WTF is Penetration Testing?An Overview of Who, What, Where, When, and WhyScott SutherlandRyan Wakeham
Who are we?• Scott Sutherland Principle Security Consultant NetSPI• Ryan Wakeham Director of Consulting NetSPI
Presentation Overview•   What is a “pen test”?•   Why do companies “pen test”?•   Who does “pen testing”?•   What skills a...
What is Penetration Testing?Our Definition:“The process of evaluating systems,applications, and protocols with the intento...
Why do Companies Pen Test?•   Compliance Requirements•   Validate Existing Controls•   Identify Unknown Security Gaps•   P...
What are the Technical Objectives?•   Client specific objectives first•   Identify and verify all entry points•   Identify...
Assessment VS. Penetration• Vulnerability Assessment and  Penetration Testing Answer:  ‒ What are my system layer vulnerab...
Assessment VS. Penetration• Penetration Testing Answers:   ‒ What are my high impact network layer issues?   ‒ What are my...
Common Penetration Test Approach• Kickoff: Scope, cost, testing windows, risks etc•   Information Gathering•   Vulnerabili...
Who Conducts Pen Testing?• Internal Employees  • Security Analyst  • Security Consultant• Third Parties  • Audit Firms  • ...
Rules of Engagement•   Have fun, but…Hack Responsibly!•   Written permission•   Stay in scope•   No DoS•   Don’t change ma...
What Skills are Needed?•   Non Technical•   Basic Technical•   Offensive•   Defensive•   Common Tools
Non Technical Skillset• Written and Verbal Communications     •   Emails/phone calls     •   Report development     •   Sm...
Basic Technical Skillset•   Windows Desktop Administration•   Windows Domain Administration•   Linux and Unix Administrati...
Offensive and Defensive Knowledge• System enumeration and service  fingerprinting• Linux system exploitation and escalatio...
Common ToolsThere are hundreds of “hacker” tools.Generally, you need to have enoughknowledge to know what tool or tool(s) ...
Common ToolsThat being said…
Common Tools• Knowledge > Tools     •   Understand the core technologies     •   Understand the core offensive techniques ...
Pen Testing as a Career: Common Paths• Internal Paths   •   Help Desk   •   IT Support                Internal employees  ...
Pen Testing as a Career: How to Start• Read and learn! – There is no “end”• Tap into the community!• Research and Developm...
BE SAFE andHACK RESPONSIBLY
Questions   Questions,comments, curses?
Upcoming SlideShare
Loading in …5
×

WTF is Penetration Testing

1,469 views

Published on

This presentation will provide an overview of what a penetration test is, why companies pay for them, and what role they play in IT security.

More security blogs by the authors can be found @
https://www.netspi.com/blog/

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,469
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
54
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

