I’ve been in computer security for over 30 years, and no job has been more challenging and fun than professional penetration testing (a.k.a. pen testing or ethical hacking). You essentially get paid to legally break into computers or devices, and there is no downside. If you hack in past the current defenses, you’ve given the client a chance to close the hole before an attacker discovers it. If you don’t find anything, your client is even happier because they now get to declare their product “secure enough that even paid hackers couldn’t break into it.” Win-win!
This is not to say that ethical hacking is always easy. It isn’t (but you don’t have to have a high IQ, either). It’s also not without its some seemingly insurmountable challenges in different scenarios. If you like to get paid to stay on the cutting edge of technology and break into things, however, then penetration testing is your dream job.
Hacker to penetration tester
Any hacker must take some common steps to become an ethical hacker, the bare minimum of which is to make sure you have documented permission from the right people before breaking into something. Not breaking the law is paramount to being a professional pen tester. All ethical hackers should follow a code of ethic to guide everything they do. The EC-Council, creators of the Certificated Ethical Hacker (CEH) exam, have one of the best public code of ethics available.
Ethical hacking steps
1. Scope and goal setting
It is essential for any professional pen tester to document agreed upon scope and goals. These are the kinds of questions regarding scope you need to ask:
- What computer assets are in scope for the test?
- Does it include all computers, just a certain application or service, certain OS platforms, or mobile devices and cloud services?
- Does the scope include just a certain type of computer asset, such as web servers, SQL servers, all computers at a host OS level, and are network devices included?
- Can the pen testing include automated vulnerability scanning?
- Is social engineering allowed, and if so, what methods?
- What dates will pen testing be allowed on?
- Are there any days or hours when penetration testing should not be tried (to avoid any unintentional outages or service interruptions)?
- Should testers try their best to avoid causing service interruptions or is causing any sort of problem a real attacker can do, including service interruptions, a crucial part of the test?
- Will the penetration testing be blackbox (meaning the pen tester has little to no internal details of the involved systems or applications) or whitebox (meaning they have internal knowledge of the attacked systems, possibly up and involving relevant source code)?
- Will computer security defenders be told about the pen test or will part of the test be to see if the defenders notice?
- Should the professional attackers (e.g., red team) try to break-in without being detected by the defenders (e.g., blue team), or should they use normal methods that real intruders might use to see if it sets off existing detection and prevention defenses?
Ask these questions regarding the goals of the penetration test.
- Is it simply to show that you can break into a computer or device?
- Is denial-of-service considered an in-scope goal?
- Is accessing a particular computer or exfiltrating data part of the goal, or is simply gaining privileged access enough?
- What should be submitted as part of documentation upon the conclusion of the test? Should it include all failed and successful hacking methods, or just the most important hacks? How much detail is needed, every keystroke and mouse-click, or just summary descriptions? Do the hacks need to be captured on video or screenshots?
It’s important that the scope and goals be described in detail, and agreed upon, prior to any penetration testing attempts.
2. Select the proper pen-testing tools
The penetration tester usually has a standard set of hacking tools that they use all the time, but they might have to look for and stock up on different tools depending on the ethical hacking job. For example, if the penetration tester is asked to attack SQL servers and has no relevant experience, they might want to start researching and testing different SQL attack tools.
Most penetration testers start with a Linux OS “distro” that is specialized for penetration testing. Linux distros for hacking come and go over the years, but right now the Kali distro is the one most professional penetration testers prefer. There are thousands of hacking tools, including a bunch of stalwarts that nearly every pen tester uses.
The most important point of any hacking tool, beyond its quality and fit for the job at hand, is to make sure it does not contain malware or other code designed to hack the hacker. The vast majority of hacking tools that you can get on Internet, especially for free, contain malware and undocumented backdoors. You can usually trust the most common and popular hacking tools, like Nmap, but the best pen testers write and use their own tools because they don’t trust anything written by someone else.
3. Discovery: Learn about your pen-test target
Every penetration tester begins their asset hacking (excluding social engineering techniques for this discussion) by learning as much about the pen test targets as they can. They want to know IP addresses, OS platforms, applications, version numbers, patch levels, advertised network ports, users, and anything else that can lead to an exploit. It is a rarity that a pen tester won’t see an obvious potential vulnerability by spending just a few minutes looking at an asset. At the very least, even if they don’t see something obvious, they can use the information learned in discovery for continued analysis and attack tries.
