1) Introduction To Penetration Testing

Uploaded by cyberxhell78660

Introduction to Penetration Testing
What is penetration testing?
Penetration testing (or pen testing) is a security exercise where a cyber-security expert attempts to find and
exploit vulnerabilities in a computer system. The purpose of this simulated attack is to identify any weak
spots in a system’s defenses which attackers could take advantage of.

This is like a bank hiring someone to dress as a burglar and try to break into their building and gain access to
the vault. If the ‘burglar’ succeeds and gets into the bank or the vault, the bank will gain valuable information
on how they need to tighten their security measures.
Who performs pen tests?
It’s best to have a pen test performed by someone with little to no prior knowledge of how the system is
secured, because they may be able to expose blind spots missed by the developers who built the system. For
this reason, outside contractors are usually brought in to perform the tests. These contractors are often
referred to as ‘ethical hackers’, since they are hired to hack into a system with permission and for the
purpose of increasing security.

Many ethical hackers are experienced developers with advanced degrees and a certification for pen testing.
On the other hand, some of the best ethical hackers are self-taught. In fact, some are reformed criminal
hackers who now use their expertise to help fix security flaws rather than exploit them. The best candidate
to carry out a pen test can vary greatly depending on the target company and what type of pen test they
want to initiate.
Types of pen tests

1. Open-box pen test. In an open-box test, the hacker will be provided with some information ahead of
time regarding the target company’s security info.
2. Closed-box pen test. Also known as a ‘single-blind’ test, this is one where the hacker is given no
background information besides the name of the target company.
3. Covert pen test. Also known as a ‘double-blind’ pen test, this is a situation where almost no one in
the company is aware that the pen test is happening, including the IT and security professionals who
will be responding to the attack. For covert tests, it is especially important for the hacker to have the
scope and other details of the test in writing beforehand to avoid any problems with law enforcement.
4. External pen test. In an external test, the ethical hacker goes up against the company’s external-facing
technology, such as their website and external network servers. In some cases, the hacker may not
even be allowed to enter the company’s building. This can mean conducting the attack from a remote
location or carrying out the test from a truck or van parked nearby.
5. Internal pen test. In an internal test, the ethical hacker performs the test from the company’s internal
network. This kind of test is useful in determining how much damage a disgruntled employee can cause
from behind the company’s firewall.
Aftermath of a pen test
After completing a pen test, the ethical hacker will share their findings with the target company’s security
team. This information can then be used to implement security upgrades to plug up any vulnerabilities
discovered during the test. These upgrades can include rate limiting, new WAF rules, and DDoS mitigation,
as well as tighter form validations and sanitization.
Exactly What Gets Tested in a Pentest?
Penetration tests don't have to encompass an entire network; they can focus on specific applications, services,
and methodologies. Tests on larger environments can focus on a particular aspect of the network rather
than the entire company as a whole. This focus helps organizations budget for upgrades and make time to
implement the necessary remediations after a set of smaller pentests without becoming overwhelmed.

Different areas of a company that may get penetration tested include:

Web applications
Wireless networks
Physical infrastructure
Social engineering

Web Applications

Organizations use web application penetration testing to prevent bad actors from exploiting vulnerabilities
on client-facing apps. These tests can vary in complexity due to the vast amount of different browsers,
plugins, and extensions that all come into play when running a pen test on a web application.

Web app vulnerabilities can leak sensitive information that may help attackers during the information
gathering stage of an attack or get backend access into a specific application.

Agile code can be used to combat these attacks, along with regular testing in sandbox environments on a
web development branch. Even after testing and deployment, penetration testers can bring new exploits to
light to help companies avoid a real attack.

Bug bounty programs are a great way to incentivize ethical hackers to test the latest exploits against
different web applications.

Wireless Networks
The inherent openness of Wi-Fi makes it an attractive target for both curious passersby and dedicated
attackers. Penetration testers can use many specialized tools that test the reliability and security of different
wireless technologies.

Packet sniffers, rogue access points, and deauthentication attacks can be used to hijack wireless sessions
and gain a foothold into a private network. Wireless pen testers can also validate the security settings on a
guest Wi-Fi network.

For instance, if access rules aren't configured properly, and the guest network isn't on its own VLAN, an
attacker can potentially gain access to the private network from the guest wireless.
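As an added illustration of the guest-network misconfiguration just described (example code, not part of the original document): a first-match firewall policy evaluator that checks whether a host on the guest VLAN can reach internal address ranges. The weak policy shows the common ordering mistake where a broad allow rule shadows the guest deny rule. All subnets and rules are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR the rule applies to as source
    dst: str      # CIDR the rule applies to as destination
    action: str   # "allow" or "deny"


# Constructed addressing (assumption, not from the document): guest Wi-Fi on its
# own VLAN at 192.168.30.0/24, corporate workstations and servers on 10.10.0.0/16.
GUEST_NET = "192.168.30.0/24"
INTERNAL_NETS = ["10.10.0.0/16"]

# Weak policy: the guest deny rule exists but is shadowed by an earlier broad allow,
# so a guest client can still reach the private network.
WEAK_POLICY = [
    Rule("192.168.0.0/16", "0.0.0.0/0", "allow"),   # intended for corporate Wi-Fi, too broad
    Rule("192.168.30.0/24", "10.10.0.0/16", "deny"),  # never reached for guest traffic
]

# Corrected policy: deny guest-to-private first, then allow guest to the internet only.
CORRECTED_POLICY = [
    Rule("192.168.30.0/24", "10.0.0.0/8", "deny"),
    Rule("192.168.30.0/24", "192.168.0.0/16", "deny"),
    Rule("192.168.30.0/24", "0.0.0.0/0", "allow"),
    Rule("10.10.0.0/16", "0.0.0.0/0", "allow"),
]


def evaluate(policy, src_ip, dst_ip, default="deny"):
    """First-match evaluation, the way an ordered firewall rule base is processed."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in policy:
        if src in ipaddress.ip_network(rule.src) and dst in ipaddress.ip_network(rule.dst):
            return rule.action
    return default


def guest_isolation_violations(policy, guest_net=GUEST_NET, internal_nets=INTERNAL_NETS):
    """Probe the first and last usable host of each internal range from a guest address."""
    guest_host = str(next(ipaddress.ip_network(guest_net).hosts()))
    violations = []
    for net in internal_nets:
        n = ipaddress.ip_network(net)
        for target in (n.network_address + 1, n.broadcast_address - 1):
            if evaluate(policy, guest_host, str(target)) == "allow":
                violations.append((guest_host, str(target)))
    return violations
```

Running the check against a rule base exported from the real firewall, with the organisation's actual guest and internal ranges, is the form this validation takes in a wireless pen test.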

Physical Infrastructure

No security software can stop someone from physically picking up a server and walking out the door with it.
While that may seem far-fetched, brazen criminals utilize social engineering to masquerade as technicians,
janitors, or guests to gain physical access to sensitive areas.

In a physical penetration test, doors, locks, and other physical controls are put to the test to see how easily
bad actors can bypass them. Cheap locks are often easily picked, while cheap wireless motion detectors can
be fooled with a bit of ingenuity.

If physical restrictions are present, a tester will usually use a series of non-destructive tools to attempt to
bypass any locks or sensors that are in place.

Social Engineering
Attackers use social engineering to trick staff members into giving privileged information or access to an
organization. The attempt may take the form of a phishing email, a phone call, or someone on site physically
pretending to be someone they're not.

The ultimate defense against social engineering is knowledgeable and trained staff. Email phishing training
has been shown to reduce the number of malicious emails opened. Having policies and procedures in place
for visitors can also prevent unauthorized physical access.

Social engineering tests often take place in email or over the phone. Software platforms can be used to send
fake phishing emails consistently. Those who click links or reply can be automatically given remediation
training. Over time this type of training helps strengthen both the IT infrastructure and the knowledge of all
staff members.
Stages of pen testing
Pen testing can be divided into the following six stages:

1. Reconnaissance and planning. Testers gather all the information related to the target system from public
and private sources. Sources might include incognito searches, social engineering, domain registration
information retrieval and nonintrusive network and vulnerability scanning. The information is vital for the
testers, as it provides clues into the target system's attack surface and open vulnerabilities, such as
network components, operating system details, open ports and access points.
2. Scanning. Based on the results of the initial phase, testers might use various scanning tools to further
explore the system and its weaknesses. Pen testing tools -- including war dialers, port scanners, security
vulnerability scanners and network mappers -- are used to detect as many vulnerabilities and loopholes
as possible. The vulnerabilities are then shortlisted for exploitation.
3. Obtaining entry. During this stage, testers exploit vulnerabilities assessed in the previous phase by
making a connection with the target. The testers conduct common web application security attacks --
including a denial-of-service (DoS) attack, SQL injections and backdoors, session hijacking and cross-site
scripting -- to expose the system's vulnerabilities, which are then exploited through privilege escalations,
traffic interception or data stealing techniques.
4. Maintaining access. This stage ensures that the penetration testers stay connected to the target for as
long as possible and exploit the vulnerabilities for maximum data infiltration. This stage imitates an
advanced persistent threat, which can stay active in a system for prolonged periods to steal sensitive
data and cause further damage.
5. Analysis. The testers analyze the results gathered from the penetration testing and compile them into a
report. The report details each step taken during the testing process.
6. Cleanup and remediation. Once the testing is complete, the pen testers should remove all traces of tools
and processes used during the previous stages to prevent a real-world threat actor from using them as an
anchor for system infiltration. During this stage, organizations should start remediating any issues found in
their security controls and infrastructure.
Why is pen testing important?
A test run of a cyber attack, a penetration test offers insights into the most vulnerable aspects of a system. It
also serves as a mitigation technique, enabling organizations to close the identified loopholes before threat
actors get to them.

The following are four reasons why organizations should conduct pen testing:

1. Risk assessment. The rate of distributed DoS, phishing and ransomware attacks is dramatically
increasing, putting most companies at risk. Considering how reliant businesses are on technology, the
consequences of a successful cyber attack have never been greater. A ransomware attack, for instance,
could block a company from accessing the data, devices, networks and servers it relies on to conduct
business. Such an attack could result in millions of dollars of lost revenue. Pen testing uses the hacker
perspective to identify and mitigate cybersecurity risks before they're exploited. This helps IT leaders
perform informed security upgrades that minimize the possibility of successful attacks.
2. Security awareness. As technology continues to evolve, so do the methods cybercriminals use. For
companies to successfully protect themselves and their assets from these attacks, they need to be able
to update their security measures at the same rate. The caveat, however, is that it's often difficult to
know which methods cybercriminals are using and how they might be used in an attack. But by using
skilled ethical hackers, organizations can quickly and effectively identify, update and replace the parts of
their systems that are particularly susceptible to modern hacking techniques.
3. Reputation. A data breach can put a company's reputation at stake, especially if it goes public.
Customers can lose confidence in the business and stop buying its products, while investors might be
hesitant to invest in a business that doesn't take its cyberdefense seriously. Penetration testing protects
the reputation of a business by offering proactive mitigation approaches.
4. Compliance. Industries, including healthcare, banking and service providers, take compliance and
regulation seriously and include pen testing as part of their compliance efforts. Common regulations,
such as a Service Organization Control 2 (SOC 2), HIPAA and the Payment Card Industry Data Security
Standard (PCI DSS), require pen tests to be compliant. Therefore, by performing regularly scheduled pen
testing, organizations can stay on top of their compliance needs.