Tech Guides - Penetration Testing

A rise in multiple cyber-attacks and the lack of knowledge and defenses to tackle them has made it extremely important for companies to use ethical hacking to combat hackers. While Black Hat hackers use their skills for malicious purposes to defraud high-profile companies or personalities, Ethical Hackers or White Hat hackers use the same techniques (penetration testing, different password cracking methods or social engineering) to break into a company’s cyber defense but to help companies fix these vulnerabilities or loose ends to strengthen their systems. Ethical hackers are employed directly by the company’s CTO or the management with a certain level of secrecy without the knowledge of the staff or other cybersecurity teams. Ethical hacking can also be crowdsourced through bug bounty programs (BBP) and via responsible disclosure (RP). There are multiple examples in just the past couple of years where ethical hackers have come to the rescue of software firms to avert a crisis that would have potentially incurred the organizations huge losses and put their product users in harm’s way. 10 instances where ethical hackers saved the day for companies with software vulnerabilities 1. An ethical hacker accessed Homebrew’s GitHub repo in under 30 minutes On 31st July 2018, Eric Holmes, a security researcher reported that he could easily gain access to Homebrew’s GitHub repo. Homebrew is a popular, free and open-source software package management system with well-known packages like node, git, and many more, and also simplifies the installation of software on macOS. Under 30 minutes, Holmes gained access to an exposed GitHub API token that opened commit access to the core Homebrew repo; thus, exposing the entire Homebrew supply chain. On July 31, Holmes first reported this vulnerability to Homebrew’s developer, Mike McQuaid. Following which, McQuaid publicly disclosed the issue on Homebrew blog on August 5, 2018. After receiving the report, within a few hours the credentials had been revoked, replaced and sanitized within Jenkins so they would not be revealed in the future. In a detailed post about the attack invasion on Medium, Eric mentioned that if he were a malicious actor, he could easily make a small unnoticed change to the openssl formulae, placing a backdoor on any machine that installed it. 2. Zimperium zLabs security researcher disclosed a critical vulnerability in multiple high-privileged Android services to Google In mid-2018, Tamir Zahavi-Brunner, Security Researcher at Zimperium zLabs, informed Google of a critical vulnerability affecting multiple privileged Android services. This vulnerability was found in a library, hidl_memory, introduced specifically as part of Project Treble and does not exist in a previous library which does pretty much the same thing. The vulnerability was in a commonly used library affecting many high-privileged services. The hidl_memory comprises of: mHandle (HIDL object which holds file descriptors, mSize (size of the memory to be shared), mName (represents the type of memory). These structures are transferred through Binder in HIDL, where complex objects (like hidl_handle or hidl_string) have their own custom code for writing and reading the data. Transferring structures via 64-bit processes cause no issues, however, this size gets truncated to 32 bit in 32-bit processes, so only the lower 32 bits are used. So if a 32-bit process receives a hidl_memory whose size is bigger than UINT32_MAX (0xFFFFFFFF), the actually mapped memory region will be much smaller. Google designated this vulnerability as CVE-2018-9411 and patched it in the July security update (2018-07-01 patch level), including additional patches in the September security update (2018-09-01 patch level). Brunner later published a detailed post explaining technical details of the vulnerability and the exploit, in October 2018. 3. A security researcher revealed a vulnerability in a WordPress plugin that leaked the Twitter account information of users Early this year, on January 17, a French security researcher, Baptiste Robert, popularly known by his online handle, Elliot Alderson found a vulnerability in a WordPress plugin called Social Network Tabs. This vulnerability was assigned with the vulnerability ID- CVE-2018-20555  by MITRE. The plugin leaked a user’s Twitter account info thus exposing the personal details to be compromised. The plugin allowed websites to help users share content on social media sites. Elliot informed Twitter of this vulnerability on December 1, 2018, prompting Twitter to revoke the keys, rendering the accounts safe again. Twitter also emailed the affected users of the security lapse of the WordPress plugin but did not comment on the record when reached. 4. A Google vulnerability researcher revealed an unpatched bug in Windows’ cryptographic library that could take down an entire Windows fleet On June 11, 2019, Tavis Ormandy, a vulnerability researcher at Google, revealed a security issue in SymCrypt, the core cryptographic library for Windows. The vulnerability could take down an entire Windows fleet relatively easily, Ormandy said. He reported the vulnerability on March 13 on Google’s Project Zero site and got a response from Microsoft saying that it would issue a security bulletin and fix for this in the June 11 Patch Tuesday run. Further on June 11, he received a message from Microsoft Security Response Center (MSRC) saying “that the patch won’t ship today and wouldn’t be ready until the July release due to issues found in testing”. Ormandy disclosed the vulnerability a day after the 90-day deadline elapsed. This