What is vPenTest's methodology for automated penetration testing?
Overview
When performing a network penetration test, it is essential to understand the methodology that's being executed behind the scenes. This article will provide information about some of the activities we perform as part of our network penetration test engagements. Please note that these activities may vary depending on certain conditions within the environment, so there is not a 100% predefined/guaranteed list of commands or tasks that are run.
Our automated network penetration testing methodology follows the exact same processes as consultants would if they were to perform a penetration test manually. In fact, we've completed many penetration tests side-by-side with real-world consultants and were able to accomplish the same results, if not more, in some scenarios.
IMPORTANT Disclaimer: Since our penetration tests focus on demonstrating maximum impact, our activities may be flagged as intrusive or malicious by most security devices designed to protect the environment. In addition, post-exploitation techniques can sometimes result in interruption of services. However, we have set up many conditions to prevent this from happening (just like a security consultant doing a manual penetration test would). The assessments conducted by vPenTest are not any more or less risky than traditional penetration test assessments conducted by humans.
Open Source Intelligence (OSINT) gathering
OSINT gathering is a process whereby one tries to find as much information as possible about an organization. This is typically conducted passively and doesn't set off any alarms, as it does not scan the organization's infrastructure. Information such as domains, sub-domains, IP address ranges, lists of employees, etc., is gathered.
Such information can be extremely valuable for a penetration test because vPenTest can take it into consideration when conducting authentication-based attacks against the systems that are in scope for testing. For example, suppose it's able to gather a list of employees from a publicly accessible resource. In that case, these employees can be converted into usernames and email formats, providing the additional ability to query external services for compromised passwords, perform password attacks, etc.
Host discovery
Host discovery is the process of identifying systems that are active within the network environment. Consultants use a variety of techniques to perform this task, but most of them are fairly standard across the industry. For example, a consultant may use one of the following methods to find active systems:
- Perform a ping sweep across the network initially to find systems that respond to ICMP requests.
- Disable the ping sweep and perform a port scan across common ports to see which systems have open ports.
- Disable the ping sweep and perform a port scan of all 65,535 ports on every system to see which systems have common and/or uncommon ports open.
- Perform an ARP sweep across the local subnet to identify active systems through layer 2 ARP requests (e.g., "who has 192.168.1.1?").
Before implementing some of the advanced techniques, vPenTest would automatically decide which of these methods to execute depending on certain conditions of the scheduled assessment. However, with the recent implementation of the advanced tab of the Scheduled Assessment Wizard, these options are now available for our partners and customers to adjust.
At the end of the Host Discovery process, vPenTest will compile a list of active systems within the network, which will then be used and funneled into the next assessment phase.
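As an added defender-side illustration (not part of this article or of the vPenTest product), the following Python flags the three discovery patterns listed above in constructed flow/ARP log lines; the `proto=... src=... dst=...` line format, the sample addresses and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real logs): host 10.0.0.5 performs an ICMP sweep,
# a TCP port scan of 10.0.0.20 and an ARP who-has sweep; 10.0.0.9 is benign traffic.
SAMPLE_EVENTS = [
    *[f"proto=icmp src=10.0.0.5 dst=10.0.0.{i}" for i in range(1, 31)],
    *[f"proto=tcp src=10.0.0.5 dst=10.0.0.20 dport={p}" for p in range(1, 201)],
    *[f"proto=arp src=10.0.0.5 dst=10.0.0.{i} op=who-has" for i in range(1, 41)],
    "proto=tcp src=10.0.0.9 dst=10.0.0.20 dport=443",
    "proto=tcp src=10.0.0.9 dst=10.0.0.21 dport=445",
    "proto=icmp src=10.0.0.9 dst=10.0.0.1",
]

def parse_event(line):
    """Turn a 'k=v k=v ...' line into a dict; tokens without '=' are ignored."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
    return fields

def detect_sweeps(lines, host_threshold=20, port_threshold=100):
    """Return {src: sorted detection names} for sources exceeding the thresholds."""
    icmp_hosts = defaultdict(set)   # src -> distinct hosts probed with ICMP
    arp_hosts = defaultdict(set)    # src -> distinct hosts asked about via ARP who-has
    tcp_ports = defaultdict(set)    # (src, dst) -> distinct TCP ports touched
    for line in lines:
        ev = parse_event(line)
        src, dst, proto = ev.get("src"), ev.get("dst"), ev.get("proto")
        if not (src and dst and proto):
            continue                # malformed or incomplete line: skip, don't crash
        if proto == "icmp":
            icmp_hosts[src].add(dst)
        elif proto == "arp" and ev.get("op") == "who-has":
            arp_hosts[src].add(dst)
        elif proto == "tcp" and "dport" in ev:
            tcp_ports[(src, dst)].add(ev["dport"])
    findings = defaultdict(set)
    # Many distinct targets from one source = sweep; many ports on one target = scan.
    for name, table in (("icmp_ping_sweep", icmp_hosts), ("arp_sweep", arp_hosts)):
        for src, hosts in table.items():
            if len(hosts) >= host_threshold:
                findings[src].add(name)
    for (src, dst), ports in tcp_ports.items():
        if len(ports) >= port_threshold:
            findings[src].add(f"tcp_port_scan:{dst}")
    return {src: sorted(names) for src, names in findings.items()}
```

Running `detect_sweeps(SAMPLE_EVENTS)` attributes all three patterns to 10.0.0.5 and nothing to 10.0.0.9; tune the thresholds to your own network's baseline before alerting on them.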
Enumeration
The enumeration phase is where things get very interesting. Based on the list of active systems within the network, enumeration tasks are performed to identify and probe the services listening on the discovered ports. For example, suppose a system has a service listening on port 21/tcp (FTP). In that case, vPenTest will attempt to check for anonymous login, check for any patch-related deficiencies, and perform a password attack against the FTP server using a list of common default usernames/passwords. Depending on the manufacturer of the FTP server (detected via service version scan), we're able to automatically adjust this list of usernames and passwords.
The ultimate goal of the enumeration phase is for the penetration test to identify weaknesses such as configuration, patching, and/or authentication deficiencies. This enumeration process is extremely thorough and tries to enumerate as much information as possible from each and every service that's listening.
Exploitation
During exploitation, vPenTest carefully attempts to exploit systems and/or services with the intention of gaining access to systems. There are two main goals for exploiting systems:
- To demonstrate that a vulnerability doesn't just exist, but can be used to gain access to a system. Refer to What is the difference between a penetration test and a vulnerability assessment?
- To gain access to the compromised system to perform additional enumeration, which may lead to discovering sensitive information, or information that's valuable and can contribute to another attack (for example, shared credentials).
As mentioned previously in this article, exploits run by vPenTest are similar to those run in the real world by traditional consultants. While no exploit can ever be guaranteed to be 100% safe, we exercise the same caution as a human pen tester would manually, except we do it more consistently by automating that decision logic.
Post-exploitation and lateral movement
Essentially, the purpose of post-exploitation and lateral movement is to find as much information as possible. Unlike vulnerability assessments, the objective of a penetration test is to show how exploiting a vulnerability could result in a significant impact within the environment. By demonstrating this impact, it's possible to get organizations to reconsider the priority of remediating vulnerabilities that vulnerability scanners may have reported as non-urgent.
vPenTest is able to take into consideration all of the information that it's identified as part of the test to escalate privileges and find many pieces of valuable information. This includes enumerating shares, configurations of systems and services, comparing the differences between data found on multiple systems, etc.