Penetration testing, or pen testing as it is often referred to, involves an authorized individual adopting the role of a hacker and attempting to compromise or gain access to a network or an application. A penetration test, colloquially known as a pen test or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of that system; it is not to be confused with a vulnerability assessment. The test is performed to identify weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties to gain access to the system’s features and data, as well as strengths, enabling a full risk assessment to be completed.
The process typically identifies the target systems and a particular goal, then reviews available information and undertakes various means to attain that goal. A penetration test target may be a white box (about which background and system information are provided in advance to the tester) or a black box (about which only basic information—if any—other than the company name is provided). A gray box penetration test is a combination of the two (where limited knowledge of the target is shared with the auditor). A penetration test can help identify a system’s vulnerabilities to attack and estimate how exposed it is.
Security issues that the penetration test uncovers should be reported to the system owner. Penetration test reports may also assess potential impacts on the organization and suggest countermeasures to reduce the risk.
The goals of a penetration test vary depending on the type of approved activity for any given engagement, with the primary goal focused on finding vulnerabilities that could be exploited by a nefarious actor, and informing the client of those vulnerabilities along with recommended mitigation strategies.
Penetration tests are a component of a full security audit. For example, the Payment Card Industry Data Security Standard requires penetration testing on a regular schedule, and after system changes. Penetration testing can also support risk assessments as outlined in the NIST Risk Management Framework SP 800-53.
Penetration testing phases
The process of penetration testing may be simplified into the following five phases:
Reconnaissance: The act of gathering important information on a target system. This information can be used to better attack the target. For example, open-source search engines can be used to find data that can be used in a social engineering attack.
Scanning: Uses technical tools to further the attacker’s knowledge of the system. For example, Nmap can be used to scan for open ports.
Gaining access: Using the data gathered in the reconnaissance and scanning phases, the attacker can use a payload to exploit the targeted system. For example, Metasploit can be used to automate attacks on known vulnerabilities.
Maintaining access: Taking the steps needed to remain persistently within the target environment in order to gather as much data as possible.
Covering tracks: The attacker must clear any trace of compromising the victim system, any type of data gathered, or log events, in order to remain anonymous.
Once an attacker has exploited one vulnerability, they may gain access to other machines, so the process repeats: they look for new vulnerabilities and attempt to exploit them. This process is referred to as pivoting.
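The scanning and pivoting steps described above are the ones a defender can most readily spot in connection logs: one source touching many distinct ports on a host in a short window is the signature of a port sweep, and a host that was swept earlier and then starts sweeping its neighbours is a candidate pivot. The following is an added example written for this article, not code from the original text or from any tool it names; the log format, the TEST-NET addresses and the sample traffic are all constructed for the example, and the 60-second window and 10-port threshold are illustrative values, not recommendations.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not any vendor's):
#   <ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<ACCEPT|DROP>
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")
BASE = datetime(2024, 5, 1, 10, 0, 0)


def _line(sec, src, dst, dport, action):
    """Build one constructed log line `sec` seconds after BASE."""
    ts = (BASE + timedelta(seconds=sec)).isoformat()
    return f"{ts} src={src} dst={dst} dport={dport} action={action}"


# Constructed sample traffic (documentation/TEST-NET addresses, not real hosts).
SAMPLE_LOG = (
    # 1) an external host sweeps 12 ports on the web server within 12 seconds
    [_line(s, "203.0.113.5", "192.0.2.10", p, "DROP")
     for s, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])]
    # 2) a legitimate client reuses port 443 repeatedly: many hits, one port
    + [_line(20 + s, "198.51.100.7", "192.0.2.10", 443, "ACCEPT") for s in range(15)]
    # 3) two hours later the web server itself probes a database host (pivoting)
    + [_line(7200 + s, "192.0.2.10", "192.0.2.20", p, "DROP")
       for s, p in enumerate(range(3300, 3311))]
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, action = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "action": action}


def detect_scans(lines, window=timedelta(seconds=60), threshold=10):
    """Flag (src, dst) pairs where one source touched >= threshold distinct
    destination ports inside any `window`-long span. Returns alerts sorted by time."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)

    alerts = []
    for (src, dst), evs in by_pair.items():
        # Sliding window: evs[start:end+1] always spans at most `window`.
        start, counts, best = 0, defaultdict(int), None
        for end, e in enumerate(evs):
            counts[e["dport"]] += 1
            while e["ts"] - evs[start]["ts"] > window:
                old = evs[start]["dport"]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= threshold and (best is None or len(counts) > best["ports"]):
                best = {"src": src, "dst": dst, "ports": len(counts),
                        "first": evs[start]["ts"], "last": e["ts"]}
        if best:
            alerts.append(best)
    return sorted(alerts, key=lambda a: a["first"])


def find_pivots(alerts):
    """Return alerts whose scanning source was itself the target of an earlier scan."""
    seen_targets, pivots = set(), []
    for a in alerts:
        if a["src"] in seen_targets:
            pivots.append(a)
        seen_targets.add(a["dst"])
    return pivots


if __name__ == "__main__":
    found = detect_scans(SAMPLE_LOG)
    for a in found:
        print(f"scan: {a['src']} -> {a['dst']} ({a['ports']} ports, {a['first']} .. {a['last']})")
    for p in find_pivots(found):
        print(f"possible pivot: {p['src']} was scanned earlier and is now scanning {p['dst']}")
```

The legitimate client in sample 2 generates more log lines than the scanner but only ever touches one port, which is why the detector counts distinct destination ports rather than raw connection attempts. Because the rule keys on the source address, it stays silent on a scan that is spread across many sources or stretched out well beyond the window, so in practice it is one signal among several rather than a complete scan detector.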
Types of Penetration Tests
1) Infrastructure And Network Penetration Testing
2) Web Application Penetration Testing
3) Mobile Application Penetration Testing
4) Social Engineering Penetration Testing