will be and during which hours the testing will commence. Some organizations want the test to take place during normal business hours and some don’t because they don’t want the test interfering with their business processes.
- Scope: This is perhaps the most important aspect of the ROE. Most penetration testers will be given specific subnets where they are free to test, but if they go beyond the scope of the test they risk damaging critical assets or systems that don’t even belong to the organization. Penetration testers must also consider whether the organization sits in a regulatory environment. Think about a company that handles credit card information and personal health information. Compromising a server that contains cardholder data or PHI could violate the regulations laid out in PCI DSS or HIPAA.
- Authorization: The penetration testing team must be authorized to perform the security assessment by signing some form of agreement, document, or letter that contains the ROE. This is called a “Get Out of Jail Free Card” because penetration testers can present this document whenever they are discovered performing malicious activity.
- Exploitation: As I mentioned above, some exploits might not be a good idea, so it’s good to know what is allowed and what is not allowed. Permanently shutting down a production server, for example, wouldn’t be an authorized exploit, but mistakes can happen.
- Communication: Who will the penetration testers contact when something goes wrong? It helps to already have a list of contacts, such as senior leaders who can be contacted when an incident does occur.
- Reporting: This section pretty much contains the same content as the Reporting phase in the 4-step Kill Chain process. The penetration team presents a report to management about how the organization can be successfully attacked and where they can improve or implement better security controls. In the report, they may even review the organization’s system configurations, rulesets, logs, and so forth, identifying areas where they can improve or introduce a new technical control.
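The Scope, Timing, and Exploitation rules above are exactly the kind of thing a testing team should encode and check mechanically before every scan or exploit attempt, so that a typo in a target address or a late-running job doesn’t step outside the agreement. The checker below is an added example written for this post, not code from the original; the ROE values (subnets, the excluded web server, the overnight window) are constructed and the rule names are assumptions.

```python
import ipaddress
from datetime import datetime, time

# Constructed rules of engagement for illustration (not a real engagement):
# authorized subnets, an explicitly excluded revenue-critical web server,
# the permitted testing window, and whether exploitation is allowed at all.
ROE = {
    "authorized": ["10.0.1.0/24", "10.0.2.0/24"],
    "excluded": ["10.0.1.80"],            # hands-off production web server
    "hours": (time(22, 0), time(6, 0)),   # overnight window, wraps midnight
    "exploitation_allowed": False,        # identify findings, do not exploit
}

def in_window(when, hours):
    """True if the time of day falls inside the window; handles midnight wrap."""
    start, end = hours
    t = when.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def check_target(target, when, roe):
    """Return (allowed, reason) for touching `target` at datetime `when`."""
    addr = ipaddress.ip_address(target)
    if addr in {ipaddress.ip_address(h) for h in roe["excluded"]}:
        return False, "explicitly excluded asset"
    if not any(addr in ipaddress.ip_network(n) for n in roe["authorized"]):
        return False, "outside authorized scope"
    if not in_window(when, roe["hours"]):
        return False, "outside the agreed testing window"
    return True, "in scope"

def check_action(action, roe):
    """Gate anything beyond enumeration on the ROE's exploitation clause."""
    if action == "exploit" and not roe["exploitation_allowed"]:
        return False, "exploitation not authorized; report the finding instead"
    return True, "permitted"

if __name__ == "__main__":
    now = datetime(2024, 3, 1, 23, 0)   # constructed timestamp inside the window
    for host in ("10.0.1.80", "10.0.3.5", "10.0.2.9"):
        print(host, check_target(host, now, ROE))
    print("exploit", check_action("exploit", ROE))
```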
Though this seems like a good amount of information, I feel as if this is still just the tip of the iceberg. I would have liked to go more in-depth about the other forms of reconnaissance, their advantages and disadvantages, and the most common vulnerabilities usually seen on servers, endpoints, and mobile devices. Nevertheless, I think this information will still serve as a good resource to those particular individuals discovering how penetration testing is executed.