The do's and don'ts of DIY pen testing

Davey Winder

Penetration testing – the art of bolstering your network security by discovering how weak it is – has long been part of the security strategy for many large organisations. Testing of any process or product is a vital cog in the successful business machine; that much is a given. Not putting your security to the test is as much of a false economy as not testing your data recovery plans. However, the big question is: If professionals are out of your budget, is doing it yourself better than not doing it at all?

I'm not going to say that I would recommend DIY pen testing over and above a professional consultancy, because I wouldn't. However, neither would I say it's a red flag idea. My rule of thumb would be to do what you are comfortable with, what management is comfortable with and what will do no harm. Which really means that you will be stopping short of real penetration testing and sticking with vulnerability assessments instead.

So, what's the difference between a vulnerability assessment and an actual penetration test? The former is a way of identifying security issues within your organisation by producing, in effect, a list of vulnerabilities. A proper pen test, however, is much more goal-oriented and as such should be thought of as attack-simulated scenarios designed to hit a specific target such as accessing a particular database or finding and modifying a designated file. Done properly it's not a list producer, but rather a methodology mapping tool. 

Beyond this, there's Red Teaming, which you can think of as pen testing on steroids. It's the closest you can get to an actual attack, possibly because that's what it is: an attack, but by trained ethical white hats with the permission of senior management. Red teaming is very attacker-oriented rather than goal-oriented, with the task of discovering just what the bad guys could do if they tried. It is not something for the “do-it-yourselfer” to attempt. And that's a big block caps NOT EVER!

DIY pen testing should only be thought of as being the equivalent of a 'quick check up' rather than an in-depth full-body health scan. It is best used not to replace the work of the professionals, but rather to add evidential weight to your case for budgeting to bring them in.

But, assuming that you are going to go down the route of vulnerability assessments – or even pen testing lite – what do you need to know? Here are my top five DIY pen testing caveats:

1. If you are planning on testing any hosted sites then the best advice is don't

Such testing will almost certainly be against the hosting provider's terms of service. What's more, if you don't get permission from the service owner before you start any testing then you will probably end up in breach of the Computer Misuse Act – Section 2 (1990).

2. Don't take the DIY approach to buy-in for any pen testing

It's vital you have the understanding and agreement of the management team before starting anything.

3. Clear up after yourself

This applies mostly to those going “off piste” and not using automated tools, but rather opening shells and being truly DIY. Leaving evidence trails could hinder incident response following a real breach further down the line, and leaving open shells could help hackers control the network you are trying to secure.

4. Don't expect your results to be as reliable as those from a professional pen testing team

The trouble is that you will likely know too much and too little simultaneously. By which I mean that it's all too easy to explain away vulnerabilities courtesy of your insider view of the network and the business. Equally, if you don't know what you’re looking for then how will you know when you have (or haven't) found it?

5. Make sure you can report back on everything you find

The measure of success when it comes to penetration testing isn't in the vulnerabilities you find or the shadowy routes to an objective you discover: it's being able to report these things in a meaningful and objective way. Finding problems is one thing; fixing them is another. This is probably the biggest false economy in going down the DIY pen testing route: the professionals know how to produce reports and have the skill to help action their findings.


Top Three DIY Pen Testing Tools

While you shouldn’t expect to have access to all the tools of the trade – most of which will be custom-developed and highly treasured – there are some resources that serve to automate parts of the process and are available to anyone. Here are our top three:

1. Metasploit Framework 

A free edition of the well-known tool that helps test for vulnerabilities and breaks into systems by executing exploit code. On top of this, Metasploit Unleashed is a free of charge ethical hacking training course for Metasploit users wanting to be effective and responsible in their efforts.

2. Kali Linux 

This is almost a one-stop-pen-testing-shop in that it comes with most of the basic tools you could need already installed. What's more, they are authorised copies so you don't have to worry about whether they come with malware attached. Included in this you’ll find intercepting proxies, traffic analysis tools and automated vulnerability scanners.

3. SQLmap 

This is a great tool for discovering, and exploiting, SQL injection issues in web applications. As well as being in most pen testing toolkits, it's also in most script kiddie attacker toolkits as well! If the bad guys are using it, you should be as well.