Those of us who have conducted or participated in a penetration test will understand that tools are not the only thing necessary to successfully complete a PenTest. Methodologies are essential for ensuring that the assessor identifies all vulnerabilities within the client’s network.
1Q: I don’t have any experience in professional penetration testing, which keeps me from getting a job. How can I gain experience? Can I do some Black Hat attacks and turn that into a career?
A: 20 years ago, there weren’t many people who understood information system security, which forced a lot of companies to contract with Black Hats for advice on how to harden and defend networks against malicious attacks. Today, the situation has changed; most people caught hacking illegally end up in jail, and their long-term prospects of getting into the information system security field are destroyed.
Enough professional penetration testers exist in today’s market that companies can hire professionals who have remained untangled with the law.
2Q: How do I find out more about local laws that might affect me during a professional penetration test?
A: A lawyer is your best friend. Obtain the services of an attorney who specializes in contracts and computer law. The money spent on a lawyer is money well spent.
3Q: I’m new at penetration testing and don’t know where to begin. I have many years of experience doing system administration and am good at what I do. How do I take the next step?
A: Join some local organizations that focus on information system security. Not only can you develop local contacts, you can also find out what type of market exists in your area for professional penetration testing services.
4Q: Do I have to have certifications to conduct a penetration test?
A: There are no certification requirements for the profession of penetration testing. However, employers may be hesitant to hire someone without industry-recognized certifications. Obtaining certifications is often necessary to get past HR.
5Q: What type of certifications should I get to become a professional penetration tester?
A: It really depends on your interest. If networks or operating systems are your interest, obtain the networking or operating systems security certifications specific to the vendor you prefer.
If your interest is in databases or applications, look for high-level certifications and support them with certifications specific to the language or database version you are interested in.
6Q: How do I find a local association dedicated to penetration testing?
A: While there are no organizations specifically focused on penetration testing, there are numerous organizations that focus on information system security.
7Q: How do I become a good PenTester?
A: Surprisingly, we receive this question a lot. As we know, there are many obstacles to learning to hack professionally. The ability to use hacking tools is only part of the equation; practice and the use of a methodology are essential. Creating a lab is a start, because it gives you a place to practice.
8Q: Can a penetration test team work without the project manager position?
A: Absolutely. It may not be the most effective way of conducting a penetration test, but the size of the PenTest or the experience of the PenTest team can sometimes dictate the need for project management.
9Q: So the penetration test team does not need a project manager?
A: Not true – a lot of the project management processes will still need to be performed, regardless of whether or not there is a person assigned as a project manager. The team manager often fulfills the role of project manager when there is no specific position available.
This can lead to conflicts of interest, and processes being overlooked or ignored because of time constraints.
10Q: We don’t really have a team champion in our organization; are they really necessary?
A: Penetration test teams are expensive, and they produce nothing but reports and headaches for network and system administrators. Without a team champion high in the organization, a PenTest team is always at risk of being cut for budget reasons, if nothing else.
11Q: Why should I care if I use a wireless access point in my lab, or if I use any encryption at all? If someone connects to it and their system is damaged as a result of penetration tests within the lab, it’s their own fault for connecting to a network they don’t have authorization to connect to.
A: The laws surrounding unauthorized access to wireless networks are still being written. The problem is that most wireless devices are configured to automatically connect to the strongest signal. If that signal is coming from the lab, the user may not even be aware that they have connected to a hostile network.
Strong encryption can prevent accidents from happening.
12Q: Should I be concerned with adding network devices to my lab if all I am interested in is Web hacking?
A: Probably not. However, the use of Web proxies in the network would provide an additional challenge and would also provide a more realistic scenario of what larger corporations do to protect their Web server. Adding network devices into a lab brings more realism into any PenTest scenario, and can improve the skills and knowledge of the PenTest engineer.
13Q: Why aren’t there any PenTest LiveCDs with the Windows OS on them?
A: Licensing. Linux distributions are licensed under a much more flexible license than Microsoft Windows software.
14Q: I’ve looked at some of the exploitation scripts in Metasploit and on exploit-db.com, and I cannot understand what they do – I don’t have the programming skills to comprehend the syntax.
A: Now is a good time to learn programming, which helps not only in understanding exploitation scripts but also in speeding up the penetration test project by automating attacks.
15Q: Between the OSSTMM and the ISSAF, which methodology is the best?
A: It depends on the skills of the penetration tester. In some cases, both methodologies can be used, to ensure that nothing is overlooked. Methodologies are not rigid and should not be applied to a penetration test in a rigid manner. It is often necessary to expand on any process beyond documented best practices; penetration testing is no exception.
16Q: The OSSTMM seems to discuss penetration testing at too high a level. Why aren’t there examples of penetration tests, using well-known tools?
A: Unfortunately, each penetration test is different, requiring different methods to obtain a successful result. Providing examples for penetration testers to follow can limit the assessor’s thinking process and force them into simply repeating steps and commands in every penetration test they conduct.
In other words, suggesting tools and providing examples remove the need for thinking and turn the engineer into a “script kiddie.”
17Q: Can I use members on the PenTest team as subject-matter experts when assigning risk?
A: Absolutely, but it is not always the best way. Members of a PenTest team may view vulnerabilities in a different way than the rest of the Information Security industry because they are exposed to exploitable vulnerabilities all the time.
Frequency of attack, network defenses, and industry-wide use of a vulnerable application need to be taken into account before assigning risk, which doesn’t always occur in small, isolated groups such as a PenTest team.
18Q: Can I still use quantitative analysis even though I don’t have a lot of data?
A: Sometimes the PenTest engineers must use whatever data is available to them, even if it is not large enough from a statistical point of view. The danger is that a decision made because of weak data is never followed up on.
If a decision is made without sufficient information, the PenTest team should review the risk at a later date, when additional and relevant information is gathered so that the risk can be assigned properly.
19Q: Which is better – a third-party risk level or something made in-house?
A: For an organization just starting out, the use of a third-party analysis of risk is preferable to something made in-house. Over time, the third-party data should be modified to reflect the real risk present in a corporate network.
If the PenTest engineers have enough knowledge of the target network, have enough experience in performing risk analysis, and use a well-defined methodology, the end result will be a very focused and pertinent risk assessment.
20Q: When do I know I have enough information?
A: You will never have all the information you need before heading into the next phases of the penetration test. It is not unusual that you will need to return to this phase to gather additional information, based on later findings. Move on when you understand the target’s network sufficiently to begin the Vulnerability Identification phase.
21Q: How do I find the Web groups containing employee and/or company comments?
A: The easiest way is to search for e-mail addresses – often engineers will post their e-mail address in their posts, especially in forums. This facilitates a quicker response. However, be aware that the e-mail address may be modified to hide from Web crawling software specifically designed to harvest e-mail addresses for spamming purposes.
As an illustration, if the company’s domain name is example.com, you may need to search for “example dot com” or even more complicated word combinations.
22Q: I cannot find information about a target on any archival sites. Why?
A: Google.com and Archive.org have a policy that permits data owners to request that their data be removed from any archival process. The reason may be legal, to prevent confusion, or to protect themselves from hackers who use these sites to gather information for malicious attacks.
23Q: I did some information gathering on myself and was horrified with what I found. How do I get the information taken off the Internet?
A: Some material is required to be public information, especially many government records, such as land deed, court, marriage, and death records. As government agencies see the benefit of moving access to these records onto the Internet, expect more of these records to be made available and privacy to be lessened overall.
Information that is not public record can be removed under some circumstances, especially if you are the copyright holder of the information; otherwise, there may not be much you can do.
24Q: What is the best way to prevent scope creep in this phase of the penetration test?
A: Most scope creep comes from the penetration test engineers in this phase. Engineers will often find systems that are not within the target list, which may contain exploitable vulnerabilities. If these targets can be added without severely affecting the project, it is best to use the project scope management plan and the change control system to get the targets added into the scope.
If the cost or risk is prohibitive, the client should be made aware of the omission and a follow-up penetration test should be scheduled.
25Q: How slow should I conduct my scan to avoid IDSes?
A: It depends entirely on the network administrators who set up the rules on the IDS. Large corporate networks are scanned frequently by malicious users, especially those networks that are Internet-facing (such as a DMZ). In cases where systems are exposed to the Internet, scans rarely need to be slowed down, because IDSes often ignore scans entirely due to the volume. Scans within internal networks are a different matter.
Network administrators may configure IDSes to look specifically for scanning attacks, which will require a much slower attack. The actual speed at which to conduct the attack is simply a guess, but it can be slowed down to cover days, if needed.
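A defender-side illustration of the threshold logic behind the answer above, added here as an example and not taken from the original text: a simple scan detector that flags a source touching at least N distinct ports within a sliding time window, run over constructed log lines (the log format, hosts and thresholds are assumptions for the example). It shows why a short window catches a fast sweep but misses the same sweep spread over hours, and why widening the window closes that gap.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One connection-attempt record per line (constructed format, e.g. from a flow log)
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")

def parse_line(line):
    """Parse a log line into (timestamp, src, dst, dport); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def detect_scans(lines, window_seconds, port_threshold):
    """Flag sources that touch >= port_threshold distinct (dst, port) pairs
    within any window of window_seconds. Returns a sorted list of source IPs."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            ts, src, dst, dport = rec
            by_src[src].append((ts, (dst, dport)))
    window = timedelta(seconds=window_seconds)
    flagged = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(events):
            targets = set()
            for ts, target in events[i:]:
                if ts - start > window:      # sliding window starting at event i
                    break
                targets.add(target)
            if len(targets) >= port_threshold:
                flagged.append(src)
                break
    return sorted(flagged)

PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]

def build_sample_log():
    """Constructed sample: a fast sweep, the same sweep spread over hours, and a benign client."""
    base = datetime(2024, 1, 1, 8, 0, 0)
    lines = []
    for i, port in enumerate(PORTS):      # 12 ports in 12 seconds
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} src=10.0.0.5 dst=10.0.0.20 dport={port}")
    for i, port in enumerate(PORTS):      # same 12 ports, one per hour
        lines.append(f"{(base + timedelta(hours=i)).isoformat()} src=10.0.0.6 dst=10.0.0.20 dport={port}")
    for i in range(50):                   # normal web client: only ports 80 and 443
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} src=10.0.0.7 dst=10.0.0.20 dport={80 if i % 2 else 443}")
    return lines

SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    print("60s window, 10 ports:", detect_scans(SAMPLE_LOG, 60, 10))
    print("24h window, 10 ports:", detect_scans(SAMPLE_LOG, 86400, 10))
```

Real IDS rules combine several signals (SYN-only connections, RST responses, per-destination counts), but the window-and-threshold trade-off shown here is the knob the answer refers to.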
26Q: Why isn’t the OS number very specific in any of the scans?
A: The scans we use examine the TCP stack. When an OS kernel is updated, the TCP protocol may or may not be modified. It is possible that no changes are made to the network stack for many years, which makes it more difficult to know exactly what version of the OS we are looking at.
27Q: If a service does not provide any banner information and does not respond to any tools (like the example with smbclient), what can be done to determine what service is running?
A: There are some “fuzzing” programs that can be used to query a communication port. These programs might be able to get the application to respond and give some insight into what the application is for. Another technique is to intercept and analyze all communication entering that port, by capturing all packets destined for the target system.
28Q: What is a good source to find usable exploits?
A: Exploit-db.com is a repository for numerous exploits and is usually a great starting point. The Metasploit framework also contains many exploits. When these two sources do not have what you need, start looking around the Internet. Many security experts have posted exploits only on their personal Web site or on GitHub.
29Q: The exploit I downloaded doesn’t work – what do I do?
A: Often, an exploit is written for a specific operating system and language pack. Different systems often require different methods of exploiting vulnerabilities. Chances are the exploit works, but needs to be rewritten to function on the target’s version of the operating system.
30Q: What’s the best way to prevent scope creep in this section of the penetration test?
A: To understand the totality of the security threat in a network or system is almost impossible, so there will almost always be something new to pursue. Based on the engineer’s feedback, a newly discovered vulnerability may not yield sufficient results to pursue.
However, the vulnerability should still be mentioned in the final report and examined in a future penetration test. A well-defined scope at the beginning of the project will help the project manager know when the scope has been crossed and controls need to be implemented to contain the project from expanding.
31Q: What additional learning tools would you suggest to better learn Web hacking, reverse engineering, fuzzing and so forth?
A: There are many Web sites devoted to these topics that can provide a good understanding of the techniques needed to conduct a penetration test. However, these topics are advanced, and learning on your own takes a lot of time.
For professional penetration testers, we strongly encourage attending professional training courses and acquiring the latest books available on the topics. Qualified training courses and industry-recognized books are a quicker way to obtain the information, and in this industry time is definitely money.
32Q: I cannot obtain administrative privileges on the target system. What should I do?
A: In a professional penetration test, it is not always possible to obtain admin access. It is reasonable to conclude a PenTest without this access.
33Q: How do I sniff network traffic from a different network?
A: You can only sniff traffic on the network to which you are currently connected. To sniff traffic on a network different from your own, you need to compromise a system (or place one) in the target network.
34Q: I have a lot of IVs from a wireless WEP attack, but aircrack-ng still hasn’t been able to crack the key. What am I doing wrong?
A: Although improvements have been made to reduce the number of IVs needed to crack a key, sometimes everything goes wrong for a penetration tester, and the “right” IVs are not captured. The exact moment a WEP key is cracked will vary significantly between one PenTest and the next.
35Q: How do I create a reverse shell if I don’t have access to the server?
A: To create a backdoor to a system, the target system must be exploited first. Some exploit payloads include reverse shells. However, until you gain access to the system, creating a backdoor will have to wait.
36Q: How concerned should I be about unencrypted tunnels?
A: Besides detection avoidance, an encrypted tunnel protects the client’s data. Using encryption in a professional penetration test is the prudent choice.
37Q: During a professional penetration test, what sort of rules need to be in place when log data is manipulated or deleted?
A: Log files often contain data beyond just login information – most log files are intended to provide a method of troubleshooting problems on a system. By modifying or deleting log data, you run the risk of deleting critical data beyond simple login information.
If log files are modified during a PenTest, the risks should be made clear to the appropriate stakeholders and specifically explained in writing within the PenTest plan. Stakeholders need to acknowledge their understanding as well, before any log data is modified.
38Q: If I cannot modify the log, is there any other way to hide my tracks?
A: Because log files contain information beyond just login information, you can generate messages that will bury or delete your login attempts. To prevent a file from filling up with log data, controls are often in place to delete the oldest log data. If it appears this is the case with your target, try to flood the log files with irrelevant and innocuous data. It might help.
39Q: If there is no way to modify log data and I cannot flood it, what other alternative is there?
A: If you can modify the application configuration, you may be able to redirect or halt the logging altogether.
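Questions 37 through 39 describe what a tester may do to logs (modify, delete, flood, redirect or halt). The control a defender wants against exactly those actions is tamper-evident logging. The following is an added example, not code from the original text: each entry carries a sequence number, the previous entry's hash and its own hash, and an off-host "anchor" (the last hash as forwarded to a collector) is assumed so that truncation or halted logging is visible too. Entry text and hosts are constructed.

```python
import hashlib

GENESIS = "0" * 64  # previous-hash value used for the first entry

def entry_hash(seq, prev_hash, message):
    """Bind the sequence number, the previous entry's hash and the message."""
    return hashlib.sha256(f"{seq}\t{prev_hash}\t{message}".encode()).hexdigest()

def append_entry(lines, message):
    """Append a chained entry to the in-memory log; return the new head hash."""
    seq = len(lines)
    prev = lines[-1].split("\t", 3)[2] if lines else GENESIS
    h = entry_hash(seq, prev, message)
    lines.append(f"{seq}\t{prev}\t{h}\t{message}")
    return h

def verify_chain(lines, anchor_head=None):
    """Walk the chain. Returns (ok, index_of_first_problem, reason).
    anchor_head is the last hash as recorded off-host; without it,
    dropping entries from the tail is undetectable."""
    prev = GENESIS
    for i, line in enumerate(lines):
        seq, stored_prev, h, message = line.split("\t", 3)
        if int(seq) != i:
            return False, i, "sequence gap: entry deleted or inserted"
        if stored_prev != prev:
            return False, i, "previous-hash mismatch"
        if entry_hash(i, prev, message) != h:
            return False, i, "entry contents modified"
        prev = h
    if anchor_head is not None and prev != anchor_head:
        return False, len(lines), "tail missing: log truncated or logging halted"
    return True, None, "ok"

def build_sample():
    """Constructed sample entries (not real audit data)."""
    lines, head = [], GENESIS
    for msg in ["sshd: session opened for user alice",
                "sudo: alice ran /usr/bin/systemctl restart nginx",
                "sshd: session closed for user alice",
                "cron: nightly backup started",
                "cron: nightly backup finished"]:
        head = append_entry(lines, msg)
    return lines, head

def tamper_results():
    """Verify the intact log and three tampered copies of it."""
    lines, head = build_sample()
    modified = list(lines)
    modified[1] = modified[1].replace("restart nginx", "status nginx")
    deleted = lines[:1] + lines[2:]      # middle entry removed
    truncated = lines[:3]                # last two entries dropped
    return {
        "intact": verify_chain(lines, head),
        "modified": verify_chain(modified, head),
        "deleted": verify_chain(deleted, head),
        "truncated_no_anchor": verify_chain(truncated),
        "truncated_with_anchor": verify_chain(truncated, head),
    }
```

A hash chain alone is not enough against someone who can rewrite the whole file and re-chain it, so the anchor must live off-host; keying the hashes with an HMAC secret not present on the logging host is the usual next step.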
40Q: During a penetration test, should I report all vulnerabilities, even if they are minor?
A: Just because a vulnerability is minor now does not mean an exploit isn’t just around the corner. The purpose of listing vulnerabilities in the final report is so that the client’s management can make informed decisions on how best to secure the target system or network.
By not including a vulnerability, you are effectively making decisions on their behalf; include all vulnerabilities, no matter how minor.
41Q: We all know that the abstract in a penetration test is called an executive summary – what should the text area be called?
A: The different areas in a report will be called different things, depending on who is writing it. We’ve seen the text body titled many different things, including “findings,” “discoveries,” and “synopsis.”
If we were writing for a scientific journal, the topics within the paper would be very well defined. However, we are not constrained by such formalities, meaning the different areas can be titled whatever you fancy.
42Q: I don’t work on a penetration test team – who can I find to perform a peer review?
A: If you haven’t joined a local information security organization, now is the time. Besides the information-packed meetings, information security organizations provide networking opportunities. Chances are, you can find someone in the group who is willing to do peer reviews. Don’t expect them to do it for free; you get what you pay for.
43Q: If I discover illegal activity during a penetration test, can’t I just inform the client and let them deal with the finding?
A: Contact your attorney. We know that sounds like an excuse, but the law is complicated and fluid. Every penetration test team should have access to an attorney familiar with the laws surrounding information system assessments.
44Q: Who is responsible for disaster recovery and business continuity in a penetration test team?
A: Typically, the functional manager will have corporate guidelines on how to satisfy disaster recovery and business continuity requirements and is ultimately responsible for the team’s adherence to the guidelines.
45Q: Should I archive network devices, such as firewalls and routers?
A: If you attack any of those systems using malware, it is prudent to archive the information for future inquiries. Otherwise, it’s probably not necessary to include those devices in the archival process.
46Q: When working with virtual images, what is the best way to save data – should I share data between the virtual image and the host system?
A: By allowing the virtual machine access to your host system, you run the risk of infecting the host itself. If infection of the host system is not a problem, then it may be fine to share data between the two systems. It is not something I would do, but should be fine in some cases.
47Q: Why can’t I simply delete a file, instead of using a program like shred?
A: When files are deleted by the OS, the only thing removed is typically the file listing – not the file. This means that the data is still there. If we are worried about sensitive information regarding our client’s network, we really should erase all data, not just the file reference.
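The answer above is the reason tools like shred overwrite before unlinking. As an added example (not from the original text), the following does the same in Python: overwrite every byte with random data, force it to disk, and only then remove the directory entry. The demonstration runs on a temporary file containing a constructed marker string.

```python
import os
import tempfile

def overwrite_in_place(path, passes=3, chunk_size=64 * 1024):
    """Overwrite every byte of the file with random data, `passes` times,
    forcing each pass to disk with fsync. Returns the number of bytes scrubbed.
    Caveat: this only helps on filesystems that write in place. Journaling,
    copy-on-write filesystems, snapshots and SSD wear-levelling can keep old
    copies, so full-disk encryption with key destruction is the stronger control."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size

def shred_file(path, passes=3):
    """Overwrite, truncate (so the length no longer leaks), then unlink.
    Plain deletion performs only the last step."""
    scrubbed = overwrite_in_place(path, passes)
    with open(path, "r+b") as f:
        f.truncate(0)
        f.flush()
        os.fsync(f.fileno())
    os.unlink(path)
    return scrubbed

def demo():
    """Constructed demonstration: the marker is gone from the file's blocks
    before the directory entry is removed."""
    marker = b"CLIENT-NETWORK-DIAGRAM-CONFIDENTIAL"
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(marker * 1000)
    original_size = os.path.getsize(path)
    overwrite_in_place(path, passes=1)
    with open(path, "rb") as f:
        after = f.read()
    marker_gone = marker not in after and len(after) == original_size
    scrubbed = shred_file(path)
    return {"marker_gone": marker_gone,
            "removed": not os.path.exists(path),
            "bytes": scrubbed}

if __name__ == "__main__":
    print(demo())
```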
48Q: How often should a risk management register entry be re-evaluated?
A: Every time a risk becomes reality, the project team should evaluate the results of the event and modify the register entry accordingly. Unless there is a pressing need, an entry does not have to be re-evaluated until the risk materializes.
49Q: As a decision maker dealing with a risk, can I choose to perform an action other than those listed in the risk register?
A: The risk register is a guideline, intended to provide options that were developed in moments of calm. It is impossible to know all the variables involved in future events, so decisions can be made that are contrary to those listed in the risk register.
However, in real-world cases when a manager deviates from the risk register options, the manager is often pressed to explain why they didn’t follow the suggestions.
50Q: How is a knowledge database different from the information in vulnerability databases found on the Internet?
A: Entries related to vulnerabilities in the knowledge database may be quite similar to the common vulnerabilities and exposures (CVE) information posted in vulnerability databases.
The difference in this case is that the knowledge database entry is only created when a vulnerability is found within the corporate or client’s network.