Lurking in enterprise network packets are a host of potential threats: misconfigurations, human mistakes, poor...
security policies and other vulnerabilities that can be exploited by an attacker. The attacker can be an individual, a hacker group or a nation-state. Their ultimate goal is to render useless the applications, servers and the network -- temporarily or permanently. To defeat them, organizations should conduct penetration tests on a regular basis.
Security managers need permission from their company to test live networks, and they need the right pen testing tools for the job. Many tools with command-line interfaces now offer a GUI to make security managers' jobs easier. Once limited to computers, more and more pen testing tools now let you work from mobile devices.
To strengthen midmarket defenses, security professionals need to build a toolkit of both free and commercial tools. Some pen tests are free, and some are not, but they all serve one purpose: the administrator must find the vulnerabilities before the hackers do. No two tools have the same penetration techniques. Each tool differs in their scanning methods -- which security administrators can implement -- as well as the types of vulnerabilities they look for. Some offer an unlimited number of IP addresses or hosts to exploit; some don't. Some are specific to operating systems, and some are agnostic.
Here's a look at a suggested list of pen testing tools for midmarket companies. This list covers tools to test both network service and Web applications.
Nmap has been a favorite free, multi-platform tool among administrators. It now comes with Zenmap graphical interface to help make their job of scanning the network easier.
With Command Wizard, security administrators see the command-line options at the top of the screen for each profile (new or predefined). They can interactively edit them before they run them. This interaction feature helps to save time normally required to correct typing and/or configuration errors.
When creating a new profile, security administrators can choose a combination of options from scan, ping, target, source, timing and other advanced penetration testing techniques. They can save the scan results in a database and compare them at a later date to determine any unusual traffic patterns.
Complete lifecycle of vulnerability testing helps the administrator get a better view of how various tools work together. One favorite is Burp, a graphical Web application pen test that comes in two editions: Limited and Burp Suite Professional ($299 per user per year).
The free edition lets the administrators use Burp Proxy to modify traffic between their browser and the target application, Burp Spider for crawling content (e.g., finding new login attempts), Burp Repeater to resend individual requests, and Burp Sequencer for testing randomness of session tokens.
Available in the professional suite are two more tools: Scanner for automating scanning of vulnerabilities, and Intruder for customizing attacks to exploit unusual vulnerabilities. This suite lets the administrator search keywords, schedule tasks, analyze targets, and save, restore and compare scanning results. To perform complex tasks, Java-savvy administrators can create their own plugins.
Administrators who worked with Nessus should find it similar to OpenVAS (Open Vulnerability Assessment System). OpenVAS was forked off as a free tool from the last free version of Nessus in 2005. Both use multiple scanners to discover exploits in servers from a client machine. But this doesn't mean Nessus and OpenVAS can target the same vulnerability types.
To install OpenVAS-8, the administrator can choose a third-party package or compile source code. The scanner executes daily updates to network vulnerability tests (NVTs) via the OpenVAS NVT Feed or via a commercial feed service. The administrator works with Greenbone Security Assistant, a lean Web service with a user interface for Web browsers.
Coordinating with OpenVAS Manager service module, the administrator manages user accounts, and can change the rules to reset the number of OpenVAS Scanners that can target network and/or operating systems-specific hosts concurrently. The administrator can also change configurations to let a user scan his own host or manually synchronize his own NVT repository with an OpenVAS NVT Feed. He or she can control scan schedules and maintain a SQL database, like MySQL or SQLite, of scan configurations and results.
Some pen testing tools allow scanning on multiple mobile devices (in addition to computers). One favorite is Arachni, an open source free tool for Linux and Mac OS X that comes with graphical interfaces. This tool lets the administrator actively test Web applications with cross-site scripting (with DOM variants), SQL injection, NoSQL injection, code injection, file inclusion variants and other types of injections.
Administrators can configure the tool to limit passive checks of files to credit card numbers, Social Security numbers, private IP addresses and other types of information. From their client machine, they can scan a single server or multiple servers running on Windows, Solaris and/or other operating systems. Administrators acting as penetration testers who use the tool as part of their assessment toolkit are exempt from the requirement of a license for commercial use.
Finding the right pen testing tools
To build a functional toolkit for penetration testing tools, the administrators must consider each tool's capabilities. They should include the specific targets to be tested, the penetration testing techniques, the range of vulnerability types, the ease of use, and other variables. The pen testing tools, when used together wherever possible, should help the administrators find a wider range of vulnerabilities.
About the author:
Judith M. Myerson is a security and systems engineering professional that has researched and published articles on a wide range of security, risk management and Internet of Things topics. She is the author of RFID in the Supply Chain, and is CRISC (Certified in Risk and Information System Control) and a member of OPSEC and ISACA.
Read an excerpt from Hacking with Kali: Practical Penetration Testing Techniques