Tips for penetration testing

Tips for penetration testing

Learn how to identify and avoid phishing emails with these tips

Some useful tips for getting started with Pentest.

Over the years, cybersecurity has become a major concern for companies and organizations, regardless of their fields, size or revenue, with economic and privacy issues. The pandemic operates a shift to remote working, introducing numerous access management issues. This transition has forced a blazingly fast implementation of solutions (often unstable) and has increased the potential attack surface of your IT system (including endpoints, networks, software but also human practices).

At the same time, pirates became professional, cyberattacks take place on a global scale and companies are at the heart of nationwide conflicts.

In this context, it is no longer possible to wait passively for your turn… 

You must anticipate and prepare yourself by analyzing your system, discovering and fixing your flaws before they are exploited by someone else. This is the penetration testing principle.

Disclaimer:

This article is not about the analysis side of pentesting but is focused on web applications vulnerabilities and aims to introduce testing and exploitation steps.

Penetration testing: a red team philosophy.

Red Team:

A group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. The Red Team’s objective is to improve enterprise cybersecurity by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment.

NIST Definition

No other choice to acquire knowledge about pentesting methods: you have to get your hands dirty to assimilate. Learning how to penetrate a system should not be aimed at becoming a black hat hacker but at understanding the techniques they use to find (and fix) vulnerabilities. That’s why you have to practice imitating the most common hacking techniques.

To do this, we will give you some explanations about resources, tools and concerning the main vulnerabilities .

Find the path to the right resources:

0. Pre-requisites:

There is a multitude of choices among the resources and platforms on the Internet for people who wants to learn more about penetration testing, to the extent that it is sometimes more difficult to find one’s way around and to start an efficient and coherent learning process than to acquire the technical knowledge itself.

Through this article, we will try to advise you on the best course, using our own experience and the advice we have received from our trainers.

It is not mandatory to have specific knowledge pre-requisite, but it is a great help and a way to speed up your learning path. We advise you to be comfortable with Linux and Web, but also to know a programming language such as Python, PHP or Javascript, they could be useful for both comprehension and exploitation of the application you will attack.

1. TryHackMe:

If you have little IT knowledge and a weak technical background, consider starting with TryHackMe but it is optional if you are familiar with IP addresses class, HTTP Protocol, Linux files navigation and main command…

TryHackMe starts with beginner-friendly lessons about Linux operating systems, networks, and the web… You will learn the basics thanks to a set of simple explanations, examples, and a bit of practice.

The learning path could become interesting with opening web intrusion lessons but is stopped by paid section, preventing further progress and generating a lot of frustration.

As there are a lot of paid sections, we recommend rapidly changing to the next resource.

2. Owasp Juice Shop:

Then, you should try OWASP Juice-Shop, a fake online shopping platform you can locally run with NodeJS containing a considerable number of various flaws (for a unique website) representing commons web vulnerabilities (Referenced in OWASP TOP10) like SQL injections, CSRF, bypass, XSS… even some OSINT!

The first challenge is to discover the “hidden” scoreboard page to retrieve the list of challenges, their type, difficulty, and some hints.

In cybersecurity, a challenge is a goal to be reached to prove the exploitation of a vulnerability. It often takes the form of a flag, but can also be the execution of a specific action.

The easiest challenges are accompanied by step-by-step interactive tutorials. Take the time to understand those tutorials, and try to resolve a majority of 1-, 2- and 3-stars challenges. To do this, you will probably need specific tools and additional documentation referred to in the next chapter.

At this point, you have acquired basic vulnerabilities exploitation and you can reach at least 200 points on Root-Me. (see below)

3. Root-Me:

Root-Me is an important set of various challenges: Scripting, Network, Forensic, Web back and front, System… An amount of points is awarded for each resolved challenge according to the level of difficulty. In contrast to OWASP Juice-Shop, the environment of each challenge is unique and isolated, and exercise statements have more mysteries than hints, that’s why it is better to explore Root-me in a second stage. On the other hand, this diversity allows you to outreach your expectations!

Consider having basic scripting knowledge and some previous practice to do more than just the easiest challenges. To achieve more of them you should read both generic and technical related documentation or do web research.

Another interesting feature of Root-Me is the “solution section” where you can discover all the solutions proposed by other challengers. In addition to classic explanations, there are always original ideas to explore, which allows you to change your mindset.

Info: The Root-Me profile score is a great reference on your resume.

Furthermore

There are other interesting platforms and resources such as HackTheBox and the new OpenClassroom course in partnership with Root-Me. We’ll try to investigate and update this article.

