Getting started with penetration testing
Penetration testing is often looked on as an elite set of skills that only a few can learn. It’s also thought that expensive equipment and tools are needed to perform a penetration test. You may think that you can’t get started in it because you don’t have the money to buy the required gear. It’s not hard to find indications that this might be true. A quick look at penetration testing software suites can blow you out of the water with their price tags. You may also feel that you need to have all this gear at once before you can get started. Fortunately, the reality is quite different. Let’s take a look at this idea and what you can do to start building your penetration testing kit now. You’ll likely find that you already have most of these tools available to you!
Let’s start out with the basics that you will need for your first pen test. Network penetration tests are some of the least expensive (in terms of required equipment) to perform. You’ll need a reasonably powerful laptop, some kind of vulnerability scanner, a way to write your notes and report, internet access and liability insurance. What does a “reasonably powerful” laptop mean? Mostly we are talking about something with enough CPU, memory and storage to run virtual machines, some Java applications and any other tools and apps you want to have open while you work. No one enjoys using a resource-starved machine while trying to get work done. I personally use a Macbook Pro with 16 GB of memory. Honestly, 16 GB of memory is kind of my baseline requirement for a laptop. The operating system you use is somewhat less important. You can use Windows, Linux or OS X to perform a penetration test. Pick what you are most productive in and don’t get too caught up in arguing over the benefits of your choice. That said, you will need decent familiarity with Linux.
Next, you’ll want some form of a vulnerability scanner. This can get a bit expensive if you want to go the commercial software route. However, if you just want to get started you can always use OpenVAS, which is an open source scanning application. It has its issues, but it does a decent job. Once you get a paid engagement or two under your belt you can look at buying something like Nexpose, Nessus or whatever. It’s important to note that vulnerability scanning is only a starting place for your assessments. You use it to get an idea of what is on the client’s network quickly and efficiently. Simply running a scan is just that: you ran a scan and did not perform a penetration test. So look at this for what it is and not what you wish it was. It’s a tool to get things rolling and not the end of testing.
You’ll need to be able to take notes and write your report to perform a penetration test. I generally use some kind of word processor and let it go at that. Google Docs, Word, whatever. There are applications and frameworks such as Dradis to share testing information amongst testers and to organize your data, but they aren’t required. Sometimes they become more of a pain than a benefit. The easiest way to do this is to open up a document, drop screenshots, URLs, notes and results into the document as you go. Then you can take this data and put it into your separate report.
Internet access is kind of a “duh, of course” requirement. However, there is one note here for you to pay attention to. If you are working from home using consumer-focused internet access, you may find that your ISP filters some outbound and inbound network traffic, such as access to port 25 (SMTP) and others. Generally this is to limit spam from compromised customers. This filtering can really mess with your results, so be aware and be prepared. Either pay for business-oriented internet access or use a server outside your home network to test through. I’ve used various cloud providers and they’ve all done well in this regard.
Insurance isn’t something that’s usually mentioned in articles like this, but it is an important part of doing security testing. You want to make sure you don’t lose your house because something went bad during a test. I’m not going to get into that here, but I wanted to highlight the need for adequate liability insurance. Make sure you are protected!
With those basics out of the way, let’s take a look at some of the tools you’ll want to use. First off, you are going to need some kind of virtualization. VirtualBox from Oracle is free and you can get it at https://www.virtualbox.org/. I tend to prefer VMWare Fusion, but that costs a few bucks and you may not have or want to spend that money. One of the reasons that I like VMWare’s products is that most virtual machines that you download are in the VMWare format. Yes, you can import them into VirtualBox, but I’ve seen some wonky things happen.
On the subject of virtualization, you are going to want a few virtual machines. At a bare minimum, you are going to want Kali Linux and a Windows based VM. Kali is just awesome. Period. It has almost anything you’d need during a penetration test and it’s free. OpenVAS is installed already, as is nmap, Burp, Metasploit, wireless tools, password guessing tools, web app tools, etc. Download it and get familiar with it.
Your Windows based VM is probably not going to be used a ton, but there are apps like Cain that can be very useful during a test. Also, in an internal penetration test you will find a ton of SMB shares and digging through them can be tedious on OS X and Linux. You’ll also end up with situations where you need to install a Windows app that is used by a client. I tend to set up all my VMs with a base install, take a snapshot of them before the test, perform the assessment, and then revert back when the test and report are completed.
