Penetration Testing

Today's networked systems have a greater attack surface because computers are interconnected and can be accessed remotely. Systems and servers are also complex since they offer dozens of services and run many different software packages. Anyone gaining access to such a system without authorization can damage operations and steal data. It's therefore essential to know what security vulnerabilities are present and take corrective action early on.

Penetration testing is a proactive attempt to discover and exploit vulnerabilities in the system. The idea is not to cause damage as a malicious hacker would. Instead, it's to discover what's wrong, show how much damage can be done, or prove that existing measures are mitigating these attacks as they happen. Penetration testing can be manual or automated.

Penetration testing is also called pen testing.

Discussion

  • What's a typical pen testing process?
    Typical stages involved in pen testing. Source: Imperva 2018, CC BY 4.0.
    Typical stages involved in pen testing. Source: Imperva 2018, CC BY 4.0.

    With pen testing, we typically explore or scan the system to discover vulnerabilities. Once discovered, we try to exploit them and see what happens. The behaviour is captured and reported for analysis. Scanning can be static code analysis or dynamic run-time analysis.

    Pen testing requires a proper testing plan. Reporting should be consistent. Problems should be marked with levels of severity. Finally, there should be an action plan to mitigate or manage vulnerabilities.

    Since attacks are often preceded by an assessment, Vulnerability Assessment and Penetration Testing (VAPT) is a term commonly used. It's also possible to do both these in parallel: vulnerability assessment involving scans and analysis; pen testing involving analysis and attacks. A vulnerability scan is faster than detailed pen testing but pen testing is more accurate since some reported vulnerabilities might be false positives.

  • What are some types of pen testing?

    Pen testing typically covers one or more of the following:

    • Network: Involves firewalls, routers, SSH, port scanning, and anything else that will allow an attacker to gain network access.
    • Wireless: Often systems involve wireless access. Pen testing should look at wireless traffic, encryption protocols, unauthorized access points, poor passwords, MAC address spoofing, etc.
    • Web: Any website or web app can be vulnerable at the application layer. Pen testing should check cross-site scripting, SQL injections, DoS attacks, web server misconfiguration, failure to protect sensitive data, etc. This could include vulnerabilities on the client-side of the app.
    • Physical: Systems have to be physically secure as well in terms of locks, motion sensors, etc.
    • Social Engineering: Users can be manipulated or fooled to provide unauthorized access to systems. Phishing, tailgating and eavesdropping are some techniques.
    • Cloud: When apps reside in the cloud, cloud pen testing may be required. You will need to know from your cloud provider what assets are off limits for pen testing.
  • What are some methods or approaches to pen testing?
    Black-box, white-box and gray-box testing are different approaches to pen testing. Source: Core Sentinel 2017.
    Black-box, white-box and gray-box testing are different approaches to pen testing. Source: Core Sentinel 2017.

    External testing is useful to mimic how an outsider might attack the system. Internal testing is to ascertain how much and what damage a disgruntled employee or another user with authorized access can cause.

    Targeted testing is when multiple teams work together and everyone can see the tests as they execute. Blind testing is when limited information is given to the pen tester. Double-blind testing goes one step further: very few in the company know that pen testing is happening. This will determine if security monitoring and responses happen as expected.

    Black box testing is an extreme case of blind testing. Pen testers are given no information. White box testing gives pen testers lots of useful information to speed up the process. Black box testing is more real but slow. White box testing is more thorough.

  • When is the right time to do pen testing?

    Pen testing should be done regularly. Previous approaches of doing this annually are seen to be outdated. The recommendation is to have pen testing as part of regular development and release processes. If this is not possible in-house, there are providers who offer pen testing as a service.

    Typically, vulnerability scans could be part of CI/CD pipelines and longer attack tests could be done nightly. In addition, when there are changes made to the app/network/server/system, pen testing should be done. Such changes might include moving to a new office premise, releasing a patch, changing user policies, or adding new infrastructure.

  • Could you mention some tools that help in pen testing?
    A selection of tools for pen testing, often bundled in Kali Linux. Source: Flora 2017.
    A selection of tools for pen testing, often bundled in Kali Linux. Source: Flora 2017.

    It's interesting to note that tools that might be used by malicious hackers can also be useful for pen testing. The site SecTools.Org maintains a list of 100+ network security tools.

