by Natsuya Uesugi
An ethical hacker is someone who hacks into systems looking for security vulnerabilities and helps companies or institutions protect themselves.
Questions Ethical Hackers Ask
- What computer assets are in scope?
- Does it include all computers and operating systems, mobile devices, cloud services and applications?
- Can the pentest include automated vulnerability testing?
- Should the professional attackers (red team) try to break in without being detected by the defenders (blue team), or should they use the normal methods real intruders might use?
- Is social engineering allowed, and if so, which methods?
- On what dates will pentesting be allowed, and at what times, days or hours, so that outages are avoided?
- Should pentesters avoid causing the outages or service interruptions a real hacker would cause?
- Will the penetration test be black box (no details given) or white box (inside knowledge of the attacked systems)?
- Will security defenders be told of the pentest?
Ask these questions regarding the goals of the penetration test.
- Is DDoS in scope?
- Is this simply to show you can break into the computer or device?
- Is accessing a target machine and getting data out the goal, or just gaining privilege?
- Should the test include all failed and successful attempts?
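The scoping questions above boil down to three things a tester must know before touching anything: which assets are in scope, which activities are authorised, and when testing may happen. The following is an added example, not code from the article or its author, that encodes those answers as a rules-of-engagement check that denies by default. The networks, hostnames, activity names and testing windows are constructed sample values.

```python
"""Rules-of-engagement (RoE) checker for a penetration test.

Added example, not part of the original article. It turns the scoping
questions (in-scope assets, allowed activities, allowed time windows)
into a check a tester can run before every action. All hosts, networks,
activity labels and times below are constructed sample values.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
import ipaddress


@dataclass
class RulesOfEngagement:
    in_scope_networks: list = field(default_factory=list)  # CIDR strings the client authorised
    in_scope_hosts: set = field(default_factory=set)       # hostnames the client authorised
    allowed_activities: set = field(default_factory=set)   # activity labels agreed with the client
    windows: list = field(default_factory=list)            # (weekday, start, end); weekday 0 = Monday

    def asset_in_scope(self, target: str) -> bool:
        """True if target is an in-scope hostname or an IP inside an in-scope CIDR."""
        if target in self.in_scope_hosts:
            return True
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            return False  # unknown hostname, not an IP: out of scope by default
        return any(addr in ipaddress.ip_network(net) for net in self.in_scope_networks)

    def time_allowed(self, when: datetime) -> bool:
        """True if `when` falls inside one of the agreed testing windows."""
        return any(
            when.weekday() == day and start <= when.time() <= end
            for day, start, end in self.windows
        )

    def check(self, target: str, activity: str, when: datetime) -> tuple:
        """Decide whether an action may proceed; deny by default, with a reason."""
        if not self.asset_in_scope(target):
            return False, f"{target} is not an in-scope asset"
        if activity not in self.allowed_activities:
            return False, f"activity '{activity}' is not authorised"
        if not self.time_allowed(when):
            return False, f"{when.isoformat()} is outside the agreed testing window"
        return True, "authorised"


# Constructed sample engagement: one internal /24 and one external host,
# scanning, exploitation and lateral movement allowed, DDoS and social
# engineering not, testing allowed Tuesday and Wednesday 22:00-23:59 only.
SAMPLE_ROE = RulesOfEngagement(
    in_scope_networks=["10.20.30.0/24"],
    in_scope_hosts={"portal.example.test"},
    allowed_activities={"vuln-scan", "exploit", "lateral-movement"},
    windows=[(1, time(22, 0), time(23, 59)), (2, time(22, 0), time(23, 59))],
)


def demo() -> list:
    """Run a few constructed requests through the sample RoE."""
    tue_night = datetime(2024, 3, 5, 22, 30)  # a Tuesday, inside the window
    mon_noon = datetime(2024, 3, 4, 12, 0)    # a Monday, outside the window
    return [
        SAMPLE_ROE.check("10.20.30.17", "vuln-scan", tue_night),        # allowed
        SAMPLE_ROE.check("10.20.31.5", "vuln-scan", tue_night),         # wrong network
        SAMPLE_ROE.check("portal.example.test", "ddos", tue_night),     # activity not agreed
        SAMPLE_ROE.check("portal.example.test", "exploit", mon_noon),   # outside window
    ]


if __name__ == "__main__":
    for ok, reason in demo():
        print("ALLOW" if ok else "DENY ", reason)
```

The deny-by-default ordering matters: an unresolved hostname or an address just outside the agreed CIDR is refused before any activity or time question is asked, which is the mistake that most often turns a sanctioned test into an unauthorised one.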
The Discovery Phase: Knowing The Target
Penetration testers begin asset hacking by learning as much as they can about their target, setting aside social engineering techniques. The tester will want to know IP addresses, operating systems, applications, versions, patch levels, network ports, users and anything else that may lead them to “get inside.” Pentesters can spend a short time looking at an asset and find multiple ways to get in. At a minimum the obvious weaknesses stand out, and the information gathered can be used to find other vulnerabilities to exploit.
The Exploitation Phase: Breaking in
Pentesters or ethical hackers are paid to “break in.” Using the information learned in discovery, the pentester needs to exploit a vulnerability to gain unauthorized access. If the hacker can’t break into a particular asset, they need to try other in-scope items. If the pentester has done their discovery job, they should find an exploit. The defender, on the other hand, will need to close all the holes found.
Depending on the vulnerability and exploit, the gained access may require enhanced privilege which can turn a normal user’s rights into that of an administrator. This can require further exploits after the attacker gains access.
Automation can be used during exploitation, including vulnerability scanning applications. These applications find the vulnerabilities but do not exploit them.
After finding the vulnerabilities, the pentester performs the agreed-upon action or reaches their ultimate destination. The tester can stay within the system or move horizontally or vertically, depending on whether the attacker moves within the same system or outward to unrelated systems. Sometimes just “getting the data” is enough for a successful test.
The Documentation Phase
Once the test is performed it needs to be documented thoroughly. Screenshots, reports and assets, as well as activities, are logged. A detailed listing of actions taken and their results is used when the defenders work on fixing the vulnerable holes.
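A listing of actions and results is only useful to the defenders if they can trust it was not edited after the engagement, and if failed attempts (which the scoping questions ask about) survive alongside the successful ones. The following added example, not code from the article or its author, keeps each action as a JSON record whose hash chains to the previous record, stores evidence such as screenshots by SHA-256 rather than inline, and shows that editing a record after the fact breaks verification. The targets, actions, timestamps and evidence bytes are constructed.

```python
"""Tamper-evident activity log for the documentation phase.

Added example, not from the original article. Every action the tester takes
(target, action, result, optional evidence) is appended as a JSON record whose
hash covers the previous record's hash, so the final listing can be shown to
be complete and unaltered. All entries below are constructed sample data.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ActivityLog:
    GENESIS = "0" * 64  # chain anchor for the first record

    def __init__(self):
        self.records = []

    def record(self, target: str, action: str, result: str,
               evidence: bytes = b"", when: Optional[datetime] = None) -> dict:
        """Append one action. Evidence (e.g. a screenshot) is referenced by hash."""
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        entry = {
            "seq": len(self.records),
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "target": target,
            "action": action,
            "result": result,
            "evidence_sha256": _digest(evidence) if evidence else None,
            "prev": prev,
        }
        # Hash the canonical JSON of everything except the hash field itself.
        entry["hash"] = _digest(json.dumps(entry, sort_keys=True).encode())
        self.records.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False if any record was edited, reordered or removed."""
        prev = self.GENESIS
        for seq, entry in enumerate(self.records):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != seq or entry["prev"] != prev:
                return False
            if _digest(json.dumps(body, sort_keys=True).encode()) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def report(self) -> str:
        """Plain-text action listing for the defenders who will fix the findings."""
        lines = []
        for e in self.records:
            ev = f" evidence={e['evidence_sha256'][:12]}..." if e["evidence_sha256"] else ""
            lines.append(f"[{e['seq']}] {e['time']} {e['target']}: {e['action']} -> {e['result']}{ev}")
        return "\n".join(lines)


def build_sample_log() -> ActivityLog:
    """Constructed engagement log: one failed and one successful attempt are both kept."""
    log = ActivityLog()
    t0 = datetime(2024, 3, 5, 22, 5, tzinfo=timezone.utc)
    log.record("10.20.30.17", "service version scan",
               "outdated web server version observed", when=t0)
    log.record("10.20.30.17", "exploit attempt against web server",
               "failed, request blocked", when=t0.replace(minute=20))
    log.record("10.20.30.17", "exploit attempt (second)",
               "shell as unprivileged user",
               evidence=b"PNG screenshot bytes (constructed)", when=t0.replace(minute=41))
    return log


def tamper_demo() -> tuple:
    """Show that rewriting a record after the fact breaks verification."""
    log = build_sample_log()
    before = log.verify()
    log.records[1]["result"] = "succeeded"  # someone rewrites the failed attempt
    return before, log.verify()


if __name__ == "__main__":
    print(build_sample_log().report())
    print("verification before/after tampering:", tamper_demo())
```

Storing only the evidence hash keeps screenshots and captured data out of the report itself, which matters when the report is shared more widely than the raw evidence; the hash still lets a defender confirm that the file they are handed is the one the tester recorded.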
Ethical Hacking Tools
Penetration testers use standard sets of hacking tools, and obtain additional tools depending on the job. Most penetration testers use a Linux distribution specialized for penetration testing. Kali Linux is a popular choice and ships with thousands of hacking tools.
The most important fact about a tool is that it needs to be right for the job. Make sure it does not include malware or tools to “hack the hacker.” The majority of freeware hacking tools on the internet include malware and undocumented backdoors. Common tools are better, and the more popular hacking tools, like Nmap, can be trusted. Many pentesters write and use their own tools because they know those are safe and they don’t trust anyone else’s.
The Evolution of Ethical Hacking
Professional pentesting is maturing. Employers are looking for the complete professional hacker with toolsets and practice.
Penetration and vulnerability testing software is part of an ethical hacker’s tools. Tools are now automated for some jobs.
Professional hackers must not just turn in a list of vulnerabilities. They must identify the threats, work with IT management on them, and be part of risk management, helping to reduce risk rather than just finding vulnerabilities. Ethical hackers add value by showing management and defenders what will likely happen and how a real-life intruder would go about exploiting these weaknesses.
Professional penetration testing is not a job for everyone. It requires expert-level knowledge of different technologies and platforms, as well as a desire to see something broken past the normal boundaries of IT. You can be a professional hacker if you have the skills, follow the legal rules, and go at it just as intruders would, while helping to close the gaps in systems.