How Santhosh Tuppad Tests for Security – Part 1

Have you ever carried a PT in which the starting point was “outside” of the company network? (i.e. social engineering/ web app PT etc.) If so please describe.

I mainly perform two ways of attacking. Firstly, from outside the network so that I am not biased from internal networks or access. Secondly, I would also like to perform it from inside the network because that can be faster in discovering and fixing the vulnerabilities found.

I was hired to perform penetration testing from outside the company network and this also included social engineering the employees of that particular company because the Director of the company was also interested in inside security and weaknesses in the people working.

Platform: Web / Mobile / Internet of (Every)thing

My key tasks:

  • Identify the rogue insiders
  • Perform elicitation on the employees by social engineering
  • Perform OWASP Top 10 Attacks
  • Go beyond OWASP Top 10
  • Provide counter-measures in terms of algorithm
  • Suggestions to improve security controls and make it harder for the bad guys

Social Engineering: I found the author names from the javascript files and I tried gathering information about the author (programmers in this context) and found their phone numbers from the public records. Once found, I dialed their number and spoke to them addressing their name and the work they were doing at that company. I also mentioned, I am a new employee and I need some quick help. It’s urgent as I need to send the reports to the Director of the Company. I also took the Director’s name to make myself sound more confident and be persuasive.

With this simple telephone call, I got following information:

  • Firewall (Third-Party)
  • Version of the Firewall
  • Admin login URL path
  • Credentials to the production database (Ha ha, this was crazy)
  • Other team members who were working on “X” features

All of this was just in one call. This mission was solved and my report said, “Training the employees about cyber security is a must”. And I also was hired to conduct training for all staff.

I performed OWASP Top 10 Attacks across all the features while I automated some of the features with the same payloads. Not only did I address the OWASP Top 10 attacks, but I also spoke to them about smaller vulnerabilities turning out to be nightmares. For example: in the domain who.is information, I found out the name of the admin, phone number, email address and office address. I told them, instead of hacking your application, someone may hack into the email address of the web administrator and bring down the domain or delete all the files.

I also did a missing security headers scan and told them why “X” headers are important to improve your security and harden the security layers. I insisted they not show the “Administrator Login Webpage” to the whole world, but just allow such sensitive pages to be rendered / loaded only when the URL is accessed by a specific static IP address or company IP network range. I told them, the cost of investigation during a hack is less compared to when your sensitive webpage is publicly accessible around the globe. Maintaining the whitelist of IP addresses to access sensitive pages improves security.
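The two hardening checks mentioned in this answer, a missing-security-headers audit and an IP allowlist for a sensitive page, as an added example in Python. This is not the interviewee's tooling; the list of expected headers, the `/admin` path prefix and the allowlisted addresses (taken from the RFC 5737 documentation ranges) are assumptions for the example, and the sample response headers are constructed.

```python
"""Added example: a security-header audit over a captured response-header
set, and an IP allowlist check for a sensitive path such as an administrator
login page. Expected headers, path prefix and allowlist are assumptions."""
import ipaddress

# Headers a hardening review commonly expects on an HTML response.
# Assumed list for this example; tune it to the application being reviewed.
EXPECTED_HEADERS = {
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Referrer-Policy",
}


def missing_security_headers(headers, expected=EXPECTED_HEADERS):
    """Return the expected headers absent from a response, sorted.
    Header names are compared case-insensitively, as HTTP requires."""
    present = {name.lower() for name in headers}
    return sorted(h for h in expected if h.lower() not in present)


# Constructed sample: a response that sets only a cookie, a content type
# and one of the expected headers (in lower case, to exercise the comparison).
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "session=abc123; Path=/",
    "x-frame-options": "DENY",
}

# Allowlist for the administrator area: one static office IP and one company
# range. Both are placeholders from the RFC 5737 documentation ranges.
ADMIN_ALLOWLIST = [
    ipaddress.ip_network("203.0.113.10/32"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Assumed path prefix under which the sensitive pages live.
SENSITIVE_PREFIXES = ("/admin",)


def is_request_permitted(path, client_ip, allowlist=ADMIN_ALLOWLIST):
    """Serve ordinary pages to everyone, but sensitive paths only when the
    client IP lies inside one of the allowlisted networks. An address that
    does not parse is rejected rather than silently allowed."""
    if not path.startswith(SENSITIVE_PREFIXES):
        return True
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


if __name__ == "__main__":
    print("missing headers:", missing_security_headers(SAMPLE_RESPONSE_HEADERS))
    for path, ip in [("/admin/login", "203.0.113.10"),
                     ("/admin/login", "192.0.2.44"),
                     ("/products", "192.0.2.44")]:
        verdict = "allow" if is_request_permitted(path, ip) else "deny"
        print(f"{path} from {ip} -> {verdict}")
```

The client address passed to `is_request_permitted` must be the TCP peer address, or a forwarding header set by a proxy you control; a value copied straight from a client-supplied `X-Forwarded-For` header would let anyone claim an allowlisted address.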

During the end of 10 days of web application pen testing, I was able to find at least 30 Vulnerabilities out of which 2 were 0-day vulnerabilities and others included critical ones and minor ones. The list included CSRF mixed with XSS, Directory Listing, Authentication wasn’t encrypted, SSL certificate misconfiguration, Mixed content allowing a hacker to see the credentials plainly as the login form was integrated in an HTTP page and not HTTPS, SQL Injection bringing their server down (but no access to data) by looping, and many others.

Please describe the method you use to perform a Penetration Testing.

Here are some of the high-level ways on how I approach penetration testing.

  • Agreements like Non-Disclosure, Explicit Written Permission in order to perform Pen Testing related activities (In addition, I would also like to quickly understand the cyber laws of what’s legal and what’s illegal because I don’t want my biased nature as laws change based on jurisdiction).
  • Understand the Business
  • Understand the Application by using Touring Heuristics
  • Create a Feature Map using Mind-Maps
  • Identify the Pen Testing Objectives / Goals and Establish a Context
  • Perform Threat Risk Modeling
  • Identify Vulnerabilities in the System
  • Write Exploits / Do Vulnerability Advocacy through Risk Analysis
  • Use Vulnerability Scoring System that suits the context (DREAD / STRIDE or CVSS is what I use in my work, but I can tweak these models in order to suit the context of the client and project)
  • Create a Report that matters to the various stakeholders of the project


About Author – Santhosh Tuppad

Santhosh Tuppad has played different roles in his life which include being a passionate entrepreneur, liar, lover, boyfriend, thief, software tester, blogger, reader, trainer, coach, black-hat hacker, white-hat hacker, grey-hat hacker and what not. In this amazing journey of life, he has experienced his salvation. Not to forget that “Salvation comes at a price” and of course he has paid that price. Before he was known for being merciless, ruthless, unkind, evil etc. And today he is known for kindness, humbleness, and some people call him “Privacy Fighter”. Santhosh is also one of the OWASP Cheatsheet Contributors and shares his knowledge on Security and Testing unconditionally. The world finds his ways “Unconventional”, but he thinks that it’s the best 😉