was in line with Google’s 90 days deadline for fixing or publicly disclosing bugs that its researchers find. 5. Oracle’s critical vulnerability in its WebLogic servers On June 17, this year, Oracle published an out-of-band security update that had a patch to a critical code-execution vulnerability in its WebLogic server. The vulnerability was brought to light when it was reported by the security firm, KnownSec404. The vulnerability tracked as CVE-2019-2729, has received a Common Vulnerability Scoring System score of 9.8 out of 10. The vulnerability was a deserialization attack targeting two Web applications that WebLogic appears to expose to the Internet by default—wls9_async_response and wls-wsat.war. 6. Security flaws in Boeing 787 Crew Information System/Maintenance System (CIS/MS) code can be misused by hackers At the Black Hat 2019, Ruben Santamarta, an IOActive Principal Security Consultant in his presentation said that there were vulnerabilities in the Boeing 787 Dreamliner’s components, which could be misused by hackers. The security flaws were in the code for a component known as a Crew Information Service/Maintenance System. Santamarta identified three networks in the 787, the Open Data Network (ODN), the Isolated Data Network (IDN), and the Common Data Network (CDN). Boeing, however, strongly disagreed with Santamarta’s findings saying that such an attack is not possible and rejected Santamarta’s “claim of having discovered a potential path to pull it off.” He further highlighted a white paper released in September 2018 that mentioned that a publicly accessible Boeing server was identified using a simple Google search, exposing multiple files. On further analysis, the exposed files contained parts of the firmware running on the Crew Information System/Maintenance System (CIS/MS) and Onboard Networking System (ONS) for the Boeing 787 and 737 models respectively. These included documents, binaries, and configuration files. Also, a Linux-based Virtual Machine used to allow engineers to access part of the Boeing’s network access was also available. A reader on Bruce Schneier’s (public-interest technologist) blog post argued that Boeing should allow SantaMarta’s team to conduct a test, for the betterment of the passengers, “I really wish Boeing would just let them test against an actual 787 instead of immediately dismissing it. In the long run, it would work out way better for them, and even the short term PR would probably be a better look.” Boeing in a statement said, "Although we do not provide details about our cybersecurity measures and protections for security reasons, Boeing is confident that its airplanes are safe from cyberattack.” Boeing says it also consulted with the Federal Aviation Administration and the Department of Homeland Security about Santamarta's attack. While the DHS didn't respond to a request for comment, an FAA spokesperson wrote in a statement to WIRED that it's "satisfied with the manufac­turer’s assessment of the issue." Santamarta's research, despite Boeing's denials and assurances, should be a reminder that aircraft security is far from a solved area of cybersecurity research. Stefan Savage, a computer science professor at the University of California at San Diego said, "This is a reminder that planes, like cars, depend on increasingly complex networked computer systems. They don't get to escape the vulnerabilities that come with this." Some companies still find it difficult to embrace unknown researchers finding flaws in their networks. Companies might be wary of ethical hackers given these people work as freelancers under no contract, potentially causing issues around confidentiality and whether the company’s security flaws will remain a secret. As hackers do not have a positive impression, the company fails to understand it is for their own betterment. 7. Vulnerability in contactless Visa card that can bypass payment limits On July 29 this year, two security researchers from Positive Technologies, Leigh-Anne Galloway, Cyber Security Resilience Lead and Tim Yunusov, Head of banking security, discovered flaws in Visa contactless cards, that can allow hackers to bypass the payment limits. The researchers added that the attack was tested with “five major UK banks where it successfully bypassed the UK contactless verification limit of £30 on all tested Visa cards, irrespective of the card terminal”. They also warned that this contactless Visa card vulnerability can be possible on cards outside the UK as well. When Forbes asked Visa about this vulnerability, they weren’t alarmed by the situation and said they weren’t planning on updating their systems anytime soon. “One key limitation of this type of attack is that it requires a physically stolen card that has not yet been reported to the card issuer. Likewise, the transaction must pass issuer validations and detection protocols. It is not a scalable fraud approach that we typically see criminals employ in the real world,” a Visa spokesperson told Forbes. 8. Mac Zoom Client vulnerability allowed ethical hackers to enable users’ camera On July 9, this year, a security researcher, Jonathan Leitschuh, publicly disclosed a vulnerability in Mac’s Zoom Client that could allow any malicious website to initiate users’ camera and forcibly join a Zoom call without their authority. Around 750,000 companies around the world who use the video conferencing app on their Macs, to conduct day-to-day business activities, were vulnerable. Leitschuh disclosed the issue on March 26 on Google’s Project Zero blog, with a 90-day disclosure policy. He also suggested a ‘quick fix’ which Zoom could have implemented by simply changing their server logic. Zoom took 10 days to confirm the vulnerability and held a meeting about how the vulnerability would be patched only 18 days before the end of the 90-day public disclosure deadline, i.e. June 11th, 2019. A day before the public disclosure, Zoom had only implemented the quick-fix solution. Apple quickly patched the vulnerable component on the same day when Leitschuh disclosed the vulnerability via Twitter (July 9). 