There is no doubt today that the threat landscape is changing on a daily basis. It seems that hardly has one threat been discovered before many unknown ones are found still lurking. One of the best ways for businesses and corporations to defend themselves is through Penetration (Pen) Testing. This article will provide an overview of what Pen Testing is, its benefits, and the most commonly used tools today.
A Brief Review of Penetration Testing
Generally speaking, a Penetration Test (also known as a “Pen Test”) is a defined set of procedures which are used to discover any unknown weaknesses in the Network Infrastructure of a business or a corporation. However, in technical terms, it can be specifically defined as follows:
“Penetration testing typically includes network penetration testing and application security testing as well as controls and processes around the networks and applications, and should occur from both outside the network trying to come in (external testing) and from inside the network.” (SOURCE: 1)
There are some key benefits to doing a Pen Test, which are as follows:
It can give the IT team a different perspective on how to fortify their lines of defense:
Many business entities are typically stuck in their own ways as to how they feel their Information Technology should be protected. Very often, this is a reactive way of thinking; by bringing in a professional Pen Tester(s), a fresh and unbiased perspective is introduced, thus creating a much more proactive mindset.
Honest feedback is given:
In any Pen Test which is conducted, the main objective is to break the system from the inside out, using even the most untraditional methods, just like a real Cyber attacker. After these exhaustive tests have been conducted, the Pen Tester(s) will then provide recommendations and strategies, in an unbiased format, as to how the lines of defense can be improved.
It is not just limited to the hardware:
When the image of a Pen Test is conjured up, the testing of servers, wireless devices, network intrusion devices, routers, etc. all come to mind. However, keep in mind that Pen Testing also involves breaking into software applications as well. In this regard, it can also help software developers to see where the Security vulnerabilities are in the source code.
However, to execute and complete a successful Pen Test, the right tools are needed. Obviously, Pen Testing can be a quite sophisticated and complex task. It could take literally hours and even days if it all had to be done by hand. Thus, the need for automated tools arises, to carry out these tests quickly and efficiently. This is reviewed in the next section.
The Tools to Be Used in a Successful Pen Test
The various Pen Testing tools can be broken down into the following major categories:
The Port Scanner:
These kinds of tools typically gather information and data about a specific target in a remote network environment. Typically, these tools try to ascertain which of the network services are available on the target (or host) which is being scanned. In this regard, both UDP and TCP ports can be detected. These tools can perform a number of different types of probing activities, which include the following:
- The SYN-SYN-ACK-ACK sequence for TCP ports;
- Various half-scans (this is when a Cyber attacker attempts to connect to a remote computer but does not send any ACK data packets in response to the SYN/ACK data packets);
- Detecting the operating system type.
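The half-scan described above leaves a distinctive trace on the wire: one source sends bare SYNs to many host/port pairs and never sends the completing ACK (it usually answers the SYN/ACK with a RST instead). The following is an added example, not code from the original article or from any scanner: a small detector that takes a list of TCP segment records and reports sources whose SYN probes went uncompleted. The packet records, the IP addresses and the `threshold` parameter are all constructed for this example; a real deployment would feed it from a capture or flow log.

```python
from collections import defaultdict, namedtuple

# One record per TCP segment: source IP, destination IP, destination port,
# and the TCP flags as a string of letters (S = SYN, A = ACK, R = RST).
Packet = namedtuple("Packet", "src dst dport flags")


def build_sample_packets():
    """Constructed sample traffic (not a real capture): one normal client that
    completes the three-way handshake, and one host probing many ports with
    SYN and then tearing each probe down with RST (a half-open scan)."""
    pkts = []
    for i, port in enumerate((22, 443)):
        pkts += [
            Packet("10.0.0.5", "10.0.0.20", port, "S"),        # SYN
            Packet("10.0.0.20", "10.0.0.5", 51000 + i, "SA"),  # SYN/ACK back to the client port
            Packet("10.0.0.5", "10.0.0.20", port, "A"),        # ACK completes the handshake
        ]
    for i, port in enumerate((21, 22, 23, 25, 80, 443, 8080)):
        pkts += [
            Packet("10.0.0.9", "10.0.0.20", port, "S"),
            Packet("10.0.0.20", "10.0.0.9", 40000 + i, "SA"),
            Packet("10.0.0.9", "10.0.0.20", port, "R"),        # RST instead of the final ACK
        ]
    return pkts


SAMPLE_PACKETS = build_sample_packets()


def half_open_scanners(packets, threshold=5):
    """Return {source_ip: count} for sources whose bare SYNs to at least
    `threshold` distinct (host, port) pairs were never followed by a bare ACK
    from that same source. SYN/ACK replies carry both flags and are ignored."""
    probed = defaultdict(set)     # src -> {(dst, dport)} that received a bare SYN
    completed = defaultdict(set)  # src -> {(dst, dport)} where src later sent a bare ACK
    for p in packets:
        key = (p.dst, p.dport)
        if "S" in p.flags and "A" not in p.flags:
            probed[p.src].add(key)
        elif "A" in p.flags and "S" not in p.flags and key in probed.get(p.src, ()):
            completed[p.src].add(key)
    return {
        src: len(keys - completed[src])
        for src, keys in probed.items()
        if len(keys - completed[src]) >= threshold
    }


if __name__ == "__main__":
    for src, n in half_open_scanners(SAMPLE_PACKETS).items():
        print(f"possible half-open scan from {src}: {n} unanswered SYN probes")
```

The threshold is what keeps a normal client with one or two stalled connections from being flagged; in practice it would be tuned per segment, and a time window would be added so that probes spread over hours are not lost.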
The Vulnerability Scanner:
This kind of tool attempts to find any known vulnerabilities on the targeted system. There is often confusion between this and the Port Scanner. With the latter, only the number of total services which are available on each port is kept track of. There are two kinds of Vulnerability Scanners:
Network based scanners:
These only scan the targeted operating system and the network infrastructure in which it resides, as well as other TCP/IP based devices which may exist in this kind of environment. However, these kinds of scanners cannot scan general applications.
Host based scanners:
These can scan an entire operating system for any known vulnerabilities and weaknesses, as well as for any software configuration problems (this includes file access/user permission management protocols). It is important to note that a Host based scanner cannot analyze a specific software application, but it can detect holes and back doors which may reside in the source code. Therefore, this kind of tool is very useful for conducting a Pen Test in a software driven environment.
The Application Scanner:
This kind of tool checks for any Security weaknesses in Web based applications (such as, for example, an E-Commerce site). These include the following:
- Memory buffer overruns;
- Cookie manipulations;
- Malicious SQL injections;
- Cross site scripting (also known as “XSS”).
The main disadvantage of using an Application Scanner is that it can only test for a very small set of known attack vectors.
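Two of the weaknesses in the list above, SQL injection and cross-site scripting, come down to the same coding mistake: untrusted input is pasted into a query or a page as if it were code. The following is an added example, not from the original article or from any scanner product, showing the vulnerable product-search query beside its parameterized form, plus an output-escaping step for XSS. The in-memory SQLite catalog, the product names and the `listed` flag are constructed for this example.

```python
import html
import sqlite3


def make_catalog_db():
    """Constructed in-memory catalog (sample data, not a real store).
    `listed = 0` marks a product that should never appear in search results."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL, listed INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("Widget", 9.99, 1), ("Gadget", 24.50, 1), ("Unreleased Gizmo", 99.00, 0)],
    )
    return conn


def search_vulnerable(conn, term):
    """Builds the SQL by string formatting, so a quote inside `term` ends the
    literal and the rest of the input becomes SQL syntax."""
    query = f"SELECT name FROM products WHERE listed = 1 AND name = '{term}'"
    return [row[0] for row in conn.execute(query)]


def search_hardened(conn, term):
    """Same query with a bound parameter: `term` is only ever treated as data,
    so the `listed = 1` restriction can no longer be bypassed."""
    query = "SELECT name FROM products WHERE listed = 1 AND name = ?"
    return [row[0] for row in conn.execute(query, (term,))]


def render_results(names):
    """Escapes each name before it is placed in HTML, which stops a product
    name (or any other stored value) from being interpreted as markup."""
    return "<ul>" + "".join(f"<li>{html.escape(n)}</li>" for n in names) + "</ul>"


if __name__ == "__main__":
    conn = make_catalog_db()
    term = "x' OR '1'='1"
    print("vulnerable:", search_vulnerable(conn, term))   # leaks the unlisted product
    print("hardened:  ", search_hardened(conn, term))     # no match, as intended
    print(render_results(["<b>Widget</b>"]))
```

An application scanner finds the first function by submitting exactly this kind of quote-bearing input and watching the result set or error change; the second function gives it nothing to find, because the database driver never lets the parameter alter the query structure.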
The Web Application Assessment Proxy:
This is a tool which can be placed in between the web browser of the Pen Tester and the target Web server. As a result, all of the information and data flowing between the two can be examined closely. For instance, the values of hidden HTML fields can be manipulated in such a way that the application allows the Pen Tester to gain access when they should not have those permissions in the first place.
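The hidden-field manipulation described above works only when the server trusts what comes back from the browser. The following is an added example, not from the original article or from any proxy tool: a checkout handler that reads a hidden `price` field from the submitted form, beside one that ignores the client value and prices the order from its own catalog. The catalog, the SKUs, the form body and the quantity limit are all constructed for this example.

```python
from urllib.parse import parse_qs

# Constructed server-side catalog: the only authoritative source of prices.
CATALOG = {"SKU-100": 49.99, "SKU-200": 129.00}


def parse_form(body):
    """Decode an application/x-www-form-urlencoded request body into a dict
    (first value wins for repeated keys)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def checkout_vulnerable(form):
    """Trusts the hidden `price` field that the server itself put into the HTML
    form. Anything the browser sends back may have been rewritten in a proxy."""
    return round(float(form["price"]) * int(form["qty"]), 2)


def checkout_hardened(form):
    """Ignores any client-supplied price: the SKU is looked up server-side and
    the quantity is validated before the total is computed."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError(f"unknown sku {sku!r}")
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= 100:
        raise ValueError(f"quantity out of range: {qty}")
    return round(CATALOG[sku] * qty, 2)


# Constructed request body as the browser would send it after the hidden
# price field was edited in an intercepting proxy.
TAMPERED_BODY = "sku=SKU-200&qty=2&price=0.01"


if __name__ == "__main__":
    form = parse_form(TAMPERED_BODY)
    print("vulnerable total:", checkout_vulnerable(form))  # 0.02
    print("hardened total:  ", checkout_hardened(form))    # 258.0
```

The same rule applies to any field a page echoes back (role, account number, discount code): the server must recompute or re-validate it from its own state, because a hidden input is hidden only in the browser's rendering, not from anyone sitting between browser and server.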
The following list of criteria should be used when evaluating the tools which will be needed in a Pen Test:
The reporting, analysis, and results must be transparent, not only to the Pen Test team but to the client as well.
It must be highly customizable to fit the requirements of the Pen Test.
It must fit easily into the environment in which it is supposed to serve.
Avoid any Pen Test tools which lock the range of IP addresses that they scan.
The Top Pen Testing Tools Today
Here are the top tools which are being used by Pen Testing teams worldwide:
The Network Mapper (also known as “NMAP”):
As the name implies, this tool is used primarily for discovering just about any kind of weakness or hole in the network environment of a business or a corporation. It can also be used for auditing purposes. NMAP creates raw data packets and uses them to determine the following:
- What hosts are available on a particular network trunk or segment;
- The information about the services which are being provided by these hosts;
- What operating system is being used (this is also known in technical terms as “Fingerprinting”);
- Which types and versions of data packet filters/firewalls are being used by any particular host.
In other words, by using NMAP, you can create a virtual map of the network segment, and from there, pinpoint the major areas of weakness that a Cyber attacker could penetrate without any difficulty. This tool can be used at any stage of the Pen Testing process, and even has built-in scripting features available to help automate any testing process. It comes in both command-line and GUI (known as “Zenmap”) forms. Best of all, NMAP is a free tool and can be downloaded at this link: www.nmap.org
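The “virtual map” described above is usually built from Nmap's XML output (the `-oX` option) rather than from the screen. The following is an added example, not from the original article or from the Nmap project, that reduces such a report to one record per live host: open ports with their service banners, ports reported as `filtered` (the usual sign of a packet filter or firewall in the path, which is what the fourth bullet above refers to), and the best OS match. The XML document, its addresses and its service versions are constructed for this example in the layout Nmap uses; only the standard library is needed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of Nmap's -oX output (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX scan.xml 10.0.0.0/29">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/></port>
    </ports>
    <os><osmatch name="Linux 5.4 - 5.15" accuracy="96"/></os>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.3" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2019" accuracy="90"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.4" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Reduce Nmap XML to a list of live hosts with open services, filtered
    ports (a sign of a packet filter in the path) and the best OS guess."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue  # hosts that did not answer carry no useful detail
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        open_ports, filtered = [], []
        for port in host.findall("ports/port"):
            portid = int(port.get("portid"))
            state = port.find("state").get("state")
            if state == "filtered":
                filtered.append(portid)
            elif state == "open":
                svc = port.find("service")
                banner = ""
                if svc is not None:
                    banner = " ".join(x for x in (svc.get("product"), svc.get("version")) if x)
                open_ports.append({
                    "port": portid,
                    "proto": port.get("protocol"),
                    "service": svc.get("name") if svc is not None else None,
                    "banner": banner,
                })
        osm = host.find("os/osmatch")  # first osmatch is Nmap's highest-accuracy guess
        hosts.append({
            "addr": addr,
            "open_ports": open_ports,
            "filtered_ports": filtered,
            "os": osm.get("name") if osm is not None else None,
            "os_accuracy": int(osm.get("accuracy")) if osm is not None else None,
        })
    return hosts


def network_map(hosts):
    """One line per live host: the segment map a tester or defender reads first."""
    return [
        f"{h['addr']}  os={h['os']}  open={[p['port'] for p in h['open_ports']]}  "
        f"filtered={h['filtered_ports']}"
        for h in hosts
    ]


if __name__ == "__main__":
    for line in network_map(parse_nmap_xml(SAMPLE_NMAP_XML)):
        print(line)
```

Reading the report this way also suits the defensive side of the same tool: the same parser run over a scheduled scan of your own segment, with its output diffed against the previous run, is a cheap way to notice a newly exposed service or a firewall rule that quietly disappeared.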
Metasploit:
It is not just one tool, but rather, it is a package of different Pen Testing tools. It is essentially a project, or a framework, which is constantly evolving to keep up with today’s threat landscape. It is currently used worldwide by Cyber security professionals at all levels and even Certified Ethical Hackers, who also contribute their knowledge to this platform. This package is powered by the PERL platform and comes with an entire host of built-in exploits which can be used to execute any kind of Pen Test, and these are even customizable as well. For example, it already comes with a built-in network sniffer, and various access points from which to mount and coordinate various kinds of Cyber based attacks. This is accomplished via a quick, four-step process:
- Determine which prepackaged exploit should be used (or customize your own);
- Configure this particular exploit with both the remote port number and IP address;
- Ascertain which payload should be used;
- Configure the payload with both the local port number and IP address;
- Launch the exploit at the intended target.
This tool also comes with what is known as a “Meterpreter” which displays the results after an exploit has occurred. As a result, these results can be quickly analyzed and interpreted by the Pen Tester for the client, and from there, the appropriate strategies that need to be implemented can be formulated. Metasploit has been developed on an open source platform, and more information can be found on its website: www.metasploit.com.
Wireshark:
Unlike NMAP, this tool is an actual network protocol and data packet analyzer which can analyze the Security weaknesses of the traffic in real time. For example, live information and data can be collected from:
- IEEE 802.11
- Token Ring
- Frame Relay
- Any Ethernet based connections.
One advantage of using Wireshark is that the analysis results come out in a form which can be understood even by the client at first glance. With this tool, the Pen Tester can apply features such as color coding to delve deeper into the network traffic flow, as well as to isolate any individual data packet which may be of concern. Wireshark is particularly useful in analyzing the Security risks which are inherent when information and data are posted to forms on Web based applications. Some of these threats include data parameter pollution, SQL injection attacks, and memory buffer overflows. Wireshark can be downloaded for free at www.wireshark.org.
The Web Application Attack and Audit Framework (also known as the “W3AF”):
This Pen Testing suite has been created by the software developers at Metasploit, and its main purpose is to find, ascertain, and exploit any Security weaknesses or holes in Web based applications. This package consists of many tools which can root out threats such as:
- User-Agent Faking;
- Custom Headers to Requests;
- DNS Cache Poisoning (this is also known as “DNS Spoofing,” and it occurs when the DNS Name Servers return an incorrect IP address. As a result, the legitimate network traffic is diverted to the Cyber attacker’s computer).
One of the strongest advantages of the W3AF is that the parameters and variables which were used in one Pen Test instance can be saved quickly and easily into a Session Manager file. As a result, they can be reconfigured and reused quickly for another, upcoming Pen Test on a Web application. Thus, critical time is not wasted re-entering these parameters and variables. The results of the Pen Test are displayed in both easy-to-understand graphical and text based formats. Best of all, its database also contains the top known threat vectors, along with a customizable Exploit Manager to execute an attack and exploit a weakness to the maximum extent possible. The W3AF has also been created on an open source platform and can be downloaded at this website: http://w3af.org/.
John the Ripper:
One of the biggest Cyber Security threats has been, and will continue to be, the inherent weakness of the traditional password. As a result, this is one of the hottest areas in Pen Testing, and thus, many tools have evolved. One of the best-known tools is “John the Ripper.” It is also commonly abbreviated as “JTR.” There is nothing too complex about this tool; its elegance lies in its simplicity. Pen Testers have used it primarily to launch Dictionary Attacks (this is where the Cyber attacker tries to guess the cipher or the authentication mechanism which is used to lock the password database) to determine any unknown holes or weaknesses in the database. This tool accomplishes this task by taking text string samples from a word list which contains the most complex and most popular words which are found in the traditional dictionary. These samples are then encrypted in the same format as the password which is being cracked, stolen, or hijacked. The output of this analysis is then compared to the actual encryption string to ascertain the vulnerabilities and weaknesses. A strong advantage of this tool is that it can be modified to test for all the varieties of Dictionary Attacks which could occur. A key distinction of John the Ripper is that it can be used to Pen Test password databases which are both online and offline. JTR has also been created and developed on an open source platform, and it can be found at this link: http://www.openwall.com/john/.
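The comparison loop described above (hash each wordlist entry the way the store does, then compare) is short enough to show in full, and showing it also makes clear why the defensive answer is salted, iterated hashing. The following is an added example, not from the original article or from the John the Ripper project: a dictionary audit over a constructed, unsalted SHA-1 password store, followed by a PBKDF2-HMAC-SHA256 store and verifier of the kind that defeats the precomputed-table approach. The wordlist, the account names, the stored passwords and the iteration count are constructed for this example.

```python
import hashlib
import hmac
import os


def sha1_hex(text):
    """Unsalted SHA-1 as a legacy store might have used it (weak by design here)."""
    return hashlib.sha1(text.encode()).hexdigest()


# Constructed wordlist and a constructed, unsalted SHA-1 password store (sample data).
WORDLIST = ["password", "letmein", "qwerty", "dragon", "iloveyou", "monkey"]
STORED_SHA1 = {
    "alice": sha1_hex("dragon"),
    "bob": sha1_hex("c0rrect-h0rse-battery"),
    "carol": sha1_hex("letmein"),
}


def dictionary_audit(stored, wordlist):
    """The core of a dictionary attack as the article describes it: hash each
    candidate word the same way the store does and compare. With no salt, one
    table of candidate hashes tests every account at once."""
    table = {sha1_hex(word): word for word in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def hash_password(password, salt=None, iterations=600_000):
    """Salted, iterated PBKDF2-HMAC-SHA256. A per-account random salt means a
    candidate table cannot be shared across accounts, and the iteration count
    makes each candidate cost hundreds of thousands of hash operations."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("weak accounts:", dictionary_audit(STORED_SHA1, WORDLIST))  # alice and carol
    record = hash_password("dragon")
    print("stored as:", record[:40] + "...")
    print("verify ok:", verify_password("dragon", record))
```

The audit finds the two accounts whose passwords are in the wordlist and says nothing about the third, which is exactly the property a defender wants from a periodic self-check. Moving the store to the PBKDF2 format removes the shared table (each salt is different) and multiplies the cost of every guess by the iteration count, which is what turns a seconds-long dictionary run into one that is no longer practical.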
In summary, this article has examined the importance of Pen Testing, as well as some of the criteria that should be taken into account when selecting the right tool to be used. Finally, the top 5 Pen Testing tools used today have also been examined.
It is important to note that the tools reviewed are all open source, meaning that they can be downloaded for free. Given this nature, they can be modified or enhanced by the Pen Testing team to meet the needs of the specific test(s) which are to be carried out.
A prime advantage of using open source Pen Testing tools is that they are constantly being refined by contributors and other kinds of Cyber security professionals to ensure that they stay at the forefront of the ever-changing threat landscape.
However, this list is not an exhaustive one, meaning that there are many other sophisticated Pen Testing tools available to be used for any Security based environment. Our next article will review the other top Pen Testing tools.