So, you decided to conduct penetration testing. Do you want to discover vulnerabilities before a hacker exploits them? Are you already aware of network vulnerabilities, but need an authority to testify that your network security needs additional investments? Or does your company need penetration testing services to comply with a certain security regulation?
No matter the reasons for penetration testing, it is useful to become pentest-savvy to assess the vendor before and after the penetration testing. Below, you’ll find a guide that encompasses best practices to be implemented before, during and after network penetration testing.
This section lists the activities to pay attention to before a penetration testing.
- Define the scope. Regardless of the penetration testing type, state the number of networks, the range of IP addresses within one network, subnets, and computers to avoid any misunderstanding. Otherwise, pentesters might leave some network systems unattended or, what’s worse, hack some third party. Oops.
- Define the time frame. Penetration testing should not disrupt your company’s everyday business operations. Imagine if a pentester used a technique involving heavy network traffic. If used at high-peak times, it will overload the network and lead to its crash.
- Decide if you want your information security and technical stuff to be in the know. There’s no bright line rule here. Unannounced penetration testing is good to assess the response of your security and technical teams. Yet, they may slow down the process or even block it, for example, by cutting access from the internet for pentesters.
- Expect a “get out of jail free” statement from the vendor. This document protects providers of penetration testing services, so don’t be suspicious about signing one. What penetration testers do is breaking into someone else’s network, which, per se, is illegal. The “get out of jail free” statement specifies that all pentester’s operations are permitted and the customer is authorized to give permission.
This section covers best practices followed by pentesters while conducting network penetration testing. This knowledge helps customers to understand whether a certain penetration testing vendor provides the service of a decent quality.
- Gather as much customer information as possible. Pentesters use the customer’s website, WHOIS databases, and web search engines. Netcraft offers an online data mining service that monitors the web and provides datasets of visible hosts.
- Conduct a network survey. This process provides pentesters with domain and server names, the range of IP addresses owned by the organization, information about closed and open network ports, running OS and services. There is an array of open source, as well as commercial tools available for network survey, most popular being Nmap, Zmap, DirBuster, Burp Suite, and Metasploit.
- Determine existing vulnerabilities. At this stage, pentesters scan the network looking for vulnerabilities to use for a penetration attempt. Vulnerability scanning can be automated and manual. A combo of the two methods boosts the effectiveness of the process considerably. Automated scanning tools, such as Nessus, quickly cover a lot of ground but produce a high degree of false positives and false negatives (vulnerabilities are falsely identified or unidentified at all). So, automation should be followed by manual checking.
- Identify suitable targets. Penetration testing is always conducted within the timeframe set by the customer. So, out of the pool of vulnerable network targets, it’s essential to choose the proper ones not to waste time and effort doing unnecessary tasks. For example, a network consists of 1000 machines, and pentesters have already determined that most of the machines are staff PCs with only 20 servers. It’s sensible to choose the servers as the primary targets for penetration testing. Very often the task of finding proper targets is simplified, as the names of machines reflect their purpose (for example, Int_Surf for a computer performing Internet surfing).
- Attempt penetration. To exploit vulnerabilities, pentesters use standard tools, such as Metasploit, Burp Suite, or Wireshark. These tools categorize vulnerabilities based on the severity. This helps to provide a customer with the report that accentuates the vulnerabilities to be fixed immediately. However, to test the network at realistic threat levels, pentesters need to customize standard tools and to employ custom built exploits.
A common practice at this stage is to use password cracking methods. Password cracking methods are a dictionary attack (use of a dictionary file), a brute-force attack (trying all possible password combinations) and a hybrid attack (a combination of both).
Additionally, pentesters may resort to social engineering. This technique involves interaction with the customer’s staff to fish out for critical information, for example, credentials.
Network penetration, as such, is over. But the penetration testing procedure isn’t. Two important stages are left: report generation and cleaning up.
- Report generation. A well-structured report is a helping hand in risk management. Customers should expect it to start with an overview of the penetration testing process followed by the most critical network vulnerabilities that need to be addressed in the first place. Afterwards, less critical vulnerabilities should be highlighted.
- Cleaning up. Pentesters’ code of practice doesn’t allow them to leave any surprises (backdoors) in the customer’s network. To keep it clean, pentesters should maintain a detailed record of all actions performed throughout the stages of penetration testing. Still, double checking by the customer’s security staff isn't a bad idea.
No Single Effective Scenario
Reliable vendors of penetration testing services know too well that there is no one-size-fits-all penetration testing scenario. Choose those who not only follow the guide above but also customize the best practices for a particular customer’s network.