A penetration test (or PenTest) is an analysis that is part of a security audit, conducted by one or more Ethical Hackers. It involves simulating an attack to identify vulnerabilities and configuration errors in an IT system and to understand their associated risks.
How does a penetration test work?
Preparing the test
A penetration test begins with collaborative work between the entity conducting the test and the company or individual being tested. Before any technical action is taken, it is necessary to address and document several key points:
I - The scope of the test
What is commonly referred to as the “scope” is the precise perimeter of the test. It is crucial to define in advance which domains, IP ranges, applications, machines, and physical locations will be tested. Poorly defining the scope of a test can lead to inconclusive results or even unexpected service interruptions or significant data loss in the worst-case scenario.
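A simple way to keep the agreed scope enforceable during the engagement is to transcribe the signed authorization into a machine-checkable form and run every target through it before any action is taken. The following Python script is an added example, not code from the original article; the client name, date window, address ranges, host names and exclusions in `SCOPE` are constructed placeholders, and `check_target` and `partition_targets` are hypothetical helper names. It treats any target that overlaps an exclusion, falls outside the date window, or is not listed as out of scope, which is the conservative default a tester wants.

```python
"""Engagement scope checker (added example; not part of the original article).

Assumptions: the signed authorization has been transcribed into SCOPE below;
targets are IPv4/IPv6 addresses, CIDR ranges or host names; an entry such as
"*.app.example.test" covers subdomains only, not the apex name itself.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample authorization (placeholder values, not a real client).
SCOPE = {
    "client": "Example Corp (placeholder)",
    "window": ("2024-06-03T08:00:00+00:00", "2024-06-14T18:00:00+00:00"),
    "networks": ["198.51.100.0/24", "2001:db8:10::/48"],
    "hosts": ["www.example.test", "*.app.example.test"],
    "exclusions": ["198.51.100.1", "legacy.app.example.test"],
}

# Constructed timestamps used by the demo and the checks below.
SAMPLE_NOW = datetime(2024, 6, 5, 12, 0, tzinfo=timezone.utc)   # inside window
AFTER_WINDOW = datetime(2024, 6, 20, 9, 0, tzinfo=timezone.utc)  # after window


@dataclass(frozen=True)
class Decision:
    target: str
    allowed: bool
    reason: str


def _domain_matches(pattern: str, name: str) -> bool:
    """Exact match, or wildcard match of a strict subdomain for '*.suffix'."""
    name, pattern = name.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".app.example.test"
        return name.endswith(suffix) and name != suffix[1:]
    return name == pattern


def _in_networks(target: str, networks: list) -> Optional[bool]:
    """True/False if target is an address or range; None if it is not IP-like."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return None
    return any(net.version == n.version and net.subnet_of(n)
               for n in map(ipaddress.ip_network, networks))


def check_target(target: str, scope: dict = SCOPE,
                 now: Optional[datetime] = None) -> Decision:
    """Decide whether one target may be tested under the authorization."""
    now = now or datetime.now(timezone.utc)
    start, end = (datetime.fromisoformat(t) for t in scope["window"])
    if not start <= now <= end:
        return Decision(target, False, "outside the authorized testing window")

    ip_hit = _in_networks(target, scope["networks"])
    if ip_hit is None:  # not an address: treat as a host name
        if any(_domain_matches(ex, target) for ex in scope["exclusions"]):
            return Decision(target, False, "host is explicitly excluded")
        if any(_domain_matches(p, target) for p in scope["hosts"]):
            return Decision(target, True, "host matches an authorized entry")
        return Decision(target, False, "host is not listed in the scope")

    net = ipaddress.ip_network(target, strict=False)
    for ex in scope["exclusions"]:
        try:
            ex_net = ipaddress.ip_network(ex, strict=False)
        except ValueError:
            continue  # host-name exclusion, handled in the branch above
        # Any overlap with an exclusion blocks the whole target range.
        if ex_net.version == net.version and net.overlaps(ex_net):
            return Decision(target, False, f"overlaps excluded range {ex}")
    if ip_hit:
        return Decision(target, True, "address lies within an authorized range")
    return Decision(target, False, "address is outside every authorized range")


def partition_targets(targets: list, scope: dict = SCOPE,
                      now: Optional[datetime] = None) -> tuple:
    """Split a target list into (allowed, denied) decision lists."""
    decisions = [check_target(t, scope, now) for t in targets]
    return ([d for d in decisions if d.allowed],
            [d for d in decisions if not d.allowed])


if __name__ == "__main__":
    sample = ["198.51.100.42", "198.51.100.1", "198.51.100.0/28",
              "203.0.113.7", "api.app.example.test", "legacy.app.example.test"]
    for d in partition_targets(sample, now=SAMPLE_NOW)[0] + \
             partition_targets(sample, now=SAMPLE_NOW)[1]:
        print(f"{'ALLOW' if d.allowed else 'DENY ':5} {d.target:28} {d.reason}")
```

Two caveats when using something like this in practice: a host name being in scope does not by itself put the addresses it resolves to in scope, so check both the name and the resolved address against the authorization; and the list of decisions is worth keeping with the engagement record, since it documents that every action stayed within the signed scope.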
II - The legal context of the test
Every intrusive test must, at a minimum, be accompanied by written authorization to test the elements defined in the scope, signed by the legal representative of the company being tested.
It is also highly recommended to sign a contract outlining the duties and responsibilities of both parties regarding the upcoming pentest before starting. Involving a legal expert in drafting such a document is a significant advantage.
III - The type of test
There are generally three types of penetration tests, differentiated by the amount of information shared with the person conducting the test:
White Box
In a White Box test, a large amount of information (admin accounts, IP addresses, physical locations, domain names, network maps, software architecture) is shared with the tester.
The advantage is that the test is often more thorough. However, the White Box scenario rarely represents a “realistic” framework for a cyberattack.
Gray Box
In a Gray Box test, less information is shared than in a White Box test. Only basic account credentials with limited privileges are provided, along with a basic topology of the architecture and network.
The advantage is that the test closely resembles what a malicious user (with limited privileges) might discover and exploit. It strikes a balance between a realistic attack scenario (like in Black Box) and a comprehensive test (like in White Box).
Black Box
In a Black Box test, the bare minimum of information (only an IP or domain name) is shared with the tester.
This is the test scenario that most closely resembles the context of a “real” attack and is the most relevant if you want to understand the potential damage an external attack could cause.
However, it is likely that in a Black Box test, some services and entities may not be discovered or accessed, and therefore not tested.
Conducting the test
Once the preparatory phase is complete, the technical part can begin. Some pentesters choose not to disclose the exact date of the test to prevent the target from preparing and becoming more vigilant than usual.
Standardized PenTest methodologies (such as PTES, CREST, EC-Council […]) generally break down the test into 5 to 8 steps, following a plan similar to this:
- Passive Reconnaissance: The goal of this phase is to gather information about the organization, technical architecture, physical location, and activity of the target from publicly available resources.
- Enumeration: In this phase, the tester actively interacts with the target to identify available services, machines, networks, and accounts.
- Exploitation: Once the tester has a clear view of the available resources, the exploitation of the target system begins. The goal here is to find and list vulnerabilities to gain user access to the system.
- Privilege Escalation: From the discovered user access, the pentester now seeks a vulnerability that allows them to gain higher privileges.
- Post-Exploitation: The post-exploitation phase (as in a “real” cyberattack) is the step where the attacker covers their tracks and sets up discreet mechanisms (backdoors) to easily access what they discovered during the exploitation phase.
Why should you test your system?
The primary benefit of a PenTest is to gain visibility into a system’s vulnerabilities before they can be discovered and exploited by malicious actors.
Even with significant defensive measures, maintaining a perfect defense is challenging. The slightest third-party tool or system lagging behind on security updates can compromise the security of an entire infrastructure.
Every penetration test is accompanied by a detailed report of the actions taken, along with remediation advice for each vulnerability discovered.
Contrary to what one might think, the real purpose of a penetration test is not to prove whether it is possible (or not) to breach your system but to provide visibility into the strengths and weaknesses of your system’s security.
The difference between a penetration test and a vulnerability audit
Penetration testing is often associated with active vulnerability research, alongside regular vulnerability audits.
A vulnerability audit shares the same goal as a penetration test: identifying vulnerabilities before they can cause problems. The key difference is that a penetration test is a manual and in-depth procedure, while a vulnerability audit is an automated, less costly task that should be performed frequently.
For more information on penetration tests, vulnerability audits, or if you would like advice on your company’s security, you can contact us and explore our services.
Resources:
https://www.owasp.org/index.php/Penetration_testing_methodologies
https://www.crest-approved.org/wp-content/uploads/CREST-Penetration-Testing-Guide.pdf