
VIDEO

Penetration Test Phases 3-5: Enumeration, Detection, and Exploitation

Category: Pentesting, Red Teaming, Thought Leadership


Transcript

Welcome to A Cup of Joe. We’re talking about the phases of the pentest and how to use the PlexTrac platform to support phases three, four and five.

Typically we associate five phases with the pentesting process. But as a practice director I needed to look at the whole picture and be sure to include phases that required all the different stakeholders or significant context switching. So after more than a few years of doing this, I came up with ten phases. Now, depending on your practice or your internal team, some of these phases may or may not exist, or you may have slightly different versions. I’m not asking you to adopt what doesn’t work, just recognize that there are additional phases that you may want to address discretely for better practice management and engagement efficiencies. So in my mind they go like this.

We begin with phase one, which is the setup phase. Now, this includes everything in the engagement before you even begin to send a single packet. So this would include the kickoff, getting scoping documentation, looking at the SOW, setting up the right resources. This is everything that needs to be done before we begin the actual testing. Then we look at the more traditional phases that we’re used to: discovery, enumeration, detection and exploitation. And then we move into phase six, which is post-exploitation. This is where we go beyond that initial vector.

Now we begin to put together an attack chain, and once we are done with the engagement, we’ve either hit our success criteria or we’ve run out of time. Then we move into phase seven, which is our reporting phase. And here we’re going to have the operators, QA people, project managers, all of these stakeholders involved in this phase. Once it’s complete, then we have the phase of the readout. And the readout isn’t just going over the report with the customer. You may also have to negotiate some of the findings with them and go back and redo the report based on their needs. So they may have a different policy around how certain things are rated in terms of severity, or they may disagree with the finding, or you may not have been aware of a compensating control that would not have allowed you to exploit that thing further.

So you may see some iterations between reporting and readout. Now, once you’ve had a solid report and you’ve done the readout, then the customer might have a remediation phase where they come back to you and ask: we have to fix these for regulatory regime requirements or something along those lines. How would you recommend that we fix them? And this is where you provide additional value by guiding them and making sure that whatever work they put into the remediation is going to stand up against the next phase, which is the final testing to ensure that everything that they’ve done is in fact effective. Test it one more time and then go back to the reporting phase, give them one more final report, and then they’re good for that time period.

In this vlogging series we’ll touch on all of them. But today I just want to focus on phases three, four and five: enumeration, detection and exploitation. There is a lot going on in these phases, so let’s break them down. Enumeration is that phase where you identify ports and services running on the assets identified in phase two. Detection is the phase where we identify the protocols and applications. Exploitation is the fun part, where we identify weaknesses in the applications or protocols that will provide us with further access or at least additional information. Now, these phases rely on just the right combination of experience, automated tools and a manual assessment of the results.

Enumeration feels pretty straightforward, but straightforward doesn’t mean simple, and for a reason. You should definitely rely on automated tools to work through a large scope or a huge number of assets, but you can’t rely on them to be 100% accurate. You also need to be careful. Firing up Nmap and Nessus and flooding your targets with packets isn’t going to give you the results you want. You need to be cautious, otherwise you could just end up having your source IP shut down. There is some subtlety and experience required if you want to move into the detection phase with a solid foundation. The detection phase on its surface can be confusing due to the way firewalls can affect the responses.

Latency can alter your results, and services running on nontraditional ports can trip up the newbie. Also, residential Internet services are frequently filtered by ISPs, so if you’re testing from home using your Comcast Internet plan, it might not be the best way to go to get an accurate picture. You also may need to come at it from more than one direction, using tools hosted in different environments, in different geographical locations even, in order to get a complete picture of the target environment. Now, let’s not forget the rules of engagement. This is where a brute force and ignorance approach can get you into a great amount of trouble. If you have a certain number of off-limits assets, then throwing that entire /16 from scope into Nessus and letting it run wild is just going to end in tears. So keep your scope and your rules of engagement documents close at hand before you start throwing packets.

After all the work we’ve done, now we can safely move into the exploitation phase.

Now there’s exploitation and then there’s exploitation, if you know what I mean.

We got back a response that says it’s exploitable, so we put it in the report, versus: we reached into the system, made it do bad things, dance to our music, cough up its secrets, and here’s the evidence to prove we did it. How invasive your test can be will be entirely determined by the type of pentest contracted as well as the rules of engagement. There’s a lot of data being gathered here in these phases. So how can PlexTrac make these phases easier and more effective? Well, I think one of the greatest benefits PlexTrac can provide is its ability to integrate with the tools that you’re already using in the enumeration and discovery phase, to better organize and quantify the results. Check this out.

Log into your PlexTrac instance, and then select your project or client or business unit, whatever you’re using. Just use the demo and then select the report you’re working on. Now, from here, I can upload the data that I’ve collected in phases three and four, either by creating a brand new finding from scratch, or importing from WriteupsDB, the repository of previously created findings, or I can import it from one of the tools that I used in the previous phases. So we have a lot to choose from. Check this out. We’ve got everything from Nessus to Acunetix to Burp Suite, Veracode, Qualys, even OpenVAS. We have a lot to choose from. Let’s go ahead and grab the Nessus one.

Let me show you how this works. Let’s drop a file here. There it is.

And let’s add some tags. Now, the tags will help me search through the data more easily when I’m trying to drill down, say, to a specific set of findings. Like, for example, if I want to add Nessus as a tag here, and I can add additional information specifically around the asset. So, for example, if I knew this was from a specific VLAN, I could say that I got this out of VLAN 8, and then I can submit it. This can take a couple of minutes, but be patient. Once you get it in here, we’ve got all this lovely information that we get to play with. I can go through and be a little bit more detailed.

I can see the different assets that this was associated with. I can go through and clean up the findings and tweak this basically to my liking. And then when I go to export this, it’s in the perfect format. Exactly what I was looking for. All right, that’s all the time we have today. Don’t forget to hit the like and the subscribe button to get the latest cup of Joe content and ideas. My name is Joe Perrini, and I am PlexTrac’s product evangelist.

Wishing you happy hacking.
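The transcript's warning about throwing a whole /16 into a scanner when the rules of engagement list off-limits assets is worth making mechanical. The following is an added example, not code from the video or from PlexTrac: it takes the in-scope ranges from the SOW and the exclusions from the rules of engagement, carves the exclusions out of the scope, lets you check any single host before you send a packet, and builds a deliberately throttled Nmap command that passes the exclusions a second time with `--exclude`. The CIDRs, the rate cap and the output file name are constructed sample values and assumptions of this example, not anything the page states.

```python
"""Scope enforcement before enumeration (added example).

Build the target list as (in-scope ranges from the SOW) minus (off-limits
assets from the rules of engagement), and check hosts against it before
scanning.  IPv4 only; all CIDRs below are constructed sample values.
"""
import ipaddress
from typing import Iterable, List

Network = ipaddress.IPv4Network

# Constructed sample scope/exclusions standing in for the SOW and RoE.
SCOPE = ["10.8.0.0/24", "10.8.1.0/25"]
EXCLUSIONS = ["10.8.0.0/30", "10.8.0.200", "10.8.1.64/26"]


def parse_networks(entries: Iterable[str]) -> List[Network]:
    """Accept single IPs ('10.8.0.200') or CIDRs ('10.8.0.0/24').

    strict=False tolerates host bits being set ('10.8.0.5/24'), which is
    common in scoping spreadsheets."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]


def subtract(networks: List[Network], exclusions: List[Network]) -> List[Network]:
    """Carve every exclusion out of the scope without expanding it.

    address_exclude() splits a block into a handful of CIDRs around the
    hole, so a /16 stays a short list instead of 65k addresses."""
    remaining = list(networks)
    for ex in exclusions:
        carved = []
        for net in remaining:
            if net.subnet_of(ex):          # whole block is off limits (or equal)
                continue
            if ex.subnet_of(net):          # the hole lies inside this block
                carved.extend(net.address_exclude(ex))
            else:                          # no overlap at all
                carved.append(net)
        remaining = carved
    return sorted(remaining)


def allowed_networks(scope: Iterable[str], exclusions: Iterable[str]) -> List[Network]:
    return subtract(parse_networks(scope), parse_networks(exclusions))


def build_targets(scope: Iterable[str], exclusions: Iterable[str]) -> List[str]:
    """Scanner-ready target strings: bare IP for /32s, CIDR otherwise."""
    return [
        str(n.network_address) if n.num_addresses == 1 else str(n)
        for n in allowed_networks(scope, exclusions)
    ]


def count_targets(scope: Iterable[str], exclusions: Iterable[str]) -> int:
    """Number of addresses that will actually be touched."""
    return sum(n.num_addresses for n in allowed_networks(scope, exclusions))


def in_scope(host: str, scope: Iterable[str], exclusions: Iterable[str]) -> bool:
    """Gate for any single host, e.g. one pulled out of a discovery result."""
    addr = ipaddress.ip_address(host)
    inside = any(addr in n for n in parse_networks(scope))
    excluded = any(addr in n for n in parse_networks(exclusions))
    return inside and not excluded


def nmap_argv(targets: Iterable[str], exclusions: Iterable[str],
              max_rate: int = 50, out_file: str = "enum.xml") -> List[str]:
    """Conservative Nmap invocation: polite timing and a packet-rate cap so
    the source IP is less likely to be blocked, XML output for import into
    a reporting tool, and the exclusions repeated with --exclude as a
    second guard.  max_rate and out_file are assumed values."""
    argv = ["nmap", "-sS", "-Pn", "-T2", "--max-rate", str(max_rate), "-oX", out_file]
    exclusions = list(exclusions)
    if exclusions:
        argv += ["--exclude", ",".join(exclusions)]
    return argv + list(targets)


if __name__ == "__main__":
    targets = build_targets(SCOPE, EXCLUSIONS)
    print(f"{count_targets(SCOPE, EXCLUSIONS)} addresses across {len(targets)} ranges")
    for host in ("10.8.0.201", "10.8.0.2", "10.8.1.70"):
        print(f"{host:12} in scope: {in_scope(host, SCOPE, EXCLUSIONS)}")
    print(" ".join(nmap_argv(targets, EXCLUSIONS)))
```

With the sample values the /24 minus a /30 and a single host leaves 251 addresses, and the /25 minus a /26 leaves 64, so 315 addresses are ever scanned; the excluded host 10.8.0.2 is rejected by `in_scope` before any packet goes out. `-sS` needs root; swap in `-sT` for an unprivileged run.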