A penetration test (pen test or pentest and or ethical hacking) is a simulated cyber-attack against a computer system to check for exploitable vulnerabilities. You should not be confused it with a vulnerability assessment.
In fact, this test simulates a real-world attack to determine how any defenses will fare and the possible magnitude of a breach. A penetration test can help determine whether a system is vulnerable to attack if the defenses were sufficient, and which defenses the test defeated. Penetration testing can be automated with software applications or performed manually. Either way, the process involves gathering information about the target before the test, identifying possible entry points, attempting to break in and reporting back the findings.
In other words, a penetration test is a comprehensive way of testing an organization’s cybersecurity vulnerabilities. If a hacker were going to target you,
- How would they do it and
- Would they be successful?
Penetration tests are a component of a full security audit. For example, the Payment Card Industry Data Security Standard requires penetration testing. The information about security weaknesses that are identified or exploited through pen testing is aggregated and provided to the organization’s IT and network system administrators.
It’s best to have a pen test performed by someone with little-to-no prior knowledge of how the system is secured because they may be able to expose blind spots missed by the developers who built the system. For this reason, outside contractors (ethical hackers) are usually brought in to perform the tests. Many ethical hackers are experienced developers with advanced degrees and a certification for pen testing. In fact, penetration tests are also sometimes called white hat attacks because in a pen test, the good guys are attempting to break in.
What Are the Types of Penetration Tests?
A penetration test target may be a:
- White box (clear-box, open-box and or logic-driven) pen test: In a white box test, the hacker will be provided with some information ahead of time regarding the target company’s security info. This test is the most time-consuming type of penetration testing. In fact in this pen test, penetration testers are given full access to source code, architecture documentation and so forth. The main challenge with white-box testing is sifting through the massive amount of data available to identify potential points of weakness. Familiarity with source code analyzers, debuggers and similar tools important for this type of testing.
- Black box (blind) pen test: This is one where the hacker is given no background information besides the name of the target company. Of course sometimes only basic information given to hacker. This test is quickest type of penetration testing. In fact, Black-box penetration testing relies on dynamic analysis of currently running programs and systems within the target network. A black-box penetration tester must be familiar with automated scanning tools and methodologies for manual penetration testing. The major downside of this approach is that if the testers cannot breach the perimeter, any vulnerabilities of internal services remain undiscovered.
- Gray box pen test: This is a combination of the black box test and white pen test. So, hacker (auditor) starts this test with a limited knowledge of the target. In fact, we can say that a gray-box tester has the access and knowledge levels of a user. Using the design documentation for a network, pen testers can focus their assessment efforts on the systems with the greatest risk and value from the start, rather than spending time determining this information on their own.
- Covert (double-blind) pen test: This is a situation where almost no one in the company is aware that the pen test is happening, including the IT and security professionals who will be responding to the attack. A blind pen-test strategy simulates a real cyber-attackers modus operandi.
- External pen test: In an external test, the ethical hacker goes up against the company’s external-facing technology, such as their website and external network servers. In some cases, the hacker may not even be allowed to enter the company’s building. This can mean conducting the attack from a remote location.
- Internal pen test: In an internal test, the ethical hacker performs the test from the company’s internal network. This kind of test is useful in determining how much damage a disgruntled employee can cause from behind the company’s firewall. This pen test duplicates an actual internal cyber-attack by being performed inside the organizations firewall using just standard access logons and passwords.
- Targeted (lights-on) Pen test: This type of pen test done by IT specialists. This test is a type of internal pen test. In this test, all those involved know that the test is being carried out and also know when it starts and ends.
The Penetration Testing Teams
Best types of Pen Testing come into play when multiple testers are utilized and are broken down into three teams, which are as follows:
- The Red Team: Members of this team are the actual pen testers. Their primary goal and objective are to mimic or emulate the mindset of an attacker. In other words, red team attacks all fronts possible.
- The Blue Team: Members of this team are personnel from within the infrastructure of the business itself. For example IT security team. The main goal of this team is to neutralize the attacks of the red team.
- The Purple Team: This team can be viewed as literally the “bridge” between the Red Team and the Blue Team, to help instill a sense of continuous integration amongst the two. This team adopts the security controls and tactics from the Blue Team, as well as the security weaknesses and vulnerabilities which are discovered by the Red Team. This is then all translated into a one, single narrative to implement a policy of continuous and constant security improvements for the enterprise organizations.
