Pentesting: What It Is, Why You Need It, and How to Get Started
In today’s digital world, companies are increasingly dependent on technology. They are also targets of...
In today’s digital world, companies are increasingly dependent on technology. They are also targets of cyber-attacks, which may have a serious detrimental influence on their finances.
If you work in the marketplace, it’s important to protect your company’s website and other internet assets. Pentesting, also known as penetration testing, is useful in this situation. Pen-testing is the process of breaking into a computer system or network to look for security issues (or penetration testing). Websites, networks, cloud computing platforms, and web services can all be used for it.
Many organizations around the world employ hackers (ethical hackers in this case) to test their IT systems by trying to break into them. As data and digital information increase in value and importance to the global economy, so does the demand for IT security. Businesses including banks, financial institutions, healthcare facilities, and software corporations must safeguard their computer networks against genuine hackers. Digital security is a field in which they make significant financial and material investments, and it is now a rewarding and exciting professional path.
In this blog post, we will define pentesting, explain why it is important, and discuss how you can get started. We will also look at some of the companies that offer testing services and discuss the features of their offerings.
What is a Penetration Tester?
Penetration testers/ethical hackers are the private detectives of the information security universe. As with many PI operations, the task is to uncover threats before any potential invasive operators have a chance to implement their plans.
One of the fundamental facts of human nature in general, and of digital information systems in particular, is that dishonest individual will constantly try to take advantage of openings to exploit vulnerabilities. Pen testers look into potential vulnerabilities in wired and wireless network systems, as well as in web-based applications, and they help to find and fix them.
The push and pull between the pre-emptive work of ethical hackers and the efforts of real-life hackers is a constant arms race. Each side persistently attempts to advance its knowledge, skills, and techniques beyond the other side’s capabilities.
Pen testers use an offensive defense technique. By offensively assaulting computer systems in the same way that a real-world hacker would, the aim is to provide the highest level of information security while also helping to close the weakness. As a result, systems will be attacked and information will need to be protected.
Penetration tester skills and experience
According to the specific duties of each position and the degree of the role, employer expectations for new hires will vary greatly in the penetration testing area, as they will in all cybersecurity disciplines. In the realm of penetration testing, associate or junior pen testers, mid-level pen testers, and senior or lead pen testers plainly indicate successively increasing expertise levels and responsibilities.
Some professions still only call for the display of pertinent abilities and a suitable level of cybersecurity expertise. However, businesses are increasingly looking for applicants having a bachelor’s degree in computer science or a related field, such as information security. A master’s degree is necessary for some more prestigious occupations.
Work experience that often leads to careers in penetration testing includes software development and coding, security testing, vulnerability assessment, network engineer or administrator, and security administrator.
Skill requirements likely to be encountered with employers include:
Knowledge of specific computer languages, such as:
Experience with network OS, Windows/ Linux/ macOS, communications protocols, firewalls, IPS/IDS systems, virtual environments, data encryption, and mobile penetration testing of IOS/Android systems.
Knowledge of standard pen test and application security tools, such as:
- Web Inspect
- Network Mapper (NMAP)
- Nessus, and others
Common professional certifications often sought by employers include those available from IEEE (Institute for Electrical and Electronics Engineers) OSCP (Offensive Security Certified Professional), SANS Technology Institute, GIAC (Global Information Assurance Certification), and EC-Council.
Soft skills and experience sought by employers include excellent communication skills; self-driven, creative, and resourceful; contributions to open source projects and bug bounty programs; and familiarity with OWASP Top 10 vulnerabilities.
What Are Exploitable Vulnerabilities?
As we now know, pentesting is the process of testing for vulnerabilities in a system. But what exactly are these vulnerabilities? And how can they be exploited?
A vulnerability is a weakness in a system that could be exploited by an attacker. These flaws can be detected in a system’s hardware as well as its software. Weak passwords, unpatched software, and unsecured ports are examples of common vulnerabilities.
When an exploit is found, the attacker will attempt to utilize it. This is where the real damage can be done, as the attacker will gain access to the target system and be able to exfiltrate sensitive data.
