Having worked with such a large number of our customers in both technical support and training has really shed some light on the truths of commercial penetration testing. The reality we face is that even the most advanced pen testers who currently hold security related positions in organizations, large or small, are only getting to unleash about 10% of what they are actually capable of. With exceptions of course, the focus of many security teams appears to be based on achieving compliance. With compliance being the driving force behind the implementation and use of these security tools, it’s fair to say that these testers are only getting to unleash a tiny portion of the features and capabilities that these tools have to offer.
Every now and then, a familiar request comes up in conversation: modularization. My enthusiasm on this particular subject comes from a recent discussion regarding the use of IMPACT *solely* for Client-Side testing. First off, let’s take *any* client-based attack that has happened over the past few years. Obviously, client attacks are becoming more advanced and more calculated, and the technology behind them is evolving at a scary rate from an increasingly large number of sources. Sure, we can factor in things like current events or the economy as motivation, but in the end, everyone everywhere is facing more client-based attacks. These attackers are not stopping at the client, though; that would be pointless for them. All that work and no play makes hacker a dull boy. They will first leverage the client as a means to gain access to the network and, once that is achieved, their fun begins. Our quest to *be* secure is never-ending, especially when you throw in the BIGGEST vulnerability of them all: humans.
If we put the last few years in perspective, there have been 516,949,944 (that we know of) records breached in over 2,395 attacks (that we know of). To do any proactive testing, you are going to need just as many tools in your arsenal as the person willing to put in the time to successfully hack you. When we start talking about gaining remote code execution stemming from a client-based attack, the end goal *is* to “pillage the village” (thanks again Skoudis). However, if we were to limit IMPACT Pro to just the Client-Side functionality, you would lose the ability to prove just how dangerous, or useful, that particular entry point may be. IMPACT Pro gives you the chance to safely leverage the same “malicious” tools a hacker would use, only now the return on investment comes from an understanding of how accessible those assets, the ones you try so hard to protect, actually are.
It’s the 1,000th door out of 1,000 doors you have been trying to open – only this one has a maintenance corridor behind it. You finally broke into something that was worth the time and effort, even amidst all those previous failures. Now, turn those 1,000 doors into applications, services, ports, thumb drives, humans – basically everything available to us that can be leveraged in the realm of client-based exploitation, and multiply it by 1,000,000. That certainly opened up the playing field, didn’t it?
IMPACT has evolved quite a bit over the past decade, and I agree: if someone is not living and breathing the product, they won’t learn everything inside and out. However, with Client-Side testing via IMPACT Pro, the wizards reduce the amount of time and skill required for a tester to perform quality tests without sacrificing quality results, exploitation or not. Let’s think of client-based attacks from the other white meat perspective, WiFi. There is no room to underestimate an attack of any kind, especially wireless attacks. Haven’t the past 20 years taught us that yet? Wireless attacks put a new outlook on client-based attacks, forcing analysts to think outside of the box. It drives me crazy to think of all those business travelers using any WiFi network to cram in as much work as they can via their company laptop, whether it be at the airport, hotel, coffee shop, cigar lounge (you know who you are), or anywhere for that matter.
At this stage of the game, you should be expecting WiFi attacks to blend techniques commonly used to establish trust relationships. The “oh snap” factor increases when you effectively become the MiTM (Man in the Middle), whether via a Fake Access Point you configured and got someone to connect to, or by enabling Karma on the Fake AP, thus answering as every known (trusted) access point the target device(s) are probing for. IMPACT’s Client-Side functionality incorporates the ability to do file harvesting during your recon phase too. So take all of the information you gather on your targets, including any docs and the metadata found within them, spin up some Fake APs, leverage one of the many MiTM-based attacks, and you are now looking at the bigger picture, not just trying to exploit applications. Each of the attack vectors IMPACT offers is just another part of that bigger picture, so unless you start thinking like a criminal, you will easily become the victim.
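The Karma behaviour described above leaves a footprint a defender can look for: one radio (one BSSID) answering to many different SSIDs that a single legitimate access point would never advertise, or a corporate SSID showing up on a BSSID that is not one of yours. The following is an added example written from the monitoring side; it is not code from the original post and not part of IMPACT Pro. The log format (`bssid=... ssid=...` per line), the sample lines, the BSSIDs, the SSID names and the `KNOWN_BSSIDS` allowlist are all constructed for illustration; the SSIDs are assumed to contain no spaces.

```python
from collections import defaultdict

# Constructed sample of probe-response / beacon observations from a
# wireless sensor. Format assumed: space-separated key=value fields.
SAMPLE_LOG = """\
ts=2024-01-01T10:00:01Z bssid=aa:bb:cc:00:00:01 ssid=CoffeeShop-Guest
ts=2024-01-01T10:00:02Z bssid=aa:bb:cc:00:00:01 ssid=CoffeeShop-Guest
ts=2024-01-01T10:00:03Z bssid=11:22:33:44:55:66 ssid=CorpWiFi
ts=2024-01-01T10:00:04Z bssid=de:ad:be:ef:00:01 ssid=CorpWiFi
ts=2024-01-01T10:00:05Z bssid=de:ad:be:ef:00:01 ssid=HomeNet
ts=2024-01-01T10:00:06Z bssid=de:ad:be:ef:00:01 ssid=AirportFree
ts=2024-01-01T10:00:07Z bssid=de:ad:be:ef:00:01 ssid=HotelGuest
"""

# Constructed allowlist: which BSSIDs are permitted to advertise our SSID.
KNOWN_BSSIDS = {"CorpWiFi": {"11:22:33:44:55:66"}}


def parse_observations(log_text):
    """Turn key=value log lines into (bssid, ssid) pairs, skipping malformed lines."""
    pairs = []
    for line in log_text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if "bssid" in fields and "ssid" in fields:
            pairs.append((fields["bssid"].lower(), fields["ssid"]))
    return pairs


def ssids_per_bssid(observations):
    """Group the distinct SSIDs each BSSID has been seen advertising."""
    seen = defaultdict(set)
    for bssid, ssid in observations:
        seen[bssid].add(ssid)
    return seen


def flag_karma_like(observations, threshold=3):
    """BSSIDs that answered to at least `threshold` distinct SSIDs.

    A normal AP advertises one or a handful of SSIDs; a Karma-style
    responder echoes back whatever clients probe for.
    """
    return sorted(b for b, s in ssids_per_bssid(observations).items()
                  if len(s) >= threshold)


def flag_rogue_ssids(observations, known=KNOWN_BSSIDS):
    """(ssid, bssid) pairs where a protected SSID appears on an unknown BSSID."""
    rogue = set()
    for bssid, ssid in observations:
        if ssid in known and bssid not in known[ssid]:
            rogue.add((ssid, bssid))
    return sorted(rogue)


if __name__ == "__main__":
    obs = parse_observations(SAMPLE_LOG)
    print("Karma-like responders:", flag_karma_like(obs))
    print("Evil-twin candidates:", flag_rogue_ssids(obs))
```

The threshold of three distinct SSIDs is a starting point, not a rule; mesh or multi-SSID enterprise radios legitimately advertise several, so tune it against what your own infrastructure broadcasts and treat the allowlist check as the higher-confidence signal.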
What this boils down to is that any organization rolling out Client-Side testing has to keep up with the times, times that will not be slowing down anytime soon. You have the ability to do what criminals won’t give anyone the chance to see coming, but you can do it in the name of security. As I mentioned before about the whole modular argument, it has been tough deciding where those lines are supposed to stop from one particular attack vector to another, but we still come to the same conclusion that attackers come to time and again: they shouldn’t.
To all my info warriors out there fighting the good fight, stay safe, stay secure, and PEN TEST!
- Caitlin Johanson, Technical Specialist