Penetration Testing For Dummies book cover

Penetration Testing For Dummies

Author:
Robert Shimonski
Published: May 19, 2020

Overview

Target, test, analyze, and report on security vulnerabilities with pen testing

Pen Testing is necessary for companies looking to target, test, analyze, and patch the security vulnerabilities from hackers attempting to break into and compromise their organizations data. It takes a person with hacking skills to look for the weaknesses that make an organization susceptible to hacking. 

Pen Testing For Dummies aims to equip IT enthusiasts at various levels with the basic knowledge of pen testing. It is the go-to book for those who have some IT experience but desire more knowledge of how to gather intelligence on a target, learn the steps for mapping out a test, and discover best practices for analyzing, solving, and reporting on vulnerabilities.

  • The different phases of a pen test from pre-engagement to completion
  • Threat modeling and understanding risk
  • When to apply vulnerability management vs penetration testing
  • Ways to keep your pen testing skills sharp, relevant, and at the top of the game

 

Get ready to gather intelligence, discover the steps for mapping out tests, and analyze and report results!

Target, test, analyze, and report on security vulnerabilities with pen testing

Pen Testing is necessary for companies looking to target, test, analyze, and patch the security vulnerabilities from hackers attempting to break into and compromise their organizations data. It takes a person with hacking skills to look for the weaknesses that make an organization susceptible to hacking. 

Pen Testing For Dummies aims to equip IT enthusiasts at various levels with the basic knowledge of pen testing. It is the go-to book for those who have some IT experience but desire more knowledge

of how to gather intelligence on a target, learn the steps for mapping out a test, and discover best practices for analyzing, solving, and reporting on vulnerabilities.

  • The different phases of a pen test from pre-engagement to completion
  • Threat modeling and understanding risk
  • When to apply vulnerability management vs penetration testing
  • Ways to keep your pen testing skills sharp, relevant, and at the top of the game

 

Get ready to gather intelligence, discover the steps for mapping out tests, and analyze and report results!

Penetration Testing For Dummies Cheat Sheet

Penetration (pen) testing is used by many organizations to ensure that the security controls they put in place actually work. Pen testing and security are complicated topics and can be intimidating. This cheat sheet covers basic pen testing terminology you need to know, the most commonly used pen testing tools, and a list of commonly sought-after certifications in the field of pen testing. [caption id="attachment_269927" align="alignnone" width="556"] © Den Rise/Shutterstock.com[/caption]

Articles From The Book

10 results

Cybersecurity Articles

10 Tips for Becoming a Better Pen Tester

Penetration testing is always evolving. More complex cyberattacks require more sophisticated pen tester. Here are ten tips to help you refine your pen testing skills as you continue in your career or education.

Continue your education to improve your pen testing skills

Keep learning. Study often and do not limit the scope of your studies. You can get by in your career by learning the basics, getting the tools, and running them. However, you need to learn the finer details of information technology systems, networks, and services and how they are secured or threatened. The ways you can continue your education are unlimited. However, if on a budget (or have resources to access resources within a budget), here are a few ways you can help yourself:
  • Use your library. To access the internet, books, publications, magazines, and other materials, use your public library system. Some libraries even hold IT classes, and in some cases, even security classes.
  • Use the internet. You can find many sites to help with pen testing, learning about IT, security, and many other topics. You can gain access to tools and sites that allow you to learn how to conduct penetration testing, and learn operating systems and other valuable programs.
  • Build a test PC. If you can gain access to a PC or laptop that you can turn into a test system, acquire it and use it. There are many companies likely have an older system laying around unused that you can turn into a pen test toolkit.
  • Use virtualization. Similar to the extra PC or laptop, you can set up virtualization software that allows you access to even more systems so you can build a small virtual network within a computer and you can conduct pen testing on multiple systems from one system. The image below shows an example of a tool running within a virtualized system.
  • Use freeware. Many demo tools give you full access for a period of time, or at least with limited functionality, that you can use to learn with.

