It is of utmost importance to determine the definition of penetration testing for everyone’s benefit so that we sail into the common understanding throughout this article. In my perception, penetration testing is about exploiting vulnerabilities within the systems, network, or application by simulating an attack to provide evidence that there is a potential chance of client’s sensitive information disclosures or business disruption. The end goal is to test the organization’s readiness to test the capabilities on their resistance against attackers and providing detailed recommendations on how they can improve.
The pen testers may need to analyse the scope in detail to select the suitable methodology to gain unauthorized access to the system and evaluate the system and laterally move across the system until there is a demonstrated evidence of valuable information.
If the focus is on identifying weaknesses within the network, then “Network-Pen Testing” would be the right approach. Network Pen testing typically can be conducted on the perimeter, wireless or internal networks. Sometimes it is a combination of all three.
In the Perimeter network testing, the tester may need to find a way to break into the organization network from the internet. The target is to find misconfiguration, vulnerabilities of the internet-facing systems and exploit their weakness. At times, misconfiguration will result in a credential leak which would pave the way to gain initial access to the network. However, there is riskier task such as exploiting a vulnerability in systems such as VPN concentrator or web-facing application which could be critical to business. When you exploit a memory leak vulnerability and if you intend to get control over the command shell, there is a risk of performing a DOS attack that potentially could have a business impact. It is vital that the pen testers should have a broad understanding of the business-critical applications and their dependency and should not deviate away from the rules of engagement when performing pentest. After initial access is obtained, the pen testers can look for lateral movement to systems with in the internal network via privilege escalation.
Wireless Pen-testing is done to ensure the organization’s wireless infrastructure inclusive of their guest network is secured. The Pen-testers can try to break into wireless infrastructure with weak authentication and encryption with the right set of tools, skills, and techniques. Historically, WEP has been the target for the penetration tester to perform the MITM (Man-in-the-middle attack) or credential grabbing. The Wireless range of the access point can also be verified during testing which can turn up as recommendations to restrict the range within the office premises to minimize the attack surface. The segregation of the guest network and installing rogue access points are some of the key testing focus areas in wireless pen-testing. There are two ways to stand up the wireless rogue access point, one is configuring a rogue wireless access point by publishing the same SSID (Service Set IDentifier) to mimic the organization’s wireless infra and trick the users to connect to the network for credentials stuffing. The other approach is plugging an access point to the network port which can establish a set of connections that sometimes provide access to the network if the NAC (Network Access Control) controls are weak and may provide initial access to the network.
Internal network testing is performed primarily to evaluate the internal security controls such as network segregation, authentication & access control. The Pen-tester act as an insider or intruder here in this case with initial access to the network with an intent to find business-critical or valuable assets, perform privilege escalation to gain access to sensitive information or systems. They often surveillance on a focus group to amplify the information disclosure. The goals can be achieved comparatively sooner with a focused approach on valuable assets and surveillance on the extremely sensitive working group.
Application testing in essence varies because of the complexity involved within various application types. If the testing is targeted towards just a website, the complexity is thin as opposed to testing the enterprise applications with multi-tier architecture.
There are various testing approaches, in the black box testing, the tester will not have any access or basic information about the application that is going to be tested. However, in the Grey box testing, clients will set up the initial access to the tester. In the Static Application Security testing (SAST) or Whitebox Testing, the tester would be provided access to source code to identify weakness and verify if the code is written as per “Secure Code Guiding Principles”. However, in the Dynamic Appllication Security (DAST) or Black Box testing, tester will not have knowledge about the application framework or architecture and expected to find vulnerabilities in the runtime. Application weakness may exist through presence of obsolete software which potentially could use outdated libraries or could wide open an admin console due to misconfigurations.
Testers can refer the OWASP top 10 web application security weakness as a source of reference to identify common security weakness that prevails. Cross-Site Scripting, Injection, Insecure deserialization, and broken access controls are some of the flaws you would expect to see in the applications that were built without poor security coding practices.
The pentest execution standard (PTES) consists of 7 different phases to conduct the Pen testing more effectively and it is supplemented by the Technical guidelines which are expected to be updated frequently by the community. The guidelines should be used as the baseline method as used in the industry.
