SlideShare a Scribd company logo

WTF is Penetration Testing

NetSPI, profile picture
NetSPI

Penetration testing, or "pen testing", involves evaluating systems to identify vulnerabilities by simulating attacks from an unauthorized user. Companies pen test to comply with regulations, validate security controls, identify unknown issues, and prevent breaches. Tests are conducted by internal employees, security analysts, consultants or third parties according to a rules of engagement. Skills needed include technical skills like administration, programming and tools, as well as soft skills like communication. Common tools are used to test networks and applications, while understanding techniques and technologies is most important. Pen testing can be a career path involving internal security roles or consulting.

Technology
Related topics:
Penetration-Testing
1 of 22
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
WTF is Penetration Testing? An Overview of Who, What, Where, When, and Why Scott Sutherland Ryan Wakeham
• Scott Sutherland Principle Security Consultant NetSPI • Ryan Wakeham Director of Consulting NetSPI Who are we?
Presentation Overview • What is a “pen test”? • Why do companies “pen test”? • Who does “pen testing”? • What skills are required? ‒ Non Technical Skillset ‒ Basic Technical Skillset ‒ Offensive and Defensive Knowledge • What are some Common Tools? • Pen Testing as a Career • Attack Demo: SQL Inject World • Questions
What is Penetration Testing? Our Definition: “The process of evaluating systems, applications, and protocols with the intent of identifying vulnerabilities from the perspective of an unprivileged or anonymous user to determine the real world impact…” “…legally and under contract”
Why do Companies Pen Test? • Compliance Requirements • Validate Existing Controls • Identify Unknown Security Gaps • Prioritize Existing Security Initiatives • Prevent Data Breaches • Test IDS / IPS / IRP
What are the Technical Objectives? • Client specific objectives first • Identify and verify all entry points • Identify critical escalation points • Gain unauthorized access to: ‒ Application functionality ‒ Critical systems ‒ Sensitive data
Assessment VS. Penetration • Vulnerability Assessment and Penetration Testing Answer: ‒ What are my system layer vulnerabilities? ‒ Where are my system layer vulnerabilities? ‒ How wide spread are my system layer vulnerabilities? ‒ Can I identify attacks? ‒ How do I fix my vulnerabilities?
Assessment VS. Penetration • Penetration Testing Answers: ‒ What are my high impact network layer issues? ‒ What are my high impact application layer issues? ‒ Can an attacker gain unauthorized access to: • critical infrastructure that provides privileged access or cause service disruptions • critical application functionality that the business depends on • sensitive data that the business would be required to report on if a breach occurs ‒ Can an attacker bypass our IPS / WAF? ‒ Can an attacker pivot from environment A to environment B?
Common Penetration Test Approach • Kickoff: Scope, cost, testing windows, risks etc • Information Gathering • Vulnerability Enumeration • Penetration • Escalation • Evidence Gathering (Pilfering) • Clean up • Report Creation • Report Delivery and Review • Remediation
Who Conducts Pen Testing? • Internal Employees • Security Analyst • Security Consultant • Third Parties • Audit Firms • Security Consultants
Rules of Engagement • Have fun, but…Hack Responsibly! • Written permission • Stay in scope • No DoS • Don’t change major state • Restore state • Clear communication
What Skills are Needed? • Non Technical • Basic Technical • Offensive • Defensive • Common Tools
Non Technical Skillset • Written and Verbal Communications • Emails/phone calls • Report development • Small and large group presentations • Professionalism • Respecting others, setting, and meeting expectations • Troubleshooting Mindset • Never give up, never surrender • Where there is a will, there is a way • Ethics • Don’t do bad things • Pros (career) vs. Cons (jail) • Hack responsibly
Basic Technical Skillset • Windows Desktop Administration • Windows Domain Administration • Linux and Unix Administration • Network Infrastructure Administration • Application Development • Scripting (Ruby, Python, PHP, Bash, PS, Batch) • Managed languages (.Net, Java, Davlik) • Unmanaged languages (C, C++)
Offensive and Defensive Knowledge • System enumeration and service fingerprinting • Linux system exploitation and escalation • Windows system exploitation and escalation • Network system exploitation and escalation • Protocol exploitation • Web application exploitation (OWASP) • Reverse engineering client-server applications + AV Evasion • Social engineering techniques (onsite, phone, email)
Common Tools There are hundreds of “hacker” tools. Generally, you need to have enough knowledge to know what tool or tool(s) is right for the task at hand…. …and if one doesn’t exist, then create it.
Common Tools That being said…
Common Tools • Knowledge > Tools • Understand the core technologies • Understand the core offensive techniques • Understand the core defensive techniques • Network Penetration Testing • BT, CAIN, YERSINIA, NCAT, NMAP, NESSUS, NEXPOSE, WCE, MIMIKATZ, AirCrack-ng, METASPLOIT… and NATIVE TOOLS! • Application Penetration Testing • BURP, ZAP, NIKTO, DIRBUSTER, SQLMAP, SQL Ninja, and BEEF…. and commercial tools
Pen Testing as a Career: Common Paths • Internal Paths • Help Desk • IT Support • IT Admin • Security Analyst • Senior Security Analyst • Internal Consultant • CISO • Security Consulting Paths • Internship • Consultant • Senior Consultant • Principle Consultant • Team Lead • Director Security consultants often end up in malware research or exploit development, but some go corporate. Internal employees often stay internal.
Pen Testing as a Career: How to Start • Read and learn! – There is no “end” • Tap into the community! • Research and Development • Contribute to open source projects • Present research at conferences • Training and Certifications • Community: DC612, OWASP, Conferences, etc • Professional ($): SANS, OffSec, CISSP, etc • Volunteer • Internships
BE SAFE and HACK RESPONSIBLY
Questions Questions, comments, curses?

