4. Exploitation: Break into the target asset
This is what the ethical hacker is being paid for – the “break-in.” Using the information learned in the discovery phase, the pen tester needs to exploit a vulnerability to gain unauthorized access (or denial of service, if that is the goal). If the hacker can’t break-in to a particular asset, then they must try other in-scope assets. Personally,
if I’ve done a thorough discovery job, then I’ve always found an exploit. I don’t even know of a professional penetration tester that has not broken into an asset they were hired to break into, at least initially, before their delivered report allowed the defender to close all the found holes. I’m sure there are penetration testers that don’t always find exploits and accomplish their hacking goals, but if you do the discovery process thorough enough, the exploitation part isn’t as difficult as many people believe. Being a good penetration tester or hacker is less about being a genius and more about patience and thoroughness.
Depending on the vulnerability and exploit, the now gained access may require “privilege escalation” to turn a normal user’s access into higher administrative access. This can require a second exploit to be used, but only if the initial exploit didn’t already give the attacker privileged access.
Depending on what is in scope, the vulnerability discovery can be automated using exploitation or vulnerability scanning software. The latter software type usually finds vulnerabilities, but does not exploit them to gain unauthorized access.
Next, the pen tester either performs the agreed upon goal action if they are in their ultimate destination, or they use the currently exploited computer to gain access closer to their eventual destination. Pen testers and defenders call this “horizontal” or “vertical” movement, depending on whether the attacker moves within the same class of system or outward to non-related systems. Sometimes the goal of the professional pen tester must be proven as attained (such as revealing system secrets or confidential data) or the mere documentation of how it could have been successfully accomplished is enough.
5. Document the pen-test effort
Lastly, the professional penetration tester must write up and present the agreed upon report, including findings and conclusions.
The pen-test job is sophisticated and evolving
Like every other IT security discipline, professional pen testing is maturing. Standalone hackers who simply show technical prowess without professionalism and sophistication are becoming less in demand. Employers are looking for the complete professional hacker – both in practice and the toolsets they use.
Better toolkits: Penetration or vulnerability testing software has always been a part of the ethical hacker’s toolkit. More than likely, the customer already is running one or both of these on a regular basis. One of the most exciting developments in pen testing are tools which essentially do all of the hard work from discovery to exploitation, much like an attacker might.
Sign up for CIO Asia eNewsletters.