Phase 3 - Exploitation: Verifying Security Weaknesses
In the third phase, exploitation, the penetration testers try to actively exploit security weaknesses. Exploits are developed to, for example, gather sensitive information or to enable the pentesters to compromise a system and establish a foothold on it. Once a system is successfully compromised, it is quite often possible to penetrate more systems, because the pentesters now have access to more potential targets that were not available before, for example because the compromised system is able to interact with internal systems that are not accessible from the Internet. For any new targets, the reconnaissance and enumeration phases are re-entered to gather information about these new systems and exploit them, too.
Exploits are frequently developed in-house at RedTeam Pentesting. This distinguishes a professional penetration test from the often advertised automated security scans. For custom hardware and software, this approach is essential, as it leads to results of practical relevance. The penetration testers approach the systems like any other serious attacker would. Industrial spies will also invest the time and effort needed to come closer to their goals. Many penetration tests reveal that the biggest weaknesses are particular to the individual client and that no exploits are publicly available for them.
Offense Is the Best Defense
In a penetration test, different attack techniques are used. During the test, the pentesters choose the appropriate technique to check whether a potential security flaw really exists. The graphics on this page show some exemplary attack vectors. For every target, different attack methods are listed. These lists are by no means exhaustive, but show a subset of possible attack vectors. All in all, there is a plethora of possible targets and attacks. Because of the constant change and advancement of the IT landscape, new attack techniques are developed and published on a regular basis. Good pentesters are characterised by constantly expanding their knowledge of the newest methodologies, and are therefore able to perform realistic attacks.
Which data and systems are particularly critical and should be the main focus of the penetration test differs from customer to customer and is therefore defined individually before the test.
In a network test, the main goal can for example be to overcome network borders in order to talk to servers and other network devices in different network segments. The penetration testers try to penetrate WiFi networks, to circumvent firewall protection or to redirect traffic through the attacking computer. The idea is to penetrate those network segments that hold critical company data or are critical for day-to-day operations.
In a web application test of an online shop, on the other hand, the goal can be to get read (or even write) access to the database holding the product or customer data. Customer data may include payment information, which is especially valuable.
By meticulously documenting how to identify and exploit vulnerabilities, RedTeam Pentesting ensures that its clients are made aware of them, are provided with enough information to correct them, and are also enabled to identify and prevent or address similar issues in the future.
Overall, we were very impressed with the high level of professionalism and competence of RedTeam Pentesting. They demonstrated deep knowledge with respect to many different systems ranging from Windows to Unix-based systems, to low-level administration tools that are hardly known, to development problems in languages such as PHP which may lead to new exploits. The knowledge that we acquired during the penetration test with them helped us to improve our system administration and increase the security of our systems.
During their attacks, the pentesters always act with great care to avoid any disturbance of production systems. If any problems arise, fast and direct communication is guaranteed by exchanging emergency phone numbers of contact persons before the test even starts. Our FAQ contains more information about this topic. Regarding systems that are especially critical, attacks are only carried out after consulting the client, possibly with an administrator closely monitoring the system while an attack is performed. To this day, experience shows that system crashes affecting day-to-day operations happen only on extremely rare occasions. These systems normally suffered from crashes even before the pentest. To some extent, this can be traced back to the systems having been attacked in the past without these occurrences having been identified as a security incident.
A special type of attack is social engineering. As an extension of attacks on a purely technical layer, social engineering tries to exploit human weaknesses. This approach is surprisingly effective, as the human factor is often the weakest link in the security chain of a company. It becomes especially important within highly critical areas that have a very high level of technical security. When using social engineering, attackers try to obtain sensitive information from company employees to which they would not have direct access otherwise. At the same time, they may try to talk them into carrying out actions that benefit the attackers. To accomplish this, the attackers try to gain the employees' trust under false pretences, often combined with systematically building up stress.
Whether social engineering is to be used in a penetration test needs to be considered carefully. The chance of success may be high, but the learning effect is mostly limited to the immediate proximity of the affected employee. As a general rule, non-affected co-workers cannot imagine themselves falling for the same deception. From their own perspective, the social engineering attacks seem too obvious to be successful. Additionally, the attacked employees often feel deceived by their upper management, which may result in lasting damage to the work atmosphere. For this reason, RedTeam Pentesting uses social engineering techniques only after a detailed consideration of the advantages and disadvantages of this type of attack. This also complies with the recommendation of the German Federal Office for Information Security (BSI) on this topic.