To prevent these attacks, businesses must regularly conduct pentests on their systems. This way, any vulnerabilities can be found and fixed before they can be exploited.
What is the difference between pen testing and vulnerability assessment?
Although it is a different kind of study, vulnerability testing is a subset of IT security. In general, vulnerability tests are performed independently of or occasionally ahead of penetration tests. They are intended to define, recognize, and classify a system’s flaws. Then, based on the risk they represent, these vulnerable points can be prioritized and handled individually through upgrades, the installation of firewalls, or software updates. Vulnerability assessments are frequently performed by penetration testers, albeit their goal is very different from that of pen tests.
Types of pentests
There are three main categories of tests in pentesting. White box, black box, and grey box are the names given to these. Depending on how much they are familiar with a company’s computer network, these three ways look at various circumstances that a criminal hacker might be in.
- Gray box penetration tests give the tester some knowledge about the system they are trying to hack
- Black box pentests provide the tester with zero knowledge about the system
- White box pen testing gives the tester all the details about a system or network
A proactive method to guarantee the security of an IT network is penetration testing. The three forms of pentest offer a thorough overview of the possible threats that a company might be exposed to and cover the various situations that a hacker might be in.
Black Box Penetration Testing
During a black box penetration test (also known as external penetration testing) the pen tester is given little to no information regarding the IT infrastructure of a business.
The main benefit of this method of testing is to simulate a real-world cyber attack, whereby the pen tester assumes the role of an uninformed attacker.
One of the longest forms of penetration tests is the black box test, which can take up to six weeks to perform. Businesses should budget between $10,000 and $25,000 because the report will require a lot of planning, execution, testing, and completion.
This, of course, all depends on the scope of the project.
One of the easiest ways for pen testers to break into a system during a black box test is by deploying a series of exploits known to work, such as Kerberoasting.
This method of testing is also referred to as the “trial and error” approach, however, there is a high degree of technical skill involved in this process.
White Box Penetration Testing
White box penetration testing (also called clear box testing, glass box testing, or internal penetration testing) is when the pen tester has full knowledge and access to the source code and environment.
A white box penetration test’s objective is to carry out a thorough security audit of a company’s systems and to give the pen tester as much information as possible.
As a result, the tests are more thorough because the pen tester has access to areas where a black box test cannot, such as quality of code and application design.
Indeed, white box tests have drawbacks. For instance, choosing which regions to concentrate on can take longer given the level of access the pen tester has. Additionally, this testing approach frequently calls for expensive, complex tools like debuggers and code analyzers.
White box tests can take two to three weeks to complete and cost between $4,000 – $20,000.
In the end, it doesn’t matter whether you perform a black box or a white box penetration test so long as the primary goal of the test is being met.
Gray Box Penetration Testing
An internal network or online application is partially known to or accessible to the pen tester during a gray box penetration test.
A pen tester may begin with user privileges on a host and be told to escalate their privileges to a domain admin. Or, they could be asked to get access to software code and system architecture diagrams.
A gray box penetration test’s reporting offers a more accurate and targeted evaluation of the security of your network, which is one of its key benefits.
For instance, instead of spending time with the “trial and error” approach, pen testers performing a gray box penetration test are able to review the network diagrams to identify areas of greatest risk.
From there, the proper countermeasures can be recommended to fill the gaps.
Why Are Penetration Tests Performed?
Penetration testing has become a widely adopted security practice by organizations in recent years.
This is especially true for industries, such as banks or healthcare providers, that store and access sensitive or private information.
While the primary purpose is to expose vulnerabilities or exploit weaknesses, it’s important to note that the main goal of a pen test is often tied to a business objective with an overarching strategy.
For example, Department of Defense contractors must have adequate processes in place to protect Controlled Unclassified Information (CUI) as part of the Cyber Security Maturity Certification (CMMC).
A penetration test is one of many security controls needed to pass auditor requirements depending on the level that the contractor must attain.
On the other hand, a software company’s security goals may vary greatly.
For example, application penetration testing aids in locating code faults and weaknesses that might be exploited. After then, programmers try to update the codebase with fixes.
