
Couldn't compromise a company during a penetration test

yzT Member Posts: 365
I got my first penetration testing "job", it's more like a test which will open other doors.

The CEO of a consulting firm wants to add security consulting to its services, and after speaking for a couple of hours, basically he told me to hack them and come back with a report and my expected salary, and then we'll talk about the future.

I have to admit that I need to improve a lot in exploitation because I rely so much on tools. I'm good at information gathering, though, both technical and non-technical (social engineering).

I identified a couple of "harmless" vulnerabilities, but he's expecting to read something more serious like getting into their DBs, running system commands, defacing... So my question is, what do you do when you cannot find anything relevant during a penetration test? Or when you find something but you're not able to exploit it?

Comments

  • JoJoCal19 Mod Posts: 2,835
    Do you have pentesting knowledge or experience at least on the OSCP level?
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • it_consultant Member Posts: 1,903
    yzT wrote: »
    I got my first penetration testing "job", it's more like a test which will open other doors.

    The CEO of a consulting firm wants to add security consulting to its services, and after speaking for a couple of hours, basically he told me to hack them and come back with a report and my expected salary, and then we'll talk about the future.

    I have to admit that I need to improve a lot in exploitation because I rely so much on tools. I'm good at information gathering, though, both technical and non-technical (social engineering).

    I identified a couple of "harmless" vulnerabilities, but he's expecting to read something more serious like getting into their DBs, running system commands, defacing... So my question is, what do you do when you cannot find anything relevant during a penetration test? Or when you find something but you're not able to exploit it?

    If this is an external pen-test, then I am not too surprised. If they have a public website you are obviously looking for SSL renegotiation vulnerabilities, cross script vulnerabilities (depending on web host), default passwords left on, etc. Try to get into their firewall; you shouldn't be able to, but whether you can or can't, if they don't detect the attempt and take action, that is actually a vulnerability even though you ultimately failed to exploit the firewall management plane - if they didn't detect the attempt, that means a hacker could sit on that firewall and try and brute force it.

    Internal pen tests usually reveal a lot more because admins are lazier with their internal stuff.
  • yzT Member Posts: 365
    It's external. Brute forcing is possible because I tried to brute force their WP admin page for 14h or so, and my connection wasn't blocked.
  • colemic Member Posts: 1,569
    I would suggest creating a report that outlines everything that you were able to find out, and ideally, make some inferences from that data (that hopefully are correct.) It's not always about penetrating externally, with enough information you could spearphish and make the employees do the dirty work for you.
    Working on: staying alive and staying employed
  • MSP-IT Member Posts: 752
    Have you tried any social engineering attacks?
  • ajs1976 Member Posts: 1,945
    I hope you got written consent before trying.
    Andy

    2020 Goals: 0 of 2 courses complete, 0 of 2 exams complete
  • Heero Member Posts: 486
    It's not all too odd that you can't hack into a security company's external facing services. In fact, I would be surprised if you could if you assume that social engineering is off the table for this particular exercise. It's a whole different ball game if you have internal access.

    I suggest that you write a report on everything you did. What penetration tests you ran, what you found, etc. That will probably mean more than whether or not you found a vulnerability.
  • yzT Member Posts: 365
    MSP-IT wrote: »
    Have you tried any social engineering attacks?
    Physical attack is somewhat complicated because the building is rather small and everyone saw me already. And basically, from the moment I show up there, the CEO will see me.

    They have three domains, two of them use WordPress. I found a URL redirection in the only one that doesn't use WordPress. If the WordPress-powered sites had such a vulnerability, I could try some phishing attack to harvest the admin credentials and then leverage a remote code execution vulnerability available in WP 3.6.
  • tkerber Member Posts: 223
    Heero wrote: »
    It's not all too odd that you can't hack into a security companies external facing services. In fact, I would be surprised if you could if you assume that social engineering is off the table for this particular exercise. It's a whole different ball game if you have internal access.

    I suggest that you write a report on everything you did. What penetration tests you ran, what you found, etc. That will probably mean more than whether or not you found a vulnerability.

    So I'm not a security professional, however I do deal with a lot of security on a daily basis. I have to say if someone asked me to hack into a network, one of the first things I would attempt would be a well planned social engineering attack. Having worked in several different sectors of IT and now for a managed service provider, I can honestly say I could have easily social engineered any of my clients before working with them initially.
  • kanecain Member Posts: 186
    yzT wrote: »
    Physical attack is somewhat complicated because the building is rather small and everyone saw me already. And basically, from the moment I show up there, the CEO will see me.

    They have three domains, two of them use WordPress. I found a URL redirection in the only one that doesn't use WordPress. If the WordPress-powered sites had such a vulnerability, I could try some phishing attack to harvest the admin credentials and then leverage a remote code execution vulnerability available in WP 3.6.
    You don't always have to be on-site to perform social engineering hacks. You can always harvest their HR website, call a random user, have him/her connect to the site, and have them enter their user credentials. I run these social engineering tests all the time at my company with surprisingly successful results.
    WGU - Bachelors of Science - Information Security
    Start Date: Jan. 1st, 2012
    Courses:
    Done!!!
  • Heero Member Posts: 486
    tkerber wrote: »
    So I'm not a security professional, however I do deal with a lot of security on a daily basis. I have to say if someone asked me to hack into a network, one of the first things I would attempt would be a well planned social engineering attack. Having worked in several different sectors of IT and now for a managed service provider, I can honestly say I could have easily social engineered any of my clients before working with them initially.

    I'm not surprised at all. It sounded like the OP was limited to non social engineering attacks so I replied with that assumption. Looking back, he doesn't really say that he is limited from that avenue of attack, so he probably should be making attempts on that side as well.

    If you can't get access through a security vulnerability, just convince someone that does have access to give you theirs.
  • JB3 Member Posts: 21
    I assume you've hit them with WPScan?

    Forgive me if you already know this, but another trick to getting WordPress usernames is going to www.thedomain.com/?author=1. This will return the username with the ID 1, which is usually an admin account. You can keep doing this, or use the username enumeration part of WPScan.
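As an added, defender-side illustration (not code from the thread or from any poster): the two behaviours discussed above, a brute force against the WP admin page that runs for hours unblocked and a walk through `?author=N` IDs, both leave a clear trail in the web server's access log. The script below parses constructed combined-format log lines and flags source IPs that enumerate author IDs or accumulate failed `wp-login.php` POSTs within a window; the thresholds and window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (Apache/nginx "combined" format); not from the thread.
# 203.0.113.5 walks ?author=N and then hammers wp-login.php; 198.51.100.7 logs in once.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2013:14:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.30"',
    '203.0.113.5 - - [10/Oct/2013:14:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/7.30"',
    '203.0.113.5 - - [10/Oct/2013:14:00:03 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "curl/7.30"',
] + [
    f'203.0.113.5 - - [10/Oct/2013:14:01:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/2.0"'
    for s in range(6)
] + [
    '198.51.100.7 - - [10/Oct/2013:14:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def detect(lines, window=timedelta(minutes=10), login_threshold=5, author_threshold=3):
    """Flag IPs that enumerate author IDs or fail wp-login.php logins repeatedly (assumed thresholds)."""
    author_ids = defaultdict(set)
    failures = defaultdict(list)  # ip -> timestamps of failed logins inside the sliding window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        m = AUTHOR_RE.search(path)
        if m:
            author_ids[ip].add(int(m.group(1)))
        # WordPress re-renders the login form with HTTP 200 on a failed login
        # and answers a successful one with a 302 redirect to wp-admin.
        if method == "POST" and path.startswith("/wp-login.php") and status == 200:
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
        if len(author_ids[ip]) >= author_threshold:
            alerts.setdefault(ip, {})["author_enumeration"] = sorted(author_ids[ip])
        if len(failures[ip]) >= login_threshold:
            alerts.setdefault(ip, {})["login_failures_in_window"] = len(failures[ip])
    return alerts
```

Feeding a real access log through `detect()` shows whether the kind of 14-hour brute force described above would have been noticed; the same counters are what a lockout or rate-limiting rule in front of `wp-login.php` would key on.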
  • Pupil Member Posts: 168
    That's really cool. But you're making this much more difficult than it needs to be. Users are always the lowest hanging fruit. You say you're good at info gathering, so what do you have on the people that work there? Single out like 5-7 of them and send them a phishing email containing a payload. One of them is guaranteed to click on it and that will get you access to their machine behind the firewall. From there, you can start having your fun. Look into the Social Engineering Toolkit (SET) if you haven't already.
  • bigdogz Member Posts: 881
    The others are correct...

    "We have ways" to get in, and it sounds like if you had more tools or were more prepared you could have been successful.

    Is there a timeline?
    Was there a methodology when the pen test was performed?
    If you wish, you can PM me to be more specific.
  • linuxabuser Member Posts: 97
    Forget all of the technical stuff. Do you have a signed document giving you permission to do this?
  • YFZblu Member Posts: 1,462
    Personally, I would start considering client-side attacks. Having a difficult time penetrating internet-facing devices isn't all that unusual. Set up a web server on the internet, craft some phishing emails, and bait User's into interacting with your content.
  • ipchain Member Posts: 297
    Some good discussion but think about it - the CEO is expecting a report from you, a hacker. Need I say more? :) Good Luck!
    Every day hurts, the last one kills.
  • thenjduke Member Posts: 894
    I really hope you have a signed document between you and the CEO before doing this. The next thing is that a social attack is the easiest and gives the best results. This is an interesting way of getting a job.
    CCNA, MCP, MCSA, MCSE, MCDST, MCITP Enterprise Administrator, Working towards Networking BS. CCNP is Next.
  • GAngel Member Posts: 708
    1) Signed document.
    2) ISP permission

    Just talking about it on here could land you in a world of hurt.
  • PsychoData91 Member Posts: 138
    Seriously though yzT, do you have WRITTEN (not just verbal) permission from the client, and written permission from the ISP? Even with written permission and permission from the ISP there have been cases where pentesters have been sued by other parties.

    But on the actual front. Write up what you have found/confirmed. Even a URL redirection vuln is a vuln. Even if you don't find any really good vulns or can't crack them, a fully external black box penetration test may not even show any minor vulns from the outside. Now, if you were more white box and knew that "OH this is their standard domain but oh! they have a hole in the NAT for bla" and knew to test it, then you might be able to find more things. That way you're testing everything that's public facing, not just what you know about that's public facing. Make sure you record everything, even if it's positive news. Especially if you're trying to impress for possible future work. If you can document and write up something halfway nice saying that this is what you were able to enumerate and scan for these types of vulns/problems, but weren't able to detect any vulns other than this fairly minor redirection, no open ports that you could take advantage of, and three domains that seem fairly secure externally - then that's good news for the customer! It may not be the best news for you, the pentester, but if you do a good write-up of the external test and make it clear you tried everything you knew about, then maybe they will be interested in letting you have another go with more information and a better target that you know about now, or an internal test where everything will be easier to enumerate.

    You as good as said this is your foot in the door to more work, even if there wasn't anything to find (or you didn't find it) then you had best document what you did, what you did it on, what you found, what you didn't find, what issues could still be present that you can test for.
  • yzT Member Posts: 365
    ooo ****. I had found a DNS Cache Snooping vulnerability but didn't take screenshots at that moment, and now that I'm filling the report, it seems they fixed it already ¬¬. Lesson learned.

    ISP permission? Never heard that it was needed. Just client permission.
  • PsychoData91 Member Posts: 138
    Read the forum thread here; it provides examples. Think about it this way. You are not scanning the customer's IP in most cases, you are scanning the IP that has been assigned to the customer by their ISP. You are actually attacking the ISP's digital property. Sure you have the permission of the person borrowing the car to beat the crap out of it, but that doesn't mean the owner couldn't come after you.

    This thread I linked to also brings up a "Get out of jail free card" - which basically says XXXX bossman says not to press charges or call the cops. It doesn't actually mean you aren't breaking the law if you impersonate an official (very illegal), though it could get you out of something like breaking and entering charges by showing you had permission.

    I'm not sure it mentions it on either, but if you cause harm, i.e. intentionally crash a production server, delete data, drop tables, damage backups, deface a website, leak information, steal information: ALL of that is still very illegal and, unless you have a 100% airtight agreement that you are not responsible for anything you intentionally or unintentionally cause, you had best tread very lightly. (You never know, Joe Psychopath might have some crazy packet capture that when it sees more than three failed password attempts erases the database because it's better than losing it.)

    AND that get out of jail free card isn't just for if you're onsite. I've read news stories where either your or their ISP reported, quite accurately, "malicious traffic" to the authorities, and on day two or three of scanning the police were banging on doors to arrest the pen testers.
  • PsychoData91 Member Posts: 138
    Yeah, I started off planning for Joe Psychopath to have shotguns rigged to kill someone, and then I thought of a realistic situation and forgot to change it.
  • yzT Member Posts: 365
    Tomorrow I'm going to hand over the report.

    Should I add some sort of disclaimer saying that maybe there are vulnerabilities that weren't identified?
  • joehalford01 Member Posts: 364
    No, that makes it sound like you aren't sure about everything you are doing. Just explain what you did and what you found.
  • yzT Member Posts: 365
    Well... another meeting scheduled!

    Yet I'm not sure if this is what I want LOL! I'm being offered a "jump" of 8~ years in my career, basically skipping all the ladder up and becoming director of a brand new security division.
  • LinuxNerd Member Posts: 83
    yzT wrote: »
    Well... another meeting scheduled!

    Yet I'm not sure if this is what I want LOL! I'm being offered a "jump" of 8~ years in my career, basically skipping all the ladder up and becoming director of a brand new security division.

    Excellent. Good things happen to good people!