9. Vulnerabilities in the PTP protocol of Canon’s EOS 80D DSLR camera allows injection of ransomware At the DefCon27 held this year, Eyal Itkin, a vulnerability researcher at Check Point Software Technologies, revealed vulnerabilities in the Canon EOS 80D DSLR. He demonstrated how vulnerabilities in the Picture Transfer Protocol (PTP) allowed him to infect the DSLR model with ransomware over a rogue WiFi connection. Itkin highlighted six vulnerabilities in the PTP that could easily allow a hacker to infiltrate the DSLRs and inject ransomware and lock the device. This could lead the users to pay ransom to free up their camera and picture files. Itkin’s team informed Canon about the vulnerabilities in their DSLR on March 31, 2019. On August 6, Canon published a security advisory informing users that, “at this point, there have been no confirmed cases of these vulnerabilities being exploited to cause harm” and asking them to take advised measures to ensure safety. 10. Security researcher at DefCon 27 revealed an old Webmin backdoor that allowed unauthenticated attackers to execute commands with root privileges on servers At the DefCon27, a Turkish security researcher, Özkan Mustafa Akkuş presented a zero-day remote code execution vulnerability in Webmin, a web-based system configuration system for Unix-like systems. This vulnerability, tracked as CVE-2019-15107, was found in the Webmin security feature and was present in the password reset page. It allowed an administrator to enforce a password expiration policy for other users’ accounts. It also allowed a remote, unauthenticated attacker to execute arbitrary commands with root privileges on affected servers by simply adding a pipe command (“|”) in the old password field through POST requests. The Webmin team was informed of the vulnerability on August 17th 2019. In response, the exploit code was removed and Webmin version 1.930 created and released to all users. Jamie Cameron, the author of Webmin, in a blog post talked about how and when this backdoor was injected. He revealed that this backdoor was no accident, and was in fact, injected deliberately in the code by a malicious actor. He wrote, “Neither of these were accidental bugs – rather, the Webmin source code had been maliciously modified to add a non-obvious vulnerability,” he wrote. TD;LR: Companies should welcome ethical hackers for their own good Ethical hackers are an important addition to our cybersecurity ecosystem. They help organizations examine security systems and analyze minor gaps that lead to compromising the entire organization. One way companies can seek their help is by arranging Bug bounty programs that allow ethical hackers to participate and report vulnerabilities to companies in exchange for rewards that can consist of money or, just recognition. Most of the other times, a white hat hacker may report of the vulnerability as a part of their research, which can be misunderstood by organizations as an attempt to break into their system or simply that they are confident of their internal security systems. Organizations should keep their software security upto date by welcoming additional support from these white hat hackers in finding undetected vulnerabilities. Researchers release a study into Bug Bounty Programs and Responsible Disclosure for ethical hacking in IoT How has ethical hacking benefited the software industry 5 pen testing rules of engagement: What to consider while performing Penetration testing Social engineering attacks – things to watch out for while online

In an online world infested with hackers, we need more ethical hackers. But all around the world, hackers have long been portrayed by the media and pop culture as the bad guys. Society is taught to see them as cyber-criminals and outliers who seek to destroy systems, steal data, and take down anything that gets in their way. There is no shortage of news, stories, movies, and television shows that outright villainize the hacker. From the 1995 movie Hackers, to the more recent Blackhat, hackers are often portrayed as outsiders who use their computer skills to inflict harm and commit crime. Read this: Did you know hackers could hijack aeroplane systems by spoofing radio signals? While there have been real-world, damaging events created by cyber-criminals that serve as the inspiration for this negative messaging, it is important to understand that this is only one side of the story. The truth is that while there are plenty of criminals with top-notch hacking and coding skills, there is also a growing and largely overlooked community of ethical (commonly known as white-hat) hackers who work endlessly to help make the online world a better and safer place. To put it lightly, these folks use their cyber superpowers for good, not evil. For example, Linus Torvalds, the creator of Linux was a hacker, as was Tim Berners-Lee, the man behind the World Wide Web. The list is long for the same reason the list of hackers turned coders is long – they all saw better ways of doing things. What is ethical hacking? According to the EC-Council, an ethical hacker is “an individual who is usually employed with an organization and who can be trusted to undertake