    Angry IP Scanner is for scanning IP addresses and ports. Ettercap can read and inject packets into the network adaptor. For cracking passwords there's Cain and Abel or John the Ripper. To crack Wi-Fi passwords, Aircrack-ng is useful. For attacking web apps, we have Burp Suite and OWASP ZAP. For exploiting SQL flaws, there's sqlmap. Nessus is a well-known vulnerability scanner. Wireshark is a popular tool for interactively analyzing network logs. Metasploit is a framework to develop and reuse exploit code. System admins can use Responder, Powershell Empire, Hashcat, Arpspoof and Wireshark.

    In any case, you should select tools that are easy to use, are suited for automation, can re-verify previous exploits, and generate detailed logs.

    Kali Linux is a Linux distribution that includes many useful tools for easy installation and use.

  • Isn't pen testing the same as ethical hacking?
    Comparing pen testing with ethical hacking. Source: Kostadinov 2016.
    Comparing pen testing with ethical hacking. Source: Kostadinov 2016.

    Often these two terms are used interchangeably but there's a subtle difference. Pen testing may be seen as a subset of ethical hacking. Pen testing is narrowly focused to discover and show that vulnerabilities can be exploited. Ethical hacking has a broader scope. An ethical hacker can use pen testing plus various other methods across the entire IT infrastructure.

    While pen testing aims to give confidence about system security (usually based on known vulnerabilities), ethical hacking will try to see things from the perspective of a malicious hacker. An ethical hacker may use novel techniques of hacking. He may use social engineering, rummage through logs, examine patch installations, sniff networks, etc.

    An ethical hacker may infiltrate the system, move laterally within or to other systems, and even export sensitive data. However, some pen testers may try to include these in their tests.

    It's important to note that both pen testers and ethical hackers are required to get written authorization and clear understanding of the scope of work.

  • Are there any standards or methodologies to guide in pen testing?

    Among the more well-known standards is Penetration Testing Execution Standard (PTES) that was defined in 2009. Its goal is to provide guidance about tools and techniques. A standard such as PTES is particularly useful when organizations engage external testers or testing services. With PTES, it's easier to filter out low quality testers.

    PTES does have its limitations. Threats are evolving rapidly and it's impossible for a static standard to be comprehensive. Thus, PTES should be seen as a minimum requirement. PTES Technical Guidelines are available online and publicly accessible.

    Another standard is called Open Source Security Testing Methodology Manual (OSSTMM) from ISECOM. It's been around since 2001. Payment Card Industry Data Security Standard (PCI DSS) provides guidance for pen testing among things. There's also Information Systems Security Assessment Framework (ISSAF) but this is not actively updated.

Milestones

1960

This decade sees the growing popularity of time-sharing computer systems. Users can remotely access and time-share computers over communication lines. It's recognized that if the communication lines are compromised, computer systems could be attacked.

1967

At the annual Joint Computer Conference held in the U.S., the security of computer communication lines is discussed. The term "penetration" is used for the first time. Subsequently, RAND Corporation and Advanced Research Projects Agency (ARPA) publish a detailed report, commonly called The Willis Report. This report becomes influential for later studies.

1972

From late 1960s and during 1970s, tiger teams are formed. They're sponsored by governments and companies. Their task is to attack computer systems, uncover security holes and then fix them. Pen testing as we know it today starts here. In 1972, an early pioneer of pen testing, James P. Anderson outlines steps that tiger teams can follow for pen testing.

1974

U.S. government conducts pen testing on its Multics (Multiplexed Information and Computing Service) system, an early system that precedes UNIX. The pen tests reveal many vulnerabilities despite Multics being one of the most secure systems.

1995

Dan Farmer of Sun Microsystems and Wietse Venema of the Eindhoven University of Technology release a paper titled Improving the Security of Your Site by Breaking Into It. They use the term "uebercracker" to refer to a system cracker who has gone beyond simple cookbook methods of breaking into systems. They also describe SATAN (Security Analysis Tool for Auditing Networks), one of the earliest tools to automate pen testing. It's written in shell, perl, expect and C.

Sep
2001

Open Web Application Security Project (OWASP) is started. It's pen testing tool, Zed Attack Proxy (ZAP) is released in September 2010. OWASP ZAP is free, open source, cross-platform and well documented.

2009

Penetration Testing Execution Standard (PTES) is started by six information security consultants. PTES provides guidelines towards effective pen testing.

