Penetration Testing: Methodologies and Standards

With so much technology around, there is an increased risk of cyber-attacks. Businesses have increased their dependency on IoT, cloud, social media, and mobile devices. With the rise in dependency on technology, there is a rise in cyber risk. You can find headlines about cyber-attacks almost every day. Hackers use improved methods to steal billions of important records and dollars at an alarming rate. The way, which can prove useful to combat these attacks is penetration testing.

One of the most widely used methods for identifying vulnerabilities is penetration testing.

Penetration testing involves deliberate attacks on the system for identifying vulnerabilities. Weaker areas are the ones that can provide a passage to unauthorized and malicious attacks and alter the veracity and integrity. Penetration testing helps in fixing various loopholes and security bugs.

Penetration testing also tests the capability of the system to stop unexpected malicious attacks. Following are the common reasons for system vulnerability:

• Complexity
• Error in designing
• Network connectivity
• System and configuration mismatch
• Human-induced error
• Communication

Penetration testing is great for finding gaps in the security tools of the organization. It finds misconfigurations and various attack vectors. Penetration testing prioritizes the risks, resolve them, and drastically improve the security response time.

Various Phases of Penetration Testing

The work of penetration tester starts by assimilating the target information. The next thing is detecting the vulnerabilities by the process of scanning. After that, the tester launches an attack. After the attack, he analyses each and every vulnerability and the various risks involved. Finally, the penetration tester submits a detailed report to higher authorities, which contains a summary of the results of the penetration test.

Depending on the organization and type of testing, penetration testing can be categorized into multiple phases.

Let’s discuss every phase:

Observation & Planning

Observation and planning come in the very first phase of penetration testing. Here, the penetration tester gathers detailed information about the target. The information can be mail servers, network topology, IP addresses, domain details, etc. In this phase, the penetration tester also outlines the scope and aim of a test, including the testing methods and systems, which need to be addressed. An expert penetration tester spends most of the time in this phase, as this phase sets the tone of other phases, and it helps in the coming phases of the attack.

Scanning

To identify the vulnerabilities, the penetration tester interacts with the target and uses the data assimilated in the first phase. This method provides a great way to launch attacks using all the vulnerabilities in the system. The phase involves the use of tools like vulnerability scanners, port scanners, network mappers, and ping tools.

The scanning part, while testing web applications, can be either dynamic or static.

•  The goal in static scanning is to identify libraries, the vulnerable functions, and logic implementation
•  Dynamic analysis is considered more practical as, in dynamic analysis, the penetration tester records the responses and passes inputs to the application.

Actual Exploit

Actual Exploit is a crucial phase and needs to be performed with care. The actual damage is done in this step. Penetration Tester is required to have some out of the box techniques and skills to launch an attack on the target system. With the usage of techniques, the penetration tester will try to compromise the system, get the data, launch attacks, etc. The phase helps to understand to what extent the application, network, or computer system can be compromised.

Risk Analysis & Recommendations

After the completion of penetration testing, the final goal is to gather proof of the exploited vulnerabilities. The step includes considering all the steps that we have discussed above and the evaluation of all the vulnerabilities present, which can pose potential risks. Sometimes, the step includes providing useful recommendations by the penetration tester to improve security levels.

Report Generation

Report generation is the final step of penetrating testing and is also one of the most important steps. The step involves compiling the results of the penetration test into a detailed report. 

The report consists of the following details:

• Identified vulnerabilities and the risk levels they posses
• Summary of the penetration test
• Suggestions for future security

The phases may vary according to the type of organization and the type of penetration test they conduct.

 Now, we will explore different types of Penetration Testing:

The penetration testing can be divided based on different parameters such as the position of the penetration tester, the area where the penetration testing is performed, knowledge of the target.

Types of Penetration Testing on the Basis of Knowledge of the Target

Black Box

When the penetration tester is not aware of the target, it is called a black box penetration test. The black box test requires a lot of time. Penetration testers use automated tools for finding the weak spots and all the vulnerabilities.

White Box

In white box testing, the penetration tester is provided with the complete knowledge of the target. The penetration tester has complete knowledge of the code samples, IP addresses, operating system details, etc. It requires much less time than black box penetration testing.

Grey Box

In grey box testing, the penetration tester has partial information about the target. In this case, the tester has some knowledge of the target information like IP addresses, URLs, etc., but he doesn’t have complete knowledge.

Penetration Testing Types in terms of the Position of Tester:

• When the penetration test is done from outside the network, it is called external penetration testing.
• When the attacker has a presence inside the network, simulation of the scenario is referred to as internal penetration testing.
• A firm’s IT team and the penetration testing team performs the targeted testing. Both teams work together to perform targeted testing.
• Then there is a blind penetration test, in which the penetration tester is provided with no information except the name of the organization.
• In a double-blind test, not more than one or two persons within the organization are aware of the test.

Penetration Testing Types in Terms of where it is Performed

The aim of network penetration testing is to find the vulnerabilities and weaknesses of the network infrastructure of the company. Network penetration testing involves bypass testing, firewall configuration, DNS attacks, stateful analysis testing, etc. The most common software packages under examination during this test are:

• SQL Server
• Secure Shell (SSH)
• MySQL
• Simple Mail Transfer Protocol (SMTP)
• File Transfer Protocol

Application Penetration Testing

Wireless Penetration Testing

Wireless penetration testing involves testing of all the wireless devices used in an organization. It includes items such as smartphones, tablets, notebooks, etc. This test spots vulnerabilities regarding wireless access points, wireless protocols, and admin credentials.

Social Engineering

The Test involves attempting to get sensitive or information by purposely tricking an employee of the company. There are two subsets here.

Remote testing – comprises of tricking an employee into revealing sensitive information of the organization via an electronic means, such as mail, fax or phone.

Physical testing – involves the use of a physical mean to get sensitive information, like threatening or blackmailing an employee.

Client-Side Penetration Testing

The client-side penetration testing is done to know about the security issues regarding the software running on the workstations of customers. The primary goal of client-side penetration testing is searching and exploiting vulnerabilities in client-side software.

The aim of this type of testing is to know about the security issues in terms of software running on the customer’s workstations. Its primary goal is to search and exploit vulnerabilities in client-side software programs.

Tools used for Penetration Testing

Nessus

Nessus is a web application and network vulnerability scanner. It has the potential of performing various types of scans and helps in identifying vulnerabilities. The full version of the tool is powerful and has some exceptional features, which help during the scanning phase.

Dirbuster

It is a directory busting tool and helps penetration tester to find the directories. The tool helps in finding directories, which are difficult to find. Dirbuster takes an input list and tests its availability.

Metasploit

This exploitation framework is packed with numerous capabilities. A skilled penetration tester can generate shellcodes, payloads, gain access, and perform escalation attacks. The framework uses python and ruby for most of the scripts. Therefore knowledge of the languages will be beneficial.

Burp Suite

The tool is used for testing web applications. For example, there is a test web application, which is not used after the production push. A penetration tester can use Burp Suite to dig deeper and hunt for vulnerabilities in the application.

Why There is a Need for Tools?

• The benefit of using penetration testing tools is, that it saves time as well as effort. Tools identify the vulnerabilities, and you can focus on the next stage.
• With tools, you can be more accurate with the findings; the false positives get minimized to a large extent.
• A penetration tester might not be an expert in all the phases of the test. Thus there is a need for tools.
• Tools generate easy to understand reports, which can be used by executive management.
• Tools automate manual tasks, which allow penetration testers to focus on skilled work.

Final Words