In today’s corporate world, security has become one of the most common concerns. Every day, we hear about attackers who hacked computer systems and stole crucial information.
In 2019, there were 1,473 reported data breaches in the United States, with more than 164 million sensitive records exposed. In the first half of 2020, the number of data breaches amounted to 540. — Statista Report
To detect security weaknesses and vulnerabilities, many large companies perform an authorized simulated cyberattack on their own systems. This is what we call penetration testing (Pen Test for short). Basically, the aim is to identify security vulnerabilities and weaknesses before an attacker does, and fix them as soon as possible.
More specifically, penetration testing involves simulating real-world attack scenarios to find and exploit security gaps (in a safe manner) that could ultimately lead to stolen information, compromised credentials, or other harmful business outcomes.
It can either be performed in-house with pen-testing tools or outsourced to a penetration testing provider. The process usually begins with a security professional enumerating the target network to detect vulnerable devices or accounts. This means scanning every device on the network for open ports that have services running on them.
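The enumeration step described above, as an added example that is not part of the original article: a minimal TCP service check that reports which of a set of ports accept connections on a host you administer. It only touches the loopback interface, starting a throwaway listener inside the script so the check runs offline against a known target.

```python
"""Minimal TCP service enumeration (added example, not from the article).
A throwaway listener is started on 127.0.0.1 so the run is self-contained."""
import socket
import threading
from contextlib import closing


def is_port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a TCP connect to host:port succeeds within timeout."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def enumerate_open_ports(host: str, ports) -> list:
    """Return the sorted subset of `ports` that accept a TCP connection."""
    return sorted(p for p in ports if is_port_open(host, p))


def free_loopback_port() -> int:
    """Ask the OS for a currently unused loopback port (constructed closed port)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def accept_loop(srv: socket.socket) -> None:
    """Accept and immediately close connections until the listener is closed."""
    while True:
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            break


def demo() -> tuple:
    """Start one listener, probe it plus a closed port, return (open, closed, found)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # OS-chosen free port stands in for a service
    srv.listen(5)
    open_port = srv.getsockname()[1]
    threading.Thread(target=accept_loop, args=(srv,), daemon=True).start()
    closed_port = free_loopback_port()  # nothing is listening here
    found = enumerate_open_ports("127.0.0.1", [open_port, closed_port])
    srv.close()                         # ends the accept loop
    return open_port, closed_port, found


if __name__ == "__main__":
    print(demo())
```

Against a real host the same function takes a list of the service ports the article names (SMTP, FTP, SSH, database ports), and the closed ports simply drop out of the result.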
The level of the intrusion depends on what kind of operation the security tester wants to explore on the target system. Therefore, the tester must have a good knowledge of the most relevant kind of pen test.
Penetration tests can be classified based on how they are performed as well as the assets and components being targeted. In this overview article, we have explained different types of penetration testing that are designed to be intense and invasive.
Penetration Testing Based On Methods Used
1. Black Box Testing
- Test cases can be designed immediately
- Can detect certain kind of flaws
In black-box penetration testing, the tester doesn’t have access to the client’s application, network configuration, or any kind of internal information. He/she performs all reconnaissance to extract the required information.
This type of testing determines the weaknesses of a system that are exploitable from outside the network. Finding those weaknesses relies on dynamic inspection of currently running programs and systems within the target network.
The tester should be familiar with automated scanning software and different techniques of manual penetration testing. Since there is no prior knowledge of system configuration or application source code, the black box penetration tester must be capable of building his/her own map of the target network based on personal observations.
The limited knowledge prevents the tester from finding all vulnerabilities in the system. This is the major downside of this type of testing. If testers can’t breach all perimeters, internal vulnerabilities remain undiscovered.
However, it can uncover certain kinds of flaws, such as server configuration mistakes and input/output validation errors. In order to be successful (efficiently detect and remediate more vulnerabilities), black-box testing methodologies should be combined with other testing tools.
There are plenty of tools available in the market for conducting black-box penetration testing. Wapiti, for example, analyses web applications for potential vulnerabilities by injecting test data into their inputs.
2. White Box Testing
- More Comprehensive
- Allows for code optimization and detection of hidden security issues
As the name suggests, white box penetration testing is the opposite of black-box testing. The tester has complete access to architecture documentation, source code, and other system information.
Testers sift through a large volume of data available to detect potential points of weakness. They can use both static and dynamic code analyzers and debuggers for this kind of testing.
Since testers have complete knowledge of the system, it takes more time to decide which modules should be tested first and what specific software should be used to conduct the test.
JUnit, PyUnit, and Selenium are some of the most popular open-source white box testing tools. Selenium, for instance, is used for validating web applications across various browsers and platforms.
3. Gray Box Testing
- Identifies more significant vulnerabilities with less cost and effort
- Testing is performed from the users’ point of view instead of designer’s
This is the combination of both black box and white box penetration testing. The gray box pen tester has some knowledge of the system’s internals, such as database and design documents. With this limited knowledge, he/she can make better test data and test cases while preparing a test plan.
This type of testing provides a more efficient and focused assessment of the system’s security compared to black-box assessment. It can identify the defects due to improper use of applications or improper code structure. More specifically, it uncovers the context-specific errors by concentrating on all layers of complex systems.
Gray box testing is suited more for functional testing, web applications, web services, security assessment, and GUI. Burp Suite is one of the popular gray box testing tools; it probes the suspected insecure spots of an application to confirm exploitable vulnerabilities.
Differences Between These Three Testing Techniques

| Black Box Penetration Testing | Gray Box Penetration Testing | White Box Penetration Testing |
|---|---|---|
| No knowledge of the system’s internal working is required | Partial knowledge of the system’s internal working is required | Complete knowledge of the system’s internal working is required |
| Very difficult to discover hidden errors | Difficult to discover hidden errors | Simple to discover hidden errors |
| Also known as closed-box testing or data-driven testing | Also known as translucent testing | Also known as clear-box testing, structural testing, or code-based testing |
| Least time-consuming | Partly time-consuming | Most comprehensive and time-consuming |
| Best for finding input/output validation errors | Best suited for testing data domains and system design | Best suited for testing algorithms, code structure, and internal boundaries |
| Tests are conducted by end-users, developers, and testers | Tests are performed by independent testers and developers | Tests are performed by testers and developers |
Penetration Testing Based On Targeted Components
1. Network Services Testing
- Prevents network and data breaches
- Ensures network and system security
The network penetration testing process involves discovering security vulnerabilities in applications and systems by using different malicious methods to examine the network’s security.
Typically, the tester identifies exploitable networks, hosts, systems, and devices (such as switches and routers) to uncover weaknesses. Since a network has both external and internal access points, it is mandatory to perform tests remotely from the outer world and locally at the client site.
This helps testers understand the level of risk the organization is dealing with and how to address and fix security flaws. Depending on the risk, they can target different network areas in their tests. For example, they can conduct:
- Stateful analysis testing
- Firewall config testing
- Firewall bypass testing
- DNS attacks
The most common protocols and services investigated in these tests include:
- Simple Mail Transfer Protocol (SMTP)
- File Transfer Protocol (FTP)
- Secure Shell (SSH)
- MySQL and SQL Server
Depending on system size and complexity, it may take anywhere between one and four weeks to complete a network penetration test. Testers can offer a detailed estimate only after scoping the project.
2. Web Application Pen Testing
Steps to perform a web app pen test
- Identifies vulnerabilities in both design and configuration
- Locates intruders and blocks them
Since many web applications hold sensitive information, it is necessary to keep them secure at all times. One way to do that is to include web app penetration testing as a part of the Software Development Life Cycle (SDLC).
Pen tests make it easy to determine the vulnerabilities of an entire web application and across its components, including its database, backend network, and source code. This helps developers pinpoint and prioritize weaknesses and errors and come up with ways to mitigate them.
This type of testing involves collecting data about the target web app, mapping out the host network, and examining all possible points of injection or tampering attacks. The main reasons for performing web app pen testing are:
- Detect unknown vulnerabilities
- Check publicly exposed components, such as routers and firewalls
- Find the most vulnerable route for a possible attack
- Look for loopholes that could result in information theft
- Check the effectiveness of existing security policies
3. Wireless Pen Testing
- Determines the realistic security posture of wireless networks
- Addresses vulnerabilities and security policies/procedures
Wireless penetration testing involves detecting and analyzing the connections between all devices connected to the business’s WiFi. This includes laptops, smartphones, tablets, printers, and other Internet of Things (IoT) devices.
Various wireless protocols and wireless access points are tested to discover security loopholes. Usually, these tests are conducted at the client’s site because the tester needs to be in the range of wireless signals to access the device.
In most cases, vulnerabilities are found in WiFi access points due to a lack of MAC filtering and insufficient Network Access Controls. To remediate these issues before they are exploited for real, it is crucial to test the effectiveness of the security posture and expose unintended weaknesses.
It’s also important to keep in mind that WiFi is not the only wireless technology attackers can exploit. Bluetooth devices, Bluetooth Low Energy devices, and other less popular technologies, such as Z-Wave and DECT (cordless phones), are also widely found in the field.
4. Client-Side Penetration Testing
- Detects security misconfigurations in client-side software
- Allows proper control of inbound and outbound network traffic
This is an internal Pen Test where testers exploit vulnerabilities in client-side application programs such as web browsers, Adobe Acrobat, email clients, Macromedia Flash, etc.
While there is no rule for conducting such tests on specific intervals, businesses should perform pen tests when new IT infrastructure or client-side applications are added or when existing infrastructure is altered.
Most client-side vulnerabilities stem from unpatched software installed on laptops or desktops. Some attackers even intercept the update process, sending malicious code along with the original update.
USB devices can also be infected with malicious files or executable code. These files run automatically as soon as the victim attaches the USB device to his/her machine. Cross-site scripting, form hijacking, clickjacking, HTML injection, and open redirection are some of the most common client-side security attacks.
This is why it is important to test employees’ susceptibility and networks’ capability to recognize and respond to client-side attacks.
5. External Pen Testing
- A security assessment of a company’s perimeter systems
- Includes both application-layer as well as network-layer assessments
External penetration testing generally tests from the attacker’s perspective with no prior access to the target system or network. This is different from internal pen testing, in which the attacker already has a foothold on the compromised machine.
In external pen testing, the tester tries to gain access to the internal network by leveraging vulnerabilities found on the external assets. He/she carries out reconnaissance on the in-scope assets, collecting data on each of them.
This data may include open ports, vulnerabilities, or employees’ information for password attacks. Once the perimeter is breached, the aim of the external penetration test is achieved, and the tester proceeds to internal pen testing.
6. Social Engineering
- Con unsuspecting employees into compromising the company’s security
- Exploit human psychology to get confidential data
The term social engineering is used for a wide range of malicious activities accomplished via human interactions. Since it relies on human error (instead of weakness in applications or networks), it is less predictable and harder to detect than malware-based intrusions.
These kinds of tests involve attempting to get confidential data by tricking the company’s employees into revealing sensitive information. This could be achieved through either remote testing or physical testing.
Remote testing involves sending phishing emails to employees or bombarding their devices with false alarms or fictitious threats. In contrast, physical testing includes tailgating, impersonation, dumpster diving, physical threats, etc.