WTF is Penetration Testing

  1. 1. WTF is Penetration Testing?An Overview of Who, What, Where, When, and WhyScott SutherlandRyan Wakeham
  2. 2. Who are we?• Scott Sutherland Principle Security Consultant NetSPI• Ryan Wakeham Director of Consulting NetSPI
  3. 3. Presentation Overview• What is a “pen test”?• Why do companies “pen test”?• Who does “pen testing”?• What skills are required? ‒ Non Technical Skillset ‒ Basic Technical Skillset ‒ Offensive and Defensive Knowledge• What are some Common Tools?• Pen Testing as a Career• Attack Demo: SQL Inject World• Questions
  4. 4. What is Penetration Testing?Our Definition:“The process of evaluating systems,applications, and protocols with the intentof identifying vulnerabilities from theperspective of an unprivileged oranonymous user to determine the realworld impact…”“…legally and under contract”
  5. 5. Why do Companies Pen Test?• Compliance Requirements• Validate Existing Controls• Identify Unknown Security Gaps• Prioritize Existing Security Initiatives• Prevent Data Breaches• Test IDS / IPS / IRP
  6. 6. What are the Technical Objectives?• Client specific objectives first• Identify and verify all entry points• Identify critical escalation points• Gain unauthorized access to: ‒ Application functionality ‒ Critical systems ‒ Sensitive data
  7. 7. Assessment VS. Penetration• Vulnerability Assessment and Penetration Testing Answer: ‒ What are my system layer vulnerabilities? ‒ Where are my system layer vulnerabilities? ‒ How wide spread are my system layer vulnerabilities? ‒ Can I identify attacks? ‒ How do I fix my vulnerabilities?
  8. 8. Assessment VS. Penetration• Penetration Testing Answers: ‒ What are my high impact network layer issues? ‒ What are my high impact application layer issues? ‒ Can an attacker gain unauthorized access to: • critical infrastructure that provides privileged access or cause service disruptions • critical application functionality that the business depends on • sensitive data that the business would be required to report on if a breach occurs ‒ Can an attacker bypass our IPS / WAF? ‒ Can an attacker pivot from environment A to environment B?
  9. 9. Common Penetration Test Approach• Kickoff: Scope, cost, testing windows, risks etc• Information Gathering• Vulnerability Enumeration• Penetration• Escalation• Evidence Gathering (Pilfering)• Clean up• Report Creation• Report Delivery and Review• Remediation
  10. 10. Who Conducts Pen Testing?• Internal Employees • Security Analyst • Security Consultant• Third Parties • Audit Firms • Security Consultants
  11. 11. Rules of Engagement• Have fun, but…Hack Responsibly!• Written permission• Stay in scope• No DoS• Don’t change major state• Restore state• Clear communication
  12. 12. What Skills are Needed?• Non Technical• Basic Technical• Offensive• Defensive• Common Tools
  13. 13. Non Technical Skillset• Written and Verbal Communications • Emails/phone calls • Report development • Small and large group presentations• Professionalism • Respecting others, setting, and meeting expectations• Troubleshooting Mindset • Never give up, never surrender • Where there is a will, there is a way• Ethics • Don’t do bad things • Pros (career) vs. Cons (jail) • Hack responsibly
  14. 14. Basic Technical Skillset• Windows Desktop Administration• Windows Domain Administration• Linux and Unix Administration• Network Infrastructure Administration• Application Development • Scripting (Ruby, Python, PHP, Bash, PS, Batch) • Managed languages (.Net, Java, Davlik) • Unmanaged languages (C, C++)
  15. 15. Offensive and Defensive Knowledge• System enumeration and service fingerprinting• Linux system exploitation and escalation• Windows system exploitation and escalation• Network system exploitation and escalation• Protocol exploitation• Web application exploitation (OWASP)• Reverse engineering client-server applications + AV Evasion• Social engineering techniques (onsite, phone, email)
  16. 16. Common ToolsThere are hundreds of “hacker” tools.Generally, you need to have enoughknowledge to know what tool or tool(s) isright for the task at hand….…and if one doesn’t exist, then create it.
  17. 17. Common ToolsThat being said…
  18. 18. Common Tools• Knowledge > Tools • Understand the core technologies • Understand the core offensive techniques • Understand the core defensive techniques• Network Penetration Testing • BT, CAIN, YERSINIA, NCAT, NMAP, NESSUS, NEXPOSE, WCE, MIMIKATZ, AirCrack-ng, METASPLOIT… and NATIVE TOOLS!• Application Penetration Testing • BURP, ZAP, NIKTO, DIRBUSTER, SQLMAP, SQL Ninja, and BEEF…. and commercial tools
  19. 19. Pen Testing as a Career: Common Paths• Internal Paths • Help Desk • IT Support Internal employees • IT Admin often stay internal. • Security Analyst • Senior Security Analyst • Internal Consultant • CISO• Security Consulting Paths Security consultants • Internship often end up in • Consultant malware research or • Senior Consultant exploit • Principle Consultant • Team Lead development, but • Director some go corporate.
  20. 20. Pen Testing as a Career: How to Start• Read and learn! – There is no “end”• Tap into the community!• Research and Development • Contribute to open source projects • Present research at conferences• Training and Certifications • Community: DC612, OWASP, Conferences, etc • Professional ($): SANS, OffSec, CISSP, etc• Volunteer• Internships
  21. 21. BE SAFE andHACK RESPONSIBLY
  22. 22. Questions Questions,comments, curses?

×