I have been travelling recently for external projects. I learned a lot on the evaluation project and accumulated some experience, and I have long wanted to take the time to organize it; this is also a summary of my earlier work.
This article summarizes penetration testing as carried out within a risk assessment project. When penetration testing is mentioned, people think of hacker intrusion. The biggest difference between the two is that a penetration test is authorized by the customer and uses controllable, non-destructive methods to discover vulnerabilities in the target servers and network devices.
Penetration testing is only one part of a risk assessment project. A complete evaluation project should include a management evaluation and a technical evaluation. The management evaluation mainly covers management systems, personnel interviews, and surveys; the technical evaluation mainly uses tool scanning, manual evaluation, application evaluation, penetration testing, and network architecture evaluation. Penetration testing is therefore only one part of the technical evaluation. It complements tool scanning: scanners are fast and efficient, but because of the limits of the software they produce false negatives and false positives in practice, and they cannot find high-level, complex security problems. Penetration testing is used as a supplement in exactly those cases.
A complete penetration test consists of determining the scope, drawing up the plan, carrying out the test, and writing the report.
The following describes my understanding of penetration testing in terms of these four aspects.
1. Determine the Scope of the Penetration Test
Before a penetration test begins, we first have to know what the target is. The target is the scope given by the customer, and it must be clearly defined before anything else happens. Once the scope is fixed, the next task is to draw up the penetration test plan.
2. Draw up the Penetration Test Plan
The plan is a written description of the penetration testing work: it tells the customer which testing methods and tools may be used during the test. The overall framework of a plan is as follows:
1. Objectives
2. Scope
3. Necessity of Penetration Testing
4. Feasibility of Penetration Testing
5. System Backup and Recovery Measures
6. Risk Avoidance
Objectives: describes what this penetration test is meant to achieve, that is, which problems we can help the user find through penetration testing, for example vulnerabilities and threats in servers and network devices.
Scope: states the range of the penetration test. A penetration test has a bounded scope: the customer sets a range, which may be an application system, an IP address range, or even the entire intranet. As a matter of principle, hosts and network devices outside the authorized scope must not be penetrated.
Necessity of penetration testing: explains why a penetration test is needed and which problems it helps solve.
Feasibility of penetration testing: because customers usually know little about penetration testing and tend to lump it together with hacker intrusion, the plan should explain to the user what penetration testing is, what its procedure and methods are, and which tools may be used. For example:
◆ AppScan: scans the web application infrastructure, tests for security vulnerabilities, and produces actionable reports and recommendations.
◆ Acunetix Web Vulnerability Scanner: a web vulnerability scanning tool. It crawls the website, tests its security against popular attack methods, and automatically checks the web application for vulnerabilities such as SQL injection, cross-site scripting, and weak passwords on authentication pages.
◆ WebInspect: used for scanning web applications.
◆ Thc-orakel: Oracle test tool.
System backup and recovery measures: although a penetration test uses controllable and non-destructive methods, unforeseen risks can arise during the actual test, so before the test the user should be reminded to back up the systems in scope, so that they can be restored promptly if a problem occurs.
Risk avoidance: describes the possible risks of the penetration test and the measures we take to keep them under control. For example, the scanning carried out during the test does not use denial-of-service techniques, and the test is scheduled during off-peak business hours. Note that if a service or server of the system under evaluation goes down during the test, testing must stop immediately; contact the customer's management to analyze the cause, and resume only once the cause has been established.
3. Carry out the Penetration Test
The implementation of the penetration test simulates a hacker attack against the system under evaluation. The general steps of a penetration test are as follows:
Everyone is familiar with this process, because these are the commonly used methods and there is little beyond them. What deserves attention is that the biggest security risk in intranet penetration is weak passwords. When penetrating an intranet, we should build a dictionary based on the user's password rules as we go. An intranet administrator usually manages many machines, so once we get onto one server through a weak password we should collect the passwords stored on it by dumping the password hashes, cracking the SAM database, and similar methods. The passwords collected should include, but are not limited to, the following:
1. System administrator passwords
2. FTP passwords
3. Application system passwords (usually found in configuration files)
4. Passwords of remote management tools such as pcAnywhere, Radmin, and VNC
Turn these passwords into a dictionary and use it to scan the other target machines; this usually yields further access.
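The dictionary-building step described above, as an added example (not code from the original post). It takes the credentials harvested on one compromised host, generates the variants an administrator who reuses a base word typically produces, and keeps only generated entries that could exist under the customer's password policy, so the dictionary that is sprayed at the other machines is not padded with impossible guesses. The harvested passwords, the policy, the seed words, and the year and suffix lists are all constructed for illustration.

```python
"""Policy-aware password dictionary built from credentials harvested on one host.

Added example, not part of the original post. HARVESTED, POLICY, SEEDS, YEARS
and SUFFIXES are constructed values; a real engagement uses what was collected
on the server and the customer's actual password rules.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample of what a tester might collect on one intranet server:
# system account, FTP service, an application config file, a remote-admin tool.
HARVESTED: Dict[str, str] = {
    "system": "Admin@2019",
    "ftp": "ftpuser123",
    "app_config": "Company#DB01",
    "radmin": "Radmin!2019",
}

# Constructed company password rule: 8+ chars with upper, lower and digit.
POLICY = {"min_len": 8, "upper": True, "lower": True, "digit": True}

# Constructed seeds: base words seen in the harvested set and the company name.
SEEDS = ["Company", "Admin", "ftp", "Radmin"]
YEARS = ["2018", "2019", "2020"]
SUFFIXES = ["!", "@", "#", "123", "01"]


def meets_policy(pw: str, policy: dict = POLICY) -> bool:
    """Return True when pw could legally exist under the customer's password policy."""
    if len(pw) < policy["min_len"]:
        return False
    if policy["upper"] and not re.search(r"[A-Z]", pw):
        return False
    if policy["lower"] and not re.search(r"[a-z]", pw):
        return False
    if policy["digit"] and not re.search(r"\d", pw):
        return False
    return True


def mutate(word: str) -> Iterable[str]:
    """Yield the variants an admin who reuses one base word typically produces."""
    bases = {word, word.lower(), word.capitalize()}
    for base in sorted(bases):
        yield base
        for suffix in SUFFIXES:
            yield base + suffix
        for year in YEARS:
            yield base + year
            for suffix in SUFFIXES:
                yield base + suffix + year
                yield base + year + suffix


def build_dictionary(harvested: Dict[str, str], seeds: List[str],
                     policy: dict = POLICY) -> List[str]:
    """Harvested passwords first (kept as observed), then policy-compliant mutations."""
    candidates: List[str] = []
    seen = set()

    def add(pw: str) -> None:
        if pw not in seen:
            seen.add(pw)
            candidates.append(pw)

    # Observed passwords are kept unconditionally: reuse across hosts is the likeliest hit.
    for pw in harvested.values():
        add(pw)
    # Generated variants are only worth a login attempt if the policy allows them.
    for word in seeds:
        for variant in mutate(word):
            if meets_policy(variant, policy):
                add(variant)
    return candidates


if __name__ == "__main__":
    words = build_dictionary(HARVESTED, SEEDS)
    print(f"{len(words)} candidates, first ten:")
    for w in words[:10]:
        print(w)
```

The ordering matters in practice: the observed passwords go first because an administrator's reused password is the most likely hit on the next machine, and the policy filter keeps the list short enough to spray without tripping lockout thresholds.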
Another point worth noting: after the penetration test is complete, we have to write a penetration test report based on the results, and the report should use screenshots to show what was achieved. There is some skill in this. A penetration test report differs from the hacker intrusion write-ups we usually read in its audience: the readers are usually the heads of security departments and senior management, who often know little about hacker attacks. A screenshot of a Remote Desktop session on port 3389, for example, is far less convincing than a screenshot of the data in a database. Many managers, told that you obtained system privileges, will not see any harm in it; but tell them you obtained their sensitive data, such as financial or customer data, and they will consider it a very serious problem.
4. Write the Penetration Test Report
The penetration test report is the final deliverable handed to the user. It should describe the methods and tools used during the penetration, in a sequence similar to the intrusion tutorials we usually write: vulnerability discovery -> exploitation -> obtaining access -> privilege escalation. The report must end with hardening recommendations for each vulnerability, and those recommendations must be operable. For example, for a SQL injection it is not enough to tell the user to filter dangerous input; tell them to use parameterized queries and to validate input and output, and spell out the operation steps of each fix in as much detail as possible. From my own experience, the report should pay attention to the following points:
1. The report should take the readers' technical level into account. It should be easy to understand, and it should not disclose too many technical details. As mentioned above, a penetration test report is not a hacking tutorial: we only need to make the vulnerability discovery process and its impact clear, not list in detail which methods or even which commands were used at every step.
2. The report should focus on what the user cares about. Many users care about data security but pay little attention to system risk. For a financial system, for example, showing that financial data was obtained is far more convincing than showing that system privileges were obtained.
3. The report should reflect the work you did. The result here is not which data or system privileges you obtained, but what exactly you did during this penetration test. Penetration testing depends on luck as well as skill, and not every test produces a result. How do you write a report when there is none? You cannot simply write the one sentence "This penetration test found no problems!"; the user will feel cheated and think the money spent bought nothing. So the report must explain which methods and means were tried: for example, SQL injection, cross-site scripting, sniffing and other techniques were attempted and no problems were found, from which it is concluded that the user's system is secure. This makes the user feel that hiring you for the penetration test was worth the money, since so much work was clearly done. This matters because a penetration test in a real evaluation project often ends without a result, and penetration testers should learn to write a report for that case.
4. Pay attention to the appearance of the report. This is mainly a matter of document layout. A good penetration test report should look professional rather than thrown together; it is also a demonstration of your working attitude, so do not leave the user with an impression of unprofessionalism.
The above is my personal view and summary of penetration test projects. My skills are limited, so omissions are inevitable; it is offered for your reference.
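An added example, not code from the original post, of the level of detail the hardening recommendations in section 4 should reach for a SQL injection finding: the vulnerable login query built by string concatenation is shown beside the parameterized version, and the same injection payload is run against both so the report can state concretely why the fix works. The in-memory SQLite table, the accounts and the payload are constructed for illustration; the customer's application and database would differ.

```python
"""SQL injection finding with its remediation, as a report would present it.

Added example, not from the original post. The users table, its rows and the
PAYLOAD string are constructed; sqlite3 stands in for the customer's database.
"""
import sqlite3
from typing import Dict, Optional, Tuple

Row = Optional[Tuple[str, str]]

# Constructed injection string that would appear in the report's evidence.
PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory accounts table standing in for the application DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "S3cret!", "admin"), ("alice", "alice123", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> Row:
    """Before: user input spliced into the SQL text. This is the finding."""
    sql = (f"SELECT name, role FROM users "
           f"WHERE name = '{name}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_fixed(conn: sqlite3.Connection, name: str, password: str) -> Row:
    """After: parameterized query. Input is passed as data and never parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()


def demonstrate() -> Dict[str, Row]:
    """Run the same payload through both versions so the report can compare them."""
    conn = make_db()
    return {
        # The injected OR clause makes the WHERE true for every row: login bypassed.
        "vulnerable": login_vulnerable(conn, "admin", PAYLOAD),
        # The same string is compared literally against the password column: no row.
        "fixed": login_fixed(conn, "admin", PAYLOAD),
        # Correct credentials still work after the fix.
        "fixed_valid": login_fixed(conn, "admin", "S3cret!"),
    }


if __name__ == "__main__":
    for label, row in demonstrate().items():
        print(f"{label:12s} -> {row}")
```

In the report, the "vulnerable" row is the evidence screenshot, and the "fixed" function is the operable recommendation: the developer can copy the parameterized form directly. Input validation on the username (length, allowed characters) is worth adding as defense in depth, but the parameterized query is the fix that actually closes the finding.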
From the personal space of the magic arrow