Effective management of penetration tests
One of the most difficult aspects of penetration testing is making sure that every relevant part of the target network or system is tested, and being able to confirm afterwards that a given host or component was actually tested, rather than trying to remember it once the engagement is over.
BackTrack 5r3 (BT 5r3) emphasized the use of management tools such as Dradis and MagicTree. These tools facilitate group testing by providing a central repository for test data. In addition, they usually provide a framework so that testers know where they are within a testing methodology and which tests remain to be completed. Tools of this nature are excellent for coordinating defined group activities during a vulnerability assessment or penetration test.
These tools remain in the Applications | Kali Linux | Reporting Tools | Evidence Management menu.
But what about complex penetration tests where the methodology may be more fluid as it adapts to the network target?
Some testers run a keylogger or Wireshark during testing to record the keystrokes and packet traffic they generate. This data is especially useful if the testing causes a network or application outage: replaying and analyzing the captured packets can identify which tool, and which specific packets, impacted the target.
Kali Linux includes several tools that are better suited to making rapid notes and serving as a repository for cut-and-paste data gathered during the test, including KeepNote and the Zim desktop wiki.
Testers not only need to perform tests and collect data, they also need to present their findings to the client. This can be difficult because some results are transient: a test demonstrates a finding at one point in time, then something changes on the target system and later testing fails to reproduce the exploitable vulnerability, even though it may re-emerge.
The other challenge with positive results is that they need to be demonstrated to a client in a way that's understandable.
The golden rule is to always grab a screenshot of any positive, or potential, finding. Use a tool such as Shutter to capture images from the desktop.
By default, Kali is configured with CutyCapt, a cross-platform command-line utility that renders a web page and saves the result in a variety of formats, including PDF, PS, PNG, JPEG, TIFF, GIF, and BMP.
For example, to create an image of a specific size from the Google search page, enter the following from a command-line prompt:
cutycapt --url=http://www.google.com --out=google.png --min-width=300 --min-height=250
On execution, an image of at least the size specified in the previous command is written to google.png, as shown in the following screenshot:
CutyCapt is especially useful when demonstrating the presence of web-based vulnerabilities such as cross-site scripting, because it captures the rendered page as a client browser would display it, including the effect of any injected content.
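Because findings can be transient, a screenshot on its own is weak evidence unless it is tied to a time and cannot be quietly altered later. The following is an added example, not code from the book or from CutyCapt: it wraps the CutyCapt options used above (--url, --out, --min-width, --min-height) in a small helper and records every captured artifact in a manifest with a UTC timestamp and a SHA-256 hash, so a client can be shown when the finding was observed and that the image has not been modified since. The evidence directory, file names, target and finding text are hypothetical and exist only for illustration; the sample input the verification step relies on is constructed, and cutycapt itself is only invoked if it is on PATH.

```python
# Added example (not from the book): a timestamped, hashed evidence log for
# screenshots and other artifacts captured during a test. The CutyCapt flags
# are the real ones used on this page; paths, target and finding text are
# hypothetical and chosen for illustration.
import hashlib
import json
import shutil
import subprocess
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large PNG/PDF captures are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def capture_page(url, out_file, min_width=1024, min_height=768):
    """Render url to out_file with CutyCapt using the same flags as the command above.

    Returns True only if cutycapt ran successfully and the output file exists,
    so a caller never logs an artifact that was not actually produced.
    """
    if shutil.which("cutycapt") is None:
        return False
    cmd = ["cutycapt", f"--url={url}", f"--out={out_file}",
           f"--min-width={min_width}", f"--min-height={min_height}"]
    rc = subprocess.run(cmd, check=False).returncode
    return rc == 0 and Path(out_file).is_file()


def record_evidence(manifest, artifact, target, finding, notes=""):
    """Append one JSON line describing an artifact to the manifest and return it."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "target": target,
        "finding": finding,
        "artifact": str(artifact),
        "sha256": sha256_of(artifact),
        "notes": notes,
    }
    with open(manifest, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify_manifest(manifest):
    """Re-hash every logged artifact; return the entries that are missing or altered."""
    problems = []
    for line in Path(manifest).read_text(encoding="utf-8").splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        path = Path(entry["artifact"])
        if not path.is_file() or sha256_of(path) != entry["sha256"]:
            problems.append(entry)
    return problems


if __name__ == "__main__":
    # Hypothetical evidence directory and finding, for illustration only.
    evidence_dir = Path("evidence")
    evidence_dir.mkdir(exist_ok=True)
    manifest = evidence_dir / "manifest.jsonl"
    shot = evidence_dir / "google-search-page.png"
    if capture_page("http://www.google.com", shot, 300, 250):
        record_evidence(manifest, shot, target="www.google.com",
                        finding="example capture of the search page")
    if manifest.is_file():
        print("altered or missing artifacts:", verify_manifest(manifest))
```

Run verify_manifest at report-writing time and again before delivery; any entry it returns points at an image that was edited or lost after capture, which is exactly the evidence a client will challenge.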
Static images can be very useful; however, a video of an exploit that compromises a target network and shows the actions of the attacker as they access sensitive data is a very compelling tool. The Istanbul screen recorder creates a video of an "exploit in progress", which allows the exploit to be replayed for training purposes or to demonstrate the vulnerability to the client.