Detection and Exploitation Phases: This Is Where the Fun Begins!
Hack Your Pentesting Routine
In this Cup O’ Joe series, we’re discussing the ten key phases of a penetration test, talking about the serious pain points in each, and demonstrating how PlexTrac can eliminate these problems.
In my approach, there are 10 phases of the penetration test engagement, each defined by a different group of stakeholders, participants or activities requiring a serious context shift.
Check out the complete discussion of Phase One in my “Introducing ALL the Phases of Pentesting” article and Phases Two and Three in the article “Discovery and Enumeration Phases: A Foundation for Success.”
Want to learn more about how PlexTrac can transform your pentesting practice today? Request a demo.
Penetration Testing Phases Four and Five
Our next phases are Detection and Exploitation.
Detection verifies the services and applications associated with the ports identified during the Enumeration phase. Exploitation provides the initial vector into your network or application. But before you start going gangbusters on exploitation, you need to look at whatever constraints are outlined in the rules of engagement (RoE). Intended to be more than just a buzzkill, the RoE keeps the operator safe from reprisal and helps ensure uptime of the production assets under examination.
Detection and Exploitation Tools of the Trade
Typically, Detection is a step that can be automated using the application’s responses and banners. Tools like Tenable’s Nessus can make quick work of detection with a high level of confidence, albeit in a very noisy manner. Manual detection may be required when the port is associated with a wide variety of service daemons, like ports 80 and 443, or when a firewall or content delivery network (CDN) is interfering with detection.
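To make the banner-driven part of Detection concrete, here is an added example (my own illustration, not code from PlexTrac, Nessus or any other tool mentioned in this article). It classifies a handful of constructed banners into service, version and a confidence level, and it separates out the two cases the paragraph says need a human: a web port with no identifying response, and a CDN answering in place of the origin. The host addresses, banners and signature list are all assumptions made up for the example.

```python
"""Banner-based service detection with a manual-review queue (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample responses keyed by (host, port); not captured from real systems.
SAMPLE_BANNERS = {
    ("10.0.0.5", 22): "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5",
    ("10.0.0.5", 21): "220 ProFTPD 1.3.6 Server (Debian) [::ffff:10.0.0.5]",
    ("10.0.0.7", 80): "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n",
    ("10.0.0.8", 443): "HTTP/1.1 403 Forbidden\r\nServer: cloudflare\r\n\r\n",
    ("10.0.0.9", 80): "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    ("10.0.0.10", 25): "220 mail.example.test ESMTP Postfix",
}

# (pattern, service) pairs; a capture group, when present, carries the version.
# This is a deliberately small, hand-written signature list, not a real scanner database.
SIGNATURES = [
    (re.compile(r"^SSH-2\.0-OpenSSH_([\w.]+)"), "openssh"),
    (re.compile(r"^220 ProFTPD ([\d.]+)"), "proftpd"),
    (re.compile(r"^220 .* ESMTP Postfix"), "postfix"),
    (re.compile(r"^Server:\s*Apache/([\d.]+)", re.M), "apache"),
    (re.compile(r"^Server:\s*nginx/([\d.]+)", re.M), "nginx"),
]
CDN_MARKERS = ("cloudflare", "akamai", "cloudfront", "fastly")  # edge vendors, lowercase
WEB_PORTS = {80, 443, 8080, 8443}


@dataclass
class Detection:
    host: str
    port: int
    service: str
    version: Optional[str]
    confidence: str      # "high", "low" or "cdn"
    note: str = ""


def server_header(banner):
    """Return the value of an HTTP Server header, or None when absent."""
    m = re.search(r"^Server:\s*(.+?)\r?$", banner, re.M)
    return m.group(1) if m else None


def detect(host, port, banner):
    """Classify one banner; anything not 'high' confidence is work for a human."""
    if banner.startswith("HTTP/"):
        hdr = server_header(banner)
        # A CDN/WAF answered: whatever it says, the origin stack is still unknown.
        if hdr and any(mark in hdr.lower() for mark in CDN_MARKERS):
            return Detection(host, port, "cdn-fronted-http", None, "cdn",
                             "edge/CDN answered, origin stack unknown; detect manually")
    for pattern, service in SIGNATURES:
        m = pattern.search(banner)
        if m:
            version = m.group(1) if m.groups() else None
            return Detection(host, port, service, version, "high")
    # Web ports host many different daemons, so an anonymous HTTP response proves little.
    if port in WEB_PORTS or banner.startswith("HTTP/"):
        return Detection(host, port, "http", None, "low",
                         "web port with no identifying banner; many daemons possible")
    return Detection(host, port, "unknown", None, "low", "no signature matched")


def detect_all(banners=SAMPLE_BANNERS):
    """Run detection over every (host, port) -> banner pair."""
    return {key: detect(key[0], key[1], b) for key, b in banners.items()}


def manual_queue(results):
    """The (host, port) pairs the automated pass could not settle with high confidence."""
    return sorted(key for key, d in results.items() if d.confidence != "high")


if __name__ == "__main__":
    results = detect_all()
    for key, d in sorted(results.items()):
        print(f"{d.host}:{d.port:<5} {d.service:<18} {d.version or '-':<8} {d.confidence:<5} {d.note}")
    print("needs manual detection:", manual_queue(results))
```

The point of the `manual_queue` function is the workflow the paragraph describes: let the noisy automated pass settle the easy cases and hand the rest, explicitly listed, to a tester rather than letting low-confidence guesses flow silently into the findings.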
Detection includes determining the components used within the application. WPScan is a tool that can be used to identify the version of WordPress installed, which plugins and themes are present, and whether they’re affected by any known vulnerabilities. Nikto is a web server scanner that performs comprehensive tests against web servers, including identifying over 6700 potentially dangerous files/programs, checking for outdated versions of over 1250 servers, and uncovering version-specific problems on over 270 servers.
BloodHound is an Active Directory attack path detection tool. Pentesters can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly detect. Every set of credentials obtained provides a new perspective and attack path allowing you to quickly determine which credentials are valuable for escalation and exploitation.
With more and more services migrating to the cloud, good detection tools like NCC Group’s ScoutSuite will make the detection phase for cloud services efficient and effective.
In the Exploitation phase, automated must not mean unattended. Our automated tools aren’t 100 percent foolproof, and keeping a close eye on the responses and output can make the difference between a successful engagement and being asked to leave. Who else remembers db_autopwn? A script kiddie’s delight that was removed from the Metasploit distribution for being “more likely to fall over and crash than produce useful results.” Use automation judiciously and only with tools you’re confident will do no harm.
The aforementioned Metasploit is one of the top tools in your exploitation arsenal. This framework comes in two versions, a community supported version and a commercially supported version. Both are filled with a massive number of exploits and post-exploitation tools that can take you from your initial vector all the way through the attack chain to your final target. With so much power packed into one tool, you should spend the time to go through the free Metasploit Unleashed ethical hacking course.
With better C2 and evasion capabilities, Core Impact is a favorite with red teams (and ransomware teams) around the world. This commercial tool has a price tag starting at $12,600 for the most popular version, putting it out of reach of most script kiddies and independent consultants. Cracked versions pop up from time to time and are guaranteed to be filled with malware, making legally acquired versions the only way to go.
Benefits and Challenges of the Detection Phase of Penetration Testing
The Detection phase of testing is where many vulnerability service offerings stop. Vulnerability scanning tools and services like Qualys or the Rapid7 Insight Platform do not perform exploitation and, because of this, can include false positives in their output. But this phase is still invaluable for performing firewall ingress validation or checking patch management effectiveness.
The detection phase of penetration testing will generate a lot of data, not all of which will be useful to progressing through the attack chain. This is where the experience and expertise of more senior pentesters will be necessary. Often, taking a collaborative approach with multiple testers brainstorming next steps will yield better results than a lone tester operating with Google and a copy of Kali. Having the right collaboration tools is just as important as having a licensed copy of Nessus or Burp Suite. The PlexTrac WriteupsDB module combined with the ability to import the results from over 19 automated tools will let the team collaborate even when working from home and distributed across the globe.
Benefits and Challenges of the Exploitation Phase of Penetration Testing
Exploitation of a vulnerability takes it out of the theoretical and into the practical. It removes all doubt and immediately prioritizes patching and remediation. This doesn’t mean it’s game over. A layered defense might make the initial exploit a dead end. Further testing in the post-exploitation phase will ultimately determine if what’s found here is dangerous or just a flash in the pan.
Flash in the pan or not, any exploitation is invasive and can potentially impact the system or application. Frequently reviewing the rules of engagement can keep the team out of trouble. In addition, keeping a run log of all activities, including all systems exploited, can help troubleshoot any anomalies that occur during testing. Use the PlexTrac Assessments module to create a daily run-log questionnaire and keep it up to date. If your client sees something sketchy, you’ll be able to confidently respond that it wasn’t you.
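The RoE review and the run log described above fit together naturally: check each action against the rules before it happens, and write down the attempt either way. The following is an added example of that pattern (my own illustration, not the PlexTrac Assessments module or any vendor’s code). The CIDR ranges, excluded host, testing window, operator names and timestamps are all constructed for the example; the JSON Lines output is just one convenient format for a log you can hand to a client alongside the questionnaire.

```python
"""Rules-of-engagement scope check feeding an append-only run log (added example)."""
import json
from dataclasses import dataclass, field
from datetime import datetime, time, timezone
from ipaddress import ip_address, ip_network


@dataclass
class RulesOfEngagement:
    """Constraints lifted from a (constructed) RoE document."""
    in_scope: list                      # CIDR strings the client authorised
    excluded: list                      # hosts that must never be touched
    window_start: time                  # testing window, UTC
    window_end: time
    forbidden_actions: set = field(default_factory=lambda: {"dos"})

    def allows(self, target, action, when):
        """Return (allowed, reason) for `action` against `target` at datetime `when`."""
        addr = ip_address(target)
        if any(addr == ip_address(h) for h in self.excluded):
            return False, "target on exclusion list"
        if not any(addr in ip_network(n) for n in self.in_scope):
            return False, "target not in scope"
        if action in self.forbidden_actions:
            return False, "action prohibited by RoE: " + action
        clock = when.astimezone(timezone.utc).time()
        if not (self.window_start <= clock <= self.window_end):
            return False, "outside testing window"
        return True, "ok"


class RunLog:
    """Append-only record of every attempted action, allowed or refused."""

    def __init__(self, roe):
        self.roe = roe
        self.entries = []

    def record(self, operator, target, action, detail, when):
        """Check the RoE, log the attempt and its verdict, and return whether it was allowed."""
        allowed, reason = self.roe.allows(target, action, when)
        self.entries.append({
            "ts": when.astimezone(timezone.utc).isoformat(),
            "operator": operator,
            "target": target,
            "action": action,
            "detail": detail,
            "allowed": allowed,
            "reason": reason,
        })
        return allowed

    def exploited_hosts(self):
        """Every host where an exploitation step was actually permitted to run."""
        return sorted({e["target"] for e in self.entries
                       if e["action"] == "exploit" and e["allowed"]})

    def activity_on(self, host, start_iso, end_iso):
        """Answer 'was that you?' for one host over an ISO-8601 time range."""
        lo, hi = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
        return [e for e in self.entries
                if e["target"] == host and lo <= datetime.fromisoformat(e["ts"]) <= hi]

    def to_jsonl(self):
        """One JSON object per line, the shape most log tooling will ingest directly."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def build_sample_log():
    """Constructed engagement: one /24 in scope, one excluded host, 09:00-18:00 UTC window."""
    roe = RulesOfEngagement(in_scope=["10.0.0.0/24"], excluded=["10.0.0.250"],
                            window_start=time(9, 0), window_end=time(18, 0))
    log = RunLog(roe)
    day = datetime(2024, 3, 12, tzinfo=timezone.utc)          # constructed date
    at = lambda h, m: day.replace(hour=h, minute=m)
    log.record("tester-a", "10.0.0.7", "scan", "service detection on tcp/80", at(9, 30))
    log.record("tester-a", "10.0.0.7", "exploit", "web application, access obtained", at(14, 5))
    log.record("tester-b", "10.0.0.250", "exploit", "refused: excluded host", at(14, 10))
    log.record("tester-b", "192.168.1.1", "scan", "refused: typo in target list", at(15, 0))
    log.record("tester-a", "10.0.0.9", "dos", "refused: stress test not permitted", at(15, 30))
    log.record("tester-a", "10.0.0.9", "exploit", "refused: after hours", at(23, 0))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print(sample.to_jsonl())
    print("exploited:", sample.exploited_hosts())
    print("10.0.0.7 between 14:00 and 15:00:",
          sample.activity_on("10.0.0.7", "2024-03-12T14:00:00+00:00", "2024-03-12T15:00:00+00:00"))
```

Refused attempts are logged with the same weight as successful ones on purpose: when a client asks about an alert at a specific time, the answer “we tried that host, and the tooling refused because it was on the exclusion list” is far more reassuring than a log with no entry at all.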
Use PlexTrac Every Step of the Way
The Detection and Exploitation phases are the beginning of the most impactful parts of the pentest. By using PlexTrac to document and store evidence from these phases, you can ensure a smooth handoff between pentesters and have everything you need if a client sees something suspicious during the test.
Read the full Hack Your Pentesting Routine series on the PlexTrac blog.