Talking about security and the need to always stay one step ahead of the bad guys, or girls, is easy; you just open your mouth and say things like “A determined hacker can break into any system. It’s just a matter of time before we are hacked.” While such a statement might in many cases be true, how does it work? How do they actually hack their way in? Also, can hands-on security testing be used to lower the risk of someone breaking into a system and creating havoc? And perhaps the most important question: “How can I become a professional security tester?”
This book was written to answer those very questions. The book you have in your hands will teach you how to do high-quality security and penetration testing. The following chapters will, in great detail, describe the step-by-step process used by security professionals to locate security weaknesses. This book will also teach the reader how to use the very same tools and techniques that hackers use to break into computer systems.
The pages you are about to read are meant to work as an introduction to professional security and penetration testing. This means that both hacking techniques and delivering a high-quality report, and many things in between (such as how to properly prepare for a security test), get the same amount of attention.
Each of the book’s chapters contains detailed step-by-step explanations on how to successfully, and professionally, take on a security test with ease.
An important aspect of the book is that it was written to give the reader a general understanding of how threats against our systems emerge and how thorough security and penetration testing can be used to deal with these threats before it’s too late. This means that while the book features many technically detailed explanations of specific threats and vulnerabilities, the knowledge you will gain from the coming chapters will give you a solid grasp of how to tackle any newly discovered threat.
A good security tester has to be creative, curious, and persistent, but the real world of communication protocols, unstable software implementations, and the almost always incorrect network charts will keep any creative mind trapped inside the inevitable box. The beauty of a good security test lies in how text and technology merge to form an entity. While the technical groundwork for that entity can only be done by someone who knows her way around most systems and platform architectures, it can only be brought to life if an equal amount of effort goes into describing the entire exercise with text (and the occasional figure).
It’s simple. There are no shortcuts. No high-quality security test has ever been carried out without the proper preparations. Even though they are most likely less formal, even hackers of the most vicious kind make preparations of some sort before attacking their victims. Taking the time to thoroughly prepare a security test before execution is the only way to get good results in the long run.
No two systems are identical. This means that each security test is more or less unique. But having the knowledge to categorize different types of security tests is key to getting a good and valuable result. This chapter explains the industry-standard security test types and how they can be applied to real-world scenarios. What vulnerabilities actually are and how they can be discovered, along with information on how they can be contained through security testing, is discussed in great detail.
This chapter also provides an in-depth look at the infamous Heartbleed bug and how that security vulnerability, and others like it, can be handled within a security testing program.
Many honest attempts have been made to define a universal security testing process. Some attempts to explain such a process have been more widely accepted than others. One of the most well-established processes is the penetration testing execution standard, or PTES.
While using the PTES during a security test is a relatively straightforward process, some consider PTES to be too big and too technically oriented to be applied to all security testing scenarios. This chapter will therefore aim to define a security testing process that can be applied to almost any technical environment in any organization.
The following sections will describe how a well-defined security test can transition from the early stages of planning to the delivery of a rock solid presentation that everyone in the organization can benefit from.
Even the most well-planned security test will eventually fail if the security tester does not have the right tools for the job. This chapter will explain how the security tester can prepare for the technically challenging tasks that lie ahead.
The following sections will give tried-and-true advice on how to best prepare oneself for a security test regarding how to capture network traffic, how to keep report drafts confidential, how to document the step-by-step progress of the security test, and much more. The sections will also provide advice on how to put together a reliable security testing platform.
This chapter is meant to provide a transition from the theoretical aspects of security testing to the hands-on hacking. The following sections will explain different technical approaches to security testing that will result in a well-structured report. This chapter will also address the benefits, and the potential side effects, of running security tests against pre-production and/or production systems.
It’s time to start hacking away. After the test scope has been set, the test has been planned, and the security tester has prepared her technical platform, it’s time to get hacking.
This chapter will open the door to the tools used by hackers and software testers alike. The pages that are about to follow will dig into the nitty-gritty of many hacking tools and methods used to carry out high-quality security testing.
The reader of this chapter, and the coming chapters, will learn how to configure, launch, and understand the result of today’s most popular hacking software. This includes the technical details of how to scan networks for live and potentially vulnerable hosts, how to identify vulnerable services, and how to break into them - the hacker way.
As we saw in the previous chapter, the identifying-vulnerabilities step can be, and sometimes must be, broken down into several smaller substeps (see Figures 5-2 and 5-3 in Chapter 5). One such division is breaking it down into footprinting, scanning, and enumeration. Each of the three is discussed in greater detail below.
What makes an excellent carpenter? The most obvious answer would, of course, be excellent craftsmanship. But without the right tools, not even the world’s greatest carpenter could make a decent table. The same is true for a security tester; she needs the right tools to carry out a decent security test. These tools are, most of the time, the very same tools that a hacker would use to try to force her way into a system.
The chapter will explain how computer systems can be broken into. This includes how to hack conventional password implementations and how to break into traditional services like FTP servers, file-sharing systems, and database management systems.
This chapter will also guide the reader through how to exploit web application vulnerabilities using The Open Web Application Security Project’s top ten list (known as the OWASP Top Ten Project) as a guideline.
Last but not least, this chapter will show in great detail how both hackers and security testers can break their way into databases using SQL injection techniques. The techniques demonstrated for SQL injection will give the reader full insight into one of the most popular attack techniques employed by hackers.
The final report, and how it is presented, can be considered to be the most important step of the security testing process. A good security tester should be able to clearly present her findings to non-tech executives and systems administrators. She should also be able to explain every aspect of her report to everyone else involved in the project regardless of how knowledgeable they are of IT security solutions.
Included in this chapter are two sample security test reports. They are both based on security issues that have been addressed throughout this book.
The first one is a report on a general security test of three Linux-based servers providing a variety of services. It can be considered to be a black box test since the security tester knew little about the servers before the test began.
The second report is on a handful of web applications running on a single server. This test can be considered to be a gray box test since the security tester had access to data flow diagrams before the test took place.
While they are likely to be somewhat shorter than a real-world security test report since the test scope is rather narrow, both of the sample reports are meant to serve as examples of what a professional-looking one could look like.
Although the two reports share much of the same structure, they are different in the sense that the first report was written from a “let’s scan the network and see what we can find” approach while the second report takes on a more checklist type of testing approach. The checklist applied to the testing featured in the second report is based on the well-established OWASP Top Ten list for web application vulnerabilities.
Being a good security tester takes a lot of passion and dedication. An interesting side to the security tester profession is that there will always be new threats and vulnerabilities to dig into. While the never-ending flood of reported security breaches may seem somewhat intimidating, the following list of tips on how to become a better security tester might help you stay afloat.