_Penetration Testing: with great power comes great responsibility

From the first hacker films to the Mr Robot series, the figure of the hacker has always aroused great interest and curiosity.

But what are hackers and how does hacking work?

Not all hackers, however, have bad intentions: ethical hackers use their skills to find potential security holes and remedy them. In this article, we want to explore their main activities in detail. Using ethical hacking to look for holes in security has a precise name: Penetration Testing. And is it enough to do this by opening lots of windows with coloured texts? Clearly not, the process is much broader and proceeds in stages. The first of these is Enumeration, which means spending time exploring the target, analysing all useful information to find a way in.

Is it enough to find good information? Again, no. Often the information obtained is not sufficient and requires further analysis. Once the access route has been identified, the tool to be used to exploit the chosen access route must be chosen, in order to get to the machine. This second step is called Exploitation.

But gaining access to the machine is still not enough, we must succeed in gaining more ‘power’. And if with great power comes great responsibility, in order to gain the most important privileges that allow complete control of the target, we must rely on our ability to obtain information that is useful to our outcome. We thus enter the third phase, called Privilege escalation.

Having completed these three steps, in fact, the Penetration Testing process can be said to be complete. However, there are two steps to follow in order to complete our activity in the best possible way. The first step consists of removing all traces we have left during the testing phase, while the second involves writing an accurate report containing the information detected. Reporting may seem tedious but it is necessary to understand potential risks and their solutions. It is advisable to use non-technical language so that it can be readily understood by all parties involved.

In conclusion: carrying out Penetration Testing is therefore fundamental in organisational contexts and can be a lot of fun, without having to apply fancy processes or Elliot Anderson experiences.