4. Exploitation: Break into the target asset
This is what the ethical hacker is being paid for – the “break-in.” Using the information learned in the discovery phase, the pen tester needs to exploit a vulnerability to gain unauthorized access (or denial of service, if that is the goal). If the hacker can’t break-in to a particular asset, then they must try other in-scope assets. Personally,
if I’ve done a thorough discovery job, then I’ve always found an exploit. I don’t even know of a professional penetration tester that has not broken into an asset they were hired to break into, at least initially, before their delivered report allowed the defender to close all the found holes. I’m sure there are penetration testers that don’t always find exploits and accomplish their hacking goals, but if you do the discovery process thorough enough, the exploitation part isn’t as difficult as many people believe. Being a good penetration tester or hacker is less about being a genius and more about patience and thoroughness.
Depending on the vulnerability and exploit, the now gained access may require “privilege escalation” to turn a normal user’s access into higher administrative access. This can require a second exploit to be used, but only if the initial exploit didn’t already give the attacker privileged access.
Depending on what is in scope, the vulnerability discovery can be automated using exploitation or vulnerability scanning software. The latter software type usually finds vulnerabilities, but does not exploit them to gain unauthorized access.
Next, the pen tester either performs the agreed upon goal action if they are in their ultimate destination, or they use the currently exploited computer to gain access closer to their eventual destination. Pen testers and defenders call this “horizontal” or “vertical” movement, depending on whether the attacker moves within the same class of system or outward to non-related systems. Sometimes the goal of the professional pen tester must be proven as attained (such as revealing system secrets or confidential data) or the mere documentation of how it could have been successfully accomplished is enough.
5. Document the pen-test effort
Lastly, the professional penetration tester must write up and present the agreed upon report, including findings and conclusions.
The pen-test job is sophisticated and evolving
Like every other IT security discipline, professional pen testing is maturing. Standalone hackers who simply show technical prowess without professionalism and sophistication are becoming less in demand. Employers are looking for the complete professional hacker – both in practice and the toolsets they use.
Better toolkits: Penetration or vulnerability testing software has always been a part of the ethical hacker’s toolkit. More than likely, the customer already is running one or both of these on a regular basis. One of the most exciting developments in pen testing are tools which essentially do all of the hard work from discovery to exploitation, much like an attacker might.
An example of this type of tool is opensource Bloodhound. Bloodhound allows attackers to see, graphically, relationships among different computers on an Active Directory network. If you input a desired target goal, Bloodhound can help you quickly see multiple hacking paths to get from where you start to that target, often identifying paths you didn’t know existed. I’ve seen complex uses where pen testers simply entered in starting and ending points, and Bloodhound and a few scripts did the rest, including all hacking steps necessary to get from point A to Z. Of course, commercial penetration testing software has had this sort of sophistication for much longer.
A picture is worth a thousand words: It used to be that to sell a defense to senior management, pen testers would hack senior management or show them documentation. Today, senior management wants slide decks, videos or animations of how particular hacks were performed in their environment. They use it not only to sell other senior managers on particular defenses but also as part of employee education.
Risk management: It’s also not enough to hand off a list of found vulnerabilities to the rest of the company and consider your job done. No, today’s professional penetration testers must work with IT management to identify the biggest and most likely threats. Penetration testers are now part of the risk management team, helping to efficiently reduce risk even more so than just pure vulnerabilities. This means that ethical hackers provide even more value by showing management and defenders what is most likely to happen and how, and not just show them a one-off hack that is unlikely to occur from a real-life intruder.
Training and certifications: Today, there exists all sorts of avenues for people to become professional penetration testers, including a wide range of courses and certifications. This courses often come with exposure to different hacking tools in sophisticated looking simulation labs, taught by expert instructors. Students graduating or earning certification often become part of a larger community of pen testers, continuing their education and contributing back to the society that taught them so much.
Professional penetration testing isn’t for everyone. It requires becoming a near-expert in several different technologies and platforms, as well as an intrinsic desire to see if something can be broken into past the normally presented boundaries. If you’ve got that desire, and can follow some legal and ethical guidelines, you, too, can be a professional hacker.