Unveiling the Art of PenTesting
Penetration testing, often abbreviated as PenTesting, is a method employed by cybersecurity professionals to identify, exploit, and report on security vulnerabilities in a system or network. There are a variety of tools and resources available for penetration testers. Regardless most experts rely on the MITRE ATT&CK Framework as a major layer of analysis ofered to clients. The inclusion is typically aimed at offering a uniform and enriched perspective on testing and mitigation strategies.
Exploits used are generally known to be safe, granting access to network systems and resources. Post successful exploitation, the penetration testers also perform post-exploitation activities, which comprise of privilege escalation and lateral movement within the network.
Many exploits used have undergone extensive testing over several years to assure minimum possible disruption. For example, PuriCloud's security research team works with several industry partners and not only contributes to the penetration testing community but also develops tools and scripts that are often used by other security professionals. We are constantly refining our methods and tools to validate and test the emerging security threats.
The methodology behind network penetration testing is intricate and depends on the environment conditions, meaning there isn't an entirely predetermined list of commands or tasks. However, much of the methodology follows a standard process as similar techniques and penetration testing concepts and principles are conducted by our penetration testers.
Here's a step by step outline of some of the methodology:
Step 1: Open Source Intelligence (OSINT) Gathering
OSINT Gathering involves collecting as much information as possible about a given organization. This phase involves gathering data like domains, sub-domains, IP address ranges, list of employees, etc., which can later be utilized to craft effective attack strategies.
The following sources are examples of where to obtain valuable insights and data for collecting information about organizations during the OSINT gathering process.
-
-
-
-
- Search Engines
-
-
-
-
-
-
-
- Social Media Platforms
-
-
-
-
-
-
-
- Publicly Accessible Databases (e.g., WHOIS)
-
-
-
-
-
-
-
- Online Forums and Discussion Boards
-
-
-
-
-
-
-
- Job Boards and Career Websites
-
-
-
-
-
-
-
- Publicly Available Reports and Publications
-
-
-
-
-
-
-
- Open Source Software and Code Repositories (e.g., GitHub)
-
-
-
-
-
-
-
- Publicly Available Information from Third-party Vendors and Partners
-
-
-
-
Step 2: Host Discovery
During this stage, the active systems within a network are identified. This could involve several techniques, from ping sweeps to port scans, depending on the scheduled assessment conditions. The following tools provide different capabilities for identifying active systems within a network during the host discovery phase.
-
-
-
-
- Nmap: A versatile network scanning tool that can identify active hosts and open ports.
-
-
-
-
-
-
-
- Masscan: An ultra-fast port scanner for quickly scanning large networks.
-
-
-
-
-
-
-
- Hping: A command-line tool for sending customized packets to probe hosts and detect responses.
-
-
-
-
-
-
-
- Zenmap (Nmap GUI): A user-friendly graphical interface for conducting host discovery and port scanning.
-
-
-
-
-
-
-
- Angry IP Scanner: A cross-platform tool for scanning IP addresses and identifying active hosts and open ports.
-
-
-
-
-
-
-
- NetScanTools Pro: A comprehensive toolkit that includes tools for host discovery, port scanning, and more.
-
-
-
-
-
-
-
- Unicornscan: A flexible network scanning tool that supports asynchronous scanning and various packet types.
-
-
-
-
-
-
-
- Nessus: A popular vulnerability scanning tool that includes host discovery capabilities.
-
-
-
-
-
-
-
- OpenVAS: An open source vulnerability scanning tool with host discovery functionality.
-
-
-
-
-
-
-
- Metasploit Framework: A penetration testing framework with modules and tools for host discovery.
-
-
-
-
Step 3: Enumeration
The enumeration stage involves identifying and analyzing the services running on the discovered ports. The goal here is to identify vulnerabilities related to configuration, patching, or authentication. The following tools can assist in identifying services, configurations, and potential vulnerabilities during the enumeration stage of a security assessment.
-
-
-
-
- Nmap: A versatile network scanning tool that identifies services, versions, and potential vulnerabilities associated with open ports.
-
-
-
-
-
-
-
- Nessus: A widely used vulnerability scanner that performs detailed scans to identify service configurations and potential vulnerabilities.
-
-
-
-
-
-
-
- OpenVAS: An open source vulnerability assessment system that scans for services, configurations, and vulnerabilities in target systems.
-
-
-
-
-
-
-
- Nikto: A web server scanner that detects misconfigurations, outdated software, and known vulnerabilities in web services.
-
-
-
-
-
-
-
- DirBuster: A tool for brute-forcing and discovering hidden directories and files on web servers.
-
-
-
-
-
-
-
- enum4linux: A tool for Windows and Samba enumeration, providing information on domains, user accounts, and network resources.
-
-
-
-
-
-
-
- SNMPWalk: A utility for enumerating SNMP-enabled devices to retrieve network device configurations and potential vulnerabilities.
-
-
-
-
-
-
-
- Hydra: A password cracking tool used for enumerating weak credentials and conducting password-based attacks on various services.
-
-
-
-
-
-
-
- WPScan: A specialized tool for enumerating vulnerabilities in WordPress websites, focusing on outdated plugins, weak configurations, and known vulnerabilities.
-
-
-
-
-
-
-
- Enumerate-IT: A comprehensive enumeration tool that automates information gathering and service enumeration using various techniques and tools.
-
-
-
Step 4: Exploitation
At this stage, attempts are made to exploit identified vulnerabilities with the goal of gaining system access. This not only demonstrates the existence of a vulnerability but also shows the potential implications of a successful exploit. Some of the following tools are often used to assist in actively exploiting vulnerabilities and gaining unauthorized access during the exploitation stage.
