Pentesting Frameworks And How They Work - A Dive Into Web And Mobile App Pentesting.
These processes explains how to obtain the information you need for a successful campaign.
Hey everybody, welcome back to the series. Today, we will be taking a deep dive into the world of what a real pentest engagement looks like and the processes involved. We will also look at how the process looks regarding mobile.
During mobile app pentesting, there is some interesting information we set out to look for, some low-hanging fruits to get the ball rolling. With that said, let’s dive in.
The Penetration Testing Process
Reconnaissance
Information gathering can be both active and passive. We do this to learn more about the target.
Active - physical recon, interacting with targets via social engineering, anything with a hands-on target approach.
Passive - using tools like LinkedIn, google, and publicly available information to enumerate the target.
Scanning / Enumeration
Using tools that touch the target's physical or digital infrastructures to enumerate vulnerabilities, open ports, etc. After scanning, we enumerate to find if there’s anything of value.
For example, using tools like nmap, dirb, nikto, nessus, etc.
Exploitation
Taking advantage of the vulnerabilities you discovered during enumeration and recon to gain access to the system.
Privilege Escalation
Once inside of the system or environment, moving laterally or vertically to obtain more access or maintain access should we be kicked out of the system.
Lateral movement - from a device or app to another device or app as the same user.
Vertical movement - from low-level user to higher-level account
Covering Tracks
Eliminating evidence that may incriminate you or leave signs of exploitation. Example: Deleting the malware you uploaded to gain access, Changing timestamps, deleting logs, erasing video footage, etc. As a pentester, you need to clean up.
Reporting
The results of your hard work whether successful or not is outlined with the findings and exploits to the company including steps on how to fix them. Find a list of resources on how to write a great report at the end of this article.
If you want to dig a little deeper into this, then check out The Cyber Mentor ethical hacking course on youtube. It’s in two parts, part 1 and part 2.
Now that we’ve seen what the process looks like for web apps and networks, let’s dive into what we do when testing mobile applications.
The Mobile Pentest Process
Reconnaissance
Look at earnings reports and press releases often contain info about mobile apps.
Find the target app on the play store or apple store
read the reviews
enumerate who created the app
enumerate the different app versions and patch notes
enumerate the company's other apps
Note:
Sometimes new apps are released for androids and are not available for iOS yet. There's no need to sign in to Play Store, search {name of app} google/apple store. On the Apple store, we're given the version history
Static Analysis
Reading the application code via manual or automated tools to assess the security. Looking for hardcoded strings, security misconfigurations, or additional targets extracted from the app.
Static analysis will sometimes result in the pen-testing process being triggered, especially additional enumeration or fingerprinting.
Find a URL - recon, enumerate, exploit, etc
- Many companies use other API gateways/paths for mobile apps vs the traditional website.
Find an email/username - recon using phonebook.cz, etc
Find a storage bucket - recon, enumerate with cloud_enum
What we're looking for
API keys
Emails and passwords
Hard coded strings
URL
Dynamic Analysis
Running the application, monitoring and manipulating it to figure out what it’s doing based on its behavior. This allows us to look at the backend of the application because some applications download extra data during runtime.
Monitor the file system, app interactions and operating system interaction
Intercepting traffic with proxies like burp suite/proxyman
Dumping memory from the application to check for insecurely
Stored secrets
Checking local storage for files created in runtime (app running )
Breaking SSL pinning at runtime
Dynamic analysis can often result in attacks related to the OWASP top ten SQL injection, Cross-Site Scripting, IDOR, XXE, etc
Note on XSS: you often will get XSS in the mobile app itself, but sometimes this can affect the full version of the website.
Learn more about dynamic analysis from this webcast on SANS by Jeroen Beckers.
Reporting
Often contains an executive summary as well as specific vulnerabilities discovered
Write a report for both OWASP top ten (web) and OWASP top ten (mobile) in mind
Provide the business with the criticality as well as steps to reproduce
Remember to mention the positive security implementations!
Here’s a good resource to learn how to write a penetration testing report by hackersploit and here is a list of public pentest reports by juliocesarfort. For more information on report writing check out Gabrielle B’s post on Linkedin which contains some useful links to great resources and insights.
If you’re enjoying this series, consider following me here, like comment and share this with friends and colleagues.