7 common penetration testing mistakes and how to avoid them

In the last article we discussed penetration testing (pen test), in which we introduced its types, methods, procedures, tools and much more. In this article, we will discuss common mistakes in penetration testing.

What is penetration testing?

A penetration test, also known as a pen test, is a simulated cyber-attack on a computer system in order to verify whether exploitable vulnerabilities are present. The goal of this simulated attack is to identify weaknesses in a system’s defenses that could be exploited by attackers. A nice way to visualize things is to ask an experienced professional pentester how they feel about their job. They will undoubtedly tell you about the endless, tedious hours spent scouting or scanning, the frustration of repeatedly failing because of some small configuration error while exploiting a vulnerability, and the hopelessness and near-despair they feel when a prime target is found that seems unbeatable. But they will also tell you about the endless joy of discovering that persistence was not in vain after a nearly impossible but successful penetration. Ask any real pentester and they will tell you without a doubt that it is one of the most amazing, challenging and rewarding kinds of work – not to mention that it is also very well paid. The truth is that the road to becoming a skilled pentester is quite long and, as expected, includes a few setbacks before well-deserved success arrives. It is in this process that professionals gain most of their knowledge. Learning from one’s own failures is a very good thing, but it is much less painful to learn from other people’s mistakes.

  1. Forgetting professional ethics

The key difference between an ethical hacker and an ordinary cybercriminal, aside from the obvious difference between the ultimate goals of each party, is legality. Conducting pentests is an activity that requires a heightened level of technical skill and an even higher level of professional ethics. During this type of work, it is quite common to gain access to sensitive or confidential information, including details of security weaknesses that could expose the entire corporation to real attacks with a high level of destructive potential. So, in addition to technical expertise, a good pentester takes aspects such as confidentiality, privacy and legality very seriously.

  2. Interfering with something without proper authorization

What is the key difference between an ethical hacker and a common cybercriminal? As we mentioned earlier, pentesters are usually paid for breaking the rules. A common problem for many penetration testers starting out in this field is that, even while breaking the rules, they forget that there are rules that must be followed! For example, an inexperienced pentester, eager to demonstrate their knowledge and skills, may stop focusing on the real goals of the assessment and create situations with an impact similar to a real attack, such as a critical system crash. If the test is conducted in a non-production environment, such as a development instance, the impact may not be as great. However, it is important to keep in mind that some intrusion tests are performed in a live production environment. Sometimes, for example in a black box testing scenario, not all members of the customer’s team will know about the tests. This type of situation can be addressed by pairing pentesters with different levels of experience, but it is not always possible. So, in any situation, it is very important to remember that the rules of engagement must be formally recorded and approved by the customer. This includes:

  • defining a clear scope for evaluation,
  • an explicit indication of which systems or assets may not be affected,
  • what type of tests can be performed,
  • time windows for execution,
  • a clear communication channel for emergency situations.

  3. Lack of care for evidence
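One way to make the rules of engagement listed above enforceable rather than merely written down is to encode them and check every proposed action against them before it is taken. The following is an added example, not code from the original article: the `ROE` dict, its networks and its time window are constructed placeholders, and `check_action` is a hypothetical helper.

```python
"""Rules-of-engagement check (added example; all engagement values are constructed)."""
import ipaddress
from datetime import datetime, time, timezone

# Constructed sample engagement: scope, excluded assets, permitted test types, time window.
ROE = {
    "in_scope": ["10.10.0.0/16"],
    "excluded": ["10.10.5.0/24"],              # e.g. a production database segment
    "allowed_tests": {"recon", "vuln-scan", "exploit"},
    "forbidden_tests": {"dos"},
    "window_utc": (time(22, 0), time(4, 0)),   # overnight window that wraps midnight
}

def in_window(now: datetime, start: time, end: time) -> bool:
    """True if the UTC time of day lies in [start, end); handles windows that wrap midnight."""
    if now.tzinfo is None:                     # assume naive timestamps are already UTC
        now = now.replace(tzinfo=timezone.utc)
    t = now.astimezone(timezone.utc).time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def check_action(roe: dict, target: str, test_type: str, now_iso: str) -> tuple:
    """Return (allowed, reason). Every refusal names the rule that blocked it, so the
    decision itself can be written into the engagement evidence log."""
    ip = ipaddress.ip_address(target)
    if any(ip in ipaddress.ip_network(n) for n in roe["excluded"]):
        return False, f"{target} is on the excluded-asset list"
    if not any(ip in ipaddress.ip_network(n) for n in roe["in_scope"]):
        return False, f"{target} is outside the agreed scope"
    if test_type in roe["forbidden_tests"] or test_type not in roe["allowed_tests"]:
        return False, f"test type '{test_type}' is not authorised"
    start, end = roe["window_utc"]
    if not in_window(datetime.fromisoformat(now_iso), start, end):
        return False, f"outside the agreed time window {start:%H:%M}-{end:%H:%M} UTC"
    return True, "permitted by the rules of engagement"

if __name__ == "__main__":
    when = "2024-01-01T23:30:00+00:00"
    for tgt, kind in [("10.10.1.20", "vuln-scan"), ("10.10.5.9", "vuln-scan"),
                      ("192.168.1.1", "recon"), ("10.10.1.20", "dos")]:
        print(tgt, kind, check_action(ROE, tgt, kind, when))
```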

Collecting and adequately preserving evidence is a very important task during penetration testing; after all, it will form the basis of the final report. Throughout the pentesting process, it is important to have a clearly defined type of evidence that must be stored, including information such as:

  • what vulnerability has been successfully exploited
  • time stamp
  • examples of activities that may have been carried out (e.g. unauthorised copying or modification of files)
  • whether there was any detection by the client’s team
  • or even the number of failed attempts.
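The evidence fields listed above only have value in the final report if nobody can quietly alter them afterwards. The following added example, which is not code from the original article, stores each record with exactly those fields and chains the records with SHA-256 so that any later edit or deletion is detectable; the `record`, `verify` and `sample_log` helpers and all sample values are constructed for this illustration.

```python
"""Tamper-evident evidence log for a pentest (added example; sample data is constructed)."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# The fields the article lists, plus the link to the previous record.
FIELDS = ("finding", "timestamp", "activity", "detected", "failed_attempts", "prev_hash")
GENESIS = "0" * 64

def _digest(entry: dict) -> str:
    """Hash the canonical JSON form of the evidence fields."""
    payload = json.dumps({k: entry[k] for k in FIELDS}, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()

def record(log: list, finding: str, activity: str, detected: bool,
           failed_attempts: int, timestamp: Optional[str] = None) -> dict:
    """Append one evidence record, linked to the hash of the previous one."""
    entry = {
        "finding": finding,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "activity": activity,
        "detected": detected,
        "failed_attempts": failed_attempts,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify(log: list) -> Optional[int]:
    """Return the index of the first record whose chain link or hash is broken, or None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev or _digest(entry) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None

def sample_log() -> list:
    """Constructed three-entry log with fixed timestamps so results are reproducible."""
    log = []
    record(log, "weak SSH credentials on host A", "logged in, read /etc/passwd", False, 2,
           "2024-01-01T22:15:00+00:00")
    record(log, "SQL injection in login form", "extracted user table", True, 5,
           "2024-01-01T23:02:00+00:00")
    record(log, "outdated web server", "no exploitation attempted", False, 0,
           "2024-01-02T00:40:00+00:00")
    return log
```

`verify` is what a reviewer runs on the log shipped with the report; a non-`None` result points at the first record that no longer matches the chain.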

Collectively, all of this information is very useful in compiling a fact-based report, which brings us to another common mistake.

  4. Failure to accept that the system may in fact be secure

In fact, the intrusion test does not focus on the intrusion itself, but rather on assessing how well the target is protected against techniques used by hackers and cybercriminals. Therefore, if a target has been thoroughly tested and still shows no signs of a successful intrusion, it is perfectly acceptable to inform the customer that the system is secure. Many beginner pentesters do not have this insight and end up spending time and resources when it is no longer necessary.

  5. Relying solely on tools to get the job done

There are many tools that can make the pentester’s life easier. Software such as Nmap or Wireshark can help with recon activities such as target scanning, traffic capture and vulnerability assessment, while frameworks such as Metasploit can streamline the process of creating custom exploits. There are several free Linux distributions that are completely dedicated to penetration testing, and professional solutions that can automate most pentesting tasks. The range of solutions that a pentester can adopt is quite extensive. Of course, when performing pentests, it is important to know how to use these tools properly, but that is quite different from being solely dependent on tools to do all the work. In many cases, even the best solutions will require a skilled expert to determine what to scan or how to create a context-specific exploit. Mere familiarity with the use of hacking tools may not be enough; a resourceful pentester knows the concepts behind a penetration test. This provides a level of flexibility that helps in cases where specific software is not available.

  6. Failure to develop report writing skills

The end result of the pentest is a report that provides information on each activity performed and any findings that emerged during the process. A common mistake made by inexperienced pentesters is creating a report that is essentially the output of an automated tool. Sure, there are plenty of pentesting tools that can be very helpful throughout the process and even automate much of the report writing, but if you want to provide real value to the customer, you need to take the next step. A skilled pentester can create meaningful reports that are truly relevant to the client’s business context. This includes the ability to detail aspects such as specific laws and regulations and the different types of business impact (operational, financial, legal and reputational), and, while still providing sufficient technical detail, to explain the key findings in a way that even a non-technical person can understand. This kind of skill is in high demand when it comes to career advancement.

  7. Relying solely on self-study

As mentioned earlier, the essential characteristic of a good pentester is resilience in the face of repeated failure and the ability to learn from mistakes. Many professionals develop their talents by reading books, participating in newsgroups, or even building labs where they learn hacking techniques through trial and error. All of these methods are extremely valid, but that doesn’t mean you should rely on them alone. One way to quickly gain knowledge is by attending one of the many training courses and bootcamps in intrusion testing that are available on the market. Advice: before signing up for a course, make sure the instructors are professional pentesters with proven hands-on experience. This way you can develop a good mix of theory and hands-on learning and prepare for certifications such as EC-Council Certified Ethical Hacker (CEH) or Licensed Penetration Tester (Master), GIAC Penetration Tester (GPEN), GIAC Exploit Researcher and Advanced Penetration Tester (GXPN), and Offensive Security Certified Professional (OSCP). All of these certifications are of high value and can put you ahead of the competition.

If you speak German and are an IT Tester Consultant Medior or IT Automation Tester, take a look at our employee benefits at msg life Slovakia and respond to job vacancies.

About the author

Michaela Kojnoková

Agile Test Engineer

After studying computer science at ŽU and TUKE, I immersed myself most deeply in the field of test automation. Beyond that, I work on web development, databases, data analytics, artificial intelligence and machine learning. I enjoy travelling and sport, and most of all I enjoy time spent in nature with the people close to me. LinkedIn
