They say the best defense is a good offense, and when it comes to network and data security, there’s no better way to proactively head off hackers than with penetration testing. In our article What is Penetration Testing? A Look at The One Cybersecurity Tactic You Should Never Skip, we took a deep dive into how it works and a few of its benefits. If you’re looking to invest in better security for your network or are launching a new web application, there’s no better time to do a thorough round of pentesting—but what can you do to ensure it’s a success?
Here are some steps to take during your penetration test and tips for each.
1. Set goal(s) for the pentest
The best penetration tests have a clear scope and specific goals. Goals tell the pentester what to prioritize and ensure you get focused results rather than a generic scan report.
Identify what you’d like the pentester to attempt. For example, you might set goals like “Breach the credit card database,” “Crack passwords,” or “Break in and create a new admin account.” Spell out what is in scope (which hosts, applications, and IP ranges) and what is off limits. Otherwise, you could end up spending too much time (and money) running a pentest with no clear end in sight.
2. Give written permission and define the rules of engagement
Give your pentester written authorization before any testing starts. The authorization and rules of engagement should name the systems and IP ranges in scope, anything explicitly excluded (such as a production database or a third-party hosted service you don’t own and therefore can’t authorize testing against), the testing window, which techniques are allowed (for example, whether social engineering or denial-of-service testing is permitted), and an emergency contact who can halt the test. This can also include non-disclosure agreements and any ethical or legal considerations, especially if you’re dealing with regulated data or systems.
3. Get everyone on the same page
The beauty of a penetration test is that it can be performed in-house within your network walls, or it can be outsourced to a remote professional or team. If you’re having an external consultant conduct the pentest, decide how you’ll align internal teams with the process. Will you let them know what systems are being tested, or is the test also to see how they’ll respond to a breach? Be sure everyone is on board with the goals before you begin to prevent any friction or confusion.
4. Reconnaissance phase
During the first phase of the test itself, the penetration tester acts as any attacker would: scouting the web, social media, and your own site to gather as much publicly available information as they can, without yet touching your systems directly. They’ll gather both technical and non-technical data, which can be combined to draw some interesting conclusions. Non-technical info can include your location, internal personnel structure, and industry, while technical insights can include email addresses (and the address format your company uses), hardware, IP ranges and DNS records, and components of your IT infrastructure.
5. Discovery and vulnerability identification phase
Using that reconnaissance, the pentester will come up with a plan of attack and begin actively querying systems to gather more information. Initially, they might use network and port scanning to find open ports, identify the services behind them, and determine your operating system and web server versions, which can then be matched against known vulnerabilities. The primary goal of this step is to learn as much about your systems as possible and create a prioritized list of potential vulnerabilities to exploit. Note that active scanning is noisy: if the test is also meant to check whether your monitoring notices it, make sure the rules of engagement say so.
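To make the discovery step concrete, here is an added example (not code from the article, and not Nmap) of what a scanner does at its simplest: a TCP connect scan that records which ports are open and fingerprints the service from its banner, the same idea as version detection but with a deliberately tiny fingerprint list. The banner patterns, the fake loopback services, and their banner strings are all constructed for the demo. Run it only against hosts you have written authorization to test.

```python
"""Discovery-phase example: a TCP connect scan with banner grabbing.

Added for illustration; this is not code from the article or from Nmap.
The fingerprint list and the loopback demo services are constructed.
"""
import re
import socket
import socketserver
import threading
from concurrent.futures import ThreadPoolExecutor

# Tiny banner fingerprint list (assumed for the example; real scanners ship thousands).
# Each entry: (regex with product and version groups, service label).
BANNER_PATTERNS = [
    (re.compile(r"^SSH-2\.0-(OpenSSH)[_ ]([\w.]+)"), "ssh"),
    (re.compile(r"^220[ -].*?(Postfix|Exim|vsFTPd|ProFTPD)\s*([\w.]*)", re.I), "smtp/ftp"),
    (re.compile(r"^HTTP/1\.[01] \d{3}.*?\r\nServer: ([\w-]+)/?([\w.]*)", re.S), "http"),
]


def _recv_quiet(sock):
    """recv() that returns b'' instead of raising on timeout or reset."""
    try:
        return sock.recv(1024)
    except (socket.timeout, ConnectionResetError):
        return b""


def grab_banner(host, port, timeout=2.0):
    """Connect to host:port and return its banner text.

    None -> port closed, filtered or host unreachable
    ''   -> open, but the service said nothing
    str  -> open, banner captured
    Services that speak first (SSH, SMTP, FTP) are read directly; silent ones
    get an HTTP HEAD request to provoke a response.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    with sock:
        sock.settimeout(timeout)
        data = _recv_quiet(sock)
        if not data:
            try:
                sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
                data = _recv_quiet(sock)
            except OSError:
                data = b""
        return data.decode("latin-1")


def fingerprint(banner):
    """Map a banner to (service, product, version); unknown banners yield ('unknown', None, None)."""
    for pattern, service in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return service, match.group(1), match.group(2) or None
    return "unknown", None, None


def scan(host, ports, timeout=2.0, workers=32):
    """Scan ports concurrently; return {port: (service, product, version)} for open ports only."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        banners = list(pool.map(lambda p: grab_banner(host, p, timeout), ports))
    return {port: fingerprint(b) for port, b in zip(ports, banners) if b is not None}


class _BannerHandler(socketserver.BaseRequestHandler):
    """Throwaway loopback service for demos: greets with a fixed, constructed banner."""

    def handle(self):
        if self.server.wait_for_request:  # HTTP-style: reply only after a request arrives
            self.request.recv(1024)
        self.request.sendall(self.server.banner)


def start_fake_service(banner, wait_for_request=False):
    """Start a loopback listener on a free port; returns (port, server). Demo/test helper only."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _BannerHandler)
    server.daemon_threads = True
    server.banner = banner
    server.wait_for_request = wait_for_request
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1], server


if __name__ == "__main__":
    ssh_port, ssh_srv = start_fake_service(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n")
    web_port, web_srv = start_fake_service(
        b"HTTP/1.0 200 OK\r\nServer: nginx/1.24.0\r\nContent-Length: 0\r\n\r\n", wait_for_request=True)
    for port, info in sorted(scan("127.0.0.1", [ssh_port, web_port, 1], timeout=1.0).items()):
        print(f"{port}/tcp open  service={info[0]} product={info[1]} version={info[2]}")
    ssh_srv.shutdown()
    web_srv.shutdown()
```

The version strings this pulls out of banners ("OpenSSH 8.9p1", "nginx 1.24.0") are exactly what the next phase feeds into a vulnerability database; a real engagement would use Nmap's far larger fingerprint set and also cover UDP, but the shape of the work is the same.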
6. Exploitation and intrusion phase
Next, the pentester will attempt to exploit the vulnerabilities identified, using any means the rules of engagement allow. Depending on the vulnerability, the pentester might use brute-force password guessing, social engineering (e.g., leaving an infected thumb drive in the lobby or parking lot for an employee to pick up), phishing, or remote exploits against the vulnerable services found in the previous phase. Note: If your pentester is using any tactics involving individuals at your company, determine if and when you’ll reveal the exploit. Learn more in our article Should You Phish Your Own Team?
7. Taking control and collecting evidence phase
Once they’re in, the pentester will carry out the actions you’d expect from a real attacker and gather evidence that they were inside: taking screenshots, grabbing password hash files, uploading or downloading files, looking at webcams, listening in on and recording audio, etc. They might also pivot from one machine to another on the network to demonstrate how far they can move. Because some of this evidence (webcam captures, audio, real customer data) is sensitive, the rules of engagement should say what may be collected and how it will be stored and destroyed after the engagement.
Delivery of a security report: along with evidence of what they were able to accomplish, the pentester will submit a full report of every weakness found and every successful exploit, rated by severity and with enough detail to reproduce each finding, which you can then turn into action items to secure the network where it needs it most.
8. Remediating any found weaknesses
With the report in hand and skilled network security experts on the job, work through the vulnerabilities found in the pentest, highest severity first. Once a fix is in place, have the pentester retest that finding to confirm it is actually closed rather than just harder to reach.
Tip: If you don’t already have an incident response plan in place, this is an excellent time to work one up and put it to the test.
Top Pentesting Tools
What frameworks, software, and tools do skilled pentesters use? Here’s a brief list of a few top tools to look for in your penetration tester’s arsenal.
- Metasploit, an open-source exploitation framework with a large library of exploit and payload modules
- Nmap, a port scanner that identifies open ports, the services behind them and, with version detection, the software and operating system in use
- Rapid7 Nexpose, a vulnerability scanner used to discover and prioritize network exposures
- Wireshark, a packet analyzer (“packet sniffer”) that lets pentesters capture and inspect data packets moving through a network
- Nessus, a vulnerability scanner that identifies missing patches, misconfigurations and known vulnerabilities across hosts
- Core Impact, a commercial platform that lets testers replicate multi-stage attacks on a system, test mobile device security, and identify and crack passwords from one console
- Kali Linux (formerly BackTrack Linux), a Linux distribution that ships with hundreds of penetration testing tools preinstalled, including most of the ones on this list
- W3af, an open-source web application attack and audit framework that tests for cross-site scripting (XSS), SQL injection and other web vulnerabilities
- Sqlmap, an automated SQL injection and database takeover tool that detects injectable parameters and exploits them to read from or take control of the backend database
- Password attack tools such as John the Ripper and Cain and Abel, which crack captured password hashes and network keys using wordlists, brute force or precomputed rainbow tables; Cain and Abel can also sniff credentials off the network
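The password-cracking entry above is worth a closer look, because it explains why one finding in a report is critical while a similar one is merely notable. The following added example (constructed for this article, not code from John the Ripper or any other listed tool) runs a dictionary attack the way a cracking tool does: against unsalted SHA-256 hashes a precomputed table cracks every weak password with one lookup each, while per-user salts force the attacker to re-hash every candidate for every user. The wordlist and the victim records are constructed inline.

```python
"""Offline password-hash cracking, as a pentester's cracking tool does it.

Constructed example (not from the article or from John the Ripper): a small
wordlist and a handful of fake user records are built inline. It shows why an
unsalted hash falls to a precomputed lookup table while a salted one forces
one hash computation per candidate per user.
"""
import hashlib
import os

# Constructed wordlist; real attacks use lists of millions of leaked passwords.
WORDLIST = ["password", "letmein", "Summer2024!", "qwerty", "welcome1", "admin", "hunter2"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_table(wordlist):
    """Precompute hash -> password once; reusable against every unsalted hash ever seen.
    A rainbow table is a space-optimized version of exactly this idea."""
    return {sha256_hex(w.encode()): w for w in wordlist}


def crack_unsalted(hashes, table):
    """Return {hash: password} for every hash present in the precomputed table.
    Cost: one dictionary lookup per hash, regardless of wordlist size."""
    return {h: table[h] for h in hashes if h in table}


def crack_salted(records, wordlist):
    """records: list of (salt_hex, hash_hex). Return ({hash: password}, attempts).

    A per-user salt makes the table useless: every candidate must be re-hashed
    with that user's salt, so work is len(wordlist) * len(records) in the worst case.
    """
    found, attempts = {}, 0
    for salt_hex, h in records:
        salt = bytes.fromhex(salt_hex)
        for w in wordlist:
            attempts += 1
            if sha256_hex(salt + w.encode()) == h:
                found[h] = w
                break
    return found, attempts


# Constructed victim data: what a tester might pull from a dumped users table.
UNSALTED_HASHES = [
    sha256_hex(b"letmein"),
    sha256_hex(b"hunter2"),
    sha256_hex(b"correct horse battery staple"),  # not in the wordlist: survives
]
SALTS = [os.urandom(16).hex() for _ in range(3)]  # fresh random 16-byte salt per user
SALTED_RECORDS = [
    (s, sha256_hex(bytes.fromhex(s) + p))
    for s, p in zip(SALTS, [b"qwerty", b"Summer2024!", b"correct horse battery staple"])
]

if __name__ == "__main__":
    table = build_table(WORDLIST)
    print("unsalted:", crack_unsalted(UNSALTED_HASHES, table), "lookups:", len(UNSALTED_HASHES))
    found, attempts = crack_salted(SALTED_RECORDS, WORDLIST)
    print("salted:  ", found, "hashes computed:", attempts)
```

Salting alone only removes the precomputation shortcut; the weak passwords still fall to the per-user loop. The remediation a report should recommend is a salted, deliberately slow password hash such as bcrypt, scrypt or Argon2, which makes every one of those attempts expensive, together with a password policy that keeps the guessable entries out of the list.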
Ready to get started with penetration testing? Find a skilled web app pentester or network pentester on Upwork to remotely carry out an ethical hack on your network today.