PENETRATION TEST
A penetration test, colloquially known as a pen test,
is an authorized simulated attack on a computer system, performed to evaluate
the security of the system. The test is performed to identify both weaknesses
(also referred to as vulnerabilities), including the potential for unauthorized
parties to gain access to the system's features and data, and strengths,
enabling a full risk assessment to be completed.
The process typically
identifies the target systems and a particular goal—then reviews available
information and undertakes various means to attain the goal. A penetration test
target may be a white box (which provides background and system
information) or black box (which provides only basic or no
information except the company name). A penetration test can help determine
whether a system is vulnerable to attack, whether its defenses were sufficient, and
which defenses (if any) the test defeated.
Security issues that
the penetration test uncovers should be reported to the system owner. Penetration
test reports may also assess potential impacts to the organization and suggest
countermeasures to reduce risk.
The goals of a
penetration test vary depending on the type of activity approved for a given
engagement; the primary goal is to find vulnerabilities that could
be exploited by a nefarious actor and to inform the client of those
vulnerabilities along with recommended mitigation strategies.
Penetration tests are
a component of a full security audit. For example, the Payment Card
Industry Data Security Standard requires penetration testing on a regular
schedule, and after system changes.
Flaw hypothesis
methodology is a systems analysis and penetration prediction
technique where a list of hypothesized flaws in a software
system is compiled through analysis of the specifications and
documentation for the system. The list of hypothesized flaws is then
prioritized on the basis of the estimated probability that a flaw actually
exists, and on the ease of exploiting it to the extent of control or
compromise. The prioritized list is used to direct the actual testing of the
system.
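As an added illustration (not part of the original article), the prioritization step of the flaw hypothesis methodology in Python: each hypothesized flaw carries the analyst's estimated probability that it exists, the ease of exploiting it, and the extent of control it would grant, and the ranked list becomes the test order. The scoring scales, the impact weights and the sample hypotheses are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Weight for the extent of control a confirmed flaw would grant.
# Assumed scale for this example, not taken from any standard.
IMPACT_WEIGHT = {"information disclosure": 1, "limited access": 2, "full compromise": 4}

@dataclass(frozen=True)
class HypothesizedFlaw:
    name: str            # short label for the suspected flaw
    source: str          # specification/document section that suggested it
    probability: float   # estimated probability the flaw actually exists (0..1)
    ease: int            # ease of exploitation, 1 (hard) .. 5 (trivial)
    impact: str          # extent of control, a key of IMPACT_WEIGHT

def priority_score(flaw: HypothesizedFlaw) -> float:
    """Expected payoff of testing this hypothesis: likelihood x ease x impact."""
    if not 0.0 <= flaw.probability <= 1.0:
        raise ValueError(f"{flaw.name}: probability must be in [0, 1]")
    if not 1 <= flaw.ease <= 5:
        raise ValueError(f"{flaw.name}: ease must be in 1..5")
    return flaw.probability * flaw.ease * IMPACT_WEIGHT[flaw.impact]

def prioritize(flaws, budget=None):
    """Return flaws in the order they should be tested; ties broken by name.
    budget limits the plan to the top N hypotheses when test time is scarce."""
    ranked = sorted(flaws, key=lambda f: (-priority_score(f), f.name))
    return ranked if budget is None else ranked[:budget]

# Constructed hypotheses, as an analyst might derive them from design documents.
SAMPLE_FLAWS = [
    HypothesizedFlaw("default admin credentials", "install guide, section 3", 0.3, 5, "full compromise"),
    HypothesizedFlaw("verbose error pages", "API spec, section 2.4", 0.8, 4, "information disclosure"),
    HypothesizedFlaw("missing authz on export endpoint", "API spec, section 5.1", 0.5, 3, "limited access"),
    HypothesizedFlaw("race in session rotation", "auth design, section 7", 0.2, 1, "full compromise"),
]

def test_plan(flaws=SAMPLE_FLAWS, budget=None):
    """Names of hypotheses in test order, ready to hand to the testing team."""
    return [f.name for f in prioritize(flaws, budget)]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FLAWS):
        print(f"{priority_score(f):5.1f}  {f.name}  ({f.source})")
```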
Tools
Tool | Type | License | Tasks | Commercial status
Aircrack-ng | | GPL | Packet sniffer and injector; WEP encryption key recovery | Free
Metasploit | application, framework | EULA | Vulnerability scanning, vulnerability development | Multiple editions with various licensing terms, including one free-of-charge
Nessus | | Proprietary; GPL (2.2.11 and earlier) | Vulnerability scanner |
Nmap | terminal application | GPL v2 | computer security, network management | Free
Swascan | Cloud based, SaaS | | Vulnerability assessment, network scan, code review and GDPR assessment | Commercial
Wireshark | desktop application | GPL2 | Network sniffing, traffic analysis | Free; also offers limited vendor support, pro tools, and hardware for a fee
Specialized OS distributions
Several operating system distributions are geared towards penetration testing. Such distributions typically contain a pre-packaged and pre-configured set of tools. The penetration tester does not have to hunt down each individual tool, which might increase the risk of complications—such as compile errors, dependency issues, and configuration errors. Also, acquiring additional tools may not be practical in the tester's context.
Notable penetration testing OS examples include:
BackBox based on Ubuntu
Kali Linux (replaced BackTrack December 2012) based on Debian
Parrot Security OS based on Debian
Pentoo based on Gentoo
WHAX based on Slackware
Many other specialized operating systems facilitate penetration testing—each more or less dedicated to a specific field of penetration testing.
A number of Linux distributions include known OS and Application vulnerabilities, and can be deployed as targets. Such systems help new security professionals try the latest security tools in a lab environment. Examples include Damn Vulnerable Linux (DVL), the OWASP Web Testing Environment (WTW), and Metasploitable.