Summary

Over the past two weeks I have been learning penetration testing by practice: root-me.org challenges, the OWASP Testing Guide, and Burp Suite labs.

Meanwhile, while building penetration testing skills, I started offering cooperation to companies specializing in InfoSec, where we could complement each other in establishing information security for government organizations, a need driven by recent changes in Russian law.

I decided not to focus solely on government organizations, but to look at notable breaches over the past year to identify popular targets, and then offer companies in those business domains to work together on the information security of their organizations.

Discovery

During recent work on establishing information security for a government organization I found that penetration testing results are a major criterion of an organization's current information security state. The OWASP Testing Guide should be the main reference when auditing an organization.

Those who read me often already know that I consider the most reliable test of knowledge quality and completeness to be doing something practical with it. In the case of information security I develop my skills on resources such as Burp Suite labs, root-me.org, and battle-proven platforms like Cyber Polygon.

At first I went through all of these challenges one by one, but later I changed this approach to focus first on the most popular attack vectors of this year. The list is:

    1. Server Security Misconfigurations (28.1%)
    2. Cross-Site Scripting (15.5%)
    3. Broken Access Control (14.7%)
    4. Sensitive Data Exposure (8.4%)
    5. Authentication and Sessions (8%)

Alongside learning how to get into a system, I started writing up the steps that should be performed to mitigate such issues (link). This was done for personal use (and is still work in progress); for the general reader I would again suggest the OWASP Testing Guide.

When I became more or less confident with my set of recently learned techniques, I tested them in close-to-realistic scenarios. There are places that offer this without hacking a real endpoint of some company. So far I have ended up with the following general attack scenario:

1. Get basic information from the endpoint (-A already implies -sV and -sC plus OS detection and traceroute, so the last two flags are redundant; -Pn skips host discovery, which is useful when ICMP is filtered):
    $ nmap -A -Pn -sC -sV 'endpoint'


2. Brute-force directories and files (content discovery, not to be confused with the directory traversal vulnerability) to find restricted areas that have been left open:
    $ dirb 'endpoint' 'path-to-bruteforce-dictionary-on-local-filesystem'


3. Investigate discovered artifacts:
   3a. Found an admin URL:
       - if it is protected by HTTP Basic authentication (the Base64-encoded Authorization header), try to bypass the restriction by varying the HTTP request method (e.g. PUT instead of POST), since access rules are sometimes configured only for specific methods
       - try SQL injection:
         $ sqlmap -u 'endpoint'
   3b. Found an exposed .git folder:
       - dump the repository and check the commit history for security holes in the software, e.g. with GitDumper from GitTools (it takes the .git URL and a destination directory; afterwards inspect the dump with git log and git show):
         $ ./gitdumper.sh 'endpoint'/.git/ 'path-to-folder-on-local-filesystem'
   3c. Investigate the HTML and JS source code for clues to security holes (passwords, non-public API methods, database table names, etc.)
   3d. Go deeper with other penetration testing techniques

4. Based on the fingerprinting results, search for recent vulnerabilities (and possibly already published exploits). The Nmap run and the SQL injection attempts should tell us the endpoint's operating system and the database used by the backend. This information can be used to search recently disclosed vulnerabilities, e.g. in the US National Vulnerability Database (NVD) or the Russian FSTEC vulnerability database (BDU), and the results can be used to write your own exploit or to reuse an already published one. Treat a version match as a lead rather than a confirmed hole: Nmap's version detection relies on banners that can be wrong or deliberately changed, and distribution packages often backport fixes without bumping the version string.

Tools like Nessus or alternative vulnerability scanners might help to automate this search.

5. Focus on the most popular attack vectors
The OWASP Testing Guide contains many attack vectors and is updated regularly. Over the past two weeks I touched only 5%-15% of these techniques, so it is important to prioritize where you put your effort first. That is why it is worth reading several InfoSec reports to identify the most common attacks in your target region and align your threat model with them.
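The chain in steps 1 to 4, with the triage between the tools scripted, as an added example that is not the author's script and not code from nmap, dirb or GitTools. It does not execute nmap, dirb or curl; it parses their output, which is simulated here with constructed samples (the host 10.0.0.5, its ports, versions and paths are all invented). It assumes nmap was run with -oG (grepable output) and dirb with its usual console format; the helper names services_from_nmap, search_keyword, triage_dirb and is_git_head and the HIGH_PATTERNS list are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example (not the author's script, not part of nmap/dirb/GitTools):
# triage helpers for the recon chain. nmap, dirb and curl are NOT executed here;
# their output is simulated with constructed samples so everything runs offline.
set -euo pipefail
shopt -s nocasematch   # path patterns and the .git/HEAD check are case-insensitive

# Constructed sample of `nmap -sV -oG - 10.0.0.5` (grepable output).
# Host, ports and versions are invented for the example.
NMAP_SAMPLE=$(
  printf '%s\n' '# Nmap 7.94 scan initiated (constructed sample)'
  printf '%s\t%s\n' 'Host: 10.0.0.5 ()' 'Status: Up'
  printf '%s\t%s\t%s\n' 'Host: 10.0.0.5 ()' \
    'Ports: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.6 ((CentOS))/, 443/closed/tcp//https///, 3306/open/tcp//mysql//MySQL 5.5.62/' \
    'Ignored State: closed (996)'
)

# Step 1 -> step 4: open ports with the product/version nmap fingerprinted,
# one per line as "port<TAB>service<TAB>version".
services_from_nmap() {
  awk -F'\t' '
    /^Host:/ {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^Ports: /) {
          sub(/^Ports: /, "", $i)
          n = split($i, tuples, ", ")
          for (j = 1; j <= n; j++) {
            # -oG tuple layout: port/state/proto/owner/service/rpc/version/
            split(tuples[j], f, "/")
            if (f[2] == "open") printf "%s\t%s\t%s\n", f[1], f[5], f[7]
          }
        }
      }
    }'
}

# Keyword to search in NVD or the FSTEC BDU: drop nmap's parenthetical notes,
# e.g. "OpenSSH 7.4 (protocol 2.0)" -> "OpenSSH 7.4". A hit on such a keyword is
# a lead, not a confirmed vulnerability: banners can be spoofed and distro
# packages often backport fixes without changing the version string.
search_keyword() {
  printf '%s\n' "$1" | sed -E 's/ *\(.*\)//'
}

# Constructed sample of `dirb http://10.0.0.5/ common.txt` console output.
DIRB_SAMPLE='---- Scanning URL: http://10.0.0.5/ ----
+ http://10.0.0.5/.git/HEAD (CODE:200|SIZE:23)
==> DIRECTORY: http://10.0.0.5/admin/
+ http://10.0.0.5/index.php (CODE:200|SIZE:1024)
==> DIRECTORY: http://10.0.0.5/backup/
+ http://10.0.0.5/robots.txt (CODE:200|SIZE:56)
+ http://10.0.0.5/server-status (CODE:403|SIZE:199)'

# Step 2 -> step 3: paths worth looking at first (VCS metadata, admin panels,
# backups, configuration). Extend this list for your target.
HIGH_PATTERNS='/\.git/|/\.svn/|/\.env$|/admin|/backup|/config|phpmyadmin'

triage_dirb() {
  # Pull the URL out of both "+ URL (CODE:...)" and "==> DIRECTORY: URL" lines.
  sed -nE 's#^\+ (https?://[^ ]+) .*#\1#p; s#^==> DIRECTORY: (https?://[^ ]+)#\1#p' |
    while IFS= read -r url; do
      if [[ $url =~ $HIGH_PATTERNS ]]; then
        printf 'HIGH\t%s\n' "$url"
      else
        printf 'LOW\t%s\n' "$url"
      fi
    done
}

# Step 3b: confirm an exposed .git before dumping it. A real .git/HEAD is one
# "ref: refs/heads/<branch>" line (or a bare 40-hex commit id when detached);
# a catch-all 200 page that returns HTML is a false positive.
is_git_head() {
  # $1 = HTTP status, $2 = body of GET /.git/HEAD (fetched with curl in practice)
  local sha_re='^[0-9a-f]{40}[[:space:]]*$'
  [ "$1" = "200" ] || return 1
  case "$2" in
    'ref: refs/heads/'*) return 0 ;;
  esac
  [[ $2 =~ $sha_re ]]
}

main() {
  echo "== open services: search these in NVD / FSTEC BDU =="
  printf '%s\n' "$NMAP_SAMPLE" | services_from_nmap |
    while IFS=$'\t' read -r port svc ver; do
      printf '%s/%s -> "%s"\n' "$port" "$svc" "$(search_keyword "$ver")"
    done
  echo "== dirb triage =="
  printf '%s\n' "$DIRB_SAMPLE" | triage_dirb
  echo "== .git/HEAD check on a constructed 200 response =="
  if is_git_head 200 'ref: refs/heads/master'; then
    echo "exposed .git confirmed: dump with ./gitdumper.sh http://10.0.0.5/.git/ ./dump"
  fi
}
main
```

On a real engagement, replace the two samples with `nmap -sV -oG scan.gnmap target` and `dirb http://target/ wordlist -o dirb.txt`, and feed `curl -s -o head.txt -w '%{http_code}' http://target/.git/HEAD` into is_git_head before launching gitdumper; the status-plus-body check avoids dumping a site whose catch-all page answers 200 to everything.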

To be continued...

Conclusion

This was done over two weeks. Beyond the general overview of the field described in this publication, InfoSec has no limits and no end: no one will tell you your system is 100% secure; it is always a competition between sword and shield. It is similar to your own health: each of us carries pathogenic bacteria and viruses even when considered healthy; you can pass a health check and still get the flu or another health issue next autumn. InfoSec measures will help you make sure you did everything on your side to protect yourself.

The next steps should be to go further through the OWASP Testing Guide, improve skills in real-world scenarios, and automate your attack steps as much as possible.

A few related posts:
Case study: establishing information security of the government organization
Broad vs Narrow specialization
How I work