How A Penetration Test Uncovered Astonishing Network Flaws - Tubblog: The Hub for MSPs


Many IT Solution Providers and Managed Service Providers (MSPs) are familiar with a cybersecurity penetration test.

Historically, MSPs have employed third-party cybersecurity experts to do manual penetration tests on their clients’ networks.

However, advances in Artificial Intelligence (AI), Machine Learning (ML) and other technologies have changed things. MSPs are now being given the option of using automated penetration testing.

So, I did some research to see if these automated penetration tests are as effective and reliable as a manual pen test run.

I asked the team at UK-based cybersecurity specialists Endida to run a thorough automated pen test of my home network.

As you’re about to read, the results of the penetration test were surprising!


What is a Penetration Test?

Before we dive into Endida’s work, let me explain exactly what a penetration test is.

A penetration test, often referred to as a “pen test,” is a simulated cyber attack against an IT system, network or infrastructure. The goal of the pen test is to identify vulnerabilities that could be exploited by cybercriminals.

Traditionally, pen tests have been conducted by ethical hackers who use a variety of tools and techniques to probe a system with the aim of uncovering security weaknesses before malicious actors do.

The results of a pen test often provide valuable insights to an MSP into the security posture of their clients’ systems, revealing recommendations for strengthening defences and mitigating potential risks.


What is Automated Pen Testing?

As mentioned, there is a new breed of AI/ML-based automated pen tests becoming available to MSPs.

These pen tests are still run by cybersecurity experts. But rather than manually probe an infrastructure for vulnerabilities, an automated pen test relies on artificial intelligence to scan a system and highlight issues.

UK-based Endida is a cybersecurity company that offers an Autonomous Penetration Testing platform, or Pen Testing-as-a-Service (PtaaS).

I engaged Endida’s founder and CEO Ian Schenkel to perform an automated pen test of my home network here at Chez Tubb.


My Home Infrastructure

The Network Cabinet at Tubb Towers. Our home network definitely leans towards the Prosumer setup.

Now, being a huge tech geek, my home network contains:-

  • A multitude of IP-based security cameras
  • A Network Attached Storage (NAS) server
  • A CAT6e-based ethernet network, spanning multiple switches and routers
  • A mesh-based WiFi network
  • Desktop PCs, Raspberry Pi machines, Laptops, Printers and Scanners.
  • Dozens of home automation devices

In short, my home network is very much a “prosumer” setup, and probably contains more devices than the majority of MSPs’ typical client networks.

Therefore, I was intrigued to see how Endida’s automated pen testing would perform against my infrastructure.


Preparing for the Pen Test

After engaging the team at Endida, Ian jumped on a call with me to understand my home network.

Surprisingly, Ian said that the pen test wouldn’t just look at devices on my network, but would also test cloud-based systems such as our web-site, DNS, email and other services.

I provided Ian with details of names and websites registered to my company, to enable Endida to create an “Asset group” they could run tests on.

In order to facilitate the pen test, I was given some instructions on setting up a laptop to host the pen test on my home network.

The laptop, which had a decent but not powerful spec (16GB RAM, quad-core CPU, 20GB free HDD space), ran a virtual machine.

We used the freely available Oracle VM VirtualBox Manager. The Endida team install their automated pen testing platform onto it. It’s based on Horizon3.ai NodeZero software.

Ian and I then scheduled some mutually convenient time to not only run the pen test on my network, but to show me how the entire process works.


Preparing for the Automated Pen Test

Within a few days, Ian and I jumped on a video call. I was introduced to Will and David from the Endida team, who would be performing the pen test.

I had to grant the Endida team permission to remotely access my laptop. Then, they walked me through setting up an account on their web-based system. Next, the Endida team had to install the virtual machine to run some exploratory tests.

With the Endida team confident the laptop was configured correctly, there was a run-through on how they would configure the pen test.

They made a note of external resources (websites, domain names, etc.). The Endida team also asked me if I wanted to inject some credentials into the test.

Injected credentials are typically Windows domain accounts, local user accounts, AWS access keys and similar. Cybercriminals don’t have to work hard to discover these. They include usernames like admin, administrator, or firstname.lastname user accounts.

The Pen Test then injects those credentials into its process. This will show how far an attacker could get if they compromise a credential within your system.

The Endida platform has a bank of default and weak credentials, which is used to attempt to gain access. So effectively, they guess or brute force the credentials. The testers also perform OSINT (open-source intelligence) research to uncover relevant employee names/company details to guess username/password combinations.

Carrying out the Pen Test

Once these credentials were entered, the automated test would run for 6 hours to discover every device on my network (and beyond!) and ascertain any vulnerabilities.

Once the pen test completed, they would deliver a PDF-based report to me, and schedule a follow-up meeting to explore their feedback on any vulnerabilities that the test found.

And that was it! The setup process was simple, and inside an hour, the automated pen test was off and running.


Monitoring the Pen Test

Of course, the whole point of an automated, AI-based pen test was that you don’t have to monitor the test as it runs!

Nevertheless, the geek in me wanted to see any vulnerabilities as they were discovered!

Therefore, I could watch the pen test running through Endida’s Horizon3.ai dashboard. That’s accessed from any machine, not just the laptop being used for the pen test. And I could see the results as they were discovered.

Once my curiosity was met, and I saw the test doing its thing, all that was left for me to do was wait for the results.


The Results of the Pen Test

The next day, the Endida team sent me an email to let me know the pen test was completed!

The Horizon3.ai dashboard is easy to navigate and shows the internal and external pen test results, plus:-

  • Impacts
  • Weaknesses
  • Credentials discovered
  • Compromised hosts

My network’s overall exposure level was scored as “Medium” (Yellow) with 4 weaknesses, and 1 credential discovered by the pen test.

Thankfully, 3 of the 4 weaknesses were rated as “low”, with SMB Signing not turned on for some devices such as my Synology NAS.

More worryingly, the pen test discovered one of my IP-based security cameras had Telnet turned on, with the default credentials still in place. Eek!

The pen test also discovered over 600 different services running on my network, from web servers I was previously unaware of to the aforementioned Telnet service, which shouldn’t have been turned on.

Additionally, the pen test highlighted 10 different certificates on my network, many of which were outdated and needed replacing.

The external pen test also found a host of sub-domains and services that we no longer use. So we’ve now flagged those for retirement.

The NodeZero software that Endida uses allows you to download comprehensive PDF- and CSV-based reports showing the results of each of the pen tests. You can download a single ZIP file with all the reports, which allows you to then browse them offline.

The Executive Report was especially useful, and Endida tell me that this report can be white labelled so that MSPs can deliver it directly to their own clients.

Endida Pen Test Executive Summary


AI-based Pen Test Remediation

One of the most interesting aspects of Endida’s service was the AI-based remediation platform they provided me, post-test. This is a service that they’re rightly proud of.

Helpfully, the remediation advice includes relevant screenshots and multiple options based on the identified environment. So it’s easy to see what changes need to be made.

Furthermore, the platform allows you to interrogate the results of your pen test in plain English.

For instance, if I was unsure how to fix an SMB signing issue, I could ask Endida’s platform, “What is SMB Signing and how should I secure it against the issue?”

And for MSPs, they are able to charge their end customers for remediation. They just follow the instructions given, and perform a one-click verify to prove to the customer that the remediation was effective.

The AI-based platform then produced a series of easy to understand steps to secure the issue.

This ChatGPT-esque tool will be incredibly useful for any MSP who needs help to understand how to remediate any issues the Endida pen test discovers.

And once you resolve all the vulnerabilities that the pen test finds, Endida allows you to re-run the pen test at no charge, to ensure you’ve not missed anything.

I think that this offer of unlimited pen tests will be of real value to any MSP.

As we shared in Championing the Cybersecurity Right of Boom and the MSP Revolution, anything that enables MSPs to highlight left of boom issues is a bonus.


An unexpected result!

But our story doesn’t finish just yet!

The most interesting aspect of the pen test on my home network was an entirely unanticipated one.

Before the pen test, Endida had, quite naturally, sought my written permission to perform the test on my network.

After all, running a pen test without permission is dangerously close to being seen as a hacker!

However, during the test routine, my wife, who works for a local government authority in the education space, had arrived to work from home and connected to our home WiFi.

Being a part of the network, the AI then ran a penetration test on my wife’s laptop. And scarily, it found some serious vulnerabilities.

Suffice to say, her employer’s IT team absolutely freaked out. And despite explaining the situation, my wife’s laptop was disconnected and her work access was cut off.
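
The incident above is a scoping problem: the written permission covered my own devices, but a laptop owned by another organisation joined the WiFi mid-test. The following is an added example (not from Endida or NodeZero) of checking a DHCP lease snapshot against the agreed asset inventory so that unknown devices are excluded; the subnet, MAC addresses, hostnames and function names are all constructed for illustration.

```python
import ipaddress

# Constructed sample data: none of these values come from the article.
AUTHORISED_NET = ipaddress.ip_network("192.168.1.0/24")  # range named in the written permission
OWNED_ASSETS = {  # MAC -> label, inventory agreed before the test
    "aa:bb:cc:00:00:01": "nas",
    "aa:bb:cc:00:00:02": "ip-camera",
    "aa:bb:cc:00:00:03": "pentest-laptop",
}
DHCP_LEASES = [  # (ip, mac, hostname) as seen on the router mid-test
    ("192.168.1.10", "aa:bb:cc:00:00:01", "nas"),
    ("192.168.1.20", "AA:BB:CC:00:00:02", "cam-front"),
    ("192.168.1.30", "aa:bb:cc:00:00:03", "scanner-vm"),
    ("192.168.1.77", "de:ad:be:ef:00:09", "employer-laptop"),
    ("10.0.0.5", "aa:bb:cc:00:00:01", "nas-vpn"),
]

def split_scope(leases, network, owned):
    """Return (in_scope, excluded); excluded entries carry the reason."""
    in_scope, excluded = [], []
    for ip, mac, host in leases:
        addr = ipaddress.ip_address(ip)
        mac = mac.lower()  # routers report MACs in mixed case
        if addr not in network:
            excluded.append((ip, host, "outside authorised range"))
        elif mac not in owned:
            excluded.append((ip, host, "not in agreed asset inventory"))
        else:
            in_scope.append((ip, owned[mac]))
    return in_scope, excluded

def exclusion_list(leases, network, owned):
    """IPs to keep out of the test, sorted numerically."""
    _, excluded = split_scope(leases, network, owned)
    ips = sorted(ipaddress.ip_address(ip) for ip, _, _ in excluded)
    return [str(ip) for ip in ips]

if __name__ == "__main__":
    ok, skipped = split_scope(DHCP_LEASES, AUTHORISED_NET, OWNED_ASSETS)
    for ip, label in ok:
        print(f"IN SCOPE  {ip:15} {label}")
    for ip, host, why in skipped:
        print(f"EXCLUDED  {ip:15} {host}: {why}")
```

Re-running the check while a long test is in progress catches devices that join after the initial scope was agreed.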

What Happened Next?

Within hours, Ian at Endida had been connected with my wife’s employer’s IT team, and explained the situation. Ian shared that we were the good guys, not cybercriminals — and that quite by accident, we’d found a fairly serious vulnerability.

Ian went out of his way to give the IT team details of the exploit, and how they could resolve it. However, at the time of writing, we don’t know if things have changed.

The head of IT no longer responds to email enquiries on whether they have patched the vulnerability.

This is very disappointing, as the local authority involved is responsible for some extremely sensitive and critical data of a personal nature. Perhaps the vulnerability has been patched — we really can’t be sure.

I think the lesson for MSPs here is that many internal IT departments are under-resourced. And so they’re overwhelmed when it comes to cybersecurity.

Therefore, if you accidentally find a vulnerability and highlight it to these organisations, don’t be surprised if you, the messenger, are attacked rather than thanked.


Conclusion

As we’ve seen, there are now more cost-effective ways for an IT Managed Service Provider (MSP) to support their clients. But today, an AI tool can carry out a cybersecurity penetration test on any network.

And many of them offer retesting as part of the price, so there’s no cost for making sure updates have worked. So it’s easier and cheaper than ever for MSPs to keep their clients’ data safe.

However, thanks to Artificial Intelligence/Machine Learning, MSPs are now able to engage autonomous, or automated pen testing to keep their networks safe.

Companies such as Endida provide these autonomous pen testing services in affordable, easy to access solutions for MSPs.

And the AI pen testing solution they offer is backed by years of experience from cybersecurity experts. These experts can help an MSP to resolve any vulnerabilities. Hopefully, my experiment with Endida’s Continuous Penetration Testing platform on my home network will reassure you that it works.

So clients will look to MSPs for more cybersecurity advice, guidance and the responsibility for keeping their infrastructures safe. I can see autonomous pen testing becoming a serious weapon in the arsenal of any MSP business.

Do you have any experience with automated pen testing? Is autonomous pen testing useful within your MSP business? Or do you have concerns about handing across the keys to your infrastructure to an AI-based solution? Get in touch, or leave a comment below with your thoughts.


RICHARD TUBB

Richard Tubb is one of the best-known experts within the global IT Managed Service Provider (MSP) community. He launched and sold his own MSP business before creating a leading MSP media and consultancy practice. Richard helps IT business owners take back control by freeing up their time and building a business that can run without them. He’s the author of the book “The IT Business Owner’s Survival Guide” and writer of the award-winning blog www.tubblog.co.uk
