Safe way to do penetration testing?

Posted on 2011-04-20
Last Modified: 2012-05-11
As head of IT, I've been asked to do a penetration test.  A search for free software was fruitless, except for Metasploit, but I'm concerned about running that in a production environment.  It sounds as though it tests by doing invasive and potentially harmful simulations of actual attacks.  Obviously, I'm not looking to bring down my network.  Is penetration testing, by default, dangerous?  What tools and software should I use?  Please note, I'm not looking to do a security audit, but a penetration test, as though I were someone malicious trying to gain network access/harm the network.  Thank you.
Question by:LB1234
    LVL 3

    Expert Comment

    Try a Nessus scan.
    LVL 13

    Expert Comment

    I would ask yourself first if you or anyone on your team is qualified to complete such a test. If not, it is OK, because there are many companies out there that do an excellent job. Read this:

    LVL 11

    Expert Comment

    Acunetix is top notch.
    LVL 15

    Assisted Solution

    Yes, penetration testing is going to take up resources. Your boss wants to know if the network will hold up against one. So your answer is "Yes". All attacks are invasive; they're meant to be. The only difference here is you call the shots: how deep the tests go, what you test for, and what you don't is all up to you. You will only know how good your network security is when you attack it yourself or have someone do it for you professionally. I don't know why you placed this in the digital forensics category either. Penetration testing is a different subject. Forensics is finding out how it happened and who is responsible, gathering evidence of a suspected attack. The Metasploit framework isn't illegal software; thousands of companies use it to make sure that they are not vulnerable to the attacks this framework offers to test. You can uninstall it when you're done, too. If you want some good advice, don't do blind scans or attacks; this will land you with a broken network and no playground. Instead, think about how the attacker would prepare before they attack the server. You need valuable information before you can attempt to exploit a server. We pen-testers are the real deal. If we tell you that you have a hole in your security, you had better believe it. You shouldn't need more than that framework and good coding knowledge, mixed with a good amount of security knowledge. If none of you have these, I would do some searching and hire a company to do the pentest for you. You will learn a lot on the way as well.
    LVL 60

    Accepted Solution

    Penetration testing highlights the identification of entry points (sometimes called low-hanging fruit), verification of one of the significant entry points, exploitation of the entry, and listing of the impacts and potential attack surface cum damages. It can be black-box or white-box; to me, the white-box is more controlled, as you know the internals and can safely guard against crashing key production services. The black-box, which is the more common one from the external perspective, can be more exposed to test lapses causing downtime of services.

    The potential extreme of exploitation, if not well controlled, would be denial of service (causing processes to restart or stall) or data leakage (recon information leaked to the public). I will not dwell on the threats, as they are self-explanatory. But what leads to this "collateral damage" is more significant in this discussion.

    Factors (but not limited to these) I see that can help us to understand are:

    a) Not fully knowing the test tool well, which leads to uncontrolled "options" in commands, leading to automated exploitation (or persistent denial, e.g. online brute-force scanning, massive overloading of test traffic).

    b) Not having rules of engagement put in place, which leads to playing this "game" with no rules, causing players to go for any target. There should be some restrictions in testing, such as: do not touch the external email server, website services, VVIP email accounts and machines, etc. There is a need for a controller, if possible, for such Red vs. Blue Team testing.

    c) Not having a well-prepared or segregated test environment, whereby the penetration testing is done impromptu and the test sampling and payload are run on the same production network. E.g. the test LAN is VLANed, or the test is even started from the external side through the website entry points, so that any mishap of the test tool or oversight in the test cases does not directly bring down the whole enterprise LAN; minimally, mitigating the damage can easily be done by some simple config to redirect traffic or switch off a router, etc.

    There are some standards that state accountability for the testing and best practices, such as OWASP, OSSTMM, and NIST SP 800-115. They also provide methodology to guide the testing and aid in gathering sufficient intelligence before you plan out your ops plan. Most of the time, you do not have the luxury of repeating the testing, as you are "exposed".

    More importantly, it is not the proficiency in using penetration tools but the safeguards and rules of engagement that you should lay out straight at the front to protect the customer and yourself. Being a greenhorn does not mean you are innocent if something goes wrong during the testing, e.g. being unable to control a DoS in time, etc. (maybe at first you should not employ that...). Penetration testing comes with great responsibility and integrity.

    For the selection of tools, I will suggest that you check out the tools stated in the above best practices. Note that tools have bugs too, regardless of whether they are commercial or open source. You trust that the tool is not backdoored, hence the need to use well-known ones. The key is to test out the test cases in your test lab prior to actual operations. Always have complementary discrete tools; the all-in-one will typically kickstart the checks, but specific tasks like brute-forcing accounts (if agreed by the stakeholder, etc.) should be done offline with more optimised tools.
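One way to enforce the rules-of-engagement restrictions from points (b) and (c) above in code is a scope gate that every target list must pass before any scanner is pointed at it. This is an added example, not code from the thread or any of the tools it names; the in-scope ranges, exclusion list and per-run cap are constructed sample values.

```python
import ipaddress

# Constructed rules of engagement (sample values, not from the thread):
# agreed target networks, hosts the client put off-limits (e.g. the external
# mail server or a VVIP workstation), and a cap on hosts per run so a single
# scan cannot flood the whole production segment at once.
ROE = {
    "in_scope": ["192.0.2.0/24", "198.51.100.0/28"],
    "excluded": ["192.0.2.10", "192.0.2.25"],
    "max_hosts_per_run": 16,
}


def load_scope(roe):
    """Parse the RoE into network objects and a set of excluded addresses."""
    nets = [ipaddress.ip_network(n, strict=True) for n in roe["in_scope"]]
    excl = {ipaddress.ip_address(h) for h in roe["excluded"]}
    return nets, excl


def check_targets(targets, roe=ROE):
    """Split a proposed target list into (approved, rejected).

    approved: addresses that are inside an agreed network, not on the
              exclusion list, and within the per-run cap.
    rejected: mapping of target -> reason, so the tester can show the
              controller exactly why each host was dropped.
    """
    nets, excl = load_scope(roe)
    approved, rejected = [], {}
    for t in targets:
        try:
            ip = ipaddress.ip_address(t)
        except ValueError:
            # Hostnames are refused on purpose: resolve them first and scope
            # the resulting IPs, so a stale DNS entry cannot widen the test.
            rejected[t] = "not an IP address (resolve names before scoping)"
            continue
        if ip in excl:
            rejected[t] = "explicitly excluded by rules of engagement"
        elif not any(ip in n for n in nets):
            rejected[t] = "outside agreed scope"
        elif len(approved) >= roe["max_hosts_per_run"]:
            rejected[t] = "exceeds per-run host cap"
        else:
            approved.append(str(ip))
    return approved, rejected


if __name__ == "__main__":
    ok, bad = check_targets(["192.0.2.5", "192.0.2.10", "203.0.113.4", "mail.example.com"])
    print("approved:", ok)
    for host, why in bad.items():
        print("rejected:", host, "->", why)
```

Feed only the approved list to the scanner (for example via its exclude or target file), and keep the rejected map with the engagement records as evidence that the agreed scope was respected.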
    LVL 1

    Author Closing Comment

    Thanks guys for the truly great and helpful write ups!
