
In the past I’ve always argued that ‘ethical hacking’ isn’t really hacking as such, because our ‘ethical hacker’ is following a methodology within various contractual and legal constraints, as opposed to exploring a system. I’ve changed my opinion on this somewhat, having recently done a simulated (but proper, nonetheless) pen test myself, which genuinely was a learning curve from start to finish.

One of the things I learned is that pen testing manuals, and even ‘hacking tools’ alone are pretty useless. Originally I intended to follow an existing methodology by the book, one that’s accepted and recommended among the professionals, but instead ended up having to develop a sound procedure myself through trial-and-error. Networking expertise plays a huge part in this, especially in the case of a ‘black box’ test against an enterprise network where the tester cannot simply use something like Metasploit against random hosts. As it turned out, our exploit was the outcome of a lengthy decision-making process.

A huge amount of research also went into interpreting the vulnerability scan results and producing a report that’s useful, the latter being what a client essentially pays for. Why do the vulnerabilities exist? What exactly should the client do about them? How exactly would a given exploit work, and is it liable to cause damage?

And along the way, I was shown a certain ‘network administration’ technique involving a couple of tools that gave me a taste of what an INFOSEC professional is dealing with in the real world – it hypothetically enabled me to control a hypothetical enterprise network spanning multiple sites, with potentially 9,500 computers and 200 servers, all from one legitimate user account (which itself might have been compromised and used as a ‘pivot’). While it’s not strictly related to the assessment, anyone with knowledge of this could see how a backdoor could be hidden within a network vastly more complex than anything I’ve previously seen, with numerous sequentially-numbered but otherwise identical dormant accounts.