What is Penetration Testing and Its Types?
Vishnu Yash Tripathi
A penetration test tells whether the existing defensive measures employed on the system are strong enough to prevent any security breach. Penetration test reports also suggest the countermeasures that can be taken to reduce the security risk of the system being hacked.
Causes Of Vulnerabilities
- Design and development errors: There can be security flaws in the design of hardware and software. These bugs can put your business-critical data at risk of exposure.
- Poor system configuration: This is another reason for vulnerability. If systems are poorly configured, they can open loopholes through which attackers can enter the system and steal information.
- Human errors: Human factors in cyber security like inappropriate disposal of documents, leaving the documents unattended, development errors, threats, sharing passwords over phishing sites, etc. can lead to security errors.
- Connectivity: If systems are connected to an unsecured network (open network connections), they come within the reach of hackers.
- Complexity: The security vulnerability rises in proportion to the complexity of any system. The more functionality a system has, the more chances there are of the system being attacked.
- Passwords: Passwords are generally used to prevent unauthorized access. They should be strong enough that no one can guess them. Passwords should not be shared with anyone for any reason, and they should be changed after some time. Despite these instructions, at times people reveal their passwords to others.
- User Input: You must have heard about SQL injection, buffer overflows, etc. Data received electronically through these methods can be used to attack the receiving system.
- Management: Security is hard and expensive to manage. Organizations often lag behind in proper risk management, and hence vulnerabilities get introduced into the system.
- Lack of training to staff: This leads to human errors and other security breaches.
- Communication: Channels like mobile phone networks, the internet, and telephones open up scope for security hacking.
Why Penetration Testing?
You must have heard about the WannaCry ransomware attack that started in May 2017. It locked more than 2 lakh computers around the world and demanded ransom payments in the Bitcoin cryptocurrency. This attack affected many big organizations around the world.
With such dangerous cyber-attacks happening nowadays, it has become unavoidable to do penetration testing at regular intervals to secure the information systems against security breaches.
So, Penetration Testing is mainly required for:
- Financial or critical data must be secured while transferring it in different systems or over the network.
- Most of the clients are asking for pen testing as part of the software release cycle.
- To protect user data.
- To find security breaches in an application.
- To find loopholes in the system.
- To assess the business impact of successful attacks.
- To meet the information security compliance in any organization.
- To implement an effective security policy in the organization.
Any organization needs to identify security flaws present in its internal network and computers. Using this information, the organization can plan a security defense against any hacking attempt. User privacy and data security are the biggest concerns these days.
Suppose a hacker manages to get user details of a social networking site like Facebook. The organization can face legal issues due to a small security issue left in a software system. Hence, big organizations are looking for PCI (Payment Card Industry) or other payment compliance certifications before doing any business with third-party clients.
What Should Be Tested?
- Software (Operating system, services, Complete application)
- End-user behavior
Penetration Testing Types
#1) Social Engineering Test: In a Social Engineering Test, attempts are made to make a person reveal sensitive information like user passwords, business-critical data, etc. These tests are mostly done by phone or internet, and they target certain helpdesks, employees and processes.
Human errors are the main causes of security breaches. Security standards and policies should be followed by all members to avoid social engineering penetration attempts. An example of these standards is not to mention any sensitive information in email or phone communication. Security audits can be conducted to identify and correct security process flaws.
#2) Web Application Test: Using software methods, one can verify whether the application is exposed to security vulnerabilities. It checks the security flaws of web apps and software programs positioned in the target environment.
#3) Physical Penetration Test: Strong physical security methods are generally applied to protect sensitive data. This is commonly used in military and government facilities. All physical network devices and access points are tested for the possibilities of any security flaws. This test is not much related to the scope of software testing.
#4) Network Services Test: It is one of the most commonly performed penetration tests, in which openings in the network are identified and used to gain entry to the systems on the network, to check what kind of security issues are there.
#5) Client-side Test: It aims to search for and exploit vulnerabilities in client-side software programs.
#6) Remote dial-up war dial: It searches for modems in the environment and tries to log in to the systems connected through these modems by password guessing or brute-forcing.
#7) Wireless Security Test: It discovers open, unauthorized and less secured hotspots or Wi-Fi networks and connects through them.
The categories above are one way of classifying pen tests. We can also organize the types of penetration testing into three parts:
Let’s discuss these testing approaches one by one:
- Black Box Penetration Testing: In this testing approach, the tester assesses the target system, network or process without knowledge of its details. They have only very high-level inputs, like a URL or company name, with which they penetrate the target environment. No code is examined in this method.
- White Box Penetration Testing: In this testing approach, the tester is equipped with complete details about the target environment – Systems, network, OS, IP address, source code, schema, etc. It verifies the code and finds out design & development errors. It’s a simulation of an internal security attack.
- Grey Box Penetration Testing: In this testing approach, the tester has limited details about the target environment. It’s a simulation of external security attacks.
Pen Testing Techniques
- Manual Penetration Test
- Using automated penetration test tools
- Combination of both manual and automated process
The third process is more commonly used to identify all kinds of security vulnerabilities.
Manual Penetration Test
It’s difficult to find all vulnerabilities using automation tools. There are some security vulnerabilities that can be identified by manual scan only. Penetration testers can attack applications based on their logic, skills and knowledge of the system being penetrated.
Methods like social engineering can be carried out only by humans, which makes them manual testing. Manual testing includes design, business logic as well as code verification.
Penetration Test Process:
Now let’s discuss the actual process followed by test agencies or penetration testers. Finding security breaches present in the system is the first important step in this process. Corrective actions are taken on these vulnerabilities, and the same penetration tests are repeated until the system tests negative on all of them.
We can categorize this process into the following steps:
#1) Data collection: Different methods, including Google search, are used to get target system data. One can also use web page source code analysis to get more information about the system, software and plugin versions.
There are various free tools and services available in the market which can give you information like database or table names, DB versions, software versions, the hardware used and various third-party plugins used in the target system.
#2) Vulnerability Assessment: Based on the data collected in the first step, one can find the security flaws in the target system. This helps penetration testers launch attacks using the identified entry points in the system.
#3) Actual Exploit: This is a crucial step. It requires special skills and penetration testing techniques to launch an attack on the target system. Experienced penetration testers can use their logic and skills to launch an attack on the system.
#4) Result analysis and report preparation: After finishing the penetration tests, detailed reports are prepared for taking corrective actions. All identified security vulnerabilities and recommended corrective methods are listed in these reports. You can customize the vulnerability report format (HTML, XML, MS Word or PDF) as per your organization’s needs.
Penetration Testing Sample Test Cases (Test Scenarios)
Remember, penetration testing is not functional testing. In this test your goal is to find security holes in the system. Below are some common test cases; they are not necessarily applicable to all applications:
- Check if the web application is able to identify spam attacks on contact forms used on the website.
- Proxy server – Check if network traffic is observed by proxy appliances. The proxy server makes it difficult for attackers to get internal details of the network thus protecting the system from external attacks.
- Spam email filters – Verify if incoming and outgoing email traffic is filtered and unsolicited emails are blocked.
- Many email clients come with inbuilt spam filters that need to be configured as per your needs. Such configuration rules can be applied to email headers, subject or body.
- Firewall – Make sure the whole network or computers are protected with firewalls. A firewall can be software or hardware that blocks unauthorized user access to a system. A firewall can prevent data from being sent outside the network without your permission.
- Try to utilize all servers, desktop systems, printers, and network devices.
- Verify that all usernames and passwords are encrypted and transferred over secure connections such as https.
- Verify information stored in website cookies. It should not be in a readable format.
- Verify previously found security breaches to check if the fix is working.
- Verify if there is no open port in the computer network.
- Verify all telephonic devices.
- Verify wireless (WIFI) network security.
- Verify all HTTP methods. PUT and DELETE methods should not be enabled on the cloud (server).
- Verify if the password meets the required standards. The password should be at least 8 characters long and a combination of special and alphanumeric characters.
- Usernames should not be like “admin” or “administrator”, as these are open to guessing.
- The application login page should be locked upon a few unsuccessful login attempts.
- Error messages must be generic and should not mention specific error details like “Invalid username” or “Invalid password”.
- Verify if special characters, HTML tags, and scripts are handled properly as input values.
- Internal system details should not be published in any of the error or alert messages.
- Custom error messages should be displayed to end-users in case of a web page crash.
- Verify the use of registry entries. Sensitive data should not be kept in the registry.
- All files must be scanned before uploading them to the server.
- Sensitive data should not be passed in any URLs while communicating with different internal modules of the projects.
- There should not be any hardcoded username or password in the system.
- Verify all input fields with long input strings with and without spaces.
- Verify if reset password functionality is secure.
- Verify application for SQL Injection.
- Verify application for XSS (Cross site scripting)
- Critical resources in the system should be available only to authorized persons and services.
- All access logs should be maintained with proper access permissions.
- Verify the user session ends upon log off.
- Verify that directory browsing is disabled on the server.
- Verify that all applications and database versions are up to date.
- Verify URL manipulation to check that the web application does not show any unwanted information, such as sensitive user information.
- Verify memory leak and buffer overflow.
- Verify if incoming traffic is scanned to find Trojan attacks.
- Verify if the system is safe from Brute Force Attacks – a trial and error method to find sensitive data information like passwords.
- Verify application for HTML script injection attacks.
- Verify against COM & ActiveX attacks.
- Verify against spoofing attacks. It can be of multiple types – IP address spoofing, Email ID spoofing, ARP spoofing, Referrer spoofing, Caller ID spoofing, Poisoning of file-sharing networks, GPS spoofing.
- Check for an uncontrolled format string attack – a security attack that can cause the application to crash or execute the harmful script on it.
- Verify XML injection attack – used to alter the intended logic of the web application.
- Verify against canonicalization attacks.
- Verify if the error pages are displaying any information such as sensitive data path etc that can be helpful for a hacker to enter into the system.
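Several of the web-facing checks in the list above (HTTP methods, https, sensitive data in URLs, readable cookies, specific login errors, directory browsing) can be run against recorded responses from your own application. The following is an added example, not part of the original article; the response dictionary format, the app.example host, the parameter list and the cookie heuristic are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

SENSITIVE_PARAMS = {"password", "passwd", "token"}          # assumed list
SPECIFIC_ERRORS = ("invalid username", "invalid password")  # from the checklist

def audit(resp):
    """Return checklist findings for one response dict (hypothetical format)."""
    findings = []
    headers = {k.lower(): v for k, v in resp["headers"].items()}
    allowed = {m.strip().upper() for m in headers.get("allow", "").split(",")}
    findings += [f"{m} method enabled" for m in sorted(allowed & {"PUT", "DELETE"})]
    url = urlsplit(resp["url"])
    if url.scheme != "https":
        findings.append("not served over https")
    params = {k.lower() for k in parse_qs(url.query)}
    findings += [f"sensitive parameter in URL: {p}"
                 for p in sorted(SENSITIVE_PARAMS & params)]
    cookie = headers.get("set-cookie")
    if cookie:
        name, _, value = cookie.split(";")[0].partition("=")
        # Heuristic: a short plain word as the value is human-readable data.
        if re.fullmatch(r"[A-Za-z]{1,16}", value.strip()):
            findings.append(f"readable cookie value: {name.strip()}")
    body = resp["body"].lower()
    if any(phrase in body for phrase in SPECIFIC_ERRORS):
        findings.append("login error reveals which field was wrong")
    if "index of /" in body:
        findings.append("directory browsing enabled")
    return findings

# Constructed sample responses; app.example is a placeholder host.
SAMPLES = [
    {"url": "https://app.example/", "headers": {"Allow": "GET, POST, PUT, DELETE"},
     "body": ""},
    {"url": "https://app.example/login?password=EXAMPLE",
     "headers": {"Set-Cookie": "user=alice; Path=/"}, "body": "Invalid password"},
    {"url": "http://app.example/files/", "headers": {},
     "body": "<title>Index of /files</title>"},
    {"url": "https://app.example/login",
     "headers": {"Set-Cookie": "sid=9f2c71d0a4b8e613; Secure; HttpOnly"},
     "body": "Login failed"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["url"], "->", audit(sample) or "no findings")
```

The last sample shows the passing case: https, an opaque session cookie and a generic error message produce no findings.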
These are just the basic test scenarios to get started with Penetration testing. There are hundreds of advanced penetration methods which can be done either manually or with the help of any automation tools.
Finally, as a penetration tester, I need to collect and log all vulnerabilities in the system. Don’t ignore any scenario on the assumption that it won’t be executed by end-users.