What is penetration testing
A penetration test, also known as a pen test, is a simulated cyber attack against your computer system to check for exploitable vulnerabilities. In the context of web application security, penetration testing is commonly used to augment a web application firewall (WAF).
Pen testing can involve the attempted breaching of any number of application systems, (e.g., application protocol interfaces (APIs), frontend/backend servers) to uncover vulnerabilities, such as unsanitized inputs that are susceptible to code injection attacks.
Insights provided by the penetration test can be used to fine-tune your WAF security policies and patch detected vulnerabilities.
Who performs penetration tests or pen tests?
Trained cybersecurity experts or teams, called penetration testers, pen testers, or ethical hackers, perform pen testing. They actively search for and exploit security weaknesses in computer systems and networks to help organizations identify and fix vulnerabilities before real attackers can exploit them.
6 types of penetration tests
There are six types of penetration tests; together they cover your organization’s IT infrastructure from every angle. Let’s look at each one in detail.
1. Network services penetration test
Network services penetration tests examine your network infrastructure, such as LANs, switches, and routers. It is possibly the most common penetration test in the industry. Experts recommend conducting both internal and external network tests at least once a year.
2. Web application penetration test
The web application penetration test scrutinizes web-based applications for exposed weaknesses that can put your cybersecurity at risk. In addition to testing applications, the test also finds vulnerabilities in databases, browsers, and their components, such as plugins, java scriptlets, and more. These tests are targeted and detailed and are carried out by identifying every touchpoint of the application with the user and examining it for flaws.
3. Client-side penetration test
You can conduct these tests to identify possible attacks on client-side applications or programs such as web browsers, email clients, multimedia flash players, and others. These detect attack vectors such as cross-site scripting, HTML injection, open redirections, and others.
4. Social engineering penetration test
You can conduct a social engineering penetration test by imitating how an attacker would retrieve sensitive information from internal users through phishing, tailgating, or other methods. These tests allow you to train your internal team better and keep them alert to malware and any fraudulent activity.
5. Wireless penetration test
These tests examine how your IT assets connect with one another and with the internet over wireless networks. The scope of these tests includes investigating laptops, PCs, and other IoT-enabled devices in your IT infrastructure. You should perform these tests on site so that you are within range of the WiFi network.
6. Physical penetration test
In such tests, the security professional attempts to overcome physical barriers to reach your organization’s IT assets and employees. These tests expose flaws in the physical barriers (such as locks, sensors, etc.) and recommend proper measures to strengthen your business’s security posture.
Penetration testing steps and pen testing tools
These steps and tools together form a complete toolkit for a pentester.
Step 1: Plan and Conduct Reconnaissance
This stage of pen testing involves thorough planning and information gathering about the target system or network. You should collect as much data as possible to understand the organization’s infrastructure, including IP addresses, domain names, network topology, and potential entry points.
You can use techniques such as DNS reconnaissance, WHOIS lookups, and searching for publicly available information on social media platforms, company websites, and online forums.
Let’s learn through examples below.
Recon tools:
A. Open Source Intelligence (OSINT) Tools:
- Shodan: Known as the “search engine for internet-connected devices,” Shodan allows you to discover specific types of computers connected to the internet using various filters.
- theHarvester: Use this tool for gathering information, like email addresses, subdomains, hosts, employee names, open ports, and banners. Where does it get this info? It searches through various public sources such as search engines, PGP key servers, and even a computer database called SHODAN.
- Recon-ng: A full-featured Web Reconnaissance framework written in Python. Use this for a powerful environment to conduct open source web-based reconnaissance quickly and thoroughly.
- Maltego: An open-source intelligence (OSINT) and graphical link analysis tool for gathering and connecting information for investigative tasks.
B. Domain and IP Analysis Tools:
- nslookup, dig: Use these for DNS reconnaissance to identify domain names and IP addresses. DNS stands for Domain Name System. It’s like the address book of the internet. When you type in a URL, like www.google.com, the DNS translates that into an IP address, which is a numerical label assigned to each device connected to a computer network. ‘nslookup’ and ‘dig’ are tools that help us look up this information. We use them to identify domain names and IP addresses:
nslookup example.com
dig example.com
- whois: The “whois” tool is like an online directory for websites. When you use “whois” with a domain name, it tells you who owns that domain. Use whois to get information such as the domain’s registration and expiry dates, and who registered it. To use it, you type “whois” followed by the domain, like this:
whois example.com
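The text that dig and whois print is meant for people, so checking recon results for a whole list of domains (stale records, unexpected name servers, domains about to expire) is easier once it is parsed. The following is an added example, not part of the original article; the dig and whois outputs it parses are constructed samples, and the function names are assumptions.

```python
"""Parse `dig` and `whois` output so DNS recon results can be checked by script.
Added example; the sample outputs below are constructed, not captured."""
import re
from datetime import datetime, timezone

# Constructed `dig example.com` answer section (presentation format).
DIG_OUTPUT = """\
;; ANSWER SECTION:
example.com.\t\t3600\tIN\tA\t192.0.2.10
example.com.\t\t3600\tIN\tA\t192.0.2.11
example.com.\t\t300\tIN\tMX\t10 mail.example.com.

;; Query time: 20 msec
"""

# Constructed `whois example.com` output in the common "Key: Value" layout.
WHOIS_OUTPUT = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2026-08-13T04:00:00Z
Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET
"""

def parse_dig_answers(text):
    """Return (name, ttl, type, rdata) tuples from dig's ANSWER SECTION."""
    records, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if not line.strip() or line.startswith(";"):
            in_answer = False          # blank line or next section ends it
            continue
        if in_answer:
            name, ttl, _cls, rtype, rdata = line.split(None, 4)
            records.append((name.rstrip("."), int(ttl), rtype, rdata))
    return records

def parse_whois(text):
    """Collect whois fields; repeated keys (e.g. Name Server) become lists."""
    fields = {}
    for m in re.finditer(r"^([A-Za-z ]+):\s*(.+)$", text, re.M):
        fields.setdefault(m.group(1).strip(), []).append(m.group(2).strip())
    return fields

def days_until_expiry(fields, today_iso):
    """Days from today_iso (e.g. '2026-01-01') to the registry expiry date."""
    expiry = datetime.fromisoformat(
        fields["Registry Expiry Date"][0].replace("Z", "+00:00"))
    today = datetime.fromisoformat(today_iso).replace(tzinfo=timezone.utc)
    return (expiry - today).days
```

A negative or small result from `days_until_expiry` is worth an alert: an expired domain can be re-registered by anyone, and every record the dig parser returns then points at infrastructure you no longer control.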
How is penetration testing done?
Plan the penetration test
Conducting a penetration test requires a great deal of preparation. It’s advisable to call a kickoff meeting with the security professionals to decide the project’s scope, objectives, and stakeholders. It would also help if you fixed a timeline for these tests, as you don’t want to disturb the company’s everyday operations amid the testing.
During the tests, there is a possibility that some systems may crash under the increased network traffic the tests generate. You can exclude those systems from the scope to prevent such incidents. In the planning phase, it is also vital to decide whether the staff needs to be informed.
A complete penetration test involves activities that would be illegal without authorization. You must ensure that you have obtained written legal clearance from the company before conducting the test, as it protects the company’s interests and protects the tester from legal action.
Gather information
After planning the penetration test, the next step is to gather information. You can conduct network surveys and identify the number of reachable systems. Here, you can expect the domain names, database server names, ISPs, host IP addresses, and a network map as a result of the survey.
Once you have completed the network survey, you can move on to port scanning. Now you have to detect the open and closed ports in the network. This is also the place where you exclude those ports which the organization doesn’t want to test.
Scan for vulnerabilities
Now that you have gathered sufficient information about the systems, the next step is to identify the vulnerabilities that exist in those systems. You can use vulnerability scanning tools to automate this process and prepare a list of vulnerabilities to target closely.
Vulnerability scanners prepare the list of vulnerabilities automatically and prioritize them based on the risk score. This enables you to target those that can have a higher impact on your cybersecurity or those that are easier to exploit.
Attempt the penetration
Once you have identified the vulnerabilities, the next step is to attempt the penetration. Before moving ahead with it, you must estimate how long a particular pen test will take and what the targets will be.
Even if vulnerabilities exist, it does not follow that they can be exploited easily; exploiting some of them may take an attacker a lot of effort and time. Those can be handled in the long-term plan, whereas vulnerabilities that are easy to exploit and pose a considerable risk should be taken up as a priority.
These days password cracking is normal practice in penetration tests. Services like Telnet and File Transfer Protocol (FTP) running on systems are a common starting point for a password cracker. You can use a dictionary attack (using a word list of dictionary files), a hybrid crack (using variations of the words in a dictionary file), or brute force (testing passwords made up of characters by going through all the possible combinations).
It doesn’t end here. There are two more areas through which you can test the company’s security: social engineering and bypassing physical security. You have to check these as well to conduct a comprehensive penetration test.
Analyze and report
Once you have completed all the steps mentioned above, the subsequent step is reporting. Your report starts with an overview of penetration testing. Moving forward, you can highlight the most critical vulnerabilities that could substantially impact the company. Then, you state the less critical ones.
The sole reason for separating the vulnerabilities into critical and less critical is to help organizations make decisions. Altogether, your report should cover a summary of the process, a comprehensive list of information gathered, a list of vulnerabilities, their description and suggestions, and recommendations for the remediation process.
Clean up
The last step of the penetration testing process is cleaning up. You have to undo any changes that were made during the pen test, and you should clean up compromised hosts securely so that you don’t affect the organization’s normal operations. It’s the penetration tester’s responsibility to inform the organization about the changes that were made during the penetration test and to revert them back to normal.