Sunday, April 20, 2014

Advanced penetration testing

Some environments will be more secured than others. You will be faced with environments that use:

  • Effective patch management procedures
  • Managed system configuration hardening policies
  • Multi-layered DMZs
  • Centralized security log management
  • Host-based security controls
  • Network intrusion detection or prevention systems
  • Wireless intrusion detection or prevention systems
  • Web application intrusion detection or prevention systems

Effective use of these controls increases the difficulty level of a penetration test significantly. Clients need to have complete confidence that these security mechanisms and procedures are able to protect the integrity, confidentiality, and availability of their systems. They also need to understand that at times the reason an attacker is able to compromise a system is due to configuration errors, or poorly designed IT architecture.

Note that there is no such thing as a panacea in security. As penetration testers, it is our duty to look at all angles of the problem and make the client aware of anything that allows an attacker to adversely affect their business. 

Advanced penetration testing goes above and beyond standard penetration testing by taking advantage of the latest security research and exploitation methods available. The goal should be to prove that sensitive data and systems are protected even from a targeted attack, and if that is not the case, to ensure that the client is provided with the proper instruction on what needs to be changed to make it so. 

A penetration test is a snapshot of the current security posture. Penetration testing should be performed on a continual basis.


Many exploitation methods are poorly documented, frequently hard to use, and require hands-on experience to effectively and efficiently execute. At DefCon 19 Bruce "Grymoire" Barnett provided an excellent presentation on "Deceptive Hacking". In this presentation, he discussed how hackers use many of the very same techniques used by magicians. It is my belief that this is exactly the tenacity that penetration testers must assume as well. Only through dedication, effort, practice, and the willingness to explore unknown areas will penetration testers be able to mimic the targeted attack types that a malicious hacker would attempt in the wild.


Oftentimes you will be required to work on these penetration tests as part of a team and will need to know how to use the tools that are available to make this process more manageable and efficient. This is yet another challenge presented to today's pentesters. Working in a silo is just not an option when your scope restricts you to a very limited testing period.

In some situations, companies may use non-standard methods of securing their data, which makes your job even more difficult. The complexity of their security systems working in tandem with each other may actually be the weakest link in their security strategy.

The likelihood of finding exploitable vulnerabilities is directly proportional to the complexity of the environment being tested.

Penetration testing

Penetration testing expands upon vulnerability assessment efforts by introducing exploitation into the mix.

The risk of accidentally causing an unintentional denial of service or other outage is moderately higher when conducting a penetration test than it is when conducting vulnerability assessments. To an extent, this can be mitigated by proper planning, and a solid understanding of the technologies involved during the testing process. Thus, it is important that the penetration tester continually updates and refines the necessary skills.

Penetration testing allows the business to understand if the mitigation strategies employed are actually working as expected; it essentially takes the guesswork out of the equation. 

The penetration tester will be expected to emulate the actions that an attacker would attempt and will be challenged with proving that they were able to compromise the critical systems targeted. The most successful penetration tests result in the penetration tester being able to prove without a doubt that the vulnerabilities that are found will lead to a significant loss of revenue unless properly addressed. Think of the impact that you would have if you could prove to the client that practically anyone in the world has easy access to their most confidential information!

Penetration testing requires a higher skill level than is needed for vulnerability analysis. This generally means that the price of a penetration test will be much higher than that of a vulnerability analysis. 

If you are unable to penetrate the network, you will be assuring your clientele that their systems are secure to the best of your knowledge. If you want to be able to sleep soundly at night, I recommend that you go above and beyond in verifying the security of your clients.

Vulnerability assessments

Vulnerability assessments are necessary for discovering potential vulnerabilities throughout the environment. There are many tools available that automate this process so that even an inexperienced security professional or administrator can effectively determine the security posture of their environment. Depending on scope, additional manual testing may also be required. Full exploitation of systems and services is not generally in scope for a normal vulnerability assessment engagement.

Systems are typically enumerated and evaluated for vulnerabilities, and testing can often be done with or without authentication. Most vulnerability management and scanning solutions provide actionable reports that detail mitigation strategies such as applying missing patches, or correcting insecure system configurations.

Tuesday, April 15, 2014

Three Biggest Hacking Threats to Your Android

  • Data in transit: Android devices and mobile devices in general are especially susceptible because they use wireless communications exclusively and often public WiFi, which can be insecure. An attack that is used frequently by hackers is a man-in-the-middle attack where an attacker breaks into the device and redirects data to exploit the resources on it before forwarding it to the original destination. This method allows the hacker to spy on Internet browsing activity, steal keystrokes to identify passwords and isolate the individual's physical location, along with potentially listening to calls and intercepting texts.

  • Third party apps: In a recent study, 57% of malicious apps in the Android marketplace were found in third party app stores.

  • SMS Trojans: By including premium dialing functionality into a Trojan app an attacker can run up the victim’s phone bill and get the mobile carriers to collect and distribute the money to them. Another malicious usage of SMS involves using an infected device to send out SMS text messages to all contacts in the address book with a link to trick the recipients into downloading and installing the worm, thereby infecting many devices at one time.

Three Steps you can take to protect your Android device

  • SSL encryption for the device: SSL is one of the best ways to secure sensitive data in transit.

  • Test third party apps: Try to install apps from first party vendors like Google. If you do buy apps from a third party store, vet the security and authenticity of any third party code or libraries used in your mobile application by using a mobile security vendor. Read the permissions that apps require before downloading them. Examples of permissions apps can request that may raise red flags are permission to reveal your identity or location, or to send messages to the Internet.

  • Be wary of SMS Trojans: Implement controls to prevent unauthorized access to paid-for resources. If an application asks for a payment via SMS, exercise additional caution.
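The permission review suggested above can be done mechanically against an app's AndroidManifest.xml. The script below is an added example, not part of the original post: it lists the requested permissions, flags the ones the post warns about (SMS, contacts, location, identity, Internet), and calls out the SEND_SMS plus READ_CONTACTS combination that the SMS worm relies on. The manifest is a constructed sample of a "flashlight" app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the post singles out, and why each is a red flag for a simple consumer app.
RED_FLAGS = {
    "android.permission.SEND_SMS": "can send SMS, including premium-rate numbers billed to you",
    "android.permission.RECEIVE_SMS": "can read incoming SMS (texts, one-time codes)",
    "android.permission.READ_CONTACTS": "can read the address book (targets for an SMS worm)",
    "android.permission.ACCESS_FINE_LOCATION": "reveals your physical location",
    "android.permission.READ_PHONE_STATE": "reveals device identity (IMEI, phone number)",
    "android.permission.INTERNET": "can send data to the Internet",
}

# Constructed manifest for the demo: a flashlight app that asks for far more than a flashlight needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Flashlight"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Names from every <uses-permission android:name=...> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.findall("uses-permission") if el.get(name_attr)]


def review_manifest(manifest_xml):
    """Return {'flagged': {permission: reason}, 'patterns': [combination warnings]}."""
    perms = set(requested_permissions(manifest_xml))
    flagged = {p: RED_FLAGS[p] for p in sorted(perms) if p in RED_FLAGS}
    patterns = []
    # Single permissions are only hints; combinations describe the attacks the post names.
    if {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"} <= perms:
        patterns.append("SEND_SMS + READ_CONTACTS: the self-spreading SMS worm pattern "
                        "(message every contact with a download link)")
    if {"android.permission.READ_PHONE_STATE", "android.permission.INTERNET"} <= perms:
        patterns.append("READ_PHONE_STATE + INTERNET: can report device identity to a remote server")
    if {"android.permission.ACCESS_FINE_LOCATION", "android.permission.INTERNET"} <= perms:
        patterns.append("ACCESS_FINE_LOCATION + INTERNET: can report your location to a remote server")
    return {"flagged": flagged, "patterns": patterns}


if __name__ == "__main__":
    report = review_manifest(SAMPLE_MANIFEST)
    for perm, reason in report["flagged"].items():
        print("FLAG  %-45s %s" % (perm, reason))
    for warning in report["patterns"]:
        print("COMBO", warning)
```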

Server-Side Vulnerability Assessment

Server-side attacks involve finding and exploiting vulnerabilities in the services, ports, and applications running on a server.

For example, a web server has several attack vectors. It is a server running an operating system and various pieces of software to provide web functionality, and it has many open TCP ports. Each of these vectors could harbor a vulnerability that an attacker could exploit to get into the system and obtain valuable information. Many protocols on servers are also handled as readable, unencrypted text.

Let's take a look at some tools available in Kali for identifying vulnerabilities on servers.

Webshag

Webshag is a multi-threaded, multi-platform tool used to audit web servers. Webshag gathers commonly useful functionalities for web servers such as port scanning, URL scanning and file fuzzing. It can be used to scan a web server in HTTP or HTTPS, through a proxy and using HTTP authentication (basic or digest).

In addition, Webshag can use IDS evasion capabilities aimed at making correlation between requests more complicated.

Webshag provides additional innovative capabilities such as retrieving the list of domain names hosted on a target machine as well as fuzzing using dynamically generated filenames. Webshag can perform fingerprinting of web pages while being resistant to content changes. This feature is designed as a false positive removal algorithm aimed at dealing with "soft 404" server responses.
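To make the soft-404 handling concrete, here is an added example (my own code, not Webshag's) of the fingerprinting idea: request a few paths that cannot exist, keep only the word shingles common to every response, and treat any later page that contains that stable skeleton as a soft 404. The fake_server function and the probe paths are constructed stand-ins for a server that answers 200 OK for everything.

```python
import re


def tokenize(html):
    """Visible words of an HTML page, lower-cased, with every number collapsed to 0
    so request ids, dates and counters do not make two copies of the same page differ."""
    text = re.sub(r"<[^>]+>", " ", html)
    text = re.sub(r"\d+", "0", text.lower())
    return re.findall(r"[a-z0]+", text)


def shingles(tokens, k=3):
    """Set of k-word windows; order-sensitive, so it survives reflowed but not rewritten text."""
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def build_fingerprint(responses, k=3):
    """Shingles present in *every* probe response: the stable skeleton of the soft-404 page.
    Anything that varies per request (the echoed path, a request id) drops out of the intersection."""
    sets = [shingles(tokenize(r), k) for r in responses]
    return set.intersection(*sets) if sets else set()


def soft404_score(fingerprint, html, k=3):
    """Fraction of the skeleton that the candidate page contains (0.0 .. 1.0)."""
    if not fingerprint:
        return 0.0
    return len(fingerprint & shingles(tokenize(html), k)) / len(fingerprint)


def is_soft_404(fingerprint, html, threshold=0.8):
    return soft404_score(fingerprint, html) >= threshold


# Constructed stand-in for a server that returns 200 OK for every path: unknown paths get a
# "not found" page that echoes the path and a per-request id; /admin/ is a genuine page.
def fake_server(path, request_id):
    if path == "/admin/":
        return ("<html><head><title>Admin console</title></head><body>"
                "<h1>Administrator login</h1><form><input name=user>"
                "<input name=pass type=password><input type=submit value=Login></form>"
                "<div class=footer>Copyright 2014 Example Corp</div></body></html>")
    return ("<html><head><title>Oops</title></head><body><h1>Page not found</h1>"
            "<p>We could not find %s on our server. Request id %d, try again later.</p>"
            "<div class=footer>Copyright 2014 Example Corp</div></body></html>"
            % (path, request_id))


PROBES = ["/zq8x1k.html", "/no-such-dir/", "/xx-yy-zz.php"]  # constructed names that cannot exist


def fingerprint_from_probes():
    return build_fingerprint([fake_server(p, 1000 + i) for i, p in enumerate(PROBES)])


if __name__ == "__main__":
    fp = fingerprint_from_probes()
    for path in ["/does-not-exist", "/admin/"]:
        page = fake_server(path, 42)
        verdict = "soft 404" if is_soft_404(fp, page) else "real page"
        print("%-16s %-9s score=%.2f" % (path, verdict, soft404_score(fp, page)))
```

Only the shared footer shingles survive in the /admin/ page, so its score stays far below the threshold while every fresh "not found" page scores 1.0.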

Webshag is accessed through a GUI or a command-line console and available with the Linux and Windows platforms. Webshag can be found under Web Applications | Web Vulnerability Scanners as webshag-gui.

Webshag is easy to use. Each feature has a tab on the top. Select the desired feature tab, enter in your target URL under the target space and click on OK to execute. You can run multiple tabs simultaneously.


Features include Port Scanning, Spider, URL Scan, and Fuzzing.

Skipfish

Skipfish is a web application security Reconnaissance tool. Skipfish prepares an interactive sitemap for the target using recursive crawl and dictionary-based probes.

The resulting map is then annotated with the output of a number of active security checks. Skipfish can be found under Web Applications | Web Vulnerability Scanners as skipfish. When you first open Skipfish, a Terminal window will pop up showcasing the Skipfish commands. Skipfish can use built-in or customizable dictionaries for vulnerability assessment.

Note that some dictionaries may not be found in Kali. You can download the latest version of Skipfish and default dictionaries from https://code.google.com/p/skipfish/.

ProxyStrike

ProxyStrike is a web application proxy built to identify vulnerabilities while browsing an application. It runs as a proxy listening on port 8008 by default, meaning you have to configure your Internet browser to run through ProxyStrike so that it can analyze all the parameters in the background while you surf the target's website.

The proxy features are great for identifying, intercepting, and modifying requests. To configure an Internet browser such as Firefox to use ProxyStrike, go to Preferences | Advanced | Network in Firefox and select Settings. Select Manual Proxy and enter the IP address of your Kali server followed by port 8008 (unless you plan to change the ProxyStrike default port).

To use ProxyStrike, go to Web Applications | Web Vulnerability Scanners and select ProxyStrike. Assuming your Internet browser is sending traffic to ProxyStrike, you should see captured traffic in the Comms tab.

Vega

Vega is a security testing tool used to crawl a website and analyze page content to find links as well as form parameters.

To launch Vega, go to Web Applications | Web Vulnerability Scanners and select Vega. Vega will flash an introduction banner and display a GUI.

Owasp-Zap

OWASP ZAP, also known as Zaproxy, is an intercepting proxy designed for the security testing of web applications.

Open Zaproxy by going to Web Applications | Web Application Fuzzers and selecting owasp-zap. There will be a disclaimer pop-up that must be accepted to start the program.

Websploit

Websploit is an open source project used to scan and analyze remote systems to find vulnerabilities.

To access Websploit, go under Web Applications | Web Application Fuzzers and select websploit. A Terminal window will pop up with the Websploit banner. You can see all the available modules and what is required to run a specific module by typing show modules.

Exploitation

If a Penetration Tester invests the proper time and resources during the Reconnaissance of a target, the Penetration Tester should end up with a list of targets with possible vulnerabilities. The next step is prioritizing each target's value to your mission, approximating the level of effort required to exploit potential vulnerabilities, and judging the risk associated with performing the attack. The vulnerability analysis and exploitation tools available in Kali are ideal for identifying and exploiting vulnerabilities found during the Reconnaissance of web application servers.

Metasploit

The Metasploit framework is one of the most popular tools for exploiting server-side attacks. It is considered one of the most useful tools for Penetration Testers. HD Moore created it in 2003. It is used as a legitimate Penetration Testing tool, as well as a tool used by attackers to conduct unauthorized exploitation of systems.

There are a plenty of sources dedicated to teaching how to use the Metasploit framework. In the context of this book, we will examine how Metasploit is used for server-side exploitation for testing potential web applications.

The first step is to open up a console and type in msfconsole to launch Metasploit. msfconsole is the most popular way to launch Metasploit. It provides a user interface to access the entire Metasploit framework. Basic commands such as help and show will allow you to navigate through Metasploit.

Note: make sure the PostgreSQL and Metasploit services are started. You can do so by typing service postgresql start and service metasploit start in the Terminal window as root.

Note that there are other methods to launch Metasploit such as msfgui (GUI-based) and msfcli (command line-based).

In addition to Metasploit commands, msfconsole will allow you to invoke underlying OS commands such as ping or nmap. This is helpful because it allows an attacker to execute routine tasks without leaving the console.

Friday, April 11, 2014

Researching networks


Many people do not understand the true purpose of researching the network of a target prior to launching an attack. Amateur Penetration Testers understand the need to pick a target before they can perform a Penetration Test. After all, a Penetration Tester needs someplace at which to point their arsenal of tools. Many amateurs will run Nmap, ping sweeps, or other noisy tools to determine what targets are available, disrupting the environment, which later yields poor results.

Network Reconnaissance is about selecting a target. A seasoned network security professional will tell you good Reconnaissance is about selecting a quality target, spending the majority of their time watching, rather than acting. The first step of every Penetration Test is accurately finding and selecting quality targets.

The following are the best available tools in Kali for web application Reconnaissance.

  • HTTrack – clone a website
  • ICMP Reconnaissance techniques
  • DNS Reconnaissance techniques
  • Maltego – Information Gathering graphs
  • Nmap (Zenmap)
  • FOCA – website metadata Reconnaissance

Reconnaissance


The term Reconnaissance by definition comes from the military warfare strategy of exploring beyond the area occupied by friendly forces to gain information about the enemy for future analysis or attack. Reconnaissance of computer systems is similar in nature, meaning typically a Penetration Tester or hacker will attempt to learn as much as possible about a target's environment and system traits prior to launching an attack. This is also known as establishing a Footprint of a target. Reconnaissance is typically passive in nature and in many cases not illegal (however, we are not lawyers and cannot offer legal advice) to perform as long as you don't complete a three-way handshake with an unauthorized system.

Examples of Reconnaissance include anything from researching a target on public sources such as Google, to monitoring employee activity to learn operation patterns, to scanning networks or systems to gather information such as manufacturer, operating system, and open communication ports. The more information that can be gathered about a target, the better the chance of identifying the easiest and fastest method to achieve a penetration goal, as well as the best method to avoid existing security. Also, alerting a target will most likely cause certain attack avenues to close as the target reacts and prepares for an attack. Kali's official slogan says this best:

"The quieter you become, the more you are able to hear"

Reconnaissance objectives

  • Target background: What is the focus of the target's business?
  • Target's associates: Who are the business partners, vendors, and customers?
  • Target's investment in security: Are security policies advertised? What is the potential investment in security, and what is the level of user security awareness?
  • Target's business and security policies: How does the business operate? Where are the potential weaknesses in operation?
  • Target's people: What type of people work there? How can they become your asset for the attack?
  • Define targets: What are the lowest hanging fruit targets? What should be avoided?
  • Target's network: How do the people and devices communicate on the network?
  • Target's defenses: What type of security is in place? Where is it located?
  • Target's technologies: What technologies are used for e-mail, network traffic, storing information, authentication, and so on? Are they vulnerable?

Kali Linux contains an extensive catalog of tools titled Information Gathering specified for Reconnaissance efforts. It could fill a separate book to cover all tools and methods offered for Information Gathering. This chapter will focus on various web application Reconnaissance topics and relate the best tools found on the Internet as well as those offered by Kali Linux.

Initial research

Reconnaissance should begin with learning as much as possible about the people and business associated with the target. As a Penetration Tester, you need to know your target. If your target happens to be a website, you should look at all aspects of that website. It will give you a better understanding of how the site is maintained and run. Great Reconnaissance returns more possible vulnerabilities.

It is scary how much information is available on public sources. We have found the unimaginable, such as classified documents, passwords, vulnerability reports, undesirable photography, and access to security cameras. Many Penetration Testing project objectives start with leveraging information off public sources. Here are some starting points for gathering information from public sources.

Company website

There is a lot of valuable information that can be obtained from a target's website. Most corporate websites list their executive team, public figures, and members from recruiting and human resource contacts. These can become targets for other search efforts and social engineering attacks.

The robots.txt file is a publicly available file found on websites that gives instructions to web robots (also known as search engine spiders) about what is and is not to be crawled, using the Robots Exclusion Protocol. A Disallow: statement tells a crawler not to visit a resource; however, a Disallow can simply be ignored, and in practice it gives a researcher intelligence on what a target hopes not to disclose to the public.
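As an added example (not from the original post), the parser below reads a robots.txt the way a crawler would, grouping rules by User-agent and honoring blank-line record boundaries, and then audits it from the site owner's side by listing Disallow entries that advertise sensitive-looking locations. The robots.txt content and the SENSITIVE_HINTS list are constructed for the demo.

```python
# Constructed sample robots.txt for the demo.
SAMPLE_ROBOTS = """\
# site-wide rules
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /cgi-bin/
Allow: /public/
Sitemap: https://www.example.com/sitemap.xml

User-agent: Googlebot
User-agent: Bingbot
Disallow: /internal-reports/
"""

# Path fragments that suggest a Disallow line is hiding something rather than just saving crawl budget.
SENSITIVE_HINTS = ("admin", "backup", "private", "internal", "config",
                   "staging", "old", "test", "cgi-bin", "upload", "db")


def parse_robots(text):
    """Return (groups, sitemaps): groups maps each User-agent to its allow/disallow lists."""
    groups, sitemaps = {}, []
    current, in_rules = [], False
    for raw in text.splitlines():
        if not raw.strip():                      # a blank line ends the current record
            current, in_rules = [], False
            continue
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line or ":" not in line:          # comment-only or malformed line
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:                         # a User-agent after rules starts a new record
                current, in_rules = [], False
            current.append(value)
            groups.setdefault(value, {"disallow": [], "allow": []})
        elif field in ("disallow", "allow"):
            in_rules = True
            if value:                            # an empty "Disallow:" means nothing is blocked
                for agent in current:
                    groups[agent][field].append(value)
        elif field == "sitemap":
            sitemaps.append(value)
    return groups, sitemaps


def audit_robots(text):
    """List (agent, path, hint) for Disallow entries that name a sensitive-looking location."""
    groups, _ = parse_robots(text)
    findings = []
    for agent, rules in groups.items():
        for path in rules["disallow"]:
            if path == "/":                      # blanket block discloses nothing specific
                continue
            hits = [h for h in SENSITIVE_HINTS if h in path.lower()]
            if hits:
                findings.append((agent, path, hits[0]))
    return findings


if __name__ == "__main__":
    for agent, path, hint in audit_robots(SAMPLE_ROBOTS):
        print("%-10s %-22s discloses a %r location to anyone who reads the file" % (agent, path, hint))
```

The remedy on the defending side is to keep sensitive locations out of robots.txt entirely and protect them with authentication and access control, not with a Disallow line.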

Web history sources

There are archived versions of most public websites available from sources such as the WayBack Machine at archive.org. Interesting information can be found in an older version of a target's website, such as outdated organizational charts, phone numbers, customer intelligence, systems information listed in fields such as view source or /robots.txt, older business partnerships, vulnerabilities fixed in later versions, and other useful data the target doesn't want on the current website version. It is important to understand that publicly available information is hard to remove completely, making historical sources a valuable place for Reconnaissance research. To access the WayBack Machine, open a web browser and navigate to http://archive.org; you will see the Internet Archive WayBack Machine in the middle of the page.

As a Penetration Tester, this is a valuable tool, because it doesn't leave evidence of Reconnaissance on your target. In fact, your target is never even touched using this tool. All the information has been archived online in the Wayback Machine.

Social media resources

Social media is everywhere, and in most cases, publicly accessible. Most people have a Facebook, LinkedIn, blogs, or other forms of cloud accounts containing valuable information. This information can be used as a means of social engineering intelligence from a target's current or previous staff. An example is searching Glassdoor.com to identify previous employees that are disgruntled, based on feedback.

There are many people-finding web resources, such as Maltego (found in Kali Linux), that can comb popular social media, public records, and job recruiting websites to fingerprint an individual based on limited information, such as a first and last name. A researcher could gather information such as everywhere an individual has lived or done business, the people with whom they socialize, special interests, favorite sports teams, and other useful data for future research and social engineering attacks.

Trust

Most people are naturally trusting and assume information posted on public sources is real. To test this concept, the writers of this book created a fake person through social media and pretended to be a new hire for a target company. The fake person would become friends with associates of our target, post fake holiday cards that linked to a BeEF system designed to compromise vulnerable Internet browsers (using BeEF is covered later in this book), and capture sensitive information from compromised systems. We were able to map out the entire organization, obtain network information, and even had hardware shipped to us without an internal e-mail or phone number.

Our fake person, Emily Williams, isn't real, yet received job offers, was provided inside information, and was given access to events hosted by the target. Information is power, and people will give it to a requester who seems like they can be trusted. More information on this project can be found at: http://www.thesecurityblogger.com/?p=1903

Job postings

Job postings contain a wealth of knowledge about a target's environment. Job listings can provide details on what type of systems are installed, who manages them, how large the staff is, and the staff's skill level. Human Resource representatives are typically eager to share information with a potential new hire, which can be used as an avenue to inside information. An example is targeting a job posting for an Oracle developer to understand the hardware, version of Oracle, names of existing and previous administrators, existing operational issues, security gaps, and methods of access, such as by asking "can administrators work from home, and how do they access the systems?"

Glassdoor.com is an example of a popular source for this type of data.

Location

The investment in cyber security for a target can typically be determined based on the level of physical security. One would assume a building with fences and armed guards would have a higher investment in cyber security than a target located within a public building. Online mapping sources such as Google maps can help identify where physical security is implemented, and trends on how people move to and from the target. Other areas of interest are identifying where a Penetration Tester could camp out to scan for wireless networks, and possible methods to bypass access controls, such as attire and badges used to obtain physical access.

Shodan

Shodan is a search engine that can identify a specific device, such as a computer, router, or server, using a variety of filters, such as metadata from system banners. For example, you can search for a specific system, such as a Cisco 3850, running a version of software such as IOS Version 15.0(1)EX.

Google hacking

Google hacking is the most common form of search engine Reconnaissance of web applications. Google hacking uses advanced operators in the Google search engine to locate specific strings of text within search results. Search filters can zero in on specific versions of vulnerable web applications, such as Powered by Apache combined with the intitle:"index of" operator, or identify log files such as ws_ftp.log, which contain sensitive IP information. The following few screenshots demonstrate using a Google search for Linksys to find publicly available Linksys cameras. The first screenshot shows the search command followed by some example results from issuing the search.

The last screenshot shows a camera feed that could be found using this technique.

Some example search queries are as follows:
  • Identifies sensitive documents: intext: classified top secret
  • Identifies Linksys Camera Management GUIs (caution: you may not like what you find): inurl:main.cgi
  • Identifies Nessus reports to find vulnerable systems: inurl:NESSUSXXXXXXXX


For more information on Google hacking, check out a very good book titled Google Hacking for Penetration Testers by Johnny Long, as well as his website at http://johnny.ihackstuff.com.
Google Hacking Database

The Google Hacking Database (GHDB), created by Johnny Long of Hackers For Charity (http://www.hackersforcharity.org/), is the definitive source for Google search queries. Searches for usernames, passwords, vulnerable systems, and exploits have been captured and categorized by Google hacking aficionados. The aficionados who have categorized the Google searches are affectionately known as Google dorks. To access the GHDB, navigate to http://www.exploit-db.com/google-dorks/. You will see the latest GHDB searches listed on the web page. You can click on any of the search queries yourself.
Step 5 – maintaining a foothold


The final step is maintaining access by establishing other entry points into the target and, if possible, covering evidence of the penetration. It is possible that penetration efforts will trigger defenses that will eventually secure how the Penetration Tester obtained access to the network. Best practice is establishing other means to access the target as insurance against the primary path being closed. Alternative access methods could be backdoors, new administration accounts, encrypted tunnels, and new network access channels.

The other important aspect of maintaining a foothold in a target is removing evidence of the penetration. This will make it harder to detect the attack thus reducing the reaction by security defenses. Removing evidence includes erasing user logs, masking existing access channels, and removing the traces of tampering such as error messages caused by penetration efforts.

Kali Linux includes a catalog titled Maintaining Access focused on keeping a foothold within a target. Tools are used for establishing various forms of backdoors into a target.

The following is a list of goals for maintaining a foothold:
  • Establish multiple access methods to target network
  • Remove evidence of authorized access
  • Repair systems impacted by exploitation
  • Inject false data if needed
  • Hide communication methods through encryption and other means
  • Document findings

Step 4 – Privilege Escalation


Having access to a target does not guarantee accomplishing the goal of a penetration assignment. In many cases, exploiting a vulnerable system may only give limited access to a target's data and resources. The attacker must escalate privileges granted to gain the access required to capture the flag, which could be sensitive data, critical infrastructure, and so on.

Privilege Escalation can include identifying and cracking passwords, user accounts, and unauthorized IT space. An example is achieving limited user access, identifying a shadow file containing administration login credentials, obtaining an administrator password through password cracking, and accessing internal application systems with administrator access rights.

Kali Linux includes a number of tools that can help gain Privilege Escalation through the Password Attacks and Exploitation Tools catalog. Since most of these tools include methods to obtain initial access and Privilege Escalation, they are gathered and grouped according to their toolsets.

The following is a list of Privilege Escalation goals:

  • Obtain escalated level access to system(s) and network(s)
  • Uncover other user account information
  • Access other systems with escalated privileges
  • Document findings
 

Thursday, April 10, 2014

Step 3 – Exploitation


This step exploits vulnerabilities found to verify if the vulnerabilities are real and what possible information or access can be obtained. Exploitation separates Penetration Testing services from passive services such as Vulnerability Assessments and Audits. Exploitation and all the following steps have legal ramifications without authorization from the asset owners of the target.

The success of this step is heavily dependent on previous efforts. Most exploits are developed for specific vulnerabilities and can cause undesired consequences if executed incorrectly. Best practice is identifying a handful of vulnerabilities and developing an attack strategy based on leading with the most vulnerable first.

Exploiting targets can be manual or automated depending on the end objective. Some examples are running SQL Injections to gain admin access to a web application or social engineering a Helpdesk person into providing admin login credentials.

Kali Linux offers a dedicated catalog of tools titled Exploitation Tools for exploiting targets that range from exploiting specific services to social engineering packages.

The following is the list of Exploitation goals:

  • Exploit vulnerabilities
  • Obtain foothold
  • Capture unauthorized data
  • Aggressively social engineer
  • Attack other systems or applications
  • Document findings


Step 2 – Target evaluation


Once a target is identified and researched through Reconnaissance efforts, the next step is evaluating the target for vulnerabilities. At this point, the Penetration Tester should know enough about a target to select how to analyze it for possible vulnerabilities or weaknesses. Examples include testing for weaknesses in how the web application operates, in identified services, in communication ports, or by other means.

Vulnerability Assessments and Security Audits typically conclude after this phase of the target evaluation process.

Capturing detailed information through Reconnaissance improves accuracy of targeting possible vulnerabilities, shortens execution time to perform target evaluation services, and helps to avoid existing security. For example, running a generic vulnerability scanner against a web application server would probably alert the asset owner, take a while to execute and only generate generic details about the system and applications. Scanning a server for a specific vulnerability based on data obtained from Reconnaissance would be harder for the asset owner to detect, provide a good possible vulnerability to exploit, and take seconds to execute. Evaluating targets for vulnerabilities could be manual or automated through tools. There is a range of tools offered in Kali Linux grouped as a category labeled Vulnerability Analysis. Tools range from assessing network devices to databases.

The following is the list of Target Evaluation goals:

  • Evaluate targets for weakness
  • Identify and prioritize vulnerable systems
  • Map vulnerable systems to asset owners
  • Document findings
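The contrast drawn above between a generic scan and a recon-driven probe, as an added example that is not part of the original post: instead of sweeping every port, the code connects only to the ports an earlier Reconnaissance phase reported, reads one banner from each, and records a finding per port. The loopback "target" service, the banner text and the port list are constructed for the example; no real host is contacted and no Kali tool is invoked.

```python
"""Recon-driven target evaluation: probe only what reconnaissance already found.

Added example, not code from the page. The fake service, banner and port list
are constructed so the script runs entirely against 127.0.0.1.
"""
import re
import socket
import threading

# Assumed banner format for the example: an OpenSSH identification string.
BANNER_RE = re.compile(r"^SSH-2\.0-(?P<product>OpenSSH)_(?P<version>[\d.]+p?\d*)")


def start_fake_service(banner: bytes) -> int:
    """Stand-in target: listen on an ephemeral loopback port and send `banner` to one client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


def unused_loopback_port() -> int:
    """Pick a port nothing is listening on, for the closed-port case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 2.0) -> str:
    """One TCP connect and one read: the smallest footprint that still identifies the service."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(256)
        except socket.timeout:
            data = b""  # port is open but the service waits for the client to speak first
    return data.decode("ascii", errors="replace").strip()


def evaluate_target(host: str, ports) -> list:
    """Probe only the recon-identified ports and return one finding dict per port."""
    findings = []
    for port in ports:
        try:
            banner = grab_banner(host, port)
        except OSError:  # connection refused, timed out or unreachable
            findings.append({"port": port, "state": "closed", "banner": "",
                             "product": None, "version": None})
            continue
        m = BANNER_RE.match(banner)
        findings.append({
            "port": port,
            "state": "open",
            "banner": banner,
            "product": m.group("product") if m else None,
            "version": m.group("version") if m else None,
        })
    return findings


if __name__ == "__main__":
    # Constructed recon result: one port reported open on the target.
    target_port = start_fake_service(b"SSH-2.0-OpenSSH_6.6p1 Ubuntu-2ubuntu2\r\n")
    for finding in evaluate_target("127.0.0.1", [target_port, unused_loopback_port()]):
        print(finding)
```

The product and version fields are what feed the next step: with a concrete version string in hand you look up that one release rather than running every check a generic scanner ships with, which is the detection and time advantage described above.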

Step 1 – Reconnaissance


You should learn as much as possible about a target's environment and system traits prior to launching an attack. The more information you can identify about a target, the better chance you have to identify the easiest and fastest path to success.

Black box testing requires more reconnaissance than White box testing, since no data about the target(s) is provided. Reconnaissance services can include researching a target's Internet footprint; monitoring resources, people, and processes; scanning for network information such as IP addresses and system types; social engineering public-facing services such as the help desk; and other means.

Reconnaissance is the first step of a Penetration Testing service engagement, regardless of whether you are verifying known information or seeking new intelligence on a target.

Kali Linux offers a category labeled Information Gathering that serves as a Reconnaissance resource. Tools include methods to research network, data center, wireless, and host systems.

The following is the list of Reconnaissance goals:
  • Identify target(s)
  • Define applications and business use
  • Identify system types
  • Identify available ports
  • Identify running services
  • Passively social engineer information
  • Document findings

Kali Linux Penetration Testing concepts



Kali Linux is designed to follow the flow of a Penetration Testing service engagement. Regardless of whether the starting point is White, Black, or Gray box testing, there is a set of steps that should be followed when Penetration Testing a target with Kali or other tools.

  1. Step 1 – Reconnaissance
  2. Step 2 – Target evaluation
  3. Step 3 – Exploitation
  4. Step 4 – Privilege Escalation
  5. Step 5 – Maintaining a foothold




Key difference between a Penetration Test and Vulnerability Assessment

Penetration Testing is the method of attacking system vulnerabilities in a similar way to real malicious attackers.

Typically, Penetration Testing services are requested when a system or network has exhausted investments in security and clients are seeking to verify if all avenues of security have been covered. Penetration Testing can be Black, White, or Gray box depending on the scope of work agreed upon.

The key difference between a Penetration Test and a Vulnerability Assessment is that a Penetration Test will act upon the vulnerabilities found and verify whether they are real, reducing the list to the confirmed risks associated with a target.

A Vulnerability Assessment of a target could change to a Penetration Test once the asset owner has authorized the service provider to execute attacks against the vulnerabilities identified in a target.

Typically, Penetration Testing services have a higher cost associated since the services require more expensive resources, tools, and time to successfully complete assignments. One popular misconception is that a Penetration Testing service enhances IT security since services have a higher cost associated than other security services:

  • Penetration Testing does not make IT networks more secure, since services evaluate existing security! A customer should not consider a Penetration Test if there is a belief the target is not completely secure.

  • Penetration Testing can cause a negative impact to systems: It's critical to have authorization in writing from the proper authorities before starting a Penetration Test of an asset owned by another party. Without proper authorization, the activity could be treated as illegal hacking by the authorities. The authorization should state who is liable for any damage caused during the exercise, and who should be contacted if a system is damaged so that further impact can be avoided. Best practice is to alert the customer to all the potential risks associated with each method used to compromise a target before executing the attack, to set expectations. This is also one of the reasons we recommend targeted Penetration Testing with a small scope: it is easier to be much more methodical in your approach. As a common best practice, we also obtain confirmation that, in the worst case, the customer can restore a damaged system from backups or some other disaster recovery method.


Penetration Testing deliverable expectations should be well defined while agreeing on a scope of work. The most common method by which hackers obtain information about targets is social engineering, attacking people rather than systems. An example is interviewing for a position within the organization and walking out a week later with sensitive data that was handed over without resistance. This type of deliverable may not be acceptable if a customer is interested in knowing how vulnerable their web applications are to remote attack. It is also important to have a defined end goal so that all parties understand when the penetration services are considered concluded.

Usually, an agreed-upon deliverable serves this purpose.

A Penetration Testing engagement's success for a service provider is based on the profitability of the time and services used to deliver the engagement. A more efficient and accurate process means better results for fewer services used. The higher the quality of the deliverables, the closer the service comes to meeting customer expectations, resulting in a better reputation and more future business. For these reasons, it's important to develop a methodology for executing Penetration Testing services as well as for reporting what is found.

Calculating risk


It is important to understand how to calculate the risk associated with the vulnerabilities found, so that a decision can be made on how to react. Most customers look to the CIA triad from the CISSP curriculum when determining the impact of risk.

CIA is the confidentiality, integrity, and availability of a particular system or application.

When determining the impact of risk, customers must look at each component individually as well as the vulnerability in its entirety to gain a true perspective of the risk and determine the likelihood of impact.

It is up to the customer to decide whether the risk associated with a vulnerability found justifies or outweighs the cost of the controls required to reduce the risk to an acceptable level. A customer may not be able to spend a million dollars on remediating a threat that compromises guest printers; however, they will be very willing to spend twice as much on protecting systems holding the company's confidential data.

The Certified Information Systems Security Professional (CISSP) curriculum lists formulas for calculating risk as follows.

A Single Loss Expectancy (SLE) is the expected cost of a single loss event affecting an asset with a given Asset Value (AV).

Exposure Factor (EF) is the fraction of the asset's value that would be lost in a single event, for example the share of revenue lost when an Internet-facing server is shut down. Customers should calculate the SLE of an asset when evaluating security investments to help identify the level of funding that should be assigned to controls. If a single loss would cause a million dollars of damage to the company, it makes sense to consider that in the budget.

The Single Loss Expectancy formula:
SLE = AV * EF

The next important formula identifies how often the SLE could occur. If an SLE worth a million dollars could happen once in a million years, such as a meteor falling out of the sky, it may not be worth investing millions in a protective dome around your headquarters. In contrast, if a fire could cause a million dollars' worth of damage and is expected every couple of years, it would be wise to invest in a fire prevention system. The expected number of times per year that the loss occurs is called the Annualized Rate of Occurrence (ARO); a loss expected every two years has an ARO of 0.5, and a one-in-a-million-years event has an ARO of 0.000001.

The Annualized Loss Expectancy (ALE) is an expression of annual anticipated loss due to risk. For example, a meteor falling has a very low annualized expectancy (once in a million years), while a fire is a lot more likely and should be calculated in future investments for protecting a building.


Annualized Loss Expectancy formula:
ALE = SLE * ARO

The final and most important question to answer is the risk associated with an asset, which is used to size the investment in controls. This determines whether, and how much, the customer should invest in remediating a vulnerability found in an asset.

Risk formula:
Risk = Asset Value * Threat * Vulnerability * Impact


It is common for customers not to have values for the variables in risk management formulas. The formulas serve as guidance, helping the customer better understand how they should invest in security. In the previous examples, running the formulas with estimated values for a meteor strike and a fire in a building should make clear, in estimated dollars, why a fire prevention system is a better investment than a metal dome protecting against falling objects.
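The meteor-versus-fire comparison carried through with the formulas above, as an added example that is not part of the original post. SLE = AV * EF and ALE = SLE * ARO are the page's formulas; the dollar values, rates and control costs are constructed estimates. The safeguard value (ALE before the control minus ALE after it, minus the control's annual cost) is a standard companion formula from the same risk-management material but is not stated on the page, and the 0 to 1 scales used for the Risk formula's Threat, Vulnerability and Impact terms are an assumption, since the page gives no scales.

```python
"""Worked ALE and safeguard-value calculation (added example, not from the page).

    SLE = AV * EF       Single Loss Expectancy
    ALE = SLE * ARO     Annualized Loss Expectancy

All scenario numbers below are constructed estimates for the text's meteor-versus-fire
comparison. The safeguard value formula is standard practice but not stated on the page.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    name: str
    asset_value: float      # AV: value of the asset, in dollars
    exposure_factor: float  # EF: fraction of AV lost in one event, 0.0 to 1.0
    aro: float              # ARO: expected events per year (0.5 = once every two years)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """SLE = AV * EF: cost of a single occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """ALE = SLE * ARO: expected loss per year."""
        return self.sle() * self.aro


def safeguard_value(before: LossScenario, after: LossScenario, annual_control_cost: float) -> float:
    """Net yearly benefit of a control that turns scenario `before` into scenario `after`.

    Positive: the control removes more expected loss than it costs each year.
    Negative: the control costs more than the risk it removes.
    """
    return before.ale() - after.ale() - annual_control_cost


def risk_score(asset_value: float, threat: float, vulnerability: float, impact: float) -> float:
    """Risk = Asset Value * Threat * Vulnerability * Impact, as given on the page.

    Assumption for this example: threat, vulnerability and impact are each rated
    0.0 to 1.0, so the result is in the same units as AV and can be ranked across assets.
    """
    for label, value in (("threat", threat), ("vulnerability", vulnerability), ("impact", impact)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{label} must be between 0 and 1")
    return asset_value * threat * vulnerability * impact


# Constructed scenarios: a $10M headquarters building.
HQ_VALUE = 10_000_000.0

FIRE = LossScenario("fire", HQ_VALUE, exposure_factor=0.10, aro=0.5)            # $1M per fire, every two years
FIRE_SUPPRESSED = LossScenario("fire (suppressed)", HQ_VALUE, 0.02, 0.5)        # sprinklers cut the damage
METEOR = LossScenario("meteor", HQ_VALUE, exposure_factor=1.0, aro=1e-6)        # total loss, once in a million years
METEOR_DOMED = LossScenario("meteor (dome)", HQ_VALUE, 0.0, 1e-6)               # dome prevents the loss entirely

FIRE_SUPPRESSION_COST = 50_000.0   # per year
DOME_COST = 1_000_000.0            # per year


def compare_controls():
    """Return (fire suppression net value, meteor dome net value), in dollars per year."""
    return (
        safeguard_value(FIRE, FIRE_SUPPRESSED, FIRE_SUPPRESSION_COST),
        safeguard_value(METEOR, METEOR_DOMED, DOME_COST),
    )


if __name__ == "__main__":
    for scenario in (FIRE, METEOR):
        print(f"{scenario.name:8} SLE=${scenario.sle():>14,.2f}  ALE=${scenario.ale():>14,.2f}")
    fire_value, dome_value = compare_controls()
    print(f"fire suppression net value per year: ${fire_value:,.2f}")
    print(f"meteor dome net value per year:      ${dome_value:,.2f}")
```

With these estimates the fire and the meteor have an SLE of $1M and $10M respectively, but the ALE is $500,000 for the fire against $10 for the meteor, so the $50,000-a-year suppression system nets $350,000 a year while the dome loses almost its entire $1M cost. That is the page's point in numbers: the ARO, not the size of a single loss, decides where the control budget goes.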

Penetration Testing methodology


There are logical steps recommended for performing a Penetration Test. The first step is identifying the project's starting status. The most common terminology defining the starting state is Black box testing, White box testing, or a blend between White and Black box testing known as Gray box testing.

Black box assumes the Penetration Tester has no prior knowledge of the target network, company processes, or services it provides. Starting a Black box project requires a lot of reconnaissance and, typically, is a longer engagement based on the concept that real-world attackers can spend long durations of time studying targets before launching attacks.

As security professionals, we find Black box testing presents some problems when scoping a Penetration Test. Depending on the system and your familiarity with the environment, it can be difficult to estimate how long the reconnaissance phase will last, which usually presents a billing problem. Customers, in most cases, are not willing to write a blank cheque for unlimited time and resources spent on reconnaissance; however, if you do not spend the time needed, your Penetration Test is over before it began. Black box is also unrealistic in another way: a motivated attacker will not necessarily have the same scoping and billing restrictions as a professional Penetration Tester. That is why we recommend Gray box over Black box testing.

White box is when a Penetration Tester has intimate knowledge of the system. The goals of the Penetration Test are clearly defined and the outcome of the report is usually expected. The tester has been provided with details on the target such as network information, types of systems, company processes, and services. White box testing is typically focused on a particular business objective such as meeting a compliance need, rather than a generic assessment, and can be a shorter engagement depending on how the target space is limited. White box assignments can reduce information gathering efforts, such as reconnaissance, which means lower cost for Penetration Testing services.

Gray box testing falls in between Black and White box testing. It is when the client or system owner agrees that some unknown information will eventually be discovered during a Reconnaissance phase, but allows the Penetration Tester to skip this part. The Penetration Tester is provided some basic details of the target; however, internal workings and some other privileged information is still kept from the Penetration Tester.

Real attackers tend to have some information about a target prior to engaging it. Most attackers do not choose random targets. They are motivated and have usually interacted in some way with their target before attempting an attack. Gray box is an attractive approach for many security professionals conducting Penetration Tests because it mimics the real-world approach used by attackers and focuses effort on vulnerabilities rather than reconnaissance.

Kicking off a Penetration Testing service engagement should include an information gathering session used to document the target environment and define the boundaries of the assignment, to avoid unnecessary reconnaissance or attacking systems that are out of scope. A well-defined scope of work saves a service provider from scope creep (uncontrolled changes or continuous growth in a project's scope), keeps the work within the expected timeframe, and helps provide a more accurate deliverable upon concluding services.

Real attackers do not have boundaries such as time, funding, ethics, or tools meaning that limiting a Penetration Testing scope may not represent a real-world scenario.

In contrast to a limited scope, having an unlimited scope may never evaluate critical vulnerabilities if a Penetration Test is concluded prior to attacking desired systems. For example, a Penetration Tester may capture user credentials to critical systems and conclude with accessing those systems without testing how vulnerable those systems are to network-based attacks. It's also important to include who is aware of the Penetration Test as a part of the scope. Real attackers may strike at anytime and probably when people are least expecting it.

Some fundamentals for developing a scope of work for a Penetration Test are as follows:
  • Definition of Target System(s)
  • Timeframe of Work Performed
  • How Targets Are Evaluated
  • Tools and software
  • Notified Parties
  • Initial Access Level
  • Definition of Target Space
  • Identification of Critical Operation Areas
  • Definition of the Flag
  • Deliverable
  • Remediation expectations