Saturday, 21 July 2012

Metadata

As organizations create documents, the software they use embeds an enormous amount of information in the document files, including a good deal of metadata. Much of this metadata is associated with formatting and display of the other data in the file. Besides this formatting metadata, many file creation and editing tools include additional metadata entries that can be very useful for penetration testers during the reconnaissance phase, such as:

  • User names: Penetration testers often need user names for exploitation and password-guessing attacks
  • File system paths: Knowing the full path of the original file when it was created can reveal useful tidbits about the target organization
  • E-mail addresses: This data can be useful if the penetration test scope includes spear phishing tests
  • Client-side software in use: Given that client-side exploitation is such a common attack vector, it can be helpful to penetration testers to know which client-side programs are in use

Almost every document type has some form of metadata, but some are richer in metadata than others. The following types of documents, generated and used by most enterprises, are of particular interest to penetration testers:

  • pdf files: These files are associated with Acrobat Reader and a variety of other pdf creation and editing tools.
  • doc/docx, xls/xlsx, and ppt/pptx files: These files are associated with the Microsoft Office suite, but are also used by several other related tools.
  • jpg and jpeg: These image files often contain a significant amount of metadata, including data about the camera used to take a picture, the file system of the machine where the image was edited, and details about the image-editing software.
  • html and htm: These file types contain web pages, and may at first seem uninteresting. However, their comments and hidden form elements could contain metadata that is very useful to a penetration tester. Additionally, scripts embedded in the HTML may reveal sensitive information or undocumented features of a web application.
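
The same fields can be checked before a document leaves the organization. The script below is an added example, not part of the original post: it reads the standard property parts of a docx/xlsx/pptx file (docProps/core.xml and docProps/app.xml) and reports the user names and client software recorded there. The sample file and every value in it (jsmith, CORP\adoe, Example Corp) are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# (part inside the OOXML zip, element, category from the list above)
FIELDS = [
    ("docProps/core.xml", "dc:creator", "user name (creator)"),
    ("docProps/core.xml", "cp:lastModifiedBy", "user name (last editor)"),
    ("docProps/app.xml", "ep:Application", "client software"),
    ("docProps/app.xml", "ep:AppVersion", "client software version"),
    ("docProps/app.xml", "ep:Company", "organization"),
    ("docProps/app.xml", "ep:Template", "template"),
]

def audit_ooxml(data: bytes) -> dict:
    """Return identifying properties present in a docx/xlsx/pptx file."""
    found, roots = {}, {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        present = set(z.namelist())
        for part, element, label in FIELDS:
            if part not in present:
                continue  # property parts are optional
            if part not in roots:
                roots[part] = ET.fromstring(z.read(part))
            node = roots[part].find(element, NS)
            if node is not None and node.text and node.text.strip():
                found[label] = node.text.strip()
    return found

def build_sample(include_app: bool = True) -> bytes:
    """Constructed sample: a zip holding only the two property parts."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            '<dc:creator>jsmith</dc:creator>'
            '<cp:lastModifiedBy>CORP\\adoe</cp:lastModifiedBy></cp:coreProperties>')
    app = (f'<Properties xmlns="{NS["ep"]}"><Application>Microsoft Office Word'
           '</Application><AppVersion>14.0000</AppVersion>'
           '<Company>Example Corp</Company></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        if include_app:
            z.writestr("docProps/app.xml", app)
    return buf.getvalue()

if __name__ == "__main__":
    for label, value in audit_ooxml(build_sample()).items():
        print(f"{label}: {value}")
```

Any field this reports for a file headed to a public web site is a candidate for scrubbing before release.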

Thursday, 19 July 2012

The Purpose of Pen-Testing

The purpose of pen-testing is simple: to find security flaws before an external or malicious internal party does.

How effective the process is at doing this is debatable, but the purpose remains the same nonetheless.

After applying their security policies, procedures, and technology, organizations can use thorough penetration tests to see how effective their security really is in light of an actual attack, albeit by friendly attackers.

The scope does mean that an attack from an external party will be different from a pen test, and the quality of the tester is important. An added benefit of ethical hacking and penetration testing is that, because they show real vulnerabilities and indicate what a malicious attacker might be capable of achieving, they can get management’s attention. Decision makers, when presented with the carefully formulated results of a test in business terms, are more likely to provide resources and attention to improve the security stance of an organization.

If a double-blind test is used, the test can act as a validation of the Incident Handling process: the people monitoring the site have no notice of the test and are thus being tested themselves.

A major goal of penetration testing and ethical hacking is discovering flaws so that they can be remediated (by applying patches, reconfiguring systems, altering the architecture, changing processes, etc.).

It is important to note that in most tests, not all of the discovered vulnerabilities are actually addressed!

A common recommendation is that all high-risk vulnerabilities be addressed in a timely fashion, but the truth is that some vulnerabilities linger long after a test is complete, even high-risk issues. Remember, information security is all about managing risk, not eliminating it.