If you’ve ever worked as a professional penetration tester then you definitely know what a TOE is. For those of you who do not, the TOE or “Target Of Evaluation” is “the product or system that is the subject of evaluation” (Wikipedia).
For the sake of simplicity, for an external penetration test the TOE is a set of internet-facing systems identified by IP address. Your client has provided a list of IP addresses, maybe in CIDR notation, maybe they’ve just dropped you a spreadsheet with a list of targets that fall within the scope of testing. At the end of the day, they’ve provided you with a list of assets that are in play.
Side note: I won’t stress the importance of performing thorough reconnaissance and the value it will provide to both you (during the assessment) and to your client. There are plenty of books and training courses that have done a fine job conveying that message.
However, I do want to provide you with the following scenarios and why it is important to validate and verify your targets:
You’ve laid out your pentest, you’ve got a list of IP addresses that the client has provided (using CIDR notation), the testing schedule is set, and you’ve studied the scope enough to know it as if it were inked on the back of your eyelids. Sweet.
You are a few days into testing and still conducting passive reconnaissance. Interestingly enough, you can’t help but notice some obvious domain names that are attributed to several of the IP addresses. Why on God’s green earth are domains that clearly resolve to the website and mail servers of an online retailer attributed to your client’s IPs when your client’s industry is banking!?!?
Alright hotshot, what do you do? Easy… contact your client and ask them to verify this information. If they are unsure, have them reach out to their ISP. Don’t be the pentester that inadvertently hacks the wrong target. Even if you argue that your client provided you with bad information, your reputation can’t win that battle.
Root Cause: Client screwed up the network mask. Yep. They provided you with X.X.X.X/24, but in actuality it should have been X.X.X.X/25. That one bit of prefix length is the difference between 256 addresses and 128: the upper half of the /24 was never theirs. See how ugly this can get?
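The check that would have caught this mistake before the first packet was sent, as an added example of my own and not code from the original post: enumerate every address in the scope exactly as the client gave it, reverse-resolve each one, and flag any PTR name that is not under a domain the client actually owns. Everything in it is constructed: 192.0.2.0/24 is a documentation range, examplebank.example and exampleshop.example are placeholders for the bank and the retailer, and the PTR table stands in for live reverse DNS so the script runs offline. Pass `live_resolver` instead to run it against real DNS.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample PTR data standing in for live reverse DNS. Addresses,
# hostnames and domains are invented for this example. The lower half of the
# /24 looks like the bank client, the upper half like an unrelated retailer,
# mirroring the /24-that-should-have-been-a-/25 scenario above.
SAMPLE_PTR: Dict[str, str] = {
    "192.0.2.10": "www.examplebank.example",
    "192.0.2.11": "mail.examplebank.example",
    "192.0.2.25": "vpn.examplebank.example",
    "192.0.2.130": "www.exampleshop.example",
    "192.0.2.131": "mx1.exampleshop.example",
    "192.0.2.200": "cdn.exampleshop.example",
}

Resolver = Callable[[str], Optional[str]]


def in_domains(hostname: str, client_domains: Iterable[str]) -> bool:
    """True if hostname equals one of client_domains or is a subdomain of one.

    The match is done on label boundaries, not as a plain substring: a naive
    endswith("examplebank.example") would wrongly accept
    "notexamplebank.example" as belonging to the client.
    """
    host = hostname.rstrip(".").lower()
    for dom in client_domains:
        d = dom.rstrip(".").lower()
        if host == d or host.endswith("." + d):
            return True
    return False


def live_resolver(ip: str) -> Optional[str]:
    """Real reverse lookup via the system resolver; None if no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def audit_scope(cidr: str, client_domains: Iterable[str],
                resolver: Optional[Resolver] = None) -> List[Tuple[str, str]]:
    """Reverse-resolve every host address in cidr and return the (ip, ptr)
    pairs whose PTR name is outside the client's domains.

    Addresses with no PTR are skipped: a missing record is not evidence of
    ownership either way and should be checked by other means.
    """
    if resolver is None:
        resolver = SAMPLE_PTR.get  # offline: use the constructed table
    client_domains = list(client_domains)
    net = ipaddress.ip_network(cidr, strict=False)
    findings: List[Tuple[str, str]] = []
    for ip in net.hosts():  # skips network and broadcast addresses
        name = resolver(str(ip))
        if name is None:
            continue
        if not in_domains(name, client_domains):
            findings.append((str(ip), name))
    return findings


def smallest_covering_prefix(ips: Iterable[str]) -> str:
    """Smallest CIDR block that contains every given address. Run over the
    flagged hosts it shows which slice of the scope belongs to someone else."""
    addrs = [ipaddress.ip_address(i) for i in ips]
    net = ipaddress.ip_network(str(addrs[0]))  # start at a single-host prefix
    while not all(a in net for a in addrs):
        net = net.supernet()
    return str(net)


if __name__ == "__main__":
    scope = "192.0.2.0/24"            # what the client sent
    owned = ["examplebank.example"]   # what the client actually owns
    foreign = audit_scope(scope, owned)
    for ip, name in foreign:
        print(f"OUT OF SCOPE? {ip} -> {name}")
    if foreign:
        print("foreign hosts fall within",
              smallest_covering_prefix(ip for ip, _ in foreign))
```

Reverse DNS is only one signal, and an absent or generic PTR proves nothing, so treat a hit as a reason to stop and ask the client, not as a verdict. In the scenario above the flagged hosts collapse to 192.0.2.128/25, which is precisely the half of the /24 the client should never have handed over.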
Similar situation to the one above, but not quite. Let’s say that your client was VERY careful and gave you a list of addresses that were verified over and over and they are 100% confident that you will only be testing their systems.
During the course of performing your reconnaissance mission, again… you happen to notice some strange domains and corresponding WHOIS registration information. This time, it belongs to an elementary school. Ok… now things are really weird.
You dig a little further and can confirm that the crappy student information system used by the elementary school is definitely being hosted at your client’s data center.
Now this is officially bizarre.
Digging deeper, you scour LinkedIn and find that the person that registered the domain (WHOIS info) was a former employee of your client’s company. You also determine that the location of the school is approximately 20 miles away from your client’s data center.
What do you do? Again… you definitely don’t want to hack a student information system. You definitely don’t want to look at the data within. You need to contact your client.
Root Cause: That former employee is now the systems administrator for the elementary school. He’s been writing invoices out to a hosting provider (his company) and splitting the money with an old friend who happens to be a current employee at your client’s data center.
These are just two examples of actual situations that I have found myself in while conducting penetration tests. That doesn’t count all of the times that I have had a client tell me, “The last company that we had perform a pentest actually hacked into someone else and we didn’t know about it until we received the report.” This is exactly why regular communication, thorough reconnaissance, and validating the TOE are extremely important. It is definitely one of those things that separates the pros from the Joes, and your clients will remember you for it.
Maintain regular communication, perform thorough reconnaissance, and validate your targets.