Phase 3 - Exploitation: Verifying security weaknesses
In the third phase, Exploitation, the penetration testers try to actively exploit the located security weaknesses. Exploits are developed to gather sensitive information or to enable the pentester to compromise a system and establish a foothold on it. If this is successful, the network can be penetrated deeper, because the pentester now has access to more potential targets which were not reachable before. Information about these new, previously unknown systems can be gathered with the techniques of Reconnaissance and Enumeration, in order to attack these systems in turn.
Own developments
Often, RedTeam Pentesting develops its own exploits. This distinguishes a professional penetration test from the often advertised automated security scans. With custom hardware and software, this approach is essential, as it leads to results with practical value. The penetration testers proceed like a seriously determined attacker. An industrial spy will also invest the time and effort needed to come closer to his goal. It has been shown during various penetration tests that the biggest weaknesses for companies are those for which no public exploits are known.
Attack for defense
In the context of a pentest, different attacking techniques are used. During the pentest, the pentester chooses the appropriate technique to check whether a possible security flaw really exists. The graphics on this page show some exemplary attack vectors. For every target, different attacking methods are listed. This list is by no means exhaustive, but shows an excerpt of the possibilities. All in all, there exists a plethora of possible targets and attacks. Because of the constant change and advancement of the IT landscape, new attacking techniques are developed on a nearly monthly basis. A good pentester excels in reacting to this development, constantly extending his own knowledge of the newest techniques, and is therefore able to conduct a realistic attack.
The goal of attacking the network infrastructure is to overcome network borders, to be able to talk to servers and other network devices in different network segments. The penetration testers try to penetrate WLANs, to circumvent firewall protection or to redirect traffic through the attacking computer. The idea is to penetrate those network segments which hold critical company data or which are critical for the daily business.
Acting carefully
During their attacks, the pentesters always act with great care, to avoid any disturbance of normal server operation. With especially critical systems, an attack will only occur after consulting the responsible administrator. If any problems arise, fast and direct communication is ensured by exchanging emergency phone numbers and contact persons beforehand. To this day, experience shows that system crashes which affect the daily business happen only on extremely rare occasions. These systems normally suffered from crashes even before the pentest. To some extent this can be traced back to the systems having been attacked in the past, without these occurrences having been identified as a breach of security.
Social Engineering
A special type of attack is Social Engineering. As an extension to attacks on a purely technical layer, Social Engineering tries to exploit human weaknesses. This approach is surprisingly effective, as the human factor is often the weakest link in the security chain of a company. This becomes especially important within highly critical areas which are secured to a high technical standard. When using Social Engineering, the attacker tries to obtain sensitive information from the employees, to which he would not have direct access otherwise. At the same time, he tries to talk them into undertaking actions which are advantageous for the attacker. To accomplish this, the attacker tries to gain the trust of the employee under false pretences, often combined with systematically building up stress.
In the context of a penetration test, the use of Social Engineering has to be weighed up thoroughly. The chance of success may be high, but the learning effect is mostly limited to the immediate proximity of the affected employee. As a general rule, co-workers who were not affected cannot put themselves in the place of the successfully exploited employee. From one's own perspective, the Social Engineering attacks seem too easy to be successful. Additionally, the directly concerned employees often feel deceived by the upper management, which may cause lasting damage to the working atmosphere. For this reason, RedTeam Pentesting uses Social Engineering only after a detailed clarification of the pros and cons of this type of attack. This also corresponds with the recommendation of the German Federal Office for Information Security (BSI) on this topic: “Sicherheit und Industriespionage: Ein Realitätsabgleich”.