Recently, I was lucky enough to take a course from Offensive Security called Penetration Testing with Kali Linux, which introduces students to the basics of penetration testing. From my point of view, this course is one of the best I have ever taken. I have taken part in many kinds of trainings and courses in different areas of theory and practice, but this one made one of the strongest impressions on me.
Information security services known as penetration testing, or pentest, are in fact not offered in our country (Uzbekistan); there are no specialists with the appropriate level of training. It was extremely interesting for me to understand from the inside how penetration testing specialists work, and given that Offensive Security is considered the recognized world leader in teaching this skill, choosing this training was the ideal option.
In this article I would like to share my experience of touching the world of top-level information security experts and the lessons I learned from it. Let's go in order. I will tell, within what my agreement with Offensive Security permits, about the course itself. It consists of video and written materials in PDF format, which are provided to the student for self-study. However, the beauty of the course lies elsewhere. The most interesting part begins in the lab, where you are asked to test a number of virtual machines, organized as the corporate network of a hypothetical customer, for existing vulnerabilities.
What does a course from Offensive Security give the student?
Without going into the technical details of the course materials and lab work, which I am not allowed to disclose, I would like to highlight the following points that every student will face:
1. The main motto of the course, which permeates the whole training, is "Try Harder". My main lesson from the training is that you need to explore all the software present on the target computer and analyze what should be running and how it works. Researching a running server or user computer is the basis for the success of any penetration test. This work can take many hours and even days, but if it is not done properly, you will most likely fail. It is persistence, perseverance and curiosity that allow a pentester to be successful.
2. In the course of the work, a specialist in researching the security of information systems has to deal with many different frameworks, programming languages, operating systems and types of software. The modern IT world is so large and diverse that it is impossible for one person to know everything. Frequently, the specialist testing the security of a system must carry out serious research on a system that is new to them in order to understand its vulnerabilities. In many ways this work resembles scientific research. Its result is the discovery of weaknesses in software packages that lead, in one form or another, to the compromise of the system. The course teaches you to be prepared for constant acquaintance with new software systems, their analysis and the identification of vulnerabilities.
3. Knowledge of the actual tools with which testing specialists do their work, as well as the refinement of skills in applying them, is one of the most useful things students receive from the course. Tasks in the field of information security research are often simply impossible to accomplish without knowing the necessary tools and utilities. Software such as Metasploit, NMAP and SQLmap lets you automate a large amount of the pentester's routine work, so that you do not have to reinvent the wheel every time and write code for the standard tasks of an information security researcher. The Kali Linux distribution contains a great many utilities for carrying out pentests. It is probably not worth memorizing how each one works, but basic skills in using the core utilities must be confidently developed in order to conduct high-quality testing of various information systems.
4. The most interesting and important part of the course is the test lab environment with a large number of virtual machines, each of which has certain vulnerabilities that allow a student to hone particular skills in penetrating computers and servers. The difficulty of penetrating each machine varies widely, starting from very simple ones that yield to a single known exploit and ending with those that require a great deal of intellectual work to find a potentially problematic application, modify existing exploits, and understand the internal mechanisms of the application and the operating system. The lab presents a wide range of operating systems, both client and server, as well as a wide variety of applications and the programming languages they use.
Preparation for the course
Now that the course is completed, comparing my preliminary expectations with what actually happened, I can say the following. Firstly, according to my preliminary estimates, it should have taken about 100 hours to complete the course. In reality, the time spent on this course was much greater; I think the total time I spent on the course was about 300 hours. I assess my expertise in information technology as a whole at a fairly high level: I have good knowledge of operating systems and server applications, as well as network technologies, and basic knowledge and skills in writing programs in various programming languages. But I had no serious experience or knowledge in penetration testing before. And this course was a real challenge for me, since it requires specific skills and creative thinking. Often one task or another baffled me, and it took time to think and to lean harder on Internet search engines. It is likely that for specialists already working in penetration testing, this course will seem simple. It is essentially an introduction to this area of information security and serves as a foundation of expertise for those who want to do this professionally. In the future, as skills develop, they can be built up not only in correctly finding vulnerabilities and using exploits, but also in creating exploits yourself.
