From The Art of Network Penetration Testing by Royce Davis
This article describes penetration testing: what it is and why a company might want a penetration test. We will also delve into the job of the penetration tester.
This article covers:
- Corporate data breaches
- Adversarial attack simulations
- When organizations don’t need a penetration test
- The four phases of an internal network penetration test
Everything today exists digitally within networked computer systems in the Cloud: your tax returns, the pictures of your kids that you take with a cellphone, the locations, dates and times of all the places you’ve navigated to using your GPS. It’s all there, ripe for the picking by a dedicated and sufficiently skilled attacker.
The average enterprise corporation has ten times (at least) as many connected devices running on its network as it has employees who use them to conduct normal business operations. This probably doesn’t seem alarming to you at first thought, considering just how deeply computer systems have become integrated into our society, our existence, and our survival.
Assuming that you live on planet Earth, and I have it on good authority that you do, there’s a better than average chance you have the following:
- An email account (or four)
- A social media account (or seven)
- At least two dozen username/password combinations you’re required to manage and securely keep track of to log in and out of the various websites, mobile apps and cloud services that are essential in order to function productively within your normal everyday life.
Whether you’re paying your bills or shopping for groceries, booking a hotel room or doing really anything at all online, you’re required to create a user account profile containing at the very least a username, legal name, and an email address. Often, you’re asked to provide additional personal information, such as the following:
- Mailing address
- Phone number
- Mother’s maiden name
- Bank account & routing number
- Credit card details
We’ve all become so jaded to this reality. In fact, we don’t even bother to read the legal notices that pop up telling us exactly what companies plan to do with the information we’re giving them. We simply click “I Agree” and move on to the page we’re trying to reach — the one with the viral cat video or the order form to purchase an adorable coffee mug with an ironic and equally sarcastic joke on the side about how tired you feel all the time.
Nobody has time to read all that legal mumbo-jumbo, especially when the free shipping offer expires in just 10 minutes. Wait, what’s that, they’re offering a rewards program!? Just have to create a new account really quick. Perhaps even more alarming than the frequency with which we provide random Internet companies with our private information is the fact that most of us naively assume all of these corporations we’re interacting with are taking the proper precautions to house and keep track of our sensitive information in a secure and reliable fashion. We couldn’t be more wrong.
Corporate data breaches
If you haven’t been hiding under a rock, then I’m guessing you’ve heard a great deal about corporate data breaches. There were 943 disclosed breaches just in the first half of 2018, according to a report from Breach Level Index (https://safenet.gemalto.com/resource/PartnerAsset.aspx?id=64424543955). From a media-coverage perspective most breaches tend to go something like this:
Global Conglomerate XYZ has just disclosed that an unknown number of confidential customer records have been stolen by an unknown group of malicious hackers who managed to penetrate their restricted network perimeter using an unknown vulnerability or attack vector. The full extent of the breach including everything they made off with is, you guessed it, unknown.
Cue the tumbling stock price, a flood of angry tweets, doomsday headlines in the newspapers and a letter of resignation by the CEO as well as several of his or her advisory board members. The CEO assures us this has nothing to do with the breach; he’s been planning to step down for months now. Somebody, of course, has to take the official blame for all of it, which means the CISO who’s given 18 years to the company doesn’t get to resign; instead he or she is fired and publicly stoned to death on social media, ensuring that — as movie directors used to say in Hollywood — they’ll never work in this town again.
How hackers break in
So why does this happen so often? Are companies just that bad at doing the right things when it comes to information security and protecting our data? Well, yes and no.
The inconvenient truth of the matter is that the proverbial deck happens to be stacked disproportionately in favor of cyber attackers. Remember my earlier remark about the number of networked devices that enterprises have connected to their infrastructure at all times? This significantly increases a company’s attack surface or threat landscape, if you want to use a Super Sexy Industry Buzzword (SSIB).
The defender role
Allow me to elaborate further. Suppose it was your job to defend an organization from cyber threats. Then you would need to identify every single laptop, desktop, smartphone, physical server, virtual server, router, switch and even every Keurig machine that’s connected to your network.
Then you’d have to make sure that every application running on those devices is properly restricted using strong passwords (preferably with two-factor authentication) and properly hardened to conform to the current standards and best practices for each respective device.
Also, you’d need to make sure you’ve applied every security patch and hotfix issued by the individual software vendors as soon as they become available. Before you can do any of that though, you first have to triple-check that the patches don’t break any of your business’s day-to-day operations or people will get mad at you for trying to protect the company from hackers.
You need to do all of this all of the time for every single computer system with an IP address on your network. Sounds easy, right?
The attacker role
Now for the flip side of the coin: suppose your job is to break into the company — to compromise the network in some way or another and gain unauthorized access to restricted systems or information. You’d need to find only a single system that slipped through the cracks. Just one single device that missed a patch or contains a default or easily guessable password. Just one single non-standard deployment that needed to be spun up in a hurry to meet some impossible business deadline driven by profit targets, so one single insecure configuration setting (which ships that way by default out-of-the-box from the vendor) was left on.
That’s all it takes to get in, even if the target managed to do an impeccable job keeping track of every node on the network. New systems get stood up on a daily basis by various teams who need to get something done fast. If you’re thinking to yourself that it isn’t fair, or that it’s too hard for defenders and too easy for attackers, then you get the point because that’s exactly how it is. So, what should organizations do to avoid being hacked? This is where penetration testing comes in.
Adversarial attack simulation: penetration testing
One of the most effective ways for a company to identify security weaknesses before they lead to a breach is to hire a professional adversary or a penetration tester to simulate an attack on its infrastructure. The adversary should take every available action at his or her disposal to mimic a real attacker, in some cases acting almost entirely in secret, undetected by the organization’s IT and internal security departments until it’s time to issue their final report. Throughout this article, I’ll refer to this type of offensive-security exercise simply as a penetration test.
The specific scope and execution of a penetration test can vary quite a bit depending on the motivations of the organization purchasing the assessment (the client) as well as the capabilities and service offerings of the consulting firm performing the test. Engagements could focus on web and mobile applications, network infrastructure, wireless implementations, physical offices, and anything else you can think of to attack. Emphasis could be placed on stealth while trying to remain undetected or on gathering vulnerability information on as many hosts as possible in a short period of time. Attackers could leverage human hacking (social engineering), custom exploit code, or even dig through the client’s dumpster looking for passwords to gain access. It all depends on the scope of the engagement. The most common type of engagement, however, is one that I have performed for hundreds of companies over the past decade. I’ll call it an Internal Network Penetration Test (INPT). This type of engagement simulates the most dangerous type of threat actor (SSIB) for any organization: a malicious or otherwise compromised insider.
DEFINITION: A threat actor is a fancy way of saying attacker, i.e. anyone attempting to do harm to an organization’s information technology assets.
During an INPT, you assume that the attacker was able to successfully gain physical entry into a corporate office or perhaps was able to obtain remote access to an employee’s workstation through email phishing. It is also possible that the attacker visited an office after-hours, posing as a custodial worker, or during the day, posing as a vendor or flower delivery person. Maybe the attacker is an actual employee and just used a badge to walk in the front door.
There are countless ways to gain physical entry into a business, which can be easily demonstrated. For many businesses, an attacker simply needs to walk through the main entrance, smile politely at anyone that passes by while wandering around appearing to have a purpose or talking on a cell phone until they identify an unused area to plug into a data port. Professional companies offering high-caliber penetration testing services typically bill by the hour, anywhere from $150.00 to $500.00 per hour. As a result, it’s often cheaper for the client purchasing the penetration test to skip this part and place the attacker on the internal subnet from the beginning.
Either way the attacker has managed to get access to the internal network; now what can they do? What can they see? A typical engagement assumes that they know nothing about the internal network and have no special access or credentials. All they have is access to the network, and coincidentally, that’s usually all they need.
Typical INPT workflow
A typical INPT consists of four phases executed in order as depicted in the following diagram. The individual names of each phase are not written in stone, nor should they be. One pentest company might use the term “reconnaissance” in place of information-gathering. Another company might use the term “post-exploitation” in place of privilege escalation. Regardless of what each phase is called, most people in the industry agree on what it is that the penetration tester should do during each phase.
- Phase 1. Information Gathering
  - Map out the network
  - Identify possible targets
  - Enumerate weaknesses in the services running on those targets
- Phase 2. Focused Penetration
  - Compromise vulnerable services (gain unauthorized access to them)
- Phase 3. Post Exploitation/Privilege Escalation
  - Identify information on compromised systems which can be leveraged to further their access (pivoting)
  - Elevate their privileges to the highest level of access on the network effectively becoming the company’s system administrator.
- Phase 4. Documentation
  - Gather evidence
  - Create final deliverable
Once the testing portion of the engagement has concluded, the penetration tester makes a mental shift from adversary to consultant. They will now spend the rest of the engagement creating as detailed a report as possible. That report contains the specific explanation of all the ways in which they were able to breach security controls as well as the detailed steps the company can take to close these identified gaps and ensure that they can no longer be exploited by anyone. In 9 out of 10 cases, this process takes about 40 hours on average but can certainly vary depending on the size of the organization.
When a penetration test is least effective
You’ve heard the familiar saying, “To a hammer, every problem looks like a nail.” Turns out you can apply this saying to just about any profession you imagine. A surgeon wants to cut, a pharmacist wants to prescribe a pill, and a penetration tester wants to hack into your network. But does every organization truly need a penetration test?
The answer is that it depends on the level of maturity within a company’s information security program. I can’t tell you how many times I’ve been able to completely take over a company’s internal network before lunch time on the first day of a penetration test, but the number is somewhere in the hundreds. Now of course I would love to tell you that this is because of my super leet hacker skillz or that I’m just that good, but that would be a gross exaggeration of the truth.
In actuality it has a lot more to do with an exceedingly common scenario where immature organizations that aren’t even doing the basics have been sold an advanced-level penetration test when they should be starting with a simple vulnerability assessment or even just a high-level threat model and analysis gig. There is no point in conducting a thorough penetration test of all your defense capabilities if there are gaping holes in your infrastructure security. Holes so wide even a novice can spot them.
Attackers often seek out the path of least resistance and try to find easy ways into an environment before breaking out the big guns and reverse-engineering proprietary software, or developing custom zero-day exploit code. Truth be told, your average penetration tester doesn’t know how to do something so complex, simply because it’s never been a necessary skill for them to learn. No need to go that route when easy ways in are widespread throughout most corporations. We call these easy ways in low-hanging fruit (LHF). Some examples might include the following:
- Default passwords/configurations
- Shared credentials across multiple systems
- All users having local administrator rights
- Missing patches with publicly available exploits
There are many more but these four are extremely common and extremely dangerous. On a positive note though, most LHF attack vectors are the easiest to remediate. Make sure you’re doing a good job with basic security concepts before hiring a professional hacker to attack your network infrastructure.
Organizations with significant amounts of LHF systems on their network shouldn’t bother paying for a “go-all-out” penetration test. It would be a better use of their time and money to focus on basic security concepts like strong credentials everywhere, regular software patching, system hardening and deployment, and asset cataloging.
When does a company really need a penetration test?
If a company is wondering whether or not they should be doing a penetration test, I would advise them to answer the following questions about the organization honestly. Start with simple yes/no answers. Then, for every question that was answered yes, can they back up that answer with “Yes, because of internal process/procedure/application XYZ, which is maintained by employee ABC”?
Before Buying a Penetration Test
- Is there an up-to-date record of every IP address & DNS name on the network?
- Is there a routine patching program for all operating systems and third-party applications running on the network?
- Do we use a commercial vulnerability scan engine/vendor to perform routine scans of the network?
- Have we removed local administrator privileges on employee laptops?
- Do we require and enforce strong passwords on all accounts on all systems?
- Are we utilizing multi-factor authentication everywhere?
If you can’t answer a solid yes to all of these questions, then it’s most likely the case that a decent penetration tester would have little to no trouble breaking in and finding the crown jewels for your organization. I’m not saying you absolutely shouldn’t buy a penetration test, just that you should expect painful results.
Now it may be fun for the penetration tester; they may even brag to their friends or colleagues about how easily they penetrated your network. But I am of the opinion that this provides very little value to your organization. It’s analogous to a person never exercising in their life or eating a healthy diet and then hiring a fitness coach to look at their body and say, “You’re out of shape, that’ll be $10,000 please.”
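The first checklist question, whether there is an up-to-date record of every IP address and DNS name, can be tested by reconciling the asset inventory against host-discovery results. The sketch below is an added example, not code from the book: the inventory CSV layout, the sample addresses and the `corp.example` names are constructed, and the scan input is assumed to be Nmap grepable (`-oG`) host-discovery output.

```python
import csv
import io
import ipaddress
import re

# Constructed sample: host-discovery results in Nmap's grepable (-oG) format.
SCAN_OUTPUT = """\
# Nmap scan initiated (constructed sample)
Host: 10.0.10.1 (gw.corp.example)\tStatus: Up
Host: 10.0.10.20 (files01.corp.example)\tStatus: Up
Host: 10.0.10.35 ()\tStatus: Up
Host: 10.0.10.77 (keurig-3f.corp.example)\tStatus: Up
# Nmap done
"""

# Constructed sample: the asset inventory (column names are an assumption).
INVENTORY_CSV = """\
ip,dns_name,owner
10.0.10.1,gw.corp.example,netops
10.0.10.20,fileserver.corp.example,it-infra
10.0.10.35,,
10.0.10.50,print01.corp.example,it-infra
"""

HOST_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\s+Status: Up")


def parse_live_hosts(grepable):
    """Map each responding IP address to the DNS name the scan resolved."""
    live = {}
    for line in grepable.splitlines():
        match = HOST_LINE.match(line)
        if match:
            live[ipaddress.ip_address(match.group(1))] = match.group(2).lower()
    return live


def parse_inventory(text):
    """Map each inventoried IP address to its recorded DNS name and owner."""
    records = {}
    for row in csv.DictReader(io.StringIO(text)):
        records[ipaddress.ip_address(row["ip"].strip())] = {
            "dns_name": (row["dns_name"] or "").strip().lower(),
            "owner": (row["owner"] or "").strip(),
        }
    return records


def reconcile(live, inventory):
    """Return the gaps between what is on the wire and what is on record."""
    report = {
        # Responding hosts nobody has recorded: the ones that slip through.
        "unknown": [ip for ip in live if ip not in inventory],
        # Recorded hosts that did not answer: decommissioned, moved, or
        # simply powered off or filtered, so these need a human check.
        "stale": [ip for ip in inventory if ip not in live],
        # Both sides have a name and the names disagree.
        "name_mismatch": [
            ip for ip, name in live.items()
            if ip in inventory and name and inventory[ip]["dns_name"]
            and name != inventory[ip]["dns_name"]
        ],
        # A record with no owner fails the "maintained by employee ABC" test.
        "no_owner": [ip for ip, rec in inventory.items() if not rec["owner"]],
    }
    return {key: [str(ip) for ip in sorted(ips)] for key, ips in report.items()}


if __name__ == "__main__":
    result = reconcile(parse_live_hosts(SCAN_OUTPUT), parse_inventory(INVENTORY_CSV))
    for category, addresses in result.items():
        print(f"{category}: {', '.join(addresses) or 'none'}")
```

An empty report across several scans taken at different times of day is the kind of evidence that backs up a "yes" to that question.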
Executing a network penetration test
So, you’ve gone through all the questions and determined that your organization needs a network penetration test; good! What’s next? Up until now I’ve discussed penetration testing as a service that you would typically pay a third-party consultant to conduct on your behalf. However, more and more organizations are building internal red teams (SSIB) to conduct these types of exercises on a routine basis.
DEFINITION: A red team is a specialized subset of an organization’s internal security department focused entirely on offensive security and adversarial attack simulation exercises.
I’m going to make an assumption from here on that you’ve been or are hoping to be placed into a role that would require you to perform a penetration test for the company you work for. Maybe you have even done a handful of penetration tests already but feel like you could benefit from some additional guidance and direction.
My intention for writing this book is to provide you with a “start-to-finish” methodology that you can use to conduct a thorough INPT, targeting your company or any other organization from which you receive written authorization to do so.
You’ll learn the same methodology that I have matured over a decades-long career and used to successfully and safely execute hundreds of network penetration tests targeting many of the largest companies in the world. This process for executing controlled simulated cyber-attacks that mimic real-world internal breach scenarios has proved successful in uncovering critical weaknesses in modern enterprise networks across all verticals. After reading this book and working through the companion exercises, you should have the confidence to execute an INPT, regardless of the size or industry of the business you’re attacking. You will work through the four phases of my INPT methodology leveraging the virtual Acme Corp network, which I have set up as a companion to this book. Each of the four phases will be broken up into several chapters demonstrating different tools, techniques and attack vectors that penetration testers use frequently during real engagements.
Imagine the engineers who designed the entire corporate network sitting down with you and going over the massive diagram explaining all the zones and subnets and where everything is and why they did it that way. Your job during Part 1, the information gathering phase of a penetration test, is to come as close as you can to that level of understanding without the network engineers’ help. The more information you gain, the better your chances of identifying a weakness.
Throughout the first few chapters of this book, I’ll teach you how to gather all of the necessary information about the target network that is needed to break in. You’ll learn how to perform network mapping using Nmap and discover live hosts within a given IP address range. You’ll also discover listening services that are running on network ports bound to those hosts. Then you’ll learn to interrogate these individual services for specific information, including but not limited to the following:
- Software name & version number
- Current patch and configuration settings
- Service banners & HTTP headers
- Authentication mechanisms
In addition to using Nmap, you’ll also learn how to use other powerful open-source penetration testing tools such as the Metasploit Framework, CrackMapExec (CME), EyeWitness, and many others that you’ll use to further enumerate information about network targets, services, and vulnerabilities that can be leveraged to gain unauthorized access into restricted areas of the target network.
Let the fun begin! The second phase of an INPT is where all of the seeds planted during the previous phase finally start to bear fruit. Now that you have identified vulnerable attack vectors throughout the environment, it’s time to compromise those hosts and begin to take control of the network from the inside.
During this section of the book you’ll learn several types of attack vectors that will result in some form or another of remote code execution (RCE) on vulnerable targets. RCE means we can connect to a remote command prompt and type commands to our compromised victim that will get executed and send output back to us at our prompt.
I’ll also teach you how to deploy custom web shells using vulnerable web applications.
By the time you’re finished with this part you’ll have successfully compromised and taken control over database servers, web servers, file shares, workstations, and servers residing on Windows and Linux operating systems.
One of my favorite security blogs is written and maintained by a very respected penetration tester named Carlos Perez (@Carlos_Perez), and the heading at the top of his page (https://www.darkoperator.com) is absolutely fitting for this section of the book: “Shell is only the beginning.”
After you’ve learned how to compromise several vulnerable hosts within your target environment, it’s time to take things to the next level. In fact, I like to refer to these initial hosts that were accessible via some direct access vulnerability or another as level-1 hosts. This phase of the engagement is all about getting to level-2.
Level-2 hosts are targets that were not initially accessible during the Focused Penetration phase because you were not able to identify any direct weaknesses within their listening services. But after you’ve gained access to level-1 targets you were able to find information or vectors previously unavailable to you which allowed you to compromise a newly accessible level-2 system. This is referred to as pivoting.
During this section you’ll learn post-exploitation techniques for both Windows- and Linux-based operating systems. These techniques include harvesting clear-text and hashed account credentials to pivot to adjacent targets. You’ll practice elevating non-administrative users to admin-level privileges on compromised hosts. I’ll also teach you some useful tricks I’ve picked up over the years for searching through passwords inside hidden files and folders, which are notorious for storing sensitive information.
Additionally, you’ll learn several different methods of obtaining a Domain Admin account (a super user on a Windows Active Directory network).
By the time you’ve finished with this section of the book, you’ll understand exactly why we say in this industry that it only takes a single compromised host to spread through a network like wildfire and eventually capture the keys to the kingdom.
I realized early on in my career that hiring a professional consulting firm to execute a network penetration test is kind of like buying a $20,000 PDF document. Without the report, the penetration test means nothing. You broke into the network, found a bunch of holes in their security, and managed to elevate your initial access all the way up to the highest it can go. How does that benefit your target organization?
Truth be told, it doesn’t unless you can provide detailed documentation illustrating exactly how you were able to do it and exactly what the organization should do to ensure that you (or someone else) can’t do it again.
I’ve written hundreds of pentest deliverables and I’ve had to learn, sometimes the hard way, what clients want to see in their report. I’ve also come to the realization that they’re the ones paying thousands of dollars to read the report, so it’s probably a good idea to make sure they’re impressed.
In addition to showing you exactly what to put in an engagement deliverable, I’ll also share some efficiency habits I’ve learned over the years that have saved literally thousands of production hours of my time — time I was then able to spend doing things I enjoy, like breaking into corporate networks and not staring at a Word document editor.
Summary
- The world as we know it is operated by networked computer systems.
- It is increasingly difficult for companies to manage the security of their computer systems.
- Attackers need to find only a single hole in a network to bust the doors wide open.
- Adversarial attack simulation exercises or penetration tests are an active approach to identifying security weaknesses in an organization before hackers can find and exploit them.
- The most common type of attack simulation is an Internal Network Penetration Test, which simulates threats from a malicious or otherwise compromised insider.
- A typical INPT can be executed within a 40-hour work week and consists of four phases:
  - Information Gathering
  - Focused Penetration
  - Privilege Escalation