While you’re relaxing at the beach or barbecuing smoky kebabs over the weekend, unbeknownst to you nasty elements in Mumbai, Turkey, Ukraine, China, Azerbaijan, Russia, Iran, New York, Dallas etc are relentlessly plotting to do your business harm by hacking your web site, stealing customer credit card details, filching Social Security Numbers, vandalizing the web pages and ruining your livelihood.
Some hackers do their nefarious deeds for money by selling the stolen information on shady online black markets while others are in it for the thrill.
As Alfred tells Bruce a.k.a. Batman in Dark Knight:
Some men aren’t looking for anything logical, like money. They can’t be bought, bullied, reasoned, or negotiated with. Some men just want to watch the world burn.
Whether hackers are doing it for money or thrill, the damage is real.
In recent months, hackers have penetrated computer systems of Staples, Morgan Stanley, Target, UPS and countless other American companies and stolen valuable information like customer credit card details, address, social security numbers and other precious private information.
Every day brings worrisome news of a new security breach.
The U.S. Department of Homeland Security recently warned that over 1,000 U.S. retailers could have malware in their cash register computers.
Even employees of the Department of Homeland Security are not immune from the reach of malicious hackers. Media reports in August 2014 said internal records of 25,000 DHS employees containing sensitive information were exposed after a computer attack at a contractor.
Given the numerous security breaches, there’s obviously a good job market for people with solid Linux skills and expertise in penetration testing of computers and networks and who can help to to prevent the next round of attacks or mitigate its severity.
To understand penetration testing, there’s no better place to start than Professor Patrick Engebretson’s book The Basics of Hacking and Penetration Testing.
Although Professor Engebretson’s book is three-years old and the BackTrack Linux OS he describes in its pages has been succeeded by Kali Linux, it’s still a valuable primer on the subject of penetration testing.
Our below discussion on penetration testing draws from his book.
What is Penetration Testing
Simply put penetration testing refers to legally authorized attempts to exploit computers (including servers, desktops and point of sale systems) and networks to make them more secure (see chapter 1 of Prof. Engebretson’s book).
Besides testing computer systems for vulnerabilities, penetration tests will also prove that the vulnerabilities are real via proof of concept tests.
At the end of the tests, the penetration tester must provide solutions to mitigate the security weaknesses or holes he discovered during the testing process.
Penetration testing also goes by other names like pen testing, ethical hacking and white hat hacking.
Tools for Pen Tests
Penetration testing requires a special set of hacking tools.
Now there are two ways to get the tools.
You can either get the individual hacking tools one by one and install them on your computer running Linux Mint, Fedora, Ubuntu, SuSE Linux etc.
Or you get a distribution like Kali Linux which comes with all the tools you’ll need in one convenient place
I chose the second option. I had a 10-year-old HP computer (with 1GB memory) lying around.
I installed Kali Linux on the computer via the USB drive. The whole process took me about an hour.
Professor Engebretson in his book describes four steps in penetration testing:
* Reconnaissance/Information gathering
* Maintaining Access
In our next post, we’ll look at Reconnaissance or information gathering and how crucial it is to penetration testing.