Tips for an Information Security Analyst/Pentester career - Ep. 65: My first real pentest (1) - considerations - & Going to BSidesLV!

Yesterday I completed my first real-world pentest with my company and I received much more support from the community than I expected.

I started drafting my report today and it hit me: this is a dream come true.

I worked hard for this over the last years and I finally got there.

But not too fast, kiddo!

Reality hit me hard like a brick wall.

It sucks, it's hard and it has to be.

Additionally, I was coming back from a vacation and I was mad at myself: I should've been more prepared for this.

No excuses; those who follow me know that.

I could've done better.


My laptop wouldn't install Kali and I lost one whole day on a stupid issue with the latest version. I kept struggling with the "can't retrieve data from the CD" error.

What CD when I was using a bootable USB that supposedly should've contained all the needed files?

At the end of the day, I decided to burn Kali ISO to DVD and that took care of the problem. 

I didn't think I'd pop shells all over the place but that's when you really and definitely understand the value of a good reconnaissance.

You can't break into a network if you don't know what you got there.

Where is the server, the domain controller, the low-hanging fruits?

A real-world engagement can really suck and is way harder than you might think.

You need to work hard and fast.

It's nothing like doing it in your lab, man.

When I do it in my lab, I control all conditions, I got all the time in the world.

Even if I break things, it's no big deal.

It's virtual machines, who cares?

Way different if you deal with real switches, routers and servers and you have a very limited time to get your job done.

Take a server or a switch down in a production network and see what happens.

Additionally, the client's sysadmin was there with us and, while he was a very likable and knowledgeable person, it can be quite embarrassing for you to work in this type of environment.

It was embarrassing talking to this guy in a nice and friendly manner while I was trying to screw his network.

I started thinking, please get me a shell, only one and I actually went pretty close.

Anyway the reason why I decided to write this post is because I think I could maybe help someone.

I can't, of course, go into the details of the client's network and what actions I performed, but I decided to give back to the community by writing some considerations that might hopefully help other newbies, giving them a better picture of what they should expect in a real-world pentest.

These considerations are only partial, because each engagement is different, each client, network and scope is different and you can't generalize, but there's something that goes before all this and I think it's worth talking about it.

BE PREPARED

The following considerations are heartfelt and are meant as a reminder for my next pentest, because I sucked at this.

I wasn't sufficiently prepared.

Get your act together, dude.

Keep all your tools ready.

Kali comes with a bunch of pre-installed tools but you might need to install additional ones which don't come with it, such as Empire or Veil, for example.

Get them ready before your engagement starts.

Time is money and you're on the client's dime, so you can't waste time installing stuff.

Have all you need already installed.

TOOL LIST EXAMPLE

Recon tools

A) Dave Kennedy's PTF (PenTesters Framework): It'll be my go-to from now on. As it deserves a way wider consideration than I'm giving it here, I'll probably want to write a specific post about it.
For now, notice its pervasive structure and how many areas of a pentest it covers.

If we analyze the intelligence-gathering folder only, there's a huge amount of tools.

B) SPARTA (Network Infrastructure Penetration Testing Tool): According to its official website, SPARTA is "a python GUI application which simplifies network infrastructure penetration testing by aiding the penetration tester in the scanning and enumeration phase. It allows the tester to save time by having point-and-click access to his toolkit and by displaying all tool output in a convenient way".

C) Penetration Testing Execution Standard (PTES): It's more a legal and compliance framework than a technical one, but it's a very useful reference point. The referenced page also provides useful links to software that can help in a pentest.

D) Operating Framework: "A framework based on fingerprint action, this tool is used for get information on a website or a enterprise target with multiple modules (Viadeo search,Linkedin search, Reverse email whois, Reverse ip whois, SQL file forensics …)".

E) https://github.com/jivoi/awesome-osint: A huge list of OSINT tools.

F) Maltego: My go-to to create network maps and retrieve company information, already included in Kali.

G) Low-Hanging Fruit (LHF): "A recon tool for penetration testing".

H) domain-recon: Shameless plug here: a Bash script I wrote for domain reconnaissance.

I) CrackMapExec: A Swiss Army knife for pentesting networks.

Post exploitation tools

I'd mention here mostly Empire, Powersploit and PowerUp, but there's way more than that around.

Mimikatz, available as a Meterpreter extension and already shipped with Kali, is extremely powerful when it comes to recovering credentials.

Do your homework

Start by understanding the network structure.

I started gathering information since I was waiting in the hallway.

How many PCs were in the lobby, the receptionist's attitude (did she walk away and leave you alone while you were waiting there, or not?), where the security cameras were, and so on.

I have to admit I need to do a better job there.

Then you need information from the customer, what's in-scope and out of scope.

Have it formalized and written down.
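Putting the two points above together (tools installed before day one, and a written scope you actually check every target against), here is an added example of a small pre-engagement check; it is not code from the original post, and the tool names and scope ranges in it are constructed sample values.

```python
"""Pre-engagement readiness check: required tools on PATH, planned targets inside the written scope.
Added example, not from the original post; tool names and ranges below are constructed."""
import ipaddress
import shutil

# Tools the post names as not shipping with Kali, plus one that does (constructed list).
REQUIRED_TOOLS = ["nmap", "crackmapexec", "powershell-empire", "veil"]


def missing_tools(tools=REQUIRED_TOOLS):
    """Return the tools not found on PATH, so they get installed before the clock starts."""
    return [t for t in tools if shutil.which(t) is None]


def parse_scope(text):
    """Parse a scope document: one CIDR or host per line, '!' prefix marks an exclusion.
    Blank lines and '#' comments are ignored. Returns (allowed, excluded) network lists."""
    allowed, excluded = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        bucket = excluded if line.startswith("!") else allowed
        bucket.append(ipaddress.ip_network(line.lstrip("!").strip(), strict=False))
    return allowed, excluded


def in_scope(host, allowed, excluded):
    """A host is in scope only if it lies in an allowed range and in no excluded one."""
    addr = ipaddress.ip_address(host)
    if any(addr in net for net in excluded):
        return False
    return any(addr in net for net in allowed)


def check_targets(hosts, scope_text):
    """Split planned targets into those cleared to test and those that must be left alone."""
    allowed, excluded = parse_scope(scope_text)
    cleared = [h for h in hosts if in_scope(h, allowed, excluded)]
    blocked = [h for h in hosts if h not in cleared]
    return cleared, blocked


# Constructed sample scope, the way a client might hand it over in writing.
SAMPLE_SCOPE = """
# Internal ranges agreed for the engagement
10.10.0.0/16
192.168.50.0/24
!10.10.5.0/24      # production DB segment, explicitly out of scope
!192.168.50.1      # core switch, do not touch
"""

if __name__ == "__main__":
    print("missing tools:", missing_tools())
    print(check_targets(["10.10.1.20", "10.10.5.7", "192.168.50.1", "172.16.0.9"], SAMPLE_SCOPE))
```

Run it the evening before the engagement: anything in the blocked list is a target you never feed to a scanner, and anything in the missing list is an install you do on your own time, not the client's.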

Take notes while you do your stuff, so you can go back to them later when it's about writing your report.

I found a useful report template here and PTF includes reporting tools, too.

Don't get mad if you don't pop a shell

You're not there to show the client how much they suck but to help them address the vulnerabilities and issues on their network you were able to find.

Here's the point: if you, a n00b, found them, guess what happens when a master hacker does.

Your purpose must be to help your client address any issues and improve their security posture.

You want to help them harden their network, not to screw them up.

An adversarial approach to this leads nowhere.

I widely expressed my opinions about this in my previous post Tips for an Information Security Analyst/Pentester career - Ep. 58: Blue vs red: does it still make sense? and so I invite you to check back out that post for your reference.

Don't let the fact you feel lost bring you down

You never did that before, right?

So, that's normal.

You'll do better next time.

All you've done and accomplished in life is something you'd never done before, starting from when you learned how to talk and walk.

Life is a seamless learning experience and, if you think it's not, then you're dead inside, dumb or delusional (no offense meant).

There's constantly something new to learn and, especially in this industry, things change any second, while I'm typing these sentences right now.


Wrap up

I feel much more accomplished after this and, though I know I didn't deliver nor prove anything yet, I feel more like a real pentester now.

Yes, I felt like a red teamer before, too, but playing with VMs and virtual labs, though being cool and fun, isn't the real deal.

I left a bunch of stuff out and I feel like I should say something more about this, but I'll consider this as part one on this topic.

I'd like your feedback on how this post makes you feel and I'd also like for expert pentesters to tell me if I should add more stuff and especially if I'm on the right track.

I'm open to any feedback, whatever it might be.

Feel free to tell me I suck; I don't think I'm a genius and I don't believe I've accomplished anything yet.

Only allow me to have one brief instant of gratification for getting to do this.

Being paid to hack, wow!

News flash: I'm going to BSides LV as a volunteer next month.

If any of you want to meet up with me while I'm there for a coffee, a beer or whatever, hit me up on Twitter.

I'd be very happy to share experiences and points of view with anyone willing to do so.

Thanks to each and every one of you for your support and feedback.