Build your penetration testing toolkit

Carpenters and other trades rely on their tools to be able to do their jobs. Auto mechanics, welders, and others who use tools to conduct their work can’t do great work without tools that are maintained and preserved. The same is true of IT professionals, especially those who function in the security realm as pen testers. No matter what, consider your tools as the most important thing you can maintain. Keep the following in mind as you build your toolkit:
  • Keeping your toolkit current is one of the hardest things to do as a pen tester. You will find some tools (sometimes older tools) are more helpful to getting the results you need. Some tools are scripts that are created and maintained by each individual pen tester.
  • Some tools are expensive, and you need to license for them. You also need to keep them updated. For example, any tools, software, programs, applications, and systems you use need to be patched, virus scanned, updated, and kept up to date.
  • All software must be updated. Any software that requires signature files, digital certificates, block ciphers, and any other form of additional software needs to be updated and maintained.
  • Technology changes over time. There will be updates to the systems you use, and there will be different systems in different organizations — all this means you need to keep your toolkit current with new additions as you find you need them.
  • Make sure your computer is updated and safe. Make sure you keep the system you run all this on current as well. Nothing is worse than the embarrassment of getting your own system hacked as a pen tester. Keep your own stuff pristine, secure, and tested.

Think outside the box to be a better pen tester

Never get comfortable with the same vectors, tools, patterns, and attacks. Always consider another option — the plan B. You have to constantly think outside the box to stay ahead of those who commit crimes.

Think of hackers and attacks like running water. It will find a way. You, too, need to think like running water and consider, anticipate, and get ahead of different types of attacks and vectors for attacks by developing this dynamic mindset.

Below is an example of a planned penetration test where the pen tester wanted to enter the network via the wireless access point. In a situation where one pen tester was working with an organization that agreed to trying another path if possible, he found another way through the internet connection (plan B) to access the network externally. He could also have accessed the network from picking up a signal from the parking lot.

Think like a hacker to be a better pen tester

You need to know what hackers do. As an ethical person, it’s not easy to think like a criminal. This is where the great pen testers excel. You have to think beyond what a good guy would do . . . to what someone who has ethics would do. You can read attacks that took place in the past to learn about the people who conducted the attacks. One of the oldest hackers of the past is Kevin Mitnick, who conducted hacks back in the 1990s and was arrested in 1995. Learning about Kevin and how he turned into a grey hat hacker over time helps to get inside the mind of those who conduct crimes and their motives.

Get involved to improve as a pen tester

Whether through conferences, online communities, or social outlets online or in person, spend some time networking with others in your field. Two conferences where you can continue your education, learn specifics of pen testing from experts in the field, meet book authors, and get access to current trends and classes about current products is Defcon and Blackhat. Normally, both are held in the United States, but over the years, the conference has grown and expanded to other countries as well. Both of these conference websites will have options to sign up for a conference, but have other options as well to view older media, papers, and research conducted over the years. It is also a great way to meet other experts in your field as you continue to grow within it. There are professional organizations that cater to pen testers, schools that form groups of like-minded individuals, governance committees, and other types of groups that allow those who conduct ethical hacking to join together and share ideas. There are government agencies that you can join to share ideas and information.

Regardless of who you join up with, a community-based approach to sharing ideas has led to some of the larger crowdsharing/crowdsourcing and other group-like successes there are today. Pair up and work on some projects together to share ideas and learn more about pen testing.

Use a lab for penetration testing

If you buy and build one, rent space, or lease system time from others, use online resources available to you for testing or through the use of virtual machines in a lab you build — hands-on time is crucial to your success. You need to be able to run the tools, hacks, tests, and see what is possible. It’s one of the best ways to learn how to become an elite pen tester. Because there are many challenges to do this, you can still learn ways to get hands-on training:
  • Online test sites: Online test sites let you experiment with your penetration-testing skills.
  • A test machine: You can also set up on one computer in your home a virtual system of other machines (a virtual network) and test the systems on your base machine.
The image below lays out a nice lab strategy you can use to start to develop a pen testing practice lab at work or at home. Some of the items you may want to consider in building your pen testing lab may include (but not limited to):
  • Server infrastructure: You can either set up a server physically on your mock network or a virtual one. Either way, make sure that you have allocated resources so that you can configure targets such as a database (can be large in size), as well as multiple network connections for redundancy (cluster) or other advanced setups.
  • Network infrastructure: From the cabling to the wireless systems —the routers, switches, access points, firewalls, and everything in between — you can configure all the network components to interconnect the devices you want to set up as resources on your mock network.
  • Pen test system: The point of origin, which can be the laptop that you use as an ethical hacker to conduct the penetration testing.
As you learn more and more, you can add systems and infrastructure to further build out the lab so you can conduct more tests.

