Ask a Pen Tester, Part 2: A Q&A With Rapid7 Pen Testers Gisela Hinojosa and Carlota Bindner

This blog post is part two of a two-part series. For more insights from Gisela and Carlota, check out part one here!

Rapid7 pen testers Gisela Hinojosa and Carlota Bindner are back, ready to answer another rousing round of questions from our customers about the mysterious art of penetration testing. Read on to learn about their go-to attack methods, and defenses that trip them up:

Q: What’s the most underrated thing about what you do?

Carlota: I think report writing is one of the more underrated parts of penetration testing. When people think of penetration testing, they think of gaining access to a network, or finding cross-site scripting on a web application, instead of writing a report about those vulnerabilities and remediation. While it is underrated, reporting is a crucial part of what we do, since it is the tangible product the client receives detailing the engagement and guiding them toward a more secure application or environment.

Q: Which pentesting method/technique (web app, infrastructure, social engineering, etc.) do you find the most interesting and why?

Carlota: I find IoT penetration testing to be most interesting because the methodology we use for testing is focused not only on the device, but also the ecosystem that includes physical and wireless networks and web and mobile applications that connect to and support the device’s function.

Q: What’s your go-to method for obtaining credentials for lateral movement?

Gisela: This really depends on the network environment, but reused Local Admin credentials comes to mind. Also, searching through SMB shares or Wiki pages for passwords is a common way to move laterally.

Q: How often would you recommend that a company perform pen tests?

Gisela: We usually advise getting an annual test, since there are new vulnerabilities discovered every day and the risk changes depending on whether you are keeping up-to-date with those vulnerabilities.

Q: What differences are there from a pen test vs. a vulnerability assessment?

Gisela: A vulnerability assessment only uses an automated vulnerability scanner, which in our case is Nexpose. A pen test is not only about what vulnerabilities we find, but how we can exploit those vulnerabilities. In general, a pen test is more manual and will have a goal in mind, such as finding personally identifiable information (PII).

Q: What is your success rate using credentials from known breaches?

Gisela: I have personally never had any success on using credentials from known breaches. However, I have heard other colleagues that have had better success with them. The main issue I have seen with breach credentials is that they are not always secure and usually do not meet the company’s password policy.

Q: What is the one control that causes you the biggest headache when pentesting an environment?

Gisela: Local Administrator Password Solution (LAPS) has probably given me the biggest headache. Even if we do get Local Administrator on a host, it is a lot harder for us to move laterally with that access.

Q. What is the first step you take for an external pen test?

Gisela: Whenever I do an external test, I start with Open Source Information Gathering (OSINT). I look for possible usernames, DNS results that can reveal potential portals, password dumps, etc. Not skipping this step can save you time later in the engagement.

For more insights on the art of penetration testing, please check out our 2020 Under the Hoodie report. If you have any additional questions about penetration testing you’d like the pair to answer, please comment below or tweet us @Rapid7.