Ultimately, the business goals determine the types of penetration testing performed, which we will cover shortly.
- Top 10 BEST Ethical Hacking Courses For Beginners
- Best Hacking App For Android
- 20+ Ethical Hacking Books For Beginners
Types Of Penetration Testing
The different types of penetration testing include:
- Network Services
- Web Application
- Client Side
- Social Engineering
- Physical Penetration Testing
Each type of penetration test requires specific knowledge, methodologies, and tools to perform and should align with a specific business goal.
These goals may include increasing employee understanding of social engineering attacks across the entire organization, using secure code development to quickly detect software bugs, or meeting legal or compliance requirements.
Network Service Penetration Testing
Network service penetration testing, or infrastructure testing, is one of the most common types of penetration testing performed.
The major objective is to locate the most exposed security vulnerabilities in an organization’s network infrastructure (including servers, firewalls, switches, routers, printers, workstations, and more) before they can be exploited.
Why Should You Perform A Network Service Penetration Test?
Network penetration tests should be performed to protect your business from common network-based attacks, including:
- Firewall Misconfiguration and Firewall Bypass
- IPS/IDS Evasion Attacks
- Router Attacks
- DNS Level Attacks:
- Zone Transfer Attacks
- Switching or Routing-Based Attacks
- SSH Attacks
- Proxy Server Attacks
- Open Ports Attacks
- Attacks on Databases
- Man In The Middle (MITM) Attacks
- FTP/SMTP-Based Attacks
It is advised that both internal and external network penetration testing be carried out at least once a year because a network gives a business mission-critical services. This will offer your company enough protection against these attack vectors.
Recommended Article : Termux Tutorial | Complete Termux Commands
Web Application Penetration Testing
Web application penetration testing is used to discover vulnerabilities or security weaknesses in web-based applications. It uses different penetration techniques and attacks with aim to break into the web application itself.
The typical scope for a web application penetration test includes web based applications, browsers, and their components such as ActiveX, Plugins, Silverlight, Scriptlets, and Applets.
Because they are so much more specialized and targeted, these tests are perceived as being more complex. To carry out a successful test, the endpoints of each web-based application that frequently communicates with the user must be identified.
This requires a fair amount of effort and time from planning to executing the test, and finally compiling a useful report.
The methods for performing web application penetration testing are constantly evolving throughout time as a result of the daily rise in risks coming from web applications. This threat has grown dramatically after the COVID-19 outbreak, which has caused a 600% spike in cybercrime. #quilbot
Why Should You Perform A Web Application Penetration Test?
Finding security flaws or vulnerabilities in web-based applications and their components, such as the database, source code, and the back-end network, is a fundamental goal of web application penetration testing.
It also helps by prioritizing the determined weaknesses or vulnerabilities and provides possible solutions to mitigate them.
In software application development, it’s considered best practice to continuously improve the codebase. Deploying a secure and agile code is the phrase often used to describe this practice.
Agile code deployment is the preferred method over large batch deployments, as the more variables introduced into the code in a single deployment, the more opportunities there are to create bugs or errors, leading to security vulnerabilities.
As a result, technical debt forms, where developers gradually spend more time implementing fixes to problems then they do develop new features or updates.
Agile approaches, in contrast, evaluate the functionality and usability of the code in a sandbox environment before putting it into production. Developers can quickly identify the change and roll the code back to a previous version history if the deployment is unsuccessful.
The trick is balancing daily code deployment with security in mind.
It’s not uncommon for enterprise software companies to employ pen testers to continuously test their code. Google, as well as other tech giants, offer a reward for finding and reporting on vulnerabilities within their applications.
Client Side Penetration Testing
Client side penetration testing is used to discover vulnerabilities or security weaknesses in client side applications.
These could be a program or applications such as Putty, email clients, web browsers (i.e. Chrome, Firefox, Safari, etc.), Macromedia Flash, and others. Programs like Adobe Photoshop and the Microsoft Office Suite are also subject to testing.
Why Should You Perform A Client-Side Penetration Test?
