What is penetration testing?

A penetration test goes a step beyond a vulnerability assessment: where an assessment lists vulnerabilities, a penetration test attempts to exploit them and documents how those weaknesses can be used, often by chaining several of them, to compromise a host or network. Penetration testing exposes the gaps in an organization's security model and helps the organization balance technical controls against business functionality in light of the breaches an attacker could actually achieve.

What can an organization accomplish with penetration testing?

  • Testing and validating the effectiveness of the security controls the organization uses
  • Identifying the organization's vulnerabilities, both internal and external
  • Providing the gathered evidence to the audit team for regulatory compliance
  • Reducing the cost of security audits by providing comprehensive, detailed evidence of the organization's security capabilities
  • Providing guidance in prioritizing known and newly discovered vulnerabilities in applications
  • Finding the existing risks in the organization's networks and systems
  • Assessing the effectiveness of network security devices such as firewalls and routers, and of exposed services such as web servers
  • Providing an approach that can be used to prevent future exploitation
  • Determining whether existing software, hardware or network infrastructure needs to be changed or upgraded

There are three phases of penetration testing:

1. Pre-Attack Phase

The pre-attack phase consists of investigating and exploring the potential target. It centres on information gathering and may also involve competitive intelligence gathering, social engineering and related activities. A penetration tester, like a real attacker, typically spends more time in the pre-attack phase than in the actual attack phase.

Passive Reconnaissance – In this stage the tester gathers as much information as possible about the target's network, software and operating systems from public sources, without sending traffic to the target itself.

Some passive reconnaissance activities are:

  • Mapping the directory structure of the web server and FTP server from search-engine caches and archived copies, so that no requests reach the target
  • Gathering information from newsgroups, bulletin boards and the organization's feedback sites. Job postings, published résumés and headcount figures also reveal the technologies in use
  • Gathering network information (registrar, name servers, IP blocks) from the WHOIS database, and information about critical assets and business services from the organization's websites
  • Determining the value of the infrastructure that faces the Web. Asset classification, as described in ISO 17799 (since renumbered ISO/IEC 27002), may also be carried out here, so that the penetration test can quantify acceptable risk to the business
  • Determining the target company's product range and service offerings that are available or can be requested online. The tester can estimate the threat to these by checking the available documentation, the versions in use, and known vulnerabilities and cracks for the associated third-party products

Active Reconnaissance – In this stage information is gathered by interacting with the target directly. Probes are sent to the target in the form of port scans, network sweeps, and enumeration of shares and user accounts. The tester may also use social engineering and tools that automate these tasks, such as scanners and sniffers. Because these probes touch the target they can be logged and detected, so they must stay inside the agreed scope and test window.

Some active reconnaissance activities are:

  • Network mapping: Map the network starting from the domain registration data and IP blocks unearthed during passive reconnaissance; the IP block forms the backbone of the network. Investigate the network's upstream and downstream links, including the primary and secondary name servers for hosts and subdomains. Steps include:
    • Interpreting broadcast responses from the network.
    • If ICMP is not blocked, sweeping the network with ICMP echo requests.
    • Using reverse name lookups to verify addresses, and confirming each reverse name with a forward lookup.
  • Web profiling: This step profiles and maps the organization's Internet presence. The information gleaned feeds later attack techniques such as SQL injection, web server and application attacks, session hijacking and denial of service. Steps include:
    • Cataloguing all web-based forms, the types of user input they accept, and their form-submission destinations.
    • Cataloguing web privacy data, including cookie types (persistent or session), the nature and location of the information stored, cookie expiration rules, and the encryption and cookie flags (Secure, HttpOnly) used.
    • Cataloguing web error messages, bugs in services, third-party links, and applications.
    • Locating the back-end destinations (hosts and endpoints) to which the forms submit data.
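The hand-off from passive to active reconnaissance described in the WHOIS bullet and the network-mapping steps above, as an added example that is not part of the original text: parse a WHOIS record for the target's netblock and name servers, expand the block into candidate hosts, and verify each address with a reverse lookup that is then confirmed by a forward lookup (a PTR name that does not resolve back to the address is a stale or spoofable record, not a verified host). All data is constructed: 203.0.113.0/29 is an RFC 5737 documentation range, and the `fake_*` resolvers return canned answers so the script runs offline; `live_ptr` and `live_forward` show the real socket calls to plug in during an authorised engagement.

```python
import ipaddress
import re
import socket
from typing import Any, Callable, Dict, List, Optional

# Constructed WHOIS-style output for an imaginary netblock.
SAMPLE_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.7
CIDR:           203.0.113.0/29
NetName:        EXAMPLE-CORP-NET
Organization:   Example Corp (EXAMP-1)
Registrar:      Example Registrar, LLC
Name Server:    NS1.EXAMPLE.COM
Name Server:    NS2.EXAMPLE.COM
Updated:        2023-01-10
"""


def parse_whois(text: str) -> Dict[str, Any]:
    """Turn 'Key: value' lines into a dict; repeated 'Name Server' keys are collected."""
    record: Dict[str, Any] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).lower().replace(" ", "_"), m.group(2)
        if key == "name_server":
            record.setdefault("name_servers", []).append(value.lower())
        else:
            record[key] = value
    return record


def hosts_in_block(record: Dict[str, Any]) -> List[str]:
    """Expand the CIDR from WHOIS into its usable host addresses."""
    net = ipaddress.ip_network(record["cidr"], strict=False)
    return [str(h) for h in net.hosts()]


PtrLookup = Callable[[str], Optional[str]]   # ip -> reverse name or None
ForwardLookup = Callable[[str], List[str]]   # name -> list of A records


def verify_address(ip: str, ptr: PtrLookup, forward: ForwardLookup) -> Dict[str, Optional[str]]:
    """Forward-confirmed reverse DNS for one address."""
    name = ptr(ip)
    if name is None:
        return {"ip": ip, "name": None, "status": "no-ptr"}
    status = "confirmed" if ip in forward(name) else "mismatch"
    return {"ip": ip, "name": name, "status": status}


# Constructed DNS answers: .4 and .6 have no PTR record; .5's PTR points at a
# name whose A record is a different address (a stale reverse zone).
FAKE_PTR = {"203.0.113.1": "gw.example.com", "203.0.113.2": "www.example.com",
            "203.0.113.3": "mail.example.com", "203.0.113.5": "old-host.example.com"}
FAKE_A = {"gw.example.com": ["203.0.113.1"], "www.example.com": ["203.0.113.2"],
          "mail.example.com": ["203.0.113.3"], "old-host.example.com": ["203.0.113.9"]}


def fake_ptr(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def fake_forward(name: str) -> List[str]:
    return FAKE_A.get(name, [])


def live_ptr(ip: str) -> Optional[str]:
    """Real reverse lookup (socket.herror/gaierror are OSError subclasses)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_forward(name: str) -> List[str]:
    """Real forward lookup, IPv4 only."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})
    except OSError:
        return []


def map_block(whois_text: str, ptr: PtrLookup = fake_ptr, forward: ForwardLookup = fake_forward):
    """Parse the WHOIS record, then verify every host in its netblock."""
    record = parse_whois(whois_text)
    hosts = [verify_address(ip, ptr, forward) for ip in hosts_in_block(record)]
    return record, hosts


if __name__ == "__main__":
    rec, hosts = map_block(SAMPLE_WHOIS)   # pass ptr=live_ptr, forward=live_forward for real DNS
    print("name servers:", ", ".join(rec["name_servers"]))
    for h in hosts:
        print(f"{h['ip']:<14} {h['status']:<10} {h['name'] or '-'}")
```

The three statuses are worth keeping apart in the report: `no-ptr` hosts still need a sweep or port scan before they can be dropped, and a `mismatch` often points at decommissioned or re-addressed equipment that the organization has lost track of.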
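The web-profiling inventory described in the steps above (forms, their inputs and submission destinations; cookie types and flags), as an added example that is not from the original text. The HTML page and the Set-Cookie headers are constructed sample data for the hypothetical host www.example.com; in an engagement they would come from the HTTP responses captured while browsing the site.

```python
from html.parser import HTMLParser
from typing import Any, Dict, List, Optional
from urllib.parse import urljoin, urlparse

# Constructed page: a search form, a login form posting to another origin,
# and a feedback form with a relative action.
SAMPLE_HTML = """
<html><body>
<form action="/search" method="get">
  <input name="q" type="text"><input type="submit" value="Go">
</form>
<form action="https://auth.example.net/login" method="post">
  <input name="user"><input name="pass" type="password">
  <input type="hidden" name="next" value="/account">
</form>
<form action="feedback.php" method="POST"><textarea name="comment"></textarea></form>
</body></html>
"""

# Constructed Set-Cookie headers as a server might send them.
SAMPLE_SET_COOKIE = [
    "sessionid=8f3a1c; Path=/; HttpOnly",
    "remember=d41d8c; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/; Secure; HttpOnly; SameSite=Lax",
    "tracking=42; Max-Age=31536000; Path=/",
]

NON_USER_INPUTS = ("submit", "button", "image", "reset")


class FormCatalogue(HTMLParser):
    """Collect every form with its method, resolved action URL and inputs."""

    def __init__(self, base_url: str) -> None:
        super().__init__()
        self.base_url = base_url
        self.forms: List[Dict[str, Any]] = []
        self._form: Optional[Dict[str, Any]] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)   # boolean attributes arrive with value None
        if tag == "form":
            action = urljoin(self.base_url, a.get("action") or "")
            self._form = {
                "action": action,
                "method": (a.get("method") or "get").upper(),
                "cross_origin": urlparse(action).netloc != urlparse(self.base_url).netloc,
                "inputs": [],
            }
        elif tag in ("input", "textarea", "select") and self._form is not None:
            kind = a.get("type") or ("text" if tag == "input" else tag)
            self._form["inputs"].append({"name": a.get("name"), "type": kind.lower()})

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            f = self._form
            f["has_password"] = any(i["type"] == "password" for i in f["inputs"])
            # Fields an attacker controls: candidates for injection testing later.
            f["user_controlled"] = [i["name"] for i in f["inputs"]
                                    if i["name"] and i["type"] not in NON_USER_INPUTS]
            self.forms.append(f)
            self._form = None


def parse_set_cookie(header: str) -> Dict[str, Any]:
    """Split one Set-Cookie header into name/value and its attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Any] = {}
    for part in parts[1:]:
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True   # flags become True
    persistent = "expires" in attrs or "max-age" in attrs
    return {
        "name": name.strip(), "value": value.strip(),
        "type": "persistent" if persistent else "session",
        "expires": attrs.get("max-age") or attrs.get("expires"),
        "secure": attrs.get("secure") is True,
        "httponly": attrs.get("httponly") is True,
        "samesite": attrs.get("samesite"),
    }


def cookie_findings(cookie: Dict[str, Any]) -> List[str]:
    """Missing protections that a later session-hijacking test will try to use."""
    issues = []
    if not cookie["secure"]:
        issues.append("missing Secure")
    if not cookie["httponly"]:
        issues.append("missing HttpOnly")
    if cookie["samesite"] is None:
        issues.append("no SameSite")
    return issues


def profile(base_url: str, html: str, set_cookie_headers: List[str]) -> Dict[str, Any]:
    """Build the web profile: catalogued forms plus classified cookies."""
    catalogue = FormCatalogue(base_url)
    catalogue.feed(html)
    catalogue.close()
    cookies = []
    for header in set_cookie_headers:
        c = parse_set_cookie(header)
        c["issues"] = cookie_findings(c)
        cookies.append(c)
    return {"forms": catalogue.forms, "cookies": cookies}


if __name__ == "__main__":
    import json
    print(json.dumps(profile("https://www.example.com/", SAMPLE_HTML, SAMPLE_SET_COOKIE), indent=2))
```

Two things the catalogue makes visible that a manual walk through the site easily misses: a form that posts credentials to a different origin (here `auth.example.net`) widens the scope that must be agreed before testing it, and a session cookie without the Secure flag is a concrete lead for the session-hijacking work in the attack phase.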

2. Attack Phase

In this phase the target is actually compromised. The tester exploits the vulnerabilities discovered during the pre-attack phase. The important point is that while the attacker needs only one point of entry, the organization is left to defend many. Once inside, the attacker may escalate privileges and install a backdoor to sustain access to the system and exploit it further.

Acquiring the target: Target acquisition covers the activities in which the tester subjects a particular machine or system to more intrusive challenges, such as vulnerability scans and security assessments, in order to unearth as much information about it as possible for use in the exploit phase.

Escalating Privileges: Once the target has been acquired, the tester attempts to exploit the system and gain greater access to protected resources. Activities include the following:

  • Taking advantage of poor security policies, e-mails, or unsafe web code to gather information that can lead to an escalation of privileges.
  • Using techniques such as brute force to achieve privileged status. Tools for this purpose include GetAdmin and password crackers.
  • Using Trojans and protocol analyzers.
  • Using information gleaned through techniques such as social engineering to gain unauthorized access to privileged resources.
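The password-cracker route to privileged status named in the list above, as an added example that is not part of the original text. The "captured" store is constructed: three accounts under a hypothetical salted-SHA-256 scheme (`hash_password` is this example's own definition, not any real system's format; production stores use bcrypt, scrypt or PBKDF2, which are far slower per guess, but the dictionary-plus-rules attack is the same). The wordlist and the mutation rules are also constructed; in an engagement they come from leaked-password lists and the organization's own naming conventions.

```python
import hashlib
from typing import Dict, Iterator, List, Optional, Tuple


def hash_password(salt: str, password: str) -> str:
    """Hypothetical store format for this example: hex(SHA-256(salt || password))."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed credential store: user -> (salt, digest). In an engagement this
# would be dumped from the target; here the digests are generated so the
# example runs stand-alone.
CAPTURED: Dict[str, Tuple[str, str]] = {
    "svc_backup": ("x9q2", hash_password("x9q2", "Summer2023!")),
    "admin": ("k1ll", hash_password("k1ll", "P@ssw0rd")),
    "jdoe": ("7ab3", hash_password("7ab3", "correct horse battery staple")),
}

# Constructed wordlist and rules.
WORDLIST: List[str] = ["password", "summer", "welcome", "admin", "letmein"]
SUFFIXES = ("", "1", "123", "!", "2023", "2023!", "2024")
LEET_LIGHT = str.maketrans("ao", "@0")
LEET_FULL = str.maketrans("aeios", "4310$")


def mutate(word: str) -> Iterator[str]:
    """Apply case, leet and suffix rules to one base word, skipping duplicates."""
    bases = [
        word, word.capitalize(), word.upper(),
        word.translate(LEET_LIGHT), word.translate(LEET_LIGHT).capitalize(),
        word.translate(LEET_FULL), word.translate(LEET_FULL).capitalize(),
    ]
    seen = set()
    for base in bases:
        for suffix in SUFFIXES:
            candidate = base + suffix
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def crack(store: Dict[str, Tuple[str, str]], wordlist: List[str]) -> Tuple[Dict[str, Optional[str]], int]:
    """Dictionary attack. Returns {user: recovered password or None} and the guess count.

    Per-user salts mean every candidate is hashed once per account; with an
    unsalted store one pass over the wordlist would cover all accounts at once.
    """
    found: Dict[str, Optional[str]] = {}
    guesses = 0
    for user, (salt, digest) in store.items():
        found[user] = None
        for word in wordlist:
            for candidate in mutate(word):
                guesses += 1
                if hash_password(salt, candidate) == digest:
                    found[user] = candidate
                    break
            if found[user] is not None:
                break
    return found, guesses


if __name__ == "__main__":
    results, count = crack(CAPTURED, WORDLIST)
    for user, password in results.items():
        print(f"{user:<12} {password if password else '(not cracked)'}")
    print(f"{count} guesses")
```

The passphrase account survives because it is not derivable from the wordlist by these rules, which is the point worth reporting: the finding is not "hashes were cracked" but which password policy let two of the three fall in a few hundred guesses.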

Execute, Implant, and Retract: In this phase the tester effectively compromises the acquired system by executing arbitrary code. The objective is to explore how far security fails: the tester attempts to execute code, implant and hide files on the compromised system, and then leave it without raising alarms. Every file, account or setting implanted here must be recorded at the time it is created, because the post-attack phase has to remove it.

3. Post-Attack Phase

This phase is critical to any penetration test, because it is the tester's responsibility to restore the systems to their pre-test state. The objective of the test is to show where security fails, not to fix it: unless the engagement agreement is extended to make the tester responsible for correcting the security posture of the systems, the tester's work in this phase is limited to undoing what the test changed, and it must be completed. Activities in this phase include the following:

  • Removing all files uploaded to the systems
  • Cleaning all registry entries and removing any vulnerabilities created during the test
  • Reversing all file and settings manipulations made during the test
  • Reversing all changes to privileges and user settings
  • Removing all tools and exploits from the tested systems
  • Restoring the network to its pre-test state by removing the shares and connections that were created
  • Mapping the network state and comparing it with the pre-test baseline
  • Documenting and preserving all logs recorded during the test
  • Analysing all results and presenting them to the organization
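A file-integrity baseline is the practical way to check the "reverse all file and settings manipulations" and "compare with the pre-test baseline" items above, and this added example (not from the original article) shows it: snapshot the areas the test will touch before the attack phase, then diff against that snapshot during cleanup so that anything implanted, modified or deleted and then forgotten shows up. `demo()` builds a throwaway directory tree and simulates a test in which the uploaded tool is removed but a config change and a dropped key file are missed; all paths and contents are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def snapshot(root: Path) -> Dict[str, str]:
    """Map every regular file under root (path relative to root) to its SHA-256."""
    baseline: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return baseline


def diff(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Files added, removed or changed between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Simulate a test with incomplete cleanup and return what the baseline diff catches."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "var").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\nlisten=127.0.0.1\n")
        (root / "var" / "data.db").write_bytes(b"\x00" * 64)
        baseline = snapshot(root)                 # taken before the attack phase

        # Simulated attack-phase activity (constructed names and contents).
        (root / "tmp").mkdir()
        (root / "tmp" / "privesc_check.sh").write_text("#!/bin/sh\nid\n")   # uploaded tool
        (root / "etc" / "app.conf").write_text("debug=true\nlisten=0.0.0.0\n")  # weakened config
        (root / "etc" / "implant.key").write_text("constructed-key-material\n")  # dropped key

        # Incomplete cleanup: the tool is removed, the other two changes are forgotten.
        (root / "tmp" / "privesc_check.sh").unlink()

        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The diff covers file contents only: the empty `tmp` directory the test created, new user accounts, registry entries, shares and scheduled tasks need their own before/after listings, taken with the same discipline (capture before the attack phase, compare after cleanup, attach both to the report).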