Stay informed on penetration testing

Just like any other role, skill, or function, the more you know the better off you will be. Up-to-date threat information can help you learn about the myriad of attacks and patterns coming out daily. This information deepens your knowledge of what you need to be aware of as a pen tester protecting against them.

You should also stay abreast of things going on in the pen test community. One great way to do this is by meeting up with others pen testers to swap information.

Stay ahead of new technologies to be a better pen tester

Technology is always changing. Remember when virtualization became important? Cloud? Wireless? Mobile? As each of these technologies emerged (and in some instances converged), it was important to stay on top of them because the minute they came to market, there seemed to be a ton of attacks that came right along with them. When wireless hit the market, for example, there were drive-by scanners hanging out of cars — hackers were cracking into systems in companies from the parking lot. You must know about new technologies, learning about them, and anticipating how black hat hackers might use them. There are countless resources available to learn of new technology. For example, if you know your primary targets are going to be Cisco, Citrix, Microsoft, VMWare, Linux (select a distribution), and EMC Storage, you may want to add yourself to those vendors’ websites and their mailing lists to stay ahead of updates, new patches, version updates, and so on. If you have a contract with any of these vendors, they should be sending you information; however, anyone can contact these vendors and be added to their mailing lists so you can learn more about them. For example, if you were a large Cisco networking customer, you can gain access to RSS feeds, field notices, security advisories, bug alerts, software updates, and so much more.

Build your reputation as a pen tester

Building your reputation is easy. For someone (anyone) to let you into these protected networks where all their data sits, they absolutely must trust you. Trust. It’s the critical piece of the proverbial pie of your career in pen testing. Identify as someone who can’t be trusted, and it’s likely you will never work for a company that needs your assistance in thwarting crime again. This means you cannot be a criminal! You need to make sure you act professionally and ethically. Build your network of peers and people who can vouch for you and continue to act in a way that is honorable and as a consummate professional.

Learn about physical security

All the technical knowledge, skill, tools, and experience in the world can’t save you and a company from a social engineering attack. Nothing can thwart technical security faster than social engineering. Card swipes, magnetic door locks, bio-sensor reading, cameras, physical security guards, wall hopping, and all of the other things that fall outside of the computer network where data is kept can’t stop someone from breaking and entering. Always consider physical security challenges as a pen tester and augment your technical vulnerability analysis and scans with checking how physical security and defense in depth stacks up. Ultimately, any efforts you can take to learn will help to make you a better pen tester. Learning is key.

Cybersecurity Articles

10 Sites for Learning More about Penetration Testing

As an IT professional, it doesn’t matter how much you know about penetration testing today — there is always more to learn! What you know today could become outdated as technology evolves and morphs into new innovations. With that said, here is a list of penetration testing websites and resources that will be extremely helpful to you as a security professional.

If any of the websites are no longer assessible at any time, do your own online searches for keywords such as pen testing, penetration testing, and security hacking. Also make sure to fact check any data not coming from a reputable site. The sites listed here are generally reputable, but you should still consider researching things before you implement them regardless.

One of the best sources of information you can use for your studies is in the help files of your software. If you use the knowledge bases that come with the tool and online at the vendor’s website, you will learn how to better use the tools and help to reinforce some of the topics learn about penetration testing along the way.

