What is Penetration Testing & How Does it Work?

Pentesting helps you determine how you could be and likely will be attacked and which steps to take to secure your organization.


What is penetration testing?

To secure computer systems from attackers and keep your company safe, companies hire “ethical hackers”, also called “white hat hackers”, who use penetration testing (often shortened to pentesting or pen testing) to discover weak spots in your systems. Pen testing, including pen testing in the context of ethical hacking, helps you become acquainted with the strengths and failures of your business network. More significantly, it helps you root out how you could be and likely will be attacked and which steps to take to secure your organization.

How does penetration testing work?

In pen testing, ethical hackers aim to deter malicious hackers by finding weak spots in your organization’s computer system before bad actors do. Pen testers educate themselves on the latest technology and its potential flaws and simulate cyber criminals by copying their tactics, techniques, and procedures, infiltrating your system, and, in short, rooting out your IT vulnerabilities. The idea behind penetration testing services is to find and patch vulnerabilities before attackers exploit them. Sometimes they use automated penetration testing tools that expose the weaknesses in your core attack vectors, operating systems, network devices and application software, and sometimes they will take a more manual approach.

What is the purpose of a penetration test?

Aside from the fundamentals of testing for security vulnerabilities, you’d also want to use pen testing to:
  1. Remove hypotheticals from your security program
    Use live testing and exploitation to gather evidence of the real-world impact of discovered vulnerabilities.
  1. Test your security controls 
    You want to see whether network security devices like your firewalls, IPS, and DDTs are up to date and actually working.
  1. Ensure system security
    Before releasing new or updated products, you want to pen test them for safety.
  1. Get a baseline 
    Inspect your infrastructure to find out which areas need fixing and in which order.
  1. Compliance 
    Keep up to date with federal and state regulations on data privacy and security (e.g., PCI DSS, HIPAA, and GDPR).

What are the different types of penetration testing?

Malicious hackers compromise your system through various means that pen testers imitate. Common tests that these ethical hackers employ include:
  • Social Engineering Test
    Ethical hackers try to persuade company insiders to disclose secure information, such as their computer passwords or other sensitive data.
  • Network Services Test
    Ethical hackers scout for security weaknesses in the organization's network infrastructure (servers, firewalls, switches, routers, printers, workstations, and more).
  • Web Application Test
    Pen testers run different tests to dig out vulnerabilities in web-based applications and software programs.
  • Physical Penetration Tests 
    Usually required by military and government organizations, where pen testers perform brute force tests to compromise physical barriers in a business’s infrastructure, building, systems, or employees.
  • Wireless Access Tests 
    Ethical hackers inspect all entry points of connected devices on the business’s wireless network. Devices include laptops, tablets, smartphones, and desktops.
  • Cloud Penetration Test
    Testers specializing in cloud penetration testing services focus on current and emerging cloud-specific threats that could impact an organization’s cloud-based assets.

What are the three stages of penetration testing?

  1. Pre-engagement
    Pen testers set the scope and objectives of their project. They also collect and research information on the company’s computer network.
  1. Engagement
    Pen testers target the network, collect preliminary data, and analyze the results to identify exploitation routes.
  1. Post-engagement
    Pen testers draft and submit their reports to administrators and technical or security employees, adding prioritized analysis results based on risk level. This is often the most important part of pen testing engagements, where the testers will summarize their results for an executive audience to create an evidence-based narrative to drive the reprioritization of initiatives or reallocation of funds.

Steps of penetration testing

  1. Establish a goal
    Pen testers ask themselves: Why are we performing this penetration test: For compliance? To scout out system security? To make sure the new appliance is 100% secure? Other reasons? They formulate their goals to map out their strategies.
  1. Reconnaissance 
    Pen testers conduct deep research on the organization and study the company data they’ve been given.
  1. Discovery 
    Pen testers scan the network (port scanning) to enumerate its hosts, open ports, the services behind them, and so forth.
  1. Exploitation 
    Pen testers probe for system flaws and exploit weaknesses to gain access to and spread through an organization’s network. Some common methods of gaining and expanding access include:
    • Brute forcing to test for weak, unencrypted, or shared passwords.
    • Social engineering, wherein testers persuade company staff to disclose sensitive information, such as usernames and passwords, by posing as official personnel or otherwise deceiving end users.
    • Taking control. Once they've penetrated the system, pen testers may be limited by the agreed-upon scope of work in what further actions they can take with the organization's data, such as downloading or uploading files, executing malicious scripts, extracting password hashes from read-out password files to penetrate deeper into the system, or eavesdropping through webcams and microphones.
    • Pivoting. Ethical hackers use their breached access on one device to pivot to other devices on that network, such as desktops, laptops, servers, mobile devices, and so forth.
  1. Evidence Collection and Reporting
    Testers gather the evidence showing they successfully invaded your network, draft and deliver their report of how they got in and what they discovered, and summarize their results for an executive audience to create an evidence-based narrative to drive reprioritization of initiatives or reallocation of funds.
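The reporting step above turns raw findings into a risk-ranked list. As an added illustration (my code, not the page's or GuidePoint's), the script below ranks constructed findings for a post-engagement report: findings the testers actually exploited come first, because proven access is evidence of real-world impact rather than a hypothetical, then severity band, then external exposure. It assumes CVSS v3.1 base scores and the v3.1 qualitative severity bands; every sample finding is constructed.

```python
"""Added example, not code from the original page: rank pen-test findings for
the post-engagement report. Assumes CVSS v3.1 base scores and the v3.1
qualitative bands; all sample findings are constructed."""
from dataclasses import dataclass

# CVSS v3.1 qualitative severity scale: score floor -> label.
SEVERITY_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"), (0.0, "None"))
RANK = {label: i for i, (_, label) in enumerate(SEVERITY_BANDS)}

@dataclass
class Finding:
    title: str
    asset: str
    cvss: float               # CVSS v3.1 base score, 0.0-10.0
    exploited: bool = False   # testers actually gained access through it
    external: bool = False    # reachable from outside the perimeter

def severity(score: float) -> str:
    """Map a CVSS base score to its qualitative band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label

def prioritize(findings: list[Finding]) -> list[Finding]:
    """Remediation order: proven exploitation first (evidence of real-world
    impact beats a hypothetical), then severity band, then external exposure,
    then raw score; title last so the report order is reproducible."""
    return sorted(findings, key=lambda f: (not f.exploited, RANK[severity(f.cvss)],
                                           not f.external, -f.cvss, f.title))

def summary(findings: list[Finding]) -> dict[str, int]:
    """Per-band counts for the executive summary."""
    counts = {label: 0 for _, label in SEVERITY_BANDS}
    for f in findings:
        counts[severity(f.cvss)] += 1
    return counts

SAMPLE = [  # constructed findings, not results from any real engagement
    Finding("Default credentials on admin console", "app01", 8.8, exploited=True, external=True),
    Finding("Outdated TLS configuration", "www", 5.3, external=True),
    Finding("Kernel privilege escalation", "db02", 7.8),
    Finding("Unauthenticated RCE in file upload", "www", 9.8, exploited=True, external=True),
    Finding("Verbose error messages", "app01", 3.7, external=True),
    Finding("Server banner disclosure", "www", 0.0),
]
```

Calling `prioritize(SAMPLE)` puts the two exploited findings ahead of the internal kernel flaw even though its score exceeds the medium-severity TLS finding; `summary(SAMPLE)` gives the per-band counts for the executive page.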

Things to consider when doing a pen test

  1. What’s your scope? 
    For example, you may want to limit your testing to certain networks and network segments or use certain techniques (such as brute-forcing or social engineering) rather than others.
  1. Are you going to do an internal or external penetration test?
    In other words, are you going to test for malicious actors attacking from outside of the network using external pen testing strategies, or are you going to test for risks originating from inside the network (e.g., incautious employees)?
  1. Safe testing 
    Penetration tests can be intrusive and disturb company productivity and can pose a risk to company assets if done incorrectly. Look for safe and proven tools, and exercise care and caution when handling or interacting with target assets.
  1. In-house or outsourced 
    If you pen test only occasionally, you’ll find that outsourcing, or hiring a consultant, is likely to be cheaper than hiring and training qualified professionals and investing in expensive tools. Insourcing works best for those who test more frequently (say once a month), pre-test, undergo official audits, and add an ongoing internal assessment to their annual spot test.
  1. Selecting a pen-tester
    If you're going the in-house route, train your employees and make them familiar with your tools. The outsourced route? Determine that your vendor is qualified, credible, and reliable.

Penetration testing methods

There's no one comprehensive testing method that everyone uses. Since cyber threats are unpredictable and constantly evolving, pen testers simulate whichever attack method the organization may encounter. These include:

  1. External testing
    Pen testers gather all they can on the company and use that research to breach it. Online data includes the company's web applications, website, email, and domain name servers (DNS).
  2. Internal testing
    Pen testers are allowed entry to the network as though they were company insiders. They try to penetrate the system using methods that rogue or accidental insiders typically use. These include social engineering techniques, phishing, and using network-distributed unencrypted passwords to access critical accounts.
  3. Blind testing
    All pen testers are given the name of the business as a starting point, similar to where most attackers would start.
  4. Double-blind testing
    With double-blind testing, security personnel are not told there’s going to be a simulated attack. Just as with a “live” threat, IT is caught unawares, so they have no time to shore up their defenses.
  5. Targeted testing
    Pen testers and security personnel work together, with pen testers providing security personnel with their feedback. This doubles as valuable training in that it helps IT (and staff) understand how hackers work.
  6. Open-box pen test
    Pen testers and cybersecurity experts evaluate an organization's security posture, in particular focusing on its networks and systems. Open-box tests help security teams identify vulnerabilities and validate security controls more quickly and effectively.
  7. Covert pen test
    External specialists like our experts at GuidePoint evaluate real-time response capabilities and security protocols. Organizations benefit from more effective incident response testing and the ability to detect and mitigate attacks with covert penetration testing, meaning they can also look forward to more realistic security posture assessments.

How much access are pen testers given beforehand?

Both intentional and accidental hackers gain unauthorized entry into an organization’s systems in a variety of ways. For this reason, organizations give ethical hackers different levels of access that leverage the wide range of tools and techniques hackers usually use:

  1. Opaque box 
    As the name suggests, the system is entirely opaque, meaning the pen tester knows nothing about it. They start as the hacker would, probing for weaknesses. This type of test can take up to six weeks to complete.
  1. Semi-opaque box 
    Pen testers are given some level of insight into the workings of the organization’s network and systems. This could include knowledge of one or more sets of credentials as well as rough information on internal data structures, code, architecture, and algorithms. The advantage of this setup is that pen testers can immediately proceed to their inspections without undergoing the trial-and-error ordeals of the opaque box.
  1. Transparent box 
    Pen testers are given unlimited access to business systems and system artifacts including source code, binaries, containers, and application design. These tests, which often require costly tools such as code analyzers and debuggers, mostly take two to three weeks to complete.

What are the types of pen testing tools?

Different tests, such as firewall configuration testing, internet vulnerability scanning, perimeter network testing, email testing, telephone scanning, and so forth, require different tools. Broadly speaking, pen testing tools fit into five categories.

  • Reconnaissance tools for probing the internals of the network, such as analyzing its traffic.
  • Vulnerability scanners for discovering issues in an organization's IT infrastructure, such as in its network services, web applications, and APIs.
  • Proxy tools to inspect the security of your web filters, firewalls, secure web gateways, or other software security products.
  • Exploitation tools that help testers craft, deliver, and inject malicious payloads and gain control of assets.
  • Post-exploitation tools help testers maintain access as well as escalate privileges on the machine, allowing them to stay in control until they achieve their objectives.

Which tools are the best?

  1. Nmap network scanner
    Ideal for the reconnaissance stage when it comes to scanning for open ports and services. Nmap includes features for identifying vulnerable applications.
  2. Gobuster directory scanner 
    A tool used to brute-force URIs including directories and files as well as DNS subdomains.
  3. Burp Suite web app scanner 
    An all-in-one web application security testing tool, Burp Suite scans websites for vulnerabilities, manipulates requests and responses, and intercepts traffic between the client and server.
  4. GTFOBins (on GitHub) Unix binaries 
    An online resource that’s “a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems”.

Other popular tools include Metasploit (a vulnerability exploitation tool), Wireshark (a network analysis tool that can capture packet data from a network and decode it into a readable form), and Powershell-Suite (a tool used to build, test, and deploy solutions).

What to look for in pen testing tools?

The bottom line is that you want tools that are:

  • Easy to use
  • Provide automated verification (rather than relying on manual testing, you want these tools to do the job for you)
  • Provide vulnerability prioritization, meaning they prioritize flaws according to their severity so you know which to address first
  • Help you easily locate identified flaws for rapid fixing
  • Provide detailed reporting features for the ultimate report that pen testers need to present to the company, detailing what they did and found

Difference between vulnerability testing and pen testing

Though they may seem similar on the surface, vulnerability assessments and penetration tests are not the same. The first provides a prioritized list of exploitable vulnerabilities telling you what to correct to remedy your systems. Vulnerability testing is a way to reduce your attack surface by closing known gaps.

Pen testing, in contrast, aims to find hackable databases or weak spots that hackers could compromise. It’s an overarching goal, where pen testers try to find the insecurities in your IT before a hacker does. While this may include utilizing known vulnerabilities, penetration testing is more focused on exploitation and access.

What are the pros and cons of pen testing?

The pros are evident:
  • Pen testing can uncover even the smallest flaws that if undiscovered could bring down the system.
  • It saves your company from falling afoul of strict security and data privacy regulations such as HIPAA and the Payment Card Industry Data Security Standard (PCI DSS).
  • Regular pen testing keeps your IT current on the latest cyber threats and on how to defend against them.

Disadvantages exist, too:

  • Labor-intensive and expensive
  • Fails to prevent bugs and flaws from creeping into production
  • Potential for business disruption
  • Can provide a false sense of security

What happens after the penetration test is done?

Once a pen test is complete, pen testers or ethical hackers will put together a report that grants insight into an organization's security posture. These insights specifically outline an organization's various levels of vulnerabilities, from critical to low. Our specialists can help you prioritize each vulnerability for action to ensure timely remediation and reduce the risk of exploitation by malicious actors.

Once our security specialists have helped remediate critical vulnerabilities, they can then help you reassess your systems to confirm the success of each corrective action. In essence, the post-penetration test phase is crucial, transitioning from vulnerability identification to prioritization and remediation, ensuring a fortified and resilient security infrastructure.