Comprehensive penetration test. What is penetration testing? Implementing an attack on a web application

Penetration testing combines methods that examine a system's weaknesses and then tests, analyses and proposes remediation. It follows a structured procedure carried out step by step. The seven steps of penetration testing are:

Planning and preparation

Planning and preparation begins with defining the goals and objectives of penetration testing.

The client and tester define the goals jointly, so that both parties share the same objectives and understanding. Common penetration testing objectives are:

  • Identify vulnerabilities and improve the security of the technical systems.
  • Have IT security confirmed by an external third party.
  • Improve the security of the organisational and HR infrastructure.

Reconnaissance

Reconnaissance is the analysis of the preliminary information. Often the tester has little beyond that initial information, i.e. an IP address or a block of IP addresses. The tester begins by analysing what is available and, if necessary, asks the client for additional information such as system descriptions, network plans, etc. This step is, in effect, a passive penetration test: its only goal is to obtain complete and detailed information about the systems.

Discovery

At this point the penetration tester will typically use automated tools to scan the target assets for vulnerabilities. These tools usually carry their own databases with information about the latest vulnerabilities. During discovery the tester performs:

  • Network discovery: finding additional systems, servers and other devices.
  • Host discovery: identifying the open ports on those devices.
  • Service interrogation: probing the ports to identify the services actually running on them.

Information and risk analysis

In this phase the tester analyses and evaluates the information gathered so far, before the active stage in which the system is actually penetrated. Because of the number of systems and the size of the infrastructure, this can take a long time. In the analysis the tester weighs the following:

  • The specific objectives of the penetration test.
  • The potential risks to the system.
  • The estimated time needed to assess each potential security flaw in the subsequent active penetration testing.

From the list of identified systems, the tester may then choose to test only those that show potential vulnerabilities.

Active intrusion attempts

This is the most important step and must be carried out with due care. It establishes which of the potential vulnerabilities found in the discovery phase pose real risk, and it is performed whenever potential vulnerabilities need to be verified. For systems with very high integrity requirements, the potential vulnerabilities and risks must be weighed carefully before critical clean-up procedures are run.

Final analysis

This step first reviews all the steps taken so far and assesses the vulnerabilities found in terms of the risk they pose. The tester also recommends how to eliminate the vulnerabilities and risks. Above all, the tester must ensure that the tests and the vulnerabilities discovered are documented transparently.

Report preparation

Report preparation should begin with the general testing procedure and then analyse the vulnerabilities and risks. High risks and critical vulnerabilities should be prioritised, followed by those of lower severity.

When documenting the final report, the following should be included:

  • A general overview of the penetration test.
  • Detailed information about each step and the information collected during the test.
  • Detailed information about all detected vulnerabilities and risks.
  • Steps for cleaning up and fixing the systems.
  • Proposals for future security.

Every business owner, IT specialist and ordinary computer user has encountered cyber threats at least once. In the modern world they are becoming increasingly powerful, capable of causing enormous damage not only to businesses but also to the state.

There are two categories of hackers:

White hats work to ensure security and counter illegal intrusions.

Black hats break the law, steal personal data and empty bank accounts.

Our team will conduct tests to find vulnerabilities in your corporate office network, your websites and your applications. Using social engineering, we can also identify the most poorly protected departments in your company and recommend how to strengthen their protection.

What is included in pentesting (security test)?

Company security testing may include:

  • External network and perimeter analysis
  • Pentest (penetration test)
  • Internal network testing
  • Vulnerability search and exploitation
  • Social engineering
  • Testing the company's websites
  • Testing the company's mobile applications
  • Test report and recommendations

The exact list of tests is determined at the negotiation stage, after studying the client’s needs.

Penetration testing cost

  • External corporate network testing: price on request
  • Penetration testing (pentest): price on request
  • Testing web and mobile applications: price on request
  • Social engineering: price on request
  • Turnkey security test: price on request
  • Cybercrime investigation: price on request


IMPORTANT

“Unfortunately, most often companies begin to think about information security when they have already suffered. Hackers don’t care about the size of your company and its turnover, they care about the number of companies hacked.”

Protect your company from cyber threats!

So what is a pentest?

Testing is a search, and penetration testing is one of the most in-depth and effective kinds of search: it looks for the greatest possible number of points and areas, of varying degrees of vulnerability, through which third-party resources and users could penetrate. Such intrusions may be carried out maliciously or indirectly in order to gain entry or obtain certain data.

It can be carried out on its own or as part of a regular or one-off testing programme, to build effective protective measures against the widest possible range of third-party attacks and intrusions.

Causes of system vulnerability

A loss of security can occur at any stage of a system's operation, and in every case it stems from factors such as:

  • design errors,

  • incorrect configuration, such as choosing a poorly functioning combination of software and hardware for the system,

  • security flaws in the system's network connectivity; the more secure the network connection, the lower the likelihood of harm and of malicious activity reaching the system,

  • the human factor: malicious or accidental errors in the design, use or maintenance of a network, whether by an individual or a team,

  • the communication component: unprotected transfer of confidential data,

  • unreasonably high system complexity; it is always easier to keep control of a system's security than to track the channels through which data leaks from it, and both are far easier in simple, functional systems than in complex ones,

  • lack of knowledge: inadequate professional security training among the specialists who directly or indirectly use the system.

Testing is different from vulnerability assessment

Although they share a purpose, namely finding issues and producing the most secure software product possible, they work differently.

Penetration testing is live testing, carried out both manually and with highly specialised tools, which emulates malicious activity in order to identify areas of vulnerability.

Vulnerability assessment, by contrast, carefully examines workflows to identify possible gaps through which data could escape during certain kinds of attack. It finds the areas vulnerable to attackers and so establishes the overall security level of the system under test; the weaknesses identified are then corrected and eliminated.

Thus vulnerability assessment is an established workflow, whereas penetration testing works “according to the situation”, with the common goal of pressing the system as hard as possible to expose gaps in its protection.

What is it for?

It allows you to find and fix gaps in the security of the software you use. This is proactive work to prevent harmful third-party intrusion, whatever its goals and whatever level it operates at, and it helps build the most competent protection against expected, not just existing, threats from outside.

Such testing allows you to:

  • find weaknesses and vulnerabilities in the system before they are exposed to external attack and lead to data leakage. This is a good alternative to frequent system updates, which affect the compatibility and performance of a system previously tuned without them in mind; it is better to control updates than to roll them out uncontrolled;

  • evaluate the security controls put into operation. This gives developers a realistic assessment of their competence and of their compliance with current security standards. Penetration testing also identifies business risks and other aspects of protection that may be weakened in the trade-off between existing and newly activated software components, and it makes it possible to structure and prioritise the work of reducing and eliminating the detected risks and the impact of possible threats;

  • identify risks in order to improve existing security standards.

Testing process

Penetration testing today can be carried out using many techniques, but the main and most commonly preferred ones are:

Manual testing is carried out according to the following procedure:

  • planning: careful collection of data on the requirements, scope and purpose of the upcoming test, taking the existing level of protection into account. Specific areas whose protection is to be tested, the kind of impact planned and other requirements for the test may also be specified here,

  • reconnaissance: gathering and accumulating data on the system's own, third-party and combined protective mechanisms, needed to target and organise attacks on specified components or on the system as a whole, with the goal of making the test as effective as possible. It comes in two varieties, passive and active: the first is carried out without actively affecting the system, the second is its complete opposite,

  • analysis of the results: this stage identifies the most vulnerable points, which will be used for further active penetration into the system,

  • exploitation of the results: based on the identified points of “easy penetration” through the protection, a prepared attack is carried out on the software, in the form of both external and internal attacks. External attacks threaten the system from outside: direct external threats to the system and targeted attempts at unauthorised access to the data it is meant to protect are emulated. Internal attacks are the second stage, beginning after successful penetration from outside; their further goals are broad and varied, but the main one is compromising the system that has been penetrated,

  • the results of exploitation make it possible to identify the objective of each identified threat and determine its potential effect on the internal business processes of the system as a whole and of its individual components,

  • the conclusion is a block of documentation of the work carried out and the results obtained, describing the potential threats and the extent of their negative impact if their goals are achieved.

Testing with automated tools is not only effective but also very useful when highly specialised tools are used. It is convenient, takes minimal time, and produces “crystal clear” conclusions about the work done.

The list of the most popular tools includes Nessus, Metasploit, Nmap, OpenSSL, Wireshark and w3af; Linux security distributions bundle many more interesting and functional tools.

Choose tools that meet your needs, judged for example by:

  • practicality of installation, use and further maintenance,

  • ease of scanning,

  • the level of automation in identifying vulnerabilities,

  • the ability to test previously discovered areas that are weak against external attack,

  • the ability to produce detailed, simple reports on the work performed and the results obtained.

A combination of the above methods. This is the optimal penetration testing method, since it combines the advantages of both and is as fast and detailed as possible.

Types of penetration tests

They are divided by the tools used and the objects tested:

  • social or human, involving people who can obtain the necessary information remotely or locally and make sense of it,

  • application, used to identify security flaws in software; several web offerings and specialised services of the service under test or of third-party sources are examined at the same time,

  • network, identifying the possibility of unauthorised access or penetration by an unauthorised user,

  • client side, covering special applications installed on the client's website or in the client's application,

  • remote access, carried out by testing a VPN or a similar component that provides legitimate access to the system,

  • wireless, aimed at testing wireless applications, services and their tools.

Test methods are also classified by the approach taken, which distinguishes:

  • white box, where the tester has access to data about the functions and tools of the system under test. This makes the work as effective and productive as possible, since such information lets the tester understand the intricacies and features of the system and therefore test it with maximum immersion,

  • black box, which gives access only to basic or high-level information about the system. The tester feels more like a hacker than an employee operating from within the system. The high labour intensity of this method demands time, thorough knowledge and experience, so there is a high probability of missed or incomplete testing,

  • grey box: limited access to system information, sufficient to create a simulated external attack.

Limits of penetration testing

There are many limitations on the scope of such testing; the main ones are:

  • a short time period combined with a high initial cost,

  • a limit on the number of tests per unit of time,

  • the possibility that a penetration attempt fails on the system side,

  • the high sensitivity of the data obtained.

Conclusion

Modern hackers have a constantly updated set of programs and effective tools for carrying out attacks, so they often break into systems of interest with the direct intention of compromising the network or exploiting its resources. Penetration testing is in this case the most effective tool for detecting vulnerabilities in any security system, and it allows you to minimise the potential of external threats to the software as a whole.


The last couple of years have been rich in events that have sharply increased public interest in hacker attacks: the scandal over the hacking of the US Democratic Party's systems, the disabling of energy infrastructure and of the systems of the Ukrainian Ministry of Finance and Treasury, ransomware that not only encrypts files but also halts industrial and medical equipment, Mirai, a giant botnet of household devices that left half of the USA and Liberia without connectivity, attackers gutting banks en masse like wolves among defenceless sheep... Even SWIFT is under attack! Hackers have gone from movie geeks to part of the everyday reality of billions of people.

It is quite natural that business today invests primarily in practical security, as opposed to formally meeting regulatory requirements with minimal means. And it is just as natural for a business to want to check how effectively the security system it has built protects it against the online sharks.

This time we decided to focus exclusively on the practical aspects of information security (IS) related to computer attacks and direct protection against them. Hacking performed by “white hats”, i.e. specialists who legally imitate the actions of attackers, is called a “penetration test” (pentest). This term covers several areas of security research, each with its own specialists. In this article we will look at what a pentest is, why it is needed, and where the line between a hacker attack and penetration testing lies.

Pentest is essentially one of the types of information security audit. And this is its main difference from real hacking. The hacker is looking for the shortest route to control the victim's systems. If a hole is found on the perimeter, the attacker focuses on consolidating and developing the attack inward. And a pentester who has been ordered to perform external network testing must scrupulously examine host after host, even if a whole bunch of holes have already been found. If the hosts are of the same type (for example, 1000 identical workstations), the researcher, of course, can make a control sample, but it is unacceptable to skip fundamentally different systems. This is probably the easiest way for the customer to identify a low-quality pentest.

Pentest does not replace a full-fledged information security audit. It is characterized by a narrowly focused view of the systems under study. Pentest essentially deals with the consequences, and not the causes, of information security deficiencies. Why carry it out at all? When the industry produces a new model of military equipment, engineers carefully calculate the properties of the armor and the characteristics of the weapons, but during military acceptance the equipment is still rolled out to the training ground, fired at, blown up, etc. Experiment is the criterion of truth. Pentest allows us to understand whether our information security processes are built as well as we think, whether our security systems are reliable, whether the configuration on the servers is correct, whether we understand the path that a real hacker will take. Thus, one may get the impression that pentesting is necessary for companies that have already invested heavily in information security. In theory this is true, but in practice it is often quite different.

I came up with the following pentest formula:

Research is the most obvious part of a pentest. Just like in the movies: strange guys in hoodies destroy IT defenses at night. In reality, everything is often somewhat more prosaic, but this image allows pentesters not to comply with the corporate dress code.

Reporting is usually not a penetration tester's favourite part of the job, but it is critically important. The customer must receive a detailed description of all successful and unsuccessful penetration attempts, a clear description of the vulnerabilities and, very importantly, recommendations for eliminating them. For the last part it is sensible to involve specialised information security staff, because knowing how to break something does not at all mean knowing how to fix it correctly and safely in the reality of a corporate IT infrastructure.

And the last component, for which the entire pentest is often organised, is the show. Such an audit is an order of magnitude ahead of any other in terms of clarity, especially for non-professionals. It is the best way to demonstrate the shortcomings of information security to the company's management in a form accessible to non-specialists. A brief (couple of pages) executive summary containing a scan of the CEO's passport, the title page of a confidential report and the customer base can bring more benefit to the company's information security than the entire 200-page report that follows. This is why pentests are often ordered by companies that have not really dealt with information security before, where the business, and often IT, do not understand the seriousness of the existing risks.

Test parameters

Pentests can be classified in many different ways. We will focus only on those that have practical value when configuring a pentest for yourself.

The goal of the attack set by the customer can vary greatly from pentest to pentest. “Just hack us” usually means seizing control of the IT infrastructure (domain administrator rights, network equipment) and compromising business systems and confidential information. There are also narrowly targeted pentests. For example, as part of certification against the PCI DSS card data security requirements, the purpose of the annual mandatory pentest is to compromise card data. Here the bank's network may be completely captured on the very first day of work, but if the last bastion with the secret data does not fall, the organisation will pass the test.

The model of knowledge about the system determines the starting position of the penetration tester. It ranges from complete information about the system (white box) to none at all (black box). Often there is also a middle option (grey box), when, for example, a pentester imitates the actions of an unprivileged user who has some data about the system: an ordinary clerk, a partner company, a client with access to a personal account and so on. White box is more of an audit than a classic pentest. It is used when security in a narrow area needs to be studied in detail; for example, a new customer portal is being tested, and the researcher is given all the information on the system, often including the source code. This helps to study the system in detail but hardly simulates real attacks. Customers of black box pentests want a complete simulation of an attack by a hacker who has no insider information about the system.

The knowledge model strongly overlaps with the concept of the intruder model. Who is attacking us: an external hacker, an insider, an administrator? This division is very arbitrary. From a technical point of view, compromising the workstation of an ordinary user or contractor instantly turns an external hacker into an internal intruder.

The level of awareness of the information security staff determines who knows about the work being carried out and in what detail. Often, in addition to the equipment, the personnel are also tested, so the work is coordinated by the information security or IT director, and the administrators believe they are fighting real hackers, if, of course, they notice the attack at all. Such cyber exercises make it possible to assess not only the presence of vulnerabilities in the systems but also the maturity of the information security processes, the level of interaction between departments, etc. The exact opposite is imitating the actions of an attacker in order to train the defence systems. In this case the pentester works in a small area while the administrators record the reaction of the security tools and IT systems, adjust settings, prepare rules for the SIEM, etc. For example, a situation is simulated in which a hacker has already penetrated a closed segment. How will he escalate his privileges on the systems? The pentester works through all the attack vectors known to him, one by one, to train the security systems as completely as possible.
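The "train the defences" exercise described above ends with rules the blue team can run over its logs. As an added example that is not part of this article, here is one such SIEM-style rule written in plain Python: it replays failed logons and flags two patterns the article's scenarios produce, password spraying (one source trying many accounts) and brute force (one source hammering one account), each over a sliding time window. The log format, thresholds, IP addresses and user names are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (one logon attempt per line):
#   <ISO timestamp> auth: <FAIL|OK> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

WINDOW = timedelta(minutes=5)
SPRAY_MIN_USERS = 5   # distinct accounts failing from one source inside WINDOW
BRUTE_MIN_FAILS = 8   # failures against one account from one source inside WINDOW


def parse_failures(lines):
    """Group failed logons by source IP as time-sorted (timestamp, user) pairs."""
    by_src = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["result"] != "FAIL":
            continue  # malformed lines and successes do not feed the counters
        by_src[m["src"]].append((datetime.fromisoformat(m["ts"]), m["user"]))
    for events in by_src.values():
        events.sort()
    return by_src


def max_distinct_in_window(events, window, key):
    """Sliding window over time-sorted (ts, user) pairs: the largest number of
    distinct key(index, user) values that fall inside any span of `window`."""
    counts = defaultdict(int)
    best = lo = 0
    for hi, (ts, user) in enumerate(events):
        counts[key(hi, user)] += 1
        while ts - events[lo][0] > window:
            k = key(lo, events[lo][1])
            counts[k] -= 1
            if counts[k] == 0:
                del counts[k]
            lo += 1
        best = max(best, len(counts))
    return best


def detect(lines):
    """Return SIEM-style alerts for password spraying and brute force, ordered by source."""
    alerts = []
    for src, events in sorted(parse_failures(lines).items()):
        # Spray: count distinct user names in the window.
        users = max_distinct_in_window(events, WINDOW, lambda i, u: u)
        if users >= SPRAY_MIN_USERS:
            alerts.append({"type": "password_spray", "src": src, "users": users})
        # Brute force: count every failure (key = event index) per user in the window.
        per_user = defaultdict(list)
        for ts, user in events:
            per_user[user].append((ts, user))
        for user, ev in sorted(per_user.items()):
            fails = max_distinct_in_window(ev, WINDOW, lambda i, u: i)
            if fails >= BRUTE_MIN_FAILS:
                alerts.append({"type": "brute_force", "src": src, "user": user, "fails": fails})
    return alerts


# Constructed sample: one spray, one brute-force run, one user who mistyped twice.
SAMPLE_LOG = [
    f"2024-03-01T08:00:{i:02d} auth: FAIL user={u} src=203.0.113.7"
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"], start=1)
] + [
    f"2024-03-01T09:10:{i * 5:02d} auth: FAIL user=admin src=198.51.100.4" for i in range(9)
] + [
    "2024-03-01T10:00:00 auth: FAIL user=alice src=10.0.0.12",
    "2024-03-01T10:00:07 auth: FAIL user=alice src=10.0.0.12",
    "2024-03-01T10:00:15 auth: OK user=alice src=10.0.0.12",
    "this line is not an auth event",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The sliding window is what makes the rule usable in practice: a fixed five-minute bucket would miss a run that straddles the bucket boundary, and counting without any window would fire on a month of ordinary typos. The two thresholds are the knobs the exercise is meant to tune; successes are deliberately ignored here, although a spray followed by a success from the same source is the variant most worth a high-severity alert.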

Types of attacks

There are as many classifications of attack types as there are pentesters. Below I give the classification of the basic attacks that we use. Of course, the most complete pentest is an attack in every possible direction, but the limits of budget, time, scope and the pentest's tasks force you to choose.

An external infrastructure pentest is an analysis of the network perimeter from the Internet. The pentester tries to compromise the reachable network services and, if possible, to develop the attack inside the network. Many believe this imitates a real attack aimed at penetrating a company's network from outside. In fact, attackers today get past the network perimeter in 80–90% of cases using social engineering methods: there is no need to break down the fortress walls if there is a wonderful tunnel underneath them. Nevertheless, there are often holes here too. For example, we recently carried out work for a large aircraft plant during which, already at the stage of automated analysis, the scanner guessed the password for the remote-control system of the industrial control system (APCS). The negligence of a contractor who had forgotten to disable remote access allowed the attacker to increase the pressure in pipelines carrying technical fluids by an order of magnitude. With everything that entails, literally and figuratively.

A pentest is like an examination at the dentist: it is better to conduct it regularly to prevent problems in the early stages.

Shadow IT

Intrusions often come through systems that fall outside IT's radar. All the servers on the perimeter have been updated, but IP telephony or the video surveillance system has been forgotten, and the hacker is already inside. For infrastructure that has fallen out of the administrators' sight there is a special term: Shadow IT. Gartner estimates that by 2020 up to a third of all hacks will involve Shadow IT. In our opinion this is an entirely realistic estimate.

For example, one day our pentester found unpatched call-centre systems on the perfectly protected perimeter of a bank, through which all the bank's main automated systems were completely compromised within two days. It turned out that it was not the IT department that was responsible for them but the telephony operators. In another case, the entry point for a pentest was a receptionists' network completely isolated from the corporate one. Imagine the customer's surprise when, a couple of days later, the pentester reported that the network had been completely captured. He had compromised an unpatched printer, uploaded a shell to it and gained access to the printer management VLAN. Having compromised all the printers, the pentester gained access to every office segment of the company.

An internal infrastructure pentest simulates the actions of an insider or of an infected node inside the network. The network must be built so that the compromise of individual workstations or servers does not lead to a complete collapse of the defences. In fact, in more than half of the cases in our practice, no more than one working day passes from the rights “access to a network socket” to “domain administrator”.

A company's network can be very large, so in some cases the customer should clearly define the attack targets for the pentester, for example access to SAP and to financial documents marked “Confidential”. This lets the pentester spend his time more efficiently and simulate a real targeted hacker attack.

Web resources are a separate world from the point of view of pentesting, with a huge range of technologies and specific attacks. Of course, “the web” could be taken to mean anything reachable over the network; here we mean websites, portals and specific APIs accessible from the network. Practice shows that, on average, analysing a company's entire network perimeter takes less time than one website, especially if it has interactive elements, a personal account, etc. This area is experiencing a real boom, driven mainly by the development of e-business by banks and the mass entry of retail onto the Internet.

The main results of an attack on a web resource are usually the compromise of data from the DBMS and the possibility of attacking clients (for example, various kinds of XSS are found on the websites of every second bank). A little less often, compromising a web server allows penetration into the company's network itself, though if the data sought has already been compromised this may not be necessary for the attacker.

When analysing the web it is important to check not only the technical part but also the logic of operation and the implementation of business functions. You can still sometimes get a 99% discount in an online store or use someone else's bonus points by slightly modifying the request to the server in the address bar.

Attacks on the web can also be carried out inside the network, because the security of internal resources is usually not considered; in reality, though, most hackers attack the infrastructure first, since that is the shortest path to domain administrator. They turn to the web when nothing else has worked or when they need to get into isolated network segments.
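The 99% discount in the paragraph above is a business-logic flaw: the server trusts numbers the client sent back to it. As an added example, not code from this article or from any shop, here is a checkout handler that computes the charge from the query string the way such a vulnerable store does, beside a hardened version in which the client may only name a SKU, a quantity and a discount code, and every price and percentage is resolved from server-side tables. The catalogue, discount codes, quantity bound and query-string field names are constructed for the example; `urllib.parse.parse_qs` is the standard-library parser.

```python
from urllib.parse import parse_qs

# Constructed server-side catalogue: SKU -> unit price in cents.
CATALOGUE = {"sku-101": 4999, "sku-202": 1500}
# Constructed discount codes actually issued by the business: code -> percent off.
DISCOUNT_CODES = {"WELCOME10": 10}
MAX_QTY = 100


class CheckoutError(ValueError):
    """Raised when a request does not match what the server is willing to sell."""


def parse_query(query: str) -> dict:
    """Flatten an address-bar query string into single string values."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def vulnerable_checkout(query: str) -> int:
    """Amount to charge, in cents, trusting price and discount from the client.

    The shop rendered unit_price and discount_pct into the link, so the server
    uses whatever comes back, including values a user typed in by hand.
    """
    p = parse_query(query)
    unit_price = int(p.get("unit_price", "0"))
    qty = int(p.get("qty", "1"))
    discount_pct = int(p.get("discount_pct", "0"))
    return unit_price * qty * (100 - discount_pct) // 100


def hardened_checkout(query: str) -> int:
    """Amount to charge, in cents, with every number resolved server-side.

    The client may only name things (a SKU, a discount code) and say how many;
    prices and percentages come from server-side tables and inputs are bounded.
    Client-supplied unit_price / discount_pct fields are simply ignored.
    """
    p = parse_query(query)

    sku = p.get("sku")
    if sku not in CATALOGUE:
        raise CheckoutError(f"unknown sku {sku!r}")

    try:
        qty = int(p.get("qty", "1"))
    except ValueError:
        raise CheckoutError("quantity is not an integer") from None
    if not 1 <= qty <= MAX_QTY:
        raise CheckoutError("quantity out of range")

    total = CATALOGUE[sku] * qty

    code = p.get("discount_code")
    if code:
        if code not in DISCOUNT_CODES:
            raise CheckoutError("invalid discount code")
        total = total * (100 - DISCOUNT_CODES[code]) // 100

    return total


def checkout_rejected(query: str) -> bool:
    """True if the hardened handler refuses the request (helper for checks)."""
    try:
        hardened_checkout(query)
    except CheckoutError:
        return True
    return False


if __name__ == "__main__":
    tampered = "sku=sku-101&qty=2&unit_price=4999&discount_pct=99"
    print("vulnerable charges:", vulnerable_checkout(tampered))  # cents
    print("hardened charges:  ", hardened_checkout(tampered))
```

Note that the vulnerable handler also accepts a negative quantity, which turns a purchase into a credit; the hardened one rejects it because the bound is checked on the integer, not on the string. The same rule generalises to every field the client should not be trusted with: shipping cost, currency, loyalty-point balances, and the account a bonus is charged to.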

Growing interest in DDoS resistance testing has been especially noticeable in the last couple of years. Information about major attacks constantly appears in the press, but it is not limited to them: in online retail, for example, attacks occur almost continuously during peak sales before the holidays. What to do about primitive attacks that exhaust the communication channel or server resources by sending huge volumes of traffic is generally clear. It is more interesting to study a resource's resistance to application-level attacks. Even one client generating a relatively small number of specific requests to a website can bring it down; for example, specific queries in the site's search field can completely kill the back end.

Social engineering, i.e. using human inattention, carelessness or lack of training to break in, has become the most popular way of penetrating a company's network today.

Moreover, many believe there is no real defence against it. The term covers a huge number of techniques, including fraudulent messages by e-mail, telephone and in-person contact to gain access to a facility or its systems, scattering flash drives with malicious attachments near the victim company's office, and much more.

Attacks on Wi-Fi are mistakenly lumped in with internal pentesting. If your smartphone does not pick up the corporate Wi-Fi outside the entrance, that is no guarantee attackers cannot reach it: a $100 directional antenna from eBay allowed us to carry out work from more than a kilometre away from the access point. In pentesting, Wi-Fi is not always treated as a point of entry into the network; more often it is used to attack users. For example, a pentester parks at the entrance to an enterprise before the start of the working day and brings up a network with the same name (SSID) as the corporate Wi-Fi. The devices in employees' bags and pockets try to join the familiar network and transmit… their domain login and password for authentication. The pentester then uses these leaks to get into users' e-mail, VPN servers, etc.
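The car-park scenario above is visible from the defender's side: the impostor network advertises the corporate SSID from a BSSID the company does not own, usually with a different security mode. As an added example, not from this article, here is the core of a wireless-intrusion check that runs over a scan export and flags beacons that claim a corporate SSID (including look-alikes differing only in case or whitespace) but come from unknown access points or with the wrong security mode. The inventory, policy and scan records are constructed; the field names mirror what wireless scanners commonly export but are an assumption here.

```python
import unicodedata

# Constructed inventory: SSID -> set of BSSIDs (AP MAC addresses) the company operates.
KNOWN_APS = {"CorpWiFi": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}
# Constructed policy: the security mode each corporate SSID must advertise.
REQUIRED_SECURITY = {"CorpWiFi": "WPA2-Enterprise"}


def normalise_ssid(ssid: str) -> str:
    """Fold case, surrounding whitespace and Unicode compatibility forms so
    look-alike names collapse onto the corporate one."""
    return unicodedata.normalize("NFKC", ssid).strip().casefold()


def find_rogue_aps(observations):
    """Return one alert per suspicious BSSID that looks like a corporate SSID.

    Each observation is a dict with ssid, bssid, channel, rssi and security.
    Unrelated networks (the coffee shop next door) are ignored.
    """
    corporate = {normalise_ssid(s): s for s in KNOWN_APS}
    alerts, seen = [], set()
    for obs in observations:
        key = normalise_ssid(obs["ssid"])
        if key not in corporate:
            continue
        official = corporate[key]
        bssid = obs["bssid"].lower()
        reasons = []
        if obs["ssid"] != official:
            reasons.append(f"look-alike SSID {obs['ssid']!r}")
        if bssid not in KNOWN_APS[official]:
            reasons.append(f"unknown BSSID {bssid}")
        if obs["security"] != REQUIRED_SECURITY[official]:
            reasons.append(f"security {obs['security']} instead of {REQUIRED_SECURITY[official]}")
        if reasons and bssid not in seen:     # report each rogue radio once
            seen.add(bssid)
            alerts.append({
                "bssid": bssid, "ssid": obs["ssid"], "channel": obs["channel"],
                "rssi": obs["rssi"], "reasons": reasons,
            })
    return alerts


# Constructed scan: two real APs, one impostor seen twice, one look-alike, one neighbour.
SAMPLE_SCAN = [
    {"ssid": "CorpWiFi", "bssid": "00:11:22:33:44:01", "channel": 36, "rssi": -48, "security": "WPA2-Enterprise"},
    {"ssid": "CorpWiFi", "bssid": "00:11:22:33:44:02", "channel": 44, "rssi": -60, "security": "WPA2-Enterprise"},
    {"ssid": "CorpWiFi", "bssid": "DE:AD:BE:EF:00:01", "channel": 6, "rssi": -35, "security": "WPA2-Personal"},
    {"ssid": "corpwifi ", "bssid": "de:ad:be:ef:00:02", "channel": 11, "rssi": -70, "security": "WPA2-Enterprise"},
    {"ssid": "CorpWiFi", "bssid": "de:ad:be:ef:00:01", "channel": 6, "rssi": -36, "security": "WPA2-Personal"},
    {"ssid": "CoffeeShop", "bssid": "aa:bb:cc:dd:ee:ff", "channel": 1, "rssi": -80, "security": "OPEN"},
]

if __name__ == "__main__":
    for alert in find_rogue_aps(SAMPLE_SCAN):
        print(alert["bssid"], alert["channel"], alert["rssi"], "; ".join(alert["reasons"]))
```

A strong signal on an unexpected channel is exactly the car-park pattern. Detection is the second line of defence, though: the leak in the article only works if client devices are willing to hand their domain credentials to any radio announcing the right name, so the enterprise Wi-Fi profile pushed to laptops and phones should pin the authentication server's certificate and refuse to connect to other SSIDs automatically.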

The analysis of mobile applications is made easier for an attacker by the fact that they can simply be downloaded from the store and examined in detail in a sandbox, with the source code recovered. For ordinary web resources one can only dream of such luxury, which is why this attack vector is so popular today. Mobile clients are now very common, and not only among banks and retailers. They are released everywhere, and security is the last thing their makers think about.

Conventionally, the study of a mobile application can be divided into three components: analysis of the recovered source code for security holes, study of the application in a sandbox, and analysis of how the application interacts with the server (packet contents, the API, vulnerabilities of the server itself). We recently had a case in which the server-side API of a mobile banking application worked in such a way that it was possible to construct a packet that transferred an arbitrary amount of money from any bank account to any other account. And this was not research before the application's launch: it had long been in production. Many fraud schemes today are also implemented through mobile applications, since anti-fraud is forgotten even more often than information security.

It is not entirely correct to consider source code analysis a pentest, especially if the customer hands over the source code for review. This is more of a white-box application security audit. However, this work is often carried out in conjunction with pentesting to achieve a higher level of vulnerability detection, so it is worth mentioning here. A pentest allows you to confirm or refute flaws found during code analysis (after all, in a specific infrastructure not every security problem can actually be exploited). This significantly reduces the number of false positives that plague code analysis, especially automated analysis. At the same time, code analysis often finds holes that the pentester did not suspect.

In our experience, code analysis of mobile applications and web services is most often ordered, as they are the most susceptible to attacks.

A pentest is like a dental check-up: it is better to do it regularly so that problems are caught at an early stage.

Pentest limitations

The main restrictions that distinguish a pentest from a real attack, and make life harder for white hats, are the criminal code and ethics. For example, a pentester most often cannot attack the systems of the customer’s partners, employees’ home computers, or the infrastructure of telecom operators, and does not use intimidation, threats, blackmail, bribery and other very effective methods of criminals in social engineering. This makes the results of a successful penetration within the framework of a “clean” pentest all the more convincing. If your pentester breaks the law as part of his work, think ten times about whether you should allow such a person near your key systems.

Finally

A pentest, like a medical examination, is recommended by most standards to be carried out at least once a year. It is also a good idea to periodically change the specialists who carry out the work, to avoid a narrowing of perspective and to assess security from different angles; after all, any specialist or team develops a specialization of one kind or another.

Pentesting means time, expense and stress for security professionals, but it is hard to find a more vivid and realistic way to assess the security of an IT infrastructure. In any case, it is better for a contracted specialist to find the hole than for a hacker: the former often ends, for the information security service, with additional funding for security, and the latter with a search for a new job.

Penetration testing is a method of assessing the security of a company's IT infrastructure through authorized simulation of attacks by intruders.


The preservation of confidential information and the company’s reputation depend on how reliably the IT infrastructure is protected from attackers. That is why it is so important to check its security in practice. Often even the optimal set of security tools has incorrect configuration settings, which leads to vulnerabilities and increases the likelihood of threats being realized.

Penetration testing work is aimed at:

Obtaining an independent and comprehensive assessment of the current level of security.

Obtaining an independent assessment of employees' awareness of information security issues.

During the work, external and internal security analysis and testing using social engineering methods are carried out.

Problems solved when conducting security analysis:

  • Identification of information security vulnerabilities and methods of their exploitation.
  • Checking the possibility of penetration from external networks into the local computer network.
  • Development of recommendations to improve the level of security by eliminating identified vulnerabilities.

If actions (for example, exploitation of certain vulnerabilities) may lead to a failure in the operation of the resources under study, then such work is carried out only after additional approval. If necessary, depending on the selected work scenario, after testing, work is carried out to eliminate the negative impact on resources.

If during the security analysis work a decision is made about the need to immediately eliminate the identified vulnerabilities, then the following actions are taken:

  • recording the results of vulnerability exploitation (in the form of screenshots, recording of specialist actions, system operation logs, etc.)
  • determining the need and agreeing on ways to eliminate the vulnerability
  • eliminating the vulnerability

Stages of testing

When performing security analysis work, universal vulnerability scanners are used to detect vulnerabilities in applications, operating systems and network infrastructure, as well as specialized software. Penetration testing work is carried out in three stages:

Stage 1 – external security analysis:

  • Drawing up a plan for conducting an external security analysis and agreeing it with the working group

Stage 2 – internal security analysis:

The work is carried out at the customer's site.

  • Drawing up an internal security analysis plan and agreeing it with the working group
  • Analysis of results, preparation of a report and its approval by the working group

Stage 3 – testing using social engineering methods:

The work is carried out remotely using external data networks (Internet).

  • Drawing up a testing plan using social engineering methods and agreeing it with the working group
  • Analysis of results, preparation of a report and its approval by the working group

Conducting an external security analysis

The purpose of this stage of work is to test the attacker’s ability to gain unauthorized access to resources and confidential information.

Security analysis is carried out using a “black box” model (lack of authorized access, initial configuration data and information security measures used).

As part of an external security analysis, the following types of work are performed:

  • collection of publicly available information about external resources accessible from external data networks
  • searching for vulnerabilities of resources and their infrastructure components using security scanners and specialized software

In the process of searching for vulnerabilities, the presence of, among other things, the following main types of vulnerabilities is checked:

  • cross-site scripting
  • cross-site request forgery
  • open redirect
  • incorrect error handling that provides additional information about the system under test
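Of the vulnerability types listed above, open redirect is the one most often introduced by a well-meaning "return to this page after login" parameter. The following is an added example, not code from the page or from any vendor: it shows the naive check that lets the bug through beside a hardened one. The host names shop.example and evil.example, the ALLOWED_HOSTS set and the sample targets are constructed for illustration.

```python
"""Open-redirect validation for a post-login 'next' parameter.

Added example, not part of the original page. The host names
shop.example / evil.example and the sample targets are constructed.
"""
from urllib.parse import urlsplit

# Assumed: the only hosts this site is allowed to send users back to.
ALLOWED_HOSTS = {"shop.example", "www.shop.example"}


def naive_is_safe(target: str) -> bool:
    """The usual mistake: a leading '/' looks like a local path, but
    '//evil.example/' is a scheme-relative absolute URL and the browser
    will happily leave the site."""
    return target.startswith("/")


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` stays on one of our own hosts."""
    if not target or any(ch in target for ch in "\r\n\x00"):
        return False  # CR/LF/NUL: header injection or parser confusion
    # Browsers treat backslashes like slashes in the authority part, so
    # normalise '/\evil.example' before parsing it.
    normalized = target.replace("\\", "/")
    parts = urlsplit(normalized)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, and other non-web schemes
    if parts.netloc:
        # Absolute or scheme-relative URL: the host must be ours, and the
        # userinfo trick 'https://shop.example@evil.example/' must not pass.
        return (parts.hostname in allowed_hosts
                and parts.username is None
                and parts.password is None)
    # No authority part: accept a single-slash-rooted path only.
    return normalized.startswith("/") and not normalized.startswith("//")


def redirect_target(requested: str, default: str = "/") -> str:
    """What the login handler should actually redirect to."""
    return requested if is_safe_redirect(requested) else default
```

Rejecting rather than sanitising is deliberate: a rejected target falls back to a known-safe default instead of trying to repair attacker-controlled input, and the allow-list of hosts lives in one place where a reviewer can see it.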

Conducting an internal security analysis

The purpose of this stage of work is to test the attacker’s ability to gain unauthorized access to resources and confidential information.

Security analysis is carried out using a “gray box” model (providing authorized access to systems).

As part of the internal security analysis, the following types of work are performed:

  • collecting data on the infrastructure (network services, operating systems and application software of external resources) and identifying vulnerabilities using specialized software and universal security scanners
  • searching for vulnerabilities of the Customer’s resources and their infrastructure components using security scanners and specialized software
  • exploitation of identified vulnerabilities using specialized software and manually to determine the relevance of identified vulnerabilities and the possibility of obtaining design documentation for software product components and confidential information

In the process of searching for vulnerabilities, the presence of, among other things, the following main types of vulnerabilities is checked:

  • code injection (for example, SQL injection, operating system command injection)
  • insecurely implemented authentication and session management procedures
  • cross-site scripting
  • access control errors (for example, direct references to objects containing confidential information, directory traversal vulnerabilities)
  • insecure software configuration (for example, enabled directory listings)
  • disclosure of confidential information (for example, showing a user the personal data of other users)
  • errors in restricting user access to certain functions
  • cross-site request forgery
  • incorrect error handling that provides additional information about the system under test
  • use of OS and software with known vulnerabilities
  • open redirect
  • processing of external XML entities
  • use of weak passwords for authentication
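The access control item in the list above, and the mobile banking case recounted earlier on this page (a server API that would transfer money from any account to any other), are the same defect: the server acts on whatever object id the request names without binding it to the authenticated caller. The following is an added example, not code from the page or from any bank: a funds-transfer handler without the ownership check beside a hardened one. The Ledger class, the account ids and the user names are constructed for illustration.

```python
"""Object-level access control on a funds-transfer API.

Added example, not code from the page or from any bank. The Ledger,
the account ids and the user names are constructed for illustration.
"""
from decimal import Decimal


class AuthorizationError(Exception):
    """Caller is authenticated but not allowed to act on this object."""


class ValidationError(Exception):
    """Request is malformed or violates a business rule."""


class Ledger:
    def __init__(self):
        self.owner = {}    # account id -> user id
        self.balance = {}  # account id -> Decimal

    def open_account(self, account_id, owner, balance):
        self.owner[account_id] = owner
        self.balance[account_id] = Decimal(balance)

    def transfer_unchecked(self, from_account, to_account, amount):
        """VULNERABLE: trusts every field of the request body, so any
        authenticated client can name someone else's account as the source."""
        self.balance[from_account] -= amount
        self.balance[to_account] += amount

    def transfer(self, actor, from_account, to_account, amount):
        """HARDENED: the source account must belong to the caller and the
        amount must be a well-formed positive sum the account can cover."""
        if from_account not in self.owner or to_account not in self.owner:
            raise ValidationError("unknown account")
        if self.owner[from_account] != actor:
            # The decision is made from the server-side session identity,
            # never from an owner or account id supplied in the request.
            raise AuthorizationError("caller does not own the source account")
        if from_account == to_account:
            raise ValidationError("source and destination are the same account")
        if not isinstance(amount, Decimal) or not amount.is_finite():
            raise ValidationError("amount must be a finite decimal")  # rejects NaN/Infinity
        if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
            raise ValidationError("amount must be positive with at most two decimals")
        if self.balance[from_account] < amount:
            raise ValidationError("insufficient funds")
        self.balance[from_account] -= amount
        self.balance[to_account] += amount


def demo_ledger():
    """Constructed sample data: three customers, three accounts."""
    ledger = Ledger()
    ledger.open_account("ACC-1001", "alice", "100.00")
    ledger.open_account("ACC-1002", "bob", "50.00")
    ledger.open_account("ACC-1003", "mallory", "0.00")
    return ledger


def demo_outcomes():
    """Run the same hostile request through both code paths and report balances."""
    unchecked = demo_ledger()
    # mallory names alice's account as the source; the unchecked path obeys.
    unchecked.transfer_unchecked("ACC-1001", "ACC-1003", Decimal("100.00"))

    hardened = demo_ledger()
    try:
        hardened.transfer("mallory", "ACC-1001", "ACC-1003", Decimal("100.00"))
        blocked = False
    except AuthorizationError:
        blocked = True
    hardened.transfer("alice", "ACC-1001", "ACC-1002", Decimal("30.00"))
    return {
        "unchecked_alice_balance": str(unchecked.balance["ACC-1001"]),
        "hardened_blocked_mallory": blocked,
        "hardened_alice_balance": str(hardened.balance["ACC-1001"]),
        "hardened_bob_balance": str(hardened.balance["ACC-1002"]),
    }


def rejects_amount(amount_text):
    """True if the hardened transfer refuses this amount for alice -> bob."""
    ledger = demo_ledger()
    try:
        ledger.transfer("alice", "ACC-1001", "ACC-1002", Decimal(amount_text))
    except ValidationError:
        return True
    return False
```

The point a pentester confirms in such a case is exactly the gap between `transfer_unchecked` and `transfer`: the request format is identical, only the server-side check differs, so the defect is invisible to a client-side review of the app and shows up only when the API is exercised directly.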

Conducting testing using social engineering methods

The purpose of this stage of work is to assess the awareness of customer employees in information security issues.

As part of social engineering testing, attacks are carried out on customer employees in the following scenarios:

  • Phishing: the attack is carried out via email. Example: an employee is sent a link, on behalf of the company, to a “new and very useful service” for his work. The letter describes the service and how exactly it should help this particular employee, and asks him to check whether everything works correctly. The work is aimed at getting the employee to visit the service and try to register with his domain credentials.
  • Trojan horse: the attack is carried out via email. Example: an employee is sent an executable file; the content of the letter varies with the employee’s position (a contract for a manager, a list of bugs for a programmer, and so on). The work is aimed at getting the employee to launch the program on his local computer and at recording the fact that it was launched.
  • Telephone attack: the attack is carried out through a phone call. The work is aimed at gaining the employee’s trust with a plausible cover story and then eliciting confidential information or credentials. Example of a cover story: “A new technical support employee is doing his first task, deploying a service, and needs to check that it works correctly. He asks the employee for help: either to log in himself or to tell him his username and password.”
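The phishing scenario above has a recognisable shape on the wire: a message that points staff at a "new internal service" whose link actually leaves the company's domains, often with the visible link text showing a trustworthy address. The following is an added example, not code from the page or any vendor product, of a link check a mail gateway or awareness team could run over a message body. The company domain corp.example, the lookalike host corp-example-portal.test and both sample messages are constructed.

```python
"""Link check for the phishing pattern described above.

Added example, not part of the original page. The company domain
corp.example, the lookalike host and both sample messages are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: domains the company actually owns. Anything else is external.
COMPANY_DOMAINS = ("corp.example",)


def host_is_internal(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in COMPANY_DOMAINS)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_links(html):
    """Return [(href, [reasons])] for links a reviewer should look at."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlsplit(href)
        reasons = []
        if target.scheme not in ("http", "https"):
            reasons.append("unexpected scheme: %s" % (target.scheme or "none"))
        elif not host_is_internal(target.hostname):
            reasons.append("link leaves company domains: %s" % target.hostname)
        if target.scheme == "http":
            reasons.append("cleartext http link")
        # Classic trick: the visible text is a URL on our domain, the href is not.
        if text.lower().startswith(("http://", "https://")):
            shown = urlsplit(text).hostname
            if shown and shown != (target.hostname or "").lower():
                reasons.append("displayed host %s differs from real host %s"
                               % (shown, target.hostname))
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample messages: one genuine announcement, one lure.
LEGIT_MAIL = """<p>Hi, the new timesheet portal is live:
<a href="https://portal.corp.example/login">https://portal.corp.example/login</a></p>"""

PHISH_MAIL = """<p>Please verify the new service works for you:
<a href="http://corp-example-portal.test/sso">https://portal.corp.example/</a></p>"""
```

The check is deliberately heuristic: it does not decide that a message is malicious, it surfaces the links whose real destination a human should look at, which is the same thing the awareness training behind this test stage asks employees to do by hand.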

Analysis of results

The result of the work is a report containing the following information.

The basic tools used to check the security of a system are tools for automatically collecting system data and penetration testing. We propose to consider the principle of operation of such tools using the example of the Rapid7 Metasploit product from Rapid7, one of the leading manufacturers of analytical solutions for information security, which is highly rated by influential research and consulting companies, including Gartner and Forrester.

Introduction

Penetration testing (pentest) is one of the most effective methods for assessing the quality of a security system. It is carried out with the aim of identifying vulnerabilities in the IT infrastructure, demonstrating the possibility of exploiting them, and preparing recommendations for eliminating them. Testing is carried out at the initiative of the information system owner and is aimed at preventing information security incidents, which are often accompanied by financial and reputational losses, unpleasant explanations with clients and representatives of partner organizations, and other undesirable consequences.

In the Russian Federation, a significant factor determining the need to conduct penetration testing is regulatory requirements. The regulators consider checking the effectiveness of the protection system an extremely important measure, and relevant provisions are included in the regulatory and methodological documents. First of all, it is appropriate to mention the regulatory documents that cover a significant number of information systems: orders of the FSTEC of Russia No. 17 and 21.

These documents define a protection measure in the form of “testing the information security system by attempting unauthorized access (influence) to the information system, bypassing its information security system” at the certification stage. Certification of information systems, which involves checking the effectiveness of the security system, is also in demand for information systems that process state secrets.

On an international scale, it is worth noting the Payment Card Industry Data Security Standard (PCI DSS). Compliance with PCI DSS is mandatory for all organizations involved in the processing of Visa and MasterCard payment cards: merchants, processing centers, acquirers, issuers and service providers, as well as all other organizations that store, process or transmit cardholder data and sensitive authentication data. The standard requires vulnerability analysis and penetration testing both inside and outside the information system network. External and internal penetration tests should be conducted at least once a year and after any significant modification or upgrade of the infrastructure or applications.

Penetration testing (pentest) can be performed as part of advanced training for information security specialists and the acquisition of practical skills by students who are studying in specialties related to information security, as well as for testing by information security tool developers of their own products.

Obviously, for all of these purposes, the most in demand is an integrated threat management solution that covers network security, web application security, database security and penetration testing strategies, and contains functionality sufficient both to comply with the requirements of domestic and international regulations and for use in the learning process. Such solutions include Rapid7 Metasploit, produced by Rapid7, which was founded in 2000 and is one of the leading manufacturers of products for analyzing and organizing information security in IT environments. An important advantage of Rapid7 software is that it provides visibility into the security posture of assets and users across any environment, including virtual and mobile, as well as public and private clouds.

To evaluate the Rapid7 Metasploit solution, you can use another product from the same manufacturer: the deliberately vulnerable Metasploitable demo virtual machine, based on Ubuntu Linux. The virtual machine is compatible with VMware, VirtualBox and other common virtualization platforms.

A useful feature is that Rapid7 Metasploit is compatible with the Rapid7 Nexpose vulnerability scanner: it can launch Nexpose scans and use their results.

Let's look at the general procedure for working with Rapid7 Metasploit.

How to work with Rapid7 Metasploit

In general, working with Rapid7 Metasploit consists of the following steps:

  1. Creating a project. The project contains the workspace that is used to create the penetration test and the configuration of the tasks to be performed. Each penetration test is run from its own project.
  2. Collection of information. At this stage, Rapid7 Metasploit collects information about the target network: installed OS, open ports, running hosts and processes. The Rapid7 Nexpose vulnerability scanner can also be used at this stage. During scanning, all received data is automatically saved into the project.
  3. Using exploits. The attack can be carried out manually or using an exploit database. This uses the network data obtained in step 2.
  4. Actions on a compromised system. After access is gained, the exploit's payload is used to open interactive sessions for collecting additional information. Post-exploitation modules can also be used to automatically collect passwords stored in the operating system and applications, take screenshots and webcam images, record keystrokes, collect configuration files, launch applications, and so on.

Comparison of Rapid7 Metasploit editions

Rapid7 Metasploit is available in several editions, differing in the scope of functions provided and the type of license for use. The following product editions are currently available:

  • Framework
  • Community
  • Express

The table provides information about which target functions are implemented in each edition of the product. For convenience, using different colors, the target functions are divided into groups according to their main purpose:

  • Collect data on component characteristics and network vulnerabilities.
  • Penetration testing.
  • Perform phishing tasks.
  • Testing web applications.
  • Generating reports.
  • Control.

Table 1. Comparison of Rapid7 Metasploit editions. The columns of the original table are Characteristic, Pro, Express and Community; the per-edition marks did not survive extraction, so only the characteristics compared are listed below (original English names in parentheses):

  • Importing scan data (Scan data import)
  • Discovery scanning (Discovery scan)
  • Integration with the Nexpose vulnerability management system (Nexpose scan integration)
  • Data export (Data export)
  • Manually launching exploits (Manual exploitation)
  • Web interface (Web interface)
  • Session management (Session management)
  • Credential management (Credential management)
  • Pivoting through a proxy (Proxy pivot)
  • Post-exploitation modules (Post-exploitation modules)
  • Session clean-up (Session clean up)
  • Brute-force attacks (Bruteforce)
  • Evidence collection (Evidence collection)
  • Audit report (Audit Report)
  • Activity report (Activity Report)
  • Report on compromised and vulnerable hosts (Compromised and Vulnerable Hosts Report)
  • Credentials report (Credentials Report)
  • Services report (Services Report)
  • Credential reuse (Credentials reuse)
  • Anti-virus evasion (Anti-virus evasion)
  • Evasion of intrusion detection and prevention systems (IPS/IDS evasion)
  • Session rerun (Session rerun)
  • Exploitation workflow (Exploitation workflow)
  • Task replay (Task replay)
  • Data tagging (Tagging data)
  • PCI DSS compliance report (PCI Report)
  • FISMA compliance report (FISMA Report)
  • Quick penetration test wizard (Quick PenTest Wizard)
  • Vulnerability validation wizard (Vulnerability Validation Wizard)
  • Integration with Project Sonar (Project Sonar integration)
  • Phishing wizard (Phishing Wizard)
  • Social engineering (Social engineering)
  • Web application testing wizard (Web App Testing Wizard)
  • Web application testing (Web app testing)
  • Pivoting via VPN tunneling (VPN pivoting)
  • Payload generator (Payload generator)
  • Post-exploitation macros (Post-exploitation macros)
  • Persistent sessions (Persistent sessions)
  • MetaModules (MetaModules)
  • Team collaboration (Team collaboration)
  • Task chains (Task chains)
  • Backup and restore (Back up and restore)
  • Custom reporting (Custom reporting)
  • Social engineering report (Social Engineering Report)
  • Web application assessment report (Web Application Assessment Report)

The Metasploit Framework edition stands apart because it serves as the basis for the commercial products. It is an open source project that provides access to a database of exploits for various applications, operating systems and platforms. It is controlled via the command-line interface. A Metasploit Framework user can create and add new exploits to the database or use existing ones as additional tools when performing penetration tests.

The remaining editions are commercial; they additionally implement management via a web interface and, depending on the edition, add certain functions. Mostly these additional functions are aimed at automating common testing tasks: vulnerability analysis, social engineering, payload generation and brute-force attacks.

Conclusions

Rapid7 Metasploit has a wide range of functionality. The solution can be operated either through a web interface or a command-line interface, at the user's choice; however, the full set of functions is available only through the web interface. Rapid7 Metasploit supports Windows and Linux operating systems.

A few more distinctive characteristics of Rapid7 Metasploit:

  • Possibility of choosing an edition that meets the needs of a particular case.
  • The ability to use the results of vulnerability analysis from third-party solutions.
  • Possibility of training on a specially designed vulnerable system.
  • Integration of the product (in the Framework edition) with Linux distributions:
    • Kali Linux
    • BackTrack Linux (discontinued)
    • Pentoo
    • BlackArch
    • Backbox

Rapid7 Metasploit has several operational level limitations that are worth considering:

  • Installation and subsequent correct operation of the product is possible only after disabling the firewall and antivirus.
  • It is recommended to install Rapid7 Nexpose and Metasploit on separate computers. In this case, Rapid7 Metasploit can be installed in a virtual machine.
  • The operational documentation is not fully translated into Russian; the English-language user manual can be found on the manufacturer’s website in the Metasploit section.