More Related Content

PPT
Thick client application security assessment
Sanjay Kumar (Seeking options outside India)
 
PDF
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
NetSPI
 
PDF
Client-Side Penetration Testing Presentation
Chris Gates
 
PPTX
NETWORK PENETRATION TESTING
Er Vivek Rana
 
PDF
Ch 6: Attacking Authentication
Sam Bowne
 
PPTX
Security hole #5 application security science or quality assurance
Tjylen Veselyj
 
PPTX
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
PPT
Penetration testing, What’s this?
Dmitry Evteev
 
Thick client application security assessment
Sanjay Kumar (Seeking options outside India)
 
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
NetSPI
 
Client-Side Penetration Testing Presentation
Chris Gates
 
NETWORK PENETRATION TESTING
Er Vivek Rana
 
Ch 6: Attacking Authentication
Sam Bowne
 
Security hole #5 application security science or quality assurance
Tjylen Veselyj
 
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
Penetration testing, What’s this?
Dmitry Evteev
 

What's hot (20)

PDF
The Web Application Hackers Toolchain
jasonhaddix
 
PDF
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
Denim Group
 
PPTX
Automated tools for penetration testing
devanshdubey7
 
PDF
Ethical Hacking & Penetration Testing
Won Ju Jub
 
PPTX
External to DA, the OS X Way
Stephan Borosh
 
PDF
Defcon 22-tim-mcguffin-one-man-shop
Priyanka Aash
 
PPTX
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
PPTX
Lateral Movement - Phreaknik 2016
Xavier Ashe
 
PDF
Lateral Movement: How attackers quietly traverse your Network
EC-Council
 
PPT
Web attacks
husnara mohammad
 
PDF
Shmoocon 2015 - httpscreenshot
jstnkndy
 
PDF
Addios!
Chong-Kuan Chen
 
PDF
PCI and Vulnerability Assessments - What’s Missing
Black Duck by Synopsys
 
PDF
Malware collection and analysis
Chong-Kuan Chen
 
PDF
When the internet bleeded : RootConf 2014
Anant Shrivastava
 
PDF
Defcon 22-gregory-pickett-abusing-software-defined-networks
Priyanka Aash
 
PDF
The Dark Side of PowerShell by George Dobrea
EC-Council
 
PDF
Myths and Misperceptions of Open Source Security
Black Duck by Synopsys
 
PDF
Real World Application Threat Modelling By Example
NCC Group
 
PDF
RIoT (Raiding Internet of Things) by Jacob Holcomb
Priyanka Aash
 
The Web Application Hackers Toolchain
jasonhaddix
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
Denim Group
 
