What Is Penetration Testing
Penetration Testing: What It Is
Penetration testing is an offensive security exercise conducted by an organization with the intent to uncover security weaknesses and ultimately help strengthen their defense mechanisms, threat detection capabilities and response times. Traditionally, penetration testing is performed by an independent third-party with little to no upfront knowledge of their target organization. This is done to imitate an adversary who is targeting the organization with nefarious intent.
Penetration testing can be performed against something as small as a single tenant application and as large as a global enterprise network. Several penetration testing methodologies frameworks standards and tools exist which are often motivated by or designed to satisfy a particular compliance or regulatory committee such as PCI and HIPAA.
Penetration Testing: What It Is Not
It is common throughout the information security industry to hear the term penetration testing used to describe a vulnerability assessment. These two types of engagements are quite different and their names should not be used interchangeably to describe one another. Here are a few important distinctions to keep in mind.
|Penetration Testing||Vulnerability Assessment|
|Manually executed tests||Automated scanning tools|
|Emphasizes stealth infiltration||Produces significant network traffic|
|Accuracy is critical||False positives are frequent|
|Documentation is specific to compromise-able weaknesses||Documentation is lengthy and focuses on best practices|
|Used to test hardened organizations||Considered a prerequisite for penetration testing|
|Assessors exercise caution and precision||Untuned scanners often break things|
Vulnerability Assessment: Overview
During a vulnerability assessment some type of automated scanning engine is leveraged to sweep large IP Address ranges and identify live systems as well as the software version for all network-accessible applications being broadcasted. The software versions are then compared to a database of known/published vulnerabilities and attack vectors. Findings are scored using an agreed upon standard and severity ratings are applied based on business risks that should hopefully be tailored to the individual organization requesting the assessment. This type of activity is very important but should not at all be considered penetration testing.
Penetration Testing: Overview
During a penetration testing engagement an individual or group of individuals act as if they were in fact an adversary trying to compromise the integrity of their target organization. Penetration testers will take every precaution available to remain stealthy and undetected while executing tactical and targeted attack patterns observed in real-world corporate breaches. Skilled Penetration testing engineers are often hard to distinguish from real-world hackers other than the fact that they first obtain written permission before engaging their targets.
Penetration Testing: Documentation
The results of a successful penetration testing engagement should not produce a lengthy report containing hundreds or thousands of IP addresses with missing security patches and hot fixes. Instead, the report should contain a detailed narrative of attack vectors and identified entry points which resulted directly in some degree of network or application compromise. Penetration Testing findings focus on the systemic underlining problem and therefore recommendations are often not as simple as checking a box or enabling a property. An organization that is serious about penetration testing should expect to find architectural flaws in their network design and be prepared to reengineer systems and processes that may have existed within their operational structure for a significant period of time.
Penetration Testing: Related Content
Below are some of Pentest Geek’s articles related to various penetration testing activities and are intended for educational purposes as well as further supplementation to aid in defining the term penetration testing.
- Hacking Jenkins Servers With No Password – Explanation and demonstration of a common attack vector leveraged during a penetration test.
- Using Nmap To Find Local Admin – Step-by-step walkthrough of a useful Nmap NSE script for checking windows credentials for local administrator access.
- Using Metasm to Avoid Antivirus Detection (Ghost Writing ASM) – The definitive guide to an old-school AV bypass technique that still works every time.
- Stealing Servers Through Directory Traversal – Great writeup demonstrating the capabilities of turning a simple vulnerability into a catastrophic security breach.
Subscribe to Pentest Geek
Follow Pentest Geek
- How To Install Metasploit Framework Ubuntu 14.04
- How to Install Nmap From Source
- Another Lap Around Microsoft LAPS
- Credential Harvesting via MiTM – Burp Suite Tutorial
- SSL Certificate from letsencrypt.org – Setup Guide
- Forensics and Incident Response
- Information Gathering
- Penetration Testing Tutorials
- Web Applications