Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit.
Penetration tests are typically performed using manual or automated technologies to systematically compromise servers, endpoints, web applications, wireless networks, network devices, mobile devices and other potential points of exposure. Once vulnerabilities have been successfully exploited on a particular system, testers may attempt to use the compromised system to launch subsequent exploits at other internal resources, specifically by trying to incrementally achieve higher levels of security clearance and deeper access to electronic assets and information via privilege escalation.
Information about any security vulnerabilities successfully exploited through penetration testing is typically aggregated and presented to IT and network systems managers to help those professionals make strategic conclusions and prioritize related remediation efforts. The fundamental purpose of penetration testing is to measure the feasibility of systems or end-user compromise and evaluate any related consequences such incidents may have on the involved resources or operations.
Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in.
Penetration Testing Strategies
- Targeted testing – Targeted testing is performed by the organization’s IT team and the penetration testing team working together. It’s sometimes referred to as a “lights-turned-on” approach because everyone can see the test being carried out.
- External testing – This type of pen test targets a company’s externally visible servers or devices including domain name servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an outside attacker can get in and how far they can get in once they’ve gained access.
- Internal testing – This test mimics an inside attack behind the firewall by an authorized user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could cause.
- Blind testing – A blind test strategy simulates the actions and procedures of a real attacker by severely limiting the information given to the person or team that’s performing the test beforehand. Typically, they may only be given the name of the company. Because this type of test can require a considerable amount of time for reconnaissance, it can be expensive.
- Double blind testing – Double blind testing takes the blind test and carries it a step further. In this type of pen test, only one or two people within the organization might be aware a test is being conducted. Double-blind tests can be useful for testing an organization’s security monitoring and incident identification as well as its response procedures.
Penetration Test Value
- Determining the feasibility of a particular set of attack vectors
- Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence
- Identifying vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software
- Assessing the magnitude of potential business and operational impacts of successful attacks
- Testing the ability of network defenders to successfully detect and respond to the attacks
- Providing evidence to support increased investments in security personnel and technology to C-level management, investors, and customers
- Meeting compliance requirements (for example, the Payment Card Industry Data Security Standard (PCI DSS) requires both annual penetration testing and ongoing penetration testing after any system changes)
- Post security incident, an organization needs to determine the vectors that were used to gain access to a compromised system (or entire network). Combined with forensic analysis, a penetration test is often used to re-create the attack chain, or else to validate that new security controls put in place will thwart a similar attack in the future.
Tools
Several operating system distributions are geared towards penetration testing.[18] Such distributions typically contain a pre-packaged and pre-configured set of tools, so the penetration tester does not have to hunt down each individual tool, which carries its own risk of complications such as compile errors, dependency problems and configuration errors. Acquiring additional tools may also not be practical in the tester’s context.
Popular penetration testing OS examples include:
- Kali Linux (which replaced BackTrack in December 2012) based on Debian Linux
- Pentoo based on Gentoo Linux
- WHAX based on Slackware Linux
Many other specialized operating systems facilitate penetration testing—each more or less dedicated to a specific field of penetration testing.
A number of Linux distributions include known OS and application vulnerabilities and can be deployed as targets. Such systems help new security professionals try the latest security tools in a lab environment. Examples include Damn Vulnerable Linux (DVL), the OWASP Web Testing Environment (WTE), and Metasploitable.
Software frameworks
- Metasploit
- nmap
- w3af
Process
Planning – Planning is the process of creating one or more detailed plans that balance demands against the available resources. The planning process involves the following actions, in sequence
- Identifies the goals or objectives to be achieved
- Formulates strategies to achieve them
- Arranges or creates the means required
- Implements, directs, and monitors all steps in their proper sequence.
Planning a hacking attack evaluates existing business processes and how they relate to a new business endeavor, and makes choices about which characteristics are worth pursuing and where you are not willing to accept risk.
Existing security policies, culture, laws and regulations, best practices, and industry requirements will drive many of the inputs needed to make decisions on the scope and scale of a test. Arguably, the planning phase of a penetration test will have a profound influence on how the test is performed and the information shared and collected, and will directly influence the deliverable and integration of the results into the security program.
Planning describes many of the details and their role in formulating a controlled attack. Security policies, program, posture, and ultimately risk all play a part in guiding the outcome of a test. What drives a company’s focus on security, its core business needs, challenges, and expectations will set the stage for the entire engagement.
Maintain Anonymity – Anonymity is the quality or state of being unknown or unacknowledged. Various techniques are used to remain anonymous; they usually include
- Hacking and using open or unsecured wireless networks usually in residential buildings
- Making use of anonymous or disposable e-mail accounts from free e-mail services
- Using infected computers or zombies or bots (at other organizations)
- Using borrowed or stolen remote desktop and VPN accounts
- Using public computers at libraries, schools, etc.
- Using internet proxy servers or anonymizer services
- Workstations or servers on the victim’s own network
Goal setting
- Define more specific goals. Align these goals with your business objectives. What are you and management trying to get from this process? What performance criteria will you use to ensure you’re getting the most out of your testing?
- Create a specific schedule with start and end dates as well as the times your testing is to take place. These dates and times are critical components of your overall plan.
Target System Identification
You might decide which systems to test based on a high-level risk analysis, answering questions such as
- What are your most critical systems? Which systems, if accessed without authorization, would cause the most trouble or suffer the greatest losses?
- Which systems appear most vulnerable to attack?
- Which systems crash the most?
- Which systems are not documented, are rarely administered, or are the ones you know the least about?
After you’ve established your overall goals, decide which systems to test. This step helps you define a scope for your ethical hacking so that you establish everyone’s expectations up front and better estimate the time and resources for the job. The following list includes devices, systems, and applications that you may consider performing your hacking tests on
- Routers and switches
- Firewalls
- Wireless access points
- Web, application, and database servers
- E-mail and file servers
- Mobile devices (such as phones and tablets) that store confidential information
- Workstation and server operating systems
Attack Tree Analysis
An attack tree provides a way of modeling the goal of an attack and the alternative ways to achieve that goal. This helps us study the system from the attacker’s point of view, which may lead us to determine possible ways the system can be compromised. By assigning cost or probability measures to the nodes of the attack tree, one can analyze whether the attacker’s effort is worth the value that can be achieved, and as a result, this helps analyze whether the system is at risk and vulnerable.
Attack trees are multi-leveled diagrams consisting of one root, leaves, and children. From the bottom up, child nodes are conditions that must be satisfied to make the direct parent node true; when the root is satisfied, the attack is complete. Each node may be satisfied only by its direct child nodes.
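The following is an added example, not part of the original article, showing how the cost and probability analysis described above can be carried out on a small attack tree. The tree is the classic "open the safe" textbook scenario, and every node name, cost figure and probability in it is constructed for illustration. Interior nodes are either OR gates (any one child satisfies the parent) or AND gates (all children are required), and each node is evaluated only from its direct children, as the text states. The names min_cost, success_prob, cheapest_path and worth_attacking are this example's own.

```python
"""Attack-tree analysis: minimal attacker cost and probability of success.

Added example (not from the original article). The tree, the cost
figures and the probabilities below are constructed for illustration.
"""
from dataclasses import dataclass, field
from math import prod
from typing import List, Optional


@dataclass
class Node:
    """One node of an attack tree.

    gate: "OR" (any one child suffices) or "AND" (every child is needed).
    Leaves carry the attacker's cost and probability of success directly;
    interior nodes derive both values from their direct children only.
    """
    name: str
    gate: str = "OR"
    cost: Optional[float] = None   # leaf: estimated attacker cost (e.g. dollars)
    prob: Optional[float] = None   # leaf: probability the step succeeds
    children: List["Node"] = field(default_factory=list)

    def is_leaf(self) -> bool:
        return not self.children


def min_cost(node: Node) -> float:
    """Cheapest way for the attacker to satisfy this node.

    OR gate: take the cheapest child.  AND gate: every child must be
    satisfied, so their costs add up.  A leaf reports its own cost.
    """
    if node.is_leaf():
        return node.cost
    child_costs = [min_cost(c) for c in node.children]
    return min(child_costs) if node.gate == "OR" else sum(child_costs)


def success_prob(node: Node) -> float:
    """Probability that the attacker satisfies this node, assuming the
    leaf probabilities are independent.  OR gate: 1 - P(every child
    fails).  AND gate: every child must succeed."""
    if node.is_leaf():
        return node.prob
    child_probs = [success_prob(c) for c in node.children]
    if node.gate == "OR":
        return 1.0 - prod(1.0 - p for p in child_probs)
    return prod(child_probs)


def cheapest_path(node: Node) -> List[str]:
    """Names of the leaf conditions on the cheapest attack path."""
    if node.is_leaf():
        return [node.name]
    if node.gate == "OR":
        return cheapest_path(min(node.children, key=min_cost))
    path: List[str] = []
    for c in node.children:
        path.extend(cheapest_path(c))
    return path


def worth_attacking(root: Node, asset_value: float) -> bool:
    """Rational-attacker test from the text: is the cheapest attack
    cheaper than the value the attacker would gain?"""
    return min_cost(root) < asset_value


# Constructed sample tree (textbook "open the safe" scenario).
SAFE_TREE = Node("Open safe", "OR", children=[
    Node("Pick lock", cost=30_000, prob=0.1),
    Node("Cut open safe", cost=10_000, prob=0.5),
    Node("Learn combination", "OR", children=[
        Node("Find written combination", cost=1_000, prob=0.2),
        Node("Get combination from owner", "AND", children=[
            Node("Identify who knows combination", cost=500, prob=0.9),
            Node("Bribe that person", cost=20_000, prob=0.3),
        ]),
    ]),
])

if __name__ == "__main__":
    print("cheapest attack cost:", min_cost(SAFE_TREE))
    print("cheapest path:", cheapest_path(SAFE_TREE))
    print("overall success probability: %.4f" % success_prob(SAFE_TREE))
    print("worth attacking for a $50,000 asset?", worth_attacking(SAFE_TREE, 50_000))
```

The defender's use of this is prioritization: raising the cost or lowering the probability of a leaf (for instance by adding a control that addresses "Find written combination") and re-running the analysis shows whether the cheapest path moves elsewhere or the root falls below the asset's value, which tells you which control actually changes the attacker's economics.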
Structuring, Executing and Reporting a Penetration Test
One miscommunication or slip-up can send the systems crashing during your ethical hacking tests. No one wants that to happen. To prevent mishaps, develop and document testing standards. These standards should include
✓ When the tests are performed, along with the overall timeline
✓ Which tests are performed
✓ How much knowledge of the systems you acquire in advance
✓ How the tests are performed and from what source IP addresses (if performed across the Internet)
✓ What you do when a major vulnerability is discovered
Make sure that the tests you perform minimize disruption to business processes, information systems, and people. You want to avoid harmful situations such as miscommunicating the timing of tests and causing a DoS attack against a high-traffic e-commerce site in the middle of the day, or performing password-cracking tests in the middle of the night. It’s amazing what a difference a 12-hour time shift (2 p.m. during major production versus 2 a.m. during down time) can make when testing your systems! Even having people in different time zones can create issues. Everyone on the project needs to agree on a detailed timeline before you begin. Having the team members’ agreement puts everyone on the same page and sets correct expectations.
If possible and practical, notify your Internet service providers (ISPs) or hosting collocation providers. These providers have firewalls or intrusion detection systems (IDS) or intrusion prevention systems (IPS) in place to detect malicious behavior. If your provider knows you’re conducting tests, it’s less likely to block your traffic.
You might have been charged with performing a general penetration test, or you may want to perform specific tests, such as cracking passwords or trying to gain access to a web application. Or you might be performing a social engineering test or assessing Windows on the network. However you test, you might not want to reveal the specifics of the testing. Even when your manager or client doesn’t require detailed records of your tests, document what you’re doing at a high level. Documenting your testing can help eliminate any potential miscommunication and keep you out of hot water.
When you start rolling with your ethical hacking, keep a log of the tests you perform, the tools you use, the systems you test, and your results. This information can help you do the following – track what worked in previous tests and why.