Penetration testing, or pen-testing, is a core term in ethical hacking. It is a security testing approach used by most security professionals. The tester works one step at a time, mapping out the vulnerabilities in a network or application. For an ethical hacker it is essential to know where the vulnerabilities lie in a given network or protocol, and to judge which of them an attacker could actually turn into a threat; this calls for a sequential, step-by-step method. Working through a network in this orderly manner is what is meant by pen-testing. Because the tester goes progressively deeper into the network at each step, the activity is called penetration. Since no loophole or vulnerability is certain in advance, each action is a test, hence the name penetration testing. Practitioners often describe it as "adversarial use by experienced attackers." Other terms have been used for the same idea: tiger team testing, ethical hacking, and so on. The word "experienced" in this definition matters: the quality of a pen-test's results depends directly on the skill of the tester who performs it.
Background for Ethical Hackers
Pen-testing is a good way of testing any software. Companies hire third-party pen-testers (this is where ethical hackers come into the picture) to find loopholes in their product or software before an attacker does; a pen-test can show the presence of vulnerabilities but never prove their absence. The pen-testers probe the security controls and perform every test a realistic attacker might try against the software. In other words, they think from the perspective of an outside, malicious hacker. Regular pen-tests are advisable for web-based applications that receive frequent updates, since each release can introduce new weaknesses. Pen-testing requires a particular type of person, someone who genuinely enjoys circumventing, subverting and usurping technology built by others.
Author and security tester Joel Scambray describes pen-testing as a crucial step in any security programme. "It is even more challenging to sustain an internal pen-test team over the long haul, due to this 'cognitive dissonance' as well as the perpetual mismatch between the market price for good pen-testing skills and the perceived value by management across successive budget cycles. Thus, we recommend critically evaluating the abilities of internal staff to perform pen-testing and strongly considering an external service provider for such work," he writes in Hacking Exposed.
Conducting Penetration Tests
Whenever a penetration test is to be performed, a proper plan has to be made beforehand, and the tester must stick to it throughout. The basic prerequisite of any pen-test is to document everything: a written record of the node from which the attack will start and the sequence that will be followed, and evidence (screen recordings, screenshots and command logs) for every key test performed. Ensure that the tests follow the agreed sequence.
The sequence is defined by the goals of the penetration test. Following it matters not just for adherence to the plan but for ensuring that the right thing is being done at every stage of the test.
It is not a good idea to break into a network halfway through, start enumerating or deploying payloads from that point, and only afterwards come back to footprinting. That makes your work unpredictable for your own employers, and such an unplanned pen-test is the mark of an amateur.
Subsequent tests should be based on previous results.
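As an added illustration of these three rules (stick to the plan, document everything, build each test on the previous result), the following Python sketch is not from the original article or from any tool it mentions. It models an engagement log that refuses steps outside the agreed scope or out of the planned phase order, lets each step cite the earlier result it builds on, and chains a SHA-256 hash over every entry so the evidence trail cannot be quietly edited later. The phase order, the 10.10.0.0/24 scope and the evidence strings are constructed for the example.

```python
import hashlib
import ipaddress
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Agreed order of test phases. This ordering is an assumption for the
# example; the point is that the plan fixes it before testing starts.
PHASES = ("footprinting", "scanning", "enumeration", "exploitation", "reporting")


class PlanViolation(Exception):
    """Raised when a step departs from the written test plan."""


@dataclass
class Engagement:
    """Hash-chained record of every step taken during a pen-test."""
    scope: list                         # CIDR ranges agreed with the client
    entries: list = field(default_factory=list)
    _phase_index: int = -1              # index into PHASES of the current phase

    def in_scope(self, target: str) -> bool:
        addr = ipaddress.ip_address(target)
        return any(addr in ipaddress.ip_network(net) for net in self.scope)

    def record(self, phase, target, action, evidence: bytes, depends_on=None):
        """Log one test step, refusing anything the plan does not allow."""
        if not self.in_scope(target):
            raise PlanViolation(f"{target} is outside the agreed scope")
        if phase not in PHASES:
            raise PlanViolation(f"unknown phase {phase!r}")
        idx = PHASES.index(phase)
        if idx < self._phase_index:
            raise PlanViolation(f"cannot go back to {phase} from {PHASES[self._phase_index]}")
        if idx > self._phase_index + 1:
            raise PlanViolation(f"cannot skip ahead to {phase}")
        if depends_on is not None and not 0 <= depends_on < len(self.entries):
            raise PlanViolation(f"depends_on={depends_on} refers to no recorded result")
        self._phase_index = idx

        # Each entry carries the hash of the previous one, so the log is a chain.
        prev_hash = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "time": datetime.now(timezone.utc).isoformat(),
            "phase": phase,
            "target": target,
            "action": action,
            "evidence_sha256": hashlib.sha256(evidence).hexdigest(),
            "depends_on": depends_on,
            "prev_hash": prev_hash,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev_hash"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def _digest(obj) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def demo():
    """Walk a constructed engagement through the plan and collect the refusals."""
    eng = Engagement(scope=["10.10.0.0/24"])          # constructed scope
    eng.record("footprinting", "10.10.0.5", "DNS and WHOIS review",
               b"constructed: ns1.example.test A 10.10.0.5\n")
    eng.record("scanning", "10.10.0.5", "TCP port scan",
               b"constructed: 22/tcp open ssh\n80/tcp open http\n", depends_on=0)
    eng.record("enumeration", "10.10.0.5", "HTTP banner grab on 80/tcp",
               b"constructed: Server: Apache\n", depends_on=1)

    refused = []
    attempts = [
        ("exploitation", "10.10.9.9", "attack host outside scope", b""),
        ("footprinting", "10.10.0.5", "jump back to footprinting", b""),
        ("reporting", "10.10.0.5", "skip straight to reporting", b""),
    ]
    for phase, target, action, evidence in attempts:
        try:
            eng.record(phase, target, action, evidence)
        except PlanViolation as exc:
            refused.append(str(exc))
    return eng, refused


if __name__ == "__main__":
    eng, refused = demo()
    print(json.dumps(eng.entries, indent=1))
    print("chain intact:", eng.verify())
    for r in refused:
        print("refused:", r)
```

The three refused attempts correspond to the mistakes warned about above: an out-of-scope host, jumping back to footprinting after enumeration, and skipping a phase. Running verify() after altering any recorded entry returns False, which is what makes the log usable as evidence for the client rather than as a memo the tester could rewrite.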
Third Party Pen-testing
To avoid any bias on the part of the organization's internal pen-testers, a third-party pen-tester is hired to do the job. A few points must be kept in mind when hiring third-party pen-testers to ensure smooth functioning and a good return on investment:
• Liaison : Provide the pen-testers with adequate information about the networks and the software, and a named contact for questions. This helps the pen-tester complete the documentation and footprinting of the network to be tested.
• Schedule : Ideally, pen-testing occurs after beta-quality code is available but early enough to permit significant changes before the ship date should the pen-test team identify serious issues. Yes, this is a fine line to walk.
• Deliverables : Make sure the pen-testers deliver a written report on the attacks performed, the findings and the remediation recommended. This gives future pen-testers the context they need when preparing their own documentation.
Types of Penetration Tests
There are basically three types of penetration test:
• Black Box Penetration test
• White Box Penetration test
• Grey Box Penetration test
Black Box Penetration test
In simple terms, a black box penetration test is one where you cannot see inside the box, hence the name. The pen-tester has no prior knowledge of the network or the software. This mirrors the position of an outside attacker, who usually has little idea of how the network is laid out or where it connects.
Only publicly available information is given to the penetration tester; everything else has to be discovered through the tester's own work. It is the most realistic simulation of an outside attacker, as discussed earlier. It is also the most time-consuming and expensive type of pen-test, because a lot of reconnaissance has to be done to build a picture of the target domain before any attack can start.
White Box Penetration test
This is the exact opposite of the black box penetration test. Where the black box tester works from an outsider's position, the white box tester is given full knowledge, as an insider or a hired ethical hacker would have, in order to find loopholes in the network. Proper documentation and data are provided to the penetration tester at the beginning of the test by the network owners. It is the best simulation of an insider attack, or of an outside attacker who has already obtained internal knowledge.
It is useful for testing specific security controls in the network. It is also a less expensive way to get started, since most of the data is already provided and the tester can concentrate on trying to break in. Information such as the database servers, the database domains, the associated networks, the logs and how all of this is connected is given to the white box penetration tester, who is also told about the known weak points of the network.
Grey Box Penetration test
It is the most common type of penetration testing. As the name suggests, it is a hybrid of the black box and white box penetration tests.
Here some of the information is given to the pen-tester. Not everything is disclosed, as there is usually confidential data the organization does not wish to hand over; a full trust relationship with a hired third-party pen-tester cannot be assumed. A good example is an engagement where the company gives the pen-tester the IP addresses and the details of the data servers but does not reveal any logs or transaction records.
As the test proceeds, further information is given out as needed or when requested by the pen-tester. This information exchange is scheduled for the points where the tests fail or stall.
There is a proper balance of disclosure and discovery in this form of pen-testing. Grey box pen-testers often act in a consultative role.
Finally, whichever testing approach you choose, it is strongly recommended that all testing focus on the risks prioritized during threat modeling. This lends coherence and consistency to your overall testing effort and results in steady progress toward reducing serious security vulnerabilities.