Many penetration tests include activities such as passive reconnaissance, active reconnaissance, initial exploitation, escalation of privilege, pivot, and persistence. If you’re planning to take the SY0-501 Security+ exam, you should have a basic understanding of penetration testing concepts.
For example, can you answer this question?
Q. A penetration tester has successfully attacked a single computer within the network. The tester is now attempting to access other systems within the network via this computer. Which of the following BEST describes the tester’s current actions?
A. Performing reconnaissance
B. Performing the initial exploitation
C. Pivoting
D. Escalating privileges
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation is available at the end of this post.
Penetration testing actively assesses deployed security controls within a system or network. It starts with passive reconnaissance, such as a vulnerability scan, but takes it a step further and tries to exploit vulnerabilities by simulating or performing an attack.
Passive Reconnaissance
Passive reconnaissance collects information about a targeted system, network, or organization using open-source intelligence. This includes viewing social media sources about the target, news reports, and even the organization’s web site. If the organization has wireless networks, it could include passively collecting information from the network such as network SSIDs. Note that because passive reconnaissance doesn’t engage a target, it isn’t illegal.
Passive reconnaissance does not include using any tools to send information to targets and analyze the responses. However, passive reconnaissance can include using tools to gather information from systems other than the target. For example, you can sometimes gain information about a domain name holder using the Whois lookup site (https://www.whois.com). Other times, you can gain information by querying Domain Name System (DNS) servers.
Active Reconnaissance
Active reconnaissance includes using tools to send data to systems and analyzing the responses. It typically starts by using various scanning tools such as network scanners and vulnerability scanners. It’s important to realize that active reconnaissance does engage targets and is almost always illegal. It should never be started without first getting explicit authorization to do so.
The network scanning tools such as Nmap and Nessus can gather a significant amount of information about networks and individual systems. This includes identifying all IP addresses active in a network, the ports and services active on individual systems, and the operating system running on individual systems.
Remember this
Penetration tests include both passive and active reconnaissance. Passive reconnaissance uses open-source intelligence methods, such as social media and an organization’s web site. Active reconnaissance methods use tools such as network scanners to gain information on the target.
Initial Exploitation
After scanning the target, testers discover vulnerabilities. They then take it a step further and look for a vulnerability that they can exploit. For example, a vulnerability scan may discover that a system doesn’t have a patch installed for a known vulnerability. The vulnerability allows attackers (and testers) to remotely access the system and install malware on it.
With this knowledge, the testers can use known methods to exploit this vulnerability. This gives the testers full access to the system. They can then install additional software on the exploited system.
Escalation of Privilege
In many penetration tests, the tester first gains access to a low-level system or low-level account. For example, a tester might gain access to Homer’s computer using Homer’s user account. Homer has access to the network, but doesn’t have any administrative privileges. However, testers use various techniques to gain more and more privileges on Homer’s computer and his network.
Chapter 6 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide discusses privilege escalation tactics that attackers often use. The “One Click Lets Them In” section discusses how advanced persistent threats (APTs) often use remote access Trojans (RATs) to gain access to a single system. Attackers trick a user into clicking a malicious link, which gives them access to a single computer. Attackers then use various scripts to scan the network looking for vulnerabilities. By exploiting these vulnerabilities, the attackers gain more and more privileges on the network.
Penetration testers typically use similar tactics. Depending on how much they are authorized to do, testers can use other methods to gain more and more access to a network.
Pivot
Pivoting is the process of using various tools to gain additional information. For example, imagine a tester gains access to Homer’s computer within a company’s network. The tester can then pivot and use Homer’s computer to gather information on other computers. Homer might have access to network shares filled with files on nuclear power plant operations. The tester can use Homer’s computer to collect this data and then send it back out of the network from Homer’s computer.
Testers (and attackers) can use pivoting techniques to gather a wide variety of information. Many times, the tester must first use escalation of privilege techniques to gain more privileges. However, after doing so, it’s possible that the tester can access databases (such as user accounts and password databases), email, and any other type of data stored within a network.
Remember this
After exploiting a system, penetration testers use privilege escalation techniques to gain more access to target systems. Pivoting is the process of using an exploited system to target other systems.
Q. A penetration tester has successfully attacked a single computer within the network. The tester is now attempting to access other systems within the network via this computer. Which of the following BEST describes the tester’s current actions?
A. Performing reconnaissance
B. Performing the initial exploitation
C. Pivoting
D. Escalating privileges
Answer is C. Pivoting is the process of accessing other systems through a single compromised system.
Reconnaissance techniques are done before attacking a system.
A successful attack on a single computer is the initial exploitation.
Escalating privileges attempts to gain higher privileges on a target.
See Chapter 8 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on risk management.
1 thought on “Penetration Tests Activities”