The two that we’ll focus on here are both variances of zero-knowledge: zero-knowledge, external penetration testing; and zero-knowledge, internal penetration testing.
Zero-knowledge testing is defined by having little to no information before the assessment begins. In the strictest interpretation, the assessor would not be given any information at all. However, it’s very rare to receive no information whatsoever from a client. A tester usually needs to be given a set of acceptable targets lest they attack unknowing victims. In-scope URLs and IP addresses are usually provided along with exclusions, such as IP address blacklists and restrictions, on testing time windows.
In some cases, the scope of testing will be an organization’s entire external presence. With this approach, it’s common for the assessor to begin with zero-knowledge, and to attempt to identify all external assets as an exercise in replicating what a real-world attacker might find.
Special care must be taken when you ask an assessor to locate targets with zero-knowledge. In particular, no testing should take place until every asset identified has been confirmed to belong to the organization being tested. You don’t want the assessor attacking someone unrelated who happens to be in an adjacent IP range or who might have been assigned a range previously belonging to you. I’ve often found that being asked to identify and confirm the initial target set proves to be a beneficial exercise that helps my clients verify their asset databases and keep them up-to-date.
Most penetration testing is performed from the external perspective, with the most common scenario being an external attacker who has targeted the company but has no prior knowledge. While this is a popular scenario, there’s a lot to be gained from conducting an internal penetration test. Several major studies indicate that around 50 percent of security incidents involve an insider threat. So if you want to better understand the other side of the coin, then consider testing from an insider’s perspective.
Common scenarios in which an inside attacker might begin with zero-knowledge include contractors who have been granted temporary access to the network for the duration of their project. With targeted attacks against users and the increasing popularity of malware, the compromised user workstation is another situation that is frequently simulated.
When conducting a pen test from the zero-knowledge standpoint, it’s best to try and limit the amount of information provided to a tester to stay as close as possible to a real-world situation. One thing you should never give to any applications or systems in a zero-knowledge pen test is credentials. That only occurs in partial- or full-knowledge testing situations. That being said, those types of situations can be extremely valuable as well. In our next entry, we’ll take a closer look at the partial-knowledge testing approach.
Vincent Liu, CISSP, is a Managing Partner at Stach & Liu, a security consulting firm providing IT security services to the Fortune 1000 and global financial institutions, as well as U.S. and foreign governments. He has coauthored several books including Hacking Exposed Wireless 1st and 2nd editions, Hacking Exposed Web Applications 3rd edition, and the upcoming Web Application Security, A Beginner's Guide.