Lead Image © Natalia Lukiyanova, 123RF.com

Open source intelligence tools for pen testing

Private Eye

Article from ADMIN 45/2018

By James Stanger

Automating the pen test discovery process in the era of IoT, the cloud, and social media.

The activity of penetration testing has been around for decades, but the past five years or so have seen radical changes in networking, beginning with the dissolved perimeter. Remember the good days of threats "inside the firewall" and "outside the firewall?" Those days are long gone, because of the advent of the cloud and the use of mobile devices.

A second problem is radically changed endpoints. From mobile phones and new peripherals, to the cloud, to the Internet of Things (IoT), the current environment is a long way from the typical end-user PC. Today's endpoint can be the cloud, a wearable device, or a traditional PC, notebook, mobile phone, or tablet.

A third threat is social engineering. The con man has been around for thousands of years in one form or another, but the majority of successful attacks start with clever pretexting. Good pen testers know this and use it to their advantage.

Finally, you must consider social media. Hackers have focused on end users. Why? One reason is because so many are revealing nearly everything about themselves to the world.

Considering all of the changes mentioned above, it is all the more important to consider automating certain steps of the penetration test, and it is especially important to obtain accurate information about the organization you are testing. Still, the step of gathering information for a penetration test can be quite time-consuming, so given all of the changes you need to address, what can you do to speed up that process? Also, what is the relationship between the first part of the penetration test, and all of the other parts?

To begin, I talk about the hacker lifecycle and its relevance to the penetration test.