You’ll find Penetration Testing, often just called Pen Testing, explained differently, depending on where you get your input. Most sources agree that Pen Testing is essentially an ethical hacker carrying out attacks, like a malicious attacker, to help expose environmental vulnerabilities. While accurate, that’s a bit of a convoluted definition. Let’s pull it apart a bit.
First and foremost, Pen Testing is an activity intended to help an organization, not to hurt it. The idea is to have security professionals (i.e. the “good actors” or “white hat hackers”) act like attackers (i.e. the “bad actors” or “black hat hackers”). Pen Testers do this to expose weaknesses, or vulnerabilities, in systems, networks, and devices before real attackers find them. Pen Testing can be a valuable part of a solid security program if it is implemented well and the sponsoring organization responds to the findings.
Where to Start?
Being a Pen Tester can be fun. You get to act like an attacker without actually being bad. So, how does one get started in having fun and making environments more secure at the same time? A quick Internet search will return many articles on how to do just that. The problem is, many of them jump into the process too far in. It’s easy to find books and articles on “Pen Testing using ______” (insert your favorite tool or scripting language here). Common titles include Pen Testing using Kali Linux, Python, Bash Shell, PowerShell, Perl, and the list goes on and on. The point is that many of the resources you’ll find focus on tools, as opposed to the actual process. A much better place to start is at the beginning.
Understanding Pen Testing
Pen Testing is far more than just running software. Pen Testing software tools are just that – tools. If you don’t really know why you need each one, you aren’t adding much value to the process. I think of Pen Testing like the process of flying an airplane. If you know what you’re doing, flying an airplane isn’t really that hard. But you just don’t jump into an airplane and go. You need some training and experience on things like weather awareness, airplane preparation, airport and airspace navigation, and interacting with air traffic control. And all that is in addition to knowing how to actually fly an airplane. Successful pen testing, like flying, is all about being prepared and planning well.
Pen Testing is all about looking at a computing environment to find the vulnerabilities an attacker wants to find and exploit. You can only do that if you thoroughly understand how your environment works, its architecture, and its attack surface. That’s a LOT more than just downloading a Kali Linux virtual machine image and running some tools from a menu. But that doesn’t really answer our question yet. Where do I start to become a Pen Tester?
Know Thy Environment
Before you start running Pen Testing tools, you need to know a good bit about your network, its connected systems, and its devices. In almost all cases, a good place to start is learning about TCP/IP and its administration. System administration skills are essential. Know how to add computers and devices to your network, and then configure each one. Can you add a new database server to your network and ensure that only the ports needed to operate are opened? Can you add a new user to your environment and permit that user to access only required resources? Those skills will help you to better understand how various components work together in an environment.
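One way to turn the “only the ports needed to operate are opened” self-test into a repeatable check, as an added example that is not part of the original article: parse the output of `ss -tlnp` on a Linux database host and compare every listener against an allow-list of expected ports and bind scopes. The sample `ss` output and the PostgreSQL-style allow-list are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output from a hypothetical PostgreSQL host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       244     0.0.0.0:5432         0.0.0.0:*          users:(("postgres",pid=1201,fd=5))
LISTEN  0       128     127.0.0.1:9100       0.0.0.0:*          users:(("node_exporter",pid=1300,fd=3))
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*          users:(("python3",pid=1422,fd=4))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Assumed allow-list for a database server: port -> intended bind scope.
# "any" means network-reachable is intended; "local" means loopback only.
EXPECTED = {22: "any", 5432: "any", 9100: "local"}

@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str

# Matches one LISTEN row: local address, port, and the first process name.
_ROW = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_ss(text):
    """Return Listener records from `ss -tlnp` output, skipping the header."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append(Listener(m.group(1), int(m.group(2)), m.group(3)))
    return rows

def is_loopback(addr):
    return addr == "[::1]" or addr.startswith("127.")

def audit(listeners, expected=EXPECTED):
    """Return findings: ports not on the allow-list, and loopback-only
    services that are bound to a network-reachable address."""
    findings = []
    for l in listeners:
        scope = expected.get(l.port)
        if scope is None:
            findings.append(f"unexpected listener {l.process} on {l.addr}:{l.port}")
        elif scope == "local" and not is_loopback(l.addr):
            findings.append(f"{l.process} on port {l.port} should be loopback-only, bound to {l.addr}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_ss(SAMPLE_SS_OUTPUT)):
        print("FINDING:", finding)
```

On a real host, pipe `ss -tlnp` into `parse_ss` and keep the allow-list under version control with the server's build documentation, so a drift in open ports shows up as a finding rather than as a surprise during the test.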
Here’s a great self-test to see how well you understand your environment. Describe the process that starts with a user entering a URL in a web browser, and ends with active content being rendered in that user’s browser. Can you describe precisely what traffic travels across the network, and where? Can you explain all of the devices and systems in your network involved in the process? If so, you have a good understanding of all of the pieces, and of the opportunities for vulnerabilities to exist. A solid understanding of network protocols is needed to explain the round trip of a web request. You can bet that the attackers that launch successful attacks understand these protocols, their implementations, and their weaknesses.
Scripting is Helpful
Another key skill a good Pen Tester possesses is the ability to write scripts. You don’t have to be a scripting guru, but a good knowledge of at least a couple of scripting languages will make your life easier and unlock lots of neat tools that others have written for their own use. If you are completely new to scripting, I’d suggest learning Python and either PowerShell, if you primarily work in Windows, or bash shell scripting, if you primarily work in UNIX or Linux. Knowing these two scripting languages will enable you to build your own toolbox and leverage your time when conducting Pen Testing.
What About Permission?
Before you ever run the first Pen Test, be aware that you are simulating attack activity. Some of the activities you’ll carry out in Pen Testing can be dangerous, or even outright harmful. NEVER conduct Pen Testing activities without explicit permission from the system owners. Pen Testing without appropriate permission can result in civil or criminal proceedings. In short, if you don’t have permission (in writing), you could be sued or prosecuted for your activities. Don’t risk it. Get explicit permission in writing first.
Permission includes the network you use as well. If you are operating within a single organization, make sure you have permission to access the network as well as computers and devices. Your tests may cause excessive or malicious traffic that could interrupt normal operations. If you are conducting tests remotely, be aware that your Internet Service Provider (ISP) may very well take a dim view of having their network used for attack purposes. You could see your home or business Internet service terminated. Understand your ISP policies.
Finally, Using the Tools?
Once you have the basics under your belt, it’s time to roll up your sleeves and get started. But that doesn’t mean to start running Pen Testing tools (yet). There’s still a lot left to do. In the next two articles, we’ll talk about how to plan your Pen Testing activities as a project, and how to determine which tools you’ll need. Planning is crucial to determine the scope of your tests and set expectations for your stakeholders. After that we’ll talk about Kali Linux and a few alternatives to get started. But you’ll have to wait until next time for those details. In the meantime, review the basics. Knowing how your environment really works is the most important requirement to becoming an effective Pen Tester.
Article by Michael Solomon. Michael Solomon PhD CISSP PMP CISM is Professor of Information Systems Security and Information Technology at University of the Cumberlands and Director of the Ph.D. Information Technology Program.