Penetration Testing – CompTIA Network+ N10-006 – 3.1


A penetration test is an invasive attack of your operating systems and applications. In this video, you’ll learn how a potential vulnerability can be exploited with penetration testing tools.


In our previous video, we discussed vulnerability scanning. In this video, we’re going to take things to the next level and talk about penetration testing. As with vulnerability scanning, penetration tests are almost always seen as an attack, so you want to be sure you have permission before you do any type of penetration testing. A penetration test or a pentest is when we, the good guys, are trying to attack a particular device. But unlike a vulnerability scan, we are actively trying to take advantage of that vulnerability. We are performing the exploit and trying to gain access to the operating system of that particular device.

This is certainly something you should do as a best practice in network security, but it’s occasionally something that is mandated for your particular environment. Maybe you handle very sensitive information, maybe there’s credit card or health care information, and there may be laws, rules, or regulations that require that you perform a pentest occasionally. And usually you’ll have a third party come in to perform that; they have no idea what’s in your network, and it’s up to them to try to gain access to your resources.

If you’re new to penetration testing or you’d just like to know more about the process, you can look at a document that’s at the National Institute of Standards and Technology at nist.gov, and this is a publication that is a “Technical Guide to Information Security Testing and Assessment.” This gives you a very nice overview of some of the important aspects of pentesting. If you want to protect from exploits, then you’re going to need to know where your vulnerabilities are, and a good place to do that is at the National Institute of Standards and Technology. There is a National Vulnerability Database here in the United States. You can find that at nvd.nist.gov.

You might also want to perform vulnerability scans yourself where you’re not actively trying to exploit that vulnerability; you’re just trying to identify whether a vulnerability does exist in an operating system or an application. One good way to keep track of this is to watch the news. The bad guys try to use things that are happening in the news, or try to find that zero-day vulnerability that they can use to get into your systems.

With a penetration test, you are trying to force your way into a system. This may mean physically forcing your way in through a locked door, or it may be through an operating system, perhaps through a firewall or through an intrusion prevention system. Sometimes you are literally walking into a building to perform the penetration test. It becomes very easy to sneak behind someone with a badge while you’re carrying some boxes.

This is a very common way for people to get on the inside of the network where it’s so much easier to get around and avoid any of the security systems that are on the perimeter of the network. The penetration test should always consider if there is a lack of control. If you have a wide open area where people can access data, the penetration test should also identify that and let people know that this particular vulnerability exists. In fact, it’s very common for a penetration tester to use exactly the same technologies that your users do to circumvent your existing security controls.

They’ll use encryption to get around some of your URL filters. Or they’ll use proxies to appear that they’re coming from a different location. This is what your user base takes advantage of when they need to get around your security controls. And if they can do it, certainly the penetration testers can do it as well. With a vulnerability scan, we were testing just enough to know if a vulnerability really existed, but very rarely were we trying to take advantage or exploit that particular vulnerability.

With a penetration test, there are no rules. You are trying to actively get into a system and you may be using many different ways to do this. You’re going to try to figure out the way the bad guys are going to access this system and you’re going to perform the same process. You want to get through the firewall, you want to avoid the intrusion prevention system, you want to take advantage of an application vulnerability. And this is generally not just one type of test that you might do.

There are many different ways to exploit a system. And a very good pentester is going to use as many different ways as possible. The results that you get with a penetration test will be very similar to what the bad guys are seeing from the outside, so you want to take advantage of all of the different security controls that you have and examine how they’re reacting to the different penetration tests that are occurring. These penetration tests are not something to be taken lightly.

Someone is attacking an operating system or an application and sometimes it can get messy. The application can stop working, you might even lose data with the application. Sometimes these buffer overflows that are used to attack these systems can cause instability with the operating system itself. So you want to be very careful when these are happening that you have backups and that you are watching the availability of all of your systems.

The pentester is going to use a lot of different methods to gain access to a system. Some of them rely on technology, some of them don’t. You could perform a password brute force to try to identify a password, or maybe you just call someone and try to coax the password out of them using social engineering. Perhaps you’re performing buffer overflows or database injections. All of those are very diverse ways to try to get around these security controls, and you can bet that a good pentester is going to take advantage of every single one of them.
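The "database injection" mentioned above is worth seeing in code, because the fix is small and the consequence of skipping it is large. The following is an added example, not code from the video; it uses an in-memory SQLite table with constructed sample users (hypothetical names and passwords) and shows a login query built by string formatting next to the parameterized version a pentest report would recommend.

```python
import sqlite3

# Constructed sample data for this demonstration (not from the video).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build a throwaway in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The 'before': untrusted input is pasted into the SQL text, so input
    that contains SQL syntax changes the meaning of the query."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return [row[0] for row in conn.execute(query)]


def login_hardened(conn, username, password):
    """The 'after': a parameterized query. The driver passes the values
    separately from the SQL text, so input is always treated as data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def demo():
    """Run the same credentials through both versions and report the
    number of rows each one hands back."""
    conn = make_db()
    good = ("alice", "s3cret")
    # The classic tautology used in every SQL injection primer: it turns the
    # WHERE clause into '... AND password = '' OR '1'='1'.
    bad = ("nobody", "' OR '1'='1")
    return {
        "vulnerable_valid_creds": login_vulnerable(conn, *good),
        "vulnerable_tautology": login_vulnerable(conn, *bad),
        "hardened_valid_creds": login_hardened(conn, *good),
        "hardened_tautology": login_hardened(conn, *bad),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable version returns every user for the tautology input; the hardened version returns nothing, because the whole string is compared against the password column as a literal value. Storing passwords in plaintext, as this toy table does, is of course its own finding.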

These penetration tests by the good guys are valuable because if they can gain access to the operating system or direct access to the data, then certainly the bad guys would be able to as well. This is what the hacker slang calls pwning a system. You want to make sure that you are able to pwn the system before they have an opportunity to do it. That way you can close the doors, tighten up your operating system, and make sure that the bad guys never gain access to that data.
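Closing the doors also means noticing when someone is rattling them. The password brute force mentioned earlier leaves a clear trail in authentication logs, and the following added example (not from the video) shows a simple sliding-window detector over constructed sshd-style log lines: a source address whose failed logins within a 60-second window reach a threshold is flagged. Timestamps, hostnames, and addresses are all made up for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (sshd-style format, not real data).
SAMPLE_LOG = """\
2024-01-15T10:00:01 sshd: Failed password for admin from 203.0.113.5
2024-01-15T10:00:03 sshd: Failed password for admin from 203.0.113.5
2024-01-15T10:00:04 sshd: Failed password for root from 203.0.113.5
2024-01-15T10:00:06 sshd: Failed password for admin from 203.0.113.5
2024-01-15T10:00:07 sshd: Failed password for guest from 203.0.113.5
2024-01-15T10:00:09 sshd: Accepted password for alice from 198.51.100.7
2024-01-15T10:05:00 sshd: Failed password for bob from 198.51.100.7
2024-01-15T10:30:00 sshd: Failed password for bob from 198.51.100.7
"""

# Only failed logins matter for this detector; everything else is skipped.
FAILED_RE = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")


def find_bruteforce_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: timestamp_first_flagged} for every source whose
    failed logins inside a sliding `window` reach `threshold`."""
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        src = m.group(3)
        q = recent[src]
        q.append(ts)
        # Drop failures that have fallen out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, when in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"possible brute force from {src}, threshold reached at {when}")
```

The second address has two failures 25 minutes apart, so it never reaches the threshold; the first address crosses it on its fifth failure within six seconds. In practice the threshold and window are tuned to the environment, and the alert is paired with a lockout or rate limit on the service itself.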