Beginner Guide | Introduction to #VAPT (Vulnerability Assessment and Penetration Testing) and Reporting Tools.

Harshit Sengar (Hackcura) · Published Jan 31, 2020 · 3 min read

This post introduces vulnerability assessment, penetration testing, and the reporting tools used for them.

A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a target.

Assessments are typically performed according to the following steps:

  1. Cataloging assets and capabilities (resources) in a system.
  2. Assigning a quantifiable value (or at least a rank order) and importance to those resources.
  3. Identifying the vulnerabilities or potential threats to each resource.
  4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources.
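The four steps above can be expressed as a small scoring workflow. The following is an added example written for this post, not code from the original article or from any of the tools named later: it catalogs assets, assigns each a business value, records the findings identified against each asset, and ranks them so that step 4 (mitigation) starts with the highest-risk item. The asset names, values, CVSS scores and the "asset value times severity" weighting are all constructed assumptions for illustration.

```python
"""Added example (not from the original post): a minimal vulnerability-assessment
workflow following the four steps above. Asset names, values and findings are
constructed sample data, not real hosts."""
from dataclasses import dataclass, field


# Step 1: catalog assets.  Step 2: assign a business value (1 = low, 5 = critical).
@dataclass
class Asset:
    name: str
    value: int                      # importance of the resource, 1..5 (assumed scale)
    findings: list = field(default_factory=list)


# Step 3: identify vulnerabilities per asset, with a CVSS-style base score 0..10.
@dataclass
class Finding:
    title: str
    cvss: float
    exploit_available: bool = False   # a public exploit raises urgency


def risk_score(asset: Asset, finding: Finding) -> float:
    """Rank order used here: asset value x severity, with a 1.5x bump when a
    public exploit exists.  The weighting is an assumption, not a standard."""
    score = asset.value * finding.cvss
    if finding.exploit_available:
        score *= 1.5
    return round(score, 1)


def prioritize(assets):
    """Input to step 4: (score, asset, finding) tuples, highest risk first."""
    ranked = [(risk_score(a, f), a.name, f.title) for a in assets for f in a.findings]
    ranked.sort(key=lambda r: (-r[0], r[1], r[2]))
    return ranked


def sample_inventory():
    """Constructed inventory: three assets with findings a VA scan might report."""
    return [
        Asset("crm-db", 5, [Finding("Weak TLS cipher suites", 5.3),
                            Finding("Unpatched DB engine", 9.8, exploit_available=True)]),
        Asset("marketing-site", 2, [Finding("Missing HSTS header", 3.1),
                                    Finding("Outdated CMS plugin", 7.5, exploit_available=True)]),
        Asset("dev-jumpbox", 3, [Finding("SSH password auth enabled", 6.5)]),
    ]


if __name__ == "__main__":
    for score, asset, title in prioritize(sample_inventory()):
        print(f"{score:6.1f}  {asset:16s} {title}")
```

The point of the ranking is that a medium-severity finding on a critical asset can outrank a high-severity one on a low-value asset; the asset value from step 2 is what makes step 4 actionable.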

Penetration testing is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit. Penetration testing can be automated with software applications or performed manually. Either way, the process involves gathering information about the target before the test, identifying possible entry points, and attempting to break in.

Types of penetration testing:

A penetration test target may be a White box (which provides background and system information) or a Black box (which provides only basic or no information except the company name). A Grey box penetration test is a combination of the two (limited knowledge of the target is shared with the auditor). A penetration test can help determine whether a system is vulnerable to attack, whether its defenses were sufficient, and which defenses (if any) the test defeated.

There are various areas of Penetration Testing:

  • Application penetration testing — Web, Mobile and Thick client application
  • API penetration testing
  • Network penetration testing
  • IoT penetration testing
  • Cloud penetration testing
  • Device penetration testing

VA (Vulnerability Assessment) is a process whose goal is finding loopholes in the IT infrastructure; they could be in your application, software system, network, etc. PT (Penetration Testing) is the test conducted to investigate the severity of the loopholes found by the VA. A simple example: a VA identifies weak cryptography on a host. Finding out how that impacts the system is the job of penetration testing: if the weak encryption can be broken and, possibly combined with a phishing attack, used to gain access to the database, then it is a real threat. In short, VA produces a list of loopholes, whereas PT identifies the severity of each loophole.

REPORTING TOOLS:

VAPT tools are tools that automatically identify vulnerabilities in a system and also generate penetration testing reports.

Pros

  • Easily available; open-source applications exist.
  • Fast: after adding the IP addresses, reports are auto-generated within minutes to hours.
  • Manual expertise is not required, as the tools run automatically and present the end results as reports.
  • Helps small-scale companies understand their IT environment; even non-IT staff can operate these tools.

Cons

  • Compromises data security, as you share access to your IPs with untrusted tools without any agreement.
  • Results from free applications may not be accurate.
  • Penetration testing can open portals that hackers may exploit; it is important to close all of them after testing, and some tools fail to do so.
  • Some tools are expensive to own and hard for beginners to use.

Many tools can generate reports, and their reports include false-positive cases.
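Because every automated tool reports some false positives, a tester usually merges the output of several tools into one list and records which findings were verified. The script below is an added example for this post, not code from the article or from any of the tools listed next: it parses two constructed scanner reports (one CSV, one JSON, both in hypothetical layouts rather than any real tool's format), collapses the same issue reported by both tools into one row, attaches the tester's recorded false-positive decisions, and produces a summary. All hosts, findings and triage notes are constructed sample data.

```python
"""Added example (not from the original post): merging two constructed scanner
reports, de-duplicating across tools and marking verified false positives.
Both input layouts are hypothetical, not any real tool's export format."""
import csv
import io
import json

# Constructed CSV in a hypothetical "host,port,title,severity" layout.
SCANNER_A_CSV = """host,port,title,severity
10.0.0.5,443,TLS 1.0 enabled,medium
10.0.0.5,443,Server banner discloses version,low
10.0.0.7,22,SSH weak MAC algorithms,medium
"""

# Constructed JSON from a second hypothetical scanner, with its own field names.
SCANNER_B_JSON = json.dumps({"results": [
    {"target": "10.0.0.5:443", "name": "tls 1.0 enabled", "risk": "Medium"},
    {"target": "10.0.0.5:443", "name": "SQL injection in /search", "risk": "High"},
    {"target": "10.0.0.7:22", "name": "SSH weak MAC algorithms", "risk": "Medium"},
]})

# Triage decisions the tester recorded after manual verification (constructed).
KNOWN_FALSE_POSITIVES = {
    ("10.0.0.5", 443, "server banner discloses version"):
        "Banner is a static decoy string; no real version is exposed",
}

SEV_ORDER = {"high": 0, "medium": 1, "low": 2}


def normalize(host, port, title, severity):
    """Common record; the key (host, port, lower-cased title) lets the same
    issue from two tools collapse into one row."""
    title = title.strip()
    return {"host": host, "port": int(port), "title": title,
            "severity": severity.strip().lower(),
            "key": (host, int(port), title.lower())}


def parse_scanner_a(text):
    return [normalize(r["host"], r["port"], r["title"], r["severity"])
            for r in csv.DictReader(io.StringIO(text))]


def parse_scanner_b(text):
    out = []
    for r in json.loads(text)["results"]:
        host, port = r["target"].rsplit(":", 1)
        out.append(normalize(host, port, r["name"], r["risk"]))
    return out


def consolidate(findings, false_positives):
    """Merge by key, count how many tools reported each issue, attach triage
    notes, and order confirmed findings by severity ahead of false positives."""
    merged = {}
    for f in findings:
        entry = merged.setdefault(f["key"], {**f, "sources": 0})
        entry["sources"] += 1
    for entry in merged.values():
        entry["false_positive"] = false_positives.get(entry["key"])
    return sorted(merged.values(),
                  key=lambda e: (e["false_positive"] is not None, SEV_ORDER[e["severity"]]))


def summary(entries, raw_count):
    confirmed = [e for e in entries if e["false_positive"] is None]
    return {"raw": raw_count, "unique": len(entries), "confirmed": len(confirmed),
            "false_positives": len(entries) - len(confirmed),
            "corroborated_by_two_tools": sum(1 for e in confirmed if e["sources"] > 1)}


def run():
    raw = parse_scanner_a(SCANNER_A_CSV) + parse_scanner_b(SCANNER_B_JSON)
    entries = consolidate(raw, KNOWN_FALSE_POSITIVES)
    return entries, summary(entries, len(raw))


if __name__ == "__main__":
    entries, stats = run()
    for e in entries:
        flag = f"  [FALSE POSITIVE: {e['false_positive']}]" if e["false_positive"] else ""
        print(f"{e['severity']:7s} {e['host']}:{e['port']:<5d} {e['title']} (tools: {e['sources']}){flag}")
    print(stats)
```

Keeping the false positives in the output with their justification, rather than silently dropping them, is what lets the next assessment skip re-verifying the same items and lets a reader of the report see why a scanner's raw count differs from the confirmed count.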

Some of the tools are given below:

  • Netsparker
  • Acunetix
  • Indusface
  • Wapiti
  • Dradis
  • Vega
  • Nessus
  • Metasploit
  • Retina
  • Nexpose
  • Nikto
  • OpenVAS
  • WebReaver
  • Arachni
  • Prithvi
  • Lynis

You can follow me on Twitter.

Synack Red Team Member | Cyber Security Enthusiast | Information Security Engineer | Penetration Tester