Client-side tests are performed to identify specific cyber attacks including:
- Cross-Site Scripting Attacks
- Clickjacking Attacks
- Cross-Origin Resource Sharing (CORS)
- Form Hijacking
- HTML Injection
- Open Redirection
- Malware Infection
Wireless Penetration Testing
During a wireless penetration test, all of the devices connected to the business’s wifi are identified and their connections are examined. Laptops, tablets, smartphones, and other internet of things (IoT) devices are among these gadgets.
Wireless penetration tests are typically performed onsite as the pen tester needs to be in range of the wireless signal to access it. Alternatively, a NUC and WiFi Pineapple can be deployed onsite to remotely perform the test.
Why Should You Perform A Wireless Penetration Test?
Wireless communications are an invisibly running service that allows data to flow in and out of the network. Therefore, this wireless network must be secured from any weaknesses like unauthorized access or data leakage.
Before performing a wireless penetration test you should consider the following:
- Have all access points been identified and how many use poor encryption methods?
- Is the data flowing in and out of the network encrypted and if so, how?
- Are there monitoring systems in place to identify unauthorized users?
- Is there any possibility the IT team could have misconfigured or duplicated a wireless network?
- What are the current measures in place to protect the wireless network?
- Are all wireless access points using WPA protocol?
Social Engineering Penetration Testing
Social engineering penetration testing is where a malicious actor attempts to persuade or trick users into giving them sensitive information, such as a username and password.
Common types of social engineering attacks used by pen testers include:
- Phishing Attacks
- Imposters (i.e., fellow employees, external vendors, or contractors)
- Name Dropping
- Dumpster Diving
Why Should You Perform Social Engineering Tests?
According to recent statistics, 98% of all cyber attacks rely on social engineering. This is because internal users are one of the biggest threats to a network’s security and due to how lucrative the scams are.
Social engineering tests and awareness programs have proven to be one of the most effective methods of mitigating an attack.
For example, KnowBe4, the popular email phishing platform, simulates an email phishing attack. When the user clicks on the link they’re taken to a page that informs them that it was a phishing test.
Remediation training is then provided to help educate and inform users on the most current cyber attacks and how to avoid them.
Physical Penetration Testing
Physical penetration testing simulates a real-world threat whereby a pen tester attempts to compromise physical barriers to access a business’s infrastructure, buildings, systems, or employees.
Why Should You Perform A Physical Penetration Test?
Most firms rarely give physical barriers any thought, but if a bad actor can physically enter your server room, they could take control of your network. Consider the effects that might have on your company, your clients, and business alliances.
A physical penetration test’s main advantage is that it reveals the faults in physical controls (such as locks, barriers, cameras, or sensors) so that they may be fixed right away. By detecting these flaws, the appropriate mitigations can be implemented to improve the physical security posture.
Skills needed to be a pentester
What technical and soft skills are necessary to work as an ethical hacker or penetration tester professionally? The top 25 topics that any penetration tester should be knowledgeable with are covered in detail in this post, along with the abilities you should prioritize if you want to work as a professional penetration tester.
Let’s dive right into it.
Hardware and Networks
Naturally, we all in the infosec industry know about hardware and networks. But let’s discuss what is particularly important for pentesters.
1. Computer networks
Every pentester should understand computer networks and the OSI model. It is important to know at least the most common network protocols such as:
- Link layer (L2) protocols
- 802.3 (Ethernet/ARP)
- 802.1Q (VLANs)
- 802.11 (Wi-Fi)
- Network layer (L3) protocols
- IP (IPv4, IPv6)
- Transport layer (L4) protocols
- Application layer (L7) protocols
- DNS, HTTP, HTTPS, DHCP, LDAP, FTP, SMTP, IMAP, POP, SSH, Telnet etc.
We should understand how these protocols work, and what is their function and purpose.
For instance, we should be able to describe in detail what happens when we visit a website and answer questions such as:
- How does the communication occur between our browser and the remote web server?
- How and which network protocols are being utilized on each OSI layer?
Furthermore, we should be comfortable using packet capture tools such as Wireshark. We should understand which network protocols are safe and which are not safe, allowing anyone to sniff sensitive information from the network.