SANS Institute

SANS.org leads to the SANS Institute where since 1989 the site has been filled with a large amount of useful security information that is freely accessible to all. This online resource is easily searchable from the home page and within it contains many resources a pen tester can use, including the SANS Information Security Reading Room that hosts approximately 3,000 original research papers in 110 important categories of security. You can sign up for weekly bulletins, alerts, newsletters, risk alerts, and other email items that can keep you abreast of threats. You can also access the Internet Storm Center, which is an early warning system for threats. There are many other resources available such as templates, vendor product information, information on open and closed source software, and so much more. Another point of interest on the SANS website is the connection to their focused areas on pen testing.

If you’re looking to make pen testing a career, being connected to this community and digging deep into their online resources can help made a value add to your education and knowledge.

GIAC certifications

Another point of interest on the SANS website is the connection to their certification arm of SANS, which is called Global Information Assurance Certification (GIAC). It's focused on different areas of security, such as incident response and handling, forensic, and of course pen testing. When you’re ready, you can obtain GIAC Penetration Tester certification (GPEN). Aside from being an industry standard exam that tests your ability to conduct a pen test, the GIAC website also has a wealth of information about pen testing. You’ll need to pay for the exam and the study materials that come with it. There are other tests available such as CompTIA’s Pentest+ and others, but the benefit to getting GPEN certified is that you get to connect to a community of expert pen testers as well as getting certified and educated.

Software Engineering Institute

Carnegie Mellon University (CMU) has long been a source of amazing security information. You’ll find information about risk assessments, pen testing, forensics, and security-based incident handling. The CMU site has a CERT landing page that hosts publications and other scholarly works about cybersecurity: CERT partners with industry experts (from areas such as technology industry, law, government, and academia) to provide advanced studies and research on relevant topics.

Legal penetration sites

Legal penetration sites are variously hosted by groups that provide a realistic way for ethical hackers to learn real hacking skills on networks and systems that have been left in a semi-hardened state. If you run a search on Google for “legal penetration sites,” you will pull up reputable sources to find these sites. Cisco has information in their help forums as well as security magazines (another great resource) and other sites that host these penetration test hubs where you can hone your skills.

If you can’t afford to set up your own lab environment for testing purposes, then seeking outside resources such as this can really help develop your skills.

Open Web Application Security Project

The Open Web Application Security Project (OWASP) was established in 2001 and is currently a not-for-profit organization that works on the foundation of group collaboration. OWASP is a group that boasts open source and does so with no affiliation of any kind. Their focus is on web application hacking and the security of applications, software, web apps and programs. The frameworks, information, and resources provided help to guide a pen tester into areas of risk and vulnerabilities surrounding applications such as hacking APIs. This site can really help you better understand more in-depth details about programing and software hacking, and what you should seek to penetrate and exploit these systems as an ethical hacker. The following image shows the top ten application security risks at the any time.

Tenable

Tenable makes Nessus, and you can visit the website for more information on vulnerability scanning, pen testing, and risk assessments. One of the greatest things you can find on the Tenable website is a series of tools and information primarily focused on pen testing. In their research papers are details on how to become a better pen tester: The image below shows the Tenable website, where you can download Nessus for trial use, or purchase a license for permanent use.

Nmap

Nmap is undeniably one of the hottest and most used tools for pen testing outside of Nessus and Metasploit. Contained in Kali, Nmap is a tool that can really do it all. On the website you will find advanced usage of the tool to include subverting firewalls, spoofing scans, getting around IDS, automation and scripting of the tool, and so much more.

Wireshark

Wireshark is one of the de facto tools in your toolkit and a primary source of information for troubleshooting networks, information gathering, or pen testing. Within the main website you will find tons of detailed information on how to use this tool. As well, the forums where engineers talk about issues and things they find are loaded with literally thousands of pieces of valuable information that will help you learn more about networking, TCP/IP, the Internet, and how packets and frames traverse a network.

Need to learn more about ports, channels, communication, sockets, protocols, packets, headers, and so on? This is the site you need to go to learn more about these details.