an attempt to penetrate networks and/or computer systems using the same methods and techniques as a malicious hacker.” Listen: We discuss what it means to be a hacker with Adrian Pruteanu [Podcast] The role of an ethical hacker is important since the bad guys will always be there, trying to find cracks, backdoors, and other secret ways to access data they shouldn’t. Ethical hackers not only help expose flaws in systems, but they assist in repairing them before criminals even have a shot at exploiting said vulnerabilities. They are an essential part of the cybersecurity ecosystem and can often unearth serious unknown vulnerabilities in systems better than any security solution ever could. Certified ethical hackers make an average annual income of $99,000, according to Indeed.com. The average starting salary for a certified ethical hacker is $95,000, according to EC-Council senior director Steven Graham. Ways ethical hacking benefits the software industry Nowadays, ethical hacking has become increasingly mainstream and multinational tech giants like Google, Facebook, Microsoft, Mozilla, IBM, etc employ hackers or teams of hackers in order to keep their systems secure. And as a result of the success hackers have shown at discovering critical vulnerabilities, in the last year itself there has been a 26% increase in organizations running bug bounty programs, where they bolster their security defenses with hackers. Other than this there are a number of benefits that ethical hacking has provided to organizations majorly in the software industry. Carry out adequate preventive measures to avoid systems security breach An ethical hacker takes preventive measures to avoid security breaches, for example, they use port scanning tools like Nmap or Nessus to scan one’s own systems and find open ports. The vulnerabilities with each of the ports is studied, and remedial measures are taken by them. An ethical hacker will examine patch installations and make sure that they cannot be exploited. They also engage in social engineering concepts like dumpster diving—rummaging through trash bins for passwords, charts, sticky notes, or anything with crucial information that can be used to generate an attack. They also attempt to evade IDS (Intrusion Detection Systems), IPS (Intrusion Prevention systems), honeypots, and firewalls. They carry out actions like bypassing and cracking wireless encryption, and hijacking web servers and web applications. Perform penetration tests on networks at regular intervals One of the best ways to prevent illegal hacking is to test the network for weak links on a regular basis. Ethical hackers help clean and update systems by discovering new vulnerabilities on an on-going basis. Going a step ahead, ethical hackers also explore the scope of damage that can occur due to the identified vulnerability. This particular process is known as pen testing, which is used to identify network vulnerabilities that an attacker can target. There are many methods of pen testing. The organization may use different methods depending on its requirements. Any of the below pen testing methods can be carried out by an ethical hacker: Targeted testing which involves the organization's people and the hacker. The organization staff will be aware of the hacking being performed. External testing penetrates all externally exposed systems such as web servers and DNS. Internal testing uncovers vulnerabilities open to internal users with access privileges. Blind testing simulates real attacks from hackers. Testers are given limited information about the target, which requires them to perform reconnaissance prior to the attack. Pen testing is the strongest case for hiring ethical hackers. Ethical hackers have built computers and programs for software industry Going back to the early days of the personal computer, many of the members in the Silicon Valley would have been considered hackers in modern terms, that they pulled things apart and put them back together in new and interesting ways. This desire to explore systems and networks to find how it worked made many of the proto-hackers more knowledgeable about the different technologies and it can be safeguarded from malicious attacks. Just as many of the early computer enthusiasts turned out to be great at designing new computers and programs, many people who identify themselves as hackers are also amazing programmers. This trend of the hacker as the innovator has continued with the open-source software movement. Much of the open-source code is produced, tested and improved by hackers – usually during collaborative computer programming events, which are affectionately referred to as "hackathons." Even if you never touch a piece of open-source software, you still benefit from the elegant solutions that hackers come up with that inspire or are outright copied by proprietary software companies. Ethical hackers help safeguard customer information by preventing data breaches The personal information of consumers is the new oil of the digital world. Everything runs on data. But while businesses that collect and process consumer data have become increasingly valuable and powerful, recent events prove that even the world’s biggest brands are vulnerable when they violate their customers’ trust. Hence, it is of utmost importance for software businesses to gain the trust of customers by ensuring the security of their data. With high-profile data breaches seemingly in the news every day, “protecting businesses from hackers” has traditionally dominated the data privacy conversation. Read this: StockX confirms a data breach impacting 6.8 million customers In