Penetration test

From Wikipedia, the free encyclopedia

A penetration test, occasionally pentest, is a method of evaluating computer and network security by simulating an attack on a computer system or network from external and internal threats.[1] The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, both known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures.[citation needed] This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities.[citation needed]

Security issues uncovered through the penetration test are presented to the system's owner.[citation needed] Effective penetration tests will couple this information with an accurate assessment of the potential impacts to the organization and outline a range of technical and procedural countermeasures to reduce risks.[citation needed]

Penetration tests are valuable for several reasons:[citation needed]

  1. Determining the feasibility of a particular set of attack vectors
  2. Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence
  3. Identifying vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software
  4. Assessing the magnitude of potential business and operational impacts of successful attacks
  5. Testing the ability of network defenders to successfully detect and respond to the attacks
  6. Providing evidence to support increased investments in security personnel and technology

Penetration tests are a component of a full security audit.[2][3] For example, the Payment Card Industry Data Security Standard (PCI DSS), a security and auditing standard, requires both annual penetration testing and ongoing penetration testing after system changes.[citation needed]

Standards and certification

The Information Assurance Certification Review Board (IACRB) manages a penetration testing certification known as the Certified Penetration Tester (CPT). The CPT requires that the exam candidate pass a traditional multiple choice exam, as well as pass a practical exam that requires the candidate to perform a penetration test against servers in a virtual machine environment.[4]

Tools

Specialized OS distributions

There are several operating system distributions that are geared towards performing penetration testing.[5] Such distributions typically contain a pre-packaged and preconfigured set of tools. This is useful because the penetration tester does not have to hunt down a tool when it is required; hunting down tools can lead to further complications such as compile errors, dependency issues and configuration errors, and acquiring additional tools may simply not be practical in the tester's context.

Software frameworks

Automated testing tools

The process of penetration testing may be simplified as two parts:

  1. Discovering a combination of legal operations that will let the tester execute an illegal operation: unescaped SQL commands, unchanged salts in source-visible projects, human relationships, or the use of old hash/crypto functions.
    1. A single flaw may not be enough to enable a critically serious exploit; leveraging multiple known flaws and shaping the payload so that it is regarded as a valid operation is almost always required. Metasploit provides a Ruby library for common tasks and maintains a database of known exploits.
    2. Under budget and time constraints, fuzzing is a common technique for discovering vulnerabilities. Its aim is to provoke an unhandled error through random input. The input is random because the tester wants to exercise less often used code paths; well-trodden code paths have usually been rid of errors. Errors are useful because they either expose more information (for example, an HTTP server crash with a full traceback) or are directly usable (for example, a buffer overflow). To see the practicality of the technique, imagine a website with 100 input boxes, a few of which are vulnerable to SQL injection on certain strings. Submitting random strings to those boxes for a while will hopefully hit the bugged code path, and the error shows itself as a half-rendered, broken HTML page caused by the SQL error. In this case only text boxes are treated as input streams, but software systems have many possible input streams: cookie/session data, an uploaded file stream (perhaps a JPEG post-processing library chokes on some data sequence), RPC channels, or memory (fuzzing subroutines or scrambling targeted memory blocks). The goal is first to get an unhandled error, and second to come up with a theory about the nature of the flaw based on the failed test case. The tester then writes an automated tool to test the theory until it is correct. After that, with luck, it should become obvious how to package the payload so that its execution will be triggered; or one could give up and hope that another error produced by the fuzzer will yield more fruit. At least time is not wasted on checking boringly perfect code paths where all doors are shut.
  2. Specifying the illegal operation, also known as the payload in Metasploit terminology: a remote mouse controller, webcam peeker, ad popupper, botnet drone or password hash stealer. Refer to the Metasploit payload list for more examples.
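
The fuzzing workflow described above, as an added illustration that is not part of the article: random strings are fed to a constructed handler that pastes user input into SQL text, every input that lets an exception escape is recorded, and a triage step shrinks a failing case to the character responsible. The parameterized handler beside it shows the fix that closes that code path; the table, handler names and alphabet are assumptions made for the example.

```python
import random
import sqlite3
import string
# Quote and punctuation characters are mixed in so less-used parsing paths get exercised.
ALPHABET = string.ascii_letters + string.digits + " '\";-%_()\\"

def make_db():  # constructed in-memory stand-in for the site's database backend
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'alice@example.test')")
    return db

def lookup_concat(db, name):
    """Flawed handler: user input is pasted into the SQL text (the bugged code path)."""
    return db.execute("SELECT email FROM users WHERE name = '" + name + "'").fetchall()

def lookup_param(db, name):
    """Hardened handler: a bound parameter is never parsed as SQL."""
    return db.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()

def raises(handler, db, sample):
    """True if the handler lets an exception escape for this input (the unhandled error)."""
    try:
        handler(db, sample)
        return False
    except Exception:
        return True

def fuzz(handler, iterations=2000, seed=1):
    """Feed random strings to handler; collect the inputs that produce unhandled errors."""
    rng = random.Random(seed)
    db = make_db()
    failures = []
    for _ in range(iterations):
        sample = "".join(rng.choice(ALPHABET) for _ in range(rng.randint(1, 12)))
        if raises(handler, db, sample):
            failures.append(sample)
    return failures

def minimize(handler, sample):  # triage: drop characters one at a time while it still fails
    db = make_db()
    shrunk = True
    while shrunk and len(sample) > 1:
        shrunk = False
        for i in range(len(sample)):
            candidate = sample[:i] + sample[i + 1:]
            if raises(handler, db, candidate):
                sample, shrunk = candidate, True
                break
    return sample
```

Running `fuzz(lookup_concat)` yields only inputs containing a quote character, and `fuzz(lookup_param)` yields none, which is the theory about the flaw that the minimized case confirms.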

Some companies maintain large databases of known exploits and provide products that automatically test whether target systems are vulnerable.

References

  1. "Glossary". ISACA. Retrieved 9 January 2013.
  2. "Penetration test". Network Security Services. Retrieved 16 April 2012.
  3. "Corporate IT Security Courses". eLearnSecurity. 16 April 2012.
  4. "CWAPT - CERTIFIED PENETRATION TESTER". IACRB. Retrieved 17 January 2012.
  5. Faircloth, Jeremy (2011). "1". Penetration Tester's Open Source Toolkit, Third Edition (Third ed.). Syngress Publishing. ISBN 1597496278.