Penetration testing attempts to exploit weaknesses or vulnerabilities in systems, networks, human resources, or physical assets in order to stress test the effectiveness of security controls.
The different types of penetration tests include network services, web application, client side, wireless, social engineering, and physical. A penetration test may be performed externally or internally to simulate different attack vectors. Depending on the goals of each test, a penetration tester may or may not have prior knowledge of the environment and systems they’re attempting to breach. This is categorized as black box, white box, and gray box penetration testing.
External VS Internal
In this article, I’m going to explain the different types of penetration tests, how they work, and why they should be performed. By the end, you will have a better understanding of why penetration tests are an effective layer of defense for any successful cyber security program.
Before we dive into the different types of penetration testing let’s first explore what factors determine the goals of the test itself.
- What Is The Main Goal Of A Penetration Test?
- The Different Types And Approaches To Penetration Testing
What Is The Main Goal Of A Penetration Test?
Penetration testing has become a widely adopted security practice by businesses in recent years. This is especially true for industries that store and access sensitive or private information such as banks and healthcare providers.
While the purpose of a penetration test is to expose vulnerabilities or exploit weaknesses, it’s important to note that the main goal is often tied to a business objective with an overarching strategy. For example, A business may need to meet NIST 800-171 under certain deadlines if they are to be awarded a $10 million contract.
On the other hand, a software company’s security goals may vary greatly. For example, application penetration testing helps to identify flaws and weaknesses within code that could be susceptible to an attack. Developers then work to create fixes to update the codebase.
Ultimately, the business goals determine the types of penetration testing performed.
The Different Types And Approaches To Penetration Testing
Penetration tests differ both in their approach and in the weaknesses they attempt to exploit.
The different approaches to penetration testing include:
- External VS Internal
- White Box
- Black Box
- Gray Box
The different types of penetration testing include:
- Network Services
- Web Application
- Client Side
- Social Engineering
- Physical Penetration Testing
External VS Internal Penetration Testing
External penetration tests are performed when businesses want to assess their risk of a successful attack on their network from the outside. Many businesses have begun to prepare themselves over the last 5 years by deploying next-generation firewalls or by implementing security awareness training to deter and mitigate attacks.
While content filters and URL attachment blocking may help, it doesn’t provide the kind of holistic protection you might expect. This is because malicious actors are aware of the typical security controls that businesses have in place. As a result, new attack vectors are constantly being adopted to get around firewalls and anti-malware software.
Kerberoasting, for example, is a credential access tactic that malicious actors use against systems running Windows. In short, weak Active Directory security policies can lead to an unauthorized party being given access to an encrypted hash of every user profile in your environment. From there, they can brute force the encryption offline to crack it and gain access into your network.
Businesses may also want to know how much damage a malicious actor could cause if they already had access to the internal network. The goal here could be to test if the blue team is able to identify the attack, or if the pen tester is able to escalate their privileges to admin rights.
Black Box Penetration Testing
During a black box penetration test, the pen tester is given little to no information regarding the IT infrastructure of a business. The main benefit of this type of test is to simulate a real-world cyber attack, whereby the pen tester assumes the role of an uninformed attacker.
A black box penetration test can take up to six weeks to complete making it one of the longest types of pentration tests. Businesses can expect to pay between $10,000 – $25,000 due to the level of effort involved in planning, performing, testing, and completing the report. This, of course, all depends on the scope of the project.
One of the easiest ways for pen testers to break into a system during a black block test is by deploying a series of exploits known to work, such as Kerberoasting mentioned above. This type of test is also referred to as the “trial and error” approach, however, there is a high degree of technical skill involved in this process.
White Box Penetration Testing
White box penetration testing also called clear box testing or glass box testing, is when the pen tester has full knowledge and access to the source code and environment.
The goal of a white box penetration test is to conduct an in-depth security audit of a business’s systems and to provide the pen tester with as much detail as possible. As a result, the tests are more thorough because the pen tester has access to areas where a black box test cannot, such as quality of code and application design.
