So, you need to run a penetration test (or “pen test”) on a client’s network? No problem. Here’s a checklist that should help you discover potential security loopholes in your customers’ networks.
The basic steps to follow are:
- Vulnerability scanning
- Vulnerability analysis to determine best attack vectors
- Vulnerability exploit attempts
- Remediation recommendations
- Final report
The goal of footprinting is to gain information that can potentially be used to successfully exploit vulnerabilities. Since hackers typically only have an IP address or a URL initially, perform an ARIN (American Registry for Internet Numbers) or WHOIS domain search to determine who owns the IP address or URL.
Go to the owner’s website and check for any email addresses listed that can provide guidance as to how user IDs are defined.
Find any executives mentioned on the website and perform both a Google search and LinkedIn profile review. Use the results to develop a custom attack database for any logins identified during the pen test.
Next, perform a vulnerability scan of the intended target IP address or URL. The results of the scan, performed by either commercial software or toolkits provided with the Certified Ethical Hacker (CEH) certification, will also list all open ports and services, as well as the operating system (OS) of the target platform.
This is critical because hackers use these open ports to enter the network and install backdoor code.
The OS of the target IP address or URL is also important, as there are always vulnerabilities attributed to the OS.
Analyze vulnerability scan results
Review the results of the vulnerability scan to determine the most appropriate attack vectors for the vulnerabilities identified.
Now, you’ll need to attempt to exploit those vulnerabilities. If you’re successful in gaining access, stop. Don’t read or write any data on the target system. Document your successful exploit via a screenshot.
Create final report
Take the results of these steps and develop a final report that includes your remediation recommendations. Be sure to include links to appropriate download sites if software downloads or patch installations are required for remediation.
It’s also important to include a summary of all vulnerability statistics and screenshots of exploit attempts.
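One way to build the statistics summary and check a report against the requirements above (a patch link wherever a download is needed, a screenshot for every successful exploit). This is an added example, not part of the original checklist; the finding fields, hosts and URLs are constructed assumptions rather than the output of any particular scanner.

```python
from collections import Counter

# Constructed sample findings (not from a real scan); field names are assumptions.
FINDINGS = [
    {"host": "192.0.2.10", "port": 443, "service": "https", "severity": "high",
     "needs_patch": True, "fix_url": "https://vendor.example/patch-1",
     "exploited": True, "screenshot": "evidence/192.0.2.10-443.png"},
    {"host": "192.0.2.10", "port": 22, "service": "ssh", "severity": "medium",
     "needs_patch": False, "fix_url": None, "exploited": False, "screenshot": None},
    {"host": "192.0.2.20", "port": 445, "service": "smb", "severity": "critical",
     "needs_patch": True, "fix_url": None, "exploited": True, "screenshot": None},
    {"host": "192.0.2.20", "port": 80, "service": "http", "severity": "low",
     "needs_patch": True, "fix_url": "https://vendor.example/patch-2",
     "exploited": False, "screenshot": None},
]

SEVERITY_ORDER = ["critical", "high", "medium", "low"]

def summarize(findings):
    """Vulnerability statistics for the report's summary section."""
    by_sev = Counter(f["severity"] for f in findings)
    ports = {}
    for f in findings:
        ports.setdefault(f["host"], set()).add(f["port"])
    return {
        "total": len(findings),
        "by_severity": {s: by_sev.get(s, 0) for s in SEVERITY_ORDER},
        "open_ports": {h: sorted(p) for h, p in ports.items()},
        "exploited": sum(1 for f in findings if f["exploited"]),
    }

def report_gaps(findings):
    """Findings that do not yet meet the checklist's reporting requirements."""
    gaps = []
    for f in findings:
        where = f"{f['host']}:{f['port']}"
        if f["needs_patch"] and not f["fix_url"]:
            gaps.append((where, "missing download/patch link"))
        if f["exploited"] and not f["screenshot"]:
            gaps.append((where, "missing exploit screenshot"))
    return gaps

if __name__ == "__main__":
    print(summarize(FINDINGS))
    for where, problem in report_gaps(FINDINGS):
        print(f"INCOMPLETE {where}: {problem}")
```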
For added impact, we recommend developing a companion PowerPoint presentation that highlights work performed, vulnerability results, critical areas to address and all recommendations for remediation.
Ingram Micro can help you perform network assessments like this one, as well as web security assessments, wireless network assessments, network threat assessments, social engineering test assessments and many more.
Those who perform security assessments with Ingram Micro are all CEHs, and your entire project—including the final report and companion PowerPoint presentation—can be white labeled if desired.
For a complete list of what’s available, contact your Ingram Micro Professional Services team or go to https://ingrammicrolink.com/services-portfolio.