Pentesting: What It Is, And How It Works
Pentesting is also called penetration testing or ethical hacking. A penetration test is designed to answer the question: “How effective is my current security against a skilled human attacker?” In this article, we’ll go over what it is, why it’s important to businesses and how a skilled pentester works.
What is Pentesting?
Pentesting is the process in which a security expert attempts to gain access to resources without using conventional means. The primary thing that separates a pentester from a hacker is permission. The company in question will contract a pentester for a specific job with specific goals, an arrangement meant to protect both parties. Pentesting is often called “ethical hacking” by those who practice it.
Pentesting is a practice designed to find the holes and backdoors that may have inadvertently been overlooked when a system, server, web application or other software was put together. Pentesters are expected to keep notes as they work so that they can provide a report when they are finished. Rather than finding the first hole and stopping, they continue pushing forward so that further problems can be identified and fixed. Their reports are used not only for fixing the problems they’ve found, but also for seeing how others might find new problems or gaps in security.
It is important to note that pentesting is not a one-off security test that can be passed or failed forever. Programs are constantly being updated, and so what passed yesterday might not pass today. Holes that are created today might not be there a month from now, and new ones could have been created. It is an ongoing process that must be consistently maintained.
Why Is Pentesting Important?
The next question that is often asked is, “Why is it so important?”
We hope that we began to show the reasons for that in our last section, but if not, let’s go a bit deeper. We’ll look at three scenarios that show times when pentesting might be useful to a company.
A) You could give a team of pentesters your company’s office address and tell them to try and gain access to your systems. They are then allowed to employ a huge range of techniques to do so.
B) You can give a pentester access to a web app you haven’t released yet, and tell them to try and cause damage or gain access.
C) You can give a pentester no upfront information other than the goal of gaining access to vital data.
The first two are examples of “whitebox” testing, where the attacker is given information or access ahead of time which would normally be difficult to attain from outside the company. According to Forbes, this type of testing is useful because of the internal security checks that are performed. “The threat posed by insiders is often underestimated by organizations that entrust them to physical and logical access to IT resources.”
The last example is called “blackbox” testing. Here the attacker is only given access to information that could be gained by calling the company or searching the internet. Blackbox testing provides the company with a ‘real-world’ perspective of the organization and allows them to see how an attacker would gain a foothold in the organization starting from scratch. The information gained from this type of testing allows the organization to take steps to mitigate or remediate vulnerabilities that arise from unlikely sectors, such as social engineering.
A penetration test can be compared to a fire-drill. It allows you the chance to uncover aspects of your security policy that are lacking or need to be upgraded.
Some examples might include:
- Many security policies focus on preventing or detecting attacks, but fail to consider the process of evicting an attacker.
- Penetration tests provide feedback on the routes into your company or application that are most at risk.
- Penetration tests can be used to train developers to make fewer mistakes. If developers can see how an outside attacker thinks, they can devise new ways to keep them out.
How Does Pentesting Work?
We’ve covered what it is, and why you need it. Now let’s talk about how it works. If you looked at the three examples above of how a penetration test can be useful, you’re probably wondering, “How can someone get in? What do you mean by a variety of techniques?” Not to worry, we’re going to go through the top techniques that are available to a skilled pentester.
Perhaps one of the most important steps for any project is the one where the tester does passive scans and begins to put together information regarding their target. A passive scan allows them to find the available connections to a network and can be compared to viewing topographical maps prior to a battle. This stage might seem simple, but a good amount of time is spent here, finding potential entry points into the system for later.
Application Security Testing –
The tester can use software to verify whether the system is exposed to security vulnerabilities. One can also use web page source code analysis to get more information about plugin versions, the system, and its software. There are free tools and services available which can give you information like database or table names, DB versions, software versions, hardware used and various third-party plugins used. Often this is done in conjunction with other techniques to accomplish many goals at once.
Social Engineering –
You might be surprised, but this one should not be overlooked. Even today, one of the most effective routes into a company is by talking to the people that run it. A prime example is dressing as a janitor or a technician and asking a receptionist for a look in a computer room to run safety checks. With a bit of flirting, a bit of misinformation, and perhaps an overheard mention of an actual problem within the company, the tester can be inside and installing USB keyloggers before security has any idea.
Some more in-depth techniques might include the following:
- Verify that the application is secure against SQL Injections.
- Check to see if user sessions end when logged off.
- Find out if files are scanned before being loaded to the server.
- Verify if reset password functionality is secure.
- Check whether the error messages presented are specific enough to the error that information can be gleaned from them.
- Find out if there are open ports on the network.
- See if there are any hardcoded usernames or passwords in the system.
- Check to see if directory browsing is enabled on the server.
- Check to see if Brute Force Attacks work – a trial and error method to find sensitive information like passwords.
- Look for out of date applications and databases to exploit.
- Packet sniffing, for example, is used to appropriate valid TCP/IP network addresses by reading packets. Malicious code is then labeled with the trusted network address and blasted through the network unquestioned.
- Hiding a recording device in an office or listening outside windows to gain access to sensitive information.
- Testing the physical security of an organization. This can range from testing physical locks to seeing how easy it is to dupe your way into restricted areas.
Depending on how you look at it, these are either very simple or very in-depth techniques, all of which are available to the skilled pentester or hacker. If you’re looking to protect your company or application, pentesting is not to be overlooked.
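Several of the checks listed above (software and plugin versions visible in page source, overly specific error messages, directory browsing) can be run by a defender against their own application's responses. The following is an added example, not code from the original article: the sample responses, paths, product names and the pattern list are all constructed assumptions, and the patterns are not exhaustive.

```python
import re

# Constructed sample responses (headers, body). In practice these would be
# captured from an application you own or are contracted to assess.
SAMPLES = {
    "/": ({"Server": "ExampleHTTPd/2.4.1", "X-Powered-By": "ExampleLang/5.6"},
          '<html><head><meta name="generator" content="ExampleCMS 3.2"></head>'
          '<body><script src="/plugins/gallery/gallery.js?ver=1.4.2"></script>'
          '</body></html>'),
    "/uploads/": ({"Server": "ExampleHTTPd/2.4.1"},
                  "<html><title>Index of /uploads</title></html>"),
    "/item?id=abc": ({}, "You have an error in your SQL syntax near 'abc' "
                         "at line 1 in /var/www/app/item.php"),
    "/about": ({"Server": "ExampleHTTPd"}, "<html><body>About us</body></html>"),
}

# Assumed, non-exhaustive patterns for the exposures named in the article.
BODY_CHECKS = [
    ("directory-listing", re.compile(r"<title>Index of /", re.I)),
    ("verbose-error", re.compile(r"SQL syntax|Traceback \(most recent call last\)", re.I)),
    ("generator-version", re.compile(r'<meta name="generator" content="[^"]*\d', re.I)),
    ("plugin-version", re.compile(r"/plugins/[^\"']+\?ver=\d", re.I)),
    ("path-disclosure", re.compile(r"/var/www/|/home/\w+/")),
]
VERSION_HEADERS = {"server", "x-powered-by"}

def audit(headers, body):
    """Return labels for every piece of information the response gives away."""
    findings = []
    for name, value in headers.items():
        # A product name alone is low risk; a version number lets a reader of
        # the response match the server against known-vulnerable releases.
        if name.lower() in VERSION_HEADERS and re.search(r"\d+\.\d+", value):
            findings.append(f"header-version:{name}")
    findings += [label for label, rx in BODY_CHECKS if rx.search(body)]
    return findings

def audit_all(samples):
    return {path: audit(headers, body) for path, (headers, body) in samples.items()}

if __name__ == "__main__":
    for path, findings in audit_all(SAMPLES).items():
        print(f"{path:15} {', '.join(findings) or 'clean'}")
```

Each finding maps to a fix on the server side: strip version banners, disable directory indexes, and return generic error pages while logging the detail internally.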
There are many resources on the web with regards to pentesting tools. We encourage you to have a look at this list, which contains the most comprehensive and up-to-date list of tools covering all areas of IT Security.