



5 tips for DIY pen testers

Oct 03, 2017 | 6 mins
Application Security, Data and Information Security, Data Breach

Hints, tips and tricks for do-it-yourself penetration testers.


Following on from our recent post about pen testing for businesses, we wanted to talk a bit about the idea behind DIY pen testing. If you're not familiar with the term, pen testing is short for penetration testing: the practice of strengthening network security by identifying its weaknesses, mainly by employing the same techniques a hacker would use. Pen testing is the most direct way to understand where the gaps in your security systems are, and it proves far more cost effective than trying to recover from a cyber attack. But professional pen testing isn't cheap, and recently a lot of people have been toying with the idea of doing their own. So today we're going to talk about the pros and cons of DIY pen testing and give you a few bits of friendly advice. Please note that the tools and techniques covered here are more aligned to vulnerability scanning, which is only one part of the penetration testing process. Penetration testers and hackers take the results of these scans, look at ways of chaining the vulnerabilities together, and then use manual techniques to exploit them.

A preface

First, we want to preface this by saying that we don't recommend DIY pen testing over professional services. The main reason is that you are unlikely to be a fully trained, qualified pen tester, and so will have little to no experience in hacking systems safely. But it's not such an awful risk that it's a complete 'no go' either. If you are comfortable undertaking a DIY pen test and you are confident in your knowledge of your network and its more fragile areas, it's certainly better than not having one done at all. Now, with that said, let's move on to our tips:

1. Think risk

Before you dive in and start poking and prodding at your security systems, take a step back and think about what you are trying to achieve. Look at exactly what you are trying to protect, where it's held and how hackers would most likely get to it. If you aren't sure, evaluate how badly your business would be damaged if each system or resource went down or was compromised individually; this gives you a pretty clear idea of where your priorities lie. Once you have that, you can look at which of those systems represents the most risk, and work from there. That ranking also decides what counts as a serious finding later: a medium-severity issue on the system that holds your customer data matters more than a critical one on a device nobody would miss.

2. Utilize tools

Unless you are a dedicated coder or an ethical hacker in your spare time, we don't recommend trying to pen test your business manually. Manual testing requires a high level of time and experience to perform effectively. Luckily there are a lot of tools out there, used by real testers today, that can help businesses perform rudimentary security tests on their systems without much manual intervention. A few of our favorites include the Metasploit Framework, OpenVAS, sqlmap, Burp Suite and SPARTA, all of which either come pre-installed on, or can easily be installed on, the Kali Linux operating system. These aren't exactly a "pen test in a box", but they are a few of the resources that can automate the fundamental basics of pen testing and save time and resources by identifying the most obvious and dangerous vulnerabilities. There are a lot of tools out there, so try a few in a test environment and opt for one your team can use effectively. Always run a tool against a test environment first and understand how it works: we don't recommend firing any tool, no matter how basic, at your production network without understanding how it operates and the potential consequences. Aggressive scan profiles and exploitation modules can crash fragile services, so agree the systems in scope, get written authorization for them and pick a testing window before you start.

3. Understand different types of attack

There is more than one way a hacker can get into your systems; in fact there are thousands. To do an effective pen test, you need to understand the different ways attacks happen, so that you can look for ways in using the same approach (that's the point, after all: to see whether it can be done). For example, are you more exposed to man-in-the-middle attacks, phishing, brute-force attacks, DDoS, or exploitation of weak or unpatched services? Bear in mind that some of these, DDoS in particular, are things to assess your exposure to rather than to launch against your own live systems. Understanding the different ways hackers work is crucial to effective pen testing.

4. Clean up after yourself

This mostly applies to those opting for the true DIY approach rather than relying on automated tools, because manual testing means uploading files, adding users and making configuration changes by hand, although exploitation frameworks can leave payloads, sessions and test accounts behind too. If you simply abandon the system when you are done, you risk leaving a trail of evidence a mile long behind you. Not only could this significantly reduce incident response capability if there were a breach further down the line, it could also leave a trail of breadcrumbs for a real attacker to the weak areas of your network. So, remember what your mother always told you: clean up and put everything back where you found it when you're done. Keep a list of every change as you make it, and check each one is actually reverted rather than assuming it is; you cannot undo what you did not record.
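The "record it, then revert it and check" habit from this tip can be turned into a small undo ledger. The following is an added example, not code from the article or from any of the tools it names: each artifact a tester creates (a probe file, a config edit, a test account) is recorded with the action that reverses it and a check that the original state is back; `restore_all` replays the reversals newest first, carries on past a failed reversal, and returns whatever is still left behind so it goes into the report instead of being forgotten. The target is a temporary directory, the `service.conf` contents and the `pentest_tmp` account are constructed for illustration, and the account "API" is a stand-in dictionary.

```python
"""Undo ledger for manual pen-test changes (added example, not from the article)."""
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Artifact:
    description: str
    undo: Callable[[], None]   # reverses the change
    verify: Callable[[], bool]  # True once the original state is back


class CleanupLedger:
    def __init__(self):
        self._entries: List[Artifact] = []

    def record(self, description, undo, verify):
        # Record *before* making the change: if the test is interrupted you
        # still know what needs checking.
        self._entries.append(Artifact(description, undo, verify))

    def restore_all(self):
        """Reverse every recorded change, newest first, so a config edit made
        after an upload is reverted before the upload is removed. A failing
        undo does not stop the rest; anything not verified as restored is
        returned so it can be reported rather than silently left behind."""
        leftovers = []
        for entry in reversed(self._entries):
            try:
                entry.undo()
            except Exception:
                pass  # verification below decides whether it is a leftover
            if not entry.verify():
                leftovers.append(entry.description)
        self._entries.clear()
        return leftovers


def _write(path, text):
    with open(path, "w") as fh:
        fh.write(text)


def _read(path):
    with open(path) as fh:
        return fh.read()


def run_demo(fail_user_removal=False):
    """Simulate a manual test: upload a probe file, flip a config setting and
    add a test account, all tracked in the ledger, then clean up.
    `fail_user_removal` simulates a host that refuses to delete the account."""
    target = tempfile.mkdtemp(prefix="diy-pentest-")  # stands in for the target
    probe = os.path.join(target, "probe.txt")
    config = os.path.join(target, "service.conf")
    _write(config, "debug = off\n")  # constructed "original" configuration
    ledger = CleanupLedger()

    # 1. "upload" a probe file
    ledger.record(f"probe file {probe}",
                  undo=lambda: os.remove(probe),
                  verify=lambda: not os.path.exists(probe))
    _write(probe, "harmless marker\n")

    # 2. edit a config setting, keeping the original content for the revert
    original = _read(config)
    ledger.record(f"config edit {config}",
                  undo=lambda: _write(config, original),
                  verify=lambda: _read(config) == original)
    _write(config, "debug = on\n")

    # 3. add a test account through a stand-in for the account API
    accounts = set()

    def remove_account():
        if fail_user_removal:
            raise PermissionError("account deletion refused")
        accounts.discard("pentest_tmp")

    ledger.record("test account pentest_tmp", undo=remove_account,
                  verify=lambda: "pentest_tmp" not in accounts)
    accounts.add("pentest_tmp")

    leftovers = ledger.restore_all()
    result = {
        "leftovers": leftovers,
        "probe_removed": not os.path.exists(probe),
        "config_restored": _read(config) == "debug = off\n",
    }
    shutil.rmtree(target, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(fail_user_removal=True))
```

With the account removal allowed, `run_demo()` reports no leftovers; with it refused, the file and config are still restored and the report lists only the account, which is exactly the item that must go to whoever owns that host.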

5. Report back

Doing the pen test itself is, sadly, only part of the job. Once you have conducted a thorough test and have an idea of what's going on and where the weaknesses in the system are, you need to report back to management or IT about what you have found. The best measure of success in pen testing is not the finding of problems but the reporting and handling of them. Rank what you found by the business risk you worked out in tip 1, not just by the severity a scanner assigns, and say plainly what should be fixed first. If you don't compile a report and act to rectify the issues you found, you might as well not have bothered.
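Tips 1 and 5 meet in the report: scanner severity tells you how bad a hole is, the risk assessment tells you how much the system it sits in matters, and the report needs both. The following is an added example, not code from the article or from any scanner it mentions, of weighting each finding by the business criticality of its host and grouping the result per host in the form a management summary needs. The hosts, criticality values, findings, CVSS numbers, the 1.5x factor for a public exploit and the "fix first" threshold of 30 are all constructed assumptions for illustration; a host missing from the criticality table is deliberately given the maximum weight so an unrecognised asset gets triaged rather than ignored.

```python
"""Risk-weighted triage of scanner findings (added example, not from the article)."""
from collections import defaultdict
from dataclasses import dataclass

# Business criticality from the "think risk" step, 1 (nuisance) to 5 (business
# stops). Constructed values; the real ones come from your own assessment.
ASSET_CRITICALITY = {
    "db-01": 5,
    "web-01": 4,
    "fileshare": 3,
    "printer": 1,
}
UNKNOWN_ASSET_WEIGHT = 5     # assumption: unlisted hosts are treated as critical
EXPLOIT_FACTOR = 1.5         # assumption: public exploit available
FIX_FIRST_THRESHOLD = 30.0   # assumption: above this, fix before anything else


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float              # 0.0-10.0 base score as the scanner reported it
    exploit_available: bool


def risk_score(finding, criticality=ASSET_CRITICALITY):
    """Severity weighted by how much the affected host matters. Raw CVSS would
    put an exploitable hole on the printer above a medium on the database;
    weighting by criticality reverses that ordering."""
    weight = criticality.get(finding.host, UNKNOWN_ASSET_WEIGHT)
    score = finding.cvss * weight
    if finding.exploit_available:
        score *= EXPLOIT_FACTOR
    return round(score, 1)


def rank_findings(findings, criticality=ASSET_CRITICALITY):
    return sorted(findings, key=lambda f: risk_score(f, criticality), reverse=True)


def build_report(findings, criticality=ASSET_CRITICALITY):
    """One row per host, highest risk first, with the single issue and action
    a manager needs to read without understanding CVSS."""
    by_host = defaultdict(list)
    for finding in rank_findings(findings, criticality):
        by_host[finding.host].append(finding)   # already ranked, so [0] is worst
    rows = []
    for host, items in by_host.items():
        top_risk = risk_score(items[0], criticality)
        rows.append({
            "host": host,
            "criticality": criticality.get(host, UNKNOWN_ASSET_WEIGHT),
            "finding_count": len(items),
            "top_issue": items[0].title,
            "top_risk": top_risk,
            "action": "fix before anything else" if top_risk >= FIX_FIRST_THRESHOLD
                      else "schedule in normal patching",
        })
    return sorted(rows, key=lambda r: r["top_risk"], reverse=True)


# Constructed sample findings standing in for a scanner's output.
SAMPLE_FINDINGS = [
    Finding("printer", "Default SNMP community string", 7.8, True),
    Finding("db-01", "Outdated database service, authenticated RCE", 8.8, False),
    Finding("web-01", "SQL injection in login form", 9.8, True),
    Finding("fileshare", "SMB signing not required", 5.3, False),
    Finding("db-01", "Weak TLS cipher suites", 5.9, False),
    Finding("legacy-app", "Anonymous FTP write access", 6.4, True),  # not in table
]

if __name__ == "__main__":
    for row in build_report(SAMPLE_FINDINGS):
        print(f"{row['host']:<12} crit={row['criticality']} "
              f"findings={row['finding_count']} risk={row['top_risk']:>5} "
              f"{row['action']}: {row['top_issue']}")
```

Note what the weighting does to the sample: the exploitable printer issue has the second-highest CVSS in the list but lands last, the medium TLS finding on `db-01` outranks it, and the unlisted `legacy-app` host rises to second place precisely because nobody had classified it yet.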

If all of that seems a bit complicated, stop researching and pick up the phone to an expert. A lot can go wrong with DIY pen testing, and the result is often heavy costs in time and resources to fix the problem, landing you back at square one. DIY pen tests that go wrong can slow down your network, crash your systems, lose valuable data and even leave your systems wide open to attack. So unless you're confident that you can handle the task and accept the risks, we don't recommend handling it on your own.


Anthony Young specializes in the provision of security and risk support services across the UK for Bridewell Consulting.

Anthony commenced his information security career in 2003. He worked as a security consultant primarily within central government and the gaming industry where he reduced threat profiles by establishing security frameworks and management systems. He is a BS7799/ISO27001 Lead Auditor with a number of certifications from CESG.

The opinions expressed in this blog are those of Anthony Young and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.