Sometimes "ethics" is viewed as an obstacle to the actual attacks during a professional penetration test; the idea is that the black hats don't follow any ethical patterns when attacking a system, so ethics can only prevent a "good guy" from really understanding the risks to a system or network. This isn't a strong argument, since there aren't too many restrictions in a pentest, other than those that might jeopardize the continual operation of production systems; even then, the types of attacks that can disrupt a network or system typically fall under the umbrella of Denial of Service (DoS) attacks. The susceptibility of a system to a DoS attack is often a risk that the system owner acknowledges beforehand. Therefore, ethics doesn't really become an overwhelming issue in the actual attacks against a system (other than expanding the scope of the attacks without permission).
Where ethics becomes an issue is how we handle our findings and maintain confidentiality. It's exciting to discover a way into a system, and report the findings to our clients. The risk at that point is how well we retain this data without exposing our clients to additional risks; one thing we always have to remember is that mitigation of risks is a business decision, which may be to not remediate the identified vulnerability. If we release data on the vulnerability, even if we exclude information about the client, there is still a chance that our client may come under attack simply through chance. As professionals, we should not put our clients at additional risks, and need to be careful as to what we do after a penetration test - not just during one.
What kind of hardware do you use and why?
I use a combination of Windows and Linux-based systems, depending on what tools I need access to. I have to admit when looking for laptops, my highest priority is to find a system that has a wireless modem that can be put into monitor and promiscuous mode, for wireless attacks, if and when they come up. I also have begun to favor my jailbroken iPod Touch as an attacking platform for testing purposes, especially since it runs a Unix-compliant operating system that can compile and run most of the Linux-based hacking programs; the size and storage capacity of the iPod Touch makes it a fun tool to work with.
Which software solutions can you recommend?
I often get flak for mentioning some of the high-end commercial tools, such as WebInspect and Core IMPACT, but the time of a penetration tester is simply too valuable to spend looking for low-hanging fruit. The simple ability to automate scans and attacks with Core IMPACT makes it invaluable - plus, there's additional functionality that makes IMPACT a great attack tool, especially the ability to use exploited systems as attack systems almost trivially.
The commercial software is often just a starting point to save time and get a better understanding of the target network or system. After that, we inevitably need to get our hands dirty and use tools that we have more control over, such as Nmap, scapy, netcat, etc. Out of the "Top 100" network security tools listed at sectools.com, I probably have used half of them at different points in my career; that's not even including scripts written as needed. To answer your question directly, I would recommend whatever tool is best for the challenge.