Penetration testing is the process of attacking an organization to test its technical security, practices, procedures, and other defenses. Penetration tests are conducted by, or for, organizations that want a real-world test of their security. Unlike actual attacks, penetration tests are conducted with the knowledge of the organization, although some types of penetration tests occur without the knowledge of the employees and departments being tested.
Penetration tests are typically used to verify threats or to test security controls. They do this by bypassing security controls and exploiting vulnerabilities, using a variety of tools and techniques, including the attack methods discussed earlier in this book. Social engineering, malware, and vulnerability exploit tools are all fair game when it comes to penetration testing.
Penetration tests are often classified as overt or covert and as internal-perspective or external-perspective tests. Overt penetration tests are intended to be visible to members of the organization being tested, and use techniques that are likely to be detected by security tools, system administrators, and security professionals. Covert tests better simulate more stealthy attacks and attempt to evade detection. Tests with an internal perspective or view are conducted from inside an organization’s security perimeter, whereas external-perspective tests are conducted from outside that perimeter. Note that the designation of a test as an internal-perspective test does not imply that the testers were allowed past that perimeter. One common technique for penetration testers is to bypass external security perimeters physically by placing devices inside an organization.
Types of penetration tests
The CompTIA Security+ exam divides penetration tests into three major types of testing, classified by how much information the testers have. The categories are black box, white box, and gray box testing. We’ll take a look at each of them, and then we’ll explore how they are performed.
Black box penetration testing
Black box penetration tests, sometimes called blind penetration tests, are conducted with no knowledge of the environment. They are much more difficult to conduct than white box or gray box vulnerability tests, because they require the penetration testers to gather any information they need about an organization by themselves.
This makes black box penetration tests a far better test of what an actual attacker might manage to do. Because black box testing is as close to a real-world attack as possible, some organizations opt to use black box penetration tests to test their own defenses against attackers. As you might imagine, a black box penetration test is typically far more expensive in terms of both time and effort than tests that provide attackers with more knowledge. Worse, black box testing can leave entire sections of an IT infrastructure alone if the attacker misses them when scanning for targets.
White box penetration testing
White box penetration tests provide the most information to the penetration testing team. Because white box testing provides a complete and unobstructed view of the environment tothe attacker, it is sometimes called crystal box penetration testing.
White box penetration testing provides several advantages:
More focus is placed on the test itself, rather than on gathering information.
More in-depth testing can be accomplished, because everything that can be tested is exposed.
Attacks against known systems and services are more likely to be the right attack and to demonstrate true issues with the systems and services.
White box testing can be very helpful in identifying vulnerabilities that might be missed by a black or gray box test, but they can add additional cost because of the broader scope that total visibility can create.
Gray box penetration testing
Gray box penetration testing is a middle ground between black box testing and white box testing. Gray box testers typically receive partial information about the subjects of their testing but don’t have access to every detail of the target. Gray box testing can help avoid some of the problems with black box testing by ensuring that important parts of the target aren’t missed. It can also prevent the common white box testing issue of not replicating an actual attack scenario.
Conducting a penetration test
After you have decided on the type of penetration test that will be conducted, a complex process still awaits. Thorough penetration testing can be very involved, and using a standard process can help keep the test from causing issues or breaking down midway through.
A typical penetration test will use most of the following steps:
Documentation of the request for the penetration test, including the authority under which it will be performed, its scope, and who the audience for the results will be
Planning and design
Identification of the targets of the test
Selection of methods and tools
Vulnerability testing and validation against the target and/or security assessment of the target
Remediation of issues discovered during the penetration test
Next we will explore each of these steps, including what each requires, what it involves, and what you need to know to execute each step.
Authority, scope, and audience
Three key elements to understand before you begin a penetration test are the authority under which you are conducting it, the scope of the penetration test, and who you are preparing the results for.
Penetration tests should be authorized by an appropriate member of the organization engaging the penetration tester. Often this means the CEO or CIO of an organization, or an equivalent member of management. Equally important is to have written authorization for the test.
The person or group that authorizes the test is typically the sponsor within the organization. The sponsor of a penetration test plays a key role, which usually includes coordination within the organization. In addition, the sponsor can help handle issues that arise during the penetration test, particularly if it is a black box test that staff members in the organization are not aware of.
The sponsor or sponsors of the penetration test will also help to set the scope of the test. Properly scoped tests will include appropriate systems and networks. If scope isn’t well defined, or if the scope includes the wrong systems, penetration tests can cause outages or other issues. Obviously. penetration tests bear some risk even at the best of times, but proper scoping can keep those risks within the risk appetite of the organization. Scoping also helps penetration testers estimate how much effort and time they will need to complete the test, which can ensure that appropriate resources are used.
During the scoping process, testers will also typically set the rules of engagement for the penetration test. These should clearly state what the testers are allowed to do, as well as what they are prohibited from doing. If testers are not allowed to use social engineering, or cannot seed the parking lot of the facility with flash drives filled with malware, they need to know this as part of the rules. This means that the penetration testers need to carefully explain what they will be doing to the sponsors, because sponsors are unlikely to realize the full impact of what they may authorize if they are not told.
