The Benefits and Usage of Checklists in Penetration Testing
The Importance of Penetration Testing in Cybersecurity
In today’s digital landscape, where new security vulnerabilities are discovered almost hourly, penetration testing has become a crucial method for protecting organizations against cyber threats. Penetration testing provides a snapshot of an organization’s security posture and offers recommendations for improvement. However, many organizations mistakenly believe that conducting a penetration test guarantees their security.
Challenges in Penetration Testing
One of the primary challenges faced by penetration testers is occupational blindness. Even the most experienced professionals can miss different vulnerabilities each time they examine the same system. The worst-case scenario for a penetration testing firm is a client experiencing a security breach. Many organizations limit the scope of their penetration tests due to cost constraints, focusing only on what they perceive as critical systems. However, cyber attackers do not discriminate between systems; they exploit any available entry point, often the systems considered least important.
Another critical aspect of penetration testing is the need for transparency in the testing process. The lack of a standardized checklist means that the results of penetration tests can vary significantly depending on the individual tester’s expertise and approach. This inconsistency can lead to vastly different reports for the same organization.
The Solution: Penetration Testing Checklists
In 2013, Our Security developed a comprehensive “Penetration Testing Checklist” comprising 13 different categories and approximately 400 items. This checklist was created in response to a client’s request and aimed to address several key objectives:
Initially shared only with Our Security’s clients, the checklist is planned to be made publicly available in the future. The goal is to gather contributions and establish a standard for penetration testing. The document includes step-by-step instructions on how to perform each test item using specific tools.
Benefits of Using a Penetration Testing Checklist
Using a checklist in penetration testing offers numerous benefits:
Penetration testing is an essential component of an organization’s cybersecurity strategy. By using a comprehensive checklist, organizations can ensure that their penetration tests are thorough, consistent, and transparent. This approach not only helps in identifying and addressing security vulnerabilities but also provides a clear roadmap for improving overall security.
For more information on cybersecurity best practices, you can refer to authoritative sources such as the National Institute of Standards and Technology (NIST).
What is Penetration Testing?
Penetration Testing, often referred to as Pentest, is a security testing process used to identify vulnerabilities in computer systems. This process simulates the actions of attackers who exploit security weaknesses. By conducting a pentest, organizations can identify and address security vulnerabilities before a cyber attack occurs.
Importance of Penetration Testing
With the advancement of technology and the emergence of new systems, new security vulnerabilities are constantly being discovered. Organizations must be prepared to protect their computer systems from cyber threats. Regular pentesting is essential to ensure that security measures are up-to-date and effective.
Firms specializing in pentesting provide security testing services to organizations. These firms offer pentest proposals to organizations interested in their services. Under confidentiality agreements, certified cybersecurity experts conduct security tests on the organization’s systems. The experts performing these tests are known as Pentesters. They attempt to infiltrate the organization’s systems from the perspective of an attacker and prepare a pentest report detailing their findings.
Objectives of Penetration Testing
- Identifying security vulnerabilities that affect an organization’s assets
- Revealing risks and threats that impact the organization
- Verifying the accuracy of implemented procedures, policies, and designs
- Planning to secure systems to prevent security breaches by attackers
- Determining the points that successful attackers can access
- Modifying or improving the existing security architecture
- Preventing potential reputational damage and financial loss due to security breaches
- Evaluating the efficiency of security devices used by the organization
- Identifying threats to prevent future attacks on organizations that have experienced security breaches
Approaches to Penetration Testing
Pentesting is conducted using three main approaches: Blackbox, Graybox, and Whitebox.
Blackbox Testing
In Blackbox testing, security experts are not provided with any information about the organization’s systems. The goal is to simulate the actions of attackers who have no prior knowledge of the system.
Graybox Testing
Graybox testing involves providing security experts with some information about the organization’s systems, such as IP addresses and server versions. This approach simulates the actions of attackers who have gained access to the organization’s network infrastructure.
Whitebox Testing
Whitebox testing provides security experts with complete information about the organization’s systems. This approach simulates the actions of malicious insiders who have full knowledge of the systems.
Penetration Testing Methodologies
Pentesting is conducted based on national and international methodologies to ensure standardization. Some of these methodologies include:
National Methodologies
- TSE (TS-13638)
- SOME Guide published by Civil Aviation
- BDDK (Banking Regulation and Supervision Agency) General Communiqué on Penetration Tests for Information Systems
International Methodologies
- NIST 800-115
- OSSTMM
- OWASP
- ISSAF
Stages of Penetration Testing
Pentesting involves several stages:
Information Gathering
This stage involves collecting information about the target systems. It is the most crucial stage of pentesting. The more information an attacker has about an organization, the higher the likelihood of causing damage. Information gathering can be passive or active. Passive information gathering involves researching the target systems without direct interaction, while active information gathering involves interacting with the systems to collect data.
Enumeration
During enumeration, the goal is to gather as much information as possible about the target systems. This includes identifying open ports, services running on those ports, and their versions. This information is used to scan vulnerability databases and identify known vulnerabilities.
Vulnerability Scanning
This stage involves scanning for vulnerabilities that affect the target systems based on the gathered information.
