Ready to Start Your Career?

Pentesting Methodology from an Attacker's POV

binel 's profile image

By: binel

June 3, 2017

 
In this article, I will use the term "pentester" or "attacker" for the same intent. The intent is to denote the one attacking the system. This means to compromise it by a hacker, or to secure it with a penetration tester.
 
Penetration testing (or pen testing) is the art of detecting, assessing and exploiting vulnerabilities found on a network or computer system. It is the most advanced technique used by security specialists to prove that a system is vulnerable and its vulnerabilities are exploitable by a malicious insider or outsider.
 
To perform an effective penetration test, use of a methodology is recommended.
 
A penetration testing methodology (or pen testing framework) is a set of basic steps that a pentester should observe to get results. Results can be validated later by another penetration tester.
 
In this field of ideas, many penetration testing methodologies have been imagined and formalized by professionals, including, but not limited to the following:
 
  1. OSSTMM: Open Source Security Threat Management Methodology
  2. ISSAF: Information Systems Security Assessment Framework
  3. NIST SP 800-115 technical guide to information security testing and assessment
  4. OWTF: Offensive Web Testing Framework
 
But, there are some limits to these traditional methodologies. The pentester's creativity can be hindered due to the need to cope with pre-defined steps. These methodologies rarely consider why a pen test is being taken or what the critical data is that needs protecting by a company.
 
To address these problems a new methodology has been created, which view the network from an attacker point of view: The kill chain.
 
The Attacker’s Kill Chain:
 
During a conference on Cyber Security in 2009, a Lockheed Martin researcher, Mike Cloppert, created the concept know as Attacker’s Kill Chain. This new framework takes into account all the steps an adversary can take while attacking a network.
 
A simple scheme of the attacker kill chain is from Robert W. Beggs' book.
 
Now we are going to explain in detail the phases of the attacker kill chain.
 
The Reconnaissance Phase:
This phase is the first stage of an attack. Here is where the attacker will collect as much information as possible on the target system before attacking it. Thus, an estimated 70 percent of the ‘work effort’ of a penetration test or attack is conducting reconnaissance. This phase is composed of two sub-phases: Passive and Active Reconnaissance.
 
Passive Reconnaissance:
In this phase, the attacker will collect publicly available information on the target. This includes everything from public websites and social media pages, to current employee names and other aspects. These pieces of information help to construct the ‘Attack surface’ of the target. It will serve to guess user passwords or login information using social engineering. It is called passive reconnaissance because it is very difficult to detect since it is not too different from regular user behavior.
 
Active Reconnaissance:
Unlike the passive method, this reconnaissance can be detected by the target. The activities included in this phase can include visiting target premises, port scanning, and remote vulnerability scanning.
 
The Delivery Phase:
During this step, the pentester develops and deploys the weapon he will use during the attack. The weapon used here will depend on the attack surface found (ethernet, wifi, public website, etc.), and the attacker's intent.
 
The Exploit Phase:
In this phase, the attacker applies a particular exploit on the target and can thus reach his goal. It can be a single phase (for example, exploiting a known vulnerability in the system) or many phases. For example, if an attacker accesses the phone book of an organization, then uses it to generate a brute-force attack on a password, he could also use it to send emails to employees with a crafted pdf file.
 
In real life, multi-phase attacks are the norm to have a better chance of success.
 
Post-Exploitation: Action on the Objective
 
In this phase, assume that the exploit phase was a success, and now you have to choose the actions you can conduct on the target. At this level, the attacker can steal sensitive data, financial information, cause a denial of service, or even escalate privileges.
 
Another post exploitation activity is often persistence. This means that the attacker finds a way to persist with access on the target to have access to the target when needed.
 
Note: When performing a pen test, security is an important concern. To stay anonymous while performing a reconnaissance phase, have a look at my previous article: "Anonymously Scan a Remote Website using Nmap."
 
Thanks for reading this article.
 
References:
Mastering Kali Linux for Advanced Penetration Testing – R. W. Beggs
Kali Linux – Assuring Security by Penetration Testing – Lee Allen
Schedule Demo