Automated tools for penetration testing
devanshdubey7
 
Ethical Hacking & Penetration Testing
Won Ju Jub
 
External to DA, the OS X Way
Stephan Borosh
 
Defcon 22-tim-mcguffin-one-man-shop
Priyanka Aash
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
Lateral Movement - Phreaknik 2016
Xavier Ashe
 
Lateral Movement: How attackers quietly traverse your Network
EC-Council
 
Web attacks
husnara mohammad
 
Shmoocon 2015 - httpscreenshot
jstnkndy
 
Addios!
Chong-Kuan Chen
 
PCI and Vulnerability Assessments - What’s Missing
Black Duck by Synopsys
 
Malware collection and analysis
Chong-Kuan Chen
 
When the internet bleeded : RootConf 2014
Anant Shrivastava
 
Defcon 22-gregory-pickett-abusing-software-defined-networks
Priyanka Aash
 
The Dark Side of PowerShell by George Dobrea
EC-Council
 
Myths and Misperceptions of Open Source Security
Black Duck by Synopsys
 
Real World Application Threat Modelling By Example
NCC Group
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
Priyanka Aash
 
Ad

Viewers also liked (18)

PDF
Thick Application Penetration Testing - A Crash Course
NetSPI
 
PDF
Introduction to Windows Dictionary Attacks
NetSPI
 
PDF
Declaration of Mal(WAR)e
NetSPI
 
PDF
Thick Application Penetration Testing: Crash Course
Scott Sutherland
 
PDF
All You Need is One - A ClickOnce Love Story - Secure360 2015
NetSPI
 
PDF
Fuzzing and You: Automating Whitebox Testing
NetSPI
 
PDF
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Damon Small
 
PDF
Attack All the Layers - What's Working in Penetration Testing
NetSPI
 
PPTX
Extracting Credentials From Windows
NetSPI
 
PPTX
GPU Cracking - On the Cheap
NetSPI
 
PDF
What is pentest
itissolutions
 
PDF
System of security controls
S.E. CTS CERT-GOV-MD
 
PDF
Attack All The Layers - What's Working in Penetration Testing
NetSPI
 
PDF
Penetration testing & Ethical Hacking
S.E. CTS CERT-GOV-MD
 
PPT
Open Source Tools & Data Science Competitions
odsc
 
PPTX
1114 sasaki-metadata
Felix Sasaki
 
PDF
Convegno “ Stress, molestie lavorative e organizzative del lavoro: aspetti pr...
Drughe .it
 
PPT
Como Planejar sua Campanha Promocional com Brindes | Apresentação 2 de 3
Memory Promotional Enterprise
 
Thick Application Penetration Testing - A Crash Course
NetSPI
 
Introduction to Windows Dictionary Attacks
NetSPI
 
Declaration of Mal(WAR)e
NetSPI
 
Thick Application Penetration Testing: Crash Course
Scott Sutherland
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
NetSPI
 
Fuzzing and You: Automating Whitebox Testing
NetSPI
 
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Damon Small
 
Attack All the Layers - What's Working in Penetration Testing
NetSPI
 
Extracting Credentials From Windows
NetSPI
 
GPU Cracking - On the Cheap
NetSPI
 
What is pentest
itissolutions
 
System of security controls
S.E. CTS CERT-GOV-MD
 
Attack All The Layers - What's Working in Penetration Testing
NetSPI
 
Penetration testing & Ethical Hacking
S.E. CTS CERT-GOV-MD
 
Open Source Tools & Data Science Competitions
odsc
 
1114 sasaki-metadata
Felix Sasaki
 
Convegno “ Stress, molestie lavorative e organizzative del lavoro: aspetti pr...
Drughe .it
 
Como Planejar sua Campanha Promocional com Brindes | Apresentação 2 de 3
Memory Promotional Enterprise
 
