16. Penetration Testing

ND545 C3 L2 A10 Penetration Testing V1

Overview

The ultimate test of security is to put yourself in the shoes of an attacker and test your own system. This section covers how to organize and conduct a penetration test. While from prior sections we've learned that there are many attack types hackers can choose from, we'll focus on password attacks as an example.

Penetration testing, also known as pen testing, is a method of vulnerability discovery where ethical hackers target a resource to determine whether vulnerabilities can be exploited to compromise an environment or asset. These tests can target all resources, from technology devices and networks to physical offices and even employees via social engineering tests.

Red Team vs Blue Team

Penetration tests include two sides that are categorized as teams. One side is the offensive team (red team), who pretend to be the “bad” actors launching attacks. The other is the defensive team (blue team), who act as the “good” side trying to detect and prevent the attacks.

Penetration Testing Approaches

Penetration tests are also characterized by how the red team approaches testing and how much insider knowledge is available to them. Typically, the less knowledge the penetration tester has, the more realistic the simulation is, because attackers don’t usually know everything about a network they are targeting in the beginning. However, note that insider threats sometimes launch attacks as well and will have internal knowledge. The main testing approaches are:

  • White box testing: A test methodology that assumes explicit and substantial knowledge of the internal structure and implementation detail of the assessment object.

  • Black box testing: A test methodology that assumes no knowledge of the internal structure and implementation detail of the assessment object.

  • Gray box testing: A test methodology that assumes some knowledge of the internal structure and implementation detail of the assessment object.

Definitions from the NIST CSRC Glossary: https://csrc.nist.gov/glossary/

Penetration Test Example: Password Cracking using Dictionary Attack Mode

One penetration test component that may be carried out is a password cracking test.

Password cracking is the process of guessing, recovering, or reverse calculating a secret password stored in a computer system or transmitted over a network. It’s like picking a lock on a virtual door.

There are many approaches available to cracking a password:

• Brute Force Attack - The attacker tries every possible password combination until one works.

• Dictionary password attack – The attacker hashes a dictionary list of common user passwords and compares the result to a password hash list "stolen" from a system. For example, the MD5 hash of password123 is 482c811da5d5b4bc6d497ffa98491e38. If that string is found in a system's password file, it means that a user has their password set to "password123".

• Social engineering password attack - Attackers who pretend to be employees try to get access to system information by asking other employees for their usernames and passwords. Once they successfully get the credentials from the employees, they'll try to use the information to gain access to the company's systems.

Password Cracking Tools

Weak passwords can be cracked in a matter of seconds using password cracking software like HashCat (open source). Within HashCat, a basic attack has four components:

(hash type) (attack mode) (hash file) (dictionary file)

Example Command

To crack a password using a dictionary attack, for example, you may specify the command -m 0 -a 0 hash.txt file.dict, which translates into the following arguments:

  • Hash type: -m 0
  • Attack mode: -a 0
  • Hash file: hash.txt
  • Dictionary file: file.dict

Translated example of command: -m 0 -a 0 hash.txt file.dict

  • -m 0 represents the hash type MD5

  • -a 0 represents dictionary attack mode

  • hash.txt and file.dict are the target hash file and the dictionary file
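To make the dictionary-mode mechanics concrete (the hashed-list comparison described under "Dictionary password attack" and what -m 0 -a 0 hash.txt file.dict does under the hood), here is an added Python audit script. It is not part of the lesson or of hashcat; it flags accounts whose unsalted MD5 hash matches a word in a common-password list, and the file contents are constructed samples in a user:hash layout assumed for this example.

```python
import hashlib

# Constructed sample contents of a "stolen" hash file (hash.txt), one
# user:md5hex entry per line. Not taken from any real system.
SAMPLE_HASH_FILE = """\
alice:482c811da5d5b4bc6d497ffa98491e38
bob:5f4dcc3b5aa765d61d8327deb882cf99
carol:0123456789abcdef0123456789abcdef
"""

# Constructed sample dictionary (file.dict), one candidate password per line.
SAMPLE_DICT_FILE = """\
letmein
password
password123
"""


def md5_hex(word: str) -> str:
    """Raw, unsalted MD5 hex digest of a candidate password (hashcat -m 0)."""
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def build_lookup(dictionary_text: str) -> dict:
    """Hash every dictionary word once, so each stored hash costs one lookup."""
    words = (line.strip() for line in dictionary_text.splitlines())
    return {md5_hex(w): w for w in words if w}


def audit_hashes(hash_text: str, dictionary_text: str) -> dict:
    """Return {username: plaintext} for each account whose hash is in the dictionary.

    Accounts whose hash matches nothing (e.g. carol above) are simply not reported.
    """
    lookup = build_lookup(dictionary_text)
    weak = {}
    for line in hash_text.splitlines():
        if ":" not in line:          # skip blank or malformed lines
            continue
        user, digest = line.split(":", 1)
        digest = digest.strip().lower()
        if digest in lookup:
            weak[user.strip()] = lookup[digest]
    return weak


if __name__ == "__main__":
    for user, pw in audit_hashes(SAMPLE_HASH_FILE, SAMPLE_DICT_FILE).items():
        print(f"{user}: weak password '{pw}' (hash found in dictionary)")
```

Because raw MD5 is unsalted and fast, one precomputed table of hashed dictionary words checks every account at once; a salted, deliberately slow hash such as bcrypt or Argon2 removes exactly that shortcut.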

Check out the help section of the site to access source code, introductory videos, and more: https://hashcat.net/hashcat/

Syntax for additional hash types can be found here: https://hashcat.net/wiki/doku.php?id=example_hashes

If you’d like to learn more about hashcat, here’s a good intro video: https://www.youtube.com/watch?v=EfqJCKWtGiU

There are some cases in which penetration testing works well, such as periodically checking for security gaps or testing security after major network changes. However, there are also times when penetration testing may not be the best answer, or when extra precautions should be taken. For example, Black Friday in the U.S. is one of the biggest sales days for retailers. A retail company may not want to conduct a penetration test against the company website during this time, since the activity could potentially take down services. It’s also important to outline rules of engagement with testers to provide guidance on just how far they can go. For example, if the testers can hack the site and gain the access needed to shut it down, should they stop there and notify you? Or should they keep going and actually try to shut it down? The bottom line is that planning a penetration test at the right time and with the right rules is important. In between tests, leverage vulnerability scanning and manual testing to continue finding issues with less potential impact.

Additional Resource

Most Popular Tool for Penetration Testing
Metasploit: https://metasploit.help.rapid7.com/docs