Finally, penetration testers need to know who their report will be provided to. Often, penetration tests include both a high-level executive summary suitable for senior management as well as a more technical, in-depth report. The executive summary must provide key information about the testing and what issues were found without venturing too far into esoteric technical data. The in-depth report typically includes far deeper detail on what actions were taken, what resulted from the actions, and how vulnerabilities were verified.
If these three initial elements aren’t well understood, a penetration test can fail before it starts!
Penetration test planning and design
In order to perform a thorough penetration test, you need a plan. Fortunately, several organizations provide documentation on penetration testing methodologies, including NIST’s SP 800-115 Technical Guide to Information Security Testing, the OWASP (Open Web Application Security Project) guide to web application penetration testing, and the Institute for Security and Open Methodologies’ (ISECOM’s) Open Source Security Testing Methodology Manual, or OSSTMM.
Whether you select a third-party methodology, use one to develop your own, or simply create one in house, a thorough penetration testing plan can help avoid problems. Plans help you identify tools and infrastructure, needed information and skills, and when and how the test will be conducted. A well-designed plan can reduce the potential negative impact that attacking an organization’s infrastructure can have, while still allowing you to gather useful information.
The way targets are identified for a penetration test depends on the type of test being conducted. A white box test will usually be accompanied by a list of targets, including systems, applications, and security procedures that need to be tested. Black and gray box tests provide far less information, leaving identification of targets to the penetration testing team.
Target identification without full knowledge starts with gathering information about the organization. Public information includes public websites, information from web forums, and postings that employees have made about the company. With that information in hand, the penetration tester can gather more detail, including IP address ranges, domains, and other information that can help narrow the list of potential targets.
After the penetration testers have identified a list of potential targets, they will typically conduct information-gathering exercises such as DNS queries, port scans, and sometimes vulnerability scans. Each of these can provide more detail about the systems their target exposes to the world.
When they are done, penetration testers will have a list of targets with information about each. From there, they can build a list of penetration testing goals and tasks that will drive the rest of their assessment. In order to complete the assessment, they need to determine what methods and tools they will use to meet their penetration testing goals.
Methods and tools
Penetration testing methods include many of the same attacks discussed in earlier chapters but are intended to determine if a vulnerability exists, rather than to disable the organization. Thus, attacks tend to focus on vulnerability verification, with exploits used to prove that the vulnerability exits or to gain further access to allow deeper testing. Most penetration tests avoid conducting denial of service attacks, although it is possible that an organization may include them in the scope.
Methods for testing are often selected in the planning phase of the penetration test to meet the scope of the assessment. After targets have been identified, those methods can be refined based on information gathered about the targets. If the targets are web servers, then web application testing tools and techniques would be chosen, whereas a Windows domain would require the selection of tools that focus on Active Directory and common Windows vulnerabilities.
A broad variety of tools exist for penetration testers to choose from, ranging from commercial tools to open-source packages, and those that have both commercial and open-source versions, such as the Metasploit Framework. A key part of penetration testing is selecting appropriate tools for the targets of the test.
Vulnerability testing, validation, and assessment
The full details of how to conduct a penetration test could fill a book on their own. For our purposes, it is important to know that a penetration test should be conducted in accordance with the rules of engagement that the sponsor helped set when the assessment was scoped, and that the tester or testers must be careful to not go beyond that scope without approval.
During a penetration test, the testers will use a variety of scan, attack, and analysis tools. All of the data that is collected should be carefully logged, including notes on when each attack is conducted, what target or targets it is aimed at, and what data was gathered from the attack.
Careful logging and analysis is important, and if a team is conducting the penetration test, a method to keep the team coordinated is very important. Penetration tests can be expensive and dangerous to an organization’s business and infrastructure if they are not carefully conducted, so care and diligence are critical.
After a penetration test has been completed, a report needs to be prepared for the sponsor or sponsors. In many cases, additional technical reports will also be required for the areas in which issues were identified, because the report to the sponsor of the penetration test is typically a high-level report.
Reports should include the scope, the targets, the tools and methods selected and used, and information about what vulnerabilities were found and successfully validated. Reports should also include details on any vulnerabilities that were identified but that testers were unable to exploit, particularly if they were not exploited due to constraints set by the scope or rules of engagement of the test.
Reports typically include technical information as an appendix or as an additional document. This allows the sponsors to provide detail to system administrators or security staff, which will allow them to put in place appropriate controls or fixes for the issues observed during the test.
The final stage of a penetration test is remediation. After the sponsor and those who have a stake in the test have read the report, the issues that were reported must be prioritized and acted on. In most cases, penetration tests find a variety of issues, and not all of them will be remediated due to costs, time constraints, or other reasons.
When remediation is finished, long-term monitoring and maintenance is necessary. The network monitoring techniques we discussed in Chapter 6 are important to implement to ensure that ongoing monitoring occurs. Many organizations choose to perform penetration tests on a recurring basis, and some standards and laws require them.