Cyber security is paramount in today’s digital age, and ‘penetration testing’ (or ‘pen testing’), often called ethical hacking, is one of its critical methods. It is an authorised simulation of a cyber-attack on a computer system, network, or web application, conducted to evaluate the security posture and uncover vulnerabilities that attackers could exploit.
Security posture indicates how well prepared an organisation is to defend against a cyber threat. It takes into account everything from the security status of software and hardware assets, networks, information, and services, to the quality of the controls and measures in place to prevent, respond to, and recover from cyber-attacks.
The main goal of a pen test is to identify security weaknesses and use the results to improve the cyber security of the target environment. Typically, findings are prioritised by the severity of the damage they could cause: critical > high > medium > low.
Penetration testing is usually performed by security experts who use an array of tools and techniques to attempt to gain unauthorised access to the target system.
Stages of a Pen Test
- Reconnaissance – this is the planning stage where the pen tester gathers as much information about the target as possible using techniques such as social engineering and open-source intelligence (OSINT).
- Scanning – this stage focuses on mapping out the attack vectors and identifying vulnerabilities. Pen testers use multiple tools depending on their discoveries during stage one.
- Exploitation – in this phase, the tester attempts to access the target system and exploit the previously identified vulnerabilities using different tools (some of which we’ll mention in a moment).
- Reporting – based on what has been gathered in the previous phases, this stage collects and records all the findings from the penetration test, which are then assessed and used to improve the targeted system.
I should note that some sources distinguish between five, six, or even seven phases of a pen test; however, they all revolve around getting to the same outcome in the best way possible.
Pen Testing Tools
There is a multitude of tools designed for penetration testing and the choice of tools used in a test will depend on the specific needs and requirements of the target organisation, and the type of system which is being tested. We can make a distinction between hardware and software tools.
From a hardware perspective, we look at physical tools that can help a pen tester gain access to a system. Some of these are:
Rubber Ducky: looks like a USB drive but is much more – it’s a keystroke injection tool that presents itself to the computer as a keyboard, allowing it to rapidly execute pre-programmed keystroke sequences that can automate tasks such as opening a command prompt, launching a remote connection, or installing malware. It can be used to compromise an unattended computer or to bypass security measures such as locked screens or password-protected accounts.
LAN Turtle: also looks like a harmless USB drive – when plugged in, it functions as a wireless access point that can be used to connect to the target system and potentially bypass security measures like firewalls and intrusion detection systems. It can be used to perform a man-in-the-middle attack, in which an attacker intercepts and modifies network traffic in real time.
Flipper Zero: another highly portable, open-source electronic device designed for security research. It can be used for wireless network scanning, data exfiltration, and password cracking. It can be programmed to act as a wireless access point, a rogue access point, or a client.
Wi-Fi Pineapple: this tool can be utilized as an unauthorised access point (AP) in a man-in-the-middle (MitM) attack – attackers use it to create a rogue AP to sneakily obtain credentials.
Bash Bunny: another tool that looks like a USB drive – one of its key features is its ability to operate in multiple modes, which lets it be used in a wide range of testing scenarios. It can be configured to act as a keyboard, a network adapter, or a mass storage device, depending on the needs of the tester.
Packet Squirrel: a pocket-sized man-in-the-middle device – designed to look like a common USB drive, it contains a number of features that make it a powerful tool for network reconnaissance and exploitation. It is designed to intercept network traffic and redirect it through the device, allowing users to monitor and analyse network traffic in real time.
It’s important to note that the use of these tools should only be done with the explicit consent of the owner of the target system and within the bounds of applicable laws and regulations.
The use of such hardware for malicious purposes, such as stealing sensitive information or installing malware, is illegal and unethical.
Pen testers usually have a ‘get out of jail free card’ when on a job, because if they get caught, they would surely be asked a lot of questions! For this reason, they are supplied with a document stating that they are authorised to perform the pen test. Pretty cool, hey? (⌐■_■)
Kali Linux is the most prominent open-source operating system used to perform pen tests. It is important to note that having access to such a tool, or any open-source tool for that matter, is a double-edged sword. The reason is simple: both offenders and defenders work with the same tools, each trying to ‘outsmart’ the other. In the cyber security world, we refer to defenders as white-hat hackers – ethical hackers, who exploit systems for the purpose of improving security – and, on the other hand, we have offenders, the black-hat hackers or adversaries – those who hack with malicious intent.
There are a number of pen testing software tools, such as:
- Hashcat: an advanced password recovery tool used for cracking passwords – capable of cracking a variety of hash formats. It operates by using brute-force attacks, dictionary attacks, and rule-based attacks to crack passwords.
*Brute-force attacks try every possible combination of characters until the correct password is found. Dictionary attacks try words from a predefined list, while rule-based attacks modify words from the dictionary in pre-defined ways. By cracking passwords, organisations can identify weaknesses in their password policies and improve the security of their systems.
- Wireshark: a network protocol analyser that can be used to capture, analyse, and debug network traffic. It is often used for network troubleshooting but can also be used for network security testing and forensics.
- Metasploit: an open-source platform for developing, testing, and executing exploits. It’s one of the most used pen testing automation frameworks out there – it helps professionals verify and manage security assessments.
- Nmap: a network mapping tool used for port scanning, host discovery, and service enumeration. It can also be used for vulnerability scanning and detection of misconfigured systems.
- Burp Suite: a comprehensive suite of tools used for web application security testing. It includes a web proxy, scanner, spider, and other tools for detecting and exploiting web application vulnerabilities.
- Aircrack-ng: a suite of tools used for Wi-Fi network security testing. It includes tools for monitoring and capturing Wi-Fi traffic, cracking WEP and WPA-PSK keys, and performing various other Wi-Fi network security tasks.
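As an added example (not code from the original post or from any of the tools above), here is a small Python password-policy check that models the three attack classes described under Hashcat: a dictionary attack (the unmodified word), a rule-based attack (case changes, character substitutions and common suffixes) and a brute-force keyspace estimate. The wordlist, substitution table, suffix list and the 1e10 guesses-per-second rate are constructed assumptions for illustration.

```python
import string

# Constructed mini wordlist and substitution table for the example; a real
# policy check would load a large wordlist of the kind cracking tools use.
WORDLIST = {"password", "welcome", "summer", "dragon", "letmein"}
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "12", "123", "!", "1!"]
GUESSES_PER_SECOND = 1e10  # assumed attacker rate for a fast unsalted hash

def rule_variants(word):
    """Expand one dictionary word the way a rule-based attack does:
    case changes, leet substitutions, then common digit/symbol suffixes."""
    forms = {word.lower(), word.capitalize(), word.upper()}
    forms |= {"".join(LEET.get(c, c) for c in f) for f in list(forms)}
    return {f + s for f in forms for s in SUFFIXES}

def dictionary_hit(password):
    """Return the base word the password derives from, or None.
    A plain dictionary attack is the empty-suffix, unmodified case."""
    for word in WORDLIST:
        if password in rule_variants(word):
            return word
    return None

def brute_force_keyspace(password):
    """Candidates an exhaustive search must try: alphabet size ** length,
    where the alphabet is the union of character classes actually used."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return alphabet ** len(password)

def assess(password):
    """Classify a candidate password against the three attack classes the
    post describes; returns (verdict, reason)."""
    word = dictionary_hit(password)
    if word is not None:
        return ("reject", f"derived from dictionary word '{word}' by a common rule")
    space = brute_force_keyspace(password)
    if space / GUESSES_PER_SECOND < 365 * 86400:  # crackable in under a year
        return ("reject", f"exhaustive search of {space:.2e} candidates is cheap")
    return ("accept", f"keyspace of {space:.2e} candidates")

if __name__ == "__main__":
    for pw in ["P4$$w0rd1!", "Summer123", "abc12", "correct horse battery staple"]:
        print(pw, "->", assess(pw))
```

A password that passes the brute-force estimate but sits in an attacker's wordlist (or one rule away from it) is still weak, which is why the dictionary check runs first.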
The use of these tools requires a deep understanding of security principles and a thorough understanding of the target environment, as well as a strong ethical foundation.
How do networks get exposed to exploits and vulnerabilities?
There are various ways in which networks can get exposed to exploits and vulnerabilities. Let’s name a few:
- Outdated software: Networks can become vulnerable to exploits if the software and operating systems used on the network are not kept up to date with the latest security patches and updates.
- Unsecured configurations: If networks are not configured properly, they can become vulnerable to exploitation. Using weak passwords, not using encryption, or leaving services running that are not needed can all make a network more vulnerable.
- Human error: It is actually people who are considered the weakest link in network security. They may inadvertently download malware, click on phishing links, or reuse passwords, putting the network at risk.
Employee cyber awareness training!!! I cannot stress enough the importance of training your employees on the importance of cyber security hygiene. In this day and age, companies cannot afford not to have their employees trained on basic security practices. Training should be completed during employee onboarding and should be revisited at least once a year.
The best way to test employees is by simulating phishing attacks. These often involve emails sent from within your organisation that are designed to look like legitimate messages. They include links meant to lure employees into clicking on them, and the clicks are then monitored by the security team. In this way, the company gets a better understanding of its security posture and can determine whether additional security training and education should be implemented.
A strong security posture helps an organisation minimise the likelihood and impact of cyber-attacks, reduces the risk of data breaches, and maintains the trust and confidence of customers and stakeholders.