It was the year 2020. People happily read yet another article about how bad it is to open letters from strangers, especially ones with attachments, how dangerous it is to plug dubious flash drives into a computer, and how, in some distant country, hackers moved millions of dollars from one account to another with the click of a finger. Analyst reports stating that 7 out of 10 banks could be hacked by two hackers in a couple of evenings struck people in 2020 as routine. Ordinary users were not even scared: they perceived such news as a separate Marvel universe and occasionally asked an acquaintance who “works with computers” to hack VK. Only security specialists understood that things are not as simple as they seem…
In 2020 the word “pentest” is already familiar to many, and every mature company conducts such work regularly. Some have even built a staff of specialists and test themselves daily. The number of information security tools keeps growing, the best information security practices are distributed for free on the Internet, and information security processes are built according to the best methodologies. At the same time, the idea that nothing can stop hackers still sits in people’s heads: if they need something, they will get it. As a penetration testing specialist myself, I want to talk about this phenomenon today.
“What was a feat for previous generations is normal work for subsequent generations”
About 10-15 years ago, information security was associated with fun: you could hack anything and get away with it. Everything was “full of holes”, but that scared few people. Hackers broke in out of curiosity and bragged about their exploits to friends in a bar. Today, information security is big business: hacking something easily and quickly happens only by luck, and doing it “expertly” is expensive.
The entry threshold for practical information security has risen. Earlier, someone could show up at a customer’s site in less than top form, repeat a couple of techniques seen in online videos, and break into the organization, for example by taking the domain controller; today that no longer works everywhere. Problems arise at every step and in every area, at least partly because the recommendations from previous pentests were actually put into practice. Below I analyze the problems you may run into when starting a pentest.
Internal testing (or disloyal employee)
Take a pentest from the internal network: nowadays it is impossible even to connect to the organization’s network socket. You arrive at the customer, take out the laptop, plug the cable into Ethernet and… nothing. You think you need to bypass the control of connected devices; fine, if it is just a matter of finding a legitimate MAC address somewhere, but what if it is bound to a port? What if the number of MACs per port is limited? What if there is 802.1X (Cisco ISE) with certificates and competent profiling? Then you need to find a domain account with a client certificate, or wedge yourself MITM-style into someone else’s traffic and pretend to be a printer, or proxy through a legitimate host. Feel the difference? This is not the frantic keyboard hammering you see in the movies.
You start scanning the usual subnets (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), all ports are closed or filtered, and then your access disappears entirely. These are our favorite firewalls with properly configured segmentation policies. You slow down and switch to stealthy reconnaissance techniques, but the moment you fire an exploit you get thrown out: the IDS/IPS has caught up with you, and goodbye, unauthorized access.
Suppose you made your way onto a host: then either the antivirus finishes you off or the SIEM flags you, and if you do get a shell, it turns out to have limited rights, all current patches against local privilege escalation (LPE) are installed, and on top of that the lsass.exe process is isolated. Mechanisms for detecting anomalous user behavior have been bolted on, and DLP has been introduced; it may be poorly configured, but your “accountant” running PowerShell on a workstation will be noticed anyway.
If you try to physically attack someone’s PC while its owner is on sick leave, you will find that the BIOS is password-protected and the hard disk is encrypted with BitLocker combined with a PIN code and a TPM module, so nothing can be extracted from the computer.
You obtained an Active Directory domain account and are happy that you can now carry out your favorite attacks on AD: Kerberoasting, AS-REP Roasting, attacks on delegation. No such luck. Everything is taken care of: passwords are not trivial, attacks on the domain are detected by Microsoft ATA, legacy hosts are isolated in a separate domain, and the architecture is built on the Red Forest model, so even compromising the user domain will not give you the desired result.
External Testing (Internet Hacker)
You try to hack something on the external perimeter, and there are already Anti-DDoS and a WAF in place; the application is developed according to SSDLC principles and tested before going to production. Data between client and server is encrypted, and all user input is validated in several ways. Sometimes an application is written in some newfangled framework and wrapped in a pile of enterprise layers; the developers themselves needed six months to figure out how to add a module, so what do you expect to achieve with a week of black-box fuzzing?
Mobile testing (hacker with phone)
Take a mobile application: here the platform itself already protects the unfortunate developers from many ways of shooting themselves in the foot. Cleartext traffic will soon be banned outright. Conscientious developers have shifted their focus to protecting the server side, because if there are no holes on the server, they cannot be exploited from the client. Those who went further mastered the OWASP Testing Guide, learned to detect rooted devices and implemented SSL pinning. And that is it: the impact of the remaining shortcomings is negligible.
