What does that mean? Traditional or advanced? What are the differences between these types of penetration tests? Now we will discuss these penetration testing types. First, we should know how hackers think. Security solutions have evolved and are more powerful nowadays: security updates, extra security solutions, etc. Hackers don’t want to work hard 🙂 There are several simple ways to hack a company, like phishing, vishing, baiting, etc. In traditional tests, we generally want to see how many employees give us information like a password or email (social engineering tests). But it doesn’t end with that in real life. Why can’t your secretary be a cat lover 🙂 Send a mail with a malicious file about a cat (you can use any file format you want), decorate it a little, let’s hack!… Simple, right? Now let’s dive in a little.
Traditional Penetration Testing
Traditional penetration testing is similar to a vulnerability assessment, but in a pentest we want to exploit the vulnerabilities we find. After that, we want to take a look at the file system for important files, information, etc., or we can pivot to other networks/computers… You can take a look at some methodologies for that.
Penetration Testing Methodologies:
- OWASP
- NIST
- OSSTMM
- PTES, etc.
Example pentest methodology: PTES
We said, “We should find a vulnerability.” Every system can be hacked, but what if this system doesn’t have a vulnerability? Can we still hack it? Of course, our answer is “Yes!… But how?” We may not find a vulnerability in every system. But we know one thing: humans have weaknesses every time. In this case, we may want to use extra techniques to hack this company or system. We can hack nearly every company if we know human weaknesses. These types of attacks are also known as “Advanced Persistent Threat”, or in some cases you can say “Red Teaming”. Anyway!..
Advanced Penetration Testing
How advanced? Up to you 🙂 But this time we will actually write some code: for AV/SOC evasion, for encrypting our data and commands, for obfuscating our code, etc. You don’t need that for traditional tests, but in advanced penetration testing you must know how to write code: exploit writing, client-side exploits, etc. Additionally, you should know OSINT and human psychology. You may want to know some tricks and important file extensions; for example, if you compromise an employee’s machine that uses Microsoft’s mail system, you can find Personal Storage Table (.pst) or Offline Storage Table (.ost) files that hold mails and encrypted passwords.
Take a look at an APT methodology (you can find another or customize it for your job/mission).
- OSINT/Information Gathering: You can find all kinds of information about your target: employees, the AVs, plugins and software in use, employees’ family information (children’s names, pet names, wife’s name, birthdays, etc.), and more. You should collect all the information that comes to mind.
- Scenario and Mission Selection: You know the company’s business, and you should know what types of information are important to them. For example, if you test a 3D animation company, the most important things are probably computers, animations, transactions, etc. Why not try to exfiltrate an animation, especially a new one?
- Malware Creation, AV/SOC Evasion: The scenario is ready. Now we must select our malware and create a special one. You can use a modified Meterpreter, Veil, XORing, or try special techniques for evasion. Or you can create simple ransomware according to the scenario. In this case, you must know programming basics and sometimes advanced programming techniques (process injection, kernel exploitation, etc.).
- Command and Control (C2) Server Configuration: Hackers don’t want to get caught. Encryption, Tor networks, tunnels… Why don’t you create a chain with them? Use Tor services for the C2 service and encrypt the stage/commands/code; for example, you can use cryptlib or libgcrypt in C for the encryption operations. Is everything okay? All right!.. Finally for this section, you can use an SSH tunnel into the service for some operations; that’s up to you, imagine and create your own.
- Social Engineering: Everything is going well! In this section, we must select an attack type. This can be phishing, baiting, client-side exploits, vishing, etc. Then we have to prepare for the attack. For example, if we want to use baiting, we must prepare a BadUSB; if we want to use phishing, we must prepare a convincing mail, website, etc. Up to you and your mission.
- Post Exploitation: The human weakness is exploited, done! On the post-exploitation side, you want to exfiltrate some data from the company, or you may only read some data. This section of the test is everything you will do after a successful login to the compromised machine. If you want to exfiltrate data, you can even use a smart lamp to hijack the binary.
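The lure described in the introduction (a “cat” attachment in whatever file format the attacker likes) and the phishing preparation in the Social Engineering step above are exactly what a mail gateway has to catch. The following is an added example, not code from the original post, showing the kind of attachment triage a defender can run before a mail reaches the secretary: it flags executable or double extensions, macro-enabled Office types, and content whose magic bytes disagree with the declared extension. The extension lists, magic numbers and sample attachments are constructed assumptions for illustration, not taken from any product.

```python
"""Attachment triage for a mail gateway (constructed example).

Flags the kind of "cute cat" lure described in the post: a file whose
name looks harmless but whose extension or content says otherwise.
The extension lists and magic numbers are illustrative assumptions.
"""
from dataclasses import dataclass, field

# Extensions Windows will execute or hand to a script host directly
# (assumption: a typical gateway deny-list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js",
                   "jse", "wsf", "hta", "lnk", "msi", "ps1"}
# Office formats that may carry VBA macros.
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xlam"}
# Magic numbers for the "harmless" formats a lure usually pretends to be.
MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF",
    "zip": b"PK\x03\x04", "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04",
    "doc": b"\xd0\xcf\x11\xe0", "xls": b"\xd0\xcf\x11\xe0",
}
PE_MAGIC = b"MZ"  # DOS/PE executable header


@dataclass
class Verdict:
    name: str
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def triage_attachment(name: str, data: bytes) -> Verdict:
    """Return a Verdict listing every reason this attachment looks like a lure."""
    v = Verdict(name)
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    inner = parts[1:-1]  # "cat.jpg.exe" -> ["jpg"]

    if ext in EXECUTABLE_EXTS:
        v.findings.append(f"executable extension .{ext}")
    if ext in MACRO_EXTS:
        v.findings.append(f"macro-enabled Office extension .{ext}")
    # A benign-looking extension hidden before the real one.
    if inner and inner[-1] in MAGIC:
        v.findings.append(f"double extension .{inner[-1]}.{ext}")
    # An executable wearing a document or image extension.
    if data.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTS:
        v.findings.append(f"PE header in .{ext} file")
    # Declared format whose bytes do not match its own magic number.
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        v.findings.append(f"content does not match .{ext} magic")
    return v


# Constructed sample attachments (headers only, not real files).
SAMPLES = {
    "cute_cat.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # genuine JPEG header
    "cute_cat.jpg.scr": b"MZ\x90\x00" + b"\x00" * 16,     # double extension + PE
    "cat_photo.png": b"MZ\x90\x00" + b"\x00" * 16,        # PE disguised as PNG
    "cat_invoice.docm": b"PK\x03\x04" + b"\x00" * 16,     # macro-enabled document
    "cat_facts.pdf": b"%PDF-1.4\n" + b"\x00" * 16,        # genuine PDF header
}


def triage_all(samples=SAMPLES):
    """Triage every sample and return {name: Verdict}."""
    return {n: triage_attachment(n, d) for n, d in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        status = "BLOCK" if verdict.suspicious else "allow"
        print(f"{status:5} {name}: {'; '.join(verdict.findings) or 'no findings'}")
```

The checks are deliberately independent, so a single lure can collect several findings (a `.jpg.scr` is flagged for both its executable extension and its double extension), and a gateway can decide per finding whether to block, quarantine or just tag the message.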
Comparison
I think you can compare them, too. I created a list and added some important points to it.
You can find more information about these with a little searching. I hope I was able to convey the points I wanted to.
Thanks for your time. I hope this post helped you.
Best Regards, Berk KIRAS | PwC – Cyber Security Consultant