We’ve all done it—a term is mentioned in conversation, and we nod our heads casually and pretend we know what they’re talking about. So when someone says “pen test,” you’re not alone if you pictured someone clicking a ball point pen top, drawing scribbles to see if any ink comes out. But if you keep listening, it actually seems like pen testers are paid to hack into computers all day long. So what do they actually do? We went behind the scenes, taking a closer look at the day in the life of a pen tester.
We spoke to Diego Sor, the Director of Security Consulting Services at Core Security. With over 20 years of experience in the security industry, both as a software developer and a security consultant, Sor is more than qualified to shed some light on the field of penetration testing.
What does a pen tester do? How would you describe a pen tester to your family?
A pen tester is a person that uses his or her skills and knowledge to find security weaknesses in a system. A system typically has controls to limit the user’s actions and expects the user to operate within the boundaries of these controls. Pen testers aim to find ways to circumvent these controls, often by using the system in a different way than it was designed for, which forces it to respond to unexpected actions. For example, a product user manual says, follow steps 1, 2, and 3 to complete a task. A pen tester would ignore these steps entirely and instead attempt any number of different actions, and seeing if any of them indicate security weaknesses.
What kind of background does one need to be a pen tester?
Ideally, they would have a technical background like engineering, mathematics, physics, or of course, computer science. However, there are many excellent pen testers that are completely self-taught.
There are also important traits a pen tester needs to thrive. They need the ability to think outside the box to be able to find a system’s edge cases—loopholes in specifications or simply unexpected usage. A pen tester should also be able think through all the different types of threats to a system and how to test them.
Finally, dealing with frustration is also important for a pen tester, since a portion of the work is hypothesizing how to circumvent access controls, so there is quite a bit of trial and error.
What type of tools do pen testers use?
Whatever tool is needed for the particular task. You can think about the toolbox analogy: There are many different types of tools, but if you need to detach a screw, you’ll need a screwdriver.
Pen tester usually have, commercial, open source, and homegrown tools. In the first two categories, you will find network/port scanners, vulnerability scanners, penetration testing software, web application scanners, decompliers, debuggers, fuzzers, and more.
Homegrown tools are built by pen testers (sometimes on a daily basis) for many reasons, such as accomplishing a specific project task, integrating different tools, creating new test cases, etc. Sometimes these are just quick python or PowerShell scripts, and other times they may be long term projects.
Do you mostly perform tests remotely, or have you also performed physical penetration tests?
Most pen tests can be performed remotely, which is the most convenient method for both the tester and the customer. That is the most common type of engagement currently, especially with the COVID-19 pandemic.
Have you ever been “caught” during a test, virtual or physical?
Of course I have, and whoever says otherwise simply hasn’t executed enough pen tests! It is important to note that current pen test best practices are not always focused on evasion (not getting caught). 10-15 years ago the situation was different, but with the level of specification we have today and the way the attack/defense landscape has evolved, each offensive security project has their own scope.
Evasion is typically a goal for red teams, where practitioners play the role of a real adversary and evaluate, among other things, the way the security operations team (defense) detect, contain, and terminate an attack.
What security weakness have you found to be the most common?
That depends on the assets you are testing. For web applications, I would say that XSS, XSRF, Idors, SQLi are among the most common vulnerabilities. The OWASP top threats is a good resource to consult for web application threats.
For corporate infrastructure, common issues are unpatched operating systems and applications, weak credentials, open shares, open admin consoles, excessive user privileges, SMB and Kerberos issues, or weak configurations.
When it gets to cloud-based solutions, you have evaluate the specific assets (web applications, microservices, etc.) as well as the way the cloud resources are configured. For example, for AWS, we look at the way S3 buckets are configured or how the EC2 metadata can be obtained.
What’s the most unexpected thing you’ve found during a pen test?
When conducting a pen test about a year ago, we found a corporate printer exposed and accessible from the internet. When we asked about this an IT member told us that from time to time users reported that inappropriate language printouts were found in the printer and they were trying to find who in the organization was printing these messages. They had no idea that the device was exposed and publicly accessible.
During another engagement, we were testing an application and it exposed a REST API for integration. We had access to documentation and source code. Before starting the dynamic analysis, one thing we do when we audit software is to verify that the exposed API calls in the code matches the documentation. After verifying 120 API calls, we found that the code routes exceeded the number of API in the documentation. We started to dig into the code and we found an undocumented call that retrieved information from user’s database. While it looked like a ‘debug’ function that simply wasn’t removed before going into production, some indicators lead us to think that it was actually a backdoor left by a threat actor.
What’s one thing you wish everyone knew about pen testing?
Pen testing isn’t all about tools. As in many practices, tools are needed and can help greatly but practitioners make the difference.
What’s your greatest frustration as a pen tester?
Not having enough time! You may want to explore all the exploitation venues for a finding that looks promising but time constraints prevent you from seeing it through.
What’s the best part of pen testing?
It is a constant challenge, fun, diverse, and allows you to explore many different technologies and solutions using the attacker’s approach. You get to help people and organizations become more secure and resilient.
Do you own a black hoodie and look sinister while performing pen tests as stock photos seem to imply? Or since you’re also known as ethical or white hat hackers, maybe it’s a white hoodie?
I don’t anymore, but someone told me that these are still in use! I like to think of pen testers as security professionals with a well developed attacker’s mindset doing the right things.
Want to learn how pen testing can help your organization?
Find out why no business should go without pen testing in our blog, 3 Reasons Every Organization Should Leverage Third-Party Pen Testers.