You Will Learn:

• What is Penetration Testing
• The Different Penetration Testing Types
• Understand the differences between White, Grey and Black box Testing
• Penetration Testing Phases
• Benefits of Penetration Testing

What are the Benefits of Penetration Testing

Assess systems, networks, applications or devices to find vulnerabilities that could have been missed during engineering or development. Pen testing can help an organization with the following:

1. Gain an understanding of the current security posture of the assessed environment.


2. Identify vulnerabilities that may not be identified using automated testing.


3. Support compliance and data standards such as HIPPA, GDPR, DPA, PCI DSS.


4. Test existing security controls against an attack simulation; to see if they are sufficient.

Penetration Testing Types:

Internal vs External Penetration Tesring

External Penetration Testing: The target scope is assessed from the perspective of an attacker positioned externally, e.g., attacking from the internet with no other information provided by the client organization.

Internal Penetration Testing: The target scope is assessed from the perspective of an attacker who gained a foothold within the network, or for example a rogue employee.

In a nutshell: External testing is conducted remotely to simulate a remote attacker, internal testing is typically conducted in person or via remote access (VPN, deployed appliance) to simulate an in-person attacker or rogue employee.

What is White, Grey & Black box Security Testing?

The following testing types, often called “testing basis” covers the information provided by the organization to the penetration tester, ultimately defining how much accesses is given to the ethical hacker:

• What is Black box pen testing: Black box penetration testing is performed with no prior knowledge of the target network, system or application. E.g., a client gives you an IP address range and provides no other information regarding the scope. A Black box penetration test is often also referred to as single-blind testing or closed-box.
• What is White box pen testing: White box testing is performed with prior knowledge of the target and potentially client-side access to the network, system or application. E.g., a mobile app penetration test with a client who has provided the source code for their application. A White box penetration test is often also referred to as open-box testing, or transparent-box.
• What is Grey box pen testing: Grey box testing is a mixture of black and white box testing, some information is provided but only to assist with the penetration test. E.g., a web application penetration is typically performed grey box as the client provides user accounts for the pen test.

In a nutshell: Black box pen testing provides little to no details of the target; white box provides target information and grey box testing is a mixture that provides the bear minimum to get the penetration test done.

Penetration Testing Phases: Step by Step

1. Scoping: Define the scope, goals, and objectives of the test. Identify the systems and networks to be tested and establish a clear understanding of the testing environment.


2. Reconnaissance: Gather information about the target, like domain names, IP addresses, and network infrastructure. If the target is an application, you would step through the functionality and observe how the application is intended to be used.


3. Vulnerability Scanning: Use automated tools to discover live hosts, open ports, and services. It's like finding all the doors and windows of a building you want to break into. If an application is the target web application vulnerability scanning tools can be used to help identify any low hanging fruit.


4. Exploitation: An attempt to exploit vulnerabilities to gain unauthorized access or in the case of an application abuse a function to do things the developer did not intend, just like a real attacker would. This process could involve using known exploits and attack vectors or trying to find new ones.


5. Escalation: Attempt to escalate privilege of the vulnerability, either by chaining vulnerabilities and/or performing exploiting the host operating system.


6. Persistence: Aka pivoting, after a single host has been compromised the machine could be used to access other services or hosts using a process called pivoting.


7. Reporting: Fun time is officially over, now it is time for the consultant to document the issues discovered in the above processes and present them in a report that documents the discovered issues, severity, risk, and a recommendation to fix any discovered vulnerabilities.

Taking Care

Stay in Scope

As a penetration tester you are carrying out a controlled simulation; care must be taken to always adhere to the scope and not step outside of the agreed upon assessment scope.

Technical Contact

If issues or questions arise, always ensure you have a direct contact with the organisations technical contact. You may need to clarify an area of the scope or seek additional approval before executing a potentially disruptive exploit. Firewalls and WAF’s might cause issue during testing and require you to contact the client to add your testing IP on their allow list.

Penetration Testing Tools

During an assessment multiple tools will be used depending on the phase of the test and type of pen test that is being performed.

An example of an indicative list of some pen test tooling for an infrastructure penetration test:

1. Reconnaissance: Tools such as subfinder, Google dorks, Waybackurls, Nmap, Naabu, Shodan, recon-ng, TheHarvester.


2. Vulnerability Scanning: OpenVAS, Nessus, Nuclei.


3. Exploitation: Exploit-db, Metasploit Framework, OpenVAS, Nessus, Nuclei.


4. Escalation: Typically privilege escalation is performed manually against appliances or operating systems, e.g., using a Linux local privilege escalation script or by performing this manually.


