Pentesting

What is pentesting?

A penetration test is a process whereby the IT-systems of a company are “tested” for any known vulnerabilities. These could be related to software defects (bugs), misconfigurations, as well as policy defects. This is mostly done by having an external security company conduct this methodical test, to document the security of the systems. In many cases, the job of the pentester will replicate what a “real” hacker would do. Therefore, most of the tools and methods used during a pentest are the same tools that black hats would use.

A successful penetration test is one that tests available services and devices within scope, for known defects, misconfigurations, sensitive data exposure and makes sure to document all the findings.

How does a pentester work?

A pentester generally follows the penetration testing method. This method is based on a structured procedure that performs penetration testing step-by-step.

The penetration testing method has generally 7 steps:

Planning & Preparation
Reconnaissance
Discovery
Analyzing information and risks
Active intrusion attempts
Final analysis
Report Preparation

How does each phase work?

1. Planning & Preparation

In the first step of this model the pentester plans and prepares the strategy for the penetration test and the scope of the test. This step starts with defining the goals and objectives of the penetration testing.

The common objectives of penetration testing are:

To identify the vulnerabilities and improve the security.
To test the IT-security of the technical systems of the company by an external third party.

2. Reconnaissance

In the second step, information is gathered with passive and active reconnaissance, meaning that the pentester interacts directly with the target system/network and then collects all information on public available servers, social media, databases, etc.

3. Discovery

Afterward the pentester uses automated tools to scan target assets and discover vulnerabilities.

Types of discovery:

Network discovery - Discovery of additional systems, servers and other devices.
Host Discovery - Open ports on these devices.
Service Interrogation – Interrogates ports to discover actual services that run on them.

4. Analyzing information and risks

In this step the pentester begins to classify the discoveries, by analyzing the information and putting each discovery in a risk group.

5. Active intrusion attempts

Then the pentester starts attempting the exploit discover in an organized order.

6. Final analysis

When all attempts on the found discoveries are done, it will be followed by a final analysis of all the findings.

7. Report preparation

Then the report preparation starts with overall testing procedures, followed by an analysis of vulnerabilities and risks. Going from the high risks and critical vulnerabilities that must be prioritized by the company to the low risks that must be done but it is not urgent.

The pentesting ends up with a report, containing:

Overall summary of the penetration testing.
Details of each step and the information gathered from the test.
Details of all the vulnerabilities and risks discovered.
Details of fixing the systems.
Suggestions for future improvements of the IT-security in the company.

Source: https://www.youtube.com/watch?v=cEk3z3Loa_k&ab_channel=GarrettSmith

To see this video you must

Pentesting roles

A pentesting team is sometimes referred to as a red team. Although these terms are used many times as synonyms, a red team attack can be a more extensive attack, and therefore requiring much more planning and execution time. If performed correctly a red team can effectively simulate an Advanced Persistent Threat (APT) attack. A red team also tests things like Time-To-Detect (TTD) and Time-To-Mitigate (TTM).

TTD will test the ability of the system defenders (also called the blue team) to detect an attack within a reasonable time. This includes testing whether they have the correctly implemented Intrusion Detection Systems and logging/alerting.

On the other hand, the TTM will test the defender’s ability to react to these alarms without panicking. It will also reveal how well the automated systems will react to attacks, and how long it takes to be triggered. These automated processes could include automated firewall setups, ACL lists etc.

While a pentesting is done within 1-2 weeks, and finalized with a report, a red team can be working on a single attack for months.

Another team that can be involved in penetration testing is referred to as the purple team. As the name suggests it is a combination of the blue team and the red team. The purpose of that is to close the gap between the red team and the blue team and have a team that has a very good understanding of how the attackers work, and at the same time knows how to secure the systems.

As a sidenote, a pentesting can be combined by companies with a bounty-hunting program. That encourages white hats (ethical hackers) to conduct some pentesting as well.

What are the different approaches to penetration testing?

There are different kinds of approaches to penetration tests, depending on the weaknesses they attempt to exploit.

Different approaches to penetration testing:

Black Box Penetration Testing

This is the most common penetration testing approach that is used when hiring external companies, for example during an audit. Here the pentester has very little, or no knowledge at all on the internal systems or procedures of the IT-systems to be pentested.

This would then replicate what an attacker with no prior knowledge or access to the internal system, and networks would be able to find regarding the vulnerabilities and information leakages.

White Box Penetration Testing

During white box penetration testing, the team has access to the open systems, and their belonging source-code, configurations etc. Therefore, the pentester can perform not only test against the services/devices, but can also scan the code against any code or architectural defects. This includes doing code review on specific sensitive features. This makes finding vulnerabilities much more likely, but also requires some very extensive work and expertise.

White box testing is not the most common, because of its comprehensiveness and its cost.

Gray Box Penetration Testing

Comparing the approaches

While all of the above fall within the category of pentesting, there are big differences in the use of resources required for each, and equally a big difference in price. In most cases, the black box pentesting would at most replicate a day-to-day attack. Whereas the white box pentesting being the most comprehensive and effective, but also the most expensive, could be an overkill for many companies. Therefore, a gray box test can be a golden middle way, since it combines the 2 approaches, and is still reasonably priced.

Depending on these described conditions a company can choose the penetration test that would be optimal for its demands.

Pentesting tools

This section will deal with tools for web pentesting.

Burp

https://portswigger.net/

One of the most used tools for doing web pentesting is called Burp. It comes in a limited community edition, and 2 editions for enterprise and professional. We will here show some of the features that are available in the community edition, and how they can be used for pentesting.

