Howdy, it’s your old pal Dave Collins here with a post answering the question “What is it like to be a penetration tester?”. I’ve been working in offensive security since May of 2017 and have conducted penetration testing engagements for a wide variety of clients in different fields. If you’ve ever wondered what it’s like to conduct a penetration test, this article is for you! I should also note that almost everything I am going to describe here will take more than one day. Depending on the number of IP addresses to be scanned, engagements can take a few days to a few weeks or more.
Win-Doze and Scoping
One more caveat, I’m going to be assuming the client environment is a Microsoft shop because that’s what most companies use. I will do my best to share every part of the engagement without giving away any proprietary information. The first order of business will be a scoping meeting. Some firms do an internal scoping meeting before meeting with a company. At the meeting typically is a project manager, the penetration tester, and any stakeholders from the client.
The Penetration Test Begins
Once all the scoping has been determined and a date set, the engagement gets interesting. Typically there will be both an internal and an external penetration test. Generally speaking, you will want to start your report the day you start your assessment, so you can directly add screenshots as they happen and while the pwnage is fresh in your mind. It’ll also reduce the time in the end to finalize your report from having to go back. Generally, you’ll be assigned target IP addresses to attack, and you’ll go after them. Some pentesters will let clients know about what they find during recon, but I’ve found it can annoy them, so many firms just won’t do it.
External Penetration Test
For the external assessment, I will attack from an internet-connected machine and poke at the client systems. I’ll kick off a scan from whatever paid automated scanner my firm uses and wait. Sometimes I run Nmap scans as well if I’m really feeling impatient. While reconnaissance is something that attackers do, you almost never do it in a penetration test. While I wait for scans to finish I’ll start to poke at anything interesting that is in scope. I’ll pretty much go wild as long as the engagement allows, trying all attacks except a denial of service (distributed or otherwise). When I run out of hours for the external assessment I start on the internal penetration test.
Internal Penetration Test
Internal assessments are somewhat similar with one big difference. Your firm ships a device to the client. They connect it to their internal network so the test starts inside. Before starting to scan, it’s important to poison traffic in that Microsoft environment. You want to poison LLMNR and NetBIOS-type traffic to capture and crack some hashes. You can use that to learn about the network, including a pathway to becoming domain administrator. I’ll continue this for as long as the engagement allows. If the automated scanner finds anything, it might be easier to pop shells that way. If I gain administrative access to the environment, I’ll try to dump interesting files and attempt to crack passwords in the environment.
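The LLMNR and NetBIOS poisoning described above only works because Windows hosts fall back to those broadcast protocols when DNS fails. As an added example (not from the original post), this PowerShell script turns both off on a single host and then verifies the settings; it assumes an elevated session on a standalone machine, and in a domain the LLMNR setting would normally be pushed through Group Policy instead.

```powershell
# Added example: remove the name-resolution fallback that LLMNR / NBT-NS poisoning relies on.
# Run from an elevated PowerShell session. Assumes a standalone host (domain members would
# receive the LLMNR policy from Group Policy, "Turn off multicast name resolution").

# 1. LLMNR: the Group Policy setting maps to EnableMulticast under the DNSClient policy key.
#    0 = LLMNR disabled.
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
if (-not (Test-Path $llmnrKey)) {
    New-Item -Path $llmnrKey -Force | Out-Null
}
New-ItemProperty -Path $llmnrKey -Name 'EnableMulticast' -PropertyType DWord -Value 0 -Force | Out-Null

# 2. NetBIOS over TCP/IP: set per adapter through WMI/CIM.
#    TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $result = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                                   -Arguments @{ TcpipNetbiosOptions = 2 }
        # ReturnValue 0 means success; 1 means a reboot is required for it to take effect.
        [PSCustomObject]@{ Adapter = $_.Description; ReturnCode = $result.ReturnValue }
    }

# 3. Verify: EnableMulticast should read 0 and every IP-enabled adapter should report 2.
Get-ItemProperty -Path $llmnrKey -Name 'EnableMulticast' | Select-Object EnableMulticast
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, TcpipNetbiosOptions
```

A host with both values set still resolves names through DNS as normal; what changes is that a typo or a stale hostname no longer produces the broadcast that a poisoner on the same segment answers.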
Time For The Report
Regardless of how much (if any) of the client’s systems or networks are compromised, when I am out of hours for the penetration testing portion of the engagement, I’ll generally have a call or meeting with the client to let them know how far I was able to get, and if there are any immediate issues to resolve. If there aren’t, the next order of business is every security professional’s favorite part of the job – writing the report! Fortunately for me, I hold liberal arts degrees and enjoy writing. I just grab (maybe too much) coffee, crank the tunes, and write out the report.
What Happens Next?
When the report is done, I’ll send it to wherever the firm tells me to. Sometimes that’s internal peer review or a technical editor or some mix of the two. I’ve even read about some mythical firms hiring technical writers to write reports for the penetration testers. I’m sure that’s probably just a dream, or a myth, like unicorns? From there the report is sent off to the client where it either sits on a shelf or is directly thrown in the garbage. Six months later, when you come back to re-test, you’ll find all the same vulnerabilities and discover that nothing has changed. (No, Seriously)
The Sad Truth
If you haven’t gathered from the last two sentences, I’ve started to grow somewhat disillusioned with penetration testing. While I think there is a value in having a hacker regularly attack your network, this only does any good if you do something about it. I’ve met with bank presidents who got a change made before I left their office, and I’ve also seen things that are too terrible to write about. Silly mistakes that cost companies tens of thousands of dollars.
Shrinking the Scope
I guess what I’m trying to say is that if you’ve paid for a penetration test, don’t shrink the scope to be so tiny the tester cannot do their job. You know what no attacker has ever said? “Oh dang! I can’t attack that legacy server because it is not in scope!” Don’t be a doofus – if the bad guys don’t have a scope, perhaps you shouldn’t either? If you are only doing a penetration test because of $complianceRequirement that’s fine, just ask yourself what sort of value you want from the engagement?
A Little History
We should also take some time to remember that penetration testing hasn’t been around all that long. Some trace it back to the Tiger Teams of the U.S. military, with the US Air Force ordering security testing as early as 1971. All computing technology, in general, has not been around nearly as long as other established disciplines. As such, we should all hesitate to just fall in line with the old tired mantra of, “we’ve always done it that way.” That’s a great way to ensure the state of the art never moves forward.
The Lazy Way
There are plenty of firms out there who just run a $proprietaryScanner and pipe the output to a report and call it a penetration test. However, that’s just the other side of the “take the report and throw it into the already-burning dumpster fire” coin. If we really want to move security forward and be more secure, red and blue are going to have to come together.
Don’t Get Disheartened
Information security has a number of problems right now, from toxic masculinity to almost constant infighting. However, for all its problems, there is a great community of people who are tremendously passionate about what they do. This is not necessarily a bad thing, but it is one thing that makes infosec different from other industries.
For example, as I write this guest post it is the second Friday of the month, which means I am off to a local hacker group called Irvine Underground. On the first Friday of the month, I generally go to 2600 meetings. I really believe that most of us go into security because we are fascinated by how things work, and how to make them work in unintended ways. We stuck around in security because we wanted to make things better, and we made some great friends along the way.
The Definition Of Insanity
None of us want to feel like Sisyphus, the dude from Greek mythology whose punishment from the Gods was to continually push a rock up a hill, only to have it roll back down halfway through. Sometimes we all have felt like this – that nothing we do is going to make a difference. Some of us have taken that feeling of burnout and just quit.
I don’t blame those people; it’s part of the reason I earned my liberal arts degrees. However, I want to use my frustration to help make organizations more secure. Popping shells and getting domain administrator is great fun, but helping to make firms more secure is much more rewarding. If you want to pop shells, then spend your weekend doing Hack the Box or entering a CTF. If you want to help make your organization more secure, we all need to work together, red and blue, and together we can make a difference!
Interested In Writing a Guest Post?
If you work in the world of Information Security and would like to write about it, we are always interested in guest posts. Please contact me at [email protected]