Wi-Fi (hacker with Wi-Fi adapter)
There is no particular point in discussing this. Either WPA2-Enterprise with client certificates is used, or it is not. Now WPA3 is coming, where even management traffic is encrypted and the session key is reliably protected. At first, of course, there will be implementation errors, but those are no longer flaws of the protocol as a whole.
One more, additional factor: all security tools are now merging into a single ecosystem, and when you touch one edge, the whole web starts shaking. One look at the Cisco and Microsoft families of solutions, and I, as a pentester, am already frightened by how painful attempts at covert work will be in the coming years. Moreover, “auto-pentest” products are appearing on the market, for example PenTera or Cymulate, which will soon start taking part of the pentester’s bread. And ahead are infosec startups with machine learning, neural networks and pseudo-AI. So far it all looks raw, but give it a couple more years…
Someone will say that this is an idealized picture and there will always be holes. I will answer that, watching how information security matures in companies, I conclude that in two years the “cost” of a breach will be quite high even for experienced specialists. I think that in the near future hacking a bank remotely will be as rare as physically robbing one in 2020 (how many recent successful cases do you know of?).
What did I end up with? Security is becoming more complex, and perhaps in the future problems in this area will be better controlled. But should we just close our eyes and wait for that future to arrive? No, we must take steps to build that very future.
5 tips for companies
- Use the “gray box” approach in pentests more often.
Everyone is already tired of scanning your hosts with nmap and Nessus, then determining software versions, bumping into a pile of security tools and trying to detect and bypass them by their telltale signs. As a result, the lion’s share of the time goes into routine work that is neither profitable for you nor interesting for the technical specialists. Think through the intruder model and realistic timeframes, provide accounts and instructions for working with the system, consult the specialists doing the work, and genuinely want to be hacked and have every pitfall revealed. Use a new intruder model and starting point each time, approach from all sides or from each component; only this way will you build defense in depth.
There is such a joke: 10 pentesters will not be able to withdraw even one ruble, even if all the bank’s servers are hacked. This is partly true, because here you need a person who understands the software of a particular bank, works with it every day, and not an expert on hacking from the outside.
- Allow more time for pentests.
Historically, a pentest (in one direction) takes one to two weeks, which already makes the objectivity of any such work extremely low. Vulnerabilities do not always surface in so short a time. The interval needs to be increased so that specialists can do thorough analytical work.
- Try Red Teaming or continuous pentesting.
When you hire a new administrator, how much time does he need to get up to speed? A few months? And that is only for his own range of tasks; what about pentesters, who are expected to come, see and conquer in a couple of weeks? This is what Red Teaming is for: to give the “attacking” specialists time commensurate with what real attackers spend on an attack (3-9 months).
- Develop an internal team.
If there are enough resources, it is even better to develop your own team: these people will be able to build a matrix of connections and components and systematically test each element, something no external organization can do.
- Build an ecosystem.
Many disparate security tools lead to nothing good. Logging into 100,500 web panels and watching events is not the most effective solution. Build the system from the start so that each component enriches the others and they all work in concert.
What a beginner pentester should do
- Level up your qualifications faster.
The entry threshold grows every day. It is time to stop reading articles about Bug Bounty payouts for a password found on GitHub and collecting points in CTFs; it is time to start working seriously. Deploy virtual machines, build virtual infrastructure with enterprise-grade security tools, and go ahead and break into them.
- Think about your specialization and concentrate on it.
You can no longer be an expert in everything. Choose the areas you like and study them first. If you try to master everything at once, you will not have the time. I have thousands of unread messages in Telegram channels and as many on Twitter. By the time you have read only the infosec news of the past day, your “mental fuel” is already spent and your brain is simply overloaded.
- Be with the community.
Form a professional circle: doing things together is far more effective than sitting alone in a closet. In films a lone hacker cracks the world, but in reality there is an APT with clear roles and tasks for everyone: one scans, another exploits, a third analyzes, a fourth withdraws the money. Be open and share knowledge, because others have already done a hundred times what you are planning, and conversely, you can help them cut down on routine and free up time for creativity.
What to do for ordinary users
It is unlikely that you are reading this article, but still. Security is under control: do not sit around waiting for things to change, come up with a decent password, take an information security awareness course and simply follow its advice. Believe me, it is not hard.
I wrote this article not to show that everything is fine in information security, but to show that it is not as bad as many are used to thinking. Negative news lets us develop and become better, but answer honestly: are we safer than 10 years ago? And if not, which of you can hack, for example, VK: not a user account, not an XSS, but the whole infrastructure?