Sun Tzu’s maxim “know thy enemy” has no better demonstration than penetration testing. This method simulates a real cyber attack, and the testers performing it need to be as resourceful and relentless as the attackers trying to infiltrate the organization’s network.
Time to dive into a pentester’s mind in this interview with a tester from Redentry, a cyber security company with more than a decade of experience that specializes in penetration testing services.
Let’s start small – What is a penetration test?
Penetration Testing is a way of assessing the security level of systems, applications, mobile services, and infrastructure.
This assessment begins with mapping the organization’s digital assets, including integrated third-party tools, user behavior, etc. The purpose of the test is to identify the weaknesses and vulnerabilities in the defense systems and produce a report detailing the findings and recommendations.
Focusing on infrastructure pen tests, the goal is to identify the most exposed vulnerabilities in the security defenses of an organization’s internal network infrastructure.
This test can be divided into two categories, based on the level of access the client gives us.
If it’s an external test then we are simulating an outsider attacker with zero internal information.
If it’s an internal assessment, the goal is to simulate an attack from within the organization (an insider threat), or to check what an external attacker who has already gained access to the organization could reach and how much damage they could do.
Read about all the types of PT in our full Penetration Testing article.
How often should organizations Pen Test?
According to accepted standards, it is recommended to perform a pen test on an annual basis (some standards also require this).
Who needs a Penetration Test?
Companies dealing with sensitive information such as medical, industrial, and financial data are usually more exposed to cyberattacks and therefore need to take extra precautions. These companies are often required to perform a pen test to meet cyber regulations, the most common being GDPR, SOC, and HIPAA.
However, it is important to note that any company that has digital assets and stores information digitally, which is pretty much everyone these days, is advised to perform penetration tests to defend against cyber threats.
If you think about it, an attack is the best defense, and a penetration test gives an accurate picture of how vulnerable the organization is.
How do you penetrate the organizational network?
First I make a game plan and research the target. I start with the NMAP tool, one of the most popular tools among pen testers.
Nmap is short for Network Mapper and is Linux-based open-source software that scans IP addresses and network ports. This tool maps the network quickly without the need for sophisticated commands, and supports complex scripts through a script engine that serves as a database. That way I can enter an IP address, and Nmap will try to connect to the ports, one after the other. From the replies, one can discover information such as which servers are running on the same endpoint, operating system versions, old components with known vulnerabilities that can be exploited, etc.
Then I continue to OSINT research, which means looking for information in open source platforms accessible to all, such as LinkedIn.
Information about company officials and the technologies used can be obtained, which can assist me to carry out a phishing attack later on. I also tend to search public sources like blogs, government listings, corporate websites, Github, DNS records on any issue, and the like.
Several tools help automate the process, such as theHarvester and SpiderFoot, which collect and create a list of all accessible information sources. For a further dive into the tools that pen testers use, continue to our full article.
All of this helps me build a status report of the target and the assets it owns, and the information obtained from this stage is what will help me forge ahead in the subsequent stages of the assessment.
After I exhaust all the tools available for gathering information, I start looking for any weak access points in the cyber defenses.
If I’m testing a website, I’ll use tools like Burp, which allows me to perform a MITM attack, an attack in which I insert myself between the user and the service provider, whether as a bystander listening in or as an impostor of one party. The purpose of the attack is to steal personal information: credit card details, passwords, and account information.
Nessus is a great tool as well, scanning for vulnerabilities according to predefined criteria. Nessus shows which devices connected to the corporate network are vulnerable.
I’ll look for folders and hidden pages, and go through all the components of the site manually in an attempt to inject malicious code into the input fields and requests. In addition, I will generally study the behavior of the site and the way it works, to locate a weakness that will give me some kind of loophole.
If I’m testing an IP address, I’ll use tools like Nmap to search for services that are accessible from the external network and try to find potential vulnerabilities: passwordless FTP servers, SMTP servers, RDP connections, sharing services like SMB, and any content that exposes information about the endpoint. The more information leaks out, the easier it is to find a weakness.
Next, I’ll take advantage of the vulnerabilities found to gain initial access to the network – if I gained access to a website management interface, I will take advantage of it to open a shell on the webserver.
If I found an outdated server, I’ll exploit known vulnerabilities in the operating systems.
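The connect-to-each-port-and-read-the-reply loop the tester attributes to Nmap above, written out as an added example. This is not Nmap and not Redentry’s code; it is a minimal TCP connect scan with banner grabbing. To keep it runnable offline, the target is a constructed in-process listener that greets clients with an assumed OpenSSH-style banner, and the signature table holds a handful of assumed patterns rather than the thousands a real scanner carries.

```python
"""Illustrative TCP connect scan with banner grabbing (added example).

Not Nmap and not the interviewee's tooling. It reproduces what the interview
describes: connect to a list of ports one after another and infer the
service and version from whatever the server says first. The target is a
constructed local listener so the script runs offline.
"""
import re
import socket
import threading

# Constructed sample banner (assumption, not captured from a real host).
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"

# Small hand-picked signature table (assumed patterns); real scanners ship
# thousands of these and also send probes to services that don't speak first.
SIGNATURES = [
    (re.compile(rb"^SSH-(\S+)-(\S+)"), "ssh"),
    (re.compile(rb"^220[ -].*SMTP", re.I), "smtp"),
    (re.compile(rb"^220[ -].*FTP", re.I), "ftp"),
    (re.compile(rb"^HTTP/\d\.\d"), "http"),
]


def identify(banner: bytes):
    """Return (service, matched banner text) or (None, None) if nothing matches."""
    for pattern, name in SIGNATURES:
        m = pattern.search(banner)
        if m:
            return name, m.group(0).decode("ascii", "replace").strip()
    return None, None


def grab_banner(host: str, port: int, timeout: float = 0.5) -> bytes:
    """Complete a TCP handshake, wait briefly for the server to speak, return it.

    Raises OSError (connection refused, timeout on connect) for closed or
    filtered ports; a connected-but-silent service yields b"".
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256)
        except socket.timeout:
            return b""


def connect_scan(host: str, ports, timeout: float = 0.5):
    """TCP connect scan over `ports`.

    Returns {port: {"banner", "service", "version"}} for ports that accepted
    the connection; closed/filtered ports are simply absent.
    """
    results = {}
    for port in ports:
        try:
            banner = grab_banner(host, port, timeout)
        except OSError:
            continue  # refused or timed out: nothing to learn from this port
        service, version = identify(banner)
        results[port] = {"banner": banner, "service": service, "version": version}
    return results


def start_fake_server(banner: bytes = FAKE_BANNER) -> int:
    """Bind a throwaway listener on 127.0.0.1 that greets clients with `banner`.

    Returns the bound port. The accept loop runs on a daemon thread so the
    interpreter can exit normally.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Scan the fake server's port plus two neighbouring ports (almost certainly closed)."""
    open_port = start_fake_server()
    probe = [open_port, open_port + 1, open_port + 2]
    return open_port, connect_scan("127.0.0.1", probe)


if __name__ == "__main__":
    port, found = demo()
    for p, info in sorted(found.items()):
        print(f"{p}/tcp open  {info['service']}  {info['version']}")
```

The point to take from it is the one the tester makes: the server’s own greeting is what leaks the product and version, and an outdated string in that greeting is what leads straight to the “known vulnerabilities” step. Running this against anything other than your own hosts requires the same written authorization as any other pen test activity.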
When do you know you’ve accessed the network?
Once I’m able to gain unauthorized access to the corporate network, the only question is how long it will take until I am discovered, and how much advantage I’ll be able to take from this loophole.
What do you do once you’ve infiltrated the system?
Once I’ve gained initial access to the network, I’ll try to “buy” myself time so that even if the original vulnerability is discovered and is blocked, I’ll have a foothold within the system. Sometimes I’ll use what’s called rootkits to hide the malware within legitimate components in the system.
Other times I’ll create a hidden user or predefine my access to a list of allowed actions.
From here, I’ll begin maximizing the use of my access, whether it be by obtaining sensitive information, spying on network traffic, listening through microphones and cameras, or establishing control over essential services and systems.
I’ll attempt to increase my permissions from the regular user level to the highest level. This is done using a variety of techniques – if software installation by users is allowed or there is poor privilege management, I’ll take advantage of that.
The next objective is to gain maximum information from sensitive folders in order to manipulate services, such as Kerberos, which stores passwords and account verification protocols. The goal is to perform a dump, meaning to steal account login information.
We also collect data about the network’s structure and the domain with tools like BloodHound, the goal being to look for information that can be misused.
Can you get blocked during the Pen Test?
Yes, it happens quite a lot, mainly in organizations that maintain cyber security compliance and follow the accepted standards, including the use of EDR and SIEM systems.
At what point do you decide to stop the pen test?
When I feel that I have significantly covered the existing offensive paths and gained significant access, or that all access roads are blocked and there are no more loopholes to exploit.
Of course, we always stop before performing attacks that would cause damage or disruption to the organization’s functioning.
So no damage is done?
Exactly. We won’t perform a DDoS on the production environment, delete data that will cause disruptions in the service, or perform ransomware attacks on devices that don’t block file execution.
From this point I analyze all the information accumulated during the test and translate it into a report for the client that covers all the vulnerabilities that allowed me to successfully hack into the system.
The report summarizes for the client the weaknesses of the defense system, the damage that was made possible as a result of each weakness, and recommendations for remediation and for preventing similar attacks.
Are all findings equally critical?
No, the findings are ranked according to the severity of their impact, how difficult they are to exploit, and how likely they are to be used. A weakness with a serious impact that is easily exploitable and has a high likelihood of being discovered will be classified as critical.
What are the most interesting findings?
I’m a big fan of irony, so when I find vulnerabilities in security systems that are supposed to protect infrastructure, I’m surprised – like vulnerabilities in the firewall of embedded defense systems.
And what are the most common findings?
Very often the weaknesses are due to old software versions, as well as misconfigurations of various services and components. There can also be a lack of maintenance and management, which makes a cyber attack on the organization easy. The irony is that these are all findings that are very easy to fix, so if organizations are looking for ways to become more effective in their cyber defense, they should start with these aspects.
If you are a business owner or part of an organization’s technical team, contact a cyber security company for a consultation on pen testing services, and get ahead of the next cyber attack.