Kali Linux: Network Target Penetration Testing Planning (en)

From OnnoWiki

In this writing, we will discuss the testing environment and how to prepare for a penetration test before the first packet is sent. Here we will cover the following:

  • Introduction to advanced penetration testing.
  • How to be successful in your testing.
  • What needs to be prepared before testing.
  • Setting limits: nothing is permanent.
  • Planning actions.

Introduction to Advanced Penetration Testing

Penetration testing is necessary to know the actual attack footprint of our environment. It may often be confused with vulnerability assessment, and therefore, it is important that this difference is fully explained to your clients.

Vulnerability Assessment

Vulnerability assessment is necessary to find potential vulnerabilities across the environment. There are many tools available that can automate this process so that even inexperienced security professionals or network administrators can effectively determine the security posture of their environment. Depending on the coverage, additional manual testing may also be required. Full exploitation of systems and services is generally not within the scope of normal vulnerability assessments.

In conducting a vulnerability assessment, systems are typically scanned and evaluated for vulnerabilities, and testing can often be done with or without authentication. Most vulnerability management and scanning solutions provide actionable reports that serve as a reference for testers, detailing mitigation strategies such as deploying missing patches or correcting insecure system configurations. Testers then perform their own analysis on top of these reports and make recommendations based on it.

Penetration Testing

Penetration testing can extend the efforts of vulnerability assessment by conducting exploitation into the target environment.

Penetration testing allows a company to understand whether the mitigation strategies used actually work as expected; it essentially tests the existing plan. Penetration testers are expected to mimic the actions that an attacker would perform, and will be challenged to prove that they can compromise the critical systems targeted. The most successful penetration tests result in penetration testers being able to prove without a doubt that the vulnerabilities found would lead to loss of revenue or significant business impact unless properly handled. Imagine the loss and reputation damage a client would suffer if you could prove to them that in fact anyone in the world has easy access to their most confidential information!

Penetration testing requires deeper and broader knowledge than is needed for vulnerability analysis. This generally means that the price of penetration testing will be much higher than that of vulnerability analysis. If you cannot penetrate the network, you can reassure your clients that their systems are secure as far as you were able to determine. This must be demonstrated not only by your inability to penetrate their network, but also by showing what you tried and showing that it did not work because of the mitigations in place. If you want to sleep peacefully at night, it is recommended that you go far above and beyond just verifying your client's security.

Advanced Penetration Testing

Some environments will be safer than others. You may be faced with environments that use:

  • Effective patch management procedures.
  • Managed system configuration testing policies.
  • Multi-layered DMZs.
  • Centralized security log management.
  • Host-based security controls.
  • Network or system intrusion detection or prevention.
  • Wireless intrusion detection or prevention systems.
  • Web application intrusion detection or prevention systems.
  • End-user security, executive security, and insider threat programs.

Using effective controls will significantly increase the difficulty of penetration testing. Clients must have full confidence that the security mechanisms and procedures used can protect the integrity, confidentiality, and availability of their systems. They also need to understand that the reason attackers can break into systems is often configuration errors, poor IT architecture design, and susceptibility to social engineering.

There is no such thing as a silver bullet in security. As penetration testers, it is our job to look at problems from all angles and make clients aware of all the avenues an attacker could take to defeat their efforts.

Advanced penetration testing goes beyond regular/standard testing by leveraging the latest security research and exploitation methods available. The goal is to prove that sensitive data and systems are protected even from targeted attacks and, if not, to ensure that clients get the right input on what needs to be changed and are aware of the importance of maintaining a solid incident response program, as there is always the possibility of breaches.

Penetration testing is a snapshot of the current security posture. Penetration testing should be done continuously.

Many exploitation methods require trained penetration testers who are eager to keep learning, and require hands-on experience to execute effectively and efficiently. Only through dedication, effort, practice, and willingness to explore unknown areas, can penetration testers mimic the kind of targeted attacks that would be carried out by malicious hackers out there.

Often, you will be asked to do penetration testing as part of a team, and you need to know how to use the tools available to keep the process moving and efficient. This is another challenge faced by pentesters today. Working in a silo is not an option when your scope limits you to a very limited testing time.

In some situations, companies may use non-standard methods to ensure the security of their data, which makes your job more difficult. However, the complexity of making these security systems work together may itself be the weakest link in their security strategy.

The likelihood of finding exploitable vulnerabilities is proportional to the complexity of the environment being tested.

Before Testing

Before we start penetration testing, there are requirements that need to be considered. You need to determine the exact scope of the testing, its duration, its limitations, the type of testing (white box or black box), and how to handle third-party equipment and IP ranges.

Before you can accurately determine the scope of testing, you need to gather as much information as possible. It is important that the following points are fully understood before starting the testing procedure:

  • Who is authorized to give testing permission?
  • What is the purpose of testing?
  • What is the proposed duration for testing? Are there any limitations on when testing can be done?
  • Does your client understand the difference between vulnerability evaluation and penetration testing?
  • Will you be testing with or without cooperation from the IT security operational team? Are you testing its effectiveness?
  • Is social engineering allowed? What about denial-of-service attacks?
  • Can you test the physical security measures used to secure servers, critical data storage, or other things that require physical access? For example, testing door access, impersonating employees to enter buildings, or simply walking into areas open to the public.
  • Are you allowed to view network documentation or be informed about the network architecture before testing to speed everything up? (Not necessarily recommended, because it can cast doubt on the value of your findings. Most companies and institutions do not expect this information to be easily accessible to an attacker.)
  • What is the range of IP allowed to be tested? There are laws against scanning and testing systems without proper permission. Be careful when ensuring that these devices and ranges actually belong to your clients, or you may be in danger of facing legal consequences.
  • Where is the physical location of the company? This is more valuable to you as a tester if social engineering is allowed, because it ensures you are in the approved building when testing. If time permits, you should inform your clients whether this information is publicly accessible, in case they are under the impression that their location is secret or hard to find.
  • What should be done if there are problems or if the initial purpose of testing has been done and achieved? Will you continue testing to find more entries, or is the testing complete? This section is very important and relates to the question of why clients want a penetration test.
  • Are there any legal implications you need to be aware of, such as systems being in different countries and so on? Not all countries have the same laws regarding penetration testing.
  • Will there be additional permissions after the vulnerability has been exploited? This is important when testing on segmented networks. Clients may not be aware that you can use their internal system as a channel to dig deeper into their network.
  • How are databases handled? Are you allowed to add records, users, and so on?

This list is not exhaustive, and you may need to add questions to it depending on your client's requirements. Most of this data can be collected directly from clients, but some will have to be worked out by your own team.

If there are legal issues, it is recommended that you seek legal advice to ensure you fully understand the implications of your testing. It is better to have too much information than not enough when it is time to start testing. However, you should always verify the accuracy of the information you are given yourself. You do not want to find that the system you accessed is actually not under your client's authority!

It is very important to get proper written authorization before accessing your client's systems. Failure to do so can result in legal action and possibly jail. Use proper judgment! You also need to consider liability insurance; insurance is a must when doing penetration testing.

Setting Limits: Nothing Is Permanent

Setting the right limits is crucial if you want to be successful in conducting penetration testing. Your clients need to understand the full consequences that occur, and must be informed about additional costs incurred if additional services beyond those listed in the contract are required.

Make sure to clearly define the start and end dates for your services. Clearly specify the Rules of Engagement, including the IP ranges, buildings, hours, and so on that may be tested. If it is not in your Rules of Engagement documentation, do not let it be tested. Meetings should be set up before testing begins, and clients should know exactly what deliverables you will provide.
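The IP-range question in the checklist above and the Rules of Engagement paragraph both come down to the same control: never scan an address that is not explicitly authorized, and never scan outside the agreed window. The following scope gate is an added example written for this page (not a tool from Kali or from the original text); the Rules of Engagement values, hostnames and ranges are constructed placeholders from the RFC 5737 documentation blocks.

```python
import ipaddress
from datetime import datetime, time

# Constructed sample Rules of Engagement (placeholder values, not a real client).
RULES_OF_ENGAGEMENT = {
    "in_scope": ["203.0.113.0/24", "198.51.100.10"],   # authorized ranges / hosts
    "excluded": ["203.0.113.250/32"],                   # e.g. a third-party hosted device
    "test_start": "2024-03-01",                         # contract start date
    "test_end": "2024-03-15",                           # contract end date
    "hours": ("22:00", "06:00"),                         # overnight window agreed with client
}

def target_in_scope(target, roe):
    """Return (allowed, reason). An explicit exclusion always wins over an inclusion."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False, f"{target}: not a valid IP address"
    if any(addr in ipaddress.ip_network(e, strict=False) for e in roe["excluded"]):
        return False, f"{target}: explicitly excluded by the RoE"
    if any(addr in ipaddress.ip_network(e, strict=False) for e in roe["in_scope"]):
        return True, f"{target}: authorized"
    return False, f"{target}: outside the authorized ranges"

def window_open(roe, now_iso):
    """True if the ISO timestamp falls inside the agreed dates and daily hours.
    The daily window may wrap past midnight (e.g. 22:00 to 06:00)."""
    now = datetime.fromisoformat(now_iso)
    start = datetime.fromisoformat(roe["test_start"])
    end = datetime.fromisoformat(roe["test_end"]).replace(hour=23, minute=59, second=59)
    if not (start <= now <= end):
        return False
    h_start, h_end = (time.fromisoformat(h) for h in roe["hours"])
    t = now.time()
    if h_start <= h_end:
        return h_start <= t <= h_end
    return t >= h_start or t <= h_end

def filter_targets(candidates, roe, now_iso):
    """Split a candidate target list into (authorized targets, rejection reasons)."""
    if not window_open(roe, now_iso):
        return [], [f"{t}: outside the agreed testing window" for t in candidates]
    ok, rejected = [], []
    for t in candidates:
        allowed, reason = target_in_scope(t, roe)
        (ok if allowed else rejected).append(t if allowed else reason)
    return ok, rejected

if __name__ == "__main__":
    sample = ["203.0.113.5", "203.0.113.250", "198.51.100.10", "192.0.2.7", "bad"]
    print(filter_targets(sample, RULES_OF_ENGAGEMENT, "2024-03-03T23:30"))
```

Feed the authorized list (and only that list) to the scanner; the rejection reasons belong in the engagement log so the client can see what was deliberately not touched.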
