“Never underestimate the determination of a kid who is time-rich and cash-poor.”
― Cory Doctorow, Little Brother
Penetration testing is an extra burden and cost to the company. So why spend the extra money and effort on it when we already have firewalls, automated intrusion detection and prevention systems, an incident response team, secure application development and so much more in place?
The reason is that penetration testing gives an overall view of the effectiveness of the security measures in place. You may have installed the world's most expensive firewall, but if you have not changed its default configuration, how will you find out? Most companies find out about these things only after they have been hacked by malicious hackers and their confidential data is on sale on the dark web. Penetration testing in no way replaces any of the security measures already implemented; instead, it shows whether they are implemented correctly. By running pen tests, organizations try to learn whether a malicious attacker with similar skills and tools can break in and affect the organization's CIA (confidentiality, integrity and availability) triad.
What is penetration testing?
In short, penetration testing is the process of testing IT systems, applications or a company network to discover security vulnerabilities. If these vulnerabilities are left undisclosed and unpatched, any outside malicious actor will be able to exploit them. Many times, such attacks have caused permanent damage to a company's reputation and millions of dollars in costs.
There are several tools available for pen testing, but it is usually done with a combination of automated tools and the manual effort of a skilled penetration tester. Most of the time a penetration tester starts with information gathering and then moves on to scanning, finding vulnerabilities and exploiting them. The final and most important step is documentation and reporting. The scope of a penetration test might be limited to a small application, or it can be wide enough to test the company's security policies and whether those policies comply with local government laws.
What Does a Penetration Tester Do?
There are three terms which are used interchangeably: penetration tester, pen tester and ethical hacker. A pen tester can be an external consultant or an internal employee. These guys use hacking tools and techniques to assess the security of an organization. The main difference between a malicious hacker and a pen tester is the intention and the permission to perform the test. The results of penetration tests are confidential, and only a few authorized people in the organization should have access to them.
There are certain steps which are usually followed in a pen testing process. These steps provide pen testers a structured way of doing the testing.
This is the starting phase, and here pen testers use OSINT (open source intelligence) tools for information gathering. These are passive tools that collect all their information through public channels. For example, the WHOIS tool is used to find domain ownership information, and Nslookup to get possible IP addresses in the network.
Once the pen testers or testing team have gathered sufficient information through passive information gathering, it is time to move to the next step, active scanning. The most important activity here is port scanning to find open ports. Ping sweeping and vulnerability scanning are other activities performed in this phase. The most important tool in this phase is Nmap.
Enumeration is the process of extracting meaningful information from the OSINT and scanning results, such as the OS used in the company, Active Directory usernames and similar things.
When pen testers have some understanding of the target and some results from the scanning, the fun begins. In this phase ethical hackers attempt to exploit the vulnerabilities discovered during scanning and try to find out how far they can go in compromising the network or system while staying within the scope defined in the rules of engagement. The tools and techniques used in this phase depend on the testing scope and the target.
Reporting and communicating results
The job of a penetration tester is not complete even after successful exploitation. A key requirement for a successful penetration test is that it provides useful information to the client about their system or network. This information should be delivered in a report and stated as proper, actionable recommendations.
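The active phases above must stay within the scope defined in the rules of engagement, and that check can be made mechanical before any scan list is used. The following is an added example, not code from the original article: the scope ranges, exclusions and hostnames are constructed sample values (documentation address ranges), and the function names are hypothetical.

```python
import ipaddress

# Constructed rules-of-engagement data (RFC 5737 documentation ranges).
IN_SCOPE_NETS = ["192.0.2.0/24", "198.51.100.16/28"]
EXCLUDED = ["192.0.2.10", "192.0.2.128/25"]  # hosts the client ruled out
IN_SCOPE_HOSTS = {"app.example.test", "vpn.example.test"}


def _nets(items):
    return [ipaddress.ip_network(i, strict=False) for i in items]


def check_target(target):
    """Return (allowed, reason) for one entry of a planned scan list."""
    target = target.strip().lower().rstrip(".")
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        # Not an IP or CIDR: treat as a hostname, exact match only.
        if target in IN_SCOPE_HOSTS:
            return True, "hostname listed in scope"
        return False, "hostname not listed in scope"
    # Exclusions win: reject anything that overlaps an excluded range.
    for ex in _nets(EXCLUDED):
        if net.version == ex.version and net.overlaps(ex):
            return False, f"overlaps exclusion {ex}"
    # The whole target range must sit inside one in-scope network.
    for ok in _nets(IN_SCOPE_NETS):
        if net.version == ok.version and net.subnet_of(ok):
            return True, f"inside {ok}"
    return False, "outside every in-scope network"


def split_targets(targets):
    """Partition a scan list into (allowed, {rejected: reason})."""
    results = {t: check_target(t) for t in targets}
    allowed = [t for t, (ok, _) in results.items() if ok]
    rejected = {t: why for t, (ok, why) in results.items() if not ok}
    return allowed, rejected


if __name__ == "__main__":
    sample = ["192.0.2.5", "192.0.2.10", "192.0.2.0/24", "198.51.100.17",
              "203.0.113.9", "app.example.test", "mail.example.test"]
    allowed, rejected = split_targets(sample)
    print("scan:", allowed)
    for t, why in rejected.items():
        print("skip:", t, "-", why)
```

Note that the whole `192.0.2.0/24` range is rejected even though it is listed as in scope, because it contains excluded hosts; the rejected entries and their reasons also belong in the final report as evidence of what was deliberately not tested.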
Penetration testing types
There are usually three types of penetration testing: black box, white box and gray box.
In black box testing, no prior information about the target is given to the tester: no IP addresses, no location, nor any other information. This makes the task more complex because it requires a lot of work in the first step, information gathering. However, this type of testing can be very important to organizations because it gives them an exact picture of how much data an outside attacker could obtain in a real situation. Black box testing takes longer, and the first step alone takes many days or weeks.
In a white box test, which is the opposite of black box, all the required information about the system is provided to the tester upfront. These are usually internal tests, and the pen testers work closely with the organization's team. They are even given credentials to log in to the system. With white box testing, testers can perform a full assessment of the system because they already have most of the required information.
Gray box testing is somewhere in between. Each gray box test may differ from the others. Sometimes the approach is to provide the initial configuration but no other data. This would be the IP addresses and hostnames that are in scope.
Penetration testing tools
There are tons of tools and automated scripts available for ethical hacking and penetration testing. Here is a partial list. These are the same tools that malicious hackers use too. Some tools are used for more than one purpose.
Tool for Scanning –
Tools for network scanning/penetration testing –
- Web Proxies
Tools for mobile application testing –
- APK Studio
Tools for remote access –
- Secure Shell (SSH)
Tools for password hacking –
Tools for social engineering –
Web application hacking –
- OWASP ZAP
- Burp Suite
Understanding the process, tools and techniques of penetration testing is one thing, but executing them against a real system requires a certain skill. In reality, an organization's systems have become very complex today, ranging from cloud applications and web services to containerized solutions. Because of this, there is no single method of testing that can be applied to all systems. Certain tools may not seem to work initially, but with time and skill you will learn how to make them work.
A skillful penetration tester has the technical skills necessary to run the tools but also the creativity to try different approaches. Ethics is also an important component of penetration testing, and it is what makes the penetration tester different from the malicious hacker.
If you are just starting out with penetration testing, observe the process, and in time you will be able to develop your own methodologies and process for testing a system. When you have one, document it, and over time improve and update it. This document will not only help you improve as an ethical hacker but will also make your reports much clearer.
- What are the steps of penetration testing?
- Name two popular tools for ethical hacking.
- What is black box testing?