1.8 Explain the techniques used in penetration testing

  • Penetration Testing
    • Known Environment
    • Unknown Environment
    • Partially Known Environment
    • Rules of Engagement
    • Lateral Movement
    • Privilege Escalation
    • Persistence
    • Cleanup
    • Bug Bounty
    • Pivoting
  • Passive and Active Reconnaissance
    • Drones
    • War Flying
    • War Driving
    • Footprinting
    • OSINT
  • Exercise Types
    • Red Team
    • Blue Team
    • White Team
    • Purple Team

Penetration Testing

We previously discussed vulnerability scans.  We can take the vulnerability scan one step further by conducting a penetration test.  A penetration test is when an outside person is hired to find security risks in an organization.  Some organizations give the penetration tester permission to attack any system and discover all possible security holes because they want to make their systems better.  Others limit the penetration tester’s scope because they do not want to admit to their customers, employees, shareholders, or themselves that there are security flaws in their systems.

A penetration test does not have to be electronic in nature.  It can be as simple as an unauthorized person walking into a building and stealing papers from a filing cabinet.

To properly perform a penetration test, the tester must know

  • The common attack methods employed by hackers

  • The type of information and resources that a hacker would like to steal (intellectual property, financial information, etc.)

The tester should obtain written approval from the highest levels of the organization before proceeding with the penetration test.  Many of the actions performed by the tester could be considered crimes (trespassing, unauthorized access to a computer system, theft, fraud, etc.).  If the tester is caught in the act, local staff may report him to the police.

The Penetration Test is defined by the Rules of Engagement.  The Rules of Engagement is an agreement between the tester and the organization.  It defines

  • The duration of the test

  • The resources that will be tested

  • The techniques the tester may use

  • How the tester will store or handle sensitive data

  • How the tester will safeguard any discovered vulnerabilities.  The tester may have an ethical or legal responsibility to report some vulnerabilities to the public or to law enforcement.

  • Areas that are off limits

  • The cost of the test

  • How the tester will report the results of the test to the organization
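As an added illustration (not part of the original text), a small Python model of such an agreement that a tester's own tooling can consult before it touches any host, so that an out-of-scope address, an off-limits system, a technique that was not agreed, or a test outside the agreed window is refused. The address ranges, dates and technique names are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass
class RulesOfEngagement:
    """Hypothetical model of the written agreement: when, what, and how the tester may test."""
    start: datetime                     # duration of the test
    end: datetime
    in_scope: list                      # networks the organization authorized
    off_limits: list = field(default_factory=list)      # areas explicitly excluded
    allowed_techniques: set = field(default_factory=set)

    def check(self, target, technique, when):
        """Return (authorized, reason). Anything the agreement does not cover is refused."""
        addr = ip_address(target)
        if not (self.start <= when <= self.end):
            return False, "outside the agreed testing window"
        if any(addr in ip_network(n) for n in self.off_limits):
            return False, f"{target} is explicitly off limits"
        if not any(addr in ip_network(n) for n in self.in_scope):
            return False, f"{target} is not in the authorized scope"
        if technique not in self.allowed_techniques:
            return False, f"technique '{technique}' was not agreed"
        return True, "authorized"

# Constructed example agreement using documentation address ranges (not a real engagement).
ROE = RulesOfEngagement(
    start=datetime(2024, 3, 1, 8, 0),
    end=datetime(2024, 3, 5, 18, 0),
    in_scope=["192.0.2.0/24"],
    off_limits=["192.0.2.10/32"],        # e.g. a production system the client excluded
    allowed_techniques={"port-scan", "web-app-test"},
)

def check_target(target, technique, when="2024-03-02T10:00:00"):
    """Convenience wrapper: `when` is an ISO-8601 timestamp string."""
    return ROE.check(target, technique, datetime.fromisoformat(when))

if __name__ == "__main__":
    for args in [("192.0.2.20", "port-scan"), ("192.0.2.10", "port-scan"),
                 ("198.51.100.5", "web-app-test"), ("192.0.2.20", "phishing")]:
        print(args, "->", check_target(*args))
```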

In active reconnaissance testing, the tester uses methods that can be detected.  These methods are more intrusive but allow deeper access.  In addition, if the active reconnaissance is not detected, then it is clear that the enterprise does not have intrusion detection systems or does not monitor them.

In passive reconnaissance testing, the tester uses methods that do not allow detection, such as user interviews, phishing attempts, internet searches, and wireless packet sniffers such as Wireshark.  Because these methods are passive, the target cannot detect them.
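The point above is that active reconnaissance should be caught by monitoring.  As an added example (not code from the original text), here is a simple detector of the kind a blue team could run over firewall logs: it flags any source that reaches an unusually large number of distinct host/port pairs inside a short window, which is what a port sweep looks like.  The log format and the addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (sample data, not real traffic). 203.0.113.7 touches a
# dozen ports on one host within seconds; 198.51.100.9 looks like ordinary use.
SCAN = [f"2024-03-02T10:00:{i:02d} src=203.0.113.7 dst=192.0.2.20 dport={p} action=DENY"
        for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])]
NORMAL = [
    "2024-03-02T10:00:05 src=198.51.100.9 dst=192.0.2.20 dport=443 action=ALLOW",
    "2024-03-02T10:00:09 src=198.51.100.9 dst=192.0.2.20 dport=443 action=ALLOW",
    "2024-03-02T10:00:12 src=198.51.100.9 dst=192.0.2.21 dport=22 action=ALLOW",
    "garbage line that the parser must skip",
]
SAMPLE_LOG = "\n".join(SCAN + NORMAL)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=\w+$")

def parse_log(text):
    """Return (timestamp, src, dst, dport) tuples in time order; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return sorted(events)

def detect_port_scans(text, threshold=10, window_seconds=60):
    """Flag sources that contacted >= threshold distinct (host, port) pairs inside any
    window of window_seconds. Returns {src: most distinct pairs seen in one window}."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        by_src[src].append((ts, dst, dport))
    flagged = {}
    for src, events in by_src.items():
        best = 0
        for i, (start, _, _) in enumerate(events):   # events are time-ordered
            pairs = {(dst, port) for ts, dst, port in events[i:] if ts - start <= window}
            best = max(best, len(pairs))
        if best >= threshold:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    for src, count in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {count} distinct host/port pairs within 60s")
```

The threshold and window are the tuning knobs: too low and busy legitimate clients are flagged, too high and a slow scan spread over minutes is missed.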

A pivot is when a tester infiltrates part of a network and uses it to attack a second part of the network.  For example, a tester may be unable to access the file server from outside the network, but can infiltrate a user’s computer and then use that computer to access the file server.

The initial exploitation is the first attack that the tester completes.  It is not necessarily the goal of the tester.  It is to demonstrate how an attacker would enter a system.  Consider this example:

  • An attacker would like to steal files from a file server

  • The attacker first sends a phishing e-mail to an employee at the company

  • The employee clicks on the link and allows the attacker to access his computer

  • The attacker then uses the employee’s computer to connect to the file server and steal the files

The initial exploitation is the phishing e-mail sent to the employee, but the actual goal is to take the files from the server.  The hacker might install a backdoor in the server, which he can access later.

When the system administrator discovers that the employee received a phishing e-mail, and that his computer was infiltrated, he will hopefully implement some training to prevent it from happening again.  But he might assume that only the employee’s computer was affected.  He might not think to check for a back door in the file server, which was the hacker’s ultimate target.  It is a common technique to attack one thing and then move through different systems until you reach the ultimate target.  Even if the first attack is detected, the last attack might not be.  We call this a lateral move.
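As an added example (not code from the original text), the scenario above suggests what the administrator should actually do after finding the phished workstation: follow every connection that workstation made after the click, and then every connection those hosts made, to find the systems that also need to be checked for a back door.  The connection records and host names below are constructed; a real investigation would take them from the firewall, proxy or endpoint logs.

```python
from collections import deque
from datetime import datetime

# Constructed internal connection records (not from a real network): time, source, destination, service.
CONNECTIONS = [
    ("2024-03-02T09:55:00", "WS-042", "FILESRV-01", "smb"),    # before the phishing click: normal use
    ("2024-03-02T10:03:10", "WS-042", "FILESRV-01", "smb"),    # victim reaches the file server
    ("2024-03-02T10:04:30", "WS-042", "WS-017", "rdp"),        # victim reaches a second workstation
    ("2024-03-02T10:09:00", "FILESRV-01", "BACKUP-01", "ssh"), # file server reaches backup host
    ("2024-03-02T10:10:00", "WS-099", "WS-042", "rdp"),        # inbound to the victim: not a pivot from it
    ("2024-03-02T10:12:00", "WS-017", "DC-01", "ldap"),        # second workstation reaches a DC
]

def blast_radius(connections, first_host, compromised_at):
    """Return {host: hop count} for every host reachable from first_host by following
    connections made at or after the moment each source host may have been compromised.
    Hop 0 is the initial exploitation; the others are candidate lateral moves to examine."""
    t0 = datetime.fromisoformat(compromised_at)
    edges = sorted((datetime.fromisoformat(ts), src, dst) for ts, src, dst, _ in connections)
    depth = {first_host: 0}
    queue = deque([(first_host, t0)])
    while queue:
        host, since = queue.popleft()
        for ts, src, dst in edges:
            # Only outbound connections from this host, made after it could have been taken over.
            if src == host and ts >= since and dst not in depth:
                depth[dst] = depth[host] + 1
                queue.append((dst, ts))
    return depth

if __name__ == "__main__":
    for host, hops in sorted(blast_radius(CONNECTIONS, "WS-042", "2024-03-02T10:00:00").items(),
                             key=lambda kv: kv[1]):
        print(f"hop {hops}: inspect {host}")
```

Every host with hop count 1 or more is a place where the attacker could have left something behind, which is exactly what the administrator in the text would otherwise overlook.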

Persistence is the act of placing an element (a backdoor) inside the network or system that does not go away.  A back door could be created through a security hole, a piece of malware, or a user account.  A back door could also be known as an Advanced Persistent Threat.  Persistence is mainly used to steal data over a long term.

As discussed earlier, Escalation of Privilege is when a lower-level account is used to obtain higher privileges.  A process that runs on a user device might need administrative privileges.  If it contains a security hole, the tester could take advantage of it to obtain additional privileges.

A Black Box test is when the tester has no knowledge of the inner workings of the system.  This is also known as an Unknown Environment test.  The tester interacts with the system just like a normal (or malicious) user, attempting different inputs to damage or infiltrate the system.  A Black Box test simulates the normal operation of the application or system but does not detect all vulnerabilities.

A White Box test is when the tester has full knowledge of the inner workings of the system.  This is also known as a Known Environment test.  The tester attempts to penetrate any item that he believes is weak.  A white box tester will understand how data flows through the application and will be able to take advantage of all the different routes.

A Gray Box test is when the tester has some knowledge of the inner workings of the system.  This is also known as a Partially Known Environment test.  The tester interacts with the system just like a normal user but can also eliminate areas that are a waste of time to test.  A Gray Box test can be the most efficient form of testing because all possible attack points are tested.

A Bug Bounty is where an organization pays you for each vulnerability that you discover.  The amount that the organization pays depends on the severity of the vulnerability.

Once you have finished the penetration test, you must clean up all the software that you installed.  You must return the system to its normal state.

Passive and Active Reconnaissance

We can also spy on our targets.  There are several ways.

  • Drones.  A drone is a small remote-controlled airplane that we can fly around and capture video or photographs.  We can use a drone to spy on facilities that we normally can’t access.  This could include warehouses, chemical plants, and industrial facilities.  If the drone is high enough, it can’t be spotted from the ground.

    It is not likely that an organization will install a radar to detect drones.

  • War Driving.  War driving was the idea of driving around town with a laptop and capturing different wireless networks and their locations.  We can capture the following information:

    • The SSID being broadcast

    • The physical location of the network

    • The MAC address of the access point

    • The make and model of the access point (or access points)

    • The type of security on the network

  • War Flying.  When drones became popular, hackers started using war flying.  War flying captures the same information as war driving but uses drones.
     
  • Footprinting.  Footprinting is the act of capturing a blueprint of the network being tested.  This could include:

    • The make and model of each network device

    • The MAC address and serial number of each network device

    • The physical location of each network device

    • The connections between each device

    • Whether any ports are open and what they are patched into

    • Whether any ports have PoE enabled

    • The configuration on each device

    • The name and number of each VLAN and the ports corresponding to each VLAN

  • OSINT.  OSINT stands for Open Source Intelligence.  There are many online resources to gather information about a specific target.

    Check out the OSINT Framework (available on https://osintframework.com/) for links to some useful OSINT tools.  Some of the information you can search for includes:

    • Social Media Profiles

    • E-mail addresses

    • Usernames

    • Search Engines

    • IP Addresses

    • Domain Names

    • Telephone Numbers

    • Public Records

    • Business Records

    • Forums

    • Blogs

    • Metadata

    • Dark Web

    • Malicious Files

Exercise Types

If we have the resources, we might conduct a security test for an extended period with multiple participants.  This is more than a penetration test because it can simulate the behavior of a determined threat actor over a long period.  We might have multiple participants and can divide them into multiple teams.

  • Red Team.  The red team conducts the attack from the outside.  The red team acts like a specific actor or group of actors and runs the test for a long time using tools or techniques that those actors are likely to have.

  • Blue Team.  The blue team defends against the attack from the inside.  The blue team is distinct from the organization’s normal security team because it is defending specifically against the attack that the red team has created.  The blue team is aware of the attack and is proactively defending against it.

  • White Team.  The white team monitors and controls the test exercise.

  • Purple Team.  The purple team takes ideas from both the red team and the blue team: it uses what the red team learns to improve the blue team, and what the blue team learns to improve the red team.

    By improving each team, we can simulate the most intelligent attackers. 

    In an ideal scenario, we won’t have a purple team.  The red team and the blue team will collaborate.  If the red and blue teams are not willing to share information, then we might need an actual purple team.