Question on real world pen testing

    • #6844
      blueaxis
      Participant

      Hey All,

      Thought I’d post this question here as I try to understand pen testing from the field perspective. Please forgive any typos, I am using an iPhone.

      1. If a client engages you for a pen test but their defenses are strong enough and you fail to compromise the network or a system, how is this situation reported? Is this scenario common?

      2. My understanding is large companies are spending huge amounts of money on securing their networks – so I am not sure if the conventional pen test tools and techniques taught in books and class would still work in today’s world.

      Sorry if the question doesn’t clarify the point. I will try to repost later. Thanks in advance.

    • #42258
      cd1zz
      Participant

      Perimeters are indeed tighter than they were in the past. However, if SE is part of your scope you’re likely to get in.

    • #42259
      mambru
      Participant

      Of course this happens sometimes. That’s why it is so important to have a sound documenting process while performing the tests, so you can show your client all the attack vectors you tried.

    • #42260
      Triban
      Participant

      Last place I worked we had one done and our perimeter was really tight. The only thing open was the Citrix portal. But like most environments, it was a hard candy shell on the outside, but soft squishy filling on the inside. The test, unfortunately, did not include SE since the ISO and CIO did not want to put employees through such attempts (way to check to see if your Sec Awareness training is working :p ). In any case, there are always ways in, but sometimes you need to get in to expose them. Many of the current breaches have occurred due to a phishing email getting through the perimeter and some poorly trained individual clicking the link or opening the attachment. Many large orgs are most likely not fully patched when it comes to Adobe Reader, so that vector typically works well.

    • #42261
      blueaxis
      Participant

      Very interesting perspectives. Thanks for sharing them. When you say orgs are weak from inside – do you mean network layer or application layer?

    • #42262
      Triban
      Participant

      Based on systems I’ve seen, a little of both. I have yet to see a full implementation of app whitelisting, and I’ve been in some places that use a completely flat network topology even though they have the ability to properly segment. The reasons I have seen for both these factors have typically been impatience and lack of training.

      So ok, we have this nifty layer 3 core switch with all these lesser switches. Cool, let’s set up VLANs so we can better secure our servers… 6 months later the ACLs have been all but removed because there are too many problems with traffic being blocked, and rather than figure out how to resolve it, someone in upper management makes them turn off the rule that is blocking it.

      We install a nifty enterprise-level client-side security suite. We run all the pieces (firewall, heuristics and regular AV). We figure, cool, let’s use Application and Device Controls! Rather than follow the vendor-provided whitepapers and set the system to logging only on your test group, you decide to just add MS Office apps, but then nothing else is working… Rather than figure it out, you turn it off and only use blacklisting.

      One more on apps, patching… Well, we use WSUS so all our problems are solved!!
      “Ok, so what about Java and Adobe patches?”
      ….
      We don’t patch those.
      “How about MS Office?”
      Well, WSUS does that, right?
      “No, your WSUS is configured with default settings, you are only downloading Windows OS patches, you don’t have Office checked off.”

      So with all that, your apps are not properly patched, your network is no longer segmented, and your client-side endpoint protection is about as good as free AVG. I won’t even get started on the unused IDS/IPS appliance 😛

      Most companies that don’t invest in talented individuals to run their networks tend to have all the shiny tools, but none of them are configured properly or at all. Back in the day, you would have to try very hard to crack the shell, but now you just need to compromise the human piece and then make your way back out of the shell. Our traditional methods of detection no longer work unless you utilize the added pieces and start whitelisting the network. Do not allow the unknown to run!

      Or I am completely full of crap but that is for others to decide.  😀
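      The WSUS default-settings problem described in the post above can be checked directly on the server. The following audit script is an added example, not code from the thread or from Microsoft; it assumes the UpdateServices PowerShell module is available and the server name and port below are placeholders.

```powershell
# Added example: list which product categories a WSUS server actually
# synchronises, and flag the families the post says get forgotten.
# Assumes the UpdateServices module (Windows Server WSUS role) is installed.
Import-Module UpdateServices

# Placeholder host and port; omit both parameters to connect to the local server.
$wsus = Get-WsusServer -Name "wsus.example.internal" -PortNumber 8530

# Titles of the product categories currently selected in the subscription.
$enabled = $wsus.GetSubscription().GetUpdateCategories() |
    Select-Object -ExpandProperty Title

# With default settings only Windows categories are selected; Office is not.
$families = @("Windows", "Office")
foreach ($family in $families) {
    $hits = $enabled | Where-Object { $_ -like "*$family*" }
    if ($hits) {
        "OK       $family : " + ($hits -join ", ")
    } else {
        "MISSING  $family : no product category selected, WSUS will never download these updates"
    }
}

# Java and Adobe Reader are not Microsoft products, so WSUS has no category
# for them at all; their patching needs a separate mechanism and should be
# tracked as a finding rather than assumed covered.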

    • #42263
      MaXe
      Participant

      @blueaxis wrote:

      2. My understanding is large companies are spending huge amounts of money on securing their networks – so I am not sure if the conventional pen test tools and techniques taught in books and class would still work in today’s world.

      It depends on what books you read, and what classes you attend. Some (actually a lot of) ancient knowledge can still be used today (even flaws in IPv6, and ARP spoofing on many networks. Think of them as often insider attacks, as these can occur). However, SQL injection and XSS, for example, are application layer attacks. Both are around 10 years old, and still taught. Buffer overflows are also very old, and these also still work. Even so, blackhats target the client applications more and more often, such as the browsers and plugins (like Java, Flash, Adobe Reader, etc.), as there’s a larger attack surface, and thereby more ways to compromise a client, which may be connected to a network.

      But in essence, it is not about the tools, because if you’re a good hacker, then you can write these tools yourself if you need to, but writing your own port scanner from scratch (not using netcat, telnet, or whatever) takes time, and often there’s already a good solution to that such as NMAP, randscan, or whatever you use. NMAP is… over 10 years old and it’s still being used by pretty much all pentesters? It has its quirks, yes, and it’s detectable, but if you use it with care, and know how the tool works, you can also avoid detection when you use this program.

      There are, of course, even protocol attacks you can barely patch against.

      @blueaxis wrote:

      Very interesting perspectives. Thanks for sharing them. When you say orgs are weak from inside – do you mean network layer or application layer?

      Any layer. Even the physical layer. Often they’re vulnerable to various network attacks, but there are also outdated clients and servers on some networks, which go all the way up to application level vulnerabilities.

    • #42264
      hayabusa
      Participant

      A big key is, if you use existing tools (to save time), you need to be familiar enough with them to understand ‘proper’ usage in a pentest (such as running scanning tools in a way which avoids, or at least minimizes, detection of your activities). And that familiarity comes with lots of lab time / practice with each tool, etc.