One of the very few commercial tools that I recommend purchasing early on is Burp Suite Pro. The free version of Burp Suite is fine for learning, but is so limited that it can’t be used during an assessment. Intruder is one of my favorite tools within Burp and the free version of it is largely useless. Also, you can’t save your Burp state in the free version. You’ll want to save your Burp state at least once a day during an engagement. If you don’t, you’ll get bit when Burp crashes on you and you lose all of your testing data. I’ve had it happen and it sucks. The paid version of Burp also has the active scanner. You don’t want to rely too heavily on this for your testing, but it definitely finds stuff and can help improve your test efficiency.
Finally, you are going to want things like network cables and a small network switch. The time you forget to bring these to an onsite engagement will be the time that the client doesn’t have them available.
Mobile Penetration Testing
Mobile penetration testing is very similar to web application testing. You’ll need an interception proxy to get between the mobile app and the back end web services. The testing workflow is pretty much the same as well. The major difference is the amount of equipment that is needed to perform these tests. The main platforms are iOS and Android, so you will need devices for each of them. You’ll need both platforms in phone and tablet forms. Some apps are substantially different between the tablet and the phone. Sometimes you’ll find apps that only work on a phone. Also be ready to purchase new devices to keep up with the requirements of your target applications. Android can be really interesting in this regard due to the fragmentation (the wide variance of OS versions and hardware specs) that is present within its ecosystem.
With iOS it’s important to be careful about which version of the OS you have applied. Keeping your devices up to date is important on any daily use device, but on testing systems you need to stick to versions that are able to be jailbroken. Why jailbroken? Apple is getting pretty strict about how it handles TLS certificates and recognizing valid ones. This is great for users, but makes life hard on testers. Also, some applications are using certificate pinning to require a specific certificate chain before the device will talk to a back end system. If you put up a proxy with a certificate outside of this chain, then the app won’t work. The only ways to get around this involve jailbreaking your device. So be aware of this issue.
You’ll also need a bit more equipment to perform wireless assessments. The main concern is to have a good antenna that allows you to work with 802.11 a/b/g/n/ac/etc. Alfa makes some great USB antennae that you can use for this purpose. The software tools that you will need are largely on Kali Linux, so you won’t need to hunt too much down in this regard. If you decide to get into testing NFC, Bluetooth and other wireless protocols, then you’ll need equipment for each of them as well.
Other Fun Stuff
If you have everything mentioned above, you’ve got pretty much what you need for most penetration tests. There’s always other fun stuff out there that you may want later. One that I get a kick out of is using USB RubberDuckies. These devices look like a normal flash drive, but actually act as devices like keyboards and have pre-programmed instructions on them to download exploit payloads and other fun stuff. A number of organizations believe that they have USB ports pretty well locked down and are very surprised when we plug one of these in and have a remote shell on the system in a few moments. Checking for this type of issue is particularly important when a client has computer systems that are in public areas. Banks and doctors’ offices are examples of these.
What you may find from here is that you will be doing assessments and a client will ask you if you could do a penetration test to simulate an attacker doing X. You look at the idea and may realize that you need some additional tools to perform this assessment. That’s when you end up going out and buying some new toys to work with. It’s always a lot of fun to get to work with something new, and these engagements typically end up being a little more challenging than normal. That’s one of the benefits of doing penetration testing. The variety of work you can run into always keeps you on your toes and keeps your equipment stash growing.
One last thing that I want to mention. This post is focused on tools and equipment, but penetration testing isn’t just about having lots of gadgets to work with. It’s about a mindset of thinking how things can fail and working through a methodology that allows you to get the results needed for your client. You can go out and buy a software suite that claims to be click and exploit, but if you don’t know what it is doing or how it is doing it, you aren’t helping anyone. You won’t be able to really explain what the risk of an issue is or how to fix it. As penetration testers we focus on how to break into things. Our clients are concerned with finding these issues and getting good information on how to fix them. The report of the issues and your recommendations are the result they are buying. If you can’t write well, explain the issues found, how they can be abused and how they can be fixed, then you aren’t performing a useful service for your clients. So make sure you bring the right tools to the job, but also make sure that the knowledge you have is applied in a way that helps your clients better protect their environments.