How to Conduct Internal Penetration Testing
Automated penetration testing tools and open source tools, especially those in Linux security distributions, are invaluable aids for internal pentests.
The best way to establish how vulnerable your network is to a hacker attack is to subject it to a penetration test carried out by outside experts. (You must get a qualified third party to help with penetration testing, of course, and eSecurity Planet recently published an article on finding the right penetration testing company.)
But there are two significant downsides to third-party penetration tests:
- They can be expensive
- They are effectively "out of date" as soon as you make changes to your infrastructure or as new vulnerabilities that affect it are discovered
One way to sidestep both of these problems is to carry out your own penetration tests.
Before continuing, it's important to point out that carrying out your own pentest won't be as effective as hiring an expert, because expert pentesting requires experience, skill and creativity. Those are qualities that only professional penetration testers (and expert hackers) are likely to have. Even if your security team has penetration testing experience, many experts believe that a third party coming to your network with fresh eyes is more likely to spot potential problems. Familiarity with your own network can actually leave you blinkered to possible security vulnerabilities.
Nonetheless, having the capability to run your own penetration tests is still a good idea because it enables you to run a test whenever you buy new equipment, install new software or make other big changes to your network, alerting you to obvious vulnerabilities you've overlooked.
Think of internal penetration tests as walking around your house, checking you haven't left any windows open before you go out: It's a sensible precaution that costs almost nothing. Here we share a penetration testing methodology that should prove useful for many organizations.
Penetration Testing Basics: 7 Steps
In the simplest terms, a penetration test consists of a number of steps:
1. Network enumeration and mapping. This step often involves port scanning to work out the topology of a network, and to establish which computers are connected to it and the operating system and services they are offering. Perhaps the most popular tool for carrying out this task is the open source Nmap, sometimes accessed through the Zenmap GUI.
2. Reconnaissance. This involves contacting the machines on the network and extracting information from them such as the applications they are running. Reconnaissance can also involve Googling for information about the organization being tested, for example to find out the names of IT staff and executives. This kind of information can be useful for social engineering and phishing exercises (see below). Social media accounts for such people can also reveal information such as pet names which are often used in passwords.
3. Network sniffing. This is used to examine traffic flowing over the network and to search for unencrypted data including passwords or VoIP traffic. The de facto standard for network sniffing is Wireshark, another open source tool.
4. Vulnerability scanning. A scan can reveal whether any machines have insecure versions of software or other known vulnerabilities that can be exploited, or whether any wireless access points are open or have weak passwords. A popular open source vulnerability tool is OpenVAS. Other more specialist scanners can also be directed at web servers to look for vulnerabilities such as cross-site scripting (XSS) errors.
   Open source scans can be enhanced by proprietary vulnerability scanners that can alert you to vulnerable applications which could be exploited.
   - Nessus Professional
   - Rapid7 Nexpose
   - Qualys FreeScan
5. Exploit launching. This stage of penetration testing attempts to exploit any known vulnerabilities to gain control of a system. It's important to remember that although a vulnerability scan may reveal a vulnerability, not all vulnerabilities can be successfully exploited or necessarily lead to a serious breach. An exploitation framework like Metasploit contains a database of ready-made exploits that it can match to vulnerabilities, as well as tools for creating and launching your own exploits.
   Many security systems are aware of and will detect Metasploit exploits, but it is important to note that a real hacker might tailor their own exploits, so don't be tempted to believe that your infrastructure is safe just because your security systems prevent a Metasploit exploit from working.
6. Further exploitation. Once a single vulnerable system is compromised, you can leverage this to penetrate the network further. For example, if it is possible to access a server's password file, a password cracking tool may then yield valuable passwords. Using the knowledge gained from the reconnaissance phase, these passwords can then be used to compromise more systems and access more data.
   Password cracking tools include the offline John the Ripper, for processing password files that are exfiltrated from the network you are testing, or the online open source tool Hydra, a parallelized login brute forcer which can attempt to log in to services such as FTP by trying multiple login/password combinations in a very short space of time.
7. Phishing/social engineering. No penetration test is complete without seeing whether it is possible to gain access by tricking employees. That means sending out phishing emails or simply phoning them up to try to entice them to reveal login details or other confidential information.
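To make the network enumeration and mapping step repeatable after each infrastructure change, the following added example (not part of the original article) parses Nmap XML output, the format written by `nmap -oX`, and reports hosts and open ports that differ from an approved baseline. The sample XML, the addresses and the `BASELINE` mapping are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -oX` output (not real scan data).
SAMPLE_XML = """<nmaprun>
 <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
  <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
 </ports></host>
 <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
 </ports></host>
</nmaprun>"""

# Hypothetical approved baseline: host -> set of (protocol, port) allowed open.
BASELINE = {"10.0.0.5": {("tcp", 22)}, "10.0.0.7": {("tcp", 443)}}

def open_services(xml_text):
    """Return {host: {(proto, port): service}} for hosts up and ports open."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        ports = result.setdefault(addr.get("addr"), {})
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            if state is not None and state.get("state") == "open":
                key = (port.get("protocol"), int(port.get("portid")))
                ports[key] = svc.get("name") if svc is not None else "unknown"
    return result

def drift(scan, baseline):
    """Return sorted (host, finding, ports) tuples where scan and baseline differ."""
    findings = []
    for host, ports in scan.items():
        if host not in baseline:
            findings.append((host, "unknown host", sorted(ports)))
        elif set(ports) - baseline[host]:
            findings.append((host, "unexpected open port",
                             sorted(set(ports) - baseline[host])))
    for host in baseline.keys() - scan.keys():
        findings.append((host, "baseline host not seen", []))
    return sorted(findings)

if __name__ == "__main__":
    for finding in drift(open_services(SAMPLE_XML), BASELINE):
        print(finding)
```

Each finding is a prompt for review: an unexpected open port or unknown host may be a legitimate change that belongs in the baseline, or an exposure to close before the next scan.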
Manual Penetration Testing and Linux Distros
No penetration testing tutorial would be complete without a guide to useful pentesting tools. To carry out a penetration test manually you'll need a number of tools including the ones mentioned above. The best way to access all the tools you need in one place is to download an open source Linux security distribution. Recommended distros include:
These distros contain hundreds of other open source tools for network reconnaissance and enumeration, vulnerability scanning, password cracking, wireless security auditing and much more.
The problem with these distros is that if you are not familiar with the tools they contain, it can be quite hard to know where to start. One solution is to complete training with some of the tools that you'll find on security distributions.
Training options include:
- Penetration Testing Training with Kali Linux. A self-paced online penetration testing course designed for network administrators and security professionals who want to take a serious step into penetration testing. The training is provided by Offensive Security, the creators of Kali Linux and one of the top penetration testing training and certification organizations.
- Metasploit Unleashed. The Metasploit Unleashed ethical hacking training course is provided free of charge and is probably the most complete and in-depth guide available for the famous Metasploit Project penetration testing tool.
- InfoSec Institute's Penetration Testing Online. InfoSec Institute's Penetration Testing Online is a comprehensive online penetration testing course containing over 100 modules and over 100 hours of online training. Because of the amount of material available, most students take a full 60 days to complete the course.
Automated Penetration Testing
An easier way to carry out your own penetration test is to use an automated penetration testing tool, which will carry out some or all of these steps for you with minimal intervention, or use wizards to guide you.
The benefit of this approach is that it can reveal more straightforward problems on your network. An additional benefit is that less skilled hackers may use some of these tools as well, so by running them before hackers do you are in a position to mitigate any problems found before hackers find them.
There is a limit to what these tools can do, however. A skilled hacker or penetration tester may use a combination of tactics including phishing and social engineering to compromise your defenses and wreak damage, or they may spot a vulnerability that may take a great deal of ingenuity and creativity to exploit. Automated tools are unable to replicate this.
Most automated penetration software is supplied as a commercial product. These products include:
Penetration Testing Risks
Before you think about carrying out your own penetration tests, be aware of what can go wrong. Penetration tests, whether manual or automated, involve unleashing scans and probes onto your network. These could slow it down, make your computers run sluggishly for a time or even crash one or more of your systems, potentially disrupting your business.
Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.