Pen test report example - worth reading for anyone in IT.
This is worth reading, even if you are not in itsec, or maybe especially if you are not in security. A well written case study that shows how a cascading series of vulnerabilities is leveraged into completely owning a company.
Penetration Test Report 2013
Comments

--chris-- (Member, 1,518 posts):
Their server must be getting pounded; it's taken 5+ minutes to d/l half of the file. Thanks for the link though!

CoolAsAFan (Member, 239 posts):
Thanks for the share!

Master Of Puppets (Member, 1,210 posts):
I already downloaded it and started going through it. Nice read indeed!

Vask3n (Member, 517 posts):
Thank you for the link, this is a great document with nice screenshots.

bermovick (Member, 1,135 posts):
This is ... amazingly impressive stuff and makes me want to get into pentesting so much.

LarryDaMan (Member, 797 posts):
Thanks, nice read. Patch. Patch. Patch. Unless your company is a specifically intended target, most attackers will simply move on to an easier target if you've patched up all vulnerabilities with known exploits.

Roguetadhg (Member, 2,489 posts):
Nice. I like this already. Rep given.

--chris-- (Member, 1,518 posts):
Good read. I knew very little of the technical detail, but I can see what happened and how to avoid it.
It makes me wonder though, to be successful in info security should you also be comfortable with programming languages? I see mentions of modifying off the shelf programs to suit their needs.

lsud00d (Member, 1,571 posts):
Some pretty cool techniques...I like seeing the progression of the pentest. Thanks for sharing!

boredgamelad (Member, 365 posts):
I wouldn't say programming is necessary to be successful. You can get pretty far with a respectable level of networking and web application knowledge (how they work, not necessarily how they're written), knowing the right tools to leverage and when, and knowing how to get the most out of those tools.
However, if you want to get to the next level--to be the type of security pro that people know by name--you should definitely have some programming knowledge and be pretty damn good at it. Particularly if you want to get deep into apps or systems discovering your own zero day attacks and writing exploits/POCs for them, or modifying scripts that others have written for a particular exploit that you've discovered, or writing your own tools from scratch.
I have a few things to say about this report, that will maybe serve as a wake up or shock to the system for people reading this that want to get into penetration testing but think they can't or don't know enough to make it. Now, as a caveat, I don't purport to be an expert penetration tester, but these are some of my observances having been in the trade for about 6 months and my thoughts reading this report.
1.) These victories are less common than you might think. I say this not because these types of attacks are impossible or terribly difficult to pull off, but because you will often be restricted by the companies you are targeting in how far you can go and stay within scope. Many penetration tests are done for compliance and not for impact (as OffSec notes on the last page of their report). AFAIK they don't do this type of pentesting but we often do (hey, it pays) and find ourselves limited in the types of attacks we can attempt/vulnerabilities we can exploit. Many times I've been on the verge of being able to completely take down a system only to learn that since it's a production webserver that actually taking it over is not acceptable, etc. etc. This all goes in the report but it's frustrating to get so far and then be stopped.
Now, if you can actually get contracts that let you test for impact... well, let me just say that they're a lot of fun and can make you feel like
2.) The attack scenario in this report is not terribly advanced. I'm not trying to badmouth OffSec when I say this. They are far more experienced than I am so I am not trying to say anything about their skills and I know the point of this report is to show what a successful pentest looks like, not necessarily to show off their latest and greatest skills and tools. What I'm trying to get across for people who might read this and say "wow, that's so advanced, I could never do that/it would take me forever to learn how to do that" is this: the procedure depicted is relatively straightforward and you could learn how to do all of this in a few months once you know the right tools. This report should encourage anyone who is interested in pentesting because it shows how a few simple techniques can be used to fully compromise a network.
3.) Note that there was not much programming knowledge needed to pull off the attacks shown. Of the 5 dedicated penetration testers at my company, only 2 of them come from programming backgrounds, but we've all had successes similar to this (I was able to open a reverse shell on my first real pentest, for example). Being successful means knowing when to use a script/tool/etc., when to craft or modify your own, knowing what to look for when targeting systems and recognizing vulnerabilities (known or unknown), etc. We each have our strengths and weaknesses so don't think you have to be an expert at taking down all types of systems and environments to make it as a pentester. This isn't to say that you won't be more successful more often if you know more, but to say that the barrier for entry is probably not as high as you think it is.
4.) There's a lot of writing. Not much to say here. You write a lot to put together a report like this, particularly if you're successful. While it can be fun to write about your exploits, it can also be quite tiring and in some cases take longer than the actual test itself.
That being said, it's a great report and very well written. It's an example of the type I'd rather be writing than the ones we do now. Going to have to show this one to our lead and see if we can't change up our template a little bit...

coffeeluvr (Member, 734 posts):
Thanks for sharing!!!

YFZblu (Member, 1,462 posts):
Brute forced the admin page of a web server, using a dictionary made up of words from the web server itself. Awesome.
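The step the thread admires above, guessing an admin login with a wordlist built from the site's own pages, defeats "common password" blocklists but still leaves the plainest trace there is: a burst of failed POSTs to one login path from one source, usually followed by a redirect when a guess lands. The detector below is an added example written for this thread, not code from the OffSec report or from anyone in the discussion. It parses combined-format access logs and flags that pattern; the log lines, the IP addresses, the `/admin/login` path and the assumption that bad credentials get a 401/403 are all constructed for the example and would need adjusting to a real application.

```python
"""Flag password-guessing bursts against an admin login page in web access logs.

Added example for this thread; not from the OffSec report. The log lines,
addresses and the /admin/login path below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_login_bursts(lines, login_path="/admin/login", threshold=5,
                      window=timedelta(seconds=60), fail_statuses=(401, 403)):
    """Return {ip: info} for sources that sent `threshold` or more failed POSTs to
    `login_path` within any sliding `window`. A 302/303 from a flagged source
    after its burst is recorded as `succeeded_after_burst`, since a redirect
    following many failures is what a guess that finally worked looks like.

    Assumption: the application answers bad credentials with 401 or 403. Many
    apps re-render the form with 200 instead; adapt `fail_statuses` for those.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    total = defaultdict(int)      # ip -> all failures seen
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != login_path:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["status"] in fail_statuses:
            total[ip] += 1
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                flagged.setdefault(ip, {"first_seen": q[0], "succeeded_after_burst": False})
        elif ev["status"] in (302, 303) and ip in flagged:
            flagged[ip]["succeeded_after_burst"] = True
    for ip in flagged:
        flagged[ip]["failures"] = total[ip]
    return flagged


# Constructed sample: one user who mistypes once, and one source that guesses
# seven times in twelve seconds and is then redirected (a successful login).
SAMPLE_LOG = "\n".join(
    ['198.51.100.5 - - [10/Sep/2013:08:00:01 +0000] "GET /admin/login HTTP/1.1" 200 1423 "-" "Mozilla/5.0"',
     '198.51.100.5 - - [10/Sep/2013:08:00:09 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
     '198.51.100.5 - - [10/Sep/2013:08:00:21 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"']
    + ['203.0.113.7 - - [10/Sep/2013:08:05:%02d +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "python-requests/2.0"' % s
       for s in range(0, 14, 2)]
    + ['203.0.113.7 - - [10/Sep/2013:08:05:14 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "python-requests/2.0"']
)

if __name__ == "__main__":
    for ip, info in find_login_bursts(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The two counters matter: the sliding window decides whether to raise an alert at all, while the running total and the redirect flag tell a responder how far it got. Pairing this with rate limiting or lockout on the login path removes most of what the technique relies on, and a site-derived wordlist does nothing to change the timing signature the detector keys on.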