We should also understand, for instance, how to perform a man-in-the-middle attacks using ARP poisoning.
Lastly, we should be able to read network diagrams and schemas, because many times these things are discussed with the client. This brings us to the next point..
2. Network components
We should understand what kind of network equipment it takes for a network to function, how a typical organization builds its network, what security controls are typically implemented, and so on.
At a minimum, we should be familiar with:
- Network switches
- Firewalls, NAT
- Zoning, VLANs
From the pentester perspective, we should be able to perform an assessment of the network access controls (NAC) implementation and know tactics on how to bypass it (e.g. MAC cloning, MITM).
We should also know how to check for VLAN hoping.
Furthermore, we should be somewhat familiar with common network device manufacturers such as:
- F5 Networks
As pentesters, we should have at least basic experience in using them so that we can leverage situations when we get access to them (e.g. via weak or default credentials)
Once we get access to them, we should know how to go through the configuration and identify sensitive information such as SNMP community strings, for example.
With regards to Cisco devices, we should know how we can decrypt various Cisco password types that we find stored in them.
3. Wireless networks
Wireless networks are everywhere and we simply have to understand them. We must be knowledgeable about the following topics:
- Wi-Fi security and encryption modes, e.g.:
- WPA/2/3 Personal
- WPA/2/3 Enterprise
- EAP authentication
- Pros and cons of SSID broadcast hiding
- Captive portal security
- Client isolation
We should have an understanding of known attack vectors against wireless networks.
For instance, we should know when it makes sense to run a de-authentication attack or when to deploy a rogue access point.
We should know how to obtain password hashes and how to crack them (e.g. using aircrack-ng).
We should also know which equipment to use for testing and know how to analyze wireless networks (e.g. using Kismet).
4. Server room hardware
Having experience with physical hardware and knowing our way throughout the server racks in a data center is not really essential for our job, but it can definitely help.
Here’s some of the equipment we can find in a typical server room:
- Patch panels
- Core routers
- Network switches
- KVM switches
- Physical servers
- Storage and backup systems
- Firewalls, IDS, IPS, and other network appliances
- UPS systems
From our perspective, we should understand that many of these things have administrative interfaces. And if we happen to get into them, we should know what we can do with them. Let’s have a look at some examples.
One thing we should know about physical servers is that they typically have management web consoles that are online even if the server is powered down.
Here are some examples:
- Dell iDRAC (integrated Dell Remote Access Controller)
- HP iLO (Integrated Lights-Out)
- Huawei iMana (Intelligent Management System)
- IBM HMC (Hardware Management Console)
- Sun Oracle ILOM (Integrated Lights Out Manager)
As pentesters, we should understand the ramifications of having access to these things. Typically it means that we can take complete control over the server including the operating system installed on it, thanks to the KVM functions and the remote console (display).
We should also understand that we should not be able to reach these interfaces from the user VLAN, for example.
Network devices and appliances
Another thing to keep in mind is that some systems may be integrated with other systems together. For instance, an intrusion detection system (IDS) may be communicating with firewalls or honeypot systems deployed in the network.
In case we happen to gain access to such a device, we should know how to navigate through its administrative interface. For instance, we should know how to reveal credentials that are stored within the interface.
Software and Services
5. System administration
Having professional experience in system administration can be a really great advantage for a pentester.
At a minimum, we should be able to administer the following operating systems:
- Linux or other UNIX-like systems.
- Microsoft Windows
We should know how to configure them, where the important configuration file is, where the log files are, and also how to perform network and system diagnostics.
We should also understand permissions and access controls in each system and have knowledge about various vulnerabilities and attack techniques on each system.
Here’s one of the best resources covering a broad spectrum of attack techniques: https://attack.mitre.org/
6. Network services
As pentesters, we should have extensive experience with administering various network services and servers.
This topic is obviously huge, but we should know how various network services work, and what are some of the common misconfigurations or deficiencies in their protocols. For instance:
- SMTP open relay
- DNS zone transfer
- SMB NULL session
- LDAP NULL bind
- FTP anonymous login
- Webserver directory listing
As pentesters, we have to have extensive knowledge about these things.
