April 26, 2020

What is penetration testing (explained) step-by-step

By dicchacker

organizations developed new security models, but I’m worried about whether those security measures are enough.” One of the security measures I want people to take is the “penetration test.”

This time, I will organize the explanation of penetration testing so that people who do not know what a penetration test is, those who are studying the method, and those who are looking for a pentest service should all be satisfied after reading this article.

What is a penetration test?

A penetration test (commonly called a pen test) is one of the test methods for detecting weaknesses in the security of computers and networks; it actually attacks a system and tries to penetrate it. In particular, security is verified by actually running attack methods to see whether the information system connected to the network is safe against attack.

Need for penetration testing

It is necessary to experience an attack before development of the system is complete and it is released for operation. A penetration test alone does not make a system adequately defended, but you can build a more effective defense by experiencing how attackers attack.

Penetration testing goes beyond just testing whether your system can be penetrated. It is also intended to examine things such as:

  • Extracting confidential information
  • DDoS attacks on the perimeter and open resources
  • Web applications as test targets
  • How much damage will happen when attacked

 

Penetration testing is not enough if it is done only once before the system goes into production.

Attacks from the outside world grow every day. It is necessary to run a cycle of continuously reviewing security measures and updating them wherever there is a weak spot.

Accordingly, it is necessary to execute the penetration test repeatedly.

Penetration testing practice

The process of penetration testing depends on the services, systems, and tools used, but the plan is generally as follows.

  1. Hearing and preparation

Create a scenario for what kind of diagnosis/test should be performed, taking into account the network configuration of the system under test, the storage status of individual and confidential data, the location where access logs are kept, and so on.

  2. Attack

Carry out the cyberattack according to the planned scenario and record the outcome.

Attacks and intrusions are carried out by various methods, such as automated tests and manual tests with confirmation.

  3. Creation of report

Make a report after gathering the investigation results.
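All three steps rest on a scope agreed with the system operator during the hearing: which hosts may be attacked, which must never be touched, and when the attack phase may run. The following Python script is an added example written for this article, not code from the original post; it checks candidate targets against such a scope before the attack phase and records a decision for each one that can go straight into the report. The scope document, its field names (in_scope, excluded, window_utc, approved_by) and all addresses are constructed sample data.

```python
"""Scope check for the attack phase of a penetration test.

Added example, not code from the original article. The engagement scope
below is constructed sample data; its field names (in_scope, excluded,
window_utc, approved_by) are assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed scope, as it might be agreed during "hearing and preparation":
# what may be tested, what must never be touched, and when testing may run.
# 192.0.2.0/24 and 2001:db8::/32 are documentation ranges, not real hosts.
SCOPE = {
    "client": "example client (constructed)",
    "in_scope": ["192.0.2.0/24", "2001:db8:1::/48"],
    "excluded": ["192.0.2.10", "192.0.2.250/31"],   # e.g. production DB, HA pair
    "window_utc": ("2020-04-27T22:00:00", "2020-04-28T04:00:00"),
    "approved_by": "system operator (constructed)",
}


@dataclass
class ScopeDecision:
    target: str
    allowed: bool
    reason: str


def _networks(entries):
    # strict=False lets a bare host or a range with host bits be listed.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def check_target(target, scope=SCOPE):
    """Decide whether one host may be attacked under the agreed scope."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Hostnames are not checked here: resolve them first, then re-check
        # the address, so a DNS change cannot silently widen the scope.
        return ScopeDecision(target, False, "not an IP address; resolve and re-check")
    # Exclusions win over inclusions: a host the operator carved out stays
    # off-limits even though its subnet is in scope.
    for net in _networks(scope["excluded"]):
        if addr in net:
            return ScopeDecision(target, False, "explicitly excluded (%s)" % net)
    for net in _networks(scope["in_scope"]):
        if addr in net:
            return ScopeDecision(target, True, "in scope (%s)" % net)
    return ScopeDecision(target, False, "not listed in scope")


def in_window(now_iso, scope=SCOPE):
    """True when the given UTC timestamp lies inside the approved window."""
    start, end = (datetime.fromisoformat(t) for t in scope["window_utc"])
    return start <= datetime.fromisoformat(now_iso) <= end


def plan_attack_phase(targets, now_iso, scope=SCOPE):
    """Split targets into (allowed, blocked) decisions for the report.

    Outside the approved window nothing is allowed, whatever the address.
    """
    if not in_window(now_iso, scope):
        return [], [ScopeDecision(t, False, "outside approved window") for t in targets]
    decisions = [check_target(t, scope) for t in targets]
    return ([d for d in decisions if d.allowed],
            [d for d in decisions if not d.allowed])


if __name__ == "__main__":
    candidates = ["192.0.2.5", "192.0.2.10", "192.0.2.251",
                  "198.51.100.1", "2001:db8:1::beef", "www.example.com"]
    allowed, blocked = plan_attack_phase(candidates, "2020-04-28T01:00:00")
    for d in allowed + blocked:
        print("%-18s %-7s %s" % (d.target, "ATTACK" if d.allowed else "SKIP", d.reason))
```

The two design choices worth copying are that exclusions are checked before inclusions, so an operator's carve-out always wins, and that a target outside the approved window is refused regardless of its address; both protect the running system the operator has approved the test on.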

 

When a hacker attacks, he often begins with social engineering as one form of information gathering, before gaining illegal access to the systems.

He may try to steal system and private information by applying multiple methods. In many cases the stolen data can then be used to attack or invade the system.

Strategies for penetration testing

White box test

The hacker already knows the internal structure of the target system and network, and examines the customer's environment with that knowledge.

Black box test

In this process, the hacker attacks from the outside, without any knowledge of the organization's internal network or systems.

External penetration test

A pseudo-attack is performed on the parts that are open to the public. We expose vulnerabilities that leak information or grant administrator privileges, and identify the risks that lead to intrusion and takeover from the outside.

Internal penetration test

Assuming that some employees' machines have been infected with malware and are already compromised, we attack other computers on the internal network and hijack them in the same way an attacker would.

Wi-Fi networks

It is also possible to conduct tests that verify whether confidential information in the organization can be stolen, or other users attacked, using the Wi-Fi AP or the guest LAN in the conference room as the starting point of the attack.

Characteristics

Target network intrusion

In addition to checking the service behavior of each host on its own and determining whether known vulnerabilities are present, we comprehensively use the information obtained from diagnosing the entire target network to verify whether the diagnosed target can actually be attacked.

Test based on the scenario

It is possible to perform tests that assume specific situations, such as intrusion into a particular target or into an unauthorized segment. The results can be used directly when studying countermeasures against specific threats such as internal crime and targeted attacks.

Safe and low load test

Our network diagnostics are carried out fully manually by experienced engineers who pay close attention to the impact on networks and systems. Compared with tests that rely on automated tools, the tests can be performed safely and with low load.

Domino effect

We verify whether it is possible to intrude into other hosts (the domino effect) by collecting and using the information obtained from hosts that have already been compromised. Unlike a simple intrusion verification, and just like a real attack, strategic hacking that treats the entire network as the intrusion target is carried out.

Overwhelming speed

With the pen test framework we developed ourselves, we strongly support the testing team's strategic capture of the network and carry out diagnosis at a speed that general commercial tools cannot achieve.

Testing from a unique entry point

It is also possible to perform penetration tests from a different route, such as verifying whether a guest wireless network can reach the business network, or testing from segments such as IP phones, surveillance cameras, and video conferencing systems.

Penetration test / ASV scan for PCI-DSS compliance

You can leave the penetration test / ASV scan for PCI-DSS compliance to us as a one-stop service. Besides helping you comply with PCI-DSS, effective penetration testing that is as close as possible to real-life attacks ensures an actual reduction of security risk.

After conducting the penetration test, we create reports.

Specific countermeasures are provided for the vulnerabilities found.

Introducing tools that allow you to perform penetration tests

Here are four representative tools that you can use for free penetration tests.

Kali Linux


Kali Linux is a Linux distribution in which the functions needed for penetration testing are included as standard. It has been derived from BackTrack Linux since 2013 and is based on Debian. You can download and use it for free from the official website.

Site: Kali Linux

Maltego

Maltego is a tool that automatically collects and graphically visualizes various data related to specific domains, URLs, servers, email addresses, and networks. It is installed as standard on Kali Linux, but there is also a Windows version. “Maltego CE” for individual users can be used free of charge, but commercial use requires a purchased license.

Edition                                  Maltego CE   Maltego Classic   Maltego XL
Commercial use                           No           Yes               Yes
Number of elements displayed in graph    10,000       10,000            1,000,000
Technical support                        None         Yes               Yes
Price                                    Free         $760              $1,800
Renewal fee (every year)                 Free         $320              $760

OWASP Zed Attack Proxy (ZAP)


ZAP is a tool that can check for significant vulnerabilities such as XSS, CSRF, and SQL injection. If you specify the URL to be tested, it automatically crawls the site, collecting and validating URLs. Test results are categorized from HIGH to LOW according to risk severity. There is also a function that explains the details of each problem and how to deal with it.

It is also a penetration-testing tool with high detection accuracy that has been introduced for beginners.

“Introduction of vulnerability inspection methods on websites.”

The source code is released on GitHub as an open-source tool that can be used free of charge.

Site: OWASP ZAP

Burp Suite


A tool that specifically examines Web applications. PortSwigger develops this tool to discover vulnerabilities by crawling the website, extracting URLs, and accessing those URLs with specific request patterns. Burp Suite is a proxy-based vulnerability inspection tool; with it, cross-site scripting and cross-site request forgery can be detected, as well as SQL injection and command injection. Survey results are saved as an HTML file.

Site: Burp Suite

Penetration test service comparison

We compare and introduce the penetration test services provided by domestic security companies.

Even for a penetration test conducted by the same company, the test items and costs may vary greatly depending on the company that operates the system under test. Some companies also offer penetration testing as a service above general security diagnostics.

A company that does penetration tests

We conduct a test treating research, attack, and achievement as one cycle. Therefore, regardless of the size of the site, we select multiple requests based on the function level, etc., and have realized a standard, easy-to-understand charge form for risk evaluation.

Security Initiative Penetration Test

The vulnerabilities that cannot be found by a vulnerability scan are verified using the methods and tools used by attackers. If there is a security problem, we consult on how to report, solve, and fix it so that both engineers and non-engineers can understand what it is. We carry out the test in a form conforming to “PCI DSS Ver3.1.”

Site: Security Initiative Penetration Test

Asgent Penetration Test

Penetration testing from the perspective of both web applications and networks. For web applications, inspection items such as cross-site scripting, SQL injection, and session management are tested. For the network, we check the managed servers and network devices by remote access, and from inside the system we check the OS security status and report measures.

Site: Asgent Penetration Test

What is the price quote?

As you can see from the tools and services introduced so far, the cost required for penetration testing can vary widely. Freely available tools can only test limited functionality or vulnerabilities.

However, in the case of an advanced penetration test carried out by highly skilled engineers assuming a dedicated scenario, the cost of the test varies widely.

It depends on the scale of the system under test, the test items, and the skill of the engineer who performs the test.

It is also advisable to carry out penetration tests regularly, even after a test has been done and safety confirmed. In that case, keep in mind that the second and subsequent tests will also be costly.

What is the difference from vulnerability diagnosis?

You might think that vulnerability diagnosis and penetration testing are the same thing. Both discover vulnerabilities, but they differ a little in the steps that follow.

Vulnerability diagnosis aims at identifying weaknesses. The usual procedure is to perform diagnostics regularly to discover and fix vulnerabilities. Specific commands are sent to the server or system under test to obtain information such as the OS and application versions, and what weaknesses they have is checked. In other words, vulnerability diagnosis may not be able to tell whether a vulnerability actually exists.
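The version comparison at the heart of that kind of diagnosis, and the reason its verdict is only a candidate rather than a confirmed vulnerability, can be shown in a few lines. The Python script below is an added example written for this article, not code from the original post or from any scanner: it parses service banners, compares the reported version with a "fixed in" version from an advisory table, and downgrades the result to "unverified" when the banner suggests a distribution that backports fixes without changing the version number. The banners, the hostnames and the advisory table are constructed sample data, and the advisory identifiers are placeholders, not real advisories.

```python
"""Version-based weakness check, as a vulnerability diagnosis performs
after collecting service banners.

Added example, not code from the original article or any scanner. The
banners and the advisory table are constructed sample data; the advisory
identifiers are placeholders, not real advisories.
"""
import re

# Constructed banners, as a diagnostic might read from its own hosts.
BANNERS = {
    "web-1": "Apache/2.4.38 (Debian)",
    "web-2": "nginx/1.18.0",
    "app-1": "OpenSSH_7.4p1 Debian-10+deb9u7",
    "web-3": "Apache",   # version hidden: nothing to compare against
}

# Constructed advisory table: product -> [(fixed-in version, advisory id)].
# A host is only a *candidate* when its version is older than the fix.
ADVISORIES = {
    "apache": [((2, 4, 41), "ADVISORY-PLACEHOLDER-1")],
    "nginx": [((1, 19, 0), "ADVISORY-PLACEHOLDER-2")],
    "openssh": [((8, 0), "ADVISORY-PLACEHOLDER-3")],
}

# Product name, optional separator, optional dotted version ("7.4p1" -> 7.4).
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z]+)[/_ ]?(?P<version>\d+(?:\.\d+)+)?")

# Hints that the vendor may have backported a fix while keeping the old
# version string, so a banner match alone does not prove the weakness.
BACKPORT_HINT = re.compile(r"debian|ubuntu|deb\d+u\d+", re.I)


def parse_banner(banner):
    """Return (product, version tuple) or (product, None) if no version."""
    m = BANNER_RE.match(banner)
    if not m:
        return None, None
    product = m.group("product").lower()
    version = m.group("version")
    return product, (tuple(int(x) for x in version.split(".")) if version else None)


def diagnose(banners=BANNERS, advisories=ADVISORIES):
    """Map each host to [(advisory id, status)].

    status is one of: candidate, candidate-unverified, up-to-date,
    unknown-version, unknown-product. Only "candidate" and
    "candidate-unverified" are leads; neither is a confirmed finding,
    which is exactly what a penetration test is for.
    """
    results = {}
    for host, banner in banners.items():
        product, version = parse_banner(banner)
        findings = []
        if product is None or product not in advisories:
            findings.append(("-", "unknown-product"))
        elif version is None:
            findings.append(("-", "unknown-version"))
        else:
            backported = bool(BACKPORT_HINT.search(banner))
            for fixed_in, adv_id in advisories[product]:
                if version < fixed_in:      # tuple comparison, element-wise
                    status = "candidate-unverified" if backported else "candidate"
                else:
                    status = "up-to-date"
                findings.append((adv_id, status))
        results[host] = findings
    return results


if __name__ == "__main__":
    for host, findings in diagnose().items():
        for adv_id, status in findings:
            print("%-6s %-22s %s" % (host, adv_id, status))
```

Two of the four constructed hosts come back as "candidate-unverified": the version string says "vulnerable", but the distribution may have patched the binary without bumping the version, and a hidden version (web-3) yields nothing at all. That is the gap the article describes: a diagnosis can list candidates, but confirming whether the weakness is real is the penetration test's job.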

Penetration testing verifies, from the attacker’s point of view, how far existing vulnerabilities can be exploited and what their impact would be. Therefore, penetration testing should be done by a more skilled engineer.

Also, when testing the system or server that is the target of the penetration test, it is necessary to obtain the operator’s approval and to avoid affecting the running system or server.

Summary

Penetration testing is more expensive than general vulnerability diagnosis, but it is definitely a diagnostic method you should incorporate as a system security measure. Before conducting the test, it is essential to clarify its purpose.

If there is a security issue, you need to determine what risk it poses and how much loss would occur. It is essential to perform the optimal penetration test according to the purpose and nature of the developed system.