Penetration Testing Tools and Methodology
Penetration testers often use penetration testing tools, which include the open source Metasploit (https://www.metasploit.com) and closed source Cobalt Strike (https://www.cobaltstrike.com/) and Immunity Canvas (https://www.immunitysec.com/). Pen testers also use custom tools, as well as malware samples and code posted to the Internet.
Penetration testers use the following methodology:
- Planning
- Reconnaissance
- Scanning (also called enumeration)
- Vulnerability assessment
- Exploitation
- Reporting
Unethical hackers typically follow a similar methodology (though they may perform less planning, and obviously omit reporting). They will also cover their tracks (erase logs and other signs of intrusion), and frequently violate system integrity by installing back doors (in order to maintain access). A penetration tester should always protect data and system integrity.
Note
Penetration tests are sometimes controversial. Some argue that a penetration test really tests the skill of the penetration tester, and not the perimeter security of an organization. If a pen test is successful, is there value to the organization? But what if the penetration test fails? Did it fail because there is no perimeter risk? Or did it fail because the penetration tester lacked the skill or the time to complete the test? Or did it fail because the scope of the penetration test was too narrow?
Assuring Confidentiality, Data Integrity, and System Integrity
Penetration testers must ensure the confidentiality of any sensitive data that is accessed during the test. If the target of a penetration test is a credit card database, the penetration tester may have no legal right to view or download the credit cards. Testers will often request that a dummy file containing no regulated or sensitive data (sometimes called a flag) be placed in the same area of the system as the credit card data and protected with the same permissions. If the tester can read and/or write to that file, then they prove they could have done the same to the credit card data.
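The flag only proves something if it is protected exactly like the data it stands in for. As an added example (not from the book), this script compares a flag file's directory, owner, group and permission bits against the sensitive file's, so a looser flag is caught before the test starts; the file names and the temporary directory are constructed for the demonstration.

```python
import os
import stat
import tempfile


def permission_profile(path: str) -> dict:
    """Return the owner, group and permission bits that govern access to path."""
    st = os.stat(path)
    return {"uid": st.st_uid, "gid": st.st_gid, "mode": stat.S_IMODE(st.st_mode)}


def flag_matches_target(flag_path: str, target_path: str) -> list[str]:
    """Compare the flag against the sensitive target.

    Returns a list of mismatches; an empty list means the flag is a faithful
    proxy, so reading or writing it demonstrates the same access to the target.
    """
    flag = permission_profile(flag_path)
    target = permission_profile(target_path)
    problems = []
    flag_dir = os.path.dirname(os.path.abspath(flag_path))
    target_dir = os.path.dirname(os.path.abspath(target_path))
    if flag_dir != target_dir:
        problems.append("flag is not in the same directory as the target")
    for key in ("uid", "gid"):
        if flag[key] != target[key]:
            problems.append(f"{key} differs: flag={flag[key]} target={target[key]}")
    if flag["mode"] != target["mode"]:
        problems.append(f"mode differs: flag={flag['mode']:04o} target={target['mode']:04o}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: a stand-in 'cardholder' file and two candidate flags."""
    d = tempfile.mkdtemp()
    target = os.path.join(d, "cardholder.db")
    good_flag = os.path.join(d, "pentest_flag.txt")
    bad_flag = os.path.join(d, "pentest_flag_wrong.txt")
    for p in (target, good_flag, bad_flag):
        with open(p, "w") as fh:
            fh.write("constructed sample, no real data\n")
    os.chmod(target, 0o600)
    os.chmod(good_flag, 0o600)   # same protection as the target: valid proxy
    os.chmod(bad_flag, 0o644)    # world-readable: a successful read proves nothing
    return flag_matches_target(good_flag, target), flag_matches_target(bad_flag, target)


if __name__ == "__main__":
    good, bad = demo()
    print("good flag mismatches:", good)
    print("bad flag mismatches:", bad)
```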
Penetration testers must preserve the system integrity and data integrity of their client's systems. Any active attack (where data is sent to a system, as opposed to a passive, read-only attack) could potentially cause damage; this is true even for an experienced penetration tester. This risk must be clearly understood by all parties, and tests are often performed during change maintenance windows for this reason.
One potential issue that should be discussed before the penetration test commences is the risk of encountering signs of a previous or current successful malicious attack. Penetration testers sometimes discover that they are not the first attacker to compromise a system: someone has beaten them to it. Attackers will often become more malicious if they believe they have been discovered, sometimes violating data and system integrity. The integrity of the system is at risk in this case, and the penetration tester should end the penetration test, and immediately escalate the issue.
Finally, the penetration test report itself should be protected at a very high level: it contains a roadmap to attack the organization.