Furthermore, we should also know how to set up things when we need them.
For instance, knowing how to quickly setup up an HTTP server, DHCP server or an SMB/CIFS shared folder can be truly essential during pentests.
7. Active Directory
Windows Active Directory (AD) deployments are practically everywhere and so we have to know them.
We should be able to assess the security posture of the AD from multiple angles and know about various attack techniques against it. For instance:
- GPP passwords
- Password spraying
- Lateral movement
- Privilege escalation
We should have extensive knowledge about these things. We should also know what are some of the countermeasures such as LAPS or PAM.
Here’s one of the best resources on AD security and in fact the whole Microsoft ecosystem: Active Directory Kill Chain Attack & Defense.
And one more thing. As pentesters, we should never call it a day after we get Domain Admin privileges. We should understand that we have to keep digging for more vulnerabilities.
8. Command-line tools
We have to be comfortable with the command line. This is simply a must. It is absolutely essential that we can navigate through the file system, work with files easily, and do other things from the command line.
Whether we have a UNIX background or a Windows background, we simply have to know the command line by hearth on both.
On UNIX (Linux), we should be comfortable using the following text-processing tools:
These tools give us tremendous power for processing textual data – log files, outputs from other programs, and so on. They give us the ability to extract any piece of information we need.
On Windows, the PowerShell interpreter has equivalent functionalities. In fact, it can be even more powerful thanks to its objectification.
Check out the PowerShell infosec reference with examples of equivalent commands on both Linux and Windows systems.
That brings us to the next topic.
9. Regular expressions
Regular expressions (regex or regexp) are the most powerful way of pattern matching. Knowing regular expressions can be extremely beneficial for a pentester because it allows us to do:
- Pattern searching. With regexps we can for instance filter out all IP addresses from a text file. We can find email addresses, domain names, host names, MAC addresses, or pretty much anything really.
- Text replacement. Regexps have powerful search & replace functionalities that allow us to do various textual transformations.
- Data grouping and splitting. Using regexp we can group certain data together, or split them apart. This is essential for further automation/machine processing.
As pentesters, we must know regular expressions by the hearth as well.
10. Shell scripting
Regardless of which Linux hacking distribution is your favorite, one thing is common to all of them – the shell.
As pentesters, we spend a significant portion of our time working in shells. Therefore, every pentester should absolutely master it.
Knowing the shell gives us tremendous power and the ability to automate things. For instance, we can:
- Automate repetitive tasks quickly and easily
- Write powerful one-liners from top of your head
- Interconnect pretty much all thinkable utilities together
- Write custom scripts and tools quickly
- Grow our efficiency exponentially
Every senior pentester should be able to throw intricate one-liners left and right.
11. Programming language
Let’s be honest. As hackers, we are trying to find vulnerabilities in computer systems and programs that were most likely written in some programming language. How are we supposed to find bugs in these things if we don’t have experience with programming?
Throughout our reports, we are giving advice to programmers and developers and we should understand what it takes to implement something.
For instance, we should understand how a registration/login procedure works, how to store data in a database, or how to safely read input from a user.
We should understand these things at least to the extent that we can comprehend the SANS TOP 25 most common software errors.
12. Python scripting language
Knowing Python’s scripting language can be a tremendous advantage for every pentester. Here’s why.
First of all, Python is:
- Extremely powerful
- Easy to learn
- Easy to code in
Moreover, Python has been widely adopted by the infosec community and many great projects were written in Python. Here are some examples:
Furthermore, many security researchers and exploit writers write their code in Python. And sometimes we need to modify something here and there.
Therefore, we should definitely know this language at least so that we can modify what we need.
This brings us to the next skill.
13. Ability to find PoCs and exploits
Every pentester needs to know where to find a Proof of Concept (PoC) code or an exploit to verify a vulnerability.
Once our scanners tell us that the target is vulnerable to CVE-XXX-YYYY, we cannot simply take this as it is and blindly report it to the customer.
Everything should always be verified. That’s what we do. We must offer proof and evidence. Our customers will be happier and more impressed with the more evidence we include in our report.
