Robert Shimonski

Robert Shimonski is an ethical hacker and a professional IT leader who has led numerous efforts to architect, design, strategize and implement enterprise solutions that must remain secure. Rob has been involved in security and technology operations for over 25 years and has written his books from the trenches of experience.

Articles From Robert Shimonski

Penetration Testing For Dummies Cheat Sheet

Cheat Sheet / Updated 03-01-2022

Penetration (pen) testing is used by many organizations to ensure that the security controls they put in place actually work. Pen testing and security are complicated topics and can be intimidating. This cheat sheet covers basic pen testing terminology you need to know, the most commonly used pen testing tools, and a list of commonly sought-after certifications in the field of pen testing.

10 Tips for Becoming a Better Pen Tester

Article / Updated 12-29-2021

Penetration testing is always evolving. More complex cyberattacks require more sophisticated pen testers. Here are ten tips to help you refine your pen testing skills as you continue in your career or education.

Continue your education to improve your pen testing skills

Keep learning. Study often and do not limit the scope of your studies. You can get by in your career by learning the basics, getting the tools, and running them. However, you need to learn the finer details of information technology systems, networks, and services and how they are secured or threatened. The ways you can continue your education are unlimited. However, if you are on a budget (or have access to resources within a budget), here are a few ways you can help yourself:

Use your library. To access the internet, books, publications, magazines, and other materials, use your public library system. Some libraries even hold IT classes, and in some cases, even security classes.

Use the internet. You can find many sites to help with pen testing, learning about IT, security, and many other topics. You can gain access to tools and sites that allow you to learn how to conduct penetration testing, and learn operating systems and other valuable programs.

Build a test PC. If you can gain access to a PC or laptop that you can turn into a test system, acquire it and use it. Many companies likely have an older system lying around unused that you can turn into a pen test toolkit.

Use virtualization. Similar to the extra PC or laptop, you can set up virtualization software that gives you access to even more systems, so you can build a small virtual network within a computer and conduct pen testing on multiple systems from one system. The image below shows an example of a tool running within a virtualized system.

Use freeware. Many demo tools give you full access for a period of time, or at least limited functionality, that you can use to learn with.

Build your penetration testing toolkit

Carpenters and other trades rely on their tools to be able to do their jobs. Auto mechanics, welders, and others who use tools to conduct their work can’t do great work without tools that are maintained and preserved. The same is true of IT professionals, especially those who function in the security realm as pen testers. No matter what, consider your tools the most important thing you can maintain. Keep the following in mind as you build your toolkit:

Keeping your toolkit current is one of the hardest things to do as a pen tester. You will find some tools (sometimes older tools) are more helpful for getting the results you need. Some tools are scripts that are created and maintained by each individual pen tester. Some tools are expensive, and you need to license them. You also need to keep them updated. For example, any tools, software, programs, applications, and systems you use need to be patched, virus scanned, updated, and kept up to date.

All software must be updated. Any software that requires signature files, digital certificates, block ciphers, or any other form of additional software needs to be updated and maintained.

Technology changes over time. There will be updates to the systems you use, and there will be different systems in different organizations — all this means you need to keep your toolkit current with new additions as you find you need them.

Make sure your computer is updated and safe. Keep the system you run all this on current as well. Nothing is worse than the embarrassment of getting your own system hacked as a pen tester. Keep your own stuff pristine, secure, and tested.

Think outside the box to be a better pen tester

Never get comfortable with the same vectors, tools, patterns, and attacks. Always consider another option — the plan B. You have to constantly think outside the box to stay ahead of those who commit crimes. Think of hackers and attacks like running water: it will find a way. You, too, need to think like running water and consider, anticipate, and get ahead of different types of attacks and attack vectors by developing this dynamic mindset.

Below is an example of a planned penetration test where the pen tester wanted to enter the network via the wireless access point. In a situation where one pen tester was working with an organization that agreed to try another path if possible, he found another way through the internet connection (plan B) to access the network externally. He could also have accessed the network by picking up a signal from the parking lot.

Think like a hacker to be a better pen tester

You need to know what hackers do. As an ethical person, it’s not easy to think like a criminal. This is where the great pen testers excel. You have to think beyond what a good guy would do . . . to what someone who has no ethics would do. You can read about attacks that took place in the past to learn about the people who conducted them. One of the oldest hackers of the past is Kevin Mitnick, who conducted hacks back in the 1990s and was arrested in 1995. Learning about Kevin and how he turned into a grey hat hacker over time helps you get inside the mind of those who conduct crimes and understand their motives.

Get involved to improve as a pen tester

Whether through conferences, online communities, or social outlets online or in person, spend some time networking with others in your field. Two conferences where you can continue your education, learn specifics of pen testing from experts in the field, meet book authors, and get access to current trends and classes about current products are DEF CON and Black Hat. Normally, both are held in the United States, but over the years, the conferences have grown and expanded to other countries as well. Both conference websites have options to sign up for a conference, as well as options to view older media, papers, and research conducted over the years. They are also a great way to meet other experts in your field as you continue to grow within it.

There are professional organizations that cater to pen testers, schools that form groups of like-minded individuals, governance committees, and other types of groups that allow those who conduct ethical hacking to join together and share ideas. There are government agencies that you can join to share ideas and information. Regardless of whom you join up with, a community-based approach to sharing ideas has led to some of the larger crowdsharing/crowdsourcing and other group-like successes there are today. Pair up and work on some projects together to share ideas and learn more about pen testing.

Use a lab for penetration testing

Whether you buy and build one, rent space, or lease system time from others, use the online resources available to you for testing, or use virtual machines in a lab you build — hands-on time is crucial to your success. You need to be able to run the tools, hacks, and tests, and see what is possible. It’s one of the best ways to learn how to become an elite pen tester. Although there are many challenges to doing this, you can still find ways to get hands-on training:

Online test sites: Online test sites let you experiment with your penetration-testing skills.

A test machine: You can also set up, on one computer in your home, a virtual system of other machines (a virtual network) and test those systems from your base machine.

The image below lays out a nice lab strategy you can use to start to develop a pen testing practice lab at work or at home. Some of the items you may want to consider in building your pen testing lab include (but are not limited to):

Server infrastructure: You can either set up a server physically on your mock network or a virtual one. Either way, make sure that you have allocated resources so that you can configure targets such as a database (which can be large in size), as well as multiple network connections for redundancy (cluster) or other advanced setups.

Network infrastructure: From the cabling to the wireless systems — the routers, switches, access points, firewalls, and everything in between — you can configure all the network components to interconnect the devices you want to set up as resources on your mock network.

Pen test system: The point of origin, which can be the laptop that you use as an ethical hacker to conduct the penetration testing.

As you learn more and more, you can add systems and infrastructure to further build out the lab so you can conduct more tests.

Stay informed on penetration testing

Just like any other role, skill, or function, the more you know the better off you will be. Up-to-date threat information can help you learn about the myriad attacks and patterns coming out daily. This information deepens your knowledge of what you need to be aware of as a pen tester protecting against them. You should also stay abreast of things going on in the pen test community. One great way to do this is by meeting up with other pen testers to swap information.

Stay ahead of new technologies to be a better pen tester

Technology is always changing. Remember when virtualization became important? Cloud? Wireless? Mobile? As each of these technologies emerged (and in some instances converged), it was important to stay on top of them because the minute they came to market, there seemed to be a ton of attacks that came right along with them. When wireless hit the market, for example, there were drive-by scanners hanging out of cars — hackers were cracking into company systems from the parking lot. You must keep up with new technologies, learning about them and anticipating how black hat hackers might use them. There are countless resources available to learn about new technology.

For example, if you know your primary targets are going to be Cisco, Citrix, Microsoft, VMware, Linux (select a distribution), and EMC Storage, you may want to sign up on those vendors’ websites and mailing lists to stay ahead of updates, new patches, version updates, and so on. If you have a contract with any of these vendors, they should be sending you information; however, anyone can contact these vendors and be added to their mailing lists to learn more about them. For example, if you were a large Cisco networking customer, you could gain access to RSS feeds, field notices, security advisories, bug alerts, software updates, and so much more.

Build your reputation as a pen tester

Building your reputation is easy. For someone (anyone) to let you into these protected networks where all their data sits, they absolutely must trust you. Trust. It’s the critical piece of the proverbial pie of your career in pen testing. Become known as someone who can’t be trusted, and it’s likely you will never again work for a company that needs your assistance in thwarting crime. This means you cannot be a criminal! You need to make sure you act professionally and ethically. Build your network of peers and people who can vouch for you, and continue to act in a way that is honorable and as a consummate professional.

Learn about physical security

All the technical knowledge, skill, tools, and experience in the world can’t save you and a company from a social engineering attack. Nothing can thwart technical security faster than social engineering. Card swipes, magnetic door locks, bio-sensor readers, cameras, physical security guards, wall hopping, and all of the other things that fall outside of the computer network where data is kept can’t stop someone determined to break and enter. Always consider physical security challenges as a pen tester, and augment your technical vulnerability analysis and scans by checking how physical security and defense in depth stack up.

Ultimately, any efforts you take to learn will help make you a better pen tester. Learning is key.

10 Sites for Learning More about Penetration Testing

Article / Updated 12-29-2021

As an IT professional, it doesn’t matter how much you know about penetration testing today — there is always more to learn! What you know today could become outdated as technology evolves and morphs into new innovations. With that said, here is a list of penetration testing websites and resources that will be extremely helpful to you as a security professional. If any of the websites are no longer accessible at any time, do your own online searches for keywords such as pen testing, penetration testing, and security hacking. Also make sure to fact check any data not coming from a reputable site. The sites listed here are generally reputable, but you should still research things before you implement them regardless.

One of the best sources of information you can use for your studies is the help files of your software. If you use the knowledge bases that come with the tool and online at the vendor’s website, you will learn how to better use the tools and reinforce some of the topics you learn about penetration testing along the way.

SANS Institute

SANS.org leads to the SANS Institute, where since 1989 the site has been filled with a large amount of useful security information that is freely accessible to all. This online resource is easily searchable from the home page and contains many resources a pen tester can use, including the SANS Information Security Reading Room, which hosts approximately 3,000 original research papers in 110 important categories of security. You can sign up for weekly bulletins, alerts, newsletters, risk alerts, and other email items that can keep you abreast of threats. You can also access the Internet Storm Center, which is an early warning system for threats. There are many other resources available, such as templates, vendor product information, information on open and closed source software, and so much more. Another point of interest on the SANS website is the connection to their focused areas on pen testing. If you’re looking to make pen testing a career, being connected to this community and digging deep into their online resources can add value to your education and knowledge.

GIAC certifications

Another point of interest on the SANS website is the connection to the certification arm of SANS, which is called Global Information Assurance Certification (GIAC). It's focused on different areas of security, such as incident response and handling, forensics, and of course pen testing. When you’re ready, you can obtain the GIAC Penetration Tester certification (GPEN). Aside from being an industry standard exam that tests your ability to conduct a pen test, the GIAC website also has a wealth of information about pen testing. You’ll need to pay for the exam and the study materials that come with it. There are other tests available, such as CompTIA’s PenTest+ and others, but the benefit of getting GPEN certified is that you get to connect to a community of expert pen testers as well as getting certified and educated.

Software Engineering Institute

Carnegie Mellon University (CMU) has long been a source of amazing security information. You’ll find information about risk assessments, pen testing, forensics, and security-based incident handling. The CMU site has a CERT landing page that hosts publications and other scholarly works about cybersecurity: CERT partners with industry experts (from areas such as the technology industry, law, government, and academia) to provide advanced studies and research on relevant topics.

Legal penetration sites

Legal penetration sites are variously hosted by groups that provide a realistic way for ethical hackers to learn real hacking skills on networks and systems that have been left in a semi-hardened state. If you run a search on Google for “legal penetration sites,” you will pull up reputable sources to find these sites. Cisco has information in their help forums, as do security magazines (another great resource) and other sites that host these penetration test hubs where you can hone your skills. If you can’t afford to set up your own lab environment for testing purposes, then seeking outside resources such as these can really help develop your skills.

Open Web Application Security Project

The Open Web Application Security Project (OWASP) was established in 2001 and is currently a not-for-profit organization that works on the foundation of group collaboration. OWASP is a group that embraces open source and does so with no affiliation of any kind. Their focus is on web application hacking and the security of applications, software, web apps, and programs. The frameworks, information, and resources provided help guide a pen tester into areas of risk and vulnerabilities surrounding applications, such as hacking APIs. This site can really help you better understand more in-depth details about programming and software hacking, and what you should seek to penetrate and exploit in these systems as an ethical hacker. The following image shows the top ten application security risks at any given time.

Tenable

Tenable makes Nessus, and you can visit the website for more information on vulnerability scanning, pen testing, and risk assessments. One of the greatest things you can find on the Tenable website is a series of tools and information primarily focused on pen testing. In their research papers are details on how to become a better pen tester. The image below shows the Tenable website, where you can download Nessus for trial use, or purchase a license for permanent use.

Nmap

Nmap is undeniably one of the hottest and most used tools for pen testing outside of Nessus and Metasploit. Contained in Kali, Nmap is a tool that can really do it all. On the website you will find advanced usage of the tool, including subverting firewalls, spoofing scans, getting around IDS, automation and scripting of the tool, and so much more.

Wireshark

Wireshark is one of the de facto tools in your toolkit and a primary source of information for troubleshooting networks, information gathering, or pen testing. Within the main website you will find tons of detailed information on how to use this tool. As well, the forums where engineers talk about issues and things they find are loaded with literally thousands of pieces of valuable information that will help you learn more about networking, TCP/IP, the Internet, and how packets and frames traverse a network. Need to learn more about ports, channels, communication, sockets, protocols, packets, headers, and so on? This is the site you need to go to learn more about these details.

Dark Reading

In today’s pen testing world, one of the go-to sites for security professionals is Dark Reading. Dark Reading provides information not only on old but also on breaking news stories geared towards an online community of security gurus and professionals looking for more information about topics like pen testing. You’ll find newsletters and feeds, and the sections on Attacks and Breaches can help you emulate scenarios in your pen testing, stay on top of trends, and conduct ethical hacks to test your security posture.

Offensive Security

From the distributors of Kali, Offensive Security is a company that specializes in doing penetration testing. Offensive Security offers penetration testing as a service, and they provide a certification as well. On this site, you can learn more about pen testing from the experts who do it day in and day out. You’ll find sample checklists, tools, reports, and a lot of the things you might want to emulate in your own pen tests.

What You Need to Know to be a Penetration Tester

Article / Updated 12-17-2021

Penetration (or pen, for short) testing is one of the hottest up-and-coming skills any IT professional needs to have. As more and more technology takes over our world, the need to ensure it’s safe and secure is at the forefront. Companies are actively looking for penetration testers and professionals with a background in IT security and the ability to do penetration testing. As a pen tester, you need a solid understanding of how an attacker can access your systems and how they can conduct attacks. You also need to know about security vulnerabilities as well as the penetration testing tools, techniques, and skills that today’s most elite pen testers use on a daily basis to conduct penetration tests that keep their company’s assets safe.

Skills needed for penetration testing

You’re going to need a wide variety of skills throughout your pen testing career, but the biggest (or most important) skills to have are in the realm of networking and general security. To be able to conduct a pen test with any amount of confidence, the more you know about security and network architecture, the better. For example, to run a basic pen test, you need to enter a network address or subnet range in your scanning tool. You also need to know the difference between vulnerability scanning and penetration testing: why they’re similar and how they’re different. The following image shows the basics of setting up an IP addressing range to scan and identify vulnerabilities. After you know the risks and weaknesses, you can then move into the details of how to exploit (pen test) what has been found so you can learn whether the technology is secure.

It’s also crucial to understand IP, protocols, networking, and other technologies related (and also not directly related) to security analysis because as weaknesses are identified (perhaps with a scan), you can then move to exploit them (pen test) no matter what technology you’re presented with (databases, mainframes, or virtualized systems, for example). No stone is left unturned as a pen tester, and you need to expect anything and everything. You are tested just as much as the systems you’re testing.

Additionally, criminal activity isn’t confined to computers. The Internet of Things (IoT) is an ever-expanding network of connected devices that includes, but is not limited to, tablets, phones, and smart home devices such as TVs and thermostats. You may not encounter all those devices working as a professional pen tester in the corporate world, but you need to be aware of all connected devices. And when you’re pen testing, take time to find out which devices could be affected, such as mobile devices and assets used by field staff.

Also be aware of a hacker’s reconnaissance procedures. Hackers often begin attacks by using general research techniques, such as Internet searches that point a hacker in a direction, to learn more about accessing your company. For example, a simple Whois search might provide an address. A DNS search or query could provide a clue. Google searches may help to identify paths of attack, URLs, domain names, IPs, email addresses, and more.

Basic networking

Basic networking includes, but is not limited to, understanding the OSI (Open Systems Interconnection) model. Knowing how data transits from one location (a sender) to another (a receiver) is key to being able to unwind how many attacks occur. It also includes knowing how routers, switches, hubs, load balancers, firewalls, intrusion prevention devices, and other network black boxes on the wire work. (Black-box security testing refers to testing software security from the outside in. Generally, the tester has little or no knowledge of the internal workings.) If you pen test a router, you need to know how it operates.

The TCP/IP protocol suite also falls under basic networking knowledge. The Transmission Control Protocol (TCP) and Internet Protocol (IP) control how computers connect to the Internet. The suite includes many of the protocols in the 7-layer OSI model. The Open Systems Interconnection (OSI) model is used as a logical framework to show how data travels from the source to the destination and back to the source through the many technologies that comprise the network, systems, and applications. It’s a model of standards that shows the under-the-hood actions of the technologies at each layer. The protocols used in a suite (such as TCP/IP) map to the various layers of the model and perform different functions. For example, FTP operates at a higher layer in the model than TCP or IP. The theory is that, if the lower layers don’t work, then the higher layer protocols won’t operate correctly. The OSI model allows you to troubleshoot problems in a workflow manner.

The image below shows a wire packet capture with a lot of the information you need to read through to conduct a pen test with a tool such as Wireshark. Here you can see packets that, once captured, can be decoded to tell you the details within them. Knowing these protocols, how and where they operate, and what is contained in the frames, headers, and other inner details of the packet is what will make you a great pen tester. If you run a pen test and it reports back, for example, that you have a vulnerability in telnet that’s sending packets back and forth in cleartext, you need to determine what path a hacker may take. You can more easily make that determination if you know how the protocols work, what is expected behavior, and what can be manipulated versus what could be impacted by a software bug. This way, you can test it yourself first to identify whether you have an issue that might need to be remediated or mitigated.

If you want to be a great pen tester, you should study more on TCP/IP. It’s the main protocol suite in use today across the world; when it was first put into production many years ago it came with many flaws. Its ease of use is one of the biggest flaws, along with the fact that security was an afterthought behind usability. Although today’s networks and systems can account for these flaws, there is always danger in the shadows. Study TCP/IP and all of its sub-protocols and how they work to get better at testing weaknesses in your enterprise.

General security technology

In the general security technology category are firewalls. Most scans against devices such as a firewall turn up little to no information. Knowing why is helpful to your report. For example, in a ping sweep, you ping the interface and find nothing because the firewall has disabled the protocol that responds. The image below shows a Cisco router firewall log that lists the source and destination IP addresses used to make each connection as well as a description of what that connection did. Another example is when you run a scan and find open ports in use on a web server in a DMZ behind a firewall that shouldn’t be. By examining the log of the firewall that sits in front of these servers, you can see what source IP address is attempting to make those connections. You can detail it as an active attack and prioritize it immediately to patch or fix. Other general yet important technologies to consider would be devices such as intrusion prevention and detection systems, load balancers, access control lists (ACLs) on routers and wireless access points, controllers, and mobile extenders. Each and every one of these devices can be exploited, and the more you know about them and how to review their logs, the better you are at identifying risks and conducting ethical hacking.

Systems infrastructure and applications

You must also be familiar with a company’s systems (servers, storage, and telecommunications) and the applications that run on them. This includes operating systems and the services they offer (name resolution services, remote access gateways, and IP address leasing). Pen testing any and all of these areas will show up on your reports. If you run a scan on a Domain Name System (DNS) server, you may find that it needs to be patched. If the server is a Microsoft Windows Server system, you may be able to download needed patches and apply them based on the report. You may also be running a UNIX or Linux system running BIND, which is a DNS name daemon or service. Either way, both may show up on your report as needing attention. Knowing what they are can help you direct attention towards not only how to repair them, but also which must be prioritized immediately. Web applications and web programming are also major areas that are exposed to vulnerabilities based on the logic needed to keep them running. Database servers running the Structured Query Language (SQL) may be subject to injection attacks. The operating systems that the services and applications run on also remain open to attack and need to be scanned and patched.

Mobile and cloud

Mobile technology is also a must-know endpoint technology, quickly replacing desktops and other devices. Mobile devices also travel to and from locations and absolutely must be addressed, whether the devices are company assets or company software and data are used on a personal device. There are challenges with this, which mobile device management (MDM) solutions help overcome. You might worry about testing them to make sure they’re secure, but you approach this like you approach all the other systems you’re accountable for — you scan, test, and report based on your findings and handle the risks as you identify them.

Cloud is another boundary IT security pros are trying to cross in the world of security and pen testing. Because cloud technologies fall under the purview of the cloud provider, as long as you’re working in conjunction with the cloud provider’s security team and they’re conducting pen tests, then you have achieved the same goal as if you did it yourself. You might face the fallout of mistakes or mishaps committed on the vendor side. Penetration testers need a wide variety of skills and knowledge, but they are essential to helping ensure the security of our IT infrastructure.

How to Perform a Penetration Test

Article / Updated 12-17-2021

After you complete the preparation work, you’re ready to do a pen test! Here you walk through the process of the penetration test and then look at the results of the assessment, as well as methods of prevention. Always be absolutely careful when you’re working on a live network in production. Even better is to use a lab to learn how to conduct a pen test prior to doing it on a live network. In the spirit of "measure twice and cut once," please make sure you are careful.

For this pen test you will be starting at the network edge externally and attempting to make your way inside via any weaknesses found outside the network perimeter. Here, you review each portion of the pen test so you can see a building block approach that you can adapt to future projects. Successful attacks might differ in their intentions and methods, but each successful attack essentially contains these actions, which happen in this order and which you’ll mimic during a pen test:

Infiltration. Just gaining access is fairly easy and straightforward: anyone with access to hacking tools, such as script kiddies, can run attacks all day, probing your defenses and looking for ways in, and if they are lucky enough, they get in. Infiltration means that an attacker had to connect to the technology they want to exploit. You want to make sure that you test and scan for vulnerabilities, so that anyone who is unauthorized is disallowed from connecting to a network they don’t belong to. This should at least minimize the number of attacks simply by limiting who is able to sneak past and connect at this first level of security. Defense in depth should start to thwart an attack here. Make sure that you disallow login access from devices that can be probed in this fashion. An access control list (ACL) can be configured on the device to tell it to only allow access from trusted IPs.

Penetration. Once access is gained, another level of access can be gained. This hop-by-hop strategy is used by more experienced hackers who can gain access (via malware, for example in the form of a Trojan horse) and then launch another attack or move to another segment of your network looking for more access or data. By attempting to spoof, connect, gain access, raise and escalate privilege, assume the roles of other systems, and get in the middle of conversations, the attacker is able to potentially do a vast amount of damage. An attacker could have carried out an advanced persistent threat (APT) and conducted eavesdropping that may have provided them more passwords or data. By running tools such as Burp Suite, Nessus, and Wireshark you can assess these vectors and ensure that access is limited in this area.

Exploit. At this stage, the hacker builds upon the previous level: access to systems and to data is actually achieved or granted, and something of value can be garnered from the attack. Exploit is when the attacker has conducted the attack to gain and assume control; the next step is to actually carry out the exploit: steal data, take credentials, lie in wait for an APT, and do what they do. You can conduct similar attacks to see whether tools can flag these types of attacks taking place and how the security team can better monitor (and respond to) them.

Conduct an advanced persistent threat. The final level of this multilevel attack is the APT. To gain access, maintain it, have the ability to move around, and eventually gain access to valuable data while remaining undetected is the most valuable attack of them all.

Exfiltration. If they’re able to do the previous steps and vanish without a trace, they have been highly successful in their attack. You want to do the same as a pen tester and see whether you can set up ways to identify whether someone has been in the system without your knowledge. In the scenario with Company X, finish your pen test with an exfil and see whether any systems picked up a trace of your ability to access.

Company X, a technology company publicly traded on the market, is a medium to large sized company with approximately 10,000 employees. The target will be data held internally, such as trade secrets on new technology development (research and development) that may be awaiting patents, sales data, or marketing information that has yet to be released to the public. You know the name of the company, and you want to launch a pen test to see whether you can find where this data may be located and/or saved. Here are the steps (and remember to document what you do and what you find as you go):

1. Find out where the data is stored. For the example of Company X, you’d do some preemptive reconnaissance work. You discover that the corporate data center and its mirror are in Colorado and Texas.

2. With location information in hand, track down the phone numbers at the main site and start probing from spoofed phone numbers. You can simply call the help desk and claim to be an internal resource looking to open a ticket and gain helpful information, such as source IPs (so you can get an actual IP address range for the internal network) and some other target information.

3. To gain access externally, use the WHOIS database for the DNS and locate a public IP address that you may be able to scan. The following image shows an example of looking up public information to gain some valuable insight when trying to find an attack vector. Here, if you run a search on a domain, you may be able to find name servers that may be located on their network. Not all companies do this, but this might provide a clue.

4. Run a ping to get the IP address from the domain name.

5. Start to run Nmap or another tool against that IP. The goal is to find a public IP address or range to scan with your network mapper, such as Nmap (included in Kali), which can help to give you some access into the network.

6. Once in, find a way to access your targets. The target in this case is internally held data. Some of the easiest and most common ways to get the data are these:

6.1 Deploy a piece of malware into the network via email or other means. When users click it, you can gain access to their machine via a Trojan horse and from there you can control it like a zombie to do more reconnaissance work.

6.2 Brute-force attack a router (as an example) on the edge of a network you’re scanning to see whether you can gain access by password cracking. In this scenario, say a router is left with HTTP configured and you can probe it with Kali’s xhydra, shown below. Using this tool, you can find the router’s username and password and can now enter and gain access.

7. Once access is gained, get console access and then telnet or SSH to the device. The goal here is to use the device as a springboard into the next target that you identify. When you have console access, look at the routing table, ARP table, configuration, and other items to develop a manual map of what can be seen.

8. Start to scan, map, and identify the rest of the network looking for assets. In the following image, a manual map has been created to reflect the pen tester’s expectations from this first router hop.

9. Begin an APT, a long-term engagement. At this point in the test, you have done enough to begin an APT. You can lie dormant inside the network and remain undetected for the purpose of continuing research and removing more information. Moving from one device to another, a Unix server has been found (which looks like a dual node cluster) at 10.1.2.10 and 10.1.2.11. Here the pen tester has probed ports and found a possible database port open that may be accessible.

10. Get out. You have successfully gained access using tools, from basic identification of a possible entry point, built a map, and found a potential database that you can continue to manipulate to get more (hopefully valuable) data. At this point, you have proved enough that this pen test was successful and can disconnect from the system or get out by shutting down the tool or connection to the system.

Next steps to take after your penetration test

Although it may look like this hack took about five minutes to do, it can take much longer than that. It may take a week to get valuable information that allows you to probe a perimeter network with a public IP address. It may take days to crack a router if it is even set up to answer to non-specified IPs it doesn’t know. It can take a long time to get to the next hop, which you may not be able to reach as well. After you get through these edge devices, you may have a firewall that tracks your movement or flags you as a threat. Host intrusion detection system (IDS) applications such as Tripwire may flag your probes of a critical database system that requires priority protection.

This attack may take a long time (for many reasons) for anyone to perform when coming from the outside in. Many hacks come from the inside because, when there is an avenue inside to take, it reduces the time and effort spent just in gaining access. Can it be done? Absolutely, and that is why you do vulnerability assessments and pen tests: to find and close every single one of the holes you identified.

What would detection look like if you are caught in the system mimicking a hacker? Well, because you’re performing a test, you would likely have given notice that you would be in the system. However, if running a test undetected, you stand the same chance any hacker would of being caught in a system and either terminated (your connection) or left alone, based on the protocols of the incident response team.
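Once Nmap has listed the open ports on the hosts you found, the defensive follow-up is to compare each host's open ports with what that host is supposed to expose, which is how the open database port on the 10.1.2.10/10.1.2.11 cluster in the walkthrough would be turned into a finding. The script below is an added example, not code from the article and not Nmap's own: it parses Nmap's grepable (-oG) output and reports open ports missing from a per-host allowlist. The scan text, the host roles and the allowlist are constructed; the addresses are reused from the walkthrough.

```python
"""Flag open ports that a host is not expected to expose, from Nmap -oG output.

Added example (not from the article). The scan output and the per-host
allowlist below are constructed; adjust EXPECTED_PORTS to the services
each host is actually supposed to offer.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `nmap -sS -p 22,80,443,3306,5432 -oG -` output
# for the two cluster nodes from the walkthrough (illustrative, not real scan data).
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sS -p 22,80,443,3306,5432 -oG - 10.1.2.10-11
Host: 10.1.2.10 ()\tStatus: Up
Host: 10.1.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 5432/open/tcp//postgresql///\tIgnored State: closed (2)
Host: 10.1.2.11 ()\tStatus: Up
Host: 10.1.2.11 ()\tPorts: 22/open/tcp//ssh///, 3306/filtered/tcp//mysql///\tIgnored State: closed (3)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# Constructed expectation: TCP ports each host is allowed to expose.
# Anything open beyond this list is a finding for the report.
EXPECTED_PORTS: Dict[str, Set[int]] = {
    "10.1.2.10": {22, 80},
    "10.1.2.11": {22},
}

# One port entry in the "Ports:" field: port/state/proto//service///
PORT_FIELD = re.compile(r"(\d+)/(open|closed|filtered)/(\w+)//([^/]*)///")


def parse_gnmap(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Return {host: [(port, proto, service), ...]} for ports Nmap reported open."""
    results: Dict[str, List[Tuple[int, str, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comments and blank lines
        host = line.split()[1]
        results.setdefault(host, [])
        if "Ports:" not in line:
            continue  # "Status: Up" lines carry no port data
        ports_part = line.split("Ports:", 1)[1]
        for port, state, proto, service in PORT_FIELD.findall(ports_part):
            if state == "open":
                results[host].append((int(port), proto, service))
    return results


def unexpected_open_ports(text: str, expected: Dict[str, Set[int]]) -> Dict[str, List[Tuple[int, str]]]:
    """Map each host to the open ports absent from its allowlist.

    A host missing from `expected` is treated as allowed nothing, so every
    open port on an unknown host is reported (unknown hosts are findings too).
    """
    findings: Dict[str, List[Tuple[int, str]]] = {}
    for host, ports in parse_gnmap(text).items():
        allowed = expected.get(host, set())
        extra = [(port, service) for port, _proto, service in ports if port not in allowed]
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    for host, extra in unexpected_open_ports(SAMPLE_GNMAP, EXPECTED_PORTS).items():
        for port, service in extra:
            print(f"{host}: tcp/{port} ({service or 'unknown'}) is open but not on the allowlist")
```

Run against a real scan with `nmap ... -oG scan.gnmap` and pass the file contents to `unexpected_open_ports`; the filtered port on the second node is deliberately not reported, because a filtered port is not reachable and the allowlist check is about exposure, not about every probe result.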

Penetration Testing with Burp Suite and Wireshark to Uncover Vulnerabilities

Article / Updated 12-17-2021

As a pen tester you need a solid understanding of how attackers operate and how potential attacks occur. Here, you discover a few items you need to make sure your system, identity, session, or other form of communications are not assumed by an attacker. Many of these tools, such as Kali, Nessus, and Wireshark, should be in your penetration testing toolkit. What makes assumption attacks so difficult to detect is that when they’re pulled off correctly, the hackers act like a pen tester, security analyst, or the CEO of the company! They can infiltrate quickly and be gone before you know there was a breach. For this reason, the lessons learned will highlight the need to harden (fortify) systems as the best form of defense against these types of attacks.

Burp Suite

Burp Suite is a web security pen testing tool that allows you to conduct web vulnerability scans as well as other types of scans to identify issues with cross site scripting (XSS), SQL injection, cross site request forgery (CSRF), and other advanced web attacks. It also includes the Burp Proxy, which allows you to capture and intercept all requests sent and responses received between a web browser and a target system or application in order to conduct session hijacking and eavesdropping attacks. Here, the examples are simple, but you can customize Burp Proxy for more complex scenarios. For example, you can have it generate certificates signed by its internal Certification (or Certificate) Authority (CA).

Burp Suite generates the tests that show how vulnerable your web architecture is. Web architecture (say, Amazon’s shopping cart) consists of three tiers:

Tier 1: This is client facing and generally called the web tier, and it is exactly as it sounds: you access a web page as a client and browse the web.

Tier 2 (or N tier): This is the middleware tier where many of the cross-connection technologies exist, such as COM and COM+ components, application functions, and other software that provides functionality to the web access layer and helps to further connect users to the database tier. For example, in a shopping cart, the actual shopping cart software may reside on the middleware. Some applications have architectures that collapse or expand into other tiers; those are called N-tier architectures, where N is any number more than 2.

Tier 3: This tier is where the databases for all transactions are stored and conducted. It’s where an attacker finds the most useful information, such as credit card numbers, account information, and other valuable data.

The following image shows this tier architecture. Using Burp Suite or another pen testing tool, you can start to see where an advanced persistent threat (APT) attack, MiTM attack, or other assumption can be very valuable for both parties. For the attacker who gains access, there’s a treasure trove of valuables to acquire. The pen tester might just be able to find the weaknesses before the hacker does.

With Burp Suite, you can set up a proxy that allows you to test your web architecture by routing all web traffic through it. You can then conduct an MiTM scenario that allows you to capture (and further analyze) all traffic back and forth to find any weaknesses, looking for areas where hackers have the potential to conduct replay attacks, eavesdrop, gather data, and find injection points. After you have this information, your next step is to tighten security. If you can get Burp Suite running these pen tests, you have encountered one issue: can a hacker do the same? If you then run it and find weaknesses, you have a second problem to address, which is the culmination of a pen test report on the weaknesses that are found.

Other advanced attacks you can find using the Burp Suite tool are SQL injection attacks, cross-site scripting (XSS), fuzzing attacks, and others. A tool such as Burp Suite really focuses on these areas in particular, so if you’re conducting more advanced-level tests on web applications, Burp Suite can help you identify those threats more easily.

Wireshark

Vectors, the paths and places where hackers can exploit a weakness, are just as important as the penetration itself. Wireshark gives you the ability to find vulnerable vectors. The image below shows how a hacker can use Wireshark to divert legitimate traffic from the user (victim) to the server or resource being used. The gateway to more advanced level attacks is gaining access in the first place. Because of this, you need to see firsthand what gaining access from the vector of network access can provide you.

Consider the scenario shown above. You’re either playing the role of hacker or pen tester. How can you connect to the network to get in the middle of this conversation? The picture is actually simplified. Quite a few steps need to take place for that to happen. Here are some key considerations to think about before you pen test:

You need to have a computer with Wireshark installed. This is likely the system you use with your pen test toolkit on it. This way you have your tools available to test with.

You need to connect to the network that the systems you want to interrupt and the data you want to intercept are riding on.

You need to connect to the network in a way where you can be undetected and remain so. You might want to assume the IP address of a computer (IP spoofing), so you can appear to be the victim and/or the resource, based on the vector of your attack.

You can run Wireshark and have a network interface card (or NIC) running in promiscuous mode, so you can capture all traffic on the network, not just the traffic intended to be sent to you. You need to do this in a switched environment where the communications are controlled.

You can run the capture on a computer and have enough space to capture the data on your toolkit system. The only alternative to this is to know exactly when the communication will take place, to shorten the capture, or to set up a capture filter with the specific details of the source and/or destination IPs that will send and receive traffic.

You need to filter for and isolate the communications to review the captured data.

You can set up new tests (or hacks) based on what you previously captured.

Penetration tests are only beneficial if you take measures to eliminate your vulnerabilities.
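The SQL injection finding Burp Suite reports against the database tier comes down to how the middleware builds its query. The following is an added example of mine, not code from the article or from Burp Suite: it runs the same product lookup two ways against an in-memory SQLite table standing in for tier 3, once with the query string concatenated from user input and once with a bound parameter, so the difference a scanner's crafted input produces is visible, along with the fix. The schema, rows and product codes are constructed.

```python
"""Tier 3 lookup: string-built query beside its parameterized form.

Added example, not from the article or from Burp Suite. The products
table and its rows are constructed; `public = 1` stands in for the
authorization rule the query is supposed to enforce.
"""
import sqlite3
from typing import Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the database tier (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT, name TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("A100", "Public widget", 1), ("B200", "Unreleased gadget", 0)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, sku: str) -> List[Tuple[str, str]]:
    """Query text built from user input: the pattern an injection scan flags."""
    query = f"SELECT sku, name FROM products WHERE sku = '{sku}' AND public = 1"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, sku: str) -> List[Tuple[str, str]]:
    """Same lookup with a bound parameter: the input is data, never SQL."""
    query = "SELECT sku, name FROM products WHERE sku = ? AND public = 1"
    return conn.execute(query, (sku,)).fetchall()


def compare(sku: str) -> Dict[str, List[Tuple[str, str]]]:
    """Run both forms on one input and return what each one hands back."""
    conn = make_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, sku),
            "safe": lookup_safe(conn, sku),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal lookup behaves identically either way.
    print(compare("A100"))
    # The kind of probe a scanner sends: a quote that ends the string literal
    # and a comment marker that discards the public-only filter. Only the
    # string-built query lets the non-public row through.
    print(compare("A100' OR 1=1 --"))
```

The point for the report is the second call: the vulnerable form returns the unreleased product because the `public = 1` condition has been commented away, while the parameterized form returns nothing, since the whole input is compared as one SKU value. Fixing the finding means moving every query the scanner flagged to the parameterized shape; escaping the quote by hand is not an equivalent fix.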

Building a Penetration Testing Toolkit: Considerations and Popular Pen Test Tools

Article / Updated 12-17-2021

Every pen tester needs a solid toolkit. There is no one size fits all when it comes to penetration testing. Keep these considerations in mind as you’re building your toolkit:

The toolkit you create will be on a portable device. A laptop or portable workstation provides you with the best outcome.

You need to connect to networks to conduct tests. Your network connections should be robust, and you should have a wired as well as a wireless network interface card (NIC) or antenna.

It takes some time (and effort) to build a really good and high-quality toolkit.

Be wise in selecting the operating system you will use. For example, there is a wide amount of support for Windows and Apple OS; however, Linux allows for the greatest variety of tools used in their native environment. You can also set up a virtual machine to launch your tools.

Make sure you keep your toolkit system secure. You don’t want your tools ever used for malicious activities.

The tools you use and the kit you build need to be as dynamic as the attacks, threats, vulnerabilities, and issues you find along the way. There is nothing static about information technology and all of its moving parts. For example, code changes when it’s upgraded to newer versions, potentially introducing bugs. Your toolkit is no different. Keep your toolkit updated and free of issues.

Download and set up your tools from reputable sources to avoid malware. As an example, you might use Google to find a tool such as Nmap, and it might take you to a place where you download and install a Trojan horse application instead. Look for software that has been around a long time and is owned by a reputable company. Ideally, you want software from a company that invests time and money into the operation and upkeep of the tool and also has a great support structure. Is the software supported? If something happens, can you get help?

Following, you’ll find some reputable tools that you can easily download and that will be useful throughout your pen testing career.

Nessus

Let’s start with Nessus because it’s one of the most commonly used tools in penetration testing and you’ll definitely want to get familiar with it. This image shows a scan produced from Nessus. Nessus allows you to scan hosts on your network, and the tool also lets you know whether there are concerns in the form of known risks, vulnerabilities, and exploits. Nessus offers a free trial to try before you commit. Take advantage of that offer to see whether the tool suits you.

You can go to Tenable to sign up for an account and download Nessus. Be sure to select the Nessus professional executable and select either 32- or 64-bit, based on the hardware or software install you have. Tenable sends you an activation code. Once you register and have a key, insert the key and create a set of credentials to use with the tool. This is what you use to log into your Nessus console to run scans and get reports. If you install this on a local system (such as the one you run your toolkit on), it installs as part of localhost and is accessible at https://localhost:8834. Here’s how to get started with Nessus:

1. Open the Nessus console by going to the link provided or opening the Nessus Web Client. This image shows the output from a scan that was conducted against a network router on a local subnet.

2. To create a new scan, select My Scans from the navigation pane on the left side of the console, and then Basic Network Scan from the template selection. Over a dozen templates are available for advanced scans, cloud scans, and other types. But for now, you can stick with a Basic Network Scan.

3. Enter the information requested, such as the name of the scan and the hosts to scan.

4. Save your scan, close it, and retrieve it from My Scans to repeat the scan post remediation and/or when it's fixed as per the risk register.

Wireshark

Wireshark is a tool that can look at data and show you the various communication paths that exist, including those that are not authorized. Wireshark is one of the most powerful penetration testing tools out there. You use the tool primarily to capture data from your network, so you can analyze it. You’ll need to be able to decode the information that you capture with it. Wireshark is good for conducting vulnerability assessments and finding risks. With this tool, your machine grabs packets promiscuously off the network, where you review them. This information can be very valuable. Imagine being able to see what is traversing a network you’re responsible for. As you can imagine, hackers often use this information to exploit a network and its hosts.

Although labeled a protocol analyzer, Wireshark functions as a vulnerability scanner. Its primary functions are to capture and filter traffic on a network and perform deep inspection of captured packets and protocol analysis. The way it works is simple. It sets up your wired or wireless interface cards on your toolkit system to promiscuously sniff and capture network traffic. The following image shows simple output from Wireshark; it clearly shows Secure Sockets Layer (SSL) in use, protecting the traffic.

Download Wireshark from wireshark.org. Select which version you’d like based on your system architecture and then follow the installation instructions. Select all defaults to include WinPcap, which is the API (application programming interface) required to install Wireshark. To use Wireshark to run a vulnerability scan, follow these steps:

1. Launch the Wireshark tool from your start menu. The Wireshark Network Analyzer launch pad opens.

2. Select the interface you want to use.

3. Capture packets, and then stop the capture and save it when you have collected enough information to run your review. Select Start Capture from the toolbar or the Capture menu.

4. Run the capture briefly to find what data is traversing your network. You can select any packet captured and drill down into it.

Now you can use Wireshark for the following purposes:

Look at passwords and ports in use. With the data above, you can see whether any passwords were sent in cleartext. You can look at the hexadecimal output in the packet window and see that it’s all encrypted, leaving passwords masked away from hackers. You can also see what ports are in use, what the source and destination IP and MAC addressing in use is, and many other details that provide clues to either a risk-free network or things you should be concerned with, such as passwords sent in cleartext. This is also known as a password capture hack that a Man in the Middle (MiTM) attack may produce.

What hosts are communicating with other hosts: You can look at the endpoints communicating back and forth. You can see whether any hosts are more in use, which makes them more vulnerable to hackers. You can then scan them with Nessus and secure them if needed.

Test FTP access: An FTP session to a remote host can very quickly expose cleartext passwords if you’re not careful. By conducting this test, you can quickly create a process in which all users must use Secure FTP (an encrypted FTP tool) to mitigate risk and secure your users and systems.

Kali Linux

Kali Linux is a toolset, part of a Debian-based Linux distribution, purpose-made for pen testing, vulnerability scanning, and forensics. It includes security tools (such as Aircrack-ng, Armitage, Burp Suite, Cisco Global Exploiter, Ettercap, John the Ripper, Kismet, Maltego, Metasploit framework, Nmap, OWASP ZAP), social engineering tools (Sqlmap, Wireshark, Hydra), and reverse engineering tools (Binwalk, Foremost, and Volatility). You can download it directly to your Linux install, or you can download it to a virtual machine (which is what I’m doing for the purpose of this book) from Offensive Security, which packages it with either VMware or VirtualBox software. There are directions to do either directly from kali.org, based on which one you’d like. You can install many of the tools that come with Kali independently, but it's a good idea to install the complete toolset. You’ll use many of them.

Before you download Kali, make sure you have a system large enough to handle it and the required memory to run the applications. It generally takes more than three gigabytes to install. Kali.org recommends a minimum of 3.8GB hard disk and 2GB of RAM to install Kali. The following image shows a console in Kali with the preloaded tools ready to go. For this example, a tool called tcpdump was used to sniff the network traffic coming through the network to and from the source computer to multiple destinations.

Kali is a Linux install, and it’s unforgiving. Everything is case sensitive; for example, nmap or tcpdump. Typing Nmap or TCPdump is incorrect. To start using Kali, follow these steps:

1. Find your Kali install through the Applications menu. There are top ten tools, information gathering, and sniffing/spoofing tools (like Wireshark) all found within. When you have time, be sure to explore them all.

2. Choose the Vulnerability Analysis category and then nmap. Or you can open a console and type nmap. Nmap (short for network mapper) is a pen testing tool that allows you to find and discover hosts on the network or, if you know about one, point Nmap to it so it can scan it for vulnerabilities.

3. After you run a scan of the network, examine the output. Nmap lists the various open ports found on various hosts, as shown below. An attacker can gain access to these ports. You can track down which should be open and which shouldn’t. For example, port 80 is generally used for web traffic and almost always left open. Port 22 is used for Secure Shell (SSH) and is an encrypted telnet method. To learn more about ports and see which ones are configured by default, visit the iana.org website.

Nmap

Nmap is a network mapper that’s used to discover hosts and services on a computer network. It does so by sending packets and analyzing the responses. (You can download and install Nmap for Windows.) In the image below, one pen tester used an example of a possible SYN stealth scan to probe TCP ports for them to answer, thus producing a map of the network within the tool. When you finish mapping the network, you can study the topology map to find places you might want to secure from hackers who are looking for jump-off points to get around your network and into other areas or secure hosts. Hackers don’t always come in from the outside through your firewall; sometimes they’re sitting in cubicles inside your network running a tool just like this, looking for holes.

Zenmap is just the front-end GUI shell for the console-based Nmap tool (as found in Kali), and it runs Nmap on a Windows desktop. On the Nmap Output tab is the syntax used by the GUI, which you can use in the console-based Kali version to get the same effect. It’s a way to dummy-proof yourself in learning the many, many ways to get Nmap to work, especially in a Linux system.
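The "Test FTP access" review in the Wireshark section above, and the advice there to narrow a capture with a filter on host and port, can be turned into a repeatable check rather than a manual read of the packet window. The following is an added example of mine, not code from the article or from Wireshark: the packet records are constructed to resemble what a capture filtered to FTP control traffic yields (source, destination, destination port, decoded payload), and the check reports each session that sent USER/PASS in the clear while ignoring a session that upgraded the control channel with AUTH TLS before logging in. The addresses and account name are made up; the password value is deliberately never copied into the finding.

```python
"""Flag cleartext FTP logins in captured control-channel traffic.

Added example, not from the article or from Wireshark. The capture below
is constructed: one client logs in over plain FTP, a second one issues
AUTH TLS first (after which its payloads are opaque), and a third packet
is unrelated HTTPS traffic that the port filter must drop.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: str  # decoded TCP segment text; "" when encrypted or empty


# Constructed capture (not real traffic).
SAMPLE_CAPTURE: List[Packet] = [
    Packet("10.0.0.5", "10.0.0.20", 21, "USER alice\r\n"),
    Packet("10.0.0.5", "10.0.0.20", 21, "PASS hunter2\r\n"),
    Packet("10.0.0.5", "10.0.0.20", 21, "LIST\r\n"),
    Packet("10.0.0.7", "10.0.0.20", 21, "AUTH TLS\r\n"),
    Packet("10.0.0.7", "10.0.0.20", 21, ""),   # TLS handshake and everything after it
    Packet("10.0.0.9", "10.0.0.30", 443, ""),  # HTTPS, not FTP control traffic
]


def capture_filter(packets: List[Packet], dst: Optional[str] = None,
                   dport: Optional[int] = None) -> List[Packet]:
    """Narrow the capture the way a capture/display filter would, by host and port."""
    return [p for p in packets
            if (dst is None or p.dst == dst) and (dport is None or p.dport == dport)]


def find_cleartext_ftp_logins(packets: List[Packet]) -> List[Dict[str, str]]:
    """Return one finding per (client, server) pair that sent USER/PASS unencrypted.

    The password itself is not recorded: the finding needs the session and
    the account, not the secret, and the report should not carry captured
    credentials around.
    """
    sessions: Dict[Tuple[str, str], Dict[str, str]] = {}
    upgraded: Set[Tuple[str, str]] = set()
    for p in capture_filter(packets, dport=21):
        key = (p.src, p.dst)
        if key in upgraded:
            continue  # control channel is encrypted from AUTH TLS onward
        line = p.payload.strip()
        if not line:
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
            upgraded.add(key)
        elif verb == "USER":
            sessions.setdefault(key, {})["user"] = arg
        elif verb == "PASS":
            sessions.setdefault(key, {})["password_seen"] = "yes"
    findings: List[Dict[str, str]] = []
    for (src, dst), info in sessions.items():
        if "password_seen" in info:
            findings.append({"src": src, "dst": dst, "user": info.get("user", "?")})
    return findings


if __name__ == "__main__":
    for f in find_cleartext_ftp_logins(SAMPLE_CAPTURE):
        print(f"cleartext FTP login: {f['src']} -> {f['dst']} as {f['user']}")
```

A finding here is the evidence behind the recommendation the section makes, that users move to an encrypted FTP variant; re-running the same check on a capture taken after the change is the retest.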

How to Structure a Pen Test Report

Article / Updated 12-17-2021

Your pen test report should come from a combination of the tools you use (some generate reports) and your own written work to explain overall health of the environment. A pen test report comprises any sections outlined in the scope of the project, but this list shows sections that commonly appear: Executive summary: The executive summary briefly summarizes all of the key details of the report. It will speak to the reader in a way that lets them know what steps were taken, what the report ultimately found, and an overview or highlight of next steps, which might include recommendations. Tools, methods, and vectors: This section covers the tools you used and the methods you chose to conduct the pen test. In addition to providing a general outline or narrative of your ethical hacks, also detail the paths you took with detailed step-by-step attack patterns and selected vectors. Detailed findings: This is where you will list all security risks, vulnerabilities, penetration points, threats, and concerns. Include the technical aspects of each finding in detail. Conclusion: This section of the report reiterates the executive summary but with a focus on the next steps. Recommendations: Although your job is ultimately to do the pen test and assess the health of the organization’s overall security posture, you might be additionally responsible for providing guidance on ways to improve the security. If so, put those in a separate section and be as detailed as possible. Appendix: Include this section for charts, logs, and any information that falls outside the project scope but which you think could be helpful. This list shows how some penetration test reports are structured to give you a starting point. Your company may have specific ways in which they would like you to report, or you can find other examples online that can give you more ideas to choose from. Executive summary The first part to consider in your penetration test report is your Executive Summary. 
A summary becomes an executive summary when you conduct a summary response in an organization that is likely read by the executive leadership staff. For those of you who work in penetration testing and other technical fields, many times you have very little time to speak with and meet with senior executives so think of the executive summary as an elevator pitch. You need to very quickly and concisely talk to your goals, outcomes, and provide a high-level view of key findings. Keep details for the body of the report, not in the summary. Overall, the goal of the summary is to let the reader know what steps were taken, what was ultimately found, and next steps. If these are the details of a pen test, an executive summary might look like what’s shown below: A company-wide issue with all Apache web servers that can be accessed remotely without a required patch (more suited for the body in findings). You have or had a goal to identify whether your company-wide web architecture was secure for the upcoming holidays because the company relies on the integrity of these systems to be profitable in the fourth quarter. This (as noted) is only a suggestion; however, it fits all audiences. I didn’t get into details about patches, vendors, systems names, technical jargon or any other albeit important, but unnecessary information for the executive summary. Those details can be added into other sections and appendices. Another one of the biggest items to consider for the executive summary is scope. This should read very clearly in the first part of your report. The pen test report covered that a scan was needed and completed. The pen tester didn’t get into what vectors were chosen, tools used, methods and so on. The pen tester had to identify the web architecture because that was in scope. The pen tester didn’t have to scan every part of and pen test the entire enterprise’s technical footprint. 
The scope of the pen test was to identify whether security posture was high on the web architecture, and that’s what the pen tester included in the summary. Tools, methods, and vectors This section of the report is where you can get more detailed, covering the tools that were used, what methods were chosen to conduct the pen test, paths taken, attack patterns, vectors selected. You can also write a general outline or narrative of the ethical hacks. The following image shows an example. You can either detail or map the specifics of what paths or vectors you took, what tools you used, and any specific methods of attack. This can be considered the attack narrative. This image shows an example of what this section may look like. Depending on the length and complexity of the pen test, this section can continue on with a step-by-step (or hop-by-hop) layout of the attack narrative and how certain information was found based on the assessment. The specifics here can really help to build a technical map for other teams you might collaborate with to address the risks. You should always assume other technical teams (with permission of course) may be reading your report to help mitigate the risks. You are the pen tester, but the system administrator will likely be the one who needs to patch the DNS server that’s providing zone transfers. The report findings may need to go to the SQL database administrator (or developers) who can help to fix the DBs to stop injection. These folks work with the risk register to close out the items prior to retest. Detailed findings All security risks, vulnerabilities, penetration points, threats, and concerns with a list of all technical aspects of each finding are provided in detail. This is the part of the report that allows you to really dig deeply into the specifics of your findings. If you were able to penetrate a specific port and IP address combo or thwart a router’s security, all that should go into detailed findings. 
You can also use the notes created and the tools report and audit output for help building your main report. The biggest difference between this section and the one previous is that this is where you can place the items identified and outcomes from the attack narrative. In this example, you may want to use the Metasploit audit logs to show all the vulnerabilities identified. You may want to show the specifics of the logs (in minute detail) where you found the zone transfer issue. You should show all details; however, if it seems to be too much information, you can choose to summarize for the sake of brevity. Be cautious so you don’t remove information that is needed for your report. It’s these details that allows the technical teams to not only fix what you found in the pen test, but also identify any and all other issues that may be (or not) relevant to the conducted pen test. For example, your goal (in scope) may have been to protect web architecture, but the technical teams found that all of the Windows Servers are missing critical patches that help mitigate other issues that the tools may have found. You don’t want to overwhelm anyone, confuse the report, or stray too wildly from the goal/scope, but you’re beholden to inform those of any and all security infractions you identify along the way. Cover those details that fall outside the project’s scope in the appendices. Conclusion The Conclusion section takes everything you compiled into your report and succinctly wraps it up with a focus on next steps if any. Repeating what you wrote in the executive summary can be okay, as long as you switch the focus to next steps. You can of course outline next steps in the body or anywhere else in the report, but the conclusion at the end should take one last look at next steps holistically and purposefully. As you can see, the next step is to do a retest to ensure that any documented changes, fixes, risk avoidance, or compliance items were handled and done so correctly. 
A retest proves that.

Recommendations

As a pen tester, you may need to supply help to those who need it, depending on the scope of the project or the size of the company. Smaller organizations may ask you to help fix what you found; if you can, add this to your report, either as a separate section or within the detailed findings. The detailed findings, appendices, and recommendations can be repurposed and reorganized based on what your report needs; a recommendations list could also live in an appendix.

Recommendations should be made if they are in scope. Not all pen testers are required to recommend how to fix the items they found. Should you know how to fix what you identified? If you want to learn more about security and become a better pen tester, then the answer is yes, but that doesn't mean it needs to be in the report you submit. If it is in scope, then by all means create a list of the actions you believe the company or organization should take to mitigate the risks you identified.

Appendix/appendices

Many reports have extra information that may or may not be fully relevant to the scope or goal of the pen test. Place such information at the end of the report in an appendix or appendices (if you have several). Other information that can go here includes port charts, maps, full audit or tool logs, and other items that help those using or reading the report.

Want to learn more about pen testing? Check out these ten penetration testing sites.

The Goals of Penetration Testing

Article / Updated 12-17-2021

The ultimate goal of penetration testing is to test your technology assets, their safeguards, and their controls by trying to penetrate any configured defenses. But pen testing can be broken down into smaller individual goals.

Pen testing, although a hot topic, isn't a new concept, nor is it an incredibly difficult one. The underlying technologies, concepts, and techniques can go very deep, but conducting a pen test can be straightforward if you're trained and have the right knowledge. The breadth of pen testing is where the complexity grows: networks, systems, infrastructure, mobility, and cloud architecture all stretch what needs to be assessed. That requires you to look at every aspect of everything your client, company, or business is accountable for.

Protecting assets through pen testing

Your goal as a security analyst (one of the good guys) is to keep the bad guys (hackers) out of things they should not be in. It's important to protect assets so that they can't be damaged or corrupted (rendering them unusable), altered, infected (with a virus), stolen, hijacked, or subjected to the myriad other threats that could happen. This list breaks down various security scenarios by industry type:

The banking industry: Money can be stolen, moved to other accounts, or debt added to others.

Credit card industry: Identities are stolen, and that information is used to penetrate accounts that hold money or credit that can be used.

The sales industry: Patents and designs can be stolen and products manufactured by foreign competitors, causing businesses to fail and stock prices to drop (or rise) depending on the hacker's intention.

Health industry: Electronic medical record systems can be infiltrated to change, gather, or corrupt information.

Power industry: The power grid needs to stay online so that government, private industry, and residents can access energy to carry on daily tasks.
Military (and other governmental) industries: Secrets need to stay secret, and information needs to be protected to prevent harm.

You can be proactive by conducting daily, weekly, monthly, quarterly, and yearly tests to find weaknesses that can be monitored or fixed.

Identifying risks with penetration testing

Risk is another important word to define before discussing vulnerabilities in your systems. What is at risk is the technology that runs much of our world today and the data that resides on that technology. By testing the technology, pen testers reduce the risk of it being exploited and causing harm. Risks run the gamut in how much damage might be done if they aren't mitigated properly, and you don't handle all risks the same way:

A small, identified risk: You know there is a problem, but you accept the risk because you can't fix it at this time. Maybe a patch is not yet available from the software vendor and you need to wait.

An identified risk to monitor: You identify a risk and monitor it, but a penetration and exploitation would lead to very little harm. An example might be slightly hurting the company's reputation by upsetting a few clients who rely on systems that were temporarily unavailable. This risk is low level. There are also situations where a vulnerability can't be exploited, and it makes sense to monitor it. Other vulnerabilities can be exploited and are of very high priority (and risk), and therefore must be monitored until they're corrected, which may take some time.

An identified high risk ripe to be exploited: This risk is likely to be exploited and may cause financial loss, serious reputational damage, or worse, a loss of life.
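The three handling levels above (accept, monitor, fix) as they would be tracked in a risk register that carries the weight assigned to each risk, its priority, and its owner, with a close-out step that requires the retest the report article calls for. This is an added example, not code from the article or from any product it mentions; the likelihood/impact scale, the score thresholds, and the sample findings are assumptions constructed for the demonstration.

```python
"""Added example, not from the article: a minimal risk register.

Each finding is weighted as likelihood x impact and mapped onto the three
handling levels described above (accept, monitor, fix).  Closing an item
requires the retest note that proves the fix.  Scale, thresholds and the
sample findings are assumptions constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class RiskEntry:
    entry_id: int
    category: str           # e.g. "Security", "Network", "Database"
    subcategory: str        # e.g. "Zone transfer", "SQL injection"
    asset: str              # host or system the finding applies to
    found_by: str           # how the risk was found (tool, manual test)
    likelihood: int         # 1 (rare) .. 5 (almost certain)
    impact: int             # 1 (negligible) .. 5 (loss of life / business)
    owner: str              # team that must remediate
    status: str = "open"    # "open" or "closed"
    retest: Optional[str] = None   # retest note recorded when closed

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be 1..5")

    @property
    def score(self) -> int:
        """Weight assigned to the risk: likelihood x impact, 1..25."""
        return self.likelihood * self.impact

    @property
    def disposition(self) -> str:
        """Score bands are an assumption; use your organisation's scale."""
        if self.score >= 15:
            return "fix"        # high risk, likely to be exploited
        if self.score >= 6:
            return "monitor"    # identified, watch until corrected
        return "accept"         # small, accepted for now (e.g. no patch yet)


class RiskRegister:
    def __init__(self):
        self._entries: dict = {}

    def add(self, entry: RiskEntry) -> None:
        if entry.entry_id in self._entries:
            raise ValueError(f"duplicate entry id {entry.entry_id}")
        self._entries[entry.entry_id] = entry

    def prioritized(self, include_closed: bool = False) -> list:
        """Entries in the order to work them: highest score first."""
        items = [e for e in self._entries.values()
                 if include_closed or e.status == "open"]
        return sorted(items, key=lambda e: (-e.score, -e.impact, e.entry_id))

    def close(self, entry_id: int, retest_note: str) -> RiskEntry:
        """Close an item only once a retest has confirmed the fix."""
        if not retest_note.strip():
            raise ValueError("a retest note is required to close an item")
        entry = self._entries[entry_id]
        entry.status, entry.retest = "closed", retest_note
        return entry

    def summary(self) -> dict:
        """Open items per disposition, for the report's conclusion."""
        counts = {"fix": 0, "monitor": 0, "accept": 0}
        for e in self.prioritized():
            counts[e.disposition] += 1
        return counts


def build_sample_register() -> RiskRegister:
    """Constructed findings resembling the ones the report article mentions."""
    reg = RiskRegister()
    reg.add(RiskEntry(1, "Network", "DNS zone transfer", "ns1.example.test",
                      "dig axfr during recon", 5, 3, "System administrators"))
    reg.add(RiskEntry(2, "Database", "SQL injection", "www.example.test",
                      "manual web test", 4, 5, "Developers / DBAs"))
    reg.add(RiskEntry(3, "Server", "Missing OS patches", "win-srv-07",
                      "vulnerability scan", 2, 4, "Windows team"))
    reg.add(RiskEntry(4, "Security", "Weak password policy", "AD domain",
                      "password audit", 1, 2, "Identity team"))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for e in reg.prioritized():
        print(f"#{e.entry_id} score={e.score:>2} {e.disposition:<8} "
              f"{e.category}/{e.subcategory} -> {e.owner}")
    print(reg.summary())
```

The ordering puts the SQL injection (4 x 5) ahead of the zone transfer (5 x 3) even though the latter is more likely, because impact breaks ties in this scheme; whatever scale you adopt, write it down in the register so the teams closing items understand the priority they are given.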
You record all these risks in a risk register and log the results of most security assessments (including your pen test results) with a marker denoting the level of risk and the priority in which it should be addressed. A risk register is a list of known risks and vulnerabilities that you compile as you scan, assess, penetrate, and test. The risk register is the official document (or information stored and accessible in a database, spreadsheet, or other facility) that shows the following:

What risks (and vulnerabilities) you've found
How you found those risks
The weight you've assigned to each risk
A priority level for fixing or correcting each risk

The table below shows what a typical risk register looks like.

A Risk Register

Entry #  Risk Category  Risk Sub-category
1        Security       Virus
2        Network        Wireless
3        Power          UPS
4        Environmental  Fire Suppression
5        Datacenter     Space
6        Environmental  Fire Suppression
7        Environmental  HVAC
8        Security       Physical
9        Server         Operating System
10       Datacenter     Consolidation
11       Storage        Capacity
12       Storage        Capacity
13       Security       HIPAA and PHI
14       Database       Backup
15       Database       Corruption
16       Database       Network
17       Datacenter     Space

The risk register is a great tool for tracking known problems, but it's hard to guess which changes will introduce new ones, which is why companies have pen testing conducted: to test their systems for weaknesses. A company might have an in-house team do the testing or outsource it to a security firm or an individual consultant. Testing continues throughout the year(s), perhaps weekly, monthly, or quarterly, to find problems that have surfaced or been exposed since the last test. A risk register is a living document that you're constantly updating.

Finding vulnerabilities with penetration testing

A vulnerability is simply a weakness in your technology that can be exploited, or something as simple as an information disclosure.
The weakness can be a misconfiguration of an asset, a bug or code problem in installed software, or any other anomaly in your enterprise. For example, your hardware vendor updates your firewall's firmware and inadvertently introduces a bug. You can be completely unaware of the vulnerability until it's identified by the vendor or another customer, or until you run a pen test on your firewall. Not every bug is exploitable, but some can lead to exploits. Vulnerabilities are a type of risk that can be rated, recorded as an artifact, logged, reviewed, and corrected by the people responsible for fixing them. Three examples of vulnerabilities and the threats that exploit them are:

A buffer overflow: Buffers are fixed-size regions of memory that computers, routers, switches, and many other devices use to hold data while it is processed or transferred, for example when one device sends data faster than the other can consume it. If a program copies more data into a buffer than the buffer can hold, the excess overwrites adjacent memory. At best this degrades performance or crashes the system; at worst, an attacker who controls the excess data can alter the program's behavior and take control of it.

Malware: Malware (malicious software) is code created by an attacker to exploit a weakness such as an overflowable buffer and turn a legitimate service into an entry point. Sending deliberately oversized data to overwhelm (overflow) a buffer is one way malware, or an attacker, exploits such a weakness.

Password usage: Weak passwords (easily guessed, or easily cracked with a password-cracking tool) allow immediate entry into a system at the click of a button. This is a very common real-world vulnerability, one a pen test can find and help prevent. A good corporate password policy (with a system that enforces it) is the best protection against it.
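An added example (not from the article) of the two halves of the password point: a policy check that reports which rules a candidate password violates, and a small dictionary attack of the kind a cracking tool runs, which recovers a weak password from its salted hash and fails on a strong one. The wordlist, the fixed salt, the policy values and the PBKDF2 round count are constructed assumptions for the demonstration.

```python
"""Added example, not from the article: password policy check and a
dictionary attack of the kind a password-cracking tool performs.

The wordlist, salt, policy values and PBKDF2 round count are constructed
for the demo; production systems use far larger lists and higher counts.
"""
import hashlib
import hmac

# Constructed mini wordlist; real crackers use lists with millions of entries.
COMMON_WORDS = ["password", "123456", "qwerty", "letmein", "welcome",
                "summer2021", "admin", "changeme"]

# Example policy: minimum length, number of character classes, deny list.
POLICY = {"min_length": 12, "classes": 3, "deny_common": True}

SALT = b"example-salt-16b"   # fixed so the demo is reproducible; use os.urandom(16) for real
ROUNDS = 10_000              # kept low for the demo; real deployments use far more


def check_policy(password: str, policy: dict = POLICY) -> list:
    """Return the rules the password violates (an empty list means it passes)."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    classes = sum([any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)])
    if classes < policy["classes"]:
        problems.append(f"uses {classes} character classes, needs {policy['classes']}")
    if policy["deny_common"] and password.lower() in COMMON_WORDS:
        problems.append("appears in the common-password list")
    return problems


def hash_password(password: str, salt: bytes = SALT, rounds: int = ROUNDS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the kind of storage a policy should require."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def variants(word: str):
    """Cheap mangling rules crackers apply to each wordlist entry."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word.capitalize() + "1!"


def crack(stored_hash: bytes, salt: bytes = SALT, rounds: int = ROUNDS,
          wordlist=COMMON_WORDS):
    """Dictionary attack: return the recovered password, or None if no candidate matches."""
    for word in wordlist:
        for candidate in variants(word):
            if hmac.compare_digest(hash_password(candidate, salt, rounds), stored_hash):
                return candidate
    return None


if __name__ == "__main__":
    for pw in ("Welcome1!", "Tr0ub4dor&3xample!"):
        print(pw, "violates:", check_policy(pw) or "nothing")
        print("  cracked as:", crack(hash_password(pw)))
```

Note that "Welcome1!" satisfies the character-class rule and is not itself on the wordlist, yet falls to the attack in a handful of guesses because it is a trivial mangling of a common word; length and a deny list do more for you than complexity rules alone.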
Unfortunately, weak passwords are still common in many places around the world, and you will almost certainly find instances of them during your own pen testing.

Scanning and assessing with penetration testing

The successful pen tester uses tools (both hardware and software) to run penetration tests (sometimes also called penetration assessments) to find vulnerabilities and exploit them. You scan your system, network, or entire enterprise for vulnerabilities to find risks that you can either fix or acknowledge. The original article shows a scan from Nessus (a vulnerability scanner) here.

Never run a pen test, assessment, scan, or security test on a live production network without permission! Many things can go wrong. For example, a network segment may contain devices configured to react to penetration attempts by blocking traffic or shutting services off, and a scan can trip them and take down a production system that's serving clients. Another example: in a hospital, running a scan during the day on a protected network segment without making some adjustments could shut down services and prevent patients from receiving care.

Securing operations with pen testing

Typical security operations conducted in an enterprise range from simple to complex. It all depends on many factors, including the size of the company, the importance of the assets, the available budget, leadership's interest in any (or all) of these factors, and the knowledge and skills of those entrusted to secure the assets of the enterprise. To do this, you can conduct your own security assessments, outsource them, or in some cases even crowdsource them.

Responding to incidents

What if you can see an active attack taking place through an issue you identified in pen testing and are now monitoring as part of your ongoing risk assessment? The answer lies in a process or workflow called incident response.
Incident response (sometimes called incident handling) is the management of an attack based on the exploitation of a known or unknown vulnerability. As a security analyst, you should know what an incident response team (IRT) is and why it exists. You might wonder why you'd need a specialized team to handle security-related issues, and the answer is simple: the need is based on containing the incident. Special training is required, and special procedures must be followed for an incident to be handled correctly, as these examples show:

A need-to-know basis: You don't want to tip off someone conducting an active attack that you know it's happening and are watching. To prevent the attacker from learning that their movements are being monitored, knowledge of the attack as it happens is restricted to trained individuals who can react appropriately.

Containing the message and the chain of custody on evidence: You also want to control the message of the day, as the incident could wind up on social media or the evening news. You never know how an incident may affect you or your organization, so you have specific handling procedures and a trained team in place. Part of containing the event is preserving tangible evidence, with its chain of custody intact, for use in a court of law: should the company decide to take legal action against the perpetrator, documented evidence will be needed.

What do you do if an active incident takes place? The answer depends on the following:

Where you are: Location is everything! If you're local to the attack, you can start to work the issue and conduct all tests and other actions without fear of being disconnected from the network. If you're working over a virtual private network (VPN) or remotely connected to a system over the network, that path may be part of the attack vector and you could become disconnected.
Being local to the system gives you console access directly from the system itself, and in most cases this is the most reliable option.

Who you are (that is, what role you have): To be an active member of an IRT, you simply need to be assigned the role. It may be a full-time role in a larger organization or consulting firm; in a smaller firm it may be a collateral duty. Either way, the responsibility is the same, and understanding your role and the procedures, processes, and plans is important. The team you're assigned to needs to train together; there is value in understanding everyone's place on the team and how to handle an active incident.

What you believe to be happening: Most companies have an IRT that's responsible for providing support in the case of an active incident, such as a firewall breach, a virus or malware outbreak, an intrusion, or any other security-related matter. What is actually happening dictates your course of action.

Obviously, you never want to have to respond to an active attack. Ideally you prevent it in the first place, and that is why pen testing is so valuable in the overall security framework and in defense in depth. If you're able to secure everything properly, or identify any weaknesses and fix them (or accept and monitor them), you've won half the battle.

How to Use Metasploit Framework and Pro to Perform a Penetration Test

Article / Updated 12-14-2021

Metasploit is a penetration testing tool maintained by Rapid7. The Metasploit Framework is free and open source; Metasploit Pro is the commercial edition, and you can download a free trial for Linux or Windows and get it up and running within minutes. If you want to learn to use this penetration testing tool and run your first pen test with it, sign up for an account through the free trial links. You'll get a copy of Metasploit Pro to download; install it (an easy process), then request a trial key via the login interface where you set up the tool, and you're on your way to penetration testing.

Before you discover the specifics of using this penetration testing tool, a few words of caution:

Be patient. Depending on your network segment and the options you select, the pen test can take some time.

Do not scan without permission. Make sure you're conducting an ethical hack/pen test and that you not only have permission but have also made key IT personnel aware of it. That way, if something goes wrong, you can stop the scan, assess the damage, and correct it. Even when you take precautions, scans cause issues at times, especially on a production network.

Always monitor a scan. Starting a scan and walking away isn't recommended, because you may identify a critical risk that needs to be assessed (and perhaps corrected) immediately. Security operations analysts should monitor the scan for this reason alone.

Keep your tools up to date. The Metasploit Administration menu has a software update option (in the top-right corner of the dashboard).

Back up any critical data before you scan. Back up data on hosts you think might be corrupted or otherwise negatively affected by the scan.

Follow these steps to run a scan with Metasploit Pro:

1. Access Metasploit on your local system by going to the URL set up for you during the installation process: https://localhost:3790/

2. Log in and click the Quick PenTest link. The Quick PenTest wizard opens (the original article shows it here).
3. Choose a target profile, give your project a name, and enter the Target Addresses. You can choose the Everything option, which takes longer, or specific targets, such as Windows Targets. If you're a beginner, leave all of the defaults and just add a project name and a target address to scan. The tool has some intelligence: it starts with a default scan of the local subnet you're attached to, based on your IP address. Here it picked up a small private address range, 192.168.1.0/24, which covers 254 usable hosts on the subnet.

4. Click Start Scan. (The original article shows the scan running here.) One of the first tools it runs is Nmap, for network mapping. Once the scan completes and the segment is mapped, the tool probes and tests the hosts and runs a series of vulnerability checks and other services to get a complete picture of the segment's risks and what can be exploited.

5. When the scan is complete, access the findings by viewing the output in the Metasploit console window and buffer or in the logs. After scanning and assessing, review the reports and findings to see what you need to fix, monitor, or add to a risk register.

Your penetration testing toolkit leverages some of the same tools found in other parts of your toolset. For example, Kali Linux includes Nmap, Metasploit's discovery scan (in Kali or elsewhere) calls Nmap, and you can also run Nmap by itself as a standalone tool.
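Whether Metasploit Pro or Kali launches it, Nmap's discovery output can be saved as XML (nmap -oX) and parsed. The following added example, not code from Metasploit, Nmap, or the article, reads a constructed sample of that XML into a host/port inventory, computes the 254 usable hosts of the 192.168.1.0/24 range mentioned above, and flags services a tester would follow up on before the vulnerability phase; the sample hosts and the follow-up table are assumptions made for the example.

```python
"""Added example, not from the article: turn Nmap XML output (nmap -oX) into
a host/port inventory and flag services that need follow-up.

The XML below is a constructed sample in the shape Nmap emits; the hosts,
ports and the FOLLOW_UP table are assumptions for this example.
"""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.0/24">
  <host><status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="53"><state state="open"/><service name="domain" product="ISC BIND" version="9.11.3"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.6p1"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s" product="Microsoft SQL Server" version="2014"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.168.1.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Services a tester follows up on after discovery (assumption for the example).
FOLLOW_UP = {
    ("tcp", 53): "check for zone transfer (AXFR)",
    ("tcp", 445): "check SMB signing and share permissions",
    ("tcp", 1433): "check SQL Server authentication and injection paths",
    ("tcp", 3389): "check RDP exposure and NLA",
}


def usable_hosts(cidr: str) -> int:
    """Hosts a scanner will probe in a subnet, excluding network and broadcast."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses - 2


def parse_nmap_xml(xml_text: str) -> dict:
    """Return {ip: [(proto, port, service, product/version), ...]} for hosts
    that are up, listing only open ports, sorted by port number."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue            # skip hosts that did not respond
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        open_ports = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue        # closed/filtered ports are not attack surface
            svc = port.find("service")
            name, detail = "", ""
            if svc is not None:
                name = svc.get("name", "")
                detail = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
            open_ports.append((port.get("protocol"), int(port.get("portid")), name, detail))
        inventory[addr] = sorted(open_ports, key=lambda p: p[1])
    return inventory


def follow_ups(inventory: dict) -> list:
    """Flag (ip, port, action) for every open service in the FOLLOW_UP table."""
    flagged = []
    for ip, ports in inventory.items():
        for proto, port, _name, _detail in ports:
            action = FOLLOW_UP.get((proto, port))
            if action:
                flagged.append((ip, port, action))
    return flagged


if __name__ == "__main__":
    print("usable hosts in 192.168.1.0/24:", usable_hosts("192.168.1.0/24"))
    inv = parse_nmap_xml(SAMPLE_NMAP_XML)
    for ip, ports in inv.items():
        print(ip, ports)
    for ip, port, action in follow_ups(inv):
        print(f"{ip}:{port} -> {action}")
```

To use it on a real scan (with permission), run nmap -sV -oX scan.xml followed by the target range, then pass the file's contents to parse_nmap_xml; the flagged items are the ones to carry into the detailed findings or the risk register.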
