Penetration Test

Penetration Testing: introduction

Penetration Testing – In today’s world, where vulnerabilities are increasing and data breaches are consequently affecting companies, it’s easy to understand the importance of CyberSecurity.

It doesn’t matter how hard the IT department works in order to avoid attacks, Cyber Criminals will always be a step ahead. Everything comes down to the cat who chases the mouse and never catches it.

However, there will always be activities that companies can carry out to spot its weaknesses before a third party does that.

That’s the reason of this article: showing in a detailed way Penetration Testing or “Pentesting” activities.

We will go through different subjects, such as:

  • Penetration Testing: definition;
  • Vulnerability Assessment vs. Penetration Testing;
  • Purposes of Penetration Testing;
  • Penetration Testing methodologies;
  • Penetration Testing: three teams to carry out the activity;
  • Techniques of Penetration Testing;
  • Penetration Testing phases;
  • Penetration Testing: a professional solution.

Penetration Testing: definition

To put it in simple words, Penetration Testing activities consist of “examining” the weaknesses of a corporate IT infrastructure. Once these weak spots have been identified, the person who carries out the activity tries to exploit these vulnerabilities in a very safe way. Vulnerabilities can be found pretty much everywhere in the software:

  • Unintentional flaws in the design of the software code;
  • Using the software in an inappropriate way;
  • Backdoors in the operating system.

Penetration Testing activities can be carried out both manually and automatically. Usually, the target of such activities is focused on one of the following endpoints:

  • Network endpoints;
  • Mobile and Wireless devices;
  • Network Security Devices;
  • Server;
  • Additional exposed areas like the code behind applications.

Vulnerability Assessment vs. Penetration Testing

Often the term vulnerability scanning or assessment and penetration testing are two phrases used in interchangeable ways. However, there are certain differences in their meaning as well as implications. When we talk about vulnerability assessment, we mean spotting certain vulnerabilities that remain in a system, Swascan offers an advanced Vulnerability Assessment tool that identifies and solves all vulnerabilities of websites and web applications. On the other hand, penetration test is an authorized attack (which is simulated) on a system to test its security.

Purposes of Penetration Testing

However, a Penetration Test aims at going as deep as possible inside the IT infrastructure and get to the electronic asset of the company. The main objective is not to hit the target hard in the first try, is to hit even harder in the following tries.

Starting form this, we can move forward saying that the ultimate goal is to clearly identify security issues and vulnerabilities. In addition, we have several side goals that Pentesting activities can accomplish:

    • Test the compliance of security policies;
    • Verify the awareness of the staff in terms of security;
    • Check if and how an organization can face a security breach.

Penetration Testing methodologies

As far as Penetration testing is concerned, you have differents methodologies to carry it out. In the following list, we’ll see these methodologies:

Black Box / White Box / Gray Box Testing

As you can see from the title of the paragraph, in order to spot the full list of vulnerabilities, you have three different methods available:

  • Black Box Testing;
  • White Box Testing;
  • Gray Box Testing.

Black Box Testing

Normally, a potential attacker will not be aware of the ins and outs of the IT infrastructure. This is why a Cyber Attack will probably be a brute force all-out attack against the IT infrastructure. This attack is carried out to eventually find a weakness where the efforts will be focused in a second moment.

During a Black Box Penetration Test, the person who carries out the activity (Pentester) will not have any information any information regarding the Web Application and its source code. This is why this specific methodology often requires a lot of time and the Pentester uses automated tools in order to find vulnerabilities and weak spots. This approach sometimes is referred to as “trial and error”.

White Box Testing

White Box Penetration Testing or “Clear Box Testing” assumes that the Pentester has at his disposal both the source code and the architecture of the Web Application software.

This is why a White Box test requires less time than a Black Box one. Obviously, you have both pros and cons with a White Box Test, a big pro is that the test can be way more precise. Cons are summarized in this list:

  • The Pentester has the key information available, it might require time to focus on a specific matter;
  • The tools required to carry out a White Box Test is more complex.

Gray Box Testing

As you can easily understand from the title, this is a combination of the two methodologies we’ve just analysed. The Pentester has partial knowledge in terms of the Web Application to test.

Gray Box Penetration Testing activities require both manual and automated tools and a possible approach to adopt is the following: focusing on the areas with more information and start exploiting vulnerabilities. This approach, as a matter of fact, offers higher chances to discover weaknesses.

Penetration Testing: three teams to carry out the activity

Penetration Testing often requires more than one person, we are talking of teams. To conduct a single Penetration Test we can have dedicated teams that we divide in:

  • Blue team;
  • Red team;
  • Purple team.

Blue team

Blue Team is made of people who work within the organization (they usually work in the IT department). Their main goal is to avoid the attacks that the Red Team (we will describe it in the next paragraph) carries out.

Key characteristics for a Blue member? Easy: proactivity and security-orientation.

Red team

It’s easy to understand, at this point, who makes this team up. Red Team members actively execute the attacks and try to pass theirselves off as real attackers: they try to break the defenses of the company and exploit its vulnerabilities.

Purple team

As we’ve previously seen for the Gray Box Testing, Purple Team is a sort of mix of Blue and Red teams.

As a matter of fact, Purple Team has tactics and security controls of the Blue team at his disposal and, at the same time, has the vulnerabilities that the Red Team discovered available as well.

This team is something like a bridge between the two teams, it helps Reds and Blues in the integration: in order to achieve such goal, Purple Team needs to be as impartial as possible.

