Many audits use penetration tests to gather information about a company’s security posture. In this video, you’ll learn about pentesting perspectives, reconnaissance techniques, and more.
We often think of penetration testing as something that’s done over the internet in a digital form. But physical penetration testing can be an important security tool. That’s because it’s exceptionally easy to circumvent the security of an operating system if you have physical access to the device. You can modify the boot process. You can boot from other media that you might bring. Or you can modify or replace the files associated with that operating system.
This is why our servers tend to be locked inside of a highly secure data center because physical security is so important. So if a company participates in a physical penetration test, they’re going to try to gain access to your physical facility. They’ll try to enter the building without a key. They’ll try to see what type of access might be available inside the building. And they’ll try every possible way to gain access. They’ll try the doors, the windows, elevators, and anything relating to physical security of your location.
We tend to think of penetration testing as an offensive action. But there are many nuances to pen testing. Obviously, there is an aspect to pen testing that is on the offense. This is a group of people that’s called the red team, and they attack systems, they look for vulnerabilities, and they attempt to exploit those vulnerabilities. But there’s also a defensive side to pen testing. This would be the blue team that is able to identify the attacks coming in real time and block any of these attacks from occurring.
The best combination would be to integrate these two teams together to have a system that is constantly providing feedback on itself. You’ll have the red team constantly attacking systems. And when they identify an opening, they pass that information to the blue team to be able to patch it and better identify it next time.
The individuals performing the penetration tests may have different types of information depending on the test that’s occurring. And depending on what you know about the environment, you may use different techniques during the penetration test itself. For example, an organization may provide the pen tester with a known environment. This is full disclosure of all of the systems that we’ll be attacked during this penetration test.
There may be times when only some of that information is provided to the pen tester. This would be a partially known environment, which is a mix between the known environment and the unknown environment. This is often used when you want the pen testers to be sure to attack certain systems within your environment. And of course, there is the unknown environment where no information is provided to the pen tester and they have to find all of the information on their own. You’ll often hear this referred to as a blind test.
Even when all of the information is provided to the pen tester, there’s still information that needs to be gathered before making any type of attack. The reconnaissance processes used by the pen tester to gather as much information as possible about the environment. This allows them to understand exactly what security tools might be in place, what servers might be installed, and what applications might be running on those servers.
This allows the pen testing team to identify the key systems that may be in an infrastructure and focus their efforts on gaining access to those individual devices. Once they’re done with the reconnaissance, they can build out an entire network map, IP address configuration, the list of all the networks in the infrastructure, and understand better how they’re connected to any of their remote sites.
This reconnaissance process may not start with connecting to the customer’s network. Instead, they may be using other sources to gather information about what they might find. We refer to this as passive reconnaissance because we’re gathering information from sources that don’t tie us directly back to the customer’s network.
A good example of these might be finding information on social media about the customer’s networks. There might be details on a corporate website where you can browse and learn more about the company. There might be online forums or Reddit posts that can gather information about what’s in that company’s infrastructure. You could also perform social engineering to try to get information out of people who may work in the company. And of course, you might go dumpster diving to find documents that may have been thrown out in the trash. You could also talk to third-party companies that do business with that organization to learn what they might know about that customer’s infrastructure.
Active reconnaissance is a much more direct way to gather information because you’re going into the network and querying devices that might be there. With active reconnaissance, we can be easily seen on this network because we’re sending packets across their network, and very often the evidence that we were there is stored in log files that may be on a firewall or some other device.
An example of active reconnaissance might be a ping scan or a port scan of a device, perhaps a DNS query to the corporate DNS server, or maybe someone performing operating system scans or operating system fingerprinting. Any time you’re looking into individual services on a device or you’re performing some type of version scan, you are certainly performing active reconnaissance.