Jose Cane


PEN TEST suggestions

We've started doing some PenTesting in our environment with KaliLinux and utilizing Metasploit as well.  Since this is an internal test, we are going with a segmentation approach, but I wanted to know what would also be recommended for our small company.  We have less than 1k users and smaller sites.  We're also planning on visiting the sites and doing site surveys in the near future.

Thanks for your thoughts and suggestions.
Jorge Diaz

Are you using the free or commercial Metasploit? Your company is small but not that small, considering you have about 1k users. Running a licensed product will make your life easier, and management will be happy with the detailed reports you'll be able to produce.

Going back to your main point, I'd include social engineering and wifi attacks, and concentrate on high-profile servers such as those running SQL, FTP, SMB. If you have HTTP servers you can also use w3af.
noci

There is more than just technical breaches. How about social engineering, plain old breaking in (with or without damage)?
Ability to get to systems without any keys or locks. Entering the building without a token.
Dropping sticks, CDs etc. Sending "fishy mails".
Besides breaking in, how about verifying the hardening of systems? (lynis might help as a tool: https://cisofy.com/lynis/ )
In short, the works. Also check auditing reports on systems: are any attempts to compromise discovered?
Are the systems hardened anyway?
A pen test is more than a little reading up and a download of Kali Linux.

A pen test has specific objectives, for example, checking that all servers are at the correct patch levels and that certain ports are unavailable.

What you need is a vulnerability assessment; the two are massively different. A pen test can actually be done by a script kiddie if it is just running tools, and I think you can do more objectively. Knowing how to do a ping sweep and run Nessus or Nmap scans by themselves is not a pen test or a vulnerability examination.

Vulnerability assessments include looking for weaknesses for potential compromise, such as back patching, IP connectivity, application security and flaws, as well as a little education for users and some environmental discussion, for example, can screens be seen from external locations, such as the street?

Is there any particular thing that you are interested in, or are you looking for general security? Otherwise, it may be worth getting a decent company (CREST accredited) in for a few days (depending upon the size of your environment) and getting a sense of the knowledge out of them. If you are doing it for compliance you should be looking at an independent party.

That said, there is certainly benefit in using the pen testing tools to verify that you have closed the vulnerabilities on your systems that you are aware of. But only if you know where to start and end. If you know that some are missing patches, you don't need a pen tester to tell you that as well; go straight to the patching.

Also take a step back and understand how your IT systems support the business. Where is the most important data located? Which systems support BAU, and which would a security incident affect the most? Start with the higher-risk systems.

Do still consider budgeting for the pen tester to do a follow-up after the initial test is complete. You will want to confirm that any recommendations they make, and you implement, have been carried out successfully.
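The question describes an internal test run with a segmentation approach, and the answers above single out two concrete checks: that certain ports are unavailable, and that high-profile servers (SQL, FTP, SMB) get the most attention. The script below is an added example, not code from the question or any of the answers. It parses nmap's grepable (-oG) output as produced by a scan run from a user VLAN against the server VLAN, and compares the open ports against an allow-list of what that segment is permitted to reach; anything else that answers is a segmentation finding, and the high-profile services are called out. The hosts, hostnames, banners and the ALLOWED_FROM_USER_VLAN policy are all constructed for the example and would be replaced by your own scan file and your own firewall rules.

```python
import re
from dataclasses import dataclass

# Constructed sample of nmap grepable output, of the kind written by e.g.
#   nmap -sV -p- -oG scan.gnmap 10.10.20.0/24
# run from the user VLAN. Addresses, names and banners are made up.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 09:00:00 2024 as: nmap -sV -p- -oG scan.gnmap 10.10.20.0/24
Host: 10.10.20.15 (db01.corp.example)\tStatus: Up
Host: 10.10.20.15 (db01.corp.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2019/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (65532)
Host: 10.10.20.22 (files01.corp.example)\tStatus: Up
Host: 10.10.20.22 (files01.corp.example)\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 445/open/tcp//microsoft-ds//Samba smbd 4/\tIgnored State: closed (65533)
Host: 10.10.20.40 (intranet.corp.example)\tStatus: Up
Host: 10.10.20.40 (intranet.corp.example)\tPorts: 443/open/tcp//https//nginx 1.24/\tIgnored State: closed (65534)
# Nmap done at Mon Jan  1 09:20:00 2024 -- 256 IP addresses (3 hosts up) scanned in 1200.00 seconds
"""

# Hypothetical segmentation policy: the (host, port) pairs the user VLAN is
# supposed to be able to reach on the server VLAN. Anything else that is open
# from this vantage point is a finding.
ALLOWED_FROM_USER_VLAN = {
    ("10.10.20.40", 443),  # intranet web front end
    ("10.10.20.22", 445),  # file shares, assumed business requirement
}

# The services the answers call high-profile, plus the other common databases.
HIGH_PROFILE_PORTS = {21: "ftp", 445: "smb", 1433: "mssql", 3306: "mysql", 5432: "postgresql"}


@dataclass(frozen=True)
class OpenPort:
    host: str
    port: int
    proto: str
    service: str
    version: str


# A gnmap "Ports:" line: Host: <ip> (<name>)<TAB>Ports: <entries>[<TAB>Ignored State: ...]
PORT_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\tIgnored State:.*)?$")


def parse_gnmap(text):
    """Return the open ports found in nmap -oG output, skipping filtered/closed entries."""
    found = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue  # comment lines and "Status: Up" lines carry no ports
        host, _name, ports_field = m.groups()
        for entry in ports_field.split(", "):
            # Each entry is port/state/proto/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state != "open":
                continue
            found.append(OpenPort(host, int(port), proto, service, version))
    return found


def segmentation_findings(open_ports, allowed):
    """Open ports that the policy says this segment should not be able to reach."""
    return [p for p in open_ports if (p.host, p.port) not in allowed]


def high_profile_targets(open_ports):
    """Open ports belonging to the high-profile services worth testing first."""
    return [p for p in open_ports if p.port in HIGH_PROFILE_PORTS]


def report(text, allowed):
    """One line per segmentation finding, high-profile services listed first."""
    ports = parse_gnmap(text)
    findings = segmentation_findings(ports, allowed)
    findings.sort(key=lambda p: (p.port not in HIGH_PROFILE_PORTS, p.host, p.port))
    lines = []
    for p in findings:
        tag = HIGH_PROFILE_PORTS.get(p.port, p.service)
        banner = p.version or "no banner"
        lines.append(f"SEGMENTATION: {p.host}:{p.port}/{p.proto} ({tag}) reachable from user VLAN - {banner}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_GNMAP, ALLOWED_FROM_USER_VLAN):
        print(line)
```

On the constructed scan, the SQL Server and SSH ports on db01 and the FTP port on files01 are reported as segmentation findings, while SMB on files01 and HTTPS on the intranet host are accepted because the policy allows them; the filtered SMB port on db01 is ignored because it did not answer. Running the same script against a second scan after the firewall changes is the follow-up check the answer above recommends budgeting for.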
Consider using a relevant penetration testing methodology.

Several are listed here: https://www.owasp.org/index.php/Penetration_testing_methodologies

The Penetration Testing Execution Standard (PTES) is one to consider: rather than simply a methodology or process, PTES also provides hands-on technical guidelines for what/how to test, the rationale for testing, and recommended testing tools and their usage.

http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
Use Kali Linux. Kali Linux is an operating system built specifically to be used by penetration testers, computer forensic experts, and security auditors. It comes prepackaged with over 300 different security tools, almost all of which are open source, and many of them industry-recognized. Such tools include:
• Nmap
• Wireshark
• Metasploit Framework
• John the Ripper
• Aircrack-ng
• Burp Suite
• Ettercap
• OWASP ZAP
• THC Hydra
• Maltego
• sqlmap
• Social Engineer Toolkit

https://www.experts-exchange.com/articles/31793/Vulnerability-Assessments-versus-Penetration-Tests.html
https://www.experts-exchange.com/articles/33606/CISSP-Process-Guide.html  [Check the PEN TEST section]