How to perform a penetration test of a server?
A potential customers previous hosting company said their server passed penetration tests. So I would like to look into doing this, so we can identify any issues and fix them, and also pass a penetration test.
Does anyone know how best to perform our own tests, or some affordable service/software that can do it? Google doesn't give much away, a bunch of sites I have to contact for a quote which will inevitably mean an expensive service probably. So ideally some software we can run ourselves or something?
Thanks
2 Replies
A what is usually referred to as a pen test involves hiring skilled security specialists to attack more than just a given server. The goal is to find weaknesses that could compromise vital business functions the same way someone skilled and malicious would. For instance, you mentioned your local systems are allowed remote access. A pen tester who knows or guesses this will likely drive by your office to see how your wifi holds up. They may attempt to social engineer employees or vendors, dumpster dive, drop interesting thumb drives in your parking lot to see if people plug them in to a work machine, etc. Depending on what you contract, you may get detailed reports on topics from physical security to cost-benefit analyses of various mitigation strategies. This is invariably not cheap.
It sounds like you're actually looking for a vulnerability scan. Someone else mentioned the Qualsys tools; you might also google 'Metasploit', one (very good) tool in the tool of professional pen testers. While you're playing with that, you might also want to check things like MX Toolbox (which will help audit your email security and incidentally possibly point out DNS issues). This will help you look for known vulnerabilities in software, but don't confuse it with a pen test. A clever attacker is infinitely more flexible than any pile of bits.