Home / Hacking / Penetration testing

Penetration testing

Penetration testing

Penetration testing, often called “pentesting”, “pen testing”, “network penetration testing” or “security testing”, is the practice of attacking your own or your clients’ IT systems in the same way a hacker would to identify security holes. Of course, you do this without actually harming the network. The person carrying out a penetration test is called a penetration tester or pentester. Penetration testing requires that you get permission from the person who owns the system. Otherwise, you would be hacking the system, which is illegal in most countries – and trust me, you don’t look good in an orange jump suit. The difference between penetration testing and hacking is whether you have the system owner’s permission. If you want to do a network penetration test on someone else’s system, we highly recommend that you get written permission. In this case, asking first is definitely better than apologizing later!

Read:- computer parts

Ethics of a Penetration tester

Every penetration tester that works for the information security industry must have ethics that will help him to serve his client better and to avoid any illegal activities.Of course for this reason penetration testing companies are requiring from their penetration testers to sign the NDA (Non-disclosure agreement) in order to protect their clients and align with the current laws depending the location as the legal framework can be different from country to country. However the penetration tester must be aware of the current laws and must remain fully ethical and professional at all times as the information security industry is not that big and a potential mistake can mark your career.So according to my personal opinion the following are some of the ethical standards that a penetration tester must have:

Serve and protect the client and uphold the security profession

Never take personal copies of client’s data

Never perform unauthorized testing

Don’t discuss findings with unauthorized people

Don’t publish vulnerabilities without permission

Test everything in scope and never go outside

Observe all legal requirements

Act with integrity

Protect client’s data (encryption etc.)

Don’t associate with black-hat hackers

Types of Pen Testing

INTERNAL PENETRATION TEST

An Internal Penetration Test differs from a vulnerability assessment in that it actually exploits the vulnerabilities to determine what information is actually exposed. An Internal Penetration Test mimics the actions of an actual attacker exploiting weaknesses in network security without the usual dangers. This test examines internal IT systems for any weakness that could be used to disrupt the confidentiality, availability or integrity of the network, thereby allowing the organisation to address each weakness. Internal Penetration Test follows documented security testing methodologies which can include:

Internal Network Scanning

Port Scanning

System Fingerprinting

Services Probing

Exploit Research

Manual Vulnerability Testing and Verification

Manual Configuration Weakness Testing and Verification

Limited Application Layer Testing

Firewall and ACL Testing

Administrator Privileges Escalation Testing

Password Strength Testing

Network Equipment Security Controls Testing

Database Security Controls Testing

Internal Network Scan for Known Trojans

Third-Party/Vendor Security Configuration Testing

Penetration testing

EXTERNAL PENETRATION TEST

An External Penetration Test differs from a vulnerability assessment in that it actually exploits the vulnerabilities to determine what information is actually exposed to the outside world. An External Penetration Test mimics the actions of an actual attacker exploiting weaknesses in the network security without the usual dangers. This test examines external IT systems for any weakness that could be used by an external attacker to disrupt the confidentiality, availability or integrity of the network, thereby allowing the organisation to address each weakness. External Penetration Test follows best practice in penetration testing methodologies which includes:

Footprinting

Public Information & Information Leakage

DNS Analysis & DNS Bruteforcing

Port Scanning

System Fingerprinting

Services Probing

Exploit Research

Manual Vulnerability Testing and Verification of Identified Vulnerabilities

Intrusion Detection/Prevention System Testing

Password Service Strength Testing

Remediation Retest (optional)

Penetration testing

Following are the important types of pen testing −

Black Box Penetration Testing

White Box Penetration Testing

Grey Box Penetration Testing

Pen Testing

For better understanding, let us discuss each of them in detail −

Black Box Penetration Testing

In black box penetration testing, tester has no idea about the systems that he is going to test. He is interested to gather information about the target network or system. For example, in this testing, a tester only knows what should be the expected outcome and he does not know how the outcomes arrives. He does not examine any programming codes.

Advantages of Black Box Penetration Testing It has the following advantages −

Tester need not necessarily be an expert, as it does not demand specific language knowledge

Tester verifies contradictions in the actual system and the specifications

Test is generally conducted with the perspective of a user, not the designer

Disadvantages of Black Box Penetration Testing Its disadvantages are −

Particularly, these kinds of test cases are difficult to design.

Possibly, it is not worth, incase designer has already conducted a test case.

It does not conduct everything.

White Box Penetration Testing

This is a comprehensive testing, as tester has been provided with whole range of information about the systems and/or network such as Schema, Source code, OS details, IP address, etc. It is normally considered as a simulation of an attack by an internal source. It is also known as structural, glass box, clear box, and open box testing. White box penetration testing examines the code coverage and does data flow testing, path testing, loop testing, etc.

Advantages of White Box Penetration Testing It carries the following advantages −

It ensures that all independent paths of a module have been exercised.

It ensures that all logical decisions have been verified along with their true and false value.

It discovers the typographical errors and does syntax checking.

It finds the design errors that may have occurred because of the difference between logical flow of the program and the actual execution.

Grey Box Penetration Testing

In this type of testing, a tester usually provides partial or limited information about the internal details of the program of a system. It can be considered as an attack by an external hacker who had gained illegitimate access to an organization’s network infrastructure documents.

Advantages of Grey Box Penetration Testing It has the following advantages-

As the tester does not require the access of source code, it is non-intrusive and unbiased

As there is clear difference between a developer and a tester, so there is least risk of personal conflict

You don’t need to provide the internal information about the program functions and other operations

I hope that you understand my post. if you like this post then share my post, and comment on my post if you have any suggestion or Queries related to Penetration testing. Thank you!

Check Also

Using Tor for Hacking

how to use tor for hacking

how to use tor for hacking how to use tor for hacking:- Hacking is done …

Leave a Reply

Your email address will not be published. Required fields are marked *