Introduction
The lab is composed of several deliberately vulnerable applications and configurations. Assume each web application runs on a separate host and participants are expected to fully compromise each target, culminating in shell access. Attacks must be conducted from the standpoint of an unauthenticated external attacker.
JMA, OSCE3
Overview
One of the most reliable ways for a company to spot security gaps before they turn into breaches is to engage a penetration tester, a professional who simulates real-world attacks against the company’s systems. The tester’s goal is to use every possible tactic to replicate the actions of an actual attacker, often working quietly under the radar so the organization’s IT and security teams remain unaware until the final report is delivered. For simplicity, I’ll refer to this kind of offensive security assessment throughout the tutorial as a penetration test.
A standard network penetration test typically follows four key phases:
- Information Gathering / Reconnaissance
  - Map out the network
  - Identify possible targets such as hosts, services, and applications
  - Enumerate weaknesses or misconfigurations in the services running on these targets
- Vulnerability Assessment and Initial Exploitation
  - Analyze identified services for known vulnerabilities
  - Exploit those vulnerabilities to gain unauthorized access or an initial foothold
- Post Exploitation and Lateral Movement
  - Perform in-depth internal enumeration on the compromised system
  - Leverage gathered information (e.g., credentials, tokens, trusts) to access additional systems or networks
  - Pivot through the network and escalate privileges to gain full domain or enterprise-level access
- Documentation and Reporting
  - Collect evidence of findings and actions taken
  - Create a detailed final report that outlines vulnerabilities, attack paths, impacted assets, and remediation recommendations
Once the active testing phase is complete, the tester shifts from the role of an adversary to that of a consultant. They focus the remainder of the engagement on producing a detailed report outlining how the network was breached, which security controls were bypassed, and, most importantly, providing clear and actionable recommendations the organization can follow to close these gaps and prevent future exploitation.
Vulnerability Assessments
Vulnerability analysis is a generic term that can include vulnerability or security assessments and penetration tests. In contrast to a penetration test, vulnerability or security assessments are performed using purely automated tools. Systems are checked against known issues and security vulnerabilities by running scanning tools like Nessus, OpenVAS, and similar. In most cases, these automated checks cannot adapt the attacks to the configuration of the target system. This is why manual testing conducted by an experienced human tester is essential.
Penetration Testing
A Penetration Test (Pentest) is an organized, targeted, and authorized attack attempt to test IT infrastructure and its defenders to determine their susceptibility to IT security vulnerabilities. A pentest uses methods and techniques that real attackers use. As penetration testers, we apply various techniques and analyses to gauge the impact that a particular vulnerability or chain of vulnerabilities may have on the confidentiality, integrity, and availability of an organization's IT systems and data.
A pentest aims to uncover and identify ALL vulnerabilities in the systems under investigation and to improve the security of the tested systems.
A pentest is a mix of automated and manual testing/validation and is performed after extensive, in most cases, manual information gathering. It is individually tailored and adjusted to the system being tested. Planning, execution, and selection of the tools used are much more complex in a pentest.
External PT
Many pentests are performed from an external perspective, i.e., as an anonymous user on the Internet. Some clients will not care about stealth, while others will request that we proceed as quietly as possible when approaching the target systems, to avoid being blocked by firewalls and IDS/IPS systems and to avoid triggering an alarm. Ultimately, our goal here is to access external-facing hosts, obtain sensitive data, or gain access to the internal network.
Internal PT
In contrast to an external pentest, an internal pentest is when we perform testing from within the corporate network. This stage may be executed after successfully penetrating the corporate network via the external pentest or starting from an assumed breach scenario. Internal pentests may also access isolated systems with no internet access whatsoever, which usually requires our physical presence at the client's facility.
Types of Penetration Testing
No matter how we begin the pentest, the type of pentest plays an important role. This type determines how much information is made available to us. We can narrow down these types to the following:
| Type | Information Provided |
|---|---|
| Blackbox | Minimal. Only the essential information, such as IP addresses and domains, is provided. |
| Greybox | Extended. In this case, we are provided with additional information, such as specific URLs, hostnames, subnets, and similar. |
| Whitebox | Maximum. Here everything is disclosed to us. This gives us an internal view of the entire structure, which allows us to prepare an attack using internal information. We may be given detailed configurations, admin credentials, web application source code, etc. |
| Red-Teaming | May include physical testing and social engineering, among other things. Can be combined with any of the above types. |
Laws and Regulations
Each country has specific federal laws regulating computer-related activities, copyright protection, interception of electronic communications, use and disclosure of protected health information, and collection of personal information from children.
It is essential to follow these laws to protect individuals from unauthorized access and exploitation of their data and to ensure their privacy. We must be aware of these laws to ensure our research activities are compliant and do not violate any of the provisions of the law. Failure to comply with these laws can result in civil or criminal penalties, making it essential for individuals to familiarize themselves with the law and understand the potential implications of their activities. Furthermore, it is crucial to ensure that research activities adhere to these laws' requirements to protect individuals' privacy and guard against the potential misuse of their data.
Precautionary Measures during Penetration Tests
We have prepared a list of precautions we highly recommend following during each penetration test to avoid violating most laws. In addition, we should also be aware that some countries have additional regulations that apply to specific cases, and we should either inform ourselves or ask our lawyer.
| Precautionary Measure | |
|---|---|
| ☐ | Obtain written consent from the owner or authorized representative of the computer or network being tested |
| ☐ | Conduct the testing within the scope of the consent obtained only and respect any limitations specified |
| ☐ | Take measures to prevent causing damage to the systems or networks being tested |
| ☐ | Do not access, use or disclose personal data or any other information obtained during the testing without permission |
| ☐ | Do not intercept electronic communications without the consent of one of the parties to the communication |
| ☐ | Do not conduct testing on systems or networks that are covered by the Health Insurance Portability and Accountability Act (HIPAA) without proper authorization |
Network Penetration Testing Process
A penetration testing process is defined by successive steps and events performed by the penetration tester to find a path to the predefined objective.
Pre-Engagement
Pre-engagement is the stage of educating the client and adjusting the contract. All necessary tests and their components are strictly defined and contractually recorded. In a face-to-face meeting or conference call, many arrangements are made, such as:
- Non-Disclosure Agreement
- Goals
- Scope
- Time Estimation
- Rules of Engagement
The entire pre-engagement process consists of three essential components:
- Scoping questionnaire
- Pre-engagement meeting
- Kick-off meeting
Before any of these can be discussed in detail, a Non-Disclosure Agreement (NDA) must be signed by all parties. There are several types of NDAs:
| Type | Description |
|---|---|
| Unilateral NDA | This type of NDA obligates only one party to maintain confidentiality and allows the other party to share the information received with third parties. |
| Bilateral NDA | In this type, both parties are obligated to keep the resulting and acquired information confidential. This is the most common type of NDA that protects the work of penetration testers. |
| Multilateral NDA | A multilateral NDA is a commitment to confidentiality by more than two parties. If we conduct a penetration test for a cooperative network, all parties responsible and involved must sign this document. |
It is vital to determine early on in the process who has signatory authority for the contract, Rules of Engagement documents, and who will be the primary and secondary points of contact, technical support, and contact for escalating any issues.
This stage also requires the preparation of several documents before a penetration test can be conducted. These must be signed by our client and by us so that the declaration of consent can also be presented in written form if required.
| Document | Timing for Creation |
|---|---|
| 1. Non-Disclosure Agreement (NDA) | After Initial Contact |
| 2. Scoping Questionnaire | Before the Pre-Engagement Meeting |
| 3. Scoping Document | During the Pre-Engagement Meeting |
| 4. Penetration Testing Proposal (Contract/Scope of Work (SoW)) | During the Pre-Engagement Meeting |
| 5. Rules of Engagement (RoE) | Before the Kick-Off Meeting |
| 6. Contractors Agreement (Physical Assessments) | Before the Kick-Off Meeting |
| 7. Reports | During and after the conducted Penetration Test |
Scoping Questionnaire
After initial contact is made with the client, we typically send them a Scoping Questionnaire to better understand the services they are seeking. This scoping questionnaire should clearly explain our services and may typically ask them to choose one or more from the following list:
- ☐ Internal Vulnerability Assessment
- ☐ External Vulnerability Assessment
- ☐ Internal Penetration Test
- ☐ External Penetration Test
- ☐ Wireless Security Assessment
- ☐ Application Security Assessment
- ☐ Physical Security Assessment
- ☐ Social Engineering Assessment
- ☐ Red Team Assessment
- ☐ Web Application Security Assessment
Under each of these, the questionnaire should allow the client to be more specific about the required assessment.
Aside from the assessment type, client name, address, and key personnel contact information, some other critical pieces of information include:
- How many expected live hosts?
- How many IPs/CIDR ranges are in scope?
- How many domains/subdomains are in scope?
- How many wireless SSIDs are in scope?
- How many web/mobile applications? If testing is authenticated, how many roles (standard user, admin, etc.)?
- For a phishing assessment, how many users will be targeted? Will the client provide a list, or will we be required to gather this list via OSINT?
- If the client is requesting a Physical Assessment, how many locations? If multiple sites are in scope, are they geographically dispersed?
- What is the objective of the Red Team Assessment? Are any activities (such as phishing or physical security attacks) out of scope?
- Is a separate Active Directory Security Assessment desired?
- Will network testing be conducted from an anonymous user on the network or a standard domain user?
- Do we need to bypass Network Access Control (NAC)?
Finally, we will want to ask about information disclosure and evasiveness (if applicable to the assessment type):
- Is the penetration test black box (no information provided), grey box (only IP addresses/CIDR ranges/URLs provided), or white box (detailed information provided)?
- Would they like us to test from a non-evasive, hybrid-evasive (start quiet and gradually become "louder" to assess at what level the client's security personnel detect our activities), or fully evasive standpoint?
This information will help us ensure we assign the right resources and deliver the engagement based on the client's expectations. This information is also necessary for providing an accurate proposal with a project timeline (for example, a Vulnerability Assessment will take considerably less time than a Red Team Assessment) and cost (an External Penetration Test against 10 IPs will cost significantly less than an Internal Penetration Test with 30 /24 networks in-scope).
Based on the information we received from the scoping questionnaire, we create an overview and summarize all information in the Scoping Document.
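The Scoping Document's IP/CIDR ranges and domains are what every later step must be checked against (see also the "conduct the testing within the scope of the consent obtained only" precaution above). The following is an added example, not code from the original page: a small helper that parses a constructed scope list, including explicit exclusions, and decides whether a target may be touched. The scope file format (one entry per line, `!` for exclusions, `#` for comments), the names and the ranges are all assumptions made for the example.

```python
"""Scope check helper (added example; the file format and sample data are constructed)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    networks: list = field(default_factory=list)          # in-scope ip_network objects
    domains: list = field(default_factory=list)           # in-scope domain names (lowercase)
    excluded_nets: list = field(default_factory=list)     # client-excluded networks/hosts
    excluded_domains: list = field(default_factory=list)  # client-excluded domains


def parse_scope(text: str) -> Scope:
    """Parse lines such as '10.10.0.0/24', '!10.10.0.5', 'example.test', '!mail.example.test'.
    A leading '!' marks an exclusion; anything after '#' is a comment."""
    scope = Scope()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        exclude = line.startswith("!")
        entry = line.lstrip("!").strip().lower()
        try:
            net = ipaddress.ip_network(entry, strict=False)      # single IPs become /32 or /128
            (scope.excluded_nets if exclude else scope.networks).append(net)
        except ValueError:                                       # not an address: treat as a domain
            (scope.excluded_domains if exclude else scope.domains).append(entry.rstrip("."))
    return scope


def _domain_matches(name: str, allowed: list) -> bool:
    """A domain entry covers itself and all of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in allowed)


def in_scope(scope: Scope, target: str) -> bool:
    """True only if the target is covered by an inclusion and by no exclusion."""
    target = target.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return _domain_matches(target, scope.domains) and not _domain_matches(target, scope.excluded_domains)
    return any(addr in n for n in scope.networks) and not any(addr in n for n in scope.excluded_nets)


# Constructed sample scope: placeholder ranges and names, not a real client's.
SAMPLE_SCOPE = """
# In-scope external ranges and domains (constructed for the example)
203.0.113.0/28
!203.0.113.5          # production mail gateway, excluded by the client
example.test
!payroll.example.test
"""
```

Exclusions win over inclusions, so a host the client carved out stays off limits even when it sits inside an in-scope range.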
Information Gathering
Information gathering describes how we obtain information about the necessary components in various ways. We search for information about the target company and the software and hardware in use to find potential security gaps that we may be able to leverage for a foothold.
Vulnerability Assessment
Once we get to the Vulnerability Assessment stage, we analyze the results from our Information Gathering stage, looking for known vulnerabilities in the systems, applications, and various versions of each to discover possible attack vectors. Vulnerability assessment is the evaluation of potential vulnerabilities, both manually and through automated means. This is used to determine the threat level and the susceptibility of a company's network infrastructure to cyber-attacks.
Exploitation
In the Exploitation stage, we use the results to test our attacks against the potential vectors and execute them against the target systems to gain initial access to those systems.
Post-Exploitation
At this stage of the penetration test, we already have access to the exploited machine and ensure that we still have access to it even if modifications and changes are made. During this phase, we may try to escalate our privileges to obtain the highest possible rights and hunt for sensitive data such as credentials or other data that the client is concerned with protecting (pillaging). Sometimes we perform post-exploitation to demonstrate to a client the impact of our access. Other times we perform post-exploitation as an input to the lateral movement process described next.
Lateral Movement
Lateral movement describes movement within the internal network of our target company to access additional hosts at the same or a higher privilege level. It is often an iterative process combined with post-exploitation activities until we reach our goal. For example, we gain a foothold on a web server, escalate privileges and find a password in the registry. We perform further enumeration and see that this password works to access a database server as a local admin user. From here, we can pillage sensitive data from the database and find other credentials to further our access deeper into the network. In this stage, we will typically use many techniques based on the information found on the exploited host or server.
PoC Documentation
In this stage, we document, step by step, how we achieved network compromise or some level of access. Our goal is to paint a picture of how we were able to chain together multiple weaknesses to reach our goal, so the client can see clearly how each vulnerability fits in and can prioritize their remediation efforts. If we don't document our steps well, it's hard for the client to understand what we were able to do, which makes their remediation efforts more difficult. If feasible, we could create one or more scripts to automate the steps we took to assist our client in reproducing our findings. We cover this in-depth in the Documentation & Reporting module.
Post-Engagement
During post-engagement, detailed documentation is prepared for both administrators and client company management to understand the severity of the vulnerabilities found. At this stage, we also clean up all traces of our actions on all hosts and servers. During this stage, we create the deliverables for our client, hold a report walkthrough meeting, and sometimes deliver an executive presentation to target company executives or their board of directors. Lastly, we will archive our testing data per our contractual obligations and company policy. We will typically retain this data for a set period or until we perform a post-remediation assessment (retest) to test the client's fixes.
| Stage | Description |
|---|---|
| 1. Pre-Engagement | The first step is to create all the necessary documents in the pre-engagement phase, discuss the assessment objectives, and clarify any questions. |
| 2. Information Gathering | Once the pre-engagement activities are complete, we investigate the company's existing website we have been assigned to assess. We identify the technologies in use and learn how the web application functions. |
| 3. Vulnerability Assessment | With this information, we can look for known vulnerabilities and investigate questionable features that may allow for unintended actions. |
| 4. Exploitation | Once we have found potential vulnerabilities, we prepare our exploit code, tools, and environment and test the webserver for these potential vulnerabilities. |
| 5. Post-Exploitation | Once we have successfully exploited the target, we jump into information gathering and examine the webserver from the inside. If we find sensitive information during this stage, we try to escalate our privileges (depending on the system and configurations). |
| 6. Lateral Movement | If other servers and hosts in the internal network are in scope, we then try to move through the network and access other hosts and servers using the information we have gathered. |
| 7. Proof-of-Concept | We create a proof-of-concept that proves that these vulnerabilities exist and potentially even automate the individual steps that trigger these vulnerabilities. |
| 8. Post-Engagement | Finally, the documentation is completed and presented to our client as a formal report deliverable. Afterward, we may hold a report walkthrough meeting to clarify anything about our testing or results and provide any needed support to personnel tasked with remediating our findings. |
Staying Organized
Whether we are performing client assessments, playing CTFs, or taking a course, organization is always crucial. It is essential to prioritize clear and accurate documentation from the very beginning. This skill will benefit us no matter what path we take in information security, or even in other career paths.
Folder Structure
When attacking a single box, lab, or client environment, we should have a clear folder structure on our attack machine to save data such as: scoping information, enumeration data, evidence of exploitation attempts, sensitive data such as credentials, and other data obtained during recon, exploitation, and post-exploitation. A sample folder structure may look as follows:
```
$ tree Projects/
Projects/
└── Keym4ker Inc.
    ├── External
    │   ├── evidence
    │   │   ├── credentials
    │   │   ├── data
    │   │   └── screenshots
    │   ├── logs
    │   ├── scans
    │   ├── scope
    │   └── tools
    └── Internal
        ├── evidence
        │   ├── credentials
        │   ├── data
        │   └── screenshots
        ├── logs
        ├── scans
        ├── scope
        └── tools
```
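To make the layout above repeatable per engagement, here is an added example (not tooling from the original page) that scaffolds the same tree for a client, restricts the `evidence` directories, which hold credentials and client data, to the owner, and renders the result in the style of `tree` for the engagement log. The base path and client name are constructed inputs; `demo()` builds everything in a throwaway temporary directory.

```python
"""Engagement folder scaffold (added example; base path and client name are constructed)."""
from pathlib import Path
import stat
import tempfile

PHASES = ("External", "Internal")
SUBDIRS = ("evidence/credentials", "evidence/data", "evidence/screenshots",
           "logs", "scans", "scope", "tools")


def valid_client_name(name: str) -> bool:
    """One plain path component: non-empty, no separators, not '.' or '..'."""
    n = name.strip()
    return bool(n) and "/" not in n and "\\" not in n and n not in (".", "..")


def create_engagement_layout(base: Path, client: str) -> list:
    """Create Projects/<client>/{External,Internal}/...; return the leaf dirs made."""
    if not valid_client_name(client):
        raise ValueError(f"bad client name: {client!r}")
    created = []
    for phase in PHASES:
        for sub in SUBDIRS:
            d = base / client / phase / sub
            d.mkdir(parents=True, exist_ok=True)
            created.append(d)
        # evidence/ holds credentials and client data: owner-only access
        (base / client / phase / "evidence").chmod(stat.S_IRWXU)
    return created


def render_tree(root: Path) -> str:
    """Directory-only rendering in the style of `tree`, sorted by name."""
    lines = [root.name + "/"]

    def walk(d: Path, prefix: str) -> None:
        kids = sorted(p for p in d.iterdir() if p.is_dir())
        for i, k in enumerate(kids):
            last = i == len(kids) - 1
            lines.append(prefix + ("└── " if last else "├── ") + k.name)
            walk(k, prefix + ("    " if last else "│   "))

    walk(root, "")
    return "\n".join(lines)


def demo(client: str = "Keym4ker Inc.") -> dict:
    """Build the layout in a throwaway directory and report what was created."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "Projects"
        created = create_engagement_layout(base, client)
        return {
            "dirs_created": len(created),
            "tree": render_tree(base),
            "creds_dir_exists": (base / client / "External/evidence/credentials").is_dir(),
        }


if __name__ == "__main__":
    print(demo()["tree"])
```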