CompTIA PenTest+ Articles
Prove your penetration testing prowess and advance your career. We've got tips to help you succeed.
Articles From CompTIA PenTest+
Cheat Sheet / Updated 03-08-2022
Welcome to the CompTIA PenTest+ Certification For Dummies online cheat sheet! Here, you'll find quick facts to remember on test day to help you answer questions found on the CompTIA PenTest+ certification exam. It includes some of the major concepts you need to know for the exam such as the phases of the penetration testing process, OSINT tools, exploitation tools, wireless cracking tools, Nmap command-line switches, and parts of the penetration test report.
Article / Updated 03-23-2021
The second category of pentesting tools that appears in the CompTIA PenTest+ objectives is credential testing tools. Credential testing tools help you crack passwords for user accounts on a system. There are a number of password-cracking tools out there, but these are the tools the PenTest+ exam wants you to be familiar with.

Hashcat

Hashcat is a common password-cracking tool used to crack the hashes of passwords. Hashcat can crack hashes from a number of different hashing algorithms, including MD5, SHA1, and more. Hashcat can use dictionary attacks and brute-force attacks to crack the password hashes. For example, you could use the following command:

hashcat -m 0 -a 0 -o output.txt target_hashes.txt /usr/share/wordlists/rockyou.txt

Where:
-m 0 specifies the hash mode. 0 means MD5, while 100 is SHA1.
-a 0 specifies the attack mode. 0 means a dictionary attack.
-o specifies the output file to write the cracked passwords to. In this example, I used output.txt.
target_hashes.txt is the file that contains the hashes to be cracked.
/usr/share/wordlists/rockyou.txt is the dictionary list file that comes with Kali Linux.

You can view the many parameters of Hashcat and their possible values by typing hashcat -h in a Linux terminal.

Medusa and Hydra

Medusa and Hydra are also password-cracking tools included with Kali Linux that you can use to crack passwords. Medusa is a fast password-cracking tool that can encapsulate the password attack into different protocols, such as HTTP, FTP, IMAP, MSSQL, POP3, SMTP, TELNET, SSH, and many more. For Medusa on Kali Linux, use the following command:

medusa -h 192.168.1.3 -u admin -P rockyou.txt -M ssh

This command will try to crack the password for a user known as admin on system 192.168.1.3 using SSH as the protocol and the password list file rockyou.txt. Hydra is a password-cracking tool that can encapsulate the attack inside many protocols as well, such as FTP, HTTP, HTTPS, LDAP, MS-SQL, MySQL, RDP, POP3, SMB, SSH, and many more. Notice that you can use it to crack passwords over RDP.
So you could use Nmap to discover all systems on the network running RDP and then use Hydra to attempt to crack the admin password. For example, use this command to detect systems with RDP on the network:

nmap -sS 192.168.1.0/24 -p 3389

Once you have discovered the systems running RDP, you can then try to crack the passwords with the following command (assuming 192.168.1.3 is one of the systems):

hydra -l administrator -P rockyou.txt rdp://192.168.1.3

Where:
-l is the name of the user account to crack. Note you can use -L instead with a text file containing a list of users.
-P specifies the password list file to use. In this example I used rockyou.txt.
rdp://192.168.1.3 is the system we want to crack the password on. Note the URL starts with the protocol. If you want to crack the password over FTP or HTTP, you would simply start the URL with those protocols.

Hydra can be used to crack passwords using many different internet protocols; for example, you can use Hydra to brute force into a website using HTTP or HTTPS. In the following example, I demonstrate how to use Hydra to crack the login of the DVWA site that is running on the Metasploitable2 VM:

1. Ensure the Kali Linux and Metasploitable2 VMs are running, run ifconfig on each, and record the IP address:
Kali Linux: __________________
Metasploitable2: _____________
2. On Kali Linux, launch a browser and type http://<ip_metasploitable2>.
3. Choose the DVWA link.
4. Right-click on the page and choose Inspect Element. You should now have the web page and the HTML source code shown on the screen.
5. In the bottom half of the screen, choose the Network tab to monitor network traffic as you try to log on to the site.
6. In the main logon screen, type your name in the Username and Password textboxes and then choose the Login button. You will notice that your login fails (on the web page under the Login button), but you will also see on the Network tab that the page was posted to login.php.
7. Select the login.php POST method line (see the following figure). On the right you can see the details of the request (Header, Cookies, Params).
8. Choose the Edit and Resend button in order to recreate the HTTP POST request message and gather the information that Hydra needs to perform the password attack. Hydra needs the hostname or IP address, the login page URL, the request body, and the error message. Record the information:
Host/IP: ______________________________________________
Login page (Referer without host/IP): ______________________
Request body: _________________________________________
Error message: _________________________________________
In my example, I recorded the following information:
Host/IP: 192.168.67.137
Login page (Referer without host/IP): /dvwa/login.php
Request body: username=glen&password=glen&Login=Login
Error message: Login failed (error shown on page)
9. Next, replace the actual username and password with the variables ^USER^ and ^PASS^ as shown below:
Host/IP: 192.168.67.137
Login page (Referer without host/IP): /dvwa/login.php
Request body: username=^USER^&password=^PASS^&Login=Login
Error message: Login failed (error shown on page)
Note that ^USER^ and ^PASS^ are variables, which means that for every username and password read from a user list file and password list file, those words will be placed in those variables in order to try a large number of usernames and passwords from the one command.
10. Now that we have all of the information, start a terminal session in Kali Linux.
11. Enter the following Hydra command to attempt to crack the login page of the site:

hydra -L userlist.txt -P passlist.txt <host_IP> http-post-form "<login_page>:<request_body>:<error_message>"

Note that:
-L refers to a text file containing a list of users.
-P specifies the password list file to use.
<host_IP> refers to the IP or hostname of the website.
http-post-form is the method to use to perform the password attack.
<login_page> refers to the URL of the login web page.
<request_body> refers to the username and password parameters.
<error_message> is the error message that was displayed on the page when the login failed.

In my example, this is the command I executed to perform the password attack on the DVWA site:

hydra -L userlist.txt -P passlist.txt 192.168.67.137 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login Failed"

If a username and password are found, you will see them displayed on the screen, as shown. Note that if you would like to see the actual usernames and passwords that are attempted displayed on the screen while the attack is occurring, you can add -V to the end of the command like this:

hydra -L userlist.txt -P passlist.txt 192.168.67.137 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login Failed" -V

For the PenTest+ certification exam, remember that Hashcat, Medusa, and Hydra are all examples of password-cracking tools available on Kali Linux.

CeWL

CeWL, short for Custom Word List generator, is a unique credential-cracking tool in the sense that it is used to generate a text file containing potential passwords by crawling through a site. You could use the following command to generate a wordlist file:

cewl -d 2 -m 5 -w words.txt http://www.yourcustomer.com

Where:
-d 2 specifies the depth in the site to go. Here we are going two links deep.
-m 5 specifies the minimum length in characters of the words picked up.
-w specifies the file to write the list of potential passwords to.

John the Ripper

John the Ripper is a multiplatform password-cracking tool that runs on platforms such as Windows and Linux, and can crack passwords stored in different hash forms such as MD5 and SHA. The John package that comes with Kali Linux includes a number of tools such as:
mailer: The mailer command is used to email users who have their passwords cracked.
john: The john command is the John the Ripper password-cracking tool.
unafs: The unafs command is used to warn users about their weak passwords.

If you have the passwords in a file, you can attempt to crack those passwords with the following command:

john --format=raw-md5 target_hashes.txt

Where:
--format specifies the type of hash values being cracked (MD5 in my example).
target_hashes.txt specifies the text file containing the list of hashes.

In this figure you can see that I ran John the Ripper against a file called target_hashes.txt and it was able to crack two of the passwords: Password and HELLO. You can also use a wordlist file with John the Ripper to perform a dictionary attack on the password list using the following command:

john --format=raw-md5 --wordlist rockyou.txt target_hashes.txt

Cain and Abel

Cain and Abel is an older password-cracking tool that has a number of features. It can easily capture traffic on the network and then discover passwords that are sent in clear text. It can also be used to crack many different types of passwords, such as MD5 hashes, Cisco hashes, Windows passwords, and password-protected files.

Mimikatz

Mimikatz is a post-exploitation tool available in Kali Linux that is used to steal passwords off a Windows system after the system has been exploited. The tool steals the passwords by locating passwords stored in memory on the exploited system and aids in gaining access to other systems on the network. Prior to Windows 10, Windows would load the encrypted passwords into memory with a feature called WDigest, along with the secret key to decrypt the passwords. Mimikatz leverages this and is able to decrypt the passwords. In Windows 8.1, Microsoft added the capability to disable the WDigest functionality, and it is disabled by default in Windows 10. However, after compromising a system, you could enable it again.

To use Mimikatz after you have exploited a system, you can use the commands shown here:

mimikatz # privilege::debug
Privilege '20' OK

Note that the first command is to verify that you have the privileges to run the command (you must be an administrator to run Mimikatz). If you receive a return status code of Privilege '20' OK, then you are an administrator. Next, we load the Sekurlsa module for Mimikatz, which will retrieve the passwords from memory:

mimikatz # sekurlsa::logonpasswords

As output you will receive a list of usernames found in memory with the LM hash, the NTLM hash, and the SHA1 hash of the passwords, as well as information such as the username, domain name, and the password in plain text.

For the PenTest+ certification exam, know that John the Ripper and Cain and Abel are password-cracking tools. Also know that Mimikatz is a post-exploitation tool that can be used to steal passwords after gaining administrative access to the system.

Patator and DirBuster

Two additional password-cracking tools to be familiar with are Patator and DirBuster. Patator is a password-cracking tool that is used to crack passwords given the hash values of the password, while DirBuster is an Open Web Application Security Project (OWASP) project designed to locate directory and file names on a web server.
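The defender's side of the http-post-form walkthrough above: an added example (not code from the book or from Hydra) that reads an Apache-style access log and flags any client that POSTs to the DVWA login page in a burst. The log lines, client IPs, threshold and window are constructed assumptions.

```python
# Added example: spotting a form-based password attack in a web server's
# access log. Sample log lines are constructed; the path /dvwa/login.php
# follows the walkthrough above.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format: ip ident user [time] "req" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need, or None for a line that is not a request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_login_bursts(lines, login_path="/dvwa/login.php",
                      threshold=10, window=timedelta(seconds=60)):
    """Return {ip: peak} for client IPs that POSTed to login_path at least
    `threshold` times inside any `window`-long span. A failed DVWA login
    re-renders the page with 'Login failed', so the status code alone does
    not separate failures from successes; volume and rate per client do."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over time
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def sample_log():
    """Constructed log: one client hammering the form, one normal user."""
    base = datetime(2021, 3, 23, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "POST {path} HTTP/1.1" 200 1543 "-" "Mozilla/5.0"'
    lines = []
    for i in range(25):                          # 25 attempts in 25 seconds
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(fmt.format(ip="192.0.2.10", ts=ts, path="/dvwa/login.php"))
    for i in range(3):                           # 3 attempts over 10 minutes
        ts = (base + timedelta(minutes=5 * i)).strftime(TS_FMT)
        lines.append(fmt.format(ip="192.0.2.20", ts=ts, path="/dvwa/login.php"))
    lines.append("garbage line that is not a request")
    return lines


if __name__ == "__main__":
    for ip, peak in find_login_bursts(sample_log()).items():
        print(f"{ip}: {peak} login POSTs within 60s")
```

Tune the threshold to the form's real traffic; a lockout or rate limit on the login handler is the mitigation this detection points at.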
Article / Updated 03-23-2021
The first category of tools that appears in the CompTIA PenTest+ objectives is scanners. A number of different types of scanners exist—some scanners will scan for open ports, while other scanners are designed to find vulnerabilities within a system.

Nmap

Nmap is a common network scanner used by pentesters to locate systems on the network and determine the ports that are open on those systems. You can also use Nmap to identify the software running on the ports and the type of operating system being used. You need to know the Nmap syntax for the PenTest+ certification exam!

Nikto and w3af

Nikto is an open-source web application vulnerability scanner. When you run it against a website or web application, Nikto performs a number of tests to determine if the web application is vulnerable to different types of attacks. To perform a Nikto scan against a system, you would use the following command:

nikto -h <IP_or_FQDN>

For example, to perform a web vulnerability scan on the system with the internet protocol (IP) address 192.168.1.3, you could use the command nikto -h 192.168.1.3, as shown. If the web application is using SSL, you could use the following command to scan an HTTPS site:

nikto -h 192.168.1.3 -ssl

Another example of an open-source web application vulnerability scanner is w3af, which is labeled as a web application attack and audit framework to assess the security of your web servers. You can download w3af, or use the copy that comes preinstalled on Kali Linux, where you can access it from Applications | Web Application Analysis. With w3af you can select the different types of vulnerabilities to check for by selecting the appropriate plugins and then starting the scan. Note that the CompTIA objectives list w3af under the credential testing tools, but I have placed it in the "Scanners" section as that is what the tool is best known for.

Nessus

Nessus is a commercial tool used for vulnerability scanning of systems on the network. Not only will Nessus scan for a wide range of vulnerabilities, but it will also scan a number of different types of devices for those vulnerabilities. Nessus also offers a downloadable free edition that is limited to scanning 16 devices, which is a perfect learning tool!

OpenVAS

OpenVAS is an open-source vulnerability scanner. OpenVAS can perform the vulnerability scan in a number of different ways, including authenticated and unauthenticated testing.

SQLmap

SQLmap is a program you can download to help automate SQL injection attacks against the web application you are authorized to test in your penetration test. SQLmap comes preinstalled on Kali Linux. If you want to perform an automated test with SQLmap, you need to pass in the URL to be tested, such as:

sqlmap -u http://192.168.1.3/product.php?id=5

This means the request to the page accepts parameters as input, and SQLmap will try a number of malicious inputs on the id parameter.

For the PenTest+ certification exam, remember that Nikto is a web application vulnerability scanner; SQLmap is an automated SQL injection attack tool; and Nessus is a system vulnerability scanner used to identify weaknesses in a product.
Article / Updated 03-22-2021
Active information gathering for a pentest involves polling the target systems to find out about the systems that are up and running, the ports that are open, and the software being used. This involves communicating with the systems and potentially being detected.

For the PenTest+ certification exam, remember the difference between active and passive information gathering. Active information gathering involves engaging with the target environment, such as via scans, while passive information gathering involves using public internet resources to discover information about the target without being detected.

Many of the active information gathering techniques involve scanning target systems to find out things like the operating system that is running and the services running on the system. Domain name system (DNS) profiling involves sending queries to DNS servers to retrieve information on the systems that might exist within the company, such as a mail server or a web server. Keep in mind that in passive information gathering you were able to obtain the DNS server information for a company by doing a Whois lookup. The next step is to send queries to those servers to find out what DNS records exist. You can use a number of tools to perform DNS profiling. The two most common are the commands nslookup and dig.

nslookup

nslookup is a TCP/IP command in Windows and Linux that allows you to query DNS servers for different types of DNS records. You can use nslookup as a command or as an interactive prompt where you type nslookup commands into the prompt. Here is an example of using nslookup as a regular command to retrieve the internet protocol (IP) address of a host:

nslookup www.wiley.com

In the following figure, you can see the address of the DNS server you have sent the query to at the top of the output, and at the bottom of the output, you can see the IP addresses of the fully qualified domain name (FQDN) www.wiley.com. In this example, four IP addresses answer for the FQDN.

With nslookup you can also do things like specify that you want to see the email servers for a company by setting the type of query to MX (mail exchange) records. To do this, use the following commands:

nslookup
set type=MX
wiley.com

In the following figure, you can see the output of the command. It looks like wiley.com has four mail servers. When performing the pentest, you would document the four FQDNs of the mail servers and then resolve those to IP addresses by using nslookup <fqdn>.

As one final example, you can try to retrieve all of the DNS records for a particular company by doing a DNS zone transfer. DNS zone transfers should be controlled by the server administrators, so if you are successful, you definitely want to make a note of it and add it to your remediation list in the pentest report. To attempt a zone transfer from Windows using nslookup, use these commands:

nslookup
server <ip_or_fqdn_of_company_DNS_server>
set type=all
ls -d <company_domainname>

Keep in mind you would have retrieved the DNS server information from the Whois lookup you performed during your passive information gathering earlier. Pretending the DNS server is 192.168.1.1 for wiley.com (which it is not), you could use the following commands to do a zone transfer:

nslookup
server 192.168.1.1
set type=all
ls -d wiley.com

dig

dig, which is short for Domain Information Groper, is a command in Linux used to perform DNS profiling. I like the output of dig a bit better than the output of nslookup because I think it's easier to read. To find out the IP address of www.wiley.com, type the following command on a Kali Linux machine:

dig www.wiley.com

Notice in this figure that the question section is seeking information about the IP address of www.wiley.com, and the answer section is listing the four IP addresses associated with it. What I like about dig as a command is that you can ask for the short version of the output by adding +short to the command. For example:

dig www.wiley.com +short

Notice that the output in the following figure is much cleaner than the output shown in the preceding figure, and the IP addresses stand out right away. If you want to use dig to retrieve specific records, such as MX records to find out the email servers for a company, you could use the following command:

dig wiley.com MX

You could also clean up the output by adding +short to that command:

dig wiley.com MX +short

This figure displays the output of using dig to find the MX records. If you want to do a zone transfer with dig to attempt to retrieve all of the DNS records that exist, you could use the following dig command:

dig wiley.com axfr

You may notice that you do get a few records that identify the DNS servers for the company (NS) and also a few host records (A); however, you may also notice that at the bottom of the output it says "Transfer failed." This is because the server administrators for that company are blocking full zone transfers, as a zone transfer exposes too much information to the hacker. If you are testing a company and zone transfers are not refused, you want to be sure to document that in your pentest report.

For the PenTest+ certification exam, know that dig and nslookup are two tools that can be used to perform DNS profiling to help identify hosts that exist within an organization.
Article / Updated 03-22-2021
When you are conducting a penetration test, it is important to take a methodical approach to information gathering and divide the task up into two parts: passive information gathering and active information gathering. Passive information gathering should come first. It involves collecting public information from the internet about the company being assessed — without invoking any kind of communication with the target systems.

Passive information gathering involves using internet resources to find out publicly available information about the company that could help you exploit the company's systems and bypass security controls while performing the pentest. There are different techniques for passive information gathering: you could surf public internet sites manually, query DNS, or use open-source intelligence (OSINT) gathering tools to automate the discovery of information. Most of these techniques are not technical in nature, but they do represent the mindset of a hacker, so you want to follow similar strategies when performing your pentest.

Open-source intelligence gathering

The term used for discovering information from public data sources available on the internet is open-source intelligence (OSINT) gathering. Through OSINT gathering, you can collect information about a company from the company's website, social media sites, domain name system (DNS) information, blogs, and so on. The goal of OSINT gathering is to gather information such as contact names, email addresses, and DNS records to aid in the penetration test.

Browsing internet resources

The first technique to use when information gathering is to surf the company website for information that could aid in an attack, such as software the company is using or email addresses and phone numbers of company employees that you could use in a social engineering attack. Look for web pages, such as About Us, Job Postings or Careers pages, that could offer information like names, phone numbers, and email addresses of employees or upper management. This is great information to use in a social engineering attack. In addition, a Job Postings or Careers page may list active jobs that could help you understand the technologies the company is using. For example, if the company is looking for an Exchange Server 2016 Messaging Administrator, then you know the company is most likely running Exchange Server 2016.

For the PenTest+ certification exam, know that you can use tools such as the popular wget in Linux or the BlackWidow utility for Windows to copy the contents of a website to a local folder on your system so that you can leisurely review the contents offline.

Using Google hacking

Google hacking is the term used for an information gathering technique in which specific keywords are used to search Google or other search engines for specific information on the internet. Here are a few of the Google keywords you should be familiar with that I find quite useful:
site: The site keyword is used to search a specific website for a keyword. For example, if you are performing a security test for the Wiley publishing company, you could use site: www.wiley.com password to locate the login pages on the Wiley website. This could be useful if you wanted to test Wiley's login pages against SQL injection attacks.
intitle: You can use the intitle keyword to search the title of a page for specific keywords. For example, if you want to find web pages that contain the word "intranet" in the title, you could use intitle: intranet.
inurl: The inurl operator will search for the keyword given in the URLs found in the Google database. For example, if you want to locate sites that have the word "intranet" in the URL, you could use inurl: intranet.
intext: The intext operator searches a web page for specific text.
For example, if you want to search my company site for pages that contain the word "video," you could use site: dcatt.ca intext: video.
filetype: One of my personal favorites is the filetype operator, which you can use to find results containing a specific file type. For example, you could search the internet for sample penetration reports with filetype: pdf penetration test report.

Referencing online cybersecurity sources

In addition to browsing internet resources and using Google hacking to conduct your passive information gathering, research from many official sources is available for OSINT gathering, especially in the realm of cybersecurity information. You should be familiar with the following sources of cybersecurity information for the PenTest+ certification exam:
CERT: Short for Computer Emergency Response Team, there are many CERT groups available worldwide that share cybersecurity information. Example CERT groups are the US CERT group and the Canadian version.
JPCERT: The PenTest+ certification exam makes special mention of JPCERT, which is the Japan CERT group used to share information on cybersecurity. You can visit the JPCERT
NIST: The National Institute of Standards and Technology (NIST) is a standards organization that develops a number of documents related to cybersecurity known as special publication (SP) documents. For example, SP 800-115 is a guide to security testing and assessments, while SP 800-17 is a guide to risk management. There are a number of SP documents well worth reading.
CAPEC: The Common Attack Pattern Enumeration and Classification (CAPEC) is an information resource provided by a company called MITRE that identifies and documents attack patterns. The MITRE site also provides information on mitigation techniques for the attacks.
Full disclosure: You can subscribe to mailing lists that share information related to vulnerabilities and exploitation techniques, known as full disclosure lists.
CVE: The Common Vulnerabilities and Exposures (CVE) list is responsible for identifying known vulnerabilities by their name, number, and description.
CWE: The Common Weakness Enumeration (CWE) list is a list of common weaknesses found in software and the mitigation techniques used to protect against those weaknesses.

Passive information-gathering tools

In addition to using Google or surfing the company website, you can use a number of passive OSINT tools to help collect such company information as contact names, email addresses, DNS information, and internet protocol (IP) addresses.

Whois

Whois is a widely used database search tool used to discover domain name information and IP address information about a company. The domain name information sometimes contains important contact information of senior IT professionals that you can use in a social engineering attack, while the IP information is the public IP addresses purchased by the company. Having this information handy will aid in the next phase of the pentest — discovering active hosts.

A number of Whois databases that you can search are available online. For example, you could go to www.godaddy.com/whois to perform a search, or you could go to www.networksolutions.com/whois, which is shown in the following figure. What is cool about the Network Solutions search page is you can search by domain name or IP address. Note that with the Whois lookup, you can collect information like the organization's name, the DNS servers hosting the DNS data, and sometimes contact information, such as email addresses and phone numbers of company employees. Many people are now using private registration with their domain registration information, which helps protect the personal information by obfuscating the information that is displayed with Whois lookups.

You can also use Whois programs to discover domain name and IP address information.
For example, Kali Linux comes with a Whois program you can execute from a terminal with the following command:

whois wiley.com

Another site with detailed Whois information is ARIN. When search results come back, choose the handle. You can then see the public IP addresses that are used by that organization.

theHarvester

theHarvester is a program in Kali Linux that you can use to perform passive information gathering to collect information such as employee names, email addresses, and subdomains, and to discover hosts owned by the organization. You can use it to collect public information from Google, LinkedIn, Twitter, and Bing. The following command searches LinkedIn users for Wiley:

theharvester -d wiley.com -b linkedin

To collect information from all sources such as Google, LinkedIn, and Twitter, use the following command:

theharvester -d wiley.com -b all -l 100

In this example, shown in the following figure, I limited the results to 100.

Shodan

Shodan is a search engine that collects information about systems connected to the internet, such as servers and internet of things (IoT) devices. To use Shodan, you need to register with a free account, and then you can search for the company or organization being assessed. When you perform a search in Shodan, you get a list of the target company's publicly available servers and devices along with the IP address, the services running, and the ports that are open on that system. When you view the details for that system, you can get a list of its vulnerabilities. A map view shows the physical location of those servers as well.

Maltego

Maltego is OSINT software that shows a graphical representation of relationships between people, groups, webpages, and domains by analyzing online resources like Facebook, Twitter, DNS, and Whois information. For example, you could create a graphic and add a website address to the graphic, then use Maltego to search for additional information. This could be Whois information, phone numbers, location information, and email addresses associated with that website, and then you can have them added to the graph.

Recon-ng

Recon-ng is an OSINT tool built into Kali Linux that allows you to retrieve information like contact names, email addresses, DNS information, IP address information, and the like. Recon-ng is not as easy to use as theHarvester because it uses the module concept similar to the Metasploit framework, a modular penetration testing platform based on Ruby.

Let's take a look at an example of Recon-ng you can use on Kali Linux. To start Recon-ng and add a workspace, use the following commands (a workspace represents a project you are working on):

recon-ng
workspaces add wiley

Now let's add the domain names and company names to the Recon-ng database tables so that it uses them when performing all of the information gathering with the future commands we use:

add domains wiley.com
add domains www.wiley.com
add domains dummies.com
add domains www.dummies.com
add companies Wiley~A publishing company
add companies Wiley Publishing~A publishing company
add companies ForDummies~A Wiley product line

To view the domains and company tables that have been populated, use these commands:

show companies
show domains

The Recon-ng tool has modules that you use to collect the different types of information from online resources. Next, let's collect the points of contact from Whois databases:

use recon/domains-contacts/whois_pocs
run

Now, let's discover other domain names and hosts on the internet related to the company by using a Bing search and a Google search:

use recon/domains-hosts/bing_domain_web
run
use recon/domains-hosts/google_site_web
run

After running these commands, you can see the contact names and email addresses listed in the terminal, but it would be nice to output the information to a web page that you could use for a report. The following commands will load the reporting module and specify the creator of the report, the customer, and the report filename to generate:

use reporting/html
set CREATOR 'Glen E. Clarke'
set CUSTOMER 'Wiley Publishing'
set FILENAME /root/Desktop/Wiley_recon.html
run

If you open the HTML file on your desktop by double-clicking it, you will see a report similar to the report shown in the following figure. Keep in mind that if we had used other modules to collect additional information (such as the IP ranges), that information would have been included in the report as well. Again, this is just a small example; know that there are a number of Recon-ng modules that enable you to do things like view social media posts by an IP address.

Censys

Censys is another browser-based search engine that identifies hosts on the internet for a particular organization. In addition to identifying the hosts, Censys will also identify the services and ports that are open on those systems.

FOCA

Fingerprinting Organizations with Collected Archives (FOCA) is a tool used to scan documents to collect metadata that is typically hidden from the user. Some examples of document types that can be scanned by FOCA to extract the metadata are Microsoft Office files, Open Office files, and PDF files.

For the PenTest+ certification exam, remember that Whois, theHarvester, Maltego, Recon-ng, and Censys are all tools used for OSINT gathering.
Article / Updated 03-22-2021
For the PenTest+ certification exam, you are expected to have an understanding of the basics of pentest report writing, including familiarity with the different sections of the report, what goes into the report, and how to securely store and transmit the report. At the completion of a pentest, the pentest report is a valuable asset for a business. Not only will the report contain a list of vulnerabilities that need to be fixed and remediation steps to follow to reduce the vulnerabilities, but it will also discuss the methodology that was followed for the current engagement and can act as a guide for future penetration tests.

Before jumping into the structure of the report, let’s discuss two important concepts of pentest reports: normalization of data and risk appetite.

Normalization of data

It is important that you document your steps during the penetration test so that you can include them in your penetration report. You should also take screenshots during the penetration test so that you can include the screenshots within the pentest report as well.

You also should normalize results so that they are all based on the same scale. For example, some testing tools may use a scale from 1 to 10, while others may use a scale of 1 to 8. You will need to convert the results based on a scale of 1 to 8 to be out of 10 so that all results are normalized and based on the same scale. Also, some tools may report the value of 1 being bad, while 10 is good, while another tool may report 1 as being a good value and 10 is a bad value. In this example, you will need to normalize the data by reversing the scale so that all the data can be plotted on the same chart in the pentest report.

Risk appetite

Risk appetite refers to the level of risk an organization is willing to accept.
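As an added example that is not code from the article, the following Python code performs the normalization just described: each tool declares its score range and which end of the scale is bad, and every score is mapped onto one 1-to-10 scale where 10 is the worst, reversing the direction where a tool treats 1 as bad. The tool names (scanner_a, scanner_b, scanner_c) and the findings are constructed placeholders, not real products or results.

```python
"""Added example, not code from the article: normalize severity scores from
tools that use different ranges and directions onto one 1-to-10 scale
(10 = worst) so they can be plotted on the same chart."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ToolScale:
    """How one tool reports severity: its range and which end is bad."""
    low: float
    high: float
    high_is_bad: bool   # True: the top of the range is bad; False: 1 is bad


TARGET_LOW, TARGET_HIGH = 1.0, 10.0


def normalize(score: float, scale: ToolScale) -> float:
    """Map a tool's score onto 1..10 with 10 = worst.
    1. Reject values outside the tool's declared range, so a typo in the
       collected data cannot silently skew the chart.
    2. Reverse the direction if the tool treats its low end as bad.
    3. Linearly rescale onto the target range."""
    if not scale.low <= score <= scale.high:
        raise ValueError(f"{score} is outside {scale.low}..{scale.high}")
    if not scale.high_is_bad:
        score = scale.low + scale.high - score        # flip the scale
    fraction = (score - scale.low) / (scale.high - scale.low)
    return round(TARGET_LOW + fraction * (TARGET_HIGH - TARGET_LOW), 2)


# Constructed tool definitions; the names are placeholders, not real products.
SCALES = {
    "scanner_a": ToolScale(1, 10, high_is_bad=True),   # already 1..10
    "scanner_b": ToolScale(1, 8, high_is_bad=True),    # 1..8, must be stretched
    "scanner_c": ToolScale(1, 10, high_is_bad=False),  # 1 is bad, 10 is good
}

# Constructed findings: (tool, finding title, raw score as the tool gave it).
SAMPLE_FINDINGS = [
    ("scanner_a", "Outdated TLS configuration", 7),
    ("scanner_b", "Default SNMP community string", 8),
    ("scanner_b", "Verbose server banner", 4.5),
    ("scanner_c", "Anonymous FTP login enabled", 3),
]


def normalize_findings(findings):
    """Attach a normalized score to each finding, keeping input order."""
    return [
        {"finding": title, "tool": tool, "raw": raw,
         "normalized": normalize(raw, SCALES[tool])}
        for tool, title, raw in findings
    ]


if __name__ == "__main__":
    for f in normalize_findings(SAMPLE_FINDINGS):
        print(f"{f['normalized']:5.1f}  {f['tool']:9}  raw={f['raw']:<4} {f['finding']}")
```

Keeping the range check strict matters more than it looks: a score of 9 from a tool that only goes to 8 is almost always a transcription error, and silently rescaling it would put a phantom finding at the top of the chart.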
It is important to understand the organization’s risk appetite because you will need to prioritize the pentest results and provide remediation steps to the customer based on the organization’s tolerance of risk. The recommendations on remediation steps will stem from the results of the vulnerability scan and exploitation, but should also align with the company’s risk appetite. The risk appetite will depend on the function of the organization; for example, if it is an organization that affects public safety, the risk appetite (tolerance) will be low.

Report structure

It is important to remember that the purpose of the penetration test is to report on the findings of the pentest and give remediation steps on how to better secure the environment and reduce the risk of attack. The pentest report is a written report of findings and remediation steps that should include the following sections as outlined here.

Title page and table of contents

The title page for the report should contain a title for the report, such as “White Box Penetration Testing for Company ABC,” and the name of the company or person who performed the pentest and authored the report. The title page should also show a version number and date for the report. After the title page, the report should include a table of contents that specifies the page references for each of the other parts of the report.

Executive summary

The executive summary is a summary of the pentest for upper-level management or the executive team. It is typically written after the rest of the report has been written. The executive summary contains key information regarding the pentest that you would like to communicate to the executive team, such as the methodology used, the key tasks performed, and a high-level overview of your findings and recommendations.
Methodology

The methodology section of the report outlines the types of testing performed during the penetration test, the steps taken during each phase, and how the attacks were carried out. The methodology section also discusses the process used to identify and rate the risks for each vulnerability found and what tools were used by the pentesters.

Within the methodology section you should also discuss the metrics and measures used to identify the risk rating for each of the vulnerabilities found during the assessment. For example, you could explain in the risk rating methodology that you are calculating risk by assigning a probability of low, medium, or high to each vulnerability and then assigning an impact of low, medium, or high to each vulnerability. Low has a value of 1, medium has a value of 2, and high has a value of 3. You can then calculate risk with the following formula:

Risk = probability * impact

You can then display a graphic outlining the scores for low risk (in my example it will be scores from 1 to 3), medium risk (scores 4 to 6), and high or critical risk (scores 7 to 9) as shown. Again, this is just an example. You can go with a 4- or 5-number scale for each category of probability and impact, which will give you a bit more variance in the risk rating scores. It is important to show how the risk scores are calculated, and use graphics in your report to help the reader relate to the results. Having a legend showing that low is green, medium is orange, and high or critical is red is also important, as you can use those colors in your findings to draw out critical vulnerabilities.

Findings and remediation

The findings and remediation section of the report is used to discuss the security issues found and the remediation steps to take to fix each security issue. Each security issue should have a paragraph or two describing the security issue and a paragraph describing the remediation steps.
For example:

Vulnerability Finding 1: Weak passwords used by user accounts
Impact: High
Likelihood: Medium
Risk Rating: 6
Description: While assessing passwords on the network, it was found that many user accounts are using weak passwords made up of words found in the dictionary. These passwords were easily cracked by the John the Ripper tool.
Remediation: It is recommended that password policies are configured to enforce complex passwords, lock out an account after three failed log-on attempts, keep a password history of 12 passwords, and require passwords to change every 60 days.

Conclusion

The conclusion is the last section in the report and should summarize the results as well as identify any parts of a typical penetration test that were not included in the assessment that the company may want to do in the future. For example, if social engineering was not part of the scope of the penetration test, you could recommend the organization perform social engineering during the next penetration test. In the conclusion of the report, you should also give the organization an overall risk score so that it can compare this result to the overall risk score of future penetration tests. The goal would be to see this risk score get lower with each penetration test.

Secure handling and disposition of reports

The penetration testing report contains a lot of sensitive information about an organization, such as Internet Protocol (IP) addresses of different systems, vulnerabilities that exist for the different systems, and the steps taken to exploit those vulnerabilities. This information is worth gold for a hacker, so you want to be sure to protect and control access to the report.

Format

The first point to make about keeping the report secure is that you must store penetration testing reports in an encrypted format to ensure that the information is kept confidential, and there should be a limited number of people who have access to the report.
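As an added example that is not code from the article, the following Python code applies the likelihood-times-impact rating from the Methodology section (low/medium/high = 1/2/3, bands 1 to 3 low, 4 to 6 medium, 7 to 9 high) to a list of findings and ranks them worst-first, which is also how the threat-modeling exercise described in the terminology article prioritizes threats. The first sample finding reproduces the article's own worked finding (Likelihood Medium, Impact High, Risk Rating 6); the others are constructed. The overall score at the end is an assumption, since the article asks for an overall risk score without saying how to derive it.

```python
"""Added example, not code from the article: the likelihood x impact rating
from the Methodology section, applied to a list of findings so they can be
ranked worst-first. Findings are constructed; see overall_risk() for the
one assumption made."""

LEVELS = {"low": 1, "medium": 2, "high": 3}


def risk_score(likelihood: str, impact: str) -> int:
    """Risk = probability * impact, each rated low/medium/high = 1/2/3."""
    return LEVELS[likelihood.lower()] * LEVELS[impact.lower()]


def risk_band(score: int) -> str:
    """Bands from the article: 1-3 low, 4-6 medium, 7-9 high/critical."""
    if score <= 3:
        return "low"
    if score <= 6:
        return "medium"
    return "high"


# Constructed sample findings: (title, likelihood, impact). The first one is
# the article's own worked finding (Likelihood Medium, Impact High, rating 6).
SAMPLE_FINDINGS = [
    ("Weak passwords used by user accounts", "Medium", "High"),
    ("Verbose service banners", "High", "Low"),
    ("Unpatched public web server", "High", "High"),
    ("Guest Wi-Fi reachable from internal VLAN", "Low", "Medium"),
]


def rate_findings(findings):
    """Return findings ranked worst-first with score and band attached.
    sorted() is stable, so findings with equal scores keep input order."""
    rated = []
    for title, likelihood, impact in findings:
        score = risk_score(likelihood, impact)
        rated.append({"title": title, "likelihood": likelihood,
                      "impact": impact, "risk": score,
                      "band": risk_band(score)})
    return sorted(rated, key=lambda f: f["risk"], reverse=True)


def overall_risk(rated) -> float:
    """One number for the Conclusion section so future tests can be compared.
    Assumption: the article asks for an overall score but does not say how
    to derive it; the mean of the finding scores is used here."""
    return round(sum(f["risk"] for f in rated) / len(rated), 1)


if __name__ == "__main__":
    ranked = rate_findings(SAMPLE_FINDINGS)
    for f in ranked:
        print(f"{f['risk']}  {f['band']:6}  {f['title']}")
    print("overall risk:", overall_risk(ranked))
```

Whatever rule you use for the overall score, state it in the Methodology section and keep it fixed across engagements; the comparison between this year's and next year's score is only meaningful if both were computed the same way.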
Any hard copies of the report should be kept in a secure location for an agreed-upon time. For the PenTest+ certification exam, remember that the pentest report should always be encrypted, both in storage and in transit.

Storage time

The second point to remember about keeping the report secure is how long the report is stored. The original pentest agreement should specify how long the pentesting organization has a copy of the report in its possession — and it must be stored in a secure location. The purpose for the pentesting organization to hold on to a copy of the report is to be able to answer questions from the customer related to the penetration test. Once the report is no longer needed, the pentest company should securely delete the digital copies and shred the hard copies.
Article / Updated 03-22-2021
Take a look at some penetration testing terminology you need to be familiar with for the CompTIA PenTest+ certification exam.

Types of assessments

The CompTIA PenTest+ certification objectives reference some key terms in regard to the different types of assessments that can be performed. The following are some common types of pentest assessments:

Goals-based/objectives-based: This type of assessment is focused on a specific purpose. For example, you may have installed a new server or piece of software and want to test that specific asset for security flaws. Some examples of goals for goals-based assessments are that the company may want to assess the security of only the wireless network, or may want to perform only social engineering attacks to test the effectiveness of the security education program with the employees. Another common goal may be simply to test the security of a public website or web application.

Compliance-based: A compliance-based assessment is an assessment that is driven by standards and regulations. With compliance-based assessments, you must follow a standard assessment methodology, such as the National Institute of Standards and Technology’s (NIST’s) SP800-15 series of guidelines, or the PCI DSS from the PCI Security Standards Council.

Red team/blue team: The term red team refers to the internal team of professionals performing a penetration test acting as hackers. With a red team test, you are not as focused on reporting and remediation steps after the fact; you are more focused on trying to bypass security controls and determining how your security team will respond to the attack. The security team responsible for defending against attacks is known as the blue team.

Pentest strategies

You can follow several different strategies when performing a penetration test.
You can go with a black box test, a white box test, or a gray box test:

Black box: In a black box penetration test, the testers are given zero information about the environment and the targets. The goal of the black box test is to treat the pentesters as if they are hackers — they have to discover the environment before they can attack the environment. In a black box test, you would not share Internet Protocol (IP) address information, network infrastructure details, or public services on the internet, such as websites, domain name system (DNS), or file transfer protocol (FTP) servers. It is up to the penetration testers to discover all assets and then try to exploit those assets.

White box: In a white box penetration test, the testers are given all of the details of your network environment, including server configurations and the services they run, a network diagram showing different network segments and applications, and IP address information.

Gray box: In a gray box penetration test, a limited amount of information is given to the penetration testers, such as the IP ranges being used by the company or addresses of your public internet servers. With this information, the pentesters will discover what services are running on each system and then try to exploit those systems.

For the PenTest+ certification exam, remember the different pentest strategies. Black box is when no details about the target are given, white box is when all known information about the targets is given to testers, and gray box testing is when limited information such as IP addresses or server names is given to keep the pentest focused on those targets.

Threat actors and threat models

The purpose of penetration testing is to simulate attacks that could occur in real life. A big part of information security — and something all security professionals should be aware of — is who you are protecting against. Who would attack your network or website?
Capabilities and intent

Before we look at the types of hackers and threat models, it is important to understand the different levels of hacking capabilities for each type of hacker, or threat actor, and the different reasons of intent for hacking.

The capabilities of a hacker will vary depending on the type of threat actor the hacker is and the types of attacks being performed. Some attacks are basic in nature, so you may find that all types of hackers can perform these attacks, while more sophisticated attacks are performed by hackers with more detailed knowledge of the underlying technologies being hacked, their vulnerabilities, and how to exploit those vulnerabilities.

A hacker may be motivated to hack for many reasons, such as for financial gain (for example, hacking into bank accounts or selling sensitive data that was obtained in the hack) or for the fame or notoriety that is earned by hacking into a big-name company. A hacker may also be motivated by a personal cause or a group cause, as is the case with terrorists or activists.

Threat actor

A threat actor is a person or entity that causes the threat against your assets. When it comes to hacking, you should be aware of some common threat actors:

Script kiddies: A script kiddie is a person who does not necessarily have much background on how attacks work; they simply run some automated tools to try to exploit systems. Their intent is typically the challenge, and also bragging rights.

Hacktivist: A hacktivist is a person who hacks for a cause, such as for political purposes or for social change. The capabilities of the hacktivist can range from basic to advanced hacking knowledge, as is the case with the infamous hacking group called “Anonymous.”

Insider threat: Insider threats are threats from inside your organization or inside your network. These can be very serious threats of malicious destruction from a disgruntled employee or even innocent mistakes made by other employees.
APT: An Advanced Persistent Threat (APT) is an advanced hacking process such as one found in a nation-state–sponsored group or person that gains unauthorized access to a network for political or economic reasons. The attack typically happens to gain unauthorized access for a long period of time, such as many months, by planting malicious software on the system that will monitor activity, collect sensitive data, or damage the system. APT also includes advanced hacks on financial institutions, defense contractors, and software companies, such as Twitter or Facebook, which would contain a wealth of sensitive information the hacker would like to collect.

Adversary tier

Threat actors are typically identified in an adversary tier that ranks the threat actors by their capabilities and the damage they can perform. The threat actors discussed earlier are ranked based on their threat level and capabilities, as follows (1=low, 4=high):

1. Script kiddie
2. Insider threat
3. Hacktivist
4. APT

This figure summarizes the adversary tier, with script kiddies at the bottom of the skillset and APT at the top.

Threat modeling

Penetration testing typically involves an exercise known as threat modeling. Threat modeling refers to the act of documenting company assets and then defining the types of attacks or threats against those assets. The threats are then assigned a likelihood (the chances the attack will happen) and impact (how serious the result of the attack is if successful) so that the threats can be prioritized. Based on the priority of the threats, security professionals put security controls in place to prevent those threats from occurring or to minimize the impact.
Article / Updated 03-22-2021
Social engineering from a security standpoint refers to the deliberate use of deception to try to trick a user into compromising system security through social contact such as an email message, a text message, or a phone call. Social engineering attacks are a common way to test the effectiveness of a company’s security education program. If the engagement rules and scope of the penetration test support social engineering attacks, you should plan for them in the penetration test.

There are different types of social engineering attacks such as phishing, shoulder surfing, and USB key drop, among others. Take a look at the different types of social engineering.

Phishing

Phishing is a type of social engineering attack that occurs when the hacker sends an email message to a user with the hope that the user will click on hyperlinks within the message. These hyperlinks link to malicious websites that collect information from the user. For example, a hacker may send an email message that appears to be from the user’s banking institution, and links within the message take the user to a site that looks like the bank’s site. Because the site looks familiar to the user, the user may then feel comfortable supplying his or her account information, not knowing it is a fake bank site. All the while this is going on, the hacker is collecting the information that is typed into the fake site.

With a regular phishing attack, the hacker sends the email message to a pool of email addresses the hacker was able to discover without really any thought to who the email goes to. When you do a penetration test, you can do the same: collect a bunch of email addresses for the target organization and then email all of the addresses to see if someone goes to the fake site.
Phishing attacks occur in the following different forms:

Spear phishing: Refers to a phishing attack that targets a specific person
SMS phishing: Phishing attacks conducted through text messaging instead of email
Voice phishing: Phishing attacks that use voice over the phone instead of email
Whaling: Refers to a phishing attack that targets the “big fish” of a company, such as the CEO

For the PenTest+ certification exam, remember the different forms of phishing attacks. Also remember that the rules of engagement should identify whether social engineering attacks are allowed in the penetration test.

Shoulder surfing

Shoulder surfing is a traditional type of attack in which the hacker watches over the shoulder of the user to see what the user is typing on the computer or mobile device to obtain information.

USB key drop

Another type of social engineering attack common with penetration testing is a USB key drop. With a USB key drop, the pentester will leave USB flash drives all over the organization in hopes that an employee picks one up and plugs it into a computer to see what is on the drive. As a penetration tester, you will configure a script or application to automatically run when the drive is connected that will send an email message to you that includes information such as the IP address of the system the drive is connected to. With USB key drop, you are able to find out the security awareness level of the organization. If you set out ten USB drives and you get eight email messages, it is obvious that the employees do not understand that they should not connect untrusted devices to their computers.

Another benefit of using a USB key drop with your penetration test is that you can use it to collect information such as IP addresses of hosts on the network. You can then use these IP addresses as IP addresses of potential targets.
Other forms of social engineering

In addition to the types of social engineering attacks discussed in the previous sections, social engineering attacks may also take the form of impersonation and interrogation. For example, a hacker (or pentester) could impersonate an administrator to try to trick the user into compromising security (for example, maybe the hacker convinces the user to change his or her password). If social engineering attacks are in the scope of the assessment, you could try calling or emailing employees and impersonating the administrator to trick the employee into compromising security. You could also impersonate a user who contacts the administrator and see if the administrator can be tricked into helping you access the system.

In addition, interrogation is another form of social engineering attack specifically called out in the objectives of the CompTIA PenTest+ certification exam. When interviewing or interrogating people, a number of physical reactions to questions can be used to identify topic areas that should lead to more questioning. For example, when people start to feel stress, they usually start to touch their face a lot — watch for these visual cues during interviews and interrogation.

The key point to remember about social engineering is that your goal is elicitation. You would like to elicit a response or reaction from employees that causes them to compromise security. You could also use a business email compromise (BEC) attack where you gain access to an employee’s corporate email account and use that to send messages to other employees in the company.

Motivation techniques in social engineering attacks

What are some of the motivation techniques used in social engineering attacks that cause the attack to be successful? A common technique is to evoke a sense of urgency for the end user to click the link in an email message from the hacker.
When social engineering attacks are sent out, the hacker usually stresses a sense of urgency to act now as a method to get the user to click the link or run the application without thinking about it too much. Following is a list of motivational techniques often used by the hacker or penetration tester to get a user to compromise security:

Authority: The hacker or penetration tester pretends to be a person of authority requesting that the user perform an action. This action, such as clicking a link in an email message or changing a password, is enough to help the hacker gain access to the system.

Scarcity: The communication from the hacker or pentester typically implies a shortage in time or the chance of a prize in order to trick the person into acting now.

Social proof: The hacker or pentester relies on the concept that if users see others doing something, they feel it is the correct thing to do, so they do it too. For example, if everyone is downloading a certain program, a user may feel that it must be safe if everyone else is doing it.

Urgency: The hacker or pentester evokes a sense of the importance of a swift action in order to get users to act on the request.

Likeness: People respond well to people they like, and are, by nature, typically willing to help someone in need. If the attacker can appear to be in need and has a friendly demeanor, the victim may let his or her guard down and be more likely to respond to the social engineering attack.

Fear: The hacker or pentester uses fear to elicit a response from the user. For example, a hacker sends an email message telling the user that a security vulnerability was found in the system that gives someone full access to the system, and to remove this vulnerability, the user must install a “patch.” In reality the patch is the malicious software that allows the attacker into the system.
Article / Updated 03-22-2021
Physical security plays an important role in any organization’s security program and defensive posture, and you need to know some basics about attacks on physical security to pass the CompTIA PenTest+ exam. Physical security involves controlling who has physical access to the facility, the servers, network equipment, and end-user devices.

Types of physical security controls

Organizations use a number of physical security controls to regulate who gains access to the facility or what areas in the facility they gain access to. Highly secured environments control access to the facility by having high fencing around the perimeter of the property with only one or two entrances used to enter or leave the facility. These entrances will have gates and security guards that control who gains access to the building. In highly secured locations, the guard ensures that everyone who enters has an ID badge. Visitors typically need to get a guest badge and be escorted by the employee who is hosting the visitor at the facility.

Once inside the building, doors are locked to control who can gain access to different areas of the building. Companies can use traditional locks and keys, combination locks, or electronic locking systems where a card needs to be swiped in order to gain access to that area of the building.

Exploiting physical security

A number of methods may be used to bypass physical security controls. As a penetration tester, you may need to test these physical controls and see if you can bypass the security to gain access to areas of the building you should not have access to.

Piggybacking/tailgating

To compromise physical security as a penetration tester, you can try to follow an employee who does have access into a restricted area of the building after the employee unlocks the door.
There are two terms for this type of physical security attack:

Piggybacking: Piggybacking occurs when employees use their swipe card (key) to unlock a door and they allow the person behind them into the locked area as well without making that person swipe his or her card. This is exploiting the person’s human nature to hold the door open for the next person. As the penetration tester, you want to test to see if you can piggyback into the facility, as this identifies a huge security concern. Note that with piggybacking, the person is aware that he or she is allowing you in.

Tailgating: Tailgating is similar to piggybacking with the exception that the employee has no idea you slipped through the door after he or she had unlocked it.

For the PenTest+ certification exam, remember the difference between piggybacking and tailgating. Piggybacking involves the employee knowing and allowing someone to gain access to a restricted area, while with tailgating, the employee did not know someone was able to gain access after the employee unlocked the door.

A great countermeasure to implement to prevent piggybacking and tailgating is a mantrap. A mantrap is an area between two locked doors. The second door does not unlock until the first door locks. This ensures employees know who is with them at all times. Revolving doors are another type of mantrap that helps ensure no one else slips through the door while an employee is going through.

Dumpster diving

A method to discover sensitive information about a company and its employees is to dumpster dive. With dumpster diving, the attacker goes through the garbage of the intended victim trying to locate information that could help in an attack. It is important to shred all sensitive documents so that the sensitive information cannot be discovered via a dumpster dive attack.

Badge cloning

Electronic badges often are used to gain access to restricted areas within a building.
If attackers can get their hands on a badge, they can use a badge cloning device to copy the electronic data stored on the badge that can then be used to gain access to the building.

Fence jumping

Having a fence around the perimeter of the facility is only going to keep the innocent people out. A determined hacker can easily climb the fence to gain access to the facility, so it is important that you have designed a fencing strategy that makes it difficult to climb. Most highly secured environments will use a high fence that angles out at a 45-degree angle at the top to make it difficult for someone to climb over. Companies will also have barbed wire at the top to prevent someone from trying to climb over the top.

Attacks on locks

Traditional locks are susceptible to lock picking in order to gain access to the locked area. A bump key is one example of a lock-picking technique where a filed-down key is placed in the lock and then tapped (bumped) lightly while turning the key slightly. This causes all of the cylinders within the lock to jump up above the cylinder breaking point (hopefully), which would then unlock the door. Many high-quality locks today advertise that they are “bump proof.”

Lock bypass is another lock-picking technique in which different methods are used to bypass the locking system. One technique used to bypass a lock is loiding, in which a credit card is used to bypass a self-closing latch system. Car locks can be bypassed by inserting a stiff wire between the door and the car structure in order to manipulate the locking system.

Another example of an attack on locks is for motion-sensor doors that are in a locked state until they detect that someone is trying to leave from the inside, at which time the door is unlocked. These doors use egress sensors (to detect people going out) that are motion sensors.
There is a known hack where hackers are able to spray compressed air from outside through the cracks in the door to trigger the motion sensor to unlock the door.
Article / Updated 03-22-2021
Penetration testing, also known as ethical hacking, involves an information technology (IT) professional using the techniques a hacker uses to bypass the security controls of a network and its system. A security control is a protection element, such as permissions or a firewall, that is designed to keep unauthorized individuals out of a system or network. The act the IT professionals are performing is known as a penetration test, or pentest for short (which is where CompTIA’s term, PenTest+, came from). The penetration test follows the process the hacker would take, including the discovery of targets and the exploitation of targets.

From a company’s point of view, the ultimate goal of a penetration test is to have an ethical person perform attacks on different assets to determine whether those assets could be penetrated, and if the attacks are successful, what remediation steps a company could take to prevent a real attack from being successful. For the PenTest+ certification exam, remember that remediation steps within the report are a must for any successful penetration test.

A key point to remember is that the person performing the penetration test — the pentester — is taking the mindset of a hacker and following the process a hacker takes. This involves much planning, as only 10 to 15 percent of the penetration test is actually performing the attacks. Like hacking, penetration testing is 85 percent preparation so by the time the attack is performed, the hacker or pentester is quite sure the attack will be successful. You can compare this process to robbing a bank. A bank robber will spend the most time planning the robbery. When it comes time to rob the bank, the actual act of robbing the bank is done in minutes (or so I hear).

Reasons for a pentest

Why would a company conduct a penetration test? The purpose of a penetration test is to obtain a real-world picture of the effectiveness of the security controls put in place to protect the company’s assets.
Instead of taking the word of the security team that configured the security of the environment, you can put the security to the test by having someone take the steps a hacker would take and see if the security holds up. In performing such a test, the pentester can also obtain a list of steps the company could take to prevent real attacks from being successful. Another reason to perform penetration testing is to be in compliance with regulations. Depending on the industry a company services, organizations may be governed by regulations that require penetration testing to be performed on a regular basis to ensure the security of the organization. For example, companies that collect and store sensitive payment card information are governed by the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS has strict requirements for activities that must be performed to help keep sensitive payment card information secure. Check out “Best Practices for Maintaining PCI DSS Compliance” and “Penetration Testing Guidance” to learn more about PCI DSS compliance requirements. The following table summarizes two key requirements from the best practices document published by the PCI Security Standards Council. These requirements specify that organizations must perform an annual penetration test and implement any remediation actions identified by the test. Organizations must also perform a network segmentation penetration test every six months to maintain compliance. PCI DSS Best Practices Requirements Requirement Title Description 11.3 Penetration testing Perform annual penetration testing against preordinated use cases/attack scenarios and perform remediation actions to address any identified vulnerabilities 11.3.4.1 Six-month penetration testing for segmentation Bi-annual penetration testing conducted for network segmentation controls Source: PCI Security Standards Council. Best Practices for Maintaining PCI DSS Compliance. January 2019: pp 46-47. 
Available at www.pcisecuritystandards.org.

The PCI Security Standards Council’s “Penetration Testing Guidance” document gives more detail on the compliance requirements, such as the fact that you must also perform a penetration test any time major changes are made to the network infrastructure or to applications within the organization (on top of the annual penetration test). The key point here is that compliance requirements can drive the need to perform penetration tests on a regular basis.

For the PenTest+ certification exam, remember the two main reasons to perform a penetration test: (1) to get an accurate picture of the results of an attack, and (2) to be in compliance with industry regulations.

Who should perform a pentest

Now that you know what a penetration test is, the next logical question is who should perform it. You have two choices: internal staff or an external third-party company.

Internal staff

Many organizations opt to have their internal security staff perform penetration testing. This is a good idea as it saves money, but you must make sure there is no conflict of interest with the group performing the pentest, and that the people performing it are qualified to conduct it. The members of the internal team performing the penetration test should not be part of the team that installed, configured, or manages the systems or networks being assessed. They should also not be the people responsible for implementing the security of those systems, as that is a direct conflict of interest. A separate team should be dedicated to assessing security within the organization and performing the penetration tests.

Companies may also create separate internal teams, a red team and a blue team, to help assess the security of assets within the organization.
The red team is an internal security group that performs attacks on company assets, such as penetration tests and social engineering attacks, to validate whether the company’s assets are adequately protected. The blue team is the internal security group focused on protecting the assets. This includes monitoring the security controls, the intrusion detection systems, and the logs to protect the assets and to identify when a security breach occurs. It is important to note that the red team’s job is to stay up to date on new attack methods, while the blue team must be current on new technologies used to protect assets from attacks. The red and blue teams should also meet regularly to update each other on lessons learned so that both teams are fully aware of current attacks and mitigation strategies.

Penetration testing can be a costly affair, so having an internal team can save the company a lot of money and allow for more regular pentests.

External third party

Going with a third-party company to perform the penetration test also has its benefits. For example, the third-party company is most likely not familiar with the organization’s environment (just as a hacker would not be), so it can provide a more realistic picture of an attack because it has to discover the systems itself (depending on the type of pentest). Using external testers is also beneficial because you get a fresh set of eyes looking at your network and systems. Internal staff have designed the defensive posture based on the attack vectors they are aware of, while external testers may know different attack vectors and may take a totally different approach to exploiting systems.

However, using a third-party company also raises some concerns. For example, what are the qualifications of the consultants doing the pentest? And how will the details and results of the pentest be kept confidential?
With a third-party company involved, confidentiality can be more challenging than with internal testers. A final concern is cost: going with a third-party company can be very costly, as penetration testing is a time-consuming process that requires specialized skills.

Qualified pentesters

Whether you choose internal staff or an external third-party company to perform the penetration test, it is critical that you validate the qualifications of the individuals performing it prior to the engagement. The first qualification to look for in a pentester is whether that person holds industry-standard certifications that prove his or her penetration testing knowledge. For example, you may require that all individuals performing a penetration test hold the CompTIA PenTest+ certification. However, certification is not enough. The pentester should also have prior experience performing penetration tests. Following are some questions to ask when hiring a third-party company to perform a penetration test:

Does the penetration testing team have experience from prior penetration tests?
Has the team performed a test against a similarly sized organization before?
Does the team have experience with the types of systems and platforms used by the company?
Does the team have experience with network-layer testing (networking systems and configuration)?
Does the team have experience with application-layer testing, and is it familiar with Open Web Application Security Project (OWASP) Top 10 validation techniques? (The OWASP Top 10 is a regularly updated list of the most critical web application security risks, such as injection and broken access control.)

How often a pentest should be performed

There is no concrete answer to how frequently you should perform a penetration test; however, it is best practice to perform a pentest annually and after any major change to the infrastructure.
Standards such as the PCI DSS state that in order to be compliant, organizations must perform external testing once a year, plus after any major changes to the network infrastructure or application environments. The PCI DSS also states that you must perform internal testing once a year and after any major changes.

Regular schedule

If your organization is not governed by regulations that dictate when you need to perform a penetration test, you can create your own schedule. Hiring an external team of penetration testers can be expensive, so one option is a schedule that uses internal staff to test internal and external assets more frequently than an external company does. For example, a schedule could look like this:

Every 12 months: Penetration testing of internal assets is performed by internal staff.
Every 12 months: Penetration testing of external assets is performed by internal staff.
Every 24 months: Penetration testing of internal and external assets is performed by a third-party company.

Using internal staff for pentesting helps reduce the cost of testing while still performing tests on a regular basis. However, you should have a third-party company perform a penetration test at some point, because it is a great way to get a real-world picture of your assets’ vulnerabilities.

After major changes

You should also perform a pentest after making any major change to the network infrastructure or application environments, such as a software upgrade. Examples of infrastructure changes include adding a new server to the network, replacing a server with a new one, or adding a new network segment. These changes could introduce new ways for hackers to get into the network, so you want to perform a penetration test to verify that all is secure.
In addition, any change to the software configuration, such as a piece of software being upgraded, should result in a penetration test of that component so that you can verify there are no vulnerabilities in the new software. For the PenTest+ certification exam, remember that a penetration test should be performed annually and after any major change to the infrastructure.

Other considerations

A few additional considerations relate to the timing of pentests. For example, one of the risks of a penetration test is that you could end up crashing a system or network. So, to ensure your pentests succeed in providing the information you want, follow these recommendations when possible:

Perform pentests in a mockup environment. When performing penetration testing, you run the risk of crashing systems or networks due to the nature of the attacks. If possible, create copies of systems inside a test environment and perform the penetration test on the test systems. It is critical that the test systems are an exact copy (same patch levels, configuration, and integrations) so that the result accurately reflects the real system; any drift between the copy and production reduces the value of the test.

Perform pentests before deploying the system or application into production. If possible, perform a test before a system or application is put into production. This helps reduce the cost of maintaining the system, as it is more costly to fix security issues once the system or application is live.

Perform pentests on a regular basis. Penetration testing is not a one-time thing. For example, if you perform a security test on a web server before it is put into production and find it is ready for production because all simulated attacks were unsuccessful, that does not mean you never need to test this system again. You will test the system again during the next annual penetration test.