What pen tests is and how it is used
Penetration tests methodology
Penetration testing environment – kali linux & virtual machine tools
Make comparison between and others on Microware. Choose the best bundle of Office applications to suit your growing business need.
Information gathering – scanning & reconnaissance
Information gathering tools – nmap, wireshark, google dorking etc.
Reminder: Attacking systems you do not have permission to attack is illegal. Only perform attacks on machines and networks you own or have permission for.
Current State Cybersecurity
Over the past year or so hacking has gained mainstream attention from some high profile attacks. Theses attacks such as the Equifax data breach, Wanna Cry ransomware and many others have cost companies millions of dollars. With so much attention placed on data breaches, questions have been brewing of how safe user data is with each company. As long as these attacks keep happening companies will have to place more and more emphasis on their security procedures. Within cybersecurity penetration testing (pen screening) is one of the ways of mitigate attacks by plugging up security holes.
What is penetration tests?
Penetration tests is a process used by companies to test the security of their software and infrastructure. In penetration testing, a group of security professionals act as attackers in order to identify holes before hackers do. A pen tester’s goal is to provide information to the company about their vulnerabilities. In the world of security this is commonly referred to as red teaming. On the other side of penetration testing the company’s security team, the blue team, figure out what areas of their security need to be strengthened.
Is a Penetration Tester Just a Hacker?
A major difference between a malicious hacker and pen tester is permission and reporting. Most companies provide a scope of areas where they would like the pen tester to focus. These could be specific domains, networks, systems etc. Pen testers also record any vulnerabilities found during their testing and can suggest solutions to patch the issue.
Types of Penetration Screening
The types of penetration tests can vary depending on the technology. Here are some of the common types of pen testing:
Mobile Application Screening
Web Application Tests
Social Engineering Screening
The services of that include source code review and other assessments and tests.
Even though each area of penetration testing have differing tool sets, they share a common methodology.
Penetration tests methodology
Scanning and Reconnaissance – Getting to know the target using passive methods like researching publicly available information and network scanning.
Threat Modeling – A description or model of all the security concerns and why they should be resolved.
Vulnerability Analysis – Identifying vulnerabilities and determining their severity.
Exploitation – Gaining access by breaching security of a system or finding an bug to exploit in the software.
Post-Exploitation Reporting – Detailing the vulnerabilities found and providing information on potential impact on the company if exploited.
With the general methodology laid out, let’s jump into the initial steps to get up and running with penetration screening.
Introducing the environment
Cybersecurity like other technology fields has an abundance of tools available. To make this simpler Kali Linux was developed to bring together the most common tools in one OS environment. Kali Linux is a debian based linux system that can be used in a virtual environment such as Virtualbox or VMware. With virtual machines we can make a closed off network of multiple machines. This is a great way to practice attacks without opening up your own machine to attacks.