Posted by Alex Trent

When recommending penetration testing for a corporate network the first question is usually, ”Why would we need penetration testing?”

The first answer is, if you don’t they will. Everyday malicious and sometimes just overly curious people use their computers to run automated testing scripts that look for system vulnerabilities to record and potentially later exploit. Sometimes the people running the scripts just want to find problems and notify the administrators that they need to be fixed. However, not all administrators are so lucky. If businesses do not take a proactive stance and run penetration tests on their own network to find and fix problems, it is likely that they will be the recipient of an attack that could have been prevented.

Today, its easy to run penetration tests, the Metasploit Framework provides fully automated network penetration testing. Some time ago, to test exploits on your own machines you’d have to go find them from obscure websites, download them, and sometimes even compile them. Today the Metasploit Framework can replace these time consuming tasks with a single tool.

Using Metasploit to find security holes may sound dangerous, but as long as you have your data backed up and are properly monitoring your systems there is little chance it will have any noticeable impact on your network. Metasploits is designed to find vulnerabilities, exploit them, and open a remote shell on the affected machine(s) if possible. It is possible that in doing this a service may be shut down and have to be restarted, but that is usually the worst of it. Also any printers on the network may print out some random data as Metasploit looks for vulnerabilities. As long as users are aware that the test is being run and it has the potential to cause minor annoyances for a short time, your testing should go smoothly.

Another question often asked is, “I keep my servers and desktop systems up to date, why would I need to?” This is a perfectly reasonable question, but the proper response is, “Why assume, when you can test and know?” Why not run a simple automated test to check for vulnerabilities so that they can be found and fixed before they are exploited by malicious tools. Nothing will ever prevent attackers 100%, but by using the Metasploit Framework, you can get one step closer.

Download the Metasploit Framework here.

This entry was posted on Monday, May 10th, 2010 at 11:08 am and is filed under Network, Security, Tips. You can leave a response, or trackback from your own site.

About the Author: Alex Trent is a staff writer for WebProNews