Interview With A Pen Tester
Sun Tzu’s well-known maxim says “know thy enemy”, and there is no better demonstration of it than penetration testing. A pen test simulates a real cyber attack, and the testers performing it need to be as creative and relentless as the attackers trying to infiltrate the organization’s network.
Time to dive into a pen tester’s mind in this interview with one of Redentry’s testers. Redentry is a cyber security company that specializes in providing pen testing services, with more than a decade of experience in the field.
What Is A Penetration Test?
Penetration testing assesses the security of systems, applications, mobile services, and infrastructure.
In an infrastructure pen test, the goal is to identify the most exposed vulnerabilities in the defenses of an organization’s internal network infrastructure.
Read about all the types of PT in our full Penetration Testing article.
How Often Should Organizations Pen Test?
Accepted standards recommend performing a pen test at least once a year (some standards require it), and again after significant changes to the environment, since a test only reflects the state of the systems on the day it was run.
Who Needs A Penetration Test?
Companies handling sensitive information such as medical, industrial, and financial data are more attractive targets for cyber attacks and therefore need to take extra precautions. These companies are often required to perform a pen test to meet regulations and compliance frameworks, the most common being GDPR, SOC 2, and HIPAA.
However, it is important to note that any company that has digital assets and stores information digitally, which is pretty much every company these days, is advised to perform penetration tests to defend against cyber threats.
PT Methodology From Pen Tester POV
First, I research the target’s digital assets. I start with the Nmap tool, one of the most popular tools among pen testers.
Nmap is short for Network Mapper and is a Linux-based open-source tool that scans IP addresses and network ports. This tool maps the network quickly without the need for sophisticated commands and supports complex scripts using a script engine that serves as a database. That way I can enter an IP address, and Nmap will try to connect to ports, one after the other. From the replies, one can discover information such as whether servers are running on the same endpoint, operating system versions, old components with known vulnerabilities that can be exploited, etc.
Then I continue to do OSINT research, which means looking for information in open source platforms accessible to all, such as LinkedIn.
Information about company officials and the technologies used can be obtained, which can assist me in carrying out a phishing attack later on. I also tend to search public sources like blogs, government listings, corporate websites, GitHub, DNS records, and the like.
Several tools help automate the process, such as theHarvester and SpiderFoot, which collect and create a list of all accessible information sources. For a further dive into the tools that pen testers use, continue to our full article.
All of this helps me build a status report of the target and the assets it owns, and the information obtained from this stage is what will help me forge ahead in the subsequent stages of the assessment.
After I exhaust all the tools available for gathering information, I start looking for any weak access points in the cyber defenses.
If I’m testing a website, I’ll use scanners like Burp, which allows me to perform a MITM attack: an attack in which I insert myself between the user and the service provider, either as a bystander listening in or as an impostor of one party. The purpose of the attack is to steal personal information such as credit card details, passwords, and account information.
Nessus is a great tool as well, scanning for vulnerabilities according to predefined criteria. Nessus shows which devices connected to the corporate network are vulnerable.
I’ll look for folders and hidden pages, and go through all the components of the site manually in an attempt to inject malicious code into the input fields and requests. In addition, I’ll generally analyze the behavior of the site and the way it works, to locate a weakness that will allow me some kind of loophole.
If I’m testing an IP address, I’ll use tools like Nmap to search for services that are accessible from the external network and try to find potential vulnerabilities: passwordless FTP servers, SMTP servers, RDP connections, sharing services like SMB, and any endpoint content information. The more information leaks out, the easier it is to find a weakness.
Next, I’ll take advantage of the vulnerabilities found to gain initial access to the network. If I gained access to a website management interface, I’ll take advantage of it to open a shell on the web server.
If I found an outdated server, I’ll exploit known vulnerabilities in the operating system.
Once I’m able to gain unauthorized access to the corporate network, the only question is how long it will take until I am discovered, and how much advantage I’ll be able to take of this loophole.
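The scanning step described above (connect to each port in turn, read the reply, and derive the service and version from it) is easy to see in miniature. The following Python script is an added example, not code from the original page, from Nmap, or from the interviewee: it performs a TCP connect scan with banner grabbing against a throwaway listener on 127.0.0.1 so it runs offline. The `SSH-2.0-OpenSSH_7.4` greeting, the helper names (`start_fake_service`, `reserve_closed_port`, `probe_port`, `scan_host`, `guess_service`) and the crude fingerprinting rules are all assumptions made for the illustration. On a real engagement, only in-scope hosts the client has authorized in writing get scanned.

```python
"""Minimal TCP connect scan with banner grabbing (added example, not Nmap code).

Each port is probed with a full three-way handshake; if the connection is
accepted, the first bytes the service sends are read. Many services (SSH,
FTP, SMTP) announce their name and version in that greeting, which is how a
scanner spots outdated components.
"""
import socket
import threading
from typing import Dict, List, Tuple

# Constructed sample greeting for the throwaway local service (not a real host).
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"

# Sockets held open so the OS keeps their ports reserved for the demo.
_HELD: List[socket.socket] = []


def start_fake_service(banner: bytes = FAKE_BANNER) -> int:
    """Listen on an ephemeral loopback port, greet every client with `banner`,
    and return the port number. Stands in for a real server during the demo."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    _HELD.append(srv)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def reserve_closed_port() -> int:
    """Bind, but do not listen on, an ephemeral port so connects to it are
    refused: that is how a closed port answers a connect scan."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    _HELD.append(sock)
    return sock.getsockname()[1]


def probe_port(host: str, port: int, timeout: float = 0.5) -> Tuple[bool, bytes]:
    """Full TCP connect to one port. Returns (open, banner); a refused or
    timed-out connect is reported as closed/filtered with an empty banner."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256)   # services that speak first hand us their banner
            except socket.timeout:
                banner = b""           # open, but the service waits for the client
            return True, banner
    except OSError:                    # ECONNREFUSED, timeout, unreachable
        return False, b""


def guess_service(banner: str) -> str:
    """Crude fingerprint from the greeting line: a toy stand-in for a scanner's
    probe database. The version string is what points at exploitable components."""
    if banner.startswith("SSH-"):
        return "ssh (" + banner.split("-", 2)[-1] + ")"
    if banner.startswith("220 "):
        return "ftp/smtp"
    if banner.startswith("HTTP/"):
        return "http"
    return "unknown" if banner else "open, no banner"


def scan_host(host: str, ports: List[int], timeout: float = 0.5) -> Dict[int, Tuple[str, str]]:
    """Connect to each port in turn; map open ports to (banner, guessed service)."""
    results: Dict[int, Tuple[str, str]] = {}
    for port in ports:
        is_open, raw = probe_port(host, port, timeout)
        if is_open:
            banner = raw.decode("latin-1").strip()
            results[port] = (banner, guess_service(banner))
    return results


if __name__ == "__main__":
    target = start_fake_service()
    closed = reserve_closed_port()
    for p, (banner, svc) in scan_host("127.0.0.1", [closed, target]).items():
        print(f"{p}/tcp open  {svc:<22} {banner}")
```

Two things the toy version shares with a real scanner are worth noting: a port is reported only when the handshake completes, so filtered and closed ports look the same from the outside, and the banner is trusted as-is, which is why a deliberately misleading greeting (or none at all) hides the version from this kind of probe.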
Inside The Internal Network
Once I’ve gained initial access to the network, I’ll try to “buy” myself time so that even if the original vulnerability is discovered and blocked, I’ll still have a foothold within the system. Sometimes I’ll use what are called rootkits to hide the malware within legitimate components of the system.
Other times I’ll create a hidden user or predefine my access to a list of allowed actions.
From here, I’ll begin maximizing the use of my access, whether it be by obtaining sensitive information, spying on network traffic, listening through microphones and cameras, or establishing control over essential services and systems.
I’ll attempt to increase my permissions from the regular user level to the highest level. This is done using a variety of techniques: if software installation by users is allowed or there is poor privilege management, I’ll take advantage of that.
The next objective is to gain maximum information from sensitive folders in order to manipulate services such as Kerberos, which stores passwords and account verification protocols. The goal is to perform a dump, meaning to steal account login information.
We also collect data about the network’s structure and the domain with tools like BloodHound, the goal being to look for information that can be misused.
Can Pen Testers Get Blocked?
Yes, it happens quite a lot, mainly in organizations that maintain cyber security compliance and follow the accepted standards, including the use of EDR and SIEM systems.
When Do You Stop The PT?
When I feel that I have significantly covered the existing offensive paths and gained significant access, or that all access roads are blocked and there are no more loopholes to exploit.
Of course, we always stop before performing attacks that would cause damage or disruption to the organization’s functioning.
Can PT Cause Damage?
Yes and no. We won’t perform a DDoS on the production environment, delete data in a way that would disrupt the service, or perform ransomware attacks on devices that don’t block file execution.
From this point I analyze all the information accumulated during the test and translate it into a report for the client that captures all the vulnerabilities that allowed me to successfully hack into the system.
The report summarizes for the client the weaknesses of the defense system, the damage that was made possible as a result of each weakness, and of course recommendations for remediation and for preventing similar attacks.
Categorizing Pen Test Results
The findings are categorized according to the severity of their impact, how difficult they are to exploit, and how likely they are to be exploited. A weakness with a serious impact that is easily exploitable and has a high likelihood of being discovered will be classified as critical.
Interesting Findings In PT
I’m a big fan of irony, so when I find vulnerabilities in the security systems that are supposed to protect the infrastructure, I’m surprised, like vulnerabilities in the firewall of embedded defense systems.
Most Common Findings In PT
Very often the weaknesses are due to old software versions, as well as incorrect configuration of various services and components. There can also be a lack of maintenance and management, which makes a cyber attack on the organization easy. The irony is that these are all findings that are very easy to fix, so if organizations are looking for ways to become more effective in their cyber defense, they should start with these aspects.
If you are a business owner or part of an organization’s technical team, contact a cyber security company for consultation on pen testing services, and prevent the next cyber attack.