What happens when clients pay you to hack them

459new-sans-adrien

When Adrien de Beaupré is having a good day at work, you’ll often find him giggling. The independent senior information security consultant specializes in penetration testing for corporate and government clients, while also teaching penetration testing at the SANS Institute.

de Beaupré, who will talk about hacking web applications at SecTor this year, said that when clients call him up and he’s laughing, it typically means that it’s also a bad day for them – because he’s all over their systems.

His career wasn’t always technical – his original degree was in political science and he only took computer science later. But he has been working with computers since the early 1980s. As one of a small community of elite penetration testers in Canada, he spends time trying to gain access to his clients’ systems to expose weaknesses in their security.

Unlike black hat intruders, penetration testers are restricted in what they can do, because clients give them specific rules of engagement, dictating what systems they are allowed to target, and how they are allowed to approach them.

“Pen testers are restricted by legality, morality and ethics, and there are rules of engagement, so we always have both hands tied behind their backs. We can’t do all the things that the attackers can do,” he said.

The uninitiated may imagine penetration testing to be an exciting, dynamic occupation, full of cloak and dagger activity and ninja-style intrusions. Nothing could be further from the truth, though. de Beaupré paints an altogether different picture of the profession.

A lot of the work is mundane and methodical, he explained. Pen testers typically work in teams, each with their own specialized area of operation, and they walk through the process in minute, heavily-documented detail, only deviating from the methodology where required for creativity, and documenting the change in plan.

There are several methodologies outlining the penetration testing procedure. Examples include the SANS PenTest methodology, the Open Source Security Testing Methodology Manual (OSSTMM), the Open Web Application Security Project (OWASP) Testing Guide, and NIST’s Technical Guide to Information Security Testing and Assessment (SP 800-115).

Anatomy of a pen test

Although they may be tailored for particular organizations or engagements, most methodologies follow the same basic steps, de Beaupré explains:

  • Planning and logistics
    Here, the tester puts the basic framework in place, deciding whether they can do the test, and how it will play out. This is a good time to schedule specific phases of the process and allocate tasks to various team members.
  • Reconnaissance and intelligence gathering, and identification of targets
    This is where the pen tester finds out about the target organization. A lot of this can happen without any packets travelling between their computer and the target’s, he explained. Open source intelligence (OSINT) including reading past employees’ resumes on LinkedIn can give pen testers a wealth of information about organizational structure, for example.When packets do start travelling between the pen tester’s machine and the target network, they’re often scanning assets at this stage, identifying IP address ranges and sniffing for live systems.
  • Vulnerability assessment and validation
    The pen tester identifies vulnerabilities during this phase. de Beaupré looks at the output of automated tools at this point, but also looks at information gathered from the earlier stages to identify vulnerabilities that the tools may not see.
  • Exploitation
    This is the part that movies will focus on, but it’s the least important piece of the process. “The focus is often put on the exploitation phase, but honestly, in a five-day engagement, the exploitation phase is 20 mins,” de Beaupré reveals.
  • Post exploitation – pillaging and pivoting
    However, once into the network, pillaging can be lots of fun, as the pen tester makes their way around the network owning various systems and collecting data – all within the rules of engagement, of course.
  • Analysis and report writing
    Finally, the analysis and report writing stage focuses on documenting what happened for the client. Ideally, a lot of this can be provided by the automated tools that the pen tester used along the way, with some additional description from the tester where necessary.

What devious toolbox of hackery do pen testers need to own their clients’ systems? “The only required tool is the matter most people have between their ears,” de Beaupré argued. Of course, other tools make it easier. “The honest answer is a web browser to do the recon and information gathering, a project management tool for scheduling, and a database to track target data in,” he said.

There are other automated tools that can help pen testers along the way. “For Internet-based testing a port scanner such as Nmap or unicornscan, a vulnerability scanner such as OpenVas or Tenable Nessus, and an exploitation kit such as Core Impact Pro or Metasploit,” he said. Tools may vary based on the environment. A wireless network or a set of web applications may have a different set of tools to a purely wired environment, for example.

Enough knowledge to be dangerous

Part of the problem with the toolsets available is that they can give people a lot of power without the knowledge to use it. Like a new driver at the wheel of a high-performance vehicle, the results of giving someone these tools can be suboptimal, to put it mildly.

“Finding the tools is not difficult. Often they are free and open source, readily available for download by anyone,” he said. “In the hands of a skilled penetration tester they are incredibly useful. In the hands of a wannabe they are a disaster waiting for a place to happen.”

At worst, a pen tester might venture outside the scope of a project and trash systems or data, in a move which de Beaupré calls not only career limiting, but also potentially freedom limiting.

“There are people who download a tool and knock a server over, and do damage to data because they don’t really know what they’re doing,” he said.

The other danger lies with firms that run some automated tools but don’t really dig into a network to find the flaws that the tools won’t. “You have a lot of wannabes who claim to be pen testers but don’t have the skills or experience,” he said. “These people do a lot of damage to the people that they sell product or service to, and to the industry.”

A distaste for labels and seals

He reserves a special dislike for certifications and seals displayed on web sites to prove that they’re secure. “Really it’s an automated tool, and the automated tool finds only the low hanging fruit that any automated tool can find, but doesn’t find any of the interesting things that a true pen tester would,” he said. “I think it’s negligent.”

Wherever possible, when he compromises a web site that displays such a seal, he tries to include the label in the documenting screen shot as a special hat-tip.

To get into pen testing, be good at working in teams, said de Beaupré. Have a technical background in computing, naturally, but also have a sense of self-control and method. These are the folks most likely to succeed, he concludes: “People with the training, painstaking attention to detail, experience, analysis skills, and creativity to emulate attackers in a controlled professional manner.”

Interested in pen testing? Don’t forget to check out the Getting Started With Penetration Testing training session at SecTor on October 19, organized by Metasploit publisher Rapid 7. And if you want some handy references in the meantime, check out the SANS 2015 Pen Testing poster.

Interested in finding out more? Register at SecTor, which takes place at Metro Toronto Convention Centre in downtown Toronto on October 20-21, with a training day on October 19.