Get your mind out of the gutter! Penetration testing can prove extremely useful in identifying security vulnerabilities attackers can exploit.
What Is a Penetration Test?
When you are looking for a vendor to conduct a penetration test, it’s important to understand the different phases of a proper test.
What Are the 7 Phases of Penetration Testing?
- Vulnerability Analysis
It’s a bad idea to hire a penetration tester and then let them run wild on your network. The pre-engagement phase consists of discussing and agreeing on scope, logistics, rules of engagement and timeline.
Understanding what you want tested and why is important before entering discussions with vendors. There are many different types of penetration tests.
5 Types of Penetration Tests
- Internal and External Network
- Social Engineering
Depending on the type of testing, the tester may be required to travel to a physical office location (as in wireless or physical testing). Other types of testing may be conducted remotely, such as network or web application testing.
Practically speaking, defining your scope will allow you to prioritize the assets tested and will often have a direct connection to pricing. The scope of a test depends on what exactly you’re testing. If you’re conducting a network penetration test, you should know which IPs or subnets you want tested. If you are conducting an application penetration test on the other hand, you should know the size and complexity of the application, including how many different user roles you want tested.
Every penetration test must also have a defined timeline. This is because these tests don’t always have a defined end-state, so you’ll want to define the duration of the test explicitly with the vendor. Moreover, you’ll need to define the testing scope before the timeline, as the scope can greatly affect the duration required to properly test the assets. For example, an internal network penetration test on 50 active IPs will require a shorter timeline than 500 IPs for the same level of intensity.
Finally, rules of engagement are a formal contract between the tester and the organization receiving the test. Because many of the actions a penetration tester takes are illegal without explicit authorization, rules of engagement outline exactly what the tester is and isn’t allowed to do on your network. Any actions you don’t want taken need to be explicitly outlined in this contract (which will differ across organizations). It is also useful to list any critical assets in this contract to which the testers should pay extra attention.
The reconnaissance phase consists of open-source intelligence (OSINT) gathering techniques to better understand the target organization and network. You’d be surprised what information you can freely gather from open sources.
Sources commonly used to gather information include social media such as Linkedin, the organization’s public website, and media and PR documents. You may ask — but how is any of this information useful?
Linkedin, for example, provides a great place to scrape employee information. Understanding the names and roles of employees in the organization can aid in enumerating email addresses for a phishing attack or identifying network administrators.
Attackers can gather network information using open-source tools such as Shodan or Censys. These tools continuously scan public-facing IP addresses and index their response headers. This allows the tester to begin building a picture of the external network without having to actively scan it.
The discovery phase consists of scanning and asset analysis. Typically, the tester will use a network scanning tool such as
nmap to identify which assets are available and to gather some basic information about them such as operating system, open ports and running services.
Here’s the output of a basic
nmap scan for a single host.
The penetration tester may or may not already have a list of targets by IP. In a white box test, targets and some asset/network information are provided and available to the tester. A black box test, on the other hand, starts with little to no information about the targets or network, with the tester usually only having a domain or organization name. In a black box test, however, it’s still good practice to provide the tester with an asset inventory and scope guidelines for the purpose of confirming ownership before they take any actions.
4. Vulnerability Analysis
After testers scan and analyze assets, they’ll use vulnerability identification methods to look for potential exploitation opportunities. Testers may identify vulnerabilities manually by analyzing the results of the previous discovery phase and utilizing existing knowledge, but they’re more likely to use an automated vulnerability scanning tool.
There are many vulnerability scanning tools available, and they’re often used by organizations as part of a continuous vulnerability management program. Some popular tools include Tenable, Rapid7, and Qualys. Even
nmap has some vulnerability scanning capabilities tests can use during the discovery phase.
Here’s an example output from an
nmap vulnerability scan against a single host.
After testers have identified vulnerabilities, attackers will attempt to exploit those vulnerabilities using either public or custom exploits. Generally, the ultimate target is root or administrator privileges on a machine, especially a domain controller.
A common tool used for this is Metasploit, a framework that provides a streamlined process for finding and executing publicly available exploits for vulnerabilities.
The exploitation phase is the key differentiator between a penetration test and a vulnerability scan. Vulnerability scans will identify vulnerabilities on the network, but can come with some caveats. They may identify false positives or exploit code that isn’t applicable to that individual environment.
In a penetration test, however, the tester will exploit the vulnerability and prove that the vulnerability is actually exploitable, as well as simulate the ramifications of exploiting that machine — such as data exfiltration.
For example, an asset may have been identified as low-risk due to the lack of sensitive information stored, transmitted or processed by the asset, but exploitable vulnerabilities proved to allow the attacker to pivot (move from one machine to another) through the network from that device.
Reporting is arguably the most important phase of any penetration test. You’ll want to investigate the reporting standards of a vendor before moving forward with a test. One way to do this is by requesting a sanitized example report.
During the reporting phase, the tester will put together a report outlining the test, including a narrative of the attack chains executed. A good penetration test report will have the findings well-organized and prioritized by risk level. They should provide screenshots and detailed descriptions so you can reproduce the issues during the remediation phase. Most testers will also provide guidance on how to remediate their findings.
A typical penetration test report will consist of the following sections:
4 Components of a Typical Penetration Test Report
- Executive Summary
- Detailed Findings and Recommendations
- Appendices (usually including a vulnerability report in spreadsheet format)
The remediation phase is usually in the organization’s hands; it’s up to them what they do with the findings and whether or not they close the identified gaps.
Generally, an organization will take the penetration testing report and attempt to reproduce and validate the attack chains. Then, they’ll implement the appropriate changes using a combination of public sources, employee knowledge and the tester’s remediation guidance.
While remediation may sound straightforward, it can be more difficult than you would think. Before making any domain-wide changes to the environment, it’s best to adopt a rollout testing process, starting with a small, diverse subset of test users or devices with documented and tested rollback procedures in the event the change breaks business processes.
Penetration tests are an important piece of your organization’s security program by helping identify exploitable vulnerabilities and prioritize remediation. However, choosing a vendor to conduct the test isn’t always easy. Understanding the seven phases of a penetration test is critical for an organization to properly engage and understand the service they’re buying.
Opinions expressed are solely my own and do not express the views or opinions of my employer.