Penetration Testing For Dummies - Robert Shimonski - E-Book

Description

Target, test, analyze, and report on security vulnerabilities with pen testing Pen Testing is necessary for companies looking to target, test, analyze, and patch the security vulnerabilities from hackers attempting to break into and compromise their organizations data. It takes a person with hacking skills to look for the weaknesses that make an organization susceptible to hacking. Pen Testing For Dummies aims to equip IT enthusiasts at various levels with the basic knowledge of pen testing. It is the go-to book for those who have some IT experience but desire more knowledge of how to gather intelligence on a target, learn the steps for mapping out a test, and discover best practices for analyzing, solving, and reporting on vulnerabilities. * The different phases of a pen test from pre-engagement to completion * Threat modeling and understanding risk * When to apply vulnerability management vs penetration testing * Ways to keep your pen testing skills sharp, relevant, and at the top of the game Get ready to gather intelligence, discover the steps for mapping out tests, and analyze and report results!


Page count: 331

Publication year: 2020




Penetration Testing For Dummies®

Published by: John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030-5774, www.wiley.com

Copyright © 2020 by John Wiley & Sons, Inc., Hoboken, New Jersey

Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, For Dummies, the Dummies Man logo, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

For general information on our other products and services, please contact our Customer Care Department within the U.S. at 877-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002. For technical support, please visit https://hub.wiley.com/community/support/dummies.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2020934346

ISBN 978-1-119-57748-5 (pbk); ISBN 978-1-119-57747-8 (ebk); ISBN 978-1-119-57746-1 (ebk)

To view this book's Cheat Sheet, simply go to www.dummies.com and search for “Penetration Testing For Dummies Cheat Sheet” in the Search box.

Table of Contents

Cover

Introduction

About This Book

Foolish Assumptions

Icons Used in This Book

What You’re Not to Read

Where to Go from Here

Part 1: Getting Started with Pen Testing

Chapter 1: Understanding the Role Pen Testers Play in Security

Looking at Pen Testing Roles

Getting Certified

Gaining the Basic Skills to Pen Test

Introducing Cybercrime

What You Need to Get Started

Deciding How and When to Pen Test

Taking Your First Steps

Chapter 2: An Overview Look at Pen Testing

The Goals of Pen Testing

Scanning Maintenance

Hacker Agenda

Doing Active Reconnaissance: How Hackers Gather Intelligence

Chapter 3: Gathering Your Tools

Considerations for Your Toolkit

Nessus

Wireshark

Kali Linux

Nmap

Part 2: Understanding the Different Types of Pen Testing

Chapter 4: Penetrate and Exploit

Understanding Vectors and the Art of Hacking

Examining Types of Penetration Attacks

Cryptology and Encryption

Using Metasploit Framework and Pro

Chapter 5: Assumption (Man in the Middle)

Toolkit Fundamentals

Listening In to Collect Data

Chapter 6: Overwhelm and Disrupt (DoS/DDoS)

Toolkit Fundamentals

Understanding Denial of Service (DoS) Attacks

Buffer Overflow Attacks

Fragmentation Attacks

Smurf Attacks

Tiny Packet Attacks

Xmas Tree Attacks

Chapter 7: Destroy (Malware)

Toolkit Fundamentals

Malware

Ransomware

Other Types of Destroy Attacks

Chapter 8: Subvert (Controls Bypass)

Toolkit Fundamentals

Attack Vectors

Phishing

Spoofing

Malware

Part 3: Diving In: Preparations and Testing

Chapter 9: Preparing for the Pen Test

Handling the Preliminary Logistics

Gathering Requirements

Coming Up with a Plan

Having a Backout Plan

Chapter 10: Conducting a Penetration Test

Attack!

Looking at the Pen Test from Inside

Documenting Your Every Move

Other Capture Methods and Vectors

Assessment

Prevention

Part 4: Creating a Pen Test Report

Chapter 11: Reporting

Structuring the Pen Test Report

Creating a Professional and Accurate Report

Delivering the Report: Report Out Fundamentals

Updating the Risk Register

Chapter 12: Making Recommendations

Understanding Why Recommendations Are Necessary

Seeing How Assessments Fit into Recommendations

Networks

Systems

General Security Recommendations: All Systems

More Recommendations

Chapter 13: Retesting

Looking at the Benefits of Retesting

Understanding the Reiterative Nature of Pen Testing and Retesting

Determining When to Retest

Choosing What to Retest

Running a Pen Retest

Part 5: The Part of Tens

Chapter 14: Top Ten Myths About Pen Testing

All Forms of Ethical Hacking Are the Same

We Can’t Afford a Pen Tester

We Can’t Trust a Pen Tester

We Don’t Trust the Tools

Pen Tests Are Not Done Often

Pen Tests Are Only for Technical Systems

Contractors Can’t Make Great Pen Testers

Pen Test Tool Kits Must Be Standardized

Pen Testing Itself Is a Myth and Unneeded

Pen Testers Know Enough and Don’t Need to Continue to Learn

Chapter 15: Ten Tips to Refine Your Pen Testing Skills

Continue Your Education

Build Your Toolkit

Think outside the Box

Think Like a Hacker

Get Involved

Use a Lab

Stay Informed

Stay Ahead of New Technologies

Build Your Reputation

Learn about Physical Security

Chapter 16: Ten Sites to Learn More About Pen Testing

SANS Institute

GIAC Certifications

Software Engineering Institute

(Assorted) Legal Penetration Sites

Open Web Application Security Project

Tenable

Nmap

Wireshark

Dark Reading

Offensive Security

Index

About the Author

Advertisement Page

Connect with Dummies

End User License Agreement

List of Tables

Chapter 2

TABLE 2-1 A Risk Register

Chapter 13

TABLE 13-1 Reviewing the Risk Register for Issues to Retest

List of Illustrations

Chapter 1

FIGURE 1-1: Adding an IP range to scan.

FIGURE 1-2: Examining the OSI model.

FIGURE 1-3: Digging into a network packet capture.

FIGURE 1-4: Review a firewall log.

FIGURE 1-5: Metasploit is one tool for pen testing.

FIGURE 1-6: Use Nessus to conduct an assessment.

FIGURE 1-7: Examining a Retina CS scan.

Chapter 2

FIGURE 2-1: Sample output from Nessus.

FIGURE 2-2: Nmap is a tool you use to conduct to ping sweeps.

FIGURE 2-3: Examples of commonly used AV programs.

Chapter 3

FIGURE 3-1: Nessus output.

FIGURE 3-2: Using Nessus to scan a network router.

FIGURE 3-3: Select a scan template type.

FIGURE 3-4: Create your first Nessus scan.

FIGURE 3-5: Using Wireshark Network Analyzer.

FIGURE 3-6: Launching and using Wireshark to analyze traffic.

FIGURE 3-7: Drilling down into captured data.

FIGURE 3-8: Examining the traffic between host endpoints with Wireshark.

FIGURE 3-9: Testing FTP access with Wireshark.

FIGURE 3-10: Using tcdump on Kali Linux.

FIGURE 3-11: Explore the Kali Linux toolset.

FIGURE 3-12: Loading and using Nmap in Kali Linux.

FIGURE 3-13: Creating a network map with Nmap.

Chapter 4

FIGURE 4-1: Accessing the Kali Linux menu to begin a social engineering attack.

FIGURE 4-2: From the Toolkit menu, choose Social-Engineering Attacks.

FIGURE 4-3: Choose Website Attack Vectors from this list.

FIGURE 4-4: Cloning a site re-creates an exact replica of it.

FIGURE 4-5: The options I chose to create a clone website.

FIGURE 4-6: I set up a clone Google.com — for pen-testing purposes only!

FIGURE 4-7: The different areas of attack vectors.

FIGURE 4-8: A password crack via Metasploit.

FIGURE 4-9: Using Wireshark to capture and expose data protected by SSL.

FIGURE 4-10: Metasploit Pro’s Quick PenTest wizard.

FIGURE 4-11: Running a quick pen test with Metasploit Pro.

Chapter 5

FIGURE 5-1: Using Burp Suite for pen testing.

FIGURE 5-2: Viewing an N-tier application.

FIGURE 5-3: Using Wireshark to pen test.

FIGURE 5-4: Using Wireshark to grab packets in a sniffing operation.

FIGURE 5-5: A card skimmer on an ATM.

Chapter 6

FIGURE 6-1: Using Kali for pen testing disruption attacks.

FIGURE 6-2: Launching an attack from outside the network.

FIGURE 6-3: Using Kali T50 to send a flood attack to a host.

FIGURE 6-4: Viewing resources with the Linux top command.

FIGURE 6-5: How a distributed denial of service (DDoS) attack works.

FIGURE 6-6: How the buffer overflow attack works.

FIGURE 6-7: Use Kali’s fragroute and fragmentation6 to determine your level of ...

FIGURE 6-8: Sending malformed packets to hosts with Kali’s fragtest.

FIGURE 6-9: Using ping to generate a sweep and smurf attack.

FIGURE 6-10: Use Wireshark to identify tiny packet attacks.

Chapter 7

FIGURE 7-1: Nessus offers various scan types for pen testing destroy attacks.

FIGURE 7-2: Looking for hosts that are vulnerable to known threats.

FIGURE 7-3: A typical external vector attack with the goal of destroying a data...

FIGURE 7-4: An example of a ransomware attack.

FIGURE 7-5: An example of AV endpoint protection.

Chapter 8

FIGURE 8-1: Kali’s Information Gathering menu can help you perform subvert and ...

FIGURE 8-2: Using Nmap to launch an attack against a router/routing device scan...

FIGURE 8-3: Conducting a SYN scan to identify open ports.

FIGURE 8-4: Identifying possible hosts and ports.

FIGURE 8-5: Learning the MAC address of the scanned device and distance by netw...

FIGURE 8-6: Internal and external subvert attacks operate under the same concep...

FIGURE 8-7: Host-based AV software indicates there’s an issue requiring attenti...

FIGURE 8-8: Updating and fixing your AV.

Chapter 9

FIGURE 9-1: Use a RACI chart to identify roles and responsibilities.

FIGURE 9-2: Consult past results to help with future tests.

FIGURE 9-3: Reviewing threats on the risk register.

FIGURE 9-4: Reviewing attack vectors to devise a test plan.

FIGURE 9-5: Reviewing Nessus scan templates.

FIGURE 9-6: Tuning tools with filters for prep.

Chapter 10

FIGURE 10-1: Doing a WhoIs search to gain intel.

FIGURE 10-2: Pinging at a command prompt to get an IP address or range to scan.

FIGURE 10-3: Using Kali (Xhydra) to crack a router password.

FIGURE 10-4: A network map with IP addressing.

FIGURE 10-5: Building a network map with Nessus.

FIGURE 10-6: Building a network map with Nmap.

Chapter 11

FIGURE 11-1: An example executive summary.

FIGURE 11-2: Documenting and reporting attack vectors is part of your narrative...

FIGURE 11-3: An example of a Tools, Methods, and Vectors section.

FIGURE 11-4: Include your main findings in your report.

FIGURE 11-5: An example of a report conclusion.

Chapter 12

FIGURE 12-1: Reviewing Nessus for hardening tips.

FIGURE 12-2: A large network map.

FIGURE 12-3: Disabling unneeded services, such as telnet services.

FIGURE 12-4: Changing a default port to help secure a system.

FIGURE 12-5: Using a firewall allows you to monitor access in and out.

FIGURE 12-6: Antivirus software is still an effective way to protect devices fr...

FIGURE 12-7: Finding SMB issues on the network with Nessus.

FIGURE 12-8: Use encryption such as SSL.

FIGURE 12-9: Saving copies of logs in case a hacker interferes.

Chapter 13

FIGURE 13-1: The pen testing and retesting processes are very similar.

FIGURE 13-2: Prioritizing retesting tasks with a tier system.

FIGURE 13-3: My updated documentation to reference during the retest.

FIGURE 13-4: Using Nessus to find ways to reduce risks in web architecture.

FIGURE 13-5: Mapping a network and finding new problems.

FIGURE 13-6: Using Nmap to exploit NTP.

Chapter 14

FIGURE 14-1: A sample metric of cyber threats and their growth.

FIGURE 14-2: Wireshark’s bug fix list.

FIGURE 14-3: A schedule of tests.

Chapter 15

FIGURE 15-1: Using Kali and VMware virtualization.

FIGURE 15-2: Using a plan B alternative.

FIGURE 15-3: Creating a viable lab.

Chapter 16

FIGURE 16-1: SANS.org.

FIGURE 16-2: The GIAC GPEN certification.

FIGURE 16-3: The top ten application risks on the Open Web Application Security...

FIGURE 16-4: Downloading Nessus.

FIGURE 16-5: Gain access to Kali.

Introduction

Welcome to Penetration Testing For Dummies! It is my goal to start you down the path to learning more about pen testing and why it’s such a hot topic for anyone interested in information technology security. This book shows you how to target, test, analyze, and report on security vulnerabilities with pen testing tools.

I break down the most complex of topics into easily digestible chunks that familiarize you with the details of conducting a pen test, but also why you need to do it and how the hackers trying to access your systems are doing so. Your purpose as a pen tester is to test systems, identify risks, and then mitigate those risks before the hackers do.

It takes a person with hacking skills to look for the weaknesses that make an organization susceptible to hacking. The topics in this book aim to equip IT professionals at various levels with the basic knowledge of pen testing.

About This Book

One of my main goals in writing this book is to give you an understanding of the different attacks, vectors, vulnerabilities, patterns, and paths that hackers use to get into your network and systems. Pen testing is intended to follow those same steps, so security pros know about them (and can fix or monitor them) before the hackers do.

For this book, I use a Windows workstation and, where I must, I use Linux tools run from a virtual machine. I have chosen this setup because it is where many beginners are likely to start their pen testing journey. For this book, you can use any currently supported version of Windows (Windows 7 and above) on a device that has a network connection (wired or wireless).

A highly experienced pen tester will likely use a native Linux system like Ubuntu (as an example), but you do not need to use it now.

If you are using Linux or macOS, you can follow the same steps throughout the book with a few modifications here and there.

Foolish Assumptions

As I was writing this book, I assumed you work in IT and want to transition to security. It is the go-to book for those who have some IT experience but desire more knowledge of how to gather intelligence on a target, learn the steps for mapping out a test, and discover best practices for analyzing, solving, and reporting on vulnerabilities.

You might have an entry-level or junior position, or you might be a manager or director, with more experience but coming from a different area of expertise. Either way, you want to know more about how pen testing fits into the big picture. As such, you’ll find that I explain even simple concepts to clarify things in the context of penetration testing and overall security.

Icons Used in This Book

Throughout the book, I use various icons to draw your attention to specific information. Here’s a list of those icons and what they mean.

This icon highlights pointers where I provide an easier way of doing something or info that can save you time. This icon points to content you definitely don’t want to miss, so be sure to read whatever’s next to it.

When you see this icon, you know it’s next to information to keep in mind — or something I’ve discussed elsewhere, and I’m reminding you of it. It’s often advice to help keep you out of trouble.

Pay close attention to this icon, which I use to point out pitfalls to avoid or where doing something (or not doing something) could land you in legal trouble (like pen testing something you don’t have permission to test).

Sometimes I provide particularly sticky details about an issue, which can get technical and which may not be of interest (or help). You could ignore any text marked with this icon, and you won’t miss it a whit.

What You’re Not to Read

This book is written so you aren’t required to read it beginning to end. If you’re familiar with the basics of penetration testing, for example, you can probably skip the first part. You can skip Part 2 if you feel you have a pretty good handle on attack types and various pen testing tools. Technical Stuff icons are truly technical pieces of information that I file under “nice to know” — skip those, as well, if you’re looking for need-to-know content only.

Where to Go from Here

If you’re truly new to the world of penetration testing, I recommend you begin with Chapter 1 and read from there. Readers with a grasp on pen testing fundamentals — what it is, the role of the pen tester, types of hackers, types of attacks, and so on — but who want to hone their testing and/or reporting skills, for example, can go straight to Parts 3 and 4, respectively.

Looking for information about a particular tool or attack? Use the Table of Contents or Index to find where I cover that thing and go straight to that discussion. More advanced readers might want to read only those sections that cover any area they need to bone up on.

Of course, I recommend Chapters 15 and 16 for everyone because continual learning is so important to becoming and remaining an excellent pen tester.

You can also find more pen testing topics on the book’s cheat sheet, such as pen testing terminology and specific certifications you’ll find useful in your career. Go to dummies.com and search for “Pen Testing For Dummies cheat sheet” to find it.

The more you study, read, and work in the field, the more you’ll learn as your journey continues. You can eventually build a really good understanding of it … but by then, the technology will have changed many times! Becoming a pen tester is a true commitment: a journey of lifelong learning and study that can be very rewarding and exciting as you progress.

Part 1

Getting Started with Pen Testing

IN THIS PART …

Dive into the world of pen testing by exploring the skills and certifications necessary to get started.

Learn what kind of hackers there are, what goals you’ll have as a pen tester, and the basics of scan maintenance.

Build your pen testing toolkit.

Chapter 1

Understanding the Role Pen Testers Play in Security

IN THIS CHAPTER

Exploring pen testing positions

Discovering what tests and certs you need for pen testing

Understanding what skills are necessary for pen testing

Considering cybercrime

Doing your first pen test

Penetration (or pen, for short) testing is one of the hottest up and coming skills any IT professional needs to have. As more and more technology takes over our world, the need to ensure it’s safe and secure is at the forefront. Companies are actively looking for professionals with a background in IT security and the ability to do penetration testing.

As a pen tester, you need a solid understanding of how an attacker can access your systems and how they can conduct attacks. Not to fear, I walk you through these attacks and the mind of the hacker. You have to truly think like a hacker to be a good pen tester, which is why pen testers are called white hats, grey hats, or ethical hackers; I explain these terms in more depth in Chapter 2.

I also lay out everything you need to know about security vulnerabilities and introduce you to the tools, techniques, and skills that today’s most elite pen testers use on a daily basis to conduct penetration tests that keep their company’s assets safe.

I get to all that and more throughout the book, but in this chapter, I cover the basics, starting with what roles a pen tester can hold in a company. I move from there into the importance of getting certified and what skills are required. I end the chapter with a couple sections that can set you on the path to becoming a competent and sought-after pen tester.

Looking at Pen Testing Roles

The security arena has myriad names applied to anyone who does good or bad security stuff. If you’re new to pen testing, all that can be highly confusing. To clear up any and all confusion on the matter, I dedicate this section to describing the good guys who do pen testing and what roles you might have as a pen tester. (See Chapter 2 for a breakdown of the baddies.)

The pen tester’s role is to penetrate and to ethically hack to find weaknesses within a company’s IT security program. Securing the weaknesses might be someone else’s responsibility. You may or may not be responsible for making recommendations based on the weaknesses you uncover, but I discuss that task in Chapter 12.

You must have permission to conduct penetration testing if you don’t work in the field or for a company hired to conduct it. Even if you’re hired to pen test an organization’s security, you likely still need permission for certain types of pen testing activities. See Chapter 9 for more on that issue.

Crowdsourced pen testers

As big data grows as a concept and more and more systems grow in complexity and size, especially as companies move into cloud architecture and outsourced solutions, there is a need to leverage additional resources to stay on top of all the latest risks, issues, and threats. As more and more systems join massive compute models and virtualized systems are used in new architectural models, the global community of good guys (white hat hackers) can bring a wide array of benefits to the table.

Crowdsourcing is a model in which pen testing is done by a group of enthusiasts (who may also be experts) who test enterprise-managed systems in much the same way a consulting group would. For example, a crowdsourced pen test group may be contracted to run the same types of attacks against you that a consultant would and report on its findings.

Crowdsourced pen testing is no different than any other crowdsourced solution. You’re using multiple resources to conduct your tasks to get a better outcome by leveraging a large pool of resources, knowledge, and abilities. But if you’re concerned about privacy and legal exposure, go with a consultant.

You can find crowdsourcers at sites such as www.hackerone.com. Join and offer your services or find pen testers to help you out with a project.

In-house security pro

Pen testers generally work in the field either as in-house security operations staff or as consultants for hire (which I discuss in the next section). Large companies and government agencies generally employ in-house operations engineers who conduct pen tests for the business they work for.

Smaller organizations can’t always afford to keep staff of this kind, and they often don’t have enough work to keep them busy. Sometimes conducting pen tests isn’t a dedicated position but is a task given to a systems administrator, a network engineer, or other IT professional in the organization.

An in-house employee who’s dedicated to securing the organization’s interests, assets, and reputation is often called a security analyst. This is someone employed full-time by a company, firm, or business (public, private, non-profit, government, military, or otherwise) who is responsible for providing security services. That’s a broad term for what can be a very detailed role spanning a variety of security functions, the skills they require, and the tools they use.

Depending on the organization and the exact role, security analysts might have many other names, such as these (not a complete list):

Chief Information Security Officer (CISO)

Security architect

Security engineer

Security operations staff

Risk analyst

Forensics technician

Security practitioner

These are obviously more specialized roles within security, but they all work with security, and they all analyze security to some degree.

Generally, to become a good security analyst you need to absorb, learn, or train in many other areas so you have a holistic view of the enterprise you are charged with securing. I discuss what you need to know in the later section, “Gaining the Basic Skills to Pen Test.”

Security consultant

You can hire a consultant to conduct a pen test for you or your firm. Consultants are for hire either as independent contractors or as part of firms you can hire. This may save you time and money in the future.

Consultants at times work for firms that specialize in security or provide security services under a contract. This means that they can scan remotely (externally) or come onsite to scan internally and do more intrusive testing. Either way, consultants let a smaller organization retain top talent at a reasonable price and still get the services it needs to stay current and secure. This route also gives those entering the field of pen testing an opportunity to gain employment through a company or a contract to conduct security services.

Getting Certified

Professional organizations and vendors both offer industry standard, generalized and specialized certification programs, as well as those based on specific vendor tools. Some of them mix the two.

For example, one of the biggest and most focused pen testing certifications on the market today is CompTIA’s PenTest+ certification. Although it covers general topics on pen testing, it also goes in depth on the tools you use the most. There are also other certifications, such as the CEH (Certified Ethical Hacker) and the SANS GIAC Penetration Tester certification (covered in Chapter 16).

You can also start with general security certifications such as the CompTIA Security+ or the ISC2 CISSP.

It would also benefit you to learn how to write and submit reports and present your findings. I cover these topics in detail in Part 4.

Gaining the Basic Skills to Pen Test

You’re going to need a wide variety of skills throughout your pen testing career, but the biggest (or most important) skills to have are in the realm of networking and general security, which I discuss in this section.

TAKING A HOLISTIC VIEW OF SECURITY

Having an understanding of an organization’s business model and industry will enable you to take a holistic approach to security practices. Gaining that holistic view may require programming, network engineering, and system engineering, as well as understanding endpoints, desktops, storage, and many other systems and services. This doesn’t mean you can’t practice security if you don’t have all these other skills, but it definitely makes a difference on your ability to strategize and lead a security effort, and/or be able to respond to security threats, breaches, and attacks with better efficiency.

Security viewed holistically is also known as defense in depth. Confidentiality, integrity, and availability (the CIA triad) are what defense in depth protects, and pen testing helps verify that protection; together these make up the holistic view of practicing security in an organization.

To be able to conduct a pen test with any amount of confidence, the more you know about security and network architecture, the better. For example, to run a basic pen test, you need to enter a network address or subnet range in your scanning tool.

You also need to know the difference between vulnerability scanning and pen testing: how they’re similar and how they differ. Figure 1-1 shows the basics of setting up an IP addressing range to scan and identify vulnerabilities. After you know the risks and weaknesses, you can move into the details of how to exploit (pen test) what has been found so you can learn whether the technology is secured.

FIGURE 1-1: Adding an IP range to scan.
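Before a range like the one in Figure 1-1 goes into a scanner, it is worth checking that every address lies inside the ranges the engagement actually authorized (recall the permission requirement earlier in this chapter). The following is an added example of that check, not code from the book; the authorized ranges, the exclusions and the requested targets are constructed sample values.

```python
"""Check a scan target list against the authorized scope.

Added example (not from the book). The authorized ranges, the exclusions
and the requested targets are constructed sample values (assumptions).
"""
import ipaddress

# Constructed: the ranges the rules of engagement authorize.
AUTHORIZED_SCOPE = ["192.0.2.0/24", "198.51.100.16/28"]
# Constructed: hosts inside those ranges that must not be scanned
# (for example a production gateway the client carved out).
EXCLUSIONS = ["192.0.2.1", "192.0.2.250"]


def parse_target(text):
    """Accept a single host, a CIDR block, or a dashed range
    (a.b.c.d-e.f.g.h, or a.b.c.d-e for the last octet) and return the
    networks that cover it."""
    text = text.strip()
    if "-" in text:
        start_s, end_s = (part.strip() for part in text.split("-", 1))
        start = ipaddress.ip_address(start_s)
        if "." not in end_s and start.version == 4:
            # shorthand like 192.0.2.10-20: reuse the first three octets
            end_s = ".".join(start_s.split(".")[:3] + [end_s])
        end = ipaddress.ip_address(end_s)
        if end < start:
            raise ValueError("range end precedes start: %s" % text)
        return list(ipaddress.summarize_address_range(start, end))
    # strict=False lets "192.0.2.10/24" be read as its containing block
    return [ipaddress.ip_network(text, strict=False)]


def check_scope(targets, authorized=AUTHORIZED_SCOPE, exclusions=EXCLUSIONS):
    """Split the requested targets into in-scope and out-of-scope networks.

    A network is in scope only if it lies entirely inside one authorized
    range and touches no excluded host; anything else goes back to the
    client for clarification before it goes near a scanner."""
    auth_nets = [ipaddress.ip_network(a) for a in authorized]
    excl_nets = [ipaddress.ip_network(e) for e in exclusions]
    in_scope, out_of_scope = [], []
    for target in targets:
        for net in parse_target(target):
            covered = any(net.version == a.version and net.subnet_of(a)
                          for a in auth_nets)
            excluded = any(net.version == e.version and net.overlaps(e)
                           for e in excl_nets)
            bucket = in_scope if covered and not excluded else out_of_scope
            bucket.append(str(net))
    return in_scope, out_of_scope


if __name__ == "__main__":
    ok, rejected = check_scope(["192.0.2.10-20", "198.51.100.16/28",
                                "192.0.2.250", "203.0.113.5"])
    print("in scope:", ok)
    print("out of scope (do not scan):", rejected)
```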

It’s also crucial to understand IP, protocols, networking, and other technologies related (and not directly related) to security analysis, because once weaknesses are identified (perhaps with a scan), you can move to exploit them (pen test) no matter what technology you’re presented with (databases, mainframes, or virtualized systems, for example).

In the following sections, I outline what knowledge you need to be a successful pen tester.

No stone is left unturned as a pen tester, and what you need to expect is everything and anything. You are tested just as much as the systems you’re testing. Additionally, criminal activity isn’t confined to computers. The Internet of Things (IoT) is an ever-expanding network of connected devices that includes, but is not limited to, tablets, phones, and smart-home devices such as TVs and thermostats. You may not encounter all those devices working as a professional pen tester in the corporate world, but you need to be aware of all connected devices. And when you’re pen testing, take time to find out which devices could be affected, such as mobile devices and assets used by field staff.

Also be aware of a hacker’s reconnaissance procedures. Hackers often begin attacks by using general research techniques, such as Internet searches that point a hacker in a direction, to learn more about accessing your company. For example, a simple Whois search might provide an address. A DNS search or query could provide a clue. Google searches may help to identify paths of attack, URLs, domain names, IPs, email addresses, and more. See Chapter 2 for more about reconnaissance.

Basic networking

Basic networking includes, but is not limited to, understanding the OSI (Open Systems Interconnection) model. Knowing how data transits from one location (a sender) to another (a receiver) is key to being able to unwind how many attacks occur.

It also includes knowing how routers, switches, hubs, load balancers, firewalls, intrusion prevention devices, and other network black boxes on the wire work. (Black-box security testing refers to testing software security from the outside in. Generally, the tester has little or no knowledge of the internal workings.) If you pen test a router, you need to know how it operates.

The TCP/IP protocol suite also falls under basic networking knowledge. The Transmission Control Protocol (TCP) and Internet Protocol (IP) control how computers connect to the Internet. The suite includes many of the protocols in the 7-layer OSI model. The Open Systems Interconnection (OSI) model is used as a logical framework to show how data travels from the source to the destination and back to the source through the many technologies that comprise the network, systems, and applications. It’s a model of standards that shows the under-the-hood actions of the technologies at each layer. Figure 1-2 shows an example of the OSI model.

FIGURE 1-2: Examining the OSI model.

The protocols used in a suite (such as TCP/IP) map to the various layers of the model and perform different functions. For example, FTP operates at a higher layer in the model than TCP or IP. The theory is that, if the lower layers don’t work, then the higher-layer protocols won’t operate correctly. The OSI model allows you to troubleshoot problems in a workflow manner.

Figure 1-3 shows a packet capture taken off the wire with a tool such as Wireshark; it contains much of the information you need to read through to conduct a pen test. Here you can see packets that, once captured, can be decoded to tell you the details within them.

Having knowledge of these protocols, how and where they operate, and what is contained in the frames, headers, and other inner details of the packet is what will make you a great pen tester. If you run a pen test and it reports back, for example, that you have a vulnerability in telnet that’s sending packets back and forth in cleartext, you need to determine what path a hacker may take. You can more easily make that determination if you know how the protocols work and what is expected behavior and what can be manipulated versus what could be impacted by a software bug. This way, you can test it yourself first to identify whether you have an issue that might need to be remediated or mitigated.

I highly recommend that you study more on TCP/IP. It’s the main protocol suite in use today across the world; when it was first put into production many years ago, it came with many flaws. Its ease of use is one of the biggest, along with the fact that security was an afterthought behind usability. That said, today’s networks and systems can account for these flaws, but there is always danger in the shadows. Study TCP/IP and all of its sub-protocols and how they work to get better at testing weaknesses in your enterprise.

FIGURE 1-3: Digging into a network packet capture.
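To show what decoding a captured packet layer by layer looks like, and how a cleartext telnet finding such as the one mentioned above is spotted, here is an added example (not code from the book). It builds a constructed Ethernet/IPv4/TCP frame with a telnet-style payload, unpacks each header in turn, and flags application data sent over a port that offers no encryption; the addresses, ports and payload are all made up.

```python
import struct
from typing import Optional

# Constructed sample frame (not a real capture): Ethernet II / IPv4 / TCP / telnet-style payload.
# Checksums are left as zero; this decoder does not validate them.
def build_sample_frame() -> bytes:
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    payload = b"login: admin\r\n"
    # src port, dst port 23 (telnet), seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40321, 23, 1000, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # version 4 / IHL 5, TOS, total length, ID, DF flag, TTL, protocol 6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return eth + ip + tcp + payload

def decode_frame(frame: bytes) -> dict:
    """Peel the layers the way Wireshark does: Ethernet -> IPv4 -> TCP -> application data."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are handled in this example")
    ip_start = 14
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frame[ip_start:ip_start + 20])
    if proto != 6:
        raise ValueError("only TCP is handled in this example")
    tcp_start = ip_start + (ver_ihl & 0x0F) * 4          # IHL is in 32-bit words
    sport, dport, _, _, off_res, flags, _, _, _ = struct.unpack(
        "!HHIIBBHHH", frame[tcp_start:tcp_start + 20])
    payload_start = tcp_start + (off_res >> 4) * 4       # TCP data offset, also in words
    payload = frame[payload_start:ip_start + total_len]  # ignore any Ethernet padding
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl,
            "sport": sport, "dport": dport, "flags": flags, "payload": payload}

# Services that carry credentials and data without encryption (assumed list for this example).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}

def cleartext_finding(pkt: dict) -> Optional[str]:
    """Describe a finding when application data is carried over a port that offers no encryption."""
    name = CLEARTEXT_PORTS.get(pkt["dport"])
    if name and pkt["payload"]:
        return (f"{name} cleartext from {pkt['src']}:{pkt['sport']} "
                f"to {pkt['dst']}:{pkt['dport']}: {pkt['payload']!r}")
    return None
```

Running `cleartext_finding(decode_frame(build_sample_frame()))` reports the telnet login prompt crossing the wire unencrypted, which is the kind of observation a Wireshark decode lets you confirm before writing it up.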

General security technology

Firewalls fall into the general security technology category. Most scans against devices such as a firewall turn up little to no information. Knowing why is helpful to your report. For example, in a ping sweep, you ping the interface and find nothing because the firewall has disabled the protocol that would respond.

Figure 1-4 shows a Cisco router firewall log that lists the source and destination IP addresses used to make each connection as well as a description of what that connection did.

Another example is when you run a scan and find open ports on a web server in a DMZ behind a firewall that shouldn’t be open. By examining the log of the firewall that sits in front of these servers, you can see the source IP address that’s attempting to make those connections. You can detail it as an active attack and prioritize it immediately to patch or fix.

Other general yet important technologies to consider would be devices such as intrusion prevention and detection systems, load balancers, access control lists (ACLs) on routers and wireless access points, controllers, and mobile extenders. Every one of these devices can be exploited, and the more you know about them and how to review the logs on them, the better you are at identifying risks and conducting ethical hacking.

FIGURE 1-4: Review a firewall log.
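The firewall log review described above, worked through as an added example that is not from the book: it parses constructed log lines in a simplified Cisco-style "Built inbound connection" format (not any real device's exact syntax), compares each destination port against an assumed allow-list for the DMZ web servers, and ranks source addresses by how many disallowed ports they touched so the finding can be prioritized.

```python
import re
from collections import Counter, defaultdict

# Constructed firewall log lines in a simplified Cisco-style format (not a real device's output).
SAMPLE_LOG = """\
Apr 01 10:15:02 fw1 Built inbound TCP connection for outside:203.0.113.5/51234 to dmz:192.0.2.20/443
Apr 01 10:15:03 fw1 Built inbound TCP connection for outside:203.0.113.5/51235 to dmz:192.0.2.20/80
Apr 01 10:15:09 fw1 Built inbound TCP connection for outside:198.51.100.7/40001 to dmz:192.0.2.20/3389
Apr 01 10:15:10 fw1 Built inbound TCP connection for outside:198.51.100.7/40002 to dmz:192.0.2.20/1433
Apr 01 10:15:11 fw1 Built inbound TCP connection for outside:198.51.100.7/40003 to dmz:192.0.2.20/22
Apr 01 10:15:20 fw1 Built inbound TCP connection for outside:203.0.113.9/52000 to dmz:192.0.2.21/443
"""

# What the DMZ web servers are supposed to expose (assumed policy, constructed for this example).
ALLOWED_PORTS = {"192.0.2.20": {80, 443}, "192.0.2.21": {443}}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ Built inbound (?P<proto>\w+) connection for "
    r"\w+:(?P<src>[\d.]+)/(?P<sport>\d+) to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)$"
)

def parse_log(text):
    """Yield one dict per parseable 'Built' line; lines in any other format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["dport"] = int(entry["dport"])
            yield entry

def unexpected_connections(text, allowed=ALLOWED_PORTS):
    """Map each source IP to the sorted (destination, port) pairs that policy does not allow."""
    hits = defaultdict(set)
    for conn in parse_log(text):
        if conn["dport"] not in allowed.get(conn["dst"], set()):
            hits[conn["src"]].add((conn["dst"], conn["dport"]))
    return {src: sorted(pairs) for src, pairs in hits.items()}

def prioritize(text):
    """Rank sources by the number of disallowed ports touched; a spread of ports reads as active probing."""
    counts = Counter({src: len(pairs) for src, pairs in unexpected_connections(text).items()})
    return counts.most_common()
```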

Systems infrastructure and applications

You must also be familiar with a company’s systems (servers, storage, and telecommunications) and the applications that run on them. This includes operating systems and the services they offer (name resolution services, remote access gateways, and IP address leasing). Pen testing any and all of these areas will show up on your reports.

If you run a scan on a Domain Name System (DNS) server, you may find that it needs to be patched. If the server is a Microsoft Windows Server system, you may be able to download needed patches and apply them based on the report. You may also be running a UNIX or Linux system running BIND, which is a DNS name daemon or service. Either way, both may show up on your report as needing attention. Knowing what they are can help you to direct attention towards not only how to repair them, but also which must be prioritized immediately.

Web applications and web programming are also major areas that are exposed to vulnerabilities based on the logic needed to keep them running. Database servers running the Structured Query Language (SQL) may be subject to injection attacks. Operating systems that the services and applications run on also remain open to attack and need to be scanned and patched.

Mobile and cloud

Mobile technology is also a must-know endpoint technology, one that is quickly replacing desktops and other devices. Mobile devices also travel to and from locations and absolutely must be addressed, whether the devices are company assets or company software and data are used on a personal device. There are challenges with these devices, which mobile device management (MDM) solutions help overcome.