A vulnerability scan doth not a penetration test make. OK, we’ve all felt the disappointment of reading a rebadged Nessus scan dressed up as a full-blown penetration test in the past, but it’s simply not the same thing, and simply isn’t meant to be.
Don’t get me wrong, vulnerability assessments alone can have massive value, particularly when you need a snapshot of a large number of hosts, or a regular review of rectification progress across an entire estate. But vulnerability scanning also has a number of limitations, not least the inability to assess the risk of chaining multiple vulnerabilities, or to intelligently weed out false positives, of which there are often many.
To move our vulnerability assessment up a notch, we’re going to need to add some additional tools to our arsenal. The good news is that many of them are free; the bad news is they may not be as point-and-click as you are used to. I’m going to talk about specific penetration testing tools here, but if you want a great penetration testing Linux distribution to install and learn these tools on, you could do a lot worse than Kali Linux.
Can’t find the budget for a vulnerability scanner? Good news: there’s a good, open source and freely available tool called OpenVAS. A fork of the previously open source Nessus project, OpenVAS has a number of similarities to earlier versions of Nessus, but has been continually updated with new checks to find a myriad of potential vulnerabilities. Reports can be exported in both human- and machine-readable formats, and a number of third-party extensions and plugins exist to expand its capabilities further.
The original exploit arsenal, Metasploit (which comes in free community and commercial GUI flavours), allows you to take your Nessus/OpenVAS/whatever vulnerability scans up a gear to actual exploitation. Covering a myriad of systems and applications, and growing all the time, Metasploit is the must-have exploitation tool. The value of exploitation in a penetration test is twofold. Firstly, it demonstrates that the vulnerability is exploitable in a real-world scenario (many vulnerabilities remain largely theoretical, due to exploit complexity). Secondly, it gets attention. Show a C-level exec the reference MS08-067 in a report and watch their eyes glaze over. Exploit the vulnerability, show them a screenshot from the FD’s machine containing a confidential report and their password, and bask in the glow of realisation.
Unfortunately, the security world carries a bit of a stigma against Windows-based tools, which is a shame, as some of them are fantastic. Cain & Abel is one of them. It’s difficult to cover all the ways in which this tool can help you. Need to intercept some RDP traffic via ARP poisoning in order to capture keystrokes? Cain does that. Need to intercept and record some VoIP traffic via the same method? No problem. Need to dictionary attack a Windows SAM file? Sorted. I have lost count of the number of times Cain has been the difference between having no access and Domain Administrator privileges.
Comprehensively testing a web application for vulnerabilities can be a deeply involved process. While simple aspects such as looking for default and predictable files can be automated, there is simply no avoiding that a lot of web app vulnerabilities, such as business logic flaws, require manual intervention. Burp Suite, which comes in free and highly affordable Pro flavours, provides the tools for both automated and manual assessment. From an initial automated spider and scan of your web application, through to a man-in-the-middle proxy for the capture, modification and transmission of browser requests, Burp Suite is a great tool for tearing web applications apart to see exactly how they tick.
When it comes to cracking passwords, a good dictionary can be priceless. Unfortunately, many of the older dictionary files floating around the Internet are based on, well, dictionaries, which can make them somewhat “sterile”. When rockyou.com was hacked in 2009, 32 million real-world passwords were leaked onto the Internet. These are real passwords, chosen by real people. This makes the list an absolute favourite for password cracking, before resorting to slower brute-force attacks. It works very well with Cain & Abel, mentioned above.
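The flip side of the rockyou point, for the defender: a password that satisfies a typical complexity policy can still be a leaked entry with a digit and a symbol bolted on, which is exactly the first thing a dictionary attack with mangling rules tries. This added example (not code from the original post) screens candidate passwords against a wordlist, de-mangling common suffixes and leet substitutions the way a cracking tool would, and sizes the brute-force search space that remains once the dictionary fails. The wordlist is a constructed seven-line stand-in for rockyou.txt, and the complexity policy and the mangling rules are assumptions.

```python
import re
import string

# Constructed stand-in for a leaked-password wordlist such as rockyou.txt.
# The real file has tens of millions of lines; the format is the same.
SAMPLE_WORDLIST = """\
123456
password
iloveyou
princess
rockyou
letmein
qwerty
"""

# Assumed leet substitutions that cracking rules routinely undo.
LEET = str.maketrans("@0314$57", "aoeiasst")


def load_wordlist(text: str) -> set[str]:
    """Parse a newline-separated wordlist into a set of lowercase entries."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def base_form(password: str) -> str:
    """Undo the cheapest mangling: lowercase, drop a trailing digit/symbol
    suffix, then reverse leet substitutions. 'P@ssw0rd1!' -> 'password'."""
    stripped = re.sub(r"[0-9!@#$%^&*]+$", "", password.lower())
    return stripped.translate(LEET)


def meets_complexity(password: str) -> bool:
    """Assumed corporate policy: 8+ characters with upper, lower and digit."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


def in_wordlist(password: str, wordlist: set[str]) -> bool:
    """True if the password, or its de-mangled base, is a leaked entry."""
    return password.lower() in wordlist or base_form(password) in wordlist


def brute_force_keyspace(password: str) -> int:
    """Size of the search space a brute-force attack must cover, based on
    the character classes actually present in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size ** len(password)


def audit(password: str, wordlist: set[str]) -> dict:
    """Combine the three checks; a policy-compliant password that is
    in_wordlist is the case the complexity rule alone would miss."""
    return {"complexity_ok": meets_complexity(password),
            "in_wordlist": in_wordlist(password, wordlist),
            "keyspace": brute_force_keyspace(password)}
```

Run `audit("P@ssw0rd1!", load_wordlist(SAMPLE_WORDLIST))` to see a policy-compliant password flagged as a leaked entry; compare with a random 12-character string, which passes the wordlist check and leaves a 94^12 keyspace for brute force.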
There is no panacea. By combining a small number of best-of-breed tools, we can extend our vulnerability assessment efforts considerably. In Part 2 of this blog post, we’ll take a look at some of the more advanced security tools, which include PowerShell, AV evasion, and a number of post-exploitation favourites that can make escalating even the most limited privileges a snap.