Planning Your First Ethical Hack on a Corporate Network

Ángel Cortez
4 min read · Dec 26, 2021

After researching and pitching several potential clients, you landed your first contract as a Penetration Tester.

Now what?

Let’s first make a checklist for your legal paperwork:

  • Non-Disclosure Agreement — the NDA protects the client’s private information from being shared by you, during or after the engagement, on the terms the contract sets out
  • Rules of Engagement — the RoE establishes targets, communication protocols (including how and how quickly you report depending on the severity of a discovered vulnerability), type of assessment, length of assessment, goals and expectations of the assessment, as well as the names and versions of the tools you are going to use
  • Scope — similar to the RoE, but focuses on detailing the target’s boundaries. It may include limits on privilege escalation for some endpoints and not others

Your first client seems to be the fast food giant Burger Queen.

After a few discussions you both happily agreed that none of the data discovered during the penetration test will be shared outside of the agreed parties for the next 10 years. You noted that they only want endpoints relating to their remote workers tested, including laptops, routers and the SaaS apps used to communicate.

Even though they are aware of vulnerable services running in their restaurants, they are only interested in having you measure the risks relating to their new Work from Home Policy for their corporate team.

They want the test to mimic a real attack from malicious hackers, so think like one (within the scope, of course!). Since no information will be provided to you by Burger Queen, your goal is to uncover as much information as possible to discover vulnerabilities and determine overall risk.

In your discussions, Burger Queen mentions that they want to avoid disturbing normal business functions.

Since it was legally determined that this was a Black Box assessment, it’s up to you to research information about Burger Queen that relates to the scope and goal of the Penetration Test.

Let’s begin planning by asking questions and brainstorming for pieces of information that relate back to our goal.

Remember, you were hired to answer one question:

How secure is the Work From Home Policy for remote workers?

Questions we might want answered include:

  • Who are the remote workers and what are their jobs?
  • What services do the targets use?
  • Are there any cyber attacks that exploited targets under a similar policy?
  • Is personal target information readily available?

Other helpful pieces of information may include:

  • The location of their corporate office
  • Number of employees that fall under the policy
  • Exact policy presented and signed by the employees

At this stage, you’ll find yourself doing mostly OSINT (Open Source Intelligence) research. If you are really lucky, you’ll find all of the target data on LinkedIn. This phase is often overlooked because you are not “hacking”, but it is one of the most important parts of an ethical hack.

OSINT can be helpful in finding:

  • potential passwords
  • behavior patterns
  • accounts with leaked credentials
  • contact information
  • potential attack vectors via other services
  • personal information for efficient phishing attacks

Google (or my favorite DuckDuckGo) is your best friend as an ethical hacker!

Now it’s time to plan potential attacks with all the research you did.

Because your goal is to test a specific policy, you need to find scenarios that the policy doesn’t protect against, or that are directly caused by it.

For example, the Work From Home Policy may allow:

  • The use of a specific laptop model with previously disclosed vulnerabilities if it is not configured or updated properly
  • Granting all permissions and keeping default settings in downloaded software
  • Using the work laptop for personal purposes
  • Doing work over a public wifi network, such as a coffee shop’s

With our example policy, as an ethical hacker you might want to cook up a remote code execution attack, phishing attack and brute force attempts. If you know where the target does work, you might plan wifi hijacking or a social engineering attack. Depending on the potential vulnerabilities, you might be able to plan a privilege escalation attack that roots to corporate level admin!

Make sure that you communicate with the client all the tools you are going to use and document them.

Per request, Burger Queen doesn’t want you to exploit the discovered vulnerabilities. They want to use data from your assessment to adjust their policy and educate their employees. So rather than executing a damaging attack, your focus should be on finding where people “trip”. For example, you might plan a phishing attack and report how many people opened the malicious email. Or you might test a few accounts with weak or exposed credentials to report them back directly to the accounts that need attention.

The most important theme throughout this is to keep in mind the legal agreements. As an ethical hacker, it’s easy to pivot because you spotted a different vulnerability, but doing so can damage the business operations and you’ll be to blame. Without a legal document protecting your actions, you can land yourself in jail or owing a huge fine.

Be thorough in how you verbally and legally communicate with your client to lay out boundaries and scenarios if an incident happens or is discovered.

At the end of the day, your goal as an Ethical Hacker is to help the business discover potential vulnerabilities that malicious hackers will happily exploit.
