The Quick What, Why and How of Penetration Testing
For our upcoming September 30 day series we will be focusing on practicing our penetration testing skills using the online platform 'Hack The Box'. If you are unfamiliar with the platform and need help read the walk through I provided here. Before we jump into the series, I thought it would be helpful to explain about the what, why, and how of Penetration Testing.
Disclaimer: Do not use the technique and skills learned here against any organization, individual, or device you do not own without their explicit written consent.
Now that we have that out the way, let's dive right in!
What is Penetration Testing?
Penetration Testing, also known as pen-testing or ethical hacking, is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit. This can be done automatically through software, such as Metasploit, or performed manually by the tester.
Why is it necessary to perform penetration tests?
While breaking into the machine or network is part of the pen-testing process, the real purpose of an engagement is to help the client improve their security. The testing process can be used to test an organization's security policy, make sure an organization is adhering to compliance requirements, test their employees' security awareness, as well as help organizations identify and respond appropriately to security incidents. The findings from these testings are reported back to the organizations IT or Security team and enable them to make strategic decisions and prioritize remediation efforts.
How often should penetration testing be performed?
The honest answer is that it depends. At a minimum, organizations should be performing testing regularly to ensure a consistent and secure network and especially after any major production changes or roll outs. Examples of this include:
adding new network infrastructure or applications
applying security patches
implementing significant application upgrades or modifications
There is no one-size-fits-all and several factors, such as company size, costs, and regulation requirement, could be at play to determine how often an organization should be performing these tests.
What tools can I use to perform these tests?
Automated tooling is usually the go-to choice as it allows developers and teams the ability to quickly identify and solve security problems through the life-cycle process. The tools utilized should be easy to deploy, configure, and use in order to provide accuracy and efficiency during the process. Many of the most popular penetration tools are free or open source software. Example include:
Metasploit: The Metasploit Project is an open-source project for network administrators to break into their network to research security vulnerabilities, develop code, identify security risks, and document vulnerabilities to prioritize efforts. This tool comes built into Kali Linux.
Nmap: Nmap is a free and open source network scanner used to discover hosts and services on a computer network by sending packets and analyzing the responses. This tool comes built into Kali Linux.
Wireshark: Wireshark is a free and open-source packet analyzer used for network troubleshooting, analysis, and software/communications protocol development. This tool comes built into Kali Linux
Burpsuite: Burp suite is a graphical tool for testing web application security. The tool is written in Java and has become an industry standard suite of tools for security professionals. It helps you identify vulnerabilities and verify attack vectors affecting web applications.
John the Ripper: John the Ripper is a fast password cracker that is available for a variety of OS' including Unix, MacOS, Windows and many more. It's primary purpose was to detect weak Unix passwords but has now expanded to exploit hundreds of additional hashes and ciphers.
There are many more tools to explore and I encourage you to search and find out more about them.
Okay, now how do I perform penetration tests?
For the purpose of this article, and series, I will be following the PTES framework, also known as the Penetration Testing Execution Standard. This was created by experts in the penetration testing industry and consists of seven phases to perform a test in any environment. The seven phases include:
Pre-engagement Interactions: Determining the scope and access
Intelligence Gathering: Learning about the system and targets
Threat Modeling: optimizing network security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system.
Vulnerability Analysis: defining, identifying, classifying and prioritizing vulnerabilities
Exploitation: Leveraging a vulnerability to compromise security
Post Exploitation: Gaining administrative access privileges or accessing sensitive data
Reporting: Documenting and finalizing the presentation of collected data throughout the phases.
These steps cover everything related to a penetration test - from the initial communication and reasoning behind a pentest, through the intelligence gathering and threat modeling phases where testers are working behind the scenes in order to get a better understanding of the tested organization, through vulnerability research, exploitation and post exploitation, where the technical security expertise of the testers come to play and combine with the business understanding of the engagement, and finally to the reporting, which captures the entire process, in a manner that makes sense to the customer and provides the most value to it.
There is so much more to learn regarding penetration testing and I encourage you to go out research, test some things and get your hands on the keyboard. I will primarily be using the tools leveraged in Kali Linux as so many tools are built into it but feel free to use other tools. Explore and happy testing!