Dark Reading

In today’s pen testing world, one of the go-to sites for security professionals is Dark Reading. Dark Reading helps provide information not only on old but breaking news stories geared towards an online community of security gurus and professionals looking for more information about topics like pen testing. You’ll find newsletters and feeds and the sections on Attacks and Breaches can help you emulate scenarios in your pen testing, stay on top of trends, and conduct ethical hacks to test your security posture.

Offensive Security

From the distributors of Kali, Offensive Security is a company that specializes in doing penetration testing. Offensive Security offers penetration testing services as a service, and they provide a certification as well. On this site, you can learn more about pen testing from the experts who do it day in and day out. You’ll find sample checklists, tools, reports, and a lot of the things you might want to emulate in your own pen tests.

Cybersecurity Articles

What You Need to Know to be a Penetration Tester

Penetration (or pen, for short) testing is one of the hottest up and coming skills any IT professional needs to have. As more and more technology takes over our world, the need to ensure it’s safe and secure is at the forefront. Companies are actively looking for penetration testers and professionals with a background in IT security and the ability to do penetration testing. As a pen tester, you need a solid understanding of how an attacker can access your systems and how they can conduct attacks. You also need to know about security vulnerabilities as well as penetration testing tools, techniques, and skills that today’s most elite pen testers use on a daily basis to conduct penetration tests that keep their company’s assets safe.

Skills needed for penetration testing

You’re going to need a wide variety of skills throughout your pen testing career, but the biggest (or most important) skills to have are in the realm of networking and general security. To be able to conduct a pen test with any amount of confidence, the more you know about security and network architecture, the better. For example, to run a basic pen test, you need to enter a network address or subnet range in your scanning tool. You need to also know the difference between vulnerability scanning and penetration testing and why they’re similar and how they’re different. The following image shows the basics of setting up an IP addressing range to scan and identify vulnerabilities. After you know the risks and weaknesses, you can them move into the details on how to exploit (pen test) what has been found so you can learn whether the technology is secure. It’s also crucial to understand IP, protocols, networking, and other technologies related (and also not directly related) to security analysis because as weaknesses are identified (perhaps with a scan), then you can then move to exploit them (pen test) no matter what technology you’re presented with (database, mainframes, virtualized systems, for example).

No stone is unturned as a pen tester and what you need to expect is everything and anything. You are tested just as much as the systems you’re testing. Additionally, criminal activity isn’t confined to computers. The Internet of things (IOT) is an ever-expanding network of connected devices that includes, but is not limited to, tablets, phones, and smart home devices such as TVs and thermostats.

You may not encounter all those devices working as a professional pen tester in the corporate world, but you need to be aware of all connected devices. And when you’re pen testing, take time to find out which devices could be affected, such as mobile devices and assets used by field staff.

Also be aware of a hacker’s reconnaissance procedures. Hackers often begin attacks by using general research techniques, such as Internet searches that point a hacker in a direction, to learn more about accessing your company. For example, a simple Whois search might provide an address. A DNS search or query could provide a clue. Google searches may help to identify paths of attack, URLs, domain names, IPs, email addresses, and more.

Basic networking

Basic networking includes, but is not limited to, understanding the OSI (open systems interconnect) model. Knowing how data transits from one location (a sender) to another (a receiver) is key to being able to unwind how many attacks occur. It also includes knowing how routers, switches, hubs, load balancers, firewalls, intrusion prevention devices, and other network black boxes on the wire work. (Black-box security testing refers to testing software security from the outside in. Generally, the tester has little or no knowledge of the internal workings.) If you pen test a router, you need to know how it operates. The TCP/IP protocol suite also falls under basic networking knowledge. The transmission control protocol (TCP) and Internet protocol (IP) controls how computers connect to the Internet. It includes many of the protocols in the 7-layer OSI model. The Open Systems Interconnection (OSI) model is used as a logical framework to show how data travels from the source to the destination and back to the source through the many technologies that comprise the network, systems, and applications. It’s a model of standards that shows the under the hood actions of the technologies at each layer. The protocols used in a suite (such as TCP/IP) map to the various layers of the model and perform different functions. For example, FTP operates at a higher layer in the model than TCP or IP. The theory is that, if the lower layers don’t work, then the higher layer protocols won’t operate correctly. The OSI allows you to troubleshoot problems in a workflow manner. The image below shows a wire packet capture that shows a lot of the information you need to read through to conduct a pen test with a tool such as Wireshark. Here you can see packets that when captured can be decoded to tell you the details within them. Having knowledge of these protocols, how and where they operate, and what is contained in the frames, headers, and other inner details of the packet is what will make you a great pen tester. If you run a pen test and it reports back, for example, that you have a vulnerability in telnet that’s sending packets back and forth in cleartext, you need to determine what path a hacker may take. You can more easily make that determination if you know how the protocols work and what is expected behavior and what can be manipulated versus what could be impacted by a software bug. This way, you can test it yourself first to identify whether you have an issue that might need to be remediated or mitigated.

