The Internet is a very useful tool for all companies today, which are taking their business to the digital medium and in turn beginning to store their data in the cloud. But they also face risks, more frequent every day, that can affect their systems. To prevent them and know how to deal with them, it is important to be aware of the dangers the system could face.
This is where the term pentesting, also called penetration testing, comes in. It refers to the practice of attacking a computer system with the help of tools in order to identify or detect existing flaws, vulnerabilities and other security errors. In this way external attacks can be prevented by correcting the security gaps that are found.
From a technical point of view, pentesting can be considered a type of hacking, but a legal one, also known as ethical hacking: the owners of the equipment give their consent for the testing, which is carried out with no intention of causing real damage, but simply to classify and determine both the scope and the impact of the security vulnerabilities, to provide data on the likelihood that such an attack on the system would succeed, and to learn what defenses the system has and how effective they are.
This concept is a recent one. It has arisen because of the large number of attacks and major leaks suffered by several companies in recent years, which is why there are still not many official certifications that accredit a person as a Pentester or, in other words, as an expert in computer security. However, this increases the value of the few that exist.
Types of Pentesting
There are different ways of carrying out pentesting, depending on the type of information available about the system. It is important to know them because in some cases the test will be carried out according to what the client specifies. Here are three of the existing types:
1. White box pentesting: performed when all the information about the system, application or architecture under test is available. It is the most complete pentest and forms part of a comprehensive analysis that evaluates the entire network infrastructure. Because so much information is handled, it is usually carried out by the company's IT team.
2. Black box pentesting: in this case there is no information about the target under test. It is a blind test and the one that most closely resembles an external attack, since it is approached in a way similar to how cybercriminals operate.
3. Gray box pentesting: the most recommended pentest, since it combines the two previous types: some information is available, but not enough to know the whole system, which means investing time and resources to detect all the errors, vulnerabilities and threats, according to the information provided.
Pentesting Process
To carry out penetration tests, the steps to follow are:
1. Information gathering: this step seeks to find all the information available online in open sources, social networks, forums and blogs about the organization and its employees.
2. Search for a technical base: the existing resources, applications and technical means of the company must be defined.
3. Analysis of vulnerabilities and threats: using a set of tools, both commercial and developed by the pentesting company, the aim is to detect vulnerabilities in systems and security applications.
4. Operation and data processing: once the necessary data is available, a real cyberattack is imitated, followed by a subsequent analysis that identifies the vulnerabilities.
5. Report generation: once the final analysis is done, a report is generated presenting the results of the completed pentest along with proposals for improving the security system.
Methods used
The Internet is a very useful tool for all companies today, which are taking their business to the digital medium and in turn are beginning to store their data in the cloud. But they also face increasingly frequent risks that can affect systems. In order to prevent them and know how to deal with them, it is important to be aware of the dangers that the system could face.
This is where the term pentesting, also called penetration testing, comes in. It refers to the practice of attacking a computer system with the help of tools to identify or detect existing failures, vulnerabilities and other security errors. In this way external attacks can be prevented by correcting any security gaps that are found.
This concept is a recent one. It has arisen due to the large number of attacks and major leaks suffered by several companies in recent years, and that is why there are still not many official certifications that accredit a person as a Pentester or, in other words, as an expert in computer security. However, this increases the value of the few existing ones.
Types of Pentesting
There are different ways to perform pentesting tests according to the type of
information you have about the system. It is important to know them
Pentesting process
To carry out the penetration test, the steps to follow are the following:
4. OSSTMM (Open Security Testing Methodology Manual): its tests are not innovative, but they are quite close to the overall structure of the security concept. The model is aimed at institutions that require quality, orderly and efficient pentesting.
Pentesting tools
If after reading all this you are convinced that pentesting is necessary to guarantee the company's computer security, by knowing the failures in its network and so preventing hackers from taking advantage of its vulnerabilities, here are eight tools for performing the penetration test:
1. Kali Linux: one of the best programs on the market, it is a complete Linux distribution dedicated to systems security auditing. Its 300 tools for performing the penetration test are specialized in offense. It will help you detect any failure in your system in a short time and without much effort, and it is an operating system that most professionals use.
3. Metasploit: this tool is useful when you have already identified your vulnerabilities, but not their scope or the damage they can cause. It helps you work out which countermeasures are the right ones to stop the threat. In addition, it has a database of exploits for different vulnerabilities, which makes it possible to see the severity of the flaw.
4. Nmap: the program can scan the ports of a server, find out which ones are open and the vulnerabilities they represent. It is important for reconnaissance analysis and widely used to assess a company's public-facing security and anticipate possible incidents.
5. Wireshark: allows you to know the status of a company's network traffic, analyzing various protocols and capturing the traffic in real time so that you know in detail everything that happens. It is used to monitor TCP/IP connections. If you have a good analyst, you can determine where threats are coming from and act immediately.
6. Zed Attack Proxy: it sits between the web page and the browser used, capturing all the traffic so that it can be inspected and modified, and recognizing the failures of the website. It is easy to use, free and open source, allowing improvements or modifications to add new functionality.
7. John the Ripper: specializes in cracking passwords offline, which lets you gauge their reliability. It can work by brute force, using the processing power of a computer to find the password, or by varying the characters of the passwords contained in the database. As a plus, it can also decrypt files.
8. Burp Suite: of all the analyzers presented, this is one of the most complete on the market. It analyzes web page vulnerabilities by launching various attacks on the website in question, and in a short time it determines its flaws. It is mainly recommended for professionals, who can exploit its full potential; in addition, its cost is 3,000 euros, which makes it available only to companies specializing in security.
In short, pentesting, or penetration testing, is a very useful and relevant tool when you want to provide the greatest security to your company's systems, knowing and solving the vulnerabilities that they may present. You will need specialists, but in the end the investment will surely be worth it, because this way you will keep your business safe.