Exploitation
In this stage, attempts are made to exploit the identified vulnerabilities to gain access to the target systems. Successful exploitation results in obtaining a session on the target system, allowing command and control.
Post-Exploitation
After gaining access to a system, the pentest continues to identify and exploit other devices connected to the organization’s network. This stage involves privilege escalation and lateral movement to gain control over other systems.
Reversing Changes
Before concluding a pentest, any changes made to the organization’s systems must be reversed to restore them to their original state.
Reporting
The final stage involves preparing a report detailing the findings of the pentest. This report includes an executive summary of the security audit, vulnerability identification cards with criticality levels and solution recommendations, and other relevant information.
Types of Penetration Testing
The process of pentesting varies depending on the type of target systems. Pentesting is conducted based on scenarios determined by the organization. Some types of pentesting include:
- Web Application Security Testing
Introduction to iSMET
In the realm of penetration testing, we often find ourselves in need of specialized tools. Among these, tools for “Malware Development” or “Bypassing Anti-Malware Products” are indispensable. Cybersecurity is one of the fastest-growing sectors, constantly evolving and branching into various sub-specialties. With this evolution comes the development of protective measures against different attack vectors. One of the most significant advancements is the integration of Microsoft Defender into Windows 10 and Server 2016 operating systems, and its inclusion in all subsequent versions.
The Need for Advanced Tools
The integration of Microsoft Defender is a game-changer because it means Microsoft has entered the anti-malware sector, embedding its solution directly into the operating system. Microsoft Defender is capable of detecting all payloads within Metasploit. Additionally, the encryption modules used within Metasploit for payload encryption are also recognized by Defender. For instance, if we manage to infiltrate a few systems using various methods and attempt to use Psexec to pivot to other systems using credentials obtained via Mimikatz, all our payloads will be detected by Microsoft Defender, rendering our efforts futile.
Due to these and many other reasons, we decided to develop tools that can be used in penetration testing and Red Teaming tests. One such tool is iSMET, which we developed a while ago and continue to use in our tests. We have decided to release this highly successful Red Teaming tool as open-source soon.
What is iSMET?
iSMET is a tool that can use both “asymmetric” and “symmetric” encryption techniques. It can generate meterpreter agents for the application types, payloads, and encryption types listed below:
- 12 different types of meterpreter payloads
- 8 different encryption techniques
- 2 different application types
iSMET provides encryption support for the most commonly used meterpreter agents. Before delving into the details of the encryption modules, let’s look at the modules used by iSMET:
Modules Used by iSMET
- iSMET: The user interface (UI) that transfers user input to other modules.
- iSMET.CSharp.Collection: A library of frequently used functions for strings, bytes, arrays, etc.
- iSMET.Encryption: A library containing encryption algorithms.
- iSMET.Packer: A library for memory management and advanced obfuscation functions.
- iSMET.ShellCode: A library containing shellcodes for meterpreter agents.
How iSMET Works
iSMET requires four main modules to function. The “iSMET” module is the UI that transfers user input to other modules. The “iSMET.Csharp.Collection” library is used for various operations such as generating random passwords for symmetric encryption, converting byte arrays to strings, or creating random file names. The “iSMET.Encryption” library supports encryption algorithms like DES, TripleDES, RC2, Rijndael, RSA, AES-CBC, and Blowfish. The “iSMET.ShellCode” library is a dynamic library containing shellcodes for meterpreter and shell (cmd) payloads. This library allows us to dynamically change the IP and port information of the malware we want to create and generate a meterpreter or shell agent through the compiler library.
User Interface
iSMET features a simple interface based on the “Modern UI” Windows Presentation Foundation project. The IP address field represents the IP address for the reverse connection, and the port field represents the port number for the reverse connection. The “Type” field specifies the type of application in which the malware should be created. If “Console Application” is selected, a payload that runs within a classic console application will be created. If “Windows Form Application” is selected, a payload that runs within a Windows Form Application will be created. Each technique has its own advantages and disadvantages. For example, if a payload is created as a Console Application and run on the target, it will run in a classic cmd.exe window. If a Form Application is selected, the payload will run from an application that hides itself in the background. The likelihood of being detected by anti-malware products will differ for each application type.
ShellCode Library
The MeterpreterShellCode class within the iSMET.ShellCode library contains the main functions needed to create meterpreter and shell agents. This library stores many meterpreter and shell agents in both x86 and x64 formats, such as ReverseTcp, ReverseTcpRc4, and BindTcp. Each member of the class takes the IP address and the port as strings. The IP and port information passed to each meterpreter and shell agent is substituted dynamically within the shellcode, and the resulting shellcode is rebuilt as a byte array and sent to the compiler.
Encryption Techniques
Shellcodes created using no encryption, Base64, Rijndael/AES, DES, 3DES, and RSA algorithms are embedded into an executable application (exe) created dynamically by iSMET and sent to the target. Shellcodes created using RC2, AES-CBC, and Blowfish algorithms are written to a file named “Stub.bin”. Separating the shellcode from the application and writing it to a different file in an encrypted form is a highly effective method for bypassing anti-malware products.
BuildCode Class
The BuildCode class within the iSMET.Csharp.Collection library consists of three separate classes: Console, Form, and Powershell. These classes contain the code needed to dynamically create C#-based executables that will run the meterpreter malware.