Techniques of Penetration Testing

Here you can see a list of the different kinds of Penetration Testing that can be carried out:

  • Web Application;
  • Wireless;
  • Network Services;
  • Social Engineering;
  • Client Side

Penetration Testing: Web Application

This Penetration Testing activity is a sort of thorough analysis. It is an all-embracing and very detailed test which considers several components, such as: APIs, Silverlight, ActiveX, …

This allows to identify every vulnerability related to the web applications and this is the reason why this test requires a lot of time.

Penetration Testing: Wireless

This Penetration Testing activity checks for every Wireless device within the company. This can be a very long list that goes from smartphones to tablets and, obviously, we are far from done.

Usually, Pentesters carry out such tests on the spot because of the need to be close to the wireless network’s signal. This test spots vulnerabilities in terms of: access point wireless, admin credentials and wireless protocols.

Penetration Testing: Network Services

This specific Penetration Testing activity aims at discovering weaknesses and vulnerabilities related to the network infrastructure of the customer. This kind of test is the most common one among the ones in this list.

It would be useful to conduct this test both remotely and on site in order to gather as much information as possible. However, there is a big difference between this test and the Web Application one that we’ve seen before: the depth. As a matter of fact, this test does not go as much in depth as the Web App one.

Anyway, you have several elements considered by this test, such as:

  • Stateful analysis;
  • Test of the configuration and bypass of the Firewall;
  • IPS evasion;
  • DNS attacks that can include: every issue in terms of routers and zone transfer testing.

Moreover, Network Services Penetration Tests consider different software like:

  • Server SQL;
  • File Transfer Protocol;
  • MySQL;
  • SMTP

Penetration Testing: Social Engineering

How can a Criminal hacker get information in some other ways? One of these methods could consist of trying to deceive employees. To this end, this is how a Social Engineering Penetration Test can be structured:

  • Physical test: it consists of “tangible means” used to persuade the employee and make him confess important information. It could be a phone call, the impersonation of someone else, …
  • Remote test: this test assumes “electronic means” and the most common one is the e-mail – phishing campaigns are a classic example.

Penetration Testing: Client Side

Here we get to the Client Side Penetration Test where the purpose is to identify security issues in terms of software running on the customer’s workstations. Here you have a potentially unlimited list of examples, just to mention some of them: browsers, media players or content creation software.

Penetration Testing phases

In order to provide a detailed overview of the Penetration Testing activities, following you have a six steps list which describes the different phases of a Penetration Test.

1. Penetration Testing: Pre-Engagement Interactions

This is a preliminary phase when the parties define some starting points like: logistics (chosen by the Pentester), legal implications, expectations and – maybe the most important one – the objectives of the customer.

As we’ve previously seen, you have different techniques available to carry out a Pentest, during this phase the customer sets the standard and says what he exactly wants to get from this test. From this, the better strategy to achieve these goals will follow.

2. Penetration Testing: Open Source Intelligence (OSINT) Gathering

During this second step of the process the Penetration Tester gathers information about the customer. Depending on the kind of test (White Box or Black Box), Pentesters will have more or less information available.

In order to obtain this information, pentesters have different techniques at their disposal:

  • Dumpster Diving;
  • Online researches;
  • Social Engineering;
  • Tailgating;

As far as open source information in concerned, the OSINT Framework can provide very useful information.

3. Penetration Testing: Threat Modeling & vulnerability identification

Step 3: Pentesters map the attack vectors and identifies the targets they want to focus on.

Usually, in order to carry out this activity, automated tools are necessary. Vulnerability Scanning tools are very useful to spot vulnerabilities and provide a detailed overview of the customer’s IT infrastructure.

Penetration Testers often focus their attention on:

  • External and internal threats;
  • Valuable assets (especially data related to technical specifications, employees and customers).

4. Penetration Testing: Exploitation

Once the interest areas, vulnerabilities and access points have been mapped, the Penetration Tester will start testing the exploits. Obviously, as previously mentioned, the main goal is to test how vulnerable is the network. How deep can the Pentester go?

You can answer this question in the first step of the process, there’s the chance that the Pentester and the customer already set the rules and the guide lines for the attack.

Exploit standard techniques include: attacks to networks and web applications, social engineering attacks, …

5. Penetration Testing: Post-Exploitation, Risk Analysis & Recommendations

Once the activities are done, the person who carried out such activities must show the results to the customer. As a matter of fact, sometimes Pentesters cannot quantify the impacts of the exploits or cannot provide useful recommendations to implement in order to improve security levels.

Moreover, he must restore the situation that he found prior to the attack and reset every access that he managed to obtain in the previous phase.

Basically, the main objective is to prevent non authorized accesses in the future and to achieve this you often have some actions to do:

  • Reset the original configurations;
  • Delete every account that has been created to access the compromised system;
  • Remove the installed rootkits;
  • Erase every element from the compromised system.

6. Penetration Testing: Output

This last step is very important for the whole process. Recommendations identified in the previous phase need to be written down and delivered to the customer. This report must be as detailed as possible.

Gathering information is very important. The customer will use this information to improve his security measures.

Penetration Testing: a professional solution

In order to face corporate needs, Swascan offers professional Security Management services that allow companies to have detailed information about their scenario.

Moreover, as we’ve seen in step three, having at your disposal useful tools to discover vulnerabilities is crucial. To this end, Swascan offers a dynamic platform that provides:

Cyber Incident Swascan Emergency

Contact us for immediate support

The undersigned, as data subject, DECLARES that I have read and understood the content of the privacy policy pursuant to Article 13, GDPR. AGREE to the processing of data in relation to the sending by the Data Controller of commercial and / or promotional communications relating to (i) own products / services, or (ii) products / services offered by third parties.
The consent given may be revoked at any time by contacting the Data Controller at the addresses provided in the aforementioned privacy policy.