If you want to be a great pen tester, you should study more on TCP/IP. It’s the main protocol suite in use today across the world; when it was first put into production many years ago it came with many flaws. Its ease of use is one of the biggest flaws and the fact that security was an afterthought behind usability.

Although today’s networks and systems can account for these flaws, there is always danger in the shadows. Study TCP/IP and all of its sub-protocols and how they work to get better at testing weaknesses in your enterprise.

General security technology

In the general security technology category are firewalls. Most scans against devices such as a firewall turn up little to no information. Knowing why is helpful to your report. For example, in a ping sweep, you ping the interface and find nothing because the firewall has disabled that protocol that responds. The image below shows a Cisco router firewall log that lists the source and destination IP addresses used to make each connection as well as a description of what that connection did. Another example is when you run a scan and find open ports are in use on a web server in a DMZ behind a firewall that shouldn’t be. By examining the firewall log that sits in front of these servers, you can see what the source IP address is that’s attempting to make those connections. You can detail it as an active attack and prioritize it immediately to patch or fix. Other general yet important technologies to consider would be devices such as intrusion prevention and detection systems, load balancers, access control lists (ACLs) on routers and wireless access points, controllers, and mobile extenders. Each and every one of these devices all can be exploited and the more you know about them and how to review the logs on them, the better you are at identifying risks and conducting ethical hacking.

Systems infrastructure and applications

You must also be familiar with a company’s systems (servers, storage, and telecommunications) and the applications that run on them. This includes operating systems and the services they offer (name resolution services, remote access gateways, and IP address leasing). Pen testing any and all these areas will show up on your reports. If you run a scan on a Domain Name System (DNS) you may find that it needs to be patched. If the server is a Microsoft Windows Server system, you may be able to download needed patches and apply them based on the report. You may also be running a UNIX or Linux system running BIND, which is a DNS name daemon or service. Either way, both may show up on your report as needing attention. Knowing what they are can help you to direct attention towards not only how to repair them, but also which must be prioritized immediately. Web applications and web programming are also major areas that are exposed to vulnerabilities based on the logic needed to keep them running. Database servers running the Structured Query Language (SQL) may be subject to injection attacks. Operating systems that the services and applications run on also remain open to attack and need to be scanned and patched.

Mobile and cloud

Mobile technology is also a must-know endpoint technology quickly replacing the desktops and other devices. They also travel to and from locations and absolutely must be addressed, whether the devices are company assets or company software and data used on a personal device. There are challenges with this system, which mobile device management (MDM) solutions help overcome. You might worry about testing them to make sure they’re secure, but you approach this like you approach all the other systems you’re accountable for — you scan, test, and report based on your findings and handle the risks as you identify them. Cloud is another boundary IT security pros are trying to cross in the world of security and pen testing. Because cloud technologies fall under the purview of their cloud provider, as long as you’re working in conjunction with the cloud provider’s security team and they’re conducing pen tests, then you have achieved the same goal as if you did it yourself.

You might face the fallout of mistakes or mishaps committed on the vendor side.

Penetration testers need a wide variety of skills and knowledge, but they are essential to helping ensure the security of our IT infrastructure.