such a scenario, ethical hackers will prepare you for the worst, they will work in conjunction with the IT-response plan to ensure data security and in patching breaches when they do happen. Otherwise, you risk a disjointed, inconsistent and delayed response to issues or crises. It is also imperative to align how your organization will communicate with stakeholders. This will reduce the need for real-time decision-making in an actual crisis, as well as help limit inappropriate responses. They may also help in running a cybersecurity crisis simulation to identify flaws and gaps in your process, and better prepare your teams for such a pressure-cooker situation when it hits. Information security plan to create security awareness at all levels No matter how large or small your company is, you need to have a plan to ensure the security of your information assets. Such a plan is called a security program which is framed by information security professionals. Primarily the IT security team devises the security program but if done in coordination with the ethical hackers, they can provide the framework for keeping the company at a desired security level. Additionally by assessing the risks the company faces, they can decide how to mitigate them, and plan for how to keep the program and security practices up to date. To summarize… Many white hat hackers, gray hat and reformed black hat hackers have made significant contributions to the advancement of technology and the internet. In truth, hackers are almost in the same situation as motorcycle enthusiasts in that the existence of a few motorcycle gangs with real criminal operations tarnishes the image of the entire subculture. You don’t need to go out and hug the next hacker you meet, but it might be worth remembering that the word hacker doesn’t equal criminal, at least not all the time. Our online ecosystem is made safer, better and more robust by ethical hackers. As Keren Elazari, an ethical hacker herself, put it: “We need hackers, and in fact, they just might be the immune system for the information age. Sometimes they make us sick, but they also find those hidden threats in our world, and they make us fix it.” 3 cybersecurity lessons for e-commerce website administrators Hackers steal bitcoins worth $41M from Binance exchange in a single go! A security issue in the net/http library of the Go language affects all versions and all components of Kubernetes

Security over the web is of the highest priority these days as most of our transactions and storage takes place on the web. Our systems are ripe for cracking by hackers. Don’t believe me? check out the below video. How can we improve our security belts around our system? Metasploit is one solution cybersecurity professionals look at to tight-lock their security with no risk of intruders. Metasploit, an open source project, allows individuals or organizations to identify security vulnerabilities and develop a code using which network administrators can break into their own code and identify potential risks. They can then prioritize which vulnerabilities need to be addressed. The Metasploit project offers Penetration (pen) testing software Tools for automating the comparison of a program's vulnerability Anti-forensic and advanced evasion tools Some tools are also built-in the Metasploit framework. The Metasploit Framework  is a collection of tools, libraries, modules and so on. It is popular among cybersecurity professionals and ethical hackers to carry out penetration testing or hacking. They can use it to exploit vulnerabilities on a network and also make Trojans, backdoors, botnets, phishing and so on. You can check out our article on 12 common malware types you should know, to know about the different malware types. The Metasploit Framework is supported by various operating systems including, Linux, MAC-OS, Windows, Android and so on. One can use metasploit in both free and paid versions, where the free version(Metasploit Framework and Metasploit community)can be used to find out basic exploits. However, a full paid version(Metasploit Pro) is preferred as it allows one to carry out deep pen-tests and other advanced features. A paid version offers: Collects integrations via remote APIs Automate several tasks, which include smart exploitation, penetration testing reports, and much more. Infiltrates dynamic payloads to evade the top antivirus solutions Also, in order to use this hacking tool, one can make use of the different interfaces it offers. Metasploit Interfaces Msfconsole Msfconsole is one of the highly popular interfaces in the metasploit framework. Once you have a hang of this interface and its syntax, it will provide a coherent access to all the options within the Metasploit Framework. Some advantages of msfconsole include: With the msfconsole, one can access all the features in the MSF Most stable and provides a console-based interface With msfconsole executing external commands is possible One can experience a full readline support, tabbing, and command completion Msfcli Msfcli enables a powerful command-line interface to the framework. Some features of this interface include: Support for the launch of exploits and auxiliary modules. Great for use in scripts and basic automation. However, one should be careful while using msfcli as variables are case-sensitive, and are assigned using an equal to (=) sign. MsfGUI Msfgui is the GUI of the framework and a tool to carry out demonstrations to clients and management. The msfgui: provides a point-and-click interface for exploitation a GTK wizard-based interface for using the metasploit framework Armitage Developed by Raphael