Penetration testing is a proactive measure: it tries to identify vulnerabilities in services and organizations before real attackers do.
Penetration testing can be offered in many areas, for example:
Depending on the engagement, the organization can decide how much information to give the team doing the penetration test. A no-knowledge test, sometimes called a black-box test, means the testers are given no information in advance. A partial-knowledge test, sometimes called a grey-box test, means the testers are given some information, and in a full-knowledge test, sometimes called a white-box test, the testers have everything they need: source code, network diagrams, logs and more.
The more information an organization can give the penetration testing team, the more value the team can provide in the time available. A no-knowledge test mirrors what an outside attacker sees, but much of the budget is then spent on discovery rather than on finding and proving weaknesses.
A valuable penetration test scenario is to demonstrate the consequences of a stolen or lost laptop. Such systems hold privileges and credentials (cached passwords, VPN profiles, SSH keys, saved sessions) that attackers could use to get into the target organization.
The system might be protected with a login password, but many techniques can bypass that protection, especially when the disk is not encrypted: an unencrypted disk can simply be removed or booted from another operating system and read directly. For example:
As soon as the attackers have access to the system, they can start to raid it for information that furthers their objectives.
A system is only as strong as its weakest member, and that is often a human being. Social engineering involves targeting users with attacks that try to fool them into doing things they did not intend to do. This kind of technique is very popular, and many of the biggest hacks in the world have involved social engineering.
Social engineering often tries to exploit certain aspects of human behaviour to make victims comply, for example:
When someone has been the victim of a good social engineering attack, they often do not realize they have been attacked at all.
Humans usually want to be helpful to each other. We like doing nice things!
Consider a scenario where Eve rushes into the reception of a large corporate office with her papers soaked in coffee. The receptionist can clearly see that Eve is in distress and asks what is going on. Eve explains that she has a job interview in five minutes and urgently needs her documents printed for it.
In advance, Eve has prepared a malicious USB stick with documents designed to compromise any computer they are opened on. She hands the receptionist the USB stick and, with a smile, asks if the receptionist can print the documents for her. This may be all it takes for attackers to infect a system on the internal network, from which they can pivot to compromise more systems.
People often fear failing or not doing as they are told. Attackers will often use fear to coerce victims into doing what they need. They can, for example, pretend to be the company director asking for information. Perhaps a social media update revealed that the director is away on vacation, and this can be used to stage the attack.
The victim probably does not want to challenge the director, and because the director is on vacation, it is harder to verify the request.
Reciprocation is doing something in return, such as responding in kind to someone who has shown you kindness.
Consider someone holding the door to let you in through the front door of your office building. Because of this, you are likely to want to hold the next door for them in return. That door might be behind access control, requiring employees to present their badges, but to return the kindness the door is held open. This is called tailgating.
Humans are curious by nature. What would you do if you found a USB stick lying on the ground outside the office building? Plug it in? What if the USB stick contained a document titled "Salary Information - Current Updates"?
An attacker could deliberately drop many malicious USB sticks around the area where employees work, hoping someone will plug one in.
Documents can contain malicious macros or exploits, or simply trick users into performing actions that compromise their own systems. Blocking macros in documents that came from outside the organization, and disabling USB mass storage on endpoints that do not need it, removes most of this attack surface.
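An added example (not from the original page) of the check a defender or tester can run on a dropped document: the decision of whether a modern Office file carries VBA is made by the container, not by the file extension. An OOXML document is a zip package whose `[Content_Types].xml` declares a `vbaProject` part and which contains `vbaProject.bin`; a legacy `.doc`/`.xls` is an OLE2 compound file starting with a fixed magic. The minimal packages built here are constructed stand-ins, not real Word files.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # legacy .doc/.xls/.ppt container
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def inspect_document(data: bytes) -> dict:
    """Classify an Office document by its container and report whether it carries VBA."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macro storage lives inside OLE streams and needs a
        # dedicated parser, so flag it for manual review instead of guessing.
        return {"container": "ole2", "vba": None}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            types_xml = z.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
    except zipfile.BadZipFile:
        return {"container": "unknown", "vba": None}
    has_part = any(n.lower().endswith("vbaproject.bin") for n in names)
    declared = VBA_CONTENT_TYPE in types_xml
    # Either signal alone is enough: a part can be smuggled in without being
    # declared, and a declaration without the part is still worth a look.
    return {"container": "ooxml", "vba": has_part or declared,
            "vba_part": has_part, "vba_declared": declared}


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package (not a real Word file) to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        types_xml = [
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Override PartName="/word/document.xml" ContentType="application/'
            'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
        ]
        if with_macro:
            types_xml.append('<Override PartName="/word/vbaProject.bin" '
                             'ContentType="application/vnd.ms-office.vbaProject"/>')
        types_xml.append("</Types>")
        z.writestr("[Content_Types].xml", "".join(types_xml))
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real compiled VBA project.
            z.writestr("word/vbaProject.bin", b"\x01\x16\x01\x00" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    print("macro-enabled:", inspect_document(build_ooxml(True)))
    print("macro-free:   ", inspect_document(build_ooxml(False)))
```

Run it against the bytes of a file pulled from a suspicious stick before anyone double-clicks it; a `vba` of `True` on a file whose extension claims to be `.docx` is a stronger warning than the same result on a `.docm`, because the extension was chosen to look harmless.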
Phishing is a technique usually carried out through email. Attackers try to coerce and trick employees into giving away sensitive details such as their credentials, or into installing malicious applications that give the attackers control of the system.
Phishing is a common way for attackers to break in, and something penetration testers may also try. It is important never to underestimate the human factor in cyber security. As long as humans are involved, phishing will remain a possible way for attackers to gain access to systems.
Phishing should not be used to prove that humans make mistakes, but to demonstrate the consequences of those mistakes. It can also be used to test the strength of anti-spam filters and user awareness.
A campaign of several phishing rounds can be run instead of a single one. Multiple rounds help determine the overall awareness of the organization and remind users that it is not only attackers who try to trick them, but also the security department. Track per round how many users clicked, how many submitted credentials and how many reported the message; a rising report rate is a better sign of awareness than a falling click rate alone.
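The tells that an awareness campaign teaches people to look for can also be checked mechanically. As an added example that is not part of the original page, the Python below inspects one raw email for a sender domain that imitates the internal domain, a Reply-To that diverts replies elsewhere, a link whose visible text shows one host while the href points to another, and pressure language of the kind used in the scenarios on this page. The internal domain `acme-corp.com`, the phrase list, the crude registrable-domain helper and both sample messages are my own assumptions and constructed data.

```python
from __future__ import annotations

from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed values for the example organization and the pressure phrases to flag.
INTERNAL_DOMAIN = "acme-corp.com"
URGENCY_PHRASES = ("urgent", "immediately", "right away", "within 24 hours",
                   "will be suspended", "final notice")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(value: str) -> str:
    """Lower-cased host part of an e-mail address or URL ('' if there is none)."""
    value = value.strip()
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    if "://" not in value:
        value = "//" + value          # let urlsplit treat a bare host as the netloc
    return (urlsplit(value).hostname or "").lower()


def registrable(host: str) -> str:
    """Crude approximation (last two labels); real code should use the public suffix list."""
    return ".".join(host.split(".")[-2:])


def phishing_indicators(raw: str, internal_domain: str = INTERNAL_DOMAIN) -> list[tuple[str, str]]:
    """Return (code, detail) pairs for the classic phishing tells found in one message."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    _, from_addr = parseaddr(str(msg["From"] or ""))
    _, reply_addr = parseaddr(str(msg["Reply-To"] or ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    if from_dom != internal_domain and internal_domain.split(".")[0] in from_dom:
        found.append(("lookalike-sender", f"{from_dom} imitates {internal_domain}"))
    if reply_addr and reply_dom != from_dom:
        found.append(("reply-to-mismatch", f"replies go to {reply_dom}, not {from_dom}"))

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        parser = LinkCollector()
        parser.feed(content)
        for href, text in parser.links:
            if "." in text and " " not in text:   # visible text that looks like a host/URL
                shown, target = domain_of(text), domain_of(href)
                if registrable(shown) != registrable(target):
                    found.append(("link-mismatch", f"text shows {shown}, href goes to {target}"))

    haystack = (str(msg["Subject"] or "") + " " + content).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        found.append(("urgency", "pressure language: " + ", ".join(hits)))
    return found


# Constructed messages (not real mail) used to exercise the checks.
SAMPLE_PHISH = """\
From: "Margarethe (CEO)" <margarethe@acme-corp-mail.com>
Reply-To: ceo-office@mail-relay-xyz.net
To: alice@acme-corp.com
Subject: URGENT: reset my password before I land
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Alice, I need this done immediately or the meeting is lost.</p>
<p><a href="https://acme-corp.login-verify.xyz/reset">https://portal.acme-corp.com/reset</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: IT Helpdesk <helpdesk@acme-corp.com>
To: alice@acme-corp.com
Subject: Scheduled maintenance on Saturday
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Details are on <a href="https://intranet.acme-corp.com/maintenance">the intranet</a>.</p></body></html>
"""
```

None of these checks is proof on its own (legitimate mail uses Reply-To and link shorteners too), which is why a campaign teaches people to report rather than to judge; the same logic, run in a mail gateway, is what the "strength of anti-spam filters" test above is exercising.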
Vishing means using phone calls to get unsuspecting employees to perform actions for the attackers. If the employee believes they are on the phone with someone they know, preferably someone with authority, they can be tricked into performing unwanted actions.
Here is an example where Eve calls Alice:
Eve: Hello, this is Miss Eve calling. I was told to call you personally by the CEO Margarethe; she said you would be able to help.
Alice: Ok... What can I do for you?
Eve: Margarethe is travelling right now, but urgently requests her password to be reset so we can get on with a business meeting happening the moment she lands.
Eve: We urgently request that her email password be reset so she can deliver the meeting.
Eve: Can you proceed to reset her password to Margareth123?
Alice: I am not sure...
Eve: Please, Margarethe asked for you personally to comply with this request. It must be done now, I don't want to think of the consequences if not...
Alice: Ok. The password is reset.
Vishing can also aim at information disclosure, for example an attacker asking for a copy of a sensitive document or spreadsheet. The practical defence against both variants is a call-back procedure: never act on the authority claimed by an inbound caller, but end the call and phone the person back on a number already on record.