Ethical Hacking 简明教程

Ethical Hacking - Pen Testing

渗透测试是许多公司用来最大程度减少其安全漏洞的方法。这是一种受控方式,由专业人员试图入侵您的系统并向您展示您应该修复的漏洞。

Penetration Testing is a method that many companies follow in order to minimize their security breaches. This is a controlled way of hiring a professional who will try to hack your system and show you the loopholes that you should fix.

在执行渗透测试之前,必须达成一项协议,该协议将明确提及以下参数 -

Before doing a penetration test, it is mandatory to have an agreement that will explicitly mention the following parameters −

  1. what will be the time of penetration test,

  2. where will be the IP source of the attack, and

  3. what will be the penetration fields of the system.

渗透测试是由专业道德黑客执行的,他们主要使用商业的、开源工具、自动化工具和手动检查。没有限制;此处最重要的目标是尽可能发现更多安全漏洞。

Penetration testing is conducted by professional ethical hackers who mainly use commercial, open-source tools, automate tools and manual checks. There are no restrictions; the most important objective here is to uncover as many security flaws as possible.

Types of Penetration Testing

我们有五种渗透测试 -

We have five types of penetration testing −

  1. Black Box − Here, the ethical hacker doesn’t have any information regarding the infrastructure or the network of the organization that he is trying to penetrate. In black-box penetration testing, the hacker tries to find the information by his own means.

  2. Grey Box − It is a type of penetration testing where the ethical hacker has a partial knowledge of the infrastructure, like its domain name server.

  3. White Box − In white-box penetration testing, the ethical hacker is provided with all the necessary information about the infrastructure and the network of the organization that he needs to penetrate.

  4. External Penetration Testing − This type of penetration testing mainly focuses on network infrastructure or servers and their software operating under the infrastructure. In this case, the ethical hacker tries the attack using public networks through the Internet. The hacker attempts to hack the company infrastructure by attacking their webpages, webservers, public DNS servers, etc.

  5. Internal Penetration Testing − In this type of penetration testing, the ethical hacker is inside the network of the company and conducts his tests from there.

渗透测试还可能导致问题,例如系统故障、系统崩溃或数据丢失。因此,公司在进行渗透测试之前应权衡利弊。风险计算如下,并且是管理风险。

Penetration testing can also cause problems such as system malfunctioning, system crashing, or data loss. Therefore, a company should take calculated risks before going ahead with penetration testing. The risk is calculated as follows and it is a management risk.

RISK = Threat × Vulnerability

RISK = Threat × Vulnerability

Example

您有一个处于生产中的在线电子商务网站。您想在使其上线之前进行渗透测试。在这里,您必须首先权衡利弊。如果您继续进行渗透测试,可能会导致服务中断。相反,如果您不想执行渗透测试,那么您就有可能面临未修补的漏洞的风险,并且该漏洞将始终构成威胁。

You have an online e-commerce website that is in production. You want to do a penetration testing before making it live. Here, you have to weigh the pros and cons first. If you go ahead with penetration testing, it might cause interruption of service. On the contrary, if you do not wish to perform a penetration testing, then you can run the risk of having an unpatched vulnerability that will remain as a threat all the time.

在进行渗透测试之前,建议您书面记录该项目的范围。您应该明确要测试的内容。例如 -

Before doing a penetration test, it is recommended that you put down the scope of the project in writing. You should be clear about what is going to be tested. For example −

  1. Your company has a VPN or any other remote access techniques and you want to test that particular point.

  2. Your application has webservers with databases, so you might want to get it tested for SQL injection attacks which is one of the most crucial tests on a webserver. In addition, you can check if your webserver is immune to DoS attacks.

Quick Tips

在进行渗透测试之前,您应该牢记以下要点:

Before going ahead with a penetration test, you should keep the following points in mind −

  1. First understand your requirements and evaluate all the risks.

  2. Hire a certified person to conduct penetration test because they are trained to apply all the possible methods and techniques to uncover possible loopholes in a network or web application.

  3. Always sign an agreement before doing a penetration test.