When It Is Best to Have a Pen Test
- Regularly once a year
- Whenever new infrastructure or programs are added to the network
- Whenever applications or infrastructure are upgraded or significantly modified
- When establishing a new office or branch
- Whenever security patches are applied
- Whenever time end-user policies change
Penetration Testing Domains
There are some different domains of Pen Testing which can be engaged. These are as follows:
- Network Services
- Web Application
- Client Side
- Social Engineering
This is most common and most in demand test to perform a pen test. This type of test involves examining the following:
- Firewall configuration testing
- Stateful analysis testing
- Firewall bypass testing
- IPS evasion
- DNS attacks which include (it include Zone transfer testing, Any types or kinds of switching or routing issues)
This domain of pen test is much more thorough and detailed. With this test, any security vulnerabilities or weaknesses are discovered in Web-based applications. Such components as ActiveX, Silverlight, and Java Applets, and APIs are all examined.
This domain of test designed to find any types or kinds of security vulnerabilities on software which can be exploited very easily on an employee workstation, such as web browsers or content creation software packages and etc.
This domain involves examining all of the wireless devices which are used in a corporation (like tablets, notebooks, smartphones) and also Wireless security protocols, Wireless access points and Administrative credentials. This test better is performed at client site.
This type of test involves attempting to get confidential or proprietary information by purposely tricking an employee of the corporation to reveal such items. One of the methods of performing this test is creating and launching a Phishing E-mail Campaign. Another ways are Dumpster Diving, Impersonation, threatening and/or convincing phone calls, etc.
Penetration Testing Tools
A wide variety of security assessment tools are available to assist with penetration testing. Pen testers often use automated tools to uncover standard application vulnerabilities. The tools used generally fall into two categories: dynamic and static.
Dynamic Analysis Tools
The following are some of the must-have tools in a pen tester’s toolkit.
- A Metasploit Frameworks like Rapid7
- A GUI front-end to Metasploit like armitage
- A Packet capture utilities like Wireshark and Kismet
- A Password checkers (like John the Ripper, Aircrack-ng and Ophcrack )
- A Port scanner like Nmap or Zenmap
- Vulnerability scanners like Nikto, Nessus and OpenVAS
- Web proxy like Fiddler and Burp Suite
Static Analysis Tools
White-box testers are expected to perform static analysis of provided source code. This requires proficiency in the use of static pen testing tools. Common static tools include the following tools:
- A debugger like Ollydbg or Windbg
- A compiler like IDA Pro, Hopper, gdb, radare2
- A source code analysis tools (SASTs). Click here to get a list of these types of tools.
Specialized OS Distributions
Several operating system distributions are geared towards penetration testing. Such distributions typically contain a pre-packaged and pre-configured set of tools. Notable penetration testing OS examples include:
- BlackArch based on Arch Linux
- BackBox based on Ubuntu
- Kali Linux (replaced BackTrack December 2012) based on Debian
- Parrot Security OS based on Debian
- Pentoo based on Gentoo
- WHAX based on Slackware
Penetration Testing Phases
The process of penetration testing may be simplified into six phases:
- Reconnaissance: The first thing to do is defining the scope and goals of a test. Then the important information on a target system (e.g., network and domain names, mail server) must gathered. This information can be used to better attack the target.
- Scanning: This phase is to understand how the target application will respond to various intrusion attempts and it uses technical tools to further the attacker’s knowledge of the system. In fact, this phase include static analysis and also dynamic analysis.
- Gaining Access: Using the data gathered in the previous phases, the attacker can use a payload to exploit the targeted system. In fact, this phase uses web application attacks (like cross-site scripting, SQL injection and backdoors), to uncover a target’s vulnerabilities. Testers then try and exploit these vulnerabilities, typically by escalating privileges, stealing data, intercepting traffic, etc., to understand the damage they can cause.
- Maintaining Access: The goal of this stage is to see if the vulnerability can be used to achieve a persistent presence in the exploited system? Maintaining access requires taking the steps involved in being able to be persistently within the target environment in order to gather as much data as possible.
- Covering Tracks: The attacker must clear any trace of compromising the victim system, any type of data gathered, log events, in order to remain anonymous.
- Analysis: The results of the penetration test must compiled into a report detailing: (1) specific vulnerabilities that were exploited (2) sensitive data that was accessed (3) the amount of time the pen tester was able to remain in the system undetected.