Welcome, Guest: Register On Nairaland / LOGIN! / Trending / Recent / NewStats: 3,151,045 members, 7,810,864 topics. Date: Saturday, 27 April 2024 at 05:15 PM |
Nairaland Forum / Nairaland / General / Crime / Importance Of Penetration Testing (1043 Views)
Certificate Of Penetration / 19-Year-Old Boy Impregnates His Mother In Asaba, Delta While Testing Love Charm / We Had Sex But No Penetration - Doctor Accused Of Raping Patient Says (2) (3) (4)
(1) (Reply)
Importance Of Penetration Testing by jasonsmit9818: 5:24pm On Mar 27, 2020 |
The [vulnerabilities][https://www.avanturebytes.com/penetration-testing-services] scan allows identifying weaknesses in the evaluated system, based on the details obtained during the previous phases; the objective is to identify the most effective attack method and anticipate the type of information that will be obtained when the vulnerability found is exploited. You should take the same approach that a real attacker would take, viewing the organization as a potential adversary and trying to inflict as much damage as possible on it. There are different methods to discover vulnerabilities, as well as there, are different automated tools that can help in this phase. Here are some techniques that can be used to discover vulnerabilities: Check the software version: It is one of the most common techniques, identifies the version number, and compare it with the lists of free vulnerable versions for free in different security sites. At this point, you should also check for patches and upgrades applied that could eliminate the vulnerability. Here the free tools Nmap and a map could be used. Check the communication protocol version: The software version probably does not contain vulnerabilities, but could use some network protocol with security problems. Verify the configuration: It is necessary to analyze the different accesses that could be given, remote, local and with different types of privileges, it is not enough to analyze if there is a default configuration, it is necessary to check if the configurations applied by the administrator are enough to avoid security issues. Exploit execution: Exploits can be executed without knowing the current vulnerabilities, based on the prestige of the exploit and the information obtained during the previous phases. This technique can be dangerous as it could cause system damage, including denial of service. However, it is possible to represent a technique very close to what would happen if they were subjected to real attacks. On the other hand, there are automatic tools that allow the identification of vulnerabilities, among the most common are the following: 1. Nessus: It is a tool with a commercial and free option, it has the advantages of creating different scan profiles depending on the type of evaluation required and the site from which the tests are run. Nessus generates reports categorizing the vulnerabilities found according to impact and associates an identifier for each one of them that facilitates the search for information related to the exploitation. 2. OpenVas: It is another free software option that has flexibility in the application of different evaluation profiles, it is a client-server tool, despite not being as "friendly" as Nessus, it is an excellent option to verify the vulnerabilities found by other tools. It is the most exciting part of running penetration tests and the one that makes it different from a vulnerability scan, often incorrectly called "vulnerability analysis," where you only go to the previous stage, only the vulnerabilities are found without checking if they can be exploited. This stage will depend on the results obtained in the previous stages so that each test will be different according to the existing services and the current vulnerabilities. At this stage, different actions can be carried out as a result of exploitation, to mention a few: Copy files to the target Copy files from the target View confidential traffic Reconfigure the target Install software Take full control Cause denial of service Use one goal to reach another Obtain passwords There are a vast number of tools to exploit vulnerabilities; there are sites where independent exploits can be found, and there are complete attack frameworks, one of the most useful and essential is Metasploit, which contains hundreds of exploits applicable to different operating systems, to different services. And in different versions, it contains three types of interfaces that facilitate execution. On the other side, on the target, you can see a fault in the system. The example shown above is only a small part of what a pentester does when checking vulnerabilities, there are other tools for exploitation, some commercial and some free, it is necessary to make a combination of the different tools. On the other hand, in some cases, the exploit does not exist to check specific vulnerabilities, so it is necessary to generate it, for which there are also different tools and frameworks, including Metasploit again. The final and most crucial stage is the creation of the report of findings since it is in this phase where it is communicated what was done, how it was done and how the organization can eliminate the vulnerabilities detected during the analysis, so it is great importance to generate reports with the highest possible quality. The format of a report can be very variable, but here are some points that must be presented: Table of Contents Executive Summary Methodology used Findings ordered according to impact Detailed evidence including screenshots of the find It is recommended to present the evidence hierarchically, since taking as the fact that all vulnerabilities must be eliminated, some may represent a more significant impact on the organization, so an immediate solution is a priority. It is possible to believe that the report is not important when an internal pentest is carried out, but it is necessary to have a log that stores the history of the security problems that have been encountered, this could help to solve problems in the future. To conclude, it is necessary to say that the task of a pentester is not easy, but it is decisive for a good security strategy, so it is advisable to carry out internal evaluations and periodically request professional services.
|
Re: Importance Of Penetration Testing by sapientia(m): 7:44pm On Mar 27, 2020 |
1. You went and copied a computer stuff 2. You pasted it in the wrong section. 3. You can still make copied stuffs appealing to be read. |
Re: Importance Of Penetration Testing by CirocBoi(m): 7:45pm On May 05, 2020 |
If we ask you how to install Nessus...u dnt know... Nessus is A-okay but Nmap is your friend...... Mr copy and paste!!!! |
(1) (Reply)
Unlock Bet9ja Ticket / Nigerian Youth Investment Fund, Scam Alert! / Police Release Photos Of Boyfriend Who Conspired With Friends To Beat His Girlfr
(Go Up)
Sections: politics (1) business autos (1) jobs (1) career education (1) romance computers phones travel sports fashion health religion celebs tv-movies music-radio literature webmasters programming techmarket Links: (1) (2) (3) (4) (5) (6) (7) (8) (9) (10) Nairaland - Copyright © 2005 - 2024 Oluwaseun Osewa. All rights reserved. See How To Advertise. 24 |