A penetration test, when carried out by outside experts, is the best way to establish how vulnerable your network is from a malicious hacker attack.
But while thorough, third-party penetration testing can be expensive and is effectively out of date as soon as you make changes to your infrastructure or as new vulnerabilities that affect it are discovered.
One way to sidestep both of these problems is to carry out your own network penetration tests. In this article, we’ll discuss both how to do your own security testing and conduct internal penetration testing, and how to find the best third-party service should you choose to hire an outside pen tester.
Penetration testing, also called vulnerability assessment and testing or “pen testing” for short, is a simulated attack on your organization’s network to assess security and determine its vulnerabilities. These white hat attacks are designed to do the following:
- Identify network security issues and other vulnerabilities
- Identify policy compliance failures
- Improve employee awareness of proper security practices
- Assess an organization’s effectiveness in responding to an attack
Penetration testing: the DIY basics in 7 steps
Think of internal penetration tests as walking around your house and making sure you haven’t left any windows open before you go out. It’s a sensible precaution that costs almost nothing. Here we share a 7-step penetration testing methodology that should prove useful for many organizations.
1 Network enumeration and mapping
This first step often involves port scanning to work out the topology of a network, and to establish which computers are connected to it and the operating system and services they are offering. Perhaps the most popular tool for carrying out this task is the open source Nmap, sometimes accessed through the Zenmap GUI.
2 Reconnaissance
This involves contacting the machines on the network and extracting information from them, such as the applications they are running. Reconnaissance can also involve Googling for information about the organization being tested, for example, to find out the names of IT staff and executives. This kind of information can be useful for social engineering and phishing exercises (see Step 7 below). Social media accounts for such people can also reveal information such as pet names, which are often used in passwords.
3 Network sniffing
Network sniffing is used to examine traffic flowing over the network and to search for unencrypted data including passwords or VoIP traffic. The de-facto standard for network sniffing is Wireshark, another open source tool.
4 Vulnerability scanning
A vulnerability scan can reveal whether any machines have insecure versions of software or other known vulnerabilities that can be exploited, or whether any wireless access points are open or have weak passwords. A popular open source vulnerability tool is OpenVAS. Other more specialist scanners can also be directed at web servers to look for vulnerabilities such as cross-site scripting (XSS) errors.
Open source scans can be enhanced by proprietary vulnerability scanners that can alert you to vulnerable applications that could be exploited. These include:
- Nessus Professional
- Rapid7 Nexpose
- Qualys FreeScan
5 Exploit launching
This stage of penetration testing attempts to exploit any known vulnerabilities to gain control of a system. It’s important to remember that although a vulnerability scan may reveal a vulnerability, not all vulnerabilities can be successfully exploited or necessarily lead to a serious breach. An exploitation framework like Metasploit contains a database of ready-made exploits that it can match to vulnerabilities, as well as tools for creating and launching your own exploits.
Many security systems are aware of and will detect Metasploit exploits, but it is important to note that a real hacker might tailor their own exploits, so don’t be tempted to believe that your infrastructure is safe just because your security systems prevent a Metasploit exploit from working.
6 Further exploitation
Once a single vulnerable system is compromised, you can leverage this to penetrate the network further. For example, if it is possible to access a server’s password file, a password cracking tool may then yield valuable passwords. Using the knowledge gained from the reconnaissance phase, these passwords can then be used to compromise more systems and access more data.
Password cracking tools include the offline John the Ripper, for processing password files that are exfiltrated from the network you are testing, and the online open source tool Hydra, a parallelized login brute forcer that can attempt to log in to services such as FTP by trying many login/password combinations in a very short space of time.
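A brute-force run like the one described above is also something your own monitoring should catch, and checking whether it does is a useful by-product of the test. The following added example (not from the original article) implements a simple sliding-window detector over FTP server log lines: it flags any client address with a burst of failed logins and reports how many distinct usernames were tried, which separates a mistyped password from a login brute forcer. The log lines are constructed in the style of a vsftpd log and all addresses are made up; the threshold and window are assumptions to tune for your environment.

```python
"""Detect login brute-force bursts in FTP server logs.

Added example, not part of the article. Log lines below are constructed
in vsftpd's log style; threshold/window values are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one burst from a single client, one user who
# fails once and then succeeds, and one slow trickle of failures.
SAMPLE_LOG = """\
Tue Sep 10 10:00:01 2024 [pid 2101] [alice] FAIL LOGIN: Client "198.51.100.7"
Tue Sep 10 10:00:02 2024 [pid 2102] [alice] FAIL LOGIN: Client "198.51.100.7"
Tue Sep 10 10:00:02 2024 [pid 2103] [bob] FAIL LOGIN: Client "198.51.100.7"
Tue Sep 10 10:00:03 2024 [pid 2104] [bob] FAIL LOGIN: Client "198.51.100.7"
Tue Sep 10 10:00:03 2024 [pid 2105] [carol] FAIL LOGIN: Client "198.51.100.7"
Tue Sep 10 10:00:04 2024 [pid 2106] [dave] FAIL LOGIN: Client "198.51.100.7"
Tue Sep 10 10:05:00 2024 [pid 2110] [alice] FAIL LOGIN: Client "192.0.2.33"
Tue Sep 10 10:05:30 2024 [pid 2111] [alice] OK LOGIN: Client "192.0.2.33"
Tue Sep 10 11:00:00 2024 [pid 2120] [eve] FAIL LOGIN: Client "203.0.113.9"
Tue Sep 10 11:30:00 2024 [pid 2121] [eve] FAIL LOGIN: Client "203.0.113.9"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) '
    r'\[pid \d+\] \[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


def parse_events(log_text):
    """Yield (timestamp, client_ip, username, result) for each recognised line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log lines (transfers, connects) are skipped
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        events.append((ts, m.group("ip"), m.group("user"), m.group("result")))
    return events


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag client IPs with at least `threshold` FAIL LOGINs inside any `window`.

    Returns {ip: {"max_failures_in_window": n, "distinct_users": k}}.
    """
    fail_times = defaultdict(list)
    users_tried = defaultdict(set)
    for ts, ip, user, result in parse_events(log_text):
        if result == "FAIL":
            fail_times[ip].append(ts)
            users_tried[ip].add(user)

    alerts = {}
    for ip, times in fail_times.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # shrink the window from the left until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = {
                "max_failures_in_window": best,
                "distinct_users": len(users_tried[ip]),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {info['max_failures_in_window']} failures, "
              f"{info['distinct_users']} usernames tried")
```

Counting distinct usernames per source is what distinguishes a password-spraying or dictionary run from a single user fumbling a password; the slow trickle from the third address stays under the threshold, which is a reminder that a patient attacker can evade a naive rate check and that the window and threshold need to be set with that in mind.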
7 Phishing and social engineering
No penetration test is complete without seeing what access is possible by tricking employees. That means sending out phishing emails or simply phoning them up to try to entice them to reveal login details or other confidential information.
Penetration testing tools, training and Linux distros
No penetration testing tutorial would be complete without a guide to useful pen testing tools. To carry out a penetration test manually you’ll need a number of tools including the ones mentioned above. The best way to access all the tools you need in one place is to download an open source Linux security distribution. Recommended distros include:
- Kali Linux
- Samurai Web Testing Framework