Pen test report example - worth reading for anyone in IT.

wes allen

This is worth reading, even if you are not in itsec, or maybe especially if you are not in security. A well written case study that shows how a cascading series of vulnerabilities is leveraged into completely owning a company.

Penetration Test Report 2013

MrAgent

Nice find!

--chris--

Their server must be getting pounded, its taken 5+ minutes to d/l half of the file. Thanks for the link though!

CoolAsAFan

Thanks for the share!

Master Of Puppets

I already downloaded it and started going through it. Nice read indeed!

Vask3n

Thank you for the link, this is a great document with nice screenshots.

bermovick

This is ... amazingly impressive stuff and makes me want to get into pentesting so much.

LarryDaMan

Thanks, nice read. Patch. Patch. Patch. Unless your company is a specifically intended target, most attackers will simply move on to an easier target if you've patched up all vulnerabilities with known exploits.

Roguetadhg

Nice. I like this already. Rep given.

--chris--

Good read. I knew very little of the technical detail, but I can see what happened and how to avoid it.

It makes me wonder though, to be successful in info security should you also be comfortable with programming languages? I see mentions of modifying off the shelf programs to suit their needs.

lsud00d

Some pretty cool techniques...I like seeing the progression of the pentest. Thanks for sharing!

boredgamelad

I wouldn't say programming is necessary to be successful. You can get pretty far with a respectable level of networking and web application knowledge (how they work, not necessarily how they're written), knowing the right tools to leverage and when, and knowing how to get the most out of those tools.

However, if you want to get to the next level--to be the type of security pro that people know by name--you should definitely have some programming knowledge and be pretty damn good at it. Particularly if you want to get deep into apps or systems discovering your own zero day attacks and writing exploits/POCs for them, or modifying scripts that others have written for a particular exploit that you've discovered, or writing your own tools from scratch.

I have a few things to say about this report, that will maybe serve as a wake up or shock to the system for people reading this that want to get into penetration testing but think they can't or don't know enough to make it. Now, as a caveat, I don't purport to be an expert penetration tester, but these are some of my observances having been in the trade for about 6 months and my thoughts reading this report.

1.) These victories are less common than you might think. I say this not because these types of attacks are impossible or terribly difficult to pull off, but because you will often be restricted by the companies you are targeting in how far you can go and stay within scope. Many penetration tests are done for compliance and not for impact (as OffSec notes on the last page of their report). AFAIK they don't do this type of pentesting but we often do (hey, it pays) and find ourselves limited in the types of attacks we can attempt/vulnerabilities we can exploit. Many times I've been on the verge of being able to completely take down a system only to learn that since it's a production webserver that actually taking it over is not acceptable, etc. etc. This all goes in the report but it's frustrating to get so far and then be stopped.

Now, if you can actually get contracts that let you test for impact... well, let me just say that they're a lot of fun and can make you feel like

2.) The attack scenario in this report is not terribly advanced. I'm not trying to badmouth OffSec when I say this. They are far more experienced than I am so I am not trying to say anything about their skills and I know the point of this report is to show what a successful pentest looks like, not necessarily to show off their latest and greatest skills and tools. What I'm trying to get across for people who might read this and say "wow, that's so advanced, I could never do that/it would take me forever to learn how to to that" is this: the procedure depicted is relatively straightforward and you could learn how to do all of this in a few months once you know the right tools. This report should encourage anyone who is interested in pentesting because it shows how a few simple techniques can be used to fully compromise a network.

3.) Note that there was not much programming knowledge needed to pull off the attacks shown. Of the 5 dedicated penetration testers at my company, only 2 of them come from programming backgrounds, but we've all had successes similar to this (I was able to open a reverse shell on my first real pentest, for example). Being successful means knowing when to use a script/tool/etc., when to craft or modify your own, knowing what to look for when targeting systems and recognizing vulnerabilities (known or unknown), etc. We each have our strengths and weaknesses so don't think you have to be an expert at taking down all types of systems and environments to make it as a pentester. This isn't to say that you won't be more successful more often if you know more, but to say that the barrier for entry is probably not as high as you think it is.

4.) There's a lot of writing. Not much to say here. You write a lot to put together a report like this, particularly if you're successful. While it can be fun to write about your exploits, it can also be quite tiring and in some cases take longer than the actual test itself.

That being said, it's a great report and very well written. It's an example of the type I'd rather be writing than the ones we do now. Going to have to show this one to our lead and see if we can't change up our template a little bit...

coffeeluvr

Thanks for sharing!!!

YFZblu

Brute forced the admin page of a web server - using a dictionary made up of words from the web server itself - Awesome