In common parlance, penetration testing is often defined as an authorized and legal attempt to disclose exploits in systems/applications in order to make them more secure. Penetration testing generally involves searching for weaknesses and providing POC (i.e. proof of concept) attacks to validate the significance of vulnerabilities/flaws in the system. A well-defined penetration test also presents specific recommendations to counter the flaws in the systems and make it immune to such attacks in future.
Ideally, penetration testing plays a significant role in the total security of one’s organization. Much akin to policies; business continuity planning, risk assessments and disaster recovery are crucial factors in the safety and security of the organization, which makes penetration testing an important part of an overall security plan as well.
Though penetration testing goes by many names, some commonly referred alternatives to penetration testing include:
- Pen Testing
- Ethical Hacking
- White Hat Hacking
Phases of Penetration Testing
The overall process of PT can essentially be broken down to a few steps, which cumulatively establish a comprehensive PT technique. While conducting a penetration test, it is crucial to follow an organized approach as it helps a penetration tester to move ahead in a focused manner and allow results from each particular step to form a base for ensuing steps.
Various phases in a penetration test include-
Step 1: Reconnaissance
Reconnaissance essentially deals with the gathering of information about the target which can be used in later phases. Despite arguably being the most important of all steps, it is also one of the most overlooked and misunderstood steps in penetration testing methodology in current times. Apart from the lack of proper tools to facilitate penetration testing, there is also a dearth of well-defined rules of engagement to undertake tests.
A crucial factor in successful reconnaissance is to have a strategy, which includes a mix of active and passive reconnaissance techniques, by leveraging the power of the internet. Active/passive reconnaissance includes-
- Active reconnaissance- It involves direct interaction with the target. Though active reconnaissance provides authentic information, it is also crucial to note that the target may log a tester’s activity and track IP in the process.
- Passive reconnaissance– This involves making use of the information available on the internet to gather data. This does not involve a direct interaction, and consequentially, provides no way to the target to record, know or log the activity.
A few tools that could be utilized while doing PT are :
- Netcraft (It returns any websites it is aware of that contains the search words).
- Google (Google is a great way to conduct recon as it provides directives that help a lot to gain the most out of every search, while also being easy to use. Directives are keywords that facilitate extraction of accurate information from Google Index).
- Nslookup (NS Lookup is a tool that can be used to query DNS servers and potentially obtain records about the various hosts of which it is aware)
- Social Engineering (It the process of exploiting the human weakness that is inherent in every organization. In doing this, the aim of the attacker is to get the target to disclose confidential information).
- Whois (Allows access to specific information about the target including the IP addresses or hostnames of the company’s Domain Name Systems (DNS) servers and contact information usually containing an address and phone number) etc.
Step II: Scanning
Scanning begins by breaking the scanning process into three distinct phases:
- Determining if a system is alive– It is the process of determining whether a target system is turned on and capable of communicating or interacting with the machine.
- Port scanning the system– It is the process of identifying the specific ports and services running a particular host (A port is a data connection that allows a computer to exchange information with other computers, software, or devices).
- Scanning the system for vulnerabilities-Vulnerability scanning is the process of locating and identifying known weaknesses in the services and software running on a target machine. Tools like Nessus are great starters to vulnerability testing and are also available free of cost.
Step III- Exploitation
Exploitation is the process of gaining control over a system, with the sole goal being to gain administrative-level access to the computer. In simple terms, it is defined as a process of initiating an exploit (defined as bugs in the code that enables the attacker to change the primary function of the software).
Testers may use varying techniques to exploit software codes. One such technique is password resetting, that can be used to gain access to a system or to escalate privileges. Another interesting method to exploit is to gain access to systems through a technique called ‘network sniffing’. Sniffing is a practice of viewing and capturing traffic on the network to gather sensitive and important information. It is still a good technique used by several popular protocols to gather data over the network without the use of encryption.
It is crucial to note that the practice of exploitation is one of the most frustrating, challenging and time-consuming processes in penetration testing. Nevertheless, it is also one of the most rewarding phases which can be practised easily by setting a penetration testing lab. It is also helpful to use virtual machines in practising exploitation due to feasibility in resetting virtual machines as compared to reimaging of physical machines.
Step IV- Maintaining Access
The last step in the penetration testing process is to maintain access gained over the targets application/ system. Note that maintaining access to a remote system is dubious practice and must be deliberated clearly with the client. Though many companies may prefer penetration testing, a lot is uncertain about allowing penetration testers to use backdoors due to fear that it can be exploited by an unauthorized third party on discovery.
This step is normally carried out through the use of rootkits and backdoors. A rootkit is a kind of software that attaches itself deeply to the operating system and executes a number of tasks, including providing the attacker with the ability to complete execution of processes on the target’s system. On the other hand, a backdoor is a software that merely resides on the system of the target, allowing the attacker to connect to the system at any point of time and control the PC in an unauthorized manner.
After reconnaissance, scanning, exploitation and maintaining access is complete, a tester may also need to summarize his findings in the form of a penetration testing report, which often becomes the face of your organization. However, following the above steps in itself may be a great way to start your career in penetration testing!