What is Penetration Testing?
Penetration testing, often called “pentesting”, “pen testing”, "network penetration testing", or “security testing”, is the practice of attacking your own or your clients’ IT systems in the same way a hacker would to identify security holes. Pen testing tries to gain control over systems and obtain data. The person carrying out a penetration test is called a penetration tester or pen tester. For the rest of the article, we will refer to it as a pen test or pen testing.
Why Pen Test?
Pen testing is done for several reasons, including:
Depending on your industry pen testing might be a requirement of operation. Industries such as healthcare and finance usually require pen testing as part of their regulations. One example is PCI DSS compliance that requires pen testing regularly.
Check Your Network Security Protocols
You may already have security protocols in place. This can include firewalls, encryption, and protocol that staff should follow in the event of a breach. Conducting a pen test will allow you to identify any weakness in your deployed solutions and fine-tune any internal policies.
Simulate Network Attacks
A pen test is designed to detect openings in your security. Simulating an attack on yourself is a great way to make sure you are prepared for a breach and learn where you are exposed.
Pen Test Steps
Each pen test might have different steps, but a pen test generally has the following:
- Set the scope
- Brute Forcing
- Social Engineering
- Take Control
- Gather Evidence
Set the Scope
It’s import to set the scope of a pen test, so you know what vulnerabilities you are looking for and how these vulnerabilities are being tested. To set the scope, ask yourself questions such as “What is the most important data to my company?”. This can include social security numbers, credit card data, and health information. Once identified, the pen tester can then try to access that data.
A pen tester will find out as much as possible about the target company and the systems being audited. This occurs both online and offline. Publicly available company and employee information can give a pen tester valuable information. A pen tester may also try to follow employees into secure spaces and see how much access they can gain.
A pen tester will conduct port or vulnerability scanning of the IP ranges in question to learn more about the environment. Scanning the network will return servers and devices along with their relationship to each other. Armed with this information, a pen tester can create an attack plan.
After running a discovery scan, the pen tester can decide which vulnerabilities and systems to exploit in order to gain access. They will attempt exploitation either at the operating system or application level.
A brute force attack tests all systems for weak passwords to gain access. An attack attempts all possible combinations of username and passwords in an attempt to gain access. A pen testers goal is to get a username and password combination that will give them system access, and from there they can move through the network and attempt privilege escalation.
Social engineering is exploiting people though phishing emails, malicious USB sticks, phone conversations, and other methods to gain access to information and systems. Human targets are the most insecure part of most security systems. The pen tester will attempt to get email recipients to click on the links or download malicious files in order to steal information from the computer.
The major goal of a pen tester is to gain access to data on target machines (such as passwords, password hashes, screenshots, files), install keyloggers, and take over screen control. Often this can open new doors to more exploitation, brute forcing, or social engineering.
After taking control of target machines, a pen tester will attempt to access different network segments. The pen tester will use a compromised server to jump to other parts of the network connected to the server. Pivoting from one network to another allows a pen tester avoid firewalls and other detection systems.
A proxy pivot creates a gateway on a compromised host and allows attacks to be launched from there. The compromised host becomes a SOCKS, or Socket Secure proxy. SOCKS allow any type of traffic generated by a program or protocol. Proxy pivots are restricted to TCP and UDP ports that the proxy supports.
A VPN pivot creates an encrypted layer tunnel from a compromised host back to the attacker. A VPN pivot allows an attacker to access to all the networks and devices the compromised host is able to see. Using a VPN pivot a pen tester can run a scan to see anything the compromised host is connected to and dig deeper into the system.
A pen tester will gather evidence such as collecting screenshots, passwords hashes, and files as proof they gained access. Gathering evidence is what sets a pen tester apart from an attacker. A pen tester will gather evidence as proof that a system can be compromised into a report.
A pen tester will create a report that describes how they breached the network and the information they accessed.
After a pen test, this step address the issues that enabled the pen tester to enter the network. This is typically not done by the pen tester but by other resources in the IT department.
Types of Pen Tests
Pen testing can be broken down into two categories:
Decide What to Test
During the scope portion of pen testing, the pen tester and the client will decide what systems should be tested. That is usually one or more of the following:
This is the most common pen test. This is also known as a Network Service Test or Internal Network or External Network pen test. A network infrastructure test looks for vulnerabilities in the network infrastructure of a company. Some systems that are usually tested include:
- DNS Attacks
- Legacy Systems
- Intercepting Network Traffic
Web application testing comprises of testing the application on the server side and the client side. These tests are detailed and intensive. Since businesses rely heavily on web applications, these can take the most time.
Wireless involves testing all wireless devices in a company. Pen testing looks for unsecured devices and wireless protocols looking for an entry point.
Social engineering is one of the most well known attack types. This can involve phishing emails or using a physical item, such as USB, to get employees to load malicious code on their device and network.
Client side looks for local vulnerabilities. This can include applications such as Adobe Photoshop, Microsoft Word, and Firefox. Any software that is used on a computer that connects to the company network is usually part of the test.
Pen Tester Access and Knowledge
The amount of access to systems and source code will determine how much information a pen tester has before beginning an engagement. This can affect the length of the pen test and what is discovered.
Black Box Testing
In black box testing, the pen tester has no information about the systems being tested. This test mimics what the average hacker will attempt. The pen tester will gather information and attempt to exploit the system using the gathered information. This is most like an external hacker attack.
White Box Testing
In white box testing, the pen tester is given full access to any necessary systems. They can review source code, architecture, and network information. With this knowledge, a pen tester can evaluate both internal and external vulnerabilities.
Gray Box Testing
In gray box testing, the pen tester is usually given the same level of access to a system as an admin user. They also have some knowledge of how the system works. This attack can simulate the damage an attacker can do if they have access to credentials with higher permissions.