Hack me if you can, or what penetration testing is

    Recently, I was fortunate enough to take a course from Offensive Security called Penetration Testing with Kali Linux, which introduces students to the basics of penetration testing. In my opinion, it is one of the best courses I have ever taken. I have attended many trainings and courses, theoretical and practical, in various fields, but this one made one of the strongest impressions of my life.

    Information security services known as penetration testing, or pentest, are essentially absent in my country (Uzbekistan); there are no specialists with the appropriate level of training. I was extremely interested in understanding from the inside how penetration testers work, and given that Offensive Security is considered a recognized world leader in teaching this skill, this training was the ideal choice.

    In this article I would like to share my experience of touching the world of top-level information security specialists and the lessons I learned from it. Let me go in order, describing only the part of the course that my agreement with Offensive Security permits me to disclose. The course consists of video materials and written materials in PDF format, which are provided to the student for independent study. But the whole charm of the course is not in them. All the fun begins in the lab, where the student is invited to look for vulnerabilities in a number of virtual machines organized as the corporate network of a hypothetical customer.

    What the Offensive Security course gives the student


    Without going into the technical details of the course materials and lab work, which I am not allowed to disclose, I would like to highlight the following points that every student will encounter:

    1. The course's main motto, which permeates the whole training, is “Try Harder”. My main lesson from the training is that you need to investigate all the software present on the target machine and analyze what it should do and how, and what it actually does and how. Investigating a running server or user workstation is fundamental to the success of any penetration test. This work can take many hours or even days, but if it is not done properly, you will most likely fail. It is persistence, perseverance and curiosity that make a pentester successful.

    2. In the process, a security assessor has to deal with many different frameworks, programming languages, operating systems and kinds of software. The modern IT world is so large and diverse that no one person can know everything. Often a tester must do serious research into a system that is new to him in order to understand its vulnerabilities. In many ways this work resembles research and development: the result is finding weaknesses in software systems that lead to a compromise of the system in one form or another. The course teaches you to be prepared for constant acquaintance with new software systems, their analysis and the identification of vulnerabilities.

    3. Knowledge of the tools a tester works with, and honed skill in applying them, is one of the most useful things students take away. Tasks in security research are often simply impossible to solve without knowing the necessary tools and utilities. Software such as Metasploit, NMAP and SQLmap automates a large amount of the pentester's routine work, so that you do not have to reinvent the wheel and write code every time to solve the standard tasks of a security researcher. The Kali Linux distribution contains a great many pentest utilities; memorizing by heart how each of them works probably does not make much sense,

    4. The most interesting and important part of the course is the lab environment with a large number of virtual machines, each of which has certain vulnerabilities that let the student hone particular skills for penetrating workstations and servers. The difficulty of penetrating each machine varies greatly, from very simple ones that fall to a single well-known exploit to those that require a lot of intellectual work to find a potentially problematic application, modify existing exploits, and understand the internal mechanisms of the applications and operating systems. The lab presents a wide range of operating systems, both client and server, as well as a wide variety of applications and programming languages,

    Course preparation


    Now that the course is over, comparing my preliminary expectations with what actually happened, I can say the following. Firstly, by my preliminary estimate, about 100 hours would be needed to complete the course. In reality the time spent was many times greater; I think I spent about 300 hours in total. I rate my overall expertise in information technology fairly high: I have good knowledge of operating systems, server applications and network technologies, as well as basic knowledge and skills in writing programs in various languages. But before this I had no serious experience or knowledge in penetration testing, and the course was a real challenge for me, requiring specific skills and unconventional thinking. Often one task or another was perplexing; it took time for reflection and heavy use of Internet search engines. It is likely that for people already working as penetration testing experts this course will seem simple. It is essentially an introduction to this area of information security and serves as the basis for the examination for those who want to do this professionally. In the future, as skills develop, you can build up not only the ability to find vulnerabilities and use exploits correctly, but also to write exploits yourself.

    To those who plan to take this course but do not have rich pentest experience, I would say: order the course for the maximum number of lab days you can afford. Be prepared for all your free time to go into completing it. You will work on the course at work, at home, on vacation; in your sleep you will dream about how to get into one lab machine or another. Most likely your loved ones will “lose” you for the time you are busy with the course, and you need to be ready for that. If for one reason or another you are not ready to devote a sufficiently large number of hours to the course, it is better to postpone it and not throw money away.
    One of my colleagues once asked whether it is possible to conduct express penetration tests for customers that do not take much time and quickly identify security problems. It is now obvious to me that since customers' IT infrastructures are all organized differently, each new pentest engagement is in many respects a new study and requires a decent amount of time to carry out. It is unlikely that real problems in the security of an IT infrastructure can be identified without serious preparation and in-depth study of the network.

    Thoughts on information security in practice


    During and after the course, I had many thoughts about what I could take away for future use at work and in life. I would like to pay special attention to the following:

    1. The first thing you start thinking about when studying the course materials is antivirus software and a personal firewall on your own computer. Even if they do not fully protect your workplace, at least they make the task of an attacker who wants to steal data from your computer much more difficult. Many computers are hacked with the help of publicly available data from the Internet: the course shows various techniques that exploit vulnerabilities in the operating system itself and in the software installed on it from remote machines, as well as vulnerabilities in web browsers, which let attackers get into your computer without your knowledge while you browse web content.

    Penetration techniques are so diverse, and new vulnerabilities appear every day in such variety, that being sure of the security of your personal computer becomes an unaffordable luxury.

    I do not want to advertise any specific product, but I concluded once more that there must be an antivirus on the computer, and it must be constantly updated. Everyone, of course, must choose the antivirus software that he trusts.

    2. The second most important thing when building protection for your network, and the course convinces you of this again, is the need for regular updating of all software components of the IT infrastructure. Most known vulnerabilities, and even more so known exploits, exist only in software that is not updated or is updated irregularly. The primary task of any administrator, network or system, is to install updates, especially critical security-related ones, on all servers, workstations, network devices and so on under their control. Only by performing these simple actions can you reduce the risk of intruders penetrating your corporate network many times over and make it less accessible to outsiders.

    3. To do penetration testing, you need to love this business insanely. You will not be able to do it occasionally or under duress. Most of the work consists of tasks that are not formalized in advance, which the pentester must understand and solve. There are often no ready-made paths and recipes for finding vulnerabilities; every server, every virtual machine has its own peculiarities, which often get in the way of ready-made exploits. And before using exploits, you still need to find vulnerabilities in a particular application, understand how the application works and where its weakness is. As noted above, honed skills with the pentester's tools, together with a clear understanding of the testing methodology, make this process more transparent and easier to carry out. But even with these skills and knowledge, the pentester needs a non-trivial approach to the problems that arise, as well as diligence and hard work to bring the job to its logical conclusion. All of this translates into a huge investment of time during the engagement. The pentester's work can be compared with the medical profession: you need an extensive theoretical base and knowledge, plus dedication and perseverance.
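Two of the points above meet in one routine task: point 3 of the first list (tools like NMAP automate the pentester's routine work) and point 2 of the second list (known exploits live in software that is not updated). The usual first step after a service scan is to compare what NMAP reports against the versions you know to be patched. The following script is an added example, not code from the course or from Offensive Security: it parses the XML that `nmap -sV -oX` produces and flags services running below a version floor. The XML below is constructed for the example (not a real scan), and the `VERSION_FLOORS` table is an illustrative assumption, not a vulnerability database; in a real engagement you would fill it from the customer's patch baseline or a CVE feed.

```python
"""Triage nmap service-version output: flag services running below a
known-good version floor. Added example; the scan XML is constructed and
the version floors are illustrative assumptions, not a CVE database."""
import re
import xml.etree.ElementTree as ET

# Constructed 'nmap -sV -oX -' output for two lab hosts (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 10.11.1.0/24">
  <host>
    <address addr="10.11.1.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.49"/></port>
    </ports>
  </host>
  <host>
    <address addr="10.11.1.8" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="9.3p1"/></port>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds" product="Samba smbd" version="3.6.3"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/>
        <service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical minimum patched version per product (assumption for the
# example). Feed this from your patch baseline or a CVE feed in practice.
VERSION_FLOORS = {
    "vsftpd": "3.0.0",
    "OpenSSH": "8.0",
    "Apache httpd": "2.4.51",
    "Samba smbd": "4.0.0",
}


def parse_version(version):
    """Turn strings like '7.4p1' or '2.4.49' into a comparable tuple of ints.
    Only the numeric runs are kept, so '7.4p1' becomes (7, 4, 1)."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def parse_services(xml_text):
    """Yield (host, port, product, version) for every open port whose
    service element carries a product name; closed ports are skipped."""
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            if svc is None or svc.get("product") is None:
                continue
            yield addr, int(port.get("portid")), svc.get("product"), svc.get("version", "")


def find_outdated(xml_text, floors=VERSION_FLOORS):
    """Return one finding per service whose reported version is below the
    floor for its product. Products without a floor, or without a version
    string, are ignored rather than guessed at."""
    findings = []
    for addr, portid, product, version in parse_services(xml_text):
        floor = floors.get(product)
        if floor is None or not version:
            continue
        if parse_version(version) < parse_version(floor):
            findings.append({"host": addr, "port": portid, "product": product,
                             "version": version, "min_patched": floor})
    return findings


if __name__ == "__main__":
    for f in find_outdated(SAMPLE_NMAP_XML):
        print(f"{f['host']}:{f['port']} {f['product']} {f['version']} "
              f"(below {f['min_patched']})")
```

Treat the output as a triage list, not a finding: version-string comparison is only a first pass. Distributions often backport security fixes without changing the version banner, and NMAP's product/version guess can itself be wrong, so each flagged service still has to be verified by hand, which is exactly the "investigate what actually runs" work the course insists on.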

    Summary


    Summarizing everything written above, I would like to give a brief assessment of penetration testing within the set of information security services, and of whether such a study of one's own infrastructure is necessary. A pentest, as a service, identifies vulnerabilities in the operation of the network, servers, applications and various IT services that could be exploited by cybercriminals and lead to data loss or modification. The testing itself depends very much on the people who conduct it, on their expertise and skills: the more theoretically and practically savvy the participating pentesters are, the better the result. Whether such work is needed depends primarily on how important and critical the information, the operation of the IT systems and the entire IT infrastructure are to the organization's management. If the security of the internal IT infrastructure is not required by the organization, and the recovery time of services after a failure can be quite long, then a pentest is definitely not necessary. A pentest is one of the bricks of the organization's information security; from a technical point of view it is a real audit of the security of the organization's systems, identifying the places that need to be strengthened and what needs to be worked on. On paper and in words the organization's defenses may be excellent, but in practice things may not be so rosy, and the forgetfulness of administrators or the negligence of programmers can often lead to huge security holes. It seems to me that a pentest will let heads of organizations be sure that their information protection system is built correctly and functions as