Change search
ReferencesLink to record
Permanent link

Direct link
Design and implementation of a non-aggressive automated penetration testing tool: An approach to automated penetration testing focusing on stability and integrity for usage in production environments
KTH, School of Information and Communication Technology (ICT), Communication Systems, CoS, Radio Systems Laboratory (RS Lab). (CCS)
2013 (English)Independent thesis Advanced level (degree of Master (Two Years)), 20 credits / 30 HE creditsStudent thesis
Abstract [en]

The focus of this Master’s thesis project is automated penetration testing. A penetration test is a practice used by security professionals to assess the security of a system. This process consists of attacking the system in order to reveal flaws.  Automating the process of penetration testing brings some advantages, the main advantage being reduced costs in terms of time and human resources needed to perform the test. Although there exist a number of automated tools to perform the required procedures, many security professionals prefer manual testing. The main reason for this choice is that standard automated tools make use of techniques that might compromise the stability and integrity of the system under test. This is usually not acceptable since the majority of penetration tests are performed in an operating environment with high availability requirements.

The goal of this thesis is to introduce a different approach to penetration testing automation that aims to achieve useful test results without the use of techniques that could damage the system under test. By investigating the procedures, challenges, and considerations that are part of the daily work of a professional penetration tester, a tool was designed and implemented to automate this new process of non-aggressive testing.

The outcome of this thesis project reveals that this tool is able to provide the same results as standard automated penetration testing procedures. However, in order for the tool to completely avoid using unsafe techniques, (limited) initial access to the system under test is needed.

Abstract [sv]

Det här examensarbete fokuserar i automatiserade penetrationstester.  Penetrationstester används av säkerhetsspecialister för att bedöma säkerheten i ett system. Processen av ett penetrationstest består av olika attacker mot ett system för att hitta säkerhetshål. Automatiserade penetrationstester har fördelar som faktumet att det kostar mindre i tid och i mänskliga resurser som krävs. Trots att det finns många olika automatiserade verktyg för penetrationstestning, väljer många säkerhetsspecialister att göra det manuellt. Den största anledningen till att det görs manuellt är för att automatiserade verktygen använder sig av tekniker som kan kompromissa systemets stabilitet samt integritet. Det tillåts ofta inte, eftersom majoriteten av penetrationstesterna utförs i produktionsmiljöer som kräver hög tillgänglighet.

Målet för det här examensarbetet är att introducera ett nytt tillvägagångssätt för automatiserad penetrationstestning, som inriktar sig på att ta fram användbara resultat utan tekniker som kan störa system under drift. Genom att undersöka procedurerna, utmaningarna samt vad som en penetrationstestare tar hänsyn till kommer ett verktyg designas och implementeras för att automatisera flödet av ett icke-aggressivt test.

Resultatet av examensarbetet visar på att verktyget utvecklat kan uppnå samma resultat som de standardiserade penetrations-procedurerna givet begränsad tillgång till systemet.

Place, publisher, year, edition, pages
2013. , xvi,88 p.
Trita-ICT-EX, 2013:87
Keyword [en]
Penetration testing, automation, production environment, IT security
Keyword [sv]
penetrationstester, automatiserade, produktionsmiljö, IT säkerhet
National Category
Communication Systems
URN: urn:nbn:se:kth:diva-122906OAI: diva2:623998
2013-05-24, Seminar room Motala, Isafjordsgatan 22, Kista, 14:00 (English)
Available from: 2013-05-29 Created: 2013-05-29 Last updated: 2013-05-29Bibliographically approved

Open Access in DiVA

fulltext(1816 kB)256 downloads
File information
File name FULLTEXT01.pdfFile size 1816 kBChecksum SHA-512
Type fulltextMimetype application/pdf

Search in DiVA

By author/editor
Viggiani, Fabio
By organisation
Radio Systems Laboratory (RS Lab)
Communication Systems

Search outside of DiVA

GoogleGoogle Scholar
Total: 256 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

Total: 184 hits
ReferencesLink to record
Permanent link

Direct link