As a penetration tester, your work tends to be fairly straightforward. You obtain a client engagement, define the scope of your penetration testing work, and then use your knowledge, skills, and tools to provide the client with a report of their vulnerabilities. As more and more people are starting to learn the value of penetration testing, it is slowly starting to become a market with more competition. This is excellent for the customer and for us as testers as a larger market footprint tends to lead to better tools and more recognition of the value of penetration testing. However, it also means that we need to be able to provide even more value to our customer in order to stay ahead of our competition.
One method of providing more value is to reuse our penetration testing skills to perform other tasks that our client may need. A common trend exists around using these skills to aid clients in performing internal audits. Outside of the penetration testing aspect of audits, it is very common for clients to need to audit their installed software and hardware inventory. If you are able to assist them with this process, you can demonstrate your versatility, offer additional services (at additional cost), and potentially become a full-service provider for your client. This can, of course, lead to additional revenue and set you apart from your competitors.
So the question then becomes, how do you leverage your penetration testing skills to perform this type of audit work? As penetration testers, we use reconnaissance and enumeration to gather data on the systems that we are testing and these processes can be easily reused to audit systems. As an example, a client was recently required by Oracle to audit the number of installed Oracle databases that exist within their company. Using a tool such as Nmap, we can easily perform this type of scan:
To scan a single server for port 1521 and reverse resolve hostname:
nmap -p 1521 10.10.10.10 -R
To scan multiple servers:
nmap -p 1521 10.10.10.1/24 -R
To scan Oracle version, etc (takes a lot longer):
nmap -p 1521 10.10.10.1/24 -R –sV
This works great for software installed and running as a service, but what about client-side software? Occasionally, a client is required to scan for a specific software product on client workstations to gather an inventory of the software install base. Since the client software may not run as a service, it may not have an open port to scan for. In situations like this, we can use other tools that leverage existing services provided by the operating system such as SNMP or WMI. For example, on a Windows XP system running the SNMP service, the snmpwalk tool can be used to display a software inventory using the following syntax:
snmpwalk -c public -v1 127.0.0.1 1 | findstr 220.127.116.11.18.104.22.168.1.2
Of course, running this from a UNIX system, one would replace “findstr” with “grep”, but the syntax is similar. Using this method, you can easily audit all software installed on a client system or all client systems on a network.
Hardware audits are another area where your skills can be valuable. In some cases, companies will need to audit their installed hardware base and determine what they have on the network. Nmap is, of course, the tool of choice for this type of audit as well. Using Nmap, you can simply scan the subnet(s) in question and report back on the detected system types.
In conclusion, be aware that the knowledge, skills, and tools that you use as a penetration tester can be reused in a number of ways. This can help increase your personal value to your clients as well as drive new business and new service offerings. Additional details on the tools discussed in this article as well as a plethora of other open source tools can be found in my book, Penetration Tester’s Open Source Toolkit, Third Edition available at http://www.amazon.com/Penetration-Testers-Source-Toolkit-Edition/dp/1597496278 or your favorite technical book retailer.