If the probability of your assets being prodded by attackers foreign and domestic doesn't scare the bejesus out of you, don't read this article. If you're operating in the same realm of reality as the rest of us, here's your shot at redemption via some solid preventive pen testing advice from a genuine pro.
CSO speaks with pen test tool designer/programmer/aficionado, Evan Saez, Cyber Threat Intelligence Analyst, LIFARS, about the latest and greatest of these tools and how to apply them.
Available pen test tools
The pen test tools for this discussion are Metasploit, the Nessus Vulnerability Scanner, Nmap, Burp Suite, OWASP ZAP, SQLmap, Kali Linux, and Jawfish (Evan Saez is a developer on the Jawfish project). These tools are key to securing your enterprise because these are the same kinds of tools that attackers use. If you don't find your holes and seal them, they will exploit them.
[ ALSO ON CSO: Pen testing tool or exploit? 6 samples of ways hackers get in ]
Metasploit is a framework with a large programmer fan base that adds custom modules, test tools that test for weaknesses in operating systems and applications. People release these custom modules on GitHub and Bitbucket. Bitbucket, like GitHub is an online repository for coding projects. "Metasploit is the most popular pen test tool," says Saez.
The Nessus Vulnerability Scanner is a popular, signature-based tool for locating vulnerabilities. "Nessus' can only compare scans to a database of known vulnerability signatures," says Saez.
The Nmap network scanner enables pen testers to determine the types of computers, servers, and hardware the enterprise has on its network. The fact that these machines are identifiable via these external probes is in itself a vulnerability. Attackers use this information to lay the ground work for attacks.
Burp Suite is another popular web application pen test tool. It maps and analyzes web applications, finding and exploiting vulnerabilities, according to Burp Suite web security tool vendor, PortSwigger.
OWASP ZAP (Zed Attack Proxy) is the web application pen test tool from nonprofit OWASP, the Open Web Application Security Project. ZAP offers automated and manual web application scanning in order to serve the novice and the established professional pen tester. ZAP is an open source tool now available on GitHub.
SQLmap automates the discovery of SQL Injection holes. It then exploits those vulnerabilities and takes complete control of databases and underlying servers.
Kali Linux is an all-in-one tool comprising a suite of dedicated, pre-installed penetration testing (and security and forensics) tools. "It has tools for people who have no knowledge of security," says Saez.
Unlike most tools, which are signature-based, Jawfish is a pen test tool that uses genetic algorithms. "Genetic algorithms look for things in the context of search," says Saez. Based on search criteria, as Jawfish gets closer to what it is looking for, in this case a vulnerability, it can find a result. Jawfish does not require a signature database.
How to use them
Metasploit, the Nessus Vulnerability Scanner, Nmap, Burp Suite, OWASP ZAP, SQLmap, Kali Linux, and Jawfish each have their uses. Most enterprises will need multiple tools. Metasploit offers both a Ruby interface and a CLI so your pen tester can opt for one or the other, depending on what you are trying to do. "The Ruby interface is more useful for testing a very large network because running commands in a CLI would be too tedious for that," says Saez.
Nessus Vulnerability Scanner checks computers and firewalls for open ports and for installations of potentially vulnerable software. "As far as pen testing, this tool is less useful as it is very noisy and goes in through the front door, communicating with the OS to determine vulnerabilities. This tool is normally used for compliance efforts to simply determine whether patches are up to date," says Garrett Payer, Lead Technologist, ICF International, a large technology solutions provider.
Apply Nmap to search for hosts, open ports, software versions, operating systems, hardware versions, and vulnerabilities--generally mapping the network's attack surface. It is useful at each stage of pen testing, wherever you have a new set of hosts, ports, and other resources to identify, such as when entering a new network segment. "This tool has a scripting feature and is useful for enumerating user access," says Payer.
Use Burp Suite with your web browser to map web applications. The tools inside Burp Suite discover application functionality and security holes and then launch custom attacks. Burp Suite automates repetitive functions while retaining user choice where the pen tester needs to have control of individualized options for testing. "This very feature rich tool investigates cross site scripting and other vulnerabilities using a proxy," says Payer; "it allows some transparency into what the website is actually sending to the server."
OWASP ZAP performs a variety of scans and tests including port scanning, brute force scanning, and fuzzing in order to identify unsecure code. Pen testers use an intuitive GUI similar to that of a Microsoft application or certain web design tools (such as Arachnophilia). Once you surf and perform activities on a website, you enter ZAP again to see the code and what transpired during those activities. When set as a proxy server, OWASP ZAP controls the web traffic that it processes. "This tool is newer than Burp Suite, is not as feature rich, but is free and open source. It provides a subset of features and a GUI that are useful for people who are just entering web application pen testing," says Payer.
Leverage SQLmap to test improperly coded sites and URLs attached to databases via python commands in a command line. If a malformed URL (link) to database information draws an error code, then the link is subject to attack. SQLmap installs on Ubuntu Linux, inside a VM. "Another script-friendly tool, SQLmap can determine such things as whether the programmer has parameterized the inputs," says Payer. If he hasn't, a pen tester or an attacker could forward a name, semi-colon, and an SQL command, for example, and run it on the database, gaining control, explains Payer.
Install Kali Linux and open any one of more than a dozen pen testing / exploit tools bundled with it. "Kali Linux comes with a lot of user documentation," says Saez.
You can try the Jawfish pen test tool using the available GUI form. Simply input an IP address for the server, a vulnerable web address at that IP address, then the vulnerability, method, and goal text. The tool returns the goal text when you have successfully hacked the address. This tool is entirely new and not vetted for enterprise adoption.
Compare, select, use, and patch
You will want to select tools based on where your most costly vulnerabilities lie. Once you find your vulnerabilities, it's important to patch them if there is a patch available, or secure around them if it is not.