A penetration test (pen-test) is an attempt to evaluate the overall security posture of a network in order to detect vulnerabilities that could be exploited. Pen-tests are often confused with a “vulnerability scan,” “compliance audit,” or a “security assessment.”
The difference is that a pen-test doesn’t just expose vulnerabilities, it actually exploits them in order to prove the actual attack vectors. Pen-tests are conducted by a penetration tester (PT), a skilled individual, often an independent contractor, hired to conduct a white-hat hack on a company’s network.
Many companies are reluctant to have their networks evaluated by an outside PT because of the misconception that doing so exposes them to the outside world. Such concerns are unfounded because pen-tests are conducted within boundaries set by company authorities. PTs are bound by legal limits, moral laws and professional ethics. A professional PT would never go beyond his or her agreed-upon boundaries.
Reasons for conducting a pen-test include assessing network exposure, testing defenses, meeting industry compliance standards, and often, after a security incident, determining which vectors were used to gain access to the network. When combined with a forensic analysis, the pen-test can be used to recreate the outside hack and help develop safeguards against such attacks in the future.
For a PT, no two days at the office are alike. Because of the nature of the job, one can work from anywhere — on a client’s premises or from the comfort of your home while wearing your pyjamas. You can also expect to move around frequently from your home office to the client premises — perhaps tailgating into the building in order to perform some social engineering reconnaissance.
PTs can work as a team or individually depending on circumstances. Although most of the work is pretty mundane and straightforward, many tasks require innovation, out-of-the-box thinking, and the ability to learn quickly. If you are working for a large organization, then expect to write a lot of reports, create detailed documentation, and follow certain methodologies or frameworks.
Some of the common methodologies a PT might follow include the Open Source Security Testing Methodology Manual Testing Guide, NIST’s Technical Guide to Information Security Testing and Assessment, and the Open Web Application Security Project.
As a PT, I’m frequently asked what sort of skills are needed on a daily basis. While there is no definite answer, I would say that successful pen-testing requires deep technical abilities, project management skills, creative ability, and strong analytical and writing skills.
One common challenge faced by PTs is knowing where to begin and when to stop while conducting a pen-test. Often the company you work for will grant you access to some unknown network territory and simply leave it up to you to make the right decisions.
I strongly recommend that you make sure you have all of the proper contract permissions in place before carrying out any sort of pen-test. If in doubt, it is always better to stop and seek permission than to risk violating the terms of your contract.
As to the sort of tools a PT uses in a pen-test, I personally use a lot of different ones. Some of my favorites include Nmap, Nikto, Nessus, the Metasploit framework, Burp Suite, sqlmap, OpenVAS, Cain & Abel, and Hydra. The best tool really depends on the type of testing you are conducting and the environment in which you are working.
Fortunately, most pen-test tools are open-source and freely available on the Internet. As you gain experience and programming expertise, you will create your own custom scripts or tools tailored specifically to the needs of your job.
Some of the languages I use to create my custom scripts are Python, PHP, C/C++, C#, and so forth. Kali Linux is also a great penetration testing OS that you can use; it has all of the above-mentioned tools readily available for you.
Remember to have all the needed tools in your arsenal when visiting a company to perform onsite pen-testing. External hard drives or bootable USB flash drives with the Kali OS can be handy in this regard.
Pen-testing is somewhat paradoxical — exciting and at times boring, complex yet often straightforward, innovative and structured. Like I said above, no two days are alike for a pen-tester. But still, there are basic steps and procedures that one follows when conducting a pen-test.
I, and most PTs, conduct a typical pen-test in four stages.
Step One: Planning and Reconnaissance — (The more time spent on this stage, the less time you will have to spend on the following stages.) During this stage I scout out my targets — gathering all the information and access I need from my contractor. I also do my personal active or passive reconnaissance. The tools I typically use are Nmap, Google custom search, Netcat, Maltego, and so forth.
Step Two: Vulnerability Assessment and Validation — At this stage the target systems are probed to discover vulnerabilities, and pen-testers often have to report on what they find. I like to use Nessus, Metasploit, Nikto, and OpenVAS. During this stage, I often find a few directory traversal vulnerabilities.
Step Three: Exploitation and Escalation — This is the fun stage where you try to hack into the client’s network. You have to be careful during this stage, as it is very easy for a PT to exceed what he or she is legally permitted to exploit. You usually spend the least amount of time on this stage, as you only have to hack in and validate the vulnerabilities. On my latest pen-test, I was able to easily access an unauthorized folder within the web folder directory of the target domain.
One caveat: You need to carefully schedule your pen-test. Certain systems or portions of the network should be tested only during appropriate times. You don’t want to run your test of the online payment system, for example, during peak business hours. The best way to do this is to coordinate with company officials and make certain everyone understands the issues.
Step Four: Analysis and Reporting — This is the wrap-up stage where you piece it all together. Include the information and proof of vulnerabilities you managed to capture, and then report it in a clear, comprehensible, easy-to-read format. Client companies will often provide their own template for you to follow; if not, then you can use an automated tool to help write the report. Most of the tools mentioned can easily export results to HTML and PDF formats.
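The directory traversal class mentioned in steps two and three comes down to a file handler that trusts the requested path. The following is an added example, not code from the article or from any of the tools it names: a vulnerable path resolver beside a hardened one, plus a small check that turns a list of requests into the escaped/contained findings a step-four report needs. The web root `/var/www/html` and the request strings are constructed for illustration.

```python
"""Directory traversal: an unsafe path resolver beside a hardened one.
Constructed example; the web root and request paths are hypothetical."""
import os
from typing import List, Optional, Tuple
from urllib.parse import unquote


def resolve_unsafe(web_root: str, requested: str) -> str:
    """Vulnerable: joins the request path under the web root as-is.
    '../' climbs out of the root, and an absolute path replaces it."""
    return os.path.normpath(os.path.join(web_root, requested))


def resolve_safe(web_root: str, requested: str) -> Optional[str]:
    """Hardened: percent-decode, drop leading separators (so an absolute
    request cannot replace the root), resolve symlinks and '..', and then
    require the final path to remain inside the real web root.
    Returns None when the request would escape the root."""
    root = os.path.realpath(web_root)
    rel = unquote(requested).lstrip("/\\")
    candidate = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def escapes_root(web_root: str, resolved: str) -> bool:
    """True when a resolved path lies outside the web root: the finding
    a tester would record as a directory traversal."""
    root = os.path.realpath(web_root)
    return os.path.commonpath([root, os.path.realpath(resolved)]) != root


def check_requests(web_root: str, requests: List[str]) -> List[Tuple[str, bool]]:
    """Run each constructed request through the unsafe resolver and record
    whether it escaped the root; this is the evidence for the report."""
    return [(r, escapes_root(web_root, resolve_unsafe(web_root, r))) for r in requests]


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, two traversal attempts.
    sample = ["images/logo.png", "../../etc/passwd", "/etc/passwd"]
    for req, escaped in check_requests("/var/www/html", sample):
        print(f"{req!r}: {'ESCAPES root' if escaped else 'contained'}")
```

The percent-encoded request is the case that shows why the hardened resolver decodes first: before decoding, `..%2F` is a single harmless path component.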
Penetration testing isn’t something you learn as part of your basic IT education. One must make a conscious decision to pursue this realm of IT. It takes a lot of curiosity, learning, and practice. The one thing you can do to set yourself apart from others is to add a proper certification behind your name. Some of the well-known certifications that can help you market yourself as a PT include:
- Certified Ethical Hacker (CEH)
- GIAC Penetration Tester (GPEN)
- GIAC Certified Incident Handler (GCIH)
- Certified Penetration Tester (CPT)
- Offensive Security Certified Professional (OSCP)
- Certified Information Systems Security Professional (CISSP)
To be a successful penetration tester, you have to be a self-starter. This profession requires constant self-learning to stay up to date. Keeping your skills sharp and being able to think like a hacker can help you go a long way in this field. The median starting annual salary for PTs in India is ₹365,456. It is also a great stepping stone to higher-level security positions such as Security Engineer, IT auditor, and Security Consultant.
Penetration Testing is one of the more demanding and highly rewarding IT jobs available. There are lots of openings, and demand isn’t slowing down. India currently has an enormous talent-gap in IT security.
A 2014 Parliamentary Standing Committee on IT found that there were fewer than 75,000 IT professionals with the proper training to handle cyber security issues. Current estimates are that India needs an additional five lakh cybersecurity professionals. Not every security pro will need to be a PT, but a whole lot of them will.
If you enjoy working on a team and venturing into unknown and fast-changing territory, and can think on your feet and have self-control, then you can have a very rewarding career, one that makes a difference for your clients and for yourself.