Burp can be used during multiple of the fases we mentioned before, among others: active reconnaissance, active intrusion attempt.

Here you can see it maps all the requests, links and paths that it encounters during some clicking around on kea.dk.

Interception Proxy

When working with web applications it is always useful to be able to view the content of the requests and responses being sent back and forth. You can of course do that in wireshark or many other tools. But since burp is specialized http, you can not only view the headers and payload, but also edit them, and replicate.

Here you can see a request for kea.dk, with all the generated headers. This is a request from the web-browser, intercepted by Burp. You can forward this request as is, or you could edit some of the headers, and then forward it to KEA’s web server.

The response is equally intercepted, and both header and content can again be viewed or modified and then sent back to the browser.

Burp also keeps track of all the requests that have been made during the interception.

This makes it is possible to simply, right-clicking on any of the requests and sending it to the repeater. There the request header can again be tampered before being resent to the server.

Here is an example where the employee search (https://kea.dk/find-medarbejder) request is being repeated, to test multiple of the params sent in the request, and thereafter see the response that these generate.

Intruder

In Burp you also have the possibility to do intruder attacks, where it is possible to replace certain positions in a request with placeholders. You can then specify a list that these placeholders should be replaced with. Thereby you can very easily try out posting different values, and control what the response is to these changes.

In the following example we are trying to automatically test the response when changing the value of the name to search for (in this case “hans”). A number of different attack types can be applied. In this case Sniper is used, which is useful when only dealing with one value to intrude.

Now we can provide a list of names that the tools should use, and we can click on attack. Then the tool will start sending a request with each of these names, and save the response that is coming back from the server. In this case 1296 names were loaded, therefore 1296 requests will be sent.

Here you see the partial result of this attack. You can eventually keep an eye the length returned or you can set up a keyword to match against to flag that particular request.

Keep in mind that the community edition is a bit limited in that you are only allowed to run 1 thread, and you are not able to throttle the speed, that the requests are sent in.

Bash bunny

https://shop.hak5.org/products/bash-bunny

A pentesting can also leave cyberspace, and have a more physical form, such as a combination of social engineering, and sneaking around. Here small physical devices come in handy. For many years USB-Keyloggers, which can be placed hidden between the keyboard and the PC, have been used to capture user’s login information, including passwords. These can then be used by the penetration tester to elevate the attack. Other devices include rubber ducky, which looks like an innocent USB flash drive, but acts like a small keyboard, that automatically starts typing in the preprogrammed exploits as soon as it is connected.

The bash bunny takes it a step further, placing a lightweight Linux terminal in a small USB device. This device when connected can act as an HID but can also perform more advanced data exfiltration or network hijacking.

During a pentest, many other tools are used for reconnaissance, scanning, exploiting (like Nmap, Nessus, Metasploit, etc). So please refer to the other courses for some of these tools (for example Reconnaissance).

Writing the report

A penetration testing should always be documented in written form. The documentation should provide easy access to the findings during the penetrations test.

The Report should include:

Executive summary
Here a summary of non-technical nature is presented. This is meant for executives, who would like to get a quick overview of how severe the findings are, and what the consequences are if not fixed. Using technical descriptions (like SQLi, XSS etc) is discouraged in this section.
Technical summary
Here the audience are the technical employees. Therefore, the summary should be written in a more technical fashion. It should still be short, and used as an overview of the findings.
Assessment results
- Vulnerability descriptionsHere you have the detailed descriptions of the findings. This includes the vulnerability, where it is located (server, service, url etc.), and it is eventually related to a CVE (https://cve.mitre.org/). It should preferably state the accessibility of that vulnerability as well as the severity in case it is exploited.
- RecommendationsIn this section recommendations for fixing that vulnerability are stated. Normally these are not stated as “code fixes” ready to implement, since most penetration tests are done in blackbox setup. These are instead generic fixes for the specific vulnerability. For example if SQLi is found, then a recommendation would be to make sure that all sql requests go through ORM or parametrized queries.
Supporting information
- Output from toolsHere you provide output from the different tools. This includes screenshots and eventual logfiles. You should here remember to redact sensitive information that your penetrations test might have exposed.
- Methodology for testHere you describe the scope that was targeted (servers, services etc.). In case there were servers/services that were omitted from the penetration test it should be stated here as well, together with a reason, and an eventual mitigation. Here is also where the pentester, stated the tools/techniques that were used during the pentesting.
- These tools and techniques should be described quite precisely. For example, if nmap was used for the scan then, it should be stated what version of nmap, and what options were applied to the scan. This is important to make sure that the situation can be replicated, and eventually retested after an eventual fix.

It is also recommended to make sure that the most significant findings are highlighted with strong colors, in such a way that we force the report readers eye to notice them.

One important thing to keep in mind as a pentester is that blue teams/system admins can end up being offended revealing the vulnerabilities in the pentesting report and get quite defensive. This makes it even more important to have screenshots and other program output as documentation.

There are several tools that can assist in report writing, among them is dradis in its community edition (https://dradisframework.com/ce/). The strength of using a tool like dradis, is that it automatically can import the output of several pentesting tools, and combine/pivot the results. That makes report writing much easier and more consistent than using a standard text editor.

References:

Exercise

Exercise 1

Try to find companies that do perform pentesting. How much info do they provide on their webpages about their tools/techniques?

Exercise 2

Download and install the tool Burp (https://portswigger.net/burp). Then try to replicate the techniques in this video: