In order to assess the security of an information system, a very pragmatic approach consists of conducting a cyberattack in the most realistic possible way. Can a security auditor really put itself in the shoes of the “bad guy”? Is it possible not to bias the tests by not providing information beforehand?
Yes, it is actually possible with a “100% Black Box” security audit. In this situation, the pentester starts the audit having only the name of the company as information. Up to him to discover the scope exposed to attacks and then to carry out attacks trying to maximise the impact of the tests within the time that was given.
The benefits for the company that order this type of black box audit are:
- no need to give any information about your information system to the company carrying out the security audit;
- the black box pentest brings real answers to the question “Is my information system secured?”, as the attack conditions are as close as possible to the real ones (simulation of an external attack);
- as the company ordering the pentest doesn’t define the scope of attacks, it prevents to test only elements that the client feels as potentially vulnerable (and so we avoid the risk to not test some elements only because the client believes they are safe, or has forgotten it could be entry doors for external attacks);
- the black box audit is simple and fast to set up, subject to signing the necessary authorizations and ensuring communication in case of emergency.
The teams of the client are not informed that a black box pentest will occur, which allows to see their reaction to the attacks under realistic conditions.
This type of security audit can mix technical and social engineering attack, in order to test all types of threats on the information system. For pentesters, “no holds barred”. They can then prioritize attacks according to the context they are discovering along the audit.
It is possible to define general objectives with the client (such as embezzling money), or to give priority to the classic objectives of a cyberattack: embezzling money, obtaining confidential information, gain access to the internal information system, damaging the activity and image of the targeted company.
To achieve these objectives, the pentester follows the steps described below, the same way as a malicious attacker could do it. The main difference is that the pentester has limited time (a package time defined by the client beforehand), and he will be reachable by the audit contractor in case an incident is detected by the client (to define if the detected attacks are related to the black box pentest or to a real attack, and to interrupt the audit and advise the client if necessary).
Recon is a crucial phase in the assessment of a company and its products’ exposure. It includes both technical and personal data research. It consists of searching all domain, subdomains and DNS record related to the target company, on the one hand, and collecting email addresses, passwords and login – which would have been put online following another company’s hack – on the other hand. All information is legally retrieved from the internet, using for example Google hacking and searching both in the present and in past versions of the targeted web platform.
Active recon, during with the pentester comes into direct contact with the target, is also conducted. This involves in particular port scanning to determine the services used by the target.
We explain in that article more in detail the recon audit.
Once as many targets as possible have been identified, the pentester checks if versions of servers and services are up to date and if they have known vulnerabilities. Vulnerable components and incorrect configurations are among the most easily usable inputs for an attacker.
Automatic scans are launched on websites, web applications and other interfaces. Theses scans will show pentesters what types of attacks are possible on the targets. Tools, such as Burp, are running scans to detect anything that could represent a risk to the platform. Among the vulnerabilities detectable by Burp, we find for instance the vulnerabilities listed in the OWASP Top 10.
At the same time, manual tests are run, as automatic scans have their limits. False positives are common and some types of flaws are not detected. For example, scans do not identify sensitive information written in plain text in the comments of an HTML page or they do not see logic flaws.
Contrary to automatic tools, pentesters do not follow rules but call for their experience and thinking to spot the most hidden vulnerabilities.
In this phase of the audit, the pentester will use all information he has collected so far to reach its objectives.
If the client accepts social engineering attacks, the pentester sets up phishing and vishing (voice phishing) scenarios, to name just two examples.
A common social engineering attack can be conducted when an XSS flaw is detected on a web application. The pentester will first create a copy of the login page of the application, links a ‘listener’ to retrieve the information entered on the fake login page.
Then, pretending to be a colleague or a manager, the fake login page is sent per email. The target connects itself and sends without knowing it its credential to the pentester.
We detail in this article other social engineering attacks that we run during security audits.
If the client doesn’t want to have social engineering attacks, the exploitation of technical vulnerability starts. To take an example, after a scan, the pentester has found that a page on a shopping website is vulnerable to SQL injections attacks. He decides then to exploit it, manually or with a dedicated tool, by trying to obtain information from the database. He can succeed to retrieve the database with logins and passwords of users and admins.
In conclusion, even if the black box audit runs in the same conditions as a malicious attack and that the pentesters use the same tools that attackers, there is generally no major risks to the target. Vulnerabilities are exploited in such a way as not to alter nor delete anything.
To receive other articles: click here