White box tests do have their disadvantages. For instance, given the level of access the pen tester has it can take longer to decide what areas to focus on. In addition, these types of tests often require sophisticated and expensive tools such as code analyzers and debuggers.
White box tests can take two to three week to complete and cost between $4,000 – $20,000. In the end, it doesn’t matter whether you perform a black box or a white box penetration test so long as the primary goal of the test is being met.
Gray Box Penetration Testing
During a gray box penetration test, the pen tester has partial knowledge or access to an internal network or web application. A pen tester may begin with user privileges on a host and be told to escalate their account to a domain admin. Or, they could be asked to get access to software code and system architecture diagrams.
One main advantage of a gray box penetration test is that the reporting provides a more focused and efficient assessment of your network’s security. For instance, instead of spending time with the “trial and error” approach, pen testers performing a gray box penetration test are able to review the network diagrams to identify areas of greatest risk. From there, the proper countermeasures can be recommended to fill the gaps.
Network Service Penetration Testing
Network service penetration testing, or infrastructure testing, is one of the most common types of penetration testing performed.
The main purpose is to identify the most exposed vulnerabilities and security weaknesses in the network infrastructure (servers, firewalls, switches, routers, printers, workstations, and more) of an organization before they can be exploited.
How Does A Network Service Penetration Test Work?
There are 6 main steps to performing a network service penetration test including:
1. Planning– In this phase, pen testers review the network user documents, usage, specifications, and meet with teams to discuss goals and the approach. This information is later used to plan a set of test cases for performing the actual test.
2. Information Gathering – Next, the pen tester gathers information on network interfaces, APIs (application programming interfaces), user interfaces, accessible systems, services running on them and other input points. If any of these are not properly configured/designed, it can be a prime target of an attacker to enter into a network. In addition, the make and model of devices and operating systems in use provide attackers with insight as to how your network operates.
3. Identifying Vulnerabilities – Internal penetration tests often consists of scans, similar to a network vulnerability scan, with the goal of identifying weaknesses on a system.
4. Document Findings – Throughout this process the pen testing team documents this information in order to further plan their objective. This also makes writing the final report easier as the information is fresh and top of mind.
5. Perform Penetration Test – Only after weeks of planning will the actual test be carried out.
6. Reporting – Finally, a fact-based and objective report is provided to project stakeholders with prioritized findings, rankings, impact and actions for implementing counter-measures.
One thing to keep in mind is that this six-step process can be applied to all types of penetration testing discussed below.
Why Should You Perform A Network Service Penetration Test?
Network penetration tests should be performed to protect your business from common network-based attacks including:
- Firewall Misconfiguration And Firewall Bypass
- IPS/IDS Evasion Attacks
- Router Attacks
- DNS Level Attacks:
- Zone Transfer Attacks
- Switching Or Routing Based Attacks
- SSH Attacks
- Proxy Server Attacks
- Unnecessary Open Ports Attacks
- Database Attacks
- Man In The Middle (MITM) Attacks
- FTP/SMTP Based Attacks
Given that a network provides mission-critical services to a business, it is recommended that both internal and external network penetration tests be performed at least annually. This will provide your business with adequate coverage to protect against these attack vectors.
Web Application Penetration Testing
Web application penetration testing is used to discover vulnerabilities or security weaknesses in web based applications. It uses different penetration techniques and attacks with aims to break into the web application itself.
The typical scope for a web application penetration test includes web based applications, browsers, and their components such as ActiveX, Plugins, Silverlight, Scriptlets, and Applets.
These types of tests are far more detailed and targeted and therefore is considered to be a more complex test. In order to complete a successful test, the endpoints of every web-based application that interacts with the user on a regular basis must be identified. This requires a fair amount of effort and time from planning to executing the test, and finally compiling a useful report.
The techniques of web application penetration testing are continuously evolving with time due to the increase in threats coming from web applications day by day.
How Does A Web Application Penetration Test Work?
Penetration testers are trained to think with the attacker’s perspective in mind. This allows them to attempt exploitations during the test in ways that an actual attacker might. As a result, applications are stress-tested for any known or previously undiscovered point of entry.
