Whiteboard Wednesday:

Under the Hoodie 2018 Report

October 24, 2018

Kwan Lin, Senior Data Scientist at Rapid7, takes us through an overview of our findings from our most recent Under the Hoodie penetration testing report. Learn which three categories of compromise were targeted, and what our pen testers did to hack into these systems. Understand how these vulnerabilities were so easily exploited and what you can do to effectively secure your organization even more.


Video Transcript

Hi, my name is Kwan Lin, Senior Data Scientist at Rapid7, and one of the contributors to the 2018 Under the Hoodie report. Penetration testing, or pen testing in brief, is often opaque or mysterious to non practitioners, even to seasoned pen testers themselves who are remarkably skilled, their understanding of pen testing as a practice is often limited to their individual experiences.

The Under the Hoodie report was penned as an effort to demystify pen testing with a combination of data-driven analysis, and in-depth narratives. Now, between September 2017, and mid June of 2018, we collected survey responses on 268 engagements from Rapid7 pen testers. In those surveys, we questioned pen testers about client expectations, methods employed, successes and failures, amongst other details. We collected all those survey responses and performed a macroscopic analysis to elucidate trends and patterns.

This approach allows us to draw conclusions about pen testing using expansive data rather than narrow anecdotes. I think it's important to point out that these pen test engagements are professional engagements with negotiated statements of work, and specifications for project scope.

Our pen testers were able to explore some sort of in-production vulnerability in 96% of internal penetration tests. While longer engagements do typically reveal more issues, most critical issues can be discovered within that one week window. In general. What those two findings together conveys is our pen testers can often exploit most major critical issues at a client site in a very narrow window of time.

Now, let's take a deeper dive into what our pen testers found on the job. Our pen testers were able to exploit some sort of software vulnerability in about 84% of all engagements. Some of the most common exploits included SMB relaying, broadcast name resolution, and cross-site scripting (XSS). The prevalence of vulnerabilities encountered differed between internal and external engagements. For instance, vulnerabilities like broadcast name resolution, and local privilege escalation were much more common with internal engagements than external.

We also took a close look at misconfigurations, which often exist due to implementation errors by target organizations, and they create opportunities for pen testers to succeed. Overall, our pen testers were able to utilize some sort of misconfiguration in about 80% of engagements.

The most common types of misconfigurations involved services, particularly networks, account privileges, and passwords. Pen testers often rely on utilizing valid usernames and passwords as a means of compromising targets. After all, no matter how hardened an organization's network is, it must inevitably provide channels for legitimate users to pass through, which in turn creates opportunities for pen testers to crack through the layers of safeguards.

Our pen testers were able to successfully capture credentials in 53% of all engagements. On internal engagements where pen testers had access to the local area network, the success rate for credential capture rose to about 86%. There are a number of ways to capture credentials. Based on the survey results, we found that by far, the most reliable way to find valid credentials was to collect open source intelligence for usernames, and to manually guess passwords. This approach accounted for about 10% of successfully captured credentials.

Furthermore, we took a closer look at thousands of passwords and we're able to identify some notable patterns in the passwords. It's worth looking at our findings to get a sense of how you could possibly modify password policies to make credentials more secure.

Once our pen testers were able to achieve some foothold in an organization's environment, their next objective was to gain administrative control. Overall, our pen testers gained site-wide administrative control in 28% of engagements. Unsurprisingly, they tended to be much more successful on internal engagements rather than external engagements.

Many organizations implement measures to either deter or detect malicious actors, but how effective are those mechanisms, exactly? Our pen testers were able to entirely evade detection in 61% of engagements. The results also suggest that if they were not detected within the first day of engagement, it was unlikely that they would be detected at all.

Now, I just shared quite a few details and statistics about Rapid7's collective pen testing experience over the last few months. Still, I encourage you to head on over to Rapid7 to grab a copy of the full report. While I hope the details shared in today's presentation are interesting and useful, there's significantly more detail in the full report itself.

If you have any questions, feel free to reach out to us at research@rapid7.com. That's it for this week's Whiteboard Wednesday. Have a great day, and do make sure that you're using a solid, unpredictable password.

UTH 2018 Full Report

Read our full report for more in-depth details of our findings.

Read More

Watch: Under the Hoodie in Action

Each year, Rapid7 penetration testers complete more than 1,000 assessments. In this video series, we've collected their stories to give you some true insight into what goes on beneath the hoodie.

Watch Now