Introduction to Penetration Testing
What is a penetration test?
What is penetration testing? Penetration testing, often called “pentesting”, “pen testing”, “network penetration testing” or “security testing”, is the practice of attacking your own or your clients’ IT systems in the same way a hacker would to identify security holes. Of course, you do this without actually harming the network. The person carrying out a penetration test is called a penetration tester or pentester.
Let’s make one thing crystal clear: Penetration testing requires that you get permission from the person who owns the system. Otherwise, you would be hacking the system, which is illegal in most countries – and trust me, you don’t look good in an orange jumpsuit.
In other words: The difference between penetration testing and hacking is whether you have the system owner’s permission. If you want to do a network penetration test on someone else’s system, we highly recommend that you get written permission. In this case, asking first is definitely better than apologizing later!
You can become a penetration tester at home by testing your own server and later make a career out of it.
What is a vulnerability?
A vulnerability is a security hole in a piece of software, hardware or operating system that provides a potential angle to attack the system. A vulnerability can be as simple as weak passwords or as complex as buffer overflows or SQL injection vulnerabilities.
To test if you have any vulnerabilities in your systems, you typically use a vulnerability management solution, also known as a vulnerability scanner or vulnerability assessment solution. If you would like to get your hands on a free vulnerability scanner, try NeXpose Community Edition, one of Metasploit’s sister projects.
What is security research?
Vulnerabilities are typically found by security researchers, which is a posh term for smart people who like to find flaws in systems and break them. At Rapid7.
Like penetration testing, security research can be used for good and evil. Some countries don’t make the distinction and outlaw security research completely, so make sure you check your country’s legislation before you start researching and especially before you publish any research.
What is an exploit?
To take advantage of a vulnerability, you often need an exploit, a small and highly specialized computer program whose only reason for being is to take advantage of a specific vulnerability and to provide access to a computer system. Exploits often deliver a payload to the target system to grant the attacker access to the system.
The Metasploit Project hosts the world’s largest public database of quality-assured exploits. Have a look at the Rapid7 exploit database.
Even the name Metasploit comes from the term “exploit”. Metasploit was the first software to provide a common framework for a large selection of exploits. Think of it as an abstraction layer (“Meta”) for exploits (abbreviated “sploits”). Get it?
What is a payload?
A payload is the piece of software that lets you control a computer system after it’s been exploited. The payload is typically attached to and delivered by the exploit. Just imagine an exploit that carries the payload in its backpack when it breaks into the system and then leaves the backpack there. Yes, it’s a corny description, but you get the picture.
Metasploit’s most popular payload is called Meterpreter, which enables you to do all sorts of funky stuff on the target system. For example, you can upload and download files from the system, take screenshots, and collect password hashes. You can even take over the screen, mouse, and keyboard to fully control the computer. If you’re feeling particularly bad-ass, you can even turn on a laptop’s webcam and be a fly on the wall.
Reviewed by Haxbaba Tech