In all cases, as it is a training challenge, cheating is awful. Try, think, search for additional documentation or hints (not the response), and rethink. It is also relevant to read more documentation and other resources after resolving, to further anchor learning.

Hack the set of documentation and tools:

Insomnia

Insomnia is an open-source API client for GraphQL, REST, gRPC and SOAP requests. It is a very good alternative to Postman which lets you send multiple types of requests and see the response in the right panel. This software is easy to start with and very powerful. You can save several requests and organize them to save your time and launch test suites. Changing the header and the body is straight and simplifies the testing of APIs.

SQL Map

SQLmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. This tool support (almost) all database management systems and all sqli techniques described below and includes advanced techniques.

BurpSuite

Burp Suite Community edition is a proprietary security toolkit that provides a set of penetration testing tools such as a proxy, a decoder, a comparer and others. This software is a complete learning tool to start with web application security, but for those who want to go further, there is a professional edition that is a standard in the cyber security community.

OWASP ZAP

Zed Attack Proxy (ZAP) is an open-source toolkit for web application security. It is maintained by the well-known Open Web Application Security Project (OWASP) and its community. It provides a web application scanner and a proxy. It can find vulnerabilities automatically in a web application so it is useful during the development of the application and also for penetration testing.

Firefox

Firefox is an open-source browser that provides several developer tools like a console, a network monitor, a debugger and many others. These tools can be very useful for penetration testing and inspecting how a web application works. It is very useful software to send modified requests quickly, but it is not as powerful as a reel API client.

More documentation: Port Swigger

As said before, documentation relative to Root-Me challenges is interesting either as technical culture or as flaws exploitation. However, it has many faults, starting with its lack of clarity, and it would be harmful to do not to take advantage of the bottomless pit of the internet.

If you are a search engine master, any doubt you will find what you are looking for. Nevertheless, we would like to recommend you the Port Swigger website (Burp Suite editor), it is complete, reliable, and efficient documentation. The content is approachable, qualitative, and well illustrated with concrete examples, maintaining consistency for each of the concerned vulnerabilities. You can go deeper into different layers of comprehension and technical subtlety, and train yourselves with a dedicated lab.
Last but not least, Port Swigger offers a handy cheat sheet of each vulnerability for further exploit training or analysis.

Ex: https://portswigger.net/web-security/cross-site-scripting

Exploit most common vulnerabilities:

Here is a non-exhaustive list of common web vulnerabilities we will explore together through the next weeks.

SQL injections:

SQL injection (SQLi) is a set of vulnerabilities that allows an attacker to interfere with the queries that an application makes to its database. Identifying flaws by bypassing authentication is not an end, more information or the whole database can be extracted with the following methods:

  • In-Band: Request and Response are both in the same communication channel

    • Error-based: relies on an error message thrown by the database containing some information about the structure of the database.
    • Union-based: use the UNION operator to combine another request and retrieve some information in the original request response
  • Blind SQL: The response did not contain data from the SQL request. The input validation is based on the resulting web application behavior.

    • Boolean-based: Also called Content-based method, check for an altered response depending on whether the query returns a TRUE or FALSE result
    • Time-based: Same principle as above but using response time instead of response content
  • Out of band SQLi: Use different intermediate between attacker and database

    • is not very common, mostly because it depends on the ability of the attacker to send a query response to a third party

XSS:

There are three main types of XSS attacks. These are:

  • Reflected XSS, where the malicious script comes from the current HTTP request.
  • Stored XSS, where the malicious script comes from the website’s database.
  • DOM-based XSS, where the vulnerability exists in client-side code rather than server-side code.

CSRF:

Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform by letting them execute a forged request to change their password or to make a funds transfer.

SSRF:

Server-Side Request Forgery is similar to CSRF but take place in the back-end of the web application. The attacker forces the server to perform a request to an unintended location, secret files or external services.

Directory traversals:

Directory traversal is a web security vulnerability that allows an attacker to read arbitrary files on the server including application code and data, credentials for back-end systems, and sensitive operating system files.

File uploads:

File uploads are a family of vulnerabilities that is based on bad verification of uploaded files. Generally, the attacker uploads PHP scripts in order to get information from the server or gain privileged access. This script is launched by the server when someone wants to access the file. However, it is not the only threat when it comes to file uploads. When the path of the uploaded file is not verified, the attacker can use a Directory traversals vulnerability and overwrite important files such as server configuration files.

Open redirects:

An open redirect vulnerability occurs when an application allows a user to hijack a redirect or forward from a legitimate domain to an attacker’s phishing site.

 

We hope you will enjoy our journey in security testing…

Nathan & Alan
Security Testing Team