Penetration Testing – SY0-601 CompTIA Security+ : 1.8

The process of exploiting a vulnerability in a controlled environment is a penetration test. In this video, you’ll learn about pentesting, rules of engagement, exploiting vulnerabilities, and more.




If you’re performing a penetration test, then you are actively trying to gain access to a system. You are simulating the same exploits and attacks that a real attacker would use against your organization. This is similar to the process you go through with vulnerability scanning, but you take it one step further: a vulnerability scan only identifies weaknesses, whereas a penetration test actually tries to exploit the vulnerabilities it finds to see whether access to those systems can be gained.

This is often a mandated process. Some set of rules or regulations may require you to do this, and you’ll usually contract with a third party that performs these penetration tests on a regular schedule.

A great document with information that can help you design and plan for these penetration tests comes from NIST. This is their Technical Guide to Information Security Testing and Assessment (NIST Special Publication 800-115), and you can find that at

Penetration tests can be very invasive, and it’s important that everybody understands exactly what the rules are for a particular test. These rules of engagement define the purpose of the test and the scope that the people performing the test on the network must stay within. This means that everybody will be aware of which systems will be considered, and perhaps the time of day that will be used to perform these tests.

Most organizations will define a type of test. This may be a test where a third party comes in from the outside, or it might be a test that you’re performing internally on your own network. You also have to make sure that everybody understands whether the test will occur during normal working hours or after everyone has gone home.

The rules of engagement will also list the IP addresses of devices that are in scope for the penetration test, and the devices that must not be touched or considered as part of the test. In practice, the exclusion list should take precedence over the in-scope ranges, so that a single fragile host inside an otherwise in-scope subnet stays protected. You also want to be sure that emergency contacts are listed in the rules of engagement, because occasionally things go wrong and everyone needs to be made aware of the situation quickly.
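The scope, exclusion and time-window rules described above are easiest to honour when the tester’s own tooling enforces them before any packet is sent. The following scope gate is an added example written for this page, not code from the original video or from any particular pentest tool; the rules-of-engagement dictionary, the address ranges (documentation ranges from RFC 5737) and the contact address are all constructed for illustration:

```python
"""
Rules-of-engagement scope gate (added example, not from the original video).

Assumed format for the rules of engagement: a dict with in-scope CIDR ranges,
explicitly excluded hosts, an agreed testing window in UTC, and the emergency
contacts. in_scope() is the check a tester's tooling should call before
touching any target.
"""
from __future__ import annotations

import ipaddress
from datetime import datetime, time, timezone

# Constructed sample rules of engagement (hypothetical ranges and contact).
RULES_OF_ENGAGEMENT = {
    "in_scope": ["203.0.113.0/24", "198.51.100.10"],
    "excluded": ["203.0.113.5", "203.0.113.200/30"],  # exclusions override in-scope ranges
    "window_utc": ("22:00", "06:00"),                 # after-hours window that wraps midnight
    "emergency_contacts": ["soc-oncall@example.com"],
}


def _networks(entries: list[str]) -> list[ipaddress.IPv4Network | ipaddress.IPv6Network]:
    # strict=False lets a bare host ("198.51.100.10") be treated as a /32.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def _hhmm(s: str) -> time:
    hour, minute = (int(part) for part in s.split(":"))
    return time(hour, minute)


def in_window(now: datetime, window: tuple[str, str]) -> bool:
    """True if `now` (timezone-aware) falls inside the agreed window.
    The end of the window is exclusive, and windows may cross midnight (22:00-06:00)."""
    start, end = _hhmm(window[0]), _hhmm(window[1])
    t = now.astimezone(timezone.utc).time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end  # window wraps past midnight


def in_scope(target: str, now: datetime, roe: dict = RULES_OF_ENGAGEMENT) -> tuple[bool, str]:
    """Decide whether `target` may be tested right now. Returns (allowed, reason).
    Exclusions are checked before inclusions so a carve-out inside an
    in-scope range is honoured."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False, f"{target!r} is not an IP address; resolve it first and check the address"
    if any(addr in net for net in _networks(roe["excluded"])):
        return False, f"{target} is explicitly excluded by the rules of engagement"
    if not any(addr in net for net in _networks(roe["in_scope"])):
        return False, f"{target} is not in any in-scope range"
    if not in_window(now, roe["window_utc"]):
        start, end = roe["window_utc"]
        return False, f"outside the agreed testing window {start}-{end} UTC"
    return True, "in scope and inside the testing window"


def check_at(target: str, hour: int, minute: int = 0) -> bool:
    """Convenience wrapper: evaluate `target` at a given UTC time on a fixed date."""
    now = datetime(2024, 1, 15, hour, minute, tzinfo=timezone.utc)
    return in_scope(target, now)[0]


if __name__ == "__main__":
    now = datetime(2024, 1, 15, 23, 30, tzinfo=timezone.utc)
    for t in ["203.0.113.10", "203.0.113.5", "203.0.113.201", "192.0.2.7",
              "198.51.100.10", "host.example"]:
        ok, why = in_scope(t, now)
        print(f"{'ALLOW' if ok else 'DENY '} {t:16} {why}")
```

Wrap whatever scanner or exploit launcher you use so that it refuses a target when `in_scope()` returns `False`, and log the reason string alongside the attempt; that log is also what you hand over at the end of the engagement to show that the agreed scope was respected.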

The rules of engagement should also cover how sensitive information is handled, because some will almost certainly be discovered. If you’re exploiting vulnerabilities on these systems, you could very easily gain access to databases and documents that you normally would not have access to.

The type of penetration test you want to perform determines how much information you make available to the person performing the test. For example, there is the unknown environment test (often called a black-box test), where you tell the penetration tester nothing about the systems. They go into the test completely blind and build out their own database of everything they find as they go.

There is also the known environment test (a white-box test), where the person performing the test knows everything about the environment. That’s certainly very common if you’re performing your own test internally. And there is the partially known environment test (a gray-box test), a mix of known and unknown. You may be contracting with a third party and provide them with information about some key systems, and they then perform the penetration test based on the information they have at hand.

Now that everybody understands the rules of engagement and which systems will be attacked, we can perform the actual penetration test. It’s important that the person performing these tests has explicit, written permission to exploit the vulnerabilities on those systems, because we’re actively trying to break into them and gain access to their data.

During that process there’s certainly the potential for creating a denial of service, or crashing the system that holds this data. So keep in mind that if you are performing one of these tests and something does fail, there needs to be a process in place to get that system back up and running.

There’s also never one single way to gain access to these systems, and a good penetration test will try many different techniques. You might try a password brute-force or dictionary attack based on known or popular passwords. There might be a little social engineering to try to get a password out of someone.

You could try SQL or other database injection, buffer overflows, or on-path attacks. There could be many different scenarios, and a good penetration tester is going to find the most effective way to gain access to those systems.

If the person performing the penetration test is able to get through your security and take advantage of these exploits, then conceivably anyone could do the same. That’s why it’s so important to perform these penetration tests: so that you can identify these holes and fill them before the attackers do.

Getting access to a system during a penetration test is really just the first part. Once we have that initial foothold, we can start moving to other devices on the inside of the network.

This is called lateral movement, as we move from device to device on the inside of a network. It’s very common to have very strong security on the perimeter of the network and much weaker security on the inside, which makes this lateral movement a little bit easier than the initial exploit that got us in.

Once you’ve worked so hard to gain access to these systems, you want to be sure that you’re able to return. But you don’t want someone to close these vulnerabilities and leave you without a way back.

So once you gain access to these systems, you need to establish persistence. You might create a back door, reconfigure an existing account so that you can get back into the system through it, or change or configure default passwords for a particular service, any of which will let you into that system later on, even if the original exploit happens to be fixed.

Many pen testers will take advantage of a pivot point. They gain access to one system, and that becomes the jumping-off point for reaching any other system on the inside of the network. They could use it as a proxy or as a relay, but it will be the central point from which they start their efforts on the inside of the network and gain access to other trusted systems there.

The process of performing a penetration test can modify systems and change files on these devices. After the test is over, we need to make sure that all of these systems are reverted to the way they were before the test took place. Any network reconfigurations should be put back to their original form, and if files or executables were added to a system to assist with the penetration test, those files need to be removed.

We also want to make sure that any back doors or pivot points are removed from the network, and if there were accounts that were created during the test to assist with the pen test, we need to make sure those accounts are removed as well.

In some cases, people are able to make a living performing penetration tests on devices and applications in search of a bug bounty. This is a reward provided by the owner of these systems to people who identify vulnerabilities or exploits that could be taken advantage of. These are usually vulnerabilities identified by security researchers. The more they find, the more bug bounties they can submit, and ultimately the more money they can make.