Penetration Testing Process

Penetration tests are often used to identify existing vulnerabilities in an entity's network or systems and are performed by skilled and trusted security professionals. These tests range from simple network scans that look for vulnerabilities all the way to exploiting those vulnerabilities to compromise systems. The results are documented and presented to corporate leadership and system owners so that they can improve the organization's cybersecurity posture.

Penetration testing can cause unforeseen complications such as network traffic congestion and system downtime, and it can introduce the very vulnerabilities and compromises it is meant to prevent. Because of these potential consequences, it is vital to agree on comprehensive rules of engagement (ROE) before carrying out the test. Regardless of who performs the penetration test, the ROE must establish who is aware of the testing and exactly what actions will be performed.

Penetration tests are often conducted by ethical hackers to determine how likely it is that a system's vulnerabilities could be exploited by malicious attackers. Either a white box or a black box test can be conducted. In a white box test, the ethical hacker is given knowledge of the internal structure of the systems under test. In a black box test, the tester has no information about the internals of the systems and approaches the test the way an actual malicious hacker would.

During these tests, testers attempt to exploit vulnerabilities by conducting attacks, and they perform packet and network analysis to move further into the network and learn more about its users.

Penetration Testing Process

Reconnaissance: Reconnaissance is the process of collecting preliminary information about the target in order to facilitate penetration. Initial reconnaissance can provide a wealth of information about the target and can be performed through the use of "readily available public information" (Hafele, 2004). Social engineering is also a method of finding out information about the client.

Scanning, or service determination: In this phase the ethical hacker probes ports across the corporation's network to determine information such as the operating systems in use, the services exposed, and potential vulnerabilities.

Enumeration: In the enumeration phase, penetration testers gather further detail about network devices such as routers, switches, and servers while continuing to scan for vulnerabilities.

Gaining access: During this phase, a penetration tester attempts to compromise systems using attack techniques such as password cracking, buffer overflows, SQL injection, and denial-of-service attacks.

Once an ethical hacker has gained access to the corporation's systems, the next goal is to obtain administrator or root-level permissions. With these permissions, hackers can plant malware that spreads easily across the network; they use rootkits to evade detection and backdoors to maintain entry to the target.

The Penetration Testing Execution Standard (PTES) was created in response to the low-quality penetration tests being sold in the cybersecurity market. The PTES divides penetration testing into seven phases:

  1. Preengagement Interactions
  2. Intelligence Gathering
  3. Threat Modeling
  4. Vulnerability Analysis
  5. Exploitation
  6. Postexploitation
  7. Reporting

Preengagement interactions take place with the client before approval is granted to conduct penetration testing on the network; this is where the rules of engagement are agreed.
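To make the rules of engagement concrete, here is an added example (not part of the original text or of PTES) of a scope check that refuses any planned step whose target, time, or action falls outside what was agreed during preengagement. The CIDR ranges, testing window, and action names are constructed assumptions for illustration only.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RulesOfEngagement:
    """Scope agreed with the client during preengagement."""
    in_scope: tuple             # CIDR ranges the client authorised
    excluded: tuple             # hosts or ranges explicitly carved out
    window_start: datetime      # approved testing window (inclusive)
    window_end: datetime
    allowed_actions: frozenset  # actions the client approved (e.g. no denial-of-service)


def check_action(roe, target, action, when):
    """Return (allowed, reason) for one planned action against one target."""
    ip = ip_address(target)
    if not any(ip in ip_network(net) for net in roe.in_scope):
        return False, "target not in authorised scope"
    if any(ip in ip_network(net) for net in roe.excluded):
        return False, "target explicitly excluded by ROE"
    if not roe.window_start <= when <= roe.window_end:
        return False, "outside approved testing window"
    if action not in roe.allowed_actions:
        return False, f"action '{action}' not approved in ROE"
    return True, "ok"


def review_plan(roe, plan):
    """Check each (target, action, time) step; return the rejected steps with reasons."""
    rejected = []
    for target, action, when in plan:
        allowed, reason = check_action(roe, target, action, when)
        if not allowed:
            rejected.append((target, action, reason))
    return rejected


# Constructed ROE using RFC 5737 documentation addresses, not a real client network.
EXAMPLE_ROE = RulesOfEngagement(
    in_scope=("192.0.2.0/24",),
    excluded=("192.0.2.10/32",),  # e.g. a production host the client carved out
    window_start=datetime(2024, 3, 4, 22, 0, tzinfo=timezone.utc),
    window_end=datetime(2024, 3, 5, 6, 0, tzinfo=timezone.utc),
    allowed_actions=frozenset({"scan", "enumerate", "exploit"}),
)
IN_WINDOW = datetime(2024, 3, 5, 1, 0, tzinfo=timezone.utc)
OUT_OF_WINDOW = datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    plan = [("192.0.2.20", "scan", IN_WINDOW), ("192.0.2.10", "exploit", IN_WINDOW),
            ("198.51.100.5", "scan", IN_WINDOW), ("192.0.2.20", "dos", OUT_OF_WINDOW)]
    for step in review_plan(EXAMPLE_ROE, plan):
        print("REJECTED:", step)
```

Running the script rejects three of the four planned steps; only the in-scope scan during the approved window passes.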

Intelligence gathering, also known as reconnaissance, consists of collecting information about the target. Threat modeling identifies the vulnerable parts of the network. In the exploitation phase the attack actually takes place: the ethical hacker tries to get as far into the network as possible, escalate privileges, and document the process according to the agreement reached in the preengagement interactions. Afterward, a report is produced with the ethical hacker's findings.

References

Hafele, D. M. (2004, February 23). Three different shades of ethical hacking. https://www.sans.org/reading-room/whitepapers/hackers/shades-ethical-hacking-black-white-gray-1390+&cd=1&hl=en&ct=clnk&gl=us
