Learn security testing at OWASP

Sieuwert van Otterloo | Security

OWASP is more than just a top 10: The Netherlands has local OWASP meetings where security knowledge is shared. The last meeting was a workshop about Pen-testing with tips and tricks from security expert Jacco van Tuijl. Interested? We hope to see you at the next local meeting.

What is pentesting?

Pentesting or penetration testing is a security test where an outsider tries to get access to the systems and data of a company. The security expert (sometimes called an ethical hacker) tries to find any vulnerabilities and weaknesses and will ultimately report these to the client so that they can be fixed. Pentesting is important for security because it makes sure that companies focus their efforts on the weakest spots.

Types of pentests

There are different types of pentests that can be executed:

  • Black box versus crystal box: In a black box test, the pentester is told nothing about the systems. In a gray box or crystal box test, he or she gets documentation beforehand.
  • Privileged / unprivileged: In a privileged pentest, the tester gets some user credentials and has to get full access to a system. In an unprivileged test, the pentester starts without any access.
  • Passive / active: In an active test, the pentester is allowed to make changes in order to validate that attacks actually work. In a passive test, the pentester tries to avoid making any changes.

Which type of test is most appropriate depends on the situation. A passive test is for instance useful when there is a risk the system can be damaged and no backup is available. Traditional pentests are unprivileged, but for many companies the risk that hackers already have user credentials is important to test in a privileged pentest. For this reason, Jacco recommended doing more privileged pentests.

Pentest recommendations

Every pentest must start with an explicit agreement from the system owner, typically in the form of a pentest waiver. Without such a waiver, the pentester could get into legal trouble. Other details to agree on upfront are scope, type of test, time available and how and when to report. After this has been agreed, the pentest proceeds with the following steps:

  • Footprinting
  • Fingerprinting
  • Vulnerability assessment
  • Verification and exploitation
  • Post-exploitation
  • Reporting

Footprinting is a very important step that makes the rest of the process easier. In this step an attacker (pentester) finds out the footprint of an organisation: which domains, IP addresses and servers an organisation has, or what components a device has. By doing the footprinting right, one can discover unexpected weak spots.

One then proceeds with fingerprinting (finding out what operating system and software is used), looking for vulnerable components and verifying the suspected vulnerabilities by trying to get in. For each step there are many tools available making the work much easier: from dnsmap to code1000 to nmap to burpsuite to metasploit and searchsploit. Some tools actually contain pre-scripted attacks in a fully automated way.

One interesting type of attack demonstrated on stage was the pass-the-hash attack. In many cases passwords are not stored in readable form but changed into a cryptographically strong hash code. It is hard for attackers to retrieve the password from a hash. Unfortunately this is often not necessary. Many protocols do not require the actual password but only the hash of the password. Stealing the hash is thus good enough for many attacks.
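The point above, as an added example that is not from the workshop or its slides: a constructed toy challenge-response login (not any real protocol; `ToyServer`, `respond` and `demo` are hypothetical names) in which the server stores only a hash, yet a copy of that hash authenticates just as well as the password does.

```python
import hashlib
import hmac
import secrets


def password_hash(password: str) -> bytes:
    """What the toy server stores instead of the readable password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def respond(pw_hash: bytes, challenge: bytes) -> bytes:
    """Client side: the response is keyed by the hash, not by the password."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class ToyServer:
    """Constructed challenge-response server; it never sees the password again."""

    def __init__(self) -> None:
        self.stored = {}  # username -> password hash

    def register(self, user: str, password: str) -> None:
        self.stored[user] = password_hash(password)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh per login, so replays fail

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        expected = respond(self.stored[user], challenge)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    server = ToyServer()
    server.register("alice", "correct horse battery staple")  # constructed sample

    # Legitimate login: the client knows the password and hashes it first.
    c1 = server.new_challenge()
    legit = server.verify(
        "alice", c1, respond(password_hash("correct horse battery staple"), c1))

    # A party holding only a copy of the stored hash; the password is unknown.
    c2 = server.new_challenge()
    hash_only = server.verify("alice", c2, respond(server.stored["alice"], c2))

    # A wrong password fails, so the hash itself is the real credential.
    c3 = server.new_challenge()
    wrong = server.verify("alice", c3, respond(password_hash("guess"), c3))
    return {"legit": legit, "hash_only": hash_only, "wrong": wrong}
```

In a protocol of this shape the stored hash has to be protected as carefully as a plaintext password, because the server cannot tell the two logins apart.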

Next steps

This workshop was organised by OWASP: the open initiative to improve online security. OWASP is well known as the organisation behind the OWASP top 10: an overview of the most common vulnerabilities for online systems. OWASP however has many more initiatives, including local chapters where people interested in security can meet up and network. The Dutch OWASP chapter is led by security expert Martin Knobloch. If you are interested in security, we recommend that you sign up to the OWASP meetup and go to the next social meeting on October 1st. If you would like to know more about Jacco van Tuijl’s talk, the slides have been made available here.

If your company is interested in improving security, ICT Institute can help you with security strategy and application security (including code reviews and SDLC workshops). We are not specialised in pentesting but are happy to help you find the right specialised company.

Image: still from mission impossible (presumed fair use)

 

Author: Sieuwert van Otterloo
Dr. Sieuwert van Otterloo is a court-certified IT expert with interests in agile, security, software research and IT-contracts.