• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 451

Safe way to do penetration testing?

As head of IT, I've been asked to do a penetration test. A search for free software was fruitless, except for Metasploit, but I'm concerned about running that in a production environment. It sounds as though it tests by doing invasive and potentially harmful simulations of actual attacks. Obviously, I'm not looking to bring down my network. Is penetration testing, by default, dangerous? What tools and software should I use? Please note, I'm not looking to do a security audit, but a penetration test, as though I was someone malicious trying to gain network access/harm the network. Thank you.
2 Solutions
Try a Nessus scan.
I would ask yourself first if you or anyone on your team is qualified to complete such a test. If not, it is OK, because there are many companies out there that do an excellent job. Read this:


Acunetix is top notch.
Yes, penetration testing is going to take up resources. Your boss wants to know if the network will hold up against one. So your answer is "Yes". All attacks are invasive; they're meant to be. The only difference here is that you call the shots: how deep the tests go, what you test for and what you don't is all up to you. You will only know how good your network security is when you attack it yourself or have someone do it for you professionally.

I don't know why you placed this in the digital forensics category either. Penetration testing is a different subject. Forensics is the finding of how it happened and who is responsible, gathering evidence of a suspected attack.

Installing the Metasploit framework isn't illegal; thousands of companies use it to make sure that they are not vulnerable to the attacks this framework offers to test. You can uninstall it when you're done too. If you want some good advice: don't do blind scans and attacks; this will land you with a broken network and no playground. Instead, think about how the attacker would prepare before they attack the server. You need valuable information before you can attempt to exploit a server.

We pen-testers are the real deal. If we tell you you have a hole in your security, you'd better believe it. You shouldn't need more than that framework and good coding knowledge, mixed with a good amount of security knowledge. If none of you do these, I would do some searching and hire a company to do the pentest for you. You will learn a lot on the way as well.
btan (Exec Consultant) commented:
Penetration testing highlights the identification of entry points (sometimes called low-hanging fruit), verification of the significant entry points, exploitation of the entry, and listing of the impacts and potential attack surface and damages. It can be black-box or white-box; to me, white-box is more controlled, as you know the internals and can safely guard against crashing key production services. Black-box, which is the more common one from the external perspective, can be more exposed to test lapses causing downtime of services.

The potential extreme of exploitation, if not well controlled, would be denial of service (causing a process to restart or stall) or data leakage (recon information leaked to the public). I will not dwell on the threats as they are self-explanatory. But what leads to this "collateral damage" is more significant in this discussion.

Factors (but not limited to these) that I see can help us to understand are:

a) Not fully knowing the test tool well, which leads to uncontrolled "options" in commands leading to automated exploitation (or persistent denial, e.g. online brute-force scanning, massive overloading of test traffic).

b) Not having rules of engagement put in place, which leads to playing this "game" with no rules, causing players to go for any targets. There would be some restrictions in testing, such as do not touch the external email server, website services, VVIP email accounts and machines, etc. There is a need for a controller, if possible, for such Red vs. Blue Team testing.

c) Not having a well-prepared or segregated test environment, whereby the penetration testing is done impromptu and the test sampling and payload are done in the same production network. E.g. the test LAN is VLANed, or the test is even started from the external side through the website entry points, so that any mishap of the test tool or oversight in the test cases does not directly bring down the whole enterprise LAN; minimally, mitigating the damage can be done easily by some simple config to redirect traffic or switch off some router, etc.

There are some standards that state accountability for the testing and best practices, such as OWASP, OSSTMM, and NIST SP 800-115. They also provide methodology to guide the testing to aid in gathering sufficient intelligence before you plan out your ops plan. Most of the time, you do not have the luxury to repeat the testing as you are "exposed".

@ http://searchsoftwarequality.techtarget.com/tip/Penetration-testing-best-practices

More importantly, it is not proficiency in using penetration tools but the safeguards and rules of engagement that you should lay out straight up front to protect the customer and yourself. Being a greenhorn does not mean you are innocent if something goes wrong during the testing, e.g. being unable to control a DoS in time, etc. (maybe at first you should not employ that...). Penetration testing comes with great responsibility and integrity.

For the selection of tools, I would suggest that you check out the tools stated in the above best practices. Note that tools have bugs too, regardless of commercial or open source. You trust that the tool is not backdoored, hence the need to use well-known ones. The key is to test out the test cases in your test lab prior to actual operations. Always have complementary discrete tools; the all-in-one will typically kickstart the checks, but specifics like brute-forcing accounts (if agreed by the stakeholder, etc.) should be done offline with more optimised tools.
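Factors (b) and (c) above boil down to controls that can be enforced mechanically before a tool sends a single packet: an agreed scope, an exclusion list for the hosts the stakeholder said not to touch, an approved test window and a ceiling on probe rate. The following rules-of-engagement gate is an added example and not code from the thread or from any of the tools mentioned; the RoE values, addresses (RFC 1918 and documentation ranges) and function names are constructed for illustration.

```python
"""Rules-of-engagement (RoE) gate for a penetration test (hypothetical helper).

Every target a scanner is about to touch is checked against the agreed scope,
the stakeholder's exclusion list, the approved test window and the agreed
probe-rate ceiling. Anything that fails is reported with a reason so the
operator can fix the plan instead of discovering the mistake in production.
"""
import ipaddress
from datetime import datetime, time

# Constructed RoE for illustration only; values are assumptions, not from the thread.
ROE = {
    "in_scope": ["10.20.0.0/16", "203.0.113.10/32"],
    # Hosts the stakeholder said not to touch (e.g. mail server, VVIP workstation VLAN).
    "excluded": ["10.20.1.25/32", "10.20.5.0/24"],
    # Approved test window in local time; may cross midnight.
    "window": ("22:00", "05:00"),
    # Agreed ceiling on probe rate (packets per second) to avoid overloading services.
    "max_pps": 200,
}


def _parse_networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _in_window(t, window):
    """True if clock time t falls inside [start, end), handling windows that cross midnight."""
    start = time.fromisoformat(window[0])
    end = time.fromisoformat(window[1])
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def check_target(roe, ip, when, pps):
    """Return (allowed, reason) for one target.

    Exclusions are evaluated before scope so that a listed host stays
    off-limits even when it sits inside an in-scope range.
    `when` may be a datetime or an ISO-8601 string.
    """
    when_dt = datetime.fromisoformat(when) if isinstance(when, str) else when
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in _parse_networks(roe["excluded"])):
        return False, "excluded by stakeholder"
    if not any(addr in n for n in _parse_networks(roe["in_scope"])):
        return False, "out of scope"
    if not _in_window(when_dt.time(), roe["window"]):
        return False, "outside approved window"
    if pps > roe["max_pps"]:
        return False, "probe rate above agreed ceiling"
    return True, "ok"


def filter_targets(roe, targets, when, pps):
    """Split a proposed target list into an allowed list and a {ip: reason} dict of rejects."""
    allowed, rejected = [], {}
    for ip in targets:
        ok, reason = check_target(roe, ip, when, pps)
        if ok:
            allowed.append(ip)
        else:
            rejected[ip] = reason
    return allowed, rejected


def run_demo():
    """Gate a constructed target list at 23:30 with a 100 pps plan."""
    proposed = ["10.20.3.4", "10.20.1.25", "10.20.5.7", "192.0.2.1", "203.0.113.10"]
    return filter_targets(ROE, proposed, "2024-01-01T23:30", pps=100)


if __name__ == "__main__":
    ok, bad = run_demo()
    print("allowed:", ok)
    for ip, why in bad.items():
        print(f"rejected {ip}: {why}")
```

Run the gate over the target file before handing it to any scanner, and keep the RoE dictionary under the same change control as the engagement letter; the point is that the excluded mail server and the VVIP VLAN are rejected even though they sit inside the in-scope /16, which is exactly the oversight a blind scan would make.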
LB1234 (Author) commented:
Thanks guys for the truly great and helpful write ups!
