The year is 2020. People happily read yet another article about how dangerous it is to open emails from strangers, especially ones with attachments, how risky it is to plug a dubious flash drive into a computer, and how, in some distant country, hackers moved millions of dollars from account to account with a snap of their fingers. Analyst reports saying that 7 out of 10 banks could be hacked by two hackers over a couple of evenings seemed routine to people in 2020. Ordinary users were not even scared: they simply perceived such news as a separate Marvel universe and occasionally asked a programmer they knew to hack VK. Only security specialists understood that things are not as simple as they seem...
In 2020 the word "pentest" is already familiar to many, and all mature companies carry out such work on a regular basis. Some have even built an in-house team of specialists and test themselves every day. The number of information security tools keeps growing, the best security practices are distributed free of charge on the Internet, and security processes are built according to the best methodologies. At the same time, the idea still sits in people's minds that nothing can stop hackers: if they need something, they will get it. As a hands-on penetration tester, I want to talk about this phenomenon today.
"What was a feat for the previous generation is a regular job for the next"
10-15 years ago, information security was associated with fun: you could hack everything, and nothing happened to you for it. Everything was "full of holes", but that frightened few people. Hackers broke in for the fun of it and bragged about their feats to friends at the bar. Today information security is big business; hacking something easily and quickly happens only by accident, and doing it "properly" is expensive.
The barrier to entry into practical security has risen: whereas before someone could turn up at the customer not in their best physical shape, repeat a couple of techniques from videos watched online, and hack the organization, for example take over a domain controller, now that is far from possible everywhere. Problems come up at every step and in every area, at least in part because the recommendations from previous pentests have been implemented. Below I go through the problems you can run into when starting work on a penetration test.
Internal testing (or the disloyal employee)
Network connection
Take a penetration test from the internal network: these days you can't just plug into an organization's network socket. You come to the customer, take out a laptop, connect by cable to the Ethernet port and... nothing. You guess that you have to get past the control of connected devices, and it's good if you only need to find a legitimate MAC address somewhere; but what if it is bound to a port? What if the number of MACs per port is limited? And if there is 802.1X (Cisco ISE) with certificates and competent profiling? Then you need to find a domain account with a client certificate, or wedge yourself as a MITM into someone else's traffic and pretend to be a printer, or proxy through a legitimate host. Do you feel it? This is not the quick tapping on the keyboard you see in the movies.
Scanning
You start scanning the usual subnets (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), and all ports are closed or filtered, and then access is lost entirely. These are our favorite firewalls with a properly configured segmentation policy. You slow down and switch to stealthier reconnaissance techniques, but as soon as you use an exploit you are thrown out: the IDS/IPS has "arrived", and goodbye, unauthorized access.
Endpoint
Say you made it onto a host, but then either the antivirus finishes you off or the SIEM catches you, and if you did get a shell, it turns out to have limited rights, all current LPE patches are installed, and on top of that the lsass.exe process is isolated. Add to that user behavior anomaly detection and a DLP system (poorly configured, but deployed), and your PowerShell running on an accountant's workstation will be noticed.
"Hardware"
If you try to physically tamper with someone else's PC while the employee is on sick leave, you will find that the BIOS is password protected, the hard disk is encrypted with BitLocker combined with a PIN and a TPM module, and nothing can be extracted from the computer.
Domain Attacks
You got an Active Directory domain account and are glad that you can now carry out your favorite attacks on AD: Kerberoasting, AS-REP Roasting, delegation attacks. But no: everything has been taken care of, passwords are not brute-forceable, attacks on the domain are detected by Microsoft ATA, outdated hosts are moved into a separate domain, and on top of that the architecture is built on the Red Forest model, so even compromising the user domain will not bring the desired result.
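To show what the "detected by Microsoft ATA" side of this looks like in practice, here is an added example (my own illustration, not code from the original article or from any Microsoft product) of the two classic indicators a defender looks for in domain controller security logs: a single account requesting RC4-encrypted service tickets (event 4769, encryption type 0x17) for many distinct services, which is what Kerberoasting looks like, and a TGT request with pre-authentication disabled (event 4768, pre-authentication type 0) using RC4, which is what AS-REP Roasting looks like. The event records are constructed sample data; the field names are simplified assumptions, not the exact field names of the Windows event schema.

```python
"""Added example: flag Kerberoasting / AS-REP Roasting indicators in
simplified Windows Security event records (constructed sample data)."""

# Constructed sample events. "etype" mirrors the Ticket Encryption Type field
# of events 4768/4769; "preauth_type" mirrors Pre-Authentication Type of 4768.
SAMPLE_EVENTS = [
    {"id": 4769, "account": "alice@CORP", "service": "sql-svc",
     "etype": "0x12", "client_ip": "10.0.5.12"},
    {"id": 4769, "account": "bob@CORP", "service": "sql-svc",
     "etype": "0x17", "client_ip": "10.0.5.77"},
    {"id": 4769, "account": "bob@CORP", "service": "http-svc",
     "etype": "0x17", "client_ip": "10.0.5.77"},
    {"id": 4769, "account": "bob@CORP", "service": "backup-svc",
     "etype": "0x17", "client_ip": "10.0.5.77"},
    {"id": 4769, "account": "alice@CORP", "service": "krbtgt",
     "etype": "0x12", "client_ip": "10.0.5.12"},
    {"id": 4768, "account": "svc-legacy", "preauth_type": "0",
     "etype": "0x17", "client_ip": "10.0.5.77"},
    {"id": 4768, "account": "alice", "preauth_type": "2",
     "etype": "0x12", "client_ip": "10.0.5.12"},
]

RC4_HMAC = "0x17"        # legacy etype; AES tickets are 0x11 / 0x12
MACHINE_SUFFIX = "$"     # computer accounts, not interesting for roasting


def kerberoast_suspects(events, min_distinct_services=3):
    """Accounts that requested RC4 service tickets for at least N distinct
    services. A normal user rarely downgrades to RC4 for many SPNs at once;
    a roasting tool does exactly that to get crackable ticket hashes."""
    per_account = {}
    for e in events:
        if e["id"] != 4769 or e["etype"] != RC4_HMAC:
            continue
        # The TGS for krbtgt and for machine accounts is noise for this rule.
        if e["service"] == "krbtgt" or e["service"].endswith(MACHINE_SUFFIX):
            continue
        per_account.setdefault(e["account"], set()).add(e["service"])
    return {acct: sorted(svcs) for acct, svcs in per_account.items()
            if len(svcs) >= min_distinct_services}


def asrep_roast_suspects(events):
    """4768 events where pre-authentication was not required (type 0) and the
    reply was RC4-encrypted: the combination AS-REP Roasting relies on."""
    return [e for e in events
            if e["id"] == 4768 and e["preauth_type"] == "0"
            and e["etype"] == RC4_HMAC]


def report(events):
    """Combine both rules into one summary a SIEM alert could be built on."""
    return {
        "kerberoasting": kerberoast_suspects(events),
        "asrep_roasting": sorted(e["account"] for e in asrep_roast_suspects(events)),
    }


if __name__ == "__main__":
    print(report(SAMPLE_EVENTS))
```

The thresholds are deliberately crude: a real deployment would bucket 4769 events by time window and exclude known legacy services that still negotiate RC4, otherwise the rule fires on every old application server. The point is that both techniques leave a very recognizable footprint in logs the domain controller already writes, which is why "everything is taken care of" is cheap for the defender here.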
External testing (Internet hacker)
You try to hack something on the external perimeter, and Anti-DDoS and a WAF are already in place, the application is developed according to SSDLC principles and tested before release to production. Data between client and server is encrypted and all user input is validated in several ways. Sometimes the application is written on some newfangled framework and layered with a bunch of enterprise technologies; the developers themselves only figured out how to add a module after six months, so where are you going with your week of black-box fuzzing?
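"Validated in several ways" is the part that kills most black-box fuzzing, so here is an added example (my own, not code from the article or from any product it mentions) of the same user lookup written twice: once the way it looked in the "full of holes" era, with input pasted straight into SQL, and once with two independent layers, an allowlist check at the trust boundary plus a parameterised query. The table and rows are constructed sample data in an in-memory SQLite database; the function and table names are my own.

```python
"""Added example: an unvalidated lookup next to its layered, hardened form.
Uses an in-memory SQLite database with constructed sample rows."""
import re
import sqlite3

# Layer 1: a strict syntactic allowlist for the one value we accept.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_.]{2,31}$")


def make_db():
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """The 'holes' version: user input becomes part of the SQL text."""
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_hardened(conn, name):
    """Two independent defences; either one alone would stop this payload,
    together they also cover each other's blind spots."""
    if not USERNAME_RE.match(name):
        raise ValueError("invalid username")          # boundary validation
    rows = conn.execute(
        "SELECT email FROM users WHERE name = ?", (name,)  # bound parameter
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # textbook tautology payload
    print("vulnerable:", lookup_vulnerable(db, probe))
    try:
        lookup_hardened(db, probe)
    except ValueError as err:
        print("hardened:", err)
```

The payload returns every row from the first function and is rejected before it ever reaches the database in the second; even if the allowlist were loosened later, the bound parameter would still be treated as a value rather than as SQL. That redundancy is what the article means by "several ways": the tester has to get past every layer, and the developer only has to get one of them right.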
Mobile testing (hacker with a phone)
Take a mobile application: here the platform itself already protects would-be developers from many shots in the foot. Unencrypted traffic will soon be banned outright. Conscientious developers have shifted their focus to protecting the server side, because if the server does not contain the "holes", they will not work from the client either. Those who went further mastered the OWASP Testing Guide, learned to detect rooted devices and implemented SSL pinning. And that's it, the impact of the remaining shortcomings is insignificant.
Wi-Fi (hacker with a Wi-Fi adapter)
There is not much to discuss here. Either WPA2-Enterprise with client certificates is used or it isn't. Now WPA3 is on its way, where even management traffic is encrypted and the session key is reliably protected. At first, of course, there will be implementation errors, but those are no longer shortcomings of the protocol as a whole.
Bonus
One more factor: all security tools are now starting to merge into one ecosystem, and as soon as you touch one edge, the whole web starts to shake. Just looking at the Cisco and Microsoft families of solutions, as a pentester I am already dreading all the pain of trying to work covertly in the coming years. Moreover, "auto-pentest" products are appearing on the market, for example PenTera or Cymulate, which will soon start taking part of the pentester's bread. And there are still security startups with machine learning, neural networks and pseudo-AI ahead. So far it all looks raw, but give it a couple of years...
Someone will say that this is an idealized picture and there will always be holes, and I will answer that, watching how information security matures in companies, I come to the conclusion that in two years the "cost" of a hack will be quite high even for experienced specialists... I think that in the near future hacking a bank remotely will be as rare as physically robbing one in 2020 (do you know of many recent successful cases?).
So where does that leave me? Security is getting more complex, and perhaps in the future the problems in this area will become more manageable. But should we just close our eyes and wait for that future to arrive? No, we must take steps to build this very future.
5 tips for companies
nmap Nessus, , . , . , , , , . , , .
: 10 , . , , , , . - .
, ( ) - , - . . . - Red Teaming continuous pentest.
, , ? ? , , -- ? Red Teaming , «» , , (3-9 ). - .
. 100500 - . , , .
. Bug Bounty GitHub CTF, . , — . - .
. , , . , . telegram- twitter. - , «» , . - Be with the community.
Build a professional circle: it is much more effective to do something together than to sit alone in a closet. It is only in the movies that a lone hacker breaks into the world; in reality there is an APT group with clear roles and tasks for everyone: one scans, another exploits, a third analyzes, a fourth cashes out. Be open and share knowledge, because others have already done a hundred times what you are planning, and, conversely, you can help them cut down on routine and free up time for creativity.
What regular users should do
It is unlikely that you are reading this article, but still. Security is within your control: don't sit around waiting for something to happen, come up with a decent password, take a security awareness course and just follow its advice. Trust me, it's not difficult.
Conclusions
I wrote this article not to show how good everything is in information security, but to show that things are not as bad as many are used to thinking. Negative news helps us develop and get better, but answer honestly: are we safer than 10 years ago? And if not, which of you can hack, for example, VK: not a user, not throw an XSS, but the entire infrastructure?