7 execution Steps
Pen test Standard clearly defines each step of execution in detail and Pentester should put their best efforts to get aligned with the process and technical guidelines to achieve the best outcome.
Due importance needs to be given before performing penetration testing to discuss and agree to the scope of the work during the Pre-engagement interactions phase. There might be an organization that would be interested to specially test their web-facing applications or test the network infrastructure and sometimes you might also come across a request to test for applications that are just internal.
The testing methodology and timeframe differ based on the requirements, whatever the requirements are, there is something very crucial, they are agreed goals and expected outcomes. There is also a need for reasonable consideration given to “time”. Many time-bound activities probably would result in disclosure after a stipulated amount of time.
In the intelligence-gathering phase, the pen test gathers intelligence at all levels to identify the security controls and would almost finalize the target with a deep understanding of the organization’s business models and their relationship with various technology or business partners. There are three levels in this phase, they are compliance-driven, best practices-driven, and advanced information gathering. There are a variety of techniques that can be used, Open Source Intelligence (OSINT), digital footprinting, Social network profiling to gather information about the Client. The identified target would need to be explicitly discussed with the Client considering the engagement scope to understand the value of the target.
In the threat modelling phase, the tester leverages the information about the target, performs threat analysis and motivation modelling to assign threats to the identified target. Followed up with an actual Vulnerability discovery & exploitation phase of simulating a real-time attack to gain initial access to the system or network evading the security controls. In the post-exploitation the tester horizontally moves across to other systems until there is sensitive data disclosure, gaining administrative access, or attain reasonable thresholds that may cause business disruption.
In the reporting phase, testers would document the approaches, methods, and results in the report for the consumption of executives and technical officers. The report would need to include the current state of security and the improvement identified with suitable artifacts and remediation steps. The organization should be ready and acknowledge the complexity of the bad actors when discussing the findings with the penetration testers. This would revolve around time-bound constraints, for example when Pen-testers would say that this specific password can be cracked within six months using password cracking algorithms when supported with artifacts.
There is always a probability that the pen test findings would reveal that your systems, applications, or network are secure without any significant findings. The findings should be considered as acknowledgment of the Client’s true efforts in ensuring the systems, apps, network are designed as per best-in-class security design and principles. But does this mean that the findings ensure fool-proof security? Unfortunately, no, with the limited timeframe, Pen testers will exercise their best efforts to identify vulnerabilities to demonstrate with factual evidence. It is always ok, not to have a significant finding which is an attestation to the existing security controls. Finally, testers should take extra caution or reasonable effort to remove any footprints or implants to ensure the systems are returned to their original state after the completion of the engagement.
There are abundant tools and custom scripts available to support the pen testing activity. The Penetration testing execution standard has a myriad of tools listed in their technical guidelines references. Although may not be comprehensive due, here is the shortlist of few tools that should be on your arsenal to play around with during your exercise.
| TOOLS | CATEGORY |
| FOCA | Information Gathering |
| CREE.PY | Information Gathering |
| KISMET NEWCORE | Information Gathering |
| DNSENUM | Information Gathering |
| DNSMAP | Information Gathering |
| DNSRECON | Information Gathering |
| HOSTMAP | Information Gathering |
| URLCRAZY | Information Gathering |
| THEHARVESTER | Information Gathering |
| SITEDIGGER | Vulnerability Discovery |
| OPENVAS | Vulnerability Discovery |
| THC HYDRA | Credential’s cracking |
| CAIN | Credential’s cracking |
| RAINBOW CRACK | Credential’s cracking |
| THE METASPLOIT FRAMEWORK | Pen testing Framework (Collection of Tools) |
| THE SOCIAL-ENGINEER TOOLKIT (SET) | Social Engineering Framework (Collection of Tools) |
| FAST-TRACK | Pen testing Framework (Collection of Tools) |
| BACKTRACK LINUX | Pen testing Framework (Collection of Tools) |
| SAMURAIWTF | Web testing Framework (Collection of Tools) |
Conclusion:
To be concise, when pen testers move on with the agreed rules of engagement and execute the activity in the phased approach as defined by the PTES with the right tools and skills, the outcome will be more efficient and will add value to the proposer or the client’s business. Happy Pen-testing