What is Penetration Testing?
What is Penetration Testing?
The shortest definition of penetration testing is the set of testing activities to capture the targeted system or systems. Pentest is the abbreviated version of “penetration testing”.
The penetration testers simulate certain attacker profiles. The anonymous profile, which has no assigned access rights to the target systems, is generally used in all of the pentest engagements. In some cases a customer or personnel user profile with a certain level of application access righs is used in penetration testing engagements.
Penetration testing activities start with a basic network access, but they might continue with using the footholds obtained during the pentesting process to have deeper access into the target network or systems. In some engagements the penetration tester accesses to the target system or application with a low level of user access rights. In that case the penetration tester enumerates the target system to identify the local vulnerabilities or configuration weaknesses, than tries to escalate his/her privileges to the system administrator rights using them. Because, the ultimate goal of a pentest is usually to capture the system to the highest extent possible.
Technically, a pentest engagement ends after capturing the target system using a certain vulnerability. In that case, the pentest client would not be able to learn all (or most) of the vulnerabilites. For that reason in most penetration testing engagements the scope of work includes a vulnerability assessment of the targeted systems. Capturing a system and enumerating all (or most) of the vulnerabilities of the targeted system might contradict each other most of the time. Because, penetration testing with a capturing objective would require focusing on a certain vulnerability and technology and additional research for relevant technical matters. With a limited time budget and the time wasted with a comprehensive vulnerability assessment a penetration testing engagement might not advance to the highest level of capture as possible.
Penetration testing activities involves uploading attack tools to captured systems, unexpected requests to services which could result in loss of integrity and business interruptions. Those risks are inevitable, but can be lowered with appropriate test timing, good coordination with the system owners, backup of the critical data before testing and a skilled test team. When a vulnerability with available exploit is discovered management, approval must be obtained prior to the use of the exploit.
How to Perform a Penetration Test
The first phase in a penetration test is information gathering. There are two main methods to gather information about a targeted network if it is accessible from the internet. One of them is the offline method. In the offline method the targeted network’s IP intervals and domain names are searched from whois databases and registries. Search engines are used to identify the web services available in the targeted domains. Personnel information is gathered from the search engines and social media if social engineering tests are in the scope of the penetration testing. Although not exactly an offline method forward and reverse DNS queries can be included in the offline information gathering phase.
The second method of information gathering is the online method. In this method the penetration tester starts touching the targeted systems to gather information. Thus the tester’s activities are noticable by the system owners at this phase of the penetration testing. With online queries and requests to the targeted systems a clearer picture of the target network can be obtained.
After information gathering phase service and user enumeration phases begin. In this phase the technologies supporting the discovered services, the producers of the technologies and the versions of the services are enumerated. Additionally the default users and other enumerables users for the certain services are identified at this phase.
Known vulnerabilities for the enumerated services are searched from the vulnerability databases. Most of the web services are custom services, thus a manual discovery for web vulnerabilities is required for most of the web services.
After the vulnerability search phase shared exploit codes are searched or the development of custom exploits are considered. As mentioned above exploits can only be tried after management approval since we might face loss of integrity and availability risks.
The default user passwords are tried for the enumerated default users. For other enumerated users the password policy and feasibility of the password bruteforce attacks are considered before trying passwords. Tight password policies might result in denial of service in case of a bruteforce attacks, thus they must be implemented with extreme care.
Once a foothold is gained at a target system (e.g. accessed the system with a regular user access rights) the next step should be to obtain an administrator access to the system. Thus enumeration scripts are run on the systems if possible to identify any local privilege escalation vulnerabilities or insecure configurations which might result in running privileged processes. Again management approval is required for the use of potential exploit codes on the target systems to manage the risks of integrity and availability losses.
Depending on the project plan and the objectives of the penetration testing engagement, additional information obtained from the captured systems might be evaluated for the next steps.
Finally, the identified vulnerabilities, their impacts and their resolution suggestions are reported. To increase the added value of the report, recommendations might contain architectural and procedural control improvements since the root causes of the identified vulnerabilities stem from them most of the time.
Selection of a Pentest Firm
Penetration testing is essentially an audit activity with a high level of technical depth. Thus the technical expertise of the penetration testing team is very important. The technical expertise of a firm can be assessed in may ways, but the most effective way is to ask for the opinion of the firm’s other clients or trying the firm’s services in a sample engagement.
The second but equally important factor for the selection of a penetration testing firm is the firm’s independence. The information one can access before and during a penetration testing engagement is highly sensitive. Thus the independence and ethics of the pentesting firm must be scrutinized. Obvious or not so obvious ties of a penetration testing firm to other parties should carefully be evaluated and the possibility of misuse of the information gathered during a penetration testing service engagement should be considered.
The third factor for the selection of a penetration testing firm is the firm’s ethics. Approach of a penetration testing firm with a cyber intelligence information or with a critical vulnerability information after a penetration testing engagement should be considered suspicious. That kind of an information might be identified during the penetration testing engagement but not shared with you in the first place. The use of stories about the critical vulnerabilities identified during other clients’ engagements as a marketing argument is not as rare as expected.
The Periods for Penetration Testing Engagements
As with all audit activities the penetration testing engagements should be planned in accordance with a risk assessment process. During the risk assessment process the criticality of the systems, the profile of the users and the security profile of the networks connected should be taken into consideration. For highly critical systems periodic penetration tests should be done whether a change happens on the system or not since new vulnerabilities are discovered every day.
BTRisk’s Point of View
BTRisk has a database of vulnerabilities for network, system, application and privacy related findings accumulated in many years of penetration testing engagements. Business and technical risks are explained to make the findings more conceivable in terms of their impacts. Detailed recommendations are reported with each finding to make the technical teams’ works easier.
We use our own reporting engine software to improve the efficiency of our reporting process. Our reports include vulnerability statistics, executive summary and detailed technical vulnerabilities sections. In the executive summary part we define the test scope, criteria for vulnerabilities and a summary of significant vulnerabilities.
BTRisk uses prominent commercial and open source security audit tools to support its penetration testing methodology. In application pentest services all input points and attack vectors are manually checked using the relevant payloads for the used technologies. This enables us to detect vulnerabilities that might be overlooked by the automated scanning tools and to detect logic errors as well as minimize the risk of loss of data integrity. For those cases where the existing tools are not sufficient we develop custom testing scripts to meet our objectives.
BTRisk uses existing load generators and custom developed scripts for load testing and DDOS simulation tests. To simulate the distributed attacks we create virtual servers from the cloud service providers and run our load generators on them.
To alleviate the risk of interruption during our tests we plan our tests for less risky hours, create immediate communication channels with the client personnel and use manual testing methods whenever required.
BTRisk takes every procedural and technical measure to protect its clients’ sensitive data and don’t create another risk vector for them.