5 Common Pentesting Mistakes

Penetration testing (or pentesting) is one of the most effective ways of unearthing weaknesses and flaws in your IT infrastructure. It exposes gaps so you can plug them before a malicious party takes advantage of them. While the benefits of pentesting are clear, a pentest is only as effective as its planning and execution.

Substandard pentesting will not only yield results that add no value but could also endanger the very infrastructure it’s meant to help protect. Before you run a pentest or commission a third party like Emagined Security to do it for you, beware of the most common mistakes testers and businesses make. Here’s a look at some of these.

5 Common Pentesting Mistakes

Disregarding Professional Ethics

A pentester must put themselves in the shoes of a real attacker if they are to model and run scenarios that mirror the real world. But that is the only thing a tester should have in common with a cybercriminal. Importantly, the pentester should use their technical ability to improve security while holding themselves to the highest ethical standards.

During the test, the pentester will likely gain access to sensitive corporate information. They will also learn about the loopholes an attacker could use to break through the organization's defenses. It would be a grave error to disclose this knowledge, or to use this access, outside the boundaries of their authorization.

Testers must honor the trust the target organization has placed in them. They must observe the principles of legality, confidentiality, and privacy at all times.

Unauthorized Testing

The pentester's aim is to identify gaps in the system. Although they are paid to break the rules, this has to be done under prior authorization and predefined terms of engagement.

Testers can become overly enthusiastic about demonstrating their skills and lose sight of their primary objectives. They may crash a critical system by going beyond what they are permitted to do. This is especially destructive if part or all of the test is conducted in a live production environment.

Rules of engagement must be communicated to everyone involved, and anything unclear discussed beforehand. The rules should cover scope, systems included, systems excluded, types of tests (for instance, whether denial-of-service or social engineering is permitted), the testing timeframe, and escalation procedures during emergencies. Get the authorization in writing from someone with the authority to grant it for those systems, and if a target is hosted by a third party, confirm that the provider's testing policy allows it as well.

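As an added example (not part of the original article), the following Python turns rules of engagement of this kind into a pre-flight gate that a tester can run before touching any target. The RoE contents, the address ranges, hostnames, test types and the test window are constructed assumptions for the demonstration; exclusions are checked before inclusions so that a carve-out can never be overridden by a broad in-scope range.

```python
"""Pre-flight check of a target against written rules of engagement.

Added example, not from the original article. The RoE below (ranges,
hostnames, test types, window) is constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class RulesOfEngagement:
    in_scope: list        # CIDRs or domain names the client authorized
    excluded: list        # explicitly carved-out systems; always win over in_scope
    test_types: set       # authorized test categories, e.g. {"web", "network"}
    window_start: datetime
    window_end: datetime


def _matches(target: str, entry: str) -> bool:
    """True if target (IP address or hostname) falls under one RoE entry."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # hostname target: exact match, or a subdomain of a domain entry
        return target == entry or target.endswith("." + entry)
    try:
        return ip in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False      # entry is a hostname, target is an address


def check_target(roe: RulesOfEngagement, target: str, test_type: str, now: datetime):
    """Return (allowed, reason). Order matters: time window, test type,
    exclusions, then inclusions, so a carve-out can never be overridden."""
    if not (roe.window_start <= now <= roe.window_end):
        return False, "outside the authorized test window"
    if test_type not in roe.test_types:
        return False, f"test type {test_type!r} is not authorized"
    if any(_matches(target, e) for e in roe.excluded):
        return False, f"{target} is explicitly excluded"
    if not any(_matches(target, e) for e in roe.in_scope):
        return False, f"{target} is not in scope"
    return True, "ok"


# Constructed RoE for the example (documentation ranges and .test names).
ROE = RulesOfEngagement(
    in_scope=["203.0.113.0/24", "app.example.test"],
    excluded=["203.0.113.10", "db.example.test"],   # production DB carved out
    test_types={"web", "network"},                   # no "dos" unless written in
    window_start=datetime(2020, 9, 14, 8, 0, tzinfo=timezone.utc),
    window_end=datetime(2020, 9, 18, 18, 0, tzinfo=timezone.utc),
)
DURING_WINDOW = datetime(2020, 9, 15, 12, 0, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2020, 9, 20, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for target, kind, when in [
        ("203.0.113.25", "web", DURING_WINDOW),
        ("203.0.113.10", "web", DURING_WINDOW),
        ("www.app.example.test", "web", DURING_WINDOW),
        ("198.51.100.7", "network", DURING_WINDOW),
        ("203.0.113.25", "dos", DURING_WINDOW),
        ("203.0.113.25", "web", AFTER_WINDOW),
    ]:
        print(target, kind, when.isoformat(), "->", check_target(ROE, target, kind, when))
```

The gate is deliberately conservative: an address that is in a permitted range but also listed in the exclusions is refused, a hostname only matches if it is the listed name or a subdomain of it, and anything outside the written window is refused even if it is in scope. Wire the same check in front of scanners and exploit scripts so that the RoE is enforced by the tooling rather than remembered by the tester.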

Not Properly Safeguarding Evidence

'Trust but verify' is the golden rule of auditing, and it applies just as well to pentesting. Like many technical people, pentesters sometimes treat the capture, retention, and documentation of evidence as a distraction. If you offer no evidence to back up your test report, decision-makers and other stakeholders will find it difficult to accept your claims and act on them.

From the start, determine what evidence you need to capture. At a minimum, this includes the exploited vulnerability, the timestamp of the exploit, the unauthorized actions you were able to perform, the number of unsuccessful attempts, and any breach detection that occurred. This evidence is the foundation of a fact-based pentest report. Bear in mind that the evidence itself (credentials, screenshots, data samples) is sensitive: store it encrypted with access restricted to the engagement team, and agree with the client on how long it is retained and when it is destroyed.

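As an added example (not part of the original article), here is a small Python evidence log that captures exactly those minimum fields and makes the record tamper-evident: each entry carries the SHA-256 of the previous one, so an entry that is later edited, deleted or reordered breaks verification of everything after it. The engagement id, the field names and the two sample findings are constructed for the demonstration.

```python
"""Hash-chained, timestamped evidence log for a pentest engagement.

Added example, not part of the original article. The engagement id, field
names and the two sample findings are constructed for the demonstration.
"""
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # prev_hash of the first record


def _digest(entry: dict) -> str:
    """SHA-256 over every field except the hash itself, in canonical order."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class EvidenceLog:
    """Append-only log. Each record carries the hash of the previous one, so a
    record that is edited, removed or reordered breaks verification of every
    record after it."""

    def __init__(self, engagement_id: str):
        self.engagement_id = engagement_id
        self.records = []

    def record(self, vulnerability, target, action, attempts, detected, timestamp=None):
        entry = {
            "seq": len(self.records),
            "engagement": self.engagement_id,
            "timestamp": (timestamp or datetime.now(timezone.utc)).isoformat(),
            "vulnerability": vulnerability,  # what was exploited
            "target": target,
            "action": action,                # unauthorized action you could perform
            "attempts": attempts,            # unsuccessful tries before it worked
            "detected": detected,            # did the client's monitoring fire?
            "prev_hash": self.records[-1]["hash"] if self.records else GENESIS,
        }
        entry["hash"] = _digest(entry)
        self.records.append(entry)
        return entry["hash"]


def verify(records) -> tuple:
    """Walk the chain. Returns (True, None) or (False, index of first bad record)."""
    prev = GENESIS
    for i, r in enumerate(records):
        if r["prev_hash"] != prev or _digest(r) != r["hash"]:
            return False, i
        prev = r["hash"]
    return True, None


def build_sample_log() -> EvidenceLog:
    """Two constructed findings with fixed timestamps so the run is reproducible."""
    log = EvidenceLog("ENG-EXAMPLE-0001")
    t0 = datetime(2020, 9, 15, 10, 12, tzinfo=timezone.utc)
    log.record("default credentials on admin console", "203.0.113.25",
               "logged in as admin", attempts=3, detected=False, timestamp=t0)
    log.record("SQL injection in search parameter", "app.example.test",
               "read contents of users table", attempts=12, detected=True,
               timestamp=t0.replace(hour=14, minute=3))
    return log


def tampered_copy(log: EvidenceLog) -> list:
    """Copy of the records with one field quietly edited after the fact."""
    recs = copy.deepcopy(log.records)
    recs[0]["attempts"] = 0
    return recs


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:   ", verify(log.records))
    print("edited:   ", verify(tampered_copy(log)))
    print("truncated:", verify(log.records[1:]))
    print(json.dumps(log.records[0], indent=2))
```

The chain gives integrity, not confidentiality: records like these will routinely hold credentials and data samples, so the file still needs to be encrypted at rest and access-restricted. Handing the client the final hash at the end of the engagement lets both sides later confirm that the evidence behind the report is the evidence that was collected.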

Over-Reliance on Tools

Enterprise IT infrastructure is highly complex. It is virtually impossible to run a substantial pentest today without some reliance on automated tools, from packet analyzers like Wireshark for inspecting traffic and scanners like Nmap for enumerating targets, to frameworks such as Metasploit that streamline the development and delivery of exploits.

The range of tools at a pentester's disposal is vast, so much so that one is tempted to sit back and let them do all the work. But tools are only as useful as the skill of the person wielding them: a scanner reports what its signatures recognize, and it will miss logic flaws and produce false positives that someone still has to confirm by hand. Tools should never lead a pentesting program. Instead, they should implement the concepts, ideas, and plans the tester has already thought through.

Failure to Recognize That the System Is Indeed Secure

The focus of a pentest is not to achieve intrusion by any means necessary. Instead, it is to assess how well the infrastructure is protected against the methods cybercriminals would use.

Ergo, if you run an exhaustive test that does not result in a successful intrusion, that should not worry you. It is fine for the findings to conclude that the system is secure. Many rookie pentesters lose sight of the greater goal and go all out to prove that some gap exists. The caveat is that a clean result only means no exploitable weakness was found within the agreed scope, time and techniques, so the report should state exactly what was tried and against what, rather than making a blanket claim that no vulnerabilities exist.

The road to becoming a top-notch pentester is years long. Expertise comes from minimizing the number of mistakes you make, and recognizing these common pentesting mistakes is essential to getting your tests consistently right.

Translated from: https://www.thecrazyprogrammer.com/2020/09/common-pentesting-mistakes.html