Tips for an Information Security Analyst/Pentester Career - Ep. 94 - Never Give Up, Try New Stuff for the Win (Ode to Manual Testing)
In five years of penetration testing projects, I've led a huge number of perimeter pentests.
Most of these projects end up showing the same findings, as most clients have similar network environments that expose a limited attack surface.
When clients harden their perimeter the right way, they expose only a few login portals, and the applications behind them run the latest versions, with no working exploits available.
It would be easy at that point for testers to give up, thinking there's nothing else to it.
That's when they need to hold tight, look at things from a different angle and/or try out new tools that can offer fresh perspectives.
Over my perimeter pentests, I often feel this pressure, as time is running out and I seem to make no progress. My usual go-to tools only find low-to-informational issues that lead nowhere in terms of exploitation, or the specific application(s) in use have been patched, and the exploits available for older versions do not work on the version deployed.
That's when I turn to manual testing. I don't trust automated tools too much. Blindly relying on automated tools can lead to missing a lot of vulnerabilities, sometimes even critical ones. I go through a number of manual enumeration techniques, such as:
- Track and list in a spreadsheet all significant web hosts, their related URLs, their purpose, their underlying technologies and related vulnerabilities. Specifically highlight login portals.
- Screenshot all web hosts to get an overview of what each URL is about. I ended up liking Aquatone best for this, but other tools such as EyeWitness, Scrying or GoWitness are equally valid alternatives. I often make interesting discoveries that way. Sometimes reading the Nmap results doesn't give an accurate idea of what application(s) a specific host is running, while a visual inspection may reveal very interesting details, such as the version of the operating system or web server in use. This, in turn, might lead to identifying specific vulnerabilities affecting that version.
- Use Wappalyzer and whatweb to identify the technology implemented by each URL.
- Use gobuster for web directory enumeration and nikto for vulnerability scanning on all web hosts. These tools can sometimes identify interesting directories, or potential vulnerabilities.
- Don't be afraid to try out new tools. Sometimes a fresh look is what you need to discover stuff you missed, plus a new tool can identify issues other tools don't, because it leverages new advancements in technology or programming. I recently discovered just how impactful a new tool can be. Nessus had flagged a high finding related to an outdated version of a very popular application, affected by an information disclosure vulnerability. Those vulnerabilities don't normally lead to anything interesting, and I was going through this project in a quite aloof mood, thinking I was wasting my time. However, I had recently read good things about Nuclei, so I decided to give it a go. I immediately found an interesting URL leading to a page that displayed a user profile without requiring any authentication to the API whatsoever. The URL I discovered ended in 1, so I tried changing the 1 to a 2 and... bingo! I had found another user profile. In other words, I had found an insecure direct object reference (IDOR) that let me enumerate thousands of valid users for that specific app. I then leveraged this list of users to password spray the related login portal. None of this would have been possible if I hadn't tried out a new tool, though.
- Don't be afraid to build your own tools. It doesn't matter if it's only a few lines of code, or they're not super cool; coding per se is a plus. For example, I'm working on a tool that runs Amass, saves the output to a file, and then runs Aquatone on it. Sure, I could use someone else's code, but building a tool myself forces me to learn a bunch of things, like how to run an external command in Python through the subprocess module, how to run a ping command through it, etc. Plus, by writing your own tools, you might implement a unique solution no one has thought of yet. All this will make me a better security professional. If a team works on a tool and everyone contributes a tiny bit, the end result will be better than anyone alone would accomplish.
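The Amass-to-Aquatone chain described above, as an added example that is not the author's own tool: Amass writes its hostnames to a file, the file is normalized, and the hosts are piped into Aquatone via `subprocess`. The `amass enum -passive -d ... -o ...` and `aquatone -out ...` invocations are the tools' documented options; the sample Amass output is constructed, and the target domain is a placeholder.

```python
"""Chain Amass output into Aquatone screenshots of your own perimeter hosts."""
from __future__ import annotations

import shutil
import subprocess
from pathlib import Path


def parse_amass_output(text: str) -> list[str]:
    """Normalize Amass plain-text output: strip, lowercase, dedupe, keep order."""
    seen: set[str] = set()
    hosts: list[str] = []
    for line in text.splitlines():
        host = line.strip().lower().rstrip(".")
        if not host or host.startswith("#") or host in seen:
            continue
        seen.add(host)
        hosts.append(host)
    return hosts


def amass_command(domain: str, outfile: Path) -> list[str]:
    """Passive enumeration only; results are written to outfile."""
    return ["amass", "enum", "-passive", "-d", domain, "-o", str(outfile)]


def aquatone_command(outdir: Path) -> list[str]:
    """Aquatone reads hostnames from stdin and writes its report to outdir."""
    return ["aquatone", "-out", str(outdir)]


def run_pipeline(domain: str, workdir: Path, timeout: int = 1800) -> list[str]:
    """Run Amass, normalize its output, then screenshot the hosts with Aquatone."""
    for tool in ("amass", "aquatone"):
        if shutil.which(tool) is None:
            raise FileNotFoundError(f"{tool} not found on PATH")
    workdir.mkdir(parents=True, exist_ok=True)
    hosts_file = workdir / "amass.txt"
    subprocess.run(amass_command(domain, hosts_file), check=True, timeout=timeout)
    hosts = parse_amass_output(hosts_file.read_text())
    if hosts:  # Aquatone exits quickly on empty stdin; skip it instead
        subprocess.run(aquatone_command(workdir / "aquatone"), input="\n".join(hosts),
                       text=True, check=True, timeout=timeout)
    return hosts


# Constructed sample of what Amass writes: duplicates, case and trailing dots.
SAMPLE_AMASS = "www.example.test\nVPN.example.test.\nwww.example.test\n\n"

if __name__ == "__main__":
    print(run_pipeline("example.test", Path("recon-out")))  # placeholder domain
```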
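The IDOR described in the Nuclei story, as an added illustration that is not the affected application's code: a profile endpoint keyed by a sequential id with no authentication or ownership check, beside a hardened version. The user store and session object are constructed; `reachable_profiles` is a regression check a developer can keep to make sure walking ids 1, 2, 3, ... stops yielding other people's profiles.

```python
"""Sequential-id profile lookup: vulnerable handler beside the hardened one."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Constructed sample store with sequential ids, as in the app described above.
USERS = {
    1: {"username": "alice", "email": "alice@example.test"},
    2: {"username": "bob", "email": "bob@example.test"},
}


class AuthError(Exception):
    """Raised when the caller may not see the requested profile."""


@dataclass
class Session:
    user_id: Optional[int]  # None models an unauthenticated caller


def get_profile_vulnerable(user_id: int) -> Optional[dict]:
    """No authentication and no ownership check: any id can be walked."""
    return USERS.get(user_id)


def get_profile_hardened(session: Session, user_id: int) -> dict:
    """Require a logged-in caller and return only that caller's own record."""
    if session.user_id is None:
        raise AuthError("authentication required")
    # Same error for "not yours" and "does not exist", so the response
    # cannot be used to tell valid ids from invalid ones.
    if session.user_id != user_id or user_id not in USERS:
        raise AuthError("not found")
    return USERS[user_id]


def reachable_profiles(fetch: Callable[[int], Optional[dict]],
                       ids: Iterable[int]) -> list[int]:
    """Ids for which fetch(id) yields a profile; the hardened handler should
    yield at most the caller's own id, and nothing for anonymous callers."""
    found = []
    for i in ids:
        try:
            if fetch(i) is not None:
                found.append(i)
        except AuthError:
            pass
    return found
```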
Other than that, security professionals need to keep their minds sharp and in good working order. In a recent project, I was basically running on empty for the first two days. Sleeping issues and client-related delays held me back. On day 3, I started fresh after a good night's sleep, and accomplished more in two hours than I had done over the previous two days.
Conclusions
When the game gets tough, the tough get going.
Giving up is the easiest choice.
Most people give up on anything all the time.
To be successful in the penetration testing scene, persistence, grit and resourcefulness are needed.
Leave no stone unturned and go the extra mile; at the very least, you'll have no regrets.
Don't be afraid to dig deeper and try new things, as this can sometimes lead to the pot of gold at the end of the rainbow.