Pen testers may use any number of attacks to compromise an application including:
- SQL Injection Attacks
- Cross-Site Scripting Attacks
- Broken Authentication and Session Management Attacks
- DoS And DDoS Attacks
- File Upload Flaws
- Cross-Site Request Forgery Attacks
- Password Cracking Attacks
- Security Misconfigurations
Other test scenarios include:
- Deployment Management Testing
- Identity Management Testing
- Input Validation Testing
- Error Handling
- Business Logic Testing
Why Should You Perform A Web Application Penetration Test?
A key reason to perform a web application penetration test is to identify security weaknesses or vulnerabilities within the web based applications and its components like Database, Source Code, and the back-end network. It also helps by prioritizing the determined weaknesses or vulnerabilities and provides possible solutions to mitigate them.
In software application development it’s considered best practice to continuously improve the codebase. Deploying a secure and agile code is the phrase often used to describe this practice.
Agile code deployment is the preferred method over large batch deployments, as the more variables introduced into the code in a single deployment, the more opportunities there are to create bugs or errors leading to security vulnerabilities. As a result, technical debt forms, where developers gradually spend more time implementing fixes to problems then they do develop new features or updates.
In contrast, agile methodologies use a sandbox environment (a duplicate copy of the codebase) to test code functionality and usability prior to launching into production. If the deployment is unsuccessful, developers can easily single out the change and roll the code back to previous version history. The trick is balancing daily code deployment with security in mind.
It’s not uncommon for enterprise software companies to employ pen testers to continuously test their code. Google, as well as others, also offer a reward for finding and reporting on vulnerabilities within their applications.
Client Side Penetration Testing
Client side penetration testing is used to discover vulnerabilities or security weaknesses in client side applications.
These could be a program or applications such as Putty, email clients, web browsers (i.e. Chrome, Firefox, Safari, etc.), Macromedia Flash, and others. Programs like Adobe Photoshop and the Microsoft Office Suite are also subject to testing.
How Does A Client Side Penetration Test Work?
Pen testers typically run a network vulnerability scan to identify and categorize applications at risk.
The image above shows the raw scan result of a vulnerability found on a host, which appears to be a server running Windows 2008 R2 and Windows 7. The issue here is that the host is missing a security update and that without it the host is vulnerable to an attack.
The scanner also lists the Common Vulnerabilities Exposures (CVE) for each vulnerability.
Finally, the scan recommends applying the KB4056897 or Cumulative Update KB4056894 to resolve the vulnerability. Unfortunately, the pen tester isn’t going to apply this patch for you, but instead, exploit these vulnerabilities to gain entry to your network.
Why Should You Perform A Client Side Penetration Test?
Client-side tests are performed to identify specific cyber attacks including:
- Cross-Site Scripting Attacks
- Clickjacking Attacks
- Cors-Origin Resource Sharing (CORS)
- Form Hijacking
- HTML Injection
- Open Redirection
- Malware Infection
Wireless Penetration Testing
Wireless penetration testing involves identifying and examining the connections between all devices connected to the business’s wifi. These devices include laptops, tablets, smartphones, and any other internet of things (IoT) devices.
Wireless penetration tests are typically performed on the client’s site as the pen tester needs to be in range of the wireless signal to access it.
How Does A Wireless Penetration Test Work?
One of the most important phases of a wireless penetration test is the information-gathering phase. For example, an access point could still be using default credentials that the device shipped with. If the attacker knows the make and model of the device, then they are able to deploy a wireless attack to take down or access the network.
Next, the pen tester identifies vulnerabilities in the discovered hardware, checks the wifi signal strength beyond the organization’s physical area, and checks the visible nodes in the wifi network. As a result, this will map any workstation, server or other devices publically visible and accessible in the network.
