It's Summer 2019! (whoops, did I just dox your password?), which means it’s time for another edition of our wildly fun and informative survey of the art and esoterica of penetration testing, Under the Hoodie. This report covers the measurable results of about 180 penetration tests conducted by Rapid7’s crack penetration testing team, then analyzed and examined by Data Scientist Kwan Lin and me, Research Director Tod Beardsley.
Not only is this a fun report to read, but it was fun to write, too. For example, I learned that about 50% of the time we’re on an internal engagement, we uncover at least one target Windows machine that’s vulnerable to the now-rather-ancient MS08-067 and the starting-to-get-old MS17-010.
The good news here is that MS08-067 is slowly but surely disappearing from corporate LANs around the world. The bad news—aside from this 50/50 shot at a total remote code execution exploit—is that the patches for MS17-010 are not only already two years old, but are also connected to THE most talked-about widespread exploitation the world has ever seen, WannaCry.
Of course, that’s why you pen test in the first place. Often, the goal of a penetration test is to find those dark, cobwebby corners of your IT infrastructure. Even if you think your asset management and patch pipeline is tip-top, you never really know until you release the hounds to sniff out those isolated bits of badness that can lead to a full domain compromise.
But hey, maybe you’re not into stats and graphs. Never fear! This report also has a handful of fun sidebar stories, “This One Time on a Pen Test,” direct from the consultants themselves. For example, if you learn nothing else from this report, you might want to read up on how mousejacking was used in a real engagement by Jesse Gardner to hijack a wireless mouse and use it as a remote keyboard from a couple dozen meters away. It’s some pretty neat, Hollywood-hacking-style stuff that’s actually practical.
So, head on over here and check out the report, and if you're just dead set against literacy, you can join me and Kwan at our webcast about the findings. I’ll also be hanging around Hacker Summer Camp in Las Vegas (Booth 804 at Black Hat, and at the Metasploit Merch Table at DEF CON), if you want to talk about this stuff in person.
By the way, we're looking to expand our coverage beyond just Rapid7-performed penetration testing for 2020, so if you're part of a penetration testing organization and would like to participate in the next survey, get in touch with us at firstname.lastname@example.org. We'll set you up with our survey materials; after all, part of the purpose of this research is to not only illustrate what pen testers find on the typical engagement, but to illuminate people who may be a little fuzzy on what pentesting actually is (and is not). I figure the best way to do this is to strive for something more vendor-neutral. After all, Rapid7 is a big booster of open source, and that goes for research and data, too. Anyway, go read the report, and if this is the kind of thing you'd like to help out on, drop us a line.