What I would like to say to those who are planning to take this course but do not have extensive pentest experience behind them: order the course for the maximum number of days you can afford financially. Get ready for the fact that all your free time will be spent on getting through this course. You will be working on the course at work, at home, on vacation, even in your sleep; you will dream about how to gain access to a particular computer in the lab. Most likely, your loved ones will "lose" you for the time you are on the course, and you need to be ready for this. If for one reason or another you are not ready to allocate a sufficiently large number of hours to the course, then it is better to set it aside and not throw money away.
One of my colleagues once asked whether it is possible to carry out rapid penetration tests for customers, which would not take much time and would quickly identify security problems. Now it is obvious to me that unless the customers are organizations with the same kind of IT infrastructure, each new pentest engagement will largely be a new study and will require a decent amount of time to carry out. Identifying real security problems in an IT infrastructure without serious preparation and in-depth study of the network is unlikely.
Thoughts on security awareness in practice
During the course, as well as after it was completed, I had many thoughts about what could be useful to me in the future, at work and in life. I would like to pay particular attention to the following things:
1. The first thing you start thinking about when studying the course materials is antivirus and personal firewall software on your personal computer. Even if they do not provide complete protection for your workstation, they at least make the task of an attacker who wants to steal data from your computer much more difficult. It is striking how many computers are hacked using publicly available information from the Internet. The course shows various techniques that exploit, from remote computers, both vulnerabilities in the operating system and in the software installed on it, as well as vulnerabilities in web browsers that allow attackers to penetrate your computer without your knowledge while you are browsing various web content.
Intrusion techniques are so varied, and new vulnerabilities appear every day, that being confident about the security of your personal computer becomes an unaffordable luxury.
I do not want to advertise any specific product, but I have once again come to the conclusion that there must be an antivirus on the computer, and it must be constantly updated. Of course, everyone should choose the antivirus software they trust.
2. The second thing that matters most when building protection for your network, and which the course convinces you of once again, is the need to regularly update all the software components of the IT infrastructure. Most known vulnerabilities, and even more so known exploits, exist only in software that is not updated or is updated irregularly. The primary task of any administrator, network or system, is to install updates, especially security-critical updates, on all servers, computers, network devices and so on under their control. Only by performing these simple actions can one significantly reduce the risk of intruders entering the corporate network and make it far harder for outsiders to access.
3. To engage in penetration testing you need to love this work madly. It cannot be done half-heartedly or under the lash. Most of the work consists of initially unformalized tasks that the pentester must understand and solve. There are often no ready-made paths and recipes for finding vulnerabilities; each server and each virtual machine has its own characteristics, which often interfere with the work of ready-made exploits. But before using exploits, you still need to find vulnerabilities in one application or another, understand how these applications work, and where the weakness is. As already mentioned above, refined skills in working with pentester tools, as well as a clear understanding of the testing methodology, make this process more transparent and easier to carry out. However, even taking these skills and knowledge into account, a pentester needs a non-trivial approach to solving the problems that arise, as well as diligence and hard work to bring the work to its logical end. The entire process described above translates into a huge investment of time during the work. The work of a pentester can be compared with the profession of a doctor: you need an extensive theoretical base and knowledge, plus passion for your work and perseverance.
Summary
Summarizing everything written above, I would like to give a brief summary of the place of penetration testing among information security services, and of whether it is necessary to conduct such a study of one's infrastructure. Pentest, as a service, allows you to identify vulnerabilities in the operation of the network, servers, applications and various IT services that can be exploited by attackers and result in the loss or modification of data. The testing itself depends heavily on the people who conduct it, on their expertise and skills. The more theoretically and practically savvy the participating pentesters, the better the result will be. The need to carry out such work primarily depends on how important and critical the information, the operation of the IT systems and the entire IT infrastructure are to the organization's management. If the security of the internal IT infrastructure is not a requirement for the organization, and the recovery time of services in the event of a failure can be quite long, then a pentest is definitely not needed. Pentest serves as one of the building blocks of an organization's information security, which allows, from a technical point of view, a real audit of the security of the organization's systems and the identification of those places that need to be strengthened and worked on. On paper and in words, the protection of an organization can be beautiful, but in practice it may not be so rosy, and the forgetfulness of administrators or the negligence of programmers can often lead to huge security gaps. It seems to me that a pentest will allow the heads of organizations to be sure that their information security system is built correctly and functions as intended.