A penetration test is a controlled (and legal!) attack against a system, web application or computer network that shows the real state of the target system’s security. So … do I have to pay someone to destroy my system or web application to check whether it is secure? The answer is: no. The main goals of such tests are to check whether the target system is vulnerable to common security issues (configuration errors, procedural errors, implementation errors, insufficient data validation, etc.) and how the system reacts to unusual user behavior or strange data passed to the application.
A penetration test is a practical process that includes evaluating exposure to attacks and providing strong proof that the security can be bypassed. What is the proof? A performed attack that uses the vulnerabilities found. The contract has to describe how far the tester can go!
This approach is sometimes called offensive security.
A properly conducted penetration test should provide recommendations for removing the identified vulnerabilities.
The business value of a penetration test is not to demolish operating systems on the client’s servers or to replace the company’s home page with photos of naked women. The real value is a detailed and to-the-point report on the current state of system security, with recommendations on how to improve the security level.
Penetration testing also has other names:
- Pen testing
- Hacking (historical means of hacking, not)
- Ethical hacking
- White hat hacking
Is a penetration test the same as a security audit?
There is a subtle difference between a penetration test and a security audit, and unfortunately these two terms are wrongly used interchangeably. By definition, a security audit is a rational, technical evaluation of the status of a system or application against a specific checklist, the law, or compliance with standards or the organization’s internal regulations. A penetration test is a more practical assessment of the current state of security.
Penetration testing approaches
Penetration tests can be performed using the well-known approaches from ordinary testing:
Black box tests – The analysis is carried out from the attacker’s perspective, so the black box scenario is similar to a real situation where the attacker doesn’t have any knowledge about the target systems. This approach can last very long because of the long knowledge-gathering process (see the reconnaissance phase in the next section). Because of the lack of knowledge at the beginning and because of deadlines (the time for the test is limited by the contract), the time for the reconnaissance part may not be long enough.
White box tests – The opposite of black box tests. These are tests with full knowledge of the system and network architecture. In this scenario the goals are defined in detail and the results are predictable. White box tests are mostly performed by a company’s internal IT security teams. This kind of test is focused on specific business targets, such as checking whether security systems:
- fulfill the standards
- comply with the law
- meet the requirements of internal company rules
This type of test is quite short because of the complete knowledge at the beginning (there is almost no reconnaissance part).
Gray box tests – An approach that lies between black and white box tests. In this scenario, access to basic information about the target system is granted at the beginning of the test. The pentester has some knowledge about the target system, but it is not enough for a white box approach and too much for a black box approach, so the reconnaissance part is still necessary.
Penetration test phases
There are many methodologies that describe and organize the process of penetration testing. Depending on which one we use, the number of phases will differ, but in general we can distinguish five main parts of each penetration test:
- Reconnaissance – an underestimated and very important phase. In this part you should gather as much information about the target system as possible – just think about it in terms of military reconnaissance! The data gathered about the target can be priceless! In this phase you should collect the following information:
  - Hosts list (which are part of the tests)
  - List of shared applications and their purpose
  - Identify operating systems
  - Identify open ports on the operating system
  - Identify running services on the operating system
  - Other useful information obtained using social engineering methods
  - Everything is documented
- Scanning/vulnerability detection – At this stage the pentester should have gathered enough knowledge about the target system to identify vulnerabilities in an optimal way. Well-conducted reconnaissance will:
  - speed up this phase
  - help to bypass security systems
  - help to define the attack vector for a particular part of the system
  - Vulnerabilities in applications and network devices are identified and ordered by priority
  - Users of the vulnerable systems are identified
  - Everything is documented
- System exploitation – The most exciting part of a penetration test. The pentester should check whether the vulnerabilities found are real threats; in other words, the pentester should attack the system using the attack vectors identified in the previous phase. The success of this phase depends on the results of the previous part of the penetration test. The goals of this part should be the following:
  - Attempt to attack the system using the identified attack vectors and weaknesses in the target system
  - Break through security systems and find anchor points for further attacks
  - Attempt to gain unauthorized access to the target system
  - Attempt to capture secret information from users using social engineering
  - Attempt to attack other systems
  - Create a report from this part of the test
- Maintaining access – The last technical part of a penetration test is to persist access to the attacked system. Activities related to the penetration test can be detected by the security team, and all security holes can be fixed. One of the good practices of penetration testing is to install so-called backdoors in the captured system. An alternative way of maintaining access can be creating another account with administrator rights or launching a tunneled, encrypted network connection. Another point of this part should be covering the traces of the attack, for example by removing logs. What should be done in this part:
  - Various network channels to the system are established
  - All evidence of the attack is erased
  - Communication with the system is hidden (using cryptographic methods, for example)
- Report – The phase that is very valuable for the client. When the penetration test is finished, descriptions of all discovered vulnerabilities and the recommendations have to be documented. Many descriptions of how this report should look are available, but remember that first of all it should be to the point.
These are the very basics of penetration testing. As you can see, hacking (ethical or not) is completely different from movie scenes, where the faster you type on the keyboard, the more you are hacking… In reality this process is very long, very tedious, very frustrating and very boring … but the success is indescribable. Unfortunately, sometimes a penetration test may not be enough because of time or contract limits, but as Kevin Mitnick says:
“Frankly speaking, all enemies with proper techniques and resources can break security systems but your goal should be to impede attempts to the extent that it was not worth taking the time.”
Remember! Don’t be stupid - according to Polish law, penetration tests that have not been ordered are illegal!