Introduction

It certainly seems that over the past few years the security ramifications of online activity have begun to permeate the national consciousness. Mainstream media have begun to take an interest in and glamorize the compromises that have taken place. Even Hollywood has movies about hacking, the latest being Warner Brothers' Swordfish starring John Travolta, Halle Berry, and Hugh Jackman as the world's foremost hacker.

Despite the growing level of interest in this field, there is still little known about the actual issues involved in securing networks and electronic assets. Many people consider anti-virus software used to defend against Internet e-mail viruses to be the cure-all for every variety of information security threat. Viruses are a big problem, no doubt, potentially leading to huge losses in terms of lost productivity and corrupted intellectual assets. However, cyber crime (hacking) can be much more than the release of an e-mail attachment that proclaims love (the I LOVE YOU virus) or promises sexy pictures (the Anna Kournikova virus) to all the friends and business associates of unsuspecting victims.

The true dangers of cyber crime are of far greater consequence. Individuals with technical knowledge of networks and networking devices can steal sensitive information (for example, U.S. troop deployments from Department of Defense computers, source code for new software products, medical records) or money (through online access to bank accounts or credit card numbers used with online retailers) or conduct a host of juvenile pranks (erasing backup files recording the last six months of activity, raising the temperature in buildings, turning off phone systems).

While these may seem to be scare tactics used to get people to spend time, energy, and good money on unnecessary things, that is, unfortunately, not the case. The threats are real. They are evident in the latest “Computer Crime and Security Survey” by the Computer Security Institute and the Federal Bureau of Investigation and in news reports of cases of identity theft and firms facing the realization that they are being blackmailed by a hacker who has their customer list (including credit card information).

Given this burgeoning interest in keeping networks free from hacking minds, there has naturally been greater interest in taking steps to ensure networks are secure. One such step is to perform a professional penetration test, also called attack and penetration or ethical hacking. There are various parts of the security industry, namely those people who provide security consulting services (also called professional services), those who develop and market security products, and finally those who are managed security service providers (MSSPs).

MSSPs provide outsourced security monitoring and management of all or parts of a network in exchange for a retainer. Firewalls, intrusion detection systems, audit logs, and virus scanners can all be managed by an MSSP. The developers of security products include commercial interests, a large open-source community, and smaller groups of black hat hackers who aim to create tools to automate the network analysis and review process. Such tools include firewalls, intrusion detection systems, auditing tools, virus scanners, vulnerability scanners, network mappers, network sniffers, encryption tools, password crackers, banner grabbers … the list goes on. In addition, tools and scripts, such as denial-of-service exploits, that aid in the compromise of networks are also frequently developed and released. Naturally, this latter set of tools generally comes from the domain of open-source or black hat developers, while commercial interests stick to more benign offerings.

Penetration-testing services are a component of consulting services. Consulting services also include the development of security policies and procedures, the performance of security vulnerability and risk analysis of networks, and the design and implementation of security solutions (such as a firewall solution, a public key infrastructure, a single sign-on solution, or an IDS solution) and a host of related services. The goal of security consulting services, especially for penetration testing, is to improve or augment the security posture of a network or system.

“And he that breaks a thing to find out what it is has left the path of wisdom.”

--Gandalf the Grey, from The Fellowship of the Ring, Volume 1 of The Lord of the Rings by J.R.R. Tolkien

This sentiment applies to penetration testing. Our testing does not intend to and never should actually cripple or compromise a network. However, testing must detect as many ways to do so as possible. The findings or results of the testing are aimed at improving the security posture of a network by presenting countermeasures for the vulnerabilities identified. The process is simple: take a few white hat hackers, give them black hats for a short period of time, and let them try to figure out all the possible ways a system can be compromised. Then, take the black hats away and have them report on their findings—to the client, not to the general Internet hacker community.

This book focuses on presenting a method for performing penetration testing. In doing so, we do not discuss other consulting services available. And while we do discuss in some detail the tools we use for penetration testing, this work should not be considered a comprehensive review of the security products available in the market today. We also do not address the burgeoning MSSP field, though we briefly discuss it in the final chapter on future trends.

We, the authors, share a connection with the professional services firm Ernst & Young LLP. We attest that the ideas and opinions presented throughout this work are not necessarily those of Ernst & Young but solely the critical analysis based on our years of field experience.

Truth be told, much of the information presented here can be found in various places on the Web, in newsgroups, in e-mail distribution lists, or at other destinations on the Internet (a listing is presented in Chapter 22). Those who believe writing such a book is dangerous since it may result in teaching people how to hack do not see the value in improving security through testing and measuring defenses against the techniques of opponents. Hackers already know how to hack and have the time and energy to research (and develop) hacking techniques. The good guys, who are busy battling the day-to-day fires of maintaining the corporate network, do not have the luxury of this time and cannot perform this level of research. We hope this book will be a tool for the good guys. It consolidates and organizes the information already available to the hacker community so that security professionals can arm themselves in the security battle.

We hope you find this text as useful to read as it was challenging for us to write. We are glad to provide our knowledge and intelligence on penetration testing. How you choose to use it is of your own volition. Remember: Penetration testing without permission is illegal—a point we hope this text makes clear.

Happy reading.