-
-
-
-
- Metasploit Framework: A powerful exploitation framework with a vast collection of prebuilt exploits, payloads, and post-exploitation modules.
-
-
-
-
-
-
-
- Burp Suite: A comprehensive web application security testing tool that includes features for automated and manual exploitation of web vulnerabilities.
-
-
-
-
-
-
-
- Cobalt Strike: A commercial tool for advanced penetration testing, offering powerful exploitation capabilities and post-exploitation features.
-
-
-
-
-
-
-
- Core Impact: A commercial vulnerability assessment and penetration testing tool with an extensive arsenal of exploits and advanced post-exploitation capabilities.
-
-
-
-
-
-
-
- Social Engineering Toolkit (SET): An open-source tool designed for social engineering attacks, providing modules for phishing and social engineering campaigns.
-
-
-
-
-
-
-
- PowerShell Empire: A post-exploitation framework leveraging PowerShell for controlling compromised systems and conducting various actions.
-
-
-
-
-
-
-
- SQLMap: A specialized tool for exploiting SQL injection vulnerabilities in web applications to gain unauthorized access to databases.
-
-
-
-
-
-
-
- BeEF (Browser Exploitation Framework): A tool focused on exploiting web browser vulnerabilities to gain control over target browsers.
-
-
-
-
-
-
-
- PowerShell: A powerful scripting language in Windows used for exploiting vulnerabilities and conducting post-exploitation activities.
-
-
-
-
-
-
-
- ExploitDB: An online platform providing a vast collection of exploits and vulnerabilities for different software applications, operating systems, and devices.
-
-
-
Step 5: Post Exploitation & Lateral Movement
This phase aims to extract as much information as possible from the system. By showing the potential consequences of a vulnerability, it's easier to convince organizations to address vulnerabilities that they might have previously considered non-urgent.
The severity of reported findings is typically based on the CVSS scores of the identified vulnerabilities. Occasionally, the severity of a finding may be adjusted based on the specific circumstances of the test.
The tools below can assist in extracting information, lateral movement, and demonstrating the potential consequences of vulnerabilities during the post exploitation and lateral movement phase of a security assessment.
-
-
-
-
- Metasploit Framework: An exploitation framework with post-exploitation modules for privilege escalation, lateral movement, and data exfiltration.
-
-
-
-
-
-
-
- Cobalt Strike: A commercial tool with advanced post-exploitation capabilities, including command and control infrastructure, persistence, and lateral movement techniques.
-
-
-
-
-
-
-
- PowerShell Empire: A framework with post-exploitation modules for persistence, privilege escalation, lateral movement, and data exfiltration using PowerShell.
-
-
-
-
-
-
-
- Mimikatz: A tool for extracting plaintext credentials and hashes from compromised systems, facilitating lateral movement and privilege escalation.
-
-
-
-
-
-
-
- BloodHound: A tool for graphing and visualizing Active Directory environments, aiding in identifying and exploiting trust relationships for lateral movement.
-
-
-
-
-
-
-
- PowerSploit: A collection of PowerShell scripts for post-exploitation activities, including privilege escalation, persistence, and lateral movement.
-
-
-
-
-
-
-
- CrackMapExec: A versatile tool for post-exploitation activities, such as lateral movement, credential theft, and pivoting within the network.
-
-
-
-
-
-
-
- Empire: A post-exploitation framework enabling lateral movement, privilege escalation, and persistence on compromised systems.
-
-
-
-
-
-
-
- Responder: A tool for capturing and relaying authentication requests, facilitating credential theft and potential lateral movement through relay attacks.
-
-
-
-
-
-
-
- Pupy: A cross-platform post-exploitation tool with capabilities for remote code execution, lateral movement, privilege escalation, and data exfiltration.
-
-
-
Step 6: Documentation and Reporting
After exploiting the system and gathering valuable information, findings are documented and reported. This report is crucial, as it not only outlines the vulnerabilities discovered but also details the potential impact and recommends mitigation strategies.
Each reported finding is detailed with its CVSS score, which helps in understanding the severity of the vulnerabilities. Score may be adjusted depending on the specific circumstances of the test and the potential risk to the system.
Step 7: Validation and Verification
Following the documentation, findings are validated and verified. This involves testing the vulnerabilities once again to ensure their existence, and to ensure that the suggested mitigation techniques are effective. This step provides a degree of assurance and reliability to the client and also confirms the accuracy of the previous steps.
Step 8: Client Consultation
Once the verification is completed, the penetration tester consults with the client, explaining the findings and discussing the recommended mitigation strategies. This dialogue helps the client understand the threats they are facing and the best course of action to secure their systems.
Step 9: Implementation of Remediation Steps
Based on the client consultation, the penetration tester may assist in the implementation of the remediation steps. This could involve patching systems, strengthening network defenses, and implementing stronger authentication protocols.
Step 10: Retesting
After all remediation actions have been taken, a retesting phase is initiated. This ensures that the fixes have been successful and that no other vulnerabilities have been inadvertently introduced during the remediation process.
Step 11: Final Report
Once all retesting has been completed, a final report is generated. This includes a full rundown of the initial vulnerabilities, the remediation steps taken, and the results of the retest. The report serves as a comprehensive document for understanding the penetration test process and its outcomes.
Ultimately, a penetration tester carries out comprehensive and detailed penetration testing to provide valuable insight into a network's security posture. The steps outlined here are a general guide and the actual process may vary depending on the client's environment and specific needs. The goal is to provide the most accurate and useful assessment of the system's vulnerabilities, and to guide the client in mitigating any discovered risks.
About the author
Erik V. Castle