Cybersecurity is one of the most rapidly growing fields in information technology. Every day, numerous attacks are executed against various entities, from individuals to large enterprises and even governments. Due to these threats in the digital world, new professions are being created within organizations for people who can protect assets. This book aims to give you the knowledge and techniques that an aspiring penetration tester needs in order to enter the field of cybersecurity. A penetration tester is a professional who has the skills of a hacker; they are hired by an organization to perform simulations of real-world attacks on their network infrastructure with the objective of discovering security vulnerabilities before a real attack occurs. The penetration tester does this task with written legal permission from the target organization. To become a highly skilled hacker, it's vital to have a strong understanding of computers, networking, and programming, as well as how they work together. Most importantly, however, you need creativity. Creative thinking allows a person to think outside the box and go beyond the intended uses of technologies and find exciting new ways to implement them, doing things with them that were never intended by their developers. In some ways, hackers are artists.
Throughout this book, we will be using one of the most popular operating systems for penetration testing, Kali Linux. The Kali Linux operating system has hundreds of tools and utilities designed to assist you during a vulnerability assessment, penetration test, or even a digital forensics investigation in the field of cybersecurity. We will use Kali Linux to take you through various topics using a student-centric approach, filled with a lot of hands-on exercises starting from beginner level to intermediate to more advanced topics and techniques.
In this chapter, you will become acquainted with what hackers are and how they can be classified based on motivations and actions. You'll learn important terminology and look at methods and approaches that will help you throughout this book and set you on your path to becoming a penetration tester. You'll be introduced to the workflow of a hack as well.
In this chapter, we will look at the following topics:
- Who is a hacker?
- Key terminology
- Penetration testing phases
- Penetration testing methodologies
- Penetration testing approaches
- Types of penetration testing
- Hacking phases
Hacker, hack, and hacking are terms that have become ubiquitous in the 21st century. You've probably heard about life hacks, business hacks, and so on. While these may be, in some sense of the word, forms of hacking, the traditional form of hacking we'll discuss in this book is computer hacking. Computer hacking is the art of using computer-based technologies in ways they were never intended to be used to get them to do something unanticipated.
Hacking has taken on many different names and forms throughout the years. In the late 20th century, a common form of hacking was known as phreaking, which abused weaknesses in analog phone systems. Computer hacking has been around for more than half a century and, over the past few decades, has become a pop culture sensation in Hollywood movies and on television shows. It's all over the news, almost daily. You hear about things such as the Equifax, NHS, and Home Depot data breaches all the time. If you're reading this book, you have made your first step toward better understanding this fringe form of engineering.
Now that we have a better idea of what a hacker is, let's explore the various classifications of hackers.
Hacking has many varieties or flavors, and so there are many classifications for hackers. In this section, we'll explore the various types of hackers, including the activities, skill sets, and values associated with each.
The following are the different types of hackers:
- Black hat
- White hat
- Gray hat
- Script kiddie
- Cyber terrorist
At the end of this section, you will be able to compare and contrast each type of hacker.
Every field has certain terms that become a major part of the language of that field. Information security and cybersecurity are no different. The following are the most common terms, and we'll explore them in detail in this section:
- Threat
- Asset
- Vulnerability
- Exploit
- Risk
- Zero-day
- Hack value
Let's delve into these terms in more detail.
A threat in terms of cybersecurity is something or someone that intends to cause harm to another person or system. Furthermore, we can look at a threat as something that has the potential to cause malicious damage to a system, network, or person.
Whether you're on the offensive or defensive side in cybersecurity, you must always be able to identify threats. However, while we need to be aware of threats, we also need to know what has to be protected against threats. We call the entity in need of safeguarding an asset. Let's look at what constitutes an asset.
Assets, in terms of cybersecurity, are anything of value to an organization that needs to be protected. On a network, they are the systems that can be interacted with and that, if weakly configured, give an attacker a way in: a way to escalate from standard user access to administrator/root-level access, or to gain remote access to the network. It is important to mention that assets are not and should not be limited to technical systems. Other forms of assets include humans, physical security controls, and the data that resides within the networks we aim to protect.
Assets can be broken down into three categories:
- Tangible: These are physical things such as networking devices, computer systems, and appliances.
- Intangible: These are things that are not in a physical form, such as intellectual property, business plans, data, and records.
- Employees: These are the people who drive the business or organization. Humans are one of the most vulnerable entities in the field of cybersecurity.
One key step in vulnerability assessment and risk management is to identify all the assets within an organization. All organizations have assets that need to be kept safe; an organization's systems, networks, and assets always contain some sort of security weakness that can be taken advantage of by a hacker. Next, we'll dive into understanding what a vulnerability is.
A vulnerability is a weakness or defect that exists within technical, physical, or human systems that hackers can exploit in order to gain access to or control over systems within a network. Common vulnerabilities that exist within organizations include human error (the greatest of vulnerabilities on a global scale), web application injection vulnerabilities, and one of the oldest classes of vulnerability, the buffer overflow.
Now that we know what a vulnerability is, let's take a look at what is used by a hacker to take advantage of a security weakness in the next section.
An exploit is the means by which a hacker takes advantage of a weakness or vulnerability in a system: a piece of code, a sequence of commands, or a technique that turns the weakness into behavior the system was never meant to have. For example, take a hammer, a piece of wood, and a nail. The vulnerability is the soft, permeable nature of the wood, and the exploit is the act of hammering the nail into it.
As a cybersecurity professional, you must understand vulnerabilities and exploits to reduce the likelihood of being compromised. In the next section, we will describe risk.
Risk is the potential for harm to an organization when a threat takes advantage of a vulnerability in an asset. It is commonly evaluated as the likelihood of that happening combined with the impact if it does, and weighed against the organization's other vulnerabilities, threats, and assets so that the most serious issues are addressed first. Evaluating risk helps to determine the likelihood of a specific issue causing a data breach that will harm an organization's finances, reputation, or regulatory compliance.
Reducing risk is critical for many organizations. There are many certifications, standards, and frameworks that are designed to help companies understand, identify, and reduce risks. Later, in the Penetration testing methodologies section, we will cover such standards and frameworks. Next, we'll look at threats that companies do not know about because no one has identified them yet—zero-day attacks.
A zero-day vulnerability is a flaw that is unknown to the vendor and, usually, to the rest of the world, which means no patch exists for it; a zero-day attack uses an exploit for such a flaw. These attacks are commonly used by nation-state actors, as well as by large criminal organizations. The discovery of a zero-day can be very valuable for ethical hackers and can earn them a bug bounty. These bounties are fees paid by vendors to security researchers who discover previously unknown vulnerabilities in their applications.
Today, many organizations have established a bug bounty program, which allows anyone who discovers a vulnerability in one of the vendor's systems to report it responsibly. The person who reports the vulnerability, often a previously unknown flaw, is given a reward. Whether a hacker reports a flaw or exploits it for personal gain depends on what they stand to gain from the hack; this is known as the hack value, which we will explore next.
The hack value is commonly referred to as the motivation or the reason for performing a hack on a system or network. It is the value of accomplishing the goal of breaking into a system.
You are now able to better describe the terminology used in penetration testing. In the next section, we will look at each phase of a penetration test.
While penetration testing is interesting, we cannot attack a target without a battle plan. Planning ensures that the penetration testing follows a sequential order of steps to achieve the desired outcome, which is identifying vulnerabilities. Each phase outlines and describes what is required before moving onto the next steps. This ensures that all details about the work and target are gathered efficiently and that the penetration tester has a clear understanding of the task ahead.
The following are the different phases in penetration testing:
- Pre-engagement
- Information gathering
- Threat modeling
- Vulnerability analysis
- Exploitation
- Post-exploitation
- Report writing
Each of these phases will be covered in more detail in the following sections.
During the pre-engagement phase, key personnel are selected. These individuals are key to providing information, coordinating resources, and helping testers understand the scope, breadth, and rules of engagement in the assessment.
This phase also covers the legal requirements, which typically include a non-disclosure agreement (NDA) and a consulting services agreement (CSA).
An NDA is a legal agreement that specifies that a penetration tester will not share or hold onto any sensitive or proprietary information that is encountered during the assessment. Companies usually sign these agreements with cybersecurity companies who will, in turn, sign it with employees working on the project. In some cases, companies sign these agreements directly with the penetration testers from the company carrying out the project.
The scope of a penetration test defines the systems that the testers can and cannot hack or test. To ensure that the penetration tester remains within legal boundaries, he or she must acquire permission in writing from the client or company requesting the services. Additionally, the penetration tester must sign an NDA. The agreement between the ethical hacker and the client also defines sensitive systems, testing times, and which systems require special testing windows. It's incredibly important for penetration testers to pay close attention to the scope of a penetration test and to where they are testing in order to always stay within the testing constraints.
The following are some sample pre-engagement questions to help you define the scope of your penetration test:
- What is the size/class of your external network? (Network penetration testing.)
- What is the size/class of your internal network? (Network penetration testing.)
- What is the purpose and goal of the penetration test? (Applicable to any form of penetration testing.)
- How many pages does the web application have? (Web application penetration testing.)
- How many user inputs or forms does the web application have?
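Because staying inside the written scope is the tester's legal protection, a practitioner usually turns the answers to these questions into a check that every target passes before a single packet is sent. The following is an added example, my own code and not code from the book or from Kali Linux: the scope (two in-scope ranges, two excluded hosts, and a night-time testing window), the timestamps, and the function names are all constructed for illustration.

```python
"""Scope check against the rules of engagement (added example, not from the book).

The scope below is constructed: two in-scope networks, two hosts the
client excluded as sensitive, and a testing window of 22:00 to 06:00.
Every candidate target is checked against it before it is touched.
"""
from datetime import datetime, time
import ipaddress

# Constructed sample scope, as it might be copied from the signed rules of engagement.
SCOPE = {
    "networks": ["203.0.113.0/24", "198.51.100.0/25"],   # ranges the client authorised
    "excluded": ["203.0.113.10", "203.0.113.11"],         # sensitive hosts: never test
    "window": (time(22, 0), time(6, 0)),                  # agreed testing hours (local)
}

# Constructed timestamps used by the demo.
NIGHT = datetime(2024, 1, 15, 23, 30)   # inside the window
DAYTIME = datetime(2024, 1, 15, 12, 0)  # outside the window


def _networks(entries):
    """Parse CIDR strings (a bare address becomes a /32 or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_window(now: datetime, window) -> bool:
    """True if the clock time of `now` falls inside the window.
    Windows that wrap past midnight, such as 22:00 to 06:00, are handled."""
    start, end = window
    t = now.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def check_target(target: str, now: datetime, scope=SCOPE):
    """Return (allowed, reason). Exclusions are tested first so that an
    excluded host inside an allowed range is still rejected."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False, f"{target!r} is not an IP address; resolve it and check the address"
    if any(addr in net for net in _networks(scope["excluded"])):
        return False, f"{addr} is explicitly excluded from scope"
    if not any(addr in net for net in _networks(scope["networks"])):
        return False, f"{addr} is outside every in-scope network"
    if not in_window(now, scope["window"]):
        return False, f"{addr} is in scope but outside the agreed testing window"
    return True, f"{addr} is in scope"


def filter_targets(targets, now: datetime, scope=SCOPE):
    """Split candidates into those you may test and those rejected, with reasons."""
    allowed, rejected = [], []
    for target in targets:
        ok, why = check_target(target, now, scope)
        if ok:
            allowed.append(target)
        else:
            rejected.append((target, why))
    return allowed, rejected


def demo():
    """Run the check over a constructed candidate list during the night window."""
    candidates = ["203.0.113.5", "203.0.113.10", "198.51.100.200", "8.8.8.8", "host.example"]
    return filter_targets(candidates, NIGHT)


if __name__ == "__main__":
    allowed, rejected = demo()
    print("allowed:", allowed)
    for target, why in rejected:
        print("rejected:", target, "->", why)
```

The order of the checks is deliberate: an excluded host is rejected even though it sits inside an authorised range, and a hostname is rejected until it has been resolved, because the scope is written in terms of addresses, not names.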
Now that we've understood the legal limitation stages in penetration testing, let's move on to learn about the information-gathering phase and its importance.
Most types of penetration tests involve an information-gathering phase, which is vital to ensuring that testers have the key information they need to conduct their assessment. In a white or gray box engagement much of this information comes from the client; in a black box approach, which we will deal with later, the client provides little or nothing and the tester must gather it. Client-supplied information matters most for web application penetration testing, so the questions asked at this stage are generally geared toward web-based applications, such as those given here:
- What platform is the application written in?
- Does the application use any APIs?
- Is the application behind a web application firewall (WAF)?
- How does the application handle authentication?
- Does the application use Active Directory credentials to authenticate users?
- Do users access this application in any other way than through the web URL?
- Is the application internet-facing or internal?
- Does the application serve any sensitive information or system access?
Understanding the target is very important before any sort of attack as a penetration tester, as it helps in creating a profile of the potential target. Recovering user credentials/login accounts at this phase, for instance, will be vital to later phases of penetration testing as it will help us gain access to vulnerable systems and networks. Next, we will discuss the essentials of threat modeling.
Threat modeling is a process used to assist testers and defenders to better understand the threats that inspired the assessment or the threats that the application or network is most prone to. This data is then used to help penetration testers emulate, assess, and address the most common threats that the organization, network, or application faces.
Having understood the threats an organization faces, the next step is to perform a vulnerability assessment on the assets to further determine the risk rating and severity.
Vulnerability analysis typically involves the assessors or testers running vulnerability or network/port scans to better understand which services the network or application is running and whether there are any vulnerabilities in any systems included in the scope of the assessment. This process often includes manual vulnerability testing/discovery, which is often the most accurate form of vulnerability analysis or vulnerability assessment.
There are many tools, both free and paid for, to assist us in quickly identifying vulnerabilities on a target system or network. After discovering the security weaknesses, the next phase is to attempt exploitation.
Exploitation is the most commonly ignored or overlooked part of penetration testing, and the reality is that clients and executives don't care about vulnerabilities unless they understand why they matter to them. Exploitation is the ammunition or evidence that helps articulate why the vulnerability matters and illustrates the impact that the vulnerability could have on the organization. Furthermore, without exploitation, the assessment is not a penetration test and is nothing more than a vulnerability assessment, which most companies can conduct in-house better than a third-party consultant could.
To put it simply, during the information-gathering phase, a penetration tester will profile the target and identify any vulnerabilities. Next, using the information about the vulnerabilities, the penetration tester will research them and select or create specific exploits that will take advantage of the vulnerabilities of the target; this is what exploitation is. We use exploits (malicious code) to leverage a vulnerability (weakness) in a system, which will allow us to execute arbitrary code and commands on the target.
Often after successfully exploiting a target system or network, we may think the task is done—but it isn't just yet. There are tasks and objectives to complete after breaking into the system. This is the post-exploitation phase in penetration testing.
Exploitation is the process of gaining access to systems that may contain sensitive information. Post-exploitation is the continuation of this step, where the foothold gained is leveraged to access data or spread to other systems within the network. During post-exploitation, the primary goal is typically to demonstrate the impact that the vulnerability and the access gained can pose to the organization. This impact helps executive leadership better understand the vulnerabilities and the damage they could cause to the organization.
Report writing is exactly as it sounds and is one of the most important elements of any penetration test. Penetration testing may be the service, but report writing is the deliverable that the client sees and is the only tangible element given to the client at the end of the assessment. Reports should be given as much attention and care as the testing.
I will cover report writing in greater detail later in the book, but report writing involves much more than listing a few vulnerabilities discovered during the assessment. It is the medium in which you convey risk, business impact, summarize your findings, and include remediation steps. A good penetration tester needs to be a good report writer, or the issues they find will be lost and may never be understood by the client who hired them to conduct the assessment.
Having completed this section, you are now able to describe each phase of a penetration test. Furthermore, you have a better idea of the expectations of penetration testers in the industry. Next, we will dive into understanding various penetration testing methodologies, standards, and frameworks.
In the field of penetration testing, there are many official and standard methodologies that are used to perform a penetration test on a target system or network.
In the following sections, we will discuss the most popular standards and frameworks that are used in cybersecurity to ensure that organizations meet an acceptable baseline of operating in a secure environment.
OWASP stands for the Open Web Application Security Project. It publishes testing methodologies, such as the OWASP Testing Guide, as well as the OWASP Top 10, a list of the ten most critical security risks to web applications. The Top 10 is the de facto baseline used by web application penetration testers and is what most corporations expect coverage of when hiring penetration testers to test their web applications. Web application testing is also the most common and prevalent form of penetration testing.
This is one of the most popular frameworks, and every penetration tester should have a clear understanding of it when it comes to web application testing. However, it's equally important to understand others, such as NIST.
NIST stands for the National Institute of Standards and Technology, an agency of the US government. It publishes a number of Special Publications defining best practices and standards for organizations to employ in order to improve their security; SP 800-115, the Technical Guide to Information Security Testing and Assessment, covers penetration testing directly, and SP 800-53 catalogs security controls. It's important to understand NIST in order to map findings or discovered vulnerabilities to the appropriate controls and to help organizations understand the compliance implications of the issues discovered during the assessment.
At times, a target organization may require security testing using a specific framework or standard. Being familiar with the OSSTMM can be useful for your engagements with the target organization as a penetration tester.
OSSTMM stands for the Open Source Security Testing Methodology Manual, published by ISECOM. This is a community-driven, peer-reviewed set of security testing standards that every ethical hacker should be aware of and keep updated on. These standards cover a wide array of testing subjects and are especially valuable to those entering the industry, helping them better understand the process as well as testing best practices.
The knowledge found in OSSTMM will be a great asset as a penetration tester. In the next section, we will discuss the benefits of also understanding SANS 25.
SANS 25 refers to the CWE/SANS Top 25, a list of the 25 most dangerous software weaknesses drawn from the Common Weakness Enumeration (CWE), originally compiled with the SANS Institute and now maintained by MITRE as the CWE Top 25. When conducting assessments, it's good to be familiar with this list and understand how your findings map to it. In addition, understanding the top 25 weaknesses can help increase the breadth of your knowledge of security vulnerabilities. These issues typically extend far beyond what will be discovered through penetration testing alone, and understanding them may even help you identify additional vulnerabilities or risk trends during your assessments.
In my experience, employers usually want to ensure that their penetration testers are familiar with and understand each of these frameworks and standards. This knowledge is useful when conducting a security test/audit on an organization in a particular industry.
Now that you have a better understanding of popular penetration testing methodologies, let's dive into the three penetration testing approaches.
The following are different approaches to performing a penetration test on a target organization:
- White box
- Black box
- Gray box
Let's see what each of these entails.
A white box assessment is typical of web application testing but can extend to any form of penetration testing. The key difference between white, black, and gray box testing is the amount of information provided to the testers prior to the engagement. In a white box assessment, the tester will be provided with full information about the application and its technology, and will usually be given credentials with varying degrees of access to quickly and thoroughly identify vulnerabilities in the applications, systems, or networks.
Not all security testing is done using the white box approach; sometimes, only the target company's name is provided to the penetration tester. Next, we will cover the fundamentals of black box testing.
Black box assessments are the most common form of network penetration assessment and are most typical among external network penetration tests and social engineering penetration tests. In a black box assessment, the testers are given very little or no information about the networks or systems they are testing. This particular form of testing is inefficient for most types of web application testing because of the need for credentials in order to test for authenticated vulnerabilities, such as lateral and vertical privilege escalation.
In situations where black box testing is not suitable, there's another approach that exists between white and black box; this is known as gray box.
Gray box assessments are a hybrid of white and black box testing, and are typically used to provide a realistic testing scenario while also giving penetration testers enough information to reduce the time needed to conduct reconnaissance and other black box testing activities. In addition to this, it's important in any assessment to ensure you are testing all in-scope systems. In a true black box, it's possible to miss systems and, as a result, leave them out of the assessment. The gray box is often the best form of network penetration testing as it provides the most value to clients.
Each penetration test approach is different from the other, and it's vital that you know about all of them. Imagine a potential client calling us to request a black box test on their external network; as a penetration tester, we must be familiar with the terms and what is expected.
Now that we have covered the different approaches of testing, let's dive into the various types of penetration testing.
Vulnerability and port scanning cannot identify the issues that manual testing can, and this is the reason that an organization hires penetration testers to conduct these assessments. Delivering scans instead of manual testing is a form of fraud and is, in my opinion, highly unethical. If you can't cut it testing, then practice, practice, and practice some more. You will learn legal ways to up your tradecraft later in this book.
In the following sections, we will dive into various types of penetration tests.
Web application penetration testing, hereafter referred to as WAPT, is the most common form of penetration testing and likely to be the first penetration testing job most people reading this book will be involved in. WAPT is the act of conducting manual hacking or penetration testing against a web application to test for vulnerabilities that scanners won't find. Too often testers submit web application vulnerability scans instead of manually finding and verifying issues within web applications.
Now you have the essential understanding of WAPT, let's take a look at mobile application penetration testing in the next section.
Mobile application penetration testing is similar to web application penetration testing, but is specific to mobile applications that contain their own attack vectors and threats. This is a rising form of penetration testing with a great deal of opportunity for those who are looking to break into penetration testing and have an understanding of mobile application development.
As you may have noticed, the different types of penetration testing each have specific objectives. Next, we will look at a more human-oriented approach, social engineering.
Social engineering penetration testing, in my opinion, is the most adrenaline-filled type of testing. Social engineering is the art of manipulating basic human psychology to find human vulnerabilities and get people to do things they may not otherwise do. During this form of penetration testing, you may be asked to do activities such as sending phishing emails, making vishing phone calls, or talking your way into secure facilities to determine what an attacker targeting the client's personnel could achieve. I have personally obtained domain admin access over the phone, talked my way into bank vaults and casino money cages, and talked my way into a Fortune 500 data center.
There are many types of social engineering attacks, which will be covered later on in this book. Most commonly, you'll be tasked with performing security auditing on systems and networks. In the next section, we will discuss network penetration testing.
Network penetration testing focuses on identifying security weaknesses in a targeted environment. The penetration test objectives are to identify the flaws in the target organization's systems, their networks (wired and wireless), and their networking devices such as switches and routers.
The following are some tasks that are performed using network penetration testing:
- Bypassing an Intrusion Detection System (IDS)/Intrusion Prevention System (IPS)
- Bypassing firewall appliances
- Password cracking
- Gaining access to end devices and servers
- Exploiting misconfigurations on switches and routers
Now that you have a better idea of the objectives in network penetration testing, let's take a look at the purpose of cloud penetration testing.
Cloud penetration testing involves performing security assessments and penetration testing against an organization's cloud-hosted systems and its configuration of the cloud platform, to discover any vulnerabilities that may expose confidential information to malicious users.
Before attempting to directly engage a cloud platform, ensure you have the customer's written permission for the resources in their account or tenant and that you are following the provider's published penetration-testing policy. For example, if you are going to perform penetration testing on the Azure platform, you must follow Microsoft's rules of engagement for penetration testing, which state what may and may not be tested; other providers publish similar policies, some of which require prior notification or approval. Testing the provider's shared infrastructure itself, or running denial-of-service attacks, is prohibited by every major provider.
In the next section, we will cover the essentials of physical penetration testing.
Physical penetration testing focuses on testing the physical security access control systems in place to protect an organization's data. Security controls exist within offices and data centers to prevent unauthorized persons from entering secure areas of a company.
Physical security controls include the following:
- Security cameras and sensors: Security cameras are used to monitor physical actions within an area.
- Biometric authentication systems: Biometrics are used to ensure that only authorized people are granted access to an area.
- Doors and locks: Locking systems are used to prevent unauthorized persons from entering a room or area.
- Security guards: Security guards are people who are assigned to protect something, someone, or an area.
Having completed this section, you are now able to describe the various types of penetration testing. Your journey ahead won't be complete without understanding the phases of hacking. The different phases of hacking will be covered in the next section.
During any penetration test training, you will encounter the five phases of hacking. These phases are as follows:
- Reconnaissance
- Scanning
- Gaining access
- Maintaining access
- Covering tracks
In the following sections, we will describe each in detail.
The reconnaissance or information-gathering phase is where the attacker focuses on acquiring meaningful information about their target. This is the most important phase in hacking: the more details known about the target, the easier it is to compromise a weakness and exploit it.
The following are techniques used in the reconnaissance phase:
- Using search engines to gather information
- Using social networking platforms
- Performing Google hacking
- Performing DNS interrogation
- Social engineering
In this phase, the objective is to gather as much information as possible about the target. In the next section, we will discuss using a more directed approach, and engage the target to get more specific and detailed information.
The second phase of hacking is scanning. Scanning involves using a direct approach in engaging the target to obtain information that is not accessible via the reconnaissance phase. This phase involves profiling the target organization, its systems, and network infrastructure.
The following are techniques used in the scanning phase:
- Checking for any live systems
- Checking for firewalls and their rules
- Checking for open network ports
- Checking for running services
- Checking for security vulnerabilities
- Creating a network topology of the target network
This phase is very important as it helps us to create a profile of the target. The information found in this phase will help us to move onto performing exploitation on the target system or network.
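To make the first four checks in that list concrete, here is an added example, my own code and not from the book or from any Kali tool, of a TCP connect scan with banner grabbing. It distinguishes a refused connection (port closed, but the host is alive) from a silent timeout (most likely a firewall dropping the packets) and records whatever the service sends first. So that it runs offline, it starts a throwaway listener on localhost that answers with a constructed SSH-style banner; the banner text and the port numbers are made up, and you would only ever point the scanner at hosts that are in scope.

```python
"""TCP connect scan with banner grabbing (added example, not from the book).

probe_port() classifies one port as open (connected), closed (refused)
or filtered (no answer within the timeout, typical of a firewall drop)
and returns the service banner if one is sent. The local listener and
its banner are constructed so the demo runs without a real target.
"""
import socket
import threading


def probe_port(host: str, port: int, timeout: float = 1.0):
    """Return (state, banner) for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            try:
                data = conn.recv(256)          # many services talk first (SSH, FTP, SMTP)
            except socket.timeout:
                data = b""                     # service waits for the client, e.g. HTTP
            return "open", data.decode("utf-8", "replace").strip()
    except socket.timeout:
        return "filtered", ""                  # no SYN/ACK and no RST: something dropped it
    except ConnectionRefusedError:
        return "closed", ""                    # RST came back: host is up, nothing listens
    except OSError as exc:
        return "error", str(exc)               # e.g. network unreachable


def scan(host: str, ports, timeout: float = 1.0):
    """Probe each port in turn; returns {port: (state, banner)}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def is_live(results) -> bool:
    """A host that answered (open or refused) is up, even if it drops ICMP pings."""
    return any(state in ("open", "closed") for state, _ in results.values())


def start_fake_service(banner: bytes) -> int:
    """Constructed listener for the demo: accepts one client, sends the banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                 # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        client, _ = srv.accept()
        client.sendall(banner)
        client.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port() -> int:
    """Find a port nobody listens on (bind, read it back, release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Scan one constructed open port and one closed port on localhost."""
    open_port = start_fake_service(b"SSH-2.0-OpenSSH_9.6 (constructed banner)\r\n")
    closed_port = unused_port()
    results = scan("127.0.0.1", [open_port, closed_port])
    return open_port, closed_port, results


if __name__ == "__main__":
    opened, closed, results = demo()
    print("host live:", is_live(results))
    for port, (state, banner) in sorted(results.items()):
        print(f"{port:>5}/tcp {state:<8} {banner}")
```

A full connect scan completes the TCP handshake, so it is noisy and will show up in the target's logs; tools such as Nmap offer stealthier half-open scans, but the open/closed/filtered distinction shown here is the same one you read in their output.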
This phase can sometimes be the most challenging phase of them all. In this phase, the attacker uses the information obtained from the previous phases to exploit the target. Upon successful exploitation of vulnerabilities, the attacker can then remotely execute malicious code on the target and gain remote access to the compromised system.
The following activities take place in this phase, before and after access is gained:
- Password cracking
- Exploiting vulnerabilities
- Escalating privileges
- Hiding files
- Lateral movement
The gaining-access (exploitation) phase can at times be difficult as exploits may work on one system and not on another. Once an exploit is successful and system access is acquired, the next phase is to ensure that you have a persistent connection back to the target.
After exploiting a system, the attacker usually wants to ensure that they can regain access to the victim's system at any time, as long as the system is online. This is done by creating backdoor access on the target and setting up a persistent reverse or bind shell connection between the attacker's machine and the victim's system.
The objectives of maintaining access are as follows:
- Lateral movement
- Exfiltration of data
- Creating backdoor and persistent connections
Maintaining access is important to ensure that you, the penetration tester, always have access to the target system or network. Once the technical aspect of the penetration test is completed, it's time to clean up on the network.
The last phase is to cover your tracks. This ensures that you do not leave unnecessary traces of your presence on a compromised system. As penetration testers, we would like to be as undetectable as possible on a target's network, not triggering any alerts, while we remove the artifacts we created during the penetration test, such as uploaded tools, added accounts, and backdoors.
Covering tracks matters because a penetration test is designed to be stealthy and to simulate real-world attacks on an organization. Note that, unlike a real attacker, a penetration tester does not delete or tamper with the client's logs: that destroys evidence the defenders need, and the tester's activity should instead be recorded and disclosed in the report so the client can verify what was detected and confirm that nothing was left behind. What clean-up is permitted should be agreed in the rules of engagement.
During the course of this chapter, we discussed the different types of hackers while outlining their primary characteristics. The various types of penetration tests and phases were covered, including an exploration of popular testing methodologies and approaches used in the cybersecurity industry.
You are now able to compare and contrast the different types of hackers. You have gained knowledge and understanding of various terms used within the cybersecurity industry, and you have got to grips with the importance of and different phases of penetration testing. You are able to distinguish between various types of penetration testing, such as network, web, and even cloud penetration testing.
In Chapter 2, Setting Up Kali - Part 1, and Chapter 3, Setting Up Kali - Part 2, we will be covering the steps involved in setting up your own virtual penetration testing lab for practicing and building your skill set. I hope this chapter has been helpful and informative for your studies and career.
- What type of hacker depends on instructions and tools created by others but does not understand the technical aspects of hacking?
- What is the last phase of hacking?
- Which penetration testing methodology is used on web applications?
- What is the approach where the penetration tester has the least knowledge about the target?
- What type of hacker is employed by a nation's government?
- Penetration testing methodologies: https://www.owasp.org/index.php/Penetration_testing_methodologies
- Penetration testing phases: https://www.imperva.com/learn/application-security/penetration-testing/