Mudge, Armitage, is an open source Java-based frontend GUI for the metasploit framework. Its primary aim is to assist security professionals to understand hacking, by getting to know the true potential of Metasploit. Advantages of using Metasploit One can automate each phase of penetration testing Metasploit allows pentesters and cyber professionals to automate all phases within the penetration test. This is because, the amount of time required to carry out a complete and thorough pen-test is huge. Metasploit automates tasks; right from selecting the appropriate exploit to streamline the evidence collection and reporting of the attack. Credentials can be gathered and reused Credentials are the keys to any network, and the biggest prize for a penetration tester. With metasploit, one can catalog and track user credentials for reporting. Professionals and hackers can also make use of these credentials across every system in the network using a simple credential domino wizard. Become a next-Level Pen Tester If one has already worked with Metasploit framework for years together, its pro version is definitely the next step to head for. With Metasploit Pro, the expert can easily move through a network using the pivoting and antivirus evasion capabilities. They can also create instant reports on the progress and evidence. The best part is, one can seamlessly use custom scripts by going into the command line framework. Metasploit in competition with other pentesting tools Metasploit is not the only tool that offers penetration testing but it is one of the preferred ones. There are a number of other tools in the market that can give Metasploit a tough competition. Some of them include Wireshark, Nessus, Nmap, and so on. Wireshark is a famous network protocol analyzer. It can read captured information from other applications and is multiplatform. The only con it has is, it has a steep learning curve. Nessus is a vulnerability scanner and a popular tool among the professionals in security. It has a huge library of vulnerabilities and respective tests to identify them. It relies on the response from the target host to identify a breach. Here, metasploit is used as an exploitation tool to identify if the detected breach could be exploitable. Nmap (Network mapper) is a highly competent pen testing tool used for network mapping or discovery. On comparing with metasploit, it has a rudimentary GUI as compared to Metasploit. Metasploit is moving into web application security with its 3.5.0 release. The community has also added native PHP and Java payloads, which makes it easy to acquire advanced functionality through web application and Java server vulnerabilities. The community plans to port more exploits and modules to the metasploit platform. Additional modules that target embedded devices, hardware devices, etc.and BUS systems, such as K-Line could be added in the near future. 5 pen testing rules of engagement: What to consider while performing Penetration testing How to secure a private cloud using IAM Top 5 penetration testing tools for ethical hackers

Penetration testing and ethical hacking are proactive ways of testing web applications by performing attacks that are similar to a real attack that could occur on any given day. They are executed in a controlled way with the objective of finding as many security flaws as possible and to provide feedback on how to mitigate the risks posed by such flaws. Security-conscious corporations have implemented integrated penetration testing, vulnerability assessments, and source code reviews in their software development cycle. Thus, when they release a new application, it has already been through various stages of testing and remediation. When planning to execute a penetration testing project, be it for a client as a professional penetration tester or as part of a company's internal security team, there are aspects that always need to be considered before starting the engagement. [box type="shadow" align="" class="" width=""]This article is an excerpt from the book Web Penetration testing with Kali Linux - Third Edition, written by Gilberto Najera-Gutierrez, Juned Ahmed Ansari.[/box] Rules of Engagement for Pen testing Rules of Engagement (RoE) is a document that deals with the manner in which the penetration test is to be conducted. Some of the directives that should be clearly spelled out in RoE before you start the penetration test are as follows: The type and scope of testing Client contact details Client IT team notifications Sensitive data handling Status meeting and reports Type and scope of Penetration testing The type of testing can be black box, white box, or an intermediate gray box, depending on how the engagement is performed and the amount of information shared with the testing team. There are things that can and cannot be done in each type of testing. With black box testing, the testing team works from the view of an attacker who is external to the organization, as the penetration tester starts from scratch and tries to identify the network map, the defense mechanisms implemented, the internet-facing websites and services, and so on. Even though this approach may be more realistic in simulating an external attacker, you need to consider that such information may be easily gathered from public sources or that the attacker may be a disgruntled employee or ex-employee who already possess it. Thus, it may be a waste of time and money to take a black box approach if, for example, the target is an internal application meant to be used by employees only. White box testing is where the testing team is provided with all of the available