You’ve built an awesome business — it is booming and making money. You’ve streamlined all the processes and operations. Business is good. But when you build something great, it attracts cybercriminals. Your business is valuable to you, and cybercriminals can profit from it. That’s why security is important.
You can use different security approaches to secure your application, infrastructure and network. This post focuses on one such approach, penetration testing, and covers:
- How penetration testing helps improve security
- The different stages of penetration testing
- Examples of penetration testing tasks
- Penetration testing tools
What is penetration testing?
Penetration testing is a way of identifying security weaknesses or loopholes in a system by simulating attacks on the system. Sometimes known as pentesting, penetration testing helps you to:
- Identify parts of your application or environment that have weak or no security.
- Learn how attackers can bypass your security.
- Prioritize fixing issues. Based on the impact of an attack, you can learn which security weaknesses are high risk and which ones are lower risk.
All of this information will help you improve your overall security posture. With the penetration testing approach, you’re thinking like an attacker. This change in perspective helps you understand what part of your application is an easy target — and how an attacker would try to take advantage of that weakness.
Now that you know how penetration testing can help, let’s look at how to go about penetration testing.
Stages of penetration testing
Penetration testing is a multistage process. You take one step at a time and make your way through. Each stage has its own importance, and following these steps makes penetration testing efficient.
Step 1. Gathering information
Information gathering and reconnaissance is the first step in penetration testing and acts as the basis for the steps that follow. This is where you gather as much information as possible about your target. You’ll want to understand the target, the attack surface you will test, and the points at which to start checking for security weaknesses.
Common information to gather includes IP addresses, servers, frameworks, subdomains and operating systems.
Step 2. Scanning
Once you find points where attackers could break in, you start testing these points for potential weaknesses. Scanning is used to identify possible security weaknesses.
It is not efficient to test every conceivable weakness, since most known weaknesses may not even apply to the architecture or system under test. Scanning produces a list of weaknesses to focus on. So instead of blindly throwing stones and hoping to hit the target, you use intelligence to increase your chances of success. Here, you can either:
- Identify a version of a framework or tool that is known to be vulnerable.
- Check how the application responds to intrusion attempts and see if it can be exploited.
Step 3. Exploiting
This is the stage where the actual penetration happens, and the security weaknesses are exploited. Examples of exploitation include:
- Gaining access to a component or data
- Causing system failures
- Modifying or updating data
Of course, you can get creative here and try different ways to break in.
What happens next? In an actual cyberattack, the attackers decide what to do depending on their intent. But as testers, we need to identify all the possible impacts. You don’t want to cause real harm while you’re testing — but you want to know what harm can be done.
For example, if an attacker gained admin privileges to a database, they might run a command to delete the entire database. As a penetration tester, of course, you check whether you have enough permissions to delete the database and stop there — you don’t want to delete the database.
If you want to do exactly what an attacker would do, first replicate your target system or application and test it in a virtual environment. As a result, you will be able to test thoroughly without causing harm.
Step 4. Maintaining the connection
In this stage, we try to create a way to maintain a connection with the affected system or network. Depending on the affected system, an attacker can use different techniques to maintain access.
The main purpose of maintaining access is so that the attackers can come back to cause more harm. For example, an attacker might have exploited a vulnerability and attained admin privileges. The attacker might want a way to get back into the exploited machine to launch ransomware later. Maintaining access could be as simple as creating users or accounts that can be used later. Or it could mean planting a backdoor or introducing other vulnerabilities to exploit later.
Step 5. Covering tracks
A fully successful cyberattack is one that goes unnoticed.
To avoid detection and prevent being traced, attackers try to remove all evidence and indicators of an attack. This includes:
- Modifying or deleting logs
- Undoing changes made in intermediate steps of the attack
- Taking additional or creative actions
From a testing standpoint, covering your tracks is an important test of your system’s ability to detect a breach and to retain the evidence of it. Almost every infrastructure has logging enabled. It is equally important to check how difficult it is to corrupt the logs or any other data that helps trace a breach.
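One way to make log tampering detectable, as an added example that is not part of the original post: each entry’s digest covers the previous digest, and the final digest (`tail`) is shipped to a separate collector, so deleting, editing or truncating entries on the compromised host shows up at verification time. The log lines, host names and seed are constructed for the example.

```python
import hashlib

# Constructed syslog-style lines standing in for an auth log; not real events.
AUTH_LOG = [
    "Jan 10 10:01:02 web01 sshd[2311]: Accepted password for deploy from 192.168.211.5 port 51012 ssh2",
    "Jan 10 10:02:15 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/usr/bin/apt update",
    "Jan 10 10:03:40 web01 useradd[2402]: new user: name=svc-backup, UID=1005, GID=1005",
    "Jan 10 10:04:01 web01 sshd[2311]: Received disconnect from 192.168.211.5 port 51012",
]
SEED = "hypothetical-chain-seed"  # in practice a per-host secret or the first digest


def _link(prev_digest, line):
    """Digest of one entry; it covers the previous digest, so edits ripple forward."""
    return hashlib.sha256(f"{prev_digest}\n{line}".encode()).hexdigest()


def chain_logs(lines, seed=SEED):
    """Return [(line, digest), ...] where each digest depends on all earlier lines."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    chained = []
    for line in lines:
        prev = _link(prev, line)
        chained.append((line, prev))
    return chained


def verify_chain(chained, tail, seed=SEED):
    """Check a chained log against `tail`, the last digest recorded off-host.

    Returns (True, -1) if intact, otherwise (False, index) where `index` is the
    first entry that no longer matches; an index equal to len(chained) means
    trailing entries were removed (the chain is consistent but too short).
    """
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for i, (line, digest) in enumerate(chained):
        if _link(prev, line) != digest:
            return False, i
        prev = digest
    if prev != tail:
        return False, len(chained)
    return True, -1


if __name__ == "__main__":
    chained = chain_logs(AUTH_LOG)
    tail = chained[-1][1]  # ship this to a separate log collector
    print(verify_chain(chained, tail))
    # Simulate an attacker removing the account-creation entry (index 2).
    print(verify_chain(chained[:2] + chained[3:], tail))
```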
Step 6. Reporting
Without reporting, all the previous stages carried out by a penetration tester go to waste.
All previous stages of penetration testing resemble a real cyberattack. But the main difference between an actual cyberattack and penetration testing is that a penetration tester must report all findings of the penetration testing.
A penetration testing report will be used as a reference for security fixes and updates. A report must be as detailed as possible. A good report contains at least the following:
- Information found that can be used by attackers
- Vulnerabilities and security weaknesses found — and the risks associated with them
- Explanation of how vulnerabilities and security weaknesses were exploited or can be exploited
- Impact after exploitation
- Recommendations to improve security
That covers the different stages of penetration testing.
How to perform penetration testing
If you want to become a penetration tester, don’t be intimidated by the process. In this section, we’ll look briefly at the skillsets and tools useful for penetration testing and then we’ll walk you through a hands-on example.
Penetration testing team skills
Here are some of the most important skills for a penetration tester or a penetration testing team:
- Knowledge of operating systems and networking
- Network and application security skills
- Ability to gather open-source intelligence (OSINT)
- Knowledge of authentication and authorization mechanisms
- Up-to-date information on vulnerabilities
- Awareness of security and pentesting tools
- Documentation and presentation capabilities
- Programming knowledge
Now that you know what skills you need, the next question is how to gain these skills. Here are some ideas:
- Start with reading and learning. There are many resources available on the internet.
- Take a penetration testing course.
- Practice. You can find many intentionally vulnerable systems and applications designed for pentesting practice. Set them up and practice different techniques.
A manager also plays an important role in upskilling the team. A manager has to assess their team’s skills and see where they need to improve. Upskilling can be done through seminars, workshops, and knowledge-sharing sessions. A manager can also arrange hackathons to make things interesting.
Now let’s look at some pentesting tools in action.
Penetration testing tools
You can use various tools for pentesting based on your requirements and preferences. Some tools can be used in more than one stage of penetration testing. In this section, we’ll go through some tools and simple practical examples.
Penetration testing on an application, server, network, etc., without prior permission and clearance is illegal. So, we’ll set up a test environment to use our tools.
Setting up a test environment
I will use two virtual machines on VMware for this exercise:
- The attacker machine. I will use Kali Linux for this, which is the industry-standard platform for pentesting and ethical hacking.
- The victim machine. I’ll use Metasploitable, a free and open-source vulnerable machine that also hosts a vulnerable web application.
To set up this environment, you first have to install VMware. Then download VMware images for Kali Linux and Metasploitable and import them into VMware.
Once you install these machines, you need to find the IP address of the victim system. In real-life scenarios, you can use different tools to find this information. But to keep it simple, I’m just going to find the IP by running the ifconfig command on the victim system.
Now on to the first tool.
Whois
This is an information-gathering tool. It provides basic registration information for an IP address or domain. Let’s take duckduckgo.com as an example. If you run the whois duckduckgo.com command in a Kali terminal, you will see information related to the domain.
You can also use the Whois web application to gather information.
Shodan
Shodan is a search engine that crawls the internet and collects information about reachable servers and endpoints. You can then use Shodan to get information about your target or to find targets that match a particular condition.
For example, if I want to look for servers with port 21 open, I’ll use the query port:21. This will give me a list of IPs that have port 21 open.
Similarly, you can use a combination of queries to find specific information.
Nmap
Nmap is a network scanner that you can use to collect specific information about your target, such as services, operating system, and hosts. You can also use NSE scripts to run custom scans. Let’s run a scan on our vulnerable machine and see what we can find.
Command: nmap -O -sV 192.168.211.129
The option -O is used for OS detection, and -sV is used for service/version detection.
The result shows the open ports, the services behind them and their versions. The Linux version running is also shown. An attacker can use this information to find vulnerabilities specific to a service and version, and then try to exploit them.
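As an added example that is not part of the original post, here is how a defender can turn that scan into findings: nmap’s -oX output is parsed and each open port is checked against a baseline of expected services and a list of versions known to be vulnerable. The XML below is constructed in the shape of nmap output (not a real capture), and the baseline and vulnerable-version list are hypothetical apart from the vsftpd 2.3.4 entry the post itself names.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like `nmap -oX -` output (not a real capture); the
# ports and versions mirror the article's Metasploitable scan.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -O -sV -oX - 192.168.211.129">
  <host>
    <address addr="192.168.211.129" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.8"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/>
        <service name="telnet"/></port>
    </ports>
  </host>
</nmaprun>"""

EXPECTED_PORTS = {22, 80}  # hypothetical baseline of ports the owner expects
KNOWN_VULNERABLE = {("vsftpd", "2.3.4")}  # (product, version) the article flags

def parse_open_ports(xml_text):
    """Map (ip, port) -> (product, version) for every port nmap reports open."""
    found = {}
    for host in ET.fromstring(xml_text).iter("host"):
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed or filtered ports are not listening services
            svc = port.find("service")
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            found[(ip, int(port.get("portid")))] = (product, version)
    return found

def triage(open_ports, expected=EXPECTED_PORTS, vulnerable=KNOWN_VULNERABLE):
    """Return (ip, port, reason, service) findings, lowest port first."""
    findings = []
    for (ip, port), (product, version) in sorted(open_ports.items()):
        service = f"{product} {version}".strip()
        if port not in expected:
            findings.append((ip, port, "unexpected open port", service))
        if (product, version) in vulnerable:
            findings.append((ip, port, "known-vulnerable version", service))
    return findings

if __name__ == "__main__":
    print(*triage(parse_open_ports(SAMPLE_XML)), sep="\n")
```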
Metasploit
The Metasploit Project and its framework are a favorite of attackers. It includes many payloads, exploits, auxiliary modules, etc. It’s one of the most famous penetration testing tools, used to identify and exploit vulnerabilities and also to test security fixes.
Let’s look at a simple example of how we can use this framework. From the previous nmap scan, we know that our victim machine is running vsftpd 2.3.4. This version is vulnerable, so we’ll use Metasploit to exploit it.
First, we open the Metasploit console:
Then we select the exploit for vsftpd 2.3.4 and configure the port and IP address. Make sure to replace the IP address with the victim’s IP address in your environment.
set RHOST 192.168.211.129
set RPORT 21
Then we finally execute it by running the following command:
After a successful exploit, you’ll have a backdoor shell that allows you to run commands on the victim system.
Wireshark
Wireshark is a packet analyzer that helps you monitor your network. Wireshark comes preinstalled in Kali — simply find it in the menu and start the tool. Then, select the network interface that you want to monitor.
Now Wireshark will start capturing traffic on the selected interface.
You can then click on each entry to view more information about that traffic.
John the Ripper
John the Ripper is a password-cracking tool. It can crack passwords and also detect weak passwords that need to be strengthened. To show you how easy it is to use this tool, I will crack a user’s password. First, let’s create a password-protected zip file. I’m setting the password to 1234 so that John the Ripper takes less time to crack it.
echo 'hello' > a.txt
zip -e a.zip a.txt
zip2john a.zip > a.hashes
You can see how John the Ripper was able to crack the password.
Burp Suite
Burp Suite is one of the most powerful tools for web application testing. It lets you intercept traffic and manipulate data. Attackers can use Burp Suite to craft malicious queries or requests and send them to the server.
Let’s see an example of how Burp Suite intercepts traffic. Burp Suite comes preinstalled in Kali; you just need to start it with the default configuration. To intercept traffic using Burp, you need to set a proxy in your browser. First, check the proxy listener address and port in Burp, then configure the same proxy in your browser.
Now visit any website in your browser. You will see the traffic intercepted in Burp Suite. The screenshot below is an example of traffic to a login page where a username and password are entered and submitted.
Along with such tools, you can also use automated scanning tools, such as Nessus or OWASP ZAP, to identify security issues in an application.
Now, you’ve completed penetration testing and you’ve found various weaknesses. How do you prioritize fixing these weaknesses?
How to prioritize vulnerabilities
In the cyber world, you will usually find two types of attackers.
- Highly skilled attackers who think outside the box, build their own tools, etc.
- Less skilled attackers who mainly depend on existing tools.
We should first focus on finding the most common vulnerabilities and go for the low-hanging fruit. We can use the OWASP Top 10 list, or the vulnerabilities most scanners look for, as a reference. Start by fixing the easiest-to-exploit, high-risk issues, then work your way through the other fixes.
Penetration testing trends
Penetration testing has come a long way over the years. In earlier days, penetration testing was performed after the product was completely ready and when it became popular. But in recent years, people have started to understand the importance of security and have begun incorporating penetration testing earlier — a main tenet of DevSecOps.
As a penetration tester or penetration testing team, it’s very important to keep yourself up to date with the latest trends, technologies, and vulnerabilities. Cloud adoption is an architectural trend that has become the norm. This means it’s important for penetration testers to build up their cloud security and cloud penetration-testing skills.
This post was written by Omkar Hiremath. Omkar is a cybersecurity team lead who is enthusiastic about security, ethical hacking, and Python. He is keenly interested in bug bounty hunting and vulnerability analysis.
This posting does not necessarily represent Splunk's position, strategies or opinion.