Q&A: Penetration testing
by Mirko Zorz - Wednesday, 26 August 2009.
Where ethics becomes an issue is how we handle our findings and maintain confidentiality. It's exciting to discover a way into a system, and report the findings to our clients. The risk at that point is how well we retain this data without exposing our clients to additional risks; one thing we always have to remember is that mitigation of risks is a business decision, which may be to not remediate the identified vulnerability. If we release data on the vulnerability, even if we exclude information about the client, there is still a chance that our client may come under attack simply through chance. As professionals, we should not put our clients at additional risks, and need to be careful as to what we do after a penetration test - not just during one.

What kind of hardware do you use and why?

I use a combination of Windows and Linux-based systems, depending on what tools I need access to. I have to admit when looking for laptops, my highest priority is to find a system that has a wireless modem that can be put into monitor and promiscuous mode, for wireless attacks, if and when they come up. I also have begun to favor my jailbroken iPod Touch as an attacking platform for testing purposes, especially since it runs a Unix-compliant operating system that can compile and run most of the Linux-based hacking programs; the size and storage capacity of the iPod Touch makes it a fun tool to work with.

Which software solutions can you recommend?

I often get flak for mentioning some of the high-end commercial tools, such as WebInspect and Core IMPACT, but the time of a penetration tester is simply too valuable to spend looking for low-hanging fruit. The simple ability to automate scans and attacks with Core IMPACT makes it invaluable - plus, there's additional functionality that makes IMPACT a great attack tool, especially the ability to use exploited systems as attack systems almost trivially.

The commercial software is often just a starting point to save time and get a better understanding of the target network or system. After that, we inevitably need to get our hands dirty and use tools that we have more control over, such as Nmap, scapy, netcat, etc. Out of the "Top 100" network security tools listed at sectools.com, I probably have used half of them at different points in my career; that's not even including scripts written as needed. To answer your question directly, I would recommend whatever tool is best for the challenge.

What would your advice be for anyone interested in taking up penetration testing seriously?

Professional penetration testing is about helping the client better understand and secure their network and systems. We are not there to make them secure their network - that is a business decision that the client's management needs to make for themselves. Because we are simply an audit tool in the eyes of our client's management team, it can be frustrating to see our remediation suggestions ignored; but that is how business works.

I would also like to explain that penetration testing is a lot of work, and involves a lot of research and learning. Keeping up with security trends, reading about the latest exploits, setting up a lab and recreating exploits, and documenting findings can be taxing on a person's time, especially if one wants to maintain their skills and be an asset to the team.

How long did it take you to write Professional Penetration Testing: Creating and Operating a Formal Hacking Lab? What was the writing process like?

The book took about a year from inception to print; however, the training videos on the accompanying DVD had already been developed as part of the online classes at Heorot.net. The book was originally intended to support the training on the DVD, but it took on a life of its own. I ended up writing the book more as a college textbook that would take the reader from conception to conclusion of a professional penetration test. The impetus behind writing the book in this manner was that I needed a solid textbook to use in my own college classroom at Colorado Technical University, where I teach students how to conduct a professional penetration test. As a result, the book and DVD can be used independently from each other, or together to provide a deep understanding of penetration testing and methodologies.