information about the targets, sometimes even including the source code of the applications, so that little or no time is spent on reconnaissance and scanning. A gray box test then would be when partial information, such as URLs of applications, user-level documentation, and/or user accounts are provided to the testing team. Gray box testing is especially useful when testing web applications, as the main objective is to find vulnerabilities within the application itself, not in the hosting server or network. Penetration testers can work with user accounts to adopt the point of view of a malicious user or an attacker that gained access through social engineering. [box type="note" align="" class="" width=""]When deciding on the scope of testing, the client along with the testing team need to evaluate what information is valuable and necessary to be protected, and based on that, determine which applications/networks need to be tested and with what degree of access to the information.[/box] Client contact details We can agree that even when we take all of the necessary precautions when conducting tests, at times the testing can go wrong because it involves making computers do nasty stuff. Having the right contact information on the client-side really helps. A penetration test is often seen turning into a Denial-of-Service (DoS) attack. The technical team on the client side should be available 24/7 in case a computer goes down and a hard reset is needed to bring it back online. [box type="note" align="" class="" width=""]Penetration testing web applications has the advantage that it can be done in an environment that has been specially built for that purpose, allowing the testers to reduce the risk of negatively affecting the client's productive assets.[/box] Client IT team notifications Penetration tests are also used as a means to check the readiness of the support staff in responding to incidents and intrusion attempts. You should discuss this with the client whether it is an announced or unannounced test. If it's an announced test, make sure that you inform the client of the time and date, as well as the source IP addresses from where the testing (attack) will be done, in order to avoid any real intrusion attempts being missed by their IT security team. If it's an unannounced test, discuss with the client what will happen if the test is blocked by an automated system or network administrator. Does the test end there, or do you continue testing? It all depends on the aim of the test, whether it's conducted to test the security of the infrastructure or to check the response of the network security and incident handling team. Even if you are conducting an unannounced test, make sure that someone in the escalation matrix knows about the time and date of the test. Web application penetration tests are usually announced. Sensitive data handling During test preparation and execution, the testing team will be provided with and may also find sensitive information about the company, the system, and/or its users. Sensitive data handling needs special attention in the RoE and proper storage and communication measures should be taken (for example, full disk encryption on the testers' computers, encrypting reports if they are sent by email, and so on). If your client is covered under the various regulatory laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), or the European data privacy laws, only authorized personnel should be able to view personal user data. Status meeting and reports Communication is key for a successful penetration test. Regular meetings should be scheduled between the testing team and the client organization and routine status reports issued by the testing team. The testing team should present how far they have reached and what vulnerabilities have been found up to that point. The client organization should also confirm whether their detection systems have triggered any alerts resulting from the penetration attempt. If a web server is being tested and a WAF was deployed, it should have logged and blocked attack attempts. As a best practice, the testing team should also document the time when the test was conducted. This will help the security team in correlating the logs with the penetration tests. [box type="note" align="" class="" width=""]WAFs work by analyzing the HTTP/HTTPS traffic between clients and servers, and they are capable of detecting and blocking the most common attacks on web applications.[/box] To build defense against web attacks with Kali Linux and understand the concepts of hacking and penetration testing, check out this book Web Penetration Testing with Kali Linux - Third Edition. Top 5 penetration testing tools for ethical hackers Essential skills required for penetration testing Approaching a Penetration Test Using Metasploit

