Pentesting: The truth behind the myth

Hi fellas,

Following my conversations with you guys on IRC about the job of pentester, I decided to introduce you to the different facets of pentesting and maybe shed some light on the grey areas that remain in this domain.

Disclaimer : Once again, it will be a long read :slight_smile:

Pentesting

Companies spend millions of dollars on countermeasures in order to protect their infrastructures as much as possible. Those treatments can be separated into two types :

  • Organisational treatments, which concern audits, awareness reminders or security policies, focusing mainly on the establishment and maintenance of information security at an organisational level.
  • Technical treatments, referring to the implementation of technology such as backups or encryption, whose aim is to ensure the security and availability of the company's services.

However, even working with the best engineers or DevOps will not guarantee that the configured system is flawless. As Wright C. of the SANS Institute stated in 2011, “absolute security does not exist and nor can it be achieved”. That is why pentesting and vulnerability assessment are mandatory. Moreover, such audits support certifications such as ISO 27001 (CREST, the Council of Registered Ethical Security Testers, accredits the testing providers themselves), certifications which are critical for a company's reputation and have an indubitable impact on its competitive edge and profit.

Definition

Pentesting, also known as penetration testing, consists of the assessment of a given scope, which can be an entire network or a web application, with the intention of detecting weaknesses that can be exploited to “break into” a system in order to access confidential information or cause damage. The techniques used by pentesters are quite similar to those used by attackers and are not restricted to technical tools. Indeed, pentesters may be allowed to assess the human vulnerability of the company, using social engineering to bypass the existing security.

“Three basic models are utilized by the Ethical hacker in order to [assess] the network. These models are the Black Box Model, the White Box Model and the Gray Box Model […]. Each model approaches the [assessment] from a different vantage point, all will have a different focus and therefore, a unique perspective that will be derived from the [standard evaluation]” (Hafele, 2004).

White Box :

In this configuration, the pentesting team possesses complete documentation about the infrastructure, the security policies and any security system that has been implemented to prevent external access.

This type of pentesting allows the team to dive deeper and to detect specific flaws caused by the use of an insecure module or a particular protocol. Thanks to that information, the team is able to target and focus its attacks on the right place and save time by shortening the reconnaissance phase (it should still verify that the documentation matches what is actually deployed).

Black Box :

Black Box pentesting is the exact opposite of White Box. In this case, no information is disclosed to the team and the pentesters have to go through the entire procedure to detect flaws that can be exploited.

This context is far more realistic than the previous one, since it mirrors the position of an external attacker, and gives a better idea of the information system's security, at the cost of coverage: part of the time budget is spent rediscovering what the client already knows.

Gray Box :

Gray Box is a mix of the previous configurations. Indeed, the employer can choose which information to communicate to the pentesters in order to assess and test a particular aspect of their system. This context is often chosen when the company intends to certify a given scope for further requirements.

Once done, the pentesters have to provide a complete report, showing every flaw detected and the treatments that have to be implemented to thwart them.

To conclude, a pentest “can uncover aspects of security policy that are lacking […], provide feedback on the most at risk routes into a company or application […] and penetration testing reports can be used to help train developers to make fewer mistakes.” (Pearson, 2014).

Pentesting phases

The schema above helps to have a better understanding of the pentesting methodology. However, it is necessary to describe each phase that makes up a penetration test. It follows six principal stages :

Determining the scope is the primary and most important phase, during which the pentesters and the customer establish every aspect of the information system that has to be assessed and, just as important, what is out of bounds.

Reconnaissance, or Recon, consists of gathering as much information as possible about the current infrastructure and the technologies in place.

Discovery is the study of the information collected during the previous step, and is crucial to determine the weaknesses and flaws present within the scope.

Attacking is the exploitation of the detected flaws, which can be achieved through brute force, social engineering or an adapted payload (the code an exploit delivers to run on the target, for example to open a shell or install a backdoor).

Taking control and pivoting represents the use of a compromised system as a foothold to reach other hosts and extend the compromise across the network.

Report is the final step, which consists of collecting all the evidence about the flaws and breaches detected and providing treatments to address those risks.

It is important to note that this procedure can change according to the situation. However, it reflects the overall idea of a penetration testing process.
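As an added illustration of the Discovery phase (this is example code written for this article, not a tool from the original post), the script below takes the raw output of the Recon phase, here Nmap's XML report, and turns it into a first list of weaknesses: open services on live hosts that carry credentials or data in cleartext. The XML document, host addresses and product versions are constructed for the example; only the Nmap XML layout (`host`, `status`, `address`, `port`, `state`, `service` elements) is real.

```python
"""Discovery-phase helper: turn raw reconnaissance output into findings.

Added example, not code from the original post. It parses Nmap's XML
output (nmap -oX) and flags open services that transport credentials or
data unencrypted by default, the kind of weakness noted before deciding
what to attack. SAMPLE_NMAP_XML is constructed: the addresses and product
versions are made up.
"""
import xml.etree.ElementTree as ET

# Services that carry credentials or data unencrypted by default (assumed list).
CLEARTEXT_SERVICES = {
    "ftp": "credentials and files sent in cleartext",
    "telnet": "interactive session and credentials sent in cleartext",
    "http": "no transport encryption (check whether an HTTPS redirect exists)",
    "pop3": "mailbox credentials sent in cleartext",
    "imap": "mailbox credentials sent in cleartext",
    "smtp": "check STARTTLS support; mail may be relayed unencrypted",
}

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="ExampleFTPd" version="1.0"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="23"><state state="filtered"/><service name="telnet"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_open_services(nmap_xml):
    """Return one dict per open port on each live host, in document order."""
    root = ET.fromstring(nmap_xml)
    services = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not answer are not attack surface
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are noted but not attackable
            svc = port.find("service")
            services.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else "unknown",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    return services


def flag_cleartext(services):
    """Attach an issue description to every service in CLEARTEXT_SERVICES."""
    findings = []
    for s in services:
        reason = CLEARTEXT_SERVICES.get(s["service"])
        if reason:
            findings.append({**s, "issue": reason})
    return findings


if __name__ == "__main__":
    for f in flag_cleartext(parse_open_services(SAMPLE_NMAP_XML)):
        print(f"{f['host']}:{f['port']}/{f['proto']} {f['service']} "
              f"({f['product']} {f['version']}) - {f['issue']}")
```

Run against a real scan with `python3 discovery.py < scan.xml` after swapping the constant for `sys.stdin.read()`. The product and version fields are kept on each finding so that the next step, looking each one up for known weaknesses, starts from recorded facts rather than memory.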

Ethics

As stated earlier in this paper, penetration testers are hired to detect flaws and misconceptions in an internal network infrastructure, a web application or a piece of software. However, it is important to differentiate them from criminal hackers. Indeed, pentesters perform their analysis within the law and according to ethics. Indeed, “penetration testing vivifies ethics, forcing practitioners to think about the consequences of a variety of situations, ranging from agreeing the parameters of a test, to deciding which techniques should or should not be allowed during a test (Bishop, 2007)” (Faily, S. et al., 2015).

To guide them during their activity, the SANS Institute and the CERT published sets of rules whose aim is to determine what has to be respected to be compliant with the law and with ethics.

According to the CERT (Code of Ethics, 2016) pentesters must:

  • Keep private and confidential information gained in their professional work.
  • Never knowingly use software or process that is obtained or retained either illegally or unethically.
  • Not to associate with malicious hackers nor engage in any malicious activities.
  • Ensure all penetration testing activities are authorized and within legal limits.
  • Ensure ethical conduct and professional care at all times on all professional assignments without prejudice.
  • Use the property of a client or employer only in ways properly authorized, and with the owner’s knowledge and consent.

On the other side, the SANS (IT - Code of Ethics, 2004) is much more focused on interpersonal skills and the need to be honest about one's own capabilities, essential qualities to work in this domain, such as :

  • I will strive for technical excellence in the IT profession by maintaining and enhancing my own knowledge and skills.
  • When possible I will demonstrate my performance capability with my skills via projects, leadership, and/or accredited educational programs […].
  • I will not hesitate to seek assistance or guidance when faced with a task beyond my abilities or experience. […] I will treat this as an opportunity to learn new techniques and approaches.
  • I will strive to be perceived as and be an honest and trustworthy employee.

However, those guidelines are more theoretical than practical and, unfortunately, little research has been done in this area, which “fail[s] to provide advice on how to deal with conflicts of ethical significance“ (Faily, S. et al., 2015), and the problems associated with this activity remain unknown. The following text, extracted from Critical Review : Ethical Dilemmas and Dimensions in Penetration Testing, written by, …, myself :smile:, clarifies this subject.

Indeed, this research paper highlights the ethical dilemmas and dimensions associated with penetration testing and the potential fallacies and biases involved in the position taken by pentesters. Moreover, it demonstrates how the client's trust can be gained and how pentesters can provide assurance about the results of their work. The study of the challenges which face pentesters will definitely help to improve the methods and tools used to penetration test a system.

In order to assess those problems, eight professional and certified pentesters, working in the UK, were interviewed at their workplace for forty-five minutes each. For the sake of this study, four principal areas of debate were chosen: responsibilities, practices, ethics and assurance.

Those interviews highlight two main dilemmas: how to manage the penetration test in order to satisfy the client and the staff without breaking the established trust between both parties, and whether to manage the testing phase using a structured strategy or an unstructured one which allows more flexibility and creativity. From those dilemmas two different positions were identified, the individual / unstructured position (IU) and the whole / structured position (WS). Each of them has a different point of view about the value of ethics, the ethical appeal, the client and the practice focus.

Indeed, IUs are more likely to consider ethics as an interpersonal skill acquired through experience and consider the ethical appeal to be common sense. Moreover, they tend to establish individual relationships with people within the company and, because they do not consider the organisation as a whole, they are often subject to hostility from employees who are uneducated in terms of security. Finally, the focus of their practice is narrow with regard to knowledge of their tools, which assures the reliability of their report.

WS works in a different way. In fact, ethical and moral issues are discussed within the team, placing the associated risk in the right context in order to evaluate each facet of the dilemma. Furthermore, they consider the client organisation more as a whole, pay attention to educating employees about penetration tests and try to keep them informed of any discovery. Lastly, the focus of their practice tries to avoid any automated report and logs in order to assure the veracity of the final report and, consequently, to remove any doubt the client may have towards automated tools.

To conclude, there are different approaches that can be chosen by a pentester. However, each of them has its own fallacies and biases. Indeed, the IU can be influenced by team members, which can affect their own definition of ethics if their co-workers have a wrong perception of this area; and the WS, by educating the client about penetration tests and providing a fully personalised report, cannot be sure that every countermeasure indicated will be applied. In fact, the client could just use this result to obtain their accreditation, whereas a technical report does not allow this kind of misuse. Moreover, both are exposed to the same dilemmas and must deal with them. Consequently, the choice of position is purely a question of point of view. Finally, the guidelines exposed above are more an unofficial code that needs to be implicitly respected by pentesters, and companies have no guarantee about their integrity.

Report

The report is an essential part of a penetration test and, as Lam et al. said, “if you do not document it, it did not happen”. Indeed, this report describes the methodology, timeline and scope of the pentest. Moreover, it highlights the vulnerabilities and the associated countermeasures that can be implemented to ensure the security of the information system. However, as with ethics, few papers and studies have been published in this domain, and no standard has been established yet. As Alharbi Mansour A. stated, “Writing a penetration testing report is an art that needs to be learned to make sure that the report has delivered the right message to the right people”.

Nevertheless, the reporting process can be broken down into four stages :

Report planning

In the first place, pentesters have to define at least six elements :

Report objectives : The objectives allow the aim of the penetration test to be determined precisely and, consequently, the scope that has to be assessed.

Time : Pentesters have to agree the testing window with their client, so that the company is prepared and able to react adequately to any issue caused by the penetration test. Moreover, this written agreement is mandatory for testers to be compliant with the law and acts as a “Get out of jail free card” if something goes wrong.

Consider the target audience : The content and the technical depth of a report depend on the targeted audience. Taking this factor into account ensures the readability and understandability of the document; a report that is not understood can invalidate the entire operation.

Report classification : Because pentesters deal with sensitive data, it is recommended to classify and control the report to avoid any leak to a lower level of clearance. This classification is done according to the company's security policy.

Report distribution : According to the security level of the report, it is advised to state the number of soft and hard copies that will be distributed once the document is drafted and reviewed. Controlling its distribution is crucial to limit the risk of electronic or physical eavesdropping.

Information cleanup : Once submitted, any residual information present on the pentesters' machines has to be deleted to avoid any problem. Indeed, “ethical responsibilities do not stop when the test is done, however. After the test is completed, [pentesters] should perform due diligence to ensure the confidentiality of the test results. Some penetration testing firms have been known to circulate test results to other companies as samples of their work. These results contain detailed steps on how to break into an e-finance website for a particular financial institution and collect sensitive customer data. [The] institution [was shocked] when it discovered these contents being distributed to its competitors! Therefore, [penetration testers] are under an ethical obligation to keep the details of the report confidential. Shred any hard copies of the report, and delete all soft copies using a wiping utility such as PGP or Axcrypt.” (Newman & Whitaker, 2006).

Information collection

Due to the amount of information gathered during a penetration test, it is considered best practice to constantly record the data that will be useful for the report, such as screenshots, outputs, logs, etc. For security and confidentiality reasons, pentesters have to use a secure platform to store and centralise those materials, and should be able to show later that what ends up in the appendices is exactly what was captured during the test.
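One way to keep that collection trustworthy, as an added example that is not part of the original post: each captured artefact is logged with the UTC time of capture, the command that produced it and its SHA-256, so a reviewer (or the client) can check that nothing in the appendix was altered between the test and the report. The manifest format, the `record_evidence` / `verify_evidence` helpers and the sample artefacts are all assumptions of this example.

```python
"""Evidence manifest for the information-collection stage.

Added example, not code from the original post. The artefact bytes live in
the secure store; the manifest keeps only metadata plus a SHA-256 digest,
which is enough to prove later that an appendix item was not modified.
SAMPLE_STORE and the timestamps below are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone


def record_evidence(manifest, name, data, command, captured_at=None):
    """Append one artefact's metadata and digest to the manifest; return the entry."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    entry = {
        "name": name,
        "command": command,
        "captured_at": (captured_at or datetime.now(timezone.utc)).isoformat(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }
    manifest.append(entry)
    return entry


def verify_evidence(manifest, store):
    """Return the names of artefacts that are missing or whose bytes no longer match."""
    tampered = []
    for entry in manifest:
        data = store.get(entry["name"])
        if data is None or hashlib.sha256(data).hexdigest() != entry["sha256"]:
            tampered.append(entry["name"])
    return tampered


def dump_manifest(manifest):
    """Serialise the manifest for inclusion in the report appendix."""
    return json.dumps(manifest, indent=2, sort_keys=True)


# Constructed sample: two outputs captured during a fictitious test.
SAMPLE_STORE = {
    "nmap-10.0.0.5.txt": b"22/tcp open ssh OpenSSH 7.4\n80/tcp open http nginx 1.18.0\n",
    "login-page.png": b"\x89PNG\r\n\x1a\n<constructed placeholder, not a real image>",
}


def build_sample_manifest():
    """Record the two constructed artefacts with fixed capture times."""
    manifest = []
    record_evidence(manifest, "nmap-10.0.0.5.txt", SAMPLE_STORE["nmap-10.0.0.5.txt"],
                    "nmap -sV 10.0.0.5", datetime(2016, 1, 1, 9, 0, tzinfo=timezone.utc))
    record_evidence(manifest, "login-page.png", SAMPLE_STORE["login-page.png"],
                    "screenshot of /login", datetime(2016, 1, 1, 9, 5, tzinfo=timezone.utc))
    return manifest


if __name__ == "__main__":
    m = build_sample_manifest()
    print(dump_manifest(m))
    print("tampered:", verify_evidence(m, SAMPLE_STORE))
```

The digest, not the file, is what goes into the report; when the report is questioned, recomputing the digests over the stored artefacts answers the question without re-running the test.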

Draft and final review

Before taking the layout and the proofreading into consideration, pentesters have to write a rough draft that represents at least 60% of the final report. Later, in order to ensure the quality and relevance of this document, a reviewer is assigned according to the type of pentest. The reviewer can be, in the case of white box testing, an employee of the client company with strong knowledge of the infrastructure and its current security, or another pentester if and only if the penetration test is in black box configuration.

Layout

To improve the readability and the impact of the report, it has to follow a sober and classical layout, consisting of :

  • Cover Page
  • Document properties and version control, showing the document's modifications, author, date of creation, etc.
  • Table of contents and tables of tables and figures
  • Executive summary, describing the methodology used, the scope, the objectives, the timeline, the summary of findings and a summary of recommendations
  • Glossary, to define technical terms
  • Appendices, used for further details about outputs or logs; the body of the report should be completely independent of this section

Vulnerabilities and risks classification

One of the essential parts of the report is the vulnerability and risk classification, whose aim is to summarise the detected flaws and provide a baseline for the chief security officer in charge of the company's security.

Those should ideally be represented by graphs, similar to those below, classifying and grouping vulnerabilities according to their severity.

For the sake of the report's applicability, it is mandatory to analyse each risk by taking into account its threat, vulnerability and impact on the information system.

Thanks to the table above, pentesters are now able to calculate the risk rating and start the classification. However, it is important to take the likelihood into consideration in order to adjust the baseline provided to the customer: a severe weakness that is very unlikely to be triggered should not outrank a moderate one that any attacker can exploit.

Each vulnerability must be assessed and its risk score compared to the previously calculated risk rating, allowing benign weaknesses to be separated from critical ones. Moreover, each flaw has to be described and rated, the exploit used has to be explained, and at least one treatment has to be provided in order to, according to its risk level, mitigate, prevent or accept the vulnerability.
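The rating and classification described above, carried through in code as an added example (it is not the rating table from the original post, which is not reproduced here). The scales are assumptions of this example: threat, vulnerability and impact are each scored low / medium / high (1 to 3) and multiplied to give a raw rating from 1 to 27; a likelihood between 0 and 1 scales that rating; the severity thresholds and the sample findings are constructed.

```python
"""Risk rating and severity classification for the findings section.

Added example, not the original post's table. Assumed scales: threat,
vulnerability and impact on 1-3 (low/medium/high), raw rating = product
(1-27), likelihood in [0, 1] scales the raw rating, and the adjusted score
is bucketed into severity bands. SAMPLE_FINDINGS is constructed.
"""

SCALE = {"low": 1, "medium": 2, "high": 3}

# Severity bands on the likelihood-adjusted score (assumed thresholds).
SEVERITY_BANDS = [
    (18.0, "Critical"),
    (9.0, "High"),
    (4.0, "Medium"),
    (0.0, "Low"),
]


def risk_rating(threat, vulnerability, impact):
    """Raw rating: threat x vulnerability x impact, each on the 1-3 scale."""
    return SCALE[threat] * SCALE[vulnerability] * SCALE[impact]


def adjusted_score(threat, vulnerability, impact, likelihood):
    """Raw rating scaled by how likely the weakness is to be exploited."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be between 0 and 1")
    return risk_rating(threat, vulnerability, impact) * likelihood


def severity(score):
    """Map an adjusted score to its band (first band whose floor it reaches)."""
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "Low"  # not reached with a 0.0 floor, kept for clarity


def classify(findings):
    """Rate every finding, attach its severity and sort most severe first."""
    rated = []
    for f in findings:
        raw = risk_rating(f["threat"], f["vulnerability"], f["impact"])
        score = adjusted_score(f["threat"], f["vulnerability"], f["impact"], f["likelihood"])
        rated.append({**f, "raw_rating": raw, "score": round(score, 2), "severity": severity(score)})
    rated.sort(key=lambda r: r["score"], reverse=True)
    return rated


def severity_counts(rated):
    """Findings per band: the numbers behind the summary graphs."""
    counts = {label: 0 for _, label in SEVERITY_BANDS}
    for r in rated:
        counts[r["severity"]] += 1
    return counts


# Constructed findings; F-4 shows likelihood pulling a raw 27 down to Medium.
SAMPLE_FINDINGS = [
    {"id": "F-1", "title": "SQL injection in login form",
     "threat": "high", "vulnerability": "high", "impact": "high", "likelihood": 0.9},
    {"id": "F-2", "title": "Outdated TLS configuration",
     "threat": "medium", "vulnerability": "medium", "impact": "medium", "likelihood": 0.5},
    {"id": "F-3", "title": "Verbose server banner",
     "threat": "low", "vulnerability": "low", "impact": "low", "likelihood": 1.0},
    {"id": "F-4", "title": "Default credentials on a management interface only reachable from an isolated VLAN",
     "threat": "high", "vulnerability": "high", "impact": "high", "likelihood": 0.2},
]


if __name__ == "__main__":
    rated = classify(SAMPLE_FINDINGS)
    for r in rated:
        print(f"{r['id']} raw={r['raw_rating']:>2} score={r['score']:>5} {r['severity']:<8} {r['title']}")
    print(severity_counts(rated))
```

Whatever scale the client's own table uses, keep the raw rating and the adjusted score side by side in the report: the raw number justifies the treatment (prevent, mitigate or accept) while the adjusted one sets the order in which the client should act.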

To conclude, the report is vital for any pentesting activity and shows the methodology and procedures used to achieve the objectives established previously. Moreover, by describing, classifying and highlighting each vulnerability, it provides the company with a complete baseline whose aim is to guide it in its security process.

Personal feedback

Pentesting is a real vocation and requires modesty, hard work and an insatiable thirst for knowledge. Indeed, you have to continuously keep yourself up to date with the latest CVEs and the technologies in use by companies to be efficient at any time. Furthermore, the amount of knowledge required is colossal, e.g. network infrastructure, protocols (MACAW, ALOHA, TCP/IP, OSI, etc.), system architecture, programming skills, etc. Moreover, you have to be at ease with your writing skills, and spending 20 hours on a report should not scare you ! It is, from my point of view, a very rewarding and interesting job where each day will enrich your knowledge base (almost :P). So, if you have the desire and the opportunity to work as a pentester, don't hesitate, you will not regret it !

FAQ

Which tools do you use ?

Mainly your brain :stuck_out_tongue: Because you have to deeply understand how things work internally to be able to detect any potential weakness present in a wrong configuration, implementation, … (I would like to thank every sysadmin that makes my work so enjoyable <3). Additionally, we use several tools to help us during the discovery phase, such as Metasploit, SQLmap, ZAP, Wapiti, Nessus, Burp Suite, SSLscan, Qualys, Nmap, SIPVicious, VIPROY, etc. (non-exhaustive list).

How long does the report take ?

The report takes a third of the period associated with the mission. Basically, we write the report during the testing phase to avoid a shitload of work at the end of the contract.

Do you use social engineering ?

Unfortunately, nope. This is generally not allowed by the customer. Indeed, it can affect the targeted employee, … To address the human issue, an internal organisational assessment is done in parallel.

How much are you paid ?

It depends on your country; for a junior :

France : 40K / year
UK : 65K / year
US : 70K / year
Germany : 35K / year

Is it boring ?

Sometimes, when the mission consists of assessing a static website …

Are certifications mandatory ?

Being certified will definitely help you to get a job. However, if you know how to sell yourself and if you have a good background (being active on a forum, keeping a technology watch, participating in CTFs or challenges) you will be ok.

Thanks for reading, and I hope you enjoyed this article and that it helped you to get a better overview of pentesting and the job of a pentester.

Best,
Nitrax

P.S : Feel free to ask me questions !


I skimmed over this amazing post and it is truly a masterpiece. I noticed you said a lot of the time was spent writing reports. From books and testimonies I read, most of the time is also spent on recon and then a very small fraction spent in the exploit phase.

Also I think social engineering shouldn’t really be tested because that’s a freebie. They want to see what issues exist in the network, and with SE you could probably get your way into any system. :stuck_out_tongue:

Employee and manager training should follow every penetration test.


Glad to see that you enjoyed this article mate :wink:

You are right ! Recon takes time and it is the most important phase of a pentest. However, on a 7-day mission, the report will take 2/3 days, restraining the battery of tests possible, and could potentially be interpreted as a waste of time ! People rarely know the real time spent on writing the report and that can be quite disappointing.

I agree with you about SE. Nevertheless, I think that it could be relevant to detect fallacies outside the scope and propose an assessment at an organisational and human level !

Thanks again for your support.

Best,
Nitrax


Thank you for the article! Very informative.