One Flew Over the Cuckoo's Test
Penetration Testing with Methodology
“All I know is this: nobody’s very big in the first place, and it looks to me like everybody spends their whole life tearing everybody else down.” -One Flew Over the Cuckoo’s Nest (1975)
I love this quote from this film and unfortunately, despite the fact that it’s now 41 years since the film’s release, it’s still relevant and in my experience is quite systemic in the IT security field. In the sixteen years I’ve worked in the industry, the “more elite than thou” attitude has in my humble opinion turned what could have been the greatest penetration testers ever into something less, simply because of their attitude.
I’m here to debunk the common attack on penetration testers that seems to be so prevalent in the industry, which is “you’re not as good of a penetration tester as someone who can write code.”
I’m sorry, but this simply couldn’t be further from the truth. The best penetration testers in the world that I’ve met, from the United States to Europe, couldn’t code their way out of a paper bag. I’ve published numerous vulnerabilities, including how to hack VPN appliances, which I spoke about at Black Hat Briefings in 2001 (in my former life as Eric Hines) at Caesars Palace, Las Vegas, and which uncovered numerous flaws in the company’s logic for routing packets from the public side of the VPN to its private network without IPsec and without IKE. You could route traffic right into the private network from the outside simply by setting your default gateway to the VPN’s public IP address. This attack could even be performed from the Internet as well, because the VPN allowed source-routed packets to traverse its interfaces! Now, 15 years later, I’m hacking into connected automobiles and autonomous cars for European automakers remotely from the Internet, taking control of the steering wheel and braking system by hacking the car’s ECUs through GSM.
Ask me how only programmers could identify these vulnerabilities.
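The source-routing weakness described above has a simple defensive counterpart: an edge device should refuse IPv4 packets that carry a loose or strict source route option. The following is an added example, not code from the original talk or from any VPN vendor; the function names and the sample packets are constructed for illustration.

```python
import struct

# IPv4 option types from RFC 791
OPT_EOL, OPT_NOP = 0, 1
SOURCE_ROUTE = {131: "LSRR", 137: "SSRR"}  # loose / strict source and record route

def ipv4_options(packet: bytes):
    """Yield (type, data) for each IPv4 header option; raise ValueError if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad header length")
    i = 20                                # options start after the fixed header
    while i < ihl:
        kind = packet[i]
        if kind == OPT_EOL:
            return
        if kind == OPT_NOP:               # single-byte padding option
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("truncated option")
        length = packet[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("bad option length")
        yield kind, packet[i + 2:i + length]
        i += length

def verdict(packet: bytes) -> str:
    """Filter decision: drop source-routed or malformed packets, pass the rest."""
    try:
        for kind, _ in ipv4_options(packet):
            if kind in SOURCE_ROUTE:
                return "drop: " + SOURCE_ROUTE[kind]
    except ValueError as exc:
        return "drop: malformed (%s)" % exc
    return "pass"

def build_header(options: bytes = b"") -> bytes:
    """Constructed sample header (documentation addresses, checksum left at 0)."""
    options += b"\x00" * (-len(options) % 4)      # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0,
                       64, 6, 0, bytes([198, 51, 100, 7]), bytes([203, 0, 113, 1])) + options

# Constructed samples: no options, LSRR, NOP + SSRR, and an option overrunning the header
PLAIN = build_header()
LSRR = build_header(bytes([131, 7, 4, 192, 0, 2, 10]))
SSRR = build_header(bytes([1, 137, 7, 4, 192, 0, 2, 10]))
BAD_LEN = build_header(bytes([131, 40, 4, 0]))

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("lsrr", LSRR), ("ssrr", SSRR), ("bad", BAD_LEN)]:
        print(name, "->", verdict(pkt))
```

On a Linux gateway the same policy is enforced in the kernel by setting net.ipv4.conf.all.accept_source_route to 0.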
So before I go into today’s article, I’ll end with this: do not listen to the “naysayers.” There will always be someone out there to tell you that you aren’t good enough or “elite” enough to be as good of a penetration tester as someone who can code.
Remember, “you must be imaginative, strong-hearted. You must try things that may not work, and you must not let anyone define your limits because of where you come from. Your only limit is your soul. What I say is true – anyone can cook [be a penetration tester]… but only the fearless can be great.” – Chef Gusteau, Ratatouille (2007).
Okay, so you want to perform a penetration test? You must adopt a methodology. Otherwise, you will be flying all over the place with no intended direction. Whether you choose the Penetration Testing Execution Standard (PTES), the OWASP web application penetration testing project, or your own bastardized version of those that creates your own unique modus operandi, it’s important to have one.
In any case, your methodology should include at the minimum:
Reconnaissance: This is where you will footprint your attack surface, such as running portscans and identifying services and their versions. Don’t make the mistake of running a regular portscan (1-1024/TCP) against a large number of target IP addresses. If you are performing a large penetration test against a significantly large number of targets, make sure to leverage your auxiliary scanners within Metasploit for specific services, such as SSH, FTP, SNMP, HTTP, Oracle, MSSQL, and other services that you’ll quickly become partial to going after. For example, my favorite services to hunt for are MSSQL and Oracle. Learn these auxiliary scanners and be more purposeful with your port scanning rather than “nmap -sS -T insane..”
Vulnerability Analysis: If you can invest in a good commercial off-the-shelf (COTS) vulnerability scanner, do it! It’s worth it. Nessus is great, NeXpose is better. Yes, for those mud slingers out there, I get that there are people who think Nessus is better than NeXpose and that it’s a religious debate. But I also strongly believe that you get what you pay for. Rapid7 is known for being very expensive, but they make good stuff — end of story.
NOTE: There is a free community version of NeXpose available as well (cool!). Your war chest should consist of more than just a commercial vulnerability scanner; you should be leveraging open source tools as well (e.g. sqlmap, bbqsql, w3af, vega, smbscan, etc.). There are some very powerful tools out there. Find them, learn them, use them. Don’t know how to? YouTube and SecurityTube are your friends.
Exploitation: Once you’ve found exploitable vulnerabilities, you need to, well, exploit them (duh!). I love Metasploit. If you haven’t yet, go check out Metasploit Unleashed (free tutorials) at Offensive Security. They walk you through the basics of being an honorary ninja in Metasploit. Find matching exploits for the vulnerabilities you’ve found and press-and-pray.
Post-Exploitation: Believe it or not, getting that Meterpreter shell or bind shell is not the hard part. Do you know your list of effective “net use” commands for Windows command lines that will help you find the Active Directory server in the network or list all of the domain admins in the domain? Have that cheat sheet for Windows administrators ready for when you need to add yourself as a Domain Admin or find out the hostname of the AD server to dump all those domain accounts for offline cracking!
That’s it. No matter what methodology you use or if you are at a point where you’ve created your own, have something! Don’t just start spraying target IP addresses just because you’ve learned how to boot into Kali.