Cybercriminals are continally developing new and more sophisticated ways to exploit software vulnerabilities, making it increasingly difficult to defend our systems. Today, then, we need to be proactive in how we protect our digital properties. That's why penetration testers are so in demand. Although risk analysis can easily be done by internal security teams, support from skilled penetration testers can be the difference between security and vulnerability. These highly trained professionals can “think like the enemy” and employ creative ways to identify problems before they occur, going beyond the use of automated tools. Pentesters can perform technological offensives, but also simulate spear phishing campaigns to identify weak links in the security posture of the companies and pinpoint training needs. The human element is essential to simulate a realistic attack and uncover all of the infrastructure’s critical weaknesses. Being a pen tester can be financially rewarding because trained and skilled ones can normally secure good wages. Employers are willing to pay top dollar to attract and retain talent. Most pen testers enjoy sizable salaries depending on where they live and their level of experience and training. According to a PayScale salary survey, the average salary is approximately $78K annually, ranging from $44K to $124K on the higher end. To be a better pen tester, you need to upgrade or master your art in certain aspects. The following skills will make you stand out in the crowd and will make you a better and more effective pen tester. I know what you’re thinking. This seems like an awful lot of work learning penetration testing, right? Wrong. You can still learn how to penetration test and become a penetration tester without these things, but learning all of these things will make it easier and help you understand both how and why things are done a certain way. Bad pen testers know that things are vulnerable. Good pen testers know how things are vulnerable. Great pen testers know why things are vulnerable. Mastering command-line If you notice that even in modern hacker films and series, the hackers always have a little black box on the screen with text going everywhere. It’s a cliché but it’s based in reality. Hackers and penetration testers alike use the command line a lot. Most of the tools are normally command line based. It’s not showing off, it’s just the most efficient way to do our jobs. If you want to become a penetration tester you need to be at the very least, comfortable with a DOS or PowerShell prompt or terminal. The best way to develop this sort of skillset is to learn how to write DOS Batch or PowerShell scripts. There are various command line tools that make the life of a pen-tester easy. So learning to use those tools and mastering them will enable you to pen-test your environment efficiently. Mastering OS concepts If you look at penetration testing or hacking sites and tutorials, there’s a strong tendency to use Linux. If you start with something like Ubuntu, Mint or Fedora or Kali as a main OS and try to spend some time tinkering under the hood, it’ll help you become more familiar with the environment. Setting up a VM to install and break into a Linux server is a great way to learn. You wouldn’t expect to be able to comfortably find and exploit file permission weaknesses if you don’t understand how Linux file permissions work, nor should you expect to be able to exploit the latest vulnerabilities comfortably and effectively without understanding how they affect a system. A basic understanding of Unix file permissions, processes, shell scripting, and sockets will go a long way. Mastering networking and protocols to the packet level TCP/IP seems really scary at first, but the basics can be learned in a day or two. While breaking in you can use a packet sniffing tool called Wireshark to see what’s really going on when they send traffic to a target instead of blindly accepting documented behavior without understanding what’s happening. You’ll also need to know not only how HTTP works over the wire, but also you’ll need to understand the Document Object Model (DOM) and enough knowledge about how backends work to then, further understand how web-based vulnerabilities occur. You can become a penetration tester without learning a huge volume of things, but you’ll struggle and it’ll be a much less rewarding career. Mastering programming If you can’t program then you’re at risk of losing out to candidates who can. At best, you’re possibly going to lose money from that starting salary. Why? You would require sufficient knowledge in a programming language to understand the source code and find a vulnerability in it. For instance, only if you know PHP and how it interacts with a database, will you be able to exploit SQL injection. Your prospective employer is going to need to give you time to learn these things if they’re going to get the most out of you. So don’t steal money from your own career, learn to program. It’s not hard. Being able to program means you can write tools, automate activities, and be far more efficient. Aside from basic scripting you should ideally become at least semi-comfortable with one programming languageand cover the basics in another. Web people like Ruby. Python is popular amongst reverse engineers. Perl is particularly popular amongst hardcore Unix users. You don’t need to be a great programmer, but being able to program is worth its weight in goldand most languages have online tutorials to get you started. Final thoughts Employers will hire a bad junior tester if they have to, and a good junior tester if there’s no one better, but they’ll usually hire a potentially great junior pen tester in a heartbeat. If you don’t spend time learning the basics to make yourself a great pen tester, you’re stealing from your own potential salary. If you’re missing some or all of the things above, don’t be upset. You can still work towards getting a job in penetration testing and you don’t need to be an expert in any of these things. They’re simply technical qualities that make you a much better candidate for being (and probably better paid) hired from a hiring manager and supporting interviewer’s perspective. About the author Hari Vignesh Jayapalan is a Google Certified Android app developer, IDF Certified UI & UX Professional, street magician, fitness freak, technology enthusiast, and wannabe entrepreneur. He can be found on Twitter @HariofSpades.