Reuse Your Skills: Penetration Testing for Auditing

As a penetration tester, your work tends to be fairly straightforward. You obtain a client engagement, define the scope of your penetration testing work, and then use your knowledge, skills, and tools to provide the client with a report of their vulnerabilities. As more and more people are starting to learn the value of penetration testing, it is slowly starting to become a market with more competition. This is excellent for the customer and for us as testers as a larger market footprint tends to lead to better tools and more recognition of the value of penetration testing. However, it also means that we need to be able to provide even more value to our customer in order to stay ahead of our competition.

One method of providing more value is to reuse our penetration testing skills to perform other tasks that our client may need. A common trend exists around using these skills to aid clients in performing internal audits. Outside of the penetration testing aspect of audits, it is very common for clients to need to audit their installed software and hardware inventory. If you are able to assist them with this process, you can demonstrate your versatility, offer additional services (at additional cost), and potentially become a full-service provider for your client. This can, of course, lead to additional revenue and set you apart from your competitors.

So the question then becomes, how do you leverage your penetration testing skills to perform this type of audit work? As penetration testers, we use reconnaissance and enumeration to gather data on the systems that we are testing and these processes can be easily reused to audit systems. As an example, a client was recently required by Oracle to audit the number of installed Oracle databases that exist within their company. Using a tool such as Nmap, we can easily perform this type of scan:

 

To scan a single server for port 1521 and reverse resolve hostname:

nmap -p 1521 10.10.10.10 -R

 

To scan multiple servers:

nmap -p 1521 10.10.10.1/24 -R

 

To scan Oracle version, etc (takes a lot longer):

nmap -p 1521 10.10.10.1/24 -R –sV

 

This works great for software installed and running as a service, but what about client-side software? Occasionally, a client is required to scan for a specific software product on client workstations to gather an inventory of the software install base. Since the client software may not run as a service, it may not have an open port to scan for. In situations like this, we can use other tools that leverage existing services provided by the operating system such as SNMP or WMI. For example, on a Windows XP system running the SNMP service, the snmpwalk tool can be used to display a software inventory using the following syntax:

 

snmpwalk -c public -v1 127.0.0.1 1 | findstr 3.6.1.2.1.25.6.3.1.2

 

Of course, running this from a UNIX system, one would replace “findstr” with “grep”, but the syntax is similar. Using this method, you can easily audit all software installed on a client system or all client systems on a network.

Hardware audits are another area where your skills can be valuable. In some cases, companies will need to audit their installed hardware base and determine what they have on the network. Nmap is, of course, the tool of choice for this type of audit as well. Using Nmap, you can simply scan the subnet(s) in question and report back on the detected system types.

In conclusion, be aware that the knowledge, skills, and tools that you use as a penetration tester can be reused in a number of ways. This can help increase your personal value to your clients as well as drive new business and new service offerings. Additional details on the tools discussed in this article as well as a plethora of other open source tools can be found in my book, Penetration Tester’s Open Source Toolkit, Third Edition available at http://www.amazon.com/Penetration-Testers-Source-Toolkit-Edition/dp/1597496278 or your favorite technical book retailer.

Pentesting Training Lab

I’ve been asked many times for the Linux distribution that I use for my pentesting classes. This distro is a modified version of the BackTrack Linux distribution with a number of vulnerable virtual machines stored within the distro for testing skills and tools. This lab is open source so feel free to download it and give it a try. If you’re interested in one of my penetration testing classes, please let me know and I can work with you to get you enrolled.

BackTrack 5r2 Lab Edition

StarEast 2014

It was truly a pleasure to speak at StarEast 2014 in Orlando, FL. While primarily focused on testing and quality assurance, the conference organizers were kind enough to let me speak about including security concepts as part of the software development lifecycle. With the complexity of software today, I think it’s important that we don’t look at security as something that has to be bolted on at the end of the SDLC just before code goes into a Production environment. I also think it’s important that we don’t expect all developers to know everything that us “security guys (and gals)” know about security. The same concept of Defense in Depth that we use when protecting assets also applies to software development. By adding security in the beginning (design, development patterns, training), the middle (testing, QA), and the end (penetration testing, application scanning), we build a more secure process and therefore a more secure product.

 

I feel that the audience at my talk was receptive to this and interested in how to make it practical. That, to me, is the greatest of compliments! I’ve added a few links below that may help turn the concepts that I spoke about into actionable work.

 

OWASP discussion on misuse stories that can be used for misuse cases: https://www.owasp.org/index.php/Agile_Software_Development:_Don’t_Forget_EVIL_User_Stories

SAFECode document on security-related Agile user stories: http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf

Great article on misuse cases: http://perceval.gannon.edu/xu001/teaching/shared/re_eng/termpaper/readingList/ElicitingSecReq_MisuseCases.pdf