References

  1. Agarwal, Meenakshi. 2017. "Five Types of Penetration Test to Zero in Potential Vulnerabilities." TechBeamers, May 15. Accessed 2019-01-14.
  2. Alpine Security. 2019. "The History of Penetration Testing." Alpine Security. Accessed 2019-01-14.
  3. Bloom, Malcolm. 2018. "Ethical Hacking vs. Penetration Testing." Bank4YOUGroup, via Medium, January 31. Accessed 2019-01-14.
  4. Boden, Emily. 2017. "Cybersecurity 101: Vulnerability Assessment vs. Penetration Testing." Blog, eSentire, August 01. Accessed 2019-01-14.
  5. Cipher. 2019. "The Types of Pentests You Must Know About." Cipher. Accessed 2019-01-14.
  6. Core Sentinel. 2017. "Black Box vs. White Box Testing: Key Differences Every Organisation Should Know." Core Sentinel, June 09. Accessed 2019-01-15.
  7. Cyber Security Masters Degree. 2019. "What Is The PTES (Penetration Testing Execution Standard)?" Cyber Security Masters Degree. Accessed 2019-01-14.
  8. Dhobley, Pallav and Aditya Gupta. 2013. "The OWASP Zed Attack Proxy." SlideShare, May 06. Accessed 2019-01-17.
  9. Fahey, Ryan. 2016. "The History of Penetration Testing." Resources, InfoSec Institute, July 21. Accessed 2019-01-14.
  10. Farmer, Dan and Wietse Venema. 1993. "Improving the Security of Your Site by Breaking Into It." December 02. Accessed 2019-01-17.
  11. Flora, Julio Della. 2017. "Penetration Testing Tools,Powerful Penetration Testing Tools." Wordpress Blog, April 27. Accessed 2019-01-15.
  12. Garbade, Michael J. 2018. "7 Best Cyber Security Penetration Testing Tools." Cybrary, May 02. Accessed 2019-01-14.
  13. Help Net Security. 2013. "How important is penetration testing?" Help Net Security, September 09. Accessed 2019-01-14.
  14. ISECOM. 2019. "Homepage." ISECOM. Accessed 2019-01-17.
  15. Imperva. 2018. "Penetration Testing." Web Application Security Center, Imperva. Accessed 2019-01-14.
  16. Kostadinov, Dimitar. 2016. "Ethical Hacking vs. Pentesting." Resources, InfoSec Institute, June 10. Accessed 2019-01-14.
  17. Microsoft Docs. 2018. "Learn how to add continuous security validation to your CI/CD pipeline." Azure DevOps, Microsoft Docs, April 26. Accessed 2019-01-15.
  18. OWASP. 2016. "Penetration testing methodologies." OWASP, April 01. Accessed 2019-01-14.
  19. OWASP. 2017. "OWASP ZAP 2.6 Getting Started Guide." Accessed 2019-01-14.
  20. Rouse, Margaret. 2011. "pen test (penetration testing)." TechTarget. Accessed 2019-01-14.
  21. Scott-Jackson, Toby. 2016. "The Evolution Of The Penetration Test." ISBuzz News, July 21. Accessed 2019-01-14.
  22. SecTools. 2019. "SecTools.Org: Top 125 Network Security Tools." Accessed 2019-01-15.
  23. Sundar, Venkatesh. 2018. "8 Website Penetration Testing Tools." Blog, Indusface, July 17. Accessed 2019-01-14.
  24. Trinka, Jeremy. 2018. "Five Pentesting Tools and Techniques (That Every Sysadmin Should Know)." Software Engineering, via Medium, April 15. Accessed 2019-01-14.
  25. Veracode. 2014. "Vulnerability Assessment and Penetration Testing." Veracode, February 03. Accessed 2019-01-14.
  26. Wikipedia. 2018. "Penetration test." Wikipedia, December 19. Accessed 2019-01-14.

Further Reading

  1. Software Testing Help. 2018. "Penetration Testing – Complete Guide with Sample Test Cases." Software Testing Help, December 03. Accessed 2019-01-14.
  2. PTES. 2012. "PTES Technical Guidelines." PTES, April 30. Accessed 2019-01-14.
  3. Rouse, Margaret. 2011. "pen test (penetration testing)." TechTarget. Accessed 2019-01-14.
  4. Testbytes. 2017. "Penetration Testing Tutorial: Stages, Types, Methods & Tools." Testbytes, December 20. Accessed 2019-01-14.

Article Stats

Author-wise Stats for Article Edits

Author
No. of Edits
No. of Chats
DevCoins
3
0
1422
2
1
64
1558
Words
3
Likes
6921
Hits

Cite As

Devopedia. 2019. "Penetration Testing." Version 5, January 18. Accessed 2024-06-25. https://devopedia.org/penetration-testing
Contributed by
2 authors


Last updated on
2019-01-18 02:27:08
  • Vulnerability Assessment and Penetration Testing
  • Penetration Testing Execution Standard
  • Network Penetration Testing
  • Web Penetration Testing
  • Ethical Hacking
  • Advanced Persistent Threat