Therefore, we need to know where to look for PoCs and we also need to know how to use them. The following list provides some resources on where to find PoCs and exploit codes:
- https://github.com/Metnew/uxss-db (Browser vulns)
Technology and Methodology
14. Internet services
As pentersters, we should have extensive knowledge about the Internet. We should know not only how it works, but also how to set up a server on the Internet, for instance.
We should have experience and know how to:
- Register a new domain
- Setup a virtual private server
- Associate the domain with the server
- Setup a secure network service using a certificate
Sometimes we need to prepare infrastructure for other activities (e.g. a phishing site) and as pentesters we should definitely know how to do it.
15. OSINT gathering
Every pentester should be able to find technical and other information about a specific company and its workers by navigating via the public sources.
At a minimum, we should be able to use sources such as:
- DNS records
- WHOIS records
- Search engines
- Social networks
For instance, we may need to perform an OSINT exercise on a target organization and collect a list of the following information:
- Registered domain names
- Hostnames and subdomains
- IP addresses and network ranges
- Email addresses
- Phone numbers
We should know how to do that e.g. by using various automated tools.
Here’s one of the best resources available on OSINT: https://github.com/jivoi/awesome-osint
Every pentester should be somewhat knowledgeable about databases. I’m not suggesting to become database administrators or a PL/SQL developers, but we should at least have experience using the most popular databases such as:
- Microsoft SQL
We should know how to connect to them, how to list logical databases in them, how to list tables and how to read data from them.
We should also understand what can we do with them after they are compromised.
Can we write it onto the file system? Can we read arbitrary files? Are we able to achieve remote code execution (RCE) and get a shell? These things are essential for a pentester.
See for instance our guide on Firebird database exploitation.
17. Web technologies
As pentesters, we should have an extensive range of skills in web technologies in order to perform web application penetration tests.
This topic is obviously huge, but for instance, we should be knowledgeable about topics such as:
- JSON, URL encoding, HTML entities
- HTTP family protocols
- SOAP and REST web services
- Web servers and application servers
- Web frameworks (SharePoint, Silverlight etc.)
- CMS (WordPress, Drupal etc.)
- Web application firewalls and filters
We should have extensive experience using testing tools such as:
- Burp Suite
- Fiddler Proxy
We should know techniques and methods how to assess the security posture of web servers and deployed web applications.
For instance, we should know how to port scan a website.
We should also know about insecure coding practices, misconfiguration, and other things that are included in the OWASP TOP 10 most common vulnerabilities.
18. Mobile technologies
When it comes to performing mobile application penetration tests, every pentester should know the core concepts and testing methodologies at least for the following two platforms:
- Apple iOS
We should know how to perform static and dynamic analyses of the mobile application. For instance, we should know how to:
- Use mobile phone emulators
- De-compile and re-compile an application
- Reverse engineer an application
- Inspect the network communication
We should know about code obfuscation, certificate pinning, or how the application should be storing data on the phone. We should know about jailbreaks, rooting, and other things.
The involvement of a server-side component, or a system on the Internet with which the mobile application talks, is another issue we should be aware of.
Therefore, a typical mobile app pentest includes certain elements of a web app pentest. We should therefore be quite knowledgeable about web technologies.
Here’s one great resource on mobile security: https://mobisec.reyammer.io/.
As pentesters, we should have somewhat extensive knowledge about cryptography and related topics.
For starters we should know:
- Concepts of symmetric and asymmetric cryptography
- The difference between HTTP and HTTPS, or Telnet and SSH
- SSL and TLS encryption and the concept of certification authorities
- How to SSH public key authentication work
We should also understand the differences between:
- Encoding (e.g. Base64)
- Checksum (e.g. CRC32)
- Obfuscation (e.g. XOR)
- Hashing (e.g. MD5, SHA1, SHA256, SHA512)
- Encryption (e.g. RC4, DES, BlowFish, AES)
When and how to use them should be clear to us. We should be aware of which ones we can decode, decrypt, or just try to crack. For example, take a look at our blog post on cracking and decrypting Cisco passwords.
As pentesters we should also know, for instance, how to employ obfuscation or encryption to bypass various defenses and other things.