Examples of wireless penetration testing attacks include:
- Bypassing WLAN Authentication – Shared Key, MAC Filtering, Hidden SSIDs
- Cracking WLAN Encryption – WEP, WPA/WPA2 Personal and Enterprise, Understanding encryption based flaws (WEP,TKIP,CCMP)
- Attacking the WLAN Infrastructure – Rogues Devices, Evil Twins, DoS Attacks, MITM, Wi-Fi Protected Setup
- Advanced Enterprise Attacks – 802.1x, EAP, LEAP, PEAP, EAP-TTLS
- Attacking the Wireless Client – Honeypots and Hotspot attacks, Caffe-Latte, Hirte, Ad-Hoc Networks and Viral SSIDs, WiFishing
- Breaking into the Client – Metasploit, SET, Social Engineering
- Enterprise Wi-Fi Worms, Backdoors and Botnets
Why Should You Perform A Wireless Penetration Test?
Wireless communications are an invisibly running service that allows data to flow in and out of the network. Therefore, this wireless network must be secured from any weaknesses like unauthorized access or data leakage.
Before performing a wireless penetration test you should consider the following:
- Have all access points been identified and how many use poor encryption methods?
- Is the data flowing in and out of the network encrypted and if so, how?
- Are there monitoring systems in place to identify unauthorized users?
- Is there any possibility the IT team could have misconfigured or duplicated a wireless network?
- What are the current measures in place to protect the wireless network?
- Are all wireless access points using WPA protocol?
Social Engineering Tests
Social engineering penetration tests are where a malicious actor attempts to persuade or trick users into giving them sensitive information, such as a username and password.
Common types of social engineering tests used by pen testers include:
- Phishing Attacks
- Imposters (i.e. Fellow Employees, External Vendors, or Contractors)
- Name Dropping
- Dumpster Diving
How Does A Social Engineering Test Work?
Malicious actors use any number of means to trick users which may include:
- Using authority to get someone to make a quick decision.
- Relating to the target by sharing similar interests attitudes or beliefs to disarm them.
- Using fear or intimidation such as threatening someone’s job if they don’t do what they’re told.
Social engineering takes advantage of above in different ways to attempt to initiate a breach.
Why Should You Perform Social Engineering Tests?
According to recent statistics, 98% of all cyber attacks rely on social engineering. This is because internal users are one of the biggest threats to a networks security and due to how lucrative the scams are.
Social engineering tests and awareness programs have proven to be one of the most effective methods of mitigating against an attack.
For example, KnowBe4, the popular email phishing platform, simulates an email phishing attack. When the user clicks on the link they’re taken to a page that informs them that it was a phishing test.
Remediation training is then provided to help educate and inform users on the most current cyber attacks and how to avoid them.
Physical Penetration Testing
Physical penetration testing simulates a real-world threat whereby a pen tester attempts to compromise physical barriers to access a business’s infrastructure, building, systems, or employees.
How Does A Physical Penetration Test Work?
Pen testers use any number of methods during a physical penetration test including:
- Mapping The Entrances An Perimeter
- Lock Picking Entry Points
- Remotely Accessing Sensitive Information
- Targeting Server Rooms, Wires, Or Cables
- Exploiting Fire And Cooling Systems
- Intercepting EM Waves
- Dumpster Diving
- Breaking RFID Tag Encryption
- Accessing Unprotected Network Jacks
- Checking Rooms For Unattended Devices
- Shoulder Surfing
- Social Engineering
Why Should You Perform A Physical Penetration Test?
Physical barriers are often an afterthought for most businesses, however, if a malicious actor is able to gain physical access to your server room then they could own your network. Imagine the impact that might have on your business, on your customers, as well as business partnerships.
The primary benefit of a physical penetration test is to expose weaknesses and vulnerabilities in physical controls (locks, barriers, cameras, or sensors) so that flaws can be quickly addressed. Through identifying these weaknesses proper mitigations can be put in place to strengthen the physical security posture.
- Vulnerability Scans VS Penetration Tests: What’s The Main Difference?
- How Often Should You Perform A Penetration Test?
- How To Perform A Successful Network Vulnerability Assessment
- How Often Should You Perform A Network Vulnerability Scan?
- What Are The Most Common Types Of Network Vulnerabilities?