Under the Hoodie 2018: Lessons from a Season of Penetration Testing

Last updated at Wed, 13 Dec 2023 23:52:49 GMT

Today, I’m excited to announce the release of our 2018 edition of Under the Hoodie: Lessons from a Season of Penetration Testing by the Rapid7 Global Services team, along with me, Tod Beardsley and Kwan Lin. In this paper, we collect and analyze the results of a long-running exit survey we give to our penetration testing team that covers what goes on in real-world pentests: what kinds of vulnerabilities are exploitable, what kinds of software and network misconfigurations are leveraged to enhance access, and how user credentials are obtained and used.

268 Engagements Surveyed

Probably the most scientifically relevant feature of this paper is the fact that we’re able to collect data from hundreds of penetration testing engagements. A particularly industrious and busy individual pentester might be involved in about forty penetration tests in a given year, and most are involved in far fewer engagements. Drawn from hundreds of engagements across all sorts of industries and organization sizes, Under the Hoodie can only help penetration testers learn more about what the normal baselines in their own specializations look like.

Exploitation Success Rates

We found that, overall, Rapid7 penetration testers were able to exploit at least one in-production vulnerability in 84% of all engagements. That figure rises to 96% of all internally-based penetration tests, where the pentester has (or gains) local network access. This finding tells us that while penetration testers don’t quite always win (by gaining administrative control of a network), when they are able to touch the internal LAN or WLAN, the attacker success rate significantly rises. While this finding might be intuitive to practitioners in this space, we believe there’s a lot of value to be had in actually measuring this success rate in the field.

Credential Capture

Just over half the time (53%) on a given engagement, at least one useful username and password is collected from the target organization, and that capture rate rises to 86% when the attacker is already in the local, internal network. Penetration testers will be the first to tell you that it’s usually easier to simply guess (or ask for) passwords than to exploit vulnerabilities and leverage network misconfigurations, and attacks involving capturing credentials tend to afford longer-lasting access.

This One Time on a Pentest

While the statistics around success and failure rates on penetration tests are fascinating on their own, this paper also pulls in a number of “war stories” related by individual penetration testers. These stories are both wildly entertaining tales of technical derring-do as well as illustrative examples of vulnerability exploitation, investigative techniques, and examples of the kind of in-the-moment flexibility that a seasoned professional penetration tester can provide to an organization. After all, when companies are paying for professional services, they should expect a level of experience and expertise that (alas) cannot be comprehensively provided by an automated scan-and-patch IT security solution.