Two Sides of the Same Coin: A Glimpse into Pen Testing and Security Analytics

by James Stanger | Dec 05, 2018

I’m often asked to present examples of how a pen tester applies the steps of what cybersecurity professionals often call the hacker lifecycle. I’m also often asked what these steps look like not only from the penetration tester’s (pen tester’s) perspective, but also from that of the security analyst. The analyst is the person who sifts through network traffic, logs and visualizations to find evidence of the compromises that a pen tester (or a real attacker) generates. Here’s a quick overview of some of the tools that both pen testers and analysts use.

Pen tester                                               | Security analyst
Discovery tools (e.g., OSINT tools, Nmap, Maltego)       | Packet capture tools (e.g., Wireshark, tcpdump)
Exploit tools (e.g., Metasploit, BeEF)                   | Security information and event management (SIEM) and intrusion detection (e.g., AlienVault, Splunk, Bro, Snort, OpenWIPS-ng, Process Explorer)
Crackers (e.g., John the Ripper, THC Hydra)              | Logs and log analysis tools (e.g., WinMerge, lnav, lynis, DiffNow, CyberChef, ManageEngine)
Kali Linux or Parrot (Debian-based; bundles many tools)  | Security Onion (Ubuntu-based; bundles many tools)


This quick and dirty table is nowhere near perfect or thorough, but it’s sometimes useful to think about the same activity – hacking – from two different perspectives, or buckets. I say the model isn’t perfect because, after all, a pen tester can use Wireshark just as effectively as a security analyst; the pen tester simply uses it for a different purpose, such as confirming that a payload’s callback actually left the network.

Hacker Lifecycles

First, there is no single, perfect hacker lifecycle. I’ve found that there are quite a few useful pen testing/hacker lifecycle models.

Here are two of the more popular models:

In my experience, pen testers and security analysts customize the lifecycle based on the systems and organizations they are working with. You modify your model and paradigm based on the current conditions, kind of like how a good hiker uses different clothing and equipment based on the conditions of the mountain being climbed. 

Same Activity, Two Perspectives

Based on the models referred to above, the table below gives a quick overview of the steps a pen tester takes, and also what the security analyst uses to discover what the pen tester – or hacker – is doing.

Activity                          | Description                                                                                              | Pen testing tool                        | Security analyst tool
Discovery/Reconnaissance          | Use active and passive scanning techniques to identify vulnerable people, processes, and systems         | Whois, Shodan, Nmap, Metagoofil         | Phone call logs, endpoint log files (e.g., Windows/mobile phone logs)
Penetration                       | Use social engineering to deliver the attack vector                                                       | End user/Metasploit, shell commands     | Antivirus, centralized logging for endpoints and firewalls
Pen/Escalation/Lateral Movement   | Transfer the Windows Security Account Manager (SAM) database or the Linux /etc/shadow file               | Metasploit (includes Meterpreter), BeEF | Active Directory/Kerberos/LDAP logs, SGUIL
Pen/Persistence                   | Crack the password hashes taken from the accounts database                                               | John the Ripper/online resources        | Tripwire, Splunk
Persistence                       | Insert a specific registry key to open a port or activate a service such as the Remote Desktop Protocol (RDP) | Meterpreter/BeEF, scripts          | Regshot, WinMerge, RegistryChangesView
Action on Objectives/Data Egress  | Obtain or change sensitive information                                                                    | Native tools on the victim system       | Process Explorer, Snort, Sagan, Bro, any SIEM tool
Lateral Movement                  | Identify pre-existing shares and stored credentials                                                       | Native tools/Meterpreter                | AlienVault, Suricata


Action on Objectives

Using a tool such as Metasploit, a pen tester can attack a system. In Figure 1, below, I am working in the Metasploit console (msfconsole) and have selected the exploit/windows/smb/ms17_010_psexec module. Meterpreter is the in-memory payload that Metasploit delivers once an exploit succeeds, and it is what I will use to interact with the victim afterwards. Unlike a client-side payload that has to be delivered through social engineering, this module exploits the MS17-010 SMB vulnerability directly over the network against a host that still exposes port 445.

To launch it, I set the target address (RHOSTS), choose a Meterpreter reverse payload, set the address and port my listener is on (LHOST and LPORT), and then enter run (or exploit). Nothing is compiled by hand; Metasploit builds the payload on the fly. In this case, the victim system is an older Windows 7 system, missing the MS17-010 patch, that is being used to control a supervisory control and data acquisition (SCADA) system.


Figure 1: Using Meterpreter to identify exploit codes.

Notice the last message in this image: it reports that the exploit succeeded and a Meterpreter session is open on the victim, which means I have compromised the system.

Now, I can engage in some credential harvesting. Or, I can establish persistence. Or, I can move laterally to other systems.

Figure 2 shows that I have uploaded the Windows Credentials Editor (WCE) from Kali’s /usr/share/wce/ directory. WCE reads the credentials of logon sessions (NTLM hashes and, with the -w option, cleartext passwords) out of LSASS memory on the victim; it does not need to read the SAM file itself, which Windows keeps locked while it is running. Notice that I’m doing this from within the Meterpreter session I established earlier, using its upload command. Once wce64.exe is on the victim I execute it, and it lists the credentials of every logon session currently held in memory. Notice the portion of the readout outlined in white in the image below.


Figure 2: Using the wce64.exe to obtain a user’s credentials.

In this case, I was able to grab the credentials for a built-in account that had been enabled. The important element is the NT hash, the same value Windows stores for that user in the SAM. An NT hash is an unsalted MD4 digest of the password, so it cannot be “decrypted”, but it can be cracked: any tool that hashes candidate passwords and compares the results will do. For example, I could use John the Ripper (with --format=NT). In my case, I’ve decided to use an online cracking service, which for common passwords amounts to a lookup in a precomputed table, as shown in Figure 3.


Figure 3: Decrypting user credentials using an online cracking tool.

The result is that I have now cracked at least one user account. I can go in any number of directions from here. To avoid generating further network indicators of compromise, I could simply close down my connection and then walk up to the victim system and log in interactively with the recovered password. That still leaves a trace, though: an interactive logon is recorded in the Windows Security log like any other.

From the security analyst’s perspective, I have various tools that will help me discover the above activities. Figure 4 shows Security Onion running SGUIL, which has logged how new groups and users have been created on the Windows system.


Figure 4: Running SGUIL with Security Onion.

The security analyst can also use Wireshark (Figure 5) and Process Explorer (Figure 6) to further trace attacks. 


Figure 5: Wireshark viewing packets from the attack.

 


Figure 6: Viewing an attack in progress using Process Explorer.

The above applications make it possible to see exactly what the pen tester – or hacker – is doing, provided someone is watching the right events.
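The following is an added example, not code from the post or from Security Onion or SGUIL: it shows the correlation an analyst would run over the Windows Security events behind Figure 4, tying a newly created local account to its addition to a privileged group and to a later interactive logon (the “walk up and log in” step above). The event records are constructed; the event IDs and logon types are the standard Windows Security log values.

```python
"""Hunt for the host-side traces of the steps above: a new local account,
its addition to a privileged group, and an interactive logon with it.

Added example, not code from the original post or from Security Onion/Sguil.
The event records are constructed; the event IDs and logon types are the
standard Windows Security log values."""
from datetime import datetime, timedelta

USER_CREATED = 4720        # A user account was created
MEMBER_ADDED = 4732        # A member was added to a security-enabled local group
LOGON = 4624               # An account was successfully logged on
INTERACTIVE_LOGON_TYPES = {2, 10}   # 2 = at the console, 10 = RemoteInteractive (RDP)
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}


def hunt(events, window=timedelta(hours=24)):
    """Return a list of findings, each a dict with the rule that fired,
    the account involved and a one-line description.

    Each event carries: time, id, target (account acted on), subject (who
    did it) and, depending on id, group or logon_type."""
    created = {}           # new account -> time it was created
    findings = []

    def recent(acct, when):
        return acct in created and when - created[acct] <= window

    for ev in sorted(events, key=lambda e: e["time"]):
        eid, acct, when = ev["id"], ev["target"], ev["time"]
        if eid == USER_CREATED:
            created[acct] = when
            findings.append({"rule": "new_local_user", "account": acct,
                             "detail": f"{when:%H:%M} {acct} created by {ev['subject']}"})
        elif eid == MEMBER_ADDED and ev["group"] in PRIVILEGED_GROUPS:
            fresh = " (account created within the window)" if recent(acct, when) else ""
            findings.append({"rule": "privileged_group_add", "account": acct,
                             "detail": f"{when:%H:%M} {acct} added to {ev['group']} "
                                       f"by {ev['subject']}{fresh}"})
        elif eid == LOGON and ev["logon_type"] in INTERACTIVE_LOGON_TYPES and recent(acct, when):
            findings.append({"rule": "interactive_logon_new_account", "account": acct,
                             "detail": f"{when:%H:%M} interactive logon "
                                       f"(type {ev['logon_type']}) by {acct}"})
    return findings


T0 = datetime(2018, 12, 5, 14, 0)
SAMPLE_EVENTS = [   # constructed; the type-3 logons are ordinary network logons
    {"time": T0, "id": LOGON, "target": "operator", "subject": "-", "logon_type": 3},
    {"time": T0 + timedelta(minutes=2), "id": USER_CREATED, "target": "svc_maint",
     "subject": "Administrator"},
    {"time": T0 + timedelta(minutes=3), "id": MEMBER_ADDED, "target": "svc_maint",
     "subject": "Administrator", "group": "Administrators"},
    {"time": T0 + timedelta(minutes=4), "id": LOGON, "target": "svc_maint",
     "subject": "-", "logon_type": 3},
    {"time": T0 + timedelta(minutes=47), "id": LOGON, "target": "svc_maint",
     "subject": "-", "logon_type": 2},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['detail']}")
```

The network logon of the new account at 14:04 (the pen tester’s own session) is deliberately not flagged by the third rule; it is the console logon at 14:47, type 2, that turns “I closed my connection” into a finding. In a real deployment these events arrive through the host agent Security Onion ships (OSSEC at the time of this post) rather than from a Python list.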

If you’re interested in learning more, join me on December 19 for the next Office Hours with James webinar to explore both sides of a hack. If you’re reading this after the event has passed, don’t worry: an on-demand version is available.
