
The 5 Steps of every Penetration Test!


When it comes to Hollywood, hacking can sometimes look like magic. Rapid keystrokes, random characters racing across the screen, suddenly the firewall is hacked and the attacker has control over the systems. In reality, there is usually a lot more to it. This is why in this post we take a look at how professional hackers actually operate and how the 5 phases of a Penetration Test work.

The Art of Hacking

Hacking requires a meticulous procedure and often a lot of patience. Movies, however, almost always show only a small section of it, namely the phase in which the target system is finally attacked. Yet vulnerabilities that can be exploited for such attacks are not as easy to come by as it may seem. Without proper preparation, even the best hacker will achieve only a fraction of the possible results.

Professional hacking actually has a lot in common with the work of a detective: we move from clue to clue. Our goal is to use the available resources to make a computer behave in a way it was never intended to. Now let’s take a closer look at what the individual steps look like in detail.

Phase 1: Passive Reconnaissance


Many terms used in the hacker scene have their origin in the military. Our first action is Passive Reconnaissance. The word “passive” is decisive here: we do not yet come into direct contact with our target but gather everything that is publicly available about it. The term Open Source Intelligence, or OSINT, is commonly used for this kind of information gathering.

Penetration Test Phase 1: Passive Reconnaissance

We start with a basic Google search to find out how our target is represented on the Internet. Using so-called Google Dorks, i.e. advanced search operators such as site:, filetype: or inurl:, we can also search specifically for information that has ended up on the web unintentionally. Next, we check DNS and WHOIS records to identify further domains, hosts, mail servers and IP ranges belonging to the target. Employee profiles and forum posts often reveal which technologies are in use, and the skills requested in job advertisements, such as “good Java skills”, are a good clue to the technology stack. Of course, many other sources and techniques are available.
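To make the output of this phase concrete, here is an added example (my own script, not code from the original post) that turns the raw material of passive reconnaissance into a list of hosts for the next phase: it parses WHOIS output for name servers and registrar details, parses dig-style DNS answers (A, CNAME, MX and the SPF TXT record, whose include: entries reveal third-party mail providers) and assembles the dork queries for the target. The domain example.com, the addresses and the WHOIS and DNS text are constructed for the example, not real query results.

```python
# Passive reconnaissance helper: no packets are sent to the target; the inputs
# below stand in for what `whois example.com` and `dig +noall +answer` return.

# Constructed WHOIS output for the fictional target (not a real lookup).
WHOIS_SAMPLE = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
Registrant Organization: Example Corp
Registrant Email: hostmaster@example.com
"""

# Constructed answer lines in `dig +noall +answer` style (RFC 5737 test addresses).
DNS_SAMPLE = """\
example.com.        3600 IN A     192.0.2.10
www.example.com.    3600 IN CNAME example.com.
example.com.        3600 IN MX    10 mail.example.com.
mail.example.com.   3600 IN A     192.0.2.25
example.com.        3600 IN TXT   "v=spf1 include:_spf.mailhost.example.net -all"
"""


def parse_whois(text):
    """Extract the WHOIS fields that matter for recon: registrar, registrant, name servers."""
    info = {"name_servers": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "name server":
            info["name_servers"].append(value.lower())
        elif key in ("registrar", "registrant organization", "registrant email"):
            info[key.replace(" ", "_")] = value
    return info


def parse_dns(text):
    """Turn dig-style answer lines into (name, type, data) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 4)          # name, ttl, class, type, rdata
        if len(parts) < 5 or parts[2] != "IN":
            continue
        records.append((parts[0].rstrip("."), parts[3], parts[4].strip()))
    return records


def collect_hosts(records, whois):
    """Build the host and IP lists we carry into Active Reconnaissance."""
    hosts, ips = set(), set()
    for name, rtype, data in records:
        hosts.add(name)
        if rtype == "A":
            ips.add(data)
        elif rtype == "CNAME":
            hosts.add(data.rstrip("."))
        elif rtype == "MX":
            hosts.add(data.split()[1].rstrip("."))   # "10 mail.example.com."
        elif rtype == "TXT":
            # SPF include: entries name the mail providers the target relies on.
            for token in data.strip('"').split():
                if token.startswith("include:"):
                    hosts.add(token[len("include:"):])
    hosts.update(whois["name_servers"])
    return sorted(hosts), sorted(ips)


def build_dorks(domain):
    """Google dork queries for content that leaked onto the web (our own checklist)."""
    return [
        f"site:{domain}",
        f"site:{domain} filetype:pdf",
        f"site:{domain} inurl:admin",
        f'site:{domain} intitle:"index of"',
        f'-site:{domain} "{domain}"',    # mentions of the target on other sites
    ]


if __name__ == "__main__":
    whois = parse_whois(WHOIS_SAMPLE)
    hosts, ips = collect_hosts(parse_dns(DNS_SAMPLE), whois)
    print("registrar:", whois["registrar"])
    print("hosts:", hosts)
    print("ips:", ips)
    print("\n".join(build_dorks("example.com")))
```

The hosts that do not belong to example.com itself (the name servers under example.net and the SPF include) are exactly the ones to double-check against the scope before Phase 2: they may be operated by a third party that has not authorized any testing.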

As already mentioned, up to this point we have only used publicly available information. Accordingly, this is also the last step that is legal without a contract between both parties (the legal situation around hacking is covered in a separate post). Everything from the next phase onward requires written authorization that defines the scope and the rules of engagement.

Phase 2: Active Reconnaissance


Things look different in the second step of the reconnaissance phase. During Active Reconnaissance we get in direct contact with our target: for the first time we send requests to the previously identified systems. Our goal is to understand and analyze the entire attack surface. Otherwise we will miss important relationships between systems later on and almost certainly overlook numerous attack scenarios.

Penetration Test Phase 2: Active Reconnaissance

Which services are running on the servers? Are firewalls in use that can influence or perhaps even prevent our attacks? Is there any outdated software in use for which known vulnerabilities already exist?

To answer these questions, the first thing we do is run a port scanner like Nmap. Suppose the scan reports that ports 22, 443 and 3389 are open on our target. That tells us to look for weaknesses in the SSH (port 22) and RDP (port 3389) configuration and that a website is probably reachable via HTTPS (port 443). Port numbers are only conventions, though: a service can listen on any port, so we let Nmap’s service and version detection (-sV) talk to each open port and tell us what actually answers. A port reported as “filtered” rather than “closed” is a hint that a firewall is dropping our probes.
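As an added example (not from the original post), the script below reads the XML that Nmap writes with -oX, lists the open and filtered ports and derives the follow-up work for the exploitation phase. The scan output is constructed: the host 192.0.2.10, the product names and versions are invented, and the NEXT_STEPS checklist is my own mapping, not something Nmap provides. The script keys its decisions on the service Nmap identified rather than on the port number, and flags services whose name came from Nmap’s port table (method="table") instead of a probe response, because those are only guesses.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML (the shape `nmap -sV -oX scan.xml 192.0.2.10` produces),
# trimmed to the elements this script reads. Host, products and versions are invented.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.10">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="filtered" reason="no-response"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" tunnel="ssl" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="open" reason="syn-ack"/>
        <service name="ms-wbt-server" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Our own follow-up checklist per identified service (assumed, not part of Nmap).
NEXT_STEPS = {
    "ssh": "review SSH config: allowed auth methods, weak ciphers, default credentials",
    "http": "enumerate the web application: endpoints, parameters, framework, TLS config",
    "ms-wbt-server": "check RDP: NLA enforced, exposure to the Internet, credential policy",
}


def parse_nmap(xml_text):
    """Flatten Nmap XML into one dict per scanned port."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            findings.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": port.find("state").get("state"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # method="table": name looked up by port number, no response was probed
                "guessed": svc is not None and svc.get("method") == "table",
            })
    return findings


def plan(findings):
    """Derive the Phase 3 work list; filtered ports are recorded as firewall evidence."""
    tasks = []
    for f in findings:
        target = f"{f['host']}:{f['port']}/{f['proto']}"
        if f["state"] == "filtered":
            tasks.append(f"{target} filtered - a firewall is dropping our probes")
        elif f["state"] == "open":
            step = NEXT_STEPS.get(f["service"], "identify the service manually")
            banner = " ".join(x for x in (f["service"], f["product"], f["version"]) if x)
            note = " (name guessed from port table, verify manually)" if f["guessed"] else ""
            tasks.append(f"{target} {banner} -> {step}{note}")
    return tasks


if __name__ == "__main__":
    for task in plan(parse_nmap(NMAP_XML)):
        print(task)
```

In a real engagement the XML comes from a scan of the in-scope hosts only; everything else about the workflow stays the same.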

If we come across websites during Passive or Active Reconnaissance, the first thing to do is to take our time and understand the different use cases. Basically, we want to collect every interface through which we can retrieve data or send data: forms, URL parameters, cookies, APIs and file uploads.

Once we have a good understanding of the environment, we can also use an automated vulnerability scanner like Nessus. These scanners send predefined requests to the various services and check the responses against a database of already known vulnerabilities.

Whenever automation is used, there is of course the possibility of incorrect results. A “False Positive” is a behavior that was mistakenly classified as a vulnerability, for example a version banner that matches an old, vulnerable release while the distribution has already backported the fix. Since vulnerability scanners can only check for known vulnerabilities using known signatures, “False Negatives” are obviously also an issue: just because the scanner did not find a vulnerability does not mean that our target is actually secure. These tools only provide initial clues and never replace a manual examination of the target.

Phase 3: Exploitation


In step 3, the Exploitation phase, we reach the point that is usually seen as the actual hacking. A precise understanding of the target environment is the fundamental prerequisite for it. We now iterate through all the services and check, on the one hand, whether the findings reported by the vulnerability scanners are actually exploitable, i.e. whether they are False or True Positives, and, on the other hand, which vulnerabilities we can find and exploit manually. In principle there is no universal formula. How or whether a service is vulnerable always depends heavily on its configuration, its version and additional security measures such as firewalls and intrusion prevention systems. Over time, however, it becomes more and more obvious which mistakes are made again and again and which attack techniques have a good chance of success.

Nevertheless, a skilled hacker has never finished learning and must keep up to date with the latest trends. As simple as it sounds, Twitter is the perfect place to keep up with the latest developments in the scene. Secret underground forums in Darknet are a thing of the past.

Since websites or web applications probably offer the largest attack surfaces, I would like to briefly mention a few of the most popular attack scenarios.

Injection Attacks

Injection attacks are attacks in which attacker-controlled input is interpreted as part of a command or query instead of being treated as plain data. Probably the most popular vulnerability of this type is SQL Injection. Essentially, SQLi allows us to alter a database query, which can be used, for example, to bypass a password check or to read tables we should never see.

Penetration Test: SQL Injection
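The password-check bypass mentioned above, as an added example (my own code, not from the original post): a login function that glues the username into the SQL string next to the same function written with a parameterized query. The database is an in-memory SQLite table with one constructed account; the username admin, the password and the payloads are invented for the example.

```python
import hashlib
import sqlite3


def sha256_hex(password):
    # Plain SHA-256 keeps the example dependency-free; a real login uses a slow
    # password hash (bcrypt, scrypt, Argon2). The injection does not depend on it.
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db():
    """In-memory database with a single constructed user account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", sha256_hex("S3cret!")))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String formatting: whatever the user types becomes part of the SQL statement."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{sha256_hex(password)}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the values travel separately from the statement text,
    so a quote or a comment marker in the username is just characters to compare."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, sha256_hex(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = setup_db()
    # Legitimate login works in both variants.
    print(login_vulnerable(db, "admin", "S3cret!"), login_safe(db, "admin", "S3cret!"))
    # admin'-- closes the string and comments out the password condition:
    #   WHERE username = 'admin'--' AND password_hash = '...'
    print(login_vulnerable(db, "admin'--", "anything"))
    # ' OR 1=1-- does not even need a valid username; the first row wins.
    print(login_vulnerable(db, "' OR 1=1--", "anything"))
    # The safe variant compares the literal string "admin'--" to the column and fails.
    print(login_safe(db, "admin'--", "anything"))
```

When testing a real login form, the first probe is usually just a single quote in the username field: a database error or a changed response is the clue that the input reaches the query unescaped, and the payloads above come next.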

Attacks on Authentication

When attacking authentication mechanisms, we look for vulnerabilities that allow an attacker to act as an existing user, for example missing brute-force protection, a weak password reset flow or predictable session tokens. In the worst case, this ends in a complete takeover of the user account.

Attacks on Authorization

In contrast to authentication, an attack on authorization exploits flawed permission management: the application knows who we are but fails to check what we are allowed to do. A simple example is gaining access to a restricted area just by appending “admin=true” to a URL (www.example.com?admin=true). At first this may sound ridiculous, but such errors do indeed occur again and again.
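The admin=true mistake in code, as an added example (my own, not from the original post): a request handler that trusts a flag from the query string next to one that decides on the role stored with the server-side session, plus the check a pentester runs to detect the flaw. The session store, the tokens tok-alice and tok-carol and the URLs are constructed for the example; the handlers take a URL and a session token instead of a real HTTP request so the whole thing runs offline.

```python
from urllib.parse import parse_qs, urlparse

# Constructed server-side session store. The role lives here and only here;
# the client never gets to state its own role.
SESSIONS = {
    "tok-alice": {"user": "alice", "role": "user"},
    "tok-carol": {"user": "carol", "role": "admin"},
}


def admin_area_vulnerable(url, session_token):
    """Authentication is fine, authorization is not: ?admin=true unlocks the area."""
    if session_token not in SESSIONS:
        return 401, "login required"
    params = parse_qs(urlparse(url).query)
    if params.get("admin", ["false"])[0].lower() == "true":
        return 200, "admin panel"
    return 403, "forbidden"


def admin_area_safe(url, session_token):
    """Decides on the role bound to the session; the query string is ignored."""
    session = SESSIONS.get(session_token)
    if session is None:
        return 401, "login required"
    if session["role"] != "admin":
        return 403, "forbidden"
    return 200, "admin panel"


def parameter_escalates(handler, url, low_priv_token):
    """The pentester's check: request the page as a plain user with and without
    admin=true; if the flag turns a 403 into a 200, authorization is client-controlled."""
    baseline = handler(url, low_priv_token)[0]
    separator = "&" if urlparse(url).query else "?"
    forced = handler(url + separator + "admin=true", low_priv_token)[0]
    return baseline == 403 and forced == 200


if __name__ == "__main__":
    url = "https://www.example.com/"
    print(admin_area_vulnerable(url + "?admin=true", "tok-alice"))  # (200, 'admin panel')
    print(admin_area_safe(url + "?admin=true", "tok-alice"))        # (403, 'forbidden')
    print(parameter_escalates(admin_area_vulnerable, url, "tok-alice"))  # True
    print(parameter_escalates(admin_area_safe, url, "tok-alice"))        # False
```

The same check generalizes to any parameter that looks like a privilege switch (role=, isAdmin=, debug=) and to hidden form fields and cookies; the fix is always the same, decide on state the server controls.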

Client Attacks

Client attacks focus on the end user. They range from secretly intercepting personal data and fraud attempts via tampered websites to infecting the user’s computer with malicious code. Such vulnerabilities are perfect building blocks for phishing campaigns. If one of the administrators falls for it, the consequences for the whole company can be devastating.

Phase 4: Post Exploitation


If we manage to exploit a vulnerability in the previous phase, our work is far from done. The actual extent of the damage can only be determined in the Post Exploitation phase. Our goal is to combine different vulnerabilities and misconfigurations in such a way that we can extend our privileges as well as crawl through and exfiltrate interesting data. In many cases this significantly extends the attack surface once again, and we enter the Reconnaissance and Exploitation phases in a new iteration.

Depending on the contract, we also set up a persistent back door that lets us access the system again at any time. Should stealth be part of the engagement, we also use our acquired permissions to remove our traces, for example from log entries. Both happen only if the rules of engagement explicitly allow them, and everything we install is documented and removed at the end of the test.

Phase 5: Reporting


The last and actually most important phase is the Reporting. The greatest ethical hacker, no matter how technically skilled, may penetrate systems in seconds and find the most unusual vulnerabilities. But if we fail to deliver detailed and, above all, easy-to-understand results to our contractor, all the previous steps were a waste of time. The important thing is that this is not about blaming incompetent programmers or administrators. At the end of the day we all want to create a secure environment.

In our report we first describe how we, and especially the customer, can reproduce the vulnerabilities we found. In addition, we explain which risks result from them for the company and, finally, what should be done to remediate them effectively.

Good reporting requires practice just like all the other stages. However, the task will be so much easier if we take detailed notes and document all steps during the entire penetration test – this applies to successful attacks as well as to failed attempts.

The 5 Phases in Fast Forward


We began with (1) Passive Reconnaissance, in which we exclusively use public information. Phase two is (2) Active Reconnaissance, meaning we actually interact with our target for the first time to get a complete overview of the attack surface. Step three, the (3) Exploitation phase, is the attack on our target, in which we actively exploit existing vulnerabilities. In (4) Post Exploitation we extend our permissions, open a permanent back door and cover our tracks. Finally, in the (5) Reporting phase, we summarize the results in a detailed and easily comprehensible customer report.