Learning Goals

What pen tests is and how it is used

Penetration tests methodology

Penetration testing environment - kali linux & virtual machine tools

Information gathering - scanning & reconnaissance

Information gathering tools - nmap, wireshark, google dorking etc.

Reminder: Attacking systems you do not have permission to attack is illegal. Only perform attacks on machines and networks you own or have permission for.

Current State Cybersecurity

Over the past year or so hacking has gained mainstream attention from some high profile attacks. Theses attacks such as the Equifax data breach, Wanna Cry ransomware and many others have cost companies millions of dollars. With so much attention placed on data breaches, questions have been brewing of how safe user data is with each company. As long as these attacks keep happening companies will have to place more and more emphasis on their security procedures. Within cybersecurity penetration testing (pen screening) is one of the ways of mitigate attacks by plugging up security holes.

What is penetration tests?

Penetration tests is a process used by companies to test the security of their software and infrastructure. In penetration testing, a group of security professionals act as attackers in order to identify holes before hackers do. A pen tester’s goal is to provide information to the company about their vulnerabilities. In the world of security this is commonly referred to as red teaming. On the other side of penetration testing the company’s security team, the blue team, figure out what areas of their security need to be strengthened.

Is a Penetration Tester Just a Hacker?

A major difference between a malicious hacker and pen tester is permission and reporting. Most companies provide a scope of areas where they would like the pen tester to focus. These could be specific domains, networks, systems etc. Pen testers also record any vulnerabilities found during their testing and can suggest solutions to patch the issue.

Types of Penetration Screening

The types of penetration tests can vary depending on the technology. Here are some of the common types of pen testing:

Network Screening

Mobile Application Screening

Web Application Tests

Cloud Tests

Social Engineering Screening

Even though each area of penetration testing have differing tool sets, they share a common methodology.

Penetration tests methodology

Scanning and Reconnaissance - Getting to know the target using passive methods like researching publicly available information and network scanning.

Threat Modeling - A description or model of all the security concerns and why they should be resolved.

Vulnerability Analysis - Identifying vulnerabilities and determining their severity.

Exploitation - Gaining access by breaching security of a system or finding an bug to exploit in the software.

Post-Exploitation Reporting - Detailing the vulnerabilities found and providing information on potential impact on the company if exploited.

With the general methodology laid out, let’s jump into the initial steps to get up and running with penetration screening.

Introducing the environment

Cybersecurity like other technology fields has an abundance of tools available. To make this simpler Kali Linux was developed to bring together the most common tools in one OS environment. Kali Linux is a debian based linux system that can be used in a virtual environment such as Virtualbox or VMware. With virtual machines we can make a closed off network of multiple machines. This is a great way to practice attacks without opening up your own machine to attacks.

相關文章：

What are PENETRATION Examination DELIVERABLES?

It was easy for me to walk away from the world

Precisely what is A Penetration Check And Why do I need It?

Why do I want A Penetration Exam?

Top rated eight Misconceptions About Penetration Testing