I have been learning and practicing “hacking” for years now. In the last year, I conducted an experiment as part of my master’s thesis and wanted to explore how servers are attacked on the Internet. I also offer services for companies to test their security. Recently I was asked about pentesting from three different people, who have heard about the term, but did not exactly know what it means. So here is my blog post about it!
Security testing vs. hacking vs. pentesting
There are different concepts of security services that one can perform for money:
- Security assessment is the corporate term for penetration testing. It describes the simulation of an attack from an attacker’s perspective. The results show what can be seen, retrieved and exploited in a system.
- Penetration testing is what people often describe as “Hire a hacker”. This testing involves the analysis of a specific system, checks it for vulnerabilities and usually exploits them to expose potential problems in its security. These are rather short-term operations within a limited time frame and scope.
- Red team engagements belong to the field of “Red team – Blue team”. Red teams focus on the attacker’s view (hackers, angry ex-employees etc.), blue teams on the defender’s view (IT department, sysadmins, SOC). Red team engagements are long-term operations that simulate attacks in a real-world setting in order to test an organisation’s security defenses (the Blue team).
- Vulnerability assessments (or scans) are about identifying network and system vulnerabilities, either manually or through automated scanners. The goal is to fix potential problems before they can be exploited. As a result, you often get a compiled list of the potential vulnerabilities that were found.
All these have some common characteristics.
- The goal of all services is to improve the security of an organization.
- All concepts try to test security measures from the perspective of a potential attacker.
- You mostly search for specific issues in your systems. You do not get a complete view of security.
I will be focusing on penetration testing (or pentesting) for this post.
How does it work?
A pentest is not a one-time service. A company is not safe just because it performed a pentest once. Security is a process. Vulnerabilities are often discovered decades later. So, periodic tests are a must. Unfortunately, most companies are not willing to invest money in security. Real-world examples show that companies only think about security after a compromise. Whenever something changes on the technical side of your business (new software dependency, new operating system, different cloud provider), you should test the new configuration for security. But, and this is not discussed enough, you also need new tests after changes on the organizational side. Often employees need access to data that was previously inaccessible to them. Or your new sales team wants to contact specific users. Organizational changes often cause technical changes, for example the sales people getting access to the production database to retrieve customer mail addresses. This is a vulnerability that may cause actual security issues, and a pentest might uncover it.
What you need to do (as a pentester) before an actual engagement is pretty much the same for most situations. You need to set up a contract with the details of the service, such as:
- Why is this penetration test being performed? Is it a legal requirement (for compliance) or a measure to improve security for the company?
- When is the penetration test to be performed?
  - During business hours: might prevent actual workers from doing their work.
  - After business hours: only a limited number of employees are active.
  - Only specific hours/days/time frames.
- Which systems are to be tested?
  - Which IP addresses? Internal or external systems?
  - What is the scope? Are third-party systems included (e.g. cloud providers)?
- Which security measures are in place that might interfere with the pentest?
  - Firewalls, intrusion detection, security staff
- What to do if a system is found to be vulnerable?
  - Exploit it to gain access -> classical pentest
  - Do not exploit further -> vulnerability assessment
- Are you allowed to further escalate privileges (gain administrator rights)?
- Are you allowed to perform dictionary or brute-force attacks on passwords during the assessment?
Once you clarify these points and have written permission for this, you can start the actual penetration test.
The actual test
There are different ways to perform penetration tests, but typically you have different phases, and “hacking into a system” is only one part of the whole procedure. Depending on who you ask and how you define specific actions, there are about 3-7 phases. I have summarized them into 4 phases:
The first phase is basically what you write into the contract, as shown above: what the targets are, how much time you have, and what kind of test is required. There are also black-box and white-box pentests. Black-box tests are closer to what actual attackers do: find information by scanning the systems, finding publicly available information and more. With white-box tests, you get insights into operating systems, software versions and an enumeration of the internal network beforehand. Basically, with a white-box approach you can skip the next phase.
Reconnaissance aka Information Gathering aka Scanning
This is one of the most challenging and overlooked phases of a pentest. The goal is finding out what systems are running, which versions (and vulnerabilities) are deployed and how the network is set up. One particularly interesting task is gathering additional information from public sources, called Open Source Intelligence (OSINT). With OSINT, you use information from homepages, social networks and public listing services to find additional information on your targets and potential victims. Often you can narrow down the cracking process for an administrator account by using the names of family members or pets, as people do not hesitate to publicly disclose those and often include them in their passwords. Other pieces of information include the working hours of specific employees, internal mail addresses and in general any additional information that an attacker might use against the company.
A more offensive approach is using network scanners to perform an extensive search for targets in the company network. The most popular tool for this is nmap, which is a port scanner with lots of fingerprinting features. While OSINT is mostly passive, port scanning can be picked up by firewalls and other security products. Therefore, one has to define beforehand whether aggressive port scans are allowed.
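As an added example (not code from the original post), the following Python script shows the defender's side of that last point: how a firewall or IDS can pick up an aggressive port scan by counting how many distinct destination ports one source touches within a short time window. The log format, the addresses and the threshold are assumptions made for the example.

```python
# Added example, not from the original post: a simple port-scan detector that
# reads constructed firewall log lines and flags any source that touches many
# distinct destination ports inside a sliding time window.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format: "<timestamp> <action> <src> <dst>:<port>".
# 198.51.100.7 sweeps 12 ports within 12 seconds; 203.0.113.9 is ordinary traffic.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d} DROP 198.51.100.7 10.0.0.5:{port}"
     for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])]
    + ["2024-05-01T10:00:04 ACCEPT 203.0.113.9 10.0.0.5:443",
       "2024-05-01T10:00:09 ACCEPT 203.0.113.9 10.0.0.5:80",
       # the same scanner five minutes later: falls outside the window
       "2024-05-01T10:05:00 DROP 198.51.100.7 10.0.0.5:8080"]
)


def parse_line(line):
    """Parse one log line into (timestamp, action, src_ip, dst_ip, port)."""
    ts, action, src, dst = line.split()
    dst_ip, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), action, src, dst_ip, int(port)


def detect_port_scans(log_text, window=timedelta(seconds=60), threshold=10):
    """Return {src_ip: peak number of distinct ports seen inside `window`}
    for every source whose peak reaches `threshold`."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, _action, src, _dst, port = parse_line(line)
            per_src[src].append((ts, port))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        in_window = Counter()  # port -> hits currently inside the window
        start, peak = 0, 0
        for ts, port in events:
            in_window[port] += 1
            while ts - events[start][0] > window:  # slide the window forward
                old_port = events[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    print(detect_port_scans(SAMPLE_LOG))  # {'198.51.100.7': 12}
```

Real firewall logs need a matching `parse_line`, and the threshold should be tuned against normal traffic so that load balancers or monitoring hosts do not trip it.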
Gaining access aka Exploitation aka “the actual hack”
If your reconnaissance was successful, you might have collected enough information to attempt to break into the network. Usually, you first have to circumvent any firewall system. Once you successfully breached a system (logged in as a user, for example), you work on maintaining access and increasing your foothold in the network. Maybe you are able to get root/admin access on the system, maybe you can use your new credentials to gain access to other protected systems. This is an iterative process:
1. Gain access
2. (optional) Escalate privileges
3. Check for sensitive data you can access (credentials, trade secrets)
4. Check which other systems are accessible
5. Repeat from step 1.
During this phase, it is important to document every step. What was used to bypass a login? Was any vulnerability exploited? Were there any plaintext credentials on the system?
Of course, you need to use a lot of different tools for this phase, as every network is different. Ideally, you have your trusted hacking toolset that contains most required tools, and you should be pretty familiar with the tools. This is something you can train on your own, reading tutorials and testing your tools on your own systems. I will be talking about the actual tools I use in a future blog post.
Post-exploitation aka Analysis aka Report generation
In this phase, you document every system access, every credential used and any other findings. For the final report, you might also include screenshots and graphics. The most important task in this phase is writing the final report for the customer, in which you include which problems were discovered and how these problems could be solved (update software, store passwords hashed, set firewall rules etc.). Some people also like to include severity ratings for every issue (low to extreme severity). Since the goal is to improve security, this is where security knowledge is especially required.
Security testing is an interesting method to assess the security of your business and a process that requires periodic repetition. A pentest can uncover vulnerabilities in your systems that your security team did not think about, by using the tools and entering into the mindset of a real attacker. Still, pentests are organized and need planning like any other organizational process. Therefore, include them in your security processes to lower the risk of a real attack, which might cost you your entire business.