5. Pivoting: Again, this phase is performed manually and depends greatly on the target operating system which has been compromised, see our pivoting cheat sheet for more information.

For more information see our cheat sheet on penetration testing tools.

Penetration Testing FAQ

How Much How Much Does a Penetration Test Cost?

The cost of a penetration test can vary widely depending on several factors such as the scope of the test, the complexity of the systems being tested, the size of the organization, and the expertise of the security firm conducting the test. This is another reason why careful, and accurate scoping should be performed.

Generally, you can expect to pay anywhere from a few thousand dollars to tens of thousands of dollars for a comprehensive penetration test. Some firms may charge hourly rates, while others may offer fixed-price packages for specific types of tests.

It's essential to carefully consider your organization's needs and budget when selecting a penetration testing provider and to ensure that you're getting a thorough and reliable assessment of your security posture.

What is Enumeration?

In the context of penetration testing, enumeration refers to the process of actively gathering information about a target system or network to identify potential vulnerabilities or weak points that could be exploited by attackers.

Enumeration typically involves using various techniques such as scanning, probing, and querying to gather information about network services, system configurations, user accounts, and other relevant details. This information can then be used by the penetration tester to assess the security posture of the target environment and identify potential avenues for further exploitation.

How Often Should an Organization Perform a Penetration Test?

Organizations should perform penetration tests regularly to proactively identify and address security vulnerabilities and assess the effectiveness of their security controls. The frequency of testing may vary depending on factors such as regulatory requirements, changes in the IT environment, and the organization's risk profile. Typically, organizations should conduct penetration tests annually or more frequently if there are significant changes to the IT infrastructure, applications, or security policies.

Regular penetration testing helps organizations stay ahead of evolving threats, validate the effectiveness of security measures, and ensure compliance with regulatory requirements. It also provides valuable insights into potential weaknesses in the security posture that can be addressed to mitigate the risk of security breaches and data breaches. Ultimately, the goal is to establish a proactive approach to security that helps organizations identify and address vulnerabilities before they can be exploited by malicious actors.

What Systems Should Be Tested?

During a penetration test, it's essential to test a wide range of systems, networks, and applications to identify potential vulnerabilities and assess the overall security posture of an organization. This includes testing both internal and external-facing systems, as well as web applications, databases, and other critical assets.

Overview:

• External-facing systems:
  • Web servers
  • Email servers
  • DNS servers
  • VPN gateways
  • Remote access services


• Internal systems:
  • Workstations
  • Servers
  • Printers and other network devices
  • Internal applications and services


• Web & Mobile applications:
  • Customer portals
  • E-commerce platforms
  • Content management systems
  • Web APIs
  • iOS & Android mobile apps


• Databases:
  • SQL servers
  • NoSQL databases
  • Data warehouses
  • Data lakes


• Wireless networks:
  • Wi-Fi access points
  • Wireless controllers
  • Bluetooth devices


• Cloud services:
  • Infrastructure as a Service (IaaS) platforms
  • Platform as a Service (PaaS) offerings
  • Software as a Service (SaaS) applications


• Physical security:
  • Access control systems
  • Surveillance cameras
  • Alarm systems


• Human factors:
  • Social engineering attacks
  • Phishing simulations
  • Security awareness training

What Is Recon?

“Recon” is an abbreviation for reconnaissance, which refers to the preliminary phase of information gathering about a target system or network. Reconnaissance involves collecting data about the target environment to understand its structure, components, and potential vulnerabilities.

What is Persistence?

In this context, "persistence" refers to the ability of an attacker to maintain access to a compromised system or network over an extended period without being detected. After gaining initial access through a vulnerability or exploit, an attacker may seek to establish persistence by deploying reverse shells, creating hidden user accounts, installing malicious software, or modifying system configurations to maintain access even after the initial breach has been remediated.

Conclusion

In conclusion, penetration testing serves as a crucial pillar of proactive cybersecurity strategies, offering organizations a vital means to assess and fortify their digital defenses. By simulating real-world cyber-attacks, penetration testing provides invaluable insights into potential vulnerabilities, helping organizations identify and mitigate risks before they are exploited by malicious actors. From uncovering weaknesses in network infrastructure to evaluating the security of web applications and cloud services, penetration testing empowers organizations to proactively strengthen their security posture and safeguard sensitive data. Embracing penetration testing as a regular practice enables organizations to stay ahead of emerging threats, comply with regulatory requirements, and instill confidence in their ability to protect against cyber threats in an increasingly interconnected digital landscape.