Ad

Similar to WTF is Penetration Testing (20)

PDF
WTF is Penetration Testing
Scott Sutherland
 
PDF
Application Lecurity Lectures by professor
OmarKhattab41
 
PPTX
Career In Information security
Anant Shrivastava
 
PDF
The What, Why, and How of DevSecOps
Cprime
 
PDF
AppSec in an Agile World
David Lindner
 
PPTX
WTF is Penetration Testing v.2
Scott Sutherland
 
PPTX
What is penetration testing and career path
Vikram Khanna
 
PPTX
Assessing a pen tester: Making the right choice when choosing a third party P...
Jason Broz, CIPP/US
 
PDF
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen
 
PPTX
Assessing System Risk the Smart Way
Security Innovation
 
PDF
Top Security Challenges Facing Credit Unions Today
Chris Gates
 
PPTX
Cybersecurity Frameworks and You: The Perfect Match
McKonly & Asbury, LLP
 
PPTX
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
PPTX
Just Trust Everyone and We Will Be Fine, Right?
Scott Carlson
 
PPTX
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
PDF
Apidays Helsinki & North 2024 - Security Vulnerabilities in your APIs by Luká...
apidays
 
PDF
The_Pentester_Blueprint.pdf
gcara4
 
PPTX
Starting your Career in Information Security
Ahmed Sayed-
 
PPT
Security Outsourcing - Couples Counseling - Atif Ghauri
Atif Ghauri
 
PPTX
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
ImXaib
 
WTF is Penetration Testing
Scott Sutherland
 
Application Lecurity Lectures by professor
OmarKhattab41
 
Career In Information security
Anant Shrivastava
 
The What, Why, and How of DevSecOps
Cprime
 
AppSec in an Agile World
David Lindner
 
WTF is Penetration Testing v.2
Scott Sutherland
 
What is penetration testing and career path
Vikram Khanna
 
Assessing a pen tester: Making the right choice when choosing a third party P...
Jason Broz, CIPP/US
 
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen
 
Assessing System Risk the Smart Way
Security Innovation
 
Top Security Challenges Facing Credit Unions Today
Chris Gates
 
Cybersecurity Frameworks and You: The Perfect Match
McKonly & Asbury, LLP
 
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
Just Trust Everyone and We Will Be Fine, Right?
Scott Carlson
 
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
Apidays Helsinki & North 2024 - Security Vulnerabilities in your APIs by Luká...
apidays
 
The_Pentester_Blueprint.pdf
gcara4
 
Starting your Career in Information Security
Ahmed Sayed-
 
Security Outsourcing - Couples Counseling - Atif Ghauri
Atif Ghauri
 
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
ImXaib
 

Recently uploaded (20)

PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Approach and Philosophy of On baking technology
30anthuong17
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
MYSQL Presentation for SQL database connectivity
Swati270511
 

