Bases of Penetration Testing and Security (PTES)
Penetration Testing, or Pentesting, comprises the procedures, techniques and tools that make it possible to simulate the methods a potential attacker could use to overcome or bypass an organization's security controls, with the final objective of gaining access to its systems.
Penetration testing is not a matter of running simple scans, applying automated tools and generating reports; it rests on sophisticated methodologies that take years of practice to master. The process of becoming proficient is long and complex, because real-world experience with all types of environments, systems and workflows across different corporations is essential.
The Penetration Testing Execution Standard (PTES) redefines how these tests are conceived within the security industry. The standard was created to support all types of professionals, with the mission of raising awareness and defining an appropriate pentesting methodology. It does so by establishing a methodology that satisfies a set of fundamental principles required for any penetration test.
The PTES standard defines a set of phases that structure a penetration test and guarantee the minimum requirements for assessing the target organization. Anyone following this procedure ensures an appropriate level of effort and therefore a minimum level of quality in the penetration test. The standard is divided into seven phases, each requiring a different level of effort to complete and, of course, entirely dependent on the characteristics, complexity and scope of the organization being evaluated.
Pre-Engagement Interactions take place when the terms of the penetration test are negotiated and discussed with the client, and when the scope and context of the test within the organization are determined, including its business model, infrastructure, services and applications. It is vital that the objectives of the engagement are agreed, and this is usually the period in which the client can be educated on the importance of the process. This includes the tasks and tests to be performed, a clear statement of what is expected to be achieved, and the restrictions that apply to the tests (including those that are essential and must be resolved before starting).
In the Intelligence Gathering phase, every type of information that can be obtained about the organization to be attacked is investigated and collected. All kinds of gathering methods are used in this phase, from social networks and media, search engine hacking (Google, Bing, Baidu, DuckDuckGo) and "interrogation" of protocols and services to active and passive footprinting techniques (open-source intelligence, DNS, network and services). A fundamental skill of any pentester is the ability to learn as much as possible about a target, including its behaviors, ways of operating and, ultimately, how it can be attacked. Any information gathered is welcome, since it gives value and background to the attack operation. It also builds knowledge of the controls and security mechanisms a victim may have in place, as each organization is different.
Generally, the protection mechanisms of each system are determined through a slow process of inspection, packet injection and tracing, probes (beacons with payloads), identification patterns, verification against known heuristics, and so on. For example, some systems only accept connections from specific IP ranges or Ethernet masks, or identify clients by tracing magic numbers, and any other form of access is temporarily or permanently blocked by the system's own firewall, making information gathering even harder. In the case of web applications and services, it is equally common for access to be restricted based on the number of requests (X calls every Y time), on certain types of requests (URLs such as /login, code injection via the URL query string, etc.) or on the way the service is used (uploading forbidden or potentially malicious files, repeated requests to authentication and recovery mechanisms, forcing insecure or outdated protocols, SSH connections with exploratory parameters outside conventional guidelines, etc.). For this reason, it is advisable to exhaust all possible search and inquiry alternatives before being filtered and blocked and, in case it happens, to have a repertoire of IPs, MACs, destination URLs, referrer URLs, source nodes, user agents and so on to fall back on, which makes the activity harder to recognize as a pattern.
As a curiosity, any entity exposed to the Internet is constantly subjected to this type of activity, aimed at collecting information to exploit potential vulnerabilities. The more chaotic and seemingly random our requests and queries are, the better, as they will blend in with that background noise. In general, it is advisable to collect information from different machines, IPs and origins than those from which the attacks will later be carried out.
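The two blocking mechanisms described above for web services, a request budget per source ("X calls every Y time") and an IP-range allowlist on a sensitive path, are straightforward to reason about in code. The following is an added example written from the defender's side; it is not part of the original article or of PTES. The log entries are constructed, and the thresholds (5 requests per 10 seconds, a 10.0.0.0/8 allowlist for `/admin`, a burst threshold on `/login`) are hypothetical values chosen for illustration.

```python
"""Sliding-window request throttling and an IP-range allowlist, as described
for web applications in the text, run over a constructed sample log.
Added example; the log lines and thresholds are hypothetical."""
from collections import defaultdict, deque
import ipaddress

# Constructed sample log: (timestamp_seconds, source_ip, method, path, user_agent).
# 203.0.113.10 hammers /login; 198.51.100.7 tries /admin from outside the allowlist.
SAMPLE_LOG = [
    (0.0, "203.0.113.10", "GET", "/", "Mozilla/5.0"),
    (0.5, "203.0.113.10", "GET", "/login", "Mozilla/5.0"),
    (1.0, "203.0.113.10", "POST", "/login", "Mozilla/5.0"),
    (1.2, "203.0.113.10", "POST", "/login", "Mozilla/5.0"),
    (1.4, "203.0.113.10", "POST", "/login", "Mozilla/5.0"),
    (1.6, "203.0.113.10", "POST", "/login", "Mozilla/5.0"),
    (2.0, "198.51.100.7", "GET", "/", "Mozilla/5.0"),
    (9.0, "198.51.100.7", "GET", "/admin", "curl/8.0"),
    (10.0, "10.0.0.5", "GET", "/admin", "Mozilla/5.0"),
    (30.0, "203.0.113.10", "GET", "/", "Mozilla/5.0"),
]

# Hypothetical allowlist: only the internal range may reach /admin.
ADMIN_ALLOWED = [ipaddress.ip_network("10.0.0.0/8")]


class SlidingWindowLimiter:
    """Allow at most max_requests per key within any window_seconds span."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.hits = defaultdict(deque)  # key -> timestamps still inside the window

    def allow(self, key, now):
        q = self.hits[key]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def source_allowed(path, ip):
    """IP-range restriction: /admin is reachable only from allowlisted networks."""
    if not path.startswith("/admin"):
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_ALLOWED)


def evaluate(log, max_requests=5, window_seconds=10):
    """Return one (timestamp, ip, path, decision) tuple per log entry."""
    limiter = SlidingWindowLimiter(max_requests, window_seconds)
    decisions = []
    for ts, ip, _method, path, _ua in log:
        if not source_allowed(path, ip):
            decisions.append((ts, ip, path, "deny:ip-not-allowlisted"))
        elif not limiter.allow(ip, ts):
            decisions.append((ts, ip, path, "deny:rate-limit"))
        else:
            decisions.append((ts, ip, path, "allow"))
    return decisions


def max_path_burst(log, path="/login", window_seconds=10):
    """Largest number of hits on `path` within any window, counted across all
    sources. Counting per path rather than per source is what still catches
    repeated authentication attempts when the client rotates IPs or user agents."""
    times = deque()
    peak = 0
    for ts, _ip, _method, p, _ua in log:
        if p != path:
            continue
        while times and ts - times[0] >= window_seconds:
            times.popleft()
        times.append(ts)
        peak = max(peak, len(times))
    return peak


if __name__ == "__main__":
    for row in evaluate(SAMPLE_LOG):
        print(row)
    print("peak /login burst:", max_path_burst(SAMPLE_LOG))
```

Run as a script, the sixth request from 203.0.113.10 is rejected by the rate limit, the `/admin` request from 198.51.100.7 is rejected by the allowlist, and the same source is allowed again at t=30 once its earlier hits have aged out of the window. The per-path counter reports a burst of five `/login` requests, a signal that survives the source rotation the text describes because it is not keyed on the client at all.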
Threat Modeling uses the information gathered in the previous phase to identify the vulnerabilities present in the system. Once the modeling is done, the most effective method of attack, the type of information being sought and how the organization could be attacked are determined. It is important to adopt the role of the attacker, viewing the organization as an adversary with a set of weaknesses and trying to exploit them as a real attacker would.
The Vulnerability Analysis phase focuses on studying ways to gain access to the target organization once the most viable attack methods have been identified. Here the information learned in the previous phases, often referred to as intelligence, is combined and used to understand the types of attacks available, how easy they are to develop and execute, and what compromise they would yield. This includes, for example, port, service and vulnerability scanning, information gathering from web applications and operating systems (web server and OS fingerprinting), and data gathering through software and service versioning techniques (banner grabbing), among others.
Once the previous phases have been completed, one of the most interesting and popular parts of penetration testing, Exploitation, is performed. It is advisable to focus on precise, often surgical attacks, although this does not rule out brute-force attempts. In this phase exploits are used, i.e. software, data sets or scripts that take advantage of a vulnerability, security flaw or bug in an application or system. An exploit should therefore be used only when it is known "for sure" that it will succeed. Before launching an attack we should know that the system is vulnerable in that respect, while always bearing in mind that unforeseen situations can arise for the pentester: there may be hidden security measures and defensive containment mechanisms, not discovered in the previous phases, that end up neutralizing the attack. Carrying out chaotic attacks in which every available exploit is tried is not recommended, since it is noisy and complicates the analysis, detracting value both from the pentesting process and for the client.
The Post-Exploitation phase begins once a system has been compromised during exploitation, although the pentesting work is far from complete at that point. This phase is fundamental, since it is what sets a pentester apart from other security analysts, providing useful information to the organization and determining, in a differentiating way, the value and intelligence actually delivered to the client. Post-exploitation targets specific systems, identifies critical infrastructure and tries to obtain the data and information of greatest importance to the organization, which is precisely why that information is hidden and secured. The pentester directs attacks at systems, applications and services with the purpose of demonstrating the maximum impact on the client's business.
When performing these attacks and analyzing them, it is important to consider the different roles and capabilities of the users of each system, as well as the technical performance and operational behavior of each entity in the organization. The field is wide enough to accommodate every possibility, hence its complexity and potential results. For example, even after performing an effective attack on the network layer and achieving DNS poisoning and spoofing, we are still unable to interfere with all communication systems and their authentication, because we have not fully considered cases such as Kerberos ticket authentication, LDAP or Active Directory. Have we considered the possibility of attacking the financial system and payroll mechanisms? The corporate network and impersonation via corporate email? Patents and intellectual property? Contract replacement and service expiration? Exploitation of backdoors in deployed software, modification of open collaborative code, or the mechanisms for delivering customized code to customers or manufacturers? Ways of damaging corporate credibility, networks and commercial image? As can be seen, the possibilities are endless. After all, this phase contemplates every kind of scenario in which the pentester must take the time to analyze the available information and use it to their own advantage. It is not necessary to elaborate sophisticated attack plans in which a multitude of conditions must be met to complete the exploitation; however, the larger the organization and the more intricate its infrastructure, roles, services and applications, the more complex and convoluted the exploitation paths to business impact can become.
There are all kinds of situations: sometimes the most common and "simple" attacks are the most fruitful, but on other occasions it is necessary to chain several security holes precisely and to build a set of routes with sub-objectives in order to reach the trophy with the greatest impact on the organization.
Finally comes the last and most important phase, Reporting, because it shows and communicates what has been done, how it has been done and, above all, what the organization can do to protect itself and fix the vulnerabilities discovered during the penetration test. A key aspect is that the preceding phases are performed from the point of view of a potential attacker, so the value delivered to the client's organization is clear, drastically improving its security and helping to block future attacks. As the findings are documented, we consider how the organization can use them to raise its awareness, patch systems and remediate the security holes found in its services and applications. Once the results are ready, it is advisable to present and communicate at least two types of report: an executive presentation (summary dossier) and a technical document. The reporting process can, however, be more ambitious and include periodic evaluation and verification of previous stages, especially if collaborative agreements are in place that cover the implementation and review of bug and vulnerability fixes.
It is important to note that the PTES methodology is generally applied iteratively, often checking technical and operational changes in the organization in a cyclical fashion. This does not mean that steps carried out in previous assessments should be skipped, since there may be significant changes that influence any of the other phases, affecting the procedure and the correct evaluation of the penetration test.
This article has covered the phases and general guidelines included in the standard, but the work is often extremely complex and exhaustive, especially for transnational organizations with a high commercial impact. The pentester must therefore be equipped with a set of tools, technical skills and methodologies to make the security analysis effective, without neglecting the more artistic side. In short, one must be creative and value one's own methods above automated tools, while always being able to adapt quickly, since the available information keeps growing throughout the process.