The term penetration testing generally refers to white-hat hackers – independent or through a business – acting as a hired gun to try to break through your company’s defences. In essence, it’s a way of simulating real-world attacks to test your network for weaknesses.
It’s by no means a “magic bullet”, warns the National Cyber Security Centre in its official guidance, but it can help businesses tighten up their security, especially in heavily regulated industries where compliance is key. Take the Payment Card Industry Data Security Standard (PCI DSS), for example: you’d think businesses handling card data would be running watertight ships, but the reality is often far from it.
The long and short of it is that a penetration test will tell your company the problems with your network or organisation at that point in time; without ongoing efforts to secure your business, that information can quickly become dated.
But what if you want to figure it out for yourself?
Report after report suggests there’s a tremendous skills shortage for security professionals in the UK, so penetration testing looks set to remain a lucrative line of work for some time yet.
Alec Auer of Falanx Cyber regularly conducts various types of penetration and compliance testing – including for web applications, internal infrastructure, and the social engineering side, such as email phishing.
He tells Computerworld UK: “The number of penetration testing tools, both open source and commercial, is vast. Over the years I’ve narrowed them down to the necessary essentials which can be used for almost any penetration test.
“Each tool can serve multiple purposes and has a variety of uses; however, they stand out in certain categories and are my first option for penetration tests as a result. While other options are available, these are the ones I’ve personally found effective and easy to use.”
You’ll want to map out ports to figure out the potential entry points for an attack against the system. A popular choice is Nmap – a free and open source tool for network discovery and security auditing. The developers themselves say many network and sysadmins find the tool useful for tasks like network inventory, managing upgrade schedules, and monitoring host or service uptime.
“Not only can it perform different port scans, it has an added scripting engine that gives a significant amount of information about open services,” Auer says. “The output of scans is also in several useful formats that can be manipulated and combined with other tools, and since it’s quite popular there are lots of additional plugins that have been developed for increased functionality.”
Another early port of call is vulnerability scanning to comb the network for potential targets. There are tools out there, proprietary and open source, that will help you do this.
One popular option for scanning web applications is Acunetix. It automates security testing for web applications, checking for vulnerabilities such as SQL injection and cross-site scripting. The company says it sets itself apart from traditional vulnerability management tools (like Nessus and Nexpose – more on those in a moment) by going into greater depth specifically on web application vulnerabilities and their variants. A 14-day free trial is available here.
Auer recommends combining Nessus with Nmap for an efficient first stage to “find some juicy targets ripe for exploitation”.
“To help make penetration tests more time-efficient, a vulnerability scanner is essential,” Auer says. “I tend to choose Nessus as it is straightforward to use and has different vulnerability scans for an added level of flexibility, depending on the test.”
You can get yourself a trial copy of Nessus by Tenable here.
Another option is Burp Suite, which features a vulnerability scanner for web applications as well as a brute-force tool for credentials and an app store for any additional plug-ins you want to bolt on.
“Once I have found the perfect target, I will look to the Metasploit Framework to exploit it,” says Auer. “While there is a paid version, I’ve found the free community edition is more than enough for my needs.”
Metasploit is a tool developed by Rapid7 that lets you safely simulate real attacks on the network in an automated way. You can get the community or pro edition here.
“It’s updated on a regular basis, which ensures I have the most up-to-date public exploits to hand, along with a reliability rating to ensure I don’t crash client systems,” Auer explains. “The Metasploit database is a nice extra feature which helps me keep track of targets during large infrastructure tests.”
Use Metasploit plugins to further your privileges on a compromised host, Auer adds.
Offensive Security describes Meterpreter as: “An advanced dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime.”
“Meterpreter is a flexible shell which has additional modules for stealing passwords, which can then be fed into additional post-exploitation modules within Metasploit itself,” Auer says. “Popular tools such as the password cracker, ‘John’, have connected functionality within Metasploit to make the post-exploitation phase even smoother.”
“Arguably the most important part of any penetration test is being able to clearly present your findings to the client,” says Auer, who prefers Dradis for its built-in vulnerability database.
“This ensures I’m not spending hours searching around previous reports for vulnerabilities,” he adds. “Additionally it’s possible to upload the output from other tools such as Nmap and Nessus and match these to vulnerabilities, which makes the reporting process even simpler.”
The weakest link in the chain, before you even approach a network, is more often than not people – particularly those who haven’t completed security training, or staff at an unsuspecting third party.
There are a lot of ethical questions around social engineering, so we aren’t going to go into great detail here, but for some horror stories showing why it’s important to test your staff too, take a look at our day-to-day guide to pen-testing here.