6 Critical Penetration Testing Skills Gaps That Are More Common Than You Think




EC-Council invested heavily in research on penetration testing requirements, standards, and skills, with the aim of creating a new, hands-on penetration testing program and certification that represents the real-world skills enterprises demand today.

The expectation was to create a penetration testing certification like no other: a 100% hands-on, proctored certification exam that would require candidates to demonstrate skills that are in demand in the global landscape today. What we uncovered in this process is that many of these skills, which are considered fundamental given the rapidly advancing and evolving tech landscape, are worryingly missing in many penetration testers today. Skills such as advanced Windows attacks, accessing hidden networks with pivoting, attacking IoT systems, double pivoting, evading defense mechanisms, bypassing a filtered network, attacking automation with scripts, weaponizing exploits, pentesting operational technology (OT), and writing professional reports seemed to be the exception rather than the norm.

We identified these gaps during the recent CPENT Challenge, where we invited industry practitioners who had the requisite qualifications (at least on paper) to take the CPENT exam. Unfortunately, they could not even get through the initial stage. This underlines the alarming inability of the testers to deal with a commercial-grade, industry-specific, filtered environment as opposed to a “capture the flag”-style exam.

Let’s discuss the skills gaps that we discovered in the penetration testers who helped beta test our CPENT exam. Most of them hold what they describe as “hands-on industry certifications in penetration testing.” CPENT was built to go beyond the basics, so we built challenges that are actually based on real-world engagements. These are the skills that every organization should look for when they hire team members.


1. Lack of network knowledge

As a tester, you are not always going to be connected into the network, and the network will not always automatically work. To expect that is evidence of a lack of proper training. As a penetration tester it is very likely that you will be an external tester. As an outsider, the first thing you should do is check whether your routing table actually has a route to the range you are trying to scan. Once you have done this, you need to determine whether there is anything between you and the target.
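The route check described above, as an added Python example that is not part of the original article or of the CPENT material: it parses a routing table in the style of `ip route` output (the table here is constructed, not taken from any real host) and uses longest-prefix matching to classify each target as on-link (nothing routed between you and it), reachable via a specific gateway, reachable only through the default route, or unroutable. The `ip route`-style format and the address ranges are assumptions for the illustration.

```python
import ipaddress

# Constructed routing table in `ip route` output style (not from a real host).
CONSTRUCTED_ROUTE_TABLE = """\
default via 10.10.0.1 dev eth0
10.10.0.0/24 dev eth0 proto kernel scope link src 10.10.0.50
172.16.20.0/24 via 10.10.0.254 dev eth0
192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.7
"""

# Same table without a default route: a host that can only reach its local segments.
CONSTRUCTED_TABLE_NO_DEFAULT = """\
10.10.0.0/24 dev eth0 proto kernel scope link src 10.10.0.50
"""


def parse_routes(text):
    """Parse `ip route`-style lines into (network, gateway_or_None, device) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)
        gateway, dev = None, None
        for i, tok in enumerate(fields):
            if tok == "via":
                gateway = ipaddress.ip_address(fields[i + 1])
            elif tok == "dev":
                dev = fields[i + 1]
        routes.append((net, gateway, dev))
    return routes


def best_route(routes, target):
    """Longest-prefix match: the most specific route containing `target`, or None."""
    addr = ipaddress.ip_address(target)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)


def classify_target(routes, target):
    """Describe how a target would be reached, in a form worth recording in your notes."""
    route = best_route(routes, target)
    if route is None:
        return "no-route"           # packets to this target never leave the host
    net, gateway, dev = route
    if gateway is None:
        return f"on-link:{dev}"      # same segment, no router in the path
    if net.prefixlen == 0:
        return f"default-route:{gateway}"  # only the default gateway knows the way
    return f"specific-route:{gateway}"     # an explicit route exists, so at least one hop sits between you and it


def plan_scan(routes, targets):
    """Classify every target range you intend to scan before firing a single probe."""
    return {t: classify_target(routes, t) for t in targets}
```

Anything other than `on-link` means there is at least one router, and very possibly a filter, between you and the target; a `no-route` result means the scan would never have left your host at all, which is exactly the situation the paragraph warns about.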

2. Lack of knowledge of filtering

When a filter is in place between you and a target and/or network, many testers simply stalled. Trust us, in the real world there will be a filter somewhere, and handling it is another unique component of the CPENT program: we teach extensively what a penetration tester should do when faced with filters in the real world. So, what do you do? Go deeper and analyze it. The first questions you should ask are:

  1. Is it a stateless filter (like a router)?
  2. Is it a stateful filter running firewall software, or a dedicated device?
  3. Is it an iptables rule set?

You may not get the entire answer, but in the CPENT course we teach you a systematic approach: how to analyze it, take what the network gives you, and “Go Deeper.” We know it is challenging, and that is by design.

3. Assuming ICMP is allowed

Another common skill we see lacking is dealing with a network where ICMP is blocked. Since the Smurf attack, best practice has been to block ICMP, so any enterprise network that follows even the simplest guidance is going to block or restrict it. So, what do you do? Try another protocol, document what works and what does not, and update your target database. Remember, not all networks will be directly reachable.

4. Assuming every target is exploitable

This is once again a very common mistake the professionals tended to make during the challenge, and once again it is something unique to the CPENT program, because in an actual test in the real world, are we going to be able to access every machine on the client network? We have never seen this in testing, so we want you to be able to analyze what can and cannot be exploited, because the client needs to know whether their machines are protected.

5. Not understanding segmentation

We learned through our testing that many professionals do not understand segmentation sufficiently. Segmentation is not a new concept, even though it is largely ignored. Testers must know how the network is designed, because you will want to document to the client whether lateral movement is possible and, if it is, how easy it was to get there. In the CPENT course, we have designed segments and layers, so you have to analyze what the network is showing you. Take a Domain Controller as an example. In an enterprise, should it be exposed to an external tester? Your answer should be no! So, how do we find it? You find the machines that are visible and map the attack surface; then, once you gain access, you look again from that position of access. This is critical, both from the standpoint of a positive finding that the domain controller is not directly reachable and of a negative finding that one of the reachable machines provided access to the forest! That is essential, critical information for the client, and that is the goal of a professional assessment.

6. Not understanding egress or outbound traffic

We found that most testers know they need a reverse shell to get out of a filtered and/or segmented environment, but few understand how to do a technique we call “egress busting.” Metasploit is a great tool, but with its default port of 4444, people have gotten too comfortable with using defaults. The CPENT program will make you think differently. Can you think of any valid reason for an enterprise network not to egress filter? This was the case years ago, but it is no longer. Most environments egress filter: that is, they only allow out what is required and deny all else. So, in the CPENT exam, we have set basic egress filters so you have to figure out how to egress bust. In the course we teach how to create scripts to do this, and these are the types of things you have to do to get the shell back to you.

Hint: do not select a port that is typically proxied.
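The two filter ideas this article raises, the stateless-versus-stateful question from the filtering section and the “allow out what is required, deny all else” egress policy from this section, as one added Python simulation. This is illustrative code written for this page, not part of the article or of any EC-Council course material, and the inside network, rules, addresses and packets are all constructed. It models a router-style stateless ACL and a stateful firewall with a connection table, then evaluates the weak egress setting (anything out) beside the corrected one (only DNS and web out, default deny), which is the policy an enterprise needs so that a callback to a default port such as 4444 does not simply leave the network.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed "inside" network for the simulation; every other address counts as outside.
INSIDE = ipaddress.ip_network("10.10.0.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    direction: str                  # "out" (inside -> outside) or "in"
    dport: Optional[int]            # destination port to match; None matches any port
    action: str                     # "allow" or "deny"
    flags_required: frozenset = frozenset()  # e.g. {"ACK"} to emulate an "established" rule


def direction_of(pkt: Packet) -> str:
    return "out" if ipaddress.ip_address(pkt.src) in INSIDE else "in"


class StatelessFilter:
    """Router-style ACL: each packet is judged on its own header, with no memory of earlier ones."""

    def __init__(self, rules, default="deny"):
        self.rules = list(rules)
        self.default = default

    def decide(self, pkt: Packet) -> str:
        d = direction_of(pkt)
        for r in self.rules:  # first matching rule wins
            if (r.direction == d and (r.dport is None or r.dport == pkt.dport)
                    and r.flags_required <= pkt.flags):
                return r.action
        return self.default


class StatefulFilter(StatelessFilter):
    """Firewall with a connection table: replies to a tracked flow pass without a rule of their own."""

    def __init__(self, rules, default="deny"):
        super().__init__(rules, default)
        self.flows = set()  # (src, sport, dst, dport) of connections that were allowed to start

    def decide(self, pkt: Packet) -> str:
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"  # reply to a connection we already let through
        verdict = super().decide(pkt)
        if verdict == "allow" and "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict


# Weak setting: anything may leave the network.
PERMISSIVE_EGRESS = [Rule("out", None, "allow")]
# Corrected setting: only what the business needs (DNS and web) leaves; all else is denied by default.
REQUIRED_ONLY_EGRESS = [Rule("out", 53, "allow"), Rule("out", 80, "allow"), Rule("out", 443, "allow")]


def handshake_outcome(fw: StatelessFilter):
    """Verdicts for an outbound SYN to 443 and for the SYN-ACK that comes back for it."""
    syn = Packet("10.10.0.50", 51000, "198.51.100.9", 443, frozenset({"SYN"}))
    syn_ack = Packet("198.51.100.9", 443, "10.10.0.50", 51000, frozenset({"SYN", "ACK"}))
    return fw.decide(syn), fw.decide(syn_ack)


def egress_verdicts(rules, ports=(443, 4444, 8080)):
    """Which outbound destination ports a policy lets an inside host open connections to."""
    fw = StatefulFilter(rules)
    return {p: fw.decide(Packet("10.10.0.50", 51000 + p, "198.51.100.9", p, frozenset({"SYN"})))
            for p in ports}
```

Under the required-only policy the stateful filter completes the 443 handshake on its own, while the stateless ACL drops the returning SYN-ACK until an explicit inbound rule keyed on the ACK flag is added; that difference in reply handling is why the article's first question about a filter is whether it is stateless or stateful. The egress table shows 443 passing and 4444 and 8080 denied under the corrected policy, and everything passing under the weak one.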


The initial planning started in March 2020. The EC-Council team created a draft of the skills the industry would want in someone they hire for an engagement, and then, while this plan was under review, we built a network design based on one of the real-world assessments that my team and I had completed in the past for a large company. This assessment was unique because it required knowledge and skills across a wide variety of topics. We set out to create a program with never-before-seen components, including the industry firsts of binary analysis and exploitation, IoT firmware analysis, SCADA, and OT, as well as single and double pivoting.

We understand that this is different and hard, but that is how we designed it. For us, the key to a great tester is someone who can analyze what the network shows them. This is a required industry skill. Professionals analyze the network and determine what is present. Once you have done that you can go deeper. The CPENT exam is not a CTF-style exam. Trying to anticipate what the CTF designer did will not get you anywhere, as this is not how things are in the real world.

So, what do we mean by “Go Deeper”? In the CPENT exam guide, we have provided tips that help you take what the packets show you and use it to design your strategy. In industry testing, we have to analyze the network and look for the attack surface. The CPENT exam also requires this at a deep level.



We know methodology gets a bad name, but every successful professional tester has a systematic approach to testing. To be successful in the CPENT exam, here is a high-level outline that may help you:

01. Planning

This is often overlooked, but it is critical that you do this. You start by READING the exam guide. We have provided you IP blocks to scan, and the goal is for you to create a target database. This is the same requirement we have given team members for many years. You have to build the target database. Note: we have told you right from the start that this is not a flat network, so you cannot just throw a default scan at it. Also, not all networks will be directly reachable. Some may be, but others will require access to one network first. This is called “Island Hopping,” and you will be required to do a lot of it on this exam.

02. Map the Attack Surface

This is critical, but FIRST you need your target database of live systems. Another first in the CPENT exam is we have filters deployed, so you have to deal with those as well. In the real world, very few networks will be wide open and those that are do not present any real challenges and should be easy to assess.

03. Look for Weaknesses

You have to find the weakness, and there may be many or none! Either way, you have to discover whether there are any weaknesses. From what we have seen, too many testers just fire blindly without a method behind the madness rather than following a systematic process. Any weaknesses you find must be documented and analyzed to see if they can be breached to gain access.

04. Prioritize the Targets

It is critical to prioritize the targets. If there is only one port open on one machine and ten other ports are open on another, a seasoned tester will start with the machine with more ports open, unless they know that there is a weakness in that single open port that they can use for leverage. When you have time, then you should come back to that machine. If you start with the hard target first, then you might get stuck and spend all the time on that target. An industry expert tester will identify which target to start with and the plan to follow against all targets systematically.

05. Document results

One of the most important things that is often overlooked is the final report. For an industry expert, this is where they display their skills. The final report is the one thing that the client gets to keep and use to improve their security policy long after the testers are gone. The content for this report comes from the data you have collected and analyzed. If you have done a respectable job on this then the report should be a simple task of extracting the required details from the target database. Also, while it is nice to exploit targets, the client does not require the information on how or what we did. All they need is what their attack surface is, the risk from a given vulnerability, and how they can reduce or mitigate it.
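The target database that steps 01 through 05 revolve around, as an added Python example (illustrative code written for this page, not the article's or EC-Council's own tooling). It records probe results as the tester gathers them, treats a host as live if any probe got an answer regardless of whether ICMP replied (the point of the ICMP section above), tracks which hosts were reached only through a first hop (island hopping, step 01), orders live hosts by open-port count as step 04 describes, and emits one line per host for the attack-surface section of the report (step 05). All hosts, ports and results are constructed; the probe naming scheme (`tcp/22`, `icmp-echo`) is an assumption for the illustration.

```python
# Constructed probe results, in the form a tester records while working through the
# target ranges (not output from any real scanner or network).
CONSTRUCTED_OBSERVATIONS = [
    # (host, probe, result, reached_via)   reached_via=None means reached directly
    ("10.10.0.20", "icmp-echo", "no-reply", None),
    ("10.10.0.20", "tcp/22", "open", None),
    ("10.10.0.20", "tcp/80", "open", None),
    ("10.10.0.20", "tcp/443", "open", None),
    ("10.10.0.20", "tcp/445", "filtered", None),
    ("10.10.0.21", "icmp-echo", "no-reply", None),
    ("10.10.0.21", "tcp/22", "open", None),
    ("10.10.0.21", "tcp/80", "closed", None),
    ("10.10.0.22", "icmp-echo", "no-reply", None),
    ("10.10.0.22", "tcp/22", "filtered", None),
    ("10.10.0.22", "tcp/80", "filtered", None),
    ("172.16.20.5", "tcp/3389", "open", "10.10.0.20"),  # second segment, reached only after a first hop
]


def record(db, host, probe, result, via=None):
    """Add or update one observation; the database is a dict keyed by host address."""
    entry = db.setdefault(host, {"probes": {}, "via": via})
    entry["probes"][probe] = result
    if via is not None:
        entry["via"] = via


def build_target_db(observations):
    db = {}
    for host, probe, result, via in observations:
        record(db, host, probe, result, via)
    return db


def is_live(entry):
    """A host that answered any probe (open or closed) is live, whatever ICMP said."""
    return any(r in ("open", "closed") for r in entry["probes"].values())


def open_ports(entry):
    return sorted(p for p, r in entry["probes"].items() if r == "open")


def prioritize(db):
    """Live hosts, the one with the most open ports first (ties broken by address)."""
    live = [h for h, e in db.items() if is_live(e)]
    return sorted(live, key=lambda h: (-len(open_ports(db[h])), h))


def summarize(db):
    """One line per host for the report's attack-surface section."""
    rows = []
    for host in sorted(db):
        e = db[host]
        status = "live" if is_live(e) else "undetermined"
        path = "direct" if e["via"] is None else f"via {e['via']}"
        rows.append(f"{host:<14} {status:<12} {path:<16} open={','.join(open_ports(e)) or '-'}")
    return rows
```

A host whose every probe came back filtered stays `undetermined` rather than being written off, which is what keeps it on the list for another protocol later; once a later probe answers, a single `record` call moves it into the prioritized order without any other bookkeeping.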

The above is an abstract, systematic process that has not changed for a very long time; only the tools and the targets have. By following this systematic approach, a tester can assess ANY environment and get the required data. This methodology may not provide you with direct access, but it will help you research methods and find a way in.

The principle of penetration testing has always been to find a weakness and then try to find an exploit for that weakness. The CPENT challenges you to Go Deeper in a real-world environment. One of the ways that you are challenged is via the network zone filters between you and the target.

We have built something unique and exclusive with the CPENT and we acknowledge it is very challenging. We believe building an exam that mirrors what the industry requires is the best way to build industry-ready penetration testers. In order to attain the CPENT certification, you have to go beyond the typical CTF and flat network mindset and Go Deeper by analyzing what the network gives you and leveraging it.

If you do earn the CPENT and want to potentially contract on engagements, do reach out. Once you have the CPENT certification, we know you have the skills that the world is looking for, and we will proudly stand behind you.

Now, standby for heavy rolls

Good luck!
