Learn Penetration Testing
eBook - ePub

Understand the art of penetration testing and develop your white hat hacker skills

Rishalin Pillay

  1. 424 pages
  2. English
  3. ePUB (mobile friendly)

About This Book

Get up to speed with various penetration testing techniques and resolve security threats of varying complexity

Key Features

  • Enhance your penetration testing skills to tackle security threats
  • Learn to gather information, find vulnerabilities, and exploit enterprise defenses
  • Navigate secured systems with the most up-to-date version of Kali Linux (2019.1) and Metasploit (5.0.0)

Book Description

Sending information via the internet is not entirely private, as evidenced by the rise in hacking, malware attacks, and security threats. With the help of this book, you'll learn crucial penetration testing techniques to help you evaluate enterprise defenses.

You'll start by understanding each stage of pentesting and deploying target virtual machines, including Linux and Windows. Next, the book will guide you through performing intermediate penetration testing in a controlled environment. With the help of practical use cases, you'll also be able to implement your learning in real-world scenarios. By studying everything from setting up your lab, information gathering and password attacks, through to social engineering and post exploitation, you'll be able to successfully overcome security threats. The book will even help you leverage the best tools, such as Kali Linux, Metasploit, Burp Suite, and other open source pentesting tools to perform these techniques. Toward the later chapters, you'll focus on best practices to quickly resolve security threats.

By the end of this book, you'll be well versed in various penetration testing techniques and able to tackle security threats effectively.

What you will learn

  • Perform entry-level penetration tests by learning various concepts and techniques
  • Understand both common and not-so-common vulnerabilities from an attacker's perspective
  • Get familiar with intermediate attack methods that can be used in real-world scenarios
  • Understand how vulnerabilities are created by developers and how to fix some of them at source code level
  • Become well versed with basic tools for ethical hacking purposes
  • Exploit known vulnerable services with tools such as Metasploit

Who this book is for

If you're just getting started with penetration testing and want to explore various security domains, this book is for you. Security professionals, network engineers, and amateur ethical hackers will also find this book useful. Prior knowledge of penetration testing and ethical hacking is not necessary.

Information

  • Year: 2019
  • ISBN: 9781838644161
  • Edition: 1

Section 1: The Basics

In this section, we will begin with the basics. You will learn about penetration testing and what it entails. Understanding the stages of a penetration test is the key to success. We will start to prepare our environment by using an operating system that is geared toward penetration testing—Kali Linux. You will learn how to set up and configure the various elements of Kali Linux.
The following chapters will be covered in this section:
  • Chapter 1, Introduction to Penetration Testing
  • Chapter 2, Getting Started with Kali Linux

Introduction to Penetration Testing

In this chapter, we begin our journey by building a solid foundation. Having a good understanding of the basics of penetration testing will help you conduct a successful penetration test, as opposed to haphazardly scanning networks and performing tests blindly. We will define penetration testing and how it differs from other security assessments. Before the actual penetration test occurs, there are a few things that need to be done in order to ensure that the correct authorization is in place and the correct scope is defined. Every successful penetration testing student requires a lab environment—it can be daunting to build one, but don't despair. We will look at what options exist for a lab environment.
As you progress through the chapter, you will learn the following:
  • What is penetration testing?
  • Stages of a penetration test
  • Getting started with your lab
  • Creating virtual machines (VMs) in VMware, Hyper-V, and VirtualBox

Technical requirements

This chapter has the following technical requirements:
  • Kali Linux version 2019.1
  • Any hypervisor, such as VMware, Hyper-V, or VirtualBox

What is penetration testing?

Today, penetration testing is often confused with vulnerability assessments, red team assessments, and other security assessments. However, there are some differences between them, as follows:
  • Vulnerability assessment: This is the process of identifying vulnerabilities and risks in systems. In a vulnerability assessment, the vulnerability is not exploited. It merely highlights the risks so that the business can identify them and plan for remediation.
  • Penetration testing: This is the authorized process of finding and using vulnerabilities to perform an intrusion into a network, application, or host in a predefined time frame. Penetration testing can be conducted by an internal team or an external third party. Penetration testing goes one step further than a vulnerability assessment, in that a penetration test exploits the vulnerability to ensure it is not a false positive. Penetration testing does not involve anything that is unauthorized or uncoordinated. During a penetration test, some tests might affect business applications and cause downtime. For this reason, awareness at the management and staff levels is often required.
  • Red team assessment: This is similar to a penetration test, but it's more targeted. Whereas a penetration test's main aim is to discover multiple vulnerabilities and exploit them, the goal of a red team assessment is to test an organization's response capabilities and act on vulnerabilities that will meet their goals. In a red team assessment, the team will attempt to access information in any way possible and remain as quiet as possible. Stealth is key in a red team assessment. A red team assessment also runs for much longer than a penetration test.
As you start your penetration testing journey, it's important to understand what penetration testing is. To illustrate what penetration testing is, let's consider a scenario.
You currently own an organization that holds customer data. Within your organization, you have SQL databases, public-facing websites, internet-facing servers, and a sizeable number of users. Your organization is a prime target for a number of attacks, such as SQL injections, social engineering against users, and weak passwords. Should your organization be compromised, there is a risk of customer data being exposed, and more.
In order to reduce your exposure to risks, you need to identify the holes in your current security posture. Penetration testing helps you to identify these holes in a controlled manner before an attacker does. Penetration testing uses real-world attacks that attackers would leverage; the aim is to obtain accurate information as to how deep an attacker could go within your network and how much information the attacker could obtain. The results of a penetration test give organizations an open view of the vulnerabilities and allow them to patch these before an adversary can act on them.
Think of penetration testing as looking through the eyes of an enemy.
Penetration testing is often referred to as ethical hacking, white hat hacking, pentest, or pentesting.
As the security maturity of organizations differs, so will the scope of your penetration tests. Some organizations might have really good security mechanisms in place, while others might not. Just as businesses treat policies, business continuity plans, risk assessments, and disaster recovery as integral parts of their overall security, penetration testing needs to be included.

Stages of a penetration test

Now that you understand what penetration testing is, you may be wondering what the flow of a penetration test is. Penetration testing has a number of stages, and each stage forms an important part of the overall penetration test.
There are various standards that relate to penetration testing. This book does not follow any one of them specifically. There are other known standards, such as the following:
  • NIST SP800-115 standard – https://csrc.nist.gov/publications/detail/sp/800-115/final
  • Open Source Security Testing Methodology Manual (OSSTMM) – http://www.isecom.org/research
The following stages follow the Penetration Testing Execution Standard (PTES), which I found to be a great starting point. The full standard can be found at http://www.pentest-standard.org/.

Pre-engagement

This is the most important phase in every penetration test. In this phase, you start defining the blueprint for the penetration test and align this blueprint to the business goals of the client. The aim is to ensure that everyone involved is on the same page and expectations are set well in advance.
During this phase, as a penetration tester, you need to take time to understand your client's requirements and goals. For example, why is the client performing a penetration test? Was the client compromised? Is the client performing the penetration test purely to meet a compliance requirement, or does the client intend to perform remediation on the findings? Talking to the client and understanding their business goals will help you plan and scope your penetration test so that any sticky situation can be avoided.
The pre-engagement phase consists of a few additional components that you need to consider.

Scoping

This component defines what will be tested. Here, the key is finding a balance between time, cost, and the goals of the business. It's important to note that everything agreed upon during scoping must be clearly documented and all legal implications must be considered.
During this component, you will ask questions such as the following:
  • What is the number of IP address ranges or systems that will be tested?
  • Does the ...