Tuesday, 28 May 2013
Tricks for Performing Your Own Penetration Test
First of all, before we get into some tips, we need to cover the essential definition of penetration testing and distinguish it from the seemingly similar vulnerability scan.
In essence, a penetration test consists of a deep reconnaissance of an entire network (its servers, firewalls, routers, wireless links, internet-facing web applications and workstations), followed by a listing of all discovered and suspected weaknesses, which are then actively attacked in an attempt to exploit them and gain entry to those systems. That is what a penetration test is, and it should be contrasted with the vulnerability scan it is often confused with: a vulnerability scan simply enumerates the systems in a network (or a single server or machine), checks them against a catalogue of known weaknesses and notes the findings for remediation, without attempting to exploit anything.
Thus, if you want to conduct your own pen test, you can't simply run several different scanning tools against your computers and network and call it a day. You then have to actually try to exploit the weaknesses your initial scans turned up, so that you learn which of them are real, reachable and worth fixing first.
Simplify things with Pen Testing Software
One simple, though possibly pricey, option is to use a complete commercial penetration testing package that guides you through each phase and automates much of the work. Such packages range from a few hundred to several thousand dollars for the most capable commercial products.
If you feel less than confident about a pen test conducted from scratch, a product such as Core IMPACT offers a very polished environment with a gentle learning curve. You can also save some or all of that money by using free, open source tools such as the Metasploit Framework (exploitation) and w3af (web application attack and audit). Both are very capable, and they are free, but they are also much more hands-on and have considerably steeper learning curves.
Gather Intel and Create a Threat Modeling Plan
Even though you are running the pen test against your own systems, you need to act and think as if you were an external intruder. That means following roughly the same sequence of steps an attacker would.
As a first step, start gathering intelligence on your own network and systems. This means building a picture of how your network is interconnected and what it exposes to the outside. Examine the publicly visible source of your websites, note which third-party scripts and add-ons your pages load, take advantage of Google, and footprint your own network using some of the following sources and tools:
Search engines (Google, Yahoo, DMOZ, etc.), WHOIS information, domain registration data, DNS records, the IP addresses recorded in e-mail headers, tools and websites such as SiteDigger, archive.org, nslookup, ping, traceroute and Netcraft, and a look through social network profiles for sensitive information that is visible to anyone.
Once you have gathered this intelligence, form a composite picture of all the data points that would allow you (or a would-be intruder) to plan an attack on your site. Every externally visible host, service, third-party dependency and named employee is a potential starting point.
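Two of the passive checks listed above, inventorying the third-party code a site pulls in and reading the mail-server hops out of an e-mail's Received: headers, are easy to script. The following is an added example written for this page; it is not code from the original post or from any of the tools it names. The HTML page and the mail headers are constructed samples, the domain names are placeholders, and the IP addresses come from the reserved documentation ranges.

```python
"""Passive footprinting helpers (added example): what third-party code a
site pulls in, and which mail hops an e-mail's Received: headers record."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AssetCollector(HTMLParser):
    """Collect (tag, url) for every element that makes the browser fetch something."""
    URL_ATTRS = {"script": "src", "iframe": "src", "link": "href", "img": "src"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = self.URL_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value:
            self.refs.append((tag, value))


def _collect(html):
    parser = _AssetCollector()
    parser.feed(html)
    return parser.refs


def third_party_assets(html, own_domain):
    """Map host -> sorted [(tag, url)] for every resource fetched from a host
    that is not own_domain or one of its subdomains.  Relative paths have no
    host and are skipped; scheme-relative URLs (//host/x) still parse to a host."""
    own_domain = own_domain.lower()
    inventory = {}
    for tag, url in _collect(html):
        host = (urlparse(url).hostname or "").lower()
        if not host or host == own_domain or host.endswith("." + own_domain):
            continue
        inventory.setdefault(host, []).append((tag, url))
    return {host: sorted(refs) for host, refs in inventory.items()}


def insecure_script_loads(html):
    """Scripts fetched over plain http: executable code an on-path attacker
    could swap out, even if the page itself is served over https."""
    return sorted(url for tag, url in _collect(html)
                  if tag == "script" and url.lower().startswith("http://"))


def received_hops(raw_headers):
    """Return [(claimed_sender, observed_ip), ...] ordered from origin to final
    destination.  Each Received: line is written by the *receiving* server: the
    name after 'from' is what the sender claimed, the bracketed address is what
    the receiver actually saw.  Only lines added by servers you trust are
    reliable; anything below them can be forged by the sender."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)   # join folded lines
    hops = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        claimed = re.search(r"\bfrom\s+(\S+)", line, re.I)
        seen = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
        hops.append((claimed.group(1) if claimed else None,
                     seen.group(1) if seen else None))
    hops.reverse()          # servers prepend, so the last header is the origin
    return hops


# Constructed sample page for the fictitious site example.com.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example.net/jquery-1.9.1.min.js"></script>
<script src="http://stats.example.org/track.js"></script>
<script src="//cdn.example.net/plugins/carousel.js"></script>
<script src="/js/app.js"></script>
</head><body>
<iframe src="https://widgets.example.org/chat?site=example.com"></iframe>
<img src="https://static.example.com/logo.png">
</body></html>"""

# Constructed headers; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are
# reserved documentation ranges, not real hosts.
SAMPLE_HEADERS = """\
Received: from mx.example.com (mx.example.com [192.0.2.10])
    by mail.example.com with ESMTP; Tue, 28 May 2013 09:12:01 -0700
Received: from relay.isp.example.net (relay.isp.example.net [198.51.100.7])
    by mx.example.com with ESMTPS; Tue, 28 May 2013 09:11:58 -0700
Received: from laptop.home.example (unknown [203.0.113.45])
    by relay.isp.example.net with ESMTPSA; Tue, 28 May 2013 09:11:55 -0700
From: alice@example.net
Subject: quarterly numbers
"""

if __name__ == "__main__":
    for host, refs in sorted(third_party_assets(SAMPLE_HTML, "example.com").items()):
        print(host, refs)
    print("scripts over plain http:", insecure_script_loads(SAMPLE_HTML))
    print("mail path:", received_hops(SAMPLE_HEADERS))
```

Every host that comes back from third_party_assets is code or content you do not control but that runs in, or is framed by, your visitors' browsers, so each one belongs in your threat model. The received_hops output is read from the bottom up in the raw headers: the hop closest to the origin is the one an intruder (or you, footprinting your own mail) learns the sender's network from, and it is also the part the sender could most easily have forged.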
Scan for Access Points
Another key component of a penetration test is scanning for entry points into the target network, in this case your own. This is an active phase: it takes the intelligence gathered earlier and probes every host and port discovered to learn what service sits behind it, what function it serves inside the network and how exposed it is.
Scanning is made easier by the many port, TCP and UDP scanning tools available, such as SuperScan 4, scanrand and THC Amap (which identifies the application behind a port by what it says rather than by the port number). Numerous other scanners exist, so investigate their different capabilities before choosing the right tools for your own penetration test.
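To make the scanning phase concrete, here is an added example, not from the original post and not the code of SuperScan, scanrand or Amap, of what those tools do under the hood: a TCP connect scan, a banner grab to identify the service, and a comparison of the open ports against the ports you documented as intentional. Because it has to run offline, it stands up its own throwaway listener on 127.0.0.1 and scans that; the SSH banner the fake service sends and the baseline set {22, 80, 443} are assumed values for the demonstration.

```python
"""TCP connect scan + banner grab + baseline diff (added example).  It runs
against a throwaway listener on 127.0.0.1 so the whole thing works offline."""
import socket
import threading

# Assumed values for the demo: the banner our fake service announces and the
# set of ports this host is *supposed* to expose.
FAKE_BANNER = b"SSH-2.0-OpenSSH_5.9\r\n"
BASELINE = {22, 80, 443}


def _serve_once(listener, banner):
    """Accept a single connection, send the banner, then stop listening."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(banner)
    listener.close()


def start_fake_service(banner=FAKE_BANNER):
    """Bind to an OS-chosen loopback port and serve one banner; return the port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_serve_once, args=(listener, banner), daemon=True).start()
    return listener.getsockname()[1]


def grab_banner(host, port, timeout=1.0):
    """Full TCP connect, then read whatever the service volunteers.
    Returns (True, bytes) if the port accepted the connection, (False, b'')
    if it was refused or timed out.  SSH, SMTP and FTP speak first, so a
    plain recv() is enough; HTTP would need a request sent first."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return True, s.recv(256)
            except socket.timeout:
                return True, b""
    except OSError:
        return False, b""


def scan(host, ports, timeout=1.0):
    """Return {port: banner} for every port that completed the TCP handshake."""
    found = {}
    for port in ports:
        is_open, banner = grab_banner(host, port, timeout)
        if is_open:
            found[port] = banner
    return found


def identify(banner):
    """Crude application fingerprint from the first bytes a service sends,
    which is what Amap-style tools do far more thoroughly."""
    if banner.startswith(b"SSH-"):
        return "ssh " + banner.split(b"\r\n", 1)[0][4:].decode(errors="replace")
    if banner.startswith(b"220 "):
        return "smtp/ftp greeting"
    if banner.startswith(b"HTTP/"):
        return "http"
    return "unknown/silent"


def unexpected_ports(scan_results, baseline):
    """Open ports that nobody documented: the first thing to investigate."""
    return sorted(p for p in scan_results if p not in baseline)


if __name__ == "__main__":
    port = start_fake_service()
    results = scan("127.0.0.1", range(port - 2, port + 3))
    for p, banner in sorted(results.items()):
        print(f"{p}/tcp open  {identify(banner)}")
    print("open but not in baseline:", unexpected_ports(results, BASELINE))
```

A connect scan completes the full three-way handshake, so it is noisy (every probe lands in the target's logs) but needs no raw-socket privileges, which is why it is the right choice when you are scanning your own machines from an ordinary account. The baseline comparison is the part worth keeping around: run it on a schedule and the ports that appear between runs are exactly the ones a real intruder would try first.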
Conduct a Vulnerability Scan
As a precursor to performing your own penetration test, you should also run vulnerability scans of your network and devices with commonly available scanning software. Well-known examples include the Retina, Nessus and GFI LanGuard vulnerability scanners, several of which offer free or trial editions for personal use.
These tools and their scans are not by themselves a penetration test, but they give you a wealth of information about the weak spots throughout your network. Run them before a pen test, as a preliminary step, and again afterwards to check for holes that remain in your servers, network, websites and machines. A scan is only a snapshot of one moment, so vulnerability scans should be performed on a regular basis as part of a general security plan, with each run compared against the last.
When all else fails and there is a security breach, contact a professional who can perform proper digital forensics and determine what happened. Companies such as LWG Consulting and Digits LLC are two sources of that kind of help.
About the author: Stephan Jukic is a freelance writer who generally covers a variety of subjects relating to the latest changes in white hat SEO, mobile technology, marketing tech and digital security. He also loves to read and write about location-free business, portable business management and finance. When not busy writing or consulting on technology and digital security, he spends his days enjoying life’s adventures either in Canada or Mexico, where he spends part of the year. Connect with Stephan on LinkedIn.