7 Guidelines for Being a TRUSTED Penetration Tester
The best way to learn is by doing. But when it comes to penetration testing, learners risk legal implications and bad habits if they don't follow ethical, safe procedures. Those wishing to develop penetration testing skills are often unaware of the number of resources available for legally and safely testing penetration tools and techniques. In this blog post, I'll describe seven general practices, outlined in the acrostic "TRUSTED," that pen testing learners and professionals should follow to avoid legal consequences and earn trust. I'll also provide resources for learning how to pen test.
How To Be TRUSTED
Below is the TRUSTED acrostic, which outlines seven guidelines for staying within ethical and legal boundaries when pen testing.
Take your time in both learning and pen testing.
There are a lot of important concepts you need to consider in order to avoid damaging a system or facing legal consequences. Be curious, but be patient. Impulsiveness may lead to scanning the wrong IP address or executing the wrong command. Take, for example, accidental execution of the Linux 'rm -rf /' command. This command will recursively remove all files below the root directory. The '> filename' command will erase the contents of a file. There are many ways to modify data or systems, so take your time and make sure you're taking the right steps.
Refrain from touching systems you don't own.
Never touch systems or networks you don't own, unless you have a legal agreement that permits you to perform certain actions on them. If you do have a legal agreement, only perform actions within the agreement's scope and rules of engagement. To practice with pen testing tools and techniques, set up your own environment or use one explicitly designed for anyone to use. Online resources, such as Hack The Box and VulnHub, provide a controlled environment for practicing pen testing skills.
Use tools, exploits, and guides from trusted sources.
Malicious tools and exploits for compromising systems or publicly humiliating users are sometimes falsely advertised to trick people into using them. Use trusted exploit databases, such as Exploit DB, and tools, such as those included in Kali Linux. A malicious tool or exploit can result in data loss or theft, open a door for attackers to get into the system or network, impact the performance of the system or network, or cause other harm. If a tool from an untrusted source is vital to an operation, thoroughly vet it and its developers. Dissect any untrusted exploits to confirm their legitimacy. If you can't vet a tool or exploit, find an alternate approach.
Segregate and segment appropriately.
Ensure important data and systems are separated and protected from your test or target environment. Human error in pen testing, even in carefully executed campaigns, can result in unexpected, and often unwanted, outcomes. It's important to contain the potential damage as much as possible by utilizing network segregation, network segmentation, and security tools and practices. This is especially true when dealing with malware, which can spread to and infect other systems.
Test exploits and tools in a safe, controlled environment.
Ensure your exploits and tools work as expected. Use a test environment to gain further understanding of what the exploit or tool does and the artifacts it may generate. Keep in mind how different factors, such as operating system, anti-virus software, internet access, and firewalls, may change tool and exploit behavior. Test the impact of these factors, where possible. Look for logs or other byproducts that the tools and exploits generate or affect.
Exploit smartly, not blindly.
Understand how an exploit works and what it does before trying it. Not all exploit code comes perfectly pre-packaged for your needs, so modify it to suit your purposes. For example, an inexperienced or reckless pen tester may be tempted to quickly throw exploits one after another at a target and not stop to look at or adjust the apparent shellcode. On closer inspection, the shellcode could actually be code that runs the 'rm -rf /' command, mentioned previously, or other harmful functions. Avoid blind exploitation, especially when dealing with exploits from unvetted sources.
Don't use your skills maliciously.
However tempting it may be, don't use your skills maliciously. It may cost you a lot of money and prison time. If you're ever uncertain as to whether or not you are permitted to do something, chances are you probably shouldn't. Consult with someone who has relevant legal experience, keeping in mind that every country and state has its own laws. Whether you're already pen testing or just starting to learn how, do it for the right reasons. There are already a lot of people doing it for the wrong ones.
Pen testing can be incredibly challenging and intimidating, given the fast-paced nature of cybersecurity and the constant potential for unintended harm. It takes a lot of practice, patience, and persistence, combined with awareness of safe practices and resources. Whether you're a beginner or an expert, there will always be new tools and techniques to learn and corresponding ethics and laws to understand and practice.
I've listed below some resources for ethical penetration testing, such as intentionally vulnerable virtual machines and web applications, online labs and challenges, open-source tools, competitions, training courses, certifications, and other effective learning tools. These should be a good start for anyone interested in learning more about penetration testing. You can find additional resources and more on being a TRUSTED penetration tester at my website, https://www.hack-hub.com.
Training and Walkthroughs