When we conduct penetration tests, we are trying to mimic the actions an actual intruder or attacker would use to gain illicit access or otherwise compromise target systems. Knowing how they attack influences how we plan our penetration test. Most pen testers mimic some version of the Cyber Kill Chain discussed in a previous post. When Jason and I sought to write the Raspberry Pi pentesting update, we took some liberty with the Kill Chain. We crafted a version to suit our needs for penetration testing, and did our best to show the different tools we used to carry our Raspberry Pi through the entire operation:

[Image: Screenshot 2018-07-02 21.25.04.png]

A more general, Raspberry Pi-focused version of the Pen Test Kill Chain. No one size fits all.

Right tool for the job

I once tried my hand at woodworking. My shop in the basement still technically exists, but is a graveyard of good stock and half-baked projects. One of the hardest things to learn on your own is how to properly select the right tool for each task. Making a rip cut? You might be tempted to use a table saw. After some trial and near-fatal error, I discovered that a circular saw and guide were much better. Or at least, that combo was much less likely to see my family cashing in on my life insurance policy. The same trade-offs come up throughout each project. Band saw vs. jig saw, sander vs. planer, band-aid vs. tourniquet. So it goes in pen testing or hacking.

When you are looking at the phases of the Penetration Test Kill Chain, it is helpful to think about what sorts of penetration testing we may be called upon to conduct. We also want some clue as to what the targets might be, as both can affect how much of each phase we are actually on the hook to do. Again, we covered some of these types in that same post, under “Hacking Scopes”. White box testing in that light might be conducted without an intensive Recon phase and maybe even without a Weaponize phase. If Recon is done here, it may be through more open methods such as interviews and in-person inspections or audits. Black box testing, as we can imagine, is more cloak-and-dagger: we will be attacking without prior knowledge, so the Recon and Weaponize phases will be essential, and the subsequent phases will hinge on their findings. When you look at the combination of hacking scope, target system, and yes, our own bias, experience, and scar tissue, we might be opting for very different tools and still getting to the same place.

Filling your Kill Chain toolbox

My basement is only so big, so I have had to make some hard decisions about how much money to spend and how much room to use. I don’t have a planer or a jointer; I just can’t find the room! So guess what? I choose projects I can do without them, or find someone else (outsourcing!) who will take on that subtask for me.

The same can be said of pen testing. If we apply our requirements to the Penetration Test Kill Chain, it will help us stay focused and efficient without overdoing it. Unnecessary activities waste our time and the customer’s money, but they can also generate noise, expose our inexperience, or add unusual delay that may give us away. If this is a black box test, getting caught would be a poor move. Some customers may allow us to continue with the charade. Where we are conducting Red Team operations (mock attacks), our reputation may suffer and we won’t be working in this field for long. The customers are the ones who miss out. They come away from the engagement without being truly tested. As a result, they have wasted their funding and leave without a true understanding of their security posture and vulnerabilities. Our failures may even leave them with a false sense of security. This in turn prevents them from moving to improve their architecture and continually pursue a secure environment.

Mastering each tool

So we’ve figured out what tools we want in our shop! Great, the purchasing or downloading has begun. When I went to build my wife a bench, I immediately put a new router to work on an expensive piece of oak without testing and perfecting my technique. I can still see the blemish, despite using wood putty like it was free.

Only a fool would take a new tool into the field before truly understanding and testing it in a representative environment. Before we use it live, it’s a smart move to spend some quality time with prospective tools. As you map these out, you’ll want to master a handful of tools in each phase of the kill chain and ensure you have both breadth and options. Depending on the gig, you may not get to use your favorite tool, either because of some operational constraint (hardware platform, authentication schema, etc.) or because a customer requirement dictates something different from previous testing approaches. Even different disciplines might have a different take. When working on web pentesting, I developed my own take on it to help guide my studies:

[Image: Screenshot 2018-07-02 21.44.10.png]

This variant shows how we might alter the kill chain for our own needs.
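One way to turn the "breadth and options in each phase" idea into something you can actually check is a small coverage matrix: each tool is tagged with the phases it covers, a self-graded mastery score, and any operational requirement (a GPU, an x86 host) that might rule it out on a given engagement. The script below is an added example, not code from the original post; the seven phase names are the classic Lockheed Martin kill chain stages (assumed here, since the post's own diagram is an image), and the tool inventory, mastery grades and requirement tags are constructed sample data, not a recommendation.

```python
"""Kill-chain toolbox coverage check (added example, not from the original post).

Phases follow the classic Lockheed Martin kill chain; the inventory below is
constructed sample data with made-up mastery grades and requirement tags.
"""
from dataclasses import dataclass

PHASES = ["Recon", "Weaponize", "Deliver", "Exploit", "Install", "C2", "Actions"]


@dataclass(frozen=True)
class Tool:
    name: str
    phases: tuple            # kill-chain phases this tool is used in
    mastery: int             # self-grade: 0 untested .. 3 used live, know its failure modes
    needs: frozenset = frozenset()  # capabilities the host must provide, e.g. {"gpu"}


# Constructed inventory; grades and tags are illustrative only.
TOOLBOX = [
    Tool("nmap", ("Recon",), 3),
    Tool("theHarvester", ("Recon",), 2),
    Tool("msfvenom", ("Weaponize",), 2),
    Tool("gophish", ("Deliver",), 1),
    Tool("metasploit", ("Exploit", "Install", "C2"), 2),
    Tool("hashcat", ("Actions",), 1, frozenset({"gpu"})),
]


def usable(tool, platform_caps):
    """A tool is usable when the platform provides every capability it needs."""
    return tool.needs <= frozenset(platform_caps)


def coverage(toolbox, platform_caps, min_mastery=2):
    """Map each phase to the tools usable on this platform at or above min_mastery."""
    cov = {phase: [] for phase in PHASES}
    for tool in toolbox:
        if tool.mastery < min_mastery or not usable(tool, platform_caps):
            continue
        for phase in tool.phases:
            cov[phase].append(tool.name)
    return cov


def gaps(toolbox, platform_caps, min_mastery=2, min_options=2):
    """Phases where you lack min_options tools you could actually run and trust.

    These are the phases where an engagement on this platform would force you
    to learn a tool live, exactly what the post warns against.
    """
    cov = coverage(toolbox, platform_caps, min_mastery)
    return [phase for phase in PHASES if len(cov[phase]) < min_options]


if __name__ == "__main__":
    pi_caps = {"arm"}          # a Raspberry Pi dropbox: no GPU, no x86
    rig_caps = {"x86", "gpu"}  # a cracking rig back at the shop
    print("Pi, trusted tools only, two options per phase:", gaps(TOOLBOX, pi_caps))
    print("Pi, any tool you have at least tried:", gaps(TOOLBOX, pi_caps, 1, 1))
    print("GPU rig, any tool you have at least tried:", gaps(TOOLBOX, rig_caps, 1, 1))
```

Re-run the check as you grade yourself up on a tool or as the engagement's constraints change; the phases that keep appearing in the output are the ones to spend lab time on before the next gig.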

Large team dynamics

More established teams might see something in their process that actually breaks down the phases or sub-phases by role. Maybe they staff social engineering specialists, DBAs, hardware whizzes, or malware developers/reverse engineers who handle their specific portions of the test. It might be that more well-rounded pentesters or program/project managers orchestrate the overall test. They may be in charge of monitoring the SOW and possibly interacting with the client. Even the systems these folks use through each phase might be different. Password cracking might take advantage of a multi-GPU beast (if it weren’t for the cooling issues, I might have one of these in my basement). C2 nodes might reside in the cloud. Small and lightweight boxes hide on premises to act as low-profile sniffers and delivery devices.

This might seem good or bad, depending on your background. Not being a professional pen tester, I would think that this would be a win-win for newbies like me. You can come into a team with mastery in a certain focus area. Assuming a supportive employer, you may pick up or receive tutelage from the experts in adjacent phases or specialties. Sure, you might not be a full spectrum pen tester yet. But I can’t think of a cooler way to learn.

Summary

I think that the exercise of laying out tools throughout the continuum has helped me maintain a focus. Grading myself and tracking my progress as I learn keeps me improving. I encourage you to do the same: just sketch out your kill chain and start finding tools to add to your repertoire!