WTF is Penetration Testing

  • 1. WTF is Penetration Testing? An Overview of Who, What, Where, When, and Why Scott Sutherland Ryan Wakeham
  • 2. • Scott Sutherland Principle Security Consultant NetSPI • Ryan Wakeham Director of Consulting NetSPI Who are we?
  • 3. Presentation Overview • What is a “pen test”? • Why do companies “pen test”? • Who does “pen testing”? • What skills are required? ‒ Non Technical Skillset ‒ Basic Technical Skillset ‒ Offensive and Defensive Knowledge • What are some Common Tools? • Pen Testing as a Career • Attack Demo: SQL Inject World • Questions
  • 4. What is Penetration Testing? Our Definition: “The process of evaluating systems, applications, and protocols with the intent of identifying vulnerabilities from the perspective of an unprivileged or anonymous user to determine the real world impact…” “…legally and under contract”
  • 5. Why do Companies Pen Test? • Compliance Requirements • Validate Existing Controls • Identify Unknown Security Gaps • Prioritize Existing Security Initiatives • Prevent Data Breaches • Test IDS / IPS / IRP
  • 6. What are the Technical Objectives? • Client specific objectives first • Identify and verify all entry points • Identify critical escalation points • Gain unauthorized access to: ‒ Application functionality ‒ Critical systems ‒ Sensitive data
  • 7. Assessment VS. Penetration • Vulnerability Assessment and Penetration Testing Answer: ‒ What are my system layer vulnerabilities? ‒ Where are my system layer vulnerabilities? ‒ How wide spread are my system layer vulnerabilities? ‒ Can I identify attacks? ‒ How do I fix my vulnerabilities?
  • 8. Assessment VS. Penetration • Penetration Testing Answers: ‒ What are my high impact network layer issues? ‒ What are my high impact application layer issues? ‒ Can an attacker gain unauthorized access to: • critical infrastructure that provides privileged access or cause service disruptions • critical application functionality that the business depends on • sensitive data that the business would be required to report on if a breach occurs ‒ Can an attacker bypass our IPS / WAF? ‒ Can an attacker pivot from environment A to environment B?
  • 9. Common Penetration Test Approach • Kickoff: Scope, cost, testing windows, risks etc • Information Gathering • Vulnerability Enumeration • Penetration • Escalation • Evidence Gathering (Pilfering) • Clean up • Report Creation • Report Delivery and Review • Remediation
  • 10. Who Conducts Pen Testing? • Internal Employees • Security Analyst • Security Consultant • Third Parties • Audit Firms • Security Consultants
  • 11. Rules of Engagement • Have fun, but…Hack Responsibly! • Written permission • Stay in scope • No DoS • Don’t change major state • Restore state • Clear communication
  • 12. What Skills are Needed? • Non Technical • Basic Technical • Offensive • Defensive • Common Tools
  • 13. Non Technical Skillset • Written and Verbal Communications • Emails/phone calls • Report development • Small and large group presentations • Professionalism • Respecting others, setting, and meeting expectations • Troubleshooting Mindset • Never give up, never surrender • Where there is a will, there is a way • Ethics • Don’t do bad things • Pros (career) vs. Cons (jail) • Hack responsibly
  • 14. Basic Technical Skillset • Windows Desktop Administration • Windows Domain Administration • Linux and Unix Administration • Network Infrastructure Administration • Application Development • Scripting (Ruby, Python, PHP, Bash, PS, Batch) • Managed languages (.Net, Java, Davlik) • Unmanaged languages (C, C++)
  • 15. Offensive and Defensive Knowledge • System enumeration and service fingerprinting • Linux system exploitation and escalation • Windows system exploitation and escalation • Network system exploitation and escalation • Protocol exploitation • Web application exploitation (OWASP) • Reverse engineering client-server applications + AV Evasion • Social engineering techniques (onsite, phone, email)
  • 16. Common Tools There are hundreds of “hacker” tools. Generally, you need to have enough knowledge to know what tool or tool(s) is right for the task at hand…. …and if one doesn’t exist, then create it.
  • 18. Common Tools • Knowledge > Tools • Understand the core technologies • Understand the core offensive techniques • Understand the core defensive techniques • Network Penetration Testing • BT, CAIN, YERSINIA, NCAT, NMAP, NESSUS, NEXPOSE, WCE, MIMIKATZ, AirCrack-ng, METASPLOIT… and NATIVE TOOLS! • Application Penetration Testing • BURP, ZAP, NIKTO, DIRBUSTER, SQLMAP, SQL Ninja, and BEEF…. and commercial tools
  • 19. Pen Testing as a Career: Common Paths • Internal Paths • Help Desk • IT Support • IT Admin • Security Analyst • Senior Security Analyst • Internal Consultant • CISO • Security Consulting Paths • Internship • Consultant • Senior Consultant • Principle Consultant • Team Lead • Director Security consultants often end up in malware research or exploit development, but some go corporate. Internal employees often stay internal.
  • 20. Pen Testing as a Career: How to Start • Read and learn! – There is no “end” • Tap into the community! • Research and Development • Contribute to open source projects • Present research at conferences • Training and Certifications • Community: DC612, OWASP, Conferences, etc • Professional ($): SANS, OffSec, CISSP, etc • Volunteer • Internships
  • 21. BE SAFE and HACK RESPONSIBLY