20. Password and hash cracking
Another thing every pentester should know is how to crack things.
We should have extensive experience with cracking tools such as John the ripper or Hashcat.
We should be knowledgeable about cracking not only password hashes but also other things. For instance:
- Documents (MS Office, PDF..)
- Compressed archives
- Password managers
- Encrypted volumes
We should understand methods and limitations when it comes to cracking speed, cracking on CPU vs. GPU, or what is realistic to crack and what is not.
We should also know where to find dictionaries and which cracking tactics to use, e.g.:
- Wordlist with rules
Here’s one of the best publicly available repositories of wordlists: https://github.com/danielmiessler/SecLists
21. Physical security
Even though penetration testing is primarily concerned with information technology, physical penetration tests are occasionally necessary, and we should be able to carry them out.
We should have an understanding of physical security controls and at minimum be able to recognize deficiencies such as:
- Weak locks being in use
- Insecure door mechanisms
- Insufficient restrictions to enter restricted areas
- Insecure cabling (e.g. for an access control system)
- Insufficient video surveillance
- Unsafe disposal practices
We should also know something about RFID access card cloning and related topics.
22. Auditing and Compliance
We should also understand topics of compliance audits and security benchmarks. This includes CIS, PCI DSS, DISA STIG, and so on.
Not everybody knows them, but knowing them can make a big difference not just in front of the client. For instance, we should know:
- What are the organizations that made them?
- What are they actually testing / bench-marking?
- When and why does it make sense to comply with them?
Here’s a quick way to get up to speed:
- Defense Information Systems Agency (homepage)
- Security Technical Implementation Guides (link)
- FAQ (link)
- Microsoft Security Compliance Toolkit (link)
23. Soft skills
Although the majority of penetration testing is technical, we also require some soft skills to perform our duties. Here is a list of the top 5 soft skills that every pentester has to possess.
Penetration testing is an extremely sensitive area which often times includes dealing with confidential information and other people’s data.
Therefore, we have to be extremely cautious and always keep the work private. Protecting our clients is the number one mission and we must never forget this.
Although our work is mostly technical comprising of working with computers, we also have to interact with people and clients a lot.
Therefore, we have to be able to explain our work and various technical information to others in a way that they can understand us.
Empathy can help us understand who our audience is and how best to serve them.
Whether we are presenting our work in front of a group of company executives, or a technical crowd, we should always tailor our delivery to provide the most value to our audience.
The result of our work is reports. They stand in for what we have accomplished throughout the engagement. As a result, learning how to create effective reports is crucial.
Our reports should look professional, clean, and without grammar mistakes and typos. We should always use a spell checker even before passing it on to our teammates for a QA.
The work of a pentester sometimes also requires a certain level of boldness. For instance during social engineering attacks, phishing calls, or physical intrusions.
As professional pentesters, we must appear confident and keep our cool during these times.
Because we have so much material to memorize every day as pentesters, taking effective notes is an absolutely crucial ability.
We should cultivate this skill as our personal gardens. The items that we can put into our notebooks are:
- Methods and techniques
- Command examples
- Code snippets
- Tools and links
Start building your own personal knowledge base now, if you don’t have one yet. Your efficiency and abilities will skyrocket as I have witnessed so many times among my coworkers.
25. Staying informed
Staying informed in the cybersecurity industry is the last essential skill every pentester should have. We should all maintain a collection of resources that keeps us up-to-date. For instance:
- Mailing lists
- News outlets
- Security blogs
- Technical reports
- Social media groups
How much do penetration testers make?
As of September 2021, Payscale reported a typical base salary of nearly $87,000 per year for pen testers. At the low end (bottom 10%), pentesters earn about $59,000 per year. At the high end (top 10%), they make up to $138,000 per year.
Pentesting is an important part of keeping your business secure in the digital age. Finding and addressing security flaws can help you avoid data breaches, financial losses, and damage to your reputation. There are many firms that provide pentesting services; therefore, do your homework before selecting one.
Thanks for reading! I hope this post has helped you to better understand pentesting and how it can benefit your business.