Penetration Testing – CompTIA Security+ SY0-501 – 1.4

If you really want to determine if your systems are vulnerable to an attack, you’ll have to try attacking them yourself. In this video, you’ll learn about penetration tests and how pentesting can be used to make your network more secure.

<< Previous Video: Threat Actors Next: Vulnerability Scanning >>

If you’re performing a penetration test or a pentest, then you are simulating an attack against another device. This is similar to vulnerability scanning, except with vulnerability scanning we were trying to determine if a possible vulnerability existed. With penetration testing, we’re going to try to exploit the potential vulnerability and gain access to that system.

This may be a mandated function. In your organization, you may contract with a third party, and they’re required to try to break into your systems by performing a penetration test. If you’re interested in a primer on penetration testing, you can get one at the National Institute of Standards and Technology. They have a Technical Guide to Information Security Testing and Assessment. And you can access that through

Security researchers are identifying new threats all the time. Every day, there will be a new set of potential vulnerabilities that might already exist in your services, so it’s important to stay up-to-date. One place where you can get a nice index of known vulnerabilities is the National Institute of Standards and Technology National Vulnerability Database. You can find that

And you should, of course, yourself perform regular scans on your systems. You can see if any vulnerabilities exist in your environment and patch them before someone has an opportunity to perform a pentest. And of course, check the news, check trade magazines and publications websites. You want to be sure to stay up-to-date with what the latest vulnerabilities might be. And when one is found, you may find that there are many copycats trying to take advantage of that vulnerability.

A penetration test generally doesn’t start with someone trying to gain access to a known vulnerability. Instead, there is a information gathering phase, a passive reconnaissance, where you’re not touching any of that equipment. You’re instead trying to gather as much information as you can from sources that are already available.

For example, social media sites have a wealth of information about your company and the people that work there. The corporate website for an organization may give information about where data centers are located or where offices may be located. You can also find information on online forums or Reddit, especially if people inside the organization are posting to those sites. Social engineering is another great way to gain information from someone without them even realizing that they’re being attacked. You can, of course, go to the site, into the dumpster, and try to find information there as well. And sometimes, organizations that work with the business can be a wealth of information as well.

After you’ve passively gathered information, you can now go actively try those systems. Usually, this is done with a vulnerability scan. This is the step before you start taking advantage of those vulnerabilities. It might be something easy. Maybe someone has left a guest account enabled or has not changed any default passwords.

You can perform ping scans and port scans on the outside of the system. Maybe look at DNS queries and see what results you get back from a publicly available DNS. If you want to find out more information about an individual system, you can perform an operating system scan, or what we call OS fingerprinting, to find out what operating system may be running on a system without having to actually authenticate into that system. Once you find a system with services running on it, you may want to perform service scans or version scans to see exactly what types of services are running on those systems.

At this point, we’ve gathered quite a bit of information. We’ve passively discovered information about the organization. And we’ve actively seen what systems are available, what operating systems might be running, and what services might be running on those computers. Now, it’s time to try to take advantage of possible vulnerabilities that may exist in the operating systems or applications running on those computers. This is where we begin to break into the system. And if you’re going to create a problem on a computer, crash the operating system, or cause a denial of service, this will be the step that that occurs. You have to be very careful about doing this on production systems during production hours, because there is the potential for bringing those systems down and potentially losing data.

This is where we would try a number of different exploits against some of these vulnerabilities. Maybe check for a password brute force attack. Try the social engineering, and see if you can get the password from someone else. Or try something more advanced, like a database injection or a buffer overflow, to try to take advantage of a coding problem with an operating system or application.

For most people, this is the ultimate test of security. You only know if you’re secure if somebody really tries to gain access to these systems. If you can get through, then the bad guys can get through. So it’s always good for you to be the first one to try these penetration tests before the bad guys get a chance to try it themselves.

With most of these penetration tests, and with actual exploits, usually there is an initial exploitation where a vulnerability is taken advantage of. Someone gets into the network, or gets into a system, and that is usually the hardest part. Once you get past that first initial exploitation, things tend to be a little bit easier.

Once the bad guys find a way into our systems, they want to stay there. They want to make sure that they have a way back in even if you were to patch this vulnerability that they found. So they’ll usually set up a backdoor that only allows them into these systems, or they might build out their own user account so they can log in normally just like any other user.

Unfortunately, many organizations have spent a lot of time and money making sure the outside of their network was secure and not spending a lot of time on the inside of their network. Once somebody gets inside and sets up a foothold point, it becomes relatively easy to move around inside the network without any other types of security controls. This is where someone usually starts is at the foothold point, and then they move from there to anywhere else they’d like inside your network.

If you’re contracting with a third party to provide a penetration test, there’s different levels of information you can provide before they begin the testing process. One method is to go at it as a black box. The penetration testing team has no idea about the systems or the network. They’re starting with relatively no information about what they’re getting into. And it’s up to them to build out the maps and logically figure out what types of systems they may be attacking.

The polar opposite would be a white box test, where you’re giving the penetration testers all of the information about your operating systems, your network, your services. And they’re jumping right to the point where they can start exploiting these vulnerabilities. A gray box would then be a combination of a black box and a white box. It’s where you’re focusing really on a subset of the network or the services or maybe only providing a certain amount of information about those. It’s up to the pentesting team to gather additional details and then begin attacking those systems.

I’m going to perform my own penetration test using one of the industry’s most popular penetration testing tools, Metasploit. This version of Metasploit has 1,697 different exploits in there. I’ve also downloaded a virtual machine that is an intentionally vulnerable server. There’s many of these that you can download over the internet, so that you can try different exploits, try to take advantage of those operating systems.

The server that I have has a known vulnerability with an internet relay chat client. And I’m going to load up that vulnerability in the system. The vulnerability is an unreal IRC daemon.

I’m simply going to tell Metasploit to use that exploit. It’s going to ask for parameters associated with that exploit. And the only one I’m really going to give is the remote host IP address of that virtual machine. I’ll give that information, and then I’ll tell Metasploit to perform the exploit.

When I hit Enter, it will begin communicating to that device, find the IP address, and in this case, runs the exploit against that known IRC daemon vulnerability and tells me that it has created a command shell into that machine. This command shell also has root access. So if I wanted to go to the etc and perform an ls, I am in that device right now and can perform every function as a root user.

You can see that finding these vulnerabilities and testing them to see if they can be exploited becomes pretty important. You want to find them before the bad guys do. So make sure that you have your own strategy for penetration testing in your organization.