Penetration testing is another assessment activity similar to vulnerability scanning, but goes further. A vulnerability scan enumerates the issues it finds on a server that present a risk of compromise, and it provides a report of those vulnerabilities but does not work to exploit them. A penetration test may include the same activity as the vulnerability scan to identify potential targets. In addition, the penetration test then continues to attempt to exploit, or take advantage of, the discovered vulnerability. For instance, a vulnerability scan may indicate there is an unpatched flaw in the operating system. The flaw allows remote code execution for an attacker. A penetration test takes the information provided from the vulnerability scan and attempts to take advantage of the flaw and remotely execute code. This code may give the penetration tester a remote shell, or command prompt, on the target system. From there, the penetration tester may target other systems, create a user account, gather sensitive information from the server, and scan neighboring hosts for additional targets to compromise.
A penetration test can therefore take a vulnerability report a step further and show the potential real-world impact of missing patches, weak configurations, and bad practices. A penetration test can help identify insufficient operational, administrative, and technical controls in an environment. When the test is complete and the tester provides a final report, the target organization is then able to identify and remediate an actual pathway a malicious actor could take into their network. Few things can test an organization’s defenses better than a good penetration test.
Penetration testing should be conducted only with permission from the owners of the system. It isn’t ethical to test systems without authorization and may be illegal.
Penetration testing without appropriate permission can result in legal action against the tester. Additionally, it is prudent when testing to request a letter or documentation from an organization representative that the tester is permitted to conduct penetration testing activities. The letter (a “get out of jail free card”) assures the penetration tester that if they are caught or discovered, they can show the letter, thus proving the legitimacy of the tester’s activities.
Penetration testing is an effective way to assess the state of an organization’s security. A comprehensive penetration test can identify weaknesses in administrative, technical, and detective controls by exploiting configuration issues, cracking weak passwords, and compromising servers undetected. As with any endeavor, however, the skill of the penetration tester or team performing the test can greatly impact the depth and scope of the findings. In addition, the time allotted is also a significant contributing factor. A penetration tester with 20 hours allotted to an assessment will rarely find as many issues as a tester allotted 40 hours. To understand why, it’s important to understand the process behind penetration testing.
Penetration testing must be carefully considered by the organization. Vulnerability scanning can be disruptive, as discussed. Penetration testing has an even greater capability to create outages and disruptions. While the risk of an outage is mitigated when the test is conducted by an experienced penetration tester, the risk of an outage can never be eliminated, only reduced. Penetration tests that specifically test the availability of a system through denial-of-service attacks, or that have a known chance of causing services to fail, must be carefully planned and executed with the understanding that an outage may occur. Therefore, management needs to engage the services of a penetration tester fully aware of the risk that accompanies such activities.
Agreeing to which penetration testing standard will be used can be an important part of engagement planning. The Open Web Application Security Project (OWASP) maintains a list of penetration testing methodologies at https://www.owasp.org/index.php/Penetration_testing_methodologies, including:
- The Penetration Testing Execution Standard
- PCI-DSS guides
- The Penetration Testing Framework
- NIST SP 800-115
- The Information System Security Assessment Framework
- The Open Source Security Testing Methodology Manual
Other decision points in this process include the scope of the test.
- Which systems will be targeted by the test?
- What level of access, if any, will the testers be granted?
- Will social engineering be permitted as part of the test?
- Will physical security be in scope for the test?
- Are only Internet-facing systems in scope?
- Will LAN or physical access be granted?
- Who will manage the pen test team and handle communication?
- Who will perform the test?
There are a wide variety of individuals and firms offering penetration testing services, and the quality of your results depends on making the right choices. It is important to do your due diligence in retaining someone to perform a penetration test for your organization, including doing the following:
- Obtaining past references
- Performing background checks
- Requesting industry-recognized certifications
- Conducting in-depth interviews
The interview should include questions covering every aspect of the firm’s testing process. Here are some questions to ask:
- What is the firm’s approach and process for testing?
- How is your organization’s data protected?
- How will communication of sensitive information be protected?
- How is sensitive data collected during the testing process secured?
- At the test’s conclusion, how is sensitive data destroyed?
- How will the risk of service disruption be mitigated?
- What are the emergency lines of communication?
- How much of your testing is automated versus manual?
- What tools are used?
- What time frames are available to perform testing?
- When and how are findings reported?
- Do you background check your employees?
- What documentation and logging do you perform while testing?
- What are the rules of engagement?
- What happens when a critical issue is found?
The answers to these questions typically either increase or decrease your comfort level with a prospective penetration tester. You want to confirm that they will handle your data securely and that they have processes in place to handle all the questions you’ve asked. Any reputable firm should have documented processes, for instance, that indicate how they will handle your data, what actions they take if they find an actual malicious intruder on your network, and how they check for and mitigate the chances of disruption to your organization.
Phases of Penetration Testing
It is helpful to understand the penetration tester’s process. Penetration testers may use different names for the phases, but the general concepts are consistent. The typical flow of a penetration test includes the following phases:
Phase 1: Discovery or reconnaissance
Phase 2: Scanning and probing
Phase 3: Exploitation
Phase 4: Post-exploitation
Phase 5: Reporting findings
The Discovery Phase
In the discovery or reconnaissance phase, the pen tester gathers information regarding the target system and network. The information gathered using passive techniques is known as open source intelligence (OSINT). A surprising amount of information can often be found without sending any traffic to the target system or network. This allows the tester to avoid detection and to prioritize targets without interacting with them. For instance, several websites provide valuable information regarding targets. Websites such as the regional Internet registries (RIRs) and others that provide similar lookup services can reveal the public IP ranges assigned to a company. Security search engines like Shodan and Censys can be used to check pre-existing scan data for systems, services, and vulnerabilities. Social network sites, especially those that have a business or professional network component, can reveal vendor equipment and software installed at an organization based on the resumes and profiles of employees who work at the target. WHOIS information regarding domain records may also reveal employee names and contact information. Depending upon the parameters given to the tester, the tester may also use other techniques, such as physically observing the building, employees, and routines of the target. Facilities may be photographed and potential weaknesses documented. The tester may drive around the buildings and campus of the organization with a laptop and a wireless card to identify the wireless network footprint. All these information-gathering techniques can be used by penetration testers as well as malicious attackers to profile your organization without detection by your monitoring systems. The primary goal in this phase is to gather as much information regarding the footprint of the target organization as possible.
The penetration tester may also be given information by the organization. For instance, if the organization has an Internet presence, they may choose to provide the pen tester with the public IP address range. Alternately, a single IP may be all that is provided. Assessments may even grant the pen tester access to a server or to the corporate network, and reconnaissance will begin from that vantage point. This is entirely driven by the objectives of the organization hiring the penetration tester.
The Scanning and Probing Phase
The second phase of the process, scanning or probing, involves using the information gathered in the first phase to identify potential targets and gather more detailed information. Ideally, this is the first phase where the penetration tester actually sends traffic destined for the target network. The goal in this phase is to identify entry points into the network. This may be accomplished in several ways.
- Ping sweeps: Pinging an IP or IP range looking for hosts that respond
- Port scans: Probing a selection of ports on a target IP for ports in the listening state
- Banner grabs: Collecting information provided by a service when connecting to the service port
- Vulnerability scans: Using a vulnerability scanner to enumerate vulnerabilities on the target
It is always preferable as a penetration tester to avoid setting off any alerts or alarms on the target system. It is not uncommon for the probes to alert staff of the activity. While this confirms that the monitoring processes are working, it can create barriers for the tester. For instance, the tester’s IP address may be temporarily (or permanently) shunned. The tester will have to either change IPs or contact the organization to have the shun action lifted. Therefore, scans and sweeps should not be overly aggressive in their timing and may use other concealment techniques to increase the likelihood of avoiding detection. This is especially important if using a typical vulnerability scanner to identify issues on the target network. A vulnerability scanner generates a significant amount of traffic, and a full scan for all vulnerabilities will almost certainly be detected by the target organization.
After completing this phase, the penetration tester will have a list of systems with potentially vulnerable services. For instance, perhaps an Apache or IIS web server was identified, or FTP, SMTP, DNS, and SSH servers were found, including one or more systems with known vulnerabilities.
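The alerting described above is the defender’s side of the scanning phase: a monitoring system watches for one source touching many ports on one host in a short window and shuns the source IP. The following Python is an added example, not code from the book, that runs that detection over constructed firewall log lines in a simplified, made-up format (`<epoch> <src> -> <dst>:<port> <action>`). It also shows the timing trade-off the text mentions: a scan spread out over minutes slips under a 60-second window that a fast scan trips.

```python
"""Port-scan detection over firewall log lines (added example, not from the book).

Log format is constructed for this example: "<epoch> <src_ip> -> <dst_ip>:<dst_port> <action>".
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log. 10.0.0.5 probes ten ports in five seconds (a fast scan),
# 10.0.0.7 probes eight ports thirty seconds apart (a slow scan), and
# 10.0.0.9 is ordinary web traffic to two ports.
SAMPLE_LOG = """\
1700000000 10.0.0.5 -> 192.0.2.10:21 DENY
1700000001 10.0.0.5 -> 192.0.2.10:22 ALLOW
1700000001 10.0.0.5 -> 192.0.2.10:23 DENY
1700000002 10.0.0.5 -> 192.0.2.10:25 DENY
1700000002 10.0.0.5 -> 192.0.2.10:80 ALLOW
1700000003 10.0.0.5 -> 192.0.2.10:110 DENY
1700000003 10.0.0.5 -> 192.0.2.10:143 DENY
1700000004 10.0.0.5 -> 192.0.2.10:443 ALLOW
1700000004 10.0.0.5 -> 192.0.2.10:445 DENY
1700000005 10.0.0.5 -> 192.0.2.10:3389 DENY
1700000000 10.0.0.7 -> 192.0.2.10:21 DENY
1700000030 10.0.0.7 -> 192.0.2.10:22 ALLOW
1700000060 10.0.0.7 -> 192.0.2.10:23 DENY
1700000090 10.0.0.7 -> 192.0.2.10:25 DENY
1700000120 10.0.0.7 -> 192.0.2.10:80 ALLOW
1700000150 10.0.0.7 -> 192.0.2.10:110 DENY
1700000180 10.0.0.7 -> 192.0.2.10:143 DENY
1700000210 10.0.0.7 -> 192.0.2.10:443 ALLOW
1700000000 10.0.0.9 -> 192.0.2.10:443 ALLOW
1700000030 10.0.0.9 -> 192.0.2.10:443 ALLOW
1700000060 10.0.0.9 -> 192.0.2.10:80 ALLOW
"""


@dataclass(frozen=True)
class Event:
    ts: int
    src: str
    dst: str
    port: int
    action: str


def parse_line(line):
    """Parse one constructed-format log line into an Event."""
    ts, src, _arrow, target, action = line.split()
    dst, port = target.rsplit(":", 1)
    return Event(int(ts), src, dst, int(port), action)


def detect_scans(log_text, window=60, port_threshold=8):
    """Return {src_ip: sorted distinct ports touched} for every source that hit
    at least `port_threshold` distinct ports on one destination within any
    `window`-second span. Uses a sliding window over time-sorted events per
    (source, destination) pair; DENY and ALLOW both count, since a scanner
    learns from either answer."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_pair[(ev.src, ev.dst)].append(ev)

    hits = {}
    for (src, _dst), events in by_pair.items():
        events.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= `window` seconds.
            while events[end].ts - events[start].ts > window:
                start += 1
            ports_in_window = {e.port for e in events[start:end + 1]}
            if len(ports_in_window) >= port_threshold:
                # Report every port this source touched, not just the window.
                hits[src] = sorted({e.port for e in events})
                break
    return hits


if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG).items():
        print(f"scan from {src}: {len(ports)} ports {ports}")
```

With the default 60-second window only 10.0.0.5 is flagged; widening the window to ten minutes also catches the slow scanner 10.0.0.7, while the web client 10.0.0.9 stays below the threshold either way. Tuning the window and threshold is exactly the balance between catching slow, patient scanning and not shunning legitimate hosts that the shun behaviour in the text depends on.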
The Exploitation Phase
The next phase is the exploitation phase. With the list of potentially exploitable systems and services in hand, exploitation can commence. This can include a variety of methods, including manually executing attacks, running scripts, and executing automated attacks. The goal in this phase is to gain additional access to a system. This may be done by cracking a password, finding a discovered hash in a rainbow table, or using a buffer overflow to gain system-level access to a target system. Other possibilities include executing SQL injection attacks. The end result is the same: the tester has gained more access than they should have been capable of, and the organization is compromised.
The penetration tester likely has a long list of potential ways to compromise the target at this point. Typically, it is not feasible based on time limitations to try every possible avenue into the system. The penetration tester will use their experience to determine which paths are most likely to yield additional access via a compromised system. This means that while the penetration tester ends up choosing one path into a network, multiple paths may exist but simply were not explored. However, a good penetration tester will include all of the potential and theoretical paths into the network in the report. Even if a vulnerability was not exploited, it can still be investigated and addressed by the organization’s technical staff.
Another area of concern that may arise during this phase is the discovery by the penetration tester of indicators of compromise: signs that a malicious intruder has previously gained access to a resource. The penetration tester may even identify an ongoing attack. Prior to beginning the penetration test, it is advisable to document how these situations will be addressed by the organization and the penetration tester. Best practices dictate that indicators of compromise will cause all testing activities to cease, and appropriate personnel will be notified. Management approval must be given to resume testing activities. This is equally true if the penetration tester believes an active attack was uncovered. The penetration test cannot continue until the issue is remediated and resolved.
Often, a penetration tester may identify an open port and then attempt an exploit against the port. In some cases, this may cause the service that has the port open to crash. If the penetration tester is not diligent, they may not realize the service is no longer responding to traffic. This is important because it may create a disruption in services for the organization. A penetration tester should make every effort to ensure that services are not disrupted. If a service has failed, a notification and communication plan should be in place that dictates what actions the penetration tester should take. For instance, it’s common to provide the tester with a schedule of on-call personnel to contact in the event anything goes awry. A good, experienced penetration testing firm will ensure they have this information prior to beginning any testing.
The Post-Exploitation Phase
The next phase is the post-exploitation phase. The attack continues in this phase, using information gathered from the prior three phases. However, with successful exploitation in phase 3, the penetration tester has a new perspective. Perhaps a privileged account has been compromised, or the tester has gained access to a server in the demilitarized zone (DMZ). This elevated, additional access gives the tester a new insight into things. It is possible, for instance, that with access to the DMZ server, the tester can launch reconnaissance scans from the DMZ server, initiating the penetration testing phases again. Previously limited by the firewall rules protecting devices in the DMZ, the penetration tester can now scan other DMZ devices from the compromised DMZ server. This new vantage point will then restart the reconnaissance phase as the tester gathers information. The new recon scan may identify additional services and servers that are exploitable, and the cycle of exploitation continues. The process of compromising a server and using that access point to locate and compromise additional targets is often referred to as pivoting within the target network. Since this phase can lead to more discoveries, it is common for penetration testers to cycle through scanning, exploitation, and post-exploitation phases multiple times as they gain more access and discover additional targets.
The Reporting Phase
The final phase is the reporting phase. The penetration tester gathers all of their findings and compiles them into one or more reports. Typically, an executive-level report is created. It omits technical detail and focuses on the risk and exposure of the organization. A second report is also created, which includes technical details of value to the organization’s technical staff. This second report is used to drive remediation efforts. The penetration testing team meets with both executive and technical staff to discuss the report, testing, outcome, and findings generated during the test.
Documentation and Cleanup
A final critical step exists for the penetration tester upon the conclusion of their test—and typically prior to the reporting phase. During the testing, documentation is critical. The penetration tester must log all of their activity, such as the following:
- What servers were targeted
- When traffic to the target was sent, how the target responded, and when it ceased
- Hosts and services that responded
- Results of each phase, such as hosts found and vulnerabilities identified
- Screenshots of banners, login pages, errors, and terminal sessions
- Configuration changes on a target, such as accounts created, services stopped, or tools installed
- Any potential indicators of compromise: signs of a past, or even active, malicious attack
This documentation allows the penetration tester to properly convey their findings and, even more importantly, clean up any remnants from the penetration testing process. It is a failure on the part of the penetration tester to create an account, for example, and leave it on the system.
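The activity log described above earns its keep twice: in the report, and in cleanup, where every account created, service stopped, or tool installed must be paired with a reverting action. The following Python is an added example, not the book’s code, of a minimal engagement log that records each action with a timestamp, host, and phase, produces the cleanup checklist of changes that were never reverted, and tracks the book’s rule that logging an indicator of compromise halts testing until management approves a resumption. The hosts, account name, and timestamps are constructed for the example.

```python
"""Engagement activity log with cleanup checklist (added example, not from the book)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Actions that alter a target, mapped to the action that reverts each one.
REVERSIBLE = {
    "account_created": "account_removed",
    "service_stopped": "service_restarted",
    "tool_installed": "tool_removed",
}
REVERT_OF = {revert: change for change, revert in REVERSIBLE.items()}


@dataclass(frozen=True)
class Entry:
    ts: datetime
    host: str
    action: str
    detail: str
    phase: str


@dataclass
class EngagementLog:
    entries: list = field(default_factory=list)

    def record(self, host, action, detail, phase, ts=None):
        """Append one activity entry; the timestamp defaults to now (UTC)."""
        self.entries.append(Entry(ts or datetime.now(timezone.utc), host, action, detail, phase))

    def _ordered(self):
        return sorted(self.entries, key=lambda e: e.ts)

    def cleanup_checklist(self):
        """Changes made to targets that have no later matching revert entry."""
        pending = {}
        for e in self._ordered():
            if e.action in REVERSIBLE:
                pending[(e.host, e.action, e.detail)] = e
            elif e.action in REVERT_OF:
                pending.pop((e.host, REVERT_OF[e.action], e.detail), None)
        return [f"{e.host}: {e.action} {e.detail} ({e.ts.isoformat()})" for e in pending.values()]

    def testing_halted(self):
        """True if an indicator of compromise was logged and no management
        approval to resume has been recorded after it."""
        halted = False
        for e in self._ordered():
            if e.action == "ioc_observed":
                halted = True
            elif e.action == "resume_approved":
                halted = False
        return halted

    def hosts_touched(self):
        return sorted({e.host for e in self.entries})


def sample_engagement():
    """Constructed engagement: one account left behind, one service restored,
    one IoC observed with no approval to resume yet."""
    log = EngagementLog()
    t = lambda minute: datetime(2024, 1, 15, 9, minute, tzinfo=timezone.utc)  # constructed timestamps
    log.record("192.0.2.10", "port_scan", "top 1000 TCP ports", "scanning", t(0))
    log.record("192.0.2.10", "account_created", "svc_pentest", "exploitation", t(20))
    log.record("192.0.2.11", "service_stopped", "ftpd", "exploitation", t(25))
    log.record("192.0.2.11", "service_restarted", "ftpd", "exploitation", t(27))
    log.record("192.0.2.11", "tool_installed", "/tmp/pivot-proxy", "post-exploitation", t(40))
    log.record("192.0.2.11", "tool_removed", "/tmp/pivot-proxy", "post-exploitation", t(55))
    log.record("192.0.2.12", "ioc_observed", "unknown cron job beaconing outbound", "post-exploitation", t(58))
    return log


if __name__ == "__main__":
    log = sample_engagement()
    print("halted:", log.testing_halted())
    for item in log.cleanup_checklist():
        print("cleanup:", item)
```

Running it lists the one leftover account on 192.0.2.10 and reports testing as halted because the IoC on 192.0.2.12 has no `resume_approved` entry after it; recording that approval clears the halt while the cleanup item remains until an `account_removed` entry is logged.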
Testing Types
The type of penetration test being performed can be divided into three separate categories: black-box testing, gray-box testing, and white-box testing. These test types are differentiated by the amount of knowledge and access granted to the tester. In black-box, also called blind or zero knowledge testing, the tester has no knowledge of the systems being tested. This test creates a situation most like an external malicious actor, who also typically would have no prior knowledge of a target system. The testing in this scenario can take longer, as the tester is starting from scratch, discovering all of the details regarding the system via scanning, probing, and trial and error.
Black-box testing that is done in a way that simulates an actual attack is called red teaming. Red team exercises test how well an organization’s security designs, responses, policies, and procedures respond to an actual adversary. The defending team in exercises like this is called the blue team. Black-box testing that is performed without prior knowledge of the IT staff and security team for an organization is sometimes called double blind or covert testing.
On the opposite end of the spectrum is white-box, or full knowledge, testing, also sometimes known as overt testing. As the term implies, the tester is given full knowledge and access to the system. They may even receive application source code to review, if applicable. Where black-box testing is from the outside in, white-box testing is from the inside out. The additional access may allow the testers to uncover more vulnerabilities than in a black-box test. However, this test tends to be less like a real-world scenario and doesn’t simulate an actual attack as well as a black-box test. Overt testing is done with the knowledge of the IT and security staff of an organization, which means that penetration testers need to be aware that the staff may use that knowledge to stop attacks that would otherwise work, potentially making the testing less useful.
In between the two is gray-box testing. As the name implies, it sits somewhere between the other two test types. The penetration tester is given some information regarding the system(s) to be tested. However, it is unlikely they have full access and source code availability. Their access and knowledge sits somewhere between full knowledge and no knowledge at all.
Physical Penetration Testing
Security issues aren’t limited to networks and systems. A complete penetration testing effort can involve assessing and testing the physical security of an organization and its facilities. Physical access attacks may target locks, entry access control systems, front-office personnel, security guards, staff behavior, and any other physical security control or mechanism.
Physical penetration testing efforts will frequently leverage social engineering techniques to persuade employees that the penetration tester should be allowed into a secured area or through a locked or access-controlled door. Gaining physical access can result in more danger to the penetration tester, as staff, security guards, and police who discover a penetration tester in areas they are not authorized to be in can respond in unexpected ways. This makes it even more important for physical penetration testers to have well-documented emergency contact procedures and a fully documented letter of permission or “get out of jail free” document.